RubyGems - CloudyScripts - Versions diffs - 1.6.1 → 1.7.27 - Mend

CloudyScripts 1.6.1 → 1.7.27

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (176) hide show

data/Rakefile +1 -1
data/lib/audit/checks/APACHE2.group +6 -0
data/lib/audit/checks/APACHE2_CONFIG_01.check +36 -0
data/lib/audit/checks/APACHE2_CONFIG_02.check +34 -0
data/lib/audit/checks/APACHE2_CONFIG_03.check +60 -0
data/lib/audit/checks/APACHE2_CONFIG_04.check +23 -0
data/lib/audit/checks/APACHE2_CONFIG_05.check +23 -0
data/lib/audit/checks/APACHE2_CONFIG_06.check +30 -0
data/lib/audit/checks/APACHE2_INIT_1.check +14 -0
data/lib/audit/checks/APACHE2_INIT_2.check +66 -0
data/lib/audit/checks/APACHE2_INIT_3.check +13 -0
data/lib/audit/checks/APACHE2_USER_7.check +17 -0
data/lib/audit/checks/BACKUP_HOME_DOTFILES.check +26 -0
data/lib/audit/checks/BACKUP_LOG.check +24 -0
data/lib/audit/checks/BACKUP_MAIL.check +19 -0
data/lib/audit/checks/BACKUP_WEB.check +12 -0
data/lib/audit/checks/CONFIGURATION_BACKUP.check +14 -0
data/lib/audit/checks/DIRECTORY_LISTING.check +14 -0
data/lib/audit/checks/DISTRIBUTION_FACTS.check +60 -0
data/lib/audit/checks/DMESG_OUTPUT.check +14 -0
data/lib/audit/checks/FIND_GROUP_FILE.check +6 -0
data/lib/audit/checks/FIND_PASSWD_FILE.check +8 -0
data/lib/audit/checks/FIND_SHADOW_FILE.check +5 -0
data/lib/audit/checks/FIND_SUDOERS_FILE.check +6 -0
data/lib/audit/checks/FREE_SPACE.check +26 -0
data/lib/audit/checks/HAS_AWK.check +30 -0
data/lib/audit/checks/HAS_BASE.check +21 -0
data/lib/audit/checks/HAS_CAT.check +18 -0
data/lib/audit/checks/HAS_COMPRESSOR.check +30 -0
data/lib/audit/checks/HAS_CUT.check +18 -0
data/lib/audit/checks/HAS_DF.check +19 -0
data/lib/audit/checks/HAS_DPKG.check +18 -0
data/lib/audit/checks/HAS_FILE_DOWNLOADER.check +32 -0
data/lib/audit/checks/HAS_FIND.check +18 -0
data/lib/audit/checks/HAS_GREP.check +19 -0
data/lib/audit/checks/HAS_GROUPCHECK.check +23 -0
data/lib/audit/checks/HAS_GROUPS.check +19 -0
data/lib/audit/checks/HAS_HOSTNAME.check +7 -0
data/lib/audit/checks/HAS_ID.check +7 -0
data/lib/audit/checks/HAS_LSB_RELEASE.check +16 -0
data/lib/audit/checks/HAS_MOUNT.check +19 -0
data/lib/audit/checks/HAS_NETSTAT.check +20 -0
data/lib/audit/checks/HAS_PASSWD_CHECK.check +17 -0
data/lib/audit/checks/HAS_PS.check +19 -0
data/lib/audit/checks/HAS_ROUTE.check +19 -0
data/lib/audit/checks/HAS_SH.check +19 -0
data/lib/audit/checks/HAS_SORT.check +17 -0
data/lib/audit/checks/HAS_STAT.check +17 -0
data/lib/audit/checks/HAS_SUPERUSER.check +11 -0
data/lib/audit/checks/HAS_TAIL.check +16 -0
data/lib/audit/checks/HAS_TAR.check +7 -0
data/lib/audit/checks/HAS_TR.check +22 -0
data/lib/audit/checks/HAS_UNAME.check +7 -0
data/lib/audit/checks/HAS_UNIQ.check +17 -0
data/lib/audit/checks/HAS_WC.check +16 -0
data/lib/audit/checks/HAS_WHO.check +18 -0
data/lib/audit/checks/HAS_YUM.check +18 -0
data/lib/audit/checks/LASTLOG.check +28 -0
data/lib/audit/checks/LIST_ROUTES.check +33 -0
data/lib/audit/checks/LIST_USER_ACCOUNTS.check +25 -0
data/lib/audit/checks/LOADED_MODULES.check +22 -0
data/lib/audit/checks/LOCAL_NMAP.check +97 -0
data/lib/audit/checks/LOGGED_USERS.check +28 -0
data/lib/audit/checks/LYNIS_AUTH.group +9 -0
data/lib/audit/checks/LYNIS_AUTH_9204.check +43 -0
data/lib/audit/checks/LYNIS_AUTH_9208.check +35 -0
data/lib/audit/checks/LYNIS_AUTH_9216.check +24 -0
data/lib/audit/checks/LYNIS_AUTH_9222.check +25 -0
data/lib/audit/checks/LYNIS_AUTH_9226.check +24 -0
data/lib/audit/checks/LYNIS_AUTH_9228.check +24 -0
data/lib/audit/checks/LYNIS_AUTH_9252.check +19 -0
data/lib/audit/checks/MAYBE_HAS_BZIP2.check +17 -0
data/lib/audit/checks/MAYBE_HAS_CURL.check +17 -0
data/lib/audit/checks/MAYBE_HAS_DU.check +17 -0
data/lib/audit/checks/MAYBE_HAS_HOSTNAME.check +17 -0
data/lib/audit/checks/MAYBE_HAS_ID.check +17 -0
data/lib/audit/checks/MAYBE_HAS_LSB_RELEASE.check +15 -0
data/lib/audit/checks/MAYBE_HAS_SUPERUSER.check +36 -0
data/lib/audit/checks/MAYBE_HAS_TAR.check +19 -0
data/lib/audit/checks/MAYBE_HAS_UNAME.check +17 -0
data/lib/audit/checks/MAYBE_HAS_WGET.check +17 -0
data/lib/audit/checks/MOUNTED_DEVICES.check +22 -0
data/lib/audit/checks/MYSQL_HISTORY_1.check +29 -0
data/lib/audit/checks/MYSQL_INIT_1.check +9 -0
data/lib/audit/checks/MYSQL_INIT_2.check +12 -0
data/lib/audit/checks/MYSQL_INIT_3.check +7 -0
data/lib/audit/checks/PACKAGES_INSTALLED_DPKG.check +38 -0
data/lib/audit/checks/PACKAGES_INSTALLED_YUM.check +36 -0
data/lib/audit/checks/PASSWORD_INFORMATION.check +33 -0
data/lib/audit/checks/PLATFORM_FACTS.check +35 -0
data/lib/audit/checks/PORTS_OPEN_NETSTAT.check +121 -0
data/lib/audit/checks/PROCESS_LIST.check +87 -0
data/lib/audit/checks/SLOW.group +7 -0
data/lib/audit/checks/SLOW_1.check +4 -0
data/lib/audit/checks/SLOW_2.check +4 -0
data/lib/audit/checks/SLOW_3.check +4 -0
data/lib/audit/checks/SSH.group +14 -0
data/lib/audit/checks/SSH_CONFIG_01.check +12 -0
data/lib/audit/checks/SSH_CONFIG_02.check +15 -0
data/lib/audit/checks/SSH_CONFIG_03.check +13 -0
data/lib/audit/checks/SSH_CONFIG_04.check +11 -0
data/lib/audit/checks/SSH_CONFIG_05.check +12 -0
data/lib/audit/checks/SSH_CONFIG_06.check +12 -0
data/lib/audit/checks/SSH_CONFIG_07.check +11 -0
data/lib/audit/checks/SSH_CONFIG_08.check +12 -0
data/lib/audit/checks/SSH_CONFIG_09.check +12 -0
data/lib/audit/checks/SSH_CONFIG_10.check +15 -0
data/lib/audit/checks/SSH_CONFIG_11.check +14 -0
data/lib/audit/checks/SSH_INIT_1.check +9 -0
data/lib/audit/checks/SSH_INIT_2.check +12 -0
data/lib/audit/checks/SSH_KEYS_1.check +32 -0
data/lib/audit/checks/USERS_INIT_1.check +9 -0
data/lib/audit/checks/USERS_INIT_2.check +5 -0
data/lib/audit/checks/USERS_INIT_3.check +5 -0
data/lib/audit/checks/USERS_INIT_4.check +9 -0
data/lib/audit/checks/USERS_INIT_5.check +10 -0
data/lib/audit/checks/USER_INFORMATION.check +29 -0
data/lib/audit/checks/VARIOUS.group +19 -0
data/lib/audit/checks/VAR_LIST_HOME_DIRECTORIES.check +5 -0
data/lib/audit/checks/benchmark.group +6 -0
data/lib/audit/checks/footer.template +12 -0
data/lib/audit/checks/header.template +10 -0
data/lib/audit/checks/helpers/head.sh +59 -0
data/lib/audit/checks/script_header.template +69 -0
data/lib/audit/create_benchmark.sh +93 -0
data/lib/audit/lib/audit.rb +136 -0
data/lib/audit/lib/audit_facade.rb +5 -0
data/lib/audit/lib/benchmark/audit_benchmark.rb +165 -0
data/lib/audit/lib/benchmark/automatic_dependencies.rb +13 -0
data/lib/audit/lib/benchmark/benchmark_factory.rb +23 -0
data/lib/audit/lib/benchmark/benchmark_result.rb +25 -0
data/lib/audit/lib/benchmark/check.rb +34 -0
data/lib/audit/lib/benchmark/group.rb +30 -0
data/lib/audit/lib/benchmark/item_exception.rb +13 -0
data/lib/audit/lib/benchmark/result_code.rb +11 -0
data/lib/audit/lib/benchmark/rule_result.rb +42 -0
data/lib/audit/lib/benchmark/rule_role.rb +5 -0
data/lib/audit/lib/benchmark/rule_severity.rb +13 -0
data/lib/audit/lib/benchmark/yaml_benchmark.rb +133 -0
data/lib/audit/lib/connection/ami_connection.rb +4 -0
data/lib/audit/lib/connection/connection_factory.rb +27 -0
data/lib/audit/lib/connection/ssh_connection.rb +243 -0
data/lib/audit/lib/ec2_utils.rb +245 -0
data/lib/audit/lib/http_fingerprint.rb +116 -0
data/lib/audit/lib/lazy.rb +37 -0
data/lib/audit/lib/linear_script_generator.rb +31 -0
data/lib/audit/lib/main.rb +13 -0
data/lib/audit/lib/my_option_parser.rb +106 -0
data/lib/audit/lib/nessus_new.rb +290 -0
data/lib/audit/lib/nessus_utils.rb +102 -0
data/lib/audit/lib/parser/command/abstract_command.rb +32 -0
data/lib/audit/lib/parser/command/abstract_command_result.rb +30 -0
data/lib/audit/lib/parser/command/attach_file_command.rb +63 -0
data/lib/audit/lib/parser/command/check_finished_command.rb +45 -0
data/lib/audit/lib/parser/command/cpe_name_command.rb +37 -0
data/lib/audit/lib/parser/command/data_command.rb +43 -0
data/lib/audit/lib/parser/command/listening_port_command.rb +46 -0
data/lib/audit/lib/parser/command/message_command.rb +21 -0
data/lib/audit/lib/parser/command/program_name_command.rb +42 -0
data/lib/audit/lib/parser/parse_exception.rb +2 -0
data/lib/audit/lib/parser/result_type.rb +13 -0
data/lib/audit/lib/parser/script_output_parser.rb +201 -0
data/lib/audit/lib/parser/stdout_line_buffer.rb +43 -0
data/lib/audit/lib/ssh_fingerprint.rb +220 -0
data/lib/audit/lib/ssh_fingerprint2.rb +170 -0
data/lib/audit/lib/ssh_utils.rb +292 -0
data/lib/audit/lib/transformers/web_view_transformer.rb +171 -0
data/lib/audit/lib/transformers/yaml_transformer.rb +50 -0
data/lib/audit/lib/util/random_string.rb +22 -0
data/lib/audit/lib/version.rb +7 -0
data/lib/help/ec2_helper.rb +65 -2
data/lib/help/remote_command_handler.rb +17 -0
data/lib/help/state_transition_helper.rb +8 -0
data/lib/scripts/ec2/open_port_checker.rb +112 -0
data/lib/scripts/ec2/port_range_detector.rb +0 -1
metadata +175 -16

data/lib/audit/lib/transformers/web_view_transformer.rb ADDED Viewed

@@ -0,0 +1,171 @@
+# To change this template, choose Tools | Templates
+# and open the template in the editor.
+# icons taken from http://www.famfamfam.com/lab/icons/silk/
+require 'benchmark/audit_benchmark'
+require 'parser/result_type'
+require 'logger'
+class WebViewTransformer
+  IMAGE_PREFIX = "/images"
+  BENCHMARK_ID = "BENCHMARK"
+  @@LOG = Logger.new(STDOUT)
+  def self.get(audit, id)
+    if (id == :root) then
+      item = audit.benchmark
+     return {
+      'data'     => {
+        'title'    => item.name || item.id,
+        'attr'     => {},
+        'icon'     => 'folder'},
+      'attr'     => {
+        'id'       => BENCHMARK_ID},
+      'state'    => 'closed'}
+    else
+      return self.get_children(audit, id)
+    end
+  end
+  def self.get_children(audit, id)
+    if id == BENCHMARK_ID then
+      item = audit.benchmark
+    else
+      item = audit.results[id] || audit.benchmark.item_repository[id]
+    end
+    if item.kind_of? AuditBenchmark then
+      return item.children.map {|x| self.get_item(audit, x.id)}
+    elsif item.kind_of? Group then
+      return item.children.map {|x| self.get_item(audit, x.id)}
+    elsif item.kind_of? RuleResult then
+      if item.rule.description then
+        results = [{
+              'data'     => {
+               'title'    => item.rule.description,
+               'icon'     => "#{IMAGE_PREFIX}/tag_blue.png"},
+              'state'    => 'opened',
+              'children' => []
+            }]
+      else
+        results = []
+      end
+      results = results + item.check.reject do|x|
+         x.methods.include?(:visible?) && (!x.visible?())
+      end.map do |x|
+          case x.type
+          when ResultType::MESSAGE then
+            {
+              'data' => {
+                'title' => x.to_string(),
+                'icon' => "#{IMAGE_PREFIX}/script.png"},
+              'state' => 'opened',
+              'children' => []
+            }
+          when ResultType::DATA then
+            {
+              'data' => {
+                'title' => x.to_string(),
+                'icon' => "#{IMAGE_PREFIX}/brick.png"},
+              'state' => 'opened',
+              'children' => []
+            }
+          when ResultType::PROGRAM_NAME then
+            {
+              'data' => {
+                'title' => x.to_string(),
+                'icon' => "#{IMAGE_PREFIX}/cog.png"},
+              'state' => 'opened',
+              'children' => []
+            }
+          else
+            {
+              'data' => {
+                'title' => x.to_string(),
+                'icon' => "file"},
+              'state' => 'opened',
+              'children' => []
+            }
+          end
+      end
+      return results
+    elsif item.kind_of? Check then
+      #check was not executed, thus no result
+      if item.description then
+        return [{
+              'data'     => {
+                'title'    => item.description,
+                'icon'     => "#{IMAGE_PREFIX}/tag_blue.png"},
+              'state'    => 'opened',
+              'children' => []
+            }]
+      else
+        return []
+      end
+    else
+      raise "Unknown item type #{item.class.name}"
+    end
+  end
+  def self.get_item(audit, id)
+    item = audit.results[id] || audit.benchmark.item_repository[id]
+    if item.kind_of? AuditBenchmark then
+      return {
+      'data'     => {
+        'title'    => item.name || item.id,
+        'icon'     => 'folder'},
+      'attr'     => {'id' => 'BENCHMARK'},
+      'state'    => 'closed'}
+    elsif item.kind_of? Group then
+      return {
+      'data'     => {
+        'title'    => item.name || item.id,
+        'icon'     => 'folder'},
+        'attr'     => {'id' => item.id},
+      'state'    => 'closed'}
+    elsif item.kind_of? RuleResult then
+       return {
+        'data'     => {
+          'title'    => item.rule.name || item.rule.id,
+          'icon'     => case item.result
+              when ResultCode::PASS then "#{IMAGE_PREFIX}/tick.png"
+              when ResultCode::FAIL then
+                if (item.severity == RuleSeverity::LOW || item.severity == RuleSeverity::INFO) then
+                  "#{IMAGE_PREFIX}/warning.png"
+                else
+                  "#{IMAGE_PREFIX}/fail.png"
+                end
+              else "#{IMAGE_PREFIX}/question.png"
+            end},
+        'attr'     => { 'id' => item.rule.id},
+        'state'    => 'closed'}
+    elsif item.kind_of? Check then
+      if item.description then
+        return {
+        'data'     => {
+          'title'    => item.name || item.id,
+          'icon'     => "#{IMAGE_PREFIX}/hourglass.png"},
+        'attr'     => {'id' => item.id},
+        'state'    => 'closed'}
+      else
+        return {
+        'data'     => {
+          'title'    => item.name || item.id,
+          'icon'     => "#{IMAGE_PREFIX}/hourglass.png"},
+        'attr'     => {'id' => item.id},
+        'state'    => 'opened',
+        'children' => []}
+      end
+    else
+      raise "Unknown item type #{item.class.name} for id #{id}"
+    end
+  end
+end

data/lib/audit/lib/transformers/yaml_transformer.rb ADDED Viewed

@@ -0,0 +1,50 @@
+# To change this template, choose Tools | Templates
+# and open the template in the editor.
+class YamlTransformer
+  def initialize
+  end
+  def self.transform(report)
+    self.transform_node(report, report.get_root)
+  end
+  def self.transform_node(report, node)
+    if node.kind_of? AuditBenchmark then
+      return self.transform_benchmark(report, node)
+    elsif node.kind_of? Group then
+      return self.transform_group(report, node)
+    elsif node.kind_of? RuleResult then
+      return self.transform_rule_result(report, node)
+    else
+      raise "Unknown report node type #{node.class.name}"
+    end
+  end
+  def self.transform_benchmark(report, node)
+    return {:id => node.id,
+            :name => node.name,
+            :description => node.description,
+            :children => node.children.map {|x| self.transform_node(report, report.get(x.id))}}
+  end
+  def self.transform_group(report, node)
+    return {:id => node.id,
+            :name => node.name,
+            :description => node.description,
+            :children => node.children.map {|x| self.transform_node(report, report.get(x.id))}}
+  end
+  def self.transform_rule_result(report, node)
+    return {:rule_refid => node.rule.id,
+            :name => node.rule.name,
+            :description => node.rule.description,
+            :check => node.check.map {|x| self.transform_check(x)}
+    }
+  end
+  def self.transform_check(check)
+    return check.to_hash()
+  end
+end

data/lib/audit/lib/util/random_string.rb ADDED Viewed

@@ -0,0 +1,22 @@
+# To change this template, choose Tools | Templates
+# and open the template in the editor.
+# Ruby 1.8 does not contains sample() function
+class Array
+  def sample()
+    return self.choice()
+  end
+end
+class RandomString
+  def initialize
+  end
+  def self.generate(length = 20, alphabet = ('A' .. 'Z').to_a + ('a' .. 'z').to_a + ('0' .. '9').to_a)
+    return (0 .. length).map { alphabet.sample }.join
+  end
+  def self.generate_name(length = 20)
+    return (('A' .. 'Z').to_a + ('a' .. 'z').to_a).sample + generate(length - 1)
+  end
+end

data/lib/audit/lib/version.rb ADDED Viewed

@@ -0,0 +1,7 @@
+require 'uri'
+class Version
+	attr_accessor :description
+	attr_accessor :timestamp
+	attr_accessor :updateUri
+end

data/lib/help/ec2_helper.rb CHANGED Viewed

@@ -106,8 +106,10 @@ class Ec2Helper
     end
   end
-  def instance_prop(instance_id, prop)
-    instances = @ec2_api.describe_instances(:instance_id => instance_id)
+  def instance_prop(instance_id, prop, instances = nil)
+    if instances == nil
+      instances = @ec2_api.describe_instances(:instance_id => instance_id)
+    end
     begin
       if instances['reservationSet']['item'][0]['instancesSet']['item'].size == 0
         raise Exception.new("instance #{instance_id} not found")
@@ -157,4 +159,65 @@ class Ec2Helper
     false
   end
+  # From the information retrieved via EC2::describe_security_groups, look up
+  # all open ports for the group specified
+  def get_security_group_info(group_name, group_infos)
+    group_infos['securityGroupInfo']['item'].each() do |group_info|
+      return group_info if group_info['groupName'] == group_name
+    end
+    nil
+  end
+  # From the information retrieved via EC2::describe_instances for a specific
+  # instance, retrieve the names of the security groups belonging to that instance.
+  def lookup_security_group_names(instance_info)
+    group_names = []
+    puts "lookup_security_group_names(#{instance_info.inspect})"
+    instance_info['groupSet']['item'].each() {|group_info|
+      group_name = group_info['groupName'] || group_info['groupId']
+      group_names << group_name
+    }
+    group_names
+  end
+  # From the information retrieved via EC2::describe_security_groups, look up
+  # all open ports for the group specified
+  def lookup_open_ports(group_name, group_infos)
+    puts "group_infos = #{group_infos.inspect}"
+    group_info = get_security_group_info(group_name, group_infos)
+    puts "group_info for #{group_name} = #{group_info.inspect}"
+    open_ports = []
+    group_info['ipPermissions']['item'].each() {|permission|
+      if permission['ipRanges'] == nil
+        #no IP-Ranges defined (group based mode): ignore
+        next
+      end
+      prot = permission['ipProtocol']
+      from_port = permission['fromPort'].to_i
+      to_port = permission['toPort'].to_i
+      next if from_port != to_port #ignore port ranges
+      permission['ipRanges']['item'].each() {|ipRange|
+        if ipRange['cidrIp'] == "0.0.0.0/0"
+          #found one
+          open_ports << {:protocol => prot, :port => from_port}
+        end
+      }
+    }
+    open_ports
+  end
+  # Looks up the instanceId for the output retrieved by EC2::describe_instances(:instance_id => xxx)
+  # without the reservation set.
+  def get_instance_id(instance_info)
+    puts "look up instanceId in #{instance_info.inspect}"
+    instance_info['instancesSet']['item'][0]['instanceId']
+  end
+  # Looks up the instanceId for the output retrieved by EC2::describe_instances(:instance_id => xxx)
+  # without the reservation set.
+  def get_instance_prop(instance_info, prop)
+    puts "look up #{prop} in #{instance_info.inspect}"
+    instance_info['instancesSet']['item'][0][prop.to_s]
+  end
 end

data/lib/help/remote_command_handler.rb CHANGED Viewed

@@ -11,6 +11,23 @@ class RemoteCommandHandler
     @use_sudo = false
   end
+  # Checks for a given IP/port if there's a response on that port.
+  def is_port_open?(ip, port)
+    begin
+      Timeout::timeout(5) do
+        begin
+          s = TCPSocket.new(ip, port)
+          s.close
+          return true
+        rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH
+          return false
+        end
+      end
+    rescue Timeout::Error
+      return false
+    end
+  end
   # Connect to the machine as root using a keyfile.
   # Params:
   # * ip: ip address of the machine to connect to

data/lib/help/state_transition_helper.rb CHANGED Viewed

@@ -179,6 +179,14 @@ module StateTransitionHelper
     @logger.info("found #{sgs.size} security groups")
     @context[:security_groups] = sgs
   end
+  def retrieve_instances()
+    @context[:script].post_message("going to retrieve all instances...")
+    inst = @context[:ec2_api_handler].describe_instances()
+    @context[:script].post_message("found #{inst.size} instances")
+    @logger.info("found #{inst.size} instances")
+    @context[:ec2_instances] = inst
+  end
   # Creates a new EBS volume.
   # Input Parameters:

data/lib/scripts/ec2/open_port_checker.rb ADDED Viewed

@@ -0,0 +1,112 @@
+require "help/script_execution_state"
+require "scripts/ec2/ec2_script"
+require "help/remote_command_handler"
+#require "help/dm_crypt_helper"
+require "help/ec2_helper"
+require "AWS"
+# Identifies all server instances with their ports open and checks if
+# there are instances where no service runs on that port. Port ranges are
+# ignored.
+#
+class OpenPortChecker < Ec2Script
+  # Input parameters
+  # * ec2_api_handler => object that allows to access the EC2 API
+  def initialize(input_params)
+    super(input_params)
+  end
+  def check_input_parameters()
+    if @input_params[:ec2_api_handler] == nil
+      raise Exception.new("no EC2 handler specified")
+    end
+  end
+  def load_initial_state()
+    OpenPortCheckerState.load_state(@input_params)
+  end
+  private
+  # Here begins the state machine implementation
+  class OpenPortCheckerState < ScriptExecutionState
+    def self.load_state(context)
+      state = context[:initial_state] == nil ? InitialState.new(context) : context[:initial_state]
+      state
+    end
+  end
+  # Nothing done yet. Retrieve all security groups
+  class InitialState < OpenPortCheckerState
+    def enter
+      retrieve_instances()
+      InstancesRetrievedState.new(@context)
+    end
+  end
+  # Got all instances. If there are some, check security groups
+  class InstancesRetrievedState < OpenPortCheckerState
+    def enter
+      if @context[:ec2_instances].size == 0
+        Done.new(@context)
+      else
+        retrieve_security_groups()
+        SecurityGroupsRetrievedState.new(@context)
+      end
+    end
+  end
+  # Got all instances. If there are some, check security groups
+  class SecurityGroupsRetrievedState < OpenPortCheckerState
+    def enter
+      @context[:result][:port_checks] = []
+      ec2_helper = Ec2Helper.new(@context[:ec2_api_handler])
+      @context[:ec2_instances]['reservationSet']['item'].each() do |instance_info|
+        instance_id = ec2_helper.get_instance_id(instance_info)
+        @logger.debug("instance_info = #{instance_info.inspect}")
+        instance_ip = ec2_helper.get_instance_prop(instance_info, 'dnsName')
+        instance_state = ec2_helper.get_instance_prop(instance_info, 'instanceState')['name']
+        if instance_state != "running"
+          post_message("ignore instance #{instance_id} since not running")
+          next
+        end
+        sec_groups = ec2_helper.lookup_security_group_names(instance_info)
+        @logger.debug("group lookup for #{instance_id} => #{sec_groups.inspect}")
+        sec_groups.each() do |group_name|
+          port_infos = ec2_helper.lookup_open_ports(group_name, @context[:security_groups])
+          @logger.debug("port_infos for group #{group_name} #{port_infos.inspect}")
+          port_infos.each() do |port_info|
+            result = false
+            begin
+              result = @context[:remote_command_handler].is_port_open?(instance_ip, port_info[:port])
+              post_message("check port #{port_info[:port]} for instance #{instance_id} (on #{instance_ip}) #{result ? "successful" : "failed"}")
+            rescue Exception => e
+              @logger.warn("exception during executing port check: #{e}")
+            end
+            @context[:result][:port_checks] << {:instance => instance_id, :protocol => port_info[:protocol],
+              :port => port_info[:port], :success => result, :group_name => group_name
+            }
+          end
+        end
+      end
+      AnalysisDone.new(@context)
+    end
+  end
+  # Nothing done yet. Retrieve all security groups
+  class AnalysisDone < OpenPortCheckerState
+    def enter
+      Done.new(@context)
+    end
+  end
+  # Script done.
+  class Done < OpenPortCheckerState
+    def done?
+      true
+    end
+  end
+end