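    def test_oil_can_scan_for_password_rotation_with_config(self):
        """Scan IAM password rotation with a custom plugin configuration.

        Registers ``IAMBarrel`` and ``UserPasswordRotationPlugin`` (with a
        ``plugin_config`` override), runs ``oil.scan()`` and asserts that
        ``results['aws']['iam']['user_password_rotation']`` is non-empty.

        ``assertNotEqual(plugin_results, [])`` only proves the plugin emitted
        something; it does not verify that the custom thresholds or message
        templates below were actually applied.  ``oil.scan()`` is not mocked
        here, so this presumably runs against whatever AWS credentials the
        test environment provides -- confirm before running in CI.
        """
        # Thresholds are presumably "days since last rotation"; the message
        # templates are formatted by the plugin with {days} / {username}.
        #
        # NOTE(review): the original literal listed
        # 'password_rotation_severity_0_message' twice, so its first value
        # ('{username} is not violating password rotation best practices')
        # was silently shadowed by the second ('No password for this user').
        # Only the effective (last) value is kept here; the "no password"
        # text most likely belongs under a separate config key -- confirm
        # against the keys UserPasswordRotationPlugin actually reads.
        plugin_config = {
            'password_rotation_severity_2_threshold': 180,
            'password_rotation_severity_1_threshold': 90,
            'password_rotation_severity_2_message':
                '{days} days since last rotation for {username} ',
            'password_rotation_severity_1_message':
                '{days} days since last rotation for {username}',
            'password_rotation_severity_0_message':
                'No password for this user',
        }

        oil = Oil()
        oil.register_barrel(IAMBarrel)
        oil.register_plugin(UserPasswordRotationPlugin, plugin_config)
        results = oil.scan()

        # Walk the nested result dict defensively so a missing level yields
        # an empty list (and a clear assertion failure) rather than KeyError.
        plugin_results = (
            results.get('aws', {})
            .get('iam', {})
            .get('user_password_rotation', [])
        )
        self.assertNotEqual(plugin_results, [])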
    def test_oil_can_scan_for_high_threat_ports_on_instances(self):
        """Run the EC2 high-threat-port plugin and expect at least one result.

        Registers ``EC2Barrel`` and ``InstanceHighThreatPortPlugin``, scans,
        and asserts ``results['aws']['ec2']['instance_high_threat_port']``
        is not an empty list.  Only non-emptiness is checked, not the content
        of the findings.  ``oil.scan()`` is not mocked -- presumably a live
        AWS call; confirm the test environment.
        """
        scanner = Oil()
        scanner.register_barrel(EC2Barrel)
        scanner.register_plugin(InstanceHighThreatPortPlugin)
        report = scanner.scan()

        findings = (
            report.get('aws', {})
            .get('ec2', {})
            .get('instance_high_threat_port', [])
        )
        self.assertNotEqual(findings, [])
    def test_oil_can_scan_for_public_ip_on_instances(self):
        """Run the EC2 public-IP plugin and expect at least one result.

        Registers ``EC2Barrel`` and ``PublicIpPlugin``, scans, and asserts
        ``results['aws']['ec2']['public_ip']`` is non-empty.  The assertion
        does not inspect individual findings.  ``oil.scan()`` is not mocked
        here -- presumably a live AWS call; confirm the test environment.
        """
        scanner = Oil()
        scanner.register_barrel(EC2Barrel)
        scanner.register_plugin(PublicIpPlugin)
        report = scanner.scan()

        ec2_section = report.get('aws', {}).get('ec2', {})
        findings = ec2_section.get('public_ip', [])

        self.assertNotEqual(findings, [])
    def test_oil_can_scan_for_name_tag_compliance(self):
        """Run the EC2 Name-tag plugin and expect at least one result.

        Registers ``EC2Barrel`` and ``InstanceNameTagPlugin``, scans, and
        asserts ``results['aws']['ec2']['instance_name_tag']`` is non-empty.
        Only non-emptiness is checked.  ``oil.scan()`` is not mocked here --
        presumably a live AWS call; confirm the test environment.
        """
        scanner = Oil()
        scanner.register_barrel(EC2Barrel)
        scanner.register_plugin(InstanceNameTagPlugin)
        report = scanner.scan()

        findings = (
            report.get('aws', {})
            .get('ec2', {})
            .get('instance_name_tag', [])
        )
        self.assertNotEqual(findings, [])
    def test_oil_can_scan_for_rds_public_db_instances(self):
        """Run the RDS public-DB-instance plugin and expect a result.

        Registers ``RDSBarrel`` and ``PublicDBInstancesPlugin``, scans, and
        asserts ``results['aws']['rds']['public_db_instances']`` is not an
        empty list.  The findings themselves are not inspected.
        ``oil.scan()`` is not mocked here -- presumably a live AWS call;
        confirm the test environment.
        """
        scanner = Oil()
        scanner.register_barrel(RDSBarrel)
        scanner.register_plugin(PublicDBInstancesPlugin)
        report = scanner.scan()

        rds_section = report.get('aws', {}).get('rds', {})
        findings = rds_section.get('public_db_instances', [])

        self.assertNotEqual(findings, [])
    def test_oil_can_scan_for_password_rotation_date_for_user(self):
        """Run the IAM password-rotation plugin with default configuration.

        Registers ``IAMBarrel`` and ``UserPasswordRotationPlugin`` (no
        config override), scans, and asserts
        ``results['aws']['iam']['user_password_rotation']`` is non-empty.
        Only non-emptiness is checked.  ``oil.scan()`` is not mocked here --
        presumably a live AWS call; confirm the test environment.
        """
        scanner = Oil()
        scanner.register_barrel(IAMBarrel)
        scanner.register_plugin(UserPasswordRotationPlugin)
        report = scanner.scan()

        findings = (
            report.get('aws', {})
            .get('iam', {})
            .get('user_password_rotation', [])
        )
        self.assertNotEqual(findings, [])
    def test_oil_can_scan_for_active_mfa_device_for_user(self):
        """Run the IAM user-MFA plugin with default configuration.

        Registers ``IAMBarrel`` and ``UserMFAPlugin``, scans, and asserts
        ``results['aws']['iam']['user_mfa']`` is not an empty list.  The
        findings themselves are not inspected.  ``oil.scan()`` is not mocked
        here -- presumably a live AWS call; confirm the test environment.
        """
        scanner = Oil()
        scanner.register_barrel(IAMBarrel)
        scanner.register_plugin(UserMFAPlugin)
        report = scanner.scan()

        iam_section = report.get('aws', {}).get('iam', {})
        findings = iam_section.get('user_mfa', [])

        self.assertNotEqual(findings, [])
    def test_oil_can_scan_for_access_key_usage(self):
        """Run the IAM access-key-usage plugin with default configuration.

        Registers ``IAMBarrel`` and ``AccessKeyUsagePlugin``, scans, and
        asserts ``results['aws']['iam']['access_key_usage']`` is non-empty.
        Only non-emptiness is checked.  ``oil.scan()`` is not mocked here --
        presumably a live AWS call; confirm the test environment.
        """
        scanner = Oil()
        scanner.register_barrel(IAMBarrel)
        scanner.register_plugin(AccessKeyUsagePlugin)
        report = scanner.scan()

        findings = (
            report.get('aws', {})
            .get('iam', {})
            .get('access_key_usage', [])
        )
        self.assertNotEqual(findings, [])
    def test_oil_can_scan_for_https_usage(self):
        """Run the CloudFront HTTPS plugin and expect at least one result.

        Registers ``CloudFrontBarrel`` and ``HTTPSPlugin``, scans, and asserts
        ``results['aws']['cloudfront']['https']`` is not an empty list.  The
        findings themselves are not inspected.  ``oil.scan()`` is not mocked
        here -- presumably a live AWS call; confirm the test environment.
        """
        scanner = Oil()
        scanner.register_barrel(CloudFrontBarrel)
        scanner.register_plugin(HTTPSPlugin)
        report = scanner.scan()

        cloudfront_section = report.get('aws', {}).get('cloudfront', {})
        findings = cloudfront_section.get('https', [])

        self.assertNotEqual(findings, [])
    def test_oil_can_scan_for_s3_origin_access_identity(self):
        """Run the CloudFront S3 origin-access-identity plugin.

        Registers ``CloudFrontBarrel`` and ``S3OriginAccessIdentityPlugin``,
        scans, and asserts
        ``results['aws']['cloudfront']['s3_origin_access_identity']`` is
        non-empty.  Only non-emptiness is checked.  ``oil.scan()`` is not
        mocked here -- presumably a live AWS call; confirm the test
        environment.
        """
        scanner = Oil()
        scanner.register_barrel(CloudFrontBarrel)
        scanner.register_plugin(S3OriginAccessIdentityPlugin)
        report = scanner.scan()

        findings = (
            report.get('aws', {})
            .get('cloudfront', {})
            .get('s3_origin_access_identity', [])
        )
        self.assertNotEqual(findings, [])
    def test_oil_can_scan_for_access_key_usage_with_custom_config(self):
        """Run the IAM access-key-usage plugin with custom thresholds.

        Registers ``IAMBarrel`` and ``AccessKeyUsagePlugin`` with a
        ``plugin_config`` override, scans, and asserts
        ``results['aws']['iam']['access_key_usage']`` is non-empty.  The
        assertion does not verify that the overridden thresholds were
        applied.  ``oil.scan()`` is not mocked here -- presumably a live AWS
        call; confirm the test environment.
        """
        # Presumably "days since the key was last used"; 90 -> severity two,
        # 60 -> severity one.  Verify against AccessKeyUsagePlugin.
        custom_thresholds = {
            'access_key_last_used_severity_two_threshold': 90,
            'access_key_last_used_severity_one_threshold': 60,
        }

        scanner = Oil()
        scanner.register_barrel(IAMBarrel)
        scanner.register_plugin(AccessKeyUsagePlugin, custom_thresholds)
        report = scanner.scan()

        iam_section = report.get('aws', {}).get('iam', {})
        findings = iam_section.get('access_key_usage', [])

        self.assertNotEqual(findings, [])
    def test_oil_can_scan_for_active_mfa_device_with_config(self):
        """Run the IAM user-MFA plugin with custom messages and severities.

        Registers ``IAMBarrel`` and ``UserMFAPlugin`` with a
        ``plugin_config`` override, scans, and asserts
        ``results['aws']['iam']['user_mfa']`` is non-empty.  The assertion
        does not check that the custom messages or severity levels were
        applied.  ``oil.scan()`` is not mocked here -- presumably a live AWS
        call; confirm the test environment.
        """
        # Message templates are formatted with {username}; both "not enabled"
        # severities are lowered to 1 for this test.  Root-user MFA being
        # absent is normally a high-severity finding -- this override is for
        # the test only, not a recommended production setting.
        mfa_config = {
            'root_user_enabled_message': 'Enabled: {username}',
            'root_user_not_enabled_message': 'Not Enabled: {username}',
            'root_user_not_enabled_severity_level': 1,
            'enabled_message': 'Enabled: {username}',
            'not_enabled_message': 'Not Enabled: {username}',
            'not_enabled_severity_level': 1,
        }

        scanner = Oil()
        scanner.register_barrel(IAMBarrel)
        scanner.register_plugin(UserMFAPlugin, mfa_config)
        report = scanner.scan()

        findings = (
            report.get('aws', {})
            .get('iam', {})
            .get('user_mfa', [])
        )
        self.assertNotEqual(findings, [])
    def test_oil_can_scan_for_total_users_with_config(self):
        """Run the IAM total-users plugin with custom thresholds/messages.

        Registers ``IAMBarrel`` and ``TotalUsersPlugin`` with a
        ``plugin_config`` override, scans, and asserts
        ``results['aws']['iam']['total_users']`` is non-empty.  The assertion
        does not verify that the overrides took effect.  ``oil.scan()`` is
        not mocked here -- presumably a live AWS call; confirm the test
        environment.
        """
        # Thresholds are presumably user counts (50 -> severity 2,
        # 20 -> severity 1); templates are formatted with {total_users}.
        total_users_config = {
            'total_users_severity_2_threshold': 50,
            'total_users_severity_1_threshold': 20,
            'total_users_severity_2_message': 'Total users: {total_users}',
            'total_users_severity_1_message': 'Total users: {total_users}',
            'total_users_severity_0_message': 'Total users: {total_users}',
            'no_users_message': 'No users in this AWS account',
        }

        scanner = Oil()
        scanner.register_barrel(IAMBarrel)
        scanner.register_plugin(TotalUsersPlugin, total_users_config)
        report = scanner.scan()

        iam_section = report.get('aws', {}).get('iam', {})
        findings = iam_section.get('total_users', [])

        self.assertNotEqual(findings, [])
    def test_oil_can_scan_for_total_users(self):
        """Run the IAM total-users plugin selected via an ``Oil`` config.

        Builds a scanner-level config that names the ``total_users`` plugin
        under ``aws.iam.plugins``, passes it to ``Oil(config)``, registers
        ``IAMBarrel`` and ``TotalUsersPlugin``, scans, and asserts
        ``results['aws']['iam']['total_users']`` is non-empty.  Only
        non-emptiness is checked.  ``oil.scan()`` is not mocked here --
        presumably a live AWS call; confirm the test environment.
        """
        # Plugin selection by name; the 'name' value must match the plugin's
        # result key ('total_users') for the lookup below to find anything.
        plugin_entry = {'name': 'total_users'}
        scanner_config = {
            'aws': {
                'iam': {
                    'plugins': [plugin_entry],
                },
            },
        }

        scanner = Oil(scanner_config)
        scanner.register_barrel(IAMBarrel)
        scanner.register_plugin(TotalUsersPlugin)
        report = scanner.scan()

        findings = (
            report.get('aws', {})
            .get('iam', {})
            .get('total_users', [])
        )
        self.assertNotEqual(findings, [])