RubyGems - CloudyScripts - Versions diffs - 2.11.47 → 2.11.48 - Mend

CloudyScripts 2.11.47 → 2.11.48

Files changed (7) hide show

data/Rakefile +1 -1
data/lib/help/ec2_helper.rb +28 -0
data/lib/help/state_transition_helper.rb +1 -0
data/lib/scripts/ec2/critical_ports_audit.rb +24 -10
data/lib/scripts/ec2/open_port_checker.rb +5 -0
data/lib/scripts/ec2/vpc_critical_ports_audit.rb +126 -0
metadata +5 -4

data/Rakefile CHANGED Viewed

@@ -12,7 +12,7 @@ require 'rake/testtask'
 spec = Gem::Specification.new do |s|
   s.name = 'CloudyScripts'
-  s.version = '2.11.47'
+  s.version = '2.11.48'
   s.has_rdoc = true
   s.extra_rdoc_files = ['README.rdoc', 'LICENSE']
   s.summary = 'Scripts to facilitate programming for infrastructure clouds.'

data/lib/help/ec2_helper.rb CHANGED Viewed

@@ -12,6 +12,34 @@ class AWS::EC2::Base
   end
 end
+#XXX: use last AWS EC2 API, add VPC function
+module AWS
+  module EC2
+    class Base < AWS::Base
+      API_VERSION_HACKED = '2011-11-01'
+      def api_version
+        API_VERSION_HACKED
+      end
+      def describe_vpcs( options = {} )
+        options = { :vpc_id => [] }.merge(options)
+        params = pathlist("VpcId", options[:vpc_id])
+        return response_generator(:action => "DescribeVpcs", :params => params)
+      end
+      def describe_internetgateways( options = {} )
+        options = { :interetgateway_id => [] }.merge(options)
+        params = pathlist("internetGatewayId", options[:interetgateway_id])
+        return response_generator(:action => "DescribeInternetGateways", :params => params)
+      end
+    end
+  end
+end
 class Ec2Helper
   # expects an instance of AWS::EC2::Base from the amazon-ec2 gem
   def initialize(ec2_api)

data/lib/help/state_transition_helper.rb CHANGED Viewed

@@ -1,6 +1,7 @@
 require 'net/scp'
 require "AWS"
 # Contains methods that are used by the scripts in the state-machines. Since
 # they are reused by different scripts, they are factored into this module.
 #

data/lib/scripts/ec2/critical_ports_audit.rb CHANGED Viewed

@@ -21,9 +21,9 @@ class CriticalPortsAudit < Ec2Script
     if @input_params[:ec2_api_handler] == nil
       raise Exception.new("no EC2 handler specified")
     end
-    if @input_params[:critical_ports] == nil
-      raise Exception.new("no ports specified")
-    end
+    #if @input_params[:critical_ports] == nil
+    #  raise Exception.new("no ports specified")
+    #end
   end
   def load_initial_state()
@@ -53,6 +53,7 @@ class CriticalPortsAudit < Ec2Script
     def enter
       @context[:result][:affected_groups] = []
       @context[:security_groups]['securityGroupInfo']['item'].each() do |group_info|
+        next if !group_info['vpcId'].nil? && !group_info['vpcId'].empty?
         post_message("checking group '#{group_info['groupName']}'...")
         next if group_info['ipPermissions'] == nil || group_info['ipPermissions']['item'] == nil
         group_info['ipPermissions']['item'].each() do |permission_info|
@@ -60,13 +61,26 @@ class CriticalPortsAudit < Ec2Script
           next unless permission_info['groups'] == nil #ignore access rights to other groups
           next unless permission_info['ipRanges']['item'][0]['cidrIp'] == "0.0.0.0/0"
           #now check if a critical port is within the port-range
-          @context[:critical_ports].each() do |port|
-            if permission_info['fromPort'].to_i <= port && permission_info['toPort'].to_i >= port
-              @context[:result][:affected_groups] << {:name => group_info['groupName'],
-                :from => permission_info['fromPort'], :to => permission_info['toPort'],
-                :concerned => port, :prot => permission_info['protocol']}
-              post_message("=> found publically accessible port range that contains "+
-                  "critical port for group #{group_info['groupName']}: #{permission_info['fromPort']}-#{permission_info['toPort']}")
+          #XXX: allow to skip the 'critical port' options if nil
+          if @context[:critical_ports] == nil || @context[:critical_ports].empty?
+            port = nil
+            if permission_info['fromPort'].to_i == permission_info['toPort'].to_i
+              port = permission_info['fromPort'].to_i
+              post_message("=> found unique port #{port}")
+            end
+            @context[:result][:affected_groups] << {:name => group_info['groupName'],
+                  :from =>  permission_info['fromPort'], :to => permission_info['toPort'],
+                  :concerned => port, :prot => permission_info['ipProtocol']}
+            post_message("=> found at least one port publicly opened")
+          else
+            @context[:critical_ports].each() do |port|
+              if permission_info['fromPort'].to_i <= port && permission_info['toPort'].to_i >= port
+                @context[:result][:affected_groups] << {:name => group_info['groupName'],
+                  :from => permission_info['fromPort'], :to => permission_info['toPort'],
+                  :concerned => port, :prot => permission_info['ipProtocol']}
+                post_message("=> found publically accessible port range that contains "+
+                    "critical port for group #{group_info['groupName']}: #{permission_info['fromPort']}-#{permission_info['toPort']}")
+              end
             end
           end
         end

data/lib/scripts/ec2/open_port_checker.rb CHANGED Viewed

@@ -67,6 +67,11 @@ class OpenPortChecker < Ec2Script
         @context[:ec2_instances]['reservationSet']['item'].each() do |instance_info|
           instance_id = ec2_helper.get_instance_id(instance_info)
           @logger.debug("instance_info = #{instance_info.inspect}")
+          vpc_instance = ec2_helper.get_instance_prop(instance_info, 'vpcId')
+          if !vpc_instance.nil? && !vpc_instance.empty?
+            post_message("ignore VPC instance #{instance_id}")
+            next
+          end
           instance_ip = ec2_helper.get_instance_prop(instance_info, 'dnsName')
           instance_state = ec2_helper.get_instance_prop(instance_info, 'instanceState')['name']
           if instance_state != "running"

data/lib/scripts/ec2/vpc_critical_ports_audit.rb ADDED Viewed

@@ -0,0 +1,126 @@
+require "help/script_execution_state"
+require "scripts/ec2/ec2_script"
+require "help/remote_command_handler"
+#require "help/dm_crypt_helper"
+require "help/ec2_helper"
+require "AWS"
+require 'pp'
+# Checks for all security groups if sensible ports are opened for the wide
+# public.
+#
+class VpcCriticalPortsAudit < Ec2Script
+  # Input parameters
+  # * ec2_api_handler => object that allows to access the EC2 API
+  # * :critical_ports => arrays of ports to be checked
+  def initialize(input_params)
+    super(input_params)
+  end
+  def check_input_parameters()
+    if @input_params[:ec2_api_handler] == nil
+      raise Exception.new("no EC2 handler specified")
+    end
+    #if @input_params[:critical_ports] == nil
+    #  raise Exception.new("no ports specified")
+    #end
+  end
+  def load_initial_state()
+    CriticalPortsAuditState.load_state(@input_params)
+  end
+  private
+  # Here begins the state machine implementation
+  class CriticalPortsAuditState < ScriptExecutionState
+    def self.load_state(context)
+      state = context[:initial_state] == nil ? RetrievingSecurityGroups.new(context) : context[:initial_state]
+      state
+    end
+  end
+  # Nothing done yet. Retrieve all security groups
+  class RetrievingSecurityGroups < CriticalPortsAuditState
+    def enter
+      retrieve_security_groups()
+      CheckingSensiblePorts.new(@context)
+    end
+  end
+  # Security groups retrieved. Start analysing them.
+  class CheckingSensiblePorts< CriticalPortsAuditState
+    def enter
+      @context[:result][:affected_groups] = []
+      @context[:security_groups]['securityGroupInfo']['item'].each() do |group_info|
+        #check only VPC SecurityGroups
+        next if group_info['vpcId'].nil? || group_info['vpcId'].empty?
+        post_message("checking VPC SecurityGroup '#{group_info['groupName']}'...")
+        vpc = @context[:ec2_api_handler].describe_vpcs(:vpc_id => group_info['vpcId'])
+        vpc_ref = ""
+        vpc_item = vpc['vpcSet']['item'][0]
+        if !vpc_item['name'].nil? && !vpc_item['name'].empty?
+          vpc_ref = vpc_item['name']
+        else
+          #XXX: shold be the same as "group_info['vpcId']"
+          vpc_ref = vpc_item['vpcId']
+        end
+        igw = @context[:ec2_api_handler].describe_internetgateways()
+        igw_ref = ""
+        found = false
+        igw['internetGatewaySet']['item'].each {|igw_item|
+          break if found == true
+          igw_id = igw_item['internetGatewayId']
+          igw_item['attachmentSet']['item'].each {|vpc_item|
+            if vpc_item['vpcId'].eql?("#{group_info['vpcId']}")
+              igw_ref = igw_id
+              found = true
+              break
+            end
+          }
+        }
+        next if group_info['ipPermissions'] == nil || group_info['ipPermissions']['item'] == nil
+        group_info['ipPermissions']['item'].each() do |permission_info|
+          logger.debug("permission_info = #{permission_info.inspect}")
+          next unless permission_info['groups'] == nil #ignore access rights to other groups
+          next unless permission_info['ipRanges']['item'][0]['cidrIp'] == "0.0.0.0/0"
+          #now check if a critical port is within the port-range
+          #XXX: allow to skip the 'critical port' options if nil
+          if @context[:critical_ports] == nil || @context[:critical_ports].empty?
+            port = nil
+            if permission_info['fromPort'].to_i == permission_info['toPort'].to_i
+              port = permission_info['fromPort'].to_i
+              post_message("=> found unique port: #{port}")
+            end
+            @context[:result][:affected_groups] << {:name => group_info['groupName'],
+                  :from =>  permission_info['fromPort'], :to => permission_info['toPort'],
+                  :concerned => port, :prot => permission_info['ipProtocol'],
+                  :vpc_ref => vpc_ref, :igw_ref => igw_ref}
+            post_message("=> found at least one port publicly opened")
+          else
+            @context[:critical_ports].each() do |port|
+              if permission_info['fromPort'].to_i <= port && permission_info['toPort'].to_i >= port
+                @context[:result][:affected_groups] << {:name => group_info['groupName'],
+                  :from => permission_info['fromPort'], :to => permission_info['toPort'],
+                  :concerned => port, :prot => permission_info['ipProtocol'],
+                  :vpc_ref => vpc_ref, :igw_ref => igw_ref}
+                post_message("=> found publically accessible port range that contains "+
+                    "critical port for group #{group_info['groupName']}: #{permission_info['fromPort']}-#{permission_info['toPort']}")
+              end
+            end
+          end
+        end
+      end
+      Done.new(@context)
+    end
+  end
+  # Script done.
+  class Done < CriticalPortsAuditState
+    def done?
+      true
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: CloudyScripts
 version: !ruby/object:Gem::Version
-  hash: 125
+  hash: 67
   prerelease: false
   segments:
   - 2
   - 11
-  - 47
-  version: 2.11.47
+  - 48
+  version: 2.11.48
 platform: ruby
 authors:
 - Matthias Jung
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2011-11-17 00:00:00 +00:00
+date: 2011-11-29 00:00:00 +00:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency
@@ -253,6 +253,7 @@ files:
 - lib/scripts/vCloud/open_port_checker_vm.rb
 - lib/scripts/ec2/port_range_detector.rb
 - lib/scripts/ec2/dm_encrypt.rb
+- lib/scripts/ec2/vpc_critical_ports_audit.rb
 - lib/scripts/ec2/ami2_ebs_conversion.rb
 - lib/scripts/ec2/audit_via_ssh.rb
 - lib/scripts/ec2/open_port_checker.rb