diff --git a/cloud/alibaba/oss/access-logoss-disabled.yaml b/cloud/alibaba/oss/access-logoss-disabled.yaml
new file mode 100644
index 00000000000..0bb84b52f04
--- /dev/null
+++ b/cloud/alibaba/oss/access-logoss-disabled.yaml
@@ -0,0 +1,62 @@
+id: access-logoss-disabled
+
+info:
+ name: Access Logging for OSS Buckets - Disabled
+ author: DhiyaneshDK
+ severity: medium
+ description: |
+ Disabling access logging for OSS buckets reduces the ability to monitor and audit access, increasing the risk of undetected unauthorized activity.
+ reference:
+ - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-OSS/enable-bucket-access-logging.html
+ - https://www.alibabacloud.com/help/en/oss/user-guide/getting-started
+ - https://www.alibabacloud.com/help/en/oss/user-guide/enable-logging
+ metadata:
+ max-request: 2
+ verified: true
+ tags: cloud,devops,aliyun,alibaba,aliyun-cloud-config,alibaba-oss
+
+variables:
+ region: "cn-hangzhou"
+
+flow: |
+ code(1)
+ for (let BucketName of iterate(template.bucketname)) {
+ set("bucket", BucketName)
+ code(2)
+ }
+
+self-contained: true
+
+code:
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aliyun oss ls --region $region
+
+ extractors:
+ - type: regex
+ name: bucketname
+ internal: true
+ regex:
+ - 'oss://([a-zA-Z0-9-]+)'
+
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aliyun oss logging --method get $bucket --region $region
+
+ matchers:
+ - type: word
+ words:
+ - ''
+ - ''
+ condition: and
+
+ extractors:
+ - type: dsl
+ dsl:
+ - 'bucket + " Access Logging for OSS Buckets is Disabled "'
\ No newline at end of file
diff --git a/cloud/alibaba/oss/limit-networkaccess-disabled.yaml b/cloud/alibaba/oss/limit-networkaccess-disabled.yaml
new file mode 100644
index 00000000000..923b2638fd6
--- /dev/null
+++ b/cloud/alibaba/oss/limit-networkaccess-disabled.yaml
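Review bot: The word matcher of the second code block is rendered here as two empty strings (`- ''`, `- ''`) under `condition: and`; an empty word is contained in every response, so as shown the template would report every bucket — and every CLI error message — as having logging disabled. If the real values were stripped during rendering (XML element names, for instance), this is moot, but it is worth confirming before merge. If I recall the GetBucketLogging response correctly, the disabled state is the absence of a `LoggingEnabled` element, so a `negative: true` word match on `LoggingEnabled` would express the check more directly than matching on two tokens with `and`. The unquoted `$bucket` in the shell source is bounded by the `[a-zA-Z0-9-]+` extractor regex, so that part is fine.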
@@ -0,0 +1,69 @@
+id: limit-networkaccess-disabled
+
+info:
+ name: Limit Network Access to Selected Networks - Disabled
+ author: DhiyaneshDK
+ severity: medium
+ description: |
+ Limit Network Access to Selected Networks in Alibaba OSS allows you to restrict access to your object storage service (OSS) to specific IP addresses or IP ranges, enhancing security by ensuring that only trusted networks can interact with your data."
+ reference:
+ - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-OSS/publicly-accessible-oss-bucket.html
+ - https://www.alibabacloud.com/help/en/oss/user-guide/block-public-access
+ metadata:
+ max-request: 2
+ verified: true
+ tags: cloud,devops,aliyun,alibaba,aliyun-cloud-config,alibaba-oss
+
+variables:
+ region: "cn-hangzhou"
+
+flow: |
+ code(1)
+ for (let BucketName of iterate(template.bucketname)) {
+ set("bucket", BucketName)
+ code(2)
+ }
+
+self-contained: true
+
+code:
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aliyun oss ls --region $region
+
+ extractors:
+ - type: regex
+ name: bucketname
+ internal: true
+ regex:
+ - 'oss://([a-zA-Z0-9-]+)'
+
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aliyun oss bucket-policy --method get $bucket --region $region
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '"IpAddress":'
+ - '"acs:SourceIp":'
+ negative: true
+
+ - type: word
+ words:
+ - '"Principal":'
+ - '"Resource":'
+ - '"Action":'
+ condition: and
+
+ extractors:
+ - type: dsl
+ dsl:
+ - 'bucket + " Limit Network Access to Selected Networks is Disabled "'
\ No newline at end of file
diff --git a/cloud/alibaba/oss/oos-bucket-public-access.yaml b/cloud/alibaba/oss/oos-bucket-public-access.yaml
new file mode 100644
index 00000000000..306fb185a9b
--- /dev/null
+++ b/cloud/alibaba/oss/oos-bucket-public-access.yaml
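Review bot: A bucket with no bucket policy at all is never reported, because the second matcher requires `"Principal":`, `"Resource":` and `"Action":` to all be present (`condition: and`), yet such a bucket has no network restriction either; the same gap exists in the `secure-transfeross-disabled.yaml` hunk, which uses the identical policy-presence matcher. If skipping policy-less buckets is deliberate, to keep noise down, the description should say so, e.g. append `Buckets without a bucket policy are not evaluated by this check.` Otherwise the policy-presence matcher should be dropped or inverted so that an empty or missing policy is also flagged. The description also ends with a stray `"` after `your data`.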
@@ -0,0 +1,67 @@
+id: oos-bucket-public-access
+
+info:
+ name: OSS Bucket Public Accessible
+ author: DhiyaneshDK
+ severity: high
+ description: |
+ Ensure that your Object Storage Service (OSS) buckets are not publicly accessible to the Internet in order to protect against unauthorized access. Allowing public, anonymous access through bucket ACLs and bucket policies gives everyone the ability to access bucket contents.
+ reference:
+ - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-OSS/publicly-accessible-oss-bucket.html
+ - https://www.alibabacloud.com/help/en/oss/user-guide/block-public-access
+ metadata:
+ max-request: 2
+ verified: true
+ tags: cloud,devops,aliyun,alibaba,aliyun-cloud-config,alibaba-oss
+
+variables:
+ region: "cn-hangzhou"
+
+flow: |
+ code(1)
+ for (let BucketName of iterate(template.bucketname)) {
+ set("bucket", BucketName)
+ code(2)
+ }
+
+self-contained: true
+
+code:
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aliyun oss ls --region $region
+
+ extractors:
+ - type: regex
+ name: bucketname
+ internal: true
+ regex:
+ - 'oss://([a-zA-Z0-9-]+)'
+
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aliyun oss stat $bucket --region $region
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'private'
+ negative: true
+
+ - type: word
+ words:
+ - 'public-read'
+ - 'public-read-write'
+ condition: or
+
+ extractors:
+ - type: dsl
+ dsl:
+ - 'bucket + " OSS Bucket is Public Accessible "'
\ No newline at end of file
diff --git a/cloud/alibaba/oss/secure-transfeross-disabled.yaml b/cloud/alibaba/oss/secure-transfeross-disabled.yaml
new file mode 100644
index 00000000000..85f0d76d48a
--- /dev/null
+++ b/cloud/alibaba/oss/secure-transfeross-disabled.yaml
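Review bot: The description claims to cover public access through both ACLs and bucket policies, but the check only runs `aliyun oss stat` and matches ACL values; a bucket whose ACL is `private` but whose bucket policy grants anonymous access is not reported, and the `negative: true` match on `private` would actively suppress it. Either narrow the description to the ACL, or add a second check on `aliyun oss bucket-policy --method get` as the sibling `limit-networkaccess-disabled.yaml` hunk does. The template id and file name `oos-bucket-public-access` read as a typo for `oss-`, inconsistent with the `alibaba-oss` tag and the other three files in this commit. Minor: `public-read-write` contains `public-read`, so the second word of the `condition: or` matcher never changes the outcome.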
@@ -0,0 +1,67 @@
+id: secure-transfeross-disabled
+
+info:
+ name: Secure Transfer for OSS Buckets - Disabled
+ author: DhiyaneshDK
+ severity: medium
+ description: |
+ Disabling secure transfer (HTTPS) for OSS buckets exposes data to potential interception. It is recommended to enable HTTPS to ensure encrypted communication and data security.
+ reference:
+ - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-OSS/enable-secure-transfer.html
+ - https://www.alibabacloud.com/help/en/oss/user-guide/use-bucket-policy-to-grant-permission-to-access-oss/
+ metadata:
+ max-request: 2
+ verified: true
+ tags: cloud,devops,aliyun,alibaba,aliyun-cloud-config,alibaba-oss
+
+variables:
+ region: "cn-hangzhou"
+
+flow: |
+ code(1)
+ for (let BucketName of iterate(template.bucketname)) {
+ set("bucket", BucketName)
+ code(2)
+ }
+
+self-contained: true
+
+code:
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aliyun oss ls --region $region
+
+ extractors:
+ - type: regex
+ name: bucketname
+ internal: true
+ regex:
+ - 'oss://([a-zA-Z0-9-]+)'
+
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aliyun oss bucket-policy --method get $bucket --region $region
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '"acs:SecureTransport":'
+ negative: true
+
+ - type: word
+ words:
+ - '"Resource":'
+ - '"Principal":'
+ condition: and
+
+ extractors:
+ - type: dsl
+ dsl:
+ - 'bucket + " Secure Transfer for OSS Buckets "'
\ No newline at end of file
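Review bot: The DSL extractor output `'bucket + " Secure Transfer for OSS Buckets "'` drops the state word that the other three templates emit, so the finding reads as a neutral label rather than a result; change it to `- 'bucket + " Secure Transfer for OSS Buckets is Disabled "'`. The word matcher only tests whether `"acs:SecureTransport":` appears anywhere in the policy, so a policy that merely mentions the key in an Allow statement, without denying insecure transport, passes the check; a word matcher cannot tell the two apart, and the description should state that the check verifies presence of the condition key, not enforcement. The policy-presence matcher (`"Resource":` and `"Principal":` with `condition: and`) has the same no-policy gap raised on the `limit-networkaccess-disabled.yaml` hunk.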