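#!/bin/bash
#
# stackrox_compliance_scan.sh - run one compliance standard against the first
# cluster StackRox Central reports and save the results to the current directory.
#
# Usage:  ./stackrox_compliance_scan.sh <SERVER NAME>      (Central host[:port])
# Output: <SERVERNAME>_<CLUSTERNAME>_<STANDARD>_Results_<mm-dd-yy>.json|csv
# Env:    STACKROX_CACERT  PEM CA bundle used to verify Central's TLS certificate.
#                          Unset -> curl -k (no verification), which lets anyone on
#                          the network path read the admin password and the API
#                          token. Set it for anything beyond a throw-away lab.
#         SCAN_TIMEOUT     seconds to wait for the run to finish (default 900).
#
# First run: asks for the admin password, creates the "Compliance" role if it is
# missing, mints an API token bound to that role and caches it in
# ./stackrox_api.token (mode 0600). Later runs reuse the cached token; delete
# the file to mint a new one.
#
# supported standards CIS_Kubernetes_v1_5 HIPAA_164 NIST_800_190 NIST_SP_800_53_Rev_4 PCI_DSS_3_2 CIS_Docker_v1_2_0
standardId="NIST_800_190"
# output formats are json or csv
output_format=json
###### no more edits
set -uo pipefail
readonly token_file="stackrox_api.token"
scan_timeout=${SCAN_TIMEOUT:-900}
# The token file and the compliance results are sensitive: never create them
# readable by other users on this host.
umask 077
RED=$(tput setaf 1 2>/dev/null)
GREEN=$(tput setaf 2 2>/dev/null)
NORMAL=$(tput sgr0 2>/dev/null)
# 0600 temp file holding the Authorization header for the current phase
# (Basic admin:password during setup, Bearer <token> afterwards). curl reads it
# with -H @file so neither secret is ever an argv entry visible in `ps`.
auth_hdr_file=""

# die MESSAGE... - print a warning to stderr and exit non-zero.
die() {
  printf '%s [warn]%s %s\n' "$RED" "$NORMAL" "$*" >&2
  exit 1
}

# sx_curl ARGS... - curl against Central: silent, -f so an HTTP error becomes a
# non-zero status instead of a JSON error body that jq would happily parse, the
# Authorization header taken from auth_hdr_file, and TLS verification per
# STACKROX_CACERT.
sx_curl() {
  local -a tls
  if [[ -n "${STACKROX_CACERT:-}" ]]; then
    tls=(--cacert "$STACKROX_CACERT")
  else
    tls=(-k)   # original behaviour; see the STACKROX_CACERT note in the header
  fi
  curl -sSf "${tls[@]}" -H "@${auth_hdr_file}" "$@"
}

# setup - create the Compliance role if it is missing and mint an API token
# for it. Prompts for the admin password; writes the token to $token_file.
# Globals: serverUrl, auth_hdr_file, token_file (all read; token_file written)
setup() {
  local password roles token
  printf '\n Creating the API token. Admin password required. \n'
  printf ' - StackRox Admin Password for %s: ' "$serverUrl"
  IFS= read -rs password; echo
  [[ -n "$password" ]] || die "Empty password."
  # Basic auth header into the 0600 temp file instead of `-u admin:$password` on argv
  printf 'Authorization: Basic %s\n' \
    "$(printf '%s' "admin:${password}" | base64 | tr -d '\n')" > "$auth_hdr_file"
  roles=$(sx_curl "https://${serverUrl}/v1/roles") \
    || die "Could not list roles on $serverUrl (wrong password, or a TLS/connectivity problem)."
  # jq -e exits non-zero when select() produces nothing, i.e. the role is missing
  if ! jq -e '.roles[] | select(.name=="Compliance")' >/dev/null <<<"$roles"; then
    sx_curl -X POST "https://${serverUrl}/v1/roles/Compliance" \
      -H 'accept: application/json, text/plain, */*' \
      -d '{"name":"Compliance","globalAccess":"NO_ACCESS","resourceToAccess":{"Cluster": "READ_ACCESS","Compliance":"READ_WRITE_ACCESS","ComplianceRunSchedule":"READ_WRITE_ACCESS","ComplianceRuns":"READ_WRITE_ACCESS"}}' \
      >/dev/null || die "Creating the Compliance role failed."
  fi
  token=$(sx_curl -X POST "https://${serverUrl}/v1/apitokens/generate" \
            -d '{"name":"compliance","role":null,"roles":["Compliance"]}' \
          | jq -r '.token // empty') || die "Generating the API token failed."
  # never cache "null"/"": the old script did, and later runs kept using it
  [[ -n "$token" ]] || die "Central returned no token; check the admin password and the Compliance role."
  printf '%s\n' "$token" > "$token_file"
  chmod 600 "$token_file"
  printf '\n----------------------------------------------------------------------------------\n'
}

printf '\n StackRox Compliance Automation Script\n'
echo " - Inputs: ./stackrox_compliance_scan.sh <SERVER NAME>"
echo " - Outputs: <SERVERNAME>_<CLUSTERNAME>_<STANDARD>_Results_$(date +"%m-%d-%y").$output_format"
printf -- '----------------------------------------------------------------------------------\n\n'
serverUrl=${1:-}
[[ -n "$serverUrl" ]] || die "Please add the server name to the command."
# fail before touching Central rather than silently writing nothing at the end
[[ "$output_format" == json || "$output_format" == csv ]] \
  || die "output_format must be json or csv (got '${output_format}')."
auth_hdr_file=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$auth_hdr_file"' EXIT
# reuse the cached token, otherwise ask for the admin password once and mint one
[[ -f "$token_file" ]] || setup
# not exported: the token has no business in the environment of every child process
token=$(<"$token_file")
[[ -n "$token" && "$token" != null ]] \
  || die "$token_file is empty or invalid; delete it and re-run to create a new token."
printf 'Authorization: Bearer %s\n' "$token" > "$auth_hdr_file"
echo -n "Running $standardId scan on $serverUrl "
# first cluster only, as before; a 401 here usually means the cached token was revoked
clusterId=$(sx_curl "https://${serverUrl}/v1/clusters" | jq -r '.clusters[0].id // empty') \
  || die "Listing clusters failed (delete $token_file to re-create the token if it was revoked)."
[[ -n "$clusterId" ]] || die "Central reports no clusters."
clusterName=$(sx_curl "https://${serverUrl}/v1/clusters/${clusterId}" | jq -r '.cluster.name // empty') \
  || die "Looking up cluster ${clusterId} failed."
# build the request body with jq instead of splicing ids into a JSON string
runId=$(sx_curl -X POST "https://${serverUrl}/v1/compliancemanagement/runs" \
          -d "$(jq -cn --arg c "$clusterId" --arg s "$standardId" '{selection:{clusterId:$c,standardId:$s}}')" \
        | jq -r '.startedRuns[0].id // empty') || die "Starting the compliance run failed."
[[ -n "$runId" ]] || die "Central did not start a ${standardId} run on ${clusterName}."
# poll until FINISHED, but give up after scan_timeout so a stuck or failed run
# cannot leave this script spinning forever (the old loop had no exit path)
SECONDS=0
state=""
until state=$(sx_curl "https://${serverUrl}/v1/complianceManagement/runs" \
                | jq -r --arg id "$runId" '.complianceRuns[] | select(.id==$id) | .state // empty') \
      && [[ "$state" == "FINISHED" ]]; do
  (( SECONDS < scan_timeout )) \
    || die "Run ${runId} did not finish within ${scan_timeout}s (last state: '${state:-unknown}')."
  echo -n "."
  sleep 1
done
out_file="${serverUrl}_${clusterName//\//_}_${standardId}_Results_$(date +"%m-%d-%y").${output_format}"
query="clusterId=${clusterId}&standardId=${standardId}&runId=${runId}"
case "$output_format" in
  json) sx_curl "https://${serverUrl}/v1/compliance/runresults?${query}" | jq . > "$out_file" ;;
  csv)  sx_curl "https://${serverUrl}/api/compliance/export/csv?${query}" > "$out_file" ;;
esac || { rm -f -- "$out_file"; die "Downloading the results failed."; }
printf '%s [ok] %s\n\n' "$GREEN" "$NORMAL"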