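    def audit_impl(self):
        """
        Audit every security group egress and every standalone egress
        resource in the model and collect the ones that are open to the
        world on IPv4 or IPv6, as judged by IpAddr.ip4_open / IpAddr.ip6_open.

        :return: list of logical resource ids (as str) with a violation; a
                 group is appended once per offending egress, so the list
                 may contain duplicates.
        """
        if self.debug:
            print('SecurityGroupEgressOpenToWorldRule - audit_impl' + lineno())
        violating_egresses = []

        # Egress rules attached to the security groups in the model.
        for groups in self.cfn_model.security_groups():
            if self.debug:
                print('group: ' + str(groups) + lineno())
                print('vars: ' + str(vars(groups)) + lineno())

            for egress in groups.egresses:
                if self.debug:
                    print('egress: ' + str(egress) + lineno())

                if self._egress_is_open(egress):
                    if self.debug:
                        print('ip4/6 address is open' + lineno())
                    violating_egresses.append(str(groups.logical_resource_id))

        # Standalone egress resources defined outside a security group.
        routes = self.cfn_model.standalone_egress()
        if self.debug:
            print('routes: ' + str(routes) + lineno())

        for standalone_egress in routes:
            if self.debug:
                print('standalone_egress: ' + str(standalone_egress) + lineno())
                print('vars: ' + str(vars(standalone_egress)) + lineno())

            if self._egress_is_open(standalone_egress):
                if self.debug:
                    print('ip4/6 address is open' + lineno())
                # str() matches the group branch above; previously the two
                # branches mixed raw and stringified ids in one result list.
                violating_egresses.append(str(standalone_egress.logical_resource_id))

        return violating_egresses

    def _egress_is_open(self, egress):
        """
        Return True when *egress* is open to the world on IPv4 or IPv6.

        :param egress: an egress entry or standalone egress resource, passed
                       through unchanged to IpAddr.ip4_open / IpAddr.ip6_open
        """
        return bool(IpAddr.ip4_open(egress, debug=self.debug)
                    or IpAddr.ip6_open(egress, debug=self.debug))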
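    def test_ip4_not_open_list(self):
        """A list holding a single /32 IPv4 CIDR must not be reported as open."""
        expected_result = False

        # Ingress rules may arrive as a list of dicts; exercise that shape.
        # (Renamed from `dict`, which shadowed the builtin.)
        ingress = [{'CidrIp': '192.168.1.0/32'}]

        real_result = class_to_test.ip4_open(ingress=ingress, debug=True)

        print('expected results: ' + str(expected_result))
        print('real results: ' + str(real_result))

        self.maxDiff = None
        self.assertEqual(expected_result, real_result)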
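    def test_ip4_not_open(self):
        """A single-dict ingress with a /32 IPv4 CIDR must not be reported as open."""
        expected_result = False

        # Renamed from `dict`, which shadowed the builtin.
        ingress = {'CidrIp': '192.168.1.0/32'}

        real_result = class_to_test.ip4_open(ingress=ingress, debug=False)

        print('expected results: ' + str(expected_result))
        print('real results: ' + str(real_result))

        self.maxDiff = None
        self.assertEqual(expected_result, real_result)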
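    def test_ip6_range_list(self):
        """A list holding an IPv6 CIDR with a /64 prefix is not host scoped."""
        expected_result = False

        # NOTE(review): this literal has only seven hextets, so it is not a
        # well-formed IPv6 address; the expectation presumably rests on the
        # prefix length alone — confirm against ip6_cidr_range.
        # (Renamed from `dict`, which shadowed the builtin.)
        ingress = [{'CidrIp': '2001:0db8:85a3:0000:0000:8a2e:0370/64'}]

        real_result = class_to_test.ip6_cidr_range(ingress=ingress, debug=False)

        print('expected results: ' + str(expected_result))
        print('real results: ' + str(real_result))

        self.maxDiff = None
        self.assertEqual(expected_result, real_result)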
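    def test_ip6_no_range(self):
        """A single-dict ingress with a /128 IPv6 CIDR is host scoped."""
        expected_result = True

        # NOTE(review): this literal has only seven hextets, so it is not a
        # well-formed IPv6 address; the expectation presumably rests on the
        # prefix length alone — confirm against ip6_cidr_range.
        # (Renamed from `dict`, which shadowed the builtin.)
        ingress = {'CidrIp': '2001:0db8:85a3:0000:0000:8a2e:0370/128'}

        real_result = class_to_test.ip6_cidr_range(ingress=ingress, debug=False)

        print('expected results: ' + str(expected_result))
        print('real results: ' + str(real_result))

        self.maxDiff = None
        self.assertEqual(expected_result, real_result)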
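    def test_ip6_open(self):
        """An ingress whose IPv6 CIDR is ::/0 is reported as open to the world."""
        expected_result = True

        # Renamed from `dict`, which shadowed the builtin.
        ingress = {'CidrIp': '::/0'}

        real_result = class_to_test.ip6_open(ingress=ingress, debug=False)

        print('expected results: ' + str(expected_result))
        print('real results: ' + str(real_result))

        self.maxDiff = None
        self.assertEqual(expected_result, real_result)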
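    def audit_impl(self):
        """
        Audit every security group ingress and every standalone ingress
        resource in the model and collect the ones whose CIDR is wider than
        a single host (IPv4 not /32, IPv6 not /128), as judged by
        IpAddr.ip4_cidr_range / IpAddr.ip6_cidr_range.

        Fixes relative to the previous version of this rule:
        - a list-shaped ingress was flagged unconditionally after its items
          were checked (the ``continue`` only left the inner loop);
        - an object-shaped ingress with a ``cidrIpv6`` attribute was never
          flagged, because a stray ``continue`` skipped it regardless of the
          range check;
        - a group without an ``ingresses`` attribute called ``sys.exit(1)``,
          aborting the whole scan; it is now skipped;
        - a standalone resource with a host-scoped ``cidrIp`` skipped its
          ``cidrIpv6`` check entirely.

        :return: list of logical resource ids (as str) with a violation; a
                 group is appended once per offending ingress, so the list
                 may contain duplicates (use ``set()`` for unique ids).
        """
        if self.debug:
            print('SecurityGroupIngressCidrNon32Rule - audit_impl' + lineno())
        logical_resource_ids = []

        # Iterate over each of the security groups in the cloudformation template
        for groups in self.cfn_model.security_groups():
            if self.debug:
                print('group: ' + str(groups) + lineno())
                print('vars: ' + str(vars(groups)) + lineno())

            # Nothing to audit on a group that carries no ingresses attribute;
            # skip it rather than terminate the process.
            if not hasattr(groups, 'ingresses'):
                if self.debug:
                    print('group has no ingresses attribute - skipping' + lineno())
                continue

            for ingresses in groups.ingresses:
                if self.debug:
                    print('ingresses: ' + str(ingresses) + lineno())

                if self._ingress_is_host_scoped(ingresses):
                    if self.debug:
                        print('ip4/6 address is /32 or /128' + lineno())
                    continue

                if self.debug:
                    print('ip4/6 address does not end with /32 or /128' + lineno())
                    print('Resource is not valid - appending to list')
                    print('logical resource id: ' + str(groups.logical_resource_id) + lineno())
                logical_resource_ids.append(str(groups.logical_resource_id))

        if self.debug:
            print('violations: ' + str(list(set(logical_resource_ids))) + lineno())
            print('Getting all the standalone ingress resources')

        # Standalone ingress resources defined outside a security group.
        for resource in self.cfn_model.standalone_ingress():
            if self.debug:
                print('standalone resource: ' + str(resource) + lineno())
                print('vars: ' + str(vars(resource)) + lineno())
                print('type: ' + str(type(resource)) + lineno())

            if self._standalone_is_host_scoped(resource):
                if self.debug:
                    print('ip4/6 address is /32 or /128' + lineno())
                continue

            if self.debug:
                print('ip4/6 address does not end with /32 or /128' + lineno())
            # str() matches the group branch above; previously the two
            # branches mixed raw and stringified ids in one result list.
            logical_resource_ids.append(str(resource.logical_resource_id))

        if self.debug:
            print('violations: ' + str(list(set(logical_resource_ids))) + lineno())

        return logical_resource_ids

    def _ingress_is_host_scoped(self, ingress):
        """
        Return True when *ingress* admits at most a single host.

        Handles the three shapes the model produces: a dict, a list of
        entries (each checked recursively; an empty list admits nothing and
        is therefore host scoped), or an object exposing ``cidrIp`` and/or
        ``cidrIpv6`` attributes. An object with neither attribute has no
        CIDR for this rule to judge and is not treated as a violation, which
        preserves the previous behaviour for that case.

        :param ingress: dict, list or ingress object
        """
        if isinstance(ingress, dict):
            if self.debug:
                print('ingress is a dict' + lineno())
            return bool(IpAddr.ip4_cidr_range(ingress, debug=self.debug)
                        or IpAddr.ip6_cidr_range(ingress, debug=self.debug))

        if isinstance(ingress, list):
            if self.debug:
                print('ingress is a list() ' + lineno())
            # Every entry must be host scoped for the list to be.
            return all(self._ingress_is_host_scoped(item) for item in ingress)

        if self.debug:
            print('vars: ' + str(vars(ingress)) + lineno())
            print('ingress is not a list or dict' + lineno())

        # Each CIDR attribute that is present must be host scoped; the whole
        # object is passed to IpAddr, as the previous version did.
        checks = []
        if hasattr(ingress, 'cidrIp'):
            if self.debug:
                print('has cidrIp ' + lineno())
            checks.append(IpAddr.ip4_cidr_range(ingress, debug=self.debug))
        if hasattr(ingress, 'cidrIpv6'):
            if self.debug:
                print('has cidrIpv6 ' + lineno())
            checks.append(IpAddr.ip6_cidr_range(ingress, debug=self.debug))
        if not checks and self.debug:
            print('does not have a cidr entry')
        return all(checks)

    def _standalone_is_host_scoped(self, resource):
        """
        Return True when every CIDR attribute on a standalone ingress
        *resource* admits at most a single host.

        A resource with neither ``cidrIp`` nor ``cidrIpv6`` is not treated as
        a violation, as before.

        NOTE(review): the raw ``cidrIp`` / ``cidrIpv6`` strings are handed to
        IpAddr here, whereas group ingress objects are passed whole; this
        mirrors the previous version — confirm IpAddr accepts both.

        :param resource: standalone ingress resource object
        """
        checks = []
        if hasattr(resource, 'cidrIp'):
            if self.debug:
                print('has cidrIp attributes' + lineno())
            checks.append(IpAddr.ip4_cidr_range(resource.cidrIp, debug=self.debug))
        if hasattr(resource, 'cidrIpv6'):
            if self.debug:
                print('has cidrIpv6 attributes' + lineno())
            checks.append(IpAddr.ip6_cidr_range(resource.cidrIpv6, debug=self.debug))
        return all(checks)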