
Allows access to GHE only from Salt Master and Trusted IPs; WAF log4j Rule Improved

To be tagged v3.3.1
Fred Damstra [afs macbook] 3 년 전
부모
커밋
97480c8581
3개의 변경된 파일100개의 추가작업 그리고 21개의 파일을 삭제
  1. 0 2
      base/aws_client_vpn/vpn.tf
  2. 28 3
      base/github/securitygroups-load-balancers.tf
  3. 72 16
      submodules/wafv2/waf.tf

+ 0 - 2
base/aws_client_vpn/vpn.tf

@@ -38,8 +38,6 @@ resource "aws_ec2_client_vpn_endpoint" "vpn" {
   # Possible required with zscalar?
   transport_protocol = "udp"
 
-  tags = merge(var.standard_tags, var.tags)
-}
 
 resource "aws_ec2_client_vpn_network_association" "vpn_subnets" {
   count = local.redundancy_count

+ 28 - 3
base/github/securitygroups-load-balancers.tf

@@ -1,6 +1,31 @@
 #----------------------------------------------------------------
 # SG for the external ELB
 #----------------------------------------------------------------
+locals {
+  # from https://config.zscaler.com/zscalergov.net/cenr
+  zscalar_cidrs = [
+    "165.225.3.0/24",
+    "136.226.10.0/23",
+    "136.226.12.0/23",
+    "136.226.14.0/23",
+    "165.225.46.0/24",
+    "136.226.6.0/23",
+    "136.226.4.0/23",
+    "136.226.8.0/23",
+    "136.226.22.0/24",
+    "165.225.48.0/24",
+    "136.226.18.0/23",
+    "136.226.16.0/23",
+    "136.226.20.0/23",
+  ]
+  # Locking down sources on 2021-12-10 due to log4j vulnerability
+  #allowed_sources = local.zscalar_cidrs
+  #allowed_sources = concat(var.trusted_ips, local.zscalar_cidrs)
+  # salt masters only for the weekend
+  allowed_sources = [ "18.253.198.129/32" ]
+  #allowed_sources = [ "0.0.0.0/0" ]
+}
+
 resource "aws_security_group" "ghe_elb_external" {
   name_prefix = "ghe_elb_external"
   tags = merge( var.standard_tags, var.tags, { Name = "github-external-lb" } )
@@ -11,7 +36,7 @@ resource "aws_security_group" "ghe_elb_external" {
 resource "aws_security_group_rule" "ghe_elb_external_inbound_https_22_cidr" {
   security_group_id        = aws_security_group.ghe_elb_external.id
   type                     = "ingress"
-  cidr_blocks              = [ "0.0.0.0/0" ]
+  cidr_blocks              = local.allowed_sources
   from_port                = 22
   to_port                  = 22
   protocol                 = "tcp"
@@ -21,7 +46,7 @@ resource "aws_security_group_rule" "ghe_elb_external_inbound_https_22_cidr" {
 resource "aws_security_group_rule" "ghe_elb_external_inbound_http_cidr" {
   security_group_id        = aws_security_group.ghe_elb_external.id
   type                     = "ingress"
-  cidr_blocks              = [ "0.0.0.0/0" ]
+  cidr_blocks              = local.allowed_sources
   from_port                = 80
   to_port                  = 80
   protocol                 = "tcp"
@@ -31,7 +56,7 @@ resource "aws_security_group_rule" "ghe_elb_external_inbound_http_cidr" {
 resource "aws_security_group_rule" "ghe_elb_external_inbound_https_cidr" {
   security_group_id        = aws_security_group.ghe_elb_external.id
   type                     = "ingress"
-  cidr_blocks              = [ "0.0.0.0/0" ]
+  cidr_blocks              = local.allowed_sources
   from_port                = 443
   to_port                  = 444
   protocol                 = "tcp"
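Review bot: The `allowed_sources` that actually takes effect in the new `locals` block (first hunk of this file) is the single hard-coded host `[ "18.253.198.129/32" ]`, so the `var.trusted_ips` named in the commit title never reaches the three ingress rules on ports 22, 80 and 443-444 — the `concat(var.trusted_ips, local.zscalar_cidrs)` variant is left commented out. If a salt-master-only window is intended, the literal should come from a module input rather than being embedded in the file (e.g. a `var.salt_master_cidrs` variable, name to be chosen), and the `# salt masters only for the weekend` comment should carry its revert condition, e.g. `# TEMPORARY 2021-12-10 (log4j response): salt master only; revert to concat(var.trusted_ips, local.zscalar_cidrs) by <revert date/ticket>`. The Zscaler ranges are snapshotted into code with no refresh mechanism, so the `# from https://config.zscaler.com/...` comment should also record the snapshot date. As a point of style, `zscalar` in the local name and comments is a misspelling of Zscaler.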

+ 72 - 16
submodules/wafv2/waf.tf

@@ -40,7 +40,7 @@ resource "aws_wafv2_ip_set" "allowed" {
 }
 
 resource "aws_wafv2_rule_group" "xdr_custom_rules" {
-  name = "${local.waf_name}_xdr_custom_rules_rev2" # update name when updating
+  name = "${local.waf_name}_xdr_custom_rules_rev3" # update name when updating
   scope    = "REGIONAL"
   capacity = 50
 
@@ -110,40 +110,96 @@ resource "aws_wafv2_rule_group" "xdr_custom_rules" {
                 name = "user-agent"
               }
             }
-            positional_constraint = "STARTS_WITH"
-            search_string = "$${jndi:ldap://"
+            positional_constraint = "CONTAINS"
+            search_string = "$${jndi:" # ldap://"
+
+            text_transformation {
+              priority = 1
+              type     = "BASE64_DECODE"
+            }
+
+            text_transformation {
+              priority = 3
+              type     = "HEX_DECODE"
+            }
+
             text_transformation {
-              priority = 2
+              priority = 5
               type     = "LOWERCASE"
             }
           }
         }
+
         statement {
           byte_match_statement {
             field_to_match {
-              single_header {
-                name = "user-agent"
-              }
+              method {}
             }
-            positional_constraint = "STARTS_WITH"
-            search_string = "$${jndi:rmi:"
+            positional_constraint = "CONTAINS"
+            search_string = "$${jndi:" # ldap://"
+
             text_transformation {
-              priority = 2
+              priority = 1
+              type     = "BASE64_DECODE"
+            }
+
+            text_transformation {
+              priority = 3
+              type     = "HEX_DECODE"
+            }
+
+            text_transformation {
+              priority = 5
               type     = "LOWERCASE"
             }
           }
         }
+
         statement {
           byte_match_statement {
             field_to_match {
-              single_header {
-                name = "user-agent"
-              }
+              query_string {}
+            }
+            positional_constraint = "CONTAINS"
+            search_string = "$${jndi:" # ldap://"
+
+            text_transformation {
+              priority = 1
+              type     = "BASE64_DECODE"
+            }
+
+            text_transformation {
+              priority = 3
+              type     = "HEX_DECODE"
+            }
+
+            text_transformation {
+              priority = 5
+              type     = "LOWERCASE"
             }
-            positional_constraint = "STARTS_WITH"
-            search_string = "$${jndi:dns:"
+          }
+        }
+
+        statement {
+          byte_match_statement {
+            field_to_match {
+              uri_path {}
+            }
+            positional_constraint = "CONTAINS"
+            search_string = "$${jndi:" # ldap://"
+
+            text_transformation {
+              priority = 1
+              type     = "BASE64_DECODE"
+            }
+
+            text_transformation {
+              priority = 3
+              type     = "HEX_DECODE"
+            }
+
             text_transformation {
-              priority = 2
+              priority = 5
               type     = "LOWERCASE"
             }
           }
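Review bot: Each `byte_match_statement` in the second hunk now runs `BASE64_DECODE` (priority 1) and `HEX_DECODE` (priority 3) before `LOWERCASE`, and AWS WAF matches once against the fully transformed text, so whether a plain, un-encoded `${jndi:` is still caught depends on how those transformations treat input that is not valid Base64/hex — confirm against the AWS WAF text-transformation documentation, or keep a `LOWERCASE`-only statement per field alongside the decoding ones as a safety net. The four statements cover user-agent, method, query string and URI path but not the request body (`body {}`) or other headers, so this rule group is a partial control; the AWS managed `AWSManagedRulesKnownBadInputsRuleSet` (whose Log4JRCE rule targets this issue) is the more complete layer and can be attached in addition. With four statements each carrying three transformations, the group's fixed `capacity = 50` (context of the first hunk) is likely to be exceeded — recompute the WCUs before applying, since a rule group's capacity cannot be changed after creation. The residue `# ldap://"` after every `search_string` reads as a dangling quote; drop it or replace it with `# was "$${jndi:ldap://"; widened to any jndi: scheme`.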