nsauditor-ai 0.1.46 → 0.1.47
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +4 -3
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -17,7 +17,8 @@ NSAuditor AI is the open-source core of a privacy-first security intelligence pl
|
|
|
17
17
|
|
|
18
18
|
## What's New
|
|
19
19
|
|
|
20
|
-
- **0.1.
|
|
20
|
+
- **0.1.47 (current)** — docs-only patch announcing **EE 0.4.8 release** (paired release narrative). **EE plugin count UNCHANGED at 20** (no new plugin in 0.4.8; existing plugin 1140 `aws-rds-auditor` grew 7 → 10 dimensions per **EE-RT.14 v3** — first ship in the 1140-line v3 extension cycle, closing the "database activity logs" SOC 2 dimension per `tasks/things-to-check.md` §4 audit-canonical checklist). 3 new audit-logging dimensions cover CC7.2 + CC7.3 continuous monitoring + event evaluation: **dim 8 pgAudit enabled** (postgres-only — `DescribeDBParameters → pgaudit.log` + cross-checks `shared_preload_libraries` contains `pgaudit` token per R-MEDIUM-2 reviewer-fold **false-PASS closure** since Postgres silently ignores the GUC when SPL omits pgaudit; new MEDIUM category `rds-pgaudit-misconfigured` surfaces the silent-ignore case), **dim 9 CloudWatch Logs exports** (`EnabledCloudwatchLogsExports` engine-dispatched essential/optional policy: postgres essential=`postgresql`; mysql/mariadb essential=`error`; oracle essential=`audit`+`trace`; sqlserver essential=`error`), **dim 10 CloudWatch Logs retention** (`logs:DescribeLogGroups` enumeration on engine-dispatched prefix per R-HIGH-1 reviewer-fold: `/aws/rds/instance/<id>/` for non-Aurora, `/aws/rds/cluster/<DBClusterIdentifier>/` for `aurora-*` engines — **pre-fold the helper hard-coded the instance path** → 0 log groups on every Aurora node = false-INFO across the whole Aurora fleet); 30-day institutional baseline (operator-tunable via `opts.auditLogRetentionPassMinDays` clamped 1..3653). **9 same-session reviewer folds across the cycle** (independent `general-purpose-agent` review yielded 12 findings; 9 folded same-session, 3 deferred to v3.1 / cross-plugin sweep). **HIGH-1 closure**: Aurora cluster log-path detection. **MEDIUM-2 closure**: pgAudit + shared_preload_libraries cross-check. **MEDIUM-3/4/5 closures**: `crossReferenceCwl===false` distinct LOW + retentionDistribution per-group spread + non-AccessDenied transient errors as distinct LOW (vs. silently degrading to INFO not-applicable). **Real-AWS smoke validation END-TO-END**: in-place modification of existing `rds-compliant-cluster` fixture (cost $0; brief Multi-AZ failover during apply-immediately reboot) validated ALL 3 v3 PASS-path classifiers (`rds-pgaudit-enabled` + `rds-cloudwatch-logs-complete` + `rds-log-retention-pass` 90 days ≥ 30 baseline); unmodified `rds-violator-db` validated HIGH path (`rds-pgaudit-disabled` + `rds-cloudwatch-logs-disabled` + `rds-log-retention-not-applicable` cascading INFO). Account-wide finding distribution post-fixture-modification: 9 PASS + 2 MEDIUM + 4 INFO + 5 HIGH. **First 0.4.x extension cycle to validate BOTH PASS-path AND HIGH-path classifiers** against real AWS in the same smoke run. **No coverage matrix shift** since 0.3.9 (stays 10/4/33 — institutional honesty per the matrix-shift discipline; EE 0.4.8 adds substrate evidence depth on already-covered CC7.2 + CC7.3 via 7 new aws-rds-auditor mapping rules). EE-side stats: **+68 new tests** (49 v3 base + 19 reviewer-fold pin tests); **EE full regression: 4642/4642; 44-session 100% green streak preserved**. **`@aws-sdk/client-cloudwatch-logs` already in optionalDependencies** (used by plugin 1040 since EE 0.4.0); v3 reuses it via new `_loadCwlSdk` lazy loader. CE binary unchanged in 0.1.47 (code identical to 0.1.40 → 0.1.46); the bump carries the EE-paired-release narrative + announces plugin 1140 v3 to the npm landing page. **Fourth consecutive trio-publish across EE + CE + agent-skill in a single session** — institutionalized discipline now spans 4 ship cycles (0.4.5/0.4.6/0.4.7/0.4.8). Paired agent-skill 0.1.14 catalog refresh reflects the plugin 1140 v3 extension on the AI-coding-agent knowledge surface. Memory tag closures: `aws_string_case_normalization` extended (engine + log-name normalization in v3 classifiers; recurrence count holds at **20×** with SPLIT-SURFACE callout); `conservative_classifier_principle` reinforced in 4 new fold sites; `emit_literal_set_drift` extended with `_PGAUDIT_LIBRARY_NAME` + `_SHARED_PRELOAD_LIBRARIES_PARAM` named-constant discipline.
|
|
21
|
+
- **0.1.46 (deprecated)** — docs-only patch announcing **EE 0.4.7 release** (paired release narrative). EE plugin count grows **19 → 20** with **plugin 1190 AWS SES Email Integrity Auditor** (EE-RT.18 v1 — first plugin in the 1190-1199 ID range; closes the next-highest-priority gap from the AWS SOC 2 audit-canonical compliance checklist after Redis closed in EE 0.4.6). Plugin 1190 v1 dimensions: **DKIM enablement + signing status** (CC6.1 / Privacy — HIGH on `SigningEnabled=false` outbound mail unsigned + transient PENDING/TEMPORARY_FAILURE/NOT_STARTED INFO + walkthroughRequired + FAILED MEDIUM on DNS drift + unknown enum LOW + evidenceGap per `conservative_classifier_principle`) + **custom MailFrom domain alignment** (Privacy substrate — INFO + walkthroughRequired on default amazonses.com / PASS on custom + Status=SUCCESS / DMARC strict alignment substrate evidence) + **configuration set TLS enforcement** (C1.1 — REQUIRE PASS / OPTIONAL HIGH SMTP-downgrade-attack-window / non-string-but-truthy distinct LOW per R-MEDIUM-7 fold with `tlsPolicyType` evidence — separates SDK-contract-violation from missing-field unverifiable) + **identity sending authorization policy permissive principals** (CC6.6 — multi-class wildcard detector covering bare `"*"` / `{AWS:"*"}` / `{Service:"*"}` / `{Federated:"*"}` / `{CanonicalUser:"*"}` / array-form `[*]` per R-HIGH-4 fold walking every Principal class value + distinct HIGH `ses-sending-auth-notprincipal-allow` per R-CRITICAL-1 fold catching universal-grant-minus-exclusion-list wildcard-EQUIVALENT class + LOW + evidenceGap `ses-sending-auth-malformed-statement` per R-HIGH-2 fold for Effect-missing send-action statements) + **dedicated IP pool sending posture** (CC7.1 substrate, account-level — INFO + walkthroughRequired on configured pools / INFO on shared-pool default) + **suppression list state** (CC7.1 deliverability substrate — ZDE invariant: NEVER reads suppressed-destination email addresses; count + reason only; verified at run() envelope boundary via sentinel-string assertion per R-LOW-8 fold). **11 same-session reviewer folds across the cycle** (independent `general-purpose-agent` review yielded 12 findings; 11 folded same-session, 1 deferred to cross-plugin Thread H sweep — **ties the single-cycle reviewer-fold record** for security-classifier-correctness-surface plugins). **CRITICAL-1 closure**: NotPrincipal+Allow distinct HIGH category (false-CLEAN class — matches plugins 1070 + 1150 NotPrincipal+Allow discipline). **HIGH-4 closure**: `_isWildcardPrincipal` walks every Principal class value (pre-fold only `principal.AWS` inspected). **HIGH-2 closure**: missing-Effect malformed-statement LOW + evidenceGap (pre-fold silently dropped). **Fourth EE plugin to ship preemptively without smoke-time SDK hotfix** — `@aws-sdk/client-ses` + `@aws-sdk/client-sesv2` both added to optionalDependencies BEFORE smoke validation. **No coverage matrix shift** since 0.3.9 (stays 10/4/33 — institutional honesty per the matrix-shift discipline; EE 0.4.7 adds substrate evidence depth on already-covered CC6.1 / CC6.6 / C1.1 via 8 new aws-ses-auditor mapping rules). EE-side stats: **+116 new tests** (94 EE-RT.18 v1 unit-test suite + 22 reviewer-fold pin tests); **EE full regression: 4574/4574; 43-session 100% green streak preserved**. **No real-AWS smoke against violation-tier fixtures** — test-infra-builder has NO SES paired fixtures yet (full-stack fixtures deferred to EE-RT.18 v2 alongside DKIM CNAME DNS resolution + DMARC TXT record parsing). Empty-account smoke baseline against 522412052794 DID succeed end-to-end: plugin loads via CE→EE binding, all 4 SESv2 API enumerations succeed, baseline 2 INFO findings emit correctly, durationMs=842, ZDE invariant preserved. CE binary unchanged in 0.1.46 (code identical to 0.1.40 → 0.1.45); the bump carries the EE-paired-release narrative + announces plugin 1190 to the npm landing page. **Third consecutive trio-publish across EE + CE + agent-skill in a single session** — institutional discipline. Paired agent-skill 0.1.13 catalog refresh adds plugin 1190 to AI-coding-agent knowledge surface. Memory tag closures: `aws_string_case_normalization` at **20×** with explicit SPLIT-SURFACE callout (DKIM/Tls/MailFromStatus enums upcased / IAM Action/Effect lowercased); `conservative_classifier_principle` reinforced in 5 new fold sites; `emit_literal_set_drift` extended with `_DKIM_STATUS_VALID` + `_MAILFROM_STATUS_SUCCESS` + `_TLS_POLICY_VALID` named-constant discipline.
|
|
21
22
|
- **0.1.45 (deprecated)** — docs-only patch announcing **EE 0.4.6 release** (paired release narrative). EE plugin count grows **18 → 19** with **plugin 1180 AWS ElastiCache Redis Auditor** (EE-RT.17 v1 — first plugin in the 1170-1180 ID range; closes the highest-priority gap from the AWS SOC 2 audit-canonical compliance checklist). Plus **EE-RT.16 v2** — plugin 1170 AWS EC2 SG Perimeter Auditor extension; **RESTRICTED_PORTS grown 13 → 23 ports** per CIS AWS Foundations Benchmark v3.0 (adds Redshift 5439, K8s API 6443, etcd 2379-2380, Kibana 5601, InfluxDB 8086, Kafka 9092, Consul 8500, ZooKeeper 2181, Vault 8200) + new `opts.additionalRestrictedPorts` operator-config knob + per-SG cardinality cap with rollup trailer + system-managed-SG name-prefix exclusion list (excludes ElasticMapReduce-, eks-cluster-sg-, AWSServiceRole, awseb- prefixes from orphan-detection). Plugin 1180 v1 dimensions: **transit encryption** (C1.1 PASS/HIGH — TransitEncryptionEnabled wraps RESP in TLS) + **at-rest encryption with KMS key custody** (C1.1 four-tier ladder: HIGH disabled → MEDIUM AWS-owned-default → MEDIUM alias/aws/elasticache → PASS customer-CMK + LOW+evidenceGap on `:key/UUID` per `conservative_classifier_principle`) + **Redis AUTH / IAM-auth user groups** (CC6.1 + CC6.2 PASS on UserGroupIds; MEDIUM no-authentication) + **Multi-AZ deployment** (A1.2 HIGH disabled / INFO standalone-not-applicable / INFO transient enabling/disabling) + **SnapshotRetentionLimit cadence** (A1.2 HIGH=0 / MEDIUM 1-6 / PASS ≥7; operator-tunable `opts.snapshotRetentionPassMinDays` clamped 1..35) + **subnet placement** (CC6.6 INFO + walkthroughRequired on default subnet group). Dual API enumeration (DescribeReplicationGroups + DescribeCacheClusters) with inter-API dedup; Memcached out-of-scope by design. **10 same-session reviewer folds across both ships** (7 EE-RT.16 v2 incl. **2 CONVERGENT-CRITICAL findings** — C1 fixed a pre-existing v1 PASS-tier titlePattern bug, C2 added 2 cardinality-cap-trailer titlePatterns silently-dropped pre-fold; 3 EE-RT.17 v1). **No coverage matrix shift** since 0.3.9 (stays 10/4/33). EE-side stats: **+97 new tests** (56 EE-RT.16 v2 + 41 EE-RT.17 v1); **EE full regression: 4458/4458; 42-session 100% green streak preserved**. **Third EE plugin to ship without smoke-time SDK hotfix** (`@aws-sdk/client-elasticache` preemptively added; plugins 1150, 1170, 1180 all shipped without hotfix). Real-AWS smoke-validated against `test-infra-builder` paired fixtures (account 522412052794, plugins 1170 v2 + 1180): `findingCount: 21`. CE binary unchanged in 0.1.45 (code identical to 0.1.40 / 0.1.41 / 0.1.42 / 0.1.43 / 0.1.44); the bump carries the EE-paired-release narrative + announces plugin 1180 to the npm landing page. **Second trio-publish across EE + CE + agent-skill in a single session** (after the 0.4.5 cycle institutionalized the pattern); paired agent-skill 0.1.12 catalog refresh adds plugin 1180 + plugin 1170 v2 to AI-coding-agent knowledge surface. Memory tag closures: `aws_string_case_normalization` at **19×** (+2 fold-sites this cycle); `conservative_classifier_principle` reinforced in 6 fold sites; `emit_literal_set_drift` holds at 17×.
|
|
22
23
|
- **0.1.44 (deprecated)** — docs-only patch announcing **EE 0.4.5 release** (paired release narrative). EE plugin count grows **17 → 18** with **plugin 1170 AWS EC2 SG Perimeter Auditor** (EE-RT.16 v1 — first plugin in the 1160-1170 ID range; orthogonal evidence to plugin 1023 zero-trust-checker — 1023 reads OBSERVED open ports, 1170 reads DECLARED SG policy via AWS API). Plus **EE-RT.14 v2** — plugin 1140 AWS RDS Auditor grown from 3 dims → 7 dims (adds BackupRetentionPeriod A1.2 / PubliclyAccessible CC6.6 / IAMDatabaseAuthenticationEnabled CC6.1 / snapshot encryption C1.1) with the headline `kms:DescribeKey` cross-reference path that promotes UNVERIFIABLE `:key/UUID` ARN shapes to deterministic PASS/MEDIUM via `KeyMetadata.KeyManager`. Plugin 1170 v1 dimensions: IPv4 0.0.0.0/0 to RESTRICTED_PORTS (CRITICAL) + IPv6 ::/0 sibling (CRITICAL) + all-protocol (-1) wildcard (CRITICAL) + public ingress to non-restricted ports (INFO substrate) + egress 0.0.0.0/0 (INFO substrate) + orphan SGs (LOW governance). RESTRICTED_PORTS covers 13 ports (SSH/RDP/MS SQL/MySQL/Postgres/Redis/Memcached/MongoDB/Elasticsearch/CouchDB/Docker/Kubelet). **9 same-session reviewer folds across both ships** (5 EE-RT.14 v2 + 4 EE-RT.16 v1). **No coverage matrix shift** since 0.3.9 (stays 10/4/33 — institutional honesty per the matrix-shift discipline; EE 0.4.5 adds evidence depth on already-covered CC6.1 / CC6.2 / CC6.6 / A1.2 / C1.1). EE-side stats: **+106 new tests** (52 EE-RT.14 v2 + 54 EE-RT.16 v1); **EE full regression: 4361/4361; 40-session 100% green streak preserved**. CE binary unchanged in 0.1.44 (code identical to 0.1.40 / 0.1.41 / 0.1.42 / 0.1.43); the bump carries the EE-paired-release narrative + announces plugin 1170 to the npm landing page. Memory tags: `emit_literal_set_drift` at **17×** cross-codebase recurrence (+3 EE-RT.14 v2 fold-sites); `aws_string_case_normalization` at **17×** (+1 preemptive in plugin 1170 IpProtocol normalization); `conservative_classifier_principle` reinforced in 5 fold sites across the cycle.
|
|
23
24
|
- **0.1.43 (deprecated)** — docs-only patch announcing **EE 0.4.4 publish** (paired release narrative). EE plugin count grows **16 → 17** with **plugin 1150 AWS SQS/SNS Auditor** (EE-RT.15 v1) — second new EE plugin in the 0.4.x cycle. Covers 5 SOC 2 substrate-evidence dimensions: **SQS encryption at rest** (C1.1; SqsManagedSseEnabled OR KmsMasterKeyId with the same four-tier severity ladder as plugin 1140 — HIGH unencrypted → MEDIUM SQS-managed-SSE / `alias/aws/sqs` → PASS customer-managed CMK alias → LOW+evidenceGap on bare-UUID / `:key/UUID` form per `conservative_classifier_principle`), **SQS transit-encryption policy** (CC6.6; `aws:SecureTransport=false` Deny statement on the queue resource policy), **SNS topic encryption at rest** (C1.1; `KmsMasterKeyId` — SNS has no SQS-managed-SSE equivalent so absent = HIGH), **SNS topic-policy permissive-Principal** (CC6.6; wildcard-Principal on sensitive actions Publish/Subscribe/SetTopicAttributes/AddPermission/RemovePermission/DeleteTopic, with full **NotAction-Allow + NotPrincipal-Allow + Resource-scope** filtering per the EE-RT.15 R-HIGH-1 + R-HIGH-2 same-session reviewer folds — closes the AWS-documented wildcard-equivalent classes that plugins 1070 + 1110 already handle), and **SQS dead-letter queue presence** (A1.2 availability + CC7.1 anomaly-detection, dual-mapped — missing DLQ is the canonical silent-message-loss class for event-driven architectures). EE-RT.15 also closed **R-MEDIUM-1** (per-resource AccessDenied evidenceGap finding rather than silent-omit — same false-CLEAN class family as the EE-RT.14 v1 hotfix lineage). **No coverage matrix shift** since 0.3.9 (stays 10/4/33 — institutional honesty per the matrix-shift discipline; EE-RT.15 v1 adds SQS/SNS substrate evidence under already-covered C1.1 + CC6.6 + A1.2 + CC7.1). EE-side stats: **+95 new tests** (78 EE-RT.15 v1 unit-test suite + 17 same-session reviewer-fold tests); **EE full regression: 4255/4255; 38-session 100% green streak preserved**. **First EE plugin to ship WITHOUT a smoke-time SDK hotfix** — `@aws-sdk/client-sqs` + `@aws-sdk/client-sns` were added to `optionalDependencies` PREEMPTIVELY per the 11th pre-implementation checklist item (EE-RT.14 v1 lesson). CE binary unchanged in 0.1.43 (code identical to 0.1.40 / 0.1.41 / 0.1.42); the bump exists to carry the EE-paired-release narrative + announce plugin 1150 to the npm landing page. **Real-AWS smoke-validated** against `test-infra-builder` paired fixtures (account 522412052794, 4 resources): `findingCount: 0 → 10` (3 dims × 2 queues + 2 dims × 2 topics); **C1.1 → FAIL (4)**, **CC6.6 → FAIL (4)**, **A1.2 → FAIL (2)**, **CC7.1 → FAIL (2)**; all 10 classifications match ground truth (AWS-managed `alias/aws/sqs` correctly = MEDIUM not PASS; SNS default policy wildcard-Principal-WITH-Condition correctly = HIGH not CRITICAL).
|
|
@@ -181,7 +182,7 @@ Results land in `./out/<host>_<timestamp>/`:
|
|
|
181
182
|
|
|
182
183
|
### Pro/Enterprise Plugins (via @nsasoft/nsauditor-ai-ee)
|
|
183
184
|
|
|
184
|
-
**EE 0.4.
|
|
185
|
+
**EE 0.4.8 ships 20 enterprise plugins** (UNCHANGED from EE 0.4.7 — sixth-ship-cycle in the 0.4.x stream is a single-plugin EXTENSION rather than a new plugin: plugin 1140 `aws-rds-auditor` grown from 7 → 10 dimensions per **EE-RT.14 v3** with database audit-logging — pgAudit enablement + CloudWatch Logs exports + CloudWatch Logs retention; closes the "database activity logs" SOC 2 dimension per `tasks/things-to-check.md` §4 audit-canonical checklist covering CC7.2 + CC7.3 continuous monitoring + event evaluation). EE plugins use the disjoint 1000+ ID range; CE reserves 001-099. Plugins audit AWS / GCP / Azure cloud substrate end-to-end against the AICPA Trust Services Criteria 2017 framework; every plugin is enterprise-gated by the `cloudScanners` capability and runs against customer-supplied cloud credentials. Once licensed, the EE package installs alongside the CE binary; auditor-facing TSC mapping documentation (`CHANGELOG.md` + `docs/soc2-coverage.md`) ships bundled.
|
|
185
186
|
|
|
186
187
|
**All EE plugins follow the same institutional plumbing pattern:**
|
|
187
188
|
|
|
@@ -208,7 +209,7 @@ Results land in `./out/<host>_<timestamp>/`:
|
|
|
208
209
|
| **1110** | **IAM Effective Decrypt-Path Auditor** (NEW EE 0.4.0) | Enterprise | Cross-plugin reconciler: walks IAM policies for `kms:Decrypt` / `kms:ReEncrypt*` / `kms:GenerateDataKey` grants and cross-references against destination KMS key policies (plugin 1070) to compute the **effective decrypt path**. Closes institutional NotAction-implicit-decrypt false-PASS class (`Allow + NotAction:[...] + Resource:*` over-grants decrypt implicitly). Cross-plugin sister-fix in 1030: Effect + Action case-normalization at IAM-graph BFS boundary. CC6.1 / CC6.6 / C1.1 / C1.2. |
|
|
209
210
|
| **1120** | **AWS S3 Lifecycle + Cross-Region Replication Auditor** (NEW EE 0.4.0) | Enterprise | S3 lifecycle policy enumeration (CC7.1 retention-cadence evidence) + cross-region replication topology (A1.2 disaster-recovery substrate). Cross-region destination-bucket reachability verification closes silent-PASS class where replication source FAILED but emitted clean. C1.1 / C1.2 / A1.2. |
|
|
210
211
|
| **1130** | **AWS Backup Auditor — headline thread** (NEW EE 0.4.0; EE-RT.12 v1 → v1.24, 18-session institutional hardening arc) | Enterprise | The **largest single-plugin institutional-hardening arc in the EE codebase**: ~7800 lines / 545 plugin tests / 19 R2-strict recurrence-class same-session closures / 74 new soc2.json titlePattern entries across 7 controls. Audits the AWS Backup substrate end-to-end: Plans + Vaults + Recovery Points + Selections + Frameworks + Restore Testing + ReportPlans + Legal Holds + VaultType + Vault Tags + Vault Access Policy. **Headline capability: 12-dimension air-gapped vault attestation arc** for `LogicallyAirGappedBackupVault` resources — 6 cryptographic-isolation mechanisms (vault TYPE air-gapped + ARN account-segment-separation + destination KMS key-policy clean + destination KMS Grants clean + MRK-replica topology clean + source-account VPC-endpoint policy clean) PLUS 6 substrate dimensions (PITR / retention / encryption / RestoreTesting / Legal Holds / vault Access Policy). Cross-service SDK integration (`@aws-sdk/client-kms`, `@aws-sdk/client-ec2`, `@aws-sdk/client-config-service`, `@aws-sdk/client-backup`). CC6.3 / **CC6.6** / CC7.1 / CC8.1 / C1.1 / **C1.2** / **A1.2**. |
|
|
211
|
-
| **1140** | **AWS RDS Auditor** (EE 0.4.3 v1; **GROWN in EE 0.4.5 v2** — 3 dims → 7 dims + kms:DescribeKey cross-reference) | Enterprise | Audits AWS RDS DB instances against **
|
|
212
|
+
| **1140** | **AWS RDS Auditor** (EE 0.4.3 v1; **GROWN in EE 0.4.5 v2** — 3 dims → 7 dims + kms:DescribeKey cross-reference; **GROWN AGAIN in EE 0.4.8 v3** — 7 dims → 10 dims + database audit-logging) | Enterprise | Audits AWS RDS DB instances against **10 SOC 2 substrate-evidence dimensions** (v1 = 3 + v2 = 4 + v3 = 3): **v3 dim 8 pgAudit enabled** (CC7.2 + CC7.3, postgres-only — `DescribeDBParameters → pgaudit.log` non-empty AND `shared_preload_libraries` contains `pgaudit` token per R-MEDIUM-2 reviewer-fold **false-PASS closure** since Postgres silently ignores the GUC when SPL omits pgaudit; HIGH on disabled / new MEDIUM `rds-pgaudit-misconfigured` on SPL-omitted / PASS on fully configured; non-postgres engines = INFO + engine-not-applicable per `conservative_classifier_principle`); **v3 dim 9 CloudWatch Logs exports** (CC7.2 — `EnabledCloudwatchLogsExports` engine-dispatched essential/optional policy via frozen `_RDS_ENGINE_CWL_NAMES` dispatch table covering mysql/mariadb/aurora-mysql (essential=`error`) / postgres/aurora-postgresql (essential=`postgresql`) / oracle-* (essential=`audit`+`trace`) / sqlserver-* (essential=`error`); empty=HIGH, partial=MEDIUM, complete=PASS, unknown engine=INFO+engine-not-supported); **v3 dim 10 CloudWatch Logs retention** (CC7.2 + CC7.3 — `logs:DescribeLogGroups` enumeration on engine-dispatched prefix per R-HIGH-1 reviewer-fold **false-INFO closure**: `/aws/rds/instance/<id>/` for non-Aurora; `/aws/rds/cluster/<DBClusterIdentifier>/` for `aurora-*` engines — pre-fold hard-coded the instance path → 0 log groups on every Aurora node = false-INFO MEDIUM across the whole Aurora fleet; 30-day institutional baseline operator-tunable via `opts.auditLogRetentionPassMinDays` clamped 1..3653; distinct categories for never-expire INFO + below-baseline MEDIUM + cwl-opt-out LOW R-MEDIUM-3 fold + probe-failed LOW R-MEDIUM-5 fold + AccessDenied LOW + retentionDistribution per-group spread R-MEDIUM-4 fold). **v2 dim 1-7** preserved (Multi-AZ A1.2 / storage encryption + KMS-key custody with kms:DescribeKey cross-reference C1.1 / parameter-group SSL enforcement C1.1 / backup retention period A1.2 / public accessibility CC6.6 / IAM database authentication CC6.1 / snapshot encryption C1.1). **9 same-session v3 reviewer folds applied** (HIGH-1 Aurora cluster log-path; MEDIUM-2 pgAudit-SPL cross-check; MEDIUM-3 cwl-opt-out distinct; MEDIUM-4 retentionDistribution surfaced; MEDIUM-5 transient-error distinct; LOW-8 `_PGAUDIT_LIBRARY_NAME` + `_SHARED_PRELOAD_LIBRARIES_PARAM` named constants; LOW-9 engine case-norm tests; LOW-10 `truncated:bool` + `distributionTruncated:bool` flags; NIT-12 Aurora cluster integration test). 7 new v3 soc2.json titlePattern entries under CC7.2 (cumulative 25 across v1+v2+v3). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). `@aws-sdk/client-cloudwatch-logs` already in optionalDependencies (used by plugin 1040 since EE 0.4.0); v3 reuses via new `_loadCwlSdk` lazy loader. **Real-AWS smoke END-TO-END against `test-infra-builder` paired fixtures** in account 522412052794: in-place modification of `rds-compliant-cluster` (cost $0; brief Multi-AZ failover during apply-immediately reboot) validated ALL 3 v3 PASS-path classifiers; unmodified `rds-violator-db` validated HIGH path; account-wide finding distribution 9 PASS + 2 MEDIUM + 4 INFO + 5 HIGH. **First 0.4.x extension cycle to validate BOTH PASS-path AND HIGH-path classifiers** against real AWS in the same smoke run. **A1.2 / CC6.1 / CC6.6 / C1.1 / CC7.2 / CC7.3**. |
|
|
212
213
|
| **1150** | **AWS SQS/SNS Auditor** (NEW EE 0.4.4; EE-RT.15 v1 — second new EE plugin in the 0.4.x cycle) | Enterprise | Audits AWS SQS queues + SNS topics against **5 SOC 2 substrate-evidence dimensions** spanning two services in one plugin (institutional bundling — both substrate-evidence event-driven-architecture stores, both use the same SDK auth surface). **SQS encryption at rest** (C1.1 confidentiality — `GetQueueAttributes → SqsManagedSseEnabled` OR `KmsMasterKeyId`; four-tier severity ladder: HIGH unencrypted → MEDIUM AWS-managed-SSE OR `alias/aws/sqs` → PASS customer-managed CMK alias → LOW+evidenceGap on bare-UUID / `:key/UUID` ARN form per `conservative_classifier_principle`); **SQS transit-encryption policy** (CC6.6 segmentation — `aws:SecureTransport=false` Deny statement defense-in-depth over the HTTPS-only transport-layer guarantee); **SNS topic encryption at rest** (C1.1 confidentiality — `GetTopicAttributes → KmsMasterKeyId`; SNS has no SQS-managed-SSE equivalent so absent = HIGH); **SNS topic-policy permissive-Principal** (CC6.6 segmentation — wildcard-Principal classifier on sensitive actions sns:Publish / Subscribe / SetTopicAttributes / AddPermission / RemovePermission / DeleteTopic + `sns:*` / `*` wildcards; includes **NotAction-Allow** handling per plugin 1110 precedent + **NotPrincipal-Allow** handling per plugin 1070 precedent + **Resource-scope filtering** to prevent false-positive emissions on statements scoped to other topics' ARNs; severity ladder CRITICAL unconditional-wildcard → HIGH wildcard-WITH-Condition → PASS no-wildcard-sensitive); and **SQS dead-letter queue presence** (A1.2 availability + CC7.1 anomaly-detection, **dual-mapped** — `RedrivePolicy` analysis; missing DLQ is the canonical silent-message-loss class for event-driven architectures where failed message processing routes through SQS to downstream Lambda/ECS consumers). **First EE plugin to ship WITHOUT a smoke-time SDK hotfix** — `@aws-sdk/client-sqs` + `@aws-sdk/client-sns` were added to `optionalDependencies` PREEMPTIVELY per the 11th pre-implementation checklist item (EE-RT.14 v1 lesson applied institutionally). 11 new soc2.json titlePattern entries (9 under C1.1 + 6 under CC6.6 + 2 under A1.2 + 1 dual-mapped DLQ under CC7.1). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap on BOTH SQS + SNS clients independently + ZDE sanitizer at every AWS-returned string surface + conservative classifier on UNVERIFIABLE KMS shapes + EE-RT.12.25 v1 run() scaffold + 4 preemptive `aws_string_case_normalization` fold-sites for the 16× recurrence-class memory). Three same-session reviewer folds applied (R-HIGH-1 NotAction/NotPrincipal bypass class, R-HIGH-2 Resource-scope filter, R-MEDIUM-1 per-resource AccessDenied evidenceGap — same false-CLEAN-class family as the EE-RT.14 v1 hotfix lineage). Smoke-validated against `test-infra-builder` paired fixtures (`sqs-encrypted-queue` + `sqs-cleartext-queue` + `sns-encrypted-topic` + `sns-cleartext-topic`) in account 522412052794: `findingCount: 10`, all 10 classifications match ground truth (AWS-managed `alias/aws/sqs` correctly = MEDIUM not PASS; SNS default topic policy wildcard-Principal-WITH-Condition correctly = HIGH not CRITICAL). **C1.1 / CC6.6 / A1.2 / CC7.1**. |
|
|
213
214
|
| **1170** | **AWS EC2 SG Perimeter Auditor** (EE 0.4.5 v1; **EXTENDED in EE 0.4.6 v2** — RESTRICTED_PORTS 13 → 23 ports per CIS AWS Foundations v3.0 + operator-config + per-SG cardinality cap) | Enterprise | Audits AWS EC2 Security Groups against SOC 2 CC6.6 network-segmentation evidence — reads the AWS-API DECLARED SG policy via `DescribeSecurityGroups`. **Orthogonal evidence to plugin 1023 zero-trust-checker** (1023 reads OBSERVED open ports from prior network probes; 1170 reads DECLARED SG policy). The pair gives auditors complete coverage of "is this port reachable, and is it supposed to be?" **Cross-plugin sister of EE-RT.14 v2 `_classifyPublicAccessibility`** dimension in plugin 1140 (which emits "auditor walkthrough required for SG analysis"; plugin 1170 closes that walkthrough deterministically). **6 audit dimensions:** **IPv4 0.0.0.0/0 ingress to RESTRICTED_PORTS** (CC6.6 perimeter — CRITICAL; **v2 RESTRICTED_PORTS covers 23 ports** per CIS AWS Foundations v3.0 alignment + emerging-data-tier coverage: SSH (22), RDP (3389), MS SQL (1433), MySQL (3306), Postgres (5432), Redshift (5439 — NEW v2), Redis (6379), Memcached (11211), MongoDB (27017), Elasticsearch (9200, 9300), CouchDB (5984), Docker daemon (2375), Kubelet API (10250), **K8s API server (6443 — NEW v2), etcd (2379-2380 — NEW v2), Kibana (5601 — NEW v2), InfluxDB (8086 — NEW v2), Kafka (9092 — NEW v2), Consul (8500 — NEW v2), ZooKeeper (2181 — NEW v2), Vault (8200 — NEW v2)**); **IPv6 ::/0 ingress to RESTRICTED_PORTS** (CC6.6 — CRITICAL IPv6 sibling; operators often miss while locking IPv4 down); **all-protocol (-1) ingress from 0.0.0.0/0** (CC6.6 — CRITICAL worst-possible perimeter posture; **per R-MEDIUM-1 fold suppresses dim 1+2 emissions at SG-scope** — auditor pack stays at one CRITICAL/SG instead of N+1); **public ingress to non-restricted ports** (CC6.6 substrate — INFO + walkthroughRequired; 80/443/8080-style web tier likely intentional, auditor verifies intent); **egress 0.0.0.0/0** (CC6.6 substrate — INFO; AWS-default posture; out-of-scope for SG-layer DLP concerns); **orphan SGs** (CC6.2 governance — LOW; SG with no attached ENI via `DescribeNetworkInterfaces` cross-reference; AWS-default `default` SGs per-VPC excluded; **v2 system-managed-SG name-prefix exclusion list** excludes `ElasticMapReduce-`, `eks-cluster-sg-`, `AWSServiceRole`, `awseb-` etc. from orphan-detection — these are AWS-service-controlled and structurally non-deletable). **v2 operator-config knob `opts.additionalRestrictedPorts`** — lets tenants add custom ports beyond the baseline (validated 0-65535 integer + deduped against baseline). **v2 per-SG cardinality cap via `_USER_GROUP_DISPLAY_CAP = 10`** with rollup trailer (`...and N more`) defends against finding-size DoS on 1000+ SG accounts. **`UserIdGroupPairs` (SG-as-source) rules** surfaced as INFO + evidenceGap + walkthroughRequired per R-HIGH-1 fold — v1 only analyzes CIDR-source rules; transitive SG→SG chain reachability deferred to v3 (EE-RT.16 v3). 10 new soc2.json titlePattern entries across v1 + v2 (6 CC6.6 + 1 CC6.2 from v1; 1 PASS-tier fix + 2 cardinality-cap trailers from v2). Full institutional contract applied day-1. **7 same-session v2 reviewer folds including 2 CONVERGENT-CRITICAL findings** (C1 pre-existing v1 PASS-tier titlePattern bug; C2 cardinality-cap-trailer titlePatterns silently dropped at framework-engine harvest pre-fold). Smoke-validated against `test-infra-builder` paired fixtures (`nsauditor-secure-sg` + `nsauditor-exposed-sg`) in account 522412052794. **CC6.6 / CC6.2**. |
|
|
214
215
|
| **1190** | **AWS SES Email Integrity Auditor** (NEW EE 0.4.7; EE-RT.18 v1 — first plugin in 1190-1199 ID range) | Enterprise | Audits AWS SES + SESv2 email-sending substrate against **6 SOC 2 evidence dimensions** spanning confidentiality + email-integrity. Closes the next-highest-priority gap from the AWS SOC 2 audit-canonical compliance checklist after Redis closed in EE 0.4.6. **DKIM enablement + signing status** (CC6.1 / Privacy — `DkimAttributes.SigningEnabled` + 5-enum Status classifier: SUCCESS PASS / PENDING-TEMPORARY_FAILURE-NOT_STARTED INFO+walkthroughRequired transient / FAILED MEDIUM on DNS drift / unknown LOW+evidenceGap per `conservative_classifier_principle`; HIGH on SigningEnabled=false because outbound mail unsigned defeats SPF+DKIM+DMARC trust chain). **Custom MailFrom domain alignment** (Privacy substrate — `MailFromAttributes.MailFromDomain` + `MailFromDomainStatus`; INFO + walkthroughRequired on default amazonses.com because DMARC strict alignment impossible without custom MailFrom subdomain; PASS on custom + Status=SUCCESS). **Configuration set TLS enforcement** (C1.1 transit — `DeliveryOptions.TlsPolicy`; REQUIRE PASS / OPTIONAL HIGH opens SMTP-downgrade-attack window where network-layer adversary can strip STARTTLS from EHLO response forcing cleartext delivery of message body + headers; **distinct LOW + `tlsPolicyType` evidence branch** per R-MEDIUM-7 reviewer-fold catches non-string SDK-contract violations separately from missing-field unverifiable — pre-fold both flowed through identical narrative with empty quotes). **Identity sending authorization policy permissive principals** (CC6.6 — JSON-parsed IAM policy with **multi-class wildcard detector** covering bare `"*"` + `{AWS:"*"}` + `{Service:"*"}` + `{Federated:"*"}` + `{CanonicalUser:"*"}` + array-form `[*]` per R-HIGH-4 reviewer-fold walking every Principal class value; **distinct HIGH `ses-sending-auth-notprincipal-allow`** per R-CRITICAL-1 reviewer-fold catches NotPrincipal+Effect=Allow wildcard-EQUIVALENT class (universal grant minus exclusion list — pre-fold silently classified as bounded = false-CLEAN; matches plugins 1070 + 1150 NotPrincipal+Allow discipline); **LOW + evidenceGap `ses-sending-auth-malformed-statement`** per R-HIGH-2 reviewer-fold surfaces Effect-missing send-action statements that pre-fold were silently dropped). **Dedicated IP pool sending posture** (CC7.1 substrate, account-level — `ListDedicatedIpPools`; INFO + walkthroughRequired on configured pools / INFO on shared-pool default). **Suppression list state** (CC7.1 deliverability substrate, account-level — `ListSuppressedDestinations`; **ZDE invariant: NEVER reads suppressed-destination email addresses** — count + reason only; verified at run() envelope boundary via sentinel-string assertion per R-LOW-8 reviewer-fold). **Dual API surface discipline:** v1 uses SESv2 only (canonical modern API surface covers all 6 dimensions); `@aws-sdk/client-ses` declared in optionalDependencies for v2+ cross-API parity (per the dual-API discipline established in plugin 1180) — `_loadSesClassicSdk` dead-code load-check REMOVED per R-MEDIUM-6 reviewer-fold (false-degraded risk: pre-fold a missing classic SDK in production forced run() into "Plugin skipped" path even though v1 never exercises any classic export). 8 new soc2.json titlePattern entries (3 CC6.1 + 3 CC6.6 + 2 C1.1). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). **11 same-session reviewer folds applied** — ties the single-cycle reviewer-fold record (independent `general-purpose-agent` review yielded 12 findings; 11 folded same-session, 1 deferred to cross-plugin Thread H sweep). **Fourth EE plugin to ship without smoke-time SDK hotfix** (`@aws-sdk/client-ses` + `@aws-sdk/client-sesv2` both preemptively added to optionalDependencies). **No real-AWS smoke against violation-tier fixtures** — test-infra-builder has NO SES paired fixtures yet (full-stack fixtures deferred to EE-RT.18 v2 alongside DKIM CNAME DNS resolution + DMARC TXT record parsing). Empty-account smoke baseline against 522412052794 DID succeed end-to-end: plugin loads via CE→EE binding, all 4 SESv2 API enumerations succeed, baseline 2 INFO findings emit correctly, durationMs=842, ZDE invariant preserved. **CC6.1 / CC6.6 / C1.1 / CC7.1 (substrate) / Privacy (substrate)**. |
|