コード例 #1
0
ファイル: cli.py プロジェクト: wxdublin/aws_ir
    def parse_args(self, args):

        parser = argparse.ArgumentParser(description="""
                Incident Response command line for Amazon Web Services.
                This command line interface is designed to process host and key
                based incursions without delay or error.
            """)

        optional_args = parser.add_argument_group()

        optional_args.add_argument(
            '--version',
            action='version',
            version="%(prog)s {ver}".format(ver=__version__))

        optional_args.add_argument('--verbose',
                                   action='store_true',
                                   help='log debug messages')

        optional_args.add_argument('--profile',
                                   default='default',
                                   help="""
                A named boto profile to use instead of the default profile.
                """)

        optional_args.add_argument('--case-number',
                                   default=None,
                                   help="""
                The case number to use., usually of the form
                "cr-16-053018-2d2d"
                """)

        optional_args.add_argument('--examiner-cidr-range',
                                   default='0.0.0.0/0',
                                   help="""
                The IP/CIDR for the examiner and/or the tool.
                This will be added as the only allowed range
                in the isolated security group.
            """)

        optional_args.add_argument('--bucket-name',
                                   default=None,
                                   help="""
                Optional.
                The id of the s3 bucket to use.
                This must already exist
            """)

        optional_args.add_argument('--dry-run',
                                   action='store_true',
                                   help="""
                Dry run. Pass dry run
                parameter to perform API calls
                but will not modify any resources.
            """)

        subparsers = parser.add_subparsers(dest="compromise-type")
        subparsers.required = True

        instance_compromise_parser = subparsers.add_parser(
            'instance-compromise', help='')

        instance_compromise_parser.add_argument('--target',
                                                required=False,
                                                help="""
                instance-id|instance-ip
            """)

        instance_compromise_parser.add_argument('--targets',
                                                required=False,
                                                help="""
                File of resources to process instance-id or ip-address.
            """)

        instance_compromise_parser.add_argument('--user',
                                                required=False,
                                                help="""
                this is the privileged ssh user
                for acquiring memory from the instance.
                Required for memory only.
            """)
        instance_compromise_parser.add_argument(
            '--ssh-key',
            required=False,
            help=
            'provide the path to the ssh private key for the user. Required for memory only.'
        )

        instance_compromise_parser.add_argument(
            '--plugins',
            required=False,
            default="gather_host,isolate_host,"
            "tag_host,snapshotdisks_host,"
            "examineracl_host,get_memory,stop_host",
            help="Run some or all of the plugins in a custom order. "
            "Provided as a comma separated list of "
            "supported plugins: \n"
            "{p}".format(p=plugin.Core().instance_plugins()))

        instance_compromise_parser.set_defaults(func="instance_compromise")

        key_compromise_parser = subparsers.add_parser('key-compromise',
                                                      help='')

        key_compromise_parser.add_argument('--access-key-id',
                                           required=True,
                                           help='')

        key_compromise_parser.add_argument(
            '--plugins',
            default="disableaccess_key,revokests_key",
            required=False,
            help="Run some or all of the plugins in a custom order."
            " Provided as a comma separated list"
            "Supported plugins: \n"
            "{p}".format(p=plugin.Core().key_plugins()))

        key_compromise_parser.set_defaults(func="key_compromise")

        return parser.parse_args(args)
コード例 #2
0
ファイル: key.py プロジェクト: bbhunt-2020/Canivete
    def __init__(self,
                 examiner_cidr_range='0.0.0.0/0',
                 compromised_access_key_id=None,
                 region='us-west-2',
                 case=None,
                 steps=None):

        if compromised_access_key_id is None:
            raise ValueError(
                'Must specify an access_key_id for the compromised key.')

        self.case_type = 'Key'
        self.compromised_access_key_id = compromised_access_key_id
        self.region = region
        self.case = case
        self.plugins = plugin.Core()
        self.steps = steps_to_list(steps)

    def mitigate(self):
        """Any steps that run as part of key compromises."""
        access_key = self.compromised_access_key_id
        compromised_resource = compromised.CompromisedMetadata(
            compromised_object_inventory={
                'access_key_id': access_key,
                'region': self.region
            },
            case_number=self.case.case_number,
            type_of_compromise='key_compromise').data()

        session = connection.Connection(type='session',
                                        region='us-west-2').connect()