Merge branch 'feature/add-support-encrypted-values' into feature/report_exporters
This commit is contained in:
commit
4365ed2a14
|
@ -891,6 +891,7 @@ SCHEMA = {
|
|||
}
|
||||
}
|
||||
|
||||
# This should be used for config values of array type (array of strings only)
|
||||
ENCRYPTED_CONFIG_ARRAYS = \
|
||||
[
|
||||
['basic', 'credentials', 'exploit_password_list'],
|
||||
|
@ -902,6 +903,12 @@ ENCRYPTED_CONFIG_ARRAYS = \
|
|||
# ['cnc', 'aws_config', 'aws_secret_access_key'],
|
||||
]
|
||||
|
||||
# This should be used for config values of string type
|
||||
ENCRYPTED_CONFIG_STRINGS = \
|
||||
[
|
||||
|
||||
]
|
||||
|
||||
|
||||
class ConfigService:
|
||||
default_config = None
|
||||
|
@ -941,8 +948,11 @@ class ConfigService:
|
|||
config = mongo.db.config.find_one({'name': 'initial' if is_initial_config else 'newconfig'}, {config_key: 1})
|
||||
for config_key_part in config_key_as_arr:
|
||||
config = config[config_key_part]
|
||||
if should_decrypt and (config_key_as_arr in ENCRYPTED_CONFIG_ARRAYS):
|
||||
config = [encryptor.dec(x) for x in config]
|
||||
if should_decrypt:
|
||||
if config_key_as_arr in ENCRYPTED_CONFIG_ARRAYS:
|
||||
config = [encryptor.dec(x) for x in config]
|
||||
elif config_key_as_arr in ENCRYPTED_CONFIG_STRINGS:
|
||||
config = encryptor.dec(config)
|
||||
return config
|
||||
|
||||
@staticmethod
|
||||
|
@ -1099,7 +1109,7 @@ class ConfigService:
|
|||
"""
|
||||
Same as decrypt_config but for a flat configuration
|
||||
"""
|
||||
keys = [config_arr_as_array[2] for config_arr_as_array in ENCRYPTED_CONFIG_ARRAYS]
|
||||
keys = [config_arr_as_array[2] for config_arr_as_array in (ENCRYPTED_CONFIG_ARRAYS + ENCRYPTED_CONFIG_STRINGS)]
|
||||
for key in keys:
|
||||
if isinstance(flat_config[key], collections.Sequence) and not isinstance(flat_config[key], string_types):
|
||||
# Check if we are decrypting ssh key pair
|
||||
|
@ -1113,18 +1123,26 @@ class ConfigService:
|
|||
|
||||
@staticmethod
|
||||
def _encrypt_or_decrypt_config(config, is_decrypt=False):
|
||||
for config_arr_as_array in ENCRYPTED_CONFIG_ARRAYS:
|
||||
for config_arr_as_array in (ENCRYPTED_CONFIG_ARRAYS + ENCRYPTED_CONFIG_STRINGS):
|
||||
config_arr = config
|
||||
parent_config_arr = None
|
||||
|
||||
# Because the config isn't flat, this for-loop gets the actual config value out of the config
|
||||
for config_key_part in config_arr_as_array:
|
||||
parent_config_arr = config_arr
|
||||
config_arr = config_arr[config_key_part]
|
||||
|
||||
for i in range(len(config_arr)):
|
||||
# Check if array of shh key pairs and then decrypt
|
||||
if isinstance(config_arr[i], dict) and 'public_key' in config_arr[i]:
|
||||
config_arr[i] = ConfigService.decrypt_ssh_key_pair(config_arr[i]) if is_decrypt else \
|
||||
ConfigService.decrypt_ssh_key_pair(config_arr[i], True)
|
||||
else:
|
||||
config_arr[i] = encryptor.dec(config_arr[i]) if is_decrypt else encryptor.enc(config_arr[i])
|
||||
if isinstance(config_arr, collections.Sequence) and not isinstance(config_arr, string_types):
|
||||
for i in range(len(config_arr)):
|
||||
# Check if array of shh key pairs and then decrypt
|
||||
if isinstance(config_arr[i], dict) and 'public_key' in config_arr[i]:
|
||||
config_arr[i] = ConfigService.decrypt_ssh_key_pair(config_arr[i]) if is_decrypt else \
|
||||
ConfigService.decrypt_ssh_key_pair(config_arr[i], True)
|
||||
else:
|
||||
config_arr[i] = encryptor.dec(config_arr[i]) if is_decrypt else encryptor.enc(config_arr[i])
|
||||
else:
|
||||
parent_config_arr[config_arr_as_array[-1]] =\
|
||||
encryptor.dec(config_arr) if is_decrypt else encryptor.enc(config_arr)
|
||||
|
||||
@staticmethod
|
||||
def decrypt_ssh_key_pair(pair, encrypt=False):
|
||||
|
|
|
@ -837,7 +837,7 @@ class ReportPageComponent extends AuthComponent {
|
|||
return (
|
||||
<li>
|
||||
Install Oracle <a href="http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html">
|
||||
critical patch updates.</a> Or change server version. Vulnerable versions are
|
||||
critical patch updates.</a> Or update to the latest version. Vulnerable versions are
|
||||
10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.
|
||||
<CollapsibleWellComponent>
|
||||
Oracle WebLogic server at <span className="label label-primary">{issue.machine}</span> (<span
|
||||
|
@ -857,7 +857,7 @@ class ReportPageComponent extends AuthComponent {
|
|||
Run Hadoop in secure mode (<a href="http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html">
|
||||
add Kerberos authentication</a>).
|
||||
<CollapsibleWellComponent>
|
||||
Oracle WebLogic server at <span className="label label-primary">{issue.machine}</span> (<span
|
||||
The Hadoop server at <span className="label label-primary">{issue.machine}</span> (<span
|
||||
className="label label-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to <span
|
||||
className="label label-danger">remote code execution</span> attack.
|
||||
<br/>
|
||||
|
|
|
@ -138,12 +138,11 @@ body {
|
|||
padding-left: 40px;
|
||||
}
|
||||
}
|
||||
|
||||
.main .page-header {
|
||||
margin-top: 0;
|
||||
}
|
||||
|
||||
|
||||
|
||||
.index img {
|
||||
margin: 40px auto;
|
||||
border-radius: 4px;
|
||||
|
@ -172,6 +171,9 @@ body {
|
|||
display: none;
|
||||
}
|
||||
|
||||
.nav-tabs > li > a {
|
||||
height: 63px
|
||||
}
|
||||
/*
|
||||
* Run Monkey Page
|
||||
*/
|
||||
|
@ -491,4 +493,5 @@ body {
|
|||
.label-danger {
|
||||
background-color: #d9534f !important;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue