arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-22 16:18:07 +00:00
Code Issues Releases Wiki Activity

Get the tests working on deployments where file names may be different or not in path (#1)

Browse Source 
* Replace the default help text

* Readme file, including the test config format documentation

* Typo

* Warn if config files / executables aren't found

* Ignore original name of executable (as per current README)

* Update tests to avoid failing on stat of a non-existant file

* Add a makefile for ease of build
This commit is contained in:
Liz Rice 2017-06-19 21:17:19 +01:00 committed by jerbia
parent 7d091c5eba
commit 26cc77ec1d
8 changed files with 101 additions and 88 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,2 +1,3 @@
kubernetes-bench-security kubernetes-bench-security
cis_kubernetes
*.swp *.swp

66
README.md
View File

@ -6,8 +6,68 @@ Tests are configured with YAML files, making this tool easy to update as test sp
## Installation ## Installation
Install by cloning this repository and running You will need to run this application on the target machines that you want to test.
If Go is installed on the target machines, you can simply clone this repository, build and install as follows:
```go build -o cis_kubernetes .```
```./install.sh```
The installation script creates a directory ~/.cis_kubernetes and copies the test config files there.
## Test config YAML representation
The tests are represented as YAML documents (installed by default into ~/.cis_kubernetes).
An example is as listed below:
```
---
controls:
id: 1
text: "Master Checks"
type: "master"
groups:
- id: 1.1
text: "Kube-apiserver"
checks:
- id: 1.1.1
text: "Ensure that the --allow-privileged argument is set (Scored)"
audit: "ps -ef | grep kube-apiserver | grep -v grep"
tests:
- flag: "--allow-privileged"
set: true
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
scored: true
```
Recommendations (called `checks` in this document) can run on Kubernetes Master, Node or Federated API Servers.
Checks are organized into `groups` which share similar controls (things to check for) and are grouped together in the section of the CIS Kubernetes document.
These groups are further organized under `controls` which can be of the type `master`, `node` or `federated apiserver` to reflect the various Kubernetes node types.
## Tests
Tests are the items we actually look for to determine if a check is successful or not. Checks can have multiple tests, which must all be successful for the check to pass.
The syntax for tests:
```
tests:
- flag:
set:
compare:
op:
value:
...
```
Tests have various `operations` which are used to compare the output of audit commands for success.
These operations are:
- `eq`: tests if the flag value is equal to the compared value.
- `noteq`: tests if the flag value is unequal to the compared value.
- `gt`: tests if the flag value is greater than the compared value.
- `gte`: tests if the flag value is greater than or equal to the compared value.
- `lt`: tests if the flag value is less than the compared value.
- `lte`: tests if the flag value is less than or equal to the compared value.
- `has`: tests if the flag value contains the compared value.
- `nothave`: tests if the flag value does not contain the compared value.
```make install```
This builds the application and also copies the test configuration files into a .cis_kubernetes directory in your home directory.

20
cfg/master.yaml
View File

@ -531,7 +531,7 @@ groups:
checks: checks:
- id: 1.4.1 - id: 1.4.1
text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
audit: "stat -c %a $kubeConfDir/apiserver" audit: "if test -e $kubeConfDir/apiserver; then stat -c %a $kubeConfDir/apiserver; fi"
tests: tests:
test_items: test_items:
- flag: "644" - flag: "644"
@ -542,7 +542,7 @@ groups:
- id: 1.4.2 - id: 1.4.2
text: "Ensure that the apiserver file ownership is set to root:root (Scored)" text: "Ensure that the apiserver file ownership is set to root:root (Scored)"
audit: "stat -c %U:%G $kubeConfDir/apiserver" audit: "if test -e $kubeConfDir/apiserver; then stat -c %U:%G $kubeConfDir/apiserver; fi"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -553,7 +553,7 @@ groups:
- id: 1.4.3 - id: 1.4.3
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
audit: "stat -c %a $kubeConfDir/config" audit: "if test -e $kubeConfDir/config; then stat -c %a $kubeConfDir/config; fi"
tests: tests:
test_items: test_items:
- flag: "644" - flag: "644"
@ -564,7 +564,7 @@ groups:
- id: 1.4.4 - id: 1.4.4
text: "Ensure that the config file ownership is set to root:root (Scored)" text: "Ensure that the config file ownership is set to root:root (Scored)"
audit: "stat -c %U:%G $kubeConfDir/config" audit: "if test -e $kubeConfDir/config; then stat -c %U:%G $kubeConfDir/config; fi"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -575,7 +575,7 @@ groups:
- id: 1.4.5 - id: 1.4.5
text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)"
audit: "stat -c %a $kubeConfDir/scheduler" audit: "if test -e $kubeConfDir/scheduler; then stat -c %a $kubeConfDir/scheduler; fi"
tests: tests:
test_items: test_items:
- flag: "644" - flag: "644"
@ -586,7 +586,7 @@ groups:
- id: 1.4.6 - id: 1.4.6
text: "Ensure that the scheduler file ownership is set to root:root (Scored)" text: "Ensure that the scheduler file ownership is set to root:root (Scored)"
audit: "stat -c %U:%G $kubeConfDir/scheduler" audit: "if test -e $kubeConfDir/scheduler; then stat -c %U:%G $kubeConfDir/scheduler; fi"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -597,7 +597,7 @@ groups:
- id: 1.4.7 - id: 1.4.7
text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)"
audit: "stat -c %a $etcdConfDir/etcd.conf" audit: "if test -e $etcdConfDir/etcd.conf; then stat -c %a $etcdConfDir/etcd.conf; fi"
tests: tests:
test_items: test_items:
- flag: "644" - flag: "644"
@ -608,7 +608,7 @@ groups:
- id: 1.4.8 - id: 1.4.8
text: "Ensure that the etcd.conf file ownership is set to root:root (Scored)" text: "Ensure that the etcd.conf file ownership is set to root:root (Scored)"
audit: "stat -c %U:%G $etcdConfDir/etcd.conf" audit: "if test -e $etcdConfDir/kubelet; then stat -c %U:%G $etcdConfDir/etcd.conf; fi"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -619,7 +619,7 @@ groups:
- id: 1.4.9 - id: 1.4.9
text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)"
audit: "stat -c %a /etc/sysconfig/flanneld" audit: "if test -e /etc/sysconfig/flanneld; then stat -c %a /etc/sysconfig/flanneld; fi"
tests: tests:
test_items: test_items:
- flag: "644" - flag: "644"
@ -630,7 +630,7 @@ groups:
- id: 1.4.10 - id: 1.4.10
text: "Ensure that the flanneld file ownership is set to root:root (Scored)" text: "Ensure that the flanneld file ownership is set to root:root (Scored)"
audit: "stat -c %U:%G /etc/sysconfig/flanneld" audit: "if test -e /etc/sysconfig/flanneld; then stat -c %U:%G /etc/sysconfig/flanneld; fi"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"

12
cfg/node.yaml
View File

@ -193,7 +193,7 @@ groups:
checks: checks:
- id: 2.2.1 - id: 2.2.1
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
audit: "stat -c %a $kubeConfDir/config" audit: "if test -e $kubeConfDir/config; then stat -c %a $kubeConfDir/config; fi"
tests: tests:
test_items: test_items:
- flag: "644" - flag: "644"
@ -204,7 +204,7 @@ groups:
- id: 2.2.2 - id: 2.2.2
text: "Ensure that the config file ownership is set to root:root (Scored)" text: "Ensure that the config file ownership is set to root:root (Scored)"
audit: "stat -c %U:%G $kubeConfDir/config" audit: "if test -e $kubeConfDir/config; then stat -c %U:%G $kubeConfDir/config; fi"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -215,7 +215,7 @@ groups:
- id: 2.2.3 - id: 2.2.3
text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
audit: "stat -c %a $kubeConfDir/kubelet" audit: "if test -e $kubeConfDir/kubelet; then stat -c %a $kubeConfDir/kubelet; fi"
tests: tests:
test_items: test_items:
- flag: "644" - flag: "644"
@ -226,7 +226,7 @@ groups:
- id: 2.2.4 - id: 2.2.4
text: "Ensure that the kubelet file ownership is set to root:root (Scored)" text: "Ensure that the kubelet file ownership is set to root:root (Scored)"
audit: "stat -c %U:%G $kubeConfDir/kubelet" audit: "if test -e $kubeConfDir/kubelet; then stat -c %U:%G $kubeConfDir/kubelet; fi"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -237,7 +237,7 @@ groups:
- id: 2.2.5 - id: 2.2.5
text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
audit: "stat -c %a $kubeConfDir/proxy" audit: "if test -e $kubeConfDir/proxy; then stat -c %a $kubeConfDir/proxy; fi"
tests: tests:
test_items: test_items:
- flag: "644" - flag: "644"
@ -248,7 +248,7 @@ groups:
- id: 2.2.6 - id: 2.2.6
text: "Ensure that the proxy file ownership is set to root:root (Scored)" text: "Ensure that the proxy file ownership is set to root:root (Scored)"
audit: "stat -c %U:%G $kubeConfDir/proxy" audit: "if test -e $kubeConfDir/proxy; then stat -c %U:%G $kubeConfDir/proxy; fi"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"

55
check/README.md
View File

@ -1,55 +0,0 @@
# Checks
Checks are recommendations from the Center for Internet Security for Kubernetes 1.6+ installations.
## YAML Representation
In this application these recommendations are represented as YAML documents.
An example is as listed below:
```
---
controls:
id: 1
text: "Master Checks"
type: "master"
groups:
- id: 1.1
text: "Kube-apiserver"
checks:
- id: 1.1.1
text: "Ensure that the --allow-privileged argument is set (Scored)"
audit: "ps -ef | grep kube-apiserver | grep -v grep"
tests:
- flag: "--allow-privileged"
set: true
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
scored: true
```
Recommendations (called `checks` in this document) can run on Kubernetes Master, Node or Federated API Servers.
Checks are organized into `groups` which share similar controls (things to check for) and are grouped together in the section of the CIS Kubernetes document.
These groups are further organized under `controls` which can be of the type `master`, `node` or `federated apiserver` to reflect the various Kubernetes node types.
## Tests
Tests are the items we actually look for to determine if a check is successful or not. Checks can have multiple tests, which must all be successful for the check to pass.
The syntax for tests:
```
tests:
- flag:
set:
compare:
op:
value:
...
```
Tests have various `operations` which are used to compare the output of audit commands for success.
These operations are:
- `eq`: tests if the flag value is equal to the compared value.
- `noteq`: tests if the flag value is unequal to the compared value.
- `gt`: tests if the flag value is greater than the compared value.
- `gte`: tests if the flag value is greater than or equal to the compared value.
- `lt`: tests if the flag value is less than the compared value.
- `lte`: tests if the flag value is less than or equal to the compared value.
- `has`: tests if the flag value contains the compared value.
- `nothave`: tests if the flag value does not contain the compared value.

18
cmd/common.go
View File

@ -140,11 +140,13 @@ func verifyNodeType(t check.NodeType) {
confPath = kubeFederatedConf confPath = kubeFederatedConf
} }
// These executables might not be on the user's path.
// TODO! Check the version number using kubectl, which is more likely to be on the path.
for _, b := range binPath { for _, b := range binPath {
_, err := exec.LookPath(b) _, err := exec.LookPath(b)
if err != nil { if err != nil {
fmt.Fprintf(os.Stderr, "%s: command not found\n", b) fmt.Fprintf(os.Stderr, "WARNING: %s: command not found on path - version check skipped\n", b)
os.Exit(1) continue
} }
// Check version // Check version
@ -152,16 +154,18 @@ func verifyNodeType(t check.NodeType) {
out, _ = cmd.Output() out, _ = cmd.Output()
if matched, _ := regexp.MatchString(kubeVersion, string(out)); !matched { if matched, _ := regexp.MatchString(kubeVersion, string(out)); !matched {
fmt.Fprintf(os.Stderr, fmt.Fprintf(os.Stderr,
"%s unsupported version, expected v%s, got %s\n", "%s unsupported version, expected %s, got %s\n",
b, b,
kubeVersion, kubeVersion,
string(out), string(out),
) )
os.Exit(1) os.Exit(1)
} }
}
// Check if running for _, b := range binPath {
cmd = exec.Command("ps", "-ef") // Check if running.
cmd := exec.Command("ps", "-ef")
out, _ = cmd.Output() out, _ = cmd.Output()
if matched, _ := regexp.MatchString(".*"+b, string(out)); !matched { if matched, _ := regexp.MatchString(".*"+b, string(out)); !matched {
fmt.Fprintf(os.Stderr, "%s is not running\n", b) fmt.Fprintf(os.Stderr, "%s is not running\n", b)
@ -171,8 +175,8 @@ func verifyNodeType(t check.NodeType) {
for _, c := range confPath { for _, c := range confPath {
if _, err := os.Stat(c); os.IsNotExist(err) { if _, err := os.Stat(c); os.IsNotExist(err) {
fmt.Fprintf(os.Stderr, "config file %s does not exist\n", c) fmt.Fprintf(os.Stderr, "WARNING: config file %s does not exist\n", c)
os.Exit(1) // os.Exit(1)
} }
} }
} }

9
cmd/root.go
View File

@ -41,13 +41,8 @@ var (
// RootCmd represents the base command when called without any subcommands // RootCmd represents the base command when called without any subcommands
var RootCmd = &cobra.Command{ var RootCmd = &cobra.Command{
Use: "cis_kubernetes", Use: "cis_kubernetes",
Short: "A brief description of your application", Short: "Run CIS Benchmarks checks against a Kubernetes deployment",
Long: `A longer description that spans multiple lines and likely contains Long: `This tool runs the CIS Kubernetes 1.6 Benchmark v1.0.0 checks.`,
examples and usage of using your application. For example:
Cobra is a CLI library for Go that empowers applications.
This application is a tool to generate the needed files
to quickly create a Cobra application.`,
} }
// Execute adds all child commands to the root command sets flags appropriately. // Execute adds all child commands to the root command sets flags appropriately.

8
makefile Normal file
View File

@ -0,0 +1,8 @@
SOURCES := $(shell find . -name '*.go')
TARGET_OS := linux
cis_kubernetes: $(SOURCES)
GOOS=$(TARGET_OS) go build -o cis_kubernetes .
install: cis_kubernetes
./install.sh