Nx pkg patch 1

.github/workflows/build.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Setup golangci-lint
         uses: golangci/golangci-lint-action@v4
         with:
-          version: latest
+          version: v1.57.2
           args: --verbose
   unit:
     name: Unit tests

.goreleaser.yml

@@ -2,10 +2,15 @@
 project_name: kube-bench
 env:
   - GO111MODULE=on
+  - CGO_ENABLED=0
   - KUBEBENCH_CFG=/etc/kube-bench/cfg
 builds:
   - main: main.go
     binary: kube-bench
+    tags:
+      - osusergo
+      - netgo
+      - static_build
     goos:
       - linux
       - darwin
@@ -19,6 +24,9 @@ builds:
       - 6
       - 7
     ldflags:
+      - "-s"
+      - "-w"
+      - "-extldflags '-static'"
       - "-X github.com/khulnasoft/kube-bench/cmd.KubeBenchVersion={{.Version}}"
       - "-X github.com/khulnasoft/kube-bench/cmd.cfgDir={{.Env.KUBEBENCH_CFG}}"
 # Archive customization
@@ -33,7 +41,7 @@ nfpms:
   -
     vendor: Khulnasoft Security
     description: "The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices"
-    maintainer: Yoav Rotem <yoav.rotem@khulnasoft.com>
+    maintainer: KhulnaSoft DevOps <security@khulnasoft.com>
     license: Apache-2.0
     homepage: https://github.com/khulnasoft/kube-bench
     file_name_template: '{{ .Binary }}_{{.Version}}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{.Arm }}{{ end }}'

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.22.1 AS build
+FROM golang:1.22.2 AS build
 WORKDIR /go/src/github.com/khulnasoft/kube-bench/
 COPY makefile makefile
 COPY go.mod go.sum ./

Dockerfile.fips.ubi

@@ -1,4 +1,4 @@
-FROM golang:1.22.1 AS build
+FROM golang:1.22.2 AS build
 WORKDIR /go/src/github.com/khulnasoft/kube-bench/
 COPY makefile makefile
 COPY go.mod go.sum ./

Dockerfile.ubi

@@ -1,4 +1,4 @@
-FROM golang:1.22.1 AS build
+FROM golang:1.22.2 AS build
 WORKDIR /go/src/github.com/khulnasoft/kube-bench/
 COPY makefile makefile
 COPY go.mod go.sum ./

cfg/config.yaml

@@ -95,6 +95,7 @@ master:
     datadirs:
       - /var/lib/etcd/default.etcd
       - /var/lib/etcd/data.etcd
+      - /var/lib/rancher/k3s/server/db/etcd
     confs:
       - /etc/kubernetes/manifests/etcd.yaml
       - /etc/kubernetes/manifests/etcd.yml
@@ -105,6 +106,7 @@ master:
       - /var/snap/microk8s/current/args/etcd
       - /usr/lib/systemd/system/etcd.service
       - /var/lib/rancher/rke2/server/db/etcd/config
+      - /var/lib/rancher/k3s/server/db/etcd/config
     defaultconf: /etc/kubernetes/manifests/etcd.yaml
     defaultdatadir: /var/lib/etcd/default.etcd
 
@@ -234,6 +236,7 @@ etcd:
     datadirs:
       - /var/lib/etcd/default.etcd
       - /var/lib/etcd/data.etcd
+      - /var/lib/rancher/k3s/server/db/etcd
     confs:
       - /etc/kubernetes/manifests/etcd.yaml
       - /etc/kubernetes/manifests/etcd.yml

cfg/k3s-cis-1.23/config.yaml

@@ -20,6 +20,9 @@ master:
   controllermanager:
     bins:
       - containerd
+
+    datadirs:
+      - /var/lib/rancher/k3s/server/db/etcd
 
   etcd:
     bins:

cfg/k3s-cis-1.23/etcd.yaml

@@ -10,15 +10,13 @@ groups:
     checks:
       - id: 2.1
         text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.1"
+        audit: "grep -A 4 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
         tests:
           bin_op: and
           test_items:
             - flag: "cert-file"
-              env: "ETCD_CERT_FILE"
               set: true
             - flag: "key-file"
-              env: "ETCD_KEY_FILE"
               set: true
         remediation: |
           Follow the etcd service documentation and configure TLS encryption.
@@ -30,14 +28,13 @@ groups:
 
       - id: 2.2
         text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.2"
+        audit: "grep -A 4 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
         tests:
           bin_op: or
           test_items:
             - flag: "--client-cert-auth"
               set: true
             - flag: "client-cert-auth"
-              env: "ETCD_CLIENT_CERT_AUTH"
               compare:
                 op: eq
                 value: true
@@ -50,15 +47,13 @@ groups:
 
       - id: 2.3
         text: "Ensure that the --auto-tls argument is not set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.3"
+        audit: "if grep -q '^auto-tls' $etcdconf;then grep '^auto-tls' $etcdconf;else echo 'notset';fi"
         tests:
           bin_op: or
           test_items:
             - flag: "--auto-tls"
-              env: "ETCD_AUTO_TLS"
               set: false
             - flag: "--auto-tls"
-              env: "ETCD_AUTO_TLS"
               compare:
                 op: eq
                 value: false
@@ -70,15 +65,13 @@ groups:
 
       - id: 2.4
         text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.4"
+        audit: "grep -A 4 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
         tests:
           bin_op: and
           test_items:
             - flag: "cert-file"
-              env: "ETCD_PEER_CERT_FILE"
               set: true
             - flag: "key-file"
-              env: "ETCD_PEER_KEY_FILE"
               set: true
         remediation: |
           Follow the etcd service documentation and configure peer TLS encryption as appropriate
@@ -91,14 +84,13 @@ groups:
 
       - id: 2.5
         text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.5"
+        audit: "grep -A 4 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
         tests:
           bin_op: or
           test_items:
             - flag: "--client-cert-auth"
               set: true
             - flag: "client-cert-auth"
-              env: "ETCD_PEER_CLIENT_CERT_AUTH"
               compare:
                 op: eq
                 value: true
@@ -111,15 +103,13 @@ groups:
 
       - id: 2.6
         text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.6"
+        audit: "if grep -q '^peer-auto-tls' $etcdconf;then grep '^peer-auto-tls' $etcdconf;else echo 'notset';fi"
         tests:
           bin_op: or
           test_items:
             - flag: "--peer-auto-tls"
-              env: "ETCD_PEER_AUTO_TLS"
               set: false
             - flag: "--peer-auto-tls"
-              env: "ETCD_PEER_AUTO_TLS"
               compare:
                 op: eq
                 value: false
@@ -132,11 +122,10 @@ groups:
 
       - id: 2.7
         text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
-        audit: "check_for_k3s_etcd.sh 2.7"
+        audit: "if grep -q 'trusted-ca-file' $etcdconf;then grep 'trusted-ca-file' $etcdconf;else echo 'notset';fi"
         tests:
           test_items:
             - flag: "trusted-ca-file"
-              env: "ETCD_TRUSTED_CA_FILE"
               set: true
         remediation: |
           [Manual test]

cfg/k3s-cis-1.23/master.yaml

@@ -155,7 +155,7 @@ groups:
 
       - id: 1.1.11
         text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.1.11"
+        audit: "stat -c %a $etcddatadir"
         tests:
           test_items:
             - flag: "700"
@@ -736,7 +736,7 @@ groups:
 
       - id: 1.2.26
         text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.2.29"
+        audit: "journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver'"
         tests:
           bin_op: and
           test_items:

cfg/k3s-cis-1.24/config.yaml

@@ -25,6 +25,9 @@ master:
     bins:
       - containerd
 
+    datadirs:
+      - /var/lib/rancher/k3s/server/db/etcd
+
   node:
     components:
       - kubelet

cfg/k3s-cis-1.24/etcd.yaml

@@ -10,15 +10,13 @@ groups:
     checks:
       - id: 2.1
         text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.1"
+        audit: "grep -A 4 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
         tests:
           bin_op: and
           test_items:
             - flag: "cert-file"
-              env: "ETCD_CERT_FILE"
               set: true
             - flag: "key-file"
-              env: "ETCD_KEY_FILE"
               set: true
         remediation: |
           Follow the etcd service documentation and configure TLS encryption.
@@ -30,14 +28,13 @@ groups:
 
       - id: 2.2
         text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.2"
+        audit: "grep -A 4 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
         tests:
           bin_op: or
           test_items:
             - flag: "--client-cert-auth"
               set: true
             - flag: "client-cert-auth"
-              env: "ETCD_CLIENT_CERT_AUTH"
               compare:
                 op: eq
                 value: true
@@ -50,15 +47,13 @@ groups:
 
       - id: 2.3
         text: "Ensure that the --auto-tls argument is not set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.3"
+        audit: "if grep -q '^auto-tls' $etcdconf;then grep '^auto-tls' $etcdconf;else echo 'notset';fi"
         tests:
           bin_op: or
           test_items:
             - flag: "--auto-tls"
-              env: "ETCD_AUTO_TLS"
               set: false
             - flag: "--auto-tls"
-              env: "ETCD_AUTO_TLS"
               compare:
                 op: eq
                 value: false
@@ -70,15 +65,13 @@ groups:
 
       - id: 2.4
         text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.4"
+        audit: "grep -A 4 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
         tests:
           bin_op: and
           test_items:
             - flag: "cert-file"
-              env: "ETCD_PEER_CERT_FILE"
               set: true
             - flag: "key-file"
-              env: "ETCD_PEER_KEY_FILE"
               set: true
         remediation: |
           Follow the etcd service documentation and configure peer TLS encryption as appropriate
@@ -91,14 +84,13 @@ groups:
 
       - id: 2.5
         text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.5"
+        audit: "grep -A 4 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
         tests:
           bin_op: or
           test_items:
             - flag: "--client-cert-auth"
               set: true
             - flag: "client-cert-auth"
-              env: "ETCD_PEER_CLIENT_CERT_AUTH"
               compare:
                 op: eq
                 value: true
@@ -111,15 +103,13 @@ groups:
 
       - id: 2.6
         text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.6"
+        audit: "if grep -q '^peer-auto-tls' $etcdconf;then grep '^peer-auto-tls' $etcdconf;else echo 'notset';fi"
         tests:
           bin_op: or
           test_items:
             - flag: "--peer-auto-tls"
-              env: "ETCD_PEER_AUTO_TLS"
               set: false
             - flag: "--peer-auto-tls"
-              env: "ETCD_PEER_AUTO_TLS"
               compare:
                 op: eq
                 value: false
@@ -132,11 +122,10 @@ groups:
 
       - id: 2.7
         text: "Ensure that a unique Certificate Authority is used for etcd (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.7"
+        audit: "if grep -q 'trusted-ca-file' $etcdconf;then grep 'trusted-ca-file' $etcdconf;else echo 'notset';fi"
         tests:
           test_items:
             - flag: "trusted-ca-file"
-              env: "ETCD_TRUSTED_CA_FILE"
               set: true
         remediation: |
           [Manual test]

cfg/k3s-cis-1.24/master.yaml

@@ -155,7 +155,7 @@ groups:
 
       - id: 1.1.11
         text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.1.11"
+        audit: "stat -c %a $etcddatadir"
         tests:
           test_items:
             - flag: "700"
@@ -735,7 +735,7 @@ groups:
 
       - id: 1.2.26
         text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.2.29"
+        audit: "journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver'"
         tests:
           bin_op: and
           test_items:

cfg/k3s-cis-1.7/config.yaml

@@ -32,6 +32,9 @@ master:
     bins:
       - containerd
 
+    datadirs:
+      - /var/lib/rancher/k3s/server/db/etcd
+
   node:
     components:
       - kubelet