- Abstract
- Quick Start Guide
- Job Execution
- Logging
- Contributing
- Repository Administrator Resources
- VMware Resources
These are open-source remediation jobs to be used in conjunction with the SecureState remediation worker for Python. To make use of this code, you must run the worker and have a SecureState workergroup properly set up.
There are a couple of conventions that must be followed in order to contribute working jobs to this repository:
- The directory structure and
- The file names
Each job must be entirely self-contained within a directory, which is where the job gets its name from.
For example, a directory by the name of s3-remove-public-access will result in a job called s3-remove-public-access.
In order to execute a Python job, the file must be named the same as the directory, with a .py extension.
For example, the job s3-remove-public-access must have a s3-remove-public-access.py file within that directory.
The requirements.txt file and the constraints.txt file are optional but recommended. This ensures the worker can install the requirements in a repeatable fashion, which ensures the SecureState application will not invalidate jobs due to new requirements being installed.
When the worker runs, all requirements found in the (optional) requirements.txt and constraints.txt files will be installed relative to the job directory. When the job is executed, the Python runtime is restricted to the requirements in that relative path. This ensures all code being executed is known to the SecureState worker and can be verified via checksum. The worker also moves the entire folder to a separate working directory to ensure local imports will not work.
The worker executes jobs in a fashion similar to running python ./s3-remove-public-access/s3-remove-public-access.py {... finding payload json ...}
The finding payload is in the form:
{
  "cloudAccount": {
    "provider": <string>,
    "roleArn": <string,omitempty>,
    "subscriptionId": <string,omitempty>,
    "applicationId": <string,omitempty>
  },
  "notificationInfo": {
    "RuleID": <string>,
    "RuleName": <string>,
    "RuleDisplayName": <string>,
    "Level": <string>,
    "Service": <string>,
    "FindingInfo": {
      "FindingId": <string>,
      "ObjectId": <string>,
      "ObjectChain": <string>,
      "CloudTags": {
        "<key1>": "<value1>",
        "<key2>": "<value2>",
      },
      "RiskScore": <integer>,
      "Region": <string>,
      "Service": <string>
    }
  },
  "autoRemediate": <boolean>
}
All stdout and stderr logs are sent to the SecureState web application for display in the user interface. Take care when logging and make sure not to log sensitive data.
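The job execution and logging notes above, combined in an added example (not code from this repository): a job entry point that reads the finding payload, rejects malformed input, and logs only an allowlisted summary. It assumes the payload arrives as the first command-line argument, as the command line above suggests; the names `parse_finding`, `LOGGABLE` and `SAMPLE`, the sample values, and the choice of which fields are safe to log are all assumptions of this example.

```python
import json
import logging
import sys

# FindingInfo keys echoed to the log. Withholding everything else (roleArn,
# subscriptionId, applicationId, CloudTags) is this example's assumption.
LOGGABLE = ("FindingId", "ObjectId", "Region", "Service")

# Constructed sample payload (not real data) in the shape the page documents.
SAMPLE = json.dumps({
    "cloudAccount": {"provider": "aws", "roleArn": "arn:aws:iam::111111111111:role/x"},
    "notificationInfo": {"RuleID": "rule-0000", "FindingInfo": {
        "FindingId": "finding-0000", "ObjectId": "example-bucket",
        "CloudTags": {"owner": "alice"}, "Region": "us-east-1"}},
    "autoRemediate": True,
})


def parse_finding(raw):
    """Return (full payload, allowlisted summary that is safe to log)."""
    try:
        payload = json.loads(raw)
        info = payload["notificationInfo"]
        finding = info["FindingInfo"]
        summary = {"provider": payload["cloudAccount"]["provider"],
                   "RuleID": info["RuleID"]}
        summary.update({k: finding[k] for k in LOGGABLE if k in finding})
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError(f"malformed finding payload: {exc!r}") from exc
    return payload, summary


def main(argv):
    logging.basicConfig(stream=sys.stdout, level=logging.INFO)
    if len(argv) != 2:
        logging.error("expected one argument: the finding payload JSON")
        return 2
    try:
        payload, summary = parse_finding(argv[1])
    except ValueError as exc:
        logging.error("%s", exc)  # parser error only, never the raw payload
        return 1
    logging.info("finding received: %s", json.dumps(summary, sort_keys=True))
    # Provider-specific remediation would use payload and summary["ObjectId"] here.
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```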
The Secure State team welcomes contributions from the community. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will update the issue when you open a Pull Request. For any questions about the CLA process, please refer to our FAQ. All contributions to this repository must be signed as described on that page. Your signature certifies that you wrote the patch or have the right to pass it on as an open-source patch.
For more detailed information, refer to CONTRIBUTING.md.
Board members are volunteers from the community and VMware staff members. Board members are not held responsible for any issues which may occur from running samples from this repository.
Members:
- Paul Allen (VMware)
If you find a bug, please open a GitHub issue.