diff options
Diffstat (limited to 'test/security')
-rwxr-xr-x | test/security/check_for_jdwp.sh | 130 | ||||
-rw-r--r-- | test/security/jdwp_whitelist.txt | 7 |
2 files changed, 95 insertions, 42 deletions
diff --git a/test/security/check_for_jdwp.sh b/test/security/check_for_jdwp.sh index e79f712bf..9343d1615 100755 --- a/test/security/check_for_jdwp.sh +++ b/test/security/check_for_jdwp.sh @@ -28,68 +28,114 @@ # Return value: Number of discovered JDWP ports # Output: List of pods and exposing JDWP interface # +usage() { + cat <<EOF +Usage: $(basename $0) <k8s-namespace> [-l <white list file>] + -l: jdpw white list ports file +EOF + exit ${1:-0} +} if [ "$#" -lt 1 ]; then - echo "Usage: $0 <k8s-namespace>" + usage exit 1 fi K8S_NAMESPACE=$1 LOCAL_PORT=12543 +FILTERED_PORTS_LIST=$(mktemp jdpw_ports_XXXXXX) +WL_RAW_FILE_PATH=$(mktemp raw_filtered_ports_XXXXXX) + +manage_white_list() { + # init filtered port list file + if [ ! -f $WL_FILE_PATH ];then + echo "File not found" + usage + fi + grep -o '^[^#]*' $WL_FILE_PATH > $WL_RAW_FILE_PATH +} + +### getopts +while : +do + case $2 in + -h|--help|help) usage;; + -l) WL_FILE_PATH=$3;manage_white_list;shift;; + -*) usage 1 ;; + *) break ;; + esac +done list_pods() { - kubectl get po --namespace=$K8S_NAMESPACE | grep Running | awk '{print $1}' | grep -v NAME + kubectl get po --namespace=$K8S_NAMESPACE | grep Running | awk '{print $1}' | grep -v NAME } do_jdwp_handshake() { - local ip="127.0.0.1" - local port=$1 - local jdwp_challenge="JDWP-Handshake\n" - local jdwp_response="JDWP-Handshake" - - # 10s timeout to avoid hangs when service doesn't answer at all - local response=`nc -w 10 $ip $port <<<$jdwp_challenge | tr '\0' '\n'` - local n_response_lines=`echo "$response" | wc -l` - if [[ "$n_response_lines" -le 1 ]] && [[ $response == *"$jdwp_response"* ]]; then - return 0 - fi - - return 1 + local ip="127.0.0.1" + local port=$1 + local jdwp_challenge="JDWP-Handshake\n" + local jdwp_response="JDWP-Handshake" + + # 10s timeout to avoid hangs when service doesn't answer at all + local response=`nc -w 10 $ip $port <<<$jdwp_challenge | tr '\0' '\n'` + local n_response_lines=`echo "$response" | wc -l` + if [[ "$n_response_lines" -le 1 ]] && [[ $response == *"$jdwp_response"* ]]; then + return 0 + fi + + return 1 } # get open ports from procfs as netstat is not always available get_open_ports_on_pod() { - local pod=$1 - local open_ports_hex=`kubectl exec --namespace=$K8S_NAMESPACE $pod cat /proc/net/tcp 2>/dev/null| grep -v "local_address" | awk '{ print $2" "$4 }' | grep '0A$' | tr ":" " " | awk '{ print $2 }' | sort | uniq` - for hex_port in $open_ports_hex; do - echo $((16#$hex_port)) - done + local pod=$1 + local open_ports_hex=`kubectl exec --namespace=$K8S_NAMESPACE $pod cat /proc/net/tcp 2>/dev/null| grep -v "local_address" | awk '{ print $2" "$4 }' | grep '0A$' | tr ":" " " | awk '{ print $2 }' | sort | uniq` + for hex_port in $open_ports_hex; do + echo $((16#$hex_port)) + done } N_PORTS=0 # go through all pods for pod in `list_pods`; do - open_ports=`get_open_ports_on_pod $pod` - # if there is no open ports just go to next pod - if [ -z "$open_ports" ]; then - continue - fi - - # let's setup a proxy and check every open port - for port in $open_ports; do - # run proxy - kubectl port-forward --namespace=$K8S_NAMESPACE $pod $LOCAL_PORT:$port &>/dev/null & - sleep 1 - proxy_pid=$! - - do_jdwp_handshake $LOCAL_PORT - if [ $? -eq 0 ]; then - echo $pod $port - ((++N_PORTS)) - fi - kill $proxy_pid 2>/dev/null - wait $proxy_pid 2>/dev/null - done + open_ports=`get_open_ports_on_pod $pod` + # if there is no open ports just go to next pod + if [ -z "$open_ports" ]; then + continue + fi + + # let's setup a proxy and check every open port + for port in $open_ports; do + # run proxy + kubectl port-forward --namespace=$K8S_NAMESPACE $pod $LOCAL_PORT:$port &>/dev/null & + sleep 1 + proxy_pid=$! + + do_jdwp_handshake $LOCAL_PORT + if [ $? -eq 0 ]; then + echo $pod $port | tee $FILTERED_PORTS_LIST + ((++N_PORTS)) + fi + kill $proxy_pid 2>/dev/null + wait $proxy_pid 2>/dev/null + done done -exit $N_PORTS +while IFS= read -r line; do + # for each line we test if it is in the white list with a regular expression + while IFS= read -r wl_line; do + wl_name=$(echo $wl_line | awk {'print $1'}) + wl_port=$(echo $wl_line | awk {'print $2'}) + if grep -e $wl_name.*$wl_port <<< "$line";then + # Found in white list, exclude it + sed -i "/$line/d" $FILTERED_PORTS_LIST + fi + done < $WL_RAW_FILE_PATH +done < $FILTERED_PORTS_LIST + +N_FILTERED_PORTS_LIST=$(cat $FILTERED_PORTS_LIST |wc -l) +echo "------------------------------------" +echo "Nb error pod(s): $N_FILTERED_PORTS_LIST" +cat $FILTERED_PORTS_LIST + +exit $N_FILTERED_PORTS_LIST diff --git a/test/security/jdwp_whitelist.txt b/test/security/jdwp_whitelist.txt new file mode 100644 index 000000000..34d5f63df --- /dev/null +++ b/test/security/jdwp_whitelist.txt @@ -0,0 +1,7 @@ +# White list for JDWP ports +# JDWP = Java Debug Wire Protocol +# The following list displays pods and their associated pod that could be +# considered as False positive +onap-dcae-redis 6379 # Redis port +onap-msb-eag 6379 # Redis port +onap-msb-iag 6379 # Redis port |