Fixes Issue aquasecurity#494 - add tests for CIS 1.5 (aquasecurity#530)

* Initial commit.

* Add master and node config.

* Add section 5 of CIS 1.5.1.

* Split sections into section files

* Fix YAML issues.

* adds target translation

* adds target translation

* adds cis-1.5 mapping

* fixed tests

* fixes are per PR

* fixed intergration test

* integration kind test file to appropriate ks8 version

* fixed etcd text

* fixed README

* fixed text

* etcd: fixed grep path

* etcd: fixes

* fixed error message bug

* Update README.md

Co-Authored-By: Liz Rice <liz@lizrice.com>

* Update README.md

Co-Authored-By: Liz Rice <liz@lizrice.com>

* fixes as per PR review

Author: robertojrojas

README.md

@@ -42,12 +42,13 @@ Table of Contents
 
 ## CIS Kubernetes Benchmark support
 
-kube-bench supports the tests for Kubernetes as defined in the CIS Benchmarks 1.3.0 to 1.4.1 respectively. 
+kube-bench supports the tests for Kubernetes as defined in the CIS Benchmarks 1.3.0 to 1.5.0 respectively. 
 
 | CIS Kubernetes Benchmark | kube-bench config | Kubernetes versions |
 |---|---|---|
 | 1.3.0| cis-1.3 | 1.11-1.12 |
-| 1.4.1| cis-1.4 | 1.13- |
+| 1.4.1| cis-1.4 | 1.13-1.14 |
+| 1.5.0 | cis-1.5 | 1.15- |
 
 
 By default, kube-bench will determine the test set to run based on the Kubernetes version running on the machine.
@@ -97,6 +98,25 @@ Alternatively, you can specify `--benchmark` to run a specific CIS Benchmark ver
 kube-bench node --benchmark cis-1.4
 ```
 
+If you want to target specific CIS Benchmark `target` (i.e master, node, etcd, etc...)
+you can use the `run --targets` subcommand.
+```
+kube-bench --benchmark cis-1.4 run --targets master,node
+```
+or
+```
+kube-bench --benchmark cis-1.5 run --targets master,node,etcd,policies
+```
+
+The following table shows the valid targets based on the CIS Benchmark version.
+| CIS Benchmark | Targets |
+|---|---|
+| cis-1.3| master, node |
+| cis-1.4| master, node |
+| cis-1.5| master, controlplane, node, etcd, policies |
+
+If no targets are specified, `kube-bench` will determine the appropriate targets based on the CIS Benchmark version.
+
 `controls` for the various versions of CIS Benchmark can be found in directories
 with same name as the CIS Benchmark versions under `cfg/`, for example `cfg/cis-1.4`.
 

cfg/cis-1.5/config.yaml

@@ -0,0 +1,2 @@
+---
+## Version-specific settings that override the values in cfg/config.yaml

cfg/cis-1.5/controlplane.yaml

@@ -0,0 +1,35 @@
+---
+controls:
+version: 1.5
+id: 3
+text: "Control Plane Configuration"
+type: "controlplane"
+groups:
+- id: 3.1
+  text: "Authentication and Authorization"
+  checks:
+  - id: 3.1.1
+    text: "Client certificate authentication should not be used for users (Not Scored) "
+    type: "manual"
+    remediation: |
+      Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 
+      implemented in place of client certificates. 
+    scored: false
+
+- id: 3.2
+  text: "Logging"
+  checks:
+  - id: 3.2.1
+    text: "Ensure that a minimal audit policy is created (Scored) "
+    type: "manual"
+    remediation: |
+      Create an audit policy file for your cluster. 
+    scored: true
+
+  - id: 3.2.2
+    text: "Ensure that the audit policy covers key security concerns (Not Scored) "
+    type: "manual"
+    remediation: |
+      Consider modification of the audit policy in use on the cluster to include these items, at a 
+      minimum. 
+    scored: false

cfg/cis-1.5/etcd.yaml

@@ -0,0 +1,131 @@
+---
+controls:
+version: 1.15
+id: 2
+text: "Etcd Node Configuration"
+type: "etcd"
+groups:
+- id: 2
+  text: "Etcd Node Configuration Files"
+  checks:
+  - id: 2.1
+    text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
+    audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
+    tests:
+      bin_op: and
+      test_items:
+      - flag: "--cert-file"
+        set: true
+      - flag:  "--key-file"
+        set: true
+    remediation: |
+      Follow the etcd service documentation and configure TLS encryption.
+      Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml 
+      on the master node and set the below parameters.
+      --cert-file=</path/to/ca-file>
+      --key-file=</path/to/key-file>
+    scored: true
+    
+  - id: 2.2
+    text: "Ensure that the --client-cert-auth argument is set to true (Scored)"
+    audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
+    tests:
+      test_items:
+      - flag: "--client-cert-auth"
+        compare:
+          op: eq
+          value: true
+        set: true
+    remediation: |
+      Edit the etcd pod specification file $etcdconf on the master
+      node and set the below parameter.
+      --client-cert-auth="true"
+    scored: true
+
+  - id: 2.3
+    text: "Ensure that the --auto-tls argument is not set to true (Scored)"
+    audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "--auto-tls"
+        set: false
+      - flag: "--auto-tls"
+        compare:
+          op: eq
+          value: false
+    remediation: |
+      Edit the etcd pod specification file $etcdconf on the master
+      node and either remove the --auto-tls parameter or set it to false.
+        --auto-tls=false
+    scored: true
+    
+  - id: 2.4
+    text: "Ensure that the --peer-cert-file and --peer-key-file arguments are
+    set as appropriate (Scored)"
+    audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
+    tests:
+      bin_op: and
+      test_items:
+      - flag: "--peer-cert-file"
+        set: true
+      - flag: "--peer-key-file"
+        set: true
+    remediation: |
+      Follow the etcd service documentation and configure peer TLS encryption as appropriate
+      for your etcd cluster. Then, edit the etcd pod specification file $etcdconf on the
+      master node and set the below parameters.
+      --peer-client-file=</path/to/peer-cert-file>
+      --peer-key-file=</path/to/peer-key-file>
+    scored: true
+    
+  - id: 2.5
+    text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
+    audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
+    tests:
+      test_items:
+      - flag: "--peer-client-cert-auth"
+        compare:
+          op: eq
+          value: true
+        set: true
+    remediation: |
+      Edit the etcd pod specification file $etcdconf on the master
+      node and set the below parameter.
+      --peer-client-cert-auth=true
+    scored: true
+    
+  - id: 2.6
+    text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
+    audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "--peer-auto-tls"
+        set: false
+      - flag: "--peer-auto-tls"
+        compare:
+          op: eq
+          value: false
+        set: true
+    remediation: |
+      Edit the etcd pod specification file $etcdconf on the master
+      node and either remove the --peer-auto-tls parameter or set it to false.
+      --peer-auto-tls=false
+    scored: true
+    
+  - id: 2.7
+    text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
+    audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
+    tests:
+      test_items:
+      - flag: "--trusted-ca-file"
+        set: true
+    remediation: |
+      [Manual test]
+      Follow the etcd documentation and create a dedicated certificate authority setup for the
+      etcd service.
+      Then, edit the etcd pod specification file $etcdconf on the
+      master node and set the below parameter.
+      --trusted-ca-file=</path/to/ca-file>
+    scored: false