mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-15 20:39:08 +00:00
e4d6ed2e8e
* Add example IAM policy * Pass RotateKubeletServerCertificate related checks if it's not found (#767) * Allow for environment variables to be checked in tests (#755) * Initial commit for checking environment variables for etcd * Revert config changes * Remove redundant struct data * Fix issues with failing tests * Initial changes based on code review * Add option to disable envTesting + Update docs * Initial tests * Finished testing * Fix broken tests * Add a total summary and always show all tests. (#759) Whether the total summary is shown can be specified with an option. Fixes #528 Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud> * Update Readme.md file with link to Contribution guide (#754) * Update License with the year and the owner name Please add this to make your license agreement strong * Updated Readme.md file with license and proper documentation links I have added a proper license agreement to the documentation. Also shortened the links to the issues so that it does not break in any on the forks. * Update LICENSE * Update README.md * Update README.md * Remove erroneous license info Co-authored-by: Liz Rice <liz@lizrice.com> * Support auto-detect platform when running on EKS or GKE (#683) * Support auto-detect platform when running on EKS or GKE * Change to get platform name from `kubectl version` * fix regexp and add test * Update Server Version match for EKS * try to get version info from api sever at first * Refactor group skip changed group 'skip' from being a bool to be 'type' string as done in check * Change skip: true -> type: skip Co-authored-by: Huang Huang <mozillazg101@gmail.com> Co-authored-by: Wicked <jason_attwood@hotmail.co.uk> Co-authored-by: Christian Zunker <827818+czunker@users.noreply.github.com> Co-authored-by: Kaiwalya Koparkar <kaiwalyakoparkar@gmail.com> Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
310 lines
8.6 KiB
Go
310 lines
8.6 KiB
Go
// Copyright © 2017 Aqua Security Software Ltd. <info@aquasec.com>
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package check
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/json"
|
|
"encoding/xml"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/aws/aws-sdk-go/aws"
|
|
"github.com/aws/aws-sdk-go/service/securityhub"
|
|
"github.com/golang/glog"
|
|
"github.com/onsi/ginkgo/reporters"
|
|
"github.com/spf13/viper"
|
|
"gopkg.in/yaml.v2"
|
|
)
|
|
|
|
const (
|
|
// UNKNOWN is when the AWS account can't be found
|
|
UNKNOWN = "Unknown"
|
|
// ARN for the AWS Security Hub service
|
|
ARN = "arn:aws:securityhub:%s::product/aqua-security/kube-bench"
|
|
// SCHEMA for the AWS Security Hub service
|
|
SCHEMA = "2018-10-08"
|
|
// TYPE is type of Security Hub finding
|
|
TYPE = "Software and Configuration Checks/Industry and Regulatory Standards/CIS Kubernetes Benchmark"
|
|
)
|
|
|
|
type OverallControls struct {
|
|
Controls []*Controls
|
|
Totals Summary
|
|
}
|
|
|
|
// Controls holds all controls to check for master nodes.
|
|
type Controls struct {
|
|
ID string `yaml:"id" json:"id"`
|
|
Version string `json:"version"`
|
|
Text string `json:"text"`
|
|
Type NodeType `json:"node_type"`
|
|
Groups []*Group `json:"tests"`
|
|
Summary
|
|
}
|
|
|
|
// Group is a collection of similar checks.
|
|
type Group struct {
|
|
ID string `yaml:"id" json:"section"`
|
|
Type string `yaml:"type" json:"type"`
|
|
Pass int `json:"pass"`
|
|
Fail int `json:"fail"`
|
|
Warn int `json:"warn"`
|
|
Info int `json:"info"`
|
|
Text string `json:"desc"`
|
|
Checks []*Check `json:"results"`
|
|
}
|
|
|
|
// Summary is a summary of the results of control checks run.
|
|
type Summary struct {
|
|
Pass int `json:"total_pass"`
|
|
Fail int `json:"total_fail"`
|
|
Warn int `json:"total_warn"`
|
|
Info int `json:"total_info"`
|
|
}
|
|
|
|
// Predicate a predicate on the given Group and Check arguments.
|
|
type Predicate func(group *Group, check *Check) bool
|
|
|
|
// NewControls instantiates a new master Controls object.
|
|
func NewControls(t NodeType, in []byte) (*Controls, error) {
|
|
c := new(Controls)
|
|
|
|
err := yaml.Unmarshal(in, c)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to unmarshal YAML: %s", err)
|
|
}
|
|
|
|
if t != c.Type {
|
|
return nil, fmt.Errorf("non-%s controls file specified", t)
|
|
}
|
|
|
|
return c, nil
|
|
}
|
|
|
|
// RunChecks runs the checks with the given Runner. Only checks for which the filter Predicate returns `true` will run.
|
|
func (controls *Controls) RunChecks(runner Runner, filter Predicate, skipIDMap map[string]bool) Summary {
|
|
var g []*Group
|
|
m := make(map[string]*Group)
|
|
controls.Summary.Pass, controls.Summary.Fail, controls.Summary.Warn, controls.Info = 0, 0, 0, 0
|
|
|
|
for _, group := range controls.Groups {
|
|
for _, check := range group.Checks {
|
|
|
|
if !filter(group, check) {
|
|
continue
|
|
}
|
|
|
|
_, groupSkippedViaCmd := skipIDMap[group.ID]
|
|
_, checkSkippedViaCmd := skipIDMap[check.ID]
|
|
|
|
if group.Type == SKIP || groupSkippedViaCmd || checkSkippedViaCmd {
|
|
check.Type = SKIP
|
|
}
|
|
|
|
state := runner.Run(check)
|
|
|
|
check.TestInfo = append(check.TestInfo, check.Remediation)
|
|
|
|
// Check if we have already added this checks group.
|
|
if v, ok := m[group.ID]; !ok {
|
|
// Create a group with same info
|
|
w := &Group{
|
|
ID: group.ID,
|
|
Text: group.Text,
|
|
Checks: []*Check{},
|
|
}
|
|
|
|
// Add this check to the new group
|
|
w.Checks = append(w.Checks, check)
|
|
summarizeGroup(w, state)
|
|
|
|
// Add to groups we have visited.
|
|
m[w.ID] = w
|
|
g = append(g, w)
|
|
} else {
|
|
v.Checks = append(v.Checks, check)
|
|
summarizeGroup(v, state)
|
|
}
|
|
|
|
summarize(controls, state)
|
|
}
|
|
}
|
|
|
|
controls.Groups = g
|
|
return controls.Summary
|
|
}
|
|
|
|
// JSON encodes the results of last run to JSON.
|
|
func (controls *Controls) JSON() ([]byte, error) {
|
|
return json.Marshal(controls)
|
|
}
|
|
|
|
// JUnit encodes the results of last run to JUnit.
|
|
func (controls *Controls) JUnit() ([]byte, error) {
|
|
suite := reporters.JUnitTestSuite{
|
|
Name: controls.Text,
|
|
TestCases: []reporters.JUnitTestCase{},
|
|
Tests: controls.Summary.Pass + controls.Summary.Fail + controls.Summary.Info + controls.Summary.Warn,
|
|
Failures: controls.Summary.Fail,
|
|
}
|
|
for _, g := range controls.Groups {
|
|
for _, check := range g.Checks {
|
|
jsonCheck := ""
|
|
jsonBytes, err := json.Marshal(check)
|
|
if err != nil {
|
|
jsonCheck = fmt.Sprintf("Failed to marshal test into JSON: %v. Test as text: %#v", err, check)
|
|
} else {
|
|
jsonCheck = string(jsonBytes)
|
|
}
|
|
tc := reporters.JUnitTestCase{
|
|
Name: fmt.Sprintf("%v %v", check.ID, check.Text),
|
|
ClassName: g.Text,
|
|
|
|
// Store the entire json serialization as system out so we don't lose data in cases where deeper debugging is necessary.
|
|
SystemOut: jsonCheck,
|
|
}
|
|
|
|
switch check.State {
|
|
case FAIL:
|
|
tc.FailureMessage = &reporters.JUnitFailureMessage{Message: check.Remediation}
|
|
case WARN, INFO:
|
|
// WARN and INFO are two different versions of skipped tests. Either way it would be a false positive/negative to report
|
|
// it any other way.
|
|
tc.Skipped = &reporters.JUnitSkipped{}
|
|
case PASS:
|
|
default:
|
|
glog.Warningf("Unrecognized state %s", check.State)
|
|
}
|
|
|
|
suite.TestCases = append(suite.TestCases, tc)
|
|
}
|
|
}
|
|
|
|
var b bytes.Buffer
|
|
encoder := xml.NewEncoder(&b)
|
|
encoder.Indent("", " ")
|
|
err := encoder.Encode(suite)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("Failed to generate JUnit report: %s", err.Error())
|
|
}
|
|
|
|
return b.Bytes(), nil
|
|
}
|
|
|
|
// ASFF encodes the results of last run to AWS Security Finding Format(ASFF).
|
|
func (controls *Controls) ASFF() ([]*securityhub.AwsSecurityFinding, error) {
|
|
fs := []*securityhub.AwsSecurityFinding{}
|
|
a, err := getConfig("AWS_ACCOUNT")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
c, err := getConfig("CLUSTER_ARN")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
region, err := getConfig("AWS_REGION")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
arn := fmt.Sprintf(ARN, region)
|
|
|
|
ti := time.Now()
|
|
tf := ti.Format(time.RFC3339)
|
|
for _, g := range controls.Groups {
|
|
for _, check := range g.Checks {
|
|
if check.State == FAIL || check.State == WARN {
|
|
// ASFF ProductFields['Actual result'] can't be longer than 1024 characters
|
|
actualValue := check.ActualValue
|
|
if len(check.ActualValue) > 1024 {
|
|
actualValue = check.ActualValue[0:1023]
|
|
}
|
|
f := securityhub.AwsSecurityFinding{
|
|
AwsAccountId: aws.String(a),
|
|
Confidence: aws.Int64(100),
|
|
GeneratorId: aws.String(fmt.Sprintf("%s/cis-kubernetes-benchmark/%s/%s", arn, controls.Version, check.ID)),
|
|
Id: aws.String(fmt.Sprintf("%s%sEKSnodeID+%s%s", arn, a, check.ID, tf)),
|
|
CreatedAt: aws.String(tf),
|
|
Description: aws.String(check.Text),
|
|
ProductArn: aws.String(arn),
|
|
SchemaVersion: aws.String(SCHEMA),
|
|
Title: aws.String(fmt.Sprintf("%s %s", check.ID, check.Text)),
|
|
UpdatedAt: aws.String(tf),
|
|
Types: []*string{aws.String(TYPE)},
|
|
Severity: &securityhub.Severity{
|
|
Label: aws.String(securityhub.SeverityLabelHigh),
|
|
},
|
|
Remediation: &securityhub.Remediation{
|
|
Recommendation: &securityhub.Recommendation{
|
|
Text: aws.String(check.Remediation),
|
|
},
|
|
},
|
|
ProductFields: map[string]*string{
|
|
"Reason": aws.String(check.Reason),
|
|
"Actual result": aws.String(actualValue),
|
|
"Expected result": aws.String(check.ExpectedResult),
|
|
"Section": aws.String(fmt.Sprintf("%s %s", controls.ID, controls.Text)),
|
|
"Subsection": aws.String(fmt.Sprintf("%s %s", g.ID, g.Text)),
|
|
},
|
|
Resources: []*securityhub.Resource{
|
|
{
|
|
Id: aws.String(c),
|
|
Type: aws.String(TYPE),
|
|
},
|
|
},
|
|
}
|
|
fs = append(fs, &f)
|
|
}
|
|
}
|
|
}
|
|
return fs, nil
|
|
}
|
|
func getConfig(name string) (string, error) {
|
|
r := viper.GetString(name)
|
|
if len(r) == 0 {
|
|
return "", fmt.Errorf("%s not set", name)
|
|
}
|
|
return r, nil
|
|
}
|
|
func summarize(controls *Controls, state State) {
|
|
switch state {
|
|
case PASS:
|
|
controls.Summary.Pass++
|
|
case FAIL:
|
|
controls.Summary.Fail++
|
|
case WARN:
|
|
controls.Summary.Warn++
|
|
case INFO:
|
|
controls.Summary.Info++
|
|
default:
|
|
glog.Warningf("Unrecognized state %s", state)
|
|
}
|
|
}
|
|
|
|
func summarizeGroup(group *Group, state State) {
|
|
switch state {
|
|
case PASS:
|
|
group.Pass++
|
|
case FAIL:
|
|
group.Fail++
|
|
case WARN:
|
|
group.Warn++
|
|
case INFO:
|
|
group.Info++
|
|
default:
|
|
glog.Warningf("Unrecognized state %s", state)
|
|
}
|
|
}
|