add glog flush to write the output to a file (#329)

* add glog flush to write the output to a file

* add glog flush before exit on error and fix code comment

.travis.yml

@@ -14,12 +14,8 @@ before_install:
   - sudo apt-get install -y rpm
   - gem install --no-ri --no-rdoc fpm
 
-install:
-  - go get -v github.com/golang/dep/cmd/dep
-  - dep ensure -v -vendor-only
-
 script:
-  - go test ./...
+  - GO111MODULE=on go test ./...
   - docker build --tag kube-bench .
   - docker run -v `pwd`:/host kube-bench install 
   - test -d cfg

Dockerfile

@@ -1,13 +1,12 @@
-FROM golang:1.9 AS build
+FROM golang:1.12 AS build
 WORKDIR /go/src/github.com/aquasecurity/kube-bench/
-ADD Gopkg.toml Gopkg.lock ./
-RUN go get -v github.com/golang/dep/cmd/dep && dep ensure -v -vendor-only
+ADD go.mod go.sum ./
 ADD main.go .
 ADD check/ check/
 ADD cmd/ cmd/
-RUN CGO_ENABLED=0 go install -a -ldflags '-w'
+RUN GO111MODULE=on CGO_ENABLED=0 go install -a -ldflags '-w'
 
-FROM alpine:3.7 AS run
+FROM alpine:3.10 AS run
 WORKDIR /opt/kube-bench/
 # add GNU ps for -C, -o cmd, and --no-headers support
 # https://github.com/aquasecurity/kube-bench/issues/109

Gopkg.lock

@@ -1,254 +0,0 @@
-# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'.
-
-
-[[projects]]
-  digest = "1:ffe9824d294da03b391f44e1ae8281281b4afc1bdaa9588c9097785e3af10cec"
-  name = "github.com/davecgh/go-spew"
-  packages = ["spew"]
-  pruneopts = "UT"
-  revision = "8991bc29aa16c548c550c7ff78260e27b9ab7c73"
-  version = "v1.1.1"
-
-[[projects]]
-  digest = "1:938a2672d6ebbb7f7bc63eee3e4b9464c16ffcf77ec8913d3edbf32b4e3984dd"
-  name = "github.com/fatih/color"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "570b54cabe6b8eb0bc2dfce68d964677d63b5260"
-  version = "v1.5.0"
-
-[[projects]]
-  digest = "1:38c783cf85b9454cc02a1a8319239800ed0af6c1c864adf19cea0539e134adad"
-  name = "github.com/fsnotify/fsnotify"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "4da3e2cfbabc9f751898f250b49f2439785783a1"
-
-[[projects]]
-  branch = "master"
-  digest = "1:1ba1d79f2810270045c328ae5d674321db34e3aae468eb4233883b473c5c0467"
-  name = "github.com/golang/glog"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "23def4e6c14b4da8ac2ed8007337bc5eb5007998"
-
-[[projects]]
-  digest = "1:145eff5207977eb95c3649a27cdc2e467d8a1c104810bc12b6a53745a91d823a"
-  name = "github.com/hashicorp/hcl"
-  packages = [
-    ".",
-    "hcl/ast",
-    "hcl/parser",
-    "hcl/scanner",
-    "hcl/strconv",
-    "hcl/token",
-    "json/parser",
-    "json/scanner",
-    "json/token",
-  ]
-  pruneopts = "UT"
-  revision = "23c074d0eceb2b8a5bfdbb271ab780cde70f05a8"
-
-[[projects]]
-  digest = "1:870d441fe217b8e689d7949fef6e43efbc787e50f200cb1e70dbca9204a1d6be"
-  name = "github.com/inconshreveable/mousetrap"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "76626ae9c91c4f2a10f34cad8ce83ea42c93bb75"
-  version = "v1.0"
-
-[[projects]]
-  digest = "1:510a2b056950ed12b4f3ac704ee1b34fd1920cb5b26f60f98d069de89c60adb7"
-  name = "github.com/jinzhu/gorm"
-  packages = [
-    ".",
-    "dialects/postgres",
-  ]
-  pruneopts = "UT"
-  revision = "5174cc5c242a728b435ea2be8a2f7f998e15429b"
-  version = "v1.0"
-
-[[projects]]
-  digest = "1:2cf1e05311b662e68d938f6655c6c5a44ae0e6b3995e390c75fcd8224afa48df"
-  name = "github.com/jinzhu/inflection"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "1c35d901db3da928c72a72d8458480cc9ade058f"
-
-[[projects]]
-  digest = "1:38dd5cee5306173bfe78f8c401edec1e08f772551bee95a85617b4e39347e366"
-  name = "github.com/lib/pq"
-  packages = [
-    ".",
-    "hstore",
-    "oid",
-  ]
-  pruneopts = "UT"
-  revision = "83612a56d3dd153a94a629cd64925371c9adad78"
-
-[[projects]]
-  digest = "1:9cbfcfd1ec741817698b844d17b523f54682a5f7c8683b1ec62b6b6542143240"
-  name = "github.com/magiconair/properties"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "49d762b9817ba1c2e9d0c69183c2b4a8b8f1d934"
-
-[[projects]]
-  digest = "1:31fcf8f5f8f6cc36ef11182c0a0f63ba464e1a7ad9f0e92a7cf46f38bfc0adfd"
-  name = "github.com/mattn/go-colorable"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "5411d3eea5978e6cdc258b30de592b60df6aba96"
-
-[[projects]]
-  digest = "1:fa610f9fe6a93f4a75e64c83673dfff9bf1a34bbb21e6102021b6bc7850834a3"
-  name = "github.com/mattn/go-isatty"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "57fdcb988a5c543893cc61bce354a6e24ab70022"
-
-[[projects]]
-  digest = "1:56a0bd1a1f3809171d1abe0bfd389558be0cd672e858e1f831b88f806aa8764f"
-  name = "github.com/mitchellh/mapstructure"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "06020f85339e21b2478f756a78e295255ffa4d6a"
-
-[[projects]]
-  digest = "1:128af710970a788bb2348dbcdde6b86fa41f92086297f909d659b6d3affc2902"
-  name = "github.com/pelletier/go-toml"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "0131db6d737cfbbfb678f8b7d92e55e27ce46224"
-
-[[projects]]
-  digest = "1:0028cb19b2e4c3112225cd871870f2d9cf49b9b4276531f03438a88e94be86fe"
-  name = "github.com/pmezard/go-difflib"
-  packages = ["difflib"]
-  pruneopts = "UT"
-  revision = "792786c7400a136282c1664665ae0a8db921c6c2"
-  version = "v1.0.0"
-
-[[projects]]
-  digest = "1:1fccaaeae58b2a2f1af4dbf7eee92ff14f222e161d143bfd20082ef664f91216"
-  name = "github.com/spf13/afero"
-  packages = [
-    ".",
-    "mem",
-  ]
-  pruneopts = "UT"
-  revision = "57afd63c68602b63ed976de00dd066ccb3c319db"
-
-[[projects]]
-  digest = "1:9b28ee2984c69d78afe2ce52b1650ba91a6381f355ff08c1d0e53d9e66bd62fe"
-  name = "github.com/spf13/cast"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "acbeb36b902d72a7a4c18e8f3241075e7ab763e4"
-  version = "v1.1.0"
-
-[[projects]]
-  digest = "1:7ffc0983035bc7e297da3688d9fe19d60a420e9c38bef23f845c53788ed6a05e"
-  name = "github.com/spf13/cobra"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "7b2c5ac9fc04fc5efafb60700713d4fa609b777b"
-  version = "v0.0.1"
-
-[[projects]]
-  digest = "1:9f28b7e326b8cd1db556678b7ce679cf9bf888647e40922f91d9d40f451f942b"
-  name = "github.com/spf13/jwalterweatherman"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "12bd96e66386c1960ab0f74ced1362f66f552f7b"
-
-[[projects]]
-  digest = "1:772bf4d1907ccb275aaa532ec6cb0d85fc61bd05648af28551590af3ea4e2d53"
-  name = "github.com/spf13/pflag"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "4c012f6dcd9546820e378d0bdda4d8fc772cdfea"
-
-[[projects]]
-  digest = "1:f8e1a678a2571e265f4bf91a3e5e32aa6b1474a55cb0ea849750cc177b664d96"
-  name = "github.com/spf13/viper"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "25b30aa063fc18e48662b86996252eabdcf2f0c7"
-  version = "v1.0.0"
-
-[[projects]]
-  digest = "1:ac83cf90d08b63ad5f7e020ef480d319ae890c208f8524622a2f3136e2686b02"
-  name = "github.com/stretchr/objx"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "477a77ecc69700c7cdeb1fa9e129548e1c1c393c"
-  version = "v0.1.1"
-
-[[projects]]
-  digest = "1:0bcc464dabcfad5393daf87c3f8142911d0f6c52569b837e91a1c15e890265f3"
-  name = "github.com/stretchr/testify"
-  packages = [
-    "assert",
-    "mock",
-  ]
-  pruneopts = "UT"
-  revision = "ffdc059bfe9ce6a4e144ba849dbedead332c6053"
-  version = "v1.3.0"
-
-[[projects]]
-  digest = "1:c9c0ba9ea00233c41b91e441cfd490f34b129bbfebcb1858979623bd8de07f72"
-  name = "golang.org/x/sys"
-  packages = ["unix"]
-  pruneopts = "UT"
-  revision = "e24f485414aeafb646f6fca458b0bf869c0880a1"
-
-[[projects]]
-  digest = "1:8029e9743749d4be5bc9f7d42ea1659471767860f0cdc34d37c3111bd308a295"
-  name = "golang.org/x/text"
-  packages = [
-    "internal/gen",
-    "internal/triegen",
-    "internal/ucd",
-    "transform",
-    "unicode/cldr",
-    "unicode/norm",
-  ]
-  pruneopts = "UT"
-  revision = "e19ae1496984b1c655b8044a65c0300a3c878dd3"
-
-[[projects]]
-  digest = "1:cb130999076da4717267c51235d62b63228c330ad86160255cbe3276de4c9892"
-  name = "gopkg.in/yaml.v2"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "c95af922eae69f190717a0b7148960af8c55a072"
-
-[[projects]]
-  digest = "1:e8e3acc03397f71fad44385631e665c639a8d55bd187bcfa6e70b695e3705edd"
-  name = "k8s.io/client-go"
-  packages = [
-    "third_party/forked/golang/template",
-    "util/jsonpath",
-  ]
-  pruneopts = "UT"
-  revision = "e64494209f554a6723674bd494d69445fb76a1d4"
-  version = "v10.0.0"
-
-[solve-meta]
-  analyzer-name = "dep"
-  analyzer-version = 1
-  input-imports = [
-    "github.com/fatih/color",
-    "github.com/golang/glog",
-    "github.com/jinzhu/gorm",
-    "github.com/jinzhu/gorm/dialects/postgres",
-    "github.com/spf13/cobra",
-    "github.com/spf13/viper",
-    "github.com/stretchr/testify/assert",
-    "github.com/stretchr/testify/mock",
-    "gopkg.in/yaml.v2",
-    "k8s.io/client-go/util/jsonpath",
-  ]
-  solver-name = "gps-cdcl"
-  solver-version = 1

Gopkg.toml

@@ -1,27 +0,0 @@
-[[constraint]]
-  name = "github.com/fatih/color"
-  version = "1.5.0"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/golang/glog"
-
-[[constraint]]
-  name = "github.com/jinzhu/gorm"
-  version = "1.0.0"
-
-[[constraint]]
-  name = "github.com/spf13/cobra"
-  version = "0.0.1"
-
-[[constraint]]
-  name = "github.com/spf13/viper"
-  version = "1.0.0"
-
-[[constraint]]
-  name = "github.com/stretchr/testify"
-  version = "1.3.0"
-
-[prune]
-  go-tests = true
-  unused-packages = true

README.md

@@ -5,7 +5,9 @@
 
 <img src="images/kube-bench.png" width="200" alt="kube-bench logo">
 
-kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).
+kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/). 
+
+Note that it is impossible to inspect the master nodes of managed clusters, e.g. GKE, EKS and AKS, using kube-bench as one does not have access to such nodes, although it is still possible to use kube-bench to check worker node configuration in these environments.
 
 Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
 
@@ -131,6 +133,8 @@ kube-bench includes a set of test files for Red Hat's OpenShift hardening guide
 
 Kubernetes config and binary file locations and names can vary from installation to installation, so these are configurable in the `cfg/config.yaml` file.
 
+Any settings in the version-specific config file `cfg/<version>/config.yaml` take precedence over settings in the main `cfg/config.yaml` file.
+
 For each type of node (*master*, *node* or *federated*) there is a list of components, and for each component there is a set of binaries (*bins*) and config files (*confs*) that kube-bench will look for (in the order they are listed). If your installation uses a different binary name or config file location for a Kubernetes component, you can add it to `cfg/config.yaml`.
 
 * **bins** - If there is a *bins* list for a component, at least one of these binaries must be running. The tests will consider the parameters for the first binary in the list found to be running.
@@ -228,6 +232,9 @@ These operations are:
 - `lte`: tests if the flag value is less than or equal to the compared value.
 - `has`: tests if the flag value contains the compared value.
 - `nothave`: tests if the flag value does not contain the compared value.
+- `regex`: tests if the flag value matches the compared value regular expression.
+
+When defining regular expressions in YAML it is generally easier to wrap them in single quotes, for example `'^[abc]$'`, to avoid issues with string escaping.
 
 # Roadmap
 Going forward we plan to release updates to kube-bench to add support for new releases of the Benchmark, which in turn we can anticipate being made for each new Kubernetes release.
@@ -247,3 +254,36 @@ Next you'll have to build the kube-bench docker image using `make build-docker`,
 Finally we can use the `make kind-run` target to run the current version of kube-bench in the cluster and follow the logs of pods created. (Ctrl+C to exit)
 
 Everytime you want to test a change, you'll need to rebuild the docker image and push it to cluster before running it again. ( `make build-docker kind-push kind-run` )
+
+# GitHub Issues
+
+## Bugs
+
+If you think you have found a bug please follow the instructions below.
+
+- Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate.
+- Open a [new issue](https://github.com/aquasecurity/kube-bench/issues/new) if a duplicate doesn't already exist.
+- Note the version of kube-bench you are running (from `kube-bench version`) and the command line options you are using.
+- Note the version of kubernetes you are running (from `kubectl version` or `oc version` for Openshift).
+- Set `-v 10` command line option and save the log output. Please paste this into your issue.
+- Remember users might be searching for your issue in the future, so please give it a meaningful title to help others.
+
+## Features
+
+We also use the GitHub issue tracker to track feature requests. If you have an idea to make kube-bench even more awesome follow the steps below.
+
+- Open a [new issue](https://github.com/aquasecurity/kube-bench/issues/new).
+- Remember users might be searching for your issue in the future, so please give it a meaningful title to helps others.
+- Clearly define the use case, using concrete examples. For example: I type `this` and kube-bench does `that`.
+- If you would like to include a technical design for your feature please feel free to do so.
+
+## Pull Requests 
+
+We welcome pull requests! 
+
+- Your PR is more likely to be accepted if it focuses on just one change.
+- Please include a comment with the results before and after your change. 
+- Your PR is more likely to be accepted if it includes tests. (We have not historically been very strict about tests, but we would like to improve this!). 
+- You're welcome to submit a **WIP** *(work in progress)* PR if you would like early feedback on an idea or an approach. 
+- Happy coding!
+

cfg/1.11-json/config.yaml

@@ -9,10 +9,6 @@ node:
       - "/var/lib/kubelet/kubeconfig"
 
   kubelet:
-    bins:
-      - "hyperkube kubelet"
-      - "kubelet"
-    defaultconf: "/etc/kubernetes/kubelet/kubelet-config.json"
     defaultsvc: "/etc/systemd/system/kubelet.service"
     defaultkubeconfig: "/var/lib/kubelet/kubeconfig"
 

cfg/1.11-json/node.yaml

@@ -318,7 +318,7 @@ groups:
           value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
         set: true
     remediation: |
-      If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
+      If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
       If using executable arguments, edit the kubelet service file $kubeletconf on each worker node and set the below parameter.
       --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
     scored: false

cfg/1.11/config.yaml

@@ -1,29 +1,2 @@
 ---
-## Controls Files.
-# These are YAML files that hold all the details for running checks.
-#
-## Uncomment to use different control file paths.
-# masterControls: ./cfg/master.yaml
-# nodeControls: ./cfg/node.yaml
-# federatedControls: ./cfg/federated.yaml
-
-master:
-  apiserver:
-    defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml
-
-  scheduler:
-    defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
-
-  controllermanager:
-    defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
-
-  etcd:
-    defaultconf: /etc/kubernetes/manifests/etcd.yaml
-
-node:
-  kubelet:
-    defaultconf: /etc/kubernetes/kubelet.conf
-    defaultsvc: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
-
-  proxy:
-    defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
+## Version-specific settings that override the values in cfg/config.yaml

cfg/1.11/node.yaml

@@ -309,7 +309,7 @@ groups:
           value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
         set: true
     remediation: |
-      If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
+      If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
       If using executable arguments, edit the kubelet service file $kubeletconf on each worker node and set the below parameter.
       --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
     scored: false

cfg/1.13/config.yaml

@@ -1,29 +1,2 @@
 ---
-## Controls Files.
-# These are YAML files that hold all the details for running checks.
-#
-## Uncomment to use different control file paths.
-# masterControls: ./cfg/master.yaml
-# nodeControls: ./cfg/node.yaml
-# federatedControls: ./cfg/federated.yaml
-
-master:
-  apiserver:
-    defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml
-
-  scheduler:
-    defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
-
-  controllermanager:
-    defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
-
-  etcd:
-    defaultconf: /etc/kubernetes/manifests/etcd.yaml
-
-node:
-  kubelet:
-    defaultconf: /etc/kubernetes/kubelet.conf
-    defaultsvc: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
-
-  proxy:
-    defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
+## Version-specific settings that override the values in cfg/config.yaml

cfg/1.13/master.yaml

@@ -220,12 +220,15 @@ groups:
     text: "Ensure that the admission control plugin NamespaceLifecycle is set (Scored)"
     audit: "ps -ef | grep $apiserverbin | grep -v grep"
     tests:
+      bin_op: or
       test_items:
       - flag: "--disable-admission-plugins"
         compare:
           op: nothave
           value: "NamespaceLifecycle"
         set: true
+      - flag: "--disable-admission-plugins"
+        set: false
     remediation: |
       Edit the API server pod specification file $apiserverconf
       on the master node and set the --disable-admission-plugins parameter to
@@ -499,7 +502,7 @@ groups:
     remediation: |
       Edit the API server pod specification file $apiserverconf
       on the master node and set the below parameter.
-      --tls-cipher- suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM _SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM _SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM _SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
+      --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
     scored: false
 
   - id: 1.1.31

cfg/1.13/node.yaml

@@ -290,7 +290,7 @@ groups:
           value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
         set: true
     remediation: |
-      If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
+      If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
       If using executable arguments, edit the kubelet service file $kubeletconf on each worker node and set the below parameter.
       --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
     scored: false

cfg/1.8/config.yaml

@@ -1,42 +1,2 @@
 ---
-## Controls Files. 
-# These are YAML files that hold all the details for running checks.
-#
-## Uncomment to use different control file paths.
-# masterControls: ./cfg/master.yaml
-# nodeControls: ./cfg/node.yaml
-# federatedControls: ./cfg/federated.yaml
-
-master:
-  apiserver:
-    confs:
-      - /etc/kubernetes/manifests/kube-apiserver.yaml
-      - /etc/kubernetes/manifests/kube-apiserver.manifest
-    defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml
-
-  scheduler:
-    confs: 
-      - /etc/kubernetes/manifests/kube-scheduler.yaml
-      - /etc/kubernetes/manifests/kube-scheduler.manifest
-    defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
-
-  controllermanager:
-    confs:
-      - /etc/kubernetes/manifests/kube-controller-manager.yaml
-      - /etc/kubernetes/manifests/kube-controller-manager.manifest
-    defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
-
-  etcd:
-    confs:
-      - /etc/kubernetes/manifests/etcd.yaml
-      - /etc/kubernetes/manifests/etcd.manifest
-    defaultconf: /etc/kubernetes/manifests/etcd.yaml
-
-node:
-  kubelet:
-    defaultconf: /var/lib/kubelet/config.yaml
-    defaultsvc: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
-    defaultkubeconfig: /etc/kubernetes/kubelet.conf
-  
-  proxy:
-    defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
+## Version-specific settings that override the values in cfg/config.yaml

cfg/config.yaml

@@ -27,9 +27,9 @@ master:
       - "hyperkube kube-apiserver"
       - "apiserver"
     confs:
-      - /etc/kubernetes/apiserver.conf
-      - /etc/kubernetes/apiserver
-    defaultconf: /etc/kubernetes/apiserver
+      - /etc/kubernetes/manifests/kube-apiserver.yaml
+      - /etc/kubernetes/manifests/kube-apiserver.manifest
+    defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml
 
   scheduler:
     bins:
@@ -37,29 +37,32 @@ master:
       - "hyperkube scheduler"
       - "hyperkube kube-scheduler"
       - "scheduler"
-    confs: 
-      - /etc/kubernetes/scheduler.conf
-      - /etc/kubernetes/scheduler
-    defaultconf: /etc/kubernetes/scheduler
+    confs:
+      - /etc/kubernetes/manifests/kube-scheduler.yaml
+      - /etc/kubernetes/manifests/kube-scheduler.manifest
+    defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
 
   controllermanager:
     bins:
       - "kube-controller-manager"
+      - "kube-controller"
       - "hyperkube controller-manager"
       - "hyperkube kube-controller-manager"
       - "controller-manager"
     confs:
-      - /etc/kubernetes/controller-manager.conf
-      - /etc/kubernetes/controller-manager
-    defaultconf: /etc/kubernetes/controller-manager
+      - /etc/kubernetes/manifests/kube-controller-manager.yaml
+      - /etc/kubernetes/manifests/kube-controller-manager.manifest
+    defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
 
   etcd:
     optional: true
     bins:
       - "etcd"
     confs:
+      - /etc/kubernetes/manifests/etcd.yaml
+      - /etc/kubernetes/manifests/etcd.manifest
       - /etc/etcd/etcd.conf
-    defaultconf: /etc/etcd/etcd.conf
+    defaultconf: /etc/kubernetes/manifests/etcd.yaml
 
   flanneld:
     optional: true
@@ -81,6 +84,10 @@ node:
     bins:
       - "hyperkube kubelet"
       - "kubelet"
+    confs:
+      - "/var/lib/kubelet/config.yaml"
+      - "/etc/kubernetes/kubelet/kubelet-config.json"
+      - "/home/kubernetes/kubelet-config.yaml"
     defaultconf: "/var/lib/kubelet/config.yaml"
     defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
     defaultkubeconfig: "/etc/kubernetes/kubelet.conf"
@@ -93,6 +100,7 @@ node:
     confs:
       - /etc/kubernetes/proxy
       - /etc/kubernetes/addons/kube-proxy-daemonset.yaml
+    defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
     defaultkubeconfig: "/etc/kubernetes/proxy.conf"
 
 federated:

cfg/ocp-3.10/config.yaml

@@ -1,16 +1,21 @@
 ---
-## Controls Files.
-# These are YAML files that hold all the details for running checks.
-#
-## Uncomment to use different control file paths.
-# masterControls: ./cfg/master.yaml
-# nodeControls: ./cfg/node.yaml
-# federatedControls: ./cfg/federated.yaml
+## Version-specific settings that override the values in cfg/config.yaml
 
 master:
   apiserver:
     bins:
+      - openshift start master api
       - hypershift openshift-kube-apiserver
+     
+  scheduler:
+    bins:
+      - "openshift start master controllers"
+    confs:
+      - /etc/origin/master/scheduler.json
+
+  controllermanager:
+    bins:
+      - "openshift start master controllers"
 
   etcd:
     bins:

cfg/ocp-3.10/node.yaml

@@ -196,7 +196,7 @@ groups:
   - id: 7.15
     text: "Verify that the RotateKubeletServerCertificate argument is set to true"
     audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml"
-    test:
+    tests:
       test_items:
       - flag: "RotateKubeletServerCertificate=true"
         compare:

cfg/ocp-3.11/config.yaml

@@ -0,0 +1,27 @@
+---
+## Version-specific settings that override the values in cfg/config.yaml
+
+master:
+  apiserver:
+    bins:
+      - openshift start master api
+      - hypershift openshift-kube-apiserver
+     
+  scheduler:
+    bins:
+      - "openshift start master controllers"
+    confs:
+      - /etc/origin/master/scheduler.json
+
+  controllermanager:
+    bins:
+      - "openshift start master controllers"
+
+  etcd:
+    bins:
+      - openshift start etcd
+
+node:
+  proxy:
+    bins:
+      - openshift start network

cfg/ocp-3.11/federated.yaml

@@ -0,0 +1,113 @@
+---
+controls:
+id: 3
+text: "Federated Deployments"
+type: "federated"
+groups:
+- id: 3.1
+  text: "Federated API Server"
+  checks:
+  - id: 3.1.1
+    text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.2
+    text: "Ensure that the --basic-auth-file argument is not set (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.3
+    text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.4
+    text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.5
+    text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.6
+    text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.7
+    text: "Ensure that the --profiling argument is set to false (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.8
+    text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.9
+    text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.10
+    text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.11
+    text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.12
+    text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.13
+    text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.14
+    text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.15
+    text: "Ensure that the --token-auth-file parameter is not set (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.16
+    text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.17
+    text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.18
+    text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)"
+    type: "skip"
+    scored: true
+
+  - id: 3.1.19
+    text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
+    type: "skip"
+    scored: true
+
+
+- id: 3.2
+  text: "Federation Controller Manager"
+  checks:
+  - id: 3.2.1
+    text: "Ensure that the --profiling argument is set to false (Scored)"
+    type: "skip"
+    scored: true
+

cfg/ocp-3.11/node.yaml

@@ -0,0 +1,376 @@
+---
+controls:
+id: 2
+text: "Worker Node Security Configuration"
+type: "node"
+groups:
+- id: 7
+  text: "Kubelet"
+  checks:
+  - id: 7.1
+    text: "Use Security Context Constraints to manage privileged containers as needed"
+    type: "skip"
+    scored: true
+
+  - id: 7.2
+    text: "Ensure anonymous-auth is not disabled"
+    type: "skip"
+    scored: true
+
+  - id: 7.3
+    text: "Verify that the --authorization-mode argument is set to WebHook"
+    audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "authorization-mode"
+        set: false
+      - flag: "authorization-mode: Webhook"
+        compare:
+          op: has
+          value: "Webhook"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under
+      kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook".
+    scored: true
+
+  - id: 7.4
+    text: "Verify the OpenShift default for the client-ca-file argument"
+    audit: "grep -A1 client-ca-file /etc/origin/node/node-config.yaml"
+    tests:
+      test_items:
+      - flag: "client-ca-file"
+        set: false
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following:
+      grep -A1 client-ca-file /etc/origin/node/node-config.yaml
+
+      Reset to the OpenShift default. 
+      See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65
+      The config file does not have this defined in kubeletArgument, but in PodManifestConfig.
+    scored: true
+
+  - id: 7.5
+    text: "Verify the OpenShift default setting for the read-only-port argument"
+    audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "read-only-port"
+        set: false
+      - flag: "read-only-port: 0"
+        compare:
+          op: has
+          value: "0"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied.
+    scored: true
+
+  - id: 7.6
+    text: "Adjust the streaming-connection-idle-timeout argument"
+    audit: "grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "streaming-connection-idle-timeout"
+        set: false
+      - flag: "5m"
+        set: false
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout
+      value like the following in node-config.yaml.
+      
+      kubeletArguments:
+        streaming-connection-idle-timeout:
+           - "5m"
+    scored: true
+
+  - id: 7.7
+    text: "Verify the OpenShift defaults for the protect-kernel-defaults argument"
+    type: "skip"
+    scored: true
+
+  - id: 7.8
+    text: "Verify the OpenShift default value of true for the make-iptables-util-chains argument"
+    audit: "grep -A1 make-iptables-util-chains /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "make-iptables-util-chains"
+        set: false
+      - flag: "make-iptables-util-chains: true"
+        compare:
+          op: has
+          value: "true"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift
+      default value of true. 
+    scored: true
+
+  - id: 7.9
+    text: "Verify that the --keep-terminated-pod-volumes argument is set to false"
+    audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml"
+    tests:
+      test_items:
+      - flag: "keep-terminated-pod-volumes: false"
+        compare:
+          op: has
+          value: "false"
+        set: true
+    remediation: |
+      Reset to the OpenShift defaults
+    scored: true
+
+  - id: 7.10
+    text: "Verify the OpenShift defaults for the hostname-override argument"
+    type: "skip"
+    scored: true
+
+  - id: 7.11
+    text: "Set the --event-qps argument to 0"
+    audit: "grep -A1 event-qps /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "event-qps"
+        set: false
+      - flag: "event-qps: 0"
+        compare:
+          op: has
+          value: "0"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in
+      the kubeletArguments section of.
+    scored: true
+
+  - id: 7.12
+    text: "Verify the OpenShift cert-dir flag for HTTPS traffic"
+    audit: "grep -A1 cert-dir /etc/origin/node/node-config.yaml"
+    tests:
+      test_items:
+      - flag: "/etc/origin/node/certificates"
+        compare:
+          op: has
+          value: "/etc/origin/node/certificates"
+        set: true
+    remediation: |
+      Reset to the OpenShift default values.
+    scored: true
+
+  - id: 7.13
+    text: "Verify the OpenShift default of 0 for the cadvisor-port argument"
+    audit: "grep -A1 cadvisor-port /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "cadvisor-port"
+        set: false
+      - flag: "cadvisor-port: 0"
+        compare:
+          op: has
+          value: "0"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag 
+      if it is set in the  kubeletArguments section.
+    scored: true
+
+  - id: 7.14
+    text: "Verify that the RotateKubeletClientCertificate argument is set to true"
+    audit: "grep -B1 RotateKubeletClientCertificate=true /etc/origin/node/node-config.yaml"
+    tests:
+      test_items:
+      - flag: "RotateKubeletClientCertificate=true"
+        compare:
+          op: has
+          value: "true"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true.
+    scored: true
+
+  - id: 7.15
+    text: "Verify that the RotateKubeletServerCertificate argument is set to true"
+    audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml"
+    tests:
+      test_items:
+      - flag: "RotateKubeletServerCertificate=true"
+        compare:
+          op: has
+          value: "true"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true.
+    scored: true
+
+
+- id: 8
+  text: "Configuration Files"
+  checks:
+  - id: 8.1
+    text: "Verify the OpenShift default permissions for the kubelet.conf file"
+    audit: "stat -c %a  /etc/origin/node/node.kubeconfig"
+    tests:
+      bin_op: or
+      test_items:
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+    remediation: |
+      Run the below command on each worker node.
+      chmod 644 /etc/origin/node/node.kubeconfig
+    scored: true
+
+  - id: 8.2
+    text: "Verify the kubeconfig file ownership of root:root"
+    audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
+    tests:
+      test_items:
+        - flag: "root:root"
+          compare:
+            op: eq
+            value: root:root
+          set: true
+      remediation: |
+        Run the below command on each worker node.
+        chown root:root /etc/origin/node/node.kubeconfig
+      scored: true
+
+  - id: 8.3
+    text: "Verify the kubelet service file permissions of 644"
+    audit: "stat -c %a /etc/systemd/system/atomic-openshift-node.service"
+    tests:
+      bin_op: or
+      test_items:
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+    remediation: |
+      Run the below command on each worker node.
+      chmod 644 /etc/systemd/system/atomic-openshift-node.service
+    scored: true
+
+  - id: 8.4
+    text: "Verify the kubelet service file ownership of root:root"
+    audit: "stat -c %U:%G /etc/systemd/system/atomic-openshift-node.service"
+    tests:
+      test_items:
+        - flag: "root:root"
+          compare:
+            op: eq
+            value: root:root
+          set: true
+      remediation: |
+        Run the below command on each worker node.
+        chown root:root /etc/systemd/system/atomic-openshift-node.service
+      scored: true
+
+  - id: 8.5
+    text: "Verify the OpenShift default permissions for the proxy kubeconfig file"
+    audit: "stat -c %a /etc/origin/node/node.kubeconfig"
+    tests:
+      bin_op: or
+      test_items:
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+    remediation: |
+      Run the below command on each worker node.
+      chmod 644 /etc/origin/node/node.kubeconfig
+    scored: true
+
+  - id: 8.6
+    text: "Verify the proxy kubeconfig file ownership of root:root"
+    audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
+    tests:
+      test_items:
+        - flag: "root:root"
+          compare:
+            op: eq
+            value: root:root
+          set: true
+      remediation: |
+        Run the below command on each worker node.
+        chown root:root /etc/origin/node/node.kubeconfig
+      scored: true
+
+  - id: 8.7
+    text: "Verify the OpenShift default permissions for the certificate authorities file."
+    audit: "stat -c %a /etc/origin/node/client-ca.crt"
+    tests:
+      bin_op: or
+      test_items:
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+    remediation: |
+      Run the below command on each worker node.
+      chmod 644 /etc/origin/node/client-ca.crt
+    scored: true
+
+  - id: 8.8
+    text: "Verify the client certificate authorities file ownership of root:root"
+    audit: "stat -c %U:%G /etc/origin/node/client-ca.crt"
+    tests:
+      test_items:
+        - flag: "root:root"
+          compare:
+            op: eq
+            value: root:root
+          set: true
+      remediation: |
+        Run the below command on each worker node.
+        chown root:root /etc/origin/node/client-ca.crt
+      scored: true

check/check.go

@@ -62,16 +62,17 @@ func handleError(err error, context string) (errmsg string) {
 type Check struct {
 	ID          string      `yaml:"id" json:"test_number"`
 	Text        string      `json:"test_desc"`
-	Audit       string      `json:"omit"`
+	Audit       string      `json:"audit"`
 	Type        string      `json:"type"`
 	Commands    []*exec.Cmd `json:"omit"`
 	Tests       *tests      `json:"omit"`
 	Set         bool        `json:"omit"`
-	Remediation string      `json:"-"`
+	Remediation string      `json:"remediation"`
 	TestInfo    []string    `json:"test_info"`
 	State       `json:"status"`
 	ActualValue string `json:"actual_value"`
 	Scored      bool   `json:"scored"`
+	ExpectedResult string `json:"expected_result"`
 }
 
 // Runner wraps the basic Run method.
@@ -188,6 +189,7 @@ func (c *Check) run() State {
 	finalOutput := c.Tests.execute(out.String())
 	if finalOutput != nil {
 		c.ActualValue = finalOutput.actualResult
+		c.ExpectedResult = finalOutput.ExpectedResult
 		if finalOutput.testResult {
 			c.State = PASS
 		} else {

check/controls_test.go

@@ -103,13 +103,26 @@ type: "master"
 groups:
 - id: G1
   checks:
-    - id: G1/C1
+  - id: G1/C1
 - id: G2
   checks:
-    - id: G2/C1
+  - id: G2/C1
+    text: "Verify that the SomeSampleFlag argument is set to true"
+    audit: "grep -B1 SomeSampleFlag=true /this/is/a/file/path"
+    tests:
+      test_items:
+      - flag: "SomeSampleFlag=true"
+        compare:
+          op: has
+          value: "true"
+        set: true
+    remediation: |
+      Edit the config file /this/is/a/file/path and set SomeSampleFlag to true.
+    scored: true
 `)
 		// and
-		controls, _ := NewControls(MASTER, in)
+		controls, err := NewControls(MASTER, in)
+		assert.NoError(t, err)
 		// and
 		runner.On("Run", controls.Groups[0].Checks[0]).Return(PASS)
 		runner.On("Run", controls.Groups[1].Checks[0]).Return(FAIL)
@@ -130,6 +143,12 @@ groups:
 		G2 := controls.Groups[1]
 		assert.Equal(t, "G2", G2.ID)
 		assert.Equal(t, "G2/C1", G2.Checks[0].ID)
+		assert.Equal(t, "has", G2.Checks[0].Tests.TestItems[0].Compare.Op)
+		assert.Equal(t, "true", G2.Checks[0].Tests.TestItems[0].Compare.Value)
+		assert.Equal(t, true, G2.Checks[0].Tests.TestItems[0].Set)
+		assert.Equal(t, "SomeSampleFlag=true", G2.Checks[0].Tests.TestItems[0].Flag)
+		assert.Equal(t, "Edit the config file /this/is/a/file/path and set SomeSampleFlag to true.\n", G2.Checks[0].Remediation)
+		assert.Equal(t, true, G2.Checks[0].Scored)
 		assertEqualGroupSummary(t, 0, 1, 0, 0, G2)
 		// and
 		assert.Equal(t, 1, controls.Summary.Pass)
@@ -139,7 +158,6 @@ groups:
 		// and
 		runner.AssertExpectations(t)
 	})
-
 }
 
 func assertEqualGroupSummary(t *testing.T, pass, fail, info, warn int, actual *Group) {

check/data

@@ -297,3 +297,13 @@ groups:
               op: eq
               value: "false"
             set: true
+
+    - id: 26
+      text: "check regex op matches"
+      tests:
+        test_items:
+          - path: "{.currentMasterVersion}"
+            compare:
+              op: regex
+              value: '^1\.12.*$'
+            set: true

check/test.go

@@ -58,6 +58,7 @@ type compare struct {
 type testOutput struct {
 	testResult   bool
 	actualResult string
+	ExpectedResult string
 }
 
 func failTestItem(s string) *testOutput {
@@ -135,9 +136,10 @@ func (t *testItem) execute(s string) *testOutput {
 				}
 			}
 
-			result.actualResult = strings.ToLower(flagVal)
+			expectedResultPattern := ""
 			switch t.Compare.Op {
 			case "eq":
+				expectedResultPattern = "'%s' is equal to '%s'"
 				value := strings.ToLower(flagVal)
 				// Do case insensitive comparaison for booleans ...
 				if value == "false" || value == "true" {
@@ -147,6 +149,7 @@ func (t *testItem) execute(s string) *testOutput {
 				}
 
 			case "noteq":
+				expectedResultPattern = "'%s' is not equal to '%s'"
 				value := strings.ToLower(flagVal)
 				// Do case insensitive comparaison for booleans ...
 				if value == "false" || value == "true" {
@@ -156,32 +159,46 @@ func (t *testItem) execute(s string) *testOutput {
 				}
 
 			case "gt":
+				expectedResultPattern = "%s is greater then %s"
 				a, b := toNumeric(flagVal, t.Compare.Value)
 				result.testResult = a > b
 
 			case "gte":
+				expectedResultPattern = "%s is greater or equal to %s"
 				a, b := toNumeric(flagVal, t.Compare.Value)
 				result.testResult = a >= b
 
 			case "lt":
+				expectedResultPattern = "%s is lower then %s"
 				a, b := toNumeric(flagVal, t.Compare.Value)
 				result.testResult = a < b
 
 			case "lte":
+				expectedResultPattern = "%s is lower or equal to %s"
 				a, b := toNumeric(flagVal, t.Compare.Value)
 				result.testResult = a <= b
 
 			case "has":
+				expectedResultPattern = "'%s' has '%s'"
 				result.testResult = strings.Contains(flagVal, t.Compare.Value)
 
 			case "nothave":
+				expectedResultPattern = " '%s' not have '%s'"
 				result.testResult = !strings.Contains(flagVal, t.Compare.Value)
+
+			case "regex":
+				expectedResultPattern = " '%s' matched by '%s'"
+				opRe := regexp.MustCompile(t.Compare.Value)
+				result.testResult = opRe.MatchString(flagVal)
 			}
+
+			result.ExpectedResult = fmt.Sprintf(expectedResultPattern, t.Flag, t.Compare.Value)
 		} else {
+			result.ExpectedResult = fmt.Sprintf("'%s' is present", t.Flag)
 			result.testResult = isset
 		}
-
 	} else {
+		result.ExpectedResult = fmt.Sprintf("'%s' is not present", t.Flag)
 		notset := !match
 		result.testResult = notset
 	}
@@ -207,8 +224,11 @@ func (ts *tests) execute(s string) *testOutput {
 		return finalOutput
 	}
 
+	expectedResultArr := make([]string, len(res))
+
 	for i, t := range ts.TestItems {
 		res[i] = *(t.execute(s))
+		expectedResultArr[i] = res[i].ExpectedResult
 	}
 
 	var result bool
@@ -222,16 +242,25 @@ func (ts *tests) execute(s string) *testOutput {
 		for i := range res {
 			result = result && res[i].testResult
 		}
+		// Generate an AND expected result
+		finalOutput.ExpectedResult = strings.Join(expectedResultArr, " AND ")
+
 	case or:
 		result = false
 		for i := range res {
 			result = result || res[i].testResult
 		}
+		// Generate an OR expected result
+		finalOutput.ExpectedResult = strings.Join(expectedResultArr, " OR ")
 	}
 
 	finalOutput.testResult = result
 	finalOutput.actualResult = res[0].actualResult
 
+	if finalOutput.actualResult == "" {
+		finalOutput.actualResult = s
+	}
+
 	return finalOutput
 }
 

check/test_test.go

@@ -152,6 +152,10 @@ func TestTestExecute(t *testing.T) {
 			controls.Groups[0].Checks[22],
 			"authentication:\n  anonymous:\n    enabled: false",
 		},
+		{
+			controls.Groups[0].Checks[26],
+			"currentMasterVersion: 1.12.7",
+		},
 	}
 
 	for _, c := range cases {
@@ -180,6 +184,14 @@ func TestTestExecuteExceptions(t *testing.T) {
 			controls.Groups[0].Checks[25],
 			"broken } yaml\nenabled: true",
 		},
+		{
+			controls.Groups[0].Checks[26],
+			"currentMasterVersion: 1.11",
+		},
+		{
+			controls.Groups[0].Checks[26],
+			"currentMasterVersion: ",
+		},
 	}
 
 	for _, c := range cases {

cmd/common.go

@@ -15,10 +15,12 @@
 package cmd
 
 import (
+	"bufio"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/aquasecurity/kube-bench/check"
 	"github.com/golang/glog"
@@ -111,7 +113,7 @@ func runChecks(nodetype check.NodeType) {
 			exitWithError(fmt.Errorf("failed to output in JSON format: %v", err))
 		}
 
-		fmt.Println(string(out))
+		PrintOutput(string(out), outputFile)
 	} else {
 		// if we want to store in PostgreSQL, convert to JSON and save it
 		if (summary.Fail > 0 || summary.Warn > 0 || summary.Pass > 0 || summary.Info > 0) && pgSQL {
@@ -142,6 +144,10 @@ func prettyPrint(r *check.Controls, summary check.Summary) {
 			colorPrint(check.INFO, fmt.Sprintf("%s %s\n", g.ID, g.Text))
 			for _, c := range g.Checks {
 				colorPrint(c.State, fmt.Sprintf("%s %s\n", c.ID, c.Text))
+
+				if includeTestOutput && c.State == check.FAIL && len(c.ActualValue) > 0 {
+					printRawOutput(c.ActualValue)
+				}
 			}
 		}
 
@@ -240,3 +246,32 @@ func isMaster() bool {
 	}
 	return true
 }
+
+func printRawOutput(output string) {
+	for _, row := range strings.Split(output, "\n") {
+		fmt.Println(fmt.Sprintf("\t %s", row))
+	}
+}
+
+func writeOutputToFile(output string, outputFile string) error {
+	file, err := os.Create(outputFile)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	w := bufio.NewWriter(file)
+	fmt.Fprintln(w, output)
+	return w.Flush()
+}
+
+func PrintOutput(output string, outputFile string) {
+	if len(outputFile) == 0 {
+		fmt.Println(output)
+	} else {
+		err := writeOutputToFile(output, outputFile)
+		if err != nil {
+			exitWithError(fmt.Errorf("Failed to write to output file %s: %v", outputFile, err))
+		}
+	}
+}

cmd/root.go

@@ -47,6 +47,8 @@ var (
 	noSummary          bool
 	noRemediations     bool
 	filterOpts         FilterOpts
+	includeTestOutput  bool
+	outputFile         string
 )
 
 // RootCmd represents the base command when called without any subcommands
@@ -72,8 +74,12 @@ func Execute() {
 
 	if err := RootCmd.Execute(); err != nil {
 		fmt.Println(err)
+		// flush before exit non-zero
+		glog.Flush()
 		os.Exit(-1)
 	}
+	// flush before exit
+	glog.Flush()
 }
 
 func init() {
@@ -87,6 +93,8 @@ func init() {
 	RootCmd.PersistentFlags().BoolVar(&pgSQL, "pgsql", false, "Save the results to PostgreSQL")
 	RootCmd.PersistentFlags().BoolVar(&filterOpts.Scored, "scored", true, "Run the scored CIS checks")
 	RootCmd.PersistentFlags().BoolVar(&filterOpts.Unscored, "unscored", true, "Run the unscored CIS checks")
+	RootCmd.PersistentFlags().BoolVar(&includeTestOutput, "include-test-output", false, "Prints the actual result when test fails")
+	RootCmd.PersistentFlags().StringVar(&outputFile, "outputfile", "", "Writes the JSON results to output file")
 
 	RootCmd.PersistentFlags().StringVarP(
 		&filterOpts.CheckList,

cmd/util.go

@@ -35,6 +35,8 @@ func init() {
 
 func exitWithError(err error) {
 	fmt.Fprintf(os.Stderr, "\n%v\n", err)
+	// flush before exit non-zero
+	glog.Flush()
 	os.Exit(1)
 }
 
@@ -241,11 +243,11 @@ func getKubeConfigFiles(v *viper.Viper) map[string]string {
 				glog.V(2).Info(fmt.Sprintf("Using default kubeconfig file name '%s' for component %s", kubeconfig, component))
 			} else {
 				// Default the service file name that we'll substitute to the name of the component
-				glog.V(2).Info(fmt.Sprintf("Missing service file for %s", component))
+				glog.V(2).Info(fmt.Sprintf("Missing kubeconfig file for %s", component))
 				kubeconfig = component
 			}
 		} else {
-			glog.V(2).Info(fmt.Sprintf("Component %s uses service file '%s'", component, kubeconfig))
+			glog.V(2).Info(fmt.Sprintf("Component %s uses kubeconfig file '%s'", component, kubeconfig))
 		}
 
 		kubeconfigmap[component] = kubeconfig

cmd/version.go

@@ -0,0 +1,23 @@
+package cmd
+
+import (
+	"fmt"
+	"github.com/spf13/cobra"
+)
+
+var KubeBenchVersion string
+
+// versionCmd represents the version command
+var versionCmd = &cobra.Command{
+	Use:   "version",
+	Short: "Shows the version of kube-bench.",
+	Long:  `Shows the version of kube-bench.`,
+	Run: func(cmd *cobra.Command, args []string) {
+		fmt.Println(KubeBenchVersion)
+	},
+}
+
+func init() {
+	RootCmd.AddCommand(versionCmd)
+}
+

docs/README.md

@@ -0,0 +1,379 @@
+# Test and config files
+
+`kube-bench` runs checks specified in `controls` files that are a YAML 
+representation of the CIS Kubernetes Benchmark checks. There is a 
+`controls` file per kubernetes version and node type.
+
+kube-bench automatically selects which `controls` to use based on the detected
+node type and the version of kubernetes a cluster is running. This behaviour
+can be overridden by specifying the `master` or `node` subcommand and the
+`--version` flag on the command line.
+
+For example:
+run kube-bench against a master with version  auto-detection:
+
+```
+kube-bench master
+```
+
+or run kube-bench against a node with the node `controls` for kubernetes 
+version 1.12:
+```
+kube-bench node --version 1.12
+```
+
+`controls` for the various versions of kubernetes can be found in directories
+with same name as the kubernetes versions under `cfg/`, for example `cfg/1.12`.
+`controls` are also organized by distribution under the `cfg` directory for
+example `cfg/ocp-3.10`.
+
+
+## Controls
+
+`controls` is a YAML document that contains checks that must be run against a 
+specific kubernetes node type, master or node and version.
+
+`controls` is the fundamental input to `kube-bench`. The following is an example 
+of a basic `controls`:
+
+```
+---
+controls:
+id: 1
+text: "Master Node Security Configuration"
+type: "master"
+groups:
+- id: 1.1
+  text: API Server
+  checks:
+    - id: 1.1.1
+      text: "Ensure that the --allow-privileged argument is set (Scored)"
+      audit: "ps -ef | grep kube-apiserver | grep -v grep"
+      tests:
+      bin_op: or
+      test_items:
+      - flag: "--allow-privileged"
+        set: true
+      - flag: "--some-other-flag"
+        set: false
+      remediation: "Edit the /etc/kubernetes/config file on the master node and
+        set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
+      scored: true
+- id: 1.2
+  text: Scheduler
+  checks:
+    - id: 1.2.1
+      text: "Ensure that the --profiling argument is set to false (Scored)"
+      audit: "ps -ef | grep kube-scheduler | grep -v grep"
+      tests:
+        bin_op: or
+        test_items:
+          - flag: "--profiling"
+            set: true
+          - flag: "--some-other-flag"
+            set: false
+      remediation: "Edit the /etc/kubernetes/config file on the master node and
+        set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
+      scored: true
+```
+
+`controls` is composed of a hierachy of groups, sub-groups and checks. Each of
+the `controls` components have an id and a text description which are displayed 
+in the `kube-bench` output.
+
+`type` specifies what kubernetes node type a `controls` is for. Possible  values
+for `type` are `master` and `node`.
+
+## Groups
+
+`groups` is list of subgroups which test the various kubernetes components
+that run on the node type specified in the `controls`. 
+
+For example one subgroup checks parameters passed to the apiserver binary, while 
+another subgroup checks parameters passed to the controller-manager binary.
+
+```
+groups:
+- id: 1.1
+  text: API Server
+  ...
+- id: 1.2
+  text: Scheduler
+  ...
+```
+
+These subgroups have `id`, `text` fields which serve the same purposes described
+in the previous paragraphs. The most important part of the subgroup is the
+`checks` field which is the collection of actual `check`s that form the subgroup.
+
+This is an example of a subgroup and checks in the subgroup.
+
+```
+id: 1.1
+text: API Server
+checks:
+  - id: 1.1.1
+    text: "Ensure that the --allow-privileged argument is set (Scored)"
+    audit: "ps -ef | grep kube-apiserver | grep -v grep"
+    tests:
+    ...
+  - id: 1.1.2
+    text: "Ensure that the --anonymous-auth argument is set to false (Not Scored)"
+    audit: "ps -ef | grep kube-apiserver | grep -v grep"
+    tests:
+    ...
+``` 
+
+`kube-bench` supports running a subgroup by specifying the subgroup `id` on the
+command line, with the flag `--group` or `-g`.
+
+## Check
+
+The CIS Kubernetes Benchmark recommends configurations to harden kubernetes 
+components. These recommendations are usually configuration options, and can be 
+specified by flags to kubernetes binaries, or in configuration files.
+
+The Benchmark also provides commands to audit a kubernetes installation, identify
+places where the cluster security can be improved, and steps to remediate these
+identified problems.
+
+In `kube-bench`, `check` objects embody these recommendations.  This an example
+`check` object:
+
+```
+id: 1.1.1
+text: "Ensure that the --anonymous-auth argument is set to false (Not Scored)"
+audit: "ps -ef | grep kube-apiserver | grep -v grep"
+tests:
+  test_items:
+  - flag: "--anonymous-auth"
+    compare:
+      op: eq
+      value: false
+    set: true
+remediation: |
+  Edit the API server pod specification file kube-apiserver
+  on the master node and set the below parameter.
+  --anonymous-auth=false
+scored: false
+```
+
+A `check` object has an `id`, a `text`, an `audit` , a `tests`,`remediation`
+and `scored` fields.
+
+`kube-bench` supports running individual checks by specifying the check's `id`
+as a comma-delimited list on the command line with the `--check` flag.
+
+The `audit` field specifies the command to run for a check. The output of this
+command is then evaluated for conformance with the CIS Kubernetes Benchmark
+recommendation.
+
+The audit is evaluated against a criteria specified by the `tests`
+object. `tests` contain `bin_op` and `test_items`.
+
+`test_items` specify the criteria(s) the `audit` command's output should meet to
+pass a check. This criteria is made up of keywords extracted from the output of
+the `audit` command and operations that compare the these keywords against
+values expected by the CIS Kubernetes Benchmark. 
+
+The are two ways to extract keywords from the output of the `audit` command,
+`flag` and `path`.
+
+`flag` is used when the keyword is a command line flag. The associated `audit`
+command is usually a `ps` command and a `grep` for the binary whose flag we are
+checking:
+
+```
+ps -ef | grep somebinary | grep -v grep
+``` 
+
+Here is an example usage of the `flag` option:
+
+```
+...
+audit: "ps -ef | grep kube-apiserver | grep -v grep"
+tests:
+  test_items:
+  - flag: "--anonymous-auth"
+  ...
+```
+
+`path` is used when the keyword is an option set in a JSON or YAML config file.
+The associated `audit` command is usually `cat /path/to/config-yaml-or-json`.
+For example:
+
+```
+...
+
+text: "Ensure that the --anonymous-auth argument is set to false (Not Scored)"
+audit: "cat /path/to/some/config"
+tests:
+  test_items:
+  - path: "{.someoption.value}"
+    ...
+```
+
+`test_item` compares the output of the audit command and keywords using the
+`set` and `compare` fields.
+
+```
+  test_items:
+  - flag: "--anonymous-auth"
+    compare:
+      op: eq
+      value: false
+    set: true
+```
+
+`set` checks if a keyword is present in the output of the audit command or in
+a config file. The possible values for `set` are true and false.
+
+If `set` is true, the check passes only if the keyword is present in the output
+of the audit command, or config file. If `set` is false, the check passes only
+if the keyword is not present in the output of the audit command, or config file.
+
+`compare` has two fields `op` and `value` to compare keywords with expected
+value. `op` specifies which operation is used for the comparison , and `value`
+specifies the value to compare against.
+
+> To use `compare`, `set` must true. The comparison will be ignored if `set` is
+> false
+
+The `op` (operations) currently supported in `kube-bench` are:
+- `eq`: tests if the keyword is equal to the compared value.
+- `noteq`: tests if the keyword is unequal to the compared value.
+- `gt`: tests if the keyword is greater than the compared value.
+- `gte`: tests if the keyword is greater than or equal to the compared value.
+- `lt`: tests if the keyword is less than the compared value.
+- `lte`: tests if the keyword is less than or equal to the compared value.
+- `has`: tests if the keyword contains the compared value.
+- `nothave`: tests if the keyword does not contain the compared value.
+
+## Configuration and Variables
+
+Kubernetes component configuration and binary file locations and names 
+vary based on cluster deployment methods and kubernetes distribution used.
+For this reason, the locations of these binaries and config files are configurable
+by editing the `cfg/config.yaml` file and these binaries and files can be
+referenced in a `controls` file via variables.
+
+The `cfg/config.yaml` file is a global configuration file. Configuration files
+can be created for specific Kubernetes versions (distributions). Values in the
+version specific config overwrite similar values in `cfg/config.yaml`.
+
+For example, the kube-apiserver in Redhat OCP distribution is run as 
+`hypershift openshift-kube-apiserver` instead of the default `kube-apiserver`.
+This difference can be specified by editing the `master.apiserver.defaultbin`
+entry `cfg/ocp-3.10/config.yaml`.
+
+Below is the structure of `cfg/config.yaml`:
+
+```
+nodetype
+  |-- components
+    |-- component1
+  |-- component1
+    |-- bins
+    |-- defaultbin (optional)
+    |-- confs
+    |-- defaultconf (optional)
+    |-- svcs
+    |-- defaultsvc (optional)
+    |-- kubeconfig
+    |-- defaultkubeconfig (optional)
+```
+
+Every node type has a subsection that specifies the main configurations items.
+
+- `components`: A list of components for the node type. For example master 
+  will have an entry for **apiserver**, **scheduler** and **controllermanager**.
+  
+  Each component has the following entries:
+
+- `bins`: A list of candidate binaries for a component. `kube-bench` checks this
+   list and selects the first binary that is running on the node, if none is
+   running, `kube-bench` terminates.
+
+   If `defaultbin` is specified, `kube-bench` ignores the `bins` list (if it is
+   specified) and verifies the binary specified with `defaultbin` is running on
+   the node. `kube-bench` terminates if this binary is not running.
+   
+   The selected binary for a component can be referenced in `controls` using a 
+   variable in the form `$<component>bin`. In the example below, we reference 
+   the selected API server binary with the variable `$apiserverbin` in an `audit`
+   command.
+   
+   ```
+   id: 1.1.1
+    text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
+    audit: "ps -ef | grep $apiserverbin | grep -v grep"
+    ...
+   ```
+   
+- `confs`: A list of candidate configuration files for a component. `kube-bench`
+  checks this list and selects the first config fille that is found on the node,
+  if none of the config files exists `kube-bench` terminates.
+  
+  If `defaultconf`is specified for a component, `kube-bench` ignores the `confs`
+  list (if it is specified) and verifies the config specified by `defaultconf`
+  exists on the node. `kube-bench` terminates if this file does not exist.
+  
+  The selected config for a component can be referenced in `controls` using a
+  variable in the form `$<component>conf`. In the example below we reference the 
+  selected API server config file with the variable `$apiserverconf` in an `audit`
+  command.
+  
+  ```
+  id: 1.4.1
+    text: "Ensure that the API server pod specification file permissions are
+    set to 644 or more restrictive (Scored)"
+    audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
+
+  ```
+  
+- `svcs`:  A list of candidates unitfiles for a component. `kube-bench` checks this 
+  list and selects the first unitfile that is found on the node, if none of the
+  unitfiles exists `kube-bench` terminates.
+  
+  If `defaultsvc`is specified for a component, `kube-bench` ignores the `svcs`
+  list (if it is specified) and verifies the unitfile specified by `defaultsvc`
+  exists on the node. `kube-bench` terminates if this file does not exist.
+  
+  The selected unitfile for a component can be referenced in `controls` via a
+  variable in the form `$<component>svc`. In the example below, the selected 
+  kubelet unitfile is referenced with `$kubeletsvc` in the `remediation` of the 
+  `check`.
+  
+  ```
+  id: 2.1.1
+    ...
+    remediation: |
+      Edit the kubelet service file $kubeletsvc
+      on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+      --allow-privileged=false
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    ...
+  ```
+  
+  - `kubeconfig`: A list of candidate kubeconfig files for a component. `kube-bench`
+    checks this list and selects the first file that is found on the node, if none
+    of the files exists `kube-bench` terminates.
+    
+    If `defaultkubeconfig` is specified for a component, `kube-bench` ignores the
+    `kubeconfig` list (if it is specified) and verifies the kubeconfig file exists on
+    the node. `kube-bench` terminates if this file does not exist.
+    
+    The selected kubeconfig for a component can be referenced in `controls` with
+    a variable in the form `$<component>kubeconfig`. In the example below, the
+    selected kubelet kubeconfig is referenced with `$kubeletkubeconfig` in the
+    `audit` command.
+    
+    ```
+    id: 2.2.1
+      text: "Ensure that the kubelet.conf file permissions are set to 644 or
+      more restrictive (Scored)"
+      audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
+      ...
+    ```

go.mod

@@ -0,0 +1,33 @@
+module github.com/aquasecurity/kube-bench
+
+go 1.12
+
+require (
+	github.com/denisenkom/go-mssqldb v0.0.0-20190515213511-eb9f6a1743f3 // indirect
+	github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5 // indirect
+	github.com/fatih/color v1.5.0
+	github.com/go-sql-driver/mysql v1.4.1 // indirect
+	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
+	github.com/hashicorp/hcl v0.0.0-20171017181929-23c074d0eceb // indirect
+	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/jinzhu/gorm v0.0.0-20160404144928-5174cc5c242a
+	github.com/jinzhu/inflection v0.0.0-20170102125226-1c35d901db3d // indirect
+	github.com/jinzhu/now v1.0.1 // indirect
+	github.com/kr/pretty v0.1.0 // indirect
+	github.com/lib/pq v0.0.0-20171126050459-83612a56d3dd // indirect
+	github.com/magiconair/properties v0.0.0-20171031211101-49d762b9817b // indirect
+	github.com/mattn/go-colorable v0.0.0-20170210172801-5411d3eea597 // indirect
+	github.com/mattn/go-isatty v0.0.0-20170307163044-57fdcb988a5c // indirect
+	github.com/mattn/go-sqlite3 v1.10.0 // indirect
+	github.com/mitchellh/mapstructure v0.0.0-20171017171808-06020f85339e // indirect
+	github.com/pelletier/go-toml v0.0.0-20171222114548-0131db6d737c // indirect
+	github.com/spf13/afero v0.0.0-20171228125011-57afd63c6860 // indirect
+	github.com/spf13/cast v1.1.0 // indirect
+	github.com/spf13/cobra v0.0.1
+	github.com/spf13/jwalterweatherman v0.0.0-20170901151539-12bd96e66386 // indirect
+	github.com/spf13/pflag v0.0.0-20171106142849-4c012f6dcd95 // indirect
+	github.com/spf13/viper v1.0.0
+	github.com/stretchr/testify v1.3.0
+	gopkg.in/yaml.v2 v2.2.2
+	k8s.io/client-go v10.0.0+incompatible
+)

go.sum

@@ -0,0 +1,184 @@
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.37.4 h1:glPeL3BQJsbF6aIIYfZizMwc5LTYz250bDMjttbBGAU=
+cloud.google.com/go v0.37.4/go.mod h1:NHPJ89PdicEuT9hdPXMROBD91xc5uRDxsMtSB16k7hw=
+github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo=
+github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
+github.com/aquasecurity/kube-bench v0.0.29 h1:jn0odIPAx+OArSfGGjA529PxZSS4xps6gq8LlX4h5wk=
+github.com/aquasecurity/kube-bench v0.0.29/go.mod h1:OJtT6nbmq/4tkF3sIKHO8DIZz7PVXDwYlXJusc33R3Y=
+github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/denisenkom/go-mssqldb v0.0.0-20190515213511-eb9f6a1743f3 h1:tkum0XDgfR0jcVVXuTsYv/erY2NnEDqwRojbxR1rBYA=
+github.com/denisenkom/go-mssqldb v0.0.0-20190515213511-eb9f6a1743f3/go.mod h1:zAg7JM8CkOJ43xKXIj7eRO9kmWm/TW578qo+oDO6tuM=
+github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
+github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU=
+github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
+github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5 h1:Yzb9+7DPaBjB8zlTR87/ElzFsnQfuHnVUVqpZZIcV5Y=
+github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a2zkGnVExMxdzMo3M0Hi/3sEU+cWnZpSni0O6/Yb/P0=
+github.com/fatih/color v1.5.0 h1:vBh+kQp8lg9XPr56u1CPrWjFXtdphMoGWVHr9/1c+A0=
+github.com/fatih/color v1.5.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
+github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
+github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA=
+github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
+github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/go-cmp v0.2.0 h1:+dTQ8DZQJz0Mb/HjFlkptS1FeQ4cWSnN941F8aEG4SQ=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
+github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
+github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
+github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
+github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/hcl v0.0.0-20171017181929-23c074d0eceb h1:1OvvPvZkn/yCQ3xBcM8y4020wdkMXPHLB4+NfoGWh4U=
+github.com/hashicorp/hcl v0.0.0-20171017181929-23c074d0eceb/go.mod h1:oZtUIOe8dh44I2q6ScRibXws4Ajl+d+nod3AaR9vL5w=
+github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
+github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
+github.com/jinzhu/gorm v0.0.0-20160404144928-5174cc5c242a h1:pfPxlCVlKqBRqHpyCxOIKhhB4ERpz02iadDpRVevLm4=
+github.com/jinzhu/gorm v0.0.0-20160404144928-5174cc5c242a/go.mod h1:Vla75njaFJ8clLU1W44h34PjIkijhjHIYnZxMqCdxqo=
+github.com/jinzhu/inflection v0.0.0-20170102125226-1c35d901db3d h1:jRQLvyVGL+iVtDElaEIDdKwpPqUIZJfzkNLV34htpEc=
+github.com/jinzhu/inflection v0.0.0-20170102125226-1c35d901db3d/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
+github.com/jinzhu/now v1.0.1 h1:HjfetcXq097iXP0uoPCdnM4Efp5/9MsM0/M+XOTeR3M=
+github.com/jinzhu/now v1.0.1/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
+github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
+github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/lib/pq v0.0.0-20171126050459-83612a56d3dd h1:2RDaVc4/izhWyAvYxNm8c9saSyCDIxefNwOcqaH7pcU=
+github.com/lib/pq v0.0.0-20171126050459-83612a56d3dd/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
+github.com/magiconair/properties v0.0.0-20171031211101-49d762b9817b h1:bR3tkU6ocnK5a0NsdgTMWc7sILt+BY0PceUYC6EpSqc=
+github.com/magiconair/properties v0.0.0-20171031211101-49d762b9817b/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
+github.com/mattn/go-colorable v0.0.0-20170210172801-5411d3eea597 h1:hGizH4aMDFFt1iOA4HNKC13lqIBoCyxIjWcAnWIy7aU=
+github.com/mattn/go-colorable v0.0.0-20170210172801-5411d3eea597/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
+github.com/mattn/go-isatty v0.0.0-20170307163044-57fdcb988a5c h1:AHfQR/s6GNi92TOh+kfGworqDvTxj2rMsS+Hca87nck=
+github.com/mattn/go-isatty v0.0.0-20170307163044-57fdcb988a5c/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
+github.com/mattn/go-sqlite3 v1.10.0 h1:jbhqpg7tQe4SupckyijYiy0mJJ/pRyHvXf7JdWK860o=
+github.com/mattn/go-sqlite3 v1.10.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
+github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/mitchellh/mapstructure v0.0.0-20171017171808-06020f85339e h1:PtGHLB3CX3TFPcksODQMxncoeQKWwCgTg0bJ40VLJP4=
+github.com/mitchellh/mapstructure v0.0.0-20171017171808-06020f85339e/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
+github.com/pelletier/go-toml v0.0.0-20171222114548-0131db6d737c h1:38Gz4xhAnFXimzmHWtvA13DKjvKbXA8OoCpUwCsfmAk=
+github.com/pelletier/go-toml v0.0.0-20171222114548-0131db6d737c/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
+github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
+github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
+github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
+github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
+github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
+github.com/spf13/afero v0.0.0-20171228125011-57afd63c6860 h1:Sah2mqQfQuPUyJ+MJN2JevGfVjF80KsRLR5fcaERajg=
+github.com/spf13/afero v0.0.0-20171228125011-57afd63c6860/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
+github.com/spf13/cast v1.1.0 h1:0Rhw4d6C8J9VPu6cjZLIhZ8+aAOHcDvGeKn+cq5Aq3k=
+github.com/spf13/cast v1.1.0/go.mod h1:r2rcYCSwa1IExKTDiTfzaxqT2FNHs8hODu4LnUfgKEg=
+github.com/spf13/cobra v0.0.1 h1:zZh3X5aZbdnoj+4XkaBxKfhO4ot82icYdhhREIAXIj8=
+github.com/spf13/cobra v0.0.1/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
+github.com/spf13/jwalterweatherman v0.0.0-20170901151539-12bd96e66386 h1:zBoLErXXAvWnNsu+pWkRYl6Cx1KXmIfAVsIuYkPN6aY=
+github.com/spf13/jwalterweatherman v0.0.0-20170901151539-12bd96e66386/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
+github.com/spf13/pflag v0.0.0-20171106142849-4c012f6dcd95 h1:fBkxrj/ArtKnC3J1DOZhn3SYiVkVRFZC574bq2Ifa/0=
+github.com/spf13/pflag v0.0.0-20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/viper v1.0.0 h1:RUA/ghS2i64rlnn4ydTfblY8Og8QzcPtCcHvgMn+w/I=
+github.com/spf13/viper v1.0.0/go.mod h1:A8kyI5cUJhb8N+3pkfONlcEcZbueH6nhAm0Fq7SrnBM=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1 h1:2vfRuCMp5sSVIDSqO8oNnWJq7mPa6KVP3iPIwFBuy8A=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
+golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c h1:Vj5n4GlwjmQteupaxJ9+0FNOmBrHfq7vN4btdGoDZgI=
+golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a h1:1BGLXjeY4akVXGgbC9HugT3Jv3hCI0z56oJR5vAMgBU=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2 h1:z99zHgr7hKfrUcX/KsoJk5FJfjTceCKIp96+biqP4To=
+golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190404172233-64821d5d2107/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+k8s.io/client-go v10.0.0+incompatible h1:F1IqCqw7oMBzDkqlcBymRq1450wD0eNqLE9jzUrIi34=
+k8s.io/client-go v10.0.0+incompatible/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s=

makefile

@@ -2,6 +2,7 @@ SOURCES := $(shell find . -name '*.go')
 BINARY := kube-bench
 DOCKER_REGISTRY ?= aquasec
 VERSION ?= $(shell git rev-parse --short=7 HEAD)
+KUBEBENCH_VERSION ?= $(shell git describe --tags --abbrev=0)
 IMAGE_NAME ?= $(DOCKER_REGISTRY)/$(BINARY):$(VERSION)
 TARGET_OS := linux
 BUILD_OS := linux
@@ -22,7 +23,7 @@ KIND_CONTAINER_NAME=$(KIND_PROFILE)-control-plane
 build: kube-bench
 
 $(BINARY): $(SOURCES)
-	GOOS=$(TARGET_OS) go build -o $(BINARY) .
+	GOOS=$(TARGET_OS) go build -ldflags "-X github.com/aquasecurity/kube-bench/cmd.KubeBenchVersion=$(KUBEBENCH_VERSION)" -o $(BINARY) .
 
 # builds the current dev docker version
 build-docker: