    def _target_tags_valid(self, target_tags, error_cat='TARGET_TAGS'):
        """
        Flag a firewall rule whose target tags are missing.

        target_tags: the rule's tag list; any falsy value (None, [], ())
        counts as "no tags" and yields one <error_cat>/FOUND/NOT issue.
        NOTE(review): presumably a rule with no target applies to every
        instance in the network, which is why an empty list is a finding —
        confirm against the caller.

        return: [list of AuditIssues]
        """
        if target_tags:
            return []
        return [make_audit_issue(error_cat, 'FOUND', 'NOT')]
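 def _source_ranges_open(self, source_ranges, error_cat='SOURCE_RANGES'):
     """
     Flag source ranges that admit traffic from any address.

     source_ranges: iterable of CIDR strings. Each entry equal to the IPv4
     any-range '0.0.0.0/0' or the IPv6 any-range '::/0' yields one
     <error_cat>/OPEN/TRAFFIC issue whose notes name the offending range.
     The original matched only '0.0.0.0/0', so a rule open to all IPv6
     sources was not reported.
     NOTE(review): matching is by exact string; a set of ranges that
     together cover everything (e.g. '0.0.0.0/1' plus '128.0.0.0/1') is
     not detected. Assumes ranges arrive in canonical CIDR form.

     return: [list of AuditIssues]
     """
     open_ranges = ('0.0.0.0/0', '::/0')
     errors = []
     for source_range in source_ranges:
         if source_range in open_ranges:
             ae = make_audit_issue(error_cat, 'OPEN', 'TRAFFIC')
             ae.notes = 'open source range: %s' % source_range
             errors.append(ae)
     return errors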
    def _target_tags_valid(self, target_tags, error_cat='TARGET_TAGS'):
        """
        Report a missing target-tag list on a firewall rule.

        target_tags: list of tags; None or an empty container is treated as
        "not found" and produces a single <error_cat>/FOUND/NOT issue.
        Nothing is reported when at least one tag is present.

        return: [list of AuditIssues]
        """
        errors = []
        has_tags = bool(target_tags)
        if not has_tags:
            errors.append(make_audit_issue(error_cat, 'FOUND', 'NOT'))
        return errors
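 def _source_ranges_open(self, source_ranges, error_cat='SOURCE_RANGES'):
     """
     Report source ranges that allow traffic from anywhere.

     source_ranges: iterable of CIDR strings. Both the IPv4 wildcard
     '0.0.0.0/0' and the IPv6 wildcard '::/0' are treated as open; each
     match produces one <error_cat>/OPEN/TRAFFIC issue with the range in
     its notes. The original compared against '0.0.0.0/0' only, leaving an
     IPv6-wide rule unreported.
     NOTE(review): exact-string comparison only; split ranges that jointly
     cover the whole address space are not detected, and non-canonical
     spellings are assumed not to occur.

     return: [list of AuditIssues]
     """
     wildcard_ranges = frozenset(['0.0.0.0/0', '::/0'])
     errors = []
     for source_range in source_ranges:
         if source_range not in wildcard_ranges:
             continue
         ae = make_audit_issue(error_cat, 'OPEN', 'TRAFFIC')
         ae.notes = 'open source range: %s' % source_range
         errors.append(ae)
     return errors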
    def _max_keys(self, key_count, error_cat='SA'):
        """
        Flag a service account that has more keys than the configured limit.

        key_count: number of keys on the account. The ceiling is
        self.gcp_config.MAX_SERVICEACCOUNT_KEYS; a count equal to the ceiling
        is allowed, only a strictly greater count yields one
        <error_cat>/MAX/KEYS issue with the count and limit in its notes.

        return: [list of AuditIssues]
        """
        limit = self.gcp_config.MAX_SERVICEACCOUNT_KEYS
        if key_count <= limit:
            return []
        ae = make_audit_issue(error_cat, 'MAX', 'KEYS')
        ae.notes = 'Too Many Keys (count: %s, max: %s)' % (key_count, limit)
        return [ae]
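    def _actor_role(self, policies, error_cat='SA'):
        """
        Flag policy bindings that grant the serviceAccountActor role.

        policies: iterable of dicts; only the 'Role' key is read. Each
        matching binding yields one <error_cat>/POLICY/ROLE/ACTOR issue.
        The role is matched in the bare form the original compared against
        ('iam.serviceAccountActor') and in the 'roles/'-prefixed form used
        in GCP IAM policy bindings, so a binding that has not been
        normalized is not silently missed.
        NOTE(review): serviceAccountActor is a legacy role; its successors
        (serviceAccountUser, serviceAccountTokenCreator) are not covered
        here — confirm whether they should be.

        return: [list of AuditIssues]
        """
        actor_roles = ('iam.serviceAccountActor',
                       'roles/iam.serviceAccountActor')
        errors = []
        for policy in policies:
            # A missing/None 'Role' never matches, as in the original.
            if policy.get('Role') in actor_roles:
                errors.append(
                    make_audit_issue(error_cat, 'POLICY', 'ROLE', 'ACTOR'))
        return errors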
    def _max_keys(self, key_count, error_cat='SA'):
        """
        Report a service account whose key count exceeds the allowed maximum.

        key_count: number of keys on the account, compared against
        self.gcp_config.MAX_SERVICEACCOUNT_KEYS. Only a count strictly above
        the maximum is reported, as a single <error_cat>/MAX/KEYS issue
        carrying 'Too Many Keys (count: N, max: M)' in its notes.

        return: [list of AuditIssues]
        """
        errors = []
        allowed = self.gcp_config.MAX_SERVICEACCOUNT_KEYS
        over_limit = key_count > allowed
        if over_limit:
            issue = make_audit_issue(error_cat, 'MAX', 'KEYS')
            issue.notes = 'Too Many Keys (count: %s, max: %s)' % (
                key_count, allowed)
            errors.append(issue)
        return errors
 def _port_range_exists(self, allowed_list, error_cat='ALLOWED'):
     """
     Flag any 'allowed' entry that lists a port range instead of single ports.

     allowed_list: list of dicts with 'IPProtocol' and an optional 'ports'
     list. A port whose text contains '-' (e.g. '8000-8080') yields one
     <error_cat>/EXISTS/PORTRANGE issue whose notes read 'protocol:range'.
     Entries whose 'ports' is absent or empty are skipped.
     NOTE(review): in GCP an allowed tcp/udp entry with no 'ports' means
     every port for that protocol — broader than any range, yet it is not
     flagged here; confirm a sibling check covers it.

     return: [list of AuditIssues]
     """
     errors = []
     for allowed in allowed_list:
         for port in allowed.get('ports') or ():
             port_text = str(port)
             if '-' not in port_text:
                 continue
             ae = make_audit_issue(error_cat, 'EXISTS', 'PORTRANGE')
             ae.notes = '%s:%s' % (allowed['IPProtocol'], port_text)
             errors.append(ae)
     return errors
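    def _actor_role(self, policies, error_cat='SA'):
        """
        Report bindings granting the legacy serviceAccountActor role.

        policies: iterable of dicts; the 'Role' value is compared against
        both 'iam.serviceAccountActor' (the form the original checked) and
        'roles/iam.serviceAccountActor' (the prefixed form GCP IAM emits in
        bindings). Each hit yields one <error_cat>/POLICY/ROLE/ACTOR issue;
        a missing or None role never matches.
        NOTE(review): the successor roles serviceAccountUser and
        serviceAccountTokenCreator are not checked here — verify whether
        that is intended.

        return: [list of AuditIssues]
        """
        actor_role_names = frozenset([
            'iam.serviceAccountActor',
            'roles/iam.serviceAccountActor',
        ])
        return [
            make_audit_issue(error_cat, 'POLICY', 'ROLE', 'ACTOR')
            for policy in policies
            if policy.get('Role') in actor_role_names
        ]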
 def _port_range_exists(self, allowed_list, error_cat='ALLOWED'):
     """
     Report port ranges found in a rule's 'allowed' entries.

     allowed_list: list of dicts carrying 'IPProtocol' and, optionally, a
     'ports' list. Every port whose string form contains '-' produces one
     <error_cat>/EXISTS/PORTRANGE issue with notes 'protocol:port'.
     Entries with no (or an empty) 'ports' list contribute nothing.
     NOTE(review): an allowed entry without 'ports' presumably opens every
     port of that protocol in GCP and is not reported by this check —
     confirm it is handled elsewhere.

     return: [list of AuditIssues]
     """
     def _is_range(candidate):
         # Port specs are strings like '22' or '8000-8080'; a dash marks a range.
         return '-' in str(candidate)

     errors = []
     for allowed in allowed_list:
         ports = allowed.get('ports', None)
         if not ports:
             continue
         ranged = [str(port) for port in ports if _is_range(port)]
         for port_text in ranged:
             issue = make_audit_issue(error_cat, 'EXISTS', 'PORTRANGE')
             issue.notes = '%s:%s' % (allowed['IPProtocol'], port_text)
             errors.append(issue)
     return errors
    def _legacy_exists(self, network, error_cat='NET'):
        """
        Flag a legacy (non-subnetwork) network.

        network: dict describing the network. It is considered legacy when
        neither 'Subnetworks' nor 'AutoCreateSubnetworks' is present (or both
        are None); an empty 'Subnetworks' list or a False
        'AutoCreateSubnetworks' is still subnet mode. A legacy network yields
        one <error_cat>/EXISTS/LEGACY issue.

        return: [list of AuditIssues]
        """
        subnet_mode_keys = ('Subnetworks', 'AutoCreateSubnetworks')
        in_subnet_mode = any(
            network.get(key) is not None for key in subnet_mode_keys)
        if in_subnet_mode:
            return []
        return [make_audit_issue(error_cat, 'EXISTS', 'LEGACY')]
    def _acl_allusers_exists(self, acl_list, error_cat='ACL'):
        """
        Flag ACL entries granted to the public principal 'allUsers'.

        acl_list: list of dicts with 'entity' and 'role'. Each entry whose
        entity is exactly 'allUsers' yields one
        <error_cat>/ROLE/allUsers/<role> issue, so the granted role (READER,
        OWNER, ...) becomes part of the issue key.
        NOTE(review): only the literal 'allUsers' entity is matched;
        'allAuthenticatedUsers' (any Google account) is not reported here —
        confirm a sibling check covers it.

        return: [list of AuditIssues]
        """
        public_entity = 'allUsers'
        # TODO(supertom): notes
        return [
            make_audit_issue(error_cat, 'ROLE', public_entity, acl.get('role'))
            for acl in acl_list
            if acl.get('entity') == public_entity
        ]
    def _acl_allusers_exists(self, acl_list, error_cat='ACL'):
        """
        Report public ('allUsers') grants in a bucket or object ACL.

        acl_list: list of dicts with 'entity' and 'role' keys. For every
        entry whose entity equals 'allUsers' one
        <error_cat>/ROLE/allUsers/<role> issue is produced; the role is the
        entry's own 'role' value (may be None if absent).
        NOTE(review): 'allAuthenticatedUsers' is not treated as public by
        this check — verify that is covered elsewhere.

        return: [list of AuditIssues]
        """
        public_principal = 'allUsers'
        findings = []
        for entry in acl_list:
            if entry.get('entity') != public_principal:
                continue
            granted_role = entry.get('role')
            # TODO(supertom): notes
            findings.append(
                make_audit_issue(error_cat, 'ROLE', public_principal, granted_role))
        return findings
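    def _cors_method(self, cors_list, error_cat='CORS'):
        """
        Flag CORS methods other than GET.

        cors_list: list of CORS entries; each entry's 'method' key holds a
        list of HTTP methods. Every method that is not 'GET' yields one
        <error_cat>/METHOD/<method> issue; the wildcard '*' is reported as
        'ALL'. An entry with no 'method' key (or None) is skipped instead of
        raising TypeError as the original did.
        Comparison is case-sensitive, so 'get' would be flagged — presumably
        the inventory stores methods upper-cased; verify against the source.

        return: [list of AuditIssues]
        """
        errors = []
        for cors in cors_list:
            for method in cors.get('method') or ():
                label = 'ALL' if method == '*' else method
                if label != 'GET':
                    errors.append(make_audit_issue(error_cat, 'METHOD', label))
        return errors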
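    def _cors_method(self, cors_list, error_cat='CORS'):
        """
        Report CORS methods that are anything other than GET.

        cors_list: list of CORS entries whose 'method' key is a list of HTTP
        method names. Each non-GET method produces one
        <error_cat>/METHOD/<method> issue, with '*' reported as 'ALL'.
        Entries lacking a 'method' list (key absent or None) are ignored;
        the original raised TypeError on them and aborted the audit.
        NOTE(review): matching is case-sensitive — assumes methods arrive
        upper-cased, confirm against the inventory.

        return: [list of AuditIssues]
        """
        def _label(method):
            # The wildcard is reported under the readable name 'ALL'.
            return 'ALL' if method == '*' else method

        findings = []
        for cors in cors_list:
            methods = cors.get('method')
            if not methods:
                continue
            for label in map(_label, methods):
                if label == 'GET':
                    continue
                findings.append(make_audit_issue(error_cat, 'METHOD', label))
        return findings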
    def _legacy_exists(self, network, error_cat='NET'):
        """
        Report a legacy-mode network (one with no subnetwork fields).

        network: dict describing the network. A network counts as legacy only
        when both 'Subnetworks' and 'AutoCreateSubnetworks' are absent (or
        None); the presence of either key with any non-None value, including
        [] or False, means subnet mode. A legacy network yields a single
        <error_cat>/EXISTS/LEGACY issue.

        return: [list of AuditIssues]
        """
        errors = []
        has_subnetworks = network.get('Subnetworks', None) is not None
        has_auto_create = network.get('AutoCreateSubnetworks', None) is not None
        is_legacy = not (has_subnetworks or has_auto_create)
        if is_legacy:
            errors.append(make_audit_issue(error_cat, 'EXISTS', 'LEGACY'))
        return errors
    def _acl_max_owners(self, acl_list, error_cat='ACL'):
        """
        Flag OWNER entries beyond the configured per-bucket maximum.

        acl_list: list of dicts with a 'role' key. The ceiling is
        self.gcp_config.MAX_OWNERS_PER_BUCKET; when it is falsy (0/None) the
        check is disabled and nothing is reported. Otherwise one
        <error_cat>/MAX/OWNER issue is produced for every OWNER entry past
        the ceiling (5 owners with a limit of 3 gives two issues).

        return: [list of AuditIssues]
        """
        limit = self.gcp_config.MAX_OWNERS_PER_BUCKET
        if not limit:
            return []
        owner_role = 'OWNER'
        errors = []
        owners_seen = 0
        for acl in acl_list:
            if acl.get('role') != owner_role:
                continue
            owners_seen += 1
            if owners_seen > limit:
                errors.append(make_audit_issue(error_cat, 'MAX', owner_role))
        return errors
    def inspect_acl(self, item):
        """
        Driver for Bucket ACL checks.

        item: inventory object whose item.config dict may hold an 'Acl' list.
        Runs _acl_allusers_exists and _acl_max_owners over it under the 'ACL'
        category and returns (True, None) when neither reports anything,
        (False, issues) otherwise. A missing or empty 'Acl' is itself
        reported as ACL/FOUND/NOT.
        NOTE(review): if the inventory omits 'Acl' for buckets using uniform
        bucket-level access, that case is reported as a finding too —
        verify.

        return: (bool, [list of AuditIssues])
        """
        acl = item.config.get('Acl')
        if not acl:
            return (False, [make_audit_issue("ACL", 'FOUND', "NOT")])

        issues = []
        for check in (self._acl_allusers_exists, self._acl_max_owners):
            found = check(acl, 'ACL')
            if found:
                issues.extend(found)

        if issues:
            return (False, issues)
        return (True, None)
    def _acl_max_owners(self, acl_list, error_cat='ACL'):
        """
        Report OWNER grants exceeding the configured maximum per bucket.

        acl_list: list of dicts with a 'role' key. Uses
        self.gcp_config.MAX_OWNERS_PER_BUCKET as the ceiling; a falsy ceiling
        (0 or None) disables the check. Each OWNER entry encountered after
        the ceiling has been reached produces one <error_cat>/MAX/OWNER
        issue, so the number of issues equals the number of excess owners.

        return: [list of AuditIssues]
        """
        findings = []
        ceiling = self.gcp_config.MAX_OWNERS_PER_BUCKET
        if ceiling:
            owner_role = 'OWNER'
            running_total = 0
            for entry in acl_list:
                is_owner = entry.get('role') == owner_role
                if not is_owner:
                    continue
                running_total += 1
                over = running_total > ceiling
                if over:
                    findings.append(make_audit_issue(error_cat, 'MAX', owner_role))
        return findings
    def inspect_default_object_acl(self, item):
        """
        Driver for Default Object ACL checks.

        item: inventory object whose item.config dict may hold a
        'DefaultObjectAcl' list. Runs _acl_allusers_exists and
        _acl_max_owners over it under the 'DEFAULT_OBJECT_ACL' category;
        returns (True, None) when both are clean and (False, issues)
        otherwise. A missing or empty default object ACL is reported as
        DEFAULT_OBJECT_ACL/FOUND/NOT.
        NOTE(review): buckets with uniform bucket-level access presumably
        carry no default object ACL and would be reported here — confirm.

        return: (bool, [list of AuditIssues])
        """
        category = 'DEFAULT_OBJECT_ACL'
        def_obj_acl = item.config.get('DefaultObjectAcl')
        if not def_obj_acl:
            return (False, [make_audit_issue("DEFAULT_OBJECT_ACL", 'FOUND', "NOT")])

        collected = []
        public_hits = self._acl_allusers_exists(def_obj_acl, category)
        if public_hits:
            collected.extend(public_hits)
        owner_hits = self._acl_max_owners(def_obj_acl, category)
        if owner_hits:
            collected.extend(owner_hits)

        return (False, collected) if collected else (True, None)