From b36d983f9a985f0c33f9c6dbea24bc05c779adad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 11:56:44 +0100 Subject: [PATCH 01/43] use input instead of attribute MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In the last versions of Inspec and cinc-auditor, attribute is deprecated and input should be used. https://docs.chef.io/workstation/cookstyle/inspec_deprecations_attributehelper/ Signed-off-by: Michée Lengronne --- .../1_1_master_node_configuration_files.rb | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/controls/1_1_master_node_configuration_files.rb b/controls/1_1_master_node_configuration_files.rb index addc5c2..b29e927 100755 --- a/controls/1_1_master_node_configuration_files.rb +++ b/controls/1_1_master_node_configuration_files.rb @@ -1,14 +1,14 @@ title '1.1 Master Node: Configuration Files' -apiserver_manifest = attribute('apiserver-manifest') -controller_manager_manifest = attribute('controller_manager-manifest') -scheduler_manifest = attribute('scheduler-manifest') -etcd_manifest = attribute('etcd-manifest') -etcd_regex = Regexp.new(attribute('etcd')) -admin_conf = attribute('admin-conf') -scheduler_conf = attribute('scheduler-conf') -controller_manager_conf = attribute('controller_manager-conf') -kubernetes_pki = attribute('kubernetes-pki') +apiserver_manifest = input('apiserver-manifest') +controller_manager_manifest = input('controller_manager-manifest') +scheduler_manifest = input('scheduler-manifest') +etcd_manifest = input('etcd-manifest') +etcd_regex = Regexp.new(input('etcd')) +admin_conf = input('admin-conf') +scheduler_conf = input('scheduler-conf') +controller_manager_conf = input('controller_manager-conf') +kubernetes_pki = input('kubernetes-pki') control 'cis-kubernetes-benchmark-1.1.1' do title 'Ensure that the API server pod specification file permissions are set to 644 or more restrictive' 
From 71d8f290ae4d1ed1b7a6af7239d0504715511053 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mich=C3=A9e=20lengronne?=
Date: Wed, 12 Jan 2022 11:57:28 +0100
Subject: [PATCH 02/43] Update 1_2_master_node_api_server.rb
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Michée Lengronne
---
 controls/1_2_master_node_api_server.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/1_2_master_node_api_server.rb b/controls/1_2_master_node_api_server.rb
index b8b8740..a47b3c0 100755
--- a/controls/1_2_master_node_api_server.rb
+++ b/controls/1_2_master_node_api_server.rb
@@ -1,6 +1,6 @@
 title '1.2 Master Node: API Server'
-apiserver = attribute('apiserver')
+apiserver = input('apiserver')
 # fallback if apiserver attribute is not defined
 apiserver = kubernetes.apiserver_bin if apiserver.empty?
From c88028ff63871c265c6d38499399c30be773bf9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mich=C3=A9e=20lengronne?=
Date: Wed, 12 Jan 2022 11:57:45 +0100
Subject: [PATCH 03/43] Update 1_3_master_node_controller_manager.rb
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Michée Lengronne
---
 controls/1_3_master_node_controller_manager.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/1_3_master_node_controller_manager.rb b/controls/1_3_master_node_controller_manager.rb
index 96eb561..e3f4adf 100644
--- a/controls/1_3_master_node_controller_manager.rb
+++ b/controls/1_3_master_node_controller_manager.rb
@@ -1,6 +1,6 @@
 title '1.3 Master Node: Controller Manager'
-controller_manager = attribute('controller_manager')
+controller_manager = input('controller_manager')
 # fallback if scheduler attribute is not defined
 controller_manager = kubernetes.controllermanager_bin if controller_manager.empty?
From 0b7d15bdd4e9542998566014a3faa2faf06e71ef Mon Sep 17 00:00:00 2001
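Review bot: The context line right after the renamed assignment still reads `# fallback if apiserver attribute is not defined`, so once the code says `input('apiserver')` the comment describes an API the file no longer calls; `# fallback if the apiserver input is not defined` keeps it accurate. The same stale wording sits under the renamed line in patches 03 (on this same line), 04, 06, 07 and 08, and patch 03's copy additionally says "scheduler" where the variable is `controller_manager`. Whether an unset `input('apiserver')` returns something that answers `empty?` the way the old `attribute(...)` call did is not visible here, so the `apiserver.empty?` fallback should be re-tested against the bumped InSpec version.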
From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 11:58:01 +0100 Subject: [PATCH 04/43] Update 1_4_master_node_scheduler.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/1_4_master_node_scheduler.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/1_4_master_node_scheduler.rb b/controls/1_4_master_node_scheduler.rb index adcf4dc..357d781 100644 --- a/controls/1_4_master_node_scheduler.rb +++ b/controls/1_4_master_node_scheduler.rb @@ -1,6 +1,6 @@ title '1.4 Master Node: Scheduler' -scheduler = attribute('scheduler') +scheduler = input('scheduler') # fallback if scheduler attribute is not defined scheduler = kubernetes.scheduler_bin if scheduler.empty? From 464ffbcb3640a1a1484705dca550e063229fb441 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 11:58:20 +0100 Subject: [PATCH 05/43] Update 2_etcd_node.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/2_etcd_node.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/2_etcd_node.rb b/controls/2_etcd_node.rb index d5b4993..6935992 100755 --- a/controls/2_etcd_node.rb +++ b/controls/2_etcd_node.rb @@ -1,6 +1,6 @@ title '2 Etcd Node' -etcd_regex = Regexp.new(attribute('etcd')) +etcd_regex = Regexp.new(input('etcd')) etcd_process = processes(etcd_regex) etcd_env_vars = process_env_var(etcd_regex) From 04d64923dafe6bd4732ae9028dada70097c66d54 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 11:58:41 +0100 Subject: [PATCH 06/43] Update 3_2_control_plane_logging.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/3_2_control_plane_logging.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/controls/3_2_control_plane_logging.rb b/controls/3_2_control_plane_logging.rb index 8279642..d5cb431 100644 --- a/controls/3_2_control_plane_logging.rb +++ b/controls/3_2_control_plane_logging.rb @@ -1,6 +1,6 @@ title '3.2 Logging' -apiserver = attribute('apiserver') +apiserver = input('apiserver') # fallback if apiserver attribute is not defined apiserver = kubernetes.apiserver_bin if apiserver.empty? From 85fbc7a0a8e440eb3b83e47e5c2704f337b2bc4e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 11:59:06 +0100 Subject: [PATCH 07/43] Update 4_1_worker_node_configuration_files.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/4_1_worker_node_configuration_files.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/controls/4_1_worker_node_configuration_files.rb b/controls/4_1_worker_node_configuration_files.rb index 5e4786e..ab4f288 100755 --- a/controls/4_1_worker_node_configuration_files.rb +++ b/controls/4_1_worker_node_configuration_files.rb @@ -1,9 +1,9 @@ title '4.1.1 Worker Node: Configuration Files' -kubelet = attribute('kubelet') +kubelet = input('kubelet') # fallback if kubelet attribute is not defined kubelet = kubernetes.kubelet_bin if kubelet.empty? -kubelet_conf = attribute('kubelet-conf') +kubelet_conf = input('kubelet-conf') only_if('kubelet not found') do processes(kubelet).exists? From 774721a31526cf3da9b1c5da4082ea7f5a696d2d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 11:59:22 +0100 Subject: [PATCH 08/43] Update 4_2_worker_node_kubelet.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/4_2_worker_node_kubelet.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/controls/4_2_worker_node_kubelet.rb b/controls/4_2_worker_node_kubelet.rb index f3769b1..75fb6db 100755 --- a/controls/4_2_worker_node_kubelet.rb +++ b/controls/4_2_worker_node_kubelet.rb @@ -1,6 +1,6 @@ title '4.2 Worker Node: Kubelet' -kubelet = attribute('kubelet') +kubelet = input('kubelet') # fallback if kubelet attribute is not defined kubelet = kubernetes.kubelet_bin if kubelet.empty? From eef711316c7f721052e4632fccb588a6e2d47990 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 12:00:01 +0100 Subject: [PATCH 09/43] Update 5_2_policies_pod_security_policies.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/5_2_policies_pod_security_policies.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/5_2_policies_pod_security_policies.rb b/controls/5_2_policies_pod_security_policies.rb index 1740bdb..62d8dbf 100755 --- a/controls/5_2_policies_pod_security_policies.rb +++ b/controls/5_2_policies_pod_security_policies.rb @@ -1,4 +1,4 @@ -cis_level = attribute('cis_level') +cis_level = input('cis_level') title '5.2 Policies: Pod Security Policies' From 0ce3377d143edba143c83bab1f729142f6089d31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 12:01:07 +0100 Subject: [PATCH 10/43] Update 5_3_policies_network_policies_and_cni.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/5_3_policies_network_policies_and_cni.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/5_3_policies_network_policies_and_cni.rb b/controls/5_3_policies_network_policies_and_cni.rb index 7ff01d9..803fbe4 100644 --- a/controls/5_3_policies_network_policies_and_cni.rb +++ b/controls/5_3_policies_network_policies_and_cni.rb 
@@ -1,4 +1,4 @@ -cis_level = attribute('cis_level') +cis_level = input('cis_level') title '5.3 Policies: Network Policies and CNI' From 1c91b391b3a9d2f34099c98517e5a9be56232ae5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 12:01:22 +0100 Subject: [PATCH 11/43] Update 5_4_policies_secrets_management.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/5_4_policies_secrets_management.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/5_4_policies_secrets_management.rb b/controls/5_4_policies_secrets_management.rb index a5be887..419ce1d 100644 --- a/controls/5_4_policies_secrets_management.rb +++ b/controls/5_4_policies_secrets_management.rb @@ -1,4 +1,4 @@ -cis_level = attribute('cis_level') +cis_level = input('cis_level') title '5.4 Policies: Secrets Management' From 1689138ddf728154e88390ad25d366b972bfc7d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 12:01:37 +0100 Subject: [PATCH 12/43] Update 5_5_policies_extensible_admission_control.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/5_5_policies_extensible_admission_control.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/5_5_policies_extensible_admission_control.rb b/controls/5_5_policies_extensible_admission_control.rb index 3fdf611..0d4630f 100644 --- a/controls/5_5_policies_extensible_admission_control.rb +++ b/controls/5_5_policies_extensible_admission_control.rb @@ -1,4 +1,4 @@ -cis_level = attribute('cis_level') +cis_level = input('cis_level') title '5.5 Policies: Extensible Admission Control' From 0c670f3dbf4c6007aea3602238e1c76ce4f3c4e6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Mich=C3=A9e=20lengronne?=
Date: Wed, 12 Jan 2022 12:01:56 +0100
Subject: [PATCH 13/43] Update 5_6_policies_general_policies.rb
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Michée Lengronne
---
 controls/5_6_policies_general_policies.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/5_6_policies_general_policies.rb b/controls/5_6_policies_general_policies.rb
index aaa57b5..456be13 100644
--- a/controls/5_6_policies_general_policies.rb
+++ b/controls/5_6_policies_general_policies.rb
@@ -1,4 +1,4 @@
-cis_level = attribute('cis_level')
+cis_level = input('cis_level')
 title '5.6 Policies: General Policies'
From 8b792689175e51a871a7e97f630445214ce11743 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mich=C3=A9e=20lengronne?=
Date: Wed, 12 Jan 2022 12:34:31 +0100
Subject: [PATCH 14/43] Update inspec.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Michée Lengronne
---
 inspec.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inspec.yml b/inspec.yml
index ac3a21a..f88c928 100755
--- a/inspec.yml
+++ b/inspec.yml
@@ -7,7 +7,7 @@ copyright_email: kvlaardingerbroek@schubergphilis.com
 license: Apache-2.0
 summary: An InSpec Compliance profile for the CIS Kubernetes Benchmark
 version: 1.0.2
-inspec_version: '>= 2.3.5'
+inspec_version: '>= 4.6.3'
 supports:
 - platform-family: unix
 attributes:
From 5e536b26cf18e3ae2996a11c8936da92d8700f71 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mich=C3=A9e=20lengronne?=
Date: Wed, 12 Jan 2022 13:00:42 +0100
Subject: [PATCH 15/43] Create test.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Michée Lengronne
---
 .github/workflows/test.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 .github/workflows/test.yml
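Review bot: `inspec_version` is raised to `'>= 4.6.3'`, but the context line `attributes:` just below shows the profile metadata still declares its inputs under the key that the same InSpec generation deprecated in favour of `inputs:`; if the point of the series is to silence the attribute deprecation, this key needs renaming as well (`inputs:`). The body of that section lies outside the hunk, so whether the individual entries need changes cannot be judged here.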
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 0000000..33f4a5c
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,27 @@
+name: Test
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+ schedule:
+ - cron: '0 6 * * *'
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ ruby-version: ['2.6', '2.7', '3.0']
+
+ steps:
+ - uses: actions/checkout@v2
+ - name: Set up Ruby
+ uses: ruby/setup-ruby@v1
+ with:
+ ruby-version: ${{ matrix.ruby-version }}
+ bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+ - name: Run tests
+ run: bundle exec rake
From a968559c624acd9984c3fa67fa3cfd20bc4cb56c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mich=C3=A9e=20lengronne?=
Date: Wed, 12 Jan 2022 13:01:14 +0100
Subject: [PATCH 16/43] Update Rakefile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Michée Lengronne
---
 Rakefile | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/Rakefile b/Rakefile
index 7dd39b5..7b611cd 100644
--- a/Rakefile
+++ b/Rakefile
@@ -1,3 +1,6 @@
+#!/usr/bin/env rake
+# frozen_string_literal: true
+
 require 'rake/testtask'
 require 'rubocop/rake_task'
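Review bot: Both actions are pulled by mutable tags, `uses: actions/checkout@v2` and `uses: ruby/setup-ruby@v1`, so whatever those tags point to at run time executes in this repository's CI with no diff here to review; pin each to a full commit SHA and keep the tag as a trailing comment. The workflow also declares no `permissions:` block, so the job token gets the repository default instead of the read-only scope a test job needs; add a top-level `permissions:` with `contents: read`. `bundler-cache: true` only works with a committed Gemfile.lock, which does not appear anywhere in this series.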
@@ -17,23 +20,30 @@ task default: [:lint, 'test:check']
 namespace :test do
 # run inspec check to verify that the profile is properly configured
 task :check do
- dir = File.join(File.dirname(__FILE__))
- sh("bundle exec inspec check #{dir}")
+ require 'inspec'
+ puts "Checking profile with InSpec Version: #{Inspec::VERSION}"
+ profile = Inspec::Profile.for_target('.', backend: Inspec::Backend.create(Inspec::Config.mock))
+ pp profile.check
 end
 end
-# Automatically generate a changelog for this project. Only loaded if
-# the necessary gem is installed. By default its picking up the version from
-# inspec.yml. You can override that behavior with s`rake changelog to=1.2.0`
-begin
+task :changelog do
+ # Automatically generate a changelog for this project. Only loaded if
+ # the necessary gem is installed. By default its picking up the version from
+ # inspec.yml. You can override that behavior with `rake changelog to=1.2.0`
+
 require 'yaml'
 metadata = YAML.load_file('inspec.yml')
 v = ENV['to'] || metadata['version']
- puts "Generate changelog for version #{v}"
+ puts " * Generating changelog for version #{v}"
 require 'github_changelog_generator/task'
 GitHubChangelogGenerator::RakeTask.new :changelog do |config|
 config.future_release = v
+ config.user = 'dev-sec'
+ config.project = 'ssh-baseline'
 end
+ Rake::Task[:changelog].execute
 rescue LoadError
 puts '>>>>> GitHub Changelog Generator not loaded, omitting tasks'
+
 end
From 5959b2764f3ecf9397478e3666a0daaa6a116d8b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mich=C3=A9e=20lengronne?=
Date: Wed, 12 Jan 2022 13:14:42 +0100
Subject: [PATCH 17/43] Update Rakefile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Michée Lengronne
---
 Rakefile | 22 ----------------------
 1 file changed, 22 deletions(-)
diff --git a/Rakefile b/Rakefile
index 7b611cd..ed8b932 100644
--- a/Rakefile
+++ b/Rakefile
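Review bot: `pp profile.check` only prints the result hash, so `rake test:check` — and with it `bundle exec rake`, whose default task lists `test:check` — succeeds even when the profile has errors; the replaced `sh("bundle exec inspec check #{dir}")` failed on a non-zero exit, and that gate is lost. Keep the result and fail on it: `result = profile.check`, `pp result`, `abort 'inspec check reported errors' unless result[:summary][:valid]` — the exact layout of the hash that `Inspec::Profile#check` returns should be confirmed against the InSpec version the Gemfile ends up resolving. Loading InSpec in-process also means the task now depends on the `inspec` library being in the bundle, which the comment above the task should state.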
@@ -1,4 +1,3 @@
-#!/usr/bin/env rake
 # frozen_string_literal: true
 require 'rake/testtask'
@@ -26,24 +25,3 @@ namespace :test do
 pp profile.check
 end
 end
-
-task :changelog do
- # Automatically generate a changelog for this project. Only loaded if
- # the necessary gem is installed. By default its picking up the version from
- # inspec.yml. You can override that behavior with `rake changelog to=1.2.0`
-
- require 'yaml'
- metadata = YAML.load_file('inspec.yml')
- v = ENV['to'] || metadata['version']
- puts " * Generating changelog for version #{v}"
- require 'github_changelog_generator/task'
- GitHubChangelogGenerator::RakeTask.new :changelog do |config|
- config.future_release = v
- config.user = 'dev-sec'
- config.project = 'ssh-baseline'
- end
- Rake::Task[:changelog].execute
-rescue LoadError
- puts '>>>>> GitHub Changelog Generator not loaded, omitting tasks'
-
-end
From 9beb7bc51ff893ad4c36bfebc880c5b6dbeb0464 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mich=C3=A9e=20lengronne?=
Date: Wed, 12 Jan 2022 14:10:21 +0100
Subject: [PATCH 18/43] Update Gemfile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Michée Lengronne
---
 Gemfile | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/Gemfile b/Gemfile
index 311912b..a076fc4 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,11 +1,18 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
-gem 'highline', '~> 1.6.0'
-gem 'inspec', '~> 3'
-gem 'rack', '>= 1.6.11'
+gem 'highline'
+gem 'rack'
 gem 'rake'
-gem 'rubocop', '~> 0.49.0'
+gem 'rubocop'
 group :tools do
- gem 'github_changelog_generator', '~> 1.12.0'
+ gem 'github_changelog_generator'
+ gem 'pry-coolline'
+end
+
+source 'https://packagecloud.io/cinc-project/stable' do
+ gem 'chef-config'
+ gem 'cinc-auditor-bin'
 end
From 6e7ef4813cc38099698c74c69297b83cfdcf8190 Mon Sep 17 00:00:00 2001
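Review bot: Every version constraint is removed (`gem 'highline'`, `gem 'rack'`, `gem 'rubocop'`, `gem 'github_changelog_generator'`), including the `'>= 1.6.11'` floor on rack, which read as a deliberate minimum rather than a pin, and no Gemfile.lock appears in this series, so each `bundle install` resolves to whatever is newest at that moment. Keep at least a pessimistic constraint on the tools the Rakefile and .rubocop.yml depend on, or commit the lockfile with this change so the `bundler-cache: true` step in test.yml has something to cache. `gem 'inspec', '~> 3'` is dropped while the Rakefile still does `require 'inspec'`; whether `cinc-auditor-bin` from the new `source 'https://packagecloud.io/cinc-project/stable' do … end` block supplies that library is not visible here and should be confirmed. The block form of `source` is the right shape, since it scopes `chef-config` and `cinc-auditor-bin` to that host and leaves the other gems on rubygems.org; a one-line comment above the block saying why the second source is needed would help the next reader.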
From: =?UTF-8?q?Mich=C3=A9e=20lengronne?=
Date: Wed, 12 Jan 2022 14:12:50 +0100
Subject: [PATCH 19/43] Update .rubocop.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Michée Lengronne
---
 .rubocop.yml | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/.rubocop.yml b/.rubocop.yml
index 7c8f0bd..e836519 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -1,9 +1,10 @@
 ---
+AllCops:
+ Exclude:
+ - vendor/**/*
 Documentation:
 Enabled: false
-AlignParameters:
- Enabled: true
-Encoding:
+Layout/ParameterAlignment:
 Enabled: true
 HashSyntax:
 Enabled: true
@@ -11,16 +12,25 @@ LineLength:
 Enabled: false
 EmptyLinesAroundBlockBody:
 Enabled: false
+Style/Encoding:
+ Enabled: false
 MethodLength:
 Max: 40
+NumericLiterals:
+ MinDigits: 10
 Metrics/BlockLength:
- Max: 30
+ Max: 45 # needed for 6.1.1
 Metrics/CyclomaticComplexity:
 Max: 10
 Metrics/PerceivedComplexity:
 Max: 10
 Metrics/AbcSize:
- Max: 29
-Style/MethodMissing:
- Exclude:
- - 'libraries/process_env_var.rb'
+ Max: 30
+# Lint/AmbiguousBlockAssociation is incompatible with RSpec
+# https://github.com/rubocop-hq/rubocop/issues/4222
+Lint/AmbiguousBlockAssociation:
+ Enabled: false
+Lint/AmbiguousRegexpLiteral:
+ Enabled: false
+Style/NumericPredicate:
+ Enabled: false
From 32950d8e9063f80e5b9f457a71ac4174a60bf71f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mich=C3=A9e=20lengronne?=
Date: Wed, 12 Jan 2022 14:15:38 +0100
Subject: [PATCH 20/43] Update 1_1_master_node_configuration_files.rb
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Michée Lengronne
---
 controls/1_1_master_node_configuration_files.rb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/controls/1_1_master_node_configuration_files.rb b/controls/1_1_master_node_configuration_files.rb
index b29e927..740075a 100755
--- a/controls/1_1_master_node_configuration_files.rb
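Review bot: The new entries mix department-qualified cop names (`Layout/ParameterAlignment`, `Style/Encoding`, `Lint/AmbiguousBlockAssociation`) with the bare form (`NumericLiterals`, plus the retained `Documentation`, `HashSyntax`, `LineLength`, `EmptyLinesAroundBlockBody`, `MethodLength`), which current RuboCop releases warn about on every run; since the Gemfile change in this series drops the rubocop pin, a current release is what will read this file, so qualify them all (`Style/NumericLiterals`, `Style/Documentation`, `Style/HashSyntax`, `Layout/LineLength`, `Layout/EmptyLinesAroundBlockBody`, `Metrics/MethodLength`). `Max: 45 # needed for 6.1.1` cites a control number that matches nothing visible in this series, whose controls are numbered 1.x through 5.x, so the comment should name the block it actually accommodates.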
+++ b/controls/1_1_master_node_configuration_files.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + title '1.1 Master Node: Configuration Files' apiserver_manifest = input('apiserver-manifest') From 86795d5d6a60fa5930d47324b5efecebbd5016f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:15:53 +0100 Subject: [PATCH 21/43] Update 1_2_master_node_api_server.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/1_2_master_node_api_server.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/controls/1_2_master_node_api_server.rb b/controls/1_2_master_node_api_server.rb index a47b3c0..716009c 100755 --- a/controls/1_2_master_node_api_server.rb +++ b/controls/1_2_master_node_api_server.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + title '1.2 Master Node: API Server' apiserver = input('apiserver') From 36ef970d964347192d36749e9dee8201f70d3e70 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:16:06 +0100 Subject: [PATCH 22/43] Update 1_3_master_node_controller_manager.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/1_3_master_node_controller_manager.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/controls/1_3_master_node_controller_manager.rb b/controls/1_3_master_node_controller_manager.rb index e3f4adf..7eeac71 100644 --- a/controls/1_3_master_node_controller_manager.rb +++ b/controls/1_3_master_node_controller_manager.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + title '1.3 Master Node: Controller Manager' controller_manager = input('controller_manager') From 40627d8fc39c7ecfc8884b0ccc0b1e73c9745129 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:16:18 +0100 Subject: [PATCH 23/43] Update 1_4_master_node_scheduler.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/1_4_master_node_scheduler.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/controls/1_4_master_node_scheduler.rb b/controls/1_4_master_node_scheduler.rb index 357d781..49438b8 100644 --- a/controls/1_4_master_node_scheduler.rb +++ b/controls/1_4_master_node_scheduler.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + title '1.4 Master Node: Scheduler' scheduler = input('scheduler') From a991c66ca513e03d60e881d93a6fffdb75663981 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:16:31 +0100 Subject: [PATCH 24/43] Update 2_etcd_node.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/2_etcd_node.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/controls/2_etcd_node.rb b/controls/2_etcd_node.rb index 6935992..883e6a4 100755 --- a/controls/2_etcd_node.rb +++ b/controls/2_etcd_node.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + title '2 Etcd Node' etcd_regex = Regexp.new(input('etcd')) From 28b7e27dea586c3fcacf4f3c7a82b5e5d4a16d0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:16:44 +0100 Subject: [PATCH 25/43] Update 3_1_control_plane_authn_and_authz.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/3_1_control_plane_authn_and_authz.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/controls/3_1_control_plane_authn_and_authz.rb b/controls/3_1_control_plane_authn_and_authz.rb index aa79bd2..d4e1d4b 100644 --- a/controls/3_1_control_plane_authn_and_authz.rb +++ b/controls/3_1_control_plane_authn_and_authz.rb 
@@ -1,3 +1,5 @@ +# frozen_string_literal: true + title '3.1 Control Plane Configuration' control 'cis-kubernetes-benchmark-3.1.1' do From dfd29cc5238bdbe19d6af358ac93a4be109e5524 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:16:56 +0100 Subject: [PATCH 26/43] Update 3_2_control_plane_logging.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/3_2_control_plane_logging.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/controls/3_2_control_plane_logging.rb b/controls/3_2_control_plane_logging.rb index d5cb431..fd890d2 100644 --- a/controls/3_2_control_plane_logging.rb +++ b/controls/3_2_control_plane_logging.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + title '3.2 Logging' apiserver = input('apiserver') From 2e9cb5cef2abb3969888f2a780c0ff271061dc1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:17:08 +0100 Subject: [PATCH 27/43] Update 4_1_worker_node_configuration_files.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/4_1_worker_node_configuration_files.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/controls/4_1_worker_node_configuration_files.rb b/controls/4_1_worker_node_configuration_files.rb index ab4f288..0378288 100755 --- a/controls/4_1_worker_node_configuration_files.rb +++ b/controls/4_1_worker_node_configuration_files.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + title '4.1.1 Worker Node: Configuration Files' kubelet = input('kubelet') From 66e58c8a8fa0cd6ef014a793bfa65e5353e5b53f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:17:21 +0100 Subject: [PATCH 28/43] Update 4_2_worker_node_kubelet.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Michée Lengronne --- controls/4_2_worker_node_kubelet.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/controls/4_2_worker_node_kubelet.rb b/controls/4_2_worker_node_kubelet.rb index 75fb6db..ec6ed19 100755 --- a/controls/4_2_worker_node_kubelet.rb +++ b/controls/4_2_worker_node_kubelet.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + title '4.2 Worker Node: Kubelet' kubelet = input('kubelet') From e0a159dc41ecfc8135836995410b86fe61089a29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:17:36 +0100 Subject: [PATCH 29/43] Update 5_1_policies_rbac_and_service_accounts.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/5_1_policies_rbac_and_service_accounts.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/controls/5_1_policies_rbac_and_service_accounts.rb b/controls/5_1_policies_rbac_and_service_accounts.rb index 42d479a..e89c80f 100755 --- a/controls/5_1_policies_rbac_and_service_accounts.rb +++ b/controls/5_1_policies_rbac_and_service_accounts.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + title '5.1 Policies: RBAC and Service Accounts' control 'cis-kubernetes-benchmark-5.1.1' do From 1e9453d333daf80fa70d8ec4edb2dbf02412fc65 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:17:49 +0100 Subject: [PATCH 30/43] Update 5_2_policies_pod_security_policies.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/5_2_policies_pod_security_policies.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/controls/5_2_policies_pod_security_policies.rb b/controls/5_2_policies_pod_security_policies.rb index 62d8dbf..df06c46 100755 --- a/controls/5_2_policies_pod_security_policies.rb +++ b/controls/5_2_policies_pod_security_policies.rb 
@@ -1,3 +1,5 @@ +# frozen_string_literal: true + cis_level = input('cis_level') title '5.2 Policies: Pod Security Policies' From 995cd4d7b3871b94119074028352e747346681ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:18:07 +0100 Subject: [PATCH 31/43] Update 5_3_policies_network_policies_and_cni.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/5_3_policies_network_policies_and_cni.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/controls/5_3_policies_network_policies_and_cni.rb b/controls/5_3_policies_network_policies_and_cni.rb index 803fbe4..c84ee7e 100644 --- a/controls/5_3_policies_network_policies_and_cni.rb +++ b/controls/5_3_policies_network_policies_and_cni.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + cis_level = input('cis_level') title '5.3 Policies: Network Policies and CNI' From 2eaf484960cf6bb150ccafb331bc08e9ec15d7d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:18:20 +0100 Subject: [PATCH 32/43] Update 5_4_policies_secrets_management.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/5_4_policies_secrets_management.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/controls/5_4_policies_secrets_management.rb b/controls/5_4_policies_secrets_management.rb index 419ce1d..c51e5c3 100644 --- a/controls/5_4_policies_secrets_management.rb +++ b/controls/5_4_policies_secrets_management.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + cis_level = input('cis_level') title '5.4 Policies: Secrets Management' From 173f75415ac3cb1557f0e1c54a36863621907bf2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:18:32 +0100 Subject: [PATCH 33/43] Update 5_5_policies_extensible_admission_control.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/5_5_policies_extensible_admission_control.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/controls/5_5_policies_extensible_admission_control.rb b/controls/5_5_policies_extensible_admission_control.rb index 0d4630f..d99bcd5 100644 --- a/controls/5_5_policies_extensible_admission_control.rb +++ b/controls/5_5_policies_extensible_admission_control.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + cis_level = input('cis_level') title '5.5 Policies: Extensible Admission Control' From 01dbcb0e9835f52aa83d6fe0ad4fcc7fa9232574 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:18:44 +0100 Subject: [PATCH 34/43] Update 5_6_policies_general_policies.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/5_6_policies_general_policies.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/controls/5_6_policies_general_policies.rb b/controls/5_6_policies_general_policies.rb index 456be13..7263c9b 100644 --- a/controls/5_6_policies_general_policies.rb +++ b/controls/5_6_policies_general_policies.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + cis_level = input('cis_level') title '5.6 Policies: General Policies' From 5430456bca06efef9509e1cf4be1a9c20214106a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:20:39 +0100 Subject: [PATCH 35/43] Update kubernetes.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- libraries/kubernetes.rb | 1 + 1 file changed, 1 insertion(+) 
diff --git a/libraries/kubernetes.rb b/libraries/kubernetes.rb index 0132fe7..7a9682e 100644 --- a/libraries/kubernetes.rb +++ b/libraries/kubernetes.rb @@ -3,6 +3,7 @@ class Kubernetes < Inspec.resource(1) desc 'Custom resource which abstracts the various kubernetes runtimes like hyperkube' def initialize + super @is_hyperkube = inspec.file('/usr/bin/hyperkube').file? Log.debug("The kubernetes installation uses hyperkube: #{@is_hyperkube}") end From bc9fafd97ece6b912e45c8673073d808a0136b73 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:27:04 +0100 Subject: [PATCH 36/43] Update process_env_var.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- libraries/process_env_var.rb | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libraries/process_env_var.rb b/libraries/process_env_var.rb index a1b18af..6e60c10 100644 --- a/libraries/process_env_var.rb +++ b/libraries/process_env_var.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + class ProcessEnvVar < Inspec.resource(1) name 'process_env_var' desc 'Custom resource to lookup environment variables for a process' @@ -8,14 +10,19 @@ class ProcessEnvVar < Inspec.resource(1) " def initialize(process) + super @process = inspec.processes(process) end + def respond_to_missing?(name, include_private) + Log.debug("Missing #{name.to_s}") + end + def method_missing(name) read_params[name.to_s] || '' end - def read_params + def params return @params if defined?(@params) @file = inspec.file("/proc/#{@process.pids.first}/environ") From 6d3e666ffcfee8e31a9b4bb67a5a3f768185fe8f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:29:40 +0100 Subject: [PATCH 37/43] Update kubernetes.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
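Review bot: In the `@@ -8,14 +10,19 @@` hunk of process_env_var.rb the lookup method is renamed from `read_params` to `params`, but the unchanged `method_missing` right above it still calls `read_params`, so that call now resolves through `method_missing` itself and the first environment-variable lookup recurses until SystemStackError. Either keep the old name or change the lookup to `params[name.to_s] || ''`. The new `respond_to_missing?` also returns whatever `Log.debug` returns rather than a boolean and never defers to `super`; `params.key?(name.to_s) || super` would answer honestly. The enclosing class and the body of the lookup method continue outside the hunk; since this same patch adds `# frozen_string_literal: true`, it is worth confirming that body builds its strings without in-place mutation.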
Signed-off-by: Michée Lengronne --- libraries/kubernetes.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libraries/kubernetes.rb b/libraries/kubernetes.rb index 7a9682e..e1fc28d 100644 --- a/libraries/kubernetes.rb +++ b/libraries/kubernetes.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + class Kubernetes < Inspec.resource(1) name 'kubernetes' desc 'Custom resource which abstracts the various kubernetes runtimes like hyperkube' From 2991766157623aa26e0865443ca2d5f9460f166b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:30:22 +0100 Subject: [PATCH 38/43] Update process_env_var.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- libraries/process_env_var.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libraries/process_env_var.rb b/libraries/process_env_var.rb index 6e60c10..c5b7434 100644 --- a/libraries/process_env_var.rb +++ b/libraries/process_env_var.rb @@ -14,10 +14,10 @@ def initialize(process) @process = inspec.processes(process) end - def respond_to_missing?(name, include_private) - Log.debug("Missing #{name.to_s}") + def respond_to_missing?(name) + Log.debug("Missing #{name}") end - + def method_missing(name) read_params[name.to_s] || '' end From 38784459b2fa42bd9fe4bacd462a023c1570c00c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:31:59 +0100 Subject: [PATCH 39/43] Update process_env_var.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- libraries/process_env_var.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libraries/process_env_var.rb b/libraries/process_env_var.rb index c5b7434..79b69e8 100644 --- a/libraries/process_env_var.rb +++ b/libraries/process_env_var.rb 
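Review bot: `respond_to_missing?(name)` in the process_env_var.rb hunk takes a single parameter, but Ruby's `respond_to?` always invokes it with two arguments (name and include_all), so any `respond_to?` probe for an undefined method on this resource now raises ArgumentError instead of answering. Restore the second parameter with a default, `def respond_to_missing?(name, include_all = false)`, and return a boolean such as `read_params.key?(name.to_s) || super` rather than the return value of `Log.debug`. The `method_missing` below it is unchanged context and still calls `read_params`; the class continues outside the hunk.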
@@ -10,7 +10,7 @@ class ProcessEnvVar < Inspec.resource(1) " def initialize(process) - super + super(process) @process = inspec.processes(process) end From 3f34c5fc3a50ce91b80a5d5b96d2f3b5b9924986 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:35:05 +0100 Subject: [PATCH 40/43] Update process_env_var.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- libraries/process_env_var.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/libraries/process_env_var.rb b/libraries/process_env_var.rb index 79b69e8..682ff8e 100644 --- a/libraries/process_env_var.rb +++ b/libraries/process_env_var.rb @@ -10,7 +10,6 @@ class ProcessEnvVar < Inspec.resource(1) " def initialize(process) - super(process) @process = inspec.processes(process) end From b8c3bea19d7d07692a3e04cf44217a0f3a5d746a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:38:19 +0100 Subject: [PATCH 41/43] Update process_env_var.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- libraries/process_env_var.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/libraries/process_env_var.rb b/libraries/process_env_var.rb index 682ff8e..c5b7434 100644 --- a/libraries/process_env_var.rb +++ b/libraries/process_env_var.rb @@ -10,6 +10,7 @@ class ProcessEnvVar < Inspec.resource(1) " def initialize(process) + super @process = inspec.processes(process) end From bec3a9686daac7921f9bcc0e18d436203d5637eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:46:19 +0100 Subject: [PATCH 42/43] Update process_env_var.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- libraries/process_env_var.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/libraries/process_env_var.rb b/libraries/process_env_var.rb index c5b7434..e6369ae 100644 --- a/libraries/process_env_var.rb +++ b/libraries/process_env_var.rb @@ -9,8 +9,10 @@ class ProcessEnvVar < Inspec.resource(1) end " + # As described here https://github.com/inspec/inspec/blob/main/lib/inspec/resource.rb#L111 + # Inspec has a weird behaviour concerning super + # rubocop:disable Lint/MissingSuper def initialize(process) - super @process = inspec.processes(process) end From 500c84d8c569986d33a08fba72287c8b1abf6542 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 14:48:16 +0100 Subject: [PATCH 43/43] Update process_env_var.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- libraries/process_env_var.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/libraries/process_env_var.rb b/libraries/process_env_var.rb index e6369ae..e6b315a 100644 --- a/libraries/process_env_var.rb +++ b/libraries/process_env_var.rb @@ -15,6 +15,7 @@ class ProcessEnvVar < Inspec.resource(1) def initialize(process) @process = inspec.processes(process) end + # rubocop:enable Lint/MissingSuper def respond_to_missing?(name) Log.debug("Missing #{name}")
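Review bot: The comment that justifies `rubocop:disable Lint/MissingSuper` (added in the previous hunk of this file, `@@ -9,8 +9,10 @@`) says only that InSpec has "a weird behaviour concerning super" and links to a line number on `main`, which will drift; the next reader needs the concrete reason that patches 39–41 on this page were chasing. A comment along the lines of `# A bare super here would forward the process argument to the base resource initializer, which is not what Inspec.resource expects — see <pinned InSpec tag or SHA>, lib/inspec/resource.rb — so Lint/MissingSuper is silenced on purpose.` states it, with the link pinned to a release rather than `main#L111`; the exact base-class behaviour is my inference from the back-and-forth in the series and should be confirmed against the linked code. Note that kubernetes.rb (patch 35 on this page) keeps a bare `super` inside a zero-argument `initialize`, which forwards nothing and so is a different case; a one-line comment there would stop someone "fixing" it the same way. The `# rubocop:enable` line in this hunk correctly closes the region immediately after `end`.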