Merge branch 'master' of github.com:cloudsploit/scans
matthewdfuller committed May 17, 2019
2 parents 294b7d2 + 941b827 commit 3af5b43
Showing 9 changed files with 108 additions and 90 deletions.
4 changes: 3 additions & 1 deletion README.md
@@ -1,4 +1,6 @@
[![CloudSploit](https://cloudsploit.com/img/logo-big-text-100.png "CloudSploit")](https://cloudsploit.com)
[<img src="https://cloudsploit.com/images/logos/text-color-black-png.png" height="130">](https://cloudsploit.com)

[![Build Status](https://travis-ci.org/cloudsploit/scans.svg?branch=master)](https://travis-ci.org/cloudsploit/scans)

CloudSploit Scans
=================
8 changes: 4 additions & 4 deletions compliance/all.js
@@ -1,12 +1,12 @@
// Defines a way of filters that includes all rules. This is the default
// compliance filter if there is no other defined filter.
module.exports = {
describe: function(pluginId, plugin) {
return ''
describe: function (pluginId, plugin) {
return '';
},

includes: function (pluginId, plugin) {
// We include all plugins, so just return true
return true
return true;
}
}
};
109 changes: 61 additions & 48 deletions compliance/cis.js
@@ -1,220 +1,233 @@
// These rule mappings are based on CIS Amazon Web Services Foundation v1.2.0 - 05-23-2018
// These rule mappings are based on CIS Amazon Web Services Foundation v1.2.0
// dated 05-23-2018

var controls = {
'rootAccountInUse': {
rootAccountInUse: {
awsid: '1.1',
profile: 1,
scored: true,
title: 'Avoid the use of the "root" account'
},

'usersMfaEnabled': {
usersMfaEnabled: {
awsid: '1.2',
profile: 1,
scored: true,
title: ' Ensure multi-factor authentication (MFA) is enabled for all IAM ' +
'users that have a console password'
title: ' Ensure multi-factor authentication (MFA) is enabled for all '
+ 'IAM users that have a console password'
},

'usersPasswordLastUsed': {
usersPasswordLastUsed: {
awsid: '1.3',
profile: 1,
scored: true,
title: 'Ensure credentials unused for 90 days or greater are disabled'
},

'accessKeysLastUsed': {
accessKeysLastUsed: {
awsid: '1.3',
profile: 1,
scored: true,
title: 'Ensure credentials unused for 90 days or greater are disabled'
},

'accessKeysRotated': {
accessKeysRotated: {
awsid: '1.4',
profile: 1,
scored: true,
title: 'Ensure access keys are rotated every 90 days or less'
},

'passwordRequiresUppercase': {
passwordRequiresUppercase: {
awsid: '1.5',
profile: 1,
scored: true,
title: 'Ensure IAM password policy requires at least one uppercase letter'
title: 'Ensure IAM password policy requires at least one uppercase '
+ 'letter'
},

'passwordRequiresLowercase': {
passwordRequiresLowercase: {
awsid: '1.6',
profile: 1,
scored: true,
title: ' Ensure IAM password policy require at least one lowercase letter'
title: ' Ensure IAM password policy require at least one lowercase '
+ 'letter'
},

'passwordRequiresSymbols': {
passwordRequiresSymbols: {
awsid: '1.7',
profile: 1,
scored: true,
title: ' Ensure IAM password policy require at least one symbol'
},

'passwordRequiresNumbers': {
passwordRequiresNumbers: {
awsid: '1.8',
profile: 1,
scored: true,
title: 'Ensure IAM password policy require at least one number'
},

'minPasswordLength': {
minPasswordLength: {
awsid: '1.9',
profile: 1,
scored: true,
title: 'Ensure IAM password policy requires minimum length of 14 or greater'
title: 'Ensure IAM password policy requires minimum length of 14 or '
+ 'greater'
},

'passwordReusePrevention': {
passwordReusePrevention: {
awsid: '1.10',
profile: 1,
scored: true,
title: 'Ensure IAM password policy prevents password reuse'
},

'passwordExpiration': {
passwordExpiration: {
awsid: '1.11',
profile: 1,
scored: true,
title: 'Ensure IAM password policy expires passwords within 90 days or less'
title: 'Ensure IAM password policy expires passwords within 90 days or '
+ 'less'
},

'rootAccessKeys': {
rootAccessKeys: {
awsid: '1.12',
profile: 1,
scored: true,
title: 'Ensure no root account access key exists'
},

'rootMfaEnabled': {
rootMfaEnabled: {
awsid: '1.13',
profile: 1,
scored: true,
title: 'Ensure MFA is enabled for the "root" account'
},

'noUserIamPolicies': {
noUserIamPolicies: {
awsid: '1.16',
profile: 1,
scored: true,
title: 'Ensure IAM policies are attached only to groups or roles'
},

'cloudtrailEnabled': {
cloudtrailEnabled: {
awsid: '2.1',
profile: 1,
scored: true,
title: 'Ensure CloudTrail is enabled in all regions'
},

'cloudtrailFileValidation': {
cloudtrailFileValidation: {
awsid: '2.2',
profile: 2,
scored: true,
title: 'Ensure CloudTrail log file validation is enabled'
},

'cloudtrailBucketPrivate': {
cloudtrailBucketPrivate: {
awsid: '2.3',
profile: 1,
scored: true,
title: 'Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible'
title: 'Ensure the S3 bucket used to store CloudTrail logs is not '
+ 'publicly accessible'
},

'cloudtrailToCloudwatch': {
cloudtrailToCloudwatch: {
awsid: '2.4',
profile: 1,
scored: true,
title: 'Ensure CloudTrail trails are integrated with CloudWatch Logs'
},

'configServiceEnabled': {
configServiceEnabled: {
awsid: '2.5',
profile: 1,
scored: true,
title: ' Ensure AWS Config is enabled in all regions'
},

'cloudtrailBucketAccessLogging': {
cloudtrailBucketAccessLogging: {
awsid: '2.6',
profile: 1,
scored: true,
title: ' Ensure AWS Config is enabled in all regions'
},

'cloudtrailEncryption' : {
cloudtrailEncryption: {
awsid: '2.7',
profile: 2,
scored: true,
title: 'Ensure CloudTrail logs are encrypted at rest using KMS CMKs'
},

'kmsKeyRotation': {
kmsKeyRotation: {
awsid: '2.8',
profile: 2,
scored: true,
title: 'Ensure rotation for customer created CMKs is enabled'
},

'flowLogsEnabled': {
flowLogsEnabled: {
awsid: '2.8',
profile: 2,
scored: true,
title: 'Ensure VPC flow logging is enabled in all VPCs'
},


'monitoringMetrics': {
monitoringMetrics: {
awsid: '3',
profile: 1,
scored: true,
title: 'Monitoring'
},
'openSSH': {

openSSH: {
awsid: '4.1',
profile: 1,
scored: true,
title: 'Ensure no security groups allow ingress from 0.0.0.0/0 to port 22'
title: 'Ensure no security groups allow ingress from 0.0.0.0/0 to '
+ 'port 22'
},

'openRDP': {
openRDP: {
awsid: '4.2',
profile: 1,
scored: true,
title: 'Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389'
title: 'Ensure no security groups allow ingress from 0.0.0.0/0 to '
+ 'port 3389'
},

'defaultSecurityGroup': {
defaultSecurityGroup: {
awsid: '4.3',
profile: 2,
scored: true,
title: 'Ensure the default security group of every VPC restricts all traffic'
title: 'Ensure the default security group of every VPC restricts all '
+ 'traffic'
}
}
};

var maxProfileLevel = -1
var maxProfileLevel = -1;

// Defines a way of filtering plugins for those plugins that are related to
// PCI controls. The PCI information is defined inline, so this compliance
// checks for that information on the plugin.
module.exports = {
describe: function(pluginId, plugin) {
return controls[pluginId].title
describe: function (pluginId, plugin) {
return controls[pluginId].title;
},

includes: function (pluginId, plugin) {
return maxProfileLevel <= 0 ? controls.hasOwnProperty(pluginId) : (controls.hasOwnProperty(pluginId) && controls[pluginId].profile <= maxProfileLevel)
if (maxProfileLevel <= 0) {
return controls.hasOwnProperty(pluginId);
}

return controls.hasOwnProperty(pluginId)
&& controls[pluginId].profile <= maxProfileLevel;
},

setMaxProfile: function (level) {
maxProfileLevel = level
maxProfileLevel = level;
}
}
};
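Review bot: Two entries in the control table are wrong on the new side and the reformat did not touch them: `cloudtrailBucketAccessLogging` (awsid 2.6) carries the 2.5 title `'Ensure AWS Config is enabled in all regions'`, and `flowLogsEnabled` is numbered `awsid: '2.8'`, colliding with `kmsKeyRotation`. In CIS AWS Foundations v1.2.0, 2.6 is 'Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket' and VPC flow logging is 2.9, so reports built from this file mis-describe one check and mis-number another. The comment above the export near the end of the hunk still says the filter is for `PCI controls`, which looks copied from pci.js and should read `CIS controls`. `describe` also indexes `controls[pluginId].title` without a guard, so a plugin id outside the table throws a TypeError instead of returning an empty string as all.js does; `return controls[pluginId] ? controls[pluginId].title : '';` makes it safe to call before `includes`.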
16 changes: 8 additions & 8 deletions compliance/controls.js
@@ -1,7 +1,7 @@
module.exports = {
create: function (names) {
// We we don't have a specified compliance, then include all plugins
if (names.length == 0) {
if (names.length === 0) {
return require('./all.js');
}

Expand All @@ -16,16 +16,16 @@ module.exports = {
return require('./cis.js');
} else if (names.includes('cis-1')) {
console.log('INFO: Compliance mode: CIS Profile 1');
var cis = require('./cis.js');
cis.setMaxProfile(1);
return cis;
var cis1 = require('./cis.js');
cis1.setMaxProfile(1);
return cis1;
} else if (names.includes('cis-2')) {
console.log('INFO: Compliance mode: CIS Profile 2');
var cis = require('./cis.js');
cis.setMaxProfile(2);
return cis;
var cis2 = require('./cis.js');
cis2.setMaxProfile(2);
return cis2;
}

return null;
}
}
};
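Review bot: The `cis`, `cis-1` and `cis-2` branches all `require('./cis.js')`, which Node caches as a single module object, so `setMaxProfile(1)` or `setMaxProfile(2)` mutates state shared by every later caller; if `create` runs more than once in a process, a plain `cis` request after a `cis-1` request would presumably still be filtered to profile 1, since that branch never resets the level. Resetting explicitly in the plain branch, `var cis = require('./cis.js'); cis.setMaxProfile(-1); return cis;`, restores the default the module starts with (`maxProfileLevel = -1`) and makes the three branches symmetric. The first hunk's comment `// We we don't have a specified compliance` has a doubled word; `// If we don't have a specified compliance` reads as intended. `create` spans both hunks, so the middle of its body is outside what is shown.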
8 changes: 4 additions & 4 deletions compliance/hipaa.js
Expand Up @@ -2,11 +2,11 @@
// HIPAA controls. The HIPAA information is defined inline, so this compliance
// checks for that information on the plugin.
module.exports = {
describe: function(pluginId, plugin) {
return plugin.compliance && plugin.compliance.hipaa
describe: function (pluginId, plugin) {
return plugin.compliance && plugin.compliance.hipaa;
},

includes: function (pluginId, plugin) {
return plugin.compliance && plugin.compliance.hipaa
return plugin.compliance && plugin.compliance.hipaa;
}
}
};
8 changes: 4 additions & 4 deletions compliance/pci.js
Expand Up @@ -2,11 +2,11 @@
// PCI controls. The PCI information is defined inline, so this compliance
// checks for that information on the plugin.
module.exports = {
describe: function(pluginId, plugin) {
return plugin.compliance && plugin.compliance.pci
describe: function (pluginId, plugin) {
return plugin.compliance && plugin.compliance.pci;
},

includes: function (pluginId, plugin) {
return plugin.compliance && plugin.compliance.pci
return plugin.compliance && plugin.compliance.pci;
}
}
};
2 changes: 1 addition & 1 deletion postprocess/output.js
Expand Up @@ -301,4 +301,4 @@ module.exports = {
}
}
}
}
}