v2: refactoring all meta (#50)

* unify-metas * add_init * AwsEc2SecurityGroup * cloudtrail * fix-resources * fix-resources * impact * outputs * outputs * access-layer * fix-html * readme * redame * readme * outputs * fixes * encryption * status * fixes * readme * readme * more * readme * score * more * imgs * docs * readme
gabrielsoltz · Nov 5, 2023 · 28fde90 · 28fde90
1 parent bf15152
commit 28fde90
Show file tree

Hide file tree

Showing 92 changed files with 6,423 additions and 6,282 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -31,7 +31,7 @@ repos:
         args:
           [
             "--exclude",
-            "lib/metachecks/checks/__init__.py",
+            "lib/context/resources/__init__.py",
             "--in-place",
             "--remove-all-unused-imports",
             "--remove-unused-variable",
@@ -55,7 +55,7 @@ repos:
       - id: flake8
         args:
           [
-            "--exclude=lib/metachecks/checks/__init__.py",
+            "--exclude=lib/context/resources/__init__.py,lib/config/configuration.py",
             "--ignore=E501,W503,W605,E203",
             "lib/",
           ]
@@ -79,12 +79,12 @@ repos:
         language: system
         files: '.*\.py'
 
-      - id: trufflehog
-        name: TruffleHog
-        description: Detect secrets in your data.
-        entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
-        language: system
-        stages: ["commit", "push"]
+      # - id: trufflehog
+      #   name: TruffleHog
+      #   description: Detect secrets in your data.
+      #   entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
+      #   language: system
+      #   stages: ["commit", "push"]
 
       - id: bandit
         name: bandit

diff --git a/README.md b/README.md
diff --git a/metachecks.md → docs/context.md b/metachecks.md → docs/context.md
@@ -1,4 +1,4 @@
-# MetaChecks
+# Context Development
 
 The ResourceType defines the MetaChecks to be executed. When there is an AWS Security Hub finding for an S3 Bucket (ResourceType: AwsS3Bucket), all the MetaChecks available for that resource will execute and be added as extra information under the ARNs resource.
 
@@ -8,7 +8,7 @@ The ResourceType defines the MetaChecks to be executed. When there is an AWS Sec
 
 ## How it works
 
-MetaChecks works this way:
+Context works this way:
 
 1. Connect to the account where the resource lives assuming the provided role (`--mh-assume-role`)
 2. Describe the resource using describe functions
@@ -30,7 +30,7 @@ If you want to add MetaChecks for a ResourceType that has not yet been defined i
 
 from lib.AwsHelpers import get_boto3_client
 from lib.metachecks.checks.Base import MetaChecksBase
-from lib.metachecks.checks.MetaChecksHelpers import IamHelper
+from lib.context.resources.MetaChecksHelpers import IamHelper
 
 
 class Metacheck(MetaChecksBase):
@@ -81,7 +81,7 @@ def _get_bucket_acl(self):
 
 from lib.AwsHelpers import get_boto3_client
 from lib.metachecks.checks.Base import MetaChecksBase
-from lib.metachecks.checks.MetaChecksHelpers import IamHelper
+from lib.context.resources.MetaChecksHelpers import IamHelper
 
 
 class Metacheck(MetaChecksBase):

diff --git a/docs/imgs/diagram-metahub.drawio b/docs/imgs/diagram-metahub.drawio
diff --git a/docs/imgs/diagram-metahub.drawio-v200.png b/docs/imgs/diagram-metahub.drawio-v200.png
diff --git a/docs/imgs/html-dashboard.png b/docs/imgs/html-dashboard.png
diff --git a/docs/imgs/html-export-small.png b/docs/imgs/html-export-small.png
diff --git a/docs/imgs/metahub-min.gif → docs/imgs/metahub-min-old.gif b/docs/imgs/metahub-min.gif → docs/imgs/metahub-min-old.gif
diff --git a/docs/imgs/metahub-terminal.gif b/docs/imgs/metahub-terminal.gif
diff --git a/lib/AwsHelpers.py b/lib/AwsHelpers.py
@@ -112,47 +112,6 @@ def get_account_alias(logger, aws_account_number, role_name=None, profile=None):
     return aliases
 
 
-def get_account_alternate_contact(
-    logger, aws_account_number, role_name=None, alternate_contact_type="SECURITY"
-):
-    logger.info("Getting alternate contact for account {}".format(aws_account_number))
-    # https://docs.aws.amazon.com/accounts/latest/reference/using-orgs-trusted-access.html
-    # https://aws.amazon.com/blogs/mt/programmatically-managing-alternate-contacts-on-member-accounts-with-aws-organizations/
-    alternate_contact = ""
-    local_account = get_account_id(logger)
-    if aws_account_number != local_account and not role_name:
-        logger.warning(
-            "Can't get alternate contact for account {}, not --mh-assume-role provided".format(
-                aws_account_number
-            )
-        )
-        return alternate_contact
-    if role_name and aws_account_number:
-        sess = assume_role(logger, aws_account_number, role_name)
-    else:
-        sess = None
-    account_client = get_boto3_client(logger, "account", "us-east-1", sess)
-    try:
-        alternate_contact = account_client.get_alternate_contact(
-            AccountId=aws_account_number, AlternateContactType=alternate_contact_type
-        ).get("AlternateContact")
-    except (NoCredentialsError, ClientError, EndpointConnectionError):
-        try:
-            alternate_contact = account_client.get_alternate_contact(
-                AlternateContactType=alternate_contact_type
-            ).get("AlternateContact")
-        except (NoCredentialsError, ClientError, EndpointConnectionError) as e:
-            if e.response["Error"]["Code"] == "ResourceNotFoundException":
-                logger.info("No alternate contact found")
-            else:
-                logger.warning(
-                    "Error getting alternate contact for account {}: {}".format(
-                        aws_account_number, e
-                    )
-                )
-    return alternate_contact
-
-
 def get_boto3_client(logger, service, region, sess, profile=None):
     if sess:
         return sess.client(service_name=service, region_name=region)

diff --git a/lib/config/configuration.py b/lib/config/configuration.py
@@ -3,10 +3,73 @@
 # Default filters for Security Hub findings, not implemented yet
 # sh_default_filters = {"RecordState": ["ACTIVE"], "WorkflowStatus": ["NEW"]}
 
-# MetaChecks configurations
+# Impact Checks Configurations
 
-# List of AWS accounts ids that are trusted and not considered as external. This is used in the is_principal_external MetaCheck for policies.
+# List of AWS accounts ids that are trusted and not considered as external.
+# This is used in check untrusted_principal for policies.
 trusted_accounts = []
 
+# Dangereous IAM actions that should be considered as a finding if used in a policy
+dangereous_iam_actions = [
+    "iam:CreatePolicyVersion",
+    "iam:SetDefaultPolicyVersion",
+    "iam:PassRole",
+    "iam:CreateAccessKey",
+    "iam:CreateLoginProfile",
+    "iam:UpdateLoginProfile",
+    "iam:AttachUserPolicy",
+    "iam:AttachGroupPolicy",
+    "iam:AttachRolePolicy",
+    "iam:PutGroupPolicy",
+    "iam:PutRolePolicy",
+    "iam:PutUserPolicy",
+    "iam:AddUserToGroup",
+    "iam:UpdateAssumeRolePolicy",
+]
+
 # Days to consider a resource (key) unrotated
 days_to_consider_unrotated = 90
+
+# Environment Tags Definition
+# tag_ENVIRONMENT = {"TAG-KEY": ["TAG-VALUE1", "TAG-VALUE1", "TAG-VALUE3"]}
+tags_production = {
+    "Environment": ["Production", "production", "prd"],
+    "Env": ["production"],
+    "environment": ["prd"],
+}
+tags_staging = {
+    "Environment": ["Staging", "staging", "stg"],
+    "Env": ["stg"],
+    "environment": ["stg"],
+}
+tags_development = {
+    "Environment": ["Development", "development", "dev"],
+    "Env": ["dev"],
+    "environment": ["dev"],
+}
+
+# Severity Values for Impact Findings Scores Calculation
+findings_severity_value = {
+    "CRITICAL": 4,
+    "HIGH": 3,
+    "MEDIUM": 1,
+    "LOW": 0.5,
+    "INFORMATIONAL": 0,
+}
+
+# Output Configurations
+
+# Columns
+# You can define the columns that will be displayed in the output HTML, CSV AND XLSX.
+# You can also use `--output-config-columns` and `--output-tags-columns` to override these values.
+# If you want all fields as columns, comment the following lines.
+config_columns = ["public"]
+tag_columns = ["Name", "Owner"]
+account_columns = ["AccountAlias"]
+impact_columns = ["score", "exposure", "access", "encryption", "status", "environment"]
+
+# Decide if you want to output as part of the findings the whole json resource policy
+output_resource_policy = True
+
+
+path_yaml_impact = "lib/config/impact.yaml"
diff --git a/lib/config/impact.yaml b/lib/config/impact.yaml
@@ -5,119 +5,75 @@
 #   Values: List of values for this property
 #     - Name: Name of the value
 #       Score: Score for this value
-#       Match Criteria: List of match criteria to apply to this value
-#         - [MetaChecks|MetaTags|MetaAccount]: List of Meta* to apply to this value
-#           - Key: Value to match
-#           - Key: Value to match
 
-attachment:
+status:
   weight: 10
   values:
     - attached:
         score: 1
-        matchs:
-          - metachecks:
-              - "is_attached": True
-    - unattached:
+    - not-attached:
         score: 0
-        matchs:
-          - metachecks:
-              - "is_attached": False
-
-status:
-  weight: 5
-  values:
     - running:
         score: 1
-        matchs:
-          - metachecks:
-              - "is_running": True
     - not-running:
         score: 0
-        matchs:
-          - metachecks:
-              - "is_running": False
+    - unknown:
+        score: 0
 
-network:
+exposure:
   weight: 1
   values:
-    - public:
+    - effectively-public:
         score: 1
-        matchs:
-          - metachecks:
-              - "is_public": True
-    - private:
+    - restricted-public:
+        score: 0.4
+    - unknown-public:
+        score: 0
+    - unrestricted-private:
+        score: 0.5
+    - restricted:
+        score: 0
+    - unknown:
         score: 0
-        matchs:
-          - metachecks:
-              - "is_public": False
 
-policy:
+access:
   weight: 1
   values:
     - unrestricted:
         score: 1
-        matchs:
-          - metachecks:
-              - "is_unrestricted": True
+    - untrusted-principal:
+        score: 0.8
+    - unrestricted-principal:
+        score: 0.5
+    - cross-account-principal:
+        score: 0.5
+    - unrestricted-actions:
+        score: 0.5
+    - dangerous-actions:
+        score: 0.5
     - restricted:
         score: 0
-        matchs:
-          - metachecks:
-              - "is_unrestricted": False
-
-key:
-  weight: 1
-  values:
-    - not-rotated:
-        score: 1
-        matchs:
-          - metachecks:
-              - "is_unrotated": True
-    - rotated:
+    - unknown:
         score: 0
-        matchs:
-          - metachecks:
-              - "is_unrotated": False
 
 encryption:
   weight: 0.1
   values:
     - unencrypted:
         score: 1
-        matchs:
-          - metachecks:
-              - "is_encrypted": False
     - encrypted:
         score: 0
-        matchs:
-          - metachecks:
-              - "is_encrypted": True
+    - unknown:
+        score: 0
 
 environment:
   weight: 1
   values:
     - production:
         score: 1
-        matchs:
-          - metatags:
-              - "Environment": "Production"
-              - "Environment": "production"
-          - metaaccount:
-              - "alias": "production"
     - staging:
         score: 0.3
-        matchs:
-          - metatags:
-              - "Environment": "Staging"
-              - "Environment": "staging"
-          - metaaccount:
-              - "alias": "staging"
     - development:
         score: 0
-        matchs:
-          - metatags:
-              - "Environment": "Development"
-              - "Environment": "development"
-          - metaaccount:
-              - "alias": "development"
+    - unknown:
+        score: 0