Age | Commit message (Collapse) | Author | Files | Lines |
|
To follow a common protocol of testing Golang based
applications in CI we need a 'build' target for doing
a local (non-docker) build to verify 'go build' routine.
It's however not added to "all" target as that one already
references docker based build by default.
Change-Id: I2e380ef09a1ae18456d7288f853d085617149338
Issue-ID: SECCOM-261
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
|
|
Moving CSV data conversion and "expected failure" filtering away from
main function made testing these features easier. Utility behaviour
remained unchanged.
Issue-ID: SECCOM-261
Change-Id: I4cabfc7b352434c84a613c02f44af3c9630be970
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch makes scanner compatible with its shell predecessor. The same
"expected failure" list format is used i.e.
# Comment line; will be ignored
SERVICE1 NODEPORT1
SERVICE2 NODEPORT2
Single space character is used as a field separator.
Issue-ID: SECCOM-261
Change-Id: Ieedd4e98a83ffe242c695133fdf7342e17efa9a2
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Issue-ID: SECCOM-261
Change-Id: I465282a8793191c45d288284a127e80e1fecf513
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Each node might be described with 3 types of addresses [1]. Some
providers also use node annotations [2] for assigned addresses.
This patch filters out all IP addresses from nodes list. External IPs
take precedence over internal ones. The first address on the extracted
slice will be later used to run the scan on.
This behaviour could be later modified to e.g. loop over all extracted
IP addresses (if scan fails).
[1] https://kubernetes.io/docs/concepts/architecture/nodes/#addresses
[2] https://github.com/rancher/rke/blob/master/k8s/node.go#L18
Issue-ID: SECCOM-261
Change-Id: Ifd094447f778da378dfe1aee765f552b6ebd669f
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Utility "sslendpoints" and related packages make use of idiomatic Go
testing commands, i.e. go test [./...]. Thanks to Go Modules [1] nothing
else is needed to run internal tests for this tool.
Unfortunately it's not the case for all Go-based Integration tools. In
order to use a single automated verification script in CI additional
"make" target is required. It will provide temporary compatibility layer
with utilities setting up test environment on their own with "make test"
target.
This patch should be reverted upon removal of such cases (currently:
after dropping "../k8s/check" tool in favour of Aquasec solution).
[1] https://blog.golang.org/using-go-modules (see "Adding a dependency"
test execution explanation)
Issue-ID: INT-1498
Change-Id: I14c83f7f193c7688590366db988ff02c13c036a4
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch has not made "sslendpoints" fully compatible with
"check_for_nonssl_endpoints.sh" script yet. It sets up basic development
environment for Golang-based checkers, though.
Tool output will be added to the README after reaching full
compatibility with previous (script) version.
Development environment brought by this patch is heavily based on:
https://github.com/SamsungSLAV/boruta
Issue-ID: SECCOM-261
Change-Id: I8f035b63bea13785c40971ede5fdbbc9b6810168
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch introduces a series of patches that will provide tools which
will succeed current security check scripts. Its two main reasons are:
* increasing tools verifiability by providing internal tests,
* improving "expected failure" support by suppressing carefully selected
set of special cases.
Each tool will use following directory structure (generated with
"tree -a --charset=ascii" command):
.
`-- check_module
|-- Dockerfile
|-- .dockerignore
|-- .gitignore
|-- go.mod
|-- main.go
|-- Makefile
|-- README
|-- README.rst -> README
`-- submodule
|-- submodule.go
`-- submodule_test.go
This will allow using Go Modules mechanism within its limitations [1]
for "non-go-get-able modules" [2][3][4] - also in case of separating
code into several modules used by multiple "check modules", e.g.
.
|-- common
| |-- common.go
| |-- common_test.go
| `-- go.mod
`-- check_module
|-- go.mod
`-- ...
It would require migration from separate Dockerfiles to a single one
(multi-stage), though.
Provided Makefiles are intended to simplify local development
(Docker-less building) and container images preparation. READMEs clarify
utility requirements and usage - file without extension is for VCS
reference, symlink for proper syntax rendering.
[1] https://github.com/golang/go/wiki/Modules#is-it-possible-to-add-a-module-to-a-multi-module-repository
[2] https://github.com/golang/go/wiki/Modules#can-i-work-entirely-outside-of-vcs-on-my-local-filesystem
[3] https://github.com/golang/go/issues/26645#issuecomment-408572701
[4] https://www.dim13.org/go-get-cgit
Issue-ID: SECCOM-261
Change-Id: I48eeeda66bd5570d249e96e101e431e6bab75cb3
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Issue-ID: INT-1480
Change-Id: Iabd7932e0eb8f8981d064aee0f4d8c44df65a379
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch ignores closed and filtered ports from scan results. It is
intended to keep "expected failure" list minimal.
Issue-ID: INT-1480
Change-Id: Idb93cf4e19284bc121aa45ea950d28405c29e222
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
in CI we got an error sed: unsupported command o
due to space management in the sed command
Issue-ID: INT-1480
Signed-off-by: mrichomme <morgan.richomme@orange.com>
Change-Id: I44c6ecd7c47ec02b76c7932bb86de0a58726d93d
|
|
List of expected failures for non-SSL services test has not been renamed
together with corresponding check script and might have been confusing.
Issue-ID: INT-1480
Change-Id: I4f88a09ddb90a14500498892f1fda99e1c3febf0
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Issue-ID: INT-1480
Change-Id: I755a3e65897f94e3f42f27bbf798c9bcd9c2868f
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
to be consistent with xfail lists introduced in security tests
by Pawel Wieczorek [1]
Issue-ID: INT-1435
[1]: https://gerrit.onap.org/r/c/integration/+/103444
Signed-off-by: mrichomme <morgan.richomme@orange.com>
Change-Id: I5345607931e443f3335f34823c5cd80290425a45
Signed-off-by: mrichomme <morgan.richomme@orange.com>
|
|
This patch extends tool used to detect plain HTTP ports to report all
non-SSL endpoints. Previously it omitted services not recognized as
HTTP.
Naming changes were made to reflect purpose of this tool better.
Issue-ID: INT-1480
Change-Id: I58a152022d48121bf4b9c6180ddc820dd4a79805
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch is heavily based on previous work by
Morgan Richomme <morgan.richomme@orange.com>
(Change-Id: Ibaed4c5c0e5ae179af0ae317e543c1efdc9ddef2)
It is intended to suppress failure reports on known plain HTTP
endpoints. Introduced list of "expected failures" (or "xfail" for short)
will be shrunk after resolving tickets related to INT-1480 and this
patch will be eventually reverted.
Issue-ID: INT-1480
Change-Id: I4edbf3efaf66bfa2dbe2f265983eb0a27048ed4e
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
The port scanned can be the default redis port.
A white list must be included to avoid false positive.
Open quesiton, should this list be passed as argument?
It is relatively static so for the moment, I created a list to exclude
through grep -V the false positive
Issue-ID: INT-1435
Signed-off-by: mrichomme <morgan.richomme@orange.com>
Change-Id: Ibaed4c5c0e5ae179af0ae317e543c1efdc9ddef2
Signed-off-by: mrichomme <morgan.richomme@orange.com>
|
|
Change-Id: Ic0d2a32a964a4cf5ff1580ffd06103c450a0e8b0
Issue-ID: INT-1427
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
|
|
Reported by pylint.
Change-Id: I9d5ee152f3587bb2d7e8abee919e4ffe47d8ae85
Issue-ID: INT-1427
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
|
|
Change-Id: I77bcf667d4a639b001258d026f2633fce2bfb0e6
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
Issue-ID: INT-1451
|
|
Casablanca release reached End of Life (EOL) stage on July 8th 2019 [1].
This patch also fixes comments for test fixtures.
This whole test subtree will be deleted upon migrating Aquasec
kube-bench [2] for CIS Benchmark [3] integrated by Orange [4] to ONAP
xtesting [5].
[1] https://wiki.onap.org/display/DW/Long+Term+Roadmap
[2] https://github.com/aquasecurity/kube-bench
[3] https://www.cisecurity.org/benchmark/kubernetes/
[4] https://gitlab.com/Orange-OpenSource/lfn/onap/integration/xtesting
[5] https://git.onap.org/integration/xtesting/
Issue-ID: SECCOM-235
Change-Id: Ifc7d9c775c27d4cfafdd1932809288530cffceff
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Information for etcd extracted from container on a RKE-based cluster
does not include process name.
Issue-ID: SECCOM-235
Change-Id: Ie6aee550868431d5f4d27c3b3d262e17e1aa6156
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Rancher does not provide information on etcd as container arguments.
Its collection requires implementation of a new information extraction
method.
RKE does not include etcd process name in container arguments.
Issue-ID: SECCOM-235
Change-Id: I7576474fb2848962360771d2850aeb3f3869790a
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections
regarding master node configuration are satisfied (1.3.1 and 1.3.4 -
1.3.5).
Issue-ID: SECCOM-235
Change-Id: I418034ea98423142f4875b97a8e6a22e8b4cd112
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch also fixes minor typo.
Issue-ID: SECCOM-261
Change-Id: I4326106f14381ec652eb493bf0a87fb1d82ea3fb
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This tool reads K8S NodePort and Ingress service configurations
and scans for service availability
Signed-off-by: Lucjan Bryndza <l.bryndza@samsung.com>
Change-Id: Ie9681ffe957317ed1f1c77ac9d6c90d677df294b
Issue-ID: OOM-2240
Signed-off-by: Lucjan Bryndza <l.bryndza@samsung.com>
|
|
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections
regarding master node configuration are satisfied (1.3.2 - 1.3.3
and 1.3.6).
Issue-ID: SECCOM-235
Change-Id: I9c2921faf40ad9445e983f2b9bd0610e556cfe15
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Checker collects information on cluster by Docker queries:
$ docker ps ARGS... # Casablanca
$ docker inspect ARGS... # Dublin
Arrays of values are then filtered from those. They include:
* opening bracket ('['),
* closing bracket (']'),
* new line.
Additional characters affect check results if last flag (including
"]\n") requires specific value.
Issue-ID: SECCOM-235
Change-Id: I6838342b7e2ecdc44a47ffe02286266003e0b4d3
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Running Casablanca and Dublin virtual environments at the same time led
to networking issues - the same IP had been assigned to cluster nodes.
Issue-ID: SECCOM-235
Change-Id: I2a59d023115326f5b132782a32190fd8f7dc1f48
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section
regarding master node configuration is satisfied (1.3.7).
Issue-ID: SECCOM-235
Change-Id: Id3f4bcb9a506dae3c7c0a884ad6c704dfae2a6d8
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Issue-ID: SECCOM-235
Change-Id: Ieceb6337f935e6a5a6b94248ccf072229116510a
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Issue-ID: SECCOM-235
Change-Id: I61df142e99a7f1da335471acab88e5a47d72df15
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Issue-ID: SECCOM-235
Change-Id: I7da645737440172d3cf11f33069daa2697f83056
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Issue-ID: SECCOM-235
Change-Id: Ic5997b67d0512bea51c3b4a4c71805987fa6f011
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Common command and service name extraction is intended to limit
execution to small set of allowed processes.
This patch also drops unnecessary use of "Kubernetes" name because this
whole subproject concerns its clusters.
Issue-ID: SECCOM-235
Change-Id: I8babfeb4f24cf3baa4d236ca622c21170ab6205e
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Previous way of choosing it led to impractical calls, e.g.
$ ./check -rke # (works fine)
$ ./check -ranchercli # "Not supported."
$ ./check -ranchercli -rke=false # (works fine)
Disabling default cluster access method is no longer necessary.
Issue-ID: SECCOM-235
Change-Id: I2b4d5bff10c5470e567351abeac0431bed3b7938
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Issue-ID: SECCOM-235
Change-Id: I7d4efd08b8c0258f2f9c33772bf1b1b02cedebfa
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Issue-ID: SECCOM-235
Change-Id: Ia5d75628b1c5211f378c239f84e9689d45697a04
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section
regarding master node configuration is satisfied (1.1.38).
Issue-ID: SECCOM-235
Change-Id: Ic1f175d577c79013ddb49e02b8de69137535c964
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section
regarding master node configuration is satisfied (1.1.32).
It also fixes wrong documentation comment for similar validator
(1.1.19).
Issue-ID: SECCOM-235
Change-Id: I00cb8a458871b091b16fe60fc0087b7972aa3b6b
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section
regarding master node configuration is satisfied (1.1.30).
It also covers its duplicate (1.1.39).
Issue-ID: SECCOM-235
Change-Id: I0f3031c080cf225e7c2c03e65dd0bfc780326307
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections
regarding master node configuration are satisfied (1.1.22, 1.1.25 -
1.1.26 and 1.1.28).
Issue-ID: SECCOM-235
Change-Id: Ic61a796653dc868d20fe69c3ed508e7fa8ba52db
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections
regarding master node configuration are satisfied (1.1.21, 1.1.29
and 1.1.31).
Issue-ID: SECCOM-235
Change-Id: Ia2f55f6962885a7aa878c970a406189902cfab10
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections
regarding master node configuration are satisfied (1.1.16 - 1.1.18).
Issue-ID: SECCOM-235
Change-Id: I27b63e37fc3203cf3574b9e1cdc43333041f2a36
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section
regarding master node configuration is satisfied (1.1.15).
Issue-ID: SECCOM-235
Change-Id: Ia1d27ed7a9e439bb0abf4bd8941bdd4573a50bd5
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Issue-ID: SECCOM-235
Change-Id: I25ebd2930afec6eb259f0a678fffbf7727eb315b
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section
regarding master node configuration is satisfied (1.1.19).
Issue-ID: SECCOM-235
Change-Id: I00c9600fd0d351afb7141a5fa16f348eab67b12d
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section
regarding master node configuration is satisfied (1.1.14).
Issue-ID: SECCOM-235
Change-Id: I63c2f8a5b94bfd6c9963805aae85595e6b6ad6d7
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections
regarding master node configuration are satisfied (1.1.11 - 1.1.13,
1.1.24, 1.1.27, 1.1.33 and 1.1.36).
Issue-ID: SECCOM-235
Change-Id: I920bfd42014b8458126be251648f5bf3dcd84c16
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section
regarding master node configuration is satisfied (1.1.10).
However, CIS Kubernetes Benchmark v1.3.0 mismatches official
documentation: Kubernetes 1.10+ already provides safe defaults from
security standpoint [1] (ONAP Casablanca uses 1.11).
Deprecated admission control plugin flag has also been validated since
it was still available in Kubernetes provided by Rancher [2].
[1] https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use
[2] https://github.com/rancher/rancher/issues/15064
Issue-ID: SECCOM-235
Change-Id: I0e8fe9f885861f155cb8265df085fa93dbdff6d2
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|