Refactored aws access keys in config, added them to encrypted parameter list and added ScoutSuite specific exception
This commit is contained in:
parent
761ed2ec43
commit
22194c566a
|
@ -32,3 +32,7 @@ class InvalidAWSKeys(Exception):
|
|||
|
||||
class NoInternetError(Exception):
|
||||
""" Raise to indicate problems caused when no internet connection is present"""
|
||||
|
||||
|
||||
class ScoutSuiteScanError(Exception):
|
||||
""" Raise to indicate problems ScoutSuite encountered during scanning"""
|
||||
|
|
|
@ -11,7 +11,8 @@ GUID = str(uuid.getnode())
|
|||
|
||||
EXTERNAL_CONFIG_FILE = os.path.join(os.path.abspath(os.path.dirname(sys.argv[0])), 'monkey.bin')
|
||||
|
||||
SENSITIVE_FIELDS = ["exploit_password_list", "exploit_user_list", "exploit_ssh_keys"]
|
||||
SENSITIVE_FIELDS = ["exploit_password_list", "exploit_user_list", "exploit_ssh_keys", "aws_secret_access_key",
|
||||
"aws_session_token"]
|
||||
LOCAL_CONFIG_VARS = ["name", "id", "current_server", "max_depth"]
|
||||
HIDDEN_FIELD_REPLACEMENT_CONTENT = "hidden"
|
||||
|
||||
|
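Review bot: `aws_access_key_id` is left out of the widened SENSITIVE_FIELDS list below `EXTERNAL_CONFIG_FILE`, while the ENCRYPTED_CONFIG_VALUES hunk in this same commit treats all three AWS fields alike; if SENSITIVE_FIELDS is what swaps values for HIDDEN_FIELD_REPLACEMENT_CONTENT before the configuration is displayed or sent (its consumer is outside this hunk), the access key ID — which together with the secret identifies the credential — would still go out in clear. Unless the ID must stay readable somewhere, add it: `SENSITIVE_FIELDS = ["exploit_password_list", "exploit_user_list", "exploit_ssh_keys", "aws_access_key_id", "aws_secret_access_key", "aws_session_token"]`. The new entries do match the Configuration attribute names introduced in the later hunk of this file, so no further rename is needed.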
@ -245,9 +246,9 @@ class Configuration(object):
|
|||
exploit_ntlm_hash_list = []
|
||||
exploit_ssh_keys = []
|
||||
|
||||
access_key_id = ''
|
||||
secret_access_key = ''
|
||||
session_token = ''
|
||||
aws_access_key_id = ''
|
||||
aws_secret_access_key = ''
|
||||
aws_session_token = ''
|
||||
|
||||
# smb/wmi exploiter
|
||||
smb_download_timeout = 300 # timeout in seconds
|
||||
|
|
|
@ -2,6 +2,7 @@ import logging
|
|||
|
||||
import infection_monkey.system_info.collectors.scoutsuite_collector.scoutsuite_api as scoutsuite_api
|
||||
from common.cloud.scoutsuite_consts import CloudProviders
|
||||
from common.utils.exceptions import ScoutSuiteScanError
|
||||
from infection_monkey.config import WormConfiguration
|
||||
from infection_monkey.telemetry.scoutsuite_telem import ScoutSuiteTelem
|
||||
|
||||
|
@ -12,17 +13,17 @@ def scan_cloud_security(cloud_type: CloudProviders):
|
|||
try:
|
||||
results = run_scoutsuite(cloud_type.value)
|
||||
if isinstance(results, dict) and 'error' in results and results['error']:
|
||||
raise Exception(results['error'])
|
||||
raise ScoutSuiteScanError(results['error'])
|
||||
send_results(results)
|
||||
except Exception as e:
|
||||
except (Exception, ScoutSuiteScanError) as e:
|
||||
logger.error(f"ScoutSuite didn't scan {cloud_type.value} security because: {e}")
|
||||
|
||||
|
||||
def run_scoutsuite(cloud_type: str):
|
||||
return scoutsuite_api.run(provider=cloud_type,
|
||||
aws_access_key_id=WormConfiguration.access_key_id,
|
||||
aws_secret_access_key=WormConfiguration.secret_access_key,
|
||||
aws_session_token=WormConfiguration.session_token)
|
||||
aws_access_key_id=WormConfiguration.aws_access_key_id,
|
||||
aws_secret_access_key=WormConfiguration.aws_secret_access_key,
|
||||
aws_session_token=WormConfiguration.aws_session_token)
|
||||
|
||||
|
||||
def send_results(results):
|
||||
|
|
|
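Review bot: The new `except (Exception, ScoutSuiteScanError) as e:` is redundant, since ScoutSuiteScanError is declared as a subclass of Exception in this commit, and the `raise ScoutSuiteScanError(results['error'])` inside the same try block is caught by that handler, so the new type never reaches a caller and the switch from `raise Exception(...)` is only cosmetic. If the intent is merely to log, `except Exception as e:` is enough; if ScoutSuite failures should be distinguishable from other errors, handle them in their own clause first (`except ScoutSuiteScanError as e:` followed by `except Exception as e:`) or let the specific one propagate. scan_cloud_security starts above this hunk. run_scoutsuite still has no docstring; a one-liner such as `"""Run a ScoutSuite scan for *cloud_type* with the AWS credentials held in WormConfiguration."""` would document which configuration fields it reads.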
@ -28,9 +28,9 @@ ENCRYPTED_CONFIG_VALUES = \
|
|||
LM_HASH_LIST_PATH,
|
||||
NTLM_HASH_LIST_PATH,
|
||||
SSH_KEYS_PATH,
|
||||
AWS_KEYS_PATH + ['access_key_id'],
|
||||
AWS_KEYS_PATH + ['secret_access_key'],
|
||||
AWS_KEYS_PATH + ['session_token']
|
||||
AWS_KEYS_PATH + ['aws_access_key_id'],
|
||||
AWS_KEYS_PATH + ['aws_secret_access_key'],
|
||||
AWS_KEYS_PATH + ['aws_session_token']
|
||||
]
|
||||
|
||||
|
||||
|
|
|
@ -98,15 +98,15 @@ INTERNAL = {
|
|||
"aws_keys": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"access_key_id": {
|
||||
"aws_access_key_id": {
|
||||
"type": "string",
|
||||
"default": ""
|
||||
},
|
||||
"secret_access_key": {
|
||||
"aws_secret_access_key": {
|
||||
"type": "string",
|
||||
"default": ""
|
||||
},
|
||||
"session_token": {
|
||||
"aws_session_token": {
|
||||
"type": "string",
|
||||
"default": ""
|
||||
}
|
||||
|
|
|
@ -35,16 +35,16 @@ def is_cloud_authentication_setup(provider: CloudProviders) -> Tuple[bool, str]:
|
|||
|
||||
|
||||
def is_aws_keys_setup():
|
||||
return (ConfigService.get_config_value(AWS_KEYS_PATH + ['access_key_id']) and
|
||||
ConfigService.get_config_value(AWS_KEYS_PATH + ['secret_access_key']))
|
||||
return (ConfigService.get_config_value(AWS_KEYS_PATH + ['aws_access_key_id']) and
|
||||
ConfigService.get_config_value(AWS_KEYS_PATH + ['aws_secret_access_key']))
|
||||
|
||||
|
||||
def set_aws_keys(access_key_id: str, secret_access_key: str, session_token: str):
|
||||
if not access_key_id or not secret_access_key:
|
||||
raise InvalidAWSKeys("Missing some of the following fields: access key ID, secret access key.")
|
||||
_set_aws_key('access_key_id', access_key_id)
|
||||
_set_aws_key('secret_access_key', secret_access_key)
|
||||
_set_aws_key('session_token', session_token)
|
||||
_set_aws_key('aws_access_key_id', access_key_id)
|
||||
_set_aws_key('aws_secret_access_key', secret_access_key)
|
||||
_set_aws_key('aws_session_token', session_token)
|
||||
|
||||
|
||||
def _set_aws_key(key_type: str, key_value: str):
|
||||
|
@ -54,9 +54,9 @@ def _set_aws_key(key_type: str, key_value: str):
|
|||
|
||||
|
||||
def get_aws_keys():
|
||||
return {'access_key_id': _get_aws_key('access_key_id'),
|
||||
'secret_access_key': _get_aws_key('secret_access_key'),
|
||||
'session_token': _get_aws_key('session_token')}
|
||||
return {'access_key_id': _get_aws_key('aws_access_key_id'),
|
||||
'secret_access_key': _get_aws_key('aws_secret_access_key'),
|
||||
'session_token': _get_aws_key('aws_session_token')}
|
||||
|
||||
|
||||
def _get_aws_key(key_type: str):
|
||||
|
|
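Review bot: `is_aws_keys_setup` returns the bare `and` expression, which in Python evaluates to the last operand rather than a boolean, so when both values are present the function hands back the AWS secret access key string itself; a caller that logs or serialises the result, or compares it with `== True`, would leak the secret or misbehave. Wrap it and annotate: `def is_aws_keys_setup() -> bool:` with `return bool(ConfigService.get_config_value(AWS_KEYS_PATH + ['aws_access_key_id']) and ConfigService.get_config_value(AWS_KEYS_PATH + ['aws_secret_access_key']))`. This behaviour predates the rename, but the sibling `is_cloud_authentication_setup` in the hunk header already carries a return annotation, so matching it here is consistent. In the second hunk, get_aws_keys deliberately keeps the old `'access_key_id'`-style dictionary keys while reading the renamed config paths; a comment such as `# response keys keep the pre-rename names that callers expect` would stop the mismatch from being "fixed" later.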