darkarnium / perimeterator

Licence: MIT license
'Continuous' AWS perimeter monitoring: Periodically scan internet facing AWS resources to detect misconfigured services.

Programming languages: Python, HCL, Dockerfile


Perimeterator

Perimeterator is a small project intended to allow for continuous auditing of internet-facing AWS services. It can be quickly deployed into AWS and will periodically enumerate internet-facing IP addresses for a number of commonly misconfigured AWS resource types.

The results from this enumeration process are pushed into a work queue for scanning by external scanner 'workers' in order to locate open network services. Scanner 'workers' can be deployed anywhere, and are intended to be deployed into non-trusted networks in order to provide a representation of access to services from the "general internet".

Currently, the following AWS resource types are supported:

  • EC2
  • ELB
  • ELBv2
  • RDS
  • ES

All communication between Perimeterator components occurs asynchronously through the use of AWS SQS queues.

Architecture

Demo

asciicast

Getting Started / Deployment

Perimeterator requires a few components in order to function. However, in order to make getting started as easy as possible, a number of Terraform configs have been provided inside of the terraform/ directory.

To get started, please see the terraform/README.md file.

Components

Perimeterator has a number of components, due to its distributed nature. A brief overview of each of these components has been provided below.

Enumerator (enumerator.py)

This component is responsible for enumerating internet-facing IP addresses, which are passed to downstream monitoring workers for scanning. It is intended to be run in Lambda, or somewhere else inside of AWS that has permission to perform the required "Describe" operations.

As this is intended to be run in Lambda, configuration is currently only possible through environment variables. A brief summary of these exposed variables is as follows:

  • ENUMERATOR_REGIONS
    • A comma-delimited list of AWS regions to enumerate resources from.
    • This is set automatically if the provided Terraform configs are used.
  • ENUMERATOR_SQS_QUEUE
    • The URL of the SQS scan queue.
    • This is created automatically if the provided Terraform configs are used.

Scanner (scanner.py)

This component is responsible for performing scanning of the IPs enumerated by the Enumerator. This component should be run from an "untrusted" network in order to gain a better insight into exposure from the perspective of the "general internet".

Currently, the Scanner only uses nmap with the default port range from nmap-services for TCP/UDP services. This keeps the scan time per host reasonable, at the cost of some accuracy in the case where uncommon ports are in use. This is likely to be made user configurable in the near future.

An example Dockerfile for this component can be found in the root of this repository. As this component is likely not running inside of AWS, an IAM user and its associated Access Key and Secret Key are created automatically for you if the included Terraform configs are used for deployment.

The following configuration is required to operate correctly. Once again, configuration is only possible through environment variables. A brief summary of these variables is as follows:

  • AWS_DEFAULT_REGION
    • The default AWS region to interact with.
    • This is set by default to us-west-2.
  • AWS_ACCESS_KEY_ID
    • The AWS access key associated with a user able to interact with SQS.
    • This is created automatically if the provided Terraform configs are used.
  • AWS_SECRET_ACCESS_KEY
    • The AWS secret key associated with a user able to interact with SQS.
    • This is created automatically if the provided Terraform configs are used.
  • ENUMERATOR_SQS_QUEUE
    • The URL of the SQS scan queue (input).
    • This is created automatically if the provided Terraform configs are used.
  • SCANNER_SQS_QUEUE
    • The URL of the SQS results queue (output).
    • This is created automatically if the provided Terraform configs are used.

Building and executing this container can be performed with the following commands. The blank fields will need to be populated with the appropriate values; these match the names of the Terraform outputs if Perimeterator is deployed using the provided Terraform configs.

docker build -t perimeterator-scanner:master .
docker run \
    -e AWS_ACCESS_KEY_ID= \
    -e AWS_SECRET_ACCESS_KEY= \
    -e SCANNER_SQS_QUEUE= \
    -e ENUMERATOR_SQS_QUEUE= \
    perimeterator-scanner:master

Notify (notify.py)

This component is in progress, but is not yet complete.

Results

Result data from scans is currently written to an SQS queue, ready for downstream processing. Fetching and processing this data is still left as an "exercise for the reader"; however, a reporting mechanism which consumes this data and generates a "diff" of results is actively being worked on.

The current format of the output data is as follows:

{
    "metadata": {
        "scanner": "nmap",
        "arguments": "-Pn -sT -sU -T4 -n"
    },
    "results": {
        "arn:aws:ec2:12345678:instance/i-coffee": {
            "192.0.2.0": [
                {
                    "port": "22",
                    "state": "open",
                    "protocol": "tcp"
                },
                {
                    "port": "80",
                    "state": "open",
                    "protocol": "tcp"
                }
            ]
        }
    }
}

In addition, where required, the ARN of the resource from which the scanned address was found is present in the SQS message attributes as a string value named Identifier.
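As an added illustration of consuming this data (example code, not part of the Perimeterator project), the following flattens a results message of the documented shape into the set of open services and diffs it against a previous snapshot, which is the basis of the "diff" reporting described above. The SQS message shape (a Body string plus a MessageAttributes dict) is assumed to match what boto3's receive_message returns, and the sample message is constructed here.

```python
import json

# Constructed sample in the shape documented above. The "Identifier" message
# attribute is assumed to carry the resource ARN, as the README states.
SAMPLE_MESSAGE = {
    "MessageAttributes": {
        "Identifier": {"DataType": "String",
                       "StringValue": "arn:aws:ec2:12345678:instance/i-coffee"}
    },
    "Body": json.dumps({
        "metadata": {"scanner": "nmap", "arguments": "-Pn -sT -sU -T4 -n"},
        "results": {
            "arn:aws:ec2:12345678:instance/i-coffee": {
                "192.0.2.0": [
                    {"port": "22", "state": "open", "protocol": "tcp"},
                    {"port": "80", "state": "open", "protocol": "tcp"},
                    {"port": "53", "state": "closed", "protocol": "udp"},
                ]
            }
        },
    }),
}


def open_services(message):
    """Flatten one results message into a set of (arn, ip, protocol, port)
    tuples for every service nmap reported as open; other states are dropped."""
    body = json.loads(message["Body"])
    exposed = set()
    for arn, addresses in body["results"].items():
        for ip, services in addresses.items():
            for svc in services:
                if svc["state"] == "open":
                    exposed.add((arn, ip, svc["protocol"], int(svc["port"])))
    return exposed


def identifier(message):
    """Return the resource ARN carried in the SQS 'Identifier' attribute."""
    return message["MessageAttributes"]["Identifier"]["StringValue"]


def diff_exposure(previous, current):
    """Compare two snapshots of open services. Newly opened services are the
    ones a perimeter monitor should alert on; closed ones are informational."""
    return {"opened": sorted(current - previous),
            "closed": sorted(previous - current)}
```

Call open_services on each received message, persist the resulting set per run, and feed consecutive snapshots to diff_exposure to get the list of newly exposed services.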
