Merge pull request #256 from cisagov/feature/allow-kalis-to-ssh-to-ne…

…ssus-instances Allow Kali instances to ssh to Nessus instances
cisagov · Oct 25, 2024 · 8b367e9 · 8b367e9
2 parents ee698cc + a394dd9
commit 8b367e9
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -361,6 +361,7 @@ the COOL environment.
 | [aws_security_group_rule.ingress_from_sts_endpoint_client_to_sts_endpoint_via_https](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.ingress_from_teamserver_to_gophish_via_ssh_and_smtp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.kali_egress_to_gophish_via_ssh](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.kali_egress_to_nessus_via_ssh](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.kali_egress_to_nessus_via_web_ui](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.kali_egress_to_pentestportal_via_ssh_and_web](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.kali_egress_to_teamserver_instances_via_5000_to_5999](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
@@ -370,6 +371,7 @@ the COOL environment.
 | [aws_security_group_rule.kali_ingress_from_windows_instances](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.kali_to_kali_via_ssh](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.nessus_ingress_from_debiandesktop_via_web_ui](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.nessus_ingress_from_kali_via_ssh](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.nessus_ingress_from_kali_via_web_ui](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.nessus_ingress_from_windows_via_web_ui](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.pentestportal_egress_to_anywhere_via_http_and_https](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |

diff --git a/kali_sg.tf b/kali_sg.tf
@@ -138,3 +138,16 @@ resource "aws_security_group_rule" "kali_egress_to_gophish_via_ssh" {
   to_port                  = 22
   type                     = "egress"
 }
+
+# Allow egress to Nessus instances via port 22 (SSH) for Ansible
+# configuration.  Requested in cool-system-internal#37.
+resource "aws_security_group_rule" "kali_egress_to_nessus_via_ssh" {
+  provider = aws.provisionassessment
+
+  from_port                = 22
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.kali.id
+  source_security_group_id = aws_security_group.nessus.id
+  to_port                  = 22
+  type                     = "egress"
+}
diff --git a/nessus_sg.tf b/nessus_sg.tf
@@ -50,6 +50,19 @@ resource "aws_security_group_rule" "nessus_ingress_from_windows_via_web_ui" {
   type                     = "ingress"
 }
 
+# Allow ingress from Kali instances via port 22 (SSH) for Ansible
+# configuration.  Requested in cool-system-internal#37.
+resource "aws_security_group_rule" "nessus_ingress_from_kali_via_ssh" {
+  provider = aws.provisionassessment
+
+  from_port                = 22
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.nessus.id
+  source_security_group_id = aws_security_group.kali.id
+  to_port                  = 22
+  type                     = "ingress"
+}
+
 # Allow ingress from anywhere via the allowed ports
 resource "aws_security_group_rule" "ingress_from_anywhere_to_nessus_via_allowed_ports" {
   provider = aws.provisionassessment