mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-18 12:48:08 +00:00
Just have one path for both json and yaml
This commit is contained in:
parent
9b034024a7
commit
902a10f1c7
12
README.md
12
README.md
@ -195,17 +195,7 @@ You can also define jsonpath and yamlpath tests using the following syntax:
|
|||||||
|
|
||||||
```
|
```
|
||||||
tests:
|
tests:
|
||||||
- jsonpath:
|
- path:
|
||||||
set:
|
|
||||||
compare:
|
|
||||||
op:
|
|
||||||
value:
|
|
||||||
...
|
|
||||||
```
|
|
||||||
|
|
||||||
```
|
|
||||||
tests:
|
|
||||||
- yamlpath:
|
|
||||||
set:
|
set:
|
||||||
compare:
|
compare:
|
||||||
op:
|
op:
|
||||||
|
@ -8,9 +8,6 @@
|
|||||||
# federatedControls: ./cfg/federated.yaml
|
# federatedControls: ./cfg/federated.yaml
|
||||||
|
|
||||||
# Master nodes are controlled by EKS and not user-accessible
|
# Master nodes are controlled by EKS and not user-accessible
|
||||||
master:
|
|
||||||
components: []
|
|
||||||
|
|
||||||
node:
|
node:
|
||||||
kubernetes:
|
kubernetes:
|
||||||
confs:
|
confs:
|
||||||
|
@ -32,7 +32,7 @@ groups:
|
|||||||
audit: "cat $kubeletconf"
|
audit: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- jsonpath: "{.authentication.anonymous.enabled}"
|
- path: "{.authentication.anonymous.enabled}"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: false
|
value: false
|
||||||
@ -54,7 +54,7 @@ groups:
|
|||||||
audit: "cat $kubeletconf"
|
audit: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- jsonpath: "{.authorization.mode}"
|
- path: "{.authorization.mode}"
|
||||||
compare:
|
compare:
|
||||||
op: noteq
|
op: noteq
|
||||||
value: "AlwaysAllow"
|
value: "AlwaysAllow"
|
||||||
@ -75,7 +75,7 @@ groups:
|
|||||||
audit: "cat $kubeletconf"
|
audit: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- jsonpath: "{.authentication.x509.clientCAFile}"
|
- path: "{.authentication.x509.clientCAFile}"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
|
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
|
||||||
@ -95,9 +95,9 @@ groups:
|
|||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- jsonpath: "{.readOnlyPort}"
|
- path: "{.readOnlyPort}"
|
||||||
set: false
|
set: false
|
||||||
- jsonpath: "{.readOnlyPort}"
|
- path: "{.readOnlyPort}"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "0"
|
value: "0"
|
||||||
@ -119,9 +119,9 @@ groups:
|
|||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- jsonpath: "{.streamingConnectionIdleTimeout}"
|
- path: "{.streamingConnectionIdleTimeout}"
|
||||||
set: false
|
set: false
|
||||||
- jsonpath: "{.streamingConnectionIdleTimeout}"
|
- path: "{.streamingConnectionIdleTimeout}"
|
||||||
compare:
|
compare:
|
||||||
op: noteq
|
op: noteq
|
||||||
value: 0
|
value: 0
|
||||||
@ -143,7 +143,7 @@ groups:
|
|||||||
audit: "cat $kubeletconf"
|
audit: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- jsonpath: "{.protectKernelDefaults}"
|
- path: "{.protectKernelDefaults}"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: true
|
value: true
|
||||||
@ -165,9 +165,9 @@ groups:
|
|||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- jsonpath: "{.makeIPTablesUtilChains}"
|
- path: "{.makeIPTablesUtilChains}"
|
||||||
set: false
|
set: false
|
||||||
- jsonpath: "{.makeIPTablesUtilChains}"
|
- path: "{.makeIPTablesUtilChains}"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: true
|
value: true
|
||||||
@ -188,7 +188,7 @@ groups:
|
|||||||
audit: "cat $kubeletconf"
|
audit: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- jsonpath: "{.hostnameOverride}"
|
- path: "{.hostnameOverride}"
|
||||||
set: false
|
set: false
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the kubelet service file $kubeletsvc
|
Edit the kubelet service file $kubeletsvc
|
||||||
@ -204,7 +204,7 @@ groups:
|
|||||||
audit: "cat $kubeletconf"
|
audit: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- jsonpath: "{.eventRecordQPS}"
|
- path: "{.eventRecordQPS}"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: 0
|
value: 0
|
||||||
@ -226,9 +226,9 @@ groups:
|
|||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
test_items:
|
test_items:
|
||||||
- jsonpath: "{.tlsCertFile}"
|
- path: "{.tlsCertFile}"
|
||||||
set: true
|
set: true
|
||||||
- jsonpath: "{.tlsPrivateKeyFile}"
|
- path: "{.tlsPrivateKeyFile}"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
|
If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
|
||||||
@ -250,12 +250,12 @@ groups:
|
|||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- jsonpath: "{.cadvisorPort}"
|
- path: "{.cadvisorPort}"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: 0
|
value: 0
|
||||||
set: true
|
set: true
|
||||||
- jsonpath: "{.cadvisorPort}"
|
- path: "{.cadvisorPort}"
|
||||||
set: false
|
set: false
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the kubelet service file $kubeletsvc
|
Edit the kubelet service file $kubeletsvc
|
||||||
@ -272,9 +272,9 @@ groups:
|
|||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- jsonpath: "{.rotateCertificates}"
|
- path: "{.rotateCertificates}"
|
||||||
set: false
|
set: false
|
||||||
- jsonpath: "{.rotateCertificates}"
|
- path: "{.rotateCertificates}"
|
||||||
compare:
|
compare:
|
||||||
op: noteq
|
op: noteq
|
||||||
value: "false"
|
value: "false"
|
||||||
@ -293,7 +293,7 @@ groups:
|
|||||||
audit: "cat $kubeletconf"
|
audit: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- jsonpath: "{.featureGates.RotateKubeletServerCertificate}"
|
- path: "{.featureGates.RotateKubeletServerCertificate}"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: true
|
value: true
|
||||||
@ -312,7 +312,7 @@ groups:
|
|||||||
audit: "cat $kubeletconf"
|
audit: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- jsonpath: "{.tlsCipherSuites}"
|
- path: "{.tlsCipherSuites}"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
|
value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
|
||||||
|
38
check/data
38
check/data
@ -171,17 +171,17 @@ groups:
|
|||||||
text: "jsonpath correct value on field"
|
text: "jsonpath correct value on field"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- jsonpath: "{.readOnlyPort}"
|
- path: "{.readOnlyPort}"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: 15000
|
value: 15000
|
||||||
set: true
|
set: true
|
||||||
- jsonpath: "{.readOnlyPort}"
|
- path: "{.readOnlyPort}"
|
||||||
compare:
|
compare:
|
||||||
op: gte
|
op: gte
|
||||||
value: 15000
|
value: 15000
|
||||||
set: true
|
set: true
|
||||||
- jsonpath: "{.readOnlyPort}"
|
- path: "{.readOnlyPort}"
|
||||||
compare:
|
compare:
|
||||||
op: lte
|
op: lte
|
||||||
value: 15000
|
value: 15000
|
||||||
@ -191,17 +191,17 @@ groups:
|
|||||||
text: "jsonpath correct case-sensitive value on string field"
|
text: "jsonpath correct case-sensitive value on string field"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- jsonpath: "{.stringValue}"
|
- path: "{.stringValue}"
|
||||||
compare:
|
compare:
|
||||||
op: noteq
|
op: noteq
|
||||||
value: "None"
|
value: "None"
|
||||||
set: true
|
set: true
|
||||||
- jsonpath: "{.stringValue}"
|
- path: "{.stringValue}"
|
||||||
compare:
|
compare:
|
||||||
op: noteq
|
op: noteq
|
||||||
value: "webhook,Something,RBAC"
|
value: "webhook,Something,RBAC"
|
||||||
set: true
|
set: true
|
||||||
- jsonpath: "{.stringValue}"
|
- path: "{.stringValue}"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "WebHook,Something,RBAC"
|
value: "WebHook,Something,RBAC"
|
||||||
@ -211,17 +211,17 @@ groups:
|
|||||||
text: "jsonpath correct value on boolean field"
|
text: "jsonpath correct value on boolean field"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- jsonpath: "{.trueValue}"
|
- path: "{.trueValue}"
|
||||||
compare:
|
compare:
|
||||||
op: noteq
|
op: noteq
|
||||||
value: somethingElse
|
value: somethingElse
|
||||||
set: true
|
set: true
|
||||||
- jsonpath: "{.trueValue}"
|
- path: "{.trueValue}"
|
||||||
compare:
|
compare:
|
||||||
op: noteq
|
op: noteq
|
||||||
value: false
|
value: false
|
||||||
set: true
|
set: true
|
||||||
- jsonpath: "{.trueValue}"
|
- path: "{.trueValue}"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: true
|
value: true
|
||||||
@ -231,14 +231,14 @@ groups:
|
|||||||
text: "jsonpath field absent"
|
text: "jsonpath field absent"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- jsonpath: "{.notARealField}"
|
- path: "{.notARealField}"
|
||||||
set: false
|
set: false
|
||||||
|
|
||||||
- id: 19
|
- id: 19
|
||||||
text: "jsonpath correct value on nested field"
|
text: "jsonpath correct value on nested field"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- jsonpath: "{.authentication.anonymous.enabled}"
|
- path: "{.authentication.anonymous.enabled}"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "false"
|
value: "false"
|
||||||
@ -248,7 +248,7 @@ groups:
|
|||||||
text: "yamlpath correct value on field"
|
text: "yamlpath correct value on field"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- yamlpath: "{.readOnlyPort}"
|
- path: "{.readOnlyPort}"
|
||||||
compare:
|
compare:
|
||||||
op: gt
|
op: gt
|
||||||
value: 14999
|
value: 14999
|
||||||
@ -258,41 +258,41 @@ groups:
|
|||||||
text: "yamlpath field absent"
|
text: "yamlpath field absent"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- yamlpath: "{.fieldThatIsUnset}"
|
- path: "{.fieldThatIsUnset}"
|
||||||
set: false
|
set: false
|
||||||
|
|
||||||
- id: 22
|
- id: 22
|
||||||
text: "yamlpath correct value on nested field"
|
text: "yamlpath correct value on nested field"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- yamlpath: "{.authentication.anonymous.enabled}"
|
- path: "{.authentication.anonymous.enabled}"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "false"
|
value: "false"
|
||||||
set: true
|
set: true
|
||||||
|
|
||||||
- id: 23
|
- id: 23
|
||||||
text: "jsonpath on invalid json"
|
text: "path on invalid json"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- jsonpath: "{.authentication.anonymous.enabled}"
|
- path: "{.authentication.anonymous.enabled}"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "false"
|
value: "false"
|
||||||
set: true
|
set: true
|
||||||
|
|
||||||
- id: 24
|
- id: 24
|
||||||
text: "jsonpath with broken expression"
|
text: "path with broken expression"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- jsonpath: "{.missingClosingBrace"
|
- path: "{.missingClosingBrace"
|
||||||
set: true
|
set: true
|
||||||
|
|
||||||
- id: 25
|
- id: 25
|
||||||
text: "yamlpath on invalid yaml"
|
text: "yamlpath on invalid yaml"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- yamlpath: "{.authentication.anonymous.enabled}"
|
- path: "{.authentication.anonymous.enabled}"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "false"
|
value: "false"
|
||||||
|
@ -42,13 +42,12 @@ const (
|
|||||||
)
|
)
|
||||||
|
|
||||||
type testItem struct {
|
type testItem struct {
|
||||||
Flag string
|
Flag string
|
||||||
Jsonpath string
|
Path string
|
||||||
Yamlpath string
|
Output string
|
||||||
Output string
|
Value string
|
||||||
Value string
|
Set bool
|
||||||
Set bool
|
Compare compare
|
||||||
Compare compare
|
|
||||||
}
|
}
|
||||||
|
|
||||||
type compare struct {
|
type compare struct {
|
||||||
@ -74,40 +73,34 @@ func (t *testItem) execute(s string) *testOutput {
|
|||||||
// Flag comparison: check if the flag is present in the input
|
// Flag comparison: check if the flag is present in the input
|
||||||
match = strings.Contains(s, t.Flag)
|
match = strings.Contains(s, t.Flag)
|
||||||
} else {
|
} else {
|
||||||
// Means either t.Jsonpath != "" or t.Yamlpath != ""
|
// Path != "" - we don't know whether it's YAML or JSON but
|
||||||
// Find out and convert the input as needed
|
// we can just try one then the other
|
||||||
buf := new(bytes.Buffer)
|
buf := new(bytes.Buffer)
|
||||||
var jsonInterface interface{}
|
var jsonInterface interface{}
|
||||||
var pathExpression string
|
|
||||||
|
|
||||||
if t.Yamlpath != "" {
|
if t.Path != "" {
|
||||||
pathExpression = t.Yamlpath
|
|
||||||
err := yaml.Unmarshal([]byte(s), &jsonInterface)
|
|
||||||
if err != nil {
|
|
||||||
fmt.Fprintf(os.Stderr, "failed to load YAML from provided input \"%s\": %v\n", s, err)
|
|
||||||
return failTestItem("failed to load YAML")
|
|
||||||
}
|
|
||||||
} else if t.Jsonpath != "" {
|
|
||||||
pathExpression = t.Jsonpath
|
|
||||||
err := json.Unmarshal([]byte(s), &jsonInterface)
|
err := json.Unmarshal([]byte(s), &jsonInterface)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
fmt.Fprintf(os.Stderr, "failed to load JSON from provided input: \"%s\": %v\n", s, err)
|
err := yaml.Unmarshal([]byte(s), &jsonInterface)
|
||||||
return failTestItem("failed to load JSON")
|
if err != nil {
|
||||||
|
fmt.Fprintf(os.Stderr, "failed to load YAML or JSON from provided input \"%s\": %v\n", s, err)
|
||||||
|
return failTestItem("failed to load YAML or JSON")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Parse the jsonpath/yamlpath expression...
|
// Parse the jsonpath/yamlpath expression...
|
||||||
j := jsonpath.New("jsonpath")
|
j := jsonpath.New("jsonpath")
|
||||||
j.AllowMissingKeys(true)
|
j.AllowMissingKeys(true)
|
||||||
err := j.Parse(pathExpression)
|
err := j.Parse(t.Path)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
fmt.Fprintf(os.Stderr, "unable to parse path expression \"%s\": %v\n", pathExpression, err)
|
fmt.Fprintf(os.Stderr, "unable to parse path expression \"%s\": %v\n", t.Path, err)
|
||||||
return failTestItem("unable to parse path expression")
|
return failTestItem("unable to parse path expression")
|
||||||
}
|
}
|
||||||
|
|
||||||
err = j.Execute(buf, jsonInterface)
|
err = j.Execute(buf, jsonInterface)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
fmt.Fprintf(os.Stderr, "error executing path expression \"%s\": %v\n", pathExpression, err)
|
fmt.Fprintf(os.Stderr, "error executing path expression \"%s\": %v\n", t.Path, err)
|
||||||
return failTestItem("error executing path expression")
|
return failTestItem("error executing path expression")
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -123,7 +116,7 @@ func (t *testItem) execute(s string) *testOutput {
|
|||||||
if t.Flag != "" {
|
if t.Flag != "" {
|
||||||
// Expects flags in the form;
|
// Expects flags in the form;
|
||||||
// --flag=somevalue
|
// --flag=somevalue
|
||||||
// flag: somevalue
|
// flag: somevalue
|
||||||
// --flag
|
// --flag
|
||||||
// somevalue
|
// somevalue
|
||||||
pttn := `(` + t.Flag + `)(=|: *)*([^\s]*) *`
|
pttn := `(` + t.Flag + `)(=|: *)*([^\s]*) *`
|
||||||
|
Loading…
Reference in New Issue
Block a user