Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/chen-keinan/lxd-probe

Open Source runtime scanner for Linux containers (LXD / LXC), It performs security audit checks based on CIS Linux containers Benchmark specification
https://github.com/chen-keinan/lxd-probe

audit cis-benchmark containers linux linuxcontainers lxd security

Last synced: about 2 months ago
JSON representation

Open Source runtime scanner for Linux containers (LXD / LXC), It performs security audit checks based on CIS Linux containers Benchmark specification

Awesome Lists containing this project

README

        

[![Go Report Card](https://goreportcard.com/badge/github.com/chen-keinan/lxd-probe)](https://goreportcard.com/report/github.com/chen-keinan/lxd-probe)
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/chen-keinan/lxd-probe/blob/main/LICENSE)
[![Build Status](https://travis-ci.com/chen-keinan/lxd-probe.svg?branch=master)](https://travis-ci.com/chen-keinan/lxd-probe)
test coverage badge
[![Gitter](https://badges.gitter.im/beacon-sec/lxd-probe.svg)](https://gitter.im/beacon-sec/lxd-probe?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)


lxd-probe logo

# lxd-probe

### Scan your Linux container (LXD / LXC) runtime !!
Lxd-Probe is an open source audit scanner who perform audit check on a linux container manager and output it security report.

The audit tests are the full implementation of [CIS Lxd Benchmark specification](https://www.cisecurity.org/benchmark/lxd/)

audit result now can be leveraged as webhook via user plugin(using go plugin)
#### Audit checks are performed on linux containers, and output audit report include :
1. root cause of the security issue.
2. proposed remediation for security issue

#### Linux container audit scan output:
![lxd-probe](./pkg/img/lxd-probe.gif)

--------------------------------------------------------------------------------------------------------

* [Installation](#installation)
* [Quick Start](#quick-start)
* [User Plugin Usage](#user-plugin-usage)
* [Supported Specs](#supported-specs)
* [Contribution](#Contribution)

## Installation

```
git clone https://github.com/chen-keinan/lxd-probe
cd lxd-probe
make build
./lxd-probe
```

Note : lxd-probe require privileged user to execute tests.

## Quick Start

```
Usage: lxd-probe [--version] [--help] []

Available commands are:
-r , --report : run audit tests and generate failure and warn report
-i , --include: execute only specific audit test, example -i=1.2.3,1.4.5
-e , --exclude: ignore specific audit tests, example -e=1.2.3,1.4.5
-c , --classic: test report in classic view, example -c

```
## User Plugin Usage
The lxd-probe expose hook for user plugins [Example](https://github.com/chen-keinan/lxd-probe/tree/master/examples/plugins) :
- **LxdBenchAuditResultHook** - this hook accepts audit benchmark results as found by audit test

##### Compile user plugin
```
go build -buildmode=plugin -o=~//bench_plugin.so //bench_plugin.go
```
##### Copy plugin to folder (.lxd-probe folder is created on the 1st startup)
```
cp //bench_plugin.so ~/.lxd-probe/plugins/compile/bench_plugin.so
```
Note: Plugin and binary must compile with the same linux env
## Supported Specs
The lxd-probe support cis specs and can be easily extended:
- master config file change spec [CIS Lxd Benchmark specification](https://www.cisecurity.org/benchmark/lxd/)
both specs can be easily extended by amended the spec files under ```~/.lxd-probe/benchmarks/lxd/v1.0.0``` folder

## Contribution
- code contribution is welcome !! , contribution with tests and passing linter is more than welcome :)
- /.dev folder include vagrantfile to be used for development : [Dev Instruction](https://github.com/chen-keinan/lxd-probe/tree/master/.dev)