From fe2b324a6a470e20da6dc213c82c7bf00e887e72 Mon Sep 17 00:00:00 2001
From: KuetTai
Date: Fri, 26 Apr 2024 17:42:57 +0000
Subject: [PATCH 1/6] Fix new features error handling
---
 Screener.py | 8 +++++++-
 frameworks/Framework.py | 3 +++
 frameworks/FrameworkPageBuilder.py | 2 +-
 frameworks/NIST/map.json | 6 +++---
 4 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/Screener.py b/Screener.py
index e745dce..63ab0ab 100644
--- a/Screener.py
+++ b/Screener.py
@@ -102,7 +102,13 @@ def scanByService(service, regions, filters):
 GLOBALRESOURCES = Config.get(globalKey, [])
 if len(GLOBALRESOURCES) > 0:
- contexts[service[0]]['GLOBAL'] = GLOBALRESOURCES
+ garr = {}
+ ginfo = {}
+ for identifier, obj in GLOBALRESOURCES.items():
+ garr[identifier] = obj['results']
+ ginfo[identifier] = obj['info']
+
+ contexts[service[0]]['GLOBAL'] = arr
 time_end = time.time()
 scanned = Config.get(scannedKey)
diff --git a/frameworks/Framework.py b/frameworks/Framework.py
index 6ba10be..221c512 100644
--- a/frameworks/Framework.py
+++ b/frameworks/Framework.py
@@ -100,6 +100,9 @@ def formatTitle(self, title):
 return '
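Review bot: The new assignment `contexts[service[0]]['GLOBAL'] = arr` stores a name the added loop never binds — the loop fills `garr` (and `ginfo`, which is then never used), so this either raises NameError or, if `arr` is bound earlier in scanByService outside the hunk, silently stores the per-region results under the GLOBAL key. It should read `contexts[service[0]]['GLOBAL'] = garr`, with `ginfo` stored beside it or dropped. Since the loop calls `.items()`, the default in `Config.get(globalKey, [])` would be clearer as `{}`, although the `len(...) > 0` guard keeps the list default from ever being iterated. scanByService begins before and continues after this hunk.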

' + title + '

'
 def getContent(self, _m):
+ if len(_m) == 0:
+ return
+
 serv, check = _m.split(".")
 if check == '$length':
 cnt = self.getResourceCount(serv)
diff --git a/frameworks/FrameworkPageBuilder.py b/frameworks/FrameworkPageBuilder.py
index d34da39..3983eb8 100644
--- a/frameworks/FrameworkPageBuilder.py
+++ b/frameworks/FrameworkPageBuilder.py
@@ -6,7 +6,7 @@ from frameworks.WAFS.WAFS import WAFS
 from frameworks.MSR.MSR import MSR
 from frameworks.CIS.CIS import CIS
-from frameworks.CIS.CIS import NIST
+from frameworks.NIST.NIST import NIST
 class FrameworkPageBuilder(PageBuilder):
 COMPLIANCE_STATUS = ["Not available", "Compliant", "Need Attention"]
diff --git a/frameworks/NIST/map.json b/frameworks/NIST/map.json
index fd9c3b6..e821474 100644
--- a/frameworks/NIST/map.json
+++ b/frameworks/NIST/map.json
@@ -96,7 +96,7 @@
 "2": ["ec2.SGDefaultDisallowTraffic"],
 "3": ["ec2.EBSInUse", "ec2.EBSEncrypted"],
 "4": ["ec2.EC2Active"],
- "5": [""],
+ "5": [],
 "6": [],
 "7": ["ec2.EBSEncrypted"],
 "8": ["ec2.ASGIMDSv2"],
@@ -297,7 +297,7 @@
 "22": [],
 "23": [],
 "24": ["rds.DefaultMasterAdmin"],
- "25": ["rdsDefaultMasterAdmin"],
+ "25": ["rds.DefaultMasterAdmin"],
 "26": [],
 "27": ["rds.StorageEncrypted"],
 "34": [],
@@ -331,7 +331,7 @@
 "13": ["s3.BucketLifecycle"],
 "14": ["s3.BucketVersioning"],
 "15": ["s3.ObjectLock"],
- "17": ["ServerSideEncrypted", "s3.SSEWithKMS"],
+ "17": ["s3.ServerSideEncrypted", "s3.SSEWithKMS"],
 "19": [],
 "20": ["s3.MFADelete"]
 },
From 6f0c06abc0dbedf967c2d178cb05515a2338906f Mon Sep 17 00:00:00 2001
From: KuetTai
Date: Mon, 29 Apr 2024 07:14:17 +0000
Subject: [PATCH 2/6] Typo on CloudTrail reporter
---
 services/cloudwatch/cloudwatch.reporter.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/cloudwatch/cloudwatch.reporter.json b/services/cloudwatch/cloudwatch.reporter.json
index 0a2ccd5..fd95d08 100644
--- a/services/cloudwatch/cloudwatch.reporter.json
+++ b/services/cloudwatch/cloudwatch.reporter.json
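Review bot: The added guard returns only for an empty string, so an entry with no dot — such as the `rdsDefaultMasterAdmin` typo that this same patch corrects in frameworks/NIST/map.json — still raises ValueError at `serv, check = _m.split(".")` on the next line. Widening it to `if not _m or "." not in _m:` / `return` covers that case with the same early exit, and `serv, sep, check = _m.partition(".")` would additionally tolerate a second dot. The guard returns None implicitly; whether getContent's callers handle None is not visible here, and the rest of getContent lies outside the hunk.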
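Review bot: The identifiers corrected here (`rdsDefaultMasterAdmin`, `ServerSideEncrypted`, the empty string in `"5"`) were only discoverable by a failure at report time, which is what the getContent guard in this same patch works around rather than prevents. A small self-check that walks every list in frameworks/NIST/map.json and asserts each entry has the form `service.CheckName` would catch this class of typo at test time, and the same walk could be pointed at the other frameworks' map.json files.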
@@ -155,7 +155,7 @@
 "[CIS Cloudwatch Guide 12]"
 ]
 },
- "trailWOMASecGroup13": {
+ "trailWOMARouteTable13": {
 "category": "O",
 "^description": "CIS recommends that you create a metric filter and alarm for changes to route tables. Monitoring these changes helps ensure that all VPC traffic flows through an expected path.",
 "shortDesc": "Create alarm: Route Table changes",
From 3b35d3ff53f038615759d282b04e076f323d3b1d Mon Sep 17 00:00:00 2001
From: KuetTai
Date: Mon, 29 Apr 2024 08:14:28 +0000
Subject: [PATCH 3/6] Added workshop link to SSB Framework
---
 frameworks/SSB/map.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/frameworks/SSB/map.json b/frameworks/SSB/map.json
index a4dac84..4207e0a 100644
--- a/frameworks/SSB/map.json
+++ b/frameworks/SSB/map.json
@@ -3,7 +3,7 @@
 "originator": "AWS",
 "shortname": "SSB",
 "fullname": "AWS Startup Security Baseline",
- "description": "The AWS Startup Security Baseline (SSB) is a set of controls that create a minimum foundation for businesses to build securely on AWS without decreasing their agility. These controls form the basis of your security posture and are focused on securing credentials, enabling logging and visibility, managing contact information, and implementing basic data boundaries.
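Review bot: Renaming the reporter key `trailWOMASecGroup13` (and `trailWOMAGateway14` to `trailWOMAVPC14` in PATCH 5/6) changes the identifier the reporter matches results against, while both patches touch only the JSON; the diffstats show no CloudWatch driver change in this series, so this presumably relies on the driver already emitting `trailWOMARouteTable13` and `trailWOMAVPC14`. If anything still writes or references the old keys — the driver or a framework map.json — that finding silently loses its description rather than failing loudly, so a search for the old names across services/ and frameworks/ is worth doing before merge.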

The controls in this guide are designed with early startups in mind, mitigating the most common security risks without requiring significant effort. Many startups begin their journey in the AWS Cloud with a single AWS account. As organizations grow, they migrate to multi-account architectures. The guidance in this guide is designed for single-account architectures, but it helps you set up security controls that are easily migrated or modified as you transition to a multi-account architecture.

The controls in the AWS SSB are separated into two categories: account and workload. Account controls help keep your AWS account secure. It includes recommendations for setting up user access, policies, and permissions, and it includes recommendations for how to monitor your account for unauthorized or potentially malicious activity. Workload controls help secure your resources and code in the cloud, such as applications, backend processes, and data. It includes recommendations such as encryption and reducing the scope of access.",
+ "description": "The AWS Startup Security Baseline (SSB) is a set of controls that create a minimum foundation for businesses to build securely on AWS without decreasing their agility. These controls form the basis of your security posture and are focused on securing credentials, enabling logging and visibility, managing contact information, and implementing basic data boundaries.

The controls in this guide are designed with early startups in mind, mitigating the most common security risks without requiring significant effort. Many startups begin their journey in the AWS Cloud with a single AWS account. As organizations grow, they migrate to multi-account architectures. The guidance in this guide is designed for single-account architectures, but it helps you set up security controls that are easily migrated or modified as you transition to a multi-account architecture.

The controls in the AWS SSB are separated into two categories: account and workload. Account controls help keep your AWS account secure. It includes recommendations for setting up user access, policies, and permissions, and it includes recommendations for how to monitor your account for unauthorized or potentially malicious activity. Workload controls help secure your resources and code in the cloud, such as applications, backend processes, and data. It includes recommendations such as encryption and reducing the scope of access. You can find guides/information on this workshop: https://catalog.workshops.aws/startup-security-baseline/en-US to learn more about it",
 "_": "https://docs.aws.amazon.com/prescriptive-guidance/latest/aws-startup-security-baseline/welcome.html",
 "emptyCheckDefaultMsg": ""
 },
From e893563d149f733189f518a0aab38734e4f10aaa Mon Sep 17 00:00:00 2001
From: KuetTai
Date: Mon, 29 Apr 2024 08:14:59 +0000
Subject: [PATCH 4/6] on Item #87, High Risk - Group by Service to remove 0 item category to be shown on chart
---
 services/cloudfront/drivers/cloudfrontDist.py | 3 +++
 services/dashboard/DashboardPageBuilder.py | 15 +++++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/services/cloudfront/drivers/cloudfrontDist.py b/services/cloudfront/drivers/cloudfrontDist.py
index 3117ba3..de4162d 100644
--- a/services/cloudfront/drivers/cloudfrontDist.py
+++ b/services/cloudfront/drivers/cloudfrontDist.py
@@ -51,6 +51,9 @@ def _checkDeprecatedSSL(self):
 if not 'CustomOriginConfig' in y:
 continue
+ if y['CustomOriginConfig']['OriginProtocolPolicy'] == 'http-only':
+ continue
+
 if 'SSLv3' in y['CustomOriginConfig']['OriginSslProtocols']['Items']:
 self.results['DeprecatedSSLProtocol'] = [-1, '']
 break
diff --git a/services/dashboard/DashboardPageBuilder.py b/services/dashboard/DashboardPageBuilder.py
index 6de26e1..7b6c886 100644
--- a/services/dashboard/DashboardPageBuilder.py
+++ b/services/dashboard/DashboardPageBuilder.py
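Review bot: The new `http-only` skip avoids indexing `OriginSslProtocols` on an origin that carries no TLS settings, but it also means a custom origin reached over plain HTTP produces no finding at all, which is a weaker origin posture than the deprecated-protocol case this check flags. Consider recording that state before the `continue` — a separate `self.results[...]` entry whose key matches whatever the cloudfront reporter JSON defines (not visible here) — rather than passing silently. The enclosing loop and `_checkDeprecatedSSL` continue outside the hunk.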
@@ -85,6 +85,8 @@ def buildContentDetail_dashboard(self):
 donutR = {}
 dataSetsL = {}
 dataSetsR = {}
+ filterDonutL = {}
+ filterDonutR = {}
 regions = self.regions
 services = self.services
@@ -111,13 +113,22 @@ def buildContentDetail_dashboard(self):
 donutL[region] += hri
 donutR[serv] += hri
+ for region, cnt in donutL.items():
+ if cnt > 0:
+ filterDonutL[region] = cnt
+
+ for serv, cnt in donutR.items():
+ if cnt > 0:
+ filterDonutR[serv] = cnt
+ + # card = self.generateCard(pid=pid, html=html, cardClass='danger', title='No. Criticality', titleBadge='', collapse=False, noPadding=False)
- html = self.generateDonutPieChart(donutL, 'hriByRegion', 'doughnut')
+ html = self.generateDonutPieChart(filterDonutL, 'hriByRegion', 'doughnut')
 card = self.generateCard(pid=self.getHtmlId('chartServRegion'), html=html, cardClass='warning', title='High Risk - Group by Region', titleBadge='', collapse=True, noPadding=False)
 items = [[card, '']]
- html = self.generateDonutPieChart(donutR, 'hriByService', 'pie')
+ html = self.generateDonutPieChart(filterDonutR, 'hriByService', 'pie')
 card = self.generateCard(pid=self.getHtmlId('pieHriByService'), html=html, cardClass='warning', title='High Risk - Group by Service', titleBadge='', collapse=True, noPadding=False)
 items.append([card, ''])
From 57c0c473af591ea7dd6a223574ef8aa32057e637 Mon Sep 17 00:00:00 2001
From: KuetTai
Date: Mon, 29 Apr 2024 17:34:53 +0800
Subject: [PATCH 5/6] Update cloudwatch.reporter.json
---
 services/cloudwatch/cloudwatch.reporter.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/cloudwatch/cloudwatch.reporter.json b/services/cloudwatch/cloudwatch.reporter.json
index fd95d08..69b1c49 100644
--- a/services/cloudwatch/cloudwatch.reporter.json
+++ b/services/cloudwatch/cloudwatch.reporter.json
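Review bot: The two filtering loops, together with the `filterDonutL`/`filterDonutR` initialisations added in the earlier hunk at line 85, can collapse to two dict comprehensions placed right before the chart calls — `filterDonutL = {region: cnt for region, cnt in donutL.items() if cnt > 0}` and `filterDonutR = {serv: cnt for serv, cnt in donutR.items() if cnt > 0}` — which keeps each definition next to its use. The commented-out `# card = self.generateCard(pid=pid, html=html, ...)` line between the loops and the first chart call refers to a `pid` that is not defined here and an `html` that is only assigned on the following line; whether or not this commit introduced it, it is dead code and should be deleted. buildContentDetail_dashboard starts before the first hunk and continues past this one.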
@@ -168,7 +168,7 @@
 "[CIS Cloudwatch Guide 13]"
 ]
 },
- "trailWOMAGateway14": {
+ "trailWOMAVPC14": {
 "category": "O",
 "^description": "CIS recommends that you create a metric filter and alarm for changes to VPCs. Monitoring these changes helps ensure that authentication and authorization controls remain intact.",
 "shortDesc": "Create alarm: VPC Changes",
@@ -233,4 +233,4 @@
 "[CIS Cloudwatch Guide 16]"
 ]
 }
-}
\ No newline at end of file
+}
From 7d562e17d0d63f209cdf829f6aca0621d8e34229 Mon Sep 17 00:00:00 2001
From: KuetTai
Date: Mon, 29 Apr 2024 20:44:21 +0800
Subject: [PATCH 6/6] Fix EFS not proper and checks Fix EFS not proper and checks
---
 services/efs/drivers/EfsDriver.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/services/efs/drivers/EfsDriver.py b/services/efs/drivers/EfsDriver.py
index 2e4944a..f6d5ccd 100644
--- a/services/efs/drivers/EfsDriver.py
+++ b/services/efs/drivers/EfsDriver.py
@@ -9,12 +9,12 @@ def __init__(self, efs, efs_client):
 self.results = {}
 self.init()
- def __check_encrypted(self):
+ def _checkEncrypted(self):
 self.results['EncryptedAtRest'] = [1, 'Enabled']
 if self.efs['Encrypted'] != 1:
 self.results['EncryptedAtRest'] = [-1, 'Disabled']
- def __check_lifecycle_configuration(self):
+ def _checkLifecycle_configuration(self):
 self.results['Lifecycle'] = [1, 'Enabled']
 efs_id = self.efs['FileSystemId']
@@ -25,7 +25,7 @@ def __check_lifecycle_configuration(self):
 if len(life_cycle['LifecyclePolicies']) == 0:
 self.results['EnabledLifecycle'] = [-1, 'Disabled']
- def __check_backup_policy(self):
+ def _checkBackupPolicy(self):
 self.results['AutomatedBackup'] = [1, 'Enabled']
 efs_id = self.efs['FileSystemId']
@@ -34,4 +34,4 @@ def __check_backup_policy(self):
 )
 if backup['BackupPolicy']['Status'] == 'DISABLED':
- self.results['AutomatedBackup'] = [-1, 'Disabled']
\ No newline at end of file
+ self.results['AutomatedBackup'] = [-1, 'Disabled']
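Review bot: In `_checkLifecycle_configuration` the passing default goes to `self.results['Lifecycle']` while the failing branch in the next hunk writes `self.results['EnabledLifecycle']`, so a file system with no lifecycle policy reports `Lifecycle` as Enabled and `EnabledLifecycle` as Disabled at the same time; the commit title says it fixes the EFS checks but leaves this mismatch, and both lines should use whichever single key the EFS reporter JSON expects (not visible here). The new names also mix styles — `_checkLifecycle_configuration` beside `_checkEncrypted` and `_checkBackupPolicy` — and `_checkLifecycleConfiguration` would be consistent, assuming the base class behind `self.init()` dispatches on the `_check` prefix only, which is presumably why dropping the name-mangled `__check_` form makes these checks run at all. Each method body continues outside its hunk.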