diff options
| author |   Pawel Wieczorek <p.wieczorek2@samsung.com> | 2020-03-10 15:22:55 +0100 |
|---|---|---|
| committer | Pawel Wieczorek <p.wieczorek2@samsung.com> | 2020-03-10 15:30:04 +0100 |
| commit | 3a474afa535a225e47c8f6e287a46dc8ee65f1d7 (patch) | |
| tree | 04ee97a78744e1162d3c5ff94f35638625287e12 | |
| parent | 331e07bb8bc2834801c61ab8a8062a7a39a8d232 (diff) | |
Drop filtering out services recognized as HTTP
This patch extends tool used to detect plain HTTP ports to report all
non-SSL endpoints. Previously it omitted services not recognized as
HTTP.
Naming changes were made to reflect purpose of this tool better.
Issue-ID: INT-1480
Change-Id: I58a152022d48121bf4b9c6180ddc820dd4a79805
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
| -rwxr-xr-x | test/security/check_for_nonssl_endpoints.sh (renamed from test/security/check_for_http_endpoints.sh) | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/test/security/check_for_http_endpoints.sh b/test/security/check_for_nonssl_endpoints.sh index 5e2fd85ec..6056e0371 100755 --- a/test/security/check_for_http_endpoints.sh +++ b/test/security/check_for_nonssl_endpoints.sh @@ -18,21 +18,21 @@ # # COPYRIGHT NOTICE ENDS HERE -# Check all ports exposed outside of kubernetes cluster looking for plain http +# Check all ports exposed outside of kubernetes cluster looking for non-SSL # endpoints. # # Dependencies: # nmap # kubectl + config # -# Return value: Number of discovered http ports -# Output: List of pods exposing http endpoints +# Return value: Number of discovered non-SSL ports +# Output: List of pods exposing non-SSL endpoints # usage() { cat <<EOF -Usage: $(basename $0) <k8s-namespace> [-l <list of HTTP endpoints expected to fail this test>] - -l: list of HTTP endpoints expected to fail this test +Usage: $(basename $0) <k8s-namespace> [-l <list of non-SSL endpoints expected to fail this test>] + -l: list of non-SSL endpoints expected to fail this test EOF exit ${1:-0} } @@ -53,8 +53,8 @@ if [ "$#" -lt 1 ]; then fi K8S_NAMESPACE=$1 -FILTERED_PORTS_LIST=$(mktemp http_endpoints_XXXXXX) -XF_RAW_FILE_PATH=$(mktemp raw_filtered_http_endpoints_XXXXXX) +FILTERED_PORTS_LIST=$(mktemp nonssl_endpoints_XXXXXX) +XF_RAW_FILE_PATH=$(mktemp raw_filtered_nonssl_endpoints_XXXXXX) strip_white_list() { if [ ! -f $XF_FILE_PATH ]; then @@ -94,8 +94,8 @@ SCAN_RESULT=`nmap $K8S_NODE -sV -p $PORT_LIST 2>/dev/null | grep \tcp` # Concatenate scan result with service name RESULTS=`paste <(printf %s "$SVCS") <(printf %s "$SCAN_RESULT") | column -t` -# Find all plain http ports -HTTP_PORTS=`grep http <<< "$RESULTS" | grep -v ssl/http | tee "$FILTERED_PORTS_LIST"` +# Find all non-SSL ports +HTTP_PORTS=`grep -v ssl <<< "$RESULTS" | tee "$FILTERED_PORTS_LIST"` # Filter out whitelisted endpoints while IFS= read -r line; do |