

Add functionality for setting severity level overrides per rule. Thes…
…e overrides replace severities set by Security Hub and are maintained manually.
bensonce committed May 29, 2024
1 parent 56e6c70 commit f40ef4b
Showing 2 changed files with 20 additions and 10 deletions.
20 changes: 12 additions & 8 deletions scripts/index.py
Expand Up @@ -3,17 +3,17 @@
from pathlib import Path
from typing import List

from lib.aws_config_rule import AwsConfigRule
from lib.aws_config_rule import AwsConfigRule, SeverityOverride
from lib.aws_docs_reader import generate_config_rule_data, generate_security_hub_controls_data
from lib.hcl_generator import generate_variables, generate_locals, load_source_file
from lib.hcl_reader import read_hcl_file

ROOT_PAGE = 'https://docs.aws.amazon.com/config/latest/developerguide/'
AWS_MANAGED_RULES_PAGE = ROOT_PAGE + 'managed-rules-by-aws-config.html'
SECURITY_HUB_ROOT_PAGE = "https://docs.aws.amazon.com/securityhub/latest/userguide"
SECURITY_HUB_CONTROLS_REF_PAGE = "securityhub-controls-reference.html"
CURRENT_DIR = Path(__file__).resolve().parent
SOURCE_FILE_NAME = Path(CURRENT_DIR, 'config_rule_data.json')
SEVERITY_OVERRIDES_FILE_PATH = Path(CURRENT_DIR, '..', 'etc', 'severity_overrides.yaml').resolve()
SECURITY_HUB_CONTROLS_FILE_PATH = Path(CURRENT_DIR, 'security_hub_controls.json')
LOCALS_FILE_PATH = Path(CURRENT_DIR, '..', 'managed_rules_locals.tf').resolve()
VARIABLES_FILE_PATH = Path(CURRENT_DIR, '..', 'managed_rules_variables.tf').resolve()
Expand All @@ -29,18 +29,17 @@
# Scrape AWS documentation for the latest Config Rules.
generate_config_rule_data(
root_url=ROOT_PAGE,
managed_rules_page=AWS_MANAGED_RULES_PAGE)
managed_rules_page=AWS_MANAGED_RULES_PAGE,
output_file=SOURCE_FILE_NAME)
# Scrape AWS documentation for the latest Security Hub controls.
generate_security_hub_controls_data(
root_url=SECURITY_HUB_ROOT_PAGE,
controls_ref_page=SECURITY_HUB_CONTROLS_REF_PAGE,
output_file=SECURITY_HUB_CONTROLS_FILE_PATH)

# Load the list of managed rules from the existing locals block.
data = read_hcl_file(LOCALS_FILE_PATH)
existing_rules_data = None
for _, local in enumerate(data['locals']):
existing_rules_data = local['managed_rules']
# Load the manual severity overrides.
severity_overrides_data = load_source_file(SEVERITY_OVERRIDES_FILE_PATH)
severity_overrides = [SeverityOverride(rule_name=k, data=v) for k, v in severity_overrides_data['overrides'].items()]

# Load source file with the latest Config Rule definitions.
latest_config_rules_data = load_source_file(SOURCE_FILE_NAME)
Expand All @@ -51,6 +50,11 @@
rules: List[AwsConfigRule] = []
for rule_data in latest_config_rules_data:
rule = AwsConfigRule(data=rule_data)
for override in severity_overrides:
if override.rule_name == rule.name:
logging.info(f"Updating {rule.name} severity with override -> {override.severity}")
rule.set_severity_level(override.severity)
break
for control in controls:
if rule.name == control['rule']:
logging.info(f"Updating {rule.name} severity -> {control['severity']}")
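Review bot: The override is applied before the Security Hub loop that follows it, so if that loop sets the severity from `control['severity']` as its log line at the end of the hunk suggests, the manual override is immediately overwritten — the opposite of what the commit message promises. Apply the override after the controls loop, or record a match and guard the Security Hub update with it, e.g. `overridden = any(o.rule_name == rule.name for o in severity_overrides)` before the controls loop and `if not overridden:` around its `set_severity_level` call. `override.severity` is declared Optional and is passed to `set_severity_level` unchecked, so an entry in severity_overrides.yaml that lacks a `severity` key would set the rule's severity to None; guard with `if override.severity is not None:` or validate when the overrides are loaded. The nested scan is also rules × overrides; a dict built once where the overrides are loaded (`{o.rule_name: o for o in severity_overrides}`, hunk at @@ -29) turns it into a single lookup. The enclosing `for rule_data` loop continues past the hunk.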
10 changes: 8 additions & 2 deletions scripts/lib/aws_config_rule.py
Expand Up @@ -2,7 +2,7 @@
import re
import yaml

from typing import Union, List
from typing import List, Optional, Union


class AwsConfigRuleLocal:
Expand Down Expand Up @@ -200,4 +200,10 @@ def tf_variable_default_value(self) -> str:
raw_string = yaml.dump(result, default_flow_style=False, default_style='')
fixed = self.replace_colons_with_equals(raw_string)
return f"{{\n{fixed}}}"
return None
return None


class SeverityOverride:
def __init__(self, rule_name: str, data: dict) -> None:
self.rule_name: str = rule_name
self.severity: Optional[str] = data.get('severity')
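Review bot: `SeverityOverride.__init__` silently accepts an entry with no `severity` key — `data.get('severity')` yields None, which the caller in scripts/index.py passes straight to `set_severity_level` — so a typo in severity_overrides.yaml degrades a rule's severity to None instead of failing the run. Validate in `__init__`: `if self.severity is None: raise ValueError(f"severity override for {rule_name!r} is missing 'severity'")`, after which the attribute no longer needs to be Optional. The class also has no docstring; add one stating that it holds a manually maintained severity for one Config rule, read from the overrides file, and that it is meant to replace the value scraped from Security Hub. If the set of allowed severity values is defined elsewhere in this module, checking the override against it here would catch spelling or case mistakes before they reach the generated Terraform.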

