1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-25 17:38:21 +00:00
Commit Graph

275 Commits

Author SHA1 Message Date
Arano-kai
3a0ccc440c
fix: rh-1.0 check 4.1.3 typo (#1652)
Co-authored-by: Arano-kai <captcha.is(dot)evil(meov)gmail.com>
2024-10-04 13:42:56 +06:00
Winnerson Kharsunai
7ea1d59bb1
update audit script for cis-1.9 kubernetes policies id 5.1.6 (#1655) 2024-10-01 11:48:02 +06:00
Andy Pitcher
4b4c1ce709
Modify 1.2.3 Ensure that the DenyServiceExternalIPs is set in CIS-1.7/1.8 (#1607)
* Modify 1.2.3 Ensure that the DenyServiceExternalIPs is set
 - op changed from `have` to `has` and removed bin_op: or
 - remediation description changed to only include --enable-admission-plugins

* Apply changes for CIS-1.9
2024-09-30 10:30:59 +06:00
Andy Pitcher
b85ec78a84
Fix CIS-1.9 policies 5.1.1/5.1.5 typos (#1658)
* Fix CIS-1.9 policies 5.1.1 typo

* Fix typo CIS-1.9 5.1.5

* Add new lines to CIS-1.9
2024-09-30 09:54:45 +06:00
Andy Pitcher
2751f87034
Fix audit and remediation for CIS-1.9 master 1.1.13/1.1.14 (#1649)
* Fix audit and remediation for CIS-1.9 master 1.1.13/1.1.14

* Fix loop syntax for file paths

---------

Co-authored-by: afdesk <work@afdesk.com>
2024-09-26 10:45:48 +06:00
Derek Nola
a9422a6623
Overhaul of K3s scans (#1659)
* Overhaul K3s 1.X checks

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Overhaul K3s 2.X Checks

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Overhaul K3s 4.X checks

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Overhaul K3s 5.X checks

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Add K3s cis-1.8 scan

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Fix K3s 1.1.10 check

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Merge journalctl checks for K3s

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Matched Manual/Automated to correct scoring (false/true)

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Remove incorrect use of check_for_default_sa.sh script

Signed-off-by: Derek Nola <derek.nola@suse.com>

---------

Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: afdesk <work@afdesk.com>
2024-09-25 13:12:02 +06:00
Saurabh Misra
c533d68bad
FIXING RKE-2-CIS-1.24 Checks (#1688)
MASTER:
          Checks 1.1.10,1.1.20 are manual 
NODE:
            a. Check 4.2.12 is the node-level equivalent of the master-level check 1.3.6 and is treated the same way.
2024-09-24 11:56:58 +06:00
Andy Pitcher
7027b6b2ec
Add CIS kubernetes CIS-1.9 for k8s v1.27 - v1.29 (#1617)
* Create cis-1.9 yamls and Update info
      - policies.yaml
          - 5.1.1 to 5.1.6 were adapted from Manual to Automated
          - 5.1.3 got broken down into 5.1.3.1 and 5.1.3.2
          - 5.1.6 got broken down into 5.1.6.1 and 5.1.6.2
          - version was set to cis-1.9
       - node.yaml master.yaml controlplane.yaml etcd.yaml
          - version was set to cis-1.9

* Adapt master.yaml
    - Expand 1.1.13/1.1.14 checks by adding super-admin.conf to the permission and ownership verification
    - Remove 1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)
    - Adjust numbering from 1.2.12 to 1.2.29

* Adjust policies.yaml
   - Check 5.2.3 to 5.2.9 Title Automated to Manual

* Append node.yaml
   - Create 4.3 kube-config group
   - Create 4.3.1 Ensure that the kube-proxy metrics service is bound to localhost (Automated)

* Adjust policies 5.1.3 and 5.1.6

   - Merge 5.1.3.1 and 5.1.3.2 into 5.1.3 (use role_is_compliant and clusterrole_is_compliant)
   - Remove 5.1.6.1 and promote 5.1.6.2 to 5.1.6 since it natively covered 5.1.6.1 artifacts

* Add kubectl dependency and update publish
   - Download kubectl (build stage) based on version and architecture
   - Add binary checksum verification
   - Use go env GOARCH for ARCH
2024-06-26 15:53:57 +03:00
Derek Nola
ed51191d7c
Replace custom k3s etcd script checks with vanilla grep checks (#1601)
* Replace custom k3s etcd script checks with vanilla grep checks

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Rework etcd grep, remove etcd ENV checks (no-op), add correct k3s etcddatadir

Signed-off-by: Derek Nola <derek.nola@suse.com>

* chore: update go-linter version

Signed-off-by: chenk <hen.keinan@gmail.com>

* Use etcddatadir variable

Signed-off-by: Derek Nola <derek.nola@suse.com>

---------

Signed-off-by: Derek Nola <derek.nola@suse.com>
Signed-off-by: chenk <hen.keinan@gmail.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
2024-05-20 13:47:15 +03:00
mjshastha
d2d3e72271
Currently, certain commands involve retrieving all node names or pods and then executing additional commands in a loop, resulting in a time complexity linearly proportional to the number of nodes. (#1597)
This approach becomes time-consuming for larger clusters.

As kube-bench is executed as a job on every node in the cluster, To enhance performance, Streamlined the commands to execute directly on current node where kube-bench operates.
This change ensures that the time complexity remains constant, regardless of the cluster size.
By running the necessary commands only once per node, regardless of how many nodes are in the cluster, this approach significantly boosts performance and efficiency.
2024-04-18 09:01:17 +03:00
Kiran Bodipi
ee5e4aff51
update rke-cis-1.24 benchmarks: corrected errors and tests (#1570)
corrected few benchmarks with title and respective tests
Handled type and title mismatch
Added missing audit commands
2024-02-15 11:34:31 +02:00
Kiran Bodipi
2374e7b07f
Rancher checks correction (#1563)
1. Have modified test criteria such that it produces right output in case of there is no file exists.
2. Have modified the tests wherever root:root is checked multiple times.
2024-02-12 15:29:36 +02:00
Kiran Bodipi
13da372a87
Updating the rh-1.0 OCP checks (#1548)
1. Added audit commands wherever required.
2. Updated the scripts with type to manual to match the title.
3. Updated the scripts with test_items wherever required.
4. Fixed a typo.
2024-01-23 08:56:40 +02:00
mjshastha
7a55d5d57c
Issue: The initial command produces "root:root" as its output only when the file is present. However, if the file is missing, the command will still run successfully, though the desired output of "root:root" won't be obtained. (#1538)
Fix: To address this, we've modified the command to achieve the following:

Verify the existence of the file.

If the file is found, show the user and group ownership in the "username:groupname" format.

If the file is not found, display the message "File not found."

To accommodate this change, we've integrated the expected output "File not found" for instances where the file is absent. This adjustment ensures the successful execution of the test.

Co-authored-by: mjshastha <manojshastha.madriki@aquasec.com>
2023-12-18 09:10:07 +02:00
Huang Huang
0c553cd2f6
fix wrong use of flag in test_items found in 4.13 and 4.14 (#1528)
* fix wrong use of flag in test_items found in 4.13 and 4.14

Fixes #1491

* fix for more benchmarks

* update integration test

* fix test
2023-12-03 09:06:35 +02:00
Huang Huang
92a18e7dfd
support CIS Kubernetes Benchmark v1.8.0 (#1527)
* support CIS Kubernetes Benchmark v1.8.0

* update version info
2023-12-02 09:59:30 +02:00
Kiran Bodipi
f8fe5ee173
Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s (#1523)
* add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
with this change, we are adding
1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53
2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397

* add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
with this change, we are adding
1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53
2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397

* release: prepare v0.6.15 (#1455)

Signed-off-by: chenk <hen.keinan@gmail.com>

* build(deps): bump golang from 1.19.4 to 1.20.4 (#1436)

Bumps golang from 1.19.4 to 1.20.4.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump actions/setup-go from 3 to 4 (#1402)

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: chenk <hen.keinan@gmail.com>

* Fix test_items in cis-1.7 - node - 4.2.12 (#1469)

Related issue: https://github.com/aquasecurity/kube-bench/issues/1468

* Fix node.yaml - 4.1.7 and 4.1.8 audit by adding uniq (#1472)

* chore: add fips compliant images (#1473)

For fips complaince we need to generate fips compliant images.
As part of this change, we will create new kube-bench image which will be fips compliant. Image name follows this tag pattern <version>-ubi-fips

* release: prepare v0.6.16-rc (#1476)

* release: prepare v0.6.16-rc

Signed-off-by: chenk <hen.keinan@gmail.com>

* release: prepare v0.6.16-rc

Signed-off-by: chenk <hen.keinan@gmail.com>

---------

Signed-off-by: chenk <hen.keinan@gmail.com>

* release: prepare v0.6.16 official (#1479)

Signed-off-by: chenk <hen.keinan@gmail.com>

* Update job.yaml (#1477)

* Update job.yaml

Fix on typo for image version

* chore: sync with upstream

Signed-off-by: chenk <hen.keinan@gmail.com>

---------

Signed-off-by: chenk <hen.keinan@gmail.com>
Co-authored-by: chenk <hen.keinan@gmail.com>

* release: prepare v0.6.17 (#1480)

Signed-off-by: chenk <hen.keinan@gmail.com>

* Bump docker base images (#1465)

During a recent CVE scan we found kube-bench to use `alpine:3.18` as the final image which has a known high CVE.

```
grype aquasec/kube-bench:v0.6.15
 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [73 packages]
 ✔ Scanning image...       [4 vulnerabilities]
   ├── 0 critical, 4 high, 0 medium, 0 low, 0 negligible
   └── 4 fixed
NAME        INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY
libcrypto3  3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
libssl3     3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
openssl     3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
```

The CVE in question was addressed in the latest [alpine release](https://www.alpinelinux.org/posts/Alpine-3.15.9-3.16.6-3.17.4-3.18.2-released.html), hence updating the dockerfiles accordingly

* build(deps): bump golang from 1.20.4 to 1.20.6 (#1475)

Bumps golang from 1.20.4 to 1.20.6.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s
Based on the information furnished in https://ranchermanager.docs.rancher.com/v2.7/pages-for-subheaders/rancher-hardening-guides
kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions.

* RKE/RKE2 CIS Benchmarks
Updated the order of checks for RKE and RKE2 Platforms.

* fixed vulnerabilities|upgraded package golang.org/x/net to version v0.17.0

* Error handling for RKE Detection Pre-requisites

* Based on the information furnished in https://ranchermanager.docs.rancher.com/v2.7/pages-for-subheaders/rancher-hardening-guides#hardening-guides-and-benchmark-versions, kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions.
updated documentation specific to added rancher platforms

* addressed review comments
1.Implemented IsRKE functionality in kube-bench
2. Removed containerd from global level config and accommodated in individual config file
3. Corrected the control id from 1.2.25 to 1.2.23 in master.yaml(k3s-cis-1.23 and k3s-cis-1.24)

* Removed unncessary dependency - kubernetes-provider-detector

---------

Signed-off-by: chenk <hen.keinan@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Andy Pitcher <andy.pitcher@suse.com>
Co-authored-by: Devendra Turkar <devendra.turkar@gmail.com>
Co-authored-by: Guille Vigil <contact@guillermotti.com>
Co-authored-by: Jonas-Taha El Sesiy <jonas-taha.elsesiy@snowflake.com>
2023-11-26 12:27:38 +02:00
Benjamin Schimke
fac90f756e
feat(cis-1.24-microk8s): Add support to CIS-1.24 for microk8s distro (#1510) 2023-11-20 12:59:32 +02:00
Andy Pitcher
aa16551811
Fix node.yaml - 4.1.7 and 4.1.8 audit by adding uniq (#1472) 2023-07-11 11:45:06 +03:00
Andy Pitcher
40cdc1bfbb
Fix test_items in cis-1.7 - node - 4.2.12 (#1469)
Related issue: https://github.com/aquasecurity/kube-bench/issues/1468
2023-07-02 10:50:07 +03:00
KiranBodipi
ca8743c1f7
add support VMware Tanzu(TKGI) Benchmarks v1.2.53 (#1452)
* add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
with this change, we are adding
1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53
2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397

* add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
with this change, we are adding
1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53
2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397
2023-06-01 16:37:50 +03:00
Huang Huang
60dde65d72
support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0 (#1449)
closes #1448
2023-05-21 17:53:58 +03:00
Huang Huang
124c57c6f4
support CIS Kubernetes Benchmark v1.7.0 (#1424) 2023-05-21 15:46:16 +03:00
Huang Huang
e41755ba90
cis-1.24: fix tests of 1.1.1 and 4.2.9 were wrong (#1423)
fixes #1410
fixes #1421
2023-05-21 11:39:51 +03:00
Rayan Das
c3b6871766
Fix version in policies.yaml (#1415) 2023-04-07 17:33:52 +03:00
Derek Nola
e1d1053358
Fix to empty grep and other cis-1.6-k3s checks (#1352)
* Fix to empty grep and other k3s checks

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Lint fix

Signed-off-by: Derek Nola <derek.nola@suse.com>

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-01-13 18:06:57 +02:00
Huang Huang
bd8dd3adcc
use $etcddatadir in more etcd related checks (#1331) 2022-11-28 07:58:06 +02:00
Huang Huang
865817dfda
support customize datadir locations of etcd (#1330) 2022-11-25 15:32:49 +02:00
Huang Huang
3ccafa7be1
support CIS Kubernetes V1.24 Benchmark v1.0.0 (#1329) 2022-11-24 15:23:10 +02:00
Anupam Tamrakar
3b8379f081
Fixing OCP checks for rh-1.0 (#1259) 2022-10-11 09:18:49 +03:00
TARI TARI
4d76c77c6a
feat(cis-1.6-k3s): Add support to CIS-1.6 for k3s distribution (#1261)
* feat(cis-1.6-k3s): Add support to CIS-1.6 for k3s distribution

* update(docs): change platforms and architectrue document; update(review): code review for cfg/cis-1.6-k3s;

* update(docs): recover sheet style

* fix(yaml-lint): CI/CD YAML Error

* fix: Correct the problem of command and file/directory/log not found scene

* fix(yaml-lint): CI/CD YAML Error
2022-09-15 14:26:15 +03:00
Huang Huang
07e01cf38c
Support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0 (#1222)
* Support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0

* fix yaml lint error
2022-09-15 09:04:54 +03:00
Chris Renzo
a34047c105
Adding eks-stig-kubernetes-v1r6 (#1266)
* Adding eks-stig-kubernetes-v1r6

* Fixing lint errors

* Reformatting texts

* Removing pinned docker tag

* Updating Expected Stig Output

Co-authored-by: EC2 Default User <ec2-user@ip-10-0-44-222.ec2.internal>
2022-09-14 17:40:48 +03:00
Anupam Tamrakar
7a68b38763
Updating checks 4.2.1 and 4.2.3 (#1236)
Removing colon from these checks so that grep command will work with both communication method (YAML and JSON)
2022-08-08 15:54:37 -03:00
Huang Huang
e6b3eddb03
fix 4.2.11 in cis-1.20 should be Automated (#1213) 2022-06-19 17:10:37 +03:00
Qiming Teng
02fd0d4be2
Add support to CIS-1.23 1.0.0 (#1148) 2022-04-18 09:27:33 +03:00
Huang Huang
c28e7a796e
Fixed typo in policies.yaml (#1113) 2022-03-13 09:27:25 +02:00
Mirtov Alexey
a2b3de1bf4
Support Yandex Managed Service for Kubernetes (#1069) 2022-01-06 10:20:48 +02:00
Huang Huang
2d6bf55ab2
Support CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0 (#1050)
* Support CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0

* restore gke-1.0

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-12-09 12:04:38 +02:00
Huang Huang
6589eb16e1
Support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (#1045)
* Update eks-1.0 to support CIS EKS Benchmark v1.0.1

* add "No remediation"

* rename eks-1.0 to eks-1.0.1

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-11-18 10:42:53 +02:00
Huang Huang
f8e0171c09
Update aks-1.0 to match official CIS Azure Kubernetes Service (AKS) Benchmark v1.0.0 (#1042)
* Update aks-1.0 to match official CIS Azure Kubernetes Service (AKS) Benchmark v1.0.0

* fix typo

* fix empty remediation

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-11-14 15:37:54 +02:00
Huang Huang
65b45f699d
Fix status of cis-1.20 4.1.6 should be Automated (#1041) 2021-11-08 11:25:59 +02:00
tonyqui
11136317f2
Fix experimental-encryption-provider-config test on OCP 3.11 - Issue #926 (#1024)
Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-10-27 12:56:00 +03:00
Lennard Klein
70fa2cc0d5
Add various paths as used by Talos (#1009)
Implements #1008
2021-10-04 10:10:13 +03:00
Lennard Klein
5f7fb350a7
Add a trailing slash to find directory path (#1006)
This transplants #687 to cis-1.6 and cis-1.20. Fixes #686 for cis-1.6 and cis-1.20.
2021-10-03 13:08:28 +03:00
Huang Huang
e50de8145c
Fix status of cis-1.20 1.2.25 should be Manual (#1010)
* fix status of cis-1.20 1.2.25 should be Manual

* Fix tests

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-10-03 13:00:58 +03:00
brainfair
548b021340
Add node kubelet config path (#961)
In kubespray tool we have another path for kubelet config, add them to kube-bench config on top

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-08-30 16:02:26 +03:00
Nick Keenan
946a48ca74
Fix 4.1.9, skip irremediable checks, add /home/kubernetes mount (#976)
Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-08-30 15:33:59 +03:00
Hacks4Snacks
016d67bade
cis-1.20 section 1.1.10 command revision. (#922)
Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-07-07 18:06:50 +03:00
Huang Huang
e5e2804dfa
Fix values of version field in cfg/cis-1.20 were wrong (#913) 2021-06-20 11:23:24 +03:00