github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/cis-1.6/controlplane.yaml (about)

     1  ---
        # Check definitions for section 3, "Control Plane Configuration", of the "cis-1.6"
        # benchmark set (this file sits under cfg/cis-1.6/ in the kube-bench module).
        # `controls:` carries no value of its own: version, id, text, type and groups are
        # written at the same indentation, so they are its siblings in the top-level mapping.
     2  controls:
     3  version: "cis-1.6"
        # NOTE(review): ids are plain scalars. A generic YAML loader reads `3` as an integer and
        # `3.1` / `3.2` as floats, while `3.1.1` stays a string. Confirm the consumer reads ids
        # as strings before adding an id such as 3.10, which a float-typing loader reads as 3.1.
     4  id: 3
     5  text: "Control Plane Configuration"
     6  type: "controlplane"
        # Each group holds a list of checks; the groups visible here are 3.1 and 3.2.
     7  groups:
     8    - id: 3.1
            # Group 3.1 covers how users authenticate to the cluster. It holds one check.
     9      text: "Authentication and Authorization"
    10      checks:
    11        - id: 3.1.1
                # This check defines no `audit` command and no `tests`, so nothing in this entry
                # inspects the cluster. With type "manual" and scored: false, a reviewer has to
                # establish how human users actually authenticate (kubeconfig contents, API
                # server authentication flags, identity-provider setup).
                # Background, not stated in this file: Kubernetes offers no way to revoke an
                # individual client certificate, so a leaked user certificate stays valid until
                # it expires or the signing CA is rotated.
    12          text: "Client certificate authentication should not be used for users (Manual)"
    13          type: "manual"
    14          remediation: |
    15            Alternative mechanisms provided by Kubernetes such as the use of OIDC should be
    16            implemented in place of client certificates.
    17          scored: false
    18  
    19    - id: 3.2
            # Group 3.2 covers API server audit logging. It holds checks 3.2.1 and 3.2.2.
    20      text: "Logging"
    21      checks:
    22        - id: 3.2.1
                # The text says "(Manual)" and scored is false, but unlike 3.1.1 and 3.2.2 this
                # entry has no `type: "manual"`; it carries an audit command and a test instead.
    23          text: "Ensure that a minimal audit policy is created (Manual)"
                # The audit lists all processes, keeps lines matching $apiserverbin and drops
                # the grep process itself. $apiserverbin is presumably replaced with the API
                # server binary name by the tool before the command runs (confirm against the
                # variable substitution config).
                # Caveat: the match is a plain substring grep over the process table visible
                # from where the command runs. If the API server process is not visible there,
                # the output is empty and the flag test below cannot succeed.
    24          audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
                # The only test is that --audit-policy-file appears in the audit output. It does
                # not read the referenced file, so a missing, empty or log-nothing policy still
                # satisfies it. The policy content is the subject of check 3.2.2.
    25          tests:
    26            test_items:
    27              - flag: "--audit-policy-file"
    28                set: true
    29          remediation: |
    30            Create an audit policy file for your cluster.
    31          scored: false
    32  
    33        - id: 3.2.2
                # Manual, unscored check with no audit command or tests: the audit policy file
                # has to be read by a reviewer.
                # The remediation below says "these items" but does not enumerate them here.
                # The CIS Kubernetes Benchmark text for this control lists (confirm against your
                # copy of the benchmark):
                #   - access to Secrets, logged at Metadata level only for Secrets, ConfigMaps
                #     and TokenReviews so that sensitive payloads do not land in the audit log
                #   - modification of pod and deployment objects
                #   - use of pods/exec, pods/portforward, pods/proxy and services/proxy
    34          text: "Ensure that the audit policy covers key security concerns (Manual)"
    35          type: "manual"
    36          remediation: |
    37            Consider modification of the audit policy in use on the cluster to include these items, at a
    38            minimum.
    39          scored: false