Adds audit config override

m4maker · Jul 25, 2019 · 37c466d · 37c466d
1 parent c3363cf
commit 37c466d
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 3 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,5 @@
 config.json
+config/
 .DS_Store
 *.pyc
 venv/

diff --git a/commands/audit.py b/commands/audit.py
@@ -2,8 +2,8 @@
 import yaml
 
 from shared.common import parse_arguments
-from shared.audit import audit
-
+from shared.audit import audit, finding_is_filtered
+from os.path import exists
 
 __description__ = "Identify potential issues such as public S3 buckets"
 
@@ -17,9 +17,22 @@ def audit_command(accounts, config, args):
         audit_config = yaml.safe_load(f)
     # TODO: Check the file is formatted correctly
 
+    if exists("config/audit_config_override.yaml"):
+        with open("config/audit_config_override.yaml", "r") as f:
+            audit_override = yaml.safe_load(f)
+
+            # Over-write the values from audit_config
+            for finding_id in audit_override:
+                for k in audit_override[finding_id]:
+                    audit_config[finding_id][k] = audit_override[finding_id][k]
+
     # Print findings
     for finding in findings:
         conf = audit_config[finding.issue_id]
+
+        if finding_is_filtered(finding, conf):
+            continue
+
         if args.json:
             print(finding)
         else:

diff --git a/commands/report.py b/commands/report.py
@@ -14,7 +14,7 @@
 )
 from shared.nodes import Account, Region
 from shared.public import get_public_nodes
-from shared.audit import audit
+from shared.audit import audit, finding_is_filtered
 
 __description__ = "Create report"
 
@@ -317,6 +317,9 @@ def report(accounts, config, args):
 
         for finding in findings:
             conf = audit_config[finding.issue_id]
+            if finding_is_filtered(finding, conf):
+                continue
+
             count = findings_severity_by_account[finding.account_name][
                 conf["severity"]
             ].get(finding.issue_id, 0)

diff --git a/config/audit_config_override.yaml.example b/config/audit_config_override.yaml.example
@@ -0,0 +1,10 @@
+# Include overrides here to the default audit_config.yaml settings.
+
+# # Example 1: Disable a rule entirely
+# GUARDDUTY_OFF:
+#   severity: Mute
+
+# # Example 2: Ignore certain resources from the auditing
+# S3_PUBLIC_POLICY_GETOBJECT_ONLY:
+#   # This is an array of regexes, and must match the entire string
+#   ignore_resources: [".*demo"]
diff --git a/shared/audit.py b/shared/audit.py
@@ -1,6 +1,7 @@
 import json
 import pyjq
 import traceback
+import re
 
 from policyuniverse.policy import Policy
 
@@ -37,6 +38,18 @@ def __len__(self):
         return len(self.findings)
 
 
+def finding_is_filtered(finding, conf):
+    if conf['severity'] == 'Mute':
+        return True
+
+    for resource_to_ignore in conf.get('ignore_resources', []):
+        ignore_regex = re.compile("^"+resource_to_ignore+"$")
+        if re.search(ignore_regex, finding.resource_id):
+            return True
+
+    return False
+
+
 def audit_s3_buckets(findings, region):
     buckets_json = query_aws(region.account, "s3-list-buckets", region)
     buckets = pyjq.all(".Buckets[].Name", buckets_json)