Release/v1.12.0 (#129)

kshrutik · lytran2000 · sreedevikr · web-flow · commit 463dc3a09f89 · 2022-05-16T20:56:54.000+05:30
* Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, … (#93) * Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, 3306, 5439, 5601, 8080, 9200 and 9300 * Checking in unit test and tox.ini, made modification to remove common pkg from ec2_close_port_20.py * Checking in README with addition aws close port rules * Update README with correct port names for the new scripts * PLA-26195 - Handled PrincipalNotFound Exception in sql auditing job (#98) * PLA-24844 - Remediation job to restrict default security group access (#85) * PLA-24844 - Remediation job to restrict default security group access * PLA-24844 - Remediation job to restrict default security group access * Updated the remediation job code * PLA-25429 - Remediation job to set password reuse prevention policy (#89) * PLA-25429 - Remediation job to set password reuse prevention policy * PLA-25429 - Updated unit test * Updated the remediation job code * PLA-25428 - Remediation Job to set minimum password length (#90) * PLA-25430 - Remediation Job to delete expired server certificate (#96) * Initial commit for kinesis_encrypt_stream (#97) * Initial commit for kinesis_encrypt_stream * modified to add a return and exception to kinesis_encrypt_stream.py and unit testcases for remediate * remove print * update README.md * update README.md * remove format in kinesis_encrypt_stream.py * update README with a correct instruction to run the script and add a missing error loggin Co-authored-by: Shrutika Kulkarni <73834811+kshrutik@users.noreply.github.com> * PLA-26855 - Updated azure remediation jobs to wait for the poller result (#99) * PLA-26855 - Updated azure remediation jobs to wait for the poller result * PLA-26855 - Update azure jobs to poll continuously and log the status * Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_versi… (#101) * Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_version_update, rds_remove_public_endpoint * Update ebs_private_snapshot.py * Incorporated comments and inputs from PR review * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * PLA-29176 - Fix remediation jobs for port rules (#102) * PLA-29176 - Fix remediation jobs for port rules * PLA-29176 - updated requirements * PLA-29176 - Updated the public instance port remediation jobs * PLA-29176 - Fixed readme file * PLA-29176 - Fixed comments * PLA-29176 - Updated all the AWS port rule remediation jobs * PLA-29176 - Fixed requirements-dev file * PLA-29176 - Added comments * PLA-29459 - Update Readme and tox file (#104) * PLA-29459 - Update Readme and tox file * PLA-29459 - Updated readme * Fixed requirements file (#105) * PLA-28074 - Update py version from 1.9.0 to 1.10.0 (#108) * Fix import issues in azure jobs (#107) * Initial commit for aws s3 remove full access to authenticated users (#118) * Initial commit for aws s3 remove full access to authenticated users * Correct the ruleid, minimum permissions, removed the botocore.exceptions.ClientError as put_bucket_acl doesnot throw exception and created test case * Updated the main readme and tox.ini file * Included a try catch exception block in the remediation job and added test case for exception case * Aws rds snapshot remove publicaccess (#117) * Release/v1.8.0 (#106) * Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, … (#93) * Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, 3306, 5439, 5601, 8080, 9200 and 9300 * Checking in unit test and tox.ini, made modification to remove common pkg from ec2_close_port_20.py * Checking in README with addition aws close port rules * Update README with correct port names for the new scripts * PLA-26195 - Handled PrincipalNotFound Exception in sql auditing job (#98) * PLA-24844 - Remediation job to restrict default security group access (#85) * PLA-24844 - Remediation job to restrict default security group access * PLA-24844 - Remediation job to restrict default security group access * Updated the remediation job code * PLA-25429 - Remediation job to set password reuse prevention policy (#89) * PLA-25429 - Remediation job to set password reuse prevention policy * PLA-25429 - Updated unit test * Updated the remediation job code * PLA-25428 - Remediation Job to set minimum password length (#90) * PLA-25430 - Remediation Job to delete expired server certificate (#96) * Initial commit for kinesis_encrypt_stream (#97) * Initial commit for kinesis_encrypt_stream * modified to add a return and exception to kinesis_encrypt_stream.py and unit testcases for remediate * remove print * update README.md * update README.md * remove format in kinesis_encrypt_stream.py * update README with a correct instruction to run the script and add a missing error loggin Co-authored-by: Shrutika Kulkarni <73834811+kshrutik@users.noreply.github.com> * PLA-26855 - Updated azure remediation jobs to wait for the poller result (#99) * PLA-26855 - Updated azure remediation jobs to wait for the poller result * PLA-26855 - Update azure jobs to poll continuously and log the status * Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_versi… (#101) * Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_version_update, rds_remove_public_endpoint * Update ebs_private_snapshot.py * Incorporated comments and inputs from PR review * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * PLA-29176 - Fix remediation jobs for port rules (#102) * PLA-29176 - Fix remediation jobs for port rules * PLA-29176 - updated requirements * PLA-29176 - Updated the public instance port remediation jobs * PLA-29176 - Fixed readme file * PLA-29176 - Fixed comments * PLA-29176 - Updated all the AWS port rule remediation jobs * PLA-29176 - Fixed requirements-dev file * PLA-29176 - Added comments * PLA-29459 - Update Readme and tox file (#104) * PLA-29459 - Update Readme and tox file * PLA-29459 - Updated readme * Fixed requirements file (#105) Co-authored-by: lytran2000 <44222483+lytran2000@users.noreply.github.com> * Release/v1.9.0 (#113) * Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, … (#93) * Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, 3306, 5439, 5601, 8080, 9200 and 9300 * Checking in unit test and tox.ini, made modification to remove common pkg from ec2_close_port_20.py * Checking in README with addition aws close port rules * Update README with correct port names for the new scripts * PLA-26195 - Handled PrincipalNotFound Exception in sql auditing job (#98) * PLA-24844 - Remediation job to restrict default security group access (#85) * PLA-24844 - Remediation job to restrict default security group access * PLA-24844 - Remediation job to restrict default security group access * Updated the remediation job code * PLA-25429 - Remediation job to set password reuse prevention policy (#89) * PLA-25429 - Remediation job to set password reuse prevention policy * PLA-25429 - Updated unit test * Updated the remediation job code * PLA-25428 - Remediation Job to set minimum password length (#90) * PLA-25430 - Remediation Job to delete expired server certificate (#96) * Initial commit for kinesis_encrypt_stream (#97) * Initial commit for kinesis_encrypt_stream * modified to add a return and exception to kinesis_encrypt_stream.py and unit testcases for remediate * remove print * update README.md * update README.md * remove format in kinesis_encrypt_stream.py * update README with a correct instruction to run the script and add a missing error loggin Co-authored-by: Shrutika Kulkarni <73834811+kshrutik@users.noreply.github.com> * PLA-26855 - Updated azure remediation jobs to wait for the poller result (#99) * PLA-26855 - Updated azure remediation jobs to wait for the poller result * PLA-26855 - Update azure jobs to poll continuously and log the status * Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_versi… (#101) * Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_version_update, rds_remove_public_endpoint * Update ebs_private_snapshot.py * Incorporated comments and inputs from PR review * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * PLA-29176 - Fix remediation jobs for port rules (#102) * PLA-29176 - Fix remediation jobs for port rules * PLA-29176 - updated requirements * PLA-29176 - Updated the public instance port remediation jobs * PLA-29176 - Fixed readme file * PLA-29176 - Fixed comments * PLA-29176 - Updated all the AWS port rule remediation jobs * PLA-29176 - Fixed requirements-dev file * PLA-29176 - Added comments * PLA-29459 - Update Readme and tox file (#104) * PLA-29459 - Update Readme and tox file * PLA-29459 - Updated readme * Fixed requirements file (#105) * PLA-28074 - Update py version from 1.9.0 to 1.10.0 (#108) * Fix import issues in azure jobs (#107) Co-authored-by: lytran2000 <44222483+lytran2000@users.noreply.github.com> * Initial commit for aws rds snapshots remove public access * Updated the filename and testing steps in the readme * Corrected the ruleid, added unit test and modified the remediation logic to change the errorcode to the snapshot relevant errorcode and check if all is present in the attribute value list instead of direct equality check as attribute values is a list * Updated tox.ini * Corrected the ruleid in the remediation readme Co-authored-by: Vikramjeet Singh <58273802+vikramsinghvirdi@users.noreply.github.com> Co-authored-by: Shrutika Kulkarni <73834811+kshrutik@users.noreply.github.com> Co-authored-by: lytran2000 <44222483+lytran2000@users.noreply.github.com> * Aws ec2 close port 11211 (#116) * Release/v1.8.0 (#106) * Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, … (#93) * Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, 3306, 5439, 5601, 8080, 9200 and 9300 * Checking in unit test and tox.ini, made modification to remove common pkg from ec2_close_port_20.py * Checking in README with addition aws close port rules * Update README with correct port names for the new scripts * PLA-26195 - Handled PrincipalNotFound Exception in sql auditing job (#98) * PLA-24844 - Remediation job to restrict default security group access (#85) * PLA-24844 - Remediation job to restrict default security group access * PLA-24844 - Remediation job to restrict default security group access * Updated the remediation job code * PLA-25429 - Remediation job to set password reuse prevention policy (#89) * PLA-25429 - Remediation job to set password reuse prevention policy * PLA-25429 - Updated unit test * Updated the remediation job code * PLA-25428 - Remediation Job to set minimum password length (#90) * PLA-25430 - Remediation Job to delete expired server certificate (#96) * Initial commit for kinesis_encrypt_stream (#97) * Initial commit for kinesis_encrypt_stream * modified to add a return and exception to kinesis_encrypt_stream.py and unit testcases for remediate * remove print * update README.md * update README.md * remove format in kinesis_encrypt_stream.py * update README with a correct instruction to run the script and add a missing error loggin Co-authored-by: Shrutika Kulkarni <73834811+kshrutik@users.noreply.github.com> * PLA-26855 - Updated azure remediation jobs to wait for the poller result (#99) * PLA-26855 - Updated azure remediation jobs to wait for the poller result * PLA-26855 - Update azure jobs to poll continuously and log the status * Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_versi… (#101) * Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_version_update, rds_remove_public_endpoint * Update ebs_private_snapshot.py * Incorporated comments and inputs from PR review * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * PLA-29176 - Fix remediation jobs for port rules (#102) * PLA-29176 - Fix remediation jobs for port rules * PLA-29176 - updated requirements * PLA-29176 - Updated the public instance port remediation jobs * PLA-29176 - Fixed readme file * PLA-29176 - Fixed comments * PLA-29176 - Updated all the AWS port rule remediation jobs * PLA-29176 - Fixed requirements-dev file * PLA-29176 - Added comments * PLA-29459 - Update Readme and tox file (#104) * PLA-29459 - Update Readme and tox file * PLA-29459 - Updated readme * Fixed requirements file (#105) Co-authored-by: lytran2000 <44222483+lytran2000@users.noreply.github.com> * Release/v1.9.0 (#113) * Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, … (#93) * Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, 3306, 5439, 5601, 8080, 9200 and 9300 * Checking in unit test and tox.ini, made modification to remove common pkg from ec2_close_port_20.py * Checking in README with addition aws close port rules * Update README with correct port names for the new scripts * PLA-26195 - Handled PrincipalNotFound Exception in sql auditing job (#98) * PLA-24844 - Remediation job to restrict default security group access (#85) * PLA-24844 - Remediation job to restrict default security group access * PLA-24844 - Remediation job to restrict default security group access * Updated the remediation job code * PLA-25429 - Remediation job to set password reuse prevention policy (#89) * PLA-25429 - Remediation job to set password reuse prevention policy * PLA-25429 - Updated unit test * Updated the remediation job code * PLA-25428 - Remediation Job to set minimum password length (#90) * PLA-25430 - Remediation Job to delete expired server certificate (#96) * Initial commit for kinesis_encrypt_stream (#97) * Initial commit for kinesis_encrypt_stream * modified to add a return and exception to kinesis_encrypt_stream.py and unit testcases for remediate * remove print * update README.md * update README.md * remove format in kinesis_encrypt_stream.py * update README with a correct instruction to run the script and add a missing error loggin Co-authored-by: Shrutika Kulkarni <73834811+kshrutik@users.noreply.github.com> * PLA-26855 - Updated azure remediation jobs to wait for the poller result (#99) * PLA-26855 - Updated azure remediation jobs to wait for the poller result * PLA-26855 - Update azure jobs to poll continuously and log the status * Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_versi… (#101) * Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_version_update, rds_remove_public_endpoint * Update ebs_private_snapshot.py * Incorporated comments and inputs from PR review * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * PLA-29176 - Fix remediation jobs for port rules (#102) * PLA-29176 - Fix remediation jobs for port rules * PLA-29176 - updated requirements * PLA-29176 - Updated the public instance port remediation jobs * PLA-29176 - Fixed readme file * PLA-29176 - Fixed comments * PLA-29176 - Updated all the AWS port rule remediation jobs * PLA-29176 - Fixed requirements-dev file * PLA-29176 - Added comments * PLA-29459 - Update Readme and tox file (#104) * PLA-29459 - Update Readme and tox file * PLA-29459 - Updated readme * Fixed requirements file (#105) * PLA-28074 - Update py version from 1.9.0 to 1.10.0 (#108) * Fix import issues in azure jobs (#107) Co-authored-by: lytran2000 <44222483+lytran2000@users.noreply.github.com> * Initial commit for aws ec2 close port 11211 * Updated readme file to reflect the correct python file name * Updates to readme to use the relevant python file * Update the ruleid to use the right one and create unit test case for closing port 11211 for ec2 * Updated the main readme and the tox file * Fixed the readme file by adding back the aws_iam_server_certificate_expired block and then including the aws_ec2_close_port_11211 Co-authored-by: Vikramjeet Singh <58273802+vikramsinghvirdi@users.noreply.github.com> Co-authored-by: Shrutika Kulkarni <73834811+kshrutik@users.noreply.github.com> Co-authored-by: lytran2000 <44222483+lytran2000@users.noreply.github.com> * Modified the remediation logic to check for protocol udp instead of tcp as the remediation is for closing the open udp port for memcache (#119) * Fixed RDS Snapshot remove public access remediation job (#120) * PLA-35232 - Fixed remediation jobs that does not report failures (#124) * PLA-38601 - Fixed azure remediation jobs to wait for the poller result (#125) * PLA-38601 - Fixed azure security port jobs (#128) * PLA-38601 - Fixed azure remediation jobs to wait for the poller result * PLA-38601 - Add all the required source checks for azure security group port rules Co-authored-by: lytran2000 <44222483+lytran2000@users.noreply.github.com> Co-authored-by: sreedevikr <90842270+sreedevikr@users.noreply.github.com> Co-authored-by: Vikramjeet Singh <58273802+vikramsinghvirdi@users.noreply.github.com>
diff --git a/remediation_worker/jobs/azure_network_security_group_close_port_22/azure_network_security_group_close_port_22.py b/remediation_worker/jobs/azure_network_security_group_close_port_22/azure_network_security_group_close_port_22.py
@@ -23,6 +23,7 @@
 
 logging.basicConfig(level=logging.INFO)
 
+source_address_list = ["*", "Internet", "0.0.0.0/0", "0.0.0.0", "/0", "::/0"]
 
 class NetworkSecurityGroupClosePort22(object):
     def parse(self, payload):
@@ -91,26 +92,32 @@ def remediate(self, client, resource_group_name, security_group_name):
 
         for rule in security_rules:
             if (
-                rule.access != "Allow"
-                or rule.direction != "Inbound"
-                or rule.source_address_prefix != "*"
+                rule.protocol in ["*", "TCP"]
+                and rule.direction == "Inbound"
+                and rule.access == "Allow"
+                and (
+                    rule.source_address_prefix in source_address_list
+                    or any(
+                        item in rule.source_address_prefixes
+                        for item in source_address_list
+                    )
+                )
             ):
-                continue
-            if rule.destination_port_range is not None:
-                port_range = rule.destination_port_range
-                if "-" in port_range:
-                    new_ranges = self._find_and_remove_port([port_range], port)
-                    if len(new_ranges) == 1:
-                        rule.destination_port_range = new_ranges[0]
-                    else:
-                        rule.destination_port_range = None
-                        rule.destination_port_ranges = new_ranges
-                elif int(rule.destination_port_range) == port:
-                    security_rules.remove(rule)
-            else:
-                port_ranges = rule.destination_port_ranges
-                new_ranges = self._find_and_remove_port(port_ranges, port)
-                rule.destination_port_ranges = new_ranges
+                if rule.destination_port_range is not None:
+                    port_range = rule.destination_port_range
+                    if "-" in port_range:
+                        new_ranges = self._find_and_remove_port([port_range], port)
+                        if len(new_ranges) == 1:
+                            rule.destination_port_range = new_ranges[0]
+                        else:
+                            rule.destination_port_range = None
+                            rule.destination_port_ranges = new_ranges
+                    elif int(rule.destination_port_range) == port:
+                        security_rules.remove(rule)
+                else:
+                    port_ranges = rule.destination_port_ranges
+                    new_ranges = self._find_and_remove_port(port_ranges, port)
+                    rule.destination_port_ranges = new_ranges
 
         network_security_group.security_rules = security_rules
 
diff --git a/remediation_worker/jobs/azure_network_security_group_close_port_3389/azure_network_security_group_close_port_3389.py b/remediation_worker/jobs/azure_network_security_group_close_port_3389/azure_network_security_group_close_port_3389.py
@@ -23,6 +23,8 @@
 
 logging.basicConfig(level=logging.INFO)
 
+source_address_list = ["*", "Internet", "0.0.0.0/0", "0.0.0.0", "/0", "::/0"]
+
 
 class NetworkSecurityGroupClosePort3389(object):
     def parse(self, payload):
@@ -88,26 +90,32 @@ def remediate(self, client, resource_group_name, security_group_name):
 
         for rule in security_rules:
             if (
-                rule.access != "Allow"
-                or rule.direction != "Inbound"
-                or rule.source_address_prefix != "*"
+                rule.protocol in ["*", "TCP"]
+                and rule.direction == "Inbound"
+                and rule.access == "Allow"
+                and (
+                    rule.source_address_prefix in source_address_list
+                    or any(
+                        item in rule.source_address_prefixes
+                        for item in source_address_list
+                    )
+                )
             ):
-                continue
-            if rule.destination_port_range is not None:
-                port_range = rule.destination_port_range
-                if "-" in port_range:
-                    new_ranges = self._find_and_remove_port([port_range], port)
-                    if len(new_ranges) == 1:
-                        rule.destination_port_range = new_ranges[0]
-                    else:
-                        rule.destination_port_range = None
-                        rule.destination_port_ranges = new_ranges
-                elif int(rule.destination_port_range) == port:
-                    security_rules.remove(rule)
-            else:
-                port_ranges = rule.destination_port_ranges
-                new_ranges = self._find_and_remove_port(port_ranges, port)
-                rule.destination_port_ranges = new_ranges
+                if rule.destination_port_range is not None:
+                    port_range = rule.destination_port_range
+                    if "-" in port_range:
+                        new_ranges = self._find_and_remove_port([port_range], port)
+                        if len(new_ranges) == 1:
+                            rule.destination_port_range = new_ranges[0]
+                        else:
+                            rule.destination_port_range = None
+                            rule.destination_port_ranges = new_ranges
+                    elif int(rule.destination_port_range) == port:
+                        security_rules.remove(rule)
+                else:
+                    port_ranges = rule.destination_port_ranges
+                    new_ranges = self._find_and_remove_port(port_ranges, port)
+                    rule.destination_port_ranges = new_ranges
 
         network_security_group.security_rules = security_rules
 
diff --git a/remediation_worker/jobs/azure_vm_close_port_22/azure_vm_close_port_22.py b/remediation_worker/jobs/azure_vm_close_port_22/azure_vm_close_port_22.py
@@ -24,6 +24,8 @@
 
 logging.basicConfig(level=logging.INFO)
 
+source_address_list = ["*", "Internet", "0.0.0.0/0", "0.0.0.0", "/0", "::/0"]
+
 
 class VMSecurityGroupClosePort22(object):
     def parse(self, payload):
@@ -101,18 +103,24 @@ def remediate(self, compute_client, network_client, resource_group_name, vm_name
 
             for rule in security_rules:
                 if (
-                    rule.access != "Allow"
-                    or rule.direction != "Inbound"
-                    or rule.source_address_prefix != "*"
+                    rule.protocol in ["*", "TCP"]
+                    and rule.direction == "Inbound"
+                    and rule.access == "Allow"
+                    and (
+                        rule.source_address_prefix in source_address_list
+                        or any(
+                            item in rule.source_address_prefixes
+                            for item in source_address_list
+                        )
+                    )
                 ):
-                    continue
-                if rule.destination_port_range is not None:
-                    if int(rule.destination_port_range) == port:
-                        security_rules.remove(rule)
-                else:
-                    port_ranges = rule.destination_port_ranges
-                    new_ranges = self._find_and_remove_port(port_ranges, port)
-                    rule.destination_port_ranges = new_ranges
+                    if rule.destination_port_range is not None:
+                        if int(rule.destination_port_range) == port:
+                            security_rules.remove(rule)
+                    else:
+                        port_ranges = rule.destination_port_ranges
+                        new_ranges = self._find_and_remove_port(port_ranges, port)
+                        rule.destination_port_ranges = new_ranges
 
             network_security_group.security_rules = security_rules
 
