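    def audit_impl(self):
        """
        Audit security group egress rules that are open to the world.

        Every egress embedded in a security group, and every standalone
        egress resource of the template, is passed to IpAddr.ip4_open and
        IpAddr.ip6_open; a rule for which either returns a truthy value is
        reported.

        :return: list of logical resource ids (as str) of the violating
                 security groups / standalone egress resources, one entry
                 per open egress
        """
        if self.debug:
            print('SecurityGroupEgressOpenToWorldRule - audit_impl' + lineno())

        def is_open(rule):
            """True when the IPv4 or the IPv6 side of *rule* is open to the world."""
            return (IpAddr.ip4_open(rule, debug=self.debug)
                    or IpAddr.ip6_open(rule, debug=self.debug))

        violating_egresses = []

        for group in self.cfn_model.security_groups():
            if self.debug:
                print('group: ' + str(group) + lineno())
                print('vars: ' + str(vars(group)) + lineno())

            for egress in group.egresses:
                if self.debug:
                    print('egress: ' + str(egress) + lineno())

                if is_open(egress):
                    if self.debug:
                        print('ip4/6 address is open' + lineno())
                    violating_egresses.append(str(group.logical_resource_id))

        routes = self.cfn_model.standalone_egress()
        if self.debug:
            print('routes: ' + str(routes) + lineno())

        for standalone_egress in routes:
            if self.debug:
                print('standalone_egress: ' + str(standalone_egress) + lineno())
                print('vars: ' + str(vars(standalone_egress)) + lineno())

            if is_open(standalone_egress):
                if self.debug:
                    print('ip4/6 address is open' + lineno())
                # str() for consistency with the security-group branch: the
                # original appended the raw id here and a str above, so the
                # returned list mixed types.
                violating_egresses.append(
                    str(standalone_egress.logical_resource_id))

        return violating_egresses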
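    def test_ip6_open(self):
        """An ingress whose CidrIp is ``::/0`` must be reported as open."""
        expected_result = True

        # A plain literal; the original built this in a local named `dict`,
        # shadowing the builtin.
        ingress = {'CidrIp': '::/0'}

        real_result = class_to_test.ip6_open(ingress=ingress, debug=False)

        print('expected results: ' + str(expected_result))
        print('real results: ' + str(real_result))

        self.maxDiff = None
        self.assertEqual(expected_result, real_result)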
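    def test_ip4_not_open_list(self):
        """A list holding a single /32 IPv4 ingress must not be reported as open."""
        expected_result = False

        # One-element list literal; the original built it via append() in a
        # local named `dict`, shadowing the builtin.
        ingresses = [{'CidrIp': '192.168.1.0/32'}]

        # debug=True is kept from the original (the sibling tests use False);
        # it only affects the checker's diagnostic output.
        real_result = class_to_test.ip4_open(ingress=ingresses, debug=True)

        print('expected results: ' + str(expected_result))
        print('real results: ' + str(real_result))

        self.maxDiff = None
        self.assertEqual(expected_result, real_result)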
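    def test_ip4_not_open(self):
        """A single /32 IPv4 ingress must not be reported as open."""
        expected_result = False

        # Plain literal; the original used a local named `dict`, shadowing
        # the builtin.
        ingress = {'CidrIp': '192.168.1.0/32'}

        real_result = class_to_test.ip4_open(ingress=ingress, debug=False)

        print('expected results: ' + str(expected_result))
        print('real results: ' + str(real_result))

        self.maxDiff = None
        self.assertEqual(expected_result, real_result)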
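    def test_ip6_range_list(self):
        """A list holding a /64 IPv6 ingress must not count as a host-sized range."""
        expected_result = False

        # One-element list literal; the original built it via append() in a
        # local named `dict`, shadowing the builtin.
        # NOTE(review): the address literal has only seven hextets (a valid
        # IPv6 address has eight, or a '::'); whether ip6_cidr_range returns
        # False because of the /64 prefix or because the address is
        # malformed is not distinguished by this test — confirm the intent.
        ingresses = [{'CidrIp': '2001:0db8:85a3:0000:0000:8a2e:0370/64'}]

        real_result = class_to_test.ip6_cidr_range(ingress=ingresses, debug=False)

        print('expected results: ' + str(expected_result))
        print('real results: ' + str(real_result))

        self.maxDiff = None
        self.assertEqual(expected_result, real_result)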
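    def test_ip6_no_range(self):
        """A /128 IPv6 ingress must count as a host-sized range."""
        expected_result = True

        # Plain literal; the original used a local named `dict`, shadowing
        # the builtin.
        # NOTE(review): the address literal has only seven hextets (a valid
        # IPv6 address has eight, or a '::'); the checker evidently only
        # looks at the prefix length here — confirm that is intended.
        ingress = {'CidrIp': '2001:0db8:85a3:0000:0000:8a2e:0370/128'}

        real_result = class_to_test.ip6_cidr_range(ingress=ingress, debug=False)

        print('expected results: ' + str(expected_result))
        print('real results: ' + str(real_result))

        self.maxDiff = None
        self.assertEqual(expected_result, real_result)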
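    def audit_impl(self):
        """
        Audit security group ingress rules whose CIDR is wider than a
        single host (/32 for IPv4, /128 for IPv6).

        Both the ingress rules embedded in each security group and the
        standalone ingress resources of the template are inspected. The
        range checks are delegated to IpAddr.ip4_cidr_range and
        IpAddr.ip6_cidr_range, which return a truthy value for a
        host-sized range.

        Behavioural fixes over the previous version of this rule:
        - a list-valued ingress is now flagged only when at least one of
          its items is wider than a host (previously every list was
          flagged, because the ``continue`` only skipped the inner loop);
        - an object ingress carrying ``cidrIpv6`` is now checked
          (previously it was unconditionally skipped);
        - a standalone resource with a /32 ``cidrIp`` still has its
          ``cidrIpv6`` checked, and is appended at most once.

        :return: list of logical resource ids (as str) of the violating
                 resources, one entry per offending ingress
        """
        if self.debug:
            print('SecurityGroupIngressCidrNon32Rule - audit_impl' + lineno())

        logical_resource_ids = []

        def host_sized(entry):
            """True when *entry* passes either the IPv4 or the IPv6 range check."""
            return bool(IpAddr.ip4_cidr_range(entry, debug=self.debug)
                        or IpAddr.ip6_cidr_range(entry, debug=self.debug))

        def flag(resource_id):
            """Record *resource_id* as a violation, with the debug banner."""
            if self.debug:
                print("\n\n##########################################################")
                print('Resource is not valid - appending to list')
                print('logical resource id: ' + str(resource_id) + lineno())
                print("#############################################################\n")
            logical_resource_ids.append(str(resource_id))

        def object_is_wide(ingress):
            """
            Range check for an ingress that is neither a dict nor a list
            (an object carrying ``cidrIp`` / ``cidrIpv6`` attributes).

            Returns None when the object has no CIDR attribute at all,
            True when at least one of its CIDRs is wider than a host,
            False otherwise.
            """
            has_v4 = hasattr(ingress, 'cidrIp')
            has_v6 = hasattr(ingress, 'cidrIpv6')
            if not has_v4 and not has_v6:
                return None
            # NOTE(review): the whole object is handed to the checkers, as the
            # original did for group ingresses; the standalone branch below
            # passes the attribute value instead — confirm which form IpAddr
            # expects.
            if has_v4 and not IpAddr.ip4_cidr_range(ingress, debug=self.debug):
                return True
            if has_v6 and not IpAddr.ip6_cidr_range(ingress, debug=self.debug):
                return True
            return False

        # Iterate over each of the security groups in the cloudformation template
        for group in self.cfn_model.security_groups():
            if self.debug:
                print('group: ' + str(group) + lineno())
                print('vars: ' + str(vars(group)) + lineno())

            if not hasattr(group, 'ingresses'):
                # Preserved from the original: a security group without an
                # 'ingresses' attribute aborts the whole audit.
                sys.exit(1)

            for ingress in group.ingresses:
                if self.debug:
                    print('ingresses: ' + str(ingress) + lineno())

                if isinstance(ingress, dict):
                    if self.debug:
                        print('ingress is a dict' + lineno())
                    if host_sized(ingress):
                        if self.debug:
                            print('ip4/6 address is /32 or /128' + lineno())
                        continue
                    if self.debug:
                        print('ip4/6 address does not end with /32 or /128'
                              + lineno())
                    flag(group.logical_resource_id)

                elif isinstance(ingress, list):
                    if self.debug:
                        print("ingress is a list() " + lineno())
                    # Flag the group only when some item is wider than a host.
                    if not all(host_sized(item) for item in ingress):
                        flag(group.logical_resource_id)
                    elif self.debug:
                        print('ip4/6 address is /32 or /128' + lineno())

                else:
                    if self.debug:
                        print('vars: ' + str(vars(ingress)) + lineno())
                        print('ingress is not a list or dict' + lineno())
                    wide = object_is_wide(ingress)
                    if wide is None:
                        if self.debug:
                            print('does not have a cidr entry')
                    elif wide:
                        flag(group.logical_resource_id)
                    elif self.debug:
                        print('ip4/6 address is /32 or /128' + lineno())

        if self.debug:
            print('violations: ' + str(list(set(logical_resource_ids))) +
                  lineno())
            print('Getting all the standalone ingress resources')

        # Standalone ingress resources (not embedded in a security group).
        for resource in self.cfn_model.standalone_ingress():
            if self.debug:
                print("\n\n#########################################")
                print('standalone resource: ' + str(resource) + lineno())
                print('vars: ' + str(vars(resource)) + lineno())
                print('type: ' + str(type(resource)) + lineno())
                print("############################################\n")

            wide = False
            if hasattr(resource, 'cidrIp'):
                if self.debug:
                    print('has cidrIp attributes' + lineno())
                wide = not IpAddr.ip4_cidr_range(resource.cidrIp,
                                                 debug=self.debug)

            if hasattr(resource, 'cidrIpv6'):
                if self.debug:
                    print('has cidrIpv6 attributes' + lineno())
                # Checked even when the IPv4 side is host-sized; the original
                # `continue`d after a /32 cidrIp and never looked at cidrIpv6.
                wide = wide or not IpAddr.ip6_cidr_range(resource.cidrIpv6,
                                                         debug=self.debug)

            if wide:
                if self.debug:
                    print('ip4/6 address does not end with /32 or /128' +
                          lineno())
                # One entry per resource; str() matches the group branch.
                logical_resource_ids.append(str(resource.logical_resource_id))
            elif self.debug:
                print('ip4/6 address is /32 or /128' + lineno())

        if self.debug:
            print('violations: ' + str(list(set(logical_resource_ids))) +
                  lineno())

        return logical_resource_ids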