compliance



Overview

Package compliance defines the common interfaces and types used by the Compliance Agent: the YAML schema of a compliance suite (Suite, Rule, Resource and the per-kind resource types), the field and function names a rule condition can reference, and the status/report types the agent exposes for its checks.


Constants

// Resource kinds. Each kind names one of the resource-specific fields of
// Resource and is what Resource.Kind reports for it; KindInvalid is reported
// when the resource is not well-formed.
const (
	KindInvalid    ResourceKind = "invalid"    // resource could not be classified
	KindFile       ResourceKind = "file"       // File resource
	KindProcess    ResourceKind = "process"    // Process resource
	KindGroup      ResourceKind = "group"      // Group resource
	KindCommand    ResourceKind = "command"    // Command resource
	KindDocker     ResourceKind = "docker"     // DockerResource resource
	KindAudit      ResourceKind = "audit"      // Audit resource
	KindKubernetes ResourceKind = "kubernetes" // KubernetesResource resource
	KindCustom     ResourceKind = "custom"     // Custom check
)
// Field names exposed by a File resource.
const (
	FileFieldPath        = "file.path"        // the file's path
	FileFieldPermissions = "file.permissions" // the file's permissions
	FileFieldUser        = "file.user"        // the user reported for the file
	FileFieldGroup       = "file.group"       // the group reported for the file
)

// Function names exposed by a File resource. What each function accepts and
// returns is implemented outside this package (see the checks package).
const (
	FileFuncJQ     = "file.jq"     // apply a jq expression
	FileFuncYAML   = "file.yaml"   // query the file as YAML
	FileFuncRegexp = "file.regexp" // match a regular expression
)

Fields and functions available for a File resource; these are the names a resource's condition expression can reference.

// Field names exposed by a Process resource.
const (
	ProcessFieldName    = "process.name"    // process name
	ProcessFieldExe     = "process.exe"     // process executable
	ProcessFieldCmdLine = "process.cmdLine" // process command line
)

// Function names exposed by a Process resource for inspecting its
// command-line flags.
const (
	ProcessFuncFlag    = "process.flag"    // look up a flag
	ProcessFuncHasFlag = "process.hasFlag" // test whether a flag is present
)

Fields and functions available for a Process resource; these are the names a resource's condition expression can reference.

// Field names exposed by a KubernetesResource: the object's name and its
// group/version/kind coordinates and namespace.
const (
	KubeResourceFieldName      = "kube.resource.name"
	KubeResourceFieldGroup     = "kube.resource.group"
	KubeResourceFieldVersion   = "kube.resource.version"
	KubeResourceFieldNamespace = "kube.resource.namespace"
	KubeResourceFieldKind      = "kube.resource.kind"
)

// Function names exposed by a KubernetesResource.
const (
	KubeResourceFuncJQ = "kube.resource.jq" // apply a jq expression to the object
)

Fields and functions available for a KubernetesResource; these are the names a resource's condition expression can reference.

// GroupFieldName is the group.name field of a Group resource.
const GroupFieldName = "group.name"

// GroupFieldUsers is the group.users field of a Group resource.
const GroupFieldUsers = "group.users"

// GroupFieldID is the group.id field of a Group resource.
const GroupFieldID = "group.id"

Fields and functions available for a Group resource; these are the names a resource's condition expression can reference.

// CommandFieldExitCode is the command.exitCode field of a Command resource:
// the exit status of the executed command.
const CommandFieldExitCode = "command.exitCode"

// CommandFieldStdout is the command.stdout field of a Command resource: the
// standard output captured from the executed command.
const CommandFieldStdout = "command.stdout"

Fields and functions available for a Command resource; these are the names a resource's condition expression can reference.

// AuditFieldPath is the audit.path field of an Audit resource.
const AuditFieldPath = "audit.path"

// AuditFieldEnabled is the audit.enabled field of an Audit resource.
const AuditFieldEnabled = "audit.enabled"

// AuditFieldPermissions is the audit.permissions field of an Audit resource.
const AuditFieldPermissions = "audit.permissions"

Fields and functions available for an Audit resource; these are the names a resource's condition expression can reference.

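// Field and function names exposed by a DockerResource. Which group applies
// depends on the resource's Kind (image, container, network or the daemon
// version info).
const (
	// Fields of a docker image.
	DockerImageFieldID   = "image.id"
	DockerImageFieldTags = "image.tags"

	// Fields of a docker container.
	DockerContainerFieldID    = "container.id"
	DockerContainerFieldName  = "container.name"
	DockerContainerFieldImage = "container.image"

	// Fields of a docker network.
	DockerNetworkFieldID   = "network.id"
	DockerNetworkFieldName = "network.name"

	// Fields of the docker daemon version information.
	DockerVersionFieldVersion       = "docker.version"
	DockerVersionFieldAPIVersion    = "docker.apiVersion"
	DockerVersionFieldPlatform      = "docker.platform"
	DockerVersionFieldExperimental  = "docker.experimental"
	DockerVersionFieldOS            = "docker.os"
	DockerVersionFieldArch          = "docker.arch"
	DockerVersionFieldKernelVersion = "docker.kernelVersion"

	// DokcerVersionFieldKernelVersion is the original, misspelled name of
	// DockerVersionFieldKernelVersion. It is kept so existing callers keep
	// compiling and has the same value.
	//
	// Deprecated: use DockerVersionFieldKernelVersion.
	DokcerVersionFieldKernelVersion = DockerVersionFieldKernelVersion

	// DockerFuncTemplate applies a template to the docker resource.
	DockerFuncTemplate = "docker.template"
)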

Fields and functions available for a DockerResource; these are the names a resource's condition expression can reference. Note that the exported name DokcerVersionFieldKernelVersion is misspelled in this version and cannot be renamed without breaking callers.

Variables

// ErrUnsupportedSchemaVersion is the sentinel error returned when a suite
// declares a schema version this version of the agent does not support.
// Compare with errors.Is.
var ErrUnsupportedSchemaVersion error = errors.New("schema version not supported")

ErrUnsupportedSchemaVersion is returned for a schema version not supported by this version of the agent

Functions

func CheckName

func CheckName(ruleID string, description string) string

CheckName returns a canonical name of a check for a rule ID and description

Types

type Audit

// Audit describes an audited file resource. Its condition can reference the
// AuditFieldPath, AuditFieldEnabled and AuditFieldPermissions fields.
type Audit struct {
	// Path is the file system path whose audit status is checked.
	Path string `yaml:"path"`
}

Audit describes an audited file resource

func (*Audit) Validate

func (a *Audit) Validate() error

Validate validates audit resource

type BinaryCmd

// BinaryCmd describes a command as an executable name plus an argument
// vector. It is the non-shell form of a Command; ShellCmd is the form whose
// text is interpreted by a shell.
type BinaryCmd struct {
	// Name is the executable to run.
	Name string `yaml:"name"`
	// Args are the arguments passed to the executable.
	// NOTE(review): presumably passed as separate argv entries with no shell
	// involved, so no word splitting or expansion applies — confirm in the
	// checks package.
	Args []string `yaml:"args,omitempty"`
}

BinaryCmd describes a command in the form of an executable name plus an argument list.

func (*BinaryCmd) String

func (c *BinaryCmd) String() string

type Check

// Check is the interface for compliance checks. It is a defined type based
// on check.Check, so it carries the same method set while being a distinct
// type under this package's name.
type Check check.Check

Check is the interface for compliance checks

type CheckStatus

// CheckStatus describes the current status of one configured check; a
// CheckStatusList holds one entry per check.
type CheckStatus struct {
	// RuleID is the ID of the Rule the check was built from.
	RuleID      string
	// Name is the check's canonical name (presumably derived by CheckName
	// from RuleID and Description — confirm in the agent package).
	Name        string
	Description string
	// Version, Framework and Source presumably carry the corresponding
	// SuiteMeta values of the suite the rule came from — confirm in the
	// agent package.
	Version     string
	Framework   string
	Source      string
	// InitError records an error raised while setting up the check; nil
	// when initialisation succeeded.
	InitError   error
	// LastEvent is the most recent event produced by the check, or nil if
	// none has been produced yet.
	LastEvent   *event.Event
}

CheckStatus describes current status for a check

type CheckStatusList

// CheckStatusList describes the status of all configured checks, one
// *CheckStatus per check.
type CheckStatusList []*CheckStatus

CheckStatusList describes status for all configured checks

type CheckVisitor

// CheckVisitor is a callback invoked for each compliance check built from a
// rule. err is non-nil when the check for rule could not be built, in which
// case check may be unusable. The boolean return presumably tells the caller
// whether to keep visiting the remaining checks — confirm against the
// visitor's call site in the agent package.
type CheckVisitor func(rule *Rule, check Check, err error) bool

CheckVisitor defines a visitor func for compliance checks

type Command

// Command describes a command resource: a command the agent runs on the host
// whose exit code and output are exposed through CommandFieldExitCode and
// CommandFieldStdout. Because it executes arbitrary commands, a suite that
// contains a Command is effectively executable configuration and must only
// be loaded from a trusted source.
type Command struct {
	// BinaryCmd runs an executable with an explicit argument list.
	BinaryCmd      *BinaryCmd `yaml:"binary,omitempty"`
	// ShellCmd runs a command line through a shell; its text is interpreted
	// by that shell.
	// NOTE(review): presumably exactly one of BinaryCmd or ShellCmd is set —
	// confirm how the checks package treats both or neither being set.
	ShellCmd       *ShellCmd  `yaml:"shell,omitempty"`
	// TimeoutSeconds bounds how long the command may run. The omitempty tag
	// makes 0 indistinguishable from "not set"; the behaviour for 0 (no
	// timeout vs. a default) is not defined in this package — confirm before
	// relying on it.
	TimeoutSeconds int        `yaml:"timeout,omitempty"`
}

Command describes a command resource, which is executed and reports its exit code and/or standard output (see CommandFieldExitCode and CommandFieldStdout). Suites containing Command resources execute code on the host and must come from a trusted source.

func (*Command) String

func (c *Command) String() string

type Custom

// Custom is a special resource handled by a dedicated function rather than
// by the generic field/function evaluation of the other resource kinds.
type Custom struct {
	// Name selects the dedicated function that handles this resource.
	Name      string            `yaml:"name"`
	// Variables are free-form key/value parameters made available to that
	// function; their meaning is defined by the function, not here.
	Variables map[string]string `yaml:"variables,omitempty"`
}

Custom is a special resource handled by a dedicated function

type DockerResource

// DockerResource describes a resource obtained from the docker daemon.
type DockerResource struct {
	// Kind selects which docker object the resource refers to; the
	// DockerImageField*, DockerContainerField*, DockerNetworkField* and
	// DockerVersionField* constants name the fields exposed for each. The
	// accepted Kind values are not declared in this package.
	Kind string `yaml:"kind"`
}

DockerResource describes a resource from docker daemon

type Fallback

// Fallback specifies an optional fallback configuration for a Resource: an
// alternative Resource to evaluate, optionally guarded by its own condition.
type Fallback struct {
	// Condition is an optional expression; presumably it decides whether the
	// fallback is used (e.g. when the primary resource is absent) — confirm
	// in the checks package.
	Condition string   `yaml:"condition,omitempty"`
	// Resource is the alternative resource, with its own condition.
	Resource  Resource `yaml:"resource"`
}

Fallback specifies optional fallback configuration for a resource

type File

// File describes a file resource. Its condition can reference the
// FileField* fields and FileFunc* functions.
type File struct {
	// Path is the file system path of the file to inspect.
	Path string `yaml:"path"`
}

File describes a file resource

type Group

// Group describes a group membership resource. Its condition can reference
// the GroupField* fields (name, users, id).
type Group struct {
	// Name is the name of the group to inspect.
	Name string `yaml:"name"`
}

Group describes a group membership resource

type KubernetesAPIRequest

// KubernetesAPIRequest defines whether a KubernetesResource check targets a
// single object or a list of objects, by naming the API verb to use.
type KubernetesAPIRequest struct {
	// Verb is the API verb issued against the resource. The accepted values
	// are not declared in this package.
	Verb         string `yaml:"verb"`
	// ResourceName names a single object; presumably required for a
	// single-object verb and unused for a list — confirm in the checks
	// package.
	ResourceName string `yaml:"resourceName,omitempty"`
}

KubernetesAPIRequest defines whether the check applies to a single named object or to a list of objects.

type KubernetesResource

// KubernetesResource describes any object in Kubernetes (including CRDs),
// addressed by its group/version/kind, an optional namespace and optional
// selectors. Its condition can reference the KubeResourceField* fields and
// KubeResourceFuncJQ.
type KubernetesResource struct {
	// Kind, Version and Group identify the API resource. Version and Group
	// are optional; the behaviour when they are empty is not defined here.
	Kind      string `yaml:"kind"`
	Version   string `yaml:"version,omitempty"`
	Group     string `yaml:"group,omitempty"`
	// Namespace restricts the request to one namespace. It is optional;
	// presumably an empty value means all namespaces — confirm in the
	// checks package.
	Namespace string `yaml:"namespace,omitempty"`

	// A selector to restrict the list of returned objects by their labels.
	// Defaults to everything.
	LabelSelector string `yaml:"labelSelector,omitempty"`
	// A selector to restrict the list of returned objects by their fields.
	// Defaults to everything.
	FieldSelector string `yaml:"fieldSelector,omitempty"`

	// APIRequest chooses between a single-object and a list request.
	APIRequest KubernetesAPIRequest `yaml:"apiRequest"`
}

KubernetesResource describes any object in Kubernetes (incl. CRDs)

func (*KubernetesResource) String

func (kr *KubernetesResource) String() string

String returns human-friendly information string about the KubernetesResource

type Process

// Process describes a process resource. Its condition can reference the
// ProcessField* fields and ProcessFunc* functions.
type Process struct {
	// Name is the name of the process to look up.
	Name string `yaml:"name"`
}

Process describes a process resource

type Report

// Report contains the result of evaluating a compliance check: whether it
// passed and any data the evaluation wants to attach to the emitted event.
type Report struct {
	// Data contains arbitrary data linked to check evaluation
	Data event.Data
	// Passed defines whether check was successful or not
	Passed bool
}

Report contains the result of a compliance check

func BuildReportForUnstructured

func BuildReportForUnstructured(passed bool, obj unstructured.Unstructured) *Report

BuildReportForUnstructured returns a default Report for a Kubernetes object given as unstructured.Unstructured, with Passed set from the argument.

type Resource

// Resource describes one of the supported resource types observed by a Rule,
// together with the condition evaluated against it. Presumably exactly one
// of the resource-specific pointer fields is set; Kind reports which one, or
// KindInvalid when the resource is not well-formed (the exact validity rule
// lives in Kind and is not visible here).
type Resource struct {
	File          *File               `yaml:"file,omitempty"`
	Process       *Process            `yaml:"process,omitempty"`
	Group         *Group              `yaml:"group,omitempty"`
	// Command executes a binary or shell command on the host. A suite that
	// contains one is executable configuration and must be trusted.
	Command       *Command            `yaml:"command,omitempty"`
	Audit         *Audit              `yaml:"audit,omitempty"`
	Docker        *DockerResource     `yaml:"docker,omitempty"`
	KubeApiserver *KubernetesResource `yaml:"kubeApiserver,omitempty"`
	Custom        *Custom             `yaml:"custom,omitempty"`
	// Condition is the expression evaluated against the resource; the
	// *Field* and *Func* constants of this package name what it can
	// reference for each kind. It has no omitempty tag and is always
	// serialised.
	Condition     string              `yaml:"condition"`
	// Fallback optionally supplies an alternative resource to evaluate; see
	// Fallback for when it applies.
	Fallback      *Fallback           `yaml:"fallback,omitempty"`
}

Resource describes supported resource types observed by a Rule

func (*Resource) Kind

func (r *Resource) Kind() ResourceKind

Kind returns ResourceKind of the resource

type ResourceKind

// ResourceKind identifies which resource type a Resource holds; see the
// Kind* constants and Resource.Kind.
type ResourceKind string

ResourceKind represents resource kind

type Rule

// Rule defines a single rule in a compliance suite: its identifier, where it
// applies, and the resources whose conditions are evaluated for it.
type Rule struct {
	// ID identifies the rule; CheckName uses it (with Description) to build
	// the check's canonical name.
	ID           string        `yaml:"id"`
	Description  string        `yaml:"description,omitempty"`
	// Scope lists the RuleScope values (DockerScope, KubernetesNodeScope,
	// KubernetesClusterScope) in which the rule applies.
	Scope        RuleScopeList `yaml:"scope,omitempty"`
	// HostSelector restricts the rule to matching hosts; the selector
	// syntax is not defined in this package.
	HostSelector string        `yaml:"hostSelector,omitempty"`
	// Resources are the resources (and conditions) checked by this rule.
	Resources    []Resource    `yaml:"resources,omitempty"`
}

Rule defines a rule in a compliance config

type RuleScope

// RuleScope defines the scope in which a rule is applicable; the valid
// values are the *Scope constants below.
type RuleScope string

RuleScope defines scope for applicability of a rule

// Scopes a Rule can declare in Rule.Scope; see RuleScopeList.Includes.
const (
	DockerScope            = RuleScope("docker")            // docker host scope
	KubernetesNodeScope    = RuleScope("kubernetesNode")    // kubernetes node scope
	KubernetesClusterScope = RuleScope("kubernetesCluster") // kubernetes cluster scope
)

type RuleScopeList

// RuleScopeList is the set of scopes a rule applies to; membership is tested
// with Includes.
type RuleScopeList []RuleScope

RuleScopeList is a set of RuleScopes

func (RuleScopeList) Includes

func (l RuleScopeList) Includes(ruleScope RuleScope) bool

Includes returns true if RuleScopeList includes the specified RuleScope value

type ShellCmd

// ShellCmd describes a command to be run through a shell. Unlike BinaryCmd,
// the Run text is interpreted by the shell, so anything in it (expansions,
// pipes, redirections) is executed as written; a suite carrying a ShellCmd
// must only be loaded from a trusted source.
type ShellCmd struct {
	// Run is the command line handed to the shell.
	Run   string     `yaml:"run"`
	// Shell optionally names the shell (and its arguments) used to run Run;
	// presumably a default shell is used when nil — confirm in the checks
	// package.
	Shell *BinaryCmd `yaml:"shell,omitempty"`
}

ShellCmd describes a command to be run through a shell. The run string is interpreted by that shell, so a suite containing one is effectively executable configuration and must come from a trusted source.

func (*ShellCmd) String

func (c *ShellCmd) String() string

type Suite

// Suite represents a set of compliance checks reporting events: suite
// metadata (inlined at the top level of the YAML document) followed by the
// rules it contains.
type Suite struct {
	// Meta holds the suite's metadata; its fields are inlined into the
	// suite document rather than nested under a key.
	Meta  SuiteMeta `yaml:",inline"`
	// Rules are the rules that make up the suite.
	Rules []Rule    `yaml:"rules,omitempty"`
}

Suite represents a set of compliance checks reporting events

func ParseSuite

func ParseSuite(config string) (*Suite, error)

ParseSuite parses a single compliance suite from the YAML text in config. A suite's rules may contain Command resources (BinaryCmd or ShellCmd) that are executed on the host, so suite definitions must only be loaded from trusted sources.

type SuiteMeta

// SuiteMeta contains the metadata of a compliance suite. It is inlined into
// the Suite document.
type SuiteMeta struct {
	// Schema declares the suite schema version; an unsupported version is
	// reported as ErrUnsupportedSchemaVersion.
	Schema    SuiteSchema `yaml:"schema,omitempty"`
	Name      string      `yaml:"name,omitempty"`
	// Framework and Version identify the compliance framework (and its
	// version) the suite implements.
	Framework string      `yaml:"framework,omitempty"`
	Version   string      `yaml:"version,omitempty"`
	Tags      []string    `yaml:"tags,omitempty"`
	// Source is not read from YAML (tag "-"); it is filled in by the
	// loader, presumably with where the suite was loaded from — confirm in
	// the agent package.
	Source    string      `yaml:"-"`
}

SuiteMeta contains metadata for a compliance suite

type SuiteSchema

// SuiteSchema defines the schema versioning of a compliance suite.
type SuiteSchema struct {
	// Version is the schema version string; versions this agent does not
	// support result in ErrUnsupportedSchemaVersion.
	Version string `yaml:"version"`
}

SuiteSchema defines versioning for a compliance suite

Directories

Path Synopsis
Package agent implements the Compliance Agent entrypoint
Package agent implements the Compliance Agent entrypoint
Package checks implements Compliance Agent checks
Package checks implements Compliance Agent checks
env
