AWS Lambda で Amazon Inspector によるEC2のセキュリティ脆弱性評価を実行する ref: http://qiita.com/na0AaooQ/items/9cfd66ac0e83de651f98
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"inspector:Get*",
"inspector:List*",
"inspector:Preview*",
"inspector:Describe*",
"inspector:StartAssessmentRun",
"inspector:StartDataCollection",
"inspector:AddAttributesToFindings",
"inspector:AttachAssessmentAndRulesPackage",
"inspector:DetachAssessmentAndRulesPackage",
"inspector:GetAssessmentTelemetry",
"inspector:LocalizeText",
"inspector:PreviewAgentsForResourceGroup",
"inspector:RegisterCrossAccountAccessRole",
"inspector:RemoveAttributesFromFindings",
"inspector:RetireRulesPackage",
"inspector:RunAssessment",
"inspector:SetTagsForResource",
"inspector:UpdateApplication",
"inspector:UpdateAssessment",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"sns:ListTopics"
],
"Resource": "*"
}
]
}
'use strict';
// http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Inspector.html#startAssessmentRun-property
// Module-level Inspector client (API version pinned), shared by the handler below.
const AWS = require('aws-sdk');
const inspector = new AWS.Inspector({ apiVersion: '2016-02-16' });
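/**
 * Lambda entry point: starts an Amazon Inspector assessment run named
 * `<prefix>-YYYYMMDD-HHMM` (JST), e.g. `example-server-20161116-2131`.
 *
 * The only API this function calls is inspector.startAssessmentRun, so its
 * execution role should need little beyond `inspector:StartAssessmentRun`
 * and the CloudWatch Logs actions used for console output; a policy that
 * grants every Inspector write action is wider than this code requires.
 *
 * @param {Object} event - Lambda event; unused, any scheduled trigger works.
 * @param {Object} context - Lambda context. The outcome is reported through
 *   `context.done(err, data)` exactly as before, so existing callers and
 *   monitoring keep working.
 */
exports.handler = (event, context) => {
  console.log('Start Amazon Inspector AssessmentRun');

  // Template ARN and run-name prefix may be supplied through the function's
  // environment; the literals are the original defaults and apply when the
  // variables are unset, so existing deployments behave unchanged.
  const templateArn = process.env.ASSESSMENT_TEMPLATE_ARN ||
    'arn:aws:inspector:ap-northeast-1:XXXXXXXXXXXX:target/0-XXXXXXXX/template/X-XXXXXXXX';
  const namePrefix = process.env.ASSESSMENT_RUN_NAME_PREFIX || 'example-server';

  const params = {
    assessmentTemplateArn: templateArn,
    assessmentRunName: namePrefix + formatAssessmentRunDate(new Date())
  };

  inspector.startAssessmentRun(params, (err, data) => {
    if (err) {
      // Log before reporting so the failure is visible in CloudWatch Logs
      // even when nothing inspects the function's return value.
      console.error('startAssessmentRun failed:', err);
      context.done(err, err.stack);
      return;
    }
    context.done(null, data);
  });
};

/**
 * Format an instant as `-YYYYMMDD-HHMM` in JST (UTC+9).
 *
 * Shifts the absolute time by nine hours and reads the fields with the
 * getUTC* accessors, so the result does not depend on the container's local
 * time zone, and the day, month and year roll over correctly when the UTC
 * hour is 15 or later (the previous `hour += 9` could yield hours 24-32 and
 * never advanced the date). Every field is zero-padded, so run names sort
 * lexicographically and 2016-1-19 / 2016-11-9 are no longer both rendered
 * as `2016119`.
 *
 * @param {Date} date - The instant to format.
 * @returns {string} The name suffix, e.g. `-20161116-2131`.
 */
function formatAssessmentRunDate(date) {
  const JST_OFFSET_MS = 9 * 60 * 60 * 1000;
  const jst = new Date(date.getTime() + JST_OFFSET_MS);
  // Two-digit zero padding without String.prototype.padStart, which the
  // older Lambda Node.js runtimes this file targets may not provide.
  const pad2 = (n) => (n < 10 ? '0' : '') + n;
  return '-' + jst.getUTCFullYear() + pad2(jst.getUTCMonth() + 1) + pad2(jst.getUTCDate()) +
    '-' + pad2(jst.getUTCHours()) + pad2(jst.getUTCMinutes());
}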
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*"
}
]
}
[ec2-user@example-server ~]$ chkconfig --list | grep awsagent
awsagent 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[ec2-user@example-server ~]$
[ec2-user@example-server ~]$ sudo cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.ORG
[ec2-user@example-server ~]$ diff /etc/ssh/sshd_config /etc/ssh/sshd_config.ORG
[ec2-user@example-server ~]$
[ec2-user@example-server ~]$ sudo vi /etc/ssh/sshd_config
PermitRootLogin forced-commands-only
 ↓
PermitRootLogin no
[ec2-user@example-server ~]$
[ec2-user@example-server ~]$ grep PermitRootLogin /etc/ssh/sshd_config | grep -v ^#
PermitRootLogin no
[ec2-user@example-server ~]$
[ec2-user@example-server ~]$ sudo cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.ORG
[ec2-user@example-server ~]$ diff /etc/ssh/sshd_config /etc/ssh/sshd_config.ORG
[ec2-user@example-server ~]$
[ec2-user@example-server ~]$ sudo cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.ORG
[ec2-user@example-server ~]$ diff /etc/ssh/sshd_config /etc/ssh/sshd_config.ORG
[ec2-user@example-server ~]$
[ec2-user@example-server ~]$ sudo vi /etc/ssh/sshd_config
PermitRootLogin forced-commands-only
 ↓
PermitRootLogin no
[ec2-user@example-server ~]$
[ec2-user@example-server ~]$ grep PermitRootLogin /etc/ssh/sshd_config | grep -v ^#
PermitRootLogin no
[ec2-user@example-server ~]$
[ec2-user@example-server ~]$ diff /etc/ssh/sshd_config /etc/ssh/sshd_config.ORG
51c51
< PermitRootLogin no
---
> PermitRootLogin forced-commands-only
[ec2-user@example-server ~]$
[ec2-user@example-server ~]$ rpm -qa | grep AwsAgent
AwsAgentKernelModule__amzn__4.4.30-32.54.amzn1-1.0.18.10-0.x86_64
AwsAgent-1.0.536.0-100536.x86_64
AwsAgentKernelModule__amzn__4.4.23-31.54.amzn1-1.0.18.5-0.x86_64
[ec2-user@example-server ~]$
[ec2-user@example-server ~]$ sudo /etc/init.d/sshd restart
sshd を停止中: [ OK ]
sshd を起動中: [ OK ]
[ec2-user@example-server ~]$
[ec2-user@example-server ~]$ ps awux | grep -v grep | grep sshd
root 3686 0.0 0.6 117812 6692 ? Ss 10:44 0:00 sshd: ec2-user [priv]
ec2-user 3688 0.0 0.3 117812 3964 ? S 10:44 0:00 sshd: ec2-user@pts/0
root 3771 0.0 0.2 77844 2744 ? Ss 10:48 0:00 /usr/sbin/sshd
[ec2-user@example-server ~]$
$ ssh -i EC2インスタンスログイン用のpemファイル ec2-user@EC2インスタンスのIPアドレス
[ec2-user@example-server ~]$
$ ssh -i EC2インスタンスログイン用のpemファイル root@EC2インスタンスのIPアドレス
[ec2-user@example-server ~]$ ps awux | grep -v grep | grep awsagent
root 2616 0.1 3.6 570932 37508 ? Ssl 10:04 0:20 /opt/aws/awsagent/bin/awsagent
[ec2-user@example-server ~]$
[ec2-user@example-server ~]$ /usr/bin/aws inspector start-assessment-run --region ap-northeast-1 --assessment-template-arn "arn:aws:inspector:ap-northeast-1:XXXXXXXXXXXX:target/0-XXXXXXXX/template/X-XXXXXXXX" --assessment-run-name "`/bin/hostname`-`/bin/date '+%Y%m%d-%H%M%S'`"
{
"assessmentRunArn": "arn:aws:inspector:ap-northeast-1:XXXXXXXXXXXX:target/0-XXXXXXXX/template/X-XXXXXXXX/run/0-XXXXXXXX"
}
[ec2-user@example-server ~]$
/usr/bin/aws inspector start-assessment-run --region ap-northeast-1 --assessment-template-arn "arn:aws:inspector:ap-northeast-1:XXXXXXXXXXXX:target/0-XXXXXXXX/template/X-XXXXXXXX" --assessment-run-name "`/bin/hostname`-`/bin/date '+%Y%m%d-%H%M%S'`"
[ec2-user@example-server ~]$ /bin/hostname
example-server
[ec2-user@example-server ~]$ /bin/date '+%Y%m%d-%H%M%S'
20161116-213151
[ec2-user@example-server ~]$
[ec2-user@example-server ~]$ /usr/bin/aws inspector start-assessment-run --region ap-northeast-1 --assessment-template-arn "arn:aws:inspector:ap-northeast-1:XXXXXXXXXXXX:target/0-XXXXXXXX/template/X-XXXXXXXX" --assessment-run-name "`/bin/hostname`-`/bin/date '+%Y%m%d-%H%M%S'`"
{
"assessmentRunArn": "arn:aws:inspector:ap-northeast-1:XXXXXXXXXXXX:target/0-XXXXXXXX/template/X-XXXXXXXX/run/0-XXXXXXXX"
}
[ec2-user@example-server ~]$
{
"assessmentRunArn": "arn:aws:inspector:ap-northeast-1:XXXXXXXXXXXX:target/0-G6DLCZXC/template/X-XXXXXXXX/run/0-XXXXXXXX"
}
<img width="1241" alt="スクリーンショット 2016-11-16 22.18.01.png" src="https://qiita-image-store.s3.amazonaws.com/0/63647/8c1615ec-1955-6de2-bffe-7420567aec0b.png">
{
"assessmentRunArn": "arn:aws:inspector:ap-northeast-1:XXXXXXXXXXXX:target/0-XXXXXXXX/template/X-XXXXXXXX/run/0-XXXXXXXX"
}
It is recommended that you configure your EC2 instance to prevent root logins over SSH. Instead, log in as a non-root user and use sudo to escalate privileges when necessary. To disable SSH root logins, set PermitRootLogin to "no" in /etc/ssh/sshd_config and restart sshd.
Instance i-XXXXXXXX is configured to allow users to log in with root credentials over SSH. This increases the likelihood of a successful brute-force attack.
This rule helps determine whether the SSH daemon is configured to permit logging in to your EC2 instance as root.
[ec2-user@example-server ~]$ uname -a
Linux example-server 4.4.30-32.54.amzn1.x86_64 #1 SMP Thu Nov 10 15:52:05 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[ec2-user@example-server ~]$
[ec2-user@example-server ~]$ cat /etc/system-release
Amazon Linux AMI release 2016.09
[ec2-user@example-server ~]$