* Add expectedResultPattern to invalid test
when testing and try convert to numeric we didn't set expectedResultPattern value.
* check for auditconfig before using it
The current state is that when ever audit output is not what we search for we check for auditConfig output which is sometime empty and therefore create empty expected result as described in #694
* Fix issue about expectedResultPattern
expectedResultPattern not always shown and wasn't accurate enough
Issue #705
* Add tests for ExpectedResult and fixes
Add tests for ExpectedResult with the new output and the verify that the fix is working
* Add missing flags
In some cases not having audit or audit_config flag would fail the test.
So added just a simple commands like echo something to solve this issue
Also add bitmask checks
* Add example IAM policy
* Pass RotateKubeletServerCertificate related checks if it's not found (#767)
* Allow for environment variables to be checked in tests (#755)
* Initial commit for checking environment variables for etcd
* Revert config changes
* Remove redundant struct data
* Fix issues with failing tests
* Initial changes based on code review
* Add option to disable envTesting + Update docs
* Initial tests
* Finished testing
* Fix broken tests
* Add a total summary and always show all tests. (#759)
Whether the total summary is shown can be specified with an option.
Fixes#528
Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud>
* Update Readme.md file with link to Contribution guide (#754)
* Update License with the year and the owner name
Please add this to make your license agreement strong
* Updated Readme.md file with license and proper documentation links
I have added a proper license agreement to the documentation. Also shortened the links to the issues so that it does not break in any on the forks.
* Update LICENSE
* Update README.md
* Update README.md
* Remove erroneous license info
Co-authored-by: Liz Rice <liz@lizrice.com>
* Support auto-detect platform when running on EKS or GKE (#683)
* Support auto-detect platform when running on EKS or GKE
* Change to get platform name from `kubectl version`
* fix regexp and add test
* Update Server Version match for EKS
* try to get version info from api sever at first
* Change expected expectedResultPattern
Now expectedResultPattern is more verbose
* Update ops tests
* Fix unit tests
* Fix bitmask output syntax
* Changes to be committed:
modified: check/check.go
modified: check/test.go
modified: check/test_test.go
fix unit testing and test.go to resolve conflicts.
* Change found to flagFound
* add missing }
* change found to flag found
Co-authored-by: yoavrotems <yoavrotems97@gmail.com>
* Add example IAM policy
* Pass RotateKubeletServerCertificate related checks if it's not found (#767)
* Allow for environment variables to be checked in tests (#755)
* Initial commit for checking environment variables for etcd
* Revert config changes
* Remove redundant struct data
* Fix issues with failing tests
* Initial changes based on code review
* Add option to disable envTesting + Update docs
* Initial tests
* Finished testing
* Fix broken tests
* Add a total summary and always show all tests. (#759)
Whether the total summary is shown can be specified with an option.
Fixes#528
Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud>
* Update Readme.md file with link to Contribution guide (#754)
* Update License with the year and the owner name
Please add this to make your license agreement strong
* Updated Readme.md file with license and proper documentation links
I have added a proper license agreement to the documentation. Also shortened the links to the issues so that it does not break in any on the forks.
* Update LICENSE
* Update README.md
* Update README.md
* Remove erroneous license info
Co-authored-by: Liz Rice <liz@lizrice.com>
* Support auto-detect platform when running on EKS or GKE (#683)
* Support auto-detect platform when running on EKS or GKE
* Change to get platform name from `kubectl version`
* fix regexp and add test
* Update Server Version match for EKS
* try to get version info from api sever at first
* Refactor group skip
changed group 'skip' from being a bool to be 'type' string as done in check
* Change skip: true -> type: skip
Co-authored-by: Huang Huang <mozillazg101@gmail.com>
Co-authored-by: Wicked <jason_attwood@hotmail.co.uk>
Co-authored-by: Christian Zunker <827818+czunker@users.noreply.github.com>
Co-authored-by: Kaiwalya Koparkar <kaiwalyakoparkar@gmail.com>
Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
* Fix go vet issues
* to omit the property from JSON parsing one should use "-". "omit" in
that case would use omit tag
* The error was not reachable in the tests, so I moved it to the place
where it make sense for me (but maybe it was just unnecessary)
* Run all go vet linters in CI
* This return breaks the test
* Code quality improvements such -
1. Improves empty string test (len vs str == "")
2. Converts fmt.Sprintf to string literal and Printf to Print where possible (as the dynamic args are missing!)
* Delete .deepsource.toml
Co-authored-by: DeepSource Bot <bot@deepsource.io>
Co-authored-by: Liz Rice <liz@lizrice.com>
* read-only-port defaults are correct
* Tests that should catch good read-only-port
* Rework checks & tests
* Linting on issue template YAML
* More explicit test for 4.2.4
* Run audit as shell script instead of as single line command
* Rename runExecCommands to runAudit
* Fix tests
Co-authored-by: Liz Rice <liz@lizrice.com>
* Update check.go
Added new warn_reason value which gives a brief explanation about why the not scored tests failed
* Update common.go
Changed when a not scored test fails because it has a wrong syntax audit command or just running something that can't be run the print the failure. but if the test just fails because it doesn't line up with the cis hardening recommendations then print the remediation text.
* Update check/check.go
fix typo
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update check.go
* Update common.go
* Update check.go
added back os.Exit(1) to exitWithError
* Update job-master.data
Change some tests output to fit warn reason. (No change to the summary)
* Update job-node.data
Changed some tests output to fit warn reason. (No change to the summary)
* Update job.data
Change some tests output to fit warn reason. (No change to the summary)
* Update common.go
Keep to old way to print manual test output
Co-authored-by: Liz Rice <liz@lizrice.com>
Co-authored-by: Roberto Rojas <robertojrojas@gmail.com>
If a check is marked with type "skip", it will be marked as Info.
Support scored property:
If a check is not scored and is not marked with type skip, it will be marked as Warn.
and modify text to command function to support this.
Shell builtins fail the binary command lookup test which result in a
WARN. Audit commands which include shell builtins must use the form:
"/bin/sh -c 'sh-builtin arg'"
So they are executed properly. Additionally Go will fail to execute
commands involving shell builtins if they are not in the above format.
This is caused by a command in the audit pipeline (for example
ps -ef | grep kube-apiserver) failing. The causes of this failure
in my testing is usually a missing config file.
Extensive refactor and correction in verification code to check for
config files and binaries.
Replace joncalhoun/pipes with implementation using exec.Cmds so errors
are visible and can be handled when audit pipeline commands fail.
Change some audit commands
from: ps -ef | grep <cmd> | grep -v
to: ps -C <something> -o comm,args --no-headers
which is simpler to work with.