...

  1. Create directory

    $ mkdir ~/vuls
    $ cd ~/vuls
    $ mkdir go-cve-dictionary-log goval-dictionary-log gost-log


  2. Fetch NVD

    $ docker run --rm -it \
    -v $PWD:/go-cve-dictionary \
    -v $PWD/go-cve-dictionary-log:/var/log/go-cve-dictionary \
    vuls/go-cve-dictionary fetch nvd


  3. Fetch OVAL

    $ docker run --rm -it \
    -v $PWD:/goval-dictionary \
    -v $PWD/goval-dictionary-log:/var/log/goval-dictionary \
    vuls/goval-dictionary fetch ubuntu 16 17 18 19 20


  4. Fetch gost

    $ docker run --rm -i \
    -v $PWD:/gost \
    -v $PWD/gost-log:/var/log/gost \
    vuls/gost fetch ubuntu


  5. Create config.toml

    [servers]

    [servers.master]
    host = "192.168.2.16"
    port = "22"
    user = "test-user"
    keyPath = "/root/.ssh/id_rsa"


  6. Start the Vuls container and run the scan

    $ docker run --rm -it \
    -v ~/.ssh:/root/.ssh:ro \
    -v $PWD:/vuls \
    -v $PWD/vuls-log:/var/log/vuls \
    -v /etc/localtime:/etc/localtime:ro \
    -e "TZ=Asia/Tokyo" \
    vuls/vuls scan \
    -config=./config.toml


  7. Get the report

    $ docker run --rm -it \
    -v ~/.ssh:/root/.ssh:ro \
    -v $PWD:/vuls \
    -v $PWD/vuls-log:/var/log/vuls \
    -v /etc/localtime:/etc/localtime:ro \
    vuls/vuls report \
    -format-list \
    -config=./config.toml
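
Steps 1 to 7 form one procedure, and the part that most often fails is step 6: the `keyPath` in config.toml is a path inside the container, where the host's `~/.ssh` is mounted read-only at `/root/.ssh`, and ssh refuses a key that is group- or world-readable. The script below is an added example, not code from the Vuls project or from this page; it checks those points (config.toml present, keyPath under /root/.ssh, the matching host key owner-only, log directories present) and only then runs the scan and report commands of steps 6 and 7. The working directory and the host SSH directory are passed as arguments; the `docker run` lines mirror the ones above.

```shell
#!/bin/sh
# Added example, not part of Vuls or of the original procedure:
# preflight checks for the vuls/vuls container, then scan + report.
# Arguments: <working dir from step 1> <host ssh dir mounted at /root/.ssh>

# Print the keyPath value from config.toml (first occurrence).
config_keypath() {
  sed -n 's/^[[:space:]]*keyPath[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# keyPath is a path *inside* the container. Map it to the host file under
# the ssh dir and print that; fail if it does not live under /root/.ssh.
host_key_for() {
  cfg="$1"; ssh_dir="$2"
  kp=$(config_keypath "$cfg")
  case "$kp" in
    /root/.ssh/*) echo "${ssh_dir%/}/${kp#/root/.ssh/}" ;;
    *) echo "keyPath '$kp' is not under /root/.ssh (where $ssh_dir is mounted)" >&2
       return 1 ;;
  esac
}

# Fail unless the private key is readable by its owner only (0600/0400):
# it is bind-mounted unchanged, and ssh inside the container rejects lax modes.
key_is_private() {
  key="$1"
  [ -f "$key" ] || { echo "missing key: $key" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as fallback
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$key has mode $mode; expected 600 or 400" >&2; return 1 ;;
  esac
}

# All checks for one working directory; creates the log dirs of step 1 if absent.
vuls_preflight() {
  dir="$1"; ssh_dir="$2"
  [ -f "$dir/config.toml" ] || { echo "no config.toml in $dir" >&2; return 1; }
  mkdir -p "$dir/vuls-log" "$dir/go-cve-dictionary-log" \
           "$dir/goval-dictionary-log" "$dir/gost-log"
  key=$(host_key_for "$dir/config.toml" "$ssh_dir") || return 1
  key_is_private "$key"
}

# Common docker invocation from steps 6 and 7; remaining args go to vuls.
vuls_docker() {
  dir="$1"; ssh_dir="$2"; shift 2
  docker run --rm -it \
    -v "$ssh_dir":/root/.ssh:ro \
    -v "$dir":/vuls \
    -v "$dir/vuls-log":/var/log/vuls \
    -v /etc/localtime:/etc/localtime:ro \
    vuls/vuls "$@"
}

# Scan, then list report formats, only after the preflight passes.
vuls_scan_and_report() {
  dir="$1"; ssh_dir="$2"
  vuls_preflight "$dir" "$ssh_dir" || return 1
  vuls_docker "$dir" "$ssh_dir" scan -config=./config.toml
  vuls_docker "$dir" "$ssh_dir" report -format-list -config=./config.toml
}

# Usage: ./vuls-run.sh ~/vuls ~/.ssh
if [ $# -ge 2 ]; then
  vuls_scan_and_report "$1" "$2"
fi
```

If the preflight reports a keyPath outside /root/.ssh, fix config.toml rather than the mount: the container only ever sees the host key directory at that one path.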


Lynis

...

Kube-Hunter
  1. Create ~/validation/bluval/bluval-sdtfc.yaml to customize the test run

    blueprint:
        name: sdtfc
        layers:
            - os
            - k8s

        os: &os
            -
                name: lynis
                what: lynis
                optional: "False"

        k8s: &k8s
            -
                name: kube-hunter
                what: kube-hunter
                optional: "False"


  2. Update the ~/validation/bluval/volumes.yaml file

    volumes:
        # location of the ssh key to access the cluster
        ssh_key_dir:
            local: '/home/edge/.ssh'
            target: '/root/.ssh'
        # location of the k8s access files (config file, certificates, keys)
        kube_config_dir:
            local: '/home/edge/kube/'
            target: '/root/.kube/'
        # location of the customized variables.yaml
        custom_variables_file:
            local: '/home/edge/validation/tests/variables.yaml'
            target: '/opt/akraino/validation/tests/variables.yaml'
        # location of the bluval-<blueprint>.yaml file
        blueprint_dir:
            local: '/home/edge/validation/bluval'
            target: '/opt/akraino/validation/bluval'
        # location on where to store the results on the local jumpserver
        results_dir:
            local: '/home/edge/results'
            target: '/opt/akraino/results'
        # location on where to store openrc file
        openrc:
            local: ''
            target: '/root/openrc'

    # parameters that will be passed to the container at each layer
    layers:
        # volumes mounted at all layers; volumes specific for a different layer are below
        common:
            - custom_variables_file
            - blueprint_dir
            - results_dir
        hardware:
            - ssh_key_dir
        os:
            - ssh_key_dir
        networking:
            - ssh_key_dir
        docker:
            - ssh_key_dir
        k8s:
            - ssh_key_dir
            - kube_config_dir
        k8s_networking:
            - ssh_key_dir
            - kube_config_dir
        openstack:
            - openrc
        sds:
        sdn:
        vim:


  3. Update the ~/validation/tests/variables.yaml file

    ### Input variables cluster's master host
    host: <IP Address> # cluster's master host address
    username: <username> # login name to connect to cluster
    password: <password> # login password to connect to cluster
    ssh_keyfile: /root/.ssh/id_rsa # Identity file for authentication


  4. Run Blucon

    $ bash validation/bluval/blucon.sh sdtfc
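
Steps 1 to 4 are one procedure, and blucon.sh runs the layers inside a container, so mistakes in the three edited files surface late and with little context. The script below is an added example, not part of the Akraino validation project or of this page: before calling blucon.sh it lists the tests the blueprint file will run (the `what:` entries), checks that every non-empty `local:` path in volumes.yaml exists on the jumpserver, and refuses to start while variables.yaml still contains a `<placeholder>` such as `<IP Address>`. File locations follow the layout shown above under `$HOME`; the blueprint name is the only argument.

```shell
#!/bin/sh
# Added example, not from the Akraino validation repo: sanity checks on
# bluval-<blueprint>.yaml, volumes.yaml and variables.yaml, then blucon.sh.
# Usage: ./bluval-check.sh sdtfc   (run from the directory holding validation/)

# Print the "what:" value of every test entry in the blueprint file.
blueprint_tests() {
  sed -n 's/^[[:space:]]*what:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1"
}

# Print each non-empty "local:" path from volumes.yaml that does not exist
# on this host; succeed only if all of them exist. (Paths with spaces are
# not expected in this file and are not handled.)
missing_local_volumes() {
  missing=0
  for p in $(sed -n "s/^[[:space:]]*local:[[:space:]]*'\([^']*\)'.*/\1/p" "$1"); do
    [ -e "$p" ] || { echo "$p"; missing=$((missing + 1)); }
  done
  [ "$missing" -eq 0 ]
}

# Print any line of variables.yaml that still carries an unfilled
# <placeholder>; succeed only if there is none.
unfilled_placeholders() {
  left=$(grep -n '<[A-Za-z][A-Za-z ]*>' "$1" || true)
  [ -z "$left" ] && return 0
  printf '%s\n' "$left" >&2
  return 1
}

# Run all three checks; return non-zero if any of them fails.
bluval_preflight() {
  bp="$1"; vols="$2"; vars="$3"; ok=0
  echo "tests to run: $(blueprint_tests "$bp" | tr '\n' ' ')"
  if ! m=$(missing_local_volumes "$vols"); then
    printf 'missing local volume path: %s\n' $m >&2
    ok=1
  fi
  unfilled_placeholders "$vars" || ok=1
  return "$ok"
}

# Same invocation as step 4, guarded by the preflight.
run_blucon() {
  name="$1"
  bluval_preflight "$HOME/validation/bluval/bluval-$name.yaml" \
                   "$HOME/validation/bluval/volumes.yaml" \
                   "$HOME/validation/tests/variables.yaml" || return 1
  bash validation/bluval/blucon.sh "$name"
}

if [ $# -eq 1 ]; then
  run_blucon "$1"
fi
```

The `openrc` entry with `local: ''` is skipped on purpose: an empty path is how the file above disables that mount for blueprints without OpenStack.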

...


Expected output

Test Results

...

Lynis

[Lynis result image]

Kube-Hunter

[Kube-Hunter result image]

There are 5 vulnerabilities:

  • KHV002
  • KHV005
  • KHV050
  • CAP_NET_RAW Enabled
  • Access to pod's secrets

Fix for KHV002

$ kubectl replace -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "false"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:public-info-viewer
rules:
- nonResourceURLs:
  - /healthz
  - /livez
  - /readyz
  verbs:
  - get
EOF


Fix for KHV005, KHV050, Access to pod's secrets

$ kubectl replace -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: default
automountServiceAccountToken: false
EOF
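
Two things are easy to miss with the fixes above: the ClusterRole replacement removes `/version` from the built-in `system:public-info-viewer` role (that is what closes KHV002), and the ServiceAccount manifest only changes the `default` account in the `default` namespace, while every namespace has its own. The script below is an added example, not from kube-hunter or the blueprint documentation: it checks that `/version` is no longer granted, lists the namespaces whose `default` ServiceAccount still automounts a token, and patches them. It assumes `kubectl` on PATH with cluster-admin rights; `KUBECTL` can be overridden with a wrapper (the verification run substitutes a stub).

```shell
#!/bin/sh
# Added example, not from kube-hunter or the blueprint: verify the KHV002
# fix and apply the ServiceAccount fix to every namespace.
# Usage: ./verify-fixes.sh --apply
KUBECTL="${KUBECTL:-kubectl}"

# KHV002: succeed (true) if /version is still granted by the public role.
version_url_still_public() {
  urls=$($KUBECTL get clusterrole system:public-info-viewer \
           -o jsonpath='{.rules[*].nonResourceURLs[*]}')
  case " $urls " in
    *" /version "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Namespaces whose default ServiceAccount still automounts an API token:
# the field is absent (printed as <none>) or anything other than "false".
namespaces_with_automount() {
  $KUBECTL get serviceaccounts --all-namespaces --no-headers \
    -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,AUTO:.automountServiceAccountToken |
  awk '$2 == "default" && $3 != "false" { print $1 }'
}

# Same setting as the ServiceAccount manifest above, applied as a patch so
# the account's other fields (secrets, imagePullSecrets) are left alone.
disable_default_sa_automount() {
  $KUBECTL -n "$1" patch serviceaccount default \
    -p '{"automountServiceAccountToken": false}'
}

# Patch every namespace that still needs it; print how many were changed.
harden_all_namespaces() {
  n=0
  for ns in $(namespaces_with_automount); do
    disable_default_sa_automount "$ns" >&2
    n=$((n + 1))
  done
  echo "$n"
}

if [ "${1:-}" = "--apply" ]; then
  if version_url_still_public; then
    echo "KHV002: /version is still readable without authentication" >&2
  fi
  echo "patched $(harden_all_namespaces) default ServiceAccount(s)"
fi
```

Keep the `rbac.authorization.kubernetes.io/autoupdate: "false"` annotation from the ClusterRole fix: without it the API server's RBAC reconciler restores the built-in rules on the next restart. A pod can still set `automountServiceAccountToken: true` in its own spec, so workloads that genuinely need the API should get a dedicated ServiceAccount rather than a re-enabled `default` one.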



Test Dashboards

A single-pane view of the test scores for the blueprint.

...