devsecops / selfie

Apache License 2.0
7 stars, 6 forks

Tag Selfie's Forensic Instance Image Snapshots with Origin Account, Forensics Account and Snapshot TimeStamp #4

Open DLSieving opened 7 years ago

DLSieving commented 7 years ago

Context: Running selfie.

Environment: Postmortem analysis using the dso-bootcamp-forensics account.

Use Case: Making forensic instance image snapshots using selfie.

Problem: The forensics investigator may not know the origin and context of the instance image snapshot under investigation.

Scope: Add resource tags to the forensics image snapshot.

New Functionality: Tag the forensic instance images created by selfie to allow the forensics investigator to understand the origin and context of the instance under investigation. Tags to be considered at present include but are not limited to:

DLSieving commented 7 years ago

Draft patch file attached. To do: Branch on the return value of _ec2.createtags to handle any error conditions, e.g. more than the maximum 10 tags have been added.

20160718.selfie.diff.txt

DLSieving commented 7 years ago

https://youtu.be/4gS682SHPR4

DLSieving commented 7 years ago

create_tags "returns an empty response" and "Adds or overwrites one or more tags", presumably overwriting the oldest tags once the maximum of 10 is exceeded. Therefore there is nothing to branch on in the response to the _createtags call, and the change set is complete except for testing (see demo).

DLSieving commented 7 years ago

At Shannon's suggestion, removed the assumer step in which the Incident Response role was assumed manually before running selfie. Selfie does all of the assuming it needs on its own and works fine if you run it as yourself.

The first screenshot is the console output of selfie without the initial changes:

20160721 dso selfie b4changes

The second screenshot is the console output of selfie with the initial changes in place:

20160721 dso selfie rev01

The problem seems to be that the _new_snapshotids array is depopulated as it is processed in the wait method. Need to persist a copy of this array for use by _createtags once the snapshot copies have been created successfully.

DLSieving commented 7 years ago

The wait() method depopulates the snapshot ID string array as snapshot operations complete or fail. Added a clause to tag a snapshot image as soon as it has been successfully completed, before its ID is deleted due to copy completion or failure. Not tagging failed copies to avoid potential further errors.

Changes:

20160722.selfie.diff.txt

New Selfie.rb:

selfie.rb.txt

New test results:

20160722 dso selfie rev02

Image tags on AWS Forensics Account:

20160722 dso selfie r02 snap1 tags

20160722 dso selfie r02 snap2 tags
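The tag-on-completion approach discussed in the comments above (tag each snapshot copy the moment it reports `completed`, before its ID is dropped from the list that `wait()` prunes, and leave failed copies untagged), written out as an added example. This is not selfie's own code and not the attached patch: the `FakeEc2` client is a constructed in-memory stand-in that only mimics the call shape of the AWS SDK's `create_tags`/`describe_snapshots`, the tag keys (`OriginAccount`, `ForensicsAccount`, `SourceSnapshotId`, `SnapshotTimeStamp`, `CreatedBy`) are assumed names chosen from the issue title, the account IDs and snapshot IDs are constructed sample values, and `MAX_TAGS` is set to the limit of 10 as stated in the thread.

```ruby
# Added example, not selfie's code. Tags forensic snapshot copies as soon as
# each copy completes, so the tag call never runs on an ID that has already
# been pruned from the pending list. The EC2 client below is a constructed
# stand-in (assumption), not the aws-sdk-ruby client.
require 'time'

MAX_TAGS = 10  # tags-per-resource limit as stated in the issue thread

# Tag set that lets an investigator trace a copy back to its origin (assumed key names).
def forensic_tags(origin_account:, forensics_account:, source_snapshot_id:, timestamp:)
  [
    { key: 'OriginAccount',     value: origin_account },
    { key: 'ForensicsAccount',  value: forensics_account },
    { key: 'SourceSnapshotId',  value: source_snapshot_id },
    { key: 'SnapshotTimeStamp', value: timestamp.utc.iso8601 },
    { key: 'CreatedBy',         value: 'selfie' }
  ]
end

Snapshot         = Struct.new(:snapshot_id, :state)
DescribeResponse = Struct.new(:snapshots)

# Constructed in-memory stand-in for an EC2 client (assumption, not the AWS SDK).
# `states` maps a snapshot ID to the sequence of states returned on successive polls.
class FakeEc2
  attr_reader :tags

  def initialize(states)
    @states = states
    @tags = Hash.new { |h, k| h[k] = [] }
  end

  def describe_snapshots(snapshot_ids:)
    snaps = snapshot_ids.map do |id|
      seq = @states[id]
      state = seq.length > 1 ? seq.shift : seq.first
      Snapshot.new(id, state)
    end
    DescribeResponse.new(snaps)
  end

  # Mirrors the real call: returns an empty response on success, raises past the limit.
  def create_tags(resources:, tags:)
    raise ArgumentError, 'TagLimitExceeded' if tags.length > MAX_TAGS
    resources.each { |r| @tags[r].concat(tags) }
    nil
  end
end

# Poll the pending copies (copy_id => source_snapshot_id). A copy is tagged the
# instant it reaches 'completed' and only then removed from the pending list;
# a copy in 'error' is removed without tagging. The caller's hash is not mutated.
def wait_and_tag(ec2, pending, origin_account:, forensics_account:,
                 max_polls: 20, clock: -> { Time.now })
  pending = pending.dup
  tagged, failed = [], []
  max_polls.times do
    break if pending.empty?
    resp = ec2.describe_snapshots(snapshot_ids: pending.keys)
    resp.snapshots.each do |snap|
      case snap.state
      when 'completed'
        ec2.create_tags(
          resources: [snap.snapshot_id],
          tags: forensic_tags(origin_account: origin_account,
                              forensics_account: forensics_account,
                              source_snapshot_id: pending[snap.snapshot_id],
                              timestamp: clock.call)
        )
        tagged << snap.snapshot_id
        pending.delete(snap.snapshot_id)
      when 'error'
        failed << snap.snapshot_id
        pending.delete(snap.snapshot_id)
      end # 'pending' copies stay in the list for the next poll
    end
  end
  { tagged: tagged, failed: failed, still_pending: pending.keys }
end

# Constructed scenario: one copy completes on the second poll, one fails on the
# third, one is already complete. Account IDs are placeholders.
def demo
  ec2 = FakeEc2.new(
    'snap-copy1' => %w[pending completed],
    'snap-copy2' => %w[pending pending error],
    'snap-copy3' => %w[completed]
  )
  result = wait_and_tag(ec2,
                        { 'snap-copy1' => 'snap-src1',
                          'snap-copy2' => 'snap-src2',
                          'snap-copy3' => 'snap-src3' },
                        origin_account: '111111111111',
                        forensics_account: '222222222222',
                        clock: -> { Time.utc(2016, 7, 22, 12, 0, 0) })
  [result, ec2.tags]
end

if __FILE__ == $PROGRAM_NAME
  result, tags = demo
  puts result.inspect
  tags.each { |id, t| puts "#{id}: #{t.map { |x| "#{x[:key]}=#{x[:value]}" }.join(', ')}" }
end
```

Because the tag call happens inside the polling loop, the snapshot ID list can still be pruned on completion or failure exactly as `wait()` does, and no separate copy of the array has to be kept for a later tagging pass; the `source_snapshot_id` value is read from the pending map before the entry is deleted.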