getcert_ce's Introduction

getCert CE - SSL Certificates for BMC Discovery


License	Apache License 2.0
Version	1.7.0 (ED-209)

Overview

Traversys getCert is an extension to BMC Discovery. It operates independently of Discovery scans in either a Docker container or a standalone script. getCert non-invasively collect information about externally facing SSL certificates (accessible via open web/application ports) against your data center infrastructure.

getCet triggers an event to Discovery via the API which contains a temporary key to unlock the encrypted capture data stored with the getCert application files. The getCert pattern module will then trigger on the event and scan the getCert data source to retrieve and build a list of certificate Detail nodes. If any SoftwareInstances match the certificate IP or common name and port getCert will automatically attempt to map the Detail to the SI, alternatively, for other network devices - getCert will map directly to the device node.

getCert comes with a beta CMDB sync pattern which follows the schema of BMC's TLS Certificate OOTB mappings - and will sync any SSL Certificate details mapped directly to a SoftwareInstance to BMC_Document.

getCert is highly configurable, with the option to scan subnets, websites, DNS hostnames or IP addresses, and the discovered data can be added to the model in different ways with custom extensions.

Quickstart

Install and configure Docker
Run docker build --tag getcert --progress=plain -f dockerbuild/Dockerfile .
Make a note of the password generated by the build script
Startup the Container

docker run -t -d -p 2222:22 --name getCert -v ${PWD}:/opt/Traversys/getCert getcert:latest

Access the shell: docker exec -it getCert /bin/bash
Navigate to /opt/Traversys/getCert
Run the installation script python3 install.py
Run getCert

$ screen
$ python3 /opt/Traversys/getCert/getcert.py --instance <Discovery URL/IP> --config /opt/Traversys/getCert/config.ini

Scan Modes

getCert will commence in the background and export details to an encrypted data file.

There are 3 modes you can use and are set in the config file:

Scan for SSL Certificates on the test ips/subnet string
Scan for a list of ips/subnets in the specified input file
Run the query (appliance login needed) to export a list of ips/subnets

Full Documentation: https://traversys.github.io/getCert_CE/

getcert_ce's People

Contributors

Stargazers

Watchers

getcert_ce's Issues

cron.sh file has wrong binary name.

echo "$cron $root/get" >> traversys_getCert.cron

Should be

echo "$cron $root/getcert" >> traversys_getCert.cron

Release notes table out of alignment

Row Entry: 1.3.0.

https://traversys.github.io/getCert_CE/

Not configured for IPv6

fe80::c054:b507:4348:74bd looks like an IPv6 target specification -- you have to use the -6 option.

All Web App Reports

All Web App Ports should include total count (for prioritising):

<report name="Traversys.getCert.WebAppAllPorts">
        <title>All Web App Listening Ports</title>
        <description>Web and Application server instances with listening ports</description>
        <kind>DiscoveredListeningPort</kind>
        <show>
            local_port processwith unique(0)
        </show>
        <order-by>local_port</order-by>
    </report>

Recommend Projects