This repository has been archived by the owner on Oct 14, 2020. It is now read-only.
---
title: User Guide
path: docs/user-guide
category: use
---

# Using the secureCodeBox

Page under construction.

## Declarative Combined Scans

### Install Hook

Installing the Declarative Combined Scan hook adds a ReadOnly hook to your namespace. Whenever a scan completes, the hook looks for CascadingRules in the same namespace that match the scan and starts the subsequent scans accordingly.

```bash
helm install combined-scans ./hooks/declarative-subsequent-scans
```

### Verify Hook Installation

Successful installation can be verified by retrieving the installed ScanCompletionHooks.

```bash
kubectl get ScanCompletionHooks
```

The result should contain a hook for declarative subsequent scans.

```
NAME                                          TYPE       IMAGE
combined-scans-declarative-subsequent-scans   ReadOnly   docker.io/securecodebox/hook-declarative-subsequent-scans:latest
```

### Verify CascadingRules

CascadingRules are included in each individual scanner's Helm chart.

```bash
kubectl get CascadingRules
```

The output should show these CascadingRules:

```
NAME             STARTS         INVASIVENESS   INTENSIVENESS
https-tls-scan   sslyze         non-invasive   light
imaps-tls-scan   sslyze         non-invasive   light
nikto-http       nikto          non-invasive   medium
nmap-smb         nmap           non-invasive   light
pop3s-tls-scan   sslyze         non-invasive   light
smtps-tls-scan   sslyze         non-invasive   light
ssh-scan         ssh-scan       non-invasive   light
zap-http         zap-baseline   non-invasive   medium
```

### Start Scans

When you start a normal Scan, no CascadingRule is applied. To use CascadingRules, the Scan must explicitly opt in to cascading.

This is implemented with Kubernetes label selectors: the Scan's `cascades` selector marks the classes of CascadingRules that are allowed to be triggered by it.

#### Example

```bash
cat <<EOF | kubectl apply -f -
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "example.com"
spec:
  scanType: nmap
  parameters:
    - -p22,80,443
    - example.com
  cascades:
    matchLabels:
      securecodebox.io/intensive: light
EOF
```

This Scan will use all CascadingRules that are labeled with a "light" intensity.

You can look up which CascadingRules this selects by running:

```bash
kubectl get CascadingRules -l "securecodebox.io/intensive=light"
```

```
NAME             STARTS     INVASIVENESS   INTENSIVENESS
https-tls-scan   sslyze     non-invasive   light
imaps-tls-scan   sslyze     non-invasive   light
nmap-smb         nmap       non-invasive   light
pop3s-tls-scan   sslyze     non-invasive   light
smtps-tls-scan   sslyze     non-invasive   light
ssh-scan         ssh-scan   non-invasive   light
```

Because `cascades` is a standard Kubernetes label selector, the more powerful `matchExpressions` form is also available:

```bash
cat <<EOF | kubectl apply -f -
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "example.com"
spec:
  scanType: nmap
  parameters:
    - -p22,80,443
    - example.com
  cascades:
    # Using matchExpressions instead of matchLabels; as in any Kubernetes
    # label selector, matchExpressions is a list of requirements that must all hold
    matchExpressions:
      - key: "securecodebox.io/intensive"
        operator: In
        # This selects both light and medium intensity rules
        values: [light, medium]
EOF
```

This selection can be replicated in kubectl using:

```bash
kubectl get CascadingRules -l "securecodebox.io/intensive in (light,medium)"
```

```
NAME             STARTS         INVASIVENESS   INTENSIVENESS
https-tls-scan   sslyze         non-invasive   light
imaps-tls-scan   sslyze         non-invasive   light
nikto-http       nikto          non-invasive   medium
nmap-smb         nmap           non-invasive   light
pop3s-tls-scan   sslyze         non-invasive   light
smtps-tls-scan   sslyze         non-invasive   light
ssh-scan         ssh-scan       non-invasive   light
zap-http         zap-baseline   non-invasive   medium
```
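Before applying a Scan that opts in to cascading, it helps to know exactly which CascadingRules its `cascades` selector will pull in, since every matched rule starts another scanner against the same target. The script below is an added example and not part of the secureCodeBox project: it re-implements the Kubernetes label-selector semantics (all `matchLabels` pairs and all `matchExpressions` requirements must hold, with the `In`, `NotIn`, `Exists` and `DoesNotExist` operators) and dry-runs both the `matchLabels` and the `matchExpressions` selectors from the two examples above against a constructed list of rules mirroring the `kubectl get CascadingRules` table. It also renders each selector in `kubectl -l` syntax, which is how the page suggests cross-checking the selection. Only the `securecodebox.io/intensive` label key appears on the page; the `securecodebox.io/invasive` key is an assumed name used here for illustration.

```python
"""Dry-run which CascadingRules a Scan's `cascades` selector would trigger.

Added example, not code from the secureCodeBox project. It applies the
Kubernetes LabelSelector semantics to a constructed rule list so the
selection can be inspected offline, before a Scan is applied to a cluster.
"""
from typing import Dict, List

# Constructed sample: one entry per CascadingRule from the table above.
# `securecodebox.io/intensive` is the label key shown on the page; the
# `securecodebox.io/invasive` key is an assumed name for this example.
CASCADING_RULES: List[Dict] = [
    {
        "name": name,
        "starts": starts,
        "labels": {
            "securecodebox.io/intensive": intensity,
            "securecodebox.io/invasive": "non-invasive",
        },
    }
    for name, starts, intensity in [
        ("https-tls-scan", "sslyze", "light"),
        ("imaps-tls-scan", "sslyze", "light"),
        ("nikto-http", "nikto", "medium"),
        ("nmap-smb", "nmap", "light"),
        ("pop3s-tls-scan", "sslyze", "light"),
        ("smtps-tls-scan", "sslyze", "light"),
        ("ssh-scan", "ssh-scan", "light"),
        ("zap-http", "zap-baseline", "medium"),
    ]
]


def expression_matches(expr: Dict, labels: Dict[str, str]) -> bool:
    """Evaluate one matchExpressions requirement against an object's labels."""
    key, op = expr["key"], expr["operator"]
    values = expr.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        # As in Kubernetes, NotIn also matches objects that lack the key entirely.
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unsupported operator: {op}")


def selector_matches(selector: Dict, labels: Dict[str, str]) -> bool:
    """Kubernetes semantics: every matchLabels pair AND every expression must hold.

    An empty selector ({}) matches everything, exactly as in Kubernetes.
    """
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    return all(expression_matches(e, labels)
               for e in selector.get("matchExpressions", []))


def select_rules(selector: Dict, rules: List[Dict] = CASCADING_RULES) -> List[str]:
    """Return the names of the CascadingRules the selector would cascade into."""
    return [r["name"] for r in rules if selector_matches(selector, r["labels"])]


def to_kubectl_selector(selector: Dict) -> str:
    """Render the same selector in `kubectl get ... -l` syntax for cross-checking."""
    parts = [f"{k}={v}" for k, v in selector.get("matchLabels", {}).items()]
    for e in selector.get("matchExpressions", []):
        key, op = e["key"], e["operator"]
        if op in ("In", "NotIn"):
            word = "in" if op == "In" else "notin"
            values = ",".join(e["values"])
            parts.append(f"{key} {word} ({values})")
        elif op == "Exists":
            parts.append(key)
        else:  # DoesNotExist
            parts.append(f"!{key}")
    return ",".join(parts)


if __name__ == "__main__":
    # The two `cascades` selectors used in the Scan examples above.
    light_only = {"matchLabels": {"securecodebox.io/intensive": "light"}}
    light_or_medium = {"matchExpressions": [
        {"key": "securecodebox.io/intensive", "operator": "In",
         "values": ["light", "medium"]},
    ]}
    for sel in (light_only, light_or_medium):
        print(f'kubectl get CascadingRules -l "{to_kubectl_selector(sel)}"')
        for rule_name in select_rules(sel):
            print("  would cascade into:", rule_name)
```

Running the script prints the equivalent `kubectl` selector and the rule names for each of the two examples; the `matchLabels` selector yields the six light rules and the `matchExpressions` selector yields all eight. To dry-run a selector from your own Scan manifest, pass its `cascades` mapping to `select_rules`; a selector that unexpectedly matches everything is usually an empty `cascades: {}`, which Kubernetes treats as "match all".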