cfn-nag 0.5.35 → 0.5.36
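--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 119f2cf6f8a066fa49f8989b468b04543ffeab2a75f59e65da7af19675f1fd6e
+data.tar.gz: f3728a32066dc37441a033e37e15975249c68f5767fd4a4cbc45db60f318b41a
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: a1dcbe870ebd0c978c2a1173d0f1252f45c5121c51c557686ffd58b92d9d7dda8fa1900d2a1f744d844aa819acafe8db0e87453928354042c7d6d7441bbcdb9a
+data.tar.gz: 0b5acc1571328b6497bed2e4f52295d4404a0dc26649b7b05efb78a7e674e177707991eb676d694f2f7e3ee5c3a460ea1dcbf3c2f8ca901f4fbd4ab40c3a2589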
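--- a/lib/cfn-nag/custom_rules/EC2NetworkAclEntryDuplicateRule.rb
+++ b/lib/cfn-nag/custom_rules/EC2NetworkAclEntryDuplicateRule.rb
@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class EC2NetworkAclEntryDuplicateRule < BaseRule
+def rule_text
+'A NetworkACL\'s rule numbers cannot be repeated unless one is egress and one is ingress.'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F79'
+end
+
+def audit_impl(cfn_model)
+violating_nacl_entries = []
+cfn_model.resources_by_type('AWS::EC2::NetworkAcl').each do |nacl|
+violating_nacl_entries += violating_nacl_entries(nacl)
+end
+
+violating_nacl_entries.map(&:logical_resource_id)
+end
+
+private
+
+def duplicate_rule_numbers(nacl_entries)
+nacl_entries.group_by(&:ruleNumber).select { |_, entries| entries.size > 1 }.map { |_, entries| entries }.flatten
+end
+
+def egress(nacl_entries)
+nacl_entries.select do |nacl_entry|
+truthy?(nacl_entry.egress)
+end
+end
+
+def ingress(nacl_entries)
+nacl_entries.select do |nacl_entry|
+not_truthy?(nacl_entry.egress)
+end
+end
+
+def violating_nacl_entries(nacl)
+duplicate_rule_numbers(egress(nacl.network_acl_entries)) +
+duplicate_rule_numbers(ingress(nacl.network_acl_entries))
+end
+end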
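Review bot: `duplicate_rule_numbers` (line 32 of the new file) groups with `group_by(&:ruleNumber)`, so two entries whose rule numbers differ only in type — an Integer `100` and a String `"100"`, both of which CloudFormation accepts — would not be treated as duplicates unless the model normalises the value; if it does not, `group_by { |e| e.ruleNumber.to_s }` closes that gap. The chain `.select { ... }.map { |_, entries| entries }.flatten` reads more directly as `.select { |_, entries| entries.size > 1 }.values.flatten`. In `audit_impl` the local `violating_nacl_entries` shares its name with the private method `violating_nacl_entries(nacl)`; the call still parses because of the argument, but renaming the local to `violations` avoids the confusion, and the same pattern appears in the EC2NetworkAclEntryIneffectiveDenyRule and EC2NetworkAclEntryOverlappingPortsRule files added in this commit.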
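--- a/lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb
+++ b/lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb
@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class EC2NetworkAclEntryIneffectiveDenyRule < BaseRule
+def rule_text
+'NetworkACL Entry Deny rules should affect all CIDR ranges.'
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W71'
+end
+
+def audit_impl(cfn_model)
+violating_nacl_entries = []
+cfn_model.resources_by_type('AWS::EC2::NetworkAcl').each do |nacl|
+violating_nacl_entries += violating_nacl_entries(nacl)
+end
+
+violating_nacl_entries.map(&:logical_resource_id)
+end
+
+private
+
+def deny_does_not_cover_all_cidrs(nacl_entries)
+nacl_entries.select do |nacl_entry|
+nacl_entry.ruleAction == 'deny' && not_all_cidrs_covered?(nacl_entry)
+end
+end
+
+def not_all_cidrs_covered?(nacl_entry)
+(!nacl_entry.cidrBlock.nil? &&
+nacl_entry.cidrBlock != '0.0.0.0/0') ||
+(!nacl_entry.ipv6CidrBlock.nil? && nacl_entry.ipv6CidrBlock != '::/0')
+end
+
+def egress(nacl_entries)
+nacl_entries.select do |nacl_entry|
+truthy?(nacl_entry.egress)
+end
+end
+
+def ingress(nacl_entries)
+nacl_entries.select do |nacl_entry|
+not_truthy?(nacl_entry.egress)
+end
+end
+
+def violating_nacl_entries(nacl)
+deny_does_not_cover_all_cidrs(egress(nacl.network_acl_entries)) +
+deny_does_not_cover_all_cidrs(ingress(nacl.network_acl_entries))
+end
+end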
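Review bot: `not_all_cidrs_covered?` (lines 37–41 of the new file) returns false when both `cidrBlock` and `ipv6CidrBlock` are nil, so a deny entry with neither block set is silently treated as covering everything; if the model can hold such entries, that case deserves an explicit comment such as `# an entry with no CIDR at all is not flagged here — TODO confirm intended` or its own branch. The `egress`/`ingress` split in `violating_nacl_entries` changes nothing here because the deny check does not depend on direction — assuming `truthy?`/`not_truthy?` partition the list, `deny_does_not_cover_all_cidrs(nacl.network_acl_entries)` gives the same result in one pass. `nacl_entry.ruleAction == 'deny'` is a case-sensitive match; if templates spelling it `Deny` are expected to be linted, `nacl_entry.ruleAction.to_s.casecmp?('deny')` would catch them. The egress/ingress helpers are duplicated verbatim in the EC2NetworkAclEntryDuplicateRule file and again (as `egress_entries`/`ingress_entries`) in the EC2NetworkAclEntryOverlappingPortsRule file; one shared helper next to `truthy?` or in `base` would keep the three rules consistent.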
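--- a/lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb
+++ b/lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb
@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class EC2NetworkAclEntryOverlappingPortsRule < BaseRule
+def rule_text
+'NetworkACL Entries are reusing or overlapping ports which may create ineffective rules.'
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W72'
+end
+
+def audit_impl(cfn_model)
+violating_nacl_entries = []
+cfn_model.resources_by_type('AWS::EC2::NetworkAcl').each do |nacl|
+violating_nacl_entries += violating_nacl_entries(nacl)
+end
+violating_nacl_entries.map(&:logical_resource_id)
+end
+
+private
+
+def overlapping_port_entries(nacl_entries)
+unique_pairs(nacl_entries).select do |nacl_entry_pair|
+overlap?(nacl_entry_pair[0], nacl_entry_pair[1])
+end
+end
+
+def unique_pairs(arr)
+pairs_without_dupes = arr.product(arr).select { |pair| pair[0] != pair[1] }
+pairs_without_dupes.reduce(Set.new) { |set_of_sets, pair| set_of_sets << Set.new(pair) }.to_a.map(&:to_a)
+end
+
+def overlap?(entry1, entry2)
+roverlap?(entry1, entry2) || loverlap?(entry1, entry2)
+end
+
+def roverlap?(entry1, entry2)
+entry1.portRange['From'].between?(entry2.portRange['From'], entry2.portRange['To']) ||
+entry1.portRange['To'].between?(entry2.portRange['From'], entry2.portRange['To'])
+end
+
+def loverlap?(entry1, entry2)
+entry2.portRange['From'].between?(entry1.portRange['From'], entry1.portRange['To']) ||
+entry2.portRange['To'].between?(entry1.portRange['From'], entry1.portRange['To'])
+end
+
+def egress_entries(nacl_entries)
+nacl_entries.select do |nacl_entry|
+truthy?(nacl_entry.egress)
+end
+end
+
+def ingress_entries(nacl_entries)
+nacl_entries.select do |nacl_entry|
+not_truthy?(nacl_entry.egress)
+end
+end
+
+def violating_nacl_entries(nacl)
+overlapping_port_entries(egress_entries(nacl.network_acl_entries)).flatten.uniq &&
+overlapping_port_entries(ingress_entries(nacl.network_acl_entries)).flatten.uniq
+end
+end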
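Review bot: `violating_nacl_entries` (lines 68–69 of the new file) joins the egress and ingress results with `&&`, so the method returns only the ingress array — an Array is truthy even when empty — and overlapping egress entries are never reported; the join should be `+`, i.e. line 68 becomes `overlapping_port_entries(egress_entries(nacl.network_acl_entries)).flatten.uniq +`. `roverlap?` and `loverlap?` index `entry.portRange['From']` directly, so an entry with no PortRange (CloudFormation allows omitting it, for example on an all-protocols entry) raises NoMethodError on nil and aborts the whole audit; a guard such as `return false if entry1.portRange.nil? || entry2.portRange.nil?` at the top of `overlap?` keeps the rule best-effort. The pairs are also compared without regard to the entry's protocol, so a TCP and a UDP entry on the same ports are flagged although they cannot shadow each other; whether that is intended deserves a comment on `overlapping_port_entries`. `unique_pairs` uses `Set` but the file has no `require 'set'`, which on Ruby before 3.2 relies on another file having loaded it; `arr.combination(2).to_a` would give the same unordered pairs without the product-then-dedupe step, provided dropping value-equal entries (which the current `pair[0] != pair[1]` does) is not relied upon.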
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cfn-nag
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.5.
|
4
|
+
version: 0.5.36
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Eric Kascic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-04-
|
11
|
+
date: 2020-04-21 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rake
|
@@ -72,14 +72,14 @@ dependencies:
|
|
72
72
|
requirements:
|
73
73
|
- - '='
|
74
74
|
- !ruby/object:Gem::Version
|
75
|
-
version: 0.4.
|
75
|
+
version: 0.4.28
|
76
76
|
type: :runtime
|
77
77
|
prerelease: false
|
78
78
|
version_requirements: !ruby/object:Gem::Requirement
|
79
79
|
requirements:
|
80
80
|
- - '='
|
81
81
|
- !ruby/object:Gem::Version
|
82
|
-
version: 0.4.
|
82
|
+
version: 0.4.28
|
83
83
|
- !ruby/object:Gem::Dependency
|
84
84
|
name: logging
|
85
85
|
requirement: !ruby/object:Gem::Requirement
|
@@ -201,6 +201,9 @@ files:
|
|
201
201
|
- lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb
|
202
202
|
- lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb
|
203
203
|
- lib/cfn-nag/custom_rules/DocDBDBClusterMasterUserPasswordRule.rb
|
204
|
+
- lib/cfn-nag/custom_rules/EC2NetworkAclEntryDuplicateRule.rb
|
205
|
+
- lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb
|
206
|
+
- lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb
|
204
207
|
- lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb
|
205
208
|
- lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb
|
206
209
|
- lib/cfn-nag/custom_rules/EC2SubnetMapPublicIpOnLaunchRule.rb
|