Skip to content

Commit

Permalink
Release/v1.8.0 (#106)
Browse files Browse the repository at this point in the history 
* Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, … (#93)

* Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, 3306, 5439, 5601, 8080, 9200 and 9300

* Checking in unit test and tox.ini, made modification to remove common pkg from ec2_close_port_20.py

* Checking in README with addition aws close port rules

* Update README with correct port names for the new scripts

* PLA-26195 - Handled PrincipalNotFound Exception in sql auditing job (#98)

* PLA-24844 - Remediation job to restrict default security group access (#85)

* PLA-24844 - Remediation job to restrict default security group access

* PLA-24844 - Remediation job to restrict default security group access

* Updated the remediation job code

* PLA-25429 - Remediation job to set password reuse prevention policy (#89)

* PLA-25429 - Remediation job to set password reuse prevention policy

* PLA-25429 - Updated unit test

* Updated the remediation job code

* PLA-25428 - Remediation Job to set minimum password length (#90)

* PLA-25430 - Remediation Job to delete expired server certificate (#96)

* Initial commit for kinesis_encrypt_stream (#97)

* Initial commit for kinesis_encrypt_stream

* modified to add a return and exception to kinesis_encrypt_stream.py and unit testcases for remediate

* remove print

* update README.md

* update README.md

* remove format in kinesis_encrypt_stream.py

* update README with a correct instruction to run the script and add a missing error loggin

Co-authored-by: Shrutika Kulkarni <[email protected]>

* PLA-26855 - Updated azure remediation jobs to wait for the poller result (#99)

* PLA-26855 - Updated azure remediation jobs to wait for the poller result

* PLA-26855 - Update azure jobs to poll continuously and log the status

* Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_versi… (#101)

* Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_version_update, rds_remove_public_endpoint

* Update ebs_private_snapshot.py

* Incorporated comments and inputs from PR review

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* PLA-29176 - Fix remediation jobs for port rules (#102)

* PLA-29176 - Fix remediation jobs for port rules

* PLA-29176 - updated requirements

* PLA-29176 - Updated the public instance port remediation jobs

* PLA-29176 - Fixed readme file

* PLA-29176 - Fixed comments

* PLA-29176 - Updated all the AWS port rule remediation jobs

* PLA-29176 - Fixed requirements-dev file

* PLA-29176 - Added comments

* PLA-29459 - Update Readme and tox file (#104)

* PLA-29459 - Update Readme and tox file

* PLA-29459 - Updated readme

* Fixed requirements file (#105)

Co-authored-by: lytran2000 <[email protected]>
  • Loading branch information
@kshrutik @lytran2000
kshrutik and lytran2000 authored Aug 6, 2021
1 parent c958afc commit f8159ff
Show file tree
Hide file tree
Showing 198 changed files with 6,550 additions and 563 deletions.
19 changes: 19 additions & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -134,6 +134,25 @@ The table below lists all the supported jobs with their links.
| 21. | 688d093c-3b8d-11eb-adc1-0242ac120002 | S3 bucket should allow only HTTPS requests | [aws-s3-bucket-policy-allow-https](remediation_worker/jobs/aws_s3_bucket_policy_allow_https) |
| 22. | 09639b9d-98e8-493b-b8a4-916775a7dea9 | SQS queue policy should restricted access to required users | [aws-sqs-queue-publicly-accessible](remediation_worker/jobs/aws_sqs_queue_publicly_accessible) |
| 23. | 1ec4a1f2-3e08-11eb-b378-0242ac130002 | Network ACL should restrict administration ports (3389 and 22) from public access | [aws-ec2-administration-ports-ingress-allowed](remediation_worker/jobs/aws_ec2_administration_ports_ingress_allowed) |
| 24. | ce603728-d631-4bae-8657-c22da6e5944e | Kinesis data stream should be encrypted | [kinesis-encrypt-stream](remediation_worker/jobs/kinesis_encrypt_stream) |
| 25. | 5c8c263d7a550e1fb6560c39 | EC2 instance should restrict public access to FTP data port (20) | [ec2-close-port-20](remediation_worker/jobs/ec2_close_port_20) |
| 26. | 4823ede0-7bed-4af0-a182-81c2ada80203 | EC2 instance should restrict public access to Kibana (5601) | [ec2-close-port-5601](remediation_worker/jobs/ec2_close_port_5601) |
| 27. | 5c8c26427a550e1fb6560c41 | EC2 instance should restrict public access to MySQL server port (3306) | [ec2-close-port-3306](remediation_worker/jobs/ec2_close_port_3306) |
| 28. | 5c8c26417a550e1fb6560c3e | EC2 instance should restrict public access to Oracle SQL port (1521) | [ec2-close-port-1521](remediation_worker/jobs/ec2_close_port_1521) |
| 29. | 5c8c26417a550e1fb6560c3d | EC2 instance should restrict public access to SQL Server port (1433) | [ec2-close-port-1433](remediation_worker/jobs/ec2_close_port_1433) |
| 30. | 5c8c263e7a550e1fb6560c3b | EC2 instance should restrict public access to Telnet port (23) | [ec2-close-port-23](remediation_worker/jobs/ec2_close_port_23) |
| 31. | 5c8c263d7a550e1fb6560c3a | EC2 instance should restrict public access to FTP port (21) | [ec2-close-port-21](remediation_worker/jobs/ec2_close_port_21) |
| 32. | 04700175-adbe-49e1-bc7a-bc9605597ce2 | EC2 instance should restrict public access to Elasticsearch ports (9200,9300) | [ec2-close-port-9200_9300](remediation_worker/jobs/ec2_close_port_9200_9300) |
| 33. | 5c8c26427a550e1fb6560c40 | EC2 instance should restrict public access to MongoDB port (27017) | [ec2-close-port-27017](remediation_worker/jobs/ec2_close_port_27017) |
| 34. | 5c8c26407a550e1fb6560c3c | EC2 instance should restrict public access to TCP port (8080) | [ec2-close-port-8080](remediation_worker/jobs/ec2_close_port_8080) |
| 35. | 5c8c26447a550e1fb6560c44 | EC2 instance should restrict public access to Redshift port (5439) | [ec2-close-port-5439](remediation_worker/jobs/ec2_close_port_5439) |
| 36. | 2cdb8877-7ac3-4483-9ed0-1e792171d125 | EBS volume snapshot should be private | [ebs-private-snapshot](remediation_worker/jobs/ebs_private_snapshot) |
| 37. | 5c8c26467a550e1fb6560c48 | RDS instance should restrict public access | [rds-remove-public-endpoint](remediation_worker/jobs/rds_remove_public_endpoint) |
| 38. | 5c8c264a7a550e1fb6560c4c | RDS should have automatic minor version upgrades enabled | [rds-enable-version-update](remediation_worker/jobs/rds_enable_version_update) |
| 39. | 5c8c25f37a550e1fb6560bca | EC2 VPC default security group should restrict all access | [aws-ec2-default-security-group-traffic](remediation_worker/jobs/aws_ec2_default_security_group_traffic) |
| 40. | 5c8c260b7a550e1fb6560bf4 | IAM password policy should set a minimum length | [aws-iam-password-policy-min-length](remediation_worker/jobs/aws_iam_password_policy_min_length) |
| 41. | 5c8c26107a550e1fb6560bfc | IAM password policy should prevent password reuse | [aws-iam-password-reuse-prevention](remediation_worker/jobs/aws_iam_password_reuse_prevention) |
| 42. | 7fe4eb28-3b82-11eb-adc1-0242ac120002 | IAM server certificates that are expired should be removed | [aws-iam-server-certificate-expired](remediation_worker/jobs/aws_iam_server_certificate_expired) |

## Contributing
The Secure State team welcomes welcomes contributions from the community. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will update the issue when you open a Pull Request. For any questions about the CLA process, please refer to our [FAQ](https://cla.vmware.com/faq).
Expand Down
2 changes: 1 addition & 1 deletion remediation_worker/jobs/aws_ec2_administration_ports_ingress_allowed/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ Network ACL should restrict administration ports (3389 and 22) from public acces

### Prerequisites

The provided AWS credential must have access to `ec2:DeleteNetworkAcl`, `ec2:DescribeNetworkAcls` and `ec2:ReplaceNetworkAclEntry`.
The provided AWS credential must have access to `ec2:DeleteNetworkAclEntry`, `ec2:DescribeNetworkAcls`.

You may find the latest example policy file [here](minimum_policy.json)

Expand Down
237 changes: 29 additions & 208 deletions ..._ec2_administration_ports_ingress_allowed/aws_ec2_administration_ports_ingress_allowed.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,201 +61,6 @@ def parse(self, payload):
logging.info(return_dict)
return return_dict

def create_list_of_rule_nos(self, network_acl_entries):
"""Creates List of Rule Numbers in the Network Acl
:param network_acl_entries: List of Network Acl entries.
:type network_acl_id: str.
:returns: List of Rule Numbers.
:rtype: list.
"""
rule_nos = []
for entry in network_acl_entries["Entries"]:
rule_nos.append(entry["RuleNumber"])
return rule_nos

def create_list_of_port_range(self, network_acl_entries):
"""Creates List of Port Ranges in the Network Acl
:param network_acl_entries: List of Network Acl entries.
:type network_acl_id: str.
:returns: List of Port Ranges.
:rtype: list.
"""
port_ranges = []
for entry in network_acl_entries["Entries"]:
if "PortRange" not in entry:
continue
else:
port = (entry["PortRange"]["From"], entry["PortRange"]["To"])
port_ranges.append(port)
return port_ranges

def check_if_nacl_exists(
self, network_acl_entries, port_from, port_to, port_ranges
):
"""Checks if the Network ACL Entry already exists
:param network_acl_entries: List of Network Acl entries.
:param port_from: Port Range from.
:param port_to: Port Range To.
:param port_ranges: List of port ranges.
:type network_acl_entries: list
:type port_from: int
:type port_to: int
:type port_ranges: list
:returns: Boolean value indicating if the entry with given port range already exists
:rtype: bool
"""
for nacl_entry in network_acl_entries["Entries"]:
if "PortRange" not in nacl_entry:
continue
elif (
nacl_entry["PortRange"]["From"] == port_from
and nacl_entry["PortRange"]["To"] == port_to
):
return True
else:
continue
for port in port_ranges:
if port[0] == port_from and port[1] == port_to:
return True
return False

def find_and_remove_port(
self,
network_acl_id,
client,
network_acl_entries,
port_no,
rule_nos,
port_ranges,
):
"""Find and remove port 22 and 3389 from Network Acl Entries
:param network_acl_id: Network Acl Id.
:param client: Instance of the AWS boto3 client.
:param network_acl_entries: List of Network Acl Entries.
:param port_no: Port No. to remove.
:param rule_nos: List of Rule Numbers.
:type rule_nos: list.
:type port_no: int.
:type network_acl_entries: list.
:type network_acl_id: str.
:type client: object.
:returns: None.
:rtype: None.
"""
for entry in network_acl_entries["Entries"]:
if (
entry["Egress"] is False
and entry["RuleAction"] == "allow"
and entry["Protocol"] in ["6", "-1"]
and entry["CidrBlock"] == "0.0.0.0/0"
):
if "PortRange" not in entry or entry["PortRange"] == {
"From": port_no,
"To": port_no,
}:
client.delete_network_acl_entry(
Egress=False,
NetworkAclId=network_acl_id,
RuleNumber=entry["RuleNumber"],
)
elif (
entry["PortRange"]["From"] < port_no
and entry["PortRange"]["To"] == port_no
):
portrange_to = port_no - 1

if self.check_if_nacl_exists(
network_acl_entries,
entry["PortRange"]["From"],
portrange_to,
port_ranges,
):
client.delete_network_acl_entry(
Egress=False,
NetworkAclId=network_acl_id,
RuleNumber=entry["RuleNumber"],
)
else:
client.replace_network_acl_entry(
CidrBlock=entry["CidrBlock"],
Egress=entry["Egress"],
NetworkAclId=network_acl_id,
PortRange={
"From": entry["PortRange"]["From"],
"To": portrange_to,
},
Protocol=entry["Protocol"],
RuleAction=entry["RuleAction"],
RuleNumber=entry["RuleNumber"],
)

port = (entry["PortRange"]["From"], portrange_to)
port_ranges.append(port)
elif (
entry["PortRange"]["From"] < port_no
and entry["PortRange"]["To"] > port_no
):
rule_no = entry["RuleNumber"] + 10

while rule_no in rule_nos:
rule_no = rule_no + 10

portrange_to = port_no - 1

if self.check_if_nacl_exists(
network_acl_entries,
entry["PortRange"]["From"],
portrange_to,
port_ranges,
):
client.delete_network_acl_entry(
Egress=False,
NetworkAclId=network_acl_id,
RuleNumber=entry["RuleNumber"],
)
else:
client.replace_network_acl_entry(
CidrBlock=entry["CidrBlock"],
Egress=entry["Egress"],
NetworkAclId=network_acl_id,
PortRange={
"From": entry["PortRange"]["From"],
"To": portrange_to,
},
Protocol=entry["Protocol"],
RuleAction=entry["RuleAction"],
RuleNumber=entry["RuleNumber"],
)

port = (entry["PortRange"]["From"], portrange_to)
port_ranges.append(port)

portrange_from = port_no + 1

if self.check_if_nacl_exists(
network_acl_entries,
portrange_from,
entry["PortRange"]["To"],
port_ranges,
):
continue
else:
client.create_network_acl_entry(
CidrBlock=entry["CidrBlock"],
Egress=entry["Egress"],
NetworkAclId=network_acl_id,
PortRange={
"From": portrange_from,
"To": entry["PortRange"]["To"],
},
Protocol=entry["Protocol"],
RuleAction=entry["RuleAction"],
RuleNumber=rule_no,
)
rule_nos.append(rule_no)
port = (portrange_from, entry["PortRange"]["To"])
port_ranges.append(port)

def remediate(self, region, client, network_acl_id, cloud_account_id):
"""Remove Network ACL Rules that allows public access to administration ports (3389 and 22)
:param region: The buckets region
Expand All @@ -276,23 +81,39 @@ def remediate(self, region, client, network_acl_id, cloud_account_id):
logging.info(
"executing client.describe_network_acls to get network acl"
)
logging.info(" executing client.describe_network_acls")
logging.info(f" NetworkAclId: {network_acl_id}")
# List network acl details
network_acl = client.describe_network_acls(
NetworkAclIds=[network_acl_id]
)
network_acl_entries = network_acl["NetworkAcls"][0]
#Create List of Rule Numbers
rule_nos = self.create_list_of_rule_nos(network_acl_entries)
#Create List of Port Ranges
port_ranges = self.create_list_of_port_range(network_acl_entries)
#Remove the port from the Network ACL entries
self.find_and_remove_port(
network_acl_id,
client,
network_acl_entries,
port_no,
rule_nos,
port_ranges,
)
for entry in network_acl_entries["Entries"]:
#Searching for the ingress nacl entries with RuleAction = allow,
#protocol as tcp or all traffic, CidrBlock="0.0.0.0/0" and the
#port range inclusive of port 22 and 3389
if (
entry["Egress"] is False
and entry["RuleAction"] == "allow"
and entry["Protocol"] in ["6", "-1"]
and entry["CidrBlock"] == "0.0.0.0/0"
and (
"PortRange" not in entry
or (
entry["PortRange"]["From"] <= port_no
and entry["PortRange"]["To"] >= port_no
)
)
):
# Delete nacl entry which provides public access to administration ports (3389 and 22)
logging.info(" executing client.delete_network_acl_entry")
logging.info(f" NetworkAclId: {network_acl_id}")
logging.info(f" RuleNumber: {entry['RuleNumber']}")
client.delete_network_acl_entry(
Egress=False,
NetworkAclId=network_acl_id,
RuleNumber=entry["RuleNumber"],
)
logging.info("successfully completed remediation job")
except Exception as e:
logging.error(f"{str(e)}")
Expand Down
6 changes: 3 additions & 3 deletions remediation_worker/jobs/aws_ec2_administration_ports_ingress_allowed/constraints.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,9 +29,9 @@ py==1.9.0 \
pluggy==0.13.1 \
--hash=sha256:15b2acde666561e1298d71b523007ed7364de07029219b604cf808bfa1c765b0 \
--hash=sha256:966c145cd83c96502c3c3868f50408687b38434af77734af1e9ca461a4081d2d
s3transfer==0.3.4 \
--hash=sha256:1e28620e5b444652ed752cf87c7e0cb15b0e578972568c6609f0f18212f259ed \
--hash=sha256:7fdddb4f22275cf1d32129e21f056337fd2a80b6ccef1664528145b72c49e6d2
s3transfer==0.5.0 \
--hash=sha256:50ed823e1dc5868ad40c8dc92072f757aa0e653a192845c94a3b676f4a62da4c \
--hash=sha256:9c1dc369814391a6bda20ebbf4b70a0f34630592c9aa520856bf384916af2803
six==1.15.0 \
--hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \
--hash=sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced
Expand Down
2 changes: 1 addition & 1 deletion remediation_worker/jobs/aws_ec2_administration_ports_ingress_allowed/minimum_policy.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
"Effect": "Allow",
"Action": [
"ec2:DescribeNetworkAcls",
"ec2:DeleteNetworkAcl"
"ec2:DeleteNetworkAclEntry"
],
"Resource": "*"
}
Expand Down
12 changes: 6 additions & 6 deletions remediation_worker/jobs/aws_ec2_administration_ports_ingress_allowed/requirements.txt
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
boto3==1.16.60 \
--hash=sha256:10e8d9b18a8ae15677e850c7240140b9539635a03098f01dfdd75b2042d15862 \
--hash=sha256:aee742f2a2315244fb31a507f65d8809fcd0029508c0b12be8611ddd2075b666
botocore==1.19.60 \
--hash=sha256:423a1a9502bd7bc5db8c6e64f9374f64d8ac18e6b870278a9ff65f59d268cd58 \
--hash=sha256:80dd615a34c7e2c73606070a9358f7b5c1cb0c9989348306c1c9ddff45bb6ebe
boto3==1.18.4 \
--hash=sha256:649ed1ca205f5ee0b0328d54580780aebc1a7a05681a24f6ee05253007ca48d8 \
--hash=sha256:7079b40bd6621c54a0385a8fc11240cff4318a4d487292653e393e18254f5d94
botocore==1.21.5 \
--hash=sha256:0070c5e02b581db40ff5fd1b5e02db90ed88e7e861901894bd78fd998656da68 \
--hash=sha256:bed34fe7a007180f4208b65515bab1755cdd9fcf2c6720f74ae7ecd2e707f4b7
Loading

0 comments on commit f8159ff

Please sign in to comment.