aboutsummaryrefslogtreecommitdiffstats
path: root/security/README.md
blob: 6821d2ea59b16d8fdb6f7bec68de91c0be44d8f2 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
# Security

## Goal

This security docker includes the test suites dealing with security aspects
of an ONAP deployment.

It includes 6 tests:

- root_pods: check that pods are nor using root user or started as root
- unlimitted_pods: check that limits are set for pods
- cis_kubernetes: perform the k8s cis test suite (upstream src aquasecurity)
- http_public_endpoints: check that there is no public http endpoints exposed in
  ONAP cluster
- nonssl_endpoints: check that all public HTTP endpoints exposed in ONAP
  cluster use SSL tunnels
- jdpw_ports: check that there are no internal java ports
- kube_hunter: security suite to search k8s vulnerabilities (upstream src
  aquasecurity)
- versions: check that Java and Python are available only in versions
  recommended by SECCOM. This test is long and run only in Weekly CI chains\
  (https://logs.onap.org/onap-integration/weekly).

## Usage

### Configuration

Mandatory:

- The kubernetes configuration: usually hosted on the.kube/config of your
  jumphost. It corresponds the kubernetes credentials and are needed to perform
  the different operations. This file shall be copied in /root/.kube/config in
  the docker.

Optional:

- The local result directory path: to store the results in your local
  environement. It shall corresponds to the internal result docker path
  /var/lib/xtesting/results

### Command

You can run this docker by typing:

```
docker run -v <the kube config>:/root/.kube/config -v
<result directory>:/var/lib/xtesting/results
nexus3.onap.org:10003/onap/xtesting-security:master
```

Options:

- \-r: by default the reporting to the Database is not enabled. You need to
  specify the -r option in the command line. Please note that in this case, you
  must precise some env variables.

environment variables:

- Mandatory (if you want to report the results in the database):
  - TEST_DB_URL: the url of the target Database with the env variable .
  - NODE_NAME: the name of your test environement. It must be declared in the
    test database (e.g. windriver-SB00)
- Optionnal
  - INSTALLER_TYPE: precise how your ONAP has been installed (e.g. kubespray-oom,
    rke-oom)
  - BUILD_TAG: a unique tag of your CI system. It can be usefull to get all the
    tests of one CI run. It uses the regex (dai|week)ly-(.+?)-\[0-9]\* to find the
    version (e.g. daily-elalto-123456789).

The command becomes:

```
docker run -v <the kube config>:/root/.kube/config -v
<result directory>:/var/lib/xtesting/results
nexus3.onap.org:10003/onap/xtesting-security:master
/bin/bash -c "run_tests -r -t all"
```

Note that you can run only a subset of the tests and decide if you report the
results to the test BD or not.
The following commands are correct:

```
docker run -v <the kube config>:/root/.kube/config -v
<result directory>:/var/lib/xtesting/results
nexus3.onap.org:10003/onap/xtesting-security:master
/bin/bash -c "run_tests -t root_pods"
```

You can also run the docker in interactive mode, so you can run the tests from
inside the docker and directly modify the code of the test if you want.

```
docker run -it -v <the kube config>:/root/.kube/config -v
<result directory>:/var/lib/xtesting/results
nexus3.onap.org:10003/onap/xtesting-security:master bash
```

In this case you will get the bash prompt, you can run the test by typing in
the console

```
# run_tests -t unlimitted_pods
```

The code of the tests is in the docker. For python test, have a look at
/usr/lib/python3.8/site-packages, for security tests they are usually located
at /. See the Dockerfile for more information.

### Output

```
+-----------------------+------------+------------+-----------+
|       TEST CASE       |  PROJECT   |  DURATION  |  RESULT   |
+-----------------------+------------+------------+-----------+
|       root_pods       |  security  |   03:48    |   PASS    |
|    unlimitted_pods    |  security  |   00:37    |   FAIL    |
|     cis_kubernetes    |  security  |   00:01    |   PASS    |
|     kube_hunter       |  security  |   00:03    |   PASS    |
| http_public_endpoints |  security  |   00:01    |   PASS    |
|       jdpw_ports      |  security  |   05:39    |   PASS    |
+-----------------------+------------+------------+-----------+
```