Linux and Kubernetes compliance (#1)

* hipaa * kube scripts * Added Test Category * Compliance Binary Co-authored-by: Saurabh <[email protected]> Co-authored-by: Jatin Baweja <[email protected]>
deepfence · Jul 28, 2022 · 543c347 · 543c347
1 parent f6267e4
commit 543c347
Show file tree

Hide file tree

Showing 142 changed files with 16,200 additions and 10,188 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1 +1,2 @@
 .idea/
+.DS_Store
diff --git a/Makefile b/Makefile
@@ -0,0 +1,9 @@
+all: Compliance
+
+clean:
+	-rm ./compliance
+
+Compliance:
+	go build -o compliance
+
+.PHONY: clean
diff --git a/compliance b/compliance
diff --git a/config.go b/config.go
@@ -1,4 +1,4 @@
-package compliance
+package main
 
 import (
 	"encoding/json"
@@ -10,9 +10,10 @@ type Script struct {
 	Files []string `json:"files"`
 	Name string `json:"name"`
 	Desc string `json:"desc"`
+	Vars []string `json:"variables"`
 }
 
-const configFile = "config.json"
+const configFile = "/usr/local/bin/compliance_check/config.json"
 
 func LoadConfig() (map[string]Script, error) {
 	configFile, err := os.Open(configFile)

diff --git a/config.json b/config.json
@@ -1,32 +1,67 @@
 {
-  "dockerCheckPrerequisites": {
+
+  "hipaa": {
     "files": [
-      "scripts/host.tmpl"
+      "/usr/local/bin/compliance_check/scripts/hipaa.sh"
     ],
-    "name": "Docker Bench Tests",
-    "desc": "Docker CIS benchmark tests"
+    "name": "HIPAA Compliance Checks",
+    "desc": "HIPAA Compliance Checks",
+    "variables": ["pathPrefix"]
   },
-  "kubeBench1.6.0": {
+  "pci": {
     "files": [
-      "kube_master_1_6_0.tmpl",
-      "kube_worker_1_6_0.tmpl"
+      "/usr/local/bin/compliance_check/scripts/pci.sh"
     ],
-    "name": "Kubernetes 1.6.0 Bench Test",
-    "desc": "Bench Test for Kube 1.6.0",
-    "conditions": {
-      "version": "1.6.0"
-    }
+    "name": "PCI Compliance Checks",
+    "desc": "PCI Compliance Checks",
+    "variables": ["pathPrefix"]
   },
-  "kubeBench1.5.1": {
+  "gdpr": {
     "files": [
-      "kube_master_1_5_1.tmpl",
-      "kube_worker_1_5_1.tmpl"
+      "/usr/local/bin/compliance_check/scripts/gdpr.sh"
     ],
-    "name": "Kubernetes 1.5.1 Bench Test",
-    "desc": "Bench Test for Kube 1.5.1",
-    "conditions": {
-      "version": "1.5.1",
-      "isKubeMaster": true
-    }
+    "name": "GDPR Compliance Checks",
+    "desc": "GDPR Compliance Checks",
+    "variables": ["pathPrefix"]
+  },
+  "nist": {
+    "files": [
+      "/usr/local/bin/compliance_check/scripts/nist.sh"
+    ],
+    "name": "NIST Compliance Checks",
+    "desc": "NIST Compliance Checks",
+    "variables": ["pathPrefix"]
+  },
+  "hipaakube": {
+    "files": [
+      "/usr/local/bin/compliance_check/scripts/hipaakube.sh"
+    ],
+    "name": "HIPAA Compliance Checks",
+    "desc": "HIPAA Compliance Checks",
+    "variables": ["pathPrefix", "NODE_TYPE"]
+  },
+  "pcikube": {
+    "files": [
+      "/usr/local/bin/compliance_check/scripts/pcikube.sh"
+    ],
+    "name": "PCI Compliance Checks",
+    "desc": "PCI Compliance Checks",
+    "variables": ["pathPrefix", "NODE_TYPE"]
+  },
+  "gdprkube": {
+    "files": [
+      "/usr/local/bin/compliance_check/scripts/gdprkube.sh"
+    ],
+    "name": "GDPR Compliance Checks",
+    "desc": "GDPR Compliance Checks",
+    "variables": ["pathPrefix", "NODE_TYPE"]
+  },
+  "nistkube": {
+    "files": [
+      "/usr/local/bin/compliance_check/scripts/nistkube.sh"
+    ],
+    "name": "NIST Compliance Checks",
+    "desc": "NIST Compliance Checks",
+    "variables": ["pathPrefix", "NODE_TYPE"]
   }
 }
diff --git a/executor.go b/executor.go
@@ -1,11 +1,10 @@
-package compliance
+package main
 
 import (
 	"bufio"
 	"bytes"
+	"encoding/json"
 	"fmt"
-	"github.com/deepfence/compliance/global"
-	"github.com/deepfence/compliance/share"
 	log "github.com/sirupsen/logrus"
 	"io/ioutil"
 	"os"
@@ -27,85 +26,45 @@ type DockerReplaceOpts struct {
 }
 
 type benchItem struct {
-	level       string
-	testNum     string
-	group       string
-	header      string
-	profile     string // level 1, 2
-	scored      bool
-	automated   bool
-	message     []string
-	remediation string
+	Level       	  string
+	TestNum     	  string
+	Group       	  string
+	Header      	  string
+	Profile     	  string // level 1, 2
+	Scored      	  bool
+	Automated   	  bool
+	Message     	  string
+	Remediation 	  string
+	RemediationImpact string
+	TestCategory 	  string
 }
 
-func (b *Bench) runScript() {
-	/*var errb, outb bytes.Buffer
-	args := []string{
-		system.NSActRun, "-f", script,
-		"-m", global.SYS.GetMountNamespacePath(1),
-		"-n", global.SYS.GetNetNamespacePath(1),
-	}
-	log.WithFields(log.Fields{"type": bench}).Debug("Running Kubernetes CIS bench")
-	cmd := exec.Command(system.ExecNSTool, args...)
-	cmd.SysProcAttr = &syscall.SysProcAttr{Setsid: true}
-	cmd.Stdout = &outb
-	cmd.Stderr = &errb
-	b.childCmd = cmd
-	err := cmd.Start()
-	if err != nil {
-		log.WithFields(log.Fields{"error": err, "msg": errb.String()}).Error("Start")
-		return nil, err
-	}
-	pgid := cmd.Process.Pid
-	global.SYS.AddToolProcess(pgid, 1, "kube-bench", script)
-	err = cmd.Wait()
-	global.SYS.RemoveToolProcess(pgid, false)
-	out := outb.Bytes()
+func (b *Bench) RunScripts() ([]byte, error) {
+	for _, destPath := range b.script.Files {
 
-	b.childCmd = nil
-	if err != nil {
-		if ee, ok := err.(*exec.ExitError); ok {
-			status := global.SYS.GetExitStatus(ee)
-			if status == 2 {
-				// Not a master or worker node, ignore the error
-				log.WithFields(log.Fields{"msg": errb.String()}).Debug("Done")
-				return nil, fmt.Errorf("Node type not recognized")
+		var errb, outb bytes.Buffer
+		//fmt.Println(args)
+		cmd := exec.Command("bash", destPath)
+		cmd.Env = os.Environ()
+		for _, variable := range b.script.Vars {
+			value := os.Getenv(variable)
+			if value != "" {
+				fmt.Println("Applying env variable:" + variable + "with value: " + value)
+				cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", variable, value))
 			}
 		}
-
-		log.WithFields(log.Fields{"error": err, "msg": errb.String()}).Error("")
-		return nil, err
-	}
-
-	log.WithFields(log.Fields{"type": bench}).Debug("Finish Kubernetes CIS bench")
-	return out, nil*/
-}
-
-func (b *Bench) RunScripts() ([]byte, error) {
-	for _, tmplFile := range b.script.Files {
-		destPath := strings.Replace(tmplFile, ".tmpl", ".sh", -1)
-		err := b.replaceTemplateVars(tmplFile, destPath, nil)
-		if err != nil {
-			return nil, err
-		}
-		args := []string{"run", "-f", destPath,
-			"-m", global.SYS.GetMountNamespacePath(1), "-n", global.SYS.GetNetNamespacePath(1)}
-		var errb, outb bytes.Buffer
-		cmd := exec.Command("/usr/local/bin/nstools", args...)
 		cmd.SysProcAttr = &syscall.SysProcAttr{Setsid: true}
 		cmd.Stdout = &outb
 		cmd.Stderr = &errb
 		b.childCmd = cmd
 
-		err = cmd.Start()
+		err := cmd.Start()
 		if err != nil {
 			log.WithFields(log.Fields{"error": err, "msg": errb.String()}).Error("Start")
 			return nil, err
 		}
-		pgid := cmd.Process.Pid
 		// global.SYS.AddToolProcess(pgid, 1, "host-bench", destPath)
 		err = cmd.Wait()
-		global.SYS.RemoveToolProcess(pgid, false)
 		out := outb.Bytes()
 
 		b.childCmd = nil
@@ -117,9 +76,15 @@ func (b *Bench) RunScripts() ([]byte, error) {
 			return nil, err
 		}
 		items := b.getBenchMsg(out)
-		fmt.Println("Sending items to stdout:")
+		// fmt.Println("Sending items to stdout:")
 		for _, item := range items {
-			fmt.Println(item)
+			//fmt.Println(item)
+			s, err := json.Marshal(item)
+			if err == nil {
+				fmt.Println(string(s))
+			} else {
+				fmt.Println(err.Error())
+			}
 		}
 		return out, nil
 	}
@@ -160,35 +125,16 @@ func (b *Bench) replaceTemplateVars(srcPath, dstPath string, containers []string
 	return nil
 }
 
-func (b *Bench) getBenchMsg(out []byte) []*benchItem {
-	list := make([]*benchItem, 0)
+func (b *Bench) getBenchMsg(out []byte) []benchItem {
+	list := make([]benchItem, 0)
 	scanner := bufio.NewScanner(strings.NewReader(string(out)))
-	var last, item *benchItem
 	for scanner.Scan() {
 		// Read output line-by-line. Every check forms a item,
 		// the first line is the header and the rest form the message
 		line := scanner.Text()
-		if c, ok := b.parseBenchMsg(line); ok {
-			if c.testNum == "" && item != nil {
-				item.message = append(item.message, c.header)
-			} else {
-				if item != nil {
-					// add the last item to the result
-					if b.acceptBenchItem(last, item) {
-						list = append(list, last)
-					}
-					last = item
-				}
-				item = c
-			}
-		}
-	}
-	if item != nil {
-		// add the last item to the result
-		if b.acceptBenchItem(last, item) {
-			list = append(list, last)
-		}
-		if b.acceptBenchItem(item, nil) {
+		var item benchItem
+		err := json.Unmarshal([]byte(line), &item)
+		if err == nil && b.acceptBenchItem(&item, nil) {
 			list = append(list, item)
 		}
 	}
@@ -197,16 +143,16 @@ func (b *Bench) getBenchMsg(out []byte) []*benchItem {
 
 // check if last item should be accepted or ignored
 func (b *Bench) acceptBenchItem(last, item *benchItem) bool {
-	if last == nil {
+	/*if last == nil {
 		return false
 	}
 	// 1.2 should be ignored if the next line has 1.2. prefix
-	if item != nil && strings.HasPrefix(item.testNum, fmt.Sprintf("%s.", last.testNum)) {
+	if item != nil && strings.HasPrefix(item.TestNum, fmt.Sprintf("%s.", last.TestNum)) {
 		return false
 	}
 	// Ignore NOTE and INFO entries
-	if last.level == share.BenchLevelNote || last.level == share.BenchLevelInfo {
+	if last.Level == share.BenchLevelNote || last.Level == share.BenchLevelInfo {
 		return false
-	}
+	}*/
 	return true
 }
diff --git a/go.mod b/go.mod
@@ -6,10 +6,31 @@ replace github.com/kubernetes/cri-api => k8s.io/cri-api v0.22.3
 
 require (
 	github.com/aws/aws-sdk-go v1.42.22
+	github.com/golang/protobuf v1.5.2
 	github.com/sirupsen/logrus v1.8.1
 	github.com/vishvananda/netlink v1.1.0
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74
+	k8s.io/api v0.23.6
 // github.com/zcalusic/sysinfo latest
 )
 
-require golang.org/x/sys v0.0.0-20210423082822-04245dca01da // indirect
+require (
+	github.com/go-logr/logr v1.2.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/go-cmp v0.5.5 // indirect
+	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	golang.org/x/net v0.0.0-20211209124913-491a49abca63 // indirect
+	golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e // indirect
+	golang.org/x/text v0.3.7 // indirect
+	google.golang.org/protobuf v1.27.1 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	k8s.io/apimachinery v0.23.6 // indirect
+	k8s.io/klog/v2 v2.30.0 // indirect
+	k8s.io/utils v0.0.0-20211116205334-6203023598ed // indirect
+	sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
+)