From 3a75f0c4ebb02d057b976c0d01b6cc8055e58a8c Mon Sep 17 00:00:00 2001 From: jinyoungmoonDEV Date: Fri, 29 Nov 2024 14:14:47 +0900 Subject: [PATCH 1/2] add: add vulnerable_ports logic --- src/plugin/conf/cloud_service_conf.py | 1 + src/plugin/main.py | 15 ++++++- .../manager/ec2/security_group_manager.py | 42 +++++++++++++++---- 3 files changed, 50 insertions(+), 8 deletions(-) diff --git a/src/plugin/conf/cloud_service_conf.py b/src/plugin/conf/cloud_service_conf.py index 836df39..9f85bd6 100644 --- a/src/plugin/conf/cloud_service_conf.py +++ b/src/plugin/conf/cloud_service_conf.py @@ -9,6 +9,7 @@ DEFAULT_REGION = "us-east-1" FILTER_FORMAT = [] BOTO3_HTTPS_VERIFIED = None +DEFAULT_VULNERABLE_PORTS = "22,3306" ASSET_URL = "https://spaceone-custom-assets.s3.ap-northeast-2.amazonaws.com/console-assets/icons/cloud-services/aws" diff --git a/src/plugin/main.py b/src/plugin/main.py index a24a947..9dda5b7 100644 --- a/src/plugin/main.py +++ b/src/plugin/main.py @@ -1,5 +1,7 @@ import logging from spaceone.inventory.plugin.collector.lib.server import CollectorPluginServer + +from .conf.cloud_service_conf import DEFAULT_VULNERABLE_PORTS from .manager.base import ResourceManager _LOGGER = logging.getLogger("cloudforet") @@ -311,6 +313,17 @@ def _create_init_metadata(): "inventory.Region", "inventory.ErrorResource", ], - "options_schema": {}, + "options_schema": { + "required": ["vulnerable_ports"], + "type": "object", + "properties": { + "vulnerable_ports": { + "title": "Vulnerable Ports Option", + "type": "string", + "default": DEFAULT_VULNERABLE_PORTS, + "description": "Ex) 22,8080,3306 (Default = 22,3306)", + } + }, + }, } } diff --git a/src/plugin/manager/ec2/security_group_manager.py b/src/plugin/manager/ec2/security_group_manager.py index 49d20b7..c80521a 100644 --- a/src/plugin/manager/ec2/security_group_manager.py +++ b/src/plugin/manager/ec2/security_group_manager.py 
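Review bot: The `vulnerable_ports` option in `options_schema` is declared as a free-form string, so a malformed value (letters, an empty item from a trailing comma) is accepted at configuration time and only surfaces later as ERROR_VULNERABLE_PORTS from the security-group manager, once per collected rule. Adding a format constraint on the property, e.g. `"pattern": "^\\s*\\d+(\\s*,\\s*\\d+)*\\s*$"`, rejects it up front where the user can see it. Listing the option under `required` while also giving it a `default` looks contradictory, since the manager already falls back to DEFAULT_VULNERABLE_PORTS when the key is absent; if the schema consumer enforces `required` before applying defaults, every user will have to type the value by hand, so dropping it from `required` is probably the intent. The enclosing `_create_init_metadata` body starts and ends outside this hunk.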
@@ -1,7 +1,8 @@ import copy from spaceone.inventory.plugin.collector.lib import * from ..base import ResourceManager -from ...conf.cloud_service_conf import ASSET_URL, INSTANCE_FILTERS +from ...conf.cloud_service_conf import ASSET_URL, INSTANCE_FILTERS, DEFAULT_VULNERABLE_PORTS +from ...error.custom import ERROR_VULNERABLE_PORTS class SecurityGroupManager(ResourceManager): @@ -35,6 +36,9 @@ def create_cloud_service_type(self): def create_cloud_service(self, region, options, secret_data, schema): cloudtrail_resource_type = "AWS::EC2::SecurityGroup" + # If Port Filter Option Exist + vulnerable_ports = self.options.get("vulnerable_ports", DEFAULT_VULNERABLE_PORTS) + # Get default VPC default_vpcs = self._get_default_vpc() @@ -62,7 +66,7 @@ def create_cloud_service(self, region, options, secret_data, schema): in_rule_copy = copy.deepcopy(in_rule) inbound_rules.append( self.custom_security_group_rule_info( - in_rule_copy, _ip_range, "ip_ranges" + in_rule_copy, _ip_range, "ip_ranges",vulnerable_ports ) ) @@ -73,6 +77,7 @@ def create_cloud_service(self, region, options, secret_data, schema): in_rule_copy, _user_group_pairs, "user_id_group_pairs", + vulnerable_ports, ) ) @@ -80,7 +85,7 @@ def create_cloud_service(self, region, options, secret_data, schema): in_rule_copy = copy.deepcopy(in_rule) inbound_rules.append( self.custom_security_group_rule_info( - in_rule_copy, _ip_v6_range, "ipv6_ranges" + in_rule_copy, _ip_v6_range, "ipv6_ranges",vulnerable_ports ) ) @@ -91,7 +96,7 @@ def create_cloud_service(self, region, options, secret_data, schema): out_rule_copy = copy.deepcopy(out_rule) outbound_rules.append( self.custom_security_group_rule_info( - out_rule_copy, _ip_range, "ip_ranges" + out_rule_copy, _ip_range, "ip_ranges",vulnerable_ports ) ) @@ -101,7 +106,7 @@ def create_cloud_service(self, region, options, secret_data, schema): self.custom_security_group_rule_info( out_rule_copy, _user_group_pairs, - "user_id_group_pairs", + "user_id_group_pairs",vulnerable_ports, ) ) 
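Review bot: `ERROR_VULNERABLE_PORTS` is imported from `...error.custom`, but no hunk in either patch of this series defines it and the diffstat lists only the three files shown, so the import resolves only if that class already exists in the error module. Worth confirming before merge, because a missing name there fails at import time and takes the whole SecurityGroupManager down rather than just the port check.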
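Review bot: The added argument in the `@@ -62` hunk is written `"ip_ranges",vulnerable_ports` with no space after the comma, which breaks the black-style formatting the rest of these calls follow; the same appears in the `@@ -80`, `@@ -91` and `@@ -101` hunks here and in the `@@ -109` hunk that follows. Writing it as `in_rule_copy, _ip_range, "ip_ranges", vulnerable_ports` (and likewise at the other sites) keeps the file formatter-clean. Since `custom_security_group_rule_info` now receives the option at all six call sites, passing it as a keyword, `vulnerable_ports=vulnerable_ports`, would also make the positional-argument lists easier to read. `create_cloud_service` starts and ends outside these hunks.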
@@ -109,7 +114,7 @@ def create_cloud_service(self, region, options, secret_data, schema): out_rule_copy = copy.deepcopy(out_rule) outbound_rules.append( self.custom_security_group_rule_info( - out_rule_copy, _ip_v6_range, "ipv6_ranges" + out_rule_copy, _ip_v6_range, "ipv6_ranges",vulnerable_ports ) ) @@ -160,7 +165,7 @@ def create_cloud_service(self, region, options, secret_data, schema): region_name=region, ) - def custom_security_group_rule_info(self, raw_rule, remote, remote_type): + def custom_security_group_rule_info(self, raw_rule, remote, remote_type, vulnerable_ports): raw_rule.update( { "protocol_display": self._get_protocol_display( @@ -170,6 +175,7 @@ def custom_security_group_rule_info(self, raw_rule, remote, remote_type): "source_display": self._get_source_display(remote), "description_display": self._get_description_display(remote), remote_type: remote, + "vulnerable_ports": self._get_vulnerable_ports(raw_rule, vulnerable_ports) } ) @@ -287,3 +293,25 @@ def get_instance_name_from_tags(instance): return _tag.get("Value") return "" + + @staticmethod + def _get_vulnerable_ports(raw_rule, vulnerable_ports): + is_port_all = False + + try: + toPort = int(raw_rule.get("ToPort")) + fromPort = int(raw_rule.get("FromPort")) + except (ValueError, TypeError): + is_port_all = True + toPort, fromPort = None, None + + ports = [] + try: + for port in map(str.strip, vulnerable_ports.split(',')): + target_port = int(port) + if is_port_all or (fromPort <= target_port <= toPort): + ports.append(target_port) + + return ports + except Exception: + raise ERROR_VULNERABLE_PORTS(vulnerable_ports) From 4abebbe42f045abea92640fab9f40ca8e0921a66 Mon Sep 17 00:00:00 2001 From: jinyoungmoonDEV Date: Fri, 29 Nov 2024 17:06:58 +0900 Subject: [PATCH 2/2] add: add vulnerable_ports logic --- .../manager/ec2/security_group_manager.py | 39 +++++++++---------- 1 file changed, 18 insertions(+), 21 deletions(-) 
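Review bot: The new `vulnerable_ports` parameter added to `custom_security_group_rule_info` in the `@@ -160` hunk is undocumented, and the method still has no docstring saying that the rule it returns now carries a `vulnerable_ports` list. A short docstring would help: `"""Enrich raw_rule in place with display fields and, under "vulnerable_ports", the subset of the comma-separated vulnerable_ports option that the rule's port range covers."""`. The method body continues past the end of the hunk.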
diff --git a/src/plugin/manager/ec2/security_group_manager.py b/src/plugin/manager/ec2/security_group_manager.py index c80521a..266da15 100644 --- a/src/plugin/manager/ec2/security_group_manager.py +++ b/src/plugin/manager/ec2/security_group_manager.py @@ -37,7 +37,7 @@ def create_cloud_service(self, region, options, secret_data, schema): cloudtrail_resource_type = "AWS::EC2::SecurityGroup" # If Port Filter Option Exist - vulnerable_ports = self.options.get("vulnerable_ports", DEFAULT_VULNERABLE_PORTS) + vulnerable_ports = options.get("vulnerable_ports", DEFAULT_VULNERABLE_PORTS) # Get default VPC default_vpcs = self._get_default_vpc() @@ -166,16 +166,15 @@ def create_cloud_service(self, region, options, secret_data, schema): ) def custom_security_group_rule_info(self, raw_rule, remote, remote_type, vulnerable_ports): + protocol_display = self._get_protocol_display(raw_rule.get("IpProtocol")) raw_rule.update( { - "protocol_display": self._get_protocol_display( - raw_rule.get("IpProtocol") - ), + "protocol_display": protocol_display, "port_display": self._get_port_display(raw_rule), "source_display": self._get_source_display(remote), "description_display": self._get_description_display(remote), remote_type: remote, - "vulnerable_ports": self._get_vulnerable_ports(raw_rule, vulnerable_ports) + "vulnerable_ports": self._get_vulnerable_ports(protocol_display, raw_rule, vulnerable_ports) } ) 
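Review bot: `_get_vulnerable_ports` is now driven by the display string `protocol_display`, so its "all ports" branch depends on `_get_protocol_display` rendering the AWS value `"-1"` as exactly `"ALL"`; any later change to the display text would silently turn every all-protocol rule into a non-match. Passing `raw_rule.get("IpProtocol")` into the helper and comparing against `"-1"` there, e.g. `is_all_protocols = raw_rule.get("IpProtocol") == "-1"`, keeps the vulnerability logic independent of presentation. `_get_protocol_display` is not in the diff, so this is inferred from the comparison in the `@@ -295` hunk below. The enclosing method starts and ends outside this hunk.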
@@ -295,23 +294,21 @@ def get_instance_name_from_tags(instance): return "" @staticmethod - def _get_vulnerable_ports(raw_rule, vulnerable_ports): - is_port_all = False - + def _get_vulnerable_ports(protocol_display: str, raw_rule: dict, vulnerable_ports: str): try: - toPort = int(raw_rule.get("ToPort")) - fromPort = int(raw_rule.get("FromPort")) - except (ValueError, TypeError): - is_port_all = True - toPort, fromPort = None, None + if protocol_display == "ALL": + return [int(port.strip()) for port in vulnerable_ports.split(',')] - ports = [] - try: - for port in map(str.strip, vulnerable_ports.split(',')): - target_port = int(port) - if is_port_all or (fromPort <= target_port <= toPort): - ports.append(target_port) + to_port = raw_rule.get("ToPort") + from_port = raw_rule.get("FromPort") + + if to_port is None or from_port is None: + return [] - return ports - except Exception: + return [ + int(port.strip()) + for port in vulnerable_ports.split(',') + if from_port <= int(port.strip()) <= to_port + ] + except ValueError: raise ERROR_VULNERABLE_PORTS(vulnerable_ports)
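Review bot: In the final comprehension of `_get_vulnerable_ports`, `int(port.strip())` is evaluated twice per entry, and nothing checks that the parsed value is a valid port, so `70000` or `-5` is accepted and can simply never match a rule instead of being reported as a bad option. Parsing the option once, range-checking it, and filtering the resulting ints is simpler and lets the `except ValueError` wrap only the parse, with `raise ... from err` so the original cause is kept. Also worth documenting on the method: only the rule's port range is inspected, never its source, so a hit means "this rule permits the port", not "the port is exposed to the internet"; a rule restricted to a private CIDR is flagged identically to one open to `0.0.0.0/0`. For ICMP rules AWS uses FromPort/ToPort for the ICMP type and code rather than TCP/UDP ports, so those rules presumably should be skipped; `_get_protocol_display` is not in the diff, so check what it returns for them.
```python
    @staticmethod
    def _get_vulnerable_ports(protocol_display: str, raw_rule: dict, vulnerable_ports: str):
        """Return the configured ports that this rule's port range covers.

        Only the port range is inspected, not the rule's source.
        """
        try:
            wanted = [int(port.strip()) for port in vulnerable_ports.split(',')]
        except ValueError as err:
            raise ERROR_VULNERABLE_PORTS(vulnerable_ports) from err
        if any(not 0 <= port <= 65535 for port in wanted):
            raise ERROR_VULNERABLE_PORTS(vulnerable_ports)

        if protocol_display == "ALL":
            return wanted

        to_port = raw_rule.get("ToPort")
        from_port = raw_rule.get("FromPort")
        if to_port is None or from_port is None:
            return []

        return [port for port in wanted if from_port <= port <= to_port]
```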