
Add new tests and clean up old tests.

This commit is contained in:
Abubakr-Sadik Nii Nai Davis 2017-08-12 18:54:33 +00:00
parent d2fa9d35b6
commit 0933fa420b
2 changed files with 48 additions and 102 deletions


@ -7,59 +7,42 @@ groups:
- id: 1.1 - id: 1.1
text: "Kube-apiserver" text: "Kube-apiserver"
checks: checks:
- id: 1.1.1 - id: 0
text: "Ensure that the --allow-privileged argument is set (Scored)" text: "flag is set"
audit: "ps -ef | grep kube-apiserver | grep -v grep"
tests: tests:
test_items: test_items:
- - flag: "--allow-privileged"
flag: "--allow-privileged"
set: true set: true
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
scored: true
- id: 1.1.2 - id: 1
text: "Ensure that the --basic-auth argument is not set (Scored)" text: "flag is not set"
audit: "ps -ef | grep kube-apiserver | grep -v grep"
tests: tests:
test_item: test_item:
- - flag: "--basic-auth"
flag: "--basic-auth"
set: false set: false
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
scored: true
- id: 1.1.3 - id: 2
text: "Ensure that the --insecure-port argument is set to 0 (Scored)" text: "flag value is set to some value"
audit: "ps -ef | grep kube-apiserver | grep -v grep"
tests: tests:
test_items: test_items:
- - flag: "--insecure-port"
flag: "--insecure-port"
compare: compare:
op: eq op: eq
value: 0 value: 0
set: true set: true
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
scored: true
- id: 1.1.4 - id: 3
text: "Ensure that the --audit-log-maxage argument is set to 30 or appropriate (Scored)" text: "flag value is greater than or equal some number"
audit: "ps -ef | grep kube-apiserver | grep -v grep"
tests: tests:
test_items: test_items:
- - flag: "--audit-log-maxage"
flag: "--audit-log-maxage"
compare: compare:
op: gte op: gte
value: 30 value: 30
set: true set: true
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
scored: true
- id: 1.1.5 - id: 4
text: "Ensure that the --max-backlog argument is set to 30 or less (Scored)" text: "flag value is less than some number"
audit: "ps -ef | grep kube-apiserver | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--max-backlog" - flag: "--max-backlog"
@ -67,26 +50,19 @@ groups:
op: lt op: lt
value: 30 value: 30
set: true set: true
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
scored: true
- id: 1.1.6 - id: 5
text: "Ensure admission control does not include AlwaysAdmit (Scored)" text: "flag value does not have some value"
audit: "ps -ef | grep kube-apiserver | grep -v grep"
tests: tests:
test_items: test_items:
- - flag: "--admission-control"
flag: "--admission-control"
compare: compare:
op: nothave op: nothave
value: AlwaysAdmit value: AlwaysAdmit
set: true set: true
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
scored: true
- id: 1.1.7 - id: 6
text: "Ensure that the --kubelet-client-certificate and --kubelet-clientkey arguments are set as appropriate (Scored)" text: "test AND binary operation"
audit: "ps -ef | grep kube-apiserver | grep -v grep"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -94,17 +70,13 @@ groups:
set: true set: true
- flag: "--kubelet-clientkey" - flag: "--kubelet-clientkey"
set: true set: true
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
scored: true
- id: 1.1.8 - id: 7
text: "Ensure that the --secure-port argument is not set to 0 (Scored)" text: "test OR binary operation"
audit: "ps -ef | grep kube-apiserver | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- - flag: "--secure-port"
flag: "--secure-port"
compare: compare:
op: eq op: eq
value: 0 value: 0
@ -112,28 +84,13 @@ groups:
- -
flag: "--secure-port" flag: "--secure-port"
set: false set: false
remediation: "Edit the /etc/kubernetes/apiserver file on the master node and either remove the -secure-port argument from the KUBE_API_ARGS parameter or set it to a different desired port."
scored: true
- id: 1.4.1 - id: 8
text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)" text: "test flag with arbitrary text"
audit: "stat -c %a /etc/kubernetes/apiserver"
tests: tests:
test_items: test_items:
- flag: "644" - flag: "644"
set: true
remediation: "Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/apiserver"
scored: true
- id: 2.1.14
text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
audit: "ps -ef | grep kubelet | grep -v grep"
tests:
test_items:
- flag: "KubeletClient"
compare: compare:
op: eq op: eq
value: true value: "644"
set: true set: true
remediation: "Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/apiserver"
scored: true
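Review bot: The check at `- id: 1` (the "flag is not set" case) keeps the key `test_item:` while every other check in this fixture uses `test_items:`; if the loader ignores unknown keys, that check is parsed with no test items and the Go case for `Checks[1]` may pass for a reason unrelated to the `--basic-auth` flag. Renaming the key to `test_items:` makes the fixture consistent and lets the test exercise the flag it names. The line is context rather than part of this change, but the renumbering to ids 0-8 makes this fixture the one the test indexes by position, so it is worth confirming against NewControls.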


@ -16,6 +16,8 @@ package check
import ( import (
"io/ioutil" "io/ioutil"
"os"
"strings"
"testing" "testing"
) )
@ -30,79 +32,66 @@ func init() {
if err != nil { if err != nil {
panic("Failed reading test data: " + err.Error()) panic("Failed reading test data: " + err.Error())
} }
controls, err = NewControls(MASTER, in)
// substitute variables in data file
user := os.Getenv("USER")
s := strings.Replace(string(in), "$user", user, -1)
controls, err = NewControls(MASTER, []byte(s))
// controls, err = NewControls(MASTER, in)
if err != nil { if err != nil {
panic("Failed creating test controls: " + err.Error()) panic("Failed creating test controls: " + err.Error())
} }
} }
func TestTestExecute(t *testing.T) { func TestTestExecute(t *testing.T) {
cases := []struct { cases := []struct {
*tests *Check
testfor string
str string str string
}{ }{
{ {
controls.Groups[0].Checks[0].Tests, controls.Groups[0].Checks[0],
"flag set",
"2:45 ../kubernetes/kube-apiserver --allow-privileged=false --option1=20,30,40", "2:45 ../kubernetes/kube-apiserver --allow-privileged=false --option1=20,30,40",
}, },
{ {
controls.Groups[0].Checks[1].Tests, controls.Groups[0].Checks[1],
"flag not set",
"2:45 ../kubernetes/kube-apiserver --allow-privileged=false", "2:45 ../kubernetes/kube-apiserver --allow-privileged=false",
}, },
{ {
controls.Groups[0].Checks[2].Tests, controls.Groups[0].Checks[2],
"flag and value set",
"niinai 13617 2635 99 19:26 pts/20 00:03:08 ./kube-apiserver --insecure-port=0 --anonymous-auth", "niinai 13617 2635 99 19:26 pts/20 00:03:08 ./kube-apiserver --insecure-port=0 --anonymous-auth",
}, },
{ {
controls.Groups[0].Checks[3].Tests, controls.Groups[0].Checks[3],
"flag value greater than value",
"2:45 ../kubernetes/kube-apiserver --secure-port=0 --audit-log-maxage=40 --option", "2:45 ../kubernetes/kube-apiserver --secure-port=0 --audit-log-maxage=40 --option",
}, },
{ {
controls.Groups[0].Checks[4].Tests, controls.Groups[0].Checks[4],
"flag value less than value",
"2:45 ../kubernetes/kube-apiserver --max-backlog=20 --secure-port=0 --audit-log-maxage=40 --option", "2:45 ../kubernetes/kube-apiserver --max-backlog=20 --secure-port=0 --audit-log-maxage=40 --option",
}, },
{ {
controls.Groups[0].Checks[5].Tests, controls.Groups[0].Checks[5],
"flag value does not have",
"2:45 ../kubernetes/kube-apiserver --option --admission-control=WebHook,RBAC ---audit-log-maxage=40", "2:45 ../kubernetes/kube-apiserver --option --admission-control=WebHook,RBAC ---audit-log-maxage=40",
}, },
{ {
controls.Groups[0].Checks[6].Tests, controls.Groups[0].Checks[6],
"AND multiple tests, all testitems pass",
"2:45 .. --kubelet-clientkey=foo --kubelet-client-certificate=bar --admission-control=Webhook,RBAC", "2:45 .. --kubelet-clientkey=foo --kubelet-client-certificate=bar --admission-control=Webhook,RBAC",
}, },
{ {
controls.Groups[0].Checks[7].Tests, controls.Groups[0].Checks[7],
"OR multiple tests",
"2:45 .. --secure-port=0 --kubelet-client-certificate=bar --admission-control=Webhook,RBAC", "2:45 .. --secure-port=0 --kubelet-client-certificate=bar --admission-control=Webhook,RBAC",
}, },
{ {
controls.Groups[0].Checks[8].Tests, controls.Groups[0].Checks[8],
"text",
"644", "644",
}, },
{
controls.Groups[0].Checks[9].Tests,
"flag value is comma-separated",
"2:35 ../kubelet --features-gates=KubeletClient=true,KubeletServer=true",
},
{
controls.Groups[0].Checks[9].Tests,
"flag value is comma-separated",
"2:35 ../kubelet --features-gates=KubeletServer=true,KubeletClient=true",
},
} }
for _, c := range cases { for _, c := range cases {
res := c.tests.execute(c.str) res := c.Tests.execute(c.str)
if !res { if !res {
t.Errorf("%s, expected:%v, got:%v\n", c.testfor, true, res) t.Errorf("%s, expected:%v, got:%v\n", c.Text, true, res)
} }
} }
} }
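Review bot: The new `$user` substitution in init() reads `os.Getenv("USER")` and silently replaces the placeholder with an empty string when the variable is unset, so the fixture would depend on the environment without any signal; since the surrounding code already panics on bad test data, `user, ok := os.LookupEnv("USER")` followed by `if !ok { panic("USER not set in environment") }` keeps the failure explicit. The commented-out `// controls, err = NewControls(MASTER, in)` left below the new call is dead code and should be dropped. None of the fixture lines visible in this commit contain `$user`, so the substitution may be unused for now — worth confirming against the full data file. The init() body begins outside the hunk.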