cfn-nag 0.4.37 → 0.4.38
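--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 2fb1bee12e87bb5e68bdfe15ba0a3ff77525fa2b9aca01d75707a323365de8bb
+data.tar.gz: b21e9a17e5131846e0440b2b254b705bfead9d360f76bbe29775391469ab211a
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 34a547ee71bd06ebdeee34e4f3a6b9155e44d6999b6ebdbbd15172ab120ae36cdfcda159a8578a4d45a690f780f8b7a56d3bb2dbd277f543cbd5273e00a1e16f
+data.tar.gz: 199fce4055e59caab622deb66a5a82111e94adf4be7923255c392243ef41b13e4080e0f655b79e32f3d6e963b09fd9351c8e8720b1ae956416d65975e595bbc0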
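--- /dev/null
+++ b/lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb
@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class SecurityGroupEgressAllProtocolsRule < BaseRule
+def rule_text
+'Security Groups egress with an IpProtocol of -1 found'
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W40'
+end
+
+##
+# This will behave slightly different than the legacy jq based rule which was
+# targeted against inline ingress only
+def audit_impl(cfn_model)
+violating_security_groups = cfn_model.security_groups.select do |security_group|
+violating_egresses = security_group.egresses.select do |egress|
+egress.ipProtocol.to_i == -1
+end
+
+!violating_egresses.empty?
+end
+
+violating_egresses = cfn_model.standalone_egress.select do |standalone_egress|
+standalone_egress.ipProtocol.to_i == -1
+end
+
+violating_security_groups.map(&:logical_resource_id) + violating_egresses.map(&:logical_resource_id)
+end
+end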
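Review bot: The header comment on audit_impl (new lines 20–21) was copied from the ingress rule and still says the legacy rule was "targeted against inline ingress only", although this class inspects egresses; suggest `# targeted against inline egress only`. The `violating_egresses` temporary inside the select block (line 24) carries the same name as the outer variable assigned on line 31, which reads as a reassignment although it is block-local; `security_group.egresses.any? { |egress| egress.ipProtocol.to_i == -1 }` drops the temporary and the `!empty?` on line 28. The `to_i` comparison presumably assumes ipProtocol is a String or Integer; if cfn-model can leave an unresolved intrinsic (a Hash) in that field, `to_i` would raise and abort the whole audit instead of skipping that resource, which is worth confirming against the model. The same three points apply to SecurityGroupIngressAllProtocolsRule.rb in the next section, whose rule_text additionally ends with a trailing space (`'... of -1 found '`) and spells the attribute `ipProtocol` where the egress text uses `IpProtocol`.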
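--- /dev/null
+++ b/lib/cfn-nag/custom_rules/SecurityGroupIngressAllProtocolsRule.rb
@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class SecurityGroupIngressAllProtocolsRule < BaseRule
+def rule_text
+'Security Groups ingress with an ipProtocol of -1 found '
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W42'
+end
+
+##
+# This will behave slightly different than the legacy jq based rule which was
+# targeted against inline ingress only
+def audit_impl(cfn_model)
+violating_security_groups = cfn_model.security_groups.select do |security_group|
+violating_ingresses = security_group.ingresses.select do |ingress|
+ingress.ipProtocol.to_i == -1
+end
+
+!violating_ingresses.empty?
+end
+
+violating_ingresses = cfn_model.standalone_ingress.select do |standalone_ingress|
+standalone_ingress.ipProtocol.to_i == -1
+end
+
+violating_security_groups.map(&:logical_resource_id) + violating_ingresses.map(&:logical_resource_id)
+end
+end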
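--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-version: 0.4.
+version: 0.4.38
 platform: ruby
 authors:
 - Eric Kascic
@@ -228,8 +228,10 @@ files:
 - lib/cfn-nag/custom_rules/S3BucketPolicyWildcardPrincipalRule.rb
 - lib/cfn-nag/custom_rules/S3BucketPublicReadAclRule.rb
 - lib/cfn-nag/custom_rules/S3BucketPublicReadWriteAclRule.rb
+- lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupEgressPortRangeRule.rb
+- lib/cfn-nag/custom_rules/SecurityGroupIngressAllProtocolsRule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupIngressCidrNon32Rule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb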