arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-21 15:48:06 +00:00
Code Issues Releases Wiki Activity

Better handling of parameters and config audits (#674)

Browse Source 
* read-only-port defaults are correct

* Tests that should catch good read-only-port

* Rework checks & tests

* Linting on issue template YAML

* More explicit test for 4.2.4
This commit is contained in:
Liz Rice 2020-08-12 14:32:42 +01:00 committed by GitHub
parent 5d138f6388
commit 07f3c40dc7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 454 additions and 287 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.github/ISSUE_TEMPLATE/config.yml vendored
View File

@ -1,3 +1,4 @@
---
blank_issues_enabled: false
contact_links:
- name: Feature request

4
cfg/cis-1.5/node.yaml
View File

@ -236,6 +236,7 @@ groups:
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
bin_op: or
test_items:
- flag: "--read-only-port"
path: '{.readOnlyPort}'
@ -243,6 +244,9 @@ groups:
compare:
op: eq
value: 0
- flag: "--read-only-port"
path: '{.readOnlyPort}'
set: false
remediation: |
If using a Kubelet config file, edit the file to set readOnlyPort to 0.
If using command line arguments, edit the kubelet service file

227
check/check.go
View File

@ -62,21 +62,23 @@ const (
// Check contains information about a recommendation in the
// CIS Kubernetes document.
type Check struct {
ID string `yaml:"id" json:"test_number"`
Text string `json:"test_desc"`
Audit string `json:"audit"`
AuditConfig string `yaml:"audit_config"`
Type string `json:"type"`
Tests *tests `json:"omit"`
Set bool `json:"omit"`
Remediation string `json:"remediation"`
TestInfo []string `json:"test_info"`
State `json:"status"`
ActualValue string `json:"actual_value"`
Scored bool `json:"scored"`
IsMultiple bool `yaml:"use_multiple_values"`
ExpectedResult string `json:"expected_result"`
Reason string `json:"reason,omitempty"`
ID string `yaml:"id" json:"test_number"`
Text string `json:"test_desc"`
Audit string `json:"audit"`
AuditConfig string `yaml:"audit_config"`
Type string `json:"type"`
Tests *tests `json:"omit"`
Set bool `json:"omit"`
Remediation string `json:"remediation"`
TestInfo []string `json:"test_info"`
State `json:"status"`
ActualValue string `json:"actual_value"`
Scored bool `json:"scored"`
IsMultiple bool `yaml:"use_multiple_values"`
ExpectedResult string `json:"expected_result"`
Reason string `json:"reason,omitempty"`
AuditOutput string `json:"omit"`
AuditConfigOutput string `json:"omit"`
}
// Runner wraps the basic Run method.
@ -123,63 +125,46 @@ func (c *Check) run() State {
return c.State
}
lastCommand := c.Audit
hasAuditConfig := c.AuditConfig != ""
state, finalOutput, retErrmsgs := performTest(c.Audit, c.Tests, c.IsMultiple)
if len(state) > 0 {
c.Reason = retErrmsgs
c.State = state
return c.State
}
errmsgs := retErrmsgs
// If something went wrong with the 'Audit' command
// and an 'AuditConfig' command was provided, use it to
// execute tests
if (finalOutput == nil || !finalOutput.testResult) && hasAuditConfig {
lastCommand = c.AuditConfig
nItems := len(c.Tests.TestItems)
// The reason we're creating a copy of the "tests"
// is so that tests can executed
// with the AuditConfig command
// against the Path only
currentTests := &tests{
BinOp: c.Tests.BinOp,
TestItems: make([]*testItem, nItems),
}
for i := 0; i < nItems; i++ {
ti := c.Tests.TestItems[i]
nti := &testItem{
// Path is used to test Command Param values
// AuditConfig ==> Path
Path: ti.Path,
Set: ti.Set,
Compare: ti.Compare,
}
currentTests.TestItems[i] = nti
}
state, finalOutput, retErrmsgs = performTest(c.AuditConfig, currentTests, c.IsMultiple)
if len(state) > 0 {
c.Reason = retErrmsgs
c.State = state
return c.State
}
errmsgs += retErrmsgs
}
if finalOutput != nil && finalOutput.testResult {
c.State = PASS
c.ActualValue = finalOutput.actualResult
c.ExpectedResult = finalOutput.ExpectedResult
} else {
// If there aren't any tests defined this is a FAIL or WARN
if c.Tests == nil || len(c.Tests.TestItems) == 0 {
c.Reason = "No tests defined"
if c.Scored {
c.State = FAIL
} else {
c.State = WARN
}
return c.State
}
// Command line parameters override the setting in the config file, so if we get a good result from the Audit command that's all we need to run
var finalOutput *testOutput
var lastCommand string
lastCommand, err := c.runAuditCommands()
if err == nil {
finalOutput, err = c.execute()
}
if finalOutput != nil {
if finalOutput.testResult {
c.State = PASS
} else {
if c.Scored {
c.State = FAIL
} else {
c.State = WARN
}
}
c.ActualValue = finalOutput.actualResult
c.ExpectedResult = finalOutput.ExpectedResult
}
if err != nil {
c.Reason = err.Error()
if c.Scored {
c.State = FAIL
} else {
c.Reason = errmsgs
c.State = WARN
}
}
@ -190,39 +175,97 @@ func (c *Check) run() State {
glog.V(3).Infof("Check.ID: %s Command: %q TestResult: <<EMPTY>> \n", c.ID, lastCommand)
}
if errmsgs != "" {
glog.V(2).Info(errmsgs)
if c.Reason != "" {
glog.V(2).Info(c.Reason)
}
return c.State
}
func performTest(audit string, tests *tests, isMultipleOutput bool) (State, *testOutput, string) {
if len(strings.TrimSpace(audit)) == 0 {
return "", failTestItem("missing command"), "missing audit command"
func (c *Check) runAuditCommands() (lastCommand string, err error) {
// Run the audit command and auditConfig commands, if present
c.AuditOutput, err = runAudit(c.Audit)
if err != nil {
return c.Audit, err
}
var out bytes.Buffer
errmsgs := runAudit(audit, &out)
finalOutput := tests.execute(out.String(), isMultipleOutput)
if finalOutput == nil {
errmsgs += fmt.Sprintf("Final output is <<EMPTY>>. Failed to run: %s\n", audit)
}
return "", finalOutput, errmsgs
c.AuditConfigOutput, err = runAudit(c.AuditConfig)
return c.AuditConfig, err
}
func runAudit(audit string, out *bytes.Buffer) string {
errmsgs := ""
func (c *Check) execute() (finalOutput *testOutput, err error) {
finalOutput = &testOutput{}
ts := c.Tests
res := make([]testOutput, len(ts.TestItems))
expectedResultArr := make([]string, len(res))
glog.V(3).Infof("%d tests", len(ts.TestItems))
for i, t := range ts.TestItems {
t.isMultipleOutput = c.IsMultiple
// Try with the auditOutput first, and if that's not found, try the auditConfigOutput
t.isConfigSetting = false
result := *(t.execute(c.AuditOutput))
if !result.flagFound {
t.isConfigSetting = true
result = *(t.execute(c.AuditConfigOutput))
}
res[i] = result
expectedResultArr[i] = res[i].ExpectedResult
}
var result bool
// If no binary operation is specified, default to AND
switch ts.BinOp {
default:
glog.V(2).Info(fmt.Sprintf("unknown binary operator for tests %s\n", ts.BinOp))
finalOutput.actualResult = fmt.Sprintf("unknown binary operator for tests %s\n", ts.BinOp)
return finalOutput, fmt.Errorf("unknown binary operator for tests %s", ts.BinOp)
case and, "":
result = true
for i := range res {
result = result && res[i].testResult
}
// Generate an AND expected result
finalOutput.ExpectedResult = strings.Join(expectedResultArr, " AND ")
case or:
result = false
for i := range res {
result = result || res[i].testResult
}
// Generate an OR expected result
finalOutput.ExpectedResult = strings.Join(expectedResultArr, " OR ")
}
finalOutput.testResult = result
finalOutput.actualResult = res[0].actualResult
glog.V(3).Infof("Returning from execute on tests: finalOutput %#v", finalOutput)
return finalOutput, nil
}
func runAudit(audit string) (output string, err error) {
var out bytes.Buffer
audit = strings.TrimSpace(audit)
if len(audit) == 0 {
return output, err
}
cmd := exec.Command("/bin/sh")
cmd.Stdin = strings.NewReader(audit)
cmd.Stdout = out
cmd.Stderr = out
if err := cmd.Run(); err != nil {
errmsgs += fmt.Sprintf("failed to run: %q, output: %q, error: %s\n", audit, out.String(), err)
}
cmd.Stdout = &out
cmd.Stderr = &out
err = cmd.Run()
output = out.String()
glog.V(3).Infof("Command %q - Output:\n\n %q\n - Error Messages:%q \n", audit, out.String(), errmsgs)
return errmsgs
if err != nil {
err = fmt.Errorf("failed to run: %q, output: %q, error: %s", audit, output, err)
} else {
glog.V(3).Infof("Command %q\n - Output:\n %q", audit, output)
}
return output, err
}

86
check/check_test.go
View File

@ -15,38 +15,57 @@
package check
import (
"bytes"
"strings"
"testing"
)
func TestCheck_Run(t *testing.T) {
type TestCase struct {
name string
check Check
Expected State
}
testCases := []TestCase{
{check: Check{Type: MANUAL}, Expected: WARN},
{check: Check{Type: "skip"}, Expected: INFO},
{check: Check{Scored: false}, Expected: WARN}, // Not scored checks with no type, or not scored failing tests are marked warn
{name: "Manual check should WARN", check: Check{Type: MANUAL}, Expected: WARN},
{name: "Skip check should INFO", check: Check{Type: "skip"}, Expected: INFO},
{name: "Unscored check (with no type) should WARN on failure", check: Check{Scored: false}, Expected: WARN},
{
check: Check{ // Not scored checks with passing tests are marked pass
name: "Unscored check that pass should PASS",
check: Check{
Scored: false,
Audit: ":",
Tests: &tests{TestItems: []*testItem{&testItem{}}},
Audit: "echo hello",
Tests: &tests{TestItems: []*testItem{{
Flag: "hello",
Set: true,
}}},
},
Expected: PASS,
},
{check: Check{Scored: true}, Expected: WARN}, // If there are no tests in the check, warn
{check: Check{Scored: true, Tests: &tests{}}, Expected: FAIL}, // If there are tests that are not passing, fail
{name: "Check with no tests should WARN", check: Check{Scored: true}, Expected: WARN},
{name: "Scored check with empty tests should FAIL", check: Check{Scored: true, Tests: &tests{}}, Expected: FAIL},
{
check: Check{ // Scored checks with passing tests are marked pass
name: "Scored check that doesn't pass should FAIL",
check: Check{
Scored: true,
Audit: ":",
Tests: &tests{TestItems: []*testItem{&testItem{}}},
Audit: "echo hello",
Tests: &tests{TestItems: []*testItem{{
Flag: "hello",
Set: false,
}},
}},
Expected: FAIL,
},
{
name: "Scored checks that pass should PASS",
check: Check{
Scored: true,
Audit: "echo hello",
Tests: &tests{TestItems: []*testItem{{
Flag: "hello",
Set: true,
}}},
},
Expected: PASS,
},
@ -56,7 +75,7 @@ func TestCheck_Run(t *testing.T) {
testCase.check.run()
if testCase.check.State != testCase.Expected {
t.Errorf("test failed, expected %s, actual %s\n", testCase.Expected, testCase.check.State)
t.Errorf("%s: expected %s, actual %s\n", testCase.name, testCase.Expected, testCase.check.State)
}
}
}
@ -115,6 +134,26 @@ func TestCheckAuditConfig(t *testing.T) {
controls.Groups[1].Checks[11],
"FAIL",
},
{
controls.Groups[1].Checks[12],
"FAIL",
},
{
controls.Groups[1].Checks[13],
"FAIL",
},
{
controls.Groups[1].Checks[14],
"FAIL",
},
{
controls.Groups[1].Checks[15],
"PASS",
},
{
controls.Groups[1].Checks[16],
"FAIL",
},
}
for _, c := range cases {
@ -128,7 +167,6 @@ func TestCheckAuditConfig(t *testing.T) {
func Test_runAudit(t *testing.T) {
type args struct {
audit string
out *bytes.Buffer
output string
}
tests := []struct {
@ -141,7 +179,6 @@ func Test_runAudit(t *testing.T) {
name: "run success",
args: args{
audit: "echo 'hello world'",
out: &bytes.Buffer{},
},
errMsg: "",
output: "hello world\n",
@ -156,7 +193,6 @@ hello() {
hello
`,
out: &bytes.Buffer{},
},
errMsg: "",
output: "hello world\n",
@ -165,7 +201,6 @@ hello
name: "run failed",
args: args{
audit: "unknown_command",
out: &bytes.Buffer{},
},
errMsg: "failed to run: \"unknown_command\", output: \"/bin/sh: ",
output: "not found\n",
@ -173,16 +208,19 @@ hello
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
errMsg := runAudit(tt.args.audit, tt.args.out)
if errMsg != "" && !strings.Contains(errMsg, tt.errMsg) {
t.Errorf("runAudit() errMsg = %q, want %q", errMsg, tt.errMsg)
var errMsg string
output, err := runAudit(tt.args.audit)
if err != nil {
errMsg = err.Error()
}
if errMsg != "" && !strings.Contains(errMsg, tt.errMsg) {
t.Errorf("name %s errMsg = %q, want %q", tt.name, errMsg, tt.errMsg)
}
output := tt.args.out.String()
if errMsg == "" && output != tt.output {
t.Errorf("runAudit() output = %q, want %q", output, tt.output)
t.Errorf("name %s output = %q, want %q", tt.name, output, tt.output)
}
if errMsg != "" && !strings.Contains(output, tt.output) {
t.Errorf("runAudit() output = %q, want %q", output, tt.output)
t.Errorf("name %s output = %q, want %q", tt.name, output, tt.output)
}
})
}

83
check/data
View File

@ -166,7 +166,7 @@ groups:
op: eq
value: some-val
set: true
- id: 15
text: "jsonpath correct value on field"
tests:
@ -476,3 +476,84 @@ groups:
value: "600"
set: true
scored: true
- id: 12
text: "audit is present and wrong, audit_config is right -> fail (command line parameters override config file)"
audit: "echo flag=wrong"
audit_config: "echo 'flag: correct'"
tests:
test_items:
- flag: "flag"
path: "{.flag}"
compare:
op: eq
value: "correct"
set: true
scored: true
- id: 13
text: "parameter and config file don't have same default - parameter has failing value"
audit: "echo '--read-only-port=1'"
audit_config: "echo 'readOnlyPort: 0'"
tests:
bin_op: and
test_items:
- flag: "--read-only-port"
path: "{.readOnlyPort}"
set: true
compare:
op: eq
value: 0
- flag: "--read-only-port"
path: '{.readOnlyPort}'
set: false
scored: true
- id: 14
text: "parameter and config file don't have same default - config file has failing value"
audit: "echo ''"
audit_config: "echo 'readOnlyPort: 1'"
tests:
bin_op: or
test_items:
- flag: "--read-only-port"
path: '{.readOnlyPort}'
set: true
compare:
op: eq
value: 0
- flag: "--read-only-port"
path: '{.readOnlyPort}'
set: false
scored: true
- id: 15
text: "parameter and config file don't have same default - passing"
audit: "echo ''"
audit_config: "echo ''"
tests:
bin_op: or
test_items:
- flag: "--read-only-port"
path: '{.readOnlyPort}'
set: true
compare:
op: eq
value: 0
- flag: "--read-only-port"
path: '{.readOnlyPort}'
set: false
scored: true
- id: 15
text: "parameter and config file don't have same default - parameter has bad value and config is not present - failing"
audit: "echo '--read-only-port=1'"
audit_config: "echo ''"
tests:
bin_op: or
test_items:
- flag: "--read-only-port"
path: '{.readOnlyPort}'
set: true
compare:
op: eq
value: 0
- flag: "--read-only-port"
path: '{.readOnlyPort}'
set: false
scored: true

258
check/test.go
View File

@ -43,15 +43,25 @@ const (
defaultArraySeparator = ","
)
type testItem struct {
Flag string
Path string
Output string
Value string
Set bool
Compare compare
type tests struct {
TestItems []*testItem `yaml:"test_items"`
BinOp binOp `yaml:"bin_op"`
}
type testItem struct {
Flag string
Path string
Output string
Value string
Set bool
Compare compare
isMultipleOutput bool
isConfigSetting bool
}
type pathTestItem testItem
type flagTestItem testItem
type compare struct {
Op string
Value string
@ -59,6 +69,7 @@ type compare struct {
type testOutput struct {
testResult bool
flagFound bool
actualResult string
ExpectedResult string
}
@ -67,99 +78,124 @@ func failTestItem(s string) *testOutput {
return &testOutput{testResult: false, actualResult: s}
}
func (t *testItem) execute(s string, isMultipleOutput bool) *testOutput {
func (t testItem) flagValue() string {
if t.isConfigSetting {
return t.Path
}
return t.Flag
}
func (t testItem) findValue(s string) (match bool, value string, err error) {
if t.isConfigSetting {
pt := pathTestItem(t)
return pt.findValue(s)
}
ft := flagTestItem(t)
return ft.findValue(s)
}
func (t flagTestItem) findValue(s string) (match bool, value string, err error) {
if s == "" || t.Flag == "" {
return
}
match = strings.Contains(s, t.Flag)
if match {
// Expects flags in the form;
// --flag=somevalue
// flag: somevalue
// --flag
// somevalue
pttn := `(` + t.Flag + `)(=|: *)*([^\s]*) *`
flagRe := regexp.MustCompile(pttn)
vals := flagRe.FindStringSubmatch(s)
if len(vals) > 0 {
if vals[3] != "" {
value = vals[3]
} else {
// --bool-flag
if strings.HasPrefix(t.Flag, "--") {
value = "true"
} else {
value = vals[1]
}
}
} else {
err = fmt.Errorf("invalid flag in testItem definition: %s", s)
}
}
glog.V(3).Infof("In flagTestItem.findValue %s, match %v, s %s, t.Flag %s", value, match, s, t.Flag)
return match, value, err
}
func (t pathTestItem) findValue(s string) (match bool, value string, err error) {
var jsonInterface interface{}
err = unmarshal(s, &jsonInterface)
if err != nil {
return false, "", fmt.Errorf("failed to load YAML or JSON from input \"%s\": %v", s, err)
}
value, err = executeJSONPath(t.Path, &jsonInterface)
if err != nil {
return false, "", fmt.Errorf("unable to parse path expression \"%s\": %v", t.Path, err)
}
glog.V(3).Infof("In pathTestItem.findValue %s", value)
match = (value != "")
return match, value, err
}
func (t testItem) execute(s string) *testOutput {
result := &testOutput{}
s = strings.TrimRight(s, " \n")
// If the test has output that should be evaluated for each row
if isMultipleOutput {
output := strings.Split(s, "\n")
for _, op := range output {
result = t.evaluate(op)
// If the test failed for the current row, no need to keep testing for this output
if !result.testResult {
break
}
}
var output []string
if t.isMultipleOutput {
output = strings.Split(s, "\n")
} else {
result = t.evaluate(s)
output = []string{s}
}
for _, op := range output {
result = t.evaluate(op)
// If the test failed for the current row, no need to keep testing for this output
if !result.testResult {
break
}
}
return result
}
func (t *testItem) evaluate(s string) *testOutput {
func (t testItem) evaluate(s string) *testOutput {
result := &testOutput{}
var match bool
var flagVal string
if t.Flag != "" {
// Flag comparison: check if the flag is present in the input
match = strings.Contains(s, t.Flag)
} else {
// Path != "" - we don't know whether it's YAML or JSON but
// we can just try one then the other
var jsonInterface interface{}
if t.Path != "" {
err := unmarshal(s, &jsonInterface)
if err != nil {
fmt.Fprintf(os.Stderr, "failed to load YAML or JSON from provided input \"%s\": %v\n", s, err)
return failTestItem("failed to load YAML or JSON")
}
}
jsonpathResult, err := executeJSONPath(t.Path, &jsonInterface)
if err != nil {
fmt.Fprintf(os.Stderr, "unable to parse path expression \"%s\": %v\n", t.Path, err)
return failTestItem("error executing path expression")
}
match = (jsonpathResult != "")
flagVal = jsonpathResult
match, value, err := t.findValue(s)
if err != nil {
fmt.Fprintf(os.Stderr, err.Error())
return failTestItem(err.Error())
}
if t.Set {
isset := match
if isset && t.Compare.Op != "" {
if t.Flag != "" {
// Expects flags in the form;
// --flag=somevalue
// flag: somevalue
// --flag
// somevalue
pttn := `(` + t.Flag + `)(=|: *)*([^\s]*) *`
flagRe := regexp.MustCompile(pttn)
vals := flagRe.FindStringSubmatch(s)
if len(vals) > 0 {
if vals[3] != "" {
flagVal = vals[3]
} else {
// --bool-flag
if strings.HasPrefix(t.Flag, "--") {
flagVal = "true"
} else {
flagVal = vals[1]
}
}
} else {
glog.V(1).Infof(fmt.Sprintf("invalid flag in testitem definition"))
return failTestItem("error invalid flag in testitem definition")
}
}
result.ExpectedResult, result.testResult = compareOp(t.Compare.Op, flagVal, t.Compare.Value)
if match && t.Compare.Op != "" {
result.ExpectedResult, result.testResult = compareOp(t.Compare.Op, value, t.Compare.Value)
} else {
result.ExpectedResult = fmt.Sprintf("'%s' is present", t.Flag)
result.testResult = isset
result.ExpectedResult = fmt.Sprintf("'%s' is present", t.flagValue())
result.testResult = match
}
} else {
result.ExpectedResult = fmt.Sprintf("'%s' is not present", t.Flag)
notset := !match
result.testResult = notset
result.ExpectedResult = fmt.Sprintf("'%s' is not present", t.flagValue())
result.testResult = !match
}
result.flagFound = match
glog.V(3).Info(fmt.Sprintf("flagFound %v", result.flagFound))
return result
}
@ -326,66 +362,6 @@ func splitAndRemoveLastSeparator(s, sep string) []string {
return ts
}
type tests struct {
TestItems []*testItem `yaml:"test_items"`
BinOp binOp `yaml:"bin_op"`
}
func (ts *tests) execute(s string, isMultipleOutput bool) *testOutput {
finalOutput := &testOutput{}
// If no tests are defined return with empty finalOutput.
// This may be the case for checks of type: "skip".
if ts == nil {
return finalOutput
}
res := make([]testOutput, len(ts.TestItems))
if len(res) == 0 {
return finalOutput
}
expectedResultArr := make([]string, len(res))
for i, t := range ts.TestItems {
res[i] = *(t.execute(s, isMultipleOutput))
expectedResultArr[i] = res[i].ExpectedResult
}
var result bool
// If no binary operation is specified, default to AND
switch ts.BinOp {
default:
glog.V(2).Info(fmt.Sprintf("unknown binary operator for tests %s\n", ts.BinOp))
finalOutput.actualResult = fmt.Sprintf("unknown binary operator for tests %s\n", ts.BinOp)
return finalOutput
case and, "":
result = true
for i := range res {
result = result && res[i].testResult
}
// Generate an AND expected result
finalOutput.ExpectedResult = strings.Join(expectedResultArr, " AND ")
case or:
result = false
for i := range res {
result = result || res[i].testResult
}
// Generate an OR expected result
finalOutput.ExpectedResult = strings.Join(expectedResultArr, " OR ")
}
finalOutput.testResult = result
finalOutput.actualResult = res[0].actualResult
if finalOutput.actualResult == "" {
finalOutput.actualResult = s
}
return finalOutput
}
func toNumeric(a, b string) (c, d int, err error) {
c, err = strconv.Atoi(strings.TrimSpace(a))
if err != nil {

52
check/test_test.go
View File

@ -48,143 +48,181 @@ func TestTestExecute(t *testing.T) {
cases := []struct {
*Check
str string
str string
strConfig string
}{
{
controls.Groups[0].Checks[0],
"2:45 ../kubernetes/kube-apiserver --allow-privileged=false --option1=20,30,40",
"",
},
{
controls.Groups[0].Checks[1],
"2:45 ../kubernetes/kube-apiserver --allow-privileged=false",
"",
},
{
controls.Groups[0].Checks[2],
"niinai 13617 2635 99 19:26 pts/20 00:03:08 ./kube-apiserver --insecure-port=0 --anonymous-auth",
"",
},
{
controls.Groups[0].Checks[3],
"2:45 ../kubernetes/kube-apiserver --secure-port=0 --audit-log-maxage=40 --option",
"",
},
{
controls.Groups[0].Checks[4],
"2:45 ../kubernetes/kube-apiserver --max-backlog=20 --secure-port=0 --audit-log-maxage=40 --option",
"",
},
{
controls.Groups[0].Checks[5],
"2:45 ../kubernetes/kube-apiserver --option --admission-control=WebHook,RBAC ---audit-log-maxage=40",
"",
},
{
controls.Groups[0].Checks[6],
"2:45 .. --kubelet-clientkey=foo --kubelet-client-certificate=bar --admission-control=Webhook,RBAC",
"",
},
{
controls.Groups[0].Checks[7],
"2:45 .. --secure-port=0 --kubelet-client-certificate=bar --admission-control=Webhook,RBAC",
"",
},
{
controls.Groups[0].Checks[8],
"644",
"",
},
{
controls.Groups[0].Checks[9],
"640",
"",
},
{
controls.Groups[0].Checks[9],
"600",
"",
},
{
controls.Groups[0].Checks[10],
"2:45 ../kubernetes/kube-apiserver --option --admission-control=WebHook,RBAC ---audit-log-maxage=40",
"",
},
{
controls.Groups[0].Checks[11],
"2:45 ../kubernetes/kube-apiserver --option --admission-control=WebHook,RBAC ---audit-log-maxage=40",
"",
},
{
controls.Groups[0].Checks[12],
"2:45 ../kubernetes/kube-apiserver --option --admission-control=WebHook,Something,RBAC ---audit-log-maxage=40",
"",
},
{
controls.Groups[0].Checks[13],
"2:45 ../kubernetes/kube-apiserver --option --admission-control=Something ---audit-log-maxage=40",
"",
},
{
// check for ':' as argument-value separator, with space between arg and val
controls.Groups[0].Checks[14],
"2:45 kube-apiserver some-arg: some-val --admission-control=Something ---audit-log-maxage=40",
"",
},
{
// check for ':' as argument-value separator, with no space between arg and val
controls.Groups[0].Checks[14],
"2:45 kube-apiserver some-arg:some-val --admission-control=Something ---audit-log-maxage=40",
"",
},
{
controls.Groups[0].Checks[15],
"",
"{\"readOnlyPort\": 15000}",
},
{
controls.Groups[0].Checks[16],
"",
"{\"stringValue\": \"WebHook,Something,RBAC\"}",
},
{
controls.Groups[0].Checks[17],
"",
"{\"trueValue\": true}",
},
{
controls.Groups[0].Checks[18],
"",
"{\"readOnlyPort\": 15000}",
},
{
controls.Groups[0].Checks[19],
"",
"{\"authentication\": { \"anonymous\": {\"enabled\": false}}}",
},
{
controls.Groups[0].Checks[20],
"",
"readOnlyPort: 15000",
},
{
controls.Groups[0].Checks[21],
"",
"readOnlyPort: 15000",
},
{
controls.Groups[0].Checks[22],
"",
"authentication:\n anonymous:\n enabled: false",
},
{
controls.Groups[0].Checks[26],
"",
"currentMasterVersion: 1.12.7",
},
{
controls.Groups[0].Checks[27],
"--peer-client-cert-auth",
"",
},
{
controls.Groups[0].Checks[27],
"--abc=true --peer-client-cert-auth --efg=false",
"",
},
{
controls.Groups[0].Checks[27],
"--abc --peer-client-cert-auth --efg",
"",
},
{
controls.Groups[0].Checks[27],
"--peer-client-cert-auth=true",
"",
},
{
controls.Groups[0].Checks[27],
"--abc --peer-client-cert-auth=true --efg",
"",
},
{
controls.Groups[0].Checks[28],
"--abc --peer-client-cert-auth=false --efg",
"",
},
}
for _, c := range cases {
res := c.Tests.execute(c.str, c.IsMultiple).testResult
if !res {
c.Check.AuditOutput = c.str
c.Check.AuditConfigOutput = c.strConfig
res, err := c.Check.execute()
if err != nil {
t.Errorf(err.Error())
}
if !res.testResult {
t.Errorf("%s, expected:%v, got:%v\n", c.Text, true, res)
}
}
@ -219,8 +257,12 @@ func TestTestExecuteExceptions(t *testing.T) {
}
for _, c := range cases {
res := c.Tests.execute(c.str, c.IsMultiple).testResult
if res {
c.Check.AuditConfigOutput = c.str
res, err := c.Check.execute()
if err != nil {
t.Errorf(err.Error())
}
if res.testResult {
t.Errorf("%s, expected:%v, got:%v\n", c.Text, false, res)
}
}

15
integration/testdata/cis-1.5/job-node.data vendored
View File

@ -14,7 +14,7 @@
[PASS] 4.2.1 Ensure that the --anonymous-auth argument is set to false (Scored)
[PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
[PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Scored)
[FAIL] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Scored)
[PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Scored)
[PASS] 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)
[FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Scored)
[PASS] 4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Scored)
@ -33,15 +33,6 @@ chmod 644 /etc/kubernetes/proxy.conf
4.1.4 Run the below command (based on the file location on your system) on the each worker node.
For example, chown root:root /etc/kubernetes/proxy.conf
4.2.4 If using a Kubelet config file, edit the file to set readOnlyPort to 0.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
@ -80,7 +71,7 @@ systemctl restart kubelet.service
== Summary ==
16 checks PASS
6 checks FAIL
17 checks PASS
5 checks FAIL
1 checks WARN
0 checks INFO

15
integration/testdata/cis-1.5/job.data vendored
View File

@ -227,7 +227,7 @@ minimum.
[PASS] 4.2.1 Ensure that the --anonymous-auth argument is set to false (Scored)
[PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
[PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Scored)
[FAIL] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Scored)
[PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Scored)
[PASS] 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)
[FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Scored)
[PASS] 4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Scored)
@ -246,15 +246,6 @@ chmod 644 /etc/kubernetes/proxy.conf
4.1.4 Run the below command (based on the file location on your system) on the each worker node.
For example, chown root:root /etc/kubernetes/proxy.conf
4.2.4 If using a Kubelet config file, edit the file to set readOnlyPort to 0.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
@ -293,8 +284,8 @@ systemctl restart kubelet.service
== Summary ==
16 checks PASS
6 checks FAIL
17 checks PASS
5 checks FAIL
1 checks WARN
0 checks INFO
[INFO] 5 Kubernetes Policies