Merge pull request #1790 from fatima99s/settingCheckENI

Added check ENI setting for open all port plugins

Author: mehakseedat63

exports.js

@@ -965,7 +965,6 @@ module.exports = {
         'lbHttpsOnly'                   : require(__dirname + '/plugins/azure/loadbalancer/lbHttpsOnly.js'),
         'lbNoInstances'                 : require(__dirname + '/plugins/azure/loadbalancer/lbNoInstances.js'),
         'lbHasTags'                     : require(__dirname + '/plugins/azure/loadbalancer/lbHasTags.js'),
-        'applicationGatewayHasTags'     : require(__dirname + '/plugins/azure/loadbalancer/applicationGatewayHasTags.js'),
         'lbLogAnalyticsEnabled'         : require(__dirname + '/plugins/azure/loadbalancer/lbLogAnalyticsEnabled.js'),
 
         'kvRecoveryEnabled'             : require(__dirname + '/plugins/azure/keyvaults/kvRecoveryEnabled.js'),
@@ -1000,6 +999,7 @@ module.exports = {
         'enableDefenderForKeyVaults'     : require(__dirname + '/plugins/azure/defender/enableDefenderForKeyVaults.js'),
 
         'agWafEnabled'                  : require(__dirname + '/plugins/azure/applicationGateway/agWafEnabled'),
+        'applicationGatewayHasTags'     : require(__dirname + '/plugins/azure/applicationGateway/applicationGatewayHasTags.js'),
         'agSecurityLoggingEnabled'      : require(__dirname + '/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js'),
         'agSslPolicy'                   : require(__dirname + '/plugins/azure/applicationGateway/agSslPolicy'),
         'agPreventionModeEnabled'       : require(__dirname + '/plugins/azure/applicationGateway/agPreventionModeEnabled.js'),        

plugins/aws/ec2/openAllPortsProtocols.js

@@ -16,6 +16,12 @@ module.exports = {
             description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
             regex: '^(true|false)$',
             default: 'false',
+        },
+        check_network_interface: {
+            name: 'Check Associated ENI',
+            description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+            regex: '^(true|false)$',
+            default: 'false',
         }
     },
     compliance: {
@@ -31,9 +37,11 @@ module.exports = {
     run: function(cache, settings, callback) {
         var config = {
             ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+            check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
         };
 
         config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+        config.check_network_interface = (config.check_network_interface == 'true');
 
         var results = [];
         var source = {};
@@ -109,6 +117,9 @@ module.exports = {
                             usedGroups.length && !usedGroups.includes(groups[g].GroupId)) {
                         helpers.addResult(results, 1, `Security Group: ${groups[g].GroupId} is not in use`,
                             region, resource);
+                    } else if ( config.check_network_interface) {
+                        var resultString =  `Security group:${groups[g].GroupId} (${groups[g].GroupName}) has ${strings.join(' and ')}`;
+                        helpers.checkNetworkInterface(groups[g].GroupId, groups[g].GroupName, resultString, region, results, resource, cache);
                     } else {
                         helpers.addResult(results, 2,
                             'Security group: ' + groups[g].GroupId +

plugins/aws/ec2/openAllPortsProtocols.spec.js

@@ -76,6 +76,47 @@ const describeSecurityGroups = [
             }
         ],
         "VpcId": "vpc-99de2fe4"
+    },
+    {
+        "Description": "Allows SSh access to developer",
+        "GroupName": "spec-test-sg2",
+        "IpPermissions": [{
+            "IpProtocol": "tcp",
+            "IpRanges": [
+                {
+                    "CidrIp": "0.0.0.0/0"
+                }
+            ],
+            "Ipv6Ranges": [
+                {
+                    "CidrIpv6": "::/0"
+                }
+            ],
+            "PrefixListIds": [],
+            "UserIdGroupPairs": []
+        }],
+        "OwnerId": "12345654321",
+        "GroupId": "sg-001",
+        "IpPermissionsEgress": [
+            {
+                "FromPort": 25,
+                "IpProtocol": "tcp",
+                "IpRanges": [
+                    {
+                        "CidrIp": "0.0.0.0/0"
+                    }
+                ],
+                "Ipv6Ranges": [
+                    {
+                        "CidrIpv6": "::/0"
+                    }
+                ],
+                "PrefixListIds": [],
+                "ToPort": 25,
+                "UserIdGroupPairs": []
+            }
+        ],
+        "VpcId": "vpc-99de2fe4"
     }
 ];
 
@@ -90,7 +131,7 @@ const describeNetworkInterfaces = [
           },
           {
             "GroupName": "HTTP-Access",
-            "GroupId": "sg-02e2c70cd463dca29"
+            "GroupId": "sg-001639e564442dfec"
           },
         ],
         "InterfaceType": "interface",
@@ -261,7 +302,7 @@ describe('openAllPortsProtocols', function () {
         });
 
         it('should WARN if security group is unused', function (done) {
-            const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], []);
+            const cache = createCache([describeSecurityGroups[2]], [describeNetworkInterfaces[0]], []);
             openAllPortsProtocols.run(cache, {ec2_skip_unused_groups: 'true'}, (err, results) => {
                 expect(results.length).to.equal(1);
                 expect(results[0].status).to.equal(1);
@@ -294,6 +335,14 @@ describe('openAllPortsProtocols', function () {
                 done();
             });
         });
+        it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+            const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+            openAllPortsProtocols.run(cache, {check_network_interface:'true'}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                done();
+            });
+        });
 
     });
 });

plugins/aws/ec2/openAllPortsProtocolsEgress.js

@@ -16,14 +16,22 @@ module.exports = {
             description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
             regex: '^(true|false)$',
             default: 'false',
+        },
+        check_network_interface: {
+            name: 'Check Associated ENI',
+            description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+            regex: '^(true|false)$',
+            default: 'false',
         }
     },
     run: function(cache, settings, callback) {
         var config = {
             ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+            check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
         };
 
         config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+        config.check_network_interface = (config.check_network_interface == 'true');
 
         var results = [];
         var source = {};
@@ -89,6 +97,9 @@ module.exports = {
                         usedGroups.length && !usedGroups.includes(group.GroupId)) {
                         helpers.addResult(results, 1, `Security Group: ${group.GroupId} is not in use`,
                             region, resource);
+                    } else if ( config.check_network_interface) {
+                        var resultString =  `Security group:${group.GroupId} (${group.GroupName}) has ${strings.join(' and ')}`;
+                        helpers.checkNetworkInterface(group.GroupId, group.GroupName, resultString, region, results, resource, cache);
                     } else {
                         helpers.addResult(results, 2,
                             'Security group: ' + group.GroupId +

plugins/aws/ec2/openAllPortsProtocolsEgress.spec.js

@@ -76,7 +76,48 @@ const describeSecurityGroups = [
             }
         ],
         "VpcId": "vpc-99de2fe4"
-    }
+    },
+    {
+        "Description": "Allows SSh access to developer",
+        "GroupName": "spec-test-sg2",
+        "IpPermissionsEgress": [{
+            "IpProtocol": "tcp",
+            "IpRanges": [
+                {
+                    "CidrIp": "0.0.0.0/0"
+                }
+            ],
+            "Ipv6Ranges": [
+                {
+                    "CidrIpv6": "::/0"
+                }
+            ],
+            "PrefixListIds": [],
+            "UserIdGroupPairs": []
+        }],
+        "OwnerId": "12345654321",
+        "GroupId": "sg-001639e5",
+        "IpPermissions": [
+            {
+                "FromPort": 25,
+                "IpProtocol": "tcp",
+                "IpRanges": [
+                    {
+                        "CidrIp": "0.0.0.0/0"
+                    }
+                ],
+                "Ipv6Ranges": [
+                    {
+                        "CidrIpv6": "::/0"
+                    }
+                ],
+                "PrefixListIds": [],
+                "ToPort": 25,
+                "UserIdGroupPairs": []
+            }
+        ],
+        "VpcId": "vpc-99de2fe4"
+    },
 ];
 
 const describeNetworkInterfaces = [
@@ -90,7 +131,7 @@ const describeNetworkInterfaces = [
           },
           {
             "GroupName": "HTTP-Access",
-            "GroupId": "sg-02e2c70cd463dca29"
+            "GroupId": "sg-001639e564442dfec"
           },
         ],
         "InterfaceType": "interface",
@@ -261,7 +302,7 @@ describe('openAllPortsEgress', function () {
         });
 
         it('should WARN if security group is unused', function (done) {
-            const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], []);
+            const cache = createCache([describeSecurityGroups[2]], [describeNetworkInterfaces[0]], []);
             openAllPortsEgress.run(cache, {ec2_skip_unused_groups: 'true'}, (err, results) => {
                 expect(results.length).to.equal(1);
                 expect(results[0].status).to.equal(1);
@@ -294,6 +335,13 @@ describe('openAllPortsEgress', function () {
                 done();
             });
         });
-
+        it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+            const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+            openAllPortsEgress.run(cache, {check_network_interface:'true'}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                done();
+            });
+        });
     });
 });

plugins/azure/loadbalancer/applicationGatewayHasTags.js renamed to plugins/azure/applicationGateway/applicationGatewayHasTags.js

@@ -3,8 +3,8 @@ const helpers = require('../../../helpers/azure');
 
 module.exports = {
     title: 'Application Gateway Has Tags',
-    category: 'Load Balancer',
-    domain: 'Availability',
+    category: 'Application Gateway',
+    domain: 'Network Access Control',
     description: 'Ensures that Microsoft Azure Application Gateway has tags associated.',
     more_info: 'Tags help you to group resources together that are related to or associated with each other. It is a best practice to tag cloud resources to better organize and gain visibility into their usage.',
     recommended_action: 'Modify application gateways and add tags.',