Class: VpcCriticalPortsAudit::CheckingSensiblePorts
- Inherits:
-
CriticalPortsAuditState
- Object
- ScriptExecutionState
- CriticalPortsAuditState
- VpcCriticalPortsAudit::CheckingSensiblePorts
- Defined in:
- lib/scripts/ec2/vpc_critical_ports_audit.rb
Overview
Security groups retrieved. Start analysing them.
Instance Attribute Summary
Attributes inherited from ScriptExecutionState
Instance Method Summary collapse
Methods inherited from CriticalPortsAuditState
Methods inherited from ScriptExecutionState
#done?, #end_state, #failed?, #get_superclass_name, #initialize, #register_state_change_listener, #start_state_machine, #to_s
Methods included from StateTransitionHelper
#attach_volume, #connect, #copy_distribution, #create_fs, #create_image_from_instance, #create_labeled_fs, #create_security_group_with_rules, #create_snapshot, #create_volume, #create_volume_from_snapshot, #delete_security_group, #delete_snapshot, #delete_volume, #describe_instance, #detach_volume, #determine_file, #disable_ssh_tty, #disconnect, #ec2_handler, #ec2_handler=, #enable_ssh_tty, #get_aws_kernel_image_aki, #get_aws_region_from_endpoint, #get_partition_count, #get_partition_fs_type, #get_partition_fs_type_and_label, #get_partition_label, #get_partition_table, #get_root_device_name, #get_root_partition_fs_type, #get_root_partition_fs_type_and_label, #get_root_partition_label, #get_root_volume_id, #launch_instance, #local_decompress_and_dump_file_to_device, #local_dump_and_compress_device_to_file, #local_dump_device_to_file, #local_dump_file_to_device, #mount_fs, #mount_fs_old, #register_snapshot, #remote_copy, #remote_copy_old, #remote_handler, #remote_handler=, #retrieve_instances, #retrieve_security_groups, #set_partition_table, #shut_down_instance, #snapshot_accessible, #start_instance, #stop_instance, #unmount_fs, #upload_file, #zip_volume
Methods included from VCloudTransitionHelper
Constructor Details
This class inherits a constructor from ScriptExecutionState
Instance Method Details
#enter ⇒ Object
54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 |
# File 'lib/scripts/ec2/vpc_critical_ports_audit.rb', line 54 def enter @context[:result][:affected_groups] = [] @context[:security_groups]['securityGroupInfo']['item'].each() do |group_info| #check only VPC SecurityGroups next if group_info['vpcId'].nil? || group_info['vpcId'].empty? ("checking VPC SecurityGroup '#{group_info['groupName']}'...") vpc = @context[:ec2_api_handler].describe_vpcs(:vpc_id => group_info['vpcId']) vpc_ref = "" vpc_item = vpc['vpcSet']['item'][0] if !vpc_item['name'].nil? && !vpc_item['name'].empty? vpc_ref = vpc_item['name'] else #XXX: shold be the same as "group_info['vpcId']" vpc_ref = vpc_item['vpcId'] end igw = @context[:ec2_api_handler].describe_internetgateways() igw_ref = "" found = false igw['internetGatewaySet']['item'].each {|igw_item| break if found == true igw_id = igw_item['internetGatewayId'] igw_item['attachmentSet']['item'].each {|vpc_item| if vpc_item['vpcId'].eql?("#{group_info['vpcId']}") igw_ref = igw_id found = true break end } } next if group_info['ipPermissions'] == nil || group_info['ipPermissions']['item'] == nil group_info['ipPermissions']['item'].each() do || logger.debug("permission_info = #{.inspect}") next unless ['groups'] == nil #ignore access rights to other groups next unless ['ipRanges']['item'][0]['cidrIp'] == "0.0.0.0/0" #now check if a critical port is within the port-range #XXX: allow to skip the 'critical port' options if nil if @context[:critical_ports] == nil || @context[:critical_ports].empty? port = nil if ['fromPort'].to_i == ['toPort'].to_i port = ['fromPort'].to_i ("=> found unique port: #{port}") end @context[:result][:affected_groups] << {:name => group_info['groupName'], :from => ['fromPort'], :to => ['toPort'], :concerned => port, :prot => ['ipProtocol'], :vpc_ref => vpc_ref, :igw_ref => igw_ref} ("=> found at least one port publicly opened") else @context[:critical_ports].each() do |port| if ['fromPort'].to_i <= port && ['toPort'].to_i >= port @context[:result][:affected_groups] << {:name => group_info['groupName'], :from => ['fromPort'], :to => ['toPort'], :concerned => port, :prot => ['ipProtocol'], :vpc_ref => vpc_ref, :igw_ref => igw_ref} ("=> found publically accessible port range that contains "+ "critical port for group #{group_info['groupName']}: #{['fromPort']}-#{['toPort']}") end end end end end Done.new(@context) end |