Checkmarx / kics

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
https://kics.io
Apache License 2.0

Queries Anomalies #5220

Closed Lubetkin closed 2 years ago

Lubetkin commented 2 years ago

Looks like the following queries are trying to find the same issues on different platforms but do not share the same metadata. Can you please approve/deny the assumption?

Different Severity & Category

Automatic Minor Upgrades Disabled

[
      {
        "id": "3b6d777b-76e3-4133-80a3-0d6f667ade7f",
        "queryName": "Automatic Minor Upgrades Disabled",
        "severity": "HIGH",
        "category": "Encryption",
        "descriptionText": "RDS Instance Auto Minor Version Upgrade feature in Aws Db Instance must be true",
        "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#auto_minor_version_upgrade",
        "platform": "Terraform",
        "descriptionID": "240cddcc",
        "cloudProvider": "aws"
      },
      {
        "id": "f0104061-8bfc-4b45-8a7d-630eb502f281",
        "queryName": "Automatic Minor Upgrades Disabled",
        "severity": "MEDIUM",
        "category": "Best Practices",
        "descriptionText": "AWS RDS should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true.",
        "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html",
        "platform": "CloudFormation",
        "descriptionID": "e2908402",
        "cloudProvider": "aws"
      }
]

SNS Topic is Publicly Accessible For Subscription

[
      {
        "id": "b26d2b7e-60f6-413d-a3a1-a57db24aa2b3",
        "queryName": "SNS Topic is Publicly Accessible For Subscription",
        "severity": "MEDIUM",
        "category": "Access Control",
        "descriptionText": "This query checks if SNS Topic is Accessible For Subscription",
        "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic",
        "platform": "Terraform",
        "descriptionID": "52e85de5",
        "cloudProvider": "aws"
      },
      {
        "id": "ae53ce91-42b5-46bf-a84f-9a13366a4f13",
        "queryName": "SNS Topic is Publicly Accessible For Subscription",
        "severity": "LOW",
        "category": "Observability",
        "descriptionText": "Ensure appropriate subscribers to each SNS topic",
        "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-topic.html#cfn-sns-topic-subscription",
        "platform": "CloudFormation",
        "descriptionID": "93100b84",
        "cloudProvider": "aws"
      }
]

EC2 Instance Has Public IP

[
      {
        "id": "5a2486aa-facf-477d-a5c1-b010789459ce",
        "queryName": "EC2 Instance Has Public IP",
        "severity": "HIGH",
        "category": "Networking and Firewall",
        "descriptionText": "EC2 Instance should not have a public IP address.",
        "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#associate_public_ip_address",
        "platform": "Terraform",
        "descriptionID": "c6f1d1f4",
        "cloudProvider": "aws"
      },
      {
        "id": "b3de4e4c-14be-4159-b99d-9ad194365e4c",
        "queryName": "EC2 Instance Has Public IP",
        "severity": "MEDIUM",
        "category": "Insecure Configurations",
        "descriptionText": "EC2 Subnet should not have MapPublicIpOnLaunch set to true",
        "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html#cfn-ec2-subnet-mappubliciponlaunch",
        "platform": "CloudFormation",
        "descriptionID": "22e3d598",
        "cloudProvider": "aws"
      }
]

SQS With SSE Disabled

[
      {
        "id": "6e8849c1-3aa7-40e3-9063-b85ee300f29f",
        "queryName": "SQS With SSE Disabled",
        "severity": "HIGH",
        "category": "Insecure Configurations",
        "descriptionText": "Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)",
        "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue",
        "platform": "Terraform",
        "descriptionID": "e478b54b",
        "cloudProvider": "aws"
      },
      {
        "id": "12726829-93ed-4d51-9cbe-13423f4299e1",
        "queryName": "SQS with SSE disabled",
        "severity": "MEDIUM",
        "category": "Secret Management",
        "descriptionText": "AWS SQS Queue should have a KMS Master Key defined",
        "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html#aws-sqs-queue-kmsmasterkeyid",
        "platform": "CloudFormation",
        "descriptionID": "7c3c1b44",
        "cloudProvider": "aws"
      }
]

Shared Host IPC Namespace

[
      {
        "id": "e94d3121-c2d1-4e34-a295-139bfeb73ea3",
        "queryName": "Shared Host IPC Namespace",
        "severity": "HIGH",
        "category": "Insecure Configurations",
        "descriptionText": "Container should not share the host IPC namespace",
        "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_ipc",
        "platform": "Terraform",
        "descriptionID": "e76243f6"
      },
      {
        "id": "cd290efd-6c82-4e9d-a698-be12ae31d536",
        "queryName": "Shared Host IPC Namespace",
        "severity": "HIGH",
        "category": "Insecure Configurations",
        "descriptionText": "Container should not share the host IPC namespace",
        "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
        "platform": "Kubernetes",
        "descriptionID": "1ef1fe71"
      },
      {
        "id": "baa3890f-bed7-46f5-ab8f-1da8fc91c729",
        "queryName": "Shared Host IPC Namespace",
        "severity": "MEDIUM",
        "category": "Resource Management",
        "descriptionText": "The host IPC namespace should not be shared.",
        "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir",
        "platform": "DockerCompose",
        "descriptionID": "987dc2d7"
      }
]

Shared Host Network Namespace

[
      {
        "id": "ac1564a3-c324-4747-9fa1-9dfc234dace0",
        "queryName": "Shared Host Network Namespace",
        "severity": "HIGH",
        "category": "Insecure Configurations",
        "descriptionText": "Container should not share the host network namespace",
        "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_network",
        "platform": "Terraform",
        "descriptionID": "bf155ca7"
      },
      {
        "id": "6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a",
        "queryName": "Shared Host Network Namespace",
        "severity": "HIGH",
        "category": "Insecure Configurations",
        "descriptionText": "Container should not share the host network namespace",
        "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
        "platform": "Kubernetes",
        "descriptionID": "50e5de80"
      },
      {
        "id": "071a71ff-f868-47a4-ac0b-3c59e4ab5443",
        "queryName": "Shared Host Network Namespace",
        "severity": "MEDIUM",
        "category": "Networking and Firewall",
        "descriptionText": "Container should not share the host network namespace",
        "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#network_mode",
        "platform": "DockerCompose",
        "descriptionID": "25acba10"
      }
]

Not Limited Capabilities For Pod Security Policy

[
      {
        "id": "2acb555f-f4ad-4b1b-b984-84e6588f4b05",
        "queryName": "Not Limited Capabilities For Pod Security Policy",
        "severity": "HIGH",
        "category": "Insecure Configurations",
        "descriptionText": "Limit capabilities for a Pod Security Policy",
        "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#required_drop_capabilities",
        "platform": "Terraform",
        "descriptionID": "c42b1890"
      },
      {
        "id": "caa93370-791f-4fc6-814b-ba6ce0cb4032",
        "queryName": "Not Limited Capabilities For Pod Security Policy",
        "severity": "MEDIUM",
        "category": "Build Process",
        "descriptionText": "Limit capabilities for a Pod Security Policy",
        "descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
        "platform": "Kubernetes",
        "descriptionID": "eaf6d4ba"
      }
]

Different Severity

IAM Policy Grants Full Permissions

[
      {
        "id": "575a2155-6af1-4026-b1af-d5bc8fe2a904",
        "queryName": "IAM Policy Grants Full Permissions",
        "severity": "MEDIUM",
        "category": "Access Control",
        "descriptionText": "IAM policies allow all ('*') in a statement action",
        "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy",
        "platform": "Terraform",
        "descriptionID": "f20cf2cf",
        "cloudProvider": "aws"
      },
      {
        "id": "f62aa827-4ade-4dc4-89e4-1433d384a368",
        "queryName": "IAM Policy Grants Full Permissions",
        "severity": "LOW",
        "category": "Access Control",
        "descriptionText": "Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary.",
        "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html",
        "platform": "CloudFormation",
        "descriptionID": "d4158e76",
        "cloudProvider": "aws"
      }
]

VPC FlowLogs Disabled

[
      {
        "id": "f83121ea-03da-434f-9277-9cd247ab3047",
        "queryName": "VPC FlowLogs Disabled",
        "severity": "MEDIUM",
        "category": "Observability",
        "descriptionText": "VPC hasn't got any FlowLog associated",
        "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc",
        "platform": "Terraform",
        "descriptionID": "cdbdeb30",
        "cloudProvider": "aws"
      },
      {
        "id": "f6d299d2-21eb-41cc-b1e1-fe12d857500b",
        "queryName": "VPC FlowLogs Disabled",
        "severity": "LOW",
        "category": "Observability",
        "descriptionText": "VPC hasn't got any FlowLog associated",
        "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-flowlog.html",
        "platform": "CloudFormation",
        "descriptionID": "0fb02ca5",
        "cloudProvider": "aws"
      }
]

Unrestricted Security Group Ingress

[
      {
        "id": "4728cd65-a20c-49da-8b31-9c08b423e4db",
        "queryName": "Unrestricted Security Group Ingress",
        "severity": "HIGH",
        "category": "Networking and Firewall",
        "descriptionText": "Security groups allow ingress from 0.0.0.0:0",
        "descriptionUrl": "https://www.terraform.io/docs/providers/aws/r/security_group.html",
        "platform": "Terraform",
        "descriptionID": "ce3ee5e0",
        "cloudProvider": "aws"
      },
      {
        "id": "4a1e6b34-1008-4e61-a5f2-1f7c276f8d14",
        "queryName": "Unrestricted Security Group Ingress",
        "severity": "MEDIUM",
        "category": "Networking and Firewall",
        "descriptionText": "AWS Security Group Ingress CIDR should not be open to the world",
        "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html",
        "platform": "CloudFormation",
        "descriptionID": "08256d31",
        "cloudProvider": "aws"
      }
]

Liveness Probe Is Not Defined

[
      {
        "id": "5b6d53dd-3ba3-4269-b4d7-f82e880e43c3",
        "queryName": "Liveness Probe Is Not Defined",
        "severity": "MEDIUM",
        "category": "Availability",
        "descriptionText": "Liveness Probe must be defined",
        "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#liveness_probe",
        "platform": "Terraform",
        "descriptionID": "e5105a57"
      },
      {
        "id": "ade74944-a674-4e00-859e-c6eab5bde441",
        "queryName": "Liveness Probe Is Not Defined",
        "severity": "INFO",
        "category": "Availability",
        "descriptionText": "In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it",
        "descriptionUrl": "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#when-should-you-use-a-liveness-probe",
        "platform": "Kubernetes",
        "descriptionID": "f724fa60"
      }
]

Permissive Access to Create Pods

[
      {
        "id": "522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba",
        "queryName": "Permissive Access to Create Pods",
        "severity": "LOW",
        "category": "Access Control",
        "descriptionText": "The permission to create pods in a cluster should be restricted because it allows privilege escalation.",
        "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role#rule",
        "platform": "Terraform",
        "descriptionID": "cca5f42d"
      },
      {
        "id": "592ad21d-ad9b-46c6-8d2d-fad09d62a942",
        "queryName": "Permissive Access to Create Pods",
        "severity": "MEDIUM",
        "category": "Access Control",
        "descriptionText": "The permission to create pods in a cluster should be restricted because it allows privilege escalation.",
        "descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping",
        "platform": "Kubernetes",
        "descriptionID": "c78cb1a7"
      }
]

Different Category

Trusted Microsoft Services Not Enabled

[
      {
        "id": "5400f379-a347-4bdd-a032-446465fdcc6f",
        "queryName": "Trusted Microsoft Services Not Enabled",
        "severity": "HIGH",
        "category": "Insecure Configurations",
        "descriptionText": "Trusted MIcrosoft Services are not enabled for Storage Account access",
        "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass",
        "platform": "Terraform",
        "descriptionID": "2d2af667",
        "cloudProvider": "azure"
      },
      {
        "id": "e25b56cd-a4d6-498f-ab92-e6296a082097",
        "queryName": "Trusted Microsoft Services Not Enabled",
        "severity": "HIGH",
        "category": "Networking and Firewall",
        "descriptionText": "Trusted Microsoft Services should be enabled for Storage Account access",
        "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=json#networkruleset",
        "platform": "AzureResourceManager",
        "cloudProvider": "azure",
        "descriptionID": "88ca11b3"
      }
]

Project-wide SSH Keys Are Enabled In VM Instances

[
      {
        "id": "3e4d5ce6-3280-4027-8010-c26eeea1ec01",
        "queryName": "Project-wide SSH Keys Are Enabled In VM Instances",
        "severity": "MEDIUM",
        "category": "Insecure Configurations",
        "descriptionText": "VM Instance should block project-wide SSH keys",
        "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance",
        "platform": "Terraform",
        "descriptionID": "4b9307cd",
        "cloudProvider": "gcp"
      },
      {
        "id": "6e2b1ec1-1eca-4eb7-9d4d-2882680b4811",
        "queryName": "Project-wide SSH Keys Are Enabled In VM Instances",
        "severity": "MEDIUM",
        "category": "Secret Management",
        "descriptionText": "VM Instance should block project-wide SSH keys",
        "descriptionUrl": "https://cloud.google.com/compute/docs/reference/rest/v1/instances",
        "platform": "GoogleDeploymentManager",
        "descriptionID": "5e36c46d",
        "cloudProvider": "gcp"
      }
]

BigQuery Dataset Is Public

[
      {
        "id": "e576ce44-dd03-4022-a8c0-3906acca2ab4",
        "queryName": "BigQuery Dataset Is Public",
        "severity": "HIGH",
        "category": "Access Control",
        "descriptionText": "BigQuery dataset is anonymously or publicly accessible",
        "descriptionUrl": "https://www.terraform.io/docs/providers/google/r/bigquery_dataset.html",
        "platform": "Terraform",
        "descriptionID": "cb5081a0",
        "cloudProvider": "gcp"
      },
      {
        "id": "83103dff-d57f-42a8-bd81-40abab64c1a7",
        "queryName": "BigQuery Dataset Is Public",
        "severity": "HIGH",
        "category": "Insecure Configurations",
        "descriptionText": "BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers'",
        "descriptionUrl": "https://cloud.google.com/bigquery/docs/reference/rest/v2/datasets",
        "platform": "GoogleDeploymentManager",
        "descriptionID": "6737ca8f",
        "cloudProvider": "gcp"
      }
]

Cloud Storage Anonymous or Publicly Accessible

[
      {
        "id": "a6cd52a1-3056-4910-96a5-894de9f3f3b3",
        "queryName": "Cloud Storage Anonymous or Publicly Accessible",
        "severity": "MEDIUM",
        "category": "Access Control",
        "descriptionText": "Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'",
        "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam#google_storage_bucket_iam_binding",
        "platform": "Terraform",
        "descriptionID": "fd990360",
        "cloudProvider": "gcp"
      },
      {
        "id": "63ae3638-a38c-4ff4-b616-6e1f72a31a6a",
        "queryName": "Cloud Storage Anonymous or Publicly Accessible",
        "severity": "MEDIUM",
        "category": "Insecure Configurations",
        "descriptionText": "Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers'",
        "descriptionUrl": "https://cloud.google.com/storage/docs/json_api/v1/buckets",
        "platform": "GoogleDeploymentManager",
        "descriptionID": "2146c969",
        "cloudProvider": "gcp"
      }
]

Public Lambda via API Gateway

[
      {
        "id": "3ef8696c-e4ae-4872-92c7-520bb44dfe77",
        "queryName": "Public Lambda via API Gateway",
        "severity": "MEDIUM",
        "category": "Insecure Configurations",
        "descriptionText": "Allowing to run lambda function using public API Gateway",
        "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission",
        "platform": "Terraform",
        "descriptionID": "1f20399a",
        "cloudProvider": "aws"
      },
      {
        "id": "57b12981-3816-4c31-b190-a1e614361dd2",
        "queryName": "Public Lambda via API Gateway",
        "severity": "MEDIUM",
        "category": "Access Control",
        "descriptionText": "Allowing to run lambda function using public API Gateway",
        "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html",
        "platform": "CloudFormation",
        "descriptionID": "32ccc415",
        "cloudProvider": "aws"
      }
]

IAM Password Without Uppercase Letter

[
      {
        "id": "c5ff7bc9-d8ea-46dd-81cb-8286f3222249",
        "queryName": "IAM Password Without Uppercase Letter",
        "severity": "MEDIUM",
        "category": "Insecure Configurations",
        "descriptionText": "Check if IAM account password has at least one uppercase letter",
        "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy",
        "platform": "Terraform",
        "descriptionID": "4e96ea27",
        "cloudProvider": "aws"
      },
      {
        "id": "445020f6-b69e-4484-847f-02d4b7768902",
        "queryName": "IAM Password Without Uppercase Letter",
        "severity": "MEDIUM",
        "category": "Best Practices",
        "descriptionText": "IAM user resource Login Profile Password should have at least one uppercase letter",
        "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user",
        "platform": "CloudFormation",
        "descriptionID": "9d55d1e4",
        "cloudProvider": "aws"
      }
]

CloudTrail Log Files Not Encrypted

[
      {
        "id": "5d9e3164-9265-470c-9a10-57ae454ac0c7",
        "queryName": "CloudTrail Log Files Not Encrypted",
        "severity": "HIGH",
        "category": "Observability",
        "descriptionText": "Logs delivered by CloudTrail should be encrypted using KMS",
        "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#kms_key_id",
        "platform": "Terraform",
        "descriptionID": "ee8a4d47",
        "cloudProvider": "aws"
      },
      {
        "id": "050a9ba8-d1cb-4c61-a5e8-8805a70d3b85",
        "queryName": "CloudTrail Log Files Not Encrypted",
        "severity": "HIGH",
        "category": "Encryption",
        "descriptionText": "Logs delivered by CloudTrail should be encrypted using KMS",
        "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-kmskeyid",
        "platform": "CloudFormation",
        "descriptionID": "cdc07a23",
        "cloudProvider": "aws"
      }
]

IAM Password Without Lowercase Letter

[
      {
        "id": "bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9",
        "queryName": "IAM Password Without Lowercase Letter",
        "severity": "MEDIUM",
        "category": "Insecure Configurations",
        "descriptionText": "Check if IAM account password has at least one lowercase letter",
        "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy",
        "platform": "Terraform",
        "descriptionID": "726cd448",
        "cloudProvider": "aws"
      },
      {
        "id": "f4cf35d6-da92-48de-ab70-57be2b2e6497",
        "queryName": "IAM Password Without Lowercase Letter",
        "severity": "MEDIUM",
        "category": "Best Practices",
        "descriptionText": "IAM user resource Login Profile Password should have lowercase letter",
        "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user",
        "platform": "CloudFormation",
        "descriptionID": "b98bf93c",
        "cloudProvider": "aws"
      }
]
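The comparison above is done by hand; the following script, added here as an illustration and not part of KICS or of this issue, automates it over a list of query `metadata.json` records. It groups records by `queryName` (compared case-insensitively, so "SQS With SSE Disabled" and "SQS with SSE disabled" land in one group) and reports every group whose `severity` or `category` differs between platforms. The sample records are a constructed subset of the ones quoted in the issue; the `load_metadata_tree` layout (a directory tree containing `metadata.json` files, as in a KICS checkout's `assets/queries`) is an assumption.

```python
"""Cross-platform metadata consistency check for KICS-style query metadata.

Added example, not KICS's own code. A record has the shape of a KICS query
metadata.json (queryName, severity, category, platform, ...). Queries are
grouped by normalized queryName and any group whose severity or category is
not identical across platforms is reported.
"""
import json
import sys
from collections import defaultdict
from pathlib import Path

# Constructed sample: a subset of the records quoted in the issue, trimmed to
# the fields this check needs. The first two pairs differ in both fields, the
# VPC pair in severity only, the CloudTrail pair in category only, and the
# Shared Host IPC pair (Terraform vs Kubernetes) is consistent.
SAMPLE_METADATA = [
    {"id": "3b6d777b-76e3-4133-80a3-0d6f667ade7f", "queryName": "Automatic Minor Upgrades Disabled",
     "severity": "HIGH", "category": "Encryption", "platform": "Terraform"},
    {"id": "f0104061-8bfc-4b45-8a7d-630eb502f281", "queryName": "Automatic Minor Upgrades Disabled",
     "severity": "MEDIUM", "category": "Best Practices", "platform": "CloudFormation"},
    {"id": "6e8849c1-3aa7-40e3-9063-b85ee300f29f", "queryName": "SQS With SSE Disabled",
     "severity": "HIGH", "category": "Insecure Configurations", "platform": "Terraform"},
    {"id": "12726829-93ed-4d51-9cbe-13423f4299e1", "queryName": "SQS with SSE disabled",
     "severity": "MEDIUM", "category": "Secret Management", "platform": "CloudFormation"},
    {"id": "f83121ea-03da-434f-9277-9cd247ab3047", "queryName": "VPC FlowLogs Disabled",
     "severity": "MEDIUM", "category": "Observability", "platform": "Terraform"},
    {"id": "f6d299d2-21eb-41cc-b1e1-fe12d857500b", "queryName": "VPC FlowLogs Disabled",
     "severity": "LOW", "category": "Observability", "platform": "CloudFormation"},
    {"id": "5d9e3164-9265-470c-9a10-57ae454ac0c7", "queryName": "CloudTrail Log Files Not Encrypted",
     "severity": "HIGH", "category": "Observability", "platform": "Terraform"},
    {"id": "050a9ba8-d1cb-4c61-a5e8-8805a70d3b85", "queryName": "CloudTrail Log Files Not Encrypted",
     "severity": "HIGH", "category": "Encryption", "platform": "CloudFormation"},
    {"id": "e94d3121-c2d1-4e34-a295-139bfeb73ea3", "queryName": "Shared Host IPC Namespace",
     "severity": "HIGH", "category": "Insecure Configurations", "platform": "Terraform"},
    {"id": "cd290efd-6c82-4e9d-a698-be12ae31d536", "queryName": "Shared Host IPC Namespace",
     "severity": "HIGH", "category": "Insecure Configurations", "platform": "Kubernetes"},
]


def normalize_name(name):
    """Group key: lowercased with whitespace collapsed, so casing differences merge."""
    return " ".join(name.lower().split())


def find_anomalies(records):
    """Return {normalized queryName: {"fields": [...], "platforms": [(platform, severity, category), ...]}}
    for every query present on more than one platform whose severity or category disagree."""
    groups = defaultdict(list)
    for rec in records:
        groups[normalize_name(rec["queryName"])].append(rec)

    anomalies = {}
    for name, recs in groups.items():
        if len(recs) < 2:
            continue  # single-platform query: nothing to compare against
        mismatched = []
        if len({r["severity"] for r in recs}) > 1:
            mismatched.append("severity")
        if len({r["category"] for r in recs}) > 1:
            mismatched.append("category")
        if mismatched:
            anomalies[name] = {
                "fields": mismatched,
                "platforms": sorted((r["platform"], r["severity"], r["category"]) for r in recs),
            }
    return anomalies


def load_metadata_tree(root):
    """Load every metadata.json below root (assumed layout: a KICS checkout's
    assets/queries directory). A malformed file is an error, not silently skipped,
    since a trailing comma would otherwise hide a query from the comparison."""
    records = []
    for path in sorted(Path(root).rglob("metadata.json")):
        try:
            records.append(json.loads(path.read_text(encoding="utf-8")))
        except json.JSONDecodeError as exc:
            raise ValueError(f"{path}: {exc}") from exc
    return records


def format_report(anomalies):
    """Human-readable summary, one block per inconsistent query."""
    lines = []
    for name in sorted(anomalies):
        info = anomalies[name]
        lines.append(f"{name}: differs in {', '.join(info['fields'])}")
        for platform, severity, category in info["platforms"]:
            lines.append(f"  {platform:<24} {severity:<8} {category}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python check_metadata.py [path/to/assets/queries]; defaults to the sample.
    records = load_metadata_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_METADATA
    found = find_anomalies(records)
    print(format_report(found) or "no anomalies found")
    sys.exit(1 if found else 0)
```

Run without arguments it reports the four inconsistent pairs from the sample and exits non-zero, which makes it usable as a CI gate on a query directory; the case-insensitive grouping is a heuristic, so a query that is genuinely platform-specific despite sharing a name will show up and needs a human decision, as the reporter asks for above.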
cxMiguelSilva commented 2 years ago

Hi @Lubetkin, thank you for your input. I am glad to inform you that we are currently working on this issue!

cxMiguelSilva commented 2 years ago

Hi @Lubetkin, I'm happy to inform you that we already created a PR #5292 that solves the issue you reported. Thank you so much for your input once again.