diff --git a/.github/CODE_OF_CONDUCT.md b/.github/CODE_OF_CONDUCT.md
index b040d3b4f..6b1c4bc45 100644
--- a/.github/CODE_OF_CONDUCT.md
+++ b/.github/CODE_OF_CONDUCT.md
@@ -1,4 +1,4 @@
-# CloudSploit Code of Conduct
+# cloudExploit Code of Conduct
## Our Pledge
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
index c48e3c345..301896507 100644
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@@ -1,14 +1,14 @@
-# Contributing to CloudSploit
-Thank you for your interest in contributing to CloudSploit! We welcome your PRs, issues, feedback, and other contributions to this open source repository. To keep things moving smoothly, please use the following guidelines when working with the CloudSploit source code.
+# Contributing to cloudExploit
+Thank you for your interest in contributing to cloudExploit! We welcome your PRs, issues, feedback, and other contributions to this open source repository. To keep things moving smoothly, please use the following guidelines when working with the cloudExploit source code.
## Code of Conduct
-The CloudSploit project, maintainers, and contributors are governed by the [CloudSploit Code of Conduct](CODE_OF_CONDUCT.md). By contributing, you are agreeing to uphold this code in your interactions with the CloudSploit community.
+The cloudExploit project, maintainers, and contributors are governed by the [cloudExploit Code of Conduct](CODE_OF_CONDUCT.md). By contributing, you are agreeing to uphold this code in your interactions with the cloudExploit community.
## License
-By contributing code to CloudSploit, you attest that you have the rights to all code and that you are assigning these rights to Khulnasoft Security, Ltd. for use within its projects.
+By contributing code to cloudExploit, you attest that you have the rights to all code and that you are assigning these rights to Khulnasoft Security, Ltd. for use within its projects.
## Getting Started
-Please read our [README](../README.md#installation) for information on getting setup to use and develop CloudSploit scans locally. We also have a [guide for writing new plugins](../docs/writing-plugins.md).
+Please read our [README](../README.md#installation) for information on getting setup to use and develop cloudExploit scans locally. We also have a [guide for writing new plugins](../docs/writing-plugins.md).
## Proposing Large Changes
While we welcome all contributions, large pull requests that make significant changes to the codebase are difficult to review are merge without prior discussion. Please open an issue to discuss these changes before beginning work on them.
diff --git a/.github/workflows/scans_ci.yml b/.github/workflows/scans_ci.yml
index 52815e234..939694ce3 100644
--- a/.github/workflows/scans_ci.yml
+++ b/.github/workflows/scans_ci.yml
@@ -1,4 +1,4 @@
-name:
+name: scan
on: [push, pull_request, create, delete, issue_comment]
jobs:
@@ -6,16 +6,19 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
+
- name: Use Node.js
uses: actions/setup-node@v1
with:
- node-version: '12.x'
- - uses: codespell-project/actions-codespell@master
+ node-version: '16.x' # Updated Node.js version
+
+ - uses: khulnasoft/codetypo-actions@master
with:
check_filenames: true
skip: ./.github/*,.git,./package.json,./package-lock.json,./node_modules,./tests,./config,*.png,Dockerfile,./scripts,*.spec.js,./plugins/azure/storageaccounts/storageAccountsAADEnabled.js,./plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js,./helpers/google/index.js,*zip
ignore_words_list: iam,\"tRe\",AKS,aks,optin,callInt,callInt
+
- run: npm install
- name: Lint
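Review bot: The replacement spell-check step `uses: khulnasoft/codetypo-actions@master` tracks a mutable branch, so any later push to that branch runs unreviewed in this job on every event in the `on:` list, including `pull_request` and `issue_comment`. Pin it to a reviewed commit, e.g. `- uses: khulnasoft/codetypo-actions@<full-commit-sha>  # <release tag>`, and update the pin deliberately. The `with:` inputs (`check_filenames`, `skip`, `ignore_words_list`) are carried over unchanged from the codespell action, so confirm the new action accepts the same keys; otherwise the check may silently stop applying the skip list. The hunk bumps `actions/checkout` to v3 but leaves `actions/setup-node@v1` in place, which is worth moving to a current, pinned release in the same change. The job definition starts and continues outside this hunk, so whether a least-privilege `permissions:` block is set cannot be seen from here.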
diff --git a/README.md b/README.md
index ddd668214..6a4fb8d33 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
[](https://travis-ci.org/khulnasoft/cloudexploit)
-CloudSploit by Khulnasoft - Cloud Security Scans
+cloudExploit by Khulnasoft - Cloud Security Scans
=================
[
](https://cloud.khulnasoft.com/signup)
@@ -33,7 +33,7 @@ $ docker run -e AWS_ACCESS_KEY_ID=XX -e AWS_SECRET_ACCESS_KEY=YY cloudexploit:0.
+ [Microsoft Azure](docs/azure.md#cloud-provider-configuration)
+ [Google Cloud Platform](docs/gcp.md#cloud-provider-configuration)
+ [Oracle Cloud Infrastructure](docs/oracle.md#cloud-provider-configuration)
- + [CloudSploit Config File](#cloudexploit-config-file)
+ + [cloudExploit Config File](#cloudexploit-config-file)
+ [Credential Files](#credential-files)
+ [AWS](#aws)
+ [Azure](#azure)
@@ -60,16 +60,16 @@ $ docker run -e AWS_ACCESS_KEY_ID=XX -e AWS_SECRET_ACCESS_KEY=YY cloudexploit:0.
* [Other Notes](#other-notes)
## Background
-CloudSploit by Khulnasoft is an open-source project designed to allow detection of security risks in cloud infrastructure accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub. These scripts are designed to return a series of potential misconfigurations and security risks.
+cloudExploit by Khulnasoft is an open-source project designed to allow detection of security risks in cloud infrastructure accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub. These scripts are designed to return a series of potential misconfigurations and security risks.
## Deployment Options
-CloudSploit is available in two deployment options:
+cloudExploit is available in two deployment options:
### Self-Hosted
-Follow the instructions below to deploy the open-source version of CloudSploit on your machine in just a few simple steps.
+Follow the instructions below to deploy the open-source version of cloudExploit on your machine in just a few simple steps.
### Hosted at Khulnasoft Wave
-A commercial version of CloudSploit hosted at Khulnasoft Wave. Try [Khulnasoft Wave](https://cloud.khulnasoft.com/signup) today!
+A commercial version of cloudExploit hosted at Khulnasoft Wave. Try [Khulnasoft Wave](https://cloud.khulnasoft.com/signup) today!
## Installation
Ensure that NodeJS is installed. If not, install it from [here](https://nodejs.org/download/).
@@ -80,17 +80,17 @@ $ npm install
```
## Configuration
-CloudSploit requires read-only permission to your cloud account. Follow the guides below to provision this access:
+cloudExploit requires read-only permission to your cloud account. Follow the guides below to provision this access:
* [Amazon Web Services](docs/aws.md#cloud-provider-configuration)
* [Microsoft Azure](docs/azure.md#cloud-provider-configuration)
* [Google Cloud Platform](docs/gcp.md#cloud-provider-configuration)
* [Oracle Cloud Infrastructure](docs/oracle.md#cloud-provider-configuration)
-For AWS, you can run CloudSploit directly and it will detect credentials using the default [AWS credential chain](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CredentialProviderChain.html).
+For AWS, you can run cloudExploit directly and it will detect credentials using the default [AWS credential chain](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CredentialProviderChain.html).
-### CloudSploit Config File
-The CloudSploit config file allows you to pass cloud provider credentials by:
+### cloudExploit Config File
+The cloudExploit config file allows you to pass cloud provider credentials by:
1. A JSON file on your file system
1. Environment variables
1. Hard-coding (not recommended)
@@ -157,7 +157,7 @@ Note: For GCP, you [generate a JSON file](docs/gcp.md) directly from the GCP con
```
### Environment Variables
-CloudSploit supports passing environment variables, but you must first uncomment the section of your `config.js` file relevant to the cloud provider being scanned.
+cloudExploit supports passing environment variables, but you must first uncomment the section of your `config.js` file relevant to the cloud provider being scanned.
You can then pass the variables listed in each section. For example, for AWS:
```
@@ -175,7 +175,7 @@ $ ./index.js
```
## CLI Options
-CloudSploit supports many options to customize the run time. Some popular options include:
+cloudExploit supports many options to customize the run time. Some popular options include:
* AWS GovCloud support: `--govcloud`
* AWS China support: `--china`
* Save the raw cloud provider response data: `--collection=file.json`
@@ -201,7 +201,7 @@ See [Output Formats](#output-formates) below for more output options.
| |
|_|
- CloudSploit by Khulnasoft Security, Ltd.
+ cloudExploit by Khulnasoft Security, Ltd.
Cloud security auditing for AWS, Azure, GCP, Oracle, and GitHub
usage: index.js [-h] --config CONFIG [--compliance {hipaa,cis,cis1,cis2,pci}] [--plugin PLUGIN] [--govcloud] [--china] [--csv CSV] [--json JSON] [--junit JUNIT]
@@ -233,7 +233,7 @@ See [Output Formats](#output-formates) below for more output options.
## Compliance
-CloudSploit supports mapping of its plugins to particular compliance policies. To run the compliance scan, use the `--compliance` flag. For example:
+cloudExploit supports mapping of its plugins to particular compliance policies. To run the compliance scan, use the `--compliance` flag. For example:
```
$ ./index.js --compliance=hipaa
$ ./index.js --compliance=pci
@@ -244,19 +244,19 @@ Multiple compliance modes can be run at the same time:
$ ./index.js --compliance=cis1 --compliance=cis2
```
-CloudSploit currently supports the following compliance mappings:
+cloudExploit currently supports the following compliance mappings:
### HIPAA
```
$ ./index.js --compliance=hipaa
```
-HIPAA scans map CloudSploit plugins to the Health Insurance Portability and Accountability Act of 1996.
+HIPAA scans map cloudExploit plugins to the Health Insurance Portability and Accountability Act of 1996.
### PCI
```
$ ./index.js --compliance=pci
```
-PCI scans map CloudSploit plugins to the Payment Card Industry Data Security Standard.
+PCI scans map cloudExploit plugins to the Payment Card Industry Data Security Standard.
### CIS Benchmarks
```
@@ -268,7 +268,7 @@ $ ./index.js --compliance=cis2
CIS Benchmarks are supported, both for Level 1 and Level 2 controls. Passing `--compliance=cis` will run both level 1 and level 2 controls.
## Output Formats
-CloudSploit supports output in several formats for consumption by other tools. If you do not specify otherwise, CloudSploit writes output to standard output (the console) as a table.
+cloudExploit supports output in several formats for consumption by other tools. If you do not specify otherwise, cloudExploit writes output to standard output (the console) as a table.
Note: You can pass multiple output formats and combine options for further customization. For example:
```
@@ -280,7 +280,7 @@ $ ./index.js --json=file.json --junit=file.xml --console=text --ignore-ok
```
### Console Output
-By default, CloudSploit results are printed to the console in a table format (with colors). You can override this and use plain text instead, by running:
+By default, cloudExploit results are printed to the console in a table format (with colors). You can override this and use plain text instead, by running:
```
$ ./index.js --console=text
```
@@ -309,7 +309,7 @@ $ ./index.js --junit=file.xml
```
### Collection Output
-CloudSploit saves the data queried from the cloud provider APIs in JSON format, which can be saved alongside other files for debugging or historical purposes.
+cloudExploit saves the data queried from the cloud provider APIs in JSON format, which can be saved alongside other files for debugging or historical purposes.
```
$ ./index.js --collection=file.json
```
@@ -339,10 +339,10 @@ $ ./index.js --plugin acmValidation
```
## Architecture
-CloudSploit works in two phases. First, it queries the cloud infrastructure APIs for various metadata about your account, namely the "collection" phase. Once all the necessary data is collected, the result is passed to the "scanning" phase. The scan uses the collected data to search for potential misconfigurations, risks, and other security issues, which are the resulting output.
+cloudExploit works in two phases. First, it queries the cloud infrastructure APIs for various metadata about your account, namely the "collection" phase. Once all the necessary data is collected, the result is passed to the "scanning" phase. The scan uses the collected data to search for potential misconfigurations, risks, and other security issues, which are the resulting output.
## Writing a Plugin
-Please see our [contribution guidelines](.github/CONTRIBUTING.md) and [complete guide](docs/writing-plugins.md) to writing CloudSploit plugins.
+Please see our [contribution guidelines](.github/CONTRIBUTING.md) and [complete guide](docs/writing-plugins.md) to writing cloudExploit plugins.
## Writing a remediation
The `--remediate` flag can be used if you want to run remediation for the plugins mentioned as part of this argument. This takes a list of plugin names.
diff --git a/collectors/alibaba/collector.js b/collectors/alibaba/collector.js
index e86219115..6a239fcc4 100644
--- a/collectors/alibaba/collector.js
+++ b/collectors/alibaba/collector.js
@@ -1,6 +1,6 @@
/*********************
Collector - The collector will query Alibaba APIs for the information required
-to run the CloudSploit scans. This data will be returned in the callback
+to run the cloudExploit scans. This data will be returned in the callback
as a JSON object.
Arguments:
diff --git a/collectors/aws/collector.js b/collectors/aws/collector.js
index 6f7fa7b99..c48e8e310 100644
--- a/collectors/aws/collector.js
+++ b/collectors/aws/collector.js
@@ -1,6 +1,6 @@
/*********************
Collector - The collector will query AWS APIs for the information required
- to run the CloudSploit scans. This data will be returned in the callback
+ to run the cloudExploit scans. This data will be returned in the callback
as a JSON object.
Arguments:
diff --git a/collectors/aws/collector_multipart.js b/collectors/aws/collector_multipart.js
index e9960d4ae..076c844c7 100644
--- a/collectors/aws/collector_multipart.js
+++ b/collectors/aws/collector_multipart.js
@@ -1,6 +1,6 @@
/*********************
Collector - The collector will query AWS APIs for the information required
- to run the CloudSploit scans. This data will be returned in the callback
+ to run the cloudExploit scans. This data will be returned in the callback
as a JSON object.
Arguments:
diff --git a/collectors/azure/collector.js b/collectors/azure/collector.js
index fabd6f2c2..0ac06e2e5 100644
--- a/collectors/azure/collector.js
+++ b/collectors/azure/collector.js
@@ -1,6 +1,6 @@
/*********************
Collector - The collector will query Azure APIs for the information required
- to run the CloudSploit scans. This data will be returned in the callback
+ to run the cloudExploit scans. This data will be returned in the callback
as a JSON object.
Arguments:
diff --git a/collectors/github/collector.js b/collectors/github/collector.js
index 4b472aa64..202e5ce61 100644
--- a/collectors/github/collector.js
+++ b/collectors/github/collector.js
@@ -2,7 +2,7 @@
/*********************
Collector - The collector will query GitHub APIs for the information required
- to run the CloudSploit scans. This data will be returned in the callback
+ to run the cloudExploit scans. This data will be returned in the callback
as a JSON object.
*********************/
diff --git a/collectors/google/collector.js b/collectors/google/collector.js
index 9d8b9e17d..67809a376 100644
--- a/collectors/google/collector.js
+++ b/collectors/google/collector.js
@@ -1,6 +1,6 @@
/*********************
Collector - The collector will query Google APIs for the information required
- to run the CloudSploit scans. This data will be returned in the callback
+ to run the cloudExploit scans. This data will be returned in the callback
as a JSON object.
Arguments:
diff --git a/collectors/oracle/collector.js b/collectors/oracle/collector.js
index 04ee90316..21571929a 100644
--- a/collectors/oracle/collector.js
+++ b/collectors/oracle/collector.js
@@ -1,6 +1,6 @@
/*********************
Collector - The collector will query Oracle's APIs for the information required
- to run the CloudSploit scans. This data will be returned in the callback
+ to run the cloudExploit scans. This data will be returned in the callback
as a JSON object.
Arguments:
diff --git a/config_example.js b/config_example.js
index 2c7767c61..d2389427d 100644
--- a/config_example.js
+++ b/config_example.js
@@ -1,4 +1,4 @@
-// CloudSploit config file
+// cloudExploit config file
module.exports = {
credentials: {
diff --git a/docs/aws.md b/docs/aws.md
index 7cd0988c0..9b84b3537 100644
--- a/docs/aws.md
+++ b/docs/aws.md
@@ -1,4 +1,4 @@
-# CloudSploit For Amazon Web Services (AWS)
+# cloudExploit For Amazon Web Services (AWS)
## Cloud Provider Configuration
Create a "cloudexploit" user, with the `SecurityAudit` policy.
@@ -33,7 +33,7 @@ Create a "cloudexploit" user, with the `SecurityAudit` policy.
}
```
1. Click "Review policy."
-1. Provide a name (`CloudSploitSupplemental`) and click "Create policy."
+1. Provide a name (`cloudExploitSupplemental`) and click "Create policy."
1. Return to the "Create user" page and attach the newly-created policy. Click "Next: tags."
1. Set tags as needed and then click on "Create user".
1. Make sure you safely store the Access key ID and Secret access key.
diff --git a/docs/azure.md b/docs/azure.md
index ff07c5bd5..2823ff65e 100644
--- a/docs/azure.md
+++ b/docs/azure.md
@@ -1,9 +1,9 @@
-# CloudSploit For Microsoft Azure
+# cloudExploit For Microsoft Azure
## Cloud Provider Configuration
1. Log into your Azure Portal and navigate to the Azure Active Directory service.
1. Select App registrations and then click on New registration.
-1. Enter "CloudSploit" and/or a descriptive name in the Name field, take note of it, it will be used again in step 3.
+1. Enter "cloudExploit" and/or a descriptive name in the Name field, take note of it, it will be used again in step 3.
1. Leave the "Supported account types" default: "Accounts in this organizational directory only (YOURDIRECTORYNAME)".
1. Click on Register.
1. Copy the Application ID and Paste it below.
@@ -20,6 +20,6 @@
1. Click on "Add", then "Add role assignment".
1. In the "Role" drop-down, select "Security Reader".
1. Leave the "Assign access to" default value.
-1. In the "Select" drop-down, type the name of the app registration (e.g. "CloudSploit") you created and select it.
+1. In the "Select" drop-down, type the name of the app registration (e.g. "cloudExploit") you created and select it.
1. Click "Save".
1. Repeat the process for the role "Log Analytics Reader"
diff --git a/docs/gcp.md b/docs/gcp.md
index 38463d303..d776d7883 100644
--- a/docs/gcp.md
+++ b/docs/gcp.md
@@ -1,4 +1,4 @@
-# CloudSploit For Google Cloud Platform (GCP)
+# cloudExploit For Google Cloud Platform (GCP)
## Create Security Audit Role
@@ -65,7 +65,7 @@ stage: GA
1. Log into your Google Cloud console and navigate to IAM Admin > Service Accounts.
1. Click on "Create Service Account".
-1. Enter "CloudSploit" in the "Service account name", then enter "CloudSploit API Access" in the description.
+1. Enter "cloudExploit" in the "Service account name", then enter "cloudExploit API Access" in the description.
1. Click on Continue.
1. Select the role: Custom > Khulnasoft CSPM Security Audit.
1. Click on Continue.
diff --git a/docs/github.md b/docs/github.md
index 11b04c1ec..0c777d1b0 100644
--- a/docs/github.md
+++ b/docs/github.md
@@ -1,15 +1,15 @@
-# GitHub CloudSploit Scans
+# GitHub cloudExploit Scans
## Background
-CloudSploit provides GitHub account security auditing capabilities. CloudSploit uses the GitHub APIs to obtain metadata about the GitHub account (number of repositories, configuration, security settings, etc.) which is then used to evaluate alignment with security best practices.
+cloudExploit provides GitHub account security auditing capabilities. cloudExploit uses the GitHub APIs to obtain metadata about the GitHub account (number of repositories, configuration, security settings, etc.) which is then used to evaluate alignment with security best practices.
## Getting Started
To use the GitHub scans, you need a GitHub personal access token for an organization owner with read-only access. You can read more about the permission model below. Follow these steps:
1. Log into your GitHub organization account as an owner
-2. Create a new machine (generic) user for the CloudSploit service (depending on your organization's configuration, you may need to impersonate this user to get access to its settings page). **NOTE**: You can optionally use an existing organization owner for this token, but we strongly recommend creating a new user.
+2. Create a new machine (generic) user for the cloudExploit service (depending on your organization's configuration, you may need to impersonate this user to get access to its settings page). **NOTE**: You can optionally use an existing organization owner for this token, but we strongly recommend creating a new user.
3. Ensure the user is added as an owner of the Git organization.
4. Log into GitHub as this user.
5. Navigate to "Settings" > "Developer Settings" > "Personal Access Tokens"
@@ -47,7 +47,7 @@ To use the GitHub scans, you need a GitHub personal access token for an organiza
- [ ] write:gpg_key
- [x] read:gpg_key
-8. Save the permissions to obtain a token. Copy this token for use with CloudSploit.
+8. Save the permissions to obtain a token. Copy this token for use with cloudExploit.
```
GITHUB_ORG= GITHUB_TOKEN= node index.js
@@ -57,20 +57,20 @@ GITHUB_ORG= GITHUB_TOKEN= node index.js
GitHub has a number of ways to provide access to its APIs, each with different levels of access. These include: third-party OAuth applications, GitHub applications, and personal access tokens.
-CloudSploit requires personal access tokens because many of the APIs it invokes are not exposed to OAuth and GitHub applications. These applications were designed to provide functionality around creating repositories, issues, checks, pull requests, etc., and were not designed for use as auditing tools.
+cloudExploit requires personal access tokens because many of the APIs it invokes are not exposed to OAuth and GitHub applications. These applications were designed to provide functionality around creating repositories, issues, checks, pull requests, etc., and were not designed for use as auditing tools.
-CloudSploit recommends creating a machine user (also called a generic user in some organizations) for the auditing service. This user must be added as an organization owner (required to have visibility into all repositories and settings). However, a read-only access key can be created for it to limit the scope in which it operates.
+cloudExploit recommends creating a machine user (also called a generic user in some organizations) for the auditing service. This user must be added as an organization owner (required to have visibility into all repositories and settings). However, a read-only access key can be created for it to limit the scope in which it operates.
## Developing New Plugins
-CloudSploit GitHub scans contain two main pieces: 1) a collector that queries the GitHub APIs for information and 2) an executor which uses that information in "plugins" to evaluate security best practice adherence. To add new plugins follow the below steps.
+cloudExploit GitHub scans contain two main pieces: 1) a collector that queries the GitHub APIs for information and 2) an executor which uses that information in "plugins" to evaluate security best practice adherence. To add new plugins follow the below steps.
All code changes can be found in `collectors/github/collector.js` or as a plugin inside `plugins/github`.
### Using Octokit
-CloudSploit uses [Octokit](https://octokit.github.io/rest.js), which is a Node.js module for making GitHub API calls.
+cloudExploit uses [Octokit](https://octokit.github.io/rest.js), which is a Node.js module for making GitHub API calls.
### Determine the API Calls Needed for Your Plugin
@@ -78,7 +78,7 @@ The source data required for the plugin will be different depending on the infor
### Evaluate API Call Order
-CloudSploit supports both `calls` and `postcalls` in the collector. `calls` defined API calls that can be made at any time; in other words, the order does not matter. `postcalls` are API calls that must be made after a previous call is made because it relies on some information within that dependent call.
+cloudExploit supports both `calls` and `postcalls` in the collector. `calls` defined API calls that can be made at any time; in other words, the order does not matter. `postcalls` are API calls that must be made after a previous call is made because it relies on some information within that dependent call.
In our org admins example, the `orgs:listMembers` API call returns a list of all members of an organization:
diff --git a/docs/notes.md b/docs/notes.md
index d4777e663..36914bdca 100644
--- a/docs/notes.md
+++ b/docs/notes.md
@@ -25,7 +25,7 @@ To create a cross-account role:
10. Then click on the role name and copy the role ARN for use in the next step.
```
-## CloudSploit Supplemental Policy
+## cloudExploit Supplemental Policy
Allows read only access to services not included in the SecurityAudit AWS Managed policy but that are also tested by the CSPM scans.
```$xslt
diff --git a/docs/oracle.md b/docs/oracle.md
index 178e5156b..39b652bc2 100644
--- a/docs/oracle.md
+++ b/docs/oracle.md
@@ -1,4 +1,4 @@
-# CloudSploit For Oracle Cloud Infrastructure (OCI)
+# cloudExploit For Oracle Cloud Infrastructure (OCI)
## Cloud Provider Configuration
@@ -6,7 +6,7 @@
1. Copy your Tenancy OCID and paste it in the index file.
1. Navigate to Identity > Users.
1. Click on Create User.
-1. Enter "CloudSploit", then enter "CloudSploit API Access" in the description.
+1. Enter "cloudExploit", then enter "cloudExploit API Access" in the description.
1. Click on Create.
1. Copy the User OCID and paste it in the index file.
1. Follow the steps to Generate an API Signing Key listed on Oracle's Cloud Doc(https://docs.cloud.oracle.com/iaas/Content/API/Concepts/apisigningkey.htm#How).
@@ -15,12 +15,12 @@
1. Open the private key (oci_api_key.pem) in your preferred text editor and paste it in the index file.
1. Navigate to Identity > Groups.
1. Click on Create Group.
-1. Enter "SecurityAudit" in the Name field, then enter "CloudSploit Security Audit Access" in the description.
+1. Enter "SecurityAudit" in the Name field, then enter "cloudExploit Security Audit Access" in the description.
1. Click on Submit.
-1. Click on the SecurityAudit group in the Groups List and Add the CloudSploit API User to the group.
+1. Click on the SecurityAudit group in the Groups List and Add the cloudExploit API User to the group.
1. Navigate to Identity > Policies.
1. Click on Create Policy.
-1. Enter "SecurityAudit" in the Name field, then enter "CloudSploit Security Audit Policy" in the description.
+1. Enter "SecurityAudit" in the Name field, then enter "cloudExploit Security Audit Policy" in the description.
1. Copy and paste the following statement:
1. ALLOW GROUP SecurityAudit to READ all-resources in tenancy
1. Click on Create.
@@ -33,8 +33,8 @@
In your Oracle Cloud Infrastructure Console, under Identity > Users:
* Click on "Create User"
-* Set the Name to "CloudSploitAPI"
-* Set the Description to "CloudSploit API Read Only Access"
+* Set the Name to "cloudExploitAPI"
+* Set the Description to "cloudExploit API Read Only Access"
* Click on "Create"
## Generate an API Signing Key
diff --git a/docs/upgrading.md b/docs/upgrading.md
index 2ff6fd1b0..a3b59a5b6 100644
--- a/docs/upgrading.md
+++ b/docs/upgrading.md
@@ -1,30 +1,30 @@
-# Upgrading CloudSploit
-CloudSploit version 2.0.0 introduced a number of changes from the original CloudSploit release, designed to make running CloudSploit easier in multiple environment types, including command line and CI/CD systems.
+# Upgrading cloudExploit
+cloudExploit version 2.0.0 introduced a number of changes from the original cloudExploit release, designed to make running cloudExploit easier in multiple environment types, including command line and CI/CD systems.
## Notable Changes
* The addition of the `argparse` library to enhance CLI option support
* Formalizing several previously-hidden settings and options (e.g. saving the JSON collection, multiple output formats, suppressions, etc.)
* The addition of the `tty-table` library for pretty-print CLI output of results. This is now the default output, but it can be changed to text-only via the `--console=text` flag.
* Improved documentation across the AWS, Azure, GCP, and OCI providers.
-* The use of a `config.js` file for storing cloud provider configuration options, making it easier to run CloudSploit against multiple accounts by passing the `--config` flag.
-* Fallback to the AWS credential chain, allowing users to get started running CloudSploit more quickly.
-* Addition of an .eslint file for developers of CloudSploit and CloudSploit plugins.
+* The use of a `config.js` file for storing cloud provider configuration options, making it easier to run cloudExploit against multiple accounts by passing the `--config` flag.
+* Fallback to the AWS credential chain, allowing users to get started running cloudExploit more quickly.
+* Addition of an .eslint file for developers of cloudExploit and cloudExploit plugins.
* Formalizing CIS Benchmark options in the plugins using the `compliance` property.
* Added the ability to run a single plugin directly from the CLI, without editing the `exports.js` file by passing the flag `--plugin pluginName`.
## Preparing Your Environment
-If you previously used CloudSploit, you may need to make some changes as part of 2.0. Consider the following steps:
+If you previously used cloudExploit, you may need to make some changes as part of 2.0. Consider the following steps:
1. If you previously edited the `index.js` file, copy your cloud provider credentials to a new `config.js` file instead. You can do this by:
```
$ cp config_example.js config.js
// Edit your config.js file and pass either a path to a cloud credential file or the credentials themselves.
$ ./index.js --config=./config.js
```
-1. If you are using AWS, you may now use the default credential handler by simply running CloudSploit with no config flag:
+1. If you are using AWS, you may now use the default credential handler by simply running cloudExploit with no config flag:
```
$ ./index.js
```
-1. If you were running CloudSploit as part of a CI/CD process, the following flags may be helpful:
+1. If you were running cloudExploit as part of a CI/CD process, the following flags may be helpful:
```
// Ignore passing results
$ ./index.js --ignore-ok
@@ -41,6 +41,6 @@ If you previously used CloudSploit, you may need to make some changes as part of
// Creates a JUnit XML file
$ ./index.js --junit=file.xml
```
-1. If you are running CloudSploit in a place where pretty-print tables, with colors, are not usable, you can revert to raw text output with the `--console=text` flag.
+1. If you are running cloudExploit in a place where pretty-print tables, with colors, are not usable, you can revert to raw text output with the `--console=text` flag.
1. The text output has changed. The previous format contained too much information and created unreadable output. The new text output puts each result on its own line, and includes the plugin name, description, and other useful information.
-1. If you are using CloudSploit as source input to other systems, we strongly recommend using the JSON output option to create a standardized output file (do not try to parse the output text format). Use `--json=file.json` to create results in a JSON structure.
+1. If you are using cloudExploit as source input to other systems, we strongly recommend using the JSON output option to create a standardized output file (do not try to parse the output text format). Use `--json=file.json` to create results in a JSON structure.
diff --git a/docs/writing-plugins.md b/docs/writing-plugins.md
index 1ad407e63..bc18ccc91 100644
--- a/docs/writing-plugins.md
+++ b/docs/writing-plugins.md
@@ -1,4 +1,4 @@
-# Writing CloudSploit Plugins
+# Writing cloudExploit Plugins
## Collection Phase
To write a plugin, you want to understand which data is needed and how your cloud infrastructure provides them via their API calls. Once you have identified the API calls needed, you can add them to the collect.js file for your cloud infrastructure provider. This file determines the cloud infrastructure API calls and their run-order.
@@ -11,7 +11,7 @@ To write a plugin, you want to understand which data is needed and how your clou
* [Oracle Collection](#oracle-collection)
#### AWS Collection
-The following declaration tells the CloudSploit collection engine to query the CloudFront service using the `listDistributions` call and then save the results returned under `DistributionList.Items`.
+The following declaration tells the cloudExploit collection engine to query the CloudFront service using the `listDistributions` call and then save the results returned under `DistributionList.Items`.
```
CloudFront: {
@@ -35,7 +35,7 @@ getGroup: {
},
```
-This section tells CloudSploit to wait until the `IAM:listGroups` call has been made, and then loop through the data that is returned. The `filterKey` tells CloudSploit the name of the key from the original response, while `filterValue` tells it which property to set in the `getGroup` call filter. For example: `iam.getGroup({GroupName:abc})` where `abc` is the `GroupName` from the returned list. CloudSploit will loop through each response, re-invoking `getGroup` for each element.
+This section tells cloudExploit to wait until the `IAM:listGroups` call has been made, and then loop through the data that is returned. The `filterKey` tells cloudExploit the name of the key from the original response, while `filterValue` tells it which property to set in the `getGroup` call filter. For example: `iam.getGroup({GroupName:abc})` where `abc` is the `GroupName` from the returned list. cloudExploit will loop through each response, re-invoking `getGroup` for each element.
You can find the [AWS Collector here.](https://github.com/khulnasoft/cloudexploit/blob/master/collectors/aws/collector.js)
@@ -171,7 +171,7 @@ IAM: {
}
},
```
-The `property` tells CloudSploit which property to read in the response from AWS.
+The `property` tells cloudExploit which property to read in the response from AWS.
Then, under `postCalls`, add:
```
@@ -184,7 +184,7 @@ IAM: {
}
},
```
-CloudSploit will first get the list of groups, then, it will loop through each one, using the group name to get more detailed info via `getGroup`.
+cloudExploit will first get the list of groups, then, it will loop through each one, using the group name to get more detailed info via `getGroup`.
Next, we'll write the plugin. Create a new file in the `plugins/iam` folder called `emptyGroups.js` (this plugin already exists, but you can create a similar one for the purposes of this example).
@@ -244,7 +244,7 @@ virtualMachineExtensions: {
}
},
```
-CloudSploit will first get the list of virtual machines, then, it will loop through each one, using the virtual machine name to get more detailed info via `virtualMachineExtensions`.
+cloudExploit will first get the list of virtual machines, then, it will loop through each one, using the virtual machine name to get more detailed info via `virtualMachineExtensions`.
Next, we'll write the plugin. Create a new file in the `plugins/virtualmachines` folder called `vmEndpointProtection.js` (this plugin already exists, but you can create a similar one for the purposes of this example).
@@ -309,7 +309,7 @@ buckets: {
}
},
```
-CloudSploit will first get the list of buckets, then, it will loop through each one, using the bucket name to get more detailed info via `getIamPolicy`.
+cloudExploit will first get the list of buckets, then, it will loop through each one, using the bucket name to get more detailed info via `getIamPolicy`.
Next, we'll write the plugin. Create a new file in the `plugins/google/storage` folder called `bucketAllUsersPolicy.js` (this plugin already exists, but you can create a similar one for the purposes of this example).
@@ -370,7 +370,7 @@ subnet: {
}
},
```
-CloudSploit will first get the list of vcns, then, it will loop through each one, using the vcn id to get more detailed info via `subnet:list`.
+cloudExploit will first get the list of vcns, then, it will loop through each one, using the vcn id to get more detailed info via `subnet:list`.
Next, we'll write the plugin. Create a new file in the `plugins/oracle/networking` folder called `subnetMultiAd.js` (this plugin already exists, but you can create a similar one for the purposes of this example).
diff --git a/docs/writing-remediation.md b/docs/writing-remediation.md
index 96e0331d1..1e9449e59 100644
--- a/docs/writing-remediation.md
+++ b/docs/writing-remediation.md
@@ -1,4 +1,4 @@
-# Writing CloudSploit Remediation
+# Writing cloudExploit Remediation
To write remediation for a plugin, you need to understand what action needs to be performed to remediate the plugin, what permissions are needed from the cloud provider, and what is the api call you need to make to perform that action. You need to understand what all data are needed to perform this. Those api calls to collect the data should be added in the collect.js for the particluar cloud provider, if those are not there already. For more information on collectors please check [complete guide](docs/writing-plugins.md).
### Remediations
diff --git a/engine.js b/engine.js
index dd686fd09..9854964e9 100644
--- a/engine.js
+++ b/engine.js
@@ -43,7 +43,7 @@ async function uploadResultsToBlob(resultsObject, storageConnection, blobContain
}
/**
- * The main function to execute CloudSploit scans.
+ * The main function to execute cloudExploit scans.
* @param cloudConfig The configuration for the cloud provider.
* @param settings General purpose settings.
*/
diff --git a/index.js b/index.js
index d01417a92..9b7a8233f 100644
--- a/index.js
+++ b/index.js
@@ -14,14 +14,14 @@ console.log(`
| |
|_|
- CloudSploit by Khulnasoft Security, Ltd.
+ cloudExploit by Khulnasoft Security, Ltd.
Cloud security auditing for AWS, Azure, GCP, Oracle, and GitHub
`);
const parser = new ArgumentParser({});
parser.add_argument('--config', {
- help: 'The path to a CloudSploit config file containing cloud credentials. See config_example.js. ' +
+ help: 'The path to a cloudExploit config file containing cloud credentials. See config_example.js. ' +
'If not provided, logic will use default AWS credential chain and will also override provided cloud'
});
@@ -102,7 +102,7 @@ if (settings.compliance && settings.compliance.indexOf('cis') > -1) {
settings.compliance = settings.compliance.filter(function(e) { return e !== 'cis'; });
}
-console.log(`INFO: Using CloudSploit config file: ${settings.config}`);
+console.log(`INFO: Using cloudExploit config file: ${settings.config}`);
try {
var config = require(settings.config);
diff --git a/package.json b/package.json
index 1f368f31d..4376e3f0b 100644
--- a/package.json
+++ b/package.json
@@ -41,11 +41,9 @@
"dependencies": {
"@alicloud/pop-core": "^1.7.10",
"@azure/data-tables": "^13.2.2",
- "@azure/msal-node": "^2.8.1",
- "@azure/storage-blob": "^12.18.0",
- "@azure/storage-file": "^10.3.0",
"@azure/storage-file-share": "^12.14.0",
- "@azure/storage-queue": "^12.17.0",
+ "@azure/storage-queue": "^12.13.0",
+ "@azure/storage-blob": "^12.14.0",
"@octokit/auth-app": "^6.0.3",
"@octokit/request": "^8.1.6",
"@octokit/rest": "^20.0.2",
@@ -53,22 +51,19 @@
"argparse": "^2.0.0",
"async": "^2.6.1",
"aws-sdk": "^2.1506.0",
- "axios": "^1.7.2",
"azure-storage": "^2.10.3",
"csv-write-stream": "^2.0.0",
"fast-safe-stringify": "^2.0.6",
"google-auth-library": "^8.1.1",
- "lru-cache": "^10.2.2",
"minimatch": "^3.0.4",
- "ms-rest-azure": "^2.5.7",
- "tty-table": "^4.1.3",
- "uuid": "^9.0.1"
+ "ms-rest-azure": "^3.0.2",
+ "tty-table": "^4.1.3"
},
"devDependencies": {
"chai": "4.2.0",
"eslint": "^6.8.0",
- "mocha": "^10.4.0",
- "nodemon": "^3.1.1",
+ "mocha": "^6.1.4",
+ "nodemon": "^1.19.4",
"nyc": "^14.1.1"
}
}
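Review bot: A commit that otherwise only renames the project also lowers dependency versions in this hunk: `mocha` goes from `^10.4.0` to `^6.1.4` and `nodemon` from `^3.1.1` to `^1.19.4`, and the previous package.json hunk lowers `@azure/storage-blob` and `@azure/storage-queue` the same way. Older major lines generally stop receiving security fixes, so this looks like an accidental revert from a stale branch rather than an intended change; keep the existing ranges, e.g. `"mocha": "^10.4.0"` and `"nodemon": "^3.1.1"`. The two hunks also drop `axios`, `lru-cache`, `uuid`, `@azure/msal-node` and `@azure/storage-file`, and move `ms-rest-azure` to `^3.0.2`. Whether any code still requires the removed packages is not visible in this diff, so that should be confirmed and moved to its own commit with the lockfile regenerated.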
diff --git a/plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js b/plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js
index 6e8d30504..a4ee60aa3 100644
--- a/plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js
+++ b/plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js
@@ -70,7 +70,7 @@ module.exports = {
async.each(describeTrails.data, function(trail, cb){
if (!trail.S3BucketName || (trail.HomeRegion && trail.HomeRegion.toLowerCase() !== region)) return cb();
- // Skip CloudSploit-managed events bucket
+ // Skip cloudExploit-managed events bucket
if (trail.S3BucketName == helpers.CLOUDEXPLOIT_EVENTS_BUCKET) return cb();
if (regBucket && regBucket.test(trail.S3BucketName)) {
diff --git a/plugins/aws/cloudtrail/cloudtrailBucketDelete.js b/plugins/aws/cloudtrail/cloudtrailBucketDelete.js
index 98b04b936..136cd2943 100644
--- a/plugins/aws/cloudtrail/cloudtrailBucketDelete.js
+++ b/plugins/aws/cloudtrail/cloudtrailBucketDelete.js
@@ -68,7 +68,7 @@ module.exports = {
async.each(describeTrails.data, function(trail, cb){
if (!trail.S3BucketName || (trail.HomeRegion && trail.HomeRegion.toLowerCase() !== region)) return cb();
- // Skip CloudSploit-managed events bucket
+ // Skip cloudExploit-managed events bucket
if (trail.S3BucketName == helpers.CLOUDEXPLOIT_EVENTS_BUCKET) return cb();
if (regBucket && regBucket.test(trail.S3BucketName)) {
diff --git a/plugins/aws/cloudtrail/cloudtrailBucketPrivate.js b/plugins/aws/cloudtrail/cloudtrailBucketPrivate.js
index 35cc38461..2d26da05c 100644
--- a/plugins/aws/cloudtrail/cloudtrailBucketPrivate.js
+++ b/plugins/aws/cloudtrail/cloudtrailBucketPrivate.js
@@ -67,7 +67,7 @@ module.exports = {
async.each(describeTrails.data, function(trail, cb){
if (!trail.S3BucketName || (trail.HomeRegion && trail.HomeRegion.toLowerCase() !== region)) return cb();
- // Skip CloudSploit-managed events bucket
+ // Skip cloudExploit-managed events bucket
if (trail.S3BucketName == helpers.CLOUDEXPLOIT_EVENTS_BUCKET) return cb();
if (regBucket && regBucket.test(trail.S3BucketName)) {
diff --git a/plugins/aws/cloudtrail/cloudtrailHasTags.js b/plugins/aws/cloudtrail/cloudtrailHasTags.js
index 5c5c9d649..e2d158e8c 100644
--- a/plugins/aws/cloudtrail/cloudtrailHasTags.js
+++ b/plugins/aws/cloudtrail/cloudtrailHasTags.js
@@ -37,7 +37,7 @@ module.exports = {
for (let trail of describeTrails.data){
if (!trail.TrailARN || (trail.HomeRegion && trail.HomeRegion.toLowerCase() !== region)) continue;
- // Skip CloudSploit-managed events bucket
+ // Skip cloudExploit-managed events bucket
if (trail.TrailARN == helpers.CLOUDEXPLOIT_EVENTS_BUCKET) continue;
let listTags = helpers.addSource(cache, source,
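Review bot: The skip on the line after the renamed comment compares `trail.TrailARN` with `helpers.CLOUDEXPLOIT_EVENTS_BUCKET`, while the sibling CloudTrail plugins in this commit compare `trail.S3BucketName` with the same constant. If the constant holds a bucket name, as its name and the comment suggest, an ARN will presumably never equal it and the skip never fires. Consider `if (trail.S3BucketName === helpers.CLOUDEXPLOIT_EVENTS_BUCKET) continue;`, or reword the comment if an ARN comparison is really intended. The loop body continues outside the hunk.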
diff --git a/plugins/aws/cloudtrail/cloudtrailObjectLock.js b/plugins/aws/cloudtrail/cloudtrailObjectLock.js
index de846735f..f8eff2ef4 100644
--- a/plugins/aws/cloudtrail/cloudtrailObjectLock.js
+++ b/plugins/aws/cloudtrail/cloudtrailObjectLock.js
@@ -38,7 +38,7 @@ module.exports = {
async.each(describeTrails.data, function(trail, cb){
if (!trail.S3BucketName || (trail.HomeRegion && trail.HomeRegion.toLowerCase() !== region)) return cb();
- // Skip CloudSploit-managed events bucket
+ // Skip cloudExploit-managed events bucket
if (trail.S3BucketName == helpers.CLOUDEXPLOIT_EVENTS_BUCKET) return cb();
var s3Region = helpers.defaultRegion(settings);
diff --git a/plugins/aws/iam/canaryKeysUsed.js b/plugins/aws/iam/canaryKeysUsed.js
index 6a582f593..dcacc0a14 100644
--- a/plugins/aws/iam/canaryKeysUsed.js
+++ b/plugins/aws/iam/canaryKeysUsed.js
@@ -9,7 +9,7 @@ module.exports = {
description: 'Detects when a special canary-token access key has been used',
more_info: 'Canary access keys can be created with limited permissions and then used to detect when a potential breach occurs.',
link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/ManagingCredentials.html',
- recommended_action: 'Create a canary access token and provide its user to CloudSploit. If CloudSploit detects that the account is in use, it will trigger a failure.',
+ recommended_action: 'Create a canary access token and provide its user to cloudExploit. If cloudExploit detects that the account is in use, it will trigger a failure.',
apis: ['IAM:generateCredentialReport'],
settings: {
canary_user: {
diff --git a/plugins/aws/s3/bucketPolicyCloudFrontOai.js b/plugins/aws/s3/bucketPolicyCloudFrontOai.js
index ed4d12eed..4b0732bd1 100644
--- a/plugins/aws/s3/bucketPolicyCloudFrontOai.js
+++ b/plugins/aws/s3/bucketPolicyCloudFrontOai.js
@@ -55,7 +55,7 @@ module.exports = {
for (let origin of distribution.Origins.Items) {
if (origin.S3OriginConfig && origin.DomainName) {
s3OriginFound = true;
- let bucketName = origin.DomainName.replace(/.s3.*.com/, '');
+ let bucketName = origin.DomainName.replace(/\.s3\..*\.com/, '');
if (bucketName &&
origin.S3OriginConfig.OriginAccessIdentity &&
origin.S3OriginConfig.OriginAccessIdentity.length) {
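Review bot: The tightened pattern `/\.s3\..*\.com/` no longer matches the dash-style regional endpoint form (constructed example: `bucket.s3-us-west-2.amazonaws.com`), which the old pattern accepted. For such origins `bucketName` would stay the full domain name, and the check that follows would presumably not find the bucket. The pattern is also unanchored, so a `.com.cn` endpoint leaves a trailing `.cn` in the result. Something like `origin.DomainName.replace(/\.s3[.-].*\.amazonaws\.com(\.cn)?$/, '')` keeps both endpoint styles and ties the match to the end of the host name; a unit test with one origin per endpoint form would pin the behaviour. The enclosing loop starts and ends outside the hunk.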