
gke-auditor's Introduction

GKE Auditor

A tool to detect a set of common Google Kubernetes Engine misconfigurations. It is aimed at helping security and development teams streamline the configuration parts of their processes and save time looking for generic bugs and vulnerabilities.

The tool consists of individual modules called Detectors, each scanning for a specific vulnerability.

This is not an officially supported Google product.

Dependencies

To install the dependencies on Debian, run:

install-debian.sh

If the tool is run from a GCP Cloud Shell, all the above-mentioned dependencies should be pre-installed in the Shell. To access the Cloud Shell, use the Google Cloud Console or SSH into it by running

gcloud alpha cloud-shell ssh

after installing the Google Cloud SDK on your local machine.

Installation

git clone https://github.com/google/gke-auditor
cd ./gke-auditor/
./build.sh

Authentication

Before running the tool, make sure to configure access to your cluster.

gcloud init
gcloud auth login
gcloud container clusters get-credentials CLUSTER_NAME --zone=ZONE

Usage

The tool has to be built by running the build.sh script first.

Once the tool is built, it can be run using the auditor.sh script, using the following options:

 ./auditor.sh [-a] [-ast] [-c] [-d] [-h] [-i <arg>] [-p <arg>] [-q]
       [-r <arg>]
 -a,--all          Run all detectors.
 -ast,--assets     Run all detectors for each individual asset.
 -c,--color        Turns on tool output coloring.
 -d,--defaults     Runs detectors including Kubernetes default assets.
                   Disabled by default.
 -h,--help         Print help information.
 -i,--iso <arg>    Run Node Isolation detectors.
                   To run all detectors, omit the argument list.
                   To specify individual detectors to run, give a list of
                   indices:
                   1. NODE_SELECTOR_POD_REJECTED
                   2. NODE_TAINTS_POD_REJECTED
                   3. NODE_AFFINITY_POD_REJECTED
 -p,--psp <arg>    Run PSP (Pod Security Policy) detectors.
                   To run all detectors, omit the argument list.
                   To specify individual detectors to run, give a list of
                   indices:
                   1. PRIVILEGED_CONTAINERS
                   2. CONTAINERS_SHARING_HOST_PROCESS_ID_NAMESPACE
                   3. CONTAINERS_SHARING_HOST_IPC
                   4. CONTAINER_SHARING_HOST_NETWORK_NAMESPACE
                   5. CONTAINERS_ALLOW_PRIVILEGE_ESCALATION
                   6. ROOT_CONTAINERS_ADMISSION
                   7. CONTAINERS_NET_RAW_CAPABILITY
                   8. CONTAINERS_ADDED_CAPABILITIES
                   9. CONTAINERS_CAPABILITIES_ASSIGNED
 -q,--quiet        Prints out only misconfigurations, without additional
                   detector info. Disabled by default.
 -r,--rbac <arg>   Run RBAC (Role Based Access Control) detectors.
                   To run all detectors, omit the argument list.
                   To specify individual detectors to run, give a list of
                   indices:
                   1. CLUSTER_ADMIN_ROLE_USED
                   2. SECRET_ACCESS_ALLOWED
                   3. WILDCARD_USED
                   4. CREATE_PODS_ALLOWED
                   5. AUTOMOUNT_SERVICE_ACCOUNT_TOKEN_ENABLED
                   6. ESCALATING_RESOURCES_REPORT
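To make the PSP detector list above concrete, here is an added example (not gke-auditor's own code) of the kind of pod-spec checks those detector names describe, run over two constructed manifests. The field names are the standard Kubernetes PodSpec/SecurityContext fields; the exact conditions gke-auditor applies (and the CONTAINERS_CAPABILITIES_ASSIGNED check, which is omitted) are the tool's own and are only approximated here.

```python
from typing import Dict, List

def psp_findings(pod: Dict) -> List[str]:
    """Return the PSP-style detector names a pod manifest would trigger."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    hits = set()
    # Pod-level host namespace sharing.
    if spec.get("hostPID"):
        hits.add("CONTAINERS_SHARING_HOST_PROCESS_ID_NAMESPACE")
    if spec.get("hostIPC"):
        hits.add("CONTAINERS_SHARING_HOST_IPC")
    if spec.get("hostNetwork"):
        hits.add("CONTAINER_SHARING_HOST_NETWORK_NAMESPACE")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        if sc.get("privileged"):
            hits.add("PRIVILEGED_CONTAINERS")
        # Kubernetes treats an unset allowPrivilegeEscalation as true,
        # so only an explicit false satisfies the check.
        if sc.get("allowPrivilegeEscalation", True):
            hits.add("CONTAINERS_ALLOW_PRIVILEGE_ESCALATION")
        # Root admission: the container setting wins over the pod-level one.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and not uid:
            hits.add("ROOT_CONTAINERS_ADMISSION")
        dropped = {x.upper() for x in caps.get("drop", [])}
        # NET_RAW is in the default capability set; it stays unless dropped.
        if "NET_RAW" not in dropped and "ALL" not in dropped:
            hits.add("CONTAINERS_NET_RAW_CAPABILITY")
        if caps.get("add"):
            hits.add("CONTAINERS_ADDED_CAPABILITIES")
    return sorted(hits)

# Constructed manifests (not taken from any real cluster).
BAD_POD = {"spec": {"hostPID": True, "containers": [
    {"name": "app", "securityContext": {"privileged": True,
     "capabilities": {"add": ["SYS_ADMIN"]}}}]}}
HARDENED_POD = {"spec": {"securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "app", "securityContext": {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    print("bad:", psp_findings(BAD_POD))
    print("hardened:", psp_findings(HARDENED_POD))
```

The hardened manifest triggers nothing because it sets every field the checks look at explicitly; the bad one trips six of the nine detectors at once.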

Examples

Run all detectors

./auditor.sh

or

./auditor.sh --all

Run specific detectors

./auditor.sh --iso 1 --psp 2,3 --rbac 

This will run the first isolation detector (NODE_SELECTOR_POD_REJECTED), second and third PSP detectors (CONTAINERS_SHARING_HOST_PROCESS_ID_NAMESPACE, CONTAINERS_SHARING_HOST_IPC) and all RBAC detectors.

Detectors can be chosen by specifying a list of indices in accordance with the lists given in the help section of the tool.

Run detectors for individual assets

./auditor.sh --assets # Runs all detectors.
./auditor.sh --assets --iso 0 --psp 1,2 --rbac  # Runs only specified detectors.

In this mode the tool audits assets individually: instead of running each detector over all available assets, it runs all selected detectors against a single asset at a time.

Additional features

In addition to the examples listed above, the tool can be run with the following options:

Coloring

./auditor.sh -c

Vulnerabilities will be colored in red.

Quiet mode

./auditor.sh -q

Quiet mode: no additional information about vulnerabilities will be printed out besides the detector names and vulnerable assets found.

Including K8s defaults

./auditor.sh -d

Includes K8s defaults in the audit.

A default K8s cluster will have some configurations which might be considered vulnerable by the tool. Those configurations are excluded from the audit by default, but including those defaults might be useful for some researchers (e.g. those auditing K8s itself).
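The RBAC detector list and the defaults switch together, as an added example that is not gke-auditor's code: constructed Role and ClusterRoleBinding objects are checked for the CLUSTER_ADMIN_ROLE_USED, WILDCARD_USED, SECRET_ACCESS_ALLOWED and CREATE_PODS_ALLOWED conditions, and an assumed, illustrative set of default subjects is skipped unless defaults are requested, mirroring the idea behind -d/--defaults (the tool's real list of default assets lives in its source and is not reproduced here).

```python
from typing import Dict, List

# Assumed, illustrative stand-in for the tool's own list of K8s default assets.
DEFAULT_SUBJECTS = {"system:masters"}

def _grants(values: List[str], wanted: str) -> bool:
    """True when a rule field names the item or uses the '*' wildcard."""
    return "*" in values or wanted in values

def rbac_findings(roles: List[Dict], bindings: List[Dict],
                  include_defaults: bool = False) -> List[str]:
    """Return RBAC-style detector names triggered by the bindings' roles."""
    rules_by_role = {r["metadata"]["name"]: r.get("rules", []) for r in roles}
    hits = set()
    for b in bindings:
        subjects = [s["name"] for s in b.get("subjects", [])]
        if not include_defaults:
            # Like -d/--defaults: bindings granted only to defaults are skipped.
            subjects = [s for s in subjects if s not in DEFAULT_SUBJECTS]
        if not subjects:
            continue
        role = b["roleRef"]["name"]
        if role == "cluster-admin":
            hits.add("CLUSTER_ADMIN_ROLE_USED")
        for rule in rules_by_role.get(role, []):
            groups, res, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
            if "*" in groups or "*" in res or "*" in verbs:
                hits.add("WILDCARD_USED")
            if _grants(res, "secrets") and any(_grants(verbs, v) for v in ("get", "list", "watch")):
                hits.add("SECRET_ACCESS_ALLOWED")
            if _grants(res, "pods") and _grants(verbs, "create"):
                hits.add("CREATE_PODS_ALLOWED")
    return sorted(hits)

# Constructed objects (not taken from any real cluster).
ROLES = [
    {"metadata": {"name": "secret-reader"}, "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "anything"}, "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
BINDINGS = [
    {"roleRef": {"name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"roleRef": {"name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-bot"}]},
    {"roleRef": {"name": "anything"},
     "subjects": [{"kind": "User", "name": "dev@example.com"}]},
]
```

With defaults excluded the cluster-admin binding to system:masters is ignored; passing include_defaults=True surfaces it as CLUSTER_ADMIN_ROLE_USED, which is the behaviour a researcher auditing K8s itself would want.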

Detector Information

For detailed information about the vulnerabilities the detectors are checking for, refer to OUTPUTS.md.

References

Some of the implemented detectors refer to CIS Benchmarks.

Contributing

See CONTRIBUTING.md.

License

Copyright 2020 Google LLC

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

gke-auditor's People

Contributors

glitch-is, mirnabaksa


gke-auditor's Issues

[Error][UBUNTU] - An exception occurred while communicating with the API.

The build script outputs the following:

[WARNING] 
[WARNING] Some problems were encountered while building the effective model for gke-auditor:gke-auditor:jar:1.0-SNAPSHOT
[WARNING] 'dependencies.dependency.version' for org.junit.jupiter:junit-jupiter:jar is either LATEST or RELEASE (both of them are being deprecated) @ line 129, column 16
[WARNING] 'dependencies.dependency.scope' for org.junit:junit-bom:pom must be one of [provided, compile, runtime, test, system] but is 'import'. @ line 99, column 14
[WARNING] 
[WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
[WARNING] 
[WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
[WARNING] 

And test.sh fails as well:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M4:test (default-test) on project gke-auditor: There are test failures.
[ERROR] 
[ERROR] Please refer to /home/mikejones/appsec/gke-auditor/target/surefire-reports for the individual test results.
[ERROR] Please refer to dump files (if any exist) [date].dump, [date]-jvmRun[N].dump and [date].dumpstream.
[ERROR] The forked VM terminated without properly saying goodbye. VM crash or System.exit called?
[ERROR] Command was /bin/sh -c cd /home/mikejones/appsec/gke-auditor && /usr/lib/jvm/java-11-openjdk-amd64/bin/java -jar /home/mikejones/appsec/gke-auditor/target/surefire/surefirebooter17948487640006596760.jar /home/mikejones/appsec/gke-auditor/target/surefire 2020-10-22T10-26-36_719-jvmRun1 surefire16552605127534103655tmp surefire_014708953282045072273tmp
[ERROR] Process Exit Code: 0
[ERROR] Crashed tests:
[ERROR] com.google.gke.auditor.system.AssetServiceTest
[ERROR] org.apache.maven.surefire.booter.SurefireBooterForkException: The forked VM terminated without properly saying goodbye. VM crash or System.exit called?
[ERROR] Command was /bin/sh -c cd /home/mikejones/appsec/gke-auditor && /usr/lib/jvm/java-11-openjdk-amd64/bin/java -jar /home/mikejones/appsec/gke-auditor/target/surefire/surefirebooter17948487640006596760.jar /home/mikejones/appsec/gke-auditor/target/surefire 2020-10-22T10-26-36_719-jvmRun1 surefire16552605127534103655tmp surefire_014708953282045072273tmp
[ERROR] Process Exit Code: 0
[ERROR] Crashed tests:
[ERROR] com.google.gke.auditor.system.AssetServiceTest
[ERROR] 	at org.apache.maven.plugin.surefire.booterclient.ForkStarter.fork(ForkStarter.java:690)
[ERROR] 	at org.apache.maven.plugin.surefire.booterclient.ForkStarter.run(ForkStarter.java:285)
[ERROR] 	at org.apache.maven.plugin.surefire.booterclient.ForkStarter.run(ForkStarter.java:248)
[ERROR] 	at org.apache.maven.plugin.surefire.AbstractSurefireMojo.executeProvider(AbstractSurefireMojo.java:1217)
[ERROR] 	at org.apache.maven.plugin.surefire.AbstractSurefireMojo.executeAfterPreconditionsChecked(AbstractSurefireMojo.java:1063)
[ERROR] 	at org.apache.maven.plugin.surefire.AbstractSurefireMojo.execute(AbstractSurefireMojo.java:889)
[ERROR] 	at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:137)
[ERROR] 	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:210)
[ERROR] 	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:156)
[ERROR] 	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:148)
[ERROR] 	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:117)
[ERROR] 	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:81)
[ERROR] 	at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:56)
[ERROR] 	at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
[ERROR] 	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:305)
[ERROR] 	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:192)
[ERROR] 	at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:105)
[ERROR] 	at org.apache.maven.cli.MavenCli.execute(MavenCli.java:957)
[ERROR] 	at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:289)
[ERROR] 	at org.apache.maven.cli.MavenCli.main(MavenCli.java:193)
[ERROR] 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[ERROR] 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[ERROR] 	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[ERROR] 	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
[ERROR] 	at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:282)
[ERROR] 	at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:225)
[ERROR] 	at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:406)
[ERROR] 	at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:347)
[ERROR] 
[ERROR] -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

[Error][MAC] - An exception occurred while communicating with the API.

When executing the tool, it throws the error: An exception occurred while communicating with the API.

Environment

  • MacOS Catalina 10.15.5
  • Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f)
  • Google Cloud SDK 290.0.0
  • javac 12.0.1
  • kubectl version Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.3", GitCommit:"5e53fd6bc17c0dec8434817e69b04a25d8ae0ff0", GitTreeState:"clean", BuildDate:"2019-06-06T01:44:30Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"darwin/amd64"}
    Server Version: version.Info{Major:"1", Minor:"18+", GitVersion:"v1.18.6-gke.3504", GitCommit:"ebdafa7ed3984f94e1ab914221bf04b62a5cd1b8", GitTreeState:"clean", BuildDate:"2020-09-09T02:49:12Z", GoVersion:"go1.13.9b4", Compiler:"gc", Platform:"linux/amd64"}

Add output formatting options

I think it is essential to provide some options for outputting the results in other formats (JSON, SARIF, etc) for parsing reasons. Even with the color output disabled, bold ANSI codes are still added to the output which makes it very difficult to read anywhere but the terminal.

[Error] NullPointer exception

When I ran it, it showed me some vulnerabilities, then it broke with the error

$ ./auditor.sh
...
Detector: AUTOMOUNT_SERVICE_ACCOUNT_TOKENS_ENABLED
        Explanation: Service accounts tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API server. Mounting service account tokens inside pods can provide an avenue for privilege escalation attacks where an attacker is able to compromise a single pod in the cluster. Avoiding mounting these tokens removes this attack avenue.
        Remediation: Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it.
        Useful links: [https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/]
        Level: VULNERABILITY
        Severity: MEDIUM
Potential vulnerabilities: 0
Exception in thread "main" java.lang.NullPointerException
        at com.google.gke.auditor.models.Dependency.getAssetName(Dependency.java:145)
        at com.google.gke.auditor.system.AssetService.lambda$retrieveAndFilterDefaults$1(AssetService.java:401)
        at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:176)
        at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
        at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
        at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578)
        at com.google.gke.auditor.system.AssetService.retrieveAndFilterDefaults(AssetService.java:402)
        at com.google.gke.auditor.system.AssetService.getAssets(AssetService.java:390)
        at com.google.gke.auditor.system.AssetService.getAssets(AssetService.java:412)
        at com.google.gke.auditor.system.DetectorRunner.runDetector(DetectorRunner.java:68)
        at com.google.gke.auditor.system.DetectorRunner.runDetectors(DetectorRunner.java:55)
        at com.google.gke.auditor.system.DetectorRunner.run(DetectorRunner.java:41)
        at com.google.gke.auditor.Main.main(Main.java:59)

Environment

Running on Google Cloud Shell and used bash install-debian.sh
