CloudyScripts 1.9.41 → 1.10.43
- data/Rakefile +1 -1
- data/lib/help/state_transition_helper.rb +12 -4
- data/lib/scripts/ec2/critical_ports_audit.rb +85 -0
- data/lib/scripts/ec2/ec2_script.rb +1 -0
- metadata +6 -16
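--- a/data/Rakefile
+++ b/data/Rakefile
@@ -12,7 +12,7 @@ require 'rake/testtask'
 
 spec = Gem::Specification.new do |s|
 s.name = 'CloudyScripts'
-s.version = '1.
+s.version = '1.10.43'
 s.has_rdoc = true
 s.extra_rdoc_files = ['README.rdoc', 'LICENSE']
 s.summary = 'Scripts to facilitate programming for infrastructure clouds.'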
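--- a/data/lib/help/state_transition_helper.rb
+++ b/data/lib/help/state_transition_helper.rb
@@ -231,16 +231,24 @@ module StateTransitionHelper
 def retrieve_security_groups()
 @context[:script].post_message("going to retrieve security groups...")
 sgs = @context[:ec2_api_handler].describe_security_groups()
-
-
+n = 0
+unless sgs['securityGroupInfo'] == nil
+n = sgs['securityGroupInfo']['item'].size
+end
+@context[:script].post_message("found #{n} security groups")
+@logger.info("found #{n} security groups")
 @context[:security_groups] = sgs
 end
 
 def retrieve_instances()
 @context[:script].post_message("going to retrieve all instances...")
 inst = @context[:ec2_api_handler].describe_instances()
-
-
+n = 0
+unless inst['reservationSet'] == nil
+n = inst['reservationSet']['item'].size
+end
+@context[:script].post_message("found #{n} instances")
+@logger.info("found #{n} instances")
 @context[:ec2_instances] = inst
 end
 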
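Review bot: The new guard in retrieve_security_groups only checks that `sgs['securityGroupInfo']` is present, so a response in which that element exists but carries no `item` (an account with no groups, if the amazon-ec2 XML parsing renders an empty element that way — worth confirming against a real response) still reaches `nil.size` and aborts the script before the result is stored. A guard that tolerates both shapes keeps the method from failing on an empty account: `items = sgs['securityGroupInfo'] && sgs['securityGroupInfo']['item']` followed by `n = items ? items.size : 0`; retrieve_instances needs the same treatment for `reservationSet`. Both methods are fully inside the hunk; the enclosing module StateTransitionHelper begins outside it.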
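--- /dev/null
+++ b/data/lib/scripts/ec2/critical_ports_audit.rb
@@ -0,0 +1,85 @@
+require "help/script_execution_state"
+require "scripts/ec2/ec2_script"
+require "help/remote_command_handler"
+#require "help/dm_crypt_helper"
+require "help/ec2_helper"
+require "AWS"
+
+# Checks for all security groups if sensible ports are opened for the wide
+# public.
+#
+
+class CriticalPortsAudit < Ec2Script
+# Input parameters
+# * ec2_api_handler => object that allows to access the EC2 API
+# * :critical_ports => arrays of ports to be checked
+def initialize(input_params)
+super(input_params)
+end
+
+def check_input_parameters()
+if @input_params[:ec2_api_handler] == nil
+raise Exception.new("no EC2 handler specified")
+end
+if @input_params[:critical_ports] == nil
+raise Exception.new("no ports specified")
+end
+end
+
+def load_initial_state()
+CriticalPortsAuditState.load_state(@input_params)
+end
+
+private
+
+# Here begins the state machine implementation
+class CriticalPortsAuditState < ScriptExecutionState
+def self.load_state(context)
+state = context[:initial_state] == nil ? RetrievingSecurityGroups.new(context) : context[:initial_state]
+state
+end
+end
+
+# Nothing done yet. Retrieve all security groups
+class RetrievingSecurityGroups < CriticalPortsAuditState
+def enter
+retrieve_security_groups()
+CheckingSensiblePorts.new(@context)
+end
+end
+
+# Security groups retrieved. Start analysing them.
+class CheckingSensiblePorts< CriticalPortsAuditState
+def enter
+@context[:result][:affected_groups] = []
+@context[:security_groups]['securityGroupInfo']['item'].each() do |group_info|
+post_message("checking group '#{group_info['groupName']}'...")
+next if group_info['ipPermissions'] == nil || group_info['ipPermissions']['item'] == nil
+group_info['ipPermissions']['item'].each() do |permission_info|
+logger.debug("permission_info = #{permission_info.inspect}")
+next unless permission_info['groups'] == nil #ignore access rights to other groups
+next unless permission_info['ipRanges']['item'][0]['cidrIp'] == "0.0.0.0/0"
+#now check if a critical port is within the port-range
+@context[:critical_ports].each() do |port|
+if permission_info['fromPort'].to_i <= port && permission_info['toPort'].to_i >= port
+@context[:result][:affected_groups] << {:name => group_info['groupName'],
+:from => permission_info['fromPort'], :to => permission_info['toPort'],
+:concerned => port, :prot => permission_info['protocol']}
+post_message("=> found publically accessible port range that contains "+
+"critical port for group #{group_info['groupName']}: #{permission_info['fromPort']}-#{permission_info['toPort']}")
+end
+end
+end
+end
+Done.new(@context)
+end
+end
+
+# Script done.
+class Done < CriticalPortsAuditState
+def done?
+true
+end
+end
+
+end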
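Review bot: The public-exposure test in CheckingSensiblePorts#enter inspects only `permission_info['ipRanges']['item'][0]`, so a rule whose 0.0.0.0/0 entry is not the first CIDR is reported as safe, and a rule with no `ipRanges` element at all raises NoMethodError and aborts the whole audit instead of being skipped. The port comparison also turns a missing `fromPort`/`toPort` into 0 through `nil.to_i`, which means an all-traffic rule (EC2 reports these with `ipProtocol` -1 and no port range — inferred from the API, confirm against a real response) is exactly the case that is never flagged; for the same reason `:prot => permission_info['protocol']` is most likely always nil, since the response field is named `ipProtocol`. The rewrite below checks every CIDR entry of a rule and treats a rule without a port range as exposing every critical port. Separately, `raise Exception.new("no ports specified")` in check_input_parameters should be `raise ArgumentError, "no ports specified"` so a caller can rescue a bad-argument failure without also catching interrupts and exit.
```ruby
        next unless permission_info['groups'] == nil #ignore access rights to other groups
        # a rule may carry several CIDRs; any world-open entry makes it public
        ranges = permission_info['ipRanges'] && permission_info['ipRanges']['item'] || []
        next unless ranges.any? { |range| range['cidrIp'] == "0.0.0.0/0" }
        from_port = permission_info['fromPort']
        to_port = permission_info['toPort']
        # an all-protocol rule has no port range: every critical port is exposed
        all_ports = permission_info['ipProtocol'] == "-1" || from_port == nil || to_port == nil
        @context[:critical_ports].each() do |port|
          next unless all_ports || (from_port.to_i <= port && to_port.to_i >= port)
          @context[:result][:affected_groups] << {:name => group_info['groupName'],
            :from => from_port, :to => to_port,
            :concerned => port, :prot => permission_info['ipProtocol']}
          # … unchanged: post_message reporting the finding …
        end
```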
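--- a/metadata
+++ b/metadata
@@ -1,13 +1,12 @@
 --- !ruby/object:Gem::Specification
 name: CloudyScripts
 version: !ruby/object:Gem::Version
-hash: 97
 prerelease: false
 segments:
 - 1
--
--
-version: 1.
+- 10
+- 43
+version: 1.10.43
 platform: ruby
 authors:
 - Matthias Jung
@@ -15,18 +14,16 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-09-
+date: 2011-09-02 00:00:00 +02:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency
 name: amazon-ec2
 prerelease: false
 requirement: &id001 !ruby/object:Gem::Requirement
-none: false
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-hash: 3
 segments:
 - 0
 version: "0"
@@ -36,11 +33,9 @@ dependencies:
 name: net-ssh
 prerelease: false
 requirement: &id002 !ruby/object:Gem::Requirement
-none: false
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-hash: 3
 segments:
 - 0
 version: "0"
@@ -50,11 +45,9 @@ dependencies:
 name: net-scp
 prerelease: false
 requirement: &id003 !ruby/object:Gem::Requirement
-none: false
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-hash: 3
 segments:
 - 0
 version: "0"
@@ -261,6 +254,7 @@ files:
 - lib/scripts/ec2/audit_via_ssh.rb
 - lib/scripts/ec2/copy_ami.rb
 - lib/scripts/ec2/copy_snapshot.rb
+- lib/scripts/ec2/critical_ports_audit.rb
 - lib/scripts/ec2/dm_encrypt.rb
 - lib/scripts/ec2/download_snapshot.rb
 - lib/scripts/ec2/ec2_script.rb
@@ -277,27 +271,23 @@ rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-none: false
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-hash: 3
 segments:
 - 0
 version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement
-none: false
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-hash: 3
 segments:
 - 0
 version: "0"
 requirements: []
 
 rubyforge_project: cloudyscripts
-rubygems_version: 1.3.
+rubygems_version: 1.3.6
 signing_key:
 specification_version: 3
 summary: Scripts to facilitate programming for infrastructure clouds.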