turbot / steampipe-mod-aws-compliance

Run individual controls or full compliance benchmarks for CIS, PCI, NIST, HIPAA and more across all of your AWS accounts using Powerpipe and Steampipe.
https://hub.steampipe.io/mods/turbot/aws_compliance
Apache License 2.0

Invalid CIS 1.4 Report for network ACL #264

Closed jonkerw85 closed 2 years ago

jonkerw85 commented 3 years ago

Describe the bug
1) Run steampipe check aws_compliance.benchmark.cis_v140
2) Results in: acl-0efe4b9c1c44a2b59 contains 1 rule(s) allowing ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.
3) See attachment for a screenshot of the ACL. This ACL blocks ports 22 and 3889 for the ipv4 and ipv6 network. [image]

Steampipe version (steampipe -v) Example: v0.7.3

Plugin version (steampipe plugin list) hub.steampipe.io/plugins/turbot/aws@latest 0.31.0 | hub.steampipe.io/plugins/turbot/steampipe@latest 0.1.3

To reproduce
1) Create the ACL as shown in the screenshot
2) Run steampipe check aws_compliance.benchmark.cis_v140

Expected behavior This ACL should pass the rule 'Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports'

Additional context

rajlearner17 commented 3 years ago

@wjonkerhulst thanks for using steampipe, appreciate raising this. Taking a look to take action. Happy to see in case you want to propose an update as well.

jonkerw85 commented 3 years ago

@rajlearner17 After looking at the source (https://github.com/turbot/steampipe-mod-aws-compliance/blob/main/query/vpc/vpc_network_acl_remote_administration.sql) I can conclude two things. 1) Both UDP and TCP are checked in the query. I had only TCP in the ruleset. I have now added UDP. 2) For SQL it is not possible to determine the ACL rule order. I think because of this it does not allow the '0.0.0.0/0 allow' rule.

Updated ACL to include UDP. [image]

rajlearner17 commented 3 years ago

@wjonkerhulst thanks for the input. Rightly mentioned on #1: both TCP and UDP are checked right now; here I guess we can stick to TCP as tightly for CIS, as it only indicates ports 22 & 3389. If you can raise a PR we will be able to make it into the mod. Else we will make the change in the next release.

On #2, as you mentioned rightly, finding the rule number order (ports 22 & 3389 denied at an earlier precedence, then "allow All traffic - All protocol - All Port" with source 0.0.0.0/0) will be a bit complex. We can make an attempt using views, but some edge cases may fall out of that. Let us know in case you made any attempt to proceed, else I will share my query here for your reference once ready.
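The rule-order problem raised in the previous comment and in this one (an earlier deny for ports 22/3389 followed by an allow-all from 0.0.0.0/0) comes down to how AWS evaluates a network ACL: entries are tried in ascending rule number, the first match wins, and the implicit "*" rule denies everything else. The following is an added example, not code from this issue, from the mod, or from Steampipe. It models that first-match evaluation in Python over constructed sample ACLs whose field names mirror the AWS API (RuleNumber, Protocol, RuleAction, Egress, CidrBlock, Ipv6CidrBlock, PortRange), and sets it beside an order-blind check (an approximation of what a query that only looks for matching allow rules would report, not the mod's actual SQL). The "anywhere" probe addresses and the choice of TCP 22, TCP 3389 and UDP 3389 are assumptions of the example.

```python
import ipaddress

# Admin-port combinations to evaluate (assumption: RDP over TCP and UDP, SSH over TCP only).
ADMIN_CHECKS = [("tcp", 22), ("tcp", 3389), ("udp", 3389)]
PROTO_NUMBER = {"tcp": "6", "udp": "17"}   # protocol numbers as stored in NACL entries
ALL_PROTOCOLS = "-1"

# Representative "from anywhere" source addresses (documentation ranges), one per family.
PROBE_SOURCES = {"0.0.0.0/0": ipaddress.ip_address("203.0.113.10"),
                 "::/0": ipaddress.ip_address("2001:db8::10")}

# Constructed sample ACLs (not real resources), shaped like the entries an NACL carries.
SAMPLE_ACLS = {
    # Deny the admin ports first, then allow everything: effectively closed.
    "acl-deny-first": [
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 110, "Protocol": "6", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 3389, "To": 3389}},
        {"RuleNumber": 120, "Protocol": "17", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 3389, "To": 3389}},
        {"RuleNumber": 200, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},
    ],
    # Allow everything first; the later deny is never reached: effectively open.
    "acl-allow-first": [
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 105, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
         "Ipv6CidrBlock": "::/0"},
        {"RuleNumber": 110, "Protocol": "6", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    ],
}


def entry_matches(entry, proto_number, port, src):
    """Does one inbound entry apply to this protocol/port/source combination?"""
    if entry.get("Egress", False):
        return False
    if entry["Protocol"] not in (ALL_PROTOCOLS, proto_number):
        return False
    cidr = entry.get("CidrBlock" if src.version == 4 else "Ipv6CidrBlock")
    if not cidr or src not in ipaddress.ip_network(cidr, strict=False):
        return False
    port_range = entry.get("PortRange")          # absent when the entry covers all ports
    if port_range and not (port_range["From"] <= port <= port_range["To"]):
        return False
    return True


def first_match_action(entries, proto_number, port, src):
    """Evaluate like AWS does: lowest rule number first, first match wins,
    implicit deny when nothing matches. Returns (action, rule_number)."""
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if entry_matches(entry, proto_number, port, src):
            return entry["RuleAction"], entry["RuleNumber"]
    return "deny", None


def effective_admin_exposure(entries):
    """(protocol, port, source-range) combinations the ACL really lets in from anywhere."""
    exposed = []
    for proto_name, port in ADMIN_CHECKS:
        for anywhere, src in PROBE_SOURCES.items():
            action, _ = first_match_action(entries, PROTO_NUMBER[proto_name], port, src)
            if action == "allow":
                exposed.append((proto_name, port, anywhere))
    return exposed


def naive_query_verdict(entries):
    """Order-blind approximation: flag the ACL if any inbound allow entry from
    0.0.0.0/0 or ::/0 covers an admin port, ignoring earlier deny entries."""
    for entry in entries:
        if entry.get("Egress", False) or entry["RuleAction"] != "allow":
            continue
        if entry.get("CidrBlock") != "0.0.0.0/0" and entry.get("Ipv6CidrBlock") != "::/0":
            continue
        if entry["Protocol"] not in (ALL_PROTOCOLS, "6", "17"):
            continue
        pr = entry.get("PortRange")
        if pr is None or any(pr["From"] <= p <= pr["To"] for _, p in ADMIN_CHECKS):
            return True
    return False


if __name__ == "__main__":
    for name, entries in SAMPLE_ACLS.items():
        print(name, "order-blind:", naive_query_verdict(entries),
              "effective exposure:", effective_admin_exposure(entries))
```

The deny-first ACL is flagged by the order-blind check but has no effective exposure, which is the false positive described in this issue; the allow-first ACL is flagged by both. An order-aware SQL version would need the same "lowest matching rule number per ACL, protocol, port and address family" step, and the probe-address simplification here (one public address per family instead of full CIDR coverage) is one of the edge cases such a query would have to handle.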

jonkerw85 commented 3 years ago

@rajlearner17

1) RDP can run over both UDP and TCP (https://en.wikipedia.org/wiki/Remote_Desktop_Protocol), so I think it is correct to block both UDP and TCP for port 3389. SSH seems to run only on TCP. I have a merge request to resolve this issue.

2) Please send me a reference query if possible.

rajlearner17 commented 2 years ago

@wjonkerhulst sorry for catching up late on this. Could not experiment with this to help on the 2nd one. Let me know if you found your own way or are expecting an alternative on it. This will help to invest some dedicated time on it.

rajlearner17 commented 2 years ago

Will recheck based on need. Thanks!!