"""

Security rules configuration for different IaC platforms

"""
from typing import Dict, List
from models import SecurityRule

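def get_terraform_rules() -> List[SecurityRule]:
    """Return the Terraform (HCL) security rules.

    Each rule carries a list of regular-expression ``patterns``; how the
    scanner applies them (search flags, per line or whole file) is decided by
    the caller, not here.  Rules that detect a *missing* setting (TF002,
    TF004) therefore bound their negative lookahead to the enclosing
    ``{ ... }`` block with ``[^}]*`` instead of ``.*``, so the check neither
    stops at the first newline (non-DOTALL) nor leaks into a later resource
    (DOTALL).  A nested block (for example ``tags = { ... }``) still cuts the
    scope short at its closing brace; that limitation is shared by every
    block-scoped pattern in this file.

    Returns:
        A list of ``SecurityRule`` objects, ordered by rule id.
    """
    return [
        SecurityRule(
            rule_id="TF001",
            title="Public S3 Bucket",
            severity="high",
            patterns=[
                r'acl\s*=\s*["\']public-read["\']',
                r'acl\s*=\s*["\']public-read-write["\']',
                # Any of the four public-access-block switches set to false
                # weakens the account/bucket guard rails.
                r'block_public_acls\s*=\s*false',
                r'ignore_public_acls\s*=\s*false',
                r'block_public_policy\s*=\s*false',
                r'restrict_public_buckets\s*=\s*false'
            ],
            description="S3 bucket is configured with public access, which may expose sensitive data to unauthorized users.",
            recommendation="Use private ACL and configure specific bucket policies. Enable S3 bucket public access block.",
            # NOTE(review): the public-access-block settings normally live in a
            # separate aws_s3_bucket_public_access_block resource rather than a
            # nested block; confirm this snippet renders as intended.
            fix_example='acl = "private"\n\nbucket_public_access_block {\n  block_public_acls = true\n  block_public_policy = true\n  ignore_public_acls = true\n  restrict_public_buckets = true\n}',
            category="Data Protection",
            cwe_id="CWE-200",
            cvss_score=7.5
        ),
        SecurityRule(
            rule_id="TF002",
            title="Unencrypted EBS Volume",
            severity="high",
            patterns=[
                # Match the resource header up to its opening brace, then
                # require that no `encrypted = true` appears before the
                # block's closing brace.  The previous form placed
                # `(?!.*encrypted...)` after a lazy `[^}]*?`, which in
                # non-DOTALL mode only inspected the rest of the header line
                # and so fired on every volume, encrypted or not.
                r'resource\s+["\']aws_ebs_volume["\'][^{]*\{(?![^}]*encrypted\s*=\s*true)[^}]*\}',
                r'ebs_block_device\s*\{(?![^}]*encrypted\s*=\s*true)[^}]*\}'
            ],
            description="EBS volumes are not encrypted, potentially exposing sensitive data at rest.",
            recommendation="Enable encryption for all EBS volumes using AWS KMS keys to protect data at rest.",
            fix_example='encrypted = true\nkms_key_id = aws_kms_key.ebs.arn',
            category="Encryption",
            cwe_id="CWE-311",
            cvss_score=6.5
        ),
        SecurityRule(
            rule_id="TF003",
            title="Open Security Group - Inbound",
            severity="critical",
            patterns=[
                # Any ingress block whose cidr_blocks list contains 0.0.0.0/0.
                r'ingress\s*{[^}]*cidr_blocks\s*=\s*\[[^]]*["\']0\.0\.0\.0/0["\'][^]]*\]',
                # Full port range open to the world.
                r'from_port\s*=\s*0[^}]*to_port\s*=\s*65535[^}]*cidr_blocks\s*=\s*\[[^]]*["\']0\.0\.0\.0/0["\']',
                # SSH (tcp/22) open to the world.
                r'protocol\s*=\s*["\']tcp["\'][^}]*from_port\s*=\s*22[^}]*cidr_blocks\s*=\s*\[[^]]*["\']0\.0\.0\.0/0["\']'
            ],
            description="Security group allows unrestricted inbound access from the internet (0.0.0.0/0).",
            recommendation="Restrict inbound rules to specific IP ranges, security groups, or use AWS Systems Manager Session Manager for SSH access.",
            fix_example='cidr_blocks = ["10.0.0.0/8", "172.16.0.0/12"]\n# Or use security group references\nsecurity_groups = [aws_security_group.app.id]',
            category="Network Security",
            cwe_id="CWE-16",
            cvss_score=9.0
        ),
        SecurityRule(
            rule_id="TF004",
            title="Unencrypted RDS Instance",
            severity="high",
            patterns=[
                # Same block-bounded negative lookahead as TF002: fire only
                # when the aws_db_instance block has no storage_encrypted = true.
                r'resource\s+["\']aws_db_instance["\'][^{]*\{(?![^}]*storage_encrypted\s*=\s*true)[^}]*\}'
            ],
            description="RDS database instance is not encrypted, potentially exposing sensitive data.",
            recommendation="Enable encryption for RDS instances and consider encryption in transit.",
            fix_example='storage_encrypted = true\nkms_key_id = aws_kms_key.rds.arn',
            category="Database Security",
            cwe_id="CWE-311",
            cvss_score=7.0
        ),
        SecurityRule(
            rule_id="TF005",
            title="IAM Policy with Wildcard Actions",
            severity="medium",
            patterns=[
                # `"Action": "*"` and `"Action": ["*"]` (optional list
                # bracket); the bare-string form was the only one matched
                # before, so single-element list wildcards went unflagged.
                r'["\']Action["\']\s*[:=]\s*\[?\s*["\'][*]["\']',
                r'["\']Resource["\']\s*[:=]\s*\[?\s*["\'][*]["\']'
            ],
            description="IAM policy uses wildcard (*) for actions or resources, potentially granting excessive permissions.",
            recommendation="Follow the principle of least privilege by specifying exact actions and resources.",
            fix_example='"Action": ["s3:GetObject", "s3:PutObject"],\n"Resource": ["arn:aws:s3:::my-bucket/*"]',
            category="Access Control",
            cwe_id="CWE-269",
            cvss_score=5.5
        )
    ]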

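def get_cloudformation_rules() -> List[SecurityRule]:
    """Return the CloudFormation (JSON or YAML template) security rules.

    The patterns accept both quoted (JSON) and unquoted (YAML) keys and
    values via the optional ``["\\']?`` groups.

    Returns:
        A list of ``SecurityRule`` objects, ordered by rule id.
    """
    return [
        SecurityRule(
            rule_id="CF001",
            title="Public S3 Bucket Access",
            severity="high",
            patterns=[
                r'AccessControl["\']?\s*:\s*["\']?PublicRead',
                r'AccessControl["\']?\s*:\s*["\']?PublicReadWrite',
                # Matches any `Principal: *` in the template, not only S3
                # bucket policies, so other resource policies (queues, keys,
                # ...) with an anonymous principal are reported under this
                # rule as well.
                r'Principal["\']?\s*:\s*["\']?\*["\']?'
            ],
            description="S3 bucket allows public access which may expose sensitive data.",
            # The previous text told the reader to *disable* public access
            # blocks, the opposite of the fix shown in fix_example.
            recommendation="Configure proper bucket policies and enable the public access block configuration.",
            fix_example='"AccessControl": "Private",\n"PublicAccessBlockConfiguration": {\n  "BlockPublicAcls": true,\n  "BlockPublicPolicy": true\n}',
            category="Data Protection",
            cwe_id="CWE-200",
            cvss_score=7.5
        ),
        SecurityRule(
            rule_id="CF002",
            title="Open Security Group",
            severity="critical",
            patterns=[
                r'CidrIp["\']?\s*:\s*["\']?0\.0\.0\.0/0["\']?',
                # `IpProtocol: -1` (all protocols) fires on its own, even when
                # the source CIDR is internal; expect false positives there.
                r'IpProtocol["\']?\s*:\s*["\']?-1["\']?'
            ],
            description="Security group allows traffic from any IP address or all protocols.",
            recommendation="Restrict access to specific IP ranges and required protocols only.",
            fix_example='"CidrIp": "10.0.0.0/8",\n"IpProtocol": "tcp",\n"FromPort": 80,\n"ToPort": 80',
            category="Network Security",
            cwe_id="CWE-16",
            cvss_score=9.0
        )
    ]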

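def get_kubernetes_rules() -> List[SecurityRule]:
    """Return the Kubernetes (YAML manifest) security rules.

    Two bare negative-lookahead patterns were removed: a pattern consisting
    only of ``(?!...)`` matches the empty string at (almost) every position,
    so it fired on every document scanned rather than only on manifests that
    lack the setting.  "Setting is absent" checks that remain are approximate
    and are commented inline.

    Returns:
        A list of ``SecurityRule`` objects, ordered by rule id.
    """
    return [
        SecurityRule(
            rule_id="K8S001",
            title="Container Running as Root",
            severity="high",
            patterns=[
                # `\b` keeps uid 0 from matching the leading digit of a
                # longer uid.
                r'runAsUser\s*:\s*0\b',
                # NOTE(review): runAsRoot does not appear to be a standard
                # securityContext field; the pattern is harmless but is not
                # expected to match real manifests.
                r'runAsRoot\s*:\s*true'
                # Removed: r'(?!.*runAsNonRoot\s*:\s*true)' -- a lookahead with
                # no anchored text matches the empty string and flagged every
                # document.  Absence of runAsNonRoot: true cannot be expressed
                # as a standalone positive regex.
            ],
            description="Container is configured to run as root user, increasing attack surface.",
            recommendation="Configure containers to run as non-root user with minimal privileges.",
            fix_example='securityContext:\n  runAsUser: 1000\n  runAsNonRoot: true\n  readOnlyRootFilesystem: true',
            category="Container Security",
            cwe_id="CWE-250",
            cvss_score=6.0
        ),
        SecurityRule(
            rule_id="K8S002",
            title="Privileged Container",
            severity="critical",
            patterns=[
                r'privileged\s*:\s*true',
                r'allowPrivilegeEscalation\s*:\s*true'
            ],
            description="Container is running in privileged mode, which grants access to host resources.",
            recommendation="Avoid privileged containers unless absolutely necessary. Use specific capabilities instead.",
            fix_example='securityContext:\n  privileged: false\n  allowPrivilegeEscalation: false\n  capabilities:\n    drop:\n    - ALL',
            category="Container Security",
            cwe_id="CWE-250",
            cvss_score=8.5
        ),
        SecurityRule(
            rule_id="K8S003",
            title="Missing Resource Limits",
            severity="medium",
            patterns=[
                # `(?s)` lets `.*` cross newlines so the lookahead inspects the
                # remainder of the document, not just the `containers:` line
                # (where it was trivially true).  This is document-level: one
                # `limits:` anywhere after `containers:` silences the rule for
                # every container, so it under-reports multi-container pods.
                r'(?s)containers\s*:(?!.*limits\s*:)'
                # Removed: r'(?!.*resources\s*:.*limits)' -- same empty-match
                # defect as the K8S001 lookahead.
            ],
            description="Container has no resource limits defined, which may lead to resource exhaustion.",
            recommendation="Set appropriate CPU and memory limits to prevent resource starvation.",
            fix_example='resources:\n  limits:\n    cpu: "500m"\n    memory: "512Mi"\n  requests:\n    cpu: "250m"\n    memory: "256Mi"',
            category="Resource Management",
            cwe_id="CWE-400",
            cvss_score=4.0
        )
    ]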

def get_all_security_rules() -> Dict[str, List[SecurityRule]]:
    """Map each supported IaC platform name to its list of rules.

    Keys are ``"terraform"``, ``"cloudformation"`` and ``"kubernetes"``;
    the rule lists are built fresh on every call.
    """
    platform_loaders = {
        "terraform": get_terraform_rules,
        "cloudformation": get_cloudformation_rules,
        "kubernetes": get_kubernetes_rules,
    }
    return {platform: load_rules() for platform, load_rules in platform_loaders.items()}