Merge branch 'master' into SAAS-4494

collectors/aws/collector_multipart.js

@@ -27,9 +27,9 @@ var agent = new https.Agent({maxSockets: 100});
 AWS.config.update({httpOptions: {agent: agent}});
 
 var CALLS_CONFIG = {
-    TOTAL_PARTS: 13,
+    TOTAL_PARTS: 14,
     CALLS_PARTS: 4,
-    POSTCALLS_PARTS: 9
+    POSTCALLS_PARTS: 10
 };
 
 var rateError = {message: 'rate', statusCode: 429};

collectors/google/collector.js

@@ -478,6 +478,21 @@ var collect = function(GoogleConfig, settings, callback) {
                             tertiaryCallCb();
                         });
                     }, function() {
+                        if (collection && (!collection.projects || !collection.projects.get)) {
+                            collection.projects = {
+                                ...collection.projects,
+                                get: {
+                                    global: {
+                                        data: [
+                                            {
+                                                kind: 'compute#project',
+                                                name: GoogleConfig.project
+                                            }
+                                        ]
+                                    }
+                                }
+                            };
+                        }
                         callback(null, collection);
                     });
                 });

collectors/oracle/collector.js

@@ -44,6 +44,14 @@ var calls = {
             filterValue: ['compartmentId'],
         }
     },
+    logGroup: {
+        list: {
+            api: 'logging',
+            restVersion: '/20200531',
+            filterKey: ['compartmentId'],
+            filterValue: ['compartmentId']
+        }
+    },
     publicIp: {
         list: {
             api: 'core',
@@ -99,6 +107,14 @@ var calls = {
             filterConfig: [true]
         }
     },
+    cloudguardConfiguration: {
+        get: {
+            api: 'cloudguard',
+            filterKey: ['compartmentId'],
+            filterValue: ['compartmentId'],
+            restVersion: '/20200131',
+        }
+    },
     group: {
         list: {
             api: 'iam',
@@ -114,6 +130,14 @@ var calls = {
             restVersion: '/20171215',
         }
     },
+    fileSystem: {
+        list: {
+            api: 'fileStorage',
+            filterKey: ['compartmentId'],
+            filterValue: ['compartmentId'],
+            restVersion: '/20171215',
+        }
+    },
     mountTarget: {
         list: {
             api: 'fileStorage',
@@ -132,6 +156,14 @@ var calls = {
             filterValue: ['compartmentId'],
         }
     },
+    defaultTags: {
+        list: {
+            api: 'iam',
+            filterKey: ['compartmentId'],
+            filterValue: ['compartmentId'],
+            restVersion: '/20160918'
+        }
+    },
     waasPolicy: {
         list: {
             api: 'waas',
@@ -140,6 +172,30 @@ var calls = {
             filterValue: ['compartmentId'],
         }
     },
+    rules: {
+        list: {
+            api: 'events',
+            restVersion: '/20181201',
+            filterKey: ['compartmentId'],
+            filterValue: ['compartmentId'],
+        }
+    },
+    topics: {
+        list: {
+            api: 'notification',
+            restVersion: '/20181201',
+            filterKey: ['compartmentId'],
+            filterValue: ['compartmentId'],
+        }
+    },
+    subscriptions: {
+        list: {
+            api: 'notification',
+            restVersion: '/20181201',
+            filterKey: ['compartmentId'],
+            filterValue: ['compartmentId'],
+        }
+    },
     policy: {
         list: {
             api: 'iam',
@@ -253,7 +309,15 @@ var calls = {
             filterKey: ['compartmentId'],
             filterValue: ['compartmentId'],
         }
-    }
+    },
+    vault: {
+        list: {
+            api: 'kms',
+            filterKey: ['compartmentId'],
+            filterValue: ['compartmentId'],
+            restVersion: '/20180608',
+        }
+    },
 };
 
 // Important Note: All relies must be passed in an array format []
@@ -339,6 +403,7 @@ var postcalls = {
             limit: 900
         }
     },
+
     waasPolicy: {
         get: {
             api: 'waas',
@@ -389,6 +454,37 @@ var postcalls = {
             filterConfig: [true, false],
         }
     },
+    keys: {
+        list: {
+            api: 'kms',
+            reliesOnService: ['vault'],
+            reliesOnCall: ['list'],
+            filterKey: ['compartmentId', 'managementEndpoint'],
+            filterValue: ['compartmentId', 'managementEndpoint'],
+            restVersion: '/20180608'
+        }
+    },
+    log: {
+        list: {
+            api: 'logging',
+            reliesOnService: ['logGroup'],
+            reliesOnCall: ['list'],
+            filterKey: ['compartmentId', 'id'],
+            filterValue: ['compartmentId', 'id'],
+            restVersion: '/20200531'
+        }
+    },
+    cluster: {
+        get: {
+            api: 'oke',
+            reliesOnService: ['cluster'],
+            reliesOnCall: ['list'],
+            restVersion: '/20180222',
+            filterKey: ['id'],
+            filterValue: ['id'],
+            filterConfig: [false]
+        },
+    }
 };
 
 // Important Note: All relies must be passed in an array format []
@@ -403,6 +499,26 @@ var finalcalls = {
             restVersion: '',
         }
     },
+    keys: {
+        get: {
+            api: 'kms',
+            reliesOnService: ['keys'],
+            reliesOnCall: ['list'],
+            filterKey: ['compartmentId', 'id'],
+            filterValue: ['compartmentId', 'id'],
+            restVersion: '/20180608'
+        }
+    },
+    keyVersions: {
+        list: {
+            api: 'kms',
+            reliesOnService: ['keys'],
+            reliesOnCall: ['list'],
+            filterKey: ['compartmentId', 'id'],
+            filterValue: ['compartmentId', 'id'],
+            restVersion: '/20180608'
+        }
+    },
     exprt: {
         get: {
             api: 'fileStorage',

config_example.js

@@ -37,6 +37,14 @@ module.exports = {
             // directory_id: process.env.AZURE_DIRECTORY_ID || '',
             // subscription_id: process.env.AZURE_SUBSCRIPTION_ID || ''
         },
+        google_remediate: {
+            // OPTION 1: If using a credential JSON file, enter the path below
+            // credential_file: process.env.GOOGLE_APPLICATION_CREDENTIALS || '/path/to/file.json',
+            // OPTION 2: If using hard-coded credentials, enter them below
+            // project: process.env.GOOGLE_PROJECT_ID || 'my-project',
+            // client_email: process.env.GOOGLE_CLIENT_EMAIL || 'cloudsploit@your-project-name.iam.gserviceaccount.com',
+            // private_key: process.env.GOOGLE_PRIVATE_KEY || '-----BEGIN PRIVATE KEY-----\nYOUR-PRIVATE-KEY-GOES-HERE\n-----END PRIVATE KEY-----\n'
+        },
         google: {
             // OPTION 1: If using a credential JSON file, enter the path below
             // credential_file: process.env.GOOGLE_APPLICATION_CREDENTIALS || '/path/to/file.json',

docs/gcp.md

@@ -8,7 +8,7 @@
 ```   
 name: roles/AquaCSPMSecurityAudit
 title: Aqua CSPM Security Audit
-  - includedPermissions:
+includedPermissions:
   - cloudasset.assets.listResource
   - cloudkms.cryptoKeys.list
   - cloudkms.keyRings.list

exports.js

@@ -84,6 +84,12 @@ module.exports = {
         'globalLoggingDuplicated'       : require(__dirname + '/plugins/aws/cloudtrail/globalLoggingDuplicated.js'),
         'cloudtrailNotificationsEnabled': require(__dirname + '/plugins/aws/cloudtrail/cloudtrailNotificationsEnabled.js'),
 
+        'ec2InstancesOptimized'         : require(__dirname + '/plugins/aws/computeoptimizer/ec2InstancesOptimized.js'),
+        'lambdaFunctionsOptimized'      : require(__dirname + '/plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js'),
+        'optimizerRecommendationsEnabled': require(__dirname + '/plugins/aws/computeoptimizer/optimizerRecommendationsEnabled.js'),
+        'ebsVolumesOptimized'           : require(__dirname + '/plugins/aws/computeoptimizer/ebsVolumesOptimized.js'),
+        'asgOptimized'                  : require(__dirname + '/plugins/aws/computeoptimizer/asgOptimized.js'),
+
         'configServiceEnabled'          : require(__dirname + '/plugins/aws/configservice/configServiceEnabled.js'),
         'configComplaintRules'          : require(__dirname + '/plugins/aws/configservice/configComplaintRules.js'),
         'configDeliveryFailing'         : require(__dirname + '/plugins/aws/configservice/configDeliveryFailing.js'),
@@ -109,6 +115,9 @@ module.exports = {
         'unassociatedElasticIp'         : require(__dirname + '/plugins/aws/ec2/unassociatedElasticIp.js'),
         'subnetIpAvailability'          : require(__dirname + '/plugins/aws/ec2/subnetIpAvailability.js'),
         'excessiveSecurityGroups'       : require(__dirname + '/plugins/aws/ec2/excessiveSecurityGroups.js'),
+
+        'enhancedMetadataEnabled'       : require(__dirname + '/plugins/aws/imagebuilder/enhancedMetadataEnabled.js'),
+
         'instanceLimit'                 : require(__dirname + '/plugins/aws/ec2/instanceLimit.js'),
         'instanceVcpusLimit'            : require(__dirname + '/plugins/aws/ec2/instanceVcpusLimit.js'),
         'instanceMaxCount'              : require(__dirname + '/plugins/aws/ec2/instanceMaxCount.js'),
@@ -260,6 +269,7 @@ module.exports = {
         'dataCatalogEncryptionEnabled'  : require(__dirname + '/plugins/aws/glue/dataCatalogEncryptionEnabled.js'),
 
         'imageRecipeVolumeEncrypted'    : require(__dirname + '/plugins/aws/imagebuilder/imageRecipeVolumeEncrypted.js'),
+        'imgBuilderComponentsEncrypted' : require(__dirname + '/plugins/aws/imagebuilder/imgBuilderComponentsEncrypted.js'),
 
         'accessKeysExtra'               : require(__dirname + '/plugins/aws/iam/accessKeysExtra.js'),
         'accessKeysLastUsed'            : require(__dirname + '/plugins/aws/iam/accessKeysLastUsed.js'),
@@ -425,6 +435,10 @@ module.exports = {
 
         'memorydbClusterEncrypted'      : require(__dirname + '/plugins/aws/memorydb/memorydbClusterEncrypted.js'),
 
+        'mskClusterCBEncryption'        : require(__dirname + '/plugins/aws/msk/mskClusterCBEncryption.js'),
+
+        'mskClusterPublicAccess'        : require(__dirname + '/plugins/aws/msk/mskClusterPublicAccess.js'),
+        'mskClusterUnauthAccess'        : require(__dirname + '/plugins/aws/msk/mskClusterUnauthAccess.js'),
         'mskClusterEncryptionAtRest'    : require(__dirname + '/plugins/aws/msk/mskClusterEncryptionAtRest.js'),
         'mskClusterEncryptionInTransit' : require(__dirname + '/plugins/aws/msk/mskClusterEncryptionInTransit.js'),
 
@@ -813,6 +827,8 @@ module.exports = {
         'bootVolumeRestorable'          : require(__dirname + '/plugins/oracle/compute/bootVolumeRestorable.js'),
         'bootVolumeBackupEnabled'       : require(__dirname + '/plugins/oracle/compute/bootVolumeBackupEnabled.js'),
         'instancePolicyProtection'      : require(__dirname + '/plugins/oracle/compute/instancePolicyProtection.js'),
+        'bootVolumeCMKEncryption'       : require(__dirname + '/plugins/oracle/compute/bootVolumeCMKEncryption.js'),
+        'legacyEndpointDisabled'        : require(__dirname + '/plugins/oracle/compute/legacyEndpointDisabled.js'),
 
         'usersMfaEnabled'               : require(__dirname + '/plugins/oracle/identity/usersMfaEnabled.js'),
         'passwordRequiresLowercase'     : require(__dirname + '/plugins/oracle/identity/passwordRequiresLowercase.js'),
@@ -830,6 +846,13 @@ module.exports = {
         'userCustomerSecretKeysRotated' : require(__dirname + '/plugins/oracle/identity/userCustomerSecretKeysRotated.js'),
         'userAPIKeysRotated'            : require(__dirname + '/plugins/oracle/identity/userAPIKeysRotated.js'),
         'usersPasswordLastUsed'         : require(__dirname + '/plugins/oracle/identity/usersPasswordLastUsed.js'),
+        'defaultTagsForResources'       : require(__dirname + '/plugins/oracle/identity/defaultTagsForResources.js'),
+        'notificationTopicSubscription' : require(__dirname + '/plugins/oracle/identity/notificationTopicSubscription.js'),
+        'identityProviderChanges'       : require(__dirname + '/plugins/oracle/identity/identityProviderChanges.js'),
+        'idpGroupMappingChanges'        : require(__dirname + '/plugins/oracle/identity/idpGroupMappingChanges.js'),
+        'iamGroupChanges'               : require(__dirname + '/plugins/oracle/identity/iamGroupChanges.js'),
+        'iamPolicyChanges'              : require(__dirname + '/plugins/oracle/identity/iamPolicyChanges.js'),
+        'userChanges'                   : require(__dirname + '/plugins/oracle/identity/userChanges.js'),
 
         'openSSH'                       : require(__dirname + '/plugins/oracle/networking/openSSH.js'),
         'openOracleAutoDataWarehouse'   : require(__dirname + '/plugins/oracle/networking/openOracleAutoDataWarehouse.js'),
@@ -854,25 +877,35 @@ module.exports = {
         'openKibana'                    : require(__dirname + '/plugins/oracle/networking/openKibana.js'),
         'openSalt'                      : require(__dirname + '/plugins/oracle/networking/openSalt.js'),
         'openSMTP'                      : require(__dirname + '/plugins/oracle/networking/openSMTP.js'),
-
+        'flowLogsEnabled'               : require(__dirname + '/plugins/oracle/networking/flowLogsEnabled.js'),
+        'vcnChanges'                    : require(__dirname + '/plugins/oracle/networking/vcnChanges.js'),
+        'routeTableChanges'             : require(__dirname + '/plugins/oracle/networking/routeTableChanges.js'),
+        'securityListChanges'           : require(__dirname + '/plugins/oracle/networking/securityListChanges.js'),
+        'securityGroupChanges'          : require(__dirname + '/plugins/oracle/networking/securityGroupChanges.js'),
+        'networkGatewayChanges'         : require(__dirname + '/plugins/oracle/networking/networkGatewayChanges.js'),
         'statelessSecurityRules'        : require(__dirname + '/plugins/oracle/networking/statelessSecurityRules.js'),
         'defaultSecurityList'           : require(__dirname + '/plugins/oracle/networking/defaultSecurityList.js'),
         'excessiveSecurityLists'        : require(__dirname + '/plugins/oracle/networking/excessiveSecurityLists.js'),
         'lbHttpsOnly'                   : require(__dirname + '/plugins/oracle/networking/lbHttpsOnly.js'),
         'lbNSGEnabled'                  : require(__dirname + '/plugins/oracle/networking/lbNSGEnabled.js'),
         'lbNoInstances'                 : require(__dirname + '/plugins/oracle/networking/lbNoInstances.js'),
         'wafPublicIpEnabled'            : require(__dirname + '/plugins/oracle/networking/wafPublicIpEnabled.js'),
-
+        'inboundSecurityLists'          : require(__dirname + '/plugins/oracle/networking/inboundSecurityLists.js'),
         'multipleSubnets'               : require(__dirname + '/plugins/oracle/networking/multipleSubnets.js'),
         'subnetMultiAd'                 : require(__dirname + '/plugins/oracle/networking/subnetMultiAd.js'),
 
         'bucketPublicAccessType'        : require(__dirname + '/plugins/oracle/objectstore/bucketPublicAccessType.js'),
         'preAuthRequestsExpiry'         : require(__dirname + '/plugins/oracle/objectstore/preAuthRequestsExpiry.js'),
         'preAuthRequestsAccess'         : require(__dirname + '/plugins/oracle/objectstore/preAuthRequestsAccess.js'),
         'objectPolicyProtection'        : require(__dirname + '/plugins/oracle/objectstore/objectPolicyProtection.js'),
+        'bucketCMKEncryption'           : require(__dirname + '/plugins/oracle/objectstore/bucketCMKEncryption.js'),
+        'bucketVersioning'              : require(__dirname + '/plugins/oracle/objectstore/bucketVersioning.js'),
+        'bucketObjectEvents'            : require(__dirname + '/plugins/oracle/objectstore/bucketObjectEvents.js'),
+        'bucketWriteLogsEnabled' : require(__dirname + '/plugins/oracle/objectstore/bucketWriteLogsEnabled.js'),
 
         'nfsPublicAccess'               : require(__dirname + '/plugins/oracle/filestorage/nfsPublicAccess.js'),
         'nfsPolicyProtection'           : require(__dirname + '/plugins/oracle/filestorage/nfsPolicyProtection.js'),
+        'fileSystemsCMKEncryption'      : require(__dirname + '/plugins/oracle/filestorage/fileSystemsCMKEncryption.js'),
 
         'dbBackupEnabled'               : require(__dirname + '/plugins/oracle/database/dbBackupEnabled.js'),
         'dbPrivateSubnetOnly'           : require(__dirname + '/plugins/oracle/database/dbPrivateSubnetOnly.js'),
@@ -883,10 +916,17 @@ module.exports = {
         'blockVolumeBackupEnabled'      : require(__dirname + '/plugins/oracle/blockstorage/blockVolumeBackupEnabled.js'),
         'volumeGroupsRestorable'        : require(__dirname + '/plugins/oracle/blockstorage/volumeGroupsRestorable.js'),
         'blockPolicyProtection'         : require(__dirname + '/plugins/oracle/blockstorage/blockPolicyProtection.js'),
+        'blockVolumeCMKEncryption'      : require(__dirname + '/plugins/oracle/blockstorage/blockVolumeCMKEncryption.js'),
 
         'logRetentionPeriod'            : require(__dirname + '/plugins/oracle/audit/logRetentionPeriod.js'),
 
         'okePrivateEndpoint'            : require(__dirname + '/plugins/oracle/oke/okePrivateEndpoint.js'),
+        'okeSecretsEncrypted'           : require(__dirname + '/plugins/oracle/oke/okeSecretsEncrypted.js'),
+        'okeSecurityGroups'            : require(__dirname + '/plugins/oracle/oke/okeSecurityGroups.js'),
+
+        'cloudguardEnabled'            : require(__dirname + '/plugins/oracle/cloudguard/cloudguardEnabled.js'),
+
+        'keyRotation'                  : require(__dirname + '/plugins/oracle/vaults/keyRotation.js'),
     },
     google: {
         'excessiveFirewallRules'        : require(__dirname + '/plugins/google/vpcnetwork/excessiveFirewallRules.js'),