def collect_exposure(args, db_table):
myCI = al_ci_client.CloudInsight(args)
myEnv = myCI.get_environments()
if myEnv:
remediations = myCI.get_remediations_short()
item_payload = []
for remediation in remediations["remediations"]["assets"]:
for exposure in remediation["vulnerabilities"]:
exposure["remediation_id"] = remediation["remediation_id"]
exposure["deployment_id"] = remediation["deployment_id"]
exposure["account_id"] = remediation["account_id"]
exposure["vul_map_sort_key"] = str(
remediation["deployment_id"]) + "/" + str(
args["date_marker"])
item_payload.append(exposure)
logger.info(
"Batch write to: {0} - CID: {1} - EnvId: {2} - Total: {3}".format(
args['db_name'], myEnv["account_id"], myEnv["id"],
len(item_payload)))
if db_table.write_to_table(item_payload,
args["date_marker"],
['vulnerability_id', 'vul_map_sort_key'],
ttl=create_ttl_time(int(args["ttl"]))):
logger.info("Batch write Completed")
else:
logger.error("Cant read environment ID: {0}".format(args['env_id']))
def find_all_child(args):
myCI = al_ci_client.CloudInsight(args)
CID_DICT = myCI.get_all_child()
COMBINED_PLAN = []
#Grab Parent CID and search per Environment
logger.info("### PROCESSING PARENT CID ###")
COMBINED_PLAN.append(monitor_per_cid(args))
#Loop through the child and find all private IP's
if len(CID_DICT["accounts"]) > 0:
logger.info("### PROCESSING CHILD CID ###")
for CHILD in CID_DICT["accounts"]:
child_args = deepcopy(args)
child_args["acc_id"] = CHILD["id"]
CHILD_PLAN = monitor_per_cid(child_args)
if CHILD_PLAN['environments']:
COMBINED_PLAN.append(CHILD_PLAN)
logger.info("\nAll CID results: {0}".format(
json.dumps(COMBINED_PLAN, sort_keys=True, indent=2)))
FINAL_FILE_NAME = str(
time.strftime("%Y%m%d-%H%M%S")) + "_final_output.json"
args["file_name"] = FINAL_FILE_NAME
write_to_s3(
args,
json.dumps(COMBINED_PLAN, indent=2, sort_keys=True, ensure_ascii=True))
logger.info("Results stored in: {0}".format(FINAL_FILE_NAME))
def get_disposed_asset_item(args):
myCI = al_ci_client.CloudInsight(args)
query_args = {}
query_args["asset_types"] = "v:vulnerability"
query_args["v.disposed"] = "true"
query_args["v.remediation_id"] = args["remediation_id"]
return myCI.get_asset_custom(query_args)
def collect_total_host_scanned(args):
myCI = al_ci_client.CloudInsight(args)
myEnv = myCI.get_scheduler_summary()
if myEnv:
return myEnv["summary"]
else:
return False
def temp_count_host_with_aws_config_vul(args):
myCI = al_ci_client.CloudInsight(args)
myEnv = myCI.get_environments()
if myEnv:
#ALL VULNERABILITY RELATED TO HOST (AWS CONFIG + APP LEVEL)
query_args = {}
query_args["asset_types"] = "h:host,v:vulnerability"
query_args["v.severity"] = "$VAR"
query_args["VAR.type"] = "string[]"
query_args["VAR.value"] = "info,low,medium,high"
query_args["VAR.comparison"] = "member_of"
query_args["query_format"] = "v2"
host_all_vulnerability = myCI.get_asset_custom(query_args)
#ALL APP LEVEL VULNERABILITY RELATED TO HOST
query_args = {}
query_args["asset_types"] = "h:host,v:vulnerability"
query_args["v.scope_scan_severity"] = "$VAR"
query_args["VAR.type"] = "string[]"
query_args["VAR.value"] = "Info,Low,Medium,High"
query_args["VAR.comparison"] = "member_of"
query_args["query_format"] = "v2"
host_app_vulnerability = myCI.get_asset_custom(query_args)
result = int(host_all_vulnerability["rows"]) - int(
host_app_vulnerability["rows"])
return result
else:
return 0
def validate_cid(args):
myCID = al_ci_client.CloudInsight(args)
cid_response = myCID.get_cid_details(args['id'])
if cid_response:
return cid_response['active']
else:
return False
def validate_cred(args):
try:
print(args)
myCred = al_ci_client.CloudInsight(args)
logger.info(myCred.token)
return myCred.token
except ClientError as e:
logger.error(e.response['Error']['Message'])
return False
def collect_remediation(args, db_table):
myCI = al_ci_client.CloudInsight(args)
myEnv = myCI.get_environments()
if myEnv:
remediations = myCI.get_remediations_short()
logger.info(
"Batch write to: {0} - CID: {1} - EnvId: {2} - Total: {3}".format(
args['db_name'], myEnv["account_id"], myEnv["id"],
remediations["remediations"]["rows"]))
if db_table.write_to_table(remediations["remediations"]["assets"],
args["date_marker"],
ttl=create_ttl_time(int(args["ttl"]))):
logger.info("Batch write Completed")
else:
error_handler(args, "collect_remediation")
else:
logger.error("Cant read environment ID: {0}".format(args['env_id']))
def find_all_child(args):
#Get and decrypt credentials
args["password"] = boto3.client('kms').decrypt(
CiphertextBlob=b64decode(os.environ["PASSWORD"]))['Plaintext']
args["user"] = os.environ["USER_NAME"]
args["acc_id"] = os.environ["CID"]
args['s3_bucket'] = os.environ["S3_BUCKET_NAME"]
args['yarp'] = os.environ["YARP"]
args['source'] = "driver-disposed-report"
args['log_level'] = "info"
args['type'] = "find_disposed"
WORKER_NAME = os.environ["WORKER_NAME"]
WORKER_INVOCATION = os.environ["WORKER_INVOCATION"]
myCI = al_ci_client.CloudInsight(args)
#Grab Parent CID and find disposed report
logger.info("### PROCESSING PARENT CID ###")
lambda_client = boto3.client('lambda')
response = invoke_lambda(WORKER_NAME, args, lambda_client,
WORKER_INVOCATION)
logger.info("Invoke: {0}:{1} - for CID: {2} - Status: {3}".format(
WORKER_NAME, args['type'], args['acc_id'], response))
if os.environ["FIND_CHILD"] == "True":
#Loop through the child and make recurvise call to find disposed report
CID_DICT = myCI.get_all_child()
if len(CID_DICT["accounts"]) > 0:
logger.info("### PROCESSING CHILD CID ###")
for CHILD in CID_DICT["accounts"]:
child_args = deepcopy(args)
child_args["acc_id"] = CHILD["id"]
response = invoke_lambda(WORKER_NAME, child_args, lambda_client,
WORKER_INVOCATION)
logger.info("Invoke: {0}:{1} - for CID: {2} - Status: {3}".format(
WORKER_NAME, child_args['type'], child_args['acc_id'],
response))
else:
logger.info("### SKIP CHILD CID ###")
def collect_vulnerability(args, db_table):
myCI = al_ci_client.CloudInsight(args)
myEnv = myCI.get_environments()
if myEnv:
query_args = {}
query_args["asset_types"] = "vulnerability"
vulnerabilities = myCI.get_asset_custom(query_args)
item_payload = []
for vulnerability in vulnerabilities["assets"]:
temp_item = {}
temp_item["account_id"] = myEnv["account_id"]
temp_item["deployment_id"] = myEnv["id"]
temp_item["key"] = vulnerability[0]["key"]
temp_item["name"] = vulnerability[0]["name"]
temp_item["vulnerability_id"] = vulnerability[0][
"vulnerability_id"]
temp_item["threat_score"] = vulnerability[0]["threat_score"]
#DynamoDB did not support empty attributes value
if vulnerability[0]["details"] != "":
temp_item["details"] = vulnerability[0]["details"]
else:
temp_item["details"] = "N/A"
temp_item["disposed"] = vulnerability[0]["disposed"]
temp_item["cvss_score"] = vulnerability[0]["cvss_score"]
item_payload.append(temp_item)
logger.info(
"Batch write to: {0} - CID: {1} - EnvId: {2} - Total: {3}".format(
args['db_name'], myEnv["account_id"], myEnv["id"],
len(item_payload)))
db_table.write_to_table(item_payload,
args["date_marker"],
ttl=create_ttl_time(int(args["ttl"])))
logger.info("Batch write sent")
else:
logger.error("Cant read environment ID: {0}".format(args['env_id']))
def collect_host_that_vulnerable(args):
myCI = al_ci_client.CloudInsight(args)
myEnv = myCI.get_environments()
if myEnv:
query_args = {}
query_args["asset_types"] = "h:host,v:vulnerability"
query_args["v.severity"] = "$VAR"
query_args["VAR.type"] = "string[]"
query_args["VAR.value"] = "info,low,medium,high"
query_args["VAR.comparison"] = "member_of"
query_args["query_format"] = "v2"
host_that_vulnerable = myCI.get_asset_custom(query_args)
host_that_vulnerable_high = []
host_that_vulnerable_medium = []
host_that_vulnerable_low = []
host_that_vulnerable_info = []
host_that_vulnerable_total = []
host_that_vulnerable_high_or_medium = []
for host in host_that_vulnerable["assets"]:
if host[1]["severity"] == "high":
host_that_vulnerable_high.append(host[0]["instance_id"])
host_that_vulnerable_high_or_medium.append(
host[0]["instance_id"])
elif host[1]["severity"] == "medium":
host_that_vulnerable_medium.append(host[0]["instance_id"])
host_that_vulnerable_high_or_medium.append(
host[0]["instance_id"])
elif host[1]["severity"] == "low":
host_that_vulnerable_low.append(host[0]["instance_id"])
elif host[1]["severity"] == "info":
host_that_vulnerable_info.append(host[0]["instance_id"])
host_that_vulnerable_total.append(host[0]["instance_id"])
result = {}
result["total"] = len(set(host_that_vulnerable_total))
result["high"] = len(set(host_that_vulnerable_high))
result["medium"] = len(set(host_that_vulnerable_medium))
result["low"] = len(set(host_that_vulnerable_low))
result["info"] = len(set(host_that_vulnerable_info))
result["high_medium"] = len(set(host_that_vulnerable_high_or_medium))
logger.info(
"CID: {0} - EnvId: {1} - Total Unique Host with vulnerabilities: {2}"
.format(myEnv["account_id"], myEnv["id"], result["total"]))
logger.info(
"|- CID: {0} - EnvId: {1} - Total Host with vulnerability High: {2}"
.format(myEnv["account_id"], myEnv["id"], result["high"]))
logger.info(
"|- CID: {0} - EnvId: {1} - Total Host with vulnerability Medium: {2}"
.format(myEnv["account_id"], myEnv["id"], result["medium"]))
logger.info(
"|- CID: {0} - EnvId: {1} - Total Host with vulnerability Low: {2}"
.format(myEnv["account_id"], myEnv["id"], result["low"]))
logger.info(
"|- CID: {0} - EnvId: {1} - Total Host with vulnerability Info: {2}"
.format(myEnv["account_id"], myEnv["id"], result["info"]))
logger.info(
"|- CID: {0} - EnvId: {1} - Total Host with vulnerability High & Medium: {2}"
.format(myEnv["account_id"], myEnv["id"], result["high_medium"]))
return result
else:
return False
def find_all_child(args):
myCI = al_ci_client.CloudInsight(args)
CID_DICT = myCI.get_all_child()
grand_total_host_vulnerability = {}
grand_total_host_vulnerability["high"] = 0
grand_total_host_vulnerability["medium"] = 0
grand_total_host_vulnerability["low"] = 0
grand_total_host_vulnerability["info"] = 0
grand_total_non_host_vulnerability = {}
grand_total_non_host_vulnerability["high"] = 0
grand_total_non_host_vulnerability["medium"] = 0
grand_total_non_host_vulnerability["low"] = 0
grand_total_non_host_vulnerability["info"] = 0
grand_total_host_with_vulnerability = {}
grand_total_host_with_vulnerability["total"] = 0
grand_total_host_with_vulnerability["high"] = 0
grand_total_host_with_vulnerability["medium"] = 0
grand_total_host_with_vulnerability["low"] = 0
grand_total_host_with_vulnerability["info"] = 0
grand_total_host_with_vulnerability["high_medium"] = 0
grand_total_host = {}
grand_total_host["scanned"] = 0
grand_total_host["total"] = 0
#Grab Parent CID vulnerability
logger.info("### PROCESSING PARENT CID ###")
per_cid_total_host_vulnerability, per_cid_total_non_host_vulnerability, per_cid_total_host_with_vulnerability, per_cid_total_host = monitor_per_cid(
args)
grand_total_host_vulnerability["high"] = grand_total_host_vulnerability[
"high"] + per_cid_total_host_vulnerability["high"]
grand_total_host_vulnerability["medium"] = grand_total_host_vulnerability[
"medium"] + per_cid_total_host_vulnerability["medium"]
grand_total_host_vulnerability["low"] = grand_total_host_vulnerability[
"low"] + per_cid_total_host_vulnerability["low"]
grand_total_host_vulnerability["info"] = grand_total_host_vulnerability[
"info"] + per_cid_total_host_vulnerability["info"]
grand_total_non_host_vulnerability[
"high"] = grand_total_non_host_vulnerability[
"high"] + per_cid_total_non_host_vulnerability["high"]
grand_total_non_host_vulnerability[
"medium"] = grand_total_non_host_vulnerability[
"medium"] + per_cid_total_non_host_vulnerability["medium"]
grand_total_non_host_vulnerability[
"low"] = grand_total_non_host_vulnerability[
"low"] + per_cid_total_non_host_vulnerability["low"]
grand_total_non_host_vulnerability[
"info"] = grand_total_non_host_vulnerability[
"info"] + per_cid_total_non_host_vulnerability["info"]
grand_total_host_with_vulnerability[
"total"] = grand_total_host_with_vulnerability[
"total"] + per_cid_total_host_with_vulnerability["total"]
grand_total_host_with_vulnerability[
"high"] = grand_total_host_with_vulnerability[
"high"] + per_cid_total_host_with_vulnerability["high"]
grand_total_host_with_vulnerability[
"medium"] = grand_total_host_with_vulnerability[
"medium"] + per_cid_total_host_with_vulnerability["medium"]
grand_total_host_with_vulnerability[
"low"] = grand_total_host_with_vulnerability[
"low"] + per_cid_total_host_with_vulnerability["low"]
grand_total_host_with_vulnerability[
"info"] = grand_total_host_with_vulnerability[
"info"] + per_cid_total_host_with_vulnerability["info"]
grand_total_host_with_vulnerability[
"high_medium"] = grand_total_host_with_vulnerability[
"high_medium"] + per_cid_total_host_with_vulnerability[
"high_medium"]
grand_total_host["scanned"] = grand_total_host[
"scanned"] + per_cid_total_host["scanned"]
grand_total_host[
"total"] = grand_total_host["total"] + per_cid_total_host["total"]
#Loop through the child for vulnerability
if len(CID_DICT["accounts"]) > 0:
logger.info("### PROCESSING CHILD CID ###")
for CHILD in CID_DICT["accounts"]:
child_args = deepcopy(args)
child_args["acc_id"] = CHILD["id"]
per_cid_total_host_vulnerability, per_cid_total_non_host_vulnerability, per_cid_total_host_with_vulnerability, per_cid_total_host = monitor_per_cid(
child_args)
grand_total_host_vulnerability[
"high"] = grand_total_host_vulnerability[
"high"] + per_cid_total_host_vulnerability["high"]
grand_total_host_vulnerability[
"medium"] = grand_total_host_vulnerability[
"medium"] + per_cid_total_host_vulnerability["medium"]
grand_total_host_vulnerability["low"] = grand_total_host_vulnerability[
"low"] + per_cid_total_host_vulnerability["low"]
grand_total_host_vulnerability[
"info"] = grand_total_host_vulnerability[
"info"] + per_cid_total_host_vulnerability["info"]
grand_total_non_host_vulnerability[
"high"] = grand_total_non_host_vulnerability[
"high"] + per_cid_total_non_host_vulnerability["high"]
grand_total_non_host_vulnerability[
"medium"] = grand_total_non_host_vulnerability[
"medium"] + per_cid_total_non_host_vulnerability["medium"]
grand_total_non_host_vulnerability[
"low"] = grand_total_non_host_vulnerability[
"low"] + per_cid_total_non_host_vulnerability["low"]
grand_total_non_host_vulnerability[
"info"] = grand_total_non_host_vulnerability[
"info"] + per_cid_total_non_host_vulnerability["info"]
grand_total_host_with_vulnerability[
"total"] = grand_total_host_with_vulnerability[
"total"] + per_cid_total_host_with_vulnerability["total"]
grand_total_host_with_vulnerability[
"high"] = grand_total_host_with_vulnerability[
"high"] + per_cid_total_host_with_vulnerability["high"]
grand_total_host_with_vulnerability[
"medium"] = grand_total_host_with_vulnerability[
"medium"] + per_cid_total_host_with_vulnerability["medium"]
grand_total_host_with_vulnerability[
"low"] = grand_total_host_with_vulnerability[
"low"] + per_cid_total_host_with_vulnerability["low"]
grand_total_host_with_vulnerability[
"info"] = grand_total_host_with_vulnerability[
"info"] + per_cid_total_host_with_vulnerability["info"]
grand_total_host_with_vulnerability[
"high_medium"] = grand_total_host_with_vulnerability[
"high_medium"] + per_cid_total_host_with_vulnerability[
"high_medium"]
grand_total_host["scanned"] = grand_total_host[
"scanned"] + per_cid_total_host["scanned"]
grand_total_host[
"total"] = grand_total_host["total"] + per_cid_total_host["total"]
logger.info("### GRAND TOTAL VULNERABILITIES RELATED TO HOST ###")
logger.info("Grand Total Host vulnerability High: {0} ".format(
grand_total_host_vulnerability["high"]))
logger.info("Grand Total Host vulnerability Medium: {0} ".format(
grand_total_host_vulnerability["medium"]))
logger.info("Grand Total Host vulnerability Low: {0} ".format(
grand_total_host_vulnerability["low"]))
logger.info("Grand Total Host vulnerability Info: {0} ".format(
grand_total_host_vulnerability["info"]))
logger.info("### GRAND TOTAL VULNERABILITIES RELATED TO NON HOST ###")
logger.info("Grand Total Non Host vulnerability High: {0} ".format(
grand_total_non_host_vulnerability["high"]))
logger.info("Grand Total Non Host vulnerability Medium: {0} ".format(
grand_total_non_host_vulnerability["medium"]))
logger.info("Grand Total Non Host vulnerability Low: {0} ".format(
grand_total_non_host_vulnerability["low"]))
logger.info("Grand Total Non Host vulnerability Info: {0} ".format(
grand_total_non_host_vulnerability["info"]))
logger.info("### GRAND TOTAL ALL VULNERABILITIES ###")
logger.info("Grand Total Vulnerabilities: {0} ".format(
(grand_total_non_host_vulnerability["high"] +
grand_total_host_vulnerability["high"] +
grand_total_non_host_vulnerability["medium"] +
grand_total_host_vulnerability["medium"] +
grand_total_non_host_vulnerability["low"] +
grand_total_host_vulnerability["low"] +
grand_total_non_host_vulnerability["info"] +
grand_total_host_vulnerability["info"])))
logger.info("Grand Total Vulnerability High: {0} ".format(
(grand_total_non_host_vulnerability["high"] +
grand_total_host_vulnerability["high"])))
logger.info("Grand Total Vulnerability Medium: {0} ".format(
(grand_total_non_host_vulnerability["medium"] +
grand_total_host_vulnerability["medium"])))
logger.info("Grand Total Vulnerability Low: {0} ".format(
(grand_total_non_host_vulnerability["low"] +
grand_total_host_vulnerability["low"])))
logger.info("Grand Total Vulnerability Info: {0} ".format(
(grand_total_non_host_vulnerability["info"] +
grand_total_host_vulnerability["info"])))
logger.info("### GRAND TOTAL HOST WITH VULNERABILITIES ###")
logger.info("Grand Total Unique Host with vulnerabilities: {0} ".format(
grand_total_host_with_vulnerability["total"]))
logger.info("Grand Total Host with vulnerability High: {0} ".format(
grand_total_host_with_vulnerability["high"]))
logger.info("Grand Total Host with vulnerability Medium: {0} ".format(
grand_total_host_with_vulnerability["medium"]))
logger.info("Grand Total Host with vulnerability Low: {0} ".format(
grand_total_host_with_vulnerability["low"]))
logger.info("Grand Total Host with vulnerability Info: {0} ".format(
grand_total_host_with_vulnerability["info"]))
logger.info(
"Grand Total Host with vulnerability High & Medium: {0} ".format(
grand_total_host_with_vulnerability["high_medium"]))
logger.info("### GRAND TOTAL HOST TALLY ###")
logger.info("|- CID: {0} - Grand Total Number of Host: {1} ".format(
args["acc_id"], grand_total_host["total"]))
logger.info(
"|- CID: {0} - Grand Total Number of Host Scanned by Alert Logic: {1} "
.format(args["acc_id"], grand_total_host["scanned"]))
LOG_LEVEL = logging.INFO
logging.basicConfig(format='%(message)s')
logoutput = logging.getLogger(__name__)
logoutput.setLevel(LOG_LEVEL)
logoutput.info("\n")
logoutput.info("Alert Logic Total Host with Vuln's: {0}".format(
grand_total_host_with_vulnerability["total"]))
logoutput.info("Total hosts scanned by Alert Logic: {0}".format(
grand_total_host["scanned"]))
if (grand_total_host["scanned"] > 0):
percent_host_vulnerable = float(
grand_total_host_with_vulnerability["total"]) / float(
grand_total_host["scanned"]) * 100
percent_host_vulnerable_high_medium = float(
grand_total_host_with_vulnerability["high_medium"]) / float(
grand_total_host["scanned"]) * 100
else:
percent_host_vulnerable = 0
percent_host_vulnerable_high_medium = 0
logoutput.info("% Vulnerable Host in Alert Logic: {0}".format(
percent_host_vulnerable))
logoutput.info("Total hosts with High vulnerability: {0}".format(
grand_total_host_with_vulnerability["high"]))
logoutput.info("Total hosts with Med vulnerability: {0}".format(
grand_total_host_with_vulnerability["medium"]))
logoutput.info("Total hosts with Low vulnerability: {0}".format(
grand_total_host_with_vulnerability["low"]))
logoutput.info("\n")
logoutput.info(
"% Vulnerable Host (High & Medium) in Alert Logic: {0}".format(
percent_host_vulnerable_high_medium))
logoutput.info("Total hosts with High & Medium vulnerability: {0}".format(
grand_total_host_with_vulnerability["high_medium"]))
logoutput.info("\n")
total_all_vulnerability = grand_total_non_host_vulnerability[
"high"] + grand_total_host_vulnerability[
"high"] + grand_total_non_host_vulnerability[
"medium"] + grand_total_host_vulnerability[
"medium"] + grand_total_non_host_vulnerability[
"low"] + grand_total_host_vulnerability["low"]
logoutput.info("Alert Logic total vulnerabilities: {0}".format(
total_all_vulnerability))
logoutput.info("AL (Host only) Vulnerabilities High: {0}".format(
grand_total_host_vulnerability["high"]))
logoutput.info("AL (Host only) Vulnerabilities Medium: {0}".format(
grand_total_host_vulnerability["medium"]))
logoutput.info("AL (Host only) Vulnerabilities Low: {0}".format(
grand_total_host_vulnerability["low"]))
logoutput.info("\n")
logoutput.info("Alert Logic all instances Vuln's High: {0}".format(
grand_total_non_host_vulnerability["high"] +
grand_total_host_vulnerability["high"]))
logoutput.info("Alert Logic all instances Vuln's Medium: {0}".format(
grand_total_non_host_vulnerability["medium"] +
grand_total_host_vulnerability["medium"]))
logoutput.info("Alert Logic all instances Vuln's Low: {0}".format(
grand_total_non_host_vulnerability["low"] +
grand_total_host_vulnerability["low"]))
logoutput.info("\n")
def get_disposed_rem_item(args):
myCI = al_ci_client.CloudInsight(args)
query_args = {}
query_args["asset_types"] = "r:remediation-item"
query_args["r.state"] = "disposed"
return myCI.get_asset_custom(query_args)
def collect_vulnerability(args):
myCI = al_ci_client.CloudInsight(args)
myEnv = myCI.get_environments()
if myEnv:
query_args = {}
query_args["asset_types"] = "vulnerability"
vulnerabilities = myCI.get_asset_custom(query_args)
host_vulnerability_count = {}
host_vulnerability_count["high"] = 0
host_vulnerability_count["medium"] = 0
host_vulnerability_count["low"] = 0
host_vulnerability_count["info"] = 0
non_host_vulnerability_count = {}
non_host_vulnerability_count["high"] = 0
non_host_vulnerability_count["medium"] = 0
non_host_vulnerability_count["low"] = 0
non_host_vulnerability_count["info"] = 0
for vulnerability in vulnerabilities["assets"]:
if "scope_scan_ip_address" in vulnerability[0]:
vulnerability_type = "host"
else:
vulnerability_type = "non-host"
if vulnerability[0]["severity"] == "high":
if vulnerability_type == "host":
host_vulnerability_count[
"high"] = host_vulnerability_count["high"] + 1
else:
non_host_vulnerability_count[
"high"] = non_host_vulnerability_count["high"] + 1
elif vulnerability[0]["severity"] == "medium":
if vulnerability_type == "host":
host_vulnerability_count[
"medium"] = host_vulnerability_count["medium"] + 1
else:
non_host_vulnerability_count[
"medium"] = non_host_vulnerability_count["medium"] + 1
elif vulnerability[0]["severity"] == "low":
if vulnerability_type == "host":
host_vulnerability_count[
"low"] = host_vulnerability_count["low"] + 1
else:
non_host_vulnerability_count[
"low"] = non_host_vulnerability_count["low"] + 1
elif vulnerability[0]["severity"] == "info":
if vulnerability_type == "host":
host_vulnerability_count[
"info"] = host_vulnerability_count["info"] + 1
else:
non_host_vulnerability_count[
"info"] = non_host_vulnerability_count["info"] + 1
logger.info(
"CID: {0} - EnvId: {1} - Total vulnerabilities: {2}".format(
myEnv["account_id"], myEnv["id"], vulnerabilities["rows"]))
logger.info(
"|- CID: {0} - EnvId: {1} - Total Host vulnerability High: {2}".
format(myEnv["account_id"], myEnv["id"],
host_vulnerability_count["high"]))
logger.info(
"|- CID: {0} - EnvId: {1} - Total Host vulnerability Medium: {2}".
format(myEnv["account_id"], myEnv["id"],
host_vulnerability_count["medium"]))
logger.info(
"|- CID: {0} - EnvId: {1} - Total Host vulnerability Low: {2}".
format(myEnv["account_id"], myEnv["id"],
host_vulnerability_count["low"]))
logger.info(
"|- CID: {0} - EnvId: {1} - Total Host vulnerability Info: {2}".
format(myEnv["account_id"], myEnv["id"],
host_vulnerability_count["info"]))
logger.info(
"|- CID: {0} - EnvId: {1} - Total Non Host vulnerability High: {2}"
.format(myEnv["account_id"], myEnv["id"],
non_host_vulnerability_count["high"]))
logger.info(
"|- CID: {0} - EnvId: {1} - Total Non Host vulnerability Medium: {2}"
.format(myEnv["account_id"], myEnv["id"],
non_host_vulnerability_count["medium"]))
logger.info(
"|- CID: {0} - EnvId: {1} - Total Non Host vulnerability Low: {2}".
format(myEnv["account_id"], myEnv["id"],
non_host_vulnerability_count["low"]))
logger.info(
"|- CID: {0} - EnvId: {1} - Total Non Host vulnerability Info: {2}"
.format(myEnv["account_id"], myEnv["id"],
non_host_vulnerability_count["info"]))
return host_vulnerability_count, non_host_vulnerability_count
def get_remediaton_detail_by_id(args, remediation_id):
myCI = al_ci_client.CloudInsight(args)
return myCI.get_remediations_map_custom(remediation_id)
def get_user_name_by_id(args, user_id):
myCI = al_ci_client.CloudInsight(args)
return myCI.get_user_name_by_id(user_id)
def ci_get_env_cid(args):
myCI = al_ci_client.CloudInsight(args)
query_args = {}
query_args['type'] = 'aws'
query_args['defender_support'] = 'false'
return myCI.get_environments_by_cid_custom(query_args)
"{0} - END - Generate new SSH Key and update it in AWS Secret Manager"
.format(str(datetime.datetime.now().strftime("%Y-%m-%d %H:%M"))))
#store the public key as environment variable in EB option settings
eb_option = {}
eb_option["OptionName"] = "SSH_KEY"
eb_option["Namespace"] = "aws:elasticbeanstalk:application:environment"
#eb_option["Value"] = str(keys['public']).replace('\\n', '\n')
eb_option["Value"] = payload.publickey().exportKey('OpenSSH')
option_settings.append(eb_option)
#Store SSH key to Cloud Insight as scan credentials
logger.info(
"\n{0} - START - Update private key to Cloud Insight as scan credentials"
.format(str(datetime.datetime.now().strftime("%Y-%m-%d %H:%M"))))
myCI = al_ci_client.CloudInsight(ci_args)
asset_type = "vpc"
asset_key = "aws/us-west-2/vpc/vpc-d58792ac"
cred_type = "ssh"
cred_sub_type = "key"
ci_secret_response = register_secret_in_cloud_insight(
ci_client=myCI,
secret_name=secret_name,
asset_type=asset_type,
asset_key=asset_key,
payload=keys,
user_name=user_name,
cred_type=cred_type,
cred_sub_type=cred_sub_type)
if ci_secret_response:
logger.info("Success : {0}".format(ci_secret_response))
def read_report_findings(args, db_table, index_name, index_partition_key,
index_partition_value, index_sort_key,
index_sort_value, table_partition_key, table_sort_key,
read_mode, severity_filter):
try:
result = ""
#Query list of ADDED / REMOVED vulnerability based on ENV ID and Date Marker index
todays_report = db_table.query_table_with_index(
"SPECIFIC_ATTRIBUTES",
Key(index_partition_key).eq(index_partition_value)
& Key(index_sort_key).eq(index_sort_value), index_name, "#a,#b", {
"#a": table_partition_key,
"#b": table_sort_key
}, True)
if len(todays_report["Items"]) > 0:
vul_event = copy.deepcopy(args)
vul_event['db_name'] = args['db_name_vul_data']
myVulLookupTable = AWSDynamo.DynamoDBClient(vul_event)
vul_detail_event = copy.deepcopy(args)
vul_detail_event['db_name'] = args['db_name_vul_key']
myVulDetailTable = AWSDynamo.DynamoDBClient(vul_detail_event)
for item in todays_report["Items"]:
#Query the exposure name based on vulnerability ID
exposure_name = myVulLookupTable.query_table(
"ALL_ATTRIBUTES",
Key("id").eq(item["vulnerability_id"]))
if exposure_name["Count"] == 0:
logger.info(
"Cache miss for exposure id: {0} - attempting to query Cloud Insight API"
.format(item["vulnerability_id"]))
myCI = al_ci_client.CloudInsight(args)
#TODO: tidy up this mess - currently I am trying to match the returned data structure from DynamoDB query
exposure_name = {}
exposure_name["Items"] = []
exposure_name["Items"].append(
myCI.get_vulnerability_map_custom(
item["vulnerability_id"]))
exposure_name["Items"][0]["TTL"] = create_ttl_time(
int(args["db_ttl_vul_data"]))
if len(exposure_name["Items"]) > 0:
logger.info(
"Found exposure id: {0} in CI API - attempting to store in DynamoDB cache"
.format(item["vulnerability_id"]))
if myVulLookupTable.single_write_to_table(
exposure_name["Items"][0]):
logger.info(
"Successfully stored exposure id {0} in DynamoDB cache"
.format(item["vulnerability_id"]))
else:
logger.error(
"Failed to store exposure id {0} in DynamoDB cache"
.format(item["vulnerability_id"]))
else:
logger.error(
"Failed to find exposure id {0} in CI API - this vulnerability exposure will not be recorded"
.format(item["vulnerability_id"]))
if exposure_name["Items"][0]["severity"] in severity_filter:
logger.info("Exposure: {0} - {1}".format(
exposure_name["Items"][0]["description"],
exposure_name["Items"][0]["severity"]))
result = result + "Exposure: {0} - {1}\n".format(
exposure_name["Items"][0]["description"],
exposure_name["Items"][0]["severity"])
#Query the vulnerability detail based on vulnerability ID and sort key (date marker)
vulnerabilities = db_table.query_table(
"ALL_ATTRIBUTES",
Key(table_partition_key).eq(item["vulnerability_id"])
& Key(table_sort_key).eq(item["vul_key_sort_key"]))
#For each vulnerability keys, query the detail about that particular asset vulnerability
counter = 1
for vulnerability in vulnerabilities["Items"]:
#TODO: fix this upstream - where vulnerability_items can be duplicate when reporter worker run more than once
for vulnerability_key in set(
vulnerability["vulnerability_items"]):
if read_mode == "removed":
date_marker = args["previousdate"]
elif read_mode == "added":
date_marker = args["currentdate"]
vulnerability_detail = myVulDetailTable.query_table(
"ALL_ATTRIBUTES",
Key("key").eq(vulnerability_key)
& Key("date_marker").eq(date_marker))
logger.info("{0}.{1} - {2}".format(
counter,
vulnerability_detail["Items"][0]["key"],
vulnerability_detail["Items"][0]
["threat_score"]))
result = result + "{0}.{1} - {2}\n".format(
counter,
vulnerability_detail["Items"][0]["key"],
vulnerability_detail["Items"][0]
["threat_score"])
counter += 1
logger.info(" ")
result = result + "\n"
if result == "":
logger.info("No new vulnerability {0}\n".format(read_mode))
result = "There is no vulnerability {0}.\n\n".format(read_mode)
return result
else:
logger.info("No new vulnerability {0}\n".format(read_mode))
result = "There is no vulnerability {0}.\n\n".format(read_mode)
return result
except ClientError as e:
logger.error(e.response['Error']['Message'] + ": " +
str(self.db_table))
return None
