Merge pull request #1722 from aquasecurity/bundles/sync_09_18
Syncing with SaaS.
AkhtarAmir authored Sep 18, 2023
2 parents fb42bb2 + 8415d5c commit 69ef0d7
Showing 15 changed files with 145 additions and 427 deletions.
46 changes: 39 additions & 7 deletions collectors/aws/ses/getIdentityDkimAttributes.js
Expand Up @@ -3,14 +3,46 @@ var helpers = require(__dirname + '/../../../helpers/aws');

module.exports = function(AWSConfig, collection, retries, callback) {
var ses = new AWS.SES(AWSConfig);
collection.ses.getIdentityDkimAttributes[AWSConfig.region] = {};

helpers.makeCustomCollectorCall(ses, 'getIdentityDkimAttributes', {Identities: collection.ses.listIdentities[AWSConfig.region].data}, retries, null, null, null, function(err, data) {
if (err) {
collection.ses.getIdentityDkimAttributes[AWSConfig.region].err = err;
var identities = collection.ses.listIdentities[AWSConfig.region].data;
var identityChunks = chunkArray(identities, 100);
var allDkimAttributes = [];
var processIdentityChunk = function(chunkIndex) {
if (chunkIndex >= identityChunks.length) {
allDkimAttributes = allDkimAttributes.flatMap(obj => Object.values(obj));
collection.ses.getIdentityDkimAttributes[AWSConfig.region].data = {
DkimAttributes: allDkimAttributes
};
callback();
return;
}

collection.ses.getIdentityDkimAttributes[AWSConfig.region].data = data;
var chunk = identityChunks[chunkIndex];
var params = {
Identities: chunk,
};

callback();
});
};
setTimeout(function() {
helpers.makeCustomCollectorCall(ses, 'getIdentityDkimAttributes', params, retries, null, null, null, function(err, data) {
if (err) {
collection.ses.getIdentityDkimAttributes[AWSConfig.region].err = err;
} else if (data && data.DkimAttributes) {
allDkimAttributes = allDkimAttributes.concat(data.DkimAttributes);
}

processIdentityChunk(chunkIndex + 1);
});
}, 1000);
};

processIdentityChunk(0);
};

function chunkArray(arr, chunkSize) {
var result = [];
for (var i = 0; i < arr.length; i += chunkSize) {
result.push(arr.slice(i, i + chunkSize));
}
return result;
}
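Review bot: `chunkArray(identities, 100)` dereferences `collection.ses.listIdentities[AWSConfig.region].data` with no guard, so a region where listIdentities failed or returned nothing throws a TypeError on `arr.length` instead of being recorded through `.err` as the old single call was; `var identities = (collection.ses.listIdentities[AWSConfig.region] || {}).data || [];` restores that. The per-chunk error path keeps iterating and the final step still writes `.data` from whichever chunks succeeded, so a partially failed collection is indistinguishable from a complete one to the DKIM plugins — either stop at the first error or leave `.data` unset whenever `.err` is present. The closing `flatMap(obj => Object.values(obj))` discards the identity names that key each `DkimAttributes` map; presumably the consuming plugin does not need them, but that is worth confirming against the reader. The fixed 1000 ms `setTimeout` also applies to the very first chunk, which is harmless but adds a second to every region.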
8 changes: 5 additions & 3 deletions collectors/azure/collector.js
Expand Up @@ -44,7 +44,7 @@ function parseCollection(path, obj) {
}
}

var collect = function(AzureConfig, settings, callback) {
let collect = function(AzureConfig, settings, callback) {
// Used to gather info only
if (settings.gather) {
return callback(null, calls, postcalls, tertiarycalls, specialcalls);
Expand Down Expand Up @@ -92,10 +92,12 @@ var collect = function(AzureConfig, settings, callback) {
});
};

var processCall = function(obj, cb, localData) {
var localUrl = obj.nextUrl || obj.url.replace(/\{subscriptionId\}/g, AzureConfig.SubscriptionID);
let processCall = function(obj, cb, localData) {
let localUrl = obj.nextUrl || obj.url.replace(/\{subscriptionId\}/g, AzureConfig.SubscriptionID);
if (obj.rateLimit) {
setTimeout(function() {
console.log('timeout check');
console.log(`url: ${localUrl} obj: ${JSON.stringify(obj)} localData: ${JSON.stringify(localData)}`);
makeCall(localUrl, obj, cb, localData);
}, obj.rateLimit);
} else {
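Review bot: The two `console.log` calls added inside the `rateLimit` branch look like leftover debugging, and the second one serialises the whole `obj` and `localData` to stdout; the rate-limited specialcalls in helpers/azure/api.js rely on `storageAccounts.listKeys`, so if that result is what arrives in `localData` this prints storage account keys into the scanner's logs. Remove both lines, or at most log the URL: `console.log(`rate-limited call: ${localUrl}`);`. `processCall` continues past the end of the hunk.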
60 changes: 31 additions & 29 deletions collectors/azure/fileService/listSharesSegmented.js
@@ -1,10 +1,9 @@
var async = require('async');
var azureStorage = require('@azure/storage-file-share');

module.exports = function(collection, reliesOn, callback) {
if (!reliesOn['storageAccounts.listKeys']) return callback();

var azureStorage = require('azure-storage');

if (!collection['fileService']['listSharesSegmented']) collection['fileService']['listSharesSegmented'] = {};
if (!collection['fileService']['getShareAcl']) collection['fileService']['getShareAcl'] = {};

Expand All @@ -13,39 +12,42 @@ module.exports = function(collection, reliesOn, callback) {
collection['fileService']['listSharesSegmented'][region] = {};
collection['fileService']['getShareAcl'][region] = {};

async.eachOfLimit(regionObj, 5, function(subObj, resourceId, sCb) {
async.eachOfLimit(regionObj, 5, async function(subObj, resourceId, sCb) {
collection['fileService']['listSharesSegmented'][region][resourceId] = {};

if (subObj && subObj.data && subObj.data.keys && subObj.data.keys[0] && subObj.data.keys[0].value) {
// Extract storage account name from resourceId
var storageAccountName = resourceId.substring(resourceId.lastIndexOf('/') + 1);
var storageService = new azureStorage['FileService'](storageAccountName, subObj.data.keys[0].value);

storageService.listSharesSegmented(null, function(serviceErr, serviceResults) {
if (serviceErr || !serviceResults) {
collection['fileService']['listSharesSegmented'][region][resourceId].err = (serviceErr || 'No data returned');
sCb();
} else {
collection['fileService']['listSharesSegmented'][region][resourceId].data = serviceResults.entries;

// Add ACLs
async.eachLimit(serviceResults.entries, 10, function(entryObj, entryCb) {
var entryId = `${resourceId}/fileService/${entryObj.name}`;
collection['fileService']['getShareAcl'][region][entryId] = {};

storageService.getShareAcl(entryObj.name, function(getErr, getData) {
if (getErr || !getData) {
collection['fileService']['getShareAcl'][region][entryId].err = (getErr || 'No data returned');
} else {
collection['fileService']['getShareAcl'][region][entryId].data = getData;
}
entryCb();
const shareItemList = [];
try {
const storageAccountName = resourceId.substring(resourceId.lastIndexOf('/') + 1);
const connectionString = `DefaultEndpointsProtocol=https;AccountName=${storageAccountName};AccountKey=${subObj.data.keys[0].value};EndpointSuffix=core.windows.net`;
const storageService = azureStorage.ShareServiceClient.fromConnectionString(connectionString);
const iterator = storageService.listShares();
let item = await iterator.next();

while (!item.done) {
let fileShare = item.value.name;
var entryId = `${resourceId}/fileService/${fileShare}`;
shareItemList.push({ name: fileShare, id: entryId});
collection['fileService']['getShareAcl'][region][entryId] = {};
const shareClient = storageService.getShareClient(fileShare);
shareClient.getAccessPolicy()
.then(result => {
collection['fileService']['getShareAcl'][region][entryId].data = result;
})
.catch(err => {
collection['fileService']['getShareAcl'][region][entryId].err = err;
});
}, function() {
sCb();
});
item = await iterator.next();
}
});
} catch (exception) {
collection['fileService']['listSharesSegmented'][region][resourceId].err = exception.message;
}
if (shareItemList.length) {
collection['fileService']['listSharesSegmented'][region][resourceId].data = shareItemList;
} else {
collection['fileService']['listSharesSegmented'][region][resourceId].data = [];
}
} else {
sCb();
}
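Review bot: `shareClient.getAccessPolicy()` inside the `while` loop is never awaited — its `.then`/`.catch` handlers populate `getShareAcl[region][entryId]` whenever they settle, which can be after the iteratee has resolved and `eachOfLimit` has moved on, so the fileServiceAllAccessAcl plugin may run against entries whose ACL is still missing and silently pass a share that grants full access. Await it in a `try`/`catch` (or collect the promises and `await Promise.all` them) before fetching the next share. Separately, an `async` iteratee under async v3 is wrapped by `asyncify` and receives no callback argument, so the `sCb()` call in the `else` branch of the keys check would presumably throw "sCb is not a function" and surface as an error for the whole region — inferred from the library's behaviour, not visible here; if that is the version in use, drop the `sCb` parameter and the call. The enclosing `eachOfLimit` iteratee ends outside the hunk.
```javascript
const shareClient = storageService.getShareClient(fileShare);
try {
    collection['fileService']['getShareAcl'][region][entryId].data = await shareClient.getAccessPolicy();
} catch (aclErr) {
    collection['fileService']['getShareAcl'][region][entryId].err = aclErr;
}
item = await iterator.next();
```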
60 changes: 0 additions & 60 deletions collectors/azure/fileService/listSharesSegmentedNew.js

This file was deleted.

1 change: 0 additions & 1 deletion exports.js
Expand Up @@ -750,7 +750,6 @@ module.exports = {
'bastionHostExists' : require(__dirname + '/plugins/azure/bastion/bastionHostExists.js'),

'logProfileArchiveData' : require(__dirname + '/plugins/azure/monitor/logProfileArchiveData.js'),
'logProfileRetentionPolicy' : require(__dirname + '/plugins/azure/monitor/logProfileRetentionPolicy.js'),
'monitorLogsEnabled' : require(__dirname + '/plugins/azure/monitor/monitorLogsEnabled.js'),
'diagnosticsCapturedCategories' : require(__dirname + '/plugins/azure/monitor/diagnosticsCapturedCategories.js'),
'diagnosticsSettingsEnabled' : require(__dirname + '/plugins/azure/monitor/diagnosticsSettingsEnabled.js'),
14 changes: 10 additions & 4 deletions helpers/azure/api.js
Expand Up @@ -143,6 +143,15 @@ var serviceMap = {
BridgeResourceNameIdentifier: 'name', BridgeExecutionService: 'Table Service',
BridgeCollectionService: 'tableservice', DataIdentifier: 'data',
},
'File Service':
{
enabled: true, isSingleSource: true, InvAsset: 'fileService', InvService: 'fileService',
InvResourceCategory: 'storage', InvResourceType: 'file_service', BridgeServiceName: 'fileservice',
BridgePluginCategoryName: 'File Service', BridgeProvider: 'Azure', BridgeCall: 'listSharesSegmented',
BridgeArnIdentifier: '', BridgeIdTemplate: '', BridgeResourceType: 'fileService',
BridgeResourceNameIdentifier: 'name', BridgeExecutionService: 'File Service',
BridgeCollectionService: 'fileservice', DataIdentifier: 'data',
},
'SQL Databases':
{
enabled: true, isSingleSource: true, InvAsset: 'database', InvService: 'sql',
Expand Down Expand Up @@ -950,10 +959,7 @@ var specialcalls = {
reliesOnPath: ['storageAccounts.listKeys'],
rateLimit: 3000
},
listSharesSegmentedNew: {
reliesOnPath: ['storageAccounts.listKeys'],
rateLimit: 3000
}
sendIntegration: serviceMap['File Service']
},
blobService: {
listContainersSegmented: {
22 changes: 10 additions & 12 deletions helpers/azure/functions.js
Expand Up @@ -2,7 +2,7 @@ var shared = require(__dirname + '/../shared.js');
var auth = require(__dirname + '/auth.js');
var async = require('async');

const defualyPolicyAssignments = {
const defualtPolicyAssignments = {
adaptiveApplicationControlsMonitoringEffect: 'AuditIfNotExists',
diskEncryptionMonitoringEffect: 'AuditIfNotExists',
endpointProtectionMonitoringEffect: 'AuditIfNotExists',
Expand Down Expand Up @@ -178,8 +178,8 @@ function checkPolicyAssignment(policyAssignments, param, text, results, location

const policyAssignment = policyAssignments.data.find((policyAssignment) => {
return (policyAssignment &&
policyAssignment.displayName &&
policyAssignment.displayName.toLowerCase().includes('asc default'));
policyAssignment.displayName &&
policyAssignment.displayName.toLowerCase().includes('asc default'));
});

if (!policyAssignment) {
Expand All @@ -191,16 +191,14 @@ function checkPolicyAssignment(policyAssignments, param, text, results, location
// This check is required to handle a defect in the Azure API that causes
// unmodified ASC policies to return an empty object for parameters: {}
// https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMSZCA4
if (policyAssignment.parameters &&
!Object.keys(policyAssignment.parameters).length) {
addResult(results, 0,
'There ASC Default Policy Assignment includes all plugins', location,
policyAssignment.id);
return;
}

const policyAssignmentStatus = (policyAssignment.parameters && policyAssignment.parameters[param] && policyAssignment.parameters[param].value) ||
defualyPolicyAssignments[param] || '';
// The api used returns empty parameters in case of all the default values,
var policyAssignmentStatus = '';
if (policyAssignment.parameters && Object.keys(policyAssignment.parameters).length) {
policyAssignmentStatus = (policyAssignment.parameters && policyAssignment.parameters[param] && policyAssignment.parameters[param].value) || defualtPolicyAssignments[param] || '';
} else {
policyAssignmentStatus = defualtPolicyAssignments[param]
}

if (!policyAssignmentStatus.length) {
addResult(results, 0,
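Review bot: The new `else` branch assigns `defualtPolicyAssignments[param]` with no fallback, so for any `param` absent from the default table the value is `undefined` and the `policyAssignmentStatus.length` check that follows throws a TypeError instead of reporting the unconfigured case the way the old `|| ''` did; change it to `policyAssignmentStatus = defualtPolicyAssignments[param] || '';` (the line is also missing its semicolon). The `policyAssignment.parameters &&` test inside the `if` branch is redundant because the condition already established it. The renamed constant is still misspelt — `defualt` — and since the identifier is being touched anyway, `defaultPolicyAssignments` would save the next reader a double take. `checkPolicyAssignment` continues past the end of the hunk.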
4 changes: 4 additions & 0 deletions helpers/shared.js
Expand Up @@ -20,6 +20,10 @@ var processIntegration = function(serviceName, settings, collection, calls, post
let localSettings = {};
localSettings = settings;

if (settings.govcloud) {
localEvent.awsOrGov = 'aws-us-gov';
}

localEvent.collection = {};
localEvent.previousCollection = {};

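Review bot: `localEvent.awsOrGov` is only assigned when `settings.govcloud` is set, so every other run leaves the field `undefined` rather than naming the standard partition; if the consumer uses it to select the ARN partition (an inference — the reader is not visible here), set it unconditionally: `localEvent.awsOrGov = settings.govcloud ? 'aws-us-gov' : 'aws';`. `processIntegration` is shared across providers, so the field will also be absent on Azure and GCP events, which the consumer should tolerate. The function begins and ends outside the hunk.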
7 changes: 7 additions & 0 deletions plugins/aws/lambda/lambdaOldRuntimes.js
Expand Up @@ -36,14 +36,21 @@ module.exports = {
{ 'id':'nodejs8.10', 'name': 'Node.js 8.10', 'endOfLifeDate': '2020-03-06' },
{ 'id':'nodejs10.x', 'name': 'Node.js 10.x', 'endOfLifeDate': '2022-02-14' },
{ 'id':'nodejs12.x', 'name': 'Node.js 12', 'endOfLifeDate': '2023-03-31'},
{ 'id':'nodejs14.x', 'name': 'Node.js 14', 'endOfLifeDate': '2023-11-27'},
{ 'id':'nodejs16.x', 'name': 'Node.js 16', 'endOfLifeDate': '2024-03-11'},
{ 'id':'dotnetcore3.1', 'name': '.Net Core 3.1', 'endOfLifeDate': '2023-03-31' },
{ 'id':'dotnetcore2.1', 'name': '.Net Core 2.1', 'endOfLifeDate': '2022-04-15' },
{ 'id':'dotnetcore2.0', 'name': '.Net Core 2.0', 'endOfLifeDate': '2018-10-01' },
{ 'id':'dotnetcore1.0', 'name': '.Net Core 1.0', 'endOfLifeDate': '2019-06-27' },
{ 'id':'dotnet7', 'name': '.Net 7', 'endOfLifeDate': '2024-05-14' },
{ 'id':'python2.7', 'name': 'Python 2.7', 'endOfLifeDate': '2022-05-30' },
{ 'id':'python3.5', 'name': 'Python 3.5', 'endOfLifeDate': '2020-09-13' },
{ 'id':'ruby2.5', 'name': 'Ruby 2.5', 'endOfLifeDate': '2022-03-31' },
{ 'id':'ruby2.7', 'name': 'Ruby 2.7', 'endOfLifeDate': '2023-12-07' },
{ 'id':'python3.6', 'name': 'Python 3.6', 'endOfLifeDate': '2022-08-29'},
{ 'id':'python3.7', 'name': 'Python 3.7', 'endOfLifeDate': '2023-11-27'},
{ 'id':'go1.x', 'name': 'Go 1', 'endOfLifeDate': '2023-12-31'},
{ 'id':'java8', 'name': 'Java 8', 'endOfLifeDate': '2023-12-31'},
];

async.each(regions.lambda, function(region, rcb){
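Review bot: The new entries store AWS Lambda runtime-retirement dates in a field named `endOfLifeDate`, and for some of them the two differ — Java 8 and Go 1 are not end-of-life upstream on 2023-12-31; those are the dates Lambda retires the `java8` and `go1.x` runtimes. A comment at the head of the list, e.g. `// Dates are Lambda runtime deprecation dates, not upstream language EOL; source: https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html`, would stop the next maintainer from "correcting" them. AWS also moves these dates after announcing them, so a pointer to the source matters more here than usual. Keeping the array grouped by runtime family would also make the `python3.6`/`python3.7` entries easier to find than they are tucked after `ruby2.7`.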
5 changes: 2 additions & 3 deletions plugins/azure/fileservice/fileServiceAllAccessAcl.js
Expand Up @@ -9,8 +9,8 @@ module.exports = {
description: 'Ensures file shares do not allow full write, delete, or read ACL permissions',
more_info: 'File shares can be configured to allow to read, write, or delete permissions from a share. This option should not be configured unless there is a strong business requirement.',
recommended_action: 'Disable global read, write, and delete policies on all file shares and ensure the share ACL is configured with least privileges.',
link: 'https://learn.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share#create-a-file-share-through-the-azure-portal',
apis: ['storageAccounts:list', 'storageAccounts:listKeys', 'fileService:listSharesSegmentedNew', 'fileService:getShareAcl'],
link: 'https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share#create-a-file-share-through-the-azure-portal',
apis: ['storageAccounts:list', 'storageAccounts:listKeys', 'fileService:listSharesSegmented', 'fileService:getShareAcl'],
compliance: {
hipaa: 'HIPAA access controls require data to be secured with least-privileged ' +
'ACLs. File Service ACLs enable granular permissions for data access.',
Expand Down Expand Up @@ -60,7 +60,6 @@ module.exports = {
'No existing File Service shares found', location, storageAccount.id);
} else {
listSharesSegmented.data.forEach(function(fileShare) {
fileShare.id = `${storageAccount.id}/fileService/${fileShare.name}`;
// Add share ACL
var getShareAcl = helpers.addSource(cache, source,
['fileService', 'getShareAcl', location, fileShare.id]);
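Review bot: The `link` now points at `docs.microsoft.com`, the retired host that redirects to `learn.microsoft.com`; the line being replaced already had the current host, so this looks like an accidental revert: `link: 'https://learn.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share#create-a-file-share-through-the-azure-portal',`. With the `fileShare.id = ...` assignment removed, the plugin now depends on every share entry from the collector carrying an `id`; an entry without one makes the `getShareAcl` lookup key `undefined`, and whether that yields a visible "unable to query" result or silently no result depends on code past the hunk, so a guard such as `if (!fileShare.id) return;` paired with an explicit result is worth considering. The `forEach` body continues past the end of the hunk.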
3 changes: 2 additions & 1 deletion plugins/azure/fileservice/fileServiceAllAccessAcl.spec.js
Expand Up @@ -40,7 +40,8 @@ const listKeys = [

const listSharesSegmented = [
{
"name": "file1 "
"name": "file1",
"id": "/subscriptions/1234/resourceGroups/cloud-shell-storage-eastus/providers/Microsoft.Storage/storageAccounts/csb100320011e293683/fileService/file1"
}
];
