Overview ¶
Package compliance defines the common interfaces and types used by the Compliance Agent: rule and suite configuration (parsed from YAML), the resource kinds a rule can observe, and the Report/CheckStatus types produced by check evaluation.
Constants ¶
// ResourceKind values. Each kind presumably corresponds to one of the optional
// pointer fields of ResourceCommon and is what ResourceCommon.Kind reports —
// confirm against the Kind implementation.
const (
	// KindInvalid is set in case resource is invalid
	KindInvalid = ResourceKind("invalid")
	// KindFile is used for a file resource
	KindFile = ResourceKind("file")
	// KindProcess is used for a Process resource
	KindProcess = ResourceKind("process")
	// KindGroup is used for a Group resource
	KindGroup = ResourceKind("group")
	// KindCommand is used for a Command resource
	KindCommand = ResourceKind("command")
	// KindDocker is used for a DockerResource resource
	KindDocker = ResourceKind("docker")
	// KindAudit is used for an Audit resource
	KindAudit = ResourceKind("audit")
	// KindKubernetes is used for a KubernetesResource
	KindKubernetes = ResourceKind("kubernetes")
	// KindConstants is used for Constants check
	KindConstants = ResourceKind("constants")
	// KindCustom is used for a Custom check
	KindCustom = ResourceKind("custom")
)
// Fields & functions available for File. These are the names by which a File
// resource's attributes are addressed; presumably they are referenced from
// Resource.Condition expressions — confirm against the evaluator.
const (
	FileFieldGlob        = "file.glob"
	FileFieldPath        = "file.path"
	FileFieldPermissions = "file.permissions"
	FileFieldUser        = "file.user"
	FileFieldGroup       = "file.group"
	// FileFieldContent exposes the raw file content to the evaluator. A rule
	// that reads a sensitive file (keys, credentials) may therefore surface
	// that content in Report.Data — TODO confirm what is scrubbed before
	// the report is emitted.
	FileFieldContent = "file.content"
	// Functions that parse file content (JSON via jq, YAML, regular expression).
	FileFuncJQ     = "file.jq"
	FileFuncYAML   = "file.yaml"
	FileFuncRegexp = "file.regexp"
)
Fields & functions available for File
// Fields & functions available for Process. Field names address attributes of
// a running process; the two Func entries presumably look up a single
// command-line flag and test for its presence — confirm against the evaluator.
const (
	ProcessFieldName    = "process.name"
	ProcessFieldExe     = "process.exe"
	ProcessFieldCmdLine = "process.cmdLine"
	ProcessFieldFlags   = "process.flags"
	ProcessFuncFlag     = "process.flag"
	ProcessFuncHasFlag  = "process.hasFlag"
)
Fields & functions available for Process
// Fields & functions available for KubernetesResource. The fields mirror the
// identifying metadata of a Kubernetes object (name, group/version/kind,
// namespace, resource); KubeResourceFuncJQ presumably runs a jq expression over
// the object — confirm against the evaluator.
const (
	KubeResourceFieldName      = "kube.resource.name"
	KubeResourceFieldGroup     = "kube.resource.group"
	KubeResourceFieldVersion   = "kube.resource.version"
	KubeResourceFieldNamespace = "kube.resource.namespace"
	KubeResourceFieldKind      = "kube.resource.kind"
	KubeResourceFieldResource  = "kube.resource.resource"
	KubeResourceFuncJQ         = "kube.resource.jq"
)
Fields & functions available for KubernetesResource
// Fields & functions available for Group (a local user group: its name, member
// users and numeric id).
const (
	GroupFieldName  = "group.name"
	GroupFieldUsers = "group.users"
	GroupFieldID    = "group.id"
)
Fields & functions available for Group
// Fields & functions available for Command: the exit code and standard output
// of the executed command. Stdout is captured into the evaluation, so a
// command printing secrets may leak them into Report.Data — treat suite
// commands with the same care as the host's own scripts.
const (
	CommandFieldExitCode = "command.exitCode"
	CommandFieldStdout   = "command.stdout"
)
Fields & functions available for Command
// Fields & functions available for Audit (a file watched by the audit
// subsystem: its path, whether auditing is enabled for it, and the audited
// permissions).
const (
	AuditFieldPath        = "audit.path"
	AuditFieldEnabled     = "audit.enabled"
	AuditFieldPermissions = "audit.permissions"
)
Fields & functions available for Audit
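// Fields & functions available for Docker. The prefix selects the object the
// DockerResource.Kind refers to (image, container, network, info, version);
// the *Inspect entries presumably expose the daemon's full inspect output and
// DockerFuncTemplate renders a Go template over it — confirm against the
// evaluator.
const (
	DockerImageFieldID   = "image.id"
	DockerImageFieldTags = "image.tags"
	DockerImageInspect   = "image.inspect"

	DockerContainerFieldID    = "container.id"
	DockerContainerFieldName  = "container.name"
	DockerContainerFieldImage = "container.image"
	DockerContainerInspect    = "container.inspect"

	DockerNetworkFieldID      = "network.id"
	DockerNetworkFieldName    = "network.name"
	DockerNetworkFieldInspect = "network.inspect"

	DockerInfoInspect = "info.inspect"

	DockerVersionFieldVersion      = "docker.version"
	DockerVersionFieldAPIVersion   = "docker.apiVersion"
	DockerVersionFieldPlatform     = "docker.platform"
	DockerVersionFieldExperimental = "docker.experimental"
	DockerVersionFieldOS           = "docker.os"
	DockerVersionFieldArch         = "docker.arch"
	// DockerVersionFieldKernelVersion is the correctly spelled name of the
	// kernel-version field.
	DockerVersionFieldKernelVersion = "docker.kernelVersion"
	// DokcerVersionFieldKernelVersion is kept so existing callers keep
	// compiling; it has the same value as DockerVersionFieldKernelVersion.
	//
	// Deprecated: use DockerVersionFieldKernelVersion instead.
	DokcerVersionFieldKernelVersion = DockerVersionFieldKernelVersion

	DockerFuncTemplate = "docker.template"
)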
Fields & functions available for Docker
Variables ¶
// ErrUnsupportedSchemaVersion is a sentinel; callers should test for it with
// errors.Is rather than comparing error strings, so that wrapping still works.
var ErrUnsupportedSchemaVersion = errors.New("schema version not supported")
ErrUnsupportedSchemaVersion is returned for a schema version not supported by this version of the agent
Functions ¶
Types ¶
type Audit ¶
type Audit struct {
	// Path is the file whose audit state is inspected; the audit.* field
	// names (AuditFieldPath, AuditFieldEnabled, AuditFieldPermissions) are
	// presumably resolved against this file — confirm against the resolver.
	Path string `yaml:"path"`
}
Audit describes an audited file resource
type CheckStatus ¶
type CheckStatus struct {
	// RuleID, Name, Description identify the check; Version, Framework and
	// Source come from the suite metadata it was loaded from (see SuiteMeta).
	RuleID      string
	Name        string
	Description string
	Version     string
	Framework   string
	Source      string
	// InitError, when non-nil, records that the check could not be set up
	// (inferred from the name — confirm with the producer).
	InitError error
	// LastEvent is the most recent event emitted by the check; a nil pointer
	// presumably means nothing has been reported yet.
	LastEvent *event.Event
}
CheckStatus describes current status for a check
type CheckStatusList ¶
// CheckStatusList holds pointers, so entries may be mutated in place by whoever
// owns the list; callers exposing it (e.g. to a status endpoint) should copy
// what they need.
type CheckStatusList []*CheckStatus
CheckStatusList describes status for all configured checks
type CheckVisitor ¶
// CheckVisitor is invoked once per configured check with the rule it was built
// from, the check itself, and any error raised while building it (in which
// case check is presumably unusable). The returned bool presumably controls
// whether the visit continues — confirm against the caller.
type CheckVisitor func(rule *RuleCommon, check Check, err error) bool
CheckVisitor defines a visitor func for compliance checks
type Command ¶
type Command struct {
	// Exactly one of BinaryCmd / ShellCmd is expected to be set; both are
	// optional in YAML and the behaviour when both (or neither) are present is
	// not defined here — confirm against the resolver.
	BinaryCmd *BinaryCmd `yaml:"binary,omitempty"`
	ShellCmd  *ShellCmd  `yaml:"shell,omitempty"`
	// TimeoutSeconds bounds the command's run time. With omitempty an unset
	// value arrives as 0; whether 0 means "no timeout" or a default is not
	// defined here — TODO confirm. Security: commands described here run on the
	// monitored host, so suite files must be treated as trusted, executable
	// configuration and protected accordingly.
	TimeoutSeconds int `yaml:"timeout,omitempty"`
}
Command describes a command resource usually reporting exit code or output
type ConditionFallbackRule ¶
type ConditionFallbackRule struct {
	// RuleCommon carries id, description, scope and host selector (inlined in YAML).
	RuleCommon `yaml:",inline"`
	// ResourceType is optional; its meaning (a type filter? a reported type?)
	// is not defined here — confirm against the consumer.
	ResourceType string `yaml:"resourceType,omitempty"`
	// Resources are the resources evaluated by this rule, each with its own
	// condition and optional fallback; ResourceCount reports len(Resources).
	Resources []Resource `yaml:"resources,omitempty"`
}
ConditionFallbackRule defines a condition-based rule in a compliance config: a list of resources, each evaluated against its own condition with an optional fallback.
func (*ConditionFallbackRule) Common ¶
func (r *ConditionFallbackRule) Common() *RuleCommon
Common returns the common field between all rules
func (*ConditionFallbackRule) ResourceCount ¶
func (r *ConditionFallbackRule) ResourceCount() int
ResourceCount returns the count of resources
type ConstantsResource ¶
type ConstantsResource struct {
	// Values holds the constant key/value pairs; because the map is inlined
	// in YAML, every key under the resource becomes an entry here.
	Values map[string]interface{} `yaml:",inline"`
}
ConstantsResource describes a resource whose values are fixed constants taken verbatim from the suite configuration.
type Custom ¶
type Custom struct {
	// Name selects the dedicated check function that handles this resource.
	Name string `yaml:"name"`
	// Variables are optional string parameters handed to that function;
	// their keys are function-specific and not validated here.
	Variables map[string]string `yaml:"variables,omitempty"`
}
Custom is a special resource handled by a dedicated function
type DockerResource ¶
type DockerResource struct {
	// Kind names the docker object type to inspect. It is a plain string
	// here; presumably it maps onto the image/container/network/info/version
	// field prefixes listed in the Docker constants — confirm against the resolver.
	Kind string `yaml:"kind"`
}
DockerResource describes a resource from docker daemon
type Fallback ¶
type Fallback struct {
	// Condition optionally gates the fallback; when empty the fallback
	// presumably applies unconditionally — confirm against the evaluator.
	Condition string `yaml:"condition,omitempty"`
	// Resource is evaluated in place of the primary resource when the fallback
	// is taken. It is a full Resource and may itself carry a Fallback; whether
	// nesting is bounded is not defined here.
	Resource Resource `yaml:"resource"`
}
Fallback specifies optional fallback configuration for a resource
type Group ¶
type Group struct {
	// Name is the local group to look up; the group.* fields
	// (name, users, id) are resolved for it.
	Name string `yaml:"name"`
}
Group describes a group membership resource
type KubeUnstructuredResource ¶
type KubeUnstructuredResource struct {
	// Embedding exposes the whole unstructured object; ID and Type are added
	// so the value satisfies ReportResource.
	unstructured.Unstructured
}
KubeUnstructuredResource wraps a Kubernetes unstructured.Unstructured object and adds the ID and Type methods that make it satisfy the ReportResource interface.
func NewKubeUnstructuredResource ¶
func NewKubeUnstructuredResource(obj unstructured.Unstructured) *KubeUnstructuredResource
NewKubeUnstructuredResource instantiates a new KubeUnstructuredResource
func (*KubeUnstructuredResource) ID ¶
func (kr *KubeUnstructuredResource) ID() string
ID returns the resource identifier
func (*KubeUnstructuredResource) Type ¶
func (kr *KubeUnstructuredResource) Type() string
Type returns the resource type
type KubernetesAPIRequest ¶
type KubernetesAPIRequest struct {
	// Verb is the API verb used for the request (e.g. a single-object read vs.
	// a list). The agent's RBAC must grant this verb on the targeted
	// group/version/kind; keep it to the least verb the check needs.
	Verb string `yaml:"verb"`
	// ResourceName, when set, narrows the request to one named object;
	// when empty the request presumably applies to the whole list.
	ResourceName string `yaml:"resourceName,omitempty"`
}
KubernetesAPIRequest defines whether the check applies to a single named object or to a list of objects, and which API verb is used to fetch them.
type KubernetesResource ¶
type KubernetesResource struct {
	// Kind is required; Version and Group are optional and, when empty,
	// presumably let the API discovery pick the served group/version.
	Kind    string `yaml:"kind"`
	Version string `yaml:"version,omitempty"`
	Group   string `yaml:"group,omitempty"`
	// Namespace is optional; an empty value presumably means all namespaces
	// (cluster-wide request) — confirm, as that widens the RBAC needed.
	Namespace string `yaml:"namespace,omitempty"`
	// A selector to restrict the list of returned objects by their labels.
	// Defaults to everything.
	LabelSelector string `yaml:"labelSelector,omitempty"`
	// A selector to restrict the list of returned objects by their fields.
	// Defaults to everything.
	FieldSelector string `yaml:"fieldSelector,omitempty"`
	// APIRequest chooses the verb and, optionally, a single object name.
	APIRequest KubernetesAPIRequest `yaml:"apiRequest"`
}
KubernetesResource describes any object in Kubernetes (incl. CRDs)
func (*KubernetesResource) String ¶
func (kr *KubernetesResource) String() string
String returns human-friendly information string about the KubernetesResource
type Process ¶
type Process struct {
	// Name is the process name to match; the process.* fields and functions
	// (exe, cmdLine, flags, flag, hasFlag) are resolved for the matched process.
	Name string `yaml:"name"`
}
Process describes a process resource
type RegoInput ¶
type RegoInput struct {
	// ResourceCommon selects which resource (file, process, command, ...)
	// feeds this input; inlined in YAML.
	ResourceCommon `yaml:",inline"`
	// TagName is the key under which the resource is exposed to the Rego
	// module.
	TagName string `yaml:"tag"`
	// Type is the input type as written in the suite; ValidateInputType
	// checks it and returns an error for unsupported values.
	Type string `yaml:"type"`
}
RegoInput describes supported resource types observed by a Rego Rule
func (*RegoInput) ValidateInputType ¶
ValidateInputType returns the validated input type or an error
type RegoRule ¶
type RegoRule struct {
	// RuleCommon carries id, description, scope and host selector (inlined in YAML).
	RuleCommon `yaml:",inline"`
	// Inputs are the resources made available to the policy, keyed by their tag.
	Inputs []RegoInput `yaml:"input,omitempty"`
	// Module is the Rego policy source and Imports the modules it pulls in.
	// This is executable policy loaded from configuration: a suite file that
	// can be written by an attacker can change what the agent reports, so
	// suite files must be protected like code.
	Module  string   `yaml:"module,omitempty"`
	Imports []string `yaml:"imports,omitempty"`
	// Findings presumably names the Rego query whose results become the
	// report findings — confirm against the evaluator.
	Findings string `yaml:"findings,omitempty"`
}
RegoRule defines a policy-based rule in a compliance config: its inputs are resolved resources and the verdict is computed by the embedded Rego module.
func (*RegoRule) Common ¶
func (r *RegoRule) Common() *RuleCommon
Common returns the common field between all rules
func (*RegoRule) ResourceCount ¶
ResourceCount returns the count of resources
type Report ¶
type Report struct {
	// Data contains arbitrary data linked to check evaluation
	Data event.Data
	// Resource associated with the report
	Resource ReportResource
	// Passed defines whether check was successful or not
	Passed bool
	// Aggregated defines whether check was aggregated or not
	Aggregated bool
	// Evaluator defines the eval engine that was used to generate this report
	Evaluator string
	// Error of the check evaluation. When non-nil, Passed should not be read
	// as a verdict (see BuildReportForError) — confirm with the consumer.
	Error error
}
Report contains the result of a compliance check
func BuildReportForError ¶
BuildReportForError returns a report for the given error
func BuildReportForUnstructured ¶
func BuildReportForUnstructured(passed, aggregated bool, obj *KubeUnstructuredResource) *Report
BuildReportForUnstructured returns default Report for Kubernetes objects
type ReportResource ¶
ReportResource holds the id and type of the resource associated with a report
type Resource ¶
type Resource struct {
	// ResourceCommon selects the concrete resource (file, process, ...); inlined in YAML.
	ResourceCommon `yaml:",inline"`
	// Condition is the expression evaluated against the resolved resource.
	// Unlike most fields it has no omitempty, so it is always serialized.
	Condition string `yaml:"condition"`
	// Fallback is optionally consulted when this resource cannot be used
	// (the exact trigger is defined by the evaluator, not here).
	Fallback *Fallback `yaml:"fallback,omitempty"`
}
Resource describes supported resource types observed by a Rule
type ResourceCommon ¶
type ResourceCommon struct {
	// Exactly one of the following pointers is expected to be non-nil; Kind
	// reports which one (see ResourceKind). Nothing in the type itself
	// enforces that only one is set — confirm where that is validated.
	File          *File               `yaml:"file,omitempty"`
	Process       *Process            `yaml:"process,omitempty"`
	Group         *Group              `yaml:"group,omitempty"`
	Command       *Command            `yaml:"command,omitempty"`
	Audit         *Audit              `yaml:"audit,omitempty"`
	Docker        *DockerResource     `yaml:"docker,omitempty"`
	KubeApiserver *KubernetesResource `yaml:"kubeApiserver,omitempty"`
	Constants     *ConstantsResource  `yaml:"constants,omitempty"`
	Custom        *Custom             `yaml:"custom,omitempty"`
}
ResourceCommon describes the base fields of resource types
func (*ResourceCommon) Kind ¶
func (r *ResourceCommon) Kind() ResourceKind
Kind returns ResourceKind of the resource
type Rule ¶
// Rule is satisfied by *ConditionFallbackRule and *RegoRule (both have
// pointer-receiver Common and ResourceCount methods).
type Rule interface {
	// ResourceCount returns how many resources the rule evaluates.
	ResourceCount() int
	// Common returns the fields shared by every rule kind.
	Common() *RuleCommon
}
Rule defines an interface for rego and condition-fallback rules
type RuleCommon ¶
type RuleCommon struct {
	// ID is the rule identifier (required in YAML); it is what CheckStatus.RuleID
	// and CheckName refer to.
	ID string `yaml:"id"`
	// Description is free text shown with the check.
	Description string `yaml:"description,omitempty"`
	// Scope lists where the rule applies (see RuleScopeList.Includes).
	Scope RuleScopeList `yaml:"scope,omitempty"`
	// HostSelector optionally restricts the rule to matching hosts; its
	// syntax is not defined here — confirm against the consumer.
	HostSelector string `yaml:"hostSelector,omitempty"`
}
RuleCommon defines the base fields of a rule in a compliance config
type RuleScopeList ¶
// RuleScopeList is a plain slice; membership is tested with Includes, and a
// nil list includes nothing.
type RuleScopeList []RuleScope
RuleScopeList is a set of RuleScopes
func (RuleScopeList) Includes ¶
func (l RuleScopeList) Includes(ruleScope RuleScope) bool
Includes returns true if RuleScopeList includes the specified RuleScope value
type Suite ¶
type Suite struct {
	// Meta is inlined, so schema/name/framework/version/tags sit at the top
	// level of the suite document.
	Meta SuiteMeta `yaml:",inline"`
	// Rules are condition/fallback rules (YAML key "rules");
	// RegoRules are policy rules (YAML key "regos"). Both may be empty.
	Rules     []ConditionFallbackRule `yaml:"rules,omitempty"`
	RegoRules []RegoRule              `yaml:"regos,omitempty"`
}
Suite represents a set of compliance checks reporting events
func ParseSuite ¶
ParseSuite loads a single compliance suite
type SuiteMeta ¶
type SuiteMeta struct {
	// Schema carries the suite schema version; unsupported versions are
	// reported via ErrUnsupportedSchemaVersion.
	Schema    SuiteSchema `yaml:"schema,omitempty"`
	Name      string      `yaml:"name,omitempty"`
	Framework string      `yaml:"framework,omitempty"`
	Version   string      `yaml:"version,omitempty"`
	Tags      []string    `yaml:"tags,omitempty"`
	// Source is excluded from YAML (tag "-"); it is filled in by the loader,
	// presumably with the path the suite was read from.
	Source string `yaml:"-"`
}
SuiteMeta contains metadata for a compliance suite
type SuiteSchema ¶
type SuiteSchema struct {
	// Version is the schema version string declared by the suite file.
	Version string `yaml:"version"`
}
SuiteSchema defines versioning for a compliance suite