heimdall_tools 1.3.39 → 1.3.44

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f629e9d519b119329b6bfd8a8eeb7826420262f654cbe127e6efe05b88fc9ac3
4
- data.tar.gz: 1d66b4d6505221cbd2fbb06dc4d856c179d8db11566148386b2f67bd0110e851
3
+ metadata.gz: 75e8a6020d8b250e1c11bc8c90de7b73196d430925eb8adcfe8dfa5e2b27771e
4
+ data.tar.gz: dc2596fca0d74044f64c61cba90eae4490c58268545cd68a9f7a02e794c2b8a4
5
5
  SHA512:
6
- metadata.gz: 6f7898ac0e5b94f3efaeda24117c4f8ff6dc06bf1140786d6c99eccffbdc1fa9792c93eda05847c7e6a9a1d2e5d70596a486ba4fe53bc931eace7bb6dff45146
7
- data.tar.gz: 34b4302cae0fad8bcec837e2b81df578aade9e3850a1040a0cadf1510e57078a7f110bdae8c74fd4974bec079b7c9115f1ff573536a32221936ba93e4eaf9280
6
+ metadata.gz: f51de7c47656ea8e36df9bc8e8cbe30c3f956c77a6997f65e50da918268223b70a59a3efb84aa0c9eabd45123bd347275ee5ff6952ede11dd9c86db144549a26
7
+ data.tar.gz: a49c2241be26e5d8f4d4db2db7ead81de00f6a0e506160c89040f61af079a9af266ec734c9f0e2f79d5f450ccfb5c347c0fa1125383a8280274a22fdbeb811e2
data/README.md CHANGED
@@ -15,6 +15,22 @@ HeimdallTools supplies several methods to convert output from various tools to "
15
15
  - **jfrog_xray_mapper** - package vulnerability scanner
16
16
  - **dbprotect_mapper** - database vulnerability scanner
17
17
  - **aws_config_mapper** - assess, audit, and evaluate AWS resources
18
+ - **netsparker_mapper** - web application security scanner
19
+
20
+ ## Want to recommend a mapper for another tool? Please use these steps:
21
+ 1. Create an [issue](https://github.com/mitre/heimdall_tools/issues/new), and email saf@groups.mitre.org citing the issue link so we can help
22
+ 2. Provide a sample output, preferably the most detailed the tool can provide, and also preferably in a machine-readable format, such as xml, json, or csv - whichever is natively available. If it is sensitive we'll work that in #3. (If it's an API only, we'll also just talk about it in #3)
23
+ 3. Let's arrange a time to take a close look at the data it provides to get an idea of all it has to offer. We'll suggest an initial mapping of the HDF core elements. (see https://saf.mitre.org/#/normalize)
24
+ 4. Note: if the tool doesn't provide a NIST SP 800-53 reference, we've worked on mappings to other references such as CWE or OWASP Top 10:
25
+ https://github.com/mitre/heimdall_tools/tree/master/lib/data
26
+ https://github.com/mitre/heimdall_tools/blob/master/lib/data/cwe-nist-mapping.csv
27
+ https://github.com/mitre/heimdall_tools/blob/master/lib/data/owasp-nist-mapping.csv
28
+ 5. If the tool doesn't provide something for #4, or another core element such as impact, we'll help you identify a custom mapping approach.
29
+ 6. We'll help you decide how to preserve any other information (non-core elements) the tool provides to ensure that all of the original tool's intent comes through for the user when the data is viewed in Heimdall.
30
+ 7. Finally, We'll provide final peer review and support merging your pull request.
31
+ We appreciate your contributions, but we're here to help!
32
+
33
+ ## How to Install Heimdall Tools:
18
34
 
19
35
  Ruby 2.4 or higher (check using "ruby -v")
20
36
 
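Review bot: Step 2 of the new contributor list asks for the most detailed sample output a tool can produce, directly after step 1 opens a public GitHub issue, and only says that sensitive data will be "worked" in #3. State explicitly that unsanitized scan output must not be attached to the issue and should be shared only through the channel agreed in step 3. Smaller wording points in the same block: step 7 has a stray capital in "Finally, We'll", and the closing line "We appreciate your contributions, but we're here to help!" reads as if "and" was meant instead of "but".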
@@ -234,6 +250,23 @@ FLAGS:
234
250
  example: heimdall_tools aws_config_mapper -o aws_config_results_hdf.json
235
251
  ```
236
252
 
253
+ ## netsparker_mapper
254
+
255
+ netsparker_mapper translates an Netsparker XML results file into HDF format JSON to be viewable in Heimdall.
256
+
257
+ The current iteration only works with Netsparker Enterprise Vulnerabilities Scan.
258
+
259
+ ```
260
+ USAGE: heimdall_tools netsparker_mapper [OPTIONS] -x <netsparker_results_xml> -o <hdf-scan-results.json>
261
+
262
+ FLAGS:
263
+ -x <netsparker_results_xml> : path to netsparker results XML file.
264
+ -o --output <scan-results> : path to output scan-results json.
265
+ -V --verbose : verbose run [optional].
266
+
267
+ example: heimdall_tools netsparker_mapper -x netsparker_results.xml -o netsparker_hdf.json
268
+ ```
269
+
237
270
  ## version
238
271
 
239
272
  Prints out the gem version
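Review bot: The first sentence of the new netsparker_mapper section says "an Netsparker XML results file"; it should read "a Netsparker XML results file". In the FLAGS list, -x is documented with no long form while -o and -V are shown with --output and --verbose; if the mapper accepts a long option for the input file, list it here so the usage text is complete.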
@@ -1,107 +1,107 @@
1
- AwsConfigRuleName,NIST-ID,Rev
2
- secretsmanager-scheduled-rotation-success-check,AC-2(1)|AC-2(j),4
3
- iam-user-group-membership-check,AC-2(1)|AC-2(j)|AC-3|AC-6,4
4
- iam-password-policy,AC-2(1)|AC-2(f)|AC-2(j)|IA-2|IA-5(1)(a)(d)(e)|IA-5(4),4
5
- access-keys-rotated,AC-2(1)|AC-2(j),4
6
- iam-user-unused-credentials-check,AC-2(1)|AC-2(3)|AC-2(f)|AC-3|AC-6,4
7
- securityhub-enabled,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|SA-10|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4
8
- guardduty-enabled-centralized,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|RA-5|SA-10|SI-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4
9
- cloud-trail-cloud-watch-logs-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-6(1)(3)|AU-7(1)|AU-12(a)(c)|CA-7(a)(b)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4
10
- cloudtrail-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
11
- multi-region-cloudtrail-enabled,AC-2(4)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
12
- rds-logging-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
13
- cloudwatch-alarm-action-check,AC-2(4)|AU-6(1)(3)|AU-7(1)|CA-7(a)(b)|IR-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4
14
- redshift-cluster-configuration-check,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-13|SC-28,4
15
- iam-root-access-key-check,AC-2(f)|AC-2(j)|AC-3|AC-6|AC-6(10),4
16
- s3-bucket-logging-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
17
- cloudtrail-s3-dataevents-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
18
- root-account-mfa-enabled,AC-2(j)|IA-2(1)(11),4
19
- emr-kerberos-enabled,AC-2(j)|AC-3|AC-5(c)|AC-6,4
20
- iam-group-has-users-check,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4
21
- iam-policy-no-statements-with-admin-access,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4
22
- iam-user-no-policies-check,AC-2(j)|AC-3|AC-5(c)|AC-6,4
23
- s3-bucket-public-write-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
24
- lambda-function-public-access-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
25
- rds-snapshots-public-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
26
- redshift-cluster-public-access-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
27
- s3-bucket-policy-grantee-check,AC-3|AC-6|SC-7|SC-7(3),4
28
- s3-bucket-public-read-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
29
- s3-account-level-public-access-blocks,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
30
- dms-replication-not-public,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
31
- ebs-snapshot-public-restorable-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
32
- sagemaker-notebook-no-direct-internet-access,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
33
- rds-instance-public-access-check,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
34
- lambda-inside-vpc,AC-4|SC-7|SC-7(3),4
35
- ec2-instances-in-vpc,AC-4|SC-7|SC-7(3),4
36
- restricted-common-ports,AC-4|CM-2|SC-7|SC-7(3),4
37
- restricted-ssh,AC-4|SC-7|SC-7(3),4
38
- vpc-default-security-group-closed,AC-4|SC-7|SC-7(3),4
39
- vpc-sg-open-only-to-authorized-ports,AC-4|SC-7|SC-7(3),4
40
- acm-certificate-expiration-check,AC-4|AC-17(2)|SC-12,4
41
- ec2-instance-no-public-ip,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
42
- elasticsearch-in-vpc-only,AC-4|SC-7|SC-7(3),4
43
- emr-master-no-public-ip,AC-4|AC-21(b)|SC-7|SC-7(3),4
44
- internet-gateway-authorized-vpc-only,AC-4|AC-17(3)|SC-7|SC-7(3),4
45
- codebuild-project-envvar-awscred-check,AC-6|IA-5(7)|SA-3(a),4
46
- ec2-imdsv2-check,AC-6,4
47
- iam-no-inline-policy-check,AC-6,4
48
- alb-http-to-https-redirection-check,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13|SC-23,4
49
- redshift-require-tls-ssl,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
50
- s3-bucket-ssl-requests-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
51
- elb-acm-certificate-required,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
52
- alb-http-drop-invalid-header-enabled,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4
53
- elb-tls-https-listeners-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4
54
- api-gw-execution-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
55
- elb-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
56
- vpc-flow-logs-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
57
- wafv2-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-7|SI-4(a)(b)(c),4
58
- cloud-trail-encryption-enabled,AU-9|SC-13|SC-28,4
59
- cloudwatch-log-group-encrypted,AU-9|SC-13|SC-28,4
60
- s3-bucket-replication-enabled,AU-9(2)|CP-9(b)|CP-10|SC-5|SC-36,4
61
- cw-loggroup-retention-period-check,AU-11|SI-12,4
62
- ec2-instance-detailed-monitoring-enabled,CA-7(a)(b)|SI-4(2)|SI-4(a)(b)(c),4
63
- rds-enhanced-monitoring-enabled,CA-7(a)(b),4
64
- ec2-instance-managed-by-systems-manager,CM-2|CM-7(a)|CM-8(1)|CM-8(3)(a)|SA-3(a)|SA-10|SI-2(2)|SI-7(1),4
65
- ec2-managedinstance-association-compliance-status-check,CM-2|CM-7(a)|CM-8(3)(a)|SI-2(2),4
66
- ec2-stopped-instance,CM-2,4
67
- ec2-volume-inuse-check,CM-2|SC-4,4
68
- elb-deletion-protection-enabled,CM-2|CP-10,4
69
- cloudtrail-security-trail-enabled,CM-2,4
70
- ec2-managedinstance-patch-compliance-status-check,CM-8(3)(a)|SI-2(2)|SI-7(1),4
71
- db-instance-backup-enabled,CP-9(b)|CP-10|SI-12,4
72
- dynamodb-pitr-enabled,CP-9(b)|CP-10|SI-12,4
73
- elasticache-redis-cluster-automatic-backup-check,CP-9(b)|CP-10|SI-12,4
74
- dynamodb-in-backup-plan,CP-9(b)|CP-10|SI-12,4
75
- ebs-in-backup-plan,CP-9(b)|CP-10|SI-12,4
76
- efs-in-backup-plan,CP-9(b)|CP-10|SI-12,4
77
- rds-in-backup-plan,CP-9(b)|CP-10|SI-12,4
78
- dynamodb-autoscaling-enabled,CP-10|SC-5,4
79
- rds-multi-az-support,CP-10|SC-5|SC-36,4
80
- s3-bucket-versioning-enabled,CP-10|SI-12,4
81
- vpc-vpn-2-tunnels-up,CP-10,4
82
- elb-cross-zone-load-balancing-enabled,CP-10|SC-5,4
83
- root-account-hardware-mfa-enabled,IA-2(1)(11),4
84
- mfa-enabled-for-iam-console-access,IA-2(1)(2)(11),4
85
- iam-user-mfa-enabled,IA-2(1)(2)(11),4
86
- guardduty-non-archived-findings,IR-4(1)|IR-6(1)|IR-7(1)|RA-5|SA-10|SI-4(a)(b)(c),4
87
- codebuild-project-source-repo-url-check,SA-3(a),4
88
- autoscaling-group-elb-healthcheck-required,SC-5,4
89
- rds-instance-deletion-protection-enabled,SC-5,4
90
- alb-waf-enabled,SC-7|SI-4(a)(b)(c),4
91
- elasticsearch-node-to-node-encryption-check,SC-7|SC-8|SC-8(1),4
92
- cmk-backing-key-rotation-enabled,SC-12,4
93
- kms-cmk-not-scheduled-for-deletion,SC-12|SC-28,4
94
- api-gw-cache-enabled-and-encrypted,SC-13|SC-28,4
95
- efs-encrypted-check,SC-13|SC-28,4
96
- elasticsearch-encrypted-at-rest,SC-13|SC-28,4
97
- encrypted-volumes,SC-13|SC-28,4
98
- rds-storage-encrypted,SC-13|SC-28,4
99
- s3-bucket-server-side-encryption-enabled,SC-13|SC-28,4
100
- sagemaker-endpoint-configuration-kms-key-configured,SC-13|SC-28,4
101
- sagemaker-notebook-instance-kms-key-configured,SC-13|SC-28,4
102
- sns-encrypted-kms,SC-13|SC-28,4
103
- dynamodb-table-encrypted-kms,SC-13,4
104
- s3-bucket-default-lock-enabled,SC-28,4
105
- ec2-ebs-encryption-by-default,SC-28,4
106
- rds-snapshot-encrypted,SC-28,4
107
- cloud-trail-log-file-validation-enabled,SI-7|SI-7(1),4
1
+ AwsConfigRuleSourceIdentifier,AwsConfigRuleName,NIST-ID,Rev
2
+ SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK,secretsmanager-scheduled-rotation-success-check,AC-2(1)|AC-2(j),4
3
+ IAM_USER_GROUP_MEMBERSHIP_CHECK,iam-user-group-membership-check,AC-2(1)|AC-2(j)|AC-3|AC-6,4
4
+ IAM_PASSWORD_POLICY,iam-password-policy,AC-2(1)|AC-2(f)|AC-2(j)|IA-2|IA-5(1)(a)(d)(e)|IA-5(4),4
5
+ ACCESS_KEYS_ROTATED,access-keys-rotated,AC-2(1)|AC-2(j),4
6
+ IAM_USER_UNUSED_CREDENTIALS_CHECK,iam-user-unused-credentials-check,AC-2(1)|AC-2(3)|AC-2(f)|AC-3|AC-6,4
7
+ SECURITYHUB_ENABLED,securityhub-enabled,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|SA-10|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4
8
+ GUARDDUTY_ENABLED_CENTRALIZED,guardduty-enabled-centralized,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|RA-5|SA-10|SI-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4
9
+ CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED,cloud-trail-cloud-watch-logs-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-6(1)(3)|AU-7(1)|AU-12(a)(c)|CA-7(a)(b)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4
10
+ CLOUD_TRAIL_ENABLED,cloudtrail-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
11
+ MULTI_REGION_CLOUD_TRAIL_ENABLED,multi-region-cloudtrail-enabled,AC-2(4)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
12
+ RDS_LOGGING_ENABLED,rds-logging-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
13
+ CLOUDWATCH_ALARM_ACTION_CHECK,cloudwatch-alarm-action-check,AC-2(4)|AU-6(1)(3)|AU-7(1)|CA-7(a)(b)|IR-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4
14
+ REDSHIFT_CLUSTER_CONFIGURATION_CHECK,redshift-cluster-configuration-check,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-13|SC-28,4
15
+ IAM_ROOT_ACCESS_KEY_CHECK,iam-root-access-key-check,AC-2(f)|AC-2(j)|AC-3|AC-6|AC-6(10),4
16
+ S3_BUCKET_LOGGING_ENABLED,s3-bucket-logging-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
17
+ CLOUDTRAIL_S3_DATAEVENTS_ENABLED,cloudtrail-s3-dataevents-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
18
+ ROOT_ACCOUNT_MFA_ENABLED,root-account-mfa-enabled,AC-2(j)|IA-2(1)(11),4
19
+ EMR_KERBEROS_ENABLED,emr-kerberos-enabled,AC-2(j)|AC-3|AC-5(c)|AC-6,4
20
+ IAM_GROUP_HAS_USERS_CHECK,iam-group-has-users-check,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4
21
+ IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS,iam-policy-no-statements-with-admin-access,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4
22
+ IAM_USER_NO_POLICIES_CHECK,iam-user-no-policies-check,AC-2(j)|AC-3|AC-5(c)|AC-6,4
23
+ S3_BUCKET_PUBLIC_WRITE_PROHIBITED,s3-bucket-public-write-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
24
+ LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED,lambda-function-public-access-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
25
+ RDS_SNAPSHOTS_PUBLIC_PROHIBITED,rds-snapshots-public-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
26
+ REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK,redshift-cluster-public-access-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
27
+ S3_BUCKET_POLICY_GRANTEE_CHECK,s3-bucket-policy-grantee-check,AC-3|AC-6|SC-7|SC-7(3),4
28
+ S3_BUCKET_PUBLIC_READ_PROHIBITED,s3-bucket-public-read-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
29
+ S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS,s3-account-level-public-access-blocks,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
30
+ DMS_REPLICATION_NOT_PUBLIC,dms-replication-not-public,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
31
+ EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK,ebs-snapshot-public-restorable-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
32
+ SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS,sagemaker-notebook-no-direct-internet-access,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
33
+ RDS_INSTANCE_PUBLIC_ACCESS_CHECK,rds-instance-public-access-check,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
34
+ LAMBDA_INSIDE_VPC,lambda-inside-vpc,AC-4|SC-7|SC-7(3),4
35
+ INSTANCES_IN_VPC,ec2-instances-in-vpc,AC-4|SC-7|SC-7(3),4
36
+ RESTRICTED_INCOMING_TRAFFIC,restricted-common-ports,AC-4|CM-2|SC-7|SC-7(3),4
37
+ INCOMING_SSH_DISABLED,restricted-ssh,AC-4|SC-7|SC-7(3),4
38
+ VPC_DEFAULT_SECURITY_GROUP_CLOSED,vpc-default-security-group-closed,AC-4|SC-7|SC-7(3),4
39
+ VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS,vpc-sg-open-only-to-authorized-ports,AC-4|SC-7|SC-7(3),4
40
+ ACM_CERTIFICATE_EXPIRATION_CHECK,acm-certificate-expiration-check,AC-4|AC-17(2)|SC-12,4
41
+ EC2_INSTANCE_NO_PUBLIC_IP,ec2-instance-no-public-ip,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
42
+ ELASTICSEARCH_IN_VPC_ONLY,elasticsearch-in-vpc-only,AC-4|SC-7|SC-7(3),4
43
+ EMR_MASTER_NO_PUBLIC_IP,emr-master-no-public-ip,AC-4|AC-21(b)|SC-7|SC-7(3),4
44
+ INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY,internet-gateway-authorized-vpc-only,AC-4|AC-17(3)|SC-7|SC-7(3),4
45
+ CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK,codebuild-project-envvar-awscred-check,AC-6|IA-5(7)|SA-3(a),4
46
+ EC2_IMDSV2_CHECK,ec2-imdsv2-check,AC-6,4
47
+ IAM_NO_INLINE_POLICY_CHECK,iam-no-inline-policy-check,AC-6,4
48
+ ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK,alb-http-to-https-redirection-check,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13|SC-23,4
49
+ REDSHIFT_REQUIRE_TLS_SSL,redshift-require-tls-ssl,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
50
+ S3_BUCKET_SSL_REQUESTS_ONLY,s3-bucket-ssl-requests-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
51
+ ELB_ACM_CERTIFICATE_REQUIRED,elb-acm-certificate-required,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
52
+ ALB_HTTP_DROP_INVALID_HEADER_ENABLED,alb-http-drop-invalid-header-enabled,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4
53
+ ELB_TLS_HTTPS_LISTENERS_ONLY,elb-tls-https-listeners-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4
54
+ API_GW_EXECUTION_LOGGING_ENABLED,api-gw-execution-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
55
+ ELB_LOGGING_ENABLED,elb-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
56
+ VPC_FLOW_LOGS_ENABLED,vpc-flow-logs-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
57
+ WAFV2_LOGGING_ENABLED,wafv2-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-7|SI-4(a)(b)(c),4
58
+ CLOUD_TRAIL_ENCRYPTION_ENABLED,cloud-trail-encryption-enabled,AU-9|SC-13|SC-28,4
59
+ CLOUDWATCH_LOG_GROUP_ENCRYPTED,cloudwatch-log-group-encrypted,AU-9|SC-13|SC-28,4
60
+ S3_BUCKET_REPLICATION_ENABLED,s3-bucket-replication-enabled,AU-9(2)|CP-9(b)|CP-10|SC-5|SC-36,4
61
+ CW_LOGGROUP_RETENTION_PERIOD_CHECK,cw-loggroup-retention-period-check,AU-11|SI-12,4
62
+ EC2_INSTANCE_DETAILED_MONITORING_ENABLED,ec2-instance-detailed-monitoring-enabled,CA-7(a)(b)|SI-4(2)|SI-4(a)(b)(c),4
63
+ RDS_ENHANCED_MONITORING_ENABLED,rds-enhanced-monitoring-enabled,CA-7(a)(b),4
64
+ EC2_INSTANCE_MANAGED_BY_SSM,ec2-instance-managed-by-systems-manager,CM-2|CM-7(a)|CM-8(1)|CM-8(3)(a)|SA-3(a)|SA-10|SI-2(2)|SI-7(1),4
65
+ EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK,ec2-managedinstance-association-compliance-status-check,CM-2|CM-7(a)|CM-8(3)(a)|SI-2(2),4
66
+ EC2_STOPPED_INSTANCE,ec2-stopped-instance,CM-2,4
67
+ EC2_VOLUME_INUSE_CHECK,ec2-volume-inuse-check,CM-2|SC-4,4
68
+ ELB_DELETION_PROTECTION_ENABLED,elb-deletion-protection-enabled,CM-2|CP-10,4
69
+ CLOUDTRAIL_SECURITY_TRAIL_ENABLED,cloudtrail-security-trail-enabled,CM-2,4
70
+ EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK,ec2-managedinstance-patch-compliance-status-check,CM-8(3)(a)|SI-2(2)|SI-7(1),4
71
+ DB_INSTANCE_BACKUP_ENABLED,db-instance-backup-enabled,CP-9(b)|CP-10|SI-12,4
72
+ DYNAMODB_PITR_ENABLED,dynamodb-pitr-enabled,CP-9(b)|CP-10|SI-12,4
73
+ ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK,elasticache-redis-cluster-automatic-backup-check,CP-9(b)|CP-10|SI-12,4
74
+ DYNAMODB_IN_BACKUP_PLAN,dynamodb-in-backup-plan,CP-9(b)|CP-10|SI-12,4
75
+ EBS_IN_BACKUP_PLAN,ebs-in-backup-plan,CP-9(b)|CP-10|SI-12,4
76
+ EFS_IN_BACKUP_PLAN,efs-in-backup-plan,CP-9(b)|CP-10|SI-12,4
77
+ RDS_IN_BACKUP_PLAN,rds-in-backup-plan,CP-9(b)|CP-10|SI-12,4
78
+ DYNAMODB_AUTOSCALING_ENABLED,dynamodb-autoscaling-enabled,CP-10|SC-5,4
79
+ RDS_MULTI_AZ_SUPPORT,rds-multi-az-support,CP-10|SC-5|SC-36,4
80
+ S3_BUCKET_VERSIONING_ENABLED,s3-bucket-versioning-enabled,CP-10|SI-12,4
81
+ VPC_VPN_2_TUNNELS_UP,vpc-vpn-2-tunnels-up,CP-10,4
82
+ ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED,elb-cross-zone-load-balancing-enabled,CP-10|SC-5,4
83
+ ROOT_ACCOUNT_HARDWARE_MFA_ENABLED,root-account-hardware-mfa-enabled,IA-2(1)(11),4
84
+ MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS,mfa-enabled-for-iam-console-access,IA-2(1)(2)(11),4
85
+ IAM_USER_MFA_ENABLED,iam-user-mfa-enabled,IA-2(1)(2)(11),4
86
+ GUARDDUTY_NON_ARCHIVED_FINDINGS,guardduty-non-archived-findings,IR-4(1)|IR-6(1)|IR-7(1)|RA-5|SA-10|SI-4(a)(b)(c),4
87
+ CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK,codebuild-project-source-repo-url-check,SA-3(a),4
88
+ AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED,autoscaling-group-elb-healthcheck-required,SC-5,4
89
+ RDS_INSTANCE_DELETION_PROTECTION_ENABLED,rds-instance-deletion-protection-enabled,SC-5,4
90
+ ALB_WAF_ENABLED,alb-waf-enabled,SC-7|SI-4(a)(b)(c),4
91
+ ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK,elasticsearch-node-to-node-encryption-check,SC-7|SC-8|SC-8(1),4
92
+ CMK_BACKING_KEY_ROTATION_ENABLED,cmk-backing-key-rotation-enabled,SC-12,4
93
+ KMS_CMK_NOT_SCHEDULED_FOR_DELETION,kms-cmk-not-scheduled-for-deletion,SC-12|SC-28,4
94
+ API_GW_CACHE_ENABLED_AND_ENCRYPTED,api-gw-cache-enabled-and-encrypted,SC-13|SC-28,4
95
+ EFS_ENCRYPTED_CHECK,efs-encrypted-check,SC-13|SC-28,4
96
+ ELASTICSEARCH_ENCRYPTED_AT_REST,elasticsearch-encrypted-at-rest,SC-13|SC-28,4
97
+ ENCRYPTED_VOLUMES,encrypted-volumes,SC-13|SC-28,4
98
+ RDS_STORAGE_ENCRYPTED,rds-storage-encrypted,SC-13|SC-28,4
99
+ S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED,s3-bucket-server-side-encryption-enabled,SC-13|SC-28,4
100
+ SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED,sagemaker-endpoint-configuration-kms-key-configured,SC-13|SC-28,4
101
+ SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED,sagemaker-notebook-instance-kms-key-configured,SC-13|SC-28,4
102
+ SNS_ENCRYPTED_KMS,sns-encrypted-kms,SC-13|SC-28,4
103
+ DYNAMODB_TABLE_ENCRYPTED_KMS,dynamodb-table-encrypted-kms,SC-13,4
104
+ S3_BUCKET_DEFAULT_LOCK_ENABLED,s3-bucket-default-lock-enabled,SC-28,4
105
+ EC2_EBS_ENCRYPTION_BY_DEFAULT,ec2-ebs-encryption-by-default,SC-28,4
106
+ RDS_SNAPSHOT_ENCRYPTED,rds-snapshot-encrypted,SC-28,4
107
+ CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED,cloud-trail-log-file-validation-enabled,SI-7|SI-7(1),4
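Review bot: Several values in the new AwsConfigRuleSourceIdentifier column are not the upper-snake form of the rule name next to them, for example CLOUD_TRAIL_ENABLED for cloudtrail-enabled, INSTANCES_IN_VPC for ec2-instances-in-vpc, RESTRICTED_INCOMING_TRAFFIC for restricted-common-ports, INCOMING_SSH_DISABLED for restricted-ssh and EC2_INSTANCE_MANAGED_BY_SSM for ec2-instance-managed-by-systems-manager. Because the mapper now looks rules up by this column and falls back to the 'unmapped' tag when nothing matches, a wrong identifier fails silently. A test that checks every identifier in this file against the source identifiers AWS Config actually reports would catch a typo that this diff cannot show.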
@@ -15,4 +15,5 @@ module HeimdallTools
15
15
  autoload :JfrogXrayMapper, 'heimdall_tools/jfrog_xray_mapper'
16
16
  autoload :DBProtectMapper, 'heimdall_tools/dbprotect_mapper'
17
17
  autoload :AwsConfigMapper, 'heimdall_tools/aws_config_mapper'
18
+ autoload :NetsparkerMapper, 'heimdall_tools/netsparker_mapper'
18
19
  end
@@ -13,17 +13,20 @@ INSUFFICIENT_DATA_MSG = 'Not enough data has been collectd to determine complian
13
13
  ##
14
14
  # HDF mapper for use with AWS Config rules.
15
15
  #
16
- # Ruby AWS Ruby SDK for ConfigService:
16
+ # Ruby AWS Ruby SDK for ConfigService:
17
17
  # - https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/ConfigService/Client.html
18
18
  #
19
- # rubocop:disable Metrics/AbcSize, Metrics/ClassLength
20
19
  module HeimdallTools
21
20
  class AwsConfigMapper
22
- def initialize(custom_mapping, verbose = false)
21
+ def initialize(custom_mapping, endpoint = nil, verbose = false)
23
22
  @verbose = verbose
24
23
  @default_mapping = get_rule_mapping(AWS_CONFIG_MAPPING_FILE)
25
24
  @custom_mapping = custom_mapping.nil? ? {} : get_rule_mapping(custom_mapping)
26
- @client = Aws::ConfigService::Client.new
25
+ if endpoint.nil?
26
+ @client = Aws::ConfigService::Client.new
27
+ else
28
+ @client = Aws::ConfigService::Client.new(endpoint: endpoint)
29
+ end
27
30
  @issues = get_all_config_rules
28
31
  end
29
32
 
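Review bot: The new signature initialize(custom_mapping, endpoint = nil, verbose = false) inserts endpoint in front of the existing positional verbose argument, so any caller still using the old two-argument form would hand its verbose value to endpoint and reach Aws::ConfigService::Client.new(endpoint: true). Making these keyword arguments (endpoint: nil, verbose: false), or appending endpoint after verbose, avoids the silent shift. The Params comment block for this class should also describe endpoint and what form of URL it expects.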
@@ -35,8 +38,8 @@ module HeimdallTools
35
38
  def to_hdf
36
39
  controls = @issues.map do |issue|
37
40
  @item = {}
38
- @item['id'] = issue[:config_rule_name]
39
- @item['title'] = issue[:config_rule_name]
41
+ @item['id'] = issue[:config_rule_id]
42
+ @item['title'] = "#{get_account_id(issue[:config_rule_arn])} - #{issue[:config_rule_name]}"
40
43
  @item['desc'] = issue[:description]
41
44
  @item['impact'] = 0.5
42
45
  @item['tags'] = hdf_tags(issue)
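Review bot: @item['id'] changes from issue[:config_rule_name] to issue[:config_rule_id], which alters every control id in the generated HDF, so output produced before and after this change will not line up by id when compared in Heimdall. That is worth a changelog or README note. The new title also calls get_account_id, which returns the literal 'no-account-id' when the ARN does not match, so titles can read "no-account-id - <rule name>"; consider leaving the prefix out in that case.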
@@ -52,27 +55,42 @@ module HeimdallTools
52
55
  @item
53
56
  end
54
57
  end
58
+
55
59
  results = HeimdallDataFormat.new(
56
60
  profile_name: 'AWS Config',
57
61
  title: 'AWS Config',
58
62
  summary: 'AWS Config',
59
63
  controls: controls,
60
- statistics: { aws_config_sdk_version: Aws::ConfigService::GEM_VERSION }
61
- )
64
+ statistics: { aws_config_sdk_version: Aws::ConfigService::GEM_VERSION },
65
+ )
62
66
  results.to_hdf
63
67
  end
64
68
 
65
69
  private
66
70
 
71
+ ##
72
+ # Gets the account ID from a config rule ARN
73
+ #
74
+ # https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
75
+ # https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html
76
+ #
77
+ # Params:
78
+ # - arn: The ARN of the config rule
79
+ #
80
+ # Returns: The account ID portion of the ARN
81
+ def get_account_id(arn)
82
+ /:(\d{12}):config-rule/.match(arn)&.captures&.first || 'no-account-id'
83
+ end
84
+
67
85
  ##
68
86
  # Read in a config rule -> 800-53 control mapping CSV.
69
87
  #
70
- # Params:
88
+ # Params:
71
89
  # - path: The file path to the CSV file
72
90
  #
73
91
  # Returns: A mapped version of the csv in the format { rule_name: row, ... }
74
92
  def get_rule_mapping(path)
75
- Hash[CSV.read(path, headers: true).map { |row| [row[0], row] }]
93
+ CSV.read(path, headers: true).map { |row| [row['AwsConfigRuleSourceIdentifier'], row] }.to_h
76
94
  end
77
95
 
78
96
  ##
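Review bot: get_rule_mapping now keys rows on row['AwsConfigRuleSourceIdentifier'] instead of row[0], and the same method reads the user-supplied custom mapping. A custom CSV still in the old AwsConfigRuleName,NIST-ID,Rev layout has no such header, so every row is stored under the key nil and the custom mapping stops applying without any error. Raise a clear error when the expected header is absent, and document the new column for custom mapping files. The "Returns" comment above the method still says { rule_name: row, ... } and should be updated to the source identifier.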
@@ -142,7 +160,7 @@ module HeimdallTools
142
160
  end
143
161
 
144
162
  # Map based on name for easy lookup
145
- Hash[compliance_results.collect { |r| [r.config_rule_name, r.to_h] }]
163
+ compliance_results.collect { |r| [r.config_rule_name, r.to_h] }.to_h
146
164
  end
147
165
 
148
166
  ##
@@ -192,7 +210,7 @@ module HeimdallTools
192
210
  (result[:result_recorded_time] - result[:config_rule_invoked_time]).round(6)
193
211
  end
194
212
  # status
195
- hdf_result['status'] = case result.dig(:compliance_type)
213
+ hdf_result['status'] = case result[:compliance_type]
196
214
  when 'COMPLIANT'
197
215
  'passed'
198
216
  when 'NON_COMPLIANT'
@@ -209,19 +227,19 @@ module HeimdallTools
209
227
  when 'NOT_APPLICABLE'
210
228
  rule[:impact] = 0
211
229
  rule[:results] << {
212
- 'run_time': 0,
213
- 'code_desc': NOT_APPLICABLE_MSG,
214
- 'skip_message': NOT_APPLICABLE_MSG,
215
- 'start_time': DateTime.now.strftime('%Y-%m-%dT%H:%M:%S%:z'),
216
- 'status': 'skipped'
230
+ run_time: 0,
231
+ code_desc: NOT_APPLICABLE_MSG,
232
+ skip_message: NOT_APPLICABLE_MSG,
233
+ start_time: DateTime.now.strftime('%Y-%m-%dT%H:%M:%S%:z'),
234
+ status: 'skipped'
217
235
  }
218
236
  when 'INSUFFICIENT_DATA'
219
237
  rule[:results] << {
220
- 'run_time': 0,
221
- 'code_desc': INSUFFICIENT_DATA_MSG,
222
- 'skip_message': INSUFFICIENT_DATA_MSG,
223
- 'start_time': DateTime.now.strftime('%Y-%m-%dT%H:%M:%S%:z'),
224
- 'status': 'skipped'
238
+ run_time: 0,
239
+ code_desc: INSUFFICIENT_DATA_MSG,
240
+ skip_message: INSUFFICIENT_DATA_MSG,
241
+ start_time: DateTime.now.strftime('%Y-%m-%dT%H:%M:%S%:z'),
242
+ status: 'skipped'
225
243
  }
226
244
  end
227
245
  end
@@ -239,18 +257,17 @@ module HeimdallTools
239
257
  def hdf_tags(config_rule)
240
258
  result = {}
241
259
 
242
- @default_mapping
243
- @custom_mapping
260
+ source_identifier = config_rule.dig(:source, :source_identifier)
244
261
 
245
262
  # NIST tag
246
263
  result['nist'] = []
247
- default_mapping_match = @default_mapping[config_rule[:config_rule_name]]
248
-
249
- result['nist'] += default_mapping_match[1].split('|') unless default_mapping_match.nil?
264
+ default_mapping_match = @default_mapping[source_identifier]
265
+
266
+ result['nist'] += default_mapping_match['NIST-ID'].split('|') unless default_mapping_match.nil?
267
+
268
+ custom_mapping_match = @custom_mapping[source_identifier]
250
269
 
251
- custom_mapping_match = @custom_mapping[config_rule[:config_rule_name]]
252
-
253
- result['nist'] += custom_mapping_match[1].split('|').map { |name| "#{name} (user provided)" } unless custom_mapping_match.nil?
270
+ result['nist'] += custom_mapping_match['NIST-ID'].split('|').map { |name| "#{name} (user provided)" } unless custom_mapping_match.nil?
254
271
 
255
272
  result['nist'] = ['unmapped'] if result['nist'].empty?
256
273
 
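Review bot: In hdf_tags, default_mapping_match['NIST-ID'].split('|') and the custom_mapping_match line are guarded only by "unless ... nil?" on the row itself, so a row whose NIST-ID cell is empty, or a custom file without a NIST-ID header, returns nil from the lookup and raises NoMethodError on split. The old positional [1] access tolerated differently named headers; the header-based access does not. Guard the cell as well, for example with (match['NIST-ID'] || '').split('|'). Also note that source_identifier comes from config_rule.dig(:source, :source_identifier) and can be nil, in which case both lookups are made with a nil key.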
@@ -258,8 +275,11 @@ module HeimdallTools
258
275
  end
259
276
 
260
277
  def check_text(config_rule)
261
- params = (JSON.parse(config_rule[:input_parameters]).map { |key, value| "#{key}: #{value}" }).join('<br/>')
262
- check_text = config_rule[:config_rule_arn]
278
+ # If no input parameters, then provide an empty JSON array to the JSON
279
+ # parser because passing nil to JSON.parse throws an exception.
280
+ params = (JSON.parse(config_rule[:input_parameters] || '[]').map { |key, value| "#{key}: #{value}" }).join('<br/>')
281
+ check_text = "ARN: #{config_rule[:config_rule_arn] || 'N/A'}"
282
+ check_text += "<br/>Source Identifier: #{config_rule.dig(:source, :source_identifier) || 'N/A'}"
263
283
  check_text += "<br/>#{params}" unless params.empty?
264
284
  check_text
265
285
  end
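Review bot: In check_text, the fallback JSON.parse(config_rule[:input_parameters] || '[]') covers nil only; an empty string for input_parameters is still passed to JSON.parse and raises JSON::ParserError. The comment says "empty JSON array", but the following map destructures |key, value|, so '{}' is the consistent default. Suggest treating nil and empty alike and defaulting to '{}'. Separately, the ARN, source identifier and parameter values are concatenated with '<br/>' into a string that Heimdall renders, with no escaping of the values; escaping them here would keep markup in a rule parameter from being interpreted by the viewer.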
@@ -274,11 +294,10 @@ module HeimdallTools
274
294
  def hdf_descriptions(config_rule)
275
295
  [
276
296
  {
277
- 'label': 'check',
278
- 'data': check_text(config_rule)
279
- }
297
+ label: 'check',
298
+ data: check_text(config_rule)
299
+ },
280
300
  ]
281
301
  end
282
302
  end
283
303
  end
284
- # rubocop:enable Metrics/AbcSize, Metrics/ClassLength