mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-26 01:49:28 +00:00
Get the tests working on deployments where file names may be different or not in path (#1)
* Replace the default help text * Readme file, including the test config format documentation * Typo * Warn if config files / executables aren't found * Ignore original name of executable (as per current README) * Update tests to avoid failing on stat of a non-existant file * Add a makefile for ease of build
This commit is contained in:
parent
7d091c5eba
commit
26cc77ec1d
1
.gitignore
vendored
1
.gitignore
vendored
@ -1,2 +1,3 @@
|
|||||||
kubernetes-bench-security
|
kubernetes-bench-security
|
||||||
|
cis_kubernetes
|
||||||
*.swp
|
*.swp
|
||||||
|
66
README.md
66
README.md
@ -6,8 +6,68 @@ Tests are configured with YAML files, making this tool easy to update as test sp
|
|||||||
|
|
||||||
## Installation
|
## Installation
|
||||||
|
|
||||||
Install by cloning this repository and running
|
You will need to run this application on the target machines that you want to test.
|
||||||
|
|
||||||
|
If Go is installed on the target machines, you can simply clone this repository, build and install as follows:
|
||||||
|
|
||||||
|
```go build -o cis_kubernetes .```
|
||||||
|
```./install.sh```
|
||||||
|
|
||||||
|
The installation script creates a directory ~/.cis_kubernetes and copies the test config files there.
|
||||||
|
|
||||||
|
## Test config YAML representation
|
||||||
|
The tests are represented as YAML documents (installed by default into ~/.cis_kubernetes).
|
||||||
|
|
||||||
|
An example is as listed below:
|
||||||
|
```
|
||||||
|
---
|
||||||
|
controls:
|
||||||
|
id: 1
|
||||||
|
text: "Master Checks"
|
||||||
|
type: "master"
|
||||||
|
groups:
|
||||||
|
- id: 1.1
|
||||||
|
text: "Kube-apiserver"
|
||||||
|
checks:
|
||||||
|
- id: 1.1.1
|
||||||
|
text: "Ensure that the --allow-privileged argument is set (Scored)"
|
||||||
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||||
|
tests:
|
||||||
|
- flag: "--allow-privileged"
|
||||||
|
set: true
|
||||||
|
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
|
||||||
|
scored: true
|
||||||
|
```
|
||||||
|
|
||||||
|
Recommendations (called `checks` in this document) can run on Kubernetes Master, Node or Federated API Servers.
|
||||||
|
Checks are organized into `groups` which share similar controls (things to check for) and are grouped together in the section of the CIS Kubernetes document.
|
||||||
|
These groups are further organized under `controls` which can be of the type `master`, `node` or `federated apiserver` to reflect the various Kubernetes node types.
|
||||||
|
|
||||||
|
## Tests
|
||||||
|
Tests are the items we actually look for to determine if a check is successful or not. Checks can have multiple tests, which must all be successful for the check to pass.
|
||||||
|
|
||||||
|
The syntax for tests:
|
||||||
|
```
|
||||||
|
tests:
|
||||||
|
- flag:
|
||||||
|
set:
|
||||||
|
compare:
|
||||||
|
op:
|
||||||
|
value:
|
||||||
|
...
|
||||||
|
```
|
||||||
|
Tests have various `operations` which are used to compare the output of audit commands for success.
|
||||||
|
These operations are:
|
||||||
|
|
||||||
|
- `eq`: tests if the flag value is equal to the compared value.
|
||||||
|
- `noteq`: tests if the flag value is unequal to the compared value.
|
||||||
|
- `gt`: tests if the flag value is greater than the compared value.
|
||||||
|
- `gte`: tests if the flag value is greater than or equal to the compared value.
|
||||||
|
- `lt`: tests if the flag value is less than the compared value.
|
||||||
|
- `lte`: tests if the flag value is less than or equal to the compared value.
|
||||||
|
- `has`: tests if the flag value contains the compared value.
|
||||||
|
- `nothave`: tests if the flag value does not contain the compared value.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
```make install```
|
|
||||||
|
|
||||||
This builds the application and also copies the test configuration files into a .cis_kubernetes directory in your home directory.
|
|
||||||
|
@ -531,7 +531,7 @@ groups:
|
|||||||
checks:
|
checks:
|
||||||
- id: 1.4.1
|
- id: 1.4.1
|
||||||
text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "stat -c %a $kubeConfDir/apiserver"
|
audit: "if test -e $kubeConfDir/apiserver; then stat -c %a $kubeConfDir/apiserver; fi"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "644"
|
||||||
@ -542,7 +542,7 @@ groups:
|
|||||||
|
|
||||||
- id: 1.4.2
|
- id: 1.4.2
|
||||||
text: "Ensure that the apiserver file ownership is set to root:root (Scored)"
|
text: "Ensure that the apiserver file ownership is set to root:root (Scored)"
|
||||||
audit: "stat -c %U:%G $kubeConfDir/apiserver"
|
audit: "if test -e $kubeConfDir/apiserver; then stat -c %U:%G $kubeConfDir/apiserver; fi"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
@ -553,7 +553,7 @@ groups:
|
|||||||
|
|
||||||
- id: 1.4.3
|
- id: 1.4.3
|
||||||
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "stat -c %a $kubeConfDir/config"
|
audit: "if test -e $kubeConfDir/config; then stat -c %a $kubeConfDir/config; fi"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "644"
|
||||||
@ -564,7 +564,7 @@ groups:
|
|||||||
|
|
||||||
- id: 1.4.4
|
- id: 1.4.4
|
||||||
text: "Ensure that the config file ownership is set to root:root (Scored)"
|
text: "Ensure that the config file ownership is set to root:root (Scored)"
|
||||||
audit: "stat -c %U:%G $kubeConfDir/config"
|
audit: "if test -e $kubeConfDir/config; then stat -c %U:%G $kubeConfDir/config; fi"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
@ -575,7 +575,7 @@ groups:
|
|||||||
|
|
||||||
- id: 1.4.5
|
- id: 1.4.5
|
||||||
text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "stat -c %a $kubeConfDir/scheduler"
|
audit: "if test -e $kubeConfDir/scheduler; then stat -c %a $kubeConfDir/scheduler; fi"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "644"
|
||||||
@ -586,7 +586,7 @@ groups:
|
|||||||
|
|
||||||
- id: 1.4.6
|
- id: 1.4.6
|
||||||
text: "Ensure that the scheduler file ownership is set to root:root (Scored)"
|
text: "Ensure that the scheduler file ownership is set to root:root (Scored)"
|
||||||
audit: "stat -c %U:%G $kubeConfDir/scheduler"
|
audit: "if test -e $kubeConfDir/scheduler; then stat -c %U:%G $kubeConfDir/scheduler; fi"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
@ -597,7 +597,7 @@ groups:
|
|||||||
|
|
||||||
- id: 1.4.7
|
- id: 1.4.7
|
||||||
text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "stat -c %a $etcdConfDir/etcd.conf"
|
audit: "if test -e $etcdConfDir/etcd.conf; then stat -c %a $etcdConfDir/etcd.conf; fi"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "644"
|
||||||
@ -608,7 +608,7 @@ groups:
|
|||||||
|
|
||||||
- id: 1.4.8
|
- id: 1.4.8
|
||||||
text: "Ensure that the etcd.conf file ownership is set to root:root (Scored)"
|
text: "Ensure that the etcd.conf file ownership is set to root:root (Scored)"
|
||||||
audit: "stat -c %U:%G $etcdConfDir/etcd.conf"
|
audit: "if test -e $etcdConfDir/kubelet; then stat -c %U:%G $etcdConfDir/etcd.conf; fi"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
@ -619,7 +619,7 @@ groups:
|
|||||||
|
|
||||||
- id: 1.4.9
|
- id: 1.4.9
|
||||||
text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "stat -c %a /etc/sysconfig/flanneld"
|
audit: "if test -e /etc/sysconfig/flanneld; then stat -c %a /etc/sysconfig/flanneld; fi"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "644"
|
||||||
@ -630,7 +630,7 @@ groups:
|
|||||||
|
|
||||||
- id: 1.4.10
|
- id: 1.4.10
|
||||||
text: "Ensure that the flanneld file ownership is set to root:root (Scored)"
|
text: "Ensure that the flanneld file ownership is set to root:root (Scored)"
|
||||||
audit: "stat -c %U:%G /etc/sysconfig/flanneld"
|
audit: "if test -e /etc/sysconfig/flanneld; then stat -c %U:%G /etc/sysconfig/flanneld; fi"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
|
@ -193,7 +193,7 @@ groups:
|
|||||||
checks:
|
checks:
|
||||||
- id: 2.2.1
|
- id: 2.2.1
|
||||||
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "stat -c %a $kubeConfDir/config"
|
audit: "if test -e $kubeConfDir/config; then stat -c %a $kubeConfDir/config; fi"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "644"
|
||||||
@ -204,7 +204,7 @@ groups:
|
|||||||
|
|
||||||
- id: 2.2.2
|
- id: 2.2.2
|
||||||
text: "Ensure that the config file ownership is set to root:root (Scored)"
|
text: "Ensure that the config file ownership is set to root:root (Scored)"
|
||||||
audit: "stat -c %U:%G $kubeConfDir/config"
|
audit: "if test -e $kubeConfDir/config; then stat -c %U:%G $kubeConfDir/config; fi"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
@ -215,7 +215,7 @@ groups:
|
|||||||
|
|
||||||
- id: 2.2.3
|
- id: 2.2.3
|
||||||
text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "stat -c %a $kubeConfDir/kubelet"
|
audit: "if test -e $kubeConfDir/kubelet; then stat -c %a $kubeConfDir/kubelet; fi"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "644"
|
||||||
@ -226,7 +226,7 @@ groups:
|
|||||||
|
|
||||||
- id: 2.2.4
|
- id: 2.2.4
|
||||||
text: "Ensure that the kubelet file ownership is set to root:root (Scored)"
|
text: "Ensure that the kubelet file ownership is set to root:root (Scored)"
|
||||||
audit: "stat -c %U:%G $kubeConfDir/kubelet"
|
audit: "if test -e $kubeConfDir/kubelet; then stat -c %U:%G $kubeConfDir/kubelet; fi"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
@ -237,7 +237,7 @@ groups:
|
|||||||
|
|
||||||
- id: 2.2.5
|
- id: 2.2.5
|
||||||
text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "stat -c %a $kubeConfDir/proxy"
|
audit: "if test -e $kubeConfDir/proxy; then stat -c %a $kubeConfDir/proxy; fi"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "644"
|
||||||
@ -248,7 +248,7 @@ groups:
|
|||||||
|
|
||||||
- id: 2.2.6
|
- id: 2.2.6
|
||||||
text: "Ensure that the proxy file ownership is set to root:root (Scored)"
|
text: "Ensure that the proxy file ownership is set to root:root (Scored)"
|
||||||
audit: "stat -c %U:%G $kubeConfDir/proxy"
|
audit: "if test -e $kubeConfDir/proxy; then stat -c %U:%G $kubeConfDir/proxy; fi"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
|
@ -1,55 +0,0 @@
|
|||||||
# Checks
|
|
||||||
Checks are recommendations from the Center for Internet Security for Kubernetes 1.6+ installations.
|
|
||||||
|
|
||||||
## YAML Representation
|
|
||||||
In this application these recommendations are represented as YAML documents.
|
|
||||||
An example is as listed below:
|
|
||||||
```
|
|
||||||
---
|
|
||||||
controls:
|
|
||||||
id: 1
|
|
||||||
text: "Master Checks"
|
|
||||||
type: "master"
|
|
||||||
groups:
|
|
||||||
- id: 1.1
|
|
||||||
text: "Kube-apiserver"
|
|
||||||
checks:
|
|
||||||
- id: 1.1.1
|
|
||||||
text: "Ensure that the --allow-privileged argument is set (Scored)"
|
|
||||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
||||||
tests:
|
|
||||||
- flag: "--allow-privileged"
|
|
||||||
set: true
|
|
||||||
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
|
|
||||||
scored: true
|
|
||||||
```
|
|
||||||
|
|
||||||
Recommendations (called `checks` in this document) can run on Kubernetes Master, Node or Federated API Servers.
|
|
||||||
Checks are organized into `groups` which share similar controls (things to check for) and are grouped together in the section of the CIS Kubernetes document.
|
|
||||||
These groups are further organized under `controls` which can be of the type `master`, `node` or `federated apiserver` to reflect the various Kubernetes node types.
|
|
||||||
|
|
||||||
## Tests
|
|
||||||
Tests are the items we actually look for to determine if a check is successful or not. Checks can have multiple tests, which must all be successful for the check to pass.
|
|
||||||
|
|
||||||
The syntax for tests:
|
|
||||||
```
|
|
||||||
tests:
|
|
||||||
- flag:
|
|
||||||
set:
|
|
||||||
compare:
|
|
||||||
op:
|
|
||||||
value:
|
|
||||||
...
|
|
||||||
```
|
|
||||||
Tests have various `operations` which are used to compare the output of audit commands for success.
|
|
||||||
These operations are:
|
|
||||||
|
|
||||||
- `eq`: tests if the flag value is equal to the compared value.
|
|
||||||
- `noteq`: tests if the flag value is unequal to the compared value.
|
|
||||||
- `gt`: tests if the flag value is greater than the compared value.
|
|
||||||
- `gte`: tests if the flag value is greater than or equal to the compared value.
|
|
||||||
- `lt`: tests if the flag value is less than the compared value.
|
|
||||||
- `lte`: tests if the flag value is less than or equal to the compared value.
|
|
||||||
- `has`: tests if the flag value contains the compared value.
|
|
||||||
- `nothave`: tests if the flag value does not contain the compared value.
|
|
||||||
|
|
@ -140,11 +140,13 @@ func verifyNodeType(t check.NodeType) {
|
|||||||
confPath = kubeFederatedConf
|
confPath = kubeFederatedConf
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// These executables might not be on the user's path.
|
||||||
|
// TODO! Check the version number using kubectl, which is more likely to be on the path.
|
||||||
for _, b := range binPath {
|
for _, b := range binPath {
|
||||||
_, err := exec.LookPath(b)
|
_, err := exec.LookPath(b)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
fmt.Fprintf(os.Stderr, "%s: command not found\n", b)
|
fmt.Fprintf(os.Stderr, "WARNING: %s: command not found on path - version check skipped\n", b)
|
||||||
os.Exit(1)
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check version
|
// Check version
|
||||||
@ -152,16 +154,18 @@ func verifyNodeType(t check.NodeType) {
|
|||||||
out, _ = cmd.Output()
|
out, _ = cmd.Output()
|
||||||
if matched, _ := regexp.MatchString(kubeVersion, string(out)); !matched {
|
if matched, _ := regexp.MatchString(kubeVersion, string(out)); !matched {
|
||||||
fmt.Fprintf(os.Stderr,
|
fmt.Fprintf(os.Stderr,
|
||||||
"%s unsupported version, expected v%s, got %s\n",
|
"%s unsupported version, expected %s, got %s\n",
|
||||||
b,
|
b,
|
||||||
kubeVersion,
|
kubeVersion,
|
||||||
string(out),
|
string(out),
|
||||||
)
|
)
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Check if running
|
for _, b := range binPath {
|
||||||
cmd = exec.Command("ps", "-ef")
|
// Check if running.
|
||||||
|
cmd := exec.Command("ps", "-ef")
|
||||||
out, _ = cmd.Output()
|
out, _ = cmd.Output()
|
||||||
if matched, _ := regexp.MatchString(".*"+b, string(out)); !matched {
|
if matched, _ := regexp.MatchString(".*"+b, string(out)); !matched {
|
||||||
fmt.Fprintf(os.Stderr, "%s is not running\n", b)
|
fmt.Fprintf(os.Stderr, "%s is not running\n", b)
|
||||||
@ -171,8 +175,8 @@ func verifyNodeType(t check.NodeType) {
|
|||||||
|
|
||||||
for _, c := range confPath {
|
for _, c := range confPath {
|
||||||
if _, err := os.Stat(c); os.IsNotExist(err) {
|
if _, err := os.Stat(c); os.IsNotExist(err) {
|
||||||
fmt.Fprintf(os.Stderr, "config file %s does not exist\n", c)
|
fmt.Fprintf(os.Stderr, "WARNING: config file %s does not exist\n", c)
|
||||||
os.Exit(1)
|
// os.Exit(1)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -41,13 +41,8 @@ var (
|
|||||||
// RootCmd represents the base command when called without any subcommands
|
// RootCmd represents the base command when called without any subcommands
|
||||||
var RootCmd = &cobra.Command{
|
var RootCmd = &cobra.Command{
|
||||||
Use: "cis_kubernetes",
|
Use: "cis_kubernetes",
|
||||||
Short: "A brief description of your application",
|
Short: "Run CIS Benchmarks checks against a Kubernetes deployment",
|
||||||
Long: `A longer description that spans multiple lines and likely contains
|
Long: `This tool runs the CIS Kubernetes 1.6 Benchmark v1.0.0 checks.`,
|
||||||
examples and usage of using your application. For example:
|
|
||||||
|
|
||||||
Cobra is a CLI library for Go that empowers applications.
|
|
||||||
This application is a tool to generate the needed files
|
|
||||||
to quickly create a Cobra application.`,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Execute adds all child commands to the root command sets flags appropriately.
|
// Execute adds all child commands to the root command sets flags appropriately.
|
||||||
|
Loading…
Reference in New Issue
Block a user