From 3a474afa535a225e47c8f6e287a46dc8ee65f1d7 Mon Sep 17 00:00:00 2001 From: Pawel Wieczorek Date: Tue, 10 Mar 2020 15:22:55 +0100 Subject: Drop filtering out services recognized as HTTP This patch extends tool used to detect plain HTTP ports to report all non-SSL endpoints. Previously it omitted services not recognized as HTTP. Naming changes were made to reflect purpose of this tool better. Issue-ID: INT-1480 Change-Id: I58a152022d48121bf4b9c6180ddc820dd4a79805 Signed-off-by: Pawel Wieczorek --- test/security/check_for_nonssl_endpoints.sh | 118 ++++++++++++++++++++++++++++ 1 file changed, 118 insertions(+) create mode 100755 test/security/check_for_nonssl_endpoints.sh (limited to 'test/security/check_for_nonssl_endpoints.sh') diff --git a/test/security/check_for_nonssl_endpoints.sh b/test/security/check_for_nonssl_endpoints.sh new file mode 100755 index 000000000..6056e0371 --- /dev/null +++ b/test/security/check_for_nonssl_endpoints.sh @@ -0,0 +1,118 @@ +#!/usr/bin/env bash + +# COPYRIGHT NOTICE STARTS HERE +# +# Copyright 2019 Samsung Electronics Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# COPYRIGHT NOTICE ENDS HERE + +# Check all ports exposed outside of kubernetes cluster looking for non-SSL +# endpoints. +# +# Dependencies: +# nmap +# kubectl + config +# +# Return value: Number of discovered non-SSL ports +# Output: List of pods exposing non-SSL endpoints +# + +usage() { + cat < [-l ] + -l: list of non-SSL endpoints expected to fail this test +EOF + exit ${1:-0} +} + +#Prerequisities commands list +REQ_APPS=(kubectl nmap awk column sort paste grep wc mktemp sed cat) + +# Check for prerequisites apps +for cmd in "${REQ_APPS[@]}"; do + if ! [ -x "$(command -v "$cmd")" ]; then + echo "Error: command $cmd is not installed" + exit 1 + fi +done + +if [ "$#" -lt 1 ]; then + usage 1 +fi + +K8S_NAMESPACE=$1 +FILTERED_PORTS_LIST=$(mktemp nonssl_endpoints_XXXXXX) +XF_RAW_FILE_PATH=$(mktemp raw_filtered_nonssl_endpoints_XXXXXX) + +strip_white_list() { + if [ ! -f $XF_FILE_PATH ]; then + echo "File not found" + usage 1 + fi + grep -o '^[^#]*' $XF_FILE_PATH > $XF_RAW_FILE_PATH +} + +### getopts +while : +do + case $2 in + -h|--help|help) usage ;; + -l) XF_FILE_PATH=$3; strip_white_list; shift ;; + -*) usage 1 ;; + *) break ;; + esac +done + +# Get both values on single call as this may get slow +PORTS_SVCS=`kubectl get svc --namespace=$K8S_NAMESPACE -o go-template='{{range $item := .items}}{{range $port := $item.spec.ports}}{{if .nodePort}}{{.nodePort}}{{"\t"}}{{$item.metadata.name}}{{"\n"}}{{end}}{{end}}{{end}}' | column -t | sort -n` + +# Split port number and service name +PORTS=`awk '{print $1}' <<<"$PORTS_SVCS"` +SVCS=`awk '{print $2}' <<<"$PORTS_SVCS"` + +# Create a list in nmap-compatible format +PORT_LIST=`tr "\\n" "," <<<"$PORTS" | sed 's/,$//'; echo ''` + +# Get IP address of some cluster node (both "external-ip" and "ExternalIP" labels are matched) +K8S_NODE=`kubectl describe nodes \`kubectl get nodes | grep -v NAME | head -n 1 | awk '{print $1}'\` | grep "external-ip\|ExternalIP" | awk '{print $2}'` + +# perform scan +SCAN_RESULT=`nmap $K8S_NODE -sV -p $PORT_LIST 2>/dev/null | grep \tcp` + +# Concatenate scan result with service name +RESULTS=`paste <(printf %s "$SVCS") <(printf %s "$SCAN_RESULT") | column -t` + +# Find all non-SSL ports +HTTP_PORTS=`grep -v ssl <<< "$RESULTS" | tee "$FILTERED_PORTS_LIST"` + +# Filter out whitelisted endpoints +while IFS= read -r line; do + # for each line we test if it is in the white list with a regular expression + while IFS= read -r wl_line; do + wl_name=$(echo $wl_line | awk {'print $1'}) + wl_port=$(echo $wl_line | awk {'print $2'}) + if grep -e $wl_name.*$wl_port <<< "$line"; then + # Found in white list, exclude it + sed -i "/$line/d" $FILTERED_PORTS_LIST + fi + done < $XF_RAW_FILE_PATH +done < $FILTERED_PORTS_LIST + +# Count them +N_FILTERED_PORTS_LIST=$(cat $FILTERED_PORTS_LIST | wc -l) +echo "------------------------------------" +echo "Nb error pod(s): $N_FILTERED_PORTS_LIST" +cat $FILTERED_PORTS_LIST +exit $N_FILTERED_PORTS_LIST -- cgit 1.2.3-korg