cfn-nag 0.4.37 → 0.4.38
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 2fb1bee12e87bb5e68bdfe15ba0a3ff77525fa2b9aca01d75707a323365de8bb
|
|
4
|
+
data.tar.gz: b21e9a17e5131846e0440b2b254b705bfead9d360f76bbe29775391469ab211a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 34a547ee71bd06ebdeee34e4f3a6b9155e44d6999b6ebdbbd15172ab120ae36cdfcda159a8578a4d45a690f780f8b7a56d3bb2dbd277f543cbd5273e00a1e16f
|
|
7
|
+
data.tar.gz: 199fce4055e59caab622deb66a5a82111e94adf4be7923255c392243ef41b13e4080e0f655b79e32f3d6e963b09fd9351c8e8720b1ae956416d65975e595bbc0
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'cfn-nag/violation'
|
|
4
|
+
require_relative 'base'
|
|
5
|
+
|
|
6
|
+
class SecurityGroupEgressAllProtocolsRule < BaseRule
|
|
7
|
+
def rule_text
|
|
8
|
+
'Security Groups egress with an IpProtocol of -1 found'
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def rule_type
|
|
12
|
+
Violation::WARNING
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def rule_id
|
|
16
|
+
'W40'
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
##
|
|
20
|
+
# This will behave slightly different than the legacy jq based rule which was
|
|
21
|
+
# targeted against inline ingress only
|
|
22
|
+
def audit_impl(cfn_model)
|
|
23
|
+
violating_security_groups = cfn_model.security_groups.select do |security_group|
|
|
24
|
+
violating_egresses = security_group.egresses.select do |egress|
|
|
25
|
+
egress.ipProtocol.to_i == -1
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
!violating_egresses.empty?
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
violating_egresses = cfn_model.standalone_egress.select do |standalone_egress|
|
|
32
|
+
standalone_egress.ipProtocol.to_i == -1
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
violating_security_groups.map(&:logical_resource_id) + violating_egresses.map(&:logical_resource_id)
|
|
36
|
+
end
|
|
37
|
+
end
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'cfn-nag/violation'
|
|
4
|
+
require_relative 'base'
|
|
5
|
+
|
|
6
|
+
class SecurityGroupIngressAllProtocolsRule < BaseRule
|
|
7
|
+
def rule_text
|
|
8
|
+
'Security Groups ingress with an ipProtocol of -1 found '
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def rule_type
|
|
12
|
+
Violation::WARNING
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def rule_id
|
|
16
|
+
'W42'
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
##
|
|
20
|
+
# This will behave slightly different than the legacy jq based rule which was
|
|
21
|
+
# targeted against inline ingress only
|
|
22
|
+
def audit_impl(cfn_model)
|
|
23
|
+
violating_security_groups = cfn_model.security_groups.select do |security_group|
|
|
24
|
+
violating_ingresses = security_group.ingresses.select do |ingress|
|
|
25
|
+
ingress.ipProtocol.to_i == -1
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
!violating_ingresses.empty?
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
violating_ingresses = cfn_model.standalone_ingress.select do |standalone_ingress|
|
|
32
|
+
standalone_ingress.ipProtocol.to_i == -1
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
violating_security_groups.map(&:logical_resource_id) + violating_ingresses.map(&:logical_resource_id)
|
|
36
|
+
end
|
|
37
|
+
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cfn-nag
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.4.
|
|
4
|
+
version: 0.4.38
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Eric Kascic
|
|
@@ -228,8 +228,10 @@ files:
|
|
|
228
228
|
- lib/cfn-nag/custom_rules/S3BucketPolicyWildcardPrincipalRule.rb
|
|
229
229
|
- lib/cfn-nag/custom_rules/S3BucketPublicReadAclRule.rb
|
|
230
230
|
- lib/cfn-nag/custom_rules/S3BucketPublicReadWriteAclRule.rb
|
|
231
|
+
- lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb
|
|
231
232
|
- lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb
|
|
232
233
|
- lib/cfn-nag/custom_rules/SecurityGroupEgressPortRangeRule.rb
|
|
234
|
+
- lib/cfn-nag/custom_rules/SecurityGroupIngressAllProtocolsRule.rb
|
|
233
235
|
- lib/cfn-nag/custom_rules/SecurityGroupIngressCidrNon32Rule.rb
|
|
234
236
|
- lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb
|
|
235
237
|
- lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb
|