Merge pull request #7 from aquasecurity/master

Master branch updated in local
umermehmood · May 21, 2021 · 1783727 · 1783727
2 parents 802c0f8 + 8e6e705
commit 1783727
Show file tree

Hide file tree

Showing 136 changed files with 3,239 additions and 396 deletions.
diff --git a/.github/CODE_OF_CONDUCT.md b/.github/CODE_OF_CONDUCT.md
@@ -55,7 +55,7 @@ a project may be further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at support@cloudsploit.com. All
+reported by contacting the project team at support@aquasec.com. All
 complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.

diff --git a/collectors/alibaba/collector.js b/collectors/alibaba/collector.js
diff --git a/collectors/alibaba/index.js b/collectors/alibaba/index.js
@@ -0,0 +1,26 @@
+'use strict';
+
+var fs          = require('fs');
+var path        = require('path');
+var collectors  = {};
+
+var directories = fs.readdirSync(__dirname).filter(function(file) {
+    return fs.statSync(path.join(__dirname, file)).isDirectory();
+});
+
+directories.forEach(function(directory) {
+    collectors[directory] = {};
+
+    fs
+        .readdirSync(__dirname + '/' + directory)
+        .filter(function(file) {
+            return (file.indexOf('.') !== 0);
+        })
+        .forEach(function(file) {
+            var collector = require(path.join(__dirname + '/' + directory, file));
+            var name = file.substring(0, file.indexOf('.js'));
+            collectors[directory][name] = collector;
+        });
+});
+
+module.exports = collectors;
diff --git a/collectors/alibaba/oss/getBucketInfo.js b/collectors/alibaba/oss/getBucketInfo.js
@@ -0,0 +1,5 @@
+var index = require(__dirname + '/index.js');
+
+module.exports = function(AlibabaConfig, collection, region, callback) {
+    index('getBucketInfo', AlibabaConfig, collection, region, callback);
+};
diff --git a/collectors/alibaba/oss/index.js b/collectors/alibaba/oss/index.js
@@ -0,0 +1,21 @@
+var async = require('async');
+const OSS = require('ali-oss');
+
+module.exports = function(callKey, AlibabaConfig, collection, region, callback) {
+    var store = new OSS(AlibabaConfig);
+
+    async.eachLimit(collection.oss.listBuckets[region].data, 10, function(bucket, bcb){
+        let bucketName = bucket.name;
+        collection.oss[callKey][region][bucketName] = {};
+
+        store[callKey](bucketName).then((result) => {
+            collection.oss[callKey][region][bucketName].data = result.bucket;
+            bcb();
+        }, (err) => {
+            collection.oss[callKey][region][bucketName].err = err;
+            bcb();
+        });
+    }, function(){
+        callback();
+    });
+};
diff --git a/collectors/alibaba/oss/listBuckets.js b/collectors/alibaba/oss/listBuckets.js
@@ -0,0 +1,29 @@
+const OSS = require('ali-oss');
+
+module.exports = function(AlibabaConfig, collection, region, callback) {
+    const store = new OSS(AlibabaConfig);
+    collection.oss.listBuckets[region].data = [];
+
+    var execute = function(nextToken) {
+        store.listBuckets({
+            'max-keys': 1,
+            'marker': nextToken
+        }).then((result) => {
+            callCB(null, result);
+        }, (err) => {
+            callCB(err);
+        });
+    };
+
+    var callCB = function(err, data) {
+        if (err) {
+            collection.oss.listBuckets[region].err = err;
+            callback();
+        }
+        collection.oss.listBuckets[region].data = collection.oss.listBuckets[region].data.concat(data.buckets);
+        if (data.nextMarker) execute(data.nextMarker);
+        else callback();
+    };
+
+    execute();
+};
diff --git a/collectors/aws/collector.js b/collectors/aws/collector.js
@@ -1397,14 +1397,17 @@ var collect = function(AWSConfig, settings, callback) {
     var AWSXRay;
     var debugMode = settings.debug_mode;
     if (debugMode) AWSXRay = require('aws-xray-sdk');
-    
+
     AWSConfig.maxRetries = 8;
     AWSConfig.retryDelayOptions = {base: 100};
 
     var regions = helpers.regions(settings);
 
     var collection = {};
-
+    var debugApiCalls = function(call, service, finished) {
+        if (!debugMode) return;
+        finished ? console.log(`[INFO] ${service}:${call} returned`) : console.log(`[INFO] ${service}:${call} invoked`);
+    };
     async.eachOfLimit(calls, 10, function(call, service, serviceCb) {
         var serviceLower = service.toLowerCase();
         if (!collection[serviceLower]) collection[serviceLower] = {};
@@ -1413,7 +1416,7 @@ var collect = function(AWSConfig, settings, callback) {
         async.eachOfLimit(call, 15, function(callObj, callKey, callCb) {
             if (settings.api_calls && settings.api_calls.indexOf(service + ':' + callKey) === -1) return callCb();
             if (!collection[serviceLower][callKey]) collection[serviceLower][callKey] = {};
-
+            debugApiCalls(callKey, service);
             var callRegions;
 
             if (callObj.default) {
@@ -1481,17 +1484,16 @@ var collect = function(AWSConfig, settings, callback) {
                         // so that the injection of the NextToken doesn't break other calls
                         var localParams = JSON.parse(JSON.stringify(callObj.params || {}));
                         if (nextTokens) localParams[nextTokens[0]] = nextTokens[1];
-
                         if (callObj.params || nextTokens) {
                             executor[callKey](localParams, executorCb);
                         } else {
                             executor[callKey](executorCb);
                         }
                     }
-
                     execute();
                 }
             }, function() {
+                debugApiCalls(callKey, service, true);
                 callCb();
             });
         }, function() {
@@ -1507,7 +1509,7 @@ var collect = function(AWSConfig, settings, callback) {
                 async.eachOfLimit(serviceObj, 1, function(callObj, callKey, callCb) {
                     if (settings.api_calls && settings.api_calls.indexOf(service + ':' + callKey) === -1) return callCb();
                     if (!collection[serviceLower][callKey]) collection[serviceLower][callKey] = {};
-
+                    debugApiCalls(callKey, service);
                     async.eachLimit(regions[serviceLower], helpers.MAX_REGIONS_AT_A_TIME, function(region, regionCb) {
                         if (settings.skip_regions &&
                             settings.skip_regions.indexOf(region) > -1 &&
@@ -1560,7 +1562,6 @@ var collect = function(AWSConfig, settings, callback) {
                                         var filter = {};
                                         filter[callObj.filterKey] = dep[callObj.filterValue];
                                         filter[callObj.checkMultipleKey] = thisCheck;
-
                                         executor[callKey](filter, function(err, data) {
                                             if (err) {
                                                 collection[serviceLower][callKey][LocalAWSConfig.region][dep[callObj.filterValue]].err = err;
@@ -1606,6 +1607,7 @@ var collect = function(AWSConfig, settings, callback) {
                             });
                         }
                     }, function() {
+                        debugApiCalls(callKey, service, true);
                         callCb();
                     });
                 }, function() {

diff --git a/exports.js b/exports.js
@@ -725,5 +725,15 @@ module.exports = {
         'vpcNetworkRouteLogging'        : require(__dirname + '/plugins/google/logging/vpcNetworkRouteLogging.js'),
         'vpcNetworkLogging'             : require(__dirname + '/plugins/google/logging/vpcNetworkLogging.js'),
         'logSinksEnabled'               : require(__dirname + '/plugins/google/logging/logSinksEnabled.js'),
+    },
+    alibaba: {
+        'openSSH'                       : require(__dirname + '/plugins/alibaba/ecs/openSSH.js'),
+        'bucketLoggingEnabled'          : require(__dirname + '/plugins/alibaba/oss/bucketLoggingEnabled.js'),
+        'ossBucketPrivate'              : require(__dirname + '/plugins/alibaba/oss/ossBucketPrivate.js'),
+        'rdsLogDuration'                : require(__dirname + '/plugins/alibaba/rds/rdsLogDuration.js'),
+        'dataDisksEncrypted'            : require(__dirname + '/plugins/alibaba/ecs/dataDisksEncrypted.js'),
+        'rdsSslEncryptionEnabled'       : require(__dirname + '/plugins/alibaba/rds/rdsSslEncryptionEnabled.js'),
+        'passwordRequiresUppercase'     : require(__dirname + '/plugins/alibaba/ram/passwordRequiresUppercase.js'),
+        'usersMfaEnabled'               : require(__dirname + '/plugins/alibaba/ram/usersMfaEnabled.js')
     }
 };
diff --git a/helpers/alibaba/functions.js b/helpers/alibaba/functions.js
@@ -0,0 +1,93 @@
+var helpers = require('../shared.js');
+
+function defaultRegion(settings) {
+    if (settings.defaultRegion) return settings.defaultRegion;
+    return 'cn-hangzhou';
+}
+
+function createArn(service, account, resourceType, resourceId, region) {
+    if (!region) region = '';
+    return `arn:acs:${service}:${region}:${account}:${resourceType}/${resourceId}`;
+}
+
+function findOpenPorts(cache, groups, ports, service, region, results) {
+    // console.log(JSON.stringify(cache, null, 2));
+    var found = false;
+
+    for (var group of groups) {
+        if (!group.SecurityGroupId) continue;
+
+        var accountId = helpers.addSource(cache, {}, ['sts', 'GetCallerIdentity', defaultRegion, 'data']);
+
+        var resource = createArn('ecs', accountId, 'securitygroup', group.SecurityGroupId, region);
+
+        var describeSecurityGroupAttribute = helpers.addSource(cache, {},
+            ['ecs', 'DescribeSecurityGroupAttribute', region, group.SecurityGroupId]);
+
+        if (!describeSecurityGroupAttribute || describeSecurityGroupAttribute.err || !describeSecurityGroupAttribute.data) {
+            helpers.addResult(results, 3,
+                `Unable to query security group attributes: ${describeSecurityGroupAttribute}`, region, resource);
+            continue;
+        }
+
+        var string;
+        var openV4Ports = [];
+
+        if (describeSecurityGroupAttribute.data.Permissions && describeSecurityGroupAttribute.data.Permissions.Permission && describeSecurityGroupAttribute.data.Permissions.Permission.length){
+            for (var permission of describeSecurityGroupAttribute.data.Permissions.Permission) {
+                if (permission.Direction && permission.Direction !== 'ingress') continue;
+                let protocol = permission.IpProtocol.toLowerCase();
+                if (permission.SourceCidrIp === '0.0.0.0/0' && ports[protocol]) {
+                    for (var port of ports[protocol]) {
+                        let fromPort = (Number(permission.PortRange.split('/')[0])) ?
+                            Number(permission.PortRange.split('/')[0]) : Number(permission.PortRange);
+                        let toPort = (Number(permission.PortRange.split('/')[1])) ?
+                            Number(permission.PortRange.split('/')[1]) : Number(permission.PortRange);
+
+                        if (port.toString().indexOf('-') > -1) {
+                            var rangeFrom = Number(port.split('-')[0]);
+                            var rangeTo = Number(port.split('-')[1]);
+
+                            for (let i = rangeFrom; i <= rangeTo; i++) {
+                                if (fromPort<= i && toPort >= i) {
+                                    string = `some of ${permission.IpProtocol}:${port}`;
+                                    openV4Ports.push(string);
+                                    found = true;
+                                    break;
+                                }
+                            }
+                        } else {
+                            port = Number(port);
+                            if (fromPort <= port && toPort >= port) {
+                                string = `${permission.IpProtocol}:${port}`;
+                                if (openV4Ports.indexOf(string) === -1) openV4Ports.push(string);
+                                found = true;
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+        if (openV4Ports.length) {
+            var resultsString = '';
+            if (openV4Ports.length) {
+                resultsString = `Security group: ${group.SecurityGroupId} has ${service}:${openV4Ports.join(', ')} open to 0.0.0.0/0`;
+            }
+
+            helpers.addResult(results, 2, resultsString, region, resource);
+        }
+    }
+
+    if (!found) {
+        helpers.addResult(results, 0, 'No public open ports found', region);
+    }
+
+    return;
+}
+
+module.exports = {
+    defaultRegion: defaultRegion,
+    createArn: createArn,
+    findOpenPorts: findOpenPorts
+};
diff --git a/helpers/alibaba/index.js b/helpers/alibaba/index.js
@@ -0,0 +1,17 @@
+var shared = require(__dirname + '/../shared.js');
+var functions = require('./functions.js');
+var regRegions = require('./regions.js');
+
+var regions = function() {
+    return regRegions;
+};
+
+var helpers = {
+    regions: regions,
+    MAX_REGIONS_AT_A_TIME: 6
+};
+
+for (var s in shared) helpers[s] = shared[s];
+for (var f in functions) helpers[f] = functions[f];
+
+module.exports = helpers;
diff --git a/helpers/alibaba/regions.js b/helpers/alibaba/regions.js
@@ -0,0 +1,40 @@
+// Source: https://www.alibabacloud.com/global-locations
+
+var regions = [
+    'cn-hangzhou',            // China (Hangzhou)
+    'cn-shanghai',            // China (Shanghai)
+    'cn-qingdao',             // China (Qingdao)
+    'cn-beijing',             // China (Beijing)
+    'cn-zhangjiakou',         // China (Zhangjiakou)
+    'cn-huhehaote',           // China (Hohhot)
+    'cn-wulanchabu',          // China (Ulanqab)
+    'cn-shenzhen',            // China (Shenzhen)
+    'cn-heyuan',              // China (Heyuan)
+    'cn-chengdu',             // China (Chengdu)
+    'cn-hongkong',            // China(Hong Kong)
+    'cn-guangzhou',           // China (Guangzhou)
+    'ap-southeast-1',         // Singapore
+    'ap-southeast-2',         // Australia (Sydney)
+    'ap-southeast-3',         // Malaysia (Kuala Lumpur)
+    'ap-southeast-5',         // Indonesia (Jakarta)
+    'ap-northeast-1',         // Japan (Tokyo)
+    'ap-south-1',             // India (Mumbai)
+    'eu-central-1',           // Germany (Frankfurt)
+    'eu-west-1',              // UK(London)
+    'us-west-1',              // US (Silicon Valley)
+    'us-east-1',              // US (Virginia)
+    'me-east-1',              // UAE (Dubai)
+];
+
+module.exports = {
+    default: ['cn-hangzhou'],
+    all: regions,
+    ecs: regions,
+    polardb: regions,
+    ram: ['cn-hangzhou'],
+    vpc: regions,
+    rds: regions,
+    sts: ['cn-hangzhou'],
+    oss: ['cn-hangzhou'],
+    kms: regions
+};