cfn-nag 0.0.16 → 0.0.17

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3c770e0365059a4da534e9dd5c6cf5ccd9e7bdfc
-  data.tar.gz: 8f930ab8307b6248ae4940a17f8d9b4ed85b4e92
+  metadata.gz: d3284f4eba9d2cab9d7790dab39273f9401fbb09
+  data.tar.gz: e715f4800f39198bd95bc1fb6044ce1dd64644d6
 SHA512:
-  metadata.gz: cd100b68be2758194ecd45141e821fcbc6845e4f56204dbee2444913524714ecd317a8c41af36cca9fc35aaa59dff5488b3946d819b1dabaaaa9cca562a078d2
-  data.tar.gz: 464fad5e55f3d090078ed7a520304fc392d3f2106497b01bfaa2c6e4440fd3d328de5b4022dcdf8639e4e83cd4324894ceb5dac754d212e124dbf32e85a6edd6
+  metadata.gz: 06b61112e6e6cff426fcd6e07af0c0aa75f85f38914816bc1df48286e4aec04d76d9000d61202c9fae3a138e50d55c9af8ca0da56971f07644bdfde4b80f92a8
+  data.tar.gz: 43147a231964233735ee827ee0f1c9ec4894f6725904e95b137b3e8205181213d5ea5698e75ce704fd695025015e9a31467d65d1e14d0580587d79dfbdc75071

data/bin/cfn_nag_rules

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require 'cfn_nag'
+
+CfnNag.new.dump_rules

data/lib/cfn_nag.rb

@@ -4,10 +4,47 @@ require_relative 'custom_rules/user_missing_group'
 require_relative 'model/cfn_model'
 require_relative 'result_view/simple_stdout_results'
 require_relative 'result_view/json_results'
+require 'tempfile'
 
 class CfnNag
   include Rule
 
+  def initialize
+    @warning_registry = []
+    @violation_registry = []
+  end
+
+  def dump_rules
+    dummy_cfn = <<-END
+      {
+        "Resources": {
+          "resource1": {
+            "Type" : "AWS::EC2::DHCPOptions",
+            "Properties": {
+              "DomainNameServers" : [ "10.0.0.1" ]
+            }
+          }
+        }
+      }
+    END
+
+    Tempfile.open('tempfile') do |dummy_cfn_template|
+      dummy_cfn_template.write dummy_cfn
+      dummy_cfn_template.rewind
+      audit_file(input_json_path: dummy_cfn_template.path)
+    end
+
+    custom_rule_registry.each do |rule_class|
+      @violation_registry << rule_class.new.rule_text
+    end
+
+    puts 'WARNING VIOLATIONS:'
+    puts @warning_registry.sort
+    puts
+    puts 'FAILING VIOLATIONS:'
+    puts @violation_registry.sort
+  end
+
   def audit(input_json_path:,
             output_format:'txt')
 
@@ -129,13 +166,16 @@ class CfnNag
 
   def custom_rules(input_json_path)
     cfn_model = CfnModel.new.parse(IO.read(input_json_path))
-    rules = [
-      SecurityGroupMissingEgressRule,
-      UserMissingGroupRule
-    ]
-    rules.each do |rule_class|
+    custom_rule_registry.each do |rule_class|
       audit_result = rule_class.new.audit(cfn_model)
       @violations << audit_result unless audit_result.nil?
     end
   end
+
+  def custom_rule_registry
+    [
+      SecurityGroupMissingEgressRule,
+      UserMissingGroupRule
+    ]
+  end
 end

data/lib/custom_rules/security_group_missing_egress.rb

@@ -2,6 +2,10 @@ require_relative '../violation'
 
 class SecurityGroupMissingEgressRule
 
+  def rule_text
+    'Missing egress rule means all traffic is allowed outbound.  Make this explicit if it is desired configuration'
+  end
+
   def audit(cfn_model)
     logical_resource_ids = []
     cfn_model.security_groups.each do |security_group|
@@ -12,7 +16,7 @@ class SecurityGroupMissingEgressRule
 
     if logical_resource_ids.size > 0
       Violation.new(type: Violation::FAILING_VIOLATION,
-                    message: 'Missing egress rule means all traffic is allowed outbound.  Make this explicit if it is desired configuration',
+                    message: rule_text,
                     logical_resource_ids: logical_resource_ids)
     else
       nil

data/lib/custom_rules/user_missing_group.rb

@@ -2,6 +2,10 @@ require_relative '../violation'
 
 class UserMissingGroupRule
 
+  def rule_text
+    'User is not assigned to a group'
+  end
+
   def audit(cfn_model)
     logical_resource_ids = []
     cfn_model.iam_users.each do |iam_user|
@@ -12,7 +16,7 @@ class UserMissingGroupRule
 
     if logical_resource_ids.size > 0
       Violation.new(type: Violation::FAILING_VIOLATION,
-                    message: 'User is not assigned to a group',
+                    message: rule_text,
                     logical_resource_ids: logical_resource_ids)
     else
       nil

data/lib/json_rules/basic_rules.rb

@@ -1,5 +1,5 @@
 raw_fatal_assertion jq: '.Resources|length > 0',
-                    message: 'Must have at least 1 resource'
+                    message: 'A Cloudformation template must have at least 1 resource'
 
 
 %w(

data/lib/json_rules/cidr_rules.rb

@@ -28,19 +28,34 @@ warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | selec
 warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroupIngress" and .Properties.CidrIp|type == "string")|select(.Properties.CidrIp | test("^\\\d{1,3}\\\.\\\d{1,3}\\\.\\\d{1,3}\\\.\\\d{1,3}/(?!32)$") )]|map(.LogicalResourceId)',
         message: 'Security Group Standalone Ingress cidr found that is not /32'
 
-
-warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupIngress|type == "object"))|select(.Properties.SecurityGroupIngress.CidrIp|type == "string")|select(.Properties.SecurityGroupIngress.CidrIp | test("^\\\d{1,3}\\\.\\\d{1,3}\\\.\\\d{1,3}\\\.\\\d{1,3}/(?!32)$") )]|map(.LogicalResourceId)',
-        message: 'Security Groups found with cidr that is not /32'
-
-
-warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupIngress|type == "array"))|select(.Properties.SecurityGroupIngress[].CidrIp|type == "string")|select(.Properties.SecurityGroupIngress[].CidrIp | if .|type=="string" then test("^\\\d{1,3}\\\.\\\d{1,3}\\\.\\\d{1,3}\\\.\\\d{1,3}/(?!32)$") else false end)]|map(.LogicalResourceId)',
+non_32_cidr_jq_expression = <<END
+[.Resources |
+ with_entries(.value.LogicalResourceId = .key)[] |
+ select(.Type == "AWS::EC2::SecurityGroup") |
+ if (.Properties.SecurityGroupIngress|type == "object")
+ then (
+       select(.Properties.SecurityGroupIngress.CidrIp|type == "string")|
+       select(.Properties.SecurityGroupIngress.CidrIp|test("^\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}/(?!32)$"))
+      )
+ else (
+        if (.Properties.SecurityGroupIngress|type == "array")
+        then (
+               select(.Properties.SecurityGroupIngress[].CidrIp|type == "string")|
+               select(.Properties.SecurityGroupIngress[].CidrIp |
+                      (
+                        if (.|type=="string")
+                        then test("^\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}/(?!32)$")
+                        else empty
+                        end
+                      )
+                     )
+             )
+        else empty
+        end
+      )
+  end
+  ]|map(.LogicalResourceId)
+END
+
+warning jq: non_32_cidr_jq_expression,
         message: 'Security Groups found with cidr that is not /32'
-
-
-#for inline, this covers it, but with an externalized egress rule... the expression gets real evil
-#i guess the ideal would be to do a join of ingress and egress rules with the parent sg
-#but it gets real hairy with FnGetAtt for GroupId and all that.... think it best to
-#write some imperative code in custom rules to take care of things
-# violation '.Resources[]|select(.Type == "AWS::EC2::SecurityGroup")|select(.Properties.SecurityGroupEgress == null or .Properties.SecurityGroupEgress.length? == 0)' do |security_groups|
-#   puts "Security Groups found without egress json_rules: #{security_groups}"
-# end

data/lib/json_rules/iam_policy_rules.rb

@@ -55,7 +55,7 @@ END
 
 warning jq: allow_not_action_filter +
             "[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.AssumeRolePolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
-        message: 'IAM role should not allow Allow+NotAction'
+        message: 'IAM role should not allow Allow+NotAction on trust permissinos'
 
 
 warning jq: allow_not_action_filter +

data/lib/json_rules/iam_user_rules.rb

@@ -8,5 +8,5 @@ violation jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | sel
 
 violation jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::IAM::ManagedPolicy")|'\
               'select(.Properties.Users|length > 0)]|map(.LogicalResourceId) ',
-          message: 'IAM policy should not apply directly to users.  Should be on group'
+          message: 'IAM managed policy should not apply directly to users.  Should be on group'
 

data/lib/json_rules/port_rules.rb

@@ -1,17 +1,29 @@
-warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupIngress|type == "object"))|select(.Properties.SecurityGroupIngress.ToPort != .Properties.SecurityGroupIngress.FromPort)]|map(.LogicalResourceId)',
+warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | '\
+            'select(.Type == "AWS::EC2::SecurityGroup")| '\
+            'if (.Properties.SecurityGroupIngress|type == "object") '\
+            'then select(.Properties.SecurityGroupIngress.ToPort != .Properties.SecurityGroupIngress.FromPort) '\
+            'else if (.Properties.SecurityGroupIngress|type == "array") '\
+            '     then select([.Properties.SecurityGroupIngress[].ToPort] != [.Properties.SecurityGroupIngress[].FromPort]) '\
+            '     else empty '\
+            '     end '\
+            'end '\
+            ']|map(.LogicalResourceId)',
         message:  'Security Groups found ingress with port range instead of just a single port'
 
-warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupIngress|type == "array"))|select([.Properties.SecurityGroupIngress[].ToPort] != [.Properties.SecurityGroupIngress[].FromPort])]|map(.LogicalResourceId)',
-        message:  'Security Groups found ingress with port range instead of just a single port'
-
-warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupEgress|type == "object"))|select(.Properties.SecurityGroupEgress.ToPort != .Properties.SecurityGroupEgress.FromPort)]|map(.LogicalResourceId)',
-        message:  'Security Groups found egress with port range instead of just a single port'
+warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroupIngress")|select(.Properties.ToPort != .Properties.FromPort)]|map(.LogicalResourceId)',
+        message:  'Security Group ingress with port range instead of just a single port'
 
-warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupEgress|type == "array"))|select([.Properties.SecurityGroupEgress[].ToPort] != [.Properties.SecurityGroupEgress[].FromPort])]|map(.LogicalResourceId)',
+warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | '\
+            'select(.Type == "AWS::EC2::SecurityGroup")| '\
+            'if (.Properties.SecurityGroupEgress|type == "object") '\
+            'then select(.Properties.SecurityGroupEgress.ToPort != .Properties.SecurityGroupEgress.FromPort) '\
+            'else if (.Properties.SecurityGroupEgress|type == "array") '\
+            '     then select([.Properties.SecurityGroupEgress[].ToPort] != [.Properties.SecurityGroupEgress[].FromPort]) '\
+            '     else empty '\
+            '     end '\
+            'end'\
+            ']|map(.LogicalResourceId)',
         message:  'Security Groups found egress with port range instead of just a single port'
 
-warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroupIngress")|select(.Properties.ToPort != .Properties.FromPort)]|map(.LogicalResourceId)',
-        message:  'Security Groups found ingress with port range instead of just a single port'
-
 warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroupEgress")|select(.Properties.ToPort != .Properties.FromPort)]|map(.LogicalResourceId)',
-        message:  'Security Groups found egress with port range instead of just a single port'
+        message:  'Security Group egress with port range instead of just a single port'

data/lib/rule.rb

@@ -17,13 +17,15 @@ module Rule
   end
 
   def warning(jq:, message:)
+    @warning_registry << message
+
     return if @stop_processing
 
     Logging.logger['log'].debug jq
 
     stdout = jq_command(@input_json_path, jq)
     result = $?.exitstatus
-    scrape_jq_output_for_error(stdout)
+    scrape_jq_output_for_error(jq, stdout)
 
     resource_ids = parse_logical_resource_ids(stdout)
     new_warnings = resource_ids.size
@@ -39,7 +41,6 @@ module Rule
                  fail_if_found: false,
                  fatal: true,
                  message: message,
-                 message_type: Violation::FAILING_VIOLATION,
                  raw: true)
   end
 
@@ -47,8 +48,7 @@ module Rule
     failing_rule(jq_expression: jq,
                  fail_if_found: false,
                  fatal: true,
-                 message: message,
-                 message_type: Violation::FAILING_VIOLATION)
+                 message: message)
   end
 
   def raw_fatal_violation(jq:, message:)
@@ -56,7 +56,6 @@ module Rule
                  fail_if_found: true,
                  fatal: true,
                  message: message,
-                 message_type: Violation::FAILING_VIOLATION,
                  raw: true)
   end
 
@@ -64,22 +63,19 @@ module Rule
     failing_rule(jq_expression: jq,
                  fail_if_found: true,
                  fatal: true,
-                 message: message,
-                 message_type: Violation::FAILING_VIOLATION)
+                 message: message)
   end
 
   def violation(jq:, message:)
     failing_rule(jq_expression: jq,
                  fail_if_found: true,
-                 message: message,
-                 message_type: Violation::FAILING_VIOLATION)
+                 message: message)
   end
 
   def assertion(jq:, message:)
     failing_rule(jq_expression: jq,
                  fail_if_found: false,
-                 message: message,
-                 message_type: Violation::FAILING_VIOLATION)
+                 message: message)
   end
 
   def self.empty?(array)
@@ -129,8 +125,8 @@ module Rule
     JSON.load(stdout)
   end
 
-  def scrape_jq_output_for_error(stdout)
-    fail 'json rule is likely not complete' if stdout.match /jq: error/
+  def scrape_jq_output_for_error(command, stdout)
+    fail "jq rule is likely not correct: #{command}\n\n#{stdout}" if stdout.include? 'jq: error'
   end
 
   # fail_if_found: this is false for an assertion, true for a violation.  either way this rule ups the "failure" count
@@ -142,21 +138,21 @@ module Rule
   def failing_rule(jq_expression:,
                    fail_if_found:,
                    message:,
-                   message_type:,
                    fatal: false,
                    raw: false)
+    @violation_registry << message
     return if @stop_processing
 
     Logging.logger['log'].debug jq_expression
 
     stdout = jq_command(@input_json_path, jq_expression)
     result = $?.exitstatus
-    scrape_jq_output_for_error(stdout)
+    scrape_jq_output_for_error(jq_expression, stdout)
     if (fail_if_found and result == 0) or
        (not fail_if_found and result != 0)
 
       if raw
-        add_violation(type: message_type,
+        add_violation(type: Violation::FAILING_VIOLATION,
                       message: message,
                       violating_code: stdout)
 
@@ -167,7 +163,7 @@ module Rule
         resource_ids = parse_logical_resource_ids(stdout)
 
         if resource_ids.size > 0
-          add_violation(type: message_type,
+          add_violation(type: Violation::FAILING_VIOLATION,
                         message: message,
                         logical_resource_ids: resource_ids)
 
@@ -181,7 +177,7 @@ module Rule
 
   # the -e will return an exit code
   def jq_command(input_json_path, jq_expression)
-    command = "cat #{input_json_path} | jq '#{jq_expression}' -e"
+    command = "cat #{input_json_path} | jq '#{jq_expression}' -e 2>&1"
 
     Logging.logger['log'].debug command
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.0.16
+  version: 0.0.17
 platform: ruby
 authors:
 - someguy
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-03-01 00:00:00.000000000 Z
+date: 2016-03-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logging
@@ -42,10 +42,12 @@ description: Auditing tool for Cloudformation templates
 email: 
 executables:
 - cfn_nag
+- cfn_nag_rules
 extensions: []
 extra_rdoc_files: []
 files:
 - bin/cfn_nag
+- bin/cfn_nag_rules
 - lib/cfn_nag.rb
 - lib/custom_rules/security_group_missing_egress.rb
 - lib/custom_rules/user_missing_group.rb