
ASFF: add node name to the finding id (#1214)

This commit is contained in:
Huang Huang 2022-06-19 16:48:40 +08:00 committed by GitHub
parent ce53cffc70
commit 907d952fb3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 5 deletions


@ -208,11 +208,11 @@ func (controls *Controls) JUnit() ([]byte, error) {
// ASFF encodes the results of last run to AWS Security Finding Format(ASFF). // ASFF encodes the results of last run to AWS Security Finding Format(ASFF).
func (controls *Controls) ASFF() ([]*securityhub.AwsSecurityFinding, error) { func (controls *Controls) ASFF() ([]*securityhub.AwsSecurityFinding, error) {
fs := []*securityhub.AwsSecurityFinding{} fs := []*securityhub.AwsSecurityFinding{}
a, err := getConfig("AWS_ACCOUNT") account, err := getConfig("AWS_ACCOUNT")
if err != nil { if err != nil {
return nil, err return nil, err
} }
c, err := getConfig("CLUSTER_ARN") cluster, err := getConfig("CLUSTER_ARN")
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -220,6 +220,7 @@ func (controls *Controls) ASFF() ([]*securityhub.AwsSecurityFinding, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
nodeName, _ := getConfig("NODE_NAME")
arn := fmt.Sprintf(ARN, region) arn := fmt.Sprintf(ARN, region)
ti := time.Now() ti := time.Now()
@ -244,12 +245,16 @@ func (controls *Controls) ASFF() ([]*securityhub.AwsSecurityFinding, error) {
if len(check.Reason) > 1024 { if len(check.Reason) > 1024 {
reason = check.Reason[0:1023] reason = check.Reason[0:1023]
} }
id := aws.String(fmt.Sprintf("%s%sEKSnodeID+%s+%s", arn, account, check.ID, cluster))
if nodeName != "" {
id = aws.String(fmt.Sprintf("%s%sEKSnodeID+%s+%s+%s", arn, account, check.ID, cluster, nodeName))
}
f := securityhub.AwsSecurityFinding{ f := securityhub.AwsSecurityFinding{
AwsAccountId: aws.String(a), AwsAccountId: aws.String(account),
Confidence: aws.Int64(100), Confidence: aws.Int64(100),
GeneratorId: aws.String(fmt.Sprintf("%s/cis-kubernetes-benchmark/%s/%s", arn, controls.Version, check.ID)), GeneratorId: aws.String(fmt.Sprintf("%s/cis-kubernetes-benchmark/%s/%s", arn, controls.Version, check.ID)),
Id: aws.String(fmt.Sprintf("%s%sEKSnodeID+%s+%s", arn, a, check.ID, c)), Id: id,
CreatedAt: aws.String(tf), CreatedAt: aws.String(tf),
Description: aws.String(check.Text), Description: aws.String(check.Text),
ProductArn: aws.String(arn), ProductArn: aws.String(arn),
@ -274,7 +279,7 @@ func (controls *Controls) ASFF() ([]*securityhub.AwsSecurityFinding, error) {
}, },
Resources: []*securityhub.Resource{ Resources: []*securityhub.Resource{
{ {
Id: aws.String(c), Id: aws.String(cluster),
Type: aws.String(TYPE), Type: aws.String(TYPE),
}, },
}, },
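Review bot: The error from `getConfig("NODE_NAME")` is discarded on the new `nodeName, _ := getConfig("NODE_NAME")` line without a comment, while the three sibling lookups directly above it return on error, so a reader cannot tell whether NODE_NAME is optional by design or the check was forgotten; a one-line comment such as `// NODE_NAME is optional: when unset, the finding id keeps the cluster-wide form.` placed above that line settles it. The two `fmt.Sprintf` calls that build `id` duplicate the whole format string and differ only in the trailing node segment; a single base string with a conditional suffix is easier to keep in sync: `id := fmt.Sprintf("%s%sEKSnodeID+%s+%s", arn, account, check.ID, cluster)`, then `if nodeName != "" { id += "+" + nodeName }`, and `Id: aws.String(id),` in the struct literal. If Security Hub matches previously imported findings on `Id` (as I believe it does), a deployment that upgrades and starts setting NODE_NAME will emit every finding under a new id and leave the older per-cluster findings stale rather than updated, which is worth a sentence in the commit description or the docs. ASFF's body continues past the last hunk of this file.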


@ -43,6 +43,11 @@ spec:
"eks-1.0.1", "eks-1.0.1",
"--asff", "--asff",
] ]
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts: volumeMounts:
- name: var-lib-kubelet - name: var-lib-kubelet
mountPath: /var/lib/kubelet mountPath: /var/lib/kubelet