kube_auto_analyzer 0.0.5 → 0.0.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/kube_auto_analyzer/api_checks/master_node.rb +82 -73
- data/lib/kube_auto_analyzer/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 62e3662e8af79fd34786e09365d3dc9247facc66
|
|
4
|
+
data.tar.gz: 6f8b1ab40edfba133847ebc220863c00f5d5f6c6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 47fdb79b36cdf3cad35b13f9225426e3c926040a60dbf806ca1b2d7b388ce0a88d6037e172571b58ad2db9d45cf46b005e4e7c242e24629160bb9dd6484e290e
|
|
7
|
+
data.tar.gz: 28f825709c18510c33d0e524e877b6de640489d63c0668df9c05256ff64a0a635820ee157e6e8585afec48d1d7f19973f712607a7e060b45a9042f37fbb7e37e
|
|
@@ -21,222 +21,231 @@ module KubeAutoAnalyzer
|
|
|
21
21
|
|
|
22
22
|
api_server_command_line = @api_server['spec']['containers'][0]['command']
|
|
23
23
|
|
|
24
|
-
#Check for Allow Privileged
|
|
25
|
-
unless api_server_command_line.index{|line| line =~ /--allow-privileged=false/}
|
|
26
|
-
@results[target]['api_server']['CIS 1.1.1 - Ensure that the --allow-privileged argument is set to false'] = "Fail"
|
|
27
|
-
else
|
|
28
|
-
@results[target]['api_server']['CIS 1.1.1 - Ensure that the --allow-privileged argument is set to false'] = "Pass"
|
|
29
|
-
end
|
|
30
|
-
|
|
31
24
|
#Check for Anonymous Auth
|
|
32
25
|
unless api_server_command_line.index{|line| line =~ /--anonymous-auth=false/}
|
|
33
|
-
@results[target]['api_server']['CIS 1.1.
|
|
26
|
+
@results[target]['api_server']['CIS 1.1.1 - Ensure that the --anonymous-auth argument is set to false'] = "Fail"
|
|
34
27
|
else
|
|
35
|
-
@results[target]['api_server']['CIS 1.1.
|
|
28
|
+
@results[target]['api_server']['CIS 1.1.1 - Ensure that the --anonymous-auth argument is set to false'] = "Pass"
|
|
36
29
|
end
|
|
37
30
|
|
|
38
31
|
#Check for Basic Auth
|
|
39
32
|
if api_server_command_line.index{|line| line =~ /--basic-auth-file/}
|
|
40
|
-
@results[target]['api_server']['CIS 1.1.
|
|
33
|
+
@results[target]['api_server']['CIS 1.1.2 - Ensure that the --basic-auth-file argument is not set'] = "Fail"
|
|
41
34
|
else
|
|
42
|
-
@results[target]['api_server']['CIS 1.1.
|
|
35
|
+
@results[target]['api_server']['CIS 1.1.2 - Ensure that the --basic-auth-file argument is not set'] = "Pass"
|
|
43
36
|
end
|
|
44
37
|
|
|
45
38
|
#Check for Insecure Allow Any Token
|
|
46
39
|
if api_server_command_line.index{|line| line =~ /--insecure-allow-any-token/}
|
|
47
|
-
@results[target]['api_server']['CIS 1.1.
|
|
40
|
+
@results[target]['api_server']['CIS 1.1.3 - Ensure that the --insecure-allow-any-token argument is not set'] = "Fail"
|
|
48
41
|
else
|
|
49
|
-
@results[target]['api_server']['CIS 1.1.
|
|
42
|
+
@results[target]['api_server']['CIS 1.1.3 - Ensure that the --insecure-allow-any-token argument is not set'] = "Pass"
|
|
50
43
|
end
|
|
51
44
|
|
|
52
45
|
#Check to confirm that Kubelet HTTPS isn't set to false
|
|
53
46
|
if api_server_command_line.index{|line| line =~ /--kubelet-https=false/}
|
|
54
|
-
@results[target]['api_server']['CIS 1.1.
|
|
47
|
+
@results[target]['api_server']['CIS 1.1.4 - Ensure that the --kubelet-https argument is set to true'] = "Fail"
|
|
55
48
|
else
|
|
56
|
-
@results[target]['api_server']['CIS 1.1.
|
|
49
|
+
@results[target]['api_server']['CIS 1.1.4 - Ensure that the --kubelet-https argument is set to true'] = "Pass"
|
|
57
50
|
end
|
|
58
51
|
|
|
59
52
|
#Check for Insecure Bind Address
|
|
60
53
|
if api_server_command_line.index{|line| line =~ /--insecure-bind-address/}
|
|
61
|
-
@results[target]['api_server']['CIS 1.1.
|
|
54
|
+
@results[target]['api_server']['CIS 1.1.5 - Ensure that the --insecure-bind-address argument is not set'] = "Fail"
|
|
62
55
|
else
|
|
63
|
-
@results[target]['api_server']['CIS 1.1.
|
|
56
|
+
@results[target]['api_server']['CIS 1.1.5 - Ensure that the --insecure-bind-address argument is not set'] = "Pass"
|
|
64
57
|
end
|
|
65
58
|
|
|
66
59
|
#Check for Insecure Bind port
|
|
67
60
|
unless api_server_command_line.index{|line| line =~ /--insecure-port=0/}
|
|
68
|
-
@results[target]['api_server']['CIS 1.1.
|
|
61
|
+
@results[target]['api_server']['CIS 1.1.6 - Ensure that the --insecure-port argument is set to 0'] = "Fail"
|
|
69
62
|
else
|
|
70
|
-
@results[target]['api_server']['CIS 1.1.
|
|
63
|
+
@results[target]['api_server']['CIS 1.1.6 - Ensure that the --insecure-port argument is set to 0'] = "Pass"
|
|
71
64
|
end
|
|
72
65
|
|
|
73
66
|
#Check Secure Port isn't set to 0
|
|
74
67
|
if api_server_command_line.index{|line| line =~ /--secure-port=0/}
|
|
75
|
-
@results[target]['api_server']['CIS 1.1.
|
|
68
|
+
@results[target]['api_server']['CIS 1.1.7 - Ensure that the --secure-port argument is not set to 0'] = "Fail"
|
|
76
69
|
else
|
|
77
|
-
@results[target]['api_server']['CIS 1.1.
|
|
70
|
+
@results[target]['api_server']['CIS 1.1.7 - Ensure that the --secure-port argument is not set to 0'] = "Pass"
|
|
78
71
|
end
|
|
79
72
|
|
|
80
73
|
#
|
|
81
74
|
unless api_server_command_line.index{|line| line =~ /--profiling=false/}
|
|
82
|
-
@results[target]['api_server']['CIS 1.1.
|
|
75
|
+
@results[target]['api_server']['CIS 1.1.8 - Ensure that the --profiling argument is set to false'] = "Fail"
|
|
83
76
|
else
|
|
84
|
-
@results[target]['api_server']['CIS 1.1.
|
|
77
|
+
@results[target]['api_server']['CIS 1.1.8 - Ensure that the --profiling argument is set to false'] = "Pass"
|
|
85
78
|
end
|
|
86
79
|
|
|
87
80
|
unless api_server_command_line.index{|line| line =~ /--repair-malformed-updates/}
|
|
88
|
-
@results[target]['api_server']['CIS 1.1.
|
|
81
|
+
@results[target]['api_server']['CIS 1.1.9 - Ensure that the --repair-malformed-updates argument is set to false'] = "Fail"
|
|
89
82
|
else
|
|
90
|
-
@results[target]['api_server']['CIS 1.1.
|
|
83
|
+
@results[target]['api_server']['CIS 1.1.9 - Ensure that the --repair-malformed-updates argument is set to false'] = "Pass"
|
|
91
84
|
end
|
|
92
85
|
|
|
93
86
|
if api_server_command_line.index{|line| line =~ /--admission-control\S*AlwaysAdmit/}
|
|
94
|
-
@results[target]['api_server']['CIS 1.1.
|
|
87
|
+
@results[target]['api_server']['CIS 1.1.10 - Ensure that the admission control policy is not set to AlwaysAdmit'] = "Fail"
|
|
95
88
|
else
|
|
96
|
-
@results[target]['api_server']['CIS 1.1.
|
|
89
|
+
@results[target]['api_server']['CIS 1.1.10 - Ensure that the admission control policy is not set to AlwaysAdmit'] = "Pass"
|
|
97
90
|
end
|
|
98
91
|
|
|
99
92
|
unless api_server_command_line.index{|line| line =~ /--admission-control\S*AlwaysPullImages/}
|
|
100
|
-
@results[target]['api_server']['CIS 1.1.
|
|
93
|
+
@results[target]['api_server']['CIS 1.1.11 - Ensure that the admission control policy is set to AlwaysPullImages'] = "Fail"
|
|
101
94
|
else
|
|
102
|
-
@results[target]['api_server']['CIS 1.1.
|
|
95
|
+
@results[target]['api_server']['CIS 1.1.11 - Ensure that the admission control policy is set to AlwaysPullImages'] = "Pass"
|
|
103
96
|
end
|
|
104
97
|
|
|
105
98
|
unless api_server_command_line.index{|line| line =~ /--admission-control\S*DenyEscalatingExec/}
|
|
106
|
-
@results[target]['api_server']['CIS 1.1.
|
|
99
|
+
@results[target]['api_server']['CIS 1.1.12 - Ensure that the admission control policy is set to DenyEscalatingExec'] = "Fail"
|
|
107
100
|
else
|
|
108
|
-
@results[target]['api_server']['CIS 1.1.
|
|
101
|
+
@results[target]['api_server']['CIS 1.1.12 - Ensure that the admission control policy is set to DenyEscalatingExec'] = "Pass"
|
|
109
102
|
end
|
|
110
103
|
|
|
111
104
|
unless api_server_command_line.index{|line| line =~ /--admission-control\S*SecurityContextDeny/}
|
|
112
|
-
@results[target]['api_server']['CIS 1.1.
|
|
105
|
+
@results[target]['api_server']['CIS 1.1.13 - Ensure that the admission control policy is set to SecurityContextDeny'] = "Fail"
|
|
113
106
|
else
|
|
114
|
-
@results[target]['api_server']['CIS 1.1.
|
|
107
|
+
@results[target]['api_server']['CIS 1.1.13 - Ensure that the admission control policy is set to SecurityContextDeny'] = "Pass"
|
|
115
108
|
end
|
|
116
109
|
|
|
117
110
|
unless api_server_command_line.index{|line| line =~ /--admission-control\S*NamespaceLifecycle/}
|
|
118
|
-
@results[target]['api_server']['CIS 1.1.
|
|
111
|
+
@results[target]['api_server']['CIS 1.1.14 - Ensure that the admission control policy is set to NamespaceLifecycle'] = "Fail"
|
|
119
112
|
else
|
|
120
|
-
@results[target]['api_server']['CIS 1.1.
|
|
113
|
+
@results[target]['api_server']['CIS 1.1.14 - Ensure that the admission control policy is set to NamespaceLifecycle'] = "Pass"
|
|
121
114
|
end
|
|
122
115
|
|
|
123
116
|
unless api_server_command_line.index{|line| line =~ /--audit-log-path/}
|
|
124
|
-
@results[target]['api_server']['CIS 1.1.
|
|
117
|
+
@results[target]['api_server']['CIS 1.1.15 - Ensure that the --audit-log-path argument is set as appropriate'] = "Fail"
|
|
125
118
|
else
|
|
126
|
-
@results[target]['api_server']['CIS 1.1.
|
|
119
|
+
@results[target]['api_server']['CIS 1.1.15 - Ensure that the --audit-log-path argument is set as appropriate'] = "Pass"
|
|
127
120
|
end
|
|
128
121
|
|
|
129
122
|
#TODO: This check needs to do something with the number of days but for now lets just check whether it's present.
|
|
130
123
|
unless api_server_command_line.index{|line| line =~ /--audit-log-maxage/}
|
|
131
|
-
@results[target]['api_server']['CIS 1.1.
|
|
124
|
+
@results[target]['api_server']['CIS 1.1.16 - Ensure that the --audit-log-maxage argument is set to 30 or as appropriate'] = "Fail"
|
|
132
125
|
else
|
|
133
|
-
@results[target]['api_server']['CIS 1.1.
|
|
126
|
+
@results[target]['api_server']['CIS 1.1.16 - Ensure that the --audit-log-maxage argument is set to 30 or as appropriate'] = "Pass"
|
|
134
127
|
end
|
|
135
128
|
|
|
136
129
|
#TODO: This check needs to do something with the number of backups but for now lets just check whether it's present.
|
|
137
130
|
unless api_server_command_line.index{|line| line =~ /--audit-log-maxbackup/}
|
|
138
|
-
@results[target]['api_server']['CIS 1.1.
|
|
131
|
+
@results[target]['api_server']['CIS 1.1.17 - Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate'] = "Fail"
|
|
139
132
|
else
|
|
140
|
-
@results[target]['api_server']['CIS 1.1.
|
|
133
|
+
@results[target]['api_server']['CIS 1.1.17 - Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate'] = "Pass"
|
|
141
134
|
end
|
|
142
135
|
|
|
143
136
|
#TODO: This check needs to do something with the size of backups but for now lets just check whether it's present.
|
|
144
137
|
unless api_server_command_line.index{|line| line =~ /--audit-log-maxsize/}
|
|
145
|
-
@results[target]['api_server']['CIS 1.1.
|
|
138
|
+
@results[target]['api_server']['CIS 1.1.18 - Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate'] = "Fail"
|
|
146
139
|
else
|
|
147
|
-
@results[target]['api_server']['CIS 1.1.
|
|
140
|
+
@results[target]['api_server']['CIS 1.1.18 - Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate'] = "Pass"
|
|
148
141
|
end
|
|
149
142
|
|
|
150
143
|
if api_server_command_line.index{|line| line =~ /--authorization-mode\S*AlwaysAllow/}
|
|
151
|
-
@results[target]['api_server']['CIS 1.1.
|
|
144
|
+
@results[target]['api_server']['CIS 1.1.19 - Ensure that the --authorization-mode argument is not set to AlwaysAllow'] = "Fail"
|
|
152
145
|
else
|
|
153
|
-
@results[target]['api_server']['CIS 1.1.
|
|
146
|
+
@results[target]['api_server']['CIS 1.1.19 - Ensure that the --authorization-mode argument is not set to AlwaysAllow'] = "Pass"
|
|
154
147
|
end
|
|
155
148
|
|
|
156
149
|
if api_server_command_line.index{|line| line =~ /--token-auth-file/}
|
|
157
|
-
@results[target]['api_server']['CIS 1.1.
|
|
150
|
+
@results[target]['api_server']['CIS 1.1.20 - Ensure that the --token-auth-file argument is not set'] = "Fail"
|
|
158
151
|
else
|
|
159
|
-
@results[target]['api_server']['CIS 1.1.
|
|
152
|
+
@results[target]['api_server']['CIS 1.1.20 - Ensure that the --token-auth-file argument is not set'] = "Pass"
|
|
160
153
|
end
|
|
161
154
|
|
|
162
155
|
unless api_server_command_line.index{|line| line =~ /--kubelet-certificate-authority/}
|
|
163
|
-
@results[target]['api_server']['CIS 1.1.
|
|
156
|
+
@results[target]['api_server']['CIS 1.1.21 - Ensure that the --kubelet-certificate-authority argument is set as appropriate'] = "Fail"
|
|
164
157
|
else
|
|
165
|
-
@results[target]['api_server']['CIS 1.1.
|
|
158
|
+
@results[target]['api_server']['CIS 1.1.21 - Ensure that the --kubelet-certificate-authority argument is set as appropriate'] = "Pass"
|
|
166
159
|
end
|
|
167
160
|
|
|
168
161
|
unless (api_server_command_line.index{|line| line =~ /--kubelet-client-certificate/} && api_server_command_line.index{|line| line =~ /--kubelet-client-key/})
|
|
169
|
-
@results[target]['api_server']['CIS 1.1.
|
|
162
|
+
@results[target]['api_server']['CIS 1.1.22 - Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate'] = "Fail"
|
|
170
163
|
else
|
|
171
|
-
@results[target]['api_server']['CIS 1.1.
|
|
164
|
+
@results[target]['api_server']['CIS 1.1.22 - Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate'] = "Pass"
|
|
172
165
|
end
|
|
173
166
|
|
|
174
167
|
unless api_server_command_line.index{|line| line =~ /--service-account-lookup=true/}
|
|
175
|
-
@results[target]['api_server']['CIS 1.1.
|
|
168
|
+
@results[target]['api_server']['CIS 1.1.23 - Ensure that the --service-account-lookup argument is set to true'] = "Fail"
|
|
176
169
|
else
|
|
177
|
-
@results[target]['api_server']['CIS 1.1.
|
|
170
|
+
@results[target]['api_server']['CIS 1.1.23 - Ensure that the --service-account-lookup argument is set to true'] = "Pass"
|
|
178
171
|
end
|
|
179
172
|
|
|
180
173
|
unless api_server_command_line.index{|line| line =~ /--admission-control\S*PodSecurityPolicy/}
|
|
181
|
-
@results[target]['api_server']['CIS 1.1.
|
|
174
|
+
@results[target]['api_server']['CIS 1.1.24 - Ensure that the admission control policy is set to PodSecurityPolicy'] = "Fail"
|
|
182
175
|
else
|
|
183
|
-
@results[target]['api_server']['CIS 1.1.
|
|
176
|
+
@results[target]['api_server']['CIS 1.1.24 - Ensure that the admission control policy is set to PodSecurityPolicy'] = "Pass"
|
|
184
177
|
end
|
|
185
178
|
|
|
186
179
|
unless api_server_command_line.index{|line| line =~ /--service-account-key-file/}
|
|
187
|
-
@results[target]['api_server']['CIS 1.1.
|
|
180
|
+
@results[target]['api_server']['CIS 1.1.25 - Ensure that the --service-account-key-file argument is set as appropriate'] = "Fail"
|
|
188
181
|
else
|
|
189
|
-
@results[target]['api_server']['CIS 1.1.
|
|
182
|
+
@results[target]['api_server']['CIS 1.1.25 - Ensure that the --service-account-key-file argument is set as appropriate'] = "Pass"
|
|
190
183
|
end
|
|
191
184
|
|
|
192
185
|
unless (api_server_command_line.index{|line| line =~ /--etcd-certfile/} && api_server_command_line.index{|line| line =~ /--etcd-keyfile/})
|
|
193
|
-
@results[target]['api_server']['CIS 1.1.
|
|
186
|
+
@results[target]['api_server']['CIS 1.1.26 - Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate'] = "Fail"
|
|
194
187
|
else
|
|
195
|
-
@results[target]['api_server']['CIS 1.1.
|
|
188
|
+
@results[target]['api_server']['CIS 1.1.26 - Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate'] = "Pass"
|
|
196
189
|
end
|
|
197
190
|
|
|
198
191
|
unless api_server_command_line.index{|line| line =~ /--admission-control\S*ServiceAccount/}
|
|
199
|
-
@results[target]['api_server']['CIS 1.1.
|
|
192
|
+
@results[target]['api_server']['CIS 1.1.27 - Ensure that the admission control policy is set to ServiceAccount'] = "Fail"
|
|
200
193
|
else
|
|
201
|
-
@results[target]['api_server']['CIS 1.1.
|
|
194
|
+
@results[target]['api_server']['CIS 1.1.27 - Ensure that the admission control policy is set to ServiceAccount'] = "Pass"
|
|
202
195
|
end
|
|
203
196
|
|
|
204
197
|
unless (api_server_command_line.index{|line| line =~ /--tls-cert-file/} && api_server_command_line.index{|line| line =~ /--tls-private-key-file/})
|
|
205
|
-
@results[target]['api_server']['CIS 1.1.
|
|
198
|
+
@results[target]['api_server']['CIS 1.1.28 - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate'] = "Fail"
|
|
206
199
|
else
|
|
207
|
-
@results[target]['api_server']['CIS 1.1.
|
|
200
|
+
@results[target]['api_server']['CIS 1.1.28 - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate'] = "Pass"
|
|
208
201
|
end
|
|
209
202
|
|
|
210
203
|
unless api_server_command_line.index{|line| line =~ /--client-ca-file/}
|
|
211
|
-
@results[target]['api_server']['CIS 1.1.
|
|
204
|
+
@results[target]['api_server']['CIS 1.1.29 - Ensure that the --client-ca-file argument is set as appropriate'] = "Fail"
|
|
212
205
|
else
|
|
213
|
-
@results[target]['api_server']['CIS 1.1.
|
|
206
|
+
@results[target]['api_server']['CIS 1.1.29 - Ensure that the --client-ca-file argument is set as appropriate'] = "Pass"
|
|
214
207
|
end
|
|
215
208
|
|
|
216
209
|
unless api_server_command_line.index{|line| line =~ /--etcd-cafile/}
|
|
217
|
-
@results[target]['api_server']['CIS 1.1.
|
|
210
|
+
@results[target]['api_server']['CIS 1.1.30 - Ensure that the --etcd-cafile argument is set as appropriate'] = "Fail"
|
|
218
211
|
else
|
|
219
|
-
@results[target]['api_server']['CIS 1.1.
|
|
212
|
+
@results[target]['api_server']['CIS 1.1.30 - Ensure that the --etcd-cafile argument is set as appropriate'] = "Pass"
|
|
220
213
|
end
|
|
221
214
|
|
|
222
215
|
unless api_server_command_line.index{|line| line =~ /--authorization-mode\S*Node/}
|
|
223
|
-
@results[target]['api_server']['CIS 1.1.
|
|
216
|
+
@results[target]['api_server']['CIS 1.1.31 - Ensure that the --authorization-mode argument is set to Node'] = "Fail"
|
|
224
217
|
else
|
|
225
|
-
@results[target]['api_server']['CIS 1.1.
|
|
218
|
+
@results[target]['api_server']['CIS 1.1.31 - Ensure that the --authorization-mode argument is set to Node'] = "Pass"
|
|
226
219
|
end
|
|
227
220
|
|
|
228
221
|
unless api_server_command_line.index{|line| line =~ /--admission-control\S*NodeRestriction/}
|
|
229
|
-
@results[target]['api_server']['CIS 1.1.
|
|
222
|
+
@results[target]['api_server']['CIS 1.1.32 - Ensure that the admission control policy is set to NodeRestriction'] = "Fail"
|
|
230
223
|
else
|
|
231
|
-
@results[target]['api_server']['CIS 1.1.
|
|
224
|
+
@results[target]['api_server']['CIS 1.1.32 - Ensure that the admission control policy is set to NodeRestriction'] = "Pass"
|
|
232
225
|
end
|
|
233
226
|
|
|
234
227
|
unless api_server_command_line.index{|line| line =~ /--experimental-encryption-provider-config/}
|
|
235
|
-
@results[target]['api_server']['CIS 1.1.
|
|
228
|
+
@results[target]['api_server']['CIS 1.1.33 - Ensure that the --experimental-encryption-provider-config argument is set as appropriate'] = "Fail"
|
|
236
229
|
else
|
|
237
|
-
@results[target]['api_server']['CIS 1.1.
|
|
230
|
+
@results[target]['api_server']['CIS 1.1.33 - Ensure that the --experimental-encryption-provider-config argument is set as appropriate'] = "Pass"
|
|
238
231
|
end
|
|
239
232
|
|
|
233
|
+
#1.1.34 can't be checked using this methodology so it's TBD
|
|
234
|
+
|
|
235
|
+
unless api_server_command_line.index{|line| line =~ /--admission-control\S*EventRateLimit/}
|
|
236
|
+
@results[target]['api_server']['CIS 1.1.35 - Ensure that the admission control policy is set to EventRateLimit'] = "Fail"
|
|
237
|
+
else
|
|
238
|
+
@results[target]['api_server']['CIS 1.1.35 - Ensure that the admission control policy is set to EventRateLimit'] = "Pass"
|
|
239
|
+
end
|
|
240
|
+
|
|
241
|
+
if api_server_command_line.index{|line| line =~ /--feature-gates=AdvancedAuditing=false/}
|
|
242
|
+
@results[target]['api_server']['CIS 1.1.36 - Ensure that the AdvancedAuditing argument is not set to false'] = "Fail"
|
|
243
|
+
else
|
|
244
|
+
@results[target]['api_server']['CIS 1.1.36 - Ensure that the AdvancedAuditing argument is not set to false'] = "Pass"
|
|
245
|
+
end
|
|
246
|
+
|
|
247
|
+
#1.1.37 This one is dubious for a pass/fail test as the value should be evaluated against the relity of the cluster.
|
|
248
|
+
|
|
240
249
|
@results[target]['evidence']['API Server'] = api_server_command_line
|
|
241
250
|
end
|
|
242
251
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: kube_auto_analyzer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.6
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rory McCune
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-10-08 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|