1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-21 14:18:06 +00:00
Commit Graph

37 Commits

Author SHA1 Message Date
Abubakr-Sadik Nii Nai Davis
a15e8acaa3
Add GKE 1.6 CIS benchmark for GCP environment (#1672)
* Add config entries for GKE 1.6 controls

* Add gke1.6 control plane recommendations

* Add gke-1.6.0 worker node recommendations

* Add gke-1.6.0 policy recommendations

* Add managed services and policy recommendation

* Add master recommendations

* Fix formatting across gke-1.6.0 files

* Add gke-1.6.0 benchmark selection based on k8s version

* Workaround: hardcode kubelet config path for gke-1.6.0

* Fix tests for makeIPTablesUtilChaings

* Change scored field for all node tests to true

* Fix kubelet file permission to check for

---------

Co-authored-by: afdesk <work@afdesk.com>
2024-10-11 10:49:35 +06:00
za
674d8e8bb7
Update command to build docker to run in EKS cluster (#1648)
because with the previous command unable to get the argument.

Issue: https://github.com/aquasecurity/kube-bench/issues/1647

Co-authored-by: za <za@noreply.users.github.com>
2024-09-30 12:13:10 +06:00
Andy Pitcher
7027b6b2ec
Add CIS kubernetes CIS-1.9 for k8s v1.27 - v1.29 (#1617)
* Create cis-1.9 yamls and Update info
      - policies.yaml
          - 5.1.1 to 5.1.6 were adapted from Manual to Automated
          - 5.1.3 got broken down into 5.1.3.1 and 5.1.3.2
          - 5.1.6 got broken down into 5.1.6.1 and 5.1.6.2
          - version was set to cis-1.9
       - node.yaml master.yaml controlplane.yaml etcd.yaml
          - version was set to cis-1.9

* Adapt master.yaml
    - Expand 1.1.13/1.1.14 checks by adding super-admin.conf to the permission and ownership verification
    - Remove 1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)
    - Adjust numbering from 1.2.12 to 1.2.29

* Adjust policies.yaml
   - Check 5.2.3 to 5.2.9 Title Automated to Manual

* Append node.yaml
   - Create 4.3 kube-config group
   - Create 4.3.1 Ensure that the kube-proxy metrics service is bound to localhost (Automated)

* Adjust policies 5.1.3 and 5.1.6

   - Merge 5.1.3.1 and 5.1.3.2 into 5.1.3 (use role_is_compliant and clusterrole_is_compliant)
   - Remove 5.1.6.1 and promote 5.1.6.2 to 5.1.6 since it natively covered 5.1.6.1 artifacts

* Add kubectl dependency and update publish
   - Download kubectl (build stage) based on version and architecture
   - Add binary checksum verification
   - Use go env GOARCH for ARCH
2024-06-26 15:53:57 +03:00
Huang Huang
92a18e7dfd
support CIS Kubernetes Benchmark v1.8.0 (#1527)
* support CIS Kubernetes Benchmark v1.8.0

* update version info
2023-12-02 09:59:30 +02:00
Kiran Bodipi
f8fe5ee173
Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s (#1523)
* add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
with this change, we are adding
1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53
2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397

* add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
with this change, we are adding
1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53
2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397

* release: prepare v0.6.15 (#1455)

Signed-off-by: chenk <hen.keinan@gmail.com>

* build(deps): bump golang from 1.19.4 to 1.20.4 (#1436)

Bumps golang from 1.19.4 to 1.20.4.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump actions/setup-go from 3 to 4 (#1402)

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: chenk <hen.keinan@gmail.com>

* Fix test_items in cis-1.7 - node - 4.2.12 (#1469)

Related issue: https://github.com/aquasecurity/kube-bench/issues/1468

* Fix node.yaml - 4.1.7 and 4.1.8 audit by adding uniq (#1472)

* chore: add fips compliant images (#1473)

For fips complaince we need to generate fips compliant images.
As part of this change, we will create new kube-bench image which will be fips compliant. Image name follows this tag pattern <version>-ubi-fips

* release: prepare v0.6.16-rc (#1476)

* release: prepare v0.6.16-rc

Signed-off-by: chenk <hen.keinan@gmail.com>

* release: prepare v0.6.16-rc

Signed-off-by: chenk <hen.keinan@gmail.com>

---------

Signed-off-by: chenk <hen.keinan@gmail.com>

* release: prepare v0.6.16 official (#1479)

Signed-off-by: chenk <hen.keinan@gmail.com>

* Update job.yaml (#1477)

* Update job.yaml

Fix on typo for image version

* chore: sync with upstream

Signed-off-by: chenk <hen.keinan@gmail.com>

---------

Signed-off-by: chenk <hen.keinan@gmail.com>
Co-authored-by: chenk <hen.keinan@gmail.com>

* release: prepare v0.6.17 (#1480)

Signed-off-by: chenk <hen.keinan@gmail.com>

* Bump docker base images (#1465)

During a recent CVE scan we found kube-bench to use `alpine:3.18` as the final image which has a known high CVE.

```
grype aquasec/kube-bench:v0.6.15
 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [73 packages]
 ✔ Scanning image...       [4 vulnerabilities]
   ├── 0 critical, 4 high, 0 medium, 0 low, 0 negligible
   └── 4 fixed
NAME        INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY
libcrypto3  3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
libssl3     3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
openssl     3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
```

The CVE in question was addressed in the latest [alpine release](https://www.alpinelinux.org/posts/Alpine-3.15.9-3.16.6-3.17.4-3.18.2-released.html), hence updating the dockerfiles accordingly

* build(deps): bump golang from 1.20.4 to 1.20.6 (#1475)

Bumps golang from 1.20.4 to 1.20.6.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s
Based on the information furnished in https://ranchermanager.docs.rancher.com/v2.7/pages-for-subheaders/rancher-hardening-guides
kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions.

* RKE/RKE2 CIS Benchmarks
Updated the order of checks for RKE and RKE2 Platforms.

* fixed vulnerabilities|upgraded package golang.org/x/net to version v0.17.0

* Error handling for RKE Detection Pre-requisites

* Based on the information furnished in https://ranchermanager.docs.rancher.com/v2.7/pages-for-subheaders/rancher-hardening-guides#hardening-guides-and-benchmark-versions, kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions.
updated documentation specific to added rancher platforms

* addressed review comments
1.Implemented IsRKE functionality in kube-bench
2. Removed containerd from global level config and accommodated in individual config file
3. Corrected the control id from 1.2.25 to 1.2.23 in master.yaml(k3s-cis-1.23 and k3s-cis-1.24)

* Removed unncessary dependency - kubernetes-provider-detector

---------

Signed-off-by: chenk <hen.keinan@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Andy Pitcher <andy.pitcher@suse.com>
Co-authored-by: Devendra Turkar <devendra.turkar@gmail.com>
Co-authored-by: Guille Vigil <contact@guillermotti.com>
Co-authored-by: Jonas-Taha El Sesiy <jonas-taha.elsesiy@snowflake.com>
2023-11-26 12:27:38 +02:00
Benjamin Schimke
fac90f756e
feat(cis-1.24-microk8s): Add support to CIS-1.24 for microk8s distro (#1510) 2023-11-20 12:59:32 +02:00
KiranBodipi
ca8743c1f7
add support VMware Tanzu(TKGI) Benchmarks v1.2.53 (#1452)
* add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
with this change, we are adding
1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53
2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397

* add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
with this change, we are adding
1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53
2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397
2023-06-01 16:37:50 +03:00
Huang Huang
60dde65d72
support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0 (#1449)
closes #1448
2023-05-21 17:53:58 +03:00
Huang Huang
124c57c6f4
support CIS Kubernetes Benchmark v1.7.0 (#1424) 2023-05-21 15:46:16 +03:00
Jack Henschel
0decc8a53f
docs: Clarify how to run Job on OpenShift (#1401)
Signed-off-by: Jack Henschel <jackdev@mailbox.org>
2023-03-18 19:30:19 +02:00
Huang Huang
3ccafa7be1
support CIS Kubernetes V1.24 Benchmark v1.0.0 (#1329) 2022-11-24 15:23:10 +02:00
Joe Bowbeer
377a05f872
docs: document --unscored flag (#1297) 2022-10-10 22:31:36 +03:00
Joe Bowbeer
150c40b5b1
docs: Improve Automated/Manual documentation (#1298)
* docs: improve Automated/Manual documentation

* sic
2022-10-09 22:37:50 +03:00
TARI TARI
4d76c77c6a
feat(cis-1.6-k3s): Add support to CIS-1.6 for k3s distribution (#1261)
* feat(cis-1.6-k3s): Add support to CIS-1.6 for k3s distribution

* update(docs): change platforms and architectrue document; update(review): code review for cfg/cis-1.6-k3s;

* update(docs): recover sheet style

* fix(yaml-lint): CI/CD YAML Error

* fix: Correct the problem of command and file/directory/log not found scene

* fix(yaml-lint): CI/CD YAML Error
2022-09-15 14:26:15 +03:00
Huang Huang
07e01cf38c
Support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0 (#1222)
* Support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0

* fix yaml lint error
2022-09-15 09:04:54 +03:00
Chris Renzo
a34047c105
Adding eks-stig-kubernetes-v1r6 (#1266)
* Adding eks-stig-kubernetes-v1r6

* Fixing lint errors

* Reformatting texts

* Removing pinned docker tag

* Updating Expected Stig Output

Co-authored-by: EC2 Default User <ec2-user@ip-10-0-44-222.ec2.internal>
2022-09-14 17:40:48 +03:00
rhtenhove
ebdfba55cc
fix: fully qualified image names (#1206) 2022-06-17 18:01:32 +03:00
Qiming Teng
02fd0d4be2
Add support to CIS-1.23 1.0.0 (#1148) 2022-04-18 09:27:33 +03:00
Huang Huang
9f92e81361
Update docs about the --outputfile flag (#1094) 2022-02-14 19:05:48 +02:00
Huang Huang
9119968940
Remove broken badges and add link for some badges (#1083)
* Remove broken badges and add link for some badges

* update badges in docs
2022-01-19 10:13:23 +02:00
Huang Huang
2d6bf55ab2
Support CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0 (#1050)
* Support CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0

* restore gke-1.0

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-12-09 12:04:38 +02:00
Vinícius Gajo
7e5445d2ad
fix: change the path for images in the asff docs markdown (#1059) 2021-12-01 12:00:58 +02:00
Huang Huang
5ad2817eb9
Add aks-1.0 to docs/architecture.md (#1051) 2021-11-29 12:04:15 +02:00
Huang Huang
6589eb16e1
Support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (#1045)
* Update eks-1.0 to support CIS EKS Benchmark v1.0.1

* add "No remediation"

* rename eks-1.0 to eks-1.0.1

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-11-18 10:42:53 +02:00
Huang Huang
f8e0171c09
Update aks-1.0 to match official CIS Azure Kubernetes Service (AKS) Benchmark v1.0.0 (#1042)
* Update aks-1.0 to match official CIS Azure Kubernetes Service (AKS) Benchmark v1.0.0

* fix typo

* fix empty remediation

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-11-14 15:37:54 +02:00
Dave Hay
42f479596c
doc(install): Adding detail and example for build (#928)
- Added to the `Installing from sources`
- Includes `git clone` etc.
- Also includes comments

Signed-off-by: Dave Hay <david_hay@uk.ibm.com>
2021-07-07 10:56:33 +03:00
Huang Huang
1173667622
Add docs for cis v1.20 (#914)
Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-06-20 12:56:56 +03:00
Yoav Rotem
0d1bd2bbd9
mkdocs support and update docs (#884)
* Delete README.md

* Edit readme and separate into different files

* Update README.md

* Update Running.md

* Update CONTRIBUTING.md

* Create Contributing.md

* Add files via upload

* Update Index.md

* Rename Flags and Commands.md to Flags_and_commands.md

* Rename Index.md to index.md

* Create mkdocs.yml

* Delete images directory

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Create mkdocs-dev.yaml

* Create mkdocs-latest.yaml

* Update mkdocs.yml

* Update mkdocs.yml

* Update mkdocs.yml

Add yamllint ---

* Make it yamllint comply

* Make Yamllint comply

* Make Yamllint comply

* Change description

Co-authored-by: Itay Shakury <itay@itaysk.com>

* Fix syntax

Co-authored-by: Itay Shakury <itay@itaysk.com>

* Update docs/Architecture.md

Co-authored-by: Itay Shakury <itay@itaysk.com>

* Update docs/Architecture.md

Co-authored-by: Itay Shakury <itay@itaysk.com>

* Update example for test files

* Update contributing

* Delete Contributing.md

* Update Flags_and_commands.md

* Change syntax and add source

* Update Platforms.md

* lower case file names

* lower case file names

* Lower case file names

* Lower case file names

* Lower case file names

* Lower case file names

* Add note about inspect master in some platforms

* Add quick start

* Lower case files names

* Lower case files names

* Fixing typo

* Remove section about old ocp

* Fix typos

Co-authored-by: Itay Shakury <itay@itaysk.com>
2021-06-09 11:17:16 +03:00
Michael Kandelaars
3e9b5a7b49
Refactor of EKS and ASFF integration Job and instructions (#794)
* Refactor to use Configmap for EKS and ASFF integration

* newline

* markdown fix

* formatting fix

* Update docs/asff.md

Co-authored-by: Liz Rice <liz@lizrice.com>

* typo

* docs: remove section about rebuilding

* docs: reminder to specify kube-bench image for ASFF

Co-authored-by: Liz Rice <liz@lizrice.com>
2021-02-22 14:28:36 +00:00
Liz Rice
e4d6ed2e8e
Refactor group skip (#783)
* Add example IAM policy

* Pass RotateKubeletServerCertificate related checks if it's not found (#767)

* Allow for environment variables to be checked in tests (#755)

* Initial commit for checking environment variables for etcd

* Revert config changes

* Remove redundant struct data

* Fix issues with failing tests

* Initial changes based on code review

* Add option to disable envTesting + Update docs

* Initial tests

* Finished testing

* Fix broken tests

* Add a total summary and always show all tests. (#759)

Whether the total summary is shown can be specified with an option.

Fixes #528

Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud>

* Update Readme.md file with link to Contribution guide (#754)

* Update License with the year and the owner name

Please add this to make your license agreement strong

* Updated Readme.md file with license and proper documentation links

I have added a proper license agreement to the documentation. Also shortened the links to the issues so that it does not break in any on the forks.

* Update LICENSE

* Update README.md

* Update README.md

* Remove erroneous license info

Co-authored-by: Liz Rice <liz@lizrice.com>

* Support auto-detect platform when running on EKS or GKE (#683)

* Support auto-detect platform when running on EKS or GKE

* Change to get platform name from `kubectl version`

* fix regexp and add test

* Update Server Version match for EKS

* try to get version info from api sever at first

* Refactor group skip

changed group 'skip' from being a bool to be 'type' string as done in check

* Change skip: true -> type: skip

Co-authored-by: Huang Huang <mozillazg101@gmail.com>
Co-authored-by: Wicked <jason_attwood@hotmail.co.uk>
Co-authored-by: Christian Zunker <827818+czunker@users.noreply.github.com>
Co-authored-by: Kaiwalya Koparkar <kaiwalyakoparkar@gmail.com>
Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2020-12-21 13:18:54 +02:00
Brian Terry
c3f94dd89f
Aws asff (#770)
* add aasf

* add AASF format

* credentials provider

* add finding publisher

* add finding publisher

* add write AASF path

* add testing

* read config from file

* update docker file

* refactor

* remove sample

* add comments

* Add comment in EKS config.yaml

* Fix comment typo

* Fix spelling of ASFF

* Fix typo and other small code review suggestions

* Limit length of Actual result field

Avoids this message seen in testing:
  Message:Finding does not adhere to Amazon Finding Format. data.ProductFields['Actual result'] should NOT be longer than 1024 characters.

* Add comment for ASFF schema

* Add Security Hub documentation

* go mod tidy

* remove dupe lines in docs

* support integration in any region

* fix README link

* fix README links

Co-authored-by: Liz Rice <liz@lizrice.com>
2020-11-23 19:43:53 +00:00
Soumyadeep Sinha
8e4da53006 Fixed some typos (#446)
* Fixed some typos

* Fixed some typos

* Fixed typo and capitalization of Kubernetes

* Update README.md

Co-Authored-By: Liz Rice <liz@lizrice.com>

* Update README.md

Co-Authored-By: Liz Rice <liz@lizrice.com>

* Update docs/README.md

Co-Authored-By: Liz Rice <liz@lizrice.com>

* Update docs/README.md

Co-Authored-By: Liz Rice <liz@lizrice.com>

* Update README.md

Co-Authored-By: Liz Rice <liz@lizrice.com>

* Update docs/README.md

Co-Authored-By: Liz Rice <liz@lizrice.com>

* docs: trivial, reinstate capital K

* docs: trivial, reinstate backticks

* docs: trivial, reinstate "in order" for clarity

* docs: trivial, reinstate capital K
2019-11-05 14:59:29 -08:00
michizhou
b0abc74350 Fixed documentation errors (#450) 2019-10-25 11:58:41 -07:00
Alexey Pyltsyn
7a2cc3f554 Improve docs (#437) 2019-10-24 09:15:29 +01:00
Abubakr-Sadik Nii Nai Davis
2e27d681f7 Remove duplicate documentation. (#373)
* Remove duplicate documentation.

* Add test configuration header back in main README.

* Add missing regex operator in docs/README.

* Fix incorrect description of configuration options bins, confs etc.

* Move description of version auto-detection to main README.

* Use 1.13 in examples since cfg/1.12 doesn't exist

* Remove duplicate sentence about regex

This sentence is now in the docs/README

* Add link to the docs for test YAML definitions
2019-08-07 03:43:51 -07:00
Liz Rice
87820b9775
Remove duplicate versions section
That info is important enough that it needs to stay in the main README.
I also changed the file title
2019-06-05 10:28:11 +01:00
Abubakr-Sadik Nii Nai Davis
85849a3c1f Add detailed kube-bench config documentation. 2019-06-04 22:25:24 +00:00