arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-22 16:18:07 +00:00
Code Issues Releases Wiki Activity
394 Commits 4 Branches 82 Tags 157 MiB
53ed68a0b2
Commit Graph

87 Commits

Author SHA1 Message Date
Abubakr-Sadik Nii Nai Davis
53ed68a0b2 Clean up OCP benchmark config. 
The OCP benchmarks uses configs for only binary component variable names.
This commit cleans up the OCP config by removing all configuration
except those component binaries required to run kube-bench on OCP
installations and adds missing ones.
 2019-03-06 12:02:58 +00:00
Liz Rice
dd8e7ec874
Merge branch 'master' into fix-208 2019-03-03 09:45:16 +00:00
Abubakr-Sadik Nii Nai Davis
d255b49d4b Revert 1.8 config file. 2019-03-02 17:20:46 +00:00
Abubakr-Sadik Nii Nai Davis
a88b0703d8 Add kubeconfig variable substitution for kubelet and proxy. 
There are checks for the kubeconfig for both kubelet and proxy which
the current kube-bench implementation does not check for properly.
kube-bench checks the wrong files.

This PR adds support for variable substitution for all the config file
types are that should be checked in the CIS benchmarks.

This PR also fixes a buggy in CIS 1.3.0 check 2.2.9, which checks for
ownership of the kubelet config file /var/lib/kubelet/config.yaml but
recommends changing ownership of kubelet kubeconfig file
/etc/kubernetes/kubelet.conf as remediation.
 2019-02-27 22:15:14 +00:00
Abubakr-Sadik Nii Nai Davis
3f98c1def2 Fix wrong reference to kubelet.config in node checks. 
This fix applies to only checks for kubernetes versions 1.8 and 1.11.
See https://github.com/aquasecurity/kube-bench/pull/208.
 2019-02-27 22:14:19 +00:00
Liz Rice
d712db47a2
Only find flags on the process we really want 2019-02-28 01:33:21 +08:00
Abubakr-Sadik Nii Nai Davis
e899e941f7 Add OCP 3.10 benchmarks. 2019-02-15 19:44:39 +00:00
Maximilian Bischoff
791fbba9e7
Changed 1.1.14 to not fail when flag is not set 
Added another test item that checks whether --disable-admission-plugins is not set and an "or" bin_op. 
This causes check 1.1.14 to be successful when the flag is not set, while still failing when the flag is set and includes the value NamespaceLifecycle
 2019-01-08 13:58:41 +01:00
Liz Rice
2d721ed4ad
Merge branch 'master' into rm-space-tls-cipher 2019-01-02 10:53:29 +00:00
Colin GILLE
ffe7ffb3d3
Type: trailing whitespace for rule text 2018-12-31 16:36:15 +01:00
Martin Mosegaard Amdisen
fd120d0adf Remove spaces in remediation command for tls-cipher-suites 
Makes it easier to copy-paste the remediation. Matches the other occurences
of tls-cipher-suites in the configuration.
 2018-12-27 14:48:21 +01:00
Liz Rice
26e28b8897
Merge branch 'master' into master 2018-12-21 11:26:53 +00:00
Maximilian Bischoff
e81b785bf8
Added missing "=" to master.yaml 
In the remediation of 1.1.11 the flag --enable-admission-plugins was missing a =
 2018-12-19 18:20:23 +01:00
Vladimir Dimov
645d23e1ec
fixing typos 2.1.15 2018-11-28 13:14:49 +02:00
Liz Rice
6e80b6477a
Merge branch 'master' into fix-2.1.8 2018-11-08 11:41:54 +00:00
Abubakr-Sadik Nii Nai Davis
0a5358665e By default --make-iptables-util-chain is true, so PASS if this flag is not set. 2018-11-07 23:57:38 +00:00
Abubakr-Sadik Nii Nai Davis
4f40a11e84 Change binary op from and to or. 2018-11-07 23:54:41 +00:00
Abubakr-Sadik Nii Nai Davis
c0f56e966a Fix check 1.1.37. 2018-11-06 14:35:45 +00:00
Nick Perry
e083c8f0a3 Fixes https://github.com/aquasecurity/kube-bench/issues/170 
Correcting the logic of 1.1.14 for Kubernetes 1.11.
 2018-10-30 23:40:41 +00:00
Liz Rice
48489637c5
Merge branch 'master' into fix-1.3.7 2018-10-29 12:08:22 +00:00
Michal Jankowski
9988503223 Fixing 1.3.7 on 1.11 master. 
With multiple test items operator defaults to "and". In case of 1.3.7
the tests check whether --address flag is either set to 127.0.0.1 or not
set at all. Those conditions cannot be met at the same time.
 2018-10-25 15:32:41 -07:00
Michal Jankowski
5f254de415 Fixing checks 2.2.9 and 2.2.10 on 1.11 nodes. 
Path to kubelet configuration was accidentally prefixed with a dollar
symbol (probably as a result of copying some other test that used
variable name).
After removing the dollar sign from paths both checks pass on conforming
deployment.
 2018-10-24 17:06:21 -07:00
Abubakr-Sadik Nii Nai Davis
97623aea05 Update kubernetes node benchmark to check kubelet systemd unitfile. 
Also clean up the config file for 1.11 a bit.
 2018-10-23 02:30:08 +00:00
Abubakr-Sadik Nii Nai Davis
b1369832bc A few corrections to node tests. (#2) 
* Add a few corrections.

* Add a few corrections to node test file.
 2018-10-13 15:48:50 -04:00
Abubakr-Sadik Nii Nai Davis
934b4aef96 Add a few corrections. (#1) 2018-10-12 10:22:08 -04:00
noqcks
e85de9e8af
fix simple errors 2018-10-09 19:16:08 -04:00
noqcks
b3a115963b
adding 1.11 config and node checks 2018-10-09 18:57:37 -04:00
noqcks
ba5ec8d4be
adding 1.11 master configuration 2018-10-09 18:34:52 -04:00
Liz Rice
c44e0db97b Inlcude .manifest extension config files for kops & kubespray 2018-06-29 10:24:09 +01:00
Liz Rice
024b7ed396
Merge branch 'master' into master 2018-06-18 08:30:24 -07:00
Julien Garcia Gonzalez
2073e08363
update 2.2.4 rules 2018-06-18 13:44:25 +02:00
Julien Garcia Gonzalez
db096c9f51
Rule node 2.2.4 is not correct 2018-06-15 15:49:55 +02:00
hutr
d736d10f90
fix sed string for 1.4.12 2018-06-07 16:34:03 +02:00
hutr
50a3725ff2
Merge branch 'master' into master 2018-06-07 16:12:04 +02:00
hutr
468f5fac6e
changes for 1.4.11 and 1.4.2 
added tests: for 1.4.11 and removed grep -v grep for both
 2018-06-07 16:08:43 +02:00
Erwan Miran
182e9b5e01 Addition of missing audit field in 2.2.6 node item 2018-06-05 15:27:20 +02:00
hutr
e4100a4435
fixed grep string for 1.4.11 and 1.4.22 
check 1.4.11 and 1.4.22 FAIL even when permissions is correct.
 2018-05-28 15:39:07 +02:00
Abubakr-Sadik Nii Nai Davis
b10b2bd22e Merge branch 'master' into fix-typo 2018-05-15 04:09:27 +00:00
Abubakr-Sadik Nii Nai Davis
aa9da13226 Fix a bunch of typos. 2018-05-15 04:08:44 +00:00
Liz Rice
1935c952d6 --request-timeout is a duration 2018-05-11 16:03:03 +01:00
Lee Briggs
d464ab5639
Wrong configuration file 2018-01-30 09:49:41 -08:00
Lee Briggs
165444df60
Test fixes for 1.8 2018-01-30 09:28:20 -08:00
Liz Rice
4b1b2b8762
Merge branch 'master' into master 2018-01-25 13:13:57 +00:00
Liz Rice
fc4fe38bc2
Merge branch 'master' into unnecessary-warning 2018-01-25 13:01:48 +00:00
Konstantin Semenov
961dbeb2b5
Correct sed regex 2018-01-25 00:34:52 +00:00
Konstantinos Karampogias
8fc6904093 Improve etcd data directory extraction 
- If data-dir is not the last argument, the remaining arguments
  are captured preventing the correct checking.

Signed-off-by: Konstantin Semenov <ksemenov@pivotal.io>
 2018-01-24 14:17:45 +00:00
Abubakr-Sadik Nii Nai Davis
7fcfb0cf30 Fix issue with etcd checks failing because of using " " instead of "=" to specify value. 
This issue affects master checks 1.4.11 and 1.4.12.
 2018-01-18 14:41:46 +00:00
Abubakr-Sadik Nii Nai Davis
53eb720952 Merge branch 'master' into unnecessary-warning 2017-11-28 17:44:53 +00:00
Abubakr-Sadik Nii Nai Davis
04f044e3b9 Add support for merging general and kubernetes version specific config files. 
This change unifies all config files, podspecs and unitfiles under
a single component configuration key; `config`.
 2017-11-28 17:38:34 +00:00
Liz Rice
d52e326147
Correct test config file typo 2017-11-14 18:05:40 +02:00