Merge pull request #161 from Cloud-Architects/new-security-checs

New security checks
Cloud-Architects · Nov 17, 2020 · 6290ae5 · 6290ae5
2 parents f07961b + 08fc2a4
commit 6290ae5
Show file tree

Hide file tree

Showing 6 changed files with 114 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -313,6 +313,8 @@ This features is experimental, but now you can run commands to check and analyze
 *   EBS Encryption enabled
 *   EC2 IMDSV2 Check
 *   DynamoDB PITR Enabled
+*   Incoming SSH Disabled
+*   Cloudtrail enabled
 
 ## Using a Docker container
 To build docker container using Dockerfile

diff --git a/cloudiscovery/__init__.py b/cloudiscovery/__init__.py
@@ -43,11 +43,11 @@
 
 # pylint: enable=wrong-import-position
 # Check version
-if sys.version_info < (3, 6):
-    print("Python 3.6 or newer is required", file=sys.stderr)
+if sys.version_info < (3, 8):
+    print("Python 3.8 or newer is required", file=sys.stderr)
     sys.exit(1)
 
-__version__ = "2.2.4"
+__version__ = "2.3"
 
 AVAILABLE_LANGUAGES = ["en_US", "pt_BR"]
 DEFAULT_REGION = "us-east-1"

diff --git a/cloudiscovery/provider/security/data/commands_enabled.py b/cloudiscovery/provider/security/data/commands_enabled.py
@@ -13,6 +13,14 @@
         "method": "ebs_encryption",
         "short_description": "Check that Amazon Elastic Block Store (EBS) encryption is enabled by default.",
     },
+    "restricted-ssh": {
+        "parameters": [
+            {"name": "restricted_ssh", "default_value": "no", "type": "bool"}
+        ],
+        "class": "EC2",
+        "method": "restricted_ssh",
+        "short_description": "Checks whether SG that are in use disallow unrestricted incoming SSH traffic.",
+    },
     "imdsv2-check": {
         "parameters": [{"name": "imdsv2_check", "default_value": "no", "type": "bool"}],
         "class": "EC2",
@@ -25,4 +33,12 @@
         "method": "pitr_enabled",
         "short_description": "Checks that point in time recovery is enabled for Amazon DynamoDB tables.",
     },
+    "cloudtrail-enabled": {
+        "parameters": [
+            {"name": "cloudtrail_enabled", "default_value": "no", "type": "bool"}
+        ],
+        "class": "CLOUDTRAIL",
+        "method": "cloudtrail_enabled",
+        "short_description": "Checks whether AWS CloudTrail is enabled in your AWS account.",
+    },
 }
diff --git a/cloudiscovery/provider/security/resource/commands/CLOUDTRAIL.py b/cloudiscovery/provider/security/resource/commands/CLOUDTRAIL.py
@@ -0,0 +1,37 @@
+from provider.security.command import SecurityOptions
+
+from shared.common import (
+    Resource,
+    ResourceDigest,
+    SecurityValues,
+)
+
+
+class CLOUDTRAIL:
+    def __init__(self, options: SecurityOptions):
+        self.options = options
+
+    def cloudtrail_enabled(self, cloudtrail_enabled):
+
+        client = self.options.client("cloudtrail")
+
+        trails = client.list_trails()
+
+        resources_found = []
+
+        if not trails["Trails"]:
+            resources_found.append(
+                Resource(
+                    digest=ResourceDigest(id="cloudtrail", type="cloudtrail_enabled"),
+                    details="CLOUDTRAIL disabled",
+                    name="cloudtrail",
+                    group="cloudtrail_security",
+                    security=SecurityValues(
+                        status="CRITICAL",
+                        parameter="cloudtrail_enabled",
+                        value="False",
+                    ),
+                )
+            )
+
+        return resources_found
diff --git a/cloudiscovery/provider/security/resource/commands/EC2.py b/cloudiscovery/provider/security/resource/commands/EC2.py
@@ -70,3 +70,59 @@ def imdsv2_check(self, imdsv2_check):
                     )
 
         return resources_found
+
+    def restricted_ssh(self, restricted_ssh):
+
+        client = self.options.client("ec2")
+
+        security_groups = client.describe_security_groups()
+
+        resources_found = []
+
+        # pylint: disable=too-many-nested-blocks
+        for security_group in security_groups["SecurityGroups"]:
+            for ip_permission in security_group["IpPermissions"]:
+                if "FromPort" in ip_permission and "ToPort" in ip_permission:
+                    # Port 22 possible opened using port range
+                    if ip_permission["FromPort"] <= 22 >= ip_permission["ToPort"]:
+                        # IPv4
+                        for cidr in ip_permission["IpRanges"]:
+                            if cidr["CidrIp"] == "0.0.0.0/0":
+                                resources_found.append(
+                                    Resource(
+                                        digest=ResourceDigest(
+                                            id=security_group["GroupId"],
+                                            type="restricted_ssh",
+                                        ),
+                                        details="The SSH port of this security group is opened to the world.",
+                                        name=security_group["GroupName"],
+                                        group="ec2_security",
+                                        security=SecurityValues(
+                                            status="CRITICAL",
+                                            parameter="restricted_ssh",
+                                            value="False",
+                                        ),
+                                    )
+                                )
+
+                        # IPv6
+                        for cidr in ip_permission["Ipv6Ranges"]:
+                            if cidr["CidrIpv6"] == "::/0":
+                                resources_found.append(
+                                    Resource(
+                                        digest=ResourceDigest(
+                                            id=security_group["GroupId"],
+                                            type="restricted_ssh",
+                                        ),
+                                        details="The SSH port of this security group is opened to the world.",
+                                        name=security_group["GroupName"],
+                                        group="ec2_security",
+                                        security=SecurityValues(
+                                            status="CRITICAL",
+                                            parameter="restricted_ssh",
+                                            value="False",
+                                        ),
+                                    )
+                                )
+
+        return resources_found
diff --git a/setup.py b/setup.py
@@ -79,8 +79,6 @@ def run(self):
         "Natural Language :: English",
         "License :: OSI Approved :: Apache Software License",
         "Programming Language :: Python",
-        "Programming Language :: Python :: 3.6",
-        "Programming Language :: Python :: 3.7",
         "Programming Language :: Python :: 3.8",
     ],
     cmdclass={"verify": VerifyVersionCommand},