diogomonica / actuary Goto Github PK
View Code? Open in Web Editor NEWAn actuary is a business professional who analyzes the financial consequences of risk.
actuary's Issues
Panic when auditctl not found
This should probably not give a runtime panic, and should just skip the tests.
➜ ./main -f default.toml
2016/05/10 12:14:17 Running Audit: Host Configuration
[WARN] - 1.1 Create a separate partition for containers
Containers NOT in seperate partition
[PASS] - 1.2 Use the updated Linux Kernel
[INFO] - 1.4 Remove all non-essential services from the host
Host listening on 29 ports: [4371 57621 53 17500 4381 17600 17603 47856 48516 44692 33926 59646 42908 35872 54582 44670 53846 34510 36274 52994 37242 53816 52452 39380 42390 35768 39618 56460 37950]
[PASS] - 1.5 Keep Docker up to date
[INFO] - 1.6 Only allow trusted users to control Docker daemon
The following users control the Docker daemon: [diogo]
2016/05/10 12:14:18 Could not find auditctl tool
panic: Could not find auditctl tool
goroutine 1 [running]:
panic(0x7afe00, 0xc8204de500)
/usr/lib/go-1.6/src/runtime/panic.go:464 +0x3e6
log.Panicf(0x95b2c0, 0x1c, 0x0, 0x0, 0x0)
/usr/lib/go-1.6/src/log/log.go:327 +0xd8
github.com/diogomonica/actuary/checks.checkAuditRule(0x8ff2b0, 0xf, 0xc8204f1d10)
/home/diogo/go/src/github.com/diogomonica/actuary/checks/checks.go:250 +0x308
github.com/diogomonica/actuary/checks.AuditDockerDaemon(0xc8200f2120, 0x945ef0, 0x17, 0x0, 0x0, 0x0, 0x0)
/home/diogo/go/src/github.com/diogomonica/actuary/checks/dockerhost.go:139 +0x85
main.main()
/home/diogo/go/src/github.com/diogomonica/actuary/cmd/actuary/main.go:67 +0x57e
Migrate to CIS Security Benchmark 1.11
Since the new benchmark for Docker 1.11 has been released, we should review the checks made by Actuary.
Remote check missing
At the moment there is no option for running a remote check. Should be added asap.
All audits should be configured solely on the contents of the .toml
The code currently has:
for category := range tomlProfile.Audit {
switch auditName = tomlProfile.Audit[category].Name; auditName {
case "Host Configuration":
actions = dockerhost.GetAuditDefinitions()
case "Docker daemon configuration":
actions = dockerconf.GetAuditDefinitions()
case "Docker daemon configuration files":
actions = dockerfiles.GetAuditDefinitions()
case "Container Images and Build File" :
actions = images.GetAuditDefinitions()
case "Container Runtime" :
actions = runtime.GetAuditDefinitions()
case "Docker Security Operations" :
actions = dockersecops.GetAuditDefinitions()
default:
log.Panicf("No audit category named:", auditName)
continue
}
We can probably find a way of not having to do this switch, and simply load all of the tests that are matching the file (so we can in theory move tests from one place to the other without code changes).
Default cgroup usage wrong output
Running actuary on a host with default cgroup enabled, actuary returns an incorrect result
Create Audit type
I think we need to create a Check type:
type Check struct {}
type CheckResult struct {
Check
Status string
Output string
}
func (c *Check) Run(client *client.Client) CheckResult {
...
}
func (c *Check) Description() string {
return ""
}
This would probably make the code cleaner, and gives us a good way of adding properties to Checks, such as Description.
/cc @zuBux
Create makefile
We should create a Makefile that allows someone to clone the repo and at least do # make binaries and # make test.
Something like:
# Root directory of the project (absolute path).
ROOTDIR=$(dir $(abspath $(lastword $(MAKEFILE_LIST))))
# Base path used to install.
DESTDIR=/usr/local
# Used to populate version variable in main package.
VERSION=$(shell git describe --match 'v[0-9]*' --dirty='.m' --always)
# Project packages.
PACKAGES=$(shell go list ./... | grep -v /vendor/)
# Project binaries.
COMMANDS=actuary
BINARIES=$(addprefix bin/,$(COMMANDS))
GO_LDFLAGS=-ldflags "-X `go list ./version`.Version=$(VERSION)"
.PHONY: clean all fmt vet build binaries test setup coverage ci check help
.DEFAULT: default
all: check build binaries test ## run fmt, vet, lint, build the binaries and run the tests
# This only needs to be generated by hand when cutting full releases.
version/version.go:
./version/version.sh > $@
setup: ## install dependencies
@go get -u github.com/golang/lint/golint
# Depends on binaries because vet will silently fail if it can't load compiled
# imports
vet: binaries
@test -z "$$(go vet ${PACKAGES} 2>&1 | grep -v 'constant [0-9]* not a string in call to Errorf' | grep -v 'timestamp_test.go' | grep -v 'exit status 1' | tee /dev/stderr)"
lint: ## run go lint
@test -z "$$(golint ./... | grep -v vendor/ | tee /dev/stderr)"
build: ## build the go packages
@go build -i -tags "${DOCKER_BUILDTAGS}" -v ${GO_LDFLAGS} ${GO_GCFLAGS} ${PACKAGES}
test: ## run test
@go test -parallel 8 -race -tags "${DOCKER_BUILDTAGS}" ${PACKAGES}
FORCE:
# Build a binary from a cmd.
bin/%: cmd/% FORCE
@go build -i -tags "${DOCKER_BUILDTAGS}" -o $@ ${GO_LDFLAGS} ${GO_GCFLAGS} ./$<
binaries: $(BINARIES) ## build binaries
clean: ## clean up binaries
@rm -f $(BINARIES)
install: $(BINARIES) ## install binaries
@mkdir -p $(DESTDIR)/bin
@install $(BINARIES) $(DESTDIR)/bin
uninstall:
@rm -f $(addprefix $(DESTDIR)/bin/,$(notdir $(BINARIES)))
Docker version check
Check "1.6 Keep Docker up to date" reads the latest Docker version from VERSION env. variable.
verConstr := os.Getenv("VERSION")
If Actuary is is executed inside a docker container using the provided Dockerfile, the check will return a correct result. However if Actuary is executed as a stand-alone application, there should be a hard-coded value as an alternative.
Fedora 23 (possibly others) - incompatible kernel version causes application to crash
Hi all,
it looks like it is hashicorp/go-version related
Kernel Version: 4.4.6-301.fc23.x86_64
in my upcoming PR I have added a temporary handler for this kind of incompatibilities, however I believe that this should be addressed in the upstream
[akostopoulos@linux actuary]$ sudo ./actuary -f ../../default.toml
2016/04/27 09:29:36 Running Audit: Host Configuration
[WARN] - 1.1 Create a separate partition for containers
Containers NOT in seperate partition
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xb code=0x1 addr=0x0 pc=0x51add5]
goroutine 1 [running]:
panic(0x868d20, 0xc8200100d0)
/usr/local/go/src/runtime/panic.go:464 +0x3e6
github.com/hashicorp/go-version.(*Version).String(0x0, 0x0, 0x0)
/home/akostopoulos/go/src/github.com/hashicorp/go-version/version.go:242 +0x775
github.com/hashicorp/go-version.(*Version).Compare(0x0, 0xc82018e2c0, 0x8f6d90)
/home/akostopoulos/go/src/github.com/hashicorp/go-version/version.go:85 +0x33
github.com/hashicorp/go-version.constraintGreaterThanEqual(0x0, 0xc82018e2c0, 0x8f6d90)
/home/akostopoulos/go/src/github.com/hashicorp/go-version/constraint.go:137 +0x2b
github.com/hashicorp/go-version.(*Constraint).Check(0xc820192680, 0x0, 0x0)
/home/akostopoulos/go/src/github.com/hashicorp/go-version/constraint.go:91 +0x32
github.com/hashicorp/go-version.Constraints.Check(0xc8201a6010, 0x1, 0x1, 0x0, 0xc82018c820)
/home/akostopoulos/go/src/github.com/hashicorp/go-version/constraint.go:71 +0x69
github.com/diogomonica/actuary/audit/dockerhost.CheckKernelVersion(0xc820108120, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
/home/akostopoulos/go/src/github.com/diogomonica/actuary/audit/dockerhost/dockerhost.go:77 +0x198
main.main()
/home/akostopoulos/go/src/github.com/thanasisk/actuary/cmd/actuary/main.go:89 +0x69e
Clean actuary.go
Functions like consoleOutput and jsonOutput, etc, should be in an external file.
Also, the current code in actuary.go (in particular the main() method) should be under cmd/actuary.go. That is the go convention. The only things that should be in actuary.go should be our types (Check, CheckResult, etc)
/cc @zuBux
Add XML support
Currently the only available output format is JSON. We should consider adding XML as well.
Crash while running default profile
➜ actuary git:(master) docker run -v /var/run/docker.sock:/var/run/docker.sock actuary -f default.toml
...
2016/09/05 01:06:25 Running Audit: Container Runtime
panic: runtime error: index out of range
goroutine 1 [running]:
panic(0x866560, 0xc820014040)
/usr/local/go/src/runtime/panic.go:464 +0x3e6
github.com/diogomonica/actuary/actuary.CheckSSHRunning(0xc8200ca180, 0xc8200f8b80, 0x3b, 0x40, 0x0, 0x0, 0x40, 0x26, 0xc8200e7600, 0x4, ...)
/go/src/github.com/diogomonica/actuary/actuary/runtime.go:122 +0x8a8
main.main()
/go/src/github.com/diogomonica/actuary/actuary.go:74 +0x5f9
Basic testing
We need basic testing for the functionality that we're providing, specially around helper methods.
/cc @zuBux
Dockerfile doesn't work
➜ docker build -t actuary .
...
➜ docker run actuary
docker: Error response from daemon: Container command '/go/bin/actuary' not found or does not exist..
Dockerfile doesn't build
➜ actuary git:(dev) docker build -t actuary .
...
Removing intermediate container 2f24f959f683
Step 7 : RUN $GOPATH/bin/godep go install
---> Running in 92fd3e64ec0d
actuary.go:8:2: cannot find package "github.com/BurntSushi/toml" in any of:
/usr/local/go/src/github.com/BurntSushi/toml (from $GOROOT)
/go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/BurntSushi/toml (from $GOPATH)
/go/src/github.com/BurntSushi/toml
audit/audit.go:4:2: cannot find package "github.com/docker/engine-api/client" in any of:
/usr/local/go/src/github.com/docker/engine-api/client (from $GOROOT)
/go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/docker/engine-api/client (from $GOPATH)
/go/src/github.com/docker/engine-api/client
audit/container/images/images.go:7:2: cannot find package "github.com/docker/engine-api/types" in any of:
/usr/local/go/src/github.com/docker/engine-api/types (from $GOROOT)
/go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/docker/engine-api/types (from $GOPATH)
/go/src/github.com/docker/engine-api/types
audit/dockerhost/dockerhost.go:7:2: cannot find package "github.com/drael/GOnetstat" in any of:
/usr/local/go/src/github.com/drael/GOnetstat (from $GOROOT)
/go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/drael/GOnetstat (from $GOPATH)
/go/src/github.com/drael/GOnetstat
actuary.go:17:2: cannot find package "github.com/fatih/color" in any of:
/usr/local/go/src/github.com/fatih/color (from $GOROOT)
/go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/fatih/color (from $GOPATH)
/go/src/github.com/fatih/color
audit/dockerhost/dockerhost.go:8:2: cannot find package "github.com/hashicorp/go-version" in any of:
/usr/local/go/src/github.com/hashicorp/go-version (from $GOROOT)
/go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/hashicorp/go-version (from $GOPATH)
/go/src/github.com/hashicorp/go-version
audit/audit.go:5:2: cannot find package "github.com/mitchellh/go-ps" in any of:
/usr/local/go/src/github.com/mitchellh/go-ps (from $GOROOT)
/go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/mitchellh/go-ps (from $GOPATH)
/go/src/github.com/mitchellh/go-ps
audit/audit.go:6:2: cannot find package "github.com/shirou/gopsutil/process" in any of:
/usr/local/go/src/github.com/shirou/gopsutil/process (from $GOROOT)
/go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/shirou/gopsutil/process (from $GOPATH)
/go/src/github.com/shirou/gopsutil/process
godep: go exit status 1
The command '/bin/sh -c $GOPATH/bin/godep go install' returned a non-zero code: 1
We might also want to minimize this image. Thoughts @zuBux @konstruktoid ?
Code repetition
There is a ton of code repetition in our tests.
When things like this show up multiple times:
for _, container := range containers {
info, _ := client.ContainerInspect(container.ID)
ports := info.NetworkSettings.Ports
for _, port := range ports {
for _, portmap := range port {
hostPort, _ := strconv.Atoi(portmap.HostPort)
if hostPort < 1024 {
badContainers = append(badContainers, container.ID)
}
}
}
}
It might mean that we can try to abstract a method that runs a closure over each container, for example. Let's think of ways of creating good helper functions, and reducing code duplication.
/cc @zuBux
Fix CircleCI
We need to fix the CI configuration in order to properly validate tests and test results
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.