compliance

package
v0.0.0-...-45a9bcf Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 3, 2024 License: Apache-2.0 Imports: 74 Imported by: 0

Documentation

Overview

Package compliance implements a specific part of the datadog-agent responsible for scanning host and containers and report various misconfigurations and compliance issues.

Index

Constants

View Source
const (
	//revive:disable
	XCCDF_RESULT_PASS = iota + 1
	XCCDF_RESULT_FAIL
	XCCDF_RESULT_ERROR
	XCCDF_RESULT_UNKNOWN
	XCCDF_RESULT_NOT_APPLICABLE
	XCCDF_RESULT_NOT_CHECKED
	XCCDF_RESULT_NOT_SELECTED
)

Variables

View Source
var ErrIncompatibleEnvironment = errors.New("environment not compatible this type of input")

ErrIncompatibleEnvironment is returns by the resolver to signal that the given rule's inputs are not resolvable in the current environment.

Functions

func DefaultDockerProvider

func DefaultDockerProvider(ctx context.Context) (docker.CommonAPIClient, error)

DefaultDockerProvider returns the default Docker client.

func DefaultRuleFilter

func DefaultRuleFilter(r *Rule) bool

DefaultRuleFilter implements the default filtering of benchmarks' rules. It will exclude rules based on the evaluation context / environment running the benchmark.

func FinishXCCDFBenchmark

func FinishXCCDFBenchmark(_ context.Context, benchmark *Benchmark)

FinishXCCDFBenchmark finishes an XCCDF benchmark by terminating the oscap-io processes.

Types

type Agent

type Agent struct {
	// contains filtered or unexported fields
}

Agent is the compliance agent that is responsible for running compliance continuously benchmarks and configuration checking.

func NewAgent

func NewAgent(telemetrySender telemetry.SimpleTelemetrySender, wmeta workloadmeta.Component, opts AgentOptions) *Agent

NewAgent returns a new compliance agent.

func (*Agent) Start

func (a *Agent) Start() error

Start starts the compliance agent.

func (*Agent) StatusProvider

func (a *Agent) StatusProvider() statusComp.Provider

StatusProvider returns the compliance status provider

func (*Agent) Stop

func (a *Agent) Stop()

Stop stops the compliance agent.

type AgentOptions

type AgentOptions struct {
	// ResolverOptions is the options passed to the constructed resolvers
	// internally. See resolver.go.
	ResolverOptions

	// ConfigDir is the directory in which benchmarks files and assets are
	// defined.
	ConfigDir string

	// Reporter is the output interface of the events that are gathered by the
	// agent.
	Reporter *LogReporter

	// RuleFilter allow specifying a global rule filtering that will be
	// applied on all loaded benchmarks.
	RuleFilter RuleFilter

	// CheckInterval is the period at which benchmarks are being run. It
	// should also be roughly the interval at which rule checks are being run.
	// By default: 20 minutes.
	CheckInterval time.Duration

	// CheckIntervalLowPriority is like CheckInterval but for low-priority
	// benchmarks.
	CheckIntervalLowPriority time.Duration

	// EnabledConfigurationExporters lists configuration exporter that shall be
	// enabled.
	EnabledConfigurationExporters []ConfigurationExporter

	// SysProbeClient is the HTTP client to allow the execution of benchmarks
	// from system-probe. see: cmd/system-probe/modules/compliance.go
	SysProbeClient *http.Client
}

AgentOptions holds the different options to configure the compliance agent.

type Benchmark

type Benchmark struct {
	Name        string   `yaml:"name,omitempty" json:"name,omitempty"`
	FrameworkID string   `yaml:"framework,omitempty" json:"framework,omitempty"`
	Version     string   `yaml:"version,omitempty" json:"version,omitempty"`
	Tags        []string `yaml:"tags,omitempty" json:"tags,omitempty"`
	Rules       []*Rule  `yaml:"rules,omitempty" json:"rules,omitempty"`
	Source      string   `yaml:"-" json:"-"`
	Schema      struct {
		Version string `yaml:"version" json:"version"`
	} `yaml:"schema,omitempty" json:"schema,omitempty"`
	// contains filtered or unexported fields
}

Benchmark represents a set of rules that have a common identity, typically part of the same framework. It holds metadata that are shared between these rules. Rules of a same Benchmark are typically run together.

func LoadBenchmarks

func LoadBenchmarks(rootDir, glob string, ruleFilter RuleFilter) ([]*Benchmark, error)

LoadBenchmarks will read the benchmark files that are contained in the given root directory, with a name matching the specified glob. If a ruleFilter is specified, the loaded benchmarks' rules are filtered. If a benchmarks has no rules after the filter is applied, it is not part of the results.

func (*Benchmark) Valid

func (b *Benchmark) Valid() error

Valid is a validation check required for a Benchmark to be considered valid and be executed. It checks that all rules and input specs are actually valid.

type CheckContainerMeta

type CheckContainerMeta struct {
	ContainerID string `json:"container_id"`
	ImageID     string `json:"image_id"`
	ImageName   string `json:"image_name"`
	ImageTag    string `json:"image_tag"`
}

CheckContainerMeta holds metadata related to the container that has been checked.

type CheckEvent

type CheckEvent struct {
	AgentVersion string                 `json:"agent_version,omitempty"`
	RuleID       string                 `json:"agent_rule_id,omitempty"`
	RuleVersion  int                    `json:"agent_rule_version,omitempty"`
	FrameworkID  string                 `json:"agent_framework_id,omitempty"`
	Evaluator    Evaluator              `json:"evaluator,omitempty"`
	ExpireAt     *time.Time             `json:"expire_at,omitempty"`
	Result       CheckResult            `json:"result,omitempty"`
	ResourceType string                 `json:"resource_type,omitempty"`
	ResourceID   string                 `json:"resource_id,omitempty"`
	Container    *CheckContainerMeta    `json:"container,omitempty"`
	K8SManaged   *string                `json:"k8s_managed,omitempty"`
	Tags         []string               `json:"tags"`
	Data         map[string]interface{} `json:"data"`
	// contains filtered or unexported fields
}

CheckEvent is the data structure sent to the backend as a result of a rule evaluation.

func CheckEventFromError

func CheckEventFromError(evaluator Evaluator, rule *Rule, benchmark *Benchmark, err error) *CheckEvent

CheckEventFromError wraps any error into a correct CheckEvent, detecting if the underlying error should be marked as skipped or not.

func EvaluateRegoRule

func EvaluateRegoRule(ctx context.Context, resolvedInputs ResolvedInputs, benchmark *Benchmark, rule *Rule) []*CheckEvent

EvaluateRegoRule evaluates the given rule and resolved inputs map against the rule's rego program.

func EvaluateXCCDFRule

func EvaluateXCCDFRule(ctx context.Context, hostname string, statsdClient statsd.ClientInterface, benchmark *Benchmark, rule *Rule) []*CheckEvent

EvaluateXCCDFRule evaluates the given rule using OpenSCAP tool.

func NewCheckError

func NewCheckError(
	evaluator Evaluator,
	errReason error,
	resourceID,
	resourceType string,
	rule *Rule,
	benchmark *Benchmark,
) *CheckEvent

NewCheckError returns a CheckEvent with error status and associated error reason.

func NewCheckEvent

func NewCheckEvent(
	evaluator Evaluator,
	result CheckResult,
	data map[string]interface{},
	resourceID,
	resourceType string,
	rule *Rule,
	benchmark *Benchmark,
) *CheckEvent

NewCheckEvent returns a CheckEvent with given status.

func NewCheckSkipped

func NewCheckSkipped(
	evaluator Evaluator,
	skipReason error,
	resourceID,
	resourceType string,
	rule *Rule,
	benchmark *Benchmark,
) *CheckEvent

NewCheckSkipped returns a CheckEvent with skipped status.

func (*CheckEvent) String

func (e *CheckEvent) String() string

type CheckResult

type CheckResult string

CheckResult lists the different states of a check result.

const (
	// CheckPassed is used to report successful result of a rule check
	// (condition passed)
	CheckPassed CheckResult = "passed"
	// CheckFailed is used to report unsuccessful result of a rule check
	// (condition failed)
	CheckFailed CheckResult = "failed"
	// CheckError is used to report result of a rule check that resulted in an
	// error (unable to evaluate condition)
	CheckError CheckResult = "error"
	// CheckSkipped is used to report result of a rule that is being skipped.
	CheckSkipped CheckResult = "skipped"
)

type CheckStatus added in v0.9.0

type CheckStatus struct {
	RuleID      string
	Name        string
	Description string
	Version     string
	Framework   string
	Source      string
	InitError   error
	LastEvent   *CheckEvent
}

CheckStatus is used to store the last current status of each rule inside our compliance agent.

type ConfigurationExporter

type ConfigurationExporter int

ConfigurationExporter is an enum type defining all configuration export configuration processes.

const (
	// KubernetesExporter exports Kubernetes components configuration running
	// on the system.
	KubernetesExporter ConfigurationExporter = iota

	// AptExporter exports local APT configuration data.
	AptExporter

	// DBExporter exports local or containerized DB application configuration
	// data.
	DBExporter
)

type DockerProvider

type DockerProvider func(context.Context) (docker.CommonAPIClient, error)

DockerProvider is a function returning a Docker client.

type Evaluator

type Evaluator string

Evaluator is a string representing the type of evaluator that produced the event.

const (
	// RegoEvaluator uses the rego engine to evaluate a check.
	RegoEvaluator Evaluator = "rego"
	// XCCDFEvaluator uses OpenSCAP to evaluate a check.
	XCCDFEvaluator Evaluator = "xccdf"
)

type FileWatchRule

type FileWatchRule rule.FileWatchRule

FileWatchRule is used to audit access to particular files or directories that you may be interested in.

func (*FileWatchRule) Resolve

func (r *FileWatchRule) Resolve() interface{}

Resolve the file watch rule

type InputSpec

type InputSpec struct {
	File          *InputSpecFile          `yaml:"file,omitempty" json:"file,omitempty"`
	Process       *InputSpecProcess       `yaml:"process,omitempty" json:"process,omitempty"`
	Group         *InputSpecGroup         `yaml:"group,omitempty" json:"group,omitempty"`
	Audit         *InputSpecAudit         `yaml:"audit,omitempty" json:"audit,omitempty"`
	Docker        *InputSpecDocker        `yaml:"docker,omitempty" json:"docker,omitempty"`
	KubeApiserver *InputSpecKubeapiserver `yaml:"kubeApiserver,omitempty" json:"kubeApiserver,omitempty"`
	Package       *InputSpecPackage       `yaml:"package,omitempty" json:"package,omitempty"`
	XCCDF         *InputSpecXCCDF         `yaml:"xccdf,omitempty" json:"xccdf,omitempty"`
	Constants     *InputSpecConstants     `yaml:"constants,omitempty" json:"constants,omitempty"`

	TagName string `yaml:"tag,omitempty" json:"tag,omitempty"`
	Type    string `yaml:"type,omitempty" json:"type,omitempty"`
}

InputSpec is a union type that holds the description of a set of inputs to be gathered typically by a Resolver.

func (*InputSpec) Valid

func (i *InputSpec) Valid() error

Valid is a validation check required for InputSpec to be executed.

type InputSpecAudit

type InputSpecAudit struct {
	Path string `yaml:"path" json:"path"`
}

InputSpecAudit describes the spec to resolve a Linux Audit informations.

type InputSpecConstants

type InputSpecConstants map[string]interface{}

InputSpecConstants can be used to pass constants data to the evaluator.

type InputSpecDocker

type InputSpecDocker struct {
	Kind string `yaml:"kind" json:"kind"`
}

InputSpecDocker describes the spec to resolve a Docker resource informations.

type InputSpecFile

type InputSpecFile struct {
	Path   string `yaml:"path" json:"path"`
	Glob   string `yaml:"glob" json:"glob"`
	Parser string `yaml:"parser,omitempty" json:"parser,omitempty"`
}

InputSpecFile describes the spec to resolve file informations.

type InputSpecGroup

type InputSpecGroup struct {
	Name string `yaml:"name" json:"name"`
}

InputSpecGroup describes the spec to resolve a unix group informations.

type InputSpecKubeapiserver

type InputSpecKubeapiserver struct {
	Kind          string `yaml:"kind" json:"kind"`
	Version       string `yaml:"version,omitempty" json:"version,omitempty"`
	Group         string `yaml:"group,omitempty" json:"group,omitempty"`
	Namespace     string `yaml:"namespace,omitempty" json:"namespace,omitempty"`
	LabelSelector string `yaml:"labelSelector,omitempty" json:"labelSelector,omitempty"`
	FieldSelector string `yaml:"fieldSelector,omitempty" json:"fieldSelector,omitempty"`
	APIRequest    struct {
		Verb         string `yaml:"verb" json:"verb"`
		ResourceName string `yaml:"resourceName,omitempty" json:"resourceName,omitempty"`
	} `yaml:"apiRequest" json:"apiRequest"`
}

InputSpecKubeapiserver describes the spec to resolve a Kubernetes resource information from from kube-apiserver.

type InputSpecPackage

type InputSpecPackage struct {
	Names []string `yaml:"names" json:"names"`
}

InputSpecPackage defines the names of the software packages that need to be resolved

type InputSpecProcess

type InputSpecProcess struct {
	Name string   `yaml:"name" json:"name"`
	Envs []string `yaml:"envs,omitempty" json:"envs,omitempty"`
}

InputSpecProcess describes the spec to resolve process informations.

type InputSpecXCCDF

type InputSpecXCCDF struct {
	Name    string   `yaml:"name" json:"name"`
	Profile string   `yaml:"profile" json:"profile"`
	Rule    string   `yaml:"rule" json:"rule"`
	Rules   []string `yaml:"rules,omitempty" json:"rules,omitempty"`
}

InputSpecXCCDF describes the spec to resolve a XCCDF evaluation result.

type KubernetesProvider

KubernetesProvider is a function returning a Kubernetes client.

type LinuxAuditClient

type LinuxAuditClient interface {
	GetFileWatchRules() ([]*FileWatchRule, error)
	Close() error
}

LinuxAuditClient is an interface that implements the capability of parsing Linux Audit rules.

func DefaultLinuxAuditProvider

func DefaultLinuxAuditProvider(_ context.Context) (LinuxAuditClient, error)

DefaultLinuxAuditProvider returns the default Linux Audit client.

type LinuxAuditProvider

type LinuxAuditProvider func(context.Context) (LinuxAuditClient, error)

LinuxAuditProvider is a function returning a Linux Audit client.

type LogReporter

type LogReporter struct {
	// contains filtered or unexported fields
}

LogReporter is responsible for sending compliance logs to DataDog backends.

func NewLogReporter

func NewLogReporter(hostname string, sourceName, sourceType string, endpoints *config.Endpoints, dstcontext *client.DestinationsContext) *LogReporter

NewLogReporter instantiates a new log LogReporter

func (*LogReporter) Endpoints

func (r *LogReporter) Endpoints() *config.Endpoints

Endpoints returns the endpoints associated with the log reporter.

func (*LogReporter) ReportEvent

func (r *LogReporter) ReportEvent(event interface{})

ReportEvent should be used to send an event to the backend.

func (*LogReporter) Stop

func (r *LogReporter) Stop()

Stop stops the LogReporter

type ResolvedInputs

type ResolvedInputs map[string]interface{}

ResolvedInputs is the generic data structure that is returned by a Resolver and passed to the rego evaluator.

Ideally if Go did support inline JSON struct tag, this type would be: see https://github.com/golang/go/issues/6213

struct {
	Context  *ResolvingContext      `json:"context"`
	Resolved map[string]interface{} `json:",inline"`
}

func NewResolvedInputs

func NewResolvedInputs(resolvingContext ResolvingContext, resolved map[string]interface{}) (ResolvedInputs, error)

NewResolvedInputs builds a ResolvedInputs map from the given resolving context and generic resolved data.

func (ResolvedInputs) GetContext

func (r ResolvedInputs) GetContext() *ResolvingContext

GetContext returns the ResolvingContext associated with this resolved inputs.

type Resolver

type Resolver interface {
	ResolveInputs(ctx context.Context, rule *Rule) (ResolvedInputs, error)
	Close()
}

Resolver interface defines a generic method to resolve the inputs associated with a given rule. The Close() method should be called whenever the resolver is stopped being used to cleanup underlying resources.

func NewResolver

func NewResolver(ctx context.Context, opts ResolverOptions) Resolver

NewResolver returns the default inputs resolver that is able to resolve any kind of supported inputs. It holds a small cache for loaded file metadata and different client connexions that may be used for inputs resolution.

type ResolverOptions

type ResolverOptions struct {
	// Hostname is the name of the host running the resolver.
	Hostname string

	// HostRoot is the path to the mountpoint of host root filesystem. In case
	// the compliance module is run as part of a container.
	HostRoot string

	// HostRootPID sets the resolving context relative to a specific process
	// ID (optional)
	HostRootPID int32

	// StatsdClient is the statsd client used internally by the compliance
	// resolver (optional)
	StatsdClient statsd.ClientInterface

	DockerProvider
	KubernetesProvider
	LinuxAuditProvider
}

ResolverOptions is an options struct required to instantiate a Resolver instance.

type ResolvingContext

type ResolvingContext struct {
	RuleID            string                `json:"ruleID"`
	Hostname          string                `json:"hostname"`
	KubernetesCluster string                `json:"kubernetes_cluster"`
	ContainerID       string                `json:"container_id"`
	InputSpecs        map[string]*InputSpec `json:"input"`
}

ResolvingContext is part of the resolved inputs data that should be passed as the "context" field in the rego evaluator input. Note that because of the way rego bails when dereferencing an undefined key, we do not mark any json tag as "omitempty".

type ResourceLog

type ResourceLog struct {
	AgentVersion string              `json:"agent_version,omitempty"`
	ExpireAt     *time.Time          `json:"expire_at,omitempty"`
	ResourceType string              `json:"resource_type,omitempty"`
	ResourceID   string              `json:"resource_id,omitempty"`
	ResourceData interface{}         `json:"resource_data,omitempty"`
	Container    *CheckContainerMeta `json:"container,omitempty"`
	Tags         []string            `json:"tags"`
}

ResourceLog is the data structure holding a resource configuration data.

func NewResourceLog

func NewResourceLog(resourceID, resourceType string, resource interface{}) *ResourceLog

NewResourceLog returns a ResourceLog.

type Rule

type Rule struct {
	ID          string       `yaml:"id" json:"id"`
	Description string       `yaml:"description,omitempty" json:"description,omitempty"`
	SkipOnK8s   bool         `yaml:"skipOnKubernetes,omitempty" json:"skipOnKubernetes,omitempty"`
	Module      string       `yaml:"module,omitempty" json:"module,omitempty"`
	Scopes      []RuleScope  `yaml:"scope,omitempty" json:"scope,omitempty"`
	InputSpecs  []*InputSpec `yaml:"input,omitempty" json:"input,omitempty"`
	Imports     []string     `yaml:"imports,omitempty" json:"imports,omitempty"`
	Period      string       `yaml:"period,omitempty" json:"period,omitempty"`
	Filters     []string     `yaml:"filters,omitempty" json:"filters,omitempty"`
}

Rule defines a list of inputs against which we can evaluate properties. It also holds all metadata associated with the rule.

func (*Rule) HasScope

func (r *Rule) HasScope(scope RuleScope) bool

HasScope tests if the rule has the given scope.

func (*Rule) IsRego

func (r *Rule) IsRego() bool

IsRego returns true if the rule is a rego rule.

func (*Rule) IsXCCDF

func (r *Rule) IsXCCDF() bool

IsXCCDF returns true if the rule is a XCCDF / OpenSCAP rule.

type RuleFilter

type RuleFilter func(*Rule) bool

RuleFilter defines a function type that can be used to filter rules.

type RuleScope added in v0.9.0

type RuleScope string

RuleScope defines the different context in which the rule is allowed to run.

const (
	// Unscoped scope used when no particular scope is required
	Unscoped RuleScope = "none"
	// DockerScope used for rules requiring a Docker daemon running.
	DockerScope RuleScope = "docker"
	// KubernetesNodeScope used for rules requireing a kubelet process running.
	KubernetesNodeScope RuleScope = "kubernetesNode"
	// KubernetesClusterScope used for rules requireing a kube-apiserver process running.
	KubernetesClusterScope RuleScope = "kubernetesCluster"
)

Directories

Path Synopsis
Package aptconfig is a compliance submodule that is able to parse the APT tool configuration and export it as a log.
Package aptconfig is a compliance submodule that is able to parse the APT tool configuration and export it as a log.
Package dbconfig is a compliance submodule that is able to parse and export databases applications configurations.
Package dbconfig is a compliance submodule that is able to parse and export databases applications configurations.
Package k8sconfig is a compliance submodule that is able to parse the Kubernetes components configurations and export it as a log.
Package k8sconfig is a compliance submodule that is able to parse the Kubernetes components configurations and export it as a log.
Package metrics implements everything related to metrics of the pkg/compliance module.
Package metrics implements everything related to metrics of the pkg/compliance module.
Package scap implements some internal parsing of the OpenSCAP analysis results.
Package scap implements some internal parsing of the OpenSCAP analysis results.
tools
k8s_schema_generator
Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
k8s_types_generator
Package main is the entrypoint of the compliance k8s_types_generator tool that is responsible for generating various configuration types of Kubernetes components.
Package main is the entrypoint of the compliance k8s_types_generator tool that is responsible for generating various configuration types of Kubernetes components.
Package utils is a compliance internal submodule implementing various utilies.
Package utils is a compliance internal submodule implementing various utilies.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL