
actuary's Introduction

Actuary


An actuary is a professional who analyzes the financial consequences of risk.

Docker's Actuary is an application that checks for dozens of common best practices around deploying Docker containers in production. Actuary takes a checklist of items to check and automates running them, inspecting the host, daemon and containers, and aggregating the results.

Actuary is an evolution of DockerBench, with a focus on the creation, sharing and reuse of different security profiles by the Docker security community.

Go to dockerbench.com if you wish to view, share or create your own profiles.

To run Actuary, you simply have to provide a checklist file, or a hash, and it will do the rest:

actuary <hash> or actuary -f <file>

Here is an example of running actuary with a checklist identified by the hash 472fd39b84593700bd27c7aa0564c72e6d321253

# actuary 472fd39b84593700bd27c7aa0564c72e6d321253
------------------------------------------------------------------------------
  Docker Actuary v1.0.0
------------------------------------------------------------------------------

[INFO] 1.7  - Only allow trusted users to control Docker daemon
[INFO]      * docker:x:999:diogo
[INFO] 1.11 - Audit Docker files and directories - docker-registry.service
[INFO]      * File not found
[INFO] 1.14 - Audit Docker files and directories - /etc/sysconfig/docker
[INFO]      * File not found
[INFO] 3.4  - Verify that docker-registry.service file permissions are set to 644
[INFO]      * File not found
[PASS] 3.5  - Verify that docker.socket file ownership is set to root:root
[PASS] 3.6  - Verify that docker.socket file permissions are set to 644

When passing a <hash> as input, Actuary downloads the requested checklist from dockerbench.com and verifies locally that the hash of the downloaded file matches the hash given on the command line. A compromised dockerbench.com therefore cannot hand you an altered profile, as long as the hash you pass came from a source you trust. Note what the hash does and does not give you: it pins the content of the profile, it does not vouch for who wrote it, so a profile should be treated as untrusted input until its digest checks out, and the hash itself should come from somewhere other than the server that serves the profile.
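To make that verification step concrete, here is an added example (not Actuary's own code) of the fetch-then-verify discipline: the digest the operator obtained out of band is compared against the digest of the bytes actually downloaded, and the bytes are only handed to the parser after the comparison succeeds. The digest algorithm is chosen from the digest length and is an assumption for the example: the 40-hex-character identifiers shown on this page have the length of a SHA-1 digest, and a 64-character identifier is treated as SHA-256. The sample body and pinned digest below are constructed for the example.

```go
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"hash"
	"os"
)

// verifyProfile checks that data hashes to expectedHex before it is used.
// The algorithm is inferred from the digest length (assumption for this
// example): 20 bytes is SHA-1, 32 bytes is SHA-256. Anything else is
// rejected rather than guessed at.
func verifyProfile(data []byte, expectedHex string) error {
	expected, err := hex.DecodeString(expectedHex)
	if err != nil {
		return fmt.Errorf("expected digest is not hex: %w", err)
	}
	var h hash.Hash
	switch len(expected) {
	case sha1.Size:
		h = sha1.New()
	case sha256.Size:
		h = sha256.New()
	default:
		return fmt.Errorf("unsupported digest length %d bytes", len(expected))
	}
	h.Write(data)
	actual := h.Sum(nil)
	// Constant-time comparison: not strictly required for a public digest,
	// but it costs nothing and keeps the habit.
	if subtle.ConstantTimeCompare(actual, expected) != 1 {
		return fmt.Errorf("profile digest mismatch: got %x, want %s", actual, expectedHex)
	}
	return nil
}

func main() {
	// Constructed sample: the body a download returned, and the digest the
	// operator copied from a trusted listing. "abc" is used so the SHA-1
	// value is a well-known test vector.
	body := []byte("abc")
	pinned := "a9993e364706816aba3e25717850c26c9cd0d89d"
	if err := verifyProfile(body, pinned); err != nil {
		fmt.Fprintln(os.Stderr, "refusing to run profile:", err)
		os.Exit(1)
	}
	fmt.Println("profile digest verified, safe to parse")
}
```

If the identifiers really are SHA-1 digests, keep in mind that SHA-1 collisions are practical: the digest then protects against a third party tampering with the profile in transit or on the server, but not against a profile author who prepares two colliding profiles and shares the hash of the benign one. SHA-256 identifiers close that gap.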

When using the -f flag, Actuary loads a local file, which should be a valid TOML file containing the Actuary checklist you wish to run.

Running a remote check

Actuary can also run against a remote Docker API. Point it at the remote endpoint with --server and, if the daemon requires TLS client authentication, pass the directory holding your certificates with --tlspath. It should require it: a daemon listening on TCP without client certificate verification gives anyone who can reach the port root-equivalent control of the host, so a remote Actuary run is only as trustworthy as the TLS setup it rides on:

# actuary --tlspath=<path to load certs from> --server=tcp://<docker host>:<port> <hash>

Running a local check

We provide convenience Dockerfiles for Actuary. You can simply check out this repository and run:

# docker build -t actuary .

Then run it against your local Docker instance by mounting in the Docker socket. Mounting the socket hands the container full control of the daemon, so only do this with an image you built yourself, as above:

# docker run -v /var/run/docker.sock:/var/run/docker.sock actuary <hash>

Machine readable output

By default, Actuary outputs the results to the console. If you wish to parse the results using any kind of program or script, you can tell Actuary to output the results in either XML or JSON:

# actuary --output=<json/xml> <hash>

actuary's People

Contributors

diogomonica, thanasisk, zubux


actuary's Issues

Docker version check

Check "1.6 Keep Docker up to date" reads the latest Docker version from the VERSION environment variable.

verConstr := os.Getenv("VERSION")

If Actuary is executed inside a Docker container using the provided Dockerfile, the check will return a correct result. However, if Actuary is executed as a stand-alone application, there should be a hard-coded value as an alternative.

Basic testing

We need basic testing for the functionality that we're providing, especially around helper methods.

/cc @zuBux

Dockerfile doesn't work

➜ docker build -t actuary .
...
➜ docker run actuary 
docker: Error response from daemon: Container command '/go/bin/actuary' not found or does not exist..

Create Audit type

I think we need to create a Check type:

type Check struct{}

type CheckResult struct {
	Check
	Status string
	Output string
}

func (c *Check) Run(client *client.Client) CheckResult {
	...
}

func (c *Check) Description() string {
	return ""
}

This would probably make the code cleaner, and gives us a good way of adding properties to Checks, such as Description.

/cc @zuBux

Remote check missing

At the moment there is no option for running a remote check. Should be added asap.

Create makefile

We should create a Makefile that allows someone to clone the repo and at least do # make binaries and # make test.

Something like:

# Root directory of the project (absolute path).
ROOTDIR=$(dir $(abspath $(lastword $(MAKEFILE_LIST))))

# Base path used to install.
DESTDIR=/usr/local

# Used to populate version variable in main package.
VERSION=$(shell git describe --match 'v[0-9]*' --dirty='.m' --always)

# Project packages.
PACKAGES=$(shell go list ./... | grep -v /vendor/)

# Project binaries.
COMMANDS=actuary
BINARIES=$(addprefix bin/,$(COMMANDS))

GO_LDFLAGS=-ldflags "-X `go list ./version`.Version=$(VERSION)"

.PHONY: clean all default fmt vet lint build binaries test setup coverage ci check help install uninstall
.DEFAULT: default

all: check build binaries test ## run fmt, vet, lint, build the binaries and run the tests

default: all

# This only needs to be generated by hand when cutting full releases.
version/version.go:
	./version/version.sh > $@

setup: ## install dependencies
	@go get -u github.com/golang/lint/golint

fmt: ## fail if any file is not gofmt-clean
	@test -z "$$(gofmt -s -l . 2>&1 | grep -v vendor/ | tee /dev/stderr)"

# Depends on binaries because vet will silently fail if it can't load compiled
# imports
vet: binaries
	@test -z "$$(go vet ${PACKAGES} 2>&1 | grep -v 'constant [0-9]* not a string in call to Errorf' | grep -v 'timestamp_test.go' | grep -v 'exit status 1' | tee /dev/stderr)"

lint: ## run go lint
	@test -z "$$(golint ./... | grep -v vendor/ | tee /dev/stderr)"

check: fmt vet lint ## run fmt, vet and lint

build: ## build the go packages
	@go build -i -tags "${DOCKER_BUILDTAGS}" -v ${GO_LDFLAGS} ${GO_GCFLAGS} ${PACKAGES}

test: ## run test
	@go test -parallel 8 -race -tags "${DOCKER_BUILDTAGS}" ${PACKAGES}

FORCE:

# Build a binary from a cmd.
bin/%: cmd/% FORCE
	@go build -i -tags "${DOCKER_BUILDTAGS}" -o $@ ${GO_LDFLAGS}  ${GO_GCFLAGS} ./$<

binaries: $(BINARIES) ## build binaries

clean: ## clean up binaries
	@rm -f $(BINARIES)

install: $(BINARIES) ## install binaries
	@mkdir -p $(DESTDIR)/bin
	@install $(BINARIES) $(DESTDIR)/bin

uninstall:
	@rm -f $(addprefix $(DESTDIR)/bin/,$(notdir $(BINARIES)))

Fix CircleCI

We need to fix the CI configuration in order to properly validate tests and test results

Clean actuary.go

Functions like consoleOutput, jsonOutput, etc. should be in a separate file.

Also, the current code in actuary.go (in particular the main() method) should be under cmd/actuary.go. That is the Go convention. The only things that should be in actuary.go are our types (Check, CheckResult, etc.).

/cc @zuBux

Crash while running default profile

➜  actuary git:(master) docker run -v /var/run/docker.sock:/var/run/docker.sock actuary -f default.toml
...
2016/09/05 01:06:25 Running Audit: Container Runtime
panic: runtime error: index out of range

goroutine 1 [running]:
panic(0x866560, 0xc820014040)
    /usr/local/go/src/runtime/panic.go:464 +0x3e6
github.com/diogomonica/actuary/actuary.CheckSSHRunning(0xc8200ca180, 0xc8200f8b80, 0x3b, 0x40, 0x0, 0x0, 0x40, 0x26, 0xc8200e7600, 0x4, ...)
    /go/src/github.com/diogomonica/actuary/actuary/runtime.go:122 +0x8a8
main.main()
    /go/src/github.com/diogomonica/actuary/actuary.go:74 +0x5f9

Code repetition

There is a ton of code repetition in our tests.

When things like this show up multiple times:

	for _, container := range containers {
		info, err := client.ContainerInspect(container.ID)
		if err != nil {
			// An ignored error here leaves info empty and the container unchecked.
			log.Printf("inspect %s: %v", container.ID, err)
			continue
		}
		for _, bindings := range info.NetworkSettings.Ports {
			for _, portmap := range bindings {
				hostPort, err := strconv.Atoi(portmap.HostPort)
				if err != nil {
					continue // no numeric host port published for this binding
				}
				if hostPort > 0 && hostPort < 1024 {
					badContainers = append(badContainers, container.ID)
				}
			}
		}
	}

It might mean that we can try to abstract a method that runs a closure over each container, for example. Let's think of ways of creating good helper functions, and reducing code duplication.

/cc @zuBux
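As an added example (not the project's code) of the helper the issue suggests, here is a findContainers function that lists and inspects each container once and applies a predicate, with the privileged-port check and a --privileged check rewritten as predicates. The DockerAPI interface, its two struct types and the fake client with constructed containers are assumptions so the example runs without a daemon; the real checks would back the interface with the engine-api client.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strconv"
)

// Minimal stand-in for the Docker API surface the checks use (assumption
// for this example; the real code talks to the engine-api client).
type ContainerSummary struct{ ID string }

type PortBinding struct{ HostIP, HostPort string }

type ContainerDetail struct {
	ID         string
	Ports      map[string][]PortBinding // "80/tcp" -> host bindings
	Privileged bool
}

type DockerAPI interface {
	ContainerList(ctx context.Context) ([]ContainerSummary, error)
	ContainerInspect(ctx context.Context, id string) (ContainerDetail, error)
}

// findContainers lists once, inspects each container once, and returns the
// IDs for which pred holds. Inspect errors are returned, not ignored: an
// ignored error yields a zero ContainerDetail that passes every check.
func findContainers(ctx context.Context, api DockerAPI, pred func(ContainerDetail) bool) ([]string, error) {
	list, err := api.ContainerList(ctx)
	if err != nil {
		return nil, err
	}
	var matched []string
	for _, c := range list {
		info, err := api.ContainerInspect(ctx, c.ID)
		if err != nil {
			return nil, fmt.Errorf("inspect %s: %w", c.ID, err)
		}
		if pred(info) {
			matched = append(matched, info.ID)
		}
	}
	return matched, nil
}

// bindsPrivilegedPort flags a container that maps a host port below 1024.
func bindsPrivilegedPort(info ContainerDetail) bool {
	for _, bindings := range info.Ports {
		for _, b := range bindings {
			port, err := strconv.Atoi(b.HostPort)
			if err != nil {
				continue // no numeric host port, nothing exposed on the host
			}
			if port > 0 && port < 1024 {
				return true
			}
		}
	}
	return false
}

func isPrivileged(info ContainerDetail) bool { return info.Privileged }

// fakeAPI serves constructed containers in a fixed order; failInspect names
// an ID whose inspect call fails, to exercise the error path.
type fakeAPI struct {
	containers  []ContainerDetail
	failInspect string
}

func (f fakeAPI) ContainerList(context.Context) ([]ContainerSummary, error) {
	out := make([]ContainerSummary, 0, len(f.containers))
	for _, c := range f.containers {
		out = append(out, ContainerSummary{ID: c.ID})
	}
	return out, nil
}

func (f fakeAPI) ContainerInspect(_ context.Context, id string) (ContainerDetail, error) {
	if id == f.failInspect {
		return ContainerDetail{}, errors.New("daemon timeout")
	}
	for _, c := range f.containers {
		if c.ID == id {
			return c, nil
		}
	}
	return ContainerDetail{}, errors.New("no such container")
}

// sampleAPI: one privileged-port binding, one ordinary binding, one
// --privileged container (constructed data).
func sampleAPI() fakeAPI {
	return fakeAPI{containers: []ContainerDetail{
		{ID: "web1", Ports: map[string][]PortBinding{"80/tcp": {{HostIP: "0.0.0.0", HostPort: "80"}}}},
		{ID: "app1", Ports: map[string][]PortBinding{"8080/tcp": {{HostIP: "0.0.0.0", HostPort: "8080"}}}},
		{ID: "dbg1", Privileged: true},
	}}
}

func main() {
	ctx := context.Background()
	ports, _ := findContainers(ctx, sampleAPI(), bindsPrivilegedPort)
	priv, _ := findContainers(ctx, sampleAPI(), isPrivileged)
	fmt.Println("privileged host ports:", ports)
	fmt.Println("privileged containers:", priv)
}
```

Each new runtime check then becomes a predicate of a few lines, and the inspect loop, with its error handling, lives in exactly one place.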

All audits should be configured solely on the contents of the .toml

The code currently has:

	for category := range tomlProfile.Audit {
		switch auditName = tomlProfile.Audit[category].Name; auditName {
		case "Host Configuration":
			actions = dockerhost.GetAuditDefinitions()
		case "Docker daemon configuration":
			actions = dockerconf.GetAuditDefinitions()
		case "Docker daemon configuration files":
			actions = dockerfiles.GetAuditDefinitions()
		case "Container Images and Build File":
			actions = images.GetAuditDefinitions()
		case "Container Runtime":
			actions = runtime.GetAuditDefinitions()
		case "Docker Security Operations":
			actions = dockersecops.GetAuditDefinitions()
		default:
			// Panicf aborts the whole run, so a continue after it is unreachable;
			// the name also needs a format verb to appear in the message.
			log.Panicf("No audit category named: %s", auditName)
		}
		// ... run actions for this category ...
	}

We can probably find a way of not having to do this switch, and simply load all of the tests that are matching the file (so we can in theory move tests from one place to the other without code changes).
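One way to get rid of the switch, as an added example rather than the project's code: each audit package registers its category name in a map at init time, and the loader looks the profile's section names up in that map, returning an error that lists the known categories instead of panicking. The Register function, the per-section Checks filter, and the sample check definitions standing in for GetAuditDefinitions() are assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
)

type Check struct {
	ID, Description string
}

// auditRegistry maps a category name, exactly as written in the profile's
// audit name field, to the function that produces that category's checks.
var auditRegistry = map[string]func() []Check{}

// Register is what each audit package would call from its init()
// (assumption about wiring); the loader never has to change when a
// category is added, renamed or moved between packages.
func Register(category string, defs func() []Check) {
	if _, dup := auditRegistry[category]; dup {
		panic("duplicate audit category registered: " + category)
	}
	auditRegistry[category] = defs
}

// AuditSection is one entry of the profile. Only Name is known from the
// code on this page; the optional ID filter is an assumption.
type AuditSection struct {
	Name   string
	Checks []string
}

// loadChecks resolves every section of a profile. An unknown category is
// reported with the names that would have worked, not with a panic.
func loadChecks(sections []AuditSection) ([]Check, error) {
	var out []Check
	for _, s := range sections {
		defs, ok := auditRegistry[s.Name]
		if !ok {
			return nil, fmt.Errorf("no audit category named %q (known: %v)", s.Name, knownCategories())
		}
		for _, c := range defs() {
			if len(s.Checks) == 0 || containsString(s.Checks, c.ID) {
				out = append(out, c)
			}
		}
	}
	return out, nil
}

func knownCategories() []string {
	names := make([]string, 0, len(auditRegistry))
	for n := range auditRegistry {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

func containsString(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func init() {
	// Stand-ins for dockerhost.GetAuditDefinitions() and friends, using
	// check titles that appear in the output shown on this page.
	Register("Host Configuration", func() []Check {
		return []Check{
			{ID: "1.1", Description: "Create a separate partition for containers"},
			{ID: "1.2", Description: "Use the updated Linux Kernel"},
			{ID: "1.7", Description: "Only allow trusted users to control Docker daemon"},
		}
	})
	Register("Container Runtime", func() []Check {
		return []Check{{ID: "5.1", Description: "constructed placeholder check"}}
	})
}

func main() {
	profile := []AuditSection{
		{Name: "Host Configuration", Checks: []string{"1.2", "1.7"}},
		{Name: "Container Runtime"},
		{Name: "Docker Swarm"}, // not registered: demonstrates the error path
	}
	checks, err := loadChecks(profile)
	fmt.Println(checks, err)
}
```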

Dockerfile doesn't build

➜  actuary git:(dev) docker build -t actuary .
...
Removing intermediate container 2f24f959f683
Step 7 : RUN $GOPATH/bin/godep go install
 ---> Running in 92fd3e64ec0d
actuary.go:8:2: cannot find package "github.com/BurntSushi/toml" in any of:
    /usr/local/go/src/github.com/BurntSushi/toml (from $GOROOT)
    /go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/BurntSushi/toml (from $GOPATH)
    /go/src/github.com/BurntSushi/toml
audit/audit.go:4:2: cannot find package "github.com/docker/engine-api/client" in any of:
    /usr/local/go/src/github.com/docker/engine-api/client (from $GOROOT)
    /go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/docker/engine-api/client (from $GOPATH)
    /go/src/github.com/docker/engine-api/client
audit/container/images/images.go:7:2: cannot find package "github.com/docker/engine-api/types" in any of:
    /usr/local/go/src/github.com/docker/engine-api/types (from $GOROOT)
    /go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/docker/engine-api/types (from $GOPATH)
    /go/src/github.com/docker/engine-api/types
audit/dockerhost/dockerhost.go:7:2: cannot find package "github.com/drael/GOnetstat" in any of:
    /usr/local/go/src/github.com/drael/GOnetstat (from $GOROOT)
    /go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/drael/GOnetstat (from $GOPATH)
    /go/src/github.com/drael/GOnetstat
actuary.go:17:2: cannot find package "github.com/fatih/color" in any of:
    /usr/local/go/src/github.com/fatih/color (from $GOROOT)
    /go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/fatih/color (from $GOPATH)
    /go/src/github.com/fatih/color
audit/dockerhost/dockerhost.go:8:2: cannot find package "github.com/hashicorp/go-version" in any of:
    /usr/local/go/src/github.com/hashicorp/go-version (from $GOROOT)
    /go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/hashicorp/go-version (from $GOPATH)
    /go/src/github.com/hashicorp/go-version
audit/audit.go:5:2: cannot find package "github.com/mitchellh/go-ps" in any of:
    /usr/local/go/src/github.com/mitchellh/go-ps (from $GOROOT)
    /go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/mitchellh/go-ps (from $GOPATH)
    /go/src/github.com/mitchellh/go-ps
audit/audit.go:6:2: cannot find package "github.com/shirou/gopsutil/process" in any of:
    /usr/local/go/src/github.com/shirou/gopsutil/process (from $GOROOT)
    /go/src/github.com/diogomonica/actuary/Godeps/_workspace/src/github.com/shirou/gopsutil/process (from $GOPATH)
    /go/src/github.com/shirou/gopsutil/process
godep: go exit status 1
The command '/bin/sh -c $GOPATH/bin/godep go install' returned a non-zero code: 1

We might also want to minimize this image. Thoughts @zuBux @konstruktoid ?

Panic when auditctl not found

This should probably not give a runtime panic, and should just skip the tests.

➜  ./main -f default.toml 
2016/05/10 12:14:17 Running Audit: Host Configuration
[WARN] - 1.1 Create a separate partition for containers 
     Containers NOT in seperate partition

[PASS] - 1.2 Use the updated Linux Kernel 
[INFO] - 1.4 Remove all non-essential services from the host 
     Host listening on 29 ports: [4371 57621 53 17500 4381 17600 17603 47856 48516 44692 33926 59646 42908 35872 54582 44670 53846 34510 36274 52994 37242 53816 52452 39380 42390 35768 39618 56460 37950]

[PASS] - 1.5 Keep Docker up to date 
[INFO] - 1.6 Only allow trusted users to control Docker daemon 
     The following users control the Docker daemon: [diogo]

2016/05/10 12:14:18 Could not find auditctl tool
panic: Could not find auditctl tool

goroutine 1 [running]:
panic(0x7afe00, 0xc8204de500)
    /usr/lib/go-1.6/src/runtime/panic.go:464 +0x3e6
log.Panicf(0x95b2c0, 0x1c, 0x0, 0x0, 0x0)
    /usr/lib/go-1.6/src/log/log.go:327 +0xd8
github.com/diogomonica/actuary/checks.checkAuditRule(0x8ff2b0, 0xf, 0xc8204f1d10)
    /home/diogo/go/src/github.com/diogomonica/actuary/checks/checks.go:250 +0x308
github.com/diogomonica/actuary/checks.AuditDockerDaemon(0xc8200f2120, 0x945ef0, 0x17, 0x0, 0x0, 0x0, 0x0)
    /home/diogo/go/src/github.com/diogomonica/actuary/checks/dockerhost.go:139 +0x85
main.main()
    /home/diogo/go/src/github.com/diogomonica/actuary/cmd/actuary/main.go:67 +0x57e
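The Check/CheckResult sketch in the "Create Audit type" issue above and this auditctl panic point at the same fix, so here is one added example (not the project's code) that covers both: a Check carries the external tools it requires, and a missing tool produces a SKIP result instead of a log.Panicf. The Requires field, the SKIP status, the lookPath variable and the auditctl -l invocation are assumptions made for this example.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// Result statuses. SKIP is the outcome the auditctl issue asks for: a
// missing prerequisite is reported, not turned into a panic.
const (
	StatusPass = "PASS"
	StatusWarn = "WARN"
	StatusInfo = "INFO"
	StatusSkip = "SKIP"
)

// Check is the type sketched in the "Create Audit type" issue, extended
// with the external tools it needs (assumption for this example).
type Check struct {
	ID          string
	Description string
	Requires    []string
	Run         func() (status, output string)
}

// CheckResult embeds the Check so a report can print ID and Description
// next to the outcome.
type CheckResult struct {
	Check
	Status string
	Output string
}

// lookPath is a variable so tests can substitute a fake PATH lookup.
var lookPath = exec.LookPath

// Execute confirms every required tool is on PATH, then runs the body.
func (c *Check) Execute() CheckResult {
	for _, tool := range c.Requires {
		if _, err := lookPath(tool); err != nil {
			return CheckResult{Check: *c, Status: StatusSkip,
				Output: fmt.Sprintf("%s not found on PATH; check skipped", tool)}
		}
	}
	status, out := c.Run()
	return CheckResult{Check: *c, Status: status, Output: out}
}

// RunAll executes checks in order and tallies results by status.
func RunAll(checks []*Check) ([]CheckResult, map[string]int) {
	results := make([]CheckResult, 0, len(checks))
	tally := map[string]int{}
	for _, c := range checks {
		r := c.Execute()
		results = append(results, r)
		tally[r.Status]++
	}
	return results, tally
}

// auditRuleCheck builds a check that asks auditctl whether path is watched,
// in the spirit of the "Audit Docker files and directories" checks above.
func auditRuleCheck(id, path string) *Check {
	return &Check{
		ID:          id,
		Description: "Audit Docker files and directories - " + path,
		Requires:    []string{"auditctl"},
		Run: func() (string, string) {
			out, err := exec.Command("auditctl", "-l").CombinedOutput()
			if err != nil {
				return StatusInfo, "auditctl -l failed: " + err.Error()
			}
			if strings.Contains(string(out), path) {
				return StatusPass, ""
			}
			return StatusWarn, "no audit rule for " + path
		},
	}
}

func main() {
	checks := []*Check{
		auditRuleCheck("1.8", "/usr/bin/docker"),
		auditRuleCheck("1.9", "/var/lib/docker"),
	}
	results, tally := RunAll(checks)
	for _, r := range results {
		fmt.Printf("[%s] %-4s - %s\n", r.Status, r.ID, r.Description)
		if r.Output != "" {
			fmt.Printf("       * %s\n", r.Output)
		}
	}
	fmt.Println("summary:", tally)
}
```

A SKIP should still be visible in the summary: an audit that silently drops checks because a tool was absent looks identical to a clean host, which is the wrong failure mode for a benchmark.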

Add XML support

Currently the only available output format is JSON. We should consider adding XML as well.

Fedora 23 (possibly others) - incompatible kernel version causes application to crash

Hi all,

it looks like it is hashicorp/go-version related

Kernel Version: 4.4.6-301.fc23.x86_64

in my upcoming PR I have added a temporary handler for this kind of incompatibility; however, I believe that this should be addressed upstream

[akostopoulos@linux actuary]$ sudo ./actuary -f ../../default.toml
2016/04/27 09:29:36 Running Audit: Host Configuration
[WARN] - 1.1 Create a separate partition for containers 
     Containers NOT in seperate partition

panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xb code=0x1 addr=0x0 pc=0x51add5]

goroutine 1 [running]:
panic(0x868d20, 0xc8200100d0)
    /usr/local/go/src/runtime/panic.go:464 +0x3e6
github.com/hashicorp/go-version.(*Version).String(0x0, 0x0, 0x0)
    /home/akostopoulos/go/src/github.com/hashicorp/go-version/version.go:242 +0x775
github.com/hashicorp/go-version.(*Version).Compare(0x0, 0xc82018e2c0, 0x8f6d90)
    /home/akostopoulos/go/src/github.com/hashicorp/go-version/version.go:85 +0x33
github.com/hashicorp/go-version.constraintGreaterThanEqual(0x0, 0xc82018e2c0, 0x8f6d90)
    /home/akostopoulos/go/src/github.com/hashicorp/go-version/constraint.go:137 +0x2b
github.com/hashicorp/go-version.(*Constraint).Check(0xc820192680, 0x0, 0x0)
    /home/akostopoulos/go/src/github.com/hashicorp/go-version/constraint.go:91 +0x32
github.com/hashicorp/go-version.Constraints.Check(0xc8201a6010, 0x1, 0x1, 0x0, 0xc82018c820)
    /home/akostopoulos/go/src/github.com/hashicorp/go-version/constraint.go:71 +0x69
github.com/diogomonica/actuary/audit/dockerhost.CheckKernelVersion(0xc820108120, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
    /home/akostopoulos/go/src/github.com/diogomonica/actuary/audit/dockerhost/dockerhost.go:77 +0x198
main.main()
    /home/akostopoulos/go/src/github.com/thanasisk/actuary/cmd/actuary/main.go:89 +0x69e
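As an added example (not the project's code) covering both this crash and the "Docker version check" issue above: a parser that takes the leading major.minor.patch of strings like 4.4.6-301.fc23.x86_64 and returns an error instead of a nil version when nothing parses, a single-operator constraint check built on it, and the VERSION-with-compiled-in-fallback the earlier issue asks for. The constraint syntax, the fallback value and the function names are assumptions; hashicorp/go-version is not used.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strconv"
	"strings"
)

// defaultDockerConstraint is the compiled-in fallback the "Docker version
// check" issue asks for when VERSION is unset. The value is a placeholder
// for this example, not a project constant.
const defaultDockerConstraint = ">= 1.12.0"

func dockerConstraint() string {
	if v := os.Getenv("VERSION"); v != "" {
		return v
	}
	return defaultDockerConstraint
}

type Version struct{ Major, Minor, Patch int }

// versionRE keeps the leading numeric prefix and ignores distro suffixes
// such as "-301.fc23.x86_64", which is what tripped go-version.
var versionRE = regexp.MustCompile(`^v?(\d+)\.(\d+)(?:\.(\d+))?`)

// ParseVersion never hands back a usable-looking value on failure; callers
// get an error and can decide to skip the check instead of dereferencing nil.
func ParseVersion(s string) (Version, error) {
	m := versionRE.FindStringSubmatch(strings.TrimSpace(s))
	if m == nil {
		return Version{}, fmt.Errorf("no major.minor version in %q", s)
	}
	var parts [3]int
	for i, field := range m[1:] {
		if field == "" {
			continue // patch component is optional
		}
		n, err := strconv.Atoi(field)
		if err != nil {
			return Version{}, fmt.Errorf("component %q of %q: %w", field, s, err)
		}
		parts[i] = n
	}
	return Version{Major: parts[0], Minor: parts[1], Patch: parts[2]}, nil
}

// Compare returns -1, 0 or 1 as v is below, equal to or above o.
func (v Version) Compare(o Version) int {
	for _, d := range [3]int{v.Major - o.Major, v.Minor - o.Minor, v.Patch - o.Patch} {
		if d < 0 {
			return -1
		}
		if d > 0 {
			return 1
		}
	}
	return 0
}

var constraintRE = regexp.MustCompile(`^\s*(>=|<=|==|>|<)?\s*(\S+)\s*$`)

// CheckConstraint evaluates a single-operator constraint such as ">= 3.10"
// against an actual version string. Either side failing to parse is an
// error, never a panic.
func CheckConstraint(constraint, actual string) (bool, error) {
	m := constraintRE.FindStringSubmatch(constraint)
	if m == nil {
		return false, fmt.Errorf("bad constraint %q", constraint)
	}
	want, err := ParseVersion(m[2])
	if err != nil {
		return false, err
	}
	have, err := ParseVersion(actual)
	if err != nil {
		return false, err
	}
	c := have.Compare(want)
	switch m[1] {
	case ">=":
		return c >= 0, nil
	case "<=":
		return c <= 0, nil
	case ">":
		return c > 0, nil
	case "<":
		return c < 0, nil
	default:
		return c == 0, nil
	}
}

func main() {
	// Constructed inputs: the Fedora kernel string from this issue, an
	// unparseable string, and a Docker version checked against VERSION or
	// the compiled-in fallback.
	for _, kernel := range []string{"4.4.6-301.fc23.x86_64", "not-a-kernel"} {
		ok, err := CheckConstraint(">= 3.10", kernel)
		fmt.Printf("kernel %q >= 3.10: %v (err=%v)\n", kernel, ok, err)
	}
	ok, err := CheckConstraint(dockerConstraint(), "1.12.1")
	fmt.Printf("docker 1.12.1 satisfies %q: %v (err=%v)\n", dockerConstraint(), ok, err)
}
```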
