Mozilla scribe host policy evaluator
Перейти к файлу
Zack Mullaly e1a49b3e2c Replacing database interactions with a much simpler naming scheme and calls through the Clair API 2018-06-29 17:59:49 -04:00
scribecmd gofmt some missed files 2017-07-19 10:41:34 -05:00
scribevulnpolicy Replacing database interactions with a much simpler naming scheme and calls through the Clair API 2018-06-29 17:59:49 -04:00
test make raw test a go test 2017-07-19 16:58:20 -05:00
vendor vendor lib/pq 2017-07-18 16:57:29 -05:00
.gitignore update gitignore to ignore generated test json files 2017-07-18 15:02:41 -05:00
.travis.yml Update travis-ci to 1.6 2016-03-18 13:25:25 -04:00
LICENSE Initial commit 2015-07-07 10:48:31 -05:00
Makefile remove external testing reference from Makefile 2017-07-19 16:59:11 -05:00
README.md fix typo in README 2017-07-19 11:48:27 -05:00
chain.go Use standard GOPATH 2016-03-18 13:25:25 -04:00
concat.go Use standard GOPATH 2016-03-18 13:25:25 -04:00
document.go remove exported GetTest and make existing getTest exported 2017-07-19 15:30:14 -05:00
evr.go fix various golint warnings 2017-07-19 11:20:19 -05:00
evrops.go fix various golint warnings 2017-07-19 11:20:19 -05:00
evrops_test.go make evr tests actual go tests 2017-07-19 14:42:16 -05:00
exactmatch.go fix various golint warnings 2017-07-19 11:20:19 -05:00
filecontent.go fix various golint warnings 2017-07-19 11:20:19 -05:00
filename.go fix various golint warnings 2017-07-19 11:20:19 -05:00
fileops_test.go make filename tests a go test 2017-07-19 16:44:01 -05:00
hasline.go fix various golint warnings 2017-07-19 11:20:19 -05:00
meta_test.go make raw test a go test 2017-07-19 16:58:20 -05:00
noop.go Use standard GOPATH 2016-03-18 13:25:25 -04:00
object.go fix various golint warnings 2017-07-19 11:20:19 -05:00
package.go fix various golint warnings 2017-07-19 11:20:19 -05:00
package_test.go remove duplicate code and add a generic policy runner for tests 2017-07-19 16:31:30 -05:00
parser.go fix various golint warnings 2017-07-19 11:20:19 -05:00
pkgmgr.go fix various golint warnings 2017-07-19 11:20:19 -05:00
raw.go fix various golint warnings 2017-07-19 11:20:19 -05:00
regexp.go fix various golint warnings 2017-07-19 11:20:19 -05:00
result.go remove exported GetTest and make existing getTest exported 2017-07-19 15:30:14 -05:00
scribe.go fix various golint warnings 2017-07-19 11:20:19 -05:00
scribe_test.go remove duplicate code and add a generic policy runner for tests 2017-07-19 16:31:30 -05:00
test.go remove exported GetTest and make existing getTest exported 2017-07-19 15:30:14 -05:00
variable.go fix various golint warnings 2017-07-19 11:20:19 -05:00

README.md

scribe

scribe is a host policy evaluator written in Go.

Build Status Go Report Card

Overview

scribe is a Go library and frontend used to evaluate policies on systems. Policies are specified as a JSON or YAML document containing a series of tests, and these tests return a status indicating if the test criteria matched or not.

Tests reference objects in the policy file. An object can be considered an abstraction of some data from the system, for example a package version or the contents of a specific file. The tests also specify criteria that will be applied to the referenced object. For example, if an object returns a line from a given file, the test could indicate that the data must match specific content. If the match succeeeds, the test returns true.

It is intended to perform functions such as:

  • Identification of software versions that do not meet a specific requirement
  • Evaluation of hardening criteria or other system security policies
  • Any other functions involving extraction and analysis of host information

The software is designed to return only test status criteria, and meta-data associated with the test. It runs directly on the system being evaluated, and requires no data from the system to be returned to a central server for additional processing.

It's primary purpose is integration with Mozilla MIG which allows investigators to perform system evaluation by sending a policy to the MIG agent for execution. It is also suited to executing policies as part of an instance build and testing process, or periodically on an installed system.

Usage

Scribe policies can be evaluated using the scribecmd command line tool, or alternatively the scribe library can be included in another go application.

This example shows evaluation of a given policy file, where only tests that return true are displayed in the results.

$ ./scribecmd -f mypolicy.json -T

scribecmd supports other runtime options, see the usage output for details.

Vulnerability scanning

scribe can be used to perform vulnerability scanning directly on the system using a suitable policy file. The library implements various criteria specifications such as EVR (epoch/version/release) testing that can be used to determine if a given package version is less than what is required.

scribevulnpolicy is a policy generator that integrates with clair for vulnerability data. This tool can be used to generate scribe vulnerability check policies for supported platforms. For details on usage see the documentation for scribevulnpolicy.

Additional documentation

Additional documentation on the library is available at godoc.org.