Small renamings and minor improvements

VakarisZ 2021-02-08 17:42:57 +02:00
parent 905ffd029a
commit a0bb0bc7fe
5 changed files with 40 additions and 25 deletions


@ -19,7 +19,8 @@ from .rule_names.sqs_rules import SQSRules
from .rule_names.vpc_rules import VPCRules from .rule_names.vpc_rules import VPCRules
class ScoutSuiteFinding(ABC): # Class which links ZT tests and rules to ScoutSuite finding
class ScoutSuiteFindingMap(ABC):
@property @property
@abstractmethod @abstractmethod
def rules(self) -> List[EC2Rules]: def rules(self) -> List[EC2Rules]:
@ -31,7 +32,7 @@ class ScoutSuiteFinding(ABC):
pass pass
class PermissiveFirewallRules(ScoutSuiteFinding): class PermissiveFirewallRules(ScoutSuiteFindingMap):
rules = [EC2Rules.SECURITY_GROUP_ALL_PORTS_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_TCP_PORT_TO_ALL, rules = [EC2Rules.SECURITY_GROUP_ALL_PORTS_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_TCP_PORT_TO_ALL,
EC2Rules.SECURITY_GROUP_OPENS_UDP_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_RDP_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_UDP_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_RDP_PORT_TO_ALL,
EC2Rules.SECURITY_GROUP_OPENS_SSH_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_MYSQL_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_SSH_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_MYSQL_PORT_TO_ALL,
@ -56,7 +57,7 @@ class PermissiveFirewallRules(ScoutSuiteFinding):
test = zero_trust_consts.TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES test = zero_trust_consts.TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES
class UnencryptedData(ScoutSuiteFinding): class UnencryptedData(ScoutSuiteFindingMap):
rules = [EC2Rules.EBS_SNAPSHOT_NOT_ENCRYPTED, EC2Rules.EBS_VOLUME_NOT_ENCRYPTED, rules = [EC2Rules.EBS_SNAPSHOT_NOT_ENCRYPTED, EC2Rules.EBS_VOLUME_NOT_ENCRYPTED,
EC2Rules.EC2_INSTANCE_WITH_USER_DATA_SECRETS, EC2Rules.EC2_INSTANCE_WITH_USER_DATA_SECRETS,
ELBv2Rules.ELBV2_LISTENER_ALLOWING_CLEARTEXT, ELBv2Rules.ELBV2_OLDER_SSL_POLICY, ELBv2Rules.ELBV2_LISTENER_ALLOWING_CLEARTEXT, ELBv2Rules.ELBV2_OLDER_SSL_POLICY,
@ -69,7 +70,7 @@ class UnencryptedData(ScoutSuiteFinding):
test = zero_trust_consts.TEST_SCOUTSUITE_UNENCRYPTED_DATA test = zero_trust_consts.TEST_SCOUTSUITE_UNENCRYPTED_DATA
class DataLossPrevention(ScoutSuiteFinding): class DataLossPrevention(ScoutSuiteFindingMap):
rules = [RDSRules.RDS_INSTANCE_BACKUP_DISABLED, RDSRules.RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD, rules = [RDSRules.RDS_INSTANCE_BACKUP_DISABLED, RDSRules.RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD,
RDSRules.RDS_INSTANCE_SINGLE_AZ, S3Rules.S3_BUCKET_NO_MFA_DELETE, S3Rules.S3_BUCKET_NO_VERSIONING, RDSRules.RDS_INSTANCE_SINGLE_AZ, S3Rules.S3_BUCKET_NO_MFA_DELETE, S3Rules.S3_BUCKET_NO_VERSIONING,
ELBv2Rules.ELBV2_NO_DELETION_PROTECTION] ELBv2Rules.ELBV2_NO_DELETION_PROTECTION]
@ -77,7 +78,7 @@ class DataLossPrevention(ScoutSuiteFinding):
test = zero_trust_consts.TEST_SCOUTSUITE_DATA_LOSS_PREVENTION test = zero_trust_consts.TEST_SCOUTSUITE_DATA_LOSS_PREVENTION
class SecureAuthentication(ScoutSuiteFinding): class SecureAuthentication(ScoutSuiteFindingMap):
rules = [ rules = [
IAMRules.IAM_USER_NO_ACTIVE_KEY_ROTATION, IAMRules.IAM_USER_NO_ACTIVE_KEY_ROTATION,
IAMRules.IAM_PASSWORD_POLICY_MINIMUM_LENGTH, IAMRules.IAM_PASSWORD_POLICY_MINIMUM_LENGTH,
@ -95,7 +96,7 @@ class SecureAuthentication(ScoutSuiteFinding):
test = zero_trust_consts.TEST_SCOUTSUITE_SECURE_AUTHENTICATION test = zero_trust_consts.TEST_SCOUTSUITE_SECURE_AUTHENTICATION
class RestrictivePolicies(ScoutSuiteFinding): class RestrictivePolicies(ScoutSuiteFindingMap):
rules = [ rules = [
IAMRules.IAM_ASSUME_ROLE_POLICY_ALLOWS_ALL, IAMRules.IAM_ASSUME_ROLE_POLICY_ALLOWS_ALL,
IAMRules.IAM_EC2_ROLE_WITHOUT_INSTANCES, IAMRules.IAM_EC2_ROLE_WITHOUT_INSTANCES,
@ -157,7 +158,7 @@ class RestrictivePolicies(ScoutSuiteFinding):
test = zero_trust_consts.TEST_SCOUTSUITE_RESTRICTIVE_POLICIES test = zero_trust_consts.TEST_SCOUTSUITE_RESTRICTIVE_POLICIES
class Logging(ScoutSuiteFinding): class Logging(ScoutSuiteFindingMap):
rules = [ rules = [
CloudTrailRules.CLOUDTRAIL_DUPLICATED_GLOBAL_SERVICES_LOGGING, CloudTrailRules.CLOUDTRAIL_DUPLICATED_GLOBAL_SERVICES_LOGGING,
CloudTrailRules.CLOUDTRAIL_NO_DATA_LOGGING, CloudTrailRules.CLOUDTRAIL_NO_DATA_LOGGING,
@ -177,7 +178,7 @@ class Logging(ScoutSuiteFinding):
test = zero_trust_consts.TEST_SCOUTSUITE_LOGGING test = zero_trust_consts.TEST_SCOUTSUITE_LOGGING
class ServiceSecurity(ScoutSuiteFinding): class ServiceSecurity(ScoutSuiteFindingMap):
rules = [ rules = [
CloudformationRules.CLOUDFORMATION_STACK_WITH_ROLE, CloudformationRules.CLOUDFORMATION_STACK_WITH_ROLE,
ELBv2Rules.ELBV2_HTTP_REQUEST_SMUGGLING, ELBv2Rules.ELBV2_HTTP_REQUEST_SMUGGLING,


@ -1,4 +1,4 @@
from .scoutsuite_findings import (DataLossPrevention, Logging, from .scoutsuite_finding_maps import (DataLossPrevention, Logging,
PermissiveFirewallRules, PermissiveFirewallRules,
RestrictivePolicies, RestrictivePolicies,
SecureAuthentication, ServiceSecurity, SecureAuthentication, ServiceSecurity,


@ -1,3 +1,5 @@
from enum import Enum
import dpath.util import dpath.util
from common.utils.exceptions import RulePathCreatorNotFound from common.utils.exceptions import RulePathCreatorNotFound
@ -5,22 +7,33 @@ from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_buil
RULE_PATH_CREATORS_LIST RULE_PATH_CREATORS_LIST
def __build_rule_to_rule_path_creator_hashmap():
hashmap = {}
for rule_path_creator in RULE_PATH_CREATORS_LIST:
for rule_name in rule_path_creator.supported_rules:
hashmap[rule_name] = rule_path_creator
return hashmap
RULE_TO_RULE_PATH_CREATOR_HASHMAP = __build_rule_to_rule_path_creator_hashmap()
class RuleParser: class RuleParser:
@staticmethod @staticmethod
def get_rule_data(scoutsuite_data, rule_name): def get_rule_data(scoutsuite_data: dict, rule_name: Enum) -> dict:
rule_path = RuleParser.get_rule_path(rule_name) rule_path = RuleParser._get_rule_path(rule_name)
return dpath.util.get(scoutsuite_data, rule_path) return dpath.util.get(scoutsuite_data, rule_path)
@staticmethod @staticmethod
def get_rule_path(rule_name): def _get_rule_path(rule_name: Enum):
creator = RuleParser.get_rule_path_creator(rule_name) creator = RuleParser._get_rule_path_creator(rule_name)
return creator.build_rule_path(rule_name) return creator.build_rule_path(rule_name)
@staticmethod @staticmethod
def get_rule_path_creator(rule_name): def _get_rule_path_creator(rule_name: Enum):
for rule_path_creator in RULE_PATH_CREATORS_LIST: try:
if rule_name in rule_path_creator.supported_rules: return RULE_TO_RULE_PATH_CREATOR_HASHMAP[rule_name]
return rule_path_creator except KeyError:
raise RulePathCreatorNotFound(f"Rule path creator not found for rule {rule_name.value}. Make sure to assign" raise RulePathCreatorNotFound(f"Rule path creator not found for rule {rule_name.value}. Make sure to assign"
f"this rule to any rule path creators.") f"this rule to any rule path creators.")
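Review bot: The new `__build_rule_to_rule_path_creator_hashmap` silently lets the last creator win when a rule name appears in more than one creator's `supported_rules`, whereas the linear scan it replaces returned the first match; an ambiguous mapping now changes which dpath is read from the ScoutSuite data without any signal. Add a guard inside the inner loop before the assignment: `if rule_name in hashmap: raise ValueError(f"Rule {rule_name} is claimed by more than one rule path creator")`. The `RulePathCreatorNotFound` message on the last two lines is still missing the space between the concatenated f-strings ("assignthis rule") — change the first to end with `"...Make sure to assign "`. Consider also `raise RulePathCreatorNotFound(...) from None` in the new `except KeyError` so the dict lookup does not leak into the traceback as the apparent cause.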


@ -1,4 +1,5 @@
from abc import ABC, abstractmethod from abc import ABC, abstractmethod
from enum import Enum
from typing import List from typing import List
from ...consts.service_consts import FINDINGS, SERVICE_TYPES, SERVICES from ...consts.service_consts import FINDINGS, SERVICE_TYPES, SERVICES
@ -17,6 +18,6 @@ class AbstractRulePathCreator(ABC):
pass pass
@classmethod @classmethod
def build_rule_path(cls, rule_name) -> List[str]: def build_rule_path(cls, rule_name: Enum) -> List[str]:
assert(rule_name in cls.supported_rules) assert(rule_name in cls.supported_rules)
return [SERVICES, cls.service_type.value, FINDINGS, rule_name.value] return [SERVICES, cls.service_type.value, FINDINGS, rule_name.value]
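Review bot: `build_rule_path` still validates its input with `assert(rule_name in cls.supported_rules)`, which is stripped when Python runs with `-O`, so an unsupported rule would then produce a dpath into a service it does not belong to instead of failing; the added `Enum` annotation does not change that. Replace it with an explicit check, e.g. `if rule_name not in cls.supported_rules: raise ValueError(f"{rule_name} is not supported by {cls.__name__}")`. The enclosing class starts outside this hunk.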


@ -1,6 +1,6 @@
from monkey_island.cc.models.zero_trust.scoutsuite_finding_details import ScoutSuiteFindingDetails from monkey_island.cc.models.zero_trust.scoutsuite_finding_details import ScoutSuiteFindingDetails
from monkey_island.cc.models.zero_trust.scoutsuite_rule import ScoutSuiteRule from monkey_island.cc.models.zero_trust.scoutsuite_rule import ScoutSuiteRule
from ..scoutsuite.consts.scoutsuite_findings import PermissiveFirewallRules, UnencryptedData from ..scoutsuite.consts.scoutsuite_finding_maps import PermissiveFirewallRules, UnencryptedData
SCOUTSUITE_FINDINGS = [ SCOUTSUITE_FINDINGS = [
PermissiveFirewallRules, PermissiveFirewallRules,