Posted on Jul 30, 2017 2 mins read
Introduced a handler that raises a high alert whenever someone changes a security group via the UI.
rule 'User opens TCP to world' do
  match_all
  threat_level :high
  match 'eventName' do
    equals 'AuthorizeSecurityGroupIngress'
  end
  performed 'by user' do
    by :user
    via :console
  end
  opens_cidr 'world' do
    cidr '0.0.0.0/0'
  end
end
With this rule we would see a high alert if someone has opened all TCP/UDP to 0.0.0.0/0 from the console.
Here's another example of the idea. This rule excludes ingress rules that pertain to :80 and :443, and it specifically targets actions that were performed via a CloudFormation script.
This would catch anyone who has launched a CloudFormation stack with an obvious security problem: something like :22 from 0.0.0.0/0, or basically any port other than :80 or :443 that is open to the world.
rule 'Cloudformation script opens TCP to world' do
  match_all
  threat_level :medium
  match 'eventName' do
    equals 'AuthorizeSecurityGroupIngress'
  end
  performed 'by user' do
    by :user
    via :cloudformation
  end
  opens_cidr 'world' do
    cidr '0.0.0.0/0'
    ignore_port 80
    ignore_port 443
  end
end
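As an added illustration (my own code, not the post's rule engine), here is how the two rules above can be evaluated against a raw CloudTrail record in plain Ruby. It assumes the CloudTrail field layout for AuthorizeSecurityGroupIngress (userAgent, userIdentity.invokedBy, requestParameters.ipPermissions) and that CloudFormation-driven calls identify themselves with "cloudformation.amazonaws.com"; the sample record is constructed, not captured.

```ruby
require 'json'

# Constructed CloudTrail record (not a real capture): a CloudFormation stack
# authorising tcp/22 and tcp/80 from 0.0.0.0/0 in one API call.
SAMPLE_EVENT = JSON.parse(<<~JSON)
  {"eventName": "AuthorizeSecurityGroupIngress",
   "userIdentity": {"userName": "krogebry", "invokedBy": "cloudformation.amazonaws.com"},
   "userAgent": "cloudformation.amazonaws.com",
   "requestParameters": {"ipPermissions": {"items": [
     {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
     {"ipProtocol": "tcp", "fromPort": 80, "toPort": 80, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}
   ]}}}
JSON

# Assumption: CloudFormation-driven calls carry "cloudformation.amazonaws.com"
# in invokedBy/userAgent; console calls carry a "console." user agent.
def event_source(event)
  agent = event['userAgent'].to_s
  invoked_by = event.dig('userIdentity', 'invokedBy').to_s
  return :cloudformation if [agent, invoked_by].any? { |s| s.include?('cloudformation') }
  return :console if agent.start_with?('console.')
  :api
end

# [protocol, from, to] for every permission that opens `cidr`; a port in
# ignore_ports only excuses an exact single-port rule, never a range around it.
def world_open_ports(event, cidr: '0.0.0.0/0', ignore_ports: [])
  perms = event.dig('requestParameters', 'ipPermissions', 'items') || []
  perms.each_with_object([]) do |perm, hits|
    ranges = perm.dig('ipRanges', 'items') || []
    next unless ranges.any? { |r| r['cidrIp'] == cidr }
    from, to = perm['fromPort'], perm['toPort']
    next if from == to && ignore_ports.include?(from)
    hits << [perm['ipProtocol'], from, to]
  end
end

# Mirrors the two rules above: [threat_level, rule name, offending ports] or nil.
def evaluate(event)
  return nil unless event['eventName'] == 'AuthorizeSecurityGroupIngress'
  case event_source(event)
  when :console
    hits = world_open_ports(event)
    [:high, 'User opens TCP to world', hits] unless hits.empty?
  when :cloudformation
    hits = world_open_ports(event, ignore_ports: [80, 443])
    [:medium, 'Cloudformation script opens TCP to world', hits] unless hits.empty?
  end
end
```

Note that the ignore list deliberately does not excuse a range such as 80-443, which would still open everything in between.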
This version also improves rule ingestion: we can now have many rule files in the ./rules/ dir, and they are all concatenated before being evaluated.
# Read every rule file under ./rules/ into one string of DSL
rules = ""
Dir.glob('rules/*.rb').each do |filename|
  rules << File.read(filename)
end
D, [2017-07-30T12:48:04.220619 #6839] DEBUG -- : Creating match rule for world
I, [2017-07-30T12:48:04.223147 #6839] INFO -- : Cloudformation script opens TCP to world
I, [2017-07-30T12:48:04.223776 #6839] INFO -- : krogebry 2017-07-30 04:28:46 UTC
I, [2017-07-30T12:48:04.224130 #6839] INFO -- : Cloudformation script opens TCP to world
I, [2017-07-30T12:48:04.224355 #6839] INFO -- : krogebry 2017-07-30 04:28:46 UTC
I seem to have a pattern of completely ignoring my "next up" section.