Reino: Security Features
La seguridad de un software no es un software de seguridad. Nos preocupamos de cuestiones como la autenticación, el control de acceso, la confidencialidad, la criptografía y la gestión de privilegios.
AWS Ansible Misconfiguration: Missing CloudTrail Log Validation
Abstract
Una tarea de Ansible define un archivo de registro de CloudTrail sin validación de integridad.
Explanation
De forma predeterminada, la validación del archivo de registro de CloudTrail está deshabilitada, lo que evita que los investigadores confirmen que no ha habido manipulaciones externas en los archivos de registro de CloudTrail.
Esto permite que un atacante con los privilegios necesarios realice cambios de configuración dañinos y los oculte modificando los registros de CloudTrail.
Ejemplo 1: La siguiente tarea de Ansible establece una configuración de CloudTrail sin validación de la integridad del archivo de registro porque falta el parámetro
Esto permite que un atacante con los privilegios necesarios realice cambios de configuración dañinos y los oculte modificando los registros de CloudTrail.
Ejemplo 1: La siguiente tarea de Ansible establece una configuración de CloudTrail sin validación de la integridad del archivo de registro porque falta el parámetro
enable_log_file_validation.
- name: create a single region cloudtrail
community.aws.cloudtrail:
s3_bucket_name: mylogbucket
s3_key_prefix: cloudtrail
region: us-west-2
References
[1] Ansible project contributors community.aws.cloudtrail – manage CloudTrail create, delete, update
[2] Amazon Web Services Validating CloudTrail log file integrity
[3] Amazon Web Services Security at Scale: Logging in AWS
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark Recommendation 3.2
[5] Standards Mapping - Common Weakness Enumeration CWE ID 354
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450, CCI-002451
[7] Standards Mapping - FIPS200 MP
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3)
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2017 A10 Insufficient Logging and Monitoring
[17] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 10.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.3.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.3.2
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[28] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 494
[29] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 494
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.structural.yaml.aws_ansible_misconfiguration_missing_cloudtrail_log_validation.base