
Unable to handle nacl entries as parameters #487

Closed

mszymo opened this issue Sep 14, 2020 · 1 comment

Comments

@mszymo commented Sep 14, 2020

I've changed the port range entries of AWS::EC2::NetworkAclEntry from static numbers to CloudFormation parameters. So from this:

```yaml
AclRule:
  Type: 'AWS::EC2::NetworkAclEntry'
  Metadata:
    cfn_nag:
      rules_to_suppress:
        - id: W72
          reason: "The use of overlapping ports is intentional to allow traffic from some locations and block from others"
  Properties:
    NetworkAclId: !Ref ZfNetworkACL
    RuleNumber: 81
    Protocol: 6
    PortRange:
      From: 8080
      To: 8080
    CidrBlock: "0.0.0.0/0"
    RuleAction: "allow"
```

To this:

```yaml
AclRule:
  Type: 'AWS::EC2::NetworkAclEntry'
  Metadata:
    cfn_nag:
      rules_to_suppress:
        - id: W72
          reason: "The use of overlapping ports is intentional to allow traffic from some locations and block from others"
  Properties:
    NetworkAclId: !Ref ZfNetworkACL
    RuleNumber: 81
    Protocol: 6
    PortRange:
      From: !Ref PortAccess
      To: !Ref PortAccess
    CidrBlock: "0.0.0.0/0"
    RuleAction: "allow"
```

However, when cfn-nag is run, it returns this error:

```text
Traceback (most recent call last):
26: from /usr/local/bin/cfn_nag_scan:23:in '<main>'
25: from /usr/local/bin/cfn_nag_scan:23:in 'load'
24: from /var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/bin/cfn_nag_scan:11:in '<top (required)>'
23: from /var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/lib/cfn-nag/cfn_nag_executor.rb:30:in 'scan'
22: from /var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/lib/cfn-nag/cfn_nag_executor.rb:50:in 'execute_aggregate_scan'
21: from /var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/lib/cfn-nag/cfn_nag.rb:34:in 'audit_aggregate_across_files_and_render_results'
20: from /var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/lib/cfn-nag/cfn_nag.rb:64:in 'audit_aggregate_across_files'
19: from /var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/lib/cfn-nag/cfn_nag.rb:64:in 'each'
18: from /var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/lib/cfn-nag/cfn_nag.rb:67:in 'block in audit_aggregate_across_files'
17: from /var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/lib/cfn-nag/cfn_nag.rb:91:in 'audit'
16: from /var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/lib/cfn-nag/custom_rule_loader.rb:64:in 'execute_custom_rules'
15: from /var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/lib/cfn-nag/custom_rule_loader.rb:81:in 'filter_rule_classes'
14: from /usr/lib/ruby/2.7.0/set.rb:328:in 'each'
13: from /usr/lib/ruby/2.7.0/set.rb:328:in 'each_key'
12: from /var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/lib/cfn-nag/custom_rule_loader.rb:91:in 'block in filter_rule_classes'
11: from /var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/lib/cfn-nag/custom_rules/base.rb:19:in 'audit'
10: from /var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb:22:in 'audit_impl'
 9: from /var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb:22:in 'each'
 8: from /var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb:23:in 'block in audit_impl'
 7: from /var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb:84:in 'violating_nacl_entries'
 6: from /var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb:89:in 'violating_ip4_nacl_entries'
 5: from /var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb:31:in 'overlapping_port_entries'
 4: from /var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb:31:in 'select'
 3: from /var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb:32:in 'block in overlapping_port_entries'
 2: from /var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb:46:in 'overlap?'
 1: from /var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb:50:in 'roverlap?'
/var/lib/gems/2.7.0/gems/cfn-nag-0.6.7/lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb:50:in 'between?': comparison of Integer with Hash failed (ArgumentError)
```

I have tried adding a file to specify the parameter value; however, the error just changes to `comparison of Integer with String failed`.
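The crash in the traceback comes from handing `Integer#between?` the Hash that cfn-model stores for a `!Ref` (`{"Ref" => "PortAccess"}`), and, once a parameter file is supplied, the String read from that file. The following is an added example, not cfn-nag's or the reporter's code, of how an overlap check in the spirit of W72 can normalise those three shapes before comparing anything. The `parameters` map, the helper names and the sample resources are constructed for illustration; cfn-nag's own parameter-file handling and grouping logic are not reproduced here.

```ruby
# Added example (not cfn-nag's own code): a NACL port-overlap check that
# tolerates parameterised PortRange values instead of aborting the scan.
#
# After cfn-model parses a template, a PortRange bound can be any of:
#   Integer -> From: 8080
#   String  -> a value substituted from a parameter file ("8080")
#   Hash    -> an intrinsic such as !Ref, stored as {"Ref" => "PortAccess"}
# Integer#between? only compares Integers, which is the ArgumentError above.

# The shape of the comparison that failed in the report, kept to show the
# failure mode: raises ArgumentError when a bound is a Hash or a String.
def naive_in_range?(port, range)
  port.between?(range['From'], range['To'])
end

# Resolve one bound to an Integer, or nil when it cannot be known statically.
# `parameters` maps parameter names to deploy-time values (an assumption of
# this example, standing in for cfn-nag's parameter-file support).
def resolve_port(value, parameters = {})
  case value
  when Integer then value
  when String  then value.match?(/\A\d+\z/) ? value.to_i : nil
  when Hash
    # Only a plain Ref to a parameter with a known value is resolved; other
    # intrinsics (Fn::If, Fn::FindInMap, ...) are treated as unknown.
    name = value['Ref']
    name && parameters.key?(name) ? resolve_port(parameters[name], parameters) : nil
  end
end

# [from, to] as Integers, or nil if the range is absent or either bound is
# unresolvable. PortRange is required for TCP/UDP, so nothing is guessed.
def port_range(entry, parameters = {})
  range = entry['PortRange']
  return nil if range.nil?
  from = resolve_port(range['From'], parameters)
  to   = resolve_port(range['To'], parameters)
  from && to ? [from, to] : nil
end

def ranges_overlap?(a, b)
  a[0] <= b[1] && b[0] <= a[1]
end

# Entries are only comparable within the same NACL, protocol, direction and
# address family. NetworkAclId is itself usually a {"Ref" => ...} Hash, which
# is fine as part of a grouping key.
def group_key(entry)
  [entry['NetworkAclId'], entry['Protocol'], entry['Egress'] || false,
   entry.key?('Ipv6CidrBlock')]
end

# Returns { overlapping: [logical ids], unresolved: [logical ids] }. Entries
# whose ports cannot be resolved are reported rather than compared, so a
# parameterised template no longer takes the whole scan down.
def overlapping_nacl_entries(entries, parameters = {})
  unresolved = []
  groups = Hash.new { |h, k| h[k] = [] }
  entries.each do |id, entry|
    r = port_range(entry, parameters)
    r ? groups[group_key(entry)] << [id, r] : unresolved << id
  end
  overlapping = []
  groups.each_value do |members|
    members.combination(2) do |(id_a, ra), (id_b, rb)|
      overlapping |= [id_a, id_b] if ranges_overlap?(ra, rb)
    end
  end
  { overlapping: overlapping.sort, unresolved: unresolved }
end

# Constructed sample resources, in the shape cfn-model hands to a rule.
NACL = { 'Ref' => 'ZfNetworkACL' }.freeze
SAMPLE_ENTRIES = {
  'AllowFromCorp' => { 'NetworkAclId' => NACL, 'RuleNumber' => 80, 'Protocol' => 6,
                       'PortRange' => { 'From' => 8080, 'To' => 8080 },
                       'CidrBlock' => '10.0.0.0/8', 'RuleAction' => 'allow' },
  'AclRule'       => { 'NetworkAclId' => NACL, 'RuleNumber' => 81, 'Protocol' => 6,
                       'PortRange' => { 'From' => { 'Ref' => 'PortAccess' },
                                        'To'   => { 'Ref' => 'PortAccess' } },
                       'CidrBlock' => '0.0.0.0/0', 'RuleAction' => 'allow' },
  'DenyRange'     => { 'NetworkAclId' => NACL, 'RuleNumber' => 90, 'Protocol' => 6,
                       'PortRange' => { 'From' => '8000', 'To' => '8100' },
                       'CidrBlock' => '0.0.0.0/0', 'RuleAction' => 'deny' },
  'MappedPort'    => { 'NetworkAclId' => NACL, 'RuleNumber' => 100, 'Protocol' => 6,
                       'PortRange' => { 'From' => { 'Fn::FindInMap' => %w[Ports Web Port] },
                                        'To'   => { 'Fn::FindInMap' => %w[Ports Web Port] } },
                       'CidrBlock' => '0.0.0.0/0', 'RuleAction' => 'allow' }
}.freeze

if $PROGRAM_NAME == __FILE__
  p overlapping_nacl_entries(SAMPLE_ENTRIES)                         # PortAccess unknown
  p overlapping_nacl_entries(SAMPLE_ENTRIES, 'PortAccess' => '8080') # value from a parameter file
end
```

Without a parameter value, `AclRule` is reported as unresolved and only the two literal ranges are compared; with `PortAccess` supplied (as a String, the way a parameter file delivers it) the entry resolves to 8080 and joins the overlap set. Whether an overlap is a finding at all is still a policy question (NACL rules are evaluated in rule-number order, which is why the reporter suppressed W72), but the check has to reach that question without crashing first.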

arothian added a commit to arothian/cfn_nag that referenced this issue Oct 12, 2020
…ligent#483)

- Test for port values from references
- Test for entries without logical nacl resource
- Test for correctly evaluating metadata to ignore warning
Fix up various linting errors in yaml templates
Refactor nacl grouping logic
arothian added a commit to arothian/cfn_nag that referenced this issue Oct 12, 2020
…stelligent#483)

- Test for port values from references
- Test for entries without logical nacl resource
- Test for correctly evaluating metadata to ignore warning
Fix up various linting errors in yaml templates
Refactor nacl grouping logic
@arothian (Contributor) commented

Hi @mszymo , rule W72 should now be able to properly handle parameterized NACL port entries in the latest version. Let us know if you run into any additional issues.
