From a347f9e8a897faaff4277739a1c1b8543fcc2bf7 Mon Sep 17 00:00:00 2001
From: Shrutika Kulkarni
Date: Wed, 4 Aug 2021 20:58:13 +0530
Subject: [PATCH 1/2] PLA-29459 - Update Readme and tox file

---
 README.md | 4 ++++
 tox.ini | 54 +++++++++++++++++++++++++++++++++++++++---------------
 2 files changed, 43 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index 8e31468..79b74ae 100644
--- a/README.md
+++ b/README.md
@@ -149,6 +149,10 @@ The table below lists all the supported jobs with their links.
 | 36. | 2cdb8877-7ac3-4483-9ed0-1e792171d125 | EBS volume snapshot should be private | [ebs-private-snapshot](remediation_worker/jobs/ebs_private_snapshot) |
 | 37. | 5c8c26467a550e1fb6560c48 | RDS instance should restrict public access | [rds-remove-public-endpoint](remediation_worker/jobs/rds_remove_public_endpoint) |
 | 38. | 5c8c264a7a550e1fb6560c4c | RDS should have automatic minor version upgrades enabled | [rds-enable-version-update](remediation_worker/jobs/rds_enable_version_update) |
+| 39. | 5c8c25f37a550e1fb6560bca | EC2 VPC default security group should restrict all access | [aws-ec2-default-security-group-traffic](remediation_worker/jobs/aws_ec2_default_security_group_traffic) |
+| 40. | 5c8c260b7a550e1fb6560bf4 | IAM password policy should set a minimum length | [aws-iam-password-policy-min-length](remediation_worker/jobs/aws_iam_password_policy_min_length) |
+| 41. | 5c8c26107a550e1fb6560bfc | IAM password policy should prevent password reuse | [aws-iam-password-reuse-prevention](remediation_worker/jobs/aws_iam_password_reuse_prevention) |
+| 42. | 7fe4eb28-3b82-11eb-adc1-0242ac120002 | IAM server certificates that are expired should be removed | [aws-iam-server-certificate-expired](remediation_worker/jobs/aws_iam_server_certificate_expired) |
 ## Contributing
 The Secure State team welcomes welcomes contributions from the community. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will update the issue when you open a Pull Request. For any questions about the CLA process, please refer to our [FAQ](https://cla.vmware.com/faq).

diff --git a/tox.ini b/tox.ini
index 7d3972a..6b5443e 100644
--- a/tox.ini
+++ b/tox.ini
@@ -2,17 +2,21 @@
 minversion = 3.6.0
 skip_missing_interpreters = true
 envlist =
- unit-ec2-close-port-5601
- unit-ec2-close-port-5439
- unit-ec2-close-port-3306
- unit-ec2-close-port-27017
- unit-ec2-close-port-23
- unit-ec2-close-port-21
- unit-ec2-close-port-20
- unit-ec2-close-port-1521
- unit-ec2-close-port-1433
- unit-ec2-close-port-8080
- unit-ec2-close-port-8200-9300
+ unit-aws-ec2-default-security-group-traffic
+ unit-aws-iam-password-policy-min-length
+ unit-aws-iam-password-reuse-prevention
+ unit-aws-iam-server-certificate-expired
+ unit-ec2-close-port-5601
+ unit-ec2-close-port-5439
+ unit-ec2-close-port-3306
+ unit-ec2-close-port-27017
+ unit-ec2-close-port-23
+ unit-ec2-close-port-21
+ unit-ec2-close-port-20
+ unit-ec2-close-port-1521
+ unit-ec2-close-port-1433
+ unit-ec2-close-port-8080
+ unit-ec2-close-port-8200-9300
 unit-security-group-close-port-5432
 unit-s3-remove-public-admin-acl
 unit-s3-enable-access-logging
@@ -52,10 +56,10 @@ envlist =
 unit-azure-postgresql-allow-access-to-azure-service-disabled
 unit-aws-s3-bucket-policy-allow-https
 unit-aws-sqs-queue-publicly-accessible
- unit-ebs-private-snapshot
- unit-rds-remove-public-endpoint
- unit-rds_enable_version_update
- unit-kinesis-encrypt-stream
+ unit-ebs-private-snapshot
+ unit-rds-remove-public-endpoint
+ unit-rds_enable_version_update
+ unit-kinesis-encrypt-stream
 [testenv]
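Review bot: The eleven `unit-ec2-close-port-*` envlist entries are deleted and re-added with identical names, so that part of the hunk is presumably a whitespace or indentation change that the collapsed patch cannot show; the second hunk (`@@ -52,10 +56,10 @@`) does the same to four more entries. Interleaving that re-indentation with the four genuinely new `unit-aws-*` entries hides the fact that only four envlist lines change in substance. Reviewing with `git diff -w`, or landing the whitespace normalization as its own commit, would keep the functional change readable; if the indentation was unified on purpose, a one-line note in the commit message saying so would also help the next reader.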
@@ -390,3 +394,23 @@ deps = -r remediation_worker/jobs/ec2_close_port_9200_9300/requirements-dev.txt
 changedir = test
 pytest --capture=no --basetemp="{envtmpdir}" unit/test_ec2_close_port_8080.py
 deps = -r remediation_worker/jobs/ec2_close_port_8080/requirements-dev.txt
+
+[testenv:unit-aws-ec2-default-security-group-traffic]
+changedir = test
+pytest --capture=no --basetemp="{envtmpdir}" unit/test_aws_ec2_default_security_group_traffic.py
+deps = -r remediation_worker/jobs/aws_ec2_default_security_group_traffic/requirements-dev.txt
+
+[testenv:unit-aws-iam-password-policy-min-length]
+changedir = test
+pytest --capture=no --basetemp="{envtmpdir}" unit/test_aws_iam_password_policy_min_length.py
+deps = -r remediation_worker/jobs/aws_iam_password_policy_min_length/requirements-dev.txt
+
+[testenv:unit-aws-iam-password-reuse-prevention]
+changedir = test
+pytest --capture=no --basetemp="{envtmpdir}" unit/test_aws_iam_password_reuse_prevention.py
+deps = -r remediation_worker/jobs/aws_iam_password_reuse_prevention/requirements-dev.txt
+
+[testenv:unit-aws-iam-server-certificate-expired]
+changedir = test
+pytest --capture=no --basetemp="{envtmpdir}" unit/test_aws_iam_server_certificate_expired.py
+deps = -r remediation_worker/jobs/aws_iam_server_certificate_expired/requirements-dev.txt

From 9323a0e50db5e88d8fd16f75159a9bdb03a267cc Mon Sep 17 00:00:00 2001
From: Shrutika Kulkarni
Date: Wed, 4 Aug 2021 21:20:35 +0530
Subject: [PATCH 2/2] PLA-29459 - Updated readme

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 79b74ae..fffc546 100644
--- a/README.md
+++ b/README.md
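Review bot: The four new `[testenv:unit-aws-…]` sections in this hunk repeat the same three lines with only the job name varying, so every job needs its envlist entry, section name, test module path and `requirements-dev.txt` path kept in sync by hand; a comment above the first new section, `# one testenv per job: the envlist entry, test module and requirements-dev.txt path must agree`, would make that convention explicit. In each section the `pytest --capture=no …` line carries no `commands =` key; the collapsed patch has lost indentation, so it is presumably a continuation line in the same shape as the existing ec2_close_port_8080 section shown in context, but it is worth confirming that tox actually resolves it as the command to run. The four `requirements-dev.txt` files these sections install are not part of this patch, and nothing in tox.ini constrains what they pull in, so it is worth checking that they pin versions (ideally with hashes) before the envs run in CI.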
@@ -134,7 +134,7 @@ The table below lists all the supported jobs with their links.
 | 21. | 688d093c-3b8d-11eb-adc1-0242ac120002 | S3 bucket should allow only HTTPS requests | [aws-s3-bucket-policy-allow-https](remediation_worker/jobs/aws_s3_bucket_policy_allow_https) |
 | 22. | 09639b9d-98e8-493b-b8a4-916775a7dea9 | SQS queue policy should restricted access to required users | [aws-sqs-queue-publicly-accessible](remediation_worker/jobs/aws_sqs_queue_publicly_accessible) |
 | 23. | 1ec4a1f2-3e08-11eb-b378-0242ac130002 | Network ACL should restrict administration ports (3389 and 22) from public access | [aws-ec2-administration-ports-ingress-allowed](remediation_worker/jobs/aws_ec2_administration_ports_ingress_allowed) |
-| 24. | ce603728-d631-4bae-8657-c22da6e5944e | Kinesis data stream should be encrypted
+| 24. | ce603728-d631-4bae-8657-c22da6e5944e | Kinesis data stream should be encrypted | [kinesis-encrypt-stream](remediation_worker/jobs/kinesis_encrypt_stream) |
 | 25. | 5c8c263d7a550e1fb6560c39 | EC2 instance should restrict public access to FTP data port (20) | [ec2-close-port-20](remediation_worker/jobs/ec2_close_port_20) |
 | 26. | 4823ede0-7bed-4af0-a182-81c2ada80203 | EC2 instance should restrict public access to Kibana (5601) | [ec2-close-port-5601](remediation_worker/jobs/ec2_close_port_5601) |
 | 27. | 5c8c26427a550e1fb6560c41 | EC2 instance should restrict public access to MySQL server port (3306) | [ec2-close-port-3306](remediation_worker/jobs/ec2_close_port_3306) |