def collect_exposure(args, db_table): myCI = al_ci_client.CloudInsight(args) myEnv = myCI.get_environments() if myEnv: remediations = myCI.get_remediations_short() item_payload = [] for remediation in remediations["remediations"]["assets"]: for exposure in remediation["vulnerabilities"]: exposure["remediation_id"] = remediation["remediation_id"] exposure["deployment_id"] = remediation["deployment_id"] exposure["account_id"] = remediation["account_id"] exposure["vul_map_sort_key"] = str( remediation["deployment_id"]) + "/" + str( args["date_marker"]) item_payload.append(exposure) logger.info( "Batch write to: {0} - CID: {1} - EnvId: {2} - Total: {3}".format( args['db_name'], myEnv["account_id"], myEnv["id"], len(item_payload))) if db_table.write_to_table(item_payload, args["date_marker"], ['vulnerability_id', 'vul_map_sort_key'], ttl=create_ttl_time(int(args["ttl"]))): logger.info("Batch write Completed") else: logger.error("Cant read environment ID: {0}".format(args['env_id']))
def find_all_child(args): myCI = al_ci_client.CloudInsight(args) CID_DICT = myCI.get_all_child() COMBINED_PLAN = [] #Grab Parent CID and search per Environment logger.info("### PROCESSING PARENT CID ###") COMBINED_PLAN.append(monitor_per_cid(args)) #Loop through the child and find all private IP's if len(CID_DICT["accounts"]) > 0: logger.info("### PROCESSING CHILD CID ###") for CHILD in CID_DICT["accounts"]: child_args = deepcopy(args) child_args["acc_id"] = CHILD["id"] CHILD_PLAN = monitor_per_cid(child_args) if CHILD_PLAN['environments']: COMBINED_PLAN.append(CHILD_PLAN) logger.info("\nAll CID results: {0}".format( json.dumps(COMBINED_PLAN, sort_keys=True, indent=2))) FINAL_FILE_NAME = str( time.strftime("%Y%m%d-%H%M%S")) + "_final_output.json" args["file_name"] = FINAL_FILE_NAME write_to_s3( args, json.dumps(COMBINED_PLAN, indent=2, sort_keys=True, ensure_ascii=True)) logger.info("Results stored in: {0}".format(FINAL_FILE_NAME))
def get_disposed_asset_item(args): myCI = al_ci_client.CloudInsight(args) query_args = {} query_args["asset_types"] = "v:vulnerability" query_args["v.disposed"] = "true" query_args["v.remediation_id"] = args["remediation_id"] return myCI.get_asset_custom(query_args)
def collect_total_host_scanned(args): myCI = al_ci_client.CloudInsight(args) myEnv = myCI.get_scheduler_summary() if myEnv: return myEnv["summary"] else: return False
def temp_count_host_with_aws_config_vul(args): myCI = al_ci_client.CloudInsight(args) myEnv = myCI.get_environments() if myEnv: #ALL VULNERABILITY RELATED TO HOST (AWS CONFIG + APP LEVEL) query_args = {} query_args["asset_types"] = "h:host,v:vulnerability" query_args["v.severity"] = "$VAR" query_args["VAR.type"] = "string[]" query_args["VAR.value"] = "info,low,medium,high" query_args["VAR.comparison"] = "member_of" query_args["query_format"] = "v2" host_all_vulnerability = myCI.get_asset_custom(query_args) #ALL APP LEVEL VULNERABILITY RELATED TO HOST query_args = {} query_args["asset_types"] = "h:host,v:vulnerability" query_args["v.scope_scan_severity"] = "$VAR" query_args["VAR.type"] = "string[]" query_args["VAR.value"] = "Info,Low,Medium,High" query_args["VAR.comparison"] = "member_of" query_args["query_format"] = "v2" host_app_vulnerability = myCI.get_asset_custom(query_args) result = int(host_all_vulnerability["rows"]) - int( host_app_vulnerability["rows"]) return result else: return 0
def validate_cid(args): myCID = al_ci_client.CloudInsight(args) cid_response = myCID.get_cid_details(args['id']) if cid_response: return cid_response['active'] else: return False
def validate_cred(args): try: print(args) myCred = al_ci_client.CloudInsight(args) logger.info(myCred.token) return myCred.token except ClientError as e: logger.error(e.response['Error']['Message']) return False
def collect_remediation(args, db_table): myCI = al_ci_client.CloudInsight(args) myEnv = myCI.get_environments() if myEnv: remediations = myCI.get_remediations_short() logger.info( "Batch write to: {0} - CID: {1} - EnvId: {2} - Total: {3}".format( args['db_name'], myEnv["account_id"], myEnv["id"], remediations["remediations"]["rows"])) if db_table.write_to_table(remediations["remediations"]["assets"], args["date_marker"], ttl=create_ttl_time(int(args["ttl"]))): logger.info("Batch write Completed") else: error_handler(args, "collect_remediation") else: logger.error("Cant read environment ID: {0}".format(args['env_id']))
def find_all_child(args): #Get and decrypt credentials args["password"] = boto3.client('kms').decrypt( CiphertextBlob=b64decode(os.environ["PASSWORD"]))['Plaintext'] args["user"] = os.environ["USER_NAME"] args["acc_id"] = os.environ["CID"] args['s3_bucket'] = os.environ["S3_BUCKET_NAME"] args['yarp'] = os.environ["YARP"] args['source'] = "driver-disposed-report" args['log_level'] = "info" args['type'] = "find_disposed" WORKER_NAME = os.environ["WORKER_NAME"] WORKER_INVOCATION = os.environ["WORKER_INVOCATION"] myCI = al_ci_client.CloudInsight(args) #Grab Parent CID and find disposed report logger.info("### PROCESSING PARENT CID ###") lambda_client = boto3.client('lambda') response = invoke_lambda(WORKER_NAME, args, lambda_client, WORKER_INVOCATION) logger.info("Invoke: {0}:{1} - for CID: {2} - Status: {3}".format( WORKER_NAME, args['type'], args['acc_id'], response)) if os.environ["FIND_CHILD"] == "True": #Loop through the child and make recurvise call to find disposed report CID_DICT = myCI.get_all_child() if len(CID_DICT["accounts"]) > 0: logger.info("### PROCESSING CHILD CID ###") for CHILD in CID_DICT["accounts"]: child_args = deepcopy(args) child_args["acc_id"] = CHILD["id"] response = invoke_lambda(WORKER_NAME, child_args, lambda_client, WORKER_INVOCATION) logger.info("Invoke: {0}:{1} - for CID: {2} - Status: {3}".format( WORKER_NAME, child_args['type'], child_args['acc_id'], response)) else: logger.info("### SKIP CHILD CID ###")
def collect_vulnerability(args, db_table): myCI = al_ci_client.CloudInsight(args) myEnv = myCI.get_environments() if myEnv: query_args = {} query_args["asset_types"] = "vulnerability" vulnerabilities = myCI.get_asset_custom(query_args) item_payload = [] for vulnerability in vulnerabilities["assets"]: temp_item = {} temp_item["account_id"] = myEnv["account_id"] temp_item["deployment_id"] = myEnv["id"] temp_item["key"] = vulnerability[0]["key"] temp_item["name"] = vulnerability[0]["name"] temp_item["vulnerability_id"] = vulnerability[0][ "vulnerability_id"] temp_item["threat_score"] = vulnerability[0]["threat_score"] #DynamoDB did not support empty attributes value if vulnerability[0]["details"] != "": temp_item["details"] = vulnerability[0]["details"] else: temp_item["details"] = "N/A" temp_item["disposed"] = vulnerability[0]["disposed"] temp_item["cvss_score"] = vulnerability[0]["cvss_score"] item_payload.append(temp_item) logger.info( "Batch write to: {0} - CID: {1} - EnvId: {2} - Total: {3}".format( args['db_name'], myEnv["account_id"], myEnv["id"], len(item_payload))) db_table.write_to_table(item_payload, args["date_marker"], ttl=create_ttl_time(int(args["ttl"]))) logger.info("Batch write sent") else: logger.error("Cant read environment ID: {0}".format(args['env_id']))
def collect_host_that_vulnerable(args): myCI = al_ci_client.CloudInsight(args) myEnv = myCI.get_environments() if myEnv: query_args = {} query_args["asset_types"] = "h:host,v:vulnerability" query_args["v.severity"] = "$VAR" query_args["VAR.type"] = "string[]" query_args["VAR.value"] = "info,low,medium,high" query_args["VAR.comparison"] = "member_of" query_args["query_format"] = "v2" host_that_vulnerable = myCI.get_asset_custom(query_args) host_that_vulnerable_high = [] host_that_vulnerable_medium = [] host_that_vulnerable_low = [] host_that_vulnerable_info = [] host_that_vulnerable_total = [] host_that_vulnerable_high_or_medium = [] for host in host_that_vulnerable["assets"]: if host[1]["severity"] == "high": host_that_vulnerable_high.append(host[0]["instance_id"]) host_that_vulnerable_high_or_medium.append( host[0]["instance_id"]) elif host[1]["severity"] == "medium": host_that_vulnerable_medium.append(host[0]["instance_id"]) host_that_vulnerable_high_or_medium.append( host[0]["instance_id"]) elif host[1]["severity"] == "low": host_that_vulnerable_low.append(host[0]["instance_id"]) elif host[1]["severity"] == "info": host_that_vulnerable_info.append(host[0]["instance_id"]) host_that_vulnerable_total.append(host[0]["instance_id"]) result = {} result["total"] = len(set(host_that_vulnerable_total)) result["high"] = len(set(host_that_vulnerable_high)) result["medium"] = len(set(host_that_vulnerable_medium)) result["low"] = len(set(host_that_vulnerable_low)) result["info"] = len(set(host_that_vulnerable_info)) result["high_medium"] = len(set(host_that_vulnerable_high_or_medium)) logger.info( "CID: {0} - EnvId: {1} - Total Unique Host with vulnerabilities: {2}" .format(myEnv["account_id"], myEnv["id"], result["total"])) logger.info( "|- CID: {0} - EnvId: {1} - Total Host with vulnerability High: {2}" .format(myEnv["account_id"], myEnv["id"], result["high"])) logger.info( "|- CID: {0} - EnvId: {1} - Total Host with vulnerability Medium: {2}" .format(myEnv["account_id"], myEnv["id"], result["medium"])) logger.info( "|- CID: {0} - EnvId: {1} - Total Host with vulnerability Low: {2}" .format(myEnv["account_id"], myEnv["id"], result["low"])) logger.info( "|- CID: {0} - EnvId: {1} - Total Host with vulnerability Info: {2}" .format(myEnv["account_id"], myEnv["id"], result["info"])) logger.info( "|- CID: {0} - EnvId: {1} - Total Host with vulnerability High & Medium: {2}" .format(myEnv["account_id"], myEnv["id"], result["high_medium"])) return result else: return False
def find_all_child(args): myCI = al_ci_client.CloudInsight(args) CID_DICT = myCI.get_all_child() grand_total_host_vulnerability = {} grand_total_host_vulnerability["high"] = 0 grand_total_host_vulnerability["medium"] = 0 grand_total_host_vulnerability["low"] = 0 grand_total_host_vulnerability["info"] = 0 grand_total_non_host_vulnerability = {} grand_total_non_host_vulnerability["high"] = 0 grand_total_non_host_vulnerability["medium"] = 0 grand_total_non_host_vulnerability["low"] = 0 grand_total_non_host_vulnerability["info"] = 0 grand_total_host_with_vulnerability = {} grand_total_host_with_vulnerability["total"] = 0 grand_total_host_with_vulnerability["high"] = 0 grand_total_host_with_vulnerability["medium"] = 0 grand_total_host_with_vulnerability["low"] = 0 grand_total_host_with_vulnerability["info"] = 0 grand_total_host_with_vulnerability["high_medium"] = 0 grand_total_host = {} grand_total_host["scanned"] = 0 grand_total_host["total"] = 0 #Grab Parent CID vulnerability logger.info("### PROCESSING PARENT CID ###") per_cid_total_host_vulnerability, per_cid_total_non_host_vulnerability, per_cid_total_host_with_vulnerability, per_cid_total_host = monitor_per_cid( args) grand_total_host_vulnerability["high"] = grand_total_host_vulnerability[ "high"] + per_cid_total_host_vulnerability["high"] grand_total_host_vulnerability["medium"] = grand_total_host_vulnerability[ "medium"] + per_cid_total_host_vulnerability["medium"] grand_total_host_vulnerability["low"] = grand_total_host_vulnerability[ "low"] + per_cid_total_host_vulnerability["low"] grand_total_host_vulnerability["info"] = grand_total_host_vulnerability[ "info"] + per_cid_total_host_vulnerability["info"] grand_total_non_host_vulnerability[ "high"] = grand_total_non_host_vulnerability[ "high"] + per_cid_total_non_host_vulnerability["high"] grand_total_non_host_vulnerability[ "medium"] = grand_total_non_host_vulnerability[ "medium"] + per_cid_total_non_host_vulnerability["medium"] grand_total_non_host_vulnerability[ "low"] = grand_total_non_host_vulnerability[ "low"] + per_cid_total_non_host_vulnerability["low"] grand_total_non_host_vulnerability[ "info"] = grand_total_non_host_vulnerability[ "info"] + per_cid_total_non_host_vulnerability["info"] grand_total_host_with_vulnerability[ "total"] = grand_total_host_with_vulnerability[ "total"] + per_cid_total_host_with_vulnerability["total"] grand_total_host_with_vulnerability[ "high"] = grand_total_host_with_vulnerability[ "high"] + per_cid_total_host_with_vulnerability["high"] grand_total_host_with_vulnerability[ "medium"] = grand_total_host_with_vulnerability[ "medium"] + per_cid_total_host_with_vulnerability["medium"] grand_total_host_with_vulnerability[ "low"] = grand_total_host_with_vulnerability[ "low"] + per_cid_total_host_with_vulnerability["low"] grand_total_host_with_vulnerability[ "info"] = grand_total_host_with_vulnerability[ "info"] + per_cid_total_host_with_vulnerability["info"] grand_total_host_with_vulnerability[ "high_medium"] = grand_total_host_with_vulnerability[ "high_medium"] + per_cid_total_host_with_vulnerability[ "high_medium"] grand_total_host["scanned"] = grand_total_host[ "scanned"] + per_cid_total_host["scanned"] grand_total_host[ "total"] = grand_total_host["total"] + per_cid_total_host["total"] #Loop through the child for vulnerability if len(CID_DICT["accounts"]) > 0: logger.info("### PROCESSING CHILD CID ###") for CHILD in CID_DICT["accounts"]: child_args = deepcopy(args) child_args["acc_id"] = CHILD["id"] per_cid_total_host_vulnerability, per_cid_total_non_host_vulnerability, per_cid_total_host_with_vulnerability, per_cid_total_host = monitor_per_cid( child_args) grand_total_host_vulnerability[ "high"] = grand_total_host_vulnerability[ "high"] + per_cid_total_host_vulnerability["high"] grand_total_host_vulnerability[ "medium"] = grand_total_host_vulnerability[ "medium"] + per_cid_total_host_vulnerability["medium"] grand_total_host_vulnerability["low"] = grand_total_host_vulnerability[ "low"] + per_cid_total_host_vulnerability["low"] grand_total_host_vulnerability[ "info"] = grand_total_host_vulnerability[ "info"] + per_cid_total_host_vulnerability["info"] grand_total_non_host_vulnerability[ "high"] = grand_total_non_host_vulnerability[ "high"] + per_cid_total_non_host_vulnerability["high"] grand_total_non_host_vulnerability[ "medium"] = grand_total_non_host_vulnerability[ "medium"] + per_cid_total_non_host_vulnerability["medium"] grand_total_non_host_vulnerability[ "low"] = grand_total_non_host_vulnerability[ "low"] + per_cid_total_non_host_vulnerability["low"] grand_total_non_host_vulnerability[ "info"] = grand_total_non_host_vulnerability[ "info"] + per_cid_total_non_host_vulnerability["info"] grand_total_host_with_vulnerability[ "total"] = grand_total_host_with_vulnerability[ "total"] + per_cid_total_host_with_vulnerability["total"] grand_total_host_with_vulnerability[ "high"] = grand_total_host_with_vulnerability[ "high"] + per_cid_total_host_with_vulnerability["high"] grand_total_host_with_vulnerability[ "medium"] = grand_total_host_with_vulnerability[ "medium"] + per_cid_total_host_with_vulnerability["medium"] grand_total_host_with_vulnerability[ "low"] = grand_total_host_with_vulnerability[ "low"] + per_cid_total_host_with_vulnerability["low"] grand_total_host_with_vulnerability[ "info"] = grand_total_host_with_vulnerability[ "info"] + per_cid_total_host_with_vulnerability["info"] grand_total_host_with_vulnerability[ "high_medium"] = grand_total_host_with_vulnerability[ "high_medium"] + per_cid_total_host_with_vulnerability[ "high_medium"] grand_total_host["scanned"] = grand_total_host[ "scanned"] + per_cid_total_host["scanned"] grand_total_host[ "total"] = grand_total_host["total"] + per_cid_total_host["total"] logger.info("### GRAND TOTAL VULNERABILITIES RELATED TO HOST ###") logger.info("Grand Total Host vulnerability High: {0} ".format( grand_total_host_vulnerability["high"])) logger.info("Grand Total Host vulnerability Medium: {0} ".format( grand_total_host_vulnerability["medium"])) logger.info("Grand Total Host vulnerability Low: {0} ".format( grand_total_host_vulnerability["low"])) logger.info("Grand Total Host vulnerability Info: {0} ".format( grand_total_host_vulnerability["info"])) logger.info("### GRAND TOTAL VULNERABILITIES RELATED TO NON HOST ###") logger.info("Grand Total Non Host vulnerability High: {0} ".format( grand_total_non_host_vulnerability["high"])) logger.info("Grand Total Non Host vulnerability Medium: {0} ".format( grand_total_non_host_vulnerability["medium"])) logger.info("Grand Total Non Host vulnerability Low: {0} ".format( grand_total_non_host_vulnerability["low"])) logger.info("Grand Total Non Host vulnerability Info: {0} ".format( grand_total_non_host_vulnerability["info"])) logger.info("### GRAND TOTAL ALL VULNERABILITIES ###") logger.info("Grand Total Vulnerabilities: {0} ".format( (grand_total_non_host_vulnerability["high"] + grand_total_host_vulnerability["high"] + grand_total_non_host_vulnerability["medium"] + grand_total_host_vulnerability["medium"] + grand_total_non_host_vulnerability["low"] + grand_total_host_vulnerability["low"] + grand_total_non_host_vulnerability["info"] + grand_total_host_vulnerability["info"]))) logger.info("Grand Total Vulnerability High: {0} ".format( (grand_total_non_host_vulnerability["high"] + grand_total_host_vulnerability["high"]))) logger.info("Grand Total Vulnerability Medium: {0} ".format( (grand_total_non_host_vulnerability["medium"] + grand_total_host_vulnerability["medium"]))) logger.info("Grand Total Vulnerability Low: {0} ".format( (grand_total_non_host_vulnerability["low"] + grand_total_host_vulnerability["low"]))) logger.info("Grand Total Vulnerability Info: {0} ".format( (grand_total_non_host_vulnerability["info"] + grand_total_host_vulnerability["info"]))) logger.info("### GRAND TOTAL HOST WITH VULNERABILITIES ###") logger.info("Grand Total Unique Host with vulnerabilities: {0} ".format( grand_total_host_with_vulnerability["total"])) logger.info("Grand Total Host with vulnerability High: {0} ".format( grand_total_host_with_vulnerability["high"])) logger.info("Grand Total Host with vulnerability Medium: {0} ".format( grand_total_host_with_vulnerability["medium"])) logger.info("Grand Total Host with vulnerability Low: {0} ".format( grand_total_host_with_vulnerability["low"])) logger.info("Grand Total Host with vulnerability Info: {0} ".format( grand_total_host_with_vulnerability["info"])) logger.info( "Grand Total Host with vulnerability High & Medium: {0} ".format( grand_total_host_with_vulnerability["high_medium"])) logger.info("### GRAND TOTAL HOST TALLY ###") logger.info("|- CID: {0} - Grand Total Number of Host: {1} ".format( args["acc_id"], grand_total_host["total"])) logger.info( "|- CID: {0} - Grand Total Number of Host Scanned by Alert Logic: {1} " .format(args["acc_id"], grand_total_host["scanned"])) LOG_LEVEL = logging.INFO logging.basicConfig(format='%(message)s') logoutput = logging.getLogger(__name__) logoutput.setLevel(LOG_LEVEL) logoutput.info("\n") logoutput.info("Alert Logic Total Host with Vuln's: {0}".format( grand_total_host_with_vulnerability["total"])) logoutput.info("Total hosts scanned by Alert Logic: {0}".format( grand_total_host["scanned"])) if (grand_total_host["scanned"] > 0): percent_host_vulnerable = float( grand_total_host_with_vulnerability["total"]) / float( grand_total_host["scanned"]) * 100 percent_host_vulnerable_high_medium = float( grand_total_host_with_vulnerability["high_medium"]) / float( grand_total_host["scanned"]) * 100 else: percent_host_vulnerable = 0 percent_host_vulnerable_high_medium = 0 logoutput.info("% Vulnerable Host in Alert Logic: {0}".format( percent_host_vulnerable)) logoutput.info("Total hosts with High vulnerability: {0}".format( grand_total_host_with_vulnerability["high"])) logoutput.info("Total hosts with Med vulnerability: {0}".format( grand_total_host_with_vulnerability["medium"])) logoutput.info("Total hosts with Low vulnerability: {0}".format( grand_total_host_with_vulnerability["low"])) logoutput.info("\n") logoutput.info( "% Vulnerable Host (High & Medium) in Alert Logic: {0}".format( percent_host_vulnerable_high_medium)) logoutput.info("Total hosts with High & Medium vulnerability: {0}".format( grand_total_host_with_vulnerability["high_medium"])) logoutput.info("\n") total_all_vulnerability = grand_total_non_host_vulnerability[ "high"] + grand_total_host_vulnerability[ "high"] + grand_total_non_host_vulnerability[ "medium"] + grand_total_host_vulnerability[ "medium"] + grand_total_non_host_vulnerability[ "low"] + grand_total_host_vulnerability["low"] logoutput.info("Alert Logic total vulnerabilities: {0}".format( total_all_vulnerability)) logoutput.info("AL (Host only) Vulnerabilities High: {0}".format( grand_total_host_vulnerability["high"])) logoutput.info("AL (Host only) Vulnerabilities Medium: {0}".format( grand_total_host_vulnerability["medium"])) logoutput.info("AL (Host only) Vulnerabilities Low: {0}".format( grand_total_host_vulnerability["low"])) logoutput.info("\n") logoutput.info("Alert Logic all instances Vuln's High: {0}".format( grand_total_non_host_vulnerability["high"] + grand_total_host_vulnerability["high"])) logoutput.info("Alert Logic all instances Vuln's Medium: {0}".format( grand_total_non_host_vulnerability["medium"] + grand_total_host_vulnerability["medium"])) logoutput.info("Alert Logic all instances Vuln's Low: {0}".format( grand_total_non_host_vulnerability["low"] + grand_total_host_vulnerability["low"])) logoutput.info("\n")
def get_disposed_rem_item(args): myCI = al_ci_client.CloudInsight(args) query_args = {} query_args["asset_types"] = "r:remediation-item" query_args["r.state"] = "disposed" return myCI.get_asset_custom(query_args)
def collect_vulnerability(args): myCI = al_ci_client.CloudInsight(args) myEnv = myCI.get_environments() if myEnv: query_args = {} query_args["asset_types"] = "vulnerability" vulnerabilities = myCI.get_asset_custom(query_args) host_vulnerability_count = {} host_vulnerability_count["high"] = 0 host_vulnerability_count["medium"] = 0 host_vulnerability_count["low"] = 0 host_vulnerability_count["info"] = 0 non_host_vulnerability_count = {} non_host_vulnerability_count["high"] = 0 non_host_vulnerability_count["medium"] = 0 non_host_vulnerability_count["low"] = 0 non_host_vulnerability_count["info"] = 0 for vulnerability in vulnerabilities["assets"]: if "scope_scan_ip_address" in vulnerability[0]: vulnerability_type = "host" else: vulnerability_type = "non-host" if vulnerability[0]["severity"] == "high": if vulnerability_type == "host": host_vulnerability_count[ "high"] = host_vulnerability_count["high"] + 1 else: non_host_vulnerability_count[ "high"] = non_host_vulnerability_count["high"] + 1 elif vulnerability[0]["severity"] == "medium": if vulnerability_type == "host": host_vulnerability_count[ "medium"] = host_vulnerability_count["medium"] + 1 else: non_host_vulnerability_count[ "medium"] = non_host_vulnerability_count["medium"] + 1 elif vulnerability[0]["severity"] == "low": if vulnerability_type == "host": host_vulnerability_count[ "low"] = host_vulnerability_count["low"] + 1 else: non_host_vulnerability_count[ "low"] = non_host_vulnerability_count["low"] + 1 elif vulnerability[0]["severity"] == "info": if vulnerability_type == "host": host_vulnerability_count[ "info"] = host_vulnerability_count["info"] + 1 else: non_host_vulnerability_count[ "info"] = non_host_vulnerability_count["info"] + 1 logger.info( "CID: {0} - EnvId: {1} - Total vulnerabilities: {2}".format( myEnv["account_id"], myEnv["id"], vulnerabilities["rows"])) logger.info( "|- CID: {0} - EnvId: {1} - Total Host vulnerability High: {2}". format(myEnv["account_id"], myEnv["id"], host_vulnerability_count["high"])) logger.info( "|- CID: {0} - EnvId: {1} - Total Host vulnerability Medium: {2}". format(myEnv["account_id"], myEnv["id"], host_vulnerability_count["medium"])) logger.info( "|- CID: {0} - EnvId: {1} - Total Host vulnerability Low: {2}". format(myEnv["account_id"], myEnv["id"], host_vulnerability_count["low"])) logger.info( "|- CID: {0} - EnvId: {1} - Total Host vulnerability Info: {2}". format(myEnv["account_id"], myEnv["id"], host_vulnerability_count["info"])) logger.info( "|- CID: {0} - EnvId: {1} - Total Non Host vulnerability High: {2}" .format(myEnv["account_id"], myEnv["id"], non_host_vulnerability_count["high"])) logger.info( "|- CID: {0} - EnvId: {1} - Total Non Host vulnerability Medium: {2}" .format(myEnv["account_id"], myEnv["id"], non_host_vulnerability_count["medium"])) logger.info( "|- CID: {0} - EnvId: {1} - Total Non Host vulnerability Low: {2}". format(myEnv["account_id"], myEnv["id"], non_host_vulnerability_count["low"])) logger.info( "|- CID: {0} - EnvId: {1} - Total Non Host vulnerability Info: {2}" .format(myEnv["account_id"], myEnv["id"], non_host_vulnerability_count["info"])) return host_vulnerability_count, non_host_vulnerability_count
def get_remediaton_detail_by_id(args, remediation_id): myCI = al_ci_client.CloudInsight(args) return myCI.get_remediations_map_custom(remediation_id)
def get_user_name_by_id(args, user_id): myCI = al_ci_client.CloudInsight(args) return myCI.get_user_name_by_id(user_id)
def ci_get_env_cid(args): myCI = al_ci_client.CloudInsight(args) query_args = {} query_args['type'] = 'aws' query_args['defender_support'] = 'false' return myCI.get_environments_by_cid_custom(query_args)
"{0} - END - Generate new SSH Key and update it in AWS Secret Manager" .format(str(datetime.datetime.now().strftime("%Y-%m-%d %H:%M")))) #store the public key as environment variable in EB option settings eb_option = {} eb_option["OptionName"] = "SSH_KEY" eb_option["Namespace"] = "aws:elasticbeanstalk:application:environment" #eb_option["Value"] = str(keys['public']).replace('\\n', '\n') eb_option["Value"] = payload.publickey().exportKey('OpenSSH') option_settings.append(eb_option) #Store SSH key to Cloud Insight as scan credentials logger.info( "\n{0} - START - Update private key to Cloud Insight as scan credentials" .format(str(datetime.datetime.now().strftime("%Y-%m-%d %H:%M")))) myCI = al_ci_client.CloudInsight(ci_args) asset_type = "vpc" asset_key = "aws/us-west-2/vpc/vpc-d58792ac" cred_type = "ssh" cred_sub_type = "key" ci_secret_response = register_secret_in_cloud_insight( ci_client=myCI, secret_name=secret_name, asset_type=asset_type, asset_key=asset_key, payload=keys, user_name=user_name, cred_type=cred_type, cred_sub_type=cred_sub_type) if ci_secret_response: logger.info("Success : {0}".format(ci_secret_response))
def read_report_findings(args, db_table, index_name, index_partition_key, index_partition_value, index_sort_key, index_sort_value, table_partition_key, table_sort_key, read_mode, severity_filter): try: result = "" #Query list of ADDED / REMOVED vulnerability based on ENV ID and Date Marker index todays_report = db_table.query_table_with_index( "SPECIFIC_ATTRIBUTES", Key(index_partition_key).eq(index_partition_value) & Key(index_sort_key).eq(index_sort_value), index_name, "#a,#b", { "#a": table_partition_key, "#b": table_sort_key }, True) if len(todays_report["Items"]) > 0: vul_event = copy.deepcopy(args) vul_event['db_name'] = args['db_name_vul_data'] myVulLookupTable = AWSDynamo.DynamoDBClient(vul_event) vul_detail_event = copy.deepcopy(args) vul_detail_event['db_name'] = args['db_name_vul_key'] myVulDetailTable = AWSDynamo.DynamoDBClient(vul_detail_event) for item in todays_report["Items"]: #Query the exposure name based on vulnerability ID exposure_name = myVulLookupTable.query_table( "ALL_ATTRIBUTES", Key("id").eq(item["vulnerability_id"])) if exposure_name["Count"] == 0: logger.info( "Cache miss for exposure id: {0} - attempting to query Cloud Insight API" .format(item["vulnerability_id"])) myCI = al_ci_client.CloudInsight(args) #TODO: tidy up this mess - currently I am trying to match the returned data structure from DynamoDB query exposure_name = {} exposure_name["Items"] = [] exposure_name["Items"].append( myCI.get_vulnerability_map_custom( item["vulnerability_id"])) exposure_name["Items"][0]["TTL"] = create_ttl_time( int(args["db_ttl_vul_data"])) if len(exposure_name["Items"]) > 0: logger.info( "Found exposure id: {0} in CI API - attempting to store in DynamoDB cache" .format(item["vulnerability_id"])) if myVulLookupTable.single_write_to_table( exposure_name["Items"][0]): logger.info( "Successfully stored exposure id {0} in DynamoDB cache" .format(item["vulnerability_id"])) else: logger.error( "Failed to store exposure id {0} in DynamoDB cache" .format(item["vulnerability_id"])) else: logger.error( "Failed to find exposure id {0} in CI API - this vulnerability exposure will not be recorded" .format(item["vulnerability_id"])) if exposure_name["Items"][0]["severity"] in severity_filter: logger.info("Exposure: {0} - {1}".format( exposure_name["Items"][0]["description"], exposure_name["Items"][0]["severity"])) result = result + "Exposure: {0} - {1}\n".format( exposure_name["Items"][0]["description"], exposure_name["Items"][0]["severity"]) #Query the vulnerability detail based on vulnerability ID and sort key (date marker) vulnerabilities = db_table.query_table( "ALL_ATTRIBUTES", Key(table_partition_key).eq(item["vulnerability_id"]) & Key(table_sort_key).eq(item["vul_key_sort_key"])) #For each vulnerability keys, query the detail about that particular asset vulnerability counter = 1 for vulnerability in vulnerabilities["Items"]: #TODO: fix this upstream - where vulnerability_items can be duplicate when reporter worker run more than once for vulnerability_key in set( vulnerability["vulnerability_items"]): if read_mode == "removed": date_marker = args["previousdate"] elif read_mode == "added": date_marker = args["currentdate"] vulnerability_detail = myVulDetailTable.query_table( "ALL_ATTRIBUTES", Key("key").eq(vulnerability_key) & Key("date_marker").eq(date_marker)) logger.info("{0}.{1} - {2}".format( counter, vulnerability_detail["Items"][0]["key"], vulnerability_detail["Items"][0] ["threat_score"])) result = result + "{0}.{1} - {2}\n".format( counter, vulnerability_detail["Items"][0]["key"], vulnerability_detail["Items"][0] ["threat_score"]) counter += 1 logger.info(" ") result = result + "\n" if result == "": logger.info("No new vulnerability {0}\n".format(read_mode)) result = "There is no vulnerability {0}.\n\n".format(read_mode) return result else: logger.info("No new vulnerability {0}\n".format(read_mode)) result = "There is no vulnerability {0}.\n\n".format(read_mode) return result except ClientError as e: logger.error(e.response['Error']['Message'] + ": " + str(self.db_table)) return None