Merge pull request #102 from aquasecurity/update-goreleaser

Update to nfpm as fpm is deprecated

.goreleaser.yml

@@ -9,12 +9,7 @@ builds:
 # Archive customization
 archive:
   format: tar.gz
-dockers:
-  -
-    binary: kube-bench
-    image: aquasec/kube-bench
-    latest: true
-fpm:
+nfpm:
   vendor: Aqua Security
   description: "The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices"
   license: Apache-2.0

README.md

@@ -47,7 +47,6 @@ Flags:
   -c, --check string          A comma-delimited list of checks to run as specified in CIS document. Example --check="1.1.1,1.1.2"
       --config string         config file (default is ./cfg/config.yaml)
   -g, --group string          Run all the checks under this comma-delimited list of groups. Example --group="1.1"
-      --installation string   Specify how kubernetes cluster was installed. Possible values are default,hyperkube,kops,kubeadm (default "default")
       --json                  Prints the results as JSON
   -v, --verbose               verbose output (default false)
 ```

cfg/1.8/master.yaml

@@ -628,7 +628,7 @@ groups:
         set: true
     remediation: |
       Remediation:
-        Edit the Scheduler pod specification file $apiserverconf
+        Edit the Scheduler pod specification file $schedulerconf
         file on the master node and set the below parameter.
         --profiling=false
     scored: true
@@ -644,7 +644,7 @@ groups:
         - flag: "--terminated-pod-gc-threshold"
           set: true
     remediation: |
-      Edit the Controller Manager pod specification file $apiserverconf
+      Edit the Controller Manager pod specification file $controllermanagerconf
       on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold, for example:
       --terminated-pod-gc-threshold=10
     scored: true
@@ -978,12 +978,23 @@ groups:
     more restrictive (Scored)"
     audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'"
     tests:
+      bin_op: or
       test_items:
-      - flag: "644"
-        compare:
-          op: eq
-          value: "644"
-        set: true
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true 
     remediation: |
       Run the below command (based on the file location on your system) on the master node.
       For example,
@@ -1009,14 +1020,25 @@ groups:
   - id: 1.4.15
     text: "Ensure that the scheduler.conf file permissions are set to 644 or
     more restrictive (Scored)"
-    audit: "/bin/sh -c 'if test -e $schedulerconf then stat -c %a $schedulerconf; fi'"
+    audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
     tests:
+      bin_op: or
       test_items:
-      - flag: "644"
-        compare:
-          op: eq
-          value: "644"
-        set: true
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
     remediation: |
       Run the below command (based on the file location on your system) on the master node.
       For example,
@@ -1042,14 +1064,25 @@ groups:
   - id: 1.4.17
     text: "Ensure that the controller-manager.conf file permissions are set
     to 644 or more restrictive (Scored)"
-    audit: "/bin/sh -c 'if test -e $controllermanagerconf then stat -c %a $controllermanagerconf; fi'"
+    audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
     tests:
+      bin_op: or
       test_items:
-      - flag: "644"
-        compare:
-          op: eq
-          value: "644"
-        set: true
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true   
     remediation: |
       Run the below command (based on the file location on your system) on the master node.
       For example,

cmd/common.go

@@ -17,6 +17,7 @@ package cmd
 import (
 	"fmt"
 	"io/ioutil"
+	"path/filepath"
 
 	"github.com/aquasecurity/kube-bench/check"
 	"github.com/golang/glog"
@@ -47,9 +48,15 @@ func runChecks(t check.NodeType) {
 	}
 
 	ver := getKubeVersion()
-	path := fmt.Sprintf("%s/%s", cfgDir, ver)
+	switch ver {
+	case "1.9", "1.10":
+		continueWithError(nil, fmt.Sprintf("No CIS spec for %s - using tests from CIS 1.2.0 spec for Kubernetes 1.8\n", ver))
+		ver = "1.8"
+	}
+
+	path := filepath.Join(cfgDir, ver)
+	def := filepath.Join(path, file)
 
-	def := fmt.Sprintf("%s/%s", path, file)
 	in, err := ioutil.ReadFile(def)
 	if err != nil {
 		exitWithError(fmt.Errorf("error opening %s controls file: %v", t, err))
@@ -103,7 +110,7 @@ func runChecks(t check.NodeType) {
 		fmt.Println(string(out))
 	} else {
 		// if we want to store in PostgreSQL, convert to JSON and save it
-		if (summary.Fail > 0 || summary.Warn > 0 || summary.Pass > 0) && pgSql {
+		if (summary.Fail > 0 || summary.Warn > 0 || summary.Pass > 0) && pgSQL {
 			out, err := controls.JSON()
 			if err != nil {
 				exitWithError(fmt.Errorf("failed to output in JSON format: %v", err))

cmd/database.go

@@ -7,7 +7,7 @@ import (
 
 	"github.com/golang/glog"
 	"github.com/jinzhu/gorm"
-	_ "github.com/jinzhu/gorm/dialects/postgres"
+	_ "github.com/jinzhu/gorm/dialects/postgres" // database packages get blank imports
 	"github.com/spf13/viper"
 )
 

cmd/root.go

@@ -30,7 +30,7 @@ var (
 	defaultKubeVersion = "1.6"
 	cfgFile            string
 	jsonFmt            bool
-	pgSql              bool
+	pgSQL              bool
 	checkList          string
 	groupList          string
 	masterFile         string
@@ -61,7 +61,7 @@ func init() {
 	cobra.OnInitialize(initConfig)
 
 	RootCmd.PersistentFlags().BoolVar(&jsonFmt, "json", false, "Prints the results as JSON")
-	RootCmd.PersistentFlags().BoolVar(&pgSql, "pgsql", false, "Save the results to PostgreSQL")
+	RootCmd.PersistentFlags().BoolVar(&pgSQL, "pgsql", false, "Save the results to PostgreSQL")
 	RootCmd.PersistentFlags().StringVarP(
 		&checkList,
 		"check",

cmd/util.go

@@ -196,9 +196,8 @@ func findExecutable(candidates []string) (string, error) {
 	for _, c := range candidates {
 		if verifyBin(c) {
 			return c, nil
-		} else {
-			glog.V(1).Info(fmt.Sprintf("executable '%s' not running", c))
 		}
+		glog.V(1).Info(fmt.Sprintf("executable '%s' not running", c))
 	}
 
 	return "", fmt.Errorf("no candidates running")
@@ -216,10 +215,19 @@ func multiWordReplace(s string, subname string, sub string) string {
 func getKubeVersion() string {
 	// These executables might not be on the user's path.
 	_, err := exec.LookPath("kubectl")
+
 	if err != nil {
-		exitWithError(fmt.Errorf("kubernetes version check failed: %v", err))
+		_, err = exec.LookPath("kubelet")
+		if err != nil {
+			exitWithError(fmt.Errorf("Version check failed: need kubectl or kubelet binaries to get kubernetes version"))
+		}
+		return getKubeVersionFromKubelet()
 	}
 
+	return getKubeVersionFromKubectl()
+}
+
+func getKubeVersionFromKubectl() string {
 	cmd := exec.Command("kubectl", "version", "--short")
 	out, err := cmd.CombinedOutput()
 	if err != nil {
@@ -229,6 +237,17 @@ func getKubeVersion() string {
 	return getVersionFromKubectlOutput(string(out))
 }
 
+func getKubeVersionFromKubelet() string {
+	cmd := exec.Command("kubelet", "--version")
+	out, err := cmd.CombinedOutput()
+	
+	if err != nil {
+		continueWithError(fmt.Errorf("%s", out), "")
+	}
+
+	return getVersionFromKubeletOutput(string(out))
+}
+
 func getVersionFromKubectlOutput(s string) string {
 	serverVersionRe := regexp.MustCompile(`Server Version: v(\d+.\d+)`)
 	subs := serverVersionRe.FindStringSubmatch(s)
@@ -239,6 +258,16 @@ func getVersionFromKubectlOutput(s string) string {
 	return subs[1]
 }
 
+func getVersionFromKubeletOutput(s string) string {
+	serverVersionRe := regexp.MustCompile(`Kubernetes v(\d+.\d+)`)
+	subs := serverVersionRe.FindStringSubmatch(s)
+	if len(subs) < 2 {
+		printlnWarn(fmt.Sprintf("Unable to get kubelet version, using default version: %s", defaultKubeVersion))
+		return defaultKubeVersion
+	}
+	return subs[1]
+}
+
 func makeSubstitutions(s string, ext string, m map[string]string) string {
 	for k, v := range m {
 		subst := "$" + k + ext