nexpose_cyberark 0.0.1-java

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    ZjU1OTg2OGJiYTQxMzk1ZjIyOTE2ZTZkMWQwMmNkMzkyZThkMzQ5ZA==
+  data.tar.gz: !binary |-
+    NmY1YTRlYzEwYTgxMmRjNjgxOTZkZTYxYjkxNWEyZjc2MzY0NTgzMA==
+SHA512:
+  metadata.gz: !binary |-
+    MGQxMTRkMDI4OGMwN2U2MDVkNGRhZTEwMTljNTU3N2Y4NjYzMTQwNTRiNmUz
+    OWE5NjhlMzg1MzJkMTMxMDE3MzFhZjA0ZTE2NzZjNjg5YWJjNGQ5MWFlYjQ3
+    MTJiMTRjODRlOTcxN2RlOWFlMTBkZDBjNTI4NmYxMWE0NTEzMjU=
+  data.tar.gz: !binary |-
+    M2RmNDAwMTk5YWRlYjQwZDY0MGFkNmRmOTQ4NWVmOGMxNzc1MzBiOWJiNzg5
+    YjA1YjAzYzIwMDgzNDhlOTE4YTJlNzYwNTJmYmM3YmEzOWFhODhlOGU5Nzg0
+    OTFiMjFmMjQ0ZGM4ZWY0ZjYyMTQzMzIxMzA4NmZlZDVjNjM3ZTk=

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in nexpose_cyberark.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,37 @@
+PATH
+  remote: .
+  specs:
+    nexpose_cyberark (0.0.1-java)
+      nexpose (>= 0.6.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    diff-lcs (1.2.5)
+    librex (0.0.68)
+    nexpose (0.7.6)
+      librex (~> 0.0, >= 0.0.68)
+      rex (~> 1.0, >= 1.0.2)
+    rake (10.3.2)
+    rex (1.0.2)
+    rspec (3.0.0)
+      rspec-core (~> 3.0.0)
+      rspec-expectations (~> 3.0.0)
+      rspec-mocks (~> 3.0.0)
+    rspec-core (3.0.2)
+      rspec-support (~> 3.0.0)
+    rspec-expectations (3.0.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.0.0)
+    rspec-mocks (3.0.2)
+      rspec-support (~> 3.0.0)
+    rspec-support (3.0.2)
+
+PLATFORMS
+  java
+
+DEPENDENCIES
+  bundler (~> 1.6)
+  nexpose_cyberark!
+  rake
+  rspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Damian Finol
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,33 @@
+# NexposeCyberark
+
+The nexpose CyberArk integration allows the use of credentials stored in CyberArk Vault to be used in scanning jobs,
+allowing Nexpose to perform authenticated scans, increasing the confidence in fingerprinting and vulnerabilities found.
+
+## Installation
+
+This is a JRuby Gem, it uses CyberArk's Java libraries to perform queries on CyberArk's vaults and Ruby libraries to
+communicate with Nexpose. As such, JRuby needs to be installed on the target system.
+
+BEFORE INSTALLATION:
+* Install CyberArk's provided Password SDK Client on the system
+* Configure CyberArk vault Objects to match Nexpose scan targets:
+    For example if a Nexpose hostname is in the form of 'systemv6.mydomain.com' your Object must be 'systemv6.mydomain.com'
+    If the scan target is an IP address, the object name must be the IP address.
+* Make sure the Policy ID of your objects include the description of the OS: 'unix' or 'windows'
+
+## Usage
+
+ 	Configure Vault settings:
+o	APP ID, Safe, Folder properties from CyberArk. Please refer to CyberArk documentation.
+ 	Configure Nexpose settings:
+o	A valid nexpose user, password, ip address and sites to manage.
+o	The start scan variable. If set to true, once updated the gem will trigger a scan of the site, wait until it’s finished and deletes the credentials stored. If set to false, it’ll not kick a scan and will run on scheduled.
+ 	Run the script for the first time.
+o	The script can be run using the command from the command line:
+             jruby nx_cyberark.rb
+o	The script will run and perform the queries, if the start scan variable is set to false, the script will exit silently; otherwise the script will output the status of each scan
+
+
+## Help
+
+* Email us to integrations_support@rapid7.com

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+

data/bin/nx_cyberark.rb

@@ -0,0 +1,45 @@
+#!/usr/bin/env ruby
+# Nexpose Cyberark Integration
+# Please refer to the configuration documentation for instructions on how to run this gem
+# Do NOT run this gem without proper pre-configuration.
+require 'nexpose_cyberark'
+
+# ---- CyberArk Configuration ---- #
+# Vault Options
+# App ID
+app_id = 'Rapid7'
+# Safe
+safe = 'Rapid 7 Accounts'
+# Folder
+folder = 'Root'
+# Objects should have the same name as their counterparts in Nexpose
+#  IE: 'serverx01.mydomain.com' in both Cyberark and Nexpose.
+#  Individual IP's will be queried and should also correspond to Object names.
+#  For ranges, this integration will use the first IP as the credential for all the range.
+#  Finally, PolicyIDs in Cyberark should have 'unix' or 'windows' as part of their name for proper credential
+#     type assignment in Nexpose (ssh / cifs)
+# ---- End CyberArk Configuration ---- #
+
+# ---- Nexpose Configuration ---- #
+# Nexpose username
+nxuser = 'nxadmin'
+# Nexpose password
+nxpasswd = 'nxadmin'
+# Nexpose IP Address
+nxip = 'localhost'
+# Sites to process credentials, separated by commas, ie: [3, 4, 6]
+sites = [ 1 ]
+# Start scans?
+# This setting will start scans on those sites, wait for the site to complete and then remove the credentials
+# If you prefer to let the scans run on schedule, set this to false, otherwise set to true.
+start_scans = false
+# ---- End Nexpose Configuration ---- #
+
+
+
+# --- DO NOT EDIT BELOW THIS LINE --- #
+
+vault_options = { :app_id => app_id, :safe => safe, :folder => folder }
+nexpose_options = { :nxip => nxip, :nxuser => nxuser, :nxpassword => nxpasswd, :sites => sites }
+NexposeCyberark::Vault.update_credentials(vault_options, nexpose_options)
+NexposeCyberark::Vault.start_scans(nexpose_options) if start_scans

data/lib/nexpose_cyberark.rb

@@ -0,0 +1,48 @@
+require "nexpose_cyberark/version"
+Dir[File.dirname(__FILE__)+'/nexpose_cyberark/lib/java/*.jar'].each { |jar| require jar }
+require "nexpose_cyberark/password_ops"
+require "nexpose_cyberark/nexpose_ops"
+module NexposeCyberark
+  module Vault
+    def self.update_credentials(vault_options, nexpose_options = nil)
+      @nx = Ops::Nexpose.new(nexpose_options[:nxip], nexpose_options[:nxuser], nexpose_options[:nxpassword])
+      # Parse sites from config
+      nexpose_options[:sites].each do |site_id|
+        # Get ips for each site
+        site_ips = @nx.get_ips_from_site(site_id)
+        site_credentials = []
+        # Get password for each IP
+        site_ips.each do |asset|
+          host = ''
+          host = asset.host if asset.is_a?(HostName)
+          host = asset.from if asset.is_a?(IPRange)
+          range_scenario = false
+          if asset.is_a?(IPRange) then range_scenario = true  unless asset.from.nil? end
+          vault_options[:object] = host
+          asset_data = PasswordOps::get_password(vault_options)
+          host = nil if range_scenario
+          unless asset_data[:password].nil?
+            credential_cifs = Credential.for_service(asset_data[:os], 'Administrator', asset_data, nil, host)
+            site_credentials.push(credential_cifs)
+          end
+        end
+        # Save site
+        @nx.save_site(site_id, site_credentials)
+      end
+    end
+    def self.start_scans(nexpose_options = nil)
+      @nx = Ops::Nexpose.new(nexpose_options[:nxip], nexpose_options[:nxuser], nexpose_options[:nxpassword])
+      nexpose_options[:sites].each do |site_id|
+        puts "Starting scan #{site_id}"
+        scan = @nx.start_scan(site_id)
+        begin
+          sleep(30)
+          status = @nx.scan_status(scan.id)
+          puts "Waiting for scan #{scan.id} to finish"
+        end while status == Scan::Status::RUNNING
+        puts "Deleting creds for #{site_id}"
+        @nx.delete_site_credentials(site_id)
+      end
+    end
+  end
+end

data/lib/nexpose_cyberark/nexpose_ops.rb

@@ -0,0 +1,37 @@
+require 'nexpose'
+include Nexpose
+module Ops
+  class Nexpose
+    attr_accessor :nsc
+    def initialize(nxip, nxuser, nxpasword)
+      @nsc = Connection.new(nxip, nxuser, nxpasword)
+      @nsc.login
+    end
+
+    def get_ips_from_site(site_id)
+      site = Site.load(@nsc, site_id)
+      site.assets
+    end
+
+    def save_site(site_id, credentials)
+      site = Site.load(@nsc, site_id)
+      site.credentials = credentials
+      site.save(@nsc)
+    end
+
+    def delete_site_credentials(site_id)
+      site = Site.load(@nsc, site_id)
+      site.credentials = []
+      site.save(@nsc)
+    end
+
+    def start_scan(site_id)
+      site = Site.load(@nsc, site_id)
+      site.scan(@nsc)
+    end
+
+    def scan_status(scan_id)
+      @nsc.scan_status(scan_id)
+    end
+  end
+end

data/lib/nexpose_cyberark/password_ops.rb

@@ -0,0 +1,29 @@
+module PasswordOps
+
+  def self.cyberark
+    Java::javapasswordsdk
+  end
+
+  def self.get_password(vault_options = {}, password_req_sdk = nil, password_sdk = nil )
+    password_req_sdk = cyberark.PSDKPasswordRequest.new if password_req_sdk.nil?
+    asset_data = {}
+    begin
+      password_req_sdk.set_app_id(vault_options[:app_id])
+      password_req_sdk.set_safe(vault_options[:safe])
+      password_req_sdk.set_folder(vault_options[:folder])
+      password_req_sdk.set_object(vault_options[:object])
+      password_sdk = cyberark.PasswordSDK if password_sdk.nil?
+      password_result = password_sdk.getPassword(password_req_sdk)
+      if password_result.get_policy_id.downcase.include? 'unix'
+        #puts password_result.get_policy_id.downcase.include? 'unix'
+        asset_data[:os] = 'ssh'
+      else
+        asset_data[:os] = 'cifs'
+      end
+      asset_data[:password] = password_result.get_content
+    rescue Exception => e
+
+    end
+    asset_data
+  end
+end

data/lib/nexpose_cyberark/version.rb

@@ -0,0 +1,3 @@
+module NexposeCyberark
+  VERSION = "0.0.1"
+end

data/nexpose_cyberark.gemspec

@@ -0,0 +1,27 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'nexpose_cyberark/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'nexpose_cyberark'
+  spec.version       = NexposeCyberark::VERSION
+  spec.authors       = ['Damian Finol']
+  spec.email         = ['damian_finol@rapid7.com']
+  spec.summary       = %q{Nexpose Cyberark integration.}
+  spec.description   = %q{Nexpose Cyberark integration provides credentials for authenticated scans in Nexpose.}
+  spec.homepage      = 'http://www.rapid7.com/'
+  spec.license       = 'MIT'
+
+  spec.files         = Dir['[A-Z]*'] + Dir['lib/**/*'] + Dir['bin/**']
+  spec.files.reject! { |fn| fn.include? "CVS" }
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+  spec.platform      = 'java'
+
+  spec.add_development_dependency 'bundler', '~> 1.6'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec'
+  spec.add_dependency('nexpose', '>= 0.6.0')
+end

metadata

@@ -0,0 +1,114 @@
+--- !ruby/object:Gem::Specification
+name: nexpose_cyberark
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: java
+authors:
+- Damian Finol
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-06-25 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.6'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: nexpose
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.6.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.6.0
+description: Nexpose Cyberark integration provides credentials for authenticated scans
+  in Nexpose.
+email:
+- damian_finol@rapid7.com
+executables:
+- nx_cyberark.rb
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/nx_cyberark.rb
+- lib/nexpose_cyberark.rb
+- lib/nexpose_cyberark/lib/java/JavaPasswordSDK.jar
+- lib/nexpose_cyberark/nexpose_ops.rb
+- lib/nexpose_cyberark/password_ops.rb
+- lib/nexpose_cyberark/version.rb
+- nexpose_cyberark.gemspec
+homepage: http://www.rapid7.com/
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Nexpose Cyberark integration.
+test_files: []