sraverify 0.1.0__py3-none-any.whl

sraverify/services/guardduty/checks/sra_guardduty_23.py

@@ -0,0 +1,154 @@
+"""
+Check if GuardDuty Runtime Monitoring is configured for auto-enablement.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+from sraverify.core.logging import logger
+
+
+class SRA_GUARDDUTY_23(GuardDutyCheck):
+    """Check if GuardDuty Runtime Monitoring is configured for auto-enablement."""
+
+    def __init__(self):
+        """Initialize GuardDuty Runtime Monitoring auto-enablement check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-23"
+        self.check_name = "GuardDuty Runtime Monitoring auto-enablement configured"
+        self.description = ("This check verifies whether Runtime Monitoring and its components (ECS Fargate Agent Management, "
+                           "EC2 Agent Management, and EKS Addon Management) are configured for auto-enablement "
+                           "in GuardDuty for all member accounts. Runtime Monitoring provides threat detection for "
+                           "runtime behavior of resources, helping to identify malicious activities.")
+        self.severity = "HIGH"
+        self.check_logic = "Check if RUNTIME_MONITORING feature and its components are configured with AutoEnable set to ALL."
+        self.account_type = "audit"
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # Get organization configuration for GuardDuty
+            org_config = self.get_organization_configuration(region)
+            
+            # Check if there was an error in the response
+            if "Error" in org_config:
+                error_code = org_config["Error"].get("Code", "Unknown")
+                error_message = org_config["Error"].get("Message", "Unknown error")
+                
+                # Handle BadRequestException specifically for non-management accounts
+                if error_code == "BadRequestException":
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"{error_code} {error_message}", 
+                        remediation="Verify that GuardDuty is the delegated admin in this Region and run the check again."
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="ERROR", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"Error accessing GuardDuty organization configuration: {error_code}", 
+                        remediation="Check permissions and AWS Organizations configuration"
+                    ))
+                continue
+            
+            # Check if Runtime Monitoring is configured for auto-enablement
+            # Look for RUNTIME_MONITORING in Features
+            runtime_monitoring_found = False
+            runtime_monitoring_auto_enable = "NOT_CONFIGURED"
+            additional_config = {}
+            features = org_config.get('Features', [])
+            
+            for feature in features:
+                if feature.get('Name') == 'RUNTIME_MONITORING':
+                    runtime_monitoring_found = True
+                    runtime_monitoring_auto_enable = feature.get('AutoEnable', 'NONE')
+                    
+                    # Check additional configuration for the three components
+                    additional_configuration = feature.get('AdditionalConfiguration', [])
+                    for config in additional_configuration:
+                        config_name = config.get('Name')
+                        config_auto_enable = config.get('AutoEnable', 'NONE')
+                        additional_config[config_name] = config_auto_enable
+                    
+                    break
+            
+            # Check if all required components are properly configured
+            required_components = {
+                'ECS_FARGATE_AGENT_MANAGEMENT': 'ALL',
+                'EC2_AGENT_MANAGEMENT': 'ALL',
+                'EKS_ADDON_MANAGEMENT': 'ALL'
+            }
+            
+            missing_components = []
+            misconfigured_components = []
+            
+            for component, expected_value in required_components.items():
+                if component not in additional_config:
+                    missing_components.append(component)
+                elif additional_config[component] != expected_value:
+                    misconfigured_components.append(f"{component}={additional_config[component]}")
+            
+            # Determine the status based on the findings
+            if runtime_monitoring_found and runtime_monitoring_auto_enable == 'ALL' and not missing_components and not misconfigured_components:
+                findings.append(self.create_finding(
+                    status="PASS", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="GuardDuty Runtime Monitoring and all its components are configured for auto-enablement for all accounts (AutoEnable=ALL)", 
+                    remediation=""
+                ))
+            elif not runtime_monitoring_found:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value=f"GuardDuty Runtime Monitoring feature is not configured", 
+                    remediation=f"Enable Runtime Monitoring feature and configure auto-enablement for all accounts in {region}"
+                ))
+            elif runtime_monitoring_auto_enable != 'ALL':
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value=f"GuardDuty Runtime Monitoring is configured with AutoEnable={runtime_monitoring_auto_enable}, but should be ALL", 
+                    remediation=f"Configure Runtime Monitoring auto-enablement for all accounts in {region} by setting AutoEnable to ALL"
+                ))
+            elif missing_components:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value=f"GuardDuty Runtime Monitoring is missing the following components: {', '.join(missing_components)}", 
+                    remediation=f"Configure all required Runtime Monitoring components in {region}"
+                ))
+            elif misconfigured_components:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value=f"GuardDuty Runtime Monitoring has misconfigured components: {', '.join(misconfigured_components)}", 
+                    remediation=f"Set AutoEnable to ALL for all Runtime Monitoring components in {region}"
+                ))
+        
+        return findings

sraverify/services/guardduty/checks/sra_guardduty_24.py

@@ -0,0 +1,111 @@
+"""
+Check if GuardDuty Lambda Network Logs are configured for auto-enablement.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+from sraverify.core.logging import logger
+
+
+class SRA_GUARDDUTY_24(GuardDutyCheck):
+    """Check if GuardDuty Lambda Network Logs are configured for auto-enablement."""
+
+    def __init__(self):
+        """Initialize GuardDuty Lambda Network Logs auto-enablement check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-24"
+        self.check_name = "GuardDuty Lambda Network Logs auto-enablement configured"
+        self.description = ("This check verifies whether Lambda Network Logs are configured for auto-enablement "
+                           "in GuardDuty for all member accounts. Lambda Network Logs monitoring analyzes VPC flow logs "
+                           "for Lambda functions to detect potentially suspicious network activity.")
+        self.severity = "HIGH"
+        self.check_logic = "Check if LAMBDA_NETWORK_LOGS feature is configured with AutoEnable set to ALL."
+        self.account_type = "audit"
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # Get organization configuration for GuardDuty
+            org_config = self.get_organization_configuration(region)
+            
+            # Check if there was an error in the response
+            if "Error" in org_config:
+                error_code = org_config["Error"].get("Code", "Unknown")
+                error_message = org_config["Error"].get("Message", "Unknown error")
+                
+                # Handle BadRequestException specifically for non-management accounts
+                if error_code == "BadRequestException":
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"{error_code} {error_message}", 
+                        remediation="Verify that GuardDuty is the delegated admin in this Region and run the check again."
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="ERROR", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"Error accessing GuardDuty organization configuration: {error_code}", 
+                        remediation="Check permissions and AWS Organizations configuration"
+                    ))
+                continue
+            
+            # Check if Lambda Network Logs are configured for auto-enablement
+            # Look for LAMBDA_NETWORK_LOGS in Features
+            lambda_network_logs_found = False
+            lambda_network_logs_auto_enable = "NOT_CONFIGURED"
+            features = org_config.get('Features', [])
+            
+            for feature in features:
+                if feature.get('Name') == 'LAMBDA_NETWORK_LOGS':
+                    lambda_network_logs_found = True
+                    lambda_network_logs_auto_enable = feature.get('AutoEnable', 'NONE')
+                    break
+            
+            if lambda_network_logs_found and lambda_network_logs_auto_enable == 'ALL':
+                findings.append(self.create_finding(
+                    status="PASS", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="GuardDuty Lambda Network Logs are configured for auto-enablement for all accounts (AutoEnable=ALL)", 
+                    remediation=""
+                ))
+            elif lambda_network_logs_found:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value=f"GuardDuty Lambda Network Logs are configured with AutoEnable={lambda_network_logs_auto_enable}, but should be ALL", 
+                    remediation=f"Configure Lambda Network Logs auto-enablement for all accounts in {region} by setting AutoEnable to ALL"
+                ))
+            else:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value=f"GuardDuty Lambda Network Logs feature is not configured", 
+                    remediation=f"Enable Lambda Network Logs feature and configure auto-enablement for all accounts in {region}"
+                ))
+        
+        return findings

sraverify/services/guardduty/checks/sra_guardduty_25.py

@@ -0,0 +1,111 @@
+"""
+Check if GuardDuty RDS Login Events are configured for auto-enablement.
+"""
+from typing import Dict, List, Any
+from sraverify.services.guardduty.base import GuardDutyCheck
+from sraverify.core.logging import logger
+
+
+class SRA_GUARDDUTY_25(GuardDutyCheck):
+    """Check if GuardDuty RDS Login Events are configured for auto-enablement."""
+
+    def __init__(self):
+        """Initialize GuardDuty RDS Login Events auto-enablement check."""
+        super().__init__()
+        self.check_id = "SRA-GUARDDUTY-25"
+        self.check_name = "GuardDuty RDS Login Events auto-enablement configured"
+        self.description = ("This check verifies whether RDS Login Events are configured for auto-enablement "
+                           "in GuardDuty for all member accounts. RDS Login Events monitoring analyzes database "
+                           "login activity to detect potentially suspicious login attempts to RDS databases.")
+        self.severity = "HIGH"
+        self.check_logic = "Check if RDS_LOGIN_EVENTS feature is configured with AutoEnable set to ALL."
+        self.account_type = "audit"
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        
+        Returns:
+            List of findings
+        """
+        findings = []        
+        # Check all regions
+        for region in self.regions:
+            detector_id = self.get_detector_id(region)
+            
+            # Handle regions where we can't access GuardDuty
+            if not detector_id:
+                findings.append(self.create_finding(
+                    status="ERROR", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}", 
+                    actual_value="Unable to access GuardDuty in this region", 
+                    remediation="Check permissions or if GuardDuty is supported in this region"
+                ))
+                continue
+                
+            # Get organization configuration for GuardDuty
+            org_config = self.get_organization_configuration(region)
+            
+            # Check if there was an error in the response
+            if "Error" in org_config:
+                error_code = org_config["Error"].get("Code", "Unknown")
+                error_message = org_config["Error"].get("Message", "Unknown error")
+                
+                # Handle BadRequestException specifically for non-management accounts
+                if error_code == "BadRequestException":
+                    findings.append(self.create_finding(
+                        status="FAIL", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"{error_code} {error_message}", 
+                        remediation="Verify that GuardDuty is the delegated admin in this Region and run the check again."
+                    ))
+                else:
+                    findings.append(self.create_finding(
+                        status="ERROR", 
+                        region=region, 
+                        resource_id=f"guardduty:{region}:{detector_id}", 
+                        actual_value=f"Error accessing GuardDuty organization configuration: {error_code}", 
+                        remediation="Check permissions and AWS Organizations configuration"
+                    ))
+                continue
+            
+            # Check if RDS Login Events are configured for auto-enablement
+            # Look for RDS_LOGIN_EVENTS in Features
+            rds_login_events_found = False
+            rds_login_events_auto_enable = "NOT_CONFIGURED"
+            features = org_config.get('Features', [])
+            
+            for feature in features:
+                if feature.get('Name') == 'RDS_LOGIN_EVENTS':
+                    rds_login_events_found = True
+                    rds_login_events_auto_enable = feature.get('AutoEnable', 'NONE')
+                    break
+            
+            if rds_login_events_found and rds_login_events_auto_enable == 'ALL':
+                findings.append(self.create_finding(
+                    status="PASS", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value="GuardDuty RDS Login Events are configured for auto-enablement for all accounts (AutoEnable=ALL)", 
+                    remediation=""
+                ))
+            elif rds_login_events_found:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value=f"GuardDuty RDS Login Events are configured with AutoEnable={rds_login_events_auto_enable}, but should be ALL", 
+                    remediation=f"Configure RDS Login Events auto-enablement for all accounts in {region} by setting AutoEnable to ALL"
+                ))
+            else:
+                findings.append(self.create_finding(
+                    status="FAIL", 
+                    region=region, 
+                    resource_id=f"guardduty:{region}:{detector_id}", 
+                    actual_value=f"GuardDuty RDS Login Events feature is not configured", 
+                    remediation=f"Enable RDS Login Events feature and configure auto-enablement for all accounts in {region}"
+                ))
+        
+        return findings

sraverify/services/guardduty/client.py

@@ -0,0 +1,107 @@
+"""
+GuardDuty client for interacting with AWS GuardDuty service.
+"""
+from typing import Dict, List, Optional, Any
+import boto3
+from botocore.exceptions import ClientError
+from sraverify.core.logging import logger
+
+
+class GuardDutyClient:
+    """Client for interacting with AWS GuardDuty service."""
+    
+    def __init__(self, region: str, session: Optional[boto3.Session] = None):
+        """
+        Initialize GuardDuty client for a specific region.
+        
+        Args:
+            region: AWS region name
+            session: AWS session to use (if None, a new session will be created)
+        """
+        self.region = region
+        self.session = session or boto3.Session()
+        self.client = self.session.client('guardduty', region_name=region)
+    
+    def get_detector_id(self) -> Optional[str]:
+        """
+        Get the detector ID for the current region.
+        
+        Returns:
+            Detector ID if GuardDuty is enabled, None otherwise
+        """
+        try:
+            response = self.client.list_detectors()
+            detector_ids = response.get('DetectorIds', [])
+            if detector_ids:
+                return detector_ids[0]
+            logger.debug(f"No detector found in {self.region}")
+            return None
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            error_message = str(e)
+            logger.error(f"Error getting detector ID in {self.region}: {error_message}")
+            # Return a special error indicator instead of None
+            return f"ERROR:{error_code}:{error_message}"
+    
+    def get_detector_details(self, detector_id: str) -> Dict[str, Any]:
+        """
+        Get details for a specific detector.
+        
+        Args:
+            detector_id: GuardDuty detector ID
+            
+        Returns:
+            Dictionary containing detector details
+        """
+        try:
+            return self.client.get_detector(DetectorId=detector_id)
+        except ClientError as e:
+            logger.error(f"Error getting detector details for {detector_id} in {self.region}: {e}")
+            return {}
+    
+    def describe_organization_configuration(self, detector_id: str) -> Dict[str, Any]:
+        """
+        Get organization configuration for a specific detector.
+        
+        Args:
+            detector_id: GuardDuty detector ID
+            
+        Returns:
+            Dictionary containing organization configuration details or error information
+        """
+        try:
+            return self.client.describe_organization_configuration(DetectorId=detector_id)
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            error_message = str(e)
+            logger.error(f"Error getting organization configuration for {detector_id} in {self.region}: {error_message}")
+            
+            # Return a dictionary with error information
+            return {
+                "Error": {
+                    "Code": error_code,
+                    "Message": error_message
+                }
+            }
+            
+    def list_organization_admin_accounts(self) -> Dict[str, Any]:
+        """
+        List organization admin accounts for GuardDuty.
+        
+        Returns:
+            Dictionary containing organization admin accounts details or error information
+        """
+        try:
+            return self.client.list_organization_admin_accounts()
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            error_message = str(e)
+            logger.error(f"Error listing organization admin accounts for GuardDuty in {self.region}: {error_message}")
+            
+            # Return a dictionary with error information
+            return {
+                "Error": {
+                    "Code": error_code,
+                    "Message": error_message
+                }
+            }

sraverify/services/inspector/__init__.py

@@ -0,0 +1,29 @@
+"""
+Inspector security checks.
+"""
+from sraverify.services.inspector.checks.sra_inspector_01 import SRA_INSPECTOR_01
+from sraverify.services.inspector.checks.sra_inspector_02 import SRA_INSPECTOR_02
+from sraverify.services.inspector.checks.sra_inspector_03 import SRA_INSPECTOR_03
+from sraverify.services.inspector.checks.sra_inspector_04 import SRA_INSPECTOR_04
+from sraverify.services.inspector.checks.sra_inspector_05 import SRA_INSPECTOR_05
+from sraverify.services.inspector.checks.sra_inspector_06 import SRA_INSPECTOR_06
+from sraverify.services.inspector.checks.sra_inspector_07 import SRA_INSPECTOR_07
+from sraverify.services.inspector.checks.sra_inspector_08 import SRA_INSPECTOR_08
+from sraverify.services.inspector.checks.sra_inspector_09 import SRA_INSPECTOR_09
+from sraverify.services.inspector.checks.sra_inspector_10 import SRA_INSPECTOR_10
+from sraverify.services.inspector.checks.sra_inspector_11 import SRA_INSPECTOR_11
+
+# Register checks
+CHECKS = {
+    "SRA-INSPECTOR-01": SRA_INSPECTOR_01,
+    "SRA-INSPECTOR-02": SRA_INSPECTOR_02,
+    "SRA-INSPECTOR-03": SRA_INSPECTOR_03,
+    "SRA-INSPECTOR-04": SRA_INSPECTOR_04,
+    "SRA-INSPECTOR-05": SRA_INSPECTOR_05,
+    "SRA-INSPECTOR-06": SRA_INSPECTOR_06,
+    "SRA-INSPECTOR-07": SRA_INSPECTOR_07,
+    "SRA-INSPECTOR-08": SRA_INSPECTOR_08,
+    "SRA-INSPECTOR-09": SRA_INSPECTOR_09,
+    "SRA-INSPECTOR-10": SRA_INSPECTOR_10,
+    "SRA-INSPECTOR-11": SRA_INSPECTOR_11,
+}