Open Source runtime scanner for OpenShift cluster and perform security audit checks based on CIS RedHat OpenShift Benchmark specification

License test coverage badge Gitter
openshift-ordeal logo

OpenShift-Ordeal

Scan your Openshift cluster !!

OpenShift-Ordeal is an open source audit scanner who perform audit check on OpenShift Cluster and output it security report.

The audit tests are the full implementation of CIS openshift Benchmark specification

audit result now can be leveraged as webhook via user plugin(using go plugin)

Audit checks are performed on OpenShift cluster, and output audit report include :

  1. root cause of the security issue.
  2. proposed remediation for security issue

Openshift cluster scan output:


Installation

git clone https://github.com/chen-keinan/openshift-ordeal
cd openshift-ordeal
make build
./openshift-ordeal

Note : openshift-ordeal require privileged user to execute tests.

Quick Start

Usage: openshift-ordeal [--version] [--help] <command> [<args>]

Available commands are:
  -r , --report :  run audit tests and generate failure and warn report
  -i , --include:  execute only specific audit test,   example -i=1.2.3,1.4.5
  -e , --exclude:  ignore specific audit tests,  example -e=1.2.3,1.4.5
  -c , --classic:  test report in classic view,  example -c

User Plugin Usage

The openshift-ordeal expose hook for user plugins Example :

  • openshiftBenchAuditResultHook - this hook accepts audit benchmark results as found by audit test
Compile user plugin
go build -buildmode=plugin -o=~/<plugin folder>/bench_plugin.so /<plugin folder>/bench_plugin.go
Copy plugin to folder (.openshift-ordeal folder is created on the 1st startup)
cp /<plugin folder>/bench_plugin.so ~/.openshift-ordeal/plugins/compile/bench_plugin.so

Note: Plugin and binary must compile with the same linux env

Supported Specs

The openshift-ordeal support cis specs and can be easily extended:

  • master config file change spec CIS openshift Benchmark specification both specs can be easily extended by amended the spec files under ~/.openshift-ordeal/benchmarks/openshift/v1.0.0 folder

Contribution

  • code contribution is welcome !! , contribution with tests and passing linter is more than welcome :)
  • /.dev folder include vagrantfile to be used for development : Dev Instruction
Owner
chenk
open-source enthusiasts, coder, passionate about technology and delivering secure software
chenk
Similar Resources

Go-gke-pulumi - A simple example that deploys a GKE cluster and an application to the cluster using pulumi

This example deploys a Google Cloud Platform (GCP) Google Kubernetes Engine (GKE) cluster and an application to it

Jan 25, 2022

kubetnl tunnels TCP connections from within a Kubernetes cluster to a cluster-external endpoint, e.g. to your local machine. (the perfect complement to kubectl port-forward)

kubetnl kubetnl (kube tunnel) is a command line utility to tunnel TCP connections from within a Kubernetes to a cluster-external endpoint, e.g. to you

Nov 16, 2021

A pod scaler golang app that can scale replicas either inside of cluster or out of the cluster

pod-scaler A simple pod scaler golang application that can scale replicas via manipulating the deployment Technologies The project has been created us

Oct 24, 2021

Influxdb-cluster - InfluxDB Cluster for replacing InfluxDB Enterprise

InfluxDB ATTENTION: Around January 11th, 2019, master on this repository will be

Sep 27, 2022

A Terraform module to manage cluster authentication (aws-auth) for an Elastic Kubernetes (EKS) cluster on AWS.

Archive Notice The terraform-aws-modules/eks/aws v.18.20.0 release has brought back support aws-auth configmap! For this reason, I highly encourage us

Sep 14, 2022

runtime - an abstraction library on top of the Open Policy Agent (OPA)

runtime - an abstraction library on top of the Open Policy Agent (OPA) Introduction The "runtime" project is a library that sits on top of OPA. The go

Jul 2, 2022

go-opa-validate is an open-source lib that evaluates OPA (open policy agent) policy against JSON or YAML data.

go-opa-validate is an open-source lib that evaluates OPA (open policy agent) policy against JSON or YAML data.

go-opa-validate go-opa-validate is an open-source lib that evaluates OPA (open policy agent) policy against JSON or YAML data. Installation Usage Cont

Feb 5, 2022

GitHub Action: Compose multiple (conditional) checks into a single check based on file paths in a pull request

GitHub Action: Compose multiple (conditional) checks into a single check based on file paths in a pull request

GitHub Action: Composite Example Usage --- name: All Checks on: pull_request: branches: - main jobs: meta: runs-on: - ubuntu-20.

Jul 19, 2022

A TUI interface to navigate and view OpenShift 4 must-gather logs

A TUI interface to navigate and view OpenShift 4 must-gather logs

MGR "Must Gather Reader" MGR "not the final name" is a simple TUI interface to navigate and view OpenShift 4 must-gather files. How to run it: Downloa

May 30, 2022
Open Source runtime tool which help to detect malware code execution and run time mis-configuration change on a kubernetes cluster
Open Source runtime tool which help to detect malware code execution and run time mis-configuration change on a kubernetes cluster

Kube-Knark Project Trace your kubernetes runtime !! Kube-Knark is an open source tracer uses pcap & ebpf technology to perform runtime tracing on a de

Sep 19, 2022
Kubelet-bench - Example Go-based e2e benchmark for various Kubelet operations without spinning up whole K8s cluster

kubelet-bench An example of Go based e2e benchmark for various Kubelet operation

Mar 17, 2022
Savoir - A tool to perform tasks during internal security assessment

Savoir Savoir is a tool to perform tasks during internal security assessment. Th

Jul 26, 2022
Vilicus is an open source tool that orchestrates security scans of container images(docker/oci) and centralizes all results into a database for further analysis and metrics.
Vilicus is an open source tool that orchestrates security scans of container images(docker/oci) and centralizes all results into a database for further analysis and metrics.

Vilicus Table of Contents Overview How does it work? Architecture Development Run deployment manually Usage Example of analysis Overview Vilicus is an

Aug 31, 2022
Kubei is a flexible Kubernetes runtime scanner, scanning images of worker and Kubernetes nodes providing accurate vulnerabilities assessment, for more information checkout:
Kubei is a flexible Kubernetes runtime scanner, scanning images of worker and Kubernetes nodes providing accurate vulnerabilities assessment, for more information checkout:

Kubei is a vulnerabilities scanning and CIS Docker benchmark tool that allows users to get an accurate and immediate risk assessment of their kubernet

Sep 21, 2022
An open-source, distributed, cloud-native CD (Continuous Delivery) product designed for developersAn open-source, distributed, cloud-native CD (Continuous Delivery) product designed for developers
An open-source, distributed, cloud-native CD (Continuous Delivery) product designed for developersAn open-source, distributed, cloud-native CD (Continuous Delivery) product designed for developers

Developer-oriented Continuous Delivery Product ⁣ English | 简体中文 Table of Contents Zadig Table of Contents What is Zadig Quick start How to use? How to

Oct 19, 2021
🔥 🔥 Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more. 🔥 🔥
🔥 🔥   Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more. 🔥 🔥

CVE-2021-44228 Log4J Vulnerability can be detected at runtime and attack paths can be visualized by ThreatMapper. Live demo of Log4J Vulnerability her

Sep 21, 2022
Audit your egress connections and finally populate this OUTPUT chain !

egress-auditor Audit your egress connections and finally populate this OUTPUT chain ! Summary egress-auditor will monitor new outbound connections and

Aug 9, 2022
🔭 Kubernetes out-cluster vulnerability scanner
🔭 Kubernetes out-cluster vulnerability scanner

Kubnerable Kubnerable is an out-cluster vulnerability scanner tool for Kubernetes resources. It comes with a predefined vulnerability database (vulner

Mar 26, 2022
cluster-api-state-metrics (CASM) is a service that listens to the Kubernetes API server and generates metrics about the state of custom resource objects related of Kubernetes Cluster API.

Overview cluster-api-state-metrics (CASM) is a service that listens to the Kubernetes API server and generates metrics about the state of custom resou

Aug 16, 2022