target addresses of listening ports and add control for troubleshooting #3
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
arlimus reviewed Oct 4, 2016
Member
arlimus left a comment
arlimus left a comment There was a problem hiding this comment.
Also I'm not sure if we need the Debug resource; how do you envision it?
controls/ssl_test.rb Outdated
Member
There was a problem hiding this comment.
Maybe as a different suggestion: (still not happy here)
invalid_addrs = %w{ 127.0.0.1 0.0.0.0 ::1 :: } tcpports = ... enabled_sockets = ... ssl_list = enabled_sockets.map do |s| params = { port: s.port } params[:host] = s.address unless invalid_addrs.include?(s.address) [s, ssl(params)] end control 'tls1.2' do title 'Run TLS 1.2 whenever SSL is active on a port' impact 0.5 ssl_list.each do |socket, ssl_socket| # create a description proc_desc = "on node == #{command('hostname').stdout.strip} running #{socket.process.inspect} (#{socket.pid})" describe ssl_socket.protocols('tls1.2') do it(proc_desc) { should be_enabled } it { should be_enabled } end end end 
alexpop force-pushed the ap/target-addresses branch from bcb9285 to 88d54ef Compare 
alexpop force-pushed the ap/target-addresses branch from 88d54ef to 12b8fcf Compare 
Collaborator Author
| Thanks for the feedback Dom. Also getting the hostname only once instead of 6 times per port. I've also made a few more cosmetic changes. I would keep the debugging control until we iron out all the edge cases. |
alexpop changed the title Collaborator Author
|
^ sample scan with this profile |
Member
Member
| Thank you @alexpop |
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
Listening ports can be bound on any interface available on the node. If this is the case, the ssl resource needs to use that IP address and not localhost or target IP.