konsthol/SecDep
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Is there an achievement for this?

Browse Source
This commit is contained in:
konsthol
2023-05-29 21:46:02 +03:00
parent c98b7444d8
commit 7cbae4d58f
2 changed files with 52 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
harden
View File

@@ -257,8 +257,12 @@ function kernelSecurityModuleInit {
function dockerInit { function dockerInit {
# Add user to docker group to avoid using sudo when running docker commands # Add user to docker group to avoid using sudo when running docker commands
sudo usermod -aG docker "$USER" sudo usermod -aG docker "$USER"
# Create a new docker network to dissalow communication between containers
sudo docker network create --driver bridge -o "com.docker.network.bridge.enable_icc"="false" dockerNetworkNoICC
# Get all arguments passed to the function and store them in the dockerImages array # Get all arguments passed to the function and store them in the dockerImages array
local dockerImages=("$@") local dockerImages=("$@")
# Check if there is a docker-compose.yml file in the user's home directory
[[ -f "$HOME/docker-compose.yml" ]] && docker-compose -f "$HOME/docker-compose.yml" up -d # If there is, run it
# Check if the dockerImages array is empty and return 0 if it is # Check if the dockerImages array is empty and return 0 if it is
[[ "${#dockerImages[@]}" -eq 0 ]] && return 0 [[ "${#dockerImages[@]}" -eq 0 ]] && return 0
# Loop through the dockerImages array # Loop through the dockerImages array
@@ -270,8 +274,12 @@ function dockerInit {
# The --security-opt=no-new-privileges option will prevent the docker image from gaining new privileges # The --security-opt=no-new-privileges option will prevent the docker image from gaining new privileges
# The --cap-drop all option will drop all capabilities from the docker image # The --cap-drop all option will drop all capabilities from the docker image
# The --cap-add NET_ADMIN option will add the NET_ADMIN capability to the docker image # The --cap-add NET_ADMIN option will add the NET_ADMIN capability to the docker image
docker run -d --restart always --name "$dockerImage" --security-opt=no-new-privileges --cap-drop all --cap-add NET_ADMIN # The --read-only option will mount the docker image as read-only
"$dockerImage" # The --tmpfs /opt option will mount the /opt directory as a tmpfs
# The --network dockerNetworkNoICC option will connect the docker image to the dockerNetworkNoICC network
# # The --user secdep option will run the docker image as the secdep user to prevent privilege escalation
docker run -d --restart always --name "$dockerImage" --security-opt=no-new-privileges --cap-drop all --cap-add NET_ADMIN --read-only --tmpfs /opt --network dockerNetworkNoICC "$dockerImage"
#docker run -d --restart always --name "$dockerImage" --security-opt=no-new-privileges --cap-drop all --cap-add NET_ADMIN --user secdep "$dockerImage"
done done
} }

38
secdep.py
View File

@@ -47,10 +47,12 @@ pretty.install()
# Declare the ENV_FILE variable as such to always reside in the same directory as the script # Declare the ENV_FILE variable as such to always reside in the same directory as the script
# We use os.path.join to make sure the path is correct for every OS # We use os.path.join to make sure the path is correct for every OS
# Also do the same for the ssh keys and the script to be used during deployment # Also do the same for the ssh keys and the script to be used during deployment
# Finally we declare the docker-compose.yml file in case the user wants to use that in addition to the list of docker images
ENV_FILE = os.path.join(os.path.dirname(__file__), ".env") ENV_FILE = os.path.join(os.path.dirname(__file__), ".env")
SECDEP_SSH_PUBLIC_KEY = os.path.join(os.path.dirname(__file__), "secdep.pub") SECDEP_SSH_PUBLIC_KEY = os.path.join(os.path.dirname(__file__), "secdep.pub")
SECDEP_SSH_PRIVATE_KEY = os.path.join(os.path.dirname(__file__), "secdep") SECDEP_SSH_PRIVATE_KEY = os.path.join(os.path.dirname(__file__), "secdep")
SECDEP_DEPLOY_SCRIPT = os.path.join(os.path.dirname(__file__), "harden") SECDEP_DEPLOY_SCRIPT = os.path.join(os.path.dirname(__file__), "harden")
SECDEP_DOCKER_COMPOSE = os.path.join(os.path.dirname(__file__), "docker-compose.yml")
# Available choices when the action flag is used # Available choices when the action flag is used
action_choices = ["delete","start","stop","reboot","deleteall","startall","stopall","rebootall"] action_choices = ["delete","start","stop","reboot","deleteall","startall","stopall","rebootall"]
@@ -71,6 +73,7 @@ parser.add_argument('-v', '--version', help='Show secdep\'s version', action='st
parser.add_argument('-P', '--provider', help='Cloud provider', choices=['gce', 'azure', 'aws']) parser.add_argument('-P', '--provider', help='Cloud provider', choices=['gce', 'azure', 'aws'])
parser.add_argument('-a', '--action', help='Action to perform on a single provider with -P PROVIDER or all instances. Valid options are delete[all] start[all] stop[all] reboot[all]', choices=action_choices, metavar='ACTION') parser.add_argument('-a', '--action', help='Action to perform on a single provider with -P PROVIDER or all instances. Valid options are delete[all] start[all] stop[all] reboot[all]', choices=action_choices, metavar='ACTION')
parser.add_argument('-c', '--create', help='Create an instance', action='store_true') parser.add_argument('-c', '--create', help='Create an instance', action='store_true')
parser.add_argument('-dc', '--docker-compose', help='Run the docker-compose.yml file', action='store_true')
parser.add_argument('-dep', '--deploy', help='Docker images to deploy', type=str, nargs='*', default=None, required=False) parser.add_argument('-dep', '--deploy', help='Docker images to deploy', type=str, nargs='*', default=None, required=False)
parser.add_argument('-I', '--listimages', help='List images', action='store_true') parser.add_argument('-I', '--listimages', help='List images', action='store_true')
parser.add_argument('-S', '--listsizes', help='List sizes', action='store_true') parser.add_argument('-S', '--listsizes', help='List sizes', action='store_true')
@@ -1023,10 +1026,15 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
driver.ex_create_firewall(name="allow-all-inbound", allowed=[{"IPProtocol": "tcp", "ports": ["0-65534"]},{"IPProtocol": "udp", "ports": ["0-65534"]}], network='default', direction='INGRESS', priority=1000, source_service_accounts=sa_scopes, target_service_accounts=sa_scopes) driver.ex_create_firewall(name="allow-all-inbound", allowed=[{"IPProtocol": "tcp", "ports": ["0-65534"]},{"IPProtocol": "udp", "ports": ["0-65534"]}], network='default', direction='INGRESS', priority=1000, source_service_accounts=sa_scopes, target_service_accounts=sa_scopes)
if args.deploy: if args.deploy:
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True) actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker-compose:
sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
msd = MultiStepDeployment([sendDockerCompose, actualDeployScript])
node = driver.deploy_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata, deploy=msd, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
else:
node = driver.deploy_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata, deploy=actualDeployScript, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep") node = driver.deploy_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata, deploy=actualDeployScript, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
console.print('[bold white]harden stdout: %s[/bold white]' % (actualDeployScript.stdout)) console.print('[bold white]harden stdout: %s[/bold white]' % (actualDeployScript.stdout))
console.print('[bold red]harden stderr: %s[/bold red]' % (actualDeployScript.stderr)) console.print('[bold red]harden stderr: %s[/bold red]' % (actualDeployScript.stderr))
console. print('[bold white]harden exit_code: %s[/bold white]' % (actualDeployScript.exit_status)) console.print('[bold white]harden exit_code: %s[/bold white]' % (actualDeployScript.exit_status))
else: else:
node = driver.create_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata) node = driver.create_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata)
elif provider == "azure": elif provider == "azure":
@@ -1080,6 +1088,11 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
# Create the node # Create the node
if args.deploy: if args.deploy:
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True) actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker-compose:
sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
msd = MultiStepDeployment([sendDockerCompose, actualDeployScript])
node = driver.deploy_node(name=name, size=size, image=image, location=location, auth=auth, ex_user_name="secdep", ex_resource_group=res_group.name, ex_use_managed_disks=True, ex_nic=newnic, ex_os_disk_delete=True, deploy=msd, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
else:
node = driver.deploy_node(name=name, size=size, image=image, location=location, auth=auth, ex_user_name="secdep", ex_resource_group=res_group.name, ex_use_managed_disks=True, ex_nic=newnic, ex_os_disk_delete=True, deploy=actualDeployScript, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep") node = driver.deploy_node(name=name, size=size, image=image, location=location, auth=auth, ex_user_name="secdep", ex_resource_group=res_group.name, ex_use_managed_disks=True, ex_nic=newnic, ex_os_disk_delete=True, deploy=actualDeployScript, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
console.print('[bold white]harden stdout: %s[/bold white]' % (actualDeployScript.stdout)) console.print('[bold white]harden stdout: %s[/bold white]' % (actualDeployScript.stdout))
console.print('[bold red]harden stderr: %s[/bold red]' % (actualDeployScript.stderr)) console.print('[bold red]harden stderr: %s[/bold red]' % (actualDeployScript.stderr))
@@ -1117,6 +1130,10 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
deploy = ScriptDeployment(script=SCRIPT, name="initialization.sh", delete=True) deploy = ScriptDeployment(script=SCRIPT, name="initialization.sh", delete=True)
if args.deploy: if args.deploy:
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True) actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker-compose:
sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
msd = MultiStepDeployment([deploy, sendDockerCompose, actualDeployScript])
else:
msd = MultiStepDeployment([deploy, actualDeployScript]) msd = MultiStepDeployment([deploy, actualDeployScript])
node = driver.deploy_node(name=name, image=image, size=size, ex_keyname=keyname, deploy=msd, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_alternate_usernames=["admin", "ec2-user", "centos", "fedora", "ubuntu"]) node = driver.deploy_node(name=name, image=image, size=size, ex_keyname=keyname, deploy=msd, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_alternate_usernames=["admin", "ec2-user", "centos", "fedora", "ubuntu"])
console.print('[bold white]deploy stdout: %s[/bold white]' % (deploy.stdout)) console.print('[bold white]deploy stdout: %s[/bold white]' % (deploy.stdout))
@@ -1150,10 +1167,15 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
driver.ex_create_firewall(name="allow-all-inbound", allowed=[{"IPProtocol": "tcp", "ports": ["0-65534"]},{"IPProtocol": "udp", "ports": ["0-65534"]}], network='default', direction='INGRESS', priority=1000, source_service_accounts=sa_scopes, target_service_accounts=sa_scopes) driver.ex_create_firewall(name="allow-all-inbound", allowed=[{"IPProtocol": "tcp", "ports": ["0-65534"]},{"IPProtocol": "udp", "ports": ["0-65534"]}], network='default', direction='INGRESS', priority=1000, source_service_accounts=sa_scopes, target_service_accounts=sa_scopes)
if args.deploy: if args.deploy:
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True) actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker-compose:
sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
msd = MultiStepDeployment([sendDockerCompose, actualDeployScript])
node = driver.deploy_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata, deploy=msd, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
else:
node = driver.deploy_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata, deploy=actualDeployScript, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep") node = driver.deploy_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata, deploy=actualDeployScript, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
console.print('[bold white]harden stdout: %s[/bold white]' % (actualDeployScript.stdout)) console.print('[bold white]harden stdout: %s[/bold white]' % (actualDeployScript.stdout))
console.print('[bold red]harden stderr: %s[/bold red]' % (actualDeployScript.stderr)) console.print('[bold red]harden stderr: %s[/bold red]' % (actualDeployScript.stderr))
console. print('[bold white]harden exit_code: %s[/bold white]' % (actualDeployScript.exit_status)) console.print('[bold white]harden exit_code: %s[/bold white]' % (actualDeployScript.exit_status))
else: else:
node = driver.create_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata) node = driver.create_node(name=name, image=image, size=size, location=location, ex_service_accounts=sa_scopes, ex_metadata=metadata)
elif provider == "azure": elif provider == "azure":
@@ -1207,6 +1229,11 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
# Create the node # Create the node
if args.deploy: if args.deploy:
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True) actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker-compose:
sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
msd = MultiStepDeployment([sendDockerCompose, actualDeployScript])
node = driver.deploy_node(name=name, size=size, image=image, location=location, auth=auth, ex_user_name="secdep", ex_resource_group=res_group.name, ex_use_managed_disks=True, ex_nic=newnic, ex_os_disk_delete=True, deploy=msd, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
else:
node = driver.deploy_node(name=name, size=size, image=image, location=location, auth=auth, ex_user_name="secdep", ex_resource_group=res_group.name, ex_use_managed_disks=True, ex_nic=newnic, ex_os_disk_delete=True, deploy=actualDeployScript, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep") node = driver.deploy_node(name=name, size=size, image=image, location=location, auth=auth, ex_user_name="secdep", ex_resource_group=res_group.name, ex_use_managed_disks=True, ex_nic=newnic, ex_os_disk_delete=True, deploy=actualDeployScript, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_username="secdep")
console.print('[bold white]harden stdout: %s[/bold white]' % (actualDeployScript.stdout)) console.print('[bold white]harden stdout: %s[/bold white]' % (actualDeployScript.stdout))
console.print('[bold red]harden stderr: %s[/bold red]' % (actualDeployScript.stderr)) console.print('[bold red]harden stderr: %s[/bold red]' % (actualDeployScript.stderr))
@@ -1244,6 +1271,10 @@ def create_node(provider, name=None, location=None, size=None, image=None, confi
deploy = ScriptDeployment(script=SCRIPT, name="initialization.sh", delete=True) deploy = ScriptDeployment(script=SCRIPT, name="initialization.sh", delete=True)
if args.deploy: if args.deploy:
actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True) actualDeployScript = ScriptFileDeployment(script_file=SECDEP_DEPLOY_SCRIPT, args=args.deploy, name="harden", delete=True)
if os.path.exists(SECDEP_DOCKER_COMPOSE) and args.docker-compose:
sendDockerCompose = FileDeployment(SECDEP_DOCKER_COMPOSE, target="/home/secdep")
msd = MultiStepDeployment([deploy, sendDockerCompose, actualDeployScript])
else:
msd = MultiStepDeployment([deploy, actualDeployScript]) msd = MultiStepDeployment([deploy, actualDeployScript])
node = driver.deploy_node(name=name, image=image, size=size, ex_keyname=keyname, deploy=msd, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_alternate_usernames=["admin", "ec2-user", "centos", "fedora", "ubuntu"]) node = driver.deploy_node(name=name, image=image, size=size, ex_keyname=keyname, deploy=msd, ssh_key=SECDEP_SSH_PRIVATE_KEY, ssh_alternate_usernames=["admin", "ec2-user", "centos", "fedora", "ubuntu"])
console.print('[bold white]deploy stdout: %s[/bold white]' % (deploy.stdout)) console.print('[bold white]deploy stdout: %s[/bold white]' % (deploy.stdout))
@@ -1560,6 +1591,9 @@ if args.ssh:
if args.image or args.size or args.name or args.region or args.yes or args.deploy and not args.create: if args.image or args.size or args.name or args.region or args.yes or args.deploy and not args.create:
console.print("Image, size, name, region, yes and deploy parameters [u]only[/u] go along with the create flag", style="bold red") console.print("Image, size, name, region, yes and deploy parameters [u]only[/u] go along with the create flag", style="bold red")
exit(0) exit(0)
if args.docker-compose and not args.deploy:
console.print("Docker compose [u]only[/u] goes along with the deploy flag", style="bold red")
exit(0)
if args.print and not args.list or args.listimages or args.listsizes or args.listlocations: if args.print and not args.list or args.listimages or args.listsizes or args.listlocations:
console.print("The print flag [u]only[/u] goes together with the list, list images, list sizes or list locations", style="bold red") console.print("The print flag [u]only[/u] goes together with the list, list images, list sizes or list locations", style="bold red")
exit(0) exit(0)