update version of used cis rulesets (#345)

* update version of used cis rulesets

* fix accidental indentation in ruleset yaml

.gitignore

@@ -5,3 +5,4 @@ node_modules
 .cache
 .venv
 .devbox
+.DS_Store

cmd/controller/state/kubebench/spec/aks.go

@@ -56,7 +56,7 @@ func AKS(nodeName, jobName string) *batchv1.Job {
 								"--config-dir", "/etc/kubebench-rules/",
 								"run",
 								"--targets", "node",
-								"--benchmark", "aks-1.3",
+								"--benchmark", "aks-1.4",
 								"--json",
 							},
 							VolumeMounts: []corev1.VolumeMount{

cmd/controller/state/kubebench/spec/eks.go

@@ -56,7 +56,7 @@ func EKS(nodeName, jobName string) *batchv1.Job {
 								"--config-dir", "/etc/kubebench-rules/",
 								"run",
 								"--targets", "node",
-								"--benchmark", "eks-1.3.0",
+								"--benchmark", "eks-1.4.0",
 								"--json",
 							},
 							VolumeMounts: []corev1.VolumeMount{

cmd/controller/state/kubebench/spec/gke.go

@@ -57,7 +57,7 @@ func GKE(nodeName, jobName string) *batchv1.Job {
 								"run",
 								"--targets",
 								"node,policies,managedservices",
-								"--benchmark", "gke-1.4.0",
+								"--benchmark", "gke-1.5.0",
 								"--json",
 							},
 							VolumeMounts: []corev1.VolumeMount{

cmd/linter/kubebench/common.go

@@ -18,7 +18,6 @@ import (
 	"bufio"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"sort"
@@ -71,7 +70,7 @@ func runChecks(nodetype check2.NodeType, testYamlFile, detectedVersion string) {
 		os.Exit(1)
 	}
 
-	in, err := ioutil.ReadFile(testYamlFile)
+	in, err := os.ReadFile(testYamlFile)
 	if err != nil {
 		exitWithError(fmt.Errorf("error opening %s test file: %v", testYamlFile, err))
 	}

cmd/linter/kubebench/kubebench-rules/aks-1.4.0/config.yaml

@@ -0,0 +1,2 @@
+---
+## Version-specific settings that override the values in cfg/config.yaml

cmd/linter/kubebench/kubebench-rules/aks-1.4.0/controlplane.yaml

@@ -0,0 +1,31 @@
+---
+controls:
+version: "aks-1.4"
+id: 2
+text: "Control Plane Configuration"
+type: "controlplane"
+groups:
+  - id: 2.1
+    text: "Logging"
+    checks:
+      - id: 2.1.1
+        text: "Enable audit Logs"
+        type: "manual"
+        remediation: |
+          Azure audit logs are enabled and managed in the Azure portal. To enable log collection for
+          the Kubernetes master components in your AKS cluster, open the Azure portal in a web
+          browser and complete the following steps:
+          1. Select the resource group for your AKS cluster, such as myResourceGroup. Don't
+             select the resource group that contains your individual AKS cluster resources, such
+             as MC_myResourceGroup_myAKSCluster_eastus.
+          2. On the left-hand side, choose Diagnostic settings.
+          3. Select your AKS cluster, such as myAKSCluster, then choose to Add diagnostic setting.
+          4. Enter a name, such as myAKSClusterLogs, then select the option to Send to Log Analytics.
+          5. Select an existing workspace or create a new one. If you create a workspace, provide
+             a workspace name, a resource group, and a location.
+          6. In the list of available logs, select the logs you wish to enable. For this example,
+             enable the kube-audit and kube-audit-admin logs. Common logs include the kube-
+             apiserver, kube-controller-manager, and kube-scheduler. You can return and change
+             the collected logs once Log Analytics workspaces are enabled.
+          7. When ready, select Save to enable collection of the selected logs.
+        scored: false

cmd/linter/kubebench/kubebench-rules/aks-1.4.0/managedservices.yaml

@@ -0,0 +1,144 @@
+---
+controls:
+version: "aks-1.4"
+id: 5
+text: "Managed Services"
+type: "managedservices"
+groups:
+  - id: 5.1
+    text: "Image Registry and Image Scanning"
+    checks:
+      - id: 5.1.1
+        text: "Ensure Image Vulnerability Scanning using Azure Defender image scanning or a third party provider (Manual)"
+        type: "manual"
+        remediation: "No remediation"
+        scored: false
+
+      - id: 5.1.2
+        text: "Minimize user access to Azure Container Registry (ACR) (Manual)"
+        type: "manual"
+        remediation: |
+          Azure Container Registry
+          If you use Azure Container Registry (ACR) as your container image store, you need to grant
+          permissions to the service principal for your AKS cluster to read and pull images. Currently,
+          the recommended configuration is to use the az aks create or az aks update command to
+          integrate with a registry and assign the appropriate role for the service principal. For
+          detailed steps, see Authenticate with Azure Container Registry from Azure Kubernetes
+          Service.
+          To avoid needing an Owner or Azure account administrator role, you can configure a
+          service principal manually or use an existing service principal to authenticate ACR from
+          AKS. For more information, see ACR authentication with service principals or Authenticate
+          from Kubernetes with a pull secret.
+        scored: false
+
+      - id: 5.1.3
+        text: "Minimize cluster access to read-only for Azure Container Registry (ACR) (Manual)"
+        type: "manual"
+        remediation: "No remediation"
+        scored: false
+
+      - id: 5.1.4
+        text: "Minimize Container Registries to only those approved (Manual)"
+        type: "manual"
+        remediation: "No remediation"
+        scored: false
+
+  - id: 5.2
+    text: "Access and identity options for Azure Kubernetes Service (AKS)"
+    checks:
+      - id: 5.2.1
+        text: "Prefer using dedicated AKS Service Accounts (Manual)"
+        type: "manual"
+        remediation: |
+          Azure Active Directory integration
+          The security of AKS clusters can be enhanced with the integration of Azure Active Directory
+          (AD). Built on decades of enterprise identity management, Azure AD is a multi-tenant,
+          cloud-based directory, and identity management service that combines core directory
+          services, application access management, and identity protection. With Azure AD, you can
+          integrate on-premises identities into AKS clusters to provide a single source for account
+          management and security.
+          Azure Active Directory integration with AKS clusters
+          With Azure AD-integrated AKS clusters, you can grant users or groups access to Kubernetes
+          resources within a namespace or across the cluster. To obtain a kubectl configuration
+          context, a user can run the az aks get-credentials command. When a user then interacts
+          with the AKS cluster with kubectl, they're prompted to sign in with their Azure AD
+          credentials. This approach provides a single source for user account management and
+          password credentials. The user can only access the resources as defined by the cluster
+          administrator.
+          Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect
+          is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID
+          Connect, see the Open ID connect documentation. From inside of the Kubernetes cluster,
+          Webhook Token Authentication is used to verify authentication tokens. Webhook token
+          authentication is configured and managed as part of the AKS cluster.
+        scored: false
+
+  - id: 5.3
+    text: "Key Management Service (KMS)"
+    checks:
+      - id: 5.3.1
+        text: "Ensure Kubernetes Secrets are encrypted (Manual)"
+        type: "manual"
+        remediation: "No remediation"
+        scored: false
+
+  - id: 5.4
+    text: "Cluster Networking"
+    checks:
+      - id: 5.4.1
+        text: "Restrict Access to the Control Plane Endpoint (Manual)"
+        type: "manual"
+        remediation: "No remediation"
+        scored: false
+
+      - id: 5.4.2
+        text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
+        type: "manual"
+        remediation: "No remediation"
+        scored: false
+
+      - id: 5.4.3
+        text: "Ensure clusters are created with Private Nodes (Manual)"
+        type: "manual"
+        remediation: "No remediation"
+        scored: false
+
+      - id: 5.4.4
+        text: "Ensure Network Policy is Enabled and set as appropriate (Manual)"
+        type: "manual"
+        remediation: "No remediation"
+        scored: false
+
+      - id: 5.4.5
+        text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)"
+        type: "manual"
+        remediation: "No remediation"
+        scored: false
+
+
+  - id: 5.5
+    text: "Authentication and Authorization"
+    checks:
+      - id: 5.5.1
+        text: "Manage Kubernetes RBAC users with Azure AD (Manual)"
+        type: "manual"
+        remediation: "No remediation"
+        scored: false
+      - id: 5.5.2
+        text: "Use Azure RBAC for Kubernetes Authorization (Manual)"
+        type: "manual"
+        remediation: "No remediation"
+        scored: false
+
+  - id: 5.6
+    text: "Other Cluster Configurations"
+    checks:
+      - id: 5.6.1
+        text: "Restrict untrusted workloads (Manual)"
+        type: "manual"
+        remediation: "No remediation"
+        scored: false
+      - id: 5.6.2
+        text: "Hostile multi-tenant workloads (Manual)"
+        type: "manual"
+        remediation: "No remediation"
+        scored: false

cmd/linter/kubebench/kubebench-rules/aks-1.4.0/master.yaml

@@ -0,0 +1,6 @@
+---
+controls:
+version: "aks-1.4"
+id: 1
+text: "Control Plane Components"
+type: "master"