cfn-nag 0.1.7 → 0.1.8
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: bd5906c9788032280ede5ed4140f22b9654044a2
|
4
|
+
data.tar.gz: 1afc86b72e29a99ec4a91566b00ff2ee5b973078
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: e4bbe81af76602d8c5bdb0705bf5fd92b898bf5a11d630a644d97f557ba5cf772272649483aaadbc58f9e4872bee768a6e919b38f2c0681f0f9e0dd4e7cd5eba
|
7
|
+
data.tar.gz: c5b85b35db56051f6196ab02a60c665592768ae2e15f5ef3d49440c6a1bf0232789b603f58b048394d9d73ce3c01d659c01c2853b55de0b9329a8112bbcfd980
|
@@ -1,7 +1,9 @@
|
|
1
1
|
require 'cfn-nag/violation'
|
2
2
|
require_relative 'base'
|
3
|
+
require 'cfn-nag/ip_addr'
|
3
4
|
|
4
5
|
class SecurityGroupEgressOpenToWorldRule < BaseRule
|
6
|
+
include IpAddr
|
5
7
|
|
6
8
|
def rule_text
|
7
9
|
'Security Groups found with cidr open to world on egress'
|
@@ -21,8 +23,7 @@ class SecurityGroupEgressOpenToWorldRule < BaseRule
|
|
21
23
|
logical_resource_ids = []
|
22
24
|
cfn_model.security_groups.each do |security_group|
|
23
25
|
violating_egresses = security_group.securityGroupEgress.select do |egress|
|
24
|
-
|
25
|
-
egress.cidrIp.is_a?(String) && egress.cidrIp == '0.0.0.0/0'
|
26
|
+
ip4_open?(egress) || ip6_open?(egress)
|
26
27
|
end
|
27
28
|
|
28
29
|
unless violating_egresses.empty?
|
@@ -31,7 +32,7 @@ class SecurityGroupEgressOpenToWorldRule < BaseRule
|
|
31
32
|
end
|
32
33
|
|
33
34
|
violating_egresses = cfn_model.standalone_egress.select do |standalone_egress|
|
34
|
-
|
35
|
+
ip4_open?(standalone_egress) || ip6_open?(standalone_egress)
|
35
36
|
end
|
36
37
|
|
37
38
|
logical_resource_ids + violating_egresses.map { |egress| egress.logical_resource_id}
|
@@ -1,7 +1,9 @@
|
|
1
1
|
require 'cfn-nag/violation'
|
2
2
|
require_relative 'base'
|
3
|
+
require 'cfn-nag/ip_addr'
|
3
4
|
|
4
5
|
class SecurityGroupIngressCidrNon32Rule < BaseRule
|
6
|
+
include IpAddr
|
5
7
|
|
6
8
|
def rule_text
|
7
9
|
'Security Groups found with ingress cidr that is not /32'
|
@@ -21,8 +23,7 @@ class SecurityGroupIngressCidrNon32Rule < BaseRule
|
|
21
23
|
logical_resource_ids = []
|
22
24
|
cfn_model.security_groups.each do |security_group|
|
23
25
|
violating_ingresses = security_group.securityGroupIngress.select do |ingress|
|
24
|
-
|
25
|
-
ingress.cidrIp.is_a?(String) && !ingress.cidrIp.end_with?('/32')
|
26
|
+
ip4_cidr_range?(ingress) || ip6_cidr_range?(ingress)
|
26
27
|
end
|
27
28
|
|
28
29
|
unless violating_ingresses.empty?
|
@@ -31,7 +32,7 @@ class SecurityGroupIngressCidrNon32Rule < BaseRule
|
|
31
32
|
end
|
32
33
|
|
33
34
|
violating_ingresses = cfn_model.standalone_ingress.select do |standalone_ingress|
|
34
|
-
|
35
|
+
ip4_cidr_range?(standalone_ingress) || ip6_cidr_range?(standalone_ingress)
|
35
36
|
end
|
36
37
|
|
37
38
|
logical_resource_ids + violating_ingresses.map { |ingress| ingress.logical_resource_id}
|
@@ -1,8 +1,10 @@
|
|
1
1
|
require 'cfn-nag/violation'
|
2
2
|
require_relative 'base'
|
3
|
+
require 'cfn-nag/ip_addr'
|
3
4
|
|
4
5
|
class SecurityGroupIngressOpenToWorldRule < BaseRule
|
5
|
-
|
6
|
+
include IpAddr
|
7
|
+
|
6
8
|
def rule_text
|
7
9
|
'Security Groups found with cidr open to world on ingress. This should never be true on instance. Permissible on ELB'
|
8
10
|
end
|
@@ -21,8 +23,7 @@ class SecurityGroupIngressOpenToWorldRule < BaseRule
|
|
21
23
|
logical_resource_ids = []
|
22
24
|
cfn_model.security_groups.each do |security_group|
|
23
25
|
violating_ingresses = security_group.securityGroupIngress.select do |ingress|
|
24
|
-
|
25
|
-
ingress.cidrIp.is_a?(String) && ingress.cidrIp == '0.0.0.0/0'
|
26
|
+
ip4_open?(ingress) || ip6_open?(ingress)
|
26
27
|
end
|
27
28
|
|
28
29
|
unless violating_ingresses.empty?
|
@@ -31,7 +32,7 @@ class SecurityGroupIngressOpenToWorldRule < BaseRule
|
|
31
32
|
end
|
32
33
|
|
33
34
|
violating_ingresses = cfn_model.standalone_ingress.select do |standalone_ingress|
|
34
|
-
|
35
|
+
ip4_open?(standalone_ingress) || ip6_open?(standalone_ingress)
|
35
36
|
end
|
36
37
|
|
37
38
|
logical_resource_ids + violating_ingresses.map { |ingress| ingress.logical_resource_id}
|
@@ -0,0 +1,44 @@
|
|
1
|
+
require 'netaddr'
|
2
|
+
|
3
|
+
module IpAddr
|
4
|
+
def ip4_open?(ingress)
|
5
|
+
# only care about literals. if a Hash/Ref not going to chase it down given likely a Parameter with external val
|
6
|
+
ingress.cidrIp.is_a?(String) && ingress.cidrIp == '0.0.0.0/0'
|
7
|
+
end
|
8
|
+
|
9
|
+
|
10
|
+
def ip6_open?(ingress)
|
11
|
+
normalized_cidr_ip6 = normalize_cidr_ip6(ingress)
|
12
|
+
return false if normalized_cidr_ip6.nil?
|
13
|
+
|
14
|
+
# only care about literals. if a Hash/Ref not going to chase it down given likely a Parameter with external val
|
15
|
+
(NetAddr::CIDRv6.create(normalized_cidr_ip6) == NetAddr::CIDRv6.create('::/0'))
|
16
|
+
end
|
17
|
+
|
18
|
+
def ip4_cidr_range?(ingress)
|
19
|
+
ingress.cidrIp.is_a?(String) && !ingress.cidrIp.end_with?('/32')
|
20
|
+
end
|
21
|
+
|
22
|
+
def ip6_cidr_range?(ingress)
|
23
|
+
normalized_cidr_ip6 = normalize_cidr_ip6(ingress)
|
24
|
+
return false if normalized_cidr_ip6.nil?
|
25
|
+
|
26
|
+
# only care about literals. if a Hash/Ref not going to chase it down given likely a Parameter with external val
|
27
|
+
!NetAddr::CIDRv6.create(normalized_cidr_ip6).to_s.end_with?('/128')
|
28
|
+
end
|
29
|
+
|
30
|
+
##
|
31
|
+
# If it's a string, just pass through
|
32
|
+
# If it's a symbol - probably because the YAML.load call treats an unquoted ::/0 as a the symbol :':/0'
|
33
|
+
# Otherwise it's probably a Ref or whatever and we aren't going to do anything with it
|
34
|
+
#
|
35
|
+
def normalize_cidr_ip6(ingress)
|
36
|
+
if ingress.cidrIpv6.is_a?(Symbol)
|
37
|
+
":#{ingress.cidrIpv6.to_s}"
|
38
|
+
elsif ingress.cidrIpv6.is_a?(String)
|
39
|
+
ingress.cidrIpv6
|
40
|
+
else
|
41
|
+
nil
|
42
|
+
end
|
43
|
+
end
|
44
|
+
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cfn-nag
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.8
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Eric Kascic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-07-
|
11
|
+
date: 2017-07-19 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: logging
|
@@ -66,6 +66,20 @@ dependencies:
|
|
66
66
|
- - '='
|
67
67
|
- !ruby/object:Gem::Version
|
68
68
|
version: 1.3.1
|
69
|
+
- !ruby/object:Gem::Dependency
|
70
|
+
name: netaddr
|
71
|
+
requirement: !ruby/object:Gem::Requirement
|
72
|
+
requirements:
|
73
|
+
- - '='
|
74
|
+
- !ruby/object:Gem::Version
|
75
|
+
version: 1.5.1
|
76
|
+
type: :runtime
|
77
|
+
prerelease: false
|
78
|
+
version_requirements: !ruby/object:Gem::Requirement
|
79
|
+
requirements:
|
80
|
+
- - '='
|
81
|
+
- !ruby/object:Gem::Version
|
82
|
+
version: 1.5.1
|
69
83
|
description: Auditing tool for CloudFormation templates
|
70
84
|
email:
|
71
85
|
executables:
|
@@ -129,6 +143,7 @@ files:
|
|
129
143
|
- lib/cfn-nag/custom_rules/base.rb
|
130
144
|
- lib/cfn-nag/custom_rules/ebs_volumes_jmespath.rb
|
131
145
|
- lib/cfn-nag/custom_rules/unencrypted_s3_put_allowed.rb
|
146
|
+
- lib/cfn-nag/ip_addr.rb
|
132
147
|
- lib/cfn-nag/jmes_path_discovery.rb
|
133
148
|
- lib/cfn-nag/jmes_path_evaluator.rb
|
134
149
|
- lib/cfn-nag/profile.rb
|