Macie update #138
Open
wdower wants to merge 281 commits into master from macie_update
+76 −68
Signed-off-by: Aaron Lippold <[email protected]>
Signed-off-by: Will Dower <[email protected]>
…onitoring Signed-off-by: Will Dower <[email protected]>
…oring tool Signed-off-by: Will Dower <[email protected]>
… compliance Signed-off-by: Aaron Lippold <[email protected]>
Signed-off-by: wdower <[email protected]>
- moved the Heimdall Upload section directly after the 'Save Artifacts' given it's also a save action and we want to ensure - regardless of if we pass threshold - that we have the results of both runs in Heimdall for review. Signed-off-by: Aaron Lippold <[email protected]>
…ded comments, updated profile version, should be ready for merge Signed-off-by: Aaron Lippold <[email protected]>
* Update aws-foundations-cis-1.1.rb
* Update aws-foundations-cis-1.2.rb
* Update aws-foundations-cis-1.3.rb
* Update aws-foundations-cis-1.4.rb
* Update aws-foundations-cis-1.1.rb
* Update aws-foundations-cis-1.2.rb
* Update aws-foundations-cis-1.3.rb
* Update aws-foundations-cis-1.5.rb
* Update aws-foundations-cis-1.8.rb
* Update aws-foundations-cis-1.9.rb
* Update aws-foundations-cis-1.10.rb
* Update aws-foundations-cis-1.11.rb
* Update aws-foundations-cis-1.12.rb
* Update aws-foundations-cis-1.14.rb
* Update aws-foundations-cis-1.15.rb
* Update aws-foundations-cis-1.16.rb
* Update aws-foundations-cis-1.17.rb
* Update aws-foundations-cis-1.18.rb
* Update aws-foundations-cis-3.1.rb
* Update aws-foundations-cis-3.2.rb
* Update aws-foundations-cis-3.3.rb
* Update aws-foundations-cis-3.4.rb
* Update aws-foundations-cis-3.5.rb
* Update aws-foundations-cis-3.6.rb
* Update aws-foundations-cis-3.7.rb
* Update aws-foundations-cis-3.8.rb
* Update aws-foundations-cis-3.9.rb
* Update aws-foundations-cis-4.1.rb
* Update aws-foundations-cis-4.1.rb
* Update aws-foundations-cis-4.2.rb
* Update aws-foundations-cis-4.3.rb
* Update aws-foundations-cis-4.4.rb
* Update aws-foundations-cis-4.5.rb
* Update aws-foundations-cis-4.6.rb
* Update aws-foundations-cis-4.7.rb
* Update aws-foundations-cis-4.8.rb
* Update aws-foundations-cis-4.9.rb
* Update aws-foundations-cis-4.10.rb
* Update aws-foundations-cis-4.11.rb
* Update aws-foundations-cis-4.12.rb
* Update aws-foundations-cis-4.13.rb
* Update aws-foundations-cis-4.14.rb
* Update aws-foundations-cis-4.15.rb
* Update aws-foundations-cis-4.16.rb
* Update aws-foundations-cis-5.4.rb
* Update aws-foundations-cis-5.5.rb
* Update aws-foundations-cis-1.6.rb
* Update aws-foundations-cis-1.7.rb
* Update aws-foundations-cis-1.13.rb
* Update aws-foundations-cis-1.19.rb
* Update aws-foundations-cis-1.20.rb
* Update aws-foundations-cis-1.21.rb
* Update aws-foundations-cis-1.22.rb
* Update aws-foundations-cis-2.1.1.rb
* Update aws-foundations-cis-2.1.2.rb
* Update aws-foundations-cis-2.1.3.rb
* Update aws-foundations-cis-2.1.4.rb
* Update aws-foundations-cis-2.2.1.rb
* Update aws-foundations-cis-2.3.1.rb
* Update aws-foundations-cis-2.3.2.rb
* Update aws-foundations-cis-2.3.3.rb
* Update aws-foundations-cis-2.4.1.rb
* Update aws-foundations-cis-3.10.rb
* Update aws-foundations-cis-3.11.rb
* Update aws-foundations-cis-5.1.rb
* Update aws-foundations-cis-5.1.rb
* Update aws-foundations-cis-5.2.rb
* Update aws-foundations-cis-5.3.rb
* Update aws-foundations-cis-5.6.rb
* initial 2.0 commit
* delete old 1.2 controls
* Update inspec.yml
* Update inspec.yml
* added a simple workflow for testing the profile Signed-off-by: Aaron Lippold <[email protected]>
* moved the Gemfile to the correct location Signed-off-by: Aaron Lippold <[email protected]>
* fixed bug in Gemfile and .gemrc Signed-off-by: Aaron Lippold <[email protected]>
* removed yq for now Signed-off-by: Aaron Lippold <[email protected]>
* added an inspec vendor prior to the check Signed-off-by: Aaron Lippold <[email protected]>
* added a bit more debugging on our inspec env Signed-off-by: Aaron Lippold <[email protected]>
* fixed inspec exec exit code, added quotes to display file names Signed-off-by: Aaron Lippold <[email protected]>
* added a blank inputs and added it to the workflow Signed-off-by: Aaron Lippold <[email protected]>
* fixed inputs Signed-off-by: Aaron Lippold <[email protected]>
* Update inspec.yml set default value to null for user-defined inputs.
* fixed typo in the input variable Signed-off-by: Aaron Lippold <[email protected]>
* Update README.md
* ran cookstyle -a and added skip messages for controls without code yet Signed-off-by: Aaron Lippold <[email protected]>
* added enhanced-outcomes for easier review Signed-off-by: Aaron Lippold <[email protected]>
* Fixes and Updates to Resources from the Resource Pack
* broke out the AWS Account Resources into separate
  - aws_primary_contact
  - aws_billing_contact
  - aws_operations_contact
  - aws_security_contact
* updates 1.1 and 1.2 per the resource changes
* linted profile with 'cookstyle -A ...' Signed-off-by: Aaron Lippold <[email protected]>
* fixed depends, linted with rufo Signed-off-by: Aaron Lippold <[email protected]>
* Fixed profile error and typo Signed-off-by: Aaron Lippold <[email protected]>
* updated the threshold while I am fixing a bug with a resource or two Signed-off-by: Aaron Lippold <[email protected]>
* Removed Pipeline Steps while in development
* removed creating profile.json
* removed inspec-plugin-list Signed-off-by: Aaron Lippold <[email protected]>
* fixed slow controls Signed-off-by: Aaron Lippold <[email protected]>
* fixed branch name on workflow Signed-off-by: Aaron Lippold <[email protected]>
* added chef license key for testing Signed-off-by: Aaron Lippold <[email protected]>
* updated controls for account given resource changes Signed-off-by: Aaron Lippold <[email protected]>
* added sensitive to the first two controls Signed-off-by: Aaron Lippold <[email protected]>
* marked MFA data sensitive Signed-off-by: Aaron Lippold <[email protected]>
* added tests for 5.6 and added aws docs reference Signed-off-by: Aaron Lippold <[email protected]>
* Simplified controls, added tests, fixed inputs Signed-off-by: Aaron Lippold <[email protected]>
* clarifying manual check in 1.3 Signed-off-by: wdower <[email protected]>
* creating .gitignore Signed-off-by: wdower <[email protected]>
* finishing 1.13 Signed-off-by: wdower <[email protected]>
* 1.7 -- expect syntax still has ugly fail messages Signed-off-by: wdower <[email protected]>
* fixed inspec.yml, split out 1.7 into multiple 'it' blocks for clarity Signed-off-by: wdower <[email protected]>
* updating 1.18 Signed-off-by: wdower <[email protected]>
* fixing 1.7 when no input is set Signed-off-by: wdower <[email protected]>
* adding 1.19 Signed-off-by: wdower <[email protected]>
* adding test to define what the aws_iam_access_analyzer should be able to do Signed-off-by: wdower <[email protected]>
* commenting out control that doesn't have a resource yet to keep pipeline working Signed-off-by: wdower <[email protected]>
* adding 1.21 as manual review because it requires knowing if each IAM role represents an individual person or not, which isn't something AWS knows Signed-off-by: wdower <[email protected]>
* added 1.22 Signed-off-by: wdower <[email protected]>
* adding disable_slow_controls caveat to 1.7 Signed-off-by: wdower <[email protected]>
* adding 1.6 -- basically a repeat of 1.5 but with an added check on what type of mfa device is in use Signed-off-by: wdower <[email protected]>
* adding new input to catch the case of a third party data management tool Signed-off-by: wdower <[email protected]>
* pseudocode for 2.1.3 Signed-off-by: wdower <[email protected]>
* updates for 1.20 and a few others Signed-off-by: Aaron Lippold <[email protected]>
* pseudocode for 2.1.1 Signed-off-by: wdower <[email protected]>
* fixing missing block end Signed-off-by: wdower <[email protected]>
* using existing aws_s3_bucket resource to do 2.1.1 Signed-off-by: wdower <[email protected]>
* Mostly Done on 1.20 with some polish still needed
  - updated aws_region(s) plural and single resource to include opt_in data
  - updated docs for aws_regions(s)
  - added the ability for the aws_iam_access_analyzer resource to accept its `region` param
  - TODO: fix aws_iam_access_analyzer param error checking with the addition of the new second `region`
  Signed-off-by: Aaron Lippold <[email protected]>
* Linting with rubocop Signed-off-by: Aaron Lippold <[email protected]>
* Updates to Gemfile and Linting Signed-off-by: Aaron Lippold <[email protected]>
* CIS 2.1.1
  - worked out most of the logical states
  - still need to work out if we only have a list of passing buckets and want to list buckets that were skipped but don't want to 'fail' the control overall.
  - needs to be peer reviewed by 'other than author'
  Signed-off-by: Aaron Lippold <[email protected]>
* added review question Signed-off-by: Aaron Lippold <[email protected]>
* added exempt KMS key list and added to 3.8 Fixes #109 Signed-off-by: Aaron Lippold <[email protected]>
* added exempt KMS key list and added to 3.8 Fixes #109 Signed-off-by: Aaron Lippold <[email protected]>
* clarifying the Not Applicable statement a bit Signed-off-by: wdower <[email protected]>
* adding control for 2.1.2, borrowing pattern from 2.1.2 Signed-off-by: wdower <[email protected]>
* rewriting 5.5 to use only_if instead of if/else Signed-off-by: wdower <[email protected]>
* adding pseudocode for 2.1.4 Signed-off-by: wdower <[email protected]>
* first pass for 2.3.1 Signed-off-by: wdower <[email protected]>
* removing redundant test step from 2.3.1, adding 2.3.2 Signed-off-by: wdower <[email protected]>
* commenting out 2.1.4 until it gets resource support so the pipeline works Signed-off-by: wdower <[email protected]>
* updating Gemfile to unpin InSpec and add aws-sdk-analyzer and train-kubernetes Signed-off-by: wdower <[email protected]>
* adding 2.3.3 Signed-off-by: wdower <[email protected]>
* adding 2.4.1, modeled after the s3 bucket control code Signed-off-by: wdower <[email protected]>
* adding exempt and single rds inputs, fixing some bad references in 2.4.1 Signed-off-by: wdower <[email protected]>
* updated RDS controls to use the same robust pattern as EFS and S3 checks Signed-off-by: wdower <[email protected]>
* fixing typos in RDS controls Signed-off-by: wdower <[email protected]>
* putting a floor on InSpec version, fixing typo on 2.3.x Signed-off-by: wdower <[email protected]>
* ensuring exempt rds instances not included in list of fails Signed-off-by: wdower <[email protected]>
* debugging Signed-off-by: Aaron Lippold <[email protected]>
* - Worked around the broken plural resource until we fix
  - Fixed the shared inputs so that we were actually passing empty arrays and not arrays with two quotes
  Signed-off-by: Aaron Lippold <[email protected]>
* added workaround for 2.3.2 and 2.3.2 for now Signed-off-by: Aaron Lippold <[email protected]>
* moved to only_if with impact to get past stacktrace error Signed-off-by: Aaron Lippold <[email protected]>
* Refactored 1.20
  - Only make one call to the api
  - calculated in scope and exempt regions
  - used those for processing and evaluation
  Signed-off-by: Aaron Lippold <[email protected]>
* yamllint inspec.yml Signed-off-by: Aaron Lippold <[email protected]>
* adding 4.16 Signed-off-by: Aaron Lippold <[email protected]>
* added 3.10 Signed-off-by: wdower <[email protected]>
* adding 3.11, updating 3.10 to indicate that one is supposed to be testing writes vs. reads Signed-off-by: wdower <[email protected]>
* working on output to end-user Signed-off-by: Aaron Lippold <[email protected]>
* updated feedback to end user to be a bit more clear Signed-off-by: Aaron Lippold <[email protected]>
* updated syntax of 4.16 to use the expect syntax Signed-off-by: Aaron Lippold <[email protected]>
* updated syntax of 4.16 to use the expect syntax Signed-off-by: Aaron Lippold <[email protected]>
* updated syntax of 4.16 to use the expect syntax Signed-off-by: Aaron Lippold <[email protected]>
* fixed broken reference links Signed-off-by: Aaron Lippold <[email protected]>
* fixed broken reference links Signed-off-by: Aaron Lippold <[email protected]>
* should have a working 2.1.4 but could be improved by expect perhaps Signed-off-by: Aaron Lippold <[email protected]>
* trying to see if a bundle install will help for a bit while we are using external gem resources Signed-off-by: Aaron Lippold <[email protected]>
* adding missing bundle exec to the inspec exec Signed-off-by: Aaron Lippold <[email protected]>
* start of table to track progress Signed-off-by: Aaron Lippold <[email protected]>
* filled out status table Signed-off-by: Aaron Lippold <[email protected]>
* moved status table Signed-off-by: Aaron Lippold <[email protected]>
* fixed typo in authors Signed-off-by: Aaron Lippold <[email protected]>
* Update README.md noting that 3.10 and 3.11 have a test but are being updated to match a much better resource
* refactoring 3.10 and 3.11 to use updated cloudtrail resource Signed-off-by: wdower <[email protected]>
* Updated status table in readme Signed-off-by: Aaron Lippold <[email protected]>
* Update README.md noting that 2.1.3 needs a resource update
* notes on possible organization of small macie resources vs a big complicated one Signed-off-by: Aaron Lippold <[email protected]>
* testing run fixes Signed-off-by: Aaron Lippold <[email protected]>
* hard coding the inspec-results to see if that fixes the save issue Signed-off-by: Aaron Lippold <[email protected]>
* one more time Signed-off-by: Aaron Lippold <[email protected]>
* trying to see the path of the results file Signed-off-by: Aaron Lippold <[email protected]>
* 3.8 is throwing a deep stack trace and 3.1 has an uncaught aws service exception Signed-off-by: Aaron Lippold <[email protected]>
* refactoring 5.6 to hopefully avoid stack overflow errors Signed-off-by: wdower <[email protected]>
* adding missing 'do' Signed-off-by: wdower <[email protected]>
* refactoring 3.8 to not use describe blocks in a loop Signed-off-by: wdower <[email protected]>
* fixing function call in 3.8 Signed-off-by: wdower <[email protected]>
* printing display_name instead of full ARN for 3.8 Signed-off-by: wdower <[email protected]>
* filtering nils from 3.8 correctly, pretty printing output on fail Signed-off-by: wdower <[email protected]>
* testing even prettier printing Signed-off-by: wdower <[email protected]>
* removing comments Signed-off-by: wdower <[email protected]>
* updated controls for govcloud Signed-off-by: Aaron Lippold <[email protected]>
* removing unnecessary if statement from 1.7 Signed-off-by: wdower <[email protected]>
* fixing where method to use a block in 1.6 Signed-off-by: wdower <[email protected]>
* typo in 1.2 Signed-off-by: Will Dower <[email protected]>
* adding correct only_if clause to 2.1.3 Signed-off-by: Will Dower <[email protected]>
* added workflow Signed-off-by: Aaron Lippold <[email protected]>
* updated inspec.yml Signed-off-by: Aaron Lippold <[email protected]>
* fixing creds Signed-off-by: Aaron Lippold <[email protected]>
* rubocop:lint and updated aws other workflow name Signed-off-by: Aaron Lippold <[email protected]>
* trying again Signed-off-by: Aaron Lippold <[email protected]>
* adding AWSRB_DEBUG for review Signed-off-by: Aaron Lippold <[email protected]>
* adding -l debug Signed-off-by: Aaron Lippold <[email protected]>
* adding sts audience to the aws config to see if that helps our run Signed-off-by: Aaron Lippold <[email protected]>
* adding to the repo Signed-off-by: GitHub <[email protected]>
* updating 2.2.1 to use new aws_region matcher for ebs encryption Signed-off-by: wdower <[email protected]>
* fixing 1.18 Signed-off-by: wdower <[email protected]>
* fixing rspec matcher in 1.18 Signed-off-by: wdower <[email protected]>
* flipping logic for only_if on 1.18 Signed-off-by: wdower <[email protected]>
* making 1.18 fail output prettier Signed-off-by: wdower <[email protected]>
* fixing 3.1 to support any region for its cloud trails Signed-off-by: Aaron Lippold <[email protected]>
* adding if clause for no element found case Signed-off-by: Aaron Lippold <[email protected]>
* 3.9 moving conditional describe to an only_if statement Signed-off-by: wdower <[email protected]>
* fixing 3.9 to use the aws_flow_log resource Signed-off-by: wdower <[email protected]>
* typo in 3.9 Signed-off-by: wdower <[email protected]>
* fixing error on 2.2.1 Signed-off-by: Aaron Lippold <[email protected]>
* cleanup Signed-off-by: Aaron Lippold <[email protected]>
* added tests for 5.3, fixed a few small things, linted Signed-off-by: Aaron Lippold <[email protected]>
* added ignore_other_regions Signed-off-by: Aaron Lippold <[email protected]>
* fixed input depth error in 5.4 Signed-off-by: Aaron Lippold <[email protected]>
* mostly finished off the 5.x requirements, 5.1 needs to be worked, the rest of the 5.x series may or may not be helped by expect Signed-off-by: Aaron Lippold <[email protected]>
* updating testing to not disable slow controls Signed-off-by: Aaron Lippold <[email protected]>
* renamed util script so it was clear what it does Signed-off-by: Aaron Lippold <[email protected]>
* updated util script Signed-off-by: Aaron Lippold <[email protected]>
* adding the GITHUB_SHA that triggered the action to the workflow results files Signed-off-by: Aaron Lippold <[email protected]>
* adding upload to heimdall-demo Signed-off-by: Aaron Lippold <[email protected]>
* made curl a bit more quiet Signed-off-by: Aaron Lippold <[email protected]>
* wip 5.1 Signed-off-by: Will Dower <[email protected]>
* updating 5.1 to use new filtertable logic in resource Signed-off-by: Will Dower <[email protected]>
* fixing 5.1 to work with resource refactor Signed-off-by: Will Dower <[email protected]>
* using local resource pack Signed-off-by: Aaron Lippold <[email protected]>
* fixed rubocop issue Signed-off-by: Aaron Lippold <[email protected]>
* fixed depends Signed-off-by: Aaron Lippold <[email protected]>
* removed pry from testing Signed-off-by: Aaron Lippold <[email protected]>
* shortening sha, standardizing naming and testing inputs. Signed-off-by: Aaron Lippold <[email protected]>
* adding short sha, and naming artifacts Signed-off-by: Aaron Lippold <[email protected]>
* moved the short sha calc to after repo checkout Signed-off-by: Aaron Lippold <[email protected]>
* removing duplicate input for remote management ports Signed-off-by: Will Dower <[email protected]>
* adding in exemptions to 5.1 Signed-off-by: Will Dower <[email protected]>
* adding disable_slow_controls to 5.1 Signed-off-by: Will Dower <[email protected]>
* typo Signed-off-by: Will Dower <[email protected]>
* typo, again Signed-off-by: Will Dower <[email protected]>
* updating 5.2 Signed-off-by: Will Dower <[email protected]>
* adding only_if to control to bail if a non-AWS tool should be doing monitoring Signed-off-by: Will Dower <[email protected]>
* adding test for 4.1.5, adding input for declaring a third-party monitoring tool Signed-off-by: Will Dower <[email protected]>
* update script to get the list of regions from the cli Signed-off-by: Aaron Lippold <[email protected]>
* fixing incorrect method in 1.17 Signed-off-by: Will Dower <[email protected]>
* fixed typo in 5.5 with inputs vs input... Signed-off-by: Aaron Lippold <[email protected]>
* updated thresholds to not allow profile errors and maintain a min 10% compliance Signed-off-by: Aaron Lippold <[email protected]>
* updating macie control Signed-off-by: wdower <[email protected]>
* mistaken sign on govcloud check for macie Signed-off-by: wdower <[email protected]>
* updating README, removing obsolete inputs Signed-off-by: wdower <[email protected]>
* cleanup - removing comments Signed-off-by: wdower <[email protected]>
* updated benchmark status table Signed-off-by: wdower <[email protected]>
* Minor Updates and Linting
  - added the more refined inspec inputs language from our department work
  - simplified run example paths and made the 'files' we talk about consistent throughout the README
  - ran `bundle exec rake lint:auto_correct`
  Signed-off-by: Aaron Lippold <[email protected]>
* Moving Heimdall Upload in the workflow
  - moved the Heimdall Upload section directly after the 'Save Artifacts' given it's also a save action and we want to ensure - regardless of if we pass threshold - that we have the results of both runs in Heimdall for review.
  Signed-off-by: Aaron Lippold <[email protected]>
* finished final readthroughs, reviewed latest test runs, removed unneeded comments, updated profile version, should be ready for merge Signed-off-by: Aaron Lippold <[email protected]>

---------

Signed-off-by: Aaron Lippold <[email protected]>
Signed-off-by: wdower <[email protected]>
Signed-off-by: wdower <[email protected]>
Signed-off-by: Will Dower <[email protected]>
Signed-off-by: GitHub <[email protected]>
Co-authored-by: Eugene Aronne <[email protected]>
Co-authored-by: Aaron Lippold <[email protected]>
Co-authored-by: wdower <[email protected]>
Co-authored-by: wdower <[email protected]>
…or v, added VERSION Signed-off-by: Aaron Lippold <[email protected]>
…release 'v2' in a bit Signed-off-by: Aaron Lippold <[email protected]>
…4, add SAF GITHUB user Signed-off-by: Emily Rodriguez <[email protected]>
Added an actual automated test for Macie using the new Macie resource.