sssnake/Autarch
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Autarch/modules/container_sec.py

1483 lines
60 KiB
Python
Raw Permalink Normal View History

v2.3.0 — RCS exploit v2.0, Starlink hack, SMS forge, Archon RCS module Major RCS/SMS exploitation rewrite (v2.0): - bugle_db direct extraction (plaintext messages, no decryption needed) - CVE-2024-0044 run-as privilege escalation (Android 12-13) - AOSP RCS provider queries (content://rcs/) - Archon app relay for Shizuku-elevated bugle_db access - 7-tab web UI: Extract, Database, Forge, Modify, Exploit, Backup, Monitor - SQL query interface for extracted databases - Full backup/restore/clone with SMS Backup & Restore XML support - Known CVE database (CVE-2023-24033, CVE-2024-49415, CVE-2025-48593) - IMS/RCS diagnostics, Phenotype verbose logging, Pixel tools New modules: Starlink hack, SMS forge, SDR drone detection Archon Android app: RCS messaging module with Shizuku integration Updated manuals to v2.3, 60 web blueprints confirmed Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-03 13:50:29 -08:00
"""AUTARCH Container Security
Docker auditing, Kubernetes assessment, container image scanning,
escape detection, Dockerfile linting, and runtime monitoring.
"""
DESCRIPTION = "Container security — Docker & Kubernetes auditing"
AUTHOR = "darkHal"
VERSION = "1.0"
CATEGORY = "defense"
import os
import re
import sys
import json
import subprocess
import platform
import time
from pathlib import Path
from datetime import datetime
from typing import Dict, List, Optional, Any
try:
from core.paths import get_data_dir, find_tool
except ImportError:
def get_data_dir():
return str(Path(__file__).parent.parent / 'data')
import shutil
def find_tool(name):
return shutil.which(name)
sys.path.insert(0, str(Path(__file__).parent.parent))
try:
from core.banner import Colors, clear_screen, display_banner
except ImportError:
class Colors:
RED = YELLOW = GREEN = CYAN = WHITE = DIM = RESET = BOLD = ''
def clear_screen():
pass
def display_banner():
pass
# ── Dangerous Docker capabilities ───────────────────────────────────────────
DANGEROUS_CAPS = [
'SYS_ADMIN', 'NET_ADMIN', 'SYS_PTRACE', 'SYS_RAWIO',
'DAC_OVERRIDE', 'FOWNER', 'NET_RAW', 'MKNOD', 'SYS_CHROOT',
'AUDIT_WRITE', 'SETFCAP', 'MAC_OVERRIDE', 'MAC_ADMIN',
'SYSLOG', 'DAC_READ_SEARCH', 'LINUX_IMMUTABLE', 'SYS_BOOT',
'SYS_MODULE', 'SYS_TIME', 'KILL',
]
SENSITIVE_MOUNTS = [
'/var/run/docker.sock', '/run/docker.sock',
'/proc', '/sys', '/dev', '/etc/shadow', '/etc/passwd',
'/root', '/home', '/var/log',
]
DEFAULT_SECCOMP_PROFILE = 'runtime/default'
# ── Dockerfile Lint Rules ───────────────────────────────────────────────────
DOCKERFILE_RULES = {
'DL001': {'severity': 'high', 'title': 'FROM uses :latest tag',
'desc': 'Pin image versions for reproducible builds.'},
'DL002': {'severity': 'high', 'title': 'No USER directive',
'desc': 'Container runs as root by default. Add a USER directive.'},
'DL003': {'severity': 'medium', 'title': 'ADD used instead of COPY',
'desc': 'Use COPY for local files. ADD auto-extracts and supports URLs.'},
'DL004': {'severity': 'high', 'title': 'Secrets in ENV/ARG',
'desc': 'Avoid passing secrets via ENV or ARG. Use build secrets.'},
'DL005': {'severity': 'low', 'title': 'Missing HEALTHCHECK',
'desc': 'Add HEALTHCHECK for container orchestration readiness.'},
'DL006': {'severity': 'medium', 'title': 'apt-get without --no-install-recommends',
'desc': 'Use --no-install-recommends to reduce image size.'},
'DL007': {'severity': 'low', 'title': 'Missing cache cleanup',
'desc': 'Run apt-get clean / rm -rf /var/lib/apt/lists/* after install.'},
'DL008': {'severity': 'medium', 'title': 'EXPOSE all interfaces',
'desc': 'Avoid EXPOSE with 0.0.0.0; bind to specific interfaces.'},
'DL009': {'severity': 'high', 'title': 'COPY / ADD of sensitive files',
'desc': 'Avoid copying .env, credentials, or private keys into image.'},
'DL010': {'severity': 'medium', 'title': 'Using sudo in RUN',
'desc': 'Avoid sudo in Dockerfiles. Use USER directive instead.'},
'DL011': {'severity': 'low', 'title': 'Multiple consecutive RUN commands',
'desc': 'Chain RUN commands with && to reduce layers.'},
}
SECRET_PATTERNS = re.compile(
r'(password|secret|token|api_key|apikey|access_key|private_key|'
r'aws_secret|db_pass|database_url|auth_token)',
re.IGNORECASE
)
SENSITIVE_FILE_PATTERNS = re.compile(
r'\.(pem|key|p12|pfx|env|credentials|htpasswd|pgpass)$',
re.IGNORECASE
)
# ── ContainerSecurity Class ─────────────────────────────────────────────────
class ContainerSecurity:
"""Docker and Kubernetes security auditing engine."""
_instance = None
def __init__(self):
data = Path(str(get_data_dir())) / 'container_sec'
data.mkdir(parents=True, exist_ok=True)
self._data_dir = data
self._results_path = data / 'results.json'
self._results = {
'docker_host': [],
'container_audits': {},
'image_scans': {},
'dockerfile_lints': [],
'k8s_audits': {},
'escape_checks': {},
'timestamp': None,
}
self._is_win = platform.system() == 'Windows'
# ── helpers ──────────────────────────────────────────────────────────────
def _run(self, cmd: str, timeout: int = 30) -> tuple:
"""Run a shell command. Returns (success: bool, stdout: str)."""
try:
result = subprocess.run(
cmd, shell=True, capture_output=True, text=True, timeout=timeout
)
return result.returncode == 0, result.stdout.strip()
except subprocess.TimeoutExpired:
return False, 'Command timed out'
except Exception as e:
return False, str(e)
def _run_json(self, cmd: str, timeout: int = 30) -> tuple:
"""Run command expecting JSON output. Returns (success, parsed_data)."""
ok, raw = self._run(cmd, timeout=timeout)
if not ok:
return False, raw
try:
return True, json.loads(raw)
except (json.JSONDecodeError, ValueError):
return False, raw
def _save_results(self):
self._results['timestamp'] = datetime.utcnow().isoformat()
try:
with open(self._results_path, 'w') as f:
json.dump(self._results, f, indent=2, default=str)
except Exception:
pass
# ── tool checks ──────────────────────────────────────────────────────────
def check_docker_installed(self) -> dict:
"""Check if Docker CLI is available."""
docker = find_tool('docker')
if not docker:
return {'installed': False, 'path': None, 'version': None}
ok, ver = self._run(f'"{docker}" --version')
return {
'installed': True,
'path': docker,
'version': ver if ok else 'unknown',
}
def check_kubectl_installed(self) -> dict:
"""Check if kubectl CLI is available."""
kubectl = find_tool('kubectl')
if not kubectl:
return {'installed': False, 'path': None, 'version': None, 'context': None}
ok, ver = self._run(f'"{kubectl}" version --client --short 2>/dev/null || "{kubectl}" version --client')
ctx_ok, ctx = self._run(f'"{kubectl}" config current-context 2>/dev/null')
return {
'installed': True,
'path': kubectl,
'version': ver if ok else 'unknown',
'context': ctx if ctx_ok else None,
}
# ── Docker Host Audit ────────────────────────────────────────────────────
def audit_docker_host(self) -> list:
"""Comprehensive Docker host security audit."""
findings = []
docker = find_tool('docker')
if not docker:
return [{'check': 'Docker CLI', 'severity': 'critical',
'status': 'fail', 'detail': 'Docker not found on system'}]
# 1. Daemon configuration
daemon_cfg_path = '/etc/docker/daemon.json'
if self._is_win:
daemon_cfg_path = os.path.expandvars(r'%ProgramData%\docker\config\daemon.json')
daemon_cfg = {}
if os.path.isfile(daemon_cfg_path):
try:
with open(daemon_cfg_path) as f:
daemon_cfg = json.load(f)
findings.append({
'check': 'Daemon Config',
'severity': 'info',
'status': 'pass',
'detail': f'Found {daemon_cfg_path}',
})
except Exception as e:
findings.append({
'check': 'Daemon Config',
'severity': 'medium',
'status': 'warn',
'detail': f'Cannot parse {daemon_cfg_path}: {e}',
})
else:
findings.append({
'check': 'Daemon Config',
'severity': 'medium',
'status': 'warn',
'detail': f'No daemon.json found at {daemon_cfg_path}',
})
# 2. Docker socket permissions (Linux only)
if not self._is_win:
sock = '/var/run/docker.sock'
if os.path.exists(sock):
try:
stat = os.stat(sock)
mode = oct(stat.st_mode)[-3:]
world_rw = mode[2] in ('6', '7', '2', '3')
if world_rw:
findings.append({
'check': 'Docker Socket Permissions',
'severity': 'high',
'status': 'fail',
'detail': f'{sock} is world-accessible (mode {mode}). Restrict to docker group.',
})
else:
findings.append({
'check': 'Docker Socket Permissions',
'severity': 'info',
'status': 'pass',
'detail': f'{sock} permissions: {mode}',
})
except Exception:
findings.append({
'check': 'Docker Socket Permissions',
'severity': 'low',
'status': 'warn',
'detail': 'Cannot stat docker socket',
})
# 3. TLS configuration
tls_verify = daemon_cfg.get('tls', False) or daemon_cfg.get('tlsverify', False)
if tls_verify:
findings.append({
'check': 'TLS Configuration',
'severity': 'info',
'status': 'pass',
'detail': 'Docker daemon TLS is enabled',
})
else:
findings.append({
'check': 'TLS Configuration',
'severity': 'medium',
'status': 'warn',
'detail': 'Docker daemon TLS is not configured in daemon.json',
})
# 4. User namespace remapping
userns = daemon_cfg.get('userns-remap', '')
if userns:
findings.append({
'check': 'User Namespace Remapping',
'severity': 'info',
'status': 'pass',
'detail': f'Remapped to: {userns}',
})
else:
findings.append({
'check': 'User Namespace Remapping',
'severity': 'medium',
'status': 'warn',
'detail': 'Not enabled. Containers run as host UID 0.',
})
# 5. Content trust
content_trust = os.environ.get('DOCKER_CONTENT_TRUST', '0')
if content_trust == '1':
findings.append({
'check': 'Content Trust (DCT)',
'severity': 'info',
'status': 'pass',
'detail': 'DOCKER_CONTENT_TRUST=1 — signed images enforced',
})
else:
findings.append({
'check': 'Content Trust (DCT)',
'severity': 'low',
'status': 'warn',
'detail': 'DOCKER_CONTENT_TRUST not set. Unsigned images accepted.',
})
# 6. Live restore
live_restore = daemon_cfg.get('live-restore', False)
if live_restore:
findings.append({
'check': 'Live Restore',
'severity': 'info',
'status': 'pass',
'detail': 'Containers survive daemon restarts',
})
else:
findings.append({
'check': 'Live Restore',
'severity': 'low',
'status': 'warn',
'detail': 'live-restore not enabled in daemon.json',
})
# 7. Logging driver
log_driver = daemon_cfg.get('log-driver', 'json-file')
log_opts = daemon_cfg.get('log-opts', {})
max_size = log_opts.get('max-size', 'unlimited')
findings.append({
'check': 'Logging Driver',
'severity': 'low' if log_driver == 'json-file' and max_size == 'unlimited' else 'info',
'status': 'warn' if max_size == 'unlimited' else 'pass',
'detail': f'Driver: {log_driver}, max-size: {max_size}',
})
# 8. Docker info — check swarm, runtimes
ok, info_raw = self._run(f'"{docker}" info --format "{{{{json .}}}}"')
if ok:
try:
info = json.loads(info_raw)
# Check default runtime
rt = info.get('DefaultRuntime', 'runc')
findings.append({
'check': 'Default Runtime',
'severity': 'info',
'status': 'pass' if rt in ('runc', 'crun') else 'info',
'detail': f'Runtime: {rt}',
})
# Swarm mode
swarm = info.get('Swarm', {})
swarm_active = swarm.get('LocalNodeState', 'inactive') == 'active'
if swarm_active:
findings.append({
'check': 'Swarm Mode',
'severity': 'info',
'status': 'info',
'detail': 'Swarm is active. Ensure manager auto-lock is enabled.',
})
except (json.JSONDecodeError, ValueError):
pass
self._results['docker_host'] = findings
self._save_results()
return findings
# ── Container Listing / Inspection ───────────────────────────────────────
def list_containers(self, all: bool = True) -> list:
"""List Docker containers."""
docker = find_tool('docker')
if not docker:
return []
flag = '-a' if all else ''
fmt = '{{json .}}'
ok, raw = self._run(f'"{docker}" ps {flag} --format "{fmt}"')
if not ok:
return []
containers = []
for line in raw.splitlines():
line = line.strip()
if not line:
continue
try:
c = json.loads(line)
containers.append({
'id': c.get('ID', ''),
'name': c.get('Names', ''),
'image': c.get('Image', ''),
'status': c.get('Status', ''),
'ports': c.get('Ports', ''),
'created': c.get('CreatedAt', ''),
'state': c.get('State', ''),
})
except (json.JSONDecodeError, ValueError):
continue
return containers
def inspect_container(self, container_id: str) -> dict:
"""Inspect a container and extract security-relevant config."""
docker = find_tool('docker')
if not docker:
return {'error': 'Docker not found'}
ok, data = self._run_json(f'"{docker}" inspect {container_id}')
if not ok or not isinstance(data, list) or len(data) == 0:
return {'error': f'Cannot inspect container {container_id}'}
info = data[0]
host_cfg = info.get('HostConfig', {})
cfg = info.get('Config', {})
# Capabilities
cap_add = host_cfg.get('CapAdd') or []
cap_drop = host_cfg.get('CapDrop') or []
# Mounts
mounts = []
for m in info.get('Mounts', []):
mounts.append({
'source': m.get('Source', ''),
'destination': m.get('Destination', ''),
'mode': m.get('Mode', ''),
'rw': m.get('RW', True),
'type': m.get('Type', ''),
})
# Security options
sec_opts = host_cfg.get('SecurityOpt') or []
return {
'id': info.get('Id', '')[:12],
'name': info.get('Name', '').lstrip('/'),
'image': cfg.get('Image', ''),
'privileged': host_cfg.get('Privileged', False),
'cap_add': cap_add,
'cap_drop': cap_drop,
'mounts': mounts,
'network_mode': host_cfg.get('NetworkMode', ''),
'user': cfg.get('User', '') or 'root',
'pid_mode': host_cfg.get('PidMode', ''),
'ipc_mode': host_cfg.get('IpcMode', ''),
'read_only_rootfs': host_cfg.get('ReadonlyRootfs', False),
'security_opt': sec_opts,
'memory_limit': host_cfg.get('Memory', 0),
'cpu_shares': host_cfg.get('CpuShares', 0),
'pids_limit': host_cfg.get('PidsLimit', 0),
'restart_policy': host_cfg.get('RestartPolicy', {}).get('Name', ''),
'env': cfg.get('Env', []),
}
# ── Container Security Audit ─────────────────────────────────────────────
def audit_container(self, container_id: str) -> dict:
"""Full security audit of a running container."""
info = self.inspect_container(container_id)
if 'error' in info:
return info
findings = []
passed = 0
total = 0
def check(name, ok, detail='', severity='medium'):
nonlocal passed, total
total += 1
if ok:
passed += 1
findings.append({
'check': name,
'status': 'pass' if ok else 'fail',
'severity': severity if not ok else 'info',
'detail': detail,
})
# 1. Privileged mode
check('Privileged Mode',
not info['privileged'],
'Container is running in privileged mode!' if info['privileged']
else 'Not privileged',
severity='critical')
# 2. Dangerous capabilities
dangerous_found = [c for c in info['cap_add'] if c in DANGEROUS_CAPS]
check('Capabilities',
len(dangerous_found) == 0,
f'Dangerous capabilities added: {", ".join(dangerous_found)}' if dangerous_found
else f'No dangerous capabilities ({len(info["cap_drop"])} dropped)',
severity='high')
# 3. Sensitive mounts
sensitive_found = []
for m in info['mounts']:
for s in SENSITIVE_MOUNTS:
if m['destination'].startswith(s) or m['source'].startswith(s):
sensitive_found.append(f'{m["source"]} -> {m["destination"]}')
break
check('Sensitive Mounts',
len(sensitive_found) == 0,
f'Sensitive paths mounted: {"; ".join(sensitive_found)}' if sensitive_found
else 'No sensitive host paths mounted',
severity='high')
# 4. Running as root
check('User',
info['user'] not in ('', 'root', '0'),
f'Running as: {info["user"]}' if info['user'] not in ('', 'root', '0')
else 'Running as root. Use USER directive.',
severity='medium')
# 5. Read-only root filesystem
check('Read-only Rootfs',
info['read_only_rootfs'],
'Root filesystem is read-only' if info['read_only_rootfs']
else 'Root filesystem is writable. Consider --read-only.',
severity='low')
# 6. Resource limits — memory
check('Memory Limit',
info['memory_limit'] > 0,
f'Memory limit: {info["memory_limit"] // (1024*1024)}MB' if info['memory_limit'] > 0
else 'No memory limit set. Container can exhaust host memory.',
severity='medium')
# 7. Resource limits — PID
pids = info['pids_limit']
has_pids = pids is not None and pids > 0 and pids != -1
check('PID Limit',
has_pids,
f'PID limit: {pids}' if has_pids
else 'No PID limit. Fork bomb possible.',
severity='low')
# 8. Seccomp profile
seccomp_set = any('seccomp' in opt for opt in info['security_opt'])
no_seccomp = any('seccomp=unconfined' in opt for opt in info['security_opt'])
check('Seccomp Profile',
seccomp_set and not no_seccomp,
'Seccomp profile disabled (unconfined)!' if no_seccomp
else ('Custom seccomp profile applied' if seccomp_set
else 'Default seccomp profile (OK for Docker default)'),
severity='high' if no_seccomp else 'low')
# 9. AppArmor profile
apparmor_set = any('apparmor' in opt for opt in info['security_opt'])
no_apparmor = any('apparmor=unconfined' in opt for opt in info['security_opt'])
check('AppArmor Profile',
not no_apparmor,
'AppArmor disabled (unconfined)!' if no_apparmor
else ('AppArmor profile applied' if apparmor_set
else 'No explicit AppArmor profile (using Docker default)'),
severity='medium' if no_apparmor else 'low')
# 10. Network mode
check('Network Mode',
info['network_mode'] not in ('host',),
f'Network mode: {info["network_mode"]}',
severity='high' if info['network_mode'] == 'host' else 'info')
# 11. PID mode
check('PID Mode',
info['pid_mode'] != 'host',
'PID namespace shared with host!' if info['pid_mode'] == 'host'
else f'PID mode: {info["pid_mode"] or "container (isolated)"}',
severity='high')
# 12. Secrets in environment
env_secrets = []
for e in info.get('env', []):
key = e.split('=', 1)[0] if '=' in e else e
if SECRET_PATTERNS.search(key):
env_secrets.append(key)
check('Environment Secrets',
len(env_secrets) == 0,
f'Possible secrets in ENV: {", ".join(env_secrets)}' if env_secrets
else 'No obvious secrets in environment variables',
severity='medium')
score = int((passed / total) * 100) if total > 0 else 0
result = {
'container_id': container_id,
'name': info.get('name', ''),
'image': info.get('image', ''),
'score': score,
'passed': passed,
'total': total,
'findings': findings,
}
self._results['container_audits'][container_id] = result
self._save_results()
return result
# ── Image Operations ─────────────────────────────────────────────────────
def list_images(self) -> list:
"""List local Docker images."""
docker = find_tool('docker')
if not docker:
return []
fmt = '{{json .}}'
ok, raw = self._run(f'"{docker}" images --format "{fmt}"')
if not ok:
return []
images = []
for line in raw.splitlines():
line = line.strip()
if not line:
continue
try:
img = json.loads(line)
images.append({
'id': img.get('ID', ''),
'repo': img.get('Repository', ''),
'tag': img.get('Tag', ''),
'size': img.get('Size', ''),
'created': img.get('CreatedAt', img.get('CreatedSince', '')),
})
except (json.JSONDecodeError, ValueError):
continue
return images
def scan_image(self, image_name: str) -> dict:
"""Scan a container image for CVEs using trivy or grype."""
# Try trivy first
trivy = find_tool('trivy')
if trivy:
ok, raw = self._run(
f'"{trivy}" image --format json --severity CRITICAL,HIGH,MEDIUM,LOW '
f'--quiet "{image_name}"',
timeout=120
)
if ok:
return self._parse_trivy(raw, image_name)
# Fallback to grype
grype = find_tool('grype')
if grype:
ok, raw = self._run(
f'"{grype}" "{image_name}" -o json --quiet',
timeout=120
)
if ok:
return self._parse_grype(raw, image_name)
return {
'image': image_name,
'scanner': None,
'error': 'No scanner available. Install trivy or grype.',
'vulnerabilities': [],
'summary': {},
}
def _parse_trivy(self, raw: str, image_name: str) -> dict:
"""Parse Trivy JSON output."""
vulns = []
summary = {'CRITICAL': 0, 'HIGH': 0, 'MEDIUM': 0, 'LOW': 0}
try:
data = json.loads(raw)
results = data.get('Results', [])
for r in results:
for v in r.get('Vulnerabilities', []):
sev = v.get('Severity', 'UNKNOWN').upper()
entry = {
'cve': v.get('VulnerabilityID', ''),
'severity': sev,
'package': v.get('PkgName', ''),
'installed_version': v.get('InstalledVersion', ''),
'fixed_version': v.get('FixedVersion', ''),
'title': v.get('Title', ''),
}
vulns.append(entry)
if sev in summary:
summary[sev] += 1
except (json.JSONDecodeError, ValueError):
return {'image': image_name, 'scanner': 'trivy',
'error': 'Failed to parse trivy output', 'vulnerabilities': [], 'summary': {}}
result = {
'image': image_name,
'scanner': 'trivy',
'vulnerabilities': vulns,
'summary': summary,
'total': len(vulns),
}
self._results['image_scans'][image_name] = result
self._save_results()
return result
def _parse_grype(self, raw: str, image_name: str) -> dict:
"""Parse Grype JSON output."""
vulns = []
summary = {'CRITICAL': 0, 'HIGH': 0, 'MEDIUM': 0, 'LOW': 0}
try:
data = json.loads(raw)
for m in data.get('matches', []):
v = m.get('vulnerability', {})
sev = v.get('severity', 'Unknown').upper()
pkg = m.get('artifact', {})
fixed = ''
fix_vers = v.get('fix', {}).get('versions', [])
if fix_vers:
fixed = fix_vers[0]
entry = {
'cve': v.get('id', ''),
'severity': sev,
'package': pkg.get('name', ''),
'installed_version': pkg.get('version', ''),
'fixed_version': fixed,
'title': v.get('description', '')[:120],
}
vulns.append(entry)
if sev in summary:
summary[sev] += 1
except (json.JSONDecodeError, ValueError):
return {'image': image_name, 'scanner': 'grype',
'error': 'Failed to parse grype output', 'vulnerabilities': [], 'summary': {}}
result = {
'image': image_name,
'scanner': 'grype',
'vulnerabilities': vulns,
'summary': summary,
'total': len(vulns),
}
self._results['image_scans'][image_name] = result
self._save_results()
return result
# ── Dockerfile Linting ───────────────────────────────────────────────────
def lint_dockerfile(self, content: str) -> list:
"""Lint a Dockerfile for security issues."""
findings = []
lines = content.splitlines()
has_user = False
has_healthcheck = False
consecutive_run = 0
max_consecutive_run = 0
for i, raw_line in enumerate(lines, 1):
line = raw_line.strip()
if not line or line.startswith('#'):
consecutive_run = 0
continue
upper = line.upper()
# FROM :latest
if upper.startswith('FROM '):
img = line[5:].strip().split(' ')[0]
if ':' not in img or img.endswith(':latest'):
findings.append({
'rule': 'DL001', 'line': i,
'severity': DOCKERFILE_RULES['DL001']['severity'],
'title': DOCKERFILE_RULES['DL001']['title'],
'detail': f'Image "{img}" — pin a specific version tag.',
})
# USER directive
if upper.startswith('USER '):
has_user = True
# HEALTHCHECK
if upper.startswith('HEALTHCHECK '):
has_healthcheck = True
# ADD vs COPY
if upper.startswith('ADD ') and not line.strip().startswith('ADD --from'):
parts = line[4:].strip()
# Skip if it's a URL (ADD has valid URL use)
if not parts.startswith('http://') and not parts.startswith('https://'):
findings.append({
'rule': 'DL003', 'line': i,
'severity': DOCKERFILE_RULES['DL003']['severity'],
'title': DOCKERFILE_RULES['DL003']['title'],
'detail': f'Line {i}: prefer COPY over ADD for local files.',
})
# Secrets in ENV/ARG
if upper.startswith('ENV ') or upper.startswith('ARG '):
key = line.split()[1] if len(line.split()) > 1 else ''
key = key.split('=')[0]
if SECRET_PATTERNS.search(key):
findings.append({
'rule': 'DL004', 'line': i,
'severity': DOCKERFILE_RULES['DL004']['severity'],
'title': DOCKERFILE_RULES['DL004']['title'],
'detail': f'Line {i}: "{key}" looks like a secret. Use --secret instead.',
})
# apt-get without --no-install-recommends
if 'apt-get install' in line and '--no-install-recommends' not in line:
findings.append({
'rule': 'DL006', 'line': i,
'severity': DOCKERFILE_RULES['DL006']['severity'],
'title': DOCKERFILE_RULES['DL006']['title'],
'detail': f'Line {i}: add --no-install-recommends to reduce image size.',
})
# COPY/ADD of sensitive files
if upper.startswith('COPY ') or upper.startswith('ADD '):
if SENSITIVE_FILE_PATTERNS.search(line):
findings.append({
'rule': 'DL009', 'line': i,
'severity': DOCKERFILE_RULES['DL009']['severity'],
'title': DOCKERFILE_RULES['DL009']['title'],
'detail': f'Line {i}: copying potentially sensitive file into image.',
})
# sudo in RUN
if upper.startswith('RUN ') and 'sudo ' in line:
findings.append({
'rule': 'DL010', 'line': i,
'severity': DOCKERFILE_RULES['DL010']['severity'],
'title': DOCKERFILE_RULES['DL010']['title'],
'detail': f'Line {i}: avoid sudo in Dockerfiles.',
})
# Consecutive RUN
if upper.startswith('RUN '):
consecutive_run += 1
if consecutive_run > max_consecutive_run:
max_consecutive_run = consecutive_run
else:
consecutive_run = 0
# Post-scan checks
if not has_user:
findings.append({
'rule': 'DL002', 'line': 0,
'severity': DOCKERFILE_RULES['DL002']['severity'],
'title': DOCKERFILE_RULES['DL002']['title'],
'detail': 'No USER directive found. Container will run as root.',
})
if not has_healthcheck:
findings.append({
'rule': 'DL005', 'line': 0,
'severity': DOCKERFILE_RULES['DL005']['severity'],
'title': DOCKERFILE_RULES['DL005']['title'],
'detail': 'No HEALTHCHECK instruction. Add one for orchestration.',
})
if max_consecutive_run >= 3:
findings.append({
'rule': 'DL011', 'line': 0,
'severity': DOCKERFILE_RULES['DL011']['severity'],
'title': DOCKERFILE_RULES['DL011']['title'],
'detail': f'{max_consecutive_run} consecutive RUN commands. Chain with && to reduce layers.',
})
# Check for missing cache cleanup
if 'apt-get install' in content and 'rm -rf /var/lib/apt/lists' not in content:
findings.append({
'rule': 'DL007', 'line': 0,
'severity': DOCKERFILE_RULES['DL007']['severity'],
'title': DOCKERFILE_RULES['DL007']['title'],
'detail': 'apt-get install used without cleaning /var/lib/apt/lists/*.',
})
self._results['dockerfile_lints'] = findings
self._save_results()
return findings
# ── Container Escape Detection ───────────────────────────────────────────
def check_escape_vectors(self, container_id: str) -> dict:
"""Check for container escape possibilities."""
info = self.inspect_container(container_id)
if 'error' in info:
return info
vectors = []
def vec(name, risk, exploitable, detail):
vectors.append({
'vector': name,
'risk': risk,
'exploitable': exploitable,
'detail': detail,
})
# 1. Privileged mode — full escape
if info['privileged']:
vec('Privileged Mode', 'critical', True,
'Container has full access to host devices and kernel. '
'Trivial escape via mounting host filesystem.')
# 2. Docker socket mount
sock_mounted = any(
'/var/run/docker.sock' in m.get('source', '') or
'/run/docker.sock' in m.get('source', '')
for m in info['mounts']
)
if sock_mounted:
vec('Docker Socket Mount', 'critical', True,
'Docker socket mounted inside container. Attacker can spawn '
'privileged containers on the host.')
# 3. SYS_ADMIN capability
if 'SYS_ADMIN' in info.get('cap_add', []):
vec('SYS_ADMIN Capability', 'high', True,
'SYS_ADMIN allows mounting filesystems, modifying cgroups. '
'Combined with other misconfigs, can lead to escape.')
# 4. SYS_PTRACE capability
if 'SYS_PTRACE' in info.get('cap_add', []):
vec('SYS_PTRACE Capability', 'high', True,
'SYS_PTRACE allows process injection and debugging. '
'Can be used to escape via process injection into host PID.')
# 5. Host PID namespace
if info.get('pid_mode') == 'host':
vec('Host PID Namespace', 'high', True,
'Container shares PID namespace with host. Processes visible '
'and injectable from container.')
# 6. Host network namespace
if info.get('network_mode') == 'host':
vec('Host Network Namespace', 'medium', False,
'Container shares host network stack. Can sniff host traffic '
'and access services on localhost.')
# 7. /proc write access
proc_mounted = any(
m.get('destination', '').startswith('/proc') and m.get('rw', True)
for m in info['mounts']
)
if proc_mounted:
vec('/proc Write Access', 'high', True,
'Writable /proc mount can enable kernel parameter modification '
'and cgroup escape techniques.')
# 8. Kernel version (check for known container escape CVEs)
ok, uname = self._run('uname -r 2>/dev/null')
if ok and uname:
kernel = uname.strip()
# Known vulnerable kernel ranges (simplified check)
vec('Kernel Version', 'info', False,
f'Host kernel: {kernel}. Check against CVE-2022-0185, '
f'CVE-2022-0847 (DirtyPipe), CVE-2021-22555.')
# 9. Cgroup escape
if info['privileged'] or 'SYS_ADMIN' in info.get('cap_add', []):
vec('Cgroup Escape', 'critical' if info['privileged'] else 'high', True,
'Privileged + cgroup v1 release_agent technique enables full '
'host command execution.')
# 10. Seccomp disabled
if any('seccomp=unconfined' in opt for opt in info.get('security_opt', [])):
vec('Seccomp Disabled', 'medium', False,
'No seccomp filter. All syscalls available including '
'those needed for escape techniques.')
# 11. AppArmor disabled
if any('apparmor=unconfined' in opt for opt in info.get('security_opt', [])):
vec('AppArmor Disabled', 'medium', False,
'No AppArmor confinement. Reduced protection against '
'filesystem and network abuse.')
risk_score = 0
for v in vectors:
w = {'critical': 40, 'high': 25, 'medium': 10, 'low': 5, 'info': 0}
risk_score += w.get(v['risk'], 0)
risk_score = min(risk_score, 100)
result = {
'container_id': container_id,
'name': info.get('name', ''),
'vectors': vectors,
'risk_score': risk_score,
'total_vectors': len(vectors),
'exploitable': sum(1 for v in vectors if v['exploitable']),
}
self._results['escape_checks'][container_id] = result
self._save_results()
return result
# ── Kubernetes Operations ────────────────────────────────────────────────
def _kubectl(self, args: str, timeout: int = 30) -> tuple:
kubectl = find_tool('kubectl')
if not kubectl:
return False, 'kubectl not found'
return self._run(f'"{kubectl}" {args}', timeout=timeout)
def _kubectl_json(self, args: str, timeout: int = 30) -> tuple:
kubectl = find_tool('kubectl')
if not kubectl:
return False, 'kubectl not found'
return self._run_json(f'"{kubectl}" {args} -o json', timeout=timeout)
def k8s_get_namespaces(self) -> list:
"""List Kubernetes namespaces."""
ok, data = self._kubectl_json('get namespaces')
if not ok:
return []
namespaces = []
for item in data.get('items', []):
meta = item.get('metadata', {})
namespaces.append({
'name': meta.get('name', ''),
'status': item.get('status', {}).get('phase', ''),
'age': meta.get('creationTimestamp', ''),
})
return namespaces
def k8s_get_pods(self, namespace: str = 'default') -> list:
"""List pods in a namespace."""
ok, data = self._kubectl_json(f'get pods -n {namespace}')
if not ok:
return []
pods = []
for item in data.get('items', []):
meta = item.get('metadata', {})
spec = item.get('spec', {})
status = item.get('status', {})
containers = [c.get('name', '') for c in spec.get('containers', [])]
pod_status = status.get('phase', 'Unknown')
conditions = status.get('conditions', [])
ready = any(c.get('type') == 'Ready' and c.get('status') == 'True'
for c in conditions)
pods.append({
'name': meta.get('name', ''),
'namespace': meta.get('namespace', namespace),
'status': pod_status,
'ready': ready,
'containers': containers,
'node': spec.get('nodeName', ''),
'age': meta.get('creationTimestamp', ''),
'restart_count': sum(
cs.get('restartCount', 0)
for cs in status.get('containerStatuses', [])
),
})
return pods
def k8s_audit_rbac(self, namespace: Optional[str] = None) -> dict:
"""Audit RBAC for overly permissive bindings."""
findings = []
# Cluster role bindings
ok, data = self._kubectl_json('get clusterrolebindings')
if ok:
for item in data.get('items', []):
meta = item.get('metadata', {})
role_ref = item.get('roleRef', {})
subjects = item.get('subjects', [])
if role_ref.get('name') == 'cluster-admin':
for subj in subjects:
findings.append({
'severity': 'critical',
'type': 'cluster-admin binding',
'binding': meta.get('name', ''),
'subject': f'{subj.get("kind", "")}/{subj.get("name", "")}',
'detail': 'cluster-admin grants full cluster access',
})
# Check for wildcard permissions in cluster roles
ok, data = self._kubectl_json('get clusterroles')
if ok:
for item in data.get('items', []):
meta = item.get('metadata', {})
role_name = meta.get('name', '')
for rule in item.get('rules', []):
verbs = rule.get('verbs', [])
resources = rule.get('resources', [])
api_groups = rule.get('apiGroups', [])
if '*' in verbs and '*' in resources:
findings.append({
'severity': 'high',
'type': 'wildcard permissions',
'binding': role_name,
'subject': '',
'detail': f'Role "{role_name}" has wildcard verbs and resources '
f'on apiGroups: {api_groups}',
})
# Check service account token automount
ns_flag = f'-n {namespace}' if namespace else '--all-namespaces'
ok, data = self._kubectl_json(f'get serviceaccounts {ns_flag}')
if ok:
for item in data.get('items', []):
meta = item.get('metadata', {})
automount = item.get('automountServiceAccountToken', True)
if automount and meta.get('name') != 'default':
findings.append({
'severity': 'low',
'type': 'token automount',
'binding': meta.get('name', ''),
'subject': f'namespace/{meta.get("namespace", "")}',
'detail': f'SA "{meta.get("name")}" has automountServiceAccountToken enabled',
})
result = {'findings': findings, 'total': len(findings)}
self._results['k8s_audits']['rbac'] = result
self._save_results()
return result
def k8s_check_secrets(self, namespace: str = 'default') -> dict:
"""Check for exposed or unencrypted secrets."""
findings = []
ok, data = self._kubectl_json(f'get secrets -n {namespace}')
if not ok:
return {'error': 'Cannot list secrets', 'findings': []}
for item in data.get('items', []):
meta = item.get('metadata', {})
secret_type = item.get('type', '')
secret_name = meta.get('name', '')
data_keys = list((item.get('data') or {}).keys())
# Check for default token (legacy, pre-1.24)
if secret_type == 'kubernetes.io/service-account-token':
findings.append({
'severity': 'info',
'name': secret_name,
'type': secret_type,
'detail': f'SA token secret with keys: {", ".join(data_keys)}',
})
# Check for Opaque secrets with suspicious names
if secret_type == 'Opaque':
for key in data_keys:
if SECRET_PATTERNS.search(key):
findings.append({
'severity': 'medium',
'name': secret_name,
'type': secret_type,
'detail': f'Key "{key}" may contain credentials',
})
# Check which pods mount secrets
ok, pod_data = self._kubectl_json(f'get pods -n {namespace}')
if ok:
for pod in pod_data.get('items', []):
pod_name = pod.get('metadata', {}).get('name', '')
volumes = pod.get('spec', {}).get('volumes', [])
for vol in volumes:
if vol.get('secret'):
findings.append({
'severity': 'info',
'name': vol['secret'].get('secretName', ''),
'type': 'mounted',
'detail': f'Secret mounted in pod "{pod_name}"',
})
result = {'findings': findings, 'total': len(findings), 'namespace': namespace}
self._results['k8s_audits']['secrets'] = result
self._save_results()
return result
def k8s_check_network_policies(self, namespace: str = 'default') -> dict:
"""Check if network policies exist and find unprotected pods."""
findings = []
ok, data = self._kubectl_json(f'get networkpolicies -n {namespace}')
policies = data.get('items', []) if ok else []
if not policies:
findings.append({
'severity': 'high',
'type': 'no_policies',
'detail': f'No NetworkPolicies found in namespace "{namespace}". '
f'All pod-to-pod traffic is allowed.',
})
return {'findings': findings, 'total': 1, 'namespace': namespace,
'policy_count': 0, 'unprotected_pods': []}
# Collect pod selectors covered by policies
covered_labels = set()
for pol in policies:
spec = pol.get('spec', {})
selector = spec.get('podSelector', {})
match_labels = selector.get('matchLabels', {})
if not match_labels:
covered_labels.add('__all__')
else:
for k, v in match_labels.items():
covered_labels.add(f'{k}={v}')
# Check pods without matching policies
unprotected = []
if '__all__' not in covered_labels:
ok, pod_data = self._kubectl_json(f'get pods -n {namespace}')
if ok:
for pod in pod_data.get('items', []):
meta = pod.get('metadata', {})
labels = meta.get('labels', {})
pod_labels = {f'{k}={v}' for k, v in labels.items()}
if not pod_labels.intersection(covered_labels):
unprotected.append(meta.get('name', ''))
if unprotected:
findings.append({
'severity': 'medium',
'type': 'unprotected_pods',
'detail': f'{len(unprotected)} pod(s) not covered by any NetworkPolicy',
})
result = {
'findings': findings,
'total': len(findings),
'namespace': namespace,
'policy_count': len(policies),
'unprotected_pods': unprotected,
}
self._results['k8s_audits']['network_policies'] = result
self._save_results()
return result
def k8s_audit_pod(self, pod_name: str, namespace: str = 'default') -> dict:
"""Security audit of a Kubernetes pod."""
ok, data = self._kubectl_json(f'get pod {pod_name} -n {namespace}')
if not ok:
return {'error': f'Cannot get pod {pod_name}'}
spec = data.get('spec', {})
findings = []
passed = 0
total = 0
def check(name, ok, detail='', severity='medium'):
nonlocal passed, total
total += 1
if ok:
passed += 1
findings.append({
'check': name,
'status': 'pass' if ok else 'fail',
'severity': severity if not ok else 'info',
'detail': detail,
})
# Host namespaces
check('Host Network',
not spec.get('hostNetwork', False),
'Pod uses host network namespace!' if spec.get('hostNetwork') else 'Isolated',
severity='high')
check('Host PID',
not spec.get('hostPID', False),
'Pod uses host PID namespace!' if spec.get('hostPID') else 'Isolated',
severity='high')
check('Host IPC',
not spec.get('hostIPC', False),
'Pod uses host IPC namespace!' if spec.get('hostIPC') else 'Isolated',
severity='high')
# Per-container checks
for container in spec.get('containers', []):
c_name = container.get('name', 'unknown')
sec_ctx = container.get('securityContext', {})
# Privileged
priv = sec_ctx.get('privileged', False)
check(f'{c_name}: Privileged',
not priv,
'Container is privileged!' if priv else 'Not privileged',
severity='critical')
# Run as root
run_as_user = sec_ctx.get('runAsUser')
run_as_non_root = sec_ctx.get('runAsNonRoot', False)
is_root = run_as_user == 0 or (run_as_user is None and not run_as_non_root)
check(f'{c_name}: Root User',
not is_root,
f'Runs as UID {run_as_user}' if run_as_user and run_as_user != 0
else ('runAsNonRoot=true' if run_as_non_root else 'May run as root'),
severity='medium')
# Read-only root filesystem
ro = sec_ctx.get('readOnlyRootFilesystem', False)
check(f'{c_name}: Read-only Rootfs',
ro,
'Root filesystem is read-only' if ro else 'Writable root filesystem',
severity='low')
# Resource limits
resources = container.get('resources', {})
limits = resources.get('limits', {})
has_limits = bool(limits.get('memory') or limits.get('cpu'))
check(f'{c_name}: Resource Limits',
has_limits,
f'Limits: {limits}' if has_limits else 'No resource limits set',
severity='medium')
# Capabilities
caps = sec_ctx.get('capabilities', {})
cap_add = caps.get('add', [])
dangerous = [c for c in cap_add if c in DANGEROUS_CAPS]
all_dropped = 'ALL' in caps.get('drop', [])
check(f'{c_name}: Capabilities',
len(dangerous) == 0 and (all_dropped or not cap_add),
f'Dangerous caps: {", ".join(dangerous)}' if dangerous
else ('All capabilities dropped' if all_dropped else 'Default capabilities'),
severity='high' if dangerous else 'info')
# Privilege escalation
allow_escalation = sec_ctx.get('allowPrivilegeEscalation', True)
check(f'{c_name}: Privilege Escalation',
not allow_escalation,
'allowPrivilegeEscalation=true' if allow_escalation
else 'Privilege escalation disabled',
severity='medium')
# Service account
sa = spec.get('serviceAccountName', 'default')
automount = spec.get('automountServiceAccountToken', True)
check('Service Account',
sa != 'default' or not automount,
f'SA: {sa}, automount: {automount}',
severity='low')
score = int((passed / total) * 100) if total > 0 else 0
result = {
'pod': pod_name,
'namespace': namespace,
'score': score,
'passed': passed,
'total': total,
'findings': findings,
}
self._results['k8s_audits'][f'pod:{namespace}/{pod_name}'] = result
self._save_results()
return result
# ── Export ────────────────────────────────────────────────────────────────
def export_results(self, fmt: str = 'json') -> dict:
"""Export all audit results."""
self._results['timestamp'] = datetime.utcnow().isoformat()
if fmt == 'json':
path = self._data_dir / f'container_sec_export_{int(time.time())}.json'
with open(path, 'w') as f:
json.dump(self._results, f, indent=2, default=str)
return {'path': str(path), 'format': 'json', 'success': True}
return {'error': f'Unsupported format: {fmt}'}
# ── Singleton ────────────────────────────────────────────────────────────────
_instance = None
def get_container_sec() -> ContainerSecurity:
global _instance
if _instance is None:
_instance = ContainerSecurity()
return _instance
# ── CLI Entry Point ──────────────────────────────────────────────────────────
def run():
"""CLI entry point for Container Security module."""
cs = get_container_sec()
while True:
print(f"\n{'='*60}")
print(f" Container Security")
print(f"{'='*60}")
print()
print(" 1 — Audit Docker Host")
print(" 2 — List Containers")
print(" 3 — Audit Container")
print(" 4 — Scan Image")
print(" 5 — Lint Dockerfile")
print(" 6 — K8s Pods")
print(" 7 — K8s RBAC Audit")
print(" 0 — Back")
print()
choice = input(" > ").strip()
if choice == '0':
break
elif choice == '1':
print("\n [*] Auditing Docker host...")
findings = cs.audit_docker_host()
if not findings:
print(" [-] No findings.")
for f in findings:
sev = f.get('severity', 'info').upper()
status = f.get('status', 'info').upper()
color = {'CRITICAL': Colors.RED, 'HIGH': Colors.RED,
'MEDIUM': Colors.YELLOW, 'LOW': Colors.CYAN,
'INFO': Colors.GREEN}.get(sev, Colors.WHITE)
print(f" {color}[{sev}]{Colors.RESET} {f['check']}: {f['detail']}")
elif choice == '2':
containers = cs.list_containers(all=True)
if not containers:
print(" [-] No containers found.")
else:
print(f"\n {'ID':<14} {'Name':<25} {'Image':<30} {'Status':<15}")
print(f" {'-'*14} {'-'*25} {'-'*30} {'-'*15}")
for c in containers:
print(f" {c['id']:<14} {c['name']:<25} {c['image']:<30} {c['status']:<15}")
elif choice == '3':
cid = input(" Container ID or name: ").strip()
if cid:
print(f"\n [*] Auditing container {cid}...")
result = cs.audit_container(cid)
if 'error' in result:
print(f" [!] {result['error']}")
else:
print(f"\n Security Score: {result['score']}% ({result['passed']}/{result['total']})")
for f in result['findings']:
sym = '+' if f['status'] == 'pass' else '!'
color = Colors.GREEN if f['status'] == 'pass' else Colors.YELLOW
print(f" {color}[{sym}]{Colors.RESET} {f['check']}: {f['detail']}")
elif choice == '4':
img = input(" Image name (e.g., nginx:latest): ").strip()
if img:
print(f"\n [*] Scanning {img} for vulnerabilities...")
result = cs.scan_image(img)
if result.get('error'):
print(f" [!] {result['error']}")
else:
s = result.get('summary', {})
print(f" Scanner: {result.get('scanner', '?')}")
print(f" Total: {result.get('total', 0)} vulnerabilities")
print(f" Critical: {s.get('CRITICAL', 0)} High: {s.get('HIGH', 0)} "
f"Medium: {s.get('MEDIUM', 0)} Low: {s.get('LOW', 0)}")
for v in result.get('vulnerabilities', [])[:20]:
print(f" {v['severity']:<8} {v['cve']:<18} {v['package']:<20} "
f"{v['installed_version']} -> {v.get('fixed_version', 'n/a')}")
elif choice == '5':
path = input(" Path to Dockerfile: ").strip()
if path and os.path.isfile(path):
with open(path) as f:
content = f.read()
findings = cs.lint_dockerfile(content)
if not findings:
print(" [+] No issues found.")
else:
print(f"\n Found {len(findings)} issue(s):")
for f in findings:
sev = f.get('severity', 'info').upper()
line = f"line {f['line']}" if f.get('line') else 'general'
print(f" [{sev}] {f['rule']}: {f['title']} ({line})")
print(f" {f['detail']}")
else:
print(" [!] File not found.")
elif choice == '6':
ns = input(" Namespace (default): ").strip() or 'default'
pods = cs.k8s_get_pods(namespace=ns)
if not pods:
print(" [-] No pods found.")
else:
print(f"\n {'Name':<35} {'Status':<12} {'Node':<20} {'Restarts':<10}")
print(f" {'-'*35} {'-'*12} {'-'*20} {'-'*10}")
for p in pods:
print(f" {p['name']:<35} {p['status']:<12} {p['node']:<20} {p['restart_count']:<10}")
elif choice == '7':
ns = input(" Namespace (blank for all): ").strip() or None
print("\n [*] Auditing RBAC...")
result = cs.k8s_audit_rbac(namespace=ns)
if not result.get('findings'):
print(" [+] No RBAC issues found.")
else:
print(f" Found {result['total']} issue(s):")
for f in result['findings']:
sev = f.get('severity', 'info').upper()
print(f" [{sev}] {f['type']}: {f.get('binding', '')}{f['detail']}")
Reference in New Issue Copy Permalink