Skip to content

supports automated configuration for some cnv #85

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ListenerMoya wants to merge 1 commit into
base: master
Choose a base branch
from
Open

supports automated configuration for some cnv #85

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
0 ...onfigs/cap_dac_read_search-container.yaml → ...tainer/cap_dac_read_search-container.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/configs/cap_dac_read_search-container/init.sh
View file
Open in desktop
Empty file.
0 ...s_cn/configs/cap_sys_admin-container.yaml → ...in-container/cap_sys_admin-container.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/configs/cap_sys_admin-container/init.sh
View file
Open in desktop
Empty file.
0 ..._cn/configs/cap_sys_ptrace-container.yaml → ...e-container/cap_sys_ptrace-container.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/configs/cap_sys_ptrace-container/init.sh
View file
Open in desktop
Empty file.
Empty file added vulns_cn/configs/privileged-container/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/configs/privileged-container.yaml → ...leged-container/privileged-container.yaml
View file
Open in desktop
File renamed without changes.
0 vulns_cn/docker/cve-2018-15664.yaml → ...docker/cve-2018-15664/cve-2018-15664.yaml
View file
Open in desktop
File renamed without changes.
8 changes: 8 additions & 0 deletions vulns_cn/docker/cve-2018-15664/init.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
#!/bin/bash
user=`env | grep USER=root`
container_name=${PWD##*/}
if [[ $user == "USER=root" ]];then
docker run -itd --name=$container_name ubuntu /bin/bash
else
sudo docker run -itd --name=$container_name ubuntu /bin/bash
fi
0 vulns_cn/docker/cve-2019-13139.yaml → ...docker/cve-2019-13139/cve-2019-13139.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/docker/cve-2019-13139/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/docker/cve-2019-14271.yaml → ...docker/cve-2019-14271/cve-2019-14271.yaml
View file
Open in desktop
File renamed without changes.
8 changes: 8 additions & 0 deletions vulns_cn/docker/cve-2019-14271/init.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
#!/bin/bash
user=`env | grep USER=root`
container_name=${PWD##*/}
if [[ $user == "USER=root" ]];then
docker run -itd --name=$container_name ubuntu /bin/bash
else
sudo docker run -itd --name=$container_name ubuntu /bin/bash
fi
0 vulns_cn/docker/cve-2019-5736.yaml → ...n/docker/cve-2019-5736/cve-2019-5736.yaml
View file
Open in desktop
File renamed without changes.
8 changes: 8 additions & 0 deletions vulns_cn/docker/cve-2019-5736/init.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
#!/bin/bash
user=`env | grep USER=root`
container_name=${PWD##*/}
if [[ $user == "USER=root" ]];then
docker run -itd --name=$container_name ubuntu /bin/bash
else
sudo docker run -itd --name=$container_name ubuntu /bin/bash
fi
0 vulns_cn/docker/cve-2020-15257.yaml → ...docker/cve-2020-15257/cve-2020-15257.yaml
View file
Open in desktop
File renamed without changes.
8 changes: 8 additions & 0 deletions vulns_cn/docker/cve-2020-15257/init.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
#!/bin/bash
user=`env | grep USER=root`
container_name=${PWD##*/}
if [[ $user == "USER=root" ]];then
docker run -itd --net=host --name=$container_name ubuntu /bin/bash
else
sudo docker run -itd --net=host --name=$container_name ubuntu /bin/bash
fi
12 changes: 10 additions & 2 deletions vulns_cn/docker/cve-2021-30465.yaml → ...docker/cve-2021-30465/cve-2021-30465.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,16 @@ type: container_escape
dependencies:
- name: docker-ce
version: 18.03.1
versions:
- ~
versions: ~
- name: kubectl
version: 1.17.1
versions: ~
- name: kubelet
version: 1.17.1
versions: ~
- name: kubeadm
version: 1.17.1
versions: ~
links:
- https://nvd.nist.gov/vuln/detail/CVE-2021-30465
- https://github.com/advisories/GHSA-c3xm-pvg7-gh7r
Expand Down
Empty file added vulns_cn/docker/cve-2021-30465/init.sh
View file
Open in desktop
Empty file.
Empty file added vulns_cn/kata-containers/kata-escape-2020/init.sh
View file
Open in desktop
Empty file.
0 ..._cn/kata-containers/kata-escape-2020.yaml → ...rs/kata-escape-2020/kata-escape-2020.yaml
View file
Open in desktop
File renamed without changes.
0 vulns_cn/kernel/cve-2016-5195.yaml → ...n/kernel/cve-2016-5195/cve-2016-5195.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/kernel/cve-2016-5195/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/kernel/cve-2016-8655.yaml → ...n/kernel/cve-2016-8655/cve-2016-8655.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/kernel/cve-2016-8655/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/kernel/cve-2017-1000112.yaml → ...el/cve-2017-1000112/cve-2017-1000112.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/kernel/cve-2017-1000112/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/kernel/cve-2017-16995.yaml → ...kernel/cve-2017-16995/cve-2017-16995.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/kernel/cve-2017-16995/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/kernel/cve-2017-6074.yaml → ...n/kernel/cve-2017-6074/cve-2017-6074.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/kernel/cve-2017-6074/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/kernel/cve-2017-7308.yaml → ...n/kernel/cve-2017-7308/cve-2017-7308.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/kernel/cve-2017-7308/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/kernel/cve-2018-18955.yaml → ...kernel/cve-2018-18955/cve-2018-18955.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/kernel/cve-2018-18955/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/kernel/cve-2020-14386.yaml → ...kernel/cve-2020-14386/cve-2020-14386.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/kernel/cve-2020-14386/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/kernel/cve-2021-22555.yaml → ...kernel/cve-2021-22555/cve-2021-22555.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/kernel/cve-2021-22555/init.sh
View file
Open in desktop
Empty file.
29 changes: 29 additions & 0 deletions vulns_cn/kubernetes/cve-2017-1002101/config/cve_2017_1002101_policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
name: privileged
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
privileged: true
allowPrivilegeEscalation: true
allowedCapabilities:
- '*'
volumes:
- '*'
allowedHostPaths:
- pathPrefix: /tmp/
hostNetwork: true
hostPorts:
- min: 0
max: 65535
hostIPC: true
hostPID: true
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
13 changes: 13 additions & 0 deletions vulns_cn/kubernetes/cve-2017-1002101/config/cve_2017_1002101_role.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: privileged-psp
rules:
- apiGroups:
- policy
resourceNames:
- privileged
resources:
- podsecuritypolicies
verbs:
- use
16 changes: 16 additions & 0 deletions vulns_cn/kubernetes/cve-2017-1002101/config/cve_2017_1002101_role_binding.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kube-system-psp
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: privileged-psp
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:nodes
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:serviceaccounts:kube-system
0 vulns_cn/kubernetes/cve-2017-1002101.yaml → ...es/cve-2017-1002101/cve-2017-1002101.yaml
View file
Open in desktop
File renamed without changes.
24 changes: 24 additions & 0 deletions vulns_cn/kubernetes/cve-2017-1002101/init.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
#!/bin/bash
user=`env | grep USER=root`
if [[ $user == "USER=root" ]];then
kubectl apply -f ./config/cve_2017_1002101_policy.yaml
kubectl apply -f ./config/cve_2017_1002101_role_binding.yaml
kubectl apply -f ./config/cve_2017_1002101_role.yaml
if [[ `sudo grep PodSecurityPolicy /etc/kubernetes/manifests/kube-apiserver.yaml` ]];then
echo "The policy has been added."
else
sed -i 's/\-\-admission\-control\=/\-\-admission\-control\=PodSecurityPolicy\,/g' /etc/kubernetes/manifests/kube-apiserver.yaml
echo "Configuration finished."
fi

else
sudo kubectl apply -f ./config/cve_2017_1002101_policy.yaml
sudo kubectl apply -f ./config/cve_2017_1002101_role_binding.yaml
sudo kubectl apply -f ./config/cve_2017_1002101_role.yaml
if [[ `sudo grep PodSecurityPolicy /etc/kubernetes/manifests/kube-apiserver.yaml` ]];then
echo "The policy has been added."
else
sudo sed -i 's/\-\-admission\-control\=/\-\-admission\-control\=PodSecurityPolicy\,/g' /etc/kubernetes/manifests/kube-apiserver.yaml
echo "Configuration finished."
fi
fi
5 changes: 5 additions & 0 deletions vulns_cn/kubernetes/cve-2018-1002105/config/cve_2018_1002105_namespace.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# cve_2018_1002105_namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
name: test
16 changes: 16 additions & 0 deletions vulns_cn/kubernetes/cve-2018-1002105/config/cve_2018_1002105_pod.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
# cve_2018_1002105_pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: test
namespace: test
spec:
containers:
- name: ubuntu
image: ubuntu:latest
imagePullPolicy: IfNotPresent
# Just spin & wait forever
command: [ "/bin/bash", "-c", "--" ]
args: [ "while true; do sleep 30; done;" ]
serviceAccount: default
serviceAccountName: default
23 changes: 23 additions & 0 deletions vulns_cn/kubernetes/cve-2018-1002105/config/cve_2018_1002105_role.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
# cve_2018_1002105_role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: test
namespace: test
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- delete
- watch
- apiGroups:
- ""
resources:
- pods/exec
verbs:
- create
- get
14 changes: 14 additions & 0 deletions vulns_cn/kubernetes/cve-2018-1002105/config/cve_2018_1002105_role_binding.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
# cve_2018_1002105_role_binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: test
namespace: test
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: test
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: test
1 change: 1 addition & 0 deletions vulns_cn/kubernetes/cve-2018-1002105/config/test-token.csv
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
password,test,test,test
1 change: 1 addition & 0 deletions vulns_cn/kubernetes/cve-2018-1002105.yaml → ...es/cve-2018-1002105/cve-2018-1002105.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ dependencies:
version: 1.11.1
versions: ~
- name: kubelet
- name: test
version: 1.11.1
versions: ~
- name: kubeadm
Expand Down
28 changes: 28 additions & 0 deletions vulns_cn/kubernetes/cve-2018-1002105/init.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
#!/bin/bash
user=`env | grep USER=root`
if [[ $user == "USER=root" ]];then
kubectl apply -f ./config/cve_2018_1002105_namespace.yaml
kubectl apply -f ./config/cve_2018_1002105_role.yaml
kubectl apply -f ./config/cve_2018_1002105_role_binding.yaml
kubectl apply -f ./config/cve_2018_1002105_pod.yaml
cp ./config/test-token.csv /etc/kubernetes/pki/test-token.csv
if [[ `sudo grep test-token.csv /etc/kubernetes/manifests/kube-apiserver.yaml` ]];then
echo "The token file has been added."
else
sed -i '/\/etc\/kubernetes\/pki\/apiserver.key/a\ - --token-auth-file=\/etc\/kubernetes\/pki\/test-token.csv' /etc/kubernetes/manifests/kube-apiserver.yaml
echo "Configuration finished."
fi

else
sudo kubectl apply -f ./config/cve_2018_1002105_namespace.yaml
sudo kubectl apply -f ./config/cve_2018_1002105_role.yaml
sudo kubectl apply -f ./config/cve_2018_1002105_role_binding.yaml
sudo kubectl apply -f ./config/cve_2018_1002105_pod.yaml
sudo cp ./config/test-token.csv /etc/kubernetes/pki/test-token.csv
if [[ `sudo grep test-token.csv /etc/kubernetes/manifests/kube-apiserver.yaml` ]];then
echo "The token file has been added."
else
sudo sed -i '/\/etc\/kubernetes\/pki\/apiserver.key/a\ - --token-auth-file=\/etc\/kubernetes\/pki\/test-token.csv' /etc/kubernetes/manifests/kube-apiserver.yaml
echo "Configuration finished."
fi
fi
0 vulns_cn/kubernetes/cve-2019-11253.yaml → ...rnetes/cve-2019-11253/cve-2019-11253.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/kubernetes/cve-2019-11253/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/kubernetes/cve-2019-9512.yaml → ...bernetes/cve-2019-9512/cve-2019-9512.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/kubernetes/cve-2019-9512/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/kubernetes/cve-2019-9514.yaml → ...bernetes/cve-2019-9514/cve-2019-9514.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/kubernetes/cve-2019-9514/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/kubernetes/cve-2019-9946.yaml → ...bernetes/cve-2019-9946/cve-2019-9946.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/kubernetes/cve-2019-9946/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/kubernetes/cve-2020-8554.yaml → ...bernetes/cve-2020-8554/cve-2020-8554.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/kubernetes/cve-2020-8554/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/kubernetes/cve-2020-8555.yaml → ...bernetes/cve-2020-8555/cve-2020-8555.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/kubernetes/cve-2020-8555/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/kubernetes/cve-2020-8557.yaml → ...bernetes/cve-2020-8557/cve-2020-8557.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/kubernetes/cve-2020-8557/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/kubernetes/cve-2020-8558.yaml → ...bernetes/cve-2020-8558/cve-2020-8558.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/kubernetes/cve-2020-8558/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/kubernetes/cve-2020-8559.yaml → ...bernetes/cve-2020-8559/cve-2020-8559.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/kubernetes/cve-2020-8559/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/kubernetes/cve-2021-25741.yaml → ...rnetes/cve-2021-25741/cve-2021-25741.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/kubernetes/cve-2021-25741/init.sh
View file
Open in desktop
Empty file.
Empty file added vulns_cn/mounts/mount-docker-sock/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/mounts/mount-docker-sock.yaml → .../mount-docker-sock/mount-docker-sock.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/mounts/mount-host-etc/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/mounts/mount-host-etc.yaml → ...mounts/mount-host-etc/mount-host-etc.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/mounts/mount-host-procfs/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/mounts/mount-host-procfs.yaml → .../mount-host-procfs/mount-host-procfs.yaml
View file
Open in desktop
File renamed without changes.
Empty file added vulns_cn/no-vuln/no-vuln-ubuntu/init.sh
View file
Open in desktop
Empty file.
0 vulns_cn/no-vuln/no-vuln-ubuntu.yaml → ...o-vuln/no-vuln-ubuntu/no-vuln-ubuntu.yaml
View file
Open in desktop
File renamed without changes.