Skip to main content

A tool for performing static and runtime analysis using STIGs

Project description

Anchore STIG

Anchore STIG is a complete STIG solution that can be used to run STIG profile against both static images and running containers in a cluster.

Description

Use Anchore STIG to perform STIG checks against running containers in Kubernetes environments or static Docker images from a registry or stored locally. The tool executes automated scans against specific STIG Security Guide (SSG) policies. The program will output either a JSON report with a summary of STIG check results for runtime checks or XCCDF XML and OpenSCAP XML and HTML for static checks.

The runtime functionality includes the following profiles:

  • Ubuntu 20.04 (ubuntu-20.04)
  • Universal Base Image 8 (ubi8)
  • Postgres 9 (postgres9)
  • Apache Tommcat 9 (apache-tomcat9)
  • Crunchy PostgreSQL (crunchy-postgresql)
  • JBOSS (jboss)
  • Java Runtime Environment 7 (jre7)
  • MongoDB Enterprise (mongodb)
  • nginx (nginx)

The static functionality includes the following profiles:

  • CentOS 7
  • CentOS 8
  • Debian 10
  • Debian 11
  • Fedora
  • Oracle Linux 7
  • Oracle Linux 8
  • Oracle Linux 9
  • OpenSUSE
  • SUSE Linux Enterprise Server 15
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • Ubuntu 16.04
  • Ubuntu 18.04
  • Ubuntu 20.04
  • Ubuntu 22.04

Getting Started

Dependencies

Overall

  • python3 >= 3.8 with pip3 installed
  • make

Static

  • docker

Runtime

  • kubectl exec privileges
  • Pods running one of the above listed software / OS types

Install

  • clone the repo
  • run make to install

Running the Program

Runtime

  • Run anchorestig runtime from the terminal.

    • NOTE: This edition of the demo has been optimized for single-container pods by default
  • The program will run in interactive mode by just executing anchorestig runtime --interactive from the terminal, however, you may also use the following CLI input parameters:

CLI Input Parameters:

Image Name:         --image (-i)        Specify profile to use. Available options are ubuntu-20.04, ubi8, postgres9, apache-tomcat9, crunchy-postgresql, jboss, jre7, mongodb, nginx
Pod Name:           --pod (-p)          Any running pod running an image that runs one of the specififed profile's software
Namespace Name:     --namespace (-n)    Namespace the pod is located in
Container Name:     --container (-c)    Container in the pod to ruun against
K8s Config Context: --usecontext (-u)   Specify the kubernetes context to use
Output File:        --outfile (-o)      Only JSON output filetype is supported (include the '.json' extension with the output file name in CLI)
AWS S3 Bucket:      --aws (-a)          Specify the S3 bucket to upload results to. Omit to skip upload
Anchore Account:    --account (-c)      Specify the Anchore STIG UI account to associate the S3 upload with. Omit to skip upload

Ex: anchore-stig runtime -u current -n test -i postgres9 -p postgres9 -c default -o postgres.json

  • NOTE: The output file will be saved to the ./outputs directory
Viewing Results

Navigate to the ./outputs directory to view the output file.

Static

  • Run the tool using anchorestig static IMAGE.
    • Ex: anchorestig static docker.io/ubi8:latest
CLI Input Parameters:

Username:             --username (-u)     Username for private registry
Password:             --password (-p)     Password for private registry
Url:                  --url (-r)          URL for private registry
Insecure:             --insecure (-s)     Allow insecure registries or registries with custom certs
Local Image:          --local-image (-l)  Run against an image stored in your local docker instance
Viewing Results

Navigate to the ./stig-results directory. The output directory containing output files will be named according to the image scanned.

Help

Use the --help flag to see more information on how to run the program:

anchorestig --help

CINC Functionality Explanation

cinc-auditor allows users to specify a target to run profiles against. This can be a number of things including SSH targets or a local system. The train-k8s-container plugin allows our STIG tool to target a kubernetes namespace, pod, and container to run cinc profiles against. When a container is set as the target, each individual control will be prepended with kubectl exec ..... and the appropriate commands to run within the container and retireve the results to make the determination of a pass or fail against the control baseline.

Modifying Controls

The policies directory contains sub-directories for the Ubuntu, UBI, and Postgres STIG profiles. Each directory has a tar.gz file that can be decompressed. From there, each control that runs is defined as a ruby gem file in the controls directory. The ID of each control (displayed in Heimdall) is pulled from the control section at the beginning of the ruby gem file. To change what is displayed, change the control id at the beginning of the file.

Adding Not-Applicable Controls

The UBI 8 and Ubuntu 20.04 policies were built with the not-applicable rules removed. To add them back, untar the tar files in each repository, move the ruby gem files from the not-applicable/ directory to the controls directory. Then run cinc-auditor archive . in the untarred directory. This will generate a new tar archive file. Replace the original archive, that you un-tarred at the beginning with the newly generated one and the newly included rules will run.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

anchorestig-0.5.0.tar.gz (29.3 kB view details)

Uploaded Source

Built Distribution

anchorestig-0.5.0-py3-none-any.whl (37.6 kB view details)

Uploaded Python 3

File details

Details for the file anchorestig-0.5.0.tar.gz.

File metadata

  • Download URL: anchorestig-0.5.0.tar.gz
  • Upload date:
  • Size: 29.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/5.1.1 CPython/3.12.6

File hashes

Hashes for anchorestig-0.5.0.tar.gz
Algorithm Hash digest
SHA256 afec121148be257098a61339f3af4f9326062492d7929354e920a453653d200e
MD5 801ed904a91bc89e8692915a22b624e6
BLAKE2b-256 e2c6cc279bde07c57ad00b35c5134da566fdc29b957eea1e7eaad831075dd5bb

See more details on using hashes here.

File details

Details for the file anchorestig-0.5.0-py3-none-any.whl.

File metadata

  • Download URL: anchorestig-0.5.0-py3-none-any.whl
  • Upload date:
  • Size: 37.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/5.1.1 CPython/3.12.6

File hashes

Hashes for anchorestig-0.5.0-py3-none-any.whl
Algorithm Hash digest
SHA256 0928c0ddef4b470332c6811026558c2805bf6e995c13fde0a153ca8a0bf42768
MD5 a38fac05acbee38a1f0e2681d13bdf65
BLAKE2b-256 a900dca750683d488960da58a9d1e93d1fcd78d57c7d314bf31762c0844a7ecb

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page