def _target_tags_valid(self, target_tags, error_cat='TARGET_TAGS'):
    """
    Check to see if target tags are present.

    An empty or missing tag list is reported as a single issue; any
    non-empty value passes. (Presumably a rule with no target tags applies
    network-wide, which is why absence is treated as a finding — confirm
    against the firewall semantics the caller relies on.)

    target_tags: list of tag strings, or None when the field is absent.
    error_cat: issue category passed to make_audit_issue.
    return: [list of AuditIssues]
    """
    # Only the falsy case is a finding; anything truthy is acceptable.
    if target_tags:
        return []
    return [make_audit_issue(error_cat, 'FOUND', 'NOT')]
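def _source_ranges_open(self, source_ranges, error_cat='SOURCE_RANGES'):
    """
    Check to see if the source range field is set to allow all traffic.

    One issue is raised for each entry that is an unrestricted CIDR:
    '0.0.0.0/0' (as in the original check) or its IPv6 equivalent '::/0'.
    Matching is textual; ranges that are open in effect but spelled
    differently (e.g. a pair of /1 prefixes) are not detected.

    source_ranges: iterable of CIDR strings, or None (e.g. when the caller
        used dict.get on an absent field).
    error_cat: issue category passed to make_audit_issue.
    return: [list of AuditIssues]
    """
    # Literal "everything" ranges; kept as exact strings rather than parsed
    # with ipaddress so existing findings are unchanged.
    open_ranges = ('0.0.0.0/0', '::/0')
    errors = []
    # Iterating None would raise TypeError and abort the whole audit;
    # treat an absent field as "no ranges".
    for source_range in source_ranges or ():
        if source_range in open_ranges:
            errors.append(make_audit_issue(error_cat, 'OPEN', 'TRAFFIC'))
    return errors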
def _target_tags_valid(self, target_tags, error_cat='TARGET_TAGS'):
    """
    Check to see if target tags are present.

    Reports one issue when target_tags is empty or None; otherwise
    returns an empty list.

    target_tags: list of tag strings, or None when the field is absent.
    error_cat: issue category passed to make_audit_issue.
    return: [list of AuditIssues]
    """
    errors = []
    tags_missing = not target_tags
    if tags_missing:
        issue = make_audit_issue(error_cat, 'FOUND', 'NOT')
        errors.append(issue)
    return errors
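def _source_ranges_open(self, source_ranges, error_cat='SOURCE_RANGES'):
    """
    Check to see if the source range field is set to allow all traffic.

    Each entry equal to '0.0.0.0/0' (the original check) or the IPv6
    any-address range '::/0' produces one issue. Comparison is on the
    string, not on the parsed network, so an open range written in
    another form is not recognised.

    source_ranges: iterable of CIDR strings, or None when the field is
        absent from the rule.
    error_cat: issue category passed to make_audit_issue.
    return: [list of AuditIssues]
    """
    unrestricted = {'0.0.0.0/0', '::/0'}
    # `or ()` keeps a None field from raising TypeError during iteration.
    ranges = source_ranges or ()
    return [
        make_audit_issue(error_cat, 'OPEN', 'TRAFFIC')
        for source_range in ranges
        if source_range in unrestricted
    ]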
def _max_keys(self, key_count, error_cat='SA'):
    """
    Alert when a service account has too many keys.

    Compares key_count with gcp_config.MAX_SERVICEACCOUNT_KEYS and reports
    one issue, with a note giving both numbers, when the count exceeds it.

    key_count: number of keys on the service account.
    error_cat: issue category passed to make_audit_issue.
    return: [list of AuditIssues]
    """
    limit = self.gcp_config.MAX_SERVICEACCOUNT_KEYS
    if key_count <= limit:
        return []
    issue = make_audit_issue(error_cat, 'MAX', 'KEYS')
    issue.notes = 'Too Many Keys (count: %s, max: %s)' % (key_count, limit)
    return [issue]
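def _actor_role(self, policies, error_cat='SA'):
    """
    Determine if a serviceaccount actor is specified.

    One issue is raised per policy entry whose 'Role' is the
    serviceAccountActor role. Both the bare name the original check used
    ('iam.serviceAccountActor') and the 'roles/'-prefixed form used by the
    IAM API are accepted, so the check matches whichever spelling the
    caller supplies.

    policies: iterable of dicts carrying a 'Role' key, or None.
    error_cat: issue category passed to make_audit_issue.
    return: [list of AuditIssues]
    """
    actor_roles = ('iam.serviceAccountActor', 'roles/iam.serviceAccountActor')
    errors = []
    # A None policies field would otherwise raise TypeError on iteration.
    for policy in policies or ():
        # A missing 'Role' yields None, which is simply not in actor_roles.
        if policy.get('Role') in actor_roles:
            errors.append(make_audit_issue(error_cat, 'POLICY', 'ROLE', 'ACTOR'))
    return errors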
def _max_keys(self, key_count, error_cat='SA'):
    """
    Alert when a service account has too many keys.

    key_count: number of keys on the service account.
    error_cat: issue category passed to make_audit_issue.
    return: [list of AuditIssues] -- one issue (with a count/max note)
        when key_count exceeds gcp_config.MAX_SERVICEACCOUNT_KEYS,
        otherwise empty.
    """
    errors = []
    max_allowed = self.gcp_config.MAX_SERVICEACCOUNT_KEYS
    over_limit = key_count > max_allowed
    if over_limit:
        ae = make_audit_issue(error_cat, 'MAX', 'KEYS')
        # Note carries the actual numbers so the finding is actionable.
        ae.notes = 'Too Many Keys (count: %s, max: %s)' % (key_count, max_allowed)
        errors.append(ae)
    return errors
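def _port_range_exists(self, allowed_list, error_cat='ALLOWED'):
    """
    Check to see if a port range exists in the allowed field.

    Any 'ports' entry written as a range ('lo-hi') is reported with a
    note of the form 'protocol:port'; single ports are ignored.

    allowed_list: iterable of dicts with optional 'ports' (list) and
        'IPProtocol' keys, or None when the field is absent.
    error_cat: issue category passed to make_audit_issue.
    return: [list of AuditIssues], one per range found
    """
    errors = []
    for allowed in allowed_list or ():
        # 'ports' is optional (protocols without ports omit it); treat
        # absent/None as no ports instead of failing on iteration.
        for port in allowed.get('ports') or ():
            # A range is written 'lo-hi'; a single port has no dash.
            if '-' in str(port):
                ae = make_audit_issue(error_cat, 'EXISTS', 'PORTRANGE')
                # .get() so a malformed entry lacking IPProtocol does not
                # abort the whole audit with KeyError.
                ae.notes = '%s:%s' % (allowed.get('IPProtocol'), port)
                errors.append(ae)
    return errors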
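def _actor_role(self, policies, error_cat='SA'):
    """
    Determine if a serviceaccount actor is specified.

    Reports one issue for every policy whose 'Role' names the
    serviceAccountActor role, accepting both the bare spelling used by
    the original check and the IAM API's 'roles/'-prefixed spelling.

    policies: iterable of dicts carrying a 'Role' key, or None.
    error_cat: issue category passed to make_audit_issue.
    return: [list of AuditIssues]
    """
    actor_roles = {'iam.serviceAccountActor', 'roles/iam.serviceAccountActor'}
    # `or ()` guards a None field; .get() guards a missing 'Role' key.
    return [
        make_audit_issue(error_cat, 'POLICY', 'ROLE', 'ACTOR')
        for policy in (policies or ())
        if policy.get('Role') in actor_roles
    ]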
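def _port_range_exists(self, allowed_list, error_cat='ALLOWED'):
    """
    Check to see if a port range exists in the allowed field.

    Walks every allowed entry's 'ports' list and reports each value that
    contains a dash (i.e. is written as a range). The issue note is
    'IPProtocol:port'.

    allowed_list: iterable of dicts with optional 'ports' and 'IPProtocol'
        keys, or None when the field is absent.
    error_cat: issue category passed to make_audit_issue.
    return: [list of AuditIssues]
    """
    findings = []
    for allowed in allowed_list or ():
        # 'IPProtocol' is read once per entry via .get() so an entry
        # without it is reported with None rather than raising KeyError.
        protocol = allowed.get('IPProtocol')
        # 'ports' may be absent or None (protocols without ports).
        for port in allowed.get('ports') or ():
            if '-' not in str(port):
                continue
            ae = make_audit_issue(error_cat, 'EXISTS', 'PORTRANGE')
            ae.notes = '%s:%s' % (protocol, port)
            findings.append(ae)
    return findings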
def _legacy_exists(self, network, error_cat='NET'):
    """
    Look for legacy-style (non-subnetwork style) network.

    A network is considered 'legacy' when neither 'Subnetworks' nor
    'AutoCreateSubnetworks' is present in the dict (a key present with
    value None counts as absent).

    network: dict describing the network.
    error_cat: issue category passed to make_audit_issue.
    return: [list of AuditIssues]
    """
    subnet_keys = ('Subnetworks', 'AutoCreateSubnetworks')
    # Either key being set (to anything but None) means subnet mode.
    uses_subnets = any(network.get(key) is not None for key in subnet_keys)
    if uses_subnets:
        return []
    return [make_audit_issue(error_cat, 'EXISTS', 'LEGACY')]
def _acl_allusers_exists(self, acl_list, error_cat='ACL'):
    """
    Looks for allUsers in acl.

    Every ACL entry whose 'entity' is the public principal 'allUsers' is
    reported, with the granted 'role' included in the issue.
    NOTE(review): only 'allUsers' is matched here; 'allAuthenticatedUsers'
    is not covered by this check -- confirm whether that is intended.

    acl_list: iterable of dicts with 'entity' and 'role' keys.
    error_cat: issue category passed to make_audit_issue.
    return: [list of AuditIssues]
    """
    public_entity = 'allUsers'
    # TODO(supertom): notes
    return [
        make_audit_issue(error_cat, 'ROLE', public_entity, acl.get('role'))
        for acl in acl_list
        if acl.get('entity') == public_entity
    ]
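def _cors_method(self, cors_list, error_cat='CORS'):
    """
    Looks at the CORS method. Anything other than GET is flagged.

    Each non-GET method in each CORS entry produces one issue; the '*'
    wildcard is reported under the label 'ALL'.

    cors_list: iterable of dicts with a 'method' list, or None.
    error_cat: issue category passed to make_audit_issue.
    return: [list of AuditIssues]
    """
    errors = []
    for cors in cors_list or ():
        # 'method' may be absent or None on an entry; skip it instead of
        # raising TypeError when iterating None.
        for method in cors.get('method') or ():
            label = 'ALL' if method == '*' else method
            if label != 'GET':
                errors.append(make_audit_issue(error_cat, 'METHOD', label))
    return errors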
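def _cors_method(self, cors_list, error_cat='CORS'):
    """
    Looks at the CORS method. Anything other than GET is flagged.

    Reports one issue per method that is not 'GET'; a '*' entry is
    normalised to 'ALL' before being reported.

    cors_list: iterable of dicts with a 'method' list, or None.
    error_cat: issue category passed to make_audit_issue.
    return: [list of AuditIssues]
    """
    def _label(method):
        # '*' means every method; surface it as 'ALL' in the finding.
        return 'ALL' if method == '*' else method

    findings = []
    for cors in cors_list or ():
        # Entry may lack 'method' or carry None; treat as no methods.
        methods = cors.get('method') or ()
        findings.extend(
            make_audit_issue(error_cat, 'METHOD', _label(method))
            for method in methods
            if _label(method) != 'GET'
        )
    return findings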
def _legacy_exists(self, network, error_cat='NET'):
    """
    Look for legacy-style (non-subnetwork style) network.

    network: dict describing the network.
    error_cat: issue category passed to make_audit_issue.
    return: [list of AuditIssues] -- one issue when neither 'Subnetworks'
        nor 'AutoCreateSubnetworks' is present (None), otherwise empty.
    """
    errors = []
    has_subnetworks = network.get('Subnetworks') is not None
    has_auto_create = network.get('AutoCreateSubnetworks') is not None
    # Legacy networks carry neither subnet-mode field.
    is_legacy = not (has_subnetworks or has_auto_create)
    if is_legacy:
        errors.append(make_audit_issue(error_cat, 'EXISTS', 'LEGACY'))
    return errors
def _acl_max_owners(self, acl_list, error_cat='ACL'):
    """
    Looks for Max OWNERS in acl.

    Counts entries whose 'role' is 'OWNER' and reports one issue when the
    count exceeds gcp_config.MAX_OWNERS_PER_BUCKET. A falsy limit
    (0/None) disables the check.

    acl_list: iterable of dicts with a 'role' key.
    error_cat: issue category passed to make_audit_issue.
    return: [list of AuditIssues]
    """
    limit = self.gcp_config.MAX_OWNERS_PER_BUCKET
    if not limit:
        return []
    owner_role = 'OWNER'
    owner_count = sum(1 for acl in acl_list if acl.get('role') == owner_role)
    if owner_count <= limit:
        return []
    return [make_audit_issue(error_cat, 'MAX', owner_role)]
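def inspect_acl(self, item):
    """
    Driver for Bucket ACL. Calls helpers as needed.

    Runs the allUsers and max-owners checks over item.config['Acl'].
    A bucket with no ACL list is itself reported as a 'NOT FOUND' issue.
    NOTE(review): buckets configured for uniform bucket-level access do not
    expose a per-object ACL list, so they would land in that branch --
    confirm that is the intended result.

    item: audited object exposing a `config` dict.
    return: (bool, [list of AuditIssues]); (True, None) when no helper
        produced a finding.
    """
    acl = item.config.get('Acl')
    if not acl:
        return (False, [make_audit_issue("ACL", 'FOUND', "NOT")])
    errors_acl = []
    for check in (self._acl_allusers_exists, self._acl_max_owners):
        # Helpers return a (possibly empty) list; `or []` also tolerates None.
        errors_acl.extend(check(acl, 'ACL') or [])
    if errors_acl:
        return (False, errors_acl)
    return (True, None)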
def _acl_max_owners(self, acl_list, error_cat='ACL'):
    """
    Looks for Max OWNERS in acl.

    acl_list: iterable of dicts with a 'role' key.
    error_cat: issue category passed to make_audit_issue.
    return: [list of AuditIssues] -- one issue when the number of 'OWNER'
        entries exceeds gcp_config.MAX_OWNERS_PER_BUCKET; empty when the
        limit is falsy (check disabled) or not exceeded.
    """
    errors = []
    max_owners = self.gcp_config.MAX_OWNERS_PER_BUCKET
    # A falsy limit means the check is switched off.
    if max_owners:
        owner_role = 'OWNER'
        roles = [acl.get('role') for acl in acl_list]
        if roles.count(owner_role) > max_owners:
            errors.append(make_audit_issue(error_cat, 'MAX', owner_role))
    return errors
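def inspect_default_object_acl(self, item):
    """
    Driver for Default Object ACL. Calls helpers as needed.

    Runs the allUsers and max-owners checks over
    item.config['DefaultObjectAcl'] under the 'DEFAULT_OBJECT_ACL'
    category. A missing default object ACL is itself reported.

    item: audited object exposing a `config` dict.
    return: (bool, [list of AuditIssues]); (True, None) when no helper
        produced a finding.
    """
    category = 'DEFAULT_OBJECT_ACL'
    def_obj_acl = item.config.get('DefaultObjectAcl')
    if not def_obj_acl:
        return (False, [make_audit_issue(category, 'FOUND', "NOT")])
    errors_acl = []
    for check in (self._acl_allusers_exists, self._acl_max_owners):
        # Helpers return a (possibly empty) list; `or []` also tolerates None.
        errors_acl.extend(check(def_obj_acl, category) or [])
    if errors_acl:
        return (False, errors_acl)
    return (True, None)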