mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2026-02-22 22:03:54 +00:00
Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
8780e5cb59 | ||
|
|
230d286708 | ||
|
|
9c6d4de860 | ||
|
|
e2f61fad13 |
@@ -15,7 +15,7 @@ before_install:
|
||||
|
||||
script:
|
||||
- GO111MODULE=on go test ./...
|
||||
- docker build --tag kube-bench .
|
||||
- IMAGE_NAME=kube-bench make build-docker
|
||||
- docker run -v `pwd`:/host kube-bench install
|
||||
- test -d cfg
|
||||
- test -f kube-bench
|
||||
|
||||
12
Dockerfile
12
Dockerfile
@@ -1,9 +1,9 @@
|
||||
FROM golang:1.12 AS build
|
||||
WORKDIR /go/src/github.com/aquasecurity/kube-bench/
|
||||
ADD go.mod go.sum ./
|
||||
ADD main.go .
|
||||
ADD check/ check/
|
||||
ADD cmd/ cmd/
|
||||
COPY go.mod go.sum ./
|
||||
COPY main.go .
|
||||
COPY check/ check/
|
||||
COPY cmd/ cmd/
|
||||
ARG KUBEBENCH_VERSION
|
||||
RUN GO111MODULE=on CGO_ENABLED=0 go install -a -ldflags "-X github.com/aquasecurity/kube-bench/cmd.KubeBenchVersion=${KUBEBENCH_VERSION} -w"
|
||||
|
||||
@@ -13,8 +13,8 @@ WORKDIR /opt/kube-bench/
|
||||
# https://github.com/aquasecurity/kube-bench/issues/109
|
||||
RUN apk --no-cache add procps
|
||||
COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
|
||||
ADD entrypoint.sh .
|
||||
ADD cfg/ cfg/
|
||||
COPY entrypoint.sh .
|
||||
COPY cfg/ cfg/
|
||||
ENTRYPOINT ["./entrypoint.sh"]
|
||||
CMD ["install"]
|
||||
|
||||
|
||||
@@ -1215,7 +1215,7 @@ groups:
|
||||
set: true
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example, chown -R root:root /etc/kubernetes/pki/
|
||||
scored: true
|
||||
|
||||
@@ -1243,7 +1243,7 @@ groups:
|
||||
set: true
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example, chmod -R 644 /etc/kubernetes/pki/*.crt
|
||||
scored: true
|
||||
|
||||
@@ -1260,7 +1260,7 @@ groups:
|
||||
set: true
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example, chmod -R 600 /etc/kubernetes/pki/*.key
|
||||
scored: true
|
||||
|
||||
|
||||
@@ -464,8 +464,25 @@ groups:
|
||||
|
||||
- id: 2.2.7
|
||||
text: Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
||||
type: manual
|
||||
tests: {}
|
||||
audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %a $kubeletcafile; fi'"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "644"
|
||||
compare:
|
||||
op: eq
|
||||
value: "644"
|
||||
set: true
|
||||
- flag: "640"
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
set: true
|
||||
- flag: "600"
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: |
|
||||
Run the following command to modify the file permissions of the --client-ca-file
|
||||
chmod 644 <filename>
|
||||
|
||||
@@ -135,7 +135,8 @@ node:
|
||||
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
||||
- /var/snap/kube-proxy/current/args
|
||||
kubeconfig:
|
||||
- /etc/kubernetes/kubelet-kubeconfig
|
||||
- "/etc/kubernetes/kubelet-kubeconfig"
|
||||
- "/var/lib/kubelet/kubeconfig"
|
||||
svc:
|
||||
- "/lib/systemd/system/kube-proxy.service"
|
||||
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
||||
|
||||
@@ -3,4 +3,5 @@
|
||||
# $IMAGE_NAME var is injected into the build so the tag is correct.
|
||||
docker build --build-arg BUILD_DATE=`date -u +"%Y-%m-%dT%H:%M:%SZ"` \
|
||||
--build-arg VCS_REF=`git rev-parse --short HEAD` \
|
||||
--build-arg KUBEBENCH_VERSION=`git describe --tags --abbrev=0` \
|
||||
-t $IMAGE_NAME .
|
||||
|
||||
6
integration/testdata/job-master.data
vendored
6
integration/testdata/job-master.data
vendored
@@ -304,15 +304,15 @@ Run the below command (based on the etcd data directory found above). For exampl
|
||||
chown etcd:etcd /var/lib/etcd
|
||||
|
||||
1.4.19 [Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example, chown -R root:root /etc/kubernetes/pki/
|
||||
|
||||
1.4.20 [Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example, chmod -R 644 /etc/kubernetes/pki/*.crt
|
||||
|
||||
1.4.21 [Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example, chmod -R 600 /etc/kubernetes/pki/*.key
|
||||
|
||||
1.5.1 Follow the etcd service documentation and configure TLS encryption.
|
||||
|
||||
9
integration/testdata/job-node.data
vendored
9
integration/testdata/job-node.data
vendored
@@ -21,7 +21,7 @@
|
||||
[PASS] 2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)
|
||||
[FAIL] 2.2.5 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
|
||||
[FAIL] 2.2.6 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
|
||||
[WARN] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 2.2.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
|
||||
[PASS] 2.2.9 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
|
||||
[PASS] 2.2.10 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
|
||||
@@ -81,12 +81,9 @@ chmod 644 /etc/kubernetes/proxy.conf
|
||||
node. For example,
|
||||
chown root:root /etc/kubernetes/proxy.conf
|
||||
|
||||
2.2.7 Run the following command to modify the file permissions of the --client-ca-file
|
||||
chmod 644 <filename>
|
||||
|
||||
|
||||
== Summary ==
|
||||
15 checks PASS
|
||||
16 checks PASS
|
||||
7 checks FAIL
|
||||
1 checks WARN
|
||||
0 checks WARN
|
||||
1 checks INFO
|
||||
15
integration/testdata/job.data
vendored
15
integration/testdata/job.data
vendored
@@ -304,15 +304,15 @@ Run the below command (based on the etcd data directory found above). For exampl
|
||||
chown etcd:etcd /var/lib/etcd
|
||||
|
||||
1.4.19 [Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example, chown -R root:root /etc/kubernetes/pki/
|
||||
|
||||
1.4.20 [Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example, chmod -R 644 /etc/kubernetes/pki/*.crt
|
||||
|
||||
1.4.21 [Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example, chmod -R 600 /etc/kubernetes/pki/*.key
|
||||
|
||||
1.5.1 Follow the etcd service documentation and configure TLS encryption.
|
||||
@@ -447,7 +447,7 @@ Create a PSP as described in the Kubernetes documentation, ensuring that the .sp
|
||||
[PASS] 2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)
|
||||
[FAIL] 2.2.5 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
|
||||
[FAIL] 2.2.6 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
|
||||
[WARN] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 2.2.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
|
||||
[PASS] 2.2.9 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
|
||||
[PASS] 2.2.10 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
|
||||
@@ -507,12 +507,9 @@ chmod 644 /etc/kubernetes/proxy.conf
|
||||
node. For example,
|
||||
chown root:root /etc/kubernetes/proxy.conf
|
||||
|
||||
2.2.7 Run the following command to modify the file permissions of the --client-ca-file
|
||||
chmod 644 <filename>
|
||||
|
||||
|
||||
== Summary ==
|
||||
15 checks PASS
|
||||
16 checks PASS
|
||||
7 checks FAIL
|
||||
1 checks WARN
|
||||
0 checks WARN
|
||||
1 checks INFO
|
||||
Reference in New Issue
Block a user