cfn-nag 0.0.34 → 0.0.35
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/bin/cfn_nag +13 -4
- data/bin/cfn_nag_rules +14 -1
- data/lib/cfn_nag.rb +52 -24
- data/lib/custom_rule_loader.rb +9 -2
- data/lib/custom_rules/security_group_missing_egress.rb +10 -1
- data/lib/custom_rules/unencrypted_s3_put_allowed.rb +10 -1
- data/lib/custom_rules/user_missing_group.rb +10 -1
- data/lib/json_rules/basic_rules.rb +8 -4
- data/lib/json_rules/cfn_rules.rb +2 -1
- data/lib/json_rules/cidr_rules.rb +16 -8
- data/lib/json_rules/cloudfront_rules.rb +2 -1
- data/lib/json_rules/ebs_rules.rb +2 -1
- data/lib/json_rules/iam_policy_rules.rb +42 -21
- data/lib/json_rules/iam_user_rules.rb +6 -3
- data/lib/json_rules/lambda_rules.rb +4 -2
- data/lib/json_rules/loadbalancer_rules.rb +4 -2
- data/lib/json_rules/port_rules.rb +8 -4
- data/lib/json_rules/s3_bucket_rules.rb +10 -5
- data/lib/json_rules/sns_rules.rb +4 -2
- data/lib/json_rules/sqs_rules.rb +4 -2
- data/lib/profile.rb +18 -0
- data/lib/profile_loader.rb +27 -0
- data/lib/result_view/simple_stdout_results.rb +1 -1
- data/lib/rule.rb +43 -21
- data/lib/rule_registry.rb +45 -0
- data/lib/violation.rb +7 -3
- metadata +4 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 599ac76a7c5bb73f2e8ad348f408f1945c9556c8
|
|
4
|
+
data.tar.gz: 13521f759054aba5f2abcd434e71b46c36b95dc7
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 02d05593b7c89b552b8b5ffe3c0cbb353b9a3d80f15c27a3920279b88a57f0639026b5eb220adaaff5b4ad8cbdd6172f0d2a38931789147e0f7fc73e2167bd26
|
|
7
|
+
data.tar.gz: 4ad062cf1e1040dd21549569d3ebc621dd8c63005851f6c9bdcb5858eb5294cdfdeec1ad0e235f93c3e111412c35e786ebc31e0c5ed3aa49f6fdfc801a242b8a
|
data/bin/cfn_nag
CHANGED
|
@@ -7,13 +7,22 @@ opts = Trollop::options do
|
|
|
7
7
|
opt :input_json_path, 'CloudFormation template to nag on or directory of templates - all *.json and *.template recursively', type: :io, required: true
|
|
8
8
|
opt :output_format, 'Format of results: [txt, json]', type: :string, default: 'txt'
|
|
9
9
|
opt :debug, 'Enable debug output', type: :boolean, required: false, default: false
|
|
10
|
-
opt :rule_directory, 'Extra rule directories', type: :strings,
|
|
10
|
+
opt :rule_directory, 'Extra rule directories', type: :strings, required: false, default: [], multi: true
|
|
11
|
+
opt :profile_path, 'Path to a profile file', type: :io, required: false, default: nil
|
|
11
12
|
end
|
|
12
13
|
|
|
13
14
|
Trollop::die(:output_format,
|
|
14
15
|
'Must be txt or json') unless %w(txt json).include?(opts[:output_format])
|
|
15
16
|
|
|
16
17
|
CfnNag::configure_logging(opts)
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
18
|
+
|
|
19
|
+
profile_definition = nil
|
|
20
|
+
unless opts[:profile_path].nil?
|
|
21
|
+
profile_definition = IO.read(opts[:profile_path])
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
cfn_nag = CfnNag.new(profile_definition: profile_definition)
|
|
25
|
+
|
|
26
|
+
exit cfn_nag.audit(input_json_path: opts[:input_json_path],
|
|
27
|
+
output_format: opts[:output_format],
|
|
28
|
+
rule_directories: opts[:rule_directory])
|
data/bin/cfn_nag_rules
CHANGED
|
@@ -1,4 +1,17 @@
|
|
|
1
1
|
#!/usr/bin/env ruby
|
|
2
|
+
require 'trollop'
|
|
2
3
|
require 'cfn_nag'
|
|
3
4
|
|
|
4
|
-
|
|
5
|
+
opts = Trollop::options do
|
|
6
|
+
opt :rule_directory, 'Extra rule directories', type: :strings, required: false, default: [], multi: true
|
|
7
|
+
opt :profile_path, 'Path to a profile file', type: :io, required: false, default: nil
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
profile_definition = nil
|
|
11
|
+
unless opts[:profile_path].nil?
|
|
12
|
+
profile_definition = IO.read(opts[:profile_path])
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
cfn_nag = CfnNag.new(profile_definition: profile_definition)
|
|
16
|
+
|
|
17
|
+
cfn_nag.dump_rules(rule_directories: opts[:rule_directory])
|
data/lib/cfn_nag.rb
CHANGED
|
@@ -1,5 +1,7 @@
|
|
|
1
1
|
require_relative 'rule'
|
|
2
2
|
require_relative 'custom_rule_loader'
|
|
3
|
+
require_relative 'rule_registry'
|
|
4
|
+
require_relative 'profile_loader'
|
|
3
5
|
require_relative 'model/cfn_model'
|
|
4
6
|
require_relative 'result_view/simple_stdout_results'
|
|
5
7
|
require_relative 'result_view/json_results'
|
|
@@ -8,12 +10,17 @@ require 'tempfile'
|
|
|
8
10
|
class CfnNag
|
|
9
11
|
include Rule
|
|
10
12
|
|
|
11
|
-
def initialize
|
|
13
|
+
def initialize(profile_definition: nil)
|
|
12
14
|
@warning_registry = []
|
|
13
15
|
@violation_registry = []
|
|
16
|
+
@rule_registry = RuleRegistry.new
|
|
17
|
+
@custom_rule_loader = CustomRuleLoader.new(@rule_registry)
|
|
18
|
+
@profile_definition = profile_definition
|
|
14
19
|
end
|
|
15
20
|
|
|
16
|
-
def dump_rules
|
|
21
|
+
def dump_rules(rule_directories: [])
|
|
22
|
+
validate_extra_rule_directories(rule_directories)
|
|
23
|
+
|
|
17
24
|
dummy_cfn = <<-END
|
|
18
25
|
{
|
|
19
26
|
"Resources": {
|
|
@@ -30,18 +37,32 @@ class CfnNag
|
|
|
30
37
|
Tempfile.open('tempfile') do |dummy_cfn_template|
|
|
31
38
|
dummy_cfn_template.write dummy_cfn
|
|
32
39
|
dummy_cfn_template.rewind
|
|
33
|
-
audit_file(input_json_path: dummy_cfn_template.path,
|
|
40
|
+
audit_file(input_json_path: dummy_cfn_template.path,
|
|
41
|
+
rule_directories: rule_directories)
|
|
34
42
|
end
|
|
35
43
|
|
|
36
|
-
|
|
37
|
-
|
|
44
|
+
profile = nil
|
|
45
|
+
unless @profile_definition.nil?
|
|
46
|
+
profile = ProfileLoader.new(@rule_registry).load(profile_definition: @profile_definition)
|
|
38
47
|
end
|
|
39
48
|
|
|
40
49
|
puts 'WARNING VIOLATIONS:'
|
|
41
|
-
|
|
42
|
-
|
|
50
|
+
@rule_registry.warnings.sort {|left, right| left.id <=> right.id}.each do |warning|
|
|
51
|
+
if profile.nil?
|
|
52
|
+
puts "#{warning.id} #{warning.message}"
|
|
53
|
+
else
|
|
54
|
+
puts "#{warning.id} #{warning.message}" if profile.execute_rule?(warning.id)
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
end
|
|
43
58
|
puts 'FAILING VIOLATIONS:'
|
|
44
|
-
|
|
59
|
+
@rule_registry.failings.sort {|left, right| left.id <=> right.id}.each do |failing|
|
|
60
|
+
if profile.nil?
|
|
61
|
+
puts "#{failing.id} #{failing.message}"
|
|
62
|
+
else
|
|
63
|
+
puts "#{failing.id} #{failing.message}" if profile.execute_rule?(failing.id)
|
|
64
|
+
end
|
|
65
|
+
end
|
|
45
66
|
end
|
|
46
67
|
|
|
47
68
|
def audit(input_json_path:,
|
|
@@ -88,12 +109,14 @@ class CfnNag
|
|
|
88
109
|
logger.add_appenders Logging.appenders.stdout
|
|
89
110
|
end
|
|
90
111
|
|
|
91
|
-
def audit_template(input_json:,
|
|
112
|
+
def audit_template(input_json:,
|
|
113
|
+
rule_directories: [])
|
|
92
114
|
@stop_processing = false
|
|
93
115
|
@violations = []
|
|
94
116
|
|
|
95
117
|
unless legal_json?(input_json)
|
|
96
|
-
@violations << Violation.new(
|
|
118
|
+
@violations << Violation.new(id: 'FATAL',
|
|
119
|
+
type: Violation::FAILING_VIOLATION,
|
|
97
120
|
message: 'not even legit JSON',
|
|
98
121
|
violating_code: input_json)
|
|
99
122
|
@stop_processing = true
|
|
@@ -103,6 +126,8 @@ class CfnNag
|
|
|
103
126
|
|
|
104
127
|
@violations += custom_rules input_json unless @stop_processing == true
|
|
105
128
|
|
|
129
|
+
@violations = filter_violations_by_profile @violations
|
|
130
|
+
|
|
106
131
|
{
|
|
107
132
|
failure_count: Rule::count_failures(@violations),
|
|
108
133
|
violations: @violations
|
|
@@ -111,6 +136,17 @@ class CfnNag
|
|
|
111
136
|
|
|
112
137
|
private
|
|
113
138
|
|
|
139
|
+
def filter_violations_by_profile(violations)
|
|
140
|
+
profile = nil
|
|
141
|
+
unless @profile_definition.nil?
|
|
142
|
+
profile = ProfileLoader.new(@rule_registry).load(profile_definition: @profile_definition)
|
|
143
|
+
end
|
|
144
|
+
|
|
145
|
+
violations.reject do |violation|
|
|
146
|
+
not profile.nil? and not profile.execute_rule?(violation.id)
|
|
147
|
+
end
|
|
148
|
+
end
|
|
149
|
+
|
|
114
150
|
def validate_extra_rule_directories(rule_directories)
|
|
115
151
|
rule_directories.flatten.each do |rule_directory|
|
|
116
152
|
fail "Not a real directory #{rule_directory}" unless File.directory? rule_directory
|
|
@@ -118,11 +154,13 @@ class CfnNag
|
|
|
118
154
|
end
|
|
119
155
|
|
|
120
156
|
|
|
121
|
-
def render_results(aggregate_results:,
|
|
157
|
+
def render_results(aggregate_results:,
|
|
158
|
+
output_format:)
|
|
122
159
|
results_renderer(output_format).new.render(aggregate_results)
|
|
123
160
|
end
|
|
124
161
|
|
|
125
|
-
def audit_file(input_json_path:,
|
|
162
|
+
def audit_file(input_json_path:,
|
|
163
|
+
rule_directories:)
|
|
126
164
|
audit_template(input_json: IO.read(input_json_path),
|
|
127
165
|
rule_directories: rule_directories)
|
|
128
166
|
end
|
|
@@ -169,21 +207,11 @@ class CfnNag
|
|
|
169
207
|
not system("#{command} > /dev/null 2>&1").nil?
|
|
170
208
|
end
|
|
171
209
|
|
|
172
|
-
def jruby_in_a_jar?
|
|
173
|
-
__dir__.start_with? '/uri:classloader'
|
|
174
|
-
end
|
|
175
|
-
|
|
176
210
|
def generic_json_rules(input_json, rule_directories)
|
|
177
211
|
unless command? 'jq'
|
|
178
212
|
fail 'jq executable must be available in PATH'
|
|
179
213
|
end
|
|
180
|
-
|
|
181
|
-
if jruby_in_a_jar?
|
|
182
|
-
rules = %w(basic_rules cfn_rules cidr_rules cloudfront_rules ebs_rules iam_policy_rules iam_user_rules lambda_rules loadbalancer_rules port_rules s3_bucket_rules sns_rules sqs_rules)
|
|
183
|
-
rules = rules.map { |rule| File.join(__dir__, 'json_rules', "#{rule}.rb")[1..-1] }
|
|
184
|
-
else
|
|
185
|
-
rules = Dir[File.join(__dir__, 'json_rules', '*.rb')].sort
|
|
186
|
-
end
|
|
214
|
+
rules = Dir[File.join(__dir__, 'json_rules', '*.rb')].sort
|
|
187
215
|
|
|
188
216
|
rules.each do |rule_file|
|
|
189
217
|
@input_json = input_json
|
|
@@ -201,6 +229,6 @@ class CfnNag
|
|
|
201
229
|
end
|
|
202
230
|
|
|
203
231
|
def custom_rules(input_json)
|
|
204
|
-
|
|
232
|
+
@custom_rule_loader.custom_rules(input_json)
|
|
205
233
|
end
|
|
206
234
|
end
|
data/lib/custom_rule_loader.rb
CHANGED
|
@@ -18,19 +18,26 @@ class CustomRuleLoader
|
|
|
18
18
|
@custom_rule_directory
|
|
19
19
|
end
|
|
20
20
|
|
|
21
|
-
def initialize
|
|
21
|
+
def initialize(rule_registry)
|
|
22
22
|
@custom_rule_registry = [
|
|
23
23
|
SecurityGroupMissingEgressRule,
|
|
24
24
|
UserMissingGroupRule,
|
|
25
25
|
UnencryptedS3PutObjectAllowedRule
|
|
26
26
|
]
|
|
27
27
|
@violations = []
|
|
28
|
+
@rule_registry = rule_registry
|
|
29
|
+
discover_rules
|
|
28
30
|
end
|
|
29
31
|
|
|
30
32
|
def custom_rules(input_json)
|
|
31
|
-
|
|
33
|
+
@violations = []
|
|
34
|
+
|
|
32
35
|
@custom_rule_registry.each do |rule_class|
|
|
33
36
|
rule = rule_class.new
|
|
37
|
+
@rule_registry.definition(id: rule.rule_id,
|
|
38
|
+
type: rule.rule_type,
|
|
39
|
+
message: rule.rule_text)
|
|
40
|
+
|
|
34
41
|
if rule.respond_to? 'custom_parsers'
|
|
35
42
|
rule.custom_parsers.each do |custom_parser|
|
|
36
43
|
ParserRegistry.instance.add_parser custom_parser[0], custom_parser[1]
|
|
@@ -6,6 +6,14 @@ class SecurityGroupMissingEgressRule
|
|
|
6
6
|
'Missing egress rule means all traffic is allowed outbound. Make this explicit if it is desired configuration'
|
|
7
7
|
end
|
|
8
8
|
|
|
9
|
+
def rule_type
|
|
10
|
+
Violation::FAILING_VIOLATION
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
def rule_id
|
|
14
|
+
'F1000'
|
|
15
|
+
end
|
|
16
|
+
|
|
9
17
|
def audit(cfn_model)
|
|
10
18
|
logical_resource_ids = []
|
|
11
19
|
cfn_model.security_groups.each do |security_group|
|
|
@@ -15,7 +23,8 @@ class SecurityGroupMissingEgressRule
|
|
|
15
23
|
end
|
|
16
24
|
|
|
17
25
|
if logical_resource_ids.size > 0
|
|
18
|
-
Violation.new(
|
|
26
|
+
Violation.new(id: rule_id,
|
|
27
|
+
type: rule_type,
|
|
19
28
|
message: rule_text,
|
|
20
29
|
logical_resource_ids: logical_resource_ids)
|
|
21
30
|
else
|
|
@@ -7,6 +7,14 @@ class UnencryptedS3PutObjectAllowedRule
|
|
|
7
7
|
'It appears that the S3 Bucket Policy allows s3:PutObject without server-side encryption'
|
|
8
8
|
end
|
|
9
9
|
|
|
10
|
+
def rule_type
|
|
11
|
+
Violation::WARNING
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
def rule_id
|
|
15
|
+
'W1000'
|
|
16
|
+
end
|
|
17
|
+
|
|
10
18
|
def audit(cfn_model)
|
|
11
19
|
logical_resource_ids = []
|
|
12
20
|
cfn_model.bucket_policies.each do |bucket_policy|
|
|
@@ -19,7 +27,8 @@ class UnencryptedS3PutObjectAllowedRule
|
|
|
19
27
|
end
|
|
20
28
|
|
|
21
29
|
if logical_resource_ids.size > 0
|
|
22
|
-
Violation.new(
|
|
30
|
+
Violation.new(id: rule_id,
|
|
31
|
+
type: rule_type,
|
|
23
32
|
message: rule_text,
|
|
24
33
|
logical_resource_ids: logical_resource_ids)
|
|
25
34
|
else
|
|
@@ -6,6 +6,14 @@ class UserMissingGroupRule
|
|
|
6
6
|
'User is not assigned to a group'
|
|
7
7
|
end
|
|
8
8
|
|
|
9
|
+
def rule_type
|
|
10
|
+
Violation::FAILING_VIOLATION
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
def rule_id
|
|
14
|
+
'F2000'
|
|
15
|
+
end
|
|
16
|
+
|
|
9
17
|
def audit(cfn_model)
|
|
10
18
|
logical_resource_ids = []
|
|
11
19
|
cfn_model.iam_users.each do |iam_user|
|
|
@@ -15,7 +23,8 @@ class UserMissingGroupRule
|
|
|
15
23
|
end
|
|
16
24
|
|
|
17
25
|
if logical_resource_ids.size > 0
|
|
18
|
-
Violation.new(
|
|
26
|
+
Violation.new(id: rule_id,
|
|
27
|
+
type: rule_type,
|
|
19
28
|
message: rule_text,
|
|
20
29
|
logical_resource_ids: logical_resource_ids)
|
|
21
30
|
else
|
|
@@ -1,4 +1,5 @@
|
|
|
1
|
-
raw_fatal_assertion
|
|
1
|
+
raw_fatal_assertion id: 'FATAL',
|
|
2
|
+
jq: '.Resources|length > 0',
|
|
2
3
|
message: 'A CloudFormation template must have at least 1 resource'
|
|
3
4
|
|
|
4
5
|
|
|
@@ -14,7 +15,8 @@ raw_fatal_assertion jq: '.Resources|length > 0',
|
|
|
14
15
|
AWS::EC2::SecurityGroupIngress
|
|
15
16
|
AWS::EC2::SecurityGroupEgress
|
|
16
17
|
).each do |resource_must_have_properties|
|
|
17
|
-
fatal_violation
|
|
18
|
+
fatal_violation id: 'FATAL',
|
|
19
|
+
jq: "[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == \"#{resource_must_have_properties}\" and .Properties == null)]|map(.LogicalResourceId)",
|
|
18
20
|
message: "#{resource_must_have_properties} must have Properties"
|
|
19
21
|
end
|
|
20
22
|
|
|
@@ -32,7 +34,8 @@ missing_reference_jq = <<END
|
|
|
32
34
|
)|if length==0 then false else . end
|
|
33
35
|
END
|
|
34
36
|
|
|
35
|
-
raw_fatal_violation
|
|
37
|
+
raw_fatal_violation id: 'FATAL',
|
|
38
|
+
jq: missing_reference_jq,
|
|
36
39
|
message: 'All Ref and Fn::GetAtt must reference existing logical resource ids'
|
|
37
40
|
|
|
38
41
|
|
|
@@ -40,6 +43,7 @@ raw_fatal_violation jq: missing_reference_jq,
|
|
|
40
43
|
AWS::EC2::SecurityGroupIngress
|
|
41
44
|
AWS::EC2::SecurityGroupEgress
|
|
42
45
|
).each do |xgress|
|
|
43
|
-
fatal_violation
|
|
46
|
+
fatal_violation id: 'FATAL',
|
|
47
|
+
jq: "[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == \"#{xgress}\" and .Properties.GroupName != null)]|map(.LogicalResourceId)",
|
|
44
48
|
message: "#{xgress} must not have GroupName - EC2 classic is a no-go!"
|
|
45
49
|
end
|
data/lib/json_rules/cfn_rules.rb
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
|
-
warning
|
|
1
|
+
warning id: 'W1',
|
|
2
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Metadata."AWS::CloudFormation::Authentication") ]|'\
|
|
2
3
|
'map(.LogicalResourceId) ',
|
|
3
4
|
message: 'Specifying credentials in the template itself is probably not the safest thing'
|
|
@@ -1,31 +1,38 @@
|
|
|
1
1
|
##### inline ingress
|
|
2
|
-
warning
|
|
2
|
+
warning id: 'W2',
|
|
3
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupIngress|type == "object"))|select(.Properties.SecurityGroupIngress.CidrIp? == "0.0.0.0/0")]|map(.LogicalResourceId)',
|
|
3
4
|
message: 'Security Groups found with cidr open to world on ingress. This should never be true on instance. Permissible on ELB'
|
|
4
5
|
|
|
5
|
-
warning
|
|
6
|
+
warning id: 'W3',
|
|
7
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupIngress|type == "array"))|first(select(.Properties.SecurityGroupIngress[].CidrIp? == "0.0.0.0/0"))]|map(.LogicalResourceId)',
|
|
6
8
|
message: 'Security Groups found with cidr open to world on ingress array. This should never be true on instance. Permissible on ELB'
|
|
7
9
|
|
|
8
10
|
##### external ingress
|
|
9
|
-
warning
|
|
11
|
+
warning id: 'W4',
|
|
12
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroupIngress")|select(.Properties.CidrIp? == "0.0.0.0/0")]|map(.LogicalResourceId)',
|
|
10
13
|
message: 'Security Group Standalone Ingress found with cidr open to world. This should never be true on instance. Permissible on ELB'
|
|
11
14
|
|
|
12
15
|
|
|
13
16
|
###### inline egress
|
|
14
|
-
warning
|
|
17
|
+
warning id: 'W5',
|
|
18
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupEgress|type == "object"))|select(.Properties.SecurityGroupEgress.CidrIp? == "0.0.0.0/0")]|map(.LogicalResourceId)',
|
|
15
19
|
message: 'Security Groups found with cidr open to world on egress'
|
|
16
20
|
|
|
17
21
|
|
|
18
|
-
warning
|
|
22
|
+
warning id: 'W6',
|
|
23
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupEgress|type == "array"))|first(select(.Properties.SecurityGroupEgress[].CidrIp? == "0.0.0.0/0"))]|map(.LogicalResourceId)',
|
|
19
24
|
message: 'Security Groups found with cidr open to world on egress array'
|
|
20
25
|
|
|
21
26
|
|
|
22
27
|
##### external egress
|
|
23
|
-
warning
|
|
28
|
+
warning id: 'W7',
|
|
29
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroupEgress")|select(.Properties.CidrIp? == "0.0.0.0/0")]|map(.LogicalResourceId)',
|
|
24
30
|
message: 'Security Group Standalone Egress found with cidr open to world.'
|
|
25
31
|
|
|
26
32
|
|
|
27
33
|
# BEWARE with escapes \d -> \\\d because of how the escapes get munged from ruby through to shell
|
|
28
|
-
warning
|
|
34
|
+
warning id: 'W8',
|
|
35
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroupIngress" and .Properties.CidrIp|type == "string")|select(.Properties.CidrIp | test("^\\\d{1,3}\\\.\\\d{1,3}\\\.\\\d{1,3}\\\.\\\d{1,3}/(?!32)$") )]|map(.LogicalResourceId)',
|
|
29
36
|
message: 'Security Group Standalone Ingress cidr found that is not /32'
|
|
30
37
|
|
|
31
38
|
non_32_cidr_jq_expression = <<END
|
|
@@ -57,5 +64,6 @@ non_32_cidr_jq_expression = <<END
|
|
|
57
64
|
]|map(.LogicalResourceId)
|
|
58
65
|
END
|
|
59
66
|
|
|
60
|
-
warning
|
|
67
|
+
warning id: 'W9',
|
|
68
|
+
jq: non_32_cidr_jq_expression,
|
|
61
69
|
message: 'Security Groups found with cidr that is not /32'
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
-
warning
|
|
1
|
+
warning id: 'W10',
|
|
2
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::CloudFront::Distribution")|'\
|
|
2
3
|
'select(.Properties.DistributionConfig.Logging == null)]|map(.LogicalResourceId) ',
|
|
3
4
|
message: 'CloudFront Distribution should enable access logging'
|
data/lib/json_rules/ebs_rules.rb
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
|
-
violation
|
|
1
|
+
violation id: 'F1',
|
|
2
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::Volume")|'\
|
|
2
3
|
'select(.Properties.Encrypted == null or .Properties.Encrypted == false)]|map(.LogicalResourceId) ',
|
|
3
4
|
message: 'EBS volume should have server-side encryption enabled'
|
|
@@ -6,21 +6,25 @@ def wildcard_action:
|
|
|
6
6
|
end;
|
|
7
7
|
END
|
|
8
8
|
|
|
9
|
-
violation
|
|
9
|
+
violation id: 'F2',
|
|
10
|
+
jq: wildcard_action_filter +
|
|
10
11
|
"[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.AssumeRolePolicyDocument|wildcard_action)]|map(.LogicalResourceId) ",
|
|
11
12
|
message: 'IAM role should not allow * action on its trust policy'
|
|
12
13
|
|
|
13
|
-
violation
|
|
14
|
+
violation id: 'F3',
|
|
15
|
+
jq: wildcard_action_filter +
|
|
14
16
|
"[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.Policies !=null)|select(.Properties.Policies[].PolicyDocument|wildcard_action)]|map(.LogicalResourceId)",
|
|
15
17
|
message: 'IAM role should not allow * action on its permissions policy'
|
|
16
18
|
|
|
17
19
|
|
|
18
|
-
violation
|
|
20
|
+
violation id: 'F4',
|
|
21
|
+
jq: wildcard_action_filter +
|
|
19
22
|
"[#{resources_by_type('AWS::IAM::Policy')}|select(.Properties.PolicyDocument|wildcard_action)]|map(.LogicalResourceId) ",
|
|
20
23
|
message: 'IAM policy should not allow * action'
|
|
21
24
|
|
|
22
25
|
|
|
23
|
-
violation
|
|
26
|
+
violation id: 'F5',
|
|
27
|
+
jq: wildcard_action_filter +
|
|
24
28
|
"[#{resources_by_type('AWS::IAM::ManagedPolicy')}|select(.Properties.PolicyDocument|wildcard_action)]|map(.LogicalResourceId) ",
|
|
25
29
|
message: 'IAM managed policy should not allow * action'
|
|
26
30
|
|
|
@@ -32,16 +36,19 @@ def wildcard_resource:
|
|
|
32
36
|
end;
|
|
33
37
|
END
|
|
34
38
|
|
|
35
|
-
warning
|
|
39
|
+
warning id: 'W11',
|
|
40
|
+
jq: wildcard_resource_filter +
|
|
36
41
|
"[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.Policies !=null)|select(.Properties.Policies[].PolicyDocument|wildcard_resource)]|map(.LogicalResourceId)",
|
|
37
42
|
message: 'IAM role should not allow * resource on its permissions policy'
|
|
38
43
|
|
|
39
44
|
|
|
40
|
-
warning
|
|
45
|
+
warning id: 'W12',
|
|
46
|
+
jq: wildcard_resource_filter +
|
|
41
47
|
"[#{resources_by_type('AWS::IAM::Policy')}|select(.Properties.PolicyDocument|wildcard_resource)]|map(.LogicalResourceId)",
|
|
42
48
|
message: 'IAM policy should not allow * resource'
|
|
43
49
|
|
|
44
|
-
warning
|
|
50
|
+
warning id: 'W13',
|
|
51
|
+
jq: wildcard_resource_filter +
|
|
45
52
|
"[#{resources_by_type('AWS::IAM::ManagedPolicy')}|select(.Properties.PolicyDocument|wildcard_resource)]|map(.LogicalResourceId)",
|
|
46
53
|
message: 'IAM managed policy should not allow * resource'
|
|
47
54
|
|
|
@@ -53,34 +60,41 @@ def allow_not_action:
|
|
|
53
60
|
end;
|
|
54
61
|
END
|
|
55
62
|
|
|
56
|
-
warning
|
|
63
|
+
warning id: 'W14',
|
|
64
|
+
jq: allow_not_action_filter +
|
|
57
65
|
"[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.AssumeRolePolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
|
|
58
66
|
message: 'IAM role should not allow Allow+NotAction on trust permissinos'
|
|
59
67
|
|
|
60
68
|
|
|
61
|
-
warning
|
|
69
|
+
warning id: 'W15',
|
|
70
|
+
jq: allow_not_action_filter +
|
|
62
71
|
"[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.Policies !=null)|select(.Properties.Policies[].PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
|
|
63
72
|
message: 'IAM role should not allow Allow+NotAction'
|
|
64
73
|
|
|
65
74
|
|
|
66
|
-
warning
|
|
75
|
+
warning id: 'W16',
|
|
76
|
+
jq: allow_not_action_filter +
|
|
67
77
|
"[#{resources_by_type('AWS::IAM::Policy')}|select(.Properties.PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
|
|
68
78
|
message: 'IAM policy should not allow Allow+NotAction'
|
|
69
79
|
|
|
70
80
|
|
|
71
|
-
warning
|
|
81
|
+
warning id: 'W17',
|
|
82
|
+
jq: allow_not_action_filter +
|
|
72
83
|
"[#{resources_by_type('AWS::IAM::ManagedPolicy')}|select(.Properties.PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
|
|
73
84
|
message: 'IAM managed policy should not allow Allow+NotAction'
|
|
74
85
|
|
|
75
|
-
warning
|
|
86
|
+
warning id: 'W18',
|
|
87
|
+
jq: allow_not_action_filter +
|
|
76
88
|
"[#{resources_by_type('AWS::SQS::QueuePolicy')}|select(.Properties.PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
|
|
77
89
|
message: 'SQS Queue policy should not allow Allow+NotAction'
|
|
78
90
|
|
|
79
|
-
warning
|
|
91
|
+
warning id: 'W19',
|
|
92
|
+
jq: allow_not_action_filter +
|
|
80
93
|
"[#{resources_by_type('AWS::SNS::TopicPolicy')}|select(.Properties.PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
|
|
81
94
|
message: 'SNS Topic policy should not allow Allow+NotAction'
|
|
82
95
|
|
|
83
|
-
warning
|
|
96
|
+
warning id: 'W20',
|
|
97
|
+
jq: allow_not_action_filter +
|
|
84
98
|
"[#{resources_by_type('AWS::S3::BucketPolicy')}|select(.Properties.PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
|
|
85
99
|
message: 'S3 Bucket policy should not allow Allow+NotAction'
|
|
86
100
|
|
|
@@ -92,17 +106,20 @@ def allow_not_resource:
|
|
|
92
106
|
end;
|
|
93
107
|
END
|
|
94
108
|
|
|
95
|
-
warning
|
|
109
|
+
warning id: 'W21',
|
|
110
|
+
jq: allow_not_resource_filter +
|
|
96
111
|
"[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.Policies !=null)|select(.Properties.Policies[].PolicyDocument|allow_not_resource)]|map(.LogicalResourceId)",
|
|
97
112
|
message: 'IAM role should not allow Allow+NotResource'
|
|
98
113
|
|
|
99
114
|
|
|
100
|
-
warning
|
|
115
|
+
warning id: 'W22',
|
|
116
|
+
jq: allow_not_resource_filter +
|
|
101
117
|
"[#{resources_by_type('AWS::IAM::Policy')}|select(.Properties.PolicyDocument|allow_not_resource)]|map(.LogicalResourceId)",
|
|
102
118
|
message: 'IAM policy should not allow Allow+NotResource'
|
|
103
119
|
|
|
104
120
|
|
|
105
|
-
warning
|
|
121
|
+
warning id: 'W23',
|
|
122
|
+
jq: allow_not_resource_filter +
|
|
106
123
|
"[#{resources_by_type('AWS::IAM::ManagedPolicy')}|select(.Properties.PolicyDocument|allow_not_resource)]|map(.LogicalResourceId)",
|
|
107
124
|
message: 'IAM managed policy should not allow Allow+NotResource'
|
|
108
125
|
|
|
@@ -115,18 +132,22 @@ def allow_not_principal:
|
|
|
115
132
|
end;
|
|
116
133
|
END
|
|
117
134
|
|
|
118
|
-
violation
|
|
135
|
+
violation id: 'F6',
|
|
136
|
+
jq: allow_not_principal_filter +
|
|
119
137
|
"[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.AssumeRolePolicyDocument|allow_not_principal)]|map(.LogicalResourceId)",
|
|
120
138
|
message: 'IAM role should not allow Allow+NotPrincipal in its trust policy'
|
|
121
139
|
|
|
122
|
-
violation
|
|
140
|
+
violation id: 'F7',
|
|
141
|
+
jq: allow_not_principal_filter +
|
|
123
142
|
"[#{resources_by_type('AWS::SQS::QueuePolicy')}|select(.Properties.PolicyDocument|allow_not_principal)]|map(.LogicalResourceId)",
|
|
124
143
|
message: 'SQS Queue policy should not allow Allow+NotPrincipal'
|
|
125
144
|
|
|
126
|
-
violation
|
|
145
|
+
violation id: 'F8',
|
|
146
|
+
jq: allow_not_principal_filter +
|
|
127
147
|
"[#{resources_by_type('AWS::SNS::TopicPolicy')}|select(.Properties.PolicyDocument|allow_not_principal)]|map(.LogicalResourceId)",
|
|
128
148
|
message: 'SNS Topic policy should not allow Allow+NotPrincipal'
|
|
129
149
|
|
|
130
|
-
violation
|
|
150
|
+
violation id: 'F9',
|
|
151
|
+
jq: allow_not_principal_filter +
|
|
131
152
|
"[#{resources_by_type('AWS::S3::BucketPolicy')}|select(.Properties.PolicyDocument|allow_not_principal)]|map(.LogicalResourceId)",
|
|
132
153
|
message: 'S3 Bucket policy should not allow Allow+NotPrincipal'
|
|
@@ -1,12 +1,15 @@
|
|
|
1
|
-
violation
|
|
1
|
+
violation id: 'F10',
|
|
2
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::IAM::User")|'\
|
|
2
3
|
'select(.Properties.Policies|length > 0)]|map(.LogicalResourceId) ',
|
|
3
4
|
message: 'IAM user should not have any directly attached policies. Should be on group'
|
|
4
5
|
|
|
5
|
-
violation
|
|
6
|
+
violation id: 'F11',
|
|
7
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::IAM::Policy")|'\
|
|
6
8
|
'select(.Properties.Users|length > 0)]|map(.LogicalResourceId) ',
|
|
7
9
|
message: 'IAM policy should not apply directly to users. Should be on group'
|
|
8
10
|
|
|
9
|
-
violation
|
|
11
|
+
violation id: 'F12',
|
|
12
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::IAM::ManagedPolicy")|'\
|
|
10
13
|
'select(.Properties.Users|length > 0)]|map(.LogicalResourceId) ',
|
|
11
14
|
message: 'IAM managed policy should not apply directly to users. Should be on group'
|
|
12
15
|
|
|
@@ -1,7 +1,9 @@
|
|
|
1
|
-
warning
|
|
1
|
+
warning id: 'W24',
|
|
2
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::Lambda::Permission")|'\
|
|
2
3
|
'select(.Properties.Action != "lambda:InvokeFunction")]|map(.LogicalResourceId) ',
|
|
3
4
|
message: 'Lambda permission beside InvokeFunction might not be what you want? Not sure!?'
|
|
4
5
|
|
|
5
|
-
violation
|
|
6
|
+
violation id: 'F13',
|
|
7
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::Lambda::Permission")|'\
|
|
6
8
|
'select(.Properties.Principal == "*")]|map(.LogicalResourceId) ',
|
|
7
9
|
message: 'Lambda permission principal should not be wildcard'
|
|
@@ -1,7 +1,9 @@
|
|
|
1
|
-
warning
|
|
1
|
+
warning id: 'W25',
|
|
2
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::ElasticLoadBalancing::LoadBalancer")|'\
|
|
2
3
|
'select(.Properties.AccessLoggingPolicy == null)]|map(.LogicalResourceId) ',
|
|
3
4
|
message: 'Elastic Load Balancer should have access logging configured'
|
|
4
5
|
|
|
5
|
-
warning
|
|
6
|
+
warning id: 'W26',
|
|
7
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::ElasticLoadBalancing::LoadBalancer")|'\
|
|
6
8
|
'select(.Properties.AccessLoggingPolicy?.Enabled == false)]|map(.LogicalResourceId) ',
|
|
7
9
|
message: 'Elastic Load Balancer should have access logging enabled'
|
|
@@ -1,4 +1,5 @@
|
|
|
1
|
-
warning
|
|
1
|
+
warning id: 'W27',
|
|
2
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | '\
|
|
2
3
|
'select(.Type == "AWS::EC2::SecurityGroup")| '\
|
|
3
4
|
'if (.Properties.SecurityGroupIngress|type == "object") '\
|
|
4
5
|
'then select(.Properties.SecurityGroupIngress.ToPort != .Properties.SecurityGroupIngress.FromPort) '\
|
|
@@ -10,10 +11,12 @@ warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | '\
|
|
|
10
11
|
']|map(.LogicalResourceId)',
|
|
11
12
|
message: 'Security Groups found ingress with port range instead of just a single port'
|
|
12
13
|
|
|
13
|
-
warning
|
|
14
|
+
warning id: 'W28',
|
|
15
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroupIngress")|select(.Properties.ToPort != .Properties.FromPort)]|map(.LogicalResourceId)',
|
|
14
16
|
message: 'Security Group ingress with port range instead of just a single port'
|
|
15
17
|
|
|
16
|
-
warning
|
|
18
|
+
warning id: 'W29',
|
|
19
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | '\
|
|
17
20
|
'select(.Type == "AWS::EC2::SecurityGroup")| '\
|
|
18
21
|
'if (.Properties.SecurityGroupEgress|type == "object") '\
|
|
19
22
|
'then select(.Properties.SecurityGroupEgress.ToPort != .Properties.SecurityGroupEgress.FromPort) '\
|
|
@@ -25,5 +28,6 @@ warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | '\
|
|
|
25
28
|
']|map(.LogicalResourceId)',
|
|
26
29
|
message: 'Security Groups found egress with port range instead of just a single port'
|
|
27
30
|
|
|
28
|
-
warning
|
|
31
|
+
warning id: 'W30',
|
|
32
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroupEgress")|select(.Properties.ToPort != .Properties.FromPort)]|map(.LogicalResourceId)',
|
|
29
33
|
message: 'Security Group egress with port range instead of just a single port'
|
|
@@ -1,8 +1,10 @@
|
|
|
1
|
-
warning
|
|
1
|
+
warning id: 'W31',
|
|
2
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::S3::Bucket")|'\
|
|
2
3
|
'select(.Properties.AccessControl? == "PublicRead")]|map(.LogicalResourceId) ',
|
|
3
4
|
message: 'S3 Bucket likely should not have a public read acl'
|
|
4
5
|
|
|
5
|
-
violation
|
|
6
|
+
violation id: 'F14',
|
|
7
|
+
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::S3::Bucket")|'\
|
|
6
8
|
'select(.Properties.AccessControl? == "PublicReadWrite")]|map(.LogicalResourceId) ',
|
|
7
9
|
message: 'S3 Bucket should not have a public read-write acl'
|
|
8
10
|
|
|
@@ -33,14 +35,17 @@ def s3_wildcard_aws_principal:
|
|
|
33
35
|
END
|
|
34
36
|
|
|
35
37
|
|
|
36
|
-
violation
|
|
38
|
+
violation id: 'F15',
|
|
39
|
+
jq: s3_wildcard_action_filter +
|
|
37
40
|
"[#{resources_by_type('AWS::S3::BucketPolicy')}|select(.Properties.PolicyDocument|s3_wildcard_action)]|map(.LogicalResourceId) ",
|
|
38
41
|
message: 'S3 Bucket policy should not allow * action'
|
|
39
42
|
|
|
40
|
-
violation
|
|
43
|
+
violation id: 'F16',
|
|
44
|
+
jq: s3_wildcard_principal_filter +
|
|
41
45
|
"[#{resources_by_type('AWS::S3::BucketPolicy')}|select(.Properties.PolicyDocument|s3_wildcard_principal)]|map(.LogicalResourceId) ",
|
|
42
46
|
message: 'S3 Bucket policy should not allow * principal'
|
|
43
47
|
|
|
44
|
-
violation
|
|
48
|
+
violation id: 'F17',
|
|
49
|
+
jq: s3_wildcard_aws_principal_filter +
|
|
45
50
|
"[#{resources_by_type('AWS::S3::BucketPolicy')}|select(.Properties.PolicyDocument|s3_wildcard_aws_principal)]|map(.LogicalResourceId) ",
|
|
46
51
|
message: 'S3 Bucket policy should not allow * AWS principal'
|
data/lib/json_rules/sns_rules.rb
CHANGED
|
@@ -18,10 +18,12 @@ END
|
|
|
18
18
|
|
|
19
19
|
#sns action wildcard doesnt seem to be accepted by sns so dont sweat it
|
|
20
20
|
|
|
21
|
-
violation
|
|
21
|
+
violation id: 'F18',
|
|
22
|
+
jq: sns_wildcard_principal_filter +
|
|
22
23
|
"[#{resources_by_type('AWS::SNS::TopicPolicy')}|select(.Properties.PolicyDocument|sns_wildcard_principal)]|map(.LogicalResourceId) ",
|
|
23
24
|
message: 'SNS topic policy should not allow * principal'
|
|
24
25
|
|
|
25
|
-
violation
|
|
26
|
+
violation id: 'F19',
|
|
27
|
+
jq: sns_wildcard_aws_principal_filter +
|
|
26
28
|
"[#{resources_by_type('AWS::SNS::TopicPolicy')}|select(.Properties.PolicyDocument|sns_wildcard_aws_principal)]|map(.LogicalResourceId) ",
|
|
27
29
|
message: 'SNS topic policy should not allow * AWS principal'
|
data/lib/json_rules/sqs_rules.rb
CHANGED
|
@@ -14,10 +14,12 @@ def sqs_wildcard_principal:
|
|
|
14
14
|
end;
|
|
15
15
|
END
|
|
16
16
|
|
|
17
|
-
violation
|
|
17
|
+
violation id: 'F20',
|
|
18
|
+
jq: sqs_wildcard_action_filter +
|
|
18
19
|
"[#{resources_by_type('AWS::SQS::QueuePolicy')}|select(.Properties.PolicyDocument|sqs_wildcard_action)]|map(.LogicalResourceId) ",
|
|
19
20
|
message: 'SQS Queue policy should not allow * action'
|
|
20
21
|
|
|
21
|
-
violation
|
|
22
|
+
violation id: 'F21',
|
|
23
|
+
jq: sqs_wildcard_principal_filter +
|
|
22
24
|
"[#{resources_by_type('AWS::SQS::QueuePolicy')}|select(.Properties.PolicyDocument|sqs_wildcard_principal)]|map(.LogicalResourceId) ",
|
|
23
25
|
message: 'SQS Queue policy should not allow * principal'
|
data/lib/profile.rb
ADDED
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
require_relative 'profile'
|
|
2
|
+
|
|
3
|
+
class ProfileLoader
|
|
4
|
+
|
|
5
|
+
def initialize(rules_registry)
|
|
6
|
+
@rules_registry = rules_registry
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
def load(profile_definition:)
|
|
10
|
+
|
|
11
|
+
if profile_definition.nil? or profile_definition.strip == ''
|
|
12
|
+
raise 'Empty profile'
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
new_profile = Profile.new
|
|
16
|
+
|
|
17
|
+
profile_definition.each_line do |line|
|
|
18
|
+
rule_id = line.chomp
|
|
19
|
+
if @rules_registry.by_id(rule_id) == []
|
|
20
|
+
raise "#{rule_id} is not a legal rule identifier"
|
|
21
|
+
else
|
|
22
|
+
new_profile.add_rule rule_id
|
|
23
|
+
end
|
|
24
|
+
end
|
|
25
|
+
new_profile
|
|
26
|
+
end
|
|
27
|
+
end
|
|
@@ -9,7 +9,7 @@ class SimpleStdoutResults
|
|
|
9
9
|
(1..60).each { print '-' }
|
|
10
10
|
|
|
11
11
|
result[:file_results][:violations].each do |violation|
|
|
12
|
-
message message_type: violation.type,
|
|
12
|
+
message message_type: "#{violation.type} #{violation.id}",
|
|
13
13
|
message: violation.message,
|
|
14
14
|
logical_resource_ids: violation.logical_resource_ids,
|
|
15
15
|
violating_code: violation.violating_code
|
data/lib/rule.rb
CHANGED
|
@@ -16,8 +16,10 @@ module Rule
|
|
|
16
16
|
"#{resources}| select(.Type == \"#{resource}\")"
|
|
17
17
|
end
|
|
18
18
|
|
|
19
|
-
def warning(jq:, message:)
|
|
20
|
-
@
|
|
19
|
+
def warning(id:, jq:, message:)
|
|
20
|
+
warning_def = @rule_registry.definition(id: id,
|
|
21
|
+
type: Violation::WARNING,
|
|
22
|
+
message: message)
|
|
21
23
|
|
|
22
24
|
return if @stop_processing
|
|
23
25
|
|
|
@@ -30,50 +32,57 @@ module Rule
|
|
|
30
32
|
resource_ids = parse_logical_resource_ids(stdout)
|
|
31
33
|
new_warnings = resource_ids.size
|
|
32
34
|
if result == 0 and new_warnings > 0
|
|
33
|
-
add_violation(
|
|
35
|
+
add_violation(id: warning_def.id,
|
|
36
|
+
type: Violation::WARNING,
|
|
34
37
|
message: message,
|
|
35
38
|
logical_resource_ids: resource_ids)
|
|
36
39
|
end
|
|
37
40
|
end
|
|
38
41
|
|
|
39
|
-
def raw_fatal_assertion(jq:, message:)
|
|
40
|
-
failing_rule(
|
|
42
|
+
def raw_fatal_assertion(id:, jq:, message:)
|
|
43
|
+
failing_rule(id: id,
|
|
44
|
+
jq_expression: jq,
|
|
41
45
|
fail_if_found: false,
|
|
42
46
|
fatal: true,
|
|
43
47
|
message: message,
|
|
44
48
|
raw: true)
|
|
45
49
|
end
|
|
46
50
|
|
|
47
|
-
def fatal_assertion(jq:, message:)
|
|
48
|
-
failing_rule(
|
|
51
|
+
def fatal_assertion(id:, jq:, message:)
|
|
52
|
+
failing_rule(id: id,
|
|
53
|
+
jq_expression: jq,
|
|
49
54
|
fail_if_found: false,
|
|
50
55
|
fatal: true,
|
|
51
56
|
message: message)
|
|
52
57
|
end
|
|
53
58
|
|
|
54
|
-
def raw_fatal_violation(jq:, message:)
|
|
55
|
-
failing_rule(
|
|
59
|
+
def raw_fatal_violation(id:, jq:, message:)
|
|
60
|
+
failing_rule(id: id,
|
|
61
|
+
jq_expression: jq,
|
|
56
62
|
fail_if_found: true,
|
|
57
63
|
fatal: true,
|
|
58
64
|
message: message,
|
|
59
65
|
raw: true)
|
|
60
66
|
end
|
|
61
67
|
|
|
62
|
-
def fatal_violation(jq:, message:)
|
|
63
|
-
failing_rule(
|
|
68
|
+
def fatal_violation(id:, jq:, message:)
|
|
69
|
+
failing_rule(id: id,
|
|
70
|
+
jq_expression: jq,
|
|
64
71
|
fail_if_found: true,
|
|
65
72
|
fatal: true,
|
|
66
73
|
message: message)
|
|
67
74
|
end
|
|
68
75
|
|
|
69
|
-
def violation(jq:, message:)
|
|
70
|
-
failing_rule(
|
|
76
|
+
def violation(id:, jq:, message:)
|
|
77
|
+
failing_rule(id: id,
|
|
78
|
+
jq_expression: jq,
|
|
71
79
|
fail_if_found: true,
|
|
72
80
|
message: message)
|
|
73
81
|
end
|
|
74
82
|
|
|
75
|
-
def assertion(jq:, message:)
|
|
76
|
-
failing_rule(
|
|
83
|
+
def assertion(id:, jq:, message:)
|
|
84
|
+
failing_rule(id: id,
|
|
85
|
+
jq_expression: jq,
|
|
77
86
|
fail_if_found: false,
|
|
78
87
|
message: message)
|
|
79
88
|
end
|
|
@@ -108,11 +117,17 @@ module Rule
|
|
|
108
117
|
end
|
|
109
118
|
end
|
|
110
119
|
|
|
111
|
-
|
|
120
|
+
# this is to record a violation as opposed to "registering" a violation
|
|
121
|
+
#
|
|
122
|
+
# not super keen on this looking at it after the fact.... @violations
|
|
123
|
+
# will have to live in the object this Rule is mixed into i.e. CfnNag
|
|
124
|
+
def add_violation(id:,
|
|
125
|
+
type:,
|
|
112
126
|
message:,
|
|
113
127
|
logical_resource_ids: nil,
|
|
114
128
|
violating_code: nil)
|
|
115
|
-
violation = Violation.new(
|
|
129
|
+
violation = Violation.new(id: id,
|
|
130
|
+
type: type,
|
|
116
131
|
message: message,
|
|
117
132
|
logical_resource_ids: logical_resource_ids,
|
|
118
133
|
violating_code: violating_code)
|
|
@@ -135,12 +150,17 @@ module Rule
|
|
|
135
150
|
# failure count by 1
|
|
136
151
|
#
|
|
137
152
|
# fatal: if true, any match of the rule causes immediate shutdown to avoid more complicated downstream error checking
|
|
138
|
-
def failing_rule(
|
|
153
|
+
def failing_rule(id:,
|
|
154
|
+
jq_expression:,
|
|
139
155
|
fail_if_found:,
|
|
140
156
|
message:,
|
|
141
157
|
fatal: false,
|
|
142
158
|
raw: false)
|
|
143
|
-
|
|
159
|
+
|
|
160
|
+
fail_def = @rule_registry.definition(id: id,
|
|
161
|
+
type: Violation::FAILING_VIOLATION,
|
|
162
|
+
message: message)
|
|
163
|
+
|
|
144
164
|
return if @stop_processing
|
|
145
165
|
|
|
146
166
|
Logging.logger['log'].debug jq_expression
|
|
@@ -152,7 +172,8 @@ module Rule
|
|
|
152
172
|
(not fail_if_found and result != 0)
|
|
153
173
|
|
|
154
174
|
if raw
|
|
155
|
-
add_violation(
|
|
175
|
+
add_violation(id: fail_def.id,
|
|
176
|
+
type: Violation::FAILING_VIOLATION,
|
|
156
177
|
message: message,
|
|
157
178
|
violating_code: stdout)
|
|
158
179
|
|
|
@@ -163,7 +184,8 @@ module Rule
|
|
|
163
184
|
resource_ids = parse_logical_resource_ids(stdout)
|
|
164
185
|
|
|
165
186
|
if resource_ids.size > 0
|
|
166
|
-
add_violation(
|
|
187
|
+
add_violation(id: fail_def.id,
|
|
188
|
+
type: Violation::FAILING_VIOLATION,
|
|
167
189
|
message: message,
|
|
168
190
|
logical_resource_ids: resource_ids)
|
|
169
191
|
|
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
require_relative 'violation'
|
|
2
|
+
|
|
3
|
+
class RuleRegistry
|
|
4
|
+
|
|
5
|
+
attr_reader :rules
|
|
6
|
+
|
|
7
|
+
def initialize
|
|
8
|
+
@rules = []
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def definition(id:,
|
|
12
|
+
type:,
|
|
13
|
+
message:)
|
|
14
|
+
violation_def = Violation.new(id: id,
|
|
15
|
+
type: type,
|
|
16
|
+
message: message)
|
|
17
|
+
existing_def = @rules.find { |definition| definition == violation_def }
|
|
18
|
+
|
|
19
|
+
if existing_def.nil?
|
|
20
|
+
add_rule violation_def
|
|
21
|
+
else
|
|
22
|
+
existing_def
|
|
23
|
+
end
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
# FATAL applies to multiple rules
|
|
27
|
+
def by_id(id)
|
|
28
|
+
@rules.select { |rule| rule.id == id }
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
def warnings
|
|
32
|
+
@rules.select { |rule| rule.type == Violation::WARNING }
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
def failings
|
|
36
|
+
@rules.select { |rule| rule.type == Violation::FAILING_VIOLATION }
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
private
|
|
40
|
+
|
|
41
|
+
def add_rule(violation_def)
|
|
42
|
+
@rules << violation_def
|
|
43
|
+
violation_def
|
|
44
|
+
end
|
|
45
|
+
end
|
data/lib/violation.rb
CHANGED
|
@@ -1,14 +1,17 @@
|
|
|
1
1
|
require 'json'
|
|
2
|
+
|
|
2
3
|
class Violation
|
|
3
4
|
WARNING = 'WARN'
|
|
4
5
|
FAILING_VIOLATION = 'FAIL'
|
|
5
6
|
|
|
6
|
-
attr_reader :type, :message, :logical_resource_ids, :violating_code
|
|
7
|
+
attr_reader :id, :type, :message, :logical_resource_ids, :violating_code
|
|
7
8
|
|
|
8
|
-
def initialize(
|
|
9
|
+
def initialize(id:,
|
|
10
|
+
type:,
|
|
9
11
|
message:,
|
|
10
12
|
logical_resource_ids: nil,
|
|
11
13
|
violating_code: nil)
|
|
14
|
+
@id = id
|
|
12
15
|
@type = type
|
|
13
16
|
@message = message
|
|
14
17
|
@logical_resource_ids = logical_resource_ids
|
|
@@ -19,11 +22,12 @@ class Violation
|
|
|
19
22
|
end
|
|
20
23
|
|
|
21
24
|
def to_s
|
|
22
|
-
puts "#{@type} #{@message} #{@logical_resource_ids} #{@violating_code}"
|
|
25
|
+
puts "#{@id} #{@type} #{@message} #{@logical_resource_ids} #{@violating_code}"
|
|
23
26
|
end
|
|
24
27
|
|
|
25
28
|
def to_h
|
|
26
29
|
{
|
|
30
|
+
id: @id,
|
|
27
31
|
type: @type,
|
|
28
32
|
message: @message,
|
|
29
33
|
logical_resource_ids: @logical_resource_ids,
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cfn-nag
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.35
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- someguy
|
|
@@ -73,9 +73,12 @@ files:
|
|
|
73
73
|
- lib/model/s3_bucket_policy.rb
|
|
74
74
|
- lib/model/s3_bucket_policy_parser.rb
|
|
75
75
|
- lib/model/security_group_parser.rb
|
|
76
|
+
- lib/profile.rb
|
|
77
|
+
- lib/profile_loader.rb
|
|
76
78
|
- lib/result_view/json_results.rb
|
|
77
79
|
- lib/result_view/simple_stdout_results.rb
|
|
78
80
|
- lib/rule.rb
|
|
81
|
+
- lib/rule_registry.rb
|
|
79
82
|
- lib/violation.rb
|
|
80
83
|
homepage: https://github.com/stelligent/cfn_nag
|
|
81
84
|
licenses:
|