Esempio n. 1
    def run(self, aws_config):
        """Evaluate every enabled rule against ``aws_config`` and record the results.

        For each enabled rule the entry
        ``aws_config['services'][<service>][<rule_type>][rule.key]`` is created
        (replacing any previous one) and filled with the rule's metadata plus the
        items matched by ``recurse``.  A rule whose evaluation raises is logged
        and left with zero ``checked_items`` / ``flagged_items`` so that report
        creation and the data dump can still run.

        :param aws_config: Scout2 configuration dictionary; mutated in place.
        """
        rule_type = self.ruleset.rule_type
        for rules in self.rules.values():
            for rule in rules:
                # Disabled rules get no entry at all.
                if not rule.enabled:  # or rule.service not in []: # TODO: handle this...
                    continue

                printDebug('Processing %s rule[%s]: "%s"' %
                           (rule.service, rule.filename, rule.description))
                # The first component of the dotted rule path names the service.
                path = rule.path.split('.')
                service = path[0]
                manage_dictionary(aws_config['services'][service], rule_type, {})
                entry = aws_config['services'][service][rule_type][rule.key] = {}
                entry['description'] = rule.description
                entry['path'] = rule.path
                # Optional metadata: only copied when the rule object defines it.
                for attr in ['level', 'id_suffix', 'display_path']:
                    if hasattr(rule, attr):
                        entry[attr] = getattr(rule, attr)
                try:
                    # Reset the counter before the walk; recurse() is presumably
                    # what advances it — TODO confirm against recurse().
                    rule.checked_items = 0
                    entry['items'] = recurse(aws_config['services'],
                                             aws_config['services'],
                                             path, [], rule, True)
                    entry['dashboard_name'] = rule.dashboard_name
                    entry['checked_items'] = rule.checked_items
                    entry['flagged_items'] = len(entry['items'])
                    entry['service'] = rule.service
                    if hasattr(rule, 'rationale'):
                        entry['rationale'] = rule.rationale
                    else:
                        entry['rationale'] = 'N/A'
                except Exception as e:
                    printException(e)
                    printError('Failed to process rule defined in %s' %
                               rule.filename)
                    # Fallback if process rule failed to ensure report creation and data dump still happen
                    entry['checked_items'] = 0
                    entry['flagged_items'] = 0
Esempio n. 2
    def analyze(self, aws_config):
        """Evaluate every loaded rule against ``aws_config`` and record the results.

        Each rule definition (a dictionary keyed by rule name under
        ``self.rules[<finding path>]``) gets an entry under
        ``aws_config['services'][<service>][self.rule_type][<rule name>]``
        holding its description, path, optional metadata and the items returned
        by ``recurse``.  A rule whose evaluation raises is logged and left with
        zero ``checked_items`` / ``flagged_items`` so that report creation and
        the data dump can still run.

        :param aws_config: Scout2 configuration dictionary; mutated in place.
        """
        printInfo('Analyzing AWS config...')
        # TODO: reset violations for all services in scope (maybe this can be done somewhere else (e.g. loading)
        rule_type = self.rule_type
        for finding_path, rules in self.rules.items():
            # The first component of the dotted finding path names the service.
            path = finding_path.split('.')
            service = path[0]
            for name, definition in rules.items():
                printDebug('Processing %s rule[%s]: "%s"' %
                           (service, rule_type[:-1], definition['description']))
                manage_dictionary(aws_config['services'][service], rule_type, {})
                entry = aws_config['services'][service][rule_type][name] = {}
                entry['description'] = definition['description']
                entry['path'] = definition['path']
                # 'level' is mandatory for findings only.
                if rule_type == 'findings':
                    entry['level'] = definition['level']
                for attr in ('id_suffix', 'display_path'):
                    if attr in definition:
                        entry[attr] = definition[attr]
                try:
                    entry['items'] = recurse(aws_config['services'],
                                             aws_config['services'],
                                             path, [], definition, True)
                    entry['dashboard_name'] = definition.get('dashboard_name', '??')
                    entry['checked_items'] = definition.get('checked_items', 0)
                    entry['flagged_items'] = len(entry['items'])
                    entry['service'] = service
                    entry['rationale'] = definition.get('rationale', 'N/A')
                except Exception as e:
                    printError('Failed to process rule defined in %s.json' %
                               name)
                    # Fallback if process rule failed to ensure report creation and data dump still happen
                    entry['checked_items'] = 0
                    entry['flagged_items'] = 0
                    printException(e)
Esempio n. 3
    def run(self, aws_config, skip_dashboard=False):
        """Evaluate every enabled rule against ``aws_config`` and record the results.

        The ``<rule_type>`` bucket of every service is cleared first.  Each
        enabled rule then gets an entry under
        ``aws_config['services'][<service>][<rule_type>][rule.key]`` with its
        metadata and the items matched by ``recurse``.  A rule whose evaluation
        raises is logged and left with zero ``checked_items`` /
        ``flagged_items`` so that report creation and the data dump can still run.

        :param aws_config: Scout2 configuration dictionary; mutated in place.
        :param skip_dashboard: when true, processing of a rule stops right after
            ``items`` is collected — ``dashboard_name``, ``checked_items``,
            ``flagged_items``, ``service`` and ``rationale`` are not written.
        """
        rule_type = self.ruleset.rule_type

        # Clean up existing findings
        for service in aws_config['services']:
            aws_config['services'][service][rule_type] = {}

        # Process each rule
        for rules in self.rules.values():
            for rule in rules:
                # Disabled rules get no entry at all.
                if not rule.enabled:  # or rule.service not in []: # TODO: handle this...
                    continue

                printDebug('Processing %s rule[%s]: "%s"' % (rule.service, rule.filename, rule.description))
                # The first component of the dotted rule path names the service.
                path = rule.path.split('.')
                service = path[0]
                manage_dictionary(aws_config['services'][service], rule_type, {})
                entry = aws_config['services'][service][rule_type][rule.key] = {}
                entry['description'] = rule.description
                entry['path'] = rule.path
                # Optional metadata: only copied when the rule object defines it.
                for attr in ['level', 'id_suffix', 'display_path']:
                    if hasattr(rule, attr):
                        entry[attr] = getattr(rule, attr)
                try:
                    # Reset the counter before the walk; recurse() is presumably
                    # what advances it — TODO confirm against recurse().
                    rule.checked_items = 0
                    entry['items'] = recurse(aws_config['services'], aws_config['services'], path, [], rule, True)
                    if skip_dashboard:
                        continue
                    entry['dashboard_name'] = rule.dashboard_name
                    entry['checked_items'] = rule.checked_items
                    entry['flagged_items'] = len(entry['items'])
                    entry['service'] = rule.service
                    if hasattr(rule, 'rationale'):
                        entry['rationale'] = rule.rationale
                    else:
                        entry['rationale'] = 'N/A'
                except Exception as e:
                    printException(e)
                    printError('Failed to process rule defined in %s' % rule.filename)
                    # Fallback if process rule failed to ensure report creation and data dump still happen
                    entry['checked_items'] = 0
                    entry['flagged_items'] = 0
Esempio n. 4
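def main():
    """Entry point for the ``listall`` command.

    For every profile requested on the command line: load the saved Scout2
    configuration, build a single-rule ruleset from ``args.config``, decide
    which attributes to print (CLI keys, key files, a per-path default file,
    or just ``name``), walk the configuration with ``recurse`` and print the
    formatted listing.

    :return: ``42`` when the opinel requirement check fails, ``1`` when no
        rule configuration file was given, otherwise ``None``.
    """

    # Parse arguments
    parser = ListallArgumentParser()
    args = parser.parse_args()

    # Configure the debug level
    configPrintException(args.debug)

    # Check version of opinel
    if not check_requirements(os.path.realpath(__file__)):
        return 42

    # Without a rule configuration there is nothing to build a ruleset from;
    # the old code fell through with ``ruleset`` unbound and died with a
    # NameError.  TODO: support building the rule from CLI conditions/mapping.
    if not args.config:
        printInfo('No rule configuration file specified; nothing to list')
        return 1

    # Support multiple environments
    for profile_name in args.profile:

        # Load the config
        report = Scout2Report(profile_name, args.report_dir, args.timestamp)
        aws_config = report.jsrw.load_from_file(AWSCONFIG)
        services = aws_config['service_list']

        # Create a ruleset with only whatever rules were specified...
        ruleset = Ruleset(filename='sample', load_rules=False)
        ruleset.ruleset['rules'][0]['filename'] = args.config
        ruleset.init_rules(services, args.ip_ranges, '',
                           False)  # aws_config['aws_account_id, False)
        # Need to set the arguments values args.config_args

        # Get single rule... TODO: clean
        # next(iter(d)) replaces d.keys()[0], which only works on Python 2.
        tmp = ruleset.rules.pop(next(iter(ruleset.rules)))
        rule = tmp.pop(next(iter(tmp)))

        # Set the keys to output
        rule['keys'] = _select_keys(args, rule)

        # Recursion
        if args.path:
            rule['path'] = args.path[0]
        target_path = rule['path'].split('.')
        current_path = []
        resources = recurse(aws_config['services'], aws_config['services'],
                            target_path, current_path, rule)

        # Prepare the output format
        (lines, template) = format_listall_output(args.format_file, 'foo',
                                                  args.format, rule)

        # Print the output
        printInfo(
            generate_listall_output(lines, resources, aws_config, template,
                                    []))


def _select_keys(args, rule):
    """Return the list of attribute keys to print for ``rule``.

    Resolution order: keys given on the CLI (``args.keys``), then keys read
    from the JSON files in ``args.keys_file``, then the default
    ``listall-configs/<path>.json`` for the rule's display path (or path),
    and finally just ``['name']``.

    :param args: parsed command-line arguments.
    :param rule: the rule dictionary; read for ``display_path`` / ``path``.
    :return: list of key names.
    """
    # 1. Explicitly provided on the CLI
    if args.keys:
        return args.keys
    # 2. Explicitly provided files that contain the list of keys
    if args.keys_file:
        keys = []
        for filename in args.keys_file:
            with open(filename, 'rt') as f:
                keys += json.load(f)['keys']
        return keys
    # 3. Load default set of keys based on path.  The original looked the path
    # up on an undefined ``config`` variable, and a bare ``except`` hid the
    # NameError so the default file was never read; the rule's own path is
    # what names the file.  Only the expected failures (missing/unreadable
    # file, malformed JSON, missing key) fall back to the object name.
    try:
        target_path = rule['display_path'] if 'display_path' in rule else rule['path']
        with open('listall-configs/%s.json' % target_path) as f:
            return json.load(f)['keys']
    except (IOError, OSError, KeyError, ValueError):
        # 4. Print the object name
        return ['name']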