modification/SAAS-2065: Modified BigQuery, Kubernetes and DNS plugin …

…to display resource names (aquasecurity#797) * SPLOIT-113: Added Plain Text Parameters plugin for CloudFormation * Added vpcEndpointAcceptance plugin and spec file * SPLOIT-113: Added Plain Text Parameters plugin for CloudFormation * Added plugin and spec file for launch wizard security groups * Refactored code in plaintextParameters plugin and spec file * SPLOIT-113: Updated custom settings * Made PR requested changes * SPLOIT-113: Added regex to check if NoEcho is enabled * Accommodated PR changes * Fixed eslint issues * Update exports.js * Fixed eslint issues * Update index.js * Update index.js * Added cloudformation in china and gov regions * Accomodated PR changes * Updated status in result of failure * SPLOIT-113: Added Plain Text Parameters plugin for CloudFormation * Added plugin and spec file for launch wizard security groups * Added vpcEndpointAcceptance plugin and spec file * Refactored code in plaintextParameters plugin and spec file * SPLOIT-113: Updated custom settings * Made PR requested changes * SPLOIT-113: Added regex to check if NoEcho is enabled * Accommodated PR changes * Fixed eslint issues * Update index.js * Update index.js * Accomodated PR changes * Updated status in result of failure * SPLOIT-113: Added Plain Text Parameters plugin for CloudFormation * Added plugin and spec file for launch wizard security groups * Added vpcEndpointAcceptance plugin and spec file * Refactored code in plaintextParameters plugin and spec file * SPLOIT-113: Updated custom settings * Made PR requested changes * SPLOIT-113: Added regex to check if NoEcho is enabled * Accommodated PR changes * Fixed eslint issues * Update index.js * Update index.js * Accomodated PR changes * Updated status in result of failure * SPLOIT-113: Added Plain Text Parameters plugin for CloudFormation * SPLOIT-113: Added Plain Text Parameters plugin for CloudFormation * Added plugin and spec file for launch wizard security groups * Added vpcEndpointAcceptance plugin and spec file * Refactored code in plaintextParameters plugin and spec file * SPLOIT-113: Updated custom settings * Made PR requested changes * SPLOIT-113: Added regex to check if NoEcho is enabled * Accommodated PR changes * Fixed eslint issues * Update exports.js * Update index.js * Update index.js * Accomodated PR changes * Updated status in result of failure * Removed unnecesary rebase changes * Added superlinter * Added scans ci * Updated Ci file * Updated Node version in CI file * removed spech check command * Delete scan_ci.yml * Added spellcheck * HOTFIX/sqs-public-access: Logic will check policy condition as well * Modified BigQuery, Kubernetes and DNS plugin to display resource names
pmalkki · Jul 15, 2021 · 90b0197 · 90b0197
1 parent 2e4224a
commit 90b0197
Show file tree

Hide file tree

Showing 43 changed files with 667 additions and 121 deletions.
diff --git a/helpers/google/functions.js b/helpers/google/functions.js
@@ -258,12 +258,35 @@ function listToObj(resultObj, listData, onKey) {
     });
 }
 
+function createResourceName(resourceType, resourceId, project, locationType, location) {
+    let resourceName = '';
+    if (project) resourceName = `projects/${project}/`;
+    switch(locationType) {
+        case 'global':
+            resourceName = `${resourceName}global/${resourceType}/${resourceId}`;
+            break;
+        case 'region':
+            resourceName = `${resourceName}regions/${location}/${resourceType}/${resourceId}`;
+            break;
+        case 'zone':
+            resourceName = `${resourceName}zones/${location}/${resourceType}/${resourceId}`;
+            break;
+        case 'location':
+            resourceName = `${resourceName}locations/${location}/${resourceType}/${resourceId}`;
+            break;
+        default:
+            resourceName = `${resourceName}${resourceType}/${resourceId}`;
+    }
+    return resourceName;
+}
+
 module.exports = {
     addResult: addResult,
     findOpenPorts: findOpenPorts,
     findOpenAllPorts: findOpenAllPorts,
     hasBuckets: hasBuckets,
     createResourceName: createResourceName,
     getProtectionLevel: getProtectionLevel,
-    listToObj: listToObj
+    listToObj: listToObj,
+    createResourceName: createResourceName
 };
diff --git a/plugins/google/bigquery/datasetAllUsersPolicy.js b/plugins/google/bigquery/datasetAllUsersPolicy.js
@@ -8,13 +8,24 @@ module.exports = {
     more_info: 'Granting permissions to allUsers or allAuthenticatedUsers allows anyone to access the dataset. Such access might not be desirable if sensitive data is being stored in the dataset.',
     link: 'https://cloud.google.com/bigquery/docs/dataset-access-controls',
     recommended_action: 'Ensure that each dataset is configured so that no member is set to allUsers or allAuthenticatedUsers.',
-    apis: ['datasets:list', 'datasets:get'],
+    apis: ['datasets:list', 'datasets:get', 'projects:get'],
 
     run: function(cache, settings, callback) {
         var results = [];
         var source = {};
         var regions = helpers.regions();
 
+        let projects = helpers.addSource(cache, source,
+            ['projects','get', 'global']);
+
+        if (!projects || projects.err || !projects.data || !projects.data.length) {
+            helpers.addResult(results, 3,
+                'Unable to query for projects: ' + helpers.addError(projects), 'global', null, null, (projects) ? projects.err : null);
+            return callback(null, results, source);
+        }
+
+        var project = projects.data[0].name;
+
         async.each(regions.datasets, function(region, rcb){
             let datasetsGet = helpers.addSource(cache, source,
                 ['datasets', 'get', region]);
@@ -34,6 +45,7 @@ module.exports = {
             async.each(datasetsGet.data, (dataset, dcb) => {
                 if (!dataset.id) return dcb();
 
+                let resource = helpers.createResourceName('datasets', dataset.id.split(':')[1] || dataset.id, project);
                 var permissionStr = [];
                 if (dataset.access) {
                     for (let rolePermission of dataset.access) {
@@ -49,14 +61,14 @@ module.exports = {
 
                     if (permissionStr.length) {
                         helpers.addResult(results, 2,
-                            `BigQuery dataset provides ${permissionStr.join(',')}`, region, dataset.id);
+                            `BigQuery dataset provides ${permissionStr.join(',')}`, region, resource);
                     } else {
                         helpers.addResult(results, 0,
-                            'BigQuery dataset does not provide public access', region, dataset.id);
+                            'BigQuery dataset does not provide public access', region, resource);
                     }
                 } else {
                     helpers.addResult(results, 0,
-                        'BigQuery dataset does not provide public access', region, dataset.id);
+                        'BigQuery dataset does not provide public access', region, resource);
                 }
             });
 

diff --git a/plugins/google/bigquery/datasetAllUsersPolicy.spec.js b/plugins/google/bigquery/datasetAllUsersPolicy.spec.js
@@ -46,6 +46,13 @@ const createCache = (err, data) => {
                     data: data
                 }
             }
+        },
+        projects: {
+            get: {
+                'global': {
+                    data: [ { name: 'testproj' }]
+                }
+            }
         }
     }
 };

diff --git a/plugins/google/dns/dnsSecEnabled.js b/plugins/google/dns/dnsSecEnabled.js
@@ -8,13 +8,24 @@ module.exports = {
     more_info: 'DNS Security is a feature that authenticates all responses to domain name lookups. This prevents attackers from committing DNS hijacking or man in the middle attacks.',
     link: 'https://cloud.google.com/dns/docs/dnssec',
     recommended_action: 'Ensure DNSSEC is enabled for all managed zones in the cloud DNS service.',
-    apis: ['managedZones:list'],
+    apis: ['managedZones:list', 'projects:get'],
 
     run: function(cache, settings, callback) {
         var results = [];
         var source = {};
         var regions = helpers.regions();
 
+        let projects = helpers.addSource(cache, source,
+            ['projects','get', 'global']);
+
+        if (!projects || projects.err || !projects.data || !projects.data.length) {
+            helpers.addResult(results, 3,
+                'Unable to query for projects: ' + helpers.addError(projects), 'global', null, null, (projects) ? projects.err : null);
+            return callback(null, results, source);
+        }
+
+        var project = projects.data[0].name;
+
         async.each(regions.managedZones, function(region, rcb){
             let managedZones = helpers.addSource(cache, source,
                 ['managedZones', 'list', region]);
@@ -32,16 +43,17 @@ module.exports = {
             }
 
             managedZones.data.forEach(managedZone => {
-               if (!managedZone.dnssecConfig ||
-                    (managedZone.dnssecConfig &&
-                        (!managedZone.dnssecConfig.state ||
-                            (managedZone.dnssecConfig.state &&
-                             managedZone.dnssecConfig.state !== 'on')))) {
-                   helpers.addResult(results, 2,
-                       `The managed zone does not have DNS security enabled`, region, managedZone.id);
-               } else {
-                   helpers.addResult(results, 0, 'The managed zone has DNS security enabled', region, managedZone.id);
-               }
+                let resource = helpers.createResourceName('zones', managedZone.name, project);
+                if (!managedZone.dnssecConfig ||
+                        (managedZone.dnssecConfig &&
+                            (!managedZone.dnssecConfig.state ||
+                                (managedZone.dnssecConfig.state &&
+                                managedZone.dnssecConfig.state !== 'on')))) {
+                    helpers.addResult(results, 2,
+                        `The managed zone does not have DNS security enabled`, region, resource);
+                } else {
+                    helpers.addResult(results, 0, 'The managed zone has DNS security enabled', region, resource);
+                }
             });
 
             rcb();

diff --git a/plugins/google/dns/dnsSecEnabled.spec.js b/plugins/google/dns/dnsSecEnabled.spec.js
@@ -11,6 +11,13 @@ const createCache = (err, data) => {
                     data: data
                 }
             }
+        },
+        projects: {
+            get: {
+                'global': {
+                    data: [ { name: 'testproj' }]
+                }
+            }
         }
     }
 };

diff --git a/plugins/google/dns/dnsSecSigningAlgorithm.js b/plugins/google/dns/dnsSecSigningAlgorithm.js
@@ -8,13 +8,24 @@ module.exports = {
     more_info: 'DNS Security is a feature that authenticates all responses to domain name lookups. This prevents attackers from committing DNS hijacking or man in the middle attacks.',
     link: 'https://cloud.google.com/dns/docs/dnssec',
     recommended_action: 'Ensure that all managed zones using DNSSEC are not using the RSASHA1 algorithm for key or zone signing.',
-    apis: ['managedZones:list'],
+    apis: ['managedZones:list', 'projects:get'],
 
     run: function(cache, settings, callback) {
         var results = [];
         var source = {};
         var regions = helpers.regions();
 
+        let projects = helpers.addSource(cache, source,
+            ['projects','get', 'global']);
+
+        if (!projects || projects.err || !projects.data || !projects.data.length) {
+            helpers.addResult(results, 3,
+                'Unable to query for projects: ' + helpers.addError(projects), 'global', null, null, (projects) ? projects.err : null);
+            return callback(null, results, source);
+        }
+
+        var project = projects.data[0].name;
+
         async.each(regions.managedZones, function(region, rcb){
             let managedZones = helpers.addSource(cache, source,
                 ['managedZones', 'list', region]);
@@ -33,6 +44,8 @@ module.exports = {
             }
 
             managedZones.data.forEach(managedZone => {
+                let resource = helpers.createResourceName('zones', managedZone.name, project);
+
                 if (managedZone.dnssecConfig &&
                     managedZone.dnssecConfig.state &&
                     managedZone.dnssecConfig.state === 'on' &&
@@ -42,25 +55,25 @@ module.exports = {
                         if (keySpec.keyType === 'keySigning') {
                             if (keySpec.algorithm.toLowerCase() === 'rsasha1') {
                                 helpers.addResult(results, 2,
-                                    'RSASHA1 algorithm is being used for key signing', region, managedZone.id);
+                                    'RSASHA1 algorithm is being used for key signing', region, resource);
                             } else {
                                 helpers.addResult(results, 0,
-                                    'RSASHA1 algorithm is not being for key signing', region, managedZone.id);
+                                    'RSASHA1 algorithm is not being for key signing', region, resource);
                             }
                         } else if (keySpec.keyType === 'zoneSigning') {
                             if (keySpec.algorithm.toLowerCase() === 'rsasha1') {
                                 helpers.addResult(results, 2,
-                                    'RSASHA1 algorithm is being used for zone signing', region, managedZone.id);
+                                    'RSASHA1 algorithm is being used for zone signing', region, resource);
                             } else {
                                 helpers.addResult(results, 0,
-                                    'RSASHA1 algorithm is not being used for zone signing', region, managedZone.id);
+                                    'RSASHA1 algorithm is not being used for zone signing', region, resource);
                             }
                         }
                     });
                 } else {
                     // DNSSEC not enabled
                     helpers.addResult(results, 0,
-                        'RSASHA1 algorithm is not being used for zone signing', region, managedZone.id);
+                        'RSASHA1 algorithm is not being used for zone signing', region, resource);
                 }
             });
 

diff --git a/plugins/google/dns/dnsSecSigningAlgorithm.spec.js b/plugins/google/dns/dnsSecSigningAlgorithm.spec.js
@@ -11,6 +11,13 @@ const createCache = (err, data) => {
                     data: data
                 }
             }
+        },
+        projects: {
+            get: {
+                'global': {
+                    data: [ { name: 'testproj' }]
+                }
+            }
         }
     }
 };

diff --git a/plugins/google/kubernetes/aliasIpRangesEnabled.js b/plugins/google/kubernetes/aliasIpRangesEnabled.js
@@ -8,13 +8,24 @@ module.exports = {
     more_info: 'Alias IP ranges allow users to assign ranges of internal IP addresses as alias to a network interface.',
     link: 'https://cloud.google.com/monitoring/kubernetes-engine/',
     recommended_action: 'Ensure that Kubernetes clusters have alias IP ranges enabled.',
-    apis: ['clusters:list'],
+    apis: ['clusters:list', 'projects:get'],
 
     run: function(cache, settings, callback) {
         var results = [];
         var source = {};
         var regions = helpers.regions();
 
+        let projects = helpers.addSource(cache, source,
+            ['projects','get', 'global']);
+
+        if (!projects || projects.err || !projects.data || !projects.data.length) {
+            helpers.addResult(results, 3,
+                'Unable to query for projects: ' + helpers.addError(projects), 'global', null, null, (projects) ? projects.err : null);
+            return callback(null, results, source);
+        }
+
+        var project = projects.data[0].name;
+
         async.each(regions.clusters, function(region, rcb){
             let clusters = helpers.addSource(cache, source,
                 ['clusters', 'list', region]);
@@ -32,11 +43,17 @@ module.exports = {
             }
 
             clusters.data.forEach(cluster => {
+                let location;
+                if (cluster.locations) {
+                    location = cluster.locations.length === 1 ? cluster.locations[0] : cluster.locations[0].substring(0, cluster.locations[0].length - 2);
+                } else location = region;
+
+                let resource = helpers.createResourceName('clusters', cluster.name, project, 'location', location);
                 if (cluster.ipAllocationPolicy &&
                     cluster.ipAllocationPolicy.useIpAliases) {
-                    helpers.addResult(results, 0, 'Kubernetes alias IP ranges enabled', region, cluster.name);
+                    helpers.addResult(results, 0, 'Kubernetes alias IP ranges enabled', region, resource);
                 } else {
-                    helpers.addResult(results, 2, 'Kubernetes alias IP ranges disabled', region, cluster.name);
+                    helpers.addResult(results, 2, 'Kubernetes alias IP ranges disabled', region, resource);
 
                 }
             });

diff --git a/plugins/google/kubernetes/aliasIpRangesEnabled.spec.js b/plugins/google/kubernetes/aliasIpRangesEnabled.spec.js
@@ -11,6 +11,13 @@ const createCache = (err, data) => {
                     data: data
                 }
             }
+        },
+        projects: {
+            get: {
+                'global': {
+                    data: [ { name: 'testproj' }]
+                }
+            }
         }
     }
 };

diff --git a/plugins/google/kubernetes/autoNodeRepairEnabled.js b/plugins/google/kubernetes/autoNodeRepairEnabled.js
@@ -8,13 +8,24 @@ module.exports = {
     more_info: 'When automatic repair on nodes is enabled, the Kubernetes engine performs health checks on all nodes, automatically repairing nodes that fail health checks. This ensures that the Kubernetes environment stays optimal.',
     link: 'https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-repair',
     recommended_action: 'Ensure that automatic node repair is enabled on all node pools in Kubernetes clusters',
-    apis: ['clusters:list'],
+    apis: ['clusters:list', 'projects:get'],
 
     run: function(cache, settings, callback) {
         var results = [];
         var source = {};
         var regions = helpers.regions();
 
+        let projects = helpers.addSource(cache, source,
+            ['projects','get', 'global']);
+
+        if (!projects || projects.err || !projects.data || !projects.data.length) {
+            helpers.addResult(results, 3,
+                'Unable to query for projects: ' + helpers.addError(projects), 'global', null, null, (projects) ? projects.err : null);
+            return callback(null, results, source);
+        }
+
+        var project = projects.data[0].name;
+
         async.each(regions.clusters, function(region, rcb){
             let clusters = helpers.addSource(cache, source,
                 ['clusters', 'list', region]);
@@ -32,20 +43,32 @@ module.exports = {
             }
 
             clusters.data.forEach(cluster => {
+                let location;
+                if (cluster.locations) {
+                    location = cluster.locations.length === 1 ? cluster.locations[0] : cluster.locations[0].substring(0, cluster.locations[0].length - 2);
+                } else location = region;
+
+                let found = false;
+                let nonAutoRepairNodes = [];
+                let resource = helpers.createResourceName('clusters', cluster.name, project, 'location', location);
                 if (cluster.nodePools &&
                     cluster.nodePools.length) {
+                    found = true;
                     cluster.nodePools.forEach(nodePool => {
-                        if (nodePool.management &&
-                            nodePool.management.autoRepair) {
-                            helpers.addResult(results, 0,
-                                `Auto repair is enabled for the node pool of the cluster: ${cluster.name}`, region, nodePool.name);
-                        } else {
-                            helpers.addResult(results, 2,
-                                `Auto repair is disabled for the node pool of the cluster: ${cluster.name}`, region, nodePool.name);
-                        }
-                    })
+                        if (!nodePool.management || !nodePool.management.autoRepair) nonAutoRepairNodes.push(nodePool.name);
+                    });
+                }
+
+                if (nonAutoRepairNodes.length) {
+                    helpers.addResult(results, 2,
+                        `Auto repair is disabled for these node pools: ${nonAutoRepairNodes.join(', ')}`, region, resource);
                 } else {
-                    helpers.addResult(results, 0, 'No node pools found', region, cluster.name);
+                    helpers.addResult(results, 0,
+                        'Auto repair is enabled for all node pools', region, resource);
+                }
+
+                if (!found) {
+                    helpers.addResult(results, 0, 'No node pools found', region, resource);
                 }
             });