mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2025-01-04 21:00:54 +00:00
e4d6ed2e8e
* Add example IAM policy * Pass RotateKubeletServerCertificate related checks if it's not found (#767) * Allow for environment variables to be checked in tests (#755) * Initial commit for checking environment variables for etcd * Revert config changes * Remove redundant struct data * Fix issues with failing tests * Initial changes based on code review * Add option to disable envTesting + Update docs * Initial tests * Finished testing * Fix broken tests * Add a total summary and always show all tests. (#759) Whether the total summary is shown can be specified with an option. Fixes #528 Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud> * Update Readme.md file with link to Contribution guide (#754) * Update License with the year and the owner name Please add this to make your license agreement strong * Updated Readme.md file with license and proper documentation links I have added a proper license agreement to the documentation. Also shortened the links to the issues so that it does not break in any on the forks. * Update LICENSE * Update README.md * Update README.md * Remove erroneous license info Co-authored-by: Liz Rice <liz@lizrice.com> * Support auto-detect platform when running on EKS or GKE (#683) * Support auto-detect platform when running on EKS or GKE * Change to get platform name from `kubectl version` * fix regexp and add test * Update Server Version match for EKS * try to get version info from api sever at first * Refactor group skip changed group 'skip' from being a bool to be 'type' string as done in check * Change skip: true -> type: skip Co-authored-by: Huang Huang <mozillazg101@gmail.com> Co-authored-by: Wicked <jason_attwood@hotmail.co.uk> Co-authored-by: Christian Zunker <827818+czunker@users.noreply.github.com> Co-authored-by: Kaiwalya Koparkar <kaiwalyakoparkar@gmail.com> Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
114 lines
6.4 KiB
JSON
114 lines
6.4 KiB
JSON
[
|
|
{
|
|
"id": "2",
|
|
"version": "1.15",
|
|
"text": "Etcd Node Configuration",
|
|
"node_type": "etcd",
|
|
"tests": [
|
|
{
|
|
"section": "2",
|
|
"pass": 7,
|
|
"fail": 0,
|
|
"warn": 0,
|
|
"info": 0,
|
|
"desc": "Etcd Node Configuration Files",
|
|
"results": [
|
|
{
|
|
"test_number": "2.1",
|
|
"test_desc": "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)",
|
|
"audit": "/bin/ps -ef | /bin/grep etcd | /bin/grep -v grep",
|
|
"AuditConfig": "",
|
|
"type": "",
|
|
"remediation": "Follow the etcd service documentation and configure TLS encryption.\nThen, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml\non the master node and set the below parameters.\n--cert-file=</path/to/ca-file>\n--key-file=</path/to/key-file>\n",
|
|
"test_info": [
|
|
"Follow the etcd service documentation and configure TLS encryption.\nThen, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml\non the master node and set the below parameters.\n--cert-file=</path/to/ca-file>\n--key-file=</path/to/key-file>\n"
|
|
],
|
|
"status": "PASS",
|
|
"actual_value": "root 3277 3218 3 Apr19 ? 03:57:52 etcd --advertise-client-urls=https://192.168.64.4:2379 --cert-file=/var/lib/minikube/certs/etcd/server.crt --client-cert-auth=true --data-dir=/var/lib/minikube/etcd --initial-advertise-peer-urls=https://192.168.64.4:2380 --initial-cluster=minikube=https://192.168.64.4:2380 --key-file=/var/lib/minikube/certs/etcd/server.key --listen-client-urls=https://127.0.0.1:2379,https://192.168.64.4:2379 --listen-metrics-urls=http://127.0.0.1:2381 --listen-peer-urls=https://192.168.64.4:2380 --name=minikube --peer-cert-file=/var/lib/minikube/certs/etcd/peer.crt --peer-client-cert-auth=true --peer-key-file=/var/lib/minikube/certs/etcd/peer.key --peer-trusted-ca-file=/var/lib/minikube/certs/etcd/ca.crt --snapshot-count=10000 --trusted-ca-file=/var/lib/minikube/certs/etcd/ca.crt\nroot 4624 4605 8 Apr21 ? 04:55:10 kube-apiserver --advertise-address=192.168.64.4 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/var/lib/minikube/certs/ca.crt --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PodSecurityPolicy --enable-bootstrap-token-auth=true --etcd-cafile=/var/lib/minikube/certs/etcd/ca.crt --etcd-certfile=/var/lib/minikube/certs/apiserver-etcd-client.crt --etcd-keyfile=/var/lib/minikube/certs/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --insecure-port=0 --kubelet-client-certificate=/var/lib/minikube/certs/apiserver-kubelet-client.crt --kubelet-client-key=/var/lib/minikube/certs/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/var/lib/minikube/certs/front-proxy-client.crt --proxy-client-key-file=/var/lib/minikube/certs/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/var/lib/minikube/certs/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=8443 --service-account-key-file=/var/lib/minikube/certs/sa.pub --service-cluster-ip-range=10.96.0.0/12 --tls-cert-file=/var/lib/minikube/certs/apiserver.crt --tls-private-key-file=/var/lib/minikube/certs/apiserver.key\n",
|
|
"scored": true,
|
|
"expected_result": "'--cert-file' is present AND '--key-file' is present"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"total_pass": 7,
|
|
"total_fail": 0,
|
|
"total_warn": 0,
|
|
"total_info": 0
|
|
},
|
|
{
|
|
"id": "3",
|
|
"version": "1.5",
|
|
"text": "Control Plane Configuration",
|
|
"node_type": "controlplane",
|
|
"tests": [
|
|
{
|
|
"section": "3.1",
|
|
"pass": 0,
|
|
"fail": 0,
|
|
"warn": 1,
|
|
"info": 0,
|
|
"desc": "Authentication and Authorization",
|
|
"results": [
|
|
{
|
|
"test_number": "3.1.1",
|
|
"test_desc": "Client certificate authentication should not be used for users (Not Scored)",
|
|
"audit": "",
|
|
"AuditConfig": "",
|
|
"type": "manual",
|
|
"remediation": "Alternative mechanisms provided by Kubernetes such as the use of OIDC should be\nimplemented in place of client certificates.\n",
|
|
"test_info": [
|
|
"Alternative mechanisms provided by Kubernetes such as the use of OIDC should be\nimplemented in place of client certificates.\n"
|
|
],
|
|
"status": "WARN",
|
|
"actual_value": "",
|
|
"scored": false,
|
|
"expected_result": "",
|
|
"reason": "Test marked as a manual test"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"total_pass": 0,
|
|
"total_fail": 0,
|
|
"total_warn": 3,
|
|
"total_info": 0
|
|
},
|
|
{
|
|
"id": "1",
|
|
"version": "1.5",
|
|
"text": "Master Node Security Configuration",
|
|
"node_type": "master",
|
|
"tests": [
|
|
{
|
|
"section": "1.1",
|
|
"pass": 15,
|
|
"fail": 1,
|
|
"warn": 5,
|
|
"info": 0,
|
|
"desc": "Master Node Configuration Files",
|
|
"results": [
|
|
{
|
|
"test_number": "1.1.1",
|
|
"test_desc": "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored)",
|
|
"audit": "/bin/sh -c 'if test -e /etc/kubernetes/manifests/kube-apiserver.yaml; then stat -c permissions=%a /etc/kubernetes/manifests/kube-apiserver.yaml; fi'",
|
|
"AuditConfig": "",
|
|
"type": "",
|
|
"remediation": "Run the below command (based on the file location on your system) on the\nmaster node.\nFor example, chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml\n",
|
|
"test_info": [
|
|
"Run the below command (based on the file location on your system) on the\nmaster node.\nFor example, chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml\n"
|
|
],
|
|
"status": "PASS",
|
|
"actual_value": "permissions=600\n",
|
|
"scored": true,
|
|
"expected_result": "bitmask '600' AND '644'"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"total_pass": 42,
|
|
"total_fail": 12,
|
|
"total_warn": 11,
|
|
"total_info": 0
|
|
}
|
|
] |