
Documentation

Overview

Package compliance defines common interfaces and types for Compliance Agent

Index

Constants

// ResourceKind values. (*Resource).Kind reports one of these for a Resource,
// so they are the discriminator a caller should switch on.
const (
	// KindInvalid is reported when the resource is not valid (presumably when
	// none of the supported resource fields is set — confirm in Resource.Kind).
	KindInvalid = ResourceKind("invalid")
	// KindFile is used for a File resource.
	KindFile = ResourceKind("file")
	// KindProcess is used for a Process resource.
	KindProcess = ResourceKind("process")
	// KindGroup is used for a Group resource.
	KindGroup = ResourceKind("group")
	// KindCommand is used for a Command resource (executes a command; see Command).
	KindCommand = ResourceKind("command")
	// KindDocker is used for a DockerResource resource.
	KindDocker = ResourceKind("docker")
	// KindAudit is used for an Audit resource.
	KindAudit = ResourceKind("audit")
	// KindKubernetes is used for a KubernetesResource.
	KindKubernetes = ResourceKind("kubernetes")
	// KindCustom is used for a Custom check handled by a dedicated function.
	KindCustom = ResourceKind("custom")
)
// Field and function identifiers available for File resources. They are the
// names a Resource's Condition expression can refer to (presumably — the
// evaluator lives outside this package; confirm). The exact semantics of the
// *Func* entries are not visible here and are only suggested by their names.
const (
	FileFieldPath        = "file.path"
	FileFieldPermissions = "file.permissions"
	FileFieldUser        = "file.user"
	FileFieldGroup       = "file.group"

	FileFuncJQ     = "file.jq"
	FileFuncYAML   = "file.yaml"
	FileFuncRegexp = "file.regexp"
)

Fields & functions available for File

// Field and function identifiers available for Process resources, usable in
// a Resource's Condition expression (presumably — confirm with the evaluator).
// The flag helpers appear to inspect the process command line; semantics are
// not visible from this package.
const (
	ProcessFieldName    = "process.name"
	ProcessFieldExe     = "process.exe"
	ProcessFieldCmdLine = "process.cmdLine"

	ProcessFuncFlag    = "process.flag"
	ProcessFuncHasFlag = "process.hasFlag"
)

Fields & functions available for Process

// Field and function identifiers available for KubernetesResource resources,
// mirroring the name/group/version/namespace/kind identity of the object
// (see KubernetesResource). KubeResourceFuncJQ presumably queries the object
// with a jq expression — confirm with the evaluator.
const (
	KubeResourceFieldName      = "kube.resource.name"
	KubeResourceFieldGroup     = "kube.resource.group"
	KubeResourceFieldVersion   = "kube.resource.version"
	KubeResourceFieldNamespace = "kube.resource.namespace"
	KubeResourceFieldKind      = "kube.resource.kind"

	KubeResourceFuncJQ = "kube.resource.jq"
)

Fields & functions available for KubernetesResource

// Field identifiers available for Group resources (group name, member users,
// numeric id). No functions are defined for this kind.
const (
	GroupFieldName  = "group.name"
	GroupFieldUsers = "group.users"
	GroupFieldID    = "group.id"
)

Fields & functions available for Group

// Field identifiers available for Command resources: the exit code and the
// standard output of the executed command. Stdout is data produced by a
// process run on the host, so conditions should not assume it is well-formed.
const (
	CommandFieldExitCode = "command.exitCode"
	CommandFieldStdout   = "command.stdout"
)

Fields & functions available for Command

// Field identifiers available for Audit resources. What "enabled" and
// "permissions" mean for an audited path (e.g. which audit subsystem is
// consulted) is not visible from this package — confirm with the checks package.
const (
	AuditFieldPath        = "audit.path"
	AuditFieldEnabled     = "audit.enabled"
	AuditFieldPermissions = "audit.permissions"
)

Fields & functions available for Audit

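// Field and function identifiers available for Docker resources. The prefix of
// each name (image., container., network., docker.) corresponds to the kind of
// object a DockerResource selects.
const (
	DockerImageFieldID   = "image.id"
	DockerImageFieldTags = "image.tags"

	DockerContainerFieldID    = "container.id"
	DockerContainerFieldName  = "container.name"
	DockerContainerFieldImage = "container.image"

	DockerNetworkFieldID   = "network.id"
	DockerNetworkFieldName = "network.name"

	DockerVersionFieldVersion       = "docker.version"
	DockerVersionFieldAPIVersion    = "docker.apiVersion"
	DockerVersionFieldPlatform      = "docker.platform"
	DockerVersionFieldExperimental  = "docker.experimental"
	DockerVersionFieldOS            = "docker.os"
	DockerVersionFieldArch          = "docker.arch"
	DockerVersionFieldKernelVersion = "docker.kernelVersion"
	// DokcerVersionFieldKernelVersion is the original, misspelled name of
	// DockerVersionFieldKernelVersion. It is kept so existing callers compile.
	//
	// Deprecated: use DockerVersionFieldKernelVersion.
	DokcerVersionFieldKernelVersion = DockerVersionFieldKernelVersion

	// DockerFuncTemplate renders a template against the docker object
	// (presumably — the implementation is not visible here).
	DockerFuncTemplate = "docker.template"
)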

Fields & functions available for Docker

Variables

// ErrUnsupportedSchemaVersion is the sentinel error returned when a suite
// declares a schema version this build of the agent does not support.
// Callers should test for it with errors.Is rather than string comparison.
var ErrUnsupportedSchemaVersion = errors.New("schema version not supported")

ErrUnsupportedSchemaVersion is returned for a schema version not supported by this version of the agent

Functions

func CheckName added in v0.9.0

func CheckName(ruleID string, description string) string

CheckName returns a canonical name of a check for a rule ID and description

Types

type Audit

// Audit describes an audited file resource; its state is exposed to
// conditions through the audit.* field identifiers.
type Audit struct {
	// Path of the file whose audit configuration is inspected.
	Path string `yaml:"path"`
}

Audit describes an audited file resource

func (*Audit) Validate

func (a *Audit) Validate() error

Validate validates audit resource

type BinaryCmd

// BinaryCmd describes a command as an executable name plus an argument vector.
// Name and Args are carried separately, so no shell quoting is involved in the
// description itself (whether execution bypasses the shell is decided by the
// checks package — presumably yes, in contrast to ShellCmd; confirm).
type BinaryCmd struct {
	// Name of the executable to run.
	Name string `yaml:"name"`
	// Args passed to the executable, in order.
	Args []string `yaml:"args,omitempty"`
}

BinaryCmd describes a command in form of a name + args

func (*BinaryCmd) String

func (c *BinaryCmd) String() string

type Check added in v0.9.0

// Check is the compliance-side name for check.Check; it is a distinct named
// type with the same method set, used for the compliance checks this package describes.
type Check check.Check

Check is the interface for compliance checks

type CheckStatus added in v0.9.0

// CheckStatus describes the current status of a single configured check.
// Rule-level fields come from the Rule; Version, Framework and Source from
// the enclosing suite's SuiteMeta (presumably — confirm with the builder).
type CheckStatus struct {
	// RuleID is the identifier of the rule the check implements.
	RuleID string
	// Name is the canonical check name (see CheckName).
	Name string
	// Description of the rule.
	Description string
	// Version of the suite the check belongs to.
	Version string
	// Framework the suite belongs to.
	Framework string
	// Source the suite was loaded from.
	Source string
	// InitError is set when the check could not be initialised; a check with a
	// non-nil InitError has produced no evaluation.
	InitError error
	// LastEvent is the most recent event reported by the check, nil if none yet.
	LastEvent *event.Event
}

CheckStatus describes current status for a check

type CheckStatusList added in v0.9.0

// CheckStatusList describes the status of all configured checks; entries are
// pointers so callers should expect nil-safety to be their own concern.
type CheckStatusList []*CheckStatus

CheckStatusList describes status for all configured checks

type CheckVisitor

// CheckVisitor is invoked once per compliance check with the Rule it was built
// from, the Check, and any error from building it. The boolean result is
// presumably whether to continue visiting — confirm with the caller.
type CheckVisitor func(rule *Rule, check Check, err error) bool

CheckVisitor defines a visitor func for compliance checks

type Command

// Command describes a command resource; the condition typically inspects its
// exit code or stdout (command.* fields). The command is executed on the host
// being checked, so the suite that supplies it must be trusted configuration.
type Command struct {
	// BinaryCmd runs an executable with an explicit argument vector.
	BinaryCmd *BinaryCmd `yaml:"binary,omitempty"`
	// ShellCmd runs a command line through a shell. Presumably exactly one of
	// BinaryCmd/ShellCmd is expected to be set — confirm with the checks package.
	ShellCmd *ShellCmd `yaml:"shell,omitempty"`
	// TimeoutSeconds bounds execution time. The behaviour for 0/omitted
	// (no timeout or a default) is not visible here — confirm.
	TimeoutSeconds int `yaml:"timeout,omitempty"`
}

Command describes a command resource usually reporting exit code or output

func (*Command) String

func (c *Command) String() string

type Custom added in v0.9.0

// Custom is a special resource handled by a dedicated function selected by Name.
type Custom struct {
	// Name of the custom check implementation to dispatch to.
	Name string `yaml:"name"`
	// Variables are free-form string parameters handed to that implementation.
	Variables map[string]string `yaml:"variables,omitempty"`
}

Custom is a special resource handled by a dedicated function

type DockerResource

// DockerResource describes a resource obtained from the docker daemon.
type DockerResource struct {
	// Kind selects the docker object type; the accepted values are not listed
	// here, but the Docker field prefixes suggest image, container, network
	// and version — confirm with the checks package.
	Kind string `yaml:"kind"`
}

DockerResource describes a resource from docker daemon

type Fallback added in v0.9.0

// Fallback specifies an optional alternative Resource evaluated in place of
// the primary one; when it is consulted is not visible here (presumably when
// Condition holds or the primary resource fails — confirm).
type Fallback struct {
	// Condition gating the fallback; optional.
	Condition string `yaml:"condition,omitempty"`
	// Resource to evaluate as the fallback.
	Resource Resource `yaml:"resource"`
}

Fallback specifies optional fallback configuration for a resource

type File

// File describes a file resource inspected through the file.* fields and
// functions.
type File struct {
	// Path of the file to inspect. Whether globs are expanded is not visible here.
	Path string `yaml:"path"`
}

File describes a file resource

type Group

// Group describes a group membership resource inspected through the group.* fields.
type Group struct {
	// Name of the system group.
	Name string `yaml:"name"`
}

Group describes a group membership resource

type KubeUnstructuredResource added in v0.9.0

// KubeUnstructuredResource wraps a Kubernetes Unstructured object and exposes
// the ID and Type accessors from which a ReportResource is built
// (see BuildReportForUnstructured).
type KubeUnstructuredResource struct {
	unstructured.Unstructured
}

KubeUnstructuredResource wraps a Kubernetes Unstructured object and exposes the ID and Type accessors used to build a ReportResource (ReportResource itself is a struct, not an interface)

func NewKubeUnstructuredResource added in v0.9.0

func NewKubeUnstructuredResource(obj unstructured.Unstructured) *KubeUnstructuredResource

NewKubeUnstructuredResource instantiates a new KubeUnstructuredResource

func (*KubeUnstructuredResource) ID added in v0.9.0

ID returns the resource identifier

func (*KubeUnstructuredResource) Type added in v0.9.0

func (kr *KubeUnstructuredResource) Type() string

Type returns the resource type

type KubernetesAPIRequest

// KubernetesAPIRequest defines whether a check applies to a single object or
// to a list, via the API verb and an optional resource name.
type KubernetesAPIRequest struct {
	// Verb is the API verb to issue (e.g. get or list — the accepted set is
	// not visible here).
	Verb string `yaml:"verb"`
	// ResourceName names a single object; omitted for list-style requests.
	ResourceName string `yaml:"resourceName,omitempty"`
}

KubernetesAPIRequest defines whether the check applies to a single object or to a list, via the API verb and an optional resource name

type KubernetesResource

// KubernetesResource describes any object in Kubernetes (incl. CRDs) by its
// group/version/kind, optional namespace and selectors, plus the API request
// used to fetch it.
type KubernetesResource struct {
	// Kind of the object (e.g. Pod); required.
	Kind string `yaml:"kind"`
	// Version of the API group; optional.
	Version string `yaml:"version,omitempty"`
	// Group is the API group; optional (empty presumably means the core group).
	Group string `yaml:"group,omitempty"`
	// Namespace restricts the request; what an empty value means (all
	// namespaces vs. cluster-scoped) is decided by the caller — confirm.
	Namespace string `yaml:"namespace,omitempty"`

	// A selector to restrict the list of returned objects by their labels.
	// Defaults to everything.
	LabelSelector string `yaml:"labelSelector,omitempty"`
	// A selector to restrict the list of returned objects by their fields.
	// Defaults to everything.
	FieldSelector string `yaml:"fieldSelector,omitempty"`

	// APIRequest selects between fetching one object and listing many.
	APIRequest KubernetesAPIRequest `yaml:"apiRequest"`
}

KubernetesResource describes any object in Kubernetes (incl. CRDs)

func (*KubernetesResource) String

func (kr *KubernetesResource) String() string

String returns human-friendly information string about the KubernetesResource

type Process

// Process describes a process resource inspected through the process.* fields
// and functions.
type Process struct {
	// Name of the process to look up. Process names are attacker-controllable
	// (any user can start a binary with a given name), so conditions relying on
	// Name alone identify a process weakly; exe/cmdLine fields are available.
	Name string `yaml:"name"`
}

Process describes a process resource

type Report added in v0.9.0

// Report contains the result of a compliance check evaluation.
type Report struct {
	// Data contains arbitrary data linked to check evaluation.
	Data event.Data
	// Resource associated with the report.
	Resource ReportResource
	// Passed defines whether the check was successful or not.
	Passed bool
	// Aggregated defines whether the check was aggregated or not.
	Aggregated bool
	// Error of the check evaluation; BuildReportForError produces a Report
	// carrying one. Callers should treat a non-nil Error as "not evaluated"
	// rather than as a pass or a fail.
	Error error
}

Report contains the result of a compliance check

func BuildReportForError added in v0.9.0

func BuildReportForError(err error) *Report

BuildReportForError returns a report for the given error

func BuildReportForUnstructured added in v0.9.0

func BuildReportForUnstructured(passed, aggregated bool, obj *KubeUnstructuredResource) *Report

BuildReportForUnstructured returns default Report for Kubernetes objects

type ReportResource added in v0.9.0

// ReportResource holds the id and type of the resource associated with a
// report; for Kubernetes objects these come from KubeUnstructuredResource.ID
// and .Type.
type ReportResource struct {
	// ID uniquely identifies the resource within its type.
	ID string
	// Type names the resource type.
	Type string
}

ReportResource holds the id and type of the resource associated with a report

type Resource

// Resource describes the supported resource types observed by a Rule. Each
// pointer field selects one resource type (keyed by its yaml name) and Kind
// reports which one is set. Command resources run a command on the host, so
// the suite supplying a Resource must be treated as trusted configuration.
type Resource struct {
	File          *File               `yaml:"file,omitempty"`
	Process       *Process            `yaml:"process,omitempty"`
	Group         *Group              `yaml:"group,omitempty"`
	Command       *Command            `yaml:"command,omitempty"`
	Audit         *Audit              `yaml:"audit,omitempty"`
	Docker        *DockerResource     `yaml:"docker,omitempty"`
	KubeApiserver *KubernetesResource `yaml:"kubeApiserver,omitempty"`
	Custom        *Custom             `yaml:"custom,omitempty"`
	// Condition is the expression evaluated against the selected resource's
	// fields (the *Field*/*Func* constants). It is not omitempty.
	Condition     string              `yaml:"condition"`
	// Fallback is an optional alternative resource with its own condition.
	Fallback      *Fallback           `yaml:"fallback,omitempty"`
}

Resource describes supported resource types observed by a Rule

func (*Resource) Kind

func (r *Resource) Kind() ResourceKind

Kind returns ResourceKind of the resource

type ResourceKind

// ResourceKind represents a resource kind; see the Kind* constants for the
// values (*Resource).Kind can return.
type ResourceKind string

ResourceKind represents resource kind

type Rule

// Rule defines a rule in a compliance config: an identifier, where it applies
// (scope and host selector) and the resources whose conditions it evaluates.
type Rule struct {
	// ID is the rule identifier; CheckName derives the check name from it.
	ID string `yaml:"id"`
	// Description is free-form text for the rule.
	Description string `yaml:"description,omitempty"`
	// Scope lists the RuleScope values the rule applies to.
	Scope RuleScopeList `yaml:"scope,omitempty"`
	// HostSelector restricts the hosts the rule applies to; its syntax is not
	// visible from this package.
	HostSelector string `yaml:"hostSelector,omitempty"`
	// ResourceType is an optional resource type label; its use is not visible here.
	ResourceType string `yaml:"resourceType,omitempty"`
	// Resources to observe for this rule.
	Resources []Resource `yaml:"resources,omitempty"`
}

Rule defines a rule in a compliance config

type RuleScope added in v0.9.0

// RuleScope defines the scope in which a rule is applicable; see the
// *Scope constants for the known values.
type RuleScope string

RuleScope defines scope for applicability of a rule

// Known RuleScope values.
const (
	// DockerScope applies the rule to docker hosts.
	DockerScope RuleScope = "docker"
	// KubernetesNodeScope applies the rule to a Kubernetes node.
	KubernetesNodeScope RuleScope = "kubernetesNode"
	// KubernetesClusterScope applies the rule to a Kubernetes cluster as a whole.
	KubernetesClusterScope RuleScope = "kubernetesCluster"
)

type RuleScopeList added in v0.9.0

// RuleScopeList is a set of RuleScopes; membership is tested with Includes.
type RuleScopeList []RuleScope

RuleScopeList is a set of RuleScopes

func (RuleScopeList) Includes added in v0.9.0

func (l RuleScopeList) Includes(ruleScope RuleScope) bool

Includes returns true if RuleScopeList includes the specified RuleScope value

type ShellCmd

// ShellCmd describes a command to be run through a shell.
type ShellCmd struct {
	// Run is the command text handed to the shell, so shell metacharacters in
	// it are interpreted. NOTE(review): anything interpolated into Run from an
	// untrusted source is a command-injection vector; prefer BinaryCmd when the
	// command does not need shell features, and keep suites trusted.
	Run   string     `yaml:"run"`
	// Shell optionally overrides the shell used to run the command; the default
	// when omitted is not visible here — confirm in the checks package.
	Shell *BinaryCmd `yaml:"shell,omitempty"`
}

ShellCmd describes a command to be run through a shell; the text of Run is interpreted by that shell, so it must not be built from untrusted input

func (*ShellCmd) String

func (c *ShellCmd) String() string

type Suite

// Suite represents a set of compliance checks reporting events: suite-level
// metadata (inlined into the same YAML mapping) plus its rules.
type Suite struct {
	// Meta holds the suite metadata; inlined, so its fields sit at the top level of the YAML.
	Meta SuiteMeta `yaml:",inline"`
	// Rules contained in the suite.
	Rules []Rule `yaml:"rules,omitempty"`
}

Suite represents a set of compliance checks reporting events

func ParseSuite

func ParseSuite(config string) (*Suite, error)

ParseSuite loads a single compliance suite from the given config. Suites can contain Command resources that execute on the host, so the config must come from a trusted, integrity-checked source; an unsupported schema version is presumably reported as ErrUnsupportedSchemaVersion

type SuiteMeta

// SuiteMeta contains metadata for a compliance suite.
type SuiteMeta struct {
	// Schema carries the suite schema version checked by the loader.
	Schema SuiteSchema `yaml:"schema,omitempty"`
	// Name of the suite.
	Name string `yaml:"name,omitempty"`
	// Framework the suite implements (e.g. a benchmark name).
	Framework string `yaml:"framework,omitempty"`
	// Version of the suite.
	Version string `yaml:"version,omitempty"`
	// Tags attached to the suite.
	Tags []string `yaml:"tags,omitempty"`
	// Source is not read from YAML (tag "-"); it is filled in by the loader,
	// presumably with where the suite came from — confirm with ParseSuite's callers.
	Source string `yaml:"-"`
}

SuiteMeta contains metadata for a compliance suite

type SuiteSchema added in v0.9.0

// SuiteSchema defines versioning for a compliance suite; a Version the agent
// does not support yields ErrUnsupportedSchemaVersion.
type SuiteSchema struct {
	// Version of the suite schema.
	Version string `yaml:"version"`
}

SuiteSchema defines versioning for a compliance suite

Directories

Path Synopsis
agent: Package agent implements the Compliance Agent entrypoint
checks: Package checks implements Compliance Agent checks
env
