1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-22 14:48:07 +00:00

Merge branch 'master' into issue-25

This commit is contained in:
Abubakr-Sadik Nii Nai Davis 2017-08-12 19:05:48 +00:00
commit dddea28713
9 changed files with 336 additions and 115 deletions

3
OWNERS Normal file
View File

@ -0,0 +1,3 @@
approvers:
- lizrice
- jerbia

View File

@ -29,7 +29,7 @@ installation:
conf:
apiserver: /etc/kubernetes/apiserver
scheduler: /etc/kubernetes/scheduler
controller-manager: /etc/kubernetes/apiserver
controller-manager: /etc/kubernetes/controller-manager
node:
bin:
kubelet: kubelet

View File

@ -479,19 +479,14 @@ groups:
parameter to \"--experimental-encryption-provider-config=</path/to/EncryptionConfig/File>\""
scored: true
# TODO: provide flag to WARN of manual tasks which we can't automate.
- id: 1.1.35
text: "Ensure that the encryption provider is set to aescbc (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "requires manual intervention"
set: true
type: "manual"
remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
choose aescbc as the encryption provider"
scored: true
- id: 1.2
text: "Scheduler"
checks:
@ -573,7 +568,13 @@ groups:
KUBE_CONTROLLER_MANAGER_ARGS parameter to include --root-ca-file=<file>"
scored: true
# TODO: 1.3.6 is manual, provide way to WARN
- id: 1.3.6
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the
KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include
\"--feature-gates=RotateKubeletServerCertificate=true\""
scored: false
- id: 1.3.7
text: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
@ -751,6 +752,20 @@ groups:
chmod 700 /var/lib/etcd/default.etcd"
scored: true
- id: 1.4.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G"
tests:
test_items:
- flag: "etcd:etcd"
set: true
remediation: "On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
from the below command:\n
ps -ef | grep etcd\n
Run the below command (based on the etcd data directory found above). For example,\n
chown etcd:etcd /var/lib/etcd/default.etcd"
scored: true
- id: 1.5
text: "etcd"
checks:
@ -893,3 +908,65 @@ groups:
remediation: "Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service."
scored: false
- id: 1.6
text: "General Security Primitives"
checks:
- id: 1.6.1
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual"
remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
scored: false
- id: 1.6.2
text: "Create Pod Security Policies for your cluster (Not Scored)"
type: "manual"
remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
suggested Pod Security Policies for your environment."
scored: false
- id: 1.6.3
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual"
remediation: "Follow the documentation and create namespaces for objects in your deployment as you
need them."
scored: false
- id: 1.6.4
text: "Create network segmentation using Network Policies (Not Scored)"
type: "manual"
remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
scored: false
- id: 1.6.5
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
type: "manual"
remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing \"--feature-
gates=AllAlpha=true\" argument.\n
Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
parameter to \"--feature-gates=AllAlpha=true\"
KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\""
scored: false
- id: 1.6.6
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers."
scored: false
- id: 1.6.7
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual"
remediation: "Follow the Kubernetes documentation and setup image provenance."
scored: false
- id: 1.6.8
text: "Configure Network policies as appropriate (Not Scored)"
type: "manual"
remediation: "Follow the Kubernetes documentation and setup network policies as appropriate."
scored: false

View File

@ -18,10 +18,11 @@ import (
"bytes"
"fmt"
"io"
"os"
"os/exec"
"regexp"
"strings"
"github.com/golang/glog"
)
// NodeType indicates the type of node (master, node, federated).
@ -61,6 +62,7 @@ type Check struct {
ID string `yaml:"id" json:"id"`
Text string
Audit string `json:"omit"`
Type string `json:"type"`
Commands []*exec.Cmd `json:"omit"`
Tests *tests `json:"omit"`
Set bool `json:"omit"`
@ -70,7 +72,13 @@ type Check struct {
// Run executes the audit commands specified in a check and outputs
// the results.
func (c *Check) Run(verbose bool) {
func (c *Check) Run() {
// If check type is manual, force result to WARN.
if c.Type == "manual" {
c.State = WARN
return
}
var out bytes.Buffer
var errmsgs string
@ -147,9 +155,7 @@ func (c *Check) Run(verbose bool) {
i++
}
if verbose && errmsgs != "" {
fmt.Fprintf(os.Stderr, "%s\n", errmsgs)
}
glog.V(2).Info("%s\n", errmsgs)
res := c.Tests.execute(out.String())
if res {

View File

@ -68,7 +68,7 @@ func NewControls(t NodeType, in []byte) (*Controls, error) {
}
// RunGroup runs all checks in a group.
func (controls *Controls) RunGroup(verbose bool, gids ...string) Summary {
func (controls *Controls) RunGroup(gids ...string) Summary {
g := []*Group{}
controls.Summary.Pass, controls.Summary.Fail, controls.Summary.Warn = 0, 0, 0
@ -82,7 +82,7 @@ func (controls *Controls) RunGroup(verbose bool, gids ...string) Summary {
for _, gid := range gids {
if gid == group.ID {
for _, check := range group.Checks {
check.Run(verbose)
check.Run()
summarize(controls, check)
}
@ -96,7 +96,7 @@ func (controls *Controls) RunGroup(verbose bool, gids ...string) Summary {
}
// RunChecks runs the checks with the supplied IDs.
func (controls *Controls) RunChecks(verbose bool, ids ...string) Summary {
func (controls *Controls) RunChecks(ids ...string) Summary {
g := []*Group{}
m := make(map[string]*Group)
controls.Summary.Pass, controls.Summary.Fail, controls.Summary.Warn = 0, 0, 0
@ -110,7 +110,7 @@ func (controls *Controls) RunChecks(verbose bool, ids ...string) Summary {
for _, check := range group.Checks {
for _, id := range ids {
if id == check.ID {
check.Run(verbose)
check.Run()
summarize(controls, check)
// Check if we have already added this checks group.

View File

@ -17,7 +17,6 @@ package cmd
import (
"fmt"
"io/ioutil"
"os"
"strings"
"github.com/aquasecurity/kube-bench/check"
@ -46,7 +45,8 @@ var (
errmsgs string
// TODO: Consider specifying this in config file.
kubeVersion = "1.7.0"
kubeMajorVersion = "1"
kubeMinorVersion = "7"
)
func runChecks(t check.NodeType) {
@ -59,7 +59,7 @@ func runChecks(t check.NodeType) {
schedulerBin = viper.GetString("installation." + installation + ".master.bin.scheduler")
schedulerConf = viper.GetString("installation." + installation + ".master.conf.scheduler")
controllerManagerBin = viper.GetString("installation." + installation + ".master.bin.controller-manager")
controllerManagerConf = viper.GetString("installation." + installation + ".master.conf.controler-manager")
controllerManagerConf = viper.GetString("installation." + installation + ".master.conf.controller-manager")
config = viper.GetString("installation." + installation + ".config")
etcdBin = viper.GetString("etcd.bin")
@ -78,7 +78,8 @@ func runChecks(t check.NodeType) {
fedControllerManagerBin = viper.GetString("installation." + installation + ".federated.bin.controller-manager")
// Run kubernetes installation validation checks.
warns := verifyNodeType(t)
verifyKubeVersion(kubeMajorVersion, kubeMinorVersion)
verifyNodeType(t)
switch t {
case check.MASTER:
@ -91,8 +92,7 @@ func runChecks(t check.NodeType) {
in, err := ioutil.ReadFile(file)
if err != nil {
fmt.Fprintf(os.Stderr, "error opening %s controls file: %v\n", t, err)
os.Exit(1)
exitWithError(fmt.Errorf("error opening %s controls file: %v", t, err))
}
// Variable substitutions. Replace all occurrences of variables in controls files.
@ -102,7 +102,6 @@ func runChecks(t check.NodeType) {
s = strings.Replace(s, "$schedulerconf", schedulerConf, -1)
s = strings.Replace(s, "$controllermanagerbin", controllerManagerBin, -1)
s = strings.Replace(s, "$controllermanagerconf", controllerManagerConf, -1)
s = strings.Replace(s, "$controllermanagerconf", controllerManagerConf, -1)
s = strings.Replace(s, "$config", config, -1)
s = strings.Replace(s, "$etcdbin", etcdBin, -1)
@ -120,63 +119,47 @@ func runChecks(t check.NodeType) {
controls, err := check.NewControls(t, []byte(s))
if err != nil {
fmt.Fprintf(os.Stderr, "error setting up %s controls: %v\n", t, err)
os.Exit(1)
exitWithError(fmt.Errorf("error setting up %s controls: %v", t, err))
}
if groupList != "" && checkList == "" {
ids := cleanIDs(groupList)
summary = controls.RunGroup(verbose, ids...)
summary = controls.RunGroup(ids...)
} else if checkList != "" && groupList == "" {
ids := cleanIDs(checkList)
summary = controls.RunChecks(verbose, ids...)
summary = controls.RunChecks(ids...)
} else if checkList != "" && groupList != "" {
fmt.Fprintf(os.Stderr, "group option and check option can't be used together\n")
os.Exit(1)
exitWithError(fmt.Errorf("group option and check option can't be used together"))
} else {
summary = controls.RunGroup(verbose)
summary = controls.RunGroup()
}
// if we successfully ran some tests and it's json format, ignore the warnings
if (summary.Fail > 0 || summary.Warn > 0 || summary.Pass > 0) && jsonFmt {
out, err := controls.JSON()
if err != nil {
fmt.Fprintf(os.Stderr, "failed to output in JSON format: %v\n", err)
os.Exit(1)
exitWithError(fmt.Errorf("failed to output in JSON format: %v", err))
}
fmt.Println(string(out))
} else {
prettyPrint(warns, controls, summary)
prettyPrint(controls, summary)
}
}
// verifyNodeType checks the executables and config files are as expected
// for the specified tests (master, node or federated).
func verifyNodeType(t check.NodeType) []string {
var w []string
// Always clear out error messages.
errmsgs = ""
func verifyNodeType(t check.NodeType) {
switch t {
case check.MASTER:
w = append(w, verifyBin(apiserverBin, schedulerBin, controllerManagerBin)...)
w = append(w, verifyConf(apiserverConf, schedulerConf, controllerManagerConf)...)
w = append(w, verifyKubeVersion(apiserverBin)...)
verifyBin(apiserverBin, schedulerBin, controllerManagerBin)
verifyConf(apiserverConf, schedulerConf, controllerManagerConf)
case check.NODE:
w = append(w, verifyBin(kubeletBin, proxyBin)...)
w = append(w, verifyConf(kubeletConf, proxyConf)...)
w = append(w, verifyKubeVersion(kubeletBin)...)
verifyBin(kubeletBin, proxyBin)
verifyConf(kubeletConf, proxyConf)
case check.FEDERATED:
w = append(w, verifyBin(fedApiserverBin, fedControllerManagerBin)...)
w = append(w, verifyKubeVersion(fedApiserverBin)...)
verifyBin(fedApiserverBin, fedControllerManagerBin)
}
if verbose {
fmt.Fprintf(os.Stderr, "%s\n", errmsgs)
}
return w
}
// colorPrint outputs the state in a specific colour, along with a message string
@ -186,13 +169,9 @@ func colorPrint(state check.State, s string) {
}
// prettyPrint outputs the results to stdout in human-readable format
func prettyPrint(warnings []string, r *check.Controls, summary check.Summary) {
func prettyPrint(r *check.Controls, summary check.Summary) {
colorPrint(check.INFO, fmt.Sprintf("Using config file: %s\n", viper.ConfigFileUsed()))
for _, w := range warnings {
colorPrint(check.WARN, w)
}
colorPrint(check.INFO, fmt.Sprintf("%s %s\n", r.ID, r.Text))
for _, g := range r.Groups {
colorPrint(check.INFO, fmt.Sprintf("%s %s\n", g.ID, g.Text))

View File

@ -15,6 +15,7 @@
package cmd
import (
goflag "flag"
"fmt"
"os"
@ -34,11 +35,12 @@ var (
nodeFile string
federatedFile string
loud bool
kubeConfDir string
etcdConfDir string
flanneldConfDir string
verbose bool
installation string
)
@ -52,6 +54,9 @@ var RootCmd = &cobra.Command{
// Execute adds all child commands to the root command sets flags appropriately.
// This is called by main.main(). It only needs to happen once to the rootCmd.
func Execute() {
goflag.Set("logtostderr", "true")
goflag.CommandLine.Parse([]string{})
if err := RootCmd.Execute(); err != nil {
fmt.Println(err)
os.Exit(-1)
@ -83,7 +88,11 @@ func init() {
`Run all the checks under this comma-delimited list of groups. Example --group="1.1"`,
)
RootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "config file (default is ./cfg/config.yaml)")
RootCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "verbose output (default false)")
goflag.CommandLine.VisitAll(func(goflag *goflag.Flag) {
RootCmd.PersistentFlags().AddGoFlag(goflag)
})
}
// initConfig reads in config file and ENV variables if set.
@ -103,5 +112,4 @@ func initConfig() {
colorPrint(check.FAIL, fmt.Sprintf("Failed to read config file: %v\n", err))
os.Exit(1)
}
}

View File

@ -4,10 +4,12 @@ import (
"fmt"
"os"
"os/exec"
"regexp"
"strings"
"github.com/aquasecurity/kube-bench/check"
"github.com/fatih/color"
"github.com/golang/glog"
)
var (
@ -20,11 +22,35 @@ var (
}
)
func handleError(err error, context string) (errmsg string) {
func printlnWarn(msg string) {
fmt.Fprintf(os.Stderr, "[%s] %s\n",
colors[check.WARN].Sprintf("%s", check.WARN),
msg,
)
}
func sprintlnWarn(msg string) string {
return fmt.Sprintf("[%s] %s",
colors[check.WARN].Sprintf("%s", check.WARN),
msg,
)
}
func exitWithError(err error) {
fmt.Fprintf(os.Stderr, "\n%v\n", err)
os.Exit(1)
}
func continueWithError(err error, msg string) string {
if err != nil {
errmsg = fmt.Sprintf("%s, error: %s\n", context, err)
glog.V(1).Info(err)
}
return
if msg != "" {
fmt.Fprintf(os.Stderr, "%s\n", msg)
}
return ""
}
func cleanIDs(list string) []string {
@ -38,76 +64,121 @@ func cleanIDs(list string) []string {
return ids
}
func verifyConf(confPath ...string) []string {
var w []string
func verifyConf(confPath ...string) {
var missing string
for _, c := range confPath {
if _, err := os.Stat(c); err != nil && os.IsNotExist(err) {
w = append(w, fmt.Sprintf("config file %s does not exist\n", c))
continueWithError(err, "")
missing += c + ", "
}
}
return w
if len(missing) > 0 {
missing = strings.Trim(missing, ", ")
printlnWarn(fmt.Sprintf("Missing kubernetes config files: %s", missing))
}
}
func verifyBin(binPath ...string) []string {
var w []string
var binList string
func verifyBin(binPath ...string) {
var binSlice []string
var bin string
var missing string
var notRunning string
// Construct proc name for ps(1)
for _, b := range binPath {
binList += b + ","
_, err := exec.LookPath(b)
errmsgs += handleError(
err,
fmt.Sprintf("%s: command not found in path", b),
)
bin = bin + "," + b
binSlice = append(binSlice, b)
if err != nil {
missing += b + ", "
continueWithError(err, "")
}
}
bin = strings.Trim(bin, ",")
cmd := exec.Command("ps", "-C", bin, "-o", "cmd", "--no-headers")
out, err := cmd.Output()
if err != nil {
continueWithError(fmt.Errorf("%s: %s", cmd.Args, err), "")
}
binList = strings.Trim(binList, ",")
// Run ps command
cmd := exec.Command("ps", "-C", binList, "-o", "cmd", "--no-headers")
out, err := cmd.Output()
errmsgs += handleError(
err,
fmt.Sprintf("failed to run: %s", cmd.Args),
)
// Actual verification
for _, b := range binPath {
for _, b := range binSlice {
matched := strings.Contains(string(out), b)
if !matched {
w = append(w, fmt.Sprintf("%s is not running\n", b))
notRunning += b + ", "
}
}
return w
}
func verifyKubeVersion(b string) []string {
// These executables might not be on the user's path.
// TODO! Check the version number using kubectl, which is more likely to be on the path.
var w []string
_, err := exec.LookPath(b)
errmsgs += handleError(
err,
fmt.Sprintf("%s: command not found on path - version check skipped", b),
)
// Check version
cmd := exec.Command(b, "--version")
out, err := cmd.Output()
errmsgs += handleError(
err,
fmt.Sprintf("failed to run:%s", cmd.Args),
)
matched := strings.Contains(string(out), kubeVersion)
if !matched {
w = append(w, fmt.Sprintf("%s unsupported version\n", b))
if len(missing) > 0 {
missing = strings.Trim(missing, ", ")
printlnWarn(fmt.Sprintf("Missing kubernetes binaries: %s", missing))
}
return w
if len(notRunning) > 0 {
notRunning = strings.Trim(notRunning, ", ")
printlnWarn(fmt.Sprintf("Kubernetes binaries not running: %s", notRunning))
}
}
func verifyKubeVersion(major string, minor string) {
// These executables might not be on the user's path.
_, err := exec.LookPath("kubectl")
if err != nil {
continueWithError(err, sprintlnWarn("Kubernetes version check skipped"))
return
}
cmd := exec.Command("kubectl", "version")
out, err := cmd.Output()
if err != nil {
s := fmt.Sprintf("Kubernetes version check skipped with error %v", err)
continueWithError(err, sprintlnWarn(s))
return
}
msg := checkVersion("Client", string(out), major, minor)
if msg != "" {
continueWithError(fmt.Errorf(msg), msg)
}
msg = checkVersion("Server", string(out), major, minor)
if msg != "" {
continueWithError(fmt.Errorf(msg), msg)
}
}
var regexVersionMajor = regexp.MustCompile("Major:\"([0-9]+)\"")
var regexVersionMinor = regexp.MustCompile("Minor:\"([0-9]+)\"")
func checkVersion(x string, s string, expMajor string, expMinor string) string {
regexVersion, err := regexp.Compile(x + " Version: version.Info{(.*)}")
if err != nil {
return fmt.Sprintf("Error checking Kubernetes version: %v", err)
}
ss := regexVersion.FindString(s)
major := versionMatch(regexVersionMajor, ss)
minor := versionMatch(regexVersionMinor, ss)
if major == "" || minor == "" {
return fmt.Sprintf("Couldn't find %s version from kubectl output '%s'", x, s)
}
if major != expMajor || minor != expMinor {
return fmt.Sprintf("Unexpected %s version %s.%s", x, major, minor)
}
return ""
}
func versionMatch(r *regexp.Regexp, s string) string {
match := r.FindStringSubmatch(s)
if len(match) < 2 {
return ""
}
return match[1]
}

77
cmd/util_test.go Normal file
View File

@ -0,0 +1,77 @@
// Copyright © 2017 Aqua Security Software Ltd. <info@aquasec.com>
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package cmd
import (
"regexp"
"testing"
)
func TestCheckVersion(t *testing.T) {
kubeoutput := `Client Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.0", GitCommit:"d3ada0119e776222f11ec7945e6d860061339aad", GitTreeState:"clean", BuildDate:"2017-06-30T09:51:01Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.0", GitCommit:"d3ada0119e776222f11ec7945e6d860061339aad", GitTreeState:"clean", BuildDate:"2017-07-26T00:12:31Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}`
cases := []struct {
t string
s string
major string
minor string
exp string
}{
{t: "Client", s: kubeoutput, major: "1", minor: "7"},
{t: "Server", s: kubeoutput, major: "1", minor: "7"},
{t: "Client", s: kubeoutput, major: "1", minor: "6", exp: "Unexpected Client version 1.7"},
{t: "Client", s: kubeoutput, major: "2", minor: "0", exp: "Unexpected Client version 1.7"},
{t: "Server", s: "something unexpected", major: "2", minor: "0", exp: "Couldn't find Server version from kubectl output 'something unexpected'"},
}
for _, c := range cases {
t.Run("", func(t *testing.T) {
m := checkVersion(c.t, c.s, c.major, c.minor)
if m != c.exp {
t.Fatalf("Got: %s, expected: %s", m, c.exp)
}
})
}
}
func TestVersionMatch(t *testing.T) {
minor := regexVersionMinor
major := regexVersionMajor
client := `Client Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.0", GitCommit:"d3ada0119e776222f11ec7945e6d860061339aad", GitTreeState:"clean", BuildDate:"2017-06-30T09:51:01Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"darwin/amd64"}`
server := `Server Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.0", GitCommit:"d3ada0119e776222f11ec7945e6d860061339aad", GitTreeState:"clean", BuildDate:"2017-07-26T00:12:31Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}`
cases := []struct {
r *regexp.Regexp
s string
exp string
}{
{r: major, s: server, exp: "1"},
{r: minor, s: server, exp: "7"},
{r: major, s: client, exp: "1"},
{r: minor, s: client, exp: "7"},
{r: major, s: "Some unexpected string"},
{r: minor}, // Checking that we don't fall over if the string is empty
}
for _, c := range cases {
t.Run("", func(t *testing.T) {
m := versionMatch(c.r, c.s)
if m != c.exp {
t.Fatalf("Got %s expected %s", m, c.exp)
}
})
}
}