2017-05-26 09:25:29 +00:00
|
|
|
// Copyright © 2017 Aqua Security Software Ltd. <info@aquasec.com>
|
|
|
|
//
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
//
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
|
|
package check
|
|
|
|
|
|
|
|
import (
|
2017-06-30 11:40:39 +00:00
|
|
|
"bytes"
|
2017-05-26 09:25:29 +00:00
|
|
|
"fmt"
|
|
|
|
"io"
|
|
|
|
"os/exec"
|
|
|
|
"strings"
|
2017-07-25 00:34:07 +00:00
|
|
|
|
|
|
|
"github.com/golang/glog"
|
2017-05-26 09:25:29 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// NodeType indicates the type of node (master, node, federated).
|
|
|
|
type NodeType string
|
|
|
|
|
|
|
|
// State is the state of a control check.
|
|
|
|
type State string
|
|
|
|
|
|
|
|
const (
|
|
|
|
// PASS check passed.
|
|
|
|
PASS State = "PASS"
|
|
|
|
// FAIL check failed.
|
|
|
|
FAIL = "FAIL"
|
|
|
|
// WARN could not carry out check.
|
|
|
|
WARN = "WARN"
|
2017-06-20 08:54:17 +00:00
|
|
|
// INFO informational message
|
|
|
|
INFO = "INFO"
|
2017-05-26 09:25:29 +00:00
|
|
|
|
|
|
|
// MASTER a master node
|
|
|
|
MASTER NodeType = "master"
|
|
|
|
// NODE a node
|
|
|
|
NODE NodeType = "node"
|
|
|
|
// FEDERATED a federated deployment.
|
|
|
|
FEDERATED NodeType = "federated"
|
|
|
|
)
|
|
|
|
|
2017-07-07 17:01:30 +00:00
|
|
|
func handleError(err error, context string) (errmsg string) {
|
|
|
|
if err != nil {
|
|
|
|
errmsg = fmt.Sprintf("%s, error: %s\n", context, err)
|
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2017-05-26 09:25:29 +00:00
|
|
|
// Check contains information about a recommendation in the
|
|
|
|
// CIS Kubernetes 1.6+ document.
|
|
|
|
type Check struct {
|
|
|
|
ID string `yaml:"id" json:"id"`
|
|
|
|
Text string
|
|
|
|
Audit string `json:"omit"`
|
|
|
|
Commands []*exec.Cmd `json:"omit"`
|
|
|
|
Tests *tests `json:"omit"`
|
|
|
|
Set bool `json:"omit"`
|
|
|
|
Remediation string
|
|
|
|
State
|
|
|
|
}
|
|
|
|
|
|
|
|
// Run executes the audit commands specified in a check and outputs
|
|
|
|
// the results.
|
2017-07-25 00:34:07 +00:00
|
|
|
func (c *Check) Run() {
|
2017-07-05 12:56:01 +00:00
|
|
|
var out bytes.Buffer
|
2017-07-07 17:01:30 +00:00
|
|
|
var errmsgs string
|
2017-05-26 09:25:29 +00:00
|
|
|
|
|
|
|
// Check if command exists or exit with WARN.
|
|
|
|
for _, cmd := range c.Commands {
|
|
|
|
_, err := exec.LookPath(cmd.Path)
|
|
|
|
if err != nil {
|
|
|
|
c.State = WARN
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Run commands.
|
2017-06-30 11:40:39 +00:00
|
|
|
n := len(c.Commands)
|
|
|
|
if n == 0 {
|
2017-05-26 09:25:29 +00:00
|
|
|
// Likely a warning message.
|
|
|
|
c.State = WARN
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2017-06-30 11:40:39 +00:00
|
|
|
// Each command runs,
|
|
|
|
// cmd0 out -> cmd1 in, cmd1 out -> cmd2 in ... cmdn out -> os.stdout
|
|
|
|
// cmd0 err should terminate chain
|
|
|
|
cs := c.Commands
|
|
|
|
|
2017-07-04 17:04:31 +00:00
|
|
|
// Initialize command pipeline
|
2017-06-30 11:40:39 +00:00
|
|
|
cs[n-1].Stdout = &out
|
|
|
|
i := 1
|
|
|
|
|
|
|
|
var err error
|
2017-07-07 17:01:30 +00:00
|
|
|
errmsgs = ""
|
|
|
|
|
2017-06-30 11:40:39 +00:00
|
|
|
for i < n {
|
|
|
|
cs[i-1].Stdout, err = cs[i].StdinPipe()
|
2017-07-07 17:01:30 +00:00
|
|
|
errmsgs += handleError(
|
|
|
|
err,
|
2017-07-13 01:01:18 +00:00
|
|
|
fmt.Sprintf("failed to run: %s\nfailed command: %s",
|
2017-07-07 17:01:30 +00:00
|
|
|
c.Audit,
|
|
|
|
cs[i].Args,
|
|
|
|
),
|
|
|
|
)
|
|
|
|
|
2017-06-30 11:40:39 +00:00
|
|
|
i++
|
2017-05-26 09:25:29 +00:00
|
|
|
}
|
|
|
|
|
2017-07-04 17:04:31 +00:00
|
|
|
// Start command pipeline
|
2017-06-30 11:40:39 +00:00
|
|
|
i = 0
|
|
|
|
for i < n {
|
2017-07-05 12:56:01 +00:00
|
|
|
err := cs[i].Start()
|
2017-07-07 17:01:30 +00:00
|
|
|
errmsgs += handleError(
|
|
|
|
err,
|
2017-07-13 01:01:18 +00:00
|
|
|
fmt.Sprintf("failed to run: %s\nfailed command: %s",
|
2017-07-07 17:01:30 +00:00
|
|
|
c.Audit,
|
|
|
|
cs[i].Args,
|
|
|
|
),
|
|
|
|
)
|
2017-07-04 17:04:31 +00:00
|
|
|
i++
|
|
|
|
}
|
2017-05-26 09:25:29 +00:00
|
|
|
|
2017-07-04 17:04:31 +00:00
|
|
|
// Complete command pipeline
|
|
|
|
i = 0
|
|
|
|
for i < n {
|
2017-07-05 12:56:01 +00:00
|
|
|
err := cs[i].Wait()
|
2017-07-07 17:01:30 +00:00
|
|
|
errmsgs += handleError(
|
|
|
|
err,
|
2017-07-13 01:01:18 +00:00
|
|
|
fmt.Sprintf("failed to run: %s\nfailed command:%s",
|
2017-07-07 17:01:30 +00:00
|
|
|
c.Audit,
|
|
|
|
cs[i].Args,
|
|
|
|
),
|
|
|
|
)
|
2017-05-26 09:25:29 +00:00
|
|
|
|
2017-06-30 11:40:39 +00:00
|
|
|
if i < n-1 {
|
|
|
|
cs[i].Stdout.(io.Closer).Close()
|
|
|
|
}
|
2017-07-04 17:04:31 +00:00
|
|
|
|
2017-06-30 11:40:39 +00:00
|
|
|
i++
|
2017-05-26 09:25:29 +00:00
|
|
|
}
|
|
|
|
|
2017-07-25 00:34:07 +00:00
|
|
|
glog.V(2).Info("%s\n", errmsgs)
|
2017-07-07 17:01:30 +00:00
|
|
|
|
2017-06-30 11:40:39 +00:00
|
|
|
res := c.Tests.execute(out.String())
|
2017-05-26 09:25:29 +00:00
|
|
|
if res {
|
|
|
|
c.State = PASS
|
|
|
|
} else {
|
|
|
|
c.State = FAIL
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// textToCommand transforms a text representation of commands to be
|
|
|
|
// run into a slice of commands.
|
|
|
|
// TODO: Make this more robust.
|
|
|
|
func textToCommand(s string) []*exec.Cmd {
|
|
|
|
cmds := []*exec.Cmd{}
|
|
|
|
|
|
|
|
cp := strings.Split(s, "|")
|
|
|
|
// fmt.Println("check.toCommand:", cp)
|
|
|
|
|
|
|
|
for _, v := range cp {
|
|
|
|
v = strings.Trim(v, " ")
|
|
|
|
cs := strings.Split(v, " ")
|
|
|
|
|
|
|
|
cmd := exec.Command(cs[0], cs[1:]...)
|
|
|
|
cmds = append(cmds, cmd)
|
|
|
|
}
|
|
|
|
|
|
|
|
return cmds
|
|
|
|
}
|