From 19efeada19b1d65b36c19d52cf34889057e029ff Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Sat, 1 Oct 2022 12:50:25 +0200
Subject: [PATCH] feat: add branding and get_iam_sshkeys.py

---
 README.md | 11 +++-
 cleanup_amis.sh | 4 +-
 overlay/zdt/scripts/setup-common | 8 ++-
 .../zdt/scripts/setup.d/get_iam_sshkeys.py | 63 +++++++++++++++++++
 overlay/zdt/scripts/setup.d/neofetch.conf | 2 +-
 overlay/zdt/scripts/setup.d/route53.py | 1 -
 6 files changed, 81 insertions(+), 8 deletions(-)
 create mode 100755 overlay/zdt/scripts/setup.d/get_iam_sshkeys.py

diff --git a/README.md b/README.md
index e8593e8..19ad447 100644
--- a/README.md
+++ b/README.md
@@ -2,4 +2,13 @@ ZeroDownTime - Alpine golden images
-AWS only for now
\ No newline at end of file
+AWS only for now
+
+## Image scanning via Trivy
+
+```
+modprobe nbd
+qemu-nbd -c /dev/nbd0 zdt-alpine-3.16.2-x86_64-bios-tiny-minimal-r1.vhd
+mount /dev/nbd0 /mnt/image
+trivy filesystem /mnt/image
+```
diff --git a/cleanup_amis.sh b/cleanup_amis.sh
index a7d3712..672befd 100755
--- a/cleanup_amis.sh
+++ b/cleanup_amis.sh
@@ -5,8 +5,8 @@ echo "Are you really sure as AMIs might be used by customers !!"
 read
 #TAG_FILTER="Name=tag:project,Values=zdt-alpine"
-#TAG_FILTER="Name=tag:Name,Values=zdt-alpine-3.16.0-x86_64-bios-tiny-minimal-r0"
-TAG_FILTER="Name=tag:Name,Values=zdt-alpine-3.16.2-x86_64-bios-tiny-kubezero-1.23.10-r0"
+TAG_FILTER="Name=tag:Name,Values=zdt-alpine-3.16.2-x86_64-bios-tiny-minimal-r1"
+#TAG_FILTER="Name=tag:Name,Values=zdt-alpine-3.16.2-x86_64-bios-tiny-kubezero-1.23.10-r0"
 #for r in $(aws ec2 describe-regions --query "Regions[].{Name:RegionName}" --output text); do
 for r in ap-southeast-2 ca-central-1 eu-central-1 us-east-1 us-west-1 us-west-2; do
diff --git a/overlay/zdt/scripts/setup-common b/overlay/zdt/scripts/setup-common
index 8ea8449..16da507 100755
--- a/overlay/zdt/scripts/setup-common
+++ b/overlay/zdt/scripts/setup-common
@@ -45,7 +45,8 @@ echo 'Installed cloudbender shutdown hook'
 # Install tools
 cp $SETUP/route53.py $TARGET/usr/local/bin
-echo 'Installed route53.py'
+cp $SETUP/get_iam_sshkeys.py $TARGET/usr/sbin
+echo 'Installed route53.py and get_iam_sshkeys.py'
 # ps_mem
 #wget https://raw.githubusercontent.com/pixelb/ps_mem/master/ps_mem.py
@@ -63,12 +64,13 @@ echo 'Enable monit via init, hooked up cloudbender alerting'
 # QoL
 mv $TARGET/etc/profile.d/color_prompt.sh.disabled $TARGET/etc/profile.d/color_prompt.sh
-echo 'alias rs="doas bash --login"' > $TARGET/etc/profile.d/alias.sh
+echo 'alias rs="doas bash"' > $TARGET/etc/profile.d/alias.sh
 # branding
 rm -f $TARGET/etc/motd
 cp $SETUP/neofetch.conf $TARGET/etc/neofetch.conf
 cp $SETUP/zdt-ascii.txt $TARGET/etc/neofetch-logo.txt
-echo 'neofetch --config /etc/neofetch.conf' > $TARGET/etc/profile.d/motd.sh
+echo '[ -n "$SSH_TTY" -a "$SHLVL" -eq 1 ] && neofetch --config /etc/neofetch.conf' > $TARGET/etc/profile.d/motd.sh
+echo 'Installed ZDT branding via neofetch'
 printf '\n# Zero Down Time config applied'
diff --git a/overlay/zdt/scripts/setup.d/get_iam_sshkeys.py b/overlay/zdt/scripts/setup.d/get_iam_sshkeys.py
new file mode 100755
index 0000000..e459e64
--- /dev/null
+++ b/overlay/zdt/scripts/setup.d/get_iam_sshkeys.py
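Review bot: `cp $SETUP/get_iam_sshkeys.py $TARGET/usr/sbin` copies the script without pinning its owner or mode, so the result depends on the uid and umask of whoever runs setup-common; the script's `RoleSessionName="sshdKeyLookup"` suggests it is meant as an sshd AuthorizedKeysCommand, and sshd refuses to run such a command unless the file (and the directories leading to it) are root-owned and not group/world-writable. Making that explicit, `install -o root -g root -m 0755 $SETUP/get_iam_sshkeys.py $TARGET/usr/sbin/`, removes the dependence on the build environment. The script also imports boto3, and nothing in this hunk adds it to the target image; presumably route53.py already pulls it in, but that is worth confirming.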
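Review bot: The motd.sh line written in the second hunk, `[ -n "$SSH_TTY" -a "$SHLVL" -eq 1 ]`, joins its tests with `-a`, which POSIX marks obsolescent, and if `SHLVL` is unset in the login shell (I am not certain busybox ash sets it) the `-eq` comparison against an empty string fails with an error printed on every SSH login instead of silently skipping the banner. Splitting the tests and defaulting the variable avoids both: `echo '[ -n "$SSH_TTY" ] && [ "${SHLVL:-1}" -eq 1 ] && neofetch --config /etc/neofetch.conf' > $TARGET/etc/profile.d/motd.sh`. Since profile.d scripts are sourced, a failing test here is cosmetic rather than fatal, but it shows up on every interactive session.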
@@ -0,0 +1,63 @@
+#!/usr/bin/python3
+import sys
+import boto3
+import argparse
+
+parser = argparse.ArgumentParser(description="Get SSH keys from IAM users")
+parser.add_argument(
+    "--user", dest="user", action="store", required=True, help="requested user"
+)
+parser.add_argument(
+    "--group", action="store", required=True, help="IAM group to search"
+)
+parser.add_argument(
+    "--iamRole",
+    dest="iamRole",
+    action="store",
+    help="IAM role ARN to assume to search for IAM users",
+)
+parser.add_argument(
+    "--allowedUser",
+    dest="allowedUsers",
+    action="append",
+    default=["alpine"],
+    help="Allowed users",
+)
+args = parser.parse_args()
+
+# Fail early if invalid user
+if not args.user in args.allowedUsers:
+    sys.exit(0)
+
+session = boto3.Session()
+
+if args.iamRole:
+    sts = session.client("sts")
+    credentials = sts.assume_role(
+        RoleArn=args.iamRole, RoleSessionName="sshdKeyLookup"
+    )["Credentials"]
+
+    assumed_role_session = boto3.Session(
+        aws_access_key_id=credentials["AccessKeyId"],
+        aws_secret_access_key=credentials["SecretAccessKey"],
+        aws_session_token=credentials["SessionToken"],
+    )
+    iam = assumed_role_session.client("iam")
+
+else:
+    iam = session.client("iam")
+
+try:
+    for user in iam.get_group(GroupName=args.group)["Users"]:
+        for key_desc in iam.list_ssh_public_keys(UserName=user["UserName"])[
+            "SSHPublicKeys"
+        ]:
+            key = iam.get_ssh_public_key(
+                UserName=user["UserName"],
+                SSHPublicKeyId=key_desc["SSHPublicKeyId"],
+                Encoding="SSH",
+            )
+            if key["SSHPublicKey"]["Status"] == "Active":
+                print(key["SSHPublicKey"]["SSHPublicKeyBody"], user["UserName"])
+except:
+    pass
diff --git a/overlay/zdt/scripts/setup.d/neofetch.conf b/overlay/zdt/scripts/setup.d/neofetch.conf
index 5346986..a581496 100644
--- a/overlay/zdt/scripts/setup.d/neofetch.conf
+++ b/overlay/zdt/scripts/setup.d/neofetch.conf
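Review bot: The bare `except: pass` at the end of the new file swallows every failure, including KeyboardInterrupt and any STS/IAM error, so a wrong `--iamRole`, an expired instance credential or a missing IAM permission is indistinguishable from "this user has no keys" and nothing is ever reported; narrow it to `except Exception as exc:` and write `print(f"get_iam_sshkeys: {exc}", file=sys.stderr)`, which keeps stdout clean for the key consumer while still failing closed. The `--allowedUser` option combines `action="append"` with `default=["alpine"]`, so explicit values are appended to the default rather than replacing it and "alpine" can never be removed from the allow list; use `default=None` and fall back to `["alpine"]` after `parse_args()`. `iam.get_group` is paginated, so members of a large group beyond the first page are silently never granted a key — iterate `iam.get_paginator("get_group").paginate(GroupName=args.group)` and read `page["Users"]` from each page. Minor: `if not args.user in args.allowedUsers` reads better as `if args.user not in args.allowedUsers`.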
@@ -4,7 +4,7 @@ print_info() {
     prin "$(color 1)Welcome to Alpine - ZeroDownTime edition"
     echo
     prin "Release Notes:"
-    prin " - "
+    prin " - "
     prin " - "
     echo
diff --git a/overlay/zdt/scripts/setup.d/route53.py b/overlay/zdt/scripts/setup.d/route53.py
index fe9a01e..20424de 100755
--- a/overlay/zdt/scripts/setup.d/route53.py
+++ b/overlay/zdt/scripts/setup.d/route53.py
@@ -49,5 +49,4 @@ action = "UPSERT"
 if args.delete:
     action = "DELETE"
-print(args)
 update_dns(args.fqdn, args.record, action=action, ttl=args.ttl, record_type=args.record_type)