Commit Graph

299 Commits

Author SHA1 Message Date
LaibaBareera
581b68d985 Add CIS Benchmark for EKS-1.8 (#2020)
* Add CIS Benchmark for EKS-1.8

* fix linter error

* fix the mentioned issue

---------

Co-authored-by: afdesk <work@afdesk.com>
2025-12-29 17:30:13 +06:00
LaibaBareera
462a50341a fix: Checks of rke2-1.8 (#2010)
* fix: Checks of rke2-1.8

* fix the check 1.1.7 and 1.1.8 in all rke2 versions

* fix the mentioned issues

* fix the check 1.1.11

---------
2025-12-22 14:00:43 +06:00
LaibaBareera
496ec149bc fix: update checks 5.1.1, 5.1.2 and 5.1.4 for CIS 1.9 / CIS 1.10 (#1989)
* Fix the issue 1982

* remove the type manual and revert changes of test in each check

* fix linter error

* changed scored to false for check 5.1.3, 5.1.5, 5.1.6
2025-11-04 20:05:33 +06:00
LaibaBareera
c7d9863e57 add cis benchmark for rke2-cis-1.8 (#1983)
* add cis benchmark for rke2-cis-1.8

* fix check 1.1.11, 1.1.7, 1.1.8, 4.1.9 and 4.1.10

* fix the issue in all rke2 versions

---------

Co-authored-by: afdesk <work@afdesk.com>
2025-11-03 13:18:29 +06:00
LaibaBareera
76804bf7fa feat: add cis benchmark for gke v1.8.0 (#1958)
* add cis benchmark for gke v1.8.0

* fix linter error

* fix checks for managed services
2025-09-26 12:18:40 +06:00
Markus Boehme
014ac455b5 eks-1.7.0: allow default value for eventRecordQPS rule (#1954)
The CIS Benchmark for Amazon EKS v1.7.0, recommendation 3.2.7 asks to
"Ensure that the --eventRecordQPS argument is set to 0 or a level which
ensures appropriate event capture". The --event-qps option on the
command line and the eventRecordQPS option in the configuration file
both have the same default value of 5, but differ in how they treat an
explicitly set value of 0:

  - The --event-qps command line option treats 0 as the default
    value of 5 QPS.
  - The eventRecordQPS configuration file option treats 0 as unlimited
    (and the absence of the option as the default value of 5 QPS).

Since setting --event-qps=0, using the default value, is acceptable for
the command line option, using the default value for eventRecordQPS by
not explicitly setting the option should be allowed as well. Note that
this is already the case in the configuration for the generic Kubernetes
CIS Benchmark.
2025-09-26 12:06:18 +06:00
LaibaBareera
21dd168736 add checks for cis benchmarks of rh-1.8 (#1945)
Co-authored-by: afdesk <work@afdesk.com>
2025-09-16 14:00:14 +06:00
Andy Pitcher
e3becc9f19 Create cis-1.11 (#1944)
First yamls and Update info
	- Modify yaml versions from 1.10 to 1.11
	- Adapt configmap to cover cis-1.11
	- Adapt docs and cmd files
	- Fix version_mapping in global configMap and common_test.go: Kuberversion for cis-1.11
	- doc: improve version mapping in platforms
Adapt master.yaml
	- modify: 1.1.20 https://workbench.cisecurity.org/benchmarks/19519/tickets/24017 permissions changed from 600 to 644
	- create: 1.2.30 Ensure that the --service-account-extend-token-expiration parameter is set to false (Automated)
Adapt node.yaml
	- Add: 4.2.14 Ensure that the --seccomp-default parameter is set to true (Manual)
	- Add: 4.2.15 Ensure that the --IPAddressDeny is set to any (Manual) - this check is to be removed in CIS-1.1.12, I suggest we discard it.
	- Modify: 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual) - (changed from 600 to 644) https://workbench.cisecurity.org/community/43/discussions/11786
	- Modify: 4.2.4 Verify that if defined, readOnlyPort is set to 0 (Manual) - Added "if defined"
Adapt policies.yaml
	- Modify: 5.1.1 to 5.1.6 from (Automated) to (Manual)
	- Modify: section titled "General Policies" was renumbered from 5.7 in v1.10 to 5.6
2025-09-09 15:00:43 +06:00
LaibaBareera
52a646c2a3 Add rh 1.4 (#1922)
* add CIS Benchmark for eks-v1.7

* fix failed test cases

* added eks 1.7 for supported kubernetes version

* added eks 1.7 for supported kubernetes version

* fix failed test cases

* add test cases for it

* fix

* add test case for eks 1.5

* change methodology

* fix the issue mentioned in pr

* fix linter error

* Update cmd/util.go

Co-authored-by: afdesk <work@afdesk.com>

* fix the failed test

* add cis benchmark for red hat openshift container v1.4

* fix failed test cases

* fix checks for rh-1.4

* mark scored true to manual test if they have test cases

* fix check 1.2.4

* rebase the changes in go.sum

---------

Co-authored-by: afdesk <work@afdesk.com>
2025-09-02 22:28:03 +06:00
LaibaBareera
9c01682a92 add CIS Benchmark for eks-v1.7 (#1916)
* add CIS Benchmark for eks-v1.7

* fix failed test cases

* added eks 1.7 for supported kubernetes version

* added eks 1.7 for supported kubernetes version

* fix failed test cases

* add test cases for it

* fix

* add test case for eks 1.5

* change methodology

* fix the issue mentioned in pr

* fix linter error

* Update cmd/util.go

Co-authored-by: afdesk <work@afdesk.com>

* fix the failed test

---------

Co-authored-by: afdesk <work@afdesk.com>
2025-08-18 12:05:16 +06:00
LaibaBareera
a3a8544a1d Add AKS-1.7 version (#1874)
* Add AKS-1.7 version

* resolve linter error

* add aks-1.7 as a default platform aks version

* add alternative method to identify AKS specific cluster

* fix alternative method

* combine logic of label and providerId in isAKS function

* fix checks of aks-1.7

* fix the mentioned issues

* fix test cases
2025-06-17 14:43:21 +06:00
mjshastha
74872845a2 fix(audit): improve of etcd, controller, and scheduler audits (#1883)
- Updated 1.1.11 to wrap etcd data directory stat in a conditional check.
- Updated 1.3.7 and 1.4.2 to conditionally check if the controller manager and scheduler binaries exist before running ps/grep.
2025-06-04 19:14:21 +06:00
Masashi Honma
6a46d64538 1.1.15, 1.1.17 of rke2-cis-1.7 fails (#1844)
Resolves #1843.

This PR adds paths to schedulerkubeconfig and controllermanagerkubeconfig to
fix the failures, and replaces hard-coded values with variables.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2025-04-02 14:52:03 +06:00
Simon Alexander Alsing
c40b2a72e2 fix: typo of applicaions which should have been applications (#1819) 2025-03-04 12:27:13 +06:00
Abubakr-Sadik Nii Nai Davis
26aaeecc0f fix: required fixes for rke-cis 1.7 / 1.28 / 1.29 (#1792) 2025-02-04 18:19:05 +06:00
Andy Pitcher
3a2348eba7 Add CIS Kubernetes CIS-1.10 for k8s v1.28 - v1.31 (#1753)
* Create cis-1.10 yamls and Update info
	- Modify yaml versions from 1.9 to 1.10
	- Adapt configmap to cover cis-1.10
	- Adapt docs and cmd files

* Adapt master.yaml
	- 1.2.29 update cipher list to remove the following insecure ones (RC4-Based, 3DES-Based, RSA-Based AES CBC):
          TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
          TLS_RSA_WITH_3DES_EDE_CBC_SHA,
          TLS_RSA_WITH_AES_128_CBC_SHA256,
          TLS_RSA_WITH_AES_128_CBC_SHA,
          TLS_RSA_WITH_AES_256_CBC_SHA,
          TLS_RSA_WITH_RC4_128_SHA,
          TLS_ECDHE_RSA_WITH_RC4_128_SHA
          ticket: https://workbench.cisecurity.org/community/43/tickets/21760

* Adapt policies.yaml
	- 5.1.11 typo in sub-resource name 'certificatesigningrequest' https://workbench.cisecurity.org/tickets/21352
	- 5.2.2 new audit to verify if a container is privileged or not. https://workbench.cisecurity.org/tickets/20919
	- 5.2.3 new audit to verify the presence of hostPID opt-in across all pods. https://workbench.cisecurity.org/tickets/20919
	- 5.2.4 new audit to verify the presence of hostIPC opt-in across all pods. https://workbench.cisecurity.org/tickets/20923
	- 5.2.5 new audit to verify the presence of hostNetwork opt-in across all pods. https://workbench.cisecurity.org/tickets/20921
	- 5.2.6 new audit to verify the presence of 'allowPrivilegeEscalation' to true across all pods' container(s)
	- 5.2.6 the 'allowPrivilegeEscalation' setting is moved from 'spec' to 'securityContext' https://workbench.cisecurity.org/tickets/20922
	- 5.2.9 new audit to verify the presence of added capabilities across all pods' container(s)

* Fix 5.2.6 remediation
2025-01-13 11:18:15 +06:00
Peter Balogh
a38a3c5bbc feat: CIS EKS 1.5.0 (#1653)
* feat(cfg): add EKS 1.5.0

* fix(cfg): target map

* fix: update eks job

* fix: target mapping

* feat: use CIS EKS 1.5.0 by default

* fix: scored in node.yaml

Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com>

* doc: add CIS EKS 1.5.0

Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com>

---------

Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com>
2025-01-10 15:18:50 +06:00
Abubakr-Sadik Nii Nai Davis
f0f89b2707 fix: change the folder name for certificate files in rke-1.23 and rke-1.24, fixes #1747 (#1749) 2024-12-16 11:44:08 +06:00
Abubakr-Sadik Nii Nai Davis
20604a5f86 fix: change the folder name for certificate files in rke-cis-1.7 2024-12-09 11:16:04 +06:00
lizhang96
64bc05354b fix: k3s-cis-*- CHECK 4.2.1-4.2.3 (#1739)
* fix the node kubelet related tests

* update the tests
2024-12-06 13:29:34 +06:00
Konstantinos Tsakalozos
39dfe93b68 Ensure 127.0.0.1 for the --bind-address parameter (#1723) 2024-11-18 09:56:28 +06:00
Omar kamoun
fa478ce238 fix: correct TLSCipherSuites to tlsCipherSuites (#1703) 2024-10-16 11:50:10 +06:00
Abubakr-Sadik Nii Nai Davis
a15e8acaa3 Add GKE 1.6 CIS benchmark for GCP environment (#1672)
* Add config entries for GKE 1.6 controls

* Add gke1.6 control plane recommendations

* Add gke-1.6.0 worker node recommendations

* Add gke-1.6.0 policy recommendations

* Add managed services and policy recommendation

* Add master recommendations

* Fix formatting across gke-1.6.0 files

* Add gke-1.6.0 benchmark selection based on k8s version

* Workaround: hardcode kubelet config path for gke-1.6.0

* Fix tests for makeIPTablesUtilChains

* Change scored field for all node tests to true

* Fix kubelet file permission to check for

---------

Co-authored-by: afdesk <work@afdesk.com>
2024-10-11 10:49:35 +06:00
Matthias Muth
e8562f2944 Extend default kubelet configlist to fit AWS EKS (#1637)
- the latest default Kubernetes setup of AWS has
  its kubelet config path in the added location.
  Proposing to extend the list of scanned paths in
  order to make kube-bench execution more painless
  and "quick start like" in default setups.
2024-10-04 14:08:03 +06:00
Arano-kai
3a0ccc440c fix: rh-1.0 check 4.1.3 typo (#1652)
Co-authored-by: Arano-kai <captcha.is(dot)evil(meov)gmail.com>
2024-10-04 13:42:56 +06:00
Winnerson Kharsunai
7ea1d59bb1 update audit script for cis-1.9 kubernetes policies id 5.1.6 (#1655) 2024-10-01 11:48:02 +06:00
Andy Pitcher
4b4c1ce709 Modify 1.2.3 Ensure that the DenyServiceExternalIPs is set in CIS-1.7/1.8 (#1607)
* Modify 1.2.3 Ensure that the DenyServiceExternalIPs is set
 - op changed from `have` to `has` and removed bin_op: or
 - remediation description changed to only include --enable-admission-plugins

* Apply changes for CIS-1.9
2024-09-30 10:30:59 +06:00
Andy Pitcher
b85ec78a84 Fix CIS-1.9 policies 5.1.1/5.1.5 typos (#1658)
* Fix CIS-1.9 policies 5.1.1 typo

* Fix typo CIS-1.9 5.1.5

* Add new lines to CIS-1.9
2024-09-30 09:54:45 +06:00
Andy Pitcher
2751f87034 Fix audit and remediation for CIS-1.9 master 1.1.13/1.1.14 (#1649)
* Fix audit and remediation for CIS-1.9 master 1.1.13/1.1.14

* Fix loop syntax for file paths

---------

Co-authored-by: afdesk <work@afdesk.com>
2024-09-26 10:45:48 +06:00
Derek Nola
a9422a6623 Overhaul of K3s scans (#1659)
* Overhaul K3s 1.X checks

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Overhaul K3s 2.X Checks

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Overhaul K3s 4.X checks

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Overhaul K3s 5.X checks

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Add K3s cis-1.8 scan

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Fix K3s 1.1.10 check

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Merge journalctl checks for K3s

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Matched Manual/Automated to correct scoring (false/true)

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Remove incorrect use of check_for_default_sa.sh script

Signed-off-by: Derek Nola <derek.nola@suse.com>

---------

Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: afdesk <work@afdesk.com>
2024-09-25 13:12:02 +06:00
Saurabh Misra
c533d68bad FIXING RKE-2-CIS-1.24 Checks (#1688)
MASTER:
    Checks 1.1.10, 1.1.20 are manual
NODE:
    a. Check 4.2.12 is the node-level equivalent of the master-level check 1.3.6 and is treated the same way.
2024-09-24 11:56:58 +06:00
Andy Pitcher
7027b6b2ec Add CIS kubernetes CIS-1.9 for k8s v1.27 - v1.29 (#1617)
* Create cis-1.9 yamls and Update info
      - policies.yaml
          - 5.1.1 to 5.1.6 were adapted from Manual to Automated
          - 5.1.3 got broken down into 5.1.3.1 and 5.1.3.2
          - 5.1.6 got broken down into 5.1.6.1 and 5.1.6.2
          - version was set to cis-1.9
      - node.yaml master.yaml controlplane.yaml etcd.yaml
          - version was set to cis-1.9

* Adapt master.yaml
    - Expand 1.1.13/1.1.14 checks by adding super-admin.conf to the permission and ownership verification
    - Remove 1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)
    - Adjust numbering from 1.2.12 to 1.2.29

* Adjust policies.yaml
   - Check 5.2.3 to 5.2.9 Title Automated to Manual

* Append node.yaml
   - Create 4.3 kube-config group
   - Create 4.3.1 Ensure that the kube-proxy metrics service is bound to localhost (Automated)

* Adjust policies 5.1.3 and 5.1.6

   - Merge 5.1.3.1 and 5.1.3.2 into 5.1.3 (use role_is_compliant and clusterrole_is_compliant)
   - Remove 5.1.6.1 and promote 5.1.6.2 to 5.1.6 since it natively covered 5.1.6.1 artifacts

* Add kubectl dependency and update publish
   - Download kubectl (build stage) based on version and architecture
   - Add binary checksum verification
   - Use go env GOARCH for ARCH
2024-06-26 15:53:57 +03:00
Derek Nola
ed51191d7c Replace custom k3s etcd script checks with vanilla grep checks (#1601)
* Replace custom k3s etcd script checks with vanilla grep checks

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Rework etcd grep, remove etcd ENV checks (no-op), add correct k3s etcddatadir

Signed-off-by: Derek Nola <derek.nola@suse.com>

* chore: update go-linter version

Signed-off-by: chenk <hen.keinan@gmail.com>

* Use etcddatadir variable

Signed-off-by: Derek Nola <derek.nola@suse.com>

---------

Signed-off-by: Derek Nola <derek.nola@suse.com>
Signed-off-by: chenk <hen.keinan@gmail.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
2024-05-20 13:47:15 +03:00
mjshastha
d2d3e72271 Currently, certain commands involve retrieving all node names or pods and then executing additional commands in a loop, resulting in a time complexity linearly proportional to the number of nodes. (#1597)
This approach becomes time-consuming for larger clusters.

As kube-bench is executed as a job on every node in the cluster, to enhance performance the commands were streamlined to execute directly on the current node where kube-bench operates.
This change ensures that the time complexity remains constant, regardless of the cluster size.
By running the necessary commands only once per node, regardless of how many nodes are in the cluster, this approach significantly boosts performance and efficiency.
2024-04-18 09:01:17 +03:00
Kiran Bodipi
ee5e4aff51 update rke-cis-1.24 benchmarks: corrected errors and tests (#1570)
corrected few benchmarks with title and respective tests
Handled type and title mismatch
Added missing audit commands
2024-02-15 11:34:31 +02:00
Kiran Bodipi
2374e7b07f Rancher checks correction (#1563)
1. Modified the test criteria so that they produce the right output when the file does not exist.
2. Modified the tests wherever root:root is checked multiple times.
2024-02-12 15:29:36 +02:00
Kiran Bodipi
13da372a87 Updating the rh-1.0 OCP checks (#1548)
1. Added audit commands wherever required.
2. Updated the scripts' type to manual to match the title.
3. Updated the scripts with test_items wherever required.
4. Fixed a typo.
2024-01-23 08:56:40 +02:00
mjshastha
7a55d5d57c Issue: The initial command produces "root:root" as its output only when the file is present. However, if the file is missing, the command will still run successfully, though the desired output of "root:root" won't be obtained. (#1538)
Fix: To address this, we've modified the command to achieve the following:

Verify the existence of the file.

If the file is found, show the user and group ownership in the "username:groupname" format.

If the file is not found, display the message "File not found."

To accommodate this change, we've integrated the expected output "File not found" for instances where the file is absent. This adjustment ensures the successful execution of the test.

Co-authored-by: mjshastha <manojshastha.madriki@aquasec.com>
2023-12-18 09:10:07 +02:00
Huang Huang
0c553cd2f6 fix wrong use of flag in test_items found in 4.13 and 4.14 (#1528)
* fix wrong use of flag in test_items found in 4.13 and 4.14

Fixes #1491

* fix for more benchmarks

* update integration test

* fix test
2023-12-03 09:06:35 +02:00
Huang Huang
92a18e7dfd support CIS Kubernetes Benchmark v1.8.0 (#1527)
* support CIS Kubernetes Benchmark v1.8.0

* update version info
2023-12-02 09:59:30 +02:00
Kiran Bodipi
f8fe5ee173 Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s (#1523)
* add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
with this change, we are adding
1. latest Kubernetes CIS benchmarks for VMware Tanzu 1.2.53
2. logic so that kube-bench can auto-detect the VMware platform and execute the respective VMware TKGI compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in a TKGI cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397

* add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
with this change, we are adding
1. latest Kubernetes CIS benchmarks for VMware Tanzu 1.2.53
2. logic so that kube-bench can auto-detect the VMware platform and execute the respective VMware TKGI compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in a TKGI cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397

* release: prepare v0.6.15 (#1455)

Signed-off-by: chenk <hen.keinan@gmail.com>

* build(deps): bump golang from 1.19.4 to 1.20.4 (#1436)

Bumps golang from 1.19.4 to 1.20.4.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump actions/setup-go from 3 to 4 (#1402)

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: chenk <hen.keinan@gmail.com>

* Fix test_items in cis-1.7 - node - 4.2.12 (#1469)

Related issue: https://github.com/aquasecurity/kube-bench/issues/1468

* Fix node.yaml - 4.1.7 and 4.1.8 audit by adding uniq (#1472)

* chore: add fips compliant images (#1473)

For FIPS compliance we need to generate FIPS-compliant images.
As part of this change, we will create a new kube-bench image which will be FIPS compliant. The image name follows this tag pattern: <version>-ubi-fips

* release: prepare v0.6.16-rc (#1476)

* release: prepare v0.6.16-rc

Signed-off-by: chenk <hen.keinan@gmail.com>

* release: prepare v0.6.16-rc

Signed-off-by: chenk <hen.keinan@gmail.com>

---------

Signed-off-by: chenk <hen.keinan@gmail.com>

* release: prepare v0.6.16 official (#1479)

Signed-off-by: chenk <hen.keinan@gmail.com>

* Update job.yaml (#1477)

* Update job.yaml

Fix on typo for image version

* chore: sync with upstream

Signed-off-by: chenk <hen.keinan@gmail.com>

---------

Signed-off-by: chenk <hen.keinan@gmail.com>
Co-authored-by: chenk <hen.keinan@gmail.com>

* release: prepare v0.6.17 (#1480)

Signed-off-by: chenk <hen.keinan@gmail.com>

* Bump docker base images (#1465)

During a recent CVE scan we found kube-bench to use `alpine:3.18` as the final image which has a known high CVE.

```
grype aquasec/kube-bench:v0.6.15
 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [73 packages]
 ✔ Scanning image...       [4 vulnerabilities]
   ├── 0 critical, 4 high, 0 medium, 0 low, 0 negligible
   └── 4 fixed
NAME        INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY
libcrypto3  3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
libssl3     3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
openssl     3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
```

The CVE in question was addressed in the latest [alpine release](https://www.alpinelinux.org/posts/Alpine-3.15.9-3.16.6-3.17.4-3.18.2-released.html), hence updating the dockerfiles accordingly

* build(deps): bump golang from 1.20.4 to 1.20.6 (#1475)

Bumps golang from 1.20.4 to 1.20.6.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s
Based on the information furnished in https://ranchermanager.docs.rancher.com/v2.7/pages-for-subheaders/rancher-hardening-guides
kube-bench executes CIS-1.23 (Kubernetes v1.23), CIS-1.24 (Kubernetes v1.24), CIS-1.7 (Kubernetes v1.25, v1.26, v1.27) CIS Benchmarks of the respective distributions.

* RKE/RKE2 CIS Benchmarks
Updated the order of checks for RKE and RKE2 Platforms.

* fixed vulnerabilities: upgraded package golang.org/x/net to version v0.17.0

* Error handling for RKE Detection Pre-requisites

* Based on the information furnished in https://ranchermanager.docs.rancher.com/v2.7/pages-for-subheaders/rancher-hardening-guides#hardening-guides-and-benchmark-versions, kube-bench executes CIS-1.23 (Kubernetes v1.23), CIS-1.24 (Kubernetes v1.24), CIS-1.7 (Kubernetes v1.25, v1.26, v1.27) CIS Benchmarks of the respective distributions.
Updated documentation specific to the added Rancher platforms.

* addressed review comments
1. Implemented IsRKE functionality in kube-bench
2. Removed containerd from global level config and accommodated it in the individual config file
3. Corrected the control id from 1.2.25 to 1.2.23 in master.yaml (k3s-cis-1.23 and k3s-cis-1.24)

* Removed unnecessary dependency - kubernetes-provider-detector

---------

Signed-off-by: chenk <hen.keinan@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Andy Pitcher <andy.pitcher@suse.com>
Co-authored-by: Devendra Turkar <devendra.turkar@gmail.com>
Co-authored-by: Guille Vigil <contact@guillermotti.com>
Co-authored-by: Jonas-Taha El Sesiy <jonas-taha.elsesiy@snowflake.com>
2023-11-26 12:27:38 +02:00
Benjamin Schimke
fac90f756e feat(cis-1.24-microk8s): Add support to CIS-1.24 for microk8s distro (#1510) 2023-11-20 12:59:32 +02:00
Andy Pitcher
aa16551811 Fix node.yaml - 4.1.7 and 4.1.8 audit by adding uniq (#1472) 2023-07-11 11:45:06 +03:00
Andy Pitcher
40cdc1bfbb Fix test_items in cis-1.7 - node - 4.2.12 (#1469)
Related issue: https://github.com/aquasecurity/kube-bench/issues/1468
2023-07-02 10:50:07 +03:00
KiranBodipi
ca8743c1f7 add support VMware Tanzu(TKGI) Benchmarks v1.2.53 (#1452)
* add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
with this change, we are adding
1. latest Kubernetes CIS benchmarks for VMware Tanzu 1.2.53
2. logic so that kube-bench can auto-detect the VMware platform and execute the respective VMware TKGI compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in a TKGI cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397

* add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
with this change, we are adding
1. latest Kubernetes CIS benchmarks for VMware Tanzu 1.2.53
2. logic so that kube-bench can auto-detect the VMware platform and execute the respective VMware TKGI compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in a TKGI cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397
2023-06-01 16:37:50 +03:00
Huang Huang
60dde65d72 support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0 (#1449)
closes #1448
2023-05-21 17:53:58 +03:00
Huang Huang
124c57c6f4 support CIS Kubernetes Benchmark v1.7.0 (#1424) 2023-05-21 15:46:16 +03:00
Huang Huang
e41755ba90 cis-1.24: fix tests of 1.1.1 and 4.2.9 that were wrong (#1423)
fixes #1410
fixes #1421
2023-05-21 11:39:51 +03:00
Rayan Das
c3b6871766 Fix version in policies.yaml (#1415) 2023-04-07 17:33:52 +03:00
Derek Nola
e1d1053358 Fix to empty grep and other cis-1.6-k3s checks (#1352)
* Fix to empty grep and other k3s checks

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Lint fix

Signed-off-by: Derek Nola <derek.nola@suse.com>

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-01-13 18:06:57 +02:00