Permalink
Fetching contributors…
Cannot retrieve contributors at this time
134 lines (112 sloc) 4.59 KB
name "Security Group with High Open Ports"
rs_pt_ver 20180301
type "policy"
short_description "A policy that sends email notifications when a security group has unapproved open ports. See the [README](https://github.com/rightscale/policy_templates/tree/master/security/security_groups/high_open_ports) and [docs.rightscale.com/policies](http://docs.rightscale.com/policies/) to learn more."
long_description "Version: 1.4"
severity "high"
category "Security"
permission "general_permissions" do
resources "rs_cm.clouds", "rs_cm.security_groups", "rs_cm.security_group_rules"
actions "rs_cm.index","rs_cm.show"
end
parameter "param_email" do
type "list"
label "Email addresses of the recipients you wish to notify"
end
parameter "param_port_info" do
type "number"
label "Beginning High Port"
default 1024
end
auth "rs", type: "rightscale"
resources "clouds", type: "rs_cm.clouds"
resources "security_groups", type: "rs_cm.security_groups" do
iterate @clouds
cloud_href href(iter_item)
end
resources "security_group_rules", type: "rs_cm.security_group_rules"
resources "networks", type: "rs_cm.networks"
datasource "ds_security_groups" do
iterate @security_groups
field "resource_uid", val(iter_item, "resource_uid")
field "name", val(iter_item, "name")
field "href", href(iter_item)
field "network_href", jmes_path(iter_item, "links[?rel=='network'].href | [0]")
end
datasource "ds_networks" do
iterate @networks
field "name", val(iter_item, "name")
field "href", href(iter_item)
end
datasource "ds_security_group_rules" do
iterate @security_group_rules
field "href", href(iter_item)
field "protocol", val(iter_item, "protocol")
field "source_type", val(iter_item, "source_type")
field "description", val(iter_item, "description")
field "security_group_href", jmes_path(iter_item, "links[?rel=='security_group'].href | [0]")
field "end_port", val(iter_item, "end_port")
field "start_port", val(iter_item,"start_port")
end
datasource "ds_munged_security_groups" do
run_script $js_munge_sec_group, $ds_security_groups, $ds_security_group_rules, $ds_networks, rs_project_id, rs_cm_host
end
script "js_munge_sec_group", type: "javascript" do
parameters "ds_security_groups", "ds_security_group_rules", "ds_networks", "rs_project_id", "rs_cm_host"
result "groups_and_rules"
code <<-EOS
var security_groups = {};
for (var index = 0; index < ds_security_groups.length; index++) {
var security_group = ds_security_groups[index];
security_groups[security_group.href] = security_group;
}
var networks = {};
for (var index = 0; index < ds_networks.length; index++) {
var network = ds_networks[index];
networks[network.href] = network;
}
var groups_and_rules=[];
var base_url="https://" + rs_cm_host + "/acct/"
for (var index = 0; index < ds_security_group_rules.length; index++) {
var security_group_rule = ds_security_group_rules[index];
var security_group = security_groups[security_group_rule.security_group_href];
var network = networks[security_group.network_href];
if (network) {
var security_group_access_link_root = base_url.concat(rs_project_id, '/network_manager#networks/', network.href.split('/')[3], '/security_groups/', security_group.href.split('/')[5]);
} else {
network = {};
}
groups_and_rules.push({
security_group_name: security_group.name,
security_group_href: security_group.href,
href: security_group_rule.href,
protocol: security_group_rule.protocol,
source_type: security_group_rule.source_type,
description: security_group_rule.description,
start_port: security_group_rule.start_port,
end_port: security_group_rule.end_port,
network_href: network.href,
network_name: network.name,
security_group_access_link_root: security_group_access_link_root
})
};
EOS
end
escalation "report_security_groups_with_open_ports" do
email $param_email
end
policy "rule_open_ports" do
validate_each $ds_munged_security_groups do
summary_template "{{ rs_project_name }} (Account ID: {{ rs_project_id }}): {{ len data }} Security Group Rules With High Open Ports"
detail_template <<-EOS
# Security Group Rules With High Open Ports
| Security Group Name | Start Port | End Port | Protocol | Network Name | Security Group Access Link |
| ------------------- | ---------- | -------- | -------- | ------------ | -------------------------- |
{{ range data -}}
| {{ .security_group_name }} | {{.start_port }} | {{ .end_port }} | {{.protocol}} | {{.network_name}} | {{.security_group_access_link_root}} |
{{ end -}}
EOS
escalate $report_security_groups_with_open_ports
check lt(to_n(val(item,"end_port")), $param_port_info)
end
end