Added ECS Open Port plugins and test cases (#735)

aquasecurity · May 28, 2021 · e60dfb2 · e60dfb2
1 parent 3b1a255
commit e60dfb2
Show file tree

Hide file tree

Showing 18 changed files with 1,545 additions and 1 deletion.
diff --git a/exports.js b/exports.js
@@ -755,6 +755,14 @@ module.exports = {
         'openNetBIOS'                   : require(__dirname + '/plugins/alibaba/ecs/openNetBIOS.js'),
         'openOracle'                    : require(__dirname + '/plugins/alibaba/ecs/openOracle.js'),
         'dataDisksEncrypted'            : require(__dirname + '/plugins/alibaba/ecs/dataDisksEncrypted.js'),
+        'openOracleAutoDataWarehouse'   : require(__dirname + '/plugins/alibaba/ecs/openOracleAutoDataWarehouse.js'),
+        'openSalt'                      : require(__dirname + '/plugins/alibaba/ecs/openSalt.js'),
+        'openSMTP'                      : require(__dirname + '/plugins/alibaba/ecs/openSMTP.js'),
+        'openSMBoTCP'                   : require(__dirname + '/plugins/alibaba/ecs/openSMBoTCP.js'),
+        'openSQLServer'                 : require(__dirname + '/plugins/alibaba/ecs/openSQLServer.js'),
+        'openTelnet'                    : require(__dirname + '/plugins/alibaba/ecs/openTelnet.js'),
+        'openVNCClient'                 : require(__dirname + '/plugins/alibaba/ecs/openVNCClient.js'),
+        'openVNCServer'                 : require(__dirname + '/plugins/alibaba/ecs/openVNCServer.js'),
 
         'bucketLoggingEnabled'          : require(__dirname + '/plugins/alibaba/oss/bucketLoggingEnabled.js'),
         'ossBucketPrivate'              : require(__dirname + '/plugins/alibaba/oss/ossBucketPrivate.js'),

diff --git a/plugins/alibaba/ecs/openOracleAutoDataWarehouse.js b/plugins/alibaba/ecs/openOracleAutoDataWarehouse.js
@@ -0,0 +1,47 @@
+var async = require('async');
+var helpers = require('../../../helpers/alibaba');
+
+module.exports = {
+    title: 'Open Oracle Auto Data Warehouse',
+    category: 'ECS',
+    description: 'Ensure that security groups does not have TCP port 1522 for Oracle Auto Data Warehouse open to the public.',
+    more_info: 'While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Oracle Auto Data Warehouse should be restricted to known IP addresses.',
+    link: 'https://www.alibabacloud.com/help/doc-detail/25471.htm',
+    recommended_action: 'Restrict TCP port 1522 for Oracle Auto Data Warehouse to known IP addresses',
+    apis: ['ECS:DescribeSecurityGroups', 'ECS:DescribeSecurityGroupAttribute', 'STS:GetCallerIdentity'],
+
+    run: function(cache, settings, callback) {
+        var results = [];
+        var source = {};
+        var regions = helpers.regions(settings);
+
+        var ports = {
+            'tcp': [1522]
+        };
+
+        var service = 'Oracle Auto Data Warehouse';
+
+        async.each(regions.ecs, function(region, rcb){
+            var describeSecurityGroups = helpers.addSource(cache, source,
+                ['ecs', 'DescribeSecurityGroups', region]);
+
+            if (!describeSecurityGroups) return rcb();
+
+            if (describeSecurityGroups.err || !describeSecurityGroups.data) {
+                helpers.addResult(results, 3,
+                    `Unable to describe security groups: ${helpers.addError(describeSecurityGroups)}`, region);
+                return rcb();
+            }
+
+            if (!describeSecurityGroups.data.length) {
+                helpers.addResult(results, 0, 'No security groups found', region);
+                return rcb();
+            }
+
+            helpers.findOpenPorts(cache, describeSecurityGroups.data, ports, service, region, results);
+            rcb();
+        }, function(){
+            callback(null, results, source);
+        });
+    }
+};
diff --git a/plugins/alibaba/ecs/openOracleAutoDataWarehouse.spec.js b/plugins/alibaba/ecs/openOracleAutoDataWarehouse.spec.js
@@ -0,0 +1,145 @@
+var expect = require('chai').expect;
+const openOracleAutoDataWarehouse = require('./openOracleAutoDataWarehouse');
+
+const describeSecurityGroups = [
+    {
+        "Description": "System created security group.",
+        "SecurityGroupName": "sg-rj998kwpxbxh3muao6nx",
+        "VpcId": "vpc-rj9vu86hdve3qr173ew17",
+        "ServiceManaged": false,
+        "ResourceGroupId": "",
+        "SecurityGroupId": "sg-rj998kwpxbxh3muao6nx",
+        "CreationTime": "2021-04-30T09:57:23Z",
+        "SecurityGroupType": "normal",
+        "Tags": {
+            "Tag": []
+        }
+    }
+];
+
+const describeSecurityGroupAttribute = [
+    {
+        "Description": "System created security group.",
+        "RequestId": "B417712F-F2D9-4D84-9E14-53642866EC41",
+        "SecurityGroupName": "sg-rj998kwpxbxh3muao6nx",
+        "VpcId": "vpc-rj9vu86hdve3qr173ew17",
+        "SecurityGroupId": "sg-rj998kwpxbxh3muao6nx",
+        "Permissions": {
+          "Permission": [
+            {
+                "Direction": "ingress",
+                "SourceGroupName": "",
+                "PortRange": "443/443",
+                "SourceCidrIp": "0.0.0.0/0",
+                "IpProtocol": "TCP"
+            }
+          ]
+        }
+    },
+    {
+        "Description": "System created security group.",
+        "RequestId": "BCC3A7D9-93A5-44AA-85C1-A0C94A53DDBD",
+        "SecurityGroupName": "sg-0xijcm5n3s67cgnlklmi",
+        "VpcId": "vpc-0xitjib9awrnrv6i3sk9y",
+        "SecurityGroupId": "sg-0xijcm5n3s67cgnlklmi",
+        "Permissions": {
+            "Permission": [
+                {
+                    "SourceGroupId": "",
+                    "Policy": "Accept",
+                    "Description": "System created rule.",
+                    "SourcePortRange": "",
+                    "Priority": 100,
+                    "CreateTime": "2021-04-29T22:40:41Z",
+                    "DestPrefixListName": "",
+                    "Ipv6SourceCidrIp": "",
+                    "NicType": "intranet",
+                    "DestGroupId": "",
+                    "Direction": "ingress",
+                    "SourceGroupName": "",
+                    "PortRange": "1522/1522",
+                    "DestGroupOwnerAccount": "",
+                    "DestPrefixListId": "",
+                    "SourceCidrIp": "0.0.0.0/0",
+                    "SourcePrefixListName": "",
+                    "IpProtocol": "TCP",
+                    "DestCidrIp": "",
+                    "DestGroupName": "",
+                    "SourceGroupOwnerAccount": "",
+                    "Ipv6DestCidrIp": "",
+                    "SourcePrefixListId": ""
+                },
+            ]
+        }
+    }
+];
+
+const createCache = (securityGroups, describeSecurityGroupAttribute, securityGroupsErr, describeSecurityGroupAttributeErr) => {
+    const securityGroupId = (securityGroups && securityGroups.length) ? securityGroups[0].SecurityGroupId : null;
+    return {
+        ecs:{
+            DescribeSecurityGroups: {
+                'cn-hangzhou': {
+                    err: securityGroupsErr,
+                    data: securityGroups
+                }
+            },
+            DescribeSecurityGroupAttribute: {
+                'cn-hangzhou': {
+                    [securityGroupId]: {
+                        err: describeSecurityGroupAttributeErr,
+                        data: describeSecurityGroupAttribute
+                    }
+                }
+            }
+        }
+    };
+};
+
+describe('openOracleAutoDataWarehouse', function () {
+    describe('run', function () {
+        it('should PASS if no public open ports found', function (done) {
+            const cache = createCache(describeSecurityGroups, describeSecurityGroupAttribute[0]);
+            openOracleAutoDataWarehouse.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('No public open ports found');
+                expect(results[0].region).to.equal('cn-hangzhou');
+                done();
+            });
+        });
+
+        it('should FAIL if security group has Oracle Auto Data Warehouse TCP 1522 port open to public', function (done) {
+            const cache = createCache(describeSecurityGroups, describeSecurityGroupAttribute[1]);
+            openOracleAutoDataWarehouse.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].message).to.include('has Oracle Auto Data Warehouse:TCP:1522 open to 0.0.0.0/0');
+                expect(results[0].region).to.equal('cn-hangzhou');
+                done();
+            });
+        });
+
+        it('should PASS if no security groups found', function (done) {
+            const cache = createCache([]);
+            openOracleAutoDataWarehouse.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('No security groups found');
+                expect(results[0].region).to.equal('cn-hangzhou');
+                done();
+            });
+        });
+
+        it('should UNKNWON unable to describe security groups', function (done) {
+            const cache = createCache(null, { message: 'Unable to describe security groups'});
+            openOracleAutoDataWarehouse.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].message).to.include('Unable to describe security groups');
+                expect(results[0].region).to.equal('cn-hangzhou');
+                done();
+            });
+        });
+    });
+});
diff --git a/plugins/alibaba/ecs/openSMBoTCP.js b/plugins/alibaba/ecs/openSMBoTCP.js
@@ -0,0 +1,47 @@
+var async = require('async');
+var helpers = require('../../../helpers/alibaba');
+
+module.exports = {
+    title: 'Open SMBoTCP',
+    category: 'ECS',
+    description: 'Ensure that security groups does not have TCP port 445 for Windows SMB over TCP open to the public.',
+    more_info: 'While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SMBoTCP should be restricted to known IP addresses.',
+    link: 'https://www.alibabacloud.com/help/doc-detail/25471.htm',
+    recommended_action: 'Restrict TCP port 445 to known IP addresses',
+    apis: ['ECS:DescribeSecurityGroups', 'ECS:DescribeSecurityGroupAttribute', 'STS:GetCallerIdentity'],
+
+    run: function(cache, settings, callback) {
+        var results = [];
+        var source = {};
+        var regions = helpers.regions(settings);
+
+        var ports = {
+            'tcp': [445]
+        };
+
+        var service = 'SMBoTCP';
+
+        async.each(regions.ecs, function(region, rcb){
+            var describeSecurityGroups = helpers.addSource(cache, source,
+                ['ecs', 'DescribeSecurityGroups', region]);
+
+            if (!describeSecurityGroups) return rcb();
+
+            if (describeSecurityGroups.err || !describeSecurityGroups.data) {
+                helpers.addResult(results, 3,
+                    `Unable to describe security groups: ${helpers.addError(describeSecurityGroups)}`, region);
+                return rcb();
+            }
+
+            if (!describeSecurityGroups.data.length) {
+                helpers.addResult(results, 0, 'No security groups found', region);
+                return rcb();
+            }
+
+            helpers.findOpenPorts(cache, describeSecurityGroups.data, ports, service, region, results);
+            rcb();
+        }, function(){
+            callback(null, results, source);
+        });
+    }
+};