nsauditor-ai-agent-skill 0.1.41 → 0.1.43
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +15 -1
- package/README.md +1 -1
- package/SKILL.md +2 -2
- package/package.json +1 -1
- package/references/plugins.md +1 -0
package/CHANGELOG.md
CHANGED
|
@@ -4,7 +4,21 @@ Release notes for **`nsauditor-ai-agent-skill`** — installable knowledge packa
|
|
|
4
4
|
|
|
5
5
|
---
|
|
6
6
|
|
|
7
|
-
## 0.1.
|
|
7
|
+
## 0.1.43 (STAGED — paired trio publish pending) — Paired-release pin for EE 0.13.1 + CE 0.1.76 — CIS-Hardened-Image LIVE detection + plugin 1210
|
|
8
|
+
|
|
9
|
+
Paired-release pin for the EE 0.13.1 cycle: CIS-Hardened-Image detection goes LIVE, NEW **plugin 1210 `aws-ec2-instance-auditor`** (AWS EC2 instance-level audit + Hardened-Image producer) takes the EE plugin count **24 → 25**, Azure (1022) + GCP (1021) gain `cisImageInventory` capture (multi-cloud detection end-to-end), the CIS Controls v8 matrix grows 17/21/115 → **17/22/114** (Safeguard 9.5 DMARC OOS→partial), and all four ISO 0.12.1 deferrals close. SKILL.md + README + `references/plugins.md` updated to the full 25-plugin catalog (1020-1210). No standalone agent-skill code changes.
|
|
10
|
+
|
|
11
|
+
## 0.1.42 (PUBLISHED 2026-05-24) — Paired-release pin for EE 0.13.0 + CE 0.1.75 — CIS Critical Security Controls v8 sixth-framework introduction
|
|
12
|
+
|
|
13
|
+
**Cycle hook**: EE 0.13.0 ships CIS Critical Security Controls v8 (Center for Internet Security, May 2021; v8.1 errata June 2024) as the sixth Track 3 framework — **17 covered + 21 partial + 115 OOS across 153 Safeguards / 18 Controls / 3 cumulative Implementation Groups** (engine substrate IG1 23-of-56 / IG2-cumulative 36-of-130 / IG3-cumulative 38-of-153). Implementation Group cumulative discipline (IG1=56 cyber-insurance baseline / IG2 cumulative=130 / IG3 cumulative=153; smallest-IG-membership tagging) + no-certification-body attestation discipline (CSAT / CIS-CAT Pro self-attestation, never "CIS certified") + Cloud Companion Guide v8 shared-responsibility + CIS-Hardened-Image substrate-evidence credit (4.1/4.2/4.6) + 5 Security Functions NOT 6 (no Govern) + 6 Asset Types + MS-ISAC/EI-ISAC/H-ISAC sector baselines + v7.1-to-v8 cross-reference. Skill #19 `audit-cis-controls-v8-implementation-group-perspective` authored 2026-05-24 via /skill-creator (833 lines / 5 files) per the institutional Per-Framework Adversarial-Audit Skill Pairing pattern. **`compliance_check` SKILL.md row updated FIVE → SIX shipped frameworks** with CIS Safeguard examples + IG-cumulative + no-cert-body attestation framing. No other agent-skill code changes — paired-publish for trio-publish discipline + customer discoverability.
|
|
14
|
+
|
|
15
|
+
**Plugin catalog**: UNCHANGED at 24 plugins; MCP tool signatures unchanged; schemas unchanged; workflows unchanged. **SOC 2 + HIPAA + NIST CSF + PCI DSS + ISO 27001 matrices ALL UNCHANGED**; **CIS Controls v8 matrix NEW at 17/21/115 across 153 Safeguards**.
|
|
16
|
+
|
|
17
|
+
**THIRTY-SECOND consecutive trio-publish** institutionalized 0.4.5–0.13.0.
|
|
18
|
+
|
|
19
|
+
---
|
|
20
|
+
|
|
21
|
+
## 0.1.41 (PUBLISHED 2026-05-24) — Paired-release pin for EE 0.12.0 + CE 0.1.74 — ISO/IEC 27001:2022 fifth-framework introduction
|
|
8
22
|
|
|
9
23
|
**Cycle hook**: EE 0.12.0 ships ISO/IEC 27001:2022 as the fifth Track 3 framework — 17 covered + 14 partial + 62 OOS across 93 Annex A controls (the complete Annex A universe across 4 themes). Statement of Applicability per Clause 6.1.3.d discipline + ISMS Clauses 4-10 OOS-by-design framing + 11 NEW 2022 controls + 5-attribute taxonomy + 2013-to-2022 transition discipline. Skill #18 `audit-iso-27001-2022-statement-of-applicability` authored 2026-05-24 via /skill-creator (705 lines / 5 files) per the institutional Per-Framework Adversarial-Audit Skill Pairing pattern. No agent-skill code changes — paired-publish for trio-publish discipline + customer discoverability.
|
|
10
24
|
|
package/README.md
CHANGED
|
@@ -109,7 +109,7 @@ This package provides **knowledge about** NSAuditor AI. To actually **run** scan
|
|
|
109
109
|
|---------|-------|-----------|
|
|
110
110
|
| **Community** | Free / MIT | 27 plugins (service probes + host/network discovery + intelligence/meta), basic AI, SARIF, CTEM, scan history |
|
|
111
111
|
| **Pro** | $49/mo | + CVE matching, verification probes, risk scoring, 3 Pro plugins (040 TLS / 050 TRIBE / 060 DNS) |
|
|
112
|
-
| **Enterprise** | $2k+/yr | +
|
|
112
|
+
| **Enterprise** | $2k+/yr | + 23 cloud-substrate auditor plugins (1020-1210 range; AWS / GCP / Azure SOC 2 evidence-pack), Zero Trust, RFC 3161 timestamps, chain-of-custody attestations, air-gapped deployment |
|
|
113
113
|
|
|
114
114
|
→ [Pricing](https://www.nsauditor.com/ai/pricing/)
|
|
115
115
|
|
package/SKILL.md
CHANGED
|
@@ -144,7 +144,7 @@ These tools return a license upgrade prompt on CE installations:
|
|
|
144
144
|
| `save_finding` | Pro | Persist a validated finding to the finding queue |
|
|
145
145
|
| `start_assessment` | Enterprise | Multi-host orchestrated security assessment |
|
|
146
146
|
| `prioritize_risks` | Enterprise | Cross-host risk prioritization and ranking |
|
|
147
|
-
| `compliance_check` | Enterprise | SOC 2 (AICPA TSC 2017) + HIPAA (§164.312 Technical Safeguards) + NIST CSF 2.0 Core + PCI DSS v4.0.1 (sub-requirement-level for QSA RoC; PCI SSC June 2024 errata) +
|
|
147
|
+
| `compliance_check` | Enterprise | SOC 2 (AICPA TSC 2017) + HIPAA (§164.312 Technical Safeguards) + NIST CSF 2.0 Core + PCI DSS v4.0.1 (sub-requirement-level for QSA RoC; PCI SSC June 2024 errata) + ISO/IEC 27001:2022 (per-Annex-A-code-level for ISO/IEC 17021-1 certification body assessors; ISO + IEC October 2022; 2013 edition retired October 31, 2025) + **CIS Critical Security Controls v8** (per-Safeguard-level; Center for Internet Security May 2021, v8.1 errata June 2024) gap analysis — all six shipped (SOC 2 EE 0.3.x; HIPAA EE 0.9.0; NIST CSF 2.0 EE 0.10.0; PCI DSS v4.0.1 EE 0.11.0; ISO/IEC 27001:2022 EE 0.12.0; **CIS Controls v8 EE 0.13.0**). Multi-framework via `--compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8` (any CSV subset; hexa-framework one-scan produces six complete auditor-ready evidence packs). **CIS Controls v8**: 17 covered + 22 partial + 114 OOS across 153 Safeguards / 18 Controls. **Implementation Group cumulative discipline** — IG1=56 (cyber-insurance baseline; ~50-70% of mid-market policies require IG1 attestation), IG2 cumulative=130, IG3 cumulative=153; smallest-IG-membership tagging (NEVER report IG2 as 74-of-74 in isolation). **No-certification-body attestation discipline** — engine output is INPUT to CSAT / CIS-CAT Pro self-attestation OR a SOC 2 auditor cross-validating CIS scope, never "CIS certified." Cloud Companion Guide v8 shared-responsibility + CIS-Hardened-Image substrate-evidence credit (Safeguards 4.1/4.2/4.6) + 5 Security Functions (NOT 6 — no Govern) + 6 Asset Types + MS-ISAC/EI-ISAC/H-ISAC sector baselines + v7.1-to-v8 cross-reference. CIS Safeguard examples: `3.3` Data Access Control Lists, `5.4` Restrict Administrator Privileges, `6.3` MFA for Externally-Exposed Applications, `8.2` Collect Audit Logs, `11.4` Isolated Recovery Data Instance. ISO 27001 Annex A code examples: `A.5.15` Access control, `A.5.23` NEW 2022 Cloud services, `A.8.5` Secure authentication, `A.8.9` NEW 2022 Configuration management, `A.8.16` NEW 2022 Monitoring activities, `A.8.24` Use of cryptography. Statement of Applicability per Clause 6.1.3.d discipline + ISMS Clauses 4-10 OOS-by-design framing (7 Major Nonconformity classes — absence of internal audit per Clause 9.2 or management review per Clause 9.3 = auto-fail Stage 2) + 5-attribute taxonomy NEW in 2022 (controlType / informationSecurityProperties / cybersecurityConcepts [5 categories, NOT 6 like NIST CSF 2.0] / operationalCapabilities / securityDomains) + 2013-to-2022 transition discipline. Pair with ISO-aware GRC (Drata ISO 27001 / Vanta ISO 27001 / AuditBoard / OneTrust ISMS / Secureframe ISO 27001) for SoA workflow + internal audit + management review. PCI DSS sub-requirement examples: `Req 1.2.1` NSC config standards, `Req 8.4.1` MFA on non-console admin, `Req 10.2.1` audit logs enabled, `Req 11.3.1` quarterly internal vuln scans. Defined-vs-Customized Approach discipline per Appendix E (15 Defined-only sub-requirements enforced at schema layer; CHD Scope operator-attested via CDE DFD per Req 1.2.4; card-brand AOC enforcement view — Visa CISP / Mastercard SDP / Amex DSOP / Discover DISC). |
|
|
148
148
|
| `export_report` | Enterprise | Formatted compliance/risk report (PDF, HTML) |
|
|
149
149
|
|
|
150
150
|
---
|
|
@@ -488,7 +488,7 @@ Add to your MCP configuration with the same command/args pattern.
|
|
|
488
488
|
|---------|-------|-------------|
|
|
489
489
|
| **Community** | Free / MIT | 27 plugins (service probes + host/network discovery + intelligence/meta), basic AI, CTEM, SARIF, scan history |
|
|
490
490
|
| **Pro** | $49/mo | + CVE matching, verification probes, risk scoring, Pro plugins (040 TLS / 050 TRIBE / 060 DNS) |
|
|
491
|
-
| **Enterprise** | $2k+/yr | +
|
|
491
|
+
| **Enterprise** | $2k+/yr | + 23 cloud-substrate auditor plugins (1020-1210 range) covering AWS / GCP / Azure against SOC 2 (10 covered + 4 partial controls); Zero Trust; SOC 2 evidence-pack generation; RFC 3161 timestamps; chain-of-custody attestations; air-gapped deployment |
|
|
492
492
|
|
|
493
493
|
→ [Pricing](https://www.nsauditor.com/ai/pricing/)
|
|
494
494
|
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "nsauditor-ai-agent-skill",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.43",
|
|
4
4
|
"description": "AI Agent Skill for NSAuditor AI — gives any AI coding agent built-in knowledge of NSAuditor's MCP tools, schemas, plugins, and security audit workflows.",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"nsauditor",
|
package/references/plugins.md
CHANGED
|
@@ -189,6 +189,7 @@ listings, and default pages.
|
|
|
189
189
|
| 1180 | AWS ElastiCache Redis Auditor (v2 — extended in EE 0.4.9) | Enterprise | First plugin in 1170-1180 ID range. **6 SOC 2 substrate-evidence dimensions** (v1 unchanged in count; v2 grew dims 2 + 6 in scope). **v1 dims preserved:** transit encryption (TransitEncryptionEnabled wraps RESP in TLS; HIGH on disabled) + Redis AUTH/IAM-auth user groups (PASS on UserGroupIds; MEDIUM no-authentication) + Multi-AZ deployment (HIGH disabled / INFO standalone-not-applicable / INFO+evidenceGap on transient enabling/disabling states) + SnapshotRetentionLimit cadence (HIGH=0 / MEDIUM 1-6 / PASS ≥7; operator-tunable `opts.snapshotRetentionPassMinDays`). Dual API enumeration (DescribeReplicationGroups + DescribeCacheClusters) with inter-API dedup. **v2 GROWN dims (EE 0.4.9 EE-RT.17 v2):** **dim 2 at-rest encryption + KMS key custody** — original four-tier ladder (HIGH disabled → MEDIUM AWS-owned-default → MEDIUM `alias/aws/elasticache` → PASS customer-managed CMK + LOW+evidenceGap on `:key/UUID` per conservative-classifier-principle) **PLUS v2 kms:DescribeKey cross-reference promotion** (mirrors plugin 1140 v2): UNVERIFIABLE `:key/UUID` ARN shapes promoted via KeyMetadata.KeyManager to deterministic PASS `elasticache-at-rest-customer-managed-kms-promoted` (CUSTOMER) / MEDIUM `elasticache-at-rest-aws-managed-kms-promoted` (AWS); conservative on AccessDenied/NotFound/unknown KeyManager. **dim 6 subnet routing** — v1 INFO substrate (`elasticache-subnet-group-substrate`) plus **v2 ec2:DescribeRouteTables verifier** that walks the cache subnet group's subnets via elasticache:DescribeCacheSubnetGroups + filtered ec2:DescribeRouteTables, classifying each subnet on Internet Gateway route presence via /^igw-[a-f0-9]+$/i (correctly excludes egress-only eigw-): HIGH `elasticache-subnet-public-route-detected` (with per-subnet `igwDestinationsBySubnet` evidence per R-HIGH-1 fold) / PASS `elasticache-subnet-private-verified` (all subnets verified IGW-free) / LOW + evidenceGap `elasticache-subnet-main-rt-inheritance` per R-MEDIUM-2 false-NEGATIVE closure (default-VPC main-RT typically routes `0.0.0.0/0 → igw-*`) / LOW + evidenceGap `elasticache-subnet-verification-unverifiable` on AccessDenied. **Cross-plugin sister of plugin 1170 SG perimeter** (layer-3 subnet→IGW vs layer-4 SG ingress policy). **7 same-session v2 reviewer folds** (HIGH-1 IGW destination evidence; MEDIUM-2 main-RT-inheritance false-NEGATIVE closure; MEDIUM-3 cache-key naming; LOW-6/7/9/10/11 + NIT-12). **Per-resource caching** prevents N×M API explosion (kmsKeyManagerCache + subnetGroupCache + subnetSetRoutingCache). **No new SDK deps** — @aws-sdk/client-kms + @aws-sdk/client-ec2 reused from EE 0.4.5. **Real-AWS smoke END-TO-END against <operator-test-account>**: R-MEDIUM-2 fold escalation demonstrably firing in production (`redis-leaky-cache` → dim 6 LOW main-RT-inheritance). | CC6.1 / CC6.2 / CC6.6 / A1.2 / C1.1 |
|
|
190
190
|
| 1200 | AWS Inspector2 / GuardDuty Enablement Auditor (NEW EE 0.6.1, EXTENDED EE 0.6.2 v2 multi-region + FindingPublishingFrequency + Inspector2 baseline expansion, EXTENDED EE 0.6.3 v3 alerting-destination dim closes substrate-without-sink false-PASS class, EXTENDED EE 0.6.4 v4 EventBridge target verification + multi-failedAccount + trigger uniformity, EXTENDED EE 0.6.5 v5 dead-target companion-LOW + sentinel observability + R-NIT named-constants, **EXTENDED EE 0.6.6 v6** — dead-target probe warm-up (IAM role + EventBridge API destination + CloudWatch Logs); plugin count UNCHANGED at 22 — existing plugin grew ~870 → ~1400 → ~2100 → ~2400 → ~2800 → ~3000 lines) | Enterprise | **v6 EE 0.6.6 dead-target probe warm-up** (closes the 0.6.5 R2-deferred long tail of unverifiable ARN shapes): three new branches in `_probeTargetLiveness` — **IAM role** (`iam:GetRole` on path-stripped role NAME extracted from `arn:aws:iam::ACCOUNT:role/[path/]NAME`; new SDK dep `@aws-sdk/client-iam`) + **EventBridge API destination** (`events:DescribeApiDestination` reuses existing `_EventBridgeSdk`) + **CloudWatch Logs log group** (`logs:DescribeLogGroups` with `logGroupNamePrefix` filter + **exact-name disambiguation guard** `groups.some((g) => g.logGroupName === logGroupName)` so prefix-match siblings don't false-LIVE; new SDK dep `@aws-sdk/client-cloudwatch-logs`). Companion-LOW emission contract unchanged (existing CC7.1 titlePattern is target-type-agnostic). **5 v6 R1 reviewer folds** (0 R-CRITICAL — clean review pass; 1 R-HIGH + 2 R-MEDIUM + 2 R-LOW): R-HIGH-1 (plugin 1170 v3) BFS short-circuits enqueue past per-target cap + **R-MEDIUM-1 IAM `NoSuchEntityException` / `NoSuchEntity` lifted into `_DEAD_TARGET_NOTFOUND_ERROR_NAMES` Set** (pre-fold the bare disjunction `err.name === "NoSuchEntityException"` at the IAM catch site bypassed the Set AND silently disabled `_retryOnNotFound` for IAM — the canonical worst-case for AWS eventual consistency with IAM lag 10-30s documented; **9th cumulative recurrence** of the `[[emit_literal_set_drift]]` class across the EE codebase; post-fold bare disjunction collapsed to `_isDeadTargetNotFoundError(err)` and eventual-consistency retry restored for IAM) + **R-MEDIUM-2 IAM partition-routing contract documented** at `_loadIamSdk` (`iam:GetRole` is a global API resolving per-partition — orchestrators wiring `opts._iamClient` must construct a single global IAM client per-partition NOT per-region; passing a commercial region in GovCloud / aws-cn / ISO flips the partition and routes to a wrong endpoint) + **R-LOW-2 (plugin 1200 v6) API destination ARN regex future-proofed** (trailing `/` made optional in `:api-destination\/([^/]+)` so future AWS ARN shapes without UUID suffix don't false-malformed). **v6.1 EE 0.6.7 closes the CloudWatch Logs probe retry-on-empty parity R2-deferred item**: `_retryOnNotFound` accepts an optional retry-on-result predicate; CWL Logs call site passes a predicate that fires retry when the response carries no exact-name match (covers both empty and prefix-only-sibling responses). **Restructured to two-phase to cap total network calls at 2 on compound paths** — Phase 1 = initial call + thrown-NotFound retry; Phase 2 = result-based retry; phases are MUTUALLY EXCLUSIVE (single retry total). A nested-try design would have layered both retries on compound paths (first-call empty → retry → second-call throws RNF → retry again), producing 3 network calls. The per-call-site outer catch routes a second-call thrown error (NotFound → DEAD; AccessDenied → UNVERIFIABLE). Existing call sites (Lambda / SNS / SQS / IAM / EventBridge API destination) pass only two args; the default `retryOnResultPredicate = null` cleanly skips Phase 2. **v6.1 R-LOW-1 fold**: compound-path coverage locked with 2 tests — transient empty → second-call AccessDenied → UNVERIFIABLE / transient empty → second-call thrown RNF → DEAD; both verify total network calls = 2 (drove the two-phase restructure decision). No new soc2.json mappings (companion-LOW pattern target-type-agnostic). v6 tests: +5 (2 IAM retry-regression: transient-NoSuchEntity-retry-succeeds + lowercase-NoSuchEntity-retry-then-DEAD; reviewer-fold regression pins also include 3 plugin 1170 v3 fixtures: hub-and-spoke per-target-cap + depthCapHit-true + depthCapHit-false). **v5 EE 0.6.5 v4-reviewer-cleanup cycle** (closes 4 R2-deferred items from EE-RT.20.3): **Dead-target companion-LOW** — closes the EE 0.6.4 R-HIGH-2 documented limitation. Per-target liveness probes for Lambda (`lambda:GetFunction` on full qualified ARN — alias/version correctness verified server-side) + SNS (`sns:GetTopicAttributes`) + SQS (`sqs:GetQueueUrl` + `GetQueueAttributes` — partition-aware via SDK URL resolution; works on aws-cn / aws-us-gov / aws-iso). New `_probeTargetLiveness` helper with parallel probes via Promise.all + per-target timeout (default 2s; operator-tunable via `deadTargetProbeTimeoutMs`). One-retry on NotFound with 750ms backoff (eventual-consistency defense). New MEDIUM verdict `*-alerting-destination-dead-targets` emitted as companion alongside PASS when at least one Target.Arn points to deleted resource. `deadTargetArnsTotal` + `deadTargetArnsTruncated` for JSON-consumer visibility on 11+ case. IAM role + API destination + CloudWatch Logs target probes deferred to 0.6.6 (3-4 more IAM grants). New operator opt `skipTargetLivenessProbe: true`. **Sentinel observability** — rule shape extended with `targetVerificationReason` (AccessDenied / SdkUnavailable / BeyondCap / SkippedByOpts) stable enum; classifier surfaces `targetVerificationReasonBreakdown` in unverifiable verdict details. **R-NIT named-constants** — `SH_HUB_NOT_ENABLED_ERROR_NAMES` frozen Set replaces 2 bare-string sites in SecurityHub helpers per `[[emit_literal_set_drift]]`. **Cross-plugin sessionToken sweep (catalog-wide)** — 18 EE AWS plugins (1020-1200) all thread `sessionToken` through their AWS-SDK credentials block. Closes AssumeRole-style auditor credential gap — auditors using `aws sts assume-role` (canonical cross-account audit pattern) had all auto-loaded clients fail signing pre-fold. **5 v5 R1 reviewer folds** (0 R-CRITICAL — clean review pass): R-HIGH-1 case-insensitive NotFound matching (defends against future AWS SDK case changes per `[[aws_string_case_normalization]]` 15× recurrent class) + R-HIGH-2 one-retry on NotFound (eventual-consistency defense; freshly-created resources transiently return NotFound for ~30s) + R-HIGH-3 Lambda probe passes FULL ARN to GetFunction.FunctionName (alias `PROD` pointing to deleted version surfaces as DEAD instead of false-LIVE) + R-HIGH (Explore) parallel probes via Promise.all + per-target timeout + R-MEDIUM-1 SQS partition-aware via `GetQueueUrl` (pre-fold synthesized `amazonaws.com` URL would have crashed on aws-cn / aws-us-gov / aws-iso partitions) + R-LOW-1 cap-constant lift to module-level + R-MEDIUM-2 truncation fields + R-NIT JSDoc accuracy. **R2 reviewer-deferred** (queued for 0.6.6): IAM role + API destination + CloudWatch Logs target liveness probes. 1 new soc2.json mapping rule (CC7.1 companion-LOW dead-target). New SDK deps `@aws-sdk/client-lambda` + `@aws-sdk/client-sns` + `@aws-sdk/client-sqs` (all already in optionalDependencies from prior cycles). v5 tests: +48 (1 R-NIT + 8 sentinel + 20 sessionToken-sweep + 15 dead-target base + 4 R-HIGH-fold regression pins). **v4 EE 0.6.4 reviewer-cleanup cycle** (closes 3 of 4 R2-deferred items from EE-RT.20.2): **R-HIGH-2 EventBridge target verification** — new `_listEventBridgeRuleTargets` helper with defensive NextToken pagination (hard cap 500); per-rule target verification via `events:ListTargetsByRule` (cap default 10 via `opts.targetVerificationRuleCap`; opt-out via `opts.skipEventBridgeTargetVerification`); new MEDIUM verdict `*-alerting-destination-targetless` for sink-less rules (zero Targets — substrate-without-sink at the rule level). **R-MEDIUM-2 multi-failedAccount surface** — Inspector2 helper return-shape `{accountStatus, accessDenied, failedAccounts: array}` (renamed plural; capped at AWS-documented 100); caller emits one LOW per failed account with per-region emission cap 10 + rollup LOW per region. **R-LOW-2 trigger uniformity** — GuardDuty alerting-destination trigger gates on `detector.Status === ENABLED` (matches Inspector2 enabled-only semantic). **5 v4 R1 reviewer folds** (0 R-CRITICAL — clean review pass): R-HIGH-1 cap-skew classifier branch (LOW UNVERIFIABLE not MEDIUM TARGETLESS when cap-exceeded rules could be the actual sink per `[[conservative_classifier_principle]]`) + R-HIGH consolidated `_listEventBridgeRuleTargets` pagination + JSDoc clarity + R-MEDIUM-1 multi-failedAccount per-region emission cap (10 + rollup LOW) + R-MEDIUM-4 boundary tests + R-HIGH-2 dead-target documented-limitation note (per-target liveness probes deferred to 0.6.5 companion-LOW; ~6 new IAM grants). **R2 reviewer-deferred** (queued for 0.6.5): R-LOW-3 sessionToken cross-plugin sweep (18 plugins) + companion-LOW for dead-target ARNs + `targetCount: null` sentinel observability + R-NIT named-constants for InvalidAccessException / ResourceNotFoundException. 1 new soc2.json mapping rule (CC7.1 MEDIUM TARGETLESS). v4 tests: +29 (3 R-LOW-2 + 6 R-MEDIUM-2 + 14 R-HIGH-2 base + 6 R1-fold regression pins). **v3 EE 0.6.3 alerting-destination dim (item c)** — closes the substrate-without-sink false-PASS class. Verifies at least one of EventBridge rule (source=`aws.guardduty`/`aws.inspector2`; `_eventBridgeSourceMatches` recognizes string + `{prefix}` + `{wildcard}` content-filter forms case-insensitively, regex-meta escape in wildcard glob defends against operator IaC) AND/OR SecurityHub product subscription (`_shArnMatchesProduct` boundary-anchored helper; constants `/aws/guardduty` + `/aws/inspector2` strict — does NOT match deprecated Inspector Classic). Verdict tiers per service per region: PASS `*-alerting-destination-present` (EB rule present) / MEDIUM `*-alerting-destination-sh-only` (R-HIGH-1 fold — SH aggregates but doesn't guarantee proactive paging; auditor walkthrough to confirm `aws.securityhub` EventBridge downstream rule) / HIGH `*-alerting-destination-missing` (no path; substrate-without-sink class) / LOW `*-alerting-destination-unverifiable` (AccessDenied / SDK unavailable; conservative classifier). New SDK deps `@aws-sdk/client-eventbridge` + `@aws-sdk/client-securityhub` (optionalDependencies). Operator opt: `skipAlertingDestination: true`. Soft-degrade on auto-load failure → fall back to LOW UNVERIFIABLE. **v3 R-MEDIUM-2 fold** — `_getInspector2AccountStatus` returns `{accountStatus, accessDenied, failedAccount}` distinguishing true AccessDenied from empty-body / SDK-unavailable (was `null | <obj>` pre-fold; caller emitted false `_CAT_INS_ACCESSDENIED` LOW on empty body). **v3 item (d) fold** — surfaces AWS-published `failedAccounts[].errorCode + errorMessage` via new `_CAT_INS_FAILED_ACCOUNT` LOW. **v3 R1 reviewer folds applied** (4 total; 1 R-CRITICAL + 2 R-HIGH + 1 R-LOW): R-CRITICAL-1 SH product ARN substring collision closure (`/aws/inspector` would have matched BOTH Inspector Classic deprecated-2024 AND Inspector2 — false-PASS for stale Classic subscriptions emitting zero findings; boundary-anchored helper + strict `/aws/inspector2` constant) + R-HIGH-1 SH-only PASS narrative split (PASS requires EB rule; SH-only → MEDIUM) + R-HIGH-3 EventBridge content-filter grammar (prefix + wildcard matchers) + R-LOW-1 source case normalization. **R2 reviewer-deferred** (queued for 0.6.4): R-HIGH-2 EB target verification (events:ListTargetsByRule + IAM grant) + R-LOW-2 asymmetric trigger uniformity + R-MEDIUM-2 multi-failedAccount surface + R-LOW-3 sessionToken support cross-plugin sweep. 5 new soc2.json titlePattern entries (4 CC7.1 + 1 CC7.2 PASS) all anchored to actual emission strings per `[[soc2_titlepattern_anchor_drift]]`. v3 tests: +61 (+8 suites) — 5 R-MEDIUM-2 + 5 item-(d) + 30 item-(c) base + 21 R1-fold regression pins. **v2 EE 0.6.2 dims preserved** (4 dims; v2 (a) multi-region enumeration via ec2:DescribeRegions + (b) FindingPublishingFrequency check + (e) Inspector2 baseline expansion +lambdaCode +codeRepository per Inspector2 GA 2024+; operator opts `regions[]` / `skipMultiRegion` / `regionListCap` / `gdFrequencyPassFrequency`; closes FedRAMP / StateRAMP / IL5+ false-PASS class for GovCloud + ISO regions via 4-part region regex fold). **v1 EE 0.6.1 base** — 4 active dims (dim 5 org-scope deferred to 0.6.4): Dim 1 GuardDuty Detector enablement per region (CC7.1 — HIGH `gd-not-enabled`) + Dim 2 GuardDuty protection-feature coverage (CC7.1 institutional baseline) + Dim 3 Inspector2 enablement (CC7.1 + CC7.2 — DISABLED/SUSPENDED = HIGH) + Dim 4 Inspector2 scan-target coverage (CC7.1 zero / CC7.2 partial). Plugin 1200 audits AWS GuardDuty + AWS Inspector2 enablement state across **all opted-in regions** — **foundation-layer institutional evidence for CC7.1 detection procedures + CC7.2 monitoring** (an audit pack without managed-threat-detection evidence has no AWS-native anomaly-detection or CVE-detection stream). **v2 EE 0.6.2 GROWN scope** (closes 3 of 4 R2-deferred items from EE-RT.20 v1): **(a) Multi-region enumeration** — `ec2:DescribeRegions` enumerates opted-in regions (AllRegions=false defensively); per-region GuardDuty + Inspector2 dispatch; per-region findings carry region tag. Operator opts: `regions: string[]` (filter to subset, validated + deduped + capped 64 default), `skipMultiRegion: true` (cost-sensitive opt-out), `regionListCap` (1..256 clamp). Soft-degrade: EC2 SDK load failure / DescribeRegions AccessDenied → fall back to `config.region` + distinct `_CAT_REGION_ENUM_ACCESSDENIED` LOW finding. Back-compat: legacy single-region opts (`_guardDutyClient` / `_inspector2Client` singular) still respected. **(b) GuardDuty FindingPublishingFrequency check** — CC7.1 detection-latency. `_classifyGuardDutyFrequency` 4 outcomes: PASS `gd-frequency-optimal` / LOW `gd-frequency-suboptimal` / LOW `gd-frequency-unverifiable` (null detector or unknown enum). Operator-tunable: `gdFrequencyPassFrequency` (FIFTEEN_MINUTES / ONE_HOUR / SIX_HOURS; default FIFTEEN_MINUTES). **Ordering-based comparison** via `_GD_FREQUENCY_RANK` map (R-HIGH-2 fold) — stricter actual = PASS even when operator tuned baseline upward. **(e) Inspector2 baseline expansion** — `lambdaCode` (Lambda code scanning) + `codeRepository` (Inspector2 GitHub/GitLab scanning, GA 2024+) added to `_INS_INSTITUTIONAL_BASELINE_RESOURCES` (was {ec2, ecr, lambda}; now {ec2, ecr, lambda, lambdaCode, codeRepository}). **v1 dims preserved (4 active dims; dim 5 org-scope deferred to 0.6.3):** Dim 1 GuardDuty Detector enablement per region (CC7.1 — HIGH `gd-not-enabled`) + Dim 2 GuardDuty protection-feature coverage (CC7.1 — institutional baseline S3_DATA_EVENTS / EKS_AUDIT_LOGS / EBS_MALWARE_PROTECTION / RDS_LOGIN_EVENTS / LAMBDA_NETWORK_LOGS / RUNTIME_MONITORING) + Dim 3 Inspector2 enablement (CC7.1 + CC7.2 — DISABLED/SUSPENDED = HIGH) + Dim 4 Inspector2 scan-target coverage (CC7.1 zero / CC7.2 partial). **4 same-session R1 v2 reviewer folds** (network-security + Explore in parallel; 0 R-CRITICAL clean review pass): **R-HIGH-1 region regex GovCloud + ISO support** — pre-fold `^[a-z]{2,}-[a-z]+-[0-9]+$` silently dropped 4-part region IDs (`us-gov-east-1` / `us-iso-east-1` / `us-isob-east-1` / `us-isof-south-1`); operator passing `regions: ["us-gov-east-1"]` got silent skip + false-PASS — institutional-critical for FedRAMP / StateRAMP / IL5+ scope. Post-fold `^[a-z]{2,}(-[a-z]+){1,2}-[0-9]+$` admits 3- AND 4-part IDs. + **R-HIGH-2 frequency ordering not equality** (described above). + **R-MEDIUM-1 `_REGION_LIST_CAP` defensibility** — pre-fold hardcoded 32 silently truncated 4-part regions (AWS has ~40+ regions in 2026); post-fold default raised to 64 + operator-tunable + explicit truncation warning. + **R-LOW-1 EC2 client instrumentation** — operator-supplied `_ec2Client` now receives Thread-H AccessDenied counter + throttle-retry contract uniformly. **R2 reviewer-deferred** (queued in EE-RT.20.2 / 0.6.3): alerting-destination check (item c — needs `@aws-sdk/client-eventbridge` + `@aws-sdk/client-securityhub` integrations) + BatchGetAccountStatus contract verification (item d) + R-MEDIUM-2 `_getInspector2AccountStatus` return-shape refactor + optional dim 5 org-scope. **6 R1 v1 folds (EE 0.6.1) preserved as regression pins**: R1-CRITICAL-1 soc2.json titlePattern misalignment closure (4 patterns) + R1-CRITICAL-1 AccessDenied distinct findings + R1-CRITICAL-2 legacy DataSources case normalization + R1-HIGH-2 SUSPENDED/DISABLED Detector Status guard + R1-HIGH-3/4 dead-code drift closures. **No new SDK deps** — `@aws-sdk/client-guardduty` + `@aws-sdk/client-inspector2` + `@aws-sdk/client-ec2` already in optionalDependencies. 7 new soc2.json titlePattern entries from v1 still anchored. v2 tests: +27 (21 base + 6 R1-fold regression pins). Synthetic-mock validation only — no multi-region GuardDuty/Inspector2 paired fixtures yet in operator's internal test infrastructure. | CC7.1 / CC7.2 |
|
|
191
191
|
| 1190 | AWS SES Email Integrity Auditor (NEW EE 0.4.7; EXTENDED EE 0.5.0 v2; CONSOLIDATED EE 0.5.2 v2.1; **EXTENDED EE 0.5.3 v3** — Part A DKIM public-key fingerprint capture/pin + Part B in-band DMARC alignment classifier; 5 same-session reviewer folds incl. 1 R-CRITICAL false-CLEAN closure on truncated DKIM keys via new `_stripControlCharsNoTruncate` helper; v2.1 closed — 7 deferred reviewer-fold items closed + new MEDIUM `ses-dkim-dns-partial-with-transients` category + module-load-time disjointness IIFE + silent-loss-class closure on SES classic API quota exhaustion via `cause: "classic-sdk-quota-exhausted"`) | Enterprise | **v2 EE 0.5.0 GROWN dims:** **dim 1 DKIM** — original substrate **PLUS v2 DKIM CNAME DNS resolution promotion**: each `<token>._domainkey.<domain>` CNAME resolved via node:dns/promises + matched against `<token>.dkim.amazonses.com` (case-insensitive per RFC 1035 §2.3.3); four outcomes PASS `ses-dkim-dns-verified` / MEDIUM `ses-dkim-dns-partial` / **HIGH `ses-dkim-dns-missing` (false-CLEAN closure: SES Status=SUCCESS but DNS removed)** / LOW + evidenceGap `ses-dkim-dns-unverifiable`. **dim 2 MailFrom** — original substrate **PLUS v2 DMARC TXT record parser + MailFrom promotion**: RFC 7489 §6.4 tag-list parser + `_dmarc.<identityDomain>` TXT lookup; five outcomes PASS `ses-dmarc-policy-reject` / MEDIUM `ses-dmarc-policy-quarantine` / HIGH `ses-dmarc-policy-none` / HIGH `ses-dmarc-missing` / LOW + evidenceGap `ses-dmarc-unverifiable`. **R-CRITICAL-1 fold (false-CLEAN closure)**: `pct=0` on `p=reject`/`p=quarantine` functionally equivalent to `p=none`; now routes to HIGH `ses-dmarc-policy-none`. **R-HIGH-1 fold (subdomain-takeover false-NEGATIVE closure)**: `sp` subdomain-policy override now evaluated — `p=reject; sp=none` downgrades to HIGH with `dmarcSpWeakens` (subdomain phishing wide open while apex protected). **dim 4 sending-auth policies** — original IAM-policy classifier **PLUS v2 SES classic GetIdentityPolicies parity**: `_loadSesClassicSdk` restored; cross-API discrepancy emits HIGH `ses-classic-policy-discrepancy` (classic-only — canonical false-NEGATIVE class) / MEDIUM (`_canonicalSort` JSON deep-equal ignores whitespace + key-order drift) / INFO (v2-only benign). Conservative on classic SDK unavailable / AccessDenied → LOW + evidenceGap. **v1 dims preserved unchanged:** TLS enforcement (dim 3) + dedicated IP pool (dim 5) + suppression list (dim 6 ZDE — count + reason only). **v2 promoter pattern**: sync v1 classifiers unchanged; async promoters walk collected findings post-classification. **R-HIGH-2 fold**: brittle `inTestMode = !!opts._client` coupling replaced with explicit `_skipV2Promotion` master switch + 3 orthogonal kill-switches. **First plugin in EE to depend on node:dns/promises** for live DNS cross-reference. **8 same-session v2 reviewer folds** (1 CRITICAL + 3 HIGH + 2 MEDIUM + 2 LOW); 6 queued in Pick-up Block. **Real-DNS smoke validation END-TO-END** against production resolvers (`_dmarc.nsasoft.us` parsed correctly: `p=reject, sp=reject, pct=100`; forward-compat `fo=1` tag preserved). Empty-account SESv2 enumeration baseline succeeded end-to-end against <operator-test-account>. **v1 base (preserved):** First plugin in 1190-1199 ID range. Closes the next-highest-priority gap from `tasks/things-to-check.md` AWS SOC 2 audit-canonical compliance checklist after Redis closed in 0.4.6. **6 audit dimensions:** **DKIM enablement + signing status** (CC6.1 / Privacy — HIGH on `SigningEnabled=false`; transient PENDING/TEMPORARY_FAILURE/NOT_STARTED INFO + walkthroughRequired; FAILED MEDIUM on DNS drift; unknown enum LOW + evidenceGap per conservative-classifier-principle) + **custom MailFrom domain alignment** (Privacy substrate — INFO + walkthroughRequired on default amazonses.com / PASS on custom + Status=SUCCESS) + **configuration set TLS enforcement** (C1.1 — REQUIRE PASS / OPTIONAL HIGH SMTP-downgrade-attack window / non-string-but-truthy distinct LOW with `tlsPolicyType` evidence per R-MEDIUM-7 fold) + **identity sending authorization policy permissive principals** (CC6.6 — multi-class wildcard detector covering bare `"*"` / `{AWS:"*"}` / `{Service:"*"}` / `{Federated:"*"}` / `{CanonicalUser:"*"}` / array-form `[*]` per R-HIGH-4 fold + distinct HIGH `ses-sending-auth-notprincipal-allow` per R-CRITICAL-1 fold catching NotPrincipal+Allow wildcard-EQUIVALENT class + LOW + evidenceGap `ses-sending-auth-malformed-statement` per R-HIGH-2 fold) + **dedicated IP pool sending posture** (CC7.1 substrate, account-level — INFO + walkthroughRequired on configured pools / INFO on shared-pool default) + **suppression list state** (CC7.1 deliverability substrate — **ZDE invariant: NEVER reads suppressed-destination email addresses**; count + reason only; verified at run() envelope boundary via sentinel-string assertion per R-LOW-8 fold). Dual API surface discipline: v1 uses SESv2 only (canonical modern API); `@aws-sdk/client-ses` declared in optionalDependencies for v2+ cross-API parity. **11 same-session reviewer folds** — ties single-cycle reviewer-fold record. **CRITICAL-1 closure**: NotPrincipal+Allow false-CLEAN class (matches plugins 1070 + 1150 discipline). **HIGH-4 closure**: `_isWildcardPrincipal` walks every Principal class value (pre-fold only `principal.AWS` inspected, leaking `{Service:"*"}` + `{Federated:"*"}` as silent CLEAN). **No real-AWS smoke against violation-tier fixtures** — operator's internal test infrastructure has NO SES paired fixtures yet (full-stack fixtures deferred to v2 alongside DKIM CNAME DNS resolution + DMARC TXT record parsing); empty-account smoke baseline against <operator-test-account> DID succeed end-to-end. | CC6.1 / CC6.6 / C1.1 / CC7.1 (substrate) / Privacy (substrate) |
|
|
192
|
+
| 1210 | AWS EC2 Instance Auditor (**NEW EE 0.13.1** — first new plugin since 1200; plugin count 24 → 25; the AWS producer for CIS-Hardened-Image detection + EC2 instance-level + EBS-encryption coverage) | Enterprise | Audits EC2 instances (orthogonal to plugin 1170 which audits the SG perimeter policy). **Multi-region** via ec2:DescribeRegions (single-region fallback emits an evidence-gap). Dimensions: **IMDSv1 enabled** (CC6.1 — MEDIUM when an IAM instance profile is attached / LOW without; **IMDSv2 hop-limit > 1** re-opens container credential theft) + **EBS volume unencrypted** (C1.1 + CIS 3.11 — HIGH; resolves every attached BlockDeviceMappings volume via DescribeVolumes) + **account default-EBS-encryption disabled** (C1.1 preventive — GetEbsEncryptionByDefault) + **public-IP exposure** incl. secondary-ENI/EIP + IPv6 GUA (CC6.6 substrate, INFO) + **instance-store (ephemeral) volume** evidence-gap. **DIM 4 — AMI inventory** → result.cisImageInventory (the producer feed that makes CIS-Hardened-Image detection LIVE on Safeguards 4.1/4.2/4.6; Azure 1022 + GCP 1021 feed the same contract). Conservative classifier: LOW + evidenceGap on indeterminate metadata; AccessDenied → INFO + evidenceGap (never silent-PASS); terminated/shutting-down instances skipped. Survived 3 review rounds / 5 adversarial skill lenses (network-security-audit + CIS + IAM-effective-permissions + soc2-evidence + cloud-plugin-false-negatives). `@aws-sdk/client-ec2` reused. | CC6.1 / C1.1 / CC6.6 |
|
|
192
193
|
|
|
193
194
|
---
|
|
194
195
|
|