evaluate

package v1.5.6
Published: Feb 23, 2026 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Constants

const (
	ProfileBasic      = "basic"
	ProfileExtended   = "extended"
	ProfileAdditional = "additional"
)

Variables

var (
	CategorySystemInfo = CategorySpec{
		ID:              "information.system",
		Title:           "Information Gathering - System Info",
		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
		Order:           100,
	}
	CategoryServices = CategorySpec{
		ID:              "information.services",
		Title:           "Information Gathering - Services",
		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
		Order:           200,
	}
	CategoryCommands = CategorySpec{
		ID:              "information.commands",
		Title:           "Information Gathering - Commands and Capabilities",
		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
		Order:           300,
	}
	CategoryMounts = CategorySpec{
		ID:              "information.mounts",
		Title:           "Information Gathering - Mounts",
		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
		Order:           400,
	}
	CategoryNetNamespace = CategorySpec{
		ID:              "information.netns",
		Title:           "Information Gathering - Net Namespace",
		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
		Order:           500,
	}
	CategorySysctl = CategorySpec{
		ID:              "information.sysctl",
		Title:           "Information Gathering - Sysctl Variables",
		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
		Order:           600,
	}
	CategoryDNS = CategorySpec{
		ID:              "information.dns",
		Title:           "Information Gathering - DNS-Based Service Discovery",
		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
		Order:           700,
	}
	CategoryK8sAPIServer = CategorySpec{
		ID:              "discovery.k8s_api",
		Title:           "Discovery - K8s API Server",
		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
		Order:           800,
	}
	CategoryK8sServiceAccount = CategorySpec{
		ID:              "discovery.k8s_sa",
		Title:           "Discovery - K8s Service Account",
		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
		Order:           900,
	}
	CategoryCloudMetadata = CategorySpec{
		ID:              "discovery.cloud_metadata",
		Title:           "Discovery - Cloud Provider Metadata API",
		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
		Order:           1000,
	}
	CategoryKernel = CategorySpec{
		ID:              "exploit.kernel",
		Title:           "Exploit Pre - Kernel Exploits",
		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
		Order:           1100,
	}
	CategorySensitiveFiles = CategorySpec{
		ID:              "information.sensitive_files",
		Title:           "Information Gathering - Sensitive Files",
		DefaultProfiles: []string{ProfileExtended, ProfileAdditional},
		Order:           1200,
	}
	CategoryASLR = CategorySpec{
		ID:              "information.aslr",
		Title:           "Information Gathering - ASLR",
		DefaultProfiles: []string{ProfileExtended, ProfileAdditional},
		Order:           1300,
	}
	CategoryCgroups = CategorySpec{
		ID:              "information.cgroups",
		Title:           "Information Gathering - Cgroups",
		DefaultProfiles: []string{ProfileExtended, ProfileAdditional},
		Order:           1400,
	}
	CategorySecurity = CategorySpec{
		ID:              "information.security",
		Title:           "Information Gathering - Container Security",
		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
		Order:           1500,
	}
)
var RouteLocalNetProcPath = "/proc/sys/net/ipv4/conf/all/route_localnet"

Functions

func ASLR added in v1.0.1

func ASLR()

func BasicSysInfo

func BasicSysInfo()

func CallAddedFunc added in v1.4.1

func CallAddedFunc()

CallAddedFunc executes the additional evaluation profile.

func CallBasics added in v1.4.1

func CallBasics()

CallBasics executes the baseline evaluation profile.

func CheckAppArmor added in v1.5.6

func CheckAppArmor()

CheckAppArmor inspects kernel compile options, boot parameters, runtime status, and the active AppArmor profile for the current process.

func CheckCloudMetadataAPI

func CheckCloudMetadataAPI()

func CheckK8sAnonymousLogin

func CheckK8sAnonymousLogin() bool

func CheckNamespaceIsolation added in v1.5.6

func CheckNamespaceIsolation()

CheckNamespaceIsolation compares /proc/1/ns/<ns> and /proc/self/ns/<ns> for each namespace type. If the symlink targets differ, the namespace is isolated.

func CheckNetNamespace

func CheckNetNamespace()

func CheckPrivilegedK8sServiceAccount added in v1.0.1

func CheckPrivilegedK8sServiceAccount(tokenPath string) bool

func CheckRouteLocalNetworkValue

func CheckRouteLocalNetworkValue()

func CheckSELinux added in v1.5.6

func CheckSELinux()

CheckSELinux detects whether SELinux is present and enforcing.

func CheckSeccompKernelSupport added in v1.5.6

func CheckSeccompKernelSupport()

CheckSeccompKernelSupport reports whether the running kernel was compiled with Seccomp support by checking for the Seccomp field in /proc/self/status and, optionally, the kernel config.

func CheckSeccompStatus added in v1.5.6

func CheckSeccompStatus()

CheckSeccompStatus reads the Seccomp field from /proc/self/status and reports whether Seccomp is disabled (0), strict (1), or filter (2) mode.
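The two proc-based checks documented above, the /proc/1/ns versus /proc/self/ns comparison of CheckNamespaceIsolation and the Seccomp field parsing of CheckSeccompKernelSupport and CheckSeccompStatus, can be reproduced in plain Go. The block below is an added example written for this page, not the evaluate package's own implementation. It assumes the /proc layout described in proc(5) (the Seccomp line is present only when the kernel has seccomp support, and holds 0, 1 or 2) and, for offline runs, builds a constructed /proc look-alike whose inode numbers are invented sample values.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// SeccompMode holds the value of the Seccomp field in /proc/<pid>/status:
// 0 = disabled, 1 = strict, 2 = filter (the meanings proc(5) documents).
type SeccompMode int

const (
	SeccompDisabled SeccompMode = 0
	SeccompStrict   SeccompMode = 1
	SeccompFilter   SeccompMode = 2
)

// ParseSeccompStatus scans the text of a /proc/<pid>/status file for the
// "Seccomp:" line. present is false when the line is missing, which is what
// a kernel built without seccomp support shows; the "Seccomp_filters:" line
// found on newer kernels is deliberately not matched.
func ParseSeccompStatus(status string) (mode SeccompMode, present bool, err error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "Seccomp:") {
			continue
		}
		v, convErr := strconv.Atoi(strings.TrimSpace(strings.TrimPrefix(line, "Seccomp:")))
		if convErr != nil {
			return 0, true, fmt.Errorf("malformed Seccomp field %q: %w", line, convErr)
		}
		return SeccompMode(v), true, nil
	}
	return 0, false, nil
}

// NamespaceTypes lists the links under /proc/<pid>/ns that are compared.
var NamespaceTypes = []string{"mnt", "pid", "net", "ipc", "uts", "user", "cgroup"}

// NamespaceIsolation resolves procRoot/1/ns/<ns> and procRoot/self/ns/<ns>
// for each type and reports true where the link targets differ, i.e. the
// caller does not share that namespace with PID 1. procRoot is "/proc" on a
// live system; BuildFakeProc below builds a substitute for offline runs.
func NamespaceIsolation(procRoot string, types []string) (map[string]bool, error) {
	out := make(map[string]bool, len(types))
	for _, ns := range types {
		initTarget, err := os.Readlink(filepath.Join(procRoot, "1", "ns", ns))
		if err != nil {
			return nil, fmt.Errorf("pid 1 %s namespace: %w", ns, err)
		}
		selfTarget, err := os.Readlink(filepath.Join(procRoot, "self", "ns", ns))
		if err != nil {
			return nil, fmt.Errorf("self %s namespace: %w", ns, err)
		}
		out[ns] = initTarget != selfTarget
	}
	return out, nil
}

// BuildFakeProc writes a constructed /proc look-alike under dir: the "net"
// links differ (isolated) while the "pid" links match (shared). The inode
// numbers are invented sample values, not taken from any real system.
func BuildFakeProc(dir string) error {
	links := map[string]string{
		"1/ns/net":    "net:[4026531992]",
		"self/ns/net": "net:[4026532583]",
		"1/ns/pid":    "pid:[4026531836]",
		"self/ns/pid": "pid:[4026531836]",
	}
	for rel, target := range links {
		p := filepath.Join(dir, rel)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.Symlink(target, p); err != nil {
			return err
		}
	}
	return nil
}

// main runs both checks against the live procfs when one is available.
func main() {
	raw, err := os.ReadFile("/proc/self/status")
	if err != nil {
		fmt.Println("no procfs available:", err)
		return
	}
	mode, present, err := ParseSeccompStatus(string(raw))
	fmt.Printf("seccomp: present=%v mode=%d err=%v\n", present, mode, err)
	iso, err := NamespaceIsolation("/proc", NamespaceTypes)
	fmt.Printf("namespace isolation: %v err=%v\n", iso, err)
}
```

A missing Seccomp line and a Seccomp value of 0 are reported separately on purpose: the first means the kernel cannot enforce a filter at all, the second that the runtime simply did not apply one, and the remediation differs.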

func CommandAllow added in v1.4.1

func CommandAllow()

CommandAllow checks whether commands are allowed to run.

func DumpCgroup added in v1.1.0

func DumpCgroup()

func FindSidFiles added in v1.4.1

func FindSidFiles()

FindSidFiles searches for setuid binaries, as `find /bin/. -perm -4000 -type f` would.

func GetProcCapabilities

func GetProcCapabilities() bool

func MountEscape

func MountEscape()

func RegisterCheck added in v1.5.6

func RegisterCheck(category CategorySpec, check Check, profiles ...string)

RegisterCheck registers a check with the given category and optional profile list.

func RegisterContextCheck added in v1.5.6

func RegisterContextCheck(category CategorySpec, id, title string, fn CheckFunc, profiles ...string)

RegisterContextCheck registers a check backed by a function that consumes Context.

func RegisterSimpleCheck added in v1.5.6

func RegisterSimpleCheck(category CategorySpec, id, title string, fn func(), profiles ...string)

RegisterSimpleCheck registers a check backed by a parameterless function.

func SearchAvailableCommands

func SearchAvailableCommands()

func SearchLocalFilePath

func SearchLocalFilePath()

func SearchSensitiveEnv

func SearchSensitiveEnv()

func SearchSensitiveService

func SearchSensitiveService()

Types

type Category added in v1.5.6

type Category struct {
	ID     string
	Title  string
	Checks []Check
}

Category groups related checks under a shared heading.

type CategorySpec added in v1.5.6

type CategorySpec struct {
	ID              string
	Title           string
	DefaultProfiles []string
	Order           int
}

CategorySpec describes where a check is shown and its display metadata.

type Check added in v1.5.6

type Check struct {
	ID          string
	Title       string
	Description string
	Run         CheckFunc
}

Check describes an actionable evaluation task.

type CheckFunc added in v1.5.6

type CheckFunc func(*Context) error

CheckFunc represents the executable unit for a security check.

type Context added in v1.5.6

type Context struct {
	Logger *log.Logger
}

Context carries shared dependencies for evaluation checks.

func NewContext added in v1.5.6

func NewContext(logger *log.Logger) *Context

NewContext constructs a Context instance with a default logger when none is provided.

type Evaluator added in v1.5.6

type Evaluator struct {
	// contains filtered or unexported fields
}

Evaluator coordinates profile registration and execution.

func NewEvaluator added in v1.5.6

func NewEvaluator() *Evaluator

NewEvaluator returns an Evaluator with the default profiles registered.

func (*Evaluator) Profile added in v1.5.6

func (e *Evaluator) Profile(id string) (Profile, bool)

Profile returns a copy of the profile and a boolean indicating whether it exists.

func (*Evaluator) Profiles added in v1.5.6

func (e *Evaluator) Profiles() []Profile

Profiles returns the registered profiles sorted by their identifier.

func (*Evaluator) RegisterProfile added in v1.5.6

func (e *Evaluator) RegisterProfile(profile Profile)

RegisterProfile adds or replaces a profile definition.

func (*Evaluator) RunProfile added in v1.5.6

func (e *Evaluator) RunProfile(id string, ctx *Context) error

RunProfile executes every category within the selected profile.

type Profile added in v1.5.6

type Profile struct {
	ID         string
	Title      string
	Categories []Category
}

Profile combines categories into a runnable unit.
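The registration functions and the Evaluator's Profile and RunProfile methods documented above describe a small registry: checks attach to a CategorySpec, optionally restricted to named profiles, and a profile is the ordered set of categories with the checks registered for it. The block below is an added illustration of that shape written for this page; it copies the documented type layouts but the Registry, its profile-defaulting rule, Order-based sorting and error aggregation are this example's own assumptions, not the evaluate package's unexported internals.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"sort"
)

// The types below copy the shapes documented for the evaluate package.
// Registry is a constructed stand-in for the package's unexported internals.
type Context struct{ Logger *log.Logger }
type CheckFunc func(*Context) error
type Check struct {
	ID, Title, Description string
	Run                    CheckFunc
}
type CategorySpec struct {
	ID, Title       string
	DefaultProfiles []string
	Order           int
}
type Category struct {
	ID, Title string
	Checks    []Check
}
type Profile struct {
	ID, Title  string
	Categories []Category
}

// Registry stores checks as profile ID -> category ID -> checks and keeps
// each CategorySpec so Profile can sort categories by Order.
type Registry struct {
	specs  map[string]CategorySpec
	checks map[string]map[string][]Check
}

func NewRegistry() *Registry {
	return &Registry{specs: map[string]CategorySpec{}, checks: map[string]map[string][]Check{}}
}

// RegisterCheck attaches c to spec under the given profiles; with none given,
// the category's DefaultProfiles apply (the documented "optional profile list").
func (r *Registry) RegisterCheck(spec CategorySpec, c Check, profiles ...string) {
	if len(profiles) == 0 {
		profiles = spec.DefaultProfiles
	}
	r.specs[spec.ID] = spec
	for _, p := range profiles {
		if r.checks[p] == nil {
			r.checks[p] = map[string][]Check{}
		}
		r.checks[p][spec.ID] = append(r.checks[p][spec.ID], c)
	}
}

// RegisterSimpleCheck wraps a parameterless function as a CheckFunc that never fails.
func (r *Registry) RegisterSimpleCheck(spec CategorySpec, id, title string, fn func(), profiles ...string) {
	r.RegisterCheck(spec, Check{ID: id, Title: title, Run: func(*Context) error { fn(); return nil }}, profiles...)
}

// Profile assembles the categories registered under id, sorted by Order.
func (r *Registry) Profile(id string) (Profile, bool) {
	byCat, ok := r.checks[id]
	if !ok {
		return Profile{}, false
	}
	p := Profile{ID: id, Title: id}
	for catID, cs := range byCat {
		p.Categories = append(p.Categories, Category{ID: catID, Title: r.specs[catID].Title, Checks: cs})
	}
	sort.Slice(p.Categories, func(i, j int) bool {
		return r.specs[p.Categories[i].ID].Order < r.specs[p.Categories[j].ID].Order
	})
	return p, true
}

// RunProfile runs every check in every category of the profile. Failures are
// joined so one broken check does not hide the rest; that aggregation policy
// is this example's choice, not documented package behaviour.
func (r *Registry) RunProfile(id string, ctx *Context) error {
	p, ok := r.Profile(id)
	if !ok {
		return fmt.Errorf("unknown profile %q", id)
	}
	var errs []error
	for _, cat := range p.Categories {
		ctx.Logger.Printf("== %s", cat.Title)
		for _, c := range cat.Checks {
			if err := c.Run(ctx); err != nil {
				errs = append(errs, fmt.Errorf("%s/%s: %w", cat.ID, c.ID, err))
			}
		}
	}
	return errors.Join(errs...)
}

func main() {
	r := NewRegistry()
	sec := CategorySpec{ID: "information.security", Title: "Container Security", DefaultProfiles: []string{"basic", "extended"}, Order: 1500}
	r.RegisterSimpleCheck(sec, "seccomp", "Seccomp status", func() { fmt.Println("seccomp check ran") })
	fmt.Println("basic profile error:", r.RunProfile("basic", &Context{Logger: log.Default()}))
}
```

Passing a profile list to RegisterCheck narrows, rather than extends, where a check appears: a check registered only for "additional" never runs under "basic", which is the property worth asserting when a new check is added to a category whose defaults are broader.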
