Class: CriticalPortsAudit::CheckingSensiblePorts

Inherits:
CriticalPortsAuditState show all
Defined in:
lib/scripts/ec2/critical_ports_audit.rb

Overview

Security groups have been retrieved; start analysing them.

Instance Attribute Summary

Attributes inherited from ScriptExecutionState

#context, #logger


Methods inherited from CriticalPortsAuditState

load_state

Methods inherited from ScriptExecutionState

#done?, #end_state, #failed?, #get_superclass_name, #initialize, #register_state_change_listener, #start_state_machine, #to_s

Methods included from StateTransitionHelper

#attach_volume, #connect, #copy_distribution, #create_fs, #create_image_from_instance, #create_labeled_fs, #create_security_group_with_rules, #create_snapshot, #create_volume, #create_volume_from_snapshot, #delete_security_group, #delete_snapshot, #delete_volume, #describe_instance, #detach_volume, #determine_file, #disable_ssh_tty, #disconnect, #ec2_handler, #ec2_handler=, #enable_ssh_tty, #get_aws_kernel_image_aki, #get_aws_region_from_endpoint, #get_partition_count, #get_partition_fs_type, #get_partition_fs_type_and_label, #get_partition_label, #get_partition_table, #get_root_device_name, #get_root_partition_fs_type, #get_root_partition_fs_type_and_label, #get_root_partition_label, #get_root_volume_id, #launch_instance, #local_decompress_and_dump_file_to_device, #local_dump_and_compress_device_to_file, #local_dump_device_to_file, #local_dump_file_to_device, #mount_fs, #mount_fs_old, #register_snapshot, #remote_copy, #remote_copy_old, #remote_handler, #remote_handler=, #retrieve_instances, #retrieve_security_groups, #set_partition_table, #shut_down_instance, #snapshot_accessible, #start_instance, #stop_instance, #unmount_fs, #upload_file, #zip_volume

Methods included from VCloudTransitionHelper

#retrieve_ip_services

Constructor Details

This class inherits a constructor from ScriptExecutionState

Instance Method Details

#enter ⇒ Object



# File 'lib/scripts/ec2/critical_ports_audit.rb', line 53

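# Audit the EC2-Classic security groups held in @context[:security_groups]
# for inbound rules that are open to the whole IPv4 internet (0.0.0.0/0).
#
# Every matching rule is appended to @context[:result][:affected_groups] as a
# hash with the keys :name, :from, :to, :concerned and :prot. When
# @context[:critical_ports] is nil or empty, every publicly opened rule is
# reported (:concerned holds the port only when the rule covers a single port);
# otherwise one record is emitted per critical port that falls inside the
# rule's port range.
#
# VPC security groups (non-empty 'vpcId') and rules that grant access to other
# security groups ('groups' present) are skipped.
#
# NOTE(review): only IPv4 ranges ('ipRanges') are inspected; IPv6 ranges, if
# the API response carries them, are not audited here.
#
# @return [Done] the next state, wrapping the same context
def enter
  @context[:result][:affected_groups] = []
  @context[:security_groups]['securityGroupInfo']['item'].each do |group_info|
    # Only EC2-Classic groups are audited here.
    vpc_id = group_info['vpcId']
    next if vpc_id && !vpc_id.empty?

    post_message("checking group '#{group_info['groupName']}'...")
    permissions = group_info['ipPermissions'] && group_info['ipPermissions']['item']
    next if permissions.nil?

    permissions.each do |permission_info|
      logger.debug("permission_info = #{permission_info.inspect}")
      # Rules granting access to other security groups are not "public".
      next unless permission_info['groups'].nil?

      # A rule may carry several CIDR ranges; it is world-open if ANY of them
      # is 0.0.0.0/0 (looking only at the first entry misses rules that list
      # a private range before the open one). Some XML-to-hash conversions
      # yield a single Hash instead of a one-element Array, so normalise that.
      ip_ranges = permission_info['ipRanges'] && permission_info['ipRanges']['item']
      ip_ranges = [ip_ranges] if ip_ranges.is_a?(Hash)
      next unless Array(ip_ranges).any? { |range| range.is_a?(Hash) && range['cidrIp'] == '0.0.0.0/0' }

      from_port = permission_info['fromPort']
      to_port = permission_info['toPort']
      # Builds one finding record; +concerned+ is the specific port (or nil).
      finding = lambda do |concerned|
        { :name => group_info['groupName'], :from => from_port, :to => to_port,
          :concerned => concerned, :prot => permission_info['ipProtocol'] }
      end

      critical_ports = @context[:critical_ports]
      if critical_ports.nil? || critical_ports.empty?
        # No critical port list given: report every publicly opened rule.
        port = nil
        if from_port.to_i == to_port.to_i
          port = from_port.to_i
          post_message("=> found unique port #{port}")
        end
        @context[:result][:affected_groups] << finding.call(port)
        post_message("=> found at least one port publicly opened")
      else
        critical_ports.each do |port|
          next unless from_port.to_i <= port && to_port.to_i >= port
          @context[:result][:affected_groups] << finding.call(port)
          post_message("=> found publically accessible port range that contains "+
              "critical port for group #{group_info['groupName']}: #{from_port}-#{to_port}")
        end
      end
    end
  end
  Done.new(@context)
end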