-
Notifications
You must be signed in to change notification settings - Fork 673
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'master' of https://github.com/ali-imran7/cloudsploit in…
…to feature/AKD-191
- Loading branch information
Showing
50 changed files
with
4,204 additions
and
51 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,66 @@ | ||
| var async = require('async'); | ||
| var helpers = require('../../../helpers/alibaba'); | ||
|
|
||
| module.exports = { | ||
| title: 'Open Custom Ports', | ||
| category: 'ECS', | ||
| description: 'Ensure that defined custom ports are not open to public.', | ||
| more_info: 'Security groups should restrict access to ports from known networks.', | ||
| link: 'https://www.alibabacloud.com/help/doc-detail/25471.htm', | ||
| recommended_action: 'Modify the security group to ensure the defined custom ports are not exposed publicly', | ||
| apis: ['ECS:DescribeSecurityGroups', 'ECS:DescribeSecurityGroupAttribute', 'STS:GetCallerIdentity'], | ||
| settings: { | ||
| restricted_open_ports: { | ||
| name: 'Restricted Open Ports', | ||
| description: 'Comma separated list of ports/port-ranges that should be restricted and not publicly open. Example: tcp:80,tcp:443,tcp:80-443', | ||
| regex: '[a-zA-Z0-9,:]', | ||
| default: '' | ||
| }, | ||
| }, | ||
|
|
||
| run: function(cache, settings, callback) { | ||
| var results = []; | ||
| var source = {}; | ||
| var regions = helpers.regions(settings); | ||
|
|
||
| var restricted_open_ports = settings.restricted_open_ports || this.settings.restricted_open_ports.default; | ||
|
|
||
| if (!restricted_open_ports.length) return callback(); | ||
|
|
||
| restricted_open_ports = restricted_open_ports.split(','); | ||
|
|
||
| var ports = {}; | ||
| restricted_open_ports.forEach(port => { | ||
| var [protocol, portNo] = port.split(':'); | ||
| if (ports[protocol]) { | ||
| ports[protocol].push(portNo); | ||
| } else { | ||
| ports[protocol] = [portNo]; | ||
| } | ||
| }); | ||
|
|
||
| async.each(regions.ecs, function(region, rcb){ | ||
| var describeSecurityGroups = helpers.addSource(cache, source, | ||
| ['ecs', 'DescribeSecurityGroups', region]); | ||
|
|
||
| if (!describeSecurityGroups) return rcb(); | ||
|
|
||
| if (describeSecurityGroups.err || !describeSecurityGroups.data) { | ||
| helpers.addResult(results, 3, | ||
| `Unable to describe security groups: ${helpers.addError(describeSecurityGroups)}`, region); | ||
| return rcb(); | ||
| } | ||
|
|
||
| if (!describeSecurityGroups.data.length) { | ||
| helpers.addResult(results, 0, 'No security groups found', region); | ||
| return rcb(); | ||
| } | ||
|
|
||
| helpers.findOpenPorts(cache, describeSecurityGroups.data, ports, 'custom', region, results); | ||
|
|
||
| rcb(); | ||
| }, function(){ | ||
| callback(null, results, source); | ||
| }); | ||
| } | ||
| }; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,145 @@ | ||
| var expect = require('chai').expect; | ||
| const openCustomPorts = require('./openCustomPorts'); | ||
|
|
||
| const describeSecurityGroups = [ | ||
| { | ||
| "Description": "System created security group.", | ||
| "SecurityGroupName": "sg-rj998kwpxbxh3muao6nx", | ||
| "VpcId": "vpc-rj9vu86hdve3qr173ew17", | ||
| "ServiceManaged": false, | ||
| "ResourceGroupId": "", | ||
| "SecurityGroupId": "sg-rj998kwpxbxh3muao6nx", | ||
| "CreationTime": "2021-04-30T09:57:23Z", | ||
| "SecurityGroupType": "normal", | ||
| "Tags": { | ||
| "Tag": [] | ||
| } | ||
| } | ||
| ]; | ||
|
|
||
| const describeSecurityGroupAttribute = [ | ||
| { | ||
| "Description": "System created security group.", | ||
| "RequestId": "B417712F-F2D9-4D84-9E14-53642866EC41", | ||
| "SecurityGroupName": "sg-rj998kwpxbxh3muao6nx", | ||
| "VpcId": "vpc-rj9vu86hdve3qr173ew17", | ||
| "SecurityGroupId": "sg-rj998kwpxbxh3muao6nx", | ||
| "Permissions": { | ||
| "Permission": [ | ||
| { | ||
| "Direction": "ingress", | ||
| "SourceGroupName": "", | ||
| "PortRange": "443/443", | ||
| "SourceCidrIp": "0.0.0.0/0", | ||
| "IpProtocol": "TCP" | ||
| } | ||
| ] | ||
| } | ||
| }, | ||
| { | ||
| "Description": "System created security group.", | ||
| "RequestId": "BCC3A7D9-93A5-44AA-85C1-A0C94A53DDBD", | ||
| "SecurityGroupName": "sg-0xijcm5n3s67cgnlklmi", | ||
| "VpcId": "vpc-0xitjib9awrnrv6i3sk9y", | ||
| "SecurityGroupId": "sg-0xijcm5n3s67cgnlklmi", | ||
| "Permissions": { | ||
| "Permission": [ | ||
| { | ||
| "SourceGroupId": "", | ||
| "Policy": "Accept", | ||
| "Description": "System created rule.", | ||
| "SourcePortRange": "", | ||
| "Priority": 100, | ||
| "CreateTime": "2021-04-29T22:40:41Z", | ||
| "DestPrefixListName": "", | ||
| "Ipv6SourceCidrIp": "", | ||
| "NicType": "intranet", | ||
| "DestGroupId": "", | ||
| "Direction": "ingress", | ||
| "SourceGroupName": "", | ||
| "PortRange": "53/80", | ||
| "DestGroupOwnerAccount": "", | ||
| "DestPrefixListId": "", | ||
| "SourceCidrIp": "0.0.0.0/0", | ||
| "SourcePrefixListName": "", | ||
| "IpProtocol": "TCP", | ||
| "DestCidrIp": "", | ||
| "DestGroupName": "", | ||
| "SourceGroupOwnerAccount": "", | ||
| "Ipv6DestCidrIp": "", | ||
| "SourcePrefixListId": "" | ||
| }, | ||
| ] | ||
| } | ||
| } | ||
| ]; | ||
|
|
||
| const createCache = (securityGroups, describeSecurityGroupAttribute, securityGroupsErr, describeSecurityGroupAttributeErr) => { | ||
| const securityGroupId = (securityGroups && securityGroups.length) ? securityGroups[0].SecurityGroupId : null; | ||
| return { | ||
| ecs:{ | ||
| DescribeSecurityGroups: { | ||
| 'cn-hangzhou': { | ||
| err: securityGroupsErr, | ||
| data: securityGroups | ||
| } | ||
| }, | ||
| DescribeSecurityGroupAttribute: { | ||
| 'cn-hangzhou': { | ||
| [securityGroupId]: { | ||
| err: describeSecurityGroupAttributeErr, | ||
| data: describeSecurityGroupAttribute | ||
| } | ||
| } | ||
| } | ||
| } | ||
| }; | ||
| }; | ||
|
|
||
| describe('openCustomPorts', function () { | ||
| describe('run', function () { | ||
| it('should PASS if no public open ports found', function (done) { | ||
| const cache = createCache(describeSecurityGroups, describeSecurityGroupAttribute[0]); | ||
| openCustomPorts.run(cache, { restricted_open_ports: 'tcp:22' }, (err, results) => { | ||
| expect(results.length).to.equal(1); | ||
| expect(results[0].status).to.equal(0); | ||
| expect(results[0].message).to.include('No public open ports found'); | ||
| expect(results[0].region).to.equal('cn-hangzhou'); | ||
| done(); | ||
| }); | ||
| }); | ||
|
|
||
| it('should FAIL if security group has custom ports open to public', function (done) { | ||
| const cache = createCache(describeSecurityGroups, describeSecurityGroupAttribute[1]); | ||
| openCustomPorts.run(cache, { restricted_open_ports: 'tcp:60,tcp:65-70' }, (err, results) => { | ||
| expect(results.length).to.equal(1); | ||
| expect(results[0].status).to.equal(2); | ||
| expect(results[0].message).to.include('has custom:TCP:60, some of TCP:65-70 open to 0.0.0.0/0'); | ||
| expect(results[0].region).to.equal('cn-hangzhou'); | ||
| done(); | ||
| }); | ||
| }); | ||
|
|
||
| it('should PASS if no security groups found', function (done) { | ||
| const cache = createCache([]); | ||
| openCustomPorts.run(cache, { restricted_open_ports: 'tcp:22' }, (err, results) => { | ||
| expect(results.length).to.equal(1); | ||
| expect(results[0].status).to.equal(0); | ||
| expect(results[0].message).to.include('No security groups found'); | ||
| expect(results[0].region).to.equal('cn-hangzhou'); | ||
| done(); | ||
| }); | ||
| }); | ||
|
|
||
| it('should UNKNWON unable to describe security groups', function (done) { | ||
| const cache = createCache(null, { message: 'Unable to describe security groups'}); | ||
| openCustomPorts.run(cache, { restricted_open_ports: 'tcp:22' }, (err, results) => { | ||
| expect(results.length).to.equal(1); | ||
| expect(results[0].status).to.equal(3); | ||
| expect(results[0].message).to.include('Unable to describe security groups'); | ||
| expect(results[0].region).to.equal('cn-hangzhou'); | ||
| done(); | ||
| }); | ||
| }); | ||
| }); | ||
| }); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| var async = require('async'); | ||
| var helpers = require('../../../helpers/alibaba'); | ||
|
|
||
| module.exports = { | ||
| title: 'Open Oracle Auto Data Warehouse', | ||
| category: 'ECS', | ||
| description: 'Ensure that security groups does not have TCP port 1522 for Oracle Auto Data Warehouse open to the public.', | ||
| more_info: 'While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Oracle Auto Data Warehouse should be restricted to known IP addresses.', | ||
| link: 'https://www.alibabacloud.com/help/doc-detail/25471.htm', | ||
| recommended_action: 'Restrict TCP port 1522 for Oracle Auto Data Warehouse to known IP addresses', | ||
| apis: ['ECS:DescribeSecurityGroups', 'ECS:DescribeSecurityGroupAttribute', 'STS:GetCallerIdentity'], | ||
|
|
||
| run: function(cache, settings, callback) { | ||
| var results = []; | ||
| var source = {}; | ||
| var regions = helpers.regions(settings); | ||
|
|
||
| var ports = { | ||
| 'tcp': [1522] | ||
| }; | ||
|
|
||
| var service = 'Oracle Auto Data Warehouse'; | ||
|
|
||
| async.each(regions.ecs, function(region, rcb){ | ||
| var describeSecurityGroups = helpers.addSource(cache, source, | ||
| ['ecs', 'DescribeSecurityGroups', region]); | ||
|
|
||
| if (!describeSecurityGroups) return rcb(); | ||
|
|
||
| if (describeSecurityGroups.err || !describeSecurityGroups.data) { | ||
| helpers.addResult(results, 3, | ||
| `Unable to describe security groups: ${helpers.addError(describeSecurityGroups)}`, region); | ||
| return rcb(); | ||
| } | ||
|
|
||
| if (!describeSecurityGroups.data.length) { | ||
| helpers.addResult(results, 0, 'No security groups found', region); | ||
| return rcb(); | ||
| } | ||
|
|
||
| helpers.findOpenPorts(cache, describeSecurityGroups.data, ports, service, region, results); | ||
| rcb(); | ||
| }, function(){ | ||
| callback(null, results, source); | ||
| }); | ||
| } | ||
| }; |
Oops, something went wrong.