RubyGems - heimdall_tools - Versions diffs - 1.3.40 → 1.3.45 - Mend

heimdall_tools 1.3.40 → 1.3.45

Files changed (19) hide show

checksums.yaml +4 -4
data/README.md +15 -0
data/lib/data/aws-config-mapping.csv +107 -107
data/lib/heimdall_tools/aws_config_mapper.rb +55 -37
data/lib/heimdall_tools/burpsuite_mapper.rb +7 -12
data/lib/heimdall_tools/cli.rb +9 -21
data/lib/heimdall_tools/command.rb +0 -2
data/lib/heimdall_tools/dbprotect_mapper.rb +13 -26
data/lib/heimdall_tools/fortify_mapper.rb +2 -4
data/lib/heimdall_tools/hdf.rb +4 -5
data/lib/heimdall_tools/jfrog_xray_mapper.rb +26 -28
data/lib/heimdall_tools/nessus_mapper.rb +41 -48
data/lib/heimdall_tools/netsparker_mapper.rb +21 -28
data/lib/heimdall_tools/nikto_mapper.rb +27 -28
data/lib/heimdall_tools/snyk_mapper.rb +20 -23
data/lib/heimdall_tools/sonarqube_mapper.rb +23 -21
data/lib/heimdall_tools/zap_mapper.rb +4 -6
data/lib/utilities/xml_to_hash.rb +6 -6
metadata +39 -25

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1a306a3ebf9a2755760b9cc825f1123a62291723d92d215c03d3e9d958d22497
-  data.tar.gz: 5e551876a20872c32126a6c96d08e3c6cd6acdf73bc31abf1ba918693764d4e9
+  metadata.gz: 87936a7488cf8da17690bb3c35d5138a2e9442d8d4c48b307307f4d44423b987
+  data.tar.gz: 28f172cc25391e697910bb1b2b79fea29c82956cbca953f1e7978080b4e1d646
 SHA512:
-  metadata.gz: 4ed8a026a5fbbd63d3da4ebb4211d8ee8cc371ae29e57f4deb10f9e188491af29b2988e17524aa5ab4c064f62a44349edfa9b626641c89d6a958ff040df39e40
-  data.tar.gz: 2874bbd8f062e601ed1fb65b53ec53ee5267d7c17457cef91f936dd28936bac6f35b4387c3d452c301c593cdb13e01ea6d587c1885a88b1a6f025ac3ee38bdaa
+  metadata.gz: bf394cd989527e58e45755881a01ad5d91761201f0a054e5a92a69ae3ac9b943569ef400298d31afee4514b72f3f7b77212b8bcc189107e355c45e1c2758e41d
+  data.tar.gz: 54c1a3447b631b28c024f0bc77559834464bccc518463a2fee0313d7b19f6252db9d624058eda3118423178f736e080ccffa5601b2cc7ec2daa98332a90d1e8f

data/README.md CHANGED Viewed

@@ -17,6 +17,21 @@ HeimdallTools supplies several methods to convert output from various tools to "
 - **aws_config_mapper** - assess, audit, and evaluate AWS resources
 - **netsparker_mapper** - web application security scanner
+## Want to recommend a mapper for another tool? Please use these steps:
+  1. Create an [issue](https://github.com/mitre/heimdall_tools/issues/new), and email saf@groups.mitre.org citing the issue link so we can help
+  2. Provide a sample output, preferably the most detailed the tool can provide, and also preferably in a machine-readable format, such as xml, json, or csv - whichever is natively available. If it is sensitive we'll work that in #3. (If it's an API only, we'll also just talk about it in #3)
+  3. Let's arrange a time to take a close look at the data it provides to get an idea of all it has to offer. We'll suggest an initial mapping of the HDF core elements. (see https://saf.mitre.org/#/normalize)
+  4. Note: if the tool doesn't provide a NIST SP 800-53 reference, we've worked on mappings to other references such as CWE or OWASP Top 10:
+    https://github.com/mitre/heimdall_tools/tree/master/lib/data
+    https://github.com/mitre/heimdall_tools/blob/master/lib/data/cwe-nist-mapping.csv
+    https://github.com/mitre/heimdall_tools/blob/master/lib/data/owasp-nist-mapping.csv
+  5. If the tool doesn't provide something for #4, or another core element such as impact, we'll help you identify a custom mapping approach.
+  6. We'll help you decide how to preserve any other information (non-core elements) the tool provides to ensure that all of the original tool's intent comes through for the user when the data is viewed in Heimdall.
+  7. Finally, We'll provide final peer review and support merging your pull request.
+We appreciate your contributions, but we're here to help!
+## How to Install Heimdall Tools:
 Ruby 2.4 or higher (check using "ruby -v")
 If installation of Ruby is required, perform these steps:

data/lib/data/aws-config-mapping.csv CHANGED Viewed

@@ -1,107 +1,107 @@
-AwsConfigRuleName,NIST-ID,Rev
-secretsmanager-scheduled-rotation-success-check,AC-2(1)|AC-2(j),4
-iam-user-group-membership-check,AC-2(1)|AC-2(j)|AC-3|AC-6,4
-iam-password-policy,AC-2(1)|AC-2(f)|AC-2(j)|IA-2|IA-5(1)(a)(d)(e)|IA-5(4),4
-access-keys-rotated,AC-2(1)|AC-2(j),4
-iam-user-unused-credentials-check,AC-2(1)|AC-2(3)|AC-2(f)|AC-3|AC-6,4
-securityhub-enabled,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|SA-10|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4
-guardduty-enabled-centralized,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|RA-5|SA-10|SI-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4
-cloud-trail-cloud-watch-logs-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-6(1)(3)|AU-7(1)|AU-12(a)(c)|CA-7(a)(b)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4
-cloudtrail-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
-multi-region-cloudtrail-enabled,AC-2(4)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
-rds-logging-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
-cloudwatch-alarm-action-check,AC-2(4)|AU-6(1)(3)|AU-7(1)|CA-7(a)(b)|IR-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4
-redshift-cluster-configuration-check,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-13|SC-28,4
-iam-root-access-key-check,AC-2(f)|AC-2(j)|AC-3|AC-6|AC-6(10),4
-s3-bucket-logging-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
-cloudtrail-s3-dataevents-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
-root-account-mfa-enabled,AC-2(j)|IA-2(1)(11),4
-emr-kerberos-enabled,AC-2(j)|AC-3|AC-5(c)|AC-6,4
-iam-group-has-users-check,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4
-iam-policy-no-statements-with-admin-access,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4
-iam-user-no-policies-check,AC-2(j)|AC-3|AC-5(c)|AC-6,4
-s3-bucket-public-write-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
-lambda-function-public-access-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
-rds-snapshots-public-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
-redshift-cluster-public-access-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
-s3-bucket-policy-grantee-check,AC-3|AC-6|SC-7|SC-7(3),4
-s3-bucket-public-read-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
-s3-account-level-public-access-blocks,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
-dms-replication-not-public,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
-ebs-snapshot-public-restorable-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
-sagemaker-notebook-no-direct-internet-access,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
-rds-instance-public-access-check,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
-lambda-inside-vpc,AC-4|SC-7|SC-7(3),4
-ec2-instances-in-vpc,AC-4|SC-7|SC-7(3),4
-restricted-common-ports,AC-4|CM-2|SC-7|SC-7(3),4
-restricted-ssh,AC-4|SC-7|SC-7(3),4
-vpc-default-security-group-closed,AC-4|SC-7|SC-7(3),4
-vpc-sg-open-only-to-authorized-ports,AC-4|SC-7|SC-7(3),4
-acm-certificate-expiration-check,AC-4|AC-17(2)|SC-12,4
-ec2-instance-no-public-ip,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
-elasticsearch-in-vpc-only,AC-4|SC-7|SC-7(3),4
-emr-master-no-public-ip,AC-4|AC-21(b)|SC-7|SC-7(3),4
-internet-gateway-authorized-vpc-only,AC-4|AC-17(3)|SC-7|SC-7(3),4
-codebuild-project-envvar-awscred-check,AC-6|IA-5(7)|SA-3(a),4
-ec2-imdsv2-check,AC-6,4
-iam-no-inline-policy-check,AC-6,4
-alb-http-to-https-redirection-check,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13|SC-23,4
-redshift-require-tls-ssl,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
-s3-bucket-ssl-requests-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
-elb-acm-certificate-required,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
-alb-http-drop-invalid-header-enabled,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4
-elb-tls-https-listeners-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4
-api-gw-execution-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
-elb-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
-vpc-flow-logs-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
-wafv2-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-7|SI-4(a)(b)(c),4
-cloud-trail-encryption-enabled,AU-9|SC-13|SC-28,4
-cloudwatch-log-group-encrypted,AU-9|SC-13|SC-28,4
-s3-bucket-replication-enabled,AU-9(2)|CP-9(b)|CP-10|SC-5|SC-36,4
-cw-loggroup-retention-period-check,AU-11|SI-12,4
-ec2-instance-detailed-monitoring-enabled,CA-7(a)(b)|SI-4(2)|SI-4(a)(b)(c),4
-rds-enhanced-monitoring-enabled,CA-7(a)(b),4
-ec2-instance-managed-by-systems-manager,CM-2|CM-7(a)|CM-8(1)|CM-8(3)(a)|SA-3(a)|SA-10|SI-2(2)|SI-7(1),4
-ec2-managedinstance-association-compliance-status-check,CM-2|CM-7(a)|CM-8(3)(a)|SI-2(2),4
-ec2-stopped-instance,CM-2,4
-ec2-volume-inuse-check,CM-2|SC-4,4
-elb-deletion-protection-enabled,CM-2|CP-10,4
-cloudtrail-security-trail-enabled,CM-2,4
-ec2-managedinstance-patch-compliance-status-check,CM-8(3)(a)|SI-2(2)|SI-7(1),4
-db-instance-backup-enabled,CP-9(b)|CP-10|SI-12,4
-dynamodb-pitr-enabled,CP-9(b)|CP-10|SI-12,4
-elasticache-redis-cluster-automatic-backup-check,CP-9(b)|CP-10|SI-12,4
-dynamodb-in-backup-plan,CP-9(b)|CP-10|SI-12,4
-ebs-in-backup-plan,CP-9(b)|CP-10|SI-12,4
-efs-in-backup-plan,CP-9(b)|CP-10|SI-12,4
-rds-in-backup-plan,CP-9(b)|CP-10|SI-12,4
-dynamodb-autoscaling-enabled,CP-10|SC-5,4
-rds-multi-az-support,CP-10|SC-5|SC-36,4
-s3-bucket-versioning-enabled,CP-10|SI-12,4
-vpc-vpn-2-tunnels-up,CP-10,4
-elb-cross-zone-load-balancing-enabled,CP-10|SC-5,4
-root-account-hardware-mfa-enabled,IA-2(1)(11),4
-mfa-enabled-for-iam-console-access,IA-2(1)(2)(11),4
-iam-user-mfa-enabled,IA-2(1)(2)(11),4
-guardduty-non-archived-findings,IR-4(1)|IR-6(1)|IR-7(1)|RA-5|SA-10|SI-4(a)(b)(c),4
-codebuild-project-source-repo-url-check,SA-3(a),4
-autoscaling-group-elb-healthcheck-required,SC-5,4
-rds-instance-deletion-protection-enabled,SC-5,4
-alb-waf-enabled,SC-7|SI-4(a)(b)(c),4
-elasticsearch-node-to-node-encryption-check,SC-7|SC-8|SC-8(1),4
-cmk-backing-key-rotation-enabled,SC-12,4
-kms-cmk-not-scheduled-for-deletion,SC-12|SC-28,4
-api-gw-cache-enabled-and-encrypted,SC-13|SC-28,4
-efs-encrypted-check,SC-13|SC-28,4
-elasticsearch-encrypted-at-rest,SC-13|SC-28,4
-encrypted-volumes,SC-13|SC-28,4
-rds-storage-encrypted,SC-13|SC-28,4
-s3-bucket-server-side-encryption-enabled,SC-13|SC-28,4
-sagemaker-endpoint-configuration-kms-key-configured,SC-13|SC-28,4
-sagemaker-notebook-instance-kms-key-configured,SC-13|SC-28,4
-sns-encrypted-kms,SC-13|SC-28,4
-dynamodb-table-encrypted-kms,SC-13,4
-s3-bucket-default-lock-enabled,SC-28,4
-ec2-ebs-encryption-by-default,SC-28,4
-rds-snapshot-encrypted,SC-28,4
-cloud-trail-log-file-validation-enabled,SI-7|SI-7(1),4
+AwsConfigRuleSourceIdentifier,AwsConfigRuleName,NIST-ID,Rev
+SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK,secretsmanager-scheduled-rotation-success-check,AC-2(1)|AC-2(j),4
+IAM_USER_GROUP_MEMBERSHIP_CHECK,iam-user-group-membership-check,AC-2(1)|AC-2(j)|AC-3|AC-6,4
+IAM_PASSWORD_POLICY,iam-password-policy,AC-2(1)|AC-2(f)|AC-2(j)|IA-2|IA-5(1)(a)(d)(e)|IA-5(4),4
+ACCESS_KEYS_ROTATED,access-keys-rotated,AC-2(1)|AC-2(j),4
+IAM_USER_UNUSED_CREDENTIALS_CHECK,iam-user-unused-credentials-check,AC-2(1)|AC-2(3)|AC-2(f)|AC-3|AC-6,4
+SECURITYHUB_ENABLED,securityhub-enabled,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|SA-10|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4
+GUARDDUTY_ENABLED_CENTRALIZED,guardduty-enabled-centralized,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|RA-5|SA-10|SI-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4
+CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED,cloud-trail-cloud-watch-logs-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-6(1)(3)|AU-7(1)|AU-12(a)(c)|CA-7(a)(b)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4
+CLOUD_TRAIL_ENABLED,cloudtrail-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
+MULTI_REGION_CLOUD_TRAIL_ENABLED,multi-region-cloudtrail-enabled,AC-2(4)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
+RDS_LOGGING_ENABLED,rds-logging-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
+CLOUDWATCH_ALARM_ACTION_CHECK,cloudwatch-alarm-action-check,AC-2(4)|AU-6(1)(3)|AU-7(1)|CA-7(a)(b)|IR-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4
+REDSHIFT_CLUSTER_CONFIGURATION_CHECK,redshift-cluster-configuration-check,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-13|SC-28,4
+IAM_ROOT_ACCESS_KEY_CHECK,iam-root-access-key-check,AC-2(f)|AC-2(j)|AC-3|AC-6|AC-6(10),4
+S3_BUCKET_LOGGING_ENABLED,s3-bucket-logging-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
+CLOUDTRAIL_S3_DATAEVENTS_ENABLED,cloudtrail-s3-dataevents-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
+ROOT_ACCOUNT_MFA_ENABLED,root-account-mfa-enabled,AC-2(j)|IA-2(1)(11),4
+EMR_KERBEROS_ENABLED,emr-kerberos-enabled,AC-2(j)|AC-3|AC-5(c)|AC-6,4
+IAM_GROUP_HAS_USERS_CHECK,iam-group-has-users-check,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4
+IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS,iam-policy-no-statements-with-admin-access,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4
+IAM_USER_NO_POLICIES_CHECK,iam-user-no-policies-check,AC-2(j)|AC-3|AC-5(c)|AC-6,4
+S3_BUCKET_PUBLIC_WRITE_PROHIBITED,s3-bucket-public-write-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED,lambda-function-public-access-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+RDS_SNAPSHOTS_PUBLIC_PROHIBITED,rds-snapshots-public-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK,redshift-cluster-public-access-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+S3_BUCKET_POLICY_GRANTEE_CHECK,s3-bucket-policy-grantee-check,AC-3|AC-6|SC-7|SC-7(3),4
+S3_BUCKET_PUBLIC_READ_PROHIBITED,s3-bucket-public-read-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS,s3-account-level-public-access-blocks,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+DMS_REPLICATION_NOT_PUBLIC,dms-replication-not-public,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK,ebs-snapshot-public-restorable-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS,sagemaker-notebook-no-direct-internet-access,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+RDS_INSTANCE_PUBLIC_ACCESS_CHECK,rds-instance-public-access-check,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+LAMBDA_INSIDE_VPC,lambda-inside-vpc,AC-4|SC-7|SC-7(3),4
+INSTANCES_IN_VPC,ec2-instances-in-vpc,AC-4|SC-7|SC-7(3),4
+RESTRICTED_INCOMING_TRAFFIC,restricted-common-ports,AC-4|CM-2|SC-7|SC-7(3),4
+INCOMING_SSH_DISABLED,restricted-ssh,AC-4|SC-7|SC-7(3),4
+VPC_DEFAULT_SECURITY_GROUP_CLOSED,vpc-default-security-group-closed,AC-4|SC-7|SC-7(3),4
+VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS,vpc-sg-open-only-to-authorized-ports,AC-4|SC-7|SC-7(3),4
+ACM_CERTIFICATE_EXPIRATION_CHECK,acm-certificate-expiration-check,AC-4|AC-17(2)|SC-12,4
+EC2_INSTANCE_NO_PUBLIC_IP,ec2-instance-no-public-ip,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+ELASTICSEARCH_IN_VPC_ONLY,elasticsearch-in-vpc-only,AC-4|SC-7|SC-7(3),4
+EMR_MASTER_NO_PUBLIC_IP,emr-master-no-public-ip,AC-4|AC-21(b)|SC-7|SC-7(3),4
+INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY,internet-gateway-authorized-vpc-only,AC-4|AC-17(3)|SC-7|SC-7(3),4
+CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK,codebuild-project-envvar-awscred-check,AC-6|IA-5(7)|SA-3(a),4
+EC2_IMDSV2_CHECK,ec2-imdsv2-check,AC-6,4
+IAM_NO_INLINE_POLICY_CHECK,iam-no-inline-policy-check,AC-6,4
+ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK,alb-http-to-https-redirection-check,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13|SC-23,4
+REDSHIFT_REQUIRE_TLS_SSL,redshift-require-tls-ssl,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
+S3_BUCKET_SSL_REQUESTS_ONLY,s3-bucket-ssl-requests-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
+ELB_ACM_CERTIFICATE_REQUIRED,elb-acm-certificate-required,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
+ALB_HTTP_DROP_INVALID_HEADER_ENABLED,alb-http-drop-invalid-header-enabled,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4
+ELB_TLS_HTTPS_LISTENERS_ONLY,elb-tls-https-listeners-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4
+API_GW_EXECUTION_LOGGING_ENABLED,api-gw-execution-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
+ELB_LOGGING_ENABLED,elb-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
+VPC_FLOW_LOGS_ENABLED,vpc-flow-logs-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
+WAFV2_LOGGING_ENABLED,wafv2-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-7|SI-4(a)(b)(c),4
+CLOUD_TRAIL_ENCRYPTION_ENABLED,cloud-trail-encryption-enabled,AU-9|SC-13|SC-28,4
+CLOUDWATCH_LOG_GROUP_ENCRYPTED,cloudwatch-log-group-encrypted,AU-9|SC-13|SC-28,4
+S3_BUCKET_REPLICATION_ENABLED,s3-bucket-replication-enabled,AU-9(2)|CP-9(b)|CP-10|SC-5|SC-36,4
+CW_LOGGROUP_RETENTION_PERIOD_CHECK,cw-loggroup-retention-period-check,AU-11|SI-12,4
+EC2_INSTANCE_DETAILED_MONITORING_ENABLED,ec2-instance-detailed-monitoring-enabled,CA-7(a)(b)|SI-4(2)|SI-4(a)(b)(c),4
+RDS_ENHANCED_MONITORING_ENABLED,rds-enhanced-monitoring-enabled,CA-7(a)(b),4
+EC2_INSTANCE_MANAGED_BY_SSM,ec2-instance-managed-by-systems-manager,CM-2|CM-7(a)|CM-8(1)|CM-8(3)(a)|SA-3(a)|SA-10|SI-2(2)|SI-7(1),4
+EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK,ec2-managedinstance-association-compliance-status-check,CM-2|CM-7(a)|CM-8(3)(a)|SI-2(2),4
+EC2_STOPPED_INSTANCE,ec2-stopped-instance,CM-2,4
+EC2_VOLUME_INUSE_CHECK,ec2-volume-inuse-check,CM-2|SC-4,4
+ELB_DELETION_PROTECTION_ENABLED,elb-deletion-protection-enabled,CM-2|CP-10,4
+CLOUDTRAIL_SECURITY_TRAIL_ENABLED,cloudtrail-security-trail-enabled,CM-2,4
+EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK,ec2-managedinstance-patch-compliance-status-check,CM-8(3)(a)|SI-2(2)|SI-7(1),4
+DB_INSTANCE_BACKUP_ENABLED,db-instance-backup-enabled,CP-9(b)|CP-10|SI-12,4
+DYNAMODB_PITR_ENABLED,dynamodb-pitr-enabled,CP-9(b)|CP-10|SI-12,4
+ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK,elasticache-redis-cluster-automatic-backup-check,CP-9(b)|CP-10|SI-12,4
+DYNAMODB_IN_BACKUP_PLAN,dynamodb-in-backup-plan,CP-9(b)|CP-10|SI-12,4
+EBS_IN_BACKUP_PLAN,ebs-in-backup-plan,CP-9(b)|CP-10|SI-12,4
+EFS_IN_BACKUP_PLAN,efs-in-backup-plan,CP-9(b)|CP-10|SI-12,4
+RDS_IN_BACKUP_PLAN,rds-in-backup-plan,CP-9(b)|CP-10|SI-12,4
+DYNAMODB_AUTOSCALING_ENABLED,dynamodb-autoscaling-enabled,CP-10|SC-5,4
+RDS_MULTI_AZ_SUPPORT,rds-multi-az-support,CP-10|SC-5|SC-36,4
+S3_BUCKET_VERSIONING_ENABLED,s3-bucket-versioning-enabled,CP-10|SI-12,4
+VPC_VPN_2_TUNNELS_UP,vpc-vpn-2-tunnels-up,CP-10,4
+ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED,elb-cross-zone-load-balancing-enabled,CP-10|SC-5,4
+ROOT_ACCOUNT_HARDWARE_MFA_ENABLED,root-account-hardware-mfa-enabled,IA-2(1)(11),4
+MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS,mfa-enabled-for-iam-console-access,IA-2(1)(2)(11),4
+IAM_USER_MFA_ENABLED,iam-user-mfa-enabled,IA-2(1)(2)(11),4
+GUARDDUTY_NON_ARCHIVED_FINDINGS,guardduty-non-archived-findings,IR-4(1)|IR-6(1)|IR-7(1)|RA-5|SA-10|SI-4(a)(b)(c),4
+CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK,codebuild-project-source-repo-url-check,SA-3(a),4
+AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED,autoscaling-group-elb-healthcheck-required,SC-5,4
+RDS_INSTANCE_DELETION_PROTECTION_ENABLED,rds-instance-deletion-protection-enabled,SC-5,4
+ALB_WAF_ENABLED,alb-waf-enabled,SC-7|SI-4(a)(b)(c),4
+ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK,elasticsearch-node-to-node-encryption-check,SC-7|SC-8|SC-8(1),4
+CMK_BACKING_KEY_ROTATION_ENABLED,cmk-backing-key-rotation-enabled,SC-12,4
+KMS_CMK_NOT_SCHEDULED_FOR_DELETION,kms-cmk-not-scheduled-for-deletion,SC-12|SC-28,4
+API_GW_CACHE_ENABLED_AND_ENCRYPTED,api-gw-cache-enabled-and-encrypted,SC-13|SC-28,4
+EFS_ENCRYPTED_CHECK,efs-encrypted-check,SC-13|SC-28,4
+ELASTICSEARCH_ENCRYPTED_AT_REST,elasticsearch-encrypted-at-rest,SC-13|SC-28,4
+ENCRYPTED_VOLUMES,encrypted-volumes,SC-13|SC-28,4
+RDS_STORAGE_ENCRYPTED,rds-storage-encrypted,SC-13|SC-28,4
+S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED,s3-bucket-server-side-encryption-enabled,SC-13|SC-28,4
+SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED,sagemaker-endpoint-configuration-kms-key-configured,SC-13|SC-28,4
+SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED,sagemaker-notebook-instance-kms-key-configured,SC-13|SC-28,4
+SNS_ENCRYPTED_KMS,sns-encrypted-kms,SC-13|SC-28,4
+DYNAMODB_TABLE_ENCRYPTED_KMS,dynamodb-table-encrypted-kms,SC-13,4
+S3_BUCKET_DEFAULT_LOCK_ENABLED,s3-bucket-default-lock-enabled,SC-28,4
+EC2_EBS_ENCRYPTION_BY_DEFAULT,ec2-ebs-encryption-by-default,SC-28,4
+RDS_SNAPSHOT_ENCRYPTED,rds-snapshot-encrypted,SC-28,4
+CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED,cloud-trail-log-file-validation-enabled,SI-7|SI-7(1),4

data/lib/heimdall_tools/aws_config_mapper.rb CHANGED Viewed

@@ -13,17 +13,19 @@ INSUFFICIENT_DATA_MSG = 'Not enough data has been collectd to determine complian
 ##
 # HDF mapper for use with AWS Config rules.
 #
-# Ruby AWS Ruby SDK for ConfigService:
+# Ruby AWS Ruby SDK for ConfigService:
 # - https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/ConfigService/Client.html
 #
-# rubocop:disable Metrics/AbcSize, Metrics/ClassLength
 module HeimdallTools
   class AwsConfigMapper
-    def initialize(custom_mapping, verbose = false)
-      @verbose = verbose
+    def initialize(custom_mapping, endpoint = nil)
       @default_mapping = get_rule_mapping(AWS_CONFIG_MAPPING_FILE)
       @custom_mapping = custom_mapping.nil? ? {} : get_rule_mapping(custom_mapping)
-      @client = Aws::ConfigService::Client.new
+      if endpoint.nil?
+        @client = Aws::ConfigService::Client.new
+      else
+        @client = Aws::ConfigService::Client.new(endpoint: endpoint)
+      end
       @issues = get_all_config_rules
     end
@@ -35,8 +37,8 @@ module HeimdallTools
     def to_hdf
       controls = @issues.map do |issue|
         @item = {}
-        @item['id']              = issue[:config_rule_name]
-        @item['title']           = issue[:config_rule_name]
+        @item['id']              = issue[:config_rule_id]
+        @item['title']           = "#{get_account_id(issue[:config_rule_arn])} - #{issue[:config_rule_name]}"
         @item['desc']            = issue[:description]
         @item['impact']          = 0.5
         @item['tags']            = hdf_tags(issue)
@@ -52,27 +54,42 @@ module HeimdallTools
           @item
         end
       end
       results = HeimdallDataFormat.new(
         profile_name: 'AWS Config',
          title: 'AWS Config',
          summary: 'AWS Config',
          controls: controls,
-         statistics: { aws_config_sdk_version: Aws::ConfigService::GEM_VERSION }
-        )
+         statistics: { aws_config_sdk_version: Aws::ConfigService::GEM_VERSION },
+      )
       results.to_hdf
     end
     private
+    ##
+    # Gets the account ID from a config rule ARN
+    #
+    # https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    # https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html
+    #
+    # Params:
+    # - arn: The ARN of the config rule
+    #
+    # Returns: The account ID portion of the ARN
+    def get_account_id(arn)
+      /:(\d{12}):config-rule/.match(arn)&.captures&.first || 'no-account-id'
+    end
     ##
     # Read in a config rule -> 800-53 control mapping CSV.
     #
-    # Params:
+    # Params:
     # - path: The file path to the CSV file
     #
     # Returns: A mapped version of the csv in the format { rule_name: row, ... }
     def get_rule_mapping(path)
-      Hash[CSV.read(path, headers: true).map { |row| [row[0], row] }]
+      CSV.read(path, headers: true).map { |row| [row['AwsConfigRuleSourceIdentifier'], row] }.to_h
     end
     ##
@@ -142,7 +159,7 @@ module HeimdallTools
       end
       # Map based on name for easy lookup
-      Hash[compliance_results.collect { |r| [r.config_rule_name, r.to_h] }]
+      compliance_results.collect { |r| [r.config_rule_name, r.to_h] }.to_h
     end
     ##
@@ -192,7 +209,7 @@ module HeimdallTools
                                      (result[:result_recorded_time] - result[:config_rule_invoked_time]).round(6)
                                    end
           # status
-          hdf_result['status'] = case result.dig(:compliance_type)
+          hdf_result['status'] = case result[:compliance_type]
                                  when 'COMPLIANT'
                                    'passed'
                                  when 'NON_COMPLIANT'
@@ -209,19 +226,19 @@ module HeimdallTools
         when 'NOT_APPLICABLE'
           rule[:impact] = 0
           rule[:results] << {
-            'run_time': 0,
-            'code_desc': NOT_APPLICABLE_MSG,
-            'skip_message': NOT_APPLICABLE_MSG,
-            'start_time': DateTime.now.strftime('%Y-%m-%dT%H:%M:%S%:z'),
-            'status': 'skipped'
+            run_time: 0,
+            code_desc: NOT_APPLICABLE_MSG,
+            skip_message: NOT_APPLICABLE_MSG,
+            start_time: DateTime.now.strftime('%Y-%m-%dT%H:%M:%S%:z'),
+            status: 'skipped'
           }
         when 'INSUFFICIENT_DATA'
           rule[:results] << {
-            'run_time': 0,
-            'code_desc': INSUFFICIENT_DATA_MSG,
-            'skip_message': INSUFFICIENT_DATA_MSG,
-            'start_time': DateTime.now.strftime('%Y-%m-%dT%H:%M:%S%:z'),
-            'status': 'skipped'
+            run_time: 0,
+            code_desc: INSUFFICIENT_DATA_MSG,
+            skip_message: INSUFFICIENT_DATA_MSG,
+            start_time: DateTime.now.strftime('%Y-%m-%dT%H:%M:%S%:z'),
+            status: 'skipped'
           }
         end
       end
@@ -239,18 +256,17 @@ module HeimdallTools
     def hdf_tags(config_rule)
       result = {}
-      @default_mapping
-      @custom_mapping
+      source_identifier = config_rule.dig(:source, :source_identifier)
       # NIST tag
       result['nist'] = []
-      default_mapping_match = @default_mapping[config_rule[:config_rule_name]]
-      result['nist'] += default_mapping_match[1].split('|') unless default_mapping_match.nil?
+      default_mapping_match = @default_mapping[source_identifier]
+      result['nist'] += default_mapping_match['NIST-ID'].split('|') unless default_mapping_match.nil?
+      custom_mapping_match = @custom_mapping[source_identifier]
-      custom_mapping_match = @custom_mapping[config_rule[:config_rule_name]]
-      result['nist'] += custom_mapping_match[1].split('|').map { |name| "#{name} (user provided)" } unless custom_mapping_match.nil?
+      result['nist'] += custom_mapping_match['NIST-ID'].split('|').map { |name| "#{name} (user provided)" } unless custom_mapping_match.nil?
       result['nist'] = ['unmapped'] if result['nist'].empty?
@@ -258,8 +274,11 @@ module HeimdallTools
     end
     def check_text(config_rule)
-      params = (JSON.parse(config_rule[:input_parameters]).map { |key, value| "#{key}: #{value}" }).join('<br/>')
-      check_text = config_rule[:config_rule_arn]
+      # If no input parameters, then provide an empty JSON array to the JSON
+      # parser because passing nil to JSON.parse throws an exception.
+      params = (JSON.parse(config_rule[:input_parameters] || '[]').map { |key, value| "#{key}: #{value}" }).join('<br/>')
+      check_text = "ARN: #{config_rule[:config_rule_arn] || 'N/A'}"
+      check_text += "<br/>Source Identifier: #{config_rule.dig(:source, :source_identifier) || 'N/A'}"
       check_text += "<br/>#{params}" unless params.empty?
       check_text
     end
@@ -274,11 +293,10 @@ module HeimdallTools
     def hdf_descriptions(config_rule)
       [
         {
-          'label': 'check',
-          'data': check_text(config_rule)
-        }
+          label: 'check',
+          data: check_text(config_rule)
+        },
       ]
     end
   end
 end
-# rubocop:enable Metrics/AbcSize, Metrics/ClassLength

data/lib/heimdall_tools/burpsuite_mapper.rb CHANGED Viewed

@@ -16,15 +16,12 @@ IMPACT_MAPPING = {
 CWE_REGEX = 'CWE-(\d*):'.freeze
-DEFAULT_NIST_TAG = ["SA-11", "RA-5", "Rev_4"].freeze
-# rubocop:disable Metrics/AbcSize
+DEFAULT_NIST_TAG = %w{SA-11 RA-5 Rev_4}.freeze
 module HeimdallTools
   class BurpSuiteMapper
-    def initialize(burps_xml, name=nil, verbose = false)
+    def initialize(burps_xml, _name = nil)
       @burps_xml = burps_xml
-      @verbose = verbose
       begin
         @cwe_nist_mapping = parse_mapper
@@ -33,11 +30,9 @@ module HeimdallTools
         @issues = data['issues']['issue']
         @burpVersion = data['issues']['burpVersion']
         @timestamp = data['issues']['exportTime']
       rescue StandardError => e
         raise "Invalid Burpsuite XML file provided Exception: #{e}"
       end
     end
     def parse_html(block)
@@ -86,17 +81,17 @@ module HeimdallTools
     end
     def desc_tags(data, label)
-      { "data": data || NA_STRING, "label": label || NA_STRING }
+      { data: data || NA_STRING, label: label || NA_STRING }
     end
     # Burpsuite report could have multiple issue entries for multiple findings of same issue type.
-    # The meta data is identical across entries
+    # The meta data is identical across entries
     # method collapse_duplicates return unique controls with applicable findings collapsed into it.
     def collapse_duplicates(controls)
       unique_controls = []
       controls.map { |x| x['id'] }.uniq.each do |id|
-        collapsed_results = controls.select { |x| x['id'].eql?(id) }.map {|x| x['results']}
+        collapsed_results = controls.select { |x| x['id'].eql?(id) }.map { |x| x['results'] }
         unique_control = controls.find { |x| x['id'].eql?(id) }
         unique_control['results'] = collapsed_results.flatten
         unique_controls << unique_control
@@ -129,8 +124,8 @@ module HeimdallTools
       controls = collapse_duplicates(controls)
       results = HeimdallDataFormat.new(profile_name: 'BurpSuite Pro Scan',
                                        version: @burpVersion,
-                                       title: "BurpSuite Pro Scan",
-                                       summary: "BurpSuite Pro Scan",
+                                       title: 'BurpSuite Pro Scan',
+                                       summary: 'BurpSuite Pro Scan',
                                        controls: controls)
       results.to_hdf
     end