From eff147e064464ac0bf12e00d6a2d1ba867813c5d Mon Sep 17 00:00:00 2001 From: Garret Fick Date: Thu, 16 May 2019 08:31:19 -0400 Subject: [PATCH] Fix some styling to match the existing decisions (#174) --- compliance/all.js | 8 +-- compliance/cis.js | 109 ++++++++++++++++++++--------------- compliance/controls.js | 16 ++--- compliance/hipaa.js | 8 +-- compliance/pci.js | 8 +-- postprocess/output.js | 2 +- postprocess/suppress.js | 8 +-- postprocess/suppress.spec.js | 35 ++++++----- 8 files changed, 105 insertions(+), 89 deletions(-) diff --git a/compliance/all.js b/compliance/all.js index 895041fa98..f98b986630 100644 --- a/compliance/all.js +++ b/compliance/all.js @@ -1,12 +1,12 @@ // Defines a way of filters that includes all rules. This is the default // compliance filter if there is no other defined filter. module.exports = { - describe: function(pluginId, plugin) { - return '' + describe: function (pluginId, plugin) { + return ''; }, includes: function (pluginId, plugin) { // We include all plugins, so just return true - return true + return true; } -} \ No newline at end of file +}; diff --git a/compliance/cis.js b/compliance/cis.js index a8137f45a5..d45f52eec3 100644 --- a/compliance/cis.js +++ b/compliance/cis.js 
@@ -1,220 +1,233 @@ -// These rule mappings are based on CIS Amazon Web Services Foundation v1.2.0 - 05-23-2018 +// These rule mappings are based on CIS Amazon Web Services Foundation v1.2.0 +// dated 05-23-2018 var controls = { - 'rootAccountInUse': { + rootAccountInUse: { awsid: '1.1', profile: 1, scored: true, title: 'Avoid the use of the "root" account' }, - 'usersMfaEnabled': { + usersMfaEnabled: { awsid: '1.2', profile: 1, scored: true, - title: ' Ensure multi-factor authentication (MFA) is enabled for all IAM ' + - 'users that have a console password' + title: ' Ensure multi-factor authentication (MFA) is enabled for all ' + + 'IAM users that have a console password' }, - 'usersPasswordLastUsed': { + usersPasswordLastUsed: { awsid: '1.3', profile: 1, scored: true, title: 'Ensure credentials unused for 90 days or greater are disabled' }, - 'accessKeysLastUsed': { + accessKeysLastUsed: { awsid: '1.3', profile: 1, scored: true, title: 'Ensure credentials unused for 90 days or greater are disabled' }, - 'accessKeysRotated': { + accessKeysRotated: { awsid: '1.4', profile: 1, scored: true, title: 'Ensure access keys are rotated every 90 days or less' }, - 'passwordRequiresUppercase': { + passwordRequiresUppercase: { awsid: '1.5', profile: 1, scored: true, - title: 'Ensure IAM password policy requires at least one uppercase letter' + title: 'Ensure IAM password policy requires at least one uppercase ' + + 'letter' }, - 'passwordRequiresLowercase': { + passwordRequiresLowercase: { awsid: '1.6', profile: 1, scored: true, - title: ' Ensure IAM password policy require at least one lowercase letter' + title: ' Ensure IAM password policy require at least one lowercase ' + + 'letter' }, - 'passwordRequiresSymbols': { + passwordRequiresSymbols: { awsid: '1.7', profile: 1, scored: true, title: ' Ensure IAM password policy require at least one symbol' }, - 'passwordRequiresNumbers': { + passwordRequiresNumbers: { awsid: '1.8', profile: 1, scored: true, title: 'Ensure IAM 
password policy require at least one number' }, - 'minPasswordLength': { + minPasswordLength: { awsid: '1.9', profile: 1, scored: true, - title: 'Ensure IAM password policy requires minimum length of 14 or greater' + title: 'Ensure IAM password policy requires minimum length of 14 or ' + + 'greater' }, - 'passwordReusePrevention': { + passwordReusePrevention: { awsid: '1.10', profile: 1, scored: true, title: 'Ensure IAM password policy prevents password reuse' }, - 'passwordExpiration': { + passwordExpiration: { awsid: '1.11', profile: 1, scored: true, - title: 'Ensure IAM password policy expires passwords within 90 days or less' + title: 'Ensure IAM password policy expires passwords within 90 days or ' + + 'less' }, - 'rootAccessKeys': { + rootAccessKeys: { awsid: '1.12', profile: 1, scored: true, title: 'Ensure no root account access key exists' }, - 'rootMfaEnabled': { + rootMfaEnabled: { awsid: '1.13', profile: 1, scored: true, title: 'Ensure MFA is enabled for the "root" account' }, - 'noUserIamPolicies': { + noUserIamPolicies: { awsid: '1.16', profile: 1, scored: true, title: 'Ensure IAM policies are attached only to groups or roles' }, - 'cloudtrailEnabled': { + cloudtrailEnabled: { awsid: '2.1', profile: 1, scored: true, title: 'Ensure CloudTrail is enabled in all regions' }, - 'cloudtrailFileValidation': { + cloudtrailFileValidation: { awsid: '2.2', profile: 2, scored: true, title: 'Ensure CloudTrail log file validation is enabled' }, - 'cloudtrailBucketPrivate': { + cloudtrailBucketPrivate: { awsid: '2.3', profile: 1, scored: true, - title: 'Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible' + title: 'Ensure the S3 bucket used to store CloudTrail logs is not ' + + 'publicly accessible' }, - 'cloudtrailToCloudwatch': { + cloudtrailToCloudwatch: { awsid: '2.4', profile: 1, scored: true, title: 'Ensure CloudTrail trails are integrated with CloudWatch Logs' }, - 'configServiceEnabled': { + configServiceEnabled: { awsid: '2.5', 
profile: 1, scored: true, title: ' Ensure AWS Config is enabled in all regions' }, - 'cloudtrailBucketAccessLogging': { + cloudtrailBucketAccessLogging: { awsid: '2.6', profile: 1, scored: true, title: ' Ensure AWS Config is enabled in all regions' }, - 'cloudtrailEncryption' : { + cloudtrailEncryption: { awsid: '2.7', profile: 2, scored: true, title: 'Ensure CloudTrail logs are encrypted at rest using KMS CMKs' }, - 'kmsKeyRotation': { + kmsKeyRotation: { awsid: '2.8', profile: 2, scored: true, title: 'Ensure rotation for customer created CMKs is enabled' }, - 'flowLogsEnabled': { + flowLogsEnabled: { awsid: '2.8', profile: 2, scored: true, title: 'Ensure VPC flow logging is enabled in all VPCs' }, - - 'monitoringMetrics': { + monitoringMetrics: { awsid: '3', profile: 1, scored: true, title: 'Monitoring' }, - - 'openSSH': { + + openSSH: { awsid: '4.1', profile: 1, scored: true, - title: 'Ensure no security groups allow ingress from 0.0.0.0/0 to port 22' + title: 'Ensure no security groups allow ingress from 0.0.0.0/0 to ' + + 'port 22' }, - 'openRDP': { + openRDP: { awsid: '4.2', profile: 1, scored: true, - title: 'Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389' + title: 'Ensure no security groups allow ingress from 0.0.0.0/0 to ' + + 'port 3389' }, - 'defaultSecurityGroup': { + defaultSecurityGroup: { awsid: '4.3', profile: 2, scored: true, - title: 'Ensure the default security group of every VPC restricts all traffic' + title: 'Ensure the default security group of every VPC restricts all ' + + 'traffic' } -} +}; -var maxProfileLevel = -1 +var maxProfileLevel = -1; // Defines a way of filtering plugins for those plugins that are related to // PCI controls. The PCI information is defined inline, so this compliance // checks for that information on the plugin. 
module.exports = { - describe: function(pluginId, plugin) { - return controls[pluginId].title + describe: function (pluginId, plugin) { + return controls[pluginId].title; }, includes: function (pluginId, plugin) { - return maxProfileLevel <= 0 ? controls.hasOwnProperty(pluginId) : (controls.hasOwnProperty(pluginId) && controls[pluginId].profile <= maxProfileLevel) + if (maxProfileLevel <= 0) { + return controls.hasOwnProperty(pluginId); + } + + return controls.hasOwnProperty(pluginId) + && controls[pluginId].profile <= maxProfileLevel; }, setMaxProfile: function (level) { - maxProfileLevel = level + maxProfileLevel = level; } -} \ No newline at end of file +}; diff --git a/compliance/controls.js b/compliance/controls.js index 0936eec640..e657879768 100644 --- a/compliance/controls.js +++ b/compliance/controls.js @@ -1,7 +1,7 @@ module.exports = { create: function (names) { // We we don't have a specified compliance, then include all plugins - if (names.length == 0) { + if (names.length === 0) { return require('./all.js'); } @@ -16,16 +16,16 @@ module.exports = { return require('./cis.js'); } else if (names.includes('cis-1')) { console.log('INFO: Compliance mode: CIS Profile 1'); - var cis = require('./cis.js'); - cis.setMaxProfile(1); - return cis; + var cis1 = require('./cis.js'); + cis1.setMaxProfile(1); + return cis1; } else if (names.includes('cis-2')) { console.log('INFO: Compliance mode: CIS Profile 2'); - var cis = require('./cis.js'); - cis.setMaxProfile(2); - return cis; + var cis2 = require('./cis.js'); + cis2.setMaxProfile(2); + return cis2; } return null; } -} \ No newline at end of file +}; diff --git a/compliance/hipaa.js b/compliance/hipaa.js index 6c4768f5bd..dc386e7cff 100644 --- a/compliance/hipaa.js +++ b/compliance/hipaa.js 
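Review bot: Two entries in the `controls` map in compliance/cis.js carry metadata that looks copied from a neighbouring entry, and the key restyle leaves them unchanged: `cloudtrailBucketAccessLogging` (awsid '2.6') has the same title as `configServiceEnabled`, and `flowLogsEnabled` shares awsid '2.8' with `kmsKeyRotation`. A compliance report built from this map would label a CloudTrail bucket access-logging finding as an AWS Config control and file VPC flow-log findings under the KMS rotation number. The 2.6 title should describe S3 access logging on the CloudTrail bucket, and flow logging is most likely '2.9'; both should be confirmed against the v1.2.0 benchmark text. Separately, `describe` reads `controls[pluginId].title` with no own-property check, so an id missing from the map throws; `return controls.hasOwnProperty(pluginId) ? controls[pluginId].title : '';` would match the guard `includes` already uses. The comment above `module.exports` still says "PCI controls" and should read "CIS controls".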
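Review bot: In the second hunk of compliance/controls.js, `cis1` and `cis2` both refer to the single cached module object that `require('./cis.js')` returns, so `setMaxProfile` changes module-level state for every holder of that module. If `create` runs more than once in a process (spec files, or library use), a later request for the unrestricted CIS filter would presumably still apply the earlier profile cap and silently drop level-2 controls from the report. This is inferred, because the condition guarding the plain `return require('./cis.js');` line sits above the hunk. Resetting in that branch, e.g. `var cis = require('./cis.js'); cis.setMaxProfile(-1); return cis;`, or having cis.js export a factory, would make the selection explicit. The context comment in the first hunk reads "We we don't have"; it should be `// If we don't have a specified compliance, then include all plugins`.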
@@ -2,11 +2,11 @@ // HIPAA controls. The HIPAA information is defined inline, so this compliance // checks for that information on the plugin. module.exports = { - describe: function(pluginId, plugin) { - return plugin.compliance && plugin.compliance.hipaa + describe: function (pluginId, plugin) { + return plugin.compliance && plugin.compliance.hipaa; }, includes: function (pluginId, plugin) { - return plugin.compliance && plugin.compliance.hipaa + return plugin.compliance && plugin.compliance.hipaa; } -} \ No newline at end of file +}; diff --git a/compliance/pci.js b/compliance/pci.js index 054e4e770b..cf4d25010e 100644 --- a/compliance/pci.js +++ b/compliance/pci.js @@ -2,11 +2,11 @@ // PCI controls. The PCI information is defined inline, so this compliance // checks for that information on the plugin. module.exports = { - describe: function(pluginId, plugin) { - return plugin.compliance && plugin.compliance.pci + describe: function (pluginId, plugin) { + return plugin.compliance && plugin.compliance.pci; }, includes: function (pluginId, plugin) { - return plugin.compliance && plugin.compliance.pci + return plugin.compliance && plugin.compliance.pci; } -} \ No newline at end of file +}; diff --git a/postprocess/output.js b/postprocess/output.js index b2a3d615fd..9ff8e591a2 100644 --- a/postprocess/output.js +++ b/postprocess/output.js @@ -301,4 +301,4 @@ module.exports = { } } } -} \ No newline at end of file +} diff --git a/postprocess/suppress.js b/postprocess/suppress.js index 865cce9b85..6a95e4a9d0 100644 --- a/postprocess/suppress.js +++ b/postprocess/suppress.js @@ -16,16 +16,16 @@ module.exports = { .map(function (expr) { return [ expr, - new RegExp("^" + expr.split("*").join(".*") + "$") + new RegExp('^' + expr.split('*').join('.*') + '$') ]; }); return function (result) { var match = expressions.find(function (expression) { return expression[1].test(result); - }) + }); return match && match[0]; - } + }; } -} \ No newline at end of file +}; 
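Review bot: The suppression pattern in the `.map` callback of postprocess/suppress.js is built with `new RegExp('^' + expr.split('*').join('.*') + '$')` without escaping the other regex metacharacters in `expr`. A `.`, `+`, `?`, `(` or `[` in a suppression expression is therefore read as regex syntax. That can make a suppression match more results than the operator wrote, hiding findings from the scan output, or throw on an unbalanced bracket. Escaping each literal segment before joining keeps `*` as the only wildcard: `expr.split('*').map(function (s) { return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); }).join('.*')`. The enclosing `create` function starts above the hunk, so how `expr` is extracted from the `--suppress=` argument is not visible here.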
diff --git a/postprocess/suppress.spec.js b/postprocess/suppress.spec.js index 36f3e5e6bc..a88c6a0e4f 100644 --- a/postprocess/suppress.spec.js +++ b/postprocess/suppress.spec.js @@ -1,26 +1,29 @@ -var assert = require('assert'); var expect = require('chai').expect; -var suppress = require('./suppress') +var suppress = require('./suppress'); describe('create', function () { it('should return undefined when no filter specified', function () { - var filter = suppress.create([]) - expect(filter('any')).to.be.undefined - }) + var filter = suppress.create([]); + + expect(filter('any')).to.be.undefined; + }); it('should return the filter if matches', function () { - var filter = suppress.create(['--suppress=*n*']) - console.log(filter('n')) - expect(filter('any')).to.equal('*n*') - }) + var filter = suppress.create(['--suppress=*n*']); + + expect(filter('any')).to.equal('*n*'); + }); it('should return the filter if matches whole word', function () { - var filter = suppress.create(['--suppress=*longer*']) - expect(filter('longer')).to.equal('*longer*') - }) + var filter = suppress.create(['--suppress=*longer*']); + + expect(filter('longer')).to.equal('*longer*'); + }); it('should return the filter if multiple and second matches', function () { - var filter = suppress.create(['--suppress=*first*', '--suppress=second']) - expect(filter('second')).to.equal('second') - }) -}) \ No newline at end of file + var filter = suppress.create(['--suppress=*first*', + '--suppress=second']); + + expect(filter('second')).to.equal('second'); + }); +});
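Review bot: Every case in this spec that configures a filter expects a match, so nothing pins the `^…$` anchoring or the non-match path of the suppression filter. A suppression that matched too broadly would hide scan results without any test failing. Add a negative case, for example `var filter = suppress.create(['--suppress=second']); expect(filter('secondary')).to.be.undefined;` (values constructed for illustration).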