@PacmanRule(key = "check-for-missing-mandatory-tags", desc = "checks services for missing mandatory tags", severity = PacmanSdkConstants.SEV_HIGH,category=PacmanSdkConstants.GOVERNANCE) public class TaggingRule extends BaseRule {
/**
 * Locates the rule class whose {@link PacmanRule#key()} equals the given key.
 *
 * Scans every class under the {@code com.tmobile} package that carries the
 * {@link PacmanRule} annotation and returns the first one whose key matches.
 *
 * @param ruleKey the rule key to look up
 * @return the annotated rule class registered under {@code ruleKey}
 * @throws ClassNotFoundException if no annotated class carries that key
 * @throws InstantiationException declared for API compatibility; not thrown by this body
 * @throws IllegalAccessException declared for API compatibility; not thrown by this body
 */
public static Class<?> findAssociateClass(String ruleKey)
        throws InstantiationException, IllegalAccessException, ClassNotFoundException {
    Reflections scanner = new Reflections("com.tmobile");
    // Every class returned here is annotated, so getAnnotation() yields the rule metadata.
    return scanner.getTypesAnnotatedWith(PacmanRule.class).stream()
            .filter(candidate -> candidate.getAnnotation(PacmanRule.class).key().equals(ruleKey))
            .findFirst()
            // Reaching this supplier means no class is registered under the key.
            .orElseThrow(() -> new ClassNotFoundException("cannot find class associated to rule"));
}
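/**
 * Resolves a rule attribute, consulting sources in priority order:
 * the rule parameters first, then the {@link PacmanRule} annotation,
 * then the {@link RuleResult}.
 *
 * @param result the rule result consulted last (via {@code getValueFromResult})
 * @param ruleParam the rule parameters; may be {@code null}
 * @param ruleAnnotation the rule annotation; may be {@code null}
 * @param attribute the attribute name to resolve
 * @return the attribute value from ruleParam--ruleAnnotation--RuleResult
 *         wherever found first, not_found otherwise
 */
public static String getRuleAttribute(RuleResult result, Map<String, String> ruleParam,
        PacmanRule ruleAnnotation, String attribute) {
    if (ruleParam != null && ruleParam.containsKey(attribute)) {
        return ruleParam.get(attribute);
    }
    if (ruleAnnotation != null && attribute != null) {
        // Only the annotation element that matches the requested attribute is
        // returned. The previous implementation returned category() for every
        // attribute, so a lookup of e.g. "severity" was silently answered with
        // the category value.
        // NOTE(review): attribute names are matched against the annotation's
        // element names (key/desc/severity/category); confirm callers pass
        // those names rather than other constants.
        switch (attribute) {
            case "key":
                return ruleAnnotation.key();
            case "desc":
                return ruleAnnotation.desc();
            case "severity":
                // severity's declared type is not visible here; stringify to be safe.
                return String.valueOf(ruleAnnotation.severity());
            case "category":
                return ruleAnnotation.category();
            default:
                break;
        }
    }
    // Not supplied by parameters or annotation: fall back to the result.
    return getValueFromResult(result, attribute);
}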
@PacmanRule(key = "check-for-unused-application-elb", desc = "checks for unused application elb which are not associated with any instance", severity = PacmanSdkConstants.SEV_HIGH, category = PacmanSdkConstants.GOVERNANCE) public class UnusedApplicationElbRule extends BaseRule {
@PacmanRule(key = "check-for-service-account-with-svc", desc = "Checks for service account starts with svc_ or not", severity = PacmanSdkConstants.SEV_HIGH, category = PacmanSdkConstants.GOVERNANCE) public class ServiceAccountWithSvcRule extends BaseRule {
@PacmanRule(key = "check-for-improper-account-name", desc = "Checks for account names having spaces inbetween", severity = PacmanSdkConstants.SEV_HIGH, category = PacmanSdkConstants.GOVERNANCE) public class CheckImproperAccountNamesRule extends BaseRule {
@PacmanRule(key = "check-aws-config-enabled", desc = "Checks for AWS Config enabled for given AWS account and region", severity = PacmanSdkConstants.SEV_MEDIUM, category = PacmanSdkConstants.SECURITY) public class CheckAWSConfigEnabled extends BaseRule {
@PacmanRule(key = "check-for-s3-MFA-delete-enabled", desc = "checks s3 bucket has MFA delete enabled or not", severity = PacmanSdkConstants.SEV_HIGH, category = PacmanSdkConstants.SECURITY) public class CheckMFADeleteEnabledRule extends BaseRule {
@PacmanRule(key = "check-for-unused-classic-elb", desc = "checks for unused classic elb which are not associated with any instance", severity = PacmanSdkConstants.SEV_HIGH, category = PacmanSdkConstants.GOVERNANCE) public class UnusedClassicElbRule extends BaseRule {
@PacmanRule(key = "check-for-proper-roles-name", desc = "Checks for roles name starts with r_ or not", severity = PacmanSdkConstants.SEV_HIGH, category = PacmanSdkConstants.GOVERNANCE) public class ProperRolesNameRule extends BaseRule {
@PacmanRule(key = "check-for-unused-security-group", desc = "checks for unused security groups", severity = PacmanSdkConstants.SEV_HIGH, category = PacmanSdkConstants.GOVERNANCE) public class SecurityGroupNotUsedRule extends BaseRule {
@PacmanRule(key = "check-for-ec2-with-severity-vulnerabilities", desc = "If an EC2 instance having severity (S5,S4,S3) vulnerability then report it as an issue with severity High", severity = PacmanSdkConstants.SEV_HIGH, category = PacmanSdkConstants.SECURITY) public class EC2withSeverityVulnerabilityRule extends BaseRule {
@PacmanRule(key = "check-for-unused-ebs-rule", desc = "checks for unused Ebs which are not associated with any instance", severity = PacmanSdkConstants.SEV_HIGH, category = PacmanSdkConstants.GOVERNANCE) public class UnusedEBSRule extends BaseRule {
@PacmanRule(key = "check-for-lambda-fun-with-admin-or-IAM-privileges", desc = "Lambda functions should not have administrative permissions (Managed Policy : AdministratorAccess). Least privileges should be granted to lambda functions. Also IAM privileges should never be granted to lambda functions. (Exceptional cases has to be reviewed and prior whitelisting would be required.)", severity = PacmanSdkConstants.SEV_HIGH, category = PacmanSdkConstants.SECURITY) public class CheckLambdaFunWithAdminOrIamPrivileges extends BaseRule {
@PacmanRule(key = "check-for-service-limit", desc = "checks entirely for service limit", severity = PacmanSdkConstants.SEV_HIGH, category = PacmanSdkConstants.GOVERNANCE) public class ServiceLimitRule extends BaseRule {
@PacmanRule(key = "check-for-improper-roles-name", desc = "Checks for improper roles name", severity = PacmanSdkConstants.SEV_HIGH, category = PacmanSdkConstants.GOVERNANCE) public class CheckImproperRolesNamesRule extends BaseRule {
@PacmanRule(key = "check-for-unused-elastic-ip", desc = "checks for unused elastic ip which are not associated with any instance", severity = PacmanSdkConstants.SEV_HIGH, category = PacmanSdkConstants.GOVERNANCE) public class UnusedElasticIpRule extends BaseRule {
@PacmanRule(key = "check-for-onprem-scanned-by-qualys", desc = "checks for onprem scanned by qualys,if not found then its an issue", severity = PacmanSdkConstants.SEV_HIGH, category = PacmanSdkConstants.GOVERNANCE) public class OnpremScannedByQualysRule extends BaseRule {
@PacmanRule(key = "check-guard-duty-enabled-for-all-accounts", desc = "AWS Guard Duty service should be enabled on all regions of all AWS accounts", severity = PacmanSdkConstants.SEV_HIGH, category = PacmanSdkConstants.SECURITY) public class CheckGuardDutyForAllAccountsRule extends BaseRule {