vmware/vss-remediation-worker

Verified Publisher

By VMware

Updated almost 3 years ago

Remediation worker images for VMware Secure State

Image
Security
Integration & delivery
1

100K+

vmware/vss-remediation-worker repository overview

Secure State Remediation Jobs

License

Table of Contents

Abstract

These jobs represent open-sourced remediation jobs to be used in conjunction with the SecureState remediation worker for python. In order to make use of this code, you must utilize the worker and have a Secure State worker group properly set up.

Quick Start Guide

There are a couple conventions that must be followed in order to contribute working jobs to this repository:

  • The directory structure and
  • The file names

Each job must be entire self-contained within a directory, which is where the job gets its name from. For example, a directory by the name of s3-remove-public-access will result in a job called s3-remove-public-access

In order to execute a python job, the file must be named the same as the directory with a .py extension. For example, the job s3-remove-public-access must have a s3-remove-publc-access.py file within that directory.

The requirements.txt file and the constraints.txt file are optional but recommended. This ensures the worker can install the requirements in a repeatable fashion, which ensures the Secure State application will not invalidate jobs due to new requirements being installed.

Job execution

When the worker runs, all requirements found in the (optional) requirements.txt and constraints.txt files will be installed relative to the job directory. When the job is executed, the python runtime is restricted to the requirements in that relative path. This ensures all code being executed is known to the Secure State worker and can be verified via checksum. The worker also moves the entire folder to a separate working directory to ensure local imports will not work.

The worker executes jobs in a fashion similar to running python ./s3-remove-publc-access/s3-remove-publc-access.py {... finding payload json ...}

The finding payload is in the form:

{
  "notificationInfo": {
    "CloudAccountID" : <string>,
    "RuleID": <string>,
    "RuleName": <string>,
    "RuleDisplayName": <string>,
    "Level": <string>,
    "Service": <string>,
    "FindingInfo": {
      "FindingId": <string>,
      "ObjectId": <string>,
      "ObjectChain": <string>,
      "CloudTags": {
        "<key1>": "<value1>",
        "<key2>": "<value2>",
      },
      "RiskScore": <integer>,
      "Region": <string>,
      "Service": <string>
    }
  },
  "autoRemediate": <boolean>
}

Logging

All stdout and stderr logs are sent to the Secure State web application for display in the user interface. Take care when logging and make sure not to log sensitive data.

Supported Remediation Jobs

The table below lists all the supported jobs with their links.

Rule IdRule NameRemediation Job Link
5c8c26997a550e1fb6560cd9Blob container has public read access enabledazure_blob_remove_public_access
5c8c26687a550e1fb6560c72Logging For Keyvault Enabledazure_key_vault_logging_for_keyvault_enabled
5c8c26847a550e1fb6560cabNetwork security group should restrict SSH port (22) from public accessazure_network_security_group_close_port_22
5c8c267e7a550e1fb6560c9cNetwork security group should restrict Remote Desktop port (3389) from public accessazure_network_security_group_close_port_3389
3abf3147-ea53-4302-b237-caab4d764c77DDoS Protection Standard should be enabledazure_security_center_enable_ddos_protection
5c8c268a7a550e1fb6560cb9SQL Server Auditing should be enabledazure_sql_auditing_on_server
5c8c268d7a550e1fb6560cc0SQL data encryption should be enabledazure_sql_data_encryption_on
5c8c26947a550e1fb6560cceSQL server should have Azure Defender for SQL enabledazure_sql_threat_detection_on_server
5c8c269a7a550e1fb6560cdbStorage account is not configured to allow HTTPS-only trafficazure_storage_account_allow_https_traffic_only
99d645b8-aa87-11ea-bb37-0242ac130002Storage account is publicly accessibleazure_storage_default_network_access_deny
02b672b7-a590-4434-8188-19325b2d1864Storage account encryption at rest is not configured with customer-managed key (CMK)azure_storage_encryption_at_rest_not_configured_with_customer_managed_key
643eb5fc-7747-4df4-b217-41c4e97e0c07Storage account blob service is not configured with soft deleteazure_storage_soft_delete_not_enabled
d7a3ad03-860c-4928-9ba8-789e84a835beVirtual machine scale set VMs are publicly accessible to the internet via SSH port (22)azure_vm_close_port_22
5c8c26417a550e1fb6560c3fEC2 instance should restrict public access to SSH port (22)ec2_close_port_22
5c8c26437a550e1fb6560c42EC2 security group should restrict public access to Remote Desktop port (3389)ec2_close_port_3389
657c46b7-1cd0-4cce-80bb-9d195f49c987Elastic Load Balancer access logs are not enabledelb_enable_access_logs
5c8c264a7a550e1fb6560c4dThe RDS backup retention period is less than 30 daysrds_backup_retention_30_days
5c8c265e7a550e1fb6560c67S3 access logging should be enableds3_enable_access_logging
1d187035-9fff-48b2-a7c3-ffc56a4da5e6S3 bucket default encryption should be enableds3_enable_default_encryption
5c8c26507a550e1fb6560c57S3 bucket should restrict full public accesss3_remove_public_access
5c8c26517a550e1fb6560c59S3 bucket should restrict public read accesss3_remove_public_access
5c8c26537a550e1fb6560c5aS3 bucket should restrict public read ACL accesss3_remove_public_access
5c8c26537a550e1fb6560c5bS3 bucket should restrict public write accesss3_remove_public_access
5c8c26547a550e1fb6560c5cS3 bucket should restrict public write ACL accesss3_remove_public_access
5c8c26637a550e1fb6560c6bS3 bucket policy should restrict public get accesss3_remove_public_access
5c8c26617a550e1fb6560c69S3 bucket policy should restrict full public accesss3_remove_public_access
5c8c25ec7a550e1fb6560bbeEC2 security group should restrict public access to SSH port (22)security_group_close_port_22
5c8c25ef7a550e1fb6560bc4EC2 instance should restrict public access to Remote Desktop port (3389)security_group_close_port_3389
5c8c25f07a550e1fb6560bc6EC2 instance should restrict public access to PostgreSQL server port (5432)security_group_close_port_5432
5c8c25e47a550e1fb6560bacCloudTrail logs should be encryptedaws_cloudtrail_logs_encrypted
5c8c26217a550e1fb6560c12KMS automated key rotation is not enabledaws_kms_key_rotates
5c8c265c7a550e1fb6560c63CloudTrail S3 buckets should have access logging enableds3_enable_access_logging
5c8c265d7a550e1fb6560c65CloudTrail S3 buckets should restrict access to required usersaws_s3_cloudtrail_public_access

Contributing

The Secure State team welcomes welcomes contributions from the community. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will update the issue when you open a Pull Request. For any questions about the CLA process, please refer to our FAQ. All contributions to this repository must be signed as described on that page. Your signature certifies that you wrote the patch or have the right to pass it on as an open-source patch.

For more detailed information, refer to CONTRIBUTING.md.

Repository Administrator Resources

Board Members

Board members are volunteers from the community and VMware staff members, board members are not held responsible for any issues which may occur from running of samples from this repository.

Members:

  • Paul Allen (VMware)

VMware Resources

Feedback

If you find a bug, please open a GitHub issue.

Tag summary

Content type

Image

Digest

sha256:914f8b669

Size

499.1 MB

Last updated

almost 3 years ago

docker pull vmware/vss-remediation-worker

This week's pulls

Pulls:

506

Jun 29 to Jul 5