Esempio n. 1
0
    def test_oil_can_scan_for_password_rotation_with_config(self):
        plugin_config = {
            'password_rotation_severity_2_threshold':
            180,
            'password_rotation_severity_1_threshold':
            90,
            'password_rotation_severity_2_message':
            ('{days} days since last rotation for {username} '),
            'password_rotation_severity_1_message':
            ('{days} days since last rotation for {username}'),
            'password_rotation_severity_0_message':
            ('{username} is not violating password rotation '
             'best practices'),
            'password_rotation_severity_0_message':
            ('No password for this user'),
        }
        oil = Oil()
        oil.register_barrel(IAMBarrel)
        oil.register_plugin(UserPasswordRotationPlugin, plugin_config)
        results = oil.scan()

        aws_results = results.get('aws', {})
        iam_results = aws_results.get('iam', {})
        plugin_results = iam_results.get('user_password_rotation', [])

        self.assertNotEqual(plugin_results, [])
Esempio n. 2
0
    def test_oil_can_scan_for_high_threat_ports_on_instances(self):
        oil = Oil()
        oil.register_barrel(EC2Barrel)
        oil.register_plugin(InstanceHighThreatPortPlugin)
        results = oil.scan()

        aws_results = results.get('aws', {})
        ec2_results = aws_results.get('ec2', {})
        plugin_results = ec2_results.get('instance_high_threat_port', [])

        self.assertNotEqual(plugin_results, [])
Esempio n. 3
0
    def test_oil_can_scan_for_public_ip_on_instances(self):
        oil = Oil()
        oil.register_barrel(EC2Barrel)
        oil.register_plugin(PublicIpPlugin)
        results = oil.scan()

        aws_results = results.get('aws', {})
        ec2_results = aws_results.get('ec2', {})
        plugin_results = ec2_results.get('public_ip', [])

        self.assertNotEqual(plugin_results, [])
Esempio n. 4
0
    def test_oil_can_scan_for_name_tag_compliance(self):
        oil = Oil()
        oil.register_barrel(EC2Barrel)
        oil.register_plugin(InstanceNameTagPlugin)
        results = oil.scan()

        aws_results = results.get('aws', {})
        ec2_results = aws_results.get('ec2', {})
        plugin_results = ec2_results.get('instance_name_tag', [])

        self.assertNotEqual(plugin_results, [])
Esempio n. 5
0
    def test_oil_can_scan_for_rds_public_db_instances(self):
        oil = Oil()
        oil.register_barrel(RDSBarrel)
        oil.register_plugin(PublicDBInstancesPlugin)
        results = oil.scan()

        aws_results = results.get('aws', {})
        rds_results = aws_results.get('rds', {})
        plugin_results = rds_results.get('public_db_instances', [])

        self.assertNotEqual(plugin_results, [])
Esempio n. 6
0
    def test_oil_can_scan_for_password_rotation_date_for_user(self):
        oil = Oil()
        oil.register_barrel(IAMBarrel)
        oil.register_plugin(UserPasswordRotationPlugin)
        results = oil.scan()

        aws_results = results.get('aws', {})
        iam_results = aws_results.get('iam', {})
        plugin_results = iam_results.get('user_password_rotation', [])

        self.assertNotEqual(plugin_results, [])
Esempio n. 7
0
    def test_oil_can_scan_for_active_mfa_device_for_user(self):
        oil = Oil()
        oil.register_barrel(IAMBarrel)
        oil.register_plugin(UserMFAPlugin)
        results = oil.scan()

        aws_results = results.get('aws', {})
        iam_results = aws_results.get('iam', {})
        plugin_results = iam_results.get('user_mfa', [])

        self.assertNotEqual(plugin_results, [])
Esempio n. 8
0
    def test_oil_can_scan_for_access_key_usage(self):
        oil = Oil()
        oil.register_barrel(IAMBarrel)
        oil.register_plugin(AccessKeyUsagePlugin)
        results = oil.scan()

        aws_results = results.get('aws', {})
        iam_results = aws_results.get('iam', {})
        plugin_results = iam_results.get('access_key_usage', [])

        self.assertNotEqual(plugin_results, [])
Esempio n. 9
0
    def test_oil_can_scan_for_https_usage(self):
        oil = Oil()
        oil.register_barrel(CloudFrontBarrel)
        oil.register_plugin(HTTPSPlugin)
        results = oil.scan()

        aws_results = results.get('aws', {})
        cloudfront_results = aws_results.get('cloudfront', {})
        plugin_results = cloudfront_results.get('https', [])

        self.assertNotEqual(plugin_results, [])
Esempio n. 10
0
    def test_oil_can_scan_for_s3_origin_access_identity(self):
        oil = Oil()
        oil.register_barrel(CloudFrontBarrel)
        oil.register_plugin(S3OriginAccessIdentityPlugin)
        results = oil.scan()

        aws_results = results.get('aws', {})
        cloudfront_results = aws_results.get('cloudfront', {})
        plugin_results = cloudfront_results.get('s3_origin_access_identity',
                                                [])

        self.assertNotEqual(plugin_results, [])
Esempio n. 11
0
    def test_oil_can_scan_for_access_key_usage_with_custom_config(self):
        plugin_config = {
            'access_key_last_used_severity_two_threshold': 90,
            'access_key_last_used_severity_one_threshold': 60,
        }

        oil = Oil()
        oil.register_barrel(IAMBarrel)
        oil.register_plugin(AccessKeyUsagePlugin, plugin_config)
        results = oil.scan()

        aws_results = results.get('aws', {})
        iam_results = aws_results.get('iam', {})
        plugin_results = iam_results.get('access_key_usage', [])

        self.assertNotEqual(plugin_results, [])
Esempio n. 12
0
    def test_oil_can_scan_for_active_mfa_device_with_config(self):
        plugin_config = {
            'root_user_enabled_message': 'Enabled: {username}',
            'root_user_not_enabled_message': 'Not Enabled: {username}',
            'root_user_not_enabled_severity_level': 1,
            'enabled_message': 'Enabled: {username}',
            'not_enabled_message': 'Not Enabled: {username}',
            'not_enabled_severity_level': 1,
        }

        oil = Oil()
        oil.register_barrel(IAMBarrel)
        oil.register_plugin(UserMFAPlugin, plugin_config)
        results = oil.scan()

        aws_results = results.get('aws', {})
        iam_results = aws_results.get('iam', {})
        plugin_results = iam_results.get('user_mfa', [])

        self.assertNotEqual(plugin_results, [])
Esempio n. 13
0
    def test_oil_can_scan_for_total_users_with_config(self):
        plugin_config = {
            'total_users_severity_2_threshold': 50,
            'total_users_severity_1_threshold': 20,
            'total_users_severity_2_message': ('Total users: {total_users}'),
            'total_users_severity_1_message': ('Total users: {total_users}'),
            'total_users_severity_0_message': ('Total users: {total_users}'),
            'no_users_message': ('No users in this AWS account'),
        }

        oil = Oil()
        oil.register_barrel(IAMBarrel)
        oil.register_plugin(TotalUsersPlugin, plugin_config)
        results = oil.scan()

        aws_results = results.get('aws', {})
        iam_results = aws_results.get('iam', {})
        plugin_results = iam_results.get('total_users', [])

        self.assertNotEqual(plugin_results, [])
Esempio n. 14
0
    def test_oil_can_scan_for_total_users(self):
        config = {
            'aws': {
                'iam': {
                    'plugins': [{
                        'name': 'total_users',
                    }]
                }
            }
        }

        oil = Oil(config)
        oil.register_barrel(IAMBarrel)
        oil.register_plugin(TotalUsersPlugin)
        results = oil.scan()

        aws_results = results.get('aws', {})
        iam_results = aws_results.get('iam', {})
        plugin_results = iam_results.get('total_users', [])

        self.assertNotEqual(plugin_results, [])