53 changes: 48 additions & 5 deletions main.py
@@ -1,10 +1,40 @@
import argparse
from art import text2art

import random
import boto3
import os
import glob
from src.logger import setup_logger
from src.snapper import Snapper
from src.scanner import Scanner


def getting_all_pem_file_names():
"""
:return: .pem file names from the red-detector directory.
"""
file_path = os.path.realpath(__file__) # getting the script's path
file_path = file_path.split("red-detector")
files_path = file_path[0] + "red-detector" # (the pem files arent in the same directory as the script.)

lst = (glob.glob(files_path+"/*.pem"))
index = 0
for i in lst:
lst[index] = lst[index].replace(files_path+"/", "").replace(".pem","")
index += 1
return lst


def used_key_pairs():
keypairs = [] # list of used keyPair names
ec2 = boto3.client('ec2')
response = ec2.describe_key_pairs()

for i in response["KeyPairs"]:
keypairs.append(i["KeyName"])
return keypairs


if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument('--region', action='store', dest='region', type=str,
Expand All @@ -31,17 +61,30 @@
snapper.create_client()

if cmd_args.instance_id:
source_volume_id = snapper.get_instance_root_vol(instance_id=cmd_args.instance_id)
try:
source_volume_id = snapper.get_instance_root_vol(instance_id=cmd_args.instance_id)
except Exception as e:
print(e, " : (probably problem with the given instance id)")
exit(99)
else:
source_volume_id = snapper.select_ec2_instance()

volume_id, selected_az, snapshot_id = snapper.snapshot2volume(volume_id=source_volume_id)

scanner = Scanner(logger=logger, region=snapper.region)
if cmd_args.keypair:
scanner.keypair_name = cmd_args.keypair
scanner = Scanner(logger=logger, region=snapper.region, key_pair_name=cmd_args.keypair)
else:
scanner.keypair_name = scanner.create_keypair(key_name='red_detector_key')
used_key_pairs_list_from_aws = used_key_pairs()
used_key_pairs_list_locally = getting_all_pem_file_names()
num = 0
key_name = "red_detector_key{number}".format(number=str(num))
while key_name in used_key_pairs_list_from_aws or key_name in used_key_pairs_list_locally:
num += 1
key_name = "red_detector_key{number}".format(number=str(num))

scanner = Scanner(logger=logger, region=snapper.region, key_pair_name=key_name)
scanner.keypair_name = scanner.create_keypair(key_name=key_name)

ec2_instance_id, ec2_instance_public_ip, report_service_port = scanner.create_ec2(selected_az=selected_az)
scanner.attach_volume_to_ec2(ec2_instance_id=ec2_instance_id, volume_id=volume_id)
scanner.scan_and_report(ec2_instance_public_ip=ec2_instance_public_ip,
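Review bot: The collision check in the new key-name loop can query the wrong region, because `used_key_pairs()` builds `boto3.client('ec2')` with no `region_name` while the key is created through a `Scanner` bound to `snapper.region`; a name that is free in the default region but taken in the target region would then fail at `create_key_pair`. Thread the region through: `def used_key_pairs(region):`, `ec2 = boto3.client('ec2', region_name=region)`, and call it as `used_key_pairs(snapper.region)`. In `getting_all_pem_file_names` the `.replace(".pem", "")` strips that substring anywhere in the name, so `[os.path.splitext(os.path.basename(p))[0] for p in glob.glob(os.path.join(files_path, "*.pem"))]` is both safer and replaces the manual index loop. The new `import random` does not appear to be used in the visible hunks, and the added `except Exception` around `get_instance_root_vol` should at least log through `logger` rather than `print` so the failure reaches the same log as the rest of the run.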
125 changes: 73 additions & 52 deletions src/remote_scripts.py
@@ -1,4 +1,5 @@
script_a = '''#!/bin/bash -ex

exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1

apt-get update
Expand All @@ -7,82 +8,69 @@
mkdir -p /home/ubuntu/vuls
cd /home/ubuntu/
wget https://downloads.cisofy.com/lynis/lynis-3.0.3.tar.gz
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

apt-get install chkrootkit -y

mkdir -p chkrootkit && cd chkrootkit
tar xvf /home/ubuntu/chkrootkit.tar.gz --strip-components 1
make sense

cd /home/ubuntu/vuls
docker pull vuls/go-cve-dictionary
docker pull vuls/goval-dictionary
docker pull vuls/gost
docker pull vuls/go-exploitdb
docker pull vuls/gost
docker pull vuls/vuls
sudo docker pull vuls/go-cve-dictionary
sudo docker pull vuls/goval-dictionary
sudo docker pull vuls/gost
sudo docker pull vuls/go-exploitdb
sudo docker pull vuls/gost
sudo docker pull vuls/vuls

PWD=/home/ubuntu/vuls/
for i in `seq 2002 $(date +"%Y")`; do \
docker run --rm -i\
cd /home/ubuntu/vuls

sudo docker run --rm -i \
-v $PWD:/vuls \
-v $PWD/go-cve-dictionary-log:/var/log/vuls \
vuls/go-cve-dictionary fetchnvd -years $i; \
done
vuls/go-cve-dictionary fetch nvd

docker run --rm -i \
sudo docker run --rm -i \
-v $PWD:/vuls \
-v $PWD/goval-dictionary-log:/var/log/vuls \
vuls/goval-dictionary fetch-redhat 5 6 7 8
vuls/goval-dictionary fetch redhat 5 6 7 8

docker run --rm -i \
sudo docker run --rm -i \
-v $PWD:/vuls \
-v $PWD/goval-dictionary-log:/var/log/vuls \
vuls/goval-dictionary fetch-debian 7 8 9 10
vuls/goval-dictionary fetch debian 7 8 9 10

docker run --rm -i \
-v $PWD:/vuls \
-v $PWD/goval-dictionary-log:/var/log/vuls \
vuls/goval-dictionary fetch-alpine 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11

docker run --rm -i \
-v $PWD:/vuls \
-v $PWD/goval-dictionary-log:/var/log/vuls \
vuls/goval-dictionary fetch-ubuntu 14 16 18 19 20

docker run --rm -i \
sudo docker run --rm -i \
-v $PWD:/vuls \
-v $PWD/goval-dictionary-log:/var/log/vuls \
vuls/goval-dictionary fetch-suse -opensuse 13.2
vuls/goval-dictionary fetch alpine 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11

docker run --rm -i \
sudo docker run --rm -i \
-v $PWD:/vuls \
-v $PWD/goval-dictionary-log:/var/log/vuls \
vuls/goval-dictionary fetch-suse -suse-enterprise-server 12
vuls/goval-dictionary fetch ubuntu 14 16 18 19 20

docker run --rm -i \
sudo docker run --rm -i \
-v $PWD:/vuls \
-v $PWD/goval-dictionary-log:/var/log/vuls \
vuls/goval-dictionary fetch-oracle
vuls/goval-dictionary fetch oracle

docker run --rm -i \
sudo docker run --rm -i \
-v $PWD:/vuls \
-v $PWD/goval-dictionary-log:/var/log/vuls \
vuls/goval-dictionary fetch-amazon

docker run --rm -i \
-v $PWD:/vuls \
-v $PWD/gost-log:/var/log/gost \
vuls/gost fetch redhat
vuls/goval-dictionary fetch amazon

docker run --rm -i \
sudo docker run --rm -i \
-v $PWD:/vuls \
-v $PWD/go-exploitdb-log:/var/log/go-exploitdb \
vuls/go-exploitdb fetch exploitdb

docker run --rm -i \
sudo docker run --rm -i \
-v $PWD:/vuls \
-v $PWD/go-msfdb-log:/var/log/go-msfdb \
vuls/go-msfdb fetch msfdb



touch config_scan.toml

cat > config_scan.toml <<EOF
[servers]
[servers.host]
Expand Down Expand Up @@ -115,7 +103,6 @@
type = "sqlite3"
SQLite3Path = "/vuls/go-msfdb.sqlite3"
EOF

touch /tmp/userData.finished
'''

Expand All @@ -132,7 +119,7 @@
ssh-keygen -q -f ~/.ssh/id_rsa_vuls -N ""
sudo cat ~/.ssh/id_rsa_vuls.pub > /tmp/tmp_authorized_keys
sudo mv /tmp/tmp_authorized_keys /vol/root/.ssh/tmp_authorized_keys
sudo chown root:root /vol/root/.ssh/tmp_authorized_keys
sudo chown root:root /vol/root/.ssh/tmp_authorized_keys
sudo chmod 600 /vol/root/.ssh/tmp_authorized_keys

sudo mount -t proc none /vol/proc
Expand All @@ -141,7 +128,6 @@
sudo mount -o bind /run /vol/run

sudo chroot /vol /bin/mount devpts /dev/pts -t devpts

# Reporting
mkdir -p /home/ubuntu/nginx/html
cat > /home/ubuntu/nginx/default.conf <<EOF
Expand All @@ -153,13 +139,13 @@
#charset koi8-r;
#access_log /var/log/nginx/host.access.log main;
location /vuls/ {{
proxy_pass http://172.17.0.1:8000/;
proxy_pass http://172.18.0.1:8000/;
}}
location / {{
root /usr/share/nginx/html;
index index.html index.htm;
}}

#error_page 404 /404.html;

# redirect server error pages to the static page /50x.html
Expand Down Expand Up @@ -248,31 +234,49 @@
</body>
</html>
EOF


sudo docker run --name docker-nginx -p {port}:80 -d -v /home/ubuntu/nginx/html:/usr/share/nginx/html -v /home/ubuntu/nginx/default.conf:/etc/nginx/conf.d/default.conf nginx


# Lynis audit


sudo cp /home/ubuntu/lynis-3.0.3.tar.gz /vol/root/


sudo su -c "chroot /vol tar xvf /root/lynis-3.0.3.tar.gz -C /root/"


sudo su -c "chroot /vol printf 'cd /root/lynis/\n./lynis audit system\n' > /vol/root/lynis/run.sh && chmod +x /vol/root/lynis/run.sh"
sudo su -c "chroot /vol /root/lynis/run.sh" | ansi2html -l > /home/ubuntu/nginx/html/lynis_report.html


sudo su -c "chroot /vol lynis audit system" | ansi2html > /home/ubuntu/nginx/html/lynis_report.html


# Chkrootkit scan
cd /home/ubuntu/chkrootkit
# sudo ./chkrootkit -r /vol | sed -n '/INFECTED/,/Searching/p' | head -n -1 | ansi2html -l > /home/ubuntu/nginx/html/chkrootkit_report.html
sudo ./chkrootkit -r /vol | ansi2html -l > /home/ubuntu/nginx/html/chkrootkit_report.html

# Vuls scan

sudo su -c "chroot /vol /usr/sbin/sshd -p 2222 -o 'AuthorizedKeysFile=/root/.ssh/tmp_authorized_keys' -o 'AuthorizedKeysCommand=none' -o 'AuthorizedKeysCommandUser=none' -o 'GSSAPIAuthentication=no' -o 'UseDNS=no'"

echo "Creating ssh config"

sudo cat > ~/.ssh/config <<EOF
Host *
StrictHostKeyChecking no
EOF


PWD=/home/ubuntu/vuls/
cd /home/ubuntu/vuls


sudo apt-get install debian-goodies -y


echo "Scanning..."
sudo docker run --rm -i \
-v /home/ubuntu/.ssh:/root/.ssh:ro \
Expand All @@ -284,7 +288,22 @@
-config=./config_scan.toml


echo "Creating report..."
sudo docker run --rm -i \
-v $PWD:/goval-dictionary \
-v $PWD/goval-dictionary-log:/var/log/goval-dictionary \
vuls/goval-dictionary fetch ubuntu 19 20


sudo docker run --rm -i \
-v $PWD:/goval-dictionary \
-v $PWD/goval-dictionary-log:/var/log/goval-dictionary \
vuls/goval-dictionary fetch amazon 2

sudo docker run --rm -i \
-v $PWD:/goval-dictionary \
-v $PWD/goval-dictionary-log:/var/log/goval-dictionary \
vuls/goval-dictionary fetch amazon

sudo docker run --rm -i \
-v /home/ubuntu/.ssh:/root/.ssh:ro \
-v /home/ubuntu/vuls:/vuls \
Expand All @@ -294,9 +313,11 @@
-format-list \
-config=./config_db.toml


touch /tmp/script.finished
sudo pkill -9 -f "/usr/sbin/sshd -p 2222" & sudo umount /vol/proc & sudo umount /vol/sys & sudo umount /vol/run & sudo umount /vol/dev/pts & sudo umount /vol/dev & sudo umount {mount_point}
fi

'''

script_c = '''
Expand Down
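Review bot: The new Lynis run (the `run.sh` lines after `# Lynis audit`) executes, as root inside the mounted snapshot's chroot, a tarball that is only fetched with `wget https://downloads.cisofy.com/lynis/lynis-3.0.3.tar.gz` and never integrity-checked; since the version is pinned, the script can verify it before the copy into `/vol/root/`: `echo "<LYNIS_3_0_3_SHA256_PLACEHOLDER>  lynis-3.0.3.tar.gz" | sha256sum -c - || exit 1`. The added `~/.ssh/config` sets `StrictHostKeyChecking no` for `Host *`, which is wider than needed for reaching the chroot sshd on port 2222; scoping it to the host named in `config_scan.toml` (not visible here) keeps the scanner's other SSH use unaffected. The three new `goval-dictionary fetch` invocations in the report phase mount `$PWD` at `/goval-dictionary`, whereas the fetches in the user-data script mount it at `/vuls`; if the image's working directory changed between versions this is intentional, but `config_db.toml`'s `SQLite3Path` should be checked against whichever path actually receives the database. The teardown line that chains `pkill`, `umount` calls and `umount {mount_point}` with `&` runs them concurrently, so `umount {mount_point}` can race the nested unmounts; I could not tell from the hunk whether that line is new.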
17 changes: 10 additions & 7 deletions src/scanner.py
Expand Up @@ -3,6 +3,7 @@
import time

import boto3
import subprocess
import paramiko
import requests
from botocore.exceptions import ClientError, WaiterError
Expand All @@ -12,14 +13,15 @@


class Scanner:
def __init__(self, logger, region):
def __init__(self, logger, region, key_pair_name):
self.logger = logger
self.region = region
self.key_pair_name = key_pair_name
self.client = boto3.client('ec2', region_name=region)
self.ec2 = boto3.resource('ec2', region_name=region)
self.keypair_name = None

def create_keypair(self, key_name='red_detector_key'):
def create_keypair(self, key_name):
try:
new_keypair = self.ec2.create_key_pair(KeyName=key_name)
except ClientError as err:
Expand All @@ -30,9 +32,10 @@ def create_keypair(self, key_name='red_detector_key'):
return key_name
self.logger.error(f"create key pair: {err}")
exit(99)
self.logger.info(f'creating key pair: "red_detector_key"')
with open('red_detector_key.pem', 'w') as f:
self.logger.info('creating key pair: {red_detector_key}'.format(red_detector_key=self.key_pair_name))
with open(self.key_pair_name+'.pem', 'w') as f: # NEED TO OPEN A LOCAL FILE FOR "OLD" KEY PAIR TOO.
f.write(new_keypair.key_material)
output = subprocess.getoutput("chmod 400 "+self.key_pair_name+'.pem')
return key_name

@staticmethod
Expand Down Expand Up @@ -137,7 +140,7 @@ def create_ec2(self, selected_az):
MinCount=1,
MaxCount=1,
InstanceType='t2.large',
KeyName=self.keypair_name,
KeyName=self.key_pair_name,
UserData=user_data,
SecurityGroupIds=[
security_group_id,
Expand Down Expand Up @@ -208,14 +211,14 @@ def attach_volume_to_ec2(self, ec2_instance_id, volume_id):
def scan_and_report(self, ec2_instance_public_ip, report_service_port, ec2_instance_id, snapshot_id):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
privet_key = paramiko.RSAKey.from_private_key_file("red_detector_key.pem")
privet_key = paramiko.RSAKey.from_private_key_file(self.key_pair_name+".pem")
connect = 0
while not connect:
try:
ssh.connect(hostname=ec2_instance_public_ip, username='ubuntu', pkey=privet_key)
connect = 1
except Exception as err:
self.logger.error(f"failed connecting to EC2 instance: {err}")
self.logger.error(f"failed connecting to EC2 instance: {err}. Trying again...")

wait_4_update = True
c = 0
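Review bot: In `create_keypair` the private key is first written with the process umask and only afterwards tightened via `subprocess.getoutput("chmod 400 " + self.key_pair_name + '.pem')`, leaving a window where the key material is readable by other local users and shelling out to do what the standard library does directly; create the file restrictively in one step (with `import os` added to the header): `fd = os.open(self.key_pair_name + '.pem', os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)`, `with os.fdopen(fd, 'w') as f:`, `f.write(new_keypair.key_material)`. The same method creates the key named by its `key_name` parameter but logs and writes the file under `self.key_pair_name`; the two are equal for the call in `main.py`, but the method should use one name consistently (e.g. `key_name` throughout) so a future caller cannot end up with a `.pem` that does not match the AWS key. The early `return key_name` in the existing-key branch still leaves no local `.pem`, which `scan_and_report` then needs for `from_private_key_file` — the new inline comment acknowledges this, but it remains a failure path with no message. `scan_and_report` continues outside the hunk.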