Small renamings and minor improvements
This commit is contained in:
VakarisZ
parent
905ffd029a
commit
a0bb0bc7fe
|
|
@ -19,7 +19,8 @@ from .rule_names.sqs_rules import SQSRules
|
||||||
from .rule_names.vpc_rules import VPCRules
|
from .rule_names.vpc_rules import VPCRules
|
||||||
|
|
||||||
|
|
||||||
class ScoutSuiteFinding(ABC):
|
# Class which links ZT tests and rules to ScoutSuite finding
|
||||||
|
class ScoutSuiteFindingMap(ABC):
|
||||||
@property
|
@property
|
||||||
@abstractmethod
|
@abstractmethod
|
||||||
def rules(self) -> List[EC2Rules]:
|
def rules(self) -> List[EC2Rules]:
|
||||||
|
|
@ -31,7 +32,7 @@ class ScoutSuiteFinding(ABC):
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
|
||||||
class PermissiveFirewallRules(ScoutSuiteFinding):
|
class PermissiveFirewallRules(ScoutSuiteFindingMap):
|
||||||
rules = [EC2Rules.SECURITY_GROUP_ALL_PORTS_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_TCP_PORT_TO_ALL,
|
rules = [EC2Rules.SECURITY_GROUP_ALL_PORTS_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_TCP_PORT_TO_ALL,
|
||||||
EC2Rules.SECURITY_GROUP_OPENS_UDP_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_RDP_PORT_TO_ALL,
|
EC2Rules.SECURITY_GROUP_OPENS_UDP_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_RDP_PORT_TO_ALL,
|
||||||
EC2Rules.SECURITY_GROUP_OPENS_SSH_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_MYSQL_PORT_TO_ALL,
|
EC2Rules.SECURITY_GROUP_OPENS_SSH_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_MYSQL_PORT_TO_ALL,
|
||||||
|
|
@ -56,7 +57,7 @@ class PermissiveFirewallRules(ScoutSuiteFinding):
|
||||||
test = zero_trust_consts.TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES
|
test = zero_trust_consts.TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES
|
||||||
|
|
||||||
|
|
||||||
class UnencryptedData(ScoutSuiteFinding):
|
class UnencryptedData(ScoutSuiteFindingMap):
|
||||||
rules = [EC2Rules.EBS_SNAPSHOT_NOT_ENCRYPTED, EC2Rules.EBS_VOLUME_NOT_ENCRYPTED,
|
rules = [EC2Rules.EBS_SNAPSHOT_NOT_ENCRYPTED, EC2Rules.EBS_VOLUME_NOT_ENCRYPTED,
|
||||||
EC2Rules.EC2_INSTANCE_WITH_USER_DATA_SECRETS,
|
EC2Rules.EC2_INSTANCE_WITH_USER_DATA_SECRETS,
|
||||||
ELBv2Rules.ELBV2_LISTENER_ALLOWING_CLEARTEXT, ELBv2Rules.ELBV2_OLDER_SSL_POLICY,
|
ELBv2Rules.ELBV2_LISTENER_ALLOWING_CLEARTEXT, ELBv2Rules.ELBV2_OLDER_SSL_POLICY,
|
||||||
|
|
@ -69,7 +70,7 @@ class UnencryptedData(ScoutSuiteFinding):
|
||||||
test = zero_trust_consts.TEST_SCOUTSUITE_UNENCRYPTED_DATA
|
test = zero_trust_consts.TEST_SCOUTSUITE_UNENCRYPTED_DATA
|
||||||
|
|
||||||
|
|
||||||
class DataLossPrevention(ScoutSuiteFinding):
|
class DataLossPrevention(ScoutSuiteFindingMap):
|
||||||
rules = [RDSRules.RDS_INSTANCE_BACKUP_DISABLED, RDSRules.RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD,
|
rules = [RDSRules.RDS_INSTANCE_BACKUP_DISABLED, RDSRules.RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD,
|
||||||
RDSRules.RDS_INSTANCE_SINGLE_AZ, S3Rules.S3_BUCKET_NO_MFA_DELETE, S3Rules.S3_BUCKET_NO_VERSIONING,
|
RDSRules.RDS_INSTANCE_SINGLE_AZ, S3Rules.S3_BUCKET_NO_MFA_DELETE, S3Rules.S3_BUCKET_NO_VERSIONING,
|
||||||
ELBv2Rules.ELBV2_NO_DELETION_PROTECTION]
|
ELBv2Rules.ELBV2_NO_DELETION_PROTECTION]
|
||||||
|
|
@ -77,7 +78,7 @@ class DataLossPrevention(ScoutSuiteFinding):
|
||||||
test = zero_trust_consts.TEST_SCOUTSUITE_DATA_LOSS_PREVENTION
|
test = zero_trust_consts.TEST_SCOUTSUITE_DATA_LOSS_PREVENTION
|
||||||
|
|
||||||
|
|
||||||
class SecureAuthentication(ScoutSuiteFinding):
|
class SecureAuthentication(ScoutSuiteFindingMap):
|
||||||
rules = [
|
rules = [
|
||||||
IAMRules.IAM_USER_NO_ACTIVE_KEY_ROTATION,
|
IAMRules.IAM_USER_NO_ACTIVE_KEY_ROTATION,
|
||||||
IAMRules.IAM_PASSWORD_POLICY_MINIMUM_LENGTH,
|
IAMRules.IAM_PASSWORD_POLICY_MINIMUM_LENGTH,
|
||||||
|
|
@ -95,7 +96,7 @@ class SecureAuthentication(ScoutSuiteFinding):
|
||||||
test = zero_trust_consts.TEST_SCOUTSUITE_SECURE_AUTHENTICATION
|
test = zero_trust_consts.TEST_SCOUTSUITE_SECURE_AUTHENTICATION
|
||||||
|
|
||||||
|
|
||||||
class RestrictivePolicies(ScoutSuiteFinding):
|
class RestrictivePolicies(ScoutSuiteFindingMap):
|
||||||
rules = [
|
rules = [
|
||||||
IAMRules.IAM_ASSUME_ROLE_POLICY_ALLOWS_ALL,
|
IAMRules.IAM_ASSUME_ROLE_POLICY_ALLOWS_ALL,
|
||||||
IAMRules.IAM_EC2_ROLE_WITHOUT_INSTANCES,
|
IAMRules.IAM_EC2_ROLE_WITHOUT_INSTANCES,
|
||||||
|
|
@ -157,7 +158,7 @@ class RestrictivePolicies(ScoutSuiteFinding):
|
||||||
test = zero_trust_consts.TEST_SCOUTSUITE_RESTRICTIVE_POLICIES
|
test = zero_trust_consts.TEST_SCOUTSUITE_RESTRICTIVE_POLICIES
|
||||||
|
|
||||||
|
|
||||||
class Logging(ScoutSuiteFinding):
|
class Logging(ScoutSuiteFindingMap):
|
||||||
rules = [
|
rules = [
|
||||||
CloudTrailRules.CLOUDTRAIL_DUPLICATED_GLOBAL_SERVICES_LOGGING,
|
CloudTrailRules.CLOUDTRAIL_DUPLICATED_GLOBAL_SERVICES_LOGGING,
|
||||||
CloudTrailRules.CLOUDTRAIL_NO_DATA_LOGGING,
|
CloudTrailRules.CLOUDTRAIL_NO_DATA_LOGGING,
|
||||||
|
|
@ -177,7 +178,7 @@ class Logging(ScoutSuiteFinding):
|
||||||
test = zero_trust_consts.TEST_SCOUTSUITE_LOGGING
|
test = zero_trust_consts.TEST_SCOUTSUITE_LOGGING
|
||||||
|
|
||||||
|
|
||||||
class ServiceSecurity(ScoutSuiteFinding):
|
class ServiceSecurity(ScoutSuiteFindingMap):
|
||||||
rules = [
|
rules = [
|
||||||
CloudformationRules.CLOUDFORMATION_STACK_WITH_ROLE,
|
CloudformationRules.CLOUDFORMATION_STACK_WITH_ROLE,
|
||||||
ELBv2Rules.ELBV2_HTTP_REQUEST_SMUGGLING,
|
ELBv2Rules.ELBV2_HTTP_REQUEST_SMUGGLING,
|
||||||
|
|
@ -1,8 +1,8 @@
|
||||||
from .scoutsuite_findings import (DataLossPrevention, Logging,
|
from .scoutsuite_finding_maps import (DataLossPrevention, Logging,
|
||||||
PermissiveFirewallRules,
|
PermissiveFirewallRules,
|
||||||
RestrictivePolicies,
|
RestrictivePolicies,
|
||||||
SecureAuthentication, ServiceSecurity,
|
SecureAuthentication, ServiceSecurity,
|
||||||
UnencryptedData)
|
UnencryptedData)
|
||||||
|
|
||||||
SCOUTSUITE_FINDINGS = [PermissiveFirewallRules, UnencryptedData, DataLossPrevention, SecureAuthentication,
|
SCOUTSUITE_FINDINGS = [PermissiveFirewallRules, UnencryptedData, DataLossPrevention, SecureAuthentication,
|
||||||
RestrictivePolicies, Logging, ServiceSecurity]
|
RestrictivePolicies, Logging, ServiceSecurity]
|
||||||
|
|
|
||||||
|
|
@ -1,3 +1,5 @@
|
||||||
|
from enum import Enum
|
||||||
|
|
||||||
import dpath.util
|
import dpath.util
|
||||||
|
|
||||||
from common.utils.exceptions import RulePathCreatorNotFound
|
from common.utils.exceptions import RulePathCreatorNotFound
|
||||||
|
|
@ -5,22 +7,33 @@ from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_buil
|
||||||
RULE_PATH_CREATORS_LIST
|
RULE_PATH_CREATORS_LIST
|
||||||
|
|
||||||
|
|
||||||
|
def __build_rule_to_rule_path_creator_hashmap():
|
||||||
|
hashmap = {}
|
||||||
|
for rule_path_creator in RULE_PATH_CREATORS_LIST:
|
||||||
|
for rule_name in rule_path_creator.supported_rules:
|
||||||
|
hashmap[rule_name] = rule_path_creator
|
||||||
|
return hashmap
|
||||||
|
|
||||||
|
|
||||||
|
RULE_TO_RULE_PATH_CREATOR_HASHMAP = __build_rule_to_rule_path_creator_hashmap()
|
||||||
|
|
||||||
|
|
||||||
class RuleParser:
|
class RuleParser:
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_rule_data(scoutsuite_data, rule_name):
|
def get_rule_data(scoutsuite_data: dict, rule_name: Enum) -> dict:
|
||||||
rule_path = RuleParser.get_rule_path(rule_name)
|
rule_path = RuleParser._get_rule_path(rule_name)
|
||||||
return dpath.util.get(scoutsuite_data, rule_path)
|
return dpath.util.get(scoutsuite_data, rule_path)
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_rule_path(rule_name):
|
def _get_rule_path(rule_name: Enum):
|
||||||
creator = RuleParser.get_rule_path_creator(rule_name)
|
creator = RuleParser._get_rule_path_creator(rule_name)
|
||||||
return creator.build_rule_path(rule_name)
|
return creator.build_rule_path(rule_name)
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_rule_path_creator(rule_name):
|
def _get_rule_path_creator(rule_name: Enum):
|
||||||
for rule_path_creator in RULE_PATH_CREATORS_LIST:
|
try:
|
||||||
if rule_name in rule_path_creator.supported_rules:
|
return RULE_TO_RULE_PATH_CREATOR_HASHMAP[rule_name]
|
||||||
return rule_path_creator
|
except KeyError:
|
||||||
raise RulePathCreatorNotFound(f"Rule path creator not found for rule {rule_name.value}. Make sure to assign"
|
raise RulePathCreatorNotFound(f"Rule path creator not found for rule {rule_name.value}. Make sure to assign"
|
||||||
f"this rule to any rule path creators.")
|
f"this rule to any rule path creators.")
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,5 @@
|
||||||
from abc import ABC, abstractmethod
|
from abc import ABC, abstractmethod
|
||||||
|
from enum import Enum
|
||||||
from typing import List
|
from typing import List
|
||||||
|
|
||||||
from ...consts.service_consts import FINDINGS, SERVICE_TYPES, SERVICES
|
from ...consts.service_consts import FINDINGS, SERVICE_TYPES, SERVICES
|
||||||
|
|
@ -17,6 +18,6 @@ class AbstractRulePathCreator(ABC):
|
||||||
pass
|
pass
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def build_rule_path(cls, rule_name) -> List[str]:
|
def build_rule_path(cls, rule_name: Enum) -> List[str]:
|
||||||
assert(rule_name in cls.supported_rules)
|
assert(rule_name in cls.supported_rules)
|
||||||
return [SERVICES, cls.service_type.value, FINDINGS, rule_name.value]
|
return [SERVICES, cls.service_type.value, FINDINGS, rule_name.value]
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,6 @@
|
||||||
from monkey_island.cc.models.zero_trust.scoutsuite_finding_details import ScoutSuiteFindingDetails
|
from monkey_island.cc.models.zero_trust.scoutsuite_finding_details import ScoutSuiteFindingDetails
|
||||||
from monkey_island.cc.models.zero_trust.scoutsuite_rule import ScoutSuiteRule
|
from monkey_island.cc.models.zero_trust.scoutsuite_rule import ScoutSuiteRule
|
||||||
from ..scoutsuite.consts.scoutsuite_findings import PermissiveFirewallRules, UnencryptedData
|
from ..scoutsuite.consts.scoutsuite_finding_maps import PermissiveFirewallRules, UnencryptedData
|
||||||
|
|
||||||
SCOUTSUITE_FINDINGS = [
|
SCOUTSUITE_FINDINGS = [
|
||||||
PermissiveFirewallRules,
|
PermissiveFirewallRules,
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue