def _get_azure_vm_blacklisted_extension_event(com, ext, blacklisted): """Evaluate Azure VM for blacklisted extensions. Arguments: com (dict): Virtual machine record `com` bucket ext (dict): Virtual machine record `ext` bucket blacklisted (list): Added blacklisted extension list Returns: dict: An event record representing VM with blacklisted extenstions """ if not blacklisted: return friendly_cloud_type = util.friendly_string(com.get('cloud_type')) reference = com.get('reference') description = ( '{} virtual machine {} has blacklisted extensions {}'.format( friendly_cloud_type, reference, util.friendly_list(blacklisted))) recommendation = ( 'Check {} virtual machine {} and remove blacklisted extensions {}'. format(friendly_cloud_type, reference, util.friendly_list(blacklisted))) event_record = { # Preserve the extended properties from the virtual # machine record because they provide useful context to # locate the virtual machine that led to the event. 'ext': util.merge_dicts(ext, {'record_type': 'vm_blacklisted_extension_event'}), 'com': { 'cloud_type': com.get('cloud_type'), 'record_type': 'vm_blacklisted_extension_event', 'reference': reference, 'description': description, 'recommendation': recommendation, } } _log.info('Generating vm_blacklisted_extension_event; %r', event_record) yield event_record
def _get_log_profile_missing_location_event(com, ext, missing_locations): """Generate log profile missing category type event. Arguments: com (dict): Log profile record `com` bucket ext (dict): Log profile record `ext` bucket missing_locations (set): Missing location set Returns: dict: An event record representing log profile which is not enabled for all locations. """ friendly_cloud_type = util.friendly_string(com.get('cloud_type')) reference = com.get('reference') description = ('{} log profile {} does not include locations {}.'.format( friendly_cloud_type, reference, util.friendly_list(missing_locations))) recommendation = ( 'Check {} log profile {} and enable locations {}.'.format( friendly_cloud_type, reference, util.friendly_list(missing_locations))) event_record = { # Preserve the extended properties from the log profile # record because they provide useful context to locate # the log profile that led to the event. 'ext': util.merge_dicts( ext, { 'record_type': 'log_profile_missing_location_event', 'missing_locations': missing_locations }), 'com': { 'cloud_type': com.get('cloud_type'), 'record_type': 'log_profile_missing_location_event', 'reference': reference, 'description': description, 'recommendation': recommendation, } } _log.info('Generating log_profile_missing_location_event; %r', event_record) return event_record
def eval(self, record): """Evaluate firewall rules to check for insecurely exposed ports. Arguments: record (dict): A firewall rule record. Yields: dict: An event record representing an insecurely exposed port. """ # If 'com' bucket is missing, we have a malformed record. Log a # warning and ignore it. com = record.get('com') if com is None: _log.warning('Firewall rule record is missing com key: %r', record) return # This plugin understands firewall rule records only, so ignore # any other record types. common_record_type = com.get('record_type') if common_record_type != 'firewall_rule': return # Ignore disabled firewall rule. if not com.get('enabled'): return # If the rule is not an ingress/inbound rule, ignore it. if com.get('direction') != 'in': return # If the rule is not an allow rule, ignore it. if com.get('access') != 'allow': return # If the rule is not a TCP port rule, ignore it. if com.get('protocol') not in ('tcp', 'all'): return # If the rule does not expose ports to the entire Internet, # ignore it. if '0.0.0.0/0' not in com.get('source_addresses'): return # Find the set of ports in self._ports that are exposed by the # firewall rule record. port_ranges = com.get('destination_ports') expanded_ports = util.expand_port_ranges(port_ranges) exposed_ports = self._ports.intersection(expanded_ports) # If there are no insecurely exposed ports, we do not need to # generate an event. if exposed_ports == set(): return # Convert the set of ports to a sorted list of ports. exposed_ports = sorted(list(exposed_ports)) # Human-friendly plain English description of the event along # with a recommendation. friendly_cloud_type = util.friendly_string(com.get('cloud_type')) port_label = util.pluralize(len(exposed_ports), 'port') friendly_exposed_ports = util.friendly_list(exposed_ports) reference = com.get('reference') description = ( '{} firewall rule {} exposes {} {} to the entire Internet.'.format( friendly_cloud_type, reference, port_label, friendly_exposed_ports)) recommendation = ( 'Check {} firewall rule {} and update rules to restrict ' 'access to {} {}.'.format(friendly_cloud_type, reference, port_label, friendly_exposed_ports)) event_record = { # Preserve the extended properties from the firewall # rule record because they provide useful context to # locate the firewall rule that led to the event. 'ext': record.get('ext', {}), 'com': { 'cloud_type': com.get('cloud_type'), 'record_type': 'firewall_rule_event', 'exposed_ports': exposed_ports, 'reference': reference, 'description': description, 'recommendation': recommendation, } } # Set the extended record type. event_record['ext']['record_type'] = 'firewall_rule_event' _log.info('Generating firewall_rule_event; %r', event_record) yield event_record
def test_friendly_list_three_items_conjunction(self): s = util.friendly_list(['apple', 'ball', 'cat'], 'or') self.assertEqual(s, 'apple, ball, or cat')
def test_friendly_list_two_items_conjunction(self): s = util.friendly_list(['apple', 'ball'], 'or') self.assertEqual(s, 'apple or ball')
def test_friendly_list_three_items(self): s = util.friendly_list(['apple', 'ball', 'cat']) self.assertEqual(s, 'apple, ball, and cat')
def test_friendly_list_two_items(self): s = util.friendly_list(['apple', 'ball']) self.assertEqual(s, 'apple and ball')
def test_friendly_list_one_item(self): s = util.friendly_list(['apple']) self.assertEqual(s, 'apple')
def test_friendly_list_zero_items(self): s = util.friendly_list([]) self.assertEqual(s, 'none')