

Initial commit
lloesche committed Mar 5, 2024
0 parents commit 9c9aac3
Showing 46 changed files with 7,694 additions and 0 deletions.
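--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,35 @@
+__pycache__
+this
+.idea/
+tmp/
+runner.env
+artifacts/
+*~
+*backups
+.cache
+docker-tag
+.tox/
+.*.swp
+*.egg-info
+wheelhouse/
+test/build/*
+PASSED
+FAILED
+test/.vagrant/*
+.pytest_cache
+.eggs/
+venv*
+/config/
+*.code-workspace
+*/build/
+docs/_build/
+.DS_Store
+.coverage
+.dccache
+fixshell/backup_*
+fixcore/tools/Assets
+out/
+*.iml
+**/.hypothesis/
+.sandbox/*
+.env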
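--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -0,0 +1,2 @@
+include README.md
+recursive-include fixcompliance/data *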
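--- a/README.md
+++ b/README.md
@@ -0,0 +1,2 @@
+# `fixcompliance`
+Fix Inventory Compliance Benchmarks and Checks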
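--- a/fixcompliance/__init__.py
+++ b/fixcompliance/__init__.py
@@ -0,0 +1,53 @@
+import os
+import json
+import time
+import threading
+from typing import Any, Dict
+from pkg_resources import resource_filename
+
+__version__ = "0.4.1"
+
+Json = Dict[str, Any]
+CACHE_TIMEOUT = 3600
+_cache = {}
+_cache_lock = threading.Lock()
+
+
+def benchmarks_from_files() -> Dict[str, Json]:
+return _from_files("data/benchmark", add_id=True)
+
+
+def checks_from_files() -> Dict[str, Json]:
+return _from_files("data/checks", add_id=False)
+
+
+def _from_files(json_path: str, add_id: bool = False) -> dict[str, Json]:
+static_path = os.path.abspath(resource_filename(__package__, json_path))
+result = {}
+if os.path.exists(static_path):
+for provider in (d.path for d in os.scandir(static_path) if d.is_dir()):
+for path in (d.path for d in os.scandir(provider) if d.is_file() and d.name.endswith(".json")):
+item_id = os.path.basename(path).rsplit(".", maxsplit=1)[0]
+item = cached_json_loads(path)
+if add_id:
+item["id"] = item_id
+result[item_id] = item
+return result
+
+
+def cached_json_loads(file_path: str) -> Json:
+global _cache
+now = time.time()
+mtime = os.path.getmtime(file_path)
+
+cache_entry = _cache.get(file_path)
+if cache_entry and cache_entry["mtime"] == mtime and now - cache_entry["cached"] < CACHE_TIMEOUT:
+return cache_entry["content"]
+else:
+with open(file_path, "rt", encoding="utf-8") as f:
+content = json.load(f)
+with _cache_lock:
+cache_entry = _cache.get(file_path)
+if not (cache_entry and cache_entry["mtime"] == mtime and now - cache_entry["cached"] < CACHE_TIMEOUT):
+_cache[file_path] = {"content": content, "mtime": mtime, "cached": now}
+return content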
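Review bot: `cached_json_loads` returns the very dict object held in `_cache`, and `_from_files` then writes `item["id"] = item_id` into it when `add_id` is true, so every caller of `benchmarks_from_files()` shares one mutable object per file and any later modification by a consumer silently persists in the cache until the file's mtime changes or the entry expires. Returning `copy.deepcopy(cache_entry["content"])` on the cached path (with `import copy` at the top) would isolate callers; alternatively document on `cached_json_loads` that the returned object is shared and must be treated as read-only. The `global _cache` declaration is unnecessary because the dict is only mutated, never rebound, and the first `_cache.get(file_path)` runs outside `_cache_lock`; that is safe under CPython but deserves a one-line comment saying so. `_from_files` also annotates its return as `dict[str, Json]` while the public wrappers use `Dict[str, Json]`; one form should be used throughout. `pkg_resources` is deprecated upstream in favour of `importlib.resources`, and since `resource_filename` is only used to build a filesystem path, `importlib.resources.files(__package__) / json_path` would avoid the import-time cost of `pkg_resources`.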
521 changes: 521 additions & 0 deletions fixcompliance/data/benchmark/aws/aws_cis_1_5.json

Large diffs are not rendered by default.

514 changes: 514 additions & 0 deletions fixcompliance/data/benchmark/aws/aws_cis_2_0.json

Large diffs are not rendered by default.

Large diffs are not rendered by default.

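--- a/fixcompliance/data/benchmark/aws/waf_notes.md
+++ b/fixcompliance/data/benchmark/aws/waf_notes.md
@@ -0,0 +1,5 @@
+
+- SEC02-BP06: check all custom permissions if they allow privilege escalation
+e.g. iam:*, (iam:PassRole and ec2:RunInstances), (iam:PassRole and lambda:CreateFunction and lambda:InvokeFunction)
+- SEC03-BP07: SQS queue and SNS topic not publicly accessible check is missing (policy)
+- SEC04-BP04: Cloudwatch: ensure alerts for log metric filters are configured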
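--- a/fixcompliance/data/benchmark_template.json
+++ b/fixcompliance/data/benchmark_template.json
@@ -0,0 +1,17 @@
+{
+"title": "",
+"framework": "",
+"clouds": ["aws"],
+"version": "",
+"description": "",
+"documentation": "can contain markdown",
+"children": [
+{
+"title": "",
+"description": "",
+"documentation": "can contain markdown",
+"checks": [],
+"children": []
+}
+]
+}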
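--- a/fixcompliance/data/check_template.json
+++ b/fixcompliance/data/check_template.json
@@ -0,0 +1,33 @@
+{
+"name": "",
+"title": "",
+"result_kinds": ["result kind returned by the query"],
+"categories": [
+"insights",
+"security",
+"compliance",
+"cost"
+],
+"risk": "",
+"severity": "critical|high|medium|low|info",
+"url": "",
+"detect": {
+"fix": "is(resource)",
+"fix_cmd": "search is(resource) | do_something",
+"sql": "select * from table where column = 'value'"
+},
+"remediation": {
+"action": {
+"aws_cli": null,
+"fix": null,
+"xxx": null
+},
+"text": "",
+"url": "",
+"complexity": "high|medium|low"
+},
+"related": [],
+"internal_notes": ""
+}
+
+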
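--- a/fixcompliance/data/checks/aws/aws_acm.json
+++ b/fixcompliance/data/checks/aws/aws_acm.json
@@ -0,0 +1,35 @@
+{
+"provider": "aws",
+"service": "acm",
+"checks": [
+{
+"name": "certificate_transparency_logging_enabled",
+"title": "Ensure ACM Certificate Transparency Is Enabled to Enhance Website Security and Detect Unauthorized SSL/TLS Certificates",
+"result_kinds": [
+"aws_acm_certificate"
+],
+"categories": [
+"security",
+"compliance"
+],
+"risk": "Without ACM certificate transparency, the risk of unauthorized SSL/TLS certificates going undetected increases, posing a threat to website and infrastructure security.",
+"severity": "medium",
+"detect": {
+"fix": "is(aws_acm_certificate) and type!=IMPORTED and certificate_transparency_logging!=ENABLED"
+},
+"remediation": {
+"text": "To fix this issue, select the certificate you want to check in ACM. In the certificate details, look for the 'Certificate Transparency Logging' attribute and ensure it is enabled.",
+"url": "https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-transparency",
+"complexity": "low"
+},
+"url": "https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-transparency",
+"localizations": {
+"de": {
+"title": "Stellen Sie sicher, dass die ACM-Zertifikatstransparenz aktiviert ist, um die Sicherheit der Website zu verbessern und nicht autorisierte SSL/TLS-Zertifikate zu erkennen.",
+"risk": "Ohne die ACM-Zertifikatstransparenz besteht ein erhöhtes Risiko, dass nicht autorisierte SSL/TLS-Zertifikate unbemerkt bleiben und eine Bedrohung für die Sicherheit der Website und der Infrastruktur darstellen.",
+"remediation": "Um dieses Problem zu beheben, wählen Sie das Zertifikat aus, das Sie überprüfen möchten, in ACM aus. In den Zertifikatdetails suchen Sie nach dem Attribut 'Zertifikatstransparenzprotokollierung' und stellen Sie sicher, dass es aktiviert ist."
+}
+}
+}
+]
+}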
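--- a/fixcompliance/data/checks/aws/aws_apigateway.json
+++ b/fixcompliance/data/checks/aws/aws_apigateway.json
@@ -0,0 +1,120 @@
+{
+"provider": "aws",
+"service": "apigateway",
+"checks": [
+{
+"name": "authorizers_enabled",
+"title": "Ensure API Gateway Is Configured with Authorizers",
+"result_kinds": [
+"aws_apigateway_rest_api"
+],
+"categories": [
+"security",
+"compliance"
+],
+"risk": "Without a defined authorizer, your service could be exposed to unsanctioned use. This lack of control poses a security risk and can lead to unauthorized access and misuse.",
+"severity": "medium",
+"url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html",
+"detect": {
+"fix": "is(aws_apigateway_rest_api) with(empty, --> is(aws_apigateway_authorizer))"
+},
+"remediation": {
+"text": "Implement an authorizer by adding an Amazon Cognito user pool or attaching an AWS Lambda function. This will provide controlled access for users interacting with your API.",
+"url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html",
+"complexity": "high"
+},
+"localizations": {
+"de": {
+"title": "Stellen Sie sicher, dass das API Gateway mit Authorizern konfiguriert ist",
+"risk": "Ohne definierten Authorizer könnte Ihr Service unautorisierten Zugriffen ausgesetzt sein. Diese mangelnde Kontrolle stellt ein Sicherheitsrisiko dar und kann zu unbefugtem Zugriff und Missbrauch führen.",
+"remediation": "Implementieren Sie einen Authorizer, indem Sie einen Amazon Cognito Benutzerpool hinzufügen oder eine AWS Lambda Funktion anhängen. Dadurch wird kontrollierter Zugriff für Benutzer ermöglicht, die mit Ihrer API interagieren."
+}
+}
+},
+{
+"name": "client_certificate_enabled",
+"title": "Ensure That Client Certificate Is Enabled on API Gateway for Backend Endpoint Access",
+"result_kinds": [
+"aws_apigateway_stage"
+],
+"categories": [
+"security",
+"compliance"
+],
+"risk": "Without client certificate enforcement, potential 'man-in-the-middle' attacks can occur, jeopardizing data integrity and confidentiality. Unsecured API calls may also be intercepted, leading to unauthorized data access.",
+"severity": "medium",
+"url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-mutual-tls.html",
+"detect": {
+"fix": "is(aws_apigateway_stage) and stage_client_certificate_id==null <-[2]- is(aws_apigateway_rest_api)"
+},
+"remediation": {
+"text": "Enable the client certificate and implement mutual TLS for secure data transit. Mutual TLS is highly recommended for B2B applications, adhering to norms such as Open Banking. Amazon API Gateway provides integral mutual TLS authentication at no additional cost.",
+"url": "https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/",
+"complexity": "high"
+},
+"localizations": {
+"de": {
+"title": "Stellen Sie sicher, dass das Clientzertifikat für Backend-Endpunktzugriff in der API Gateway aktiviert ist",
+"risk": "Ohne Durchsetzung des Clientzertifikats können potenzielle 'Man-in-the-Middle'-Angriffe auftreten, bei denen die Integrität und Vertraulichkeit von Daten gefährdet werden. Nicht gesicherte API-Aufrufe können ebenfalls abgefangen werden, was zu unbefugtem Datenzugriff führt.",
+"remediation": "Aktivieren Sie das Clientzertifikat und implementieren Sie Mutual TLS für sicheren Datentransit. Mutual TLS wird für B2B-Anwendungen dringend empfohlen und entspricht Normen wie Open Banking. Amazon API Gateway bietet eine integrierte Mutual TLS-Authentifizierung ohne zusätzliche Kosten."
+}
+}
+},
+{
+"name": "logging_enabled",
+"title": "Ensure API Gateway Stages Have Logging Enabled",
+"result_kinds": [
+"aws_apigateway_stage"
+],
+"categories": [
+"compliance"
+],
+"risk": "Without enabling logging, you compromise on the visibility and traceability of your service usage, potentially missing crucial operational insights, security vulnerabilities, and debugging information.",
+"severity": "medium",
+"detect": {
+"fix": "is(aws_apigateway_stage) and stage_method_settings!={}"
+},
+"remediation": {
+"text": "To remediate, ensure you enable monitoring in all parts of your AWS solution. Particularly, ensure CloudTrail is active for logging API Gateway actions, which can offer insights like the nature of requests, originating IP address, the executor of the request, and more.",
+"url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/security-monitoring.html",
+"complexity": "low"
+},
+"url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/logging-and-monitoring.html",
+"localizations": {
+"de": {
+"title": "Stellen Sie sicher, dass API Gateway-Stufen das Logging aktiviert haben",
+"risk": "Wenn das Logging nicht aktiviert ist, beeinträchtigen Sie die Sichtbarkeit und Nachverfolgbarkeit der Nutzung Ihres Dienstes. Dadurch können wesentliche betriebliche Erkenntnisse, Sicherheitsschwachstellen und Debugging-Informationen übersehen werden.",
+"remediation": "Um das Problem zu beheben, stellen Sie sicher, dass Sie die Überwachung in allen Teilen Ihrer AWS-Lösung aktivieren. Stellen Sie insbesondere sicher, dass CloudTrail für das Protokollieren von API Gateway-Aktionen aktiviert ist. Dadurch erhalten Sie Einblicke wie die Art der Anfragen, die IP-Adresse des Ursprungs, den Ausführer der Anfrage und mehr."
+}
+}
+},
+{
+"name": "waf_acl_attached",
+"title": "Ensure API Gateway Has a WAF ACL Attached",
+"result_kinds": [
+"aws_apigateway_stage"
+],
+"categories": [
+"security"
+],
+"risk": "Without a WAF ACL, API Gateway could be exposed to common web threats such as SQL injection and XSS attacks. These could compromise security, affect availability and performance, and consume excessive resources.",
+"severity": "medium",
+"detect": {
+"fix": "is(aws_apigateway_stage) and stage_web_acl_arn==null"
+},
+"remediation": {
+"text": "Mitigate this risk by using AWS WAF to protect your API Gateway from threats. AWS WAF can block these common web attacks, safeguarding both service performance and security.",
+"url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html",
+"complexity": "medium"
+},
+"url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html",
+"localizations": {
+"de": {
+"title": "Stellen Sie sicher, dass API Gateway einen WAF ACL angehängt hat.",
+"risk": "Ohne einen WAF ACL kann API Gateway gängigen Web-Bedrohungen wie SQL-Injektionen und XSS-Angriffen ausgesetzt sein. Diese könnten die Sicherheit beeinträchtigen, die Verfügbarkeit und Leistung beeinträchtigen und übermäßige Ressourcen verbrauchen.",
+"remediation": "Verringern Sie dieses Risiko, indem Sie AWS WAF verwenden, um Ihr API Gateway vor Bedrohungen zu schützen. AWS WAF kann diese gängigen Web-Angriffe blockieren und sowohl die Leistung als auch die Sicherheit des Dienstes schützen."
+}
+}
+}
+]
+}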
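Review bot: The `logging_enabled` detect query `is(aws_apigateway_stage) and stage_method_settings!={}` looks inverted relative to the other checks in this file, whose detect queries select the non-compliant resource (`stage_web_acl_arn==null`, `stage_client_certificate_id==null`): as written it appears to flag stages that do have method settings configured rather than those without any. If the intent is to report stages with no logging configuration, the comparison should presumably be `stage_method_settings=={}`, and it may additionally need to inspect the logging level inside the settings, since a stage can carry method settings with logging switched off; please confirm against the resource model. The remediation text for the same check points at CloudTrail, while the query inspects stage method settings (execution logging), so either the text should describe enabling CloudWatch execution/access logging on the stage or the query should match the text. Separately, the top-level `url` key appears before `detect` in the first two checks and after `remediation` in the last two; a consistent key order would make these files easier to review.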
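--- a/fixcompliance/data/checks/aws/aws_autoscaling.json
+++ b/fixcompliance/data/checks/aws/aws_autoscaling.json
@@ -0,0 +1,34 @@
+{
+"provider": "aws",
+"service": "autoscaling",
+"checks": [
+{
+"name": "launch_template_public_ip_disabled",
+"title": "Ensure Auto-Scaling Launch Templates Do Not Automatically Assign Public IP Addresses",
+"result_kinds": [
+"aws_autoscaling_group"
+],
+"categories": [
+"security",
+"compliance"
+],
+"risk": "Auto-assigning public IP addresses in Auto Scaling launch templates can lead to unintended public exposure of EC2 instances. This increases the risk of malicious activities such as brute force attacks, data breaches, or unauthorized access, compromising instance security and data integrity.",
+"severity": "medium",
+"detect": {
+"fix": "is(aws_autoscaling_group) with (any, --> is(aws_ec2_launch_template) and launch_template_data.network_interfaces[*].associate_public_ip_address==true)"
+},
+"remediation": {
+"text": "To fix the issue, modify the Auto Scaling launch template. Set 'AssociatePublicIpAddress' to false for all network interfaces in the launch template. Additionally, ensure instances are launched in private subnets where public access is not required.",
+"url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#launch-template-network",
+"complexity": "low"
+},
+"localizations": {
+"de": {
+"title": "Stellen Sie sicher, dass Auto Scaling Launch-Vorlagen keine öffentlichen IP-Adressen automatisch zuweisen",
+"risk": "Die automatische Zuweisung öffentlicher IP-Adressen in Auto Scaling Launch-Vorlagen kann zu unbeabsichtigter öffentlicher Zugänglichkeit von EC2-Instanzen führen. Dadurch steigt das Risiko von bösartigen Aktivitäten wie Brute-Force-Angriffen, Datenschutzverletzungen oder unberechtigtem Zugriff, was die Sicherheit und Datenintegrität der Instanz gefährdet.",
+"remediation": "Um das Problem zu beheben, ändern Sie die Auto Scaling Launch-Vorlage. Setzen Sie 'AssociatePublicIpAddress' für alle Netzwerkschnittstellen in der Launch-Vorlage auf false. Stellen Sie außerdem sicher, dass Instanzen in privaten Subnetzen gestartet werden, wo kein öffentlicher Zugriff erforderlich ist."
+}
+}
+}
+]
+}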
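Review bot: This check omits the top-level `url` field that `check_template.json` declares and that every check in aws_acm.json and aws_apigateway.json carries; the `no_secrets_in_output` check in aws_cloudformation.json has the same gap. If the loader or UI treats the field as optional that is acceptable, but then the template should say which keys are optional; otherwise add `"url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#launch-template-network",` next to `severity` here, mirroring the remediation link. The detect query also targets `aws_autoscaling_group` while the check name and title speak of launch templates, which is presumably deliberate so that findings attach to the group that actually launches instances; a one-line `internal_notes` entry stating that would spare the next reader the question.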
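--- a/fixcompliance/data/checks/aws/aws_cloudformation.json
+++ b/fixcompliance/data/checks/aws/aws_cloudformation.json
@@ -0,0 +1,34 @@
+{
+"provider": "aws",
+"service": "cloudformation",
+"checks": [
+{
+"name": "no_secrets_in_output",
+"title": "Ensure There Are No Secrets in CloudFormation Outputs",
+"result_kinds": [
+"aws_cloudformation_stack"
+],
+"categories": [
+"security",
+"compliance"
+],
+"risk": "Using secrets hardcoded into CloudFormation outputs can enable malware and bad actors to gain unauthorized access to other services, leading to potential data breaches and compromised infrastructure.",
+"severity": "critical",
+"detect": {
+"fix_cmd": "search is(aws_cloudformation_stack) | detect-secrets --path stack_outputs --with-secrets"
+},
+"remediation": {
+"text": "To fix this issue, avoid including secrets in CloudFormation outputs. Instead, use the AWS Secrets Manager service to securely store and retrieve passwords and other sensitive information.",
+"url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html",
+"complexity": "low"
+},
+"localizations": {
+"de": {
+"title": "Stellen Sie sicher, dass in den CloudFormation-Ausgaben keine Geheimnisse enthalten sind",
+"risk": "Die Verwendung von in CloudFormation-Ausgaben fest codierten Geheimnissen kann Malware und bösartigen Akteuren ermöglichen, unbefugten Zugriff auf andere Dienste zu erlangen, was zu potenziellen Datenschutzverletzungen und beeinträchtigter Infrastruktur führen kann.",
+"remediation": "Um dieses Problem zu beheben, vermeiden Sie die Verwendung von Geheimnissen in den CloudFormation-Ausgaben. Verwenden Sie stattdessen den AWS Secrets Manager-Dienst, um Passwörter und andere sensitive Informationen sicher zu speichern und abzurufen."
+}
+}
+}
+]
+}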

