diff --git a/.github/workflows/alert-update-terraform-modules.yaml b/.github/workflows/alert-update-terraform-modules.yaml index 4c6bd1423b6..829b14ad576 100644 --- a/.github/workflows/alert-update-terraform-modules.yaml +++ b/.github/workflows/alert-update-terraform-modules.yaml @@ -25,7 +25,7 @@ jobs: -c assets/libraries/common.json \ -u https://registry.terraform.io/v1/modules - name: Create Pull Request - uses: peter-evans/create-pull-request@v4 + uses: peter-evans/create-pull-request@v5 with: title: "feat(queries): update terraform registry data on commons.json" token: ${{ secrets.KICS_BOT_PAT }} diff --git a/.github/workflows/go-ci-integration.yml b/.github/workflows/go-ci-integration.yml index d4e7d7dc295..63e9887aa0d 100644 --- a/.github/workflows/go-ci-integration.yml +++ b/.github/workflows/go-ci-integration.yml @@ -52,7 +52,7 @@ jobs: docker run -v ${PWD}/assets/queries:/path \ kics:${{ github.sha }} scan \ --silent \ - --disable-full-descriptions \ + --disable-telemetry \ --ignore-on-exit "results" \ --log-level DEBUG \ --log-path "/path/info.log" \ diff --git a/.github/workflows/go-generate-antlr-parser.yaml b/.github/workflows/go-generate-antlr-parser.yaml index d7db463efe0..fdf14d6b790 100644 --- a/.github/workflows/go-generate-antlr-parser.yaml +++ b/.github/workflows/go-generate-antlr-parser.yaml @@ -26,7 +26,7 @@ jobs: run: | docker run --rm -u $(id -u ${USER}):$(id -g ${USER}) -v $(pwd)/pkg/parser/jsonfilter:/work -it antlr4-generator:dev - name: Create Pull Request - uses: peter-evans/create-pull-request@v4 + uses: peter-evans/create-pull-request@v5 with: title: "chore(parser): updating AWS jsonfilter ANTLR generated parser" token: ${{ secrets.KICS_BOT_PAT }} diff --git a/.github/workflows/prepare-release.yaml b/.github/workflows/prepare-release.yaml index 2ffb469de94..c53f7cb75fe 100644 --- a/.github/workflows/prepare-release.yaml +++ b/.github/workflows/prepare-release.yaml @@ -27,7 +27,7 @@ jobs: sed -E -i "s/()[0-9]{4}\.[0-9]{2}\.[0-9]{2}
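Review bot: The `+ --disable-telemetry \` line in go-ci-integration.yml drops `--disable-full-descriptions` without an equivalent, so unless the CLI built as `kics:${{ github.sha }}` no longer performs the descriptions lookup at all, this integration scan may now make that outbound request and the job gains a dependency on an external service that the old flag avoided. If the old flag was removed from the CLI in the same release the swap is correct, but it is worth confirming that the scan still completes with no network access. A short comment above the step stating why the descriptions flag was dropped would save the next reader the same question. The enclosing `run:` block starts before and continues after the hunk.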

/\1${{ steps.cdate.outputs.date }}

/" docs/index.md sed -E -i "s/()/\1v${{ github.event.inputs.version }}\2${{ github.event.inputs.version }}\3/g" docs/index.md - name: Create pull request - uses: peter-evans/create-pull-request@v4 + uses: peter-evans/create-pull-request@v5 with: title: "docs: preparing for release ${{ github.event.inputs.version }}" token: ${{ secrets.KICS_BOT_PAT }} diff --git a/.github/workflows/release-apispec.yml b/.github/workflows/release-apispec.yml index 122e20866a9..a29ff0c8412 100644 --- a/.github/workflows/release-apispec.yml +++ b/.github/workflows/release-apispec.yml @@ -182,7 +182,7 @@ jobs: pip install csvtomd csvtomd docs/docker/apispec.csv > docs/docker/apispec.md - name: Create Pull Request - uses: peter-evans/create-pull-request@v4 + uses: peter-evans/create-pull-request@v5 with: title: "docs(kicsbot): update images digest" token: ${{ secrets.KICS_BOT_PAT }} diff --git a/.github/workflows/release-dkr-image.yml b/.github/workflows/release-dkr-image.yml index 671e1749a43..a3fe42814d8 100644 --- a/.github/workflows/release-dkr-image.yml +++ b/.github/workflows/release-dkr-image.yml @@ -120,7 +120,7 @@ jobs: pip install csvtomd csvtomd docs/docker/digests.csv > docs/docker/digests.md - name: Create Pull Request - uses: peter-evans/create-pull-request@v4 + uses: peter-evans/create-pull-request@v5 with: title: "docs(kicsbot): update images digest" token: ${{ secrets.KICS_BOT_PAT }} diff --git a/.github/workflows/release-docker-github-actions.yaml b/.github/workflows/release-docker-github-actions.yaml index 9f34effc13c..eb4d815b21e 100644 --- a/.github/workflows/release-docker-github-actions.yaml +++ b/.github/workflows/release-docker-github-actions.yaml @@ -64,7 +64,7 @@ jobs: pip install csvtomd csvtomd docs/docker/digests.csv > docs/docker/digests.md - name: Create Pull Request - uses: peter-evans/create-pull-request@v4 + uses: peter-evans/create-pull-request@v5 with: title: "docs(kicsbot): update images digest" token: ${{ secrets.KICS_BOT_PAT }} 
diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml index 9c406adc57e..c3871258e69 100644 --- a/.github/workflows/release-nightly.yml +++ b/.github/workflows/release-nightly.yml @@ -219,7 +219,7 @@ jobs: pip install csvtomd csvtomd docs/docker/nightly.csv > docs/docker/nightly.md - name: Create Pull Request - uses: peter-evans/create-pull-request@v4 + uses: peter-evans/create-pull-request@v5 with: title: "docs(kicsbot): update images digest" token: ${{ secrets.KICS_BOT_PAT }} diff --git a/.github/workflows/update-docs-queries.yaml b/.github/workflows/update-docs-queries.yaml index 22b8dd2c685..1eab48e1745 100644 --- a/.github/workflows/update-docs-queries.yaml +++ b/.github/workflows/update-docs-queries.yaml @@ -31,7 +31,7 @@ jobs: -f md \ -t .github/scripts/docs-generator/templates - name: Create Pull Request - uses: peter-evans/create-pull-request@v4 + uses: peter-evans/create-pull-request@v5 with: title: "docs(queries): update queries catalog" token: ${{ secrets.KICS_BOT_PAT }} diff --git a/.github/workflows/update-install-script.yaml b/.github/workflows/update-install-script.yaml index d8532171d72..4fe49a3bf65 100644 --- a/.github/workflows/update-install-script.yaml +++ b/.github/workflows/update-install-script.yaml @@ -50,7 +50,7 @@ jobs: - name: Update install.sh run: ./.bin/godownloader --repo Checkmarx/kics <(echo ${{ steps.outputs.filter.goreleaser }}) > install.sh - name: Create Pull Request - uses: peter-evans/create-pull-request@v4 + uses: peter-evans/create-pull-request@v5 with: title: "chore(install): update install script" token: ${{ secrets.KICS_BOT_PAT }} diff --git a/.github/workflows/update_software_versions.yml b/.github/workflows/update_software_versions.yml index 13d13e57db0..df2dbb23716 100644 --- a/.github/workflows/update_software_versions.yml +++ b/.github/workflows/update_software_versions.yml 
@@ -25,7 +25,7 @@ jobs: *.json - name: Create pull request if: steps.verify-changed-files.outputs.files_changed == 'true' - uses: peter-evans/create-pull-request@v4 + uses: peter-evans/create-pull-request@v5 with: title: "bump: updating software versions" token: ${{ secrets.KICS_BOT_PAT }} diff --git a/LICENSE b/LICENSE index dfb1ac2ca62..f49a4e16e68 100644 --- a/LICENSE +++ b/LICENSE @@ -198,14 +198,4 @@ distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and - limitations under the License. - -It is clarified that the Apache License 2.0 shall not apply to any content -generated by KICS which is marked as being “Proprietary to CIS” (the “CIS -Proprietary Content”). The CIS Proprietary Content is exclusively owned by -the Center for Internet Security, Inc. and you are granted a limited, -non-exclusively, non-transferable, non-sublicensable license to view the -CIS Proprietary Content in connection with your use of KICS. You may not, -and may not permit others to modify, create derivative works of, reproduce, -publish, distribute, transfer, publicly display, resell, rent, lease, -sublicense, loan, or lend the CIS Proprietary Content to any third party. + limitations under the License. \ No newline at end of file diff --git a/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/metadata.json b/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/metadata.json index 6ea36542556..1598649024f 100644 --- a/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/metadata.json +++ b/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/metadata.json 
@@ -3,7 +3,7 @@
 "queryName": "Restart Policy On Failure Not Set To 5",
 "severity": "MEDIUM",
 "category": "Build Process",
- "descriptionText": "Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used, and 5 retries is the recommended by CIS.",
+ "descriptionText": "Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used.",
 "descriptionUrl": "https://docs.docker.com/config/containers/start-containers-automatically/#use-a-restart-policy",
 "platform": "DockerCompose",
 "descriptionID": "d21fff2e"
diff --git a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/negative1.tf b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/negative1.tf
index e1f697d3b6d..eb1a47cf032 100644
--- a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/negative1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/negative1.tf
@@ -1,24 +1,24 @@
-resource "aws_cloudwatch_log_metric_filter" "CIS_AWS_Config_Change_Metric_Filter" {
- name = "CIS-AWSConfigChanges"
+resource "aws_cloudwatch_log_metric_filter" "AWS_Config_Change_Metric_Filter" {
+ name = "AWSConfigChanges"
 pattern = "{ ($.eventSource = \"config.amazonaws.com\") && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-AWSConfigChanges"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "AWSConfigChanges"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "CIS_AWS_Config_Change_CW_Alarm" {
- alarm_name = "CIS-3.9-AWSConfigChanges"
+resource "aws_cloudwatch_metric_alarm" "AWS_Config_Change_CW_Alarm" {
+ alarm_name = "AWSConfigChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.CIS_AWS_Config_Change_Metric_Filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.AWS_Config_Change_Metric_Filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive1.tf b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive1.tf
index 8d157ba7efa..af61ae76795 100644
--- a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive1.tf
@@ -1,24 +1,24 @@
-resource "aws_cloudwatch_log_metric_filter" "CIS_AWS_Config_Change_Metric_Filter" {
- name = "CIS-AWSConfigChanges"
+resource "aws_cloudwatch_log_metric_filter" "AWS_Config_Change_Metric_Filter" {
+ name = "AWSConfigChanges"
 pattern = "{ ($.eventSource = \"config.amazonaws.com\") && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-AWSConfigChanges"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "AWSConfigChanges"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "CIS_AWS_Config_Change_CW_Alarm" {
- alarm_name = "CIS-3.9-AWSConfigChanges"
+resource "aws_cloudwatch_metric_alarm" "AWS_Config_Change_CW_Alarm" {
+ alarm_name = "AWSConfigChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
 metric_name = "XXXX NOT YOUR FILTER XXXX"
- namespace = "CIS_Metric_Alarm_Namespace"
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive2.tf b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive2.tf
index 607c5c5fd96..86f2cc1cd13 100644
--- a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive2.tf
+++ b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive2.tf
@@ -1,25 +1,25 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" {
- name = "CIS-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin_metric_filter" {
+ name = "ConsoleSigninWithoutMFA"
 pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-ConsoleSigninWithoutMFA"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "ConsoleSigninWithoutMFA"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" {
- alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin_cw_alarm" {
+ alarm_name = "ConsoleSigninWithoutMFA"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.no_mfa_console_signin_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive3.tf b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive3.tf
index 2e54cd71827..06a449c3044 100644
--- a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive3.tf
+++ b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive3.tf
@@ -1,24 +1,24 @@
-resource "aws_cloudwatch_log_metric_filter" "CIS_AWS_Config_Change_Metric_Filter" {
- name = "CIS-AWSConfigChanges"
+resource "aws_cloudwatch_log_metric_filter" "AWS_Config_Change_Metric_Filter" {
+ name = "AWSConfigChanges"
 pattern = "{ ($.eventSource = \"config.amazonaws.com\") && (($.eventName=StopConfigurationRecorder)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-AWSConfigChanges"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "AWSConfigChanges"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "CIS_AWS_Config_Change_CW_Alarm" {
- alarm_name = "CIS-3.9-AWSConfigChanges"
+resource "aws_cloudwatch_metric_alarm" "AWS_Config_Change_CW_Alarm" {
+ alarm_name = "AWSConfigChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
 metric_name = "XXXX NOT YOUR FILTER XXXX"
- namespace = "CIS_Metric_Alarm_Namespace"
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive4.tf b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive4.tf
index 4801b9bfba9..473f4d1a5cb 100644
--- a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive4.tf
+++ b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive4.tf
@@ -1,24 +1,24 @@
-resource "aws_cloudwatch_log_metric_filter" "CIS_AWS_Config_Change_Metric_Filter" {
- name = "CIS-AWSConfigChanges"
+resource "aws_cloudwatch_log_metric_filter" "AWS_Config_Change_Metric_Filter" {
+ name = "AWSConfigChanges"
 pattern = "{ ($.eventSource = \"config.amazonaws.com\") || (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-AWSConfigChanges"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "AWSConfigChanges"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "CIS_AWS_Config_Change_CW_Alarm" {
- alarm_name = "CIS-3.9-AWSConfigChanges"
+resource "aws_cloudwatch_metric_alarm" "AWS_Config_Change_CW_Alarm" {
+ alarm_name = "AWSConfigChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
 metric_name = "XXXX NOT YOUR FILTER XXXX"
- namespace = "CIS_Metric_Alarm_Namespace"
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/negative1.tf b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/negative1.tf
index 3c2c552bd8f..378e4b8afd2 100644
--- a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/negative1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/negative1.tf
@@ -2,35 +2,35 @@ provider "aws" {
 region = "us-east-2"
 }
-resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
- name = "CIS_CloudWatch_LogsGroup"
+resource "aws_cloudwatch_log_group" "CloudWatch_LogsGroup" {
+ name = "CloudWatch_LogsGroup"
 }
-resource "aws_sns_topic" "cis_alerts_sns_topic" {
- name = "cis-alerts-sns-topic"
+resource "aws_sns_topic" "alerts_sns_topic" {
+ name = "alerts-sns-topic"
 }
-resource "aws_cloudwatch_metric_alarm" "cis_aws_organizations" {
- alarm_name = "CIS-4.15-AWS-Organizations"
+resource "aws_cloudwatch_metric_alarm" "aws_organizations" {
+ alarm_name = "AWS-Organizations"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_aws_organizations.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.aws_organizations.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
- alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ alarm_actions = [aws_sns_topic.alerts_sns_topic.arn]
 insufficient_data_actions = []
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_aws_organizations" {
- name = "CIS-4.15-AWS-Organizations"
+resource "aws_cloudwatch_log_metric_filter" "aws_organizations" {
+ name = "AWS-Organizations"
 pattern = "{ ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = 
RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-4.15-AWS-Organizations"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "AWS-Organizations"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive1.tf b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive1.tf
index 65397acb402..d7b0ffe20ea 100644
--- a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive1.tf
@@ -2,35 +2,35 @@ provider "aws" {
 region = "us-east-2"
 }
-resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
- name = "CIS_CloudWatch_LogsGroup"
+resource "aws_cloudwatch_log_group" "CloudWatch_LogsGroup" {
+ name = "CloudWatch_LogsGroup"
 }
-resource "aws_sns_topic" "cis_alerts_sns_topic" {
- name = "cis-alerts-sns-topic"
+resource "aws_sns_topic" "alerts_sns_topic" {
+ name = "alerts-sns-topic"
 }
-resource "aws_cloudwatch_metric_alarm" "cis_aws_organizations" {
- alarm_name = "CIS-4.15-AWS-Organizations"
+resource "aws_cloudwatch_metric_alarm" "aws_organizations" {
+ alarm_name = "AWS-Organizations"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
 metric_name = "OTHER FILTER"
- namespace = "CIS_Metric_Alarm_Namespace"
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
- alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ alarm_actions = [aws_sns_topic.alerts_sns_topic.arn]
 insufficient_data_actions = []
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_aws_organizations" {
- name = "CIS-4.15-AWS-Organizations"
+resource "aws_cloudwatch_log_metric_filter" "aws_organizations" {
+ name = "AWS-Organizations"
 pattern = "{ ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = \"AcceptHandshake\") || ($.eventName = 'AttachPolicy') || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) }" - 
log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-4.15-AWS-Organizations"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "AWS-Organizations"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive2.tf b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive2.tf
index c5acd751323..3e276748bf3 100644
--- a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive2.tf
+++ b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive2.tf
@@ -2,35 +2,35 @@ provider "aws" {
 region = "us-east-2"
 }
-resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
- name = "CIS_CloudWatch_LogsGroup"
+resource "aws_cloudwatch_log_group" "CloudWatch_LogsGroup" {
+ name = "CloudWatch_LogsGroup"
 }
-resource "aws_sns_topic" "cis_alerts_sns_topic" {
- name = "cis-alerts-sns-topic"
+resource "aws_sns_topic" "alerts_sns_topic" {
+ name = "alerts-sns-topic"
 }
-resource "aws_cloudwatch_metric_alarm" "cis_aws_organizations" {
- alarm_name = "CIS-4.15-AWS-Organizations"
+resource "aws_cloudwatch_metric_alarm" "aws_organizations" {
+ alarm_name = "AWS-Organizations"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_aws_organizations.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.aws_organizations.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
- alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ alarm_actions = [aws_sns_topic.alerts_sns_topic.arn]
 insufficient_data_actions = []
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_aws_organizations" {
- name = "CIS-4.15-AWS-Organizations"
+resource "aws_cloudwatch_log_metric_filter" "aws_organizations" {
+ name = "AWS-Organizations"
 pattern = "{ ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || 
($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-4.15-AWS-Organizations"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "AWS-Organizations"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/negative1.tf b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/negative1.tf
index c34fae582dd..62c9907057f 100644
--- a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/negative1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/negative1.tf
@@ -2,35 +2,35 @@ provider "aws" {
 region = "us-east-2"
 }
-resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
- name = "CIS_CloudWatch_LogsGroup"
+resource "aws_cloudwatch_log_group" "CloudWatch_LogsGroup" {
+ name = "CloudWatch_LogsGroup"
 }
-resource "aws_sns_topic" "cis_alerts_sns_topic" {
- name = "cis-alerts-sns-topic"
+resource "aws_sns_topic" "alerts_sns_topic" {
+ name = "alerts-sns-topic"
 }
-resource "aws_cloudwatch_metric_alarm" "cis_changes_nacl" {
- alarm_name = "CIS-4.11-Changes-NACL"
+resource "aws_cloudwatch_metric_alarm" "changes_nacl" {
+ alarm_name = "Changes-NACL"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_changes_nacl.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.changes_nacl.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
- alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ alarm_actions = [aws_sns_topic.alerts_sns_topic.arn]
 insufficient_data_actions = []
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_changes_nacl" {
- name = "CIS-4.11-Changes-NACL"
+resource "aws_cloudwatch_log_metric_filter" "changes_nacl" {
+ name = "Changes-NACL"
 pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-4.11-Changes-NACL"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "Changes-NACL"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive1.tf b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive1.tf
index badde4ef5ae..84e41e1318d 100644
--- a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive1.tf
@@ -2,35 +2,35 @@ provider "aws" {
 region = "us-east-2"
 }
-resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
- name = "CIS_CloudWatch_LogsGroup"
+resource "aws_cloudwatch_log_group" "CloudWatch_LogsGroup" {
+ name = "CloudWatch_LogsGroup"
 }
-resource "aws_sns_topic" "cis_alerts_sns_topic" {
- name = "cis-alerts-sns-topic"
+resource "aws_sns_topic" "alerts_sns_topic" {
+ name = "alerts-sns-topic"
 }
-resource "aws_cloudwatch_metric_alarm" "cis_changes_nacl" {
- alarm_name = "CIS-4.11-Changes-NACL"
+resource "aws_cloudwatch_metric_alarm" "changes_nacl" {
+ alarm_name = "Changes-NACL"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
 metric_name = "OTHER FILTER"
- namespace = "CIS_Metric_Alarm_Namespace"
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
- alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ alarm_actions = [aws_sns_topic.alerts_sns_topic.arn]
 insufficient_data_actions = []
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_changes_nacl" {
- name = "CIS-4.11-Changes-NACL"
+resource "aws_cloudwatch_log_metric_filter" "changes_nacl" {
+ name = "Changes-NACL"
 pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-4.11-Changes-NACL"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "Changes-NACL"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive2.tf b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive2.tf
index b54428028e6..00de74aeb6a 100644
--- a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive2.tf
+++ b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive2.tf
@@ -2,35 +2,35 @@ provider "aws" {
 region = "us-east-2"
 }
-resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
- name = "CIS_CloudWatch_LogsGroup"
+resource "aws_cloudwatch_log_group" "CloudWatch_LogsGroup" {
+ name = "CloudWatch_LogsGroup"
 }
-resource "aws_sns_topic" "cis_alerts_sns_topic" {
- name = "cis-alerts-sns-topic"
+resource "aws_sns_topic" "alerts_sns_topic" {
+ name = "alerts-sns-topic"
 }
-resource "aws_cloudwatch_metric_alarm" "cis_changes_nacl" {
- alarm_name = "CIS-4.11-Changes-NACL"
+resource "aws_cloudwatch_metric_alarm" "changes_nacl" {
+ alarm_name = "Changes-NACL"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_changes_nacl.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.changes_nacl.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
- alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ alarm_actions = [aws_sns_topic.alerts_sns_topic.arn]
 insufficient_data_actions = []
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_changes_nacl" {
- name = "CIS-4.11-Changes-NACL"
+resource "aws_cloudwatch_log_metric_filter" "changes_nacl" {
+ name = "Changes-NACL"
 pattern = "{ ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-4.11-Changes-NACL"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "Changes-NACL"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/negative1.tf b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/negative1.tf
index 81984597e5a..0d5bd71693a 100644
--- a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/negative1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/negative1.tf
@@ -1,25 +1,25 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_cloudtrail_config_change_metric_filter" {
- name = "CIS-CloudTrailChanges"
+resource "aws_cloudwatch_log_metric_filter" "cloudtrail_config_change_metric_filter" {
+ name = "CloudTrailChanges"
 pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-CloudTrailChanges"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "CloudTrailChanges"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_cloudtrail_config_change_cw_alarm" {
- alarm_name = "CIS-3.5-CloudTrailChanges"
+resource "aws_cloudwatch_metric_alarm" "cloudtrail_config_change_cw_alarm" {
+ alarm_name = "CloudTrailChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_cloudtrail_config_change_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.cloudtrail_config_change_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive1.tf b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive1.tf
index 5e5faddbccf..83b30da47e6 100644
--- a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive1.tf
@@ -1,25 +1,25 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_cloudtrail_config_change_metric_filter" {
- name = "CIS-CloudTrailChanges"
+resource "aws_cloudwatch_log_metric_filter" "cloudtrail_config_change_metric_filter" {
+ name = "CloudTrailChanges"
 pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-CloudTrailChanges"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "CloudTrailChanges"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_cloudtrail_config_change_cw_alarm" {
- alarm_name = "CIS-3.5-CloudTrailChanges"
+resource "aws_cloudwatch_metric_alarm" "cloudtrail_config_change_cw_alarm" {
+ alarm_name = "CloudTrailChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
 metric_name = "XXXX NOT YOUR FILTER XXXX"
- namespace = "CIS_Metric_Alarm_Namespace"
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive2.tf b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive2.tf
index cf4c10e36a0..3d6a77ccf0a 100644
--- a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive2.tf
+++ b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive2.tf
@@ -1,25 +1,25 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" {
- name = "CIS-UnauthorizedAPICalls"
+resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls_metric_filter" {
+ name = "UnauthorizedAPICalls"
 pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-UnauthorizedAPICalls"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "UnauthorizedAPICalls"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" {
- alarm_name = "CIS-3.1-UnauthorizedAPICalls"
+resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls_cw_alarm" {
+ alarm_name = "UnauthorizedAPICalls"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.unauthorized_api_calls_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity."
- alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ alarm_actions = [aws_sns_topic.alerts_sns_topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive3.tf b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive3.tf
index 17e452c5c18..9ffbf5e808d 100644
--- a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive3.tf
+++ b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive3.tf
@@ -1,25 +1,25 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_cloudtrail_config_change_metric_filter" {
- name = "CIS-CloudTrailChanges"
+resource "aws_cloudwatch_log_metric_filter" "cloudtrail_config_change_metric_filter" {
+ name = "CloudTrailChanges"
 pattern = "{ ($.eventName = CreateTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-CloudTrailChanges"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "CloudTrailChanges"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_cloudtrail_config_change_cw_alarm" {
- alarm_name = "CIS-3.5-CloudTrailChanges"
+resource "aws_cloudwatch_metric_alarm" "cloudtrail_config_change_cw_alarm" {
+ alarm_name = "CloudTrailChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_cloudtrail_config_change_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.cloudtrail_config_change_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/negative1.tf b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/negative1.tf
index 2823e1e8530..00d9647d7d1 100644
--- a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/negative1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/negative1.tf
@@ -2,35 +2,35 @@ provider "aws" {
 region = "us-east-2"
 }
-resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
- name = "CIS_CloudWatch_LogsGroup"
+resource "aws_cloudwatch_log_group" "CloudWatch_LogsGroup" {
+ name = "CloudWatch_LogsGroup"
 }
-resource "aws_sns_topic" "cis_alerts_sns_topic" {
- name = "cis-alerts-sns-topic"
+resource "aws_sns_topic" "alerts_sns_topic" {
+ name = "alerts-sns-topic"
 }
-resource "aws_cloudwatch_metric_alarm" "cis_disable_delete_cmk" {
- alarm_name = "CIS-4.7-Disable-Scheduled-Delete-CMK"
+resource "aws_cloudwatch_metric_alarm" "disable_delete_cmk" {
+ alarm_name = "Disable-Scheduled-Delete-CMK"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_disable_delete_cmk.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.disable_delete_cmk.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
- alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ alarm_actions = [aws_sns_topic.alerts_sns_topic.arn]
 insufficient_data_actions = []
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_disable_delete_cmk" {
- name = "CIS-4.7-Disable-Scheduled-Delete-CMK"
+resource "aws_cloudwatch_log_metric_filter" "disable_delete_cmk" {
+ name = "Disable-Scheduled-Delete-CMK"
 pattern = "{ ($.eventSource = \"kms.amazonaws.com\") && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-4.7-Disable-Scheduled-Delete-CMK"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "Disable-Scheduled-Delete-CMK"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive1.tf b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive1.tf
index ffb0c8fb70c..e8ed08f3b09 100644
--- a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive1.tf
@@ -2,35 +2,35 @@ provider "aws" {
 region = "us-east-2"
 }
-resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
- name = "CIS_CloudWatch_LogsGroup"
+resource "aws_cloudwatch_log_group" "CloudWatch_LogsGroup" {
+ name = "CloudWatch_LogsGroup"
 }
-resource "aws_sns_topic" "cis_alerts_sns_topic" {
- name = "cis-alerts-sns-topic"
+resource "aws_sns_topic" "alerts_sns_topic" {
+ name = "alerts-sns-topic"
 }
-resource "aws_cloudwatch_metric_alarm" "cis_disable_delete_cmk" {
- alarm_name = "CIS-4.7-Disable-Scheduled-Delete-CMK"
+resource "aws_cloudwatch_metric_alarm" "disable_delete_cmk" {
+ alarm_name = "Disable-Scheduled-Delete-CMK"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
 metric_name = "OTHER FILTER"
- namespace = "CIS_Metric_Alarm_Namespace"
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
- alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ alarm_actions = [aws_sns_topic.alerts_sns_topic.arn]
 insufficient_data_actions = []
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_disable_delete_cmk" {
- name = "CIS-4.7-Disable-Scheduled-Delete-CMK"
+resource "aws_cloudwatch_log_metric_filter" "disable_delete_cmk" {
+ name = "Disable-Scheduled-Delete-CMK"
 pattern = "{ ($.eventSource = \"kms.amazonaws.com\") && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-4.7-Disable-Scheduled-Delete-CMK"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "Disable-Scheduled-Delete-CMK"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive2.tf b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive2.tf
index 78d9c12cccf..faebf3716d6 100644
--- a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive2.tf
+++ b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive2.tf
@@ -2,35 +2,35 @@ provider "aws" {
 region = "us-east-2"
 }
-resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
- name = "CIS_CloudWatch_LogsGroup"
+resource "aws_cloudwatch_log_group" "CloudWatch_LogsGroup" {
+ name = "CloudWatch_LogsGroup"
 }
-resource "aws_sns_topic" "cis_alerts_sns_topic" {
- name = "cis-alerts-sns-topic"
+resource "aws_sns_topic" "alerts_sns_topic" {
+ name = "alerts-sns-topic"
 }
-resource "aws_cloudwatch_metric_alarm" "cis_disable_delete_cmk" {
- alarm_name = "CIS-4.7-Disable-Scheduled-Delete-CMK"
+resource "aws_cloudwatch_metric_alarm" "disable_delete_cmk" {
+ alarm_name = "Disable-Scheduled-Delete-CMK"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_disable_delete_cmk.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.disable_delete_cmk.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
- alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ alarm_actions = [aws_sns_topic.alerts_sns_topic.arn]
 insufficient_data_actions = []
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_disable_delete_cmk" {
- name = "CIS-4.7-Disable-Scheduled-Delete-CMK"
+resource "aws_cloudwatch_log_metric_filter" "disable_delete_cmk" {
+ name = "Disable-Scheduled-Delete-CMK"
 pattern = "{ ($.eventSource = \"kms.amazonaws.com\") || (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-4.7-Disable-Scheduled-Delete-CMK"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "Disable-Scheduled-Delete-CMK"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive3.tf b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive3.tf
index bc8102ced98..a62cec6e2fd 100644
--- a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive3.tf
+++ b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive3.tf
@@ -2,35 +2,35 @@ provider "aws" {
 region = "us-east-2"
 }
-resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
- name = "CIS_CloudWatch_LogsGroup"
+resource "aws_cloudwatch_log_group" "CloudWatch_LogsGroup" {
+ name = "CloudWatch_LogsGroup"
 }
-resource "aws_sns_topic" "cis_alerts_sns_topic" {
- name = "cis-alerts-sns-topic"
+resource "aws_sns_topic" "alerts_sns_topic" {
+ name = "alerts-sns-topic"
 }
-resource "aws_cloudwatch_metric_alarm" "cis_disable_delete_cmk" {
- alarm_name = "CIS-4.7-Disable-Scheduled-Delete-CMK"
+resource "aws_cloudwatch_metric_alarm" "disable_delete_cmk" {
+ alarm_name = "Disable-Scheduled-Delete-CMK"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_disable_delete_cmk.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.disable_delete_cmk.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
- alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ alarm_actions = [aws_sns_topic.alerts_sns_topic.arn]
 insufficient_data_actions = []
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_disable_delete_cmk" {
- name = "CIS-4.7-Disable-Scheduled-Delete-CMK"
+resource "aws_cloudwatch_log_metric_filter" "disable_delete_cmk" {
+ name = "Disable-Scheduled-Delete-CMK"
 pattern = "{ ($.eventSource = \"kms.amazonaws.com\") && (($.eventName = ScheduleKeyDeletion)) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-4.7-Disable-Scheduled-Delete-CMK"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "Disable-Scheduled-Delete-CMK"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/negative1.tf b/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/negative1.tf
index 45b2a1a21f8..cc93e05c6bf 100644
--- a/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/negative1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/negative1.tf
@@ -2,35 +2,35 @@ provider "aws" {
 region = "us-east-2"
 }
-resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
- name = "CIS_CloudWatch_LogsGroup"
+resource "aws_cloudwatch_log_group" "CloudWatch_LogsGroup" {
+ name = "CloudWatch_LogsGroup"
 }
-resource "aws_sns_topic" "cis_alerts_sns_topic" {
- name = "cis-alerts-sns-topic"
+resource "aws_sns_topic" "alerts_sns_topic" {
+ name = "alerts-sns-topic"
 }
-resource "aws_cloudwatch_metric_alarm" "cis_iam_policy_change" {
- alarm_name = "CIS-4.4-IAM-Policy-Change"
+resource "aws_cloudwatch_metric_alarm" "iam_policy_change" {
+ alarm_name = "IAM-Policy-Change"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_iam_policy_change.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.iam_policy_change.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
- alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ alarm_actions = [aws_sns_topic.alerts_sns_topic.arn]
 insufficient_data_actions = []
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_iam_policy_change" {
- name = "CIS-4.4-IAM-Policy-Change"
+resource "aws_cloudwatch_log_metric_filter" "iam_policy_change" {
+ name = "IAM-Policy-Change"
 pattern = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-4.4-IAM-Policy-Change"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "IAM-Policy-Change"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive1.tf b/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive1.tf
index b45350067b2..610ad6dc93e 100644
--- a/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive1.tf
@@ -2,35 +2,35 @@ provider "aws" {
 region = "us-east-2"
 }
-resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
- name = "CIS_CloudWatch_LogsGroup"
+resource "aws_cloudwatch_log_group" "CloudWatch_LogsGroup" {
+ name = "CloudWatch_LogsGroup"
 }
-resource "aws_sns_topic" "cis_alerts_sns_topic" {
- name = "cis-alerts-sns-topic"
+resource "aws_sns_topic" "alerts_sns_topic" {
+ name = "alerts-sns-topic"
 }
-resource "aws_cloudwatch_metric_alarm" "cis_iam_policy_change" {
- alarm_name = "CIS-4.4-IAM-Policy-Change"
+resource "aws_cloudwatch_metric_alarm" "iam_policy_change" {
+ alarm_name = "IAM-Policy-Change"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
 metric_name = "XXXX NOT YOUR FILTER XXXX"
- namespace = "CIS_Metric_Alarm_Namespace"
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
- alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ alarm_actions = [aws_sns_topic.alerts_sns_topic.arn]
 insufficient_data_actions = []
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_iam_policy_change" {
- name = "CIS-4.4-IAM-Policy-Change"
+resource "aws_cloudwatch_log_metric_filter" "iam_policy_change" {
+ name = "IAM-Policy-Change"
 pattern = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-4.4-IAM-Policy-Change"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "IAM-Policy-Change"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive2.tf b/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive2.tf
index d0f9b15d6d4..a1021d6fda1 100644
--- a/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive2.tf
+++ b/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive2.tf
@@ -2,35 +2,35 @@ provider "aws" {
 region = "us-east-2"
 }
-resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
- name = "CIS_CloudWatch_LogsGroup"
+resource "aws_cloudwatch_log_group" "CloudWatch_LogsGroup" {
+ name = "CloudWatch_LogsGroup"
 }
-resource "aws_sns_topic" "cis_alerts_sns_topic" {
- name = "cis-alerts-sns-topic"
+resource "aws_sns_topic" "alerts_sns_topic" {
+ name = "alerts-sns-topic"
 }
-resource "aws_cloudwatch_metric_alarm" "cis_iam_policy_change" {
- alarm_name = "CIS-4.4-IAM-Policy-Change"
+resource "aws_cloudwatch_metric_alarm" "iam_policy_change" {
+ alarm_name = "IAM-Policy-Change"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_iam_policy_change.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.iam_policy_change.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
- alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ alarm_actions = [aws_sns_topic.alerts_sns_topic.arn]
 insufficient_data_actions = []
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_iam_policy_change" {
- name = "CIS-4.4-IAM-Policy-Change"
+resource "aws_cloudwatch_log_metric_filter" "iam_policy_change" {
+ name = "IAM-Policy-Change"
 pattern = "{($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-4.4-IAM-Policy-Change"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "IAM-Policy-Change"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/negative1.tf b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/negative1.tf
index 52e29527403..685a68ed753 100644
--- a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/negative1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/negative1.tf
@@ -1,50 +1,50 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_console_authn_failure_metric_filter" {
- name = "CIS-ConsoleAuthenticationFailure"
+resource "aws_cloudwatch_log_metric_filter" "console_authn_failure_metric_filter" {
+ name = "ConsoleAuthenticationFailure"
 pattern = "{ (($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\")) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-ConsoleAuthenticationFailure"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "ConsoleAuthenticationFailure"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_console_authn_failure_cw_alarm" {
- alarm_name = "CIS-3.6-ConsoleAuthenticationFailure"
+resource "aws_cloudwatch_metric_alarm" "console_authn_failure_cw_alarm" {
+ alarm_name = "ConsoleAuthenticationFailure"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_console_authn_failure_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.console_authn_failure_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" {
- name = "CIS-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin_metric_filter" {
+ name = "ConsoleSigninWithoutMFA"
 pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-ConsoleSigninWithoutMFA"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "ConsoleSigninWithoutMFA"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" {
- alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin_cw_alarm" {
+ alarm_name = "ConsoleSigninWithoutMFA"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.no_mfa_console_signin_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA."
- alarm_actions = ["aws_sns_topic.CIS_Alerts_SNS_Topic.arn"]
+ alarm_actions = ["aws_sns_topic.Alerts_SNS_Topic.arn"]
 insufficient_data_actions = []
 }
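Review bot: The renamed line `alarm_actions = ["aws_sns_topic.Alerts_SNS_Topic.arn"]` on the no-MFA alarm keeps the reference inside a string literal, so Terraform would treat it as the literal text rather than resolving the topic ARN — the alarm in this negative fixture effectively has no valid notification target. The same alarm in positive1.tf for this query uses the unquoted form `[aws_sns_topic.Alerts_SNS_Topic.arn]`, as does the console-auth-failure alarm a few lines above, so this looks like a leftover typo rather than intent. Since this query checks the console authentication failure alarm, the quoting probably does not change the test outcome, but while touching the line it is worth making it `alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]` so the fixture stays a faithful "compliant" example. Note also that neither `Alerts_SNS_Topic` nor `CloudWatch_LogsGroup` is declared in this 50-line fixture, which is presumably acceptable for a KICS sample but worth confirming.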
diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive1.tf b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive1.tf
index 980504cbe51..40d7cbfef7c 100644
--- a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive1.tf
@@ -1,50 +1,50 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_console_authn_failure_metric_filter" {
- name = "CIS-ConsoleAuthenticationFailure"
+resource "aws_cloudwatch_log_metric_filter" "console_authn_failure_metric_filter" {
+ name = "ConsoleAuthenticationFailure"
 pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-ConsoleAuthenticationFailure"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "ConsoleAuthenticationFailure"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_console_authn_failure_cw_alarm" {
- alarm_name = "CIS-3.6-ConsoleAuthenticationFailure"
+resource "aws_cloudwatch_metric_alarm" "console_authn_failure_cw_alarm" {
+ alarm_name = "ConsoleAuthenticationFailure"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
 metric_name = "XXX NOT YOUR FILTER"
- namespace = "CIS_Metric_Alarm_Namespace"
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" {
- name = "CIS-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin_metric_filter" {
+ name = "ConsoleSigninWithoutMFA"
 pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-ConsoleSigninWithoutMFA"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "ConsoleSigninWithoutMFA"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" {
- alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin_cw_alarm" {
+ alarm_name = "ConsoleSigninWithoutMFA"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.no_mfa_console_signin_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive2.tf b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive2.tf
index 4aa336715fb..fd6f9f17b1e 100644
--- a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive2.tf
+++ b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive2.tf
@@ -1,24 +1,24 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_console_authn_failure_metric_filter" {
- name = "CIS-ConsoleAuthenticationFailure"
+resource "aws_cloudwatch_log_metric_filter" "console_authn_failure_metric_filter" {
+ name = "ConsoleAuthenticationFailure"
 pattern = "{ (($.eventName = ConsoleLogin)) && ($.errorMessage != \"Failed authentication\") }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-ConsoleAuthenticationFailure"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "ConsoleAuthenticationFailure"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_console_authn_failure_cw_alarm" {
- alarm_name = "CIS-3.6-ConsoleAuthenticationFailure"
+resource "aws_cloudwatch_metric_alarm" "console_authn_failure_cw_alarm" {
+ alarm_name = "ConsoleAuthenticationFailure"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_console_authn_failure_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.console_authn_failure_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive3.tf b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive3.tf
index fbe6f7d4e0e..6b0f7d77065 100644
--- a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive3.tf
+++ b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive3.tf
@@ -1,25 +1,25 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_console_authn_failure_metric_filter" {
- name = "CIS-ConsoleAuthenticationFailure"
+resource "aws_cloudwatch_log_metric_filter" "console_authn_failure_metric_filter" {
+ name = "ConsoleAuthenticationFailure"
 pattern = "{ $.eventName != ConsoleLogin && $.errorMessage = \"Failed authentication\" }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-ConsoleAuthenticationFailure"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "ConsoleAuthenticationFailure"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_console_authn_failure_cw_alarm" {
- alarm_name = "CIS-3.6-ConsoleAuthenticationFailure"
+resource "aws_cloudwatch_metric_alarm" "console_authn_failure_cw_alarm" {
+ alarm_name = "ConsoleAuthenticationFailure"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_console_authn_failure_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.console_authn_failure_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive4.tf b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive4.tf
index 5a80b4d72f4..3442b09275f 100644
--- a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive4.tf
+++ b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive4.tf
@@ -1,25 +1,25 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_console_authn_failure_metric_filter" {
- name = "CIS-ConsoleAuthenticationFailure"
+resource "aws_cloudwatch_log_metric_filter" "console_authn_failure_metric_filter" {
+ name = "ConsoleAuthenticationFailure"
 pattern = "{ $.eventName = ConsoleLogin || $.errorMessage = \"Failed authentication\" }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-ConsoleAuthenticationFailure"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "ConsoleAuthenticationFailure"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_console_authn_failure_cw_alarm" {
- alarm_name = "CIS-3.6-ConsoleAuthenticationFailure"
+resource "aws_cloudwatch_metric_alarm" "console_authn_failure_cw_alarm" {
+ alarm_name = "ConsoleAuthenticationFailure"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_console_authn_failure_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.console_authn_failure_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/negative1.tf b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/negative1.tf
index 65d3e6b4791..7aa3eb6d63b 100644
--- a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/negative1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/negative1.tf
@@ -1,51 +1,51 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" {
- name = "CIS-UnauthorizedAPICalls"
+resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls_metric_filter" {
+ name = "UnauthorizedAPICalls"
 pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
- log_group_name = aws_cloudwatch_log_group.cis_cloudwatch_logsgroup.name
+ log_group_name = aws_cloudwatch_log_group.cloudwatch_logsgroup.name
 metric_transformation {
- name = "CIS-UnauthorizedAPICalls"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "UnauthorizedAPICalls"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" {
- alarm_name = "CIS-3.1-UnauthorizedAPICalls"
+resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls_cw_alarm" {
+ alarm_name = "UnauthorizedAPICalls"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.unauthorized_api_calls_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity."
- alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ alarm_actions = [aws_sns_topic.alerts_sns_topic.arn]
 insufficient_data_actions = []
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" {
- name = "CIS-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin_metric_filter" {
+ name = "ConsoleSigninWithoutMFA"
 pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
- log_group_name = aws_cloudwatch_log_group.cis_cloudwatch_logsgroup.name
+ log_group_name = aws_cloudwatch_log_group.cloudwatch_logsgroup.name
 metric_transformation {
- name = "CIS-ConsoleSigninWithoutMFA"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "ConsoleSigninWithoutMFA"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" {
- alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin_cw_alarm" {
+ alarm_name = "ConsoleSigninWithoutMFA"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.no_mfa_console_signin_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA."
- alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ alarm_actions = [aws_sns_topic.alerts_sns_topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive1.tf b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive1.tf
index 5c6685f461b..481cdea91d5 100644
--- a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive1.tf
@@ -1,50 +1,50 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" {
- name = "CIS-UnauthorizedAPICalls"
+resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls_metric_filter" {
+ name = "UnauthorizedAPICalls"
 pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-UnauthorizedAPICalls"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "UnauthorizedAPICalls"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" {
- alarm_name = "CIS-3.1-UnauthorizedAPICalls"
+resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls_cw_alarm" {
+ alarm_name = "UnauthorizedAPICalls"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.unauthorized_api_calls_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity."
- alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ alarm_actions = [aws_sns_topic.alerts_sns_topic.arn]
 insufficient_data_actions = []
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" {
- name = "CIS-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin_metric_filter" {
+ name = "ConsoleSigninWithoutMFA"
 pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-ConsoleSigninWithoutMFA"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "ConsoleSigninWithoutMFA"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" {
- alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin_cw_alarm" {
+ alarm_name = "ConsoleSigninWithoutMFA"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
 metric_name = "XXXX NOT YOUR FILTER XXXX"
- namespace = "CIS_Metric_Alarm_Namespace"
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA."
- alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ alarm_actions = [aws_sns_topic.alerts_sns_topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive2.tf b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive2.tf
index cf4c10e36a0..3d6a77ccf0a 100644
--- a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive2.tf
+++ b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive2.tf
@@ -1,25 +1,25 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" {
- name = "CIS-UnauthorizedAPICalls"
+resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls_metric_filter" {
+ name = "UnauthorizedAPICalls"
 pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-UnauthorizedAPICalls"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "UnauthorizedAPICalls"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" {
- alarm_name = "CIS-3.1-UnauthorizedAPICalls"
+resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls_cw_alarm" {
+ alarm_name = "UnauthorizedAPICalls"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.unauthorized_api_calls_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity."
- alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ alarm_actions = [aws_sns_topic.alerts_sns_topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive3.tf b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive3.tf
index d0c3ddb4a62..689780b055f 100644
--- a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive3.tf
+++ b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive3.tf
@@ -1,25 +1,25 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" {
- name = "CIS-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin_metric_filter" {
+ name = "ConsoleSigninWithoutMFA"
 pattern = "{ $.additionalEventData.MFAUsed != \"Yes\" }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-ConsoleSigninWithoutMFA"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "ConsoleSigninWithoutMFA"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" {
- alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin_cw_alarm" {
+ alarm_name = "ConsoleSigninWithoutMFA"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.no_mfa_console_signin_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive4.tf b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive4.tf
index 30f41d6711f..d70e2285a6e 100644
--- a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive4.tf
+++ b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive4.tf
@@ -1,25 +1,25 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" {
- name = "CIS-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin_metric_filter" {
+ name = "ConsoleSigninWithoutMFA"
 pattern = "{ ($.eventName = \"ConsoleLogin\") || ($.additionalEventData.MFAUsed != \"Yes\") }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-ConsoleSigninWithoutMFA"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "ConsoleSigninWithoutMFA"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" {
- alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin_cw_alarm" {
+ alarm_name = "ConsoleSigninWithoutMFA"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.no_mfa_console_signin_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/negative1.tf b/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/negative1.tf
index 286a7d65982..8d4dc8aa978 100644
--- a/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/negative1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/negative1.tf
@@ -1,24 +1,24 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_network_gateway_changes_metric_filter" {
- name = "CIS-NetworkGatewayChanges"
+resource "aws_cloudwatch_log_metric_filter" "network_gateway_changes_metric_filter" {
+ name = "NetworkGatewayChanges"
 pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-NetworkGatewayChanges"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "NetworkGatewayChanges"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_network_gateway_changes_cw_alarm" {
- alarm_name = "CIS-3.12-NetworkGatewayChanges"
+resource "aws_cloudwatch_metric_alarm" "network_gateway_changes_cw_alarm" {
+ alarm_name = "NetworkGatewayChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_network_gateway_changes_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.network_gateway_changes_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive1.tf b/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive1.tf
index 5dac18da7d1..8e045e1cc25 100644
--- a/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive1.tf
@@ -1,25 +1,25 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_network_gateway_changes_metric_filter" {
- name = "CIS-NetworkGatewayChanges"
+resource "aws_cloudwatch_log_metric_filter" "network_gateway_changes_metric_filter" {
+ name = "NetworkGatewayChanges"
 pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-NetworkGatewayChanges"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "NetworkGatewayChanges"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_network_gateway_changes_cw_alarm" {
- alarm_name = "CIS-3.12-NetworkGatewayChanges"
+resource "aws_cloudwatch_metric_alarm" "network_gateway_changes_cw_alarm" {
+ alarm_name = "NetworkGatewayChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
 metric_name = "XXXX NOT YOUR FILTER XXXX"
- namespace = "CIS_Metric_Alarm_Namespace"
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive2.tf b/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive2.tf
index cf4c10e36a0..3d6a77ccf0a 100644
--- a/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive2.tf
+++ b/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive2.tf
@@ -1,25 +1,25 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" {
- name = "CIS-UnauthorizedAPICalls"
+resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls_metric_filter" {
+ name = "UnauthorizedAPICalls"
 pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-UnauthorizedAPICalls"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "UnauthorizedAPICalls"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" {
- alarm_name = "CIS-3.1-UnauthorizedAPICalls"
+resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls_cw_alarm" {
+ alarm_name = "UnauthorizedAPICalls"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.unauthorized_api_calls_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity."
- alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ alarm_actions = [aws_sns_topic.alerts_sns_topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive3.tf b/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive3.tf
index 6f0a03b6b7d..2c31091a72b 100644
--- a/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive3.tf
+++ b/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive3.tf
@@ -1,24 +1,24 @@ -resource "aws_cloudwatch_log_metric_filter" "cis_network_gateway_changes_metric_filter" { - name = "CIS-NetworkGatewayChanges" +resource "aws_cloudwatch_log_metric_filter" "network_gateway_changes_metric_filter" { + name = "NetworkGatewayChanges" pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DetachInternetGateway) }" - log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name metric_transformation { - name = "CIS-NetworkGatewayChanges" - namespace = "CIS_Metric_Alarm_Namespace" + name = "NetworkGatewayChanges" + namespace = "Metric_Alarm_Namespace" value = "1" } } -resource "aws_cloudwatch_metric_alarm" "cis_network_gateway_changes_cw_alarm" { - alarm_name = "CIS-3.12-NetworkGatewayChanges" +resource "aws_cloudwatch_metric_alarm" "network_gateway_changes_cw_alarm" { + alarm_name = "NetworkGatewayChanges" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" - metric_name = aws_cloudwatch_log_metric_filter.cis_network_gateway_changes_metric_filter.id - namespace = "CIS_Metric_Alarm_Namespace" + metric_name = aws_cloudwatch_log_metric_filter.network_gateway_changes_metric_filter.id + namespace = "Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path." - alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn] insufficient_data_actions = [] } diff --git a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/negative1.tf b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/negative1.tf index 23f6843ad7b..190702313d2 100644 --- a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/negative1.tf 
+++ b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/negative1.tf 
@@ -1,51 +1,51 @@ -resource "aws_cloudwatch_log_metric_filter" "cis_root_account_use_metric_filter" { - name = "CIS-RootAccountUsage" +resource "aws_cloudwatch_log_metric_filter" "root_account_use_metric_filter" { + name = "RootAccountUsage" pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }" - log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name metric_transformation { - name = "CIS-RootAccountUsage" - namespace = "CIS_Metric_Alarm_Namespace" + name = "RootAccountUsage" + namespace = "Metric_Alarm_Namespace" value = "1" } } -resource "aws_cloudwatch_metric_alarm" "CIS_Root_Account_Use_CW_Alarm" { - alarm_name = "CIS-3.3-RootAccountUsage" +resource "aws_cloudwatch_metric_alarm" "Root_Account_Use_CW_Alarm" { + alarm_name = "RootAccountUsage" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" - metric_name = aws_cloudwatch_log_metric_filter.cis_root_account_use_metric_filter.id - namespace = "CIS_Metric_Alarm_Namespace" + metric_name = aws_cloudwatch_log_metric_filter.root_account_use_metric_filter.id + namespace = "Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it." 
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn] insufficient_data_actions = [] } -resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" { - name = "CIS-ConsoleSigninWithoutMFA" +resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin_metric_filter" { + name = "ConsoleSigninWithoutMFA" pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }" - log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name metric_transformation { - name = "CIS-ConsoleSigninWithoutMFA" - namespace = "CIS_Metric_Alarm_Namespace" + name = "ConsoleSigninWithoutMFA" + namespace = "Metric_Alarm_Namespace" value = "1" } } -resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { - alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA" +resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin_cw_alarm" { + alarm_name = "ConsoleSigninWithoutMFA" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" - metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id - namespace = "CIS_Metric_Alarm_Namespace" + metric_name = aws_cloudwatch_log_metric_filter.no_mfa_console_signin_metric_filter.id + namespace = "Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA." - alarm_actions = ["aws_sns_topic.CIS_Alerts_SNS_Topic.arn"] + alarm_actions = ["aws_sns_topic.Alerts_SNS_Topic.arn"] insufficient_data_actions = [] } diff --git a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive1.tf b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive1.tf index c2a4bbe07b8..0900b9630cf 100644 
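Review bot: `alarm_actions = ["aws_sns_topic.Alerts_SNS_Topic.arn"]` on the no-MFA console sign-in alarm in this negative fixture is a quoted string literal, not a resource reference, so the alarm is wired to the literal text rather than to a topic ARN; the rename kept the quotes. Every sibling fixture in this change (positive1.tf in the same directory, and the network-gateway and route-table fixtures) writes the same attribute as `alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]`. Whether the query inspects the contents of `alarm_actions` is not visible from these hunks, but a negative fixture is the compliant example and should model a correctly wired alarm, so I would drop the quotes here for consistency.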
--- a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive1.tf +++ b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive1.tf 
@@ -1,52 +1,52 @@ -resource "aws_cloudwatch_log_metric_filter" "cis_root_account_use_metric_filter" { - name = "CIS-RootAccountUsage" +resource "aws_cloudwatch_log_metric_filter" "root_account_use_metric_filter" { + name = "RootAccountUsage" pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }" - log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name metric_transformation { - name = "CIS-RootAccountUsage" - namespace = "CIS_Metric_Alarm_Namespace" + name = "RootAccountUsage" + namespace = "Metric_Alarm_Namespace" value = "1" } } -resource "aws_cloudwatch_metric_alarm" "cis_root_account_use_cw_alarm" { - alarm_name = "CIS-3.3-RootAccountUsage" +resource "aws_cloudwatch_metric_alarm" "root_account_use_cw_alarm" { + alarm_name = "RootAccountUsage" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" metric_name = "XXX NOT YOUR FILTER XXX" - namespace = "CIS_Metric_Alarm_Namespace" + namespace = "Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it." 
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn] insufficient_data_actions = [] } -resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" { - name = "CIS-ConsoleSigninWithoutMFA" +resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin_metric_filter" { + name = "ConsoleSigninWithoutMFA" pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }" - log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name metric_transformation { - name = "CIS-ConsoleSigninWithoutMFA" - namespace = "CIS_Metric_Alarm_Namespace" + name = "ConsoleSigninWithoutMFA" + namespace = "Metric_Alarm_Namespace" value = "1" } } -resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { - alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA" +resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin_cw_alarm" { + alarm_name = "ConsoleSigninWithoutMFA" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" - metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id - namespace = "CIS_Metric_Alarm_Namespace" + metric_name = aws_cloudwatch_log_metric_filter.no_mfa_console_signin_metric_filter.id + namespace = "Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA." - alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn] insufficient_data_actions = [] } diff --git a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive2.tf b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive2.tf index ac118fa4b77..32192c7cbd3 100644 
--- a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive2.tf +++ b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive2.tf @@ -1,25 +1,25 @@ -resource "aws_cloudwatch_log_metric_filter" "cis_root_account_use_metric_filter" { - name = "CIS-RootAccountUsage" +resource "aws_cloudwatch_log_metric_filter" "root_account_use_metric_filter" { + name = "RootAccountUsage" pattern = "{ $.userIdentity.type = \"Root\" && $.eventType != \"AwsServiceEvent\" }" - log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name metric_transformation { - name = "CIS-RootAccountUsage" - namespace = "CIS_Metric_Alarm_Namespace" + name = "RootAccountUsage" + namespace = "Metric_Alarm_Namespace" value = "1" } } -resource "aws_cloudwatch_metric_alarm" "cis_root_account_use_cw_alarm" { - alarm_name = "CIS-3.3-RootAccountUsage" +resource "aws_cloudwatch_metric_alarm" "root_account_use_cw_alarm" { + alarm_name = "RootAccountUsage" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" - metric_name = aws_cloudwatch_log_metric_filter.cis_root_account_use_metric_filter.id - namespace = "CIS_Metric_Alarm_Namespace" + metric_name = aws_cloudwatch_log_metric_filter.root_account_use_metric_filter.id + namespace = "Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it." - alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn] insufficient_data_actions = [] } diff --git a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive3.tf b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive3.tf index 47e83bc803d..3170bfe7ce9 100644 
--- a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive3.tf +++ b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive3.tf @@ -1,25 +1,25 @@ -resource "aws_cloudwatch_log_metric_filter" "cis_root_account_use_metric_filter" { - name = "CIS-RootAccountUsage" +resource "aws_cloudwatch_log_metric_filter" "root_account_use_metric_filter" { + name = "RootAccountUsage" pattern = "{ $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }" - log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name metric_transformation { - name = "CIS-RootAccountUsage" - namespace = "CIS_Metric_Alarm_Namespace" + name = "RootAccountUsage" + namespace = "Metric_Alarm_Namespace" value = "1" } } -resource "aws_cloudwatch_metric_alarm" "cis_root_account_use_cw_alarm" { - alarm_name = "CIS-3.3-RootAccountUsage" +resource "aws_cloudwatch_metric_alarm" "root_account_use_cw_alarm" { + alarm_name = "RootAccountUsage" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" - metric_name = aws_cloudwatch_log_metric_filter.cis_root_account_use_metric_filter.id - namespace = "CIS_Metric_Alarm_Namespace" + metric_name = aws_cloudwatch_log_metric_filter.root_account_use_metric_filter.id + namespace = "Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it." - alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn] insufficient_data_actions = [] } diff --git a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive4.tf b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive4.tf index 9892cfe360e..54e3d51a21d 100644 
--- a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive4.tf +++ b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive4.tf @@ -1,25 +1,25 @@ -resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { - alarm_name = "CIS-3.1-UnauthorizedAPICalls" +resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls_cw_alarm" { + alarm_name = "UnauthorizedAPICalls" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" - metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id - namespace = "CIS_Metric_Alarm_Namespace" + metric_name = aws_cloudwatch_log_metric_filter.unauthorized_api_calls_metric_filter.id + namespace = "Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity." - alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn] insufficient_data_actions = [] } -resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { - name = "CIS-UnauthorizedAPICalls" +resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls_metric_filter" { + name = "UnauthorizedAPICalls" pattern = "{ $.userIdentity.type = \"Root\" || $.eventType != \"AwsServiceEvent\" }" - log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name metric_transformation { - name = "CIS-UnauthorizedAPICalls" - namespace = "CIS_Metric_Alarm_Namespace" + name = "UnauthorizedAPICalls" + namespace = "Metric_Alarm_Namespace" value = "1" } } 
diff --git a/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/negative1.tf b/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/negative1.tf index 5669dd12003..aee73e329c5 100644 --- a/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/negative1.tf +++ b/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/negative1.tf 
@@ -1,24 +1,24 @@ -resource "aws_cloudwatch_log_metric_filter" "cis_route_table_changes_metric_filter" { - name = "CIS-RouteTableChanges" +resource "aws_cloudwatch_log_metric_filter" "route_table_changes_metric_filter" { + name = "RouteTableChanges" pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }" - log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name metric_transformation { - name = "CIS-RouteTableChanges" - namespace = "CIS_Metric_Alarm_Namespace" + name = "RouteTableChanges" + namespace = "Metric_Alarm_Namespace" value = "1" } } -resource "aws_cloudwatch_metric_alarm" "cis_route_table_changes_cw_alarm" { - alarm_name = "CIS-3.13-RouteTableChanges" +resource "aws_cloudwatch_metric_alarm" "route_table_changes_cw_alarm" { + alarm_name = "RouteTableChanges" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" - metric_name = aws_cloudwatch_log_metric_filter.cis_route_table_changes_metric_filter.id - namespace = "CIS_Metric_Alarm_Namespace" + metric_name = aws_cloudwatch_log_metric_filter.route_table_changes_metric_filter.id + namespace = "Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path." - alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn] insufficient_data_actions = [] } diff --git a/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive1.tf b/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive1.tf index dad93e84460..e5f25445e07 100644 
--- a/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive1.tf +++ b/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive1.tf @@ -1,24 +1,24 @@ -resource "aws_cloudwatch_log_metric_filter" "cis_route_table_changes_metric_filter" { - name = "CIS-RouteTableChanges" +resource "aws_cloudwatch_log_metric_filter" "route_table_changes_metric_filter" { + name = "RouteTableChanges" pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }" - log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name metric_transformation { - name = "CIS-RouteTableChanges" - namespace = "CIS_Metric_Alarm_Namespace" + name = "RouteTableChanges" + namespace = "Metric_Alarm_Namespace" value = "1" } } -resource "aws_cloudwatch_metric_alarm" "cis_route_table_changes_cw_alarm" { - alarm_name = "CIS-3.13-RouteTableChanges" +resource "aws_cloudwatch_metric_alarm" "route_table_changes_cw_alarm" { + alarm_name = "RouteTableChanges" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" metric_name = "XXXX NOT YOUR FILTER XXXX" - namespace = "CIS_Metric_Alarm_Namespace" + namespace = "Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path." - alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn] insufficient_data_actions = [] } 
diff --git a/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive2.tf b/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive2.tf index cf4c10e36a0..3d6a77ccf0a 100644 --- a/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive2.tf +++ b/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive2.tf 
@@ -1,25 +1,25 @@ -resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { - name = "CIS-UnauthorizedAPICalls" +resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls_metric_filter" { + name = "UnauthorizedAPICalls" pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }" - log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name metric_transformation { - name = "CIS-UnauthorizedAPICalls" - namespace = "CIS_Metric_Alarm_Namespace" + name = "UnauthorizedAPICalls" + namespace = "Metric_Alarm_Namespace" value = "1" } } -resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { - alarm_name = "CIS-3.1-UnauthorizedAPICalls" +resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls_cw_alarm" { + alarm_name = "UnauthorizedAPICalls" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" - metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id - namespace = "CIS_Metric_Alarm_Namespace" + metric_name = aws_cloudwatch_log_metric_filter.unauthorized_api_calls_metric_filter.id + namespace = "Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity." - alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn] + alarm_actions = [aws_sns_topic.alerts_sns_topic.arn] insufficient_data_actions = [] } diff --git a/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive3.tf b/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive3.tf index 4b30c32a4ba..7dac87b158e 100644 --- a/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive3.tf 
+++ b/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive3.tf @@ -1,24 +1,24 @@ -resource "aws_cloudwatch_log_metric_filter" "cis_route_table_changes_metric_filter" { - name = "CIS-RouteTableChanges" +resource "aws_cloudwatch_log_metric_filter" "route_table_changes_metric_filter" { + name = "RouteTableChanges" pattern = "{ ($.eventName = CreateRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }" - log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name metric_transformation { - name = "CIS-RouteTableChanges" - namespace = "CIS_Metric_Alarm_Namespace" + name = "RouteTableChanges" + namespace = "Metric_Alarm_Namespace" value = "1" } } -resource "aws_cloudwatch_metric_alarm" "cis_route_table_changes_cw_alarm" { - alarm_name = "CIS-3.13-RouteTableChanges" +resource "aws_cloudwatch_metric_alarm" "route_table_changes_cw_alarm" { + alarm_name = "RouteTableChanges" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" - metric_name = aws_cloudwatch_log_metric_filter.cis_route_table_changes_metric_filter.id - namespace = "CIS_Metric_Alarm_Namespace" + metric_name = aws_cloudwatch_log_metric_filter.route_table_changes_metric_filter.id + namespace = "Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path." - alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn] insufficient_data_actions = [] } diff --git a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/negative1.tf b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/negative1.tf index 946b52780c1..c2076493d94 100644 
--- a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/negative1.tf +++ b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/negative1.tf 
@@ -1,51 +1,51 @@ -resource "aws_cloudwatch_log_metric_filter" "cis_s3_bucket_policy_change_metric_filter" { - name = "CIS-S3BucketPolicyChanges" +resource "aws_cloudwatch_log_metric_filter" "s3_bucket_policy_change_metric_filter" { + name = "S3BucketPolicyChanges" pattern = "{ ($.eventSource = \"s3.amazonaws.com\") && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }" - log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name metric_transformation { - name = "CIS-S3BucketPolicyChanges" - namespace = "CIS_Metric_Alarm_Namespace" + name = "S3BucketPolicyChanges" + namespace = "Metric_Alarm_Namespace" value = "1" } } -resource "aws_cloudwatch_metric_alarm" "cis_s3_bucket_policy_change_cw_alarm" { - alarm_name = "CIS-3.8-S3BucketPolicyChanges" +resource "aws_cloudwatch_metric_alarm" "s3_bucket_policy_change_cw_alarm" { + alarm_name = "S3BucketPolicyChanges" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" - metric_name = aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter.id - namespace = "CIS_Metric_Alarm_Namespace" + metric_name = aws_cloudwatch_log_metric_filter.s3_bucket_policy_change_metric_filter.id + namespace = "Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets." 
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn] insufficient_data_actions = [] } -resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" { - name = "CIS-ConsoleSigninWithoutMFA" +resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin_metric_filter" { + name = "ConsoleSigninWithoutMFA" pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }" - log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name metric_transformation { - name = "CIS-ConsoleSigninWithoutMFA" - namespace = "CIS_Metric_Alarm_Namespace" + name = "ConsoleSigninWithoutMFA" + namespace = "Metric_Alarm_Namespace" value = "1" } } -resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { - alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA" +resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin_cw_alarm" { + alarm_name = "ConsoleSigninWithoutMFA" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" - metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id - namespace = "CIS_Metric_Alarm_Namespace" + metric_name = aws_cloudwatch_log_metric_filter.no_mfa_console_signin_metric_filter.id + namespace = "Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA." - alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn] insufficient_data_actions = [] } diff --git a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive1.tf b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive1.tf index d67b5b58be6..13a49720b01 100644 
--- a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive1.tf +++ b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive1.tf 
@@ -1,52 +1,52 @@ -resource "aws_cloudwatch_log_metric_filter" "cis_s3_bucket_policy_change_metric_filter" { - name = "CIS-S3BucketPolicyChanges" +resource "aws_cloudwatch_log_metric_filter" "s3_bucket_policy_change_metric_filter" { + name = "S3BucketPolicyChanges" pattern = "{ ($.eventSource = \"s3.amazonaws.com\") || (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }" - log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name metric_transformation { - name = "CIS-S3BucketPolicyChanges" - namespace = "CIS_Metric_Alarm_Namespace" + name = "S3BucketPolicyChanges" + namespace = "Metric_Alarm_Namespace" value = "1" } } -resource "aws_cloudwatch_metric_alarm" "cis_s3_bucket_policy_change_cw_alarm" { - alarm_name = "CIS-3.8-S3BucketPolicyChanges" +resource "aws_cloudwatch_metric_alarm" "s3_bucket_policy_change_cw_alarm" { + alarm_name = "S3BucketPolicyChanges" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" metric_name = "XXX NOT YOUR FILTER" - namespace = "CIS_Metric_Alarm_Namespace" + namespace = "Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets." 
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn] insufficient_data_actions = [] } -resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" { - name = "CIS-ConsoleSigninWithoutMFA" +resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin_metric_filter" { + name = "ConsoleSigninWithoutMFA" pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }" - log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name metric_transformation { - name = "CIS-ConsoleSigninWithoutMFA" - namespace = "CIS_Metric_Alarm_Namespace" + name = "ConsoleSigninWithoutMFA" + namespace = "Metric_Alarm_Namespace" value = "1" } } -resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { - alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA" +resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin_cw_alarm" { + alarm_name = "ConsoleSigninWithoutMFA" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" - metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id - namespace = "CIS_Metric_Alarm_Namespace" + metric_name = aws_cloudwatch_log_metric_filter.no_mfa_console_signin_metric_filter.id + namespace = "Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA." - alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn] insufficient_data_actions = [] } diff --git a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive2.tf b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive2.tf index b8905e6cc3c..c68f141f7f8 100644 
--- a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive2.tf +++ b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive2.tf 
@@ -1,25 +1,25 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_s3_bucket_policy_change_metric_filter" {
- name = "CIS-S3BucketPolicyChanges"
+resource "aws_cloudwatch_log_metric_filter" "s3_bucket_policy_change_metric_filter" {
+ name = "S3BucketPolicyChanges"
 pattern = "{ ($.eventSource = \"s3.amazonaws.com\") && (($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-S3BucketPolicyChanges"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "S3BucketPolicyChanges"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "CIS_S3_Bucket_Policy_Change_CW_Alarm" {
- alarm_name = "CIS-3.8-S3BucketPolicyChanges"
+resource "aws_cloudwatch_metric_alarm" "S3_Bucket_Policy_Change_CW_Alarm" {
+ alarm_name = "S3BucketPolicyChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.s3_bucket_policy_change_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive3.tf b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive3.tf
index e490ed6b493..2eb79e147b8 100644
--- a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive3.tf
+++ b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive3.tf
@@ -1,25 +1,25 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_s3_bucket_policy_change_metric_filter" {
- name = "CIS-S3BucketPolicyChanges"
+resource "aws_cloudwatch_log_metric_filter" "s3_bucket_policy_change_metric_filter" {
+ name = "S3BucketPolicyChanges"
 pattern = "{ ($.eventSource = \"s3.amazonaws.com\") && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-S3BucketPolicyChanges"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "S3BucketPolicyChanges"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "CIS_S3_Bucket_Policy_Change_CW_Alarm" {
- alarm_name = "CIS-3.8-S3BucketPolicyChanges"
+resource "aws_cloudwatch_metric_alarm" "S3_Bucket_Policy_Change_CW_Alarm" {
+ alarm_name = "S3BucketPolicyChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.s3_bucket_policy_change_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive4.tf b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive4.tf
index 4abdf0f7bf3..95d273cc5fa 100644
--- a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive4.tf
+++ b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive4.tf
@@ -1,25 +1,25 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_s3_bucket_policy_change_metric_filter" {
- name = "CIS-S3BucketPolicyChanges"
+resource "aws_cloudwatch_log_metric_filter" "s3_bucket_policy_change_metric_filter" {
+ name = "S3BucketPolicyChanges"
 pattern = "{ $.eventSource = \"s3.amazonaws.com\" }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-S3BucketPolicyChanges"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "S3BucketPolicyChanges"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "CIS_S3_Bucket_Policy_Change_CW_Alarm" {
- alarm_name = "CIS-3.8-S3BucketPolicyChanges"
+resource "aws_cloudwatch_metric_alarm" "S3_Bucket_Policy_Change_CW_Alarm" {
+ alarm_name = "S3BucketPolicyChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.s3_bucket_policy_change_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/negative1.tf b/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/negative1.tf
index b299894cb3d..67b60a15e86 100644
--- a/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/negative1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/negative1.tf
@@ -1,24 +1,24 @@
-resource "aws_cloudwatch_log_metric_filter" "CIS_Security_Group_Changes_Metric_Filter" {
- name = "CIS-SecurityGroupChanges"
+resource "aws_cloudwatch_log_metric_filter" "Security_Group_Changes_Metric_Filter" {
+ name = "SecurityGroupChanges"
 pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-SecurityGroupChanges"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "SecurityGroupChanges"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "CIS_Security_Group_Changes_CW_Alarm" {
- alarm_name = "CIS-3.10-SecurityGroupChanges"
+resource "aws_cloudwatch_metric_alarm" "Security_Group_Changes_CW_Alarm" {
+ alarm_name = "SecurityGroupChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.CIS_Security_Group_Changes_Metric_Filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.Security_Group_Changes_Metric_Filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive1.tf b/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive1.tf
index 9f590e3edc9..84749c08d2d 100644
--- a/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive1.tf
@@ -1,24 +1,24 @@
-resource "aws_cloudwatch_log_metric_filter" "CIS_Security_Group_Changes_Metric_Filter" {
- name = "CIS-SecurityGroupChanges"
+resource "aws_cloudwatch_log_metric_filter" "Security_Group_Changes_Metric_Filter" {
+ name = "SecurityGroupChanges"
 pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-SecurityGroupChanges"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "SecurityGroupChanges"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "CIS_Security_Group_Changes_CW_Alarm" {
- alarm_name = "CIS-3.10-SecurityGroupChanges"
+resource "aws_cloudwatch_metric_alarm" "Security_Group_Changes_CW_Alarm" {
+ alarm_name = "SecurityGroupChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
 metric_name = "XXXX NOT YOUR FILTER XXXX"
- namespace = "CIS_Metric_Alarm_Namespace"
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive2.tf b/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive2.tf
index cf4c10e36a0..3d6a77ccf0a 100644
--- a/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive2.tf
+++ b/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive2.tf
@@ -1,25 +1,25 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" {
- name = "CIS-UnauthorizedAPICalls"
+resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls_metric_filter" {
+ name = "UnauthorizedAPICalls"
 pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-UnauthorizedAPICalls"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "UnauthorizedAPICalls"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" {
- alarm_name = "CIS-3.1-UnauthorizedAPICalls"
+resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls_cw_alarm" {
+ alarm_name = "UnauthorizedAPICalls"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.unauthorized_api_calls_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity."
- alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ alarm_actions = [aws_sns_topic.alerts_sns_topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive3.tf b/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive3.tf
index fc0f552688f..ee5a79b38c6 100644
--- a/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive3.tf
+++ b/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive3.tf
@@ -1,24 +1,24 @@
-resource "aws_cloudwatch_log_metric_filter" "CIS_Security_Group_Changes_Metric_Filter" {
- name = "CIS-SecurityGroupChanges"
+resource "aws_cloudwatch_log_metric_filter" "Security_Group_Changes_Metric_Filter" {
+ name = "SecurityGroupChanges"
 pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-SecurityGroupChanges"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "SecurityGroupChanges"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "CIS_Security_Group_Changes_CW_Alarm" {
- alarm_name = "CIS-3.10-SecurityGroupChanges"
+resource "aws_cloudwatch_metric_alarm" "Security_Group_Changes_CW_Alarm" {
+ alarm_name = "SecurityGroupChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.CIS_Security_Group_Changes_Metric_Filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.Security_Group_Changes_Metric_Filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/negative1.tf b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/negative1.tf
index 34acd403aa9..17f35d69885 100644
--- a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/negative1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/negative1.tf
@@ -1,51 +1,51 @@
-resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" {
- alarm_name = "CIS-3.1-UnauthorizedAPICalls"
+resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls_cw_alarm" {
+ alarm_name = "UnauthorizedAPICalls"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.unauthorized_api_calls_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" {
- name = "CIS-UnauthorizedAPICalls"
+resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls_metric_filter" {
+ name = "UnauthorizedAPICalls"
 pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-UnauthorizedAPICalls"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "UnauthorizedAPICalls"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" {
- name = "CIS-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin_metric_filter" {
+ name = "ConsoleSigninWithoutMFA"
 pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-ConsoleSigninWithoutMFA"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "ConsoleSigninWithoutMFA"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" {
- alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin_cw_alarm" {
+ alarm_name = "ConsoleSigninWithoutMFA"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.no_mfa_console_signin_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA."
- alarm_actions = ["aws_sns_topic.CIS_Alerts_SNS_Topic.arn"]
+ alarm_actions = ["aws_sns_topic.Alerts_SNS_Topic.arn"]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive1.tf b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive1.tf
index 686dd18c287..85c37db2f42 100644
--- a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive1.tf
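Review bot: In negative1.tf the last resource's `alarm_actions` keeps a quoted string, `+ alarm_actions = ["aws_sns_topic.Alerts_SNS_Topic.arn"]`, so it is a string literal rather than a reference to the SNS topic, while every other fixture in this diff uses the unquoted `aws_sns_topic.Alerts_SNS_Topic.arn`. The commit rewrites this line but only renames the text inside the quotes. Since this is a negative fixture, the literal probably does not change the query outcome, but it makes the file an inconsistent example of a correctly wired alarm; unless the quoting is deliberate, the line should read `alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]`.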
@@ -1,51 +1,51 @@
-resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" {
- alarm_name = "CIS-3.1-UnauthorizedAPICalls"
+resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls_cw_alarm" {
+ alarm_name = "UnauthorizedAPICalls"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
 metric_name = "XXXX NOT YOUR FILTER XXXX"
- namespace = "CIS_Metric_Alarm_Namespace"
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" {
- name = "CIS-UnauthorizedAPICalls"
+resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls_metric_filter" {
+ name = "UnauthorizedAPICalls"
 pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-UnauthorizedAPICalls"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "UnauthorizedAPICalls"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" {
- name = "CIS-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin_metric_filter" {
+ name = "ConsoleSigninWithoutMFA"
 pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-ConsoleSigninWithoutMFA"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "ConsoleSigninWithoutMFA"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" {
- alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin_cw_alarm" {
+ alarm_name = "ConsoleSigninWithoutMFA"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.no_mfa_console_signin_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive2.tf b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive2.tf
index 607c5c5fd96..86f2cc1cd13 100644
--- a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive2.tf
+++ b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive2.tf
@@ -1,25 +1,25 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" {
- name = "CIS-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin_metric_filter" {
+ name = "ConsoleSigninWithoutMFA"
 pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-ConsoleSigninWithoutMFA"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "ConsoleSigninWithoutMFA"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" {
- alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin_cw_alarm" {
+ alarm_name = "ConsoleSigninWithoutMFA"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.no_mfa_console_signin_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive3.tf b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive3.tf
index 96d95a93224..685137b3b23 100644
--- a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive3.tf
+++ b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive3.tf
@@ -1,25 +1,25 @@
-resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" {
- alarm_name = "CIS-3.1-UnauthorizedAPICalls"
+resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls_cw_alarm" {
+ alarm_name = "UnauthorizedAPICalls"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.unauthorized_api_calls_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" {
- name = "CIS-UnauthorizedAPICalls"
+resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls_metric_filter" {
+ name = "UnauthorizedAPICalls"
 pattern = "{ $.errorCode = \"AccessDenied*\" }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-UnauthorizedAPICalls"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "UnauthorizedAPICalls"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive4.tf b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive4.tf
index 10edf9f5beb..69f201da5a0 100644
--- a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive4.tf
+++ b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive4.tf
@@ -1,25 +1,25 @@
-resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" {
- alarm_name = "CIS-3.1-UnauthorizedAPICalls"
+resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls_cw_alarm" {
+ alarm_name = "UnauthorizedAPICalls"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.unauthorized_api_calls_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
-resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" {
- name = "CIS-UnauthorizedAPICalls"
+resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls_metric_filter" {
+ name = "UnauthorizedAPICalls"
 pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") && ($.errorCode = \"AccessDenied*\") }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-UnauthorizedAPICalls"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "UnauthorizedAPICalls"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/negative1.tf b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/negative1.tf
index d449d401432..70f5c98e610 100644
--- a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/negative1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/negative1.tf
@@ -1,24 +1,24 @@
-resource "aws_cloudwatch_log_metric_filter" "CIS_VPC_Changes_Metric_Filter" {
- name = "CIS-VPCChanges"
+resource "aws_cloudwatch_log_metric_filter" "VPC_Changes_Metric_Filter" {
+ name = "VPCChanges"
 pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-VPCChanges"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "VPCChanges"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "CIS_VPC_Changes_CW_Alarm" {
- alarm_name = "CIS-3.14-VPCChanges"
+resource "aws_cloudwatch_metric_alarm" "VPC_Changes_CW_Alarm" {
+ alarm_name = "VPCChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.CIS_VPC_Changes_Metric_Filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.VPC_Changes_Metric_Filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring changes to VPC will help ensure that all VPC traffic flows through an expected path."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive1.tf b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive1.tf
index fb45a332370..4beef4ff53e 100644
--- a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive1.tf
+++ b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive1.tf
@@ -1,24 +1,24 @@
-resource "aws_cloudwatch_log_metric_filter" "CIS_VPC_Changes_Metric_Filter" {
- name = "CIS-VPCChanges"
+resource "aws_cloudwatch_log_metric_filter" "VPC_Changes_Metric_Filter" {
+ name = "VPCChanges"
 pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-VPCChanges"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "VPCChanges"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "CIS_VPC_Changes_CW_Alarm" {
- alarm_name = "CIS-3.14-VPCChanges"
+resource "aws_cloudwatch_metric_alarm" "VPC_Changes_CW_Alarm" {
+ alarm_name = "VPCChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
 metric_name = "XXXX NOT YOUR FILTER XXXX"
- namespace = "CIS_Metric_Alarm_Namespace"
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring changes to VPC will help ensure that all VPC traffic flows through an expected path."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive2.tf b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive2.tf
index 607c5c5fd96..86f2cc1cd13 100644
--- a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive2.tf
+++ b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive2.tf
@@ -1,25 +1,25 @@
-resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" {
- name = "CIS-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin_metric_filter" {
+ name = "ConsoleSigninWithoutMFA"
 pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-ConsoleSigninWithoutMFA"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "ConsoleSigninWithoutMFA"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" {
- alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA"
+resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin_cw_alarm" {
+ alarm_name = "ConsoleSigninWithoutMFA"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.no_mfa_console_signin_metric_filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive3.tf b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive3.tf
index 587b9f2583b..904e8740bce 100644
--- a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive3.tf
+++ b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive3.tf
@@ -1,24 +1,24 @@
-resource "aws_cloudwatch_log_metric_filter" "CIS_VPC_Changes_Metric_Filter" {
- name = "CIS-VPCChanges"
+resource "aws_cloudwatch_log_metric_filter" "VPC_Changes_Metric_Filter" {
+ name = "VPCChanges"
 pattern = "{ ($.eventName = CreateVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = EnableVpcClassicLink) }"
- log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+ log_group_name = aws_cloudwatch_log_group.CloudWatch_LogsGroup.name
 metric_transformation {
- name = "CIS-VPCChanges"
- namespace = "CIS_Metric_Alarm_Namespace"
+ name = "VPCChanges"
+ namespace = "Metric_Alarm_Namespace"
 value = "1"
 }
 }
-resource "aws_cloudwatch_metric_alarm" "CIS_VPC_Changes_CW_Alarm" {
- alarm_name = "CIS-3.14-VPCChanges"
+resource "aws_cloudwatch_metric_alarm" "VPC_Changes_CW_Alarm" {
+ alarm_name = "VPCChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
 evaluation_periods = "1"
- metric_name = aws_cloudwatch_log_metric_filter.CIS_VPC_Changes_Metric_Filter.id
- namespace = "CIS_Metric_Alarm_Namespace"
+ metric_name = aws_cloudwatch_log_metric_filter.VPC_Changes_Metric_Filter.id
+ namespace = "Metric_Alarm_Namespace"
 period = "300"
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring changes to VPC will help ensure that all VPC traffic flows through an expected path."
- alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ alarm_actions = [aws_sns_topic.Alerts_SNS_Topic.arn]
 insufficient_data_actions = []
 }
diff --git a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/negative1.tf b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/negative1.tf
index b5f3c58447e..f742dd4473d 100644
--- a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/negative1.tf
+++ b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/negative1.tf
@@ -40,7 +40,7 @@ resource "aws_vpc" "vpc1" {
 tags = {
 Name = "tf-test-vpc-1"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -51,7 +51,7 @@ resource "aws_subnet" "public" {
 tags = {
 Name = "public-subnet-1"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -62,7 +62,7 @@ resource "aws_subnet" "private" {
 tags = {
 Name = "private-subnet-1"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -71,7 +71,7 @@ resource "aws_vpc" "vpc2" {
 tags = {
 Name = "tf-test-vpc-2"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -80,7 +80,7 @@ resource "aws_internet_gateway" "igw" {
 tags = {
 Name = "igw"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -92,7 +92,7 @@ resource "aws_nat_gateway" "nat" {
 tags = {
 Name = "nat"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 depends_on = [aws_internet_gateway.igw]
@@ -108,7 +108,7 @@ resource "aws_vpc_peering_connection" "my_peering" {
 tags = {
 Name = "VPC Peering between vpc1 and vpc2"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -122,7 +122,7 @@ resource "aws_route_table" "public_route_table" {
 tags = {
 Name = "public_route_table"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -136,7 +136,7 @@ resource "aws_route_table" "private_route_table" {
 tags = {
 Name = "private_route_table"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
diff --git a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/negative2.tf b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/negative2.tf
index 61540723b12..218acec85e7 100644
--- a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/negative2.tf
+++ b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/negative2.tf
@@ -39,7 +39,7 @@ resource "aws_vpc" "vpc1" {
 cidr_block = var.vpc_1_cidr_block
 tags = {
 Name = "tf-test-vpc-2"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -51,7 +51,7 @@ resource "aws_subnet" "public" {
 tags = {
 Name = "public-subnet-1"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -62,7 +62,7 @@ resource "aws_subnet" "private" {
 tags = {
 Name = "private-subnet-1"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -70,7 +70,7 @@ resource "aws_vpc" "vpc2" {
 cidr_block = var.vpc_2_cidr_block
 tags = {
 Name = "tf-test-vpc-2"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -79,7 +79,7 @@ resource "aws_internet_gateway" "igw" {
 tags = {
 Name = "igw"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -91,7 +91,7 @@ resource "aws_nat_gateway" "nat" {
 tags = {
 Name = "nat"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 depends_on = [aws_internet_gateway.igw]
@@ -107,7 +107,7 @@ resource "aws_vpc_peering_connection" "my_peering" {
 tags = {
 Name = "VPC Peering between vpc1 and vpc2"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -117,7 +117,7 @@ resource "aws_route_table" "public_route_table2" {
 tags = {
 Name = "public-route-table"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -125,7 +125,7 @@ resource "aws_route_table" "private_route_table" {
 vpc_id = aws_vpc.vpc1.id
 tags = {
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
diff --git a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/negative3.tf b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/negative3.tf
index ae4cb5f09ae..11cf10c0b7f 100644
--- a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/negative3.tf
+++ b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/negative3.tf
@@ -40,7 +40,7 @@ resource "aws_vpc" "vpc1" {
 tags = {
 Name = "tf-test-vpc-1"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -51,7 +51,7 @@ resource "aws_subnet" "public" {
 tags = {
 Name = "public-subnet-1"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -62,7 +62,7 @@ resource "aws_subnet" "private" {
 tags = {
 Name = "private-subnet-1"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -71,7 +71,7 @@ resource "aws_vpc" "vpc2" {
 tags = {
 Name = "tf-test-vpc-2"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -80,7 +80,7 @@ resource "aws_internet_gateway" "igw" {
 tags = {
 Name = "igw"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -92,7 +92,7 @@ resource "aws_nat_gateway" "nat" {
 tags = {
 Name = "nat"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 depends_on = [aws_internet_gateway.igw]
@@ -108,7 +108,7 @@ resource "aws_vpc_peering_connection" "my_peering" {
 tags = {
 Name = "VPC Peering between vpc1 and vpc2"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -134,11 +134,11 @@ resource "aws_route_table" "public_route_table" {
 }
 ]
-
+
 tags = {
 Name = "public_route_table"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -152,7 +152,7 @@ resource "aws_route_table" "private_route_table" {
 tags = {
 Name = "private_route_table"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
diff --git a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive1.tf b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive1.tf
index 728d9ebe115..b75c20f536a 100644
--- a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive1.tf
+++ b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive1.tf
@@ -40,7 +40,7 @@ resource "aws_vpc" "vpc1" {
 tags = {
 Name = "tf-test-vpc-1"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -51,7 +51,7 @@ resource "aws_subnet" "public" {
 tags = {
 Name = "public-subnet-1"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -62,7 +62,7 @@ resource "aws_subnet" "private" {
 tags = {
 Name = "private-subnet-1"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -71,7 +71,7 @@ resource "aws_vpc" "vpc2" {
 tags = {
 Name = "tf-test-vpc-2"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -80,7 +80,7 @@ resource "aws_internet_gateway" "igw" {
 tags = {
 Name = "igw"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -92,7 +92,7 @@ resource "aws_nat_gateway" "nat" {
 tags = {
 Name = "nat"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 depends_on = [aws_internet_gateway.igw]
@@ -108,7 +108,7 @@ resource "aws_vpc_peering_connection" "my_peering" {
 tags = {
 Name = "VPC Peering between vpc1 and vpc2"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -122,7 +122,7 @@ resource "aws_route_table" "public_route_table" {
 tags = {
 Name = "public_route_table"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -136,7 +136,7 @@ resource "aws_route_table" "private_route_table" {
 tags = {
 Name = "private_route_table"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
diff --git a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive2.tf b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive2.tf
index 35335cb94e0..dbe8ea66f7b 100644
--- a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive2.tf
+++ b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive2.tf
@@ -39,7 +39,7 @@ resource "aws_vpc" "vpc1" {
 cidr_block = var.vpc_1_cidr_block
 tags = {
 Name = "tf-test-vpc-2"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -51,7 +51,7 @@ resource "aws_subnet" "public" {
 tags = {
 Name = "public-subnet-1"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -62,7 +62,7 @@ resource "aws_subnet" "private" {
 tags = {
 Name = "private-subnet-1"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -70,7 +70,7 @@ resource "aws_vpc" "vpc2" {
 cidr_block = var.vpc_2_cidr_block
 tags = {
 Name = "tf-test-vpc-2"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -79,7 +79,7 @@ resource "aws_internet_gateway" "igw" {
 tags = {
 Name = "igw"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -91,7 +91,7 @@ resource "aws_nat_gateway" "nat" {
 tags = {
 Name = "nat"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 depends_on = [aws_internet_gateway.igw]
@@ -107,7 +107,7 @@ resource "aws_vpc_peering_connection" "my_peering" {
 tags = {
 Name = "VPC Peering between vpc1 and vpc2"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -117,7 +117,7 @@ resource "aws_route_table" "public_route_table9" {
 tags = {
 Name = "public-route-table"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -125,7 +125,7 @@ resource "aws_route_table" "private_route_table" {
 vpc_id = aws_vpc.vpc1.id
 tags = {
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
diff --git a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive3.tf b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive3.tf
index c6738ad047b..40a81729e8c 100644
--- a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive3.tf
+++ b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive3.tf
@@ -40,7 +40,7 @@ resource "aws_vpc" "vpc1" {
 tags = {
 Name = "tf-test-vpc-1"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -51,7 +51,7 @@ resource "aws_subnet" "public" {
 tags = {
 Name = "public-subnet-1"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -62,7 +62,7 @@ resource "aws_subnet" "private" {
 tags = {
 Name = "private-subnet-1"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -71,7 +71,7 @@ resource "aws_vpc" "vpc2" {
 tags = {
 Name = "tf-test-vpc-2"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -80,7 +80,7 @@ resource "aws_internet_gateway" "igw" {
 tags = {
 Name = "igw"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -92,7 +92,7 @@ resource "aws_nat_gateway" "nat" {
 tags = {
 Name = "nat"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 depends_on = [aws_internet_gateway.igw]
@@ -108,7 +108,7 @@ resource "aws_vpc_peering_connection" "my_peering" {
 tags = {
 Name = "VPC Peering between vpc1 and vpc2"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -134,11 +134,11 @@ resource "aws_route_table" "public_route_table" {
 }
 ]
-
+
 tags = {
 Name = "public_route_table"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
@@ -152,7 +152,7 @@ resource "aws_route_table" "private_route_table" {
 tags = {
 Name = "private_route_table"
- Project = "CIS Certification"
+ Project = "Certification"
 }
 }
diff --git a/docs/certifications.md b/docs/certifications.md
deleted file mode 100644
index 8249466ea10..00000000000
--- a/docs/certifications.md
+++ /dev/null
@@ -1,13 +0,0 @@
-## Certifications Overview
-
-Here you can find the list of certifications which were awarded to KICS
-
-KICS Certifications
-
-- [CIS Amazon Web Services Foundations Benchmark - Level 1](certifications-cis.md)
-- [CIS Amazon Web Services Foundations Benchmark - Level 2](certifications-cis.md)
-- [CIS Kubernetes Benchmark v1.6.1 - Level 1 - Master Node](certifications-cis.md)
-- [CIS Kubernetes Benchmark v1.6.1 - Level 1 - Worker Node](certifications-cis.md)
-- [CIS Kubernetes Benchmark v1.6.1 - Level 2 - Master Node](certifications-cis.md)
-- [CIS Kubernetes Benchmark v1.6.1 - Level 2 - Worker Node](certifications-cis.md)
-- More soon...
diff --git a/docs/changes1_7.md b/docs/changes1_7.md
new file mode 100644
index 00000000000..09d0487e409
--- /dev/null
+++ b/docs/changes1_7.md
@@ -0,0 +1,21 @@
+# Changes in v1.7.0
+
+---
+
+## Breaking Changes
+
+### Deprecations
+
+KICS 1.7.0 version removed some of our flags and keep using their default values.
+They are the following:
+
+- --minimal-ui
+- --no-progress
+- --no-color
+
+### Flag replacement
+
+From v1.7.0, KICS will no longer support the flag `--disable-full-descriptions`. Instead, a new flag can be used: `--disable-telemetry`.
+
+For more details, see this [link](https://docs.kics.io/latest/results/#telemetry).
+
diff --git a/docs/commands.md b/docs/commands.md
index 3dd1fab2a52..c4b25e4b377 100644
--- a/docs/commands.md
+++ b/docs/commands.md
@@ -46,7 +46,7 @@ Flags:
 -m, --bom include bill of materials (BoM) in results output
 --cloud-provider strings list of cloud providers to scan (alicloud, aws, azure, gcp)
 --config string path to configuration file
- --disable-full-descriptions disable request for full descriptions and use default vulnerability descriptions
+ --disable-telemetry disable usage telemetry requests
 --disable-secrets disable secrets scanning
 --exclude-categories strings exclude categories by providing its name cannot be provided with query inclusion flags
diff --git a/docs/dockerhub.md b/docs/dockerhub.md
index 05c6031d0fd..0e6dcd1edf4 100644
--- a/docs/dockerhub.md
+++ b/docs/dockerhub.md
@@ -84,7 +84,7 @@ Flags:
 -m, --bom include bill of materials (BoM) in results output
 --cloud-provider strings list of cloud providers to scan (alicloud, aws, azure, gcp)
 --config string path to configuration file
- --disable-full-descriptions disable request for full descriptions and use default vulnerability descriptions
+ --disable-telemetry disable usage telemetry requests
 --disable-secrets disable secrets scanning
 --exclude-categories strings exclude categories by providing its name cannot be provided with query inclusion flags
diff --git a/docs/flags.md b/docs/flags.md
index 4676bb4ac26..59a323cb2ba 100644
--- a/docs/flags.md
+++ b/docs/flags.md
@@ -41,11 +41,11 @@ Example of a valid `flags.json` file:
 To mark a flag as hidden use the following configuration:
 ```json
 {
- "disable-cis-descriptions": {
+ "disable-telemetry": {
 "flagType": "bool",
 "shorthandFlag": "",
 "defaultValue": "false",
- "usage": "disable request for full descriptions and use default vulnerability descriptions",
+ "usage": "disable usage telemetry requests",
 "hidden": true
 }
 }
@@ -55,14 +55,14 @@ If you also want to display a flag deprecation warning you can define it like th
 ```json
 {
- "disable-cis-descriptions": {
+ "disable-full-descriptions": {
 "flagType": "bool",
 "shorthandFlag": "",
 "defaultValue": "false",
 "usage": "disable request for full descriptions and use default vulnerability descriptions",
 "hidden": true,
 "deprecated": true,
- "deprecatedInfo": "use --disable-full-descriptions instead"
+ "deprecatedInfo": "use --disable-telemetry instead"
 }
 }
 ```
diff --git a/docs/integrations_codefresh.md b/docs/integrations_codefresh.md
index d1ca134b97a..ae4a751b805 100644
--- a/docs/integrations_codefresh.md
+++ b/docs/integrations_codefresh.md
@@ -9,30 +9,30 @@ You can find the KICS Codefresh step [here](https://github.com/Checkmarx/kics-co ## ARGUMENTS -| **Variable** | **Example Value**   | **Description**   | **Type** | **Required** | **Default** | -| ------------------------- | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -------- | --------------------------------------------- | -| PROJECT_PATH | terraform/main.tf,Dockerfile | paths to a file or directories to scan, comma separated list | string | Yes | N/A | -| IGNORE\_ON\_EXIT | results | defines which kind of non-zero exits code should be ignored (all, results, errors, none) | string | No | N/A | -| FAIL_ON | high,medium | which kind of results should return an exit code different from 0 | string | No | high,medium,low,info | -| TIME_OUT | 75 | number of seconds the query has to execute before being canceled | string | No | 60 | -| PROFILING | CPU | enables performance profiler that prints resource consumption metrics in the logs during the execution (CPU, MEM) | string | No | N/A | -| TYPES | Ansible,Terraform | case insensitive list of platform types to scan (Ansible, AzureResourceManager, CloudFormation, Dockerfile, Docker Compose, GRPC, GoogleDeploymentManager, Kubernetes, OpenAPI, Terraform) | string | No | All | -| EXCLUDE_PATHS | ./shouldNotScan/*,somefile.txt | exclude paths from scan | string | No | N/A | -| EXCLUDE_QUERIES | e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db | exclude queries by providing the query ID; cannot be provided with query inclusion flags | string | No | N/A | -| EXCLUDE_CATEGORIES | Access control,Best practices | exclude categories by providing its name; cannot be provided with query inclusion flags | string | No | N/A | -| EXCLUDE_SEVERETIES | info,low | exclude results by providing the severity of a result | string | No | 
N/A | -| EXCLUDE_RESULTS | d4a1fa80-d9d8-450f-87c2-e1f6669c41f8 | exclude results by providing the similarity ID of a result | string | No | N/A | -| INCLUDE_QUERIES | a227ec01-f97a-4084-91a4-47b350c1db54 | include queries by providing the query ID; cannot be provided with query exclusion flags | string | No | N/A | -| OUTPUT_FORMATS | json,sarif | formats in which the results will be exported (all, asff, csv, cyclonedx, glsast, html, json, junit, pdf, sarif, sonarqube) | string | No | json | -| OUTPUT_PATH | myResults/ | directory path to store reports | string | No | N/A | -| PAYLOAD_PATH | /tmp/mypayload.json | path to store internal representation JSON file | string | No | N/A | -| QUERIES_PATH | query | "example": "/tmp/mypayload.json" | string | No | ./assets/queries downloaded with the binaries | -| VERBOSE | true | write logs to stdout too (mutually exclusive with silent) | boolean | No | false | -| BOM | true | include bill of materials (BoM) in results output; | boolean | No | false | -| DISABLE\_FULL\_DESCRIPTIONS | true | disable request for full descriptions and use default vulnerability descriptions | boolean | No | false | -| DISABLE_SECRETS | true | disable secrets scanning | boolean | No | false | -| SECRETS\_REGEXES\_PATH | ./mydir/secrets-config.json | path to secrets regex rules configuration file | string | No | N/A | -| LIBRARIES_PATH | ./myLibsDir | path to directory with libraries | string | No | N/A | +| **Variable** | **Example Value**   | **Description**   | **Type** | **Required** | **Default** | +|------------------------| --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -------- | --------------------------------------------- | +| PROJECT_PATH | terraform/main.tf,Dockerfile | paths to a file or directories to scan, comma separated list | string | Yes | N/A | +| IGNORE\_ON\_EXIT 
| results | defines which kind of non-zero exits code should be ignored (all, results, errors, none) | string | No | N/A | +| FAIL_ON | high,medium | which kind of results should return an exit code different from 0 | string | No | high,medium,low,info | +| TIME_OUT | 75 | number of seconds the query has to execute before being canceled | string | No | 60 | +| PROFILING | CPU | enables performance profiler that prints resource consumption metrics in the logs during the execution (CPU, MEM) | string | No | N/A | +| TYPES | Ansible,Terraform | case insensitive list of platform types to scan (Ansible, AzureResourceManager, CloudFormation, Dockerfile, Docker Compose, GRPC, GoogleDeploymentManager, Kubernetes, OpenAPI, Terraform) | string | No | All | +| EXCLUDE_PATHS | ./shouldNotScan/*,somefile.txt | exclude paths from scan | string | No | N/A | +| EXCLUDE_QUERIES | e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db | exclude queries by providing the query ID; cannot be provided with query inclusion flags | string | No | N/A | +| EXCLUDE_CATEGORIES | Access control,Best practices | exclude categories by providing its name; cannot be provided with query inclusion flags | string | No | N/A | +| EXCLUDE_SEVERETIES | info,low | exclude results by providing the severity of a result | string | No | N/A | +| EXCLUDE_RESULTS | d4a1fa80-d9d8-450f-87c2-e1f6669c41f8 | exclude results by providing the similarity ID of a result | string | No | N/A | +| INCLUDE_QUERIES | a227ec01-f97a-4084-91a4-47b350c1db54 | include queries by providing the query ID; cannot be provided with query exclusion flags | string | No | N/A | +| OUTPUT_FORMATS | json,sarif | formats in which the results will be exported (all, asff, csv, cyclonedx, glsast, html, json, junit, pdf, sarif, sonarqube) | string | No | json | +| OUTPUT_PATH | myResults/ | directory path to store reports | string | No | N/A | +| PAYLOAD_PATH | /tmp/mypayload.json | path to store internal representation JSON 
file | string | No | N/A |
+| QUERIES_PATH | query | "example": "/tmp/mypayload.json" | string | No | ./assets/queries downloaded with the binaries |
+| VERBOSE | true | write logs to stdout too (mutually exclusive with silent) | boolean | No | false |
+| BOM | true | include bill of materials (BoM) in results output; | boolean | No | false |
+| DISABLE\_METRICS | true | disable usage telemetry requests | boolean | No | false |
+| DISABLE_SECRETS | true | disable secrets scanning | boolean | No | false |
+| SECRETS\_REGEXES\_PATH | ./mydir/secrets-config.json | path to secrets regex rules configuration file | string | No | N/A |
+| LIBRARIES_PATH | ./myLibsDir | path to directory with libraries | string | No | N/A |
 ## EXAMPLES
diff --git a/docs/certifications-cis.md b/docs/previous-certifications-cis.md
similarity index 84%
rename from docs/certifications-cis.md
rename to docs/previous-certifications-cis.md
index 36881e90791..e417603c32c 100644
--- a/docs/certifications-cis.md
+++ b/docs/previous-certifications-cis.md
@@ -7,13 +7,13 @@ CIS is an independent, nonprofit organization with a mission to create confidenc
 ## What are the CIS Benchmarks
 CIS Benchmarks are best practices for the secure configuration of a target system. Available for more than 100 CIS Benchmarks across 25+ vendor product families, CIS Benchmarks are developed through a unique consensus-based process comprised of cybersecurity professionals and subject matter experts around the world. CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia.
-## KICS Awarded Certifications
-KICS (from the version 1.4.4 to the latest) has been awarded the following certifications:
+## KICS previous Awarded Certifications
+KICS (from the version 1.4.4 to 1.6.14) has been awarded the following certifications:
 - CIS Amazon Web Services Foundations Benchmark v1.4.0, Level 1
 - CIS Amazon Web Services Foundations Benchmark v1.4.0, Level 2
-KICS (from the version 1.6.0 to the latest) has been awarded the following certifications:
+KICS (from the version 1.6.0 to 1.6.14) has been awarded the following certifications:
 - CIS Kubernetes Benchmark v1.6.1, Level 1 - Master Node
 - CIS Kubernetes Benchmark v1.6.1, Level 1 - Worker Node
@@ -26,5 +26,4 @@ Most CIS Benchmarks include multiple configuration profiles. A profile definitio
The Level 2 profile is considered to be "defense in depth" and is intended for environments where security is paramount. The recommendations associated with the Level 2 profile can have an adverse effect on your organization if not implemented appropriately or without due care.
 ## Additional Info
-- https://www.cisecurity.org/cis-benchmarks/cis-benchmarks-faq/
-- https://www.cisecurity.org/partner/checkmarx/
+- https://www.cisecurity.org/cis-benchmarks/cis-benchmarks-faq/
\ No newline at end of file
diff --git a/docs/previous-certifications.md b/docs/previous-certifications.md
new file mode 100644
index 00000000000..d48f66127c3
--- /dev/null
+++ b/docs/previous-certifications.md
@@ -0,0 +1,12 @@
+## Previous Certifications Overview
+
+Here you can find the list of the previous certifications which were awarded to KICS
+
+KICS Previous Certifications
+
+- [CIS Amazon Web Services Foundations Benchmark - Level 1](previous-certifications-cis.md)
+- [CIS Amazon Web Services Foundations Benchmark - Level 2](previous-certifications-cis.md)
+- [CIS Kubernetes Benchmark v1.6.1 - Level 1 - Master Node](previous-certifications-cis.md)
+- [CIS Kubernetes Benchmark v1.6.1 - Level 1 - Worker Node](previous-certifications-cis.md)
+- [CIS Kubernetes Benchmark v1.6.1 - Level 2 - Master Node](previous-certifications-cis.md)
+- [CIS Kubernetes Benchmark v1.6.1 - Level 2 - Worker Node](previous-certifications-cis.md)
\ No newline at end of file
diff --git a/docs/queries/all-queries.md b/docs/queries/all-queries.md
index 85e2234df7d..c3ed319e2b6 100644
--- a/docs/queries/all-queries.md
+++ b/docs/queries/all-queries.md
@@ -10,7 +10,7 @@ This page contains all queries.
 |Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|DockerCompose|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker.|Documentation
| |Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|DockerCompose|Medium|Availability|Check containers periodically to see if they are running properly.|Documentation
| |Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|DockerCompose|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault.|Documentation
| -|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|DockerCompose|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used, and 5 retries is the recommended by CIS.|Documentation
| +|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|DockerCompose|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used.|Documentation
| |Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|DockerCompose|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports.|Documentation
| |Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|DockerCompose|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface|Documentation
| |Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|DockerCompose|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers.|Documentation
| diff --git a/docs/queries/dockercompose-queries.md b/docs/queries/dockercompose-queries.md index 59a616beba1..4eb34852274 100644 --- a/docs/queries/dockercompose-queries.md +++ b/docs/queries/dockercompose-queries.md @@ -10,7 +10,7 @@ This page contains all queries from DockerCompose. |Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker.|Documentation
| |Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|Medium|Availability|Check containers periodically to see if they are running properly.|Documentation
| |Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault.|Documentation
| -|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used, and 5 retries is the recommended by CIS.|Documentation
| +|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used.|Documentation
| |Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports.|Documentation
| |Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface|Documentation
| |Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers.|Documentation
| diff --git a/docs/results.md b/docs/results.md index 5e0b56bfe1e..b26bdd47a4b 100644 --- a/docs/results.md +++ b/docs/results.md 
@@ -29,11 +29,14 @@ You can also change the default name by using the following command: This will generate an HTML and Gitlab SAST reports on output folder, with `kics-result` and `gl-sast-kics-result` names. -## Descriptions +## Telemetry -After the scanning process is done, If an internet connection is available, KICS will try to fetch CIS Proprietary vulnerability descriptions from a HTTP endpoint, this can be disabled with `--disable-cis-descriptions`. If used in offline mode or no internet connection is available, KICS should use the default descriptions. +KICS captures telemetry to help developers identify areas for improvement. After the scanning process is completed, if an internet connection is available, KICS will automatically send usage telemetry to a HTTP endpoint. However, users can disable this feature by using the `--disable-telemetry` option. This allows users to maintain privacy and control over the data that KICS sends. -In case of using KICS behind a corporate proxy, proxy configurations can be set with environment variables such as `HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY` +It's important to note that KICS only captures counts of query results and no code or personal information is sent. All telemetry are completely anonymous, ensuring that KICS users can contribute to the improvement of the tool without compromising their privacy and security. +The captured telemetry are for internal use only and are not shared with any external third party. + +If KICS is being used behind a corporate proxy, users can set proxy configurations using environment variables such as `HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY`. This allows KICS to send usage telemetry through the proxy and maintain network security protocols. By capturing usage telemetry and enabling users to configure proxy settings, KICS ensures that it can be used effectively and securely in various network ## JSON 
@@ -731,11 +734,11 @@ You can export CSV report by using `--report-formats "csv"`. CSV reports follow the [CSV structure](https://www.loc.gov/preservation/digital/formats/fdd/fdd000323.shtml#:~:text=CSV%20is%20a%20simple%20format,characters%20indicating%20a%20line%20break.). -| query_name | query_id | query_uri | severity | platform | cloud_provider | category | description_id | description | cis_description_id | cis_description_title | cis_description_text | file_name | similarity_id | line | issue_type | search_key | search_line | search_value | expected_value | actual_value | -| ---------------------------------------------- | ------------------------------------ | ----------------------------------------------------------------------------------------------------- | -------- | -------------- | -------------- | ----------------------- | -------------- | ------------------------------------------------------------------------------ | ------------------ | --------------------- | -------------------- | ----------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- | ---- | -------------- | --------------------------------------------------------------- | ----------- | ------------ | --------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- | -| EC2 Sensitive Port Is Publicly Exposed | 494b03d3-bf40-4464-8524-7c56ad0700ed | https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html | HIGH | CloudFormation | AWS | Networking and Firewall | 680b7e89 | The EC2 instance has a sensitive port connection exposed to the entire network | | | | ../../assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive2.json | 
9730156b201b5098479a7b624d01931303a2f27c3991c7a786aeb2c10912894a | 27 | IncorrectValue | Resources.InstanceSecurityGroup.SecurityGroupIngress | 0 | TCP,22 | SSH (TCP:22) should not be allowed in EC2 security group for instance Ec2Instance | SSH (TCP:22) is allowed in EC2 security group for instance Ec2Instance | -| EC2 Sensitive Port Is Publicly Exposed | 494b03d3-bf40-4464-8524-7c56ad0700ed | https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html | HIGH | CloudFormation | AWS | Networking and Firewall | 680b7e89 | The EC2 instance has a sensitive port connection exposed to the entire network | | | | ../../assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive1.yaml | a93a3f7320a60045c04cd950500a1c3cff5bc9a4aae7f1e0cde73033386e1242 | 15 | IncorrectValue | Resources.InstanceSecurityGroup.SecurityGroupIngress | 0 | TCP,22 | SSH (TCP:22) should not be allowed in EC2 security group for instance Ec2Instance | SSH (TCP:22) is allowed in EC2 security group for instance Ec2Instance | -| Security Group With Unrestricted Access To SSH | 6e856af2-62d7-4ba2-adc1-73b62cef9cc1 | https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html | HIGH | CloudFormation | AWS | Networking and Firewall | d515d6dc | Security Groups allows all traffic for SSH (port:22) | | | | ../../assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive1.yaml | ca8ec85623eed6a5cb3d3b8c1b69d145778e28517d2adf5fb856a57f9870c430 | 15 | IncorrectValue | Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress | 0 | | None of the Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress has port 22 | One of the Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress has port 22 | +| query_name | query_id | query_uri | severity | platform | cloud_provider | category | description_id | description | file_name | similarity_id | 
line | issue_type | search_key | search_line | search_value | expected_value | actual_value | +| ---------------------------------------------- | ------------------------------------ | ----------------------------------------------------------------------------------------------------- | -------- | -------------- | -------------- | ----------------------- | -------------- | ------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- | ---- | -------------- | --------------------------------------------------------------- | ----------- | ------------ | --------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- | +| EC2 Sensitive Port Is Publicly Exposed | 494b03d3-bf40-4464-8524-7c56ad0700ed | https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html | HIGH | CloudFormation | AWS | Networking and Firewall | 680b7e89 | The EC2 instance has a sensitive port connection exposed to the entire network | ../../assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive2.json | 9730156b201b5098479a7b624d01931303a2f27c3991c7a786aeb2c10912894a | 27 | IncorrectValue | Resources.InstanceSecurityGroup.SecurityGroupIngress | 0 | TCP,22 | SSH (TCP:22) should not be allowed in EC2 security group for instance Ec2Instance | SSH (TCP:22) is allowed in EC2 security group for instance Ec2Instance | +| EC2 Sensitive Port Is Publicly Exposed | 494b03d3-bf40-4464-8524-7c56ad0700ed | https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html | HIGH | CloudFormation | AWS | Networking and Firewall | 680b7e89 | The EC2 instance has a sensitive port connection 
exposed to the entire network | ../../assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive1.yaml | a93a3f7320a60045c04cd950500a1c3cff5bc9a4aae7f1e0cde73033386e1242 | 15 | IncorrectValue | Resources.InstanceSecurityGroup.SecurityGroupIngress | 0 | TCP,22 | SSH (TCP:22) should not be allowed in EC2 security group for instance Ec2Instance | SSH (TCP:22) is allowed in EC2 security group for instance Ec2Instance | +| Security Group With Unrestricted Access To SSH | 6e856af2-62d7-4ba2-adc1-73b62cef9cc1 | https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html | HIGH | CloudFormation | AWS | Networking and Firewall | d515d6dc | Security Groups allows all traffic for SSH (port:22) | ../../assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive1.yaml | ca8ec85623eed6a5cb3d3b8c1b69d145778e28517d2adf5fb856a57f9870c430 | 15 | IncorrectValue | Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress | 0 | | None of the Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress has port 22 | One of the Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress has port 22 | ## Code Climate diff --git a/e2e/cli_test.go b/e2e/cli_test.go index 0ca6377fc9a..2207e6d80df 100644 --- a/e2e/cli_test.go +++ b/e2e/cli_test.go @@ -142,10 +142,6 @@ func checkExpectedOutput(t *testing.T, tt *testcases.TestCase, argIndex int) { if utils.Contains(resultsFormats, "json-bom") { utils.JSONSchemaValidationFromFile(t, jsonFileName, "resultBoM.json") } - // Check result file (JSON including CIS Descriptions) - if utils.Contains(resultsFormats, "json-cis") { - utils.JSONSchemaValidationFromFile(t, jsonFileName, "resultCIS.json") - } // Check result file (GLSAST) if utils.Contains(resultsFormats, "glsast") { utils.JSONSchemaValidationFromFile(t, "gl-sast-"+jsonFileName, "result-gl-sast.json") 
@@ -183,15 +179,11 @@ func checkExpectedOutput(t *testing.T, tt *testcases.TestCase, argIndex int) { utils.JSONSchemaValidationFromData(t, json, "result-cyclonedx.json") } // Check result file (CSV) - if utils.Contains(resultsFormats, "csv") || utils.Contains(resultsFormats, "csv-cis") { + if utils.Contains(resultsFormats, "csv") { filename := tt.Args.ExpectedResult[argIndex].ResultsFile + ".csv" json := utils.CSVToJSON(t, filename) - if utils.Contains(resultsFormats, "csv-cis") { - utils.JSONSchemaValidationFromData(t, json, "result-csv-cis.json") - } else { - utils.JSONSchemaValidationFromData(t, json, "result-csv.json") - } + utils.JSONSchemaValidationFromData(t, json, "result-csv.json") } } diff --git a/e2e/fixtures/E2E_CLI_058 b/e2e/fixtures/E2E_CLI_058 new file mode 100644 index 00000000000..eacc766dfd3 --- /dev/null +++ b/e2e/fixtures/E2E_CLI_058 @@ -0,0 +1,3 @@ +Auto remediates the project + +{{.RemediateHelp}} \ No newline at end of file diff --git a/e2e/fixtures/E2E_CLI_059 b/e2e/fixtures/E2E_CLI_059 index eacc766dfd3..42cda0099ee 100644 --- a/e2e/fixtures/E2E_CLI_059 +++ b/e2e/fixtures/E2E_CLI_059 @@ -1,3 +1,2 @@ -Auto remediates the project - -{{.RemediateHelp}} \ No newline at end of file +Error: required flag(s) "results" not set +{{.RemediateHelp}} diff --git a/e2e/fixtures/E2E_CLI_060 b/e2e/fixtures/E2E_CLI_060 deleted file mode 100644 index 42cda0099ee..00000000000 --- a/e2e/fixtures/E2E_CLI_060 +++ /dev/null @@ -1,2 +0,0 @@ -Error: required flag(s) "results" not set -{{.RemediateHelp}} diff --git a/e2e/fixtures/E2E_CLI_061_PAYLOAD.json b/e2e/fixtures/E2E_CLI_060_PAYLOAD.json similarity index 100% rename from e2e/fixtures/E2E_CLI_061_PAYLOAD.json rename to e2e/fixtures/E2E_CLI_060_PAYLOAD.json diff --git a/e2e/fixtures/assets/scan_help b/e2e/fixtures/assets/scan_help index 67f307451a2..f02fd82455b 100644 --- a/e2e/fixtures/assets/scan_help +++ b/e2e/fixtures/assets/scan_help 
@@ -5,8 +5,8 @@ Flags: -m, --bom include bill of materials (BoM) in results output --cloud-provider strings list of cloud providers to scan (alicloud, aws, azure, gcp) --config string path to configuration file - --disable-full-descriptions disable request for full descriptions and use default vulnerability descriptions --disable-secrets disable secrets scanning + --disable-telemetry disable usage telemetry requests --exclude-categories strings exclude categories by providing its name cannot be provided with query inclusion flags can be provided multiple times or as a comma separated string diff --git a/e2e/fixtures/schemas/result-csv-cis.json b/e2e/fixtures/schemas/result-csv-cis.json deleted file mode 100644 index fbc8bac7cc1..00000000000 --- a/e2e/fixtures/schemas/result-csv-cis.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "allOf": [ - { - "$ref": "result-csv.json" - }, - { - "type": "array", - "minItems": 1, - "items": { - "type": "object", - "required": [ - "CISDescriptionIDFormatted", - "CISDescriptionTitle", - "CISDescriptionTextFormatted" - ], - "properties": { - "CISDescriptionIDFormatted": { - "type": "string", - "minLength": 1 - }, - "CISDescriptionTitle": { - "type": "string", - "minLength": 1 - }, - "CISDescriptionTextFormatted": { - "type": "string", - "minLength": 1 - } - } - } - } - ] -} diff --git a/e2e/fixtures/schemas/result-csv.json b/e2e/fixtures/schemas/result-csv.json index 39d4d2df11b..bfec0ab3c71 100644 --- a/e2e/fixtures/schemas/result-csv.json +++ b/e2e/fixtures/schemas/result-csv.json @@ -42,9 +42,6 @@ "Category", "DescriptionID", "Description", - "CISDescriptionIDFormatted", - "CISDescriptionTitle", - "CISDescriptionTextFormatted", "FileName", "SimilarityID", "Line", 
@@ -108,15 +105,6 @@ "type": "string", "minLength": 1 }, - "CISDescriptionIDFormatted": { - "type": "string" - }, - "CISDescriptionTitle": { - "type": "string" - }, - "CISDescriptionTextFormatted": { - "type": "string" - }, "FileName": { "$ref": "#/definitions/file_name_pattern" }, diff --git a/e2e/fixtures/schemas/result.json b/e2e/fixtures/schemas/result.json index 9b7c7543159..296352e5833 100644 --- a/e2e/fixtures/schemas/result.json +++ b/e2e/fixtures/schemas/result.json @@ -201,18 +201,6 @@ "description_id": { "type": "string", "pattern": "^[a-f0-9]{8}$" - }, - "cis_description_id": { - "type": "string", - "minLength": 1 - }, - "cis_description_title": { - "type": "string", - "minLength": 1 - }, - "cis_description_text": { - "type": "string", - "minLength": 1 } } } diff --git a/e2e/fixtures/schemas/resultCIS.json b/e2e/fixtures/schemas/resultCIS.json deleted file mode 100644 index a9944be7b4e..00000000000 --- a/e2e/fixtures/schemas/resultCIS.json +++ /dev/null @@ -1,41 +0,0 @@ -{ - "allOf": [ - { - "$ref" : "result.json" - }, - { - "type": "object", - "required": [ - "queries" - ], - "properties": { - "queries": { - "type": "array", - "minItems": 1, - "items": { - "type": "object", - "required": [ - "cis_description_id", - "cis_description_title", - "cis_description_text" - ], - "properties": { - "cis_description_id": { - "type": "string", - "minLength": 1 - }, - "cis_description_title": { - "type": "string", - "minLength": 1 - }, - "cis_description_text": { - "type": "string", - "minLength": 1 - } - } - } - } - } - } - ] -} diff --git a/e2e/testcases/e2e-cli-031_scan_report-formats.go b/e2e/testcases/e2e-cli-031_scan_report-formats.go index 212cc8d1897..39bd8b3e206 100644 --- a/e2e/testcases/e2e-cli-031_scan_report-formats.go +++ b/e2e/testcases/e2e-cli-031_scan_report-formats.go 
@@ -11,7 +11,7 @@ func init() { //nolint "--report-formats", "json,SARIF,glsast,Html,SonarQUBE,Junit,cyclonedx,asff,csv,CodeClimate", "-p", "/path/e2e/fixtures/samples/positive.yaml"}, - []string{"scan", "--output-path", "/path/e2e/output", "--output-name", "E2E_CLI_031_RESULT_CIS", + []string{"scan", "--output-path", "/path/e2e/output", "--output-name", "E2E_CLI_031_RESULT_METRICS", "--report-formats", "json,JUnit,CSV", "--include-queries", "275a3217-ca37-40c1-a6cf-bb57d245ab32", "-p", "/path/e2e/fixtures/samples/positive.yaml"}, }, @@ -21,11 +21,11 @@ func init() { //nolint ResultsFormats: []string{"json", "sarif", "glsast", "html", "sonarqube", "junit", "cyclonedx", "asff", "csv", "codeclimate"}, }, { - ResultsFile: "E2E_CLI_031_RESULT_CIS", - ResultsFormats: []string{"junit", "json-cis", "csv-cis"}, + ResultsFile: "E2E_CLI_031_RESULT_METRICS", + ResultsFormats: []string{"junit", "json", "csv"}, }, }, - UseMock: []bool{false, true}, + UseMock: []bool{false, false}, }, WantStatus: []int{50, 50}, } diff --git a/e2e/testcases/e2e-cli-046_scan_disable-full-descriptions.go b/e2e/testcases/e2e-cli-046_scan_disable-full-descriptions.go index ae6b9b5abc0..55800bb099e 100644 --- a/e2e/testcases/e2e-cli-046_scan_disable-full-descriptions.go +++ b/e2e/testcases/e2e-cli-046_scan_disable-full-descriptions.go 
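Review bot: With `UseMock: []bool{false, false}` the second invocation in this test now runs unmocked, yet its argument list in the first hunk (`--output-name`, `E2E_CLI_031_RESULT_METRICS`, `--report-formats`, `json,JUnit,CSV`) passes no `--disable-telemetry`, so unless the harness intercepts outbound traffic in a way not visible here, this e2e case will attempt a real telemetry request from CI and its behaviour depends on network availability. Consider either keeping `true` for that run or adding `"--disable-telemetry"` to its args, so the case exercises only report generation as its `ResultsFormats` of `junit`, `json`, `csv` suggest. A one-line comment on the second `ResultsFile` entry saying that it validates only the three plain report schemas (the former CIS variants having been removed) would also explain the `_METRICS` name to the next reader. The enclosing `init()` starts before this hunk.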
@@ -2,20 +2,20 @@ package testcases import "regexp" -// E2E-CLI-046 - Kics scan command with --disable-full-descriptions -// should fetch CIS descriptions from environment URL KICS_DESCRIPTIONS_ENDPOINT. +// E2E-CLI-046 - Kics scan command with --disable-telemetry +// should not fetch telemetry from environment URL KICS_DESCRIPTIONS_ENDPOINT. func init() { //nolint testSample := TestCase{ - Name: "should fetch CIS descriptions from environment [E2E-CLI-046]", + Name: "should not fetch telemetry from environment [E2E-CLI-046]", Args: args{ Args: []cmdArgs{ []string{"scan", "-p", "/path/e2e/fixtures/samples/positive.dockerfile", "--no-color", "-v", - "--disable-full-descriptions"}, + "--disable-telemetry"}, }, }, Validation: func(outputText string) bool { - uuidRegex := "Skipping CIS descriptions because provided disable flag is set" + uuidRegex := "Skipping all telemetry because provided disable flag is set" match, _ := regexp.MatchString(uuidRegex, outputText) return match }, diff --git a/e2e/testcases/e2e-cli-053_kics_scan_ignore.go b/e2e/testcases/e2e-cli-052_kics_scan_ignore.go similarity index 89% rename from e2e/testcases/e2e-cli-053_kics_scan_ignore.go rename to e2e/testcases/e2e-cli-052_kics_scan_ignore.go index bd0c4ffbe83..b7a6f679db8 100644 --- a/e2e/testcases/e2e-cli-053_kics_scan_ignore.go +++ b/e2e/testcases/e2e-cli-052_kics_scan_ignore.go @@ -1,9 +1,9 @@ package testcases -// E2E-CLI-053 - Kics scan can ignore entire files, blocks and lines based in kics-ignore comments +// E2E-CLI-052 - Kics scan can ignore entire files, blocks and lines based in kics-ignore comments func init() { //nolint testSample := TestCase{ - Name: "should ignore files/code-blocks/code-lines during the scan [E2E-CLI-053]", + Name: "should ignore files/code-blocks/code-lines during the scan [E2E-CLI-052]", Args: args{ Args: []cmdArgs{ []string{"scan", "-p", "/path/e2e/fixtures/samples/scan-ignore/enable.tf"}, 
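Review bot: The updated header comment still names `KICS_DESCRIPTIONS_ENDPOINT` as the URL telemetry would be sent to, which reads as stale now that the flag under test is `--disable-telemetry`; if the environment variable was renamed along with the feature the comment should follow, and if it was not, a note that the variable name predates the telemetry change would stop the next reader from searching for a descriptions endpoint. The local holding the expected log line is still called `uuidRegex` although it is neither a UUID pattern nor a meaningful regex, so `expectedLog := "Skipping all telemetry because provided disable flag is set"` with `match, _ := regexp.MatchString(expectedLog, outputText)` would say what the validation actually checks. The validation only asserts that the skip message was printed; pairing it with a check that no request reached the mock endpoint would prove the flag's effect rather than its log line, but that depends on harness support I cannot see in this hunk.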
diff --git a/e2e/testcases/e2e-cli-052_scan_with_custom_cis_descriptions.go b/e2e/testcases/e2e-cli-052_scan_with_custom_cis_descriptions.go deleted file mode 100644 index f8bc7292480..00000000000 --- a/e2e/testcases/e2e-cli-052_scan_with_custom_cis_descriptions.go +++ /dev/null @@ -1,35 +0,0 @@ -package testcases - -// E2E-CLI-052 - Kics scan with a custom CIS descriptions env variable -// should load and display the correct CIS descriptions (provided by the custom server) -func init() { //nolint - testSample := TestCase{ - Name: "should load descriptions from a custom server [E2E-CLI-052]", - Args: args{ - Args: []cmdArgs{ - []string{"scan", - "-p", "/path/e2e/fixtures/samples/terraform.tf", "--no-color", - "--include-queries", "487f4be7-3fd9-4506-a07a-eae252180c08,cfdcabb0-fc06-427c-865b-c59f13e898ce", - "-o", "/path/e2e/output", "--output-name", "/path/e2e/output/E2E_CLI_052_RESULTS_ALL_HAVE_CIS.json"}, - - []string{"scan", - "-p", "/path/e2e/fixtures/samples/terraform.tf", "--no-color", - "-o", "/path/e2e/output", "--output-name", "/path/e2e/output/E2E_CLI_052_RESULTS_SOME_HAVE_CIS.json"}, - }, - UseMock: []bool{true, true}, - ExpectedResult: []ResultsValidation{ - { - ResultsFile: "E2E_CLI_052_RESULTS_ALL_HAVE_CIS", - ResultsFormats: []string{"json-cis"}, - }, - { - ResultsFile: "E2E_CLI_052_RESULTS_SOME_HAVE_CIS", - ResultsFormats: []string{"json"}, - }, - }, - }, - WantStatus: []int{50, 50}, - } - - Tests = append(Tests, testSample) -} diff --git a/e2e/testcases/e2e-cli-054_scan_multiple-queries-path.go b/e2e/testcases/e2e-cli-053_scan_multiple-queries-path.go similarity index 91% rename from e2e/testcases/e2e-cli-054_scan_multiple-queries-path.go rename to e2e/testcases/e2e-cli-053_scan_multiple-queries-path.go index 7349fa1fd46..2114a0f1275 100644 --- a/e2e/testcases/e2e-cli-054_scan_multiple-queries-path.go +++ b/e2e/testcases/e2e-cli-053_scan_multiple-queries-path.go 
@@ -2,11 +2,11 @@ package testcases import "regexp" -// E2E-CLI-054 - Kics scan command with --queries-path using multiple entries +// E2E-CLI-053 - Kics scan command with --queries-path using multiple entries // should load and execute queries found in the provided paths func init() { //nolint testSample := TestCase{ - Name: "should load and execute queries from multiple paths [E2E-CLI-054]", + Name: "should load and execute queries from multiple paths [E2E-CLI-053]", Args: args{ Args: []cmdArgs{ []string{"scan", "--queries-path", "/path/e2e/fixtures/samples/queries/valid/single_query," + diff --git a/e2e/testcases/e2e-cli-055_scan_resolve_openapi_files.go b/e2e/testcases/e2e-cli-054_scan_resolve_openapi_files.go similarity index 87% rename from e2e/testcases/e2e-cli-055_scan_resolve_openapi_files.go rename to e2e/testcases/e2e-cli-054_scan_resolve_openapi_files.go index 7189cdc4367..4fb76c4d94e 100644 --- a/e2e/testcases/e2e-cli-055_scan_resolve_openapi_files.go +++ b/e2e/testcases/e2e-cli-054_scan_resolve_openapi_files.go @@ -2,11 +2,11 @@ package testcases import "regexp" -// E2E-CLI-055 - Kics scan command with openapi files that are not resolved +// E2E-CLI-054 - Kics scan command with openapi files that are not resolved // should resolve openapi files and return results in different files func init() { //nolint testSample := TestCase{ - Name: "should resolve openapi files and return results in different files [E2E-CLI-055]", + Name: "should resolve openapi files and return results in different files [E2E-CLI-054]", Args: args{ Args: []cmdArgs{ []string{"scan", "-p", "/path/e2e/fixtures/samples/unresolved_openapi"}, diff --git a/e2e/testcases/e2e-cli-056_scan_timeout.go b/e2e/testcases/e2e-cli-055_scan_timeout.go similarity index 92% rename from e2e/testcases/e2e-cli-056_scan_timeout.go rename to e2e/testcases/e2e-cli-055_scan_timeout.go index 0095f8f3cae..91c5f840605 100644 --- a/e2e/testcases/e2e-cli-056_scan_timeout.go 
+++ b/e2e/testcases/e2e-cli-055_scan_timeout.go @@ -4,11 +4,11 @@ import ( "regexp" ) -// E2E-CLI-056 - Kics scan command with timeout flag +// E2E-CLI-055 - Kics scan command with timeout flag // should stop a query execution when reaching the provided timeout (seconds) func init() { //nolint testSample := TestCase{ - Name: "should timeout queries when reaching the timeout limit [E2E-CLI-056]", + Name: "should timeout queries when reaching the timeout limit [E2E-CLI-055]", Args: args{ Args: []cmdArgs{ []string{"scan", "--config", "/path/e2e/fixtures/samples/configs/config.yaml", "-v"}, diff --git a/e2e/testcases/e2e-cli-057_fix_all.go b/e2e/testcases/e2e-cli-056_fix_all.go similarity index 85% rename from e2e/testcases/e2e-cli-057_fix_all.go rename to e2e/testcases/e2e-cli-056_fix_all.go index 8d53565cce6..c7ccdad01aa 100644 --- a/e2e/testcases/e2e-cli-057_fix_all.go +++ b/e2e/testcases/e2e-cli-056_fix_all.go @@ -4,13 +4,13 @@ import ( "regexp" ) -// E2E-CLI-057 - Kics remediate command +// E2E-CLI-056 - Kics remediate command // should remediate all remediation found func init() { //nolint generateResults("results-remediate-all") testSample := TestCase{ - Name: "should remediate all remediation found [E2E-CLI-057]", + Name: "should remediate all remediation found [E2E-CLI-056]", Args: args{ Args: []cmdArgs{ []string{"remediate", "--results", "/path/e2e/tmp-kics-ar/results-remediate-all.json", "-v"}, diff --git a/e2e/testcases/e2e-cli-058_fix_include_ids.go b/e2e/testcases/e2e-cli-057_fix_include_ids.go similarity index 97% rename from e2e/testcases/e2e-cli-058_fix_include_ids.go rename to e2e/testcases/e2e-cli-057_fix_include_ids.go index 1526d353f69..8cc5a6930cc 100644 --- a/e2e/testcases/e2e-cli-058_fix_include_ids.go +++ b/e2e/testcases/e2e-cli-057_fix_include_ids.go 
@@ -10,7 +10,7 @@ func init() { //nolint generateResults("results-remediate-include-ids") testSample := TestCase{ - Name: "should remediate the recommendations pointed in include-ids flag [E2E-CLI-058]", + Name: "should remediate the recommendations pointed in include-ids flag [E2E-CLI-057]", Args: args{ Args: []cmdArgs{ []string{"remediate", "--results", "/path/e2e/tmp-kics-ar/results-remediate-include-ids.json", diff --git a/e2e/testcases/e2e-cli-059_help_fix.go b/e2e/testcases/e2e-cli-058_help_fix.go similarity index 78% rename from e2e/testcases/e2e-cli-059_help_fix.go rename to e2e/testcases/e2e-cli-058_help_fix.go index ede40f3f54e..a5e5e1edfe8 100644 --- a/e2e/testcases/e2e-cli-059_help_fix.go +++ b/e2e/testcases/e2e-cli-058_help_fix.go @@ -1,15 +1,15 @@ package testcases -// E2E-CLI-059 - KICS remediate command should display a help text in the CLI when provided with the +// E2E-CLI-058 - KICS remediate command should display a help text in the CLI when provided with the // --help flag and it should describe the options related with remediate plus the global options func init() { //nolint testSample := TestCase{ - Name: "should display the kics remediate help text [E2E-CLI-059]", + Name: "should display the kics remediate help text [E2E-CLI-058]", Args: args{ Args: []cmdArgs{ []string{"remediate", "--help"}, }, - ExpectedOut: []string{"E2E_CLI_059"}, + ExpectedOut: []string{"E2E_CLI_058"}, }, WantStatus: []int{0}, } diff --git a/e2e/testcases/e2e-cli-060_fix_text.go b/e2e/testcases/e2e-cli-059_fix_text.go similarity index 73% rename from e2e/testcases/e2e-cli-060_fix_text.go rename to e2e/testcases/e2e-cli-059_fix_text.go index f2f5b670402..38a1334c6da 100644 --- a/e2e/testcases/e2e-cli-060_fix_text.go +++ b/e2e/testcases/e2e-cli-059_fix_text.go 
@@ -1,15 +1,15 @@ package testcases -// E2E-CLI-060 - KICS remediate command has a mandatory flag --results. The CLI should exhibit +// E2E-CLI-059 - KICS remediate command has a mandatory flag --results. The CLI should exhibit // an error message and return exit code 126 func init() { //nolint testSample := TestCase{ - Name: "should display an error regarding missing --results flag [E2E-CLI-060]", + Name: "should display an error regarding missing --results flag [E2E-CLI-059]", Args: args{ Args: []cmdArgs{ []string{"remediate"}, }, - ExpectedOut: []string{"E2E_CLI_060"}, + ExpectedOut: []string{"E2E_CLI_059"}, }, WantStatus: []int{126}, } diff --git a/e2e/testcases/e2e-cli-061_scan_exclude_type.go b/e2e/testcases/e2e-cli-060_scan_exclude_type.go similarity index 78% rename from e2e/testcases/e2e-cli-061_scan_exclude_type.go rename to e2e/testcases/e2e-cli-060_scan_exclude_type.go index 3bab9e64720..c697d43a239 100644 --- a/e2e/testcases/e2e-cli-061_scan_exclude_type.go +++ b/e2e/testcases/e2e-cli-060_scan_exclude_type.go 
@@ -1,19 +1,19 @@ // Package testcases provides end-to-end (E2E) testing functionality for the application. package testcases -// E2E-CLI-061 - KICS scan with a valid case insensitive --exclude-type flag +// E2E-CLI-060 - KICS scan with a valid case insensitive --exclude-type flag // should perform the scan successfully and return exit code 50 func init() { //nolint testSample := TestCase{ - Name: "should perform a valid scan with --exclude-type flag [E2E-CLI-061]", + Name: "should perform a valid scan with --exclude-type flag [E2E-CLI-060]", Args: args{ Args: []cmdArgs{ []string{"scan", "-p", "\"/path/e2e/fixtures/samples/positive.dockerfile\",\"/path/e2e/fixtures/samples/terraform.tf\"", - "--silent", "--payload-path", "/path/e2e/output/E2E_CLI_061_PAYLOAD.json", "--exclude-type", + "--silent", "--payload-path", "/path/e2e/output/E2E_CLI_060_PAYLOAD.json", "--exclude-type", "TeRRafOrm"}, }, ExpectedPayload: []string{ - "E2E_CLI_061_PAYLOAD.json", + "E2E_CLI_060_PAYLOAD.json", }, }, WantStatus: []int{50}, diff --git a/e2e/testcases/utils.go b/e2e/testcases/utils.go index a9315726bf3..463a2571f24 100644 --- a/e2e/testcases/utils.go +++ b/e2e/testcases/utils.go 
@@ -14,18 +14,15 @@ import ( func generateReport(tmpFile, jsonPath, reportName string) { //nolint var queryHigh = model.QueryResult{ - QueryName: "Ram Account Password Policy Not Required Minimum Length", - QueryID: "a9dfec39-a740-4105-bbd6-721ba163c053", - QueryURI: "", - Description: "Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above", - DescriptionID: "a8b47743", - CISDescriptionIDFormatted: "testCISID", - CISDescriptionTitle: "testCISTitle", - CISDescriptionTextFormatted: "testCISDescription", - Severity: model.SeverityHigh, - Platform: "Terraform", - CloudProvider: "ALICLOUD", - Category: "Secret Management", + QueryName: "Ram Account Password Policy Not Required Minimum Length", + QueryID: "a9dfec39-a740-4105-bbd6-721ba163c053", + QueryURI: "", + Description: "Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above", + DescriptionID: "a8b47743", + Severity: model.SeverityHigh, + Platform: "Terraform", + CloudProvider: "ALICLOUD", + Category: "Secret Management", Files: []model.VulnerableFile{ { FileName: tmpFile, 
@@ -47,18 +44,15 @@ func generateReport(tmpFile, jsonPath, reportName string) { //nolint } var queryMedium1 = model.QueryResult{ //nolint - QueryName: "RAM Account Password Policy Not Required Symbols", - QueryID: "41a38329-d81b-4be4-aef4-55b2615d3282", - QueryURI: "", - Description: "RAM account password security should require at least one symbol", - DescriptionID: "f3616c34", - CISDescriptionIDFormatted: "testCISID", - CISDescriptionTitle: "testCISTitle", - CISDescriptionTextFormatted: "testCISDescription", - Severity: model.SeverityMedium, - Platform: "Terraform", - CloudProvider: "ALICLOUD", - Category: "Secret Management", + QueryName: "RAM Account Password Policy Not Required Symbols", + QueryID: "41a38329-d81b-4be4-aef4-55b2615d3282", + QueryURI: "", + Description: "RAM account password security should require at least one symbol", + DescriptionID: "f3616c34", + Severity: model.SeverityMedium, + Platform: "Terraform", + CloudProvider: "ALICLOUD", + Category: "Secret Management", Files: []model.VulnerableFile{ { FileName: tmpFile, 
@@ -96,18 +90,15 @@ func generateReport(tmpFile, jsonPath, reportName string) { //nolint } var queryMedium2 = model.QueryResult{ //nolint - QueryName: "Ram Account Password Policy Max Password Age Unrecommended", - QueryID: "2bb13841-7575-439e-8e0a-cccd9ede2fa8", - Description: "Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91", - QueryURI: "", - DescriptionID: "6056f5ca", - CISDescriptionIDFormatted: "testCISID", - CISDescriptionTitle: "testCISTitle", - CISDescriptionTextFormatted: "testCISDescription", - Severity: model.SeverityMedium, - Platform: "Terraform", - CloudProvider: "ALICLOUD", - Category: "Secret Management", + QueryName: "Ram Account Password Policy Max Password Age Unrecommended", + QueryID: "2bb13841-7575-439e-8e0a-cccd9ede2fa8", + Description: "Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91", + QueryURI: "", + DescriptionID: "6056f5ca", + Severity: model.SeverityMedium, + Platform: "Terraform", + CloudProvider: "ALICLOUD", + Category: "Secret Management", Files: []model.VulnerableFile{ { FileName: tmpFile, diff --git a/e2e/utils/csv.go b/e2e/utils/csv.go index cf1e4f0b674..4c6bec51fca 100644 --- a/e2e/utils/csv.go +++ b/e2e/utils/csv.go @@ -32,9 +32,9 @@ func CSVToJSON(t *testing.T, filename string) []byte { var csvItems []csvSchema for _, row := range csvData[1:] { - line, lineErr := strconv.Atoi(row[14]) + line, lineErr := strconv.Atoi(row[11]) require.NoError(t, lineErr, "Error when converting CSV: %s", fullPath) - searchLine, searchErr := strconv.Atoi(row[17]) + searchLine, searchErr := strconv.Atoi(row[14]) require.NoError(t, searchErr, "Error when converting CSV: %s", fullPath) csvStruct.QueryName = row[0] 
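Review bot: The column indices in `CSVToJSON` (`row[11]` and `row[14]` in the `@@ -32,9 +32,9 @@` hunk of e2e/utils/csv.go, and `row[9]` through `row[17]` in the following `@@ -46,18 +46,15 @@` hunk) are renumbered by hand every time `CSVReport` gains or loses a column, which is exactly what this change had to do in three places. Resolving the indices once from the header row `csvData[0]` (a `map[string]int` from column name to position, looked up by the `csv:"…"` names) would make the helper independent of column order and turn a future schema drift into a clear failure. There is also no check that `len(row)` covers the highest index used, so a short row panics with an index-out-of-range instead of a `require` failure that names `fullPath`. The enclosing function starts before and ends after these hunks.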
@@ -46,18 +46,15 @@ func CSVToJSON(t *testing.T, filename string) []byte { csvStruct.Category = row[6] csvStruct.DescriptionID = row[7] csvStruct.Description = row[8] - csvStruct.CISDescriptionIDFormatted = row[9] - csvStruct.CISDescriptionTitle = row[10] - csvStruct.CISDescriptionTextFormatted = row[11] - csvStruct.FileName = row[12] - csvStruct.SimilarityID = row[13] + csvStruct.FileName = row[9] + csvStruct.SimilarityID = row[10] csvStruct.Line = line - csvStruct.IssueType = row[15] - csvStruct.SearchKey = row[16] + csvStruct.IssueType = row[12] + csvStruct.SearchKey = row[13] csvStruct.SearchLine = searchLine - csvStruct.SearchValue = row[18] - csvStruct.ExpectedValue = row[19] - csvStruct.ActualValue = row[20] + csvStruct.SearchValue = row[15] + csvStruct.ExpectedValue = row[16] + csvStruct.ActualValue = row[17] csvItems = append(csvItems, csvStruct) } @@ -68,25 +65,22 @@ func CSVToJSON(t *testing.T, filename string) []byte { } type csvSchema struct { - QueryName string - QueryID string - QueryURI string - Severity string - Platform string - CloudProvider string - Category string - DescriptionID string - Description string - CISDescriptionIDFormatted string - CISDescriptionTitle string - CISDescriptionTextFormatted string - FileName string - SimilarityID string - Line int - IssueType string - SearchKey string - SearchLine int - SearchValue string - ExpectedValue string - ActualValue string + QueryName string + QueryID string + QueryURI string + Severity string + Platform string + CloudProvider string + Category string + DescriptionID string + Description string + FileName string + SimilarityID string + Line int + IssueType string + SearchKey string + SearchLine int + SearchValue string + ExpectedValue string + ActualValue string } diff --git a/internal/console/assets/scan-flags.json b/internal/console/assets/scan-flags.json index 991d41c655e..624b6434ccd 100644 --- a/internal/console/assets/scan-flags.json +++ b/internal/console/assets/scan-flags.json 
@@ -12,20 +12,11 @@ "defaultValue": "", "usage": "path to configuration file" }, - "disable-cis-descriptions": { + "disable-telemetry": { "flagType": "bool", "shorthandFlag": "", "defaultValue": "false", - "usage": "disable request for CIS descriptions and use default vulnerability descriptions", - "hidden": true, - "deprecated": true, - "deprecatedInfo": "use --disable-full-descriptions instead" - }, - "disable-full-descriptions": { - "flagType": "bool", - "shorthandFlag": "", - "defaultValue": "false", - "usage": "disable request for full descriptions and use default vulnerability descriptions" + "usage": "disable usage telemetry requests" }, "exclude-categories": { "flagType": "multiStr", diff --git a/internal/console/flags/scan_flags.go b/internal/console/flags/scan_flags.go index 6f3e29fa668..7de7297af20 100644 --- a/internal/console/flags/scan_flags.go +++ b/internal/console/flags/scan_flags.go @@ -5,8 +5,7 @@ const ( BomFlag = "bom" CloudProviderFlag = "cloud-provider" ConfigFlag = "config" - DisableCISDescFlag = "disable-cis-descriptions" - DisableFullDescFlag = "disable-full-descriptions" + DisableTelemetryFlag = "disable-telemetry" ExcludeCategoriesFlag = "exclude-categories" ExcludePathsFlag = "exclude-paths" ExcludeQueriesFlag = "exclude-queries" diff --git a/internal/console/scan.go b/internal/console/scan.go index a14051f7c96..b99766d6dd7 100644 --- a/internal/console/scan.go +++ b/internal/console/scan.go 
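Review bot: Removing `disable-full-descriptions` and `disable-cis-descriptions` outright breaks every existing invocation that passes them (the workflow edit earlier in this same commit shows the effect), and a user who had opted out of the outbound request with the old flag now starts sending telemetry unless they discover the new name. The file's own convention for this case is visible in the removed lines: keep the old name as a hidden, deprecated entry whose `deprecatedInfo` points at the replacement, and wire it to the same opt-out in scan.go so the old spelling still disables the request. The usage text `disable usage telemetry requests` would also be more useful if it named what is sent; from the client hunk later in this diff it appears to be the KICS version plus the description IDs of the matched queries, but that should be confirmed against the full telemetry payload before it is written down.
```json
"disable-full-descriptions": {
  "flagType": "bool",
  "shorthandFlag": "",
  "defaultValue": "false",
  "usage": "disable usage telemetry requests",
  "hidden": true,
  "deprecated": true,
  "deprecatedInfo": "use --disable-telemetry instead"
},
```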
@@ -110,8 +110,7 @@ func updateReportFormats() {
 func getScanParameters(changedDefaultQueryPath, changedDefaultLibrariesPath bool) *scan.Parameters {
 scanParams := scan.Parameters{
 CloudProvider: flags.GetMultiStrFlag(flags.CloudProviderFlag),
- DisableCISDesc: flags.GetBoolFlag(flags.DisableCISDescFlag),
- DisableFullDesc: flags.GetBoolFlag(flags.DisableFullDescFlag),
+ DisableTelemetry: flags.GetBoolFlag(flags.DisableTelemetryFlag),
 ExcludeCategories: flags.GetMultiStrFlag(flags.ExcludeCategoriesFlag),
 ExcludePaths: flags.GetMultiStrFlag(flags.ExcludePathsFlag),
 ExcludeQueries: flags.GetMultiStrFlag(flags.ExcludeQueriesFlag),
diff --git a/internal/constants/constants.go b/internal/constants/constants.go
index c8c2b39a6a6..7a9c77c28d7 100644
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@@ -14,7 +14,7 @@ var (
 SCMCommit = "NOCOMMIT"
 // SentryDSN - sentry DSN, unset for disabling
 SentryDSN = ""
- // BaseURL - CIS descriptions endpoint URL
+ // BaseURL - telemetry endpoint URL
 BaseURL = ""
 // APIScanner - API scanner feature switch
 APIScanner = ""
diff --git a/mkdocs.yml b/mkdocs.yml
index bf3330569b3..68b3d813aa0 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -44,9 +44,10 @@ nav:
 - Utilities: utilities.md
 - Architecture: architecture.md
 - Auto Remediation : kics_auto_remediation.md
- - Certifications: certifications.md
+ - Previous Certifications: previous-certifications.md
 - Changes in v1.3.0: changes.md
 - Changes in v1.6.0: changes1_6.md
+ - Changes in v1.7.0: changes1_7.md
 - Queries:
 - General Info: queries.md
 - Creating Queries: creating-queries.md
diff --git a/pkg/descriptions/descriptions.go b/pkg/descriptions/descriptions.go
deleted file mode 100644
index 6e6ff205313..00000000000
--- a/pkg/descriptions/descriptions.go
+++ /dev/null
@@ -1,56 +0,0 @@ -package descriptions - -import ( - "fmt" - - "github.com/Checkmarx/kics/pkg/model" -) - -var ( - descClient HTTPDescription = &Client{} -) - -// RequestAndOverrideDescriptions - Requests CIS descriptions and override default descriptions -func RequestAndOverrideDescriptions(summary *model.Summary) error { - descriptionIDs := make([]string, 0) - for idx := range summary.Queries { - descriptionIDs = append(descriptionIDs, summary.Queries[idx].DescriptionID) - } - - if err := descClient.CheckConnection(); err != nil { - return err - } - - descriptionMap, err := descClient.RequestDescriptions(descriptionIDs) - if err != nil { - return err - } - - for idx := range summary.Queries { - if descriptionMap[summary.Queries[idx].DescriptionID].DescriptionID == "" && - descriptionMap[summary.Queries[idx].DescriptionID].RationaleText == "" { - continue - } - descriptionID := summary.Queries[idx].DescriptionID - - summary.Queries[idx].CISDescriptionID = descriptionMap[descriptionID].DescriptionID - summary.Queries[idx].CISDescriptionTitle = descriptionMap[descriptionID].DescriptionTitle - summary.Queries[idx].CISDescriptionText = descriptionMap[descriptionID].DescriptionText - summary.Queries[idx].CISRationaleText = descriptionMap[descriptionID].RationaleText - summary.Queries[idx].CISBenchmarkName = descriptionMap[descriptionID].BenchmarkName - summary.Queries[idx].CISBenchmarkVersion = descriptionMap[descriptionID].BenchmarkVersion - - summary.Queries[idx].CISDescriptionIDFormatted = fmt.Sprintf( - "CIS Security - %s v%s - Rule %s", - descriptionMap[descriptionID].BenchmarkName, - descriptionMap[descriptionID].BenchmarkVersion, - descriptionMap[descriptionID].DescriptionID, - ) - summary.Queries[idx].CISDescriptionTextFormatted = fmt.Sprintf( - "%s\n%s", - descriptionMap[descriptionID].DescriptionText, - descriptionMap[descriptionID].RationaleText, - ) - } - return nil -} 
diff --git a/pkg/descriptions/model/model.go b/pkg/descriptions/model/model.go deleted file mode 100644 index 6e447687a17..00000000000 --- a/pkg/descriptions/model/model.go +++ /dev/null @@ -1,29 +0,0 @@ -package model - -// DescriptionRequest - is the model for the description request -type DescriptionRequest struct { - DescriptionIDs []string `json:"descriptions"` - Version string `json:"version"` -} - -// CISDescriptions - is the model for the description response -type CISDescriptions struct { - DescriptionID string `json:"cisDescriptionRuleID"` - DescriptionTitle string `json:"cisDescriptionTitle"` - DescriptionText string `json:"cisDescriptionText"` - RationaleText string `json:"cisRationaleText"` - BenchmarkName string `json:"cisBenchmarkName"` - BenchmarkVersion string `json:"cisBenchmarkVersion"` -} - -// DescriptionResponse - is the model for the description response -type DescriptionResponse struct { - ID string `json:"RequestID"` - Descriptions map[string]CISDescriptions `json:"Descriptions"` - Timestamp string `json:"Timestamp"` -} - -// VersionRequest - is the model for the version request -type VersionRequest struct { - Version string `json:"version"` -} diff --git a/pkg/kics/sink_test.go b/pkg/kics/sink_test.go index 43b4d4bb4c8..c50b1c3c961 100644 --- a/pkg/kics/sink_test.go +++ b/pkg/kics/sink_test.go 
@@ -27,13 +27,13 @@ func TestKics_prepareDocument(t *testing.T) { { "resource": { "aws_cloudwatch_log_metric_filter": { - "cis_changes_nacl": { - "name": "CIS-4.11-Changes-NACL", + "changes_nacl": { + "name": "Changes-NACL", "pattern": "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }", - "log_group_name": "${aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name}", + "log_group_name": "${aws_cloudwatch_log_group.CloudWatch_LogsGroup.name}", "metric_transformation": { - "name": "CIS-4.11-Changes-NACL", - "namespace": "CIS_Metric_Alarm_Namespace", + "name": "Changes-NACL", + "namespace": "Metric_Alarm_Namespace", "value": "1", "_kics_lines": { "_kics__default": { 
@@ -90,14 +90,14 @@ func TestKics_prepareDocument(t *testing.T) { { "resource": { "aws_cloudwatch_log_metric_filter": { - "cis_changes_nacl": { - "log_group_name": "${aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name}", + "changes_nacl": { + "log_group_name": "${aws_cloudwatch_log_group.CloudWatch_LogsGroup.name}", "metric_transformation": { - "name": "CIS-4.11-Changes-NACL", - "namespace": "CIS_Metric_Alarm_Namespace", + "name": "Changes-NACL", + "namespace": "Metric_Alarm_Namespace", "value": "1" }, - "name": "CIS-4.11-Changes-NACL", + "name": "Changes-NACL", "pattern": "{\"_kics_filter_expr\":{\"_op\":\"||\",\"_left\":{\"_op\":\"||\",\"_left\":{\"_op\":\"||\",\"_left\":{\"_op\":\"||\",\"_left\":{\"_op\":\"||\",\"_left\":{\"_selector\":\"$.eventName\",\"_op\":\"=\",\"_value\":\"CreateNetworkAcl\"},\"_right\":{\"_selector\":\"$.eventName\",\"_op\":\"=\",\"_value\":\"CreateNetworkAclEntry\"}},\"_right\":{\"_selector\":\"$.eventName\",\"_op\":\"=\",\"_value\":\"DeleteNetworkAcl\"}},\"_right\":{\"_selector\":\"$.eventName\",\"_op\":\"=\",\"_value\":\"DeleteNetworkAclEntry\"}},\"_right\":{\"_selector\":\"$.eventName\",\"_op\":\"=\",\"_value\":\"ReplaceNetworkAclEntry\"}},\"_right\":{\"_selector\":\"$.eventName\",\"_op\":\"=\",\"_value\":\"ReplaceNetworkAclAssociation\"}}}" } } diff --git a/pkg/model/summary.go b/pkg/model/summary.go index f2ed7412a20..acca6e2fc61 100644 --- a/pkg/model/summary.go +++ b/pkg/model/summary.go 
@@ -40,24 +40,16 @@ type VulnerableFile struct { // QueryResult contains a query that tested positive ID, name, severity and a list of files that tested vulnerable type QueryResult struct { - QueryName string `json:"query_name"` - QueryID string `json:"query_id"` - QueryURI string `json:"query_url"` - Severity Severity `json:"severity"` - Platform string `json:"platform"` - CloudProvider string `json:"cloud_provider,omitempty"` - Category string `json:"category"` - Description string `json:"description"` - DescriptionID string `json:"description_id"` - CISDescriptionIDFormatted string `json:"cis_description_id,omitempty"` - CISDescriptionTitle string `json:"cis_description_title,omitempty"` - CISDescriptionTextFormatted string `json:"cis_description_text,omitempty"` - CISDescriptionID string `json:"cis_description_id_raw,omitempty"` - CISDescriptionText string `json:"cis_description_text_raw,omitempty"` - CISRationaleText string `json:"cis_description_rationale,omitempty"` - CISBenchmarkName string `json:"cis_benchmark_name,omitempty"` - CISBenchmarkVersion string `json:"cis_benchmark_version,omitempty"` - Files []VulnerableFile `json:"files"` + QueryName string `json:"query_name"` + QueryID string `json:"query_id"` + QueryURI string `json:"query_url"` + Severity Severity `json:"severity"` + Platform string `json:"platform"` + CloudProvider string `json:"cloud_provider,omitempty"` + Category string `json:"category"` + Description string `json:"description"` + DescriptionID string `json:"description_id"` + Files []VulnerableFile `json:"files"` } // QueryResultSlice is a slice of QueryResult diff --git a/pkg/printer/printer.go b/pkg/printer/printer.go index 2e87f0bb724..ec3a5271746 100644 --- a/pkg/printer/printer.go +++ b/pkg/printer/printer.go 
@@ -125,13 +125,7 @@ func PrintResult(summary *model.Summary, failedQueries map[string]error, printer len(summary.Queries[idx].Files), ) if !printer.minimal { - if summary.Queries[idx].CISDescriptionID != "" { - fmt.Printf("%s %s\n", printer.Bold("CIS ID:"), summary.Queries[idx].CISDescriptionIDFormatted) - fmt.Printf("%s %s\n", printer.Bold("Title:"), summary.Queries[idx].CISDescriptionTitle) - fmt.Printf("%s %s\n", printer.Bold("Description:"), summary.Queries[idx].CISDescriptionTextFormatted) - } else { - fmt.Printf("%s %s\n", printer.Bold("Description:"), summary.Queries[idx].Description) - } + fmt.Printf("%s %s\n", printer.Bold("Description:"), summary.Queries[idx].Description) fmt.Printf("%s %s\n\n", printer.Bold("Platform:"), summary.Queries[idx].Platform) } printFiles(&summary.Queries[idx], printer) diff --git a/pkg/report/json.go b/pkg/report/json.go index 749f169b080..eabff6878b8 100644 --- a/pkg/report/json.go +++ b/pkg/report/json.go @@ -11,13 +11,6 @@ func PrintJSONReport(path, filename string, body interface{}) error { if err != nil { return err } - for idx := range summary.Queries { - summary.Queries[idx].CISBenchmarkName = "" - summary.Queries[idx].CISBenchmarkVersion = "" - summary.Queries[idx].CISDescriptionID = "" - summary.Queries[idx].CISDescriptionText = "" - summary.Queries[idx].CISRationaleText = "" - } summary.Version = constants.Version body = summary } diff --git a/pkg/report/model/csv.go b/pkg/report/model/csv.go index 6eee31c4fc9..2dacf5259bd 100644 --- a/pkg/report/model/csv.go +++ b/pkg/report/model/csv.go 
@@ -4,27 +4,24 @@ import "github.com/Checkmarx/kics/pkg/model" // CSVReport struct contains all the info to create the csv report type CSVReport struct { - QueryName string `csv:"query_name"` - QueryID string `csv:"query_id"` - QueryURI string `csv:"query_uri"` - Severity string `csv:"severity"` - Platform string `csv:"platform"` - CloudProvider string `csv:"cloud_provider"` - Category string `csv:"category"` - DescriptionID string `csv:"description_id"` - Description string `csv:"description"` - CISDescriptionIDFormatted string `csv:"cis_description_id"` - CISDescriptionTitle string `csv:"cis_description_title"` - CISDescriptionTextFormatted string `csv:"cis_description_text"` - FileName string `csv:"file_name"` - SimilarityID string `csv:"similarity_id"` - Line int `csv:"line"` - IssueType string `csv:"issue_type"` - SearchKey string `csv:"search_key"` - SearchLine int `csv:"search_line"` - SearchValue string `csv:"search_value"` - ExpectedValue string `csv:"expected_value"` - ActualValue string `csv:"actual_value"` + QueryName string `csv:"query_name"` + QueryID string `csv:"query_id"` + QueryURI string `csv:"query_uri"` + Severity string `csv:"severity"` + Platform string `csv:"platform"` + CloudProvider string `csv:"cloud_provider"` + Category string `csv:"category"` + DescriptionID string `csv:"description_id"` + Description string `csv:"description"` + FileName string `csv:"file_name"` + SimilarityID string `csv:"similarity_id"` + Line int `csv:"line"` + IssueType string `csv:"issue_type"` + SearchKey string `csv:"search_key"` + SearchLine int `csv:"search_line"` + SearchValue string `csv:"search_value"` + ExpectedValue string `csv:"expected_value"` + ActualValue string `csv:"actual_value"` } // BuildCSVReport builds the CSV report 
@@ -34,27 +31,24 @@ func BuildCSVReport(summary *model.Summary) []CSVReport { for i := range summary.Queries { for j := range summary.Queries[i].Files { csvReport = append(csvReport, CSVReport{ - QueryName: summary.Queries[i].QueryName, - QueryID: summary.Queries[i].QueryID, - QueryURI: summary.Queries[i].QueryURI, - Severity: string(summary.Queries[i].Severity), - Platform: summary.Queries[i].Platform, - CloudProvider: summary.Queries[i].CloudProvider, - Category: summary.Queries[i].Category, - DescriptionID: summary.Queries[i].DescriptionID, - Description: summary.Queries[i].Description, - CISDescriptionIDFormatted: summary.Queries[i].CISDescriptionIDFormatted, - CISDescriptionTitle: summary.Queries[i].CISDescriptionTitle, - CISDescriptionTextFormatted: summary.Queries[i].CISDescriptionTextFormatted, - FileName: summary.Queries[i].Files[j].FileName, - SimilarityID: summary.Queries[i].Files[j].SimilarityID, - Line: summary.Queries[i].Files[j].Line, - IssueType: string(summary.Queries[i].Files[j].IssueType), - SearchKey: summary.Queries[i].Files[j].SearchKey, - SearchLine: summary.Queries[i].Files[j].SearchLine, - SearchValue: summary.Queries[i].Files[j].SearchValue, - ExpectedValue: summary.Queries[i].Files[j].KeyExpectedValue, - ActualValue: summary.Queries[i].Files[j].KeyActualValue, + QueryName: summary.Queries[i].QueryName, + QueryID: summary.Queries[i].QueryID, + QueryURI: summary.Queries[i].QueryURI, + Severity: string(summary.Queries[i].Severity), + Platform: summary.Queries[i].Platform, + CloudProvider: summary.Queries[i].CloudProvider, + Category: summary.Queries[i].Category, + DescriptionID: summary.Queries[i].DescriptionID, + Description: summary.Queries[i].Description, + FileName: summary.Queries[i].Files[j].FileName, + SimilarityID: summary.Queries[i].Files[j].SimilarityID, + Line: summary.Queries[i].Files[j].Line, + IssueType: string(summary.Queries[i].Files[j].IssueType), + SearchKey: summary.Queries[i].Files[j].SearchKey, + SearchLine: 
summary.Queries[i].Files[j].SearchLine, + SearchValue: summary.Queries[i].Files[j].SearchValue, + ExpectedValue: summary.Queries[i].Files[j].KeyExpectedValue, + ActualValue: summary.Queries[i].Files[j].KeyActualValue, }) } } diff --git a/pkg/report/model/csv_test.go b/pkg/report/model/csv_test.go index bf706690f9b..885c3945368 100644 --- a/pkg/report/model/csv_test.go +++ b/pkg/report/model/csv_test.go 
@@ -19,36 +19,30 @@ func TestBuildCSVReport(t *testing.T) { summary: test.SummaryMock, want: []CSVReport{ { - QueryName: "ALB protocol is HTTP", - QueryID: "de7f5e83-da88-4046-871f-ea18504b1d43", - Severity: model.SeverityHigh, - DescriptionID: "504b1d43", - Description: "ALB protocol is HTTP Description", - CISDescriptionIDFormatted: "testCISID", - CISDescriptionTitle: "testCISTitle", - CISDescriptionTextFormatted: "testCISDescription", - FileName: "positive.tf", - Line: 25, - IssueType: "MissingAttribute", - SearchKey: "aws_alb_listener[front_end].default_action.redirect", - ExpectedValue: "'default_action.redirect.protocol' is equal 'HTTPS'", - ActualValue: "'default_action.redirect.protocol' is missing", + QueryName: "ALB protocol is HTTP", + QueryID: "de7f5e83-da88-4046-871f-ea18504b1d43", + Severity: model.SeverityHigh, + DescriptionID: "504b1d43", + Description: "ALB protocol is HTTP Description", + FileName: "positive.tf", + Line: 25, + IssueType: "MissingAttribute", + SearchKey: "aws_alb_listener[front_end].default_action.redirect", + ExpectedValue: "'default_action.redirect.protocol' is equal 'HTTPS'", + ActualValue: "'default_action.redirect.protocol' is missing", }, { - QueryName: "ALB protocol is HTTP", - QueryID: "de7f5e83-da88-4046-871f-ea18504b1d43", - Severity: model.SeverityHigh, - DescriptionID: "504b1d43", - Description: "ALB protocol is HTTP Description", - CISDescriptionIDFormatted: "testCISID", - CISDescriptionTitle: "testCISTitle", - CISDescriptionTextFormatted: "testCISDescription", - FileName: "positive.tf", - Line: 19, - IssueType: "IncorrectValue", - SearchKey: "aws_alb_listener[front_end].default_action.redirect", - ExpectedValue: "'default_action.redirect.protocol' is equal 'HTTPS'", - ActualValue: "'default_action.redirect.protocol' is equal 'HTTP'", + QueryName: "ALB protocol is HTTP", + QueryID: "de7f5e83-da88-4046-871f-ea18504b1d43", + Severity: model.SeverityHigh, + DescriptionID: "504b1d43", + Description: "ALB protocol is HTTP 
Description", + FileName: "positive.tf", + Line: 19, + IssueType: "IncorrectValue", + SearchKey: "aws_alb_listener[front_end].default_action.redirect", + ExpectedValue: "'default_action.redirect.protocol' is equal 'HTTPS'", + ActualValue: "'default_action.redirect.protocol' is equal 'HTTP'", }, }, }, diff --git a/pkg/report/model/cyclonedx.go b/pkg/report/model/cyclonedx.go index 3aa3af32043..6e14d559d6c 100644 --- a/pkg/report/model/cyclonedx.go +++ b/pkg/report/model/cyclonedx.go @@ -148,10 +148,6 @@ func getPurl(filePath, version string) string { func getDescription(query *model.QueryResult, format string) string { queryDescription := query.Description - if query.CISDescriptionTextFormatted != "" { - queryDescription = query.CISDescriptionTextFormatted - } - if format == "asff" { return queryDescription } diff --git a/pkg/report/model/gitlab_sast.go b/pkg/report/model/gitlab_sast.go index 0d48bd2fed9..d3ca1fff845 100644 --- a/pkg/report/model/gitlab_sast.go +++ b/pkg/report/model/gitlab_sast.go @@ -144,13 +144,6 @@ func (glsr *gitlabSASTReport) BuildGitlabSASTVulnerability(issue *model.QueryRes }, }, } - if issue.CISDescriptionID != "" { - vulnerability.Message = issue.CISDescriptionTextFormatted - vulnerability.Details = gitlabSASTVulnerabilityDetails{ - "cisTitle": issue.CISDescriptionTitle, - "cisId": issue.CISDescriptionIDFormatted, - } - } glsr.Vulnerabilities = append(glsr.Vulnerabilities, vulnerability) } } diff --git a/pkg/report/model/junit.go b/pkg/report/model/junit.go index a65812f8f38..7ef9ea9001b 100644 --- a/pkg/report/model/junit.go +++ b/pkg/report/model/junit.go 
@@ -58,9 +58,6 @@ func NewJUnitReport(time string) JUnitReport { // GenerateTestEntry generates a new test entry for failed tests on KICS scan func (jUnit *junitTestSuites) GenerateTestEntry(query *model.QueryResult) { queryDescription := query.Description - if query.CISDescriptionTextFormatted != "" { - queryDescription = query.CISDescriptionTextFormatted - } failedTestCases := []junitTestCase{} diff --git a/pkg/report/model/sarif.go b/pkg/report/model/sarif.go index b0cc8a9b61f..3c393845f95 100644 --- a/pkg/report/model/sarif.go +++ b/pkg/report/model/sarif.go @@ -34,12 +34,6 @@ type ruleMetadata struct { severity model.Severity } -type ruleCISMetadata struct { - descriptionText string - id string - title string -} - type sarifMessage struct { Text string `json:"text"` } @@ -232,7 +226,7 @@ func (sr *sarifReport) findSarifRuleIndex(ruleID string) int { return -1 } -func (sr *sarifReport) buildSarifRule(queryMetadata *ruleMetadata, cisMetadata ruleCISMetadata) int { +func (sr *sarifReport) buildSarifRule(queryMetadata *ruleMetadata) int { index := sr.findSarifRuleIndex(queryMetadata.queryID) if index < 0 { helpURI := "https://docs.kics.io/" @@ -249,13 +243,6 @@ func (sr *sarifReport) buildSarifRule(queryMetadata *ruleMetadata, cisMetadata r HelpURI: helpURI, RuleProperties: nil, } - if cisMetadata.id != "" { - rule.RuleFullDescription.Text = cisMetadata.descriptionText - rule.RuleProperties = sarifProperties{ - "cisId": cisMetadata.id, - "cisTitle": cisMetadata.title, - } - } sr.Runs[0].Tool.Driver.Rules = append(sr.Runs[0].Tool.Driver.Rules, rule) index = len(sr.Runs[0].Tool.Driver.Rules) - 1 
@@ -274,12 +261,7 @@ func (sr *sarifReport) BuildSarifIssue(issue *model.QueryResult) { queryCategory: issue.Category, severity: issue.Severity, } - cisDescriptions := ruleCISMetadata{ - id: issue.CISDescriptionIDFormatted, - title: issue.CISDescriptionTitle, - descriptionText: issue.CISDescriptionTextFormatted, - } - ruleIndex := sr.buildSarifRule(&metadata, cisDescriptions) + ruleIndex := sr.buildSarifRule(&metadata) kind := "fail" if severityLevelEquivalence[issue.Severity] == "none" { diff --git a/pkg/report/model/sonarqube.go b/pkg/report/model/sonarqube.go index dc2c83b97e1..74bf670347f 100644 --- a/pkg/report/model/sonarqube.go +++ b/pkg/report/model/sonarqube.go @@ -107,9 +107,6 @@ func buildSecondaryLocation(query *model.QueryResult) []*Location { // buildLocation builds the location for the SonarQube Report func buildLocation(index int, query *model.QueryResult) *Location { message := query.Description - if query.CISDescriptionID != "" { - message = query.CISDescriptionID - } return &Location{ Message: message, FilePath: query.Files[index].FileName, diff --git a/pkg/report/pdf.go b/pkg/report/pdf.go index 57416c78d48..6852f1415a3 100644 --- a/pkg/report/pdf.go +++ b/pkg/report/pdf.go @@ -32,7 +32,6 @@ const ( colFour = 4 colFive = 5 colSix = 6 - colEight = 8 colNine = 9 colTen = 10 colFullPage = 12 @@ -120,11 +119,8 @@ func createQueriesTable(m pdf.Maroto, queries []model.QueryResult) error { m.Row(colFive, func() { createQueryEntryMetadataField(m, "Category", category, defaultTextSize) }) - if queries[i].CISDescriptionID != "" { - createCISRows(m, &queries[i]) - } else { - createDescription(m, description) - } + + createDescription(m, description) createResultsTable(m, &queries[i]) } return nil 
@@ -155,48 +151,6 @@ func createDescription(m pdf.Maroto, description string) { }) } -func createCISRows(m pdf.Maroto, query *model.QueryResult) { - cisID := query.CISDescriptionIDFormatted - description := query.CISDescriptionTextFormatted - title := query.CISDescriptionTitle - - m.Row(colFive, func() { - m.Col(colTwo, func() { - m.Text("CIS ID", props.Text{ - Size: float64(defaultTextSize), - Align: consts.Left, - Style: consts.Bold, - Extrapolate: false, - }) - }) - m.Col(colEight, func() { - m.Text(cisID, props.Text{ - Size: float64(defaultTextSize), - Align: consts.Left, - Extrapolate: false, - }) - }) - }) - m.Row(colFive, func() { - m.Col(colTwo, func() { - m.Text("Title", props.Text{ - Size: float64(defaultTextSize), - Align: consts.Left, - Style: consts.Bold, - Extrapolate: false, - }) - }) - m.Col(colEight, func() { - m.Text(title, props.Text{ - Size: float64(defaultTextSize), - Align: consts.Left, - Extrapolate: false, - }) - }) - }) - createDescription(m, description) -} - func getRowLength(value string) float64 { length := float64(len(value)) x := 2.5 diff --git a/pkg/report/template/html/report.tmpl b/pkg/report/template/html/report.tmpl index 41e79fafaf6..884723b7fd9 100644 --- a/pkg/report/template/html/report.tmpl +++ b/pkg/report/template/html/report.tmpl @@ -75,14 +75,7 @@ Category: {{ .Category }}

- {{- if not .CISDescriptionID -}} {{ .Description }} - {{- end -}} - {{- if .CISDescriptionID -}} - {{ .CISDescriptionIDFormatted }} - {{ .CISDescriptionTitle }} - {{ .CISDescriptionTextFormatted }} - {{- end -}} {{ .QueryURI }}
diff --git a/pkg/scan/client.go b/pkg/scan/client.go index 597f4626238..4fbed0bd483 100644 --- a/pkg/scan/client.go +++ b/pkg/scan/client.go @@ -6,17 +6,16 @@ import ( "github.com/Checkmarx/kics/internal/storage" "github.com/Checkmarx/kics/internal/tracker" - "github.com/Checkmarx/kics/pkg/descriptions" consolePrinter "github.com/Checkmarx/kics/pkg/printer" "github.com/Checkmarx/kics/pkg/progress" + "github.com/Checkmarx/kics/pkg/telemetry" "github.com/rs/zerolog/log" ) // Parameters represents all available scan parameters type Parameters struct { CloudProvider []string - DisableCISDesc bool - DisableFullDesc bool + DisableTelemetry bool ExcludeCategories []string ExcludePaths []string ExcludeQueries []string @@ -64,7 +63,7 @@ func NewClient(params *Parameters, proBarBuilder *progress.PbBuilder, customPrin return nil, err } - descriptions.CheckVersion(t) + telemetry.CheckVersion(t) store := storage.NewMemoryStorage() diff --git a/pkg/scan/post_scan.go b/pkg/scan/post_scan.go index 702c6065d2c..009700fc329 100644 --- a/pkg/scan/post_scan.go +++ b/pkg/scan/post_scan.go @@ -8,12 +8,12 @@ import ( "time" consoleHelpers "github.com/Checkmarx/kics/internal/console/helpers" - "github.com/Checkmarx/kics/pkg/descriptions" "github.com/Checkmarx/kics/pkg/engine/provider" "github.com/Checkmarx/kics/pkg/model" consolePrinter "github.com/Checkmarx/kics/pkg/printer" "github.com/Checkmarx/kics/pkg/progress" "github.com/Checkmarx/kics/pkg/report" + "github.com/Checkmarx/kics/pkg/telemetry" "github.com/rs/zerolog/log" ) 
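Review bot: `telemetry.CheckVersion(t)` in `NewClient` (the `@@ -64,7 +63,7 @@` hunk of pkg/scan/client.go) is called without consulting `params.DisableTelemetry`; the surrounding context lines show no guard, and the `HTTPTelemetry` interface later in this diff exposes `CheckLatestVersion`, which suggests this call reaches the network. If that is so, the new flag does not cover every outbound request even though its usage text says it disables telemetry requests; `if !params.DisableTelemetry { telemetry.CheckVersion(t) }` would close the gap, or if the guard lives outside the hunk, a one-line comment at the call site saying so. Dropping `DisableCISDesc` and `DisableFullDesc` from the exported `Parameters` struct in the first hunk is also a compile break for anyone using `pkg/scan` as a library and deserves a changelog line. NewClient starts before and ends after its hunk.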
@@ -34,13 +34,12 @@ func (c *Client) getSummary(results []model.Vulnerability, end time.Time, pathPa
 End: end,
 }
 
- if c.ScanParams.DisableCISDesc || c.ScanParams.DisableFullDesc {
- log.Warn().Msg("Skipping CIS descriptions because provided disable flag is set")
+ if c.ScanParams.DisableTelemetry {
+ log.Warn().Msg("Skipping all telemetry because provided disable flag is set")
 } else {
- err := descriptions.RequestAndOverrideDescriptions(&summary)
+ err := telemetry.TelemetryRequest(&summary)
 if err != nil {
- log.Warn().Msgf("Unable to get descriptions: %s", err)
- log.Warn().Msgf("Using default descriptions")
+ log.Warn().Msgf("Unable to request for telemetry update: %s", err)
 }
 }
 
diff --git a/pkg/scan/post_scan_test.go b/pkg/scan/post_scan_test.go
index 44db6128d9a..ee3c360c15b 100644
--- a/pkg/scan/post_scan_test.go
+++ b/pkg/scan/post_scan_test.go
@@ -41,8 +41,7 @@ func Test_GetSummary(t *testing.T) {
 },
 },
 scanParameters: Parameters{
- DisableCISDesc: false,
- DisableFullDesc: false,
+ DisableTelemetry: false,
 },
 results: []model.Vulnerability{
 {
diff --git a/pkg/descriptions/client.go b/pkg/telemetry/client.go
similarity index 77%
rename from pkg/descriptions/client.go
rename to pkg/telemetry/client.go
index 5ffb8f72ff1..5ecaac7fc80 100644
--- a/pkg/descriptions/client.go
+++ b/pkg/telemetry/client.go
@@ -1,4 +1,5 @@
-package descriptions
+// Package telemetry provides functionality for telemetry
+package telemetry
 
 import (
 "bytes"
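Review bot: `telemetry.TelemetryRequest(&summary)` stutters the package name; `telemetry.Request` or `telemetry.Send` reads better at the call site. A user who set `--disable-telemetry` deliberately should not be warned for it on every scan, so the new branch fits `log.Info().Msg("Telemetry disabled by flag")` (or Debug) better than `Warn`, and the failure message reads more naturally as `"Unable to send telemetry: %s"`. Since the call takes the whole summary by pointer but, unlike the removed `RequestAndOverrideDescriptions`, presumably no longer modifies it, a short comment stating whether `summary` is read-only here would spare the next reader from checking. getSummary starts before and ends after this hunk.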
@@ -11,22 +12,12 @@ import (
 "time"
 "github.com/Checkmarx/kics/internal/constants"
- descModel "github.com/Checkmarx/kics/pkg/descriptions/model"
 "github.com/Checkmarx/kics/pkg/model"
+ telemetryModel "github.com/Checkmarx/kics/pkg/telemetry/model"
 "github.com/rs/zerolog/log"
 )
 var (
- //
- // The requested description content is CIS Proprietary Content owned
- // by CIS Center for Internet Security Inc. (cissecurity.org)
- //
- // Apache License 2.0 shall not apply to any content generated by KICS
- // which is marked as being “Proprietary to CIS” (the “CIS Proprietary Content”).
- //
- // The CIS Proprietary Content is exclusively owned by the Center for Internet Security, Inc.
- // and you are granted a limited, non-exclusively, non-transferable, non-sublicensable license
- // to view the CIS Proprietary Content in connection with your use of KICS
 //
 // ***************************************************
 // * HARDCODED authKey is NOT FOR SECURITY PURPOSES *
@@ -53,14 +44,14 @@ type HTTPClient interface {
 Do(req *http.Request) (*http.Response, error)
 }
-// HTTPDescription - HTTP client interface to use for requesting descriptions
-type HTTPDescription interface {
+// HTTPTelemetry - HTTP client interface to use for requesting telemetry
+type HTTPTelemetry interface {
 CheckConnection() error
- RequestDescriptions(descriptionIDs []string) (map[string]descModel.CISDescriptions, error)
+ RequestUpdateTelemetry([]string) (map[string]telemetryModel.Descriptions, error)
 CheckLatestVersion(version string) (model.Version, error)
 }
-// Client - client for making CIS descriptions requests
+// Client - client for making telemetry requests
 type Client struct {
 }
@@ -97,7 +88,7 @@ func (c *Client) CheckLatestVersion(version string) (model.Version, error) {
 }
 endpointURL := fmt.Sprintf("%s/api/%s", baseURL, "version")
- versionRequest := descModel.VersionRequest{
+ versionRequest := telemetryModel.VersionRequest{
 Version: version,
 }
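Review bot: The interface method `RequestUpdateTelemetry([]string) (map[string]telemetryModel.Descriptions, error)` drops the parameter name that the replaced `RequestDescriptions(descriptionIDs []string)` had and that the concrete method and the mock still use, so the interface alone no longer says what the slice holds; `RequestUpdateTelemetry(descriptionIDs []string) (map[string]telemetryModel.Descriptions, error)` keeps the three declarations consistent. The doc comment on `HTTPTelemetry` would also benefit from naming what the two request methods send, since that contract is what the mock in client_mock.go stands in for.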
@@ -137,8 +128,8 @@ func (c *Client) CheckLatestVersion(version string) (model.Version, error) {
 return VersionResponse, nil
 }
-// RequestDescriptions - gets CIS descriptions from endpoint
-func (c *Client) RequestDescriptions(descriptionIDs []string) (map[string]descModel.CISDescriptions, error) {
+// RequestUpdateTelemetry - send telemetry request
+func (c *Client) RequestUpdateTelemetry(descriptionIDs []string) (map[string]telemetryModel.Descriptions, error) {
 baseURL, err := getBaseURL()
 if err != nil {
 log.Debug().Msg("Unable to get baseURL")
@@ -147,7 +138,7 @@ func (c *Client) RequestDescriptions(descriptionIDs []string) (map[string]descMo
 endpointURL := fmt.Sprintf("%s/api/%s", baseURL, "descriptions")
- descriptionRequest := descModel.DescriptionRequest{
+ descriptionRequest := telemetryModel.DescriptionRequest{
 Version: constants.Version,
 DescriptionIDs: descriptionIDs,
 }
@@ -165,11 +156,11 @@ func (c *Client) RequestDescriptions(descriptionIDs []string) (map[string]descMo
 req.Header.Add("Content-Type", "application/json")
 req.Header.Add("Authorization", fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte(getBasicAuth()))))
- log.Debug().Msgf("HTTP POST to descriptions endpoint")
+ log.Debug().Msgf("HTTP POST to telemetry endpoint")
 startTime := time.Now()
 resp, err := doRequest(req)
 if err != nil {
- log.Err(err).Msgf("Unable to POST to descriptions endpoint")
+ log.Err(err).Msgf("Unable to POST to telemetry endpoint")
 return nil, err
 }
 defer func() {
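Review bot: The log lines now say "telemetry endpoint" while the request still targets `fmt.Sprintf("%s/api/%s", baseURL, "descriptions")`, and client_test.go still configures it through `KICS_DESCRIPTIONS_ENDPOINT`, so anyone correlating debug logs with outbound traffic sees two names for one path. If the server path cannot change, a comment on the endpointURL line such as `// the telemetry service still serves the legacy "descriptions" path` documents that; otherwise the path and env var should follow the rename. The doc comment `// RequestUpdateTelemetry - send telemetry request` should also state what is sent, the caller-supplied descriptionIDs plus `constants.Version` per the DescriptionRequest literal, since that payload is what users are opting out of with DisableTelemetry. RequestUpdateTelemetry's body continues outside these hunks.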
@@ -186,14 +177,14 @@ func (c *Client) RequestDescriptions(descriptionIDs []string) (map[string]descMo
 return nil, err
 }
- var getDescriptionsResponse descModel.DescriptionResponse
- err = json.Unmarshal(b, &getDescriptionsResponse)
+ var getTelemetryResponse telemetryModel.DescriptionResponse
+ err = json.Unmarshal(b, &getTelemetryResponse)
 if err != nil {
 log.Err(err).Msg("Unable to unmarshal response body")
 return nil, err
 }
- return getDescriptionsResponse.Descriptions, nil
+ return getTelemetryResponse.Descriptions, nil
 }
 // doRequest - make HTTP request
diff --git a/pkg/descriptions/client_test.go b/pkg/telemetry/client_test.go
similarity index 76%
rename from pkg/descriptions/client_test.go
rename to pkg/telemetry/client_test.go
index f49ce143ed7..65a00a434d2 100644
--- a/pkg/descriptions/client_test.go
+++ b/pkg/telemetry/client_test.go
@@ -1,4 +1,4 @@
-package descriptions
+package telemetry
 import (
 "bytes"
@@ -8,31 +8,13 @@ import (
 "os"
 "testing"
- mockclient "github.com/Checkmarx/kics/pkg/descriptions/mock"
+ mockclient "github.com/Checkmarx/kics/pkg/telemetry/mock"
 "github.com/stretchr/testify/require"
 )
 var (
 responseJSON = `{
 "descriptions": {
- "foo1": {
- "cisDescriptionText": "",
- "cisDescriptionID": "",
- "cisDescriptionRuleID": "",
- "cisDescriptionTitle": "",
- "cisRationaleText": "",
- "cisBenchmarkName": "",
- "cisBenchmarkVersion": ""
- },
- "foo2": {
- "cisDescriptionText": "",
- "cisDescriptionID": "",
- "cisDescriptionRuleID": "",
- "cisDescriptionTitle": "",
- "cisRationaleText": "",
- "cisBenchmarkName": "",
- "cisBenchmarkVersion": ""
- }
 }
 }`
 )
@@ -55,14 +37,14 @@ func TestClient_RequestDescriptions(t *testing.T) {
 Body: r,
 }, nil
 }
- descClient := Client{}
- descriptions, err := descClient.RequestDescriptions([]string{
+ telemetryClient := Client{}
+ descriptionIDs := []string{
 "foo1",
 "foo2",
 "foo3",
- })
- require.NoError(t, err, "RequestDescriptions() should not return an error")
- require.NotNil(t, descriptions, "RequestDescriptions() should return a description map")
+ }
+ _, err := telemetryClient.RequestUpdateTelemetry(descriptionIDs)
+ require.NoError(t, err, "RequestUpdateTelemetry() should not return an error")
 t.Cleanup(func() {
 os.Setenv("KICS_DESCRIPTIONS_ENDPOINT", "")
 })
@@ -122,8 +104,8 @@ func TestClient_CheckLatestVersion(t *testing.T) {
 Body: r,
 }, nil
 }
- descClient := Client{}
- version, err := descClient.CheckLatestVersion("1.4.0")
+ telemetryClient := Client{}
+ version, err := telemetryClient.CheckLatestVersion("1.4.0")
 require.NoError(t, err, "CheckLatestVersion() should not return an error")
 require.NotNil(t, version, "CheckLatestVersion() should return a version check")
 t.Cleanup(func() {
diff --git a/pkg/descriptions/mock/client_mock.go b/pkg/telemetry/mock/client_mock.go
similarity index 63%
rename from pkg/descriptions/mock/client_mock.go
rename to pkg/telemetry/mock/client_mock.go
index 6ec54f20da3..35ed5b33647 100644
--- a/pkg/descriptions/mock/client_mock.go
+++ b/pkg/telemetry/mock/client_mock.go
@@ -3,8 +3,8 @@ package mockclient
 import (
 "net/http"
- "github.com/Checkmarx/kics/pkg/descriptions/model"
 genModel "github.com/Checkmarx/kics/pkg/model"
+ "github.com/Checkmarx/kics/pkg/telemetry/model"
 )
 // MockHTTPClient - the mock http client
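Review bot: `TestClient_RequestDescriptions` now discards the returned map (`_, err := telemetryClient.RequestUpdateTelemetry(descriptionIDs)`) and the `require.NotNil` on it is gone, while the responseJSON fixture in the earlier hunk was emptied to `"descriptions": {}`, so the test no longer checks that a response entry decodes into the new `Descriptions` model with its `descriptionRuleID`/`descriptionTitle`/`descriptionText` tags; keeping one populated entry in the fixture and asserting `require.Len(t, descriptions, 1)` would restore that. The test name still says RequestDescriptions and should follow the method rename, `func TestClient_RequestUpdateTelemetry(t *testing.T) {`. The test function starts outside the hunk.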
@@ -17,23 +17,23 @@ func (m *MockHTTPClient) Do(req *http.Request) (*http.Response, error) {
 return GetDoFunc(req)
 }
-// MockDescriptionsClient - the mock CIS descriptions client
-type MockDescriptionsClient struct {
- RequestDescriptionsFunc func(descriptionIDs []string) (map[string]model.CISDescriptions, error)
+// MockTelemetryClient - the mock telemetry client
+type MockTelemetryClient struct {
+ RequestUpdateTelemetryFunc func(descriptionIDs []string) (map[string]model.Descriptions, error)
 }
-// RequestDescriptions - mock descriptions client request descriptions function
-func (m *MockDescriptionsClient) RequestDescriptions(descriptionIDs []string) (map[string]model.CISDescriptions, error) {
+// RequestDescriptions - mock telemetry client request telemetry function
+func (m *MockTelemetryClient) RequestUpdateTelemetry(descriptionIDs []string) (map[string]model.Descriptions, error) {
 return GetDescriptions(descriptionIDs)
 }
-// CheckConnection - mock CIS descriptions client check connection function
-func (m *MockDescriptionsClient) CheckConnection() error {
+// CheckConnection - mock telemetry client check connection function
+func (m *MockTelemetryClient) CheckConnection() error {
 return CheckConnection()
 }
 // CheckLatestVersion - mock client request version function
-func (m *MockDescriptionsClient) CheckLatestVersion(version string) (genModel.Version, error) {
+func (m *MockTelemetryClient) CheckLatestVersion(version string) (genModel.Version, error) {
 return CheckVersion(version)
 }
@@ -43,7 +43,7 @@ var (
 // CheckConnection - mock client's `CheckConnection` func
 CheckConnection func() error
 // GetDescriptions - mock client's `RequestDescriptions` func
- GetDescriptions func(descriptionIDs []string) (map[string]model.CISDescriptions, error)
+ GetDescriptions func(descriptionIDs []string) (map[string]model.Descriptions, error)
 // CheckVersion mock client's `CheckLatestVersion` func
 CheckVersion func(version string) (genModel.Version, error)
 )
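Review bot: The doc comment above the renamed mock method still reads `// RequestDescriptions - mock telemetry client request telemetry function`, so it no longer starts with the name of the function it documents (staticcheck/golint flag this); `// RequestUpdateTelemetry - mock telemetry client request telemetry function`. The `RequestUpdateTelemetryFunc` field added to MockTelemetryClient is never read, since the method delegates to the package-level `GetDescriptions` var, so either the field or the var is dead; the var's comment in the second hunk also still refers to RequestDescriptions and should name RequestUpdateTelemetry instead.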
diff --git a/pkg/telemetry/model/model.go b/pkg/telemetry/model/model.go
new file mode 100644
index 00000000000..03200daa37e
--- /dev/null
+++ b/pkg/telemetry/model/model.go
@@ -0,0 +1,27 @@
+// Package model provides a model for the telemetry request
+package model
+
+// DescriptionRequest - is the model for the description request
+type DescriptionRequest struct {
+ DescriptionIDs []string `json:"descriptions"`
+ Version string `json:"version"`
+}
+
+// Descriptions - is the model for the description response
+type Descriptions struct {
+ DescriptionID string `json:"descriptionRuleID"`
+ DescriptionTitle string `json:"descriptionTitle"`
+ DescriptionText string `json:"descriptionText"`
+}
+
+// DescriptionResponse - is the model for the description response
+type DescriptionResponse struct {
+ ID string `json:"RequestID"`
+ Descriptions map[string]Descriptions `json:"Descriptions"`
+ Timestamp string `json:"Timestamp"`
+}
+
+// VersionRequest - is the model for the version request
+type VersionRequest struct {
+ Version string `json:"version"`
+}
diff --git a/pkg/telemetry/telemetry.go b/pkg/telemetry/telemetry.go
new file mode 100644
index 00000000000..1461cb6a95d
--- /dev/null
+++ b/pkg/telemetry/telemetry.go
@@ -0,0 +1,27 @@
+// Package telemetry provides functionality for telemetry
+package telemetry
+
+import "github.com/Checkmarx/kics/pkg/model"
+
+var (
+ telemetryClient HTTPTelemetry = &Client{}
+)
+
+// TelemetryRequest - Request to update telemetry
+func TelemetryRequest(summary *model.Summary) error {
+ descriptionIDs := make([]string, 0)
+ for idx := range summary.Queries {
+ descriptionIDs = append(descriptionIDs, summary.Queries[idx].DescriptionID)
+ }
+
+ if err := telemetryClient.CheckConnection(); err != nil {
+ return err
+ }
+
+ _, err := telemetryClient.RequestUpdateTelemetry(descriptionIDs)
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
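Review bot: `Descriptions` and `DescriptionResponse` carry the identical doc comment, `// Descriptions - is the model for the description response`, so one of them is wrong; `// Descriptions - one entry of the telemetry response body` and `// DescriptionResponse - the full telemetry response body` would tell them apart. `DescriptionID` is tagged `json:"descriptionRuleID"` while its siblings are tagged after their own field names, which reads like a leftover from the old CIS model unless the server really emits that key; a comment saying so would stop the next reader from "fixing" it. The capitalised `RequestID`/`Descriptions`/`Timestamp` tags decode fine because encoding/json matches case-insensitively, but they would be emitted capitalised if this struct is ever marshalled, so noting that DescriptionResponse is decode-only is worthwhile.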
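Review bot: `TelemetryRequest` discards the `map[string]telemetryModel.Descriptions` returned by `RequestUpdateTelemetry` (`_, err := ...`), so the only caller of the new interface method ignores its result and client.go decodes the response body for nothing; either drop the map from the HTTPTelemetry interface or note why it is kept, e.g. `// response descriptions are decoded but currently unused`. The exported name stutters at the call site as `telemetry.TelemetryRequest`; `telemetry.Send` or `telemetry.Request` reads better. The doc comment `// TelemetryRequest - Request to update telemetry` should say what leaves the machine, the `DescriptionID` of every query in the summary plus the KICS version (per the DescriptionRequest literal in client.go), since that is the data DisableTelemetry opts out of. `make([]string, 0, len(summary.Queries))` avoids regrowing the slice.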
diff --git a/pkg/descriptions/descriptions_test.go b/pkg/telemetry/telemetry_test.go
similarity index 50%
rename from pkg/descriptions/descriptions_test.go
rename to pkg/telemetry/telemetry_test.go
index 91dc3e596fc..a1dd6c15ce6 100644
--- a/pkg/descriptions/descriptions_test.go
+++ b/pkg/telemetry/telemetry_test.go
@@ -1,39 +1,12 @@
-package descriptions
+package telemetry
 import (
 "os"
 "testing"
- mockclient "github.com/Checkmarx/kics/pkg/descriptions/mock"
- "github.com/Checkmarx/kics/pkg/descriptions/model"
- "github.com/Checkmarx/kics/test"
 "github.com/stretchr/testify/require"
 )
-func TestRequestAndOverrideDescriptions_NoBaseURL(t *testing.T) {
- mock := test.SummaryMock
- descClient = &mockclient.MockDescriptionsClient{}
- mockclient.CheckConnection = func() error {
- return nil
- }
- mockclient.GetDescriptions = func(descriptionIDs []string) (map[string]model.CISDescriptions, error) {
- return map[string]model.CISDescriptions{
- "504b1d43": {
- DescriptionID: "1",
- DescriptionTitle: "my title",
- RationaleText: "my rattionale",
- },
- }, nil
- }
- err := RequestAndOverrideDescriptions(&mock)
- require.NoError(t, err, "Expected error")
- for _, query := range mock.Queries {
- if query.DescriptionID == "504b1d43" {
- require.Equal(t, "my title", query.CISDescriptionTitle, "Expected cis description to be equal")
- }
- }
-}
 func Test_CheckConnection(t *testing.T) {
 tests := []struct {
 name string
diff --git a/pkg/descriptions/version.go b/pkg/telemetry/version.go
similarity index 69%
rename from pkg/descriptions/version.go
rename to pkg/telemetry/version.go
index 362214d0443..2752bfed45e 100644
--- a/pkg/descriptions/version.go
+++ b/pkg/telemetry/version.go
@@ -1,4 +1,5 @@
-package descriptions
+// Package telemetry provides functionality for telemetry
+package telemetry
 import (
 "github.com/Checkmarx/kics/internal/constants"
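Review bot: `TestRequestAndOverrideDescriptions_NoBaseURL` is deleted without a replacement, so `TelemetryRequest`, the new entry point called from getSummary, has no test in this package even though the mock it needs (`mockclient.MockTelemetryClient`, `mockclient.CheckConnection`, `mockclient.GetDescriptions`) survives the rename. A test that assigns `telemetryClient = &mockclient.MockTelemetryClient{}`, captures the `descriptionIDs` slice passed to `mockclient.GetDescriptions`, and asserts it equals the DescriptionID of each query in `test.SummaryMock` would cover the happy path; a second case returning an error from `mockclient.CheckConnection` would cover the early return. This matters because the payload contents are the behaviour users rely on when deciding whether to set DisableTelemetry.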
@@ -12,12 +13,12 @@ func CheckVersion(t *tracker.CITracker) {
 Latest: true,
 }
- if err := descClient.CheckConnection(); err != nil {
+ if err := telemetryClient.CheckConnection(); err != nil {
 t.TrackVersion(baseVersionInfo)
 return
 }
- versionInfo, err := descClient.CheckLatestVersion(constants.Version)
+ versionInfo, err := telemetryClient.CheckLatestVersion(constants.Version)
 if err != nil {
 t.TrackVersion(baseVersionInfo)
 return
diff --git a/pkg/descriptions/version_test.go b/pkg/telemetry/version_test.go
similarity index 88%
rename from pkg/descriptions/version_test.go
rename to pkg/telemetry/version_test.go
index f34dc17d514..ee5e0473739 100644
--- a/pkg/descriptions/version_test.go
+++ b/pkg/telemetry/version_test.go
@@ -1,18 +1,18 @@
-package descriptions
+package telemetry
 import (
 "errors"
 "testing"
 "github.com/Checkmarx/kics/internal/tracker"
- mockclient "github.com/Checkmarx/kics/pkg/descriptions/mock"
 "github.com/Checkmarx/kics/pkg/model"
+ mockclient "github.com/Checkmarx/kics/pkg/telemetry/mock"
 "github.com/stretchr/testify/require"
 )
 func TestDescriptions_CheckVersion(t *testing.T) {
 mt := &tracker.CITracker{}
- descClient = &mockclient.MockDescriptionsClient{}
+ telemetryClient = &mockclient.MockTelemetryClient{}
 mockclient.CheckConnection = func() error {
 return nil
 }
diff --git a/test/helpers.go b/test/helpers.go
index 8d73463591e..7ee72e912bc 100644
--- a/test/helpers.go
+++ b/test/helpers.go
@@ -109,14 +109,11 @@ func MapToStringSlice(stringKeyMap map[string]string) []string {
 }
 var queryHigh = model.QueryResult{
- QueryName: "ALB protocol is HTTP",
- QueryID: "de7f5e83-da88-4046-871f-ea18504b1d43",
- Description: "ALB protocol is HTTP Description",
- DescriptionID: "504b1d43",
- CISDescriptionIDFormatted: "testCISID",
- CISDescriptionTitle: "testCISTitle",
- CISDescriptionTextFormatted: "testCISDescription",
- Severity: model.SeverityHigh,
+ QueryName: "ALB protocol is HTTP",
+ QueryID: "de7f5e83-da88-4046-871f-ea18504b1d43",
+ Description: "ALB protocol is HTTP Description",
+ DescriptionID: "504b1d43",
+ Severity: model.SeverityHigh,
 Files: []model.VulnerableFile{
 {
 FileName: positive,