mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-19 13:18:07 +00:00
Merge branch 'master' into feature/json-config
This commit is contained in:
commit
c887794807
33
README.md
33
README.md
@ -13,7 +13,17 @@ Tests are configured with YAML files, making this tool easy to update as test sp
|
||||
|
||||
## CIS Kubernetes Benchmark support
|
||||
|
||||
kube-bench supports the tests for multiple versions of Kubernetes (1.6, 1.7, 1.8, and 1.11) as defined in the CIS Benchmarks 1.0.0, 1.1.0, 1.2.0, and 1.3.0 respectively. It will determine the test set to run based on the Kubernetes version running on the machine.
|
||||
kube-bench supports the tests for Kubernetes as defined in the CIS Benchmarks 1.0.0 to 1.4.0 respectively.
|
||||
|
||||
| CIS Kubernetes Benchmark | kube-bench config | Kubernetes versions |
|
||||
|---|---|---|
|
||||
| 1.0.0| 1.6 | 1.6 |
|
||||
| 1.1.0| 1.7 | 1.7 |
|
||||
| 1.2.0| 1.8 | 1.8-1.10 |
|
||||
| 1.3.0| 1.11 | 1.11-1.12 |
|
||||
| 1.4.0| 1.13 | 1.13- |
|
||||
|
||||
By default kube-bench will determine the test set to run based on the Kubernetes version running on the machine.
|
||||
|
||||
## Installation
|
||||
|
||||
@ -114,6 +124,13 @@ For each type of node (*master*, *node* or *federated*) there is a list of compo
|
||||
* **confs** - If one of the listed config files is found, this will be considered for the test. Tests can continue even if no config file is found. If no file is found at any of the listed locations, and a *defaultconf* location is given for the component, the test will give remediation advice using the *defaultconf* location.
|
||||
* **unitfiles** - From version 1.2.0 of the benchmark (tests for Kubernetes 1.8), the remediation instructions were updated to assume that kubelet configuration is defined in a service file, and this setting defines where to look for that configuration.
|
||||
|
||||
## Output
|
||||
|
||||
There are three output states
|
||||
- [PASS] and [FAIL] indicate that a test was run successfully, and it either passed or failed
|
||||
- [WARN] means this test needs further attention, for example it is a test that needs to be run manually
|
||||
- [INFO] is informational output that needs no further action.
|
||||
|
||||
## Test config YAML representation
|
||||
The tests are represented as YAML documents (installed by default into ./cfg).
|
||||
|
||||
@ -146,6 +163,20 @@ Recommendations (called `checks` in this document) can run on Kubernetes Master,
|
||||
Checks are organized into `groups` which share similar controls (things to check for) and are grouped together in the section of the CIS Kubernetes document.
|
||||
These groups are further organized under `controls` which can be of the type `master`, `node` or `federated apiserver` to reflect the various Kubernetes node types.
|
||||
|
||||
### Omitting checks
|
||||
|
||||
If you decide that a recommendation is not appropriate for your environment, you can choose to omit it by editing the test YAML file to give it the check type `skip` as in this example:
|
||||
|
||||
```yaml
|
||||
checks:
|
||||
- id: 2.1.1
|
||||
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
```
|
||||
|
||||
No tests will be run for this check and the output will be marked [INFO].
|
||||
|
||||
## Tests
|
||||
Tests are the items we actually look for to determine if a check is successful or not. Checks can have multiple tests, which must all be successful for the check to pass.
|
||||
|
||||
|
@ -366,7 +366,10 @@ groups:
|
||||
text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "--service-account-lookup"
|
||||
set: false
|
||||
- flag: "--service-account-lookup"
|
||||
compare:
|
||||
op: eq
|
||||
@ -1213,7 +1216,7 @@ groups:
|
||||
scored: true
|
||||
|
||||
- id: 1.4.21
|
||||
text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)"
|
||||
text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Scored)"
|
||||
audit: "stat -c %n\ %a /etc/kubernetes/pki/*.key"
|
||||
type: "manual"
|
||||
tests:
|
||||
|
@ -166,6 +166,8 @@ func (c *Check) Run() {
|
||||
i++
|
||||
}
|
||||
|
||||
glog.V(3).Info(out.String())
|
||||
|
||||
finalOutput := c.Tests.execute(out.String())
|
||||
if finalOutput != nil {
|
||||
c.ActualValue = finalOutput.actualResult
|
||||
|
30
check/data
30
check/data
@ -158,6 +158,16 @@ groups:
|
||||
set: true
|
||||
|
||||
- id: 14
|
||||
text: "check that flag some-arg is set to some-val with ':' separator"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "some-arg"
|
||||
compare:
|
||||
op: eq
|
||||
value: some-val
|
||||
set: true
|
||||
|
||||
- id: 15
|
||||
text: "jsonpath correct value on field"
|
||||
tests:
|
||||
test_items:
|
||||
@ -177,7 +187,7 @@ groups:
|
||||
value: 15000
|
||||
set: true
|
||||
|
||||
- id: 15
|
||||
- id: 16
|
||||
text: "jsonpath correct case-sensitive value on string field"
|
||||
tests:
|
||||
test_items:
|
||||
@ -197,7 +207,7 @@ groups:
|
||||
value: "WebHook,Something,RBAC"
|
||||
set: true
|
||||
|
||||
- id: 16
|
||||
- id: 17
|
||||
text: "jsonpath correct value on boolean field"
|
||||
tests:
|
||||
test_items:
|
||||
@ -217,14 +227,14 @@ groups:
|
||||
value: true
|
||||
set: true
|
||||
|
||||
- id: 17
|
||||
- id: 18
|
||||
text: "jsonpath field absent"
|
||||
tests:
|
||||
test_items:
|
||||
- jsonpath: "{.notARealField}"
|
||||
set: false
|
||||
|
||||
- id: 18
|
||||
- id: 19
|
||||
text: "jsonpath correct value on nested field"
|
||||
tests:
|
||||
test_items:
|
||||
@ -234,7 +244,7 @@ groups:
|
||||
value: "false"
|
||||
set: true
|
||||
|
||||
- id: 19
|
||||
- id: 20
|
||||
text: "yamlpath correct value on field"
|
||||
tests:
|
||||
test_items:
|
||||
@ -244,14 +254,14 @@ groups:
|
||||
value: 14999
|
||||
set: true
|
||||
|
||||
- id: 20
|
||||
- id: 21
|
||||
text: "yamlpath field absent"
|
||||
tests:
|
||||
test_items:
|
||||
- yamlpath: "{.fieldThatIsUnset}"
|
||||
set: false
|
||||
|
||||
- id: 21
|
||||
- id: 22
|
||||
text: "yamlpath correct value on nested field"
|
||||
tests:
|
||||
test_items:
|
||||
@ -261,7 +271,7 @@ groups:
|
||||
value: "false"
|
||||
set: true
|
||||
|
||||
- id: 22
|
||||
- id: 23
|
||||
text: "jsonpath on invalid json"
|
||||
tests:
|
||||
test_items:
|
||||
@ -271,14 +281,14 @@ groups:
|
||||
value: "false"
|
||||
set: true
|
||||
|
||||
- id: 23
|
||||
- id: 24
|
||||
text: "jsonpath with broken expression"
|
||||
tests:
|
||||
test_items:
|
||||
- jsonpath: "{.missingClosingBrace"
|
||||
set: true
|
||||
|
||||
- id: 24
|
||||
- id: 25
|
||||
text: "yamlpath on invalid yaml"
|
||||
tests:
|
||||
test_items:
|
||||
|
@ -123,10 +123,10 @@ func (t *testItem) execute(s string) *testOutput {
|
||||
if t.Flag != "" {
|
||||
// Expects flags in the form;
|
||||
// --flag=somevalue
|
||||
// flag: somevalue
|
||||
// --flag
|
||||
// somevalue
|
||||
//pttn := `(` + t.Flag + `)(=)*([^\s,]*) *`
|
||||
pttn := `(` + t.Flag + `)(=)*([^\s]*) *`
|
||||
pttn := `(` + t.Flag + `)(=|: *)*([^\s]*) *`
|
||||
flagRe := regexp.MustCompile(pttn)
|
||||
vals := flagRe.FindStringSubmatch(s)
|
||||
|
||||
|
@ -111,28 +111,34 @@ func TestTestExecute(t *testing.T) {
|
||||
"2:45 ../kubernetes/kube-apiserver --option --admission-control=Something ---audit-log-maxage=40",
|
||||
},
|
||||
{
|
||||
// check for ':' as argument-value separator, with space between arg and val
|
||||
controls.Groups[0].Checks[14],
|
||||
"{\"readOnlyPort\": 15000}",
|
||||
"2:45 kube-apiserver some-arg: some-val --admission-control=Something ---audit-log-maxage=40",
|
||||
},
|
||||
{
|
||||
// check for ':' as argument-value separator, with no space between arg and val
|
||||
controls.Groups[0].Checks[14],
|
||||
"2:45 kube-apiserver some-arg:some-val --admission-control=Something ---audit-log-maxage=40",
|
||||
},
|
||||
{
|
||||
controls.Groups[0].Checks[15],
|
||||
"{\"stringValue\": \"WebHook,Something,RBAC\"}",
|
||||
"{\"readOnlyPort\": 15000}",
|
||||
},
|
||||
{
|
||||
controls.Groups[0].Checks[16],
|
||||
"{\"trueValue\": true}",
|
||||
"{\"stringValue\": \"WebHook,Something,RBAC\"}",
|
||||
},
|
||||
{
|
||||
controls.Groups[0].Checks[17],
|
||||
"{\"readOnlyPort\": 15000}",
|
||||
"{\"trueValue\": true}",
|
||||
},
|
||||
{
|
||||
controls.Groups[0].Checks[18],
|
||||
"{\"authentication\": { \"anonymous\": {\"enabled\": false}}}",
|
||||
"{\"readOnlyPort\": 15000}",
|
||||
},
|
||||
{
|
||||
controls.Groups[0].Checks[19],
|
||||
"readOnlyPort: 15000",
|
||||
"{\"authentication\": { \"anonymous\": {\"enabled\": false}}}",
|
||||
},
|
||||
{
|
||||
controls.Groups[0].Checks[20],
|
||||
@ -140,6 +146,10 @@ func TestTestExecute(t *testing.T) {
|
||||
},
|
||||
{
|
||||
controls.Groups[0].Checks[21],
|
||||
"readOnlyPort: 15000",
|
||||
},
|
||||
{
|
||||
controls.Groups[0].Checks[22],
|
||||
"authentication:\n anonymous:\n enabled: false",
|
||||
},
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user