diff --git a/README.md b/README.md index 2aff0ce..f342905 100644 --- a/README.md +++ b/README.md 
@@ -6,8 +6,68 @@ Tests are configured with YAML files, making this tool easy to update as test sp ## Installation -Install by cloning this repository and running +You will need to run this application on the target machines that you want to test. + +If Go is installed on the target machines, you can simply clone this repository, build and install as follows: + +```go build -o cis_kubernetes .``` +```./install.sh``` + +The installation script creates a directory ~/.cis_kubernetes and copies the test config files there. + +## Test config YAML representation +The tests are represented as YAML documents (installed by default into ~/.cis_kubernetes). + +An example is as listed below: +``` +--- +controls: +id: 1 +text: "Master Checks" +type: "master" +groups: +- id: 1.1 + text: "Kube-apiserver" + checks: + - id: 1.1.1 + text: "Ensure that the --allow-privileged argument is set (Scored)" + audit: "ps -ef | grep kube-apiserver | grep -v grep" + tests: + - flag: "--allow-privileged" + set: true + remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" + scored: true +``` + +Recommendations (called `checks` in this document) can run on Kubernetes Master, Node or Federated API Servers. +Checks are organized into `groups` which share similar controls (things to check for) and are grouped together in the section of the CIS Kubernetes document. +These groups are further organized under `controls` which can be of the type `master`, `node` or `federated apiserver` to reflect the various Kubernetes node types. + +## Tests +Tests are the items we actually look for to determine if a check is successful or not. Checks can have multiple tests, which must all be successful for the check to pass. + +The syntax for tests: +``` +tests: +- flag: + set: + compare: + op: + value: +... +``` +Tests have various `operations` which are used to compare the output of audit commands for success. 
+These operations are: + +- `eq`: tests if the flag value is equal to the compared value. +- `noteq`: tests if the flag value is unequal to the compared value. +- `gt`: tests if the flag value is greater than the compared value. +- `gte`: tests if the flag value is greater than or equal to the compared value. +- `lt`: tests if the flag value is less than the compared value. +- `lte`: tests if the flag value is less than or equal to the compared value. +- `has`: tests if the flag value contains the compared value. +- `nothave`: tests if the flag value does not contain the compared value. + + -```make install``` -This builds the application and also copies the test configuration files into a .cis_kubernetes directory in your home directory. diff --git a/check/README.md b/check/README.md deleted file mode 100644 index cdfe4b3..0000000 --- a/check/README.md +++ /dev/null 
@@ -1,55 +0,0 @@ -# Checks -Checks are recommendations from the Center for Internet Security for Kubernetes 1.6+ installations. - -## YAML Representation -In this application these recommendations are represented as YAML documents. -An example is as listed below: -``` ---- -controls: -id: 1 -text: "Master Checks" -type: "master" -groups: -- id: 1.1 - text: "Kube-apiserver" - checks: - - id: 1.1.1 - text: "Ensure that the --allow-privileged argument is set (Scored)" - audit: "ps -ef | grep kube-apiserver | grep -v grep" - tests: - - flag: "--allow-privileged" - set: true - remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" - scored: true -``` - -Recommendations (called `checks` in this document) can run on Kubernetes Master, Node or Federated API Servers. -Checks are organized into `groups` which share similar controls (things to check for) and are grouped together in the section of the CIS Kubernetes document. -These groups are further organized under `controls` which can be of the type `master`, `node` or `federated apiserver` to reflect the various Kubernetes node types. - -## Tests -Tests are the items we actually look for to determine if a check is successful or not. Checks can have multiple tests, which must all be successful for the check to pass. - -The syntax for tests: -``` -tests: -- flag: - set: - compare: - op: - value: -... -``` -Tests have various `operations` which are used to compare the output of audit commands for success. -These operations are: - -- `eq`: tests if the flag value is equal to the compared value. -- `noteq`: tests if the flag value is unequal to the compared value. -- `gt`: tests if the flag value is greater than the compared value. -- `gte`: tests if the flag value is greater than or equal to the compared value. -- `lt`: tests if the flag value is less than the compared value. 
-- `lte`: tests if the flag value is less than or equal to the compared value. -- `has`: tests if the flag value contains the compared value. -- `nothave`: tests if the flag value does not contain the compared value. -
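Review bot: In the README.md hunk, the two build/install commands are written as ```go build -o cis_kubernetes .``` and ```./install.sh``` on single lines, which Markdown renders as inline code spans rather than a command block (the word `go` is also liable to be read as an info string); put both commands in one fenced block with a `sh` tag. The hunk also drops the old `make install` path and only covers the case where Go is installed on the target machine, so document what to do when it is not (build elsewhere and copy the binary plus the config files). Two further points worth fixing while this text is being moved: the `install.sh` sentence should state that the YAML files copied to ~/.cis_kubernetes carry the `audit` shell commands the tool executes on the master or node (e.g. `ps -ef | grep kube-apiserver | grep -v grep`), so the directory and its contents must not be writable by other users, and the example check 1.1.1 is internally inconsistent: its test only asserts `set: true` for `--allow-privileged`, while its `remediation` text tells the operator to set `--allow-privileged=false`; either the text/remediation should describe the flag merely being present, or the test should add a `compare` with `op: eq` and `value: "false"`.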
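Review bot: Deleting check/README.md loses the one sentence that is not carried into the top-level README, "Checks are recommendations from the Center for Internet Security for Kubernetes 1.6+ installations."; the new "Test config YAML representation" section never says which benchmark or Kubernetes versions the bundled YAML targets, so carry that line over (ideally with a link to the CIS Kubernetes Benchmark) before removing this file. Everything else in the deleted hunk appears verbatim in README.md, so the move itself is fine, but check that no other page links to check/README.md.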