diogomonica / actuary
An actuary is a business professional who analyzes the financial consequences of risk.
This should probably not give a runtime panic, and should just skip the tests.
➜ ./main -f default.toml
2016/05/10 12:14:17 Running Audit: Host Configuration
[WARN] - 1.1 Create a separate partition for containers
Containers NOT in seperate partition
[PASS] - 1.2 Use the updated Linux Kernel
[INFO] - 1.4 Remove all non-essential services from the host
Host listening on 29 ports: [4371 57621 53 17500 4381 17600 17603 47856 48516 44692 33926 59646 42908 35872 54582 44670 53846 34510 36274 52994 37242 53816 52452 39380 42390 35768 39618 56460 37950]
[PASS] - 1.5 Keep Docker up to date
[INFO] - 1.6 Only allow trusted users to control Docker daemon
The following users control the Docker daemon: [diogo]
2016/05/10 12:14:18 Could not find auditctl tool
panic: Could not find auditctl tool
goroutine 1 [running]:
panic(0x7afe00, 0xc8204de500)
/usr/lib/go-1.6/src/runtime/panic.go:464 +0x3e6
log.Panicf(0x95b2c0, 0x1c, 0x0, 0x0, 0x0)
/usr/lib/go-1.6/src/log/log.go:327 +0xd8
github.com/diogomonica/actuary/checks.checkAuditRule(0x8ff2b0, 0xf, 0xc8204f1d10)
/home/diogo/go/src/github.com/diogomonica/actuary/checks/checks.go:250 +0x308
github.com/diogomonica/actuary/checks.AuditDockerDaemon(0xc8200f2120, 0x945ef0, 0x17, 0x0, 0x0, 0x0, 0x0)
/home/diogo/go/src/github.com/diogomonica/actuary/checks/dockerhost.go:139 +0x85
main.main()
/home/diogo/go/src/github.com/diogomonica/actuary/cmd/actuary/main.go:67 +0x57e
Since the new benchmark for Docker 1.11 has been released, we should review the checks made by Actuary.
At the moment there is no option for running a remote check. It should be added ASAP.
The code currently has:
for category := range tomlProfile.Audit {
	switch auditName = tomlProfile.Audit[category].Name; auditName {
	case "Host Configuration":
		actions = dockerhost.GetAuditDefinitions()
	case "Docker daemon configuration":
		actions = dockerconf.GetAuditDefinitions()
	case "Docker daemon configuration files":
		actions = dockerfiles.GetAuditDefinitions()
	case "Container Images and Build File":
		actions = images.GetAuditDefinitions()
	case "Container Runtime":
		actions = runtime.GetAuditDefinitions()
	case "Docker Security Operations":
		actions = dockersecops.GetAuditDefinitions()
	default:
		// Panicf needs a format verb to print auditName, and it never
		// returns, so the continue below is unreachable.
		log.Panicf("No audit category named: %s", auditName)
		continue
	}
}
We can probably find a way of not having to do this switch, and simply load all of the tests that are matching the file (so we can in theory move tests from one place to the other without code changes).
When running actuary on a host with the default cgroup enabled, actuary returns an incorrect result.
I think we need to create a Check type:
type Check struct{}

type CheckResult struct {
	Check
	Status string
	Output string
}

func (c *Check) Run(client *client.Client) CheckResult {
	...
}

func (c *Check) Description() string {
	return ""
}
This would probably make the code cleaner, and gives us a good way of adding properties to Checks, such as Description.
/cc @zuBux
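One way to shape the Check type and drop the category switch, as an added example that is not actuary's own code: checks register under their TOML category name, an unknown category is an error rather than a panic, and a check whose tool is missing reports SKIP, which also covers the auditctl panic reported above. Register, RunCategory, auditRuleCheck and the injected lookPath are assumed names.

```go
package main

import "fmt"

// Check is the unit of work each audit package provides; CheckResult pairs its
// description with what it found. Status "SKIP" marks a check whose
// prerequisite (for example the auditctl binary) is missing on this host.
type Check interface {
	Description() string
	Run() CheckResult
}
type CheckResult struct{ Description, Status, Output string }

// registry maps a TOML audit category name to its checks, so main() needs no
// switch; each audit package calls Register from its init().
var registry = map[string][]Check{}

func Register(category string, checks ...Check) {
	registry[category] = append(registry[category], checks...)
}

// RunCategory runs every check of a category; an unknown category is an error
// the caller can log and skip, not a panic.
func RunCategory(category string) ([]CheckResult, error) {
	checks, ok := registry[category]
	if !ok {
		return nil, fmt.Errorf("no audit category named: %q", category)
	}
	results := make([]CheckResult, 0, len(checks))
	for _, c := range checks {
		results = append(results, c.Run())
	}
	return results, nil
}

// auditRuleCheck stands in for checkAuditRule; lookPath is exec.LookPath in
// production and is injected so the missing-tool path can be exercised.
type auditRuleCheck struct {
	rule     string
	lookPath func(string) (string, error)
}

func (a auditRuleCheck) Description() string { return "Audit rule for " + a.rule }

func (a auditRuleCheck) Run() CheckResult {
	if _, err := a.lookPath("auditctl"); err != nil {
		return CheckResult{a.Description(), "SKIP", "auditctl not found"}
	}
	return CheckResult{a.Description(), "PASS", ""} // real auditctl -l inspection goes here
}
```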
We should create a Makefile that allows someone to clone the repo and at least do "make binaries" and "make test".
Something like:
# Root directory of the project (absolute path).
ROOTDIR=$(dir $(abspath $(lastword $(MAKEFILE_LIST))))
# Base path used to install.
DESTDIR=/usr/local
# Used to populate version variable in main package.
VERSION=$(shell git describe --match 'v[0-9]*' --dirty='.m' --always)
# Project packages.
PACKAGES=$(shell go list ./... | grep -v /vendor/)
# Project binaries.
COMMANDS=actuary
BINARIES=$(addprefix bin/,$(COMMANDS))
GO_LDFLAGS=-ldflags "-X `go list ./version`.Version=$(VERSION)"
.PHONY: clean all fmt vet build binaries test setup coverage ci check help
.DEFAULT: default
all: check build binaries test ## run fmt, vet, lint, build the binaries and run the tests
# This only needs to be generated by hand when cutting full releases.
version/version.go:
	./version/version.sh > $@
setup: ## install dependencies
	@go get -u github.com/golang/lint/golint
# Depends on binaries because vet will silently fail if it can't load compiled
# imports
vet: binaries
	@test -z "$$(go vet ${PACKAGES} 2>&1 | grep -v 'constant [0-9]* not a string in call to Errorf' | grep -v 'timestamp_test.go' | grep -v 'exit status 1' | tee /dev/stderr)"
lint: ## run go lint
	@test -z "$$(golint ./... | grep -v vendor/ | tee /dev/stderr)"
build: ## build the go packages
	@go build -i -tags "${DOCKER_BUILDTAGS}" -v ${GO_LDFLAGS} ${GO_GCFLAGS} ${PACKAGES}
test: ## run test
	@go test -parallel 8 -race -tags "${DOCKER_BUILDTAGS}" ${PACKAGES}
FORCE:
# Build a binary from a cmd.
bin/%: cmd/% FORCE
	@go build -i -tags "${DOCKER_BUILDTAGS}" -o $@ ${GO_LDFLAGS} ${GO_GCFLAGS} ./$<
binaries: $(BINARIES) ## build binaries
clean: ## clean up binaries
	@rm -f $(BINARIES)
install: $(BINARIES) ## install binaries
	@mkdir -p $(DESTDIR)/bin
	@install $(BINARIES) $(DESTDIR)/bin
uninstall:
	@rm -f $(addprefix $(DESTDIR)/bin/,$(notdir $(BINARIES)))
Check "1.6 Keep Docker up to date" reads the latest Docker version from VERSION env. variable.
verConstr := os.Getenv("VERSION")
If Actuary is executed inside a Docker container using the provided Dockerfile, the check will return a correct result. However, if Actuary is executed as a stand-alone application, there should be a hard-coded value as an alternative.
Hi all,
it looks like it is hashicorp/go-version related.
Kernel Version: 4.4.6-301.fc23.x86_64
In my upcoming PR I have added a temporary handler for this kind of incompatibility; however, I believe that this should be addressed upstream.
[akostopoulos@linux actuary]$ sudo ./actuary -f ../../default.toml
2016/04/27 09:29:36 Running Audit: Host Configuration
[WARN] - 1.1 Create a separate partition for containers
Containers NOT in seperate partition
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xb code=0x1 addr=0x0 pc=0x51add5]
goroutine 1 [running]:
panic(0x868d20, 0xc8200100d0)
/usr/local/go/src/runtime/panic.go:464 +0x3e6
github.com/hashicorp/go-version.(*Version).String(0x0, 0x0, 0x0)
/home/akostopoulos/go/src/github.com/hashicorp/go-version/version.go:242 +0x775
github.com/hashicorp/go-version.(*Version).Compare(0x0, 0xc82018e2c0, 0x8f6d90)
/home/akostopoulos/go/src/github.com/hashicorp/go-version/version.go:85 +0x33
github.com/hashicorp/go-version.constraintGreaterThanEqual(0x0, 0xc82018e2c0, 0x8f6d90)
/home/akostopoulos/go/src/github.com/hashicorp/go-version/constraint.go:137 +0x2b
github.com/hashicorp/go-version.(*Constraint).Check(0xc820192680, 0x0, 0x0)
/home/akostopoulos/go/src/github.com/hashicorp/go-version/constraint.go:91 +0x32
github.com/hashicorp/go-version.Constraints.Check(0xc8201a6010, 0x1, 0x1, 0x0, 0xc82018c820)
/home/akostopoulos/go/src/github.com/hashicorp/go-version/constraint.go:71 +0x69
github.com/diogomonica/actuary/audit/dockerhost.CheckKernelVersion(0xc820108120, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
/home/akostopoulos/go/src/github.com/diogomonica/actuary/audit/dockerhost/dockerhost.go:77 +0x198
main.main()
/home/akostopoulos/go/src/github.com/thanasisk/actuary/cmd/actuary/main.go:89 +0x69e
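The kernel release above, 4.4.6-301.fc23.x86_64, is a distribution string rather than a semantic version, and the trace shows (*Version).Compare being called with a nil receiver, which is what an unchecked parse error looks like once the nil version reaches Constraints.Check. As an added example that is neither actuary's nor go-version's code, a parser that strips the distribution suffix and reports failure instead of passing a nil version on; ParseKernelRelease, AtLeast and the signature of CheckKernelVersion are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type KernelVersion [3]int // major, minor, patch of a uname release string

// ParseKernelRelease turns "4.4.6-301.fc23.x86_64" into {4, 4, 6}: the distro
// suffix after the first '-' is cut off, and anything else that fails to parse
// is returned as an error rather than as a zero or nil version.
func ParseKernelRelease(release string) (KernelVersion, error) {
	var v KernelVersion
	base := strings.SplitN(strings.TrimSpace(release), "-", 2)[0]
	parts := strings.Split(base, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return v, fmt.Errorf("malformed kernel release %q", release)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("malformed kernel release %q: %v", release, err)
		}
		v[i] = n
	}
	return v, nil
}

// AtLeast reports whether v >= minimum, comparing major, minor, patch in order.
func (v KernelVersion) AtLeast(minimum KernelVersion) bool {
	for i := range v {
		if v[i] != minimum[i] {
			return v[i] > minimum[i]
		}
	}
	return true
}

// CheckKernelVersion mirrors the dockerhost check, but an unparseable release
// yields INFO plus an error instead of a nil-version dereference.
func CheckKernelVersion(release string, minimum KernelVersion) (string, error) {
	v, err := ParseKernelRelease(release)
	if err != nil {
		return "INFO", err
	}
	if !v.AtLeast(minimum) {
		return "WARN", nil
	}
	return "PASS", nil
}
```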
Functions like consoleOutput and jsonOutput, etc., should be in an external file.
Also, the current code in actuary.go (in particular the main() method) should be under cmd/actuary.go. That is the Go convention. The only things that should be in actuary.go should be our types (Check, CheckResult, etc.).
/cc @zuBux
Currently the only available output format is JSON. We should consider adding XML as well.
➜ actuary git:(master) docker run -v /var/run/docker.sock:/var/run/docker.sock actuary -f default.toml
...
2016/09/05 01:06:25 Running Audit: Container Runtime
panic: runtime error: index out of range
goroutine 1 [running]:
panic(0x866560, 0xc820014040)
/usr/local/go/src/runtime/panic.go:464 +0x3e6
github.com/diogomonica/actuary/actuary.CheckSSHRunning(0xc8200ca180, 0xc8200f8b80, 0x3b, 0x40, 0x0, 0x0, 0x40, 0x26, 0xc8200e7600, 0x4, ...)
/go/src/github.com/diogomonica/actuary/actuary/runtime.go:122 +0x8a8
main.main()
/go/src/github.com/diogomonica/actuary/actuary.go:74 +0x5f9
We need basic testing for the functionality that we're providing, especially around helper methods.
/cc @zuBux
➜ docker build -t actuary .
...
➜ docker run actuary
docker: Error response from daemon: Container command '/go/bin/actuary' not found or does not exist..
➜ actuary git:(dev) docker build -t actuary .
...
Removing intermediate container 2f24f959f683
Step 7 : RUN $GOPATH/bin/godep go install
---> Running in 92fd3e64ec0d
actuary.go:8:2: cannot find package "github.com/BurntSushi/toml" in any of:
/usr/local/go/src/github.com/BurntSushi/toml (from $GOROOT)
/go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/BurntSushi/toml (from $GOPATH)
/go/src/github.com/BurntSushi/toml
audit/audit.go:4:2: cannot find package "github.com/docker/engine-api/client" in any of:
/usr/local/go/src/github.com/docker/engine-api/client (from $GOROOT)
/go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/docker/engine-api/client (from $GOPATH)
/go/src/github.com/docker/engine-api/client
audit/container/images/images.go:7:2: cannot find package "github.com/docker/engine-api/types" in any of:
/usr/local/go/src/github.com/docker/engine-api/types (from $GOROOT)
/go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/docker/engine-api/types (from $GOPATH)
/go/src/github.com/docker/engine-api/types
audit/dockerhost/dockerhost.go:7:2: cannot find package "github.com/drael/GOnetstat" in any of:
/usr/local/go/src/github.com/drael/GOnetstat (from $GOROOT)
/go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/drael/GOnetstat (from $GOPATH)
/go/src/github.com/drael/GOnetstat
actuary.go:17:2: cannot find package "github.com/fatih/color" in any of:
/usr/local/go/src/github.com/fatih/color (from $GOROOT)
/go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/fatih/color (from $GOPATH)
/go/src/github.com/fatih/color
audit/dockerhost/dockerhost.go:8:2: cannot find package "github.com/hashicorp/go-version" in any of:
/usr/local/go/src/github.com/hashicorp/go-version (from $GOROOT)
/go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/hashicorp/go-version (from $GOPATH)
/go/src/github.com/hashicorp/go-version
audit/audit.go:5:2: cannot find package "github.com/mitchellh/go-ps" in any of:
/usr/local/go/src/github.com/mitchellh/go-ps (from $GOROOT)
/go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/mitchellh/go-ps (from $GOPATH)
/go/src/github.com/mitchellh/go-ps
audit/audit.go:6:2: cannot find package "github.com/shirou/gopsutil/process" in any of:
/usr/local/go/src/github.com/shirou/gopsutil/process (from $GOROOT)
/go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/shirou/gopsutil/process (from $GOPATH)
/go/src/github.com/shirou/gopsutil/process
godep: go exit status 1
The command '/bin/sh -c $GOPATH/bin/godep go install' returned a non-zero code: 1
We might also want to minimize this image. Thoughts @zuBux @konstruktoid ?
There is a ton of code repetition in our tests.
When things like this show up multiple times:
for _, container := range containers {
	info, _ := client.ContainerInspect(container.ID)
	ports := info.NetworkSettings.Ports
	for _, port := range ports {
		for _, portmap := range port {
			hostPort, _ := strconv.Atoi(portmap.HostPort)
			if hostPort < 1024 {
				badContainers = append(badContainers, container.ID)
			}
		}
	}
}
It might mean that we can try to abstract a method that runs a closure over each container, for example. Let's think of ways of creating good helper functions, and reducing code duplication.
/cc @zuBux
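An added example, not actuary's code, of the helper this issue asks for: ForEachContainer inspects each container once and applies a closure, and the port loop quoted above becomes a closure over it. The engine-api types are reduced to minimal stand-ins so it runs without a daemon; Inspector, InspectFunc and the function names are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
)

// Minimal stand-ins for the engine-api types the checks read (assumed shapes,
// not the real client types, so the example runs without a daemon).
type Container struct{ ID string }
type PortBinding struct{ HostPort string }
type NetworkSettings struct{ Ports map[string][]PortBinding }
type ContainerInfo struct{ NetworkSettings NetworkSettings }

// Inspector is the one client method these checks use; InspectFunc adapts
// any function with that shape (the real client's method or a fake) to it.
type Inspector interface{ ContainerInspect(id string) (ContainerInfo, error) }
type InspectFunc func(string) (ContainerInfo, error)

func (f InspectFunc) ContainerInspect(id string) (ContainerInfo, error) { return f(id) }

// ForEachContainer inspects each container once and collects the IDs that
// flag reports; inspect errors are returned instead of being discarded.
func ForEachContainer(cl Inspector, containers []Container, flag func(ContainerInfo) bool) ([]string, error) {
	var bad []string
	for _, c := range containers {
		info, err := cl.ContainerInspect(c.ID)
		if err != nil {
			return bad, fmt.Errorf("inspect %s: %v", c.ID, err)
		}
		if flag(info) {
			bad = append(bad, c.ID)
		}
	}
	return bad, nil
}

// PrivilegedHostPorts is the quoted loop rewritten as a closure; unlike the
// original it checks the Atoi error, so an unbound ("") HostPort is not port 0.
func PrivilegedHostPorts(cl Inspector, containers []Container) ([]string, error) {
	return ForEachContainer(cl, containers, func(info ContainerInfo) bool {
		for _, bindings := range info.NetworkSettings.Ports {
			for _, pm := range bindings {
				if port, err := strconv.Atoi(pm.HostPort); err == nil && port < 1024 {
					return true
				}
			}
		}
		return false
	})
}
```

Two defects of the quoted loop are handled here: an inspect error is returned instead of being dropped with the blank identifier, and strconv.Atoi("") returns 0, so an unbound HostPort would otherwise be flagged as a port below 1024.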
We need to fix the CI configuration in order to properly validate tests and test results