Reino: Security Features
Segurança de software não é o mesmo que software de segurança. Aqui, estamos interessados em tópicos como autenticação, controle de acesso, confidencialidade, criptografia e gestão de privilégios.
AWS Ansible Misconfiguration: Missing CloudTrail Log Validation
Abstract
Uma tarefa Ansible define um arquivo de log do CloudTrail sem validação de integridade.
Explanation
Por padrão, a validação do arquivo de log do CloudTrail está desabilitada, o que evita que os investigadores confirmem que não houve violação externa dos arquivos de log do CloudTrail.
Isso permite que um invasor com os privilégios necessários execute alterações de configuração prejudiciais e as oculte modificando os logs do CloudTrail.
Exemplo 1: A seguinte tarefa Ansible define uma configuração do CloudTrail sem a validação da integridade do arquivo de log porque o parâmetro
Isso permite que um invasor com os privilégios necessários execute alterações de configuração prejudiciais e as oculte modificando os logs do CloudTrail.
Exemplo 1: A seguinte tarefa Ansible define uma configuração do CloudTrail sem a validação da integridade do arquivo de log porque o parâmetro
enable_log_file_validation está ausente.
- name: create a single region cloudtrail
community.aws.cloudtrail:
s3_bucket_name: mylogbucket
s3_key_prefix: cloudtrail
region: us-west-2
References
[1] Ansible project contributors community.aws.cloudtrail – manage CloudTrail create, delete, update
[2] Amazon Web Services Validating CloudTrail log file integrity
[3] Amazon Web Services Security at Scale: Logging in AWS
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial
[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[10] Standards Mapping - Common Weakness Enumeration CWE ID 354
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002451
[12] Standards Mapping - FIPS200 MP
[13] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2017 A10 Insufficient Logging and Monitoring
[20] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3)
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 10.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.5.5
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.5.5
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.3.2
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[32] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 494
[33] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 494
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.structural.yaml.aws_ansible_misconfiguration_missing_cloudtrail_log_validation.base