Neha Viswanathan
82421e5838
retire cis 1.3 and 1.4 ( #693 )
2020-10-03 11:23:28 +01:00
Yoav Rotem
deecf6265f
Test Travis build condition ( #713 )
* Add condition to make docker
Build and push Docker image only when pushing to master.
* Update to Golang 1.15
As https://github.com/aquasecurity/kube-bench/pull/706 did, just doing it in my fork to test Travis changes about the build
2020-10-01 16:37:38 +01:00
Liz Rice
cf305eed74
Update .travis.yml
2020-09-21 10:18:40 +01:00
yoavrotems
7280438eb5
Add cis 1.6 ( #678 )
* Add new cis version yamls
Add new cis version yamls
* Add new cis version yamls
* Add cis-1.6 to versions table
* support version mapping cis-1.6
* support version mapping cis-1.6
* Update controlplane.yaml
* Update etcd.yaml
* Update node.yaml
* Update policies.yaml
* Create job.data
* Create job-node.data
* Create job-master.data
* Create add-tls-kind.yaml
* Change node version to 1.15.0
* Add tests for cis-1.6
* Delete node_only.yaml
* Change tests 1.1.19-1.1.21
Change 1.1.19-1.1.21 because failing tests
* Update job.data
* Update job-master.data
* Update job-master.data
* Update job.data
* fix 1.2.35 remediation
tabs instead of spaces
* Update job-master.data
* Remove extra space
* Update job.data
* Create node_only.yaml
* Add tests for cis-1.6
Add tests for cis-1.6 and change some from 1.5 to 1.6
* Fix typo
* Add mapping for cis-1.6
* Remove extra space in 1.2.35 remediation
* Update job.data
* Update job-master.data
* Fix type 1.2.35
* Remove trailing spaces
* Remove trailing spaces
* Remove trailing spaces
* Remove trailing spaces
* Add version 1.19 kubernetes support
* Add version 1.19 kubernetes support
* Add version 1.19 kubernetes support
2020-09-17 16:54:43 +01:00
yoavrotems
041c437339
Set actualResult ( #703 )
actualResult is used later on to get the actual value and the --include-test-output values, but it never got set, so it's always empty.
2020-09-17 13:23:02 +03:00
Liz Rice
1899f26bc1
Note about OpenShift OCP 4.* ( #700 )
- Add note about why we don't support OCP 4.*
- Move GKE & OpenShift sub-sections next to EKS and AKS
- Minor corrections
2020-09-14 09:27:49 +03:00
Liz Rice
d6de4f7c3c
Multi-arch build ( #690 )
* multi-arch build and other makefile tidies
* docker login in travis
2020-09-14 09:26:29 +03:00
Huang Huang
456d9b62e2
Default log output to stderr ( #696 )
2020-09-09 13:46:35 +01:00
Liz Rice
41a4059abe
Create codecov.yml
2020-09-09 12:05:57 +01:00
dylanzt
6702300b0a
Fix remediation typo in 3.1.1 and 4.1.1 ( #692 )
2020-09-07 09:33:21 +01:00
Liz Rice
a8a59d3bd8
docs: more clarification on output states ( #691 )
2020-09-06 10:46:29 +03:00
JoostC
f0e30cef62
Add a trailing slash to find directory path ( #687 )
2020-09-03 18:18:48 +01:00
Sathi Dyapa
3488c8343d
Updating section id 4.6 ( #689 )
- id: 4.6
text: "Verify the scheduler pod specification file ownership set by OpenShift"
audit: "stat -c %u:%g /etc/origin/node/pods/controller.yaml" -- (lowercase u and g) it returns the UID and GID in numeric form, i.e. 0:0, not root:root.
It is supposed to be uppercase: audit: "stat -c %U:%G /etc/origin/node/pods/controller.yaml"
2020-09-02 15:29:57 +01:00
Danny Sauer
4e43c9a9a2
Update makefile to create kubeconfig ( #685 )
Per https://github.com/kubernetes-sigs/cluster-api/issues/1796 , the
`kind get kubeconfig-path` command no longer works. Update makefile
to create kube-bench local kubeconfig and use that.
2020-09-02 15:28:30 +01:00
Satya Pawan
33f6773a43
Code quality improvements ( #677 )
* Code quality improvements such as:
1. Improves empty string test (len vs str == "")
2. Converts fmt.Sprintf to string literal and Printf to Print where possible (as the dynamic args are missing!)
* Delete .deepsource.toml
Co-authored-by: DeepSource Bot <bot@deepsource.io>
Co-authored-by: Liz Rice <liz@lizrice.com>
2020-09-01 14:50:04 +01:00
Liz Rice
772839fc92
move target mapping to config.yaml - updated version ( #682 )
* move target mapping to config.yaml
* Update config.yaml
* Update common.go
* Add support for eks-1.0
Add also eks-1.0 to map
* chore: merge correction
* Move file only used for testing
* Tidier logs
* Add target mapping for GKE and EKS
* fingers crossed this finishes target mapping
Co-authored-by: Murali Paluru <leodotcloud@gmail.com>
Co-authored-by: Roberto Rojas <robertojrojas@gmail.com>
Co-authored-by: yoavrotems <yoavrotems97@gmail.com>
2020-08-30 10:16:21 +03:00
Liz Rice
01c77b2315
chore: improve test clarity ( #675 )
* read-only-port defaults are correct
* Tests that should catch good read-only-port
* Rework checks & tests
* Linting on issue template YAML
* More explicit test for 4.2.4
* Remove verbosity for ease of reading results
* Use subtests
* Tidy more test cases
2020-08-13 11:01:30 +03:00
Huang Huang
2d548597ae
Support CIS v1.5.1 ( #673 )
2020-08-12 21:57:51 +03:00
Liz Rice
07f3c40dc7
Better handling of parameters and config audits ( #674 )
* read-only-port defaults are correct
* Tests that should catch good read-only-port
* Rework checks & tests
* Linting on issue template YAML
* More explicit test for 4.2.4
2020-08-12 14:32:42 +01:00
Huang Huang
5d138f6388
Fix YAML Linting issue ( #672 )
2020-08-12 09:14:45 +01:00
yoavrotems
10f4e6c691
Refactor testitem-set ( #668 )
* set: default true
Refactor testitem-set to be default true
* fix typo
Co-authored-by: Liz Rice <liz@lizrice.com>
Co-authored-by: Liz Rice <liz@lizrice.com>
2020-08-10 17:12:41 +03:00
Liz Rice
68c8764ea8
Create bug_report.md
2020-08-10 15:09:03 +01:00
Liz Rice
56770b14c6
Ideas and questions go to Discussions
2020-08-10 15:05:47 +01:00
yoavrotems
4b9453bb83
Refactor: remove ContinueWithError ( #630 )
* Update util.go
Remove Continue with error function
* Update cmd/util.go
Co-authored-by: Liz Rice <liz@lizrice.com>
* Update util.go
* Update util.go
Remove unnecessary ')'
* Update util.go
removed fmt.Fprintf(os.Stderr, "%s: %s", cmd.Args, err) since it wasn't supposed to print.
* Update util.go
* Update .travis.yml
Options --no-ri and --no-doc are deprecated; we have to use --no-document instead.
https://github.com/rubygems/heroku-buildpack-bundler2/pull/1#issuecomment-451654992
Co-authored-by: Liz Rice <liz@lizrice.com>
2020-08-10 10:12:57 +01:00
Huang Huang
6684979741
Add tests for 1.1.19, 1.1.20 and 1.1.21 of cis-1.5 ( #641 )
* Add tests for 1.1.19, 1.1.20 and 1.1.21 of cis-1.5
* Avoid division by 0
* Use bitmask instead of lte
* Change to use multiple values via `use_multiple_values: true`
* Use find in 1.1.20 and 1.1.21
2020-08-09 23:44:42 +03:00
Liz Rice
a6161aa868
Warn if kubectl can't autodetect the version ( #656 )
* Add warning if lacking kubeconfig for auto-detect
* Only run getbenchmarkVersion once
* Remove call to continueWithError
2020-08-04 18:04:02 +03:00
Liz Rice
b0d175bf5c
Update default Kubernetes to 1.18 ( #657 )
* Update default Kubernetes to 1.18
* Add missing mapping
* Show pod logs on failure
2020-08-04 16:40:12 +03:00
Liz Rice
e69b2fe549
Add mappings for eks-1.0 and Kubernetes 1.18 ( #654 )
Allows user to specify either `--version` or `--benchmark-version` as `eks-1.0`
Allows user to specify (or auto-detect K8s version 1.18) and get the CIS 1.5 benchmark
2020-08-03 22:38:37 +03:00
Huang Huang
5ff32e55eb
Check PodSecurityPolicy when test 1.2.13 of cis-1.5 ( #651 )
2020-08-03 10:38:22 +03:00
Huang Huang
db109daf43
Support multiple values flag when check the audit output ( #652 )
2020-08-03 10:31:54 +03:00
Matthieu ANTOINE
ea4eaa6fd5
Fix supported targets for EKS benchmark ( #648 )
* Fix supported targets for EKS benchmark
* docs: heading at wrong level in README
* docs: remove duplicate TOC heading
* Fix invalid argument for gem install
Co-authored-by: Liz Rice <liz@lizrice.com>
2020-07-29 14:40:59 +01:00
Kevin W Monroe
2a325bd60d
make the kubelet cafile test posix compliant ( #643 )
2020-07-21 17:43:39 +03:00
Huang Huang
66692951c8
4.1.7 of cis-1.5 should not be marked as manual ( #640 )
* 4.1.7 of cis-1.5 should not be marked as manual
* Making the test posix compliant like #643
2020-07-21 17:32:13 +03:00
Manuel Rüger
50a9dca720
Dockerfile: Update to alpine-3.12 ( #645 )
https://alpinelinux.org/posts/Alpine-3.12.0-released.html
2020-07-21 12:09:41 +03:00
Liz Rice
4e00954485
docs: add Troubleshooting ( #638 )
* docs: add Troubleshooting
Adding basic instructions for running with debug logs
* docs: remember --logtostderr
* docs: note about cfg requirement
Note that installing a binary release is not sufficient - you also need the config and test files
Fixes #613
2020-07-15 14:41:35 +01:00
Paavan
20ec5d14f2
added eks-1.0 cfg and modified job-eks.yaml for node checks ( #639 )
* added eks-1.0 cfg and modified job-eks.yaml for node checks
* fixed yamllint errors and README updates
2020-07-10 16:14:41 +01:00
Huang Huang
3e6a41af04
Try to search the right ca file of kubelet ( #633 )
2020-07-08 10:22:49 +03:00
yoavrotems
1b5b6c2afe
Remove os.exit When not needed ( #631 )
* Update test.go
* Update test_test.go
2020-06-28 17:29:55 +03:00
Huang Huang
52ebfa5b5a
Fix invalid JSON output ( #629 )
* Fix invalid JSON output
Fixes #622
* Apply suggestions from code review
Co-authored-by: Liz Rice <liz@lizrice.com>
* Add tests
Co-authored-by: Liz Rice <liz@lizrice.com>
2020-06-24 10:13:10 +01:00
Manuel Rüger
5cf3821eb6
.goreleaser: Create binaries for arm/arm64 ( #628 )
Signed-off-by: Manuel Rüger <manuel@rueg.eu>
2020-06-23 10:02:31 -07:00
Huang Huang
c7b518e76b
Run audit as shell script instead of as single line command ( #610 )
* Run audit as shell script instead of as single line command
* Rename runExecCommands to runAudit
* Fix tests
Co-authored-by: Liz Rice <liz@lizrice.com>
2020-06-22 10:45:31 +03:00
Andrew Horton
122bc4b351
Fix misspelling - identied / identified ( #626 )
2020-06-17 15:08:20 +01:00
Huang Huang
35cf28c140
Add integration tests for cis 1.3 and cis 1.5 ( #609 )
* Remove unnecessary whitespaces
* Fix a typo
* Add integration tests for cis 1.3 and cis 1.5
* Change the timeout of integration tests from 600s to 1200s
* Avoid repeated codes
2020-05-20 18:30:52 +01:00
Neha Viswanathan
2cf2876a10
Update Running in an EKS cluster documentation ( #621 )
Co-authored-by: Neha Viswanathan <nviswanathan@axway.com>
Co-authored-by: Liz Rice <liz@lizrice.com>
2020-05-15 09:53:24 +01:00
Craig Jellick
305283f9d4
Fix OpenShift table layout ( #612 )
Co-authored-by: Liz Rice <liz@lizrice.com>
2020-05-14 18:04:14 +01:00
Huang Huang
4557ca00f1
Fix a typo in 1.1.11 of cis-1.5 ( #605 )
Co-authored-by: Liz Rice <liz@lizrice.com>
2020-05-14 17:44:43 +01:00
Paul McCarthy
582ce02ce6
Removed references to dep from README.md ( #607 )
Looks like this project now uses Go modules so `dep` steps are not needed.
Co-authored-by: Liz Rice <liz@lizrice.com>
2020-05-14 17:34:47 +01:00
Gábor Lipták
82614d9b3f
Correct typo ( #616 )
Co-authored-by: Liz Rice <liz@lizrice.com>
2020-05-14 17:25:47 +01:00
Liz Rice
d8234ff07c
docs: update params for logging to screen ( #618 )
We're now following the normal behaviour of glog, which means specifying --logtostderr to get the output written to screen. See https://godoc.org/github.com/golang/glog
2020-05-11 10:18:30 +01:00
Liz Rice
7e87c980b2
docs: CIS benchmarks are not frequent ( #617 )
Correct misleading comment about anticipated CIS benchmarks for every Kubernetes release - bad assumption!
2020-05-06 14:42:40 +01:00