* Add expectedResultPattern to invalid test
when testing and try convert to numeric we didn't set expectedResultPattern value.
* check for auditconfig before using it
The current state is that when ever audit output is not what we search for we check for auditConfig output which is sometime empty and therefore create empty expected result as described in #694
* Fix issue about expectedResultPattern
expectedResultPattern not always shown and wasn't accurate enough
Issue #705
* Add tests for ExpectedResult and fixes
Add tests for ExpectedResult with the new output and the verify that the fix is working
* Add missing flags
In some cases not having audit or audit_config flag would fail the test.
So added just a simple commands like echo something to solve this issue
Also add bitmask checks
* Add example IAM policy
* Pass RotateKubeletServerCertificate related checks if it's not found (#767)
* Allow for environment variables to be checked in tests (#755)
* Initial commit for checking environment variables for etcd
* Revert config changes
* Remove redundant struct data
* Fix issues with failing tests
* Initial changes based on code review
* Add option to disable envTesting + Update docs
* Initial tests
* Finished testing
* Fix broken tests
* Add a total summary and always show all tests. (#759)
Whether the total summary is shown can be specified with an option.
Fixes#528
Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud>
* Update Readme.md file with link to Contribution guide (#754)
* Update License with the year and the owner name
Please add this to make your license agreement strong
* Updated Readme.md file with license and proper documentation links
I have added a proper license agreement to the documentation. Also shortened the links to the issues so that it does not break in any on the forks.
* Update LICENSE
* Update README.md
* Update README.md
* Remove erroneous license info
Co-authored-by: Liz Rice <liz@lizrice.com>
* Support auto-detect platform when running on EKS or GKE (#683)
* Support auto-detect platform when running on EKS or GKE
* Change to get platform name from `kubectl version`
* fix regexp and add test
* Update Server Version match for EKS
* try to get version info from api sever at first
* Change expected expectedResultPattern
Now expectedResultPattern is more verbose
* Update ops tests
* Fix unit tests
* Fix bitmask output syntax
* Changes to be committed:
modified: check/check.go
modified: check/test.go
modified: check/test_test.go
fix unit testing and test.go to resolve conflicts.
* Change found to flagFound
* add missing }
* change found to flag found
Co-authored-by: yoavrotems <yoavrotems97@gmail.com>
* Rename workflow to workflows
* Add integration tests to Actions
* Upload code coverage after unit test
* don't need code coverage when we do a release
* Use same Go version as in go.mod
* Use same Go version as go.mod
* Add example IAM policy
* Pass RotateKubeletServerCertificate related checks if it's not found (#767)
* Allow for environment variables to be checked in tests (#755)
* Initial commit for checking environment variables for etcd
* Revert config changes
* Remove redundant struct data
* Fix issues with failing tests
* Initial changes based on code review
* Add option to disable envTesting + Update docs
* Initial tests
* Finished testing
* Fix broken tests
* Add a total summary and always show all tests. (#759)
Whether the total summary is shown can be specified with an option.
Fixes#528
Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud>
* Update Readme.md file with link to Contribution guide (#754)
* Update License with the year and the owner name
Please add this to make your license agreement strong
* Updated Readme.md file with license and proper documentation links
I have added a proper license agreement to the documentation. Also shortened the links to the issues so that it does not break in any on the forks.
* Update LICENSE
* Update README.md
* Update README.md
* Remove erroneous license info
Co-authored-by: Liz Rice <liz@lizrice.com>
* Support auto-detect platform when running on EKS or GKE (#683)
* Support auto-detect platform when running on EKS or GKE
* Change to get platform name from `kubectl version`
* fix regexp and add test
* Update Server Version match for EKS
* try to get version info from api sever at first
* Refactor group skip
changed group 'skip' from being a bool to be 'type' string as done in check
* Change skip: true -> type: skip
Co-authored-by: Huang Huang <mozillazg101@gmail.com>
Co-authored-by: Wicked <jason_attwood@hotmail.co.uk>
Co-authored-by: Christian Zunker <827818+czunker@users.noreply.github.com>
Co-authored-by: Kaiwalya Koparkar <kaiwalyakoparkar@gmail.com>
Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
* add aasf
* add AASF format
* credentials provider
* add finding publisher
* add finding publisher
* add write AASF path
* add testing
* read config from file
* update docker file
* refactor
* remove sample
* add comments
* Add comment in EKS config.yaml
* Fix comment typo
* Fix spelling of ASFF
* Fix typo and other small code review suggestions
* Limit length of Actual result field
Avoids this message seen in testing:
Message:Finding does not adhere to Amazon Finding Format. data.ProductFields['Actual result'] should NOT be longer than 1024 characters.
* Add comment for ASFF schema
* Add Security Hub documentation
* go mod tidy
* remove dupe lines in docs
* support integration in any region
* fix README link
* fix README links
Co-authored-by: Liz Rice <liz@lizrice.com>
* First draft of AKS configuration checks.
* Updated Azure Configurations. Added more policy checks.
* Finalized cfg components for AKS.
* Fixed targets for aks-1.0 in common_test.go
* Fixed yaml linting issues.
* Fixed white space yaml linkting issues in policies.yaml
* Fixed white space yaml linting issues in policies.yaml
* Fix go vet issues
* to omit the property from JSON parsing one should use "-". "omit" in
that case would use omit tag
* The error was not reachable in the tests, so I moved it to the place
where it make sense for me (but maybe it was just unnecessary)
* Run all go vet linters in CI
* This return breaks the test
* Changes for 1.5
* Update cis-1.3 through 1.6 to also work with configmaps.
* Switch on if proxykubeconfig is set, instead of setting a variable in the script.
* permissons -> proxykubeconfig for 2.2.5/4.1.3 to keep these tests locked with 2.2.6/4.1.4
* Updating test output? Maybe?
* Copy integration test output files into docker image?
* Make entrypoint move integration folder to host, print 1.5 node info.
* Change the order of tests in travis to load files before testing.
* Return tests to place
Those tests comes first since there is more likely to fail with them and then the test will fail "faster" which will save time
* Remove copy integration
When running in a container we don't need to test, only when build and running in Travis to make sure everything is working fine.
* Add $ mark before proxykubeconfig
If not having $ before the parameter then it won't get substituted
* Add $ mark before proxykubeconfig
If not having $ before the parameter then it won't get substituted
* Remove test relate lines
We don't test while running, only integration testing when building and unit testing
* Add spaces
* Change 4.1.3 4.1.4
Those tests now should pass.
* Change tests 4.1.3 and 4.1.4
Those tests now should PASS
* Update job.data with more accurate counts. Thanks to @yoavrotems for getting the project this far!
* Thanks for linting, yamllint!
Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
* Add condition to make docker
Build and push Docker image only when pushing to master.
* Update to Golang 1.15
As https://github.com/aquasecurity/kube-bench/pull/706 did, just doing it in my fork to test Travis changes about the build
- id: 4.6
text: "Verify the scheduler pod specification file ownership set by OpenShift"
audit: "stat -c %u:%g /etc/origin/node/pods/controller.yaml" -- (lower case u and g ) it returns the uID and gID in numeric i.e 0:0 not root:root.
it supposed to be Uppercase: audit: "stat -c %U:%G /etc/origin/node/pods/controller.yaml"
* Code quality improvements such -
1. Improves empty string test (len vs str == "")
2. Converts fmt.Sprintf to string literal and Printf to Print where possible (as the dynamic args are missing!)
* Delete .deepsource.toml
Co-authored-by: DeepSource Bot <bot@deepsource.io>
Co-authored-by: Liz Rice <liz@lizrice.com>
* read-only-port defaults are correct
* Tests that should catch good read-only-port
* Rework checks & tests
* Linting on issue template YAML
* More explicit test for 4.2.4
* Remove verbosity for ease of reading results
* Use subtests
* Tidy more test cases