feat(waf): add new check waf_global_rulegroup_not_empty (#5467)

Co-authored-by: Sergio <sergio@prowler.com>
This commit is contained in:
Hugo Pereira Brito
2024-10-21 21:53:06 +02:00
committed by GitHub
parent 2ef9e27ee3
commit ffa29f2f6e
4 changed files with 246 additions and 0 deletions
@@ -0,0 +1,32 @@
{
"Provider": "aws",
"CheckID": "waf_global_rulegroup_not_empty",
"CheckTitle": "Check if AWS WAF Classic Global rule group has at least one rule.",
"CheckType": [
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
],
"ServiceName": "waf",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:waf::account-id:rulegroup/rule-group-name/rule-group-id",
"Severity": "medium",
"ResourceType": "AwsWafRuleGroup",
"Description": "Ensure that every AWS WAF Classic Global rule group contains at least one rule.",
"Risk": "A WAF Classic Global rule group without any rules allows all incoming traffic to bypass inspection, increasing the risk of unauthorized access and potential attacks on resources.",
"RelatedUrl": "https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-groups.html",
"Remediation": {
"Code": {
"CLI": "aws waf update-rule-group --rule-group-id <rule-group-id> --updates Action=INSERT,ActivatedRule={Priority=1,RuleId=<rule-id>,Action={Type=BLOCK}} --change-token <change-token> --region <region>",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-7",
"Terraform": ""
},
"Recommendation": {
"Text": "Ensure that every AWS WAF Classic Global rule group contains at least one rule to enforce traffic inspection and defined actions such as allow, block, or count.",
"Url": "https://docs.aws.amazon.com/waf/latest/developerguide/classic-rule-group-editing.html"
}
},
"Categories": [],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
}
@@ -0,0 +1,27 @@
from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.providers.aws.services.waf.waf_client import waf_client
class waf_global_rulegroup_not_empty(Check):
def execute(self):
findings = []
for rule_group in waf_client.rule_groups.values():
report = Check_Report_AWS(self.metadata())
report.region = rule_group.region
report.resource_id = rule_group.id
report.resource_arn = rule_group.arn
report.resource_tags = rule_group.tags
report.status = "FAIL"
report.status_extended = (
f"AWS WAF Global Rule Group {rule_group.name} does not have any rules."
)
if rule_group.rules:
report.status = "PASS"
report.status_extended = (
f"AWS WAF Global Rule Group {rule_group.name} is not empty."
)
findings.append(report)
return findings
@@ -0,0 +1,187 @@
from unittest import mock
from unittest.mock import patch
import botocore
from moto import mock_aws
from tests.providers.aws.utils import (
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_provider,
)
RULE_GROUP_ID = "test-rulegroup-id"
RULE_ID = "my-rule-id"
# Original botocore _make_api_call function
orig = botocore.client.BaseClient._make_api_call
# Mocked botocore _make_api_call function
def mock_make_api_call_compliant_rule_group(self, operation_name, kwarg):
unused_operations = ["ListWebACLs", "GetRule"]
if operation_name in unused_operations:
return {}
if operation_name == "ListRules":
return {
"Rules": [
{
"RuleId": RULE_ID,
"Name": "my-rule",
},
]
}
if operation_name == "GetRule":
return {
"Rule": {
"RuleId": RULE_ID,
"Name": "my-rule",
"Predicates": [
{
"Negated": False,
"Type": "IPMatch",
"DataId": "my-data-id",
}
],
}
}
if operation_name == "ListRuleGroups":
return {
"RuleGroups": [
{
"RuleGroupId": RULE_GROUP_ID,
"Name": RULE_GROUP_ID,
},
]
}
if operation_name == "ListActivatedRulesInRuleGroup":
return {
"ActivatedRules": [
{
"RuleId": RULE_ID,
},
]
}
return orig(self, operation_name, kwarg)
def mock_make_api_call_non_compliant_rule_group(self, operation_name, kwarg):
unused_operations = ["ListRules", "GetRule", "ListWebACLs", "GetRule"]
if operation_name in unused_operations:
return {}
if operation_name == "ListRuleGroups":
return {
"RuleGroups": [
{
"RuleGroupId": RULE_GROUP_ID,
"Name": RULE_GROUP_ID,
},
]
}
if operation_name == "ListActivatedRulesInRuleGroup":
return {"Rules": []}
return orig(self, operation_name, kwarg)
class Test_waf_global_rulegroup_not_empty:
@mock_aws
def test_no_rule_groups(self):
from prowler.providers.aws.services.waf.waf_service import WAF
aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=aws_provider,
):
with mock.patch(
"prowler.providers.aws.services.waf.waf_global_rulegroup_not_empty.waf_global_rulegroup_not_empty.waf_client",
new=WAF(aws_provider),
):
# Test Check
from prowler.providers.aws.services.waf.waf_global_rulegroup_not_empty.waf_global_rulegroup_not_empty import (
waf_global_rulegroup_not_empty,
)
check = waf_global_rulegroup_not_empty()
result = check.execute()
assert len(result) == 0
@patch(
"botocore.client.BaseClient._make_api_call",
new=mock_make_api_call_compliant_rule_group,
)
@mock_aws
def test_waf_rules_with_condition(self):
from prowler.providers.aws.services.waf.waf_service import WAF
aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=aws_provider,
):
with mock.patch(
"prowler.providers.aws.services.waf.waf_global_rulegroup_not_empty.waf_global_rulegroup_not_empty.waf_client",
new=WAF(aws_provider),
):
# Test Check
from prowler.providers.aws.services.waf.waf_global_rulegroup_not_empty.waf_global_rulegroup_not_empty import (
waf_global_rulegroup_not_empty,
)
check = waf_global_rulegroup_not_empty()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"AWS WAF Global Rule Group {RULE_GROUP_ID} is not empty."
)
assert result[0].resource_id == RULE_GROUP_ID
assert (
result[0].resource_arn
== f"arn:aws:waf:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:rulegroup/{RULE_GROUP_ID}"
)
assert result[0].region == AWS_REGION_US_EAST_1
@patch(
"botocore.client.BaseClient._make_api_call",
new=mock_make_api_call_non_compliant_rule_group,
)
@mock_aws
def test_waf_rules_without_condition(self):
from prowler.providers.aws.services.waf.waf_service import WAF
aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.common.provider.Provider.get_global_provider",
return_value=aws_provider,
):
with mock.patch(
"prowler.providers.aws.services.waf.waf_global_rulegroup_not_empty.waf_global_rulegroup_not_empty.waf_client",
new=WAF(aws_provider),
):
# Test Check
from prowler.providers.aws.services.waf.waf_global_rulegroup_not_empty.waf_global_rulegroup_not_empty import (
waf_global_rulegroup_not_empty,
)
check = waf_global_rulegroup_not_empty()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"AWS WAF Global Rule Group {RULE_GROUP_ID} does not have any rules."
)
assert result[0].resource_id == RULE_GROUP_ID
assert (
result[0].resource_arn
== f"arn:aws:waf:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:rulegroup/{RULE_GROUP_ID}"
)
assert result[0].region == AWS_REGION_US_EAST_1