diff --git a/main.py b/main.py index 1c3070e..e32f854 100644 --- a/main.py +++ b/main.py @@ -1,10 +1,40 @@ import argparse from art import text2art - +import random +import boto3 +import os +import glob from src.logger import setup_logger from src.snapper import Snapper from src.scanner import Scanner + +def getting_all_pem_file_names(): + """ + :return: .pem file names from the red-detector directory. + """ + file_path = os.path.realpath(__file__) # getting the script's path + file_path = file_path.split("red-detector") + files_path = file_path[0] + "red-detector" # (the pem files arent in the same directory as the script.) + + lst = (glob.glob(files_path+"/*.pem")) + index = 0 + for i in lst: + lst[index] = lst[index].replace(files_path+"/", "").replace(".pem","") + index += 1 + return lst + + +def used_key_pairs(): + keypairs = [] # list of used keyPair names + ec2 = boto3.client('ec2') + response = ec2.describe_key_pairs() + + for i in response["KeyPairs"]: + keypairs.append(i["KeyName"]) + return keypairs + + if __name__ == "__main__": parser = argparse.ArgumentParser() parser.add_argument('--region', action='store', dest='region', type=str, 
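Review bot: `used_key_pairs()` builds `boto3.client('ec2')` with no region, so it lists key pairs in the default profile region, while the key itself is created in `snapper.region` (see the `Scanner(..., region=snapper.region, key_pair_name=key_name)` line in the `@@ -31,17 +61,30 @@` hunk); EC2 key pairs are regional, so the collision check can miss an existing `red_detector_keyN` in the target region and `create_keypair` would then hit a duplicate name. Give the helper a region parameter, `def used_key_pairs(region_name=None):` with `ec2 = boto3.client('ec2', region_name=region_name)`, and call it as `used_key_pairs(snapper.region)` in the second hunk. Separately, `getting_all_pem_file_names()` locates the directory by splitting `os.path.realpath(__file__)` on the literal `"red-detector"`, which silently points nowhere when the checkout has any other directory name; since `main.py` sits at the repository root per the diff path, `files_path = os.path.dirname(os.path.realpath(__file__))` yields the same directory without depending on its name, and `[os.path.basename(p)[:-4] for p in glob.glob(os.path.join(files_path, "*.pem"))]` replaces the index-counter loop. `import random` is not used anywhere in what this hunk shows, and `used_key_pairs()` deserves a one-line docstring like the sibling helper, e.g. `"""Return the names of the EC2 key pairs that already exist in the account."""`.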
@@ -31,17 +61,30 @@ snapper.create_client() if cmd_args.instance_id: - source_volume_id = snapper.get_instance_root_vol(instance_id=cmd_args.instance_id) + try: + source_volume_id = snapper.get_instance_root_vol(instance_id=cmd_args.instance_id) + except Exception as e: + print(e, " : (probably problem with the given instance id)") + exit(99) else: source_volume_id = snapper.select_ec2_instance() volume_id, selected_az, snapshot_id = snapper.snapshot2volume(volume_id=source_volume_id) - scanner = Scanner(logger=logger, region=snapper.region) if cmd_args.keypair: - scanner.keypair_name = cmd_args.keypair + scanner = Scanner(logger=logger, region=snapper.region, key_pair_name=cmd_args.keypair) else: - scanner.keypair_name = scanner.create_keypair(key_name='red_detector_key') + used_key_pairs_list_from_aws = used_key_pairs() + used_key_pairs_list_locally = getting_all_pem_file_names() + num = 0 + key_name = "red_detector_key{number}".format(number=str(num)) + while key_name in used_key_pairs_list_from_aws or key_name in used_key_pairs_list_locally: + num += 1 + key_name = "red_detector_key{number}".format(number=str(num)) + + scanner = Scanner(logger=logger, region=snapper.region, key_pair_name=key_name) + scanner.keypair_name = scanner.create_keypair(key_name=key_name) + ec2_instance_id, ec2_instance_public_ip, report_service_port = scanner.create_ec2(selected_az=selected_az) scanner.attach_volume_to_ec2(ec2_instance_id=ec2_instance_id, volume_id=volume_id) scanner.scan_and_report(ec2_instance_public_ip=ec2_instance_public_ip, diff --git a/src/remote_scripts.py b/src/remote_scripts.py index 2e66908..e048794 100644 --- a/src/remote_scripts.py +++ b/src/remote_scripts.py @@ -1,4 +1,5 @@ script_a = '''#!/bin/bash -ex + exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 apt-get update 
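Review bot: The new `except Exception as e:` around `get_instance_root_vol` swallows every error type, including plain programming errors, reports through `print` although a `logger` is in scope on the `Scanner(logger=logger, ...)` line, and terminates via the `exit()` site builtin; prefer `logger.error("%s : (probably problem with the given instance id)", e)` followed by `sys.exit(99)` (with `import sys` added to the top-of-file imports), and narrow the clause to the exception the call actually raises — presumably botocore's `ClientError` for a bad instance id, to be confirmed against `Snapper`. In the `else` branch the loop only rules out names that already appear in the two lists, so a `create_keypair` failure on a duplicate name remains possible and should be reported with the same message style rather than a bare traceback. The two membership lists are small, so `in` on lists is fine, but `set(...)` would make the intent clearer if they grow.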
@@ -7,82 +8,69 @@ mkdir -p /home/ubuntu/vuls cd /home/ubuntu/ wget https://downloads.cisofy.com/lynis/lynis-3.0.3.tar.gz -wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz + +apt-get install chkrootkit -y + mkdir -p chkrootkit && cd chkrootkit -tar xvf /home/ubuntu/chkrootkit.tar.gz --strip-components 1 -make sense cd /home/ubuntu/vuls -docker pull vuls/go-cve-dictionary -docker pull vuls/goval-dictionary -docker pull vuls/gost -docker pull vuls/go-exploitdb -docker pull vuls/gost -docker pull vuls/vuls +sudo docker pull vuls/go-cve-dictionary +sudo docker pull vuls/goval-dictionary +sudo docker pull vuls/gost +sudo docker pull vuls/go-exploitdb +sudo docker pull vuls/gost +sudo docker pull vuls/vuls -PWD=/home/ubuntu/vuls/ -for i in `seq 2002 $(date +"%Y")`; do \ - docker run --rm -i\ +cd /home/ubuntu/vuls + +sudo docker run --rm -i \ -v $PWD:/vuls \ -v $PWD/go-cve-dictionary-log:/var/log/vuls \ - vuls/go-cve-dictionary fetchnvd -years $i; \ - done + vuls/go-cve-dictionary fetch nvd -docker run --rm -i \ +sudo docker run --rm -i \ -v $PWD:/vuls \ -v $PWD/goval-dictionary-log:/var/log/vuls \ - vuls/goval-dictionary fetch-redhat 5 6 7 8 + vuls/goval-dictionary fetch redhat 5 6 7 8 -docker run --rm -i \ +sudo docker run --rm -i \ -v $PWD:/vuls \ -v $PWD/goval-dictionary-log:/var/log/vuls \ - vuls/goval-dictionary fetch-debian 7 8 9 10 + vuls/goval-dictionary fetch debian 7 8 9 10 -docker run --rm -i \ - -v $PWD:/vuls \ - -v $PWD/goval-dictionary-log:/var/log/vuls \ - vuls/goval-dictionary fetch-alpine 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 - -docker run --rm -i \ - -v $PWD:/vuls \ - -v $PWD/goval-dictionary-log:/var/log/vuls \ - vuls/goval-dictionary fetch-ubuntu 14 16 18 19 20 - -docker run --rm -i \ +sudo docker run --rm -i \ -v $PWD:/vuls \ -v $PWD/goval-dictionary-log:/var/log/vuls \ - vuls/goval-dictionary fetch-suse -opensuse 13.2 + vuls/goval-dictionary fetch alpine 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 -docker run --rm -i \ +sudo docker run --rm -i \ 
-v $PWD:/vuls \ -v $PWD/goval-dictionary-log:/var/log/vuls \ - vuls/goval-dictionary fetch-suse -suse-enterprise-server 12 + vuls/goval-dictionary fetch ubuntu 14 16 18 19 20 -docker run --rm -i \ +sudo docker run --rm -i \ -v $PWD:/vuls \ -v $PWD/goval-dictionary-log:/var/log/vuls \ - vuls/goval-dictionary fetch-oracle + vuls/goval-dictionary fetch oracle -docker run --rm -i \ +sudo docker run --rm -i \ -v $PWD:/vuls \ -v $PWD/goval-dictionary-log:/var/log/vuls \ - vuls/goval-dictionary fetch-amazon - -docker run --rm -i \ - -v $PWD:/vuls \ - -v $PWD/gost-log:/var/log/gost \ - vuls/gost fetch redhat + vuls/goval-dictionary fetch amazon -docker run --rm -i \ +sudo docker run --rm -i \ -v $PWD:/vuls \ -v $PWD/go-exploitdb-log:/var/log/go-exploitdb \ vuls/go-exploitdb fetch exploitdb -docker run --rm -i \ +sudo docker run --rm -i \ -v $PWD:/vuls \ -v $PWD/go-msfdb-log:/var/log/go-msfdb \ vuls/go-msfdb fetch msfdb - + + +touch config_scan.toml + cat > config_scan.toml < /tmp/tmp_authorized_keys sudo mv /tmp/tmp_authorized_keys /vol/root/.ssh/tmp_authorized_keys -sudo chown root:root /vol/root/.ssh/tmp_authorized_keys +sudo chown root:root /vol/root/.ssh/tmp_authorized_keys sudo chmod 600 /vol/root/.ssh/tmp_authorized_keys sudo mount -t proc none /vol/proc 
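Review bot: The rewritten `sudo docker pull vuls/go-cve-dictionary` and sibling lines at the top of this hunk (and the `sudo docker run` lines that follow) still pull untagged images, so each scanner boot runs whatever `latest` currently resolves to as root on the scanner host; the scan is not reproducible and an upstream image change silently alters results — pin a tag or an `@sha256:<DIGEST-PLACEHOLDER>` digest on every `docker pull`/`docker run` reference. `vuls/gost` is pulled twice, and with the `gost fetch redhat` run removed the image no longer appears to be used in this hunk, so the second pull can go and the first is probably dead. The `sudo` prefix is redundant if this user-data script runs as root (Ubuntu cloud-init runs user-data as root by default) and is inconsistent with the unprefixed `apt-get install chkrootkit -y` above it. The middle of this hunk, from the `config_scan.toml` heredoc to the `tmp_authorized_keys` lines, is garbled in this rendering, so only the visible lines were reviewed.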
@@ -141,7 +128,6 @@ sudo mount -o bind /run /vol/run sudo chroot /vol /bin/mount devpts /dev/pts -t devpts - # Reporting mkdir -p /home/ubuntu/nginx/html cat > /home/ubuntu/nginx/default.conf < EOF + + sudo docker run --name docker-nginx -p {port}:80 -d -v /home/ubuntu/nginx/html:/usr/share/nginx/html -v /home/ubuntu/nginx/default.conf:/etc/nginx/conf.d/default.conf nginx + # Lynis audit + + sudo cp /home/ubuntu/lynis-3.0.3.tar.gz /vol/root/ + + sudo su -c "chroot /vol tar xvf /root/lynis-3.0.3.tar.gz -C /root/" + + sudo su -c "chroot /vol printf 'cd /root/lynis/\n./lynis audit system\n' > /vol/root/lynis/run.sh && chmod +x /vol/root/lynis/run.sh" -sudo su -c "chroot /vol /root/lynis/run.sh" | ansi2html -l > /home/ubuntu/nginx/html/lynis_report.html + + +sudo su -c "chroot /vol lynis audit system" | ansi2html > /home/ubuntu/nginx/html/lynis_report.html + # Chkrootkit scan cd /home/ubuntu/chkrootkit @@ -262,17 +260,23 @@ sudo ./chkrootkit -r /vol | ansi2html -l > /home/ubuntu/nginx/html/chkrootkit_report.html # Vuls scan + sudo su -c "chroot /vol /usr/sbin/sshd -p 2222 -o 'AuthorizedKeysFile=/root/.ssh/tmp_authorized_keys' -o 'AuthorizedKeysCommand=none' -o 'AuthorizedKeysCommandUser=none' -o 'GSSAPIAuthentication=no' -o 'UseDNS=no'" -echo "Creating ssh config" + sudo cat > ~/.ssh/config <
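Review bot: `+sudo su -c "chroot /vol lynis audit system"` resolves `lynis` through the PATH of the mounted volume's root filesystem, so it runs whatever `lynis` the scanned system happens to have installed, or fails with command not found when it has none, whereas the removed line ran the copy unpacked from the uploaded tarball via `/root/lynis/run.sh`; the `sudo cp`/`chroot /vol tar xvf` lines shown just above still appear to stage that tarball but nothing uses it now. If the intent is to keep using the known copy, `sudo su -c "chroot /vol /bin/sh -c 'cd /root/lynis && ./lynis audit system'" | ansi2html -l > /home/ubuntu/nginx/html/lynis_report.html` restores that, and keeping `-l` matches the `chkrootkit ... | ansi2html -l` report line below. Chroot-ing into the scanned volume always executes that system's own binaries (`tar`, `sh`, and later `/usr/sbin/sshd`), so a compromised volume can influence its own scan; a short comment at the top of this section stating that assumption would help the next reader. The printed lines do not match the `-141,7 +128,6` counts, so parts of this hunk seem to be missing from this rendering.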