* Add OCP auto-detection
* Add test for openshift
* update and fix bugs
update file to match with new kube-bench features and fix bugs
* Update file and fix bugs
update file to match with new kube-bench features and fix bugs
* Remove specific configs
Those configs could be set in main config.yaml
* Update to include openshift files
* fix typos
* fix typo
* Remove trailing spaces
* Update util.go
* Add tests for getOcpValidVersion
* Add more logging
The old logging could was lacking and in some cases misleading
* Add Logging
Add more logs and change some old messages, the important part is make each test log more readable by adding ------ test id ------ section in logs
* Fix typos
* more info
add more info in comment about the function and it use cases
Co-authored-by: Liz Rice <liz@lizrice.com>
* Use switch case
Change the logic from if to switch and tidy up the code
* Add example IAM policy
* Pass RotateKubeletServerCertificate related checks if it's not found (#767)
* Allow for environment variables to be checked in tests (#755)
* Initial commit for checking environment variables for etcd
* Revert config changes
* Remove redundant struct data
* Fix issues with failing tests
* Initial changes based on code review
* Add option to disable envTesting + Update docs
* Initial tests
* Finished testing
* Fix broken tests
* Add a total summary and always show all tests. (#759)
Whether the total summary is shown can be specified with an option.
Fixes#528
Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud>
* Update Readme.md file with link to Contribution guide (#754)
* Update License with the year and the owner name
Please add this to make your license agreement strong
* Updated Readme.md file with license and proper documentation links
I have added a proper license agreement to the documentation. Also shortened the links to the issues so that it does not break in any on the forks.
* Update LICENSE
* Update README.md
* Update README.md
* Remove erroneous license info
Co-authored-by: Liz Rice <liz@lizrice.com>
* Support auto-detect platform when running on EKS or GKE (#683)
* Support auto-detect platform when running on EKS or GKE
* Change to get platform name from `kubectl version`
* fix regexp and add test
* Update Server Version match for EKS
* try to get version info from api sever at first
* Refactor group skip
changed group 'skip' from being a bool to be 'type' string as done in check
* Change skip: true -> type: skip
Co-authored-by: Huang Huang <mozillazg101@gmail.com>
Co-authored-by: Wicked <jason_attwood@hotmail.co.uk>
Co-authored-by: Christian Zunker <827818+czunker@users.noreply.github.com>
Co-authored-by: Kaiwalya Koparkar <kaiwalyakoparkar@gmail.com>
Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
* add aasf
* add AASF format
* credentials provider
* add finding publisher
* add finding publisher
* add write AASF path
* add testing
* read config from file
* update docker file
* refactor
* remove sample
* add comments
* Add comment in EKS config.yaml
* Fix comment typo
* Fix spelling of ASFF
* Fix typo and other small code review suggestions
* Limit length of Actual result field
Avoids this message seen in testing:
Message:Finding does not adhere to Amazon Finding Format. data.ProductFields['Actual result'] should NOT be longer than 1024 characters.
* Add comment for ASFF schema
* Add Security Hub documentation
* go mod tidy
* remove dupe lines in docs
* support integration in any region
* fix README link
* fix README links
Co-authored-by: Liz Rice <liz@lizrice.com>
* First draft of AKS configuration checks.
* Updated Azure Configurations. Added more policy checks.
* Finalized cfg components for AKS.
* Fixed targets for aks-1.0 in common_test.go
* Fixed yaml linting issues.
* Fixed white space yaml linkting issues in policies.yaml
* Fixed white space yaml linting issues in policies.yaml
* Changes for 1.5
* Update cis-1.3 through 1.6 to also work with configmaps.
* Switch on if proxykubeconfig is set, instead of setting a variable in the script.
* permissons -> proxykubeconfig for 2.2.5/4.1.3 to keep these tests locked with 2.2.6/4.1.4
* Updating test output? Maybe?
* Copy integration test output files into docker image?
* Make entrypoint move integration folder to host, print 1.5 node info.
* Change the order of tests in travis to load files before testing.
* Return tests to place
Those tests comes first since there is more likely to fail with them and then the test will fail "faster" which will save time
* Remove copy integration
When running in a container we don't need to test, only when build and running in Travis to make sure everything is working fine.
* Add $ mark before proxykubeconfig
If not having $ before the parameter then it won't get substituted
* Add $ mark before proxykubeconfig
If not having $ before the parameter then it won't get substituted
* Remove test relate lines
We don't test while running, only integration testing when building and unit testing
* Add spaces
* Change 4.1.3 4.1.4
Those tests now should pass.
* Change tests 4.1.3 and 4.1.4
Those tests now should PASS
* Update job.data with more accurate counts. Thanks to @yoavrotems for getting the project this far!
* Thanks for linting, yamllint!
Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
- id: 4.6
text: "Verify the scheduler pod specification file ownership set by OpenShift"
audit: "stat -c %u:%g /etc/origin/node/pods/controller.yaml" -- (lower case u and g ) it returns the uID and gID in numeric i.e 0:0 not root:root.
it supposed to be Uppercase: audit: "stat -c %U:%G /etc/origin/node/pods/controller.yaml"
* read-only-port defaults are correct
* Tests that should catch good read-only-port
* Rework checks & tests
* Linting on issue template YAML
* More explicit test for 4.2.4
* Add tests for 1.1.19、1.1.20 and 1.1.21 of cis-1.5
* Avoid division by 0
* Use bitmask instead of lte
* Change to use multiple values via `use_multiple_values: true`
* Use find in 1.1.20 and 1.1.21
Allows user to specify either `--version` or `--benchmark-version` as `eks-1.0`
Allows user to specify (or auto-detect K8s version 1.18) and get the CIS 1.5 benchmark
* Remove unnecessary whitespaces
* Fix a typo
* Add integration tests for cis 1.3 and cis 1.5
* Change the timeout of integration tests from 600s to 1200s
* Avoid repeated codes
* Add option to do bitwise and between two value in order to compare permissions
* Update test.go
Removed self debug note
* Update test_test.go
FIx typo
* Update test.go
* Update test.go
Switched between max and requested value, because accidentally assigned them oppositely and remove old function relate to octal base
* Update test_test.go
* Update test_test.go
* add yamllint command to travis CI
installs and runs a linter across the YAML in the
project to ensure consistency in the written YAML.
this uses yamllint and the default yamllint config with
"truthy" and "line-length" disabled.
* run dos2unix on CRLF files
* YAMLLINT: remove trailing spaces
* YAMLLint: add YAML document start
* YAMLLint: too many spaces around bracket
* YAMLLint: fix indentation
* YAMLLint: remove duplicate key
* YAMLLint: newline at end of file
* YAMLLint: Too few spaces after comma
* YAMLLint: too many spaces after colon
