From 6d71571ead3d6d24308028adfc0d14ee7cbb5a83 Mon Sep 17 00:00:00 2001
From: Robert Seedorff
Date: Mon, 10 Aug 2020 12:38:54 +0200
Subject: [PATCH 1/2] Added new readme files for Hooks and introduced more header informations.
---
 README.md | 20 +--
 hooks/declarative-subsequent-scans/README.md | 116 ++++++++++++++++++
 hooks/generic-webhook/README.md | 18 +++
 hooks/imperative-subsequent-scans/values.yaml | 6 +-
 hooks/persistence-elastic/README.md | 55 +++++++++
 hooks/persistence-elastic/values.yaml | 1 +
 hooks/update-field/README.md | 18 +++
 scanners/amass/README.md | 3 +
 scanners/kube-hunter/README.md | 3 +
 scanners/nikto/README.md | 3 +
 scanners/nmap/README.md | 3 +
 scanners/ssh_scan/README.md | 6 +-
 scanners/sslyze/README.md | 3 +
 scanners/trivy/README.md | 5 +-
 scanners/wpscan/README.md | 3 +
 scanners/zap/README.md | 3 +
 16 files changed, 251 insertions(+), 15 deletions(-)
 create mode 100644 hooks/declarative-subsequent-scans/README.md
 create mode 100644 hooks/generic-webhook/README.md
 create mode 100644 hooks/persistence-elastic/README.md
 create mode 100644 hooks/update-field/README.md
diff --git a/README.md b/README.md
index d1d30b34..6cc18e06 100644
--- a/README.md
+++ b/README.md
@@ -85,15 +85,16 @@ helm -n securecodebox-system upgrade --install securecodebox-operator ./operator
 Optionally deploy SCB scanner charts for each security scanner you want to use. They should not be installed into the `securecodebox-system` like the operator so that different teams can use different kinds of scanners.
 ```bash
-helm upgrade --install amass ./scanners/amass/
-helm upgrade --install kube-hunter ./scanners/kube-hunter/
-helm upgrade --install nikto ./scanners/nikto
-helm upgrade --install nmap ./scanners/nmap/
-helm upgrade --install ssh-scan ./scanners/ssh_scan/
-helm upgrade --install sslyze ./scanners/sslyze/
-helm upgrade --install trivy ./scanners/trivy/
-helm upgrade --install zap ./scanners/zap/
-helm upgrade --install wpscan ./scanners/wpscan/
+kubectl create namespace scans
+helm upgrade --install -n scans amass ./scanners/amass/
+helm upgrade --install -n scans kube-hunter ./scanners/kube-hunter/
+helm upgrade --install -n scans nikto ./scanners/nikto
+helm upgrade --install -n scans nmap ./scanners/nmap/
+helm upgrade --install -n scans ssh-scan ./scanners/ssh_scan/
+helm upgrade --install -n scans sslyze ./scanners/sslyze/
+helm upgrade --install -n scans trivy ./scanners/trivy/
+helm upgrade --install -n scans zap ./scanners/zap/
+helm upgrade --install -n scans wpscan ./scanners/wpscan/
 ```
 Optional deploy some demo apps for scanning:
@@ -112,6 +113,7 @@ Deploy secureCodeBox Hooks:
 helm upgrade --install aah ./hooks/update-field/
 helm upgrade --install gwh ./hooks/generic-webhook/
 helm upgrade --install issh ./hooks/imperative-subsequent-scans/
+helm upgrade --install dssh ./hooks/declarative-subsequent-scans/
 ```
 Persistence provider Elasticsearch:
diff --git a/hooks/declarative-subsequent-scans/README.md b/hooks/declarative-subsequent-scans/README.md
new file mode 100644
index 00000000..7d3c90dc
--- /dev/null
+++ b/hooks/declarative-subsequent-scans/README.md
@@ -0,0 +1,116 @@
+---
+title: "Cascading Scans"
+path: "hooks/declarative-subsequent-scans"
+category: "hook"
+type: "processing"
+state: "released"
+usecase: "Enables cascading Scans based declarative _CascadingRules_."
+---
+
+
+## Deployment
+
+Installing the Cascading Scans hook will add a ReadOnly Hook to your namespace which looks for matching _CascadingRules_ in the namespace and start the according scans.
+
+```bash
+helm upgrade --install dssh ./hooks/declarative-subsequent-scans/
+```
+
+### Verification
+```bash
+$ kubectl get ScanCompletionHooks
+NAME TYPE IMAGE
+dssh ReadOnly docker.io/scbexperimental/hook-declarative-subsequent-scans:latest
+```
+
+## CascadingScan Rules
+The CascadingRules are included directly in each helm chart of the individual scanners.
+
+```bash
+# Check your CascadingRules
+$ kubectl get CascadingRules
+NAME STARTS INVASIVENESS INTENSIVENESS
+https-tls-scan sslyze non-invasive light
+imaps-tls-scan sslyze non-invasive light
+nikto-http nikto non-invasive medium
+nmap-smb nmap non-invasive light
+pop3s-tls-scan sslyze non-invasive light
+smtps-tls-scan sslyze non-invasive light
+ssh-scan ssh-scan non-invasive light
+zap-http zap-baseline non-invasive medium
+```
+
+## Starting a cascading Scan
+When you start a normal Scan, no CascadingRule will be applied. To use a _CascadingRule_ the scan must be marked to allow cascading rules.
+This is implemented using kubernetes label selectors, meaning that scans mark the classes of scans which are allowed to be cascaded by the current one.
+
+### Example
+```yaml
+cat <
+
+## Deployment
+
+Installing the Generic WebHook hook will add a ReadOnly Hook to your namespace.
+
+```bash
+helm upgrade --install gwh ./hooks/generic-webhook/ --set webhookUrl="http://example.com/my/webhook/target"
+```
diff --git a/hooks/imperative-subsequent-scans/values.yaml b/hooks/imperative-subsequent-scans/values.yaml
index 2602e491..23f83f7e 100644
--- a/hooks/imperative-subsequent-scans/values.yaml
+++ b/hooks/imperative-subsequent-scans/values.yaml
@@ -6,15 +6,15 @@ cascade:
 # Cascade nmap scans for each subdomain found by amass
 amassNmap: true
 # Cascade nmap SMB scans for each SMB Port found by nmap
- nmapSmb: true
+ nmapSmb: false
 # Cascade SSH scans for each SSH Port found by nmap
 nmapSsh: true
 # Cascade SSL scans for each HTTP Port found by nmap
 nmapSsl: true
 # Cascade Nikto scans for each HTTP Port found by nmap
- nmapNikto: true
+ nmapNikto: false
 # Cascade ZAP scans for each HTTP Port found by nmap
- nmapZapBaseline: true
+ nmapZapBaseline: false
 image:
 registry: docker.io
diff --git a/hooks/persistence-elastic/README.md b/hooks/persistence-elastic/README.md
new file mode 100644
index 00000000..7cfd09f5
--- /dev/null
+++ b/hooks/persistence-elastic/README.md
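Review bot: The defaults for `nmapSmb`, `nmapNikto` and `nmapZapBaseline` flip from `true` to `false` in this hunk without any comment or mention in the commit message, so users upgrading the chart silently lose the SMB, Nikto and ZAP follow-up scans that previously ran for each matching port found by nmap. The comments above each key still only say what the cascade does, not why it is now opt-in; a one-line why-comment on each changed key, e.g. `# Off by default: launches one extra scan per matching port, opt in explicitly`, would make the behaviour change visible to anyone reading values.yaml. The CascadingRules table added to the declarative hook's README in this same patch tags nikto-http and zap-http as medium intensiveness but nmap-smb as light, so if the intent is to keep only light cascades enabled by default, the nmapSmb flip looks inconsistent and is worth confirming. Mentioning the new defaults in the commit message or the hook's README would also help.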
@@ -0,0 +1,55 @@
+---
+title: "Elasticsearch"
+path: "hooks/persistence-elastic"
+category: "hook"
+type: "persistenceProvider"
+state: "released"
+usecase: "Publishes all Scan Findings to elasticsearch (ECK)."
+---
+
+
+## About
+The ElasticSearch persistenceProvider hook saves all findings and reports into the configured ElasticSearch index. This allows for some easy searching and visualization of the findings. To learn more about Elasticsearch visit elastic.io.
+
+## Deployment
+
+Installing the Elasticsearch persistenceProvider hook will add a _ReadOnly Hook_ to your namespace.
+
+```bash
+helm upgrade --install elkh ./hooks/persistence-elastic/
+```
+
+## Configuration
+see values.yaml
+
+```yaml
+# Define a specific index prefix
+indexPrefix: "scbv2"
+
+# Enable this when you already have an Elastic Stack running to which you want to send your results
+externalElasticStack:
+ enabled: false
+ elasticsearchAddress: "https://elasticsearch.example.com"
+ kibanaAddress: "https://kibana.example.com"
+
+# Configure authentication schema and credentials the persistence provider should use to connect to elasticsearch
+# user and apikey are mutually exclusive, only set one!
+authentication:
+ # Link a pre-existing generic secret with `username` and `password` key / value pairs
+ userSecret: null
+ # Link a pre-existing generic secret with `id` and `key` key / value pairs
+ apiKeySecret: null
+
+# Configures included Elasticsearch subchart
+elasticsearch:
+ enabled: true
+ replicas: 1
+ minimumMasterNodes: 1
+ # image: docker.elastic.co/elasticsearch/elasticsearch-oss
+
+# Configures included Elasticsearch subchart
+kibana:
+ enabled: true
+ # image: docker.elastic.co/kibana/kibana-oss
+```
\ No newline at end of file
diff --git a/hooks/persistence-elastic/values.yaml b/hooks/persistence-elastic/values.yaml
index 14c714cb..697a617b 100644
--- a/hooks/persistence-elastic/values.yaml
+++ b/hooks/persistence-elastic/values.yaml
@@ -8,6 +8,7 @@ image:
 tag: latest
 digest: null
+# Define a specific index prefix
 indexPrefix: "scbv2"
 # Enable this when you already have an Elastic Stack running to which you want to send your results
diff --git a/hooks/update-field/README.md b/hooks/update-field/README.md
new file mode 100644
index 00000000..c730b060
--- /dev/null
+++ b/hooks/update-field/README.md
@@ -0,0 +1,18 @@
+---
+title: "Generic WebHook"
+path: "hooks/generic-webhook"
+category: "hook"
+type: "integration"
+state: "released"
+usecase: "Publishes Scan Findings as WebHook."
+---
+
+
+## Deployment
+
+Installing the _Update Field_ hook will add a ReadOnly Hook to your namespace.
+
+```bash
+helm upgrade --install gwh ./hooks/generic-webhook/ --set webhookUrl="http://example.com/my/webhook/target"
+```
diff --git a/scanners/amass/README.md b/scanners/amass/README.md
index 4e92224e..d1cc9f8c 100644
--- a/scanners/amass/README.md
+++ b/scanners/amass/README.md
@@ -2,6 +2,9 @@
 title: "Amass"
 path: "scanners/amass"
 category: "scanner"
+type: "Network"
+state: "released"
+appVersion: 3.7.2
 usecase: "Subdomain Enumeration Scanner"
 ---
diff --git a/scanners/kube-hunter/README.md b/scanners/kube-hunter/README.md
index 8b6e930f..bb6ec0be 100644
--- a/scanners/kube-hunter/README.md
+++ b/scanners/kube-hunter/README.md
@@ -2,6 +2,9 @@
 title: "kube-hunter"
 path: "scanners/kube-hunter"
 category: "scanner"
+type: "Kubernetes"
+state: "released"
+appVersion: 0.3.1
 usecase: "Kubernetes Vulnerability Scanner"
 ---
diff --git a/scanners/nikto/README.md b/scanners/nikto/README.md
index 7e3fa663..75884eda 100644
--- a/scanners/nikto/README.md
+++ b/scanners/nikto/README.md
@@ -2,6 +2,9 @@
 title: "Nikto"
 path: "scanners/nikto"
 category: "scanner"
+type: "Webserver"
+state: "released"
+appVersion: 2.1.6
 usecase: "Webserver Vulnerability Scanner"
 ---
diff --git a/scanners/nmap/README.md b/scanners/nmap/README.md
index 5fe03d75..2bb738ae 100644
--- a/scanners/nmap/README.md
+++ b/scanners/nmap/README.md
@@ -2,6 +2,9 @@
 title: "Nmap"
 path: "scanners/nmap"
 category: "scanner"
+type: "Network"
+state: "released"
+appVersion: 7.80
 usecase: "Network Scanner"
 ---
diff --git a/scanners/ssh_scan/README.md b/scanners/ssh_scan/README.md
index b8e024e2..aab45ab4 100644
--- a/scanners/ssh_scan/README.md
+++ b/scanners/ssh_scan/README.md
@@ -2,10 +2,12 @@
 title: "SSH"
 path: "scanners/ssh"
 category: "scanner"
+type: "SSH"
+state: "released"
+appVersion: 0.0.43
 usecase: "SSH Configuration and Policy Scanner"
-release: "https://img.shields.io/github/release/secureCodeBox/scanner-infrastructure-ssh.svg"
-
 ---
+
 SSH_scan is an easy-to-use prototype SSH configuration and policy scanner, inspired by Mozilla OpenSSH Security Guide, which provides a reasonable baseline policy recommendation for SSH configuration parameters such as Ciphers, MACs, and KexAlgos and much more. To learn more about the ssh_scan scanner itself visit [ssh_scan GitHub].
diff --git a/scanners/sslyze/README.md b/scanners/sslyze/README.md
index 3ce41db2..94b5e744 100644
--- a/scanners/sslyze/README.md
+++ b/scanners/sslyze/README.md
@@ -2,6 +2,9 @@
 title: "SSLyze"
 path: "scanners/sslyze"
 category: "scanner"
+type: "Kubernetes"
+state: "SSL"
+appVersion: 3.0.8
 usecase: "SSL/TLS Configuration Scanner"
 ---
diff --git a/scanners/trivy/README.md b/scanners/trivy/README.md
index 3f2c4ed9..a838f478 100644
--- a/scanners/trivy/README.md
+++ b/scanners/trivy/README.md
@@ -2,7 +2,10 @@
 title: "Trivy"
 path: "scanners/trivy"
 category: "scanner"
-usecase: "Containers Vulnerability Scanner"
+type: "Container"
+state: "released"
+appVersion: 0.10.1
+usecase: "Container Vulnerability Scanner"
 ---
 `Trivy` (`tri` pronounced like **tri**gger, `vy` pronounced like en**vy**) is a simple and comprehensive vulnerability scanner for containers and other artifacts.
diff --git a/scanners/wpscan/README.md b/scanners/wpscan/README.md
index 746e398c..7acee97c 100644
--- a/scanners/wpscan/README.md
+++ b/scanners/wpscan/README.md
@@ -2,6 +2,9 @@
 title: 'WPScan'
 path: 'scanners/wpscan'
 category: 'scanner'
+type: "CMS"
+state: "released"
+appVersion: 3.8.5
 usecase: 'Wordpress Vulnerability Scanner'
 ---
diff --git a/scanners/zap/README.md b/scanners/zap/README.md
index a76383b8..8f19cbd5 100644
--- a/scanners/zap/README.md
+++ b/scanners/zap/README.md
@@ -2,6 +2,9 @@
 title: "ZAP"
 path: "scanners/zap"
 category: "scanner"
+type: "WebApplication"
+state: "released"
+appVersion: 2.9.0
 usecase: "Webapplication Vulnerability Scanner"
 ---
From e25b09a5946f01d7e16ff583c7c876e8f33d40bd Mon Sep 17 00:00:00 2001
From: Robert Seedorff
Date: Mon, 10 Aug 2020 14:52:58 +0200
Subject: [PATCH 2/2] Bugfixing some comments.
---
 README.md | 22 ++++++++++----------
 hooks/declarative-subsequent-scans/README.md | 6 +++---
 hooks/update-field/README.md | 8 +++----
 scanners/sslyze/README.md | 4 ++--
 4 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/README.md b/README.md
index 6cc18e06..c7b32327 100644
--- a/README.md
+++ b/README.md
@@ -35,6 +35,7 @@
 - [Local Scan Examples](#local-scan-examples)
 - [Public Scan Examples](#public-scan-examples)
 - [Then get the current State of the Scan by running:](#then-get-the-current-state-of-the-scan-by-running)
+ - [To delete a scan, use ```kubectl delete```, e.g. for localhost nmap scan:](#to-delete-a-scan-use-kubectl-delete-eg-for-localhost-nmap-scan)
 - [Access Services](#access-services)
 - [How does it work?](#how-does-it-work)
 - [Architecture](#architecture)
@@ -85,16 +86,15 @@ helm -n securecodebox-system upgrade --install securecodebox-operator ./operator
 Optionally deploy SCB scanner charts for each security scanner you want to use. They should not be installed into the `securecodebox-system` like the operator so that different teams can use different kinds of scanners.
 ```bash
-kubectl create namespace scans
-helm upgrade --install -n scans amass ./scanners/amass/
-helm upgrade --install -n scans kube-hunter ./scanners/kube-hunter/
-helm upgrade --install -n scans nikto ./scanners/nikto
-helm upgrade --install -n scans nmap ./scanners/nmap/
-helm upgrade --install -n scans ssh-scan ./scanners/ssh_scan/
-helm upgrade --install -n scans sslyze ./scanners/sslyze/
-helm upgrade --install -n scans trivy ./scanners/trivy/
-helm upgrade --install -n scans zap ./scanners/zap/
-helm upgrade --install -n scans wpscan ./scanners/wpscan/
+helm upgrade --install amass ./scanners/amass/
+helm upgrade --install kube-hunter ./scanners/kube-hunter/
+helm upgrade --install nikto ./scanners/nikto
+helm upgrade --install nmap ./scanners/nmap/
+helm upgrade --install ssh-scan ./scanners/ssh_scan/
+helm upgrade --install sslyze ./scanners/sslyze/
+helm upgrade --install trivy ./scanners/trivy/
+helm upgrade --install zap ./scanners/zap/
+helm upgrade --install wpscan ./scanners/wpscan/
 ```
 Optional deploy some demo apps for scanning:
@@ -110,7 +110,7 @@ helm upgrade --install swagger-petstore ./demo-apps/swagger-petstore/
 Deploy secureCodeBox Hooks:
 ```bash
-helm upgrade --install aah ./hooks/update-field/
+helm upgrade --install ufh ./hooks/update-field/
 helm upgrade --install gwh ./hooks/generic-webhook/
 helm upgrade --install issh ./hooks/imperative-subsequent-scans/
 helm upgrade --install dssh ./hooks/declarative-subsequent-scans/
diff --git a/hooks/declarative-subsequent-scans/README.md b/hooks/declarative-subsequent-scans/README.md
index 7d3c90dc..309989d2 100644
--- a/hooks/declarative-subsequent-scans/README.md
+++ b/hooks/declarative-subsequent-scans/README.md
@@ -19,7 +19,7 @@ helm upgrade --install dssh ./hooks/declarative-subsequent-scans/
 ### Verification
 ```bash
-$ kubectl get ScanCompletionHooks
+kubectl get ScanCompletionHooks
 NAME TYPE IMAGE
 dssh ReadOnly docker.io/scbexperimental/hook-declarative-subsequent-scans:latest
 ```
@@ -29,7 +29,7 @@ The CascadingRules are included directly in each helm chart of the individual sc
 ```bash
 # Check your CascadingRules
-$ kubectl get CascadingRules
+kubectl get CascadingRules
 NAME STARTS INVASIVENESS INTENSIVENESS
 https-tls-scan sslyze non-invasive light
 imaps-tls-scan sslyze non-invasive light
@@ -67,7 +67,7 @@ This Scan will used all CascadingRules which are labeled with a "light" intensit
 You can lookup which CascadingRules this selects by running:
 ```bash
-$ kubectl get CascadingRules -l "securecodebox.io/intensive=light"
+kubectl get CascadingRules -l "securecodebox.io/intensive=light"
 NAME STARTS INVASIVENESS INTENSIVENESS
 https-tls-scan sslyze non-invasive light
 imaps-tls-scan sslyze non-invasive light
diff --git a/hooks/update-field/README.md b/hooks/update-field/README.md
index c730b060..fe5f1b14 100644
--- a/hooks/update-field/README.md
+++ b/hooks/update-field/README.md
@@ -1,10 +1,10 @@
 ---
 title: "Generic WebHook"
-path: "hooks/generic-webhook"
+path: "hooks/udapte-field"
 category: "hook"
-type: "integration"
+type: "dataProcessing"
 state: "released"
-usecase: "Publishes Scan Findings as WebHook."
+usecase: "Updates fields in finding results."
 ---
@@ -14,5 +14,5 @@ usecase: "Publishes Scan Findings as WebHook."
 Installing the _Update Field_ hook will add a ReadOnly Hook to your namespace.
 ```bash
-helm upgrade --install gwh ./hooks/generic-webhook/ --set webhookUrl="http://example.com/my/webhook/target"
+helm upgrade --install ufh ./hooks/update-field/ --set attribute.name="category" --set attribute.value="my-own-category"
 ```
diff --git a/scanners/sslyze/README.md b/scanners/sslyze/README.md
index 94b5e744..0db1f811 100644
--- a/scanners/sslyze/README.md
+++ b/scanners/sslyze/README.md
@@ -2,8 +2,8 @@
 title: "SSLyze"
 path: "scanners/sslyze"
 category: "scanner"
-type: "Kubernetes"
-state: "SSL"
+type: "SSL"
+state: "released"
 appVersion: 3.0.8
 usecase: "SSL/TLS Configuration Scanner"
 ---