CN111737699B - Kubernetes safety reinforcing system and method based on CIS reference - Google Patents


Info

Publication number
CN111737699B
Authority
CN
China
Prior art keywords
reinforcement
module
executing
command
configuration file
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010472757.6A
Other languages
Chinese (zh)
Other versions
CN111737699A (en)
Inventor
杨金林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Suzhou Inspur Intelligent Technology Co Ltd
Original Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2020-05-28
Filing date
2020-05-28
Publication date
2022-05-31
2020-05-28: Application filed by Suzhou Inspur Intelligent Technology Co Ltd
2020-05-28: Priority to CN202010472757.6A
2020-10-02: Publication of CN111737699A
Application granted
2022-05-31: Publication of CN111737699B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services


Abstract

The invention discloses a Kubernetes security hardening system and method based on the CIS benchmark. The system comprises: an input command parsing module, which parses the input command parameters and decides which configuration file to load; a configuration file parsing module, which parses a configuration file describing the CIS security baseline; an automatic security scanning module, which executes the scan commands according to the parsed configuration file; a fragment centralized backup module, which encrypts and stores the configuration fragments to be hardened; an automatic security hardening module, which executes the hardening commands according to the output of the fragment centralized backup module; a fragment centralized checking module, which verifies and decrypts the configuration fragments to be rolled back; an automatic security rollback module, which executes the rollback commands according to the output of the fragment centralized checking module; and an output module, which outputs the combined operation result. The invention solves the problem that existing tools lack automatic hardening and rollback functions, and ensures the secure deployment and operation of the Kubernetes cluster.

Description

Kubernetes safety reinforcing system and method based on CIS reference
Technical Field
The invention relates to the field of software security, in particular to a Kubernetes security hardening system and method based on the CIS benchmark.
Background
As container cloud platforms grow in scale and spread into new fields, the security of the Kubernetes cluster that underpins them receives more and more attention, and improving the security compliance of Kubernetes clusters has become a necessary trend.
At present the industry mainly scans Kubernetes clusters against the CIS (Center for Internet Security) security baseline. The main tools are Kube-bench and Kubernetes-CIS-bench, and Kube-bench can detect about 95% of the configuration defects in a Kubernetes cluster. However, these tools only provide a scanning function: the alarmed items can only be hardened manually, and if a problem appears after manual hardening, the items must be rolled back manually one by one, so the maintenance workload is large and efficiency is extremely low.
Disclosure of Invention
To solve these technical problems, the invention provides a Kubernetes security hardening system and method based on the CIS benchmark, which solve the problem that existing tools lack automatic hardening and rollback functions and ensure the secure deployment and operation of a Kubernetes cluster.
To achieve this purpose, the invention adopts the following technical scheme:
a Kubernetes security hardening system based on the CIS benchmark, comprising:
an input command parsing module for parsing the input command parameters and determining which configuration file to load;
a configuration file parsing module for parsing a configuration file of the CIS security baseline;
an automatic security scanning module for executing scan commands according to the parsed configuration file;
a fragment centralized backup module for encrypting and storing the configuration fragments to be hardened;
an automatic security hardening module for executing hardening commands according to the output of the fragment centralized backup module;
a fragment centralized checking module for verifying and decrypting the configuration fragments to be rolled back;
an automatic security rollback module for executing rollback commands according to the output of the fragment centralized checking module;
and an output module for outputting the combined operation result.
Further, the input command parameters include: master node, worker node, scan, harden, rollback, password parameters and specified configuration items.
Further, the configuration file uses YAML format and organizes its content according to the CIS benchmark, including the configuration item ID, the scan command, the commands needed for hardening and a basic description.
Further, the scan commands, the hardening commands and the rollback commands are all executed in parallel.
Further, the operation result output by the output module is in YAML format.
Further, the output of the scan command and the output of the hardening command can be used as configuration files that the system loads and parses.
The invention also provides a Kubernetes security hardening method based on the CIS benchmark, comprising the following steps:
inputting command parameters and determining which configuration file to load;
parsing the configuration file;
executing an automatic security scan and outputting a scan report;
executing automatic security hardening and outputting an automatic hardening report;
and executing automatic security rollback and outputting an automatic rollback report.
Further, executing the automatic security scan specifically includes:
executing the scan commands according to the parsed configuration file;
and extracting the FAIL item IDs and suggestions from the scan results.
Further, executing the automatic security hardening specifically includes:
inputting a node type, a user password and the items to be hardened;
loading the configuration file of the corresponding node type and extracting the information of the items to be hardened;
generating a MAC key and an AES key from the input user password using the PBKDF2 algorithm;
encrypting, for each item to be hardened, the configuration fragments before and after hardening with the generated AES key, and computing a MAC value with the generated MAC key;
searching the hardening record file stored on the host for the same hardening item, and updating it if present or adding a new hardening record otherwise;
and executing the hardening command on the items to be hardened and extracting the key information.
Further, executing the automatic security rollback specifically includes:
inputting a node type and the user password used during hardening, and specifying the rollback parameters;
loading the configuration file of the corresponding node type and extracting the information of the items to be rolled back;
generating the same MAC key and AES key as during automatic hardening from the input user password using the PBKDF2 algorithm;
reading the hardening record file on the host and obtaining the hardening records of the items to be rolled back;
verifying the MAC of each record with the generated MAC key;
and executing the rollback command on the items whose MAC verified, and extracting the key information.
The beneficial effects of the invention are as follows:
the invention provides a Kubernetes security hardening system and method based on the CIS benchmark that comprise automatic scanning, automatic hardening and automatic rollback functions, greatly reduce the maintenance effort associated with security configuration, and strengthen the security of the Kubernetes cluster. The items to be hardened and the items to be rolled back can be customised; the configuration fragments before hardening are stored AES-encrypted, so the pre-hardening state can be restored on rollback. The invention is deployed as a container, is easy to use and convenient to extend: adding a new security scan or hardening item only requires adding the corresponding commands and description to the configuration file.
Drawings
FIG. 1 is a schematic structural diagram of the Kubernetes security hardening system based on the CIS benchmark according to the present invention;
FIG. 2 is a schematic flow diagram of the Kubernetes security hardening method based on the CIS benchmark.
Detailed Description
To clearly explain the technical features of the present invention, it is described in detail through the following embodiments and the accompanying drawings. The following disclosure provides many different embodiments, or examples, for implementing different features of the invention. To simplify the disclosure, the components and arrangements of specific examples are described below. Furthermore, reference numerals and/or letters may be repeated in the various examples; this repetition is for simplicity and clarity and does not in itself dictate a relationship between the embodiments and/or configurations discussed. The components illustrated in the figures are not necessarily drawn to scale. Descriptions of well-known components, processing techniques and processes are omitted so as not to unnecessarily limit the invention.
As shown in FIG. 1, an embodiment of the present invention discloses a Kubernetes security hardening system based on the CIS benchmark, comprising: an input command parsing module, a configuration file parsing module, an automatic security scanning module, a fragment centralized backup module, an automatic security hardening module, a fragment centralized checking module, an automatic security rollback module and an output module.
The input command parsing module parses the input command parameters and determines which configuration file to load. The command parameters include master node, worker node, scan, harden, rollback, password parameters and specified configuration items. Scan, harden and rollback are mutually exclusive; a password must be supplied for hardening and rollback; configuration items may be specified, and by default all items are hardened or rolled back.
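As an added illustration, not code from the patent or from the applicant, the following Go program parses and validates the command parameters described above: the node type, the mutually exclusive scan/harden/rollback modes, the password required for hardening and rollback, and the optional list of configuration items. The flag names, the Options type, the configuration file path and the rule that -harden must name its items (the embodiment states that automatic hardening must specify the items to be hardened) are assumptions of this example.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"os"
	"strings"
)

// Options is the parsed form of the command parameters the patent lists:
// node type, one of scan/harden/rollback, a password, and optional item IDs.
// Flag names and this type are assumptions made for the example.
type Options struct {
	Node     string   // "master" or "worker": selects the configuration file to load
	Mode     string   // "scan", "harden" or "rollback"
	Password string   // required for harden and rollback, where it feeds PBKDF2
	Items    []string // configuration item IDs; empty means every item in the file
}

// ConfigPath returns the configuration file selected by the node type
// (directory and file names are assumptions).
func (o Options) ConfigPath() string {
	return fmt.Sprintf("/etc/k8s-hardening/%s.yaml", o.Node)
}

// ParseArgs parses and validates the command line. It rejects combined modes,
// an unknown node type, a missing password for harden/rollback, and a harden
// run that does not name its items.
func ParseArgs(args []string) (Options, error) {
	fs := flag.NewFlagSet("k8s-hardening", flag.ContinueOnError)
	fs.SetOutput(os.Stderr)
	node := fs.String("node", "", "node type: master or worker")
	scan := fs.Bool("scan", false, "run the CIS benchmark scan")
	harden := fs.Bool("harden", false, "apply hardening commands")
	rollback := fs.Bool("rollback", false, "roll hardened items back")
	password := fs.String("password", "", "password used to derive the AES and MAC keys")
	items := fs.String("items", "", "comma-separated configuration item IDs")
	if err := fs.Parse(args); err != nil {
		return Options{}, err
	}

	var o Options
	switch *node {
	case "master", "worker":
		o.Node = *node
	default:
		return o, errors.New("-node must be master or worker")
	}

	// The three modes are mutually exclusive: exactly one must be set.
	modes := 0
	for _, m := range []struct {
		on   bool
		name string
	}{{*scan, "scan"}, {*harden, "harden"}, {*rollback, "rollback"}} {
		if m.on {
			modes++
			o.Mode = m.name
		}
	}
	if modes != 1 {
		return o, errors.New("exactly one of -scan, -harden, -rollback is required")
	}

	// Hardening and rollback derive keys from the password, so it is mandatory there.
	if o.Mode != "scan" {
		if *password == "" {
			return o, fmt.Errorf("-password is required for %s", o.Mode)
		}
		o.Password = *password
	}

	for _, id := range strings.Split(*items, ",") {
		if id = strings.TrimSpace(id); id != "" {
			o.Items = append(o.Items, id)
		}
	}
	if o.Mode == "harden" && len(o.Items) == 0 {
		return o, errors.New("-harden requires -items: hardening must name the items to change")
	}
	return o, nil
}

func main() {
	o, err := ParseArgs(os.Args[1:])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	fmt.Printf("mode=%s node=%s config=%s items=%v\n", o.Mode, o.Node, o.ConfigPath(), o.Items)
}
```

Rollback with an empty item list is accepted and means "all hardened items", matching the default the embodiment describes, while the password itself is only held in memory for the key derivation that follows.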
The configuration file parsing module parses the configuration file of the CIS security baseline. The configuration file uses YAML format and organizes its content according to the CIS benchmark, covering the configuration item ID, the scan command, the commands required for hardening and a basic description.
The automatic security scanning module executes the scan commands in parallel according to the parsed configuration file and passes the execution results to the output module.
The fragment centralized backup module encrypts and stores the complete contents of the configuration fragments to be hardened using the AES encryption algorithm.
The automatic security hardening module executes the hardening commands in parallel according to the output of the fragment centralized backup module and passes the execution results to the output module.
The fragment centralized checking module verifies and decrypts the contents of the configuration fragments to be rolled back, ensuring that the rollback restores the state before hardening.
The automatic security rollback module executes the rollback commands in parallel according to the output of the fragment centralized checking module and outputs the execution results.
The output module outputs the combined operation result; it supports YAML and JSON formats for convenient integrated display.
As shown in FIG. 2, an embodiment of the present invention further discloses a Kubernetes security hardening method based on the CIS benchmark, comprising:
inputting command parameters and determining which configuration file to load;
parsing the configuration file;
executing an automatic security scan and outputting a scan report;
executing automatic security hardening and outputting an automatic hardening report;
and executing automatic security rollback and outputting an automatic rollback report.
Specifically, executing the automatic security scan includes:
11) executing the scan commands according to the parsed configuration file;
12) the result of each scanned item begins with a PASS/FAIL/INFO field; after all items have been scanned, the output module extracts the IDs and suggestions of the FAIL items and outputs a scan report, which is stored in YAML format in a directory on the host, so that the execution of the task can be checked conveniently and automatic or manual hardening can follow.
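The scan stage of steps 11 and 12 as an added, self-contained Go example; it is not code from the patent. It models the per-item fields the patent lists for the configuration file, runs every item's scan command in parallel through an injectable runner, reads the PASS/FAIL/INFO field at the start of each output, and extracts the FAIL item IDs with their suggestions into a report. The struct and field names, the ERROR status for a command that returns no verdict, the JSON output (the patent stores the report as YAML) and the sample items, whose scan commands merely echo a verdict, are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
	"strings"
	"sync"
)

// ConfigItem carries the per-item fields the patent describes for the configuration
// file: ID, scan command, hardening command and description. Names are assumptions;
// JSON tags replace YAML so the example needs only the standard library.
type ConfigItem struct {
	ID          string `json:"id"`
	Description string `json:"description"`
	Scan        string `json:"scan"`       // its output must begin with PASS, FAIL or INFO
	Harden      string `json:"harden"`     // not executed by the scanner
	Suggestion  string `json:"suggestion"` // reported for FAIL items
}

// ScanResult is one item's outcome; Status is PASS, FAIL, INFO or ERROR.
type ScanResult struct {
	ID     string `json:"id"`
	Status string `json:"status"`
	Detail string `json:"detail,omitempty"`
}

// Finding is what the report keeps for each FAIL item: its ID and suggestion.
type Finding struct {
	ID         string `json:"id"`
	Suggestion string `json:"suggestion"`
}

// Report is the scan report (JSON here; the patent stores it as YAML).
type Report struct {
	Node     string       `json:"node"`
	Results  []ScanResult `json:"results"`
	Failures []Finding    `json:"failures"`
}

// Runner executes a scan command and returns its output; injectable for tests.
type Runner func(cmd string) (string, error)

// ShellRunner executes the command with /bin/sh and returns its combined output.
func ShellRunner(cmd string) (string, error) {
	out, err := exec.Command("/bin/sh", "-c", cmd).CombinedOutput()
	return string(out), err
}

// classify reads the leading PASS/FAIL/INFO field of a scan command's output.
func classify(output string) string {
	if f := strings.Fields(output); len(f) > 0 {
		switch f[0] {
		case "PASS", "FAIL", "INFO":
			return f[0]
		}
	}
	return "ERROR"
}

// ScanAll runs every item's scan command concurrently (the patent executes scan
// commands in parallel) and returns the results in configuration order.
func ScanAll(items []ConfigItem, run Runner) []ScanResult {
	results := make([]ScanResult, len(items))
	var wg sync.WaitGroup
	for i, it := range items {
		wg.Add(1)
		go func(i int, it ConfigItem) {
			defer wg.Done()
			out, err := run(it.Scan)
			r := ScanResult{ID: it.ID, Status: classify(out), Detail: strings.TrimSpace(out)}
			if r.Status == "ERROR" && err != nil {
				r.Detail = err.Error() // no verdict in the output: record why the command failed
			}
			results[i] = r
		}(i, it)
	}
	wg.Wait()
	return results
}

// BuildReport extracts the FAIL item IDs and their suggestions from the results.
func BuildReport(node string, items []ConfigItem, results []ScanResult) Report {
	byID := map[string]ConfigItem{}
	for _, it := range items {
		byID[it.ID] = it
	}
	rep := Report{Node: node, Results: results}
	for _, r := range results {
		if r.Status == "FAIL" {
			rep.Failures = append(rep.Failures, Finding{ID: r.ID, Suggestion: byID[r.ID].Suggestion})
		}
	}
	return rep
}

// sampleItems is a constructed configuration whose scan commands print a fixed
// verdict, so the example runs without a Kubernetes node.
var sampleItems = []ConfigItem{
	{ID: "item-1", Description: "example check that passes", Scan: "echo PASS ok", Harden: "true", Suggestion: "none"},
	{ID: "item-2", Description: "example check that fails", Scan: "echo FAIL flag not set", Harden: "true", Suggestion: "set the flag in the unit file"},
	{ID: "item-3", Description: "example manual check", Scan: "echo INFO review manually"},
}

func main() {
	rep := BuildReport("master", sampleItems, ScanAll(sampleItems, ShellRunner))
	b, _ := json.MarshalIndent(rep, "", "  ")
	fmt.Println(string(b))
}
```

Because the runner is injected, the scanner can be exercised with canned outputs before it is pointed at real node commands, and a command that produces no PASS/FAIL/INFO verdict is reported as ERROR rather than silently treated as a pass.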
Executing the automatic security hardening specifically comprises the following steps:
21) inputting the node type, the user password and the items to be hardened; because security hardening carries risk, automatic hardening must specify the items to be hardened, which in this embodiment can be done by command parameters or by a configuration file;
22) loading the configuration file of the corresponding node type and extracting all information about the items to be hardened;
23) generating a MAC key and an AES key from the input user password using the PBKDF2 algorithm;
24) encrypting, for each item to be hardened, the configuration fragment before and after hardening with the generated AES key, and computing a MAC value with the generated MAC key;
25) searching the hardening record file stored on the host for the same hardening item; if it exists, updating it, otherwise adding a new hardening record;
26) executing the hardening command on all specified items. Specifically: first determine whether hardening is needed, and if so execute the specific hardening command; if hardening fails, delete the hardening record and print a hardening failure; if hardening succeeds, print a hardening success; if hardening is not needed, print the relevant prompt. Repeat until hardening has been executed for all specified items;
27) extracting the key information and outputting an automatic hardening report in YAML format.
Executing the automatic security rollback specifically comprises the following steps:
31) inputting the node type and the user password used during hardening, and specifying the rollback parameters; the items to be rolled back can be specified through the configuration file, and by default all hardened items are rolled back;
32) loading the configuration file of the corresponding node type and extracting the information of all items to be rolled back;
33) generating the same MAC key and AES key as during automatic hardening from the input user password using the PBKDF2 algorithm;
34) reading the hardening record file on the host and obtaining the hardening records of all items to be rolled back;
35) verifying the MAC of each record with the generated MAC key; if verification fails, the rollback is not executed and the relevant prompt is output;
36) executing the rollback command on the items whose MAC verified. Specifically: decrypt the stored post-hardening fragment with the generated AES key and compare it with the current fragment to be rolled back; if they differ, do not execute the rollback and output the relevant prompt; if they match, decrypt the pre-hardening fragment stored in the hardening record and execute the specific rollback command. If the rollback succeeds, delete the corresponding hardening record and print the result; if it fails, print the result directly. Repeat until rollback has been executed for all items whose MAC verified;
37) extracting the key information and outputting an automatic rollback report in YAML format.
Although the embodiments of the present invention have been described with reference to the accompanying drawings, the scope of the invention is not limited to them. Various modifications and alterations will occur to those skilled in the art based on the foregoing description; the embodiments described are neither required nor exhaustive. On the basis of the technical solution of the present invention, those skilled in the art can make various modifications or variations without creative effort and still remain within the scope of the present invention.

Claims (7)

1. A Kubernetes security hardening system based on the CIS benchmark, comprising:
an input command parsing module for parsing input command parameters and determining which configuration file to load;
a configuration file parsing module for parsing a configuration file of the CIS security baseline;
an automatic security scanning module for executing scan commands according to the parsed configuration file;
a fragment centralized backup module for encrypting and storing the configuration fragments to be hardened;
an automatic security hardening module for executing hardening commands according to the output of the fragment centralized backup module;
a fragment centralized checking module for verifying and decrypting the configuration fragments to be rolled back;
an automatic security rollback module for executing rollback commands according to the output of the fragment centralized checking module;
an output module for combining and outputting the operation results;
wherein the automatic security scanning module specifically:
executes scan commands according to the parsed configuration file; and
extracts the FAIL item IDs and suggestions from the scan results;
the automatic security hardening module specifically:
receives a node type, a user password and the items to be hardened;
loads the configuration file of the corresponding node type and extracts the information of the items to be hardened;
generates a MAC key and an AES key from the input user password using the PBKDF2 algorithm;
encrypts, for each item to be hardened, the configuration fragments before and after hardening with the generated AES key, and computes a MAC value with the generated MAC key;
searches the hardening record file stored on the host for the same hardening item, updating it if present and adding a new hardening record otherwise;
executes the hardening command on the items to be hardened and extracts the key information;
the automatic security rollback module specifically:
receives a node type and the user password used during hardening, together with the specified rollback parameters;
loads the configuration file of the corresponding node type and extracts the information of the items to be rolled back;
generates the same MAC key and AES key as during automatic hardening from the input user password using the PBKDF2 algorithm;
reads the hardening record file on the host and obtains the hardening records of the items to be rolled back;
verifies the MAC of each record with the generated MAC key; and
executes the rollback command on the items whose MAC verified, and extracts the key information.
2. The Kubernetes security hardening system based on the CIS benchmark according to claim 1, wherein the input command parameters include: master node, worker node, scan, harden, rollback, password parameters and specified configuration items.
3. The Kubernetes security hardening system based on the CIS benchmark according to claim 1, wherein the configuration file organizes its content according to the CIS benchmark in YAML format, including configuration item IDs, scan commands, the commands required for hardening and basic descriptions.
4. The Kubernetes security hardening system based on the CIS benchmark according to claim 1, wherein the scan commands, the hardening commands and the rollback commands are all executed in parallel.
5. The Kubernetes security hardening system based on the CIS benchmark according to claim 1, wherein the operation results output by the output module are output in YAML format.
6. The Kubernetes security hardening system based on the CIS benchmark according to claim 5, characterized in that the output of the scan command and the output of the hardening command are used as configuration files for the system to load and parse.
7. A Kubernetes security hardening method based on the CIS benchmark, characterized by comprising the following steps:
inputting command parameters and determining which configuration file to load;
parsing the configuration file;
executing an automatic security scan and outputting a scan report;
executing automatic security hardening and outputting an automatic hardening report;
executing automatic security rollback and outputting an automatic rollback report;
wherein executing the automatic security scan specifically includes:
executing the scan commands according to the parsed configuration file;
extracting the FAIL item IDs and suggestions from the scan results;
executing the automatic security hardening specifically comprises the following steps:
inputting a node type, a user password and the items to be hardened;
loading the configuration file of the corresponding node type and extracting the information of the items to be hardened;
generating a MAC key and an AES key from the input user password using the PBKDF2 algorithm;
encrypting, for each item to be hardened, the configuration fragments before and after hardening with the generated AES key, and computing a MAC value with the generated MAC key;
searching the hardening record file stored on the host for the same hardening item, and updating it if present or adding a new hardening record otherwise;
executing the hardening command on the items to be hardened and extracting the key information;
executing the automatic security rollback specifically comprises the following steps:
inputting a node type and the user password used during hardening, and specifying the rollback parameters;
loading the configuration file of the corresponding node type and extracting the information of the items to be rolled back;
generating the same MAC key and AES key as during automatic hardening from the input user password using the PBKDF2 algorithm;
reading the hardening record file on the host and obtaining the hardening records of the items to be rolled back;
verifying the MAC of each record with the generated MAC key;
and executing the rollback command on the items whose MAC verified, and extracting the key information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010472757.6A CN111737699B (en) 2020-05-28 2020-05-28 Kubernetes safety reinforcing system and method based on CIS reference


Publications (2)

Publication Number Publication Date
CN111737699A CN111737699A (en) 2020-10-02
CN111737699B true CN111737699B (en) 2022-05-31

Family

ID=72646477


Country Status (1)

Country Link
CN (1) CN111737699B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112346821B (en) * 2020-12-01 2023-09-26 新华智云科技有限公司 Application configuration management method and system based on kubernetes
CN112702187A (en) * 2020-12-04 2021-04-23 苏州浪潮智能科技有限公司 Method and device for cluster security reinforcement
TWI811893B (en) * 2021-12-15 2023-08-11 中華電信股份有限公司 Cloud workload safety protection system and method
FR3131405A1 (en) 2021-12-28 2023-06-30 Thales Method for security analysis of a deployment file of an orchestration platform of a cluster of servers; Product computer program and associated orchestration platform.

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104484628A (en) * 2014-12-17 2015-04-01 西安邮电大学 Multi-application intelligent card with encryption and decryption functions
CN110166278A (en) * 2019-04-09 2019-08-23 平安科技(深圳)有限公司 Kubernetes cluster building method, apparatus, computer equipment and storage medium
CN111125690A (en) * 2019-11-29 2020-05-08 苏州浪潮智能科技有限公司 Method and device for reinforcing host and storage medium




Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant