Liz Rice
e69b2fe549
Add mappings for eks-1.0 and Kubernetes 1.18 ( #654 )
Allows user to specify either `--version` or `--benchmark-version` as `eks-1.0`
Allows user to specify (or auto-detect K8s version 1.18) and get the CIS 1.5 benchmark
2020-08-03 22:38:37 +03:00
Huang Huang
5ff32e55eb
Check PodSecurityPolicy when test 1.2.13 of cis-1.5 ( #651 )
2020-08-03 10:38:22 +03:00
Kevin W Monroe
2a325bd60d
make the kubelet cafile test posix compliant ( #643 )
2020-07-21 17:43:39 +03:00
Huang Huang
66692951c8
4.1.7 of cis-1.5 should not be marked as manual ( #640 )
* 4.1.7 of cis-1.5 should not be marked as manual
* Making the test posix compliant like #643
2020-07-21 17:32:13 +03:00
Paavan
20ec5d14f2
added eks-1.0 cfg and modified job-eks.yaml for node checks ( #639 )
* added eks-1.0 cfg and modified job-eks.yaml for node checks
* fixed yamllint errors and README updates
2020-07-10 16:14:41 +01:00
Huang Huang
3e6a41af04
Try to search the right ca file of kubelet ( #633 )
2020-07-08 10:22:49 +03:00
Andrew Horton
122bc4b351
Fix misspelling - identied / identified ( #626 )
2020-06-17 15:08:20 +01:00
Huang Huang
35cf28c140
Add integration tests for cis 1.3 and cis 1.5 ( #609 )
* Remove unnecessary whitespaces
* Fix a typo
* Add integration tests for cis 1.3 and cis 1.5
* Change the timeout of integration tests from 600s to 1200s
* Avoid repeated codes
2020-05-20 18:30:52 +01:00
Huang Huang
4557ca00f1
Fix a typo in 1.1.11 of cis-1.5 ( #605 )
Co-authored-by: Liz Rice <liz@lizrice.com>
2020-05-14 17:44:43 +01:00
Gábor Lipták
82614d9b3f
Correct typo ( #616 )
Co-authored-by: Liz Rice <liz@lizrice.com>
2020-05-14 17:25:47 +01:00
Mathis Kretz
9efd942bcc
Add config paths for microk8s ( #556 )
* Add config paths for microk8s
* Fix order for kube-proxy conf path and fix yaml linting issue
Co-authored-by: Mathis Kretz <mathis@bespinian.io>
Co-authored-by: Liz Rice <liz@lizrice.com>
2020-03-16 12:37:32 +00:00
yoavrotems
60f2fb592a
Add option to do bitmask ( #565 )
* Add option to do bitwise and between two values in order to compare permissions
* Update test.go
Removed self debug note
* Update test_test.go
Fix typo
* Update test.go
* Update test.go
Switched between max and requested value, because they were accidentally assigned oppositely, and removed the old function related to octal base
* Update test_test.go
* Update test_test.go
2020-03-16 12:25:46 +00:00
Huang Huang
70988356c8
Support config files which use .yml file extension ( #586 )
Co-authored-by: Roberto Rojas <robertojrojas@gmail.com>
2020-03-03 12:03:21 -05:00
Abubakr-Sadik Nii Nai Davis
d988b81540
CIS GKE 1.0.0 benchmark ( #570 )
* Add initial commit for CIS GKE 1.0 benchmark
* Update README with GKE instructions
* Fix YAML linter issues
* Set GKE benchmark k8s version to gke-1.0
* Add tests for gke-1.0
Co-authored-by: Roberto Rojas <robertojrojas@gmail.com>
2020-03-03 09:51:48 -05:00
Thorsten Schifferdecker
237f8cf818
fix small typo ( #592 )
proykubeconfig -> proxykubeconfig
2020-03-02 16:35:01 +00:00
Huang Huang
65fb352e0e
Change to checking --disable-admission-plugins for cis-1.4-1.1.27 and cis-1.5-1.2.14 ( #584 )
Fixes #582
2020-02-18 09:37:50 -05:00
LukasAuerbeck
037bb14729
added 444, 440, 400 and 000 file permission checks for all benchmarks ( #563 )
Co-authored-by: Liz Rice <liz@lizrice.com>
2020-01-22 14:40:01 +00:00
mustafa-rean
89f8e454ba
Resolved bug in master.yml for cis-1.5 for the apiserverbin variable name ( #567 )
Co-authored-by: Liz Rice <liz@lizrice.com>
2020-01-22 14:00:23 +00:00
Murali Paluru
48e33d33e5
fix mismatching checks, tests ( #544 )
2020-01-07 12:31:07 +00:00
James Ward
5f34058dc7
Support Linting YAML as part of Travis CI build ( #554 )
* add yamllint command to travis CI
installs and runs a linter across the YAML in the
project to ensure consistency in the written YAML.
this uses yamllint and the default yamllint config with
"truthy" and "line-length" disabled.
* run dos2unix on CRLF files
* YAMLLINT: remove trailing spaces
* YAMLLint: add YAML document start
* YAMLLint: too many spaces around bracket
* YAMLLint: fix indentation
* YAMLLint: remove duplicate key
* YAMLLint: newline at end of file
* YAMLLint: Too few spaces after comma
* YAMLLint: too many spaces after colon
2020-01-06 09:18:25 +00:00
Roberto Rojas
13193d75b0
Fixes Issue #535 ( #537 )
* isEtcd should not run on openshift 3.10/3.11
* adds openssl
* fixed tests
* fixes bugs
* adds isEtcd tests
2019-12-13 10:09:30 -05:00
Huang Huang
4a07f87e6f
Fix remediations about file permission ( #534 )
* Fix remediation of 2.2.3 in cis-1.3
* Fix remediation of 4.1.1 in cis-1.5
2019-12-10 13:57:07 -05:00
Mateus Caruccio
6e1c39237a
Openshift configs ( #526 )
* Adds openshift to autodetect node type
* detect okd node units
2019-12-09 09:07:44 -05:00
Roberto Rojas
af976e6f50
Fixes Issue #494 - add tests for CIS 1.5 ( #530 )
* Initial commit.
* Add master and node config.
* Add section 5 of CIS 1.5.1.
* Split sections into section files
* Fix YAML issues.
* adds target translation
* adds target translation
* adds cis-1.5 mapping
* fixed tests
* fixes as per PR
* fixed integration test
* integration kind test file to appropriate k8s version
* fixed etcd text
* fixed README
* fixed text
* etcd: fixed grep path
* etcd: fixes
* fixed error message bug
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* fixes as per PR review
2019-12-05 15:55:44 -05:00
Huang Huang
7015f4b4b5
Fix remediation of 2.2.3 ( #527 )
2019-12-04 07:06:50 -08:00
Roberto Rojas
9c6d4de860
Issue #421 : Merges PR #422 with master ( #523 )
* Add kubeconfig location of kube-proxy for AKS
* Add job for AKS node
* Automate ca file permission check
* removed job-aks.yaml as other PRs added needed features
* fixed integration test due to merge changes
2019-11-27 15:30:29 +00:00
Liz Rice
d7b5422e8a
Fix detection of encryption-provider-config ( #513 )
Fixes: https://github.com/aquasecurity/kube-bench/issues/420
Signed-off-by: Manuel Rüger <manuel@rueg.eu>
2019-11-05 19:45:40 -05:00
Roberto Rojas
7ca438b618
Fixes Issue 269 - Numbering to use CIS Versions ( #511 )
* starting benchmark flag
* Revert "starting benchmark flag"
This reverts commit 58fc948626.
* fixes issue #269
* add more unit tests
* fix bug
* Update cmd/common.go
Co-Authored-By: Liz Rice <liz@lizrice.com>
* fixes as per PR review
* fixes as per PR review
* adds more tests
* fixed tests
* changes as per PR Review
* changes as per PR Review
* updated README
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* changes as per PR review
2019-11-05 16:31:27 -05:00
mwwolters
8276e521d4
Changed 1.3.3 to check that --use-service-account-credentials isn't set to false, but the flag is set ( #442 )
2019-11-05 21:29:16 +01:00
Roberto Rojas
13fe1cdfb8
Fixes issue #501 : specifying absolute path for both ps and cat ( #508 )
* fixes issue #501
* specify absolute path for ps and cat
2019-11-01 13:10:52 +00:00
Kevin W Monroe
04946a48fb
add snap component paths to default config ( #414 )
2019-10-25 20:19:56 -04:00
Prem Kumar
01ee110ac4
Fix repetitive flags in some ocp-3.11 tests ( #462 )
* fix flag repetition in ocp-3.11/node.yaml
* fix flag repetition in ocp-3.11/master.yaml
2019-10-25 20:12:56 -04:00
Arpit Pandey
ce0137a31a
Fix few typos ( #469 )
2019-10-24 14:05:13 -07:00
Simarpreet Singh
d77eab2234
master.yaml: Add --audit-policy-file check for 1.1.37. ( #440 )
* master.yaml: Add --audit-policy-file check for 1.1.37.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* fix-177: fix line endings
Signed-off-by: Simarpreet Singh <simar@linux.com>
2019-10-18 13:23:23 -07:00
Simarpreet Singh
d12a45bba9
Properly initialize viper library when checking for master components ( #434 )
* common_test: Add a failing test to show the SIGSEGV
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: Go green by fixing isMaster() to instantiate viper
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: Inject a seam for getBinariesFunc to be patched-in.
Also adds additional tests to showcase unhappy behaviors.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common_test: Rename TestIsMaster()
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: init viper with master config
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: Add a pre-check if valid yaml is passed but doesn't include master.
Also adds additional tests to showcase unhappy behaviors.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* mod: Upgrade viper to v1.4.0
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: Refactor node only yaml to a file
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: Log when master components are not found
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common_test: Refactor subtests into a table
Signed-off-by: Simarpreet Singh <simar@linux.com>
2019-10-14 11:15:08 -04:00
Roberto Rojas
a6ee61fd08
Fixes issue #289 : removed versions prior to 1.11 ( #429 )
* removed version prior to 1.11
* removed references to kubernetes versions prior to 1.11
2019-10-14 10:52:43 -04:00
Roberto Rojas
3aa41db166
Issue #353 : Merges JSON and Exec Params files ( #426 )
* starts fixes #353
* new approach to minimize duplications
* applied merged yaml files for v1.11 and v1.13
* yaml files json/params merged
* fixes to remove double quotes from numbers and booleans
* fixed bug
* fixed certificate check
* removed -json files
* changes based on PR review
* Update check/check_test.go
Yay more tests!
Co-Authored-By: Liz Rice <liz@lizrice.com>
* changes as per PR review
* fixed bug when scored check is missing tests
* attempt to improve the code
* fixed list breaks
* removes handleError function
* Update check/check.go
Accepting suggested log level.
Co-Authored-By: Liz Rice <liz@lizrice.com>
2019-10-14 10:37:10 -04:00
Roberto Rojas
c22f81610d
removes federated ( #431 )
2019-10-12 19:00:26 -04:00
yoavrotems
89afda1f63
Add [Manual test] to remediation in all the manual tests ( #435 )
2019-10-09 16:26:02 +01:00
Simarpreet Singh
37f626dce6
cfg: Make proxy checks optional ( #436 )
Signed-off-by: Simarpreet Singh <simar@linux.com>
2019-10-08 11:53:39 +01:00
Roberto Rojas
41e0ae77de
changes to use the "op: valid_elements" operation to manage list of items ( #402 )
2019-09-03 13:36:47 +01:00
yoavrotems
ea9089bd42
update the yaml according ( #410 )
The update is from the new CIS version 1.4.1,
as has been done in https://github.com/aquasecurity/kube-bench/issues/370
2019-09-02 16:40:45 +01:00
Roberto Rojas
ec3b1076c0
Fixes issue #407 ( #409 )
* fixes issue #407
* fixes issue #407
2019-08-30 17:33:14 +01:00
Roberto Rojas
13dfa15ad6
Fixes Issue #396 - Replaces $kubeletconf for $kubeletsvc ( #399 )
* fixes issue #396
* reverts remediation text change
* changes to 1.11-json and 1.13-json as per PR review
* Tiny typo
2019-08-30 15:21:41 +01:00
Liz Rice
a2466da4b0
Correct 1.1.13 to match CIS spec ( #406 )
Text should say Not Scored
2019-08-30 15:10:30 +01:00
Roberto Rojas
7a53806863
fixes issue #346 by explicitly only checking read-only property ( #404 )
2019-08-30 08:56:48 +01:00
yoavrotems
4b5a877f1f
Remove some tests from being manual ( #398 )
* Remove some tests from being manual
* Remove some tests from being manual
2019-08-29 08:54:29 +01:00
Roberto Rojas
f343d36862
hyperkube v1.15 renamed "proxy" to "kube-proxy" ( #400 )
2019-08-28 16:53:48 +01:00
Roberto Rojas
3e5d02e920
fixes issue #386 ( #397 )
* fixes issue #386
* Correct typo
2019-08-28 09:27:56 +01:00
Abubakr-Sadik Nii Nai Davis
a3b8ba58ad
Fix error converting from string to integer ( #392 )
Replace the `gt` with `eq` for string comparison of kube-bench check 2.1.6 in `cfg/1.6/node.yaml`.
2019-08-23 16:15:21 +01:00