GoogleCloudPlatform / inspec-gke-cis-benchmark

License: Apache-2.0
GKE CIS 1.1.0 Benchmark InSpec Profile

GKE CIS 1.1.0 Benchmark InSpec Profile

This repository holds the InSpec profiles for the Google Kubernetes Engine (GKE) Center for Internet Security (CIS) version 1.1 Benchmark.

Required Disclaimer

This is not an officially supported Google product. This code is intended to help users assess their security posture on GKE against the CIS Benchmark. This code is not certified by CIS.

Coverage

The benchmark consists of three InSpec profiles, found in the subdirectories inspec-gke-cis-gcp, inspec-gke-cis-k8s and inspec-gke-cis-ssh. The profiles are kept separate because each one must be run with a different target (-t) option to inspec exec. The targets used are:

  • inspec-gke-cis-gcp uses inspec-gcp
  • inspec-gke-cis-k8s uses inspec-k8s
  • inspec-gke-cis-ssh uses the SSH protocol for remote access (requires root privileges).

A wrapper script, run_profiles.sh, in the root directory of the repository executes all profiles sequentially and stores the reports in a dedicated folder, /reports. Note that you need to configure access to the cluster nodes via the Identity-Aware Proxy (IAP) for this script to run successfully.

Prerequisites

  • Configure access via the Identity-Aware Proxy (IAP) to cluster nodes for the inspec-gke-cis-ssh profile to run successfully
  • Follow the setup steps for inspec-k8s as explained here

CLI Example (Cloud Shell)

# install inspec (later versions might work but are untested)
$ gem install inspec-bin -v 4.41.2 --no-document --quiet

# clone the Git Repo
$ git clone https://github.com/GoogleCloudPlatform/inspec-gke-cis-benchmark.git
$ cd inspec-gke-cis-benchmark

# Write an inputs file, see basic example below
$ cat <<EOF > inputs.yml
gcp_project_id: "<YOUR PROJECT ID>"
gcp_gke_locations:
 - 'us-central1-c'
gce_zones:
 - 'us-central1'
 - 'us-central1-c'
EOF

# Connect to the GKE cluster (writes credentials to ~/.kube/config; validate with kubectl)
$ gcloud container clusters get-credentials <cluster name> \
  --zone <zone> --project <YOUR PROJECT ID>

# install inspec-k8s and relevant gems (needs to run in directory of Gemfile)
# (refer to the inspec-k8s docs for details and troubleshooting)
$ bundle install

# install InSpec plugin train-kubernetes
$ inspec plugin install train-kubernetes

# Add the host you are running from to the master-authorized-networks to allow access to Private K8S Clusters
$ gcloud container clusters update <cluster name> \
  --zone <zone> \
  --enable-master-authorized-networks \
  --master-authorized-networks <your host's IP address>/32
# make sure you're authenticated to GCP
$ gcloud auth list

# acquire credentials to use with Application Default Credentials
$ gcloud auth application-default login

# Run all profiles with the inputs.yml written above (it carries the required and optional inputs for the profiles in the subdirectories)
$ ./run_profiles.sh -c <cluster name> -u <ssh user> -k <keyfile path> -z <cluster zone> -i inputs.yml
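As an added example (not code from this repository), a small Ruby script that reads the InSpec JSON reporter output that run_profiles.sh stores under /reports, counts passed, failed and skipped controls per profile, and lists the failing controls by impact so the highest-impact gap is reviewed first. The embedded report is a constructed sample in the shape of InSpec's JSON reporter (profiles, controls, results with status, code_desc and message); the control ids and titles are placeholders, not this profile's real ones.

```ruby
require 'json'

# Constructed sample in the shape of InSpec's JSON reporter output
# (inspec exec ... --reporter json). Control ids/titles are placeholders.
SAMPLE_REPORT = <<~REPORT
  {"profiles":[{"name":"inspec-gke-cis-gcp","controls":[
    {"id":"example-control-1","title":"Master authorized networks enabled","impact":0.5,
     "results":[{"status":"passed","code_desc":"cluster-a master_authorized_networks"},
                {"status":"failed","code_desc":"cluster-b master_authorized_networks",
                 "message":"expected true, got false"}]},
    {"id":"example-control-2","title":"Shielded nodes enabled","impact":0.7,
     "results":[{"status":"passed","code_desc":"cluster-a shielded_nodes"}]},
    {"id":"example-control-3","title":"Private cluster","impact":0.7,
     "results":[{"status":"skipped","code_desc":"no cluster in scope"}]}
  ]}]}
REPORT

# A control fails if any result failed, is skipped if every result was skipped
# (or it ran no tests at all), and passes otherwise.
def control_status(control)
  statuses = control.fetch('results', []).map { |r| r['status'] }
  return 'failed' if statuses.include?('failed')
  return 'skipped' if statuses.empty? || statuses.all? { |s| s == 'skipped' }
  'passed'
end

# { profile name => { 'passed' => n, 'failed' => n, 'skipped' => n } }
def summarize(report_json)
  JSON.parse(report_json).fetch('profiles').each_with_object({}) do |profile, acc|
    counts = Hash.new(0)
    profile.fetch('controls', []).each { |c| counts[control_status(c)] += 1 }
    acc[profile['name']] = counts
  end
end

# Failing controls at or above min_impact, highest impact first, each with its
# failing test descriptions and messages.
def failures(report_json, min_impact: 0.0)
  controls = JSON.parse(report_json).fetch('profiles').flat_map { |p| p.fetch('controls', []) }
  controls.select { |c| control_status(c) == 'failed' && c['impact'].to_f >= min_impact }
          .sort_by { |c| -c['impact'].to_f }
          .map do |c|
    tests = c['results'].select { |r| r['status'] == 'failed' }
                        .map { |r| "#{r['code_desc']}: #{r['message']}" }
    { id: c['id'], title: c['title'], impact: c['impact'], tests: tests }
  end
end

if __FILE__ == $PROGRAM_NAME   # usage: ruby summarize_report.rb reports/<profile>.json
  json = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT
  summarize(json).each { |n, c| puts "#{n}: passed=#{c['passed']} failed=#{c['failed']} skipped=#{c['skipped']}" }
  failures(json).each { |f| puts "FAIL #{f[:id]} (impact #{f[:impact]}): #{f[:tests].join('; ')}" }
end
```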

Profile Inputs (combined across all profiles)

  • gcp_project_id - (Default: "", type: string) - The target GCP Project that must be specified.
  • gcp_gke_locations - (Default: "", type: array) - The list of regions and/or zone names where GKE clusters are running. An empty array searches all locations.
  • gce_zones - (Default: "", type: array) - The list of zone names where GCE instances are running. An empty array searches all locations.
  • registry_storage_admin_list - (Default: "", type: array) - The allowed list of Storage Admins on Registry image bucket
  • registry_storage_object_admin_list - (Default: "", type: array) - The allowed list of Storage Object Admins on Registry image bucket
  • registry_storage_object_creator_list - (Default: "", type: array) - The allowed list of Storage Object Creators on Registry image bucket
  • registry_storage_legacy_bucket_owner_list - (Default: "", type: array) - The allowed list of Storage Legacy Bucket Owners on Registry image bucket
  • registry_storage_legacy_bucket_writer_list - (Default: "", type: array) - The allowed list of Storage Legacy Bucket Writers on Registry image bucket
  • registry_storage_legacy_object_owner_list - (Default: "", type: array) - The allowed list of Storage Legacy Object Owners on Registry image bucket
  • client_ca_file_path - (Default: "/etc/srv/kubernetes/pki/ca-certificates.crt", type: string) - Path to the client ca file used in Kubelet config
  • event_record_qps - (Default: "0", type: string) - --event-qps flag of Kubelet config (see control 3.2.9)
  • tls_cert_file - (Default: "", type: string) - Location of the certificate file to use to identify the Kubelet
  • tls_private_key_file - (Default: "", type: string) - Location of the corresponding private key file to use to identify the Kubelet

Cloud Shell Walkthrough

Use this Cloud Shell walkthrough for a hands-on example.


Required Permissions

The following permissions are required at the project level to run the CIS benchmark profiles:

  • compute.regions.list
  • compute.zones.list
  • container.clusters.get
  • container.clusters.list
  • serviceusage.services.get
  • storage.buckets.get
  • storage.buckets.getIamPolicy