Abubakr-Sadik Nii Nai Davis
a88b0703d8
Add kubeconfig variable substitution for kubelet and proxy.
There are checks for the kubeconfig for both kubelet and proxy which
the current kube-bench implementation does not check for properly.
kube-bench checks the wrong files.
This PR adds support for variable substitution for all the config file
types that should be checked in the CIS benchmarks.
This PR also fixes a bug in CIS 1.3.0 check 2.2.9, which checks for
ownership of the kubelet config file /var/lib/kubelet/config.yaml but
recommends changing ownership of kubelet kubeconfig file
/etc/kubernetes/kubelet.conf as remediation.
2019-02-27 22:15:14 +00:00
Abubakr-Sadik Nii Nai Davis
3f98c1def2
Fix wrong reference to kubelet.config in node checks.
This fix applies to only checks for kubernetes versions 1.8 and 1.11.
See https://github.com/aquasecurity/kube-bench/pull/208 .
2019-02-27 22:14:19 +00:00
Liz Rice
d712db47a2
Only find flags on the process we really want
2019-02-28 01:33:21 +08:00
yoavrotems
82150fdc63
add new config files from the new CIS Kubernetes Benchmark
there is a new update at CIS_Kubernetes_Benchmark_v1.4.0 for Kubernetes 1.13
2019-02-27 10:39:32 +00:00
Liz Rice
c824daeb15
Merge pull request #222 from nshauli/search_for_kubelet_binary_when_not_in_path
search for the kubelet binary when it is not in the path
2019-02-19 16:07:20 +00:00
nshauli
e93bfc1aac
search for the kubelet binary when it is not in the path
2019-02-19 16:38:10 +02:00
Liz Rice
da09e6513a
Merge pull request #218 from yoavAqua/bugfix-log-warnings-instead-of-print
Bugfix: Logging warning instead of printing
2019-02-19 13:48:30 +00:00
Liz Rice
7626dc2705
Merge branch 'master' into bugfix-log-warnings-instead-of-print
2019-02-19 13:44:23 +00:00
Yoav Hizkiahou
082e9cf7e9
Bugfix: Logging warning instead of printing
Made all the warnings be logged and not printed, so when using the json flag the output will be only in json format.
fix #217
2019-02-19 14:39:55 +02:00
Liz Rice
2d4c7e8b42
Merge pull request #212 from aquasecurity/ocp-configs
OCP benchmarks and configs
2019-02-18 09:31:45 +00:00
Liz Rice
cd231106cc
Improve comment
Tests could easily be marked "skip" because the user doesn't want to run them in their environment, and in this common case the set of tests will be non-nil
2019-02-18 08:46:26 +00:00
Liz Rice
db962a0ad9
Fix merge of skip check
2019-02-18 08:40:57 +00:00
Abubakr-Sadik Nii Nai Davis
911e9051dc
Merge remote-tracking branch 'origin/master' into ocp-configs
2019-02-15 19:48:53 +00:00
Abubakr-Sadik Nii Nai Davis
e899e941f7
Add OCP 3.10 benchmarks.
2019-02-15 19:44:39 +00:00
Weston Steimel
42ed8628de
Only get runningVersion if --version has not been provided
Signed-off-by: Weston Steimel <weston.steimel@gmail.com>
2019-02-15 19:43:13 +00:00
Liz Rice
dc8dcfbf8c
Merge pull request #211 from yoavAqua/support-skip-flag
Type skip and not scored checks
2019-01-29 23:14:05 +02:00
Yoav Hizkiahou
49f745af8e
Support new check type - skip:
If a check is marked with type "skip", it will be marked as Info.
Support scored property:
If a check is not scored and is not marked with type skip, it will be marked as Warn.
2019-01-29 19:05:12 +02:00
Liz Rice
ba437d500a
Merge pull request #206 from westonsteimel/no_runningversion_if_version_set
Only get runningVersion if --version has not been provided
2019-01-24 12:00:59 +01:00
Weston Steimel
42f4152058
Only get runningVersion if --version has not been provided
Signed-off-by: Weston Steimel <weston.steimel@gmail.com>
2019-01-24 00:34:09 +00:00
Liz Rice
8dabb7dc37
Merge pull request #201 from aquasecurity/yam-comment
Comment why we mount /usr/bin
2019-01-22 09:49:25 +01:00
Liz Rice
f2062e81a1
Comment why /usr/bin is mounted
2019-01-17 11:36:25 +00:00
Liz Rice
528bcfbffe
Update job-node.yaml
2019-01-17 11:34:26 +00:00
Liz Rice
3422b9102f
Add comment for why /usr/bin is mounted
2019-01-17 11:33:35 +00:00
Liz Rice
86b126ad2b
Create NOTICE ( #199 )
* Create NOTICE
* Update NOTICE
2019-01-16 10:53:07 +02:00
Liz Rice
827945f7fb
Merge pull request #200 from spuder/patch-1
warn osx limitation
2019-01-15 11:11:57 +00:00
Liz Rice
79427e185e
Merge branch 'master' into patch-1
2019-01-15 11:05:27 +00:00
Liz Rice
6b9ceae9d4
True for Windows too
2019-01-15 11:05:04 +00:00
Liz Rice
fbd6eb8ff5
Merge pull request #198 from aquasecurity/mount-volumes
For #197 - create job YAML files that mount host volumes as needed
2019-01-15 11:03:06 +00:00
Spencer Owen
2a9a02f25b
warn osx limitation
2019-01-14 10:41:19 -07:00
Liz Rice
8021610e46
For #197 - create job YAML files that mount host volumes as needed
2019-01-11 18:44:13 +00:00
Liz Rice
2eef3e8ad2
Merge pull request #193 from maxbischoff/patch-1
Changed 1.1.14 to not fail when flag is not set
2019-01-09 10:21:27 +00:00
Maximilian Bischoff
791fbba9e7
Changed 1.1.14 to not fail when flag is not set
Added another test item that checks whether --disable-admission-plugins is not set and an "or" bin_op.
This causes check 1.1.14 to be successful when the flag is not set, while still failing when the flag is set and includes the value NamespaceLifecycle
2019-01-08 13:58:41 +01:00
Liz Rice
f6cab11357
Merge pull request #187 from martinmosegaard/doc-kubectl-host-pid
Document limitation of running with kubectl
2019-01-02 11:05:32 +00:00
Liz Rice
9f2899027e
Merge branch 'master' into doc-kubectl-host-pid
2019-01-02 10:59:19 +00:00
Liz Rice
313fe038f6
Merge pull request #188 from martinmosegaard/rm-space-tls-cipher
Remove spaces in remediation command for tls-cipher-suites
2019-01-02 10:59:07 +00:00
Liz Rice
2d721ed4ad
Merge branch 'master' into rm-space-tls-cipher
2019-01-02 10:53:29 +00:00
Liz Rice
799b928054
Merge pull request #189 from Congelli501/patch-1
Typo: trailing whitespace for rule text
2019-01-02 10:53:16 +00:00
Liz Rice
3a662b3ff6
Merge branch 'master' into doc-kubectl-host-pid
2019-01-02 10:53:04 +00:00
Liz Rice
f902b30110
Merge branch 'master' into rm-space-tls-cipher
2019-01-02 10:31:34 +00:00
Liz Rice
b52a88214f
Merge branch 'master' into patch-1
2019-01-02 10:30:33 +00:00
Liz Rice
bfdd921f3d
Merge pull request #190 from Congelli501/patch-2
Advise the user to mount /etc & /var read only for docker usage
2019-01-02 10:29:58 +00:00
Colin GILLE
af7ad90477
Advise the user to mount /etc & /var read only for docker usage
2018-12-31 16:39:31 +01:00
Colin GILLE
ffe7ffb3d3
Typo: trailing whitespace for rule text
2018-12-31 16:36:15 +01:00
Martin Mosegaard Amdisen
fd120d0adf
Remove spaces in remediation command for tls-cipher-suites
Makes it easier to copy-paste the remediation. Matches the other occurrences
of tls-cipher-suites in the configuration.
2018-12-27 14:48:21 +01:00
Martin Mosegaard Amdisen
ba03d8f64b
Document limitation of running with kubectl
Once the master node recommended check:
1.1.12 Ensure that the admission control plugin DenyEscalatingExec is set
has been followed, it is no longer possible to run kube-bench itself using kubectl.
2018-12-27 13:10:00 +01:00
Liz Rice
21f7902288
Merge pull request #183 from s1lv3r40/master
Fixing Node Check - 2.1.15 typos
2018-12-21 11:31:43 +00:00
Liz Rice
26e28b8897
Merge branch 'master' into master
2018-12-21 11:26:53 +00:00
Liz Rice
ae1812b4db
Merge pull request #185 from maxbischoff/patch-1
Added missing "=" to master.yaml
2018-12-21 11:26:40 +00:00
Liz Rice
1534a4aea8
Merge branch 'master' into patch-1
2018-12-21 11:20:13 +00:00
Liz Rice
28a57ff1a3
Merge branch 'master' into master
2018-12-21 11:18:26 +00:00