Environment  

Aqua CSP API, version 2. 


Deployment  

Use curl to retrieve Kubernetes/Docker CIS Benchmark results for individual nodes. 


The steps listed below are intended to retrieve the CIS Kubernetes results. 


See "Related information" below for a summary of the equivalent API calls for the CIS Docker benchmark.
 
Aqua CSP assigns each host/node an ID (node_id) that must be supplied in the API call that retrieves the benchmark data.

The file @user.json holds the console login and, optionally, extends the validity of the bearer token returned by the login call (default 9 hours), e.g.

{
  "id": "administrator",
  "password": "SuperSafe",
  "remember": true
}

For a 30-day token, set "remember": true. The file holds the console password in clear text and the token it yields is a long-lived credential: restrict the file to the user running the calls (chmod 600 user.json) and handle the token with the same care as the password.

Store the token in a variable, e.g. $TOKEN, so it does not have to be pasted into each command.

Deployment Steps  

  1. Retrieve the authorization token.

     curl -i -X POST -H "Content-Type:application/json" -d @user.json http(s)://<aqua-console-ip-or-fqdn>:<port>/api/v1/login

  2. Retrieve the node ID. The node name (e.g. K8-Type2.k8node1) is shown in the Aqua CSP console under the Infrastructure tab.

     curl -X GET -H "Authorization: Bearer $TOKEN" http(s)://<aqua-console-ip-or-fqdn>:<port>/api/v2/infrastructure/node/K8-Type2.k8node1 | json_pp

     {
        "name" : "K8-Type2.k8node1",
        "id" : 2,
        "node_id" : "69e74e78-9fdf-48f8-8380-4ae8535c24fb",
        "is_enforced" : true,
        "data" : {},
        "created_date" : "0001-01-01T00:00:00Z",
        "type" : "node",
        "security_issues" : {
           "neg_vulns" : 0,
           "last_vuln_scan" : 0,
           "high_vulns" : 0,
           "malware" : 0,
           "crit_vulns" : 0,
           "low_vulns" : 0,
           "med_vulns" : 0
        },
        "cluster_id" : 0
     }

     The value of "node_id" (not the numeric "id") is the identifier used in the curl request in step 3; replace it with the one returned for your own node.

  3. Get the Kubernetes CIS Benchmark results for node K8-Type2.k8node1 and save them to a file.

     curl -H "Authorization: Bearer $TOKEN" http(s)://<aqua-console-ip-or-fqdn>:<port>/api/v2/risks/bench/kube/69e74e78-9fdf-48f8-8380-4ae8535c24fb/csv > /tmp/K8-Type2.k8node1.csv
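The three steps above chained from the Python standard library, as an added example that is not part of this article or of Aqua's own tooling. It logs in, resolves the node name to its node_id, and downloads the CSV; the URL builder also produces the all-hosts and Docker variants listed under "Related information". Two things are assumptions rather than facts from this page: that the /api/v1/login response is JSON with the bearer token in a top-level "token" field, and the placeholder console address, user and node name. TLS verification is left on; point cafile at the console's CA instead of disabling checks, since the bearer token travels in every request.

```python
"""Fetch a node's CIS benchmark CSV from Aqua CSP (v1 login, v2 data endpoints).

Assumptions (not stated in the article): the login response looks like
{"token": "..."}; BASE, the user name and the node name are placeholders.
"""
import json
import os
import ssl
import urllib.request
from urllib.parse import quote

BASE = "https://aqua-console.example.com:8443"  # placeholder console address


def login_body(user, password, remember=True):
    """Same document as @user.json in the article; remember=True asks for the 30-day token."""
    return json.dumps({"id": user, "password": password, "remember": remember}).encode()


def token_from_login(response_text):
    """Extract the bearer token from the login response (assumed field name: "token")."""
    token = json.loads(response_text).get("token")
    if not isinstance(token, str) or not token:
        raise ValueError("login response carried no token")
    return token


def node_id_from_response(response_text):
    """Extract node_id from the /api/v2/infrastructure/node/<name> response (shape from step 2).

    The numeric "id" field is a different value; the bench endpoints want the UUID in "node_id".
    """
    node_id = json.loads(response_text).get("node_id")
    if not node_id:
        raise ValueError("node response carried no node_id")
    return node_id


def node_url(base, node_name):
    return f"{base}/api/v2/infrastructure/node/{quote(node_name, safe='')}"


def bench_csv_url(base, kind, target="hosts"):
    """CSV URL for a CIS benchmark: kind is "kube" or "docker"; target is "hosts"
    (every node/host) or a node_id from node_id_from_response()."""
    if kind not in ("kube", "docker"):
        raise ValueError(f"unknown benchmark kind {kind!r}")
    return f"{base}/api/v2/risks/bench/{kind}/{quote(target, safe='')}/csv"


def api_call(url, token=None, body=None, cafile=None):
    """One request. Certificate verification stays on; supply the console CA via cafile."""
    headers = {"Content-Type": "application/json"} if body else {}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(url, data=body, headers=headers, method="POST" if body else "GET")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


def fetch_node_benchmark(base, user, password, node_name, kind="kube", cafile=None):
    """Steps 1-3 of the article: log in, resolve node_id, download the CSV text."""
    token = token_from_login(api_call(f"{base}/api/v1/login", body=login_body(user, password)))
    node_id = node_id_from_response(api_call(node_url(base, node_name), token=token))
    return api_call(bench_csv_url(base, kind, node_id), token=token)


if __name__ == "__main__":
    # The password comes from the environment, not argv, so it is absent from `ps` and shell history.
    csv_text = fetch_node_benchmark(BASE, "administrator", os.environ["AQUA_PASSWORD"], "K8-Type2.k8node1")
    with open("/tmp/K8-Type2.k8node1.csv", "w") as fh:
        fh.write(csv_text)
```

Run it with AQUA_PASSWORD exported and BASE set to your console; `bench_csv_url(BASE, "docker")` gives the all-hosts Docker benchmark URL and `bench_csv_url(BASE, "kube", node_id)` the per-node Kubernetes one.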


Raw output

Logical Name,Host Name,Scan Date,Section,Section Description,Test Status,Test Number,Test Description,Audit Command,Expected Result,Actual Result,Remediation
K8-Type2.k8master,k8master,1579096642,1.1,API Server,WARN,1.1.1,Ensure that the --anonymous-auth argument is set to false (Not Scored),ps -ef | grep kube-apiserver | grep -v grep,'--anonymous-auth' is present,"root      2869  2811  3 13:48 ?        00:00:19 kube-apiserver --advertise-address=192.168.0.41 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --insecure-port=0 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6443 --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-cluster-ip-range=10.96.0.0/12 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
","Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter.
--anonymous-auth=false
"

(Output truncated.) Each row is one benchmark check: Scan Date is a Unix timestamp (seconds since the epoch), Test Status is the verdict (WARN in the row above), Audit Command / Expected Result / Actual Result show how the verdict was reached, and Remediation is the fix. The Actual Result and Remediation fields are quoted and span several lines, so process the file with a CSV-aware tool rather than line by line.
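Turning the downloaded CSV into a list of checks that need attention, as an added example that is not part of this article or of Aqua's tooling. The csv module is used because the Actual Result and Remediation fields are quoted and contain newlines, as in the raw output above; splitting the file on newlines would tear rows apart. The header and the first row below are taken from the page (with the long process line shortened); the PASS and FAIL rows are constructed for the example, and the FAIL/WARN status vocabulary is an assumption beyond the single WARN shown on the page.

```python
"""Summarise an Aqua CIS benchmark CSV: counts per status, then FAIL/WARN checks with their fix."""
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: header and row 1.1.1 come from the article (process line shortened),
# rows 1.1.2 and 1.1.11 are made up for the example.
SAMPLE_CSV = """Logical Name,Host Name,Scan Date,Section,Section Description,Test Status,Test Number,Test Description,Audit Command,Expected Result,Actual Result,Remediation
K8-Type2.k8master,k8master,1579096642,1.1,API Server,WARN,1.1.1,Ensure that the --anonymous-auth argument is set to false (Not Scored),ps -ef | grep kube-apiserver | grep -v grep,'--anonymous-auth' is present,"root      2869  2811  3 13:48 ?        00:00:19 kube-apiserver --advertise-address=192.168.0.41 --secure-port=6443
","Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter.
--anonymous-auth=false
"
K8-Type2.k8master,k8master,1579096642,1.1,API Server,PASS,1.1.2,Ensure that the --basic-auth-file argument is not set (Scored),ps -ef | grep kube-apiserver | grep -v grep,'--basic-auth-file' is not present,"root      2869  2811  3 13:48 ?        00:00:19 kube-apiserver --advertise-address=192.168.0.41 --secure-port=6443
",
K8-Type2.k8master,k8master,1579096642,1.1,API Server,FAIL,1.1.11,Ensure that the admission control plugin AlwaysPullImages is set (Scored),ps -ef | grep kube-apiserver | grep -v grep,'AlwaysPullImages' is present,"root      2869  2811  3 13:48 ?        00:00:19 kube-apiserver --enable-admission-plugins=NodeRestriction
","Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and add AlwaysPullImages to --enable-admission-plugins.
"
"""


def parse_benchmark(csv_text):
    """One dict per check; csv handles the newlines inside quoted fields."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def status_counts(rows):
    return Counter(r["Test Status"] for r in rows)


def needs_attention(rows, statuses=("FAIL", "WARN")):
    """Checks that did not pass: FAIL before WARN, then by test number (1.1.2 before 1.1.11)."""
    def key(r):
        return (statuses.index(r["Test Status"]), [int(p) for p in r["Test Number"].split(".")])
    return sorted((r for r in rows if r["Test Status"] in statuses), key=key)


def scan_time(row):
    """Scan Date is seconds since the Unix epoch; the page's value is 2020-01-15."""
    return datetime.fromtimestamp(int(row["Scan Date"]), tz=timezone.utc)


def report(csv_text):
    """Plain-text summary: scan time, status counts, then each FAIL/WARN with its last remediation line."""
    rows = parse_benchmark(csv_text)
    if not rows:
        return "no checks in file"
    out = [f"scan {scan_time(rows[0]):%Y-%m-%d %H:%M:%S} UTC: {dict(status_counts(rows))}"]
    for r in needs_attention(rows):
        fix = r["Remediation"].strip().splitlines() or ["(no remediation given)"]
        out.append(f"{r['Test Status']:4} {r['Test Number']:8} {r['Test Description']}")
        out.append(f"     fix: {fix[-1]}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_CSV))
```

Point `report` at the contents of /tmp/K8-Type2.k8node1.csv (or the all-hosts file) to get the same summary for a real scan; the Logical Name column distinguishes nodes when several are in one file.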

 

Related information

  • Node related data, including the node ID:
    GET /api/v2/infrastructure/node/<node_name>

  • Kubernetes CIS benchmark for all nodes:
    GET /api/v2/risks/bench/kube/hosts/csv

  • Docker CIS benchmark for all hosts:
    GET /api/v2/risks/bench/docker/hosts/csv

  • Kubernetes CIS benchmark for a specific node:
    GET /api/v2/risks/bench/kube/<node_id>/csv

  • Docker CIS benchmark for a specific host:
    GET /api/v2/risks/bench/docker/<node_id>/csv