Lxd-Probe is an open source audit scanner who perform audit check on a linux container manager and output it security report.
The audit tests are the full implementation of CIS Lxd Benchmark specification
audit result now can be leveraged as webhook via user plugin(using go plugin)
- root cause of the security issue.
- proposed remediation for security issue
git clone https://github.com/chen-keinan/lxd-probe
cd lxd-probe
make build
./lxd-probe
Note : lxd-probe require privileged user to execute tests.
Usage: lxd-probe [--version] [--help] <command> [<args>]
Available commands are:
-r , --report : run audit tests and generate failure and warn report
-i , --include: execute only specific audit test, example -i=1.2.3,1.4.5
-e , --exclude: ignore specific audit tests, example -e=1.2.3,1.4.5
-c , --classic: test report in classic view, example -c
The lxd-probe expose hook for user plugins Example :
- LxdBenchAuditResultHook - this hook accepts audit benchmark results as found by audit test
go build -buildmode=plugin -o=~/<plugin folder>/bench_plugin.so /<plugin folder>/bench_plugin.go
cp /<plugin folder>/bench_plugin.so ~/.lxd-probe/plugins/compile/bench_plugin.so
Note: Plugin and binary must compile with the same linux env
The lxd-probe support cis specs and can be easily extended:
- master config file change spec CIS Lxd Benchmark specification
both specs can be easily extended by amended the spec files under
~/.lxd-probe/benchmarks/lxd/v1.0.0folder
- code contribution is welcome !! , contribution with tests and passing linter is more than welcome :)
- /.dev folder include vagrantfile to be used for development : Dev Instruction