From 8bf2cdf137577a6d574088082c83d7dd0b16ee5d Mon Sep 17 00:00:00 2001 From: Mischa Taylor Date: Sat, 18 Nov 2023 13:53:07 -0500 Subject: [PATCH] Add cinc-auditor --- .github/workflows/bootstrap.yml | 35 +++++++- cinc/cinc-auditor/Containerfile | 66 ++++++++++++++ cinc/cinc-auditor/README.md | 140 ++++++++++++++++++++++++++++++ cinc/cinc-auditor/docker-bake.hcl | 40 +++++++++ 4 files changed, 280 insertions(+), 1 deletion(-) create mode 100644 cinc/cinc-auditor/Containerfile create mode 100644 cinc/cinc-auditor/README.md create mode 100644 cinc/cinc-auditor/docker-bake.hcl diff --git a/.github/workflows/bootstrap.yml b/.github/workflows/bootstrap.yml index bf9d7df..1e5ff3f 100644 --- a/.github/workflows/bootstrap.yml +++ b/.github/workflows/bootstrap.yml @@ -11,7 +11,7 @@ on: - 'hadolint/**' workflow_dispatch: jobs: - build: + hadolint: runs-on: ubuntu-latest defaults: run: @@ -46,3 +46,36 @@ jobs: username: ${{ secrets.CONTAINER_REGISTRY_USERNAME }} password: ${{ secrets.CONTAINER_DESCRIPTION_PASSWORD }} repository: boxcutter/hadolint + + cinc_auditor: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Install QEMU static binaries + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to DockerHub + if: github.event_name == 'push' + uses: docker/login-action@v3 + with: + username: ${{ secrets.CONTAINER_REGISTRY_USERNAME }} + password: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }} + + - name: Build and push + if: github.event_name == 'push' + uses: docker/bake-action@v4 + with: + workdir: cinc/cinc-auditor + push: true + + - name: Update Docker Hub Description + if: github.event_name == 'push' + uses: peter-evans/dockerhub-description@v3 + with: + username: ${{ secrets.CONTAINER_REGISTRY_USERNAME }} + password: ${{ secrets.CONTAINER_DESCRIPTION_PASSWORD }} + repository: boxcutter/cinc-auditor 
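Review bot: The new `cinc_auditor` job will never run on a push that only touches `cinc/**`, because the `on.push.paths` filter shown in the first hunk still lists only `'hadolint/**'` (unless an entry above line 11, outside this hunk, already covers it) — add `- 'cinc/**'` next to it. The Build and push step is gated on `if: github.event_name == 'push'`, so a `workflow_dispatch` (or any other trigger the file defines outside this hunk) neither builds the image nor runs the `lint` target that docker-bake.hcl defines; run bake unconditionally with `push: ${{ github.event_name == 'push' }}` so non-push runs still validate the build. Because this job publishes to a public registry using long-lived secrets, pin the actions to commit SHAs rather than floating major tags (`actions/checkout@v4`, `docker/bake-action@v4`, `peter-evans/dockerhub-description@v3`) and add a top-level `permissions: contents: read` so the default GITHUB_TOKEN is not write-capable. The job mirrors the existing `hadolint` job, so the same changes apply to both.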
diff --git a/cinc/cinc-auditor/Containerfile b/cinc/cinc-auditor/Containerfile
new file mode 100644
index 0000000..efe6fcc
--- /dev/null
+++ b/cinc/cinc-auditor/Containerfile
@@ -0,0 +1,66 @@ +# syntax=docker/dockerfile:1 +ARG CONTAINER_REGISTRY=docker.io +FROM $CONTAINER_REGISTRY/ubuntu:jammy-20231004 as base + +ARG DEBIAN_FRONTEND=noninteractive + +SHELL ["/bin/bash", "-o", "pipefail", "-c"] +RUN < +% docker container run --rm --interactive --tty \ + --mount type=bind,source="$(pwd)",target=/share \ + docker.io/boxcutter/cinc-auditor exec . +``` + +The exit codes return test result status: +``` +exit codes: + 0 normal exit, all tests passed + 1 usage or general error + 2 error in plugin system + 3 fatal deprecation encountered + 100 normal exit, at least one test failed + 101 normal exit, at least one test skipped but none failed + 172 chef license not accepted +``` + +The only issue with using the above is the test environment would be container, +which is usually not the environment in which you want to test. You will +typically use subcommands so that cinc-auditor will run the profile against +remote environments. + +### Testing against a remote machine via ssh + +```bash +docker container run --rm --interactive --tty \ + --mount type=bind,source="$(pwd)",target=/share \ + docker.io/boxcutter/cinc-auditor exec example \ + --key-files /path/keys/ssh.key \ + --target ssh://root@192.168.1.12 +``` + +### Testing a container image + +If you need to run an InSpec profile against a container image, make sure you +start the other image first, sitting at a shell prompt, detached. Then also bind +mount `/var/run/docker.sock` so the docker tools in the container work when you +run cinc-auditor in a container: + +```bash +# Easiest to save the container ID that is returned, as you'll need to destroy it. +# You could use a pre-defined name, but it should be unique so that it's possible to perform multiple cinc-auditor runs +# with the same image, so best to just use the returned container ID. 
+# We're using the nginx container image here as an example - you would typically use the name of some locally built image: +% CONTAINER_ID=$(docker container run --detach nginx) + +# Verify the container is actually running with docker ps +% docker ps +CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES +dd6e9a9ce3df nginx "/docker-entrypoint.…" 14 seconds ago Up 14 seconds 80/tcp suspicious_shtern + +# Run the inspec profile against the container ID - need to mount /var/run/docker.sock for the docker tools inside the +# container image to work +% docker container run --rm --interactive --tty \ + --env=CONTAINER_ID \ + --mount type=bind,source="$(pwd)",target=/share \ + --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \ + docker.io/boxcutter/cinc-auditor exec . -t docker://${CONTAINER_ID} + +# Stop the container under test - give a chance for PID 1 to clean up processes +% docker container stop ${CONTAINER_ID} +dd6e9a9ce3df1b6cf8164ed093da6fcd309d411f5a45ddcc2cbebb518de3ad40 +# Fully clean up and remove the container image +% docker container rm ${CONTAINER_ID} +dd6e9a9ce3df1b6cf8164ed093da6fcd309d411f5a45ddcc2cbebb518de3ad40 +``` + +# CLI + +``` +% docker container run -it --rm docker.io/boxcutter/cinc-auditor --help +Commands: + cinc-auditor archive PATH # archive a prof... + cinc-auditor automate SUBCOMMAND or compliance SUBCOMMAND # Cinc Dashboard... + cinc-auditor check PATH # verify all tes... + cinc-auditor clear_cache # clears the InS... + cinc-auditor detect # detect the tar... + cinc-auditor env # Output shell-a... + cinc-auditor exec LOCATIONS # Run all tests ... + cinc-auditor export PATH # read the profi... + cinc-auditor habitat SUBCOMMAND # Manage Habitat... + cinc-auditor help [COMMAND] # Describe avail... + cinc-auditor init SUBCOMMAND # Generate InSpe... + cinc-auditor json PATH # read all tests... + cinc-auditor plugin SUBCOMMAND # Manage Cinc Au... + cinc-auditor shell # open an intera... 
+ cinc-auditor sign SUBCOMMAND # Manage Cinc Au... + cinc-auditor supermarket SUBCOMMAND ... # Supermarket co... + cinc-auditor vendor PATH # Download all d... + cinc-auditor version # prints the ver... + +Options: + l, [--log-level=LOG_LEVEL] # Set the log level: info (default), debug, warn, error + [--log-location=LOG_LOCATION] # Location to send diagnostic log messages to. (default: $stdout or Inspec::Log.error) + [--diagnose], [--no-diagnose] # Show diagnostics (versions, configurations) + [--color], [--no-color] # Use colors in output. + [--interactive], [--no-interactive] # Allow or disable user interaction + [--disable-user-plugins] # Disable loading all plugins that the user installed. + [--enable-telemetry], [--no-enable-telemetry] # Allow or disable telemetry + [--chef-license=CHEF_LICENSE] # Accept the license for this product and any contained products: accept, accept-no-persist, accept-silent + + +About Cinc Auditor: + Patents: chef.io/patents +``` diff --git a/cinc/cinc-auditor/docker-bake.hcl b/cinc/cinc-auditor/docker-bake.hcl new file mode 100644 index 0000000..b2e31dc --- /dev/null +++ b/cinc/cinc-auditor/docker-bake.hcl 
@@ -0,0 +1,40 @@
+variable "IMAGE_NAME" {
+ default = "cinc-auditor"
+}
+
+variable "VERSION" {
+ default = "5.21.29"
+}
+
+variable "CONTAINER_REGISTRY" {
+ default = "docker.io/boxcutter"
+}
+
+# There's no darwin-based Docker, so if we're running on macOS, change the platform to linux
+variable "LOCAL_PLATFORM" {
+ default = regex_replace("${BAKE_LOCAL_PLATFORM}", "^(darwin)", "linux")
+}
+
+target "lint" {
+ dockerfile = "../../hadolint/Containerfile"
+ target = "lint"
+ output = ["type=cacheonly"]
+}
+
+target "_common" {
+ dockerfile = "Containerfile"
+ tags = [
+ "${CONTAINER_REGISTRY}/${IMAGE_NAME}:${VERSION}",
+ "${CONTAINER_REGISTRY}/${IMAGE_NAME}:latest"
+ ]
+}
+
+target "local" {
+ inherits = ["_common"]
+ platforms = ["${LOCAL_PLATFORM}"]
+}
+
+target "default" {
+ inherits = ["_common"]
+ platforms = ["linux/amd64", "linux/arm64/v8"]
+}
\ No newline at end of file
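Review bot: `VERSION` is only used to build the image tag in `_common`; nothing passes it into the build, so `boxcutter/cinc-auditor:5.21.29` can silently drift from whatever cinc-auditor version the Containerfile actually installs (the Containerfile hunk is not readable in this patch, so it may pin a version independently). Add `args = { VERSION = "${VERSION}" }` to `_common` and have the Containerfile consume `ARG VERSION`, so the tag and the installed package come from one value. Since this image is published to a public registry and the README tells users to run it with `/var/run/docker.sock` mounted, it is worth emitting provenance and an SBOM from the same target, e.g. `attest = ["type=provenance,mode=max", "type=sbom"]`, so consumers can verify what was built. The file is also missing its trailing newline.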