Merge branch 'main' into adding-var-lib-cni-mounts

aquasecurity · Feb 11, 2024 · 0295393 · 0295393
2 parents c435be2 + 3021706
commit 0295393
Show file tree

Hide file tree

Showing 11 changed files with 162 additions and 201 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -22,7 +22,7 @@ jobs:
         id: buildx
         uses: docker/setup-buildx-action@v3
       - name: Cache Docker layers
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildxarch-${{ github.sha }}

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.21.5 AS build
+FROM golang:1.21.6 AS build
 WORKDIR /go/src/github.com/aquasecurity/kube-bench/
 COPY makefile makefile
 COPY go.mod go.sum ./
@@ -9,7 +9,7 @@ COPY internal/ internal/
 ARG KUBEBENCH_VERSION
 RUN make build && cp kube-bench /go/bin/kube-bench
 
-FROM alpine:3.18.3 AS run
+FROM alpine:3.19.0 AS run
 WORKDIR /opt/kube-bench/
 # add GNU ps for -C, -o cmd, and --no-headers support
 # https://github.com/aquasecurity/kube-bench/issues/109

diff --git a/Dockerfile.fips.ubi b/Dockerfile.fips.ubi
@@ -1,4 +1,4 @@
-FROM golang:1.21.5 AS build
+FROM golang:1.21.6 AS build
 WORKDIR /go/src/github.com/aquasecurity/kube-bench/
 COPY makefile makefile
 COPY go.mod go.sum ./
@@ -11,7 +11,7 @@ RUN make build-fips && cp kube-bench /go/bin/kube-bench
 
 
 # ubi8-minimal base image for build with ubi standards
-FROM registry.access.redhat.com/ubi8/ubi-minimal as run
+FROM registry.access.redhat.com/ubi9/ubi-minimal as run
 
 RUN microdnf install -y yum findutils openssl \
   && yum -y update-minimal --security --sec-severity=Moderate --sec-severity=Important --sec-severity=Critical \

diff --git a/Dockerfile.ubi b/Dockerfile.ubi
@@ -1,4 +1,4 @@
-FROM golang:1.21.5 AS build
+FROM golang:1.21.6 AS build
 WORKDIR /go/src/github.com/aquasecurity/kube-bench/
 COPY makefile makefile
 COPY go.mod go.sum ./
@@ -11,7 +11,7 @@ RUN make build && cp kube-bench /go/bin/kube-bench
 
 
 # ubi8-minimal base image for build with ubi standards
-FROM registry.access.redhat.com/ubi8/ubi-minimal as run
+FROM registry.access.redhat.com/ubi9/ubi-minimal as run
 
 RUN microdnf install -y yum findutils openssl \
   && yum -y update-minimal --security --sec-severity=Moderate --sec-severity=Important --sec-severity=Critical \

diff --git a/cfg/rh-1.0/etcd.yaml b/cfg/rh-1.0/etcd.yaml
@@ -67,7 +67,7 @@ groups:
                 op: eq
                 value: "1"
         remediation: |
-          This setting is managed by the cluster etcd operator. No remediation required.e
+          This setting is managed by the cluster etcd operator. No remediation required.
         scored: false
 
       - id: 2.4

diff --git a/cfg/rh-1.0/master.yaml b/cfg/rh-1.0/master.yaml
@@ -864,7 +864,6 @@ groups:
         remediation: |
           Follow the documentation for log forwarding. Forwarding logs to third party systems
           https://docs.openshift.com/container-platform/4.5/logging/cluster-logging-external.html
-
         scored: false
 
       - id: 1.2.24
@@ -1070,6 +1069,12 @@ groups:
       - id: 1.2.35
         text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)"
         type: manual
+        audit: |
+          # verify cipher suites
+          oc get cm -n openshift-authentication v4-0-config-system-cliconfig -o jsonpath='{.data.v4\-0\-config\-system\-cliconfig}' | jq .servingInfo
+          oc get kubeapiservers.operator.openshift.io cluster -o json |jq.spec.observedConfig.servingInfo
+          oc get openshiftapiservers.operator.openshift.io cluster -o json |jq.spec.observedConfig.servingInfo
+          oc describe --namespace=openshift-ingress-operator ingresscontroller/default
         remediation: |
           Verify that the tlsSecurityProfile is set to the value you chose.
           Note: The HAProxy Ingress controller image does not support TLS 1.3

diff --git a/cfg/rh-1.0/node.yaml b/cfg/rh-1.0/node.yaml
@@ -222,15 +222,12 @@ groups:
         audit: |
           for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')
           do
-            oc debug node/${node} -- chroot /host grep clientCAFile /etc/kubernetes/kubelet.conf
+            oc debug node/${node} -- chroot /host grep clientCAFile /etc/kubernetes/kubelet.conf | awk -F': ' '{ print "clientCAFile=" $2 }'
           done 2> /dev/null
         use_multiple_values: true
         tests:
           test_items:
-            - flag: "clientCAFile"
-              compare:
-                op: eq
-                value: "/etc/kubernetes/kubelet-ca.crt"
+            - flag: clientCAFile="/etc/kubernetes/kubelet-ca.crt"
         remediation: |
           None required. Changing the clientCAFile value is unsupported.
         scored: true
@@ -278,6 +275,10 @@ groups:
               compare:
                 op: noteq
                 value: 0
+            - flag: streamingConnectionIdleTimeout
+              compare:
+                op: noteq
+                value: 0s
             - flag: "exit_code"
               compare:
                 op: eq

diff --git a/cfg/rh-1.0/policies.yaml b/cfg/rh-1.0/policies.yaml
@@ -11,6 +11,12 @@ groups:
       - id: 5.1.1
         text: "Ensure that the cluster-admin role is only used where required (Manual)"
         type: "manual"
+        audit: |
+          #To get a list of users and service accounts with the cluster-admin role
+          oc get clusterrolebindings -o=customcolumns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind |
+          grep cluster-admin
+          #To verity that kbueadmin is removed, no results should be returned
+          oc get secrets kubeadmin -n kube-system
         remediation: |
           Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
           if they need this role or if they could use a role with fewer privileges.
@@ -29,6 +35,15 @@ groups:
       - id: 5.1.3
         text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
         type: "manual"
+        audit: |
+          #needs verification
+          oc get roles --all-namespaces -o yaml
+          for i in $(oc get roles -A -o jsonpath='{.items[*].metadata.name}'); do oc
+          describe clusterrole ${i}; done
+          #Retrieve the cluster	roles defined in the cluster and review	for	wildcards
+          oc get clusterroles -o yaml
+          for i in $(oc get clusterroles -o jsonpath='{.items[*].metadata.name}'); do
+          oc describe clusterrole ${i}; done
         remediation: |
           Where possible replace any use of wildcards in clusterroles and roles with specific
           objects or actions.
@@ -213,6 +228,9 @@ groups:
       - id: 5.3.2
         text: "Ensure that all Namespaces have Network Policies defined (Manual)"
         type: "manual"
+        audit: |
+          #Run the following command and review the NetworkPolicy objects created in the cluster.
+          oc -n all get networkpolicy
         remediation: |
           Follow the documentation and create NetworkPolicy objects as you need them.
         scored: false
@@ -223,6 +241,10 @@ groups:
       - id: 5.4.1
         text: "Prefer using secrets as files over secrets as environment variables (Manual)"
         type: "manual"
+        audit: |
+          #Run the following command to find references to objects which use environment variables defined from secrets.
+          oc get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind}
+          {.metadata.name} {"\n"}{end}' -A
         remediation: |
           If possible, rewrite application code to read secrets from mounted secret files, rather than
           from environment variables.
@@ -252,6 +274,10 @@ groups:
       - id: 5.7.1
         text: "Create administrative boundaries between resources using namespaces (Manual)"
         type: "manual"
+        audit: |
+          #Run the following command and review the namespaces created in the cluster.
+          oc get namespaces
+          #Ensure that these namespaces are the ones you need and are adequately administered as per your requirements.
         remediation: |
           Follow the documentation and create namespaces for objects in your deployment as you need
           them.
@@ -277,6 +303,11 @@ groups:
       - id: 5.7.4
         text: "The default namespace should not be used (Manual)"
         type: "manual"
+        audit: |
+          #Run this command to list objects in default namespace
+          oc project default
+          oc get all
+          #The only entries there should be system managed resources such as the kubernetes and openshift service
         remediation: |
           Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
           resources and that all new resources are created in a specific namespace.

diff --git a/go.mod b/go.mod
@@ -3,8 +3,8 @@ module github.com/aquasecurity/kube-bench
 go 1.21
 
 require (
-	github.com/aws/aws-sdk-go-v2 v1.18.0
-	github.com/aws/aws-sdk-go-v2/config v1.18.4
+	github.com/aws/aws-sdk-go-v2 v1.24.1
+	github.com/aws/aws-sdk-go-v2/config v1.26.6
 	github.com/aws/aws-sdk-go-v2/service/securityhub v1.29.1
 	github.com/fatih/color v1.16.0
 	github.com/golang/glog v1.2.0
@@ -15,45 +15,46 @@ require (
 	github.com/spf13/viper v1.18.2
 	github.com/stretchr/testify v1.8.4
 	gopkg.in/yaml.v2 v2.4.0
-	gorm.io/driver/postgres v1.4.6
+	gorm.io/driver/postgres v1.5.4
 	gorm.io/gorm v1.25.5
-	k8s.io/apimachinery v0.26.0
-	k8s.io/client-go v0.26.0
+	k8s.io/apimachinery v0.29.1
+	k8s.io/client-go v0.29.1
 )
 
 require (
-	github.com/aws/aws-sdk-go-v2/credentials v1.13.4 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.20 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.30 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.24 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.27 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.11.26 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.17.6 // indirect
-	github.com/aws/smithy-go v1.13.5 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.16.16 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 // indirect
+	github.com/aws/smithy-go v1.19.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
-	github.com/go-logr/logr v1.2.3 // indirect
-	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.20.0 // indirect
-	github.com/go-openapi/swag v0.19.14 // indirect
+	github.com/go-logr/logr v1.3.0 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/google/gnostic v0.5.7-v3refs // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
-	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/uuid v1.4.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
-	github.com/jackc/pgx/v5 v5.2.0 // indirect
+	github.com/jackc/pgx/v5 v5.4.3 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/mailru/easyjson v0.7.6 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
@@ -85,11 +86,11 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.26.0 // indirect
-	k8s.io/klog/v2 v2.80.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
-	k8s.io/utils v0.0.0-20221107191617-1a15be271d1d // indirect
-	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+	k8s.io/api v0.29.1 // indirect
+	k8s.io/klog/v2 v2.110.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
+	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )