Optimize functional details #54
Open: jietian-sts wants to merge 19 commits into antgroup:pre-release from jietian-sts:main
Conversation
* add CCE RBAC and Accounts of redis
* feat: aliyun ens natgw get dnat rules
* fix alibaba bucket regions error
* change docker-image.yaml, add lint.yaml
* change docker-image.yaml, add lint.yaml (antgroup#3)
* Revert "change docker-image.yaml, add lint.yaml (antgroup#3)" This reverts commit 74abede.
* feat: Implement 3 new AliCloud resource collectors
* fix
* remove registers of eflo
* fix
* fix pagination support
* fix pagination support
Add comprehensive AWS support by implementing about 30 new resource collectors, updating service initialization and platform configuration, refactoring collector patterns for concurrency and pagination, and updating AWS SDK dependencies.
New Features:
* Add collectors for ~30 AWS resources across IAM, EC2, S3, KMS, Lambda, CloudFormation, CloudWatch, CloudTrail, SNS, SQS, and more
Enhancements:
* Extend Services struct to include and initialize clients for all AWS services
* Refactor collectors to use AWS SDK v2 paginators, worker pools, and include tags, inline/attached policies, and additional details
* Expand platform configuration to register all new AWS resource types
Build:
* Upgrade AWS SDK v2 to v1.37.1 and add service-specific modules in go.mod and go.sum
Add Go collector support for multiple new Alibaba Cloud resources by registering clients, constants and platform configuration, and implement detail functions for ECS Image, ECS Snapshot, API Gateway, SWAS, VPN Connection, Bastionhost, DTS, ECI ContainerGroup, and ECI ImageCache; refactor ACK cluster detail retrieval.
New Features:
* Support collection of ECS Images and ECS Snapshots
* Support collection of API Gateway resources
* Support collection of Simple Application Server (SWAS) instances
* Support collection of VPN Connection resources
* Support collection of Bastionhost instances
* Support collection of DTS Instances
* Support collection of ECI ContainerGroup and ECI ImageCache resources
Enhancements:
* Extend Services initialization to include new Alibaba Cloud SDK clients
* Refactor ACK cluster detail to aggregate associated cluster resources
- Improve the timeliness of asset collection in the case of multiple accounts
- Collection of abnormal logs and manual cloud account-triggered collection tasks
- Optimized frontend interaction and display for better user experience
- Other bug fixes
- Improve the timeliness of asset collection when there are multiple accounts
- Feed back collection exception logs; support manually triggering collection tasks for a cloud account
- Optimize frontend interaction and display to improve the user experience
- Other bug fixes
---------
Co-authored-by: j3ttt <[email protected]>
Co-authored-by: j3ttt <[email protected]>
…llogic fix: globalVariable upsertData illogic causes false negative in detection
fix: illogic when ruleCode exists but is not found in the database
fix: adjust database table structure format, frontend field initial values, and default user initialization to the admin role; chore: update static resource files
Add support for new Alibaba Cloud resources:
* GA Accelerator
* Elastic Cloud Phone (ECP) Instance
* ONS Instance
* EFLO Node
* Cloud Storage Gateway and its Storage Bundles
* DCDN Domains (standard and IPA)
* Live Domains
* VOD Domains
* SMS Templates
* API Gateway Apps
* ARMS Prometheus
* Elasticsearch
* Logstash
Bug Fixes:
* Restrict ECS image listing to ownerAlias "self"
Added:
* Alibaba Cloud-ACK-Cluster API exposed to the public Internet
* Alibaba Cloud-NAT-Gateway DNAT rules configured
* Alibaba Cloud-CloudFC-logging not enabled
* Alibaba Cloud-CloudFW-Cloud Firewall has ports other than 80/443 open
* Alibaba Cloud-ECI-ContainerGroup exposed to the public Internet
* Alibaba Cloud-ECS-custom Image sharing enabled
* Alibaba Cloud-ECS-IMDSv2 not used
* Alibaba Cloud-ECS-running in a VPC --
* Alibaba Cloud-ECS-data disk encryption not enabled
* Alibaba Cloud-Elasticsearch-instance data nodes without cloud disk encryption enabled
* Alibaba Cloud-ENS-instance has any port open to the whole Internet via a security group
* Alibaba Cloud-ENS NAT Gateway-instance has any port open to the whole Internet via an ACL
* Alibaba Cloud-FC-HTTP Trigger anonymous access
* Alibaba Cloud-MongoDB-instance audit logging not enabled
* Alibaba Cloud-MongoDb-running in a VPC
* Alibaba Cloud-OSS-OSS bucket not using server-side encryption
* Alibaba Cloud-PolarDB-instance audit logging not enabled
* Alibaba Cloud-RDS-SSL encryption not enabled
* Alibaba Cloud-Redis-running in a VPC
* Alibaba Cloud-SLS-Project Policy anonymous access
Optimized:
* Alibaba Cloud-ECS-instance security group opens high-risk ports to the public Internet: false positives caused by incorrect use of object.keys
* Alibaba Cloud-ECS-instance has any port open to the whole Internet via a security group: optimized result display to prevent 65535 rows of results being written to output
* Alibaba Cloud-ECS-security group inbound rule CIDR mask set to 8 or less: optimized displayed results, output the security group id for easier lookup
* Alibaba Cloud-RAM-RAM user permissions too broad: refined the permissions that need to be checked
* Alibaba Cloud-SLB-non-standard port open to the whole Internet: improved the determination of public SLBs; a private SLB can be accessed from the public Internet once an EIP is attached.
Removed:
* Alibaba Cloud-RAM-User account never used: duplicates the rule "Alibaba Cloud-RAM-User not used for more than one year"
* Alibaba Cloud-RAM-User AK without ACL not used for more than one year: duplicates the rule "Alibaba Cloud-RAM-User AK not used for more than one year"
* Alibaba Cloud-OSS-Bucket owning account has not disabled public access: enabling block public access is not evaluated here
New Features:
* Add rules for ACK Cluster API server exposure and ACL enforcement
* Introduce NAT Gateway DNAT table entry checks
* Detect Cloud Function HTTP Trigger anonymous Internet access
* Flag non-80/443 ports opened by Cloud Firewall
* Enforce public exposure checks for ECI ContainerGroup and ECS custom images
* Require ECS IMDSv2, VPC presence, and disk encryption
* Validate audit log settings for Elasticsearch, PolarDB, RDS, MongoDB, CloudLog Service, and Cloud Firewall
* Check anonymous access and server-side encryption for OSS buckets
* Ensure Redis and MongoDB are in VPCs, and SLS project policies are not anonymous
Enhancements:
* Standardize package names by stripping timestamp suffixes and unify helper functions (string-to-array, port-range splitting)
* Fix ECS high-risk port false positives and optimize result output and minimal drop-priority detection
* Refine RAM user/role permission analysis and SLB public/private classification
* Enrich rule messages with detailed descriptions and contextual risk fields
Chores:
* Remove duplicate RAM inactivity rules and redundant OSS public-access rule
…ignificantly improving collection speed (antgroup#70)
* fix: remove goroutine concurrency as it increased complexity without significantly improving collection speed
* swas using new sdk
* go mod tidy
1. Whitelist supports tenant isolation
2. Optimize the open api authentication method
3. Add an asset aggregation view
4. Optimize where tenant management is opened and its UI
5. Refactor whitelist-related code
Thank you for your contribution to CloudRec!