 def test_expand_port_ranges_invalid_port_in_port_range(self):
     """A non-numeric bound inside a range must raise PortRangeError."""
     bad_ranges = ['8080a-8089']
     self.assertRaises(util.PortRangeError, util.expand_port_ranges, bad_ranges)
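    def eval(self, record):
        """Evaluate a firewall rule record for insecurely exposed ports.

        A ``firewall_rule_event`` record is yielded only when the rule is
        an enabled, inbound, allow rule for TCP (or all protocols) whose
        source addresses include ``0.0.0.0/0`` and whose destination
        ports intersect ``self._ports``. Any other record yields nothing.

        Arguments:
            record (dict): A firewall rule record.

        Yields:
            dict: An event record representing an insecurely exposed port.

        """
        com = record.get('com')
        if com is None:
            # A record without a 'com' bucket is malformed; report and skip.
            _log.warning('Firewall rule record is missing com key: %r', record)
            return

        # Only enabled, inbound, allow rules for TCP (or all protocols)
        # can expose a TCP port to the Internet; ignore everything else.
        if com.get('record_type') != 'firewall_rule':
            return
        if not com.get('enabled'):
            return
        if com.get('direction') != 'in':
            return
        if com.get('access') != 'allow':
            return
        if com.get('protocol') not in ('tcp', 'all'):
            return

        # Only rules open to the entire Internet are of interest. A
        # missing or null 'source_addresses' is treated as "not open to
        # the world" instead of raising TypeError on the membership test.
        # NOTE(review): only the IPv4 wildcard is recognised here; an
        # IPv6 wildcard such as '::/0' would not trigger an event —
        # confirm whether upstream records can carry one.
        source_addresses = com.get('source_addresses') or []
        if '0.0.0.0/0' not in source_addresses:
            return

        # Ports in self._ports that this rule exposes. A missing or null
        # 'destination_ports' exposes nothing.
        port_ranges = com.get('destination_ports') or []
        expanded_ports = util.expand_port_ranges(port_ranges)
        exposed_ports = self._ports.intersection(expanded_ports)
        if not exposed_ports:
            return

        # A sorted list keeps the event deterministic and readable.
        exposed_ports = sorted(exposed_ports)

        # Human-friendly plain English description of the event along
        # with a recommendation.
        friendly_cloud_type = util.friendly_string(com.get('cloud_type'))
        port_label = util.pluralize(len(exposed_ports), 'port')
        friendly_exposed_ports = util.friendly_list(exposed_ports)
        reference = com.get('reference')
        description = (
            '{} firewall rule {} exposes {} {} to the entire Internet.'.format(
                friendly_cloud_type, reference, port_label,
                friendly_exposed_ports))
        recommendation = (
            'Check {} firewall rule {} and update rules to restrict '
            'access to {} {}.'.format(friendly_cloud_type, reference,
                                      port_label, friendly_exposed_ports))

        # Preserve the extended properties from the firewall rule record
        # because they help locate the rule that led to the event — but
        # copy them: 'record_type' is overwritten below, and doing that
        # on the caller's own 'ext' dict would silently corrupt the
        # source record.
        ext = dict(record.get('ext') or {})
        ext['record_type'] = 'firewall_rule_event'

        event_record = {
            'ext': ext,
            'com': {
                'cloud_type': com.get('cloud_type'),
                'record_type': 'firewall_rule_event',
                'exposed_ports': exposed_ports,
                'reference': reference,
                'description': description,
                'recommendation': recommendation,
            }
        }

        _log.info('Generating firewall_rule_event; %r', event_record)
        yield event_record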
 def test_expand_port_ranges_empty_range(self):
     """A range whose lower bound exceeds its upper bound yields no ports."""
     expected = set()
     self.assertEqual(util.expand_port_ranges(['81-80']), expected)
 def test_expand_port_ranges_single_port_range(self):
     """A range with equal bounds expands to exactly that one port."""
     expected = {80}
     self.assertEqual(util.expand_port_ranges(['80-80']), expected)
 def test_expand_port_ranges_overlapping_ranges(self):
     """Overlapping ranges are merged into one contiguous set of ports."""
     expected = set(range(80, 100))
     result = util.expand_port_ranges(['80-89', '85-99'])
     self.assertEqual(result, expected)
 def test_expand_port_ranges_all(self):
     """The full 0-65535 range expands to every valid port number."""
     expected = set(range(65536))
     result = util.expand_port_ranges(['0-65535'])
     self.assertEqual(result, expected)
 def test_expand_port_ranges_single_range(self):
     """A single range expands to the inclusive set of its ports."""
     expected = set(range(80, 90))
     self.assertEqual(util.expand_port_ranges(['80-89']), expected)
 def test_expand_port_ranges_duplicate_port_numbers(self):
     """Repeated port entries collapse into a single set member."""
     result = util.expand_port_ranges(['80', '80'])
     self.assertEqual(result, {80})
 def test_expand_port_ranges_empty_list(self):
     """An empty list of ranges expands to an empty set."""
     result = util.expand_port_ranges([])
     self.assertEqual(result, set())
 def test_expand_port_ranges_invalid_port_in_port_range(self):
     """A range with a non-numeric bound is skipped; valid ranges still expand."""
     expected = set(range(7070, 7076))
     result = util.expand_port_ranges(['7070-7075', '808a-8085'])
     self.assertEqual(result, expected)
 def test_expand_port_ranges_invalid_port_range(self):
     """A non-numeric single port is skipped; the valid ports still expand."""
     expected = {8080, 8082}
     result = util.expand_port_ranges(['8080', '8081a', '8082'])
     self.assertEqual(result, expected)