{ "info": { "author": "Terbium Labs", "author_email": "infrastructure@terbiumlabs.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 2 - Pre-Alpha", "Environment :: Console", "Intended Audience :: Developers", "License :: OSI Approved :: GNU General Public License v3 (GPLv3)", "Operating System :: MacOS", "Operating System :: Microsoft :: Windows", "Operating System :: POSIX :: Linux", "Operating System :: Unix", "Programming Language :: Python", "Programming Language :: Python :: 2", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.3", "Programming Language :: Python :: 3.4", "Programming Language :: Python :: 3.5", "Programming Language :: Python :: 3.6", "Programming Language :: Python :: Implementation :: PyPy", "Topic :: Software Development :: Libraries", "Topic :: Software Development :: Libraries :: Python Modules", "Topic :: Utilities" ], "description": "=======\nnessaws\n=======\n\n.. image:: https://img.shields.io/pypi/v/nessaws.svg\n :target: https://pypi.python.org/pypi/nessaws\n\n.. image:: https://img.shields.io/pypi/pyversions/nessaws.svg\n :target: https://pypi.python.org/pypi/nessaws\n\n.. image:: https://travis-ci.org/TerbiumLabs/nessaws.svg?branch=master\n :target: https://travis-ci.org/TerbiumLabs/nessaws\n\n.. image:: https://img.shields.io/coveralls/TerbiumLabs/nessaws.svg\n :target: https://coveralls.io/github/TerbiumLabs/nessaws\n\nAutomate Nessus scans against AWS EC2/RDS endpoints.\n\nIntroduction\n------------\n\nWant to automate scanning multiple AWS accounts with a single Nessus Professional license?\nThis is the tool for you!\n\n**nessaws** is a small Python package that automates Nessus scans against AWS EC2/RDS\ninstances. It can also submit the `penetration test request to AWS`_\nfor you!\n\nAll you need to do is tag your EC2/RDS instances with a desired value and a Nessus scan name\nto execute. **nessaws** will query EC2/RDS instances with the tagged values, get the IP\naddresses of each instance, and submit a penetration testing request to AWS (via email).\nAfter the request has been approved, **nessaws** can be launched again to start the\ndesired Nessus scans against the discovered instances.\n\nAfter each scan is complete, **nessaws** can combine all scan results into a\nsingle Microsoft Excel (.xlsx) file. As an added bonus, each host in the scan will\nbe checked to ensure authenticated checks have succeeded.\n\nInstallation & Configuration\n----------------------------\n\nTo install directly from `PyPi`_, run:\n\n::\n\n $ pip install nessaws\n\nAlternatively, clone from source and install via setup.py:\n\n::\n\n $ python setup.py install\n\nAfter installation, a configuration file must be initialized. See `config.yml.sample`_\nfor an example. The following options are configurable:\n\n- **nessus_url** (Optional str): The URL to your Nessus scanner (including \\https:// and the port). Defaults to *\\https://localhost:8834*.\n- **nessus_username** (Required str): The username used to authenticate to the Nessus scanner.\n- **nessus_password** (Required str): The password used to authenticate to the Nessus scanner.\n- **nessus_secure** (Optional bool): Whether to enable SSL certificate checks when communicating with the Nessus scanner. If using self-signed certificates on your Nessus scanner, this should be set to *False*. Defaults to *True*.\n- **nessus_source** (Required str): The IP address of the Nessus scanner as it will be seen across the AWS network, used for submitting the penetration test request. If using a Nessus scannner launched as an EC2 instance, include the instance identifier.\n- **aws_accounts** (Required str): A list of AWS accounts that will be scanned. Configurable options for each account are documented below:\n - **aws_access_key_id** (Optional str): An AWS access key that has permissions to query EC2/RDS instances. Defaults to *None*, which will require a valid IAM role or other boto configuration to ensure proper authentication.\n - **aws_secret_access_key** (Optional str): An AWS secret access key that has permissions to query EC2/RDS instances. Defaults to *None*, which will require a valid IAM role or other boto configuration to ensure proper authentication.\n - **region** (Optional str): The AWS region to authenticate to. Defaults to *us-east-1*.\n - **root_email** (Required str): The AWS account's root email address, used for submitting the penetration test request.\n - **tag_key** (Optional str): The EC2/RDS tag key to query on each instance. Defaults to *NessAWS*.\n - **account_name** (Required str): The name of the AWS account, used for submitting the penetration test request and included in the final report.\n - **account_number** (Required int): The AWS account number, used for submitting the penetration test request.\n- **always_use_private_ip** (Optional bool): Whether to always use the private IP address when scanning EC2 instances. This option should be set to True if your Nessus scanner is located in a private subnet. Defaults to *False*.\n- **smtp_host** (Required str): The hostname of the SMTP server to send outgoing mail through.\n- **smtp_port** (Optional int): The port of the SMTP server to send outgoing mail. Defaults to *25*.\n- **smtp_username** (Optional str): The username (if required) to authenticate to the SMTP server. Defaults to *None*.\n- **smtp_password** (Optional str): The password (if required) to authenticate to the SMTP server. Defaults to *None*.\n- **smtp_sendas** (Required str): The email address to send the penetration request email as.\n- **smtp_to** (Optional str): The email address to send the penetration request email to. Defaults to *aws-pentest-email@aws.com*.\n- **smtp_tls** (Optional bool): Whether or not the SMTP server should use TLS to connect. Defaults to *False*.\n- **smtp_cc** (Required str): A comma separated string of email addresses to CC on the penetration test request email.\n- **smtp_subject** (Optional str): The subject line of the email to send with the penetration test request. Defaults to *AWS Pentest Request*.\n- **comments** (Optional str): Additional comments to attach with the penetration test request. Defaults to *None*.\n- **start_date** (Required str): The RFC 1123 datetime that the scan will begin, used for submitting the penetration test request.\n- **end_date** (Required str): The RFC 1123 datetime that the scan will complete, used for submitting the penetration test request.\n- **output** (Optional str): Specify one output option. Currently supported options are *excel*, *raw_csv*, or *none*. Specifying *excel* will export and combine all scans into one Microsoft Excel spreadsheet. Specifying *raw_csv* will export the scan files to CSV in the location where **nessaws** is ran. Specifying *none* will only run the Nessus scans but perform no exporting. Defaults to *excel*.\n\nEC2/RDS instances that you wish to be scanned must be tagged appropriately. Tags should\nconfigured like:\n\n+-------------------+-----------------------------------------+\n| Key | Value |\n+===================+=========================================+\n| | : |\n+-------------------+-----------------------------------------+\n\nThe corresponds to the **tag_key** specified in the configuration\nfile above (defaults to *NessAWS*). The should be set by the user, and\nmay be a scan cadence (such as weekly, monthly, etc.) or an instance role (such\nas webserver, database, etc.). The **tag values** will be specified explicitly by\nthe user when running the **pentest-request** command. The \nshould correspond to an existing Nessus scan already configured (with proper\ncredentials and settings). The scan targets will be updated on-the-fly as instances\nare discovered.\n\nThus, tags may look like:\n\n+---------+-----------------------+\n| Key | Value |\n+=========+=======================+\n| NessAWS | weekly : test_scan |\n+---------+-----------------------+\n\nor\n\n+---------+-----------------------+\n| Key | Value |\n+=========+=======================+\n| NessAWS | database : mysql_scan |\n+---------+-----------------------+\n\n\nRunning nessaws\n---------------\n\nPenetration test request\n~~~~~~~~~~~~~~~~~~~~~~~~\n\nAfter installing **nessaws**, setting up the configuration file, and tagging EC2/RDS\ninstances appropriately, you will first need to submit a penetration test request.\n**nessaws** automates this process for you by finding EC2/RDS instances with specified\ntag values, filtering out any nano, micro, or small instance types, and sending an email\nto AWS from the root account's email address.\n\nThe following command will submit a penetration test request for instances tagged\nwith the value \"weekly\":\n\n::\n\n $ nessaws --config config.yml pentest-request -t weekly\n\nMultiple tags can be specified simultaneously. The following command will submit\na penetration test request for instances tagged with the value \"weekly\" OR \"daily\":\n\n::\n\n $ nessaws --config config.yml pentest-request -t weekly -t daily\n\nIf you would like to preview the penetration test request that will be sent, you\ncan pass the *--dry-run* option. This will send a copy of the email to the\naddresses in the **smtp_cc** configuration detailed above.\n\nIf you wish to edit the contents of the penetration test email, see the *templates/request-template.html*\nfile.\n\nPerforming Nessus scans\n~~~~~~~~~~~~~~~~~~~~~~~~\n\nAfter the penetration test request has been approved by AWS, you can perform the\nNessus scans by executing the **perform-scan** command. This command reads from\na \"state file\" that is populated from the **pentest-request** command. Thus,\nno additional options are required, as the instances to scan have already been\ncataloged.\n\n::\n\n $ nessaws --config config.yml perform-scan\n\nThis command will also check to see that the current date on the system is within\nthe start and end dates configured in the penetration test request. This can be\nbypassed if necessary:\n\n::\n\n $ nessaws --config config.yml perform-scan\n\n The current system time is not within the submitted start time and end time. Are you sure you want to continue?\n\n Type \"yes\" or \"no\":\n yes\n\nIf *excel* was entered in the output configuration, a Microsoft Excel report\n(.xlsx) will be output at the completion of all scans. This\nreport contains a summary sheet that includes each scan that was performed, its\noutcome, and the targets that were scanned. A results sheet containing the output\nfrom all scans is also included. The results are colored based on risk, and also\nmapped back to the EC2/RDS instance IDs or Name tags.\n\nIf you wish to run the scan again (perhaps after remediation), simply run the\n`perform-scan` command again. There is no need to submit another penetration test\nrequest as long as the date is within the requested time period.\n\n\nScanning without a Penetration Test Request\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nIf you wish to perform a scan without submitting a penetration test request\nthrough **nessaws** (for example, if you prefer to do this manually or another\nautomated process), you will need to use the `--dry-run` option in the\n`pentest-request` command. This command will won't send the email to AWS, but\nis needed to populate a \"state file\" that inventories the AWS instances to scan.\nYou don't need a valid SMTP server, even if the email does not send, the state\nwill be populated successfully.\n\nRequired IAM Permissions\n------------------------\n\nThe following IAM permissions are required for operation:\n\n::\n\n {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:DescribeInstances\",\n \"rds:DescribeDBInstances\",\n \"rds:ListTagsForResource\"\n ],\n \"Resource\": \"*\"\n }\n ]\n }\n\n\nContributing\n------------\n\nBug reports and pull requests are welcome. If you would like to\ncontribute, please create a pull request against master. Include unit\ntests if necessary, and ensure that your code passes all linters (see\n`tox.ini`_).\n\n.. _penetration test request to AWS: https://aws.amazon.com/security/penetration-testing/\n.. _PyPi: https://pypi.python.org/pypi/nessaws\n.. _config.yml.sample: https://github.com/TerbiumLabs/nessaws/blob/master/config.yml.sample\n.. _tox.ini: https://github.com/TerbiumLabs/nessaws/blob/master/tox.ini\n\n\n", "description_content_type": null, "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/TerbiumLabs/nessaws", "keywords": "", "license": "", "maintainer": "", "maintainer_email": "", "name": "nessaws", "package_url": "https://pypi.org/project/nessaws/", "platform": "", "project_url": "https://pypi.org/project/nessaws/", "project_urls": { "Homepage": "https://github.com/TerbiumLabs/nessaws" }, "release_url": "https://pypi.org/project/nessaws/0.0.2/", "requires_dist": [ "PyYAML", "boto3 (>=1.4.4)", "botocore", "click", "colander", "colander-tools", "docutils", "et-xmlfile", "future", "futures", "iso8601", "jdcal", "jmespath", "netaddr", "openpyxl", "progress", "python-dateutil", "python-slugify", "pytz", "requests", "s3transfer", "six", "translationstring" ], "requires_python": "", "summary": "nessaws: Automate Nessus scans against AWS EC2/RDS endpoints.", "version": "0.0.2" }, "last_serial": 3098899, "releases": { "0.0.1": [ { "comment_text": "", "digests": { "md5": "0cfbd36297b69b3dc3c3e930030867a9", "sha256": "e65ae6d459517023ecc6b6a05efcfffc774599aa8dd85c6c2395e8769ce85efa" }, "downloads": -1, "filename": "nessaws-0.0.1-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "0cfbd36297b69b3dc3c3e930030867a9", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 73862, "upload_time": "2017-07-06T21:14:13", "url": "https://files.pythonhosted.org/packages/45/8e/16b862d653f7269a34c26533b48ade72e3257b545d48d6e069a875cd0f82/nessaws-0.0.1-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "f3a17b16308380ced20898594e33a0b0", "sha256": "11c57d12669a256e0a7cf8e67fd73b1c41e59efb37c5991c015d5919f9330583" }, "downloads": -1, "filename": "nessaws-0.0.1.tar.gz", "has_sig": false, "md5_digest": "f3a17b16308380ced20898594e33a0b0", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 87004, "upload_time": "2017-07-06T21:14:14", "url": "https://files.pythonhosted.org/packages/3f/e0/3ea8791cdeb9dd2a7f56f9b8b0eaa9685ab8d13da69c4b5f5164efb10a94/nessaws-0.0.1.tar.gz" } ], "0.0.2": [ { "comment_text": "", "digests": { "md5": "28bb335bc82d8e6c027313ba85d4884f", "sha256": "ac901121066a7ecb904a444fee4c1ef5d20023ba1aa47ed0a0fc533c77a16f38" }, "downloads": -1, "filename": "nessaws-0.0.2-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "28bb335bc82d8e6c027313ba85d4884f", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 73989, "upload_time": "2017-08-15T19:34:40", "url": "https://files.pythonhosted.org/packages/fa/30/631af445589fa1f5e5be493a601e7047dc90041287203ad0600de033e68b/nessaws-0.0.2-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "0f196d600af323400529db77c68d7442", "sha256": "239b22911f1fb385a5d25dc98b0e2562baa2ebd25aabe8eff1c51f8e311d7a4d" }, "downloads": -1, "filename": "nessaws-0.0.2.tar.gz", "has_sig": false, "md5_digest": "0f196d600af323400529db77c68d7442", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 87633, "upload_time": "2017-08-15T19:34:41", "url": "https://files.pythonhosted.org/packages/6e/0f/9f97fd664b0b3748edaaf465bce651f3c065ddd7c1b4917eb6a51a17c2ba/nessaws-0.0.2.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "28bb335bc82d8e6c027313ba85d4884f", "sha256": "ac901121066a7ecb904a444fee4c1ef5d20023ba1aa47ed0a0fc533c77a16f38" }, "downloads": -1, "filename": "nessaws-0.0.2-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "28bb335bc82d8e6c027313ba85d4884f", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 73989, "upload_time": "2017-08-15T19:34:40", "url": "https://files.pythonhosted.org/packages/fa/30/631af445589fa1f5e5be493a601e7047dc90041287203ad0600de033e68b/nessaws-0.0.2-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "0f196d600af323400529db77c68d7442", "sha256": "239b22911f1fb385a5d25dc98b0e2562baa2ebd25aabe8eff1c51f8e311d7a4d" }, "downloads": -1, "filename": "nessaws-0.0.2.tar.gz", "has_sig": false, "md5_digest": "0f196d600af323400529db77c68d7442", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 87633, "upload_time": "2017-08-15T19:34:41", "url": "https://files.pythonhosted.org/packages/6e/0f/9f97fd664b0b3748edaaf465bce651f3c065ddd7c1b4917eb6a51a17c2ba/nessaws-0.0.2.tar.gz" } ] }