From 31b5910a7f7b309a1a638ae19efc4b9dd67e0aac Mon Sep 17 00:00:00 2001
From: Abubakr-Sadik Nii Nai Davis
Date: Fri, 3 Nov 2017 10:41:01 +0000
Subject: [PATCH 01/12] Remove unnecessary warnings about missing config files.

---
 cmd/util.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/util.go b/cmd/util.go
index dfd8b23..62cec19 100644
--- a/cmd/util.go
+++ b/cmd/util.go
@@ -136,7 +136,7 @@ func getConfigFiles(v *viper.Viper, t string) map[string]string {
 glog.V(2).Info(fmt.Sprintf("Using default config file name '%s' for component %s", conf, component))
 } else {
 // Default the config file name that we'll substitute to the name of the component
- printlnWarn(fmt.Sprintf("Missing config file for %s", component))
+ glog.V(2).Info(fmt.Sprintf("Missing config file for %s", component))
 conf = component
 }
 } else {

From 04f044e3b9d645a3d4053ea430b15836e947b37e Mon Sep 17 00:00:00 2001
From: Abubakr-Sadik Nii Nai Davis
Date: Tue, 28 Nov 2017 17:33:42 +0000
Subject: [PATCH 02/12] Add support for merging general and kubernetes version specific config files.

This change unifies all config files, podspecs and unitfiles under a single component configuration key; `config`.

---
 cfg/1.8/config.yaml | 38 +++++++++++++
 cfg/1.8/master.yaml | 136 ++++++++++++++++++++++----------------------
 cfg/1.8/node.yaml | 36 ++++++------
 cfg/config.yaml | 23 --------
 cmd/common.go | 44 +++++++-------
 cmd/util.go | 8 +--
 cmd/util_test.go | 2 +-
 7 files changed, 150 insertions(+), 137 deletions(-)
 create mode 100644 cfg/1.8/config.yaml

diff --git a/cfg/1.8/config.yaml b/cfg/1.8/config.yaml
new file mode 100644
index 0000000..2dcad14
--- /dev/null
+++ b/cfg/1.8/config.yaml
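Review bot: Moving the missing-config message to `glog.V(2)` hides, at default verbosity, the fact that `conf` falls back to the bare component name on the next line, so every substitution for that component in the controls file then refers to a path that was never found and the file-based audits run against something that does not exist. That is exactly the condition an operator needs to see when reading a benchmark result, so keep it visible with `glog.Warning(fmt.Sprintf("Missing config file for %s", component))` or at least `glog.V(1)`. If the noise comes from components marked `optional: true` in the config, gate the message on that flag rather than lowering the level for everyone. getConfigFiles continues outside the hunk on both sides.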
@@ -0,0 +1,38 @@ +--- +## Controls Files. +# These are YAML files that hold all the details for running checks. +# +## Uncomment to use different control file paths. +# masterControls: ./cfg/master.yaml +# nodeControls: ./cfg/node.yaml +# federatedControls: ./cfg/federated.yaml + +master: + apiserver: + defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml + + scheduler: + confs: + - /etc/kubernetes/manifests/kube-scheduler.yaml + defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml + + controllermanager: + confs: + - /etc/kubernetes/manifests/kube-controller-manager.yaml + defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml + + etcd: + confs: + - /etc/kubernetes/manifests/etcd.yaml + defaultconf: /etc/kubernetes/manifests/etcd.yaml + +node: + kubelet: + confs: + - /etc/systemd/system/kubelet.service.d/10-kubeadm.conf + defaultconf: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf + + proxy: + confs: + - /etc/kubernetes/addons/kube-proxy-daemonset.yaml + defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml diff --git a/cfg/1.8/master.yaml b/cfg/1.8/master.yaml index edadb11..818b4bf 100644 --- a/cfg/1.8/master.yaml +++ b/cfg/1.8/master.yaml @@ -19,7 +19,7 @@ groups: value: false set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the below parameter. --anonymous-auth=false @@ -34,7 +34,7 @@ groups: set: false remediation: | Follow the documentation and configure alternate mechanisms for authentication. Then, - edit the API server pod specification file $apiserverpodspec + edit the API server pod specification file $apiserverconf on the master node and remove the --basic-auth-file= parameter. scored: true 
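Review bot: The `apiserver` entry in the new file carries only `defaultconf`, while every other component also lists its manifest under `confs`. Because this file is merged over cfg/config.yaml, whose apiserver section appears to keep `- /etc/kubernetes/apiserver` as a candidate (see that file's @@ -30 hunk below), apiserver would — if viper's merge overwrites rather than appends lists, which I infer from the call rather than from visible code — still be located through the legacy flag file first and reach the manifest only when that file is absent, whereas the 1.4.x permission and ownership audits assume the manifest. Add the same candidate list above `defaultconf`: `confs:` / `  - /etc/kubernetes/manifests/kube-apiserver.yaml`. The header comment about `masterControls`/`nodeControls` overrides is copied from the base file; in a version directory it would be clearer to say that keys here override the top-level config.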
@@ -47,7 +47,7 @@ groups: - flag: "--insecure-allow-any-token" set: false remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and remove the --insecure-allow-any-token parameter. scored: true @@ -66,7 +66,7 @@ groups: - flag: "--kubelet-https" set: false remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and remove the --kubelet-https parameter. scored: true @@ -78,7 +78,7 @@ groups: - flag: "--insecure-bind-address" set: false remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and remove the --insecure-bind-address parameter. scored: true @@ -94,7 +94,7 @@ groups: value: 0 set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf apiserver.yaml on the master node and set the below parameter. --insecure-port=0 scored: true @@ -113,7 +113,7 @@ groups: - flag: "--secure-port" set: false remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and either remove the --secure-port parameter or set it to a different (non-zero) desired port. scored: true @@ -129,7 +129,7 @@ groups: value: false set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the below parameter. --profiling=false scored: true 
@@ -145,7 +145,7 @@ groups: value: false set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the below parameter. --repair-malformed-updates=false scored: true @@ -161,7 +161,7 @@ groups: value: AlwaysAdmit set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --admission-control parameter to a value that does not include AlwaysAdmit. scored: true @@ -177,7 +177,7 @@ groups: value: "AlwaysPullImages" set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --admission-control parameter to include AlwaysPullImages. --admission-control=...,AlwaysPullImages,... @@ -194,7 +194,7 @@ groups: value: "DenyEscalatingExec" set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --admission-control parameter to a value that includes DenyEscalatingExec. --admission-control=...,DenyEscalatingExec,... @@ -211,7 +211,7 @@ groups: value: "SecurityContextDeny" set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --admission-control parameter to include SecurityContextDeny. --admission-control=...,SecurityContextDeny,... @@ -228,7 +228,7 @@ groups: value: "NamespaceLifecycle" set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --admission-control parameter to include NamespaceLifecycle. --admission-control=...,NamespaceLifecycle,... 
@@ -242,7 +242,7 @@ groups: - flag: "--audit-log-path" set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example: --audit-log-path=/var/log/apiserver/audit.log @@ -259,7 +259,7 @@ groups: value: 30 set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days: --audit-log-maxage=30 @@ -276,7 +276,7 @@ groups: value: 10 set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --audit-log-maxbackup parameter to 10 or to an appropriate value. --audit-log-maxbackup=10 @@ -293,7 +293,7 @@ groups: value: 100 set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --audit-log-maxsize parameter to an appropriate size in MB. For example, to set it as 100 MB: --audit-log-maxsize=100 @@ -310,7 +310,7 @@ groups: value: "AlwaysAllow" set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --authorization-mode parameter to values other than AlwaysAllow. One such example could be as below. --authorization-mode=RBAC 
@@ -325,7 +325,7 @@ groups: set: false remediation: | Follow the documentation and configure alternate mechanisms for authentication. Then, - edit the API server pod specification file $apiserverpodspec + edit the API server pod specification file $apiserverconf on the master node and remove the --token-auth-file= parameter. scored: true @@ -340,7 +340,7 @@ groups: remediation: | Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file - $apiserverpodspec on the master node and set the -- + $apiserverconf on the master node and set the -- kubelet-certificate-authority parameter to the path to the cert file for the certificate authority. --kubelet-certificate-authority= @@ -360,7 +360,7 @@ groups: remediation: | Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file - $apiserverpodspec on the master node and set the + $apiserverconf on the master node and set the kubelet client certificate and key parameters as below. --kubelet-client-certificate= --kubelet-client-key= @@ -377,7 +377,7 @@ groups: value: true set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the below parameter. --service-account-lookup=true scored: true @@ -394,7 +394,7 @@ groups: set: true remediation: | Follow the documentation and create Pod Security Policy objects as per your environment. - Then, edit the API server pod specification file $apiserverpodspec + Then, edit the API server pod specification file $apiserverconf on the master node and set the --admission-control parameter to a value that includes PodSecurityPolicy : --admission-control=...,PodSecurityPolicy,... 
@@ -410,7 +410,7 @@ groups: - flag: "--service-account-key-file" set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --service-account-key-file parameter to the public key file for service accounts: --service-account-key-file= @@ -430,7 +430,7 @@ groups: remediation: | Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file - $apiserverpodspec on the master node and set the etcd + $apiserverconf on the master node and set the etcd certificate and key file parameters. --etcd-certfile= --etcd-keyfile= @@ -448,7 +448,7 @@ groups: set: true remediation: | Follow the documentation and create ServiceAccount objects as per your environment. - Then, edit the API server pod specification file $apiserverpodspec + Then, edit the API server pod specification file $apiserverconf on the master node and set the --admission-control parameter to a value that includes ServiceAccount. --admission-control=...,ServiceAccount,... @@ -467,7 +467,7 @@ groups: set: true remediation: | Follow the Kubernetes documentation and set up the TLS connection on the apiserver. - Then, edit the API server pod specification file $apiserverpodspec + Then, edit the API server pod specification file $apiserverconf on the master node and set the TLS certificate and private key file parameters. --tls-cert-file= @@ -483,7 +483,7 @@ groups: set: true remediation: | Follow the Kubernetes documentation and set up the TLS connection on the apiserver. - Then, edit the API server pod specification file $apiserverpodspec + Then, edit the API server pod specification file $apiserverconf on the master node and set the client certificate authority file. --client-ca-file= scored: true 
@@ -498,7 +498,7 @@ groups: remediation: | Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file - $apiserverpodspec on the master node and set the etcd + $apiserverconf on the master node and set the etcd certificate authority file parameter. --etcd-cafile= scored: true @@ -514,7 +514,7 @@ groups: value: "Node" set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --authorization-mode parameter to a value that includes Node. --authorization-mode=Node,RBAC @@ -532,7 +532,7 @@ groups: set: true remediation: | Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. - Then, edit the API server pod specification file $apiserverpodspec + Then, edit the API server pod specification file $apiserverconf on the master node and set the --admission-control parameter to a value that includes NodeRestriction. --admission-control=...,NodeRestriction,... @@ -548,7 +548,7 @@ groups: set: true remediation: | Follow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit - the API server pod specification file $apiserverpodspec + the API server pod specification file $apiserverconf on the master node and set the --experimental-encryption-provider-config parameter to the path of that file: --experimental-encryption-provider-config= @@ -586,7 +586,7 @@ groups: set: true remediation: | Follow the Kubernetes documentation and set the desired limits in a configuration file. - Then, edit the API server pod specification file $apiserverpodspec + Then, edit the API server pod specification file $apiserverconf and set the below parameters. --admission-control=EventRateLimit --admission-control-config-file= 
@@ -598,7 +598,7 @@ groups: type: "manual" remediation: | Follow the Kubernetes documentation and set the desired audit policy in the - /etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverpodspec + /etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverconf and set the below parameters. --audit-policy-file=/etc/kubernetes/audit-policy.yaml scored: true @@ -608,7 +608,7 @@ groups: audit: "ps -ef | grep $apiserverbin | grep -v grep" type: "manual" remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf and set the below parameter as appropriate and if needed. For example, --request-timeout=300 scored: true @@ -628,7 +628,7 @@ groups: set: true remediation: | Remediation: - Edit the Scheduler pod specification file $apiserverpodspec + Edit the Scheduler pod specification file $apiserverconf file on the master node and set the below parameter. --profiling=false scored: true @@ -644,7 +644,7 @@ groups: - flag: "--terminated-pod-gc-threshold" set: true remediation: | - Edit the Controller Manager pod specification file $apiserverpodspec + Edit the Controller Manager pod specification file $apiserverconf on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold, for example: --terminated-pod-gc-threshold=10 scored: true @@ -660,7 +660,7 @@ groups: value: false set: true remediation: | - Edit the Controller Manager pod specification file $apiserverpodspec + Edit the Controller Manager pod specification file $apiserverconf on the master node and set the below parameter. --profiling=false scored: true 
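Review bot: On the changed line at -628 the Scheduler remediation still substitutes `$apiserverconf`, so after this rename the operator is directed to edit the API server manifest to fix a scheduler flag; the scheduler's own variable exists (`$schedulerconf`, used by the 1.4.5/1.4.6 audits) and the line should read `Edit the Scheduler pod specification file $schedulerconf`. The Controller Manager remediations at -644 and -660 in this hunk run and at -676, -689, -703 and -729 on the following line have the same problem and should use `$controllermanagerconf`. The file names left dangling after the variable at -94 (`$apiserverconf apiserver.yaml`) and -729 (`$apiserverconf controller-manager.yaml`) read as leftovers from an earlier substitution and can be dropped.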
@@ -676,7 +676,7 @@ groups: value: true set: true remediation: | - Edit the Controller Manager pod specification file $apiserverpodspec + Edit the Controller Manager pod specification file $apiserverconf on the master node to set the below parameter. --use-service-account-credentials=true scored: true @@ -689,7 +689,7 @@ groups: - flag: "--service-account-private-key-file" set: true remediation: | - Edit the Controller Manager pod specification file $apiserverpodspec + Edit the Controller Manager pod specification file $apiserverconf on the master node and set the --service-account-private- key-file parameter to the private key file for service accounts. --service-account-private-key-file= @@ -703,7 +703,7 @@ groups: - flag: "--root-ca-file" set: true remediation: | - Edit the Controller Manager pod specification file $apiserverpodspec + Edit the Controller Manager pod specification file $apiserverconf on the master node and set the --root-ca-file parameter to the certificate bundle file. --root-ca-file= @@ -729,7 +729,7 @@ groups: value: true set: true remediation: | - Edit the Controller Manager pod specification file $apiserverpodspec + Edit the Controller Manager pod specification file $apiserverconf controller-manager.yaml on the master node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. --feature-gates=RotateKubeletServerCertificate=true @@ -741,7 +741,7 @@ groups: - id: 1.4.1 text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $apiserverpodspec; then stat -c %a $apiserverpodspec; fi'" + audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" tests: bin_op: or test_items: 
@@ -763,13 +763,13 @@ groups: remediation: | Run the below command (based on the file location on your system) on the master node. For example, - chmod 644 $apiserverpodspec + chmod 644 $apiserverconf scored: true - id: 1.4.2 text: "Ensure that the API server pod specification file ownership is set to root:root (Scored)" - audit: "/bin/sh -c 'if test -e $apiserverpodspec; then stat -c %U:%G $apiserverpodspec; fi'" + audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'" tests: test_items: - flag: "root:root" @@ -780,13 +780,13 @@ groups: remediation: | Run the below command (based on the file location on your system) on the master node. For example, - chown root:root $apiserverpodspec + chown root:root $apiserverconf scored: true - id: 1.4.3 text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $controllermanagerpodspec; then stat -c %a $controllermanagerpodspec; fi'" + audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'" tests: bin_op: or test_items: @@ -808,13 +808,13 @@ groups: remediation: | Run the below command (based on the file location on your system) on the master node. For example, - chmod 644 $controllermanagerpodspec + chmod 644 $controllermanagerconf scored: true - id: 1.4.4 text: "Ensure that the controller manager pod specification file ownership is set to root:root (Scored)" - audit: "/bin/sh -c 'if test -e $controllermanagerpodspec; then stat -c %U:%G $controllermanagerpodspec; fi'" + audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'" tests: test_items: - flag: "root:root" 
@@ -825,13 +825,13 @@ groups: remediation: | Run the below command (based on the file location on your system) on the master node. For example, - chown root:root $controllermanagerpodspec + chown root:root $controllermanagerconf scored: true - id: 1.4.5 text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $schedulerpodspec; then stat -c %a $schedulerpodspec; fi'" + audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'" tests: bin_op: or test_items: @@ -853,13 +853,13 @@ groups: remediation: | Run the below command (based on the file location on your system) on the master node. For example, - chmod 644 $schedulerpodspec + chmod 644 $schedulerconf scored: true - id: 1.4.6 text: "Ensure that the scheduler pod specification file ownership is set to root:root (Scored)" - audit: "/bin/sh -c 'if test -e $schedulerpodspec; then stat -c %U:%G $schedulerpodspec; fi'" + audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'" tests: test_items: - flag: "root:root" @@ -870,13 +870,13 @@ groups: remediation: | Run the below command (based on the file location on your system) on the master node. For example, - chown root:root $schedulerpodspec + chown root:root $schedulerconf scored: true - id: 1.4.7 text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $etcdpodspec; then stat -c %a $etcdpodspec; fi'" + audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'" tests: bin_op: or test_items: 
@@ -898,13 +898,13 @@ groups: remediation: | Run the below command (based on the file location on your system) on the master node. For example, - chmod 644 $etcdpodspec + chmod 644 $etcdconf scored: true - id: 1.4.8 text: "Ensure that the etcd pod specification file ownership is set to root:root (Scored)" - audit: "/bin/sh -c 'if test -e $etcdpodspec; then stat -c %U:%G $etcdpodspec; fi'" + audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'" tests: test_items: - flag: "root:root" @@ -915,7 +915,7 @@ groups: remediation: | Run the below command (based on the file location on your system) on the master node. For example, - chown root:root $etcdpodspec + chown root:root $etcdconf scored: true - id: 1.4.9 @@ -1086,7 +1086,7 @@ groups: set: true remediation: | Follow the etcd service documentation and configure TLS encryption. - Then, edit the etcd pod specification file $etcdpodspec on the + Then, edit the etcd pod specification file $etcdconf on the master node and set the below parameters. --ca-file= --key-file= @@ -1103,7 +1103,7 @@ groups: value: true set: true remediation: | - Edit the etcd pod specification file $etcdpodspec on the master + Edit the etcd pod specification file $etcdconf on the master node and set the below parameter. --client-cert-auth="true" scored: true @@ -1121,7 +1121,7 @@ groups: op: neq value: true remediation: | - Edit the etcd pod specification file $etcdpodspec on the master + Edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false. --auto-tls=false scored: true 
@@ -1138,7 +1138,7 @@ groups: set: true remediation: | Follow the etcd service documentation and configure peer TLS encryption as appropriate - for your etcd cluster. Then, edit the etcd pod specification file $etcdpodspec on the + for your etcd cluster. Then, edit the etcd pod specification file $etcdconf on the master node and set the below parameters. --peer-client-file= --peer-key-file= @@ -1155,7 +1155,7 @@ groups: value: true set: true remediation: | - Edit the etcd pod specification file $etcdpodspec on the master + Edit the etcd pod specification file $etcdconf on the master node and set the below parameter. --peer-client-cert-auth=true scored: true @@ -1174,7 +1174,7 @@ groups: value: false set: true remediation: | - Edit the etcd pod specification file $etcdpodspec on the master + Edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false. --peer-auto-tls=false scored: true @@ -1187,7 +1187,7 @@ groups: - flag: "--wal-dir" set: true remediation: | - Edit the etcd pod specification file $etcdpodspec on the master + Edit the etcd pod specification file $etcdconf on the master node and set the below parameter. --wal-dir= scored: true @@ -1203,7 +1203,7 @@ groups: value: 0 set: true remediation: | - Edit the etcd pod specification file $etcdpodspec on the master + Edit the etcd pod specification file $etcdconf on the master node and set the below parameter. --max-wals=0 scored: true @@ -1218,7 +1218,7 @@ groups: remediation: | Follow the etcd documentation and create a dedicated certificate authority setup for the etcd service. - Then, edit the etcd pod specification file $etcdpodspec on the + Then, edit the etcd pod specification file $etcdconf on the master node and set the below parameter. --trusted-ca-file= scored: false diff --git a/cfg/1.8/node.yaml b/cfg/1.8/node.yaml index c8c51f2..e4cd249 100644 --- a/cfg/1.8/node.yaml +++ b/cfg/1.8/node.yaml 
@@ -19,7 +19,7 @@ groups: value: false set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --allow-privileged=false Based on your system, restart the kubelet service. For example: @@ -38,7 +38,7 @@ groups: value: false set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --anonymous-auth=false Based on your system, restart the kubelet service. For example: @@ -57,7 +57,7 @@ groups: value: "AlwaysAllow" set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable. --authorization-mode=Webhook Based on your system, restart the kubelet service. For example: @@ -73,7 +73,7 @@ groups: - flag: "--client-ca-file" set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable. --client-ca-file= Based on your system, restart the kubelet service. For example: @@ -92,7 +92,7 @@ groups: value: 0 set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --read-only-port=0 Based on your system, restart the kubelet service. For example: 
@@ -111,7 +111,7 @@ groups: value: 0 set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --streaming-connection-idle-timeout=5m Based on your system, restart the kubelet service. For example: @@ -130,7 +130,7 @@ groups: value: true set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --protect-kernel-defaults=true Based on your system, restart the kubelet service. For example: @@ -150,7 +150,7 @@ groups: value: true set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and remove the --make-iptables-util-chains argument from the KUBELET_SYSTEM_PODS_ARGS variable. Based on your system, restart the kubelet service. For example: @@ -169,7 +169,7 @@ groups: value: false set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --keep-terminated-pod-volumes=false Based on your system, restart the kubelet service. For example: @@ -185,7 +185,7 @@ groups: - flag: "--hostname-override" set: false remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and remove the --hostname-override argument from the KUBELET_SYSTEM_PODS_ARGS variable. Based on your system, restart the kubelet service. For example: 
@@ -204,7 +204,7 @@ groups: value: 0 set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --event-qps=0 Based on your system, restart the kubelet service. For example: @@ -245,7 +245,7 @@ groups: value: 0 set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable. --cadvisor-port=0 Based on your system, restart the kubelet service. For example: @@ -264,7 +264,7 @@ groups: value: true set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and remove the --feature- gates=RotateKubeletClientCertificate=false argument from the KUBELET_CERTIFICATE_ARGS variable. @@ -284,7 +284,7 @@ groups: value: true set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. --feature-gates=RotateKubeletServerCertificate=true Based on your system, restart the kubelet service. For example: @@ -342,7 +342,7 @@ groups: - id: 2.2.3 text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $kubeletunitfile; then stat -c %a $kubeletunitfile; fi'" + audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" tests: bin_op: or test_items: 
@@ -364,13 +364,13 @@ groups: remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, - chmod 755 $kubeletunitfile + chmod 755 $kubeletconf scored: true - id: 2.2.4 text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $kubeletunitfile; then stat -c %U:%G $kubeletunitfile; fi'" + audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" tests: test_items: - flag: "root:root" @@ -378,7 +378,7 @@ groups: remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, - chown root:root $kubeletunitfile + chown root:root $kubeletconf scored: true - id: 2.2.5 diff --git a/cfg/config.yaml b/cfg/config.yaml index 8512c75..f25ebc0 100644 --- a/cfg/config.yaml +++ b/cfg/config.yaml @@ -30,10 +30,6 @@ master: - /etc/kubernetes/apiserver defaultconf: /etc/kubernetes/apiserver - podspecs: - - /etc/kubernetes/manifests/kube-apiserver.yaml - defaultpodspec: /etc/kubernetes/manifests/kube-apiserver.yaml - scheduler: bins: - "kube-scheduler" @@ -44,10 +40,6 @@ master: - /etc/kubernetes/scheduler defaultconf: /etc/kubernetes/scheduler - podspecs: - - /etc/kubernetes/manifests/kube-scheduler.yaml - defaultpodspec: /etc/kubernetes/manifests/kube-scheduler.yaml - controllermanager: bins: - "kube-controller-manager" @@ -58,10 +50,6 @@ master: - /etc/kubernetes/controller-manager defaultconf: /etc/kubernetes/controller-manager - podspecs: - - /etc/kubernetes/manifests/kube-controller-manager.yaml - defaultpodspec: /etc/kubernetes/manifests/kube-controller-manager.yaml - etcd: optional: true bins: 
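Review bot: On the changed line in 2.2.3 the remediation `chmod 755 $kubeletconf` grants more than the check's own "644 or more restrictive" requirement, so following it may leave the file in a state the test items (cut off in the previous hunk) still reject; it should read `chmod 644 $kubeletconf`. In the same hunk 2.2.4 carries the 2.2.3 title ("permissions are set to 644 or more restrictive") although its audit uses `stat -c %U:%G` and its remediation is `chown root:root`; its text should state that the kubelet service file ownership is set to root:root.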
@@ -70,17 +58,12 @@ master: - /etc/etcd/etcd.conf defaultconf: /etc/etcd/etcd.conf - podspecs: - - /etc/kubernetes/manifests/etcd.yaml - defaultpodspec: /etc/kubernetes/manifests/etcd.yaml - flanneld: optional: true bins: - flanneld defaultconf: /etc/sysconfig/flanneld - node: components: - kubelet @@ -100,10 +83,6 @@ node: - /etc/kubernetes/kubelet defaultconf: "/etc/kubernetes/kubelet.conf" - unitfiles: - - /etc/systemd/system/kubelet.service.d/10-kubeadm.conf - defaultunitfile: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf - proxy: bins: - "kube-proxy" @@ -130,5 +109,3 @@ federated: - "hyperkube federation-controller-manager" - "kube-federation-controller-manager" - "federation-controller-manager" - - diff --git a/cmd/common.go b/cmd/common.go index 3e01f2a..b6404ab 100644 --- a/cmd/common.go +++ b/cmd/common.go @@ -29,6 +29,7 @@ var ( func runChecks(t check.NodeType) { var summary check.Summary + var nodetype string var file string var err error var typeConf *viper.Viper 
@@ -36,47 +37,44 @@ func runChecks(t check.NodeType) {
 switch t {
 case check.MASTER:
 file = masterFile
- typeConf = viper.Sub("master")
+ nodetype = "master"
 case check.NODE:
 file = nodeFile
- typeConf = viper.Sub("node")
+ nodetype = "node"
 case check.FEDERATED:
 file = federatedFile
- typeConf = viper.Sub("federated")
+ nodetype = "federated"
 }
- // Get the set of exectuables and config files we care about on this type of node. This also
- // checks that the executables we need for the node type are running.
- binmap := getBinaries(typeConf)
- confmap := getConfigFiles(typeConf, "conf")
- podspecmap := getConfigFiles(typeConf, "podspec")
- unitfilemap := getConfigFiles(typeConf, "unitfile")
+ ver := getKubeVersion()
+ path := fmt.Sprintf("%s/%s", cfgDir, ver.Server)
- switch t {
- case check.MASTER:
- file = masterFile
- case check.NODE:
- file = nodeFile
- case check.FEDERATED:
- file = federatedFile
+ def := fmt.Sprintf("%s/%s", path, file)
+ in, err := ioutil.ReadFile(def)
+ if err != nil {
+ exitWithError(fmt.Errorf("error opening %s controls file: %v", t, err))
 }
- ver := getKubeVersion()
- path := fmt.Sprintf("%s/%s/%s", cfgDir, ver.Server, file)
- in, err := ioutil.ReadFile(path)
+ // Merge kubernetes version specific config if any.
+ viper.SetConfigFile(path + "/config.yaml")
+ err = viper.MergeInConfig()
 if err != nil {
- exitWithError(fmt.Errorf("error opening %s controls file: %v", t, err))
+ continueWithError(err, fmt.Sprintf("Reading %s specific configuration file", ver.Server))
 }
+ typeConf = viper.Sub(nodetype)
+
+ // Get the set of exectuables and config files we care about on this type of node. This also
+ // checks that the executables we need for the node type are running.
+ binmap := getBinaries(typeConf)
+ confmap := getConfigFiles(typeConf)
 // Variable substitutions. Replace all occurrences of variables in controls files.
 s := string(in)
 s = makeSubstitutions(s, "bin", binmap)
 s = makeSubstitutions(s, "conf", confmap)
- s = makeSubstitutions(s, "podspec", podspecmap)
- s = makeSubstitutions(s, "unitfile", unitfilemap)
 glog.V(1).Info(fmt.Sprintf("Using config file: %s\n", viper.ConfigFileUsed()))
- glog.V(1).Info(fmt.Sprintf("Using benchmark file: %s\n", path))
+ glog.V(1).Info(fmt.Sprintf("Using benchmark file: %s\n", def))
 controls, err := check.NewControls(t, []byte(s))
 if err != nil {
diff --git a/cmd/util.go b/cmd/util.go
index 62cec19..f724847 100644
--- a/cmd/util.go
+++ b/cmd/util.go
@@ -119,7 +119,7 @@ func getBinaries(v *viper.Viper) map[string]string {
 // getConfigFiles finds which of the set of candidate config files exist
 // accepts a string 't' which indicates the type of config file, conf,
 // podspec or untifile.
-func getConfigFiles(v *viper.Viper, t string) map[string]string {
+func getConfigFiles(v *viper.Viper) map[string]string {
 confmap := make(map[string]string)
 for _, component := range v.GetStringSlice("components") {
@@ -129,10 +129,10 @@ func getConfigFiles(v *viper.Viper, t string) map[string]string {
 }
 // See if any of the candidate config files exist
- conf := findConfigFile(s.GetStringSlice(t + "s"))
+ conf := findConfigFile(s.GetStringSlice("confs"))
 if conf == "" {
- if s.IsSet("default" + t) {
- conf = s.GetString("default" + t)
+ if s.IsSet("defaultconf") {
+ conf = s.GetString("defaultconf")
 glog.V(2).Info(fmt.Sprintf("Using default config file name '%s' for component %s", conf, component))
 } else {
 // Default the config file name that we'll substitute to the name of the component
diff --git a/cmd/util_test.go b/cmd/util_test.go
index 50044cf..e9c6eac 100644
--- a/cmd/util_test.go
+++ b/cmd/util_test.go
@@ -282,7 +282,7 @@ func TestGetConfigFiles(t *testing.T) {
 e = c.statResults
 eIndex = 0
- m := getConfigFiles(v, "conf")
+ m := getConfigFiles(v)
 if !reflect.DeepEqual(m, c.exp) {
 t.Fatalf("Got %v\nExpected %v", m, c.exp)
 }
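Review bot: Dropping the `podspec` and `unitfile` substitutions is only safe once every controls file has been converted, but this patch's diffstat touches only cfg/1.8/master.yaml and cfg/1.8/node.yaml; if cfg/1.6 and cfg/1.7 (which patch 08 shows still exist) still reference `$apiserverpodspec` or `$kubeletunitfile`, those names now reach `/bin/sh` unsubstituted, expand to an empty string, and a `stat`/`grep` audit silently runs against the wrong target. `viper.SetConfigFile(path + "/config.yaml")` also mutates the global instance, so the `Using config file` log line later in this hunk now names the version override rather than the file the user supplied, and a malformed override is merely warned about via `continueWithError` while the run continues with the generic paths. I would distinguish a missing override (tolerable) from a parse error (fatal) before merging, and build the path with `filepath.Join(cfgDir, ver.Server, "config.yaml")` instead of string concatenation. runChecks continues past the end of this hunk.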
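Review bot: The doc comment above `getConfigFiles` still describes the `t` parameter this hunk removes ("accepts a string 't' which indicates the type of config file, conf, podspec or untifile"), so it is now inaccurate as well as misspelled. Replace the three comment lines with `// getConfigFiles returns, for each component listed under "components", the first`, `// existing candidate from its "confs" list, falling back to "defaultconf" or to the`, `// component name when none exists.` — the fallback order is what the next hunk implements, assuming findConfigFile keeps returning the first match.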
From 64aaef799716768ee15e3089347d2c22a2a0585c Mon Sep 17 00:00:00 2001 From: Abubakr-Sadik Nii Nai Davis Date: Tue, 28 Nov 2017 17:47:57 +0000 Subject: [PATCH 03/12] Fixed expected return for getKubeVersion. --- cmd/common.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cmd/common.go b/cmd/common.go index b6404ab..bc4dbe2 100644 --- a/cmd/common.go +++ b/cmd/common.go @@ -47,7 +47,7 @@ func runChecks(t check.NodeType) { } ver := getKubeVersion() - path := fmt.Sprintf("%s/%s", cfgDir, ver.Server) + path := fmt.Sprintf("%s/%s", cfgDir, ver) def := fmt.Sprintf("%s/%s", path, file) in, err := ioutil.ReadFile(def) @@ -59,7 +59,7 @@ func runChecks(t check.NodeType) { viper.SetConfigFile(path + "/config.yaml") err = viper.MergeInConfig() if err != nil { - continueWithError(err, fmt.Sprintf("Reading %s specific configuration file", ver.Server)) + continueWithError(err, fmt.Sprintf("Reading %s specific configuration file", ver)) } typeConf = viper.Sub(nodetype) From 3dd5db693d8c716c0b3a4a6526ae4164095db0b8 Mon Sep 17 00:00:00 2001 From: Lee Briggs Date: Thu, 11 Jan 2018 09:43:06 -0800 Subject: [PATCH 04/12] Add goreleaser configuration --- .goreleaser.yml | 23 +++++++++++++++++++++++ .travis.yml | 21 ++++++++++++++++++--- 2 files changed, 41 insertions(+), 3 deletions(-) create mode 100644 .goreleaser.yml diff --git a/.goreleaser.yml b/.goreleaser.yml new file mode 100644 index 0000000..6da1967 --- /dev/null +++ b/.goreleaser.yml @@ -0,0 +1,23 @@ +builds: + - main: main.go + binary: kube-bench + goos: + - darwin + - linux + goarch: + - amd64 +# Archive customization +archive: + format: tar.gz +dockers: + - + binary: kube-bench + image: aquasecurity/kube-bench + latest: true +fpm: + vendor: Aqua Security + description: "The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices" + license: Apache-2.0 + formats: + - deb + - rpm 
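Review bot: `path := fmt.Sprintf("%s/%s", cfgDir, ver)` splices a string obtained from the cluster (`getKubeVersion`, outside this hunk) directly into a filesystem path that is then read and merged as configuration; unless getKubeVersion already normalises the value to a bare `major.minor`, a server reporting an unusual version string sends the tool to an unexpected directory. Validate before use, e.g. `if !regexp.MustCompile("^[0-9]+\\.[0-9]+$").MatchString(ver) { exitWithError(fmt.Errorf("unexpected kubernetes version %q", ver)) }`, and prefer `filepath.Join(cfgDir, ver)` over hand-joining with `/`.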
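Review bot: The release configuration has no `sign:` (or explicit `checksum:`) section, so consumers of the tar.gz, deb and rpm artifacts have nothing to verify provenance against beyond trusting the download location; goreleaser's defaults may emit a checksum file, but artifact signing must be configured explicitly and is worth adding for a tool that is run as root on cluster nodes. `latest: true` under `dockers` also retags `:latest` on every release, so anyone running the image unpinned silently picks up new builds; if that is intended, say so in the README.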
diff --git a/.travis.yml b/.travis.yml index c9bf753..32d6478 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,6 +1,21 @@ +--- language: go -install: - - go get github.com/aquasecurity/kube-bench + +notifications: + email: false + +before_install: + - sudo apt-get -qq update + - sudo apt-get install -y rpm + - gem install --no-ri --no-rdoc fpm + +install: + - go get -v github.com/Masterminds/glide + - cd $GOPATH/src/github.com/Masterminds/glide && git checkout tags/v0.12.3 && go install && cd - # use a known good glide version + - glide install + script: - go test ./... - - go build -o kube-bench . + +after_success: + - test -n "$TRAVIS_TAG" && curl -sL https://git.io/goreleaser | bash From f63cd118079b9de7503930182054dbcebd32a199 Mon Sep 17 00:00:00 2001 From: Lee Briggs Date: Fri, 12 Jan 2018 08:54:39 -0800 Subject: [PATCH 05/12] Fix docker repo path --- .goreleaser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.goreleaser.yml b/.goreleaser.yml index 6da1967..61aa356 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -12,7 +12,7 @@ archive: dockers: - binary: kube-bench - image: aquasecurity/kube-bench + image: aquasec/kube-bench latest: true fpm: vendor: Aqua Security From cbe02e1d5edbcfab1f99fe968c58e2e1db8e6f4e Mon Sep 17 00:00:00 2001 From: jerbia Date: Mon, 15 Jan 2018 00:59:27 +0200 Subject: [PATCH 06/12] Fixed typo in entrypoint.sh (#86) The entrypoint.sh had a typo where it tried coping files from "/kube-bench" instead of just "/". --- entrypoint.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 4ccd821..ad28fbf 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
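Review bot: `curl -sL https://git.io/goreleaser | bash` in `after_success` pipes an unpinned script fetched through a URL shortener into a shell that holds the release credentials, so whoever controls that redirect or the script's current contents can publish arbitrary artifacts under this project's tag. Pin goreleaser to a specific release, download that archive, compare it against a sha256 recorded in the repository, and only then execute it; the `gem install --no-ri --no-rdoc fpm` and the glide `git checkout tags/v0.12.3` should likewise be pinned to immutable identifiers (a gem version, a commit hash) rather than a floating gem or a mutable tag. The `test -n "$TRAVIS_TAG" &&` guard rightly limits this to tagged builds, but it does not reduce the trust placed in the downloaded script.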
@@ -1,8 +1,8 @@ #!/bin/sh if [ -d /host ]; then mkdir -p /host/cfg/ - yes | cp -rf ./kube-bench/cfg/* /host/cfg/ - yes | cp -rf ./kube-bench/kube-bench /host/ + yes | cp -rf /cfg/* /host/cfg/ + yes | cp -rf /kube-bench /host/ echo "===============================================" echo "kube-bench is now installed on your host " echo "Run ./kube-bench to perform a security check " From 850cde23e96df39024a74c6a44ea318b642fff3d Mon Sep 17 00:00:00 2001 From: jerbia Date: Mon, 15 Jan 2018 01:24:42 +0200 Subject: [PATCH 07/12] Added travis token (#87) --- .travis.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index c9bf753..9a885dc 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,6 +1,9 @@ language: go -install: - - go get github.com/aquasecurity/kube-bench +install: +- go get github.com/aquasecurity/kube-bench script: - - go test ./... - - go build -o kube-bench . +- go test ./... +- go build -o kube-bench . +env: + global: + secure: 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 From 7fcfb0cf302bb485c7468ad46e154b9f3e88f68d Mon Sep 17 00:00:00 2001 From: Abubakr-Sadik Nii Nai Davis Date: Thu, 18 Jan 2018 14:41:27 +0000 Subject: [PATCH 08/12] Fix issue with etcd checks failing because of using " " instead of "=" to specify value. This issue affects master checks 1.4.11 and 1.4.12. --- cfg/1.6/master.yaml | 4 ++-- cfg/1.7/master.yaml | 4 ++-- cfg/1.8/master.yaml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/cfg/1.6/master.yaml b/cfg/1.6/master.yaml index 209f31d..1db170f 100644 --- a/cfg/1.6/master.yaml +++ b/cfg/1.6/master.yaml 
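Review bot: The script still reports success unconditionally: there is no `set -e` after `#!/bin/sh`, so if either `cp` fails (read-only `/host`, missing `/cfg`) the "kube-bench is now installed" banner is printed anyway and the user goes on to run a stale or absent binary. Add `set -e` on the line after the shebang, or `|| exit 1` on each `cp`; and since `-f` already forces overwrites, the `yes |` prefixes are redundant.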
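Review bot: The `secure:` value is added without any comment saying which credential it encrypts or what it is used for, which makes it impossible to audit its scope later; add `# encrypted <purpose> token, used only by after_success on tagged builds` above it with the actual purpose filled in. This hunk is also diffed against `index c9bf753`, the .travis.yml before patch 04, so as written it restores `go get`/`go build` and omits the glide and goreleaser steps — presumably a merge-order artifact, but worth confirming which version of the file is intended.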
@@ -731,7 +731,7 @@ groups: - id: 1.4.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" - audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %a" + audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %a tests: test_items: - flag: "700" @@ -748,7 +748,7 @@ groups: - id: 1.4.12 text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" - audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G" + audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G tests: test_items: - flag: "etcd:etcd" diff --git a/cfg/1.7/master.yaml b/cfg/1.7/master.yaml index a306eef..fa35e39 100644 --- a/cfg/1.7/master.yaml +++ b/cfg/1.7/master.yaml @@ -793,7 +793,7 @@ groups: - id: 1.4.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" - audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %a" + audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %a tests: test_items: - flag: "700" @@ -810,7 +810,7 @@ groups: - id: 1.4.12 text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" - audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G" + audit: ps -ef | grep $etcdbin | grep -v grep | ed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G tests: test_items: - flag: "etcd:etcd" diff --git a/cfg/1.8/master.yaml b/cfg/1.8/master.yaml index 0a3c465..9894f4c 100644 --- a/cfg/1.8/master.yaml +++ b/cfg/1.8/master.yaml 
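Review bot: The 1.7 audit for 1.4.12 pipes into `ed` instead of `sed` (`grep -v grep | ed 's%...'`), so this check can never yield `etcd:etcd` on a 1.7 cluster; it should read `audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G` like its siblings. Even with that fixed, the expression only consumes up to the data-dir token, so whenever `--data-dir` is not the last argument the remainder of the command line is handed to `stat` as extra operands and the result compared against `700`/`etcd:etcd` is polluted; the `.*` that patch 10 appends after the capture group belongs in all six of these audits, not just 1.8's 1.4.11.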
@@ -942,7 +942,7 @@ groups: - id: 1.4.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" - audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %a" + audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %a tests: test_items: - flag: "700" @@ -960,7 +960,7 @@ groups: - id: 1.4.12 text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" - audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G" + audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G tests: test_items: - flag: "etcd:etcd" From 8fc6904093dbf35f12b965ae20c3d0beccdce57f Mon Sep 17 00:00:00 2001 From: Konstantinos Karampogias Date: Wed, 24 Jan 2018 14:17:45 +0000 Subject: [PATCH 09/12] Improve etcd data directory extraction - If data-dir is not the last argument, the remaining arguments are captured preventing the correct checking. Signed-off-by: Konstantin Semenov --- cfg/1.8/master.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cfg/1.8/master.yaml b/cfg/1.8/master.yaml index 9894f4c..fee7e24 100644 --- a/cfg/1.8/master.yaml +++ b/cfg/1.8/master.yaml @@ -942,7 +942,7 @@ groups: - id: 1.4.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" - audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %a + audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | awk '{print $1}' | xargs stat -c %a tests: test_items: - flag: "700" From 961dbeb2b5bfae66ef30971d0e76a534246de602 Mon Sep 17 00:00:00 2001 From: Konstantin Semenov Date: Thu, 25 Jan 2018 00:34:52 +0000 Subject: [PATCH 10/12] Correct sed regex --- cfg/1.8/master.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cfg/1.8/master.yaml b/cfg/1.8/master.yaml index fee7e24..e281487 100644 --- a/cfg/1.8/master.yaml +++ b/cfg/1.8/master.yaml @@ -942,7 +942,7 @@ groups: - id: 1.4.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" - audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | awk '{print $1}' | xargs stat -c %a + audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a tests: test_items: - flag: "700" From c389d6ecf2cf601d145f1824d554b2ada5ca1855 Mon Sep 17 00:00:00 2001 From: Liz Rice Date: Tue, 30 Jan 2018 16:56:23 +0000 Subject: [PATCH 11/12] Fix build Copy the cfg files and entrypoint.sh from the first stage of the multistage build --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 115f429..10f1676 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,8 +5,8 @@ RUN go get github.com/aquasecurity/kube-bench FROM alpine:latest WORKDIR / COPY --from=0 /go/bin/kube-bench /kube-bench -COPY cfg cfg -COPY entrypoint.sh /entrypoint.sh +COPY --from=0 /go/src/github.com/aquasecurity/kube-bench/cfg /cfg +COPY --from=0 /go/src/github.com/aquasecurity/kube-bench/entrypoint.sh /entrypoint.sh ENTRYPOINT /entrypoint.sh # Build-time metadata as defined at http://label-schema.org From fe23f8140a73018e29866fee4f76d3cc1871a603 Mon Sep 17 00:00:00 2001 From: Lee Briggs Date: Tue, 30 Jan 2018 11:16:53 -0800 Subject: [PATCH 12/12] Remove docker build --- .goreleaser.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.goreleaser.yml b/.goreleaser.yml index 61aa356..7cb5822 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml 
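Review bot: The corrected regex is applied only to 1.4.11 in cfg/1.8; 1.4.12 immediately below it, and both checks in cfg/1.6 and cfg/1.7, still use `\(\S*\)%\1%` without consuming the rest of the line, so those audits remain wrong whenever `--data-dir` is not the last argument. The pattern also does nothing useful when no `--data-dir` is on the command line at all: the substitution fails to match, the entire `ps` line goes to `xargs stat`, and the check reports on whatever tokens happen to be paths. Use `sed -n 's%.*data-dir[= ]\([^ ]*\).*%\1%p'` so a non-matching line prints nothing, and treat an empty result as "not set" (etcd then falls back to its default data directory, which this audit does not inspect).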
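Review bot: Both `COPY --from=0` lines, like the binary copy above them, take their content from the tree that stage 0 fetched with `go get github.com/aquasecurity/kube-bench` (visible as the hunk's header context), not from the build context, so an image built from a tagged checkout contains whatever is on upstream master at build time and the shipped cfg controls can diverge from the source the tag points at. Copying the checked-out source into stage 0 (`COPY . /go/src/github.com/aquasecurity/kube-bench` followed by a `go install` in that directory) makes the image reproducible from the commit; pinning `FROM alpine:latest` to a specific tag or digest does the same for the base layer.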
@@ -9,11 +9,6 @@ builds: # Archive customization archive: format: tar.gz -dockers: - - - binary: kube-bench - image: aquasec/kube-bench - latest: true fpm: vendor: Aqua Security description: "The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices"