-
Notifications
You must be signed in to change notification settings - Fork 58
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Scopes / Networks support #273
Comments
@Donnype want to discuss this a bit further? |
@underdarknl @jpbruinsslot Thinking about this I had some thoughts about the potential complexity here. If we focus on the use-case "local network boefje" and assume scoping only applies to objects on a network, we of course want to avoid the following situation: This indeed means that "objects in these networks should produce jobs bound to the network-scope", and this scope in the case of networks could be derived by looking at the specific network the objects refers to. But I can also imagine that certain objects from a scoped job are not necessarily "scoped", like weburls found in (private) html pages. Perhaps we need to differentiate on that (in the future)? And: are there "scoped" objects that do not point to a network that we also want to support? Because that would require keeping track of scopes separately either on OOI level or job-level. If we also want to support scoping in the sense that certain runners have particular permissions (perhaps through IAM settings within your cloud provider), looking at the network also wouldn't be sufficient. But perhaps we can just focus on the network for now and only perform the check on network reference? I can add the configuration to the boefje runner environments and pass it as a query parameter to mula. |
From the scheduler side in order to filter on scope, this scope needs to be available in a BoefjeTask (the actual task that is being popped from the queue by a runner). The information in that BoefjeTask can then be filtered.
I'm gravitating towards option 2, the job runner can specify with a normal request with the additional filter options, in this case the scope, and the item with those parameters and highest priority gets popped off. |
@Donnype agreed, that situation should be avoided. My thinking is that the 'port|80' on the 'network|internet' is at least bound / referenced to an IP on the 'network|Internet', and as such creates jobs via that IP, which we know is 'network|Internet' bound. |
@underdarknl I suppose that means that the rules can be quite complex and/or specific? Perhaps we somehow have to allow users to define rules for workers? For example: For "regular" workers: scope:
boefjes: "*" For workers with access to local ip 192.168.1.1 of "my-company-network" and "my-other-network", but no internet access: scope:
boefjes:
- nmap
- nmap-ip-range
- nmap-top-250
exclude_networks: "Network|internet"
include_networks: # should check if the input oois stem from one of these root networks, default is "Network|internet"
- "Network|my-company-network"
- "Network|my-other-network"
And boefjes manifests have similar fields: boefje:
id: kat-dns
[...]
include_networks:
- "Network|internet" Regarding my observation: "But I can also imagine that certain objects from a scoped job are not necessarily "scoped", like weburls found in (private) html pages." I think the boefje should add such objects to internet explicitly (when they are rather sure). Other options as discussed above involve adding a more generic "scope" tag and not allowing objects to be used as input on workers without the scope tag that was present (or set) on their creation. I think adding fields on boefjes, boefje_tasks and OOIs is quite intrusive for the current lack of understanding/knowledge regarding such a feature. If we focus on the local-network use case, we could probably add a first version of such a feature by simple explicitely setting a network scope setting (just an env var) that contains the name(s) of the network a worker has access to, so that we can pass such a filter to the scheduler, after which the scheduler returns only tasks for OOIs belonging to those networks? That does add some significant bookkeeping to the scheduler, but it would not spill towards the boefjes and boefje_meta objects (too) much. |
In the real world there's the following: In the example of a web-url (eg a link), found on the webpage served by a local printer, inside the local Lan, we should probably argue that its a local url first (as the local DNS in that scope might resolve it to a local server), and if that fails (which will be transparent to the boefje), it will resolve to the Outside world. |
Currently, a boefje runner is considered to be al-reaching. This is obviously not true, and should be a consideration for the scheduler to give it certain jobs.
We already have a Network object which we can differentiate on. An IP or hostname is (loosely) coupled to a network, however multiple networks can exists.
The boefje job runner should have a configuration setting which the admin can set to include which networks this runner can reach. Eg, most will be able to access the Network Internet, but not all can reach certain local networks.
Objects in these networks should produce jobs bound to the network-scope in which they are reachable.
Jobrunners should then list the network-scopes in their query to the scheduler to ask for jobs that are to be executed in their scope, and should not receive jobs that they cannot execute because they cannot reach this scope.
The text was updated successfully, but these errors were encountered: