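class PEntryMatchTrigger(BaseTrigger, PentryBlacklistMixin):
    """Fire once per /etc/passwd entry of the image that is on the configured blacklist.

    The blacklist is the pipe-delimited ``pentryblacklist`` policy parameter
    (operator-supplied); the candidate entries are ``context.data['passwd_entries']``
    as produced by the analyzer.  Matching itself is delegated to
    ``PentryBlacklistMixin.exec_blacklist``.
    """
    __lifecycle_state__ = LifecycleStates.deprecated
    __trigger_name__ = 'pentrymatch'
    __description__ = 'triggers if specified entire passwd entry is found in the /etc/passwd file'

    pentry_blacklist = PipeDelimitedStringListParameter(
        name='pentryblacklist',
        example_str=
        'apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin|ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin',
        description=
        'List of strings to do full match on in /etc/passwd that will result in trigger firing if found'
    )

    def evaluate(self, image_obj, context):
        """Evaluate the trigger against one image.

        Args:
            image_obj: the image under evaluation (not read here; entries come from ``context``).
            context: evaluation context; ``context.data['passwd_entries']`` holds the
                parsed /etc/passwd entries of the image.

        Returns:
            None.  Every match is reported through ``self._fire``.
        """
        user_entries = context.data.get('passwd_entries')
        if not user_entries:
            return

        # Read the parameter once; strip each value so stray whitespace in the
        # policy does not defeat the full-line comparison.
        raw_blacklist = self.pentry_blacklist.value()
        blacklisted = [x.strip() for x in raw_blacklist] if raw_blacklist else []

        # NOTE(review): assumes exec_blacklist yields (blacklist value, matching
        # passwd entry) pairs — confirm against PentryBlacklistMixin.  The previous
        # loop unpacked both items into the same name, so the message printed the
        # second value twice and lost the blacklist value that matched.
        for blacklist_value, matched_entry in self.exec_blacklist(blacklisted, None,
                                                                   user_entries):
            self._fire(
                msg=
                "Blacklisted pentry '{}' found in image's /etc/passwd: pentry={}"
                .format(blacklist_value, str(matched_entry)))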
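class SecretContentMatchTrigger(BaseTrigger):
    """Fire for each secret-content regexp match the analyzer recorded for the image.

    ``context.data['secret_content_regexp']`` maps a file path to a dict whose keys
    are base64-encoded ``name=regexp`` strings (the analyzer's configured patterns).
    When the ``secretcheck_contentregexp`` parameter is set, a recorded match fires
    only if its full encoded key, its regexp body, or its regexp name is listed in
    the parameter; when the parameter is empty, every recorded match fires.
    """
    __lifecycle_state__ = LifecycleStates.deprecated
    __trigger_name__ = 'contentmatch'
    __description__ = 'Triggers if the content search analyzer has found any matches.  If the parameter is set, then will only trigger against found matches that are also in the SECRETCHECK_CONTENTREGEXP parameter list.  If the parameter is absent or blank, then the trigger will fire if the analyzer found any matches.'
    secret_contentregexp = PipeDelimitedStringListParameter(name='secretcheck_contentregexp', example_str='AWS_SECRET_KEY|PRIV_KEY', description='Names of content regexps configured in the analyzer that should trigger if found in the image')

    def evaluate(self, image_obj, context):
        """Evaluate the trigger against one image.

        Args:
            image_obj: the image under evaluation (not read here).
            context: evaluation context carrying the analyzer's
                ``secret_content_regexp`` results.

        Returns:
            None.  Matches are reported through ``self._fire``.
        """
        match_filter = self.secret_contentregexp.value(default_if_none=[])
        if match_filter:
            # Keep the filter in both encodings: the analyzer keys are base64, but an
            # operator may list either the encoded key or the plain name/regexp.
            matches = [ensure_str(base64.b64encode(ensure_bytes(x))) for x in match_filter]
            matches_decoded = match_filter
        else:
            matches = []
            matches_decoded = []

        for thefile, regexps in context.data.get('secret_content_regexp', {}).items():
            thefile = ensure_str(thefile)
            if not regexps:
                continue
            for regexp in regexps:
                # A malformed (non-base64) key raises binascii.Error here, as before.
                decoded_regexp = ensure_str(base64.b64decode(ensure_bytes(regexp)))
                # Keys are "name=regexp"; split once so an '=' inside the regexp body
                # survives.  A key without '=' is treated as a bare regexp.
                try:
                    regexp_name, theregexp = decoded_regexp.split("=", 1)
                except ValueError:
                    regexp_name = None
                    theregexp = decoded_regexp

                # No filter configured -> everything the analyzer found fires;
                # otherwise fire when the encoded key, the regexp body, or the name
                # is in the filter.  One message for all three cases.
                selected = (
                    not matches
                    or regexp in matches
                    or theregexp in matches_decoded
                    or (regexp_name and regexp_name in matches_decoded)
                )
                if selected:
                    self._fire(msg='Secret search analyzer found regexp match in container: file={} regexp={}'.format(thefile, decoded_regexp))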
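class SecretContentMatchTrigger(BaseTrigger):
    """Fire for each secret-content regexp match the analyzer recorded for the image.

    ``context.data['secret_content_regexp']`` maps a file path to a dict whose keys
    are base64-encoded ``name=regexp`` strings.  With the ``secretcheck_contentregexp``
    parameter set, a match fires only if its encoded key, regexp body, or regexp
    name is listed there; with the parameter empty, every recorded match fires.

    NOTE(review): this variant uses the ``'base64'`` text codec via
    ``str.encode``/``str.decode``, which appears to be the Python 2 form of this
    trigger — confirm the target interpreter before reusing it.
    """
    __trigger_name__ = 'contentmatch'
    __description__ = 'Triggers if the content search analyzer has found any matches.  If the parameter is set, then will only trigger against found matches that are also in the SECRETCHECK_CONTENTREGEXP parameter list.  If the parameter is absent or blank, then the trigger will fire if the analyzer found any matches.'
    secret_contentregexp = PipeDelimitedStringListParameter(name='secretcheck_contentregexp', description='Names of content regexps configured in the analyzer that should trigger if found in the image')

    def evaluate(self, image_obj, context):
        """Evaluate the trigger against one image.

        Args:
            image_obj: the image under evaluation (not read here).
            context: evaluation context carrying the analyzer's
                ``secret_content_regexp`` results.

        Returns:
            None.  Matches are reported through ``self._fire``.
        """
        match_filter = self.secret_contentregexp.value(default_if_none=[])
        if match_filter:
            # Both encodings are kept so the operator may list either the encoded
            # key or the plain name/regexp.
            matches = [x.encode('base64') for x in match_filter]
            matches_decoded = match_filter
        else:
            matches = []
            matches_decoded = []

        for thefile, regexps in context.data.get('secret_content_regexp', {}).items():
            thefile = thefile.encode('ascii', errors='replace')
            if not regexps:
                continue
            for regexp in regexps.keys():
                # Decode once.  A malformed key raises here; the old bare ``except``
                # swallowed that error only to re-raise it from its own decode call,
                # so the observable behaviour is unchanged.
                decoded_regexp = regexp.decode('base64')
                # Keys are "name=regexp"; split once so '=' inside the regexp body
                # survives.  A key without '=' is treated as a bare regexp.
                try:
                    regexp_name, theregexp = decoded_regexp.split("=", 1)
                except ValueError:
                    regexp_name = None
                    theregexp = decoded_regexp

                # Empty filter -> everything fires; else fire on encoded key,
                # regexp body, or regexp name.  Same message in all cases.
                selected = (
                    not matches
                    or regexp in matches
                    or theregexp in matches_decoded
                    or (regexp_name and regexp_name in matches_decoded)
                )
                if selected:
                    self._fire(msg='Secret search analyzer found regexp match in container: file={} regexp={}'.format(thefile, decoded_regexp))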
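class FilenameMatchTrigger(BaseTrigger):
    """Fire for every file path in the image that matches a configured regex.

    Patterns come from the ``filecheck_nameregexp`` policy parameter (operator
    supplied); the paths being tested come from the scanned image, either via
    ``context.data['filenames']`` or by walking ``image_obj.fs.files()``.
    """
    __trigger_name__ = 'filenamematch'
    __description__ = 'Triggers if a file exists in the container that matches with any of the regular expressions given as FILECHECK_NAMEREGEXP parameters.'

    regex_names = PipeDelimitedStringListParameter(name='filecheck_nameregexp', description='Pipe-delimited list of names of regexes from the FILECHECK_NAMEREGEXP parameter in the analyzer configuration')

    def evaluate(self, image_obj, context):
        """Evaluate the trigger against one image.

        Args:
            image_obj: the image under evaluation; its ``fs.files()`` map is used
                when the context carries no ``filenames``.
            context: evaluation context.

        Returns:
            None.  Each (file, regex) hit is reported through ``self._fire``.
        """
        # The parameter is used as-is; no base64 decoding happens here (the old
        # "decode the param regexes" comment was stale).
        fname_regexps = self.regex_names.value()
        if not fname_regexps:
            return  # nothing configured, nothing to do

        # Prefer the analyzer's file list; otherwise take the keys of the fs map
        # (path -> entry).
        files = context.data.get('filenames') or list(image_obj.fs.files().keys())

        for thefile in files:
            thefile = ensure_str(thefile)
            for regexp in fname_regexps:
                # re.match anchors at the start of the path only, so a pattern must
                # describe the leading part of the path it intends to hit.  Patterns
                # are operator policy, not image content; ``re`` caches compiles.
                if re.match(regexp, thefile):
                    self._fire(msg='Application of regexp matched file found in container: file={} regexp={}'.format(thefile, regexp))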
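class ContentMatchTrigger(BaseTrigger):
    """Fire for each file-content regexp match the analyzer recorded for the image.

    ``context.data['content_regexp']`` maps a file path to a dict whose keys are
    base64-encoded ``name=regexp`` strings (the analyzer's configured patterns).
    With the ``filecheck_contentregexp`` parameter set, a match fires only if its
    encoded key, regexp body, or regexp name is listed there; with the parameter
    empty, every recorded match fires.
    """
    __trigger_name__ = 'contentmatch'
    __description__ = 'Triggers if the content search analyzer has found any matches.  If the parameter is set, then will only trigger against found matches that are also in the FILECHECK_CONTENTMATCH parameter list.  If the parameter is absent or blank, then the trigger will fire if the analyzer found any matches.'

    contentregex_names = PipeDelimitedStringListParameter(name='filecheck_contentregexp', example_str='.*password.*|PRIV_KEY', description='Pipe delimited list of named regexes from the FILECHECK_CONTENTMATCH parameter list for the analyzers')

    def evaluate(self, image_obj, context):
        """Evaluate the trigger against one image.

        Args:
            image_obj: the image under evaluation (not read here).
            context: evaluation context carrying the analyzer's ``content_regexp`` results.

        Returns:
            None.  Matches are reported through ``self._fire``.
        """
        match_filter = self.contentregex_names.value()
        if match_filter:
            # Keep the filter in both encodings: the analyzer keys are base64, but an
            # operator may list either the encoded key or the plain name/regexp.
            matches = [ensure_str(base64.b64encode(ensure_bytes(x))) for x in match_filter]
            matches_decoded = match_filter
        else:
            matches = []
            matches_decoded = []

        for thefile, regexps in context.data.get('content_regexp', {}).items():
            thefile = ensure_str(thefile)
            if not regexps:
                continue
            for regexp in regexps:
                # A malformed (non-base64) key raises binascii.Error here, as before.
                decoded_regexp = ensure_str(base64.b64decode(ensure_bytes(regexp)))
                # Keys are "name=regexp"; split once so an '=' inside the regexp body
                # survives.  A key without '=' is treated as a bare regexp.
                try:
                    regexp_name, theregexp = decoded_regexp.split("=", 1)
                except ValueError:
                    regexp_name = None
                    theregexp = decoded_regexp

                # Empty filter -> everything fires; else fire on encoded key,
                # regexp body, or regexp name.  Same message in all cases.
                selected = (
                    not matches
                    or regexp in matches
                    or theregexp in matches_decoded
                    or (regexp_name and regexp_name in matches_decoded)
                )
                if selected:
                    self._fire(msg='File content analyzer found regexp match in container: file={} regexp={}'.format(thefile, decoded_regexp))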
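class PEntryMatchTrigger(BaseTrigger, PentryBlacklistMixin):
    """Fire once per /etc/passwd entry of the image that is on the configured blacklist.

    The blacklist is the pipe-delimited ``pentryblacklist`` policy parameter
    (operator-supplied); the candidate entries are ``context.data['passwd_entries']``
    as produced by the analyzer.  Matching itself is delegated to
    ``PentryBlacklistMixin.exec_blacklist``.
    """
    __trigger_name__ = 'PENTRYMATCH'
    __description__ = 'triggers if specified entire passwd entry is found in the /etc/passwd file'
    pentry_blacklist = PipeDelimitedStringListParameter(
        name='pentryblacklist',
        description=
        'List of strings to do full match on in /etc/passwd that will result in trigger firing if found'
    )

    def evaluate(self, image_obj, context):
        """Evaluate the trigger against one image.

        Args:
            image_obj: the image under evaluation (not read here; entries come from ``context``).
            context: evaluation context; ``context.data['passwd_entries']`` holds the
                parsed /etc/passwd entries of the image.

        Returns:
            None.  Every match is reported through ``self._fire``.
        """
        user_entries = context.data.get('passwd_entries')
        if not user_entries:
            return

        # Read the parameter once; strip each value so stray whitespace in the
        # policy does not defeat the full-line comparison.
        raw_blacklist = self.pentry_blacklist.value()
        blacklisted = [x.strip() for x in raw_blacklist] if raw_blacklist else []

        # NOTE(review): assumes exec_blacklist yields (blacklist value, matching
        # passwd entry) pairs — confirm against PentryBlacklistMixin.  The previous
        # loop unpacked both items into the same name, so the message printed the
        # second value twice and lost the blacklist value that matched.
        for blacklist_value, matched_entry in self.exec_blacklist(blacklisted, None,
                                                                   user_entries):
            self._fire(
                msg=
                "Blacklisted pentry '{}' found in image's /etc/passwd: pentry={}"
                .format(blacklist_value, str(matched_entry)))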
class SecretFilenameMatchTrigger(BaseTrigger):
    """Fire for every file path in the image that matches one of the configured regexes.

    Patterns come from the ``secretcheck_nameregexp`` policy parameter; the paths
    under test come from ``context.data['filenames']`` or, failing that, from the
    keys of ``image_obj.fs.files()``.

    NOTE(review): each path is passed through ``.encode('ascii', errors='replace')``
    before matching; on Python 3 that yields ``bytes``, which ``re.match`` will not
    accept with a ``str`` pattern — this looks like the Python 2 form of the trigger.
    """
    __lifecycle_state__ = LifecycleStates.deprecated
    __trigger_name__ = 'filenamematch'
    __description__ = 'Triggers if a file exists in the container that matches with any of the regular expressions given as SECRETCHECK_NAMEREGEXP parameters.'
    name_regexps = PipeDelimitedStringListParameter(
        name='secretcheck_nameregexp',
        example_str='.*password.*|.*/.aws/.*|.*/.ssh/.*',
        description=
        'List of regexp names in the analyzer that should trigger if matched in the image'
    )

    def evaluate(self, image_obj, context):
        """Evaluate the trigger against one image.

        Args:
            image_obj: the image under evaluation; its ``fs.files()`` map is the
                fallback source of paths.
            context: evaluation context.

        Returns:
            None.  Each (file, regex) hit is reported through ``self._fire``.
        """
        patterns = self.name_regexps.value(default_if_none=[])
        if not patterns:
            return

        candidate_paths = context.data.get('filenames')
        if not candidate_paths:
            # map of path -> entry; only the paths are needed
            candidate_paths = image_obj.fs.files().keys()

        for path in candidate_paths:
            path = path.encode('ascii', errors='replace')
            # re.match only anchors at the start of the path
            hits = (pattern for pattern in patterns if re.match(pattern, path))
            for pattern in hits:
                self._fire(
                    msg=
                    'Application of regexp matched file found in container: file={} regexp={}'
                    .format(path, pattern))
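class ContentMatchTrigger(BaseTrigger):
    """Fire for each file-content regexp match the analyzer recorded for the image.

    ``context.data['content_regexp']`` maps a file path to a dict whose keys are
    base64-encoded ``name=regexp`` strings.  With the ``filecheck_contentregexp``
    parameter set, a match fires only if its encoded key, regexp body, or regexp
    name is listed there; with the parameter empty, every recorded match fires.

    NOTE(review): this variant uses the ``'base64'`` text codec via
    ``str.encode``/``str.decode``, which appears to be the Python 2 form of this
    trigger — confirm the target interpreter before reusing it.
    """
    __trigger_name__ = 'CONTENTMATCH'
    __description__ = 'Triggers if the content search analyzer has found any matches.  If the parameter is set, then will only trigger against found matches that are also in the FILECHECK_CONTENTMATCH parameter list.  If the parameter is absent or blank, then the trigger will fire if the analyzer found any matches.'
    contentregex_names = PipeDelimitedStringListParameter(
        name='filecheck_contentregexp',
        description=
        'Pipe delimited list of named regexes from the FILECHECK_CONTENTMATCH parameter list for the analyzers'
    )

    def evaluate(self, image_obj, context):
        """Evaluate the trigger against one image.

        Args:
            image_obj: the image under evaluation (not read here).
            context: evaluation context carrying the analyzer's ``content_regexp`` results.

        Returns:
            None.  Matches are reported through ``self._fire``.
        """
        match_filter = self.contentregex_names.value()
        if match_filter:
            # Both encodings are kept so the operator may list either the encoded
            # key or the plain name/regexp.
            matches = [x.encode('base64') for x in match_filter]
            matches_decoded = match_filter
        else:
            matches = []
            matches_decoded = []

        for thefile, regexps in context.data.get('content_regexp', {}).items():
            thefile = thefile.encode('ascii', errors='replace')
            if not regexps:
                continue
            for regexp in regexps.keys():
                # Decode once.  A malformed key raises here; the old bare ``except``
                # swallowed that error only to re-raise it from its own decode call,
                # so the observable behaviour is unchanged.
                decoded_regexp = regexp.decode('base64')
                # Keys are "name=regexp"; split once so '=' inside the regexp body
                # survives.  A key without '=' is treated as a bare regexp.
                try:
                    regexp_name, theregexp = decoded_regexp.split("=", 1)
                except ValueError:
                    regexp_name = None
                    theregexp = decoded_regexp

                # Empty filter -> everything fires; else fire on encoded key,
                # regexp body, or regexp name.  Same message in all cases.
                selected = (
                    not matches
                    or regexp in matches
                    or theregexp in matches_decoded
                    or (regexp_name and regexp_name in matches_decoded)
                )
                if selected:
                    self._fire(
                        msg=
                        'File content analyzer found regexp match in container: file={} regexp={}'
                        .format(thefile, decoded_regexp))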
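class SecretFilenameMatchTrigger(BaseTrigger):
    """Fire for every file path in the image that matches one of the configured regexes.

    Patterns come from the ``secretcheck_nameregexp`` policy parameter (operator
    supplied); the paths under test come from the scanned image, via
    ``context.data['filenames']`` or the keys of ``image_obj.fs.files()``.

    NOTE(review): each path is passed through ``.encode('ascii', errors='replace')``
    before matching; on Python 3 that yields ``bytes``, which ``re.match`` will not
    accept with a ``str`` pattern — this looks like the Python 2 form of the trigger.
    """
    __trigger_name__ = 'filenamematch'
    __description__ = 'Triggers if a file exists in the container that matches with any of the regular expressions given as SECRETCHECK_NAMEREGEXP parameters.'
    name_regexps = PipeDelimitedStringListParameter(
        name='secretcheck_nameregexp',
        description=
        'List of regexp names in the analyzer that should trigger if matched in the image'
    )

    def evaluate(self, image_obj, context):
        """Evaluate the trigger against one image.

        Args:
            image_obj: the image under evaluation; its ``fs.files()`` map is the
                fallback source of paths.
            context: evaluation context.

        Returns:
            None.  Each (file, regex) hit is reported through ``self._fire``.
        """
        # The parameter is used as-is; no base64 decoding happens here (the old
        # "decode the param regexes" comment and the dead ``fname_regexps = []``
        # assignment were leftovers of an earlier parameter scheme).
        fname_regexps = self.name_regexps.value(default_if_none=[])
        if not fname_regexps:
            return  # nothing configured, nothing to do

        # Prefer the analyzer's file list; otherwise take the keys of the fs map
        # (path -> entry).
        files = context.data.get('filenames') or image_obj.fs.files().keys()

        for thefile in files:
            thefile = thefile.encode('ascii', errors='replace')
            for regexp in fname_regexps:
                # re.match anchors at the start of the path only, so a pattern must
                # describe the leading part of the path it intends to hit.
                if re.match(regexp, thefile):
                    self._fire(
                        msg=
                        'Application of regexp matched file found in container: file={} regexp={}'
                        .format(thefile, regexp))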