1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-29 11:28:14 +00:00
kube-bench/check/data
2017-07-24 17:30:13 +00:00

140 lines
4.9 KiB
Plaintext

---
controls:
id: 1
text: "Master Checks"
type: "master"
groups:
- id: 1.1
text: "Kube-apiserver"
checks:
- id: 1.1.1
text: "Ensure that the --allow-privileged argument is set (Scored)"
audit: "ps -ef | grep kube-apiserver | grep -v grep"
tests:
test_items:
-
flag: "--allow-privileged"
set: true
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
scored: true
- id: 1.1.2
text: "Ensure that the --basic-auth argument is not set (Scored)"
audit: "ps -ef | grep kube-apiserver | grep -v grep"
tests:
test_item:
-
flag: "--basic-auth"
set: false
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
scored: true
- id: 1.1.3
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
audit: "ps -ef | grep kube-apiserver | grep -v grep"
tests:
test_items:
-
flag: "--insecure-port"
compare:
op: eq
value: 0
set: true
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
scored: true
- id: 1.1.4
text: "Ensure that the --audit-log-maxage argument is set to 30 or appropriate (Scored)"
audit: "ps -ef | grep kube-apiserver | grep -v grep"
tests:
test_items:
-
flag: "--audit-log-maxage"
compare:
op: gte
value: 30
set: true
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
scored: true
- id: 1.1.5
text: "Ensure that the --max-backlog argument is set to 30 or less (Scored)"
audit: "ps -ef | grep kube-apiserver | grep -v grep"
tests:
test_items:
- flag: "--max-backlog"
compare:
op: lt
value: 30
set: true
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
scored: true
- id: 1.1.6
text: "Ensure admission control does not include AlwaysAdmit (Scored)"
audit: "ps -ef | grep kube-apiserver | grep -v grep"
tests:
test_items:
-
flag: "--admission-control"
compare:
op: nothave
value: AlwaysAdmit
set: true
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
scored: true
- id: 1.1.7
text: "Ensure that the --kubelet-client-certificate and --kubelet-clientkey arguments are set as appropriate (Scored)"
audit: "ps -ef | grep kube-apiserver | grep -v grep"
tests:
bin_op: and
test_items:
- flag: "--kubelet-client-certificate"
set: true
- flag: "--kubelet-clientkey"
set: true
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
scored: true
- id: 1.1.8
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
audit: "ps -ef | grep kube-apiserver | grep -v grep"
tests:
bin_op: or
test_items:
-
flag: "--secure-port"
compare:
op: eq
value: 0
set: true
-
flag: "--secure-port"
set: false
remediation: "Edit the /etc/kubernetes/apiserver file on the master node and either remove the -secure-port argument from the KUBE_API_ARGS parameter or set it to a different desired port."
scored: true
- id: 1.4.1
text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
audit: "stat -c %a /etc/kubernetes/apiserver"
tests:
test_items:
- flag: "644"
set: true
remediation: "Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/apiserver"
scored: true
- id: 2.1.14
text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
audit: "ps -ef | grep kubelet | grep -v grep"
tests:
test_items:
- flag: "KubeletClient"
compare:
op: eq
value: true
set: true
remediation: "Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/apiserver"
scored: true