Huang Huang
70988356c8
Support config files which use .yml file extension ( #586 )
...
Co-authored-by: Roberto Rojas <robertojrojas@gmail.com>
2020-03-03 12:03:21 -05:00
Abubakr-Sadik Nii Nai Davis
d988b81540
CIS GKE 1.0.0 benchmark ( #570 )
...
* Add initial commit for CIS GKE 1.0 benchmark
* Update README with GKE instructions
* Fix YAML linter issues
* Set GKE benchmark k8s version to gke-1.0
* Add tests for gke-1.0
Co-authored-by: Roberto Rojas <robertojrojas@gmail.com>
2020-03-03 09:51:48 -05:00
Thorsten Schifferdecker
237f8cf818
fix small typo ( #592 )
...
proykubeconfig -> proxykubeconfig
2020-03-02 16:35:01 +00:00
Huang Huang
65fb352e0e
Change to checking --disable-admission-plugins
for cis-1.4-1.1.27 and cis-1.5-1.2.14 ( #584 )
...
Fixes #582
2020-02-18 09:37:50 -05:00
LukasAuerbeck
037bb14729
added 444, 440, 400 and 000 file permission checks for all benchmarks ( #563 )
...
Co-authored-by: Liz Rice <liz@lizrice.com>
2020-01-22 14:40:01 +00:00
mustafa-rean
89f8e454ba
Resolved bug in master.yml for cis-1.5 for the apiserverbin variable name ( #567 )
...
Co-authored-by: Liz Rice <liz@lizrice.com>
2020-01-22 14:00:23 +00:00
Murali Paluru
48e33d33e5
fix mismatching checks, tests ( #544 )
2020-01-07 12:31:07 +00:00
James Ward
5f34058dc7
Support Linting YAML as part of Travis CI build ( #554 )
...
* add yamllint command to travis CI
installs and runs a linter across the YAML in the
project to ensure consistency in the written YAML.
this uses yamllint and the default yamllint config with
"truthy" and "line-length" disabled.
* run dos2unix on CRLF files
* YAMLLINT: remove trailing spaces
* YAMLLint: add YAML document start
* YAMLLint: too many spaces around bracket
* YAMLLint: fix indentation
* YAMLLint: remove duplicate key
* YAMLLint: newline at end of file
* YAMLLint: Too few spaces after comma
* YAMLLint: too many spaces after colon
2020-01-06 09:18:25 +00:00
Roberto Rojas
13193d75b0
Fixes Issue #535 ( #537 )
...
* isEtcd should not run on openshift 3.10/3.11
* adds openssl
* fixed tests
* fixes bugs
* adds isEtcd tests
2019-12-13 10:09:30 -05:00
Huang Huang
4a07f87e6f
Fix remediations about file permission ( #534 )
...
* Fix remediation of 2.2.3 in cis-1.3
* Fix remediation of 4.1.1 in cis-1.5
2019-12-10 13:57:07 -05:00
Mateus Caruccio
6e1c39237a
Openshift configs ( #526 )
...
* Adds openshift to autodetect node type
* detect okd node units
2019-12-09 09:07:44 -05:00
Roberto Rojas
af976e6f50
Fixes Issue #494 - add tests for CIS 1.5 ( #530 )
...
* Initial commit.
* Add master and node config.
* Add section 5 of CIS 1.5.1.
* Split sections into section files
* Fix YAML issues.
* adds target translation
* adds target translation
* adds cis-1.5 mapping
* fixed tests
* fixes are per PR
* fixed intergration test
* integration kind test file to appropriate ks8 version
* fixed etcd text
* fixed README
* fixed text
* etcd: fixed grep path
* etcd: fixes
* fixed error message bug
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* fixes as per PR review
2019-12-05 15:55:44 -05:00
Huang Huang
7015f4b4b5
Fix remediation of 2.2.3 ( #527 )
2019-12-04 07:06:50 -08:00
Roberto Rojas
9c6d4de860
Issue #421 : Merges PR #422 with master ( #523 )
...
* Add kubeconfig location of kube-proxy for AKS
* Add job for AKS node
* Automate ca file permission check
* removed job-aks.yaml as other PRs added needed features
* fixed integration test due to merge changes
2019-11-27 15:30:29 +00:00
Liz Rice
d7b5422e8a
Fix detection of encryption-provider-config ( #513 )
...
Fixes: https://github.com/aquasecurity/kube-bench/issues/420
Signed-off-by: Manuel Rüger <manuel@rueg.eu>
2019-11-05 19:45:40 -05:00
Roberto Rojas
7ca438b618
Fixes Issue 269 - Numbering to use CIS Versions ( #511 )
...
* starting benchmark flag
* Revert "starting benchmark flag"
This reverts commit 58fc948626
.
* fixes issue #269
* add more unit tests
* fix bug
* Update cmd/common.go
Co-Authored-By: Liz Rice <liz@lizrice.com>
* fixes as per PR review
* fixes as per PR review
* adds more tests
* fixed tests
* changes as per PR Review
* changes as per PR Review
* updated README
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* changes are per PR review
2019-11-05 16:31:27 -05:00
mwwolters
8276e521d4
Changed 1.3.3 to check that --use-service-account-credentials isn't set to false, but the flag is set ( #442 )
2019-11-05 21:29:16 +01:00
Roberto Rojas
13fe1cdfb8
Fixes issue #501 : specifying absolute path for both ps and cat ( #508 )
...
* fixes issue #501
* specify abolute path for ps and cat
2019-11-01 13:10:52 +00:00
Kevin W Monroe
04946a48fb
add snap component paths to default config ( #414 )
2019-10-25 20:19:56 -04:00
Prem Kumar
01ee110ac4
Fix repetitive flags in some ocp-3.11 tests ( #462 )
...
* fix flag repetition in ocp-3.11/node.yaml
* fix flag repetition in ocp-3.11/master.yaml
2019-10-25 20:12:56 -04:00
Arpit Pandey
ce0137a31a
Fix few typos ( #469 )
2019-10-24 14:05:13 -07:00
Simarpreet Singh
d77eab2234
master.yaml: Add --audit-policy-file check for 1.1.37. ( #440 )
...
* master.yaml: Add --audit-policy-file check for 1.1.37.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* fix-177: fix line endings
Signed-off-by: Simarpreet Singh <simar@linux.com>
2019-10-18 13:23:23 -07:00
Simarpreet Singh
d12a45bba9
Properly initialize viper library when checking for master components ( #434 )
...
* common_test: Add a failing test to show the SISEGV
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: Go green by fixing isMaster() to instantiate viper
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: Inject a seam for getBinariesFunc to be patched-in.
Also adds additional tests to showcase unhappy behaviors.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common_test: Rename TestIsMaster()
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: init viper with master config
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: Add a pre-check if valid yaml is passed but doesn't include master.
Also adds additional tests to showcase unhappy behaviors.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* mod: Upgrade viper to v1.4.0
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: Refactor node only yaml to a file
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: Log when master components are not found
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common_test: Refactor subtests into a table
Signed-off-by: Simarpreet Singh <simar@linux.com>
2019-10-14 11:15:08 -04:00
Roberto Rojas
a6ee61fd08
Fixes issue #289 : removed versions prior to 1.11 ( #429 )
...
* removed version prior to 1.11
* removed references to kubernetes versions prior to 1.11
2019-10-14 10:52:43 -04:00
Roberto Rojas
3aa41db166
Issue #353 : Merges JSON and Exec Params files ( #426 )
...
* starts fixes #353
* new approach to minize duplications
* applied merged yaml files for v1.11 and v1.13
* yaml files json/params merged
* fixes to remove double quotes from numbers and booleans
* fixed bug
* fixed certificate check
* removed -json files
* changes based on PR review
* Update check/check_test.go
Yay more tests!
Co-Authored-By: Liz Rice <liz@lizrice.com>
* changes as PR review
* fixed bug when scored check is missing tests
* attempt to improve the code
* fixed list breaks
* removes handleError function
* Update check/check.go
Accepting suggested log level.
Co-Authored-By: Liz Rice <liz@lizrice.com>
2019-10-14 10:37:10 -04:00
Roberto Rojas
c22f81610d
removes federated ( #431 )
2019-10-12 19:00:26 -04:00
yoavrotems
89afda1f63
Add [Manual test] to remediation in all the manual tests ( #435 )
2019-10-09 16:26:02 +01:00
Simarpreet Singh
37f626dce6
cfg: Make proxy checks optional ( #436 )
...
Signed-off-by: Simarpreet Singh <simar@linux.com>
2019-10-08 11:53:39 +01:00
Roberto Rojas
41e0ae77de
changes to use the "op: valid_elements" operation to manage list of items ( #402 )
2019-09-03 13:36:47 +01:00
yoavrotems
ea9089bd42
update the yaml according ( #410 )
...
The update is from the new cis version 1.4.1.
like been done in https://github.com/aquasecurity/kube-bench/issues/370
2019-09-02 16:40:45 +01:00
Roberto Rojas
ec3b1076c0
Fixes issue #407 ( #409 )
...
* fixes issue #407
* fixes issue #407
2019-08-30 17:33:14 +01:00
Roberto Rojas
13dfa15ad6
Fixes Issue #396 - Replaces $kubeletconf for $kubeletsvc ( #399 )
...
* fixes issue #396
* reverts remediation text change
* changes to 1.11-json and 1.13-json as per PR review
* Tiny typo
2019-08-30 15:21:41 +01:00
Liz Rice
a2466da4b0
Correct 1.1.13 to match CIS spec ( #406 )
...
Text should say Not Scored
2019-08-30 15:10:30 +01:00
Roberto Rojas
7a53806863
fixes issue #346 by explicitly only checking read-only property ( #404 )
2019-08-30 08:56:48 +01:00
yoavrotems
4b5a877f1f
Remove some tests from been manual ( #398 )
...
* Remove some tests from been manual
* Remove some tests from been manual
2019-08-29 08:54:29 +01:00
Roberto Rojas
f343d36862
hyperkube v1.15 renamed "proxy" to "kube-proxy" ( #400 )
2019-08-28 16:53:48 +01:00
Roberto Rojas
3e5d02e920
fixes issue #386 ( #397 )
...
* fixes issue #386
* Correct typo
2019-08-28 09:27:56 +01:00
Abubakr-Sadik Nii Nai Davis
a3b8ba58ad
Fix error converting from string to integer ( #392 )
...
Replace the `gt` with `eq` for string comparison of kube-bench check 2.1.6 in `cfg/1.6/node.yaml`.
2019-08-23 16:15:21 +01:00
Patrick Lieberg
0d81ef10d5
Update config.yaml to add Azure AKS file locations for kubelet ( #383 )
...
* testing Azure config locations
* "Updated default config.yaml to incorporate Azure AKS file locations for kubelet"
* "Adjusted order of new lines. Removed unneeded lines."
2019-08-22 14:52:34 +01:00
mwwolters
787bf6ca4d
Updated check to pass if flag isn't set ( #379 )
2019-08-09 18:24:20 +01:00
Liz Rice
f8b2f6c841
Correct 1.4.21 text ( #356 )
...
1.4.21 is about the PKI key file not the certificate
2019-08-07 17:17:21 +01:00
yoavrotems
136e9cd731
Remove federated from ocp ( #381 )
...
* Delete federated.yaml
There is no federated tests in ocp
* Delete federated.yaml
There are no federated tests in OCP
2019-08-07 16:52:04 +01:00
Efrat Levitan
b8a463f051
Correction to 1.13 and 1.13-json test 2.1.5 ( #380 )
2019-08-07 03:33:09 -07:00
yoavrotems
22b971a633
fixes-according-kube-cis1.4.1 ( #376 )
...
* Update master.yaml
* Update node.yaml
Fix 2.1.11 - got DEPRECATED
2.1.14 changed to be a set of options, would be fixed by https://github.com/aquasecurity/kube-bench/pull/367
* Update master.yaml
* Update node.yaml
change 2.1.11 Title, and state to not scored
2019-08-06 06:19:29 -07:00
Roberto Rojas
0422368615
issue #369 : fixes RotateKubeletServerCertificate tests in 1.13-json ( #371 )
2019-08-06 00:58:35 -07:00
mwwolters
893aa3588c
Updated check to pass if flag isn't set ( #375 )
2019-07-30 10:09:24 -07:00
Roberto Rojas
937bfc7b2e
issue #344 : Adds support for array comparison. Every element in the s… ( #367 )
...
* issue #344 : Adds support for array comparison. Every element in the source array must exist in the target array.
* issue #344 : Fixed typo and found if condition based on code review
* adds unit tests for valid_elements comparison
* removes spaces from split strings
2019-07-26 11:11:59 -07:00
Roberto Rojas
c87c5cfb51
Fixes bugs on tests 2.1.4 and 2.1.5 - 1.13-json ( #365 )
...
* Adds bin_op to Test 2.1.4
* Adds bin_op to Test 2.1.5
2019-07-13 07:35:44 +01:00
Roberto Rojas
3926ba3977
issue #337 : Adds comment for properties detected thru parsing command line. Fixed Audit for test 2.1.8 ( #354 )
2019-07-11 17:05:24 +01:00
Roberto Rojas
d127512ab9
issue #349 : changes test 2.2.8 ( #351 )
2019-07-10 15:54:09 +01:00
Roberto Rojas
336ca84998
fixes substitution variable (kubeletconf -> kubeletsvc). ( #350 )
2019-07-10 14:20:14 +01:00
zilard
d8528a1ec8
issue #234 : implement test 2.2.8 ( #343 )
...
* implement test 2.2.8
* Nit: correct indentation
The indentation looked a bit wonky due to spaces vs tabs; hopefully this corrects it
2019-07-10 10:43:15 +01:00
Roberto Rojas
a0bed18054
Adds json version of config for k8s 1.13 ( #342 )
2019-07-10 09:26:37 +01:00
Manuel Rüger
5e6cdfdb0e
Detect kube-controller in CMD ( #326 )
...
If kube-controller-manager is getting detected by older versions of
procps, it will only be detected if we're looking for kube-controller
(15 chars)
NOTE: "The command name is not the same as the command line. Previous versions of
procps and the kernel truncated this command name to 15
characters. This limitation is no longer present in both. If
you depended on matching only 15 characters, you may no longer
get a match."
2019-06-28 16:58:23 +01:00
Simarpreet Singh
dddc42f046
cfg: remove erroneous whitespaces in yaml
...
Signed-off-by: Simarpreet Singh <simar@linux.com>
2019-06-25 07:18:46 -07:00
pthomson
2275eea93f
Adding OCP 3.11
...
Adding OCP 3.11
2019-06-17 13:44:35 -04:00
Simarpreet Singh
5df39eed02
ocp-3.10: Fix malformed yaml and improve TestControls_RunChecks
...
This improves the TestControls_RunChecks() test by making
more comprehensive assertions on a more fully fledged input yaml
Fixes: https://github.com/aquasecurity/kube-bench/issues/304
Signed-off-by: Simarpreet Singh <simar@linux.com>
2019-06-10 13:39:43 -07:00
Liz Rice
bab1237a44
Merge branch 'master' into add_kubelet_config_path
2019-06-05 12:27:07 +02:00
Daniel Sagi
43caaab00a
added another kubelet config file to paths, in the main config yaml file. default location for gke cluster
2019-06-04 17:16:05 +03:00
Liz Rice
9d577d94b4
Update openshift executables
2019-05-30 23:04:44 +01:00
Liz Rice
12e48297a6
Config file improvements
...
Correct defaults in main config.yaml file
Remove unnecessary overrides in version-specific config.yaml
2019-05-17 14:21:42 +01:00
Liz Rice
02d5654cc1
Correct 1.1.14 in 1.13/master.yaml
2019-05-14 19:37:44 +01:00
Liz Rice
caf3fbd0a0
Moving more config into master config file
2019-05-13 18:20:57 +01:00
daniellohausen
22e835f0f5
Reverted kubelet conf to original value
2019-05-08 13:55:45 +02:00
daniellohausen
7ec10211a5
Added KOPS-specific paths
2019-05-08 13:52:08 +02:00
Abubakr-Sadik Nii Nai Davis
fbbf6b37c7
Change test_items in 1.11 master.yaml check 1.5.2 to fix issue with
...
check failing even when --client-cert-auth is set.
2019-04-30 16:51:10 +00:00
Liz Rice
91c6ef2155
Merge branch 'master' into json-config
2019-04-23 13:51:30 +02:00
Liz Rice
7e8dfbc6ea
Fix invalid YAML
2019-04-23 11:41:48 +01:00
Liz Rice
b4419e810f
Tiny typo
2019-04-23 11:01:38 +01:00
Liz Rice
d05d71553f
Tiny typo
2019-04-23 10:57:15 +01:00
yoavrotems
e70f50b2b5
update files
2019-04-16 06:01:51 +00:00
Liz Rice
27dc75fefa
No need for unused master config file.
...
Better comments in config file
2019-04-11 18:36:30 +01:00
Liz Rice
902a10f1c7
Just have one path for both json and yaml
2019-04-11 17:09:33 +01:00
Liz Rice
c887794807
Merge branch 'master' into feature/json-config
2019-04-11 10:03:07 +01:00
Liz Rice
b1ce0a9a75
Merge branch 'master' into yoavrotems-patch-2
2019-03-26 09:51:03 +00:00
yoavrotems
d059196b71
Update master.yaml
...
Fix 1.1.23 to check *if* --service-account-lookup argument is set and if so then if it's equal to true
2019-03-25 14:41:06 +02:00
yoavrotems
a85e5a7759
Update master.yaml
...
Fix title of 1.4.21 from 644 to 600 according to cis benchmark
2019-03-25 14:33:52 +02:00
Florent Delannoy
4d3144ca21
Support JSON and YAML configuration
...
Support new configuration options besides --flags:
- JSON file through `jsonpath`
- YAML file through `yamlpath`
These new options are fully backwards-compatible with the existing
tests.
Added a new profile, 1.11-json, that expects a JSON kubelet
configuration file and scores accordingly. This profile is compatible
with EKS.
2019-03-21 12:13:31 +00:00
Liz Rice
9b3628e76a
Update openshift executable config for #236
2019-03-07 11:18:06 +00:00
Liz Rice
1ead9e1d71
Merge branch 'master' into clean-ocp-configs
2019-03-07 09:22:47 +00:00
Abubakr-Sadik Nii Nai Davis
53ed68a0b2
Clean up OCP benchmark config.
...
The OCP benchmarks uses configs for only binary component variable names.
This commit cleans up the OCP config by removing all configuration
except those component binaries required to run kube-bench on OCP
installations and adds missing ones.
2019-03-06 12:02:58 +00:00
yoavrotems
c6102f0a1b
Fix the files
...
Fix the start from 1.11 to 1.13 and adding changes from pull #227 , and pull #228 .
2019-03-06 11:26:36 +00:00
yoavrotems
e534392525
Delete node.yaml
...
replace with the new node.yaml file
2019-03-06 13:24:14 +02:00
yoavrotems
5f09ecef44
Delete master.yaml
...
replace with the new master.yaml file
2019-03-06 13:23:49 +02:00
yoavrotems
a7d9e06c1b
Delete config.yaml
...
replace with the new config.yaml file
2019-03-06 13:23:18 +02:00
yoavrotems
50f22e7f13
Merge branch 'master' into add-new-cfg-version1.4
2019-03-06 11:16:36 +00:00
Liz Rice
dd8e7ec874
Merge branch 'master' into fix-208
2019-03-03 09:45:16 +00:00
Abubakr-Sadik Nii Nai Davis
d255b49d4b
Revert 1.8 config file.
2019-03-02 17:20:46 +00:00
Abubakr-Sadik Nii Nai Davis
a88b0703d8
Add kubeconfig variable substitution for kubelet and proxy.
...
There are checks for the kubeconfig for both kubelet and proxy which
the current kube-bench implementation does not check for properly.
kube-bench checks the wrong files.
This PR adds support for variable substitution for all the config file
types are that should be checked in the CIS benchmarks.
This PR also fixes a buggy in CIS 1.3.0 check 2.2.9, which checks for
ownership of the kubelet config file /var/lib/kubelet/config.yaml but
recommends changing ownership of kubelet kubeconfig file
/etc/kubernetes/kubelet.conf as remediation.
2019-02-27 22:15:14 +00:00
Abubakr-Sadik Nii Nai Davis
3f98c1def2
Fix wrong reference to kubelet.config in node checks.
...
This fix applies to only checks for kubernetes versions 1.8 and 1.11.
See https://github.com/aquasecurity/kube-bench/pull/208 .
2019-02-27 22:14:19 +00:00
Liz Rice
d712db47a2
Only find flags on the process we really want
2019-02-28 01:33:21 +08:00
yoavrotems
82150fdc63
add new config files from the new CIS Kubernetes Benchmark
...
there is a new update at CIS_Kubernetes_Benchmark_v1.4.0 for Kubernetes 1.13
2019-02-27 10:39:32 +00:00
Abubakr-Sadik Nii Nai Davis
e899e941f7
Add OCP 3.10 benchmarks.
2019-02-15 19:44:39 +00:00
Maximilian Bischoff
791fbba9e7
Changed 1.1.14 to not fail when flag is not set
...
Added another test item that checks whether --disable-admission-plugins is not set and an "or" bin_op.
This causes check 1.1.14 to be successful when the flag is not set, while still failing when the flag is set and includes the value NamespaceLifecycle
2019-01-08 13:58:41 +01:00
Liz Rice
2d721ed4ad
Merge branch 'master' into rm-space-tls-cipher
2019-01-02 10:53:29 +00:00
Colin GILLE
ffe7ffb3d3
Type: trailing whitespace for rule text
2018-12-31 16:36:15 +01:00
Martin Mosegaard Amdisen
fd120d0adf
Remove spaces in remediation command for tls-cipher-suites
...
Makes it easier to copy-paste the remediation. Matches the other occurences
of tls-cipher-suites in the configuration.
2018-12-27 14:48:21 +01:00
Liz Rice
26e28b8897
Merge branch 'master' into master
2018-12-21 11:26:53 +00:00
Maximilian Bischoff
e81b785bf8
Added missing "=" to master.yaml
...
In the remediation of 1.1.11 the flag --enable-admission-plugins was missing a =
2018-12-19 18:20:23 +01:00
Vladimir Dimov
645d23e1ec
fixing typos 2.1.15
2018-11-28 13:14:49 +02:00