apiclient: Add report subcommand for CIS report #3258

Merged: 2 commits, Jul 17, 2023

stmcginnis
Contributor

Issue number:

Closes #2731

Description of changes:

This adds an `apiclient report cis` command that can generate a Bottlerocket CIS benchmark report. This `report` subcommand can be expanded in the future to allow generating other types of reports from the system.

Testing done:

Built and deployed EKS 1.26 cluster node.
Connected via `aws ssm start-session --target $INSTANCE_ID`.
Ran the following commands to get results:

```
[ssm-user@control]$ apiclient report
# help output show
[ssm-user@control]$ apiclient report cis -f yaml
Failed to get report: Failed GET request to '/report/cis?type=bottlerocket&format=yaml': Status 500 when GETing /report/cis?type=bottlerocket&format=yaml: Failed to generate report, exit code: 1, stderr: Error parsing option '-f' with value 'yaml': invalid format, options are 'text' or 'json'
[ssm-user@control]$ apiclient report cis
Benchmark name:  CIS Bottlerocket Benchmark
Version:         v1.0.0
Reference:       https://www.cisecurity.org/benchmark/bottlerocket
Benchmark level: 1
Start time:      2023-07-12T20:43:49.300453357Z

[SKIP] 1.2.1     Ensure software update repositories are configured (Manual)
[PASS] 1.3.1     Ensure dm-verity is configured (Automatic)
[PASS] 1.4.1     Ensure setuid programs do not create core dumps (Automatic)
[PASS] 1.4.2     Ensure address space layout randomization (ASLR) is enabled (Automatic)
[PASS] 1.4.3     Ensure unprivileged eBPF is disabled (Automatic)
[PASS] 1.5.1     Ensure SELinux is configured (Automatic)
[SKIP] 1.6       Ensure updates, patches, and additional security software are installed (Manual)
[PASS] 2.1.1.1   Ensure chrony is configured (Automatic)
[PASS] 3.2.5     Ensure broadcast ICMP requests are ignored (Automatic)
[PASS] 3.2.6     Ensure bogus ICMP responses are ignored (Automatic)
[PASS] 3.2.7     Ensure TCP SYN Cookies is enabled (Automatic)
[SKIP] 3.4.1.3   Ensure IPv4 outbound and established connections are configured (Manual)
[SKIP] 3.4.2.3   Ensure IPv6 outbound and established connections are configured (Manual)
[PASS] 4.1.1.1   Ensure journald is configured to write logs to persistent disk (Automatic)
[SKIP] 4.1.2     Ensure permissions on journal files are configured (Automatic)

Passed:          10
Failed:          0
Skipped:         5
Total checks:    15
[ssm-user@control]$ apiclient report cis -l 2 -f json | jq .
{
  "level": 2,
  "total": 28,
  "passed": 13,
  "skipped": 5,
  "failed": 10,
  "status": "FAIL",
  "timestamp": "2023-07-12T19:45:36.730414469Z",
  "name": "CIS Bottlerocket Benchmark",
  "version": "v1.0.0",
  "url": "https://www.cisecurity.org/benchmark/bottlerocket",
  "results": {
    "br01010101": {
      "name": "br01010101",
      "id": "1.1.1.1",
      "level": 2,
      "title": "Ensure mounting of udf filesystems is disabled",
      "mode": "Automatic",
      "status": "FAIL",
      "error": "udf is currently loaded"
    }
   # snipped
}
```

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

This adds an `apiclient report cis` command that can generate a
Bottlerocket CIS benchmark report. This `report` subcommand can be
expanded in the future to allow generating other types of reports from
the system.

Signed-off-by: Sean McGinnis <[email protected]>
stmcginnis requested a review from bcressey July 12, 2023 20:58
This adds some basic documentation to the apiclient README file to
detail the new `apiclient report cis` subcommand.

Signed-off-by: Sean McGinnis <[email protected]>
stmcginnis merged commit 31e6e4b into bottlerocket-os:develop Jul 17, 2023
stmcginnis deleted the cis-agent-apiclient branch July 17, 2023 20:35
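
An added example, not part of the pull request or the Bottlerocket code base: a Python check that consumes the JSON form of the report shown in the testing output, reconciles the summary counters with the per-check entries, and gates on failures. The sample report is constructed; the `PASS` and `SKIP` status strings in JSON and the `constructed-*` result keys are assumptions, since the PR output shows only a `FAIL` entry.

```python
import json

# Constructed sample: field names follow the JSON shown in the PR; the
# "constructed-*" keys, their statuses and the counts are made up here.
SAMPLE_REPORT = """
{
  "level": 2, "total": 3, "passed": 1, "skipped": 1, "failed": 1,
  "status": "FAIL", "timestamp": "2023-07-12T19:45:36.730414469Z",
  "name": "CIS Bottlerocket Benchmark", "version": "v1.0.0",
  "results": {
    "br01010101": {"id": "1.1.1.1", "level": 2, "mode": "Automatic",
      "title": "Ensure mounting of udf filesystems is disabled",
      "status": "FAIL", "error": "udf is currently loaded"},
    "constructed-a": {"id": "1.3.1", "level": 1, "mode": "Automatic",
      "title": "Ensure dm-verity is configured", "status": "PASS"},
    "constructed-b": {"id": "1.2.1", "level": 1, "mode": "Manual",
      "title": "Ensure software update repositories are configured",
      "status": "SKIP"}
  }
}
"""

def id_key(check_id):
    """Sort '1.10' after '1.9' by comparing numeric segments."""
    return [int(p) for p in check_id.split(".")]

def evaluate(report_json):
    """Return (compliant, failures, problems) for one JSON report."""
    report = json.loads(report_json)
    results = list(report["results"].values())
    problems = []
    # Cross-check the summary against the per-check entries so a truncated
    # or hand-edited report is not silently accepted as evidence.
    for field, status in (("passed", "PASS"), ("failed", "FAIL"), ("skipped", "SKIP")):
        seen = sum(1 for r in results if r["status"] == status)
        if seen != report[field]:
            problems.append(f"{field}={report[field]} but {seen} {status} results")
    if len(results) != report["total"]:
        problems.append(f"total={report['total']} but {len(results)} results")
    failures = sorted((r for r in results if r["status"] == "FAIL"),
                      key=lambda r: id_key(r["id"]))
    compliant = not failures and not problems and report["status"] != "FAIL"
    return compliant, [(r["id"], r["title"], r.get("error", "")) for r in failures], problems

if __name__ == "__main__":
    ok, failures, problems = evaluate(SAMPLE_REPORT)
    for line in [f"FAIL {c} {t}: {e}" for c, t, e in failures] + problems:
        print(line)
    raise SystemExit(0 if ok else 1)
```

On a node, the input would be the output of `apiclient report cis -l 2 -f json` rather than the embedded sample.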