diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md b/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md index 1bb763d37..0ef7c1d83 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md @@ -4,11 +4,35 @@ ## Tools to analyse a cluster +### [**Steampipe - Kubernetes Compliance](https://github.com/turbot/steampipe-mod-kubernetes-compliance) + +It's will **several compliance checks over the Kubernetes cluster**. It includes support for CIS, National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity technical report for Kubernetes hardening. + +```bash +# Install Steampipe +brew install turbot/tap/powerpipe +brew install turbot/tap/steampipe +steampipe plugin install kubernetes + +# Start the service +steampipe service start + +# Install the module +mkdir dashboards +cd dashboards +powerpipe mod init +powerpipe mod install github.com/turbot/steampipe-mod-kubernetes-compliance + +# Run the module +powerpipe server +``` + ### [**Kubescape**](https://github.com/armosec/kubescape) [**Kubescape**](https://github.com/armosec/kubescape) is a K8s open-source tool providing a multi-cloud K8s single pane of glass, including risk analysis, security compliance, RBAC visualizer and image vulnerabilities scanning. Kubescape scans K8s clusters, YAML files, and HELM charts, detecting misconfigurations according to multiple frameworks (such as the [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo) , [MITRE ATT\&CKĀ®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/)), software vulnerabilities, and RBAC (role-based-access-control) violations at early stages of the CI/CD pipeline, calculates risk score instantly and shows risk trends over time. ```bash +curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash kubescape scan --verbose ``` @@ -24,7 +48,7 @@ You can choose to: ### [**Kubeaudit**](https://github.com/Shopify/kubeaudit) -The tool [**kubeaudit**](https://github.com/Shopify/kubeaudit) is a command line tool and a Go package to **audit Kubernetes clusters** for various different security concerns. +**[DEPRECATED]** The tool [**kubeaudit**](https://github.com/Shopify/kubeaudit) is a command line tool and a Go package to **audit Kubernetes clusters** for various different security concerns. Kubeaudit can detect if it is running within a container in a cluster. If so, it will try to audit all Kubernetes resources in that cluster: @@ -36,14 +60,27 @@ This tool also has the argument `autofix` to **automatically fix detected issues ### [**Kube-hunter**](https://github.com/aquasecurity/kube-hunter) -The tool [**kube-hunter**](https://github.com/aquasecurity/kube-hunter) hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. +**[DEPRECATED]** The tool [**kube-hunter**](https://github.com/aquasecurity/kube-hunter) hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. ```bash kube-hunter --remote some.node.com ``` +### [Trivy](https://github.com/aquasecurity/trivy) + +[Trivy](https://github.com/aquasecurity/trivy) has scanners that look for security issues, and targets where it can find those issues: + +- Container Image +- Filesystem +- Git Repository (remote) +- Virtual Machine Image +- Kubernetes + + ### [**Kubei**](https://github.com/Erezf-p/kubei) +**[Looks like unmantained]** + [**Kubei**](https://github.com/Erezf-p/kubei) is a vulnerabilities scanning and CIS Docker benchmark tool that allows users to get an accurate and immediate risk assessment of their kubernetes clusters. Kubei scans all images that are being used in a Kubernetes cluster, including images of application pods and system pods. ### [**KubiScan**](https://github.com/cyberark/KubiScan)