Пример #1
0
    def check_internet_scheme(self, elb_item):
        """
        alert when an ELB has an "internet-facing" scheme.
        """
        scheme = elb_item.config.get('scheme', None)
        vpc = elb_item.config.get('vpc_id', None)
        if scheme and scheme == u"internet-facing" and not vpc:
            self.add_issue(1, 'ELB is Internet accessible.', elb_item)
        elif scheme and scheme == u"internet-facing" and vpc:
            # Grab each attached security group and determine if they contain
            # a public IP
            security_groups = elb_item.config.get('security_groups', [])
            sg_items = self.get_watcher_support_items(SecurityGroup.index, elb_item.account)
            for sgid in security_groups:
                for sg in sg_items:
                    if sg.config.get('id') == sgid:
                        sg_cidrs = []
                        for rule in sg.config.get('rules', []):
                            cidr = rule.get('cidr_ip', '')
                            if rule.get('rule_type', None) == 'ingress' and cidr:
                                if not check_rfc_1918(cidr) and not self._check_inclusion_in_network_whitelist(cidr):
                                    sg_cidrs.append(cidr)

                        if sg_cidrs:
                            notes = 'SG [{sgname}] via [{cidr}]'.format(
                                sgname=sg.name,
                                cidr=', '.join(sg_cidrs)
                            )
                            self.add_issue(1, 'VPC ELB is Internet accessible.', elb_item, notes=notes)
                        break
Пример #2
0
    def check_internet_scheme(self, elb_item):
        """
        alert when an ELB has an "internet-facing" scheme.
        """
        scheme = elb_item.config.get("scheme", None)
        vpc = elb_item.config.get("vpc_id", None)
        if scheme and scheme == u"internet-facing" and not vpc:
            self.add_issue(1, "ELB is Internet accessible.", elb_item)
        elif scheme and scheme == u"internet-facing" and vpc:
            # Grab each attached security group and determine if they contain
            # a public IP
            security_groups = elb_item.config.get("security_groups", [])
            for sgid in security_groups:
                # shouldn't be more than one with that ID.
                sg = Item.query.filter(Item.name.ilike("%" + sgid + "%")).first()
                if not sg:
                    # It's possible that the security group is new and not yet in the DB.
                    continue

                sg_cidrs = []
                config = sg.revisions[0].config
                for rule in config.get("rules", []):
                    cidr = rule.get("cidr_ip", "")
                    if rule.get("rule_type", None) == "ingress" and cidr:
                        if not check_rfc_1918(cidr) and not self._check_inclusion_in_network_whitelist(cidr):
                            sg_cidrs.append(cidr)
                if sg_cidrs:
                    notes = "SG [{sgname}] via [{cidr}]".format(sgname=sg.name, cidr=", ".join(sg_cidrs))
                    self.add_issue(1, "VPC ELB is Internet accessible.", elb_item, notes=notes)
    def check_rds_ec2_rfc1918(self, sg_item):
        """
        alert if non-vpc RDS SG contains RFC1918 CIDRS
        """
        tag = "Non-VPC RDS Security Group contains private RFC-1918 CIDR"
        severity = 8

        if sg_item.config.get("vpc_id", None):
            return

        for ipr in sg_item.config.get("ip_ranges", []):
            cidr = ipr.get("cidr_ip", None)
            if cidr and check_rfc_1918(cidr):
                self.add_issue(severity, tag, sg_item, notes=cidr)
Пример #4
0
    def check_rds_ec2_rfc1918(self, sg_item):
        """
        alert if non-vpc RDS SG contains RFC1918 CIDRS
        """
        tag = "Non-VPC RDS Security Group contains private RFC-1918 CIDR"
        severity = 8

        if sg_item.config.get("vpc_id", None):
            return

        for ipr in sg_item.config.get("ip_ranges", []):
            cidr = ipr.get("cidr_ip", None)
            if cidr and check_rfc_1918(cidr):
                self.add_issue(severity, tag, sg_item, notes=cidr)
Пример #5
0
    def check_securitygroup_ec2_rfc1918(self, sg_item):
        """
        alert if EC2 SG contains RFC1918 CIDRS
        """
        tag = "Non-VPC Security Group contains private RFC-1918 CIDR"
        severity = 5

        if sg_item.config.get("vpc_id", None):
            return

        multiplier = _check_empty_security_group(sg_item)

        for rule in sg_item.config.get("rules", []):
            cidr = rule.get("cidr_ip", None)
            if cidr and check_rfc_1918(cidr):
                self.add_issue(severity * multiplier, tag, sg_item, notes=cidr)
Пример #6
0
 def check_for_public_zone_with_private_records(self, route53_item):
     """
     alert when a public zone has private records.
     """
     if not route53_item.config.get('zoneprivate'):
         for r in route53_item.config.get('records'):
             for regex in self.internal_record_regex:
                 if re.match(regex, str(r)):
                     notes = ", ".join(route53_item.config.get('records'))
                     self.add_issue(1, 'Route53 public zone contains private record.', route53_item, notes=notes)
             try:
                 if check_rfc_1918(r):
                     notes = ", ".join(route53_item.config.get('records'))
                     self.add_issue(1, 'Route53 public zone contains private record.', route53_item, notes=notes)
             except:
                 # non IP's will throw an exception and that's okay.
                 pass
Пример #7
0
    def check_internet_scheme(self, elb_item):
        """
        alert when an ELB has an "internet-facing" scheme.
        """
        scheme = elb_item.config.get('scheme', None)
        vpc = elb_item.config.get('vpc_id', None)
        if scheme and scheme == u"internet-facing" and not vpc:
            self.add_issue(1, 'ELB is Internet accessible.', elb_item)
        elif scheme and scheme == u"internet-facing" and vpc:
            # Grab each attached security group and determine if they contain
            # a public IP
            security_groups = elb_item.config.get('security_groups', [])
            sg_items = self.get_watcher_support_items(SecurityGroup.index,
                                                      elb_item.account)
            for sgid in security_groups:
                for sg in sg_items:
                    if sg.config.get('id') == sgid:
                        sg_cidrs = []
                        for rule in sg.config.get('rules', []):
                            cidr = rule.get('cidr_ip', '')
                            if rule.get('rule_type',
                                        None) == 'ingress' and cidr:
                                if not check_rfc_1918(
                                        cidr
                                ) and not self._check_inclusion_in_network_whitelist(
                                        cidr):
                                    sg_cidrs.append(cidr)

                        if sg_cidrs:
                            notes = 'SG [{sgname}] via [{cidr}]'.format(
                                sgname=sg.name, cidr=', '.join(sg_cidrs))
                            self.add_issue(1,
                                           'VPC ELB is Internet accessible.',
                                           elb_item,
                                           notes=notes)
                        break