From 02a626f3f495b56450d33e07265e60b1d63f8cdb Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Sun, 19 Feb 2023 00:53:21 +0500 Subject: [PATCH 1/8] alb security groups plugin --- exports.js | 1 + .../elbv2/albAssociatedWithSecurityGroup.js | 53 ++++++++ .../albAssociatedWithSecurityGroup.spec.js | 124 ++++++++++++++++++ 3 files changed, 178 insertions(+) create mode 100644 plugins/aws/elbv2/albAssociatedWithSecurityGroup.js create mode 100644 plugins/aws/elbv2/albAssociatedWithSecurityGroup.spec.js diff --git a/exports.js b/exports.js index 8b40dba49e..e86e681cf3 100644 --- a/exports.js +++ b/exports.js @@ -270,6 +270,7 @@ module.exports = { 'elbv2HasTags' : require(__dirname + '/plugins/aws/elbv2/elbv2HasTags.js'), 'elbv2DeprecatedSslPolicies' : require(__dirname + '/plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js'), 'elbv2InsecureCiphers' : require(__dirname + '/plugins/aws/elbv2/elbv2InsecureCiphers.js'), + 'albAssociatedWithSecurityGroup': require(__dirname + '/plugins/aws/elbv2/albAssociatedWithSecurityGroup'), 'elasticacheDefaultPorts' : require(__dirname + '/plugins/aws/elasticache/elasticacheDefaultPorts.js'), diff --git a/plugins/aws/elbv2/albAssociatedWithSecurityGroup.js b/plugins/aws/elbv2/albAssociatedWithSecurityGroup.js new file mode 100644 index 0000000000..ed0fabcd17 --- /dev/null +++ b/plugins/aws/elbv2/albAssociatedWithSecurityGroup.js 
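Review bot: The new registry entry `'albAssociatedWithSecurityGroup': require(__dirname + '/plugins/aws/elbv2/albAssociatedWithSecurityGroup')` in the exports.js hunk omits the `.js` suffix and the aligned spacing before the colon that every neighbouring entry in the same hunk uses. Node resolves the path either way, so this is a style point, but the registry loses its uniform, greppable form. Use `'albAssociatedWithSecurityGroup' : require(__dirname + '/plugins/aws/elbv2/albAssociatedWithSecurityGroup.js'),`. The renamed entry added by patch 3/8 (`'albSecurityGroup' : require(__dirname + '/plugins/aws/elbv2/albSecurityGroup')`) has the same omission.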
@@ -0,0 +1,53 @@ +var async = require('async'); +var helpers = require('../../../helpers/aws'); + +module.exports = { + title: 'ALB Associated With Security Group', + category: 'ELBv2', + domain: 'Content Delivery', + description: 'EEnsure Application Load Balancers are associated with security group.', + more_info: 'It is a security best practice to always have application load balancers associated with security groups to avoid any data loss or unauthorized access..', + link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html', + recommended_action: 'Modify Application Load Balancer and Add Security Groups', + apis: ['ELBv2:describeLoadBalancers'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var regions = helpers.regions(settings); + + async.each(regions.elbv2, function(region, rcb){ + var describeLoadBalancers = helpers.addSource(cache, source, + ['elbv2', 'describeLoadBalancers', region]); + + if (!describeLoadBalancers) return rcb(); + + if (describeLoadBalancers.err || !describeLoadBalancers.data) { + helpers.addResult(results, 3, + 'Unable to query for load balancers: ' + helpers.addError(describeLoadBalancers), + region); + return rcb(); + } + + if (!describeLoadBalancers.data.length) { + helpers.addResult(results, 0, 'No load balancers found', region); + return rcb(); + } + + for (let alb of describeLoadBalancers.data){ + + if (!alb.LoadBalancerArn || (!alb.Type && alb.Type.toLowerCase() === 'application')) continue; + + if (alb.SecurityGroups && alb.SecurityGroups.length){ + helpers.addResult(results, 0, 'Application Load Balancer has security group associated', region,alb.LoadBalancerArn); + } else { + helpers.addResult(results, 2, 'Application Load Balancer does not have security group associated', region,alb.LoadBalancerArn); + } + } + + rcb(); + }, function(){ + callback(null, results, source); + }); + } +}; \ No newline at end of file 
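Review bot: A region whose load balancers are all of a non-application type yields no result at all, because the type check `continue`s past them and the 'No load balancers found' result only fires when `describeLoadBalancers.data` is empty, so such a region silently drops out of the report. As written the condition `(!alb.Type && alb.Type.toLowerCase() === 'application')` never skips anything (patch 6/8 corrects it to `||` / `!==`), and once corrected the gap shows up for any region holding only network or gateway load balancers; if the project's convention is to stay silent for regions without matching resources this is fine, otherwise track it with `var found = false;` before the loop, `found = true;` after the type check, and `if (!found) helpers.addResult(results, 0, 'No application load balancers found', region);` before `rcb();`. The hunk also ends with `\ No newline at end of file`, which the lint commit 2/8 does not fix.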
diff --git a/plugins/aws/elbv2/albAssociatedWithSecurityGroup.spec.js b/plugins/aws/elbv2/albAssociatedWithSecurityGroup.spec.js
new file mode 100644
index 0000000000..0cf131b7c7
--- /dev/null
+++ b/plugins/aws/elbv2/albAssociatedWithSecurityGroup.spec.js
@@ -0,0 +1,124 @@ +var expect = require('chai').expect; +const albAssociatedWithSecurityGroup = require('./albAssociatedWithSecurityGroup'); + +const loadBalancers = [ + { + "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/test-lb-43/8e680c7bace394a7", + "DNSName": "test-lb-43-148538634.us-east-1.elb.amazonaws.com", + "CanonicalHostedZoneId": "Z35SXDOTRQ7X7K", + "CreatedTime": "2020-08-30T22:55:21.030Z", + "LoadBalancerName": "test-lb-43", + "Scheme": "internet-facing", + "VpcId": "vpc-99de2fe4", + "State": { + "Code": "active" + }, + "Type": "application", + "SecurityGroups": [ + "sg-06cccc47e5b3e1ee9" + ], + "IpAddressType": "ipv4" + }, + { + "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/test-lb-43/8e680c7bace394a8", + "DNSName": "test-lb-43-148538634.us-east-1.elb.amazonaws.com", + "CanonicalHostedZoneId": "Z35SXDOTRQ7X7K", + "CreatedTime": "2020-08-30T22:55:21.030Z", + "LoadBalancerName": "test-lb-43", + "Scheme": "internet-facing", + "VpcId": "vpc-99de2fe4", + "State": { + "Code": "active" + }, + "Type": "application", + "SecurityGroups": [], + "IpAddressType": "ipv4" + } +]; + + +const createCache = (elbv2) => { + return { + elbv2:{ + describeLoadBalancers: { + 'us-east-1': { + data: elbv2 + }, + }, + }, + }; +}; + +const createErrorCache = () => { + return { + elbv2: { + describeLoadBalancers: { + 'us-east-1': { + err: { + message: 'error describing load balancers' + }, + }, + }, + } + }; +}; + +const createNullCache = () => { + return { + elbv2: { + describeLoadBalancers: { + 'us-east-1': null, + }, + }, + }; +}; + +describe('albAssociatedWithSecurityGroup', function () { + describe('run', function () { + it('should PASS if load balancer has security groups associated', function (done) { + const cache = createCache([loadBalancers[0]]); + albAssociatedWithSecurityGroup.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + 
expect(results[0].status).to.equal(0); + expect(results[0].region).to.equal('us-east-1'); + expect(results[0].message).include('Application Load Balancer has security group associated'); + done(); + }); + }); + + it('should FAIL if load balancer does not have security groups associated', function (done) { + const cache = createCache([loadBalancers[1]]); + albAssociatedWithSecurityGroup.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].region).to.equal('us-east-1'); + expect(results[0].message).include('Application Load Balancer does not have security group associated'); + done(); + }); + }); + + it('should UNKNOWN if error while describing load balancers', function (done) { + const cache = createErrorCache(); + albAssociatedWithSecurityGroup.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].region).to.equal('us-east-1'); + expect(results[0].message).include('Unable to query for load balancers:'); + done(); + }); + }); + + it('should PASS if no load balancer found', function (done) { + const cache = createCache([]); + albAssociatedWithSecurityGroup.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].region).to.equal('us-east-1'); + expect(results[0].message).include('No load balancers found'); + done(); + }); + }); + + + }); +}); From 4b12a51e6185fb4fea279489d09b46087495a3d4 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Sat, 25 Feb 2023 18:04:44 +0500 Subject: [PATCH 2/8] lint --- plugins/aws/elbv2/albAssociatedWithSecurityGroup.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/aws/elbv2/albAssociatedWithSecurityGroup.js b/plugins/aws/elbv2/albAssociatedWithSecurityGroup.js index ed0fabcd17..94be9f0a27 100644 --- a/plugins/aws/elbv2/albAssociatedWithSecurityGroup.js 
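Review bot: `createNullCache` is defined in this spec but never used, so the `if (!describeLoadBalancers) return rcb();` branch of the plugin has no test, and no fixture exercises a load balancer whose `Type` is not `application`. The null-cache case presumably yields an empty results array (assuming `helpers.addSource` returns the null stored at the region key), and is worth locking in as below; a second fixture with `"Type": "network"` asserting that `run` produces no result for it would guard the type filter, which as written in patch 1/8 does not skip anything and is only corrected in patch 6/8.

```javascript
    // … unchanged: existing PASS / FAIL / UNKNOWN cases …
    it('should give no result if describeLoadBalancers response is null', function (done) {
        const cache = createNullCache();
        albAssociatedWithSecurityGroup.run(cache, {}, (err, results) => {
            expect(results.length).to.equal(0);
            done();
        });
    });
```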
+++ b/plugins/aws/elbv2/albAssociatedWithSecurityGroup.js
@@ -5,8 +5,8 @@ module.exports = {
 title: 'ALB Associated With Security Group',
 category: 'ELBv2',
 domain: 'Content Delivery',
- description: 'EEnsure Application Load Balancers are associated with security group.',
- more_info: 'It is a security best practice to always have application load balancers associated with security groups to avoid any data loss or unauthorized access..',
+ description: 'Ensure Application Load Balancers are associated with security group.',
+ more_info: 'It is a security best practice to always have application load balancers associated with security groups to avoid any data loss or unauthorized access.',
 link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html',
 recommended_action: 'Modify Application Load Balancer and Add Security Groups',
 apis: ['ELBv2:describeLoadBalancers'],
From bb4bbff2e88747e37cd46925d647ed4fc7c1223d Mon Sep 17 00:00:00 2001
From: abdullahaslam306
Date: Tue, 6 Jun 2023 23:44:57 +0500
Subject: [PATCH 3/8] files name changed
---
 config_example.js | 4 ++++
 exports.js | 2 +-
 ...iatedWithSecurityGroup.js => albSecurityGroup.js} | 0
 ...ecurityGroup.spec.js => albSecurityGroup.spec.js} | 12 ++++++------
 4 files changed, 11 insertions(+), 7 deletions(-)
 rename plugins/aws/elbv2/{albAssociatedWithSecurityGroup.js => albSecurityGroup.js} (100%)
 rename plugins/aws/elbv2/{albAssociatedWithSecurityGroup.spec.js => albSecurityGroup.spec.js} (89%)
diff --git a/config_example.js b/config_example.js
index e11d0e7bfd..1e566abc2c 100644
--- a/config_example.js
+++ b/config_example.js
@@ -20,6 +20,10 @@ module.exports = { // session_token: process.env.AWS_SESSION_TOKEN || '', }, azure: { + application_id: process.env.AZURE_APPLICATION_ID || '17e14067-428b-4746-9483-ea033812e642', + key_value: process.env.AZURE_KEY_VALUE || 'VMn8Q~7qds5YBfo7xWh4HRuDybKNIkmOkFMqadtq', + directory_id: process.env.AZURE_DIRECTORY_ID || 'd207c7bd-fcb1-4dd3-855a-cfd2f9b651e8', + subscription_id: process.env.AZURE_SUBSCRIPTION_ID || '26a1a07e-06dd-4892-92c9-e4996b0fc546' // OPTION 1: If using a credential JSON file, enter the path below // credential_file: '/path/to/file.json', // OPTION 2: If using hard-coded credentials, enter them below diff --git a/exports.js b/exports.js index e86e681cf3..50fdc63adc 100644 --- a/exports.js +++ b/exports.js @@ -270,7 +270,7 @@ module.exports = { 'elbv2HasTags' : require(__dirname + '/plugins/aws/elbv2/elbv2HasTags.js'), 'elbv2DeprecatedSslPolicies' : require(__dirname + '/plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js'), 'elbv2InsecureCiphers' : require(__dirname + '/plugins/aws/elbv2/elbv2InsecureCiphers.js'), - 'albAssociatedWithSecurityGroup': require(__dirname + '/plugins/aws/elbv2/albAssociatedWithSecurityGroup'), + 'albSecurityGroup' : require(__dirname + '/plugins/aws/elbv2/albSecurityGroup'), 'elasticacheDefaultPorts' : require(__dirname + '/plugins/aws/elasticache/elasticacheDefaultPorts.js'), diff --git a/plugins/aws/elbv2/albAssociatedWithSecurityGroup.js b/plugins/aws/elbv2/albSecurityGroup.js similarity index 100% rename from plugins/aws/elbv2/albAssociatedWithSecurityGroup.js rename to plugins/aws/elbv2/albSecurityGroup.js diff --git a/plugins/aws/elbv2/albAssociatedWithSecurityGroup.spec.js b/plugins/aws/elbv2/albSecurityGroup.spec.js similarity index 89% rename from plugins/aws/elbv2/albAssociatedWithSecurityGroup.spec.js rename to plugins/aws/elbv2/albSecurityGroup.spec.js index 0cf131b7c7..5d28005eda 100644 --- a/plugins/aws/elbv2/albAssociatedWithSecurityGroup.spec.js 
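Review bot: The four lines added to the `azure` block of `config_example.js` hard-code what looks like a live Azure service-principal credential set (application id, the client secret in `key_value`, tenant and subscription ids) as the fallback used whenever the environment variables are unset, in a file that ships as the sample configuration. Patch 5/8 deletes the lines again, but the values remain in this series' history, so the client secret should be treated as exposed and rotated in Azure AD, and the service principal's sign-in logs reviewed for use in the meantime. The fallbacks should be empty strings as the neighbouring AWS entries do, e.g. `key_value: process.env.AZURE_KEY_VALUE || '',`. A secret-scanning pre-commit hook or CI check would catch this class of mistake before it reaches review.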
+++ b/plugins/aws/elbv2/albSecurityGroup.spec.js @@ -1,5 +1,5 @@ var expect = require('chai').expect; -const albAssociatedWithSecurityGroup = require('./albAssociatedWithSecurityGroup'); +const albSecurityGroup = require('./albSecurityGroup'); const loadBalancers = [ { @@ -73,11 +73,11 @@ const createNullCache = () => { }; }; -describe('albAssociatedWithSecurityGroup', function () { +describe('albSecurityGroup', function () { describe('run', function () { it('should PASS if load balancer has security groups associated', function (done) { const cache = createCache([loadBalancers[0]]); - albAssociatedWithSecurityGroup.run(cache, {}, (err, results) => { + albSecurityGroup.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); expect(results[0].region).to.equal('us-east-1'); @@ -88,7 +88,7 @@ describe('albAssociatedWithSecurityGroup', function () { it('should FAIL if load balancer does not have security groups associated', function (done) { const cache = createCache([loadBalancers[1]]); - albAssociatedWithSecurityGroup.run(cache, {}, (err, results) => { + albSecurityGroup.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); expect(results[0].region).to.equal('us-east-1'); @@ -99,7 +99,7 @@ describe('albAssociatedWithSecurityGroup', function () { it('should UNKNOWN if error while describing load balancers', function (done) { const cache = createErrorCache(); - albAssociatedWithSecurityGroup.run(cache, {}, (err, results) => { + albSecurityGroup.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); expect(results[0].region).to.equal('us-east-1'); 
@@ -110,7 +110,7 @@ describe('albAssociatedWithSecurityGroup', function () { it('should PASS if no load balancer found', function (done) { const cache = createCache([]); - albAssociatedWithSecurityGroup.run(cache, {}, (err, results) => { + albSecurityGroup.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); expect(results[0].region).to.equal('us-east-1'); From 7b45e21baff5b8872daafb42b126a97e6951a50c Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Tue, 6 Jun 2023 23:46:34 +0500 Subject: [PATCH 4/8] test failing --- plugins/aws/lambda/lambdaOldRuntimes.spec.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/aws/lambda/lambdaOldRuntimes.spec.js b/plugins/aws/lambda/lambdaOldRuntimes.spec.js index e5ecabaade..4b6139cba4 100644 --- a/plugins/aws/lambda/lambdaOldRuntimes.spec.js +++ b/plugins/aws/lambda/lambdaOldRuntimes.spec.js @@ -5,7 +5,7 @@ const listFunctions = [ { "FunctionName": "test-lambda", "FunctionArn": "arn:aws:lambda:us-east-1:000011112222:function:test-lambda", - "Runtime": "nodejs12.x", + "Runtime": "nodejs16.x", "Role": "arn:aws:iam::000011112222:role/lambda-role", "Handler": "index.handler", "TracingConfig": { "Mode": "PassThrough" } From 472921919b6324834bb1f55cc0dde6f1af890b88 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Wed, 7 Jun 2023 02:28:13 +0500 Subject: [PATCH 5/8] credential removed --- config_example.js | 4 ---- 1 file changed, 4 deletions(-) diff --git a/config_example.js b/config_example.js index 1e566abc2c..e11d0e7bfd 100644 --- a/config_example.js +++ b/config_example.js 
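Review bot: The fixture change in `lambdaOldRuntimes.spec.js` (`"Runtime": "nodejs12.x"` to `"nodejs16.x"`) is unrelated to the ALB plugin and exists only to make a failing test pass, which suggests the plugin's deprecated-runtime list moved underneath the test; that belongs in its own commit with a message saying so. As far as I know `nodejs16.x` is itself on AWS's deprecation schedule, so this fixture will break the same way again; choosing a runtime well inside support (for example `nodejs18.x`) or deriving the fixture from the plugin's own list of current runtimes would make the test stable.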
@@ -20,10 +20,6 @@ module.exports = { // session_token: process.env.AWS_SESSION_TOKEN || '', }, azure: { - application_id: process.env.AZURE_APPLICATION_ID || '17e14067-428b-4746-9483-ea033812e642', - key_value: process.env.AZURE_KEY_VALUE || 'VMn8Q~7qds5YBfo7xWh4HRuDybKNIkmOkFMqadtq', - directory_id: process.env.AZURE_DIRECTORY_ID || 'd207c7bd-fcb1-4dd3-855a-cfd2f9b651e8', - subscription_id: process.env.AZURE_SUBSCRIPTION_ID || '26a1a07e-06dd-4892-92c9-e4996b0fc546' // OPTION 1: If using a credential JSON file, enter the path below // credential_file: '/path/to/file.json', // OPTION 2: If using hard-coded credentials, enter them below From 518a59d980a374c268a9b55e8bdf03c3fda9a5e0 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Mon, 4 Dec 2023 23:06:04 +0500 Subject: [PATCH 6/8] resolved --- plugins/aws/elbv2/albSecurityGroup.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/plugins/aws/elbv2/albSecurityGroup.js b/plugins/aws/elbv2/albSecurityGroup.js index 94be9f0a27..293a664a4e 100644 --- a/plugins/aws/elbv2/albSecurityGroup.js +++ b/plugins/aws/elbv2/albSecurityGroup.js @@ -36,7 +36,9 @@ module.exports = { for (let alb of describeLoadBalancers.data){ - if (!alb.LoadBalancerArn || (!alb.Type && alb.Type.toLowerCase() === 'application')) continue; + if (!alb.LoadBalancerArn || (!alb.Type || alb.Type.toLowerCase() !== 'application')) { + continue; + } if (alb.SecurityGroups && alb.SecurityGroups.length){ helpers.addResult(results, 0, 'Application Load Balancer has security group associated', region,alb.LoadBalancerArn); From 26ab4e83fed589c3c0be8f66f735c9460e9ec671 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Tue, 5 Dec 2023 13:11:35 +0500 Subject: [PATCH 7/8] Apply suggestions from code review --- plugins/aws/elbv2/albSecurityGroup.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
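Review bot: The corrected filter `(!alb.Type || alb.Type.toLowerCase() !== 'application')` in the `albSecurityGroup.js` hunk now skips non-application load balancers, but no spec case covers it — the fixture set still holds only `application` entries, so a regression to the earlier `&&` form would pass the suite unnoticed. The extra parentheses are also redundant; `if (!alb.LoadBalancerArn || !alb.Type || alb.Type.toLowerCase() !== 'application') continue;` reads the same and matches the single-line guard style used for the ARN check elsewhere in the plugin. Add a fixture with `"Type": "network"` and assert that `run` produces no result for it. The `for` loop this guard sits in continues past the end of the hunk.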
diff --git a/plugins/aws/elbv2/albSecurityGroup.js b/plugins/aws/elbv2/albSecurityGroup.js index 293a664a4e..4ab5c61393 100644 --- a/plugins/aws/elbv2/albSecurityGroup.js +++ b/plugins/aws/elbv2/albSecurityGroup.js @@ -2,13 +2,13 @@ var async = require('async'); var helpers = require('../../../helpers/aws'); module.exports = { - title: 'ALB Associated With Security Group', + title: 'ALB Security Group', category: 'ELBv2', domain: 'Content Delivery', description: 'Ensure Application Load Balancers are associated with security group.', more_info: 'It is a security best practice to always have application load balancers associated with security groups to avoid any data loss or unauthorized access.', link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html', - recommended_action: 'Modify Application Load Balancer and Add Security Groups', + recommended_action: 'Modify Application Load Balancer and add security group.', apis: ['ELBv2:describeLoadBalancers'], run: function(cache, settings, callback) { @@ -41,9 +41,9 @@ module.exports = { } if (alb.SecurityGroups && alb.SecurityGroups.length){ - helpers.addResult(results, 0, 'Application Load Balancer has security group associated', region,alb.LoadBalancerArn); + helpers.addResult(results, 0, 'Application Load Balancer has security group associated', region, alb.LoadBalancerArn); } else { - helpers.addResult(results, 2, 'Application Load Balancer does not have security group associated', region,alb.LoadBalancerArn); + helpers.addResult(results, 2, 'Application Load Balancer does not have security group associated', region, alb.LoadBalancerArn); } } From ba3ff94737dc4833753c50ce2e61dd182c97fa77 Mon Sep 17 00:00:00 2001 
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Tue, 5 Dec 2023 13:13:55 +0500
Subject: [PATCH 8/8] Update plugins/aws/elbv2/albSecurityGroup.js
---
 plugins/aws/elbv2/albSecurityGroup.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/aws/elbv2/albSecurityGroup.js b/plugins/aws/elbv2/albSecurityGroup.js
index 4ab5c61393..095e2faf8d 100644
--- a/plugins/aws/elbv2/albSecurityGroup.js
+++ b/plugins/aws/elbv2/albSecurityGroup.js
@@ -5,7 +5,7 @@ module.exports = {
 title: 'ALB Security Group',
 category: 'ELBv2',
 domain: 'Content Delivery',
- description: 'Ensure Application Load Balancers are associated with security group.',
+ description: 'Ensures that Application Load Balancer has security group associated.',
 more_info: 'It is a security best practice to always have application load balancers associated with security groups to avoid any data loss or unauthorized access.',
 link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html',
 recommended_action: 'Modify Application Load Balancer and add security group.',