GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → chen-keinan → kube-beacon

chen-keinan / kube-beacon

Licence: Apache-2.0 license
Open Source runtime scanner for k8s cluster and perform security audit checks based on CIS Kubernetes Benchmark specification

Programming Languages

go
31211 projects - #10 most used programming language
shell
77523 projects
Makefile
30231 projects
Dockerfile
14818 projects

Labels

kubernetesscank8skubecis-benchmarkkube-benchcis-kubernetes-benchmarkcis-securitykube-beaconkube-scanaudit-checks

Projects that are alternatives of or similar to kube-beacon

Kube Bench
Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
Stars: ✭ 4,359 (+7165%)
Mutual labels:  cis-benchmark, kube-bench, cis-kubernetes-benchmark, cis-security
trivy-vulnerability-explorer
Web application that allows to load a Trivy report in json format and displays the vulnerabilities of a single target in an interactive data table.
Stars: ✭ 63 (+5%)
Mutual labels:  scan
Php Antimalware Scanner
AMWScan (PHP Antimalware Scanner) is a free tool to scan php files and analyze your project to find any malicious code inside it.
Stars: ✭ 181 (+201.67%)
Mutual labels:  scan
prowler
Prowler is an Open Source Security tool for AWS, Azure and GCP to perform Cloud Security best practices assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. It contains hundreds of controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.
Stars: ✭ 8,046 (+13310%)
Mutual labels:  cis-benchmark
Nbzxing
🔥 2020年最好用的开源扫码,全方位优化,强烈推荐!! 支持多种常规zxing无法扫出的码,用就完了!! 🔥
Stars: ✭ 184 (+206.67%)
Mutual labels:  scan
sx
🖖 Fast, modern, easy-to-use network scanner
Stars: ✭ 1,267 (+2011.67%)
Mutual labels:  scan
Siem
SIEM Tactics, Techiques, and Procedures
Stars: ✭ 157 (+161.67%)
Mutual labels:  scan
scan
DeFi Scan, everything one-stop location for DeFi Blockchain. Powered by jellyfish & ocean network.
Stars: ✭ 31 (-48.33%)
Mutual labels:  scan
tugarecon
Pentest: Subdomains enumeration tool for penetration testers.
Stars: ✭ 142 (+136.67%)
Mutual labels:  scan
Bugbounty Scans
aquatone results for sites with bug bountys
Stars: ✭ 249 (+315%)
Mutual labels:  scan
Chameleon
Customizable honeypots for monitoring network traffic, bots activities and username\password credentials (DNS, HTTP Proxy, HTTP, HTTPS, SSH, POP3, IMAP, STMP, RDP, VNC, SMB, SOCKS5, Redis, TELNET, Postgres and MySQL)
Stars: ✭ 230 (+283.33%)
Mutual labels:  scan
Flutter barcode scanner
Barcode scanner plugin for flutter. Supports barcode scanning for Android and iOS
Stars: ✭ 194 (+223.33%)
Mutual labels:  scan
cis benchmarks audit
Simple command line tool to check for compliance against CIS Benchmarks
Stars: ✭ 182 (+203.33%)
Mutual labels:  cis-benchmark
Biu Framework
Biu-framework🚀 Security Scan Framework For Enterprise Intranet Based Services(企业内网基础服务安全扫描框架)
Stars: ✭ 183 (+205%)
Mutual labels:  scan
WPWatcher
Wordpress Watcher is a wrapper for WPScan that manages scans on multiple sites and reports by email and/or syslog. Schedule scans and get notified when vulnerabilities, outdated plugins and other risks are found.
Stars: ✭ 34 (-43.33%)
Mutual labels:  scan
Bluetooth Library
Bluetooth client library for Android.
Stars: ✭ 172 (+186.67%)
Mutual labels:  scan
Pi.alert
WIFI / LAN intruder detector. Check the devices connected and alert you with unknown devices. It also warns of the disconnection of "always connected" devices
Stars: ✭ 209 (+248.33%)
Mutual labels:  scan
UBUNTU20-CIS
Ansible role for Ubuntu 2004 CIS Baseline
Stars: ✭ 136 (+126.67%)
Mutual labels:  cis-benchmark
nmap-formatter
A tool that allows you to convert NMAP results to html, csv, json, markdown, graphviz (dot). Simply put it's nmap converter.
Stars: ✭ 129 (+115%)
Mutual labels:  scan
k8s-security-policies
This repository provides a security policies library that is used for securing Kubernetes clusters configurations. The security policies are created based on CIS Kubernetes benchmark and rules defined in Kubesec.io.
Stars: ✭ 160 (+166.67%)
Mutual labels:  cis-kubernetes-benchmark
View All Similar Projects ➔

Go Report Card License Build Status Coverage Status Gitter
kube-beacon logo

Kube-Beacon Project

Scan your kubernetes runtime !!

Kube-Beacon is an open source audit scanner who perform audit check on a deployed kubernetes cluster and output a security report.

The audit tests are the full implementation of CIS Kubernetes Benchmark specification

NEW !! audit result now can be leveraged as webhook via user plugin(using go plugin)

Audit checks are performed on master and worker nodes and the output audit report include :

  • root cause of the security issue
  • proposed remediation for security issue

kubernetes cluster audit scan output:

k8s audit

Installation

git clone https://github.com/chen-keinan/kube-beacon
cd kube-beacon
make build
  • Note: kube-beacon require root user to be executed

Quick Start

Execute kube-eacon without any flags , execute all tests

 ./kube-beacon

Execute kube-beacon with flags , execute test on demand

Usage: kube-Beacon [--version] [--help] <command> [<args>]

Available commands are:
  -r , --report :  run audit tests and generate failure report
  -i , --include: execute only specific audit test,   example -i=1.2.3,1.4.5
  -e , --exclude: ignore specific audit tests,  example -e=1.2.3,1.4.5
  -n , --node:    execute audit tests on specific node,   example -n=master,-n=worker
  -s , --spec:    execute specific audit tests spec,   example -s=gke, default=k8s
  -v , --version:  execute specific audit tests spec version,    example -v=1.1.0,default=1.6.0

Execute tests and generate failure tests report

./kube-beacon -r

Kube-beacon as pod in k8s

  • Execute kube beacon as a pod in k8s cluster

  • Add cluster role binding with role=cluster-admin

kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=default:default

cd jobs
  • simple k8s cluster run following job
kubectl apply -f k8s.yaml
  • gke cluster run the following job
kubectl apply -f gke.yaml
  • Check k8s pod status
kubectl get pods --all-namespaces

NAMESPACE     NAME                                                        READY   STATUS      RESTARTS   AGE
default       kube-beacon-sc8g9                                           0/1     Completed   0          111s
kube-system   event-exporter-gke-8489df9489-skcvv                         2/2     Running     0          7m24s
kube-system   fluentd-gke-7d5sl                                           2/2     Running     0          7m6s
kube-system   fluentd-gke-f6q5d                                           2/2     Running     0          6m59s
  • Check k8s pod audit output
kubectl logs kube-beacon-sc8g9
  • cleanup (remove role and delete pod)
kubectl delete clusterrolebinding default-admin

kubectl delete -f k8s.yaml

User Plugin Usage

The Kube-Beacon expose hook for user plugins Example :

  • K8sBenchAuditResultHook - this hook accepts audit benchmark results as found by audit report
Compile user plugin
go build -buildmode=plugin -o=~/<plugin folder>/bench_plugin.so /<plugin folder>/bench_plugin.go
Copy plugin to folder (.beacon folder is created on the 1st startup)
cp /<plugin folder>/bench_plugin.so ~/.beacon/plugins/compile/bench_plugin.so

Note: Plugin and binary must compile with the same linux env

Next steps

  • Add support for Amazon EKS scanning
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].