Get the tests working on deployments where file names may be different or not in path (#1)
* Replace the default help text * Readme file, including the test config format documentation * Typo * Warn if config files / executables aren't found * Ignore original name of executable (as per current README) * Update tests to avoid failing on stat of a non-existant file * Add a makefile for ease of buildpull/6/head
parent
7d091c5eba
commit
26cc77ec1d
@ -1,2 +1,3 @@
|
||||
kubernetes-bench-security
|
||||
cis_kubernetes
|
||||
*.swp
|
||||
|
@ -1,55 +0,0 @@
|
||||
# Checks
|
||||
Checks are recommendations from the Center for Internet Security for Kubernetes 1.6+ installations.
|
||||
|
||||
## YAML Representation
|
||||
In this application these recommendations are represented as YAML documents.
|
||||
An example is as listed below:
|
||||
```
|
||||
---
|
||||
controls:
|
||||
id: 1
|
||||
text: "Master Checks"
|
||||
type: "master"
|
||||
groups:
|
||||
- id: 1.1
|
||||
text: "Kube-apiserver"
|
||||
checks:
|
||||
- id: 1.1.1
|
||||
text: "Ensure that the --allow-privileged argument is set (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
tests:
|
||||
- flag: "--allow-privileged"
|
||||
set: true
|
||||
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
|
||||
scored: true
|
||||
```
|
||||
|
||||
Recommendations (called `checks` in this document) can run on Kubernetes Master, Node or Federated API Servers.
|
||||
Checks are organized into `groups` which share similar controls (things to check for) and are grouped together in the section of the CIS Kubernetes document.
|
||||
These groups are further organized under `controls` which can be of the type `master`, `node` or `federated apiserver` to reflect the various Kubernetes node types.
|
||||
|
||||
## Tests
|
||||
Tests are the items we actually look for to determine if a check is successful or not. Checks can have multiple tests, which must all be successful for the check to pass.
|
||||
|
||||
The syntax for tests:
|
||||
```
|
||||
tests:
|
||||
- flag:
|
||||
set:
|
||||
compare:
|
||||
op:
|
||||
value:
|
||||
...
|
||||
```
|
||||
Tests have various `operations` which are used to compare the output of audit commands for success.
|
||||
These operations are:
|
||||
|
||||
- `eq`: tests if the flag value is equal to the compared value.
|
||||
- `noteq`: tests if the flag value is unequal to the compared value.
|
||||
- `gt`: tests if the flag value is greater than the compared value.
|
||||
- `gte`: tests if the flag value is greater than or equal to the compared value.
|
||||
- `lt`: tests if the flag value is less than the compared value.
|
||||
- `lte`: tests if the flag value is less than or equal to the compared value.
|
||||
- `has`: tests if the flag value contains the compared value.
|
||||
- `nothave`: tests if the flag value does not contain the compared value.
|
||||
|
Loading…
Reference in new issue