-
Notifications
You must be signed in to change notification settings - Fork 53
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Remove default exemption for ports 80 and 443 on Open Security Group …
…rules (#196) * Remove default exemption for ports 80 and 443 on Open Security Group rules * Update filter to perform equality check on the powerset of allowed ports Co-authored-by: Oliver Crawford <oliver.crawford@skyscanner.net>
- Loading branch information
1 parent
1bc3ff4
commit 869eb58
Showing
8 changed files
with
129 additions
and
10 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,3 @@ | ||
VERSION = (1, 1, 2) | ||
VERSION = (1, 2, 0) | ||
|
||
__version__ = ".".join(map(str, VERSION)) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
46 changes: 46 additions & 0 deletions
46
cfripper/config/rule_configs/allow_http_ports_open_to_world.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
from itertools import chain, combinations | ||
|
||
from cfripper.config.filter import Filter | ||
from cfripper.model.enums import RuleMode | ||
|
||
""" | ||
To use this Filter, or any Filter, make sure to include it in the `Config` instantiation. | ||
```python | ||
FILTERS = [allow_http_ports_open_to_world_rules_config_filter] | ||
config = Config( | ||
... | ||
rules_filters=FILTERS, | ||
) | ||
``` | ||
""" | ||
|
||
|
||
ALLOWED_PORTS = [80, 443] | ||
|
||
|
||
def powerset(iterable): | ||
# https://docs.python.org/3/library/itertools.html#itertools-recipes | ||
# powerset([1,2,3]) --> () (1,) (2,) (3,) (1,2) (1,3) (2,3) (1,2,3) | ||
s = list(iterable) | ||
return chain.from_iterable(combinations(s, r) for r in range(len(s) + 1)) | ||
|
||
|
||
allow_http_ports_open_to_world_rules_config_filter = Filter( | ||
reason="It can be acceptable to have Security Groups publicly available on ports 80 or 443.", | ||
rule_mode=RuleMode.ALLOWED, | ||
eval={ | ||
"and": [ | ||
{"exists": {"ref": "open_ports"}}, | ||
{ | ||
"or": [ | ||
{"eq": [list(subset_allowed_ports), {"ref": "open_ports"}]} | ||
for subset_allowed_ports in powerset(ALLOWED_PORTS) | ||
if subset_allowed_ports | ||
] | ||
}, | ||
] | ||
}, | ||
rules={"EC2SecurityGroupOpenToWorldRule", "EC2SecurityGroupIngressOpenToWorldRule"}, | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,9 +1,12 @@ | ||
from cfripper.config.rule_config import RuleConfig | ||
from cfripper.config.rule_configs.allow_http_ports_open_to_world import ( | ||
allow_http_ports_open_to_world_rules_config_filter, | ||
) | ||
from cfripper.config.rule_configs.firehose_ips import firehose_ips_rules_config_filter | ||
from cfripper.model.enums import RuleMode | ||
|
||
RULES_CONFIG = { | ||
"EC2SecurityGroupMissingEgressRule": RuleConfig(rule_mode=RuleMode.DISABLED), | ||
} | ||
|
||
FILTERS = [firehose_ips_rules_config_filter] | ||
FILTERS = [allow_http_ports_open_to_world_rules_config_filter, firehose_ips_rules_config_filter] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
19 changes: 19 additions & 0 deletions
19
...est_templates/rules/EC2SecurityGroupOpenToWorldRule/invalid_security_group_port78_81.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
{ | ||
"AWSTemplateFormatVersion": "2010-09-09", | ||
"Resources": { | ||
"SecurityGroup": { | ||
"Type": "AWS::EC2::SecurityGroup", | ||
"Properties": { | ||
"GroupDescription": "description", | ||
"SecurityGroupIngress": [ | ||
{ | ||
"IpProtocol": "tcp", | ||
"CidrIp": "0.0.0.0/0", | ||
"FromPort": 78, | ||
"ToPort": 81 | ||
} | ||
] | ||
} | ||
} | ||
} | ||
} |