arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2025-08-03 20:38:11 +00:00
Code Issues Releases Wiki Activity

Merge branch 'master' into issue_278_remediation

Browse Source
This commit is contained in:
Liz Rice 2019-05-10 09:47:57 +01:00 committed by GitHub
commit c361b9b82f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
23 changed files with 3153 additions and 2038 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -4,3 +4,5 @@ vendor
dist dist
.vscode/ .vscode/
hack/kind.test.yaml hack/kind.test.yaml
.idea/

49
Gopkg.lock generated
View File

@ -1,6 +1,14 @@
# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'. # This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'.
[[projects]]
digest = "1:ffe9824d294da03b391f44e1ae8281281b4afc1bdaa9588c9097785e3af10cec"
name = "github.com/davecgh/go-spew"
packages = ["spew"]
pruneopts = "UT"
revision = "8991bc29aa16c548c550c7ff78260e27b9ab7c73"
version = "v1.1.1"
[[projects]] [[projects]]
digest = "1:938a2672d6ebbb7f7bc63eee3e4b9464c16ffcf77ec8913d3edbf32b4e3984dd" digest = "1:938a2672d6ebbb7f7bc63eee3e4b9464c16ffcf77ec8913d3edbf32b4e3984dd"
name = "github.com/fatih/color" name = "github.com/fatih/color"
@ -113,6 +121,14 @@
pruneopts = "UT" pruneopts = "UT"
revision = "0131db6d737cfbbfb678f8b7d92e55e27ce46224" revision = "0131db6d737cfbbfb678f8b7d92e55e27ce46224"
[[projects]]
digest = "1:0028cb19b2e4c3112225cd871870f2d9cf49b9b4276531f03438a88e94be86fe"
name = "github.com/pmezard/go-difflib"
packages = ["difflib"]
pruneopts = "UT"
revision = "792786c7400a136282c1664665ae0a8db921c6c2"
version = "v1.0.0"
[[projects]] [[projects]]
digest = "1:1fccaaeae58b2a2f1af4dbf7eee92ff14f222e161d143bfd20082ef664f91216" digest = "1:1fccaaeae58b2a2f1af4dbf7eee92ff14f222e161d143bfd20082ef664f91216"
name = "github.com/spf13/afero" name = "github.com/spf13/afero"
@ -161,6 +177,25 @@
revision = "25b30aa063fc18e48662b86996252eabdcf2f0c7" revision = "25b30aa063fc18e48662b86996252eabdcf2f0c7"
version = "v1.0.0" version = "v1.0.0"
[[projects]]
digest = "1:ac83cf90d08b63ad5f7e020ef480d319ae890c208f8524622a2f3136e2686b02"
name = "github.com/stretchr/objx"
packages = ["."]
pruneopts = "UT"
revision = "477a77ecc69700c7cdeb1fa9e129548e1c1c393c"
version = "v0.1.1"
[[projects]]
digest = "1:0bcc464dabcfad5393daf87c3f8142911d0f6c52569b837e91a1c15e890265f3"
name = "github.com/stretchr/testify"
packages = [
"assert",
"mock",
]
pruneopts = "UT"
revision = "ffdc059bfe9ce6a4e144ba849dbedead332c6053"
version = "v1.3.0"
[[projects]] [[projects]]
digest = "1:c9c0ba9ea00233c41b91e441cfd490f34b129bbfebcb1858979623bd8de07f72" digest = "1:c9c0ba9ea00233c41b91e441cfd490f34b129bbfebcb1858979623bd8de07f72"
name = "golang.org/x/sys" name = "golang.org/x/sys"
@ -189,6 +224,17 @@
pruneopts = "UT" pruneopts = "UT"
revision = "c95af922eae69f190717a0b7148960af8c55a072" revision = "c95af922eae69f190717a0b7148960af8c55a072"
[[projects]]
digest = "1:e8e3acc03397f71fad44385631e665c639a8d55bd187bcfa6e70b695e3705edd"
name = "k8s.io/client-go"
packages = [
"third_party/forked/golang/template",
"util/jsonpath",
]
pruneopts = "UT"
revision = "e64494209f554a6723674bd494d69445fb76a1d4"
version = "v10.0.0"
[solve-meta] [solve-meta]
analyzer-name = "dep" analyzer-name = "dep"
analyzer-version = 1 analyzer-version = 1
@ -199,7 +245,10 @@
"github.com/jinzhu/gorm/dialects/postgres", "github.com/jinzhu/gorm/dialects/postgres",
"github.com/spf13/cobra", "github.com/spf13/cobra",
"github.com/spf13/viper", "github.com/spf13/viper",
"github.com/stretchr/testify/assert",
"github.com/stretchr/testify/mock",
"gopkg.in/yaml.v2", "gopkg.in/yaml.v2",
"k8s.io/client-go/util/jsonpath",
] ]
solver-name = "gps-cdcl" solver-name = "gps-cdcl"
solver-version = 1 solver-version = 1

4
Gopkg.toml
View File

@ -18,6 +18,10 @@
name = "github.com/spf13/viper" name = "github.com/spf13/viper"
version = "1.0.0" version = "1.0.0"
[[constraint]]
name = "github.com/stretchr/testify"
version = "1.3.0"
[prune] [prune]
go-tests = true go-tests = true
unused-packages = true unused-packages = true

33
README.md
View File

@ -25,6 +25,8 @@ kube-bench supports the tests for Kubernetes as defined in the CIS Benchmarks 1.
By default kube-bench will determine the test set to run based on the Kubernetes version running on the machine. By default kube-bench will determine the test set to run based on the Kubernetes version running on the machine.
There is also preliminary support for Red Hat's Openshift Hardening Guide for 3.10 and 3.11. Please note that kube-bench does not automatically detect Openshift - see below.
## Installation ## Installation
You can choose to You can choose to
@ -47,14 +49,14 @@ You can even use your own configs by mounting them over the default ones in `/op
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest [master|node] docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest [master|node]
``` ```
> Note: the tests require either the kubelet or kubectl binary in the path in order to know the Kubernetes version. You can pass `-v $(which kubectl):/usr/bin/kubectl` to the above invocations to resolve this. > Note: the tests require either the kubelet or kubectl binary in the path in order to auto-detect the Kubernetes version. You can pass `-v $(which kubectl):/usr/bin/kubectl` to the above invocations to resolve this.
### Running in a kubernetes cluster ### Running in a kubernetes cluster
You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored. You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.
Master nodes are automatically detected by kube-bench and will run master checks when possible. Master nodes are automatically detected by kube-bench and will run master checks when possible.
The detection is done by verifying that mandatory components for master are running. (see [config file](#configuration). The detection is done by verifying that mandatory components for master, as defined in the config files, are running (see [Configuration](#configuration)).
The supplied `job.yaml` file can be applied to run the tests as a job. For example: The supplied `job.yaml` file can be applied to run the tests as a job. For example:
@ -72,7 +74,7 @@ NAME READY STATUS RESTARTS AGE
kube-bench-j76s9 0/1 Completed 0 11s kube-bench-j76s9 0/1 Completed 0 11s
# The results are held in the pod's logs # The results are held in the pod's logs
k logs kube-bench-j76s9 kubectl logs kube-bench-j76s9
[INFO] 1 Master Node Security Configuration [INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server [INFO] 1.1 API Server
... ...
@ -84,6 +86,15 @@ To run the tests on the master node, the pod needs to be scheduled on that node.
The default labels applied to master nodes has changed since Kubernetes 1.11, so if you are using an older version you may need to modify the nodeSelector and tolerations to run the job on the master node. The default labels applied to master nodes has changed since Kubernetes 1.11, so if you are using an older version you may need to modify the nodeSelector and tolerations to run the job on the master node.
### Running in an EKS cluster
There is a `job-eks.yaml` file for running the kube-bench node checks on an EKS cluster. **Note that you must update the image reference in `job-eks.yaml`.** Typically you will push the container image for kube-bench to ECR and refer to it there in the YAML file.
There are two significant differences on EKS:
* It uses [config files in JSON format](https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/)
* It's not possible to schedule jobs onto the master node, so master checks can't be performed
### Installing from a container ### Installing from a container
This command copies the kube-bench binary and configuration files to your host from the Docker container: This command copies the kube-bench binary and configuration files to your host from the Docker container:
@ -112,6 +123,9 @@ go build -o kube-bench .
./kube-bench ./kube-bench
``` ```
## Running on OpenShift
kube-bench includes a set of test files for Red Hat's OpenShift hardening guide for OCP 3.10 and 3.11. To run this you will need to specify `--version ocp-3.10` when you run the `kube-bench` command (either directly or through YAML). This config version is valid for OCP 3.10 and 3.11.
## Configuration ## Configuration
@ -190,6 +204,19 @@ tests:
value: value:
... ...
``` ```
You can also define jsonpath and yamlpath tests using the following syntax:
```
tests:
- path:
set:
compare:
op:
value:
...
```
Tests have various `operations` which are used to compare the output of audit commands for success. Tests have various `operations` which are used to compare the output of audit commands for success.
These operations are: These operations are:

20
cfg/1.11-json/config.yaml Normal file
View File

@ -0,0 +1,20 @@
---
# Config file for systems such as EKS where config is in JSON files
# Master nodes are controlled by EKS and not user-accessible
node:
kubernetes:
confs:
- "/var/lib/kubelet/kubeconfig"
kubeconfig:
- "/var/lib/kubelet/kubeconfig"
kubelet:
bins:
- "hyperkube kubelet"
- "kubelet"
defaultconf: "/etc/kubernetes/kubelet/kubelet-config.json"
defaultsvc: "/etc/systemd/system/kubelet.service"
defaultkubeconfig: "/var/lib/kubelet/kubeconfig"
proxy:
defaultkubeconfig: "/var/lib/kubelet/kubeconfig"

508
cfg/1.11-json/node.yaml Normal file
View File

@ -0,0 +1,508 @@
---
controls:
version: 1.11
id: 2
text: "Worker Node Security Configuration"
type: "node"
groups:
- id: 2.1
text: "Kubelet"
checks:
- id: 2.1.1
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--allow-privileged"
compare:
op: eq
value: false
set: true
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--allow-privileged=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.2
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.authentication.anonymous.enabled}"
compare:
op: eq
value: false
set: true
remediation: |
If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
false .
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.3
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.authorization.mode}"
compare:
op: noteq
value: "AlwaysAllow"
set: true
remediation: |
If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.4
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.authentication.x509.clientCAFile}"
set: true
remediation: |
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
the location of the client CA file.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--client-ca-file=<path/to/client-ca-file>
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.5
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
audit: "cat $kubeletconf"
tests:
bin_op: or
test_items:
- path: "{.readOnlyPort}"
set: false
- path: "{.readOnlyPort}"
compare:
op: eq
value: "0"
set: true
remediation: |
If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.6
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
audit: "cat $kubeletconf"
tests:
bin_op: or
test_items:
- path: "{.streamingConnectionIdleTimeout}"
set: false
- path: "{.streamingConnectionIdleTimeout}"
compare:
op: noteq
value: 0
set: true
remediation: |
If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
value other than 0.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--streaming-connection-idle-timeout=5m
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.7
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.protectKernelDefaults}"
compare:
op: eq
value: true
set: true
remediation: |
If using a Kubelet config file, edit the file to set protectKernelDefaults: true .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.8
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
audit: "cat $kubeletconf"
tests:
bin_op: or
test_items:
- path: "{.makeIPTablesUtilChains}"
set: false
- path: "{.makeIPTablesUtilChains}"
compare:
op: eq
value: true
set: true
remediation: |
If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
remove the --make-iptables-util-chains argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.9
text: "Ensure that the --hostname-override argument is not set (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.hostnameOverride}"
set: false
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and remove the --hostname-override argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.10
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.eventRecordQPS}"
compare:
op: eq
value: 0
set: true
remediation: |
If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--event-qps=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.11
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit: "cat $kubeletconf"
tests:
bin_op: and
test_items:
- path: "{.tlsCertFile}"
set: true
- path: "{.tlsPrivateKeyFile}"
set: true
remediation: |
If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
corresponding private key file.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
--tls-cert-file=<path/to/tls-certificate-file>
file=<path/to/tls-key-file>
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.12
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
audit: "cat $kubeletconf"
tests:
bin_op: or
test_items:
- path: "{.cadvisorPort}"
compare:
op: eq
value: 0
set: true
- path: "{.cadvisorPort}"
set: false
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
--cadvisor-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.13
text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
audit: "cat $kubeletconf"
tests:
bin_op: or
test_items:
- path: "{.rotateCertificates}"
set: false
- path: "{.rotateCertificates}"
compare:
op: noteq
value: "false"
set: true
remediation: |
If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
If using command line arguments, edit the kubelet service file $kubeletsvc
on each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.14
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.featureGates.RotateKubeletServerCertificate}"
compare:
op: eq
value: true
set: true
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
--feature-gates=RotateKubeletServerCertificate=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.15
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.tlsCipherSuites}"
compare:
op: eq
value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
set: true
remediation: |
If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
If using executable arguments, edit the kubelet service file $kubeletconf on each worker node and set the below parameter.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
scored: false
- id: 2.2
text: "Configuration Files"
checks:
- id: 2.2.1
text: "Ensure that the kubelet.conf file permissions are set to 644 or
more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 644 $kubeletkubeconfig
scored: true
- id: 2.2.2
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'"
tests:
test_items:
- flag: "root:root"
compare:
op: eq
value: root:root
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root $kubeletkubeconfig
scored: true
- id: 2.2.3
text: "Ensure that the kubelet service file permissions are set to 644 or
more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: 644
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 755 $kubeletsvc
scored: true
- id: 2.2.4
text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'"
tests:
test_items:
- flag: "root:root"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root $kubeletsvc
scored: true
- id: 2.2.5
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 644 $proxykubeconfig
scored: true
- id: 2.2.6
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'"
tests:
test_items:
- flag: "root:root"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root $proxykubeconfig
scored: true
- id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)"
type: manual
remediation: |
Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>
scored: true
- id: 2.2.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
type: manual
remediation: |
Run the following command to modify the ownership of the --client-ca-file .
chown root:root <filename>
scored: true
- id: 2.2.9
text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
tests:
test_items:
- flag: "root:root"
set: true
remediation: |
Run the following command (using the config file location identied in the Audit step)
chown root:root $kubeletconf
scored: true
- id: 2.2.10
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the following command (using the config file location identied in the Audit step)
chmod 644 $kubeletconf
scored: true

12
cfg/1.11/config.yaml
View File

@ -9,15 +9,27 @@
master: master:
apiserver: apiserver:
confs:
- /etc/kubernetes/manifests/kube-apiserver.yaml
- /etc/kubernetes/manifests/kube-apiserver.manifest
defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml
scheduler: scheduler:
confs:
- /etc/kubernetes/manifests/kube-scheduler.yaml
- /etc/kubernetes/manifests/kube-scheduler.manifest
defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
controllermanager: controllermanager:
confs:
- /etc/kubernetes/manifests/kube-controller-manager.yaml
- /etc/kubernetes/manifests/kube-controller-manager.manifest
defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
etcd: etcd:
confs:
- /etc/kubernetes/manifests/etcd.yaml
- /etc/kubernetes/manifests/etcd.manifest
defaultconf: /etc/kubernetes/manifests/etcd.yaml defaultconf: /etc/kubernetes/manifests/etcd.yaml
node: node:

4
cfg/1.11/master.yaml
View File

@ -1201,8 +1201,8 @@ groups:
test_items: test_items:
- flag: "--client-cert-auth" - flag: "--client-cert-auth"
compare: compare:
op: eq op: noteq
value: true value: false
set: true set: true
remediation: | remediation: |
Edit the etcd pod specification file $etcdconf on the master Edit the etcd pod specification file $etcdconf on the master

12
cfg/1.13/config.yaml
View File

@ -9,15 +9,27 @@
master: master:
apiserver: apiserver:
confs:
- /etc/kubernetes/manifests/kube-apiserver.yaml
- /etc/kubernetes/manifests/kube-apiserver.manifest
defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml
scheduler: scheduler:
confs:
- /etc/kubernetes/manifests/kube-scheduler.yaml
- /etc/kubernetes/manifests/kube-scheduler.manifest
defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
controllermanager: controllermanager:
confs:
- /etc/kubernetes/manifests/kube-controller-manager.yaml
- /etc/kubernetes/manifests/kube-controller-manager.manifest
defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
etcd: etcd:
confs:
- /etc/kubernetes/manifests/etcd.yaml
- /etc/kubernetes/manifests/etcd.manifest
defaultconf: /etc/kubernetes/manifests/etcd.yaml defaultconf: /etc/kubernetes/manifests/etcd.yaml
node: node:

492
cfg/ocp-3.10/master.yaml
View File

File diff suppressed because it is too large Load Diff

98
cfg/ocp-3.10/node.yaml
View File

@ -4,21 +4,21 @@ id: 2
text: "Worker Node Security Configuration" text: "Worker Node Security Configuration"
type: "node" type: "node"
groups: groups:
- id: 2.1 - id: 7
text: "Kubelet" text: "Kubelet"
checks: checks:
- id: 2.1.1 - id: 7.1
text: "Ensure that the --allow-privileged argument is set to false (Scored)" text: "Use Security Context Constraints to manage privileged containers as needed"
type: "skip" type: "skip"
scored: true scored: true
- id: 2.1.2 - id: 7.2
text: "Ensure that the --anonymous-auth argument is set to false (Scored)" text: "Ensure anonymous-auth is not disabled"
type: "skip" type: "skip"
scored: true scored: true
- id: 2.1.3 - id: 7.3
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" text: "Verify that the --authorization-mode argument is set to WebHook"
audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml" audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
@ -35,8 +35,8 @@ groups:
kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook". kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook".
scored: true scored: true
- id: 2.1.4 - id: 7.4
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" text: "Verify the OpenShift default for the client-ca-file argument"
audit: "grep -A1 client-ca-file /etc/origin/node/node-config.yaml" audit: "grep -A1 client-ca-file /etc/origin/node/node-config.yaml"
tests: tests:
test_items: test_items:
@ -51,8 +51,8 @@ groups:
The config file does not have this defined in kubeletArgument, but in PodManifestConfig. The config file does not have this defined in kubeletArgument, but in PodManifestConfig.
scored: true scored: true
- id: 2.1.5 - id: 7.5
text: "Ensure that the --read-only-port argument is set to 0 (Scored)" text: "Verify the OpenShift default setting for the read-only-port argument"
audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml" audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
@ -68,15 +68,15 @@ groups:
Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied. Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied.
scored: true scored: true
- id: 2.1.6 - id: 7.6
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" text: "Adjust the streaming-connection-idle-timeout argument"
audit: "grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml" audit: "grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "streaming-connection-idle-timeout" - flag: "streaming-connection-idle-timeout"
set: false set: false
- flag: "0" - flag: "5m"
set: false set: false
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout
@ -87,13 +87,13 @@ groups:
   - "5m"    - "5m"
scored: true scored: true
- id: 2.1.7 - id: 7.7
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" text: "Verify the OpenShift defaults for the protect-kernel-defaults argument"
type: "skip" type: "skip"
scored: true scored: true
- id: 2.1.8 - id: 7.8
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)" text: "Verify the OpenShift default value of true for the make-iptables-util-chains argument"
audit: "grep -A1 make-iptables-util-chains /etc/origin/node/node-config.yaml" audit: "grep -A1 make-iptables-util-chains /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
@ -110,8 +110,8 @@ groups:
default value of true. default value of true.
scored: true scored: true
id: 2.1.9 - id: 7.9
text: "Ensure that the --keep-terminated-pod-volumeskeep-terminated-pod-volumes argument is set to false (Scored)" text: "Verify that the --keep-terminated-pod-volumes argument is set to false"
audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml" audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml"
tests: tests:
test_items: test_items:
@ -124,13 +124,13 @@ groups:
Reset to the OpenShift defaults Reset to the OpenShift defaults
scored: true scored: true
- id: 2.1.10 - id: 7.10
text: "Ensure that the --hostname-override argument is not set (Scored)" text: "Verify the OpenShift defaults for the hostname-override argument"
type: "skip" type: "skip"
scored: true scored: true
- id: 2.1.11 - id: 7.11
text: "Ensure that the --event-qps argument is set to 0 (Scored)" text: "Set the --event-qps argument to 0"
audit: "grep -A1 event-qps /etc/origin/node/node-config.yaml" audit: "grep -A1 event-qps /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
@ -147,8 +147,8 @@ groups:
the kubeletArguments section of. the kubeletArguments section of.
scored: true scored: true
- id: 2.1.12 - id: 7.12
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" text: "Verify the OpenShift cert-dir flag for HTTPS traffic"
audit: "grep -A1 cert-dir /etc/origin/node/node-config.yaml" audit: "grep -A1 cert-dir /etc/origin/node/node-config.yaml"
tests: tests:
test_items: test_items:
@ -161,8 +161,8 @@ groups:
Reset to the OpenShift default values. Reset to the OpenShift default values.
scored: true scored: true
- id: 2.1.13 - id: 7.13
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)" text: "Verify the OpenShift default of 0 for the cadvisor-port argument"
audit: "grep -A1 cadvisor-port /etc/origin/node/node-config.yaml" audit: "grep -A1 cadvisor-port /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
@ -179,8 +179,8 @@ groups:
if it is set in the kubeletArguments section. if it is set in the kubeletArguments section.
scored: true scored: true
- id: 2.1.14 - id: 7.14
text: "Ensure that the RotateKubeletClientCertificate argument is not set to false (Scored)" text: "Verify that the RotateKubeletClientCertificate argument is set to true"
audit: "grep -B1 RotateKubeletClientCertificate=true /etc/origin/node/node-config.yaml" audit: "grep -B1 RotateKubeletClientCertificate=true /etc/origin/node/node-config.yaml"
tests: tests:
test_items: test_items:
@ -193,8 +193,8 @@ groups:
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true. Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true.
scored: true scored: true
- id: 2.1.15 - id: 7.15
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" text: "Verify that the RotateKubeletServerCertificate argument is set to true"
audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml" audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml"
test: test:
test_items: test_items:
@ -208,11 +208,11 @@ groups:
scored: true scored: true
- id: 2.2 - id: 8
text: "Configuration Files" text: "Configuration Files"
checks: checks:
- id: 2.2.1 - id: 8.1
text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)" text: "Verify the OpenShift default permissions for the kubelet.conf file"
audit: "stat -c %a /etc/origin/node/node.kubeconfig" audit: "stat -c %a /etc/origin/node/node.kubeconfig"
tests: tests:
bin_op: or bin_op: or
@ -237,8 +237,8 @@ groups:
chmod 644 /etc/origin/node/node.kubeconfig chmod 644 /etc/origin/node/node.kubeconfig
scored: true scored: true
- id: 2.2.2 - id: 8.2
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)" text: "Verify the kubeconfig file ownership of root:root"
audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig" audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
tests: tests:
test_items: test_items:
@ -252,8 +252,8 @@ groups:
chown root:root /etc/origin/node/node.kubeconfig chown root:root /etc/origin/node/node.kubeconfig
scored: true scored: true
- id: 2.2.3 - id: 8.3
text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)" text: "Verify the kubelet service file permissions of 644"
audit: "stat -c %a /etc/systemd/system/atomic-openshift-node.service" audit: "stat -c %a /etc/systemd/system/atomic-openshift-node.service"
tests: tests:
bin_op: or bin_op: or
@ -278,8 +278,8 @@ groups:
chmod 644 /etc/systemd/system/atomic-openshift-node.service chmod 644 /etc/systemd/system/atomic-openshift-node.service
scored: true scored: true
- id: 2.2.4 - id: 8.4
text: "Ensure that the kubelet service file ownership is set to root:root (Scored)" text: "Verify the kubelet service file ownership of root:root"
audit: "stat -c %U:%G /etc/systemd/system/atomic-openshift-node.service" audit: "stat -c %U:%G /etc/systemd/system/atomic-openshift-node.service"
tests: tests:
test_items: test_items:
@ -293,8 +293,8 @@ groups:
chown root:root /etc/systemd/system/atomic-openshift-node.service chown root:root /etc/systemd/system/atomic-openshift-node.service
scored: true scored: true
- id: 2.2.5 - id: 8.5
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)" text: "Verify the OpenShift default permissions for the proxy kubeconfig file"
audit: "stat -c %a /etc/origin/node/node.kubeconfig" audit: "stat -c %a /etc/origin/node/node.kubeconfig"
tests: tests:
bin_op: or bin_op: or
@ -319,8 +319,8 @@ groups:
chmod 644 /etc/origin/node/node.kubeconfig chmod 644 /etc/origin/node/node.kubeconfig
scored: true scored: true
- id: 2.2.6 - id: 8.6
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)" text: "Verify the proxy kubeconfig file ownership of root:root"
audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig" audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
tests: tests:
test_items: test_items:
@ -334,8 +334,8 @@ groups:
chown root:root /etc/origin/node/node.kubeconfig chown root:root /etc/origin/node/node.kubeconfig
scored: true scored: true
- id: 2.2.7 - id: 8.7
text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)" text: "Verify the OpenShift default permissions for the certificate authorities file."
audit: "stat -c %a /etc/origin/node/client-ca.crt" audit: "stat -c %a /etc/origin/node/client-ca.crt"
tests: tests:
bin_op: or bin_op: or
@ -360,8 +360,8 @@ groups:
chmod 644 /etc/origin/node/client-ca.crt chmod 644 /etc/origin/node/client-ca.crt
scored: true scored: true
- id: 2.2.8 - id: 8.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)" text: "Verify the client certificate authorities file ownership of root:root"
audit: "stat -c %U:%G /etc/origin/node/client-ca.crt" audit: "stat -c %U:%G /etc/origin/node/client-ca.crt"
tests: tests:
test_items: test_items:

34
check/check.go
View File

@ -36,11 +36,11 @@ const (
// PASS check passed. // PASS check passed.
PASS State = "PASS" PASS State = "PASS"
// FAIL check failed. // FAIL check failed.
FAIL = "FAIL" FAIL State = "FAIL"
// WARN could not carry out check. // WARN could not carry out check.
WARN = "WARN" WARN State = "WARN"
// INFO informational message // INFO informational message
INFO = "INFO" INFO State = "INFO"
// MASTER a master node // MASTER a master node
MASTER NodeType = "master" MASTER NodeType = "master"
@ -74,20 +74,37 @@ type Check struct {
Scored bool `json:"scored"` Scored bool `json:"scored"`
} }
// Runner wraps the basic Run method.
type Runner interface {
// Run runs a given check and returns the execution state.
Run(c *Check) State
}
// NewRunner constructs a default Runner.
func NewRunner() Runner {
return &defaultRunner{}
}
type defaultRunner struct{}
func (r *defaultRunner) Run(c *Check) State {
return c.run()
}
// Run executes the audit commands specified in a check and outputs // Run executes the audit commands specified in a check and outputs
// the results. // the results.
func (c *Check) Run() { func (c *Check) run() State {
// If check type is skip, force result to INFO // If check type is skip, force result to INFO
if c.Type == "skip" { if c.Type == "skip" {
c.State = INFO c.State = INFO
return return c.State
} }
// If check type is manual or the check is not scored, force result to WARN // If check type is manual or the check is not scored, force result to WARN
if c.Type == "manual" || !c.Scored { if c.Type == "manual" || !c.Scored {
c.State = WARN c.State = WARN
return return c.State
} }
var out bytes.Buffer var out bytes.Buffer
@ -97,7 +114,7 @@ func (c *Check) Run() {
for _, cmd := range c.Commands { for _, cmd := range c.Commands {
if !isShellCommand(cmd.Path) { if !isShellCommand(cmd.Path) {
c.State = WARN c.State = WARN
return return c.State
} }
} }
@ -106,7 +123,7 @@ func (c *Check) Run() {
if n == 0 { if n == 0 {
// Likely a warning message. // Likely a warning message.
c.State = WARN c.State = WARN
return return c.State
} }
// Each command runs, // Each command runs,
@ -188,6 +205,7 @@ func (c *Check) Run() {
if errmsgs != "" { if errmsgs != "" {
glog.V(2).Info(errmsgs) glog.V(2).Info(errmsgs)
} }
return c.State
} }
// textToCommand transforms an input text representation of commands to be // textToCommand transforms an input text representation of commands to be

16
check/check_test.go
View File

@ -1,3 +1,17 @@
// Copyright © 2017-2019 Aqua Security Software Ltd. <info@aquasec.com>
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package check package check
import ( import (
@ -21,7 +35,7 @@ func TestCheck_Run(t *testing.T) {
for _, testCase := range testCases { for _, testCase := range testCases {
testCase.check.Run() testCase.check.run()
if testCase.check.State != testCase.Expected { if testCase.check.State != testCase.Expected {
t.Errorf("test failed, expected %s, actual %s\n", testCase.Expected, testCase.check.State) t.Errorf("test failed, expected %s, actual %s\n", testCase.Expected, testCase.check.State)

134
check/controls.go
View File

@ -17,8 +17,8 @@ package check
import ( import (
"encoding/json" "encoding/json"
"fmt" "fmt"
"github.com/golang/glog"
yaml "gopkg.in/yaml.v2" "gopkg.in/yaml.v2"
) )
// Controls holds all controls to check for master nodes. // Controls holds all controls to check for master nodes.
@ -50,6 +50,9 @@ type Summary struct {
Info int `json:"total_info"` Info int `json:"total_info"`
} }
// Predicate a predicate on the given Group and Check arguments.
type Predicate func(group *Group, check *Check) bool
// NewControls instantiates a new master Controls object. // NewControls instantiates a new master Controls object.
func NewControls(t NodeType, in []byte) (*Controls, error) { func NewControls(t NodeType, in []byte) (*Controls, error) {
c := new(Controls) c := new(Controls)
@ -73,76 +76,44 @@ func NewControls(t NodeType, in []byte) (*Controls, error) {
return c, nil return c, nil
} }
// RunGroup runs all checks in a group. // RunChecks runs the checks with the given Runner. Only checks for which the filter Predicate returns `true` will run.
func (controls *Controls) RunGroup(gids ...string) Summary { func (controls *Controls) RunChecks(runner Runner, filter Predicate) Summary {
g := []*Group{} var g []*Group
controls.Summary.Pass, controls.Summary.Fail, controls.Summary.Warn, controls.Info = 0, 0, 0, 0
// If no groupid is passed run all group checks.
if len(gids) == 0 {
gids = controls.getAllGroupIDs()
}
for _, group := range controls.Groups {
for _, gid := range gids {
if gid == group.ID {
for _, check := range group.Checks {
check.Run()
check.TestInfo = append(check.TestInfo, check.Remediation)
summarize(controls, check)
summarizeGroup(group, check)
}
g = append(g, group)
}
}
}
controls.Groups = g
return controls.Summary
}
// RunChecks runs the checks with the supplied IDs.
func (controls *Controls) RunChecks(ids ...string) Summary {
g := []*Group{}
m := make(map[string]*Group) m := make(map[string]*Group)
controls.Summary.Pass, controls.Summary.Fail, controls.Summary.Warn, controls.Info = 0, 0, 0, 0 controls.Summary.Pass, controls.Summary.Fail, controls.Summary.Warn, controls.Info = 0, 0, 0, 0
// If no groupid is passed run all group checks.
if len(ids) == 0 {
ids = controls.getAllCheckIDs()
}
for _, group := range controls.Groups { for _, group := range controls.Groups {
for _, check := range group.Checks { for _, check := range group.Checks {
for _, id := range ids {
if id == check.ID {
check.Run()
check.TestInfo = append(check.TestInfo, check.Remediation)
summarize(controls, check)
// Check if we have already added this checks group. if !filter(group, check) {
if v, ok := m[group.ID]; !ok { continue
// Create a group with same info
w := &Group{
ID: group.ID,
Text: group.Text,
Checks: []*Check{},
}
// Add this check to the new group
w.Checks = append(w.Checks, check)
// Add to groups we have visited.
m[w.ID] = w
g = append(g, w)
} else {
v.Checks = append(v.Checks, check)
}
}
} }
state := runner.Run(check)
check.TestInfo = append(check.TestInfo, check.Remediation)
// Check if we have already added this checks group.
if v, ok := m[group.ID]; !ok {
// Create a group with same info
w := &Group{
ID: group.ID,
Text: group.Text,
Checks: []*Check{},
}
// Add this check to the new group
w.Checks = append(w.Checks, check)
summarizeGroup(w, state)
// Add to groups we have visited.
m[w.ID] = w
g = append(g, w)
} else {
v.Checks = append(v.Checks, check)
summarizeGroup(v, state)
}
summarize(controls, state)
} }
} }
@ -155,29 +126,8 @@ func (controls *Controls) JSON() ([]byte, error) {
return json.Marshal(controls) return json.Marshal(controls)
} }
func (controls *Controls) getAllGroupIDs() []string { func summarize(controls *Controls, state State) {
var ids []string switch state {
for _, group := range controls.Groups {
ids = append(ids, group.ID)
}
return ids
}
func (controls *Controls) getAllCheckIDs() []string {
var ids []string
for _, group := range controls.Groups {
for _, check := range group.Checks {
ids = append(ids, check.ID)
}
}
return ids
}
func summarize(controls *Controls, check *Check) {
switch check.State {
case PASS: case PASS:
controls.Summary.Pass++ controls.Summary.Pass++
case FAIL: case FAIL:
@ -186,11 +136,13 @@ func summarize(controls *Controls, check *Check) {
controls.Summary.Warn++ controls.Summary.Warn++
case INFO: case INFO:
controls.Summary.Info++ controls.Summary.Info++
default:
glog.Warningf("Unrecognized state %s", state)
} }
} }
func summarizeGroup(group *Group, check *Check) { func summarizeGroup(group *Group, state State) {
switch check.State { switch state {
case PASS: case PASS:
group.Pass++ group.Pass++
case FAIL: case FAIL:
@ -199,5 +151,7 @@ func summarizeGroup(group *Group, check *Check) {
group.Warn++ group.Warn++
case INFO: case INFO:
group.Info++ group.Info++
default:
glog.Warningf("Unrecognized state %s", state)
} }
} }

146
check/controls_test.go
View File

@ -1,41 +1,151 @@
// Copyright © 2017-2019 Aqua Security Software Ltd. <info@aquasec.com>
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package check package check
import ( import (
"io/ioutil" "io/ioutil"
"os"
"path/filepath"
"testing" "testing"
yaml "gopkg.in/yaml.v2" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/mock"
"gopkg.in/yaml.v2"
) )
const cfgDir = "../cfg/" const cfgDir = "../cfg/"
type mockRunner struct {
mock.Mock
}
func (m *mockRunner) Run(c *Check) State {
args := m.Called(c)
return args.Get(0).(State)
}
// validate that the files we're shipping are valid YAML // validate that the files we're shipping are valid YAML
func TestYamlFiles(t *testing.T) { func TestYamlFiles(t *testing.T) {
// TODO: make this list dynamic err := filepath.Walk(cfgDir, func(path string, info os.FileInfo, err error) error {
dirs := []string{"1.6/", "1.7/"}
for _, dir := range dirs {
dir = cfgDir + dir
files, err := ioutil.ReadDir(dir)
if err != nil { if err != nil {
t.Fatalf("error reading %s directory: %v", dir, err) t.Fatalf("failure accessing path %q: %v\n", path, err)
} }
if !info.IsDir() {
for _, file := range files { t.Logf("reading file: %s", path)
in, err := ioutil.ReadFile(path)
fileName := file.Name()
in, err := ioutil.ReadFile(dir + fileName)
if err != nil { if err != nil {
t.Fatalf("error opening file %s: %v", fileName, err) t.Fatalf("error opening file %s: %v", path, err)
} }
c := new(Controls) c := new(Controls)
err = yaml.Unmarshal(in, c) err = yaml.Unmarshal(in, c)
if err != nil { if err == nil {
t.Fatalf("failed to load YAML from %s: %v", fileName, err) t.Logf("YAML file successfully unmarshalled: %s", path)
} else {
t.Fatalf("failed to load YAML from %s: %v", path, err)
} }
} }
return nil
})
if err != nil {
t.Fatalf("failure walking cfg dir: %v\n", err)
} }
} }
func TestNewControls(t *testing.T) {
t.Run("Should return error when node type is not specified", func(t *testing.T) {
// given
in := []byte(`
---
controls:
type: # not specified
groups:
`)
// when
_, err := NewControls(MASTER, in)
// then
assert.EqualError(t, err, "non-master controls file specified")
})
t.Run("Should return error when input YAML is invalid", func(t *testing.T) {
// given
in := []byte("BOOM")
// when
_, err := NewControls(MASTER, in)
// then
assert.EqualError(t, err, "failed to unmarshal YAML: yaml: unmarshal errors:\n line 1: cannot unmarshal !!str `BOOM` into check.Controls")
})
}
func TestControls_RunChecks(t *testing.T) {
t.Run("Should run checks matching the filter and update summaries", func(t *testing.T) {
// given
runner := new(mockRunner)
// and
in := []byte(`
---
type: "master"
groups:
- id: G1
checks:
- id: G1/C1
- id: G2
checks:
- id: G2/C1
`)
// and
controls, _ := NewControls(MASTER, in)
// and
runner.On("Run", controls.Groups[0].Checks[0]).Return(PASS)
runner.On("Run", controls.Groups[1].Checks[0]).Return(FAIL)
// and
var runAll Predicate = func(group *Group, c *Check) bool {
return true
}
// when
controls.RunChecks(runner, runAll)
// then
assert.Equal(t, 2, len(controls.Groups))
// and
G1 := controls.Groups[0]
assert.Equal(t, "G1", G1.ID)
assert.Equal(t, "G1/C1", G1.Checks[0].ID)
assertEqualGroupSummary(t, 1, 0, 0, 0, G1)
// and
G2 := controls.Groups[1]
assert.Equal(t, "G2", G2.ID)
assert.Equal(t, "G2/C1", G2.Checks[0].ID)
assertEqualGroupSummary(t, 0, 1, 0, 0, G2)
// and
assert.Equal(t, 1, controls.Summary.Pass)
assert.Equal(t, 1, controls.Summary.Fail)
assert.Equal(t, 0, controls.Summary.Info)
assert.Equal(t, 0, controls.Summary.Warn)
// and
runner.AssertExpectations(t)
})
}
func assertEqualGroupSummary(t *testing.T, pass, fail, info, warn int, actual *Group) {
t.Helper()
assert.Equal(t, pass, actual.Pass)
assert.Equal(t, fail, actual.Fail)
assert.Equal(t, info, actual.Info)
assert.Equal(t, warn, actual.Warn)
}

132
check/data
View File

@ -157,7 +157,6 @@ groups:
value: Something value: Something
set: true set: true
- id: 14 - id: 14
text: "check that flag some-arg is set to some-val with ':' separator" text: "check that flag some-arg is set to some-val with ':' separator"
tests: tests:
@ -167,3 +166,134 @@ groups:
op: eq op: eq
value: some-val value: some-val
set: true set: true
- id: 15
text: "jsonpath correct value on field"
tests:
test_items:
- path: "{.readOnlyPort}"
compare:
op: eq
value: 15000
set: true
- path: "{.readOnlyPort}"
compare:
op: gte
value: 15000
set: true
- path: "{.readOnlyPort}"
compare:
op: lte
value: 15000
set: true
- id: 16
text: "jsonpath correct case-sensitive value on string field"
tests:
test_items:
- path: "{.stringValue}"
compare:
op: noteq
value: "None"
set: true
- path: "{.stringValue}"
compare:
op: noteq
value: "webhook,Something,RBAC"
set: true
- path: "{.stringValue}"
compare:
op: eq
value: "WebHook,Something,RBAC"
set: true
- id: 17
text: "jsonpath correct value on boolean field"
tests:
test_items:
- path: "{.trueValue}"
compare:
op: noteq
value: somethingElse
set: true
- path: "{.trueValue}"
compare:
op: noteq
value: false
set: true
- path: "{.trueValue}"
compare:
op: eq
value: true
set: true
- id: 18
text: "jsonpath field absent"
tests:
test_items:
- path: "{.notARealField}"
set: false
- id: 19
text: "jsonpath correct value on nested field"
tests:
test_items:
- path: "{.authentication.anonymous.enabled}"
compare:
op: eq
value: "false"
set: true
- id: 20
text: "yamlpath correct value on field"
tests:
test_items:
- path: "{.readOnlyPort}"
compare:
op: gt
value: 14999
set: true
- id: 21
text: "yamlpath field absent"
tests:
test_items:
- path: "{.fieldThatIsUnset}"
set: false
- id: 22
text: "yamlpath correct value on nested field"
tests:
test_items:
- path: "{.authentication.anonymous.enabled}"
compare:
op: eq
value: "false"
set: true
- id: 23
text: "path on invalid json"
tests:
test_items:
- path: "{.authentication.anonymous.enabled}"
compare:
op: eq
value: "false"
set: true
- id: 24
text: "path with broken expression"
tests:
test_items:
- path: "{.missingClosingBrace"
set: true
- id: 25
text: "yamlpath on invalid yaml"
tests:
test_items:
- path: "{.authentication.anonymous.enabled}"
compare:
op: eq
value: "false"
set: true

86
check/test.go
View File

@ -15,11 +15,16 @@
package check package check
import ( import (
"bytes"
"encoding/json"
"fmt" "fmt"
"os" "os"
"regexp" "regexp"
"strconv" "strconv"
"strings" "strings"
yaml "gopkg.in/yaml.v2"
"k8s.io/client-go/util/jsonpath"
) )
// test: // test:
@ -38,6 +43,7 @@ const (
type testItem struct { type testItem struct {
Flag string Flag string
Path string
Output string Output string
Value string Value string
Set bool Set bool
@ -54,33 +60,79 @@ type testOutput struct {
actualResult string actualResult string
} }
func failTestItem(s string) *testOutput {
return &testOutput{testResult: false, actualResult: s}
}
func (t *testItem) execute(s string) *testOutput { func (t *testItem) execute(s string) *testOutput {
result := &testOutput{} result := &testOutput{}
match := strings.Contains(s, t.Flag) var match bool
var flagVal string
if t.Flag != "" {
// Flag comparison: check if the flag is present in the input
match = strings.Contains(s, t.Flag)
} else {
// Path != "" - we don't know whether it's YAML or JSON but
// we can just try one then the other
buf := new(bytes.Buffer)
var jsonInterface interface{}
if t.Path != "" {
err := json.Unmarshal([]byte(s), &jsonInterface)
if err != nil {
err := yaml.Unmarshal([]byte(s), &jsonInterface)
if err != nil {
fmt.Fprintf(os.Stderr, "failed to load YAML or JSON from provided input \"%s\": %v\n", s, err)
return failTestItem("failed to load YAML or JSON")
}
}
}
// Parse the jsonpath/yamlpath expression...
j := jsonpath.New("jsonpath")
j.AllowMissingKeys(true)
err := j.Parse(t.Path)
if err != nil {
fmt.Fprintf(os.Stderr, "unable to parse path expression \"%s\": %v\n", t.Path, err)
return failTestItem("unable to parse path expression")
}
err = j.Execute(buf, jsonInterface)
if err != nil {
fmt.Fprintf(os.Stderr, "error executing path expression \"%s\": %v\n", t.Path, err)
return failTestItem("error executing path expression")
}
jsonpathResult := fmt.Sprintf("%s", buf)
match = (jsonpathResult != "")
flagVal = jsonpathResult
}
if t.Set { if t.Set {
var flagVal string
isset := match isset := match
if isset && t.Compare.Op != "" { if isset && t.Compare.Op != "" {
// Expects flags in the form; if t.Flag != "" {
// --flag=somevalue // Expects flags in the form;
// --flag // --flag=somevalue
// somevalue // flag: somevalue
//pttn := `(` + t.Flag + `)(=)*([^\s,]*) *` // --flag
pttn := `(` + t.Flag + `)(=|: *)*([^\s]*) *` // somevalue
flagRe := regexp.MustCompile(pttn) pttn := `(` + t.Flag + `)(=|: *)*([^\s]*) *`
vals := flagRe.FindStringSubmatch(s) flagRe := regexp.MustCompile(pttn)
vals := flagRe.FindStringSubmatch(s)
if len(vals) > 0 { if len(vals) > 0 {
if vals[3] != "" { if vals[3] != "" {
flagVal = vals[3] flagVal = vals[3]
} else {
flagVal = vals[1]
}
} else { } else {
flagVal = vals[1] fmt.Fprintf(os.Stderr, "invalid flag in testitem definition")
os.Exit(1)
} }
} else {
fmt.Fprintf(os.Stderr, "invalid flag in testitem definition")
os.Exit(1)
} }
result.actualResult = strings.ToLower(flagVal) result.actualResult = strings.ToLower(flagVal)

60
check/test_test.go
View File

@ -120,6 +120,38 @@ func TestTestExecute(t *testing.T) {
controls.Groups[0].Checks[14], controls.Groups[0].Checks[14],
"2:45 kube-apiserver some-arg:some-val --admission-control=Something ---audit-log-maxage=40", "2:45 kube-apiserver some-arg:some-val --admission-control=Something ---audit-log-maxage=40",
}, },
{
controls.Groups[0].Checks[15],
"{\"readOnlyPort\": 15000}",
},
{
controls.Groups[0].Checks[16],
"{\"stringValue\": \"WebHook,Something,RBAC\"}",
},
{
controls.Groups[0].Checks[17],
"{\"trueValue\": true}",
},
{
controls.Groups[0].Checks[18],
"{\"readOnlyPort\": 15000}",
},
{
controls.Groups[0].Checks[19],
"{\"authentication\": { \"anonymous\": {\"enabled\": false}}}",
},
{
controls.Groups[0].Checks[20],
"readOnlyPort: 15000",
},
{
controls.Groups[0].Checks[21],
"readOnlyPort: 15000",
},
{
controls.Groups[0].Checks[22],
"authentication:\n anonymous:\n enabled: false",
},
} }
for _, c := range cases { for _, c := range cases {
@ -129,3 +161,31 @@ func TestTestExecute(t *testing.T) {
} }
} }
} }
func TestTestExecuteExceptions(t *testing.T) {
cases := []struct {
*Check
str string
}{
{
controls.Groups[0].Checks[23],
"this is not valid json {} at all",
},
{
controls.Groups[0].Checks[24],
"{\"key\": \"value\"}",
},
{
controls.Groups[0].Checks[25],
"broken } yaml\nenabled: true",
},
}
for _, c := range cases {
res := c.Tests.execute(c.str).testResult
if res {
t.Errorf("%s, expected:%v, got:%v\n", c.Text, false, res)
}
}
}

64
cmd/common.go
View File

@ -25,9 +25,40 @@ import (
"github.com/spf13/viper" "github.com/spf13/viper"
) )
var ( // NewRunFilter constructs a Predicate based on FilterOpts which determines whether tested Checks should be run or not.
errmsgs string func NewRunFilter(opts FilterOpts) (check.Predicate, error) {
)
if opts.CheckList != "" && opts.GroupList != "" {
return nil, fmt.Errorf("group option and check option can't be used together")
}
var groupIDs map[string]bool
if opts.GroupList != "" {
groupIDs = cleanIDs(opts.GroupList)
}
var checkIDs map[string]bool
if opts.CheckList != "" {
checkIDs = cleanIDs(opts.CheckList)
}
return func(g *check.Group, c *check.Check) bool {
var test = true
if len(groupIDs) > 0 {
_, ok := groupIDs[g.ID]
test = test && ok
}
if len(checkIDs) > 0 {
_, ok := checkIDs[c.ID]
test = test && ok
}
test = test && (opts.Scored && c.Scored || opts.Unscored && !c.Scored)
return test
}, nil
}
func runChecks(nodetype check.NodeType) { func runChecks(nodetype check.NodeType) {
var summary check.Summary var summary check.Summary
@ -40,7 +71,7 @@ func runChecks(nodetype check.NodeType) {
glog.V(1).Info(fmt.Sprintf("Using benchmark file: %s\n", def)) glog.V(1).Info(fmt.Sprintf("Using benchmark file: %s\n", def))
// Get the set of exectuables and config files we care about on this type of node. // Get the set of executables and config files we care about on this type of node.
typeConf := viper.Sub(string(nodetype)) typeConf := viper.Sub(string(nodetype))
binmap, err := getBinaries(typeConf) binmap, err := getBinaries(typeConf)
@ -65,18 +96,14 @@ func runChecks(nodetype check.NodeType) {
exitWithError(fmt.Errorf("error setting up %s controls: %v", nodetype, err)) exitWithError(fmt.Errorf("error setting up %s controls: %v", nodetype, err))
} }
if groupList != "" && checkList == "" { runner := check.NewRunner()
ids := cleanIDs(groupList) filter, err := NewRunFilter(filterOpts)
summary = controls.RunGroup(ids...) if err != nil {
} else if checkList != "" && groupList == "" { exitWithError(fmt.Errorf("error setting up run filter: %v", err))
ids := cleanIDs(checkList)
summary = controls.RunChecks(ids...)
} else if checkList != "" && groupList != "" {
exitWithError(fmt.Errorf("group option and check option can't be used together"))
} else {
summary = controls.RunGroup()
} }
summary = controls.RunChecks(runner, filter)
// if we successfully ran some tests and it's json format, ignore the warnings // if we successfully ran some tests and it's json format, ignore the warnings
if (summary.Fail > 0 || summary.Warn > 0 || summary.Pass > 0 || summary.Info > 0) && jsonFmt { if (summary.Fail > 0 || summary.Warn > 0 || summary.Pass > 0 || summary.Info > 0) && jsonFmt {
out, err := controls.JSON() out, err := controls.JSON()
@ -199,12 +226,17 @@ func loadConfig(nodetype check.NodeType) string {
// isMaster verify if master components are running on the node. // isMaster verify if master components are running on the node.
func isMaster() bool { func isMaster() bool {
_ = loadConfig(check.MASTER)
glog.V(2).Info("Checking if the current node is running master components") glog.V(2).Info("Checking if the current node is running master components")
masterConf := viper.Sub(string(check.MASTER)) masterConf := viper.Sub(string(check.MASTER))
if _, err := getBinaries(masterConf); err != nil { components, err := getBinaries(masterConf)
if err != nil {
glog.V(2).Info(err) glog.V(2).Info(err)
return false return false
} }
if len(components) == 0 {
glog.V(2).Info("No master binaries specified")
return false
}
return true return true
} }

112
cmd/common_test.go Normal file
View File

@ -0,0 +1,112 @@
// Copyright © 2017-2019 Aqua Security Software Ltd. <info@aquasec.com>
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package cmd
import (
"github.com/aquasecurity/kube-bench/check"
"github.com/stretchr/testify/assert"
"testing"
)
func TestNewRunFilter(t *testing.T) {
type TestCase struct {
Name string
FilterOpts FilterOpts
Group *check.Group
Check *check.Check
Expected bool
}
testCases := []TestCase{
{
Name: "Should return true when scored flag is enabled and check is scored",
FilterOpts: FilterOpts{Scored: true, Unscored: false},
Group: &check.Group{},
Check: &check.Check{Scored: true},
Expected: true,
},
{
Name: "Should return false when scored flag is enabled and check is not scored",
FilterOpts: FilterOpts{Scored: true, Unscored: false},
Group: &check.Group{},
Check: &check.Check{Scored: false},
Expected: false,
},
{
Name: "Should return true when unscored flag is enabled and check is not scored",
FilterOpts: FilterOpts{Scored: false, Unscored: true},
Group: &check.Group{},
Check: &check.Check{Scored: false},
Expected: true,
},
{
Name: "Should return false when unscored flag is enabled and check is scored",
FilterOpts: FilterOpts{Scored: false, Unscored: true},
Group: &check.Group{},
Check: &check.Check{Scored: true},
Expected: false,
},
{
Name: "Should return true when group flag contains group's ID",
FilterOpts: FilterOpts{Scored: true, Unscored: true, GroupList: "G1,G2,G3"},
Group: &check.Group{ID: "G2"},
Check: &check.Check{},
Expected: true,
},
{
Name: "Should return false when group flag doesn't contain group's ID",
FilterOpts: FilterOpts{GroupList: "G1,G3"},
Group: &check.Group{ID: "G2"},
Check: &check.Check{},
Expected: false,
},
{
Name: "Should return true when check flag contains check's ID",
FilterOpts: FilterOpts{Scored: true, Unscored: true, CheckList: "C1,C2,C3"},
Group: &check.Group{},
Check: &check.Check{ID: "C2"},
Expected: true,
},
{
Name: "Should return false when check flag doesn't contain check's ID",
FilterOpts: FilterOpts{CheckList: "C1,C3"},
Group: &check.Group{},
Check: &check.Check{ID: "C2"},
Expected: false,
},
}
for _, testCase := range testCases {
t.Run(testCase.Name, func(t *testing.T) {
filter, _ := NewRunFilter(testCase.FilterOpts)
assert.Equal(t, testCase.Expected, filter(testCase.Group, testCase.Check))
})
}
t.Run("Should return error when both group and check flags are used", func(t *testing.T) {
// given
opts := FilterOpts{GroupList: "G1", CheckList: "C1"}
// when
_, err := NewRunFilter(opts)
// then
assert.EqualError(t, err, "group option and check option can't be used together")
})
}

16
cmd/root.go
View File

@ -25,6 +25,13 @@ import (
"github.com/spf13/viper" "github.com/spf13/viper"
) )
type FilterOpts struct {
CheckList string
GroupList string
Scored bool
Unscored bool
}
var ( var (
envVarsPrefix = "KUBE_BENCH" envVarsPrefix = "KUBE_BENCH"
defaultKubeVersion = "1.6" defaultKubeVersion = "1.6"
@ -33,14 +40,13 @@ var (
cfgDir string cfgDir string
jsonFmt bool jsonFmt bool
pgSQL bool pgSQL bool
checkList string
groupList string
masterFile = "master.yaml" masterFile = "master.yaml"
nodeFile = "node.yaml" nodeFile = "node.yaml"
federatedFile string federatedFile string
noResults bool noResults bool
noSummary bool noSummary bool
noRemediations bool noRemediations bool
filterOpts FilterOpts
) )
// RootCmd represents the base command when called without any subcommands // RootCmd represents the base command when called without any subcommands
@ -79,16 +85,18 @@ func init() {
RootCmd.PersistentFlags().BoolVar(&noRemediations, "noremediations", false, "Disable printing of remediations section") RootCmd.PersistentFlags().BoolVar(&noRemediations, "noremediations", false, "Disable printing of remediations section")
RootCmd.PersistentFlags().BoolVar(&jsonFmt, "json", false, "Prints the results as JSON") RootCmd.PersistentFlags().BoolVar(&jsonFmt, "json", false, "Prints the results as JSON")
RootCmd.PersistentFlags().BoolVar(&pgSQL, "pgsql", false, "Save the results to PostgreSQL") RootCmd.PersistentFlags().BoolVar(&pgSQL, "pgsql", false, "Save the results to PostgreSQL")
RootCmd.PersistentFlags().BoolVar(&filterOpts.Scored, "scored", true, "Run the scored CIS checks")
RootCmd.PersistentFlags().BoolVar(&filterOpts.Unscored, "unscored", true, "Run the unscored CIS checks")
RootCmd.PersistentFlags().StringVarP( RootCmd.PersistentFlags().StringVarP(
&checkList, &filterOpts.CheckList,
"check", "check",
"c", "c",
"", "",
`A comma-delimited list of checks to run as specified in CIS document. Example --check="1.1.1,1.1.2"`, `A comma-delimited list of checks to run as specified in CIS document. Example --check="1.1.1,1.1.2"`,
) )
RootCmd.PersistentFlags().StringVarP( RootCmd.PersistentFlags().StringVarP(
&groupList, &filterOpts.GroupList,
"group", "group",
"g", "g",
"", "",

7
cmd/util.go
View File

@ -50,15 +50,18 @@ func continueWithError(err error, msg string) string {
return "" return ""
} }
func cleanIDs(list string) []string { func cleanIDs(list string) map[string]bool {
list = strings.Trim(list, ",") list = strings.Trim(list, ",")
ids := strings.Split(list, ",") ids := strings.Split(list, ",")
set := make(map[string]bool)
for _, id := range ids { for _, id := range ids {
id = strings.Trim(id, " ") id = strings.Trim(id, " ")
set[id] = true
} }
return ids return set
} }
// ps execs out to the ps command; it's separated into a function so we can write tests // ps execs out to the ps command; it's separated into a function so we can write tests

34
job-eks.yaml Normal file
View File

@ -0,0 +1,34 @@
apiVersion: batch/v1
kind: Job
metadata:
name: kube-bench
spec:
template:
spec:
hostPID: true
containers:
- name: kube-bench
# Push the image to your ECR and then refer to it here
image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
command: ["kube-bench", "--version", "1.11-json"]
volumeMounts:
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
- name: etc-systemd
mountPath: /etc/systemd
- name: etc-kubernetes
mountPath: /etc/kubernetes
restartPolicy: Never
volumes:
- name: var-lib-kubelet
hostPath:
path: "/var/lib/kubelet"
- name: etc-systemd
hostPath:
path: "/etc/systemd"
- name: etc-kubernetes
hostPath:
path: "/etc/kubernetes"
- name: usr-bin
hostPath:
path: "/usr/bin"