arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-22 16:18:07 +00:00
Code Issues Releases Wiki Activity
586 Commits 4 Branches 82 Tags 157 MiB
b0abc74350
Commit Graph

42 Commits

Author SHA1 Message Date
Simarpreet Singh
d77eab2234
master.yaml: Add --audit-policy-file check for 1.1.37. (#440) 
* master.yaml: Add --audit-policy-file check for 1.1.37.

Signed-off-by: Simarpreet Singh <simar@linux.com>

* fix-177: fix line endings

Signed-off-by: Simarpreet Singh <simar@linux.com>
 2019-10-18 13:23:23 -07:00
Roberto Rojas
3aa41db166
Issue #353: Merges JSON and Exec Params files (#426) 
* starts fixes #353

* new approach to minize duplications

* applied merged yaml files for v1.11 and v1.13

* yaml files json/params merged

* fixes to remove double quotes from numbers and booleans

* fixed bug

* fixed certificate check

* removed -json files

* changes based on PR review

* Update check/check_test.go

Yay more tests!

Co-Authored-By: Liz Rice <liz@lizrice.com>

* changes as PR review

* fixed bug when scored check is missing tests

* attempt to improve the code

* fixed list breaks

* removes handleError function

* Update check/check.go

Accepting suggested log level.

Co-Authored-By: Liz Rice <liz@lizrice.com>
 2019-10-14 10:37:10 -04:00
yoavrotems
89afda1f63 Add [Manual test] to remediation in all the manual tests (#435) 2019-10-09 16:26:02 +01:00
Roberto Rojas
41e0ae77de changes to use the "op: valid_elements" operation to manage list of items (#402) 2019-09-03 13:36:47 +01:00
Roberto Rojas
13dfa15ad6 Fixes Issue #396 - Replaces $kubeletconf for $kubeletsvc (#399) 
* fixes issue #396

* reverts remediation text change

* changes to 1.11-json and 1.13-json as per PR review

* Tiny typo
 2019-08-30 15:21:41 +01:00
yoavrotems
4b5a877f1f Remove some tests from been manual (#398) 
* Remove some tests from been manual

* Remove some tests from been manual
 2019-08-29 08:54:29 +01:00
Roberto Rojas
3e5d02e920 fixes issue #386 (#397) 
* fixes issue #386

* Correct typo
 2019-08-28 09:27:56 +01:00
mwwolters
787bf6ca4d Updated check to pass if flag isn't set (#379) 2019-08-09 18:24:20 +01:00
Efrat Levitan
b8a463f051 Correction to 1.13 and 1.13-json test 2.1.5 (#380) 2019-08-07 03:33:09 -07:00
mwwolters
893aa3588c Updated check to pass if flag isn't set (#375) 2019-07-30 10:09:24 -07:00
zilard
d8528a1ec8 issue #234: implement test 2.2.8 (#343) 
* implement test 2.2.8

* Nit: correct indentation

The indentation looked a bit wonky due to spaces vs tabs; hopefully this corrects it
 2019-07-10 10:43:15 +01:00
Simarpreet Singh
dddc42f046
cfg: remove erroneous whitespaces in yaml 
Signed-off-by: Simarpreet Singh <simar@linux.com>
 2019-06-25 07:18:46 -07:00
Liz Rice
12e48297a6 Config file improvements 
Correct defaults in main config.yaml file
Remove unnecessary overrides in version-specific config.yaml
 2019-05-17 14:21:42 +01:00
Liz Rice
caf3fbd0a0
Moving more config into master config file 2019-05-13 18:20:57 +01:00
daniellohausen
22e835f0f5 Reverted kubelet conf to original value 2019-05-08 13:55:45 +02:00
daniellohausen
7ec10211a5 Added KOPS-specific paths 2019-05-08 13:52:08 +02:00
Abubakr-Sadik Nii Nai Davis
fbbf6b37c7 Change test_items in 1.11 master.yaml check 1.5.2 to fix issue with 
check failing even when --client-cert-auth is set.
 2019-04-30 16:51:10 +00:00
Liz Rice
dd8e7ec874
Merge branch 'master' into fix-208 2019-03-03 09:45:16 +00:00
Abubakr-Sadik Nii Nai Davis
a88b0703d8 Add kubeconfig variable substitution for kubelet and proxy. 
There are checks for the kubeconfig for both kubelet and proxy which
the current kube-bench implementation does not check for properly.
kube-bench checks the wrong files.

This PR adds support for variable substitution for all the config file
types are that should be checked in the CIS benchmarks.

This PR also fixes a buggy in CIS 1.3.0 check 2.2.9, which checks for
ownership of the kubelet config file /var/lib/kubelet/config.yaml but
recommends changing ownership of kubelet kubeconfig file
/etc/kubernetes/kubelet.conf as remediation.
 2019-02-27 22:15:14 +00:00
Abubakr-Sadik Nii Nai Davis
3f98c1def2 Fix wrong reference to kubelet.config in node checks. 
This fix applies to only checks for kubernetes versions 1.8 and 1.11.
See https://github.com/aquasecurity/kube-bench/pull/208.
 2019-02-27 22:14:19 +00:00
Liz Rice
d712db47a2
Only find flags on the process we really want 2019-02-28 01:33:21 +08:00
Maximilian Bischoff
791fbba9e7
Changed 1.1.14 to not fail when flag is not set 
Added another test item that checks whether --disable-admission-plugins is not set and an "or" bin_op. 
This causes check 1.1.14 to be successful when the flag is not set, while still failing when the flag is set and includes the value NamespaceLifecycle
 2019-01-08 13:58:41 +01:00
Liz Rice
2d721ed4ad
Merge branch 'master' into rm-space-tls-cipher 2019-01-02 10:53:29 +00:00
Colin GILLE
ffe7ffb3d3
Type: trailing whitespace for rule text 2018-12-31 16:36:15 +01:00
Martin Mosegaard Amdisen
fd120d0adf Remove spaces in remediation command for tls-cipher-suites 
Makes it easier to copy-paste the remediation. Matches the other occurences
of tls-cipher-suites in the configuration.
 2018-12-27 14:48:21 +01:00
Liz Rice
26e28b8897
Merge branch 'master' into master 2018-12-21 11:26:53 +00:00
Maximilian Bischoff
e81b785bf8
Added missing "=" to master.yaml 
In the remediation of 1.1.11 the flag --enable-admission-plugins was missing a =
 2018-12-19 18:20:23 +01:00
Vladimir Dimov
645d23e1ec
fixing typos 2.1.15 2018-11-28 13:14:49 +02:00
Liz Rice
6e80b6477a
Merge branch 'master' into fix-2.1.8 2018-11-08 11:41:54 +00:00
Abubakr-Sadik Nii Nai Davis
0a5358665e By default --make-iptables-util-chain is true, so PASS if this flag is not set. 2018-11-07 23:57:38 +00:00
Abubakr-Sadik Nii Nai Davis
4f40a11e84 Change binary op from and to or. 2018-11-07 23:54:41 +00:00
Abubakr-Sadik Nii Nai Davis
c0f56e966a Fix check 1.1.37. 2018-11-06 14:35:45 +00:00
Nick Perry
e083c8f0a3 Fixes https://github.com/aquasecurity/kube-bench/issues/170 
Correcting the logic of 1.1.14 for Kubernetes 1.11.
 2018-10-30 23:40:41 +00:00
Liz Rice
48489637c5
Merge branch 'master' into fix-1.3.7 2018-10-29 12:08:22 +00:00
Michal Jankowski
9988503223 Fixing 1.3.7 on 1.11 master. 
With multiple test items operator defaults to "and". In case of 1.3.7
the tests check whether --address flag is either set to 127.0.0.1 or not
set at all. Those conditions cannot be met at the same time.
 2018-10-25 15:32:41 -07:00
Michal Jankowski
5f254de415 Fixing checks 2.2.9 and 2.2.10 on 1.11 nodes. 
Path to kubelet configuration was accidentally prefixed with a dollar
symbol (probably as a result of copying some other test that used
variable name).
After removing the dollar sign from paths both checks pass on conforming
deployment.
 2018-10-24 17:06:21 -07:00
Abubakr-Sadik Nii Nai Davis
97623aea05 Update kubernetes node benchmark to check kubelet systemd unitfile. 
Also clean up the config file for 1.11 a bit.
 2018-10-23 02:30:08 +00:00
Abubakr-Sadik Nii Nai Davis
b1369832bc A few corrections to node tests. (#2) 
* Add a few corrections.

* Add a few corrections to node test file.
 2018-10-13 15:48:50 -04:00
Abubakr-Sadik Nii Nai Davis
934b4aef96 Add a few corrections. (#1) 2018-10-12 10:22:08 -04:00
noqcks
e85de9e8af
fix simple errors 2018-10-09 19:16:08 -04:00
noqcks
b3a115963b
adding 1.11 config and node checks 2018-10-09 18:57:37 -04:00
noqcks
ba5ec8d4be
adding 1.11 master configuration 2018-10-09 18:34:52 -04:00