"""
Security rules configuration for different IaC platforms
"""
from typing import Dict, List
from models import SecurityRule
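def get_terraform_rules() -> List[SecurityRule]:
    """Return the Terraform (HCL) rule set.

    Each rule carries a list of independent regexes; a rule fires when any
    one of them matches the scanned text.  Files are scanned as raw text, so
    comments are not stripped (a commented-out ``encrypted = true`` still
    counts as present).  The patterns deliberately avoid relying on
    ``re.DOTALL``/``re.MULTILINE`` -- negated character classes already
    cross newlines -- so they behave the same whatever flags the scanner
    passes to ``re``.

    Returns:
        Rules TF001-TF005, in stable order.
    """
    # "Absent setting" rules (TF002, TF004) look inside a block body for the
    # encrypting attribute.  ``_body`` consumes a body that may contain ONE
    # level of nested ``{ ... }`` (e.g. ``tags = { ... }``); a setting placed
    # after a doubly-nested block is not seen and yields a false positive.
    # The alternation is unambiguous (``[^{}]`` never eats a brace), so it
    # cannot backtrack catastrophically on adversarial input.
    _body = r'(?:[^{}]|\{[^}]*\})*'
    # Public-CIDR literal accepted by the security-group patterns (IPv4 + IPv6).
    _any_cidr = r'["\'](?:0\.0\.0\.0/0|::/0)["\']'

    return [
        SecurityRule(
            rule_id="TF001",
            title="Public S3 Bucket",
            severity="high",
            patterns=[
                # Canned ACLs on aws_s3_bucket (pre-v4 provider) or aws_s3_bucket_acl.
                # ``authenticated-read`` grants read to every AWS account, i.e.
                # effectively public.
                r'acl\s*=\s*["\']public-read["\']',
                r'acl\s*=\s*["\']public-read-write["\']',
                r'acl\s*=\s*["\']authenticated-read["\']',
                # Any one of the four Block Public Access settings switched off.
                r'block_public_acls\s*=\s*false',
                r'ignore_public_acls\s*=\s*false',
                r'block_public_policy\s*=\s*false',
                r'restrict_public_buckets\s*=\s*false',
            ],
            description="S3 bucket is configured with public access, which may expose sensitive data to unauthorized users.",
            recommendation="Use private ACL and configure specific bucket policies. Enable S3 bucket public access block.",
            # Block Public Access is a separate resource in the AWS provider,
            # not a nested block of aws_s3_bucket; the previous example was
            # not valid HCL and would not have applied.
            fix_example=(
                'resource "aws_s3_bucket_acl" "this" {\n'
                '  bucket = aws_s3_bucket.this.id\n'
                '  acl    = "private"\n'
                '}\n\n'
                'resource "aws_s3_bucket_public_access_block" "this" {\n'
                '  bucket                  = aws_s3_bucket.this.id\n'
                '  block_public_acls       = true\n'
                '  block_public_policy     = true\n'
                '  ignore_public_acls      = true\n'
                '  restrict_public_buckets = true\n'
                '}'
            ),
            category="Data Protection",
            cwe_id="CWE-200",
            cvss_score=7.5,
        ),
        SecurityRule(
            rule_id="TF002",
            title="Unencrypted EBS Volume",
            severity="high",
            # The negative lookahead sits right after the opening brace and
            # scans the whole body, so a block that DOES set
            # ``encrypted = true`` is not reported.  (The previous form put
            # the lookahead after a lazy ``[^}]*?`` with a newline-bound
            # ``.*``, which let the engine step past the setting and flag
            # every volume, encrypted or not.)  ``["\']?`` also accepts the
            # quoted ``"true"`` HCL allows.
            patterns=[
                r'resource\s+["\']aws_ebs_volume["\'][^{]*\{'
                r'(?!' + _body + r'encrypted\s*=\s*["\']?true)' + _body + r'\}',
                r'ebs_block_device\s*\{'
                r'(?!' + _body + r'encrypted\s*=\s*["\']?true)' + _body + r'\}',
                # root_block_device on aws_instance takes the same attribute.
                r'root_block_device\s*\{'
                r'(?!' + _body + r'encrypted\s*=\s*["\']?true)' + _body + r'\}',
            ],
            description="EBS volumes are not encrypted, potentially exposing sensitive data at rest.",
            recommendation="Enable encryption for all EBS volumes using AWS KMS keys to protect data at rest.",
            fix_example='encrypted = true\nkms_key_id = aws_kms_key.ebs.arn',
            category="Encryption",
            cwe_id="CWE-311",
            cvss_score=6.5,
        ),
        SecurityRule(
            rule_id="TF003",
            title="Open Security Group - Inbound",
            severity="critical",
            patterns=[
                # Inline ingress block on aws_security_group, IPv4 or IPv6 any.
                r'ingress\s*\{[^}]*cidr_blocks\s*=\s*\[[^\]]*' + _any_cidr,
                r'ingress\s*\{[^}]*ipv6_cidr_blocks\s*=\s*\[[^\]]*' + _any_cidr,
                # Standalone aws_security_group_rule; anchored on ``type =
                # "ingress"`` so egress rules (0.0.0.0/0 is normal there) are
                # not reported.  Assumes ``type`` precedes ``cidr_blocks``,
                # which is the conventional order.
                r'type\s*=\s*["\']ingress["\'][^}]*(?:ipv6_)?cidr_blocks\s*=\s*\[[^\]]*' + _any_cidr,
                # Newer aws_vpc_security_group_ingress_rule resource.
                r'resource\s+["\']aws_vpc_security_group_ingress_rule["\'][^}]*cidr_ipv[46]\s*=\s*' + _any_cidr,
            ],
            # NOTE(review): any ingress open to the world is reported, including
            # 80/443 on an intentionally public load balancer; triage those by
            # port rather than relaxing the rule.
            description="Security group allows unrestricted inbound access from the internet (0.0.0.0/0 or ::/0).",
            recommendation="Restrict inbound rules to specific IP ranges, security groups, or use AWS Systems Manager Session Manager for SSH access.",
            fix_example='cidr_blocks = ["10.0.0.0/8", "172.16.0.0/12"]\n# Or use security group references\nsecurity_groups = [aws_security_group.app.id]',
            category="Network Security",
            # NOTE(review): CWE-16 is a category, not a weakness; consider
            # CWE-284 (Improper Access Control) when reports feed a tracker.
            cwe_id="CWE-16",
            cvss_score=9.0,
        ),
        SecurityRule(
            rule_id="TF004",
            title="Unencrypted RDS Instance",
            severity="high",
            # Same lookahead layout as TF002; see the comment there.
            patterns=[
                r'resource\s+["\']aws_db_instance["\'][^{]*\{'
                r'(?!' + _body + r'storage_encrypted\s*=\s*["\']?true)' + _body + r'\}',
                # Aurora clusters carry the same attribute on aws_rds_cluster.
                r'resource\s+["\']aws_rds_cluster["\'][^{]*\{'
                r'(?!' + _body + r'storage_encrypted\s*=\s*["\']?true)' + _body + r'\}',
            ],
            description="RDS database instance is not encrypted, potentially exposing sensitive data.",
            recommendation="Enable encryption for RDS instances and consider encryption in transit.",
            fix_example='storage_encrypted = true\nkms_key_id = aws_kms_key.rds.arn',
            category="Database Security",
            cwe_id="CWE-311",
            cvss_score=7.0,
        ),
        SecurityRule(
            rule_id="TF005",
            title="IAM Policy with Wildcard Actions",
            severity="medium",
            patterns=[
                # JSON policy documents (heredoc or jsonencode): key may be
                # quoted or bare, value may be a bare string or a list.  ``\b``
                # keeps ``NotAction``/``NotResource`` from matching.
                r'\bAction["\']?\s*[:=]\s*\[?\s*["\']\*["\']',
                r'\bResource["\']?\s*[:=]\s*\[?\s*["\']\*["\']',
                # aws_iam_policy_document data source uses lowercase plural
                # attributes with list values.
                r'\bactions\s*=\s*\[[^\]]*["\']\*["\']',
                r'\bresources\s*=\s*\[[^\]]*["\']\*["\']',
            ],
            # NOTE(review): some read-only IAM actions only support
            # ``Resource: "*"``, so expect review-time false positives there;
            # ``Action: "*"`` together with ``Resource: "*"`` is full admin
            # and arguably deserves a higher severity than "medium".
            description="IAM policy uses wildcard (*) for actions or resources, potentially granting excessive permissions.",
            recommendation="Follow the principle of least privilege by specifying exact actions and resources.",
            fix_example='"Action": ["s3:GetObject", "s3:PutObject"],\n"Resource": ["arn:aws:s3:::my-bucket/*"]',
            category="Access Control",
            cwe_id="CWE-269",
            cvss_score=5.5,
        ),
    ]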
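def get_cloudformation_rules() -> List[SecurityRule]:
    """Return the CloudFormation rule set.

    Templates may be JSON or YAML, so every key/value pattern allows an
    optional surrounding quote and whitespace (including newlines) around
    the colon.  Rules fire when any one of their regexes matches the raw
    template text.

    Returns:
        Rules CF001-CF002, in stable order.
    """
    return [
        SecurityRule(
            rule_id="CF001",
            title="Public S3 Bucket Access",
            severity="high",
            patterns=[
                # Canned ACLs.  ``PublicRead(Write)?`` replaces two patterns
                # of which the first already matched the second;
                # ``AuthenticatedRead`` grants read to every AWS account.
                r'AccessControl["\']?\s*:\s*["\']?PublicRead(?:Write)?\b',
                r'AccessControl["\']?\s*:\s*["\']?AuthenticatedRead\b',
                # Block Public Access settings explicitly disabled.
                r'(?:BlockPublicAcls|BlockPublicPolicy|IgnorePublicAcls|RestrictPublicBuckets)["\']?\s*:\s*false',
                # Wildcard principal: ``"*"`` or ``{"AWS": "*"}`` (JSON) and the
                # equivalent YAML nesting.
                # NOTE(review): this is not bucket-specific -- it also fires on
                # SNS/SQS/KMS resource policies that name Principal "*".
                r'Principal["\']?\s*:\s*["\']?\*["\']?',
                r'Principal["\']?\s*:\s*\{?\s*["\']?AWS["\']?\s*:\s*["\']?\*["\']?',
            ],
            description="S3 bucket allows public access which may expose sensitive data.",
            # The previous text said to "disable public access blocks", the
            # opposite of the intended fix.
            recommendation="Keep the bucket ACL private, scope bucket-policy principals to specific accounts or roles, and enable all four PublicAccessBlockConfiguration settings.",
            fix_example=(
                '"AccessControl": "Private",\n'
                '"PublicAccessBlockConfiguration": {\n'
                '  "BlockPublicAcls": true,\n'
                '  "BlockPublicPolicy": true,\n'
                '  "IgnorePublicAcls": true,\n'
                '  "RestrictPublicBuckets": true\n'
                '}'
            ),
            category="Data Protection",
            cwe_id="CWE-200",
            cvss_score=7.5,
        ),
        SecurityRule(
            rule_id="CF002",
            title="Open Security Group",
            severity="critical",
            patterns=[
                r'CidrIp["\']?\s*:\s*["\']?0\.0\.0\.0/0["\']?',
                # IPv6 "any" is just as open as 0.0.0.0/0.
                r'CidrIpv6["\']?\s*:\s*["\']?::/0["\']?',
                r'IpProtocol["\']?\s*:\s*["\']?-1["\']?',
            ],
            # NOTE(review): CidrIp also appears under SecurityGroupEgress, where
            # 0.0.0.0/0 is the usual default, and IpProtocol -1 alone is not
            # internet exposure (the source may be another security group).
            # Both are reported as-is; a structural check on the parent key
            # would be needed to separate them.
            description="Security group allows traffic from any IPv4 (0.0.0.0/0) or IPv6 (::/0) address, or all protocols.",
            recommendation="Restrict access to specific IP ranges and required protocols only.",
            fix_example='"CidrIp": "10.0.0.0/8",\n"IpProtocol": "tcp",\n"FromPort": 80,\n"ToPort": 80',
            category="Network Security",
            # NOTE(review): CWE-16 is a category; see TF003 for the same caveat.
            cwe_id="CWE-16",
            cvss_score=9.0,
        ),
    ]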
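def get_kubernetes_rules() -> List[SecurityRule]:
    """Return the Kubernetes manifest rule set.

    Patterns are matched against raw YAML, one regex at a time.  A bare
    negative lookahead such as ``(?!.*foo)`` matches the empty string at
    almost every position and therefore reports every file; the previous
    K8S001 and K8S003 each contained one and fired unconditionally.  "Setting
    is absent" checks that cannot be anchored to a nearby key are left to a
    structural (parsed-YAML) check rather than approximated here.

    Returns:
        Rules K8S001-K8S003, in stable order.
    """
    return [
        SecurityRule(
            rule_id="K8S001",
            title="Container Running as Root",
            severity="high",
            patterns=[
                # UID 0, bare or quoted; ``\b`` stops ``0`` matching the first
                # digit of e.g. ``01000``.
                r'runAsUser\s*:\s*["\']?0\b',
                # Explicitly permitting root.  (``runAsRoot`` is not a
                # securityContext field and was dropped; the bare lookahead
                # for a missing ``runAsNonRoot: true`` matched everything.)
                r'runAsNonRoot\s*:\s*false',
            ],
            description="Container is configured to run as root user, increasing attack surface.",
            recommendation="Configure containers to run as non-root user with minimal privileges.",
            fix_example='securityContext:\n runAsUser: 1000\n runAsNonRoot: true\n readOnlyRootFilesystem: true',
            category="Container Security",
            cwe_id="CWE-250",
            cvss_score=6.0,
        ),
        SecurityRule(
            rule_id="K8S002",
            title="Privileged Container",
            severity="critical",
            patterns=[
                r'privileged\s*:\s*true',
                r'allowPrivilegeEscalation\s*:\s*true',
            ],
            # NOTE(review): only explicit ``true`` is reported; an unset
            # allowPrivilegeEscalation leaves escalation permitted at runtime
            # (to be confirmed against the target cluster's admission policy),
            # which a presence-based pattern cannot flag.
            description="Container is running in privileged mode, which grants access to host resources.",
            recommendation="Avoid privileged containers unless absolutely necessary. Use specific capabilities instead.",
            fix_example='securityContext:\n privileged: false\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL',
            category="Container Security",
            cwe_id="CWE-250",
            cvss_score=8.5,
        ),
        SecurityRule(
            rule_id="K8S003",
            title="Missing Resource Limits",
            severity="medium",
            patterns=[
                # Report ``containers:`` only when no ``limits:`` key follows it
                # anywhere in the rest of the document.  ``[\s\S]`` crosses
                # newlines regardless of scanner flags (the previous ``.*``
                # stopped at end of line, so the lookahead always passed).
                # Approximation: a later ``limits:`` -- even on a different
                # container or a following YAML document -- suppresses the
                # finding, so this errs toward false negatives rather than
                # flagging every manifest.
                r'containers\s*:(?![\s\S]*limits\s*:)',
            ],
            description="Container has no resource limits defined, which may lead to resource exhaustion.",
            recommendation="Set appropriate CPU and memory limits to prevent resource starvation.",
            fix_example='resources:\n limits:\n cpu: "500m"\n memory: "512Mi"\n requests:\n cpu: "250m"\n memory: "256Mi"',
            category="Resource Management",
            cwe_id="CWE-400",
            cvss_score=4.0,
        ),
    ]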
def get_all_security_rules() -> Dict[str, List[SecurityRule]]:
    """Return every rule set, keyed by platform name.

    Keys are ``"terraform"``, ``"cloudformation"`` and ``"kubernetes"``, in
    that order; each value is the list produced by the matching
    ``get_*_rules()`` loader.
    """
    loaders = {
        "terraform": get_terraform_rules,
        "cloudformation": get_cloudformation_rules,
        "kubernetes": get_kubernetes_rules,
    }
    return {platform: load() for platform, load in loaders.items()}