Skip to content

Commit

Permalink
Modification: Modified index and engine files to fix azure remediatio…
Browse files Browse the repository at this point in the history 
…n invalid token issue (#623)

* SPLOIT-113: Added Plain Text Parameters plugin for CloudFormation

* Added vpcEndpointAcceptance plugin and spec file

* SPLOIT-113: Added Plain Text Parameters plugin for CloudFormation

* Added plugin and spec file for launch wizard security groups

* Refactored code in plaintextParameters plugin and spec file

* SPLOIT-113: Updated custom settings

* Made PR requested changes

* SPLOIT-113: Added regex to check if NoEcho is enabled

* Accommodated PR changes

* Fixed eslint issues

* Update exports.js

* Fixed eslint issues

* Update index.js

* Update index.js

* Added cloudformation in china and gov regions

* Accomodated PR changes

* Updated status in result of failure

* SPLOIT-113: Added Plain Text Parameters plugin for CloudFormation

* Added plugin and spec file for launch wizard security groups

* Added vpcEndpointAcceptance plugin and spec file

* Refactored code in plaintextParameters plugin and spec file

* SPLOIT-113: Updated custom settings

* Made PR requested changes

* SPLOIT-113: Added regex to check if NoEcho is enabled

* Accommodated PR changes

* Fixed eslint issues

* Update index.js

* Update index.js

* Accomodated PR changes

* Updated status in result of failure

* SPLOIT-113: Added Plain Text Parameters plugin for CloudFormation

* Added plugin and spec file for launch wizard security groups

* Added vpcEndpointAcceptance plugin and spec file

* Refactored code in plaintextParameters plugin and spec file

* SPLOIT-113: Updated custom settings

* Made PR requested changes

* SPLOIT-113: Added regex to check if NoEcho is enabled

* Accommodated PR changes

* Fixed eslint issues

* Update index.js

* Update index.js

* Accomodated PR changes

* Updated status in result of failure

* SPLOIT-113: Added Plain Text Parameters plugin for CloudFormation

* SPLOIT-113: Added Plain Text Parameters plugin for CloudFormation

* Added plugin and spec file for launch wizard security groups

* Added vpcEndpointAcceptance plugin and spec file

* Refactored code in plaintextParameters plugin and spec file

* SPLOIT-113: Updated custom settings

* Made PR requested changes

* SPLOIT-113: Added regex to check if NoEcho is enabled

* Accommodated PR changes

* Fixed eslint issues

* Update exports.js

* Update index.js

* Update index.js

* Accomodated PR changes

* Updated status in result of failure

* Removed unnecesary rebase changes

* Added superlinter

* Added scans ci

* Updated Ci file

* Updated Node version in CI file

* removed spech check command

* Delete scan_ci.yml

* Added spellcheck

* Azure MySQL Enforce SSL Connection remediated

* Modified index and engine files to fix azure remediation invalid token issue

* Update engine.js
  • Loading branch information
@AkhtarAmir
AkhtarAmir authored Apr 16, 2021
1 parent 772f443 commit 25d6145
Show file tree
Hide file tree
Showing 3 changed files with 155 additions and 80 deletions.
17 changes: 17 additions & 0 deletions config_example.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,14 @@ module.exports = {
// session_token: process.env.AWS_SESSION_TOKEN || '',
// plugins_remediate: ['bucketEncryptionInTransit']
},
aws_remediate: {
// OPTION 1: If using a credential JSON file, enter the path below
// credential_file: '/path/to/file.json',
// OPTION 2: If using hard-coded credentials, enter them below
// access_key: process.env.AWS_ACCESS_KEY_ID || '',
// secret_access_key: process.env.AWS_SECRET_ACCESS_KEY || '',
// session_token: process.env.AWS_SESSION_TOKEN || '',
},
azure: {
// OPTION 1: If using a credential JSON file, enter the path below
// credential_file: '/path/to/file.json',
Expand All @@ -20,6 +28,15 @@ module.exports = {
// directory_id: process.env.AZURE_DIRECTORY_ID || '',
// subscription_id: process.env.AZURE_SUBSCRIPTION_ID || ''
},
azure_remediate: {
// OPTION 1: If using a credential JSON file, enter the path below
// credential_file: '/path/to/file.json',
// OPTION 2: If using hard-coded credentials, enter them below
// application_id: process.env.AZURE_APPLICATION_ID || '',
// key_value: process.env.AZURE_KEY_VALUE || '',
// directory_id: process.env.AZURE_DIRECTORY_ID || '',
// subscription_id: process.env.AZURE_SUBSCRIPTION_ID || ''
},
google: {
// OPTION 1: If using a credential JSON file, enter the path below
// credential_file: process.env.GOOGLE_APPLICATION_CREDENTIALS || '/path/to/file.json',
Expand Down
181 changes: 101 additions & 80 deletions engine.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,17 @@ var async = require('async');
var exports = require('./exports.js');
var suppress = require('./postprocess/suppress.js');
var output = require('./postprocess/output.js');

var azureHelper = require('./helpers/azure/auth.js');

function runAuth(settings, remediateConfig, callback) {
if (settings.cloud && settings.cloud == 'azure') {
azureHelper.login(remediateConfig, function(err, loginData) {
if (err) return (callback(err));
remediateConfig.token = loginData.token;
return callback();
});
} else callback();
}
/**
* The main function to execute CloudSploit scans.
* @param cloudConfig The configuration for the cloud provider.
Expand Down Expand Up @@ -138,91 +148,102 @@ var engine = function(cloudConfig, settings) {
console.log('INFO: Analysis complete. Scan report to follow...');

var maximumStatus = 0;

async.mapValuesLimit(plugins, 10, function(plugin, key, pluginDone) {
if (skippedPlugins.indexOf(key) > -1) return pluginDone(null, 0);

var postRun = function(err, results) {
if (err) return console.log(`ERROR: ${err}`);
if (!results || !results.length) {
console.log(`Plugin ${plugin.title} returned no results. There may be a problem with this plugin.`);
} else {
for (var r in results) {
// If we have suppressed this result, then don't process it
// so that it doesn't affect the return code.
if (suppressionFilter([key, results[r].region || 'any', results[r].resource || 'any'].join(':'))) {
continue;
}

var complianceMsg = [];
if (settings.compliance && settings.compliance.length) {
settings.compliance.forEach(function(c) {
if (plugin.compliance && plugin.compliance[c]) {
complianceMsg.push(`${c.toUpperCase()}: ${plugin.compliance[c]}`);
}
});
}
complianceMsg = complianceMsg.join('; ');
if (!complianceMsg.length) complianceMsg = null;

// Write out the result (to console or elsewhere)
outputHandler.writeResult(results[r], plugin, key, complianceMsg);

// Add this to our tracking for the worst status to calculate
// the exit code
maximumStatus = Math.max(maximumStatus, results[r].status);
// Remediation
if (settings.remediate && settings.remediate.length) {
if (settings.remediate.indexOf(key) > -1) {
if (results[r].status === 2) {
var resource = results[r].resource;
var event = {};
event.region = results[r].region;
event['remediation_file'] = {};
event['remediation_file'] = initializeFile(event['remediation_file'], 'execute', key, resource);
plugin.remediate(cloudConfig, collection, event, resource, (err, result) => {
if (err) return console.log(err);
return console.log(result);
});

function executePlugins(cloudRemediateConfig) {
async.mapValuesLimit(plugins, 10, function(plugin, key, pluginDone) {
if (skippedPlugins.indexOf(key) > -1) return pluginDone(null, 0);

var postRun = function(err, results) {
if (err) return console.log(`ERROR: ${err}`);
if (!results || !results.length) {
console.log(`Plugin ${plugin.title} returned no results. There may be a problem with this plugin.`);
} else {
for (var r in results) {
// If we have suppressed this result, then don't process it
// so that it doesn't affect the return code.
if (suppressionFilter([key, results[r].region || 'any', results[r].resource || 'any'].join(':'))) {
continue;
}

var complianceMsg = [];
if (settings.compliance && settings.compliance.length) {
settings.compliance.forEach(function(c) {
if (plugin.compliance && plugin.compliance[c]) {
complianceMsg.push(`${c.toUpperCase()}: ${plugin.compliance[c]}`);
}
});
}
complianceMsg = complianceMsg.join('; ');
if (!complianceMsg.length) complianceMsg = null;

// Write out the result (to console or elsewhere)
outputHandler.writeResult(results[r], plugin, key, complianceMsg);

// Add this to our tracking for the worst status to calculate
// the exit code
maximumStatus = Math.max(maximumStatus, results[r].status);
// Remediation
if (settings.remediate && settings.remediate.length) {
if (settings.remediate.indexOf(key) > -1) {
if (results[r].status === 2) {
var resource = results[r].resource;
var event = {};
event.region = results[r].region;
event['remediation_file'] = {};
event['remediation_file'] = initializeFile(event['remediation_file'], 'execute', key, resource);
plugin.remediate(cloudRemediateConfig, collection, event, resource, (err, result) => {
if (err) return console.log(err);
return console.log(result);
});
}
}
}
}

}

setTimeout(function() { pluginDone(err, maximumStatus); }, 0);
};

if (plugin.asl) {
console.log(`INFO: Using custom ASL for plugin: ${plugin.title}`);
// Inject APIs and resource maps
plugin.asl.apis = plugin.apis;
var aslConfig = require('./helpers/asl/config.json');
var aslVersion = plugin.asl.version ? plugin.asl.version : aslConfig.current_version;
let aslRunner;
try {
aslRunner = require(`./helpers/asl/asl-${aslVersion}.js`);

} catch (e) {
postRun('Error: ASL: Wrong ASL Version: ', e);
}

aslRunner(collection, plugin.asl, resourceMap, postRun);
} else {
plugin.run(collection, settings, postRun);
}
setTimeout(function() { pluginDone(err, maximumStatus); }, 0);
};

if (plugin.asl) {
console.log(`INFO: Using custom ASL for plugin: ${plugin.title}`);
// Inject APIs and resource maps
plugin.asl.apis = plugin.apis;
var aslConfig = require('./helpers/asl/config.json');
var aslVersion = plugin.asl.version ? plugin.asl.version : aslConfig.current_version;
let aslRunner;
try {
aslRunner = require(`./helpers/asl/asl-${aslVersion}.js`);

} catch (e) {
postRun('Error: ASL: Wrong ASL Version: ', e);
}, function(err) {
if (err) return console.log(err);
// console.log(JSON.stringify(collection, null, 2));
outputHandler.close();
if (settings.exit_code) {
// The original cloudsploit always has a 0 exit code. With this option, we can have
// the exit code depend on the results (useful for integration with CI systems)
console.log(`INFO: Exiting with exit code: ${maximumStatus}`);
process.exitCode = maximumStatus;
}

aslRunner(collection, plugin.asl, resourceMap, postRun);
} else {
plugin.run(collection, settings, postRun);
}
}, function(err) {
if (err) return console.log(err);
// console.log(JSON.stringify(collection, null, 2));
outputHandler.close();
if (settings.exit_code) {
// The original cloudsploit always has a 0 exit code. With this option, we can have
// the exit code depend on the results (useful for integration with CI systems)
console.log(`INFO: Exiting with exit code: ${maximumStatus}`);
process.exitCode = maximumStatus;
}
console.log('INFO: Scan complete');
});
console.log('INFO: Scan complete');
});
}

if (settings.remediate && settings.remediate.length && cloudConfig.remediate) {
runAuth(settings, cloudConfig.remediate, function(err) {
if (err) return console.log(err);
executePlugins(cloudConfig.remediate);
});
} else {
executePlugins(cloudConfig);
}
});
};

Expand Down
37 changes: 37 additions & 0 deletions index.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -205,5 +205,42 @@ if (config.credentials.aws.credential_file) {
process.exit(1);
}

if (settings.remediate && settings.remediate.length) {
if (!config.credentials[`${settings.cloud}_remediate`]) {
console.error('ERROR: No credentials provided for remediation.');
process.exit(1);
}
if (config.credentials.aws_remediate && config.credentials.aws_remediate.credential_file) {
cloudConfig.remediate = loadHelperFile(config.credentials.aws_remediate.credential_file);
if (!cloudConfig.remediate || !cloudConfig.remediate.accessKeyId || !cloudConfig.remediate.secretAccessKey) {
console.error('ERROR: AWS credential file for remediation does not have accessKeyId or secretAccessKey properties');
process.exit(1);
}
} else if (config.credentials.aws_remediate && config.credentials.aws_remediate.access_key) {
checkRequiredKeys(config.credentials.aws_remediate, ['secret_access_key']);
cloudConfig.remediate = {
accessKeyId: config.credentials.aws_remediate.access_key,
secretAccessKey: config.credentials.aws_remediate.secret_access_key,
sessionToken: config.credentials.aws_remediate.session_token
};
} else if (config.credentials.azure_remediate && config.credentials.azure_remediate.credential_file) {
cloudConfig.remediate = loadHelperFile(config.credentials.azure_remediate.credential_file);
if (!cloudConfig.remediate || !cloudConfig.remediate.ApplicationID || !cloudConfig.remediate.KeyValue || !cloudConfig.remediate.DirectoryID || !cloudConfig.remediate.SubscriptionID) {
console.error('ERROR: Azure credential file for remediation does not have ApplicationID, KeyValue, DirectoryID, or SubscriptionID');
process.exit(1);
}
} else if (config.credentials.azure_remediate && config.credentials.azure_remediate.application_id) {
checkRequiredKeys(config.credentials.azure_remediate, ['key_value', 'directory_id', 'subscription_id']);
cloudConfig.remediate = {
ApplicationID: config.credentials.azure_remediate.application_id,
KeyValue: config.credentials.azure_remediate.key_value,
DirectoryID: config.credentials.azure_remediate.directory_id,
SubscriptionID: config.credentials.azure_remediate.subscription_id
};
} else {
console.error('ERROR: Config file does not contain any valid credential configs for remediation.');
process.exit(1);
}
}
// Now execute the scans using the defined configuration information.
engine(cloudConfig, settings);

0 comments on commit 25d6145

Please sign in to comment.