1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-02 04:48:14 +00:00
Commit Graph

113 Commits

Author SHA1 Message Date
Liz Rice
12e48297a6 Config file improvements
Correct defaults in main config.yaml file
Remove unnecessary overrides in version-specific config.yaml
2019-05-17 14:21:42 +01:00
Liz Rice
02d5654cc1
Correct 1.1.14 in 1.13/master.yaml 2019-05-14 19:37:44 +01:00
Liz Rice
caf3fbd0a0
Moving more config into master config file 2019-05-13 18:20:57 +01:00
daniellohausen
22e835f0f5 Reverted kubelet conf to original value 2019-05-08 13:55:45 +02:00
daniellohausen
7ec10211a5 Added KOPS-specific paths 2019-05-08 13:52:08 +02:00
Abubakr-Sadik Nii Nai Davis
fbbf6b37c7 Change test_items in 1.11 master.yaml check 1.5.2 to fix issue with
check failing even when --client-cert-auth is set.
2019-04-30 16:51:10 +00:00
Liz Rice
91c6ef2155
Merge branch 'master' into json-config 2019-04-23 13:51:30 +02:00
Liz Rice
7e8dfbc6ea
Fix invalid YAML 2019-04-23 11:41:48 +01:00
Liz Rice
b4419e810f
Tiny typo 2019-04-23 11:01:38 +01:00
Liz Rice
d05d71553f
Tiny typo 2019-04-23 10:57:15 +01:00
yoavrotems
e70f50b2b5 update files 2019-04-16 06:01:51 +00:00
Liz Rice
27dc75fefa No need for unused master config file.
Better comments in config file
2019-04-11 18:36:30 +01:00
Liz Rice
902a10f1c7
Just have one path for both json and yaml 2019-04-11 17:09:33 +01:00
Liz Rice
c887794807
Merge branch 'master' into feature/json-config 2019-04-11 10:03:07 +01:00
Liz Rice
b1ce0a9a75
Merge branch 'master' into yoavrotems-patch-2 2019-03-26 09:51:03 +00:00
yoavrotems
d059196b71
Update master.yaml
Fix 1.1.23 to check *if* --service-account-lookup argument is set and if so then if it's equal to true
2019-03-25 14:41:06 +02:00
yoavrotems
a85e5a7759
Update master.yaml
Fix title of 1.4.21 from 644 to 600 according to cis benchmark
2019-03-25 14:33:52 +02:00
Florent Delannoy
4d3144ca21 Support JSON and YAML configuration
Support new configuration options besides --flags:
- JSON file through `jsonpath`
- YAML file through `yamlpath`

These new options are fully backwards-compatible with the existing
tests.

Added a new profile, 1.11-json, that expects a JSON kubelet
configuration file and scores accordingly. This profile is compatible
with EKS.
2019-03-21 12:13:31 +00:00
Liz Rice
9b3628e76a
Update openshift executable config for #236 2019-03-07 11:18:06 +00:00
Liz Rice
1ead9e1d71
Merge branch 'master' into clean-ocp-configs 2019-03-07 09:22:47 +00:00
Abubakr-Sadik Nii Nai Davis
53ed68a0b2 Clean up OCP benchmark config.
The OCP benchmarks uses configs for only binary component variable names.
This commit cleans up the OCP config by removing all configuration
except those component binaries required to run kube-bench on OCP
installations and adds missing ones.
2019-03-06 12:02:58 +00:00
yoavrotems
c6102f0a1b
Fix the files
Fix the start from 1.11 to 1.13 and adding changes from pull #227, and pull #228.
2019-03-06 11:26:36 +00:00
yoavrotems
e534392525
Delete node.yaml
replace with the new node.yaml file
2019-03-06 13:24:14 +02:00
yoavrotems
5f09ecef44
Delete master.yaml
replace with the new master.yaml file
2019-03-06 13:23:49 +02:00
yoavrotems
a7d9e06c1b
Delete config.yaml
replace with the new config.yaml file
2019-03-06 13:23:18 +02:00
yoavrotems
50f22e7f13
Merge branch 'master' into add-new-cfg-version1.4 2019-03-06 11:16:36 +00:00
Liz Rice
dd8e7ec874
Merge branch 'master' into fix-208 2019-03-03 09:45:16 +00:00
Abubakr-Sadik Nii Nai Davis
d255b49d4b Revert 1.8 config file. 2019-03-02 17:20:46 +00:00
Abubakr-Sadik Nii Nai Davis
a88b0703d8 Add kubeconfig variable substitution for kubelet and proxy.
There are checks for the kubeconfig for both kubelet and proxy which
the current kube-bench implementation does not check for properly.
kube-bench checks the wrong files.

This PR adds support for variable substitution for all the config file
types are that should be checked in the CIS benchmarks.

This PR also fixes a buggy in CIS 1.3.0 check 2.2.9, which checks for
ownership of the kubelet config file /var/lib/kubelet/config.yaml but
recommends changing ownership of kubelet kubeconfig file
/etc/kubernetes/kubelet.conf as remediation.
2019-02-27 22:15:14 +00:00
Abubakr-Sadik Nii Nai Davis
3f98c1def2 Fix wrong reference to kubelet.config in node checks.
This fix applies to only checks for kubernetes versions 1.8 and 1.11.
See https://github.com/aquasecurity/kube-bench/pull/208.
2019-02-27 22:14:19 +00:00
Liz Rice
d712db47a2
Only find flags on the process we really want 2019-02-28 01:33:21 +08:00
yoavrotems
82150fdc63
add new config files from the new CIS Kubernetes Benchmark
there is a new update at CIS_Kubernetes_Benchmark_v1.4.0 for Kubernetes 1.13
2019-02-27 10:39:32 +00:00
Abubakr-Sadik Nii Nai Davis
e899e941f7 Add OCP 3.10 benchmarks. 2019-02-15 19:44:39 +00:00
Maximilian Bischoff
791fbba9e7
Changed 1.1.14 to not fail when flag is not set
Added another test item that checks whether --disable-admission-plugins is not set and an "or" bin_op. 
This causes check 1.1.14 to be successful when the flag is not set, while still failing when the flag is set and includes the value NamespaceLifecycle
2019-01-08 13:58:41 +01:00
Liz Rice
2d721ed4ad
Merge branch 'master' into rm-space-tls-cipher 2019-01-02 10:53:29 +00:00
Colin GILLE
ffe7ffb3d3
Type: trailing whitespace for rule text 2018-12-31 16:36:15 +01:00
Martin Mosegaard Amdisen
fd120d0adf Remove spaces in remediation command for tls-cipher-suites
Makes it easier to copy-paste the remediation. Matches the other occurences
of tls-cipher-suites in the configuration.
2018-12-27 14:48:21 +01:00
Liz Rice
26e28b8897
Merge branch 'master' into master 2018-12-21 11:26:53 +00:00
Maximilian Bischoff
e81b785bf8
Added missing "=" to master.yaml
In the remediation of 1.1.11 the flag --enable-admission-plugins was missing a =
2018-12-19 18:20:23 +01:00
Vladimir Dimov
645d23e1ec
fixing typos 2.1.15 2018-11-28 13:14:49 +02:00
Liz Rice
6e80b6477a
Merge branch 'master' into fix-2.1.8 2018-11-08 11:41:54 +00:00
Abubakr-Sadik Nii Nai Davis
0a5358665e By default --make-iptables-util-chain is true, so PASS if this flag is not set. 2018-11-07 23:57:38 +00:00
Abubakr-Sadik Nii Nai Davis
4f40a11e84 Change binary op from and to or. 2018-11-07 23:54:41 +00:00
Abubakr-Sadik Nii Nai Davis
c0f56e966a Fix check 1.1.37. 2018-11-06 14:35:45 +00:00
Nick Perry
e083c8f0a3 Fixes https://github.com/aquasecurity/kube-bench/issues/170
Correcting the logic of 1.1.14 for Kubernetes 1.11.
2018-10-30 23:40:41 +00:00
Liz Rice
48489637c5
Merge branch 'master' into fix-1.3.7 2018-10-29 12:08:22 +00:00
Michal Jankowski
9988503223 Fixing 1.3.7 on 1.11 master.
With multiple test items operator defaults to "and". In case of 1.3.7
the tests check whether --address flag is either set to 127.0.0.1 or not
set at all. Those conditions cannot be met at the same time.
2018-10-25 15:32:41 -07:00
Michal Jankowski
5f254de415 Fixing checks 2.2.9 and 2.2.10 on 1.11 nodes.
Path to kubelet configuration was accidentally prefixed with a dollar
symbol (probably as a result of copying some other test that used
variable name).
After removing the dollar sign from paths both checks pass on conforming
deployment.
2018-10-24 17:06:21 -07:00
Abubakr-Sadik Nii Nai Davis
97623aea05 Update kubernetes node benchmark to check kubelet systemd unitfile.
Also clean up the config file for 1.11 a bit.
2018-10-23 02:30:08 +00:00
Abubakr-Sadik Nii Nai Davis
b1369832bc A few corrections to node tests. (#2)
* Add a few corrections.

* Add a few corrections to node test file.
2018-10-13 15:48:50 -04:00