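def check_internet_scheme(self, elb_item):
    """Alert when an ELB has an "internet-facing" scheme.

    An EC2-Classic ELB (no ``vpc_id``) is flagged as soon as its scheme is
    ``internet-facing``.  A VPC ELB is only flagged when one of its attached
    security groups has an ingress rule whose ``cidr_ip`` is neither
    classified as RFC 1918 by ``_check_rfc_1918`` nor accepted by
    ``_check_inclusion_in_network_whitelist``; the group name and the
    offending CIDRs are recorded in the issue notes.

    :param elb_item: item whose ``config`` dict carries ``scheme``,
        ``vpc_id`` and ``security_groups``.
    """
    scheme = elb_item.config.get('scheme', None)
    if scheme != u"internet-facing":
        return

    vpc = elb_item.config.get('vpc_id', None)
    if not vpc:
        self.add_issue(1, 'ELB is Internet accessible.', elb_item)
        return

    # VPC ELB: inspect each attached security group for ingress from
    # addresses that are neither private (RFC 1918) nor whitelisted.
    for sgid in elb_item.config.get('security_groups', []):
        # NOTE(review): this is a substring ILIKE match, so an id that is a
        # prefix of another id (or LIKE wildcards inside the id) can select
        # the wrong row -- confirm the Item.name format before tightening.
        sg = Item.query.filter(Item.name.ilike('%' + sgid + '%')).first()
        if not sg or not sg.revisions:
            # The group may be new and not yet in the DB, or have no
            # recorded revision yet; skip it instead of failing the check.
            continue

        config = sg.revisions[0].config
        sg_cidrs = []
        for rule in config.get('rules', []):
            cidr = rule.get('cidr_ip', '')
            if rule.get('rule_type', None) != 'ingress' or not cidr:
                continue
            # Only `cidr_ip` is inspected; if the schema carries IPv6 ranges
            # under a different key they are not examined here.
            if _check_rfc_1918(cidr):
                continue
            if self._check_inclusion_in_network_whitelist(cidr):
                continue
            sg_cidrs.append(cidr)

        if sg_cidrs:
            notes = 'SG [{sgname}] via [{cidr}]'.format(
                sgname=sg.name,
                cidr=', '.join(sg_cidrs)
            )
            self.add_issue(1, 'VPC ELB is Internet accessible.', elb_item, notes=notes)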
def check_rds_ec2_rfc1918(self, sg_item):
    """Alert if a non-VPC RDS security group contains RFC 1918 CIDRs.

    Groups that belong to a VPC are skipped.  For an EC2-Classic group,
    every ``ip_ranges`` entry whose ``cidr_ip`` is classified as RFC 1918
    by ``_check_rfc_1918`` raises one issue, with the CIDR in the notes.

    :param sg_item: item whose ``config`` dict carries ``vpc_id`` and
        ``ip_ranges``.
    """
    if sg_item.config.get("vpc_id", None):
        return

    message = "Non-VPC RDS Security Group contains private RFC-1918 CIDR"
    candidate_cidrs = (
        ipr.get("cidr_ip", None)
        for ipr in sg_item.config.get("ip_ranges", [])
    )
    for cidr in candidate_cidrs:
        # Skip empty entries before consulting the RFC 1918 classifier.
        if not cidr or not _check_rfc_1918(cidr):
            continue
        self.add_issue(8, message, sg_item, notes=cidr)
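def check_internet_scheme(self, elb_item):
    """Alert when an ELB has an "internet-facing" scheme.

    An EC2-Classic ELB (no ``vpc_id``) is flagged as soon as its scheme is
    ``internet-facing``.  A VPC ELB is only flagged when one of its attached
    security groups has an ingress rule whose ``cidr_ip`` is neither
    classified as RFC 1918 by ``_check_rfc_1918`` nor accepted by
    ``_check_inclusion_in_network_whitelist``; the group name and the
    offending CIDRs are recorded in the issue notes.

    :param elb_item: item whose ``config`` dict carries ``scheme``,
        ``vpc_id`` and ``security_groups``.
    """
    scheme = elb_item.config.get('scheme', None)
    if scheme != u"internet-facing":
        return

    vpc = elb_item.config.get('vpc_id', None)
    if not vpc:
        self.add_issue(1, 'ELB is Internet accessible.', elb_item)
        return

    # VPC ELB: inspect each attached security group for ingress from
    # addresses that are neither private (RFC 1918) nor whitelisted.
    for sgid in elb_item.config.get('security_groups', []):
        # NOTE(review): this is a substring ILIKE match, so an id that is a
        # prefix of another id (or LIKE wildcards inside the id) can select
        # the wrong row -- confirm the Item.name format before tightening.
        sg = Item.query.filter(Item.name.ilike('%' + sgid + '%')).first()
        if not sg or not sg.revisions:
            # The group may be new and not yet in the DB, or have no
            # recorded revision yet; skip it instead of failing the check.
            continue

        config = sg.revisions[0].config
        sg_cidrs = []
        for rule in config.get('rules', []):
            cidr = rule.get('cidr_ip', '')
            if rule.get('rule_type', None) != 'ingress' or not cidr:
                continue
            # Only `cidr_ip` is inspected; if the schema carries IPv6 ranges
            # under a different key they are not examined here.
            if _check_rfc_1918(cidr):
                continue
            if self._check_inclusion_in_network_whitelist(cidr):
                continue
            sg_cidrs.append(cidr)

        if sg_cidrs:
            notes = 'SG [{sgname}] via [{cidr}]'.format(
                sgname=sg.name,
                cidr=', '.join(sg_cidrs)
            )
            self.add_issue(1, 'VPC ELB is Internet accessible.', elb_item, notes=notes)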