Add support for CIS OpenShift 1.6 Benchmark #1682
Conversation
|
|
| @@ -13,7 +13,7 @@ groups: | |||
| type: "manual" | |||
| audit: | | |||
| #To get a list of users and service accounts with the cluster-admin role | |||
| oc get clusterrolebindings -o=customcolumns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind | | |||
| oc get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind | | |||
There was a problem hiding this comment.
This was a typo in the benchmark. I was comparing both the standards when I identified this. The type is marked as manual, so wasn't caught earlier.
deebhatia
force-pushed
the
cis-openshift-1-6
branch
3 times, most recently
from
2873eea to
d2041f5
Compare
|
Hi @afdesk @mozillazg, |
|
Hi @deebhatia! |
safiyat
force-pushed
the
cis-openshift-1-6
branch
from
ac899d1 to
c8d2de5
Compare
|
Hi @afdesk, Can you please take some time out and review it? |
|
Hi @afdesk @mozillazg, a gentle reminder for review. |
| @@ -0,0 +1,106 @@ | |||
| --- | |||
There was a problem hiding this comment.
What is the difference between job-ocp.yaml and job.yaml?
There was a problem hiding this comment.
Few additional volume mounts "/etc/group" and "/etc/passwd" and service account token mounting
serviceAccountName: kube-bench
automountServiceAccountToken: true
There was a problem hiding this comment.
@deebhatia Do we need to include the dependent ServiceAccount and RBAC resources in this YAML file?
This adds support of CIS OpenShift 1.6 Benchmark.
Closes #1457
CIS Benchmark Link
https://workbench.cisecurity.org/benchmarks/16094
CIS Blog mentioning the OpenShift 4.15 release version
https://www.cisecurity.org/insights/blog/cis-benchmarks-july-2024-update#CISRedHatOpenShiftContainerPlatformBenchmarkv1.6.0
Sample Run
Command Used
kube-bench run --json --version ocp-4.16
Report
1_6_results.json