cfn-nag 0.0.44 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c77d505fee7be50a7cdc2e6b536e322752b3b9b2
-  data.tar.gz: 33831cb14131a221d0653cdc34988e330a46d2a3
+  metadata.gz: 905bc16ca0d4964c17e4a532a444b174541c61a6
+  data.tar.gz: 5b76a420e36c46f4adeff8506cae88ff76462b83
 SHA512:
-  metadata.gz: b460866e5500b58d732f33d6f8433b891a5fc4024c54aad491120ac460f224ae1270cf3862cbbd092bb54cdcfa4936a443dbb2e2e184d86045ed910779ad572a
-  data.tar.gz: e2b6a603ceaeab42441dfe9e97e9954e965e5c6d4cd66a249865605d1d8d89acf1e51a52f3fc77af3078177544e0ad6616b50e2accfbf8a5a449fdfc38358370
+  metadata.gz: da46ac982d9a672b38b8161dbb7b123763fb88f34a0a196c6059cee52157076796c18973a385525cc9f00c50b4bf6ab8abcf992b6ddf6cd08e201c6482efce9d
+  data.tar.gz: da78b9bf29944292f4221ab5dd0dd4cca0c03d0398f164f03b391cf29164b29fc1fbb437851b822411e24297ca31473f6feebf7e175ff83a582d5b191badf4a2

data/bin/cfn_nag

@@ -1,19 +1,17 @@
 #!/usr/bin/env ruby
 require 'trollop'
-require 'cfn_nag'
+require 'cfn-nag'
 require 'logging'
+require 'json'
 
 opts = Trollop::options do
-  opt :input_json_path, 'CloudFormation template to nag on or directory of templates - all *.json and *.template recursively', type: :io, required: true
-  opt :output_format, 'Format of results: [txt, json]', type: :string, default: 'txt'
+  usage '[options] <cloudformation template path ...>|<cloudformation template in STDIN>'
+
   opt :debug, 'Enable debug output', type: :boolean, required: false, default: false
-  opt :rule_directory, 'Extra rule directories', type: :strings, required: false, default: [], multi: true
+  opt :rule_directory, 'Extra rule directory', type: :io, required: false, default: nil
   opt :profile_path, 'Path to a profile file', type: :io, required: false, default: nil
 end
 
-Trollop::die(:output_format,
-             'Must be txt or json') unless %w(txt json).include?(opts[:output_format])
-
 CfnNag::configure_logging(opts)
 
 profile_definition = nil
@@ -21,8 +19,26 @@ unless opts[:profile_path].nil?
   profile_definition = IO.read(opts[:profile_path])
 end
 
-cfn_nag = CfnNag.new(profile_definition: profile_definition)
+cfn_nag = CfnNag.new(profile_definition: profile_definition,
+                     rule_directory: opts[:rule_directory])
+
+# trollop appears to pop args off of ARGV
+# ARGF concatenates which we don't want
+if ARGV.size == 0
+  results = cfn_nag.audit(cloudformation_string: STDIN.read)
+
+  results[:violations] = results[:violations].map { |violation| violation.to_h }
+  puts JSON.pretty_generate(results)
+  exit results[:failure_count]
+else
+  total_failure_count = 0
+  ARGV.each do |file_name|
+    results = cfn_nag.audit(cloudformation_string: IO.read(file_name))
+
+    total_failure_count += results[:failure_count]
+    results[:violations] = results[:violations].map { |violation| violation.to_h }
+    puts JSON.pretty_generate(results)
+  end
+  exit total_failure_count
+end
 
-exit cfn_nag.audit(input_json_path: opts[:input_json_path],
-                   output_format: opts[:output_format],
-                   rule_directories: opts[:rule_directory])

data/bin/cfn_nag_rules

@@ -1,9 +1,9 @@
 #!/usr/bin/env ruby
 require 'trollop'
-require 'cfn_nag'
+require 'cfn-nag'
 
 opts = Trollop::options do
-  opt :rule_directory, 'Extra rule directories', type: :strings, required: false, default: [], multi: true
+  opt :rule_directory, 'Extra rule directories', type: :io, required: false, default: nil
   opt :profile_path, 'Path to a profile file', type: :io, required: false, default: nil
 end
 
@@ -12,6 +12,7 @@ unless opts[:profile_path].nil?
   profile_definition = IO.read(opts[:profile_path])
 end
 
-cfn_nag = CfnNag.new(profile_definition: profile_definition)
+rule_dumper = CfnNagRuleDumper.new(profile_definition: profile_definition,
+                                   rule_directory: opts[:rule_directory])
 
-cfn_nag.dump_rules(rule_directories: opts[:rule_directory])
+rule_dumper.dump_rules

data/bin/cfn_nag_scan

@@ -0,0 +1,29 @@
+#!/usr/bin/env ruby
+require 'trollop'
+require 'cfn-nag'
+require 'logging'
+require 'json'
+
+opts = Trollop::options do
+  opt :input_path, 'CloudFormation template to nag on or directory of templates - all *.json, *.yaml, *.yml and *.template recursively', type: :io, required: true
+  opt :output_format, 'Format of results: [txt, json]', type: :string, default: 'txt'
+  opt :debug, 'Enable debug output', type: :boolean, required: false, default: false
+  opt :rule_directory, 'Extra rule directory', type: :io, required: false, default: nil
+  opt :profile_path, 'Path to a profile file', type: :io, required: false, default: nil
+end
+
+Trollop::die(:output_format,
+             'Must be txt or json') unless %w(txt json).include?(opts[:output_format])
+
+CfnNag::configure_logging(opts)
+
+profile_definition = nil
+unless opts[:profile_path].nil?
+  profile_definition = IO.read(opts[:profile_path])
+end
+
+cfn_nag = CfnNag.new(profile_definition: profile_definition,
+                     rule_directory: opts[:rule_directory])
+
+exit cfn_nag.audit_aggregate_across_files_and_render_results(input_path: opts[:input_path],
+                                                             output_format: opts[:output_format])

data/lib/cfn-nag.rb

@@ -0,0 +1,3 @@
+require 'cfn-nag/cfn_nag'
+require 'cfn-nag/violation'
+require 'cfn-nag/rule_dumper'

data/lib/cfn-nag/cfn_nag.rb

@@ -0,0 +1,115 @@
+require_relative 'custom_rule_loader'
+require_relative 'rule_registry'
+require_relative 'profile_loader'
+require_relative 'template_discovery'
+require_relative 'result_view/simple_stdout_results'
+require_relative 'result_view/json_results'
+require 'cfn-model'
+require 'logging'
+
+class CfnNag
+  def initialize(profile_definition: nil,
+                 rule_directory: nil)
+    @rule_directory = rule_directory
+    @custom_rule_loader = CustomRuleLoader.new(rule_directory: rule_directory)
+    @profile_definition = profile_definition
+  end
+
+  ##
+  # Given a file or directory path, emit aggregate results to stdout
+  #
+  # Return an aggregate failure count (for exit code usage)
+  #
+  def audit_aggregate_across_files_and_render_results(input_path:,
+                                                      output_format:'txt')
+    aggregate_results = audit_aggregate_across_files input_path: input_path
+
+    render_results(aggregate_results: aggregate_results,
+                   output_format: output_format)
+
+    aggregate_results.inject(0) do |total_failure_count, results|
+      total_failure_count + results[:file_results][:failure_count]
+    end
+  end
+
+  ##
+  # Given a file or directory path, return aggregate results
+  #
+  def audit_aggregate_across_files(input_path:)
+    templates = TemplateDiscovery.new.discover_templates(input_path)
+
+    aggregate_results = []
+    templates.each do |template|
+      aggregate_results << {
+        filename: template,
+        file_results: audit(cloudformation_string: IO.read(template))
+      }
+    end
+    aggregate_results
+  end
+
+  ##
+  # Given cloudformation json/yml, run all the rules against it
+  #
+  # Return a hash with failure count
+  #
+  def audit(cloudformation_string:)
+    stop_processing = false
+    violations = []
+
+    begin
+      cfn_model = CfnParser.new.parse cloudformation_string
+    rescue ParserError => parser_error
+      violations << Violation.new(id: 'FATAL',
+                                  type: Violation::FAILING_VIOLATION,
+                                  message: parser_error.to_s)
+      stop_processing = true
+    end
+
+    violations += @custom_rule_loader.execute_custom_rules(cfn_model) unless stop_processing == true
+
+    violations = filter_violations_by_profile violations unless stop_processing == true
+
+    {
+      failure_count: Violation.count_failures(violations),
+      violations: violations
+    }
+  end
+
+  def self.configure_logging(opts)
+    logger = Logging.logger['log']
+    if opts[:debug]
+      logger.level = :debug
+    else
+      logger.level = :info
+    end
+
+    logger.add_appenders Logging.appenders.stdout
+  end
+
+  private
+
+  def filter_violations_by_profile(violations)
+    profile = nil
+    unless @profile_definition.nil?
+      profile = ProfileLoader.new(@custom_rule_loader.rule_definitions).load(profile_definition: @profile_definition)
+    end
+
+    violations.reject do |violation|
+      not profile.nil? and not profile.execute_rule?(violation.id)
+    end
+  end
+
+  def render_results(aggregate_results:,
+                     output_format:)
+    results_renderer(output_format).new.render(aggregate_results)
+  end
+
+  def results_renderer(output_format)
+    registry = {
+      'txt' => SimpleStdoutResults,
+      'json' => JsonResults
+    }
+    registry[output_format]
+  end
+end

data/lib/cfn-nag/custom_rule_loader.rb

@@ -0,0 +1,72 @@
+require 'cfn-model'
+require 'logging'
+require_relative 'rule_registry'
+
+##
+# This object can discover the internal and custom user-provided rules and
+# apply these rules to a CfnModel object
+#
+class CustomRuleLoader
+  def initialize(rule_directory: nil)
+    @rule_directory = rule_directory
+    validate_extra_rule_directory rule_directory
+  end
+
+  def rule_definitions
+    rule_registry = RuleRegistry.new
+
+    discover_rule_classes(@rule_directory).each do |rule_class|
+      rule = rule_class.new
+      rule_registry.definition(id: rule.rule_id,
+                               type: rule.rule_type,
+                               message: rule.rule_text)
+    end
+    rule_registry
+  end
+
+  def execute_custom_rules(cfn_model)
+    Logging.logger['log'].debug "cfn_model: #{cfn_model}"
+
+    violations = []
+
+    discover_rule_classes(@rule_directory).each do |rule_class|
+      audit_result = rule_class.new.audit(cfn_model)
+      violations << audit_result unless audit_result.nil?
+    end
+    violations
+  end
+
+  private
+
+  def validate_extra_rule_directory(rule_directory)
+    unless rule_directory.nil?
+      fail "Not a real directory #{rule_directory}" unless File.directory? rule_directory
+    end
+  end
+
+  def discover_rule_filenames(rule_directory)
+    rule_filenames = []
+    unless rule_directory.nil?
+      rule_filenames += Dir[File.join(rule_directory, '*Rule.rb')].sort
+    end
+    rule_filenames += Dir[File.join(__dir__, 'custom_rules', '*Rule.rb')].sort
+    Logging.logger['log'].debug "rule_filenames: #{rule_filenames}"
+    rule_filenames
+  end
+
+  def discover_rule_classes(rule_directory)
+    rule_classes = []
+
+    rule_filenames = discover_rule_filenames(rule_directory)
+
+    rule_filenames.each do |rule_filename|
+      require(rule_filename)
+      rule_classname = File.basename(rule_filename, '.rb')
+
+      rule_classes << Object.const_get(rule_classname)
+    end
+    Logging.logger['log'].debug "rule_classes: #{rule_classes}"
+
+    rule_classes
+  end
+end

data/lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb

@@ -0,0 +1,28 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class CloudFormationAuthenticationRule < BaseRule
+  def rule_text
+    'Specifying credentials in the template itself is probably not the safest thing'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W1'
+  end
+
+  def audit_impl(cfn_model)
+    logical_resource_ids = []
+    cfn_model.raw_model['Resources'].each do |resource_name, resource|
+      unless resource['Metadata'].nil?
+        if !resource['Metadata']['AWS::CloudFormation::Authentication'].nil?
+          logical_resource_ids << resource_name
+        end
+      end
+    end
+    logical_resource_ids
+  end
+end

data/lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb

@@ -0,0 +1,24 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class CloudFrontDistributionAccessLoggingRule < BaseRule
+  def rule_text
+    'CloudFront Distribution should enable access logging'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W10'
+  end
+
+  def audit_impl(cfn_model)
+    violating_distributions = cfn_model.resources_by_type('AWS::CloudFront::Distribution').select do |distribution|
+      distribution.distributionConfig['Logging'].nil?
+    end
+
+    violating_distributions.map { |distribution| distribution.logical_resource_id }
+  end
+end

data/lib/cfn-nag/custom_rules/EbsVolumeHasSseRule.rb

@@ -0,0 +1,24 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class EbsVolumeHasSseRule < BaseRule
+  def rule_text
+    'EBS volume should have server-side encryption enabled'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F1'
+  end
+
+  def audit_impl(cfn_model)
+    violating_volumes = cfn_model.resources_by_type('AWS::EC2::Volume').select do |volume|
+      volume.encrypted.nil? || volume.encrypted == false
+    end
+
+    violating_volumes.map { |violating_user| violating_user.logical_resource_id }
+  end
+end

data/lib/cfn-nag/custom_rules/ElasticLoadBalancerAccessLoggingRule.rb

@@ -0,0 +1,24 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class ElasticLoadBalancerAccessLoggingRule < BaseRule
+  def rule_text
+    'Elastic Load Balancer should have access logging enabled'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W26'
+  end
+
+  def audit_impl(cfn_model)
+    violating_elbs = cfn_model.resources_by_type('AWS::ElasticLoadBalancing::LoadBalancer').select do |elb|
+      elb.accessLoggingPolicy.nil? || elb.accessLoggingPolicy['Enabled'] != true
+    end
+
+    violating_elbs.map { |violating_user| violating_user.logical_resource_id }
+  end
+end

data/lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb

@@ -0,0 +1,25 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class IamManagedPolicyNotActionRule < BaseRule
+
+  def rule_text
+    'IAM managed policy should not allow Allow+NotAction'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W17'
+  end
+
+  def audit_impl(cfn_model)
+    violating_policies = cfn_model.resources_by_type('AWS::IAM::ManagedPolicy').select do |policy|
+      !policy.policyDocument.allows_not_action.empty?
+    end
+
+    violating_policies.map { |policy| policy.logical_resource_id }
+  end
+end