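    def check_internet_scheme(self, elb_item):
        """
        Alert when an ELB has an "internet-facing" scheme.

        A classic (non-VPC) internet-facing ELB is always reported. A VPC ELB
        is reported only when one of its attached security groups has an
        ingress rule whose CIDR is neither RFC 1918 private space nor on the
        network whitelist; the group name and offending CIDRs are attached as
        the issue notes.

        :param elb_item: item whose ``config`` dict is read for ``scheme``,
            ``vpc_id`` and ``security_groups``.
        """
        scheme = elb_item.config.get('scheme', None)
        vpc = elb_item.config.get('vpc_id', None)
        if scheme != u"internet-facing":
            return

        if not vpc:
            self.add_issue(1, 'ELB is Internet accessible.', elb_item)
            return

        # Grab each attached security group and determine whether it lets
        # public address space reach the ELB.
        for sgid in elb_item.config.get('security_groups', []):
            # Substring match on the item name -- shouldn't be more than one
            # with that ID. NOTE(review): LIKE wildcards (% or _) inside sgid
            # would widen the match; this assumes AWS-issued group ids only.
            sg = Item.query.filter(Item.name.ilike('%' + sgid + '%')).first()
            if not sg:
                # It's possible that the security group is new and not yet in the DB.
                continue
            if not sg.revisions:
                # Item row exists but has no revision to inspect yet.
                continue

            config = sg.revisions[0].config
            sg_cidrs = []
            for rule in config.get('rules', []):
                cidr = rule.get('cidr_ip', '')
                if rule.get('rule_type', None) != 'ingress' or not cidr:
                    continue
                # Private or explicitly whitelisted sources are not exposure;
                # the whitelist lookup only runs when the CIDR is not RFC 1918.
                if _check_rfc_1918(cidr) or self._check_inclusion_in_network_whitelist(cidr):
                    continue
                sg_cidrs.append(cidr)

            if sg_cidrs:
                notes = 'SG [{sgname}] via [{cidr}]'.format(
                    sgname=sg.name,
                    cidr=', '.join(sg_cidrs)
                )
                self.add_issue(1, 'VPC ELB is Internet accessible.', elb_item, notes=notes)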
    def check_rds_ec2_rfc1918(self, sg_item):
        """
        Alert if a non-VPC RDS security group contains RFC 1918 CIDRs.

        Groups with a ``vpc_id`` are skipped. For classic groups, every
        ``ip_ranges`` entry whose ``cidr_ip`` is in private address space
        raises one severity-8 issue with that CIDR as the note.
        """
        if sg_item.config.get("vpc_id", None):
            return

        tag = "Non-VPC RDS Security Group contains private RFC-1918 CIDR"
        severity = 8

        for ip_range in sg_item.config.get("ip_ranges", []):
            cidr = ip_range.get("cidr_ip", None)
            if not cidr:
                continue
            if _check_rfc_1918(cidr):
                self.add_issue(severity, tag, sg_item, notes=cidr)
    def check_rds_ec2_rfc1918(self, sg_item):
        """
        Alert if a non-VPC RDS security group contains RFC 1918 CIDRs.

        Returns early for VPC-scoped groups; otherwise each private
        ``cidr_ip`` found in ``ip_ranges`` becomes its own severity-8 issue
        whose note is the CIDR.
        """
        tag = "Non-VPC RDS Security Group contains private RFC-1918 CIDR"
        severity = 8

        if sg_item.config.get("vpc_id", None):
            return

        # Lazily pull the CIDR out of each range so checks and issues
        # still interleave per entry.
        cidrs = (ipr.get("cidr_ip", None) for ipr in sg_item.config.get("ip_ranges", []))
        for cidr in cidrs:
            if cidr and _check_rfc_1918(cidr):
                self.add_issue(severity, tag, sg_item, notes=cidr)
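    def check_internet_scheme(self, elb_item):
        """
        Alert when an ELB has an "internet-facing" scheme.

        Non-VPC internet-facing ELBs are always reported. VPC ELBs are
        reported when an attached security group carries an ingress rule
        from a CIDR that is neither RFC 1918 nor whitelisted; the group name
        and the CIDRs are recorded in the issue notes.

        :param elb_item: item whose ``config`` dict supplies ``scheme``,
            ``vpc_id`` and ``security_groups``.
        """
        scheme = elb_item.config.get('scheme', None)
        vpc = elb_item.config.get('vpc_id', None)
        internet_facing = scheme == u"internet-facing"

        if internet_facing and not vpc:
            self.add_issue(1, 'ELB is Internet accessible.', elb_item)
        elif internet_facing and vpc:
            # Grab each attached security group and determine if it
            # exposes a public IP range.
            security_groups = elb_item.config.get('security_groups', [])
            for sgid in security_groups:
                # shouldn't be more than one with that ID. NOTE(review):
                # this is a substring LIKE match, so % or _ in sgid would
                # act as wildcards -- assumes AWS-issued ids only.
                sg = Item.query.filter(Item.name.ilike('%' + sgid +
                                                       '%')).first()
                if not sg:
                    # It's possible that the security group is new and not yet in the DB.
                    continue
                if not sg.revisions:
                    # No revision stored yet, so there is no config to read.
                    continue

                config = sg.revisions[0].config
                sg_cidrs = []
                for rule in config.get('rules', []):
                    cidr = rule.get('cidr_ip', '')
                    if rule.get('rule_type', None) == 'ingress' and cidr:
                        # Whitelist lookup runs only for non-private CIDRs.
                        is_private = _check_rfc_1918(cidr)
                        if not is_private and not self._check_inclusion_in_network_whitelist(cidr):
                            sg_cidrs.append(cidr)
                if sg_cidrs:
                    notes = 'SG [{sgname}] via [{cidr}]'.format(
                        sgname=sg.name, cidr=', '.join(sg_cidrs))
                    self.add_issue(1,
                                   'VPC ELB is Internet accessible.',
                                   elb_item,
                                   notes=notes)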