Release/v1.8.0 (#106)

* Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, … (#93)

* Initial commit for ec2 close port for 1433, 1521, 20, 21, 23, 27017, 3306, 5439, 5601, 8080, 9200 and 9300

* Checking in unit test and tox.ini, made modification to remove common pkg from ec2_close_port_20.py

* Checking in README with addition aws close port rules

* Update README with correct port names for the new scripts

* PLA-26195 - Handled PrincipalNotFound Exception in sql auditing job (#98)

* PLA-24844 - Remediation job to restrict default security group access (#85)

* PLA-24844 - Remediation job to restrict default security group access

* PLA-24844 - Remediation job to restrict default security group access

* Updated the remediation job code

* PLA-25429 - Remediation job to set password reuse prevention policy (#89)

* PLA-25429 - Remediation job to set password reuse prevention policy

* PLA-25429 - Updated unit test

* Updated the remediation job code

* PLA-25428 - Remediation Job to set minimum password length (#90)

* PLA-25430 - Remediation Job to delete expired server certificate (#96)

* Initial commit for kinesis_encrypt_stream (#97)

* Initial commit for kinesis_encrypt_stream

* modified to add a return and exception to kinesis_encrypt_stream.py and unit testcases for remediate

* remove print

* update README.md

* update README.md

* remove format in kinesis_encrypt_stream.py

* update README with a correct instruction to run the script and add a missing error loggin

Co-authored-by: Shrutika Kulkarni <73834811+kshrutik@users.noreply.github.com>

* PLA-26855 - Updated azure remediation jobs to wait for the poller result (#99)

* PLA-26855 - Updated azure remediation jobs to wait for the poller result

* PLA-26855 - Update azure jobs to poll continuously and log the status

* Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_versi… (#101)

* Initial commit for aws 3 jobs: ebs_private_snapshot, rds_enable_version_update, rds_remove_public_endpoint

* Update ebs_private_snapshot.py

* Incorporated comments and inputs from PR review

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* PLA-29176 - Fix remediation jobs for port rules (#102)

* PLA-29176 - Fix remediation jobs for port rules

* PLA-29176 - updated requirements

* PLA-29176 - Updated the public instance port remediation jobs

* PLA-29176 - Fixed readme file

* PLA-29176 - Fixed comments

* PLA-29176 - Updated all the AWS port rule remediation jobs

* PLA-29176 - Fixed requirements-dev file

* PLA-29176 - Added comments

* PLA-29459 - Update Readme and tox file (#104)

* PLA-29459 - Update Readme and tox file

* PLA-29459 - Updated readme

* Fixed requirements file (#105)

Co-authored-by: lytran2000 <44222483+lytran2000@users.noreply.github.com>

Author: kshrutik

README.md

@@ -134,6 +134,25 @@ The table below lists all the supported jobs with their links.
 |   21.  	| 688d093c-3b8d-11eb-adc1-0242ac120002 	|                     S3 bucket should allow only HTTPS requests                    	|             [aws-s3-bucket-policy-allow-https](remediation_worker/jobs/aws_s3_bucket_policy_allow_https)             	|
 |   22.  	| 09639b9d-98e8-493b-b8a4-916775a7dea9 	|            SQS queue policy should restricted access to required users            	|            [aws-sqs-queue-publicly-accessible](remediation_worker/jobs/aws_sqs_queue_publicly_accessible)            	|
 |   23.  	| 1ec4a1f2-3e08-11eb-b378-0242ac130002 	| Network ACL should restrict administration ports (3389 and 22) from public access 	| [aws-ec2-administration-ports-ingress-allowed](remediation_worker/jobs/aws_ec2_administration_ports_ingress_allowed) 	|
+|   24.  	| ce603728-d631-4bae-8657-c22da6e5944e | Kinesis data stream should be encrypted  | [kinesis-encrypt-stream](remediation_worker/jobs/kinesis_encrypt_stream) 	|
+|   25.   	|       5c8c263d7a550e1fb6560c39        |            EC2 instance should restrict public access to FTP data port (20)           |                            [ec2-close-port-20](remediation_worker/jobs/ec2_close_port_20)                            	|
+|   26.   	| 4823ede0-7bed-4af0-a182-81c2ada80203  |            EC2 instance should restrict public access to Kibana (5601)            	|                            [ec2-close-port-5601](remediation_worker/jobs/ec2_close_port_5601)                            |
+|   27.   	|       5c8c26427a550e1fb6560c41     |               EC2 instance should restrict public access to MySQL server port (3306)     |                            [ec2-close-port-3306](remediation_worker/jobs/ec2_close_port_3306)                            |
+|   28.   	|       5c8c26417a550e1fb6560c3e     |               EC2 instance should restrict public access to Oracle SQL port (1521)       |                            [ec2-close-port-1521](remediation_worker/jobs/ec2_close_port_1521)                            |
+|   29.   	|       5c8c26417a550e1fb6560c3d     |               EC2 instance should restrict public access to SQL Server port (1433)       |                            [ec2-close-port-1433](remediation_worker/jobs/ec2_close_port_1433)                            |
+|   30.   	|       5c8c263e7a550e1fb6560c3b     |               EC2 instance should restrict public access to Telnet port (23)            	|                            [ec2-close-port-23](remediation_worker/jobs/ec2_close_port_23)                            	   |
+|   31.   	|       5c8c263d7a550e1fb6560c3a     |               EC2 instance should restrict public access to FTP port (21)            	|                            [ec2-close-port-21](remediation_worker/jobs/ec2_close_port_21)                            	|
+|   32.   	| 04700175-adbe-49e1-bc7a-bc9605597ce2  |            EC2 instance should restrict public access to Elasticsearch ports (9200,9300) |                            [ec2-close-port-9200_9300](remediation_worker/jobs/ec2_close_port_9200_9300)                  |
+|   33.   	|       5c8c26427a550e1fb6560c40     |               EC2 instance should restrict public access to MongoDB port (27017)         |                            [ec2-close-port-27017](remediation_worker/jobs/ec2_close_port_27017)                          |
+|   34.   	|       5c8c26407a550e1fb6560c3c     |               EC2 instance should restrict public access to TCP port (8080)            	|                            [ec2-close-port-8080](remediation_worker/jobs/ec2_close_port_8080)                            |
+|   35.   	|       5c8c26447a550e1fb6560c44     |               EC2 instance should restrict public access to Redshift port (5439)         |                            [ec2-close-port-5439](remediation_worker/jobs/ec2_close_port_5439)                            	|
+|   36.  	| 2cdb8877-7ac3-4483-9ed0-1e792171d125 	| EBS volume snapshot should be private                                                 | [ebs-private-snapshot](remediation_worker/jobs/ebs_private_snapshot) 	|
+|   37.  	| 5c8c26467a550e1fb6560c48              | RDS instance should restrict public access                                            | [rds-remove-public-endpoint](remediation_worker/jobs/rds_remove_public_endpoint) 	|
+|   38.  	| 5c8c264a7a550e1fb6560c4c              | RDS should have automatic minor version upgrades enabled                              | [rds-enable-version-update](remediation_worker/jobs/rds_enable_version_update) 	|
+|   39.  	| 5c8c25f37a550e1fb6560bca              | EC2 VPC default security group should restrict all access                               | [aws-ec2-default-security-group-traffic](remediation_worker/jobs/aws_ec2_default_security_group_traffic) 	|
+|   40.  	| 5c8c260b7a550e1fb6560bf4              | IAM password policy should set a minimum length                               | [aws-iam-password-policy-min-length](remediation_worker/jobs/aws_iam_password_policy_min_length) 	|
+|   41.  	| 5c8c26107a550e1fb6560bfc              | IAM password policy should prevent password reuse                               | [aws-iam-password-reuse-prevention](remediation_worker/jobs/aws_iam_password_reuse_prevention) 	|
+|   42.  	| 7fe4eb28-3b82-11eb-adc1-0242ac120002              | IAM server certificates that are expired should be removed                               | [aws-iam-server-certificate-expired](remediation_worker/jobs/aws_iam_server_certificate_expired) 	|
 
 ## Contributing
 The Secure State team welcomes welcomes contributions from the community. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will update the issue when you open a Pull Request. For any questions about the CLA process, please refer to our [FAQ](https://cla.vmware.com/faq).

remediation_worker/jobs/aws_ec2_administration_ports_ingress_allowed/README.md

@@ -14,7 +14,7 @@ Network ACL should restrict administration ports (3389 and 22) from public acces
 
 ### Prerequisites
 
-The provided AWS credential must have access to `ec2:DeleteNetworkAcl`, `ec2:DescribeNetworkAcls` and `ec2:ReplaceNetworkAclEntry`.
+The provided AWS credential must have access to `ec2:DeleteNetworkAclEntry`, `ec2:DescribeNetworkAcls`.
 
 You may find the latest example policy file [here](minimum_policy.json)
 

remediation_worker/jobs/aws_ec2_administration_ports_ingress_allowed/aws_ec2_administration_ports_ingress_allowed.py

@@ -61,201 +61,6 @@ def parse(self, payload):
         logging.info(return_dict)
         return return_dict
 
-    def create_list_of_rule_nos(self, network_acl_entries):
-        """Creates List of Rule Numbers in the Network Acl
-        :param network_acl_entries: List of Network Acl entries.
-        :type network_acl_id: str.
-        :returns: List of Rule Numbers.
-        :rtype: list.
-        """
-        rule_nos = []
-        for entry in network_acl_entries["Entries"]:
-            rule_nos.append(entry["RuleNumber"])
-        return rule_nos
-
-    def create_list_of_port_range(self, network_acl_entries):
-        """Creates List of Port Ranges in the Network Acl
-        :param network_acl_entries: List of Network Acl entries.
-        :type network_acl_id: str.
-        :returns: List of Port Ranges.
-        :rtype: list.
-        """
-        port_ranges = []
-        for entry in network_acl_entries["Entries"]:
-            if "PortRange" not in entry:
-                continue
-            else:
-                port = (entry["PortRange"]["From"], entry["PortRange"]["To"])
-                port_ranges.append(port)
-        return port_ranges
-
-    def check_if_nacl_exists(
-        self, network_acl_entries, port_from, port_to, port_ranges
-    ):
-        """Checks if the Network ACL Entry already exists
-        :param network_acl_entries: List of Network Acl entries.
-        :param port_from: Port Range from.
-        :param port_to: Port Range To.
-        :param port_ranges: List of port ranges.
-        :type network_acl_entries: list
-        :type port_from: int
-        :type port_to: int
-        :type port_ranges: list
-        :returns: Boolean value indicating if the entry with given port range already exists
-        :rtype: bool
-        """
-        for nacl_entry in network_acl_entries["Entries"]:
-            if "PortRange" not in nacl_entry:
-                continue
-            elif (
-                nacl_entry["PortRange"]["From"] == port_from
-                and nacl_entry["PortRange"]["To"] == port_to
-            ):
-                return True
-            else:
-                continue
-        for port in port_ranges:
-            if port[0] == port_from and port[1] == port_to:
-                return True
-        return False
-
-    def find_and_remove_port(
-        self,
-        network_acl_id,
-        client,
-        network_acl_entries,
-        port_no,
-        rule_nos,
-        port_ranges,
-    ):
-        """Find and remove port 22 and 3389 from Network Acl Entries
-        :param network_acl_id: Network Acl Id.
-        :param client: Instance of the AWS boto3 client.
-        :param network_acl_entries: List of Network Acl Entries.
-        :param port_no: Port No. to remove.
-        :param rule_nos: List of Rule Numbers.
-        :type rule_nos: list.
-        :type port_no: int.
-        :type network_acl_entries: list.
-        :type network_acl_id: str.
-        :type client: object.
-        :returns: None.
-        :rtype: None.
-        """
-        for entry in network_acl_entries["Entries"]:
-            if (
-                entry["Egress"] is False
-                and entry["RuleAction"] == "allow"
-                and entry["Protocol"] in ["6", "-1"]
-                and entry["CidrBlock"] == "0.0.0.0/0"
-            ):
-                if "PortRange" not in entry or entry["PortRange"] == {
-                    "From": port_no,
-                    "To": port_no,
-                }:
-                    client.delete_network_acl_entry(
-                        Egress=False,
-                        NetworkAclId=network_acl_id,
-                        RuleNumber=entry["RuleNumber"],
-                    )
-                elif (
-                    entry["PortRange"]["From"] < port_no
-                    and entry["PortRange"]["To"] == port_no
-                ):
-                    portrange_to = port_no - 1
-
-                    if self.check_if_nacl_exists(
-                        network_acl_entries,
-                        entry["PortRange"]["From"],
-                        portrange_to,
-                        port_ranges,
-                    ):
-                        client.delete_network_acl_entry(
-                            Egress=False,
-                            NetworkAclId=network_acl_id,
-                            RuleNumber=entry["RuleNumber"],
-                        )
-                    else:
-                        client.replace_network_acl_entry(
-                            CidrBlock=entry["CidrBlock"],
-                            Egress=entry["Egress"],
-                            NetworkAclId=network_acl_id,
-                            PortRange={
-                                "From": entry["PortRange"]["From"],
-                                "To": portrange_to,
-                            },
-                            Protocol=entry["Protocol"],
-                            RuleAction=entry["RuleAction"],
-                            RuleNumber=entry["RuleNumber"],
-                        )
-
-                        port = (entry["PortRange"]["From"], portrange_to)
-                        port_ranges.append(port)
-                elif (
-                    entry["PortRange"]["From"] < port_no
-                    and entry["PortRange"]["To"] > port_no
-                ):
-                    rule_no = entry["RuleNumber"] + 10
-
-                    while rule_no in rule_nos:
-                        rule_no = rule_no + 10
-
-                    portrange_to = port_no - 1
-
-                    if self.check_if_nacl_exists(
-                        network_acl_entries,
-                        entry["PortRange"]["From"],
-                        portrange_to,
-                        port_ranges,
-                    ):
-                        client.delete_network_acl_entry(
-                            Egress=False,
-                            NetworkAclId=network_acl_id,
-                            RuleNumber=entry["RuleNumber"],
-                        )
-                    else:
-                        client.replace_network_acl_entry(
-                            CidrBlock=entry["CidrBlock"],
-                            Egress=entry["Egress"],
-                            NetworkAclId=network_acl_id,
-                            PortRange={
-                                "From": entry["PortRange"]["From"],
-                                "To": portrange_to,
-                            },
-                            Protocol=entry["Protocol"],
-                            RuleAction=entry["RuleAction"],
-                            RuleNumber=entry["RuleNumber"],
-                        )
-
-                        port = (entry["PortRange"]["From"], portrange_to)
-                        port_ranges.append(port)
-
-                    portrange_from = port_no + 1
-
-                    if self.check_if_nacl_exists(
-                        network_acl_entries,
-                        portrange_from,
-                        entry["PortRange"]["To"],
-                        port_ranges,
-                    ):
-                        continue
-                    else:
-                        client.create_network_acl_entry(
-                            CidrBlock=entry["CidrBlock"],
-                            Egress=entry["Egress"],
-                            NetworkAclId=network_acl_id,
-                            PortRange={
-                                "From": portrange_from,
-                                "To": entry["PortRange"]["To"],
-                            },
-                            Protocol=entry["Protocol"],
-                            RuleAction=entry["RuleAction"],
-                            RuleNumber=rule_no,
-                        )
-                        rule_nos.append(rule_no)
-                        port = (portrange_from, entry["PortRange"]["To"])
-                        port_ranges.append(port)
-
     def remediate(self, region, client, network_acl_id, cloud_account_id):
         """Remove Network ACL Rules that allows public access to administration ports (3389 and 22)
         :param region: The buckets region
@@ -276,23 +81,39 @@ def remediate(self, region, client, network_acl_id, cloud_account_id):
                 logging.info(
                     "executing client.describe_network_acls to get network acl"
                 )
+                logging.info("    executing client.describe_network_acls")
+                logging.info(f"    NetworkAclId: {network_acl_id}")
+                # List network acl details
                 network_acl = client.describe_network_acls(
                     NetworkAclIds=[network_acl_id]
                 )
                 network_acl_entries = network_acl["NetworkAcls"][0]
-                #Create List of Rule Numbers
-                rule_nos = self.create_list_of_rule_nos(network_acl_entries)
-                #Create List of Port Ranges
-                port_ranges = self.create_list_of_port_range(network_acl_entries)
-                #Remove the port from the Network ACL entries
-                self.find_and_remove_port(
-                    network_acl_id,
-                    client,
-                    network_acl_entries,
-                    port_no,
-                    rule_nos,
-                    port_ranges,
-                )
+                for entry in network_acl_entries["Entries"]:
+                    #Searching for the ingress nacl entries with RuleAction = allow,
+                    #protocol as tcp or all traffic, CidrBlock="0.0.0.0/0" and the 
+                    #port range inclusive of port 22 and 3389
+                    if (
+                        entry["Egress"] is False
+                        and entry["RuleAction"] == "allow"
+                        and entry["Protocol"] in ["6", "-1"]
+                        and entry["CidrBlock"] == "0.0.0.0/0"
+                        and (
+                            "PortRange" not in entry
+                            or (
+                                entry["PortRange"]["From"] <= port_no
+                                and entry["PortRange"]["To"] >= port_no
+                            )
+                        )
+                    ):
+                        # Delete nacl entry which provides public access to administration ports (3389 and 22)
+                        logging.info("    executing client.delete_network_acl_entry")
+                        logging.info(f"    NetworkAclId: {network_acl_id}")
+                        logging.info(f"    RuleNumber: {entry['RuleNumber']}")
+                        client.delete_network_acl_entry(
+                            Egress=False,
+                            NetworkAclId=network_acl_id,
+                            RuleNumber=entry["RuleNumber"],
+                        )
             logging.info("successfully completed remediation job")
         except Exception as e:
             logging.error(f"{str(e)}")

remediation_worker/jobs/aws_ec2_administration_ports_ingress_allowed/constraints.txt

@@ -29,9 +29,9 @@ py==1.9.0 \
 pluggy==0.13.1 \
     --hash=sha256:15b2acde666561e1298d71b523007ed7364de07029219b604cf808bfa1c765b0 \
     --hash=sha256:966c145cd83c96502c3c3868f50408687b38434af77734af1e9ca461a4081d2d
-s3transfer==0.3.4 \
-    --hash=sha256:1e28620e5b444652ed752cf87c7e0cb15b0e578972568c6609f0f18212f259ed \
-    --hash=sha256:7fdddb4f22275cf1d32129e21f056337fd2a80b6ccef1664528145b72c49e6d2
+s3transfer==0.5.0 \
+    --hash=sha256:50ed823e1dc5868ad40c8dc92072f757aa0e653a192845c94a3b676f4a62da4c \
+    --hash=sha256:9c1dc369814391a6bda20ebbf4b70a0f34630592c9aa520856bf384916af2803
 six==1.15.0 \
     --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \
     --hash=sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced

remediation_worker/jobs/aws_ec2_administration_ports_ingress_allowed/minimum_policy.json

@@ -6,7 +6,7 @@
             "Effect": "Allow",
             "Action": [
                 "ec2:DescribeNetworkAcls",
-                "ec2:DeleteNetworkAcl"
+                "ec2:DeleteNetworkAclEntry"
             ],
             "Resource": "*"
         }

remediation_worker/jobs/aws_ec2_administration_ports_ingress_allowed/requirements.txt

@@ -1,6 +1,6 @@
-boto3==1.16.60 \
-    --hash=sha256:10e8d9b18a8ae15677e850c7240140b9539635a03098f01dfdd75b2042d15862 \
-    --hash=sha256:aee742f2a2315244fb31a507f65d8809fcd0029508c0b12be8611ddd2075b666
-botocore==1.19.60 \
-    --hash=sha256:423a1a9502bd7bc5db8c6e64f9374f64d8ac18e6b870278a9ff65f59d268cd58 \
-    --hash=sha256:80dd615a34c7e2c73606070a9358f7b5c1cb0c9989348306c1c9ddff45bb6ebe
+boto3==1.18.4 \
+  --hash=sha256:649ed1ca205f5ee0b0328d54580780aebc1a7a05681a24f6ee05253007ca48d8 \
+  --hash=sha256:7079b40bd6621c54a0385a8fc11240cff4318a4d487292653e393e18254f5d94
+botocore==1.21.5 \
+  --hash=sha256:0070c5e02b581db40ff5fd1b5e02db90ed88e7e861901894bd78fd998656da68 \
+  --hash=sha256:bed34fe7a007180f4208b65515bab1755cdd9fcf2c6720f74ae7ecd2e707f4b7