RFC: Add Scanner Capability Flag to enhance Scanner Worker Selection #89
Description
Is your feature request related to a problem? Please describe.
When it comes to multi-tenancy there are two main axes we'd like to support with the secureCodeBox Engine:
Team Separation
This allows the association of scanners operated by the teams with that team. The scanners will then only work on scan jobs created by that team. This was implemented in #79.
Capability Separation
Not every worker deployment in a team has to be the same.
Some scanners might...
- be deployed in certain network situations which enable different scans.
- have files mounted onto their filesystem which are required to perform certain scans.
- have certain configuration / deployment requirements by the scanner to run certain kinds of scans. E.g. nmap requiring root rights / linux capabilities to run OS detection scans (See: Operating System scans need root rights scanner-infrastructure-nmap#2)
This problem can be solved with the team separation feature by creating a new team for every team / capability combination, but that is quite tedious. These teams could look something like this:
- team42
- team42_nmap_privileged
- team42_zap_behindwaf
Creating new teams requires assigning all team members to each of their related teams, which is a big organisational overhead.
Describe the solution you'd like
I'd like to introduce capabilities into the StartSecurityTest and the LockScanJob APIs.
The addition to the StartSecurityTest API would be a new optional requiredCapabilities attribute which allows the user to express which capabilities are required for the scan job.
The addition to the LockScanJob API would allow the scanners to communicate to the engine which capabilities they have.
POST https://engine.securecodebox.demo/box/securityTests

```json
[
  {
    "context": "Feature Team 1",
    "metaData": {},
    "name": "nmap",
    "target": {
      "attributes": {
        "NMAP_PARAMETER": "-Pn"
      },
      "location": "127.0.0.1",
      "name": "SecureCodeBox Demo Website"
    },
    "tenant": "team-1",
    "requiredCapabilities": [
      "behind-firewall",
      "privileged-deployment"
    ]
  }
]
```

The relevant new attribute here is requiredCapabilities.
For a scanner to be able to work on this task it would need to be configured so that:
- The engine user of the scanner worker, set by the env vars `ENGINE_SCANNERSERVICES_USER` and `ENGINE_BASIC_AUTH_PASSWORD`, needs to be a member of `team-1`
- The worker needs to have the (new) environment var `SCANNER_CAPABILITIES` set to `behind-firewall,privileged-deployment` (or `privileged-deployment,behind-firewall`; the order should not matter)

Scanners without the SCANNER_CAPABILITIES env var will only be able to work on scan jobs without requiredCapabilities.
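To make the selection rule above concrete, here is an added Python sketch of how an engine could decide whether a worker may lock a job. It is not secureCodeBox code; it assumes "required" means subset semantics (a job with no requiredCapabilities is lockable by any worker of its team, a job with requirements only by a worker that has all of them), reads the worker user from `ENGINE_BASIC_AUTH_USER` as in the compose example, and takes the worker's team membership as a plain list instead of looking it up in the engine. The sample request body and environment are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class ScanJob:
    """A scan job as created through StartSecurityTest."""
    name: str
    tenant: str
    required_capabilities: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class ScannerWorker:
    """A scanner worker as it would present itself when calling LockScanJob."""
    user: str
    teams: FrozenSet[str]
    capabilities: FrozenSet[str] = frozenset()


def parse_capabilities(env_value: Optional[str]) -> FrozenSet[str]:
    """Parse SCANNER_CAPABILITIES: comma separated, order-independent,
    whitespace tolerant. An unset or empty variable means 'no capabilities'."""
    if env_value is None:
        return frozenset()
    return frozenset(c.strip() for c in env_value.split(",") if c.strip())


def job_from_request(body: Dict) -> ScanJob:
    """Build a ScanJob from one element of the StartSecurityTest request body.
    requiredCapabilities is optional, so a missing key yields an empty set."""
    return ScanJob(
        name=body["name"],
        tenant=body["tenant"],
        required_capabilities=frozenset(body.get("requiredCapabilities", [])),
    )


def worker_from_env(env: Dict[str, str], teams: Iterable[str]) -> ScannerWorker:
    """Build a ScannerWorker from a worker's environment variables.
    Team membership is passed in explicitly here (assumption: the real engine
    would resolve it from the authenticated user)."""
    return ScannerWorker(
        user=env["ENGINE_BASIC_AUTH_USER"],
        teams=frozenset(teams),
        capabilities=parse_capabilities(env.get("SCANNER_CAPABILITIES")),
    )


def missing_capabilities(worker: ScannerWorker, job: ScanJob) -> FrozenSet[str]:
    """Capabilities the job requires that the worker does not have."""
    return job.required_capabilities - worker.capabilities


def can_lock(worker: ScannerWorker, job: ScanJob) -> bool:
    """Team separation first, then capability separation (subset semantics)."""
    if job.tenant not in worker.teams:
        return False
    return not missing_capabilities(worker, job)


def lockable_jobs(worker: ScannerWorker, jobs: Iterable[ScanJob]) -> List[ScanJob]:
    """The jobs a LockScanJob call from this worker would be allowed to pick up."""
    return [job for job in jobs if can_lock(worker, job)]


# Constructed sample data mirroring the RFC's request and compose examples.
SAMPLE_REQUEST = {
    "name": "nmap",
    "tenant": "team-1",
    "requiredCapabilities": ["behind-firewall", "privileged-deployment"],
}
SAMPLE_ENV = {
    "ENGINE_BASIC_AUTH_USER": "team42-tu-nmap",
    "ENGINE_BASIC_AUTH_PASSWORD": "foobar",  # constructed placeholder
    "SCANNER_CAPABILITIES": "privileged-deployment, behind-firewall",
}


if __name__ == "__main__":
    worker = worker_from_env(SAMPLE_ENV, teams=["team-1"])
    job = job_from_request(SAMPLE_REQUEST)
    print("can lock:", can_lock(worker, job))
    print("missing:", sorted(missing_capabilities(worker, job)))
```

Rejections are explained by `missing_capabilities`, which is the value an operator would want logged when a job sits unclaimed because no worker in the team advertises the right capability set.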
Example deployment (docker-compose for readability):

```yaml
nmap-team42:
  image: securecodebox/nmap:latest
  environment:
    - ENGINE_ADDRESS=http://engine:8080
    - ENGINE_BASIC_AUTH_USER=team42-tu-nmap
    - ENGINE_BASIC_AUTH_PASSWORD=foobar
    - SCANNER_CAPABILITIES=behind-firewall,privileged-deployment
```

Describe alternatives you've considered
- Multiple teams (see problem description)
- Using Camunda custom permissions to prevent scanners without capabilities from accessing scan jobs.
