nexpose_cyberark 0.0.5-java → 0.0.7-java

checksums.yaml CHANGED
@@ -1,15 +1,7 @@
1
1
  ---
2
- !binary "U0hBMQ==":
3
- metadata.gz: !binary |-
4
- MDIzMGQ4MWQxMmJhYTEwYWUyNjI2OGNjMWE5ZDllMmViZjhhMTg1Yg==
5
- data.tar.gz: !binary |-
6
- ZDBiNTUzMWNkOGI4OTIyOWQ4Njk2YzRmZGVjOWVkMThhNGQzNzUzNg==
2
+ SHA1:
3
+ metadata.gz: 68e0232ec62a2c5b8577a31de453c00a2de0b16d
4
+ data.tar.gz: 20c1ac8801f2d86785cc06be593ca95c35430c0e
7
5
  SHA512:
8
- metadata.gz: !binary |-
9
- NTlkNTI2MTdlOWUyZDdmZjg3NWE3YjQ2OThhZDVlZjA0M2ViMDNiMmVhODQz
10
- M2ZkYWU3NWI2M2JiMmZmNmQ4YzFjNDc1ZDQyNDkyYjM4N2Y3M2I0YTZlOGUz
11
- M2ExYmFiZDJlMTQ0YTQ4MjAzMzViZjEzNmNmYzE3NzU3OGM1YmY=
12
- data.tar.gz: !binary |-
13
- ZTA1NmVmOTc4Y2RhZWVlZTcxODQ1MzA3ODE3MDBjNjc4NzUwODM0N2Q5ZmY1
14
- NjhjOWEyMjA5ODBmZWU4ZjM2ZDMxMmE1ZjdiY2VkNWE3NzZjNDllZmU1NjVl
15
- MDY2NDczZDYxNjYxNDM2MTljYjk4MDM2ZDczOTQwYzU1YjU3ZDA=
6
+ metadata.gz: 68a621af64dc0b8e4e8ff251c920ff10c26345a5c19e4632fd745a4ee21b32cfd0dd7a2e8c2613b77b8de77f5bb6d6950dd4853b74418cc515ffc02edc7a955f
7
+ data.tar.gz: 73768b500ae65ac6c9d05dc3b314cc036201a1aeaba6b8595c81f92b040d741e75b6c30e5d97f281efdc10fa9e1f788d6835ae2ea464cb245079e7fd45624ee8
data/README.md CHANGED
@@ -1,33 +1,93 @@
1
- # NexposeCyberark
1
+ # Nexpose Cyberark Integration
2
2
 
3
- The nexpose CyberArk integration allows the use of credentials stored in CyberArk Vault to be used in scanning jobs,
4
- allowing Nexpose to perform authenticated scans, increasing the confidence in fingerprinting and vulnerabilities found.
3
+ This is the official gem package for the **JRuby Nexpose Cyberark Integration**
4
+
5
+ For assistance with using the gem please email the Rapid7 integrations support team at <support@rapid7.com>
6
+
7
+ ## About
8
+
9
+ Application Identity Manager is designed to randomize and store the passwords for accounts on target systems on a regular recurring basis. Because these passwords are stored and managed by the vault, they can be retrieved via an authorised partner provided Java SDK.
10
+
11
+ This integration is designed to import credentials for assets, stored in a password Vault in CyberArk, to enable the Nexpose Console to conduct authenticated scans.
12
+
13
+ The nexpose_cyberark integration contains functionality to start a scan automatically after loading credentials into Nexpose. This feature can be disabled from within the configuration file.
14
+
15
+ Below is a brief description of the two options:
16
+
17
+ * 'Y' (Yes) - The integration will retrieve the credentials for the assets to be scanned. These credentials are stored in Nexpose and a scan is started, with these credentials being available. Once the scan is completed, the credentials are removed from Nexpose.
18
+ * 'N' (No) -­ The integration will retrieve the credentials for the assets to be scanned. These credentials are then stored as part of the site authentication information in Nexpose. The program will then exit. This mode does not delete credentials upon completion, but leaves the credentials in Nexpose for use during the next scan. These will need to be manually removed by the user, or will be removed automatically when the integration is used again.
19
+ This mode is useful for loading credentials into Nexpose for use in scheduled scans.
5
20
 
6
21
  ## Installation
7
22
 
8
- This is a JRuby Gem, it uses CyberArk's Java libraries to perform queries on CyberArk's vaults and Ruby libraries to
9
- communicate with Nexpose. As such, JRuby needs to be installed on the target system.
23
+ This is a JRuby Gem, it uses CyberArk's Java libraries to perform queries on CyberArk's vaults and Ruby libraries to communicate with Nexpose. As such, JRuby needs to be installed on the target system.
24
+
25
+ The following link shows the different options for installing JRuby on several platforms:
26
+
27
+ <http://jruby.org/>
28
+
29
+ RubyGems is the other prerequisite for using nexpose_cyberark. After successfully installing the JRuby interpreter, install RubyGems.
30
+ The following link shows the different options for installing RubyGems in several platforms:
31
+
32
+ <http://rubygems.org/>
33
+
34
+ #### BEFORE INSTALLATION:
35
+
36
+ * Install CyberArk's provided Password SDK Client on the system. Please refer to Cyberark documentation for installation and configuration of the Password SDK
37
+ * Once installed and configured we must go to out Vault and make sure the assets have the following characteristics:
38
+ 1. Naming in CyberArk
39
+ For credentials to be imported successfully into Nexpose from CyberArk, they must be commonly named so they can be resolved to a unique asset.
40
+ The nexpose_cyberark integration currently supports the following naming conventions in both Nexpose and CyberArk:
41
+
42
+ * The full-­qualified domain name of the asset.
43
+ * The IP address of the asset.
44
+
45
+ The integration is able to resolve a domain name from an IP address, and vice versa, allowing flexibility when creating and naming objects in the CyberArk vault. This will also allow flexibility when adding assets to a site and storing credentials within the vault.
46
+ IP ranges are also supported when scanning a site -­ the integration will correctly resolve and load credentials for the assets in the range.
47
+ _Note_: please ensure the host system of the integration has correctly configured DNS settings to allow the resolution of IP/FQDNs.
48
+ 2. The policy ID of the Object needs to be entered into the configuration file of the integration (see below). Policy IDs must uniquely point to either the 'Unix' OS or 'Windows' OS which tie to the authentication method Nexpose uses to conduct an authenticated scan (SSH or SMB/CIFS)
49
+ The APP ID, Safe and Folder names are required to fully configure the integration. Please refer to CyberArk documentation for more information and make a note of these.
50
+
51
+ After installing Ruby and RubyGems, install nexpose_cyberark by opening a command prompt or terminal window with JRuby and RubyGems added to the PATH and run the following command:
52
+
53
+ ```ruby
54
+ gem install nexpose_cyberark
55
+ ```
56
+
57
+ This command will install the CyberArk Integration Gem and all necessary prerequisites.
58
+
59
+ #### Configuring the CyberArk Gem
60
+
61
+ Once all dependencies have been installed, the configuration files need to be edited with the details of the target CyberArk Instance. To insert the details, open the configuration file under the config folder found in the Gem installation:
62
+
63
+ * Windows: C:\JRuby\<version\>\lib\ruby\gems\shared\gems\nexpose_cyberark-­\<version\>-java\lib\nexpose_cyberark\config
64
+ * Linux: /var/lib/gems/\<version\>/gems/nexpose_cyberark-­\<version\>-­java/lib/nexpose_cyberark/config
65
+
66
+ Your installation folder may differ; please refer to the Ruby documentation for the specific location.
67
+
68
+ To finish configuration, the following environment variables must be setup on the host:
69
+
70
+ | ENV_VAR | Description | Sample Value|
71
+ | ---------------- |:----------------------------------:| -----------:|
72
+ | NEXPOSE_URL | Address of Nexpose Server | 127.0.0.1 |
73
+ | NEXPOSE_USERNAME | User with site and scan credentials| JBloggs |
74
+ | NEXPOSE_PASSWORD | Password for user | Password |
75
+ | NEXPOSE_PORT | Nexpose port | 3780 |
10
76
 
11
- BEFORE INSTALLATION:
12
- * Install CyberArk's provided Password SDK Client on the system
13
- * Configure CyberArk vault Objects to match Nexpose scan targets:
14
- For example if a Nexpose hostname is in the form of 'systemv6.mydomain.com' your Object must be 'systemv6.mydomain.com'
15
- If the scan target is an IP address, the object name must be the IP address.
16
- * Make sure the Policy ID of your objects include the description of the OS: 'unix' or 'windows'
77
+ Please ensure the environment variables are named **_exactly_** as above
17
78
 
18
79
  ## Usage
19
80
 
20
- Configure Vault settings:
21
- o APP ID, Safe, Folder properties from CyberArk. Please refer to CyberArk documentation.
22
- Configure Nexpose settings:
23
- o A valid nexpose user, password, ip address and sites to manage.
24
- o The start scan variable. If set to true, once updated the gem will trigger a scan of the site, wait until it’s finished and deletes the credentials stored. If set to false, it’ll not kick a scan and will run on scheduled.
25
- Run the script for the first time.
26
- o The script can be run using the command from the command line:
27
- jruby nx_cyberark.rb
28
- o The script will run and perform the queries, if the start scan variable is set to false, the script will exit silently; otherwise the script will output the status of each scan
81
+ Assuming the Nexpose and CyberArk parameters are correctly configured, issue the command:
29
82
 
83
+ ```ruby
84
+ jruby nx_cyberark.rb
85
+ ```
30
86
 
31
- ## Help
87
+ from a command / bash shell within the "bin" folder of the Gem. Every time this command is executed, the service will query the site on Nexpose to retrieve the assets to be scanned, query CyberArk for the correct credentials for the assets and return them to Nexpose to validate the scan.
88
+ The script will run and perform the queries: if the start_scans variable is set to false, the script will exit silently, leaving the
89
+ credentials in Nexpose for use in the next scan; otherwise the script will output the status of each scan performed and
90
+ remove the credentials from Nexpose upon completion.
32
91
 
33
- * Email us to integrations_support@rapid7.com
92
+ Note: Passwords stored in CyberArk can be rotated before a scan is initiated. Make sure to properly synchronise the
93
+ scanning window with your password rotations.
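Review bot: The Usage paragraph at new lines 88-90 describes the switch as "the start_scans variable is set to false", while the About section at new lines 17-18 documents the same choice as 'Y' / 'N'. Use one form and name the configuration key in both places, so an operator cannot end up in the credential-retaining mode by accident. The 'N' entry says credentials stay in Nexpose until manual removal or the next run; it should say where they are stored and how to remove them. The fenced blocks at new lines 53 and 83 are shell commands and should not be tagged as ruby, and new line 37 has a typo ("go to out Vault").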
@@ -3,7 +3,7 @@ require 'nexpose_cyberark/password_ops'
3
3
  require 'nexpose_cyberark/nexpose_ops'
4
4
  require 'nexpose_cyberark/version'
5
5
  require 'waitutil'
6
- require 'Resolv'
6
+ require 'resolv'
7
7
 
8
8
  module NexposeCyberark
9
9
  module Vault
@@ -11,8 +11,12 @@ module NexposeCyberark
11
11
  def self.update_credentials(vault_options, nexpose_options = nil)
12
12
  #Setup logger
13
13
  @log = NexposeCyberark::NxLogger.instance
14
- @log.setup_logging(nexpose_options[:logging] || true, nexpose_options[:log_level] || 'info')
15
- @log.setup_statistics_collection(NexposeCyberark::VENDOR, NexposeCyberark::PRODUCT_NAME, NexposeCyberark::VERSION)
14
+
15
+ log_enabled = nexpose_options[:logging].downcase.start_with? 'y'
16
+ @log.setup_statistics_collection(NexposeCyberark::VENDOR,
17
+ NexposeCyberark::PRODUCT_NAME,
18
+ NexposeCyberark::VERSION)
19
+ @log.setup_logging(log_enabled, nexpose_options[:log_level] || 'info')
16
20
 
17
21
  @nx = Ops::Nexpose.new(nexpose_options[:nxip], nexpose_options[:nxport], nexpose_options[:nxuser], nexpose_options[:nxpassword])
18
22
  @log.log_message('Connection to the Nexpose console complete!')
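Review bot: `nexpose_options[:logging].downcase` at new line 15 raises NoMethodError when `:logging` is absent, and the signature still allows `nexpose_options = nil`; the removed line's `|| true` fallback has no replacement. Suggest `(nexpose_options[:logging] || 'y').to_s.downcase.start_with?('y')`, and either drop the `= nil` default or raise an ArgumentError up front, since lines 15-21 all index into the hash.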
@@ -7,7 +7,7 @@ module Ops
7
7
  def initialize(nxip, nxport, nxuser, nxpasword)
8
8
  @log = NexposeCyberark::NxLogger.instance
9
9
  @log.log_message('Connecting to the Nexpose console..')
10
- @nsc = Connection.new(nxip, nxuser, nxpasword)
10
+ @nsc = Connection.new(nxip, nxuser, nxpasword, nxport)
11
11
  @nsc.login
12
12
  @log.on_connect(nxip, nxport, @nsc.session_id, '{}')
13
13
  end
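Review bot: `nxport` at new line 10 is handed to `Connection.new` exactly as received, with no default or integer conversion in this constructor, so a nil or string port is left for `Connection` to interpret. Convert and validate it here (for example `Integer(nxport)`) and fail with a clear message before `@nsc.login`. The parameter name `nxpasword` in the signature at line 7 is misspelled and worth fixing while this line is being touched.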
@@ -97,4 +97,4 @@ module Ops
97
97
  status
98
98
  end
99
99
  end
100
- end
100
+ end
@@ -6,27 +6,23 @@ require 'singleton'
6
6
  module NexposeCyberark
7
7
  class NxLogger
8
8
  include Singleton
9
- attr_accessor :options, :statistic_key, :product, :logger_file
10
9
  LOG_PATH = "./logs/rapid7_%s.log"
11
10
  KEY_FORMAT = "external.integration.%s"
12
11
  PRODUCT_FORMAT = "%s_%s"
13
12
 
14
13
  DEFAULT_LOG = 'integration'
15
- PRODUCT_RANGE = 3..30
14
+ PRODUCT_RANGE = 4..30
16
15
  KEY_RANGE = 3..15
17
16
 
18
17
  ENDPOINT = '/data/external/statistic/'
19
18
 
20
19
  def initialize()
21
- @logger_file = get_log_path product
20
+ create_calls
21
+ @logger_file = get_log_path @product
22
22
  setup_logging(true, 'info')
23
23
  end
24
24
 
25
25
  def setup_statistics_collection(vendor, product_name, gem_version)
26
- #Remove illegal characters
27
- vendor.to_s.gsub!('-', '_')
28
- product_name.to_s.gsub!('-', '_')
29
-
30
26
  begin
31
27
  @statistic_key = get_statistic_key vendor
32
28
  @product = get_product product_name, gem_version
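Review bot: `initialize` at new lines 20-21 calls `get_log_path @product` before `setup_statistics_collection` has assigned `@product`, so the first log path is always computed from nil. If the intent is to start on `DEFAULT_LOG` and switch files later, say so in a comment or pass `DEFAULT_LOG` explicitly. `create_calls` also has to run before `setup_logging(true, 'info')` because the log methods are now generated at runtime; that ordering dependency deserves a comment. The change of `PRODUCT_RANGE` from `3..30` to `4..30` at line 14 has no explanation.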
@@ -35,47 +31,43 @@ module NexposeCyberark
35
31
  end
36
32
  end
37
33
 
38
- def setup_logging(enabled, log_level = nil)
39
- unless enabled || @log.nil?
40
- log_message('Logging disabled.')
41
- return
42
- end
34
+ def setup_logging(enabled, log_level = 'info', stdout=false)
35
+ @stdout = stdout
43
36
 
44
- @logger_file = get_log_path product
37
+ log_message('Logging disabled.') unless enabled || @log.nil?
38
+ @enabled = enabled
39
+ return unless @enabled
40
+
41
+ @logger_file = get_log_path @product
45
42
 
46
43
  require 'logger'
47
44
  directory = File.dirname(@logger_file)
48
45
  FileUtils.mkdir_p(directory) unless File.directory?(directory)
49
- io = IO.for_fd(IO.sysopen(@logger_file, 'a'))
46
+ io = IO.for_fd(IO.sysopen(@logger_file, 'a'), 'a')
50
47
  io.autoclose = false
51
48
  io.sync = true
52
49
  @log = Logger.new(io, 'weekly')
53
- @log.level = if log_level.casecmp('info') == 0
54
- Logger::INFO
50
+ @log.level = if log_level.to_s.casecmp('info') == 0
51
+ Logger::INFO
55
52
  else
56
53
  Logger::DEBUG
57
54
  end
58
55
  log_message("Logging enabled at level <#{log_level}>")
59
56
  end
60
57
 
61
- # Logs an info message
62
- def log_message(message)
63
- @log.info(message) unless @log.nil?
64
- end
65
-
66
- # Logs a debug message
67
- def log_debug_message(message)
68
- @log.debug(message) unless @log.nil?
69
- end
70
-
71
- # Logs an error message
72
- def log_error_message(message)
73
- @log.error(message) unless @log.nil?
58
+ def create_calls
59
+ levels = [:info, :debug, :error, :warn]
60
+ levels.each do |level|
61
+ method_name =
62
+ define_singleton_method("log_#{level.to_s}_message") do |message|
63
+ puts message if @stdout
64
+ @log.send(level, message) unless !@enabled || @log.nil?
65
+ end
66
+ end
74
67
  end
75
68
 
76
- # Logs a warn message
77
- def log_warn_message(message)
78
- @log.warn(message) unless @log.nil?
69
+ def log_message(message)
70
+ log_info_message message
79
71
  end
80
72
 
81
73
  def log_stat_message(message)
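Review bot: `method_name =` at new line 61 is a leftover assignment whose value is never used; drop it so the block calls `define_singleton_method` directly. `puts message if @stdout` at line 63 sits outside the `@enabled` check on line 64, so messages still reach stdout when logging is disabled; gate it on `@enabled` or document that behaviour. The four explicit `log_*_message` methods carried doc comments that are now gone, so add a comment above `create_calls` listing the methods it defines.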
@@ -92,13 +84,28 @@ module NexposeCyberark
92
84
  return nil
93
85
  end
94
86
 
87
+ vendor.gsub!('-', '_')
88
+ vendor.slice! vendor.rindex('_') until vendor.count('_') <= 1
89
+
90
+ vendor.delete! "^A-Za-z0-9\_"
91
+
95
92
  KEY_FORMAT % vendor[0...KEY_RANGE.max].downcase
96
93
  end
97
94
 
98
95
  def get_product(product, version)
99
- return nil if (product.nil? || version.nil?)
96
+ return nil if ((product.nil? || product.empty?) ||
97
+ (version.nil? || version.empty?))
98
+
99
+ product.gsub!('-', '_')
100
+ product.slice! product.rindex('_') until product.count('_') <= 1
101
+
102
+ product.delete! "^A-Za-z0-9\_"
103
+ version.delete! "^A-Za-z0-9\.\-"
104
+
100
105
  product = (PRODUCT_FORMAT % [product, version])[0...PRODUCT_RANGE.max]
101
106
 
107
+ product.slice! product.rindex(/[A-Z0-9]/i)+1..-1
108
+
102
109
  if product.length < PRODUCT_RANGE.min
103
110
  log_stat_message("Product length below minimum <#{PRODUCT_RANGE.min}>.")
104
111
  return nil
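Review bot: `vendor.gsub!`, `product.gsub!`, `product.delete!` and `version.delete!` at new lines 87-103 modify the caller's strings in place and raise on frozen strings; work on a `dup` of each argument instead. `product.rindex(/[A-Z0-9]/i)+1` at line 107 raises NoMethodError when sanitising leaves no alphanumeric character, because `rindex` returns nil; check for nil and return nil as the length check below does. The `\_` escapes inside the double-quoted `delete!` patterns are unnecessary.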
@@ -107,9 +114,12 @@ module NexposeCyberark
107
114
  end
108
115
 
109
116
  def generate_payload(statistic_value='')
110
- payload = {'statistic-key' => @statistic_key,
111
- 'statistic-value' => statistic_value,
112
- 'product' => @product}
117
+ product_name, separator, version = @product.to_s.rpartition('_')
118
+ payload_value = {'version' => version}.to_json
119
+
120
+ payload = {'statistic-key' => @statistic_key.to_s,
121
+ 'statistic-value' => payload_value,
122
+ 'product' => product_name}
113
123
  JSON.generate(payload)
114
124
  end
115
125
 
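Review bot: the `statistic_value` parameter of `generate_payload` is no longer used: 'statistic-value' is always built from the version at new lines 118-121, so whatever a caller passes is silently dropped. Remove the parameter or merge it into `payload_value`. `separator` at line 117 is unused (name it `_`), and when `@product` is nil `rpartition` returns empty strings, so a payload with an empty product and version is generated rather than being skipped.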
@@ -126,6 +136,7 @@ module NexposeCyberark
126
136
  log_stat_message "Received code #{response.code} from Nexpose console."
127
137
  log_stat_message "Received message #{response.msg} from Nexpose console."
128
138
  log_stat_message 'Finished sending statistics data to Nexpose.'
139
+
129
140
  response.code
130
141
  end
131
142
 
@@ -137,7 +148,7 @@ module NexposeCyberark
137
148
  log_stat_message('Statistics collection not enabled.')
138
149
  return
139
150
  end
140
-
151
+
141
152
  begin
142
153
  payload = generate_payload value
143
154
  send(nexpose_address, nexpose_port, session_id, payload)
@@ -146,5 +157,10 @@ module NexposeCyberark
146
157
  end
147
158
  end
148
159
 
160
+ #Used by net library for debugging
161
+ def <<(value)
162
+ log_debug_message(value)
163
+ end
164
+
149
165
  end
150
166
  end
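Review bot: `<<` at new lines 161-163 forwards whatever the net library writes straight to `log_debug_message` with no filtering. If this object is passed to `Net::HTTP#set_debug_output`, as the comment suggests, that stream contains full request and response headers and bodies, so session identifiers sent to the console can end up in the log file at debug level. Redact sensitive headers before logging, or document that debug level is for troubleshooting only and restrict the log file's permissions.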
@@ -1,5 +1,5 @@
1
1
  module NexposeCyberark
2
- VERSION = "0.0.5"
2
+ VERSION = "0.0.7"
3
3
  VENDOR = "Cyberark"
4
4
  PRODUCT_NAME = "nexpose_cyberark"
5
5
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: nexpose_cyberark
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.5
4
+ version: 0.0.7
5
5
  platform: java
6
6
  authors:
7
7
  - Damian Finol
@@ -9,82 +9,82 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2015-12-11 00:00:00.000000000 Z
12
+ date: 2016-09-07 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: bundler
16
16
  requirement: !ruby/object:Gem::Requirement
17
17
  requirements:
18
- - - ~>
18
+ - - "~>"
19
19
  - !ruby/object:Gem::Version
20
20
  version: '1.6'
21
21
  type: :development
22
22
  prerelease: false
23
23
  version_requirements: !ruby/object:Gem::Requirement
24
24
  requirements:
25
- - - ~>
25
+ - - "~>"
26
26
  - !ruby/object:Gem::Version
27
27
  version: '1.6'
28
28
  - !ruby/object:Gem::Dependency
29
29
  name: rake
30
30
  requirement: !ruby/object:Gem::Requirement
31
31
  requirements:
32
- - - ~>
32
+ - - "~>"
33
33
  - !ruby/object:Gem::Version
34
34
  version: '10.4'
35
35
  type: :development
36
36
  prerelease: false
37
37
  version_requirements: !ruby/object:Gem::Requirement
38
38
  requirements:
39
- - - ~>
39
+ - - "~>"
40
40
  - !ruby/object:Gem::Version
41
41
  version: '10.4'
42
42
  - !ruby/object:Gem::Dependency
43
43
  name: rspec
44
44
  requirement: !ruby/object:Gem::Requirement
45
45
  requirements:
46
- - - ~>
46
+ - - "~>"
47
47
  - !ruby/object:Gem::Version
48
48
  version: '2.1'
49
49
  type: :development
50
50
  prerelease: false
51
51
  version_requirements: !ruby/object:Gem::Requirement
52
52
  requirements:
53
- - - ~>
53
+ - - "~>"
54
54
  - !ruby/object:Gem::Version
55
55
  version: '2.1'
56
56
  - !ruby/object:Gem::Dependency
57
57
  name: nexpose
58
58
  requirement: !ruby/object:Gem::Requirement
59
59
  requirements:
60
- - - ~>
60
+ - - "~>"
61
61
  - !ruby/object:Gem::Version
62
62
  version: '2.1'
63
63
  type: :runtime
64
64
  prerelease: false
65
65
  version_requirements: !ruby/object:Gem::Requirement
66
66
  requirements:
67
- - - ~>
67
+ - - "~>"
68
68
  - !ruby/object:Gem::Version
69
69
  version: '2.1'
70
70
  - !ruby/object:Gem::Dependency
71
71
  name: waitutil
72
72
  requirement: !ruby/object:Gem::Requirement
73
73
  requirements:
74
- - - ~>
74
+ - - "~>"
75
75
  - !ruby/object:Gem::Version
76
76
  version: '0.2'
77
77
  type: :runtime
78
78
  prerelease: false
79
79
  version_requirements: !ruby/object:Gem::Requirement
80
80
  requirements:
81
- - - ~>
81
+ - - "~>"
82
82
  - !ruby/object:Gem::Version
83
83
  version: '0.2'
84
84
  description: Nexpose Cyberark integration provides credentials for authenticated scans
85
85
  in Nexpose.
86
86
  email:
87
- - integrations_support@rapid7.com
87
+ - support@rapid7.com
88
88
  executables:
89
89
  - nx_cyberark.rb
90
90
  extensions: []
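Review bot: `cert_chain: []` at line 11 is unchanged, so 0.0.7 still ships unsigned. For a gem that retrieves vault credentials, signing the release would let consumers install it under a RubyGems trust policy (`gem install -P HighSecurity`). The contact address change at line 87 matches the README; no issue there.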
@@ -112,18 +112,19 @@ require_paths:
112
112
  - lib
113
113
  required_ruby_version: !ruby/object:Gem::Requirement
114
114
  requirements:
115
- - - ! '>='
115
+ - - ">="
116
116
  - !ruby/object:Gem::Version
117
117
  version: '0'
118
118
  required_rubygems_version: !ruby/object:Gem::Requirement
119
119
  requirements:
120
- - - ! '>='
120
+ - - ">="
121
121
  - !ruby/object:Gem::Version
122
122
  version: '0'
123
123
  requirements: []
124
124
  rubyforge_project:
125
- rubygems_version: 2.2.2
125
+ rubygems_version: 2.4.3
126
126
  signing_key:
127
127
  specification_version: 4
128
128
  summary: Nexpose Cyberark integration.
129
129
  test_files: []
130
+ has_rdoc: