Added IPv6 support to networking checks

2026-02-11 07:15:15 +00:00 · 2019-05-16 14:38:11 -04:00
parent 62991cfb48
commit c6dfbfd0ec
3 changed files with 7 additions and 7 deletions
--- a/checks/check41
+++ b/checks/check41
@@ -9,15 +9,15 @@
 # work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.

 CHECK_ID_check41="4.1,4.01"
-CHECK_TITLE_check41="[check41] Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)"
+CHECK_TITLE_check41="[check41] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)"
 CHECK_SCORED_check41="SCORED"
 CHECK_TYPE_check41="LEVEL2"
 CHECK_ALTERNATE_check401="check41"

 check41(){
-  # "Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)"
+  # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)"
  for regx in $REGIONS; do
-    SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`22` && ToPort>=`22`)) && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text)
+    SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`22` && ToPort>=`22`)) && (contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`))]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text)
    if [[ $SG_LIST ]];then
      for SG in $SG_LIST;do
        textFail "Found Security Group: $SG open to 0.0.0.0/0 in Region $regx" "$regx"
--- a/checks/check42
+++ b/checks/check42
@@ -9,15 +9,15 @@
 # work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.

 CHECK_ID_check42="4.2,4.02"
-CHECK_TITLE_check42="[check42] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)"
+CHECK_TITLE_check42="[check42] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)"
 CHECK_SCORED_check42="SCORED"
 CHECK_TYPE_check42="LEVEL2"
 CHECK_ALTERNATE_check402="check42"

 check42(){
-  # "Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)"
+  # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)"
  for regx in $REGIONS; do
-    SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`3389` && ToPort>=`3389`)) && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text)
+    SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`3389` && ToPort>=`3389`)) && (contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`))]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text)
    if [[ $SG_LIST ]];then
      for SG in $SG_LIST;do
        textFail "Found Security Group: $SG open to 0.0.0.0/0 in Region $regx" "$regx"
--- a/checks/check43
+++ b/checks/check43
@@ -17,7 +17,7 @@ CHECK_ALTERNATE_check403="check43"
 check43(){
  # "Ensure the default security group of every VPC restricts all traffic (Scored)"
  for regx in $REGIONS; do
-    CHECK_SGDEFAULT=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |grep 0.0.0.0)
+    CHECK_SGDEFAULT=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |egrep '0.0.0.0|\:\:\/0')
    if [[ $CHECK_SGDEFAULT ]];then
      textFail "Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region $regx" "$regx"
    else