lightspin-tech · IdanR-lighspin · Oct 25, 2021 · Oct 25, 2021 · Oct 27, 2021 · Oct 27, 2021
diff --git a/main.py b/main.py
@@ -1,10 +1,40 @@
 import argparse
 from art import text2art
-
+import random
+import boto3
+import os
+import glob
 from src.logger import setup_logger
 from src.snapper import Snapper
 from src.scanner import Scanner
 
+
+def getting_all_pem_file_names():
+    """
+    :return: .pem file names from the red-detector directory.
+    """
+    file_path = os.path.realpath(__file__)  # getting the script's path
+    file_path = file_path.split("red-detector")
+    files_path = file_path[0] + "red-detector"  # (the pem files arent in the same directory as the script.)
+
+    lst = (glob.glob(files_path+"/*.pem"))
+    index = 0
+    for i in lst:
+        lst[index] = lst[index].replace(files_path+"/", "").replace(".pem","")
+        index += 1
+    return lst
+
+
+def used_key_pairs():
+    keypairs = []  # list of used keyPair names
+    ec2 = boto3.client('ec2')
+    response = ec2.describe_key_pairs()
+
+    for i in response["KeyPairs"]:
+        keypairs.append(i["KeyName"])
+    return keypairs
+
+
 if __name__ == "__main__":
     parser = argparse.ArgumentParser()
     parser.add_argument('--region', action='store', dest='region', type=str,
@@ -31,17 +61,30 @@
     snapper.create_client()
 
     if cmd_args.instance_id:
-        source_volume_id = snapper.get_instance_root_vol(instance_id=cmd_args.instance_id)
+        try:
+            source_volume_id = snapper.get_instance_root_vol(instance_id=cmd_args.instance_id)
+        except Exception as e:
+            print(e, " : (probably problem with the given instance id or internet connection)")
+            exit(99)
     else:
         source_volume_id = snapper.select_ec2_instance()
 
     volume_id, selected_az, snapshot_id = snapper.snapshot2volume(volume_id=source_volume_id)
 
-    scanner = Scanner(logger=logger, region=snapper.region)
     if cmd_args.keypair:
-        scanner.keypair_name = cmd_args.keypair
+        scanner = Scanner(logger=logger, region=snapper.region, key_pair_name=cmd_args.keypair)
     else:
-        scanner.keypair_name = scanner.create_keypair(key_name='red_detector_key')
+        used_key_pairs_list_from_aws = used_key_pairs()
+        used_key_pairs_list_locally = getting_all_pem_file_names()
+        num = 0
+        key_name = "red_detector_key{number}".format(number=str(num))
+        while key_name in used_key_pairs_list_from_aws or key_name in used_key_pairs_list_locally:
+            num += 1
+            key_name = "red_detector_key{number}".format(number=str(num))
+
+        scanner = Scanner(logger=logger, region=snapper.region, key_pair_name=key_name)
+        scanner.keypair_name = scanner.create_keypair(key_name=key_name)
+
     ec2_instance_id, ec2_instance_public_ip, report_service_port = scanner.create_ec2(selected_az=selected_az)
     scanner.attach_volume_to_ec2(ec2_instance_id=ec2_instance_id, volume_id=volume_id)
     scanner.scan_and_report(ec2_instance_public_ip=ec2_instance_public_ip,

diff --git a/src/remote_scripts.py b/src/remote_scripts.py
@@ -1,4 +1,5 @@
 script_a = '''#!/bin/bash -ex
+
 exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1
 
 apt-get update
@@ -7,82 +8,64 @@
 mkdir -p /home/ubuntu/vuls
 cd /home/ubuntu/
 wget https://downloads.cisofy.com/lynis/lynis-3.0.3.tar.gz
-wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
+
+apt-get install chkrootkit -y
+
 mkdir -p chkrootkit && cd chkrootkit
-tar xvf /home/ubuntu/chkrootkit.tar.gz --strip-components 1
-make sense
 
 cd /home/ubuntu/vuls
-docker pull vuls/go-cve-dictionary
-docker pull vuls/goval-dictionary
-docker pull vuls/gost
-docker pull vuls/go-exploitdb
-docker pull vuls/gost
-docker pull vuls/vuls
-
-PWD=/home/ubuntu/vuls/
-for i in `seq 2002 $(date +"%Y")`; do \
-    docker run --rm -i\
-    -v $PWD:/vuls \
-    -v $PWD/go-cve-dictionary-log:/var/log/vuls \
-    vuls/go-cve-dictionary fetchnvd -years $i; \
-  done
+sudo docker pull vuls/go-cve-dictionary
+sudo docker pull vuls/goval-dictionary
+sudo docker pull vuls/gost
+sudo docker pull vuls/go-exploitdb
+sudo docker pull vuls/gost
+sudo docker pull vuls/vuls
+sudo apt install python3-pip -y
+pip3 install subprocess.run
+pip install subprocess.run
 
-docker run --rm -i \
-    -v $PWD:/vuls \
-    -v $PWD/goval-dictionary-log:/var/log/vuls \
-    vuls/goval-dictionary fetch-redhat 5 6 7 8
 
-docker run --rm -i \
-    -v $PWD:/vuls \
-    -v $PWD/goval-dictionary-log:/var/log/vuls \
-    vuls/goval-dictionary fetch-debian 7 8 9 10
-
-docker run --rm -i \
+cd /home/ubuntu/vuls
+sudo docker run --rm -i \
     -v $PWD:/vuls \
-    -v $PWD/goval-dictionary-log:/var/log/vuls \
-    vuls/goval-dictionary fetch-alpine 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11
-
-docker run --rm -i \
+    -v $PWD/go-cve-dictionary-log:/var/log/vuls \
+    vuls/go-cve-dictionary fetch nvd
+sudo docker run --rm -i \
     -v $PWD:/vuls \
     -v $PWD/goval-dictionary-log:/var/log/vuls \
-    vuls/goval-dictionary fetch-ubuntu 14 16 18 19 20
+    vuls/goval-dictionary fetch redhat 5 6 7 8
 
-docker run --rm -i \
+sudo docker run --rm -i \
     -v $PWD:/vuls \
     -v $PWD/goval-dictionary-log:/var/log/vuls \
-    vuls/goval-dictionary fetch-suse -opensuse 13.2
-
-docker run --rm -i \
+    vuls/goval-dictionary fetch alpine 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11
+sudo docker run --rm -i \
     -v $PWD:/vuls \
     -v $PWD/goval-dictionary-log:/var/log/vuls \
-    vuls/goval-dictionary fetch-suse -suse-enterprise-server 12  
-
-docker run --rm -i \
+    vuls/goval-dictionary fetch ubuntu 14 16 18 19 20
+sudo docker run --rm -i \
     -v $PWD:/vuls \
     -v $PWD/goval-dictionary-log:/var/log/vuls \
-    vuls/goval-dictionary fetch-oracle 
+    vuls/goval-dictionary fetch oracle 
 
-docker run --rm -i \
+sudo docker run --rm -i \
     -v $PWD:/vuls \
     -v $PWD/goval-dictionary-log:/var/log/vuls \
-    vuls/goval-dictionary fetch-amazon  
+    vuls/goval-dictionary fetch amazon  
 
-docker run --rm -i \
-    -v $PWD:/vuls \
-    -v $PWD/gost-log:/var/log/gost \
-    vuls/gost fetch redhat
-
-docker run --rm -i \
+sudo docker run --rm -i \
     -v $PWD:/vuls \
     -v $PWD/go-exploitdb-log:/var/log/go-exploitdb \
     vuls/go-exploitdb fetch exploitdb
 
-docker run --rm -i \
+sudo docker run --rm -i \
     -v $PWD:/vuls \
     -v $PWD/go-msfdb-log:/var/log/go-msfdb \
     vuls/go-msfdb fetch msfdb
-
+
+
+touch config_scan.toml
+
 cat > config_scan.toml <<EOF
 [servers]
 [servers.host]
@@ -115,24 +98,30 @@
 type = "sqlite3"
 SQLite3Path = "/vuls/go-msfdb.sqlite3"
 EOF
-
 touch /tmp/userData.finished
 '''
 
 script_b = '''
+
 set -ex
 
 sudo mkdir -p /vol/
+
 sudo mount {mount_point} /vol/
 
 FILE="/vol/usr/sbin/sshd"
-if [ -f "$FILE" ]; then
+
 /bin/rm -f ~/.ssh/id_rsa_vuls
+
 /bin/rm -f ~/.ssh/id_rsa_vuls.pub
 ssh-keygen -q -f ~/.ssh/id_rsa_vuls -N ""
+
 sudo cat ~/.ssh/id_rsa_vuls.pub > /tmp/tmp_authorized_keys
+
 sudo mv /tmp/tmp_authorized_keys /vol/root/.ssh/tmp_authorized_keys
-sudo chown root:root /vol/root/.ssh/tmp_authorized_keys 
+
+sudo chown root:root /vol/root/.ssh/tmp_authorized_keys
+
 sudo chmod 600 /vol/root/.ssh/tmp_authorized_keys
 
 sudo mount -t proc none /vol/proc
@@ -141,9 +130,9 @@
 sudo mount -o bind /run /vol/run
 
 sudo chroot /vol /bin/mount devpts /dev/pts -t devpts
-
 # Reporting
 mkdir -p /home/ubuntu/nginx/html
+
 cat > /home/ubuntu/nginx/default.conf <<EOF
 server {{
     listen       80;
@@ -159,7 +148,7 @@
         root   /usr/share/nginx/html;
         index  index.html index.htm;
     }}
-  
+
     #error_page  404              /404.html;
 
     # redirect server error pages to the static page /50x.html
@@ -248,23 +237,35 @@
 </body>
 </html>
 EOF
+
 sudo docker run --name docker-nginx -p {port}:80 -d -v /home/ubuntu/nginx/html:/usr/share/nginx/html -v /home/ubuntu/nginx/default.conf:/etc/nginx/conf.d/default.conf nginx
 
 # Lynis audit
-sudo cp /home/ubuntu/lynis-3.0.3.tar.gz /vol/root/
-sudo su -c "chroot /vol tar xvf /root/lynis-3.0.3.tar.gz -C /root/"
-sudo su -c "chroot /vol printf 'cd /root/lynis/\n./lynis audit system\n' > /vol/root/lynis/run.sh && chmod +x /vol/root/lynis/run.sh"
-sudo su -c "chroot /vol /root/lynis/run.sh" | ansi2html -l > /home/ubuntu/nginx/html/lynis_report.html
+
+sudo su -c "chroot /vol apt install lynis -y"
+sudo su -c "chroot /vol lynis audit system" | ansi2html > /home/ubuntu/nginx/html/lynis_report.html
 
-# Chkrootkit scan
+# Chkrootkit scan 
 cd /home/ubuntu/chkrootkit
 # sudo ./chkrootkit -r /vol | sed -n '/INFECTED/,/Searching/p' | head -n -1 | ansi2html -l > /home/ubuntu/nginx/html/chkrootkit_report.html
-sudo ./chkrootkit -r /vol | ansi2html -l > /home/ubuntu/nginx/html/chkrootkit_report.html
-
+# sudo ./chkrootkit -r /vol | ansi2html -l > /home/ubuntu/nginx/html/chkrootkit_report.html
+sudo touch chkrootkit_script.py
+sudo chmod 777 chkrootkit_script.py
+
+cat > chkrootkit_script.py <<EOF
+import subprocess
+command = "sudo chkrootkit -r /vol | ansi2html"
+chkrootkit_output = subprocess.getoutput(command)
+create_folders1=subprocess.getoutput("cd /; cd home/ubuntu; sudo mkdir nginx; cd nginx; sudo mkdir html")
+create_file=subprocess.getoutput("cd /; cd home/ubuntu; cd nginx/html; sudo touch chkrootkit_report.html")
+permissions = subprocess.getoutput("cd; cd nginx/html; sudo chmod 777 chkrootkit_report.html")
+with open ("/home/ubuntu/nginx/html/chkrootkit_report.html",'w') as f:
+    f.write(str(chkrootkit_output))
+EOF
+python3 chkrootkit_script.py
 # Vuls scan
 sudo su -c "chroot /vol /usr/sbin/sshd -p 2222 -o 'AuthorizedKeysFile=/root/.ssh/tmp_authorized_keys' -o 'AuthorizedKeysCommand=none' -o 'AuthorizedKeysCommandUser=none' -o 'GSSAPIAuthentication=no' -o 'UseDNS=no'"
 
-echo "Creating ssh config"
 sudo cat > ~/.ssh/config <<EOF
 Host *
     StrictHostKeyChecking no
@@ -273,6 +274,8 @@
 PWD=/home/ubuntu/vuls/
 cd /home/ubuntu/vuls
 
+sudo apt-get install debian-goodies -y
+
 echo "Scanning..."
 sudo docker run --rm -i \
 -v /home/ubuntu/.ssh:/root/.ssh:ro \
@@ -283,8 +286,21 @@
 vuls/vuls scan \
 -config=./config_scan.toml
 
+sudo docker run --rm -i \
+    -v $PWD:/goval-dictionary \
+    -v $PWD/goval-dictionary-log:/var/log/goval-dictionary \
+    vuls/goval-dictionary fetch ubuntu 19 20
+
+sudo docker run --rm -i \
+    -v $PWD:/goval-dictionary \
+    -v $PWD/goval-dictionary-log:/var/log/goval-dictionary \
+    vuls/goval-dictionary fetch amazon 2
+
+sudo docker run --rm -i \
+    -v $PWD:/goval-dictionary \
+    -v $PWD/goval-dictionary-log:/var/log/goval-dictionary \
+    vuls/goval-dictionary fetch amazon
 
-echo "Creating report..."
 sudo docker run --rm -i \
     -v /home/ubuntu/.ssh:/root/.ssh:ro \
     -v /home/ubuntu/vuls:/vuls \
@@ -296,9 +312,7 @@
 
 touch /tmp/script.finished
 sudo pkill -9 -f "/usr/sbin/sshd -p 2222" & sudo umount /vol/proc  & sudo umount /vol/sys & sudo umount /vol/run & sudo umount /vol/dev/pts & sudo umount /vol/dev & sudo umount {mount_point}
-fi
 '''
-
 script_c = '''
 set -ex
 echo "Starting report webUI..."