cfn-nag 0.3.81 → 0.3.82
- checksums.yaml +4 -4
- data/lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb +33 -0
- data/lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb +1 -25
- data/lib/cfn-nag/custom_rules/RDSInstanceMasterUsernameRule.rb +3 -30
- data/lib/cfn-nag/util/enforce_noecho_parameter.rb +24 -0
- data/lib/cfn-nag/util/truthy.rb +7 -0
- metadata +5 -2
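--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 93fe11635dc84e8b2b2dd8da535dae76801eb495589eee4fd9563b02104d6215
+data.tar.gz: 5fddddfbf4bcd954492b0a12500ff44ac7fe22826cd8d6ad3c794870c9d9e675
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9dd593f6cb582991b8e4b5da61668f18d5a59646c9e7c1484395974ad2ea5f86978b2b4a2d99179b720dd4b8aadd536f9e4dee0d5f94157501c751663ee48a73
+data.tar.gz: e12af655af934e41450f5df8499ee95f539fd2285a48978af1694ae8614da24118cc50f011ea12ba94392748e7a890af17273ca1024c21ec518d32d8b60047ea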
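--- /dev/null
+++ b/data/lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_noecho_parameter'
+require_relative 'base'
+
+# Rule class to fail on DirectoryService::SimpleAD password in template
+class DirectoryServiceSimpleADPasswordRule < BaseRule
+def rule_text
+'DirectoryService::SimpleAD should use a parameter for password, with NoEcho'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F31'
+end
+
+def audit_impl(cfn_model)
+violating_ad = cfn_model.resources_by_type('AWS::DirectoryService::SimpleAD')
+.select do |ad|
+if ad.password.nil?
+false
+else
+!no_echo_parameter_without_default?(cfn_model,
+ad.password)
+end
+end
+violating_ad.map(&:logical_resource_id)
+end
+end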
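Review bot: The `rule_text` string under-describes what `audit_impl` enforces: `no_echo_parameter_without_default?` also rejects a NoEcho parameter that carries a `Default`, so a user who reads the F31 message, adds `NoEcho: true` and keeps a `Default` still fails with no hint why. Suggest `'DirectoryService::SimpleAD should use a NoEcho parameter without a Default for the password'` and the same wording in the class comment. A resource with no `Password` property at all is skipped by the `ad.password.nil?` branch rather than flagged; that is presumably deliberate because the property is mandatory for this resource type, but a one-line comment on that branch would save the next reader from wondering.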
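--- a/data/lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb
+++ b/data/lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_noecho_parameter.rb'
 require_relative 'base'
 
 class RDSInstanceMasterUserPasswordRule < BaseRule
@@ -34,29 +35,4 @@ class RDSInstanceMasterUserPasswordRule < BaseRule
 
 violating_rdsinstances.map(&:logical_resource_id)
 end
-
-private
-
-def to_boolean(string)
-string.to_s.casecmp('true').zero?
-end
-
-def no_echo_parameter_without_default?(cfn_model, master_user_password)
-# i feel like i've written this mess somewhere before
-if master_user_password.is_a? Hash
-if master_user_password.key? 'Ref'
-if cfn_model.parameters.key? master_user_password['Ref']
-parameter = cfn_model.parameters[master_user_password['Ref']]
-
-return to_boolean(parameter.noEcho) && parameter.default.nil?
-else
-return false
-end
-else
-return false
-end
-end
-# String or anything weird will fall through here
-false
-end
 end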
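Review bot: The added require carries an explicit `.rb` suffix, `require 'cfn-nag/util/enforce_noecho_parameter.rb'`, while RDSInstanceMasterUsernameRule.rb in this same release requires the same helper without it; Ruby resolves both to the same file, but the style guide omits the extension and one spelling keeps the requires grep-able. Suggest `require 'cfn-nag/util/enforce_noecho_parameter'`. The `audit_impl` that now reaches the shared helper starts before the second hunk, so its call site is not visible here; the removed private method had the same name, so presumably no call-site change was needed.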
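--- a/data/lib/cfn-nag/custom_rules/RDSInstanceMasterUsernameRule.rb
+++ b/data/lib/cfn-nag/custom_rules/RDSInstanceMasterUsernameRule.rb
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_noecho_parameter'
 require_relative 'base'
 
 # cfn_nag rules related to RDS Instance master username
@@ -29,39 +30,11 @@ class RDSInstanceMasterUsernameRule < BaseRule
 if instance.masterUsername.nil?
 false
 else
-!
-
+!no_echo_parameter_without_default?(cfn_model,
+instance.masterUsername)
 end
 end
 
 violating_rdsinstances.map(&:logical_resource_id)
 end
-
-private
-
-def to_boolean(string)
-if string.to_s.casecmp('true').zero?
-true
-else
-false
-end
-end
-
-def references_no_echo_parameter_without_default?(cfn_model, master_username)
-if master_username.is_a? Hash
-if master_username.key? 'Ref'
-if cfn_model.parameters.key? master_username['Ref']
-parameter = cfn_model.parameters[master_username['Ref']]
-
-return to_boolean(parameter.noEcho) && parameter.default.nil?
-else
-return false
-end
-else
-return false
-end
-end
-# String or anything weird will fall through here
-false
-end
 end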
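Review bot: The replacement keeps the three-way `if instance.masterUsername.nil? / false / else / !no_echo_parameter_without_default?(...) / end` shape inside the `select` block, which reads as a nested conditional for what is a single predicate; `!instance.masterUsername.nil? && !no_echo_parameter_without_default?(cfn_model, instance.masterUsername)` selects exactly the same instances in one line, and the same shape is repeated in the new DirectoryService rule in this release. The `audit_impl` that contains this block starts before the hunk, so only its tail is visible here.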
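--- /dev/null
+++ b/data/lib/cfn-nag/util/enforce_noecho_parameter.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/util/truthy.rb'
+
+# Migrated from multiple classes, with some modifications
+# Returns true if the provided key_to_check is a no-echo parameter
+# without a default value; false otherwise.
+def no_echo_parameter_without_default?(cfn_model, key_to_check)
+if key_to_check.is_a? Hash
+if key_to_check.key? 'Ref'
+if cfn_model.parameters.key? key_to_check['Ref']
+parameter = cfn_model.parameters[key_to_check['Ref']]
+
+return truthy?(parameter.noEcho) && parameter.default.nil?
+else
+return false
+end
+else
+return false
+end
+end
+# String or anything weird will fall through here
+false
+end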
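Review bot: Any value that is not a `{'Ref' => ...}` hash, including a Secrets Manager or SSM SecureString dynamic reference (`{{resolve:...}}`) written as a plain string, reaches the trailing `false`, and because both callers visible in this diff negate the result (`!no_echo_parameter_without_default?`) such a template is reported as a violation even though no secret is embedded in it; the header comment should state this limitation, e.g. `# Only {'Ref' => <NoEcho parameter without Default>} passes; strings, including {{resolve:...}} dynamic references, do not.` The three nested `if`/`else`/`return false` levels can also be flattened into guard clauses with identical results, as below. `truthy?` comes from `truthy.rb`, which this diff does not show, so whether it matches the removed `to_boolean` (`casecmp('true').zero?`) could not be confirmed here. Defining the method at file top level makes it a private method on every `Object`; a module that the rule classes `include` would keep it scoped.
```ruby
def no_echo_parameter_without_default?(cfn_model, key_to_check)
  # Only a {'Ref' => <parameter>} can satisfy this check; strings and other
  # intrinsics (including {{resolve:...}} dynamic references) never do.
  return false unless key_to_check.is_a?(Hash) && key_to_check.key?('Ref')

  ref = key_to_check['Ref']
  return false unless cfn_model.parameters.key?(ref)

  parameter = cfn_model.parameters[ref]
  truthy?(parameter.noEcho) && parameter.default.nil?
end
```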
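--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-version: 0.3.
+version: 0.3.82
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-
+date: 2019-05-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rspec
@@ -142,6 +142,7 @@ files:
 - lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb
 - lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb
 - lib/cfn-nag/custom_rules/CodeBuildEncryptionKeyRule.rb
+- lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb
 - lib/cfn-nag/custom_rules/EFSFileSystemEncryptedRule.rb
 - lib/cfn-nag/custom_rules/EbsVolumeHasSseRule.rb
 - lib/cfn-nag/custom_rules/ElastiCacheReplicationGroupAtRestEncryptionRule.rb
@@ -209,6 +210,8 @@ files:
 - lib/cfn-nag/rule_id_set.rb
 - lib/cfn-nag/rule_registry.rb
 - lib/cfn-nag/template_discovery.rb
+- lib/cfn-nag/util/enforce_noecho_parameter.rb
+- lib/cfn-nag/util/truthy.rb
 - lib/cfn-nag/violation.rb
 - lib/cfn-nag/violation_filtering.rb
 homepage: https://github.com/stelligent/cfn_nag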