norad_cli 0.1.15 → 0.1.16
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.rubocop.yml +3 -0
- data/lib/norad_cli/cli/sectest.rb +38 -35
- data/lib/norad_cli/support/sectest_container.rb +3 -3
- data/lib/norad_cli/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8860651242fcd0bf3b1705504a70f600823d6aac
|
|
4
|
+
data.tar.gz: 21aa5ac57a4b9a8c76ead029a59d4e6d57b9762d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cd71776227fa2fe192b53349624b8f09d4f2843554b0146d48c172c1a8339692e6fc338d00ac022032e71539a26f552dbc2935be61eb135cbbc413329c5989c9
|
|
7
|
+
data.tar.gz: b05c1f5a97cb2bca7a72239e04f99fb4d74e0a35f6a20a8a095baabb0217d99dd7b3e3694df6af78c48beabdf606f327bc3d12e42c29fa505c56ca4a6cdd0fe7
|
data/.rubocop.yml
CHANGED
|
@@ -15,13 +15,14 @@ class Sectest < Thor
|
|
|
15
15
|
ssh_user: ['-u', 'If the sectest requires authentication, then the username for authentication'],
|
|
16
16
|
ssh_key: ['-k', 'If the sectest requires authentication, then the path to the ssh key file'],
|
|
17
17
|
port: ['-p', 'The port to use for testing'],
|
|
18
|
-
service_username: ['-e', '
|
|
19
|
-
service_password: ['-r', '
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
18
|
+
service_username: ['-e', 'Username to authenticate with the service, e.g. web application, database server, etc'],
|
|
19
|
+
service_password: ['-r', 'Password to authenticate with the service'],
|
|
20
|
+
web_service_protocol: ['-c', 'Protocol used to load the web application, http or https'],
|
|
21
|
+
web_service_url_blacklist: ['-b', 'Comma separated list of words to avoid when spidering web application links'],
|
|
22
|
+
web_service_auth_type: ['-a', 'Authentication method used by the web application'],
|
|
23
|
+
web_service_starting_page_path: ['-g', 'Path where web application scan should begin, e.g. /'],
|
|
24
|
+
web_service_login_form_username_field_name: ['-l', 'HTML form field name for the username portion of web application authentication'],
|
|
25
|
+
web_service_login_form_password_field_name: ['-m', 'HTML form field name for the password portion of web application authentication'] }
|
|
25
26
|
|
|
26
27
|
def self.source_root
|
|
27
28
|
File.join(File.dirname(File.expand_path(__FILE__)), '../templates/')
|
|
@@ -29,20 +30,24 @@ class Sectest < Thor
|
|
|
29
30
|
|
|
30
31
|
# Loads a manifest file depending on the command
|
|
31
32
|
# rubocop:disable Style/GuardClause
|
|
32
|
-
def self.load_manifest
|
|
33
|
-
|
|
33
|
+
def self.load_manifest(sectest_name)
|
|
34
|
+
@@sectest_manifest = {}
|
|
34
35
|
|
|
35
36
|
# Set defaults just in case no manifest.yml to overwrite
|
|
36
|
-
|
|
37
|
-
|
|
37
|
+
@@sectest_manifest['registry'] = 'norad-registry.cisco.com:5000'
|
|
38
|
+
@@sectest_manifest['version'] = 'latest'
|
|
38
39
|
|
|
39
40
|
# Dynamically add options and description based on the needs of the sectest container
|
|
40
|
-
if %w(build build:all build:image build:specs execute).include?(ARGV[1]) &&
|
|
41
|
+
if %w(build build:all build:image build:specs execute).include?(ARGV[1]) && sectest_name && !sectest_name.start_with?('-', '--')
|
|
41
42
|
# Read in the program arguments
|
|
42
|
-
if File.exist?("sectests/#{
|
|
43
|
-
|
|
43
|
+
if File.exist?("sectests/#{sectest_name}/manifest.yml")
|
|
44
|
+
@@sectest_manifest = YAML.safe_load(File.read("sectests/#{sectest_name}/manifest.yml"))
|
|
45
|
+
|
|
46
|
+
# Precautionary, remove all leading and trailing whitespace
|
|
47
|
+
@@sectest_manifest['registry'].strip!
|
|
48
|
+
@@sectest_manifest['version'].strip!
|
|
44
49
|
else
|
|
45
|
-
puts Rainbow("Error: #{
|
|
50
|
+
puts Rainbow("Error: #{sectest_name} sectest does not exist or it is missing sectests/#{sectest_name}/manifest.yml").red
|
|
46
51
|
puts Rainbow('Exiting...').red
|
|
47
52
|
exit(1)
|
|
48
53
|
end
|
|
@@ -59,12 +64,12 @@ class Sectest < Thor
|
|
|
59
64
|
|
|
60
65
|
# Load the manifest file if necessary
|
|
61
66
|
# Correct set default registry and version
|
|
62
|
-
load_manifest
|
|
67
|
+
load_manifest(ARGV[2])
|
|
63
68
|
|
|
64
69
|
desc 'scaffold TESTNAME', 'Create a new security test with standard files + testing'
|
|
65
70
|
option :test_type, aliases: '-t', default: 'whole_host', desc: 'The security test type, Options: [authenticated|web_application|brute_force|ssl_crypto|ssh_crypto|whole_host]'
|
|
66
|
-
option :registry, aliases: '-r', default:
|
|
67
|
-
option :version, aliases: '-v', default:
|
|
71
|
+
option :registry, aliases: '-r', default: @@sectest_manifest['registry'], desc: 'The Docker registry to store docker images'
|
|
72
|
+
option :version, aliases: '-v', default: @@sectest_manifest['version'], desc: 'The version of the security test'
|
|
68
73
|
option :base_image, aliases: '-b', default: 'norad-registry.cisco.com:5000/norad:0.0.1', desc: 'Base Docker image to use (i.e. FROM field in the Dockerfile)'
|
|
69
74
|
option :configurable, type: :boolean, aliases: '-c', desc: 'Is the security test configurable (e.g. Qualys username and password)'
|
|
70
75
|
def scaffold(sectest_name)
|
|
@@ -105,26 +110,29 @@ class Sectest < Thor
|
|
|
105
110
|
|
|
106
111
|
desc 'build', 'Build all sectest images and specs for the entire repository'
|
|
107
112
|
option :debug, aliases: '-d', type: :boolean, default: true, desc: 'Turn on debugging messages (e.g. Docker build logs to stdout)'
|
|
108
|
-
option :registry, aliases: '-r', default: @sectest_manifest['registry'], desc: 'The Docker registry for Docker images'
|
|
109
|
-
option :version, aliases: '-v', default: @sectest_manifest['version'], desc: 'The version of the sectest container to build'
|
|
110
113
|
def build
|
|
111
114
|
# Error check to ensure this is a plugin directory
|
|
112
115
|
Dir.glob('sectests/*').select do |f|
|
|
113
|
-
if
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
116
|
+
# Skip if the entry is not a directory
|
|
117
|
+
next if !File.directory? f
|
|
118
|
+
|
|
119
|
+
# Grab the name of the sectest
|
|
120
|
+
sectest_name = f.split('/')[-1]
|
|
121
|
+
|
|
122
|
+
# Load the manifest for the sectest
|
|
123
|
+
Sectest.load_manifest(sectest_name)
|
|
124
|
+
|
|
125
|
+
# Build all for the sectest
|
|
126
|
+
send('build:all', sectest_name)
|
|
117
127
|
end
|
|
118
128
|
end
|
|
119
129
|
|
|
120
130
|
# Define arguments and options
|
|
121
131
|
desc 'build:image SECTESTNAME', 'Build the docker image for the security test SECTESTNAME'
|
|
122
132
|
option :debug, aliases: '-d', type: :boolean, default: true, desc: 'Turn on debugging messages (e.g. Docker build logs to stdout)'
|
|
123
|
-
option :registry, aliases: '-r', default: @sectest_manifest['registry'], desc: 'The Docker registry for Docker images'
|
|
124
|
-
option :version, aliases: '-v', default: @sectest_manifest['version'], desc: 'The version of the sectest container to build'
|
|
125
133
|
define_method 'build:image' do |name|
|
|
126
134
|
imgs_to_build = {}
|
|
127
|
-
imgs_to_build["sectests/#{name}"] = "#{
|
|
135
|
+
imgs_to_build["sectests/#{name}"] = "#{@@sectest_manifest['registry']}/#{name}:#{@@sectest_manifest['version']}"
|
|
128
136
|
|
|
129
137
|
# Check for the Dockerfile
|
|
130
138
|
if !dockerfile?(imgs_to_build.keys[0])
|
|
@@ -152,8 +160,6 @@ class Sectest < Thor
|
|
|
152
160
|
# Define arguments and options
|
|
153
161
|
desc 'build:specs SECTESTNAME', 'Build the spec images (test images) for the security test SECTESTNAME'
|
|
154
162
|
option :debug, aliases: '-d', type: :boolean, default: true, desc: 'Turn on debugging messages (e.g. Docker build logs to stdout)'
|
|
155
|
-
option :registry, aliases: '-r', default: @sectest_manifest['registry'], desc: 'The Docker registry for Docker images'
|
|
156
|
-
option :version, aliases: '-v', default: @sectest_manifest['version'], desc: 'The version of the sectest container to build'
|
|
157
163
|
define_method 'build:specs' do |name|
|
|
158
164
|
imgs_to_build = {}
|
|
159
165
|
imgs_to_build["#{File.expand_path(File.dirname(__FILE__))}/../templates/spec/support/Dockerfile.testserver"] = 'docker-images-test-results-server:latest'
|
|
@@ -182,8 +188,6 @@ class Sectest < Thor
|
|
|
182
188
|
# Define arguments and options
|
|
183
189
|
desc 'build:all SECTESTNAME', 'Build sectest images for SECTESTNAME and all testing images for SECTESTNAME'
|
|
184
190
|
option :debug, aliases: '-d', type: :boolean, default: true, desc: 'Turn on debugging messages (e.g. Docker build logs to stdout)'
|
|
185
|
-
option :registry, aliases: '-r', default: @sectest_manifest['registry'], desc: 'The Docker registry for Docker images'
|
|
186
|
-
option :version, aliases: '-v', default: @sectest_manifest['version'], desc: 'The version of the sectest container to build'
|
|
187
191
|
define_method 'build:all' do |name|
|
|
188
192
|
# Build the sectest image
|
|
189
193
|
send('build:image', name)
|
|
@@ -197,7 +201,7 @@ class Sectest < Thor
|
|
|
197
201
|
desc "execute #{ARGV[2]}", "Execute #{ARGV[2]} against an arbitrary target"
|
|
198
202
|
|
|
199
203
|
# Dynamically create options
|
|
200
|
-
|
|
204
|
+
@@sectest_manifest['prog_args'].scan(/{(.*?)}/).each do |ar|
|
|
201
205
|
if @reserved_sectest_args.key?(ar[0].to_sym)
|
|
202
206
|
option ar[0].to_sym, aliases: @reserved_sectest_args[ar[0].to_sym][0], desc: @reserved_sectest_args[ar[0].to_sym][1]
|
|
203
207
|
else
|
|
@@ -209,8 +213,6 @@ class Sectest < Thor
|
|
|
209
213
|
end
|
|
210
214
|
option :debug, aliases: '-d', type: :boolean, default: false, desc: 'Turn on debugging messages (e.g. Docker build logs to stdout)'
|
|
211
215
|
option :format, aliases: '-f', type: :boolean, default: false, desc: 'Print the JSON results formatted'
|
|
212
|
-
option :registry, aliases: '-r', default: @sectest_manifest['registry'], desc: 'The Docker registry for Docker images'
|
|
213
|
-
option :version, aliases: '-v', default: @sectest_manifest['version'], desc: 'The version of the sectest container to build'
|
|
214
216
|
def execute(sectest_name)
|
|
215
217
|
# Ensure the results server is built by building the images specs (code reuse)
|
|
216
218
|
send('build:specs', sectest_name)
|
|
@@ -219,7 +221,8 @@ class Sectest < Thor
|
|
|
219
221
|
send('build:image', sectest_name)
|
|
220
222
|
|
|
221
223
|
# Allocate an instance of the sectest
|
|
222
|
-
sectest_instance = NoradCli::SecTestContainer.new(ARGV[2],
|
|
224
|
+
sectest_instance = NoradCli::SecTestContainer.new(ARGV[2], @@sectest_manifest['registry'],
|
|
225
|
+
@@sectest_manifest['version'], options)
|
|
223
226
|
|
|
224
227
|
# Start the test
|
|
225
228
|
sectest_instance.start
|
|
@@ -11,11 +11,11 @@ module NoradCli
|
|
|
11
11
|
attr_accessor :sectest_image
|
|
12
12
|
attr_accessor :results_server
|
|
13
13
|
|
|
14
|
-
def initialize(sectest_name, options)
|
|
14
|
+
def initialize(sectest_name, registry, version, options)
|
|
15
15
|
# Generate a random assessment id
|
|
16
16
|
@assessment_id = SecureRandom.hex(32)
|
|
17
17
|
|
|
18
|
-
@sectest_image = "#{
|
|
18
|
+
@sectest_image = "#{registry}/#{sectest_name}:#{version}"
|
|
19
19
|
|
|
20
20
|
# Create a results server
|
|
21
21
|
@results_server = NoradCli::ResultsServer.new('docker-images-test-results-server')
|
|
@@ -39,7 +39,7 @@ module NoradCli
|
|
|
39
39
|
# Grab the program arguments (minus other function options)
|
|
40
40
|
# Options is a Thor::CoreExt::HashWithIndifferentAccess (except does not work)
|
|
41
41
|
prog_arg_hash = options.each_with_object({}) do |(k, v), hsh|
|
|
42
|
-
hsh[k.to_sym] = v unless k == 'debug'
|
|
42
|
+
hsh[k.to_sym] = v unless k == 'debug'
|
|
43
43
|
end
|
|
44
44
|
|
|
45
45
|
# Load the prog_arg format
|
data/lib/norad_cli/version.rb
CHANGED