Added a bunch of rules and rule path creators.
This commit is contained in:
parent
f462fcc842
commit
c792f2f34c
|
@ -0,0 +1,11 @@
|
||||||
|
from enum import Enum
|
||||||
|
|
||||||
|
|
||||||
|
class CloudTrailRules(Enum):
|
||||||
|
# Logging
|
||||||
|
CLOUDTRAIL_DUPLICATED_GLOBAL_SERVICES_LOGGING = 'cloudtrail-duplicated-global-services-logging'
|
||||||
|
CLOUDTRAIL_NO_DATA_LOGGING = 'cloudtrail-no-data-logging'
|
||||||
|
CLOUDTRAIL_NO_GLOBAL_SERVICES_LOGGING = 'cloudtrail-no-global-services-logging'
|
||||||
|
CLOUDTRAIL_NO_LOG_FILE_VALIDATION = 'cloudtrail-no-log-file-validation'
|
||||||
|
CLOUDTRAIL_NO_LOGGING = 'cloudtrail-no-logging'
|
||||||
|
CLOUDTRAIL_NOT_CONFIGURED = 'cloudtrail-not-configured'
|
|
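Review bot: The new enum has no docstring stating what its values are, and values such as `'cloudtrail-duplicated-global-services-logging'` read as identifiers that something outside this file must match exactly; if they are compared against an external report, a misspelled value would simply never match and the finding would be silently dropped. A one-line class docstring like `"""ScoutSuite CloudTrail finding identifiers, grouped by the control they cover; values must match the external rule names exactly, including case."""` would make that contract explicit for whoever adds the next rule. The same documentation point applies to CloudWatchRules, EC2Rules, ELBRules, ELBv2Rules, IAMRules, RDSRules, RedshiftRules, S3Rules and VPCRules in the later hunks of this commit.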
@ -0,0 +1,6 @@
|
||||||
|
from enum import Enum
|
||||||
|
|
||||||
|
|
||||||
|
class CloudWatchRules(Enum):
|
||||||
|
# Logging
|
||||||
|
CLOUDWATCH_ALARM_WITHOUT_ACTIONS = 'cloudwatch-alarm-without-actions'
|
|
@ -2,6 +2,7 @@ from enum import Enum
|
||||||
|
|
||||||
|
|
||||||
class EC2Rules(Enum):
|
class EC2Rules(Enum):
|
||||||
|
# Ports
|
||||||
SECURITY_GROUP_ALL_PORTS_TO_ALL = 'ec2-security-group-opens-all-ports-to-all'
|
SECURITY_GROUP_ALL_PORTS_TO_ALL = 'ec2-security-group-opens-all-ports-to-all'
|
||||||
SECURITY_GROUP_OPENS_TCP_PORT_TO_ALL = 'ec2-security-group-opens-TCP-port-to-all'
|
SECURITY_GROUP_OPENS_TCP_PORT_TO_ALL = 'ec2-security-group-opens-TCP-port-to-all'
|
||||||
SECURITY_GROUP_OPENS_UDP_PORT_TO_ALL = 'ec2-security-group-opens-UDP-port-to-all'
|
SECURITY_GROUP_OPENS_UDP_PORT_TO_ALL = 'ec2-security-group-opens-UDP-port-to-all'
|
||||||
|
@ -20,3 +21,7 @@ class EC2Rules(Enum):
|
||||||
SECURITY_GROUP_OPENS_PLAINTEXT_PORT_FTP = 'ec2-security-group-opens-plaintext-port-FTP'
|
SECURITY_GROUP_OPENS_PLAINTEXT_PORT_FTP = 'ec2-security-group-opens-plaintext-port-FTP'
|
||||||
SECURITY_GROUP_OPENS_PLAINTEXT_PORT_TELNET = 'ec2-security-group-opens-plaintext-port-Telnet'
|
SECURITY_GROUP_OPENS_PLAINTEXT_PORT_TELNET = 'ec2-security-group-opens-plaintext-port-Telnet'
|
||||||
SECURITY_GROUP_OPENS_PORT_RANGE = 'ec2-security-group-opens-port-range'
|
SECURITY_GROUP_OPENS_PORT_RANGE = 'ec2-security-group-opens-port-range'
|
||||||
|
|
||||||
|
# Encryption
|
||||||
|
EC2_EBS_SNAPSHOT_NOT_ENCRYPTED = 'ec2-ebs-snapshot-not-encrypted'
|
||||||
|
EC2_EBS_VOLUME_NOT_ENCRYPTED = 'ec2-ebs-volume-not-encrypted'
|
|
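Review bot: The two members added under `# Encryption` carry an `EC2_` prefix (`EC2_EBS_SNAPSHOT_NOT_ENCRYPTED`, `EC2_EBS_VOLUME_NOT_ENCRYPTED`) while every existing member of the same enum, such as `SECURITY_GROUP_ALL_PORTS_TO_ALL`, does not, even though all values share the `ec2-` prefix. Pick one convention for the enum; since the other rule enums in this commit prefix every member with the service name, `EC2_SECURITY_GROUP_ALL_PORTS_TO_ALL` style for the existing members is the consistent choice, but renaming them is a wider change, so dropping the prefix on the two new members (`EBS_SNAPSHOT_NOT_ENCRYPTED = 'ec2-ebs-snapshot-not-encrypted'`) is the smaller fix. The EC2Rules class body continues between and beyond the two hunks shown here.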
@ -0,0 +1,6 @@
|
||||||
|
from enum import Enum
|
||||||
|
|
||||||
|
|
||||||
|
class ELBRules(Enum):
|
||||||
|
# Logging
|
||||||
|
ELB_NO_ACCESS_LOGS = 'elb-no-access-logs'
|
|
@ -0,0 +1,10 @@
|
||||||
|
from enum import Enum
|
||||||
|
|
||||||
|
|
||||||
|
class ELBv2Rules(Enum):
|
||||||
|
# Encryption
|
||||||
|
ELBV2_LISTENER_ALLOWING_CLEARTEXT = 'elbv2-listener-allowing-cleartext'
|
||||||
|
ELBV2_OLDER_SSL_POLICY = 'elbv2-older-ssl-policy'
|
||||||
|
|
||||||
|
# Logging
|
||||||
|
ELBV2_NO_ACCESS_LOGS = 'elbv2-no-access-logs'
|
|
@ -0,0 +1,39 @@
|
||||||
|
from enum import Enum
|
||||||
|
|
||||||
|
|
||||||
|
class IAMRules(Enum):
|
||||||
|
# Authentication/authorization
|
||||||
|
IAM_USER_NO_ACTIVE_KEY_ROTATION = 'iam-user-no-Active-key-rotation'
|
||||||
|
IAM_PASSWORD_POLICY_MINIMUM_LENGTH = 'iam-password-policy-minimum-length'
|
||||||
|
IAM_PASSWORD_POLICY_NO_EXPIRATION = 'iam-password-policy-no-expiration'
|
||||||
|
IAM_PASSWORD_POLICY_REUSE_ENABLED = 'iam-password-policy-reuse-enabled'
|
||||||
|
IAM_USER_WITH_PASSWORD_AND_KEY = 'iam-user-with-password-and-key'
|
||||||
|
IAM_ASSUME_ROLE_LACKS_EXTERNAL_ID_AND_MFA = 'iam-assume-role-lacks-external-id-and-mfa'
|
||||||
|
IAM_USER_WITHOUT_MFA = 'iam-user-without-mfa'
|
||||||
|
IAM_ROOT_ACCOUNT_NO_MFA = 'iam-root-account-no-mfa'
|
||||||
|
IAM_ROOT_ACCOUNT_WITH_ACTIVE_KEYS = 'iam-root-account-with-active-keys'
|
||||||
|
IAM_USER_NO_INACTIVE_KEY_ROTATION = 'iam-user-no-Inactive-key-rotation'
|
||||||
|
IAM_USER_WITH_MULTIPLE_ACCESS_KEYS = 'iam-user-with-multiple-access-keys'
|
||||||
|
|
||||||
|
# Least privilege
|
||||||
|
IAM_ASSUME_ROLE_POLICY_ALLOWS_ALL = 'iam-assume-role-policy-allows-all'
|
||||||
|
IAM_EC2_ROLE_WITHOUT_INSTANCES = 'iam-ec2-role-without-instances'
|
||||||
|
IAM_GROUP_WITH_INLINE_POLICIES = 'iam-group-with-inline-policies'
|
||||||
|
IAM_GROUP_WITH_NO_USERS = 'iam-group-with-no-users'
|
||||||
|
IAM_INLINE_GROUP_POLICY_ALLOWS_IAM_PASSROLE = 'iam-inline-group-policy-allows-iam-PassRole'
|
||||||
|
IAM_INLINE_GROUP_POLICY_ALLOWS_NOTACTIONS = 'iam-inline-group-policy-allows-NotActions'
|
||||||
|
IAM_INLINE_GROUP_POLICY_ALLOWS_STS_ASSUMEROLE = 'iam-inline-group-policy-allows-sts-AssumeRole'
|
||||||
|
IAM_INLINE_ROLE_POLICY_ALLOWS_IAM_PASSROLE = 'iam-inline-role-policy-allows-iam-PassRole'
|
||||||
|
IAM_INLINE_ROLE_POLICY_ALLOWS_NOTACTIONS = 'iam-inline-role-policy-allows-NotActions'
|
||||||
|
IAM_INLINE_ROLE_POLICY_ALLOWS_STS_ASSUMEROLE = 'iam-inline-role-policy-allows-sts-AssumeRole'
|
||||||
|
IAM_INLINE_USER_POLICY_ALLOWS_IAM_PASSROLE = 'iam-inline-user-policy-allows-iam-PassRole'
|
||||||
|
IAM_INLINE_USER_POLICY_ALLOWS_NOTACTIONS = 'iam-inline-user-policy-allows-NotActions'
|
||||||
|
IAM_INLINE_USER_POLICY_ALLOWS_STS_ASSUMEROLE = 'iam-inline-user-policy-allows-sts-AssumeRole'
|
||||||
|
IAM_MANAGED_POLICY_ALLOWS_IAM_PASSROLE = 'iam-managed-policy-allows-iam-PassRole'
|
||||||
|
IAM_MANAGED_POLICY_ALLOWS_NOTACTIONS = 'iam-managed-policy-allows-NotActions'
|
||||||
|
IAM_MANAGED_POLICY_ALLOWS_STS_ASSUMEROLE = 'iam-managed-policy-allows-sts-AssumeRole'
|
||||||
|
IAM_MANAGED_POLICY_NO_ATTACHMENTS = 'iam-managed-policy-no-attachments'
|
||||||
|
IAM_ROLE_WITH_INLINE_POLICIES = 'iam-role-with-inline-policies'
|
||||||
|
IAM_ROOT_ACCOUNT_USED_RECENTLY = 'iam-root-account-used-recently'
|
||||||
|
IAM_ROOT_ACCOUNT_WITH_ACTIVE_CERTS = 'iam-root-account-with-active-certs'
|
||||||
|
IAM_USER_WITH_INLINE_POLICIES = 'iam-user-with-inline-policies'
|
|
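Review bot: The grouping comments do not match the members under them: `IAM_ROOT_ACCOUNT_USED_RECENTLY` and `IAM_ROOT_ACCOUNT_WITH_ACTIVE_CERTS` sit under `# Least privilege` while the other root-account rules (`IAM_ROOT_ACCOUNT_NO_MFA`, `IAM_ROOT_ACCOUNT_WITH_ACTIVE_KEYS`) are under `# Authentication/authorization`, and `IAM_USER_NO_INACTIVE_KEY_ROTATION` is separated from `IAM_USER_NO_ACTIVE_KEY_ROTATION` by seven unrelated members. Moving those members next to their siblings keeps the category headers honest for anyone using them to pick which findings to act on. Separately, several values contain mixed case (`'iam-user-no-Active-key-rotation'`, `'iam-inline-group-policy-allows-iam-PassRole'`) that a later clean-up could easily lower-case; a comment above the class such as `# Mixed case in the values is intentional: they mirror the external rule names verbatim.` would protect against that.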
@ -0,0 +1,11 @@
|
||||||
|
from enum import Enum
|
||||||
|
|
||||||
|
|
||||||
|
class RDSRules(Enum):
|
||||||
|
# Encryption
|
||||||
|
RDS_INSTANCE_STORAGE_NOT_ENCRYPTED = 'rds-instance-storage-not-encrypted'
|
||||||
|
|
||||||
|
# Data loss prevention
|
||||||
|
RDS_INSTANCE_BACKUP_DISABLED = 'rds-instance-backup-disabled'
|
||||||
|
RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD = 'rds-instance-short-backup-retention-period'
|
||||||
|
RDS_INSTANCE_SINGLE_AZ = 'rds-instance-single-az'
|
|
@ -0,0 +1,6 @@
|
||||||
|
from enum import Enum
|
||||||
|
|
||||||
|
|
||||||
|
class RedshiftRules(Enum):
|
||||||
|
# Encryption
|
||||||
|
REDSHIFT_CLUSTER_DATABASE_NOT_ENCRYPTED = 'redshift-cluster-database-not-encrypted'
|
|
@ -0,0 +1,14 @@
|
||||||
|
from enum import Enum
|
||||||
|
|
||||||
|
|
||||||
|
class S3Rules(Enum):
|
||||||
|
# Encryption
|
||||||
|
S3_BUCKET_ALLOWING_CLEARTEXT = 's3-bucket-allowing-cleartext'
|
||||||
|
S3_BUCKET_NO_DEFAULT_ENCRYPTION = 's3-bucket-no-default-encryption'
|
||||||
|
|
||||||
|
# Data loss prevention
|
||||||
|
S3_BUCKET_NO_MFA_DELETE = 's3-bucket-no-mfa-delete'
|
||||||
|
S3_BUCKET_NO_VERSIONING = 's3-bucket-no-versioning'
|
||||||
|
|
||||||
|
# Logging
|
||||||
|
S3_BUCKET_NO_LOGGING = 's3-bucket-no-logging'
|
|
@ -0,0 +1,6 @@
|
||||||
|
from enum import Enum
|
||||||
|
|
||||||
|
|
||||||
|
class VPCRules(Enum):
|
||||||
|
# Logging
|
||||||
|
VPC_SUBNET_WITHOUT_FLOW_LOG = 'vpc-subnet-without-flow-log'
|
|
@ -6,4 +6,28 @@ FINDINGS = 'findings'
|
||||||
|
|
||||||
|
|
||||||
class SERVICE_TYPES(Enum):
|
class SERVICE_TYPES(Enum):
|
||||||
|
ACM = 'acm'
|
||||||
|
AWSLAMBDA = 'awslambda'
|
||||||
|
CLOUDFORMATION = 'cloudformation'
|
||||||
|
CLOUSDTRAIL = 'cloudtrail'
|
||||||
|
CLOUDWATCH = 'cloudwatch'
|
||||||
|
CONFIG = 'config'
|
||||||
|
DIRECTCONNECT = 'directconnect'
|
||||||
EC2 = 'ec2'
|
EC2 = 'ec2'
|
||||||
|
EFS = 'efs'
|
||||||
|
ELASTICACHE = 'elasticache'
|
||||||
|
ELB = 'elb'
|
||||||
|
ELBv2 = 'elbv2'
|
||||||
|
EMR = 'emr'
|
||||||
|
IAM = 'iam'
|
||||||
|
KMS = 'kms'
|
||||||
|
RDS = 'rds'
|
||||||
|
REDSHIFT = 'redshift'
|
||||||
|
ROUTE53 = 'route53'
|
||||||
|
S3 = 's3'
|
||||||
|
SES = 'ses'
|
||||||
|
SNS = 'sns'
|
||||||
|
SQS = 'sqs'
|
||||||
|
VPC = 'vpc'
|
||||||
|
SECRETSMANAGER = 'secretsmanager'
|
||||||
|
|
||||||
|
|
|
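Review bot: `CLOUSDTRAIL = 'cloudtrail'` misspells the member name, and the typo is already propagated by `service_type = SERVICE_TYPES.CLOUSDTRAIL` in the new CloudTrailRulePathCreator hunk, so both lines should read `CLOUDTRAIL = 'cloudtrail'` and `service_type = SERVICE_TYPES.CLOUDTRAIL` before anything else depends on the misspelled name. As a point of style, `SECRETSMANAGER = 'secretsmanager'` is appended after `VPC` and breaks the otherwise alphabetical order of the enum, which makes it harder to spot a missing service at a glance; `ELBv2` is also the only member not in upper snake case. The SERVICE_TYPES class starts in the context line of this hunk, so its header is visible, but any members before `ACM` are outside the hunk.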
@ -0,0 +1,11 @@
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudtrail_rules import CloudTrailRules
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
|
||||||
|
SERVICE_TYPES
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
|
||||||
|
AbstractRulePathCreator
|
||||||
|
|
||||||
|
|
||||||
|
class CloudTrailRulePathCreator(AbstractRulePathCreator):
|
||||||
|
|
||||||
|
service_type = SERVICE_TYPES.CLOUSDTRAIL
|
||||||
|
supported_rules = CloudTrailRules
|
|
@ -0,0 +1,11 @@
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudwatch_rules import CloudWatchRules
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
|
||||||
|
SERVICE_TYPES
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
|
||||||
|
AbstractRulePathCreator
|
||||||
|
|
||||||
|
|
||||||
|
class CloudWatchRulePathCreator(AbstractRulePathCreator):
|
||||||
|
|
||||||
|
service_type = SERVICE_TYPES.CLOUDWATCH
|
||||||
|
supported_rules = CloudWatchRules
|
|
@ -1,4 +1,4 @@
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.ec2_rules import EC2Rules
|
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.ec2_rules import EC2Rules
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
|
from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
|
||||||
SERVICE_TYPES
|
SERVICE_TYPES
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
|
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
|
|
@ -0,0 +1,11 @@
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.elb_rules import ELBRules
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
|
||||||
|
SERVICE_TYPES
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
|
||||||
|
AbstractRulePathCreator
|
||||||
|
|
||||||
|
|
||||||
|
class ELBRulePathCreator(AbstractRulePathCreator):
|
||||||
|
|
||||||
|
service_type = SERVICE_TYPES.ELB
|
||||||
|
supported_rules = ELBRules
|
|
@ -0,0 +1,11 @@
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.elbv2_rules import ELBv2Rules
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
|
||||||
|
SERVICE_TYPES
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
|
||||||
|
AbstractRulePathCreator
|
||||||
|
|
||||||
|
|
||||||
|
class ELBv2RulePathCreator(AbstractRulePathCreator):
|
||||||
|
|
||||||
|
service_type = SERVICE_TYPES.ELBv2
|
||||||
|
supported_rules = ELBv2Rules
|
|
@ -0,0 +1,11 @@
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.iam_rules import IAMRules
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
|
||||||
|
SERVICE_TYPES
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
|
||||||
|
AbstractRulePathCreator
|
||||||
|
|
||||||
|
|
||||||
|
class IAMRulePathCreator(AbstractRulePathCreator):
|
||||||
|
|
||||||
|
service_type = SERVICE_TYPES.IAM
|
||||||
|
supported_rules = IAMRules
|
|
@ -0,0 +1,11 @@
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rds_rules import RDSRules
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
|
||||||
|
SERVICE_TYPES
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
|
||||||
|
AbstractRulePathCreator
|
||||||
|
|
||||||
|
|
||||||
|
class RDSRulePathCreator(AbstractRulePathCreator):
|
||||||
|
|
||||||
|
service_type = SERVICE_TYPES.RDS
|
||||||
|
supported_rules = RDSRules
|
|
@ -0,0 +1,11 @@
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.redshift_rules import RedshiftRules
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
|
||||||
|
SERVICE_TYPES
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
|
||||||
|
AbstractRulePathCreator
|
||||||
|
|
||||||
|
|
||||||
|
class RedshiftRulePathCreator(AbstractRulePathCreator):
|
||||||
|
|
||||||
|
service_type = SERVICE_TYPES.REDSHIFT
|
||||||
|
supported_rules = RedshiftRules
|
|
@ -0,0 +1,11 @@
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.s3_rules import S3Rules
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
|
||||||
|
SERVICE_TYPES
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
|
||||||
|
AbstractRulePathCreator
|
||||||
|
|
||||||
|
|
||||||
|
class S3RulePathCreator(AbstractRulePathCreator):
|
||||||
|
|
||||||
|
service_type = SERVICE_TYPES.S3
|
||||||
|
supported_rules = S3Rules
|
|
@ -0,0 +1,11 @@
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.vpc_rules import VPCRules
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
|
||||||
|
SERVICE_TYPES
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
|
||||||
|
AbstractRulePathCreator
|
||||||
|
|
||||||
|
|
||||||
|
class VPCRulePathCreator(AbstractRulePathCreator):
|
||||||
|
|
||||||
|
service_type = SERVICE_TYPES.VPC
|
||||||
|
supported_rules = VPCRules
|
|
@ -1,4 +1,24 @@
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.ec2_rule_path_creator import \
|
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.cloudtrail_rule_path_creator import \
|
||||||
|
CloudTrailRulePathCreator
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.cloudwatch_rule_path_creator import \
|
||||||
|
CloudWatchRulePathCreator
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.ec2_rule_path_creator import \
|
||||||
EC2RulePathCreator
|
EC2RulePathCreator
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.elb_rule_path_creator import \
|
||||||
|
ELBRulePathCreator
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.elbv2_rule_path_creator import \
|
||||||
|
ELBv2RulePathCreator
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.iam_rule_path_creator import \
|
||||||
|
IAMRulePathCreator
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.rds_rule_path_creator import \
|
||||||
|
RDSRulePathCreator
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.redshift_rule_path_creator import \
|
||||||
|
RedshiftRulePathCreator
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.s3_rule_path_creator import \
|
||||||
|
S3RulePathCreator
|
||||||
|
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.vpc_rule_path_creator import \
|
||||||
|
VPCRulePathCreator
|
||||||
|
|
||||||
RULE_PATH_CREATORS_LIST = [EC2RulePathCreator]
|
RULE_PATH_CREATORS_LIST = [EC2RulePathCreator, ELBv2RulePathCreator, RDSRulePathCreator, RedshiftRulePathCreator,
|
||||||
|
S3RulePathCreator, IAMRulePathCreator, CloudTrailRulePathCreator, ELBRulePathCreator,
|
||||||
|
VPCRulePathCreator, CloudWatchRulePathCreator]
|
||||||
|
|
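Review bot: `RULE_PATH_CREATORS_LIST` is hand-maintained with nothing that checks each service is registered exactly once or that every rule enum added in this commit has a creator; whether a duplicate or missing entry is noticed depends on the consumer of this list, which is outside the hunk. A comment above the list, `# Keep in sync with consts/rule_names: every rule enum needs exactly one creator here.`, plus a uniqueness guard such as `assert len({c.service_type for c in RULE_PATH_CREATORS_LIST}) == len(RULE_PATH_CREATORS_LIST)` would catch the most likely mistakes at import time. Ordering the list entries to match the import order above (CloudTrail, CloudWatch, EC2, ELB, ELBv2, IAM, RDS, Redshift, S3, VPC) instead of the current arbitrary order would also make omissions visible by inspection.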