From 6df237e5798845a26123e37c902a87a88d045223 Mon Sep 17 00:00:00 2001
From: Jon Mosco
Date: Fri, 21 Jan 2022 12:53:46 -0500
Subject: [PATCH 1/2] more updates to doc formatting

---
 docs/current-state.md | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/docs/current-state.md b/docs/current-state.md
index f468c053..e61d9305 100644
--- a/docs/current-state.md
+++ b/docs/current-state.md
@@ -23,6 +23,8 @@ The following 2 scrips run the sonobuoy command against the kube-bench generated
 * [run.sh](https://github.com/rancherfederal/security-scan/blob/master/package/run.sh)
 * [run_sonohuoy_plugin.sh](https://github.com/rancherfederal/security-scan/blob/master/package/run_sonobuoy_plugin.sh)
+The results are outputted in json format.
+
 ### Architecture
 Current cis-benchmark operator architecture:
@@ -33,6 +35,7 @@ Existing repos:
 * [rancher/security-scan](https://github.com/rancher/security-scan)
 * [vmware-tanzu/sonobuoy](https://github.com/vmware-tanzu/sonobuoy)
 * [vmware-tanzu/sonobuoy-plugins](https://github.com/vmware-tanzu/sonobuoy-plugins/blob/main/cis-benchmarks/README.md)
+* [kube-hunter sonobuoy plugin](https://github.com/vmware-tanzu/sonobuoy-plugins/tree/main/kube-hunter)
 Images used:
 ```yaml
@@ -61,8 +64,8 @@ I assume this is the location to create specific ‘STIG’ configs that can the
 ### Existing Documentation
-https://github.com/rancher/charts/blob/dev-v2.6/charts/rancher-cis-benchmark/2.0.2/app-readme.md
-https://github.com/aquasecurity/kube-bench/blob/main/docs/controls.md
+* https://github.com/rancher/charts/blob/dev-v2.6/charts/rancher-cis-benchmark/2.0.2/app-readme.md
+* https://github.com/aquasecurity/kube-bench/blob/main/docs/controls.md
 Misc Sites with good info:

From c12df2109f00c6e5eb852a04566c333d1136e33a Mon Sep 17 00:00:00 2001
From: Jon Mosco
Date: Tue, 25 Jan 2022 10:19:16 -0500
Subject: [PATCH 2/2] removing unused tests

---
 README.md | 2 +-
 examples/benchmark-rke-cis-1.5-permissive.yaml | 8 --------
 examples/clusterscancustom.yml | 7 -------
 examples/clusterscaneks.yml | 7 -------
 examples/clusterscangke.yml | 7 -------
 examples/clusterscanrke.yml | 12 ------------
 examples/clusterscanrkeperm.yml | 7 -------
 examples/custombenchmarkscan.yml | 7 -------
 examples/scanprofile-cis-1.5.yml | 9 ---------
 examples/scanprofile-rke-custom.yml | 11 -----------
 examples/scanprofile-rke-hardened.yml | 9 ---------
 examples/scanprofile-rke-permissive.yml | 9 ---------
 examples/scanprofileeks.yml | 9 ---------
 examples/scanprofilegke.yml | 9 ---------
 examples/ssrkehardened.yml | 9 ---------
 examples/ssrkeperm.yml | 9 ---------
 ...s-1.5-hardened.yaml => stig-validation-rke2.yaml} | 6 +++---
 17 files changed, 4 insertions(+), 133 deletions(-)
 delete mode 100644 examples/benchmark-rke-cis-1.5-permissive.yaml
 delete mode 100644 examples/clusterscancustom.yml
 delete mode 100644 examples/clusterscaneks.yml
 delete mode 100644 examples/clusterscangke.yml
 delete mode 100644 examples/clusterscanrke.yml
 delete mode 100644 examples/clusterscanrkeperm.yml
 delete mode 100644 examples/custombenchmarkscan.yml
 delete mode 100644 examples/scanprofile-cis-1.5.yml
 delete mode 100644 examples/scanprofile-rke-custom.yml
 delete mode 100644 examples/scanprofile-rke-hardened.yml
 delete mode 100644 examples/scanprofile-rke-permissive.yml
 delete mode 100644 examples/scanprofileeks.yml
 delete mode 100644 examples/scanprofilegke.yml
 delete mode 100644 examples/ssrkehardened.yml
 delete mode 100644 examples/ssrkeperm.yml
 rename examples/{benchmark-rke-cis-1.5-hardened.yaml => stig-validation-rke2.yaml} (50%)

diff --git a/README.md b/README.md
index cb8bada9..5d3bf52d 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@ The stig-validator-operator is a group of controllers that runs within an RKE2 K
 It provides a means to deploy and manage a scanner to report on compliance to the RKE2 STIG.
 The STIG Validator Controller checks the RKE2 clusters configuration against the criteria
-defined for it in the RKE2 STIG as developed by RancherFederal along side DISA.
+defined for it in the RKE2 STIG as developed by RancherFederal alongside DISA.
 When the controller starts it will create a default stig-rke2 CR.
diff --git a/examples/benchmark-rke-cis-1.5-permissive.yaml b/examples/benchmark-rke-cis-1.5-permissive.yaml
deleted file mode 100644
index 95f80c0f..00000000
--- a/examples/benchmark-rke-cis-1.5-permissive.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
- name: rke-cis-1.5-permissive
-spec:
- clusterProvider: rke
- minKubernetesVersion: "1.15.0"
diff --git a/examples/clusterscancustom.yml b/examples/clusterscancustom.yml
deleted file mode 100644
index 6ceb4c04..00000000
--- a/examples/clusterscancustom.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScan
-metadata:
- name: rke-custom
-spec:
- scanProfileName: "rke-profile-custom"
diff --git a/examples/clusterscaneks.yml b/examples/clusterscaneks.yml
deleted file mode 100644
index cd547e90..00000000
--- a/examples/clusterscaneks.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScan
-metadata:
- name: run-eks-1.0
-spec:
- scanProfileName: eks-profile
diff --git a/examples/clusterscangke.yml b/examples/clusterscangke.yml
deleted file mode 100644
index 2360c705..00000000
--- a/examples/clusterscangke.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScan
-metadata:
- name: run-gke-scan
-spec:
- scanProfileName: gke-profile
diff --git a/examples/clusterscanrke.yml b/examples/clusterscanrke.yml
deleted file mode 100644
index fc05e847..00000000
--- a/examples/clusterscanrke.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScan
-metadata:
- name: can-you-alert
-spec:
- scanProfileName: rke-profile-hardened
- scheduledScanConfig:
- cronSchedule: "*/2 * * * *"
- scanAlertRule:
- alertOnComplete: true
- alertOnFailure: true
diff --git a/examples/clusterscanrkeperm.yml b/examples/clusterscanrkeperm.yml
deleted file mode 100644
index 98068618..00000000
--- a/examples/clusterscanrkeperm.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScan
-metadata:
- name: rke-cis-perm
-spec:
- scanProfileName: ""
\ No newline at end of file
diff --git a/examples/custombenchmarkscan.yml b/examples/custombenchmarkscan.yml
deleted file mode 100644
index 4253c47c..00000000
--- a/examples/custombenchmarkscan.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScan
-metadata:
- name: rke-cis-1.6-perm-custom
-spec:
- scanProfileName: "rke-cis-1.6-permissive"
\ No newline at end of file
diff --git a/examples/scanprofile-cis-1.5.yml b/examples/scanprofile-cis-1.5.yml
deleted file mode 100644
index d69ae9dd..00000000
--- a/examples/scanprofile-cis-1.5.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
- name: cis-1.5-profile
- annotations:
- clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
- benchmarkVersion: cis-1.5
diff --git a/examples/scanprofile-rke-custom.yml b/examples/scanprofile-rke-custom.yml
deleted file mode 100644
index 68e05076..00000000
--- a/examples/scanprofile-rke-custom.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
- name: rke-profile-custom
-spec:
- benchmarkVersion: rke-cis-1.5-permissive
- skipTests:
- - "1.1.20"
- - "1.1.21"
- 
diff --git a/examples/scanprofile-rke-hardened.yml b/examples/scanprofile-rke-hardened.yml
deleted file mode 100644
index 2a981938..00000000
--- a/examples/scanprofile-rke-hardened.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
- name: rke-profile-hardened
- annotations:
- clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
- benchmarkVersion: rke-cis-1.5-hardened
\ No newline at end of file
diff --git a/examples/scanprofile-rke-permissive.yml b/examples/scanprofile-rke-permissive.yml
deleted file mode 100644
index 01266cf0..00000000
--- a/examples/scanprofile-rke-permissive.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
- name: rke-profile-permissive
- annotations:
- clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
- benchmarkVersion: rke-cis-1.5-permissive
diff --git a/examples/scanprofileeks.yml b/examples/scanprofileeks.yml
deleted file mode 100644
index 49c7e024..00000000
--- a/examples/scanprofileeks.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
- name: eks-profile
- annotations:
- clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
- benchmarkVersion: eks-1.0
\ No newline at end of file
diff --git a/examples/scanprofilegke.yml b/examples/scanprofilegke.yml
deleted file mode 100644
index 2ddd0686..00000000
--- a/examples/scanprofilegke.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
- name: gke-profile
- annotations:
- clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
- benchmarkVersion: gke-1.0
\ No newline at end of file
diff --git a/examples/ssrkehardened.yml b/examples/ssrkehardened.yml
deleted file mode 100644
index 23a234eb..00000000
--- a/examples/ssrkehardened.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ScheduledScan
-metadata:
- name: ss-rke-cis-hard
-spec:
- scanProfileName: rke-profile-hardened
- cronSchedule: "*/2 * * * *"
- retentionCount: 3
diff --git a/examples/ssrkeperm.yml b/examples/ssrkeperm.yml
deleted file mode 100644
index bbfa72c4..00000000
--- a/examples/ssrkeperm.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ScheduledScan
-metadata:
- name: ss-rke-cis-perm
-spec:
- scanProfileName: rke-profile-permissive
- cronSchedule: "*/5 * * * *"
- retentionCount: 3
diff --git a/examples/benchmark-rke-cis-1.5-hardened.yaml b/examples/stig-validation-rke2.yaml
similarity index 50%
rename from examples/benchmark-rke-cis-1.5-hardened.yaml
rename to examples/stig-validation-rke2.yaml
index b5627f96..cae1b180 100644
--- a/examples/benchmark-rke-cis-1.5-hardened.yaml
+++ b/examples/stig-validation-rke2.yaml
@@ -1,8 +1,8 @@
 ---
 apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
+kind: STIGValidation
 metadata:
- name: rke-cis-1.5-hardened
+ name: stig-ver1
 spec:
- clusterProvider: rke
+ clusterProvider: ""
 minKubernetesVersion: "1.15.0"
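Review bot: The renamed example switches `kind` to `STIGValidation` while keeping `apiVersion: cis.cattle.io/v1` and `minKubernetesVersion: "1.15.0"` from the CIS benchmark manifest it was renamed from, and replaces `clusterProvider: rke` with an empty string; if the new CRD is served under a different group or version, or does not accept an empty provider, this example will be rejected at apply time rather than silently ignored. The README hunk earlier in this patch says the controller creates a default stig-rke2 CR on start, so it is worth confirming that this manifest actually matches that CRD's schema and that the 1.15.0 floor still reflects what the RKE2 STIG checks support. A short comment on the provider line, such as `# intentionally empty: provider is determined by the controller — confirm against the STIGValidation CRD`, would record whether the empty value is deliberate or a leftover from the rename.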