Merge remote-tracking branch 'origin' into go2rego-aws-1

commands/kubernetes/adminConfFileOwnership.yaml

@@ -6,3 +6,4 @@
   audit: stat -c %U:%G /etc/kubernetes/admin.conf
   platforms:
     - k8s
+    - rke2

commands/kubernetes/adminConfFilePermissions.yaml

@@ -6,3 +6,4 @@
   audit: stat -c %a /etc/kubernetes/admin.conf
   platforms:
     - k8s
+    - rke2

commands/kubernetes/certificateAuthoritiesFileOwnership.yaml

@@ -8,3 +8,4 @@
     /dev/null
   platforms:
     - k8s
+    - rke2

commands/kubernetes/certificateAuthoritiesFilePermissions.yaml

@@ -8,3 +8,4 @@
     /dev/null
   platforms:
     - k8s
+    - rke2

commands/kubernetes/containerNetworkInterfaceFileOwnership.yaml

@@ -6,3 +6,5 @@
   audit: stat -c %U:%G /*/cni/*
   platforms:
     - k8s
+    - rke2
+

commands/kubernetes/containerNetworkInterfaceFilePermissions.yaml

@@ -6,3 +6,4 @@
   audit: stat -c %a /*/cni/*
   platforms:
     - k8s
+    - rke2

commands/kubernetes/controllerManagerConfFileOwnership.yaml

@@ -6,3 +6,4 @@
   audit: stat -c %U:%G $controllermanager.kubeconfig
   platforms:
     - k8s
+    - rke2

commands/kubernetes/controllerManagerConfFilePermissions.yaml

@@ -6,3 +6,4 @@
   audit: stat -c %a $controllermanager.kubeconfig
   platforms:
     - k8s
+    - rke2

commands/kubernetes/etcdDataDirectoryOwnershipRancher.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0046
+  key: etcdDataDirectoryOwnership
+  title: Etcd data directory Ownership
+  nodeType: master
+  audit: stat -c %U:%G /node/var/lib/etcd
+  platforms:
+    - rke2

commands/kubernetes/etcdDataDirectoryPermissionsRancher.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0047
+  key: etcdDataDirectoryPermissions
+  title: Etcd data directory permissions
+  nodeType: master
+  audit: stat -c %a /node/var/lib/etcd
+  platforms:
+    - rke2

commands/kubernetes/kubeAPIServerSpecFileOwnership.yaml

@@ -6,3 +6,4 @@
   audit: stat -c %U:%G $apiserver.confs
   platforms:
     - k8s
+    - rke2

commands/kubernetes/kubeAPIServerSpecFilePermission.yaml

@@ -6,4 +6,5 @@
   audit: stat -c %a $apiserver.confs
   platforms:
     - k8s
+    - rke2
 

commands/kubernetes/kubeControllerManagerSpecFileOwnership.yaml

@@ -6,3 +6,4 @@
   audit: stat -c %U:%G $controllermanager.confs
   platforms:
     - k8s
+    - rke2

commands/kubernetes/kubeControllerManagerSpecFilePermission.yaml

@@ -6,3 +6,4 @@
   audit: stat -c %a $controllermanager.confs
   platforms:
     - k8s
+    - rke2

commands/kubernetes/kubeEtcdSpecFileOwnership.yaml

@@ -6,3 +6,4 @@
   audit: stat -c %U:%G $etcd.confs
   platforms:
     - k8s
+    - rke2

commands/kubernetes/kubeEtcdSpecFilePermission.yaml

@@ -6,3 +6,4 @@
   audit: stat -c %a $etcd.confs
   platforms:
     - k8s
+    - rke2

commands/kubernetes/kubePKIDirectoryFileOwnershipRancher.yaml

@@ -0,0 +1,9 @@
+---
+- id: CMD-0048
+  key: kubePKIDirectoryFileOwnership
+  title: Kubernetes PKI directory and file ownership
+  nodeType: master
+  audit: stat -c %U:%G $(ls -R /node/etc/kubernetes/ssl | awk
+    '/:$/&&f{s=$0;f=0}/:$/&&!f{sub(/:$/,"");s=$0;f=1;next}NF&&f{print s"/"$0 }')
+  platforms:
+    - rke2

commands/kubernetes/kubePKIKeyFilePermissionsRancher.yaml

@@ -0,0 +1,10 @@
+---
+- id: CMD-0050
+  key: kubePKIKeyFilePermissions
+  title: Kubernetes PKI certificate file permissions
+  nodeType: master
+  audit: stat -c %a $(ls -aR /node/etc/kubernetes/ssl | awk
+    '/:$/&&f{s=$0;f=0}/:$/&&!f{sub(/:$/,"");s=$0;f=1;next}NF&&f{print s"/"$0}' |
+    grep \.key$)
+  platforms:
+    - rke

commands/kubernetes/kubeSchedulerSpecFileOwnership.yaml

@@ -6,3 +6,4 @@
   audit: stat -c %U:%G $scheduler.confs
   platforms:
     - k8s
+    - rke2

commands/kubernetes/kubeSchedulerSpecFilePermission.yaml

@@ -6,3 +6,4 @@
   audit: stat -c %a $scheduler.confs
   platforms:
     - k8s
+    - rke2

commands/kubernetes/kubeconfigFileExistsOwnership.yaml

@@ -8,3 +8,4 @@
     2>/dev/null` || echo $output
   platforms:
     - k8s
+    - rke2

commands/kubernetes/kubeconfigFileExistsPermissions.yaml

@@ -8,3 +8,4 @@
     2>/dev/null` || echo $output
   platforms:
     - k8s
+    - rke2

commands/kubernetes/kubeletAnonymousAuthArgumentSet.yaml

@@ -8,3 +8,4 @@
   platforms:
     - k8s
     - eks
+    - rke2

commands/kubernetes/kubeletAuthorizationModeArgumentSet.yaml

@@ -7,3 +7,4 @@
     --authorization-mode=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
   platforms:
     - k8s
+    - rke2

commands/kubernetes/kubeletClientCaFileArgumentSet.yaml

@@ -8,3 +8,4 @@
   platforms:
     - k8s
     - eks
+    - rke2

commands/kubernetes/kubeletConfFileOwnership.yaml

@@ -6,3 +6,4 @@
   audit: stat -c %U:%G $kubelet.kubeconfig
   platforms:
     - k8s
+    - rke2

commands/kubernetes/kubeletConfFilePermissions.yaml

@@ -6,3 +6,4 @@
   audit: stat -c %a $kubelet.kubeconfig
   platforms:
     - k8s
+    - rke2

commands/kubernetes/kubeletConfigYamlConfigurationFileOwnership.yaml

@@ -7,3 +7,4 @@
   platforms:
     - k8s
     - eks
+    - rke2

commands/kubernetes/kubeletConfigYamlConfigurationFilePermission.yaml

@@ -7,3 +7,4 @@
   platforms:
     - k8s
     - eks
+    - rke2

commands/kubernetes/kubeletEventQpsArgumentSet.yaml

@@ -7,3 +7,4 @@
     --event-qps=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
   platforms:
     - k8s
+    - rke2

commands/kubernetes/kubeletHostnameOverrideArgumentSet.yaml

@@ -7,3 +7,4 @@
     --hostname-override=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
   platforms:
     - k8s
+    - rke2

commands/kubernetes/kubeletMakeIptablesUtilChainsArgumentSet.yaml

@@ -9,3 +9,4 @@
   platforms:
     - k8s
     - eks
+    - rke2

commands/kubernetes/kubeletOnlyUseStrongCryptographic.yaml

@@ -7,3 +7,4 @@
     'TLSCipherSuites=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
   platforms:
     - k8s
+    - rke2

commands/kubernetes/kubeletProtectKernelDefaultsArgumentSet.yaml

@@ -8,3 +8,4 @@
     1'
   platforms:
     - k8s
+    - rke2

commands/kubernetes/kubeletReadOnlyPortArgumentSet.yaml

@@ -8,3 +8,4 @@
   platforms:
     - k8s
     - eks
+    - rke2

commands/kubernetes/kubeletRotateCertificatesArgumentSet.yaml

@@ -8,3 +8,4 @@
   platforms:
     - k8s
     - eks
+    - rke2

commands/kubernetes/kubeletRotateKubeletServerCertificateArgumentSet.yaml

@@ -9,3 +9,4 @@
   platforms:
     - k8s
     - eks
+    - rke2

commands/kubernetes/kubeletServiceFileOwnership.yaml

@@ -7,3 +7,4 @@
   platforms:
     - k8s
     - eks
+    - rke2

commands/kubernetes/kubeletServiceFilePermissions.yaml

@@ -6,3 +6,4 @@
   audit: stat -c %a $kubelet.svc
   platforms:
     - k8s
+    - rke2

commands/kubernetes/kubeletStreamingConnectionIdleTimeoutArgumentSet.yaml

@@ -9,3 +9,4 @@
   platforms:
     - k8s
     - eks
+    - rke2

commands/kubernetes/kubeletTlsCertFileTlsArgumentSet.yaml

@@ -7,3 +7,4 @@
     --tls-cert-file=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
   platforms:
     - k8s
+    - rke2

commands/kubernetes/kubeletTlsPrivateKeyFileArgumentSet.yaml

@@ -7,3 +7,4 @@
     --tls-private-key-file=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
   platforms:
     - k8s
+    - rke2

commands/kubernetes/kubernetesPKICertificateFilePermissionsRancher.yaml

@@ -0,0 +1,10 @@
+---
+- id: CMD-0049
+  key: kubernetesPKICertificateFilePermissions
+  title: Kubernetes PKI certificate file permissions
+  nodeType: master
+  audit: stat -c %a $(ls -aR /node/etc/kubernetes/ssl |
+    awk'/:$/&&f{s=$0;f=0}/:$/&&!f{sub(/:$/,"");s=$0;f=1;next}NF&&f{print
+    s"/"$0}' | grep \.crt$)
+  platforms:
+    - rke2

commands/kubernetes/schedulerConfFileOwnership.yaml

@@ -6,3 +6,4 @@
   audit: stat -c %U:%G $scheduler.kubeconfig
   platforms:
     - k8s
+    - rke2

commands/kubernetes/schedulerConfFilePermissions.yaml

@@ -6,3 +6,4 @@
   audit: stat -c %a $scheduler.kubeconfig
   platforms:
     - k8s
+    - rke2

go.mod

@@ -5,7 +5,7 @@ go 1.22.0
 toolchain go1.22.2
 
 require (
-	github.com/aquasecurity/trivy v0.52.1-0.20240617222922-ec68c9ab4580
+	github.com/aquasecurity/trivy v0.52.1-0.20240619054236-36b3b772df21
 	github.com/docker/docker v26.1.3+incompatible
 	github.com/liamg/iamgo v0.0.9
 	github.com/liamg/memoryfs v1.6.0
@@ -82,7 +82,7 @@ require (
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.3 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-getter v1.7.4 // indirect
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
@@ -158,7 +158,7 @@ require (
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0 // indirect
 	go.opentelemetry.io/otel v1.27.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0 // indirect
 	go.opentelemetry.io/otel/metric v1.27.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.27.0 // indirect

go.sum

@@ -216,8 +216,8 @@ github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew
 github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
 github.com/aquasecurity/go-version v0.0.0-20240603093900-cf8a8d29271d h1:4zour5Sh9chOg+IqIinIcJ3qtr3cIf8FdFY6aArlXBw=
 github.com/aquasecurity/go-version v0.0.0-20240603093900-cf8a8d29271d/go.mod h1:1cPOp4BaQZ1G2F5fnw4dFz6pkOyXJI9KTuak8ghIl3U=
-github.com/aquasecurity/trivy v0.52.1-0.20240617222922-ec68c9ab4580 h1:u/rCvrCz/r5gUX/uvCKHd8pIlYdlQ5Mjaw4mxzOkp2Y=
-github.com/aquasecurity/trivy v0.52.1-0.20240617222922-ec68c9ab4580/go.mod h1:n6nge/wMfmdNfWxKnSFMDoOYStcYDrZDGrbkP2KASIk=
+github.com/aquasecurity/trivy v0.52.1-0.20240619054236-36b3b772df21 h1:iNOllxng7JZvCjf4UG6IZhZ9FjyGn3qH/+G631u4y7g=
+github.com/aquasecurity/trivy v0.52.1-0.20240619054236-36b3b772df21/go.mod h1:NSz5jJqsVcABONnEr90DYBeUyy0r6voIw+riatbT3XY=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
@@ -479,8 +479,8 @@ github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 h1:/c3QmbOGMGTOumP2iT/rCwB7b0QDGLKzqOmktBjT+Is=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1/go.mod h1:5SN9VR2LTsRFsrEC6FHgRbTWrTHu6tqPeKxEQv15giM=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
 github.com/hashicorp/go-getter v1.7.4 h1:3yQjWuxICvSpYwqSayAdKRFcvBl1y/vogCxczWSmix0=
@@ -738,8 +738,8 @@ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0 h1:9l89oX4
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0/go.mod h1:XLZfZboOJWHNKUv7eH0inh0E9VV6eWDFB/9yJyTLPp0=
 go.opentelemetry.io/otel v1.27.0 h1:9BZoF3yMK/O1AafMiQTVu0YDj5Ea4hPhxCs7sGva+cg=
 go.opentelemetry.io/otel v1.27.0/go.mod h1:DMpAK8fzYRzs+bi3rS5REupisuqTheUlSZJ1WnZaPAQ=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 h1:R9DE4kQ4k+YtfLI2ULwX82VtNQ2J8yZmA7ZIF/D+7Mc=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0/go.mod h1:OQFyQVrDlbe+R7xrEyDr/2Wr67Ol0hRUgsfA+V5A95s=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 h1:cl5P5/GIfFh4t6xyruOgJP5QiA1pw4fYYdv6nc6CBWw=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0/go.mod h1:zgBdWWAu7oEEMC06MMKc5NLbA/1YDXV1sMpSqEeLQLg=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0 h1:tIqheXEFWAZ7O8A7m+J0aPTmpJN3YQ7qetUAdkkkKpk=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0/go.mod h1:nUeKExfxAQVbiVFn32YXpXZZHZ61Cc3s3Rn1pDBGAb0=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0 h1:digkEZCJWobwBqMwC0cwCq8/wkkRy/OowZg5OArWZrM=

pkg/spec/spec.go

@@ -1,7 +1,7 @@
 package spec
 
 import (
-	"github.com/aquasecurity/trivy-checks/specs"
+	"github.com/aquasecurity/trivy-checks/pkg/specs"
 )
 
 // Loader access compliance specs

specs/compliance/aws-cis-1.2.yaml → pkg/specs/compliance/aws-cis-1.2.yaml

@@ -3,6 +3,8 @@ spec:
   title: AWS CIS Foundations v1.2
   description: AWS CIS Foundations
   version: "1.2"
+  platfrom: aws
+  type: cis
   relatedResources:
   - https://www.cisecurity.org/benchmark/amazon_web_services
   controls:

specs/compliance/aws-cis-1.4.yaml → pkg/specs/compliance/aws-cis-1.4.yaml

@@ -3,6 +3,8 @@ spec:
   title: AWS CIS Foundations v1.4
   description: AWS CIS Foundations
   version: "1.4"
+  platfrom: aws
+  type: cis
   relatedResources:
   - https://www.cisecurity.org/benchmark/amazon_web_services
   controls:

specs/compliance/docker-cis.yaml → pkg/specs/compliance/docker-cis-1.6.0.yaml

@@ -1,11 +1,13 @@
 ---
 spec:
-  id: docker-cis
+  id: docker-cis-1.6.0
   title: CIS Docker Community Edition Benchmark v1.6.0
   description: CIS Docker Community Edition Benchmark
   relatedResources : 
     - https://www.cisecurity.org/benchmark/docker
   version: "1.6.0"
+  platfrom: docker
+  type: cis
   controls:
     - id: '4.1'
       name: Ensure a user for the container has been created

specs/compliance/eks-cis-1.4.yaml → pkg/specs/compliance/eks-cis-1.4.yaml

@@ -1,8 +1,10 @@
 spec:
-  id: eks-cis
+  id: eks-cis-1.4
   title: AWS EKS CIS Foundations v1.4
   description: AWS EKS CIS Foundations
   version: "1.4"
+  platfrom: eks
+  type: cis
   relatedResources:
   - https://www.cisecurity.org/benchmark/amazon_web_services
   controls:

specs/compliance/k8s-cis-1.23.yaml → pkg/specs/compliance/k8s-cis-1.23.yaml

@@ -1,9 +1,11 @@
 ---
 spec:
-  id: k8s-cis
+  id: k8s-cis-1.23
   title: CIS Kubernetes Benchmarks v1.23
   description: CIS Kubernetes Benchmarks
   version: "1.23"
+  platfrom: k8s
+  type: cis
   relatedResources:
     - https://www.cisecurity.org/benchmark/kubernetes
   controls:

specs/compliance/k8s-nsa-1.0.yaml → pkg/specs/compliance/k8s-nsa-1.0.yaml

@@ -1,11 +1,13 @@
 ---
 spec:
-  id: k8s-nsa
+  id: k8s-nsa-1.0
   title: National Security Agency - Kubernetes Hardening Guidance v1.0
   description: National Security Agency - Kubernetes Hardening Guidance 
   relatedResources : 
     - https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/
   version: "1.0"
+  platfrom: k8s
+  type: nsa
   controls:
     - name: Non-root containers
       description: 'Check that container is not running as root'