From 622212f3e318c8e19d96eacc5326bf983c456eb5 Mon Sep 17 00:00:00 2001
From: fatima99s
Date: Tue, 5 Dec 2023 16:00:38 +0500
Subject: [PATCH 1/5] Added check ENI seeting for open all port plugins
---
 plugins/aws/ec2/openAllPortsProtocols.js | 11 ++++
 plugins/aws/ec2/openAllPortsProtocols.spec.js | 53 +++++++++++++++++-
 .../aws/ec2/openAllPortsProtocolsEgress.js | 11 ++++
 .../ec2/openAllPortsProtocolsEgress.spec.js | 56 +++++++++++++++++--
 4 files changed, 125 insertions(+), 6 deletions(-)
diff --git a/plugins/aws/ec2/openAllPortsProtocols.js b/plugins/aws/ec2/openAllPortsProtocols.js
index 5d03950029..4ddaec2383 100644
--- a/plugins/aws/ec2/openAllPortsProtocols.js
+++ b/plugins/aws/ec2/openAllPortsProtocols.js
@@ -16,6 +16,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'flase',
 }
 },
 compliance: {
@@ -31,9 +37,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 
 var results = [];
 var source = {};
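Review bot: The description of the new check_network_interface setting only states when a FAIL is produced, but the accompanying spec ("should PASS if open port security group attached to the network interface has no public IP associated") shows that enabling it turns a rule open to 0.0.0.0/0 into a PASS whenever no attached ENI carries a public IP, which is a downgrade of existing findings rather than an extra check. Say so explicitly so operators do not enable it expecting stricter results: `description: 'When set to true, checks the ENIs attached to the security group and returns FAIL only if the group is open and an attached ENI has a public IP; an open group with no publicly addressable ENI is reported as PASS'`. What the setting does for an open group with no attached ENI at all is decided by helpers.checkNetworkInterface, which is not in this patch, and the description should state that outcome too once confirmed.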
@@ -109,6 +117,9 @@ module.exports = {
 usedGroups.length && !usedGroups.includes(groups[g].GroupId)) {
 helpers.addResult(results, 1, `Security Group: ${groups[g].GroupId} is not in use`, region, resource);
+ } else if( config.check_network_interface) {
+ var resultString = `Security group:${groups[g].GroupId} (${groups[g].GroupName}) has ${strings.join(' and ')}`;
+ helpers.checkNetworkInterface(groups[g].GroupId, groups[g].GroupName, resultString, region, results, resource, cache);
 } else {
 helpers.addResult(results, 2, 'Security group: ' + groups[g].GroupId +
diff --git a/plugins/aws/ec2/openAllPortsProtocols.spec.js b/plugins/aws/ec2/openAllPortsProtocols.spec.js
index 56ed709542..791ce54ae5 100644
--- a/plugins/aws/ec2/openAllPortsProtocols.spec.js
+++ b/plugins/aws/ec2/openAllPortsProtocols.spec.js
@@ -76,6 +76,47 @@ const describeSecurityGroups = [
 }
 ],
 "VpcId": "vpc-99de2fe4"
+ },
+ {
+ "Description": "Allows SSh access to developer",
+ "GroupName": "spec-test-sg2",
+ "IpPermissions": [{
+ "IpProtocol": "tcp",
+ "IpRanges": [
+ {
+ "CidrIp": "0.0.0.0/0"
+ }
+ ],
+ "Ipv6Ranges": [
+ {
+ "CidrIpv6": "::/0"
+ }
+ ],
+ "PrefixListIds": [],
+ "UserIdGroupPairs": []
+ }],
+ "OwnerId": "12345654321",
+ "GroupId": "sg-001",
+ "IpPermissionsEgress": [
+ {
+ "FromPort": 25,
+ "IpProtocol": "tcp",
+ "IpRanges": [
+ {
+ "CidrIp": "0.0.0.0/0"
+ }
+ ],
+ "Ipv6Ranges": [
+ {
+ "CidrIpv6": "::/0"
+ }
+ ],
+ "PrefixListIds": [],
+ "ToPort": 25,
+ "UserIdGroupPairs": []
+ }
+ ],
+ "VpcId": "vpc-99de2fe4"
 }
 ];
 
@@ -90,7 +131,7 @@ const describeNetworkInterfaces = [
 },
 {
 "GroupName": "HTTP-Access",
- "GroupId": "sg-02e2c70cd463dca29"
+ "GroupId": "sg-001639e564442dfec"
 },
 ],
 "InterfaceType": "interface",
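Review bot: Once check_network_interface is on, the `else if` branch sends every group that reaches it to helpers.checkNetworkInterface and the plugin's own FAIL branch is no longer reachable, so the verdict for a rule open to 0.0.0.0/0 rests entirely on a helper this patch does not show; the spec only pins the PASS case for an ENI without a public IP. If that helper also passes groups that are attached to no ENI at all, an unrestricted rule stays invisible until the group is attached, which is the moment it becomes exploitable — a pre-created "allow all" group is a common finding. If usedGroups is populated independently of ec2_skip_unused_groups (the `usedGroups.length &&` guard above suggests it may be empty otherwise), restrict the delegation to groups that actually have an ENI, `} else if (config.check_network_interface && usedGroups.includes(groups[g].GroupId)) {`, so unattached open groups still fall through to FAIL; otherwise confirm the helper reports them itself. The loop over groups and the `strings` array start outside the hunk.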
@@ -261,7 +302,7 @@ describe('openAllPortsProtocols', function () {
 });
 
 it('should WARN if security group is unused', function (done) {
- const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], []);
+ const cache = createCache([describeSecurityGroups[2]], [describeNetworkInterfaces[0]], []);
 openAllPortsProtocols.run(cache, {ec2_skip_unused_groups: 'true'}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(1);
@@ -294,6 +335,14 @@ describe('openAllPortsProtocols', function () {
 done();
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openAllPortsProtocols.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
 });
 });
diff --git a/plugins/aws/ec2/openAllPortsProtocolsEgress.js b/plugins/aws/ec2/openAllPortsProtocolsEgress.js
index 6b9d4e9e8b..303ae4438c 100644
--- a/plugins/aws/ec2/openAllPortsProtocolsEgress.js
+++ b/plugins/aws/ec2/openAllPortsProtocolsEgress.js
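Review bot: The only new test covers the permissive outcome of check_network_interface (status 0 for describeSecurityGroups[1] with describeNetworkInterfaces[0]); nothing asserts that the branch still returns FAIL when the attached ENI does have a public IP, nor what happens to an open group with no ENI while the setting is on, so a helper that passes everything would go unnoticed. Add the counterpart, e.g. `it('should FAIL if open port security group is attached to a network interface with a public IP', ...)` using an ENI fixture that carries a public address in whatever field helpers.checkNetworkInterface reads, and asserting `expect(results[0].status).to.equal(2)`. The describeNetworkInterfaces[0] fixture and the createCache helper are outside the hunk, so I cannot confirm which field is consulted.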
@@ -16,14 +16,22 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'flase',
 }
 },
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 
 var results = [];
 var source = {};
@@ -89,6 +97,9 @@ module.exports = {
 usedGroups.length && !usedGroups.includes(group.GroupId)) {
 helpers.addResult(results, 1, `Security Group: ${group.GroupId} is not in use`, region, resource);
+ } else if( config.check_network_interface) {
+ var resultString = `Security group:${group.GroupId} (${group.GroupName}) has ${strings.join(' and ')}`;
+ helpers.checkNetworkInterface(group.GroupId, group.GroupName, resultString, region, results, resource, cache);
 } else {
 helpers.addResult(results, 2, 'Security group: ' + group.GroupId +
diff --git a/plugins/aws/ec2/openAllPortsProtocolsEgress.spec.js b/plugins/aws/ec2/openAllPortsProtocolsEgress.spec.js
index ef79214a63..07815e77c4 100644
--- a/plugins/aws/ec2/openAllPortsProtocolsEgress.spec.js
+++ b/plugins/aws/ec2/openAllPortsProtocolsEgress.spec.js
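Review bot: Gating the egress verdict on whether an attached ENI has a public IP — the new `else if (config.check_network_interface)` branch hands the group to the same helpers.checkNetworkInterface call the ingress plugin uses — does not fit the egress threat model: an instance with only a private address still reaches 0.0.0.0/0 through a NAT gateway, an egress proxy or a VPC peering path, so an unrestricted outbound rule remains an exfiltration and command-and-control path regardless of the ENI's public IP. Unless the helper applies egress-specific logic (not visible here), this setting would turn real egress findings into PASS on exactly the private-subnet workloads where egress control matters most; consider dropping the option from this plugin, or at least replacing the copied description with one that says the ENI public-IP test is an ingress-exposure heuristic only, e.g. `description: 'When set to true, returns FAIL for an unrestricted egress rule only if an attached ENI has a public IP; note that instances without a public IP can still reach the internet via NAT'`. The loop over groups and the `strings` array begin outside the hunk.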
@@ -76,7 +76,48 @@ const describeSecurityGroups = [
 }
 ],
 "VpcId": "vpc-99de2fe4"
- }
+ },
+ {
+ "Description": "Allows SSh access to developer",
+ "GroupName": "spec-test-sg2",
+ "IpPermissionsEgress": [{
+ "IpProtocol": "tcp",
+ "IpRanges": [
+ {
+ "CidrIp": "0.0.0.0/0"
+ }
+ ],
+ "Ipv6Ranges": [
+ {
+ "CidrIpv6": "::/0"
+ }
+ ],
+ "PrefixListIds": [],
+ "UserIdGroupPairs": []
+ }],
+ "OwnerId": "12345654321",
+ "GroupId": "sg-001639e5",
+ "IpPermissions": [
+ {
+ "FromPort": 25,
+ "IpProtocol": "tcp",
+ "IpRanges": [
+ {
+ "CidrIp": "0.0.0.0/0"
+ }
+ ],
+ "Ipv6Ranges": [
+ {
+ "CidrIpv6": "::/0"
+ }
+ ],
+ "PrefixListIds": [],
+ "ToPort": 25,
+ "UserIdGroupPairs": []
+ }
+ ],
+ "VpcId": "vpc-99de2fe4"
+ },
 ];
 
 const describeNetworkInterfaces = [
@@ -90,7 +131,7 @@ const describeNetworkInterfaces = [
 },
 {
 "GroupName": "HTTP-Access",
- "GroupId": "sg-02e2c70cd463dca29"
+ "GroupId": "sg-001639e564442dfec"
 },
 ],
 "InterfaceType": "interface",
@@ -261,7 +302,7 @@ describe('openAllPortsEgress', function () {
 });
 
 it('should WARN if security group is unused', function (done) {
- const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], []);
+ const cache = createCache([describeSecurityGroups[2]], [describeNetworkInterfaces[0]], []);
 openAllPortsEgress.run(cache, {ec2_skip_unused_groups: 'true'}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(1);
@@ -294,6 +335,13 @@ describe('openAllPortsEgress', function () {
 done();
 });
 });
-
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openAllPortsEgress.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
 });
 });
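Review bot: As in the ingress spec, the only test added for check_network_interface asserts the permissive result (status 0); there is no case where the attached ENI has a public IP and the egress rule must still FAIL, and no case for an open group with no ENI while the setting is on, so a helper regression that passes everything would not be caught. Add `it('should FAIL if open egress security group is attached to a network interface with a public IP', ...)` with an ENI fixture carrying a public address in the field helpers.checkNetworkInterface reads, asserting `expect(results[0].status).to.equal(2)`. Two smaller points: the new fixture's GroupId `sg-001639e5` differs from the `sg-001` used for the equivalent ingress fixture, and its "Allows SSh access to developer" description is copied from an ingress group although it models an egress rule — harmless, but it makes the two spec files harder to diff against each other.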
From 46160f2aeeb7bb98f8a7ff364ff36e38e8c43594 Mon Sep 17 00:00:00 2001
From: fatima99s
Date: Tue, 5 Dec 2023 16:01:58 +0500
Subject: [PATCH 2/5] lint
---
 plugins/aws/ec2/openAllPortsProtocols.js | 2 +-
 plugins/aws/ec2/openAllPortsProtocolsEgress.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/plugins/aws/ec2/openAllPortsProtocols.js b/plugins/aws/ec2/openAllPortsProtocols.js
index 4ddaec2383..420f23853c 100644
--- a/plugins/aws/ec2/openAllPortsProtocols.js
+++ b/plugins/aws/ec2/openAllPortsProtocols.js
@@ -117,7 +117,7 @@ module.exports = {
 usedGroups.length && !usedGroups.includes(groups[g].GroupId)) {
 helpers.addResult(results, 1, `Security Group: ${groups[g].GroupId} is not in use`, region, resource);
- } else if( config.check_network_interface) {
+ } else if ( config.check_network_interface) {
 var resultString = `Security group:${groups[g].GroupId} (${groups[g].GroupName}) has ${strings.join(' and ')}`;
 helpers.checkNetworkInterface(groups[g].GroupId, groups[g].GroupName, resultString, region, results, resource, cache);
 } else {
diff --git a/plugins/aws/ec2/openAllPortsProtocolsEgress.js b/plugins/aws/ec2/openAllPortsProtocolsEgress.js
index 303ae4438c..7b1bf389e0 100644
--- a/plugins/aws/ec2/openAllPortsProtocolsEgress.js
+++ b/plugins/aws/ec2/openAllPortsProtocolsEgress.js
@@ -97,7 +97,7 @@ module.exports = {
 usedGroups.length && !usedGroups.includes(group.GroupId)) {
 helpers.addResult(results, 1, `Security Group: ${group.GroupId} is not in use`, region, resource);
- } else if( config.check_network_interface) {
+ } else if ( config.check_network_interface) {
 var resultString = `Security group:${group.GroupId} (${group.GroupName}) has ${strings.join(' and ')}`;
 helpers.checkNetworkInterface(group.GroupId, group.GroupName, resultString, region, results, resource, cache);
 } else {
From 0a1c4484c6a745095cb6c8385435b023a552e566 Mon Sep 17 00:00:00 2001
From: Fatima <66124862+fatima99s@users.noreply.github.com>
Date: Tue, 5 Dec 2023 16:41:25 +0500
Subject: [PATCH 3/5] Update openAllPortsProtocols.js
---
 plugins/aws/ec2/openAllPortsProtocols.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/aws/ec2/openAllPortsProtocols.js b/plugins/aws/ec2/openAllPortsProtocols.js
index 420f23853c..584f3996a9 100644
--- a/plugins/aws/ec2/openAllPortsProtocols.js
+++ b/plugins/aws/ec2/openAllPortsProtocols.js
@@ -21,7 +21,7 @@ module.exports = {
 name: 'Check Associated ENI',
 description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
 regex: '^(true|false)$',
- default: 'flase',
+ default: 'false',
 }
 },
 compliance: {
From 9543b548faf98670dd85975b120359e884caf902 Mon Sep 17 00:00:00 2001
From: Fatima <66124862+fatima99s@users.noreply.github.com>
Date: Tue, 5 Dec 2023 16:41:45 +0500
Subject: [PATCH 4/5] Update openAllPortsProtocolsEgress.js
---
 plugins/aws/ec2/openAllPortsProtocolsEgress.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/aws/ec2/openAllPortsProtocolsEgress.js b/plugins/aws/ec2/openAllPortsProtocolsEgress.js
index 7b1bf389e0..c02270ec94 100644
--- a/plugins/aws/ec2/openAllPortsProtocolsEgress.js
+++ b/plugins/aws/ec2/openAllPortsProtocolsEgress.js
@@ -21,7 +21,7 @@ module.exports = {
 name: 'Check Associated ENI',
 description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
 regex: '^(true|false)$',
- default: 'flase',
+ default: 'false',
 }
 },
 run: function(cache, settings, callback) {
From 61e87dffc73b92fdabe4f1b0db41981645e16d1d Mon Sep 17 00:00:00 2001
From: fatima99s
Date: Tue, 5 Dec 2023 16:52:53 +0500
Subject: [PATCH 5/5] change the catagory for azure plugin
---
 exports.js | 2 +-
 .../applicationGatewayHasTags.js | 4 ++--
 .../applicationGatewayHasTags.spec.js | 0
 3 files changed, 3 insertions(+), 3 deletions(-)
 rename plugins/azure/{loadbalancer => applicationGateway}/applicationGatewayHasTags.js (96%)
 rename plugins/azure/{loadbalancer => applicationGateway}/applicationGatewayHasTags.spec.js (100%)
diff --git a/exports.js b/exports.js
index 53c1523d03..b209b104ef 100644
--- a/exports.js
+++ b/exports.js
@@ -940,7 +940,6 @@ module.exports = {
 'lbHttpsOnly' : require(__dirname + '/plugins/azure/loadbalancer/lbHttpsOnly.js'),
 'lbNoInstances' : require(__dirname + '/plugins/azure/loadbalancer/lbNoInstances.js'),
 'lbHasTags' : require(__dirname + '/plugins/azure/loadbalancer/lbHasTags.js'),
- 'applicationGatewayHasTags' : require(__dirname + '/plugins/azure/loadbalancer/applicationGatewayHasTags.js'),
 'lbLogAnalyticsEnabled' : require(__dirname + '/plugins/azure/loadbalancer/lbLogAnalyticsEnabled.js'),
 
 'kvRecoveryEnabled' : require(__dirname + '/plugins/azure/keyvaults/kvRecoveryEnabled.js'),
@@ -976,6 +975,7 @@ module.exports = {
 
 'agWafEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agWafEnabled'),
 'agPreventionModeEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agPreventionModeEnabled.js'),
+ 'applicationGatewayHasTags' : require(__dirname + '/plugins/azure/applicationGateway/applicationGatewayHasTags.js'),
 
 'subscriptionHasTags' : require(__dirname + '/plugins/azure/subscription/subscriptionHasTags.js'),
 'rgHasTags' : require(__dirname + '/plugins/azure/resourceGroup/rgHasTags.js'),
diff --git a/plugins/azure/loadbalancer/applicationGatewayHasTags.js b/plugins/azure/applicationGateway/applicationGatewayHasTags.js
similarity index 96%
rename from plugins/azure/loadbalancer/applicationGatewayHasTags.js
rename to plugins/azure/applicationGateway/applicationGatewayHasTags.js
index f5c4cd2d08..1007dd3012 100644
--- a/plugins/azure/loadbalancer/applicationGatewayHasTags.js
+++ b/plugins/azure/applicationGateway/applicationGatewayHasTags.js
@@ -3,8 +3,8 @@ const helpers = require('../../../helpers/azure');
 
 module.exports = {
 title: 'Application Gateway Has Tags',
- category: 'Load Balancer',
- domain: 'Availability',
+ category: 'Application Gateway',
+ domain: 'Network Access Control',
 description: 'Ensures that Microsoft Azure Application Gateway has tags associated.',
 more_info: 'Tags help you to group resources together that are related to or associated with each other. It is a best practice to tag cloud resources to better organize and gain visibility into their usage.',
 recommended_action: 'Modify application gateways and add tags.',
diff --git a/plugins/azure/loadbalancer/applicationGatewayHasTags.spec.js b/plugins/azure/applicationGateway/applicationGatewayHasTags.spec.js
similarity index 100%
rename from plugins/azure/loadbalancer/applicationGatewayHasTags.spec.js
rename to plugins/azure/applicationGateway/applicationGatewayHasTags.spec.js
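Review bot: The domain changes from 'Availability' to 'Network Access Control' for a plugin whose description says it only verifies that tags are present; tag hygiene is a governance control, not a network-access one, so anything that filters or scores findings by domain will now count a missing tag as a network-exposure issue. The category move to 'Application Gateway' is sensible, but the domain should presumably match whatever the sibling tag checks referenced in exports.js (lbHasTags, subscriptionHasTags, rgHasTags) use rather than the domain of agWafEnabled and agPreventionModeEnabled — I cannot see those values from here, so please confirm and, if they differ, keep `domain: 'Availability',` or use the shared tag-check domain.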