RubyGems - heimdall_tools - Versions diffs - 1.3.40 → 1.3.45 - Mend

heimdall_tools 1.3.40 → 1.3.45

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

checksums.yaml +4 -4
data/README.md +15 -0
data/lib/data/aws-config-mapping.csv +107 -107
data/lib/heimdall_tools/aws_config_mapper.rb +55 -37
data/lib/heimdall_tools/burpsuite_mapper.rb +7 -12
data/lib/heimdall_tools/cli.rb +9 -21
data/lib/heimdall_tools/command.rb +0 -2
data/lib/heimdall_tools/dbprotect_mapper.rb +13 -26
data/lib/heimdall_tools/fortify_mapper.rb +2 -4
data/lib/heimdall_tools/hdf.rb +4 -5
data/lib/heimdall_tools/jfrog_xray_mapper.rb +26 -28
data/lib/heimdall_tools/nessus_mapper.rb +41 -48
data/lib/heimdall_tools/netsparker_mapper.rb +21 -28
data/lib/heimdall_tools/nikto_mapper.rb +27 -28
data/lib/heimdall_tools/snyk_mapper.rb +20 -23
data/lib/heimdall_tools/sonarqube_mapper.rb +23 -21
data/lib/heimdall_tools/zap_mapper.rb +4 -6
data/lib/utilities/xml_to_hash.rb +6 -6
metadata +39 -25

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1a306a3ebf9a2755760b9cc825f1123a62291723d92d215c03d3e9d958d22497
-  data.tar.gz: 5e551876a20872c32126a6c96d08e3c6cd6acdf73bc31abf1ba918693764d4e9
+  metadata.gz: 87936a7488cf8da17690bb3c35d5138a2e9442d8d4c48b307307f4d44423b987
+  data.tar.gz: 28f172cc25391e697910bb1b2b79fea29c82956cbca953f1e7978080b4e1d646
 SHA512:
-  metadata.gz: 4ed8a026a5fbbd63d3da4ebb4211d8ee8cc371ae29e57f4deb10f9e188491af29b2988e17524aa5ab4c064f62a44349edfa9b626641c89d6a958ff040df39e40
-  data.tar.gz: 2874bbd8f062e601ed1fb65b53ec53ee5267d7c17457cef91f936dd28936bac6f35b4387c3d452c301c593cdb13e01ea6d587c1885a88b1a6f025ac3ee38bdaa
+  metadata.gz: bf394cd989527e58e45755881a01ad5d91761201f0a054e5a92a69ae3ac9b943569ef400298d31afee4514b72f3f7b77212b8bcc189107e355c45e1c2758e41d
+  data.tar.gz: 54c1a3447b631b28c024f0bc77559834464bccc518463a2fee0313d7b19f6252db9d624058eda3118423178f736e080ccffa5601b2cc7ec2daa98332a90d1e8f

data/README.md CHANGED Viewed

@@ -17,6 +17,21 @@ HeimdallTools supplies several methods to convert output from various tools to "
 - **aws_config_mapper** - assess, audit, and evaluate AWS resources
 - **netsparker_mapper** - web application security scanner
+## Want to recommend a mapper for another tool? Please use these steps:
+  1. Create an [issue](https://github.com/mitre/heimdall_tools/issues/new), and email saf@groups.mitre.org citing the issue link so we can help
+  2. Provide a sample output, preferably the most detailed the tool can provide, and also preferably in a machine-readable format, such as xml, json, or csv - whichever is natively available. If it is sensitive we'll work that in #3. (If it's an API only, we'll also just talk about it in #3)
+  3. Let's arrange a time to take a close look at the data it provides to get an idea of all it has to offer. We'll suggest an initial mapping of the HDF core elements. (see https://saf.mitre.org/#/normalize)
+  4. Note: if the tool doesn't provide a NIST SP 800-53 reference, we've worked on mappings to other references such as CWE or OWASP Top 10:
+    https://github.com/mitre/heimdall_tools/tree/master/lib/data
+    https://github.com/mitre/heimdall_tools/blob/master/lib/data/cwe-nist-mapping.csv
+    https://github.com/mitre/heimdall_tools/blob/master/lib/data/owasp-nist-mapping.csv
+  5. If the tool doesn't provide something for #4, or another core element such as impact, we'll help you identify a custom mapping approach.
+  6. We'll help you decide how to preserve any other information (non-core elements) the tool provides to ensure that all of the original tool's intent comes through for the user when the data is viewed in Heimdall.
+  7. Finally, We'll provide final peer review and support merging your pull request.
+We appreciate your contributions, but we're here to help!
+## How to Install Heimdall Tools:
 Ruby 2.4 or higher (check using "ruby -v")
 If installation of Ruby is required, perform these steps:

data/lib/data/aws-config-mapping.csv CHANGED Viewed

@@ -1,107 +1,107 @@
-AwsConfigRuleName,NIST-ID,Rev
-secretsmanager-scheduled-rotation-success-check,AC-2(1)|AC-2(j),4
-iam-user-group-membership-check,AC-2(1)|AC-2(j)|AC-3|AC-6,4
-iam-password-policy,AC-2(1)|AC-2(f)|AC-2(j)|IA-2|IA-5(1)(a)(d)(e)|IA-5(4),4
-access-keys-rotated,AC-2(1)|AC-2(j),4
-iam-user-unused-credentials-check,AC-2(1)|AC-2(3)|AC-2(f)|AC-3|AC-6,4
-securityhub-enabled,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|SA-10|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4
-guardduty-enabled-centralized,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|RA-5|SA-10|SI-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4
-cloud-trail-cloud-watch-logs-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-6(1)(3)|AU-7(1)|AU-12(a)(c)|CA-7(a)(b)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4
-cloudtrail-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
-multi-region-cloudtrail-enabled,AC-2(4)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
-rds-logging-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
-cloudwatch-alarm-action-check,AC-2(4)|AU-6(1)(3)|AU-7(1)|CA-7(a)(b)|IR-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4
-redshift-cluster-configuration-check,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-13|SC-28,4
-iam-root-access-key-check,AC-2(f)|AC-2(j)|AC-3|AC-6|AC-6(10),4
-s3-bucket-logging-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
-cloudtrail-s3-dataevents-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
-root-account-mfa-enabled,AC-2(j)|IA-2(1)(11),4
-emr-kerberos-enabled,AC-2(j)|AC-3|AC-5(c)|AC-6,4
-iam-group-has-users-check,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4
-iam-policy-no-statements-with-admin-access,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4
-iam-user-no-policies-check,AC-2(j)|AC-3|AC-5(c)|AC-6,4
-s3-bucket-public-write-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
-lambda-function-public-access-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
-rds-snapshots-public-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
-redshift-cluster-public-access-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
-s3-bucket-policy-grantee-check,AC-3|AC-6|SC-7|SC-7(3),4
-s3-bucket-public-read-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
-s3-account-level-public-access-blocks,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
-dms-replication-not-public,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
-ebs-snapshot-public-restorable-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
-sagemaker-notebook-no-direct-internet-access,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
-rds-instance-public-access-check,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
-lambda-inside-vpc,AC-4|SC-7|SC-7(3),4
-ec2-instances-in-vpc,AC-4|SC-7|SC-7(3),4
-restricted-common-ports,AC-4|CM-2|SC-7|SC-7(3),4
-restricted-ssh,AC-4|SC-7|SC-7(3),4
-vpc-default-security-group-closed,AC-4|SC-7|SC-7(3),4
-vpc-sg-open-only-to-authorized-ports,AC-4|SC-7|SC-7(3),4
-acm-certificate-expiration-check,AC-4|AC-17(2)|SC-12,4
-ec2-instance-no-public-ip,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
-elasticsearch-in-vpc-only,AC-4|SC-7|SC-7(3),4
-emr-master-no-public-ip,AC-4|AC-21(b)|SC-7|SC-7(3),4
-internet-gateway-authorized-vpc-only,AC-4|AC-17(3)|SC-7|SC-7(3),4
-codebuild-project-envvar-awscred-check,AC-6|IA-5(7)|SA-3(a),4
-ec2-imdsv2-check,AC-6,4
-iam-no-inline-policy-check,AC-6,4
-alb-http-to-https-redirection-check,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13|SC-23,4
-redshift-require-tls-ssl,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
-s3-bucket-ssl-requests-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
-elb-acm-certificate-required,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
-alb-http-drop-invalid-header-enabled,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4
-elb-tls-https-listeners-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4
-api-gw-execution-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
-elb-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
-vpc-flow-logs-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
-wafv2-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-7|SI-4(a)(b)(c),4
-cloud-trail-encryption-enabled,AU-9|SC-13|SC-28,4
-cloudwatch-log-group-encrypted,AU-9|SC-13|SC-28,4
-s3-bucket-replication-enabled,AU-9(2)|CP-9(b)|CP-10|SC-5|SC-36,4
-cw-loggroup-retention-period-check,AU-11|SI-12,4
-ec2-instance-detailed-monitoring-enabled,CA-7(a)(b)|SI-4(2)|SI-4(a)(b)(c),4
-rds-enhanced-monitoring-enabled,CA-7(a)(b),4
-ec2-instance-managed-by-systems-manager,CM-2|CM-7(a)|CM-8(1)|CM-8(3)(a)|SA-3(a)|SA-10|SI-2(2)|SI-7(1),4
-ec2-managedinstance-association-compliance-status-check,CM-2|CM-7(a)|CM-8(3)(a)|SI-2(2),4
-ec2-stopped-instance,CM-2,4
-ec2-volume-inuse-check,CM-2|SC-4,4
-elb-deletion-protection-enabled,CM-2|CP-10,4
-cloudtrail-security-trail-enabled,CM-2,4
-ec2-managedinstance-patch-compliance-status-check,CM-8(3)(a)|SI-2(2)|SI-7(1),4
-db-instance-backup-enabled,CP-9(b)|CP-10|SI-12,4
-dynamodb-pitr-enabled,CP-9(b)|CP-10|SI-12,4
-elasticache-redis-cluster-automatic-backup-check,CP-9(b)|CP-10|SI-12,4
-dynamodb-in-backup-plan,CP-9(b)|CP-10|SI-12,4
-ebs-in-backup-plan,CP-9(b)|CP-10|SI-12,4
-efs-in-backup-plan,CP-9(b)|CP-10|SI-12,4
-rds-in-backup-plan,CP-9(b)|CP-10|SI-12,4
-dynamodb-autoscaling-enabled,CP-10|SC-5,4
-rds-multi-az-support,CP-10|SC-5|SC-36,4
-s3-bucket-versioning-enabled,CP-10|SI-12,4
-vpc-vpn-2-tunnels-up,CP-10,4
-elb-cross-zone-load-balancing-enabled,CP-10|SC-5,4
-root-account-hardware-mfa-enabled,IA-2(1)(11),4
-mfa-enabled-for-iam-console-access,IA-2(1)(2)(11),4
-iam-user-mfa-enabled,IA-2(1)(2)(11),4
-guardduty-non-archived-findings,IR-4(1)|IR-6(1)|IR-7(1)|RA-5|SA-10|SI-4(a)(b)(c),4
-codebuild-project-source-repo-url-check,SA-3(a),4
-autoscaling-group-elb-healthcheck-required,SC-5,4
-rds-instance-deletion-protection-enabled,SC-5,4
-alb-waf-enabled,SC-7|SI-4(a)(b)(c),4
-elasticsearch-node-to-node-encryption-check,SC-7|SC-8|SC-8(1),4
-cmk-backing-key-rotation-enabled,SC-12,4
-kms-cmk-not-scheduled-for-deletion,SC-12|SC-28,4
-api-gw-cache-enabled-and-encrypted,SC-13|SC-28,4
-efs-encrypted-check,SC-13|SC-28,4
-elasticsearch-encrypted-at-rest,SC-13|SC-28,4
-encrypted-volumes,SC-13|SC-28,4
-rds-storage-encrypted,SC-13|SC-28,4
-s3-bucket-server-side-encryption-enabled,SC-13|SC-28,4
-sagemaker-endpoint-configuration-kms-key-configured,SC-13|SC-28,4
-sagemaker-notebook-instance-kms-key-configured,SC-13|SC-28,4
-sns-encrypted-kms,SC-13|SC-28,4
-dynamodb-table-encrypted-kms,SC-13,4
-s3-bucket-default-lock-enabled,SC-28,4
-ec2-ebs-encryption-by-default,SC-28,4
-rds-snapshot-encrypted,SC-28,4
-cloud-trail-log-file-validation-enabled,SI-7|SI-7(1),4
+AwsConfigRuleSourceIdentifier,AwsConfigRuleName,NIST-ID,Rev
+SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK,secretsmanager-scheduled-rotation-success-check,AC-2(1)|AC-2(j),4
+IAM_USER_GROUP_MEMBERSHIP_CHECK,iam-user-group-membership-check,AC-2(1)|AC-2(j)|AC-3|AC-6,4
+IAM_PASSWORD_POLICY,iam-password-policy,AC-2(1)|AC-2(f)|AC-2(j)|IA-2|IA-5(1)(a)(d)(e)|IA-5(4),4
+ACCESS_KEYS_ROTATED,access-keys-rotated,AC-2(1)|AC-2(j),4
+IAM_USER_UNUSED_CREDENTIALS_CHECK,iam-user-unused-credentials-check,AC-2(1)|AC-2(3)|AC-2(f)|AC-3|AC-6,4
+SECURITYHUB_ENABLED,securityhub-enabled,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|SA-10|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4
+GUARDDUTY_ENABLED_CENTRALIZED,guardduty-enabled-centralized,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|RA-5|SA-10|SI-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4
+CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED,cloud-trail-cloud-watch-logs-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-6(1)(3)|AU-7(1)|AU-12(a)(c)|CA-7(a)(b)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4
+CLOUD_TRAIL_ENABLED,cloudtrail-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
+MULTI_REGION_CLOUD_TRAIL_ENABLED,multi-region-cloudtrail-enabled,AC-2(4)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
+RDS_LOGGING_ENABLED,rds-logging-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
+CLOUDWATCH_ALARM_ACTION_CHECK,cloudwatch-alarm-action-check,AC-2(4)|AU-6(1)(3)|AU-7(1)|CA-7(a)(b)|IR-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4
+REDSHIFT_CLUSTER_CONFIGURATION_CHECK,redshift-cluster-configuration-check,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-13|SC-28,4
+IAM_ROOT_ACCESS_KEY_CHECK,iam-root-access-key-check,AC-2(f)|AC-2(j)|AC-3|AC-6|AC-6(10),4
+S3_BUCKET_LOGGING_ENABLED,s3-bucket-logging-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
+CLOUDTRAIL_S3_DATAEVENTS_ENABLED,cloudtrail-s3-dataevents-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
+ROOT_ACCOUNT_MFA_ENABLED,root-account-mfa-enabled,AC-2(j)|IA-2(1)(11),4
+EMR_KERBEROS_ENABLED,emr-kerberos-enabled,AC-2(j)|AC-3|AC-5(c)|AC-6,4
+IAM_GROUP_HAS_USERS_CHECK,iam-group-has-users-check,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4
+IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS,iam-policy-no-statements-with-admin-access,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4
+IAM_USER_NO_POLICIES_CHECK,iam-user-no-policies-check,AC-2(j)|AC-3|AC-5(c)|AC-6,4
+S3_BUCKET_PUBLIC_WRITE_PROHIBITED,s3-bucket-public-write-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED,lambda-function-public-access-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+RDS_SNAPSHOTS_PUBLIC_PROHIBITED,rds-snapshots-public-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK,redshift-cluster-public-access-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+S3_BUCKET_POLICY_GRANTEE_CHECK,s3-bucket-policy-grantee-check,AC-3|AC-6|SC-7|SC-7(3),4
+S3_BUCKET_PUBLIC_READ_PROHIBITED,s3-bucket-public-read-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS,s3-account-level-public-access-blocks,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+DMS_REPLICATION_NOT_PUBLIC,dms-replication-not-public,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK,ebs-snapshot-public-restorable-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS,sagemaker-notebook-no-direct-internet-access,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+RDS_INSTANCE_PUBLIC_ACCESS_CHECK,rds-instance-public-access-check,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+LAMBDA_INSIDE_VPC,lambda-inside-vpc,AC-4|SC-7|SC-7(3),4
+INSTANCES_IN_VPC,ec2-instances-in-vpc,AC-4|SC-7|SC-7(3),4
+RESTRICTED_INCOMING_TRAFFIC,restricted-common-ports,AC-4|CM-2|SC-7|SC-7(3),4
+INCOMING_SSH_DISABLED,restricted-ssh,AC-4|SC-7|SC-7(3),4
+VPC_DEFAULT_SECURITY_GROUP_CLOSED,vpc-default-security-group-closed,AC-4|SC-7|SC-7(3),4
+VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS,vpc-sg-open-only-to-authorized-ports,AC-4|SC-7|SC-7(3),4
+ACM_CERTIFICATE_EXPIRATION_CHECK,acm-certificate-expiration-check,AC-4|AC-17(2)|SC-12,4
+EC2_INSTANCE_NO_PUBLIC_IP,ec2-instance-no-public-ip,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+ELASTICSEARCH_IN_VPC_ONLY,elasticsearch-in-vpc-only,AC-4|SC-7|SC-7(3),4
+EMR_MASTER_NO_PUBLIC_IP,emr-master-no-public-ip,AC-4|AC-21(b)|SC-7|SC-7(3),4
+INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY,internet-gateway-authorized-vpc-only,AC-4|AC-17(3)|SC-7|SC-7(3),4
+CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK,codebuild-project-envvar-awscred-check,AC-6|IA-5(7)|SA-3(a),4
+EC2_IMDSV2_CHECK,ec2-imdsv2-check,AC-6,4
+IAM_NO_INLINE_POLICY_CHECK,iam-no-inline-policy-check,AC-6,4
+ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK,alb-http-to-https-redirection-check,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13|SC-23,4
+REDSHIFT_REQUIRE_TLS_SSL,redshift-require-tls-ssl,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
+S3_BUCKET_SSL_REQUESTS_ONLY,s3-bucket-ssl-requests-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
+ELB_ACM_CERTIFICATE_REQUIRED,elb-acm-certificate-required,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
+ALB_HTTP_DROP_INVALID_HEADER_ENABLED,alb-http-drop-invalid-header-enabled,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4
+ELB_TLS_HTTPS_LISTENERS_ONLY,elb-tls-https-listeners-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4
+API_GW_EXECUTION_LOGGING_ENABLED,api-gw-execution-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
+ELB_LOGGING_ENABLED,elb-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
+VPC_FLOW_LOGS_ENABLED,vpc-flow-logs-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
+WAFV2_LOGGING_ENABLED,wafv2-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-7|SI-4(a)(b)(c),4
+CLOUD_TRAIL_ENCRYPTION_ENABLED,cloud-trail-encryption-enabled,AU-9|SC-13|SC-28,4
+CLOUDWATCH_LOG_GROUP_ENCRYPTED,cloudwatch-log-group-encrypted,AU-9|SC-13|SC-28,4
+S3_BUCKET_REPLICATION_ENABLED,s3-bucket-replication-enabled,AU-9(2)|CP-9(b)|CP-10|SC-5|SC-36,4
+CW_LOGGROUP_RETENTION_PERIOD_CHECK,cw-loggroup-retention-period-check,AU-11|SI-12,4
+EC2_INSTANCE_DETAILED_MONITORING_ENABLED,ec2-instance-detailed-monitoring-enabled,CA-7(a)(b)|SI-4(2)|SI-4(a)(b)(c),4
+RDS_ENHANCED_MONITORING_ENABLED,rds-enhanced-monitoring-enabled,CA-7(a)(b),4
+EC2_INSTANCE_MANAGED_BY_SSM,ec2-instance-managed-by-systems-manager,CM-2|CM-7(a)|CM-8(1)|CM-8(3)(a)|SA-3(a)|SA-10|SI-2(2)|SI-7(1),4
+EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK,ec2-managedinstance-association-compliance-status-check,CM-2|CM-7(a)|CM-8(3)(a)|SI-2(2),4
+EC2_STOPPED_INSTANCE,ec2-stopped-instance,CM-2,4
+EC2_VOLUME_INUSE_CHECK,ec2-volume-inuse-check,CM-2|SC-4,4
+ELB_DELETION_PROTECTION_ENABLED,elb-deletion-protection-enabled,CM-2|CP-10,4
+CLOUDTRAIL_SECURITY_TRAIL_ENABLED,cloudtrail-security-trail-enabled,CM-2,4
+EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK,ec2-managedinstance-patch-compliance-status-check,CM-8(3)(a)|SI-2(2)|SI-7(1),4
+DB_INSTANCE_BACKUP_ENABLED,db-instance-backup-enabled,CP-9(b)|CP-10|SI-12,4
+DYNAMODB_PITR_ENABLED,dynamodb-pitr-enabled,CP-9(b)|CP-10|SI-12,4
+ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK,elasticache-redis-cluster-automatic-backup-check,CP-9(b)|CP-10|SI-12,4
+DYNAMODB_IN_BACKUP_PLAN,dynamodb-in-backup-plan,CP-9(b)|CP-10|SI-12,4
+EBS_IN_BACKUP_PLAN,ebs-in-backup-plan,CP-9(b)|CP-10|SI-12,4
+EFS_IN_BACKUP_PLAN,efs-in-backup-plan,CP-9(b)|CP-10|SI-12,4
+RDS_IN_BACKUP_PLAN,rds-in-backup-plan,CP-9(b)|CP-10|SI-12,4
+DYNAMODB_AUTOSCALING_ENABLED,dynamodb-autoscaling-enabled,CP-10|SC-5,4
+RDS_MULTI_AZ_SUPPORT,rds-multi-az-support,CP-10|SC-5|SC-36,4
+S3_BUCKET_VERSIONING_ENABLED,s3-bucket-versioning-enabled,CP-10|SI-12,4
+VPC_VPN_2_TUNNELS_UP,vpc-vpn-2-tunnels-up,CP-10,4
+ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED,elb-cross-zone-load-balancing-enabled,CP-10|SC-5,4
+ROOT_ACCOUNT_HARDWARE_MFA_ENABLED,root-account-hardware-mfa-enabled,IA-2(1)(11),4
+MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS,mfa-enabled-for-iam-console-access,IA-2(1)(2)(11),4
+IAM_USER_MFA_ENABLED,iam-user-mfa-enabled,IA-2(1)(2)(11),4
+GUARDDUTY_NON_ARCHIVED_FINDINGS,guardduty-non-archived-findings,IR-4(1)|IR-6(1)|IR-7(1)|RA-5|SA-10|SI-4(a)(b)(c),4
+CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK,codebuild-project-source-repo-url-check,SA-3(a),4
+AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED,autoscaling-group-elb-healthcheck-required,SC-5,4
+RDS_INSTANCE_DELETION_PROTECTION_ENABLED,rds-instance-deletion-protection-enabled,SC-5,4
+ALB_WAF_ENABLED,alb-waf-enabled,SC-7|SI-4(a)(b)(c),4
+ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK,elasticsearch-node-to-node-encryption-check,SC-7|SC-8|SC-8(1),4
+CMK_BACKING_KEY_ROTATION_ENABLED,cmk-backing-key-rotation-enabled,SC-12,4
+KMS_CMK_NOT_SCHEDULED_FOR_DELETION,kms-cmk-not-scheduled-for-deletion,SC-12|SC-28,4
+API_GW_CACHE_ENABLED_AND_ENCRYPTED,api-gw-cache-enabled-and-encrypted,SC-13|SC-28,4
+EFS_ENCRYPTED_CHECK,efs-encrypted-check,SC-13|SC-28,4
+ELASTICSEARCH_ENCRYPTED_AT_REST,elasticsearch-encrypted-at-rest,SC-13|SC-28,4
+ENCRYPTED_VOLUMES,encrypted-volumes,SC-13|SC-28,4
+RDS_STORAGE_ENCRYPTED,rds-storage-encrypted,SC-13|SC-28,4
+S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED,s3-bucket-server-side-encryption-enabled,SC-13|SC-28,4
+SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED,sagemaker-endpoint-configuration-kms-key-configured,SC-13|SC-28,4
+SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED,sagemaker-notebook-instance-kms-key-configured,SC-13|SC-28,4
+SNS_ENCRYPTED_KMS,sns-encrypted-kms,SC-13|SC-28,4
+DYNAMODB_TABLE_ENCRYPTED_KMS,dynamodb-table-encrypted-kms,SC-13,4
+S3_BUCKET_DEFAULT_LOCK_ENABLED,s3-bucket-default-lock-enabled,SC-28,4
+EC2_EBS_ENCRYPTION_BY_DEFAULT,ec2-ebs-encryption-by-default,SC-28,4
+RDS_SNAPSHOT_ENCRYPTED,rds-snapshot-encrypted,SC-28,4
+CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED,cloud-trail-log-file-validation-enabled,SI-7|SI-7(1),4

data/lib/heimdall_tools/aws_config_mapper.rb CHANGED Viewed

@@ -13,17 +13,19 @@ INSUFFICIENT_DATA_MSG = 'Not enough data has been collectd to determine complian
 ##
 # HDF mapper for use with AWS Config rules.
 #
-# Ruby AWS Ruby SDK for ConfigService:
+# Ruby AWS Ruby SDK for ConfigService:
 # - https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/ConfigService/Client.html
 #
-# rubocop:disable Metrics/AbcSize, Metrics/ClassLength
 module HeimdallTools
   class AwsConfigMapper
-    def initialize(custom_mapping, verbose = false)
-      @verbose = verbose
+    def initialize(custom_mapping, endpoint = nil)
       @default_mapping = get_rule_mapping(AWS_CONFIG_MAPPING_FILE)
       @custom_mapping = custom_mapping.nil? ? {} : get_rule_mapping(custom_mapping)
-      @client = Aws::ConfigService::Client.new
+      if endpoint.nil?
+        @client = Aws::ConfigService::Client.new
+      else
+        @client = Aws::ConfigService::Client.new(endpoint: endpoint)
+      end
       @issues = get_all_config_rules
     end
@@ -35,8 +37,8 @@ module HeimdallTools
     def to_hdf
       controls = @issues.map do |issue|
         @item = {}
-        @item['id']              = issue[:config_rule_name]
-        @item['title']           = issue[:config_rule_name]
+        @item['id']              = issue[:config_rule_id]
+        @item['title']           = "#{get_account_id(issue[:config_rule_arn])} - #{issue[:config_rule_name]}"
         @item['desc']            = issue[:description]
         @item['impact']          = 0.5
         @item['tags']            = hdf_tags(issue)
@@ -52,27 +54,42 @@ module HeimdallTools
           @item
         end
       end
       results = HeimdallDataFormat.new(
         profile_name: 'AWS Config',
          title: 'AWS Config',
          summary: 'AWS Config',
          controls: controls,
-         statistics: { aws_config_sdk_version: Aws::ConfigService::GEM_VERSION }
-        )
+         statistics: { aws_config_sdk_version: Aws::ConfigService::GEM_VERSION },
+      )
       results.to_hdf
     end
     private
+    ##
+    # Gets the account ID from a config rule ARN
+    #
+    # https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    # https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html
+    #
+    # Params:
+    # - arn: The ARN of the config rule
+    #
+    # Returns: The account ID portion of the ARN
+    def get_account_id(arn)
+      /:(\d{12}):config-rule/.match(arn)&.captures&.first || 'no-account-id'
+    end
     ##
     # Read in a config rule -> 800-53 control mapping CSV.
     #
-    # Params:
+    # Params:
     # - path: The file path to the CSV file
     #
     # Returns: A mapped version of the csv in the format { rule_name: row, ... }
     def get_rule_mapping(path)
-      Hash[CSV.read(path, headers: true).map { |row| [row[0], row] }]
+      CSV.read(path, headers: true).map { |row| [row['AwsConfigRuleSourceIdentifier'], row] }.to_h
     end
     ##
@@ -142,7 +159,7 @@ module HeimdallTools
       end
       # Map based on name for easy lookup
-      Hash[compliance_results.collect { |r| [r.config_rule_name, r.to_h] }]
+      compliance_results.collect { |r| [r.config_rule_name, r.to_h] }.to_h
     end
     ##
@@ -192,7 +209,7 @@ module HeimdallTools
                                      (result[:result_recorded_time] - result[:config_rule_invoked_time]).round(6)
                                    end
           # status
-          hdf_result['status'] = case result.dig(:compliance_type)
+          hdf_result['status'] = case result[:compliance_type]
                                  when 'COMPLIANT'
                                    'passed'
                                  when 'NON_COMPLIANT'
@@ -209,19 +226,19 @@ module HeimdallTools
         when 'NOT_APPLICABLE'
           rule[:impact] = 0
           rule[:results] << {
-            'run_time': 0,
-            'code_desc': NOT_APPLICABLE_MSG,
-            'skip_message': NOT_APPLICABLE_MSG,
-            'start_time': DateTime.now.strftime('%Y-%m-%dT%H:%M:%S%:z'),
-            'status': 'skipped'
+            run_time: 0,
+            code_desc: NOT_APPLICABLE_MSG,
+            skip_message: NOT_APPLICABLE_MSG,
+            start_time: DateTime.now.strftime('%Y-%m-%dT%H:%M:%S%:z'),
+            status: 'skipped'
           }
         when 'INSUFFICIENT_DATA'
           rule[:results] << {
-            'run_time': 0,
-            'code_desc': INSUFFICIENT_DATA_MSG,
-            'skip_message': INSUFFICIENT_DATA_MSG,
-            'start_time': DateTime.now.strftime('%Y-%m-%dT%H:%M:%S%:z'),
-            'status': 'skipped'
+            run_time: 0,
+            code_desc: INSUFFICIENT_DATA_MSG,
+            skip_message: INSUFFICIENT_DATA_MSG,
+            start_time: DateTime.now.strftime('%Y-%m-%dT%H:%M:%S%:z'),
+            status: 'skipped'
           }
         end
       end
@@ -239,18 +256,17 @@ module HeimdallTools
     def hdf_tags(config_rule)
       result = {}
-      @default_mapping
-      @custom_mapping
+      source_identifier = config_rule.dig(:source, :source_identifier)
       # NIST tag
       result['nist'] = []
-      default_mapping_match = @default_mapping[config_rule[:config_rule_name]]
-      result['nist'] += default_mapping_match[1].split('|') unless default_mapping_match.nil?
+      default_mapping_match = @default_mapping[source_identifier]
+      result['nist'] += default_mapping_match['NIST-ID'].split('|') unless default_mapping_match.nil?
+      custom_mapping_match = @custom_mapping[source_identifier]
-      custom_mapping_match = @custom_mapping[config_rule[:config_rule_name]]
-      result['nist'] += custom_mapping_match[1].split('|').map { |name| "#{name} (user provided)" } unless custom_mapping_match.nil?
+      result['nist'] += custom_mapping_match['NIST-ID'].split('|').map { |name| "#{name} (user provided)" } unless custom_mapping_match.nil?
       result['nist'] = ['unmapped'] if result['nist'].empty?
@@ -258,8 +274,11 @@ module HeimdallTools
     end
     def check_text(config_rule)
-      params = (JSON.parse(config_rule[:input_parameters]).map { |key, value| "#{key}: #{value}" }).join('<br/>')
-      check_text = config_rule[:config_rule_arn]
+      # If no input parameters, then provide an empty JSON array to the JSON
+      # parser because passing nil to JSON.parse throws an exception.
+      params = (JSON.parse(config_rule[:input_parameters] || '[]').map { |key, value| "#{key}: #{value}" }).join('<br/>')
+      check_text = "ARN: #{config_rule[:config_rule_arn] || 'N/A'}"
+      check_text += "<br/>Source Identifier: #{config_rule.dig(:source, :source_identifier) || 'N/A'}"
       check_text += "<br/>#{params}" unless params.empty?
       check_text
     end
@@ -274,11 +293,10 @@ module HeimdallTools
     def hdf_descriptions(config_rule)
       [
         {
-          'label': 'check',
-          'data': check_text(config_rule)
-        }
+          label: 'check',
+          data: check_text(config_rule)
+        },
       ]
     end
   end
 end
-# rubocop:enable Metrics/AbcSize, Metrics/ClassLength

data/lib/heimdall_tools/burpsuite_mapper.rb CHANGED Viewed

@@ -16,15 +16,12 @@ IMPACT_MAPPING = {
 CWE_REGEX = 'CWE-(\d*):'.freeze
-DEFAULT_NIST_TAG = ["SA-11", "RA-5", "Rev_4"].freeze
-# rubocop:disable Metrics/AbcSize
+DEFAULT_NIST_TAG = %w{SA-11 RA-5 Rev_4}.freeze
 module HeimdallTools
   class BurpSuiteMapper
-    def initialize(burps_xml, name=nil, verbose = false)
+    def initialize(burps_xml, _name = nil)
       @burps_xml = burps_xml
-      @verbose = verbose
       begin
         @cwe_nist_mapping = parse_mapper
@@ -33,11 +30,9 @@ module HeimdallTools
         @issues = data['issues']['issue']
         @burpVersion = data['issues']['burpVersion']
         @timestamp = data['issues']['exportTime']
       rescue StandardError => e
         raise "Invalid Burpsuite XML file provided Exception: #{e}"
       end
     end
     def parse_html(block)
@@ -86,17 +81,17 @@ module HeimdallTools
     end
     def desc_tags(data, label)
-      { "data": data || NA_STRING, "label": label || NA_STRING }
+      { data: data || NA_STRING, label: label || NA_STRING }
     end
     # Burpsuite report could have multiple issue entries for multiple findings of same issue type.
-    # The meta data is identical across entries
+    # The meta data is identical across entries
     # method collapse_duplicates return unique controls with applicable findings collapsed into it.
     def collapse_duplicates(controls)
       unique_controls = []
       controls.map { |x| x['id'] }.uniq.each do |id|
-        collapsed_results = controls.select { |x| x['id'].eql?(id) }.map {|x| x['results']}
+        collapsed_results = controls.select { |x| x['id'].eql?(id) }.map { |x| x['results'] }
         unique_control = controls.find { |x| x['id'].eql?(id) }
         unique_control['results'] = collapsed_results.flatten
         unique_controls << unique_control
@@ -129,8 +124,8 @@ module HeimdallTools
       controls = collapse_duplicates(controls)
       results = HeimdallDataFormat.new(profile_name: 'BurpSuite Pro Scan',
                                        version: @burpVersion,
-                                       title: "BurpSuite Pro Scan",
-                                       summary: "BurpSuite Pro Scan",
+                                       title: 'BurpSuite Pro Scan',
+                                       summary: 'BurpSuite Pro Scan',
                                        controls: controls)
       results.to_hdf
     end