- Constants
- Variables
- func CheckEmptyPasswdRoot(fs api.FileSystem) ([]*event.EscapeDetail, error)
- func ContainerCVECheck(fs api.FileSystem) ([]*event.EscapeDetail, error)
- func ContainerDockerAPiCheck(fs api.FileSystem) ([]*event.EscapeDetail, error)
- func ContainerUnsafeCapCheck(fs api.FileSystem) ([]*event.EscapeDetail, error)
- func ContainerUnsafeMount(fs api.FileSystem) ([]*event.EscapeDetail, error)
- func SudoFileCheck(fs api.FileSystem) ([]*event.EscapeDetail, error)
- func UnsafePrivCheck(fs api.FileSystem) ([]*event.EscapeDetail, error)
- func UnsafeSuidCheck(fs api.FileSystem) ([]*event.EscapeDetail, error)
- type CVE
- type CheckFunc
Constants ¶
// Permission-bit selectors used by the file-permission checks.  The values
// coincide with the POSIX "w" (2) and "r" (4) bits, which suggests they are
// masked against a mode's "other" bits (READREASON/WRITEREASON speak of
// "all users") — confirm in UnsafePrivCheck.  checkMode is declared
// elsewhere in this package.
const (
	WRITE checkMode = 2
	READ  checkMode = 4
)

// Regular expressions used by the kernel-CVE and sudoers checks.
const (
	// KERNELPATTERN matches Debian/Ubuntu-style release strings such as
	// "5.4.0-42-generic" (major.minor.patch-build-flavour).  It does NOT
	// match a vanilla "5.15.0" or a RHEL-style "3.10.0-1160.el7.x86_64"
	// string, so on those distributions the CVE check may never see a
	// kernel version; what it reports in that case is not visible here —
	// verify against ContainerCVECheck before relying on a clean result.
	KERNELPATTERN string = `([0-9]{1,})\.([0-9]{1,})\.([0-9]{1,})-[0-9]{1,}-[a-zA-Z]{1,}`
	// SUDOREGEX captures the user (group 1) and the command spec (group 2)
	// of a sudoers rule such as "alice ALL=(ALL) NOPASSWD: ALL".  The
	// pattern is unanchored: a "%group" rule matches with the "%" dropped
	// from group 1, and a commented-out rule ("# alice ALL=(ALL) ALL")
	// matches too unless the caller skips comment lines — TODO confirm.
	SUDOREGEX string = `(\w{1,})\s\w{1,}=\(.*\)\s(.*)`
)

// Human-readable reasons attached to the EscapeDetail findings each check
// produces.  They are reported verbatim, so keep them stable.
const (
	CVEREASON         string = "Your system has an insecure kernel version that is affected by a CVE vulnerability:"
	DOCKERAPIREASON   string = "Docker remote API is opened which is can be used for escalating"
	SUDOREASON        string = "This file is granted sudo privileges and can be used for escalating,you can check it in /etc/sudoers"
	MOUNTREASON       string = "There are some sensitive files or directory mounted"
	READREASON        string = "This file is sensitive and is readable to all users"
	WRITEREASON       string = "This file is sensitive and is writable to all users"
	SUIDREASON        string = "This file is granted suid privileges and belongs to root. And this file can be interacted with, there is a risk of elevation"
	EMPTYPASSWDREASON string = "This user is privileged but does not have a password set"
	CAPREASON         string = "There are unsafe linux capability granted"
)
Variables ¶
// Registries of check functions.  ImageCheckList holds the checks that run
// against an image filesystem and ContainerCheckList those that run against
// a container.  Both start non-nil and empty; they are presumably populated
// by init() or a registration call elsewhere in the package — TODO confirm.
var (
	ImageCheckList     = []CheckFunc{}
	ContainerCheckList = []CheckFunc{}
)
// UnSafeCapList names the Linux capabilities whose presence in a container
// is treated as an escape risk (presumably consumed by
// ContainerUnsafeCapCheck).  It is a deliberately short list of well-known
// escape primitives, not an exhaustive one — capabilities such as
// CAP_SYS_RAWIO or CAP_NET_ADMIN are not covered — so "no finding" means
// "none of these five", not "safe".
var UnSafeCapList = []string{
	"CAP_DAC_READ_SEARCH", // read arbitrary host files via open_by_handle_at
	"CAP_SYS_MODULE",      // load kernel modules into the shared host kernel
	"CAP_SYS_PTRACE",      // trace/inject into processes in a shared PID namespace
	"CAP_SYS_ADMIN",       // mount and most other privileged operations
	"CAP_DAC_OVERRIDE",    // bypass file read/write/execute permission checks
}
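// UnsafeMountPaths lists host paths that are considered dangerous when they
// appear as a mount source inside a container (presumably consumed by
// ContainerUnsafeMount).  How a mount is compared against this list — exact
// string match or path prefix — is not visible here; with prefix matching
// "/" alone would cover everything and the sub-paths (e.g. /var/lib/kubelet/pki)
// would be redundant, so confirm the matching mode before editing the list.
//
// Because the comparison is string-based, both spellings of a runtime socket
// are listed: on most distributions /var/run is a symlink to /run, and a pod
// spec or docker -v flag may name either one.  The default containerd socket
// is /run/containerd/containerd.sock; the bare /run/containerd.sock entry is
// kept for backward compatibility but does not match the default location.
var UnsafeMountPaths = []string{
	"/lxcfs",
	"/",
	"/etc",
	"/var",
	"/proc",
	"/sys",
	"/etc/crontab",
	"/etc/passwd",
	"/etc/shadow",
	"/root/.ssh",
	"/var/run/docker.sock",
	"/run/containerd.sock",
	"/var/run/crio/crio.sock",
	"/var/lib/kubelet",
	"/var/lib/kubelet/pki",
	"/etc/kubernetes",
	"/etc/kubernetes/manifests",
	"/var/log",
	// Runtime sockets: write access to any of these is root on the host.
	"/run/docker.sock",                // /var/run/docker.sock via the /var/run -> /run symlink
	"/run/containerd/containerd.sock", // containerd's default socket path
	"/run/crio/crio.sock",             // /var/run/crio/crio.sock via the /var/run -> /run symlink
}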
Functions ¶
func CheckEmptyPasswdRoot ¶
func CheckEmptyPasswdRoot(fs api.FileSystem) ([]*event.EscapeDetail, error)
func ContainerCVECheck ¶
func ContainerCVECheck(fs api.FileSystem) ([]*event.EscapeDetail, error)
ContainerCVECheck takes fs api.FileSystem only so that its signature matches the other check functions; the argument is not used.
func ContainerDockerAPiCheck ¶
func ContainerDockerAPiCheck(fs api.FileSystem) ([]*event.EscapeDetail, error)
func ContainerUnsafeCapCheck ¶
func ContainerUnsafeCapCheck(fs api.FileSystem) ([]*event.EscapeDetail, error)
func ContainerUnsafeMount ¶
func ContainerUnsafeMount(fs api.FileSystem) ([]*event.EscapeDetail, error)
func SudoFileCheck ¶
func SudoFileCheck(fs api.FileSystem) ([]*event.EscapeDetail, error)
func UnsafePrivCheck ¶
func UnsafePrivCheck(fs api.FileSystem) ([]*event.EscapeDetail, error)
func UnsafeSuidCheck ¶
func UnsafeSuidCheck(fs api.FileSystem) ([]*event.EscapeDetail, error)
Types ¶
type CheckFunc ¶
// CheckFunc is the signature shared by every check in this package: it
// inspects the given filesystem and returns zero or more EscapeDetail
// findings, or an error.  ImageCheckList and ContainerCheckList hold
// values of this type.
type CheckFunc func(api.FileSystem) ([]*event.EscapeDetail, error)