1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-18 12:48:08 +00:00

Just have one path for both json and yaml

This commit is contained in:
Liz Rice 2019-04-11 17:09:33 +01:00
parent 9b034024a7
commit 902a10f1c7
No known key found for this signature in database
GPG Key ID: 837476CA214296CB
5 changed files with 58 additions and 78 deletions

View File

@ -195,17 +195,7 @@ You can also define jsonpath and yamlpath tests using the following syntax:
``` ```
tests: tests:
- jsonpath: - path:
set:
compare:
op:
value:
...
```
```
tests:
- yamlpath:
set: set:
compare: compare:
op: op:

View File

@ -8,9 +8,6 @@
# federatedControls: ./cfg/federated.yaml # federatedControls: ./cfg/federated.yaml
# Master nodes are controlled by EKS and not user-accessible # Master nodes are controlled by EKS and not user-accessible
master:
components: []
node: node:
kubernetes: kubernetes:
confs: confs:

View File

@ -32,7 +32,7 @@ groups:
audit: "cat $kubeletconf" audit: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- jsonpath: "{.authentication.anonymous.enabled}" - path: "{.authentication.anonymous.enabled}"
compare: compare:
op: eq op: eq
value: false value: false
@ -54,7 +54,7 @@ groups:
audit: "cat $kubeletconf" audit: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- jsonpath: "{.authorization.mode}" - path: "{.authorization.mode}"
compare: compare:
op: noteq op: noteq
value: "AlwaysAllow" value: "AlwaysAllow"
@ -75,7 +75,7 @@ groups:
audit: "cat $kubeletconf" audit: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- jsonpath: "{.authentication.x509.clientCAFile}" - path: "{.authentication.x509.clientCAFile}"
set: true set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
@ -95,9 +95,9 @@ groups:
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- jsonpath: "{.readOnlyPort}" - path: "{.readOnlyPort}"
set: false set: false
- jsonpath: "{.readOnlyPort}" - path: "{.readOnlyPort}"
compare: compare:
op: eq op: eq
value: "0" value: "0"
@ -119,9 +119,9 @@ groups:
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- jsonpath: "{.streamingConnectionIdleTimeout}" - path: "{.streamingConnectionIdleTimeout}"
set: false set: false
- jsonpath: "{.streamingConnectionIdleTimeout}" - path: "{.streamingConnectionIdleTimeout}"
compare: compare:
op: noteq op: noteq
value: 0 value: 0
@ -143,7 +143,7 @@ groups:
audit: "cat $kubeletconf" audit: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- jsonpath: "{.protectKernelDefaults}" - path: "{.protectKernelDefaults}"
compare: compare:
op: eq op: eq
value: true value: true
@ -165,9 +165,9 @@ groups:
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- jsonpath: "{.makeIPTablesUtilChains}" - path: "{.makeIPTablesUtilChains}"
set: false set: false
- jsonpath: "{.makeIPTablesUtilChains}" - path: "{.makeIPTablesUtilChains}"
compare: compare:
op: eq op: eq
value: true value: true
@ -188,7 +188,7 @@ groups:
audit: "cat $kubeletconf" audit: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- jsonpath: "{.hostnameOverride}" - path: "{.hostnameOverride}"
set: false set: false
remediation: | remediation: |
Edit the kubelet service file $kubeletsvc Edit the kubelet service file $kubeletsvc
@ -204,7 +204,7 @@ groups:
audit: "cat $kubeletconf" audit: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- jsonpath: "{.eventRecordQPS}" - path: "{.eventRecordQPS}"
compare: compare:
op: eq op: eq
value: 0 value: 0
@ -226,9 +226,9 @@ groups:
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
- jsonpath: "{.tlsCertFile}" - path: "{.tlsCertFile}"
set: true set: true
- jsonpath: "{.tlsPrivateKeyFile}" - path: "{.tlsPrivateKeyFile}"
set: true set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
@ -250,12 +250,12 @@ groups:
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- jsonpath: "{.cadvisorPort}" - path: "{.cadvisorPort}"
compare: compare:
op: eq op: eq
value: 0 value: 0
set: true set: true
- jsonpath: "{.cadvisorPort}" - path: "{.cadvisorPort}"
set: false set: false
remediation: | remediation: |
Edit the kubelet service file $kubeletsvc Edit the kubelet service file $kubeletsvc
@ -272,9 +272,9 @@ groups:
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- jsonpath: "{.rotateCertificates}" - path: "{.rotateCertificates}"
set: false set: false
- jsonpath: "{.rotateCertificates}" - path: "{.rotateCertificates}"
compare: compare:
op: noteq op: noteq
value: "false" value: "false"
@ -293,7 +293,7 @@ groups:
audit: "cat $kubeletconf" audit: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- jsonpath: "{.featureGates.RotateKubeletServerCertificate}" - path: "{.featureGates.RotateKubeletServerCertificate}"
compare: compare:
op: eq op: eq
value: true value: true
@ -312,7 +312,7 @@ groups:
audit: "cat $kubeletconf" audit: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- jsonpath: "{.tlsCipherSuites}" - path: "{.tlsCipherSuites}"
compare: compare:
op: eq op: eq
value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"

View File

@ -171,17 +171,17 @@ groups:
text: "jsonpath correct value on field" text: "jsonpath correct value on field"
tests: tests:
test_items: test_items:
- jsonpath: "{.readOnlyPort}" - path: "{.readOnlyPort}"
compare: compare:
op: eq op: eq
value: 15000 value: 15000
set: true set: true
- jsonpath: "{.readOnlyPort}" - path: "{.readOnlyPort}"
compare: compare:
op: gte op: gte
value: 15000 value: 15000
set: true set: true
- jsonpath: "{.readOnlyPort}" - path: "{.readOnlyPort}"
compare: compare:
op: lte op: lte
value: 15000 value: 15000
@ -191,17 +191,17 @@ groups:
text: "jsonpath correct case-sensitive value on string field" text: "jsonpath correct case-sensitive value on string field"
tests: tests:
test_items: test_items:
- jsonpath: "{.stringValue}" - path: "{.stringValue}"
compare: compare:
op: noteq op: noteq
value: "None" value: "None"
set: true set: true
- jsonpath: "{.stringValue}" - path: "{.stringValue}"
compare: compare:
op: noteq op: noteq
value: "webhook,Something,RBAC" value: "webhook,Something,RBAC"
set: true set: true
- jsonpath: "{.stringValue}" - path: "{.stringValue}"
compare: compare:
op: eq op: eq
value: "WebHook,Something,RBAC" value: "WebHook,Something,RBAC"
@ -211,17 +211,17 @@ groups:
text: "jsonpath correct value on boolean field" text: "jsonpath correct value on boolean field"
tests: tests:
test_items: test_items:
- jsonpath: "{.trueValue}" - path: "{.trueValue}"
compare: compare:
op: noteq op: noteq
value: somethingElse value: somethingElse
set: true set: true
- jsonpath: "{.trueValue}" - path: "{.trueValue}"
compare: compare:
op: noteq op: noteq
value: false value: false
set: true set: true
- jsonpath: "{.trueValue}" - path: "{.trueValue}"
compare: compare:
op: eq op: eq
value: true value: true
@ -231,14 +231,14 @@ groups:
text: "jsonpath field absent" text: "jsonpath field absent"
tests: tests:
test_items: test_items:
- jsonpath: "{.notARealField}" - path: "{.notARealField}"
set: false set: false
- id: 19 - id: 19
text: "jsonpath correct value on nested field" text: "jsonpath correct value on nested field"
tests: tests:
test_items: test_items:
- jsonpath: "{.authentication.anonymous.enabled}" - path: "{.authentication.anonymous.enabled}"
compare: compare:
op: eq op: eq
value: "false" value: "false"
@ -248,7 +248,7 @@ groups:
text: "yamlpath correct value on field" text: "yamlpath correct value on field"
tests: tests:
test_items: test_items:
- yamlpath: "{.readOnlyPort}" - path: "{.readOnlyPort}"
compare: compare:
op: gt op: gt
value: 14999 value: 14999
@ -258,41 +258,41 @@ groups:
text: "yamlpath field absent" text: "yamlpath field absent"
tests: tests:
test_items: test_items:
- yamlpath: "{.fieldThatIsUnset}" - path: "{.fieldThatIsUnset}"
set: false set: false
- id: 22 - id: 22
text: "yamlpath correct value on nested field" text: "yamlpath correct value on nested field"
tests: tests:
test_items: test_items:
- yamlpath: "{.authentication.anonymous.enabled}" - path: "{.authentication.anonymous.enabled}"
compare: compare:
op: eq op: eq
value: "false" value: "false"
set: true set: true
- id: 23 - id: 23
text: "jsonpath on invalid json" text: "path on invalid json"
tests: tests:
test_items: test_items:
- jsonpath: "{.authentication.anonymous.enabled}" - path: "{.authentication.anonymous.enabled}"
compare: compare:
op: eq op: eq
value: "false" value: "false"
set: true set: true
- id: 24 - id: 24
text: "jsonpath with broken expression" text: "path with broken expression"
tests: tests:
test_items: test_items:
- jsonpath: "{.missingClosingBrace" - path: "{.missingClosingBrace"
set: true set: true
- id: 25 - id: 25
text: "yamlpath on invalid yaml" text: "yamlpath on invalid yaml"
tests: tests:
test_items: test_items:
- yamlpath: "{.authentication.anonymous.enabled}" - path: "{.authentication.anonymous.enabled}"
compare: compare:
op: eq op: eq
value: "false" value: "false"

View File

@ -43,8 +43,7 @@ const (
type testItem struct { type testItem struct {
Flag string Flag string
Jsonpath string Path string
Yamlpath string
Output string Output string
Value string Value string
Set bool Set bool
@ -74,40 +73,34 @@ func (t *testItem) execute(s string) *testOutput {
// Flag comparison: check if the flag is present in the input // Flag comparison: check if the flag is present in the input
match = strings.Contains(s, t.Flag) match = strings.Contains(s, t.Flag)
} else { } else {
// Means either t.Jsonpath != "" or t.Yamlpath != "" // Path != "" - we don't know whether it's YAML or JSON but
// Find out and convert the input as needed // we can just try one then the other
buf := new(bytes.Buffer) buf := new(bytes.Buffer)
var jsonInterface interface{} var jsonInterface interface{}
var pathExpression string
if t.Yamlpath != "" { if t.Path != "" {
pathExpression = t.Yamlpath
err := yaml.Unmarshal([]byte(s), &jsonInterface)
if err != nil {
fmt.Fprintf(os.Stderr, "failed to load YAML from provided input \"%s\": %v\n", s, err)
return failTestItem("failed to load YAML")
}
} else if t.Jsonpath != "" {
pathExpression = t.Jsonpath
err := json.Unmarshal([]byte(s), &jsonInterface) err := json.Unmarshal([]byte(s), &jsonInterface)
if err != nil { if err != nil {
fmt.Fprintf(os.Stderr, "failed to load JSON from provided input: \"%s\": %v\n", s, err) err := yaml.Unmarshal([]byte(s), &jsonInterface)
return failTestItem("failed to load JSON") if err != nil {
fmt.Fprintf(os.Stderr, "failed to load YAML or JSON from provided input \"%s\": %v\n", s, err)
return failTestItem("failed to load YAML or JSON")
}
} }
} }
// Parse the jsonpath/yamlpath expression... // Parse the jsonpath/yamlpath expression...
j := jsonpath.New("jsonpath") j := jsonpath.New("jsonpath")
j.AllowMissingKeys(true) j.AllowMissingKeys(true)
err := j.Parse(pathExpression) err := j.Parse(t.Path)
if err != nil { if err != nil {
fmt.Fprintf(os.Stderr, "unable to parse path expression \"%s\": %v\n", pathExpression, err) fmt.Fprintf(os.Stderr, "unable to parse path expression \"%s\": %v\n", t.Path, err)
return failTestItem("unable to parse path expression") return failTestItem("unable to parse path expression")
} }
err = j.Execute(buf, jsonInterface) err = j.Execute(buf, jsonInterface)
if err != nil { if err != nil {
fmt.Fprintf(os.Stderr, "error executing path expression \"%s\": %v\n", pathExpression, err) fmt.Fprintf(os.Stderr, "error executing path expression \"%s\": %v\n", t.Path, err)
return failTestItem("error executing path expression") return failTestItem("error executing path expression")
} }