github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/ack-1.0/controlplane.yaml

github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/ack-1.0/controlplane.yaml (about)

     1  ---
     2  controls:
     3  version: "ack-1.0"
     4  id: 3
     5  text: "Control Plane Configuration"
     6  type: "controlplane"
     7  groups:
     8    - id: 3.1
     9      text: "Authentication and Authorization"
    10      checks:
    11        - id: 3.1.1
    12          text: "Revoke client certificate when possible leakage (Manual)"
    13          type: "manual"
    14          remediation: |
    15            Kubernetes provides the option to use client certificates for user authentication.
    16            ACK issues kubeconfig with its client certificates as the user credentials for connecing to target cluster.
    17            User should revoke his/her issued kubeconfig when possible leakage.
    18          scored: false
    19  
    20    - id: 3.2
    21      text: "Logging"
    22      checks:
    23        - id: 3.2.1
    24          text: "Ensure that a minimal audit policy is created (Manual)"
    25          audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
    26          tests:
    27            test_items:
    28              - flag: "--audit-policy-file"
    29          remediation: |
    30            Create an audit policy file for your cluster.
    31          scored: false
    32  
    33        - id: 3.2.2
    34          text: "Ensure that the audit policy covers key security concerns (Manual)"
    35          type: "manual"
    36          remediation: |
    37            Consider modification of the audit policy in use on the cluster to include these items, at a
    38            minimum.
    39          scored: false