1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-22 14:48:07 +00:00
Commit Graph

250 Commits

Author SHA1 Message Date
Derek Nola
e1d1053358
Fix to empty grep and other cis-1.6-k3s checks (#1352)
* Fix to empty grep and other k3s checks

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Lint fix

Signed-off-by: Derek Nola <derek.nola@suse.com>

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-01-13 18:06:57 +02:00
Huang Huang
bd8dd3adcc
use $etcddatadir in more etcd related checks (#1331) 2022-11-28 07:58:06 +02:00
Huang Huang
865817dfda
support customize datadir locations of etcd (#1330) 2022-11-25 15:32:49 +02:00
Huang Huang
3ccafa7be1
support CIS Kubernetes V1.24 Benchmark v1.0.0 (#1329) 2022-11-24 15:23:10 +02:00
Anupam Tamrakar
3b8379f081
Fixing OCP checks for rh-1.0 (#1259) 2022-10-11 09:18:49 +03:00
TARI TARI
4d76c77c6a
feat(cis-1.6-k3s): Add support to CIS-1.6 for k3s distribution (#1261)
* feat(cis-1.6-k3s): Add support to CIS-1.6 for k3s distribution

* update(docs): change platforms and architectrue document; update(review): code review for cfg/cis-1.6-k3s;

* update(docs): recover sheet style

* fix(yaml-lint): CI/CD YAML Error

* fix: Correct the problem of command and file/directory/log not found scene

* fix(yaml-lint): CI/CD YAML Error
2022-09-15 14:26:15 +03:00
Huang Huang
07e01cf38c
Support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0 (#1222)
* Support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0

* fix yaml lint error
2022-09-15 09:04:54 +03:00
Chris Renzo
a34047c105
Adding eks-stig-kubernetes-v1r6 (#1266)
* Adding eks-stig-kubernetes-v1r6

* Fixing lint errors

* Reformatting texts

* Removing pinned docker tag

* Updating Expected Stig Output

Co-authored-by: EC2 Default User <ec2-user@ip-10-0-44-222.ec2.internal>
2022-09-14 17:40:48 +03:00
Anupam Tamrakar
7a68b38763
Updating checks 4.2.1 and 4.2.3 (#1236)
Removing colon from these checks so that grep command will work with both communication method (YAML and JSON)
2022-08-08 15:54:37 -03:00
Huang Huang
e6b3eddb03
fix 4.2.11 in cis-1.20 should be Automated (#1213) 2022-06-19 17:10:37 +03:00
Qiming Teng
02fd0d4be2
Add support to CIS-1.23 1.0.0 (#1148) 2022-04-18 09:27:33 +03:00
Huang Huang
c28e7a796e
Fixed typo in policies.yaml (#1113) 2022-03-13 09:27:25 +02:00
Mirtov Alexey
a2b3de1bf4
Support Yandex Managed Service for Kubernetes (#1069) 2022-01-06 10:20:48 +02:00
Huang Huang
2d6bf55ab2
Support CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0 (#1050)
* Support CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0

* restore gke-1.0

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-12-09 12:04:38 +02:00
Huang Huang
6589eb16e1
Support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (#1045)
* Update eks-1.0 to support CIS EKS Benchmark v1.0.1

* add "No remediation"

* rename eks-1.0 to eks-1.0.1

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-11-18 10:42:53 +02:00
Huang Huang
f8e0171c09
Update aks-1.0 to match official CIS Azure Kubernetes Service (AKS) Benchmark v1.0.0 (#1042)
* Update aks-1.0 to match official CIS Azure Kubernetes Service (AKS) Benchmark v1.0.0

* fix typo

* fix empty remediation

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-11-14 15:37:54 +02:00
Huang Huang
65b45f699d
Fix status of cis-1.20 4.1.6 should be Automated (#1041) 2021-11-08 11:25:59 +02:00
tonyqui
11136317f2
Fix experimental-encryption-provider-config test on OCP 3.11 - Issue #926 (#1024)
Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-10-27 12:56:00 +03:00
Lennard Klein
70fa2cc0d5
Add various paths as used by Talos (#1009)
Implements #1008
2021-10-04 10:10:13 +03:00
Lennard Klein
5f7fb350a7
Add a trailing slash to find directory path (#1006)
This transplants #687 to cis-1.6 and cis-1.20. Fixes #686 for cis-1.6 and cis-1.20.
2021-10-03 13:08:28 +03:00
Huang Huang
e50de8145c
Fix status of cis-1.20 1.2.25 should be Manual (#1010)
* fix status of cis-1.20 1.2.25 should be Manual

* Fix tests

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-10-03 13:00:58 +03:00
brainfair
548b021340
Add node kubelet config path (#961)
In kubespray tool we have another path for kubelet config, add them to kube-bench config on top

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-08-30 16:02:26 +03:00
Nick Keenan
946a48ca74
Fix 4.1.9, skip irremediable checks, add /home/kubernetes mount (#976)
Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-08-30 15:33:59 +03:00
Hacks4Snacks
016d67bade
cis-1.20 section 1.1.10 command revision. (#922)
Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-07-07 18:06:50 +03:00
Huang Huang
e5e2804dfa
Fix values of version field in cfg/cis-1.20 were wrong (#913) 2021-06-20 11:23:24 +03:00
Yoav Rotem
2d033edc96
New cis v1.20 (#912)
* Add files via upload

* Add new cis support v1.20!

* Fix issue with 1.1.9 and 1.1.10 tests

Tests in some cases stat empty path which will return error.

* Add tests for kubernetes 1.20 and retire 1.15 tests

kubernetes 1.15 is not supported anymore and we shouldn't keep testing it.

* Kubernetes 1.15 is not supported anymore

* Tests for kubernetes 1.20

* Fix yamllint errors

Removed trailing spaces (trailing-spaces)

* Add tests for v1.20

* Remove extra spaces

* Change cis test functions names
2021-06-16 20:55:04 +03:00
Yoav Rotem
7bbcaeba04
Fix issue tests 1.1.9 and 1.1.10 (#911)
Issue https://github.com/aquasecurity/kube-bench/issues/909
2021-06-16 17:14:20 +03:00
Ed Robinson
4b28c84b97
Allow kube-bench to scan Bottlerocket OS (#889) 2021-06-08 12:23:43 +03:00
tonyqui
6605ff8844
False positive when running rh-0.7 benchmarks (#886) 2021-06-07 12:18:59 +03:00
Dave Hay
fb92680702
Issue 867: Updating CIS 1.1.9 and 1.1.10 (#877)
Mitigating "No such file or directory" related to CNI config directory

Signed-off by: Dave Hay <david_hay@uk.ibm.com>
2021-05-23 11:46:36 +03:00
Yoav Rotem
1f4b941c51
Fix test request timeout (#874)
* Test 1.2.24 should be manual

* Test 1.2.26 should be manual

* Test 1.2.26 should be manual

* Change test 1.2.26

* Change test 1.2.26

* Change test 1.2.26

* Change test 1.2.26

* Change test 1.2.26
2021-05-18 16:53:50 +03:00
Yoav Rotem
9820da9579
Update gke-1.0 (#873)
* Create controlplane.yaml

* Update and tidy yaml

* Update and tidy yaml

* Update and tidy yaml
2021-05-18 16:37:55 +03:00
hbc
e4d9455820
cfg: add /etc/default/kubeletconfig.json for AKS (#865)
* cfg: add `/etc/default/kubeletconfig.json`

* fix(cfg): search kubeletconfig.json first

* feat: mount `/etc/default` from host for AKS cluster

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-05-11 12:37:25 +03:00
Huang Huang
47c2494728
Support CIS ACK 1.0.0 benchmark (#841)
* Support CIS ACK 1.0.0 benchmark

* fix yaml lint

* Fix TestMakeSubsitutions may failed when order of map changed

* Support auto-detect platform when running on ACK

* Apply suggestions from code review

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-05-11 11:52:24 +03:00
Yoav Rotem
887965d31f
Add detected kubernetes version (#869)
* Add detected kubernetes version to controls

* Refactore NewControls function

Now new Control function is expecting detected version argument.

* Refactore NewControls function

Now new Control function is expecting detected version argument.

* Refactore NewControls function

New Control function is expecting detected version argument.

* Add detected kube version

* add detecetedKubeVersion

* Add detecetedKubeVersion

* Add detectedKubeVersion

* Add detecetedKubeVersion

* Fix missing version

* Change version

Change version from 3.10 to rh-0.7

* fix version: "cis-1.5"

* fix version: "cis-1.5"

* fix version: "cis-1.5"

* Fix version: "cis-1.5"

* Fix version: "cis-1.5"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"
2021-05-09 14:48:34 +03:00
Yoav Rotem
a1bd51db99
Add rh-1.0 (#863) 2021-05-02 19:31:03 +03:00
Yoav Rotem
68c2ee2ebf
Add support for Redhat openshift 4.0 cis 1.1.0 (#860) 2021-04-29 17:08:41 +03:00
Dmytro Oboznyi
d528400881
Fix file permissions false positive (#800)
* Fix file permissions false positive

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Added kops files to config path list

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Automated CNI files checks

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Fixed linting

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Fixed to right folder CNI test

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Changed Automated to manual

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Removed changes from remediation

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Added path to config files

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Update cfg/cis-1.6/master.yaml

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Fix

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Fix to job.yaml

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Add extra mountpoints

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Revert audit scripts changes

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-04-08 17:02:27 +03:00
Yoav Rotem
f2386c0386
Update ocp 3.11 (#849)
* Add OCP auto-detection

* Add test for openshift

* update and fix bugs

update file to match with new kube-bench features and fix bugs

* Update file and fix bugs

update file to match with new kube-bench features and fix bugs

* Remove specific configs

Those configs could be set in main config.yaml

* Update to include openshift files

* fix typos

* fix typo

* Remove trailing spaces

* Update util.go

* Add tests for getOcpValidVersion
2021-03-24 18:06:54 +02:00
Yoav Rotem
0cb302761c
Add logging (#822)
* Add more logging

The old logging could was lacking and in some cases misleading

* Add Logging

Add more logs and change some old messages, the important part is make each test log more readable by adding ------ test id ------ section in logs

* Fix typos

* more info

add more info in comment about the function and it use cases

Co-authored-by: Liz Rice <liz@lizrice.com>

* Use switch case

Change the logic from if to switch and tidy up the code
2021-03-22 17:33:53 +02:00
Dmytro Oboznyi
6262bc79ec
Automated testing 1.2.34 (#801)
* Automated testing 1.2.34

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Changed automation status in test

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Changed one more test

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>

* Changed Automated to manual

Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>
2021-02-11 11:54:41 +02:00
Felipe Augusto de Castro
ed53e56356
Allow kube-bench to scan Bottlerocket OS (#809) 2021-02-10 16:56:11 +02:00
Giuseppe Ingoglia
773b3e6f79
add new proxy path (#820)
Solving issue raised in #819
2021-02-10 12:14:25 +02:00
Dmytro Oboznyi
ebcb742931
Fix 1.1.7 1.1.8 (#798)
Signed-off-by: Dmytro Oboznyi <dmytro.oboznyi@syncier.com>
2021-01-20 14:42:57 +02:00
Dmytro Oboznyi
58c614cf6c
Update master.yaml (#797) 2021-01-13 12:43:40 +02:00
Liz Rice
e4d6ed2e8e
Refactor group skip (#783)
* Add example IAM policy

* Pass RotateKubeletServerCertificate related checks if it's not found (#767)

* Allow for environment variables to be checked in tests (#755)

* Initial commit for checking environment variables for etcd

* Revert config changes

* Remove redundant struct data

* Fix issues with failing tests

* Initial changes based on code review

* Add option to disable envTesting + Update docs

* Initial tests

* Finished testing

* Fix broken tests

* Add a total summary and always show all tests. (#759)

Whether the total summary is shown can be specified with an option.

Fixes #528

Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud>

* Update Readme.md file with link to Contribution guide (#754)

* Update License with the year and the owner name

Please add this to make your license agreement strong

* Updated Readme.md file with license and proper documentation links

I have added a proper license agreement to the documentation. Also shortened the links to the issues so that it does not break in any on the forks.

* Update LICENSE

* Update README.md

* Update README.md

* Remove erroneous license info

Co-authored-by: Liz Rice <liz@lizrice.com>

* Support auto-detect platform when running on EKS or GKE (#683)

* Support auto-detect platform when running on EKS or GKE

* Change to get platform name from `kubectl version`

* fix regexp and add test

* Update Server Version match for EKS

* try to get version info from api sever at first

* Refactor group skip

changed group 'skip' from being a bool to be 'type' string as done in check

* Change skip: true -> type: skip

Co-authored-by: Huang Huang <mozillazg101@gmail.com>
Co-authored-by: Wicked <jason_attwood@hotmail.co.uk>
Co-authored-by: Christian Zunker <827818+czunker@users.noreply.github.com>
Co-authored-by: Kaiwalya Koparkar <kaiwalyakoparkar@gmail.com>
Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2020-12-21 13:18:54 +02:00
Brian Terry
c3f94dd89f
Aws asff (#770)
* add aasf

* add AASF format

* credentials provider

* add finding publisher

* add finding publisher

* add write AASF path

* add testing

* read config from file

* update docker file

* refactor

* remove sample

* add comments

* Add comment in EKS config.yaml

* Fix comment typo

* Fix spelling of ASFF

* Fix typo and other small code review suggestions

* Limit length of Actual result field

Avoids this message seen in testing:
  Message:Finding does not adhere to Amazon Finding Format. data.ProductFields['Actual result'] should NOT be longer than 1024 characters.

* Add comment for ASFF schema

* Add Security Hub documentation

* go mod tidy

* remove dupe lines in docs

* support integration in any region

* fix README link

* fix README links

Co-authored-by: Liz Rice <liz@lizrice.com>
2020-11-23 19:43:53 +00:00
Huang Huang
054c401f71
Support case which run etcd as systemd service instead of pod (#762) 2020-11-16 14:50:15 +02:00
Borko
ab3881420c
Created config and test files for Azure Kubernetes Service (AKS). (#733)
* First draft of AKS configuration checks.

* Updated Azure Configurations. Added more policy checks.

* Finalized cfg components for AKS.

* Fixed targets for aks-1.0 in common_test.go

* Fixed yaml linting issues.

* Fixed white space yaml linkting issues in policies.yaml

* Fixed white space yaml linting issues in policies.yaml
2020-11-16 14:35:57 +02:00
bjrara
83b80a5816
automate check 3.2.1 Ensure that a minimal audit policy is created (#742)
Co-authored-by: mengyzhou <mengyzhou@ebay.com>
2020-11-02 09:41:07 +02:00