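def run(self, aws_config):
    """Evaluate every enabled rule of this ruleset against ``aws_config``.

    For each rule a result entry is created under
    ``aws_config['services'][<service>][<ruleset.rule_type>][<rule.key>]``
    holding the rule metadata (description, path and, when the rule has
    them, level / id_suffix / display_path), the ``items`` returned by
    ``recurse`` and the ``checked_items`` / ``flagged_items`` counters.

    :param aws_config: Scout2 configuration dict; ``aws_config['services']``
                       is both walked by ``recurse`` and written to.

    A failure while evaluating one rule is logged and that rule's entry is
    left with zeroed counters and an empty ``items`` list (``flagged_items``
    is defined as ``len(items)``, so the key must exist), so that report
    creation and the data dump still complete. Rules with ``enabled`` false
    are skipped entirely and get no entry.
    """
    rule_type = self.ruleset.rule_type
    for finding_path in self.rules:
        for rule in self.rules[finding_path]:
            if not rule.enabled:  # or rule.service not in []: # TODO: handle this...
                continue
            printDebug('Processing %s rule[%s]: "%s"' % (rule.service, rule.filename, rule.description))
            # The rule's own path (not the dict key) decides where results land.
            path = rule.path.split('.')
            service = path[0]
            manage_dictionary(aws_config['services'][service], rule_type, {})
            # 'entry' aliases the dict stored inside aws_config, so every
            # write below is visible to whoever consumes aws_config later.
            entry = {}
            aws_config['services'][service][rule_type][rule.key] = entry
            entry['description'] = rule.description
            entry['path'] = rule.path
            for attr in ['level', 'id_suffix', 'display_path']:
                if hasattr(rule, attr):
                    entry[attr] = getattr(rule, attr)
            try:
                # Reset the per-rule counter before the walk; it is read back
                # after recurse() returns (presumably recurse increments it).
                setattr(rule, 'checked_items', 0)
                entry['items'] = recurse(aws_config['services'], aws_config['services'], path, [], rule, True)
                entry['dashboard_name'] = rule.dashboard_name
                entry['checked_items'] = rule.checked_items
                entry['flagged_items'] = len(entry['items'])
                entry['service'] = rule.service
                entry['rationale'] = rule.rationale if hasattr(rule, 'rationale') else 'N/A'
            except Exception as e:
                printException(e)
                printError('Failed to process rule defined in %s' % rule.filename)
                # Fallback if process rule failed to ensure report creation and data dump still happen.
                # 'items' is missing when recurse() itself raised, so provide an empty list
                # consistent with flagged_items == 0.
                entry.setdefault('items', [])
                entry['checked_items'] = 0
                entry['flagged_items'] = 0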
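def analyze(self, aws_config):
    """Run every rule of this ruleset against ``aws_config``.

    :param aws_config: Scout2 configuration dict; ``aws_config['services']``
                       is walked by ``recurse`` and receives, per rule, an
                       entry under ``[<service>][<rule_type>][<rule>]`` with
                       the rule metadata, the flagged ``items`` and the
                       ``checked_items`` / ``flagged_items`` counters.

    Rules here are plain dicts (``self.rules[finding_path][rule]``).
    ``level`` is required when ``self.rule_type == 'findings'`` and is read
    outside the try block, so a finding without it aborts the whole run.
    A rule that fails while being evaluated is logged and left with zeroed
    counters and an empty ``items`` list so that report creation and the
    data dump still complete.
    """
    printInfo('Analyzing AWS config...')
    # TODO: reset violations for all services in scope (maybe this can be done somewhere else (e.g. loading)
    rule_type = self.rule_type
    for finding_path in self.rules:
        path = finding_path.split('.')
        service = path[0]
        for rule in self.rules[finding_path]:
            definition = self.rules[finding_path][rule]
            printDebug('Processing %s rule[%s]: "%s"' % (service, rule_type[:-1], definition['description']))
            manage_dictionary(aws_config['services'][service], rule_type, {})
            # 'entry' aliases the dict stored inside aws_config.
            entry = {}
            aws_config['services'][service][rule_type][rule] = entry
            entry['description'] = definition['description']
            entry['path'] = definition['path']
            if rule_type == 'findings':
                entry['level'] = definition['level']
                for attr in ['id_suffix', 'display_path']:
                    if attr in definition:
                        entry[attr] = definition[attr]
            try:
                entry['items'] = recurse(aws_config['services'], aws_config['services'], path, [], definition, True)
                entry['dashboard_name'] = definition['dashboard_name'] if 'dashboard_name' in definition else '??'
                entry['checked_items'] = definition['checked_items'] if 'checked_items' in definition else 0
                entry['flagged_items'] = len(entry['items'])
                entry['service'] = service
                entry['rationale'] = definition['rationale'] if 'rationale' in definition else 'N/A'
            except Exception as e:
                printError('Failed to process rule defined in %s.json' % rule)
                # Fallback if process rule failed to ensure report creation and data dump still happen.
                # 'items' is missing when recurse() itself raised; keep it consistent with flagged_items == 0.
                entry.setdefault('items', [])
                entry['checked_items'] = 0
                entry['flagged_items'] = 0
                printException(e)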
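def run(self, aws_config, skip_dashboard=False):
    """Evaluate every enabled rule of this ruleset against ``aws_config``.

    Existing results of this ruleset's type are first cleared for every
    service in ``aws_config['services']``. Then, for each enabled rule, an
    entry is created under
    ``aws_config['services'][<service>][<ruleset.rule_type>][<rule.key>]``
    with the rule metadata and the ``items`` returned by ``recurse``.

    :param aws_config: Scout2 configuration dict; ``aws_config['services']``
                       is both walked by ``recurse`` and written to.
    :param skip_dashboard: when true, stop after computing ``items`` for a
                           rule; the dashboard fields (dashboard_name,
                           checked_items, flagged_items, service, rationale)
                           are not written for it.

    A failure while evaluating one rule is logged and that rule's entry is
    left with zeroed counters and an empty ``items`` list so that report
    creation and the data dump still complete.
    """
    rule_type = self.ruleset.rule_type

    # Clean up existing findings
    for service in aws_config['services']:
        aws_config['services'][service][rule_type] = {}

    # Process each rule
    for finding_path in self.rules:
        for rule in self.rules[finding_path]:
            if not rule.enabled:  # or rule.service not in []: # TODO: handle this...
                continue
            printDebug('Processing %s rule[%s]: "%s"' % (rule.service, rule.filename, rule.description))
            # The rule's own path (not the dict key) decides where results land.
            path = rule.path.split('.')
            service = path[0]
            manage_dictionary(aws_config['services'][service], rule_type, {})
            # 'entry' aliases the dict stored inside aws_config.
            entry = {}
            aws_config['services'][service][rule_type][rule.key] = entry
            entry['description'] = rule.description
            entry['path'] = rule.path
            for attr in ['level', 'id_suffix', 'display_path']:
                if hasattr(rule, attr):
                    entry[attr] = getattr(rule, attr)
            try:
                # Reset the per-rule counter before the walk; it is read back
                # after recurse() returns (presumably recurse increments it).
                setattr(rule, 'checked_items', 0)
                entry['items'] = recurse(aws_config['services'], aws_config['services'], path, [], rule, True)
                if skip_dashboard:
                    continue
                entry['dashboard_name'] = rule.dashboard_name
                entry['checked_items'] = rule.checked_items
                entry['flagged_items'] = len(entry['items'])
                entry['service'] = rule.service
                entry['rationale'] = rule.rationale if hasattr(rule, 'rationale') else 'N/A'
            except Exception as e:
                printException(e)
                printError('Failed to process rule defined in %s' % rule.filename)
                # Fallback if process rule failed to ensure report creation and data dump still happen.
                # 'items' is missing when recurse() itself raised; keep it consistent with flagged_items == 0.
                entry.setdefault('items', [])
                entry['checked_items'] = 0
                entry['flagged_items'] = 0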
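def main():
    """Entry point of the ``listall`` command.

    For each requested profile: load the Scout2 report, build a single rule
    from the rule file given with ``--config``, decide which keys to print
    (CLI keys, key files, the bundled default for the rule's path, or just
    ``name``), walk ``aws_config['services']`` with ``recurse`` and print the
    formatted resources.

    Returns 42 when the opinel requirements check fails or when no rule
    configuration was provided; otherwise returns ``None``.
    """
    # Parse arguments
    parser = ListallArgumentParser()
    args = parser.parse_args()

    # Configure the debug level
    configPrintException(args.debug)

    # Check version of opinel
    if not check_requirements(os.path.realpath(__file__)):
        return 42

    # Support multiple environments
    for profile_name in args.profile:

        # Load the config
        report = Scout2Report(profile_name, args.report_dir, args.timestamp)
        aws_config = report.jsrw.load_from_file(AWSCONFIG)
        services = aws_config['service_list']

        # Create a ruleset with only whatever rules were specified...
        if args.config:
            ruleset = Ruleset(filename='sample', load_rules=False)
            ruleset.ruleset['rules'][0]['filename'] = args.config
            ruleset.init_rules(services, args.ip_ranges, '', False)
            # aws_config['aws_account_id, False) # Need to set the arguments values args.config_args
        else:
            # TODO: build the rule from --conditions / --mapping. Until that
            # exists a rule file is mandatory; fail explicitly instead of
            # hitting an undefined 'ruleset' below.
            printError('No rule configuration provided; use --config.')
            return 42

        # Get single rule... TODO: clean
        # next(iter(...)) rather than .keys()[0]: dict views are not indexable on Python 3.
        tmp = ruleset.rules.pop(next(iter(ruleset.rules)))
        rule = tmp.pop(next(iter(tmp)))

        # Set the keys to output
        if len(args.keys):
            # 1. Explicitly provided on the CLI
            rule['keys'] = args.keys
        elif len(args.keys_file):
            # 2. Explicitly provided files that contain the list of keys
            rule['keys'] = []
            for filename in args.keys_file:
                with open(filename, 'rt') as f:
                    rule['keys'] += json.load(f)['keys']
        else:
            try:
                # 3. Load default set of keys based on path. The lookup uses the
                # rule itself (the former 'config' name was never defined, so this
                # branch always fell through to the fallback). The path is taken
                # from the operator-supplied rule file and resolved relative to
                # the current working directory.
                target_path = rule['display_path'] if 'display_path' in rule else rule['path']
                with open('listall-configs/%s.json' % target_path) as f:
                    rule['keys'] = json.load(f)['keys']
            except (IOError, OSError, KeyError, ValueError):
                # 4. Print the object name (no default key file, or it is unreadable / malformed)
                rule['keys'] = ['name']

        # Recursion
        if len(args.path):
            rule['path'] = args.path[0]
        target_path = rule['path'].split('.')
        current_path = []
        resources = recurse(aws_config['services'], aws_config['services'], target_path, current_path, rule)

        # Prepare the output format ('foo' is passed through as-is; its role is
        # decided by format_listall_output)
        (lines, template) = format_listall_output(args.format_file, 'foo', args.format, rule)

        # Print the output
        printInfo(generate_listall_output(lines, resources, aws_config, template, []))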