1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-23 00:28:07 +00:00
kube-bench/cfg/ack-1.0/controlplane.yaml
Huang Huang 47c2494728
Support CIS ACK 1.0.0 benchmark (#841)
* Support CIS ACK 1.0.0 benchmark

* fix yaml lint

* Fix TestMakeSubsitutions may failed when order of map changed

* Support auto-detect platform when running on ACK

* Apply suggestions from code review

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-05-11 11:52:24 +03:00

40 lines
1.3 KiB
YAML

---
controls:
version: "ack-1.0"
id: 3
text: "Control Plane Configuration"
type: "controlplane"
groups:
- id: 3.1
text: "Authentication and Authorization"
checks:
- id: 3.1.1
text: "Revoke client certificate when possible leakage (Manual)"
type: "manual"
remediation: |
Kubernetes provides the option to use client certificates for user authentication.
ACK issues kubeconfig with its client certificates as the user credentials for connecing to target cluster.
User should revoke his/her issued kubeconfig when possible leakage.
scored: false
- id: 3.2
text: "Logging"
checks:
- id: 3.2.1
text: "Ensure that a minimal audit policy is created (Manual)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-policy-file"
remediation: |
Create an audit policy file for your cluster.
scored: false
- id: 3.2.2
text: "Ensure that the audit policy covers key security concerns (Manual)"
type: "manual"
remediation: |
Consider modification of the audit policy in use on the cluster to include these items, at a
minimum.
scored: false