mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-27 00:48:07 +00:00
Commit Graph

808 Commits

Author SHA1 Message Date
Maximilian Bischoff
791fbba9e7
Changed 1.1.14 to not fail when flag is not set
Added another test item that checks whether --disable-admission-plugins is not set and an "or" bin_op. 
This causes check 1.1.14 to be successful when the flag is not set, while still failing when the flag is set and includes the value NamespaceLifecycle
2019-01-08 13:58:41 +01:00
Liz Rice
f6cab11357
Merge pull request #187 from martinmosegaard/doc-kubectl-host-pid
Document limitation of running with kubectl
2019-01-02 11:05:32 +00:00
Liz Rice
9f2899027e
Merge branch 'master' into doc-kubectl-host-pid 2019-01-02 10:59:19 +00:00
Liz Rice
313fe038f6
Merge pull request #188 from martinmosegaard/rm-space-tls-cipher
Remove spaces in remediation command for tls-cipher-suites
2019-01-02 10:59:07 +00:00
Liz Rice
2d721ed4ad
Merge branch 'master' into rm-space-tls-cipher 2019-01-02 10:53:29 +00:00
Liz Rice
799b928054
Merge pull request #189 from Congelli501/patch-1
Typo: trailing whitespace for rule text
2019-01-02 10:53:16 +00:00
Liz Rice
3a662b3ff6
Merge branch 'master' into doc-kubectl-host-pid 2019-01-02 10:53:04 +00:00
Liz Rice
f902b30110
Merge branch 'master' into rm-space-tls-cipher 2019-01-02 10:31:34 +00:00
Liz Rice
b52a88214f
Merge branch 'master' into patch-1 2019-01-02 10:30:33 +00:00
Liz Rice
bfdd921f3d
Merge pull request #190 from Congelli501/patch-2
Advise the user to mount /etc & /var read only for docker usage
2019-01-02 10:29:58 +00:00
Colin GILLE
af7ad90477
Advise the user to mount /etc & /var read only for docker usage 2018-12-31 16:39:31 +01:00
Colin GILLE
ffe7ffb3d3
Typo: trailing whitespace for rule text 2018-12-31 16:36:15 +01:00
Martin Mosegaard Amdisen
fd120d0adf Remove spaces in remediation command for tls-cipher-suites
Makes it easier to copy-paste the remediation. Matches the other occurrences
of tls-cipher-suites in the configuration.
2018-12-27 14:48:21 +01:00
Martin Mosegaard Amdisen
ba03d8f64b Document limitation of running with kubectl
Once the master node recommended check:

1.1.12 Ensure that the admission control plugin DenyEscalatingExec is set

has been followed, it is no longer possible to run kube-bench itself using kubectl.
2018-12-27 13:10:00 +01:00
Liz Rice
21f7902288
Merge pull request #183 from s1lv3r40/master
Fixing Node Check - 2.1.15 typos
2018-12-21 11:31:43 +00:00
Liz Rice
26e28b8897
Merge branch 'master' into master 2018-12-21 11:26:53 +00:00
Liz Rice
ae1812b4db
Merge pull request #185 from maxbischoff/patch-1
Added missing "=" to master.yaml
2018-12-21 11:26:40 +00:00
Liz Rice
1534a4aea8
Merge branch 'master' into patch-1 2018-12-21 11:20:13 +00:00
Liz Rice
28a57ff1a3
Merge branch 'master' into master 2018-12-21 11:18:26 +00:00
Liz Rice
41fe066039
Merge pull request #186 from seslattery/seslattery-patch-1
Fix typo on README.md
2018-12-21 11:17:31 +00:00
Sean Slattery
5ca498cd50
Fix typo on README.md 2018-12-20 11:19:44 -08:00
Maximilian Bischoff
e81b785bf8
Added missing "=" to master.yaml
In the remediation of 1.1.11 the flag --enable-admission-plugins was missing a =
2018-12-19 18:20:23 +01:00
Vladimir Dimov
645d23e1ec
fixing typos 2.1.15 2018-11-28 13:14:49 +02:00
Liz Rice
52d6ac717d
Merge pull request #181 from aquasecurity/config-file-location-mount
read config files from host /etc
2018-11-20 19:49:37 +00:00
Liz Rice
bdbbe41b69
Also /var 2018-11-20 13:22:36 +00:00
Liz Rice
ba9985047c
read config files from host /etc
I don't see how kube-bench can check the permissions on files unless it has access to them on the host, so I think we need to be mounting the /etc directory from the host
2018-11-20 10:18:06 +00:00
Liz Rice
5fe702edbe
Merge pull request #175 from aquasecurity/fix-2.1.8
Fix node check 2.1.8
2018-11-08 12:22:17 +00:00
Liz Rice
6e80b6477a
Merge branch 'master' into fix-2.1.8 2018-11-08 11:41:54 +00:00
Liz Rice
e1f5bb1ace
Merge pull request #173 from aquasecurity/fix-1.1.37
Fix check 1.1.37.
2018-11-08 11:40:06 +00:00
Liz Rice
6d8788071f
Merge branch 'master' into fix-2.1.8 2018-11-08 11:38:34 +00:00
Liz Rice
f42243e9b5
Merge branch 'master' into fix-1.1.37 2018-11-08 11:35:58 +00:00
Liz Rice
d004acdbba
Merge pull request #174 from johscheuer/correct-readme
Correct readme for 1.11 example
2018-11-08 11:33:50 +00:00
Abubakr-Sadik Nii Nai Davis
0a5358665e By default --make-iptables-util-chain is true, so PASS if this flag is not set. 2018-11-07 23:57:38 +00:00
Abubakr-Sadik Nii Nai Davis
4f40a11e84 Change binary op from and to or. 2018-11-07 23:54:41 +00:00
Johannes M. Scheuermann
b3b3cb819a Correct readme for 1.11 example
Signed-off-by: Johannes M. Scheuermann <joh.scheuer@gmail.com>
2018-11-07 21:51:52 +01:00
Abubakr-Sadik Nii Nai Davis
c0f56e966a Fix check 1.1.37. 2018-11-06 14:35:45 +00:00
Liz Rice
ed7f6cf3fc
Merge pull request #171 from nickperry/master
Fixes https://github.com/aquasecurity/kube-bench/issues/170
2018-11-01 09:57:14 +00:00
Nick Perry
e083c8f0a3 Fixes https://github.com/aquasecurity/kube-bench/issues/170
Correcting the logic of 1.1.14 for Kubernetes 1.11.
2018-10-30 23:40:41 +00:00
Liz Rice
77481e8739
Merge pull request #169 from mikekim/fix-1.3.7
Fixing 1.3.7 on 1.11 master.
2018-10-29 12:12:39 +00:00
Liz Rice
48489637c5
Merge branch 'master' into fix-1.3.7 2018-10-29 12:08:22 +00:00
Liz Rice
15537cb42b
Merge pull request #168 from mikekim/fix-dollar-in-paths
Fixing checks 2.2.9 and 2.2.10 on 1.11 nodes.
2018-10-27 09:31:55 +01:00
Michal Jankowski
9988503223 Fixing 1.3.7 on 1.11 master.
With multiple test items operator defaults to "and". In case of 1.3.7
the tests check whether --address flag is either set to 127.0.0.1 or not
set at all. Those conditions cannot be met at the same time.
2018-10-25 15:32:41 -07:00
Michal Jankowski
5f254de415 Fixing checks 2.2.9 and 2.2.10 on 1.11 nodes.
Path to kubelet configuration was accidentally prefixed with a dollar
symbol (probably as a result of copying some other test that used
variable name).
After removing the dollar sign from paths both checks pass on conforming
deployment.
2018-10-24 17:06:21 -07:00
Liz Rice
64f4f638e9
Merge pull request #167 from aquasecurity/fix-issue-with-kubelet-config-and-unitfile-checks
Fix issue with kubelet config and unitfile checks
2018-10-23 14:45:19 +01:00
Abubakr-Sadik Nii Nai Davis
97623aea05 Update kubernetes node benchmark to check kubelet systemd unitfile.
Also clean up the config file for 1.11 a bit.
2018-10-23 02:30:08 +00:00
Abubakr-Sadik Nii Nai Davis
ed21839464 Add getServiceFiles function.
The CIS benchmark check for node checks 2 config files for kubelet:
  - kubelet config file (kubelet.conf)
  - kubelet systemd unitfile (10-kubeadm.conf)

The getServiceFiles function gets candidates for kubelet systemd
unitfile and returns valid unitfiles.
2018-10-23 02:26:38 +00:00
Liz Rice
277ec9c823
Merge pull request #163 from noqcks/master
Update tests for Kubernetes 1.11 - thank you @noqcks!
2018-10-13 22:09:24 +01:00
Abubakr-Sadik Nii Nai Davis
b1369832bc A few corrections to node tests. (#2)
* Add a few corrections.

* Add a few corrections to node test file.
2018-10-13 15:48:50 -04:00
Abubakr-Sadik Nii Nai Davis
934b4aef96 Add a few corrections. (#1) 2018-10-12 10:22:08 -04:00
noqcks
e85de9e8af
fix simple errors 2018-10-09 19:16:08 -04:00