aquasecurity
kube-bench
Commit 29122b82, authored 7 years ago by Abubakr-Sadik Nii Nai Davis
Add master node manual check definitions.
parent
43c1470c
1 changed file: cfg/master.yaml (+84 −7)
@@ -479,19 +479,14 @@ groups:
parameter
to
\"
--experimental-encryption-provider-config=</path/to/EncryptionConfig/File>
\"
"
parameter
to
\"
--experimental-encryption-provider-config=</path/to/EncryptionConfig/File>
\"
"
scored
:
true
scored
:
true
# TODO: provide flag to WARN of manual tasks which we can't automate.
-
id
:
1.1.35
-
id
:
1.1.35
text
:
"
Ensure
that
the
encryption
provider
is
set
to
aescbc
(Scored)"
text
:
"
Ensure
that
the
encryption
provider
is
set
to
aescbc
(Scored)"
audit
:
"
ps
-ef
|
grep
$apiserverbin
|
grep
-v
grep"
audit
:
"
ps
-ef
|
grep
$apiserverbin
|
grep
-v
grep"
tests
:
type
:
"
manual"
test_items
:
-
flag
:
"
requires
manual
intervention"
set
:
true
remediation
:
"
Follow
the
Kubernetes
documentation
and
configure
a
EncryptionConfig
file.
In
this
file,
remediation
:
"
Follow
the
Kubernetes
documentation
and
configure
a
EncryptionConfig
file.
In
this
file,
choose
aescbc
as
the
encryption
provider"
choose
aescbc
as
the
encryption
provider"
scored
:
true
scored
:
true
-
id
:
1.2
-
id
:
1.2
text
:
"
Scheduler"
text
:
"
Scheduler"
checks
:
checks
:
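Review bot: with the `tests:` / `test_items:` block (`flag: "requires manual intervention"`, `set: true`) removed from 1.1.35, the check keeps `audit: "ps -ef | grep $apiserverbin | grep -v grep"` but nothing evaluates that output any more, and it is still `scored: true`. The apiserver command line cannot show which provider the EncryptionConfig file selects, so the audit never could verify "aescbc" on its own; either drop the `audit:` line for this manual item, or make the audit read the file named by `--experimental-encryption-provider-config` and grep it for `aescbc` so the check becomes automatable. The deleted `# TODO: provide flag to WARN of manual tasks which we can't automate.` was the only note on how a check without tests should be reported; that behaviour should be documented somewhere now that the TODO is gone.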
@@ -573,7 +568,13 @@ groups:
KUBE_CONTROLLER_MANAGER_ARGS
parameter
to
include
--root-ca-file=<file>"
KUBE_CONTROLLER_MANAGER_ARGS
parameter
to
include
--root-ca-file=<file>"
scored
:
true
scored
:
true
# TODO: 1.3.6 is manual, provide way to WARN
-
id
:
1.3.6
text
:
"
Apply
Security
Context
to
Your
Pods
and
Containers
(Not
Scored)"
type
:
"
manual"
remediation
:
"
Edit
the
/etc/kubernetes/controller-manager
file
on
the
master
node
and
set
the
KUBE_CONTROLLER_MANAGER_ARGS
parameter
to
a
value
to
include
\"
--feature-gates=RotateKubeletServerCertificate=true
\"
"
scored
:
false
-
id
:
1.3.7
-
id
:
1.3.7
text
:
"
Ensure
that
the
RotateKubeletServerCertificate
argument
is
set
to
true
(Scored)"
text
:
"
Ensure
that
the
RotateKubeletServerCertificate
argument
is
set
to
true
(Scored)"
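Review bot: the remediation on the new 1.3.6 entry does not match its text. The check is "Apply Security Context to Your Pods and Containers (Not Scored)", yet the remediation tells the user to edit /etc/kubernetes/controller-manager and add `--feature-gates=RotateKubeletServerCertificate=true`, which is the fix belonging to 1.3.7 ("Ensure that the RotateKubeletServerCertificate argument is set to true") directly below it. Replace it with security-context guidance, for example the wording this same commit uses for 1.6.6: "Follow the Kubernetes documentation and apply security contexts to your pods." If any flag-based remediation is kept here, reference the config file through a variable as the other checks do (compare `$apiserverconf` in 1.6.5) instead of hardcoding /etc/kubernetes/controller-manager.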
@@ -717,6 +718,20 @@ groups:
chmod
700
/var/lib/etcd/default.etcd"
chmod
700
/var/lib/etcd/default.etcd"
scored
:
true
scored
:
true
-
id
:
1.4.12
text
:
"
Ensure
that
the
etcd
data
directory
ownership
is
set
to
etcd:etcd
(Scored)"
audit
:
"
ps
-ef
|
grep
$etcdbin
|
grep
-v
grep
|
grep
-o
data-dir=.*
|
cut
-d=
-f2
|
xargs
stat
-c
%U:%G"
tests
:
test_items
:
-
flag
:
"
etcd:etcd"
set
:
true
remediation
:
"
On
the
etcd
server
node,
get
the
etcd
data
directory,
passed
as
an
argument
--data-dir
,
from
the
below
command:
\n
ps
-ef
|
grep
etcd
\n
Run
the
below
command
(based
on
the
etcd
data
directory
found
above).
For
example,
\n
chown
etcd:etcd
/var/lib/etcd/default.etcd"
scored
:
true
-
id
:
1.5
-
id
:
1.5
text
:
"
etcd"
text
:
"
etcd"
checks
:
checks
:
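Review bot: the 1.4.12 audit uses `grep -o data-dir=.*`, which is greedy and captures everything from `data-dir=` to the end of the etcd command line, so unless `--data-dir` happens to be the last argument, `stat` receives the directory path followed by every remaining flag and fails, and the `etcd:etcd` flag test then fails on a correctly configured node. It also silently misses the space-separated form `--data-dir /path`. Use a match bounded at whitespace, e.g. `grep -o -- '--data-dir=[^ ]*'`, and consider handling the space-separated form too; the remediation already tells the user to read the value from `ps -ef | grep etcd` by hand, so the audit should be at least that reliable. Quoting the extracted path before `xargs stat` would also protect against directories containing spaces.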
@@ -859,3 +874,65 @@ groups:
remediation
:
"
Follow
the
etcd
documentation
and
create
a
dedicated
certificate
authority
setup
for
the
remediation
:
"
Follow
the
etcd
documentation
and
create
a
dedicated
certificate
authority
setup
for
the
etcd
service."
etcd
service."
scored
:
false
scored
:
false
-
id
:
1.6
text
:
"
General
Security
Primitives"
checks
:
-
id
:
1.6.1
text
:
"
Ensure
that
the
cluster-admin
role
is
only
used
where
required
(Not
Scored)"
type
:
"
manual"
remediation
:
"
Remove
any
unneeded
clusterrolebindings:
kubectl
delete
clusterrolebinding
[name]"
scored
:
false
-
id
:
1.6.2
text
:
"
Create
Pod
Security
Policies
for
your
cluster
(Not
Scored)"
type
:
"
manual"
remediation
:
"
Follow
the
documentation
and
create
and
enforce
Pod
Security
Policies
for
your
cluster.
Additionally,
you
could
refer
the
\"
CIS
Security
Benchmark
for
Docker
\"
and
follow
the
suggested
Pod
Security
Policies
for
your
environment."
scored
:
false
-
id
:
1.6.3
text
:
"
Create
administrative
boundaries
between
resources
using
namespaces
(Not
Scored)"
type
:
"
manual"
remediation
:
"
Follow
the
documentation
and
create
namespaces
for
objects
in
your
deployment
as
you
need
them."
scored
:
false
-
id
:
1.6.4
text
:
"
Create
network
segmentation
using
Network
Policies
(Not
Scored)"
type
:
"
manual"
remediation
:
"
Follow
the
documentation
and
create
NetworkPolicy
objects
as
you
need
them."
scored
:
false
-
id
:
1.6.5
text
:
"
Ensure
that
the
seccomp
profile
is
set
to
docker/default
in
your
pod
definitions
(Not
Scored)"
type
:
"
manual"
remediation
:
"
Seccomp
is
an
alpha
feature
currently.
By
default,
all
alpha
features
are
disabled.
So,
you
would
need
to
enable
alpha
features
in
the
apiserver
by
passing
\"
--feature-
gates=AllAlpha=true
\"
argument.
\n
Edit
the
$apiserverconf
file
on
the
master
node
and
set
the
KUBE_API_ARGS
parameter
to
\"
--feature-gates=AllAlpha=true
\"
KUBE_API_ARGS=
\"
--feature-gates=AllAlpha=true
\"
"
scored
:
false
-
id
:
1.6.6
text
:
"
Apply
Security
Context
to
Your
Pods
and
Containers
(Not
Scored)"
type
:
"
manual"
remediation
:
"
Follow
the
Kubernetes
documentation
and
apply
security
contexts
to
your
pods.
For
a
suggested
list
of
security
contexts,
you
may
refer
to
the
CIS
Security
Benchmark
for
Docker
Containers."
scored
:
false
-
id
:
1.6.7
text
:
"
Configure
Image
Provenance
using
ImagePolicyWebhook
admission
controller
(Not
Scored)"
type
:
"
manual"
remediation
:
"
Follow
the
Kubernetes
documentation
and
setup
image
provenance."
scored
:
false
-
id
:
1.6.8
text
:
"
Configure
Network
policies
as
appropriate
(Not
Scored)"
type
:
"
manual"
remediation
:
"
Follow
the
Kubernetes
documentation
and
setup
network
policies
as
appropriate."
scored
:
false
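Review bot: the 1.6.5 remediation has two text defects and one substantive one. The feature-gate flag is split across a line break as `--feature-` followed by `gates=AllAlpha=true`, which a reader copying it will paste as two tokens, and the `KUBE_API_ARGS` setting is stated twice in a row (`set the KUBE_API_ARGS parameter to "--feature-gates=AllAlpha=true" KUBE_API_ARGS="--feature-gates=AllAlpha=true"`). More importantly, recommending `--feature-gates=AllAlpha=true` on the apiserver enables every alpha feature cluster-wide just to get seccomp profiles, which the remediation itself describes as an alpha feature; a hardening benchmark should at least warn about that blast radius rather than present it as the default fix. Also note the duplication within this commit: 1.6.6 "Apply Security Context to Your Pods and Containers (Not Scored)" repeats the text of the 1.3.6 entry added above, and 1.6.4 and 1.6.8 are both "create network policies" items with near-identical remediations. If these mirror the benchmark numbering, keep them but align the remediation wording; otherwise drop the duplicates.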