diff --git a/.gitignore b/.gitignore
index d73d4b7..4e258cb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 kube-bench
 *.swp
+vendor
+dist
diff --git a/Dockerfile b/Dockerfile
index 241f265..115f429 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,12 +1,12 @@
-FROM golang:1.8
+FROM golang:1.9
 WORKDIR /kube-bench
 RUN go get github.com/aquasecurity/kube-bench
-RUN cp /go/bin/kube-bench /kube-bench/ && chmod +x /kube-bench/kube-bench
-RUN cp -r /go/src/github.com/aquasecurity/kube-bench/cfg cfg
-# When Docker Hub supports it, we would split this into a multi-stage build with the second part based on, say, alpine for size
+FROM alpine:latest
 WORKDIR /
-ADD entrypoint.sh /entrypoint.sh
+COPY --from=0 /go/bin/kube-bench /kube-bench
+COPY cfg cfg
+COPY entrypoint.sh /entrypoint.sh
 ENTRYPOINT /entrypoint.sh
 # Build-time metadata as defined at http://label-schema.org
diff --git a/README.md b/README.md
index 664c542..1f2b2db 100644
--- a/README.md
+++ b/README.md
@@ -23,9 +23,12 @@ You can either install kube-bench through a dedicated container, or compile it f
 Run ```docker run --rm -v `pwd`:/host aquasec/kube-bench:latest```. This will copy the kube-bench binary and configuration to you host. You can then run ```./kube-bench ```.
 2. Install from sources:
-If Go is installed on the target machines, you can simply clone this repository and run as follows:
+If Go is installed on the target machines, you can simply clone this repository and run as follows (assuming your [$GOPATH is set](https://github.com/golang/go/wiki/GOPATH)):
 ```go get github.com/aquasecurity/kube-bench```
-```cp $GOROOT/bin/kube-bench .```
+```go get github.com/Masterminds/glide```
+```cd $GOPATH/src/github.com/aquasecurity/kube-bench```
+```$GOPATH/bin/glide install```
+```go build -o kube-bench . ```
 ```./kube-bench ```
 ## Usage
diff --git a/check/check.go b/check/check.go
index 16c3984..fdcd886 100644
--- a/check/check.go
+++ b/check/check.go
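Review bot: The build stage and the runtime stage can disagree on revision: `RUN go get github.com/aquasecurity/kube-bench` compiles whatever upstream master is at build time, while `COPY cfg cfg` and `COPY entrypoint.sh /entrypoint.sh` take files from the local checkout, so the binary and the config it reads can come from different commits. Copying the build context into `/go/src/github.com/aquasecurity/kube-bench` in the first stage and building from there keeps them in step. `FROM alpine:latest` is an unpinned base, so rebuilds are not reproducible and a base-image change can alter the shipped image unnoticed; pin a tag or a digest. Because the golang:1.9 stage builds with cgo enabled by default, the copied binary may depend on glibc, which alpine does not provide; if that turns out to be the case, `RUN CGO_ENABLED=0 go get github.com/aquasecurity/kube-bench` produces a static binary.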
@@ -60,15 +60,16 @@ func handleError(err error, context string) (errmsg string) {
 // Check contains information about a recommendation in the
 // CIS Kubernetes 1.6+ document.
 type Check struct {
- ID string `yaml:"id" json:"id"`
- Text string
+ ID string `yaml:"id" json:"test_number"`
+ Text string `json:"test_desc"`
 Audit string `json:"omit"`
 Type string `json:"type"`
 Commands []*exec.Cmd `json:"omit"`
 Tests *tests `json:"omit"`
 Set bool `json:"omit"`
- Remediation string
- State
+ Remediation string `json:"-"`
+ TestInfo []string `json:"test_info"`
+ State `json:"status"`
 }
 // Run executes the audit commands specified in a check and outputs
diff --git a/check/controls.go b/check/controls.go
index 8660e81..a246791 100644
--- a/check/controls.go
+++ b/check/controls.go
@@ -23,26 +23,29 @@ import (
 // Controls holds all controls to check for master nodes.
 type Controls struct {
- ID string `yaml:"id"`
- Version string
- Text string
- Type NodeType
- Groups []*Group
+ ID string `yaml:"id" json:"id"`
+ Version string `json:"version"`
+ Text string `json:"text"`
+ Type NodeType `json:"node_type"`
+ Groups []*Group `json:"tests"`
 Summary
 }
 // Group is a collection of similar checks.
 type Group struct {
- ID string `yaml:"id"`
- Text string
- Checks []*Check
+ ID string `yaml:"id" json:"section"`
+ Pass int `json:"pass"`
+ Fail int `json:"fail"`
+ Warn int `json:"warn"`
+ Text string `json:"desc"`
+ Checks []*Check `json:"results"`
 }
 // Summary is a summary of the results of control checks run.
 type Summary struct {
- Pass int
- Fail int
- Warn int
+ Pass int `json:"total_pass"`
+ Fail int `json:"total_fail"`
+ Warn int `json:"total_warn"`
 }
 // NewControls instantiates a new master Controls object.
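Review bot: The new `json:"-"` on Remediation is the documented way to exclude a field, but Audit, Commands, Tests and Set in the same struct still carry `json:"omit"`, which encoding/json reads as a field name rather than a directive; they are dropped today only because several tagged fields at the same level sharing one JSON name are all ignored, so removing or renaming any one of them would start emitting the others under the key "omit". Since this hunk defines the struct's JSON shape, change those four tags to `json:"-"` as well. TestInfo also deserves a comment saying it carries the remediation text copied in by RunGroup/RunChecks, since Remediation itself is no longer serialized.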
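Review bot: The new Pass, Fail and Warn fields on Group have no comment distinguishing them from the same-named fields on the Summary embedded in Controls: the Group ones are per-group tallies filled in by summarizeGroup as checks run, the Summary ones are the run-wide totals, and a reader seeing `pass`/`fail`/`warn` beside `total_pass`/`total_fail`/`total_warn` has to work that out from the JSON names. A comment above the three fields such as `// Per-group counts of check states; updated by summarizeGroup while RunGroup/RunChecks execute.` would settle it. The Summary embedded in Controls is untagged, so its `total_*` keys are promoted to the top level of the Controls JSON next to `id`, `version` and `tests`; a one-line note that this is intended would help.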
@@ -84,7 +87,9 @@ func (controls *Controls) RunGroup(gids ...string) Summary {
 if gid == group.ID {
 for _, check := range group.Checks {
 check.Run()
+ check.TestInfo = append(check.TestInfo, check.Remediation)
 summarize(controls, check)
+ summarizeGroup(group, check)
 }
 g = append(g, group)
@@ -112,6 +117,7 @@ func (controls *Controls) RunChecks(ids ...string) Summary {
 for _, id := range ids {
 if id == check.ID {
 check.Run()
+ check.TestInfo = append(check.TestInfo, check.Remediation)
 summarize(controls, check)
 // Check if we have already added this checks group.
@@ -178,3 +184,14 @@ func summarize(controls *Controls, check *Check) {
 controls.Summary.Warn++
 }
 }
+
+func summarizeGroup(group *Group, check *Check) {
+ switch check.State {
+ case PASS:
+ group.Pass++
+ case FAIL:
+ group.Fail++
+ case WARN:
+ group.Warn++
+ }
+}
diff --git a/glide.lock b/glide.lock
new file mode 100644
index 0000000..f4d0816
--- /dev/null
+++ b/glide.lock
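Review bot: `check.TestInfo = append(check.TestInfo, check.Remediation)` in RunGroup, and the identical line in the RunChecks hunk that follows, appends once per match, so a check that is selected more than once — the same id or group id passed twice, if the loops outside the hunk do not dedupe, or RunGroup followed by RunChecks on the same Controls — ends up with the remediation text repeated in TestInfo. Assigning instead of appending, `check.TestInfo = []string{check.Remediation}`, or doing it once inside Check.Run next to where State is set, keeps the slice stable across repeated runs and removes the duplicated line. RunGroup and RunChecks both begin and end outside these hunks.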
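Review bot: summarizeGroup has no doc comment and is a line-for-line copy of summarize with group in place of controls, so it is not obvious the duplication is deliberate; a comment such as `// summarizeGroup tallies check.State into the per-group counters, mirroring summarize for the Controls-wide totals.` would make that explicit. Like summarize, the switch silently ignores any State other than PASS, FAIL or WARN, which is consistent as long as those are the only values Run produces.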
@@ -0,0 +1,72 @@ +hash: f3cf12cf95d66d315c4aef2f3d0940770bd26267f84703e53c4928b786a91c14 +updated: 2018-01-09T12:49:41.3014329-08:00 +imports: +- name: github.com/fatih/color + version: 570b54cabe6b8eb0bc2dfce68d964677d63b5260 +- name: github.com/fsnotify/fsnotify + version: 4da3e2cfbabc9f751898f250b49f2439785783a1 +- name: github.com/golang/glog + version: 23def4e6c14b4da8ac2ed8007337bc5eb5007998 +- name: github.com/hashicorp/hcl + version: 23c074d0eceb2b8a5bfdbb271ab780cde70f05a8 + subpackages: + - hcl/ast + - hcl/parser + - hcl/scanner + - hcl/strconv + - hcl/token + - json/parser + - json/scanner + - json/token +- name: github.com/inconshreveable/mousetrap + version: 76626ae9c91c4f2a10f34cad8ce83ea42c93bb75 +- name: github.com/jinzhu/gorm + version: 5174cc5c242a728b435ea2be8a2f7f998e15429b + subpackages: + - dialects/postgres +- name: github.com/jinzhu/inflection + version: 1c35d901db3da928c72a72d8458480cc9ade058f +- name: github.com/lib/pq + version: 83612a56d3dd153a94a629cd64925371c9adad78 + subpackages: + - hstore + - oid +- name: github.com/magiconair/properties + version: 49d762b9817ba1c2e9d0c69183c2b4a8b8f1d934 +- name: github.com/mattn/go-colorable + version: 5411d3eea5978e6cdc258b30de592b60df6aba96 + repo: https://github.com/mattn/go-colorable +- name: github.com/mattn/go-isatty + version: 57fdcb988a5c543893cc61bce354a6e24ab70022 + repo: https://github.com/mattn/go-isatty +- name: github.com/mitchellh/mapstructure + version: 06020f85339e21b2478f756a78e295255ffa4d6a +- name: github.com/pelletier/go-toml + version: 0131db6d737cfbbfb678f8b7d92e55e27ce46224 +- name: github.com/spf13/afero + version: 57afd63c68602b63ed976de00dd066ccb3c319db + subpackages: + - mem +- name: github.com/spf13/cast + version: acbeb36b902d72a7a4c18e8f3241075e7ab763e4 +- name: github.com/spf13/cobra + version: 7b2c5ac9fc04fc5efafb60700713d4fa609b777b +- name: github.com/spf13/jwalterweatherman + version: 12bd96e66386c1960ab0f74ced1362f66f552f7b +- name: github.com/spf13/pflag + 
version: 4c012f6dcd9546820e378d0bdda4d8fc772cdfea +- name: github.com/spf13/viper + version: 25b30aa063fc18e48662b86996252eabdcf2f0c7 +- name: golang.org/x/sys + version: e24f485414aeafb646f6fca458b0bf869c0880a1 + repo: https://go.googlesource.com/sys + subpackages: + - unix +- name: golang.org/x/text + version: e19ae1496984b1c655b8044a65c0300a3c878dd3 + subpackages: + - transform + - unicode/norm +- name: gopkg.in/yaml.v2 + version: c95af922eae69f190717a0b7148960af8c55a072 +testImports: []
diff --git a/glide.yaml b/glide.yaml
new file mode 100644
index 0000000..31e3ef4
--- /dev/null
+++ b/glide.yaml
@@ -0,0 +1,14 @@
+package: github.com/aquasecurity/kube-bench
+import:
+- package: github.com/fatih/color
+ version: ^1.5.0
+- package: github.com/golang/glog
+- package: github.com/jinzhu/gorm
+ version: ^1.0.0
+ subpackages:
+ - dialects/postgres
+- package: github.com/spf13/cobra
+ version: ^0.0.1
+- package: github.com/spf13/viper
+ version: ^1.0.0
+- package: gopkg.in/yaml.v2
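Review bot: Two of the imports, github.com/golang/glog and gopkg.in/yaml.v2, carry no version constraint, so a future `glide up` can move them to an arbitrary revision while the other four stay inside their caret ranges; only glide.lock pins them at present. Giving each a constraint (a caret on the current tag, or a fixed commit where the project has no tags) keeps the manifest self-describing. The `dialects/postgres` subpackage under jinzhu/gorm brings in the lib/pq driver seen in the lock file; a short comment next to it saying what the database output is for would help reviewers of the dependency set.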