github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/docs/flags-and-commands.md

## Commands

Command | Description
--- | ---
help | Prints help about any command
run | List of components to run
version | Print kube-bench version

## Flags

Flag | Description
--- | ---
--alsologtostderr | log to standard error as well as files
--asff | Send findings to AWS Security Hub for any benchmark tests that fail or that generate a warning. See [this page](asff.md) for more information on how to enable the kube-bench integration with AWS Security Hub.
--benchmark | Manually specify CIS benchmark version
-c, --check | A comma-delimited list of checks to run as specified in the Benchmark document.
--config | config file (default is ./cfg/config.yaml)
--exit-code | Specify the exit code for when checks fail
-g, --group | Run all the checks under this comma-delimited list of groups.
--include-test-output | Prints the actual result when a test fails.
--json | Prints the results as JSON
--junit | Prints the results as JUnit
--log_backtrace_at traceLocation | when logging hits line file:N, emit a stack trace (default :0)
--logtostderr | log to standard error instead of files
--noremediations | Disable printing of remediations section to stdout.
--noresults | Disable printing of results section to stdout.
--nototals | Disable calculating and printing of totals for failed, passed, ... checks across all sections
--outputfile | Writes the results to output file when run with --json or --junit
--pgsql | Save the results to PostgreSQL
--scored | Run the scored CIS checks (default true)
--skip string | List of comma separated values of checks to be skipped
--stderrthreshold severity | logs at or above this threshold go to stderr (default 2)
-v, --v Level | log level for V logs (default 0)
--unscored | Run the unscored CIS checks (default true)
--version string | Manually specify Kubernetes version, automatically detected if unset
--vmodule moduleSpec | comma-separated list of pattern=N settings for file-filtered logging

### Examples

#### Report kube-bench findings to AWS Security Hub

You can configure kube-bench with the `--asff` option to send findings to AWS Security Hub for any benchmark tests that fail or that generate a warning. See [this page](asff.md) for more information on how to enable the kube-bench integration with AWS Security Hub.

#### Specifying the benchmark or Kubernetes version

`kube-bench` uses the Kubernetes API, or access to the `kubectl` or `kubelet` executables, to try to determine the Kubernetes version, and hence which benchmark to run. If you wish to override this, or if none of these methods are available, you can specify either the Kubernetes version or the CIS Benchmark as a command line parameter.

You can specify a particular version of Kubernetes by setting the `--version` flag or with the `KUBE_BENCH_VERSION` environment variable. The value of `--version` takes precedence over the value of `KUBE_BENCH_VERSION`.

For example, run kube-bench using the tests for Kubernetes version 1.13:

```
kube-bench --version 1.13
```

You can specify `--benchmark` to run a specific CIS Benchmark version:

```
kube-bench --benchmark cis-1.5
```

**Note:** It is an error to specify both the `--version` and `--benchmark` flags together.

#### Specifying Benchmark sections

If you want to run specific CIS Benchmark sections (e.g. master, node, etcd, policies),
you can use the `run` subcommand with the `--targets` flag.

```
kube-bench run --targets master,node
```

or

```
kube-bench run --targets master,node,etcd,policies
```

If no targets are specified, `kube-bench` will determine the appropriate targets based on the CIS Benchmark version and the components detected on the node. The detection is done by verifying which components are running, as defined in the config files (see [Configuration](controls.md#configuration-and-variables)).

#### Run specific check or group

`kube-bench` supports running individual checks by specifying the check's `id`
as a comma-delimited list on the command line with the `--check` | `-c` flag.
`kube-bench --check="1.1.1,1.1.2,1.2.1,1.3.3"`

`kube-bench` supports running all checks under a group by specifying the group's `id`
as a comma-delimited list on the command line with the `--group` | `-g` flag.
`kube-bench --group="1.1,2.2"`
will run all checks 1.1.X and 2.2.X.

#### Skip specific check or group

`kube-bench` supports skipping checks or groups by specifying the `id`
as a comma-delimited list on the command line with the `--skip` flag.
`kube-bench --skip="1.1,1.2.1,1.3.3"`
will skip the 1.1.X group and the individual checks 1.2.1 and 1.3.3.
Skipped checks return [INFO] output.

#### Exit code

`kube-bench` supports returning a unique exit code when one or more checks fail.
`kube-bench --exit-code 42`
will return 42 if one or more checks failed, and 0 if none failed.
**Note:** [WARN] is not [FAIL].

#### Output manipulation flags

There are four output states:
- [PASS] indicates that the test was run successfully, and passed.
- [FAIL] indicates that the test was run successfully, and failed. The remediation output describes how to correct the configuration, or includes an error message describing why the test could not be run.
- [WARN] means this test needs further attention, for example it is a test that needs to be run manually. Check the remediation output for further information.
- [INFO] is informational output that needs no further action.

Note:
- Some tests with `Automated` in their description must still be run manually
- If the user has to run a test manually, this always generates WARN
- If the test is Scored, and kube-bench was unable to run the test, this generates FAIL (because the test has not been passed, and as a Scored test, if it doesn't pass then it must be considered a failure).
- If the test is Not Scored, and kube-bench was unable to run the test, this generates WARN.
- If the test is Scored, type is empty, and there are no `test_items` present, it generates a WARN. This is to highlight tests that appear to be incompletely defined.

`kube-bench` supports multiple output manipulation flags.
`kube-bench --include-test-output` will print the output of failing checks in the results section:
```
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 Master Node Configuration Files
[FAIL] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
         **permissions=777**
```

**Note:** `--noresults`, `--noremediations` and `--include-test-output` **will not** affect the JSON output, only stdout.
Only `--nototals` affects the JSON output, because it skips the function that calculates the totals.
   134  
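As an added example (not code from kube-bench or from this page), the skip and exit-code rules above applied to a `--json` report: a small CI gate that reads the JSON output, treats skipped ids as [INFO] the way `--skip` does (a group id covers all of its X.Y.Z checks), and returns 42 only on [FAIL], never on [WARN]. The JSON field layout is assumed from kube-bench's output, and the report is a constructed sample.

```python
import json

# Constructed sample of a `kube-bench --json` report, trimmed to the fields read
# below. The nesting (Controls -> tests -> results, "test_number", "status") is
# assumed from kube-bench's JSON output and is not documented on this page.
SAMPLE_REPORT = json.dumps({"Controls": [
    {"id": "1", "tests": [
        {"section": "1.1", "results": [
            {"test_number": "1.1.1", "status": "FAIL"},
            {"test_number": "1.1.2", "status": "PASS"}]},
        {"section": "1.2", "results": [
            {"test_number": "1.2.1", "status": "WARN"}]}]},
    {"id": "2", "tests": [
        {"section": "2.2", "results": [
            {"test_number": "2.2.1", "status": "FAIL"}]}]},
]})


def is_skipped(test_id, skip_ids):
    """Mirror --skip semantics: a group id such as "1.1" covers every 1.1.X
    check, while a full id such as "1.2.1" matches only that check."""
    return any(test_id == s or test_id.startswith(s + ".") for s in skip_ids)


def summarize(report_json, skip_ids=()):
    """Count PASS/FAIL/WARN/INFO across the report. Skipped checks are counted
    as INFO, which is how kube-bench reports them. Returns (counts, failed)."""
    counts = {"PASS": 0, "FAIL": 0, "WARN": 0, "INFO": 0}
    failed = []
    for control in json.loads(report_json)["Controls"]:
        for section in control["tests"]:
            for result in section["results"]:
                tid = result["test_number"]
                status = "INFO" if is_skipped(tid, skip_ids) else result["status"]
                counts[status] += 1
                if status == "FAIL":
                    failed.append(tid)
    return counts, failed


def exit_code(counts, fail_code=42):
    """Same rule as --exit-code: non-zero only when a check is FAIL;
    WARN is not FAIL and never changes the exit code."""
    return fail_code if counts["FAIL"] > 0 else 0
```

Feed the gate a real report written with `--json --outputfile`; note that `--nototals` changes that file while the stdout-only flags do not.
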
#### Troubleshooting

Running `kube-bench` with the `-v 3` parameter will generate debug logs that can be very helpful for debugging problems.

If you are using one of the example `job*.yaml` files, you will need to edit the `command` field, for example `["kube-bench", "-v", "3"]`. Once the job has run, the logs can be retrieved using `kubectl logs` on the job's pod.