---
# Test-fixture controls for the check package (check/data).
#
# Every check's `text` describes the scenario being exercised; in groups 2.1
# and 3.1 the text also states the expected outcome ("-> pass" / "-> fail").
# The `audit`, `audit_config` and `audit_env` commands are deliberately
# trivial (`echo` / `printf`) so the fixture is self-contained — the values
# they print are the only input the test items below are evaluated against.
controls:
id: 1
text: "Test Checks"
type: "master"
groups:
  # Group 1.1: one check per comparison operator / lookup kind
  # (flag set/unset, eq/gte/lt/gt/lte, has/nothave, bitmask, regex,
  # jsonpath/yamlpath lookups, bin_op and/or, env lookups).
  - id: 1.1
    text: "First Group"
    checks:
      - id: 0
        text: "flag is set"
        audit: "echo \"Non empty command\""
        tests:
          test_items:
            - flag: "--allow-privileged"
              set: true

      - id: 1
        text: "flag is not set"
        audit: "echo \"Non empty command\""
        tests:
          test_items:
            - flag: "--basic-auth"
              set: false

      - id: 2
        text: "flag value is set to some value"
        audit: "echo \"Non empty command\""
        tests:
          test_items:
            - flag: "--insecure-port"
              compare:
                op: eq
                value: 0
              set: true

      - id: 3
        text: "flag value is greater than or equal some number"
        audit: "echo \"Non empty command\""
        tests:
          test_items:
            - flag: "--audit-log-maxage"
              compare:
                op: gte
                value: 30
              set: true

      - id: 4
        text: "flag value is less than some number"
        audit: "echo \"Non empty command\""
        tests:
          test_items:
            - flag: "--max-backlog"
              compare:
                op: lt
                value: 30
              set: true

      - id: 5
        text: "flag value does not have some value"
        audit: "echo \"Non empty command\""
        tests:
          test_items:
            - flag: "--admission-control"
              compare:
                op: nothave
                value: AlwaysAdmit
              set: true

      # Both test items must hold (bin_op: and).
      - id: 6
        text: "test AND binary operation"
        audit: "echo \"Non empty command\""
        tests:
          bin_op: and
          test_items:
            - flag: "--kubelet-client-certificate"
              set: true
            - flag: "--kubelet-clientkey"
              set: true

      # Either test item suffices (bin_op: or): the flag equals 0, or it is absent.
      - id: 7
        text: "test OR binary operation"
        audit: "echo \"Non empty command\""
        tests:
          bin_op: or
          test_items:
            - flag: "--secure-port"
              compare:
                op: eq
                value: 0
              set: true
            - flag: "--secure-port"
              set: false

      # `flag` here is a bare word rather than a "--option"; the lookup
      # presumably keys on the "permissions=" prefix in the audit output — verify
      # against the flag-parsing code in the check package.
      - id: 8
        text: "test flag with arbitrary text"
        audit: "echo \"Non empty command\""
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: eq
                value: "SomeValue"
              set: true

      # The only audit in this group that runs a real shell: `$config` is
      # expanded by /bin/sh at audit time. NOTE(review): where `$config` comes
      # from is not visible in this file — confirm the loading test sets it.
      - id: 9
        text: "test permissions"
        audit: "/bin/sh -c 'if test -e $config; then stat -c permissions=%a $config; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
              set: true

      # Checks 10–13 cover the `has` operator at each position of a
      # comma-separated list (last, first, middle, sole element).
      - id: 10
        text: "flag value includes some value in a comma-separated list, value is last in list"
        audit: "echo \"Non empty command\""
        tests:
          test_items:
            - flag: "--admission-control"
              compare:
                op: has
                value: RBAC
              set: true

      - id: 11
        text: "flag value includes some value in a comma-separated list, value is first in list"
        audit: "echo \"Non empty command\""
        tests:
          test_items:
            - flag: "--admission-control"
              compare:
                op: has
                value: WebHook
              set: true

      - id: 12
        text: "flag value includes some value in a comma-separated list, value middle of list"
        audit: "echo \"Non empty command\""
        tests:
          test_items:
            - flag: "--admission-control"
              compare:
                op: has
                value: Something
              set: true

      - id: 13
        text: "flag value includes some value in a comma-separated list, value only one in list"
        audit: "echo \"Non empty command\""
        tests:
          test_items:
            - flag: "--admission-control"
              compare:
                op: has
                value: Something
              set: true

      - id: 14
        text: "check that flag some-arg is set to some-val with ':' separator"
        audit: "echo \"Non empty command\""
        tests:
          test_items:
            - flag: "some-arg"
              compare:
                op: eq
                value: some-val
              set: true

      # Checks 15–26 use `path` (jsonpath / yamlpath) against the output of
      # `audit_config` instead of `flag` against `audit`.
      - id: 15
        text: "jsonpath correct value on field"
        audit: "echo \"Non empty command\""
        audit_config: "echo \"Non empty command\""
        tests:
          bin_op: or
          test_items:
            - path: "{.readOnlyPort}"
              compare:
                op: eq
                value: 15000
              set: true
            - path: "{.readOnlyPort}"
              compare:
                op: gte
                value: 15000
              set: true
            - path: "{.readOnlyPort}"
              compare:
                op: lte
                value: 15000
              set: true

      # Case sensitivity: "webhook,…" must be noteq while "WebHook,…" must be eq.
      - id: 16
        text: "jsonpath correct case-sensitive value on string field"
        audit: "echo \"Non empty command\""
        audit_config: "echo \"Non empty command\""
        tests:
          test_items:
            - path: "{.stringValue}"
              compare:
                op: noteq
                value: "None"
              set: true
            - path: "{.stringValue}"
              compare:
                op: noteq
                value: "webhook,Something,RBAC"
              set: true
            - path: "{.stringValue}"
              compare:
                op: eq
                value: "WebHook,Something,RBAC"
              set: true

      - id: 17
        text: "jsonpath correct value on boolean field"
        audit: "echo \"Non empty command\""
        audit_config: "echo \"Non empty command\""
        tests:
          test_items:
            - path: "{.trueValue}"
              compare:
                op: noteq
                value: somethingElse
              set: true
            - path: "{.trueValue}"
              compare:
                op: noteq
                value: false
              set: true
            - path: "{.trueValue}"
              compare:
                op: eq
                value: true
              set: true

      - id: 18
        text: "jsonpath field absent"
        audit: "echo \"Non empty command\""
        audit_config: "echo \"Non empty command\""
        tests:
          test_items:
            - path: "{.notARealField}"
              set: false

      # Note the expected value is the quoted string "false", not the YAML boolean.
      - id: 19
        text: "jsonpath correct value on nested field"
        audit: "echo \"Non empty command\""
        audit_config: "echo \"Non empty command\""
        tests:
          test_items:
            - path: "{.authentication.anonymous.enabled}"
              compare:
                op: eq
                value: "false"
              set: true

      - id: 20
        text: "yamlpath correct value on field"
        audit: "echo \"Non empty command\""
        audit_config: "echo \"Non empty command\""
        tests:
          test_items:
            - path: "{.readOnlyPort}"
              compare:
                op: gt
                value: 14999
              set: true

      - id: 21
        text: "yamlpath field absent"
        audit: "echo \"Non empty command\""
        audit_config: "echo \"Non empty command\""
        tests:
          test_items:
            - path: "{.fieldThatIsUnset}"
              set: false

      - id: 22
        text: "yamlpath correct value on nested field"
        audit: "echo \"Non empty command\""
        audit_config: "echo \"Non empty command\""
        tests:
          test_items:
            - path: "{.authentication.anonymous.enabled}"
              compare:
                op: eq
                value: "false"
              set: true

      # Checks 23–25 are the malformed-input cases (invalid json, broken path
      # expression, invalid yaml); the fixture itself looks well-formed, so the
      # bad input is presumably injected by the test that loads it — verify.
      - id: 23
        text: "path on invalid json"
        audit: "echo \"Non empty command\""
        audit_config: "echo \"Non empty command\""
        tests:
          test_items:
            - path: "{.authentication.anonymous.enabled}"
              compare:
                op: eq
                value: "false"
              set: true

      - id: 24
        text: "path with broken expression"
        audit: "echo \"Non empty command\""
        audit_config: "echo \"Non empty command\""
        tests:
          test_items:
            - path: "{.missingClosingBrace}"
              set: true

      # Unlike 23 and 24 this check has no audit_config.
      - id: 25
        text: "yamlpath on invalid yaml"
        audit: "echo \"Non empty command\""
        tests:
          test_items:
            - path: "{.authentication.anonymous.enabled}"
              compare:
                op: eq
                value: "false"
              set: true

      # Single-quoted so the backslash in the pattern is kept literally.
      - id: 26
        text: "check regex op matches"
        audit: "echo \"Non empty command\""
        audit_config: "echo \"Non empty command\""
        tests:
          test_items:
            - path: "{.currentMasterVersion}"
              compare:
                op: regex
                value: '^1\.12.*$'
              set: true

      # Checks 27/28: a boolean flag given without an explicit value vs. with "false".
      - id: 27
        text: "check boolean flag with no value"
        audit: "echo \"Non empty command\""
        tests:
          test_items:
            - flag: "--peer-client-cert-auth"
              compare:
                op: eq
                value: true
              set: true

      - id: 28
        text: "check boolean flag with false value"
        audit: "echo \"Non empty command\""
        tests:
          test_items:
            - flag: "--peer-client-cert-auth"
              compare:
                op: eq
                value: false
              set: true

      # Checks 29–33 have no `audit`; each test item carries an `env` name in
      # addition to (or, for 33, instead of) a `flag`.
      - id: 29
        text: "flag is set (via env)"
        tests:
          test_items:
            - flag: "--allow-privileged"
              env: "ALLOW_PRIVILEGED"
              set: true

      - id: 30
        text: "flag is not set (via env)"
        tests:
          test_items:
            - flag: "--basic-auth"
              env: "BASIC_AUTH"
              set: false

      - id: 31
        text: "flag value is set to some value (via env)"
        tests:
          test_items:
            - flag: "--insecure-port"
              env: "INSECURE_PORT"
              compare:
                op: eq
                value: 0
              set: true

      - id: 32
        text: "flag value is greater than or equal some number (via env)"
        tests:
          test_items:
            - flag: "--audit-log-maxage"
              env: "AUDIT_LOG_MAXAGE"
              compare:
                op: gte
                value: 30
              set: true

      # No `flag` on this item: the value is looked up by env name only
      # (presumably intentional, given the "(via env)" text).
      - id: 33
        text: "flag value is less than some number (via env)"
        tests:
          test_items:
            - env: "MAX_BACKLOG"
              compare:
                op: lt
                value: 30
              set: true

  # Group 2.1: precedence between `audit` (command-line flags) and
  # `audit_config` (config-file path lookups). Every check here is scored and
  # its text states the expected result; check 12's text records the rule
  # under test: command line parameters override the config file.
  - id: 2.1
    text: "audit and audit_config commands"
    checks:
      - id: 0
        text: "audit finds flag and passes, audit_config doesn't exist -> pass"
        audit: "echo flag=correct"
        tests:
          test_items:
            - flag: "flag"
              compare:
                op: eq
                value: "correct"
              set: true
        scored: true
      - id: 1
        text: "audit finds flag and fails, audit_config doesn't exist -> fail"
        audit: "echo flag=wrong"
        tests:
          test_items:
            - flag: "flag"
              compare:
                op: eq
                value: "correct"
              set: true
        scored: true
      - id: 2
        text: "audit doesn't find flag, audit_config doesn't exist -> fail"
        audit: "echo somethingElse=correct"
        tests:
          test_items:
            - flag: "flag"
              compare:
                op: eq
                value: "correct"
              set: true
        scored: true
      # From here on each test item carries both `flag` (for audit output)
      # and `path` (for audit_config output).
      - id: 3
        text: "audit doesn't find flag, audit_config has correct setting -> pass"
        audit: "echo somethingElse=correct"
        audit_config: "echo 'flag: correct'"
        tests:
          test_items:
            - flag: "flag"
              path: "{.flag}"
              compare:
                op: eq
                value: "correct"
              set: true
        scored: true
      - id: 4
        text: "audit doesn't find flag, audit_config has wrong setting -> fail"
        audit: "echo somethingElse=correct"
        audit_config: "echo 'flag: wrong'"
        tests:
          test_items:
            - flag: "flag"
              path: "{.flag}"
              compare:
                op: eq
                value: "correct"
              set: true
        scored: true
      - id: 5
        text: "audit finds correct flag, audit_config has wrong setting -> pass"
        audit: "echo flag=correct"
        audit_config: "echo 'flag: wrong'"
        tests:
          test_items:
            - flag: "flag"
              path: "{.flag}"
              compare:
                op: eq
                value: "correct"
              set: true
        scored: true
      - id: 6
        text: "neither audit nor audit_config has correct setting -> fail"
        audit: "echo flag=wrong"
        audit_config: "echo 'flag: wrong'"
        tests:
          test_items:
            - flag: "flag"
              path: "{.flag}"
              compare:
                op: eq
                value: "correct"
              set: true
        scored: true
      # Checks 7/8: no `audit` at all; `flag` is present but has nothing to match.
      - id: 7
        text: "audit isn't present, superfluous flag field,audit_config is correct -> pass"
        audit_config: "echo 'flag: correct'"
        tests:
          test_items:
            - flag: "flag"
              path: "{.flag}"
              compare:
                op: eq
                value: "correct"
              set: true
        scored: true
      - id: 8
        text: "audit isn't present, superfluous flag field,audit_config is wrong -> fail"
        audit_config: "echo 'flag: wrong'"
        tests:
          test_items:
            - flag: "flag"
              path: "{.flag}"
              compare:
                op: eq
                value: "correct"
              set: true
        scored: true
      # Checks 9–11: `use_multiple_values` with several "permissions=" lines in
      # the audit output (all 600; one 644; one empty line in between).
      - id: 9
        text: "test use_multiple_values is correct -> pass"
        audit: "printf 'permissions=600\npermissions=600\npermissions=600'"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
              set: true
        scored: true
      - id: 10
        text: "test use_multiple_values is wrong -> fail"
        audit: "printf 'permissions=600\npermissions=600\npermissions=644'"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
              set: true
        scored: true
      - id: 11
        text: "test use_multiple_values include empty value -> fail"
        audit: "printf 'permissions=600\n\npermissions=600'"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
              set: true
        scored: true
      - id: 12
        text: "audit is present and wrong, audit_config is right -> fail (command line parameters override config file)"
        audit: "echo flag=wrong"
        audit_config: "echo 'flag: correct'"
        tests:
          test_items:
            - flag: "flag"
              path: "{.flag}"
              compare:
                op: eq
                value: "correct"
              set: true
        scored: true
      # Checks 13–16: flag and config key with differing defaults. Each uses
      # two items — "value is 0" and "not set at all" — combined with `and`
      # (13) or `or` (14–16). `path` is written with both "…" and '…' quoting
      # below; in YAML those are the same string.
      - id: 13
        text: "parameter and config file don't have same default - parameter has failing value"
        audit: "echo '--read-only-port=1'"
        audit_config: "echo 'readOnlyPort: 0'"
        tests:
          bin_op: and
          test_items:
            - flag: "--read-only-port"
              path: "{.readOnlyPort}"
              set: true
              compare:
                op: eq
                value: 0
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: false
        scored: true
      - id: 14
        text: "parameter and config file don't have same default - config file has failing value"
        audit: "echo ''"
        audit_config: "echo 'readOnlyPort: 1'"
        tests:
          bin_op: or
          test_items:
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: true
              compare:
                op: eq
                value: 0
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: false
        scored: true
      - id: 15
        text: "parameter and config file don't have same default - passing"
        audit: "echo ''"
        audit_config: "echo ''"
        tests:
          bin_op: or
          test_items:
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: true
              compare:
                op: eq
                value: 0
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: false
        scored: true
      - id: 16
        text: "parameter and config file don't have same default - parameter has bad value and config is not present - failing"
        audit: "echo '--read-only-port=1'"
        audit_config: "echo ''"
        tests:
          bin_op: or
          test_items:
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: true
              compare:
                op: eq
                value: 0
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: false
        scored: true

  # Group 3.1: `audit_env` as a third source, alongside `audit` and
  # `audit_config`. Test items carry `env` (and, from check 3 on, `path`) in
  # addition to `flag`; the expected outcome is in each check's text.
  - id: 3.1
    text: "audit_env commands"
    checks:
      - id: 0
        text: "audit fails to find flag, audit_env finds flag -> pass"
        audit: "echo in=incorrect"
        audit_env: "echo flag=correct"
        tests:
          test_items:
            - flag: "flag"
              env: "flag"
              compare:
                op: eq
                value: "correct"
              set: true
        scored: true
      - id: 1
        text: "audit fails to find flag, audit_env finds flag and fails -> fail"
        audit: "echo in=wrong"
        audit_env: "echo flag=wrong"
        tests:
          test_items:
            - flag: "flag"
              env: "flag"
              compare:
                op: eq
                value: "correct"
              set: true
        scored: true
      - id: 2
        text: "audit finds correct flag, audit_env is incorrect -> pass"
        audit: "echo flag=correct"
        audit_env: "echo flag=incorrect"
        tests:
          test_items:
            - flag: "flag"
              env: "flag"
              compare:
                op: eq
                value: "correct"
              set: true
        scored: true
      # No audit_env on this check; the item has no `env` either.
      - id: 3
        text: "audit doesn't flag flag, audit_config finds it and passes, audit_env is not present -> pass"
        audit: "echo in=correct"
        audit_config: "echo 'flag: correct'"
        tests:
          test_items:
            - flag: "flag"
              path: "{.flag}"
              compare:
                op: eq
                value: "correct"
              set: true
        scored: true
      - id: 4
        text: "audit doesn't flag flag, audit_config doesn't find flag, audit_env finds and passes -> pass"
        audit: "echo in=correct"
        audit_config: "echo 'in: correct'"
        audit_env: "echo flag=correct"
        tests:
          test_items:
            - flag: "flag"
              path: "{.flag}"
              env: "flag"
              compare:
                op: eq
                value: "correct"
              set: true
        scored: true
      - id: 5
        text: "audit doesn't find flag, audit_config doesn't find flag, audit_env finds and fails -> fails"
        audit: "echo in=correct"
        audit_config: "echo 'in: correct'"
        audit_env: "echo flag=incorrect"
        tests:
          test_items:
            - flag: "flag"
              path: "{.flag}"
              env: "flag"
              compare:
                op: eq
                value: "correct"
              set: true
        scored: true
      # A correct audit_env value does not rescue a failing audit/audit_config
      # (expected "-> fails" per the text).
      - id: 6
        text: "audit finds flag and fails, audit_config finds flag and fails, audit_env finds and passes -> fails"
        audit: "echo flag=incorrect"
        audit_config: "echo 'flag: incorrect'"
        audit_env: "echo flag=correct"
        tests:
          test_items:
            - flag: "flag"
              path: "{.flag}"
              env: "flag"
              compare:
                op: eq
                value: "correct"
              set: true
        scored: true