cfn-nag 0.5.35 → 0.5.36

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3e5338b162d25636bc602f0161527f9394c760e2dab622191e94f340756d351b
-  data.tar.gz: 3f6f6d92d96c2e18425e59c83627de39bce7e6e647f928339f127dea6e704c86
+  metadata.gz: 119f2cf6f8a066fa49f8989b468b04543ffeab2a75f59e65da7af19675f1fd6e
+  data.tar.gz: f3728a32066dc37441a033e37e15975249c68f5767fd4a4cbc45db60f318b41a
 SHA512:
-  metadata.gz: f968043cdf5b3e02672fda69ceb9fed7d743cb4f1d7f6b3a0a2a283b251a9e3402e27afb3bc6f8f2b7ebab55ea74af939196b18de6e1cd24603f60dec2cee969
-  data.tar.gz: f317896d07e97ec51b24ad9550e629216768c30a1d3b1d9107614f7eb23ff02f5f8b577c62c8d855e0fcbe83816d9debbf6c39202c51a1659e3dccd0bfb1ba6c
+  metadata.gz: a1dcbe870ebd0c978c2a1173d0f1252f45c5121c51c557686ffd58b92d9d7dda8fa1900d2a1f744d844aa819acafe8db0e87453928354042c7d6d7441bbcdb9a
+  data.tar.gz: 0b5acc1571328b6497bed2e4f52295d4404a0dc26649b7b05efb78a7e674e177707991eb676d694f2f7e3ee5c3a460ea1dcbf3c2f8ca901f4fbd4ab40c3a2589

data/lib/cfn-nag/custom_rules/EC2NetworkAclEntryDuplicateRule.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class EC2NetworkAclEntryDuplicateRule < BaseRule
+  def rule_text
+    'A NetworkACL\'s rule numbers cannot be repeated unless one is egress and one is ingress.'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F79'
+  end
+
+  def audit_impl(cfn_model)
+    violating_nacl_entries = []
+    cfn_model.resources_by_type('AWS::EC2::NetworkAcl').each do |nacl|
+      violating_nacl_entries += violating_nacl_entries(nacl)
+    end
+
+    violating_nacl_entries.map(&:logical_resource_id)
+  end
+
+  private
+
+  def duplicate_rule_numbers(nacl_entries)
+    nacl_entries.group_by(&:ruleNumber).select { |_, entries| entries.size > 1 }.map { |_, entries| entries }.flatten
+  end
+
+  def egress(nacl_entries)
+    nacl_entries.select do |nacl_entry|
+      truthy?(nacl_entry.egress)
+    end
+  end
+
+  def ingress(nacl_entries)
+    nacl_entries.select do |nacl_entry|
+      not_truthy?(nacl_entry.egress)
+    end
+  end
+
+  def violating_nacl_entries(nacl)
+    duplicate_rule_numbers(egress(nacl.network_acl_entries)) +
+      duplicate_rule_numbers(ingress(nacl.network_acl_entries))
+  end
+end

data/lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class EC2NetworkAclEntryIneffectiveDenyRule < BaseRule
+  def rule_text
+    'NetworkACL Entry Deny rules should affect all CIDR ranges.'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W71'
+  end
+
+  def audit_impl(cfn_model)
+    violating_nacl_entries = []
+    cfn_model.resources_by_type('AWS::EC2::NetworkAcl').each do |nacl|
+      violating_nacl_entries += violating_nacl_entries(nacl)
+    end
+
+    violating_nacl_entries.map(&:logical_resource_id)
+  end
+
+  private
+
+  def deny_does_not_cover_all_cidrs(nacl_entries)
+    nacl_entries.select do |nacl_entry|
+      nacl_entry.ruleAction == 'deny' && not_all_cidrs_covered?(nacl_entry)
+    end
+  end
+
+  def not_all_cidrs_covered?(nacl_entry)
+    (!nacl_entry.cidrBlock.nil? &&
+      nacl_entry.cidrBlock != '0.0.0.0/0') ||
+      (!nacl_entry.ipv6CidrBlock.nil? && nacl_entry.ipv6CidrBlock != '::/0')
+  end
+
+  def egress(nacl_entries)
+    nacl_entries.select do |nacl_entry|
+      truthy?(nacl_entry.egress)
+    end
+  end
+
+  def ingress(nacl_entries)
+    nacl_entries.select do |nacl_entry|
+      not_truthy?(nacl_entry.egress)
+    end
+  end
+
+  def violating_nacl_entries(nacl)
+    deny_does_not_cover_all_cidrs(egress(nacl.network_acl_entries)) +
+      deny_does_not_cover_all_cidrs(ingress(nacl.network_acl_entries))
+  end
+end

data/lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class EC2NetworkAclEntryOverlappingPortsRule < BaseRule
+  def rule_text
+    'NetworkACL Entries are reusing or overlapping ports which may create ineffective rules.'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W72'
+  end
+
+  def audit_impl(cfn_model)
+    violating_nacl_entries = []
+    cfn_model.resources_by_type('AWS::EC2::NetworkAcl').each do |nacl|
+      violating_nacl_entries += violating_nacl_entries(nacl)
+    end
+    violating_nacl_entries.map(&:logical_resource_id)
+  end
+
+  private
+
+  def overlapping_port_entries(nacl_entries)
+    unique_pairs(nacl_entries).select do |nacl_entry_pair|
+      overlap?(nacl_entry_pair[0], nacl_entry_pair[1])
+    end
+  end
+
+  def unique_pairs(arr)
+    pairs_without_dupes = arr.product(arr).select { |pair| pair[0] != pair[1] }
+    pairs_without_dupes.reduce(Set.new) { |set_of_sets, pair| set_of_sets << Set.new(pair) }.to_a.map(&:to_a)
+  end
+
+  def overlap?(entry1, entry2)
+    roverlap?(entry1, entry2) || loverlap?(entry1, entry2)
+  end
+
+  def roverlap?(entry1, entry2)
+    entry1.portRange['From'].between?(entry2.portRange['From'], entry2.portRange['To']) ||
+      entry1.portRange['To'].between?(entry2.portRange['From'], entry2.portRange['To'])
+  end
+
+  def loverlap?(entry1, entry2)
+    entry2.portRange['From'].between?(entry1.portRange['From'], entry1.portRange['To']) ||
+      entry2.portRange['To'].between?(entry1.portRange['From'], entry1.portRange['To'])
+  end
+
+  def egress_entries(nacl_entries)
+    nacl_entries.select do |nacl_entry|
+      truthy?(nacl_entry.egress)
+    end
+  end
+
+  def ingress_entries(nacl_entries)
+    nacl_entries.select do |nacl_entry|
+      not_truthy?(nacl_entry.egress)
+    end
+  end
+
+  def violating_nacl_entries(nacl)
+    overlapping_port_entries(egress_entries(nacl.network_acl_entries)).flatten.uniq &&
+      overlapping_port_entries(ingress_entries(nacl.network_acl_entries)).flatten.uniq
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.5.35
+  version: 0.5.36
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-15 00:00:00.000000000 Z
+date: 2020-04-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -72,14 +72,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.4.26
+        version: 0.4.28
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.4.26
+        version: 0.4.28
 - !ruby/object:Gem::Dependency
   name: logging
   requirement: !ruby/object:Gem::Requirement
@@ -201,6 +201,9 @@ files:
 - lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb
 - lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb
 - lib/cfn-nag/custom_rules/DocDBDBClusterMasterUserPasswordRule.rb
+- lib/cfn-nag/custom_rules/EC2NetworkAclEntryDuplicateRule.rb
+- lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb
+- lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb
 - lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb
 - lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb
 - lib/cfn-nag/custom_rules/EC2SubnetMapPublicIpOnLaunchRule.rb