sensu-plugins-aws 10.1.2 → 10.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -1
- data/README.md +2 -0
- data/bin/check-s3-bucket-visibility.rb +115 -0
- data/lib/sensu-plugins-aws/version.rb +2 -2
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a16969efd75d8180a047d23203b50d8def65e1fa1195c0d9aa01ad33d0fac551
|
|
4
|
+
data.tar.gz: 27dfefdff63801d47729edc185c112d1bc78027760338442b914431b75446d04
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 40bb528c7369ebac03a58c8a550c9cf691996bd1cb35d48e5c82907033c342abb611129cd95a76e8653d7e9d17644e71d71a7cbb26a026f1c8ea84e90acee557
|
|
7
|
+
data.tar.gz: 840436086db63a6e42b8c86d51c30c92d942efb25f2cd8451d199cc07f7205ec7a0a98a8d24f3ed71585a88349d05c19dd29bd520df2444f548bdb74c86f7eb6
|
data/CHANGELOG.md
CHANGED
|
@@ -5,6 +5,11 @@ This CHANGELOG follows the format listed [here](https://github.com/sensu-plugins
|
|
|
5
5
|
|
|
6
6
|
## [Unreleased]
|
|
7
7
|
|
|
8
|
+
## [10.2.0] - 2018-01-20
|
|
9
|
+
### Added
|
|
10
|
+
- `check-s3-bucket-visiblity.rb` - checks an S3 bucket for existence of a website configuration or bucket policy containing `Get*`,
|
|
11
|
+
`List*` or `*` statements. (@rhussmann)
|
|
12
|
+
|
|
8
13
|
## [10.1.2] - 2018-01-13
|
|
9
14
|
### Security
|
|
10
15
|
- updated rubocop dependency to `~> 0.51.0` per: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8418. (@majormoses)
|
|
@@ -422,7 +427,8 @@ WARNING: This release contains major breaking changes that will impact all user
|
|
|
422
427
|
### Added
|
|
423
428
|
- initial release
|
|
424
429
|
|
|
425
|
-
[Unreleased]: https://github.com/sensu-plugins/sensu-plugins-aws/compare/10.
|
|
430
|
+
[Unreleased]: https://github.com/sensu-plugins/sensu-plugins-aws/compare/10.2.0...HEAD
|
|
431
|
+
[10.2.0]:https://github.com/sensu-plugins/sensu-plugins-aws/compare/10.1.2...10.2.0
|
|
426
432
|
[10.1.2]: https://github.com/sensu-plugins/sensu-plugins-aws/compare/10.1.1...10.1.2
|
|
427
433
|
[10.1.1]: https://github.com/sensu-plugins/sensu-plugins-aws/compare/10.1.0...10.1.1
|
|
428
434
|
[10.1.0]: https://github.com/sensu-plugins/sensu-plugins-aws/compare/10.1.0...10.0.3
|
data/README.md
CHANGED
|
@@ -0,0 +1,115 @@
|
|
|
1
|
+
#! /usr/bin/env ruby
|
|
2
|
+
#
|
|
3
|
+
# check-s3-bucket-visibility
|
|
4
|
+
#
|
|
5
|
+
# DESCRIPTION:
|
|
6
|
+
# This plugin checks a bucket for website configuration and bucket policy.
|
|
7
|
+
# It alerts if the bucket has a website configuration, or a policy that has
|
|
8
|
+
# Get or List actions.
|
|
9
|
+
#
|
|
10
|
+
# OUTPUT:
|
|
11
|
+
# plain-text
|
|
12
|
+
#
|
|
13
|
+
# PLATFORMS:
|
|
14
|
+
# Linux
|
|
15
|
+
#
|
|
16
|
+
# DEPENDENCIES:
|
|
17
|
+
# gem: aws-sdk
|
|
18
|
+
# gem: sensu-plugin
|
|
19
|
+
#
|
|
20
|
+
# USAGE:
|
|
21
|
+
# ./check-s3-bucket-visibility.rb --bucket-name mybucket --aws-region eu-west-1
|
|
22
|
+
#
|
|
23
|
+
# NOTES:
|
|
24
|
+
#
|
|
25
|
+
# LICENSE:
|
|
26
|
+
# Copyright (c) 2015, Olivier Bazoud and Ricky Hussmann,
|
|
27
|
+
# olivier.bazoud@gmail.com, ricky.hussmann@gmail.com
|
|
28
|
+
# Released under the same terms as Sensu (the MIT license); see LICENSE
|
|
29
|
+
# for details.
|
|
30
|
+
#
|
|
31
|
+
|
|
32
|
+
require 'aws-sdk'
|
|
33
|
+
require 'sensu-plugin/check/cli'
|
|
34
|
+
require 'sensu-plugins-aws'
|
|
35
|
+
|
|
36
|
+
class CheckS3Bucket < Sensu::Plugin::Check::CLI
|
|
37
|
+
include Common
|
|
38
|
+
option :aws_region,
|
|
39
|
+
short: '-r AWS_REGION',
|
|
40
|
+
long: '--aws-region REGION',
|
|
41
|
+
description: 'AWS Region (defaults to us-east-1).',
|
|
42
|
+
default: 'us-east-1'
|
|
43
|
+
|
|
44
|
+
option :bucket_names,
|
|
45
|
+
short: '-b BUCKET_NAMES',
|
|
46
|
+
long: '--bucket-names',
|
|
47
|
+
description: 'A comma seperated list of S3 buckets to check'
|
|
48
|
+
|
|
49
|
+
option :critical_on_missing,
|
|
50
|
+
short: '-m ',
|
|
51
|
+
long: '--critical-on-missing',
|
|
52
|
+
description: 'The check will fail with CRITICAL rather than WARN when a bucket is not found',
|
|
53
|
+
default: 'false'
|
|
54
|
+
|
|
55
|
+
def true?(obj)
|
|
56
|
+
!obj.nil? && obj.to_s.casecmp('true') != -1
|
|
57
|
+
end
|
|
58
|
+
|
|
59
|
+
def s3_client
|
|
60
|
+
@s3_client ||= Aws::S3::Client.new
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
def website_configuration?(bucket_name)
|
|
64
|
+
s3_client.get_bucket_website(bucket: bucket_name)
|
|
65
|
+
true
|
|
66
|
+
rescue Aws::S3::Errors::NoSuchWebsiteConfiguration
|
|
67
|
+
false
|
|
68
|
+
end
|
|
69
|
+
|
|
70
|
+
def get_bucket_policy(bucket_name)
|
|
71
|
+
JSON.parse(s3_client.get_bucket_policy(bucket: bucket_name).policy.string)
|
|
72
|
+
rescue Aws::S3::Errors::NoSuchBucketPolicy
|
|
73
|
+
{ 'Statement' => [] }
|
|
74
|
+
end
|
|
75
|
+
|
|
76
|
+
def policy_too_permissive?(policy)
|
|
77
|
+
policy['Statement'].any? { |s| statement_too_permissive? s }
|
|
78
|
+
end
|
|
79
|
+
|
|
80
|
+
def statement_too_permissive?(s)
|
|
81
|
+
actions_contain_get_or_list? Array(s['Action'])
|
|
82
|
+
end
|
|
83
|
+
|
|
84
|
+
def actions_contain_get_or_list?(actions)
|
|
85
|
+
actions.any? { |a| !Array(a).grep(/^s3:Get|s3:List|s3:\*/).empty? }
|
|
86
|
+
end
|
|
87
|
+
|
|
88
|
+
def run
|
|
89
|
+
errors = []
|
|
90
|
+
warnings = []
|
|
91
|
+
buckets = config[:bucket_names].split ','
|
|
92
|
+
|
|
93
|
+
buckets.each do |bucket_name|
|
|
94
|
+
begin
|
|
95
|
+
if website_configuration?(bucket_name)
|
|
96
|
+
errors.push "#{bucket_name}: website configuration found"
|
|
97
|
+
end
|
|
98
|
+
if policy_too_permissive?(get_bucket_policy(bucket_name))
|
|
99
|
+
errors.push "#{bucket_name}: bucket policy too permissive"
|
|
100
|
+
end
|
|
101
|
+
rescue Aws::S3::Errors::NoSuchBucket => _
|
|
102
|
+
mesg = "Bucket #{bucket_name} not found"
|
|
103
|
+
true?(config[:critical_on_missing]) ? errors.push(mesg) : warnings.push(mesg)
|
|
104
|
+
end
|
|
105
|
+
end
|
|
106
|
+
|
|
107
|
+
if !errors.empty?
|
|
108
|
+
critical errors.join '; '
|
|
109
|
+
elsif !warnings.empty?
|
|
110
|
+
warning warnings.join '; '
|
|
111
|
+
else
|
|
112
|
+
ok "#{buckets.join ','} not exposed via website or bucket policy"
|
|
113
|
+
end
|
|
114
|
+
end
|
|
115
|
+
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: sensu-plugins-aws
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 10.
|
|
4
|
+
version: 10.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sensu-Plugins and contributors
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-01-
|
|
11
|
+
date: 2018-01-20 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: sensu-plugin
|
|
@@ -302,6 +302,7 @@ executables:
|
|
|
302
302
|
- check-reserved-instances.rb
|
|
303
303
|
- check-route.rb
|
|
304
304
|
- check-route53-domain-expiration.rb
|
|
305
|
+
- check-s3-bucket-visibility.rb
|
|
305
306
|
- check-s3-bucket.rb
|
|
306
307
|
- check-s3-object.rb
|
|
307
308
|
- check-s3-tag.rb
|
|
@@ -384,6 +385,7 @@ files:
|
|
|
384
385
|
- bin/check-reserved-instances.rb
|
|
385
386
|
- bin/check-route.rb
|
|
386
387
|
- bin/check-route53-domain-expiration.rb
|
|
388
|
+
- bin/check-s3-bucket-visibility.rb
|
|
387
389
|
- bin/check-s3-bucket.rb
|
|
388
390
|
- bin/check-s3-object.rb
|
|
389
391
|
- bin/check-s3-tag.rb
|