github/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2026-02-14 18:10:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
f1807bb192d83e1cf78a2576930be2e61c2f4685
kube-bench/cfg/cis-1.12/controlplane.yaml
Andy Pitcher f1807bb192 feat: add CIS-1.12 support (#2035) 
- Update master to 1.2.29 and purge CBC ciphers: https://workbench.cisecurity.org/tickets/24968
- Remove TLS_RSA_WITH_AES_256_GCM_SHA384 & TLS_RSA_WITH_AES_128_GCM_SHA256 (CBC support) for node 4.2.12: https://workbench.cisecurity.org/tickets/24968
- Remove node check 4.2.15: https://workbench.cisecurity.org/tickets/24915
- Remove policy 5.2.9 "Minimize the admission of containers with added capabilities" (Manual): https://workbench.cisecurity.org/benchmarks/21709/tickets/25337
- Update "Minimize the admission of containers with capabilities assigned" policies to remove PodSecurityPolicy (PSP) references

Signed-off-by: Andy Pitcher <andy.pitcher@suse.com>
2026-02-12 11:34:08 +06:00

63 lines
2.3 KiB
YAML
Raw Blame History

---
controls:
version: "cis-1.12"
id: 3
text: "Control Plane Configuration"
type: "controlplane"
groups:
- id: 3.1
text: "Authentication and Authorization"
checks:
- id: 3.1.1
text: "Client certificate authentication should not be used for users (Manual)"
type: "manual"
remediation: |
Alternative mechanisms provided by Kubernetes such as the use of OIDC should be
implemented in place of client certificates.
scored: false
- id: 3.1.2
text: "Service account token authentication should not be used for users (Manual)"
type: "manual"
remediation: |
Alternative mechanisms provided by Kubernetes such as the use of OIDC should be implemented
in place of service account tokens.
scored: false
- id: 3.1.3
text: "Bootstrap token authentication should not be used for users (Manual)"
type: "manual"
remediation: |
Alternative mechanisms provided by Kubernetes such as the use of OIDC should be implemented
in place of bootstrap tokens.
scored: false
- id: 3.2
text: "Logging"
checks:
- id: 3.2.1
text: "Ensure that a minimal audit policy is created (Manual)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-policy-file"
set: true
remediation: |
Create an audit policy file for your cluster.
scored: false
- id: 3.2.2
text: "Ensure that the audit policy covers key security concerns (Manual)"
type: "manual"
remediation: |
Review the audit policy provided for the cluster and ensure that it covers
at least the following areas,
- Access to Secrets managed by the cluster. Care should be taken to only
log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in
order to avoid risk of logging sensitive data.
- Modification of Pod and Deployment objects.
- Use of `pods/exec`, `pods/portforward`, `pods/proxy` and `services/proxy`.
For most requests, minimally logging at the Metadata level is recommended
(the most basic level of logging).
scored: false
Reference in New Issue View Git Blame Copy Permalink