Getting Started with KiCS Part 1: Install and a Simple Example with HTML Output

If you’ve no idea what KiCS is, head over to kics.io to learn about our open source Infrastructure as Code (IaC) scanning tool. If you can’t bear to tear yourself away from this article, just know that if you’re writing AWS CloudFormation templates, Terraform templates, Helm charts or Kubernetes YAML files, KiCS is a great way to keep your infrastructure free from dangerous misconfigurations.

In this article I’m going to walk through a simple KiCS install and scan on an Ubuntu Linux (18.04) host. Next I’ll configure the results to be exported as HTML into a folder used by NGINX as the web document root - so we can see the results in a neat web page.

There are a number of ways to install KiCS, the easiest probably being a Docker container, but for this installation I’m going to tread the middle ground between a container and a full build from source, and pull down the release tarball that contains the pre-built binary and its query files.

At the time of writing the latest version on the KiCS GitHub releases page was 1.2.3. I just need to pull the tarball for my Linux host down using curl:

KiCS Example>curl -LO  https://github.com/Checkmarx/kics/releases/download/v1.2.3/kics_1.2.3_linux_x64.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   635  100   635    0     0   3342      0 --:--:-- --:--:-- --:--:--  3342
100 25.4M  100 25.4M    0     0  30.7M      0 --:--:-- --:--:-- --:--:-- 53.9M
KiCS Example>

Note the -LO arguments: ‘L’ tells curl to follow redirects (GitHub serves release assets via a redirect), and ‘O’ saves the response to a local file named after the remote file instead of writing the bytes to the terminal. As with any binary pulled straight off the internet, pin the exact version in the URL and compare the download against a checksum you trust before you run it.

Next make a home for KiCS and extract it:

mkdir kics && tar xvfz kics_1.2.3_linux_x64.tar.gz  -C ./kics/
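As an added example (not part of the original post and not KiCS's own code), here is how I would harden that download-and-extract step in a script: verify the tarball's SHA-256 against a value you trust before touching it, and refuse any archive member that would write outside the target directory. The expected checksum is an assumption the caller supplies (for instance from the release page); make_sample_tarball() builds a constructed stand-in for kics_1.2.3_linux_x64.tar.gz so the whole thing runs offline, and demo() walks through the good, tampered and hostile cases.

```python
"""Verify a release tarball's SHA-256 and extract it without path escapes.

Added example; not from the KICS project or the original post. The checksum
is an assumption the caller supplies, and the sample archive is constructed.
"""
import hashlib
import hmac
import io
import os
import tarfile
import tempfile


def sha256_of(path):
    """Stream the file through SHA-256 so a large archive is not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_members(tar, dest):
    """Reject members that resolve outside dest (../ or absolute names) and links."""
    dest_real = os.path.realpath(dest)
    members = []
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(dest_real, member.name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            raise ValueError(f"refusing member outside destination: {member.name}")
        if member.issym() or member.islnk():
            raise ValueError(f"refusing link member: {member.name}")
        members.append(member)
    return members


def verify_and_extract(tarball, expected_sha256, dest):
    """Extract only if the SHA-256 matches; nothing is written on any failure."""
    actual = sha256_of(tarball)
    if not hmac.compare_digest(actual, expected_sha256.strip().lower()):
        raise ValueError(f"checksum mismatch for {tarball}: got {actual}")
    with tarfile.open(tarball, "r:gz") as tar:
        members = check_members(tar, dest)  # validated before anything is written
        os.makedirs(dest, exist_ok=True)
        # Newer Pythons ship tarfile.data_filter; use it as a second line of defence.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **extra)
    return [m.name for m in members]


def make_sample_tarball(path, files):
    """Build a small .tar.gz from {name: bytes}: a constructed stand-in for the release."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o755 if name == "kics" else 0o644
            tar.addfile(info, io.BytesIO(data))


def demo():
    """Good download, tampered download and hostile archive, in a scratch directory."""
    work = tempfile.mkdtemp(prefix="kics-verify-")
    good = os.path.join(work, "kics_1.2.3_linux_x64.tar.gz")
    make_sample_tarball(good, {"kics": b"#!/bin/sh\necho constructed stand-in\n",
                               "assets/queries/README.md": b"constructed\n"})
    published = sha256_of(good)  # in practice: the checksum you obtained out of band

    extracted = verify_and_extract(good, published, os.path.join(work, "kics"))

    # Tampered download: flip one byte, so the hash must no longer match.
    tampered = os.path.join(work, "tampered.tar.gz")
    with open(good, "rb") as fh:
        data = bytearray(fh.read())
    data[-1] ^= 0x01
    with open(tampered, "wb") as fh:
        fh.write(data)
    try:
        verify_and_extract(tampered, published, os.path.join(work, "kics2"))
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True

    # Hostile archive: hash is "correct", but a ../ member must still be refused.
    evil = os.path.join(work, "evil.tar.gz")
    make_sample_tarball(evil, {"../escaped": b"owned\n"})
    try:
        verify_and_extract(evil, sha256_of(evil), os.path.join(work, "kics3"))
        traversal_rejected = False
    except ValueError:
        traversal_rejected = True

    return {"extracted": extracted,
            "tampered_rejected": tampered_rejected,
            "traversal_rejected": traversal_rejected,
            "escaped_written": os.path.exists(os.path.join(work, "escaped"))}


if __name__ == "__main__":
    print(demo())
```

The member check runs before anything is written, so a hostile archive leaves no partial extraction behind; the constant-time comparison is not strictly needed for a public checksum but costs nothing and keeps the habit.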

Now we are ready to scan our first file. For this simple example, I’m going to pick a Kubernetes YAML file that just deploys a single pod:

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-4
spec:
  containers:
  - name: sec-ctx-4
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      privileged: true
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]

So following the example at kics.io I can run a quick and easy scan on the file to see if there are any security misconfigurations:

./kics scan -p ./priv.yaml -o results.json

This command simply scans my priv.yaml file and stores the results in the results.json output file. When we run the command, we also get the results back in the terminal. There are a number of issues with this config file, but the first one listed will serve as a good example:

Container Is Privileged, Severity: HIGH, Results: 1
Description: Do not allow container to be privileged.
Platform: Kubernetes

        [1]: /home/robert_haynes/kics/priv.yaml:10

                009:     securityContext:
                010:       privileged: true
                011:       capabilities:

Here we can see that KiCS has detected that the pod’s container runs as ‘privileged’. A privileged container receives every Linux capability and unrestricted access to the host’s devices, so compromising it is effectively compromising the node; the explicit capabilities.add on the following lines is moot once privileged is true.

The same finding is also stored in the results.json file, which is a great input for any further automation steps. Here is the excerpt for this query (one element of a larger JSON document):

{
                        "query_name": "Container Is Privileged",
                        "query_id": "dd29336b-fe57-445b-a26e-e6aa867ae609",
                        "query_url": "https://kubernetes.io/docs/concepts/workloads/pods/#privileged-mode-for-containers",
                        "severity": "HIGH",
                        "platform": "Kubernetes",
                        "files": [
                                {
                                        "file_name": "/home/robert_haynes/kics/priv.yaml",
                                        "similarity_id": "bf9b7686a6a815c5afbe428502ccdb595e2c2607bdd6d6622fc8bfbb59f76cfd",
                                        "line": 10,
                                        "issue_type": "IncorrectValue",
                                        "search_key": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-4}}.securityContext.privileged",
                                        "search_value": "",
                                        "expected_value": "spec.containers.name={{sec-ctx-4}}.securityContext.privileged is false",
                                        "actual_value": "spec.containers.name={{sec-ctx-4}}.securityContext.privileged is true",
                                        "value": null
                                }
                        ],
                        "category": "Insecure Configurations",
                        "description": "Do not allow container to be privileged."
                },
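To make the "input for automation" point concrete, here is an added example (not code from the original post or from KiCS) of a small gate script that reads results.json and fails a pipeline when findings at or above a chosen severity remain. It assumes the findings sit under a top-level "queries" array whose elements have the shape of the excerpt above (query_name, query_id, severity, files[...]); the sample document below is constructed in that shape from the page’s real finding plus one made-up MEDIUM entry.

```python
"""Gate a CI job on a KICS results.json.

Added example; not KICS's own code. Assumes findings live under a top-level
"queries" array shaped like the excerpt in the post. SAMPLE_RESULTS is constructed.
"""
import json
import sys
from collections import Counter

SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}

SAMPLE_RESULTS = """{
  "files_scanned": 1,
  "queries": [
    {
      "query_name": "Container Is Privileged",
      "query_id": "dd29336b-fe57-445b-a26e-e6aa867ae609",
      "severity": "HIGH",
      "platform": "Kubernetes",
      "files": [
        {
          "file_name": "/home/robert_haynes/kics/priv.yaml",
          "line": 10,
          "issue_type": "IncorrectValue",
          "expected_value": "spec.containers.name={{sec-ctx-4}}.securityContext.privileged is false",
          "actual_value": "spec.containers.name={{sec-ctx-4}}.securityContext.privileged is true"
        }
      ]
    },
    {
      "query_name": "Constructed Medium Finding",
      "query_id": "00000000-0000-4000-8000-000000000002",
      "severity": "MEDIUM",
      "platform": "Kubernetes",
      "files": [
        {
          "file_name": "/home/robert_haynes/kics/priv.yaml",
          "line": 8,
          "issue_type": "IncorrectValue",
          "expected_value": "constructed expectation",
          "actual_value": "constructed actual value"
        }
      ]
    }
  ]
}"""


def load_findings(results_json):
    """Flatten queries[].files[] into one record per finding."""
    data = json.loads(results_json)
    findings = []
    for query in data.get("queries", []):
        for hit in query.get("files", []):
            findings.append({
                "query_id": query.get("query_id", ""),
                "query": query.get("query_name", ""),
                "severity": str(query.get("severity", "INFO")).upper(),
                "file": hit.get("file_name", ""),
                "line": hit.get("line", 0),
                "expected": hit.get("expected_value", ""),
                "actual": hit.get("actual_value", ""),
            })
    return findings


def count_by_severity(findings):
    return dict(Counter(f["severity"] for f in findings))


def blocking_findings(findings, fail_on="HIGH", allow_query_ids=()):
    """Findings at or above fail_on, minus query IDs explicitly accepted.

    A severity this script does not know ranks above HIGH, so a new level
    added by a future KICS release fails the build instead of slipping through.
    """
    threshold = SEVERITY_RANK[fail_on.upper()]
    unknown = len(SEVERITY_RANK)
    return [f for f in findings
            if SEVERITY_RANK.get(f["severity"], unknown) >= threshold
            and f["query_id"] not in allow_query_ids]


def exit_code(findings, fail_on="HIGH", allow_query_ids=()):
    return 1 if blocking_findings(findings, fail_on, allow_query_ids) else 0


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_RESULTS
    fail_on = argv[2] if len(argv) > 2 else "HIGH"
    findings = load_findings(text)
    for f in sorted(findings, key=lambda f: -SEVERITY_RANK.get(f["severity"], 99)):
        print(f"{f['severity']:<6} {f['file']}:{f['line']}  {f['query']}")
    print("totals:", count_by_severity(findings))
    blocking = blocking_findings(findings, fail_on)
    print(f"{len(blocking)} finding(s) at or above {fail_on}")
    return exit_code(findings, fail_on)


if __name__ == "__main__":
    sys.exit(main(sys.argv))  # e.g. python gate.py results.json MEDIUM
```

The allow-list is keyed on query_id rather than query_name because the ID is the stable identifier; accept a specific finding there only with a recorded reason, and keep the threshold at HIGH or MEDIUM rather than silently downgrading it when a scan starts failing.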

I want to make the results more readable while I explore KiCS, so I’m going to take advantage of the other results formats that KiCS supports, and in particular HTML.

So let’s install a web server:

sudo apt install nginx

And do a bit of housekeeping:

sudo chown -R "$USER":www-data /var/www/html

/var/www/html is the document root of the default NGINX site, so this lets my own user write scan reports there while the www-data worker processes can still read them.

Check we are up and running:

sudo service nginx status

You should get something a bit like this:

KiCS Example>sudo service nginx status
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: en
   Active: active (running) since Wed 2021-04-14 19:53:37 UTC; 5min ago
     Docs: man:nginx(8)
 Main PID: 3014 (nginx)
    Tasks: 3 (limit: 1123)
   CGroup: /system.slice/nginx.service
           ├─3014 nginx: master process /usr/sbin/nginx -g daemon on; master_pro
           ├─3019 nginx: worker process
           └─3020 nginx: worker process

Apr 14 19:53:37 kics-example systemd[1]: Starting A high performance web server...
Apr 14 19:53:37 kics-example systemd[1]: nginx.service: Failed to parse PID from...
Apr 14 19:53:37 kics-example systemd[1]: Started A high performance web server a...

Now we can run our KiCS scan and make some html:

./kics scan -p ./priv.yaml -o /var/www/html/results.html --report-formats "html"

Notice I’ve pointed the output at the web root directory and used --report-formats "html".

Now, if I head to the IP of my server and open the results.html page, I get a human-friendly view of the same findings. Bear in mind that the default NGINX site serves this directory to anyone who can reach port 80, and the report lists full file paths and every misconfiguration found, so keep this on a host only you can reach, or put authentication in front of it, before pointing it at real infrastructure code.

In this introduction we have installed KiCS and scanned a file, plus created a more readable (if less useful for any kind of automation) output format.

In part 2 we will take a look at the query objects that comprise the KiCS rule set.
