68 lines
3.2 KiB
Bash
Executable File
68 lines
3.2 KiB
Bash
Executable File
#!/bin/bash
|
|
set -eou pipefail
|
|
|
|
function main(){
|
|
## validation: Benchmarks (cfgs) with yamllint and kube-bench (dry-run)
|
|
echo "Running: yamllint against security-scan cfgs"
|
|
|
|
# CFGS lists all benchmark directories such as cis-1.7
|
|
CFGS="$(find package/cfg/ -mindepth 1 -type d -printf "%f\n")"
|
|
|
|
FAILED_CFGS_YML=()
|
|
FAILED_CFGS_KB=()
|
|
FAILED_CHECKS_TYPE=()
|
|
|
|
# Loop through all benchmarks
|
|
for cfg in ${CFGS}; do
|
|
set -x
|
|
# yammlint is configured with ../.yamllint.yaml, to catch any liniting errors for a given benchmark. If result isn't empty, FAILED_CFGS_YML is appended with the failing benchmark.
|
|
if [ -n "$(yamllint -s package/cfg/$cfg)" ]; then
|
|
FAILED_CFGS_YML+=("$cfg")
|
|
fi
|
|
# verify each check content to confirm type Automated matches scored to true and type Manual matches scored to false.
|
|
for component in $(find package/cfg/$cfg -type f -name "*.yaml" ! -name "config.yaml"); do
|
|
readarray checks < <(yq -o=j -I=0 '.groups[].checks[]' $component )
|
|
for check in "${checks[@]}"; do
|
|
id=$(echo $check | yq '.id')
|
|
text=$(echo $check | yq '.text')
|
|
scored=$(echo $check | yq '.scored')
|
|
type=$(echo $text | sed -n 's/.*(\(.*\)).*/\1/p')
|
|
# check if type is present and spelled correctly.
|
|
if [[ "$type" == "Automated" || "$type" == "Manual" ]]; then
|
|
# check if type is Automated with scored to true or type is Manual with scored to false.
|
|
if [[ "$type" == "Automated" && "$scored" != "true" ]] || [[ "$type" == "Manual" && "$scored" != "false" ]] ; then
|
|
echo "Error mismatch found in $id: $text - 'type' is $type but 'scored' is $scored."
|
|
FAILED_CHECKS_TYPE+=("$cfg:$id")
|
|
fi
|
|
else
|
|
echo "Error in $id: $text - type is misspelled or not recognized. Make sure to set title type to Manual/Automated."
|
|
FAILED_CHECKS_TYPE+=("$cfg:$id")
|
|
fi
|
|
done
|
|
done
|
|
# kube-bench dry-run to detect any errors for a given benchmark's files - check 1.1 is common to all benchmarks and used to speed up the test. If kube-bench commands fails, FAILED_CFGS_KB is appended with the failing benchmark.
|
|
if kube-bench --config-dir package/cfg --config package/cfg/config.yaml --benchmark "$cfg" --check 1.1 --noremediations --noresults --nosummary --nototals; then
|
|
echo "$cfg is OK"
|
|
else
|
|
FAILED_CFGS_KB+=("$cfg")
|
|
fi
|
|
set +x
|
|
done
|
|
|
|
# Test if any profiles have errors, either FAILED_CFGS_YML or FAILED_CFGS_KB or FAILED_CHECKS_TYPE is greater than 0, fails.
|
|
if [ ${#FAILED_CFGS_YML[@]} -gt 0 ]; then
|
|
echo "Error - yamllint failed for these cfgs: ${FAILED_CFGS_YML[@]}"
|
|
exit 1
|
|
fi
|
|
if [ ${#FAILED_CFGS_KB[@]} -gt 0 ]; then
|
|
echo "Error - kube-bench dry-run failed for these cfgs: ${FAILED_CFGS_KB[@]}"
|
|
exit 1
|
|
fi
|
|
if [ ${#FAILED_CHECKS_TYPE[@]} -gt 0 ]; then
|
|
echo "Error - check type verification failed for these checks: ${FAILED_CHECKS_TYPE[@]}"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
main
|