cfn-nag 0.5.26 → 0.5.27
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: f7661d4fd465896a67ff7b8a2faa3df9bd5c432f8875333e56c9f22425ea24fe
|
4
|
+
data.tar.gz: 12a7a44a1010f5842a97e7f91b312264c799dcc1a096039eaf5cca52ba294903
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 400e1ba497ef38dd8888722f227b7ae6437645ac8a3b843eb5d30c5763459baee525c4dad8a3c0ae1026831d93640f48027013dee9522a2203f19942097c3d16
|
7
|
+
data.tar.gz: 5d72fc2ea9a23cf1d8611b63162967f318c74bba3757c13cfbd105b2bcd001ba44a366f0d1b7ff15aad631303c20984d848e9ee2a1ab64df2deff1dcef46e953
|
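--- a/lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb
+++ b/lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb
@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class EC2NetworkAclEntryPortRangeRule < BaseRule
+def rule_text
+'TCP/UDP protocol NetworkACL entries possibly should not allow all ports.'
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W67'
+end
+
+def audit_impl(cfn_model)
+violating_network_acl_entries = cfn_model.resources_by_type('AWS::EC2::NetworkAclEntry')
+.select do |network_acl_entry|
+violating_network_acl_entries?(network_acl_entry)
+end
+
+violating_network_acl_entries.map(&:logical_resource_id)
+end
+
+private
+
+# Port Range is required for protocols "6" (TCP) and "17" (UDP)
+def tcp_or_udp_protocol?(network_acl_entry)
+%w[6 17].include?(network_acl_entry.protocol)
+end
+
+def port_range_params_not_exist?(network_acl_entry)
+network_acl_entry.portRange.nil? ||
+network_acl_entry.portRange['From'].nil? || network_acl_entry.portRange['To'].nil?
+end
+
+def full_port_range?(network_acl_entry)
+network_acl_entry.portRange['From'] == '0' && network_acl_entry.portRange['To'] == '65535'
+end
+
+def violating_network_acl_entries?(network_acl_entry)
+tcp_or_udp_protocol?(network_acl_entry) && (port_range_params_not_exist?(network_acl_entry) ||
+full_port_range?(network_acl_entry))
+end
+end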
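Review bot: `full_port_range?` and `tcp_or_udp_protocol?` compare `portRange['From']`/`['To']` and `protocol` only against the strings `'0'`, `'65535'`, `'6'` and `'17'`, so a template that writes them as numbers (`From: 0`, `Protocol: 6`, which YAML and JSON parse as Integers) would not match and W67 would stay silent on exactly the entry it targets — assuming cfn_model passes property values through as parsed, which is worth confirming against a fixture. Normalising with `.to_s` covers both spellings, e.g. `%w[6 17].include?(network_acl_entry.protocol.to_s)` and `network_acl_entry.portRange['From'].to_s == '0' && network_acl_entry.portRange['To'].to_s == '65535'`; the same string-only comparisons appear in `tcp_udp_icmp_protocol?` and `icmpv6_protocol?` of EC2NetworkAclEntryProtocolRule in the next hunk. Unlike that sibling rule, `violating_network_acl_entries?` here never consults `ruleAction`, so a deny entry spanning all ports is reported too; if that is intended, a comment on the predicate such as `# Flags allow and deny entries alike: an all-port deny usually signals a misconfigured range` would save the next reader the comparison.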
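--- a/lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb
+++ b/lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb
@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class EC2NetworkAclEntryProtocolRule < BaseRule
+def rule_text
+'To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 ' \
+'(for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).'
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W66'
+end
+
+def audit_impl(cfn_model)
+violating_network_acl_entries = cfn_model.resources_by_type('AWS::EC2::NetworkAclEntry')
+.select do |network_acl_entry|
+violating_network_acl_entries?(network_acl_entry)
+end
+
+violating_network_acl_entries.map(&:logical_resource_id)
+end
+
+private
+
+# https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html#API_CreateNetworkAclEntry_RequestParameters
+# A value of "-1" means all protocols. If you specify "-1" or a protocol
+# number other than "6" (TCP), "17" (UDP), or "1" (ICMP), traffic on all ports
+# is allowed, regardless of any ports or ICMP types or codes that you specify.
+# If you specify protocol "58" (ICMPv6) and specify an IPv4 CIDR block,
+# traffic for all ICMP types and codes allowed, regardless of any that you
+# specify. If you specify protocol "58" (ICMPv6) and specify an IPv6 CIDR
+# block, you must specify an ICMP type and code.
+
+def rule_action_allow?(network_acl_entry)
+network_acl_entry.ruleAction == 'allow'
+end
+
+def tcp_udp_icmp_protocol?(network_acl_entry)
+%w[1 6 17].include?(network_acl_entry.protocol)
+end
+
+def icmpv6_protocol?(network_acl_entry)
+network_acl_entry.protocol == '58' && !network_acl_entry.ipv6CidrBlock.nil? &&
+!network_acl_entry.icmp.nil? && !network_acl_entry.icmp['Code'].nil? &&
+!network_acl_entry.icmp['Type'].nil?
+end
+
+def violating_network_acl_entries?(network_acl_entry)
+if rule_action_allow?(network_acl_entry)
+if tcp_udp_icmp_protocol?(network_acl_entry) ||
+icmpv6_protocol?(network_acl_entry)
+false
+else
+true
+end
+end
+end
+end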
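Review bot: `violating_network_acl_entries?` spells a single boolean out as two nested `if`s that return literal `false`/`true`, and it yields `nil` rather than `false` for deny entries because the outer `if` has no `else`; the whole body reduces to one expression, `rule_action_allow?(network_acl_entry) && !(tcp_udp_icmp_protocol?(network_acl_entry) || icmpv6_protocol?(network_acl_entry))`, which reads as the predicate its name promises and always returns a boolean. The block comment quoting the AWS API reference is helpful, but nothing ties `icmpv6_protocol?` back to it; a one-line comment on that method, such as `# Protocol 58 only narrows traffic when an IPv6 CIDR plus ICMP type and code are all given (see reference above)`, would make clear why the IPv4-CIDR case is deliberately left to be flagged.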
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cfn-nag
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.5.
|
4
|
+
version: 0.5.27
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Eric Kascic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-03-
|
11
|
+
date: 2020-03-17 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rake
|
@@ -198,6 +198,8 @@ files:
|
|
198
198
|
- lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb
|
199
199
|
- lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb
|
200
200
|
- lib/cfn-nag/custom_rules/DocDBDBClusterMasterUserPasswordRule.rb
|
201
|
+
- lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb
|
202
|
+
- lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb
|
201
203
|
- lib/cfn-nag/custom_rules/EC2SubnetMapPublicIpOnLaunchRule.rb
|
202
204
|
- lib/cfn-nag/custom_rules/EFSFileSystemEncryptedRule.rb
|
203
205
|
- lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb
|