
Commit a767327

add UBI version policy and reporting script
1 parent b4cb016 commit a767327


3 files changed

+174
-0
lines changed


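--- /dev/null
+++ b/policies/ubi-versions.json
@@ -0,0 +1,83 @@
+{
+"policies": [
+{
+"id": "53e1d1fb-bc1e-4ef3-98c3-8df0dd5679b8",
+"name": "UBI version compliance",
+"description": "All images on the cluster using the Red Hat Universal Base Image (UBI) must use at least versions 8.5 or 9.3",
+"rationale": "Using an older UBI image potentially exposes the workload to additional vulnerabilities",
+"remediation": "Update the base image to at least UBI 8.5 or 9.3",
+"disabled": true,
+"categories": [
+"Package Management"
+],
+"lifecycleStages": [
+"DEPLOY"
+],
+"eventSource": "NOT_APPLICABLE",
+"exclusions": [
+{
+"name": "",
+"deployment": {
+"name": "",
+"scope": {
+"cluster": "",
+"namespace": "openshift-*",
+"label": null
+}
+},
+"image": null,
+"expiration": null
+},
+{
+"name": "",
+"deployment": {
+"name": "",
+"scope": {
+"cluster": "",
+"namespace": "stackrox",
+"label": null
+}
+},
+"image": null,
+"expiration": null
+}
+],
+"scope": [],
+"severity": "MEDIUM_SEVERITY",
+"enforcementActions": [],
+"notifiers": [],
+"SORTName": "",
+"SORTLifecycleStage": "",
+"SORTEnforcement": false,
+"policyVersion": "1.1",
+"policySections": [
+{
+"sectionName": "Rule 1",
+"policyGroups": [
+{
+"fieldName": "Image Component",
+"booleanOperator": "OR",
+"negate": false,
+"values": [
+{
+"value": "redhat-release=8\\.[0-4]-[0-9]+(?:\\.[0-9]+)?\\.el8"
+},
+{
+"value": "redhat-release=9\\.[0-2]-[0-9]+(?:\\.[0-9]+)?\\.el9"
+},
+{
+"value": "redhat-release=[6-7].*"
+}
+]
+}
+]
+}
+],
+"mitreAttackVectors": [],
+"criteriaLocked": false,
+"mitreVectorsLocked": false,
+"isDefault": false,
+"source": "IMPERATIVE"
+}
+]
+}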
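Review bot: The policy is exported with `"disabled": true` (line 9), so after import it raises no violations until someone enables it, and the companion reporting script, which looks up alerts by the literal policy name `UBI version compliance`, then writes a header-only CSV with no indication why. Either ship it as `"disabled": false` or put the enable step next to the import step in the README, and mention there that renaming the policy in Central silently breaks the report because of that name coupling. The exclusions for the `openshift-*` and `stackrox` namespaces (lines 17–44) are sensible defaults for platform workloads, but they also mean base images in those namespaces are never reported on, which the README should state so nobody reads the CSV as cluster-wide coverage.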
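--- /dev/null
+++ b/PATH_NOT_ON_PAGE_README
@@ -0,0 +1,21 @@
+# ubi-versions.sh
+## Description
+This script exports deployments that are using older Red Hat Universal Base Image (UBI) versions into a CSV file.
+
+Exported values for deployments include:
+- Cluster name
+- Namespace
+- Deployment name
+- Image
+- Universal Base Image (UBI) version
+
+## Required environment vars
+ROX_ENDPOINT - Host for StackRox central (central.example.com)
+
+ROX_API_TOKEN - Token data from StackRox API token [How to generate an API Token](https://docs.openshift.com/acs/4.6/configuration/configure-api-token.html)
+
+## Required policies
+This policy relies on the 'UBI version compliance' policy having been imported to the cluster (also available in this repository)
+
+## Usage
+Run the script ./ubi-versions results.csv to generate a file with all deployment information.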
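--- /dev/null
+++ b/PATH_NOT_ON_PAGE/ubi-versions.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+# This script is designed to report on container images that use a specific UBI version. It is designed to be used
+# with a policy that creates violations for specific versions of the `redhat-release` package.
+
+# To use this image, set ROX_ENDPOINT to the ACS central instance and set ROX_API_TOKEN
+# to an ACS 'admin' token created.
+
+# e.g. export ROX_ENDPOINT=central-acs-central.apps.cluster1.example.com:443
+# export ROX_API_TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6Imp3dGsw...
+# ./ubi-versions.sh images.csv
+
+set -e
+
+if [[ -z "${ROX_ENDPOINT}" ]]; then
+echo >&2 "ROX_ENDPOINT must be set"
+exit 1
+fi
+
+if [[ -z "${ROX_API_TOKEN}" ]]; then
+echo >&2 "ROX_API_TOKEN must be set"
+exit 1
+fi
+
+if [[ -z "$1" ]]; then
+echo >&2 "usage: ubi-versions.sh <output filename>"
+exit 1
+fi
+
+output_file="$1"
+echo '"Cluster Name", "Namespace", "Deployment", "Image", "UBI version"' > "${output_file}"
+
+function curl_central() {
+curl -sk -H "Authorization: Bearer ${ROX_API_TOKEN}" "https://${ROX_ENDPOINT}/$1"
+}
+
+# Collect all alerts
+res="$(curl_central "v1/alerts?query=Policy%3AUBI%20version%20compliance")"
+
+# Iterate over all deployments and get the full deployment
+for deployment_id in $(echo "${res}" | jq -r .alerts[].deployment.id); do
+deployment_res="$(curl_central "v1/deployments/${deployment_id}")"
+if [[ "$(echo "${deployment_res}" | jq -rc .name)" == null ]]; then
+continue;
+fi
+
+if [[ "$(echo "${deployment_res}" | jq '.containers | length')" == "0" ]]; then
+continue;
+fi
+
+export deployment_name="$(echo "${deployment_res}" | jq -rc .name)"
+export namespace="$(echo "${deployment_res}" | jq -rc .namespace)"
+export clusterName="$(echo "${deployment_res}" | jq -rc .clusterName)"
+
+# Iterate over all images within the deployment and render the CSV Lines
+for image_id in $(echo "${deployment_res}" | jq -r 'select(.containers != null) | .containers[].image.id'); do
+if [[ "${image_id}" != "" ]]; then
+image_res="$(curl_central "v1/images/${image_id}" | jq -rc)"
+if [[ "$(echo "${image_res}" | jq -rc .name)" == null ]]; then
+continue;
+fi
+
+image_name="$(echo "${image_res}" | jq -rc '.name.fullName')"
+export image_name
+
+# find the redhat-release version and format lines
+export ubi_version="$(echo "${image_res}" | jq '.scan.components[] | select(.name=="redhat-release") | .version'| grep -o '[0-9]\.[0-9]\+' | head -1 )"
+echo "${clusterName},${namespace},${deployment_name},${image_name},${ubi_version}" >> "${output_file}"
+fi
+done
+done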
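Review bot: `curl_central` (hunk line 33) sends the bearer token with certificate verification disabled (`-k`) and without `--fail`, so the token is readable by anyone who can interpose on the path to Central, and an expired or under-privileged token returns an error body that the `jq` pipelines on lines 40 and 55 cannot iterate, leaving a header-only CSV with exit status 0 because `set -e` never fires inside a `for` word list. Replace `-k` with `--cacert <ca-file>` when Central uses a private CA and add `-sSf` so transport and auth failures abort the run: `curl -sSf -H "Authorization: Bearer ${ROX_API_TOKEN}" "https://${ROX_ENDPOINT}/$1"`; `set -o pipefail` next to `set -e` on line 12 is needed for the piped call on line 57 to benefit. Supplying the header as `-H @<(printf 'Authorization: Bearer %s\n' "${ROX_API_TOKEN}")` additionally keeps the token out of `ps` output on shared hosts. The header comment on line 6 asks for an ACS 'admin' token, but the script only reads alerts, deployments and images, so it should recommend a read-only role instead.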
