Add Jenkins Setup Admin Password rule

praetorian-inc · Nov 20, 2024 · ead14b1 · ead14b1
1 parent 6709c75
commit ead14b1
Show file tree

Hide file tree

Showing 7 changed files with 66 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -32,6 +32,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
   - `Credentials in MongoDB Connection String` ([#232](https://github.com/praetorian-inc/noseyparker/pull/232))
   - `Credentials in PostgreSQL Connection URI` ([#227](https://github.com/praetorian-inc/noseyparker/pull/227))
   - `Django Secret Key` ([#227](https://github.com/praetorian-inc/noseyparker/pull/227))
+  - `Jenkins Setup Admin Password`
   - `Jina Search Foundation API Key`
   - `JSON Web Token Secret` ([#232](https://github.com/praetorian-inc/noseyparker/pull/232))
   - `HTTP Basic Authentication`

diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@ Nosey Parker is a command-line tool that finds secrets and sensitive information
 
 **Key features:**
 - It natively scans files, directories, and Git repository history
-- It uses regular expression matching with a set of [154 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high signal-to-noise based on experience and feedback from offensive security engagements
+- It uses regular expression matching with a set of [155 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high signal-to-noise based on experience and feedback from offensive security engagements
 - It deduplicates its findings, grouping matches together that share the same secret, which in practice can reduce review burden by 100x or more compared to other tools
 - It is fast: it can scan at hundreds of megabytes per second on a single core, and is able to scan 100GB of Linux kernel source history in less than 2 minutes on an older MacBook Pro
 - It scales: it has scanned inputs as large as 20TiB during security engagements

diff --git a/...oseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap b/...oseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap
@@ -2,4 +2,4 @@
 source: crates/noseyparker-cli/tests/rules/mod.rs
 expression: stdout
 ---
-154 rules and 3 rulesets: no issues detected
+155 rules and 3 rulesets: no issues detected
diff --git a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap
@@ -1796,6 +1796,27 @@ expression: stdout
         ]
       }
     },
+    {
+      "id": "np.jenkins.2",
+      "structural_id": "2f99a1df52be6853e8c824b292b2a18a157ce57e",
+      "name": "Jenkins Setup Admin Password",
+      "syntax": {
+        "name": "Jenkins Setup Admin Password",
+        "id": "np.jenkins.2",
+        "pattern": "(?x)(?m)\nPlease\\ use\\ the\\ following\\ password\\ to\\ proceed\\ to\\ installation:\n(?: \\n\\n | \\r\\n\\r\\n )\n([a-f0-9]{30,36})$\n",
+        "examples": [
+          "*************************************************************\n*************************************************************\n*************************************************************\n\nJenkins initial setup is required. An admin user has been created and a password generated.\nPlease use the following password to proceed to installation:\n\nbd9627decc6346d780b3b6ab6ea8fe1f\n\nThis may also be found at: /root/.jenkins/secrets/initialAdminPassword\n\n*************************************************************\n*************************************************************\n*************************************************************\n"
+        ],
+        "negative_examples": [],
+        "references": [
+          "https://www.jenkins.io/doc/book/installing/linux/#setup-wizard"
+        ],
+        "categories": [
+          "fuzzy",
+          "secret"
+        ]
+      }
+    },
     {
       "id": "np.jina.1",
       "structural_id": "63bcdb8ecf540be4558d57248a668b2e1f642f78",
@@ -3735,7 +3756,7 @@ expression: stdout
     {
       "id": "default",
       "name": "Nosey Parker default rules",
-      "num_rules": 133
+      "num_rules": 134
     },
     {
       "id": "np.assets",

diff --git a/...s/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap b/...s/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap
@@ -79,6 +79,7 @@ expression: stdout
  np.http.2            HTTP Bearer Token                                         fuzzy, generic, secret 
  np.huggingface.1     HuggingFace User Access Token                             api, secret 
  np.jenkins.1         Jenkins Token or Crumb                                    api, fuzzy, secret 
+ np.jenkins.2         Jenkins Setup Admin Password                              fuzzy, secret 
  np.jina.1            Jina Search Foundation API Key                            api, secret 
  np.jwt.1             JSON Web Token (base64url-encoded)                        api 
  np.jwt.2             JSON Web Token Secret                                     fuzzy, secret 
@@ -161,6 +162,6 @@ expression: stdout
 
  Ruleset ID   Ruleset Name                         Rules 
 ─────────────────────────────────────────────────────────
- default      Nosey Parker default rules             133 
+ default      Nosey Parker default rules             134 
  np.assets    Nosey Parker asset detection rules      15 
  np.hashes    Nosey Parker password hash rules         6
diff --git a/crates/noseyparker/data/default/builtin/rules/jenkins.yml b/crates/noseyparker/data/default/builtin/rules/jenkins.yml
@@ -35,3 +35,41 @@ rules:
   references:
   - https://www.jenkins.io/blog/2018/07/02/new-api-token-system/
   - https://www.jenkins.io/doc/book/security/csrf-protection/
+
+
+- name: Jenkins Setup Admin Password
+  id: np.jenkins.2
+
+  pattern: |
+    (?x)(?m)
+    Please\ use\ the\ following\ password\ to\ proceed\ to\ installation:
+    (?: \n\n | \r\n\r\n )
+    ([a-f0-9]{30,36})$
+
+  examples:
+  - |
+      *************************************************************
+      *************************************************************
+      *************************************************************
+
+      Jenkins initial setup is required. An admin user has been created and a password generated.
+      Please use the following password to proceed to installation:
+
+      bd9627decc6346d780b3b6ab6ea8fe1f
+
+      This may also be found at: /root/.jenkins/secrets/initialAdminPassword
+
+      *************************************************************
+      *************************************************************
+      *************************************************************
+
+  categories: [fuzzy, secret]
+
+  description: |
+    A Jenkins setup wizard admin user password was detected.
+    This password is used to configure a new Jenkins installation.
+    An attacker with possession of this password could control the Jenkins instance.
+    This could enable exfiltration of proprietary code, insertion of backdoors, or lateral movement to other resources.
+
+  references:
+  - https://www.jenkins.io/doc/book/installing/linux/#setup-wizard
diff --git a/crates/noseyparker/data/default/builtin/rulesets/default.yml b/crates/noseyparker/data/default/builtin/rulesets/default.yml
@@ -79,6 +79,7 @@ rulesets:
   - np.http.2         # HTTP Bearer Token
   - np.huggingface.1  # HuggingFace User Access Token
   - np.jenkins.1      # Jenkins Token or Crumb
+  - np.jenkins.2      # Jenkins Setup Admin Password
   - np.jina.1         # Jina Search Foundation API Key
   - np.jwt.1          # JSON Web Token (base64url-encoded)
   - np.jwt.2          # JSON Web Token Secret