Daniel Sagi
43caaab00a
added another kubelet config file to paths, in the main config yaml file. default location for gke cluster
5 years ago
Liz Rice
9d577d94b4
Update openshift executables
5 years ago
Liz Rice
12e48297a6
Config file improvements
Correct defaults in main config.yaml file
Remove unnecessary overrides in version-specific config.yaml
5 years ago
Liz Rice
02d5654cc1
Correct 1.1.14 in 1.13/master.yaml
5 years ago
Liz Rice
caf3fbd0a0
Moving more config into master config file
5 years ago
daniellohausen
22e835f0f5
Reverted kubelet conf to original value
5 years ago
daniellohausen
7ec10211a5
Added KOPS-specific paths
5 years ago
Abubakr-Sadik Nii Nai Davis
fbbf6b37c7
Change test_items in 1.11 master.yaml check 1.5.2 to fix issue with
check failing even when --client-cert-auth is set.
5 years ago
Liz Rice
91c6ef2155
Merge branch 'master' into json-config
5 years ago
Liz Rice
7e8dfbc6ea
Fix invalid YAML
5 years ago
Liz Rice
b4419e810f
Tiny typo
5 years ago
Liz Rice
d05d71553f
Tiny typo
5 years ago
yoavrotems
e70f50b2b5
update files
5 years ago
Liz Rice
27dc75fefa
No need for unused master config file.
Better comments in config file
5 years ago
Liz Rice
902a10f1c7
Just have one path for both json and yaml
5 years ago
Liz Rice
c887794807
Merge branch 'master' into feature/json-config
5 years ago
Liz Rice
b1ce0a9a75
Merge branch 'master' into yoavrotems-patch-2
5 years ago
yoavrotems
d059196b71
Update master.yaml
Fix 1.1.23 to check *if* --service-account-lookup argument is set and if so then if it's equal to true
5 years ago
yoavrotems
a85e5a7759
Update master.yaml
Fix title of 1.4.21 from 644 to 600 according to CIS benchmark
5 years ago
Florent Delannoy
4d3144ca21
Support JSON and YAML configuration
Support new configuration options besides --flags:
- JSON file through `jsonpath`
- YAML file through `yamlpath`
These new options are fully backwards-compatible with the existing
tests.
Added a new profile, 1.11-json, that expects a JSON kubelet
configuration file and scores accordingly. This profile is compatible
with EKS.
5 years ago
Liz Rice
9b3628e76a
Update openshift executable config for #236
5 years ago
Liz Rice
1ead9e1d71
Merge branch 'master' into clean-ocp-configs
5 years ago
Abubakr-Sadik Nii Nai Davis
53ed68a0b2
Clean up OCP benchmark config.
The OCP benchmarks use configs for only binary component variable names.
This commit cleans up the OCP config by removing all configuration
except those component binaries required to run kube-bench on OCP
installations and adds missing ones.
5 years ago
yoavrotems
c6102f0a1b
Fix the files
Fix the start from 1.11 to 1.13 and add changes from pull #227 and pull #228.
5 years ago
yoavrotems
e534392525
Delete node.yaml
replace with the new node.yaml file
5 years ago
yoavrotems
5f09ecef44
Delete master.yaml
replace with the new master.yaml file
5 years ago
yoavrotems
a7d9e06c1b
Delete config.yaml
replace with the new config.yaml file
5 years ago
yoavrotems
50f22e7f13
Merge branch 'master' into add-new-cfg-version1.4
5 years ago
Liz Rice
dd8e7ec874
Merge branch 'master' into fix-208
5 years ago
Abubakr-Sadik Nii Nai Davis
d255b49d4b
Revert 1.8 config file.
5 years ago
Abubakr-Sadik Nii Nai Davis
a88b0703d8
Add kubeconfig variable substitution for kubelet and proxy.
There are checks for the kubeconfig for both kubelet and proxy which
the current kube-bench implementation does not check for properly.
kube-bench checks the wrong files.
This PR adds support for variable substitution for all the config file
types that should be checked in the CIS benchmarks.
This PR also fixes a bug in CIS 1.3.0 check 2.2.9, which checks for
ownership of the kubelet config file /var/lib/kubelet/config.yaml but
recommends changing ownership of kubelet kubeconfig file
/etc/kubernetes/kubelet.conf as remediation.
5 years ago
Abubakr-Sadik Nii Nai Davis
3f98c1def2
Fix wrong reference to kubelet.config in node checks.
This fix applies to only checks for kubernetes versions 1.8 and 1.11.
See https://github.com/aquasecurity/kube-bench/pull/208.
5 years ago
Liz Rice
d712db47a2
Only find flags on the process we really want
5 years ago
yoavrotems
82150fdc63
add new config files from the new CIS Kubernetes Benchmark
there is a new update at CIS_Kubernetes_Benchmark_v1.4.0 for Kubernetes 1.13
5 years ago
Abubakr-Sadik Nii Nai Davis
e899e941f7
Add OCP 3.10 benchmarks.
5 years ago
Maximilian Bischoff
791fbba9e7
Changed 1.1.14 to not fail when flag is not set
Added another test item that checks whether --disable-admission-plugins is not set and an "or" bin_op.
This causes check 1.1.14 to be successful when the flag is not set, while still failing when the flag is set and includes the value NamespaceLifecycle
6 years ago
Liz Rice
2d721ed4ad
Merge branch 'master' into rm-space-tls-cipher
6 years ago
Colin GILLE
ffe7ffb3d3
Typo: trailing whitespace for rule text
6 years ago
Martin Mosegaard Amdisen
fd120d0adf
Remove spaces in remediation command for tls-cipher-suites
Makes it easier to copy-paste the remediation. Matches the other occurrences
of tls-cipher-suites in the configuration.
6 years ago
Liz Rice
26e28b8897
Merge branch 'master' into master
6 years ago
Maximilian Bischoff
e81b785bf8
Added missing "=" to master.yaml
In the remediation of 1.1.11 the flag --enable-admission-plugins was missing a =
6 years ago
Vladimir Dimov
645d23e1ec
fixing typos 2.1.15
6 years ago
Liz Rice
6e80b6477a
Merge branch 'master' into fix-2.1.8
6 years ago
Abubakr-Sadik Nii Nai Davis
0a5358665e
By default --make-iptables-util-chain is true, so PASS if this flag is not set.
6 years ago
Abubakr-Sadik Nii Nai Davis
4f40a11e84
Change binary op from and to or.
6 years ago
Abubakr-Sadik Nii Nai Davis
c0f56e966a
Fix check 1.1.37.
6 years ago
Nick Perry
e083c8f0a3
Fixes https://github.com/aquasecurity/kube-bench/issues/170
Correcting the logic of 1.1.14 for Kubernetes 1.11.
6 years ago
Liz Rice
48489637c5
Merge branch 'master' into fix-1.3.7
6 years ago
Michal Jankowski
9988503223
Fixing 1.3.7 on 1.11 master.
With multiple test items operator defaults to "and". In case of 1.3.7
the tests check whether --address flag is either set to 127.0.0.1 or not
set at all. Those conditions cannot be met at the same time.
6 years ago
Michal Jankowski
5f254de415
Fixing checks 2.2.9 and 2.2.10 on 1.11 nodes.
Path to kubelet configuration was accidentally prefixed with a dollar
symbol (probably as a result of copying some other test that used
variable name).
After removing the dollar sign from paths both checks pass on conforming
deployment.
6 years ago
Abubakr-Sadik Nii Nai Davis
97623aea05
Update kubernetes node benchmark to check kubelet systemd unitfile.
Also clean up the config file for 1.11 a bit.
6 years ago
Abubakr-Sadik Nii Nai Davis
b1369832bc
A few corrections to node tests. (#2)
* Add a few corrections.
* Add a few corrections to node test file.
6 years ago
Abubakr-Sadik Nii Nai Davis
934b4aef96
Add a few corrections. (#1)
6 years ago
noqcks
e85de9e8af
fix simple errors
6 years ago
noqcks
b3a115963b
adding 1.11 config and node checks
6 years ago
noqcks
ba5ec8d4be
adding 1.11 master configuration
6 years ago
Liz Rice
c44e0db97b
Include .manifest extension config files for kops & kubespray
6 years ago
Liz Rice
024b7ed396
Merge branch 'master' into master
6 years ago
Julien Garcia Gonzalez
2073e08363
update 2.2.4 rules
6 years ago
Julien Garcia Gonzalez
db096c9f51
Rule node 2.2.4 is not correct
6 years ago
hutr
d736d10f90
fix sed string for 1.4.12
6 years ago
hutr
50a3725ff2
Merge branch 'master' into master
6 years ago
hutr
468f5fac6e
changes for 1.4.11 and 1.4.2
added tests: for 1.4.11 and removed grep -v grep for both
6 years ago
Erwan Miran
182e9b5e01
Addition of missing audit field in 2.2.6 node item
6 years ago
hutr
e4100a4435
fixed grep string for 1.4.11 and 1.4.22
check 1.4.11 and 1.4.22 FAIL even when permissions are correct.
6 years ago
Abubakr-Sadik Nii Nai Davis
b10b2bd22e
Merge branch 'master' into fix-typo
6 years ago
Abubakr-Sadik Nii Nai Davis
aa9da13226
Fix a bunch of typos.
6 years ago
Liz Rice
1935c952d6
--request-timeout is a duration
6 years ago
Lee Briggs
d464ab5639
Wrong configuration file
7 years ago
Lee Briggs
165444df60
Test fixes for 1.8
7 years ago
Liz Rice
4b1b2b8762
Merge branch 'master' into master
7 years ago
Liz Rice
fc4fe38bc2
Merge branch 'master' into unnecessary-warning
7 years ago
Konstantin Semenov
961dbeb2b5
Correct sed regex
7 years ago
Konstantinos Karampogias
8fc6904093
Improve etcd data directory extraction
- If data-dir is not the last argument, the remaining arguments
are captured preventing the correct checking.
Signed-off-by: Konstantin Semenov <ksemenov@pivotal.io>
7 years ago
Abubakr-Sadik Nii Nai Davis
7fcfb0cf30
Fix issue with etcd checks failing because of using " " instead of "=" to specify value.
This issue affects master checks 1.4.11 and 1.4.12.
7 years ago
Abubakr-Sadik Nii Nai Davis
53eb720952
Merge branch 'master' into unnecessary-warning
7 years ago
Abubakr-Sadik Nii Nai Davis
04f044e3b9
Add support for merging general and kubernetes version specific config files.
This change unifies all config files, podspecs and unitfiles under
a single component configuration key; `config`.
7 years ago
Liz Rice
d52e326147
Correct test config file typo
7 years ago
Liz Rice
2eb261b94f
Remove odd spacing and line breaks from test config files
7 years ago
Abubakr-Sadik Nii Nai Davis
e227934c88
Add function to get unit files for kubernetes components.
7 years ago
Abubakr-Sadik Nii Nai Davis
6ce0c5bf60
Add function to get pod specs for kubernetes components.
7 years ago
Abubakr-Sadik Nii Nai Davis
8e758bb5e0
Update federated definitions.
7 years ago
Abubakr-Sadik Nii Nai Davis
82e325f96e
Update 1.8 node definition.
7 years ago
Abubakr-Sadik Nii Nai Davis
04f21d1887
Update 1.8 master definition.
7 years ago
Abubakr-Sadik Nii Nai Davis
7663dc87ee
Copy 1.7 benchmark as 1.8.
7 years ago
Abubakr-Sadik Nii Nai Davis
d9e1eee2cd
Merge remote-tracking branch 'origin/master' into support for multiple
Kubernetes versions.
7 years ago
Abubakr-Sadik Nii Nai Davis
f2e744bdcb
Reorganize benchmark checks into Kubernetes 1.7 and restore Kubernetes 1.6 benchmarks.
7 years ago
Liz Rice
a6036bcfcf
Corrections to config file substitutions. Use “kubernetes” as a fake component name so we can more easily substitute “kubernetesconf”
7 years ago
Liz Rice
a3197f8efe
Reorder YAML to make a bit more sense. Allow for optional components, and a config file that we don’t think exists.
7 years ago
Liz Rice
e4e41683c4
Update the config file
7 years ago
Abubakr-Sadik Nii Nai Davis
3e3aa0ed82
Change node check 2.1.6 to use operation `noteq` instead of `gt`.
Kubelet option --streaming-connection-idle-timeout expects a string
value which fails parsing to integer for greater than comparison.
The string "0" indicates no timeout and this is what we are checking
for.
7 years ago
Liz Rice
cf62def9fd
Better config file locations
7 years ago
Abubakr-Sadik Nii Nai Davis
086bb629db
Add 640 to permission checks.
7 years ago
Abubakr-Sadik Nii Nai Davis
e6f2b4d4fe
Add config checks for permissions stricter than 644 to definition files.
7 years ago
Abubakr-Sadik Nii Nai Davis
dddea28713
Merge branch 'master' into issue-25
7 years ago
Abubakr-Sadik Nii Nai Davis
d2fa9d35b6
Rewrite audit commands in the check definition that contain shell builtins
and modify text to command function to support this.
Shell builtins fail the binary command lookup test which results in a
WARN. Audit commands which include shell builtins must use the form:
"/bin/sh -c 'sh-builtin arg'"
So they are executed properly. Additionally Go will fail to execute
commands involving shell builtins if they are not in the above format.
7 years ago
Abubakr-Sadik Nii Nai Davis
9c07527069
Remove misleading comment about manual checks in node check definition.
7 years ago
Abubakr-Sadik Nii Nai Davis
c39516581b
Add master node manual check definitions.
7 years ago
Liz Rice
b5f4876138
Revert "Issue 19"
7 years ago
Liz Rice
cf5f025593
Merge branch 'master' into issue-19
7 years ago
Liz Rice
2b4047a3c1
Merge pull request #28 from ttousai/errorhandling
Improve error handling.
7 years ago
Abubakr-Sadik Nii Nai Davis
9c563b0987
Remove misleading comment about manual checks in node check definition.
7 years ago
Abubakr-Sadik Nii Nai Davis
29122b82ad
Add master node manual check definitions.
7 years ago
Abubakr-Sadik Nii Nai Davis
f88de572f6
Improve error handling.
7 years ago
Abubakr-Sadik Nii Nai Davis
e08e069174
Update controls to CIS Kubernetes Benchmark v1.1.0
7 years ago
Abubakr-Sadik Nii Nai Davis
609c4ff01c
Move kubernetes binaries and config paths to kube-bench config.
7 years ago
Abubakr-Sadik Nii Nai Davis
2ee99eca64
Add support for various installation modes, hyperkube, kubeadm and kops.
Issue #17.
7 years ago
Liz Rice
3b93167c07
And now correct the flag and put it in the right place
7 years ago
Liz Rice
903f232dc1
Correct bad yaml indentation
7 years ago
jerbia
432651e85f
Added test 1.4.11 (#8)
7 years ago
Amir Jerbi
eefa0dfb61
Change check 1.15
Check is successful in case --kubelet-https is set to true OR missing
7 years ago
Liz Rice
1ad63cb4e6
Correct a block-copy mistake in one of the test configs
7 years ago
Amir Jerbi
55fd838191
No need to run install.sh.
Simply clone the project, compile the go app and run ./cis_kubernetes
7 years ago
Liz Rice
26cc77ec1d
Get the tests working on deployments where file names may be different or not in path ( #1 )
* Replace the default help text
* Readme file, including the test config format documentation
* Typo
* Warn if config files / executables aren't found
* Ignore original name of executable (as per current README)
* Update tests to avoid failing on stat of a non-existent file
* Add a makefile for ease of build
7 years ago
Amir Jerbi
154a140f74
Initial commit
7 years ago