Esempio n. 1
0
    def audit_impl(self):
        """
    Audit
    :return: violations 
    """
        if self.debug:
            print('SecurityGroupEgressOpenToWorldRule - audit_impl' + lineno())
        violating_egresses = []

        for groups in self.cfn_model.security_groups():
            if self.debug:
                print('group: ' + str(groups) + lineno())
                print('vars: ' + str(vars(groups)) + lineno())

            for egress in groups.egresses:
                if self.debug:
                    print('egress: ' + str(egress) + lineno())

                if IpAddr.ip4_open(egress,
                                   debug=self.debug) or IpAddr.ip6_open(
                                       egress, debug=self.debug):
                    if self.debug:
                        print('ip4/6 address is open' + lineno())
                    violating_egresses.append(str(groups.logical_resource_id))

        routes = self.cfn_model.standalone_egress()

        if self.debug:
            print('routes: ' + str(routes) + lineno())
        for standalone_egress in routes:
            if self.debug:
                print('standalone_egress: ' + str(standalone_egress) +
                      lineno())
                print('vars: ' + str(vars(standalone_egress)) + lineno())

            if IpAddr.ip4_open(standalone_egress,
                               debug=self.debug) or IpAddr.ip6_open(
                                   standalone_egress, debug=self.debug):
                if self.debug:
                    print('ip4/6 address is open' + lineno())
                violating_egresses.append(
                    standalone_egress.logical_resource_id)

        return violating_egresses
Esempio n. 2
0
    def test_ip4_not_open_list(self):


      expected_result = False


      dict = []
      dict.append({'CidrIp':'192.168.1.0/32'})

      real_result = class_to_test.ip4_open(ingress=dict, debug=True)

      print('expected results: '+str(expected_result))
      print('real results: '+str(real_result))

      self.maxDiff = None
      self.assertEqual(expected_result, real_result)
Esempio n. 3
0
    def test_ip4_not_open(self):


      expected_result = False


      dict = {}
      dict['CidrIp'] = '192.168.1.0/32'

      real_result = class_to_test.ip4_open(ingress=dict, debug=False)

      print('expected results: '+str(expected_result))
      print('real results: '+str(real_result))

      self.maxDiff = None
      self.assertEqual(expected_result, real_result)
Esempio n. 4
0
    def test_ip6_range_list(self):


      expected_result = False


      dict = []
      dict.append({'CidrIp': '2001:0db8:85a3:0000:0000:8a2e:0370/64'})

      real_result = class_to_test.ip6_cidr_range(ingress=dict, debug=False)

      print('expected results: '+str(expected_result))
      print('real results: '+str(real_result))

      self.maxDiff = None
      self.assertEqual(expected_result, real_result)
Esempio n. 5
0
    def test_ip6_no_range(self):


      expected_result = True


      dict = {}
      dict['CidrIp'] = '2001:0db8:85a3:0000:0000:8a2e:0370/128'

      real_result = class_to_test.ip6_cidr_range(ingress=dict, debug=False)

      print('expected results: '+str(expected_result))
      print('real results: '+str(real_result))

      self.maxDiff = None
      self.assertEqual(expected_result, real_result)
Esempio n. 6
0
    def test_ip6_open(self):


      expected_result = True


      dict = {}
      dict['CidrIp'] = '::/0'

      real_result = class_to_test.ip6_open(ingress=dict, debug=False)

      print('expected results: '+str(expected_result))
      print('real results: '+str(real_result))

      self.maxDiff = None
      self.assertEqual(expected_result, real_result)
Esempio n. 7
0
    def audit_impl(self):
        """
        Audit
        :return: violations
        """
        if self.debug:
            print('SecurityGroupIngressCidrNon32Rule - audit_impl'+lineno())
        logical_resource_ids = []

        # Iterate over each of the security groups in the cloudformation template
        for groups in self.cfn_model.security_groups():

            if self.debug:
                print('group: '+str(groups)+lineno())
                print('vars: '+str(vars(groups))+lineno())

            # If the security group has ingresses
            if hasattr(groups,'ingresses'):
                if len(groups.ingresses)>0:

                    has_invalid_cidr = False

                    # Iterate over each on the ingresses
                    for ingresses in groups.ingresses:

                        if self.debug:
                          print('ingresses: '+str(ingresses)+lineno())

                        if type(ingresses) == type(dict()):

                            if self.debug:
                                print('ingress is a dict'+lineno())

                            if IpAddr.ip4_cidr_range(ingresses,debug=self.debug)==True or IpAddr.ip6_cidr_range(ingresses,debug=self.debug):
                                if self.debug:
                                    print('ip4/6 address is /32 or /128' + lineno())

                            else:
                                if self.debug:
                                    print('ip4/6 address does not end with /32 or /128' + lineno())

                                if self.debug:
                                    print("\n\n##########################################################")
                                    print('Resource is not valid - appending to list')
                                    print('logical resource id: ' + str(groups.logical_resource_id) + lineno())
                                    print("#############################################################\n")
                                logical_resource_ids.append(str(groups.logical_resource_id))

                        elif type(ingresses) == type(list()):

                            if self.debug:
                                print("ingress is a list() "+lineno())

                            for item in ingresses:

                                if IpAddr.ip4_cidr_range(item,debug=self.debug):
                                    if self.debug:
                                        print('ip4/6 address is /32 or /128' + lineno())
                                    continue

                                if IpAddr.ip6_cidr_range(item,debug=self.debug):
                                    if self.debug:
                                        print('ip4/6 address is /32 or /128' + lineno())
                                    continue

                            if self.debug:
                                print("\n\n##########################################################")
                                print('Resource is not valid - appending to list')
                                print('logical resource id: ' + str(groups.logical_resource_id) + lineno())
                                print("#############################################################\n")
                            logical_resource_ids.append(str(groups.logical_resource_id))

                        else:

                            if self.debug:
                                print('vars: '+str(vars(ingresses))+lineno())
                                print('ingress is not a list or dict'+lineno())

                            if hasattr(ingresses, 'cidrIp'):
                                if self.debug:
                                    print('has cidrIp '+lineno())

                                if IpAddr.ip4_cidr_range(ingresses,debug=self.debug):

                                    if self.debug:
                                        print('ip4/6 address is /32 or /128' + lineno())

                                    continue

                            if hasattr(ingresses,'cidrIpv6'):

                                if self.debug:
                                    print('ip4/6 address is /32 or /128'+lineno())

                                if IpAddr.ip6_cidr_range(ingresses, debug=self.debug):
                                    if self.debug:
                                        print('ip4/6 address is /32 or /128' + lineno())

                                continue

                            if not hasattr(ingresses,'cidrIp') and not hasattr(ingresses,'cidrIpv6'):
                                if self.debug:
                                    print('does not have a cidr entry')
                                continue

                            if self.debug:
                                print("\n\n##########################################################")
                                print('Resource is not valid - appending to list')
                                print('logical resource id: ' + str(groups.logical_resource_id) + lineno())
                                print("#############################################################\n")
                            logical_resource_ids.append(str(groups.logical_resource_id))
            else:
              sys.exit(1)

        if self.debug:
            print('violations: '+str(list(set(logical_resource_ids)))+lineno())

        if self.debug:
            print('Getting all the standalone ingress resources')

        standalone_resources= self.cfn_model.standalone_ingress()

        # iterate over the routes
        for resource in standalone_resources:

            if self.debug:
                print("\n\n#########################################")
                print('standalone resource: ' + str(resource) + lineno())
                print('vars: ' + str(vars(resource)) + lineno())
                print('type: '+str(type(resource))+lineno())
                print("############################################\n")

            if hasattr(resource,'cidrIp'):

                if self.debug:
                    print('has cidrIp attributes'+lineno())

                if IpAddr.ip4_cidr_range(resource.cidrIp,debug=self.debug):
                    if self.debug:
                        print('ip4/6 address is /32 or /128' + lineno())
                    continue

                else:
                    if self.debug:
                        print('ip4/6 address does not end with /32 or /128' + lineno())
                    logical_resource_ids.append(resource.logical_resource_id)

            if hasattr(resource,'cidrIpv6'):
                if self.debug:
                    print('has cidrIpv6 attributes' + lineno())

                if  IpAddr.ip6_cidr_range(resource.cidrIpv6,debug=self.debug):
                    if self.debug:
                        print('ip4/6 address is /32 or /128' + lineno())
                    continue

                else:
                    if self.debug:
                        print('ip4/6 address does not end with /32 or /128' + lineno())
                    logical_resource_ids.append(resource.logical_resource_id)

        if self.debug:
            print('violations: '+str(list(set(logical_resource_ids)))+lineno())


        return logical_resource_ids