Merge pull request tmobile#348 from KanchanaAradhya/PortingAzureRules…

…OSS2.0 3 azure tagging rules ported
himanikh · Nov 1, 2019 · 5749a14 · 5749a14
2 parents 61042a2 + 75bd8fc
commit 5749a14
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 1 deletion.
diff --git a/installer/resources/lambda_rule_engine/files/rule_engine_cloudwatch_rules.json b/installer/resources/lambda_rule_engine/files/rule_engine_cloudwatch_rules.json
@@ -2462,6 +2462,72 @@
     "modifiedDate": "2019-09-18",
     "severity": "high",
     "category": "security"
+  },
+  {
+    "ruleId": "PacMan_TaggingRule_version-1_VirtualmachineTaggingRule_virtualmachine",
+    "ruleUUID": "azure_virtualmachine_should_be_tagged_with_mandatory_tags",
+    "policyId": "PacMan_TaggingRule_version-1",
+    "ruleName": "VirtualmachineTaggingRule",
+    "targetType": "virtualmachine",
+    "assetGroup": "azure",
+    "alexaKeyword": "VirtualmachineTaggingRule",
+    "ruleParams": "{\"params\":[{\"encrypt\":false,\"value\":\"check-for-missing-mandatory-tags\",\"key\":\"ruleKey\"},{\"encrypt\":false,\"value\":\",\",\"key\":\"splitterChar\"},{\"encrypt\":false,\"value\":\"Application,Environment,Stack,Role\",\"key\":\"mandatoryTags\"},{\"encrypt\":false,\"value\":\"high\",\"key\":\"severity\"},{\"encrypt\":false,\"value\":\"tagging\",\"key\":\"ruleCategory\"},{\"encrypt\":false,\"value\":\"\",\"key\":\"ruleOwner\"}],\"environmentVariables\":[],\"ruleId\":\"PacMan_TaggingRule_version-1_VirtualmachineTaggingRule_virtualmachine\",\"autofix\":false,\"alexaKeyword\":\"VirtualmachineTaggingRule\",\"ruleRestUrl\":\"\",\"targetType\":\"virtualmachine\",\"pac_ds\":\"azure\",\"policyId\":\"PacMan_TaggingRule_version-1\",\"assetGroup\":\"azure\",\"ruleUUID\":\"azure_virtualmachine_should_be_tagged_with_mandatory_tags\",\"ruleType\":\"ManageRule\"}",
+    "ruleFrequency": "0 * * * ? *",
+    "ruleExecutable": "",
+    "ruleRestUrl": "",
+    "ruleType": "ManageRule",
+    "ruleArn": "arn:aws:events:us-east-1:***REMOVED***:rule/azure_virtualmachine_should_be_tagged_with_mandatory_tags",
+    "status": "ENABLED",
+    "userId": "ASGC",
+    "displayName": "Virtualmachine should be tagged with mandatory tags",
+    "createdDate": "2019-10-25",
+    "modifiedDate": "2019-10-25",
+    "severity": "high",
+    "category": "tagging"
+  },
+  {
+    "ruleId": "PacMan_TaggingRule_version-1_SqlserverTaggingRule_sqlserver",
+    "ruleUUID": "azure_sqlserver_should_be_tagged_with_mandatory_tags",
+    "policyId": "PacMan_TaggingRule_version-1",
+    "ruleName": "SqlserverTaggingRule",
+    "targetType": "sqlserver",
+    "assetGroup": "azure",
+    "alexaKeyword": "SqlserverTaggingRule",
+    "ruleParams": "{\"params\":[{\"encrypt\":false,\"value\":\"check-for-missing-mandatory-tags\",\"key\":\"ruleKey\"},{\"encrypt\":false,\"value\":\",\",\"key\":\"splitterChar\"},{\"encrypt\":false,\"value\":\"Application,Environment,Stack,Role\",\"key\":\"mandatoryTags\"},{\"encrypt\":false,\"value\":\"high\",\"key\":\"severity\"},{\"encrypt\":false,\"value\":\"tagging\",\"key\":\"ruleCategory\"},{\"encrypt\":false,\"value\":\"\",\"key\":\"ruleOwner\"}],\"environmentVariables\":[],\"ruleId\":\"PacMan_TaggingRule_version-1_SqlserverTaggingRule_sqlserver\",\"autofix\":false,\"alexaKeyword\":\"SqlserverTaggingRule\",\"ruleRestUrl\":\"\",\"targetType\":\"sqlserver\",\"pac_ds\":\"azure\",\"policyId\":\"PacMan_TaggingRule_version-1\",\"assetGroup\":\"azure\",\"ruleUUID\":\"azure_sqlserver_should_be_tagged_with_mandatory_tags\",\"ruleType\":\"ManageRule\"}",
+    "ruleFrequency": "0 * * * ? *",
+    "ruleExecutable": "",
+    "ruleRestUrl": "",
+    "ruleType": "ManageRule",
+    "ruleArn": "arn:aws:events:us-east-1:***REMOVED***:rule/azure_sqlserver_should_be_tagged_with_mandatory_tags",
+    "status": "ENABLED",
+    "userId": "ASGC",
+    "displayName": "Sqlserver should be tagged with mandatory tags",
+    "createdDate": "2019-10-25",
+    "modifiedDate": "2019-10-25",
+    "severity": "high",
+    "category": "tagging"
+  },
+  {
+    "ruleId": "PacMan_TaggingRule_version-1_SqldatabaseTaggingRule_sqldatabase",
+    "ruleUUID": "azure_sqldatabase_should_be_tagged_with_mandatory_tags",
+    "policyId": "PacMan_TaggingRule_version-1",
+    "ruleName": "SqldatabaseserverTaggingRule",
+    "targetType": "sqldatabase",
+    "assetGroup": "azure",
+    "alexaKeyword": "SqldatabaseserverTaggingRule",
+    "ruleParams": "{\"params\":[{\"encrypt\":false,\"value\":\"check-for-missing-mandatory-tags\",\"key\":\"ruleKey\"},{\"encrypt\":false,\"value\":\",\",\"key\":\"splitterChar\"},{\"encrypt\":false,\"value\":\"Application,Environment,Stack,Role\",\"key\":\"mandatoryTags\"},{\"encrypt\":false,\"value\":\"high\",\"key\":\"severity\"},{\"encrypt\":false,\"value\":\"tagging\",\"key\":\"ruleCategory\"},{\"encrypt\":false,\"value\":\"\",\"key\":\"ruleOwner\"}],\"environmentVariables\":[],\"ruleId\":\"PacMan_TaggingRule_version-1_SqldatabaseTaggingRule_sqldatabase\",\"autofix\":false,\"alexaKeyword\":\"SqldatabaseTaggingRule\",\"ruleRestUrl\":\"\",\"targetType\":\"sqldatabase\",\"pac_ds\":\"azure\",\"policyId\":\"PacMan_TaggingRule_version-1\",\"assetGroup\":\"azure\",\"ruleUUID\":\"azure_sqldatabase_should_be_tagged_with_mandatory_tags\",\"ruleType\":\"ManageRule\"}",
+    "ruleFrequency": "0 * * * ? *",
+    "ruleExecutable": "",
+    "ruleRestUrl": "",
+    "ruleType": "ManageRule",
+    "ruleArn": "arn:aws:events:us-east-1:***REMOVED***:rule/azure_sqldatabase_should_be_tagged_with_mandatory_tags",
+    "status": "ENABLED",
+    "userId": "ASGC",
+    "displayName": "Sqldatabase should be tagged with mandatory tags",
+    "createdDate": "2019-10-25",
+    "modifiedDate": "2019-10-25",
+    "severity": "high",
+    "category": "tagging"
   }
 
 ]
diff --git a/installer/resources/pacbot_app/files/DB.sql b/installer/resources/pacbot_app/files/DB.sql
@@ -1345,7 +1345,9 @@ INSERT IGNORE INTO cf_RuleInstance (`ruleId`,`ruleUUID`,`policyId`,`ruleName`,`t
 INSERT IGNORE INTO cf_RuleInstance (`ruleId`,`ruleUUID`,`policyId`,`ruleName`,`targetType`,`assetGroup`,`alexaKeyword`,`ruleParams`,`ruleFrequency`,`ruleExecutable`,`ruleRestUrl`,`ruleType`,`ruleArn`,`status`,`userId`,`displayName`,`createdDate`,`modifiedDate`,`severity`,`category`) VALUES ('PacMan_Ec2PublicAccessPortWithS5Vulnerability_version-1_Ec2PublicAccessPortWithS5Vulnerability_ec2','aws_ec2_pub_vuln_s5_rule','PacMan_Ec2PublicAccessPortWithS5Vulnerability_version-1','Ec2PublicAccessPortWithS5Vuln','ec2','aws','Ec2PublicAccessPortWithS5Vuln','{"params":[{"encrypt":false,"value":"check-for-ec2-public-access-port-with-s5-vulnerabilities","key":"ruleKey"},{"encrypt":false,"value":"S5","key":"severityVulnValue"},{"encrypt":false,"value":"PacMan_EC2WithPublicIPAccess_version-1_Ec2WithPublicAccess_ec2","key":"ec2PortRuleId"},{"key":"esEc2WithVulnInfoForS5Url","value":"/aws_ec2/vulninfo/_search","isValueNew":true,"encrypt":false},{"key":"esEc2PubAccessPortUrl","value":"/aws/issue_ec2/_search","isValueNew":true,"encrypt":false},{"key":"esAppElbWithInstanceUrl","value":"/aws_appelb/appelb_instances/_search","isValueNew":true,"encrypt":false},{"key":"esClassicElbWithInstanceUrl","value":"/aws_classicelb/classicelb_instances/_search","isValueNew":true,"encrypt":false},{"key":"esAppElbPubAccessPortUrl","value":"/aws_appelb/issue_appelb/_search","isValueNew":true,"encrypt":false},{"key":"esClassicElbPubAccessPortUrl","value":"/aws_classicelb/issue_classicelb/_search","isValueNew":true,"encrypt":false},{"key":"appElbPortRuleId","value":"PacMan_ElbWithPublicAccess_version-1_ApplicationElbWithPublicAccess_appelb","isValueNew":true,"encrypt":false},{"key":"classicElbPortRuleId","value":"PacMan_ElbWithPublicAccess_version-1_ClassicElbWithPublicAccess_classicelb","isValueNew":true,"encrypt":false},{"encrypt":false,"value":"critical","key":"severity"},{"encrypt":false,"value":"security","key":"ruleCategory"}],"environmentVariables":[],"ruleId":"PacMan_Ec2PublicAccessPortWithS5Vulnerability_version-1_Ec2PublicAccessPortWithS5Vulnerability_ec2","autofix":false,"alexaKeyword":"Ec2PublicAccessPortWithS5Vulnerability","ruleRestUrl":"","targetType":"ec2","pac_ds":"aws","policyId":"PacMan_Ec2PublicAccessPortWithS5Vulnerability_version-1","assetGroup":"aws","ruleUUID":"aws_ec2_pub_vuln_s5_rule","ruleType":"ManageRule"}','0 0 ? * MON *','','','Manage Rule',concat('arn:aws:events:',@region,':',@account,':rule/aws_ec2_pub_vuln_s5_rule'),'ENABLED','ASGC','An Ec2 instance with remotely exploitable vulnerability (S5) should not be open to internet','2019-08-05','2019-08-05','high','governance');
 INSERT IGNORE INTO cf_RuleInstance (`ruleId`,`ruleUUID`,`policyId`,`ruleName`,`targetType`,`assetGroup`,`alexaKeyword`,`ruleParams`,`ruleFrequency`,`ruleExecutable`,`ruleRestUrl`,`ruleType`,`ruleArn`,`status`,`userId`,`displayName`,`createdDate`,`modifiedDate`,`severity`,`category`) VALUES ('PacMan_Ec2InstanceScannedByQualys_version-1_Ec2-instance-scanned-by-qualys-API_ec2','aws_ec2_qualys_scanned_rule','PacMan_Ec2InstanceScannedByQualys_version-1','Ec2InstanceScannedByQualysAPI','ec2','aws','Ec2InstanceScannedByQualysAPI','{"params":[{"encrypt":false,"value":"30","key":"target"},{"key":"esQualysUrl","value":"/aws_ec2/qualysinfo/_search","isValueNew":true,"encrypt":false},{"key":"discoveredDaysRange","value":"7","isValueNew":true,"encrypt":false},{"key":"ruleKey","value":"check-for-resource-scanned-by-qualys","isValueNew":true,"encrypt":false},{"encrypt":false,"value":"high","key":"severity"},{"encrypt":false,"value":"security","key":"ruleCategory"}],"environmentVariables":[],"ruleId":"PacMan_Ec2InstanceScannedByQualys_version-1_Ec2-instance-scanned-by-qualys-API_ec2","autofix":false,"alexaKeyword":"Ec2InstanceScannedByQualysAPI","ruleRestUrl":"","targetType":"ec2","pac_ds":"aws","policyId":"PacMan_Ec2InstanceScannedByQualys_version-1","assetGroup":"aws","ruleUUID":"aws_ec2_qualys_scanned_rule","ruleType":"ManageRule"}','0 0 ? * MON *','','','Manage Rule',concat('arn:aws:events:',@region,':',@account,':rule/aws_ec2_qualys_scanned_rule'),'ENABLED','ASGC','Every EC2 instance should be scanned by Qualys vulnerability assessment tool atleast once a month','2019-09-18','2019-09-18','high','security');
 
-
+INSERT IGNORE INTO cf_RuleInstance (ruleId,ruleUUID,policyId,ruleName,targetType,assetGroup,alexaKeyword,ruleParams,ruleFrequency,ruleExecutable,ruleRestUrl,ruleType,ruleArn,status,userId,displayName,createdDate,modifiedDate,severity,category) VALUES ('PacMan_TaggingRule_version-1_VirtualmachineTaggingRule_virtualmachine','azure_virtualmachine_should_be_tagged_with_mandatory_tags','PacMan_TaggingRule_version-1','VirtualmachineTaggingRule','virtualmachine','azure','VirtualmachineTaggingRule','{"params":[{"encrypt":false,"value":"check-for-missing-mandatory-tags","key":"ruleKey"},{"encrypt":false,"value":",","key":"splitterChar"},{"encrypt":false,"value":"Application,Environment,Stack,Role","key":"mandatoryTags"},{"encrypt":false,"value":"high","key":"severity"},{"encrypt":false,"value":"tagging","key":"ruleCategory"},{"encrypt":false,"value":"","key":"ruleOwner"}],"environmentVariables":[],"ruleId":"PacMan_TaggingRule_version-1_VirtualmachineTaggingRule_virtualmachine","autofix":false,"alexaKeyword":"VirtualmachineTaggingRule","ruleRestUrl":"","targetType":"virtualmachine","pac_ds":"azure","policyId":"PacMan_TaggingRule_version-1","assetGroup":"azure","ruleUUID":"azure_virtualmachine_should_be_tagged_with_mandatory_tags","ruleType":"ManageRule"}','0 0/12 * * ? *','','','ManageRule',concat('arn:aws:events:',@region,':',@account,':rule/azure_virtualmachine_should_be_tagged_with_mandatory_tags'),'ENABLED','ASGC','Virtualmachine should be tagged with mandatory tags',{d '2019-10-25'},{d '2019-10-25'},null,null);
+INSERT IGNORE INTO cf_RuleInstance (ruleId,ruleUUID,policyId,ruleName,targetType,assetGroup,alexaKeyword,ruleParams,ruleFrequency,ruleExecutable,ruleRestUrl,ruleType,ruleArn,status,userId,displayName,createdDate,modifiedDate,severity,category) VALUES ('PacMan_TaggingRule_version-1_SqlserverTaggingRule_sqlserver','azure_sqlserver_should_be_tagged_with_mandatory_tags','PacMan_TaggingRule_version-1','SqlserverTaggingRule','sqlserver','azure','SqlserverTaggingRule','{"params":[{"encrypt":false,"value":"check-for-missing-mandatory-tags","key":"ruleKey"},{"encrypt":false,"value":",","key":"splitterChar"},{"encrypt":false,"value":"Application,Environment,Stack,Role","key":"mandatoryTags"},{"encrypt":false,"value":"high","key":"severity"},{"encrypt":false,"value":"tagging","key":"ruleCategory"},{"encrypt":false,"value":"","key":"ruleOwner"}],"environmentVariables":[],"ruleId":"PacMan_TaggingRule_version-1_SqlserverTaggingRule_sqlserver","autofix":false,"alexaKeyword":"SqlserverTaggingRule","ruleRestUrl":"","targetType":"sqlserver","pac_ds":"azure","policyId":"PacMan_TaggingRule_version-1","assetGroup":"azure","ruleUUID":"azure_sqlserver_should_be_tagged_with_mandatory_tags","ruleType":"ManageRule"}','0 0/12 * * ? *','','','ManageRule',concat('arn:aws:events:',@region,':',@account,':rule/azure_sqlserver_should_be_tagged_with_mandatory_tags'),'ENABLED','ASGC','Sqlserver should be tagged with mandatory tags',{d '2019-10-25'},{d '2019-10-25'},null,null);
+INSERT IGNORE INTO cf_RuleInstance (ruleId,ruleUUID,policyId,ruleName,targetType,assetGroup,alexaKeyword,ruleParams,ruleFrequency,ruleExecutable,ruleRestUrl,ruleType,ruleArn,status,userId,displayName,createdDate,modifiedDate,severity,category) VALUES ('PacMan_TaggingRule_version-1_SqldatabaseTaggingRule_sqldatabase','azure_sqldatabase_should_be_tagged_with_mandatory_tags','PacMan_TaggingRule_version-1','SqldatabaseTaggingRule','sqldatabase','azure','SqldatabaseTaggingRule','{"params":[{"encrypt":false,"value":"check-for-missing-mandatory-tags","key":"ruleKey"},{"encrypt":false,"value":",","key":"splitterChar"},{"encrypt":false,"value":"Application,Environment,Stack,Role","key":"mandatoryTags"},{"encrypt":false,"value":"high","key":"severity"},{"encrypt":false,"value":"tagging","key":"ruleCategory"},{"encrypt":false,"value":"","key":"ruleOwner"}],"environmentVariables":[],"ruleId":"PacMan_TaggingRule_version-1_SqldatabaseTaggingRule_sqldatabase","autofix":false,"alexaKeyword":"SqldatabaseTaggingRule","ruleRestUrl":"","targetType":"sqldatabase","pac_ds":"azure","policyId":"PacMan_TaggingRule_version-1","assetGroup":"azure","ruleUUID":"azure_sqldatabase_should_be_tagged_with_mandatory_tags","ruleType":"ManageRule"}','0 0/12 * * ? *','','','ManageRule',concat('arn:aws:events:',@region,':',@account,':rule/azure_sqldatabase_should_be_tagged_with_mandatory_tags'),'ENABLED','ASGC','Sqldatabase should be tagged with mandatory tags',{d '2019-10-25'},{d '2019-10-25'},null,null);
 
 /* Omni Seach Configuration */
 
@@ -2523,6 +2525,7 @@ UPDATE `pacmandata`.`pac_config_key_metadata` SET `description` = 'Vulnerability
 UPDATE `pacmandata`.`pac_config_key_metadata` SET `description` = 'Vulnerability application resource details both' WHERE `cfkey` = 'vulnerability.application.resourcedetailsboth';
 UPDATE `pacmandata`.`pac_config_key_metadata` SET `description` = 'Vulnerability severity summary' WHERE `cfkey` = 'vulnerability.summary.severity';
 UPDATE `pacmandata`.`pac_config_key_metadata` SET `description` = 'Vulnerability types' WHERE `cfkey` = 'vulnerability.types';
+UPDATE `cf_Policy` SET policyDesc = 'All cloud assets should be tagged with following mandatory tags. Application,  Environment, Role and Stack. Assets without these mandatory tags will be marked as non-complaint. Below is an example for the tag value pairs.\n\nTag name: Application\nExample value: Rebellion\n\nNotes\nThis value for the application tag should be the approved application name give for the project during the cloud on-boarding process. Unknown applications will be marked for review and possible termination.\n\nTag name: Environment\nExample value: Production or Non Production or Non Production::qat1 or Non Production::dit1 (Refer Naming guide)\n\nNotes\nThe value for environment should distinguish the asset as a Production or Non Production class. You can further qualify Non Production assets using the :: separator. Look at the examples 3 and 4.\n\nTag name: Stack\nExample Value: Apache Httpd\n\nTag name: Role\nExample value: Webserver\n\n \nEach asset should at least have these 4 mandatory tags. You can have additional tags as well' WHERE policyId = 'PacMan_TaggingRule_version-1';
 
 DELETE FROM `pac_config_properties` WHERE cfkey='features.vulnerability.enabled';
 INSERT IGNORE INTO pac_config_properties(`cfkey`,`value`,`application`,`profile`,`label`,`createdBy`,`createdDate`,`modifiedBy`,`modifiedDate`) VALUES ('features.vulnerability.enabled',concat(@VULNERABILITY_FEATURE_ENABLED,''),'api','prd','latest',NULL,NULL,NULL,NULL);