1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-16 04:49:19 +00:00
kube-bench/check/controls.go

331 lines
9.2 KiB
Go
Raw Normal View History

2017-05-26 09:25:29 +00:00
// Copyright © 2017 Aqua Security Software Ltd. <info@aquasec.com>
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package check
import (
"bytes"
2017-05-26 09:25:29 +00:00
"encoding/json"
"encoding/xml"
2017-05-26 09:25:29 +00:00
"fmt"
"time"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/securityhub"
"github.com/golang/glog"
"github.com/onsi/ginkgo/reporters"
"github.com/spf13/viper"
"gopkg.in/yaml.v2"
2017-05-26 09:25:29 +00:00
)
const (
// UNKNOWN is when the AWS account can't be found
UNKNOWN = "Unknown"
// ARN for the AWS Security Hub service
ARN = "arn:aws:securityhub:%s::product/aqua-security/kube-bench"
// SCHEMA for the AWS Security Hub service
SCHEMA = "2018-10-08"
// TYPE is type of Security Hub finding
TYPE = "Software and Configuration Checks/Industry and Regulatory Standards/CIS Kubernetes Benchmark"
)
Refactor group skip (#783) * Add example IAM policy * Pass RotateKubeletServerCertificate related checks if it's not found (#767) * Allow for environment variables to be checked in tests (#755) * Initial commit for checking environment variables for etcd * Revert config changes * Remove redundant struct data * Fix issues with failing tests * Initial changes based on code review * Add option to disable envTesting + Update docs * Initial tests * Finished testing * Fix broken tests * Add a total summary and always show all tests. (#759) Whether the total summary is shown can be specified with an option. Fixes #528 Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud> * Update Readme.md file with link to Contribution guide (#754) * Update License with the year and the owner name Please add this to make your license agreement strong * Updated Readme.md file with license and proper documentation links I have added a proper license agreement to the documentation. Also shortened the links to the issues so that it does not break in any on the forks. * Update LICENSE * Update README.md * Update README.md * Remove erroneous license info Co-authored-by: Liz Rice <liz@lizrice.com> * Support auto-detect platform when running on EKS or GKE (#683) * Support auto-detect platform when running on EKS or GKE * Change to get platform name from `kubectl version` * fix regexp and add test * Update Server Version match for EKS * try to get version info from api sever at first * Refactor group skip changed group 'skip' from being a bool to be 'type' string as done in check * Change skip: true -> type: skip Co-authored-by: Huang Huang <mozillazg101@gmail.com> Co-authored-by: Wicked <jason_attwood@hotmail.co.uk> Co-authored-by: Christian Zunker <827818+czunker@users.noreply.github.com> Co-authored-by: Kaiwalya Koparkar <kaiwalyakoparkar@gmail.com> Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2020-12-21 11:18:54 +00:00
type OverallControls struct {
Controls []*Controls
Totals Summary
}
2017-05-26 09:25:29 +00:00
// Controls holds all controls to check for master nodes.
type Controls struct {
ID string `yaml:"id" json:"id"`
Version string `json:"version"`
DetectedVersion string `json:"detected_version,omitempty"`
Text string `json:"text"`
Type NodeType `json:"node_type"`
Groups []*Group `json:"tests"`
2017-05-26 09:25:29 +00:00
Summary
}
// Group is a collection of similar checks.
type Group struct {
ID string `yaml:"id" json:"section"`
Refactor group skip (#783) * Add example IAM policy * Pass RotateKubeletServerCertificate related checks if it's not found (#767) * Allow for environment variables to be checked in tests (#755) * Initial commit for checking environment variables for etcd * Revert config changes * Remove redundant struct data * Fix issues with failing tests * Initial changes based on code review * Add option to disable envTesting + Update docs * Initial tests * Finished testing * Fix broken tests * Add a total summary and always show all tests. (#759) Whether the total summary is shown can be specified with an option. Fixes #528 Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud> * Update Readme.md file with link to Contribution guide (#754) * Update License with the year and the owner name Please add this to make your license agreement strong * Updated Readme.md file with license and proper documentation links I have added a proper license agreement to the documentation. Also shortened the links to the issues so that it does not break in any on the forks. * Update LICENSE * Update README.md * Update README.md * Remove erroneous license info Co-authored-by: Liz Rice <liz@lizrice.com> * Support auto-detect platform when running on EKS or GKE (#683) * Support auto-detect platform when running on EKS or GKE * Change to get platform name from `kubectl version` * fix regexp and add test * Update Server Version match for EKS * try to get version info from api sever at first * Refactor group skip changed group 'skip' from being a bool to be 'type' string as done in check * Change skip: true -> type: skip Co-authored-by: Huang Huang <mozillazg101@gmail.com> Co-authored-by: Wicked <jason_attwood@hotmail.co.uk> Co-authored-by: Christian Zunker <827818+czunker@users.noreply.github.com> Co-authored-by: Kaiwalya Koparkar <kaiwalyakoparkar@gmail.com> Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2020-12-21 11:18:54 +00:00
Type string `yaml:"type" json:"type"`
Pass int `json:"pass"`
Fail int `json:"fail"`
Warn int `json:"warn"`
Info int `json:"info"`
Text string `json:"desc"`
Checks []*Check `json:"results"`
2017-05-26 09:25:29 +00:00
}
// Summary is a summary of the results of control checks run.
type Summary struct {
Pass int `json:"total_pass"`
Fail int `json:"total_fail"`
Warn int `json:"total_warn"`
Info int `json:"total_info"`
2017-05-26 09:25:29 +00:00
}
// Predicate a predicate on the given Group and Check arguments.
type Predicate func(group *Group, check *Check) bool
2017-05-26 09:25:29 +00:00
// NewControls instantiates a new master Controls object.
func NewControls(t NodeType, in []byte, detectedVersion string) (*Controls, error) {
2017-05-26 09:25:29 +00:00
c := new(Controls)
err := yaml.Unmarshal(in, c)
2017-05-26 09:25:29 +00:00
if err != nil {
return nil, fmt.Errorf("failed to unmarshal YAML: %s", err)
2017-05-26 09:25:29 +00:00
}
if t != c.Type {
return nil, fmt.Errorf("non-%s controls file specified", t)
2017-05-26 09:25:29 +00:00
}
c.DetectedVersion = detectedVersion
return c, nil
2017-05-26 09:25:29 +00:00
}
// RunChecks runs the checks with the given Runner. Only checks for which the filter Predicate returns `true` will run.
func (controls *Controls) RunChecks(runner Runner, filter Predicate, skipIDMap map[string]bool) Summary {
var g []*Group
m := make(map[string]*Group)
controls.Summary.Pass, controls.Summary.Fail, controls.Summary.Warn, controls.Info = 0, 0, 0, 0
2017-05-26 09:25:29 +00:00
for _, group := range controls.Groups {
for _, check := range group.Checks {
2017-05-26 09:25:29 +00:00
if !filter(group, check) {
continue
2017-05-26 09:25:29 +00:00
}
_, groupSkippedViaCmd := skipIDMap[group.ID]
_, checkSkippedViaCmd := skipIDMap[check.ID]
Refactor group skip (#783) * Add example IAM policy * Pass RotateKubeletServerCertificate related checks if it's not found (#767) * Allow for environment variables to be checked in tests (#755) * Initial commit for checking environment variables for etcd * Revert config changes * Remove redundant struct data * Fix issues with failing tests * Initial changes based on code review * Add option to disable envTesting + Update docs * Initial tests * Finished testing * Fix broken tests * Add a total summary and always show all tests. (#759) Whether the total summary is shown can be specified with an option. Fixes #528 Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud> * Update Readme.md file with link to Contribution guide (#754) * Update License with the year and the owner name Please add this to make your license agreement strong * Updated Readme.md file with license and proper documentation links I have added a proper license agreement to the documentation. Also shortened the links to the issues so that it does not break in any on the forks. * Update LICENSE * Update README.md * Update README.md * Remove erroneous license info Co-authored-by: Liz Rice <liz@lizrice.com> * Support auto-detect platform when running on EKS or GKE (#683) * Support auto-detect platform when running on EKS or GKE * Change to get platform name from `kubectl version` * fix regexp and add test * Update Server Version match for EKS * try to get version info from api sever at first * Refactor group skip changed group 'skip' from being a bool to be 'type' string as done in check * Change skip: true -> type: skip Co-authored-by: Huang Huang <mozillazg101@gmail.com> Co-authored-by: Wicked <jason_attwood@hotmail.co.uk> Co-authored-by: Christian Zunker <827818+czunker@users.noreply.github.com> Co-authored-by: Kaiwalya Koparkar <kaiwalyakoparkar@gmail.com> Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2020-12-21 11:18:54 +00:00
if group.Type == SKIP || groupSkippedViaCmd || checkSkippedViaCmd {
check.Type = SKIP
}
state := runner.Run(check)
check.TestInfo = append(check.TestInfo, check.Remediation)
2017-05-26 09:25:29 +00:00
// Check if we have already added this checks group.
if v, ok := m[group.ID]; !ok {
// Create a group with same info
w := &Group{
ID: group.ID,
Text: group.Text,
Checks: []*Check{},
}
2017-05-26 09:25:29 +00:00
// Add this check to the new group
w.Checks = append(w.Checks, check)
summarizeGroup(w, state)
2017-05-26 09:25:29 +00:00
// Add to groups we have visited.
m[w.ID] = w
g = append(g, w)
} else {
v.Checks = append(v.Checks, check)
summarizeGroup(v, state)
2017-05-26 09:25:29 +00:00
}
summarize(controls, state)
2017-05-26 09:25:29 +00:00
}
}
controls.Groups = g
return controls.Summary
}
// JSON encodes the results of last run to JSON.
func (controls *Controls) JSON() ([]byte, error) {
return json.Marshal(controls)
}
// JUnit encodes the results of last run to JUnit.
func (controls *Controls) JUnit() ([]byte, error) {
suite := reporters.JUnitTestSuite{
Name: controls.Text,
TestCases: []reporters.JUnitTestCase{},
Tests: controls.Summary.Pass + controls.Summary.Fail + controls.Summary.Info + controls.Summary.Warn,
Failures: controls.Summary.Fail,
}
for _, g := range controls.Groups {
for _, check := range g.Checks {
jsonCheck := ""
jsonBytes, err := json.Marshal(check)
if err != nil {
jsonCheck = fmt.Sprintf("Failed to marshal test into JSON: %v. Test as text: %#v", err, check)
} else {
jsonCheck = string(jsonBytes)
}
tc := reporters.JUnitTestCase{
Name: fmt.Sprintf("%v %v", check.ID, check.Text),
ClassName: g.Text,
// Store the entire json serialization as system out so we don't lose data in cases where deeper debugging is necessary.
SystemOut: jsonCheck,
}
switch check.State {
case FAIL:
tc.FailureMessage = &reporters.JUnitFailureMessage{Message: check.Remediation}
case WARN, INFO:
// WARN and INFO are two different versions of skipped tests. Either way it would be a false positive/negative to report
// it any other way.
tc.Skipped = &reporters.JUnitSkipped{}
case PASS:
default:
glog.Warningf("Unrecognized state %s", check.State)
}
suite.TestCases = append(suite.TestCases, tc)
}
}
var b bytes.Buffer
encoder := xml.NewEncoder(&b)
encoder.Indent("", " ")
err := encoder.Encode(suite)
if err != nil {
return nil, fmt.Errorf("Failed to generate JUnit report: %s", err.Error())
}
return b.Bytes(), nil
}
// ASFF encodes the results of last run to AWS Security Finding Format(ASFF).
func (controls *Controls) ASFF() ([]*securityhub.AwsSecurityFinding, error) {
fs := []*securityhub.AwsSecurityFinding{}
account, err := getConfig("AWS_ACCOUNT")
if err != nil {
return nil, err
}
cluster, err := getConfig("CLUSTER_ARN")
if err != nil {
return nil, err
}
region, err := getConfig("AWS_REGION")
if err != nil {
return nil, err
}
nodeName, _ := getConfig("NODE_NAME")
arn := fmt.Sprintf(ARN, region)
ti := time.Now()
tf := ti.Format(time.RFC3339)
for _, g := range controls.Groups {
for _, check := range g.Checks {
if check.State == FAIL || check.State == WARN {
// ASFF ProductFields['Actual result'] can't be longer than 1024 characters
actualValue := check.ActualValue
remediation := check.Remediation
reason := check.Reason
if len(check.ActualValue) > 1024 {
actualValue = check.ActualValue[0:1023]
}
// Fix issue https://github.com/aquasecurity/kube-bench/issues/903
if len(check.Remediation) > 512 {
remediation = check.Remediation[0:511]
}
if len(check.Reason) > 1024 {
reason = check.Reason[0:1023]
}
id := aws.String(fmt.Sprintf("%s%sEKSnodeID+%s+%s", arn, account, check.ID, cluster))
if nodeName != "" {
id = aws.String(fmt.Sprintf("%s%sEKSnodeID+%s+%s+%s", arn, account, check.ID, cluster, nodeName))
}
f := securityhub.AwsSecurityFinding{
AwsAccountId: aws.String(account),
Confidence: aws.Int64(100),
GeneratorId: aws.String(fmt.Sprintf("%s/cis-kubernetes-benchmark/%s/%s", arn, controls.Version, check.ID)),
Id: id,
CreatedAt: aws.String(tf),
Description: aws.String(check.Text),
ProductArn: aws.String(arn),
SchemaVersion: aws.String(SCHEMA),
Title: aws.String(fmt.Sprintf("%s %s", check.ID, check.Text)),
UpdatedAt: aws.String(tf),
Types: []*string{aws.String(TYPE)},
Severity: &securityhub.Severity{
Label: aws.String(securityhub.SeverityLabelHigh),
},
Remediation: &securityhub.Remediation{
Recommendation: &securityhub.Recommendation{
Text: aws.String(remediation),
},
},
ProductFields: map[string]*string{
"Reason": aws.String(reason),
"Actual result": aws.String(actualValue),
"Expected result": aws.String(check.ExpectedResult),
"Section": aws.String(fmt.Sprintf("%s %s", controls.ID, controls.Text)),
"Subsection": aws.String(fmt.Sprintf("%s %s", g.ID, g.Text)),
},
Resources: []*securityhub.Resource{
{
Id: aws.String(cluster),
Type: aws.String(TYPE),
},
},
}
fs = append(fs, &f)
}
}
}
return fs, nil
}
func getConfig(name string) (string, error) {
r := viper.GetString(name)
if len(r) == 0 {
return "", fmt.Errorf("%s not set", name)
}
return r, nil
}
func summarize(controls *Controls, state State) {
switch state {
2017-05-26 09:25:29 +00:00
case PASS:
controls.Summary.Pass++
case FAIL:
controls.Summary.Fail++
case WARN:
controls.Summary.Warn++
case INFO:
controls.Summary.Info++
default:
glog.Warningf("Unrecognized state %s", state)
2017-05-26 09:25:29 +00:00
}
}
func summarizeGroup(group *Group, state State) {
switch state {
case PASS:
group.Pass++
case FAIL:
group.Fail++
case WARN:
group.Warn++
case INFO:
group.Info++
default:
glog.Warningf("Unrecognized state %s", state)
}
}