dev-sec / cis-kubernetes-benchmark
CIS Kubernetes Benchmark - InSpec Profile
Home Page: https://dev-sec.io/baselines/kubernetes/
License: Apache License 2.0
Just saw that CIS Benchmark v1.3.0 is out. It is available for Kubernetes 1.11.
Let me know if you need help with the implementation of this version :-)
I have just started using inspec to run tests against my infrastructure that is generated via terraform. Everything is working great. I output the terraform results to a JSON file, parse it to create various variables and then use those variables in my tests.
Looking at this profile, I'm not quite sure
Thanks,
inspec exec https://github.com/dev-sec/cis-kubernetes-benchmark/archive/master.zip --format json
WARN: Unresolved specs during Gem::Specification.reset: rake (>= 0)
WARN: Clearing out unresolved specs. Please report a bug if this causes problems.
/opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.0/lib/rspec/core/formatters/json_formatter.rb:56:in `encode': "\xE2" from ASCII-8BIT to UTF-8 (Encoding::UndefinedConversionError)
    from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.0/lib/rspec/core/formatters/json_formatter.rb:56:in `to_json'
    from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.0/lib/rspec/core/formatters/json_formatter.rb:56:in `close'
    from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.0/lib/rspec/core/reporter.rb:206:in `block in notify'
    from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.0/lib/rspec/core/reporter.rb:205:in `each'
    from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.0/lib/rspec/core/reporter.rb:205:in `notify'
    from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.0/lib/rspec/core/reporter.rb:238:in `close'
    from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.0/lib/rspec/core/reporter.rb:193:in `close_after'
    from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.0/lib/rspec/core/reporter.rb:171:in `finish'
    from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.0/lib/rspec/core/reporter.rb:81:in `report'
    from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.0/lib/rspec/core/runner.rb:112:in `run_specs'
    from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.45.13/lib/inspec/runner_rspec.rb:77:in `run'
    from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.45.13/lib/inspec/runner.rb:116:in `run_tests'
    from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.45.13/lib/inspec/runner.rb:100:in `run'
    from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.45.13/lib/inspec/base_cli.rb:83:in `run_tests'
    from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.45.13/lib/inspec/cli.rb:158:in `exec'
    from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/thor-0.19.1/lib/thor/command.rb:27:in `run'
    from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/thor-0.19.1/lib/thor/invocation.rb:126:in `invoke_command'
    from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/thor-0.19.1/lib/thor.rb:359:in `dispatch'
    from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'
    from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.45.13/bin/inspec:12:in `<top (required)>'
    from /usr/bin/inspec:23:in `load'
    from /usr/bin/inspec:23:in
I used the etcd cookbook to set up etcd; it seems to use only a single dash for CLI options to etcd (-data-dir instead of --data-dir). etcd does not seem to care either way.
This results in etcd_env_vars getting exercised and throwing exceptions such as:
/opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.51.21/lib/resources/platform.rb:18:in `initialize': stack level too deep (SystemStackError)
    from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.51.21/lib/inspec/plugins/resource.rb:64:in `initialize'
    from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.51.21/lib/inspec/backend.rb:80:in `new'
    from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.51.21/lib/inspec/backend.rb:80:in `block (3 levels) in create'
    from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.51.21/lib/resources/file.rb:40:in `initialize'
    from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.51.21/lib/inspec/plugins/resource.rb:64:in `initialize'
    from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.51.21/lib/inspec/backend.rb:80:in `new'
    from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.51.21/lib/inspec/backend.rb:80:in `block (3 levels) in create'
    from libraries/process_env_var.rb:38:in `read_params'
     ... 11381 levels...
    from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'
    from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.51.21/bin/inspec:12:in `<top (required)>'
    from /opt/chefdk/bin/inspec:250:in `load'
    from /opt/chefdk/bin/inspec:250:in
Time permitting I should be able to create a pull request for this soon.
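An added example, not code from the issue or the profile: a Ruby helper that resolves an etcd setting the way etcd itself does, accepting flags written with one or two dashes and falling back to the matching ETCD_* environment variable, so a check in the spirit of the 2.x controls does not report a false failure on a cookbook-started etcd. The command line, environment and setting list are constructed samples.

```ruby
# ETCD_* environment variable name for a flag, e.g. cert-file -> ETCD_CERT_FILE.
def etcd_env_name(flag)
  "ETCD_#{flag.tr('-', '_').upcase}"
end

# Resolve an etcd setting the way etcd does: a command-line flag written with one
# or two dashes ("-data-dir=x", "--data-dir x") wins, otherwise the ETCD_<NAME>
# environment variable is used. Returns nil when neither is present and 'true'
# for a bare boolean flag.
def etcd_setting(cmdline, env, name)
  argv = cmdline.split
  argv.each_with_index do |arg, i|
    m = arg.match(/\A--?#{Regexp.escape(name)}(?:=(.*))?\z/)
    next unless m
    return m[1] unless m[1].nil?                 # -name=value / --name=value
    nxt = argv[i + 1]
    return nxt if nxt && !nxt.start_with?('-')   # -name value / --name value
    return 'true'                                # bare flag such as -client-cert-auth
  end
  env[etcd_env_name(name)]
end

# Settings from the CIS 2.x etcd controls that are neither on the command line
# nor in the environment (an empty value counts as unset).
def missing_etcd_settings(cmdline, env, names)
  names.reject do |n|
    value = etcd_setting(cmdline, env, n)
    value && !value.empty?
  end
end

# Constructed sample: etcd launched by a cookbook with single-dash flags, with
# the server certificate and key supplied through the environment instead.
SAMPLE_CMD = '/usr/bin/etcd -name=node1 -data-dir /var/lib/etcd ' \
             '-client-cert-auth -peer-cert-file=/etc/etcd/peer.crt'
SAMPLE_ENV = { 'ETCD_CERT_FILE' => '/etc/etcd/server.crt',
               'ETCD_KEY_FILE' => '/etc/etcd/server.key' }.freeze
CIS_2X = %w[cert-file key-file client-cert-auth peer-cert-file peer-key-file].freeze

puts missing_etcd_settings(SAMPLE_CMD, SAMPLE_ENV, CIS_2X).inspect # ["peer-key-file"]
```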
Hi, nice work. I was working on something similar, but now I think I can leverage this tool instead!
Request:
Can you provide a bit more on how to invoke the checks more specifically than just "all"?
Can you provide guidance on your reference cluster that passes all the checks?
Thanks!
Thanks for putting this project together. Are there any plans to support testing hyperkube-based deployments?
New benchmark v1.5.0 has been released.
Is your feature request related to a problem? Please describe.
Currently this benchmark implements version 1.4.0. Let's compare the differences and implement the missing controls.
Describe the solution you'd like
Describe alternatives you've considered
n/a
Additional context
n/a
The following files reference a metadata-only audit policy in order to prevent logging request/response contents for sensitive resources:
A recent bugfix resolves logging of subresource requests, which would previously fail with an error. The serviceaccounts/token subresource responds to TokenRequest API calls with a newly minted service account token.
The serviceaccounts/token resource should also be included in the metadata-only audit policy if credentials are not intended to appear in the audit log.
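An added example (not from the issue or the profile) that checks an audit policy for the gap described above: it resolves the first matching rule for each credential-bearing resource, including the serviceaccounts/token subresource, and reports which ones would have request/response bodies written to the audit log. The two policies are constructed samples; verb, user and namespace selectors are assumed absent from the rules.

```ruby
require 'yaml'
# Resources whose request/response bodies carry credentials; the last entry is
# the TokenRequest subresource discussed above.
SENSITIVE = [['', 'secrets'], ['', 'configmaps'],
             ['authentication.k8s.io', 'tokenreviews'], ['', 'serviceaccounts/token']].freeze

# Rule matching as in the audit-policy reference: no `resources` key applies to
# everything; "pods" matches only the top-level resource, "pods/*" all of its
# subresources, "*" everything. Verb/user/namespace selectors are assumed absent.
def rule_matches?(rule, group, resource)
  return true unless rule.key?('resources')
  top = resource.split('/').first
  rule['resources'].any? do |entry|
    next false unless (entry['group'] || '') == group
    names = entry['resources'] || []
    names.empty? || names.include?('*') || names.include?(resource) || names.include?("#{top}/*")
  end
end

# Kubernetes applies the first matching rule, so walk the list in order and
# report the level each sensitive resource would be logged at ('None' if no rule).
def effective_levels(policy_yaml)
  rules = YAML.safe_load(policy_yaml)['rules'] || []
  SENSITIVE.to_h do |group, resource|
    hit = rules.find { |r| rule_matches?(r, group, resource) }
    ["#{group.empty? ? 'core' : group}/#{resource}", hit ? hit['level'] : 'None']
  end
end

# Sensitive resources whose bodies would be written to the audit log.
def leaking_bodies(policy_yaml)
  effective_levels(policy_yaml).select { |_, lvl| %w[Request RequestResponse].include?(lvl) }.keys
end

# Constructed sample policy: metadata-only for secrets/configmaps/tokenreviews,
# but the catch-all rule still records TokenRequest responses in full.
WEAK_POLICY = <<~YAML
  apiVersion: audit.k8s.io/v1
  kind: Policy
  rules:
  - level: Metadata
    resources:
    - group: ""
      resources: ["secrets", "configmaps"]
    - group: authentication.k8s.io
      resources: ["tokenreviews"]
  - level: RequestResponse
YAML
# The fix from the issue: add the subresource to the metadata-only rule.
FIXED_POLICY = WEAK_POLICY.sub('"configmaps"]', '"configmaps", "serviceaccounts/token"]')
```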
I am unable to run the InSpec.io cis-k8s-benchmark on my EKS cluster; it'd be nice to have a CLI flag to provide the cluster ARN and run the benchmark against the remote EKS cluster.
I couldn't find any information in the README.md file, maybe you have a solution in place you could share with me?
I just noticed that 1.2.0 was released last week. You can find it here. It looks like it supports Kubernetes 1.8.
I am looking at running this InSpec profile against the Azure Kubernetes Service, however I'm not sure this is actually possible. I looked at a different (closed) issue, and it states that we need to run this scan against the master/worker nodes.
However, based on the AKS documentation, I do not believe that we have access to the master. Their documentation states this:
AKS provides a single-tenant cluster master, with a dedicated API server, Scheduler, etc. You define the number and size of the nodes, and the Azure platform configures the secure communication between the cluster master and nodes. Interaction with the cluster master occurs through Kubernetes APIs, such as kubectl or the Kubernetes dashboard.
This managed cluster master means that you do not need to configure components like a highly available etcd store, but it also means that you cannot access the cluster master directly. Upgrades to Kubernetes are orchestrated through the Azure CLI or Azure portal, which upgrades the cluster master and then the nodes.
In AKS, the Kubernetes master components are part of the managed service provided by Microsoft. Each AKS cluster has its own single-tenanted, dedicated Kubernetes master to provide the API Server, Scheduler, etc. This master is managed and maintained by Microsoft.
Based on the above, we have access to the API Server endpoint and access via kubectl.
I'm curious if you know of a way to run the benchmark in this setup against the applicable checks?
Reference:
https://docs.microsoft.com/en-us/azure/aks/concepts-clusters-workloads#cluster-master
Hello and thanks for making this available!
Would definitely love to see a CHANGELOG.md. I understand the README declares the current CIS benchmark, but a changelog would be helpful for high level progress without digging into individual commits.
Thanks.
Describe the bug
Encountering various errors when executing etcd controls (2.*).
Expected behavior
I expect to receive passed/failed/skipped results based on observed system & application state.
Actual behavior
undefined method `empty?' error encountered in controls 2.1, 2.2, 2.4, & 2.5:
...
× cis-kubernetes-benchmark:2.1: Ensure that the --cert-file and --key-file arguments are set as appropriate (4 failed)
× ["/usr/bin/etcd -name=...\"] is expected to match /--cert-file=/
...
× Enviroment variables for Processes /\/usr\/bin\/etcd/ ETCD_CERT_FILE
undefined method `empty?' for #<#<Class:0x000000000443df60>:0x0000000006453908>
undefined method `empty?' for #<#<Class:0x000000000443df60>:0x0000000005d4c6a0>
× ["/usr/bin/etcd -name=...\"]" to match /--key-file=/
...
× Enviroment variables for Processes /\/usr\/bin\/etcd/ ETCD_KEY_FILE
undefined method `empty?' for #<#<Class:0x000000000443df60>:0x000000000643f250>
undefined method `empty?' for #<#<Class:0x000000000443df60>:0x0000000005d1bb18>
× cis-kubernetes-benchmark:2.2: Ensure that the --client-cert-auth argument is set to true (2 failed)
× ["/usr/bin/etcd -name=...\"]" to match /--client-cert-auth=true/
...
× Enviroment variables for Processes /\/usr\/bin\/etcd/ ETCD_CLIENT_CERT_AUTH
undefined method `empty?' for #<#<Class:0x000000000443df60>:0x0000000006125a10>
undefined method `empty?' for #<#<Class:0x000000000443df60>:0x0000000005bc9198>
...
× cis-kubernetes-benchmark:2.4: Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (4 failed)
× ["/usr/bin/etcd -name=...\"]" to match /--peer-cert-file=/
...
× Enviroment variables for Processes /\/usr\/bin\/etcd/ ETCD_PEER_CERT_FILE
undefined method `empty?' for #<#<Class:0x000000000443df60>:0x0000000006303e90>
undefined method `empty?' for #<#<Class:0x000000000443df60>:0x0000000005ba25e8>
× ["/usr/bin/etcd -name=...\"] is expected to match /--peer-key-file=/
...
× Enviroment variables for Processes /\/usr\/bin\/etcd/ ETCD_PEER_KEY_FILE
undefined method `empty?' for #<#<Class:0x000000000443df60>:0x0000000005e12378>
undefined method `empty?' for #<#<Class:0x000000000443df60>:0x0000000005b901b8>
...
The last result in each control is the issue.
Control Source Code Error encountered in control 2.7:
× cis-kubernetes-benchmark:2.7: Ensure that a unique Certificate Authority is used for etcd
× Control Source Code Error cis-kubernetes-benchmark-1.0.2/controls/2_etcd_node.rb:133
undefined local variable or method `cis_level' for #<Inspec::Rule:0x0000000005d64138>
Example code
inspec exec https://github.com/dev-sec/cis-kubernetes-benchmark/archive/1.0.2.tar.gz --color --show-progress -i ~/.ssh/id_rsa --chef-license=accept --no-create-lockfile --bastion-user=bastion_user --bastion-host=bastion.dev.com -t=ssh://[email protected]
OS / Environment
Linux ... 3.10.0-1160.15.2.el7.x86_64 #1 SMP Wed Feb 3 15:06:38 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Inspec Version
4.26.4
Baseline Version
6a960bc7872df07ee38876c5cb750f6637ff026b