github/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2026-03-01 01:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github:v0.6.15
Branches Tags
github:main github:dependabot/go_modules/github.com/aws/aws-sdk-go-v2-1.41.2 github:dependabot/go_modules/github.com/aws/aws-sdk-go-v2/service/securityhub-1.67.5 github:dependabot/go_modules/github.com/aws/aws-sdk-go-v2/config-1.32.10 github:dependabot/github_actions/goreleaser/goreleaser-action-7 github:lihiz_preflight github:dependabot/github_actions/golangci/golangci-lint-action-7 github:gh-pages github:aquadev
github:v0.15.0 github:v0.14.1 github:v0.14.0 github:v0.13.0 github:v0.12.0 github:v0.11.2 github:v0.11.1 github:v0.11.0 github:v0.10.7 github:v0.10.6 github:v0.10.5 github:v0.10.4 github:v0.10.3 github:v0.10.2 github:v0.10.1 github:v0.10.0 github:v0.9.4 github:v0.9.3 github:v0.9.2 github:v0.9.1 github:v0.9.0 github:v0.8.0 github:v0.7.3 github:v0.7.2 github:v0.7.1 github:v0.7.0 github:v0.6.19 github:v0.6.18 github:v0.6.18-rc github:v0.6.17 github:v0.6.16 github:v0.6.16-rc github:v0.6.15 github:v0.6.14 github:v0.6.14-rc github:v0.6.13 github:v0.6.13-rc2 github:v0.6.13-rc github:v0.6.12 github:v0.6.12-rc github:v0.6.11 github:v0.6.10 github:v0.6.9 github:v0.6.8 github:v0.6.7 github:v0.6.7-rc1 github:v0.6.6 github:v0.6.5 github:v0.6.4 github:v0.6.3 github:v0.6.2 github:0.6.1 github:v0.6.0 github:v0.5.0 github:v0.4.0 github:v0.3.1 github:v0.3.0 github:v0.2.3 github:v0.0.1-alpha.0 github:v0.2.2 github:v0.2.1 github:v0.2.0 github:v0.1.0 github:v0.0.34 github:v0.0.33 github:v0.0.32 github:v0.0.31 github:v0.0.30 github:v0.0.29 github:v0.0.27 github:V0.0.27 github:v0.0.28 github:0.0.27 github:v0.0.26 github:v0.0.25 github:v0.0.24 github:v0.0.23 github:v0.0.22 github:v0.0.21 github:v0.0.20 github:v0.0.18 github:v0.0.19 github:v0.0.17 github:v0.0.16 github:v0.0.15 github:v0.0.14 github:0.0.14 github:v0.0.13 github:v0.0.12 github:v0.0.11 github:v0.0.10 github:v0.0.9 github:v0.0.8 github:v0.0.7 github:v0.0.6 github:v0.0.5 github:v0.0.4 github:v0.0.3 github:v0.0.2 github:v0.0.1
..
compare: github:v0.6.19
Branches Tags
github:dependabot/go_modules/github.com/aws/aws-sdk-go-v2-1.41.2 github:dependabot/go_modules/github.com/aws/aws-sdk-go-v2/service/securityhub-1.67.5 github:dependabot/go_modules/github.com/aws/aws-sdk-go-v2/config-1.32.10 github:dependabot/github_actions/goreleaser/goreleaser-action-7 github:main github:lihiz_preflight github:dependabot/github_actions/golangci/golangci-lint-action-7 github:gh-pages github:aquadev
github:v0.15.0 github:v0.14.1 github:v0.14.0 github:v0.13.0 github:v0.12.0 github:v0.11.2 github:v0.11.1 github:v0.11.0 github:v0.10.7 github:v0.10.6 github:v0.10.5 github:v0.10.4 github:v0.10.3 github:v0.10.2 github:v0.10.1 github:v0.10.0 github:v0.9.4 github:v0.9.3 github:v0.9.2 github:v0.9.1 github:v0.9.0 github:v0.8.0 github:v0.7.3 github:v0.7.2 github:v0.7.1 github:v0.7.0 github:v0.6.19 github:v0.6.18 github:v0.6.18-rc github:v0.6.17 github:v0.6.16 github:v0.6.16-rc github:v0.6.15 github:v0.6.14 github:v0.6.14-rc github:v0.6.13 github:v0.6.13-rc2 github:v0.6.13-rc github:v0.6.12 github:v0.6.12-rc github:v0.6.11 github:v0.6.10 github:v0.6.9 github:v0.6.8 github:v0.6.7 github:v0.6.7-rc1 github:v0.6.6 github:v0.6.5 github:v0.6.4 github:v0.6.3 github:v0.6.2 github:0.6.1 github:v0.6.0 github:v0.5.0 github:v0.4.0 github:v0.3.1 github:v0.3.0 github:v0.2.3 github:v0.0.1-alpha.0 github:v0.2.2 github:v0.2.1 github:v0.2.0 github:v0.1.0 github:v0.0.34 github:v0.0.33 github:v0.0.32 github:v0.0.31 github:v0.0.30 github:v0.0.29 github:v0.0.27 github:V0.0.27 github:v0.0.28 github:0.0.27 github:v0.0.26 github:v0.0.25 github:v0.0.24 github:v0.0.23 github:v0.0.22 github:v0.0.21 github:v0.0.20 github:v0.0.18 github:v0.0.19 github:v0.0.17 github:v0.0.16 github:v0.0.15 github:v0.0.14 github:0.0.14 github:v0.0.13 github:v0.0.12 github:v0.0.11 github:v0.0.10 github:v0.0.9 github:v0.0.8 github:v0.0.7 github:v0.0.6 github:v0.0.5 github:v0.0.4 github:v0.0.3 github:v0.0.2 github:v0.0.1

20 Commits
v0.6.15 ... v0.6.19

Author SHA1 Message Date
chenk
55a18aed87 release: prepare-0.6.19 (#1511) 
Signed-off-by: chenk <hen.keinan@gmail.com>
 2023-10-23 10:03:22 +03:00
dependabot[bot]
7f5a2eb78b build(deps): bump docker/build-push-action from 4 to 5 (#1498) 
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 4 to 5.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v4...v5)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
 2023-10-20 19:31:35 +03:00
chenk
18f8456abd release: prepare v0.6.18 (#1509) 
Signed-off-by: chenk <hen.keinan@gmail.com>
 2023-10-17 16:28:52 +03:00
chenk
8bc4daae10 release: prepare v0.6.18-rc (#1508) 
Signed-off-by: chenk <hen.keinan@gmail.com>
 2023-10-17 11:34:53 +03:00
AnaisUrlichs
7ad0f2fee6 updates to the readme 
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
 2023-10-02 12:39:24 +03:00
dependabot[bot]
276d30ad75 build(deps): bump crazy-max/ghaction-docker-meta from 4 to 5 (#1499) 
Bumps [crazy-max/ghaction-docker-meta](https://github.com/crazy-max/ghaction-docker-meta) from 4 to 5.
- [Release notes](https://github.com/crazy-max/ghaction-docker-meta/releases)
- [Upgrade guide](https://github.com/docker/metadata-action/blob/master/UPGRADE.md)
- [Commits](https://github.com/crazy-max/ghaction-docker-meta/compare/v4...v5)

---
updated-dependencies:
- dependency-name: crazy-max/ghaction-docker-meta
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-30 19:34:22 +03:00
dependabot[bot]
e1c6c80d02 build(deps): bump golang from 1.20.6 to 1.21.1 (#1494) 
Bumps golang from 1.20.6 to 1.21.1.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-16 12:59:20 +03:00
dependabot[bot]
34ef478b41 build(deps): bump goreleaser/goreleaser-action from 4 to 5 (#1495) 
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 4 to 5.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](https://github.com/goreleaser/goreleaser-action/compare/v4...v5)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-12 08:11:27 +03:00
dependabot[bot]
3ef3e9a861 build(deps): bump alpine from 3.18.2 to 3.18.3 (#1487) 
Bumps alpine from 3.18.2 to 3.18.3.

---
updated-dependencies:
- dependency-name: alpine
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-09 21:37:29 +03:00
dependabot[bot]
d70459b77c build(deps): bump golang from 1.20.4 to 1.20.6 (#1475) 
Bumps golang from 1.20.4 to 1.20.6.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-07-28 12:12:45 +03:00
Jonas-Taha El Sesiy
20ad80577c Bump docker base images (#1465) 
During a recent CVE scan we found kube-bench to use `alpine:3.18` as the final image which has a known high CVE.

```
grype aquasec/kube-bench:v0.6.15
 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [73 packages]
 ✔ Scanning image...       [4 vulnerabilities]
   ├── 0 critical, 4 high, 0 medium, 0 low, 0 negligible
   └── 4 fixed
NAME        INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY
libcrypto3  3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
libssl3     3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
openssl     3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
```

The CVE in question was addressed in the latest [alpine release](https://www.alpinelinux.org/posts/Alpine-3.15.9-3.16.6-3.17.4-3.18.2-released.html), hence updating the dockerfiles accordingly
 2023-07-26 18:22:19 +03:00
chenk
456684462a release: prepare v0.6.17 (#1480) 
Signed-off-by: chenk <hen.keinan@gmail.com>
 2023-07-25 12:41:24 +03:00
Guille Vigil
c8cabc4b14 Update job.yaml (#1477) 
* Update job.yaml

Fix on typo for image version

* chore: sync with upstream

Signed-off-by: chenk <hen.keinan@gmail.com>

---------

Signed-off-by: chenk <hen.keinan@gmail.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
 2023-07-25 12:30:14 +03:00
chenk
8c6915c478 release: prepare v0.6.16 official (#1479) 
Signed-off-by: chenk <hen.keinan@gmail.com>
 2023-07-25 10:33:54 +03:00
chenk
9363cdf8ef release: prepare v0.6.16-rc (#1476) 
* release: prepare v0.6.16-rc

Signed-off-by: chenk <hen.keinan@gmail.com>

* release: prepare v0.6.16-rc

Signed-off-by: chenk <hen.keinan@gmail.com>

---------

Signed-off-by: chenk <hen.keinan@gmail.com>
 2023-07-24 11:01:43 +03:00
Devendra Turkar
b29ed6b6ed chore: add fips compliant images (#1473) 
For fips complaince we need to generate fips compliant images.
As part of this change, we will create new kube-bench image which will be fips compliant. Image name follows this tag pattern <version>-ubi-fips
 2023-07-24 10:02:19 +03:00
Andy Pitcher
aa16551811 Fix node.yaml - 4.1.7 and 4.1.8 audit by adding uniq (#1472) 2023-07-11 11:45:06 +03:00
Andy Pitcher
40cdc1bfbb Fix test_items in cis-1.7 - node - 4.2.12 (#1469) 
Related issue: https://github.com/aquasecurity/kube-bench/issues/1468
 2023-07-02 10:50:07 +03:00
dependabot[bot]
e2e353a81a build(deps): bump actions/setup-go from 3 to 4 (#1402) 
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
 2023-06-24 19:42:03 +03:00
dependabot[bot]
a727d73e8a build(deps): bump golang from 1.19.4 to 1.20.4 (#1436) 
Bumps golang from 1.19.4 to 1.20.4.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-06-10 18:07:26 +03:00
17 changed files with 174 additions and 97 deletions
Expand all files Collapse all files

10
.github/workflows/build.yml vendored
View File

@@ -24,7 +24,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Setup Go
uses: actions/setup-go@v3
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
- name: Checkout code
@@ -41,7 +41,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Setup Go
uses: actions/setup-go@v3
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
- name: Checkout code
@@ -57,7 +57,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Setup Go
uses: actions/setup-go@v3
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
- name: Checkout code
@@ -87,7 +87,7 @@ jobs:
needs: [e2e, unit]
steps:
- name: Setup Go
uses: actions/setup-go@v3
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
- name: Checkout code
@@ -95,7 +95,7 @@ jobs:
with:
fetch-depth: 0
- name: Dry-run release snapshot
uses: goreleaser/goreleaser-action@v4
uses: goreleaser/goreleaser-action@v5
with:
distribution: goreleaser
version: v1.7.0

25
.github/workflows/publish.yml vendored
View File

@@ -41,7 +41,7 @@ jobs:
password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
- name: Get version
id: get_version
uses: crazy-max/ghaction-docker-meta@v4
uses: crazy-max/ghaction-docker-meta@v5
with:
images: ${{ env.REP }}
tag-semver: |
@@ -49,7 +49,7 @@ jobs:
- name: Build and push - Docker/ECR
id: docker_build
uses: docker/build-push-action@v4
uses: docker/build-push-action@v5
with:
context: .
platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
@@ -67,7 +67,7 @@ jobs:
- name: Build and push ubi image - Docker/ECR
id: docker_build_ubi
uses: docker/build-push-action@v4
uses: docker/build-push-action@v5
with:
context: .
platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
@@ -83,3 +83,22 @@ jobs:
cache-to: type=local,mode=max,dest=/tmp/.buildx-cache/release
- name: Image digest
run: echo ${{ steps.docker_build.outputs.digest }}
- name: Build and push fips ubi image - Docker/ECR
id: docker_build_fips_ubi
uses: docker/build-push-action@v5
with:
context: .
platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
builder: ${{ steps.buildx.outputs.name }}
push: true
file: Dockerfile.fips.ubi
build-args: |
KUBEBENCH_VERSION=${{ steps.get_version.outputs.version }}
tags: |
${{ env.DOCKERHUB_ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi-fips
public.ecr.aws/${{ env.ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi-fips
cache-from: type=local,src=/tmp/.buildx-cache/release
cache-to: type=local,mode=max,dest=/tmp/.buildx-cache/release
- name: Image digest
run: echo ${{ steps.docker_build.outputs.digest }}

4
.github/workflows/release.yml vendored
View File

@@ -15,7 +15,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Setup Go
uses: actions/setup-go@v3
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
- name: Checkout code
@@ -44,7 +44,7 @@ jobs:
second_file_path: integration/testdata/Expected_output.data
expected_result: PASSED
- name: Release
uses: goreleaser/goreleaser-action@v4
uses: goreleaser/goreleaser-action@v5
with:
distribution: goreleaser
version: v1.7.0

4
Dockerfile
View File

@@ -1,4 +1,4 @@
FROM golang:1.19.4 AS build
FROM golang:1.21.1 AS build
WORKDIR /go/src/github.com/aquasecurity/kube-bench/
COPY makefile makefile
COPY go.mod go.sum ./
@@ -9,7 +9,7 @@ COPY internal/ internal/
ARG KUBEBENCH_VERSION
RUN make build && cp kube-bench /go/bin/kube-bench
FROM alpine:3.18 AS run
FROM alpine:3.18.3 AS run
WORKDIR /opt/kube-bench/
# add GNU ps for -C, -o cmd, and --no-headers support
# https://github.com/aquasecurity/kube-bench/issues/109

49
Dockerfile.fips.ubi Normal file
View File

@@ -0,0 +1,49 @@
FROM golang:1.21.1 AS build
WORKDIR /go/src/github.com/aquasecurity/kube-bench/
COPY makefile makefile
COPY go.mod go.sum ./
COPY main.go .
COPY check/ check/
COPY cmd/ cmd/
COPY internal/ internal/
ARG KUBEBENCH_VERSION
RUN make build-fips && cp kube-bench /go/bin/kube-bench
# ubi8-minimal base image for build with ubi standards
FROM registry.access.redhat.com/ubi8/ubi-minimal as run
RUN microdnf install -y yum findutils openssl \
&& yum -y update-minimal --security --sec-severity=Moderate --sec-severity=Important --sec-severity=Critical \
&& yum update -y \
&& yum install -y glibc \
&& yum update -y glibc \
&& yum install -y procps \
&& yum update -y procps \
&& yum install jq -y \
&& yum clean all \
&& microdnf remove yum || rpm -e -v yum \
&& microdnf clean all
WORKDIR /opt/kube-bench/
ENV PATH=$PATH:/usr/local/mount-from-host/bin
COPY LICENSE /licenses/LICENSE
COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
COPY entrypoint.sh .
COPY cfg/ cfg/
ENTRYPOINT ["./entrypoint.sh"]
CMD ["install"]
# Build-time metadata as defined at http://label-schema.org
ARG BUILD_DATE
ARG VCS_REF
LABEL org.label-schema.build-date=$BUILD_DATE \
org.label-schema.name="kube-bench" \
org.label-schema.description="Run the CIS Kubernetes Benchmark tests" \
org.label-schema.url="https://github.com/aquasecurity/kube-bench" \
org.label-schema.vcs-ref=$VCS_REF \
org.label-schema.vcs-url="https://github.com/aquasecurity/kube-bench" \
org.label-schema.schema-version="1.0"

2
Dockerfile.ubi
View File

@@ -1,4 +1,4 @@
FROM golang:1.19.4 AS build
FROM golang:1.21.1 AS build
WORKDIR /go/src/github.com/aquasecurity/kube-bench/
COPY makefile makefile
COPY go.mod go.sum ./

7
README.md
View File

@@ -24,7 +24,12 @@ Tests are configured with YAML files, making this tool easy to update as test sp
![Kubernetes Bench for Security](/docs/images/output.png "Kubernetes Bench for Security")
### Quick start
## CIS Scanning as part of Trivy and the Trivy Operator
[Trivy](https://github.com/aquasecurity/trivy), the all in one cloud native security scanner, can be deployed as a [Kubernetes Operator](https://github.com/aquasecurity/trivy-operator) inside a cluster.
Both, the [Trivy CLI](https://github.com/aquasecurity/trivy), and the [Trivy Operator](https://github.com/aquasecurity/trivy-operator) support CIS Kubernetes Benchmark scanning among several other features.
## Quick start
There are multiple ways to run kube-bench.
You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.

4
cfg/ack-1.0/node.yaml
View File

@@ -97,7 +97,7 @@ groups:
- id: 4.1.7
text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)"
audit: |
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
tests:
@@ -114,7 +114,7 @@ groups:
- id: 4.1.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
audit: |
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
tests:

4
cfg/cis-1.20/node.yaml
View File

@@ -98,7 +98,7 @@ groups:
- id: 4.1.7
text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)"
audit: |
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
tests:
@@ -115,7 +115,7 @@ groups:
- id: 4.1.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
audit: |
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
tests:

4
cfg/cis-1.23/node.yaml
View File

@@ -97,7 +97,7 @@ groups:
- id: 4.1.7
text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)"
audit: |
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
tests:
@@ -114,7 +114,7 @@ groups:
- id: 4.1.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
audit: |
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
tests:

4
cfg/cis-1.24/node.yaml
View File

@@ -97,7 +97,7 @@ groups:
- id: 4.1.7
text: "Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Manual)"
audit: |
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
tests:
@@ -114,7 +114,7 @@ groups:
- id: 4.1.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
audit: |
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
tests:

4
cfg/cis-1.5/node.yaml
View File

@@ -106,7 +106,7 @@ groups:
- id: 4.1.7
text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)"
audit: |
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
tests:
@@ -124,7 +124,7 @@ groups:
- id: 4.1.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
audit: |
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
tests:

4
cfg/cis-1.6/node.yaml
View File

@@ -98,7 +98,7 @@ groups:
- id: 4.1.7
text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)"
audit: |
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
tests:
@@ -115,7 +115,7 @@ groups:
- id: 4.1.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
audit: |
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
tests:

16
cfg/cis-1.7/node.yaml
View File

@@ -97,7 +97,7 @@ groups:
- id: 4.1.7
text: "Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Manual)"
audit: |
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
tests:
@@ -114,7 +114,7 @@ groups:
- id: 4.1.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
audit: |
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
tests:
@@ -424,16 +424,12 @@ groups:
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
bin_op: or
test_items:
- flag: RotateKubeletServerCertificate
path: '{.featureGates.RotateKubeletServerCertificate}'
- flag: --tls-cipher-suites
path: '{range .tlsCipherSuites[:]}{}{'',''}{end}'
compare:
op: nothave
value: false
- flag: RotateKubeletServerCertificate
path: '{.featureGates.RotateKubeletServerCertificate}'
set: false
op: valid_elements
value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
remediation: |
If using a Kubelet config file, edit the file to set `TLSCipherSuites` to
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256

7
fipsonly.go Normal file
View File

@@ -0,0 +1,7 @@
//go:build fipsonly
package main
import (
_ "crypto/tls/fipsonly"
)

120
job.yaml
View File

@@ -9,79 +9,77 @@ spec:
labels:
app: kube-bench
spec:
hostPID: true
containers:
- name: kube-bench
image: docker.io/aquasec/kube-bench:v0.6.15
command: ["kube-bench"]
- command: ["kube-bench"]
image: docker.io/aquasec/kube-bench:v0.6.19
name: kube-bench
volumeMounts:
- name: var-lib-etcd
mountPath: /var/lib/etcd
- mountPath: /var/lib/etcd
name: var-lib-etcd
readOnly: true
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
- mountPath: /var/lib/kubelet
name: var-lib-kubelet
readOnly: true
- name: var-lib-kube-scheduler
mountPath: /var/lib/kube-scheduler
- mountPath: /var/lib/kube-scheduler
name: var-lib-kube-scheduler
readOnly: true
- name: var-lib-kube-controller-manager
mountPath: /var/lib/kube-controller-manager
- mountPath: /var/lib/kube-controller-manager
name: var-lib-kube-controller-manager
readOnly: true
- name: etc-systemd
mountPath: /etc/systemd
- mountPath: /etc/systemd
name: etc-systemd
readOnly: true
- name: lib-systemd
mountPath: /lib/systemd/
- mountPath: /lib/systemd/
name: lib-systemd
readOnly: true
- name: srv-kubernetes
mountPath: /srv/kubernetes/
- mountPath: /srv/kubernetes/
name: srv-kubernetes
readOnly: true
- name: etc-kubernetes
mountPath: /etc/kubernetes
- mountPath: /etc/kubernetes
name: etc-kubernetes
readOnly: true
# /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
# You can omit this mount if you specify --version as part of the command.
- name: usr-bin
mountPath: /usr/local/mount-from-host/bin
- mountPath: /usr/local/mount-from-host/bin
name: usr-bin
readOnly: true
- name: etc-cni-netd
mountPath: /etc/cni/net.d/
- mountPath: /etc/cni/net.d/
name: etc-cni-netd
readOnly: true
- name: opt-cni-bin
mountPath: /opt/cni/bin/
- mountPath: /opt/cni/bin/
name: opt-cni-bin
readOnly: true
hostPID: true
restartPolicy: Never
volumes:
- name: var-lib-etcd
hostPath:
path: "/var/lib/etcd"
- name: var-lib-kubelet
hostPath:
path: "/var/lib/kubelet"
- name: var-lib-kube-scheduler
hostPath:
path: "/var/lib/kube-scheduler"
- name: var-lib-kube-controller-manager
hostPath:
path: "/var/lib/kube-controller-manager"
- name: etc-systemd
hostPath:
path: "/etc/systemd"
- name: lib-systemd
hostPath:
path: "/lib/systemd"
- name: srv-kubernetes
hostPath:
path: "/srv/kubernetes"
- name: etc-kubernetes
hostPath:
path: "/etc/kubernetes"
- name: usr-bin
hostPath:
path: "/usr/bin"
- name: etc-cni-netd
hostPath:
path: "/etc/cni/net.d/"
- name: opt-cni-bin
hostPath:
path: "/opt/cni/bin/"
- hostPath:
path: /var/lib/etcd
name: var-lib-etcd
- hostPath:
path: /var/lib/kubelet
name: var-lib-kubelet
- hostPath:
path: /var/lib/kube-scheduler
name: var-lib-kube-scheduler
- hostPath:
path: /var/lib/kube-controller-manager
name: var-lib-kube-controller-manager
- hostPath:
path: /etc/systemd
name: etc-systemd
- hostPath:
path: /lib/systemd
name: lib-systemd
- hostPath:
path: /srv/kubernetes
name: srv-kubernetes
- hostPath:
path: /etc/kubernetes
name: etc-kubernetes
- hostPath:
path: /usr/bin
name: usr-bin
- hostPath:
path: /etc/cni/net.d/
name: etc-cni-netd
- hostPath:
path: /opt/cni/bin/
name: opt-cni-bin

3
makefile
View File

@@ -39,6 +39,9 @@ build: $(BINARY)
$(BINARY): $(SOURCES)
GOOS=$(GOOS) CGO_ENABLED=0 go build -ldflags "-X github.com/aquasecurity/kube-bench/cmd.KubeBenchVersion=$(KUBEBENCH_VERSION)" -o $(BINARY) .
build-fips:
GOOS=$(GOOS) CGO_ENABLED=0 GOEXPERIMENT=boringcrypto go build -tags fipsonly -ldflags "-X github.com/aquasecurity/kube-bench/cmd.KubeBenchVersion=$(KUBEBENCH_VERSION)" -o $(BINARY) .
# builds the current dev docker version
build-docker:
docker build --build-arg BUILD_DATE=$(shell date -u +"%Y-%m-%dT%H:%M:%SZ") \