Fix pmapper-data-basepath ignored in all-checks and instances race condition #127
Merged
… instances module

The pmapperCommand in runAllChecksCommand was missing the PmapperDataBasePath parameter, causing --pmapper-data-basepath to be ignored for the pmapper module when running all-checks. (Fixes #105)

The instances module had a race condition where role analysis ran before the receiver goroutine finished collecting all MappedInstances. This caused IsAdminRole and CanPrivEscToAdmin columns to appear empty in all-checks despite pmapper data being available. Fixed by signaling the receiver to stop and waiting for it to drain before running role analysis.

Version bumped to 2.0.4.
Summary
Two bugs fixed that caused `--pmapper-data-basepath` to be ignored and `IsAdminRole?`/`CanPrivEscToAdmin?` columns to appear empty when running `all-checks`.

Bug 1: pmapperCommand missing PmapperDataBasePath (Fixes #105)

The `pmapperCommand` struct in `runAllChecksCommand` was not receiving the `PmapperDataBasePath` parameter, causing `--pmapper-data-basepath` to be ignored for the pmapper module during `all-checks`.

Bug 2: Race condition in instances module

The instances module performed role analysis (pmapper lookup) before the receiver goroutine finished collecting all `MappedInstances` from the data channel. This caused `IsAdminRole?` and `CanPrivEscToAdmin?` to be empty in `all-checks` despite pmapper data being available and correctly loaded. The commented-out `time.Sleep(time.Second * 2)` on line 131 was a previous attempt to work around this.

Fix: Signal the receiver to stop and wait for it to drain before running role analysis.
Testing
Tested with a t2.micro EC2 instance running an IAM role with AdministratorAccess and pmapper graph data:
`instances` (direct)
`all-checks`
`all-checks` (3 consecutive runs)

Version bumped to 2.0.4.
Closes #105
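
The ordering described under Bug 2 (signal the receiver, wait for it to drain, then analyze), sketched as an added example that is not the project's code. `MappedInstance`'s fields, `collectAndAnalyze`, the channel names and the role data are assumptions made for illustration, and the role lookup is a plain map standing in for pmapper.

```go
package main

import (
	"fmt"
	"sync"
)

// MappedInstance is a hypothetical row; IsAdmin stays "" until role analysis runs.
type MappedInstance struct{ ID, Role, IsAdmin string }

// collectAndAnalyze runs role analysis only after the receiver has drained the channel.
func collectAndAnalyze(n int, adminRoles map[string]bool) (rows []MappedInstance) {
	data := make(chan MappedInstance, 8) // buffered, so items can lag producers
	stop, done := make(chan struct{}), make(chan struct{})
	go func() { // receiver: sole writer of rows until done is closed
		defer close(done)
		for {
			select {
			case mi := <-data:
				rows = append(rows, mi)
			case <-stop:
				for len(data) > 0 { // drain what is still buffered
					rows = append(rows, <-data)
				}
				return
			}
		}
	}()
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			role := []string{"role-admin", "role-ro"}[i%2] // constructed data
			data <- MappedInstance{ID: fmt.Sprintf("i-%04d", i), Role: role}
		}(i)
	}
	wg.Wait()   // every producer has sent; items may still sit in the buffer
	close(stop) // signal the receiver to stop
	<-done      // wait for the drain; rows is now complete and safe to read
	for i := range rows { // role analysis stand-in (a map lookup, not pmapper)
		rows[i].IsAdmin = fmt.Sprint(adminRoles[rows[i].Role])
	}
	return rows
}

func main() {
	fmt.Println(len(collectAndAnalyze(100, map[string]bool{"role-admin": true})), "rows analyzed")
}
```

Dropping the `<-done` wait reintroduces the symptom: the analysis loop can see a partial `rows` slice, and `go run -race` reports the unsynchronized access.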