Added new security commands

Author: leandrodamascena

cloudiscovery/provider/security/data/commands_enabled.py

@@ -13,6 +13,14 @@
         "method": "ebs_encryption",
         "short_description": "Check that Amazon Elastic Block Store (EBS) encryption is enabled by default.",
     },
+    "restricted-ssh": {
+        "parameters": [
+            {"name": "restricted_ssh", "default_value": "no", "type": "bool"}
+        ],
+        "class": "EC2",
+        "method": "restricted_ssh",
+        "short_description": "Checks whether SG that are in use disallow unrestricted incoming SSH traffic.",
+    },
     "imdsv2-check": {
         "parameters": [{"name": "imdsv2_check", "default_value": "no", "type": "bool"}],
         "class": "EC2",
@@ -25,4 +33,12 @@
         "method": "pitr_enabled",
         "short_description": "Checks that point in time recovery is enabled for Amazon DynamoDB tables.",
     },
+    "cloudtrail-enabled": {
+        "parameters": [
+            {"name": "cloudtrail_enabled", "default_value": "no", "type": "bool"}
+        ],
+        "class": "CLOUDTRAIL",
+        "method": "cloudtrail_enabled",
+        "short_description": "Checks whether AWS CloudTrail is enabled in your AWS account.",
+    },
 }

cloudiscovery/provider/security/resource/commands/CLOUDTRAIL.py

@@ -0,0 +1,37 @@
+from provider.security.command import SecurityOptions
+
+from shared.common import (
+    Resource,
+    ResourceDigest,
+    SecurityValues,
+)
+
+
+class CLOUDTRAIL:
+    def __init__(self, options: SecurityOptions):
+        self.options = options
+
+    def cloudtrail_enabled(self, cloudtrail_enabled):
+
+        client = self.options.client("cloudtrail")
+
+        trails = client.list_trails()
+
+        resources_found = []
+
+        if not trails["Trails"]:
+            resources_found.append(
+                Resource(
+                    digest=ResourceDigest(id="cloudtrail", type="cloudtrail_enabled"),
+                    details="CLOUDTRAIL disabled",
+                    name="cloudtrail",
+                    group="cloudtrail_security",
+                    security=SecurityValues(
+                        status="CRITICAL",
+                        parameter="cloudtrail_enabled",
+                        value="False",
+                    ),
+                )
+            )
+
+        return resources_found

cloudiscovery/provider/security/resource/commands/EC2.py

@@ -70,3 +70,59 @@ def imdsv2_check(self, imdsv2_check):
                     )
 
         return resources_found
+
+    def restricted_ssh(self, restricted_ssh):
+
+        client = self.options.client("ec2")
+
+        security_groups = client.describe_security_groups()
+
+        resources_found = []
+
+        # pylint: disable=too-many-nested-blocks
+        for security_group in security_groups["SecurityGroups"]:
+            for ip_permission in security_group["IpPermissions"]:
+                if "FromPort" in ip_permission and "ToPort" in ip_permission:
+                    # Port 22 possible opened using port range
+                    if ip_permission["FromPort"] <= 22 >= ip_permission["ToPort"]:
+                        # IPv4
+                        for cidr in ip_permission["IpRanges"]:
+                            if cidr["CidrIp"] == "0.0.0.0/0":
+                                resources_found.append(
+                                    Resource(
+                                        digest=ResourceDigest(
+                                            id=security_group["GroupId"],
+                                            type="restricted_ssh",
+                                        ),
+                                        details="The SSH port of this security group is opened to the world.",
+                                        name=security_group["GroupName"],
+                                        group="ec2_security",
+                                        security=SecurityValues(
+                                            status="CRITICAL",
+                                            parameter="restricted_ssh",
+                                            value="False",
+                                        ),
+                                    )
+                                )
+
+                        # IPv6
+                        for cidr in ip_permission["Ipv6Ranges"]:
+                            if cidr["CidrIpv6"] == "::/0":
+                                resources_found.append(
+                                    Resource(
+                                        digest=ResourceDigest(
+                                            id=security_group["GroupId"],
+                                            type="restricted_ssh",
+                                        ),
+                                        details="The SSH port of this security group is opened to the world.",
+                                        name=security_group["GroupName"],
+                                        group="ec2_security",
+                                        security=SecurityValues(
+                                            status="CRITICAL",
+                                            parameter="restricted_ssh",
+                                            value="False",
+                                        ),
+                                    )
+                                )
+
+        return resources_found