def audit_impl(self):
    """
    Report security-group egress rules that are open to the world.

    Walks the ``egresses`` of every security group in the model and then every
    standalone egress resource, recording the owning resource's logical id
    whenever ``IpAddr.ip4_open`` or ``IpAddr.ip6_open`` reports the rule as
    open.

    :return: list of logical resource ids that own an open egress rule (one
        entry per offending rule, so an id may appear more than once)
    """
    if self.debug:
        print('SecurityGroupEgressOpenToWorldRule - audit_impl' + lineno())

    def world_open(rule):
        # IPv4 is tested first and IPv6 only if IPv4 was not open, matching
        # the short-circuit order of the original expression.
        return IpAddr.ip4_open(rule, debug=self.debug) or IpAddr.ip6_open(
            rule, debug=self.debug)

    violations = []

    # Egress rules embedded in each security group.
    for group in self.cfn_model.security_groups():
        if self.debug:
            print('group: ' + str(group) + lineno())
            print('vars: ' + str(vars(group)) + lineno())
        for rule in group.egresses:
            if self.debug:
                print('egress: ' + str(rule) + lineno())
            if not world_open(rule):
                continue
            if self.debug:
                print('ip4/6 address is open' + lineno())
            violations.append(str(group.logical_resource_id))

    # Egress rules declared as standalone resources.
    standalone = self.cfn_model.standalone_egress()
    if self.debug:
        print('routes: ' + str(standalone) + lineno())
    for rule in standalone:
        if self.debug:
            print('standalone_egress: ' + str(rule) + lineno())
            print('vars: ' + str(vars(rule)) + lineno())
        if not world_open(rule):
            continue
        if self.debug:
            print('ip4/6 address is open' + lineno())
        # NOTE: unlike the group loop above, the id is appended as-is rather
        # than via str(); kept that way to preserve the returned values.
        violations.append(rule.logical_resource_id)

    return violations
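def test_ip4_not_open_list(self):
    """
    ``ip4_open`` must return False for a list holding one /32 IPv4 CIDR.

    Uses the list form of the ``ingress`` argument (a list of rule dicts).
    """
    expected_result = False
    # Named ``ingress_rules`` so the ``dict`` builtin is not shadowed.
    ingress_rules = [{'CidrIp': '192.168.1.0/32'}]
    real_result = class_to_test.ip4_open(ingress=ingress_rules, debug=True)
    print('expected results: '+str(expected_result))
    print('real results: '+str(real_result))
    self.maxDiff = None
    self.assertEqual(expected_result, real_result)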
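def test_ip4_not_open(self):
    """
    ``ip4_open`` must return False for a single rule dict with a /32 IPv4 CIDR.

    Uses the dict form of the ``ingress`` argument.
    """
    expected_result = False
    # Named ``ingress_rule`` so the ``dict`` builtin is not shadowed.
    ingress_rule = {'CidrIp': '192.168.1.0/32'}
    real_result = class_to_test.ip4_open(ingress=ingress_rule, debug=False)
    print('expected results: '+str(expected_result))
    print('real results: '+str(real_result))
    self.maxDiff = None
    self.assertEqual(expected_result, real_result)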
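def test_ip6_range_list(self):
    """
    ``ip6_cidr_range`` must return False for a list holding one /64 IPv6 CIDR.

    Uses the list form of the ``ingress`` argument (a list of rule dicts).
    """
    expected_result = False
    # Named ``ingress_rules`` so the ``dict`` builtin is not shadowed.
    # NOTE(review): the literal below has seven hextets and no '::', so it is
    # not a well-formed IPv6 address; confirm the fixture is intended or
    # whether ip6_cidr_range is expected to reject it outright.
    ingress_rules = [{'CidrIp': '2001:0db8:85a3:0000:0000:8a2e:0370/64'}]
    real_result = class_to_test.ip6_cidr_range(ingress=ingress_rules, debug=False)
    print('expected results: '+str(expected_result))
    print('real results: '+str(real_result))
    self.maxDiff = None
    self.assertEqual(expected_result, real_result)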
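def test_ip6_no_range(self):
    """
    ``ip6_cidr_range`` must return True for a single rule dict with a /128 IPv6 CIDR.

    Uses the dict form of the ``ingress`` argument.
    """
    expected_result = True
    # Named ``ingress_rule`` so the ``dict`` builtin is not shadowed.
    # NOTE(review): the literal below has seven hextets and no '::', so it is
    # not a well-formed IPv6 address; confirm the fixture is intended or
    # whether ip6_cidr_range is expected to reject it outright.
    ingress_rule = {'CidrIp': '2001:0db8:85a3:0000:0000:8a2e:0370/128'}
    real_result = class_to_test.ip6_cidr_range(ingress=ingress_rule, debug=False)
    print('expected results: '+str(expected_result))
    print('real results: '+str(real_result))
    self.maxDiff = None
    self.assertEqual(expected_result, real_result)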
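def test_ip6_open(self):
    """
    ``ip6_open`` must return True for a single rule dict whose CidrIp is ``::/0``.

    Uses the dict form of the ``ingress`` argument.
    """
    expected_result = True
    # Named ``ingress_rule`` so the ``dict`` builtin is not shadowed.
    ingress_rule = {'CidrIp': '::/0'}
    real_result = class_to_test.ip6_open(ingress=ingress_rule, debug=False)
    print('expected results: '+str(expected_result))
    print('real results: '+str(real_result))
    self.maxDiff = None
    self.assertEqual(expected_result, real_result)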
def audit_impl(self):
    """
    Report ingress rules whose CIDR is wider than a single host.

    Walks the ``ingresses`` of every security group in the model and then every
    standalone ingress resource, recording the owning resource's logical id
    whenever ``IpAddr.ip4_cidr_range`` / ``IpAddr.ip6_cidr_range`` report that
    the CIDR does not end in /32 or /128.

    :return: list of violating logical resource ids; an id is appended once per
        offending rule, so the list may hold duplicates (the debug output
        dedupes with ``set`` but the returned list does not)
    """
    # NOTE(review): this method was recovered from a collapsed source line;
    # the block nesting below follows the most plausible reading and should be
    # confirmed against the original file.
    if self.debug:
        print('SecurityGroupIngressCidrNon32Rule - audit_impl'+lineno())
    logical_resource_ids = []
    # Iterate over each of the security groups in the CloudFormation template
    for groups in self.cfn_model.security_groups():
        if self.debug:
            print('group: '+str(groups)+lineno())
            print('vars: '+str(vars(groups))+lineno())
        # If the security group has ingresses
        if hasattr(groups,'ingresses'):
            if len(groups.ingresses)>0:
                # NOTE: assigned but never read anywhere in this method.
                has_invalid_cidr = False
                # Iterate over each of the ingresses; an entry may be a dict,
                # a list of dicts, or a parsed object with cidrIp/cidrIpv6.
                for ingresses in groups.ingresses:
                    if self.debug:
                        print('ingresses: '+str(ingresses)+lineno())
                    # isinstance(ingresses, dict) would be the idiomatic test.
                    if type(ingresses) == type(dict()):
                        if self.debug:
                            print('ingress is a dict'+lineno())
                        if IpAddr.ip4_cidr_range(ingresses,debug=self.debug)==True or IpAddr.ip6_cidr_range(ingresses,debug=self.debug):
                            if self.debug:
                                print('ip4/6 address is /32 or /128' + lineno())
                        else:
                            if self.debug:
                                print('ip4/6 address does not end with /32 or /128' + lineno())
                            if self.debug:
                                print("\n\n##########################################################")
                                print('Resource is not valid - appending to list')
                                print('logical resource id: ' + str(groups.logical_resource_id) + lineno())
                                print("#############################################################\n")
                            logical_resource_ids.append(str(groups.logical_resource_id))
                    elif type(ingresses) == type(list()):
                        if self.debug:
                            print("ingress is a list() "+lineno())
                        for item in ingresses:
                            # Either a /32 IPv4 or a /128 IPv6 is acceptable.
                            if IpAddr.ip4_cidr_range(item,debug=self.debug):
                                if self.debug:
                                    print('ip4/6 address is /32 or /128' + lineno())
                                continue
                            if IpAddr.ip6_cidr_range(item,debug=self.debug):
                                if self.debug:
                                    print('ip4/6 address is /32 or /128' + lineno())
                                continue
                            if self.debug:
                                print("\n\n##########################################################")
                                print('Resource is not valid - appending to list')
                                print('logical resource id: ' + str(groups.logical_resource_id) + lineno())
                                print("#############################################################\n")
                            logical_resource_ids.append(str(groups.logical_resource_id))
                    else:
                        # Parsed object form: look for cidrIp / cidrIpv6 attributes.
                        if self.debug:
                            print('vars: '+str(vars(ingresses))+lineno())
                            print('ingress is not a list or dict'+lineno())
                        if hasattr(ingresses, 'cidrIp'):
                            if self.debug:
                                print('has cidrIp '+lineno())
                            if IpAddr.ip4_cidr_range(ingresses,debug=self.debug):
                                if self.debug:
                                    print('ip4/6 address is /32 or /128' + lineno())
                                continue
                        if hasattr(ingresses,'cidrIpv6'):
                            if self.debug:
                                print('ip4/6 address is /32 or /128'+lineno())
                            if IpAddr.ip6_cidr_range(ingresses, debug=self.debug):
                                if self.debug:
                                    print('ip4/6 address is /32 or /128' + lineno())
                                continue
                        # A rule without either CIDR attribute is not judged here.
                        if not hasattr(ingresses,'cidrIp') and not hasattr(ingresses,'cidrIpv6'):
                            if self.debug:
                                print('does not have a cidr entry')
                            continue
                        if self.debug:
                            print("\n\n##########################################################")
                            print('Resource is not valid - appending to list')
                            print('logical resource id: ' + str(groups.logical_resource_id) + lineno())
                            print("#############################################################\n")
                        logical_resource_ids.append(str(groups.logical_resource_id))
        else:
            # NOTE(review): sys.exit() here terminates the whole process from
            # inside a single rule, so one security group without an
            # ``ingresses`` attribute aborts auditing of every other rule and
            # template; raising or skipping the group would be safer.
            sys.exit(1)
    if self.debug:
        print('violations: '+str(list(set(logical_resource_ids)))+lineno())
    if self.debug:
        print('Getting all the standalone ingress resources')
    standalone_resources= self.cfn_model.standalone_ingress()
    # Iterate over the standalone ingress resources
    for resource in standalone_resources:
        if self.debug:
            print("\n\n#########################################")
            print('standalone resource: ' + str(resource) + lineno())
            print('vars: ' + str(vars(resource)) + lineno())
            print('type: '+str(type(resource))+lineno())
            print("############################################\n")
        if hasattr(resource,'cidrIp'):
            if self.debug:
                print('has cidrIp attributes'+lineno())
            # NOTE(review): here the CIDR value itself is passed, whereas the
            # group loop above passes the ingress object/dict — confirm
            # ip4_cidr_range accepts both forms.
            if IpAddr.ip4_cidr_range(resource.cidrIp,debug=self.debug):
                if self.debug:
                    print('ip4/6 address is /32 or /128' + lineno())
                # NOTE(review): this skips the cidrIpv6 check below for a
                # resource carrying both attributes — confirm that is intended.
                continue
            else:
                if self.debug:
                    print('ip4/6 address does not end with /32 or /128' + lineno())
                logical_resource_ids.append(resource.logical_resource_id)
        if hasattr(resource,'cidrIpv6'):
            if self.debug:
                print('has cidrIpv6 attributes' + lineno())
            if IpAddr.ip6_cidr_range(resource.cidrIpv6,debug=self.debug):
                if self.debug:
                    print('ip4/6 address is /32 or /128' + lineno())
                continue
            else:
                if self.debug:
                    print('ip4/6 address does not end with /32 or /128' + lineno())
                logical_resource_ids.append(resource.logical_resource_id)
    if self.debug:
        print('violations: '+str(list(set(logical_resource_ids)))+lineno())
    return logical_resource_ids