Commit Graph

453 Commits

Author SHA1 Message Date
Andy Pitcher 9916954324
fix: 4.2.4 (read-only-port) change test and remediation to reflect k3s' new default
---
K3s enforces by default --read-only-port to 0, so we only verify the presence of --read-only-port=0.
2025-10-13 21:41:17 +02:00
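The commit above distinguishes two readings of CIS 4.2.4: the generic wording ("if defined, --read-only-port must be 0") and the K3s profile's stricter expectation that --read-only-port=0 is actually present on the kubelet command line. The following is an added example of that decision logic, not code from the compliance-operator or kube-bench profiles; the policy names if_defined and strict, the function names and the sample command lines are all constructed for illustration. It also checks the readOnlyPort key of a kubelet config file, since a command-line flag overrides the file and a compliant file alone is not sufficient evidence.

```shell
# Added example for CIS 4.2.4 (kubelet --read-only-port); not project code.
#   if_defined : generic CIS wording, pass when the flag is absent or equals 0
#   strict     : K3s profile stance, pass only when --read-only-port=0 is present
# kubelet flags override the config file, so check both and trust the flag.

decide_read_only_port() {          # usage: decide_read_only_port <policy> <value>
  policy="$1"; value="$2"
  if [ -z "$value" ]; then
    [ "$policy" = "if_defined" ] && return 0   # absent: only lenient policy passes
    return 1
  fi
  [ "$value" = "0" ] && return 0
  return 1
}

# Extract the value from a kubelet argv string; handles --flag=V and --flag V.
read_only_port_from_args() {
  prev=""; value=""
  for arg in $1; do
    case "$arg" in
      --read-only-port=*) value="${arg#--read-only-port=}" ;;
      *) if [ "$prev" = "--read-only-port" ]; then value="$arg"; fi ;;
    esac
    prev="$arg"
  done
  printf '%s' "$value"
}

# Extract readOnlyPort from a YAML KubeletConfiguration file (empty if unset).
read_only_port_from_config() {
  sed -n 's/^[[:space:]]*readOnlyPort:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

check_read_only_port_args() {      # usage: check_read_only_port_args <policy> "<argv>"
  decide_read_only_port "$1" "$(read_only_port_from_args "$2")"
}

check_read_only_port_config() {    # usage: check_read_only_port_config <policy> <file>
  decide_read_only_port "$1" "$(read_only_port_from_config "$2")"
}

# Constructed sample command lines (not captured from a real node).
K3S_ARGS="kubelet --anonymous-auth=false --read-only-port=0 --authorization-mode=Webhook"
VANILLA_ARGS="kubelet --anonymous-auth=false --authorization-mode=Webhook"

for p in if_defined strict; do
  check_read_only_port_args "$p" "$VANILLA_ARGS" && r=PASS || r=FAIL
  echo "policy=$p, flag absent: $r"          # if_defined PASS, strict FAIL
  check_read_only_port_args "$p" "$K3S_ARGS" && r=PASS || r=FAIL
  echo "policy=$p, --read-only-port=0: $r"   # PASS under both
done
```

Under strict, a K3s node that has had --read-only-port removed from its kubelet args fails even though the generic benchmark would pass it, which is exactly the regression the stricter check is meant to surface.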
Andy Pitcher e25836747b
feat: Add cis-1.11 generic and update configmap 2025-09-30 15:00:00 +02:00
Paulo Gomes dda498661d
Merge pull request #521 from andypitcher/rke2-cis-1.11
Add rke2-cis-1.11
2025-09-15 14:33:03 +01:00
Andy Pitcher a007e70ca2
rke2-cis-1.11
- Generate placeholder files
  - master: 1.2.30 Ensure that the --service-account-extend-token-expiration parameter is set to false
  - master: 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Automated)
    - Changed from 600 to 644
    - Changed from Manual to Automated
  - node: 4.2.14 Ensure that the --seccomp-default parameter is set to true (Manual)
  - node: 4.2.4 Verify that if defined, the --read-only-port argument is set to 0 (Automated)
    - Add 'if defined'
  - policies: 5.1.1 to 5.1.6 from (Automated) to (Manual)
  - policies: section titled 'General Policies' was renumbered from 5.7 in v1.10 to 5.6
2025-09-12 21:27:33 +02:00
Andy Pitcher 2a527d460b
k3s-cis-1.11
- Generate placeholder files
  - add target mapping and versions
  - master: 1.2.30 Ensure that the --service-account-extend-token-expiration parameter is set to false
  - master: 1.2.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)
    - Changed from 600 to 644
    - Changed from Manual to Automated
  - node: 4.2.14 Ensure that the --seccomp-default parameter is set to true (Manual)
  - node: 4.2.4 Verify that if defined, the --read-only-port argument is set to 0 (Automated)
    - Add 'if defined'
  - policies: 5.1.1 to 5.1.6 from (Automated) to (Manual)
  - policies: section titled 'General Policies' was renumbered from 5.7 in v1.10 to 5.6
2025-09-12 21:22:26 +02:00
renovate-rancher[bot] b7c298b095
chore(deps): update registry.suse.com/bci/golang docker tag to v1.25 2025-09-09 04:39:19 +00:00
Andy Pitcher 929f3a237c
Merge pull request #456 from andypitcher/cis-1.10
Add cis-1.10 generic and update configmap
2025-08-04 15:48:13 -04:00
Andy Pitcher 01235496a6
Merge pull request #457 from dereknola/rke2_cis_110
Add RKE2 cis-1.10 benchmark
2025-08-04 15:37:50 -04:00
Paulo Gomes f0835bece3
Revert 'Remove default profiles'
Signed-off-by: Paulo Gomes <paulo.gomes@suse.com>
2025-07-23 10:29:04 +01:00
Paulo Gomes bd909b7f05
Merge pull request #474 from rancher/renovate/main-registry.suse.com-bci-bci-micro-15.x
chore(deps): update registry.suse.com/bci/bci-micro docker tag to v15.7 (main)
2025-06-19 12:29:53 +01:00
renovate-rancher[bot] 2e97e4339a
chore(deps): update registry.suse.com/bci/bci-micro docker tag to v15.7 2025-06-19 04:42:40 +00:00
renovate-rancher[bot] 6afd20550c
chore(deps): update rancher/mirrored-tonistiigi-xx docker tag to v1.6.1 2025-06-19 04:42:36 +00:00
Paulo Gomes 5e0f790bb2
build: Bump Go images to 1.24
Signed-off-by: Paulo Gomes <paulo.gomes@suse.com>
2025-06-17 14:22:28 +01:00
Paulo Gomes 99c7316743
Remove default profiles
Signed-off-by: Paulo Gomes <paulo.gomes@suse.com>
2025-06-12 16:40:14 +01:00
Paulo Gomes 16a44a7c4a
Add VERBOSE option to cat log file on error
Signed-off-by: Paulo Gomes <paulo.gomes@suse.com>
2025-06-11 12:57:34 +01:00
Paulo Gomes 315c8dea71
Transition into compliance-operator
Signed-off-by: Paulo Gomes <paulo.gomes@suse.com>
2025-06-11 11:36:07 +01:00
Derek Nola 3f79726117
Fix check for 5.2.9 using sh syntax
Signed-off-by: Derek Nola <derek.nola@suse.com>
2025-04-07 10:47:31 -07:00
Derek Nola 6e0a9f9290
Fix default 5.2.9 check and add whitelist
Signed-off-by: Derek Nola <derek.nola@suse.com>
2025-04-07 10:45:37 -07:00
Derek Nola 71b63cfe18
Add whitelist for 5.2.5
Signed-off-by: Derek Nola <derek.nola@suse.com>
2025-04-07 10:20:54 -07:00
Derek Nola 81b148bb20
Add whitelist to 5.2.2
Signed-off-by: Derek Nola <derek.nola@suse.com>
2025-04-07 10:20:54 -07:00
Derek Nola 1a62cb359c
Add new 5.2.X manual checks
Signed-off-by: Derek Nola <derek.nola@suse.com>
2025-04-07 09:19:14 -07:00
Derek Nola c0e2cf174b
Add base rke2-cis-1.10 benchmark
Signed-off-by: Derek Nola <derek.nola@suse.com>
2025-04-07 09:19:14 -07:00
Andy Pitcher fe9201f30c Add cis-1.10 generic and update configmap 2025-04-04 16:46:53 +02:00
Derek Nola d2e0ef324f
Add 5.2.9 k3s whitelist
Signed-off-by: Derek Nola <derek.nola@suse.com>
2025-04-03 09:05:18 -04:00
Derek Nola 9fe308dc25
Add k3s-cis-1.10 benchmark
Signed-off-by: Derek Nola <derek.nola@suse.com>
2025-03-19 10:11:29 -07:00
Derek Nola 712b4bfc4f
Use new kubelet config file
Signed-off-by: Derek Nola <derek.nola@suse.com>
2025-03-10 10:35:05 -07:00
vardhaman22 c5dd9bb48c added eks 1.2.0 2025-02-24 14:32:10 +05:30
vardhaman22 ff96991c48 added eks 1.5.0 support 2025-02-14 22:19:30 +05:30
renovate-rancher[bot] 09ee7f2444
chore(deps): update registry.suse.com/bci/golang docker tag to v1.23 2025-01-24 04:34:39 +00:00
vardhaman22 a7b5f3eede fix 5.1.5 in rke2-cis-1.9 and k3s-cis-1.9 2025-01-13 21:51:04 +05:30
vardhaman22 e3e4f3eed6 Revert "Change 5.1.5 check from Automated to Manual in k3s-cis-1.9"
This reverts commit 0a9114fd15.
2025-01-13 21:24:00 +05:30
vardhaman22 1780f9296c set type:manual for 5.1.2 and 5.1.4 checks for rke2 cis 1.9 2025-01-10 20:09:41 +05:30
Andy Pitcher 37109b9cbf
Merge pull request #324 from dereknola/rke2-cis-1.9
RKE2 cis-1.9 profile
2025-01-10 15:21:30 +01:00
vardhaman22 8b82a8e978 k3s-cis-1.9: set 5.1.2 and 5.1.4 type as manual 2025-01-08 17:00:06 +05:30
Derek Nola b81266a62b
yamllint fix
Signed-off-by: Derek Nola <derek.nola@suse.com>
2024-12-30 09:52:04 -08:00
Derek Nola a8718b9552
Fix manual score
Signed-off-by: Derek Nola <derek.nola@suse.com>
2024-12-23 09:04:19 -08:00
Derek Nola badf75e1e0
Fix lingering mistakes for k3s-cis-1.9
Signed-off-by: Derek Nola <derek.nola@suse.com>
2024-12-18 12:54:38 -08:00
Derek Nola 3006b4414e
Modify policies with RKE2 specific information
Signed-off-by: Derek Nola <derek.nola@suse.com>
2024-12-18 12:54:37 -08:00
Derek Nola 1afd78fd01
Initial land of rke2-cis-1.9
Signed-off-by: Derek Nola <derek.nola@suse.com>
2024-12-18 12:54:37 -08:00
Andy Pitcher 0a9114fd15 Change 5.1.5 check from Automated to Manual in k3s-cis-1.9
By default (and apart from kube-system whitelisting) K3s doesn't enforce automountServiceAccountToken to false for the following default svcs:
  namespace: default            service_account: default    automountServiceAccountToken: notset  is_compliant: false
  namespace: kube-node-lease    service_account: default    automountServiceAccountToken: notset  is_compliant: false
  namespace: kube-public        service_account: default    automountServiceAccountToken: notset  is_compliant: false
  namespace: kube-system        service_account: default    automountServiceAccountToken: notset  is_compliant: true
To pass the check, the admin needs to manually modify them (see check remediation). This is why the check should be changed to Manual.
2024-12-09 16:04:57 +01:00
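The commit above lists which default service accounts fail 5.1.5 on a stock K3s cluster and why a kube-system whitelist keeps that namespace compliant. The following is an added example of that evaluation, not the project's 5.1.5 check: the SA_WHITELIST variable, the function names and the sample service-account list are constructed for illustration, and the list mirrors the `namespace / service_account / automountServiceAccountToken` fields the commit prints rather than calling kubectl. The remediation it prints (a `kubectl patch` setting automountServiceAccountToken to false) is one standard way to fix a non-compliant default service account; the project's own remediation text is not reproduced here.

```shell
# Added example for CIS 5.1.5 (automountServiceAccountToken on default SAs);
# not the project's check. Input lines: "<namespace> <serviceaccount> <value>"
# where <value> is true, false or notset (the field is absent on the object).

SA_WHITELIST="kube-system/default"   # assumed exemption, mirrors the commit's note

# A service account is compliant if it is whitelisted or explicitly opts out.
sa_is_compliant() {                  # usage: sa_is_compliant <ns> <sa> <value>
  ns="$1"; sa="$2"; automount="$3"
  case " $SA_WHITELIST " in
    *" $ns/$sa "*) return 0 ;;
  esac
  [ "$automount" = "false" ] && return 0
  return 1
}

# Reads "<ns> <sa> <value>" lines on stdin, prints one verdict per SA and a
# remediation command for each non-compliant one.
audit_service_accounts() {
  while read -r ns sa automount; do
    [ -z "$ns" ] && continue
    if sa_is_compliant "$ns" "$sa" "$automount"; then
      status=true
    else
      status=false
      printf "remediate: kubectl patch serviceaccount %s -n %s -p '{\"automountServiceAccountToken\": false}'\n" "$sa" "$ns"
    fi
    printf 'namespace: %-16s service_account: %-8s automountServiceAccountToken: %-6s is_compliant: %s\n' \
      "$ns" "$sa" "$automount" "$status"
  done
}

# Number of non-compliant SAs in the stdin list (0 when everything passes).
count_noncompliant() {
  audit_service_accounts | grep -c 'is_compliant: false' || true
}

# Constructed sample: the four default SAs of a fresh K3s cluster, none of
# which carries an explicit automountServiceAccountToken field.
SAMPLE_SA_LIST='default default notset
kube-node-lease default notset
kube-public default notset
kube-system default notset'

printf '%s\n' "$SAMPLE_SA_LIST" | audit_service_accounts
echo "non-compliant: $(printf '%s\n' "$SAMPLE_SA_LIST" | count_noncompliant)"   # 3
```

Applying the printed patch commands and re-running the audit brings the count to zero, which is the manual step the commit says cannot be assumed in an automated check.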
Andy Pitcher 276e8aaf3b Add comments for version_mapping and target_mapping 2024-11-27 09:53:10 +01:00
Andy Pitcher ef601fd8ed Remove generic profiles dir inside package/cfg
Reason: The generic profiles are downloaded from upstream, no need to have them here anymore (ref. https://github.com/aquasecurity/kube-bench/tree/main/cfg).
2024-11-25 21:36:18 +01:00
Andy Pitcher 1b169e2d7a Add cis-1.9 generic version 2024-11-25 21:36:00 +01:00
Andy Pitcher ff3a4c22c7 Remove old versions in ConfigMap
- Generic:
  - cis-1.4
  - cis-1.5
  - cis-1.6
  - cis-1.20
  - cis-1.23
- K3s:
  - k3s-cis-1.6-hardened
  - k3s-cis-1.6-permissive
  - k3s-cis-1.20-hardened
  - k3s-cis-1.20-permissive
- RKE1:
  - rke-cis-1.4
  - rke-cis-1.5-hardened
  - rke-cis-1.5-permissive
  - rke-cis-1.6-hardened
  - rke-cis-1.6-permissive
  - rke-cis-1.20-hardened
  - rke-cis-1.20-permissive
- RKE2:
  - rke2-cis-1.5-hardened
  - rke2-cis-1.5-permissive
  - rke2-cis-1.6-hardened
  - rke2-cis-1.6-permissive
  - rke2-cis-1.20-hardened
  - rke2-cis-1.20-permissive

Add version_mappings for:
- Generic:
  - cis-1.23
  - cis-1.24
  - cis-1.7
  - cis-1.8
2024-11-25 19:38:49 +01:00
Andy Pitcher a85f27daa0
Merge pull request #251 from dereknola/k3s-cis-1.9
K3s cis-1.9 profile
2024-11-13 14:32:25 +01:00
Derek Nola b43f257054
Typo fix
Signed-off-by: Derek Nola <derek.nola@suse.com>
2024-11-06 10:38:05 -08:00
Derek Nola 2d18014b15
Add exception for 5.1.5
Signed-off-by: Derek Nola <derek.nola@suse.com>
2024-11-06 10:34:52 -08:00
Derek Nola 9bdb58e69e
Revert "Change cr_whitelist to bash array"
This reverts commit 72449a0354.
2024-11-06 09:10:13 -08:00
Derek Nola 72449a0354
Change cr_whitelist to bash array
Signed-off-by: Derek Nola <derek.nola@suse.com>
2024-11-05 11:34:35 -08:00
Derek Nola 5ccabca0bb
lint fix
Signed-off-by: Derek Nola <derek.nola@suse.com>
2024-11-05 08:38:10 -08:00