
#409 Ineffective NACL rules #423

Merged
21 commits merged into master from feature/409_ineffective_nacl_rules
Apr 21, 2020

Conversation

thegonch (Contributor) commented Apr 1, 2020

In reference to #409.

  • Updates cfn-model gem to 0.4.28
  • Creates rules around ineffective NACL entry rules, which are separated by egress and ingress since they can each have the same reused rule number, including:
    • Failing on duplicate rule numbers
    • Warning on deny rules that do not cover the full CIDR range
    • Warning when reusing port ranges
  • Spec tests for the above
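The three checks listed above, as an added example that is not cfn_nag's own code: a plain Struct stands in for the cfn-model NACL entry, and the field names (rule_number, egress, rule_action, cidr_block, protocol, port_from, port_to), the sample entries and the decision to compare port ranges only within the same protocol are this example's assumptions, not the project's. Ingress and egress entries are kept in separate tables throughout, since AWS allows the same rule number once in each direction.

```ruby
# Added example, not cfn_nag's own code: the three NACL-entry checks described in the
# PR text, written over a plain Struct. Field names (rule_number, egress, rule_action,
# cidr_block, protocol, port_from, port_to) are this example's assumptions, not the
# attribute names of the cfn-model gem.
require 'ipaddr'

NaclEntry = Struct.new(:logical_resource_id, :rule_number, :egress, :rule_action,
                       :cidr_block, :protocol, :port_from, :port_to, keyword_init: true)

# Ingress and egress are separate tables: AWS lets the same rule number appear once in
# each direction, so entries are only ever compared within their own direction.
def by_direction(entries)
  entries.group_by { |e| e.egress ? :egress : :ingress }
end

# Rule 1 (failure): two entries in one direction share a rule number. AWS evaluates
# entries in rule-number order and stops at the first match, so the second never applies.
def duplicate_rule_numbers(entries)
  by_direction(entries).flat_map do |_dir, dir_entries|
    dir_entries.group_by(&:rule_number)
               .select { |_num, same| same.size > 1 }
               .flat_map { |_num, same| same.map(&:logical_resource_id) }
  end
end

# 0.0.0.0/0 or ::/0; anything unparsable is treated as "not full range" and flagged.
def full_range?(cidr)
  return false if cidr.nil?

  IPAddr.new(cidr).prefix.zero?
rescue IPAddr::Error
  false
end

# Rule 2 (warning): a deny entry whose CIDR is narrower than the whole address space.
# Such a deny is trivially sidestepped from any address outside that CIDR.
def partial_denies(entries)
  entries.select { |e| e.rule_action.to_s.casecmp('deny').zero? }
         .reject { |e| full_range?(e.cidr_block) }
         .map(&:logical_resource_id)
end

# Entries with no port range (e.g. protocol -1, "all traffic") count as 0..65535.
def port_range(entry)
  from = entry.port_from || 0
  to = entry.port_to || 65_535
  [from, to].min..[from, to].max
end

def ranges_overlap?(a, b)
  a.begin <= b.end && b.begin <= a.end
end

# Rule 3 (warning): two entries in the same direction and protocol cover overlapping
# ports. Whether that is harmful depends on rule order, hence a warning, not a failure.
# Grouping by protocol is a choice made for this example (TCP/22 and UDP/22 do not clash).
def overlapping_ports(entries)
  by_direction(entries).flat_map do |_dir, dir_entries|
    dir_entries.group_by(&:protocol).flat_map do |_proto, same_proto|
      same_proto.combination(2).flat_map do |a, b|
        ranges_overlap?(port_range(a), port_range(b)) ? [a, b] : []
      end
    end
  end.map(&:logical_resource_id).uniq
end

def audit_nacl(entries)
  {
    failures: duplicate_rule_numbers(entries),
    warnings: { partial_deny: partial_denies(entries),
                overlapping_ports: overlapping_ports(entries) }
  }
end

# Constructed sample set (not from a real template) with one defect per rule:
# AllowSsh/AllowWeb reuse ingress rule 100, DenyOneHost denies a single /32, and
# AllowWeb (80-443) overlaps AllowHttps (443); EgressAll reuses 100 legitimately.
SAMPLE_ENTRIES = [
  NaclEntry.new(logical_resource_id: 'AllowSsh', rule_number: 100, egress: false,
                rule_action: 'allow', cidr_block: '0.0.0.0/0', protocol: 6, port_from: 22, port_to: 22),
  NaclEntry.new(logical_resource_id: 'AllowWeb', rule_number: 100, egress: false,
                rule_action: 'allow', cidr_block: '0.0.0.0/0', protocol: 6, port_from: 80, port_to: 443),
  NaclEntry.new(logical_resource_id: 'DenyOneHost', rule_number: 110, egress: false,
                rule_action: 'deny', cidr_block: '203.0.113.7/32', protocol: 6, port_from: 22, port_to: 22),
  NaclEntry.new(logical_resource_id: 'AllowHttps', rule_number: 120, egress: false,
                rule_action: 'allow', cidr_block: '0.0.0.0/0', protocol: 6, port_from: 443, port_to: 443),
  NaclEntry.new(logical_resource_id: 'EgressAll', rule_number: 100, egress: true,
                rule_action: 'allow', cidr_block: '0.0.0.0/0', protocol: -1, port_from: nil, port_to: nil)
].freeze

pp audit_nacl(SAMPLE_ENTRIES) if $PROGRAM_NAME == __FILE__
```

Each check is a pipeline of group_by/select/flat_map with no state carried outside the block, which is the shape the reviewer asks for below; the duplicate-number check returns every entry that shares a number (both offenders, not just the second), since either one could be the intended rule.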

@thegonch requested a review from a team April 1, 2020 16:36

@ghost left a comment

There are a number of places in this code where select/each/map are/aren't being used the way they should be. I'd advocate using select/map where you can instead of each with outside state (the code is using select with outside state, which doesn't make sense). I think the rules themselves make sense. If the port range stuff overlaps... I think it's a good way to warn developers they could be making trouble for themselves.

thegonch (Contributor, Author) commented Apr 7, 2020

> There are a number of places in this code where select/each/map are/aren't being used the way they should be. I'd advocate using select/map where you can instead of each with outside state (the code is using select with outside state, which doesn't make sense). I think the rules themselves make sense. If the port range stuff overlaps... I think it's a good way to warn developers they could be making trouble for themselves.

@erickascic I've updated the code here, though it is pending the review/merge of stelligent/cfn-model#77 to pull in the updated cfn-model gem.

@thegonch requested a review from a user April 8, 2020 18:18
@thegonch linked an issue Apr 15, 2020 that may be closed by this pull request

```ruby
if ports.nil?
  nacl_entry_range
else
  port_min = nacl_entry_range.min < ports.min ? nacl_entry_range.min : ports.min
```
I believe this code is the same as [nacl_entry_range.min, ports.min].min

Not a big deal, but you save 1 point per statement on CCM.

```ruby
  violating_nacl_entries += violating_nacl_entries(nacl)
end

violating_nacl_entries.uniq.map(&:logical_resource_id)
```
Is the use of uniq necessary and tested? I don't believe hash or eql? are defined for the NACL entry model element.
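The point behind that question, shown as an added example rather than anything from cfn_nag or cfn-model: Array#uniq deduplicates by #hash and #eql?, so on a model class that defines neither, two objects describing the same resource are kept as two. The class names here are illustrative; the third function shows the alternative of deduplicating on the id string, which needs no equality methods on the model at all.

```ruby
# Added example, not cfn_nag's or cfn-model's code. Demonstrates why Array#uniq
# on model objects depends on #hash and #eql?. Class names are illustrative only.

# A model element with no value semantics: every instance is distinct to #uniq,
# even when it carries the same logical_resource_id.
class PlainEntry
  attr_reader :logical_resource_id

  def initialize(logical_resource_id)
    @logical_resource_id = logical_resource_id
  end
end

# Same data, but #eql?/#hash are defined on the identifying field, so two
# instances for one resource land in the same hash bucket and compare equal.
class KeyedEntry < PlainEntry
  def eql?(other)
    other.is_a?(KeyedEntry) && logical_resource_id == other.logical_resource_id
  end
  alias == eql?

  def hash
    logical_resource_id.hash
  end
end

# Constructed input: two entries for EntryA and one for EntryB.
def sample(klass)
  [klass.new('EntryA'), klass.new('EntryA'), klass.new('EntryB')]
end

# How many survive uniq: 3 for PlainEntry (no eql?/hash), 2 for KeyedEntry.
def uniq_count(klass)
  sample(klass).uniq.size
end

# Deduplicating on the id string instead of the object works for either class,
# because String already defines #eql? and #hash.
def uniq_ids(klass)
  sample(klass).map(&:logical_resource_id).uniq
end

if $PROGRAM_NAME == __FILE__
  puts "PlainEntry uniq: #{uniq_count(PlainEntry)}, KeyedEntry uniq: #{uniq_count(KeyedEntry)}"
  puts "By id: #{uniq_ids(PlainEntry).inspect}"
end
```

The practical consequence for code like violating_nacl_entries.uniq.map(&:logical_resource_id) is that swapping the two calls, map first and then uniq, gives a deterministic result regardless of what the model class defines.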

@ghost left a comment
inline plus the cross-product bit we discussed offline

…edPortsRule.rb to lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb. Clean up overlap logic.
@ghost merged commit ee9d923 into master Apr 21, 2020
@ghost deleted the feature/409_ineffective_nacl_rules branch April 27, 2020 14:58
Successfully merging this pull request may close these issues:
Rule for considering order of NACL entries