updated screenshot of aqua's site

Fixed false positive on test_run_handler (#411 )
* fixed wrong check on test run handler * changed method of testing to be using 404 with real post method
2026-03-02 17:50:41 +00:00 · 2020-11-19 18:39:15 +02:00 · 2020-11-19 17:41:33 +02:00 · 2020-11-18 11:35:13 +02:00 · 2020-11-17 15:22:06 +02:00
2 changed files with 16 additions and 10 deletions
--- a/kube-hunter-screenshot.png
+++ b/kube-hunter-screenshot.png
--- a/kube_hunter/modules/hunting/kubelet.py
+++ b/kube_hunter/modules/hunting/kubelet.py
@@ -375,8 +375,9 @@ class SecureKubeletPortHunter(Hunter):
                container_name="test",
                cmd="",
            )
-            # if we get a Method Not Allowed, we know we passed Authentication and Authorization.
-            return self.session.get(run_url, verify=False, timeout=config.network_timeout).status_code == 405
+            # if we get this message, we know we passed Authentication and Authorization, and that the endpoint is enabled.
+            status_code = self.session.post(run_url, verify=False, timeout=config.network_timeout).status_code
+            return status_code == requests.codes.NOT_FOUND

        # returns list of currently running pods
        def test_running_pods(self):
@@ -1136,11 +1137,16 @@ class ProveSystemLogs(ActiveHunter):
            f"{self.base_url}/" + KubeletHandlers.LOGS.value.format(path="audit/audit.log"),
            verify=False,
            timeout=config.network_timeout,
-        ).text
-        logger.debug(f"Audit log of host {self.event.host}: {audit_logs[:10]}")
-        # iterating over proctitles and converting them into readable strings
-        proctitles = []
-        for proctitle in re.findall(r"proctitle=(\w+)", audit_logs):
-            proctitles.append(bytes.fromhex(proctitle).decode("utf-8").replace("\x00", " "))
-        self.event.proctitles = proctitles
-        self.event.evidence = f"audit log: {proctitles}"
+        )
+
+        # TODO: add more methods for proving system logs
+        if audit_logs.status_code == requests.status_codes.codes.OK:
+            logger.debug(f"Audit log of host {self.event.host}: {audit_logs.text[:10]}")
+            # iterating over proctitles and converting them into readable strings
+            proctitles = []
+            for proctitle in re.findall(r"proctitle=(\w+)", audit_logs.text):
+                proctitles.append(bytes.fromhex(proctitle).decode("utf-8").replace("\x00", " "))
+            self.event.proctitles = proctitles
+            self.event.evidence = f"audit log: {proctitles}"
+        else:
+            self.event.evidence = "Could not parse system logs"
Author	SHA1	Message	Date
Daniel Sagi	00221336ff	updated screenshot of aqua's site	2020-11-19 18:39:15 +02:00
danielsagi	14ca1b8bce	Fixed false positive on test_run_handler (#411 ) * fixed wrong check on test run handler * changed method of testing to be using 404 with real post method	2020-11-19 17:41:33 +02:00
danielsagi	5a578fd8ab	More intuitive message when ProveSystemLogs fails (#409 ) * fixed wrong message for when proving audit logs * fixed linting	2020-11-18 11:35:13 +02:00
danielsagi	bf7023d01c	Added docs for exposed pods (#407 ) * added doc _kb for exposed pods * correlated the new khv to the Exposed pods vulnerability * fixed linting	2020-11-17 15:22:06 +02:00