Commit
Merge pull request #2068 from AkhtarAmir/FS-AWS/GuarddutyEKSProtection
FS-AWS/GuarddutyEKSProtection
Showing
3 changed files
with
249 additions
and
0 deletions.
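--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE/eksProtectionEnabled.js
@@ -0,0 +1,72 @@
+var async = require('async');
+var helpers = require('../../../helpers/aws');
+
+module.exports = {
+    title: 'EKS GuardDuty Enabled',
+    category: 'GuardDuty',
+    domain: 'Management and Governance',
+    severity: 'Medium',
+    description: 'Ensures that GuardDuty protection is enabled for EKS clusters.' ,
+    more_info: 'Enabling GuardDuty EKS protection helps detect potential security threats in your EKS clusters by monitoring audit logs, user activities, and control plane operations. It provides enhanced security by offering proactive threat detection and automated alerting for suspicious activities and security issues within your AWS environment.',
+    recommended_action: 'Enable GuardDuty EKS protection for all AWS accounts.',
+    link: 'https://docs.aws.amazon.com/guardduty/latest/ug/kubernetes-protection.html',
+    apis: ['GuardDuty:listDetectors', 'GuardDuty:getDetector', 'STS:getCallerIdentity'],
+    realtime_triggers: ['guardduty:CreateDetector', 'guardduty:UpdateDetector', 'guardduty:DeleteDetector'],
+
+    run: function(cache, settings, callback) {
+        var results = [];
+        var source = {};
+
+        var acctRegion = helpers.defaultRegion(settings);
+        var awsOrGov = helpers.defaultPartition(settings);
+        var accountId = helpers.addSource(cache, source, ['sts', 'getCallerIdentity', acctRegion, 'data']);
+
+        var regions = helpers.regions(settings);
+
+        async.each(regions.guardduty, function(region, rcb) {
+            var listDetectors = helpers.addSource(cache, source, ['guardduty', 'listDetectors', region]);
+
+            if (!listDetectors) return rcb();
+
+            if (listDetectors.err || !listDetectors.data) {
+                helpers.addResult(results, 3, 'Unable to list GuardDuty detectors: ' + helpers.addError(listDetectors), region);
+                return rcb();
+            }
+
+            if (!listDetectors.data || !listDetectors.data.length) {
+                helpers.addResult(results, 0, 'No GuardDuty detectors found', region);
+                return rcb();
+            }
+
+            listDetectors.data.forEach(function(detectorId) {
+
+                var getDetector = helpers.addSource(cache, source, ['guardduty', 'getDetector', region, detectorId]);
+
+                if (!getDetector) return;
+
+                if (getDetector.err || !getDetector.data) {
+                    helpers.addResult(results, 3, 'Unable to get GuardDuty detector: ' + helpers.addError(getDetector),region);
+                    return;
+                }
+
+                var detector = getDetector.data;
+                var resource = 'arn:' + awsOrGov + ':guardduty:' + region + ':' + accountId + ':detector/' + detector.detectorId;
+
+                if (detector.DataSources &&
+                    detector.DataSources.Kubernetes &&
+                    detector.DataSources.Kubernetes.AuditLogs &&
+                    detector.DataSources.Kubernetes.AuditLogs.Status &&
+                    detector.DataSources.Kubernetes.AuditLogs.Status.toLowerCase() === 'disabled'){
+                    helpers.addResult(results, 2, 'GuardDuty EKS protection is disabled', region, resource);
+                } else {
+                    helpers.addResult(results, 0, 'GuardDuty EKS protection is enabled', region, resource);
+                }
+
+            });
+
+            rcb();
+        }, function(){
+            callback(null, results, source);
+        });
+    }
+};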
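Review bot: The resource ARN built at the `var resource = ...` line reads `detector.detectorId`, a field the getDetector response does not carry (the fixture in this commit's spec has CreatedAt, Status, DataSources and Tags but no detectorId), so every result's resource ends in `detector/undefined`; the forEach parameter already holds the id: `var resource = 'arn:' + awsOrGov + ':guardduty:' + region + ':' + accountId + ':detector/' + detectorId;`. The branch just below also fails open: a detector whose `DataSources.Kubernetes.AuditLogs.Status` is absent (for instance one that only reports its configuration through the newer feature list, if that is how the account responds) is recorded as a PASS with "enabled". Computing the value once and passing only on an explicit enabled status avoids that, e.g. `var status = ((((detector.DataSources || {}).Kubernetes || {}).AuditLogs || {}).Status || '').toLowerCase();` followed by `if (status === 'enabled') { /* PASS */ } else { /* FAIL */ }`. The `!listDetectors.data` test in the second guard is dead, since the guard above it already returned on that condition.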
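--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE/spec-for-eksProtectionEnabled.js
@@ -0,0 +1,176 @@
+var expect = require('chai').expect;
+var eksProtectionEnabled = require('./eksProtectionEnabled');
+
+const listDetectors = [
+    "6cc45a4adb18e50f5ba51f6800db03d8"
+];
+
+const getDetector = [
+    {
+        "CreatedAt": "2021-11-16T15:54:17.530Z",
+        "FindingPublishingFrequency": "SIX_HOURS",
+        "ServiceRole": "arn:aws:iam::000011112222:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty",
+        "Status": "ENABLED",
+        "UpdatedAt": "2021-12-01T14:13:59.029Z",
+        "DataSources": {
+            "CloudTrail": {
+                "Status": "ENABLED"
+            },
+            "DNSLogs": {
+                "Status": "ENABLED"
+            },
+            "FlowLogs": {
+                "Status": "ENABLED"
+            },
+            "S3Logs": {
+                "Status": "ENABLED"
+            },
+            "Kubernetes": {
+                "AuditLogs": {
+                    "Status": "ENABLED"
+                }
+            }
+        },
+        "Tags": {}
+    },
+    {
+        "CreatedAt": "2021-11-16T15:54:17.530Z",
+        "FindingPublishingFrequency": "SIX_HOURS",
+        "ServiceRole": "arn:aws:iam::000011112222:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty",
+        "Status": "ENABLED",
+        "UpdatedAt": "2021-12-01T14:13:59.029Z",
+        "DataSources": {
+            "CloudTrail": {
+                "Status": "ENABLED"
+            },
+            "DNSLogs": {
+                "Status": "ENABLED"
+            },
+            "FlowLogs": {
+                "Status": "ENABLED"
+            },
+            "S3Logs": {
+                "Status": "DISABLED"
+            },
+            "Kubernetes": {
+                "AuditLogs": {
+                    "Status": "DISABLED"
+                }
+            }
+        },
+        "Tags": {}
+    }
+];
+
+const createCache = (listDetectors, getDetector) => {
+    let detectorId = (listDetectors.length) ? listDetectors[0] : null;
+    return {
+        guardduty: {
+            listDetectors: {
+                'us-east-1': {
+                    data: listDetectors
+                },
+            },
+            getDetector: {
+                'us-east-1': {
+                    [detectorId]: {
+                        data: getDetector
+                    }
+                }
+            }
+        }
+    };
+};
+
+const createErrorCache = () => {
+    return {
+        guardduty: {
+            listDetectors: {
+                'us-east-1': {
+                    err: {
+                        message: 'error desribing cache clusters'
+                    },
+                },
+            },
+        },
+    };
+};
+
+const createNullCache = () => {
+    return {
+        guardduty: {
+            listDetectors: {
+                'us-east-1': null
+            }
+        }
+    };
+};
+
+
+describe('eksProtectionEnabled', function () {
+    describe('run', function () {
+        it('should FAIL if GuardDuty EKS protection is diabled', function (done) {
+            const cache = createCache(listDetectors, getDetector[1],);
+            eksProtectionEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].region).to.equal('us-east-1');
+                expect(results[0].message).to.include('GuardDuty EKS protection is disabled');
+                done();
+            });
+        });
+
+        it('should PASS if GuardDuty EKS protection is enabled', function (done) {
+            const cache = createCache(listDetectors, getDetector[0]);
+            eksProtectionEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].region).to.equal('us-east-1');
+                expect(results[0].message).to.include('GuardDuty EKS protection is enabled');
+                done();
+            });
+        });
+
+        it('should PASS if no detectors found', function (done) {
+            const cache = createCache([]);
+            eksProtectionEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].region).to.equal('us-east-1');
+                expect(results[0].message).to.include('No GuardDuty detectors found');
+                done();
+            });
+        });
+
+        it('should UNKNOWN unable to list GuardDuty detector', function (done) {
+            const cache = createErrorCache();
+            eksProtectionEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].region).to.equal('us-east-1');
+                expect(results[0].message).to.include('Unable to list GuardDuty detectors:');
+                done();
+            });
+        });
+
+        it('should UNKNOWN unable to get GuardDuty detector', function (done) {
+            const cache = createCache([listDetectors]);
+            eksProtectionEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].region).to.equal('us-east-1');
+                expect(results[0].message).to.include('Unable to get GuardDuty detector: ');
+                done();
+            });
+        });
+
+        it('should not return any result if list dectectors response not found', function (done) {
+            const cache = createNullCache();
+            eksProtectionEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(0);
+                done();
+            });
+        });
+    });
+});
+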
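Review bot: The 'unable to get GuardDuty detector' case builds its fixture with `createCache([listDetectors])`, which nests the id array inside another array; it appears to reach the UNKNOWN branch only because the computed key `[detectorId]` stringifies the inner array back to the id while the plugin receives an array as its detectorId. The intended fixture does not need that coercion: `const cache = createCache(listDetectors);` leaves getDetector undefined and yields the same `{ data: undefined }` entry. None of the cases assert on `results[0].resource`; adding `expect(results[0].resource).to.include('detector/' + listDetectors[0]);` to the PASS and FAIL cases would pin the ARN the plugin reports, and a third fixture whose DataSources has no Kubernetes block would document which status the plugin assigns when the field is absent. The typos in the case titles (`diabled`, `dectectors`) and in the error fixture message (`desribing`) are worth fixing while here.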