

Added new security commands
leandrodamascena committed Nov 16, 2020
1 parent f07961b commit 400f636
Showing 3 changed files with 109 additions and 0 deletions.
16 changes: 16 additions & 0 deletions cloudiscovery/provider/security/data/commands_enabled.py
Expand Up @@ -13,6 +13,14 @@
"method": "ebs_encryption",
"short_description": "Check that Amazon Elastic Block Store (EBS) encryption is enabled by default.",
},
"restricted-ssh": {
"parameters": [
{"name": "restricted_ssh", "default_value": "no", "type": "bool"}
],
"class": "EC2",
"method": "restricted_ssh",
"short_description": "Checks whether SG that are in use disallow unrestricted incoming SSH traffic.",
},
"imdsv2-check": {
"parameters": [{"name": "imdsv2_check", "default_value": "no", "type": "bool"}],
"class": "EC2",
Expand All @@ -25,4 +33,12 @@
"method": "pitr_enabled",
"short_description": "Checks that point in time recovery is enabled for Amazon DynamoDB tables.",
},
"cloudtrail-enabled": {
"parameters": [
{"name": "cloudtrail_enabled", "default_value": "no", "type": "bool"}
],
"class": "CLOUDTRAIL",
"method": "cloudtrail_enabled",
"short_description": "Checks whether AWS CloudTrail is enabled in your AWS account.",
},
}
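Review bot: The `restricted-ssh` short_description promises to check only security groups "that are in use", but nothing in this commit filters on attachment — the EC2 hunk below walks every group returned by describe_security_groups, so the text overclaims what the check does. Either drop the qualifier, `"short_description": "Checks whether security groups allow unrestricted inbound SSH (0.0.0.0/0 or ::/0) on port 22.",`, or implement the in-use filter (e.g. via describe_network_interfaces) before keeping the wording. Likewise `cloudtrail-enabled` says it checks that CloudTrail is enabled, while the CLOUDTRAIL hunk only tests that a trail object exists; a description such as `"Checks whether at least one CloudTrail trail exists (does not verify that logging is active)."` would match the implementation as shipped. The dictionary enclosing these entries begins outside the hunks.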
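--- /dev/null
+++ b/cloudiscovery/provider/security/resource/commands/CLOUDTRAIL.py
@@ -0,0 +1,37 @@
+from provider.security.command import SecurityOptions
+
+from shared.common import (
+Resource,
+ResourceDigest,
+SecurityValues,
+)
+
+
+class CLOUDTRAIL:
+def __init__(self, options: SecurityOptions):
+self.options = options
+
+def cloudtrail_enabled(self, cloudtrail_enabled):
+
+client = self.options.client("cloudtrail")
+
+trails = client.list_trails()
+
+resources_found = []
+
+if not trails["Trails"]:
+resources_found.append(
+Resource(
+digest=ResourceDigest(id="cloudtrail", type="cloudtrail_enabled"),
+details="CLOUDTRAIL disabled",
+name="cloudtrail",
+group="cloudtrail_security",
+security=SecurityValues(
+status="CRITICAL",
+parameter="cloudtrail_enabled",
+value="False",
+),
+)
+)
+
+return resources_found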
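Review bot: `if not trails["Trails"]:` only proves that a trail object exists, not that CloudTrail is logging: a trail whose logging was stopped with StopLogging (the usual way an intruder silences the audit trail) still appears in list_trails, so the check stays silent while the account produces no events. Each trail's GetTrailStatus response carries `IsLogging`; the finding should fire when no trail has it set, as sketched below (the Resource construction is unchanged). Note also that list_trails is a regional call, so a single-region trail homed elsewhere would not count here — probably acceptable, but worth stating with a comment such as `# Regional call: only trails visible from the configured region are considered.`. The status lookup costs one extra request per trail, which is negligible for this check.
```python
def cloudtrail_enabled(self, cloudtrail_enabled):

    client = self.options.client("cloudtrail")

    trails = client.list_trails()["Trails"]

    # A trail that exists but is not logging gives no audit coverage; look at
    # each trail's status rather than at its mere existence.
    logging_trails = [
        trail
        for trail in trails
        if client.get_trail_status(Name=trail["TrailARN"]).get("IsLogging")
    ]

    resources_found = []

    if not logging_trails:
        # … unchanged: append the CRITICAL "CLOUDTRAIL disabled" Resource …

    return resources_found
```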
56 changes: 56 additions & 0 deletions cloudiscovery/provider/security/resource/commands/EC2.py
Expand Up @@ -70,3 +70,59 @@ def imdsv2_check(self, imdsv2_check):
)

return resources_found

def restricted_ssh(self, restricted_ssh):

client = self.options.client("ec2")

security_groups = client.describe_security_groups()

resources_found = []

# pylint: disable=too-many-nested-blocks
for security_group in security_groups["SecurityGroups"]:
for ip_permission in security_group["IpPermissions"]:
if "FromPort" in ip_permission and "ToPort" in ip_permission:
# Port 22 possible opened using port range
if ip_permission["FromPort"] <= 22 >= ip_permission["ToPort"]:
# IPv4
for cidr in ip_permission["IpRanges"]:
if cidr["CidrIp"] == "0.0.0.0/0":
resources_found.append(
Resource(
digest=ResourceDigest(
id=security_group["GroupId"],
type="restricted_ssh",
),
details="The SSH port of this security group is opened to the world.",
name=security_group["GroupName"],
group="ec2_security",
security=SecurityValues(
status="CRITICAL",
parameter="restricted_ssh",
value="False",
),
)
)

# IPv6
for cidr in ip_permission["Ipv6Ranges"]:
if cidr["CidrIpv6"] == "::/0":
resources_found.append(
Resource(
digest=ResourceDigest(
id=security_group["GroupId"],
type="restricted_ssh",
),
details="The SSH port of this security group is opened to the world.",
name=security_group["GroupName"],
group="ec2_security",
security=SecurityValues(
status="CRITICAL",
parameter="restricted_ssh",
value="False",
),
)
)

return resources_found
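Review bot: The port test `if ip_permission["FromPort"] <= 22 >= ip_permission["ToPort"]:` is inverted: as a chained comparison it reads FromPort <= 22 and ToPort <= 22, so a rule opening 0-65535 (or 22-1024) to 0.0.0.0/0 is never flagged while a 20-21 FTP rule is reported as SSH; the intended test is `ip_permission["FromPort"] <= 22 <= ip_permission["ToPort"]`. Two more cases slip past the `"FromPort" in ip_permission` guard: an all-traffic rule (IpProtocol "-1") carries no port keys and is skipped although it includes SSH, and ICMP rules carry type/code in FromPort/ToPort (echo request is 8/-1) and would satisfy the numeric test, so the protocol has to be checked first. The rewrite below folds those points in and emits one finding per group instead of one per matching range; the Resource construction is unchanged. The context lines at the top of the hunk belong to imdsv2_check, whose body begins outside it.
```python
def restricted_ssh(self, restricted_ssh):

    client = self.options.client("ec2")

    security_groups = client.describe_security_groups()

    resources_found = []

    for security_group in security_groups["SecurityGroups"]:
        for ip_permission in security_group["IpPermissions"]:
            protocol = ip_permission.get("IpProtocol")
            if protocol == "-1":
                # "All traffic": no FromPort/ToPort, but it includes TCP/22.
                covers_ssh = True
            elif protocol == "tcp":
                # Port 22 may be opened as part of a wider range.
                covers_ssh = ip_permission["FromPort"] <= 22 <= ip_permission["ToPort"]
            else:
                # UDP/ICMP/protocol numbers: FromPort/ToPort are not TCP ports.
                covers_ssh = False
            if not covers_ssh:
                continue

            open_v4 = any(r["CidrIp"] == "0.0.0.0/0" for r in ip_permission["IpRanges"])
            open_v6 = any(r["CidrIpv6"] == "::/0" for r in ip_permission["Ipv6Ranges"])
            if open_v4 or open_v6:
                # … unchanged: append the CRITICAL restricted_ssh Resource for this group …
                break  # one finding per security group is enough

    return resources_found
```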
