Merge pull request #159 from lukebond/master

Update README.md

README.md

@@ -5,7 +5,7 @@
 
 <img src="images/kube-bench.png" width="200" alt="kube-bench logo">
 
-kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.
+kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).
 
 Tests are configured with YAML files, making this tool easy to update as test specifications evolve. 
 
@@ -28,15 +28,17 @@ You can choose to
 You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace.
 
 ```
-docker run --pid=host aquasec/kube-bench:latest <master|node>
+docker run --pid=host -t aquasec/kube-bench:latest <master|node>
 ```
 
 You can even use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/`
 
 ```
-docker run --pid=host -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest <master|node>
+docker run --pid=host -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest <master|node>
 ```
 
+> Note: the tests require either the kubelet or kubectl binary in the path in order to know the Kubernetes version. You can pass `-v $(which kubectl):/usr/bin/kubectl` to the above invocations to resolve this.
+
 ### Running in a kubernetes cluster
 Run the master check
 

check/check.go

@@ -60,16 +60,17 @@ func handleError(err error, context string) (errmsg string) {
 // Check contains information about a recommendation in the
 // CIS Kubernetes 1.6+ document.
 type Check struct {
-	ID          string 		`yaml:"id" json:"test_number"`
-	Text        string		`json:"test_desc"`
+	ID          string      `yaml:"id" json:"test_number"`
+	Text        string      `json:"test_desc"`
 	Audit       string      `json:"omit"`
 	Type        string      `json:"type"`
 	Commands    []*exec.Cmd `json:"omit"`
 	Tests       *tests      `json:"omit"`
 	Set         bool        `json:"omit"`
-	Remediation string 		`json:"-"`
-	TestInfo    []string 	`json:"test_info"`
-	State 					`json:"status"`
+	Remediation string      `json:"-"`
+	TestInfo    []string    `json:"test_info"`
+	State       `json:"status"`
+	ActualValue string `json:"actual_value"`
 }
 
 // Run executes the audit commands specified in a check and outputs
@@ -157,15 +158,25 @@ func (c *Check) Run() {
 		i++
 	}
 
-	if errmsgs != "" {
-		glog.V(2).Info(errmsgs)
+	finalOutput := c.Tests.execute(out.String())
+	if finalOutput != nil {
+		c.ActualValue = finalOutput.actualResult
+		if finalOutput.testResult {
+			c.State = PASS
+		} else {
+			c.State = FAIL
+		}
+	} else {
+		errmsgs += handleError(
+			fmt.Errorf("final output is nil"),
+			fmt.Sprintf("failed to run: %s\n",
+				c.Audit,
+			),
+		)
 	}
 
-	res := c.Tests.execute(out.String())
-	if res {
-		c.State = PASS
-	} else {
-		c.State = FAIL
+	if errmsgs != "" {
+		glog.V(2).Info(errmsgs)
 	}
 }
 

check/controls.go

@@ -23,9 +23,9 @@ import (
 
 // Controls holds all controls to check for master nodes.
 type Controls struct {
-	ID      string `yaml:"id" json:"id"`
-	Version string	`json:"version"`
-	Text    string 	`json:"text"`
+	ID      string   `yaml:"id" json:"id"`
+	Version string   `json:"version"`
+	Text    string   `json:"text"`
 	Type    NodeType `json:"node_type"`
 	Groups  []*Group `json:"tests"`
 	Summary
@@ -43,9 +43,9 @@ type Group struct {
 
 // Summary is a summary of the results of control checks run.
 type Summary struct {
-	Pass int   `json:"total_pass"`
-	Fail int   `json:"total_fail"`
-	Warn int   `json:"total_warn"`
+	Pass int `json:"total_pass"`
+	Fail int `json:"total_fail"`
+	Warn int `json:"total_warn"`
 }
 
 // NewControls instantiates a new master Controls object.

check/data

@@ -17,7 +17,7 @@ groups:
     - id: 1
       text: "flag is not set"
       tests:
-        test_item:
+        test_items:
           - flag: "--basic-auth"
             set: false
 

check/test.go

@@ -49,8 +49,13 @@ type compare struct {
 	Value string
 }
 
-func (t *testItem) execute(s string) (result bool) {
-	result = false
+type testOutput struct {
+	testResult   bool
+	actualResult string
+}
+
+func (t *testItem) execute(s string) *testOutput {
+	result := &testOutput{}
 	match := strings.Contains(s, t.Flag)
 
 	if t.Set {
@@ -78,57 +83,57 @@ func (t *testItem) execute(s string) (result bool) {
 				os.Exit(1)
 			}
 
+			result.actualResult = strings.ToLower(flagVal)
 			switch t.Compare.Op {
 			case "eq":
 				value := strings.ToLower(flagVal)
 				// Do case insensitive comparaison for booleans ...
 				if value == "false" || value == "true" {
-					result = value == t.Compare.Value
+					result.testResult = value == t.Compare.Value
 				} else {
-					result = flagVal == t.Compare.Value
+					result.testResult = flagVal == t.Compare.Value
 				}
 
 			case "noteq":
 				value := strings.ToLower(flagVal)
 				// Do case insensitive comparaison for booleans ...
 				if value == "false" || value == "true" {
-					result = !(value == t.Compare.Value)
+					result.testResult = !(value == t.Compare.Value)
 				} else {
-					result = !(flagVal == t.Compare.Value)
+					result.testResult = !(flagVal == t.Compare.Value)
 				}
 
 			case "gt":
 				a, b := toNumeric(flagVal, t.Compare.Value)
-				result = a > b
+				result.testResult = a > b
 
 			case "gte":
 				a, b := toNumeric(flagVal, t.Compare.Value)
-				result = a >= b
+				result.testResult = a >= b
 
 			case "lt":
 				a, b := toNumeric(flagVal, t.Compare.Value)
-				result = a < b
+				result.testResult = a < b
 
 			case "lte":
 				a, b := toNumeric(flagVal, t.Compare.Value)
-				result = a <= b
+				result.testResult = a <= b
 
 			case "has":
-				result = strings.Contains(flagVal, t.Compare.Value)
+				result.testResult = strings.Contains(flagVal, t.Compare.Value)
 
 			case "nothave":
-				result = !strings.Contains(flagVal, t.Compare.Value)
+				result.testResult = !strings.Contains(flagVal, t.Compare.Value)
 			}
 		} else {
-			result = isset
+			result.testResult = isset
 		}
 
 	} else {
 		notset := !match
-		result = notset
+		result.testResult = notset
 	}
-
-	return
+	return result
 }
 
 type tests struct {
@@ -136,13 +141,19 @@ type tests struct {
 	BinOp     binOp       `yaml:"bin_op"`
 }
 
-func (ts *tests) execute(s string) (result bool) {
-	res := make([]bool, len(ts.TestItems))
+func (ts *tests) execute(s string) *testOutput {
+	finalOutput := &testOutput{}
 
-	for i, t := range ts.TestItems {
-		res[i] = t.execute(s)
+	res := make([]testOutput, len(ts.TestItems))
+	if len(res) == 0 {
+		return finalOutput
 	}
 
+	for i, t := range ts.TestItems {
+		res[i] = *(t.execute(s))
+	}
+
+	var result bool
 	// If no binary operation is specified, default to AND
 	switch ts.BinOp {
 	default:
@@ -151,16 +162,19 @@ func (ts *tests) execute(s string) (result bool) {
 	case and, "":
 		result = true
 		for i := range res {
-			result = result && res[i]
+			result = result && res[i].testResult
 		}
 	case or:
 		result = false
 		for i := range res {
-			result = result || res[i]
+			result = result || res[i].testResult
 		}
 	}
 
-	return
+	finalOutput.testResult = result
+	finalOutput.actualResult = res[0].actualResult
+
+	return finalOutput
 }
 
 func toNumeric(a, b string) (c, d int) {

check/test_test.go

@@ -113,7 +113,7 @@ func TestTestExecute(t *testing.T) {
 	}
 
 	for _, c := range cases {
-		res := c.Tests.execute(c.str)
+		res := c.Tests.execute(c.str).testResult
 		if !res {
 			t.Errorf("%s, expected:%v, got:%v\n", c.Text, true, res)
 		}

cmd/common.go

@@ -44,7 +44,11 @@ func runChecks(nodetype check.NodeType) {
 		file = federatedFile
 	}
 
-	path, err := getConfigFilePath(kubeVersion, getKubeVersion(), file)
+	runningVersion, err := getKubeVersion()
+	if err != nil && kubeVersion == "" {
+		exitWithError(fmt.Errorf("Version check failed: %s\nAlternatively, you can specify the version with --version", err))
+	}
+	path, err := getConfigFilePath(kubeVersion, runningVersion, file)
 	if err != nil {
 		exitWithError(fmt.Errorf("can't find %s controls file in %s: %v", nodetype, cfgDir, err))
 	}

cmd/root.go

@@ -46,7 +46,7 @@ var (
 var RootCmd = &cobra.Command{
 	Use:   os.Args[0],
 	Short: "Run CIS Benchmarks checks against a Kubernetes deployment",
-	Long:  `This tool runs the CIS Kubernetes Benchmark (http://www.cisecurity.org/benchmark/kubernetes/)`,
+	Long:  `This tool runs the CIS Kubernetes Benchmark (https://www.cisecurity.org/benchmark/kubernetes/)`,
 }
 
 // Execute adds all child commands to the root command sets flags appropriately.

cmd/util.go

@@ -129,6 +129,8 @@ func getConfigFilePath(specifiedVersion string, runningVersion string, filename
 		fileVersion = runningVersion
 	}
 
+	glog.V(2).Info(fmt.Sprintf("Looking for config for version %s", fileVersion))
+
 	for {
 		path = filepath.Join(cfgDir, fileVersion)
 		file := filepath.Join(path, string(filename))
@@ -265,19 +267,19 @@ func multiWordReplace(s string, subname string, sub string) string {
 	return strings.Replace(s, subname, sub, -1)
 }
 
-func getKubeVersion() string {
+func getKubeVersion() (string, error) {
 	// These executables might not be on the user's path.
 	_, err := exec.LookPath("kubectl")
 
 	if err != nil {
 		_, err = exec.LookPath("kubelet")
 		if err != nil {
-			exitWithError(fmt.Errorf("Version check failed: need kubectl or kubelet binaries to get kubernetes version.\nAlternately, you can specify the version with --version"))
+			return "", fmt.Errorf("need kubectl or kubelet binaries to get kubernetes version")
 		}
-		return getKubeVersionFromKubelet()
+		return getKubeVersionFromKubelet(), nil
 	}
 
-	return getKubeVersionFromKubectl()
+	return getKubeVersionFromKubectl(), nil
 }
 
 func getKubeVersionFromKubectl() string {