From ea66cadb7bac8487c9abf02ce2fedcc580bb0e8d Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Wed, 18 Dec 2024 10:34:06 +0530
Subject: [PATCH 1/2] Alibaba OSS Templates
---
cloud/alibaba/oss/access-logoss-disabled.yaml | 62 ++++++++++++++++
.../oss/limit-networkaccess-disabled.yaml | 71 +++++++++++++++++++
.../alibaba/oss/oos-bucket-public-access.yaml | 69 ++++++++++++++++++
.../oss/secure-transfeross-disabled.yaml | 69 ++++++++++++++++++
4 files changed, 271 insertions(+)
create mode 100644 cloud/alibaba/oss/access-logoss-disabled.yaml
create mode 100644 cloud/alibaba/oss/limit-networkaccess-disabled.yaml
create mode 100644 cloud/alibaba/oss/oos-bucket-public-access.yaml
create mode 100644 cloud/alibaba/oss/secure-transfeross-disabled.yaml
diff --git a/cloud/alibaba/oss/access-logoss-disabled.yaml b/cloud/alibaba/oss/access-logoss-disabled.yaml
new file mode 100644
index 00000000000..0bb84b52f04
--- /dev/null
+++ b/cloud/alibaba/oss/access-logoss-disabled.yaml
@@ -0,0 +1,62 @@
+id: access-logoss-disabled
+
+info:
+ name: Access Logging for OSS Buckets - Disabled
+ author: DhiyaneshDK
+ severity: medium
+ description: |
+ Disabling access logging for OSS buckets reduces the ability to monitor and audit access, increasing the risk of undetected unauthorized activity.
+ reference:
+ - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-OSS/enable-bucket-access-logging.html
+ - https://www.alibabacloud.com/help/en/oss/user-guide/getting-started
+ - https://www.alibabacloud.com/help/en/oss/user-guide/enable-logging
+ metadata:
+ max-request: 2
+ verified: true
+ tags: cloud,devops,aliyun,alibaba,aliyun-cloud-config,alibaba-oss
+
+variables:
+ region: "cn-hangzhou"
+
+flow: |
+ code(1)
+ for (let BucketName of iterate(template.bucketname)) {
+ set("bucket", BucketName)
+ code(2)
+ }
+
+self-contained: true
+
+code:
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aliyun oss ls --region $region
+
+ extractors:
+ - type: regex
+ name: bucketname
+ internal: true
+ regex:
+ - 'oss://([a-zA-Z0-9-]+)'
+
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aliyun oss logging --method get $bucket --region $region
+
+ matchers:
+ - type: word
+ words:
+ - ''
+ - ''
+ condition: and
+
+ extractors:
+ - type: dsl
+ dsl:
+ - 'bucket + " Access Logging for OSS Buckets is Disabled "'
\ No newline at end of file
diff --git a/cloud/alibaba/oss/limit-networkaccess-disabled.yaml b/cloud/alibaba/oss/limit-networkaccess-disabled.yaml
new file mode 100644
index 00000000000..4891faf0b5e
--- /dev/null
+++ b/cloud/alibaba/oss/limit-networkaccess-disabled.yaml
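Review bot: The matcher in the second `code` block of access-logoss-disabled.yaml has two empty-string `words` entries (`- ''`), and an empty word is contained in every response, so as written every bucket returned by `aliyun oss ls` is reported as having logging disabled regardless of what `aliyun oss logging --method get` prints. If the real strings were lost in rendering this only needs confirming; otherwise the matcher should key on what the CLI actually prints for an unconfigured bucket, for example a `negative: true` match on the element that names the log target when logging is enabled (`TargetBucket` in the OSS GetBucketLogging response — confirm against real CLI output). With `condition: and` on two identical words the condition also adds nothing and can be dropped once real words are in place.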
@@ -0,0 +1,71 @@
+id: limit-networkaccess-disabled
+
+info:
+ name: Limit Network Access to Selected Networks - Disabled
+ author: DhiyaneshDK
+ severity: medium
+ description: |
+ Limit Network Access to Selected Networks in Alibaba OSS allows you to restrict access to your object storage service (OSS) to specific IP addresses or IP ranges, enhancing security by ensuring that only trusted networks can interact with your data."
+ reference:
+ - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-OSS/publicly-accessible-oss-bucket.html
+ - https://www.alibabacloud.com/help/en/oss/user-guide/block-public-access
+ metadata:
+ max-request: 2
+ verified: true
+ tags: cloud,devops,aliyun,alibaba,aliyun-cloud-config,alibaba-oss
+
+variables:
+ region: "cn-hangzhou"
+
+flow: |
+ code(1)
+ for (let BucketName of iterate(template.bucketname)) {
+ set("bucket", BucketName)
+ code(2)
+ }
+
+self-contained: true
+
+code:
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aliyun oss ls --region $region
+
+ extractors:
+ - type: regex
+ name: bucketname
+ internal: true
+ regex:
+ - 'oss://([a-zA-Z0-9-]+)'
+
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aliyun oss bucket-policy --method get $bucket --region $region
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"IpAddress":'
+ - '"acs:SourceIp":'
+ negative: true
+
+ - type: word
+ part: body
+ words:
+ - '"Principal":'
+ - '"Resource":'
+ - '"Action":'
+ condition: and
+
+ extractors:
+ - type: dsl
+ dsl:
+ - 'bucket + " Limit Network Access to Selected Networks is Disabled "'
\ No newline at end of file
diff --git a/cloud/alibaba/oss/oos-bucket-public-access.yaml b/cloud/alibaba/oss/oos-bucket-public-access.yaml
new file mode 100644
index 00000000000..28edc5c293f
--- /dev/null
+++ b/cloud/alibaba/oss/oos-bucket-public-access.yaml
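Review bot: The `description` of limit-networkaccess-disabled.yaml ends with a stray `"` after `interact with your data.`; drop it. More importantly, `matchers-condition: and` combined with the second matcher requiring `"Principal":`, `"Resource":` and `"Action":` means a bucket with no bucket policy at all is never reported even though it has no `acs:SourceIp` restriction either, so either the no-policy case needs handling or the `name`/`description` should state that only buckets with a policy lacking an IP condition are flagged; the same precondition exists in secure-transfeross-disabled.yaml. Note also that `negative: true` over `"IpAddress":` / `"acs:SourceIp":` with the default `or` condition reports a bucket only when neither key appears anywhere in the policy, so a policy with an IP condition on one statement and an unconditional Allow on another passes silently.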
@@ -0,0 +1,69 @@
+id: oos-bucket-public-access
+
+info:
+ name: OSS Bucket Public Accessible
+ author: DhiyaneshDK
+ severity: high
+ description: |
+ Ensure that your Object Storage Service (OSS) buckets are not publicly accessible to the Internet in order to protect against unauthorized access. Allowing public, anonymous access through bucket ACLs and bucket policies gives everyone the ability to access bucket contents.
+ reference:
+ - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-OSS/publicly-accessible-oss-bucket.html
+ - https://www.alibabacloud.com/help/en/oss/user-guide/block-public-access
+ metadata:
+ max-request: 2
+ verified: true
+ tags: cloud,devops,aliyun,alibaba,aliyun-cloud-config,alibaba-oss
+
+variables:
+ region: "cn-hangzhou"
+
+flow: |
+ code(1)
+ for (let BucketName of iterate(template.bucketname)) {
+ set("bucket", BucketName)
+ code(2)
+ }
+
+self-contained: true
+
+code:
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aliyun oss ls --region $region
+
+ extractors:
+ - type: regex
+ name: bucketname
+ internal: true
+ regex:
+ - 'oss://([a-zA-Z0-9-]+)'
+
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aliyun oss stat $bucket --region $region
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'private'
+ negative: true
+
+ - type: word
+ part: body
+ words:
+ - 'public-read'
+ - 'public-read-write'
+ condition: or
+
+ extractors:
+ - type: dsl
+ dsl:
+ - 'bucket + " OSS Bucket is Public Accessible "'
\ No newline at end of file
diff --git a/cloud/alibaba/oss/secure-transfeross-disabled.yaml b/cloud/alibaba/oss/secure-transfeross-disabled.yaml
new file mode 100644
index 00000000000..d9de42b3389
--- /dev/null
+++ b/cloud/alibaba/oss/secure-transfeross-disabled.yaml
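Review bot: The file name and `id` spell the service `oos` (`oos-bucket-public-access`) while the `name`, `tags` and the other three templates use `oss`; rename to `oss-bucket-public-access.yaml` with `id: oss-bucket-public-access` before merging, since template ids are awkward to change once published. The matchers are bare substring checks on `aliyun oss stat` output: the `negative: true` match on `'private'` suppresses the finding if that word appears anywhere in the output, including in the bucket name that `stat` echoes back, so a public-read bucket named with "private" would not be reported. Anchoring both matchers on the ACL line as the CLI prints it (the label in front of `private` / `public-read` — confirm against real output) would avoid that false negative; `'public-read'` already covers `'public-read-write'` as a substring, so the second word only documents intent.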
@@ -0,0 +1,69 @@
+id: secure-transfeross-disabled
+
+info:
+ name: Secure Transfer for OSS Buckets - Disabled
+ author: DhiyaneshDK
+ severity: medium
+ description: |
+ Disabling secure transfer (HTTPS) for OSS buckets exposes data to potential interception. It is recommended to enable HTTPS to ensure encrypted communication and data security.
+ reference:
+ - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-OSS/enable-secure-transfer.html
+ - https://www.alibabacloud.com/help/en/oss/user-guide/use-bucket-policy-to-grant-permission-to-access-oss/
+ metadata:
+ max-request: 2
+ verified: true
+ tags: cloud,devops,aliyun,alibaba,aliyun-cloud-config,alibaba-oss
+
+variables:
+ region: "cn-hangzhou"
+
+flow: |
+ code(1)
+ for (let BucketName of iterate(template.bucketname)) {
+ set("bucket", BucketName)
+ code(2)
+ }
+
+self-contained: true
+
+code:
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aliyun oss ls --region $region
+
+ extractors:
+ - type: regex
+ name: bucketname
+ internal: true
+ regex:
+ - 'oss://([a-zA-Z0-9-]+)'
+
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aliyun oss bucket-policy --method get $bucket --region $region
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"acs:SecureTransport":'
+ negative: true
+
+ - type: word
+ part: body
+ words:
+ - '"Resource":'
+ - '"Principal":'
+ condition: and
+
+ extractors:
+ - type: dsl
+ dsl:
+ - 'bucket + " Secure Transfer for OSS Buckets "'
\ No newline at end of file
From 06c612231c8220dc736cfa531559b67f908d158f Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Mon, 23 Dec 2024 15:34:48 +0530
Subject: [PATCH 2/2] updated matchers
---
cloud/alibaba/oss/limit-networkaccess-disabled.yaml | 2 --
cloud/alibaba/oss/oos-bucket-public-access.yaml | 2 --
cloud/alibaba/oss/secure-transfeross-disabled.yaml | 2 --
3 files changed, 6 deletions(-)
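Review bot: The dsl extractor in secure-transfeross-disabled.yaml emits `" Secure Transfer for OSS Buckets "` without the `is Disabled` suffix the other three templates use, so the finding reads as a bucket name followed by the template title; change it to `- 'bucket + " Secure Transfer for OSS Buckets is Disabled "'`. The detection is also only a presence check: `negative: true` on `"acs:SecureTransport":` reports a bucket when no statement mentions the key, but a policy that references `acs:SecureTransport` in an Allow statement, or in a Deny that does not cover all actions and principals, still does not force HTTPS, so a bucket can pass this check while plain-HTTP access remains possible. If the policy JSON can be inspected in a dsl matcher, checking specifically for a Deny statement conditioned on `acs:SecureTransport` being false would match the control the `description` promises; otherwise the `name` should make clear that it only detects the key's absence.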
diff --git a/cloud/alibaba/oss/limit-networkaccess-disabled.yaml b/cloud/alibaba/oss/limit-networkaccess-disabled.yaml index 4891faf0b5e..923b2638fd6 100644 --- a/cloud/alibaba/oss/limit-networkaccess-disabled.yaml +++ b/cloud/alibaba/oss/limit-networkaccess-disabled.yaml @@ -51,14 +51,12 @@ code: matchers-condition: and matchers: - type: word - part: body words: - '"IpAddress":' - '"acs:SourceIp":' negative: true - type: word - part: body words: - '"Principal":' - '"Resource":' diff --git a/cloud/alibaba/oss/oos-bucket-public-access.yaml b/cloud/alibaba/oss/oos-bucket-public-access.yaml index 28edc5c293f..306fb185a9b 100644 --- a/cloud/alibaba/oss/oos-bucket-public-access.yaml +++ b/cloud/alibaba/oss/oos-bucket-public-access.yaml @@ -51,13 +51,11 @@ code: matchers-condition: and matchers: - type: word - part: body words: - 'private' negative: true - type: word - part: body words: - 'public-read' - 'public-read-write' diff --git a/cloud/alibaba/oss/secure-transfeross-disabled.yaml b/cloud/alibaba/oss/secure-transfeross-disabled.yaml index d9de42b3389..85f0d76d48a 100644 --- a/cloud/alibaba/oss/secure-transfeross-disabled.yaml +++ b/cloud/alibaba/oss/secure-transfeross-disabled.yaml @@ -51,13 +51,11 @@ code: matchers-condition: and matchers: - type: word - part: body words: - '"acs:SecureTransport":' negative: true - type: word - part: body words: - '"Resource":' - '"Principal":'