kube_auto_analyzer 0.0.2 → 0.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8eef7acfe04e5060eb6da88237f8e5f719815625
-  data.tar.gz: 6fc041eaefc06167d3bc444c278447d3f1109d06
+  metadata.gz: 1d00aa23fd9d10f06f08ca8dbb0ce90f4ebe4418
+  data.tar.gz: 20b0155fa55984544566af728ea62ef13ddab85d
 SHA512:
-  metadata.gz: d98679c3423bf84bbcfd24420b119cb0a23c191f20aa251d5a708c4e41c000785d6fa9d9d20ff08bf06abeca4f07b3519d98f27b43df15d81c477d41f70a009f
-  data.tar.gz: 0b36c63d370ca496e80887ede180407552b923a27a63baab4ec51c251a529c3bad0e3f09cb3ece71f82eaf690dfeff83b0fb80ba7b20240d53e42811edd7f4a9
+  metadata.gz: 4fed5d88cdf8af7f495462bfe3432708861946d6fe19e21b8bd1c546a90cc20e01fbd9da88a02711fe15fd3c82ae7f84c8c9fd5b86ac371c2962efd7edaf6abf
+  data.tar.gz: d9b66e719e362dc057cd50b078c8a82fd7cff214e7bb0f474a3abe003088e1b6140eac1b7f899d411052d67ed14ee00c5c6135fc10e5b6a9f444837022f7afeb

data/lib/kube_auto_analyzer/reporting.rb

@@ -51,7 +51,6 @@ module KubeAutoAnalyzer
   end
 
   def self.html_report
-    base_report = File.open(@report_file_name + '.txt','r').read
     logo_path = File.join(__dir__, "data-logo.b64")
     logo = File.open(logo_path).read
     @log.debug("Starting HTML Report")
@@ -257,6 +256,20 @@ module KubeAutoAnalyzer
       @html_report_file.puts "</table>"
     end
 
+    if @options.agent_checks
+      @html_report_file.puts '<br><h3>Default Service Token In Use</h3>'
+      @html_report_file.puts "<table><thead><tr><th>API endpoint</th><th>Result</th></thead>"
+      @results[@options.target_server]['vulns']['service_token'].each do |node, result|
+        unless (result =~ /Forbidden/ || result =~ /Not Open/)
+          output = "Vulnerable"
+        else
+          output = result
+        end
+        @html_report_file.puts "<tr><td>#{node}</td><td>#{output}</td></tr>"
+      end
+      @html_report_file.puts "</table>"
+    end
+
 
 
     @html_report_file.puts "<br><br><h2>Vulnerability Evidence</h2><br>"
@@ -277,6 +290,11 @@ module KubeAutoAnalyzer
         @html_report_file.puts "<tr><td>Internal Insecure API Server Access</td><td>#{node}</td><td>#{result}</td></tr>"   
       end
     end
+    if @options.agent_checks
+      @results[@options.target_server]['vulns']['service_token'].each do |node, result|
+        @html_report_file.puts "<tr><td>Default Service Token In Use</td><td>#{node}</td><td>#{result}</td></tr>"   
+      end
+    end
     @html_report_file.puts "</table>"
 
 

data/lib/kube_auto_analyzer/version.rb

@@ -1,3 +1,3 @@
 module KubeAutoAnalyzer
-  VERSION = "0.0.2"
+  VERSION = "0.0.3"
 end

data/lib/kube_auto_analyzer/vuln_checks/service_token.rb

@@ -0,0 +1,40 @@
+module KubeAutoAnalyzer
+
+  #This is somewhat awkward placement.  Deployment mechanism sits more with the agent checks
+  #But from a "what it's looking for" perspective, as a weakness in Kubelet, it makes more sense here.
+  def self.test_service_token_internal
+    require 'json'
+
+    @log.debug("Doing the internal Service Token check")
+    target = @options.target_server
+    @results[target]['vulns']['service_token'] = Hash.new
+    api_server_url = @client.api_endpoint.to_s
+    container_name = "kaakubeletunauthtest"
+    pod = Kubeclient::Resource.new
+    pod.metadata = {}
+    pod.metadata.name = container_name
+    pod.metadata.namespace = "default"
+    pod.spec = {}
+    pod.spec.restartPolicy = "Never"
+    pod.spec.containers = {}
+    pod.spec.containers = [{name: "kubeautoanalyzerservicetokentest", image: "raesene/kaa-agent:latest"}]
+    pod.spec.containers[0].args = ["/service-token-checker.rb",api_server_url]
+    begin
+      @log.debug("About to start Service Token Check pod")
+      @client.create_pod(pod)
+      @log.debug("Executed the create pod")
+      begin
+        sleep(5) until @client.get_pod(container_name,"default")['status']['containerStatuses'][0]['state']['terminated']['reason'] == "Completed"
+      rescue
+        retry
+      end
+      @log.debug ("started Service Token Check pod")
+      results = JSON.parse(@client.get_pod_log(container_name,"default"))
+      results.each do |node, results|
+        @results[target]['vulns']['service_token'][api_server_url] = results
+      end
+    ensure
+      @client.delete_pod(container_name,"default")
+    end
+  end
+end

data/lib/kube_auto_analyzer.rb

@@ -7,6 +7,7 @@ module KubeAutoAnalyzer
   require "kube_auto_analyzer/agent_checks/process_checks"
   require "kube_auto_analyzer/vuln_checks/kubelet"
   require "kube_auto_analyzer/vuln_checks/api_server"
+  require "kube_auto_analyzer/vuln_checks/service_token"
   require "kube_auto_analyzer/utility/network"
   
 
@@ -31,7 +32,8 @@ module KubeAutoAnalyzer
     @log.debug("Target API Server is " + @options.target_server)
 
     @report_file_name = @base_dir + '/' + @options.report_file
-    @report_file = File.new(@report_file_name + '.txt','w+')
+    #Remove the Text report for now as we're not using this option
+    #@report_file = File.new(@report_file_name + '.txt','w+')
     @html_report_file = File.new(@report_file_name + '.html','w+')
     @log.debug("New Report File created #{@report_file_name}")
         
@@ -88,6 +90,7 @@ module KubeAutoAnalyzer
     if @options.agent_checks
       test_unauth_kubelet_internal
       test_insecure_api_internal
+      test_service_token_internal
       check_files
       check_kubelet_process
     end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: kube_auto_analyzer
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.0.3
 platform: ruby
 authors:
 - Rory McCune
@@ -74,6 +74,7 @@ files:
 - lib/kube_auto_analyzer/version.rb
 - lib/kube_auto_analyzer/vuln_checks/api_server.rb
 - lib/kube_auto_analyzer/vuln_checks/kubelet.rb
+- lib/kube_auto_analyzer/vuln_checks/service_token.rb
 homepage: https://github.com/nccgroup/kube-auto-analyzer
 licenses:
 - AGPL