#33 Add smb cascading rule for nmap

Author: J12934

hooks/declarative-subsequent-scans/hook.ts

@@ -44,6 +44,9 @@ interface ExtendedScanSpec extends ScanSpec {
   // This is the name of the scan. Its not "really" part of the scan spec
   // But this makes the object smaller
   name: string;
+
+  // Indicates which CascadingRule was used to generate the resulting Scan
+  generatedBy: string;
 }
 
 interface HandleArgs {
@@ -57,10 +60,11 @@ export async function handle({ scan, getFindings }: HandleArgs) {
 
   const cascadingScans = getCascadingScans(scan, findings, cascadingRules);
 
-  for (const { name, scanType, parameters } of cascadingScans) {
+  for (const { name, scanType, parameters, generatedBy } of cascadingScans) {
     await startSubsequentSecureCodeBoxScan({
       name,
       parentScan: scan,
+      generatedBy,
       scanType,
       parameters,
     });
@@ -99,6 +103,7 @@ export function getCascadingScans(
           parameters: parameters.map((parameter) =>
             Mustache.render(parameter, finding)
           ),
+          generatedBy: cascadingRule.metadata.name,
         });
       }
     }

…arative-subsequent-scans/scan-helpers.js …arative-subsequent-scans/scan-helpers.tshooks/declarative-subsequent-scans/scan-helpers.js renamed to hooks/declarative-subsequent-scans/scan-helpers.ts hooks/declarative-subsequent-scans/scan-helpers.js renamed to hooks/declarative-subsequent-scans/scan-helpers.ts

@@ -1,4 +1,4 @@
-const k8s = require("@kubernetes/client-node");
+import * as k8s from "@kubernetes/client-node";
 
 // configure k8s client
 const kc = new k8s.KubeConfig();
@@ -11,6 +11,7 @@ async function startSubsequentSecureCodeBoxScan({
   parentScan,
   scanType,
   parameters,
+  generatedBy,
 }) {
   const scanDefinition = {
     apiVersion: "execution.experimental.securecodebox.io/v1",
@@ -21,8 +22,9 @@ async function startSubsequentSecureCodeBoxScan({
         ...parentScan.metadata.labels,
       },
       annotations: {
-        "securecodebox.io/hook": "nmap-subsequent-scans",
+        "securecodebox.io/hook": "declarative-subsequent-scans",
         "securecodebox.io/parent-scan": parentScan.metadata.name,
+        "cascading.securecodebox.io/generated-by": generatedBy,
       },
       ownerReferences: [
         {
@@ -80,3 +82,28 @@ async function getCascadingRulesFromCluster() {
   }
 }
 module.exports.getCascadingRulesFromCluster = getCascadingRulesFromCluster;
+
+enum LabelSelectorRequirementOperator {
+  In,
+  NotIn,
+  Exists,
+  DoesNotExist,
+}
+
+// See: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#labelselectorrequirement-v1-meta
+// Re created in TS because the included types suck 😕
+interface LabelSelectorRequirement {
+  key: string;
+  values: string;
+
+  operator: LabelSelectorRequirementOperator;
+}
+
+function generateLabelSelectorString(
+  matchExpression: Array<LabelSelectorRequirement>,
+  matchLabels: Map<string, string>
+): string {
+  // Convert matchLabels to matchExpression syntax
+  matchExpression;
+  return "";
+}

scanners/nmap/cascading-rules/smb.yaml

@@ -0,0 +1,31 @@
+apiVersion: "cascading.experimental.securecodebox.io/v1"
+kind: CascadingRule
+metadata:
+  name: "nmap-smb"
+  labels:
+    securecodebox.io/invasive: non-invasive
+    securecodebox.io/intensive: light
+spec:
+  matches:
+    anyOf:
+      - category: "Open Port"
+        attributes:
+          port: 445
+      - category: "Open Port"
+        attributes:
+          service: "microsoft-ds"
+      - category: "Open Port"
+        attributes:
+          service: "netbios-ssn"
+  scanSpec:
+    scanType: "nmap"
+    parameters:
+      # Treat all hosts as online -- skip host discovery
+      - "-Pn"
+      # Target Port of the finding
+      - "-p{{attributes.port}}"
+      # Use SMB Script
+      - "--script"
+      - "smb-protocols"
+      # Against Host
+      - "{{attributes.hostname}}"

scanners/nmap/templates/cascading-rules.yaml

@@ -0,0 +1,8 @@
+# The CascadingRules are not directly in the /templates directory as their curly bracket syntax clashes with helms templates ... :( 
+# We import them as raw files to avoid these clashes as escaping them is even more messy
+{{ range $path, $_ :=  .Files.Glob  "cascading-rules/*" }}
+# Include File
+{{ $.Files.Get $path }}
+# Separate multiple files
+---
+{{ end }}