Release/v1.13.0 (#132)

* Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, … (#93)

* Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, 3306, 5439, 5601, 8080, 9200 and 9300

* Checking in unit test and tox.ini, made modification to remove common pkg from ec2_close_port_20.py

* Checking in README with addition aws close port rules

* Update README with correct port names for the new scripts

* PLA-26195 - Handled PrincipalNotFound Exception in sql auditing job (#98)

* PLA-24844 - Remediation job to restrict default security group access (#85)

* PLA-24844 - Remediation job to restrict default security group access

* PLA-24844 - Remediation job to restrict default security group access

* Updated the remediation job code

* PLA-25429 - Remediation job to set password reuse prevention policy (#89)

* PLA-25429 - Remediation job to set password reuse prevention policy

* PLA-25429 - Updated unit test

* Updated the remediation job code

* PLA-25428 - Remediation Job to set minimum password length (#90)

* PLA-25430 - Remediation Job to delete expired server certificate (#96)

* Initial commit for kinesis_encrypt_stream (#97)

* Initial commit for kinesis_encrypt_stream

* modified to add a return and exception to kinesis_encrypt_stream.py and unit testcases for remediate

* remove print

* update README.md

* update README.md

* remove format in kinesis_encrypt_stream.py

* update README with a correct instruction to run the script and add a missing error loggin

Co-authored-by: Shrutika Kulkarni <73834811+kshrutik@users.noreply.github.com>

* PLA-26855 - Updated azure remediation jobs to wait for the poller result (#99)

* PLA-26855 - Updated azure remediation jobs to wait for the poller result

* PLA-26855 - Update azure jobs to poll continuously and log the status

* Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_versi… (#101)

* Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_version_update, rds_remove_public_endpoint

* Update ebs_private_snapshot.py

* Incorporated comments and inputs from PR review

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* PLA-29176 - Fix remediation jobs for port rules (#102)

* PLA-29176 - Fix remediation jobs for port rules

* PLA-29176 - updated requirements

* PLA-29176 - Updated the public instance port remediation jobs

* PLA-29176 - Fixed readme file

* PLA-29176 - Fixed comments

* PLA-29176 - Updated all the AWS port rule remediation jobs

* PLA-29176 - Fixed requirements-dev file

* PLA-29176 - Added comments

* PLA-29459 - Update Readme and tox file (#104)

* PLA-29459 - Update Readme and tox file

* PLA-29459 - Updated readme

* Fixed requirements file (#105)

* PLA-28074 - Update py version from 1.9.0 to 1.10.0 (#108)

* Fix import issues in azure jobs (#107)

* Initial commit for aws s3 remove full access to authenticated users (#118)

* Initial commit for aws s3 remove full access to authenticated users

* Correct the ruleid, minimum permissions, removed the botocore.exceptions.ClientError as put_bucket_acl doesnot throw exception and created test case

* Updated the main readme and tox.ini file

* Included a try catch exception block in the remediation job and added test case for exception case

* Aws rds snapshot remove publicaccess (#117)

* Release/v1.8.0 (#106)

* Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, … (#93)

* Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, 3306, 5439, 5601, 8080, 9200 and 9300

* Checking in unit test and tox.ini, made modification to remove common pkg from ec2_close_port_20.py

* Checking in README with addition aws close port rules

* Update README with correct port names for the new scripts

* PLA-26195 - Handled PrincipalNotFound Exception in sql auditing job (#98)

* PLA-24844 - Remediation job to restrict default security group access (#85)

* PLA-24844 - Remediation job to restrict default security group access

* PLA-24844 - Remediation job to restrict default security group access

* Updated the remediation job code

* PLA-25429 - Remediation job to set password reuse prevention policy (#89)

* PLA-25429 - Remediation job to set password reuse prevention policy

* PLA-25429 - Updated unit test

* Updated the remediation job code

* PLA-25428 - Remediation Job to set minimum password length (#90)

* PLA-25430 - Remediation Job to delete expired server certificate (#96)

* Initial commit for kinesis_encrypt_stream (#97)

* Initial commit for kinesis_encrypt_stream

* modified to add a return and exception to kinesis_encrypt_stream.py and unit testcases for remediate

* remove print

* update README.md

* update README.md

* remove format in kinesis_encrypt_stream.py

* update README with a correct instruction to run the script and add a missing error loggin

Co-authored-by: Shrutika Kulkarni <73834811+kshrutik@users.noreply.github.com>

* PLA-26855 - Updated azure remediation jobs to wait for the poller result (#99)

* PLA-26855 - Updated azure remediation jobs to wait for the poller result

* PLA-26855 - Update azure jobs to poll continuously and log the status

* Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_versi… (#101)

* Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_version_update, rds_remove_public_endpoint

* Update ebs_private_snapshot.py

* Incorporated comments and inputs from PR review

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* PLA-29176 - Fix remediation jobs for port rules (#102)

* PLA-29176 - Fix remediation jobs for port rules

* PLA-29176 - updated requirements

* PLA-29176 - Updated the public instance port remediation jobs

* PLA-29176 - Fixed readme file

* PLA-29176 - Fixed comments

* PLA-29176 - Updated all the AWS port rule remediation jobs

* PLA-29176 - Fixed requirements-dev file

* PLA-29176 - Added comments

* PLA-29459 - Update Readme and tox file (#104)

* PLA-29459 - Update Readme and tox file

* PLA-29459 - Updated readme

* Fixed requirements file (#105)

Co-authored-by: lytran2000 <44222483+lytran2000@users.noreply.github.com>

* Release/v1.9.0 (#113)

* Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, … (#93)

* Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, 3306, 5439, 5601, 8080, 9200 and 9300

* Checking in unit test and tox.ini, made modification to remove common pkg from ec2_close_port_20.py

* Checking in README with addition aws close port rules

* Update README with correct port names for the new scripts

* PLA-26195 - Handled PrincipalNotFound Exception in sql auditing job (#98)

* PLA-24844 - Remediation job to restrict default security group access (#85)

* PLA-24844 - Remediation job to restrict default security group access

* PLA-24844 - Remediation job to restrict default security group access

* Updated the remediation job code

* PLA-25429 - Remediation job to set password reuse prevention policy (#89)

* PLA-25429 - Remediation job to set password reuse prevention policy

* PLA-25429 - Updated unit test

* Updated the remediation job code

* PLA-25428 - Remediation Job to set minimum password length (#90)

* PLA-25430 - Remediation Job to delete expired server certificate (#96)

* Initial commit for kinesis_encrypt_stream (#97)

* Initial commit for kinesis_encrypt_stream

* modified to add a return and exception to kinesis_encrypt_stream.py and unit testcases for remediate

* remove print

* update README.md

* update README.md

* remove format in kinesis_encrypt_stream.py

* update README with a correct instruction to run the script and add a missing error loggin

Co-authored-by: Shrutika Kulkarni <73834811+kshrutik@users.noreply.github.com>

* PLA-26855 - Updated azure remediation jobs to wait for the poller result (#99)

* PLA-26855 - Updated azure remediation jobs to wait for the poller result

* PLA-26855 - Update azure jobs to poll continuously and log the status

* Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_versi… (#101)

* Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_version_update, rds_remove_public_endpoint

* Update ebs_private_snapshot.py

* Incorporated comments and inputs from PR review

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* PLA-29176 - Fix remediation jobs for port rules (#102)

* PLA-29176 - Fix remediation jobs for port rules

* PLA-29176 - updated requirements

* PLA-29176 - Updated the public instance port remediation jobs

* PLA-29176 - Fixed readme file

* PLA-29176 - Fixed comments

* PLA-29176 - Updated all the AWS port rule remediation jobs

* PLA-29176 - Fixed requirements-dev file

* PLA-29176 - Added comments

* PLA-29459 - Update Readme and tox file (#104)

* PLA-29459 - Update Readme and tox file

* PLA-29459 - Updated readme

* Fixed requirements file (#105)

* PLA-28074 - Update py version from 1.9.0 to 1.10.0 (#108)

* Fix import issues in azure jobs (#107)

Co-authored-by: lytran2000 <44222483+lytran2000@users.noreply.github.com>

* Initial commit for aws rds snapshots remove public access

* Updated the filename and testing steps in the readme

* Corrected the ruleid, added unit test and modified the remediation logic to change the errorcode to the snapshot relevant errorcode and check if all is present in the attribute value list instead of direct equality check as attribute values is a list

* Updated tox.ini

* Corrected the ruleid in the remediation readme

Co-authored-by: Vikramjeet Singh <58273802+vikramsinghvirdi@users.noreply.github.com>
Co-authored-by: Shrutika Kulkarni <73834811+kshrutik@users.noreply.github.com>
Co-authored-by: lytran2000 <44222483+lytran2000@users.noreply.github.com>

* Aws ec2 close port 11211 (#116)

* Release/v1.8.0 (#106)

* Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, … (#93)

* Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, 3306, 5439, 5601, 8080, 9200 and 9300

* Checking in unit test and tox.ini, made modification to remove common pkg from ec2_close_port_20.py

* Checking in README with addition aws close port rules

* Update README with correct port names for the new scripts

* PLA-26195 - Handled PrincipalNotFound Exception in sql auditing job (#98)

* PLA-24844 - Remediation job to restrict default security group access (#85)

* PLA-24844 - Remediation job to restrict default security group access

* PLA-24844 - Remediation job to restrict default security group access

* Updated the remediation job code

* PLA-25429 - Remediation job to set password reuse prevention policy (#89)

* PLA-25429 - Remediation job to set password reuse prevention policy

* PLA-25429 - Updated unit test

* Updated the remediation job code

* PLA-25428 - Remediation Job to set minimum password length (#90)

* PLA-25430 - Remediation Job to delete expired server certificate (#96)

* Initial commit for kinesis_encrypt_stream (#97)

* Initial commit for kinesis_encrypt_stream

* modified to add a return and exception to kinesis_encrypt_stream.py and unit testcases for remediate

* remove print

* update README.md

* update README.md

* remove format in kinesis_encrypt_stream.py

* update README with a correct instruction to run the script and add a missing error loggin

Co-authored-by: Shrutika Kulkarni <73834811+kshrutik@users.noreply.github.com>

* PLA-26855 - Updated azure remediation jobs to wait for the poller result (#99)

* PLA-26855 - Updated azure remediation jobs to wait for the poller result

* PLA-26855 - Update azure jobs to poll continuously and log the status

* Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_versi… (#101)

* Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_version_update, rds_remove_public_endpoint

* Update ebs_private_snapshot.py

* Incorporated comments and inputs from PR review

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* PLA-29176 - Fix remediation jobs for port rules (#102)

* PLA-29176 - Fix remediation jobs for port rules

* PLA-29176 - updated requirements

* PLA-29176 - Updated the public instance port remediation jobs

* PLA-29176 - Fixed readme file

* PLA-29176 - Fixed comments

* PLA-29176 - Updated all the AWS port rule remediation jobs

* PLA-29176 - Fixed requirements-dev file

* PLA-29176 - Added comments

* PLA-29459 - Update Readme and tox file (#104)

* PLA-29459 - Update Readme and tox file

* PLA-29459 - Updated readme

* Fixed requirements file (#105)

Co-authored-by: lytran2000 <44222483+lytran2000@users.noreply.github.com>

* Release/v1.9.0 (#113)

* Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, … (#93)

* Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, 3306, 5439, 5601, 8080, 9200 and 9300

* Checking in unit test and tox.ini, made modification to remove common pkg from ec2_close_port_20.py

* Checking in README with addition aws close port rules

* Update README with correct port names for the new scripts

* PLA-26195 - Handled PrincipalNotFound Exception in sql auditing job (#98)

* PLA-24844 - Remediation job to restrict default security group access (#85)

* PLA-24844 - Remediation job to restrict default security group access

* PLA-24844 - Remediation job to restrict default security group access

* Updated the remediation job code

* PLA-25429 - Remediation job to set password reuse prevention policy (#89)

* PLA-25429 - Remediation job to set password reuse prevention policy

* PLA-25429 - Updated unit test

* Updated the remediation job code

* PLA-25428 - Remediation Job to set minimum password length (#90)

* PLA-25430 - Remediation Job to delete expired server certificate (#96)

* Initial commit for kinesis_encrypt_stream (#97)

* Initial commit for kinesis_encrypt_stream

* modified to add a return and exception to kinesis_encrypt_stream.py and unit testcases for remediate

* remove print

* update README.md

* update README.md

* remove format in kinesis_encrypt_stream.py

* update README with a correct instruction to run the script and add a missing error loggin

Co-authored-by: Shrutika Kulkarni <73834811+kshrutik@users.noreply.github.com>

* PLA-26855 - Updated azure remediation jobs to wait for the poller result (#99)

* PLA-26855 - Updated azure remediation jobs to wait for the poller result

* PLA-26855 - Update azure jobs to poll continuously and log the status

* Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_versi… (#101)

* Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_version_update, rds_remove_public_endpoint

* Update ebs_private_snapshot.py

* Incorporated comments and inputs from PR review

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* PLA-29176 - Fix remediation jobs for port rules (#102)

* PLA-29176 - Fix remediation jobs for port rules

* PLA-29176 - updated requirements

* PLA-29176 - Updated the public instance port remediation jobs

* PLA-29176 - Fixed readme file

* PLA-29176 - Fixed comments

* PLA-29176 - Updated all the AWS port rule remediation jobs

* PLA-29176 - Fixed requirements-dev file

* PLA-29176 - Added comments

* PLA-29459 - Update Readme and tox file (#104)

* PLA-29459 - Update Readme and tox file

* PLA-29459 - Updated readme

* Fixed requirements file (#105)

* PLA-28074 - Update py version from 1.9.0 to 1.10.0 (#108)

* Fix import issues in azure jobs (#107)

Co-authored-by: lytran2000 <44222483+lytran2000@users.noreply.github.com>

* Initial commit for aws ec2 close port 11211

* Updated readme file to reflect the correct python file name

* Updates to readme to use the relevant python file

* Update the ruleid to use the right one and create unit test case for closing port 11211 for ec2

* Updated the main readme and the tox file

* Fixed the readme file by adding back the aws_iam_server_certificate_expired block and then including the aws_ec2_close_port_11211

Co-authored-by: Vikramjeet Singh <58273802+vikramsinghvirdi@users.noreply.github.com>
Co-authored-by: Shrutika Kulkarni <73834811+kshrutik@users.noreply.github.com>
Co-authored-by: lytran2000 <44222483+lytran2000@users.noreply.github.com>

* Modified the remediation logic to check for protocol udp instead of tcp as the remediation is for closing the open udp port for memcache (#119)

* Fixed RDS Snapshot remove public access remediation job (#120)

* PLA-35232 - Fixed remediation jobs that does not report failures (#124)

* PLA-38601 - Fixed azure remediation jobs to wait for the poller result (#125)

* PLA-38601 - Fixed azure security port jobs (#128)

* PLA-38601 - Fixed azure remediation jobs to wait for the poller result

* PLA-38601 - Add all the required source checks for azure security group port rules

* PLA-45823 - Updated remediation job to restrict unsecured HTTP requests for S3 Bucket (#131)

Co-authored-by: lytran2000 <44222483+lytran2000@users.noreply.github.com>
Co-authored-by: sreedevikr <90842270+sreedevikr@users.noreply.github.com>
Co-authored-by: Vikramjeet Singh <58273802+vikramsinghvirdi@users.noreply.github.com>

Author: 4 people

README.md

@@ -157,6 +157,7 @@ The table below lists all the supported jobs with their links.
 |   44.  	| 5c8c26487a550e1fb6560c4a              | RDS snapshot should restrict public access                               | [aws-rds-snapshot-remove-publicaccess](remediation_worker/jobs/aws_rds_snapshot_remove_publicaccess) 	|
 |   45.  	| 5c8c26567a550e1fb6560c5d              | S3 bucket should not give full access to all authenticated users | [aws_s3_remove_fullaccess_authenticatedusers](remediation_worker/jobs/aws_s3_remove_fullaccess_authenticatedusers) 	|
 
+
 ## Contributing
 The Secure State team welcomes welcomes contributions from the community. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will update the issue when you open a Pull Request. For any questions about the CLA process, please refer to our [FAQ](https://cla.vmware.com/faq).
 All contributions to this repository must be signed as described on that page. Your signature certifies that you wrote the patch or have the right to pass it on as an open-source patch.

remediation_worker/jobs/aws_ec2_default_security_group_traffic/aws_ec2_default_security_group_traffic.py

@@ -101,6 +101,7 @@ def remediate(self, client, security_group_id, region, cloud_account_id):
         except Exception as e:
             logging.error(f"{str(e)}")
             raise
+
         return 0
 
     def run(self, args):

remediation_worker/jobs/aws_s3_bucket_policy_allow_https/aws_s3_bucket_policy_allow_https.py

@@ -103,7 +103,7 @@ def remediate(self, client, cloud_account_id, bucket_name):
                 "Sid": "Restrict Non-https Requests",
                 "Effect": "Deny",
                 "Principal": "*",
-                "Action": "s3:GetObject",
+                "Action": "s3:*",
                 "Resource": f"arn:aws:s3:::{bucket_name}/*",
                 "Condition": {"Bool": {"aws:SecureTransport": "false"}},
             }

remediation_worker/jobs/ec2_close_port_9200_9300/ec2_close_port_9200_9300.py

@@ -111,6 +111,7 @@ def remediate(self, client, instance_id):
         except Exception as e:
             logging.error(f"{str(e)}")
             raise
+
         return 0
 
     def run(self, args):

test/unit/test_aws_s3_bucket_policy_allow_https.py

@@ -98,7 +98,7 @@ def test_remediate_success(self):
                     "Sid": "Restrict Non-https Requests",
                     "Effect": "Deny",
                     "Principal": "*",
-                    "Action": "s3:GetObject",
+                    "Action": "s3:*",
                     "Resource": "arn:aws:s3:::bucket_name/*",
                     "Condition": {"Bool": {"aws:SecureTransport": "false"}},
                 },

tox.ini

@@ -65,6 +65,7 @@ envlist =
 	unit-aws_s3_remove_fullaccess_authenticatedusers
 
 
+
 [testenv]
 passenv =
     # Prevent Python bytecode files from being created