1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-03 05:18:12 +00:00
Commit Graph

819 Commits

Author SHA1 Message Date
Liz Rice
06ab5dfc80
Rename master branch to main (#778) 2021-01-04 10:31:57 +00:00
Carol Valencia
888c912847
chore: build and push action for ecr and docker (#790)
Co-authored-by: Carol Valencia <krol3@users.noreply.github.com>
2020-12-27 09:43:30 +02:00
Liz Rice
6452df7c7f
Expected result pattern not always shows (#784)
* Add expectedResultPattern to invalid test

when testing and try convert to numeric we didn't set expectedResultPattern value.

* check for auditconfig before using it

The current state is that when ever audit output is not what we search for we check for auditConfig output which is sometime empty and therefore create empty expected result as described in #694

* Fix issue about expectedResultPattern

expectedResultPattern not always shown and wasn't accurate enough 
Issue #705

* Add tests for ExpectedResult and fixes

Add tests for ExpectedResult with the new output and the verify that the fix is working

* Add missing flags

In some cases not having audit or audit_config flag would fail the test.
So added just a simple commands like echo something to solve this issue 
Also add bitmask checks

* Add example IAM policy

* Pass RotateKubeletServerCertificate related checks if it's not found (#767)

* Allow for environment variables to be checked in tests (#755)

* Initial commit for checking environment variables for etcd

* Revert config changes

* Remove redundant struct data

* Fix issues with failing tests

* Initial changes based on code review

* Add option to disable envTesting + Update docs

* Initial tests

* Finished testing

* Fix broken tests

* Add a total summary and always show all tests. (#759)

Whether the total summary is shown can be specified with an option.

Fixes #528

Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud>

* Update Readme.md file with link to Contribution guide (#754)

* Update License with the year and the owner name

Please add this to make your license agreement strong

* Updated Readme.md file with license and proper documentation links

I have added a proper license agreement to the documentation. Also shortened the links to the issues so that it does not break in any on the forks.

* Update LICENSE

* Update README.md

* Update README.md

* Remove erroneous license info

Co-authored-by: Liz Rice <liz@lizrice.com>

* Support auto-detect platform when running on EKS or GKE (#683)

* Support auto-detect platform when running on EKS or GKE

* Change to get platform name from `kubectl version`

* fix regexp and add test

* Update Server Version match for EKS

* try to get version info from api sever at first

* Change expected expectedResultPattern

Now expectedResultPattern is more verbose

* Update ops tests

* Fix unit tests

* Fix bitmask output syntax

* Changes to be committed:
	modified:   check/check.go
	modified:   check/test.go
	modified:   check/test_test.go
fix unit testing and test.go to resolve conflicts.

* Change found to flagFound

* add missing }

* change found to flag found

Co-authored-by: yoavrotems <yoavrotems97@gmail.com>
2020-12-24 16:38:22 +02:00
Liz Rice
b6f619cdcb
GitHub Actions in correct directory (#787)
* Rename workflow to workflows

* Add integration tests to Actions

* Upload code coverage after unit test

* don't need code coverage when we do a release

* Use same Go version as in go.mod

* Use same Go version as go.mod
2020-12-23 12:48:17 +02:00
Liz Rice
e4d6ed2e8e
Refactor group skip (#783)
* Add example IAM policy

* Pass RotateKubeletServerCertificate related checks if it's not found (#767)

* Allow for environment variables to be checked in tests (#755)

* Initial commit for checking environment variables for etcd

* Revert config changes

* Remove redundant struct data

* Fix issues with failing tests

* Initial changes based on code review

* Add option to disable envTesting + Update docs

* Initial tests

* Finished testing

* Fix broken tests

* Add a total summary and always show all tests. (#759)

Whether the total summary is shown can be specified with an option.

Fixes #528

Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud>

* Update Readme.md file with link to Contribution guide (#754)

* Update License with the year and the owner name

Please add this to make your license agreement strong

* Updated Readme.md file with license and proper documentation links

I have added a proper license agreement to the documentation. Also shortened the links to the issues so that it does not break in any on the forks.

* Update LICENSE

* Update README.md

* Update README.md

* Remove erroneous license info

Co-authored-by: Liz Rice <liz@lizrice.com>

* Support auto-detect platform when running on EKS or GKE (#683)

* Support auto-detect platform when running on EKS or GKE

* Change to get platform name from `kubectl version`

* fix regexp and add test

* Update Server Version match for EKS

* try to get version info from api sever at first

* Refactor group skip

changed group 'skip' from being a bool to be 'type' string as done in check

* Change skip: true -> type: skip

Co-authored-by: Huang Huang <mozillazg101@gmail.com>
Co-authored-by: Wicked <jason_attwood@hotmail.co.uk>
Co-authored-by: Christian Zunker <827818+czunker@users.noreply.github.com>
Co-authored-by: Kaiwalya Koparkar <kaiwalyakoparkar@gmail.com>
Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2020-12-21 13:18:54 +02:00
Carol Valencia
abe0954dcb
feat: github actions to publish ecr and docker (#782)
* feat: github actions to publish ecr and docker

* fix: yaml lint in build

Co-authored-by: Carol Valencia <krol3@users.noreply.github.com>
2020-12-21 11:10:02 +00:00
Greg DeKoenigsberg
ecdd0b4158
Fix AWS ECR authentication docs (#781)
The command you listed here did not work. The command from the official documentation did:

https://docs.aws.amazon.com/AmazonECR/latest/userguide/getting-started-cli.html

aws ecr get-login-password --region region | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.region.amazonaws.com
2020-12-21 10:39:01 +00:00
Liz Rice
4ebfe684c9 Rename master branch to main 2020-12-17 13:37:02 +00:00
Brian Terry
c3f94dd89f
Aws asff (#770)
* add aasf

* add AASF format

* credentials provider

* add finding publisher

* add finding publisher

* add write AASF path

* add testing

* read config from file

* update docker file

* refactor

* remove sample

* add comments

* Add comment in EKS config.yaml

* Fix comment typo

* Fix spelling of ASFF

* Fix typo and other small code review suggestions

* Limit length of Actual result field

Avoids this message seen in testing:
  Message:Finding does not adhere to Amazon Finding Format. data.ProductFields['Actual result'] should NOT be longer than 1024 characters.

* Add comment for ASFF schema

* Add Security Hub documentation

* go mod tidy

* remove dupe lines in docs

* support integration in any region

* fix README link

* fix README links

Co-authored-by: Liz Rice <liz@lizrice.com>
2020-11-23 19:43:53 +00:00
Huang Huang
054c401f71
Support case which run etcd as systemd service instead of pod (#762) 2020-11-16 14:50:15 +02:00
Borko
bd0f59a013
Added Kubernetes Job for AKS-1.0 tests. (#735) 2020-11-16 14:38:02 +02:00
Borko
ab3881420c
Created config and test files for Azure Kubernetes Service (AKS). (#733)
* First draft of AKS configuration checks.

* Updated Azure Configurations. Added more policy checks.

* Finalized cfg components for AKS.

* Fixed targets for aks-1.0 in common_test.go

* Fixed yaml linting issues.

* Fixed white space yaml linkting issues in policies.yaml

* Fixed white space yaml linting issues in policies.yaml
2020-11-16 14:35:57 +02:00
bjrara
83b80a5816
automate check 3.2.1 Ensure that a minimal audit policy is created (#742)
Co-authored-by: mengyzhou <mengyzhou@ebay.com>
2020-11-02 09:41:07 +02:00
Wicked
aa2a6f08f3
Add exit-code parameter for when checks have failed (#734)
* Add int command to specify exit code wih a default of 0

* Re-structured to add tests

* Refactor exit code selection
2020-10-29 12:12:45 +02:00
Wicked
3a35c039e5
Add --skip command to skip groups and checks (#751) 2020-10-29 12:03:41 +02:00
Eric Ho
519f632147
Fix command on extract kube-bench binary (#750) 2020-10-29 11:45:07 +02:00
Sinith
a4c3ce9f9e
Update policies.yaml (#757) 2020-10-29 10:49:34 +02:00
bjrara
dc84ae3438
Fix defaultkubeconfig in config.yaml to resolve variable exposure in remediation when conf is missing (#758)
Co-authored-by: mengyzhou <mengyzhou@ebay.com>
2020-10-29 10:46:50 +02:00
Wicked
9474472194
Allow for skip to be defined on a group-level skipping all checks inside (#736)
* Allow for skip to be defined on a group-level skipping all checks inside

* Refactor skip code to not run skipped checks
2020-10-19 10:51:33 +03:00
bjrara
724cea4980
Customize kubeconfig location for kube-scheduler and kube-controller-manager (#738) 2020-10-18 18:10:29 +03:00
bjrara
d026e046f7
Check tls-cipher-suites using valid_elements op (#739) 2020-10-18 18:08:19 +03:00
Oleksandr Slynko
58bea9c89b
Fix go vet issues (#720)
* Fix go vet issues

* to omit the property from JSON parsing one should use "-". "omit" in
that case would use omit tag
* The error was not reachable in the tests, so I moved it to the place
where it make sense for me (but maybe it was just unnecessary)

* Run all go vet linters in CI

* This return breaks the test
2020-10-09 15:56:22 +01:00
Borko
f213918552
Updated documentation with section on downloading and installing kube-bench on Linux. (#716)
Added section on manually downloading and installing kube-bench
2020-10-09 15:46:57 +01:00
Huang Huang
ff0ce661a8
Fix typo of 1.1.19 in cis-1.6 (#728) 2020-10-09 15:39:05 +01:00
Tom Kelley
8207532d16
Since the 1.3 and 1.4 tests were removed, these files are unnecessary. (#727) 2020-10-07 21:58:44 +03:00
Tom Kelley
a7aa21f32c
Improve Proxykubeconfig tests (#708)
* Changes for 1.5

* Update cis-1.3 through 1.6 to also work with configmaps.

* Switch on if proxykubeconfig is set, instead of setting a variable in the script.

* permissons -> proxykubeconfig for 2.2.5/4.1.3 to keep these tests locked with 2.2.6/4.1.4

* Updating test output? Maybe?

* Copy integration test output files into docker image?

* Make entrypoint move integration folder to host, print 1.5 node info.

* Change the order of tests in travis to load files before testing.

* Return tests to place

Those tests comes first since there is more likely to fail with them and then the test will fail "faster" which will save time

* Remove copy integration 

When running in a container we don't need to test, only when build and running in Travis to make sure everything is working fine.

* Add $ mark before proxykubeconfig

If not having $ before the parameter then it won't get substituted

* Add $ mark before proxykubeconfig

If not having $ before the parameter then it won't get substituted

* Remove test relate lines

We don't test while running, only integration testing when building and unit testing

* Add spaces

* Change 4.1.3 4.1.4

Those tests now should pass.

* Change tests 4.1.3 and 4.1.4

Those tests now should PASS

* Update job.data with more accurate counts. Thanks to @yoavrotems for getting the project this far!

* Thanks for linting, yamllint!

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2020-10-07 21:53:34 +03:00
Yoav Rotem
714430c7fc
Not exiting when executable not found (#702)
Regrading https://github.com/aquasecurity/kube-bench/issues/701 where kube bench is crushing when not finding components
2020-10-03 11:51:13 +01:00
Neha Viswanathan
90b7ae6628
upgrade to go 1.15 (#706) 2020-10-03 11:30:01 +01:00
Neha Viswanathan
82421e5838
retire cis 1.3 and 1.4 (#693) 2020-10-03 11:23:28 +01:00
Yoav Rotem
deecf6265f
Test Travis build condition (#713)
* Add condition to make docker

Build and push Docker image only when pushing to master.

* Update to Golang 1.15

As https://github.com/aquasecurity/kube-bench/pull/706 did, just doing it in my fork to test Travis changes about the build
2020-10-01 16:37:38 +01:00
Liz Rice
cf305eed74
Update .travis.yml 2020-09-21 10:18:40 +01:00
yoavrotems
7280438eb5
Add cis 1.6 (#678)
* Add new cis version yamls

Add new cis version yamls

* Add new cis version yamls

* Add cis-1.6 to versions table

* support version mapping cis-1.6

* support version mapping cis-1.6

* Update controlplane.yaml

* Update etcd.yaml

* Update node.yaml

* Update policies.yaml

* Create job.data

* Create job-node.data

* Create job-master.data

* Create add-tls-kind.yaml

* Change node version to 1.15.0

* Add tests for cis-1.6

* Delete node_only.yaml

* Change tests 1.1.19-1.1.21

Change 1.1.19-1.1.21 because failing tests

* Update job.data

* Update job-master.data

* Update job-master.data

* Update job.data

* fix 1.2.35 remediation 

tabs instead of spaces

* Update job-master.data

* Remove extra space

* Update job.data

* Create node_only.yaml

* Add tests for cis-1.6

Add tests for cis-1.6 and change some from 1,5 to 1.6

* Fix typo

* Add mapping for cis-1.6

* Remove extra space in 1.2.35 remediation

* Update job.data

* Update job-master.data

* Fix type 1.2.35

* Remove trailing spaces

* Remove trailing spaces

* Remove trailing spaces

* Remove trailing spaces

* Add version 1.19 kubernetes support

* Add version 1.19 kubernetes support

* Add version 1.19 kubernetes support
2020-09-17 16:54:43 +01:00
yoavrotems
041c437339
Set actualResult (#703)
actual Result is used later on to get actual value and the --include-test-output values but it never got set so its always empty.
2020-09-17 13:23:02 +03:00
Liz Rice
1899f26bc1
Note about OpenShift OCP 4.* (#700)
- Add note about why we don't support OCP 4.*
- Move GKE & OpenShift sub-sections next to EKS and AKS
- Minor corrections
2020-09-14 09:27:49 +03:00
Liz Rice
d6de4f7c3c
Multi-arch build (#690)
* multi-arch build and other makefile tidies

* docker login in travis
2020-09-14 09:26:29 +03:00
Huang Huang
456d9b62e2
Default log output to stderr (#696) 2020-09-09 13:46:35 +01:00
Liz Rice
41a4059abe
Create codecov.yml 2020-09-09 12:05:57 +01:00
dylanzt
6702300b0a
Fix remediation typo in 3.1.1 and 4.1.1 (#692) 2020-09-07 09:33:21 +01:00
Liz Rice
a8a59d3bd8
docs: more clarification on output states (#691) 2020-09-06 10:46:29 +03:00
JoostC
f0e30cef62
Add a trailing slash to find directory path (#687) 2020-09-03 18:18:48 +01:00
Sathi Dyapa
3488c8343d
Updating section id 4.6 (#689)
- id: 4.6
        text: "Verify the scheduler pod specification file ownership set by OpenShift"
        audit: "stat -c %u:%g /etc/origin/node/pods/controller.yaml" -- (lower case u and g ) it returns the uID and gID in numeric i.e 0:0 not root:root.
it supposed to be Uppercase: audit: "stat -c %U:%G /etc/origin/node/pods/controller.yaml"
2020-09-02 15:29:57 +01:00
Danny Sauer
4e43c9a9a2
Update makefile to create kubeconfig (#685)
Per https://github.com/kubernetes-sigs/cluster-api/issues/1796, the
`kind get kubeconfig-path` command no longer works.  Update makefile
to create kube-bench local kubeconfig and use that.
2020-09-02 15:28:30 +01:00
Satya Pawan
33f6773a43
Code quality improvements (#677)
* Code quality improvements such -

1. Improves empty string test (len vs str == "")
2. Converts fmt.Sprintf to string literal and Printf to Print where possible (as the dynamic args are missing!)

* Delete .deepsource.toml

Co-authored-by: DeepSource Bot <bot@deepsource.io>
Co-authored-by: Liz Rice <liz@lizrice.com>
2020-09-01 14:50:04 +01:00
Liz Rice
772839fc92
move target mapping to config.yaml - updated version (#682)
* move target mapping to config.yaml

* Update config.yaml

* Update common.go

* Add support for eks-1.0

Add also eks-1.0 to map

* chore: merge correction

* Move file only used for testing

* Tidier logs

* Add target mapping for GKE and EKS

* fingers cross this finishes target mapping

Co-authored-by: Murali Paluru <leodotcloud@gmail.com>
Co-authored-by: Roberto Rojas <robertojrojas@gmail.com>
Co-authored-by: yoavrotems <yoavrotems97@gmail.com>
2020-08-30 10:16:21 +03:00
Liz Rice
01c77b2315
chore: improve test clarity (#675)
* read-only-port defaults are correct

* Tests that should catch good read-only-port

* Rework checks & tests

* Linting on issue template YAML

* More explicit test for 4.2.4

* Remove verbosity for ease of reading results

* Use subtests

* Tidy more test cases
2020-08-13 11:01:30 +03:00
Huang Huang
2d548597ae
Support CIS v1.5.1 (#673) 2020-08-12 21:57:51 +03:00
Liz Rice
07f3c40dc7
Better handling of parameters and config audits (#674)
* read-only-port defaults are correct

* Tests that should catch good read-only-port

* Rework checks & tests

* Linting on issue template YAML

* More explicit test for 4.2.4
2020-08-12 14:32:42 +01:00
Huang Huang
5d138f6388
Fix YAML Linting issue (#672) 2020-08-12 09:14:45 +01:00
yoavrotems
10f4e6c691
Refactor testitem-set (#668)
* set: default true

Refactor testitem-set to be default true

* fix typo

Co-authored-by: Liz Rice <liz@lizrice.com>

Co-authored-by: Liz Rice <liz@lizrice.com>
2020-08-10 17:12:41 +03:00
Liz Rice
68c8764ea8
Create bug_report.md 2020-08-10 15:09:03 +01:00