AKS 1.5.0 CIS benchmark #1678

Open
wants to merge 16 commits into
base: main
Changes from 1 commit
Crawl paths from ENVs
Signed-off-by: rootxrishabh <rishabh.soni@nirmata.com>
rootxrishabh committed Jun 10, 2024
commit 21484093ec2fdaff96251cfd988600732e11f018
54 changes: 28 additions & 26 deletions cfg/oke-1.26/node.yaml
@@ -10,7 +10,7 @@ groups:
checks:
- id: 3.1.1
text: "Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Manual)"
audit: "stat -c %a /etc/kubernetes/kubelet.conf; stat -c %a /etc/kubernetes/bootstrap-kubelet.conf"
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
tests:
test_items:
- flag: "permissions"
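Review bot: `$proxykubeconfig` in the new 3.1.1 audit has to be defined in this benchmark's config.yaml (or inherited from the top-level one), otherwise the `if test -e` guard prints nothing at all and the `permissions` test fails with no hint that the variable was empty; please confirm the variable and its OKE default. The replaced audit stat'ed both /etc/kubernetes/kubelet.conf and /etc/kubernetes/bootstrap-kubelet.conf, so this hunk also narrows the check from two files to one, which deserves a sentence in the commit message. Note too that this commit edits cfg/oke-1.26/node.yaml while the PR is titled "AKS 1.5.0 CIS benchmark"; confirm the OKE change belongs here.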
@@ -22,9 +22,10 @@ groups:
For example,
chmod 644 $kubeletkubeconfig
scored: false

- id: 3.1.2
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Manual)"
audit: "stat -c %U:%G etc/kubernetes/kubelet.conf; stat -c %U:%G etc/kubernetes/bootstrap-kubelet.conf"
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
tests:
bin_op: or
test_items:
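Review bot: the remediation left at `chmod 644 $kubeletkubeconfig` (tail of 3.1.1, top of this hunk) no longer agrees with the 3.1.1 audit, which now stats `$proxykubeconfig`; someone following the remediation would fix the wrong file. Either point both at `$proxykubeconfig`, or keep the audit on `$kubeletkubeconfig` if 3.1.1 is meant to cover the kubelet kubeconfig. The 3.1.2 change itself is a real fix: the old `etc/kubernetes/kubelet.conf` paths had no leading slash and were relative, so `stat` would have failed whenever kube-bench was not run from /.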
@@ -37,7 +38,7 @@ groups:
scored: false
- id: 3.1.3
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Manual)"
audit: "stat -c %a etc/kubernetes/kubelet.conf; stat -c %a etc/kubernetes/bootstrap-kubelet.conf"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
tests:
test_items:
- flag: "permissions"
@@ -51,7 +52,7 @@ groups:
scored: true
- id: 3.1.4
text: "Ensure that the kubelet configuration file ownership is set to root:root (Manual)"
audit: "stat -c %U:%G etc/kubernetes/kubelet.conf; stat -c %U:%G etc/kubernetes/bootstrap-kubelet.conf"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
tests:
test_items:
- flag: root:root
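Review bot: `scored: true` at the top of this hunk closes 3.1.3, whose text is labelled (Manual) while the neighbouring Manual checks 3.1.1, 3.1.2 and 3.1.4 are `scored: false`; a Manual check that is scored reports FAIL instead of WARN. Either change the label or set `scored: false` to match the others.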
@@ -64,8 +65,8 @@ groups:
checks:
- id: 3.2.1
text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
audit: "cat /etc/systemd/system/kubelet.service"
# audit_config: "/bin/cat $kubeletconf"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: "--anonymous-auth"
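Review bot: replacing `cat /etc/systemd/system/kubelet.service` with `/bin/ps -fC $kubeletbin` plus `audit_config: "/bin/cat $kubeletconf"` only pays off if each test item also carries a `path:` JSONPath into the kubelet config (for `--anonymous-auth` that is `{.authentication.anonymous.enabled}`); the item visible here has only `flag:`, and on a managed node the kubelet is normally configured through the config file rather than command-line flags, so without `path:` the config output is never consulted and the check fails. Please confirm the `path:` entries exist below the shown context for this and the following 3.2.x checks, and that `kubeletbin` is defined in config.yaml as the process name (`ps -C` matches the command name, so `kubelet`, not a full path).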
@@ -84,8 +85,8 @@ groups:
scored: true
- id: 3.2.2
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
audit: "cat /etc/systemd/system/kubelet.service"
# audit_config: "/bin/cat $kubeletconf"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --authorization-mode
@@ -104,8 +105,8 @@ groups:
scored: true
- id: 3.2.3
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
audit: "cat /etc/systemd/system/kubelet.service"
# audit_config: "/bin/cat $kubeletconf"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --client-ca-file
@@ -121,8 +122,8 @@ groups:
scored: false
- id: 3.2.4
text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
audit: "cat /etc/systemd/system/kubelet.service"
# audit_config: "/bin/cat $kubeletconf"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
bin_op: or
test_items:
@@ -145,8 +146,8 @@ groups:
scored: false
- id: 3.2.5
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
audit: "cat /etc/systemd/system/kubelet.service"
# audit_config: "/bin/cat $kubeletconf"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --streaming-connection-idle-timeout
@@ -169,8 +170,8 @@ groups:
scored: false
- id: 3.2.6
text: "Ensure that the --protect-kernel-defaults argument is set to true (Manual)"
audit: "cat /etc/systemd/system/kubelet.service"
# audit_config: "cat /etc/systemd/system/kubelet.service"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --protect-kernel-defaults
@@ -190,8 +191,8 @@ groups:
scored: false
- id: 3.2.7
text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
audit: "cat /etc/systemd/system/kubelet.service"
# audit_config: "/bin/cat $kubeletconf"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --make-iptables-util-chains
@@ -217,7 +218,7 @@ groups:
# This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
audit: "cat /etc/systemd/system/kubelet.service"
audit: "/bin/ps -fC $kubeletbin "
tests:
test_items:
- flag: --hostname-override
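Review bot: the new audit string `"/bin/ps -fC $kubeletbin "` has a trailing space inside the quotes, unlike every other 3.2.x audit in this commit; harmless to the shell, but please drop it for consistency. Leaving out `audit_config` here is correct, since, as the comment above says, `--hostname-override` has no kubelet-config equivalent.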
@@ -232,8 +233,8 @@ groups:
scored: false
- id: 3.2.9
text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Automated)"
audit: "cat /etc/systemd/system/kubelet.service"
# audit_config: "/bin/cat $kubeletconf"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --event-qps
@@ -255,7 +256,8 @@ groups:
scored: true
- id: 3.2.10
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
audit: "cat /etc/systemd/system/kubelet.service"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
bin_op: and
test_items:
@@ -273,8 +275,8 @@ groups:
scored: true
- id: 3.2.11
text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
audit: "cat /etc/systemd/system/kubelet.service"
# audit_config: "/bin/cat $kubeletconf"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --rotate-certificates
@@ -297,8 +299,8 @@ groups:
scored: true
- id: 3.2.12
text: "Ensure that the --rotate-server-certificates argument is set to true (Manual)"
audit: "cat /etc/systemd/system/kubelet.service"
# audit_config: "/bin/cat $kubeletconf"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --rotate-certificates
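Review bot: 3.2.12 is titled `--rotate-server-certificates` but its test item still checks `--rotate-certificates`, the same flag 3.2.11 checks, so this check cannot tell server-certificate rotation apart from client rotation and will pass whenever 3.2.11 does. Change the flag to `--rotate-server-certificates`; since this hunk now adds `audit_config`, the corresponding kubelet config field is `serverTLSBootstrap`, i.e. `path: '{.serverTLSBootstrap}'` expected to be true.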