cloudmarker.events package¶

A package for event plugins packaged with this project.

This package contains event plugins that are packaged as part of this project. The event plugins implement a function named eval that accepts one record as parameter, evaluates the record, and generates zero or more event records for each input record. The event plugins also implement and a function named done that perform cleanup work when called.

Submodules¶

cloudmarker.events.azkvkeynoexpiryevent module¶

Microsoft Azure Key Vault key expiry event.

This module defines the AzKVKeyNoExpiryEvent class that identifies Key Vault active (enabled) keys without expiry set. This plugin works on the Key Vault key properties found in the ext bucket of key_vault_key records.

class cloudmarker.events.azkvkeynoexpiryevent.AzKVKeyNoExpiryEvent¶

Bases: object

Azure Key Vault key expiry event plugin.

Create an instance of AzKVKeyNoExpiryEvent.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Azure Key Vault key for expiry date.

Parameters:	record (dict) – A Key Vault key record.
Yields:	dict – An event record representing an Azure Key Vault keys without expiry date.

cloudmarker.events.azkvnonrecoverableevent module¶

Microsoft Azure Key Vault non-recoverable event.

This module defines the AzKVNonRecoverableEvent class that identifies if a Key Vault is not recoverable. An Azure Key Vault is recoverable if both soft delete and purge protection is enabled. This plugin works on the Key Vault secret properties found in the ext bucket of key_vault records.

class cloudmarker.events.azkvnonrecoverableevent.AzKVNonRecoverableEvent¶

Bases: object

Azure Key Vault non-recoverable event plugin.

Create an instance of AzKVNonRecoverableEvent.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate if an Azure Key Vault is recoverable.

Parameters:	record (dict) – A Key Vault record.
Yields:	dict – An event record representing an Azure Key Vault which is not recoverable.

cloudmarker.events.azkvsecretnoexpiryevent module¶

Microsoft Azure Key Vault secret expiry event.

This module defines the AzKVSecretNoExpiryEvent class that identifies if a Key Vault active (enabled) secret without expiry set. This plugin works on the Key Vault secret properties found in the ext bucket of key_vault_secret records.

class cloudmarker.events.azkvsecretnoexpiryevent.AzKVSecretNoExpiryEvent¶

Bases: object

Azure Key Vault secret expiry event plugin.

Create an instance of AzKVSecretNoExpiryEvent.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Azure Key Vault secret for expiry date.

Parameters:	record (dict) – A Key Vault secret record.
Yields:	dict – An event record representing an Azure Key Vault secret without expiry date.

cloudmarker.events.azlogprofileevent module¶

Microsoft Azure log profile event.

This module defines the AzLogProfileEvent class that creates events for Azure subscriptions with missing log profiles.

class cloudmarker.events.azlogprofileevent.AzLogProfileEvent¶

Bases: object

Azure log profile event plugin.

Create an instance of AzLogProfileEvent.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Azure subscription for missing log profile.

Parameters:	record (dict) – Azure `log_profile_missing` record.
Yields:	dict – An event record for every `log_profile_missing` record.

cloudmarker.events.azlogprofilemissingcategoryevent module¶

Microsoft Azure Log Profile Missing Category Type Event.

This module defines the AzLogProfileMissingCategoryEvent class that identifies if a log profile which is not enable for all the categories i.e. Write, Delete and Action. This plugin works on the log profile properties found in the raw bucket of log_profile records.

class cloudmarker.events.azlogprofilemissingcategoryevent.AzLogProfileMissingCategoryEvent¶

Bases: object

Azure log profile missing category event plugin.

Create an instance of the class.

Create an instance of the AzLogProfileMissingCategoryEvent.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Azure log profiles for enabled categories.

Parameters:	record (dict) – An Azure log profile record.
Yields:	dict – An event record representing an Azure log profile which is not enabled for all categories.

cloudmarker.events.azlogprofilemissinglocationevent module¶

Microsoft Azure Log Profile Missing Location Event.

This module defines the AzLogProfileMissingLocationEvent class that identifies if a log profile which is not enable for all the supported locations/regions for that subscrition including global. This plugin works on the log profile properties found in the ext bucket of log_profile records.

class cloudmarker.events.azlogprofilemissinglocationevent.AzLogProfileMissingLocationEvent¶

Bases: object

Azure log profile missing location event plugin.

Create an instance of the class.

Create an instance of the AzLogProfileMissingLocationEvent.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Azure log profiles for enabled locations.

Parameters:	record (dict) – An Azure log profile record.
Yields:	dict – An event record representing an Azure log profile which is not enabled for all locations including global.

cloudmarker.events.azlogprofileretentionevent module¶

Microsoft Azure Log Profile Retention Event.

This module defines the AzLogProfileRetentionEvent class that identifies if an Azure log profile’s retention policy is configured for less than the minimum number of days than required. This plugin works properties found in the ext bucket of log_profile records.

class cloudmarker.events.azlogprofileretentionevent.AzLogProfileRetentionEvent(_min_retention_days=365)¶

Bases: object

Azure log profile retention event plugin.

Create an instance of AzLogProfileRetentionEvent.

Parameters:	_min_retention_days (int) – Minimum required retention days.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Azure log profiles for retention policy.

Parameters:	record (dict) – An Azure log profile record.
Yields:	dict – An event record representing an Azure log profile with retention set to less than the required days.

cloudmarker.events.azpostgresconnectionthrottlingevent module¶

Microsoft Azure Postgres Connection Throttling event.

This module defines the AzPostgresConnectionThrottlingEvent class that identifies Postgre SQL servers which connection throttling configuration disabled. This plugin works on the properties found in the com bucket of postgresql_server records.

class cloudmarker.events.azpostgresconnectionthrottlingevent.AzPostgresConnectionThrottlingEvent¶

Bases: object

Az Postgres connection throttling event plugin.

Create instance of AzPostgresConnectionThrottlingEvent.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Postgres for connection throttling.

Parameters:	record (dict) – An RDBMS record.
Yields:	dict – An event record representing a Postgres where connection throttling is disabled

cloudmarker.events.azpostgreslogcheckpointsevent module¶

Microsoft Azure Postgres Log Checkpoints event.

This module defines the AzPostgresLogCheckpointsEvent class that identifies Postgre SQL servers which log checkpoints configuration disabled. This plugin works on the properties found in the com bucket of postgresql_server records.

class cloudmarker.events.azpostgreslogcheckpointsevent.AzPostgresLogCheckpointsEvent¶

Bases: object

Az Postgres log checkpoints event plugin.

Create an instance of AzPostgresLogCheckpointsEvent.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Postgres for log checkpoints.

Parameters:	record (dict) – An RDBMS record.
Yields:	dict – An event record representing a Postgres where log checkpoints is disabled

cloudmarker.events.azpostgreslogconnectionsevent module¶

Microsoft Azure Postgres Log Connections event.

This module defines the AzPostgresLogConnectionsEvent class that identifies Postgre SQL servers which log connections configuration disabled. This plugin works on the properties found in the com bucket of postgresql_server records.

class cloudmarker.events.azpostgreslogconnectionsevent.AzPostgresLogConnectionsEvent¶

Bases: object

Az Postgres log connections event plugin.

Create an instance of AzPostgresLogConnectionsEvent.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Postgres for log connections.

Parameters:	record (dict) – An RDBMS record.
Yields:	dict – An event record representing a Postgres where log connections is disabled

cloudmarker.events.azpostgreslogdisconnectionsevent module¶

Microsoft Azure Postgres Log Disconnections event.

This module defines the AzPostgresLogDisconnectionsEvent class that identifies Postgre SQL servers which log disconnections configuration disabled. This plugin works on the properties found in the com bucket of postgresql_server records.

class cloudmarker.events.azpostgreslogdisconnectionsevent.AzPostgresLogDisconnectionsEvent¶

Bases: object

Az Postgres log disconnections event plugin.

Create an instance of AzPostgresLogDisconnectionsEvent.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Postgres for log disconnections.

Parameters:	record (dict) – An RDBMS record.
Yields:	dict – An event record representing a Postgres where log disconnections is disabled

cloudmarker.events.azpostgreslogdurationevent module¶

Microsoft Azure Postgres Log Duration event.

This module defines the AzPostgresLogDurationEvent class that identifies Postgre SQL servers which log duration configuration disabled. This plugin works on the properties found in the com bucket of postgresql_server records.

class cloudmarker.events.azpostgreslogdurationevent.AzPostgresLogDurationEvent¶

Bases: object

Az Postgres log duration event plugin.

Create an instance of AzPostgresLogDurationEvent.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Postgres for log duration.

Parameters:	record (dict) – An RDBMS record.
Yields:	dict – An event record representing a Postgres where log duration is disabled

cloudmarker.events.azpostgreslogretentiondaysevent module¶

Microsoft Azure Postgres Log Retention Days event.

This module defines the AzPostgresLogRetentionDaysEvent class that identifies Postgre SQL servers which have log retention days set below the desired minimum value. This plugin works on the properties found in the com bucket of postgresql_server records.

class cloudmarker.events.azpostgreslogretentiondaysevent.AzPostgresLogRetentionDaysEvent(_min_log_retention_days=3)¶

Bases: object

Az Postgres log retention days event plugin.

Create instance of AzPostgresLogRetentionDaysEvent.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Postgres for log retention days.

Parameters:	record (dict) – An RDBMS record. _min_log_retention_days (int) – Minimum required log retention days.
Yields:	dict – An event record representing a Postgres where log retention days is set below desired minimum

cloudmarker.events.azsqldatabasetdeevent module¶

Microsoft Azure SQL DB Transparent Data Encryption (TDE) event.

This module defines the AzSQLDatabaseTDEEvent class that identifies if a SQL database has TDE disabled . This plugin works on the SQL DB properties found in the ext bucket of sql_db records.

class cloudmarker.events.azsqldatabasetdeevent.AzSQLDatabaseTDEEvent¶

Bases: object

Azure SQL database TDE event plugin.

Create an instance of AzSQLDatabaseTDEEvent.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Azure SQL DB for disabled TDE.

Parameters:	record (dict) – A SQL DB record.
Yields:	dict – An event record representing an Azure SQL DB with TDE disabled

cloudmarker.events.azstorageaccountallowtrustedservicesevent module¶

Microsoft storage account allow trusted services event.

This module defines the AzStorageAccountAllowTrustedServicesEvent class that identifies a storage account with network access set to denied to Microsoft Azure services. This plugin works on the storage account properties record found in the ext bucket of storage_account_properties records.

class cloudmarker.events.azstorageaccountallowtrustedservicesevent.AzStorageAccountAllowTrustedServicesEvent¶

Bases: object

Azure storage account allow trusted services event plugin.

Initialize AzStorageAccountAllowTrustedServicesEvent.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Azure storage account for trusted services access.

Parameters:	record (dict) – A storage account record.
Yields:	dict – An event record representing a storage account with Azure services not allowed to access the storage account.

cloudmarker.events.azstorageaccountdefaultnetworkaccessevent module¶

Microsoft storage account default network access event.

This module defines the AzStorageAccountDefaultNetworkAccessEvent class that identifies a storage account with default network access set to Allow. This plugin works on the storage account properties record found in the ext bucket of storage_account_properties records.

class cloudmarker.events.azstorageaccountdefaultnetworkaccessevent.AzStorageAccountDefaultNetworkAccessEvent¶

Bases: object

Azure storage account default network access event plugin.

Initialize AzStorageAccountDefaultNetworkAccessEvent.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Azure storage account for default network access.

Parameters:	record (dict) – A storage account record.
Yields:	dict – An event record representing a storage account with default network access allowed.

cloudmarker.events.azstorageaccountsecuretransferevent module¶

Microsoft storage account secure transfer event.

This module defines the AzStorageAccountSecureTransferEvent class that identifies a storage account with secure transfer enabled not set to true . This plugin works on the storage account properties record found in the ext bucket of storage_account_properties records.

class cloudmarker.events.azstorageaccountsecuretransferevent.AzStorageAccountSecureTransferEvent¶

Bases: object

Azure storage account secure transfer enabled check event plugin.

Create instance of AzStorageAccountSecureTransferEvent.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Azure storage account for insecure transfer enabled status.

Parameters:	record (dict) – A storage account record.
Yields:	dict – An event record representing a storage account with secure transfer not enabled property.

cloudmarker.events.azvmdatadiskencryptionevent module¶

Microsoft Azure VM Data disk encryption event.

This module defines the AzVMDataDiskEncryptionEvent class that identifies an unencrypted Azure VM data disk. This plugin works on the virtual machine properties found in the com bucket of virtual_machine records.

class cloudmarker.events.azvmdatadiskencryptionevent.AzVMDataDiskEncryptionEvent¶

Bases: object

Az VM Data disk encryption event plugin.

Create an instance of AzVMDataDiskEncryptionEvent.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Azure virtual machine to check for unencrypted data disks.

Parameters:	record (dict) – A virtual machine record.
Yields:	dict – An event record representing an unencrypted data disk of an Azure virtual machine

cloudmarker.events.azvmextensionevent module¶

Microsoft Azure VM extension event.

This module defines the AzVMExtensionEvent class that evaluates Azure VM extensions. This plugin works on the virtual machine properties found in the ext bucket of vm_instance_view records.

class cloudmarker.events.azvmextensionevent.AzVMExtensionEvent(whitelisted=None, blacklisted=None, required=None)¶

Bases: object

Az VM Data extension event plugin.

Create an instance of AzVMExtensionEvent.

Parameters:	whitelisted (list) – List of whitelisted extensions. blacklisted (list) – List of blacklisted extensions. required (list) – List of required extensions.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Azure virtual machine for extensions.

Parameters:	record (dict) – A virtual machine record.
Yields:	dict – An event record representing an Azure VM with misconfigured extensions

cloudmarker.events.azvmosdiskencryptionevent module¶

Microsoft Azure VM OS disk encryption event.

This module defines the AzVMOSDiskEncryptionEvent class that identifies an unencrypted Azure OS disk. This plugin works on the virtual machine properties found in the com bucket of virtual_machine records.

class cloudmarker.events.azvmosdiskencryptionevent.AzVMOSDiskEncryptionEvent¶

Bases: object

Az VM OS disk encryption event plugin.

Create an instance of AzVMOSDiskEncryptionEvent.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Azure virtual machine to check for unencrypted OS disk.

Parameters:	record (dict) – A virtual machine record.
Yields:	dict – An event record representing an unencrypted OS disk of an Azure virtual machine

cloudmarker.events.azwebappclientcertevent module¶

Microsoft web app client certificate event.

This module defines the AzWebAppClientCertEvent class that identifies a web app with client certificate (mutual TLS) disabled. This plugin works on the web apps config properties found in the ext bucket of web_app_config records.

class cloudmarker.events.azwebappclientcertevent.AzWebAppClientCertEvent¶

Bases: object

Azure web app client certificate event plugin.

Create an instance of AzWebAppClientCertEvent.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Azure web app to check if client cert is disabled.

Parameters:	record (dict) – A web app record.
Yields:	dict – An event record representing a web app with client certificate (mTLS) disabled.

cloudmarker.events.azwebapphttp20event module¶

Microsoft web app HTTP 2.0 event.

This module defines the AzWebAppHttp20Event class that identifies if a web app is not using HTTP version 2.0. This plugin works on the web apps config properties found in the ext bucket of web_app_config records.

class cloudmarker.events.azwebapphttp20event.AzWebAppHttp20Event¶

Bases: object

Azure web app HTTP 2.0 event plugin.

Create an instance of AzWebAppHttp20Event.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Azure web app to check for HTTP 2.0 config.

Parameters:	record (dict) – A web app record.
Yields:	dict – An event record representing a web app with HTTP 2.0 disabled.

cloudmarker.events.azwebapphttpsevent module¶

Microsoft web app HTTPS event.

This module defines the AzWebAppHttpsEvent class that identifies a web app with HTTPS only traffic disabled. This plugin works on the web apps config properties found in the ext bucket of web_app_config records.

class cloudmarker.events.azwebapphttpsevent.AzWebAppHttpsEvent¶

Bases: object

Azure web app HTTPS event plugin.

Create an instance of AzWebAppHttpsEvent.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Azure web app to check for HTTPS only config.

Parameters:	record (dict) – A web app record.
Yields:	dict – An event record representing a web app with HTTPS only traffic disabled.

cloudmarker.events.azwebapptlsevent module¶

Microsoft web app minimum TLS version event.

This module defines the AzWebAppTLSEvent class that identifies a web app with minimum TLS version not equal to the required minimum TLS version. This plugin works on the web apps config properties found in the com bucket of web_app records.

class cloudmarker.events.azwebapptlsevent.AzWebAppTLSEvent(_min_tls_version=1.2)¶

Bases: object

Azure web app minimum TLS version check event plugin.

Create an instance of AzWebAppTLSEvent.

Parameters:	_min_tls_version (float) – Minimum required TLS version.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate Azure web app to check for insecure TLS config.

Parameters:	record (dict) – A web app record.
Yields:	dict – An event record representing a web app with insecure TLS config.

cloudmarker.events.firewallruleevent module¶

Firewall rule event.

This module defines the FirewallRuleEvent class that identifies weak firewall rules. This plugin works on the firewall properties found in the com bucket of firewall rule records.

class cloudmarker.events.firewallruleevent.FirewallRuleEvent(ports=None)¶

Bases: object

Firewall rule event plugin.

Create an instance of FirewallRuleEvent plugin.

Parameters:	ports (list) – A list of strings that represent the ports to be checked for insecure exposure to the Internet. If `None` is specified or if unspecified, then this plugin defaults to checking ports 22, 3389, 1433, 1521, 3306, and 5432 for insecure exposure.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate firewall rules to check for insecurely exposed ports.

Parameters:	record (dict) – A firewall rule record.
Yields:	dict – An event record representing an insecurely exposed port.

cloudmarker.events.mockevent module¶

Mock event plugin for testing purpose.

class cloudmarker.events.mockevent.MockEvent(n=3)¶

Bases: object

Mock event plugin for testing purpose.

Create an instance of MockEvent plugin.

This plugin events if the data field of a mock record is a multiple of n.

Parameters:	n (int) – A number that the record data value in mock record must be a multiple of in order to generate an event record.

done()¶

Perform cleanup work.

Since this is a mock plugin, this method does nothing. However, a typical event plugin may or may not need to perform cleanup work in this method depending on its nature of work.

eval(record)¶

Evaluate record to check for multiples of n.

If record['raw']['data'] is a multiple of n (the parameter with which this plugin was initialized with), then generate an event record. Otherwise, do nothing.

If record['raw']['data] is missing, i.e., the key named raw or data does not exist, then its record number is assumed to be 1.

This is a mock example of a event plugin. In actual event plugins, this method would typically check for security issues in the record.

Parameters:	record (dict) – Record to evaluate.
Yields:	dict – Event record if evaluation rule matches the input record.

cloudmarker.events.rdbmsenforcetlsevent module¶

RDBMS Enforce TLS/SSL Event.

This module defines the RDBMSEnforceTLSEvent class that identifies RDBMS servers which have TLS/SSL connection enforcement disabled. This plugin works on the properties found in the com bucket of rdbms records.

class cloudmarker.events.rdbmsenforcetlsevent.RDBMSEnforceTLSEvent¶

Bases: object

Az RDBMS TLS/SSL enforcement event plugin.

Create an instance of RDBMSEnforceTLSEvent.

done()¶

Perform cleanup work.

Currently, this method does nothing. This may change in future.

eval(record)¶

Evaluate RDBMS servers for TLS connection enforcement.

Parameters:	record (dict) – An RDBMS record.
Yields:	dict – An event record representing an RDBMS where TLS connection enforcement is disabled