# polscan (short for "Policy Scanner")

Policies are implemented as small shell snippets, so polscan is easily extensible with your own site-specific policies. To make it easy to use, it comes with host discovery for typical automation setups (Chef, Puppet, MCollective).
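As an added illustration of what such a policy snippet can look like (example code written for this page, not one of polscan's own scanners, and not polscan's scanner helper interface): a self-contained POSIX sh check that a host has no failed systemd units, the same property the `systemd-no-failed.sh` scanner name in the usage section suggests. The function name `policy_check_no_failed_units`, the `OK` / `FAILED ...` result format and the constructed `systemctl --failed --no-legend` sample are all assumptions made for the example.

```sh
#!/bin/sh
# Added example: a standalone "no failed systemd units" policy check.
# Not polscan's own scanner code; helper name and result format are assumptions.

# Constructed sample of `systemctl --failed --no-legend --plain` output
# (columns: UNIT LOAD ACTIVE SUB DESCRIPTION). Not taken from a real host.
SAMPLE_FAILED_UNITS='nginx.service loaded failed failed A high performance web server
fstrim.service loaded failed failed Discard unused blocks on filesystems'

# Reads a unit listing on stdin. Prints "OK" and returns 0 when no unit is in
# ACTIVE=failed state; otherwise prints "FAILED <n> unit(s): <names>" and
# returns 1 so a caller can treat the policy as violated. Without --plain,
# systemctl prefixes each line with a "●" marker column, which is tolerated.
policy_check_no_failed_units() {
    failed=$(awk '
        NF == 0 { next }                          # skip blank lines
        {
            unit = $1; active = $3
            if ($1 == "●") { unit = $2; active = $4 }   # shift past the marker column
            if (active == "failed") print unit
        }
    ')
    if [ -z "$failed" ]; then
        echo "OK"
        return 0
    fi
    count=$(printf '%s\n' "$failed" | wc -l | tr -d ' ')
    echo "FAILED $count unit(s): $(printf '%s' "$failed" | tr '\n' ' ')"
    return 1
}

# Demo on the constructed sample and on an empty listing (a healthy host).
if printf '%s\n' "$SAMPLE_FAILED_UNITS" | policy_check_no_failed_units; then
    echo "policy passed"
else
    echo "policy violated"
fi
if printf '' | policy_check_no_failed_units; then
    echo "policy passed"
else
    echo "policy violated"
fi
```

On a real host the listing would come from `systemctl --failed --no-legend` instead of the constructed sample; keeping the parsing in a function that reads stdin is what makes the check testable offline, which is worth doing for any policy snippet before pointing it at a fleet.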
## Detecting automation issues...

| Product | Host Discovery | Resource Coverage |
|---|---|---|
| kube-bench | y | kube-bench results per host |
| Puppet2/3/4 | y | Mounts, Users, SSH Keys, ulimit, sysctl, sudoers, 3rd party APT repos, Crons |
| Chef | y | % |
| Ansible | y | % |
| SaltStack | y | % |
| Mcollective | y | % |
## Detecting package issues...

| Providers | Detection | Upgrade Check | Error Check | CVE Check |
|---|---|---|---|---|
| Helm2 | yes | no | | |
| apt | % | yes | yes | |
| dpkg | % | % | yes | yes (debsecan) |
| Gem | yes | yes | | |
| PECL | yes | yes | | |
| PIP | yes | yes | | |
| CPAN | no | | | |
| NPM | no | | | |
- Collects inventories for
- Graphs network topologies
- Provides vulnerability statistics per CVE using debsecan
Screenshots: Overview Page; Host Map per Finding Type; Visualizing Network Connections.
Note: polscan is intentionally limited to Debian and, for simplicity, tries not to implement any distro-specific dependencies.

polscan keeps results on a daily basis, so it makes sense to set up a daily cron job. Or just run it from the source directory:
```sh
./polscan                                      # Re-scan all hosts
./polscan -l 'server1 server2'                 # Scan specific hosts
./polscan -t systemd-no-failed.sh              # Test one scanner on all hosts
./polscan -t systemd-no-failed.sh -l server1   # Test one scanner on a single host
./polscan -t all -l server1                    # Test all scanners on a single host
./polscan -r 2017-10-09                        # Recreate the result JSON for that day
```
Start the GUI server with:

```sh
npm start
```