This repository has been archived by the owner on Aug 15, 2024. It is now read-only.

Ready for production (#30)
* Updated README with update instructions

* Ready for production

* Ready for production release

* Added Travis CI

* Added before script

* Removed --user

* Added KMS test

* Added better commentary to tests

* Added S3 tests

* Added S3 Bucket logging check but Moto doesn't support, commented out for now

* Added coverage page

* Added coverage to ToC

* Added Serverless deploy to Travis CI for testing

* Added serverless -g

* Removed Serverless region override

* Commented out profile

* Fixed stage and profile to work with CLI arguments

* Added package-lock.json and fixed function invocation with stage

* Removed function invocation

* Cleanup to README

* Missing second dash for --name

* Added EC2 testing (not working) and fixed testing import

* Fixed RDP and SSH tests

* Updated COVERAGE

* Updated COVERAGE

* Updated COVERAGE

* Added test for IAM Policy No Statements with Admin Access

* Added test for VPC Default Security Group Closed

* Added test for Access Key Rotated

* Updated COVERAGE and suppressed pytest warnings

* Added test for IAM User Name not found

* Formatted README with Prettier

* Updated README and travis

* Fixed character encoding

* Refactored some tests to make them more clear

* Added missing permission

* Moved static tests to their own class
mlevit authored May 20, 2019
1 parent 6f7b5d7 commit f7e351c
Showing 13 changed files with 4,101 additions and 185 deletions.
1 change: 0 additions & 1 deletion .gitignore
Expand Up @@ -117,7 +117,6 @@ npm-debug.log

# node
node_modules
package-lock.json

# runtime data
pids
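Review bot: Dropping `package-lock.json` from `.gitignore` is the right call for reproducibility, since the committed lockfile pins the exact Serverless plugin versions that get deployed, but the `.travis.yml` added in this same commit installs `serverless-iam-roles-per-function` with plain `npm install` rather than `npm ci`, so CI is not actually held to the lockfile; consider `npm ci` for the project dependencies so the lock that is now committed is what gets tested.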
16 changes: 16 additions & 0 deletions .travis.yml
@@ -0,0 +1,16 @@
dist: xenial
language: python
python:
- "3.7"
install:
- pip install awscli --upgrade
- pip install moto
- npm install serverless --global
- npm install serverless-iam-roles-per-function
- serverless plugin install --name serverless-python-requirements
before_script:
- export BOTO_CONFIG=/dev/null
script:
- pytest --disable-warnings
- serverless deploy --stage ci --region ap-southeast-2
- serverless remove --stage ci --region ap-southeast-2
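Review bot: `serverless remove --stage ci` is the last entry of `script`, directly after `serverless deploy`, so a deploy that fails part-way can leave the `ci` stack behind in the account; moving the remove step to `after_script` makes the teardown run regardless of the deploy result. Two smaller points: `pip install awscli --upgrade`, `pip install moto` and `npm install serverless --global` are all unpinned, so an upstream release can change or break the build with no change in this repository, and `serverless deploy` needs real AWS credentials in the Travis environment, which should be supplied as encrypted variables for an identity limited to the `ci` stage rather than the credentials used for production. The `export BOTO_CONFIG=/dev/null` line in `before_script` would also benefit from a comment saying why it is needed.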
26 changes: 14 additions & 12 deletions .vscode/extensions.json
@@ -1,13 +1,15 @@
{
"recommendations": [
"dracula-theme.theme-dracula",
"eamodio.gitlens",
"kevinrose.vsc-python-indent",
"ms-python.python",
"ms-vsliveshare.vsliveshare",
"njpwerner.autodocstring",
"pkief.material-icon-theme",
"visualstudioexptteam.vscodeintellicode"
],
"unwantedRecommendations": []
}
"recommendations": [
"dracula-theme.theme-dracula",
"drewbourne.vscode-remark-lint",
"eamodio.gitlens",
"esbenp.prettier-vscode",
"kevinrose.vsc-python-indent",
"ms-python.python",
"ms-vsliveshare.vsliveshare",
"njpwerner.autodocstring",
"pkief.material-icon-theme",
"visualstudioexptteam.vscodeintellicode"
],
"unwantedRecommendations": []
}
131 changes: 131 additions & 0 deletions COVERAGE.md
@@ -0,0 +1,131 @@
# Coverage

Below tables represent the coverage of Auto Remediate. Automated testing of Auto Remediate is done using the [Moto](https://github.com/spulec/moto) Python library.

## Security Hub Rules

Development coverage: **24 of 24**

Test coverage: **10 of 24**

| Rule | Development Status | Testing Status |
| ------------------------------------------------------ | ------------------ | --------------- |
| securityhub-access-keys-rotated | Done | Done |
| securityhub-cloud-trail-cloud-watch-logs-enabled | Done ​ | No Moto support |
| securityhub-cloud-trail-encryption-enabled | Done | No Moto support |
| securityhub-cloud-trail-log-file-validation | Done | No Moto support |
| securityhub-cmk-backing-key-rotation-enabled | Done | Done |
| securityhub-iam-password-policy-ensure-expires | Done | No Moto support |
| securityhub-iam-password-policy-lowercase-letter-check | Done | No Moto support |
| securityhub-iam-password-policy-minimum-length-check | Done | No Moto support |
| securityhub-iam-password-policy-number-check | Done | No Moto support |
| securityhub-iam-password-policy-prevent-reuse-check | Done | No Moto support |
| securityhub-iam-password-policy-symbol-check | Done | No Moto support |
| securityhub-iam-password-policy-uppercase-letter-check | Done | No Moto support |
| securityhub-iam-policy-no-statements-with-admin-access | Done | Done |
| securityhub-iam-root-access-key-check | Not possible | N/A |
| securityhub-iam-user-no-policies-check | Done | Done |
| securityhub-iam-user-unused-credentials-check | Done | |
| securityhub-mfa-enabled-for-iam-console-access | Done | Done |
| securityhub-multi-region-cloud-trail-enabled | Done | No Moto support |
| securityhub-restricted-rdp | Done | Done |
| securityhub-restricted-ssh | Done | Done |
| securityhub-root-account-hardware-mfa-enabled | Not possible | N/A |
| securityhub-root-account-mfa-enabled | Not possible | N/A |
| securityhub-s3-bucket-logging-enabled | Done | No Moto support |
| securityhub-s3-bucket-public-read-prohibited | Done | Done |
| securityhub-s3-bucket-public-write-prohibited | Done | Done |
| securityhub-vpc-default-security-group-closed | Done | Done |
| securityhub-vpc-flow-logs-enabled | Done | No Moto support |

## AWS Config Managed Rules

Development coverage: **1 of 40**

Test coverage: **0 of 40**

| Rule | Development Status | Testing Status |
| ------------------------------------------------------- | ------------------ | -------------- |
| access-keys-rotated | Security Hub | |
| cloudtrail-enabled | | |
| db-instance-backup-enabled | | |
| dynamodb-table-encryption-enabled | | |
| ec2-instances-in-vpc | | |
| cloud-trail-cloud-watch-logs-enabled | Security Hub | |
| cloud-trail-encryption-enabled | Security Hub | |
| cloud-trail-log-file-validation-enabled | | |
| encrypted-volumes | | |
| guardduty-enabled-centralized | | |
| lambda-function-public-access-prohibited | | |
| rds-multi-az-support | | |
| rds-snapshots-public-prohibited | | |
| rds-storage-encrypted | | |
| cmk-backing-key-rotation-enabled | Security Hub | |
| s3-bucket-server-side-encryption-enabled | | |
| s3-bucket-ssl-requests-only | | |
| dynamodb-autoscaling-enabled | | |
| ec2-instance-detailed-monitoring-enabled | | |
| ec2-volume-inuse-check | | |
| eip-attached | | |
| elb-logging-enabled | | |
| acm-certificate-expiration-check | | |
| approved-amis-by-id | | |
| approved-amis-by-tag | | |
| autoscaling-group-elb-healthcheck-required | | |
| cloudformation-stack-drift-detection-check | | |
| cloudformation-stack-notification-check | | |
| cloudwatch-alarm-action-check | | |
| cloudwatch-alarm-resource-check | | |
| rds-instance-public-access-check | Done | |
| cloudwatch-alarm-settings-check | | |
| codebuild-project-envvar-awscred-check | | |
| codebuild-project-source-repo-url-check | | |
| codepipeline-deployment-count-check | | |
| codepipeline-region-fanout-check | | |
| desired-instance-tenancy | | |
| desired-instance-type | | |
| dynamodb-throughput-limit-check | | |
| ebs-optimized-instance | | |
| ec2-instance-managed-by-systems-manager | | |
| ec2-managedinstance-applications-blacklisted | | |
| ec2-managedinstance-applications-required | | |
| ec2-managedinstance-association-compliance-status-check | | |
| ec2-managedinstance-inventory-blacklisted | | |
| ec2-managedinstance-patch-compliance-status-check | | |
| ec2-managedinstance-platform-check | | |
| elb-acm-certificate-required | | |
| iam-password-policy | Security Hub | |
| elb-custom-security-policy-ssl-check | | |
| iam-policy-no-statements-with-admin-access | Security Hub | |
| elb-predefined-security-policy-ssl-check | | |
| iam-root-access-key-check | Security Hub | |
| fms-shield-resource-policy-check | | |
| iam-user-mfa-enabled | Security Hub | |
| iam-user-no-policies-check | Security Hub | |
| iam-user-unused-credentials-check | Security Hub | |
| fms-webacl-resource-policy-check | | |
| fms-webacl-rulegroup-association-check | | |
| mfa-enabled-for-iam-console-access | Security Hub | |
| multi-region-cloud-trail-enabled | Security Hub | |
| iam-group-has-users-check | | |
| iam-policy-blacklisted-check | | |
| iam-role-managed-policy-check | | |
| iam-user-group-membership-check | | |
| lambda-function-settings-check | | |
| redshift-cluster-configuration-check | | |
| redshift-cluster-maintenancesettings-check | | |
| restricted-ssh | Security Hub | |
| root-account-hardware-mfa-enabled | Security Hub | |
| root-account-mfa-enabled | Security Hub | |
| required-tags | | |
| s3-bucket-logging-enabled | Security Hub | |
| restricted-common-ports | | |
| s3-blacklisted-actions-prohibited | | |
| s3-bucket-public-read-prohibited | Security Hub | |
| s3-bucket-public-write-prohibited | Security Hub | |
| s3-bucket-policy-grantee-check | | |
| s3-bucket-policy-not-more-permissive | | |
| s3-bucket-replication-enabled | | |
| s3-bucket-versioning-enabled | | |
| vpc-default-security-group-closed | Security Hub | |
| vpc-flow-logs-enabled | Security Hub | |
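Review bot: The AWS Config table header states "1 of 40" and "0 of 40" but the table below it lists 83 rules, so either the denominators or the list is out of date; the Security Hub table likewise lists 27 rows against "24 of 24", which only adds up if the three "Not possible" rules are excluded from the denominator, and that convention should be stated above the table. The Config rows are not in a consistent order (for example `cloud-trail-cloud-watch-logs-enabled` appears after `ec2-instances-in-vpc`), which makes missing rules hard to spot; sorting them alphabetically would help. The "Security Hub" status value is never explained, so a sentence noting that those rules are remediated through their Security Hub counterparts would make the table self-contained. Finally, `securityhub-iam-user-unused-credentials-check` has an empty Testing Status while every other Security Hub row has a value, and the `securityhub-cloud-trail-cloud-watch-logs-enabled` row carries a stray zero-width character after "Done" that the "Fixed character encoding" step appears to have missed.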
0 comments on commit f7e351c