From 618b76b1b10597bb735c702cd4bffdf0de65f40e Mon Sep 17 00:00:00 2001 From: Ershad T J Date: Wed, 22 May 2024 12:02:17 +0530 Subject: [PATCH 1/2] fix:[PLG-560] CS and R7 Admin policy severity and MoreInfo link --- .../resources/pacbot_app/files/DB_Policy.sql | 25 ++++++++++++++----- .../AssetTypeGroupedVulnerabilitiesRule.java | 3 ++- .../cloud/constants/PacmanRuleConstants.java | 1 + .../VulnerabilityAssessmentPolicy.java | 5 ++-- 4 files changed, 24 insertions(+), 10 deletions(-) diff --git a/installer/resources/pacbot_app/files/DB_Policy.sql b/installer/resources/pacbot_app/files/DB_Policy.sql index 0c27806c89..f6787bf977 100644 --- a/installer/resources/pacbot_app/files/DB_Policy.sql +++ b/installer/resources/pacbot_app/files/DB_Policy.sql 
@@ -3383,34 +3383,47 @@ update cf_PolicyTable set policyDesc = 'Using a single IAM access key for IAM u where policyId = 'IamUserWithMultipleAccessKey_version-1_IAMUserShouldUseSingleKey_iamuser' and policyUUID ='aws_iam_user_should_have_single_access_key'; INSERT IGNORE INTO cf_PolicyTable (policyId, policyUUID, policyName, policyDisplayName, policyDesc, resolution, resolutionUrl, targetType, assetGroup, alexaKeyword, policyParams, policyFrequency, policyExecutable, policyRestUrl, policyType, policyArn, severity, category, autoFixAvailable, autoFixEnabled, allowList, waitingTime, maxEmailNotification, templateName, templateColumns, fixType, warningMailSubject, fixMailSubject, warningMessage, fixMessage, violationMessage, elapsedTime, userId, createdDate, modifiedDate, status, enricherSource) -VALUES ('ec2_r7_vulnerability_critical','ec2_r7_vulnerability_critical','EC2WithRapid7CriticalVulnerability','Rapid7 found critical Vulnerabilities','Vulnerabilities have at least one exploit that has been used in at least one attack','','','ec2','aws','EC2WithRapid7CriticalVulnerability','{"params":[{"encrypt":"false","value":"true","key":"threadsafe"},{"key":"policyKey","value":"check-vulnerability-exists-for-server","encrypt":false},{"encrypt":false,"value":"critical","key":"severityToCheck"},{"encrypt":false,"value":"critical","key":"severity"},{"encrypt":false,"value":"security","key":"policyCategory"}],"environmentVariables":[],"policyId":"ec2_r7_vulnerability_critical","autofix":false,"policyRestUrl":"","targetType":"ec2","pac_ds":"rapid7","assetGroup":"rapid7","policyUUID":"ec2_r7_vulnerability_critical","policyType":"ManagePolicy"}','0 0 ? 
* MON *','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/ec2_r7_vulnerability_critical','critical','security','false','false',NULL,24,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,24,'admin@paladincloud.io',now(),null,'DISABLED','rapid7'); +VALUES ('ec2_r7_vulnerability_critical','ec2_r7_vulnerability_critical','EC2WithRapid7CriticalVulnerability','Rapid7 found critical Vulnerabilities','Vulnerabilities have at least one exploit that has been used in at least one attack','','https://paladincloud.io/docs/aws-policy/#Rapid7-found-Critical-Vulnerabilities','ec2','aws','EC2WithRapid7CriticalVulnerability','{"params":[{"encrypt":"false","value":"true","key":"threadsafe"},{"key":"policyKey","value":"check-vulnerability-exists-for-server","encrypt":false},{"encrypt":false,"value":"critical","key":"severityToCheck"},{"encrypt":false,"value":"critical","key":"severity"},{"encrypt":false,"value":"security","key":"policyCategory"}],"environmentVariables":[],"policyId":"ec2_r7_vulnerability_critical","autofix":false,"policyRestUrl":"","targetType":"ec2","pac_ds":"rapid7","assetGroup":"rapid7","policyUUID":"ec2_r7_vulnerability_critical","policyType":"ManagePolicy"}','0 0 ? 
* MON *','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/ec2_r7_vulnerability_critical','critical','security','false','false',NULL,24,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,24,'admin@paladincloud.io',now(),null,'DISABLED','rapid7'); INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('ec2_r7_vulnerability_critical','vulnerability_index','rapid7_vulnerability','','false','false','false','',''); INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('ec2_r7_vulnerability_critical','asset_lookup_key','instanceId','','false','false','false','',''); INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('ec2_r7_vulnerability_critical','policyKey','check-vm-vulnerabilities-scanned-by-plugin-grouped','','false','false','false','',''); +INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('ec2_r7_vulnerability_critical','severityToCheck','critical','','false','false','false','',''); INSERT IGNORE INTO cf_PolicyTable (policyId, policyUUID, policyName, policyDisplayName, policyDesc, resolution, resolutionUrl, targetType, assetGroup, alexaKeyword, policyParams, policyFrequency, policyExecutable, policyRestUrl, policyType, policyArn, severity, category, autoFixAvailable, autoFixEnabled, allowList, waitingTime, maxEmailNotification, templateName, templateColumns, fixType, warningMailSubject, fixMailSubject, warningMessage, fixMessage, violationMessage, elapsedTime, userId, createdDate, modifiedDate, status, enricherSource) -VALUES 
('ec2_r7_vulnerability_high','ec2_r7_vulnerability_high','EC2WithRapid7HighVulnerability','Rapid7 found high Vulnerabilities','Vulnerability has at least one exploit that is packaged and easily available in an exploit framework','','','ec2','aws','EC2WithRapid7HighVulnerability','{"params":[{"encrypt":"false","value":"true","key":"threadsafe"},{"key":"policyKey","value":"check-vulnerability-exists-for-server","encrypt":false},{"encrypt":false,"value":"high","key":"severityToCheck"},{"encrypt":false,"value":"high","key":"severity"},{"encrypt":false,"value":"security","key":"policyCategory"}],"environmentVariables":[],"policyId":"ec2_r7_vulnerability_high","autofix":false,"policyRestUrl":"","targetType":"ec2","pac_ds":"rapid7","assetGroup":"rapid7","policyUUID":"ec2_r7_vulnerability_high","policyType":"ManagePolicy"}','0 0 ? * MON *','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/ec2_r7_vulnerability_high','high','security','false','false',NULL,24,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,24,'admin@paladincloud.io',now(),null,'DISABLED','rapid7'); +VALUES ('ec2_r7_vulnerability_high','ec2_r7_vulnerability_high','EC2WithRapid7HighVulnerability','Rapid7 found high Vulnerabilities','Vulnerability has at least one exploit that is packaged and easily available in an exploit framework','','https://paladincloud.io/docs/aws-policy/#Rapid7-found-High-Vulnerabilities','ec2','aws','EC2WithRapid7HighVulnerability','{"params":[{"encrypt":"false","value":"true","key":"threadsafe"},{"key":"policyKey","value":"check-vulnerability-exists-for-server","encrypt":false},{"encrypt":false,"value":"high","key":"severityToCheck"},{"encrypt":false,"value":"high","key":"severity"},{"encrypt":false,"value":"security","key":"policyCategory"}],"environmentVariables":[],"policyId":"ec2_r7_vulnerability_high","autofix":false,"policyRestUrl":"","targetType":"ec2","pac_ds":"rapid7","assetGroup":"rapid7","policyUUID":"ec2_r7_vulnerability_high","policyType":"ManagePolicy"}','0 0 ? 
* MON *','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/ec2_r7_vulnerability_high','high','security','false','false',NULL,24,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,24,'admin@paladincloud.io',now(),null,'DISABLED','rapid7'); INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('ec2_r7_vulnerability_high','vulnerability_index','rapid7_vulnerability','','false','false','false','',''); INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('ec2_r7_vulnerability_high','asset_lookup_key','instanceId','','false','false','false','',''); INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('ec2_r7_vulnerability_high','policyKey','check-vm-vulnerabilities-scanned-by-plugin-grouped','','false','false','false','',''); +INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('ec2_r7_vulnerability_high','severityToCheck','high','','false','false','false','',''); INSERT IGNORE INTO cf_PolicyTable (policyId, policyUUID, policyName, policyDisplayName, policyDesc, resolution, resolutionUrl, targetType, assetGroup, alexaKeyword, policyParams, policyFrequency, policyExecutable, policyRestUrl, policyType, policyArn, severity, category, autoFixAvailable, autoFixEnabled, allowList, waitingTime, maxEmailNotification, templateName, templateColumns, fixType, warningMailSubject, fixMailSubject, warningMessage, fixMessage, violationMessage, elapsedTime, userId, createdDate, modifiedDate, status, enricherSource) -VALUES ('ec2_r7_vulnerability_medium','ec2_r7_vulnerability_medium','EC2WithRapid7MediumVulnerability','Rapid7 found medium 
Vulnerabilities','Vulnerability has at least one exploit that is packaged and easily available in an exploit framework','','','ec2','aws','EC2WithRapid7MediumVulnerability','{"params":[{"encrypt":"false","value":"true","key":"threadsafe"},{"key":"policyKey","value":"check-vulnerability-exists-for-server","encrypt":false},{"encrypt":false,"value":"medium","key":"severityToCheck"},{"encrypt":false,"value":"medium","key":"severity"},{"encrypt":false,"value":"security","key":"policyCategory"}],"environmentVariables":[],"policyId":"ec2_r7_vulnerability_medium","autofix":false,"policyRestUrl":"","targetType":"ec2","pac_ds":"rapid7","assetGroup":"rapid7","policyUUID":"ec2_r7_vulnerability_medium","policyType":"ManagePolicy"}','0 0 ? * MON *','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/ec2_r7_vulnerability_medium','medium','security','false','false',NULL,24,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,24,'admin@paladincloud.io',now(),null,'DISABLED','rapid7'); +VALUES ('ec2_r7_vulnerability_medium','ec2_r7_vulnerability_medium','EC2WithRapid7MediumVulnerability','Rapid7 found medium Vulnerabilities','Vulnerability has at least one exploit that is packaged and easily available in an exploit framework','','https://paladincloud.io/docs/aws-policy/#Rapid7-found-Medium-Vulnerabilities','ec2','aws','EC2WithRapid7MediumVulnerability','{"params":[{"encrypt":"false","value":"true","key":"threadsafe"},{"key":"policyKey","value":"check-vulnerability-exists-for-server","encrypt":false},{"encrypt":false,"value":"medium","key":"severityToCheck"},{"encrypt":false,"value":"medium","key":"severity"},{"encrypt":false,"value":"security","key":"policyCategory"}],"environmentVariables":[],"policyId":"ec2_r7_vulnerability_medium","autofix":false,"policyRestUrl":"","targetType":"ec2","pac_ds":"rapid7","assetGroup":"rapid7","policyUUID":"ec2_r7_vulnerability_medium","policyType":"ManagePolicy"}','0 0 ? 
* MON *','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/ec2_r7_vulnerability_medium','medium','security','false','false',NULL,24,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,24,'admin@paladincloud.io',now(),null,'DISABLED','rapid7'); INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('ec2_r7_vulnerability_medium','vulnerability_index','rapid7_vulnerability','','false','false','false','',''); INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('ec2_r7_vulnerability_medium','asset_lookup_key','instanceId','','false','false','false','',''); INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('ec2_r7_vulnerability_medium','policyKey','check-vm-vulnerabilities-scanned-by-plugin-grouped','','false','false','false','',''); +INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('ec2_r7_vulnerability_medium','severityToCheck','medium','','false','false','false','',''); INSERT IGNORE INTO cf_PolicyTable (policyId, policyUUID, policyName, policyDisplayName, policyDesc, resolution, resolutionUrl, targetType, assetGroup, alexaKeyword, policyParams, policyFrequency, policyExecutable, policyRestUrl, policyType, policyArn, severity, category, autoFixAvailable, autoFixEnabled, allowList, waitingTime, maxEmailNotification, templateName, templateColumns, fixType, warningMailSubject, fixMailSubject, warningMessage, fixMessage, violationMessage, elapsedTime, userId, createdDate, modifiedDate, status, enricherSource) -VALUES 
('ec2_cs_Vulnerability_critical','ec2_cs_Vulnerability_critical','Ec2WithCrowdstrikeCriticalVulnerability','CrowdStrike found critical Vulnerabilities','Vulnerabilities have at least one exploit that has been used in at least one attack','','','ec2','aws','Ec2WithCrowdstrikeCriticalVulnerability','{"params":[{"encrypt":"false","value":"true","key":"threadsafe"},{"key":"policyKey","value":"check-vulnerability-exists-for-server","encrypt":false},{"encrypt":false,"value":"critical","key":"severityToCheck"},{"encrypt":false,"value":"critical","key":"severity"},{"encrypt":false,"value":"security","key":"policyCategory"}],"environmentVariables":[],"policyId":"ec2_cs_Vulnerability_critical","autofix":false,"policyRestUrl":"","targetType":"ec2","pac_ds":"crowdstrike","assetGroup":"crowdstrike","policyUUID":"ec2_cs_Vulnerability_critical","policyType":"ManagePolicy"}','0 0 ? * MON *','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/ec2_cs_Vulnerability_critical','critical','security','false','false',NULL,24,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,24,'admin@paladincloud.io',now(),null,'DISABLED','crowdstrike'); +VALUES ('ec2_cs_Vulnerability_critical','ec2_cs_Vulnerability_critical','Ec2WithCrowdstrikeCriticalVulnerability','CrowdStrike found critical Vulnerabilities','Vulnerabilities have at least one exploit that has been used in at least one 
attack','','https://paladincloud.io/docs/aws-policy/#CrowdStrike-found-Critical-Vulnerabilities','ec2','aws','Ec2WithCrowdstrikeCriticalVulnerability','{"params":[{"encrypt":"false","value":"true","key":"threadsafe"},{"key":"policyKey","value":"check-vulnerability-exists-for-server","encrypt":false},{"encrypt":false,"value":"critical","key":"severityToCheck"},{"encrypt":false,"value":"critical","key":"severity"},{"encrypt":false,"value":"security","key":"policyCategory"}],"environmentVariables":[],"policyId":"ec2_cs_Vulnerability_critical","autofix":false,"policyRestUrl":"","targetType":"ec2","pac_ds":"crowdstrike","assetGroup":"crowdstrike","policyUUID":"ec2_cs_Vulnerability_critical","policyType":"ManagePolicy"}','0 0 ? * MON *','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/ec2_cs_Vulnerability_critical','critical','security','false','false',NULL,24,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,24,'admin@paladincloud.io',now(),null,'DISABLED','crowdstrike'); INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('ec2_cs_Vulnerability_critical','esResourceWithVulnInfoForSeverityUrl','/crowdstrike_vulnerability/_search','','false','false','false','',''); INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('ec2_cs_Vulnerability_critical','policyKey','check-vulnerability-exists-for-server','','false','false','false','',''); +INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('ec2_cs_Vulnerability_critical','severityToCheck','critical','','false','false','false','',''); INSERT IGNORE INTO cf_PolicyTable (policyId, policyUUID, policyName, policyDisplayName, policyDesc, resolution, resolutionUrl, targetType, assetGroup, 
alexaKeyword, policyParams, policyFrequency, policyExecutable, policyRestUrl, policyType, policyArn, severity, category, autoFixAvailable, autoFixEnabled, allowList, waitingTime, maxEmailNotification, templateName, templateColumns, fixType, warningMailSubject, fixMailSubject, warningMessage, fixMessage, violationMessage, elapsedTime, userId, createdDate, modifiedDate, status, enricherSource) -VALUES ('ec2_cs_Vulnerability_high','ec2_cs_Vulnerability_high','Ec2WithCrowdstrikeHighVulnerability','CrowdStrike found high Vulnerabilities','Vulnerability has at least one exploit that is packaged and easily available in an exploit framework','','','ec2','aws','Ec2WithCrowdstrikeHighVulnerability','{"params":[{"encrypt":"false","value":"true","key":"threadsafe"},{"key":"policyKey","value":"check-vulnerability-exists-for-server","encrypt":false},{"encrypt":false,"value":"high","key":"severityToCheck"},{"encrypt":false,"value":"high","key":"severity"},{"encrypt":false,"value":"security","key":"policyCategory"}],"environmentVariables":[],"policyId":"ec2_cs_Vulnerability_high","autofix":false,"policyRestUrl":"","targetType":"ec2","pac_ds":"crowdstrike","assetGroup":"crowdstrike","policyUUID":"ec2_cs_Vulnerability_high","policyType":"ManagePolicy"}','0 0 ? 
* MON *','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/ec2_cs_Vulnerability_high','high','security','false','false',NULL,24,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,24,'admin@paladincloud.io',now(),null,'DISABLED','crowdstrike'); +VALUES ('ec2_cs_Vulnerability_high','ec2_cs_Vulnerability_high','Ec2WithCrowdstrikeHighVulnerability','CrowdStrike found high Vulnerabilities','Vulnerability has at least one exploit that is packaged and easily available in an exploit framework','','https://paladincloud.io/docs/aws-policy/#CrowdStrike-found-High-Vulnerabilities','ec2','aws','Ec2WithCrowdstrikeHighVulnerability','{"params":[{"encrypt":"false","value":"true","key":"threadsafe"},{"key":"policyKey","value":"check-vulnerability-exists-for-server","encrypt":false},{"encrypt":false,"value":"high","key":"severityToCheck"},{"encrypt":false,"value":"high","key":"severity"},{"encrypt":false,"value":"security","key":"policyCategory"}],"environmentVariables":[],"policyId":"ec2_cs_Vulnerability_high","autofix":false,"policyRestUrl":"","targetType":"ec2","pac_ds":"crowdstrike","assetGroup":"crowdstrike","policyUUID":"ec2_cs_Vulnerability_high","policyType":"ManagePolicy"}','0 0 ? 
* MON *','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/ec2_cs_Vulnerability_high','high','security','false','false',NULL,24,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,24,'admin@paladincloud.io',now(),null,'DISABLED','crowdstrike'); INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('ec2_cs_Vulnerability_high','esResourceWithVulnInfoForSeverityUrl','/crowdstrike_vulnerability/_search','','false','false','false','',''); INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('ec2_cs_Vulnerability_high','policyKey','check-vulnerability-exists-for-server','','false','false','false','',''); +INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('ec2_cs_Vulnerability_high','severityToCheck','high','','false','false','false','',''); INSERT IGNORE INTO cf_PolicyTable (policyId, policyUUID, policyName, policyDisplayName, policyDesc, resolution, resolutionUrl, targetType, assetGroup, alexaKeyword, policyParams, policyFrequency, policyExecutable, policyRestUrl, policyType, policyArn, severity, category, autoFixAvailable, autoFixEnabled, allowList, waitingTime, maxEmailNotification, templateName, templateColumns, fixType, warningMailSubject, fixMailSubject, warningMessage, fixMessage, violationMessage, elapsedTime, userId, createdDate, modifiedDate, status, enricherSource) -VALUES ('ec2_cs_Vulnerability_medium','ec2_cs_Vulnerability_medium','Ec2WithCrowdstrikeMediumVulnerability','CrowdStrike found medium Vulnerabilities','Vulnerability has at least one exploit that is packaged and easily available in an exploit 
framework','','','ec2','aws','Ec2WithCrowdstrikeMediumVulnerability','{"params":[{"encrypt":"false","value":"true","key":"threadsafe"},{"key":"policyKey","value":"check-vulnerability-exists-for-server","encrypt":false},{"encrypt":false,"value":"medium","key":"severityToCheck"},{"encrypt":false,"value":"medium","key":"severity"},{"encrypt":false,"value":"security","key":"policyCategory"}],"environmentVariables":[],"policyId":"ec2_cs_Vulnerability_medium","autofix":false,"policyRestUrl":"","targetType":"ec2","pac_ds":"crowdstrike","assetGroup":"crowdstrike","policyUUID":"ec2_cs_Vulnerability_medium","policyType":"ManagePolicy"}','0 0 ? * MON *','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/ec2_cs_Vulnerability_medium','medium','security','false','false',NULL,24,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,24,'admin@paladincloud.io',now(),null,'DISABLED','crowdstrike'); +VALUES ('ec2_cs_Vulnerability_medium','ec2_cs_Vulnerability_medium','Ec2WithCrowdstrikeMediumVulnerability','CrowdStrike found medium Vulnerabilities','Vulnerability has at least one exploit that is packaged and easily available in an exploit framework','','https://paladincloud.io/docs/aws-policy/#CrowdStrike-found-Medium-Vulnerabilities','ec2','aws','Ec2WithCrowdstrikeMediumVulnerability','{"params":[{"encrypt":"false","value":"true","key":"threadsafe"},{"key":"policyKey","value":"check-vulnerability-exists-for-server","encrypt":false},{"encrypt":false,"value":"medium","key":"severityToCheck"},{"encrypt":false,"value":"medium","key":"severity"},{"encrypt":false,"value":"security","key":"policyCategory"}],"environmentVariables":[],"policyId":"ec2_cs_Vulnerability_medium","autofix":false,"policyRestUrl":"","targetType":"ec2","pac_ds":"crowdstrike","assetGroup":"crowdstrike","policyUUID":"ec2_cs_Vulnerability_medium","policyType":"ManagePolicy"}','0 0 ? 
* MON *','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/ec2_cs_Vulnerability_medium','medium','security','false','false',NULL,24,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,24,'admin@paladincloud.io',now(),null,'DISABLED','crowdstrike'); INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('ec2_cs_Vulnerability_medium','esResourceWithVulnInfoForSeverityUrl','/crowdstrike_vulnerability/_search','','false','false','false','',''); INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('ec2_cs_Vulnerability_medium','policyKey','check-vulnerability-exists-for-server','','false','false','false','',''); +INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('ec2_cs_Vulnerability_medium','severityToCheck','medium','','false','false','false','',''); + +update cf_PolicyTable set resolutionUrl='https://paladincloud.io/docs/aws-policy/#CrowdStrike-found-Critical-Vulnerabilities' where policyId='ec2_cs_Vulnerability_critical'; +update cf_PolicyTable set resolutionUrl='https://paladincloud.io/docs/aws-policy/#CrowdStrike-found-High-Vulnerabilities' where policyId='ec2_cs_Vulnerability_high'; +update cf_PolicyTable set resolutionUrl='https://paladincloud.io/docs/aws-policy/#CrowdStrike-found-Medium-Vulnerabilities' where policyId='ec2_cs_Vulnerability_medium'; +update cf_PolicyTable set resolutionUrl='https://paladincloud.io/docs/aws-policy/#Rapid7-found-Critical-Vulnerabilities' where policyId='ec2_r7_vulnerability_critical'; +update cf_PolicyTable set resolutionUrl='https://paladincloud.io/docs/aws-policy/#Rapid7-found-High-Vulnerabilities' where policyId='ec2_r7_vulnerability_high'; +update cf_PolicyTable set 
resolutionUrl='https://paladincloud.io/docs/aws-policy/#Rapid7-found-Medium-Vulnerabilities' where policyId='ec2_r7_vulnerability_medium';
\ No newline at end of file
diff --git a/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/awsrules/ec2/AssetTypeGroupedVulnerabilitiesRule.java b/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/awsrules/ec2/AssetTypeGroupedVulnerabilitiesRule.java
index f848456504..ff9024629a 100644
--- a/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/awsrules/ec2/AssetTypeGroupedVulnerabilitiesRule.java
+++ b/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/awsrules/ec2/AssetTypeGroupedVulnerabilitiesRule.java
@@ -70,6 +70,7 @@ public PolicyResult execute(Map ruleParam, Map r
 MDC.put("ruleId", ruleParam.get(PacmanSdkConstants.POLICY_ID));
 String category = ruleParam.get(PacmanRuleConstants.CATEGORY);
 String severity = ruleParam.get(PacmanRuleConstants.SEVERITY);
+ String severityToCheck = ruleParam.get(PacmanRuleConstants.SEVERITY_TO_CHECK);
 String vulnerabilityIndex = ruleParam.get(VULNERABILITY_INDEX);
 String vulnAssetLookupKey = ruleParam.get(VULN_ASSET_LOOKUP_KEY);
 String vulnerabilitiesEndpoint = PacmanUtils.getPacmanHost(PacmanRuleConstants.ES_URI) + "/" + vulnerabilityIndex + "/_search";
@@ -82,7 +83,7 @@ public PolicyResult execute(Map ruleParam, Map r
 String instanceId = StringUtils.trim(resourceAttributes.get(PacmanRuleConstants.RESOURCE_ID));
 List vulnerabilityInfoList = new ArrayList<>();
 try {
- vulnerabilityInfoList = PacmanUtils.matchAssetAgainstSourceVulnIndex(instanceId, vulnerabilitiesEndpoint, vulnAssetLookupKey, null);
+ vulnerabilityInfoList = PacmanUtils.matchAssetAgainstSourceVulnIndex(instanceId, vulnerabilitiesEndpoint, vulnAssetLookupKey, severityToCheck);
 } catch (Exception e) {
 logger.error("unable to determine", e);
 throw new RuleExecutionFailedExeption("unable to determine" + e);
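Review bot: The six `update cf_PolicyTable set resolutionUrl=... where policyId=...` statements appended at the end of the hunk exist only because `INSERT IGNORE` cannot refresh `resolutionUrl` on an install where the six policy rows already exist, so every later field change to these seeds will need the same insert-plus-update pair. On MySQL `INSERT IGNORE` also downgrades errors other than duplicate keys (for instance truncation of the long `policyParams` JSON or the new URL) to warnings, so a silently truncated row would go unnoticed. Writing each `cf_PolicyTable` insert as `INSERT INTO cf_PolicyTable (...) VALUES (...) ON DUPLICATE KEY UPDATE resolutionUrl = VALUES(resolutionUrl)` keeps the seed idempotent, surfaces real errors and makes the trailing updates unnecessary; this assumes `policyId` or `policyUUID` carries the unique key, which the hunk does not show. Separately, the re-added medium rows for both Rapid7 and CrowdStrike carry the same `policyDesc` as the high rows ('Vulnerability has at least one exploit that is packaged and easily available in an exploit framework'), which looks copied and should describe the medium tier. The new side also ends without a trailing newline.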
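Review bot: In the second hunk (`@@ -82,7 +83,7 @@`) `severityToCheck` replaces the former `null` argument to `matchAssetAgainstSourceVulnIndex`, but the first hunk reads it with a bare `ruleParam.get(PacmanRuleConstants.SEVERITY_TO_CHECK)` and never checks the result, so a policy that has no `severityToCheck` row in `cf_PolicyParams` (a custom policy, or an install where the updated seed has not been applied) silently passes `null` again and reports vulnerabilities of every severity under a policy labelled for one severity. In the seeded policies `severityToCheck` always equals `severity`, so a fallback such as `if (StringUtils.isBlank(severityToCheck)) { severityToCheck = severity; }` directly after the new line keeps the filter in place; if an unfiltered match is never acceptable, fail fast with a `RuleExecutionFailedExeption` as the catch block below already does. A one-line comment above the new declaration, `// severity tier to match in the vulnerability index; seeded equal to the policy's own severity`, would make the relationship between the two params explicit. `execute` starts and ends outside both hunks.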
diff --git a/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/constants/PacmanRuleConstants.java b/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/constants/PacmanRuleConstants.java index 11284aaa6d..fd2e108be9 100644 --- a/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/constants/PacmanRuleConstants.java +++ b/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/constants/PacmanRuleConstants.java @@ -113,6 +113,7 @@ private PacmanRuleConstants() { public static final String FOUND = "Found"; public static final String NOTFOUND = "Not Found"; public static final String SEVERITY = "severity"; + public static final String SEVERITY_TO_CHECK = "severityToCheck"; public static final String SUBTYPE = "subtype"; public static final String MEDIUM = "MEDIUM"; public static final String MISSING_TAGS = "missingTags"; diff --git a/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/crowdstrike/VulnerabilityAssessmentPolicy.java b/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/crowdstrike/VulnerabilityAssessmentPolicy.java index 32663eb66d..759f6e5baf 100644 --- a/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/crowdstrike/VulnerabilityAssessmentPolicy.java +++ b/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/crowdstrike/VulnerabilityAssessmentPolicy.java @@ -32,9 +32,8 @@ public PolicyResult execute(final Map policyParam, Map policyParam, Map Date: Thu, 23 May 2024 00:57:34 +0530 Subject: [PATCH 2/2] fix:[PLG-564] CS-Group CVEs based on app/product in violation info --- .../cloud/awsrules/utils/PacmanUtils.java | 40 +++++++++++-------- .../cloud/constants/PacmanRuleConstants.java | 5 ++- .../VulnerabilityAssessmentPolicy.java | 2 +- .../pacman/executor/PolicyExecutor.java | 1 + 4 files changed, 30 insertions(+), 18 deletions(-) diff --git a/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/awsrules/utils/PacmanUtils.java b/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/awsrules/utils/PacmanUtils.java index bb8489f88a..aa522891d5 100755 
--- a/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/awsrules/utils/PacmanUtils.java +++ b/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/awsrules/utils/PacmanUtils.java 
@@ -4179,25 +4179,33 @@ public static String getQualysVulnerabilitiesDetails(JsonArray vulnerabilities) } - public static String getCrowdstrikeVulnerabilitiesDetails(JsonArray vulnerabilities) { - List vulnerabilityList = new ArrayList<>(vulnerabilities.size()); - if (vulnerabilities != null) { - for (int i = 0; i < vulnerabilities.size(); i++) { - JsonObject source = vulnerabilities.get(i).getAsJsonObject().get(PacmanRuleConstants.SOURCE) - .getAsJsonObject(); - String cveId = source.get("cveId").getAsString(); - String cveUrl = NIST_VULN_DETAILS_URL + cveId; - CveDetails cveDetails = new CveDetails(cveId, cveUrl); - VulnerabilityInfo vulnerabilityinfo = new VulnerabilityInfo(); - vulnerabilityinfo.setTitle(source.get("description").getAsString()); - vulnerabilityinfo.setVulnerabilityUrl(source.get("vulnerabilityUrl").getAsString()); - vulnerabilityinfo.setCveList(Arrays.asList(cveDetails)); - vulnerabilityList.add(vulnerabilityinfo); + public static String getVulnerabilitiesDetails(JsonArray vulnerabilities) { + ObjectMapper objectMapper = new ObjectMapper(); + Map productVulnerablilities = new HashMap<>(); + for (int i = 0; i < vulnerabilities.size(); i++) { + JsonObject source = vulnerabilities.get(i).getAsJsonObject().get(PacmanRuleConstants.SOURCE) + .getAsJsonObject(); + String cveId = source.get(CVE_ID).getAsString(); + String cveUrl = NIST_VULN_DETAILS_URL + cveId; + CveDetails cveDetails = new CveDetails(cveId, cveUrl); + for (JsonElement appElement : source.get("apps").getAsJsonArray()) { + JsonObject app = appElement.getAsJsonObject(); + String productName = String.valueOf(app.get(PRODUCT_NAME_VERSION).getAsString()); + if (productVulnerablilities.containsKey(productName)) { + productVulnerablilities.get(productName).getCveList().add(cveDetails); + } else { + VulnerabilityInfo vulnerabilityinfo = new VulnerabilityInfo(); + vulnerabilityinfo.setTitle(productName); + 
vulnerabilityinfo.setVulnerabilityUrl(source.get(PacmanSdkConstants.VULNERABILITY_URL).getAsString() + "'" + app.get(PRODUCT_NAME_NORMALIZED).getAsString() + "'"); + List cveDetailsList = new ArrayList<>(); + cveDetailsList.add(cveDetails); + vulnerabilityinfo.setCveList(cveDetailsList); + productVulnerablilities.put(productName, vulnerabilityinfo); + } } } - ObjectMapper objectMapper = new ObjectMapper(); try { - return objectMapper.writeValueAsString(vulnerabilityList); + return objectMapper.writeValueAsString(productVulnerablilities.values()); } catch (JsonProcessingException e) { throw new RuleExecutionFailedExeption(e.getMessage()); } diff --git a/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/constants/PacmanRuleConstants.java b/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/constants/PacmanRuleConstants.java index fd2e108be9..61bd634ee1 100644 --- a/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/constants/PacmanRuleConstants.java +++ b/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/constants/PacmanRuleConstants.java @@ -689,5 +689,8 @@ private PacmanRuleConstants() { public static final String LATEST_CLOUD_WATCH_DELIVERY_TIME="latestCloudWatchLogsDeliveryTime"; public static final String SERVICE = "Service"; public static final String REGION_GLOBAL = "global"; - public static final String ACCOUNT_ID = "accountid"; + public static final String ACCOUNT_ID = "accountid"; + public static final String PRODUCT_NAME_VERSION = "product_name_version"; + public static final String PRODUCT_NAME_NORMALIZED = "product_name_normalized"; + public static final String CVE_ID = "cveId"; } diff --git a/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/crowdstrike/VulnerabilityAssessmentPolicy.java b/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/crowdstrike/VulnerabilityAssessmentPolicy.java index 759f6e5baf..f15a7ec252 100644 --- a/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/crowdstrike/VulnerabilityAssessmentPolicy.java 
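Review bot: In the new `getVulnerabilitiesDetails` a vulnerability only reaches a product bucket through the inner `for (JsonElement appElement : source.get("apps").getAsJsonArray())` loop, so a source document whose `apps` array is empty is silently dropped from the violation details, and one with no `apps` member at all throws (a NullPointerException on the missing element) and fails the whole policy run. The removed `if (vulnerabilities != null)` guard is gone too, although it was already ineffective behind `new ArrayList<>(vulnerabilities.size())` on the old side. The `product_name_normalized` value is concatenated into `vulnerabilityUrl` between single quotes without encoding, so names containing spaces, `&` or `#` produce a malformed or mis-parsed link in whatever renders the details; `URLEncoder.encode` on that fragment is the usual fix (the `Charset` overload shown needs Java 10+, older targets use the `"UTF-8"` overload). `HashMap.values()` also gives the serialised products an unstable order between runs, and `productVulnerablilities` is misspelt. The rewrite below keeps CVEs with no app visible under the source description as the removed code did, uses a `LinkedHashMap` for deterministic output (needs its `java.util` import), and factors the add-or-create step into a helper placed before the method; the serialization tail of the method and the enclosing class are unchanged.
```java
/** Appends cveDetails to the bucket for title, creating the bucket on first sight. */
private static void addCve(Map<String, VulnerabilityInfo> byProduct, String title, String url, CveDetails cveDetails) {
    VulnerabilityInfo info = byProduct.get(title);
    if (info == null) {
        info = new VulnerabilityInfo();
        info.setTitle(title);
        info.setVulnerabilityUrl(url);
        info.setCveList(new ArrayList<>());
        byProduct.put(title, info);
    }
    info.getCveList().add(cveDetails);
}

public static String getVulnerabilitiesDetails(JsonArray vulnerabilities) {
    ObjectMapper objectMapper = new ObjectMapper();
    // LinkedHashMap keeps first-seen product order, so the serialized details are stable across runs
    Map<String, VulnerabilityInfo> productVulnerabilities = new LinkedHashMap<>();
    for (int i = 0; vulnerabilities != null && i < vulnerabilities.size(); i++) {
        JsonObject source = vulnerabilities.get(i).getAsJsonObject().get(PacmanRuleConstants.SOURCE)
                .getAsJsonObject();
        String cveId = source.get(CVE_ID).getAsString();
        CveDetails cveDetails = new CveDetails(cveId, NIST_VULN_DETAILS_URL + cveId);
        String baseUrl = source.get(PacmanSdkConstants.VULNERABILITY_URL).getAsString();
        JsonElement apps = source.get("apps");
        if (apps == null || !apps.isJsonArray() || apps.getAsJsonArray().size() == 0) {
            // no product to group under: keep the CVE visible instead of dropping it
            addCve(productVulnerabilities, source.get("description").getAsString(), baseUrl, cveDetails);
            continue;
        }
        for (JsonElement appElement : apps.getAsJsonArray()) {
            JsonObject app = appElement.getAsJsonObject();
            String productName = app.get(PRODUCT_NAME_VERSION).getAsString();
            // scanner-supplied name goes into a link: encode it so spaces, '&' and '#' cannot break the URL
            String productUrl = baseUrl + "'"
                    + URLEncoder.encode(app.get(PRODUCT_NAME_NORMALIZED).getAsString(), StandardCharsets.UTF_8) + "'";
            addCve(productVulnerabilities, productName, productUrl, cveDetails);
        }
    }
    // … unchanged: objectMapper.writeValueAsString(productVulnerabilities.values()) and the JsonProcessingException handling …
```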
+++ b/jobs/pacman-awsrules/src/main/java/com/tmobile/cloud/crowdstrike/VulnerabilityAssessmentPolicy.java @@ -52,7 +52,7 @@ public PolicyResult execute(final Map policyParam, Map