Huang Huang
70988356c8
Support config files which use .yml file extension ( #586 )
Co-authored-by: Roberto Rojas <robertojrojas@gmail.com>
4 years ago
Abubakr-Sadik Nii Nai Davis
d988b81540
CIS GKE 1.0.0 benchmark ( #570 )
* Add initial commit for CIS GKE 1.0 benchmark
* Update README with GKE instructions
* Fix YAML linter issues
* Set GKE benchmark k8s version to gke-1.0
* Add tests for gke-1.0
Co-authored-by: Roberto Rojas <robertojrojas@gmail.com>
4 years ago
Thorsten Schifferdecker
237f8cf818
fix small typo ( #592 )
proykubeconfig -> proxykubeconfig
4 years ago
Huang Huang
65fb352e0e
Change to checking `--disable-admission-plugins` for cis-1.4-1.1.27 and cis-1.5-1.2.14 ( #584 )
Fixes #582
4 years ago
LukasAuerbeck
037bb14729
added 444, 440, 400 and 000 file permission checks for all benchmarks ( #563 )
Co-authored-by: Liz Rice <liz@lizrice.com>
4 years ago
mustafa-rean
89f8e454ba
Resolved bug in master.yml for cis-1.5 for the apiserverbin variable name ( #567 )
Co-authored-by: Liz Rice <liz@lizrice.com>
4 years ago
Murali Paluru
48e33d33e5
fix mismatching checks, tests ( #544 )
4 years ago
James Ward
5f34058dc7
Support Linting YAML as part of Travis CI build ( #554 )
* add yamllint command to travis CI
installs and runs a linter across the YAML in the
project to ensure consistency in the written YAML.
this uses yamllint and the default yamllint config with
"truthy" and "line-length" disabled.
* run dos2unix on CRLF files
* YAMLLINT: remove trailing spaces
* YAMLLint: add YAML document start
* YAMLLint: too many spaces around bracket
* YAMLLint: fix indentation
* YAMLLint: remove duplicate key
* YAMLLint: newline at end of file
* YAMLLint: Too few spaces after comma
* YAMLLint: too many spaces after colon
4 years ago
Roberto Rojas
13193d75b0
Fixes Issue #535 ( #537 )
* isEtcd should not run on openshift 3.10/3.11
* adds openssl
* fixed tests
* fixes bugs
* adds isEtcd tests
5 years ago
Huang Huang
4a07f87e6f
Fix remediations about file permission ( #534 )
* Fix remediation of 2.2.3 in cis-1.3
* Fix remediation of 4.1.1 in cis-1.5
5 years ago
Mateus Caruccio
6e1c39237a
Openshift configs ( #526 )
* Adds openshift to autodetect node type
* detect okd node units
5 years ago
Roberto Rojas
af976e6f50
Fixes Issue #494 - add tests for CIS 1.5 ( #530 )
* Initial commit.
* Add master and node config.
* Add section 5 of CIS 1.5.1.
* Split sections into section files
* Fix YAML issues.
* adds target translation
* adds target translation
* adds cis-1.5 mapping
* fixed tests
* fixes are per PR
* fixed integration test
* integration kind test file to appropriate k8s version
* fixed etcd text
* fixed README
* fixed text
* etcd: fixed grep path
* etcd: fixes
* fixed error message bug
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* fixes as per PR review
5 years ago
Huang Huang
7015f4b4b5
Fix remediation of 2.2.3 ( #527 )
5 years ago
Roberto Rojas
9c6d4de860
Issue #421 : Merges PR #422 with master ( #523 )
* Add kubeconfig location of kube-proxy for AKS
* Add job for AKS node
* Automate ca file permission check
* removed job-aks.yaml as other PRs added needed features
* fixed integration test due to merge changes
5 years ago
Liz Rice
d7b5422e8a
Fix detection of encryption-provider-config ( #513 )
Fixes: https://github.com/aquasecurity/kube-bench/issues/420
Signed-off-by: Manuel Rüger <manuel@rueg.eu>
5 years ago
Roberto Rojas
7ca438b618
Fixes Issue 269 - Numbering to use CIS Versions ( #511 )
* starting benchmark flag
* Revert "starting benchmark flag"
This reverts commit 58fc948626.
* fixes issue #269
* add more unit tests
* fix bug
* Update cmd/common.go
Co-Authored-By: Liz Rice <liz@lizrice.com>
* fixes as per PR review
* fixes as per PR review
* adds more tests
* fixed tests
* changes as per PR Review
* changes as per PR Review
* updated README
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* changes are per PR review
5 years ago
mwwolters
8276e521d4
Changed 1.3.3 to check that --use-service-account-credentials isn't set to false, but the flag is set ( #442 )
5 years ago
Roberto Rojas
13fe1cdfb8
Fixes issue #501 : specifying absolute path for both ps and cat ( #508 )
* fixes issue #501
* specify absolute path for ps and cat
5 years ago
Kevin W Monroe
04946a48fb
add snap component paths to default config ( #414 )
5 years ago
Prem Kumar
01ee110ac4
Fix repetitive flags in some ocp-3.11 tests ( #462 )
* fix flag repetition in ocp-3.11/node.yaml
* fix flag repetition in ocp-3.11/master.yaml
5 years ago
Arpit Pandey
ce0137a31a
Fix few typos ( #469 )
5 years ago
Simarpreet Singh
d77eab2234
master.yaml: Add --audit-policy-file check for 1.1.37. ( #440 )
* master.yaml: Add --audit-policy-file check for 1.1.37.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* fix-177: fix line endings
Signed-off-by: Simarpreet Singh <simar@linux.com>
5 years ago
Simarpreet Singh
d12a45bba9
Properly initialize viper library when checking for master components ( #434 )
* common_test: Add a failing test to show the SIGSEGV
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: Go green by fixing isMaster() to instantiate viper
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: Inject a seam for getBinariesFunc to be patched-in.
Also adds additional tests to showcase unhappy behaviors.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common_test: Rename TestIsMaster()
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: init viper with master config
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: Add a pre-check if valid yaml is passed but doesn't include master.
Also adds additional tests to showcase unhappy behaviors.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* mod: Upgrade viper to v1.4.0
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: Refactor node only yaml to a file
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: Log when master components are not found
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common_test: Refactor subtests into a table
Signed-off-by: Simarpreet Singh <simar@linux.com>
5 years ago
Roberto Rojas
a6ee61fd08
Fixes issue #289 : removed versions prior to 1.11 ( #429 )
* removed version prior to 1.11
* removed references to kubernetes versions prior to 1.11
5 years ago
Roberto Rojas
3aa41db166
Issue #353 : Merges JSON and Exec Params files ( #426 )
* starts fixes #353
* new approach to minimize duplications
* applied merged yaml files for v1.11 and v1.13
* yaml files json/params merged
* fixes to remove double quotes from numbers and booleans
* fixed bug
* fixed certificate check
* removed -json files
* changes based on PR review
* Update check/check_test.go
Yay more tests!
Co-Authored-By: Liz Rice <liz@lizrice.com>
* changes as PR review
* fixed bug when scored check is missing tests
* attempt to improve the code
* fixed list breaks
* removes handleError function
* Update check/check.go
Accepting suggested log level.
Co-Authored-By: Liz Rice <liz@lizrice.com>
5 years ago
Roberto Rojas
c22f81610d
removes federated ( #431 )
5 years ago
yoavrotems
89afda1f63
Add [Manual test] to remediation in all the manual tests ( #435 )
5 years ago
Simarpreet Singh
37f626dce6
cfg: Make proxy checks optional ( #436 )
Signed-off-by: Simarpreet Singh <simar@linux.com>
5 years ago
Roberto Rojas
41e0ae77de
changes to use the "op: valid_elements" operation to manage list of items ( #402 )
5 years ago
yoavrotems
ea9089bd42
update the yaml according ( #410 )
The update is from the new cis version 1.4.1.
as was done in https://github.com/aquasecurity/kube-bench/issues/370
5 years ago
Roberto Rojas
ec3b1076c0
Fixes issue #407 ( #409 )
* fixes issue #407
* fixes issue #407
5 years ago
Roberto Rojas
13dfa15ad6
Fixes Issue #396 - Replaces $kubeletconf for $kubeletsvc ( #399 )
* fixes issue #396
* reverts remediation text change
* changes to 1.11-json and 1.13-json as per PR review
* Tiny typo
5 years ago
Liz Rice
a2466da4b0
Correct 1.1.13 to match CIS spec ( #406 )
Text should say Not Scored
5 years ago
Roberto Rojas
7a53806863
fixes issue #346 by explicitly only checking read-only property ( #404 )
5 years ago
yoavrotems
4b5a877f1f
Remove some tests from being manual ( #398 )
* Remove some tests from being manual
* Remove some tests from being manual
5 years ago
Roberto Rojas
f343d36862
hyperkube v1.15 renamed "proxy" to "kube-proxy" ( #400 )
5 years ago
Roberto Rojas
3e5d02e920
fixes issue #386 ( #397 )
* fixes issue #386
* Correct typo
5 years ago
Abubakr-Sadik Nii Nai Davis
a3b8ba58ad
Fix error converting from string to integer ( #392 )
Replace the `gt` with `eq` for string comparison of kube-bench check 2.1.6 in `cfg/1.6/node.yaml`.
5 years ago
Patrick Lieberg
0d81ef10d5
Update config.yaml to add Azure AKS file locations for kubelet ( #383 )
* testing Azure config locations
* "Updated default config.yaml to incorporate Azure AKS file locations for kubelet"
* "Adjusted order of new lines. Removed unneeded lines."
5 years ago
mwwolters
787bf6ca4d
Updated check to pass if flag isn't set ( #379 )
5 years ago
Liz Rice
f8b2f6c841
Correct 1.4.21 text ( #356 )
1.4.21 is about the PKI key file not the certificate
5 years ago
yoavrotems
136e9cd731
Remove federated from ocp ( #381 )
* Delete federated.yaml
There is no federated tests in ocp
* Delete federated.yaml
There are no federated tests in OCP
5 years ago
Efrat Levitan
b8a463f051
Correction to 1.13 and 1.13-json test 2.1.5 ( #380 )
5 years ago
yoavrotems
22b971a633
fixes-according-kube-cis1.4.1 ( #376 )
* Update master.yaml
* Update node.yaml
Fix 2.1.11 - got DEPRECATED
2.1.14 changed to be a set of options, would be fixed by https://github.com/aquasecurity/kube-bench/pull/367
* Update master.yaml
* Update node.yaml
change 2.1.11 Title, and state to not scored
5 years ago
Roberto Rojas
0422368615
issue #369 : fixes RotateKubeletServerCertificate tests in 1.13-json ( #371 )
5 years ago
mwwolters
893aa3588c
Updated check to pass if flag isn't set ( #375 )
5 years ago
Roberto Rojas
937bfc7b2e
issue #344 : Adds support for array comparison. Every element in the s… ( #367 )
* issue #344 : Adds support for array comparison. Every element in the source array must exist in the target array.
* issue #344 : Fixed typo and found if condition based on code review
* adds unit tests for valid_elements comparison
* removes spaces from split strings
5 years ago
Roberto Rojas
c87c5cfb51
Fixes bugs on tests 2.1.4 and 2.1.5 - 1.13-json ( #365 )
* Adds bin_op to Test 2.1.4
* Adds bin_op to Test 2.1.5
5 years ago
Roberto Rojas
3926ba3977
issue #337 : Adds comment for properties detected thru parsing command line. Fixed Audit for test 2.1.8 ( #354 )
5 years ago
Roberto Rojas
d127512ab9
issue #349 : changes test 2.2.8 ( #351 )
5 years ago