├── LICENSE ├── README.md ├── main.py ├── red-detector-policy.json ├── requirements.txt ├── src ├── logger.py ├── remote_scripts.py ├── scanner.py └── snapper.py └── static ├── red-detector.png └── vuls-gif.gif /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 
34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ![red-detector](static/red-detector.png) 2 | 3 | # Red-Detector 4 | 5 | ## Description 6 | Scan your EC2 instance to find its vulnerabilities using Vuls (https://vuls.io/en/). 7 | 8 | Audit your EC2 instance to find security misconfigurations using Lynis (https://cisofy.com/solutions/#lynis). 9 | 10 | Scan your EC2 instance for signs of a rootkit using Chkrootkit (http://www.chkrootkit.org/). 11 | ![](static/vuls-gif.gif) 12 | 13 | 14 | ## Requirements 15 | 1. Configured AWS credentials (boto3 reads them from the usual environment variables or profile) for a principal that is allowed the EC2 actions listed below. The policy containing these permissions is in red-detector-policy.json. Note that it grants every action on `"Resource": "*"`, and that it contains no TerminateInstances, DeleteVolume, DeleteSecurityGroup or DeleteKeyPair: a principal limited to this policy cannot remove the scanner instance, the volume, the security group or the key pair the tool creates, so run the tool under a dedicated principal and clean those resources up yourself once you have the report. 16 | 17 | Action details: 18 | 19 | | Required action permission | Why it is required | 20 | | --------------------- | ------------------------------------------ | 21 | | "AttachVolume" | Attaches the volume created from the snapshot to the EC2 instance that performs the vulnerability scan. | 22 | | "AuthorizeSecurityGroupIngress" | Adds ingress rules to the security group of the scanner instance: the SSH port and a randomly generated port for access to the report UI. | 23 | | "DescribeInstances" | Lists the account's EC2 instances and their details. | 24 | | "CreateKeyPair" | Creates the key pair used for the scanner EC2 instance (skipped when --keypair names an existing key pair). | 25 | | "CreateTags" | Tags the created volume and snapshot. | 26 | | "DescribeRegions" | Lists the account's active regions so the user can select the one to scan. | 27 | | "RunInstances" | Launches the scanner EC2 instance in the user's account. | 28 | | "ReportInstanceStatus" | Listed for the status check of the created scanner instance. Note that ReportInstanceStatus is the API for submitting instance status feedback to AWS; reading the instance state is covered by DescribeInstances. | 29 | | "DescribeSnapshots" | Polls the snapshot until it is available. | 30 | | "DescribeImages" | Queries AMIs to find the latest Ubuntu AMI for the scanner instance. | 31 | | "DescribeVolumeStatus" | Polls the status of the volume being created. | 32 | | "DescribeVolumes" | Reads volume details, including the root volume of the selected instance. | 33 | | "CreateVolume" | Creates a volume from the snapshot so it can be attached to the scanner EC2 instance. | 34 | | "DescribeAvailabilityZones" | Lists the account's active availability zones to select one for the volume that is attached to the scanner instance. | 35 | | "DescribeVpcs" | Finds the account's default VPC, in which the scanner's security group is created. | 36 | | "CreateSecurityGroup" | Creates the security group that is attached to the scanner EC2 instance. | 37 | | "CreateSnapshot" | Takes a snapshot of the chosen EC2 instance's root volume. | 38 | | "DeleteSnapshot" | Deletes the snapshot created during the process once it is no longer needed. | 39 | 40 | 41 | 2. A running EC2 instance. Make sure you know the region and instance id of the instance you would like to scan. 42 | Supported versions: 43 | - Ubuntu: 14, 16, 18, 19, 20 44 | - Debian: 6, 8, 9 45 | - Redhat: 7, 8 46 | - Suse: 12 47 | - Amazon: 2 48 | - Oracle: 8 49 | 50 | 51 | ## Installation 52 | ```bash 53 | git clone https://github.com/lightspin-tech/red-detector.git 54 | cd red-detector && pip3 install -r requirements.txt 55 | ``` 56 | 57 | 58 | 59 | ## Usage 60 | ### Interactive 61 | ```bash 62 | python3 main.py 63 | ``` 64 | ### Command arguments 65 | ```bash 66 | usage: main.py [-h] [--region REGION] [--instance-id INSTANCE_ID] [--keypair KEYPAIR] [--log-level LOG_LEVEL] 67 | 68 | optional arguments: 69 | -h, --help show this help message and exit 70 | --region REGION region name 71 | --instance-id INSTANCE_ID EC2 instance id 72 | --keypair KEYPAIR existing key pair name 73 | --log-level LOG_LEVEL log level 74 | ``` 75 | 76 | ## Flow 77 | 1. Run main.py. 78 | 2. Region selection: use the default region (us-east-1) or select a region. 79 | If the selected region contains no EC2 instances you will be asked to choose another one. 80 | 3. EC2 instance-id selection: you get a list of all EC2 instance ids in the selected region and are asked which instance to scan. 81 | Answer with the number shown to the left of the desired id. 82 | 4. Track the progress of the process (snapshot, volume, scanner instance, database downloads and scan). It takes about 30 minutes. 83 | 5. Get a link to your report. 84 | 85 | ## Troubleshooting 86 | ### Verbose logging 87 | ```python3 main.py --log-level DEBUG``` 88 | ### Scanner database update process 89 | 1. Connect to the created EC2 instance: ```ssh ubuntu@PUBLICIP -i KEYPAIR.pem``` 90 | 2. Follow the progress: ```tail -f /var/log/user-data.log``` 91 | 92 | ### Contact Us 93 | For technical information, contact us at support@lightspin.io. 94 | 95 | Want to see this capability on steroids? 
Check [Lightspin.io](https://lightspin.io) 96 | 97 | ## License 98 | This repository is available under the [Apache License 2.0](https://github.com/lightspin-tech/red-detector/blob/main/LICENSE). 99 | -------------------------------------------------------------------------------- /main.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | from art import text2art 3 | 4 | from src.logger import setup_logger 5 | from src.snapper import Snapper 6 | from src.scanner import Scanner 7 | 8 | if __name__ == "__main__": 9 | parser = argparse.ArgumentParser() 10 | parser.add_argument('--region', action='store', dest='region', type=str, 11 | help='region name', required=False) 12 | parser.add_argument('--instance-id', action='store', dest='instance_id', type=str, 13 | help='EC2 instance id', required=False) 14 | parser.add_argument('--keypair', action='store', dest='keypair', type=str, 15 | help='existing key pair name', required=False) 16 | parser.add_argument('--log-level', action='store', dest='log_level', type=str, 17 | help='log level', required=False, default="INFO") 18 | 19 | text_art = text2art("RED DETECTOR") 20 | print(text_art) 21 | print(" +++ WELCOME RED-DETECTOR - CVE SCANNER USING VULS +++\n\n") 22 | 23 | cmd_args = parser.parse_args() 24 | logger = setup_logger(log_level=cmd_args.log_level) 25 | snapper = Snapper(logger=logger) 26 | if cmd_args.region: 27 | snapper.region = cmd_args.region 28 | else: 29 | snapper.region = snapper.select_region() 30 | 31 | snapper.create_client() 32 | 33 | if cmd_args.instance_id: 34 | source_volume_id = snapper.get_instance_root_vol(instance_id=cmd_args.instance_id) 35 | else: 36 | source_volume_id = snapper.select_ec2_instance() 37 | 38 | volume_id, selected_az, snapshot_id = snapper.snapshot2volume(volume_id=source_volume_id) 39 | 40 | scanner = Scanner(logger=logger, region=snapper.region) 41 | if cmd_args.keypair: 42 | scanner.keypair_name = cmd_args.keypair 43 | 
else: 44 | scanner.keypair_name = scanner.create_keypair(key_name='red_detector_key') 45 | ec2_instance_id, ec2_instance_public_ip, report_service_port = scanner.create_ec2(selected_az=selected_az) 46 | scanner.attach_volume_to_ec2(ec2_instance_id=ec2_instance_id, volume_id=volume_id) 47 | scanner.scan_and_report(ec2_instance_public_ip=ec2_instance_public_ip, 48 | report_service_port=report_service_port, ec2_instance_id=ec2_instance_id, 49 | snapshot_id=snapshot_id) 50 | -------------------------------------------------------------------------------- /red-detector-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "VisualEditor0", 6 | "Effect": "Allow", 7 | "Action": [ 8 | "ec2:AttachVolume", 9 | "ec2:AuthorizeSecurityGroupIngress", 10 | "ec2:DeleteSnapshot", 11 | "ec2:DescribeInstances", 12 | "ec2:CreateKeyPair", 13 | "ec2:CreateTags", 14 | "ec2:DescribeRegions", 15 | "ec2:RunInstances", 16 | "ec2:ReportInstanceStatus", 17 | "ec2:DescribeSnapshots", 18 | "ec2:CreateVolume", 19 | "ec2:DescribeImages", 20 | "ec2:DescribeVolumeStatus", 21 | "ec2:DescribeAvailabilityZones", 22 | "ec2:DescribeVpcs", 23 | "ec2:CreateSecurityGroup", 24 | "ec2:DescribeVolumes", 25 | "ec2:CreateSnapshot" 26 | ], 27 | "Resource": "*" 28 | } 29 | ] 30 | } -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | boto3 2 | art 3 | paramiko 4 | python-dateutil 5 | requests -------------------------------------------------------------------------------- /src/logger.py: -------------------------------------------------------------------------------- 1 | import logging 2 | 3 | 4 | def setup_logger(log_level="INFO"): 5 | logger = logging.getLogger(__name__) 6 | log_handler = logging.StreamHandler() 7 | logger.setLevel(log_level) 8 | log_format = 
logging.Formatter('%(asctime)s - %(levelname)s - %(message)s') 9 | log_handler.setFormatter(log_format) 10 | logger.addHandler(log_handler) 11 | return logger 12 | -------------------------------------------------------------------------------- /src/remote_scripts.py: -------------------------------------------------------------------------------- 1 | script_a = '''#!/bin/bash -ex 2 | exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1  # mirror all output to /var/log/user-data.log (the file the README says to follow) and to the console 3 | 4 | apt-get update 5 | apt install docker.io build-essential binutils colorized-logs -y 6 | 7 | mkdir -p /home/ubuntu/vuls 8 | cd /home/ubuntu/ 9 | wget https://downloads.cisofy.com/lynis/lynis-3.0.3.tar.gz  # Lynis release tarball; no checksum or signature is verified here 10 | wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz  # chkrootkit source fetched over plain FTP; not verified either 11 | mkdir -p chkrootkit && cd chkrootkit 12 | tar xvf /home/ubuntu/chkrootkit.tar.gz --strip-components 1 13 | make sense  # "sense" is chkrootkit's build target 14 | 15 | cd /home/ubuntu/vuls 16 | docker pull vuls/go-cve-dictionary 17 | docker pull vuls/goval-dictionary 18 | docker pull vuls/gost 19 | docker pull vuls/go-exploitdb 20 | docker pull vuls/go-msfdb 21 | docker pull vuls/vuls 22 | 23 | PWD=/home/ubuntu/vuls/  # bind-mounted into every container below as /vuls, so the fetched databases persist on the host 24 | for i in `seq 2002 $(date +"%Y")`; do \ 25 | docker run --rm -i\ 26 | -v $PWD:/vuls \ 27 | -v $PWD/go-cve-dictionary-log:/var/log/vuls \ 28 | vuls/go-cve-dictionary fetchnvd -years $i; \ 29 | done  # NVD feed, one year at a time, from 2002 up to the current year 30 | 31 | docker run --rm -i \ 32 | -v $PWD:/vuls \ 33 | -v $PWD/goval-dictionary-log:/var/log/vuls \ 34 | vuls/goval-dictionary fetch-redhat 5 6 7 8  # OVAL definitions per distribution; matched against the packages found on the mounted volume 35 | 36 | docker run --rm -i \ 37 | -v $PWD:/vuls \ 38 | -v $PWD/goval-dictionary-log:/var/log/vuls \ 39 | vuls/goval-dictionary fetch-debian 7 8 9 10 40 | 41 | docker run --rm -i \ 42 | -v $PWD:/vuls \ 43 | -v $PWD/goval-dictionary-log:/var/log/vuls \ 44 | vuls/goval-dictionary fetch-alpine 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 45 | 46 | docker run --rm -i \ 47 | -v $PWD:/vuls \ 48 | -v $PWD/goval-dictionary-log:/var/log/vuls \ 49 | vuls/goval-dictionary fetch-ubuntu 14 16 18 19 20 50 | 51 | docker run --rm -i \ 52 
| -v $PWD:/vuls \ 53 | -v $PWD/goval-dictionary-log:/var/log/vuls \ 54 | vuls/goval-dictionary fetch-suse -opensuse 13.2 55 | 56 | docker run --rm -i \ 57 | -v $PWD:/vuls \ 58 | -v $PWD/goval-dictionary-log:/var/log/vuls \ 59 | vuls/goval-dictionary fetch-suse -suse-enterprise-server 12 60 | 61 | docker run --rm -i \ 62 | -v $PWD:/vuls \ 63 | -v $PWD/goval-dictionary-log:/var/log/vuls \ 64 | vuls/goval-dictionary fetch-oracle 65 | 66 | docker run --rm -i \ 67 | -v $PWD:/vuls \ 68 | -v $PWD/goval-dictionary-log:/var/log/vuls \ 69 | vuls/goval-dictionary fetch-amazon 70 | 71 | docker run --rm -i \ 72 | -v $PWD:/vuls \ 73 | -v $PWD/gost-log:/var/log/gost \ 74 | vuls/gost fetch redhat 75 | 76 | docker run --rm -i \ 77 | -v $PWD:/vuls \ 78 | -v $PWD/go-exploitdb-log:/var/log/go-exploitdb \ 79 | vuls/go-exploitdb fetch exploitdb 80 | 81 | docker run --rm -i \ 82 | -v $PWD:/vuls \ 83 | -v $PWD/go-msfdb-log:/var/log/go-msfdb \ 84 | vuls/go-msfdb fetch msfdb 85 | 86 | cat > config_scan.toml < config_db.toml < /tmp/tmp_authorized_keys 134 | sudo mv /tmp/tmp_authorized_keys /vol/root/.ssh/tmp_authorized_keys 135 | sudo chown root:root /vol/root/.ssh/tmp_authorized_keys 136 | sudo chmod 600 /vol/root/.ssh/tmp_authorized_keys 137 | 138 | sudo mount -t proc none /vol/proc 139 | sudo mount -o bind /dev /vol/dev 140 | sudo mount -o bind /sys /vol/sys 141 | sudo mount -o bind /run /vol/run 142 | 143 | sudo chroot /vol /bin/mount devpts /dev/pts -t devpts 144 | 145 | # Reporting 146 | mkdir -p /home/ubuntu/nginx/html 147 | cat > /home/ubuntu/nginx/default.conf < /home/ubuntu/nginx/html/index.html < 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 231 |
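The user-data script above mounts the volume built from the snapshot at /vol and bind-mounts proc, dev, sys and run into it before the scanners run. As an added example (not code from the red-detector project), the Python below shows the pre-flight check a practitioner would run against such a mount point before committing to the 30-minute scan: it identifies the guest from its os-release (falling back to /etc/debian_version for Debian 6, which predates os-release), compares it with the README's supported-version table, and lists the packages dpkg records as installed, which is the inventory the OVAL data fetched above is matched against. The mount point, the root tree and the package records are constructed fixtures; the SUPPORTED table's reading of the README rows and the deb-based assumption for the package inventory are this example's own.

```python
"""Pre-flight inventory of the attached root volume, read from its mount point.

Added example, not part of red-detector. Everything here only reads files
under a directory, so it needs no root and nothing from the volume is run.
Assumptions: SUPPORTED reflects the README table (Ubuntu "14" = 14.x etc.),
and the package inventory covers deb-based guests (/var/lib/dpkg/status).
"""
import os
import tempfile

# Supported guests from the README table, keyed by the os-release ID field.
SUPPORTED = {
    "ubuntu": {"14", "16", "18", "19", "20"},
    "debian": {"6", "8", "9"},
    "rhel": {"7", "8"},
    "sles": {"12"},
    "amzn": {"2"},
    "ol": {"8"},
}


def parse_os_release(text):
    """Parse KEY=VALUE lines of os-release; quotes and comments are dropped."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        info[key.strip()] = value.strip().strip('"').strip("'")
    return info


def detect_os(root):
    """Return (id, major_version) for the root tree at `root`, or None."""
    for rel in ("etc/os-release", "usr/lib/os-release"):
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                info = parse_os_release(fh.read())
            if "ID" in info and "VERSION_ID" in info:
                return info["ID"], info["VERSION_ID"].split(".")[0]
    # Debian 6 predates os-release; /etc/debian_version holds e.g. "6.0.10".
    debian_version = os.path.join(root, "etc", "debian_version")
    if os.path.isfile(debian_version):
        with open(debian_version, encoding="utf-8") as fh:
            return "debian", fh.read().strip().split(".")[0]
    return None


def is_supported(root):
    """True when the guest matches a row of the README's supported-version table."""
    detected = detect_os(root)
    return detected is not None and detected[1] in SUPPORTED.get(detected[0], set())


def installed_packages(root):
    """Return {name: version} for packages dpkg records as installed."""
    status = os.path.join(root, "var", "lib", "dpkg", "status")
    packages = {}
    if not os.path.isfile(status):
        return packages
    with open(status, encoding="utf-8") as fh:
        for paragraph in fh.read().split("\n\n"):
            fields = {}
            for line in paragraph.splitlines():
                if line[:1].isspace() or ":" not in line:
                    continue  # continuation lines (e.g. of Description) carry no field
                key, value = line.split(":", 1)
                fields[key] = value.strip()
            # removed packages keep a record with "deinstall ok config-files"
            if fields.get("Status", "").endswith(" installed") and "Package" in fields:
                packages[fields["Package"]] = fields.get("Version", "")
    return packages


def make_fixture(files):
    """Write a constructed root tree {relative path: content}; returns its path."""
    root = tempfile.mkdtemp(prefix="vol-")
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


# Constructed sample guest: Ubuntu 20.04, two installed packages, one removed.
UBUNTU_FIXTURE = {
    "etc/os-release": 'NAME="Ubuntu"\nVERSION="20.04.2 LTS (Focal Fossa)"\n'
                      'ID=ubuntu\nID_LIKE=debian\nVERSION_ID="20.04"\n',
    "var/lib/dpkg/status": (
        "Package: openssl\nStatus: install ok installed\nVersion: 1.1.1f-1ubuntu2.4\n"
        "Description: Secure Sockets Layer toolkit\n continuation line\n\n"
        "Package: libssl1.1\nStatus: install ok installed\nVersion: 1.1.1f-1ubuntu2.4\n\n"
        "Package: old-tool\nStatus: deinstall ok config-files\nVersion: 1.0\n"
    ),
}

if __name__ == "__main__":
    root = make_fixture(UBUNTU_FIXTURE)
    print("guest:", detect_os(root), "supported:", is_supported(root))
    for name, version in sorted(installed_packages(root).items()):
        print(name, version)
```

On a real scanner host the argument to detect_os and installed_packages would be the mount point, /vol in the script above; a guest that fails is_supported is the case to stop at before the database downloads, not after.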
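Before attaching red-detector-policy.json to a principal, a reviewer wants to know which grants are mutating wildcards and which created resources that same principal can never remove. The following Python is an added example, not part of the project: it parses a copy of the repository's policy embedded inline (so it runs offline), flags every non-Describe action allowed on Resource "*", and reports each create-style action whose delete or terminate counterpart is absent from the policy. The create/delete pairing table and the read-only prefix list are this example's own assumptions, not AWS-published data.

```python
"""Static review of an IAM policy before attaching it to the scanning principal.

Added example for this page, not code from the red-detector project.  The
policy below is the repository's red-detector-policy.json copied inline so
the review runs offline.  CREATE_TO_DELETE and READ_ONLY_PREFIXES are this
reviewer's assumptions, not AWS-published data.
"""
import json

POLICY_JSON = """
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:AttachVolume",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DeleteSnapshot",
                "ec2:DescribeInstances",
                "ec2:CreateKeyPair",
                "ec2:CreateTags",
                "ec2:DescribeRegions",
                "ec2:RunInstances",
                "ec2:ReportInstanceStatus",
                "ec2:DescribeSnapshots",
                "ec2:CreateVolume",
                "ec2:DescribeImages",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeVpcs",
                "ec2:CreateSecurityGroup",
                "ec2:DescribeVolumes",
                "ec2:CreateSnapshot"
            ],
            "Resource": "*"
        }
    ]
}
"""

# Actions that leave a billable or network-exposed resource behind, paired
# with the EC2 action that removes it again (reviewer's table, an assumption).
CREATE_TO_DELETE = {
    "ec2:RunInstances": "ec2:TerminateInstances",
    "ec2:CreateVolume": "ec2:DeleteVolume",
    "ec2:CreateSnapshot": "ec2:DeleteSnapshot",
    "ec2:CreateSecurityGroup": "ec2:DeleteSecurityGroup",
    "ec2:CreateKeyPair": "ec2:DeleteKeyPair",
    "ec2:AuthorizeSecurityGroupIngress": "ec2:RevokeSecurityGroupIngress",
}

# Action name prefixes treated as read-only for this review (assumption).
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def allowed_actions(policy):
    """Map every action in an Allow statement to the resources it is allowed on."""
    allowed = {}
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        resources = statement.get("Resource", [])
        if isinstance(actions, str):
            actions = [actions]
        if isinstance(resources, str):
            resources = [resources]
        for action in actions:
            allowed.setdefault(action, []).extend(resources)
    return allowed


def is_read_only(action):
    """True for service:Describe*/Get*/List* style actions."""
    return action.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)


def audit(policy):
    """Return reviewer findings: wildcard mutating grants first, then create
    actions whose clean-up counterpart is not granted."""
    allowed = allowed_actions(policy)
    findings = []
    for action, resources in sorted(allowed.items()):
        if "*" in resources and not is_read_only(action):
            findings.append(f'{action}: mutating action allowed on Resource "*"')
    for create, delete in CREATE_TO_DELETE.items():
        if create in allowed and delete not in allowed:
            findings.append(f"{create} granted without {delete}: "
                            "what it creates cannot be removed by this principal")
    return findings


def audit_project_policy():
    """Findings for the inline copy of red-detector-policy.json."""
    return audit(json.loads(POLICY_JSON))


if __name__ == "__main__":
    for finding in audit_project_policy():
        print(finding)
```

Run against the shipped policy it reports ten mutating actions allowed on Resource "*" and five create actions without a matching clean-up right (RunInstances, CreateVolume, CreateSecurityGroup, CreateKeyPair and AuthorizeSecurityGroupIngress); DeleteSnapshot is the only clean-up action the policy includes, which is why the scanner instance, volume, security group and key pair have to be removed by hand after a run.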