From fafafba1808a115bfa1f8e4d6ab1616f0bc5e520 Mon Sep 17 00:00:00 2001
From: James Mountifield
Date: Wed, 10 Apr 2024 16:23:19 -0400
Subject: [PATCH] Fix up queries that were incorrectly negating traversals, and aliasing the results
---
 rule-packs/aws-config.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rule-packs/aws-config.json b/rule-packs/aws-config.json
index cc711ef..0f646fa 100644
--- a/rule-packs/aws-config.json
+++ b/rule-packs/aws-config.json
@@ -661,7 +661,7 @@
 "queries": [
 {
 "name": "query0",
- "query": "FIND aws_iam_group AS group THAT !HAS aws_iam_user AS user RETURN user.accountId, user.name,user.displayName, group.name,group.displayName, group.id",
+ "query": "FIND aws_iam_user AS user THAT !HAS aws_iam_group RETURN user.displayName, user.name, user.accountId AS \"AWS Account ID\", user.arn",
 "version": "v1"
 }
 ],
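Review bot: The `+` line puts the aliased account column in the middle of the RETURN list (`user.displayName, user.name, user.accountId AS "AWS Account ID", user.arn`), whereas the other query touched by this commit appends `fw.accountId AS "AWS Account ID"` as the last column; findings from the two rules will not line up when exported side by side. Pick one position for the account column across the pack, e.g. `RETURN user.displayName, user.name, user.arn, user.accountId AS "AWS Account ID"`, so every rule's output has the same trailing account identifier. The surrounding rule object (its name, description and remediation text) lies outside this hunk, so I could not check whether it still describes the old group-centric query.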
@@ -841,7 +841,7 @@
 "queries": [
 {
 "name": "query0",
- "query": "FIND aws_security_group AS fw THAT !ALLOWS AS rule (Host|Network) WITH internal != true AS src WHERE (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 20 AND rule.toPort >= 20) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 21 AND rule.toPort >= 21) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 3306 AND rule.toPort >= 3306) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 3389 AND rule.toPort >= 3389) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 4333 AND rule.toPort >= 4333) RETURN fw.displayName, rule.ipProtocol, rule.fromPort, rule.toPort, src.displayName, src.ipAddress, src.CIDR",
+ "query": "FIND aws_security_group AS fw THAT ALLOWS AS rule (Host|Network) WITH internal != true AS src WHERE (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 20 AND rule.toPort >= 20) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 21 AND rule.toPort >= 21) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 3306 AND rule.toPort >= 3306) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 3389 AND rule.toPort >= 3389) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 4333 AND rule.toPort >= 4333) RETURN fw.displayName, rule.ipProtocol, rule.fromPort, rule.toPort, src.displayName, src.ipAddress, src.CIDR, fw.accountId AS \"AWS Account ID\"",
 "version": "v1"
 }
 ],
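Review bot: The WHERE clause on the `+` line only matches rules with `rule.ipProtocol = 'tcp'`, so a security-group rule that opens all protocols to a non-internal source (AWS expresses this as IpProtocol `-1`, normally with no port range) is not reported even though it exposes every one of the listed ports; that is the most common shape of an over-permissive rule and the query should accept it too. Each of the five disjuncts also repeats `rule.ingress = true AND rule.ipProtocol = 'tcp'`, which hides the shared condition and makes adding a port error-prone; factoring it out gives `WHERE rule.ingress = true AND (rule.ipProtocol = '-1' OR (rule.ipProtocol = 'tcp' AND ((rule.fromPort <= 20 AND rule.toPort >= 20) OR (rule.fromPort <= 21 AND rule.toPort >= 21) OR (rule.fromPort <= 3306 AND rule.toPort >= 3306) OR (rule.fromPort <= 3389 AND rule.toPort >= 3389) OR (rule.fromPort <= 4333 AND rule.toPort >= 4333))))`. How the integration stores the all-protocol value (the literal `'-1'` or something else) is not visible in this hunk, so confirm it against the ingested `aws_security_group` rule properties before committing that branch.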