cloudmarker.events package
A package for event plugins packaged with this project.
This package contains event plugins that are packaged as part of this project. The event plugins implement a function named eval that accepts one record as parameter, evaluates the record, and generates zero or more event records for each input record. The event plugins also implement a function named done that performs cleanup work when called.
Submodules
cloudmarker.events.azkvkeynoexpiryevent module
Microsoft Azure Key Vault key expiry event.
This module defines the AzKVKeyNoExpiryEvent class that identifies Key Vault active (enabled) keys without expiry set. This plugin works on the Key Vault key properties found in the ext bucket of key_vault_key records.
class cloudmarker.events.azkvkeynoexpiryevent.AzKVKeyNoExpiryEvent
Bases: object
Azure Key Vault key expiry event plugin.
Create an instance of AzKVKeyNoExpiryEvent.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azkvnonrecoverableevent module
Microsoft Azure Key Vault non-recoverable event.
This module defines the AzKVNonRecoverableEvent class that identifies if a Key Vault is not recoverable. An Azure Key Vault is recoverable if both soft delete and purge protection are enabled. This plugin works on the Key Vault secret properties found in the ext bucket of key_vault records.
class cloudmarker.events.azkvnonrecoverableevent.AzKVNonRecoverableEvent
Bases: object
Azure Key Vault non-recoverable event plugin.
Create an instance of AzKVNonRecoverableEvent.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azkvsecretnoexpiryevent module
Microsoft Azure Key Vault secret expiry event.
This module defines the AzKVSecretNoExpiryEvent class that identifies Key Vault active (enabled) secrets without expiry set. This plugin works on the Key Vault secret properties found in the ext bucket of key_vault_secret records.
class cloudmarker.events.azkvsecretnoexpiryevent.AzKVSecretNoExpiryEvent
Bases: object
Azure Key Vault secret expiry event plugin.
Create an instance of AzKVSecretNoExpiryEvent.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azlogprofileevent module
Microsoft Azure log profile event.
This module defines the AzLogProfileEvent class that creates events for Azure subscriptions with missing log profiles.
class cloudmarker.events.azlogprofileevent.AzLogProfileEvent
Bases: object
Azure log profile event plugin.
Create an instance of AzLogProfileEvent.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azlogprofilemissingcategoryevent module
Microsoft Azure Log Profile Missing Category Type Event.
This module defines the AzLogProfileMissingCategoryEvent class that identifies a log profile that is not enabled for all the categories, i.e. Write, Delete and Action. This plugin works on the log profile properties found in the raw bucket of log_profile records.
class cloudmarker.events.azlogprofilemissingcategoryevent.AzLogProfileMissingCategoryEvent
Bases: object
Azure log profile missing category event plugin.
Create an instance of the AzLogProfileMissingCategoryEvent class.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azlogprofilemissinglocationevent module
Microsoft Azure Log Profile Missing Location Event.
This module defines the AzLogProfileMissingLocationEvent class that identifies a log profile that is not enabled for all the supported locations/regions for that subscription, including global. This plugin works on the log profile properties found in the ext bucket of log_profile records.
class cloudmarker.events.azlogprofilemissinglocationevent.AzLogProfileMissingLocationEvent
Bases: object
Azure log profile missing location event plugin.
Create an instance of the AzLogProfileMissingLocationEvent class.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azlogprofileretentionevent module
Microsoft Azure Log Profile Retention Event.
This module defines the AzLogProfileRetentionEvent class that identifies if an Azure log profile's retention policy is configured for fewer than the required minimum number of days. This plugin works on the properties found in the ext bucket of log_profile records.
class cloudmarker.events.azlogprofileretentionevent.AzLogProfileRetentionEvent(_min_retention_days=365)
Bases: object
Azure log profile retention event plugin.
Create an instance of AzLogProfileRetentionEvent.
Parameters: _min_retention_days (int) – Minimum required retention days.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azpostgresconnectionthrottlingevent module
Microsoft Azure Postgres Connection Throttling event.
This module defines the AzPostgresConnectionThrottlingEvent class that identifies PostgreSQL servers which have the connection throttling configuration disabled. This plugin works on the properties found in the com bucket of postgresql_server records.
class cloudmarker.events.azpostgresconnectionthrottlingevent.AzPostgresConnectionThrottlingEvent
Bases: object
Az Postgres connection throttling event plugin.
Create an instance of AzPostgresConnectionThrottlingEvent.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azpostgreslogcheckpointsevent module
Microsoft Azure Postgres Log Checkpoints event.
This module defines the AzPostgresLogCheckpointsEvent class that identifies PostgreSQL servers which have the log checkpoints configuration disabled. This plugin works on the properties found in the com bucket of postgresql_server records.
class cloudmarker.events.azpostgreslogcheckpointsevent.AzPostgresLogCheckpointsEvent
Bases: object
Az Postgres log checkpoints event plugin.
Create an instance of AzPostgresLogCheckpointsEvent.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azpostgreslogconnectionsevent module
Microsoft Azure Postgres Log Connections event.
This module defines the AzPostgresLogConnectionsEvent class that identifies PostgreSQL servers which have the log connections configuration disabled. This plugin works on the properties found in the com bucket of postgresql_server records.
class cloudmarker.events.azpostgreslogconnectionsevent.AzPostgresLogConnectionsEvent
Bases: object
Az Postgres log connections event plugin.
Create an instance of AzPostgresLogConnectionsEvent.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azpostgreslogdisconnectionsevent module
Microsoft Azure Postgres Log Disconnections event.
This module defines the AzPostgresLogDisconnectionsEvent class that identifies PostgreSQL servers which have the log disconnections configuration disabled. This plugin works on the properties found in the com bucket of postgresql_server records.
class cloudmarker.events.azpostgreslogdisconnectionsevent.AzPostgresLogDisconnectionsEvent
Bases: object
Az Postgres log disconnections event plugin.
Create an instance of AzPostgresLogDisconnectionsEvent.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azpostgreslogdurationevent module
Microsoft Azure Postgres Log Duration event.
This module defines the AzPostgresLogDurationEvent class that identifies PostgreSQL servers which have the log duration configuration disabled. This plugin works on the properties found in the com bucket of postgresql_server records.
class cloudmarker.events.azpostgreslogdurationevent.AzPostgresLogDurationEvent
Bases: object
Az Postgres log duration event plugin.
Create an instance of AzPostgresLogDurationEvent.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azpostgreslogretentiondaysevent module
Microsoft Azure Postgres Log Retention Days event.
This module defines the AzPostgresLogRetentionDaysEvent class that identifies PostgreSQL servers which have log retention days set below the desired minimum value. This plugin works on the properties found in the com bucket of postgresql_server records.
class cloudmarker.events.azpostgreslogretentiondaysevent.AzPostgresLogRetentionDaysEvent(_min_log_retention_days=3)
Bases: object
Az Postgres log retention days event plugin.
Create an instance of AzPostgresLogRetentionDaysEvent.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azsqldatabasetdeevent module
Microsoft Azure SQL DB Transparent Data Encryption (TDE) event.
This module defines the AzSQLDatabaseTDEEvent class that identifies if a SQL database has TDE disabled. This plugin works on the SQL DB properties found in the ext bucket of sql_db records.
class cloudmarker.events.azsqldatabasetdeevent.AzSQLDatabaseTDEEvent
Bases: object
Azure SQL database TDE event plugin.
Create an instance of AzSQLDatabaseTDEEvent.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azstorageaccountallowtrustedservicesevent module
Microsoft storage account allow trusted services event.
This module defines the AzStorageAccountAllowTrustedServicesEvent class that identifies a storage account with network access set to denied to Microsoft Azure services. This plugin works on the storage account properties record found in the ext bucket of storage_account_properties records.
class cloudmarker.events.azstorageaccountallowtrustedservicesevent.AzStorageAccountAllowTrustedServicesEvent
Bases: object
Azure storage account allow trusted services event plugin.
Initialize AzStorageAccountAllowTrustedServicesEvent.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azstorageaccountdefaultnetworkaccessevent module
Microsoft storage account default network access event.
This module defines the AzStorageAccountDefaultNetworkAccessEvent class that identifies a storage account with default network access set to Allow. This plugin works on the storage account properties record found in the ext bucket of storage_account_properties records.
class cloudmarker.events.azstorageaccountdefaultnetworkaccessevent.AzStorageAccountDefaultNetworkAccessEvent
Bases: object
Azure storage account default network access event plugin.
Initialize AzStorageAccountDefaultNetworkAccessEvent.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azstorageaccountsecuretransferevent module
Microsoft storage account secure transfer event.
This module defines the AzStorageAccountSecureTransferEvent class that identifies a storage account with secure transfer enabled not set to true. This plugin works on the storage account properties record found in the ext bucket of storage_account_properties records.
class cloudmarker.events.azstorageaccountsecuretransferevent.AzStorageAccountSecureTransferEvent
Bases: object
Azure storage account secure transfer enabled check event plugin.
Create an instance of AzStorageAccountSecureTransferEvent.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azvmdatadiskencryptionevent module
Microsoft Azure VM Data disk encryption event.
This module defines the AzVMDataDiskEncryptionEvent class that identifies an unencrypted Azure VM data disk. This plugin works on the virtual machine properties found in the com bucket of virtual_machine records.
class cloudmarker.events.azvmdatadiskencryptionevent.AzVMDataDiskEncryptionEvent
Bases: object
Az VM Data disk encryption event plugin.
Create an instance of AzVMDataDiskEncryptionEvent.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azvmextensionevent module
Microsoft Azure VM extension event.
This module defines the AzVMExtensionEvent class that evaluates Azure VM extensions. This plugin works on the virtual machine properties found in the ext bucket of vm_instance_view records.
class cloudmarker.events.azvmextensionevent.AzVMExtensionEvent(whitelisted=None, blacklisted=None, required=None)
Bases: object
Az VM Data extension event plugin.
Create an instance of AzVMExtensionEvent.
Parameters:
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azvmosdiskencryptionevent module
Microsoft Azure VM OS disk encryption event.
This module defines the AzVMOSDiskEncryptionEvent class that identifies an unencrypted Azure OS disk. This plugin works on the virtual machine properties found in the com bucket of virtual_machine records.
class cloudmarker.events.azvmosdiskencryptionevent.AzVMOSDiskEncryptionEvent
Bases: object
Az VM OS disk encryption event plugin.
Create an instance of AzVMOSDiskEncryptionEvent.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azwebappclientcertevent module
Microsoft web app client certificate event.
This module defines the AzWebAppClientCertEvent class that identifies a web app with client certificate (mutual TLS) disabled. This plugin works on the web apps config properties found in the ext bucket of web_app_config records.
class cloudmarker.events.azwebappclientcertevent.AzWebAppClientCertEvent
Bases: object
Azure web app client certificate event plugin.
Create an instance of AzWebAppClientCertEvent.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azwebapphttp20event module
Microsoft web app HTTP 2.0 event.
This module defines the AzWebAppHttp20Event class that identifies if a web app is not using HTTP version 2.0. This plugin works on the web apps config properties found in the ext bucket of web_app_config records.
class cloudmarker.events.azwebapphttp20event.AzWebAppHttp20Event
Bases: object
Azure web app HTTP 2.0 event plugin.
Create an instance of AzWebAppHttp20Event.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azwebapphttpsevent module
Microsoft web app HTTPS event.
This module defines the AzWebAppHttpsEvent class that identifies a web app with HTTPS only traffic disabled. This plugin works on the web apps config properties found in the ext bucket of web_app_config records.
class cloudmarker.events.azwebapphttpsevent.AzWebAppHttpsEvent
Bases: object
Azure web app HTTPS event plugin.
Create an instance of AzWebAppHttpsEvent.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.azwebapptlsevent module
Microsoft web app minimum TLS version event.
This module defines the AzWebAppTLSEvent class that identifies a web app with minimum TLS version not equal to the required minimum TLS version. This plugin works on the web apps config properties found in the com bucket of web_app records.
class cloudmarker.events.azwebapptlsevent.AzWebAppTLSEvent(_min_tls_version=1.2)
Bases: object
Azure web app minimum TLS version check event plugin.
Create an instance of AzWebAppTLSEvent.
Parameters: _min_tls_version (float) – Minimum required TLS version.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
cloudmarker.events.firewallruleevent module
Firewall rule event.
This module defines the FirewallRuleEvent class that identifies weak firewall rules. This plugin works on the firewall properties found in the com bucket of firewall rule records.
class cloudmarker.events.firewallruleevent.FirewallRuleEvent(ports=None)
Bases: object
Firewall rule event plugin.
Create an instance of FirewallRuleEvent plugin.
Parameters: ports (list) – A list of strings that represent the ports to be checked for insecure exposure to the Internet. If None is specified or if unspecified, then this plugin defaults to checking ports 22, 3389, 1433, 1521, 3306, and 5432 for insecure exposure.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.
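
A plugin written to the eval/done contract described for this package, using the default port list documented for FirewallRuleEvent. This is an added example, not Cloudmarker's own code: the class ExposedPortEvent, the helpers covers, run and rule, the field names inside the com bucket and the event record layout are all assumptions, and the sample records are constructed.

```python
DEFAULT_PORTS = ['22', '3389', '1433', '1521', '3306', '5432']  # documented defaults
ANY_SOURCE = {'0.0.0.0/0', '::/0', '*'}  # assumed spellings of "the Internet"


def covers(spec, port):
    """Return True if a port spec ('22', '8000-9000' or '*') includes port."""
    spec = str(spec).strip()
    if spec == '*':
        return True
    low, _, high = spec.partition('-')
    try:
        return int(low) <= port <= int(high or low)
    except ValueError:
        return False  # unparseable spec: treat as not matching


class ExposedPortEvent:
    """Hypothetical event plugin; not Cloudmarker's FirewallRuleEvent."""
    def __init__(self, ports=None):
        chosen = DEFAULT_PORTS if ports is None else ports
        self._ports = sorted({int(p) for p in chosen})

    def eval(self, record):
        """Yield one event record per watched port the rule exposes."""
        com = record.get('com') or {}  # field names below are assumptions
        if com.get('direction') != 'in' or com.get('access') != 'allow':
            return
        if not ANY_SOURCE.intersection(com.get('source_addresses', [])):
            return
        for port in self._ports:
            if any(covers(s, port) for s in com.get('destination_ports', [])):
                yield {'com': {'record_type': 'exposed_port_event',
                               'reference': com.get('reference'), 'port': port}}

    def done(self):
        """Perform cleanup work; this example holds no resources."""


def run(plugin, records):
    """Feed every record to eval(), then call done() once at the end."""
    events = [event for record in records for event in plugin.eval(record)]
    plugin.done()
    return events


def rule(ref, sources, ports):
    """Build a constructed inbound allow rule record (not real cloud data)."""
    return {'com': {'reference': ref, 'direction': 'in', 'access': 'allow',
                    'source_addresses': sources, 'destination_ports': ports}}


SAMPLE_RECORDS = [rule('fw-1', ['0.0.0.0/0'], ['22', '8000-9000']),
                  rule('fw-2', ['10.0.0.0/8'], ['3389']),
                  rule('fw-3', ['*'], ['3000-4000']), {'raw': {}}]
```

Because eval is a generator, a port range that spans several watched ports produces one event per port, and a record without a com bucket produces none.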
cloudmarker.events.mockevent module
Mock event plugin for testing purposes.
class cloudmarker.events.mockevent.MockEvent(n=3)
Bases: object
Mock event plugin for testing purposes.
Create an instance of MockEvent plugin.
This plugin generates an event if the data field of a mock record is a multiple of n.
Parameters: n (int) – A number that the record data value in mock record must be a multiple of in order to generate an event record.
done()
Perform cleanup work.
Since this is a mock plugin, this method does nothing. However, a typical event plugin may or may not need to perform cleanup work in this method depending on its nature of work.
eval(record)
Evaluate record to check for multiples of n.
If record['raw']['data'] is a multiple of n (the parameter with which this plugin was initialized), then generate an event record. Otherwise, do nothing.
If record['raw']['data'] is missing, i.e., the key named raw or data does not exist, then its record number is assumed to be 1.
This is a mock example of an event plugin. In actual event plugins, this method would typically check for security issues in the record.
Parameters: record (dict) – Record to evaluate.
Yields: dict – Event record if evaluation rule matches the input record.
cloudmarker.events.rdbmsenforcetlsevent module
RDBMS Enforce TLS/SSL Event.
This module defines the RDBMSEnforceTLSEvent class that identifies RDBMS servers which have TLS/SSL connection enforcement disabled. This plugin works on the properties found in the com bucket of rdbms records.
class cloudmarker.events.rdbmsenforcetlsevent.RDBMSEnforceTLSEvent
Bases: object
Az RDBMS TLS/SSL enforcement event plugin.
Create an instance of RDBMSEnforceTLSEvent.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in future.