RubyGems - CloudyScripts - Versions diffs - 1.6.1 → 1.7.27 - Mend

CloudyScripts 1.6.1 → 1.7.27

Files changed (176) hide show

data/Rakefile +1 -1
data/lib/audit/checks/APACHE2.group +6 -0
data/lib/audit/checks/APACHE2_CONFIG_01.check +36 -0
data/lib/audit/checks/APACHE2_CONFIG_02.check +34 -0
data/lib/audit/checks/APACHE2_CONFIG_03.check +60 -0
data/lib/audit/checks/APACHE2_CONFIG_04.check +23 -0
data/lib/audit/checks/APACHE2_CONFIG_05.check +23 -0
data/lib/audit/checks/APACHE2_CONFIG_06.check +30 -0
data/lib/audit/checks/APACHE2_INIT_1.check +14 -0
data/lib/audit/checks/APACHE2_INIT_2.check +66 -0
data/lib/audit/checks/APACHE2_INIT_3.check +13 -0
data/lib/audit/checks/APACHE2_USER_7.check +17 -0
data/lib/audit/checks/BACKUP_HOME_DOTFILES.check +26 -0
data/lib/audit/checks/BACKUP_LOG.check +24 -0
data/lib/audit/checks/BACKUP_MAIL.check +19 -0
data/lib/audit/checks/BACKUP_WEB.check +12 -0
data/lib/audit/checks/CONFIGURATION_BACKUP.check +14 -0
data/lib/audit/checks/DIRECTORY_LISTING.check +14 -0
data/lib/audit/checks/DISTRIBUTION_FACTS.check +60 -0
data/lib/audit/checks/DMESG_OUTPUT.check +14 -0
data/lib/audit/checks/FIND_GROUP_FILE.check +6 -0
data/lib/audit/checks/FIND_PASSWD_FILE.check +8 -0
data/lib/audit/checks/FIND_SHADOW_FILE.check +5 -0
data/lib/audit/checks/FIND_SUDOERS_FILE.check +6 -0
data/lib/audit/checks/FREE_SPACE.check +26 -0
data/lib/audit/checks/HAS_AWK.check +30 -0
data/lib/audit/checks/HAS_BASE.check +21 -0
data/lib/audit/checks/HAS_CAT.check +18 -0
data/lib/audit/checks/HAS_COMPRESSOR.check +30 -0
data/lib/audit/checks/HAS_CUT.check +18 -0
data/lib/audit/checks/HAS_DF.check +19 -0
data/lib/audit/checks/HAS_DPKG.check +18 -0
data/lib/audit/checks/HAS_FILE_DOWNLOADER.check +32 -0
data/lib/audit/checks/HAS_FIND.check +18 -0
data/lib/audit/checks/HAS_GREP.check +19 -0
data/lib/audit/checks/HAS_GROUPCHECK.check +23 -0
data/lib/audit/checks/HAS_GROUPS.check +19 -0
data/lib/audit/checks/HAS_HOSTNAME.check +7 -0
data/lib/audit/checks/HAS_ID.check +7 -0
data/lib/audit/checks/HAS_LSB_RELEASE.check +16 -0
data/lib/audit/checks/HAS_MOUNT.check +19 -0
data/lib/audit/checks/HAS_NETSTAT.check +20 -0
data/lib/audit/checks/HAS_PASSWD_CHECK.check +17 -0
data/lib/audit/checks/HAS_PS.check +19 -0
data/lib/audit/checks/HAS_ROUTE.check +19 -0
data/lib/audit/checks/HAS_SH.check +19 -0
data/lib/audit/checks/HAS_SORT.check +17 -0
data/lib/audit/checks/HAS_STAT.check +17 -0
data/lib/audit/checks/HAS_SUPERUSER.check +11 -0
data/lib/audit/checks/HAS_TAIL.check +16 -0
data/lib/audit/checks/HAS_TAR.check +7 -0
data/lib/audit/checks/HAS_TR.check +22 -0
data/lib/audit/checks/HAS_UNAME.check +7 -0
data/lib/audit/checks/HAS_UNIQ.check +17 -0
data/lib/audit/checks/HAS_WC.check +16 -0
data/lib/audit/checks/HAS_WHO.check +18 -0
data/lib/audit/checks/HAS_YUM.check +18 -0
data/lib/audit/checks/LASTLOG.check +28 -0
data/lib/audit/checks/LIST_ROUTES.check +33 -0
data/lib/audit/checks/LIST_USER_ACCOUNTS.check +25 -0
data/lib/audit/checks/LOADED_MODULES.check +22 -0
data/lib/audit/checks/LOCAL_NMAP.check +97 -0
data/lib/audit/checks/LOGGED_USERS.check +28 -0
data/lib/audit/checks/LYNIS_AUTH.group +9 -0
data/lib/audit/checks/LYNIS_AUTH_9204.check +43 -0
data/lib/audit/checks/LYNIS_AUTH_9208.check +35 -0
data/lib/audit/checks/LYNIS_AUTH_9216.check +24 -0
data/lib/audit/checks/LYNIS_AUTH_9222.check +25 -0
data/lib/audit/checks/LYNIS_AUTH_9226.check +24 -0
data/lib/audit/checks/LYNIS_AUTH_9228.check +24 -0
data/lib/audit/checks/LYNIS_AUTH_9252.check +19 -0
data/lib/audit/checks/MAYBE_HAS_BZIP2.check +17 -0
data/lib/audit/checks/MAYBE_HAS_CURL.check +17 -0
data/lib/audit/checks/MAYBE_HAS_DU.check +17 -0
data/lib/audit/checks/MAYBE_HAS_HOSTNAME.check +17 -0
data/lib/audit/checks/MAYBE_HAS_ID.check +17 -0
data/lib/audit/checks/MAYBE_HAS_LSB_RELEASE.check +15 -0
data/lib/audit/checks/MAYBE_HAS_SUPERUSER.check +36 -0
data/lib/audit/checks/MAYBE_HAS_TAR.check +19 -0
data/lib/audit/checks/MAYBE_HAS_UNAME.check +17 -0
data/lib/audit/checks/MAYBE_HAS_WGET.check +17 -0
data/lib/audit/checks/MOUNTED_DEVICES.check +22 -0
data/lib/audit/checks/MYSQL_HISTORY_1.check +29 -0
data/lib/audit/checks/MYSQL_INIT_1.check +9 -0
data/lib/audit/checks/MYSQL_INIT_2.check +12 -0
data/lib/audit/checks/MYSQL_INIT_3.check +7 -0
data/lib/audit/checks/PACKAGES_INSTALLED_DPKG.check +38 -0
data/lib/audit/checks/PACKAGES_INSTALLED_YUM.check +36 -0
data/lib/audit/checks/PASSWORD_INFORMATION.check +33 -0
data/lib/audit/checks/PLATFORM_FACTS.check +35 -0
data/lib/audit/checks/PORTS_OPEN_NETSTAT.check +121 -0
data/lib/audit/checks/PROCESS_LIST.check +87 -0
data/lib/audit/checks/SLOW.group +7 -0
data/lib/audit/checks/SLOW_1.check +4 -0
data/lib/audit/checks/SLOW_2.check +4 -0
data/lib/audit/checks/SLOW_3.check +4 -0
data/lib/audit/checks/SSH.group +14 -0
data/lib/audit/checks/SSH_CONFIG_01.check +12 -0
data/lib/audit/checks/SSH_CONFIG_02.check +15 -0
data/lib/audit/checks/SSH_CONFIG_03.check +13 -0
data/lib/audit/checks/SSH_CONFIG_04.check +11 -0
data/lib/audit/checks/SSH_CONFIG_05.check +12 -0
data/lib/audit/checks/SSH_CONFIG_06.check +12 -0
data/lib/audit/checks/SSH_CONFIG_07.check +11 -0
data/lib/audit/checks/SSH_CONFIG_08.check +12 -0
data/lib/audit/checks/SSH_CONFIG_09.check +12 -0
data/lib/audit/checks/SSH_CONFIG_10.check +15 -0
data/lib/audit/checks/SSH_CONFIG_11.check +14 -0
data/lib/audit/checks/SSH_INIT_1.check +9 -0
data/lib/audit/checks/SSH_INIT_2.check +12 -0
data/lib/audit/checks/SSH_KEYS_1.check +32 -0
data/lib/audit/checks/USERS_INIT_1.check +9 -0
data/lib/audit/checks/USERS_INIT_2.check +5 -0
data/lib/audit/checks/USERS_INIT_3.check +5 -0
data/lib/audit/checks/USERS_INIT_4.check +9 -0
data/lib/audit/checks/USERS_INIT_5.check +10 -0
data/lib/audit/checks/USER_INFORMATION.check +29 -0
data/lib/audit/checks/VARIOUS.group +19 -0
data/lib/audit/checks/VAR_LIST_HOME_DIRECTORIES.check +5 -0
data/lib/audit/checks/benchmark.group +6 -0
data/lib/audit/checks/footer.template +12 -0
data/lib/audit/checks/header.template +10 -0
data/lib/audit/checks/helpers/head.sh +59 -0
data/lib/audit/checks/script_header.template +69 -0
data/lib/audit/create_benchmark.sh +93 -0
data/lib/audit/lib/audit.rb +136 -0
data/lib/audit/lib/audit_facade.rb +5 -0
data/lib/audit/lib/benchmark/audit_benchmark.rb +165 -0
data/lib/audit/lib/benchmark/automatic_dependencies.rb +13 -0
data/lib/audit/lib/benchmark/benchmark_factory.rb +23 -0
data/lib/audit/lib/benchmark/benchmark_result.rb +25 -0
data/lib/audit/lib/benchmark/check.rb +34 -0
data/lib/audit/lib/benchmark/group.rb +30 -0
data/lib/audit/lib/benchmark/item_exception.rb +13 -0
data/lib/audit/lib/benchmark/result_code.rb +11 -0
data/lib/audit/lib/benchmark/rule_result.rb +42 -0
data/lib/audit/lib/benchmark/rule_role.rb +5 -0
data/lib/audit/lib/benchmark/rule_severity.rb +13 -0
data/lib/audit/lib/benchmark/yaml_benchmark.rb +133 -0
data/lib/audit/lib/connection/ami_connection.rb +4 -0
data/lib/audit/lib/connection/connection_factory.rb +27 -0
data/lib/audit/lib/connection/ssh_connection.rb +243 -0
data/lib/audit/lib/ec2_utils.rb +245 -0
data/lib/audit/lib/http_fingerprint.rb +116 -0
data/lib/audit/lib/lazy.rb +37 -0
data/lib/audit/lib/linear_script_generator.rb +31 -0
data/lib/audit/lib/main.rb +13 -0
data/lib/audit/lib/my_option_parser.rb +106 -0
data/lib/audit/lib/nessus_new.rb +290 -0
data/lib/audit/lib/nessus_utils.rb +102 -0
data/lib/audit/lib/parser/command/abstract_command.rb +32 -0
data/lib/audit/lib/parser/command/abstract_command_result.rb +30 -0
data/lib/audit/lib/parser/command/attach_file_command.rb +63 -0
data/lib/audit/lib/parser/command/check_finished_command.rb +45 -0
data/lib/audit/lib/parser/command/cpe_name_command.rb +37 -0
data/lib/audit/lib/parser/command/data_command.rb +43 -0
data/lib/audit/lib/parser/command/listening_port_command.rb +46 -0
data/lib/audit/lib/parser/command/message_command.rb +21 -0
data/lib/audit/lib/parser/command/program_name_command.rb +42 -0
data/lib/audit/lib/parser/parse_exception.rb +2 -0
data/lib/audit/lib/parser/result_type.rb +13 -0
data/lib/audit/lib/parser/script_output_parser.rb +201 -0
data/lib/audit/lib/parser/stdout_line_buffer.rb +43 -0
data/lib/audit/lib/ssh_fingerprint.rb +220 -0
data/lib/audit/lib/ssh_fingerprint2.rb +170 -0
data/lib/audit/lib/ssh_utils.rb +292 -0
data/lib/audit/lib/transformers/web_view_transformer.rb +171 -0
data/lib/audit/lib/transformers/yaml_transformer.rb +50 -0
data/lib/audit/lib/util/random_string.rb +22 -0
data/lib/audit/lib/version.rb +7 -0
data/lib/help/ec2_helper.rb +65 -2
data/lib/help/remote_command_handler.rb +17 -0
data/lib/help/state_transition_helper.rb +8 -0
data/lib/scripts/ec2/open_port_checker.rb +112 -0
data/lib/scripts/ec2/port_range_detector.rb +0 -1
metadata +175 -16

data/lib/audit/lib/transformers/web_view_transformer.rb ADDED Viewed

@@ -0,0 +1,171 @@
+# To change this template, choose Tools | Templates
+# and open the template in the editor.
+# icons taken from http://www.famfamfam.com/lab/icons/silk/
+require 'benchmark/audit_benchmark'
+require 'parser/result_type'
+require 'logger'
+class WebViewTransformer
+  IMAGE_PREFIX = "/images"
+  BENCHMARK_ID = "BENCHMARK"
+  @@LOG = Logger.new(STDOUT)
+  def self.get(audit, id)
+    if (id == :root) then
+      item = audit.benchmark
+     return {
+      'data'     => {
+        'title'    => item.name || item.id,
+        'attr'     => {},
+        'icon'     => 'folder'},
+      'attr'     => {
+        'id'       => BENCHMARK_ID},
+      'state'    => 'closed'}
+    else
+      return self.get_children(audit, id)
+    end
+  end
+  def self.get_children(audit, id)
+    if id == BENCHMARK_ID then
+      item = audit.benchmark
+    else
+      item = audit.results[id] || audit.benchmark.item_repository[id]
+    end
+    if item.kind_of? AuditBenchmark then
+      return item.children.map {|x| self.get_item(audit, x.id)}
+    elsif item.kind_of? Group then
+      return item.children.map {|x| self.get_item(audit, x.id)}
+    elsif item.kind_of? RuleResult then
+      if item.rule.description then
+        results = [{
+              'data'     => {
+               'title'    => item.rule.description,
+               'icon'     => "#{IMAGE_PREFIX}/tag_blue.png"},
+              'state'    => 'opened',
+              'children' => []
+            }]
+      else
+        results = []
+      end
+      results = results + item.check.reject do|x|
+         x.methods.include?(:visible?) && (!x.visible?())
+      end.map do |x|
+          case x.type
+          when ResultType::MESSAGE then
+            {
+              'data' => {
+                'title' => x.to_string(),
+                'icon' => "#{IMAGE_PREFIX}/script.png"},
+              'state' => 'opened',
+              'children' => []
+            }
+          when ResultType::DATA then
+            {
+              'data' => {
+                'title' => x.to_string(),
+                'icon' => "#{IMAGE_PREFIX}/brick.png"},
+              'state' => 'opened',
+              'children' => []
+            }
+          when ResultType::PROGRAM_NAME then
+            {
+              'data' => {
+                'title' => x.to_string(),
+                'icon' => "#{IMAGE_PREFIX}/cog.png"},
+              'state' => 'opened',
+              'children' => []
+            }
+          else
+            {
+              'data' => {
+                'title' => x.to_string(),
+                'icon' => "file"},
+              'state' => 'opened',
+              'children' => []
+            }
+          end
+      end
+      return results
+    elsif item.kind_of? Check then
+      #check was not executed, thus no result
+      if item.description then
+        return [{
+              'data'     => {
+                'title'    => item.description,
+                'icon'     => "#{IMAGE_PREFIX}/tag_blue.png"},
+              'state'    => 'opened',
+              'children' => []
+            }]
+      else
+        return []
+      end
+    else
+      raise "Unknown item type #{item.class.name}"
+    end
+  end
+  def self.get_item(audit, id)
+    item = audit.results[id] || audit.benchmark.item_repository[id]
+    if item.kind_of? AuditBenchmark then
+      return {
+      'data'     => {
+        'title'    => item.name || item.id,
+        'icon'     => 'folder'},
+      'attr'     => {'id' => 'BENCHMARK'},
+      'state'    => 'closed'}
+    elsif item.kind_of? Group then
+      return {
+      'data'     => {
+        'title'    => item.name || item.id,
+        'icon'     => 'folder'},
+        'attr'     => {'id' => item.id},
+      'state'    => 'closed'}
+    elsif item.kind_of? RuleResult then
+       return {
+        'data'     => {
+          'title'    => item.rule.name || item.rule.id,
+          'icon'     => case item.result
+              when ResultCode::PASS then "#{IMAGE_PREFIX}/tick.png"
+              when ResultCode::FAIL then
+                if (item.severity == RuleSeverity::LOW || item.severity == RuleSeverity::INFO) then
+                  "#{IMAGE_PREFIX}/warning.png"
+                else
+                  "#{IMAGE_PREFIX}/fail.png"
+                end
+              else "#{IMAGE_PREFIX}/question.png"
+            end},
+        'attr'     => { 'id' => item.rule.id},
+        'state'    => 'closed'}
+    elsif item.kind_of? Check then
+      if item.description then
+        return {
+        'data'     => {
+          'title'    => item.name || item.id,
+          'icon'     => "#{IMAGE_PREFIX}/hourglass.png"},
+        'attr'     => {'id' => item.id},
+        'state'    => 'closed'}
+      else
+        return {
+        'data'     => {
+          'title'    => item.name || item.id,
+          'icon'     => "#{IMAGE_PREFIX}/hourglass.png"},
+        'attr'     => {'id' => item.id},
+        'state'    => 'opened',
+        'children' => []}
+      end
+    else
+      raise "Unknown item type #{item.class.name} for id #{id}"
+    end
+  end
+end

data/lib/audit/lib/transformers/yaml_transformer.rb ADDED Viewed

@@ -0,0 +1,50 @@
+# To change this template, choose Tools | Templates
+# and open the template in the editor.
+class YamlTransformer
+  def initialize
+  end
+  def self.transform(report)
+    self.transform_node(report, report.get_root)
+  end
+  def self.transform_node(report, node)
+    if node.kind_of? AuditBenchmark then
+      return self.transform_benchmark(report, node)
+    elsif node.kind_of? Group then
+      return self.transform_group(report, node)
+    elsif node.kind_of? RuleResult then
+      return self.transform_rule_result(report, node)
+    else
+      raise "Unknown report node type #{node.class.name}"
+    end
+  end
+  def self.transform_benchmark(report, node)
+    return {:id => node.id,
+            :name => node.name,
+            :description => node.description,
+            :children => node.children.map {|x| self.transform_node(report, report.get(x.id))}}
+  end
+  def self.transform_group(report, node)
+    return {:id => node.id,
+            :name => node.name,
+            :description => node.description,
+            :children => node.children.map {|x| self.transform_node(report, report.get(x.id))}}
+  end
+  def self.transform_rule_result(report, node)
+    return {:rule_refid => node.rule.id,
+            :name => node.rule.name,
+            :description => node.rule.description,
+            :check => node.check.map {|x| self.transform_check(x)}
+    }
+  end
+  def self.transform_check(check)
+    return check.to_hash()
+  end
+end

data/lib/audit/lib/util/random_string.rb ADDED Viewed

@@ -0,0 +1,22 @@
+# To change this template, choose Tools | Templates
+# and open the template in the editor.
+# Ruby 1.8 does not contains sample() function
+class Array
+  def sample()
+    return self.choice()
+  end
+end
+class RandomString
+  def initialize
+  end
+  def self.generate(length = 20, alphabet = ('A' .. 'Z').to_a + ('a' .. 'z').to_a + ('0' .. '9').to_a)
+    return (0 .. length).map { alphabet.sample }.join
+  end
+  def self.generate_name(length = 20)
+    return (('A' .. 'Z').to_a + ('a' .. 'z').to_a).sample + generate(length - 1)
+  end
+end

data/lib/audit/lib/version.rb ADDED Viewed

@@ -0,0 +1,7 @@
+require 'uri'
+class Version
+	attr_accessor :description
+	attr_accessor :timestamp
+	attr_accessor :updateUri
+end

data/lib/help/ec2_helper.rb CHANGED Viewed

@@ -106,8 +106,10 @@ class Ec2Helper
     end
   end
-  def instance_prop(instance_id, prop)
-    instances = @ec2_api.describe_instances(:instance_id => instance_id)
+  def instance_prop(instance_id, prop, instances = nil)
+    if instances == nil
+      instances = @ec2_api.describe_instances(:instance_id => instance_id)
+    end
     begin
       if instances['reservationSet']['item'][0]['instancesSet']['item'].size == 0
         raise Exception.new("instance #{instance_id} not found")
@@ -157,4 +159,65 @@ class Ec2Helper
     false
   end
+  # From the information retrieved via EC2::describe_security_groups, look up
+  # all open ports for the group specified
+  def get_security_group_info(group_name, group_infos)
+    group_infos['securityGroupInfo']['item'].each() do |group_info|
+      return group_info if group_info['groupName'] == group_name
+    end
+    nil
+  end
+  # From the information retrieved via EC2::describe_instances for a specific
+  # instance, retrieve the names of the security groups belonging to that instance.
+  def lookup_security_group_names(instance_info)
+    group_names = []
+    puts "lookup_security_group_names(#{instance_info.inspect})"
+    instance_info['groupSet']['item'].each() {|group_info|
+      group_name = group_info['groupName'] || group_info['groupId']
+      group_names << group_name
+    }
+    group_names
+  end
+  # From the information retrieved via EC2::describe_security_groups, look up
+  # all open ports for the group specified
+  def lookup_open_ports(group_name, group_infos)
+    puts "group_infos = #{group_infos.inspect}"
+    group_info = get_security_group_info(group_name, group_infos)
+    puts "group_info for #{group_name} = #{group_info.inspect}"
+    open_ports = []
+    group_info['ipPermissions']['item'].each() {|permission|
+      if permission['ipRanges'] == nil
+        #no IP-Ranges defined (group based mode): ignore
+        next
+      end
+      prot = permission['ipProtocol']
+      from_port = permission['fromPort'].to_i
+      to_port = permission['toPort'].to_i
+      next if from_port != to_port #ignore port ranges
+      permission['ipRanges']['item'].each() {|ipRange|
+        if ipRange['cidrIp'] == "0.0.0.0/0"
+          #found one
+          open_ports << {:protocol => prot, :port => from_port}
+        end
+      }
+    }
+    open_ports
+  end
+  # Looks up the instanceId for the output retrieved by EC2::describe_instances(:instance_id => xxx)
+  # without the reservation set.
+  def get_instance_id(instance_info)
+    puts "look up instanceId in #{instance_info.inspect}"
+    instance_info['instancesSet']['item'][0]['instanceId']
+  end
+  # Looks up the instanceId for the output retrieved by EC2::describe_instances(:instance_id => xxx)
+  # without the reservation set.
+  def get_instance_prop(instance_info, prop)
+    puts "look up #{prop} in #{instance_info.inspect}"
+    instance_info['instancesSet']['item'][0][prop.to_s]
+  end
 end

data/lib/help/remote_command_handler.rb CHANGED Viewed

@@ -11,6 +11,23 @@ class RemoteCommandHandler
     @use_sudo = false
   end
+  # Checks for a given IP/port if there's a response on that port.
+  def is_port_open?(ip, port)
+    begin
+      Timeout::timeout(5) do
+        begin
+          s = TCPSocket.new(ip, port)
+          s.close
+          return true
+        rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH
+          return false
+        end
+      end
+    rescue Timeout::Error
+      return false
+    end
+  end
   # Connect to the machine as root using a keyfile.
   # Params:
   # * ip: ip address of the machine to connect to

data/lib/help/state_transition_helper.rb CHANGED Viewed

@@ -179,6 +179,14 @@ module StateTransitionHelper
     @logger.info("found #{sgs.size} security groups")
     @context[:security_groups] = sgs
   end
+  def retrieve_instances()
+    @context[:script].post_message("going to retrieve all instances...")
+    inst = @context[:ec2_api_handler].describe_instances()
+    @context[:script].post_message("found #{inst.size} instances")
+    @logger.info("found #{inst.size} instances")
+    @context[:ec2_instances] = inst
+  end
   # Creates a new EBS volume.
   # Input Parameters:

data/lib/scripts/ec2/open_port_checker.rb ADDED Viewed

@@ -0,0 +1,112 @@
+require "help/script_execution_state"
+require "scripts/ec2/ec2_script"
+require "help/remote_command_handler"
+#require "help/dm_crypt_helper"
+require "help/ec2_helper"
+require "AWS"
+# Identifies all server instances with their ports open and checks if
+# there are instances where no service runs on that port. Port ranges are
+# ignored.
+#
+class OpenPortChecker < Ec2Script
+  # Input parameters
+  # * ec2_api_handler => object that allows to access the EC2 API
+  def initialize(input_params)
+    super(input_params)
+  end
+  def check_input_parameters()
+    if @input_params[:ec2_api_handler] == nil
+      raise Exception.new("no EC2 handler specified")
+    end
+  end
+  def load_initial_state()
+    OpenPortCheckerState.load_state(@input_params)
+  end
+  private
+  # Here begins the state machine implementation
+  class OpenPortCheckerState < ScriptExecutionState
+    def self.load_state(context)
+      state = context[:initial_state] == nil ? InitialState.new(context) : context[:initial_state]
+      state
+    end
+  end
+  # Nothing done yet. Retrieve all security groups
+  class InitialState < OpenPortCheckerState
+    def enter
+      retrieve_instances()
+      InstancesRetrievedState.new(@context)
+    end
+  end
+  # Got all instances. If there are some, check security groups
+  class InstancesRetrievedState < OpenPortCheckerState
+    def enter
+      if @context[:ec2_instances].size == 0
+        Done.new(@context)
+      else
+        retrieve_security_groups()
+        SecurityGroupsRetrievedState.new(@context)
+      end
+    end
+  end
+  # Got all instances. If there are some, check security groups
+  class SecurityGroupsRetrievedState < OpenPortCheckerState
+    def enter
+      @context[:result][:port_checks] = []
+      ec2_helper = Ec2Helper.new(@context[:ec2_api_handler])
+      @context[:ec2_instances]['reservationSet']['item'].each() do |instance_info|
+        instance_id = ec2_helper.get_instance_id(instance_info)
+        @logger.debug("instance_info = #{instance_info.inspect}")
+        instance_ip = ec2_helper.get_instance_prop(instance_info, 'dnsName')
+        instance_state = ec2_helper.get_instance_prop(instance_info, 'instanceState')['name']
+        if instance_state != "running"
+          post_message("ignore instance #{instance_id} since not running")
+          next
+        end
+        sec_groups = ec2_helper.lookup_security_group_names(instance_info)
+        @logger.debug("group lookup for #{instance_id} => #{sec_groups.inspect}")
+        sec_groups.each() do |group_name|
+          port_infos = ec2_helper.lookup_open_ports(group_name, @context[:security_groups])
+          @logger.debug("port_infos for group #{group_name} #{port_infos.inspect}")
+          port_infos.each() do |port_info|
+            result = false
+            begin
+              result = @context[:remote_command_handler].is_port_open?(instance_ip, port_info[:port])
+              post_message("check port #{port_info[:port]} for instance #{instance_id} (on #{instance_ip}) #{result ? "successful" : "failed"}")
+            rescue Exception => e
+              @logger.warn("exception during executing port check: #{e}")
+            end
+            @context[:result][:port_checks] << {:instance => instance_id, :protocol => port_info[:protocol],
+              :port => port_info[:port], :success => result, :group_name => group_name
+            }
+          end
+        end
+      end
+      AnalysisDone.new(@context)
+    end
+  end
+  # Nothing done yet. Retrieve all security groups
+  class AnalysisDone < OpenPortCheckerState
+    def enter
+      Done.new(@context)
+    end
+  end
+  # Script done.
+  class Done < OpenPortCheckerState
+    def done?
+      true
+    end
+  end
+end