
Write a new Autofix in PacBot

KanchanaAradhya edited this page Sep 21, 2019 · 35 revisions

An autofix is written for a rule that you have already created and that is reporting violations. See the Create New Rule page for how to write the rule itself.

Follow the steps below to write a new autofix in PacBot.

  1. Create Autofix class using JAVA editor

  2. Enable Autofix for the Rule from PacBot Admin page

Create Autofix Class

To create a custom autofix class in PacBot, follow the steps below.

Step 1:

In Eclipse (Package Explorer), right-click and import the Rule Engine project, then import the batch commons project (the autofix base classes live in batch commons).

Step 2:

1.Create a Java class that extends the BaseFix class from batch commons.

2.Override the executeFix, backupExistingConfigForResource, isFixCandidate and addDetailsToTransactionLog methods.

3.Annotate the class with @PacmanFix, giving it a key and a description.

4.Put your autofix logic in the executeFix() method.

5.Put your backup logic in backupExistingConfigForResource(), so that the old configuration is stored before the fix is applied and can be restored if needed.

6.Put the logic that decides whether the resource is a fixable candidate in isFixCandidate(). It runs before the fix, so use it to confirm that the resource is still in violation and is one you intend to touch.

7.Put the logic that records what the fix did in addDetailsToTransactionLog(); this is what gets written to the autofix transaction log.
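As an added example (not code from the PacBot project), the class below shows what those four hooks can look like for the S3 public-access case: it revokes anonymous ACL grants and deletes a bucket policy that is open to any principal. The package name, the parameter lists of the four methods, the FixResult and PacmanSdkConstants types, the backupOldConfig() helper, the "client" map key and the "_resourceid" field name are assumptions; check them against BaseFix in batch commons before building. The S3 calls are from the AWS SDK for Java v1, and Gson is assumed to be on the classpath.

```java
package com.example.pacbot.autofix;   // hypothetical package name

import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.Grant;
import com.amazonaws.services.s3.model.GroupGrantee;
import com.google.gson.Gson;
import com.tmobile.pacman.commons.PacmanSdkConstants;
import com.tmobile.pacman.commons.autofix.BaseFix;
import com.tmobile.pacman.commons.autofix.FixResult;
import com.tmobile.pacman.commons.autofix.PacmanFix;
import com.tmobile.pacman.commons.exception.AutoFixException;

/**
 * Added example, not PacBot project code: removes anonymous access from an S3 bucket.
 * Method parameter lists, FixResult, PacmanSdkConstants, backupOldConfig(), the
 * "client" map key and the "_resourceid" field are assumptions to verify against
 * BaseFix in batch commons. S3 calls are AWS SDK for Java v1.
 */
@PacmanFix(key = "s3-anonymous-access-fix",
           desc = "Revokes AllUsers/AuthenticatedUsers ACL grants and deletes a bucket policy open to Principal *")
public class S3AnonymousAccessAutoFix extends BaseFix {

    private static final String CLIENT_KEY = "client";        // assumed key of the AmazonS3 client in clientMap
    private static final String RESOURCE_ID = "_resourceid";  // assumed issue/annotation field holding the bucket name

    // Heuristic for a public policy: a Principal of "*" or {"AWS":"*"}. A thorough check parses each
    // statement and also looks at Effect and Condition; a Condition on aws:SourceVpce, for example,
    // can make such a statement non-public, so this heuristic can over-match on restricted policies.
    private static final Pattern ANY_PRINCIPAL =
            Pattern.compile("\"Principal\"\\s*:\\s*(\"\\*\"|\\{\\s*\"AWS\"\\s*:\\s*\"\\*\"\\s*\\})");

    /** Runs before the fix: re-check the live bucket, because the stored issue may be stale. */
    @Override
    public boolean isFixCandidate(String resourceId, String resourceType, Map<String, Object> clientMap,
                                  Map<String, String> ruleParams, Map<String, String> issue) throws AutoFixException {
        AmazonS3 s3 = (AmazonS3) clientMap.get(CLIENT_KEY);
        return hasAnonymousGrant(s3.getBucketAcl(resourceId)) || hasPublicPolicy(currentPolicy(s3, resourceId));
    }

    /** Save the current ACL and policy so the change can be audited and reverted. */
    @Override
    public boolean backupExistingConfigForResource(String resourceId, String resourceType, Map<String, Object> clientMap,
                                                   Map<String, String> ruleParams, Map<String, String> issue) throws AutoFixException {
        AmazonS3 s3 = (AmazonS3) clientMap.get(CLIENT_KEY);
        Map<String, String> oldConfig = new HashMap<>();
        oldConfig.put("acl", s3.getBucketAcl(resourceId).toString());
        oldConfig.put("bucketPolicy", currentPolicy(s3, resourceId));
        // Assumed BaseFix helper that stores the old config through api.backup.asset.config.
        return backupOldConfig(resourceId, resourceType, new Gson().toJson(oldConfig));
    }

    /** Apply the fix. Both changes are idempotent, so re-running on an already fixed bucket is harmless. */
    @Override
    public FixResult executeFix(Map<String, String> issue, Map<String, Object> clientMap, Map<String, String> ruleParams) {
        AmazonS3 s3 = (AmazonS3) clientMap.get(CLIENT_KEY);
        String bucket = issue.get(RESOURCE_ID);
        AccessControlList acl = s3.getBucketAcl(bucket);
        if (hasAnonymousGrant(acl)) {
            acl.revokeAllPermissions(GroupGrantee.AllUsers);
            acl.revokeAllPermissions(GroupGrantee.AuthenticatedUsers);
            s3.setBucketAcl(bucket, acl);
        }
        if (hasPublicPolicy(currentPolicy(s3, bucket))) {
            s3.deleteBucketPolicy(bucket);
        }
        return new FixResult(PacmanSdkConstants.STATUS_SUCCESS_CODE, "anonymous access removed from bucket " + bucket);
    }

    /** Fields written to the autofix transaction log (pacman.es.auto.fix.transaction.index) for this fix. */
    @Override
    public Map<String, Object> addDetailsToTransactionLog(Map<String, String> annotation) {
        Map<String, Object> details = new HashMap<>();
        details.put("bucket", annotation.get(RESOURCE_ID));
        details.put("action", "revoked AllUsers/AuthenticatedUsers grants; deleted public bucket policy if present");
        return details;
    }

    private static String currentPolicy(AmazonS3 s3, String bucket) {
        String text = s3.getBucketPolicy(bucket).getPolicyText();   // null when the bucket has no policy
        return text == null ? "" : text;
    }

    private static boolean hasPublicPolicy(String policyText) {
        return ANY_PRINCIPAL.matcher(policyText).find();
    }

    private static boolean hasAnonymousGrant(AccessControlList acl) {
        for (Grant grant : acl.getGrantsAsList()) {
            if (GroupGrantee.AllUsers.equals(grant.getGrantee())
                    || GroupGrantee.AuthenticatedUsers.equals(grant.getGrantee())) {
                return true;
            }
        }
        return false;
    }
}
```

The fix only ever runs for accounts listed in the rule's autofix.whitelist.accounts property and only after the warning period configured in pacman.autofix.waittime, so the owner sees the warning mail before anything changes. Treat the AuthenticatedUsers grant as public too: it admits any AWS account, not just yours. If your SDK version supports it, enabling S3 Block Public Access on the bucket after the cleanup is the stronger fix, because it prevents the same grants from being re-added.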

Step 3:

Enter the properties below in pac_config_key_metadata and pac_config_properties, with the values required for the ruleId you want to autofix. Each rule-specific key is the property prefix followed by a dot and the ruleId.

NOTE : The rule IDs PacMan_S3GlobalAccess_version-1_S3BucketShouldnotpubliclyaccessble_s3 and PacMan_EC2WithPublicIPAccess_version-1_Ec2WithPublicAccess_ec2 are used as examples below. For your own autofix, add the same set of properties suffixed with your own ruleId.

Common properties for all autofixes

pacman.es.host:  Enter the Elasticsearch URL
pacman.es.port: Enter the Elasticsearch port
esLoggingLevel: DEBUG
heimdall-host: Enter the Heimdall ES URL
heimdall-port: Enter the Heimdall ES port
pacman.host: Enter the PacBot host
pacman.auto.fix.mail.cc.to: Enter comma-separated email addresses to be copied on autofix mails
pacman.auto.fix.orphan.resource.owner : Enter a single email address; it is used as the owner when no owner is found for a resource
pacman.auto.fix.role.name : role/pacbot
pacman.integrations.slack.webhook.url : Enter the Slack webhook URL (optional)
pacman.target.type.alias : Enter the target type alias, e.g. volume=ec2
autofix.cufoff.date : 3/28/2018
api.backup.asset.config : pacman.es.host/api/asset/v1/save-asset-config
api.resource.creationdate : pacman.es.host/api/asset/v1/get-resource-created-date
api.getlastaction : pacman.es.host/api/compliance/v1/get-last-action
api.postlastaction : pacman.es.host/api/compliance/v1/post-action
api.register.reactors.url : pacman.es.host/api/admin/reactors
api.auth.owner.slack.handle : 
pacman.auto.fix.tag.name : pac_auto_fix_do_not_delete
pacman.auto.fix.max.email.notifications : 2
pacman.auto.fix.resource.name.filter.pattern : 
pacman.es.stats.index : fre-stats
pacman.es.stats.type : execution-stats
pacman.es.auto.fix.transaction.index : fre-auto-fix-tran-log
pacman.es.auto.fix.transaction.type : transaction-log
pacman.api.sendmail : pacman.es.host/api/notifications/send-plain-text-mail
square.one.slack.channel : #square-1-alerts
pacman.auto.fix.mail.from : [email protected]
pacman.auto.fix.tag.salt : 
pacman.auto.fix.tag.encyption.algorithm : AES
pacman.exempted.mail.subject : PacMan AutoFix - Vulnerable resource is now exempted
pacman.autofix.exempted.types.for.cutoff.data : iam
pacman.autofix.non.taggable.services : iam
pacman.login.user.name : PacBot login user ID
pacman.login.password : PacBot login password
email.banner : Enter the S3 URL of pacman_emailheader.jpg
pacbot.autofix.resourceowner.fallbak.email : Enter a single email address or DL; mail is sent here when no Heimdall URL is configured
pacman.autofix.policy.url.path : Enter the PacBot host followed by /pl/(compliance/compliance-dashboard//details:policy-knowledgebase-details/${RULE_ID})?ag=aws-all&domain=Infra%20%26%20Platforms

NOTE : Most of these are set up by the installation, so you normally only need to add or update a few of them in the two tables mentioned above.

Rule-specific properties

Properties required for "Non whitelisted S3 buckets should not be publicly accessible" are as follows

autofix.whitelist.accounts.PacMan_S3GlobalAccess_version-1_S3BucketShouldnotpubliclyaccessble_s3 : Enter the comma-separated account numbers for which you want to run the autofix
pacman.auto.fix.mail.subject.PacMan_S3GlobalAccess_version-1_S3BucketShouldnotpubliclyaccessble_s3 : PacBot autofix action - S3 bucket policy with anonymous read/write access restored back
pacman.auto.warning.mail.subject.PacMan_S3GlobalAccess_version-1_S3BucketShouldnotpubliclyaccessble_s3 : PacBot autofix - S3 bucket detected with anonymous access
pacman.autofix.rule.violation.message.PacMan_S3GlobalAccess_version-1_S3BucketShouldnotpubliclyaccessble_s3 : an S3 bucket (<b>${RESOURCE_ID}</b>) from account (<b>${ACCOUNT_ID}</b>) of region (<b>${REGION}</b>) created by you is open to internet for anonymous access
pacman.autofix.rule.warning.message.PacMan_S3GlobalAccess_version-1_S3BucketShouldnotpubliclyaccessble_s3 : The permissions for this S3 bucket will be automatically fixed by PacBot after {days} days if no exception is granted.
pacman.autofix.rule.post.fix.message.PacMan_S3GlobalAccess_version-1_S3BucketShouldnotpubliclyaccessble_s3 : PacBot has now automatically revoked the public permissions of s3 bucket (<b>${RESOURCE_ID}</b>) created by you as it was a violation of
pacman.autofix.waittime.PacMan_S3GlobalAccess_version-1_S3BucketShouldnotpubliclyaccessble_s3 : 2
pacman.auto.fix.max.email.notifications.PacMan_S3GlobalAccess_version-1_S3BucketShouldnotpubliclyaccessble_s3 : 1

Properties required for "EC2 instances should not have any publicly accessible ports" are as follows

autofix.whitelist.accounts.PacMan_EC2WithPublicIPAccess_version-1_Ec2WithPublicAccess_ec2 : Enter the comma-separated account numbers for which you want to run the autofix
pacman.auto.fix.mail.subject.PacMan_EC2WithPublicIPAccess_version-1_Ec2WithPublicAccess_ec2 : PacBot autofix action - Ec2 with public access restored back
pacman.auto.warning.mail.subject.PacMan_EC2WithPublicIPAccess_version-1_Ec2WithPublicAccess_ec2 : PacBot autofix - Ec2 instance detected with public access
pacman.autofix.rule.violation.message.PacMan_EC2WithPublicIPAccess_version-1_Ec2WithPublicAccess_ec2 : an Ec2 instance  (<b>${RESOURCE_ID}</b>) from account (<b>${ACCOUNT_ID}</b>) of region (<b>${REGION}</b>) created by you is open to internet
pacman.autofix.rule.warning.message.PacMan_EC2WithPublicIPAccess_version-1_Ec2WithPublicAccess_ec2 : The access to this Ec2 instance will be automatically fixed by PacBot after {days} days if no exception is granted.
pacman.autofix.rule.post.fix.message.PacMan_EC2WithPublicIPAccess_version-1_Ec2WithPublicAccess_ec2 : PacBot has now automatically revoked the public access of this Ec2 instance created by you as it was a violation of
pacman.autofix.waittime.PacMan_EC2WithPublicIPAccess_version-1_Ec2WithPublicAccess_ec2 : 48
pacman.auto.fix.max.email.notifications.PacMan_EC2WithPublicIPAccess_version-1_Ec2WithPublicAccess_ec2 : 4
pacman.auto.fix.mail.template.columns.PacMan_EC2WithPublicIPAccess_version-1_Ec2WithPublicAccess_ec2 : Resource Id,Account Id,Region,Attached Sg,Detached Sg
pacman.auto.fix.common.email.notifications.PacMan_EC2WithPublicIPAccess_version-1_Ec2WithPublicAccess_ec2 : commonTemplate

Properties required for "Application ELB should not be exposed to internet" are as follows

autofix.whitelist.accounts.PacMan_ElbWithPublicAccess_version-1_ApplicationElbWithPublicAccess_appelb : Enter the comma-separated account numbers for which you want to run the autofix
pacman.auto.fix.mail.subject.PacMan_ElbWithPublicAccess_version-1_ApplicationElbWithPublicAccess_appelb : PacBot autofix action - Application ELB with public access restored back
pacman.auto.warning.mail.subject.PacMan_ElbWithPublicAccess_version-1_ApplicationElbWithPublicAccess_appelb : PacBot autofix - Application ELB detected with public access
pacman.autofix.rule.violation.message.PacMan_ElbWithPublicAccess_version-1_ApplicationElbWithPublicAccess_appelb : an Application ELB (<b>${RESOURCE_ID}</b>) from account (<b>${ACCOUNT_ID}</b>) of region (<b>${REGION}</b>) created by you is open to internet
pacman.autofix.rule.warning.message.PacMan_ElbWithPublicAccess_version-1_ApplicationElbWithPublicAccess_appelb : The access to this Application ELB will be automatically fixed by PacBot after {days} days if no exception is granted.
pacman.autofix.rule.post.fix.message.PacMan_ElbWithPublicAccess_version-1_ApplicationElbWithPublicAccess_appelb : PacBot has now automatically revoked the public access of this Application ELB created by you as it was a violation of
pacman.autofix.waittime.PacMan_ElbWithPublicAccess_version-1_ApplicationElbWithPublicAccess_appelb : 48
pacman.auto.fix.max.email.notifications.PacMan_ElbWithPublicAccess_version-1_ApplicationElbWithPublicAccess_appelb : 4
pacman.auto.fix.mail.template.columns.PacMan_ElbWithPublicAccess_version-1_ApplicationElbWithPublicAccess_appelb : Resource Id,Account Id,Region,Attached Sg,Detached Sg
pacman.auto.fix.common.email.notifications.PacMan_ElbWithPublicAccess_version-1_ApplicationElbWithPublicAccess_appelb : commonTemplate

Properties required for "Classic ELB should not be exposed to internet" are as follows

autofix.whitelist.accounts.PacMan_ElbWithPublicAccess_version-1_ClassicElbWithPublicAccess_classicelb : Enter the comma-separated account numbers for which you want to run the autofix
pacman.auto.fix.mail.subject.PacMan_ElbWithPublicAccess_version-1_ClassicElbWithPublicAccess_classicelb : PacBot autofix action - Classic ELB with public access restored back
pacman.auto.warning.mail.subject.PacMan_ElbWithPublicAccess_version-1_ClassicElbWithPublicAccess_classicelb : PacBot autofix - Classic ELB detected with public access
pacman.autofix.rule.violation.message.PacMan_ElbWithPublicAccess_version-1_ClassicElbWithPublicAccess_classicelb : a Classic ELB (<b>${RESOURCE_ID}</b>) from account (<b>${ACCOUNT_ID}</b>) of region (<b>${REGION}</b>) created by you is open to internet
pacman.autofix.rule.warning.message.PacMan_ElbWithPublicAccess_version-1_ClassicElbWithPublicAccess_classicelb : The access to this Classic ELB will be automatically fixed by PacBot after {days} days if no exception is granted.
pacman.autofix.rule.post.fix.message.PacMan_ElbWithPublicAccess_version-1_ClassicElbWithPublicAccess_classicelb : PacBot has now automatically revoked the public access of this Classic ELB created by you as it was a violation of
pacman.autofix.waittime.PacMan_ElbWithPublicAccess_version-1_ClassicElbWithPublicAccess_classicelb : 48
pacman.auto.fix.max.email.notifications.PacMan_ElbWithPublicAccess_version-1_ClassicElbWithPublicAccess_classicelb : 4
pacman.auto.fix.mail.template.columns.PacMan_ElbWithPublicAccess_version-1_ClassicElbWithPublicAccess_classicelb : Resource Id,Account Id,Region,Attached Sg,Detached Sg
pacman.auto.fix.common.email.notifications.PacMan_ElbWithPublicAccess_version-1_ClassicElbWithPublicAccess_classicelb : commonTemplate

Properties required for "Redshift attached Security Group should not be publicly accessible" are as follows

autofix.whitelist.accounts.PacMan_RedShiftPublicAccess_version-1_RedShiftPublicAccess_redshift : Enter the comma-separated account numbers for which you want to run the autofix
pacman.auto.fix.mail.subject.PacMan_RedShiftPublicAccess_version-1_RedShiftPublicAccess_redshift : PacBot autofix action - Redshift with public access restored back
pacman.auto.warning.mail.subject.PacMan_RedShiftPublicAccess_version-1_RedShiftPublicAccess_redshift : PacBot autofix - Redshift detected with public access
pacman.autofix.rule.violation.message.PacMan_RedShiftPublicAccess_version-1_RedShiftPublicAccess_redshift : Redshift cluster (<b>${RESOURCE_ID}</b>) from account (<b>${ACCOUNT_ID}</b>) of region (<b>${REGION}</b>) created by you is open to internet
pacman.autofix.rule.warning.message.PacMan_RedShiftPublicAccess_version-1_RedShiftPublicAccess_redshift : The access to this Redshift will be automatically fixed by PacBot after {days} days if no exception is granted.
pacman.autofix.rule.post.fix.message.PacMan_RedShiftPublicAccess_version-1_RedShiftPublicAccess_redshift : PacBot has now automatically revoked the public access of this Redshift created by you as it was a violation of
pacman.autofix.waittime.PacMan_RedShiftPublicAccess_version-1_RedShiftPublicAccess_redshift : 48
pacman.auto.fix.max.email.notifications.PacMan_RedShiftPublicAccess_version-1_RedShiftPublicAccess_redshift : 4
pacman.auto.fix.mail.template.columns.PacMan_RedShiftPublicAccess_version-1_RedShiftPublicAccess_redshift : Resource Id,Account Id,Region,Attached Sg,Detached Sg
pacman.auto.fix.common.email.notifications.PacMan_RedShiftPublicAccess_version-1_RedShiftPublicAccess_redshift : commonTemplate

Properties required for "RDS database endpoints should not be publicly accessible" are as follows

autofix.whitelist.accounts.PacMan_rdsdb_version-1_RdsDbPublicAccess_rdsdb : Enter the comma-separated account numbers for which you want to run the autofix
pacman.auto.fix.mail.subject.PacMan_rdsdb_version-1_RdsDbPublicAccess_rdsdb : PacBot autofix action - Rds Db with public access restored back
pacman.auto.warning.mail.subject.PacMan_rdsdb_version-1_RdsDbPublicAccess_rdsdb : PacBot autofix - Rds Db detected with public access
pacman.autofix.rule.violation.message.PacMan_rdsdb_version-1_RdsDbPublicAccess_rdsdb : RDS database (<b>${RESOURCE_ID}</b>) from account (<b>${ACCOUNT_ID}</b>) of region (<b>${REGION}</b>) created by you is open to internet
pacman.autofix.rule.warning.message.PacMan_rdsdb_version-1_RdsDbPublicAccess_rdsdb : The access to this Rds db will be automatically fixed by PacBot after {days} days if no exception is granted.
pacman.autofix.rule.post.fix.message.PacMan_rdsdb_version-1_RdsDbPublicAccess_rdsdb : PacBot has now automatically revoked the public access of this Rds Db created by you as it was a violation of
pacman.autofix.waittime.PacMan_rdsdb_version-1_RdsDbPublicAccess_rdsdb : 48
pacman.auto.fix.max.email.notifications.PacMan_rdsdb_version-1_RdsDbPublicAccess_rdsdb : 4
pacman.auto.fix.mail.template.columns.PacMan_rdsdb_version-1_RdsDbPublicAccess_rdsdb : Resource Id,Account Id,Region,Attached Sg,Detached Sg
pacman.auto.fix.common.email.notifications.PacMan_rdsdb_version-1_RdsDbPublicAccess_rdsdb : commonTemplate

Properties required for "Elastic Search endpoint should not be open to internet" are as follows

autofix.whitelist.accounts.PacMan_ElasticSearchPublicAccess_version-1_ElasticSearchPublicAccessRule_elasticsearch : Enter the comma-separated account numbers for which you want to run the autofix
pacman.auto.fix.mail.subject.PacMan_ElasticSearchPublicAccess_version-1_ElasticSearchPublicAccessRule_elasticsearch : PacBot autofix action - Elasticsearch with public access restored back
pacman.auto.warning.mail.subject.PacMan_ElasticSearchPublicAccess_version-1_ElasticSearchPublicAccessRule_elasticsearch : PacBot autofix - Elasticsearch detected with public access
pacman.autofix.rule.violation.message.PacMan_ElasticSearchPublicAccess_version-1_ElasticSearchPublicAccessRule_elasticsearch : Elasticsearch domain (<b>${RESOURCE_ID}</b>) from account (<b>${ACCOUNT_ID}</b>) of region (<b>${REGION}</b>) created by you is open to internet
pacman.autofix.rule.warning.message.PacMan_ElasticSearchPublicAccess_version-1_ElasticSearchPublicAccessRule_elasticsearch : The access to this Elasticsearch will be automatically fixed by PacBot after {days} days if no exception is granted.
pacman.autofix.rule.post.fix.message.PacMan_ElasticSearchPublicAccess_version-1_ElasticSearchPublicAccessRule_elasticsearch : PacBot has now automatically revoked the public access of this Elasticsearch created by you as it was a violation of
pacman.autofix.waittime.PacMan_ElasticSearchPublicAccess_version-1_ElasticSearchPublicAccessRule_elasticsearch : 48
pacman.auto.fix.max.email.notifications.PacMan_ElasticSearchPublicAccess_version-1_ElasticSearchPublicAccessRule_elasticsearch : 4
pacman.auto.fix.mail.template.columns.PacMan_ElasticSearchPublicAccess_version-1_ElasticSearchPublicAccessRule_elasticsearch : Resource Id,Account Id,Region,Attached Sg,Detached Sg
pacman.auto.fix.common.email.notifications.PacMan_ElasticSearchPublicAccess_version-1_ElasticSearchPublicAccessRule_elasticsearch : commonTemplate

Properties required for "Security groups should not be in unused state" are as follows

autofix.whitelist.accounts.PacMan_Unused-Security-group_version-1_UnusedSecurityGroup_sg : Enter the comma-separated account numbers for which you want to run the autofix
pacman.autofix.contact.PacMan_Unused-Security-group_version-1_UnusedSecurityGroup_sg : Enter the email address the report is sent to
pacman.autofix.fix.type.PacMan_Unused-Security-group_version-1_UnusedSecurityGroup_sg : silent
pacman.auto.fix.mail.subject.PacMan_Unused-Security-group_version-1_UnusedSecurityGroup_sg : PacBot - Unused AWS Security Group Auto Deleted Report which are created by PacBot
pacman.autofix.fix.notify.PacMan_Unused-Security-group_version-1_UnusedSecurityGroup_sg : Enter the email address(es) to notify
pacman.autofix.rule.post.fix.message.PacMan_Unused-Security-group_version-1_UnusedSecurityGroup_sg : PacBot has now automatically deleted the following list of unused security group resources which are created by PacBot
pacman.auto.fix.mail.template.columns.PacMan_Unused-Security-group_version-1_UnusedSecurityGroup_sg : Resource Id,Account Id,Region,Group Name
pacman.auto.fix.common.email.notifications.PacMan_Unused-Security-group_version-1_UnusedSecurityGroup_sg : commonTemplate

NOTE : 1.The fix type here is silent, so no notification is sent before the fix; a single consolidated notification is sent after the resources are fixed in bulk.
2.This autofix deletes only the unused security groups that PacBot itself created while running the other public-access autofixes; security groups created by users are not touched.

Properties required for "Elastic Ip's should not be in unused state" are as follows

autofix.whitelist.accounts.PacMan_UnusedElasticIpRule_version-1_UnusedElasticIpRule_elasticip : Enter the comma-separated account numbers for which you want to run the autofix
pacman.autofix.contact.PacMan_UnusedElasticIpRule_version-1_UnusedElasticIpRule_elasticip : Enter the email address the report is sent to
pacman.autofix.fix.type.PacMan_UnusedElasticIpRule_version-1_UnusedElasticIpRule_elasticip : silent
pacman.auto.fix.mail.subject.PacMan_UnusedElasticIpRule_version-1_UnusedElasticIpRule_elasticip : PacBot - AWS Unassociated Elastic IP Addresses Auto Delete Report
pacman.autofix.fix.notify.PacMan_UnusedElasticIpRule_version-1_UnusedElasticIpRule_elasticip : Enter the email address(es) to notify
pacman.autofix.issue.creation.time.elapsed.PacMan_UnusedElasticIpRule_version-1_UnusedElasticIpRule_elasticip : 72
pacman.autofix.rule.post.fix.message.PacMan_UnusedElasticIpRule_version-1_UnusedElasticIpRule_elasticip : PacBot has now automatically deleted the following list of Unassociated Elastic IP Addresses
pacman.auto.fix.mail.template.columns.PacMan_UnusedElasticIpRule_version-1_UnusedElasticIpRule_elasticip : Resource Id,Account Id,Region,Allocation Id
pacman.auto.fix.common.email.notifications.PacMan_UnusedElasticIpRule_version-1_UnusedElasticIpRule_elasticip : commonTemplate

NOTE : 1.The fix type here is silent, so no notification is sent before the fix; a single consolidated notification is sent after the resources are fixed in bulk.
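All of the rule-specific keys above follow one convention: a fixed prefix, a dot, then the ruleId. Because a new block is usually made by copying a previous rule's block and changing the suffix, the typical mistakes are a key left with the old ruleId, a required key dropped, or an "Enter the ..." placeholder never replaced with a real value. The following added example (not PacBot code) checks one rule's block for exactly those mistakes before you load it into pac_config_properties. The required-key lists are taken from the sections above; the sample block in main() is constructed and deliberately contains a stale ruleId and an unfilled whitelist.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Properties;
import java.util.regex.Pattern;

/** Added example, not PacBot code: sanity-checks one rule's autofix property block. */
public class AutofixPropertyCheck {

    // Per-rule keys this page lists for the warn-then-fix autofixes (S3, EC2, ELB, Redshift, RDS, ES).
    static final List<String> NOTIFY_FIX_KEYS = Arrays.asList(
            "autofix.whitelist.accounts", "pacman.auto.fix.mail.subject", "pacman.auto.warning.mail.subject",
            "pacman.autofix.rule.violation.message", "pacman.autofix.rule.warning.message",
            "pacman.autofix.rule.post.fix.message", "pacman.autofix.waittime",
            "pacman.auto.fix.max.email.notifications");
    // Per-rule keys this page lists for the silent bulk-delete autofixes (unused SG, unused EIP).
    static final List<String> SILENT_FIX_KEYS = Arrays.asList(
            "autofix.whitelist.accounts", "pacman.autofix.contact", "pacman.autofix.fix.type",
            "pacman.auto.fix.mail.subject", "pacman.autofix.fix.notify", "pacman.autofix.rule.post.fix.message",
            "pacman.auto.fix.mail.template.columns", "pacman.auto.fix.common.email.notifications");
    // Instruction text from this page left in place of a real value.
    static final Pattern PLACEHOLDER = Pattern.compile("(Enter |To whom )", Pattern.CASE_INSENSITIVE);
    static final Pattern ACCOUNT_ID = Pattern.compile("\\d{12}");

    /** Returns the problems found in the "key : value" block for ruleId; empty when the block is clean. */
    static List<String> checkRuleSection(String section, String ruleId, boolean silent) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(section));   // java.util.Properties accepts "key : value" lines
        List<String> problems = new ArrayList<>();
        String suffix = "." + ruleId;
        for (String key : props.stringPropertyNames()) {
            if (!key.endsWith(suffix)) {
                problems.add("key does not belong to " + ruleId + ": " + key);
            }
        }
        for (String prefix : silent ? SILENT_FIX_KEYS : NOTIFY_FIX_KEYS) {
            String value = props.getProperty(prefix + suffix);
            if (value == null) {
                problems.add("missing: " + prefix + suffix);
            } else if (PLACEHOLDER.matcher(value).lookingAt()) {
                problems.add("placeholder not filled in: " + prefix + suffix);
            }
        }
        String whitelist = props.getProperty("autofix.whitelist.accounts" + suffix, "");
        if (!whitelist.isEmpty() && !PLACEHOLDER.matcher(whitelist).lookingAt()) {
            for (String acct : whitelist.split(",")) {
                if (!ACCOUNT_ID.matcher(acct.trim()).matches()) {
                    problems.add("not a 12-digit AWS account id in whitelist: " + acct.trim());
                }
            }
        }
        String wait = props.getProperty("pacman.autofix.waittime" + suffix);
        if (wait != null && !wait.matches("\\d+")) {
            problems.add("waittime must be a non-negative integer: " + wait);
        }
        if (silent && !"silent".equals(props.getProperty("pacman.autofix.fix.type" + suffix))) {
            problems.add("pacman.autofix.fix.type must be 'silent' for a silent autofix");
        }
        return problems;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a partial copy of the Elasticsearch block from this page, with the
        // whitelist placeholder left in and the last key still carrying the RDS rule id.
        String esRule = "PacMan_ElasticSearchPublicAccess_version-1_ElasticSearchPublicAccessRule_elasticsearch";
        String sample = String.join("\n",
                "autofix.whitelist.accounts." + esRule + " : Enter the comma-separated account numbers for which you want to run the autofix",
                "pacman.auto.fix.mail.subject." + esRule + " : PacBot autofix action - Elasticsearch with public access restored back",
                "pacman.autofix.waittime." + esRule + " : 48",
                "pacman.auto.fix.max.email.notifications." + esRule + " : 4",
                "pacman.auto.fix.common.email.notifications.PacMan_rdsdb_version-1_RdsDbPublicAccess_rdsdb : commonTemplate");
        for (String problem : checkRuleSection(sample, esRule, false)) {
            System.out.println(problem);
        }
    }
}
```

Run it against each rule's block before inserting the rows; for the two silent autofixes pass true as the third argument so the silent key set is used. The whitelist check matters most: the account list is what scopes a fix that deletes or rewrites resources, so a typo there either leaves an account unprotected or points the fix at the wrong one.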