Add latest CIS benchmarks #1484

Open
wants to merge 18 commits into base: main

Conversation

@damejeras commented Aug 9, 2023

I copied the latest AKS (1.0.0), EKS (1.2.0), GKE (1.2.0) config files and adjusted them to match the latest published CIS benchmarks (AKS 1.3, EKS 1.3, GKE 1.4).

EKS changes:

  • 4.5 was removed (was previously empty), 4.6.* became 4.5.*
  • 3.2.6 was removed and everything shifted

GKE changes:

  • 3.2.6 was removed and everything shifted
  • previously 3.2.9, now is 3.2.9 and it's about event record qps. 0 qps can DDoS the cluster, so 5 or higher is recommended.
  • 5.5.4 added “When creating New Clusters - ” prefix to rule name

AKS changes:

  • 3.2.6 was removed and everything shifted in 3.2.*

@CLAassistant
CLAassistant commented Aug 9, 2023

CLA assistant check
All committers have signed the CLA.

@chen-keinan
Contributor

@damejeras let's wait for @mozillazg's review

@chen-keinan
Contributor

@damejeras please rebase your branch with upstream

@mozillazg
Collaborator

I will complete the review before next Monday.

@mozillazg left a comment

Thanks for your contribution! I've added some comments. Please check them when you get a chance. Thanks!

Review comments (all outdated and resolved):

cfg/aks-1.3/policies.yaml
cfg/aks-1.3/policies.yaml
cfg/eks-1.3.0/node.yaml
cfg/eks-1.3.0/node.yaml
cfg/eks-1.3.0/policies.yaml
cfg/gke-1.4.0/managedservices.yaml
cfg/gke-1.4.0/managedservices.yaml
cfg/gke-1.4.0/managedservices.yaml
cfg/gke-1.4.0/managedservices.yaml
cfg/gke-1.4.0/managedservices.yaml

dependabot bot and others added 17 commits November 20, 2023 15:12
Bumps alpine from 3.18.2 to 3.18.3.

---
updated-dependencies:
- dependency-name: alpine
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ity#1495)

Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 4 to 5.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@v4...v5)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps golang from 1.20.6 to 1.21.1.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…urity#1499)

Bumps [crazy-max/ghaction-docker-meta](https://github.com/crazy-max/ghaction-docker-meta) from 4 to 5.
- [Release notes](https://github.com/crazy-max/ghaction-docker-meta/releases)
- [Upgrade guide](https://github.com/docker/metadata-action/blob/master/UPGRADE.md)
- [Commits](docker/metadata-action@v4...v5)

---
updated-dependencies:
- dependency-name: crazy-max/ghaction-docker-meta
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: AnaisUrlichs <[email protected]>
…1498)

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 4 to 5.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@v4...v5)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: chenk <[email protected]>
…1503)

Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 2 to 3.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](docker/setup-qemu-action@v2...v3)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: chenk <[email protected]>
…urity#1489)

Bumps [github.com/golang/glog](https://github.com/golang/glog) from 1.0.0 to 1.1.2.
- [Release notes](https://github.com/golang/glog/releases)
- [Commits](golang/glog@v1.0.0...v1.1.2)

---
updated-dependencies:
- dependency-name: github.com/golang/glog
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: chenk <[email protected]>
Bumps golang from 1.21.1 to 1.21.3.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: chenk <[email protected]>
…ecurity#1520)

Bumps [github.com/fatih/color](https://github.com/fatih/color) from 1.14.1 to 1.16.0.
- [Release notes](https://github.com/fatih/color/releases)
- [Commits](fatih/color@v1.14.1...v1.16.0)

---
updated-dependencies:
- dependency-name: github.com/fatih/color
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

@mozillazg
Collaborator

@damejeras LGTM. Would you please fix the linter error? Thanks!

@mozillazg
Collaborator

@damejeras ping~

@stephaneetje

Hello,
Any news on this? I have to add that since that PR, GKE 1.5.0 got out.

@kahirokunn

LGTM

@afdesk
Collaborator

afdesk commented Oct 15, 2024

@damejeras @mozillazg hi guys!
if this PR is still OK, I can take a look and fix linter errors.
wdyt?

@mozillazg
Collaborator

> @damejeras @mozillazg hi guys! if this PR is still OK, I can take a look and fix linter errors. wdyt?

@afdesk It's ok to continue.

@afdesk
Collaborator

afdesk commented Oct 21, 2024

@damejeras it seems I have no permissions to fix it.
Could you update the PR?
thanks for your contribution!

9 participants