Brian Terry
c3f94dd89f
Aws asff ( #770 )
* add ASFF
* add ASFF format
* credentials provider
* add finding publisher
* add finding publisher
* add write ASFF path
* add testing
* read config from file
* update docker file
* refactor
* remove sample
* add comments
* Add comment in EKS config.yaml
* Fix comment typo
* Fix spelling of ASFF
* Fix typo and other small code review suggestions
* Limit length of Actual result field
Avoids this message seen in testing:
Message:Finding does not adhere to Amazon Finding Format. data.ProductFields['Actual result'] should NOT be longer than 1024 characters.
* Add comment for ASFF schema
* Add Security Hub documentation
* go mod tidy
* remove dupe lines in docs
* support integration in any region
* fix README link
* fix README links
Co-authored-by: Liz Rice <liz@lizrice.com>
2020-11-23 19:43:53 +00:00
Wicked
aa2a6f08f3
Add exit-code parameter for when checks have failed ( #734 )
* Add int command to specify exit code with a default of 0
* Re-structured to add tests
* Refactor exit code selection
2020-10-29 12:12:45 +02:00
Wicked
3a35c039e5
Add --skip command to skip groups and checks ( #751 )
2020-10-29 12:03:41 +02:00
Huang Huang
456d9b62e2
Default log output to stderr ( #696 )
2020-09-09 13:46:35 +01:00
Liz Rice
772839fc92
move target mapping to config.yaml - updated version ( #682 )
* move target mapping to config.yaml
* Update config.yaml
* Update common.go
* Add support for eks-1.0
Add also eks-1.0 to map
* chore: merge correction
* Move file only used for testing
* Tidier logs
* Add target mapping for GKE and EKS
* fingers cross this finishes target mapping
Co-authored-by: Murali Paluru <leodotcloud@gmail.com>
Co-authored-by: Roberto Rojas <robertojrojas@gmail.com>
Co-authored-by: yoavrotems <yoavrotems97@gmail.com>
2020-08-30 10:16:21 +03:00
Liz Rice
a6161aa868
Warn if kubectl can't autodetect the version ( #656 )
* Add warning if lacking kubeconfig for auto-detect
* Only run getbenchmarkVersion once
* Remove call to continueWithError
2020-08-04 18:04:02 +03:00
Liz Rice
b0d175bf5c
Update default Kubernetes to 1.18 ( #657 )
* Update default Kubernetes to 1.18
* Add missing mapping
* Show pod logs on failure
2020-08-04 16:40:12 +03:00
Huang Huang
52ebfa5b5a
Fix invalid JSON output ( #629 )
* Fix invalid JSON output
Fixes #622
* Apply suggestions from code review
Co-authored-by: Liz Rice <liz@lizrice.com>
* Add tests
Co-authored-by: Liz Rice <liz@lizrice.com>
2020-06-24 10:13:10 +01:00
Abubakr-Sadik Nii Nai Davis
d988b81540
CIS GKE 1.0.0 benchmark ( #570 )
* Add initial commit for CIS GKE 1.0 benchmark
* Update README with GKE instructions
* Fix YAML linter issues
* Set GKE benchmark k8s version to gke-1.0
* Add tests for gke-1.0
Co-authored-by: Roberto Rojas <robertojrojas@gmail.com>
2020-03-03 09:51:48 -05:00
Murali Paluru
b677c86868
remove always true for logtostderr ( #548 )
* remove always true for logtostderr
* update README for log collection instructions
Co-authored-by: Liz Rice <liz@lizrice.com>
2020-01-07 13:04:06 +00:00
Roberto Rojas
13193d75b0
Fixes Issue #535 ( #537 )
* isEtcd should not run on openshift 3.10/3.11
* adds openssl
* fixed tests
* fixes bugs
* adds isEtcd tests
2019-12-13 10:09:30 -05:00
Roberto Rojas
62af68f3f5
fixes issue #536 ( #540 )
2019-12-12 16:51:35 -05:00
Roberto Rojas
af976e6f50
Fixes Issue #494 - add tests for CIS 1.5 ( #530 )
* Initial commit.
* Add master and node config.
* Add section 5 of CIS 1.5.1.
* Split sections into section files
* Fix YAML issues.
* adds target translation
* adds target translation
* adds cis-1.5 mapping
* fixed tests
* fixes as per PR
* fixed integration test
* integration kind test file to appropriate k8s version
* fixed etcd text
* fixed README
* fixed text
* etcd: fixed grep path
* etcd: fixes
* fixed error message bug
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* fixes as per PR review
2019-12-05 15:55:44 -05:00
Liz Rice
f2caa1f0ec
Add run subcommand ( #529 )
* test: fix TestGetConfigFilePath
This test wasn't correctly creating the test file due to the wrong directory permissions on the temp file. This wasn't detected due to a lack of error checking.
Also, the code was only checking for file not exist rather than lack of permission to read file (or any other error).
The combination of these two things means the test wasn't checking what it thought it was checking, and passed more by luck than judgment.
* add getYamlFilesFromDir
* add getTestYamlFiles and test
* docs: Update master / node help text
* return path + filename from getYamlFilesFromDir
* subcommand run to run specific section files
2019-12-02 15:40:44 +00:00
John Schnake
6ffd382711
Add option to output in JUnit format ( #516 )
If running these checks in a CI system it may be beneficial
to output in a more standardized format such as JUnit for
parsing by other tools in a consistent manner.
Fixes #460
Signed-off-by: John Schnake <jschnake@vmware.com>
2019-11-13 08:03:04 -05:00
Roberto Rojas
7ca438b618
Fixes Issue 269 - Numbering to use CIS Versions ( #511 )
* starting benchmark flag
* Revert "starting benchmark flag"
This reverts commit 58fc948626.
* fixes issue #269
* add more unit tests
* fix bug
* Update cmd/common.go
Co-Authored-By: Liz Rice <liz@lizrice.com>
* fixes as per PR review
* fixes as per PR review
* adds more tests
* fixed tests
* changes as per PR Review
* changes as per PR Review
* updated README
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* changes as per PR review
2019-11-05 16:31:27 -05:00
Roberto Rojas
a6ee61fd08
Fixes issue #289 : removed versions prior to 1.11 ( #429 )
* removed version prior to 1.11
* removed references to kubernetes versions prior to 1.11
2019-10-14 10:52:43 -04:00
Roberto Rojas
c22f81610d
removes federated ( #431 )
2019-10-12 19:00:26 -04:00
Abubakr-Sadik Nii Nai Davis
92df9cb36c
Read kubernetes version from environment ( #390 )
* Read kubernetes version from environment
Set kubernetes version to the value of the environment variable `KUBE_BENCH_VERSION` if it is defined and the flag `--version` is not specified on the kube-bench command line.
The command line flag `--version` takes precedence over the environment variable `KUBE_BENCH_VERSION` if both are defined.
* Add info about KUBE_BENCH_VERSION to README
2019-08-27 09:04:11 +01:00
Abubakr-Sadik Nii Nai Davis
3fba5f4dac
Fix version command failing because of missing config file it does not need. ( #377 )
* Fix version command failing because of missing config file it does not need.
* Fix typo
* Remove reference to github issue in comment
2019-08-22 13:43:09 +01:00
patelpayal
e6e6333e6d
add glog flush to write the output to a file ( #329 )
* add glog flush to write the output to a file
* add glog flush before exit on error and fix code comment
2019-07-01 09:49:46 +01:00
nshauli
e64f61fa7f
Add --outputfile flag for writing json results to output file ( #295 )
2019-05-29 18:05:55 +03:00
Yoav Hizkiahou
3aa28c4c32
Printing the actual test result of failed tests - when a flag is raised
fix #110
2019-05-15 10:14:11 +03:00
Daniel Pacak
5fb133cd02
Adjust the semantics of scored and unscored flags
2019-05-01 22:52:56 +02:00
Daniel Pacak
306e1960af
Add flags to further filter CIS checks to run
2019-05-01 22:52:56 +02:00
Cyril Tovena
5baf81a70a
Adds master node detection and a root command that automatically detect checks to run.
The root command will run node checks and if possible master checks.
I've also added some Makefile targets to improve local testing and improve the documentation.
2019-03-12 19:32:05 -04:00
bvwells
cc43fcbb7e
Add link to CIS kubernetes benchmark
2018-08-10 20:55:02 +01:00
Abubakr-Sadik Nii Nai Davis
6d237607fb
Fix typo in help text.
2018-05-15 04:50:39 +00:00
Abubakr-Sadik Nii Nai Davis
5da707b8d6
Remove CIS benchmark version in tool title.
It has grown stale and is dependent on the k8s version we are checking.
2018-05-15 04:23:39 +00:00
Liz Rice
0b4872104d
Merge branch 'master' into feature/issue-107
2018-04-16 17:15:30 +01:00
Will Medlar
9469b1c124
Allow kubernetes version and config directory to be specified ( resolves #107 )
2018-04-12 15:01:58 -04:00
Abubakr-Sadik Nii Nai Davis
ade064006e
Add extra output manipulation flags, --noremediations, --nosummary and --noresults.
These flags disable printing sections of the final output of kube-bench.
2018-04-10 20:01:47 +00:00
Lee Briggs
94a1f3c41f
Lint all code for golint tests
2018-01-11 10:01:58 -08:00
Abubakr-Sadik Nii Nai Davis
42a1068964
Add default version if version check fails.
2017-11-13 15:25:34 +00:00
Steven Logue
d79a2a5478
added support for saving scan results to pgsql
2017-10-31 13:08:46 -07:00
Liz Rice
c4be4a1240
Remove installation flag and some other unused variables
2017-08-31 17:52:21 +01:00
Abubakr-Sadik Nii Nai Davis
f88de572f6
Improve error handling.
2017-07-25 00:34:07 +00:00
Abubakr-Sadik Nii Nai Davis
3d395994b0
Change environment variable prefix.
2017-07-13 00:24:57 +00:00
Abubakr-Sadik Nii Nai Davis
609c4ff01c
Move kubernetes binaries and config paths to kube-bench config.
2017-07-13 00:24:09 +00:00
Abubakr-Sadik Nii Nai Davis
2ee99eca64
Add support for various installation modes, hyperkube, kubeadm and kops.
Issue #17.
2017-07-10 00:15:27 +00:00
Abubakr-Sadik Nii Nai Davis
bd53529387
Fix issue #16 about supporting verbosity.
2017-07-07 17:01:30 +00:00
Abubakr-Sadik Nii Nai Davis
d0d9900b29
Resolve issue #7 wait: error running audit command exit status 1.
This is caused by a command in the audit pipeline (for example
ps -ef | grep kube-apiserver) failing. The causes of this failure
in my testing is usually a missing config file.
Extensive refactor and correction in verification code to check for
config files and binaries.
Replace joncalhoun/pipes with implementation using exec.Cmds so errors
are visible and can be handled when audit pipeline commands fail.
Change some audit commands
from: ps -ef | grep <cmd> | grep -v
to: ps -C <something> -o comm,args --no-headers
which is simpler to work with.
2017-06-30 14:19:38 +00:00
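The exec.Cmd-based audit pipeline that this commit describes, as an added example in Go. This is not kube-bench's own code: the `Stage`, `ParsePipeline` and `RunPipeline` names are hypothetical, and the `sh -c` stages in `main` are constructed stand-ins for `ps -C kube-apiserver -o comm,args --no-headers` so the demo runs offline. The point it shows is the one in the message above: with every stage run as its own `exec.Cmd`, a failure in the first stage of `ps ... | grep ...` is reported with its exit status and stderr instead of being swallowed by the pipe.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// Stage is one argv of an audit pipeline, e.g.
// {"ps", "-C", "kube-apiserver", "-o", "comm,args", "--no-headers"}.
type Stage []string

// StageError records which stage failed, its exit status and its stderr,
// which is exactly what a plain shell pipeline hides.
type StageError struct {
	Index    int
	Argv     Stage
	ExitCode int // -1 when the stage could not be started at all
	Stderr   string
	Err      error
}

func (e *StageError) Error() string {
	return fmt.Sprintf("stage %d (%s) exit %d: %v %s",
		e.Index, strings.Join(e.Argv, " "), e.ExitCode, e.Err, strings.TrimSpace(e.Stderr))
}

// ParsePipeline splits "a b | c d" into stages on '|' and whitespace.
// Shell quoting is deliberately unsupported: each stage is exec'd directly and
// never handed to "sh -c", so an audit string cannot smuggle in extra commands.
func ParsePipeline(line string) ([]Stage, error) {
	var stages []Stage
	for _, part := range strings.Split(line, "|") {
		argv := strings.Fields(part)
		if len(argv) == 0 {
			return nil, fmt.Errorf("empty stage in %q", line)
		}
		stages = append(stages, argv)
	}
	return stages, nil
}

// exitCode extracts the process exit status from a Wait error.
func exitCode(err error) int {
	var ee *exec.ExitError
	if errors.As(err, &ee) {
		return ee.ExitCode()
	}
	return -1
}

// RunPipeline connects stage i's stdout to stage i+1's stdin, like a shell
// pipeline, waits on every stage and returns the final stdout plus one
// StageError per failed stage. A shell pipeline reports only the last stage's
// status; here a "ps" that fails in the middle is reported as well.
func RunPipeline(stages []Stage) (string, []*StageError) {
	if len(stages) == 0 {
		return "", nil
	}
	cmds := make([]*exec.Cmd, len(stages))
	stderrs := make([]bytes.Buffer, len(stages))
	for i, s := range stages {
		cmds[i] = exec.Command(s[0], s[1:]...)
		cmds[i].Stderr = &stderrs[i]
	}
	for i := 0; i < len(cmds)-1; i++ {
		r, err := cmds[i].StdoutPipe()
		if err != nil {
			return "", []*StageError{{Index: i, Argv: stages[i], ExitCode: -1, Err: err}}
		}
		cmds[i+1].Stdin = r
	}
	var out bytes.Buffer
	cmds[len(cmds)-1].Stdout = &out

	var failures []*StageError
	started := 0
	for i, c := range cmds {
		if err := c.Start(); err != nil { // e.g. binary missing from PATH
			failures = append(failures, &StageError{Index: i, Argv: stages[i], ExitCode: -1, Err: err})
			break
		}
		started++
	}
	// Wait in pipeline order. Wait closes the parent's end of each pipe, which
	// is safe because every child already holds its own descriptor after Start.
	for i := 0; i < started; i++ {
		if err := cmds[i].Wait(); err != nil {
			failures = append(failures, &StageError{
				Index: i, Argv: stages[i], ExitCode: exitCode(err),
				Stderr: stderrs[i].String(), Err: err,
			})
		}
	}
	return out.String(), failures
}

func main() {
	// Constructed stand-in for "ps -C kube-apiserver ... | grep ..." that
	// produces output and then fails in the first stage, as the commit describes.
	stages := []Stage{
		{"sh", "-c", "echo kube-apiserver --anonymous-auth=false; exit 3"},
		{"grep", "anonymous-auth"},
	}
	out, failures := RunPipeline(stages)
	fmt.Printf("output: %q\n", out)
	for _, f := range failures {
		fmt.Println("failed:", f)
	}
}
```

Waiting on the stages in order matters: each `Wait` closes the parent's copy of the pipe it created, and that is only harmless because the next stage was already started and inherited its own descriptor. A `grep` that matches nothing exits 1 and is reported the same way, so callers can distinguish "process not running" from "ps itself broke".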
Liz Rice
07750ea43a
Don't output message about config file if output format is JSON
2017-06-23 10:48:49 +01:00
Liz Rice
f6509b804e
Typo
2017-06-23 10:28:58 +01:00
Liz Rice
0d6d3a03ef
Allow config file to be specified on the command line
2017-06-22 15:34:21 +01:00
Liz Rice
96364e3f29
Error if the config file can’t be found
2017-06-22 15:34:01 +01:00
jerbia
432651e85f
Added test 1.4.11 ( #8 )
2017-06-21 22:45:50 +03:00
Liz Rice
c3d67e0fee
Use colorPrint for config file info too
2017-06-20 11:10:11 +01:00
Liz Rice
dcd416a521
Executable name changes
Updates to travis file, readme and help text
2017-06-20 09:52:53 +01:00
Amir Jerbi
55fd838191
No need to run install.sh.
Simply clone the project, compile the go app and run ./cis_kubernetes
2017-06-20 00:03:46 +03:00