heimdall_tools 1.3.39 → 1.3.44

Sign up to get free protection for your applications and to get access to all the features.
Files changed (21) hide show
  1. checksums.yaml +4 -4
  2. data/README.md +33 -0
  3. data/lib/data/aws-config-mapping.csv +107 -107
  4. data/lib/heimdall_tools.rb +1 -0
  5. data/lib/heimdall_tools/aws_config_mapper.rb +55 -36
  6. data/lib/heimdall_tools/burpsuite_mapper.rb +7 -11
  7. data/lib/heimdall_tools/cli.rb +19 -8
  8. data/lib/heimdall_tools/command.rb +0 -2
  9. data/lib/heimdall_tools/dbprotect_mapper.rb +9 -18
  10. data/lib/heimdall_tools/fortify_mapper.rb +1 -2
  11. data/lib/heimdall_tools/hdf.rb +4 -5
  12. data/lib/heimdall_tools/help/netsparker_mapper.md +7 -0
  13. data/lib/heimdall_tools/jfrog_xray_mapper.rb +33 -26
  14. data/lib/heimdall_tools/nessus_mapper.rb +39 -46
  15. data/lib/heimdall_tools/netsparker_mapper.rb +164 -0
  16. data/lib/heimdall_tools/nikto_mapper.rb +27 -27
  17. data/lib/heimdall_tools/snyk_mapper.rb +20 -22
  18. data/lib/heimdall_tools/sonarqube_mapper.rb +23 -21
  19. data/lib/heimdall_tools/zap_mapper.rb +3 -4
  20. data/lib/utilities/xml_to_hash.rb +6 -6
  21. metadata +41 -25
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f629e9d519b119329b6bfd8a8eeb7826420262f654cbe127e6efe05b88fc9ac3
4
- data.tar.gz: 1d66b4d6505221cbd2fbb06dc4d856c179d8db11566148386b2f67bd0110e851
3
+ metadata.gz: 75e8a6020d8b250e1c11bc8c90de7b73196d430925eb8adcfe8dfa5e2b27771e
4
+ data.tar.gz: dc2596fca0d74044f64c61cba90eae4490c58268545cd68a9f7a02e794c2b8a4
5
5
  SHA512:
6
- metadata.gz: 6f7898ac0e5b94f3efaeda24117c4f8ff6dc06bf1140786d6c99eccffbdc1fa9792c93eda05847c7e6a9a1d2e5d70596a486ba4fe53bc931eace7bb6dff45146
7
- data.tar.gz: 34b4302cae0fad8bcec837e2b81df578aade9e3850a1040a0cadf1510e57078a7f110bdae8c74fd4974bec079b7c9115f1ff573536a32221936ba93e4eaf9280
6
+ metadata.gz: f51de7c47656ea8e36df9bc8e8cbe30c3f956c77a6997f65e50da918268223b70a59a3efb84aa0c9eabd45123bd347275ee5ff6952ede11dd9c86db144549a26
7
+ data.tar.gz: a49c2241be26e5d8f4d4db2db7ead81de00f6a0e506160c89040f61af079a9af266ec734c9f0e2f79d5f450ccfb5c347c0fa1125383a8280274a22fdbeb811e2
data/README.md CHANGED
@@ -15,6 +15,22 @@ HeimdallTools supplies several methods to convert output from various tools to "
15
15
  - **jfrog_xray_mapper** - package vulnerability scanner
16
16
  - **dbprotect_mapper** - database vulnerability scanner
17
17
  - **aws_config_mapper** - assess, audit, and evaluate AWS resources
18
+ - **netsparker_mapper** - web application security scanner
19
+
20
+ ## Want to recommend a mapper for another tool? Please use these steps:
21
+ 1. Create an [issue](https://github.com/mitre/heimdall_tools/issues/new), and email saf@groups.mitre.org citing the issue link so we can help
22
+ 2. Provide a sample output, preferably the most detailed the tool can provide, and also preferably in a machine-readable format, such as xml, json, or csv - whichever is natively available. If it is sensitive we'll work that in #3. (If it's an API only, we'll also just talk about it in #3)
23
+ 3. Let's arrange a time to take a close look at the data it provides to get an idea of all it has to offer. We'll suggest an initial mapping of the HDF core elements. (see https://saf.mitre.org/#/normalize)
24
+ 4. Note: if the tool doesn't provide a NIST SP 800-53 reference, we've worked on mappings to other references such as CWE or OWASP Top 10:
25
+ https://github.com/mitre/heimdall_tools/tree/master/lib/data
26
+ https://github.com/mitre/heimdall_tools/blob/master/lib/data/cwe-nist-mapping.csv
27
+ https://github.com/mitre/heimdall_tools/blob/master/lib/data/owasp-nist-mapping.csv
28
+ 5. If the tool doesn't provide something for #4, or another core element such as impact, we'll help you identify a custom mapping approach.
29
+ 6. We'll help you decide how to preserve any other information (non-core elements) the tool provides to ensure that all of the original tool's intent comes through for the user when the data is viewed in Heimdall.
30
+ 7. Finally, We'll provide final peer review and support merging your pull request.
31
+ We appreciate your contributions, but we're here to help!
32
+
33
+ ## How to Install Heimdall Tools:
18
34
 
19
35
  Ruby 2.4 or higher (check using "ruby -v")
20
36
 
@@ -234,6 +250,23 @@ FLAGS:
234
250
  example: heimdall_tools aws_config_mapper -o aws_config_results_hdf.json
235
251
  ```
236
252
 
253
+ ## netsparker_mapper
254
+
255
+ netsparker_mapper translates an Netsparker XML results file into HDF format JSON to be viewable in Heimdall.
256
+
257
+ The current iteration only works with Netsparker Enterprise Vulnerabilities Scan.
258
+
259
+ ```
260
+ USAGE: heimdall_tools netsparker_mapper [OPTIONS] -x <netsparker_results_xml> -o <hdf-scan-results.json>
261
+
262
+ FLAGS:
263
+ -x <netsparker_results_xml> : path to netsparker results XML file.
264
+ -o --output <scan-results> : path to output scan-results json.
265
+ -V --verbose : verbose run [optional].
266
+
267
+ example: heimdall_tools netsparker_mapper -x netsparker_results.xml -o netsparker_hdf.json
268
+ ```
269
+
237
270
  ## version
238
271
 
239
272
  Prints out the gem version
data/lib/data/aws-config-mapping.csv CHANGED
@@ -1,107 +1,107 @@
1
- AwsConfigRuleName,NIST-ID,Rev
2
- secretsmanager-scheduled-rotation-success-check,AC-2(1)|AC-2(j),4
3
- iam-user-group-membership-check,AC-2(1)|AC-2(j)|AC-3|AC-6,4
4
- iam-password-policy,AC-2(1)|AC-2(f)|AC-2(j)|IA-2|IA-5(1)(a)(d)(e)|IA-5(4),4
5
- access-keys-rotated,AC-2(1)|AC-2(j),4
6
- iam-user-unused-credentials-check,AC-2(1)|AC-2(3)|AC-2(f)|AC-3|AC-6,4
7
- securityhub-enabled,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|SA-10|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4
8
- guardduty-enabled-centralized,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|RA-5|SA-10|SI-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4
9
- cloud-trail-cloud-watch-logs-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-6(1)(3)|AU-7(1)|AU-12(a)(c)|CA-7(a)(b)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4
10
- cloudtrail-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
11
- multi-region-cloudtrail-enabled,AC-2(4)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
12
- rds-logging-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
13
- cloudwatch-alarm-action-check,AC-2(4)|AU-6(1)(3)|AU-7(1)|CA-7(a)(b)|IR-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4
14
- redshift-cluster-configuration-check,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-13|SC-28,4
15
- iam-root-access-key-check,AC-2(f)|AC-2(j)|AC-3|AC-6|AC-6(10),4
16
- s3-bucket-logging-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
17
- cloudtrail-s3-dataevents-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
18
- root-account-mfa-enabled,AC-2(j)|IA-2(1)(11),4
19
- emr-kerberos-enabled,AC-2(j)|AC-3|AC-5(c)|AC-6,4
20
- iam-group-has-users-check,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4
21
- iam-policy-no-statements-with-admin-access,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4
22
- iam-user-no-policies-check,AC-2(j)|AC-3|AC-5(c)|AC-6,4
23
- s3-bucket-public-write-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
24
- lambda-function-public-access-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
25
- rds-snapshots-public-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
26
- redshift-cluster-public-access-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
27
- s3-bucket-policy-grantee-check,AC-3|AC-6|SC-7|SC-7(3),4
28
- s3-bucket-public-read-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
29
- s3-account-level-public-access-blocks,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
30
- dms-replication-not-public,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
31
- ebs-snapshot-public-restorable-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
32
- sagemaker-notebook-no-direct-internet-access,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
33
- rds-instance-public-access-check,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
34
- lambda-inside-vpc,AC-4|SC-7|SC-7(3),4
35
- ec2-instances-in-vpc,AC-4|SC-7|SC-7(3),4
36
- restricted-common-ports,AC-4|CM-2|SC-7|SC-7(3),4
37
- restricted-ssh,AC-4|SC-7|SC-7(3),4
38
- vpc-default-security-group-closed,AC-4|SC-7|SC-7(3),4
39
- vpc-sg-open-only-to-authorized-ports,AC-4|SC-7|SC-7(3),4
40
- acm-certificate-expiration-check,AC-4|AC-17(2)|SC-12,4
41
- ec2-instance-no-public-ip,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
42
- elasticsearch-in-vpc-only,AC-4|SC-7|SC-7(3),4
43
- emr-master-no-public-ip,AC-4|AC-21(b)|SC-7|SC-7(3),4
44
- internet-gateway-authorized-vpc-only,AC-4|AC-17(3)|SC-7|SC-7(3),4
45
- codebuild-project-envvar-awscred-check,AC-6|IA-5(7)|SA-3(a),4
46
- ec2-imdsv2-check,AC-6,4
47
- iam-no-inline-policy-check,AC-6,4
48
- alb-http-to-https-redirection-check,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13|SC-23,4
49
- redshift-require-tls-ssl,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
50
- s3-bucket-ssl-requests-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
51
- elb-acm-certificate-required,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
52
- alb-http-drop-invalid-header-enabled,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4
53
- elb-tls-https-listeners-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4
54
- api-gw-execution-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
55
- elb-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
56
- vpc-flow-logs-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
57
- wafv2-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-7|SI-4(a)(b)(c),4
58
- cloud-trail-encryption-enabled,AU-9|SC-13|SC-28,4
59
- cloudwatch-log-group-encrypted,AU-9|SC-13|SC-28,4
60
- s3-bucket-replication-enabled,AU-9(2)|CP-9(b)|CP-10|SC-5|SC-36,4
61
- cw-loggroup-retention-period-check,AU-11|SI-12,4
62
- ec2-instance-detailed-monitoring-enabled,CA-7(a)(b)|SI-4(2)|SI-4(a)(b)(c),4
63
- rds-enhanced-monitoring-enabled,CA-7(a)(b),4
64
- ec2-instance-managed-by-systems-manager,CM-2|CM-7(a)|CM-8(1)|CM-8(3)(a)|SA-3(a)|SA-10|SI-2(2)|SI-7(1),4
65
- ec2-managedinstance-association-compliance-status-check,CM-2|CM-7(a)|CM-8(3)(a)|SI-2(2),4
66
- ec2-stopped-instance,CM-2,4
67
- ec2-volume-inuse-check,CM-2|SC-4,4
68
- elb-deletion-protection-enabled,CM-2|CP-10,4
69
- cloudtrail-security-trail-enabled,CM-2,4
70
- ec2-managedinstance-patch-compliance-status-check,CM-8(3)(a)|SI-2(2)|SI-7(1),4
71
- db-instance-backup-enabled,CP-9(b)|CP-10|SI-12,4
72
- dynamodb-pitr-enabled,CP-9(b)|CP-10|SI-12,4
73
- elasticache-redis-cluster-automatic-backup-check,CP-9(b)|CP-10|SI-12,4
74
- dynamodb-in-backup-plan,CP-9(b)|CP-10|SI-12,4
75
- ebs-in-backup-plan,CP-9(b)|CP-10|SI-12,4
76
- efs-in-backup-plan,CP-9(b)|CP-10|SI-12,4
77
- rds-in-backup-plan,CP-9(b)|CP-10|SI-12,4
78
- dynamodb-autoscaling-enabled,CP-10|SC-5,4
79
- rds-multi-az-support,CP-10|SC-5|SC-36,4
80
- s3-bucket-versioning-enabled,CP-10|SI-12,4
81
- vpc-vpn-2-tunnels-up,CP-10,4
82
- elb-cross-zone-load-balancing-enabled,CP-10|SC-5,4
83
- root-account-hardware-mfa-enabled,IA-2(1)(11),4
84
- mfa-enabled-for-iam-console-access,IA-2(1)(2)(11),4
85
- iam-user-mfa-enabled,IA-2(1)(2)(11),4
86
- guardduty-non-archived-findings,IR-4(1)|IR-6(1)|IR-7(1)|RA-5|SA-10|SI-4(a)(b)(c),4
87
- codebuild-project-source-repo-url-check,SA-3(a),4
88
- autoscaling-group-elb-healthcheck-required,SC-5,4
89
- rds-instance-deletion-protection-enabled,SC-5,4
90
- alb-waf-enabled,SC-7|SI-4(a)(b)(c),4
91
- elasticsearch-node-to-node-encryption-check,SC-7|SC-8|SC-8(1),4
92
- cmk-backing-key-rotation-enabled,SC-12,4
93
- kms-cmk-not-scheduled-for-deletion,SC-12|SC-28,4
94
- api-gw-cache-enabled-and-encrypted,SC-13|SC-28,4
95
- efs-encrypted-check,SC-13|SC-28,4
96
- elasticsearch-encrypted-at-rest,SC-13|SC-28,4
97
- encrypted-volumes,SC-13|SC-28,4
98
- rds-storage-encrypted,SC-13|SC-28,4
99
- s3-bucket-server-side-encryption-enabled,SC-13|SC-28,4
100
- sagemaker-endpoint-configuration-kms-key-configured,SC-13|SC-28,4
101
- sagemaker-notebook-instance-kms-key-configured,SC-13|SC-28,4
102
- sns-encrypted-kms,SC-13|SC-28,4
103
- dynamodb-table-encrypted-kms,SC-13,4
104
- s3-bucket-default-lock-enabled,SC-28,4
105
- ec2-ebs-encryption-by-default,SC-28,4
106
- rds-snapshot-encrypted,SC-28,4
107
- cloud-trail-log-file-validation-enabled,SI-7|SI-7(1),4
1
+ AwsConfigRuleSourceIdentifier,AwsConfigRuleName,NIST-ID,Rev
2
+ SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK,secretsmanager-scheduled-rotation-success-check,AC-2(1)|AC-2(j),4
3
+ IAM_USER_GROUP_MEMBERSHIP_CHECK,iam-user-group-membership-check,AC-2(1)|AC-2(j)|AC-3|AC-6,4
4
+ IAM_PASSWORD_POLICY,iam-password-policy,AC-2(1)|AC-2(f)|AC-2(j)|IA-2|IA-5(1)(a)(d)(e)|IA-5(4),4
5
+ ACCESS_KEYS_ROTATED,access-keys-rotated,AC-2(1)|AC-2(j),4
6
+ IAM_USER_UNUSED_CREDENTIALS_CHECK,iam-user-unused-credentials-check,AC-2(1)|AC-2(3)|AC-2(f)|AC-3|AC-6,4
7
+ SECURITYHUB_ENABLED,securityhub-enabled,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|SA-10|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4
8
+ GUARDDUTY_ENABLED_CENTRALIZED,guardduty-enabled-centralized,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|RA-5|SA-10|SI-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4
9
+ CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED,cloud-trail-cloud-watch-logs-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-6(1)(3)|AU-7(1)|AU-12(a)(c)|CA-7(a)(b)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4
10
+ CLOUD_TRAIL_ENABLED,cloudtrail-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
11
+ MULTI_REGION_CLOUD_TRAIL_ENABLED,multi-region-cloudtrail-enabled,AC-2(4)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
12
+ RDS_LOGGING_ENABLED,rds-logging-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
13
+ CLOUDWATCH_ALARM_ACTION_CHECK,cloudwatch-alarm-action-check,AC-2(4)|AU-6(1)(3)|AU-7(1)|CA-7(a)(b)|IR-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4
14
+ REDSHIFT_CLUSTER_CONFIGURATION_CHECK,redshift-cluster-configuration-check,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-13|SC-28,4
15
+ IAM_ROOT_ACCESS_KEY_CHECK,iam-root-access-key-check,AC-2(f)|AC-2(j)|AC-3|AC-6|AC-6(10),4
16
+ S3_BUCKET_LOGGING_ENABLED,s3-bucket-logging-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
17
+ CLOUDTRAIL_S3_DATAEVENTS_ENABLED,cloudtrail-s3-dataevents-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
18
+ ROOT_ACCOUNT_MFA_ENABLED,root-account-mfa-enabled,AC-2(j)|IA-2(1)(11),4
19
+ EMR_KERBEROS_ENABLED,emr-kerberos-enabled,AC-2(j)|AC-3|AC-5(c)|AC-6,4
20
+ IAM_GROUP_HAS_USERS_CHECK,iam-group-has-users-check,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4
21
+ IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS,iam-policy-no-statements-with-admin-access,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4
22
+ IAM_USER_NO_POLICIES_CHECK,iam-user-no-policies-check,AC-2(j)|AC-3|AC-5(c)|AC-6,4
23
+ S3_BUCKET_PUBLIC_WRITE_PROHIBITED,s3-bucket-public-write-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
24
+ LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED,lambda-function-public-access-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
25
+ RDS_SNAPSHOTS_PUBLIC_PROHIBITED,rds-snapshots-public-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
26
+ REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK,redshift-cluster-public-access-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
27
+ S3_BUCKET_POLICY_GRANTEE_CHECK,s3-bucket-policy-grantee-check,AC-3|AC-6|SC-7|SC-7(3),4
28
+ S3_BUCKET_PUBLIC_READ_PROHIBITED,s3-bucket-public-read-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
29
+ S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS,s3-account-level-public-access-blocks,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
30
+ DMS_REPLICATION_NOT_PUBLIC,dms-replication-not-public,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
31
+ EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK,ebs-snapshot-public-restorable-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
32
+ SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS,sagemaker-notebook-no-direct-internet-access,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
33
+ RDS_INSTANCE_PUBLIC_ACCESS_CHECK,rds-instance-public-access-check,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
34
+ LAMBDA_INSIDE_VPC,lambda-inside-vpc,AC-4|SC-7|SC-7(3),4
35
+ INSTANCES_IN_VPC,ec2-instances-in-vpc,AC-4|SC-7|SC-7(3),4
36
+ RESTRICTED_INCOMING_TRAFFIC,restricted-common-ports,AC-4|CM-2|SC-7|SC-7(3),4
37
+ INCOMING_SSH_DISABLED,restricted-ssh,AC-4|SC-7|SC-7(3),4
38
+ VPC_DEFAULT_SECURITY_GROUP_CLOSED,vpc-default-security-group-closed,AC-4|SC-7|SC-7(3),4
39
+ VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS,vpc-sg-open-only-to-authorized-ports,AC-4|SC-7|SC-7(3),4
40
+ ACM_CERTIFICATE_EXPIRATION_CHECK,acm-certificate-expiration-check,AC-4|AC-17(2)|SC-12,4
41
+ EC2_INSTANCE_NO_PUBLIC_IP,ec2-instance-no-public-ip,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
42
+ ELASTICSEARCH_IN_VPC_ONLY,elasticsearch-in-vpc-only,AC-4|SC-7|SC-7(3),4
43
+ EMR_MASTER_NO_PUBLIC_IP,emr-master-no-public-ip,AC-4|AC-21(b)|SC-7|SC-7(3),4
44
+ INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY,internet-gateway-authorized-vpc-only,AC-4|AC-17(3)|SC-7|SC-7(3),4
45
+ CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK,codebuild-project-envvar-awscred-check,AC-6|IA-5(7)|SA-3(a),4
46
+ EC2_IMDSV2_CHECK,ec2-imdsv2-check,AC-6,4
47
+ IAM_NO_INLINE_POLICY_CHECK,iam-no-inline-policy-check,AC-6,4
48
+ ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK,alb-http-to-https-redirection-check,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13|SC-23,4
49
+ REDSHIFT_REQUIRE_TLS_SSL,redshift-require-tls-ssl,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
50
+ S3_BUCKET_SSL_REQUESTS_ONLY,s3-bucket-ssl-requests-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
51
+ ELB_ACM_CERTIFICATE_REQUIRED,elb-acm-certificate-required,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
52
+ ALB_HTTP_DROP_INVALID_HEADER_ENABLED,alb-http-drop-invalid-header-enabled,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4
53
+ ELB_TLS_HTTPS_LISTENERS_ONLY,elb-tls-https-listeners-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4
54
+ API_GW_EXECUTION_LOGGING_ENABLED,api-gw-execution-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
55
+ ELB_LOGGING_ENABLED,elb-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
56
+ VPC_FLOW_LOGS_ENABLED,vpc-flow-logs-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
57
+ WAFV2_LOGGING_ENABLED,wafv2-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-7|SI-4(a)(b)(c),4
58
+ CLOUD_TRAIL_ENCRYPTION_ENABLED,cloud-trail-encryption-enabled,AU-9|SC-13|SC-28,4
59
+ CLOUDWATCH_LOG_GROUP_ENCRYPTED,cloudwatch-log-group-encrypted,AU-9|SC-13|SC-28,4
60
+ S3_BUCKET_REPLICATION_ENABLED,s3-bucket-replication-enabled,AU-9(2)|CP-9(b)|CP-10|SC-5|SC-36,4
61
+ CW_LOGGROUP_RETENTION_PERIOD_CHECK,cw-loggroup-retention-period-check,AU-11|SI-12,4
62
+ EC2_INSTANCE_DETAILED_MONITORING_ENABLED,ec2-instance-detailed-monitoring-enabled,CA-7(a)(b)|SI-4(2)|SI-4(a)(b)(c),4
63
+ RDS_ENHANCED_MONITORING_ENABLED,rds-enhanced-monitoring-enabled,CA-7(a)(b),4
64
+ EC2_INSTANCE_MANAGED_BY_SSM,ec2-instance-managed-by-systems-manager,CM-2|CM-7(a)|CM-8(1)|CM-8(3)(a)|SA-3(a)|SA-10|SI-2(2)|SI-7(1),4
65
+ EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK,ec2-managedinstance-association-compliance-status-check,CM-2|CM-7(a)|CM-8(3)(a)|SI-2(2),4
66
+ EC2_STOPPED_INSTANCE,ec2-stopped-instance,CM-2,4
67
+ EC2_VOLUME_INUSE_CHECK,ec2-volume-inuse-check,CM-2|SC-4,4
68
+ ELB_DELETION_PROTECTION_ENABLED,elb-deletion-protection-enabled,CM-2|CP-10,4
69
+ CLOUDTRAIL_SECURITY_TRAIL_ENABLED,cloudtrail-security-trail-enabled,CM-2,4
70
+ EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK,ec2-managedinstance-patch-compliance-status-check,CM-8(3)(a)|SI-2(2)|SI-7(1),4
71
+ DB_INSTANCE_BACKUP_ENABLED,db-instance-backup-enabled,CP-9(b)|CP-10|SI-12,4
72
+ DYNAMODB_PITR_ENABLED,dynamodb-pitr-enabled,CP-9(b)|CP-10|SI-12,4
73
+ ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK,elasticache-redis-cluster-automatic-backup-check,CP-9(b)|CP-10|SI-12,4
74
+ DYNAMODB_IN_BACKUP_PLAN,dynamodb-in-backup-plan,CP-9(b)|CP-10|SI-12,4
75
+ EBS_IN_BACKUP_PLAN,ebs-in-backup-plan,CP-9(b)|CP-10|SI-12,4
76
+ EFS_IN_BACKUP_PLAN,efs-in-backup-plan,CP-9(b)|CP-10|SI-12,4
77
+ RDS_IN_BACKUP_PLAN,rds-in-backup-plan,CP-9(b)|CP-10|SI-12,4
78
+ DYNAMODB_AUTOSCALING_ENABLED,dynamodb-autoscaling-enabled,CP-10|SC-5,4
79
+ RDS_MULTI_AZ_SUPPORT,rds-multi-az-support,CP-10|SC-5|SC-36,4
80
+ S3_BUCKET_VERSIONING_ENABLED,s3-bucket-versioning-enabled,CP-10|SI-12,4
81
+ VPC_VPN_2_TUNNELS_UP,vpc-vpn-2-tunnels-up,CP-10,4
82
+ ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED,elb-cross-zone-load-balancing-enabled,CP-10|SC-5,4
83
+ ROOT_ACCOUNT_HARDWARE_MFA_ENABLED,root-account-hardware-mfa-enabled,IA-2(1)(11),4
84
+ MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS,mfa-enabled-for-iam-console-access,IA-2(1)(2)(11),4
85
+ IAM_USER_MFA_ENABLED,iam-user-mfa-enabled,IA-2(1)(2)(11),4
86
+ GUARDDUTY_NON_ARCHIVED_FINDINGS,guardduty-non-archived-findings,IR-4(1)|IR-6(1)|IR-7(1)|RA-5|SA-10|SI-4(a)(b)(c),4
87
+ CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK,codebuild-project-source-repo-url-check,SA-3(a),4
88
+ AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED,autoscaling-group-elb-healthcheck-required,SC-5,4
89
+ RDS_INSTANCE_DELETION_PROTECTION_ENABLED,rds-instance-deletion-protection-enabled,SC-5,4
90
+ ALB_WAF_ENABLED,alb-waf-enabled,SC-7|SI-4(a)(b)(c),4
91
+ ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK,elasticsearch-node-to-node-encryption-check,SC-7|SC-8|SC-8(1),4
92
+ CMK_BACKING_KEY_ROTATION_ENABLED,cmk-backing-key-rotation-enabled,SC-12,4
93
+ KMS_CMK_NOT_SCHEDULED_FOR_DELETION,kms-cmk-not-scheduled-for-deletion,SC-12|SC-28,4
94
+ API_GW_CACHE_ENABLED_AND_ENCRYPTED,api-gw-cache-enabled-and-encrypted,SC-13|SC-28,4
95
+ EFS_ENCRYPTED_CHECK,efs-encrypted-check,SC-13|SC-28,4
96
+ ELASTICSEARCH_ENCRYPTED_AT_REST,elasticsearch-encrypted-at-rest,SC-13|SC-28,4
97
+ ENCRYPTED_VOLUMES,encrypted-volumes,SC-13|SC-28,4
98
+ RDS_STORAGE_ENCRYPTED,rds-storage-encrypted,SC-13|SC-28,4
99
+ S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED,s3-bucket-server-side-encryption-enabled,SC-13|SC-28,4
100
+ SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED,sagemaker-endpoint-configuration-kms-key-configured,SC-13|SC-28,4
101
+ SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED,sagemaker-notebook-instance-kms-key-configured,SC-13|SC-28,4
102
+ SNS_ENCRYPTED_KMS,sns-encrypted-kms,SC-13|SC-28,4
103
+ DYNAMODB_TABLE_ENCRYPTED_KMS,dynamodb-table-encrypted-kms,SC-13,4
104
+ S3_BUCKET_DEFAULT_LOCK_ENABLED,s3-bucket-default-lock-enabled,SC-28,4
105
+ EC2_EBS_ENCRYPTION_BY_DEFAULT,ec2-ebs-encryption-by-default,SC-28,4
106
+ RDS_SNAPSHOT_ENCRYPTED,rds-snapshot-encrypted,SC-28,4
107
+ CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED,cloud-trail-log-file-validation-enabled,SI-7|SI-7(1),4
data/lib/heimdall_tools.rb CHANGED
@@ -15,4 +15,5 @@ module HeimdallTools
15
15
  autoload :JfrogXrayMapper, 'heimdall_tools/jfrog_xray_mapper'
16
16
  autoload :DBProtectMapper, 'heimdall_tools/dbprotect_mapper'
17
17
  autoload :AwsConfigMapper, 'heimdall_tools/aws_config_mapper'
18
+ autoload :NetsparkerMapper, 'heimdall_tools/netsparker_mapper'
18
19
  end
data/lib/heimdall_tools/aws_config_mapper.rb CHANGED
@@ -13,17 +13,20 @@ INSUFFICIENT_DATA_MSG = 'Not enough data has been collectd to determine complian
13
13
  ##
14
14
  # HDF mapper for use with AWS Config rules.
15
15
  #
16
- # Ruby AWS Ruby SDK for ConfigService:
16
+ # Ruby AWS Ruby SDK for ConfigService:
17
17
  # - https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/ConfigService/Client.html
18
18
  #
19
- # rubocop:disable Metrics/AbcSize, Metrics/ClassLength
20
19
  module HeimdallTools
21
20
  class AwsConfigMapper
22
- def initialize(custom_mapping, verbose = false)
21
+ def initialize(custom_mapping, endpoint = nil, verbose = false)
23
22
  @verbose = verbose
24
23
  @default_mapping = get_rule_mapping(AWS_CONFIG_MAPPING_FILE)
25
24
  @custom_mapping = custom_mapping.nil? ? {} : get_rule_mapping(custom_mapping)
26
- @client = Aws::ConfigService::Client.new
25
+ if endpoint.nil?
26
+ @client = Aws::ConfigService::Client.new
27
+ else
28
+ @client = Aws::ConfigService::Client.new(endpoint: endpoint)
29
+ end
27
30
  @issues = get_all_config_rules
28
31
  end
29
32
 
@@ -35,8 +38,8 @@ module HeimdallTools
35
38
  def to_hdf
36
39
  controls = @issues.map do |issue|
37
40
  @item = {}
38
- @item['id'] = issue[:config_rule_name]
39
- @item['title'] = issue[:config_rule_name]
41
+ @item['id'] = issue[:config_rule_id]
42
+ @item['title'] = "#{get_account_id(issue[:config_rule_arn])} - #{issue[:config_rule_name]}"
40
43
  @item['desc'] = issue[:description]
41
44
  @item['impact'] = 0.5
42
45
  @item['tags'] = hdf_tags(issue)
@@ -52,27 +55,42 @@ module HeimdallTools
52
55
  @item
53
56
  end
54
57
  end
58
+
55
59
  results = HeimdallDataFormat.new(
56
60
  profile_name: 'AWS Config',
57
61
  title: 'AWS Config',
58
62
  summary: 'AWS Config',
59
63
  controls: controls,
60
- statistics: { aws_config_sdk_version: Aws::ConfigService::GEM_VERSION }
61
- )
64
+ statistics: { aws_config_sdk_version: Aws::ConfigService::GEM_VERSION },
65
+ )
62
66
  results.to_hdf
63
67
  end
64
68
 
65
69
  private
66
70
 
71
+ ##
72
+ # Gets the account ID from a config rule ARN
73
+ #
74
+ # https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
75
+ # https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html
76
+ #
77
+ # Params:
78
+ # - arn: The ARN of the config rule
79
+ #
80
+ # Returns: The account ID portion of the ARN
81
+ def get_account_id(arn)
82
+ /:(\d{12}):config-rule/.match(arn)&.captures&.first || 'no-account-id'
83
+ end
84
+
67
85
  ##
68
86
  # Read in a config rule -> 800-53 control mapping CSV.
69
87
  #
70
- # Params:
88
+ # Params:
71
89
  # - path: The file path to the CSV file
72
90
  #
73
91
  # Returns: A mapped version of the csv in the format { rule_name: row, ... }
74
92
  def get_rule_mapping(path)
75
- Hash[CSV.read(path, headers: true).map { |row| [row[0], row] }]
93
+ CSV.read(path, headers: true).map { |row| [row['AwsConfigRuleSourceIdentifier'], row] }.to_h
76
94
  end
77
95
 
78
96
  ##
@@ -142,7 +160,7 @@ module HeimdallTools
142
160
  end
143
161
 
144
162
  # Map based on name for easy lookup
145
- Hash[compliance_results.collect { |r| [r.config_rule_name, r.to_h] }]
163
+ compliance_results.collect { |r| [r.config_rule_name, r.to_h] }.to_h
146
164
  end
147
165
 
148
166
  ##
@@ -192,7 +210,7 @@ module HeimdallTools
192
210
  (result[:result_recorded_time] - result[:config_rule_invoked_time]).round(6)
193
211
  end
194
212
  # status
195
- hdf_result['status'] = case result.dig(:compliance_type)
213
+ hdf_result['status'] = case result[:compliance_type]
196
214
  when 'COMPLIANT'
197
215
  'passed'
198
216
  when 'NON_COMPLIANT'
@@ -209,19 +227,19 @@ module HeimdallTools
209
227
  when 'NOT_APPLICABLE'
210
228
  rule[:impact] = 0
211
229
  rule[:results] << {
212
- 'run_time': 0,
213
- 'code_desc': NOT_APPLICABLE_MSG,
214
- 'skip_message': NOT_APPLICABLE_MSG,
215
- 'start_time': DateTime.now.strftime('%Y-%m-%dT%H:%M:%S%:z'),
216
- 'status': 'skipped'
230
+ run_time: 0,
231
+ code_desc: NOT_APPLICABLE_MSG,
232
+ skip_message: NOT_APPLICABLE_MSG,
233
+ start_time: DateTime.now.strftime('%Y-%m-%dT%H:%M:%S%:z'),
234
+ status: 'skipped'
217
235
  }
218
236
  when 'INSUFFICIENT_DATA'
219
237
  rule[:results] << {
220
- 'run_time': 0,
221
- 'code_desc': INSUFFICIENT_DATA_MSG,
222
- 'skip_message': INSUFFICIENT_DATA_MSG,
223
- 'start_time': DateTime.now.strftime('%Y-%m-%dT%H:%M:%S%:z'),
224
- 'status': 'skipped'
238
+ run_time: 0,
239
+ code_desc: INSUFFICIENT_DATA_MSG,
240
+ skip_message: INSUFFICIENT_DATA_MSG,
241
+ start_time: DateTime.now.strftime('%Y-%m-%dT%H:%M:%S%:z'),
242
+ status: 'skipped'
225
243
  }
226
244
  end
227
245
  end
@@ -239,18 +257,17 @@ module HeimdallTools
239
257
  def hdf_tags(config_rule)
240
258
  result = {}
241
259
 
242
- @default_mapping
243
- @custom_mapping
260
+ source_identifier = config_rule.dig(:source, :source_identifier)
244
261
 
245
262
  # NIST tag
246
263
  result['nist'] = []
247
- default_mapping_match = @default_mapping[config_rule[:config_rule_name]]
248
-
249
- result['nist'] += default_mapping_match[1].split('|') unless default_mapping_match.nil?
264
+ default_mapping_match = @default_mapping[source_identifier]
265
+
266
+ result['nist'] += default_mapping_match['NIST-ID'].split('|') unless default_mapping_match.nil?
267
+
268
+ custom_mapping_match = @custom_mapping[source_identifier]
250
269
 
251
- custom_mapping_match = @custom_mapping[config_rule[:config_rule_name]]
252
-
253
- result['nist'] += custom_mapping_match[1].split('|').map { |name| "#{name} (user provided)" } unless custom_mapping_match.nil?
270
+ result['nist'] += custom_mapping_match['NIST-ID'].split('|').map { |name| "#{name} (user provided)" } unless custom_mapping_match.nil?
254
271
 
255
272
  result['nist'] = ['unmapped'] if result['nist'].empty?
256
273
 
@@ -258,8 +275,11 @@ module HeimdallTools
258
275
  end
259
276
 
260
277
  def check_text(config_rule)
261
- params = (JSON.parse(config_rule[:input_parameters]).map { |key, value| "#{key}: #{value}" }).join('<br/>')
262
- check_text = config_rule[:config_rule_arn]
278
+ # If no input parameters, then provide an empty JSON array to the JSON
279
+ # parser because passing nil to JSON.parse throws an exception.
280
+ params = (JSON.parse(config_rule[:input_parameters] || '[]').map { |key, value| "#{key}: #{value}" }).join('<br/>')
281
+ check_text = "ARN: #{config_rule[:config_rule_arn] || 'N/A'}"
282
+ check_text += "<br/>Source Identifier: #{config_rule.dig(:source, :source_identifier) || 'N/A'}"
263
283
  check_text += "<br/>#{params}" unless params.empty?
264
284
  check_text
265
285
  end
@@ -274,11 +294,10 @@ module HeimdallTools
274
294
  def hdf_descriptions(config_rule)
275
295
  [
276
296
  {
277
- 'label': 'check',
278
- 'data': check_text(config_rule)
279
- }
297
+ label: 'check',
298
+ data: check_text(config_rule)
299
+ },
280
300
  ]
281
301
  end
282
302
  end
283
303
  end
284
- # rubocop:enable Metrics/AbcSize, Metrics/ClassLength