actuary's Issues

Panic when auditctl not found

This should probably not give a runtime panic, and should just skip the tests.

➜  ./main -f default.toml 
2016/05/10 12:14:17 Running Audit: Host Configuration
[WARN] - 1.1 Create a separate partition for containers 
     Containers NOT in seperate partition

[PASS] - 1.2 Use the updated Linux Kernel 
[INFO] - 1.4 Remove all non-essential services from the host 
     Host listening on 29 ports: [4371 57621 53 17500 4381 17600 17603 47856 48516 44692 33926 59646 42908 35872 54582 44670 53846 34510 36274 52994 37242 53816 52452 39380 42390 35768 39618 56460 37950]

[PASS] - 1.5 Keep Docker up to date 
[INFO] - 1.6 Only allow trusted users to control Docker daemon 
     The following users control the Docker daemon: [diogo]

2016/05/10 12:14:18 Could not find auditctl tool
panic: Could not find auditctl tool

goroutine 1 [running]:
panic(0x7afe00, 0xc8204de500)
    /usr/lib/go-1.6/src/runtime/panic.go:464 +0x3e6
log.Panicf(0x95b2c0, 0x1c, 0x0, 0x0, 0x0)
    /usr/lib/go-1.6/src/log/log.go:327 +0xd8
github.com/diogomonica/actuary/checks.checkAuditRule(0x8ff2b0, 0xf, 0xc8204f1d10)
    /home/diogo/go/src/github.com/diogomonica/actuary/checks/checks.go:250 +0x308
github.com/diogomonica/actuary/checks.AuditDockerDaemon(0xc8200f2120, 0x945ef0, 0x17, 0x0, 0x0, 0x0, 0x0)
    /home/diogo/go/src/github.com/diogomonica/actuary/checks/dockerhost.go:139 +0x85
main.main()
    /home/diogo/go/src/github.com/diogomonica/actuary/cmd/actuary/main.go:67 +0x57e
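One way to make the check degrade instead of panicking, as an added example that is not actuary's own code: the tool lookup and the `auditctl -l` run are injected so the check can be exercised without auditctl installed, and a missing or failing tool produces a SKIP result while the rest of the profile keeps running. The check name, the watched path and the result type are constructed for this example.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// CheckResult is a constructed stand-in for the result type a check returns:
// a status plus human-readable output.
type CheckResult struct {
	Name   string
	Status string // PASS, WARN, INFO or SKIP
	Output string
}

// lookPathFunc and ruleLister are injected dependencies: exec.LookPath and a
// real "auditctl -l" run in production, stubs in tests.
type lookPathFunc func(file string) (string, error)
type ruleLister func(tool string) (string, error)

// watchesPath reports whether one "auditctl -l" line is a watch (-w) on path,
// e.g. "-w /usr/bin/docker -p rwxa -k docker".
func watchesPath(rule, path string) bool {
	f := strings.Fields(rule)
	for i := 0; i+1 < len(f); i++ {
		if f[i] == "-w" && f[i+1] == path {
			return true
		}
	}
	return false
}

// checkAuditRule reports whether an audit watch for path is loaded.
// A missing or failing auditctl yields SKIP instead of log.Panicf.
func checkAuditRule(name, path string, lookPath lookPathFunc, listRules ruleLister) CheckResult {
	tool, err := lookPath("auditctl")
	if err != nil {
		return CheckResult{Name: name, Status: "SKIP",
			Output: "auditctl not found in PATH; audit rule checks skipped"}
	}
	rules, err := listRules(tool)
	if err != nil {
		return CheckResult{Name: name, Status: "SKIP",
			Output: fmt.Sprintf("%s -l failed: %v", tool, err)}
	}
	for _, line := range strings.Split(rules, "\n") {
		if watchesPath(line, path) {
			return CheckResult{Name: name, Status: "PASS"}
		}
	}
	return CheckResult{Name: name, Status: "WARN",
		Output: fmt.Sprintf("no audit rule watching %s", path)}
}

// listAuditRules runs the real tool; only main uses it.
func listAuditRules(tool string) (string, error) {
	out, err := exec.Command(tool, "-l").CombinedOutput()
	return string(out), err
}

func main() {
	// Constructed check name and path, standing in for the project's audit rule checks.
	r := checkAuditRule("1.x Audit docker daemon (sample)", "/usr/bin/docker", exec.LookPath, listAuditRules)
	fmt.Printf("[%s] - %s\n     %s\n", r.Status, r.Name, r.Output)
}
```

Run on a host without auditd and the output is a `[SKIP]` line rather than a stack trace; the tool's absence is still visible in the report, which is what an auditor wants to know.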

Remote check missing

At the moment there is no option for running a remote check. Should be added asap.

All audits should be configured solely on the contents of the .toml

The code currently has:

    for category := range tomlProfile.Audit {
        switch auditName = tomlProfile.Audit[category].Name; auditName {
        case "Host Configuration":
            actions = dockerhost.GetAuditDefinitions()
        case "Docker daemon configuration":
            actions = dockerconf.GetAuditDefinitions()
        case "Docker daemon configuration files":
            actions = dockerfiles.GetAuditDefinitions()
        case "Container Images and Build File":
            actions = images.GetAuditDefinitions()
        case "Container Runtime":
            actions = runtime.GetAuditDefinitions()
        case "Docker Security Operations":
            actions = dockersecops.GetAuditDefinitions()
        default:
            // Panicf needs a format verb; the continue that followed it was unreachable.
            log.Panicf("No audit category named: %s", auditName)
        }

We can probably find a way of not having to do this switch, and simply load all of the tests that are matching the file (so we can in theory move tests from one place to the other without code changes).

Create Audit type

I think we need to create a Check type:

    type Check struct {}

    type CheckResult struct {
        Check
        Status string
        Output string
    }

    func (c *Check) Run(client *client.Client) CheckResult {
        ...
    }

    func (c *Check) Description() string {
        return ""
    }

This would probably make the code cleaner, and gives us a good way of adding properties to Checks, such as Description.

/cc @zuBux
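The two ideas above (drop the category switch, and give checks a real type with a Description) fit together in a registry keyed by the category name from the .toml. The following is an added example, not actuary's code: each package would register its checks in its own `init()`, and the runner reports an unknown category instead of panicking. The Docker client parameter is left out so the example compiles offline, and the check names are constructed samples.

```go
package main

import "fmt"

// Check is one audit item: what it tests and how to run it. In actuary Run
// would receive the engine-api client; it is omitted here to stay offline.
type Check struct {
	Name        string
	Description string
	Run         func() CheckResult
}

// CheckResult is the outcome of one Check.
type CheckResult struct {
	Name   string
	Status string
	Output string
}

// registry maps a category name, exactly as written in the .toml profile, to
// its checks. Packages register in init(), so moving a check between packages
// or adding a category never touches the runner.
var registry = map[string][]Check{}

// Register adds checks under a category; safe to call from several packages.
func Register(category string, checks ...Check) {
	registry[category] = append(registry[category], checks...)
}

// RunProfile runs the categories listed in the profile, in profile order.
// Categories with no registered checks are returned instead of panicking, so a
// typo in the .toml is reported once and the rest of the audit still runs.
func RunProfile(categories []string) (results []CheckResult, unknown []string) {
	for _, cat := range categories {
		checks, ok := registry[cat]
		if !ok {
			unknown = append(unknown, cat)
			continue
		}
		for _, c := range checks {
			r := c.Run()
			r.Name = c.Name
			results = append(results, r)
		}
	}
	return results, unknown
}

func init() {
	// Constructed checks standing in for dockerhost.GetAuditDefinitions() etc.
	Register("Host Configuration",
		Check{Name: "1.2 Use the updated Linux Kernel", Description: "kernel meets the minimum version",
			Run: func() CheckResult { return CheckResult{Status: "PASS"} }},
		Check{Name: "1.5 Keep Docker up to date", Description: "docker version is current",
			Run: func() CheckResult { return CheckResult{Status: "PASS"} }},
	)
	Register("Docker daemon configuration",
		Check{Name: "2.x sample daemon check", Description: "constructed placeholder",
			Run: func() CheckResult { return CheckResult{Status: "WARN", Output: "example warning"} }},
	)
}

func main() {
	// In actuary the category list would come from tomlProfile.Audit[i].Name.
	results, unknown := RunProfile([]string{"Host Configuration", "Docker daemon configuration", "Typo Category"})
	for _, r := range results {
		fmt.Printf("[%s] - %s %s\n", r.Status, r.Name, r.Output)
	}
	for _, u := range unknown {
		fmt.Printf("no audit category named: %s\n", u)
	}
}
```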

Create makefile

We should create a Makefile that allows someone to clone the repo and at least do # make binaries and # make test.

Something like:

# Root directory of the project (absolute path).
ROOTDIR=$(dir $(abspath $(lastword $(MAKEFILE_LIST))))

# Base path used to install.
DESTDIR=/usr/local

# Used to populate version variable in main package.
VERSION=$(shell git describe --match 'v[0-9]*' --dirty='.m' --always)

# Project packages.
PACKAGES=$(shell go list ./... | grep -v /vendor/)

# Project binaries.
COMMANDS=actuary
BINARIES=$(addprefix bin/,$(COMMANDS))

GO_LDFLAGS=-ldflags "-X `go list ./version`.Version=$(VERSION)"

.PHONY: clean all fmt vet build binaries test setup coverage ci check help
.DEFAULT: default

all: check build binaries test ## run fmt, vet, lint, build the binaries and run the tests

# This only needs to be generated by hand when cutting full releases.
version/version.go:
    ./version/version.sh > $@

setup: ## install dependencies
    @go get -u github.com/golang/lint/golint

# Depends on binaries because vet will silently fail if it can't load compiled
# imports
vet: binaries
    @test -z "$$(go vet ${PACKAGES} 2>&1 | grep -v 'constant [0-9]* not a string in call to Errorf' | grep -v 'timestamp_test.go' | grep -v 'exit status 1' | tee /dev/stderr)"

lint: ## run go lint
    @test -z "$$(golint ./... | grep -v vendor/ | tee /dev/stderr)"

build: ## build the go packages
    @go build -i -tags "${DOCKER_BUILDTAGS}" -v ${GO_LDFLAGS} ${GO_GCFLAGS} ${PACKAGES}

test: ## run test
    @go test -parallel 8 -race -tags "${DOCKER_BUILDTAGS}" ${PACKAGES}

FORCE:

# Build a binary from a cmd.
bin/%: cmd/% FORCE
    @go build -i -tags "${DOCKER_BUILDTAGS}" -o $@ ${GO_LDFLAGS}  ${GO_GCFLAGS} ./$<

binaries: $(BINARIES) ## build binaries

clean: ## clean up binaries
    @rm -f $(BINARIES)

install: $(BINARIES) ## install binaries
    @mkdir -p $(DESTDIR)/bin
    @install $(BINARIES) $(DESTDIR)/bin

uninstall:
    @rm -f $(addprefix $(DESTDIR)/bin/,$(notdir $(BINARIES)))

Docker version check

Check "1.6 Keep Docker up to date" reads the latest Docker version from VERSION env. variable.

verConstr := os.Getenv("VERSION")

If Actuary is executed inside a docker container using the provided Dockerfile, the check will return a correct result. However if Actuary is executed as a stand-alone application, there should be a hard-coded value as an alternative.

Fedora 23 (possibly others) - incompatible kernel version causes application to crash

Hi all,

it looks like it is hashicorp/go-version related

Kernel Version: 4.4.6-301.fc23.x86_64

in my upcoming PR I have added a temporary handler for this kind of incompatibility, however I believe that this should be addressed upstream

[akostopoulos@linux actuary]$ sudo ./actuary -f ../../default.toml
2016/04/27 09:29:36 Running Audit: Host Configuration
[WARN] - 1.1 Create a separate partition for containers 
     Containers NOT in seperate partition

panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xb code=0x1 addr=0x0 pc=0x51add5]

goroutine 1 [running]:
panic(0x868d20, 0xc8200100d0)
    /usr/local/go/src/runtime/panic.go:464 +0x3e6
github.com/hashicorp/go-version.(*Version).String(0x0, 0x0, 0x0)
    /home/akostopoulos/go/src/github.com/hashicorp/go-version/version.go:242 +0x775
github.com/hashicorp/go-version.(*Version).Compare(0x0, 0xc82018e2c0, 0x8f6d90)
    /home/akostopoulos/go/src/github.com/hashicorp/go-version/version.go:85 +0x33
github.com/hashicorp/go-version.constraintGreaterThanEqual(0x0, 0xc82018e2c0, 0x8f6d90)
    /home/akostopoulos/go/src/github.com/hashicorp/go-version/constraint.go:137 +0x2b
github.com/hashicorp/go-version.(*Constraint).Check(0xc820192680, 0x0, 0x0)
    /home/akostopoulos/go/src/github.com/hashicorp/go-version/constraint.go:91 +0x32
github.com/hashicorp/go-version.Constraints.Check(0xc8201a6010, 0x1, 0x1, 0x0, 0xc82018c820)
    /home/akostopoulos/go/src/github.com/hashicorp/go-version/constraint.go:71 +0x69
github.com/diogomonica/actuary/audit/dockerhost.CheckKernelVersion(0xc820108120, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
    /home/akostopoulos/go/src/github.com/diogomonica/actuary/audit/dockerhost/dockerhost.go:77 +0x198
main.main()
    /home/akostopoulos/go/src/github.com/thanasisk/actuary/cmd/actuary/main.go:89 +0x69e
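The trace shows a nil `*Version` reaching `Compare`, which is what a caller sees when the parse error for a string like `4.4.6-301.fc23.x86_64` is ignored and the nil result is handed to `Constraints.Check`. As an added example (not actuary's code, and not using go-version), here is a small stdlib-only version comparison that normalizes distro kernel releases, returns an error instead of a nil pointer on bad input, and also covers the earlier "Docker version check" issue with a build-time fallback when `VERSION` is unset. The minimum versions and the default constant are placeholders.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// version is a parsed dotted numeric version such as 4.4.6 or 1.11.1.
type version []int

// parseVersion accepts "1.11.1", "v1.11.1" and distro kernel releases such as
// "4.4.6-301.fc23.x86_64": everything after the first '-' or '+' is dropped and
// the remaining dotted part must be purely numeric.
func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	if s == "" {
		return nil, fmt.Errorf("empty version string")
	}
	var v version
	for _, part := range strings.Split(s, ".") {
		n, err := strconv.Atoi(part)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("invalid version component %q in %q", part, s)
		}
		v = append(v, n)
	}
	return v, nil
}

// compare returns -1, 0 or 1; missing trailing components count as zero,
// so 1.11 == 1.11.0.
func compare(a, b version) int {
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// atLeast reports whether have >= want. Either side failing to parse is an
// error the check can turn into a SKIP/INFO result, never a nil dereference.
func atLeast(have, want string) (bool, error) {
	h, err := parseVersion(have)
	if err != nil {
		return false, err
	}
	w, err := parseVersion(want)
	if err != nil {
		return false, err
	}
	return compare(h, w) >= 0, nil
}

// defaultLatestDocker is a placeholder for a value set at build time (for
// instance via -ldflags) so a stand-alone binary still has a reference version.
const defaultLatestDocker = "1.11.1"

// latestDockerVersion reads VERSION as the check in the issue does, falling
// back to the build-time constant when the variable is unset or empty.
func latestDockerVersion(getenv func(string) string) string {
	if v := strings.TrimSpace(getenv("VERSION")); v != "" {
		return v
	}
	return defaultLatestDocker
}

func main() {
	// "3.10" is a placeholder minimum kernel version for the example.
	ok, err := atLeast("4.4.6-301.fc23.x86_64", "3.10")
	fmt.Println("kernel >= 3.10:", ok, err)
	fmt.Println("latest docker:", latestDockerVersion(os.Getenv))
}
```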

Clean actuary.go

Functions like consoleOutput and jsonOutput, etc, should be in an external file.

Also, the current code in actuary.go (in particular the main() method) should be under cmd/actuary.go. That is the go convention. The only things that should be in actuary.go should be our types (Check, CheckResult, etc)

/cc @zuBux

Add XML support

Currently the only available output format is JSON. We should consider adding XML as well.
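An added example (not actuary's code) of what adding a second output format looks like once result types carry both `json` and `xml` struct tags: a single `Render` dispatches on the format name, and unknown formats are an error rather than a silent default. The `Report` and `CheckResult` shapes are constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"encoding/xml"
	"fmt"
	"io"
	"os"
)

// CheckResult carries both tag sets so one type serves every output format.
type CheckResult struct {
	Name   string `json:"name" xml:"name,attr"`
	Status string `json:"status" xml:"status"`
	Output string `json:"output,omitempty" xml:"output,omitempty"`
}

// Report is one audit category and its results.
type Report struct {
	XMLName  xml.Name      `json:"-" xml:"audit"`
	Category string        `json:"category" xml:"category,attr"`
	Checks   []CheckResult `json:"checks" xml:"check"`
}

func writeJSON(w io.Writer, r Report) error {
	enc := json.NewEncoder(w)
	enc.SetIndent("", "  ")
	return enc.Encode(r)
}

func writeXML(w io.Writer, r Report) error {
	if _, err := io.WriteString(w, xml.Header); err != nil {
		return err
	}
	enc := xml.NewEncoder(w)
	enc.Indent("", "  ")
	return enc.Encode(r)
}

// formats is the dispatch table a -o/--output flag would index.
var formats = map[string]func(io.Writer, Report) error{
	"json": writeJSON,
	"xml":  writeXML,
}

// Render serializes r in the named format, or fails for an unknown name.
func Render(format string, r Report) (string, error) {
	f, ok := formats[format]
	if !ok {
		return "", fmt.Errorf("unknown output format %q (have: json, xml)", format)
	}
	var buf bytes.Buffer
	if err := f(&buf, r); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample report.
	r := Report{Category: "Host Configuration", Checks: []CheckResult{
		{Name: "1.2 Use the updated Linux Kernel", Status: "PASS"},
		{Name: "1.1 Create a separate partition for containers", Status: "WARN", Output: "Containers NOT in separate partition"},
	}}
	for _, f := range []string{"json", "xml"} {
		out, err := Render(f, r)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Println(out)
	}
}
```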

Crash while running default profile

➜  actuary git:(master) docker run -v /var/run/docker.sock:/var/run/docker.sock actuary -f default.toml
...
2016/09/05 01:06:25 Running Audit: Container Runtime
panic: runtime error: index out of range

goroutine 1 [running]:
panic(0x866560, 0xc820014040)
    /usr/local/go/src/runtime/panic.go:464 +0x3e6
github.com/diogomonica/actuary/actuary.CheckSSHRunning(0xc8200ca180, 0xc8200f8b80, 0x3b, 0x40, 0x0, 0x0, 0x40, 0x26, 0xc8200e7600, 0x4, ...)
    /go/src/github.com/diogomonica/actuary/actuary/runtime.go:122 +0x8a8
main.main()
    /go/src/github.com/diogomonica/actuary/actuary.go:74 +0x5f9

Basic testing

We need basic testing for the functionality that we're providing, especially around helper methods.

/cc @zuBux

Dockerfile doesn't work

➜ docker build -t actuary .
...
➜ docker run actuary 
docker: Error response from daemon: Container command '/go/bin/actuary' not found or does not exist..

Dockerfile doesn't build

➜  actuary git:(dev) docker build -t actuary .
...
Removing intermediate container 2f24f959f683
Step 7 : RUN $GOPATH/bin/godep go install
 ---> Running in 92fd3e64ec0d
actuary.go:8:2: cannot find package "github.com/BurntSushi/toml" in any of:
    /usr/local/go/src/github.com/BurntSushi/toml (from $GOROOT)
    /go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/BurntSushi/toml (from $GOPATH)
    /go/src/github.com/BurntSushi/toml
audit/audit.go:4:2: cannot find package "github.com/docker/engine-api/client" in any of:
    /usr/local/go/src/github.com/docker/engine-api/client (from $GOROOT)
    /go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/docker/engine-api/client (from $GOPATH)
    /go/src/github.com/docker/engine-api/client
audit/container/images/images.go:7:2: cannot find package "github.com/docker/engine-api/types" in any of:
    /usr/local/go/src/github.com/docker/engine-api/types (from $GOROOT)
    /go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/docker/engine-api/types (from $GOPATH)
    /go/src/github.com/docker/engine-api/types
audit/dockerhost/dockerhost.go:7:2: cannot find package "github.com/drael/GOnetstat" in any of:
    /usr/local/go/src/github.com/drael/GOnetstat (from $GOROOT)
    /go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/drael/GOnetstat (from $GOPATH)
    /go/src/github.com/drael/GOnetstat
actuary.go:17:2: cannot find package "github.com/fatih/color" in any of:
    /usr/local/go/src/github.com/fatih/color (from $GOROOT)
    /go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/fatih/color (from $GOPATH)
    /go/src/github.com/fatih/color
audit/dockerhost/dockerhost.go:8:2: cannot find package "github.com/hashicorp/go-version" in any of:
    /usr/local/go/src/github.com/hashicorp/go-version (from $GOROOT)
    /go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/hashicorp/go-version (from $GOPATH)
    /go/src/github.com/hashicorp/go-version
audit/audit.go:5:2: cannot find package "github.com/mitchellh/go-ps" in any of:
    /usr/local/go/src/github.com/mitchellh/go-ps (from $GOROOT)
    /go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/mitchellh/go-ps (from $GOPATH)
    /go/src/github.com/mitchellh/go-ps
audit/audit.go:6:2: cannot find package "github.com/shirou/gopsutil/process" in any of:
    /usr/local/go/src/github.com/shirou/gopsutil/process (from $GOROOT)
    /go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/shirou/gopsutil/process (from $GOPATH)
    /go/src/github.com/shirou/gopsutil/process
godep: go exit status 1
The command '/bin/sh -c $GOPATH/bin/godep go install' returned a non-zero code: 1

We might also want to minimize this image. Thoughts @zuBux @konstruktoid ?

Code repetition

There is a ton of code repetition in our tests.

When things like this show up multiple times:

    for _, container := range containers {
        info, _ := client.ContainerInspect(container.ID)
        ports := info.NetworkSettings.Ports
        for _, port := range ports {
            for _, portmap := range port {
                hostPort, _ := strconv.Atoi(portmap.HostPort)
                if hostPort < 1024 {
                    badContainers = append(badContainers, container.ID)
                }
            }
        }
    }

It might mean that we can try to abstract a method that runs a closure over each container, for example. Let's think of ways of creating good helper functions, and reducing code duplication.

/cc @zuBux
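One shape the helper could take, as an added example that is not actuary's code: a function that inspects each container once and applies a predicate, with the check-specific logic (privileged host port, privileged container) reduced to a few lines each. It also stops discarding the inspect error that `info, _ :=` hides, so a container that disappears mid-audit is reported rather than counted as passing. The container types and the map-backed client are constructed stand-ins for the engine-api types.

```go
package main

import (
	"fmt"
	"strconv"
)

// Constructed stand-ins for the engine-api types the issue's snippet uses.
type Container struct{ ID string }
type PortBinding struct{ HostIP, HostPort string }
type ContainerJSON struct {
	ID         string
	Privileged bool
	Ports      map[string][]PortBinding // "80/tcp" -> host bindings
}

// Inspector is the single client method these checks need. The real Docker
// client satisfies it; mapClient below does for the example.
type Inspector interface {
	ContainerInspect(id string) (ContainerJSON, error)
}

// failingContainers inspects each container once and returns the IDs for
// which pred holds. Inspect errors are returned, not dropped.
func failingContainers(c Inspector, containers []Container, pred func(ContainerJSON) bool) (bad []string, errs []error) {
	for _, ct := range containers {
		info, err := c.ContainerInspect(ct.ID)
		if err != nil {
			errs = append(errs, fmt.Errorf("inspect %s: %w", ct.ID, err))
			continue
		}
		if pred(info) {
			bad = append(bad, ct.ID)
		}
	}
	return bad, errs
}

// bindsPrivilegedPort is the predicate for the check quoted in the issue: any
// host port below 1024. A HostPort that does not parse counts as failing so a
// malformed binding is not silently skipped.
func bindsPrivilegedPort(info ContainerJSON) bool {
	for _, bindings := range info.Ports {
		for _, b := range bindings {
			port, err := strconv.Atoi(b.HostPort)
			if err != nil || port < 1024 {
				return true
			}
		}
	}
	return false
}

// isPrivileged is a second check expressed through the same helper.
func isPrivileged(info ContainerJSON) bool { return info.Privileged }

// mapClient is a constructed Inspector backed by a map.
type mapClient map[string]ContainerJSON

func (m mapClient) ContainerInspect(id string) (ContainerJSON, error) {
	info, ok := m[id]
	if !ok {
		return ContainerJSON{}, fmt.Errorf("no such container: %s", id)
	}
	return info, nil
}

// sampleClient returns constructed inspect data: one container on port 80,
// one on 8080, one privileged.
func sampleClient() mapClient {
	return mapClient{
		"web":  {ID: "web", Ports: map[string][]PortBinding{"80/tcp": {{HostIP: "0.0.0.0", HostPort: "80"}}}},
		"app":  {ID: "app", Ports: map[string][]PortBinding{"8080/tcp": {{HostIP: "0.0.0.0", HostPort: "8080"}}}},
		"priv": {ID: "priv", Privileged: true},
	}
}

func main() {
	client := sampleClient()
	// "gone" is listed but cannot be inspected, exercising the error path.
	containers := []Container{{"web"}, {"app"}, {"priv"}, {"gone"}}
	bad, errs := failingContainers(client, containers, bindsPrivilegedPort)
	fmt.Println("privileged host ports:", bad, "errors:", errs)
	priv, _ := failingContainers(client, containers, isPrivileged)
	fmt.Println("privileged containers:", priv)
}
```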

Fix CircleCI

We need to fix the CI configuration in order to properly validate tests and test results.
