
secureclouds-remediation-jobs's People

Contributors

dependabot[bot], gparlakov-vmware, kshrutik, martinianodl, mzkhan, pauldallen, splamen-vmware, vikramsinghvirdi, vmwsrpbot, vmwypap


secureclouds-remediation-jobs's Issues

s3_enable_logging_job keeps adding ACL permissions

When enabling the access logging, the target bucket is updated with log delivery ACL permissions, even though they might already be present.
This leads to duplicate Grants being added to the target bucket ACL, which, once it reaches 99, starts giving a Bad Request error on the call to put_bucket_acl.

One such example

{'Owner': {'DisplayName': 'awsmasteremail+*******a-022', 'ID': 'b101f924005dbb04273************d43ad46757f21f65c40d48d75368c3'}, 'Grants': [{'Grantee': {'DisplayName': 'awsmasteremail+*******-022', 'ID': 'b101f924005dbb04273************d43ad46757f21f65c40d48d75368c3', 'Type': 'CanonicalUser'}, 'Permission': 'FULL_CONTROL'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 
'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'WRITE'}, {'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/s3/LogDelivery'}, 'Permission': 'READ_ACP'}]}
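An idempotent way to handle the grant merge described above, added here as an example and not the project's own s3_enable_logging_job code. It assumes the ACL dict has the shape boto3's get_bucket_acl returns and that the returned policy would be passed as AccessControlPolicy to put_bucket_acl; the owner ID in the sample is a placeholder. It only adds a LogDelivery grant that is not already present, drops exact duplicates that are already there, and tells the caller whether a put_bucket_acl call is needed at all.

```python
"""Idempotent LogDelivery grant merge for an S3 bucket ACL (added example)."""
import copy

LOG_DELIVERY_URI = "http://acs.amazonaws.com/groups/s3/LogDelivery"
# Permissions the S3 log delivery group needs on a logging target bucket.
REQUIRED_LOG_DELIVERY_PERMISSIONS = ("WRITE", "READ_ACP")
# S3 rejects an ACL with more than 100 grants.
MAX_ACL_GRANTS = 100


def grant_key(grant):
    """Identity of a grant: grantee type, who it is for, and the permission."""
    grantee = grant["Grantee"]
    gtype = grantee["Type"]
    if gtype == "Group":
        who = grantee["URI"]
    elif gtype == "CanonicalUser":
        who = grantee["ID"]
    else:  # AmazonCustomerByEmail
        who = grantee["EmailAddress"]
    return (gtype, who, grant["Permission"])


def merge_log_delivery_grants(acl):
    """Return (policy, changed).

    policy is an AccessControlPolicy dict carrying every existing grant exactly
    once plus any LogDelivery grant that was missing. changed is False when the
    bucket already has what it needs, so the caller can skip put_bucket_acl.
    """
    seen = set()
    grants = []
    changed = False
    for grant in acl.get("Grants", []):
        key = grant_key(grant)
        if key in seen:
            # Exact duplicate: no extra access, but it eats into the grant limit.
            changed = True
            continue
        seen.add(key)
        grants.append(copy.deepcopy(grant))
    for permission in REQUIRED_LOG_DELIVERY_PERMISSIONS:
        key = ("Group", LOG_DELIVERY_URI, permission)
        if key not in seen:
            grants.append({"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI},
                           "Permission": permission})
            seen.add(key)
            changed = True
    if len(grants) > MAX_ACL_GRANTS:
        raise ValueError("ACL would exceed %d grants" % MAX_ACL_GRANTS)
    # Only Owner and Grants belong in the AccessControlPolicy; ResponseMetadata
    # from get_bucket_acl is deliberately not copied over.
    return {"Owner": acl["Owner"], "Grants": grants}, changed


# Constructed sample ACL: the shape from the issue, with READ_ACP granted three
# times to the LogDelivery group and WRITE missing. The owner ID is a placeholder.
SAMPLE_ACL = {
    "Owner": {"DisplayName": "owner", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"DisplayName": "owner", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER",
                     "Type": "CanonicalUser"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI}, "Permission": "READ_ACP"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI}, "Permission": "READ_ACP"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI}, "Permission": "READ_ACP"},
    ],
}

if __name__ == "__main__":
    policy, changed = merge_log_delivery_grants(SAMPLE_ACL)
    print("changed:", changed, "grants:", len(policy["Grants"]))
    # A second pass over the merged policy finds nothing to do.
    print("second pass changed:", merge_log_delivery_grants(policy)[1])
```

Running the merge twice is the property worth keeping in the job: the second call returns changed=False, so repeated remediation runs never grow the ACL.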

security_group_close_port_22 dies on ipv6 rules if they don't exist

time=2020-11-30T17:10:17.383094Z caller=logger.go:165 level=info message="Starting running job code"

time=2020-11-30T17:10:18.2442037Z caller=logger.go:173 level=info message="INFO:botocore.credentials:Found credentials in environment variables."

time=2020-11-30T17:10:18.3579985Z caller=logger.go:173 level=info message="INFO:root:revoking ivp4 permissions"

time=2020-11-30T17:10:18.411337Z caller=logger.go:173 level=info INFO:root:revoke_security_group_ingress(CidrIp='0.0.0.0/0' FromPort=22 GroupId='sg-07a383feba0364070' IpProtocol='tcp' ToPort=22)

time=2020-11-30T17:10:19.1057878Z caller=logger.go:173 level=info message="INFO:root:revoking ivp6 permissions"

time=2020-11-30T17:10:19.1474943Z caller=logger.go:173 level=info INFO:root:revoke_security_group_ingress(GroupId='sg-07a383feba0364070' IpPermissions="[{'FromPort': 22, 'IpProtocol': 'tcp', 'Ipv6Ranges': [{'CidrIpv6': '::/0'}]" 'ToPort':22}])=(MISSING)

time=2020-11-30T17:10:19.3514667Z caller=logger.go:173 level=info message="Traceback (most recent call last):"

time=2020-11-30T17:10:19.3985511Z caller=logger.go:173 level=info message="File \"/opt/vss/job-code/security_group_close_port_22/security_group_close_port_22.py\", line 107, in <module>"

time=2020-11-30T17:10:19.4348853Z caller=logger.go:173 level=info message="Process completed with exit code 1"

time=2020-11-30T17:10:19.460516Z caller=logger.go:173 level=info message=sys.exit(SecurityGroupClosePort22().run(sys.argv))

time=2020-11-30T17:10:19.5121224Z caller=logger.go:173 level=info message="File \"/opt/vss/job-code/security_group_close_port_22/security_group_close_port_22.py\", line 103, in run"

time=2020-11-30T17:10:19.5375377Z caller=logger.go:171 level=error LEVEL=ERROR message="error while executing work" error="exit status 1"

time=2020-11-30T17:10:19.5564106Z caller=logger.go:173 level=info message="return self.remediate(client, params[\"security_group_id\"])"

time=2020-11-30T17:10:19.6047974Z caller=logger.go:173 level=info message="File \"/opt/vss/job-code/security_group_close_port_22/security_group_close_port_22.py\", line 79, in remediate"

time=2020-11-30T17:10:19.6370223Z caller=logger.go:171 level=error LEVEL=ERROR message="failed processing message" message_id=0xc00029cf88 error="exit status 1"

time=2020-11-30T17:10:19.6461869Z caller=logger.go:173 level=info message=logcall(

time=2020-11-30T17:10:19.7257327Z caller=logger.go:173 level=info message="File \"/opt/vss/job-code/security_group_close_port_22/security_group_close_port_22.py\", line 30, in logcall"

time=2020-11-30T17:10:19.7858389Z caller=logger.go:173 level=info message="logging.info(f(*args, **kwargs))"

time=2020-11-30T17:10:19.8253081Z caller=logger.go:173 level=info message="File \"/opt/vss/job-code/security_group_close_port_22/.packages/botocore/client.py\", line 316, in _api_call"

time=2020-11-30T17:10:19.861883Z caller=logger.go:173 level=info message="return self._make_api_call(operation_name, kwargs)"

time=2020-11-30T17:10:19.9028428Z caller=logger.go:173 level=info message="File \"/opt/vss/job-code/security_group_close_port_22/.packages/botocore/client.py\", line 635, in _make_api_call"

time=2020-11-30T17:10:19.9448462Z caller=logger.go:173 level=info message="raise error_class(parsed_response, operation_name)"

time=2020-11-30T17:10:19.9860895Z caller=logger.go:173 level=info message="botocore.exceptions.ClientError: An error occurred (InvalidPermission.NotFound) when calling the RevokeSecurityGroupIngress operation: The specified rule does not exist in this security group."
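The failure in the log above comes from revoking an IPv6 rule unconditionally. The following is an added example, not the project's security_group_close_port_22 job: it describes the group first and only revokes the world-open port 22 rules that are actually present, and treats InvalidPermission.NotFound as "already closed" in case a rule disappears between the describe and the revoke. It assumes the boto3 shapes of describe_security_groups and revoke_security_group_ingress; FakeEc2Client and the sample group are constructed so the code runs offline.

```python
"""Revoke world-open port 22 ingress only for rules that exist (added example)."""

SSH_PORT = 22
OPEN_V4 = "0.0.0.0/0"
OPEN_V6 = "::/0"


def open_ssh_revocations(ip_permissions):
    """Build the IpPermissions list for revoke_security_group_ingress.

    Only rules present in the group are returned, so revoking an absent IPv6
    (or IPv4) rule cannot raise InvalidPermission.NotFound.
    """
    revocations = []
    for perm in ip_permissions:
        if perm.get("IpProtocol") != "tcp":
            continue
        if perm.get("FromPort") != SSH_PORT or perm.get("ToPort") != SSH_PORT:
            continue
        if any(r.get("CidrIp") == OPEN_V4 for r in perm.get("IpRanges", [])):
            revocations.append({"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
                                "IpRanges": [{"CidrIp": OPEN_V4}]})
        if any(r.get("CidrIpv6") == OPEN_V6 for r in perm.get("Ipv6Ranges", [])):
            revocations.append({"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
                                "Ipv6Ranges": [{"CidrIpv6": OPEN_V6}]})
    return revocations


def error_code(exc):
    """Error code carried by a botocore ClientError (empty for other exceptions)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")


def close_port_22(client, group_id):
    """Return the rules revoked; an empty list means nothing was open."""
    groups = client.describe_security_groups(GroupIds=[group_id])["SecurityGroups"]
    revocations = open_ssh_revocations(groups[0]["IpPermissions"])
    if not revocations:
        return []
    try:
        client.revoke_security_group_ingress(GroupId=group_id, IpPermissions=revocations)
    except Exception as exc:  # with boto3 this would be botocore.exceptions.ClientError
        # Rule removed between describe and revoke: the desired state already holds.
        if error_code(exc) != "InvalidPermission.NotFound":
            raise
    return revocations


class FakeEc2Client:
    """Constructed in-memory stand-in for boto3's EC2 client."""

    def __init__(self, ip_permissions):
        self.ip_permissions = ip_permissions
        self.revoke_calls = []

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": GroupIds[0],
                                    "IpPermissions": self.ip_permissions}]}

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.revoke_calls.append(IpPermissions)
        return {"Return": True}


# Constructed sample: an IPv4-only port 22 rule, like the group in the log.
V4_ONLY_GROUP = [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                  "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]

if __name__ == "__main__":
    client = FakeEc2Client(V4_ONLY_GROUP)
    print(close_port_22(client, "sg-EXAMPLE"))
```

The describe-then-revoke shape also gives the job something useful to log: the exact rule set it removed, or the fact that there was nothing to remove.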

s3_enable_access_logging job is missing minimal permissions and needs more meaningful logs

When running the s3_enable_access_logging job without the s3:ListBucket permissions I'm getting this error: botocore.exceptions.ClientError: An error occurred (403) when calling the HeadBucket operation: Forbidden.

The job has two issues that need to be addressed:

  1. The list of minimal permissions needs to be updated with s3:ListBucket
  2. The job should have a more meaningful error when the user doesn't have the correct permissions.

Thanks
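One way to give the second point a concrete shape, added here as an example and not the project's s3_enable_access_logging code: run HeadBucket as a preflight and turn its error into a message that names the missing IAM action (s3:ListBucket, which is what HeadBucket requires) and the bucket, instead of the bare "403 Forbidden" from the report. FakeS3Client and FakeClientError are constructed stand-ins for boto3's S3 client and botocore's ClientError so the code runs offline; the error-code handling mirrors the response dict a real ClientError carries.

```python
"""Actionable permission errors for an S3 logging remediation (added example)."""


class RemediationPermissionError(Exception):
    """The job's identity lacks a permission the remediation needs."""


def error_code(exc):
    """Error code carried by a botocore ClientError (empty for other exceptions)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")


def check_bucket_access(client, bucket):
    """HeadBucket preflight. Returns True, or raises an error that says what to fix.

    HeadBucket is authorised by s3:ListBucket, so a 403 here means that action
    is missing on the bucket; a 404 means the bucket name is wrong.
    """
    try:
        client.head_bucket(Bucket=bucket)
    except Exception as exc:  # with boto3 this would be botocore.exceptions.ClientError
        code = error_code(exc)
        if code in ("403", "AccessDenied", "Forbidden"):
            raise RemediationPermissionError(
                "HeadBucket on arn:aws:s3:::%s was denied (403): the job identity "
                "needs s3:ListBucket on that bucket" % bucket) from exc
        if code in ("404", "NoSuchBucket"):
            raise LookupError("bucket %s does not exist" % bucket) from exc
        raise
    return True


class FakeClientError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError."""

    def __init__(self, code, operation):
        super().__init__("An error occurred (%s) when calling the %s operation"
                         % (code, operation))
        self.response = {"Error": {"Code": code}}


class FakeS3Client:
    """Constructed in-memory stand-in for boto3's S3 client.

    buckets: names that exist; allowed: IAM actions the caller is permitted.
    """

    def __init__(self, buckets, allowed):
        self.buckets = set(buckets)
        self.allowed = set(allowed)

    def head_bucket(self, Bucket):
        if Bucket not in self.buckets:
            raise FakeClientError("404", "HeadBucket")
        if "s3:ListBucket" not in self.allowed:
            raise FakeClientError("403", "HeadBucket")
        return {}


if __name__ == "__main__":
    # Constructed scenario: the bucket exists but the identity lacks s3:ListBucket.
    client = FakeS3Client(buckets=["logs-target"], allowed=[])
    try:
        check_bucket_access(client, "logs-target")
    except RemediationPermissionError as err:
        print(err)
```

Running the preflight before any put call also keeps the job from failing halfway through a remediation with a less specific error from a later operation.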
