def check_internet_scheme(self, elb_item):
"""
alert when an ELB has an "internet-facing" scheme.
"""
scheme = elb_item.config.get('scheme', None)
vpc = elb_item.config.get('vpc_id', None)
if scheme and scheme == u"internet-facing" and not vpc:
self.add_issue(1, 'ELB is Internet accessible.', elb_item)
elif scheme and scheme == u"internet-facing" and vpc:
# Grab each attached security group and determine if they contain
# a public IP
security_groups = elb_item.config.get('security_groups', [])
sg_items = self.get_watcher_support_items(SecurityGroup.index, elb_item.account)
for sgid in security_groups:
for sg in sg_items:
if sg.config.get('id') == sgid:
sg_cidrs = []
for rule in sg.config.get('rules', []):
cidr = rule.get('cidr_ip', '')
if rule.get('rule_type', None) == 'ingress' and cidr:
if not check_rfc_1918(cidr) and not self._check_inclusion_in_network_whitelist(cidr):
sg_cidrs.append(cidr)
if sg_cidrs:
notes = 'SG [{sgname}] via [{cidr}]'.format(
sgname=sg.name,
cidr=', '.join(sg_cidrs)
)
self.add_issue(1, 'VPC ELB is Internet accessible.', elb_item, notes=notes)
break
def check_internet_scheme(self, elb_item):
"""
alert when an ELB has an "internet-facing" scheme.
"""
scheme = elb_item.config.get("scheme", None)
vpc = elb_item.config.get("vpc_id", None)
if scheme and scheme == u"internet-facing" and not vpc:
self.add_issue(1, "ELB is Internet accessible.", elb_item)
elif scheme and scheme == u"internet-facing" and vpc:
# Grab each attached security group and determine if they contain
# a public IP
security_groups = elb_item.config.get("security_groups", [])
for sgid in security_groups:
# shouldn't be more than one with that ID.
sg = Item.query.filter(Item.name.ilike("%" + sgid + "%")).first()
if not sg:
# It's possible that the security group is new and not yet in the DB.
continue
sg_cidrs = []
config = sg.revisions[0].config
for rule in config.get("rules", []):
cidr = rule.get("cidr_ip", "")
if rule.get("rule_type", None) == "ingress" and cidr:
if not check_rfc_1918(cidr) and not self._check_inclusion_in_network_whitelist(cidr):
sg_cidrs.append(cidr)
if sg_cidrs:
notes = "SG [{sgname}] via [{cidr}]".format(sgname=sg.name, cidr=", ".join(sg_cidrs))
self.add_issue(1, "VPC ELB is Internet accessible.", elb_item, notes=notes)
def check_rds_ec2_rfc1918(self, sg_item):
"""
alert if non-vpc RDS SG contains RFC1918 CIDRS
"""
tag = "Non-VPC RDS Security Group contains private RFC-1918 CIDR"
severity = 8
if sg_item.config.get("vpc_id", None):
return
for ipr in sg_item.config.get("ip_ranges", []):
cidr = ipr.get("cidr_ip", None)
if cidr and check_rfc_1918(cidr):
self.add_issue(severity, tag, sg_item, notes=cidr)
def check_rds_ec2_rfc1918(self, sg_item):
"""
alert if non-vpc RDS SG contains RFC1918 CIDRS
"""
tag = "Non-VPC RDS Security Group contains private RFC-1918 CIDR"
severity = 8
if sg_item.config.get("vpc_id", None):
return
for ipr in sg_item.config.get("ip_ranges", []):
cidr = ipr.get("cidr_ip", None)
if cidr and check_rfc_1918(cidr):
self.add_issue(severity, tag, sg_item, notes=cidr)
def check_securitygroup_ec2_rfc1918(self, sg_item):
"""
alert if EC2 SG contains RFC1918 CIDRS
"""
tag = "Non-VPC Security Group contains private RFC-1918 CIDR"
severity = 5
if sg_item.config.get("vpc_id", None):
return
multiplier = _check_empty_security_group(sg_item)
for rule in sg_item.config.get("rules", []):
cidr = rule.get("cidr_ip", None)
if cidr and check_rfc_1918(cidr):
self.add_issue(severity * multiplier, tag, sg_item, notes=cidr)
def check_for_public_zone_with_private_records(self, route53_item):
"""
alert when a public zone has private records.
"""
if not route53_item.config.get('zoneprivate'):
for r in route53_item.config.get('records'):
for regex in self.internal_record_regex:
if re.match(regex, str(r)):
notes = ", ".join(route53_item.config.get('records'))
self.add_issue(1, 'Route53 public zone contains private record.', route53_item, notes=notes)
try:
if check_rfc_1918(r):
notes = ", ".join(route53_item.config.get('records'))
self.add_issue(1, 'Route53 public zone contains private record.', route53_item, notes=notes)
except:
# non IP's will throw an exception and that's okay.
pass
def check_internet_scheme(self, elb_item):
"""
alert when an ELB has an "internet-facing" scheme.
"""
scheme = elb_item.config.get('scheme', None)
vpc = elb_item.config.get('vpc_id', None)
if scheme and scheme == u"internet-facing" and not vpc:
self.add_issue(1, 'ELB is Internet accessible.', elb_item)
elif scheme and scheme == u"internet-facing" and vpc:
# Grab each attached security group and determine if they contain
# a public IP
security_groups = elb_item.config.get('security_groups', [])
sg_items = self.get_watcher_support_items(SecurityGroup.index,
elb_item.account)
for sgid in security_groups:
for sg in sg_items:
if sg.config.get('id') == sgid:
sg_cidrs = []
for rule in sg.config.get('rules', []):
cidr = rule.get('cidr_ip', '')
if rule.get('rule_type',
None) == 'ingress' and cidr:
if not check_rfc_1918(
cidr
) and not self._check_inclusion_in_network_whitelist(
cidr):
sg_cidrs.append(cidr)
if sg_cidrs:
notes = 'SG [{sgname}] via [{cidr}]'.format(
sgname=sg.name, cidr=', '.join(sg_cidrs))
self.add_issue(1,
'VPC ELB is Internet accessible.',
elb_item,
notes=notes)
break
