feat(waf): add new check
waf_global_rule_with_conditions
(#5465)
Co-authored-by: Sergio <[email protected]>
1 parent
415c319
commit 5b0868e
Showing
6 changed files
with
532 additions
and
96 deletions.
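--- a/prowler/providers/aws/services/waf/waf_global_rule_with_conditions/waf_global_rule_with_conditions.metadata.json
+++ b/prowler/providers/aws/services/waf/waf_global_rule_with_conditions/waf_global_rule_with_conditions.metadata.json
@@ -0,0 +1,32 @@
+{
+  "Provider": "aws",
+  "CheckID": "waf_global_rule_with_conditions",
+  "CheckTitle": "AWS WAF Classic Global Rules Should Have at Least One Condition.",
+  "CheckType": [
+    "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
+  ],
+  "ServiceName": "waf",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:aws:waf:account-id:rule/rule-id",
+  "Severity": "medium",
+  "ResourceType": "AwsWafRule",
+  "Description": "Ensure that every AWS WAF Classic Global Rule contains at least one condition.",
+  "Risk": "An AWS WAF Classic Global rule without any conditions cannot inspect or filter traffic, potentially allowing malicious requests to pass unchecked.",
+  "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/waf-global-rule-not-empty.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws waf update-rule --rule-id <your-rule-id> --change-token <your-change-token> --updates '[{\"Action\":\"INSERT\",\"Predicate\":{\"Negated\":false,\"Type\":\"IPMatch\",\"DataId\":\"<your-ipset-id>\"}}]' --region <your-region>",
+      "NativeIaC": "",
+      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-6",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Ensure that every AWS WAF Classic Global rule has at least one condition to properly inspect and manage web traffic.",
+      "Url": "https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-rules-editing.html"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}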
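--- a/prowler/providers/aws/services/waf/waf_global_rule_with_conditions/waf_global_rule_with_conditions.py
+++ b/prowler/providers/aws/services/waf/waf_global_rule_with_conditions/waf_global_rule_with_conditions.py
@@ -0,0 +1,27 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.waf.waf_client import waf_client
+
+
+class waf_global_rule_with_conditions(Check):
+    def execute(self):
+        findings = []
+        for rule in waf_client.rules.values():
+            report = Check_Report_AWS(self.metadata())
+            report.region = rule.region
+            report.resource_id = rule.id
+            report.resource_arn = rule.arn
+            report.resource_tags = rule.tags
+            report.status = "FAIL"
+            report.status_extended = (
+                f"AWS WAF Global Rule {rule.name} does not have any conditions."
+            )
+
+            if rule.predicates:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"AWS WAF Global Rule {rule.name} has at least one condition."
+                )
+
+            findings.append(report)
+
+        return findings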
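Review bot: `if rule.predicates:` cannot tell a rule that genuinely has no conditions apart from one whose predicate list was never populated — if waf_client (defined outside this hunk) leaves `predicates` empty when the per-rule describe call fails or is denied, the check will emit a FAIL for a rule that may be correctly configured, so it is worth confirming how the client handles that case before treating this as a hard failure. The class and `execute` also carry no documentation; I would add a class docstring such as `"""Flag AWS WAF Classic global rules with no predicates (conditions) attached, since such a rule cannot inspect or filter traffic."""` and a one-line note on `execute` that it returns one PASS/FAIL report per rule in `waf_client.rules`. The status strings say "AWS WAF Global Rule" while the metadata title refers to "AWS WAF Classic Global Rules"; using the same wording in both would make findings easier to correlate with the check metadata.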