def scan_all_modules(self, agent_id):
scan_types = ["csm", "svm"]
command_ids = []
unfinished_statuses = ['queued', 'pending']
server_module = cloudpassage.Server(self.halo_session)
scan_module = cloudpassage.Scan(self.halo_session)
raw_scan_results = []
# Initiate scans
print "Initiating scans for agent %s" % agent_id
for scan_type in scan_types:
command_id = scan_module.initiate_scan(agent_id, scan_type)["id"]
command_ids.append(command_id)
print command_id
# Wait until all are complete
print "Waiting for all scan jobs to be run"
while len(command_ids) > 0:
time.sleep(30)
for command_id in command_ids:
print "Checking status of command %s" % command_id
status = server_module.command_details(agent_id, command_id)
if status not in unfinished_statuses:
command_ids.remove(command_id)
# Get results
print "Getting scan results"
for scan_type in scan_types:
try:
results = scan_module.last_scan_results(agent_id, scan_type)
except CloudPassageValidation as e:
message = "Error encountered: %s" % str(e)
result = {"result": message}
raw_scan_results.append(results)
# Process and print scan results
pretty = self.print_pretty_scans(raw_scan_results)
return
def __init__(self, config):
session = cloudpassage.HaloSession(config.halo_key,
config.halo_secret,
api_host=config.halo_url)
self.server_obj = cloudpassage.Server(session)
self.request_obj = cloudpassage.HttpHelper(session)
self.sva_key = config.key
def build_server_object(self):
session = cloudpassage.HaloSession(key_id,
secret_key,
api_host=api_hostname,
api_port=api_port,
integration_string="SDK-Smoke")
return (cloudpassage.Server(session))
def main():
# Set up config and Halo objects.
config = cloudpassage.ApiKeyManager()
server_id = os.getenv("SERVER_ID")
crit_threshold = int(os.getenv("CRITICAL_THRESHOLD"))
non_crit_threshold = int(os.getenv("NON_CRITICAL_THRESHOLD"))
halo_session = cloudpassage.HaloSession(config.key_id,
config.secret_key,
api_host=config.api_hostname)
server_obj = cloudpassage.Server(halo_session)
scan_obj = cloudpassage.Scan(halo_session)
# Initiate a scan of the target server
print("Initiating scan...")
job_id = scan_obj.initiate_scan(server_id, 'sca')["id"]
incomplete_statuses = ["queued", "pending", "running"]
scan_status = "queued"
while scan_status in incomplete_statuses:
time.sleep(20)
print("Waiting for scan %s on server %s to finish (status %s)" %
(job_id, server_id, scan_status)) # NOQA
scan_status = server_obj.command_details(server_id, job_id)["status"]
scan_results = scan_obj.last_scan_results(server_id, 'sca')["scan"]
over_threshold = False
threshold_msg = ""
crit_findings = scan_results["critical_findings_count"]
non_crit_findings = scan_results["non_critical_findings_count"]
# Test criticality against threshold
if crit_findings > crit_threshold:
threshold_msg += "Critical findings: %s Threshold: %s\n" % (
crit_findings, crit_threshold) # NOQA
if crit_threshold != -1:
over_threshold = True
else:
threshold_msg += "Critical threshold set to -1, not failing.\n"
if non_crit_findings > non_crit_threshold:
threshold_msg += "Non-critical findings: %s Threshold: %s\n" % (
non_crit_findings, non_crit_threshold) # NOQA
if non_crit_threshold != -1:
over_threshold = True
else:
threshold_msg += "Non-critical threshold set to -1, not failing.\n"
# Build findings text
failed_items = ""
bad_findings = [
f for f in scan_results["findings"] if f["status"] == 'bad'
] # NOQA
for finding in bad_findings:
msg = "Critical: %s Rule: %s\n" % (str(
finding["critical"]), finding["rule_name"])
failed_items += msg
output_msg = "\n---\n".join([failed_items, threshold_msg])
print(output_msg)
# Exit with 1 if we are over threshold.
if over_threshold:
print("Threshold exceeded, this job will be marked Failed")
sys.exit(1)
else:
print("Nothing exceeds thresholds; this job will be marked Passed.")
def test_validate_bad_list(self):
search_criteria_list = ["ephemeral", "cats", "!!!LOSER"]
server_object = cloudpassage.Server(None)
platform = server_object.validate_platform(search_criteria_list)
kb = server_object.validate_kb_id(search_criteria_list)
cve = server_object.validate_cve_id(search_criteria_list)
assert platform is False
assert kb is False
assert cve is False
def __init__(self):
self.key = os.getenv("HALO_API_KEY")
self.secret = os.getenv("HALO_API_SECRET_KEY")
self.session = cloudpassage.HaloSession(self.key, self.secret)
# We go ahead and grab an auth token for all abstractions to use.
self.session.authenticate_client()
self.servers = cloudpassage.Server(self.session)
self.scans = cloudpassage.Scan(self.session)
return
def get_ip_report(self, target):
"""This wraps the report_server_by_id by accepting IP as target"""
servers = cloudpassage.Server(self.session)
report = "Unknown IP: \n" + target
try:
s_id = servers.list_all(connecting_ip_address=target)[0]["id"]
report = self.tasks.report_server_formatted(s_id)
except:
pass
return report
def get_svm_issues(session, server_issue_type):
## Top 4 CSP accounts by SVA/SVM issues on Server
# Get all the servers issues for each server, get the SVM
# count then update the output dict with the lastes numbers
#
# dict for the csp level issues output
csp_level_issues = {}
# Get server info from API
serverList = cloudpassage.Server(session)
list_of_servers = serverList.list_all()
# process list of servers and look for issues_sorted
for s in list_of_servers:
#pp.pprint(s)
issues = serverList.issues(s["id"])
if server_issue_type in issues:
critical_count = 0
non_critical_count = 0
if debug > 2:
print(
"CSP Account ID: {} ID: {} Critical Count: {} Non critical count: {}"
.format(s["csp_account_id"], issues["id"],
issues["svm"]["critical_findings_count"],
issues["svm"]["non_critical_findings_count"]))
if s["csp_account_id"] in csp_level_issues:
critical_count = csp_level_issues[
s["csp_account_id"]]["critical_findings_count"]
non_critical_count = csp_level_issues[
s["csp_account_id"]]["non_critical_findings_count"]
dict_update = {
"critical_findings_count":
issues["svm"]["critical_findings_count"] + critical_count,
"non_critical_findings_count":
issues["svm"]["non_critical_findings_count"] +
non_critical_count
}
csp_level_issues[s["csp_account_id"]] = dict_update
#Add the critical and non critical. I am keeping them seperate for now, I would like them to be shown that way but that was not the request.
csp_level_issues_temp = {}
for i in csp_level_issues:
csp_level_issues_temp[i] = csp_level_issues[i][
"critical_findings_count"] + csp_level_issues[i][
"non_critical_findings_count"]
csp_level_issues_sorted = sorted(csp_level_issues_temp.items(),
key=lambda kv: (kv[1], kv[0]),
reverse=True)
# Make sure our output is not less than the limit or we will have index errors.
limit = MAX_REPORT
if len(csp_level_issues_sorted) < 10:
limit = len(csp_level_issues_sorted)
for i in range(0, limit):
print(csp_level_issues_sorted[i][0], " |",
csp_level_issues_sorted[i][1])
def get_halo_servers_id(session):
NO_SERVERS = 0
target_halo_server_group = ""
cp_server_ob = cloudpassage.Server(session)
cp_server_group_ob = cloudpassage.ServerGroup(session)
if target_halo_server_group == "":
halo_server_list = cp_server_ob.list_all(state="active")
else:
server_group_id = \
get_server_group_id_by_name(cp_server_group_ob,
target_halo_server_group)
halo_server_list = cp_server_group_ob.list_members(server_group_id)
if len(halo_server_list) == NO_SERVERS:
print "No server to use... exiting...\n"
sys.exit(1)
halo_server_id_list = []
for server in halo_server_list:
if 'aws_ec2' in server:
ec2_data = server['aws_ec2']
halo_server_id_list.append({
'halo_server_id':
server['id'],
'aws_instance_id':
ec2_data['ec2_instance_id'],
'aws_account_id':
ec2_data['ec2_account_id']
})
elif server['server_label'] and "_" in server['server_label']\
and server['server_label'] is not None:
server_label = server['server_label']
server_label_parts = server_label.split("_")
server_label_account = server_label_parts[0]
server_label_instance = server_label_parts[1]
halo_server_id_list.append({
'halo_server_id': server['id'],
'aws_instance_id': server_label_instance,
'aws_account_id': server_label_account
})
else:
halo_server_id_list.append({
'halo_server_id': server['id'],
'aws_instance_id': "N/A",
'aws_account_id': "N/A"
})
halo_instance_id_list = halo_server_id_list
print "Halo Server ID and AWS Account ID Lookup Complete "\
+ time.strftime("%Y%m%d-%H%M%S")
return halo_instance_id_list
def __init__(self, config):
"""Pass in a quarantine.ConfigHelper object on instantiation."""
self.ua = config.ua_string
self.session = cloudpassage.HaloSession(config.halo_key,
config.halo_secret,
integration_string=self.ua)
self.server_obj = cloudpassage.Server(self.session)
self.event_obj = cloudpassage.Event(self.session)
self.group_obj = cloudpassage.ServerGroup(self.session)
self.target_group_id = self.get_groupid(config.quarantine_grp_name)
return
def test_describe_asset_server(self):
"""Requires one server in the account."""
asset_type = 'server'
halo_obj = self.get_halo_object()
halo_server_object = cloudpassage.Server(halo_obj.session)
state = "active,missing,deactivated"
query_result = halo_server_object.list_all(state=state)
one_server_url = query_result[0]['url']
result = halo_obj.describe(one_server_url)
assert result != {}
assert "id" in result
def get_active_linux_host(self):
"""This test requires an active Linux host in order to run
successfilly.
"""
session = cloudpassage.HaloSession(key_id,
secret_key,
api_host=api_hostname,
api_port=api_port)
server = cloudpassage.Server(session)
list_of_active_linux_servers = server.list_all(state="active",
platform="linux")
return list_of_active_linux_servers[0]["id"]
def main():
global FAIL_EXIT_CODE
FAIL_EXIT_CODE = int(os.getenv("FAIL_EXIT_CODE", 2))
start_time = datetime.datetime.now()
copy_tree("static", "reports/html/static")
Path("reports/html/cve").mkdir(parents=True, exist_ok=True)
key = os.getenv("HALO_API_KEY")
secret = os.getenv("HALO_API_SECRET_KEY")
module_str = os.getenv("SCAN_MODULE")
modules = module_str.split(",")
instance_id = os.getenv("INSTANCE_ID")
timeout = os.getenv("TIMEOUT")
max_cvss_threshold = float(os.getenv("MAX_CVSS", 7))
modules = [module.lower() for module in modules]
modules = list(set(modules))
session = cloudpassage.HaloSession(key, secret)
validate_input(session, modules, instance_id, max_cvss_threshold)
server = cloudpassage.Server(session)
scan = cloudpassage.Scan(session)
group = cloudpassage.ServerGroup(session)
scanned_server = get_server(server, instance_id, start_time, timeout)
server_id = scanned_server["id"]
print(f"Server ID: {server_id}")
modules = validate_csm(modules, scanned_server, group)
scans = {}
for module in modules:
while True:
try:
scan_output = scan.last_scan_results(server_id, module)
except cloudpassage.CloudPassageResourceExistence:
check_timeout(start_time, timeout)
print("Waiting on {} scan to complete...".format(module))
time.sleep(30)
if scan_output and "scan" in scan_output:
scans[module] = scan_output["scan"]
break
check_timeout(start_time, timeout)
print("Waiting on {} scan to complete...".format(module))
time.sleep(30)
build_success = process_scan(scans, scanned_server, session)
if not build_success:
print("Security scan results did not meet pass criteria")
sys.exit(FAIL_EXIT_CODE)
def test_sam_historical_is_unsupported(self):
rejected = False
session = cloudpassage.HaloSession(key_id, secret_key,
api_host=api_hostname,
api_port=api_port)
scanner = cloudpassage.Scan(session)
server = cloudpassage.Server(session)
scan_type = "sam"
server_id = server.list_all()[0]["id"]
try:
scanner.last_scan_results(server_id, scan_type)
except cloudpassage.CloudPassageValidation:
rejected = True
assert rejected
def __new__(cls):
session = cloudpassage.HaloSession(CONFIG['key_id'],
CONFIG['secret_key'],
api_port=CONFIG["api_port"],
api_host=CONFIG["api_hostname"])
return cloudpassage.Server(session)
def test_instantiation(self):
session = cloudpassage.HaloSession(key_id, secret_key,
api_host=api_hostname,
api_port=api_port)
assert cloudpassage.Server(session)
def test_instantiation(self):
assert cloudpassage.Server(None)
def main():
# Suspect package names
suspect_packages = "kubectl,kubeadm,kubelet"
# Suspect processes URL
procs_url = "/v2/servers?process_name=kubelet,kubeadm,kubectl,kube-proxy"
# Minimum versions safe from API auth bug
kube_min_ver = {
"1.10": "1.10.11",
"1.11": "1.11.5",
"1.12": "1.12.3",
"1.13": "1.13.0-rc.1"
}
# Get Halo auth info
key = os.getenv("HALO_API_KEY")
secret = os.getenv("HALO_API_SECRET_KEY")
# Set up CloudPassage API abstractions
session = cloudpassage.HaloSession(key, secret)
servers = cloudpassage.Server(session)
scans = cloudpassage.Scan(session)
helper = cloudpassage.HttpHelper(session)
# Get servers with suspect packages installed
servers_installed_kube = [
x for x in servers.list_all(package_name=suspect_packages)
]
# Get servers with suspect processes
servers_running_kube = [
x for x in helper.get_paginated(procs_url, "servers", 99)
]
# Print preliminary metrics
print("Installation match: %s" % len(servers_installed_kube))
print("Running process match: %s" % len(servers_running_kube))
# Get a list of all servers with K8s-related procs or packages
kube_servers = merge_server_lists(servers_installed_kube,
servers_running_kube)
# Create a dictionary of packages, processes, and metadata for each server.
inventory = {
x["id"]: {
"packages":
get_package_listing_from_scan(
scans.last_scan_results(x["id"], "svm")), # NOQA
"processes":
servers.list_processes(x["id"]),
"server_metadata":
x
}
for x in kube_servers
}
# Print a report to stdout
print("{}{}{}{}{}{}{}".format(
"Halo ID".ljust(40), "CSP account".ljust(40), "CSP Instance".ljust(40),
"kubectl version".ljust(20), "kubeadm version".ljust(20),
"kubelet version".ljust(20), "kubectl vulnerable".ljust(25),
"kubeadm vulnerable".ljust(25), "kubelet vulnerable".ljust(25),
"k8s processes(below)"))
for x in inventory.items():
server_id = x[0]
server_csp_id = x[1]["server_metadata"][
"csp_account_id"] if "csp_account_id" in x[1][
"server_metadata"] else "" # NOQA
server_instance_id = x[1]["server_metadata"][
"csp_instance_id"] if "csp_instance_id" in x[1][
"server_metadata"] else "" # NOQA
kubectl_version = get_package_version(x[1]["packages"], "kubectl")
kubeadm_version = get_package_version(x[1]["packages"], "kubeadm")
kubelet_version = get_package_version(x[1]["packages"], "kubelet")
kube_procs = get_kube_procs(x[1]["processes"])
kubectl_vulnerable = is_kube_vulnerable(kube_min_ver, kubectl_version)
kubeadm_vulnerable = is_kube_vulnerable(kube_min_ver, kubeadm_version)
kubelet_vulnerable = is_kube_vulnerable(kube_min_ver, kubelet_version)
print("{}{}{}{}{}{}{}{}{}\n{}\n\n".format(server_id.ljust(40),
server_csp_id.ljust(40),
server_instance_id.ljust(40),
kubectl_version.ljust(16),
kubeadm_version.ljust(16),
kubelet_version.ljust(16),
kubectl_vulnerable.ljust(20),
kubeadm_vulnerable.ljust(20),
kubelet_vulnerable.ljust(20),
kube_procs))
dump_to_csv(inventory, kube_min_ver)
dump_to_json(inventory)
def get_servers(halo_session):
servers_object = cloudpassage.Server(halo_session)
all_servers = servers_object.list_all()
return all_servers
def __init__(self):
super(ServerController, self).__init__()
self.api = cloudpassage.HttpHelper(self.session)
self.srv_obj = cloudpassage.Server(self.session)
def get_servers(self):
"""Return a current list of servers in Halo."""
server_obj = cloudpassage.Server(self.session)
return server_obj.list_all()
def __init__(self, *kwargs):
# Groups and prod lists to be replace by yaml template
self.cwd = path.realpath(path.join(getcwd(), path.dirname(__file__)))
self.api_key = environ['CLOUDP_KEY']
self.api_secret = environ['CLOUDP_SECRET']
self.session = cloudpassage.HaloSession(self.api_key, self.api_secret)
self.server = cloudpassage.Server(self.session)
self.policies = cloudpassage.FirewallPolicy(self.session)
self.policy_init = cloudpassage.policy.Policy(self.session)
self.poldetails = cloudpassage.FirewallRule(self.session)
self.firewall_services = cloudpassage.FirewallService(self.session)
self.http_helper = cloudpassage.HttpHelper(self.session)
self.args = args
self.firewall_ports = {}
self.filtered_ports = {}
self.rules = []
self.myrules = {}
self.users = {}
self.user_id = {}
self.filtered_rules = {}
self.rule_ids = []
self.filtered_rule_ids = {}
self.log_positions = {}
self.pol_positions = {}
self.list_of_servers = self.server.list_all()
self.list_of_policies = self.policies.list_all()
self.list_of_services = self.firewall_services.list_all()
self.policy_names = []
self.filtered_groups = []
self.policy_ids = []
self.filtered_policy_ids = []
self.unfiltered_policy_ids = []
self.filtered_policies = {}
self.activerules = {}
self.myactiverules = {}
self.activecomments = {}
self.activeurls = {}
self.activepolicies = {}
self.user = {}
self.json = {}
self.group = kwargs[0]
self.chain = kwargs[1]
self.active = kwargs[2]
self.source = kwargs[3]
self.destination = kwargs[4]
self.states = kwargs[5]
self.action = kwargs[6]
self.username = kwargs[11]
self.all = kwargs[12]
# Split without spaces being added
self.service = kwargs[7]
self.filtered_service = {}
self.unfiltered_service = {}
self.log = kwargs[8]
self.log_prefix = kwargs[9]
self.comment = kwargs[10]
self.wildcard = kwargs[13]
self.setactive = kwargs[14]
self.setinactive = kwargs[15]
self.dryrun = kwargs[16]
self.subtractfromlastrule = kwargs[17]
self.deleteinactive = kwargs[18]
self.fullbackup = kwargs[19]
self.fullrestore = kwargs[20]
self.filename = kwargs[21]
def get_all_servers(self):
"""Get all servers from Halo API."""
server_obj = cloudpassage.Server(self.session)
result = server_obj.list_all()
return result
