I tried exporting the logs of kube hunter pod using loki, but the logs were totally unstructured.
Also I found that the kube hunter log file gives only a little information about the vulnerabilities, where to know complete details, you should enter the vulnerability IDs you find in the log file, on the website https://aquasecurity.github.io/kube-hunter/.
Personally, what I felt is, it is a bit tedious task for the user to select all the IDs from the log file and manually enter them in the website to know everything about the vulnerabilities in the cluster every time he/she runs a kube hunter pod.
So as a small solution to this, I created a Python script as a docker image that will accept the log file as a command line argument and it will give all the necessary information needed.
eg. Suppose say the log file contains the IDs khv002, khv005, and khv050, then if you run my image on the cluster, it will produce report.json along with the metadata (Node IP address,etc).
report.json :
_{
"khv002": {
"vulnerability_name": "Kubernetes version disclosure",
"severity": "LOW",
"issue_description": "The fact that your infrastructure is using Kubernetes, and the specific version of Kubernetes used is publicly available, and could be used by an attacker to target your environment with known vulnerabilities in the specific version of Kubernetes you are using.\nThis information could have been obtained from the Kubernetes API ",
"remediation": "Disable ",
"remedy_links": "No remedy links given in website!",
"other_links": [
"https://github.com/kubernetes/kubernetes/blob/4a6935b31fcc4d1498c977d90387e02b6b93288f/pkg/kubelet/server/server.go",
"https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#options"
]
},
"khv005": {
"vulnerability_name": "Access to Kubernetes API",
"severity": "HIGH",
"issue_description": "Kubernetes API was accessed with Pod Service Account or without Authentication (see report message for details).",
"remediation": "Secure access to your Kubernetes API.",
"remedy_links": "No remedy links given in website!",
"other_links": [
"https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
]
},
"khv050": {
"vulnerability_name": "Read access to Pod service account token",
"severity": "MEDIUM",
"issue_description": "Every Pod in Kubernetes is associated with a Service Account which by default has access to the Kubernetes API. This access is made available to Pods by an auto-generated token that is made available to the Pod by Kubernetes. An attacker with access to a Pod can read the token and access the Kubernetes API.",
"remediation": "It is recommended to explicitly specify a Service Account for all of your workloads (",
"remedy_links": "No remedy links given in website!",
"otherlinks": [
"https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
]
}
}
I just want to know that, if there is something like this which is already been done by the Aqua security team. If so, it would be nice if you can share that, so I can use that and explore. If not, I'm eagerly waiting for your suggestions on this work, any areas to improve upon, and if it is lacking standard then how to rectify it, etc...
79
I tried exporting the logs of kube hunter pod using loki, but the logs were totally unstructured.
Also I found that the kube hunter log file gives only a little information about the vulnerabilities, where to know complete details, you should enter the vulnerability IDs you find in the log file, on the website https://aquasecurity.github.io/kube-hunter/.
Personally, what I felt is, it is a bit tedious task for the user to select all the IDs from the log file and manually enter them in the website to know everything about the vulnerabilities in the cluster every time he/she runs a kube hunter pod.
So as a small solution to this, I created a Python script as a docker image that will accept the log file as a command line argument and it will give all the necessary information needed. eg. Suppose say the log file contains the IDs khv002, khv005, and khv050, then if you run my image on the cluster, it will produce report.json along with the metadata (Node IP address,etc).
report.json : _{ "khv002": { "vulnerability_name": "Kubernetes version disclosure", "severity": "LOW", "issue_description": "The fact that your infrastructure is using Kubernetes, and the specific version of Kubernetes used is publicly available, and could be used by an attacker to target your environment with known vulnerabilities in the specific version of Kubernetes you are using.\nThis information could have been obtained from the Kubernetes API ", "remediation": "Disable ", "remedy_links": "No remedy links given in website!", "other_links": [ "https://github.com/kubernetes/kubernetes/blob/4a6935b31fcc4d1498c977d90387e02b6b93288f/pkg/kubelet/server/server.go", "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#options" ] }, "khv005": { "vulnerability_name": "Access to Kubernetes API", "severity": "HIGH", "issue_description": "Kubernetes API was accessed with Pod Service Account or without Authentication (see report message for details).", "remediation": "Secure access to your Kubernetes API.", "remedy_links": "No remedy links given in website!", "other_links": [ "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/" ] }, "khv050": { "vulnerability_name": "Read access to Pod service account token", "severity": "MEDIUM", "issue_description": "Every Pod in Kubernetes is associated with a Service Account which by default has access to the Kubernetes API. This access is made available to Pods by an auto-generated token that is made available to the Pod by Kubernetes. An attacker with access to a Pod can read the token and access the Kubernetes API.", "remediation": "It is recommended to explicitly specify a Service Account for all of your workloads (", "remedy_links": "No remedy links given in website!", "otherlinks": [ "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/" ] } }
The image is web scraping from https://avd.aquasec.com/ to get the necessary details and creates a JSON file as above. This is the custom image I created to perform this task: https://hub.docker.com/repository/docker/nishanthvm/exporter-v1/general. You can have a look at the readme to know more about how to run the image.
I just want to know that, if there is something like this which is already been done by the Aqua security team. If so, it would be nice if you can share that, so I can use that and explore. If not, I'm eagerly waiting for your suggestions on this work, any areas to improve upon, and if it is lacking standard then how to rectify it, etc...