RubyGems - kube_auto_analyzer - Versions diffs - 0.0.3 → 0.0.4 - Mend

kube_auto_analyzer 0.0.3 → 0.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/lib/kube_auto_analyzer/api_checks/master_node.rb +30 -6
data/lib/kube_auto_analyzer/reporting.rb +24 -0
data/lib/kube_auto_analyzer/utility/network.rb +2 -0
data/lib/kube_auto_analyzer/version.rb +2 -2
data/lib/kube_auto_analyzer/vuln_checks/amicontained.rb +50 -0
data/lib/kube_auto_analyzer.rb +2 -0
metadata +4 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1d00aa23fd9d10f06f08ca8dbb0ce90f4ebe4418
-  data.tar.gz: 20b0155fa55984544566af728ea62ef13ddab85d
+  metadata.gz: e0356e457db66e2456e2a1aec7b6c26324690279
+  data.tar.gz: 4850a960a8827606b9f1f180fafd3aa992b705d5
 SHA512:
-  metadata.gz: 4fed5d88cdf8af7f495462bfe3432708861946d6fe19e21b8bd1c546a90cc20e01fbd9da88a02711fe15fd3c82ae7f84c8c9fd5b86ac371c2962efd7edaf6abf
-  data.tar.gz: d9b66e719e362dc057cd50b078c8a82fd7cff214e7bb0f474a3abe003088e1b6140eac1b7f899d411052d67ed14ee00c5c6135fc10e5b6a9f444837022f7afeb
+  metadata.gz: a7efa8ea0b79bf980ad966e75ec5dd309277fec0eb1a3f4ec17e29ebca0bfb9e122b75015850c24fb15e1f2bbffa2f3139e0c161f7bbd9a21860bf6b1c4bfd59
+  data.tar.gz: e296498d5128895ef21e6c11515cc1071c248629ff6d4d4a43078ff4dfd44d7e0ea97beeac2ef2f52f9ba2815d831afbdde5bcd94cd04c0828fbae23434100de

data/lib/kube_auto_analyzer/api_checks/master_node.rb CHANGED Viewed

@@ -219,6 +219,24 @@ module KubeAutoAnalyzer
       @results[target]['api_server']['CIS 1.1.31 - Ensure that the --etcd-cafile argument is set as appropriate'] = "Pass"
     end
+    unless api_server_command_line.index{|line| line =~ /--authorization-mode\S*Node/}
+      @results[target]['api_server']['CIS 1.1.32 - Ensure that the --authorization-mode argument is set to Node'] = "Fail"
+    else
+      @results[target]['api_server']['CIS 1.1.32 - Ensure that the --authorization-mode argument is set to Node'] = "Pass"
+    end
+    unless api_server_command_line.index{|line| line =~ /--admission-control\S*NodeRestriction/}
+      @results[target]['api_server']['CIS 1.1.33 - Ensure that the admission control policy is set to NodeRestriction'] = "Fail"
+    else
+      @results[target]['api_server']['CIS 1.1.33 - Ensure that the admission control policy is set to NodeRestriction'] = "Pass"
+    end
+    unless api_server_command_line.index{|line| line =~ /--experimental-encryption-provider-config/}
+      @results[target]['api_server']['CIS 1.1.34 - Ensure that the --experimental-encryption-provider-config argument is set as appropriate'] = "Fail"
+    else
+      @results[target]['api_server']['CIS 1.1.34 - Ensure that the --experimental-encryption-provider-config argument is set as appropriate'] = "Pass"
+    end
     @results[target]['evidence']['API Server'] = api_server_command_line
   end
@@ -286,21 +304,27 @@ module KubeAutoAnalyzer
     end
     unless controller_manager_command_line.index{|line| line =~ /--use-service-account-credentials=true/}
-      @results[target]['controller_manager']['CIS 1.3.4 - Ensure that the --use-service-account-credentials argument is set to true'] = "Fail"
+      @results[target]['controller_manager']['CIS 1.3.3 - Ensure that the --use-service-account-credentials argument is set to true'] = "Fail"
     else
-      @results[target]['controller_manager']['CIS 1.3.4 - Ensure that the --use-service-account-credentials argument is set to true'] = "Pass"
+      @results[target]['controller_manager']['CIS 1.3.3 - Ensure that the --use-service-account-credentials argument is set to true'] = "Pass"
     end
     unless controller_manager_command_line.index{|line| line =~ /--service-account-private-key-file/}
-      @results[target]['controller_manager']['CIS 1.3.5 - Ensure that the --service-account-private-key-file argument is set as appropriate'] = "Fail"
+      @results[target]['controller_manager']['CIS 1.3.4 - Ensure that the --service-account-private-key-file argument is set as appropriate'] = "Fail"
     else
-      @results[target]['controller_manager']['CIS 1.3.5 - Ensure that the --service-account-private-key-file argument is set as appropriate'] = "Pass"
+      @results[target]['controller_manager']['CIS 1.3.4 - Ensure that the --service-account-private-key-file argument is set as appropriate'] = "Pass"
     end
     unless controller_manager_command_line.index{|line| line =~ /--root-ca-file/}
-      @results[target]['controller_manager']['CIS 1.3.6 - Ensure that the --root-ca-file argument is set as appropriate'] = "Fail"
+      @results[target]['controller_manager']['CIS 1.3.5 - Ensure that the --root-ca-file argument is set as appropriate'] = "Fail"
+    else
+      @results[target]['controller_manager']['CIS 1.3.5 - Ensure that the --root-ca-file argument is set as appropriate'] = "Pass"
+    end
+    unless controller_manager_command_line.index{|line| line =~ /RotateKubeletServerCertificate=true/}
+      @results[target]['controller_manager']['CIS 1.3.7 - Ensure that the RotateKubeletServerCertificate argument is set to true'] = "Fail"
     else
-      @results[target]['controller_manager']['CIS 1.3.6 - Ensure that the --root-ca-file argument is set as appropriate'] = "Pass"
+      @results[target]['controller_manager']['CIS 1.3.7 - Ensure that the RotateKubeletServerCertificate argument is set to true'] = "Pass"
     end
     @results[target]['evidence']['Controller Manager'] = controller_manager_command_line

data/lib/kube_auto_analyzer/reporting.rb CHANGED Viewed

@@ -270,6 +270,24 @@ module KubeAutoAnalyzer
       @html_report_file.puts "</table>"
     end
+    if @options.agent_checks
+      @html_report_file.puts '<br><h3>Container Configuration checks</h3>'
+      @results[@options.target_server]['vulns']['amicontained'].each do |node, result|
+        @html_report_file.puts "<br><b>#{node} Container Checks</b>"
+        @html_report_file.puts "<table><thead><tr><th>Container item</th><th>Result</th></thead>"
+        @html_report_file.puts "<tr><td>Runtime in Use</td><td>#{result['runtime']}</td></tr>"
+        @html_report_file.puts "<tr><td>Host PID namespace used?</td><td>#{result['hostpid']}</td></tr>"
+        @html_report_file.puts "<tr><td>AppArmor Profile</td><td>#{result['apparmor']}</td></tr>"
+        @html_report_file.puts "<tr><td>User Namespaces in use?</td><td>#{result['uid_map']}</td></tr>"
+        @html_report_file.puts "<tr><td>Inherited Capabilities</td><td>#{result['cap_inh']}</td></tr>"
+        @html_report_file.puts "<tr><td>Effective Capabilities</td><td>#{result['cap_eff']}</td></tr>"
+        @html_report_file.puts "<tr><td>Permitted Capabilities</td><td>#{result['cap_per']}</td></tr>"
+        @html_report_file.puts "<tr><td>Bounded Capabilities</td><td>#{result['cap_bnd']}</td></tr>"
+        @html_report_file.puts "</table>"
+      end
+    end
     @html_report_file.puts "<br><br><h2>Vulnerability Evidence</h2><br>"
@@ -295,6 +313,12 @@ module KubeAutoAnalyzer
         @html_report_file.puts "<tr><td>Default Service Token In Use</td><td>#{node}</td><td>#{result}</td></tr>"
       end
     end
+    if @options.agent_checks
+      @results[@options.target_server]['vulns']['amicontained'].each do |node, result|
+        @html_report_file.puts "<tr><td>Am I Contained Output</td><td>#{node}</td><td>#{result}</td></tr>"
+      end
+    end
     @html_report_file.puts "</table>"

data/lib/kube_auto_analyzer/utility/network.rb CHANGED Viewed

@@ -8,6 +8,8 @@ def self.is_port_open?(ip, port)
     return false
   rescue Errno::ETIMEDOUT
     return false
+  rescue Errno::ENETUNREACH
+    return false
   end
   true
 end

data/lib/kube_auto_analyzer/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module KubeAutoAnalyzer
-  VERSION = "0.0.3"
-end
+  VERSION = "0.0.4"
+end

data/lib/kube_auto_analyzer/vuln_checks/amicontained.rb ADDED Viewed

@@ -0,0 +1,50 @@
+module KubeAutoAnalyzer
+  #This is somewhat awkward placement.  Deployment mechanism sits more with the agent checks
+  #But from a "what it's looking for" perspective, its more with the vuln. checks as there's not a CIS check for it.
+  def self.check_amicontained
+    require 'json'
+    @log.debug("Doing Am I contained check")
+    target = @options.target_server
+    @results[target]['vulns']['amicontained'] = Hash.new
+    nodes = Array.new
+    @client.get_nodes.each do |node|
+      unless node.spec.taints.to_s =~ /NoSchedule/
+        nodes << node
+      end
+    end
+    nodes.each do |nod|
+      node_hostname = nod.metadata.labels['kubernetes.io/hostname']
+      node_ip = nod['status']['addresses'][0]['address']
+      container_name = "kaa" + node_hostname
+      pod = Kubeclient::Resource.new
+      pod.metadata = {}
+      pod.metadata.name = container_name
+      pod.metadata.namespace = "default"
+      pod.spec = {}
+      pod.spec.restartPolicy = "Never"
+      pod.spec.containers = {}
+      pod.spec.containers = [{name: "kubeautoanalyzerkubelettest", image: "raesene/kaa-agent:latest"}]
+      pod.spec.containers[0].args = ["/amicontained.rb"]
+      pod.spec.nodeselector = {}
+      pod.spec.nodeselector['kubernetes.io/hostname'] = node_hostname
+      begin
+        @log.debug("About to start amicontained pod")
+        @client.create_pod(pod)
+        @log.debug("Executed the create pod")
+        begin
+          sleep(5) until @client.get_pod(container_name,"default")['status']['containerStatuses'][0]['state']['terminated']['reason'] == "Completed"
+        rescue
+          retry
+        end
+        @log.debug ("started amicontained pod")
+        results = JSON.parse(@client.get_pod_log(container_name,"default"))
+        @results[target]['vulns']['amicontained'][node_ip] = results
+      ensure
+        @client.delete_pod(container_name,"default")
+      end
+    end
+  end
+end

data/lib/kube_auto_analyzer.rb CHANGED Viewed

@@ -8,6 +8,7 @@ module KubeAutoAnalyzer
   require "kube_auto_analyzer/vuln_checks/kubelet"
   require "kube_auto_analyzer/vuln_checks/api_server"
   require "kube_auto_analyzer/vuln_checks/service_token"
+  require "kube_auto_analyzer/vuln_checks/amicontained"
   require "kube_auto_analyzer/utility/network"
@@ -93,6 +94,7 @@ module KubeAutoAnalyzer
       test_service_token_internal
       check_files
       check_kubelet_process
+      check_amicontained
     end
     html_report
   end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kube_auto_analyzer
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.0.4
 platform: ruby
 authors:
 - Rory McCune
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-06-14 00:00:00.000000000 Z
+date: 2017-09-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -72,6 +72,7 @@ files:
 - lib/kube_auto_analyzer/reporting.rb
 - lib/kube_auto_analyzer/utility/network.rb
 - lib/kube_auto_analyzer/version.rb
+- lib/kube_auto_analyzer/vuln_checks/amicontained.rb
 - lib/kube_auto_analyzer/vuln_checks/api_server.rb
 - lib/kube_auto_analyzer/vuln_checks/kubelet.rb
 - lib/kube_auto_analyzer/vuln_checks/service_token.rb
@@ -95,10 +96,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.2.2
+rubygems_version: 2.4.8
 signing_key:
 specification_version: 4
 summary: A Gem which provides a script and class analyze the security of a Kubernetes
   cluster.
 test_files: []
-has_rdoc: