def main():
# Parse arguments
parser = Scout2ArgumentParser()
args = parser.parse_args()
# Configure the debug level
configPrintException(args.debug)
# Check version of opinel
if not check_requirements(os.path.realpath(__file__)):
return 42
# Set the profile name
profile_name = args.profile[0]
# Search for AWS credentials
if not args.fetch_local:
credentials = read_creds(args.profile[0], args.csv_credentials,
args.mfa_serial, args.mfa_code)
if credentials['AccessKeyId'] is None:
return 42
# Create a new Scout2 config
report = Scout2Report(profile_name, args.report_dir, args.timestamp)
aws_config = Scout2Config(profile_name, args.report_dir, args.timestamp,
args.services, args.skipped_services,
args.thread_config)
if not args.fetch_local:
# Fetch data from AWS APIs if not running a local analysis
try:
aws_config.fetch(credentials,
regions=args.regions,
partition_name=get_partition_name(credentials))
except KeyboardInterrupt:
printInfo('\nCancelled by user')
return 130
aws_config = report.jsrw.to_dict(aws_config)
# Set the account ID
aws_config['aws_account_id'] = get_aws_account_id(credentials)
# Update means we reload the whole config and overwrite part of it
if args.update == True:
new_aws_config = copy.deepcopy(aws_config)
aws_config = report.jsrw.load_from_file(AWSCONFIG)
for service in new_aws_config['service_list']:
# Per service only for now, may add per region & per VPC later...
aws_config['services'][service] = new_aws_config['services'][
service]
# Update the metadata too
aws_config['metadata'] = Scout2Config('default', None, None, [],
[]).metadata
else:
# Reload to flatten everything into a python dictionary
aws_config = report.jsrw.load_from_file(AWSCONFIG)
# Pre processing
preprocessing(aws_config, args.ip_ranges, args.ip_ranges_name_key)
# Analyze config
finding_rules = Ruleset(profile_name,
filename=args.ruleset,
ip_ranges=args.ip_ranges,
aws_account_id=aws_config['aws_account_id'])
pe = ProcessingEngine(finding_rules)
pe.run(aws_config)
# Create display filters
filter_rules = Ruleset(filename='filters.json',
rule_type='filters',
aws_account_id=aws_config['aws_account_id'])
pe = ProcessingEngine(filter_rules)
pe.run(aws_config)
# Handle exceptions
try:
exceptions = RuleExceptions(profile_name, args.exceptions[0])
exceptions.process(aws_config)
exceptions = exceptions.exceptions
except Exception as e:
printDebug(
'Warning, failed to load exceptions. The file may not exist or may have an invalid format.'
)
exceptions = {}
# Finalize
postprocessing(aws_config, report.current_time, finding_rules)
# Get organization data if it exists
try:
profile = AWSProfiles.get(profile_name)[0]
if 'source_profile' in profile.attributes:
organization_info_file = os.path.join(
os.path.expanduser('~/.aws/recipes/%s/organization.json' %
profile.attributes['source_profile']))
if os.path.isfile(organization_info_file):
with open(organization_info_file, 'rt') as f:
org = {}
accounts = json.load(f)
for account in accounts:
account_id = account.pop('Id')
org[account_id] = account
aws_config['organization'] = org
except:
pass
if args.json:
printInfo('Writing to results.json')
fp = open('results.json', 'w')
json.dump(aws_config, fp, default=json_helper)
fp.close()
sys.exit()
# Save config and create HTML report
html_report_path = report.save(aws_config, exceptions, args.force_write,
args.debug)
# Open the report by default
if not args.no_browser:
printInfo('Opening the HTML report...')
url = 'file://%s' % os.path.abspath(html_report_path)
webbrowser.open(url, new=2)
def main():
# Parse arguments
parser = Scout2ArgumentParser()
args = parser.parse_args()
# Configure the debug level
configPrintException(args.debug)
# Check version of opinel
if not check_requirements(os.path.realpath(__file__)):
return 42
# Set the profile name
profile_name = args.profile[0]
# Search for AWS credentials
if not args.fetch_local:
credentials = read_creds(args.profile[0], args.csv_credentials, args.mfa_serial, args.mfa_code)
if credentials['AccessKeyId'] is None:
return 42
# Create a new Scout2 config
report = Scout2Report(profile_name, args.report_dir, args.timestamp)
aws_config = Scout2Config(profile_name, args.report_dir, args.timestamp, args.services, args.skipped_services)
if not args.fetch_local:
# Fetch data from AWS APIs if not running a local analysis
try:
aws_config.fetch(credentials, regions=args.regions, partition_name=args.partition_name)
except KeyboardInterrupt:
printInfo('\nCancelled by user')
return 130
aws_config = report.jsrw.to_dict(aws_config)
# Update means we reload the whole config and overwrite part of it
if args.update == True:
new_aws_config = copy.deepcopy(aws_config)
aws_config = report.jsrw.load_from_file(AWSCONFIG)
for service in new_aws_config['service_list']:
# Per service only for now, may add per region & per VPC later...
aws_config['services'][service] = new_aws_config['services'][service]
else:
# Reload to flatten everything into a python dictionary
aws_config = report.jsrw.load_from_file(AWSCONFIG)
# Pre processing
preprocessing(aws_config, args.ip_ranges, args.ip_ranges_name_key)
# Analyze config
ruleset = Ruleset(profile_name, filename = args.ruleset, ip_ranges = args.ip_ranges)
ruleset.analyze(aws_config)
# Create display filters
filters = Ruleset(filename = 'filters.json', rule_type = 'filters')
filters.analyze(aws_config)
# Handle exceptions
process_exceptions(aws_config, args.exceptions[0])
# Finalize
postprocessing(aws_config, report.current_time, ruleset)
# Save config and create HTML report
html_report_path = report.save(aws_config, {}, args.force_write, args.debug)
# Open the report by default
if not args.no_browser:
printInfo('Opening the HTML report...')
url = 'file://%s' % os.path.abspath(html_report_path)
webbrowser.open(url, new=2)
def main():
# Parse arguments
parser = ListallArgumentParser()
args = parser.parse_args()
# Configure the debug level
configPrintException(args.debug)
# Check version of opinel
if not check_requirements(os.path.realpath(__file__)):
return 42
# Support multiple environments
for profile_name in args.profile:
# Load the config
try:
report = Scout2Report(profile_name, args.report_dir,
args.timestamp)
aws_config = report.jsrw.load_from_file(AWSCONFIG)
services = aws_config['service_list']
except Exception as e:
printException(e)
printError(
'Error, failed to load the configuration for profile %s' %
profile_name)
continue
# Create a ruleset with only whatever rules were specified...
if args.config:
rule_filename = args.config
ruleset = TmpRuleset(rule_dirs=[os.getcwd()],
rule_filename=args.config,
rule_args=args.config_args)
elif len(args.path) > 0:
# Create a local tmp rule
rule_dict = {'description': 'artifact'}
rule_dict['path'] = args.path[0]
rule_dict['conditions'] = []
rule_filename = 'listall-artifact.json'
with open(os.path.join(os.getcwd(), rule_filename), 'wt') as f:
f.write(json.dumps(rule_dict))
ruleset = TmpRuleset(rule_dirs=[os.getcwd()],
rule_filename=rule_filename,
rule_args=[])
else:
printError(
'Error, you must provide either a rule configuration file or the path to the resources targeted.'
)
continue
# Process the rule
pe = ProcessingEngine(ruleset)
pe.run(aws_config, skip_dashboard=True)
# Retrieve items
rule = ruleset.rules[rule_filename][0]
rule_service = rule.service.lower()
rule_key = rule.key
rule_type = rule.rule_type
resources = aws_config['services'][rule_service][rule_type][rule_key][
'items']
# Set the keys to output
if len(args.keys):
# 1. Explicitly provided on the CLI
rule.keys = args.keys
elif len(args.keys_file):
# 2. Explicitly provided files that contain the list of keys
rule.keys = []
for filename in args.keys_file:
with open(filename, 'rt') as f:
rule.keys += json.load(f)['keys']
else:
try:
# 3. Load default set of keys based on path
target_path = rule.display_path if hasattr(
rule, 'display_path') else rule.path
listall_configs_dir = os.path.join(
os.path.dirname(os.path.realpath(__file__)),
'output/data/listall-configs')
target_file = os.path.join(listall_configs_dir,
'%s.json' % target_path)
if os.path.isfile(target_file):
with open(target_file, 'rt') as f:
rule.keys = json.load(f)['keys']
except:
# 4. Print the object name
rule.keys = ['name']
# Prepare the output format
(lines, template) = format_listall_output(args.format_file[0], None,
args.format, rule)
# Print the output
printInfo(
generate_listall_output(lines, resources, aws_config, template,
[]))
def main():
# Parse arguments
parser = ListallArgumentParser()
args = parser.parse_args()
# Configure the debug level
configPrintException(args.debug)
# Check version of opinel
if not check_requirements(os.path.realpath(__file__)):
return 42
# Support multiple environments
for profile_name in args.profile:
# Load the config
report = Scout2Report(profile_name, args.report_dir, args.timestamp)
aws_config = report.jsrw.load_from_file(AWSCONFIG)
services = aws_config['service_list']
# Create a ruleset with only whatever rules were specified...
if args.config:
ruleset = Ruleset(filename='sample', load_rules=False)
ruleset.ruleset['rules'][0]['filename'] = args.config
ruleset.init_rules(services, args.ip_ranges, '',
False) # aws_config['aws_account_id, False)
# Need to set the arguments values args.config_args
else:
# TODO:
#args = args
#config = {}
#config['conditions'] = args.conditions if hasattr(args, 'conditions') else []
#config['mapping'] = args.mapping if hasattr(args, 'mapping') else []
pass
# Get single rule... TODO: clean
tmp = ruleset.rules.pop(ruleset.rules.keys()[0])
rule = tmp.pop(tmp.keys()[0])
# Set the keys to output
if len(args.keys):
# 1. Explicitly provided on the CLI
rule['keys'] = args.keys
elif len(args.keys_file):
# 2. Explicitly provided files that contain the list of keys
rule['keys'] = []
for filename in args.keys_file:
with open(filename, 'rt') as f:
rule['keys'] += json.load(f)['keys']
else:
try:
# 3. Load default set of keys based on path
target_path = config[
'display_path'] if 'display_path' in config else config[
'path']
with open('listall-configs/%s.json' % target_path) as f:
rule['keys'] = json.load(f)['keys']
except:
# 4. Print the object name
rule['keys'] = ['name']
# Recursion
if len(args.path):
rule['path'] = args.path[0]
target_path = rule['path'].split('.')
current_path = []
resources = recurse(aws_config['services'], aws_config['services'],
target_path, current_path, rule)
# Prepare the output format
(lines, template) = format_listall_output(args.format_file, 'foo',
args.format, rule)
# Print the output
printInfo(
generate_listall_output(lines, resources, aws_config, template,
[]))