Skip to content
This repository was archived by the owner on Feb 26, 2021. It is now read-only.
This repository was archived by the owner on Feb 26, 2021. It is now read-only.

RFC: Add Scanner Capability Flag to enhance Scanner Worker Selection #89

Open
Open
RFC: Add Scanner Capability Flag to enhance Scanner Worker Selection#89
Assignees
rfelberJ12934
Labels
RFCFeatures suggestions which need more opinions
Milestone
v1.1.0
@J12934

Description

@J12934
J12934
opened on Jul 3, 2019

Is your feature request related to a problem? Please describe.

When it comes to Multi Tenancy there are two main axis we'd like two support with the secureCodeBox Engine:

Team Separation

This allows the association of scanners operated by the teams with that team. The scanners will then only work on scan jobs created by that team. This was implemented in #79.

Capability Separation

Not every worker deployment in a team has to be the same.

Some scanners might...

  • be deployed in certain network situation which enable different scans.
  • have files mounted onto their filesystem which are required to perform certain scans.
  • have certain configuration / deployment requirements by the scanner to run certain kinds of scans. E.g. nmap requiring root rights / linux capabilities to run OS detection scans (See: Operating System scans need root rights scanner-infrastructure-nmap#2)

This problem can be solved by using the team separation feature by creating a new team for every team / capability combination, but that is quite tedious. These teams could look something like this:

  • team42
  • team42_nmap_privileged
  • team42_zap_behindwaf

Creating new teams requires to assign all team members to every of their related teams, which is a big organisational overhead.

scb-multi-tenancy

Describe the solution you'd like

I'd like to introduce capabilities into the StartSecurityTest and the LockScanJob APIs.

The addition to the startSecurity Test API would be a new optional requiredCapabilities attribute which allows the user to express which capabilities are required for the scan job.

The addition to the LockScanJob API would allow the scanners to communicate to the engine which capabilities the have.

POST https://engine.securecodebox.demo/box/securityTests

[
  {
    "context": "Feature Team 1",
    "metaData": {},
    "name": "nmap",
    "target": {
      "attributes": {
        "NMAP_PARAMETER": "-Pn"
      },
      "location": "127.0.0.1",
      "name": "SecureCodeBox Demo Website"
    },
    "tenant": "team-1",
	"requiredCapabilities": [
		"behind-firewall",
  		"privileged-deployment"
	]
  }
]

The relevant new attribute here is requiredCapabilities.

For a scanner to be able to work on this task it would need to be configured that:

  • The engine user of the scanner worker, set by the env vars: ENGINE_SCANNERSERVICES_USER and ENGINE_BASIC_AUTH_PASSWORD need to be a member of team-1
  • The worker need to have the (new) environment var SCANNER_CAPABILITIES to be set to: behind-firewall,privileged-deployment (or privileged-deployment,behind-firewall, the order should not matter)

Scanner without the SCANNER_CAPABILITIES env var will only be able to work on scan jobs without requiredCapabilities.

Example deployment (docker-compose for readability):

nmap-team42:
    image: securecodebox/nmap:latest
    environment:
      - ENGINE_ADDRESS=http://engine:8080
      - ENGINE_BASIC_AUTH_USER=team42-tu-nmap
      - ENGINE_BASIC_AUTH_PASSWORD=foobar
      - SCANNER_CAPABILITIES=behind-firewall,privileged-deployment

Describe alternatives you've considered

  • Multiple teams (see problem descriptions)
  • Using camunda custom permissions, to prevent scanner without capabilities to access scan jobs.

Metadata

Metadata

Assignees

Labels

RFCFeatures suggestions which need more opinions

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions