cloudmarker.events package
A package for event plugins packaged with this project.
This package contains event plugins that are packaged as part of this project. The event plugins implement a function named eval that accepts one record as parameter, evaluates the record, and generates zero or more event records for each input record. The event plugins also implement a function named done that performs cleanup work when called.
Submodules
cloudmarker.events.azvmdatadiskencryptionevent module
Microsoft Azure VM Data disk encryption event.
This module defines the AzVMDataDiskEncryptionEvent class that identifies an unencrypted Azure VM data disk. This plugin works on the virtual machine properties found in the com bucket of virtual_machine records.
class cloudmarker.events.azvmdatadiskencryptionevent.AzVMDataDiskEncryptionEvent
Bases: object
Az VM Data disk encryption event plugin.
Create an instance of AzVMDataDiskEncryptionEvent.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in the future.
cloudmarker.events.azvmosdiskencryptionevent module
Microsoft Azure VM OS disk encryption event.
This module defines the AzVMOSDiskEncryptionEvent class that identifies an unencrypted Azure OS disk. This plugin works on the virtual machine properties found in the com bucket of virtual_machine records.
class cloudmarker.events.azvmosdiskencryptionevent.AzVMOSDiskEncryptionEvent
Bases: object
Az VM OS disk encryption event plugin.
Create an instance of AzVMOSDiskEncryptionEvent.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in the future.
cloudmarker.events.firewallruleevent module
Firewall rule event.
This module defines the FirewallRuleEvent class that identifies weak firewall rules. This plugin works on the firewall properties found in the com bucket of firewall rule records.
class cloudmarker.events.firewallruleevent.FirewallRuleEvent(ports=None)
Bases: object
Firewall rule event plugin.
Create an instance of FirewallRuleEvent plugin.
Parameters: ports (list) – A list of strings that represent the ports to be checked for insecure exposure to the Internet. If None is specified or if unspecified, then this plugin defaults to checking ports 22, 3389, 1433, 1521, 3306, and 5432 for insecure exposure.
done()
Perform cleanup work.
Currently, this method does nothing. This may change in the future.
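The eval/done plugin interface and the default port list described above, shown as an added example that is not cloudmarker's own code: a hypothetical ExposedPortEvent class that yields one event per watched port a firewall rule opens to the Internet. It goes slightly beyond the text by also handling port ranges and the * wildcard. The com field names, the event record layout, the "any source" markers and the sample records are assumptions constructed for illustration.

```python
DEFAULT_PORTS = ['22', '3389', '1433', '1521', '3306', '5432']
OPEN_SOURCES = {'0.0.0.0/0', '::/0', '*'}  # assumed "any source" markers


class ExposedPortEvent:
    """Hypothetical plugin (added example, not cloudmarker code)."""

    def __init__(self, ports=None):
        # None (or unspecified) falls back to the default port list.
        self._ports = set(map(int, DEFAULT_PORTS if ports is None else ports))

    @staticmethod
    def _bounds(spec):
        """Turn '22', '20-25' or '*' into an inclusive (low, high) pair."""
        low, _, high = str(spec).strip().replace('*', '0-65535').partition('-')
        return int(low), int(high or low)

    def eval(self, record):
        """Yield one event per watched port the rule exposes."""
        com = record.get('com', {})  # field names below are assumed
        risky = (com.get('record_type') == 'firewall_rule' and com.get('enabled')
                 and com.get('access') == 'allow' and com.get('direction') == 'in'
                 and OPEN_SOURCES & set(com.get('source_addresses', [])))
        if not risky:
            return
        hit = set()
        for low, high in map(self._bounds, com.get('destination_ports', [])):
            hit |= {port for port in self._ports if low <= port <= high}
        for port in sorted(hit):
            yield {'com': {'record_type': 'firewall_rule_event',
                           'reference': com.get('reference')},
                   'ext': {'port': port}}  # assumed event layout

    def done(self):
        """Nothing to clean up; this plugin holds no resources."""


def run(plugin, records):
    """Feed every record to the plugin, then call done() once."""
    events = [event for rec in records for event in plugin.eval(rec)]
    plugin.done()
    return events


# Constructed sample records (not real cloud data).
SAMPLE = [
    {'com': {'record_type': 'firewall_rule', 'enabled': True, 'access': 'allow',
             'direction': 'in', 'source_addresses': ['0.0.0.0/0'],
             'destination_ports': ['22', '3000-4000'], 'reference': 'rule-a'}},
    {'com': {'record_type': 'virtual_machine'}}]
```

Calling run(ExposedPortEvent(), SAMPLE) reports ports 22, 3306 and 3389: the last two are caught only because the 3000-4000 range is expanded rather than compared as a literal string.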
cloudmarker.events.mockevent module
Mock event plugin for testing purposes.
class cloudmarker.events.mockevent.MockEvent(n=3)
Bases: object
Mock event plugin for testing purposes.
Create an instance of MockEvent plugin.
This plugin generates an event if the data field of a mock record is a multiple of n.
Parameters: n (int) – A number that the data value in a mock record must be a multiple of in order to generate an event record.
done()
Perform cleanup work.
Since this is a mock plugin, this method does nothing. However, a typical event plugin may or may not need to perform cleanup work in this method depending on the nature of its work.
eval(record)
Evaluate record to check for multiples of n.
If record['raw']['data'] is a multiple of n (the parameter with which this plugin was initialized), then generate an event record. Otherwise, do nothing.
If record['raw']['data'] is missing, i.e., the key named raw or data does not exist, then its record number is assumed to be 1.
This is a mock example of an event plugin. In actual event plugins, this method would typically check for security issues in the record.
Parameters: record (dict) – Record to evaluate.
Yields: dict – Event record if evaluation rule matches the input record.