quarkslab / kdigger

Kubernetes focused container assessment and context discovery tool for penetration testing

License: Apache License 2.0

Makefile 1.81% Go 98.19%
containers kubernetes pentest security tool

kdigger's Issues

[feat] Add flag for namespaces during kdigger gen

When running kdigger gen, the namespace flag is missing. It would be good to have a namespace flag for kdigger gen.
One can still use ./kdigger gen | kubectl -n <namespace> apply -f -, but adding a flag would help generate the manifest along with the namespace and then edit the same manifest afterwards.

/assign

Token path

Hi,

First of all, great tool, I'm loving it.

I was just testing it and noticed that it failed to retrieve the ServiceAccount token from a privileged pod. I guess that the source of the issue is that in the token.go file, the tokenPath is set as /run/secrets/kubernetes.io/serviceaccount instead of /var/run/secrets/kubernetes.io/serviceaccount:

tokenPath = "/run/secrets/kubernetes.io/serviceaccount"
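An added Go example (not kdigger's own code) of the fallback this report suggests: instead of one hard-coded tokenPath, try both directories in order, and mask the token before printing it. The candidate list and the function names are mine.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Candidate locations of the projected service-account volume. /var/run is usually a
// symlink to /run, but not in every image, so both are tried in order.
var tokenDirs = []string{
	"/var/run/secrets/kubernetes.io/serviceaccount",
	"/run/secrets/kubernetes.io/serviceaccount",
}

// LoadToken reads "token" from the first candidate directory that has one and
// returns that directory together with the token (trailing newline stripped).
func LoadToken(candidates []string) (dir, token string, err error) {
	for _, d := range candidates {
		b, rerr := os.ReadFile(filepath.Join(d, "token"))
		if rerr == nil {
			return d, strings.TrimSpace(string(b)), nil
		}
	}
	return "", "", fmt.Errorf("no service account token in %v", candidates)
}

// Redact keeps a short prefix so the token can appear in tool output without leaking it.
func Redact(tok string) string {
	if len(tok) <= 8 {
		return "****"
	}
	return fmt.Sprintf("%s...(%d chars)", tok[:8], len(tok))
}

func main() {
	dir, tok, err := LoadToken(tokenDirs)
	if err != nil {
		fmt.Println("not running in a pod, or no token mounted:", err)
		return
	}
	fmt.Printf("token dir: %s\ntoken: %s\n", dir, Redact(tok))
}
```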

Feature Request: kdigger gen --fuzz

Hi,
I enjoy kdigger, it is helpful during pentests.
Would it be possible to extend the gen command for fuzzing Kubernetes admission controllers?

Wouldn't it be great if it could generate Kubernetes YAML manifests with all cutting edge container spec and security context fields?
This should include pods with privileged initContainer and ephemeralContainers, as well as windows node specific security context fields.
This could be used to test admission controls more thoroughly.

Implementation ideas:

  • The existing Kubernetes mutating webhook logic could be extracted from K8s codebase and used to implement this
  • The tool could fetch the latest Kubernetes OpenAPI spec for apps and use it as the basis to generate valid manifests with all possible values for dangerous spec fields mutated
  • In order to fine-tune the mutator, the dangerous configs from the api spec must be studied to identify problematic combinations.
  • A small yet versatile base image should be used in the generated manifests that has sudo pre-installed (for allowPrivilegeEscalation checks)

Let me know your opinion about such a feature :-)

feat: flag for read-write mounts

When invoking the command kdigger dig mount, we get all the mounted file systems. I tried looking for mounts with read and write permissions.

bash-5.1# kdigger dig mount | grep rw
| overlay    | /                               | overlay    | rw,relatime,lowerdir=/var/lib/c |
| proc       | /proc                           | proc       | rw,nosuid,nodev,noexec,relatime |
| tmpfs      | /dev                            | tmpfs      | rw,nosuid,size=65536k,mode=755  |
| devpts     | /dev/pts                        | devpts     | rw,nosuid,noexec,relatime,gid=5 |
| mqueue     | /dev/mqueue                     | mqueue     | rw,nosuid,nodev,noexec,relatime |
| shm        | /dev/shm                        | tmpfs      | rw,nosuid,nodev,noexec,relatime |
| /dev/sda1  | /dev/termination-log            | ext4       | rw,relatime,commit=30           |
| /dev/sda1  | /etc/hosts                      | ext4       | rw,relatime,commit=30           |
| /dev/sda1  | /etc/hostname                   | ext4       | rw,nosuid,nodev,relatime,commit |
| /dev/sda1  | /etc/resolv.conf                | ext4       | rw,nosuid,nodev,relatime,commit |
| shm        | /run/containerd/io.containerd.g | tmpfs      | rw,nosuid,nodev,noexec,relatime |
| overlay    | /run/containerd/io.containerd.r | overlay    | rw,relatime,lowerdir=/var/lib/c |
| overlay    | /run/containerd/io.containerd.r | overlay    | rw,relatime,lowerdir=/var/lib/c |
| shm        | /run/containerd/io.containerd.g | tmpfs      | rw,nosuid,nodev,noexec,relatime |

You can notice that some of the longer paths in the second column are getting squeezed. It will be great to have a flag that will only print the rw mounts.

Another similar flag can be developed for socks as well.

bash-5.1# kdigger dig mount | grep sock
| tmpfs      | /run/containerd/containerd.sock | tmpfs      | ro,size=804600k,nr_inodes=81920 |

cc @mtardy
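An added Go example (not kdigger's code) of how such flags could select mounts by exact mount option rather than by a grep substring: it parses text in /proc/self/mounts format and exposes the two predicates the request asks for. The sample lines are constructed from the table above, and the type and function names are mine.

```go
package main

import (
	"fmt"
	"strings"
)

// Mount is one line of /proc/self/mounts: the fields kdigger's mount table shows.
type Mount struct {
	Device, Path, FSType string
	Options              []string
}

// ParseMounts parses "device mountpoint fstype options dump pass" lines; the kernel
// escapes spaces in paths as \040, so splitting on whitespace is safe.
func ParseMounts(text string) (out []Mount) {
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) >= 4 {
			out = append(out, Mount{f[0], f[1], f[2], strings.Split(f[3], ",")})
		}
	}
	return out
}

// ReadWrite matches the "rw" option exactly; `grep rw` also hits any path or option value that merely contains "rw".
func ReadWrite(m Mount) bool {
	for _, o := range m.Options {
		if o == "rw" {
			return true
		}
	}
	return false
}

func Socket(m Mount) bool { return strings.HasSuffix(m.Path, ".sock") } // e.g. containerd.sock

// sample is constructed from the issue's table, not a captured /proc file.
const sample = `overlay / overlay rw,relatime,lowerdir=/lower 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run/containerd/containerd.sock tmpfs ro,size=804600k,nr_inodes=81920 0 0
`

func main() { // inside a pod, pass the contents of /proc/self/mounts instead of sample
	for _, m := range ParseMounts(sample) {
		if ReadWrite(m) || Socket(m) {
			fmt.Printf("rw=%-5v %-8s %s\n", ReadWrite(m), m.FSType, m.Path)
		}
	}
}
```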

aarch64-linux support

aarch64-linux support tracker


Current build issues:

# github.com/quarkslab/kdigger/pkg/plugins/syscalls
pkg/plugins/syscalls/syscalls.go:155:7: undefined: unix.SYS_SELECT
pkg/plugins/syscalls/syscalls.go:156:7: undefined: unix.SYS_PAUSE
pkg/plugins/syscalls/syscalls.go:163:7: undefined: unix.SYS_FORK
pkg/plugins/syscalls/syscalls.go:164:7: undefined: unix.SYS_VFORK
pkg/plugins/syscalls/syscalls.go:173:47: undefined: unix.SYS_SELECT
pkg/plugins/syscalls/syscalls.go:173:72: undefined: unix.SYS_PAUSE
pkg/plugins/syscalls/syscalls.go:183:40: undefined: unix.SYS_FORK
pkg/plugins/syscalls/syscalls.go:183:63: undefined: unix.SYS_VFORK
pkg/plugins/syscalls/syscalls.go:230:12: undefined: unix.SYS_OPEN
pkg/plugins/syscalls/syscalls.go:234:12: undefined: unix.SYS_STAT
pkg/plugins/syscalls/syscalls.go:234:12: too many errors
github.com/quarkslab/kdigger/pkg/plugins/authorization

on aarch64-linux and x86_64-darwin

Are there plans for supporting non-x86_64-linux platforms in the future, or not?
