RubyGems - CloudyScripts - Versions diffs - 2.11.47 → 2.11.48 - Mend

CloudyScripts 2.11.47 → 2.11.48

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

data/Rakefile +1 -1
data/lib/help/ec2_helper.rb +28 -0
data/lib/help/state_transition_helper.rb +1 -0
data/lib/scripts/ec2/critical_ports_audit.rb +24 -10
data/lib/scripts/ec2/open_port_checker.rb +5 -0
data/lib/scripts/ec2/vpc_critical_ports_audit.rb +126 -0
metadata +5 -4

data/Rakefile CHANGED Viewed

@@ -12,7 +12,7 @@ require 'rake/testtask'
 spec = Gem::Specification.new do |s|
   s.name = 'CloudyScripts'
-  s.version = '2.11.47'
+  s.version = '2.11.48'
   s.has_rdoc = true
   s.extra_rdoc_files = ['README.rdoc', 'LICENSE']
   s.summary = 'Scripts to facilitate programming for infrastructure clouds.'

data/lib/help/ec2_helper.rb CHANGED Viewed

@@ -12,6 +12,34 @@ class AWS::EC2::Base
   end
 end
+#XXX: use last AWS EC2 API, add VPC function
+module AWS
+  module EC2
+    class Base < AWS::Base
+      API_VERSION_HACKED = '2011-11-01'
+      def api_version
+        API_VERSION_HACKED
+      end
+      def describe_vpcs( options = {} )
+        options = { :vpc_id => [] }.merge(options)
+        params = pathlist("VpcId", options[:vpc_id])
+        return response_generator(:action => "DescribeVpcs", :params => params)
+      end
+      def describe_internetgateways( options = {} )
+        options = { :interetgateway_id => [] }.merge(options)
+        params = pathlist("internetGatewayId", options[:interetgateway_id])
+        return response_generator(:action => "DescribeInternetGateways", :params => params)
+      end
+    end
+  end
+end
 class Ec2Helper
   # expects an instance of AWS::EC2::Base from the amazon-ec2 gem
   def initialize(ec2_api)

data/lib/help/state_transition_helper.rb CHANGED Viewed

@@ -1,6 +1,7 @@
 require 'net/scp'
 require "AWS"
 # Contains methods that are used by the scripts in the state-machines. Since
 # they are reused by different scripts, they are factored into this module.
 #

data/lib/scripts/ec2/critical_ports_audit.rb CHANGED Viewed

@@ -21,9 +21,9 @@ class CriticalPortsAudit < Ec2Script
     if @input_params[:ec2_api_handler] == nil
       raise Exception.new("no EC2 handler specified")
     end
-    if @input_params[:critical_ports] == nil
-      raise Exception.new("no ports specified")
-    end
+    #if @input_params[:critical_ports] == nil
+    #  raise Exception.new("no ports specified")
+    #end
   end
   def load_initial_state()
@@ -53,6 +53,7 @@ class CriticalPortsAudit < Ec2Script
     def enter
       @context[:result][:affected_groups] = []
       @context[:security_groups]['securityGroupInfo']['item'].each() do |group_info|
+        next if !group_info['vpcId'].nil? && !group_info['vpcId'].empty?
         post_message("checking group '#{group_info['groupName']}'...")
         next if group_info['ipPermissions'] == nil || group_info['ipPermissions']['item'] == nil
         group_info['ipPermissions']['item'].each() do |permission_info|
@@ -60,13 +61,26 @@ class CriticalPortsAudit < Ec2Script
           next unless permission_info['groups'] == nil #ignore access rights to other groups
           next unless permission_info['ipRanges']['item'][0]['cidrIp'] == "0.0.0.0/0"
           #now check if a critical port is within the port-range
-          @context[:critical_ports].each() do |port|
-            if permission_info['fromPort'].to_i <= port && permission_info['toPort'].to_i >= port
-              @context[:result][:affected_groups] << {:name => group_info['groupName'],
-                :from => permission_info['fromPort'], :to => permission_info['toPort'],
-                :concerned => port, :prot => permission_info['protocol']}
-              post_message("=> found publically accessible port range that contains "+
-                  "critical port for group #{group_info['groupName']}: #{permission_info['fromPort']}-#{permission_info['toPort']}")
+          #XXX: allow to skip the 'critical port' options if nil
+          if @context[:critical_ports] == nil || @context[:critical_ports].empty?
+            port = nil
+            if permission_info['fromPort'].to_i == permission_info['toPort'].to_i
+              port = permission_info['fromPort'].to_i
+              post_message("=> found unique port #{port}")
+            end
+            @context[:result][:affected_groups] << {:name => group_info['groupName'],
+                  :from =>  permission_info['fromPort'], :to => permission_info['toPort'],
+                  :concerned => port, :prot => permission_info['ipProtocol']}
+            post_message("=> found at least one port publicly opened")
+          else
+            @context[:critical_ports].each() do |port|
+              if permission_info['fromPort'].to_i <= port && permission_info['toPort'].to_i >= port
+                @context[:result][:affected_groups] << {:name => group_info['groupName'],
+                  :from => permission_info['fromPort'], :to => permission_info['toPort'],
+                  :concerned => port, :prot => permission_info['ipProtocol']}
+                post_message("=> found publically accessible port range that contains "+
+                    "critical port for group #{group_info['groupName']}: #{permission_info['fromPort']}-#{permission_info['toPort']}")
+              end
             end
           end
         end

data/lib/scripts/ec2/open_port_checker.rb CHANGED Viewed

@@ -67,6 +67,11 @@ class OpenPortChecker < Ec2Script
         @context[:ec2_instances]['reservationSet']['item'].each() do |instance_info|
           instance_id = ec2_helper.get_instance_id(instance_info)
           @logger.debug("instance_info = #{instance_info.inspect}")
+          vpc_instance = ec2_helper.get_instance_prop(instance_info, 'vpcId')
+          if !vpc_instance.nil? && !vpc_instance.empty?
+            post_message("ignore VPC instance #{instance_id}")
+            next
+          end
           instance_ip = ec2_helper.get_instance_prop(instance_info, 'dnsName')
           instance_state = ec2_helper.get_instance_prop(instance_info, 'instanceState')['name']
           if instance_state != "running"

data/lib/scripts/ec2/vpc_critical_ports_audit.rb ADDED Viewed

@@ -0,0 +1,126 @@
+require "help/script_execution_state"
+require "scripts/ec2/ec2_script"
+require "help/remote_command_handler"
+#require "help/dm_crypt_helper"
+require "help/ec2_helper"
+require "AWS"
+require 'pp'
+# Checks for all security groups if sensible ports are opened for the wide
+# public.
+#
+class VpcCriticalPortsAudit < Ec2Script
+  # Input parameters
+  # * ec2_api_handler => object that allows to access the EC2 API
+  # * :critical_ports => arrays of ports to be checked
+  def initialize(input_params)
+    super(input_params)
+  end
+  def check_input_parameters()
+    if @input_params[:ec2_api_handler] == nil
+      raise Exception.new("no EC2 handler specified")
+    end
+    #if @input_params[:critical_ports] == nil
+    #  raise Exception.new("no ports specified")
+    #end
+  end
+  def load_initial_state()
+    CriticalPortsAuditState.load_state(@input_params)
+  end
+  private
+  # Here begins the state machine implementation
+  class CriticalPortsAuditState < ScriptExecutionState
+    def self.load_state(context)
+      state = context[:initial_state] == nil ? RetrievingSecurityGroups.new(context) : context[:initial_state]
+      state
+    end
+  end
+  # Nothing done yet. Retrieve all security groups
+  class RetrievingSecurityGroups < CriticalPortsAuditState
+    def enter
+      retrieve_security_groups()
+      CheckingSensiblePorts.new(@context)
+    end
+  end
+  # Security groups retrieved. Start analysing them.
+  class CheckingSensiblePorts< CriticalPortsAuditState
+    def enter
+      @context[:result][:affected_groups] = []
+      @context[:security_groups]['securityGroupInfo']['item'].each() do |group_info|
+        #check only VPC SecurityGroups
+        next if group_info['vpcId'].nil? || group_info['vpcId'].empty?
+        post_message("checking VPC SecurityGroup '#{group_info['groupName']}'...")
+        vpc = @context[:ec2_api_handler].describe_vpcs(:vpc_id => group_info['vpcId'])
+        vpc_ref = ""
+        vpc_item = vpc['vpcSet']['item'][0]
+        if !vpc_item['name'].nil? && !vpc_item['name'].empty?
+          vpc_ref = vpc_item['name']
+        else
+          #XXX: shold be the same as "group_info['vpcId']"
+          vpc_ref = vpc_item['vpcId']
+        end
+        igw = @context[:ec2_api_handler].describe_internetgateways()
+        igw_ref = ""
+        found = false
+        igw['internetGatewaySet']['item'].each {|igw_item|
+          break if found == true
+          igw_id = igw_item['internetGatewayId']
+          igw_item['attachmentSet']['item'].each {|vpc_item|
+            if vpc_item['vpcId'].eql?("#{group_info['vpcId']}")
+              igw_ref = igw_id
+              found = true
+              break
+            end
+          }
+        }
+        next if group_info['ipPermissions'] == nil || group_info['ipPermissions']['item'] == nil
+        group_info['ipPermissions']['item'].each() do |permission_info|
+          logger.debug("permission_info = #{permission_info.inspect}")
+          next unless permission_info['groups'] == nil #ignore access rights to other groups
+          next unless permission_info['ipRanges']['item'][0]['cidrIp'] == "0.0.0.0/0"
+          #now check if a critical port is within the port-range
+          #XXX: allow to skip the 'critical port' options if nil
+          if @context[:critical_ports] == nil || @context[:critical_ports].empty?
+            port = nil
+            if permission_info['fromPort'].to_i == permission_info['toPort'].to_i
+              port = permission_info['fromPort'].to_i
+              post_message("=> found unique port: #{port}")
+            end
+            @context[:result][:affected_groups] << {:name => group_info['groupName'],
+                  :from =>  permission_info['fromPort'], :to => permission_info['toPort'],
+                  :concerned => port, :prot => permission_info['ipProtocol'],
+                  :vpc_ref => vpc_ref, :igw_ref => igw_ref}
+            post_message("=> found at least one port publicly opened")
+          else
+            @context[:critical_ports].each() do |port|
+              if permission_info['fromPort'].to_i <= port && permission_info['toPort'].to_i >= port
+                @context[:result][:affected_groups] << {:name => group_info['groupName'],
+                  :from => permission_info['fromPort'], :to => permission_info['toPort'],
+                  :concerned => port, :prot => permission_info['ipProtocol'],
+                  :vpc_ref => vpc_ref, :igw_ref => igw_ref}
+                post_message("=> found publically accessible port range that contains "+
+                    "critical port for group #{group_info['groupName']}: #{permission_info['fromPort']}-#{permission_info['toPort']}")
+              end
+            end
+          end
+        end
+      end
+      Done.new(@context)
+    end
+  end
+  # Script done.
+  class Done < CriticalPortsAuditState
+    def done?
+      true
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: CloudyScripts
 version: !ruby/object:Gem::Version
-  hash: 125
+  hash: 67
   prerelease: false
   segments:
   - 2
   - 11
-  - 47
-  version: 2.11.47
+  - 48
+  version: 2.11.48
 platform: ruby
 authors:
 - Matthias Jung
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2011-11-17 00:00:00 +00:00
+date: 2011-11-29 00:00:00 +00:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency
@@ -253,6 +253,7 @@ files:
 - lib/scripts/vCloud/open_port_checker_vm.rb
 - lib/scripts/ec2/port_range_detector.rb
 - lib/scripts/ec2/dm_encrypt.rb
+- lib/scripts/ec2/vpc_critical_ports_audit.rb
 - lib/scripts/ec2/ami2_ebs_conversion.rb
 - lib/scripts/ec2/audit_via_ssh.rb
 - lib/scripts/ec2/open_port_checker.rb