Created new scoutsuite findings, added relevant infrastructure to zero trust consts
parent
c792f2f34c
commit
49e13a651e
@ -26,7 +26,6 @@ MONKEY_FINDING = "monkey_finding"
|
|||
SCOUTSUITE_FINDING = "scoutsuite_finding"
|
||||
FINDING_TYPES = [MONKEY_FINDING, SCOUTSUITE_FINDING]
|
||||
|
||||
|
||||
TEST_DATA_ENDPOINT_ELASTIC = "unencrypted_data_endpoint_elastic"
|
||||
TEST_DATA_ENDPOINT_HTTP = "unencrypted_data_endpoint_http"
|
||||
TEST_MACHINE_EXPLOITED = "machine_exploited"
|
||||
|
@ -37,6 +36,12 @@ TEST_SEGMENTATION = "segmentation"
|
|||
TEST_TUNNELING = "tunneling"
|
||||
TEST_COMMUNICATE_AS_NEW_USER = "communicate_as_new_user"
|
||||
TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES = "scoutsuite_permissive_firewall_rules"
|
||||
TEST_SCOUTSUITE_UNENCRYPTED_DATA = "scoutsuite_unencrypted_data"
|
||||
TEST_SCOUTSUITE_DATA_LOSS_PREVENTION = "scoutsuite_data_loss_prevention"
|
||||
TEST_SCOUTSUITE_SECURE_AUTHENTICATION = "scoutsuite_secure_authentication"
|
||||
TEST_SCOUTSUITE_RESTRICTIVE_POLICIES = "scoutsuite_unrestrictive_policies"
|
||||
TEST_SCOUTSUITE_LOGGING = "scoutsuite_logging"
|
||||
|
||||
TESTS = (
|
||||
TEST_SEGMENTATION,
|
||||
TEST_MALICIOUS_ACTIVITY_TIMELINE,
|
||||
|
@ -47,25 +52,36 @@ TESTS = (
|
|||
TEST_DATA_ENDPOINT_ELASTIC,
|
||||
TEST_TUNNELING,
|
||||
TEST_COMMUNICATE_AS_NEW_USER,
|
||||
TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES
|
||||
TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES,
|
||||
TEST_SCOUTSUITE_UNENCRYPTED_DATA,
|
||||
TEST_SCOUTSUITE_DATA_LOSS_PREVENTION,
|
||||
TEST_SCOUTSUITE_SECURE_AUTHENTICATION,
|
||||
TEST_SCOUTSUITE_RESTRICTIVE_POLICIES,
|
||||
TEST_SCOUTSUITE_LOGGING
|
||||
)
|
||||
|
||||
PRINCIPLE_DATA_TRANSIT = "data_transit"
|
||||
PRINCIPLE_DATA_CONFIDENTIALITY = "data_transit"
|
||||
PRINCIPLE_ENDPOINT_SECURITY = "endpoint_security"
|
||||
PRINCIPLE_USER_BEHAVIOUR = "user_behaviour"
|
||||
PRINCIPLE_ANALYZE_NETWORK_TRAFFIC = "analyze_network_traffic"
|
||||
PRINCIPLE_SEGMENTATION = "segmentation"
|
||||
PRINCIPLE_RESTRICTIVE_NETWORK_POLICIES = "network_policies"
|
||||
PRINCIPLE_USERS_MAC_POLICIES = "users_mac_policies"
|
||||
PRINCIPLE_DISASTER_RECOVERY = "data_backup"
|
||||
PRINCIPLE_SECURE_AUTHENTICATION = "secure_authentication"
|
||||
PRINCIPLE_MONITORING_AND_LOGGING = "monitoring_and_logging"
|
||||
PRINCIPLES = {
|
||||
PRINCIPLE_SEGMENTATION: "Apply segmentation and micro-segmentation inside your network.",
|
||||
PRINCIPLE_ANALYZE_NETWORK_TRAFFIC: "Analyze network traffic for malicious activity.",
|
||||
PRINCIPLE_USER_BEHAVIOUR: "Adopt security user behavior analytics.",
|
||||
PRINCIPLE_ENDPOINT_SECURITY: "Use anti-virus and other traditional endpoint security solutions.",
|
||||
PRINCIPLE_DATA_TRANSIT: "Secure data at transit by encrypting it.",
|
||||
PRINCIPLE_DATA_CONFIDENTIALITY: "Ensure data's confidentiality by encrypting it.",
|
||||
PRINCIPLE_RESTRICTIVE_NETWORK_POLICIES: "Configure network policies to be as restrictive as possible.",
|
||||
PRINCIPLE_USERS_MAC_POLICIES: "Users' permissions to the network and to resources should be MAC (Mandatory "
|
||||
"Access Control) only.",
|
||||
PRINCIPLE_DISASTER_RECOVERY: "Ensure data and infrastructure backups for disaster recovery scenarios.",
|
||||
PRINCIPLE_SECURE_AUTHENTICATION: "Ensure secure authentication process's.",
|
||||
PRINCIPLE_MONITORING_AND_LOGGING: "Ensure monitoring and logging in network resources."
|
||||
}
|
||||
|
||||
POSSIBLE_STATUSES_KEY = "possible_statuses"
|
||||
|
@ -136,7 +152,7 @@ TESTS_MAP = {
|
|||
STATUS_PASSED: "Monkey didn't find open ElasticSearch instances. If you have such instances, look for alerts "
|
||||
"that indicate attempts to access them. "
|
||||
},
|
||||
PRINCIPLE_KEY: PRINCIPLE_DATA_TRANSIT,
|
||||
PRINCIPLE_KEY: PRINCIPLE_DATA_CONFIDENTIALITY,
|
||||
PILLARS_KEY: [DATA],
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
|
||||
},
|
||||
|
@ -147,7 +163,7 @@ TESTS_MAP = {
|
|||
STATUS_PASSED: "Monkey didn't find open HTTP servers. If you have such servers, look for alerts that indicate "
|
||||
"attempts to access them. "
|
||||
},
|
||||
PRINCIPLE_KEY: PRINCIPLE_DATA_TRANSIT,
|
||||
PRINCIPLE_KEY: PRINCIPLE_DATA_CONFIDENTIALITY,
|
||||
PILLARS_KEY: [DATA],
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
|
||||
},
|
||||
|
@ -176,12 +192,68 @@ TESTS_MAP = {
|
|||
TEST_EXPLANATION_KEY: "ScoutSuite assessed cloud firewall rules and settings.",
|
||||
FINDING_EXPLANATION_BY_STATUS_KEY: {
|
||||
STATUS_FAILED: "ScoutSuite found overly permissive firewall rules.",
|
||||
STATUS_VERIFY: "ScoutSuite found potentially dangerous firewall rules you need to verify.",
|
||||
STATUS_PASSED: "ScoutSuite found no problems with cloud firewall rules."
|
||||
},
|
||||
PRINCIPLE_KEY: PRINCIPLE_RESTRICTIVE_NETWORK_POLICIES,
|
||||
PILLARS_KEY: [NETWORKS],
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY]
|
||||
},
|
||||
TEST_SCOUTSUITE_UNENCRYPTED_DATA: {
|
||||
TEST_EXPLANATION_KEY: "ScoutSuite searched for resources containing unencrypted data.",
|
||||
FINDING_EXPLANATION_BY_STATUS_KEY: {
|
||||
STATUS_FAILED: "ScoutSuite found resources with unencrypted data.",
|
||||
STATUS_VERIFY: "ScoutSuite found resources which could have unencrypted data.",
|
||||
STATUS_PASSED: "ScoutSuite found no resources with unencrypted data."
|
||||
},
|
||||
PRINCIPLE_KEY: PRINCIPLE_DATA_CONFIDENTIALITY,
|
||||
PILLARS_KEY: [DATA],
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY]
|
||||
},
|
||||
TEST_SCOUTSUITE_DATA_LOSS_PREVENTION: {
|
||||
TEST_EXPLANATION_KEY: "ScoutSuite searched for resources which are not protected against data loss.",
|
||||
FINDING_EXPLANATION_BY_STATUS_KEY: {
|
||||
STATUS_FAILED: "ScoutSuite found resources not protected against data loss.",
|
||||
STATUS_VERIFY: "ScoutSuite found resources which might not be protected against data loss.",
|
||||
STATUS_PASSED: "ScoutSuite found that all resources are secured against data loss."
|
||||
},
|
||||
PRINCIPLE_KEY: PRINCIPLE_DISASTER_RECOVERY,
|
||||
PILLARS_KEY: [DATA],
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY]
|
||||
},
|
||||
TEST_SCOUTSUITE_SECURE_AUTHENTICATION: {
|
||||
TEST_EXPLANATION_KEY: "ScoutSuite searched for issues related to users' authentication.",
|
||||
FINDING_EXPLANATION_BY_STATUS_KEY: {
|
||||
STATUS_FAILED: "ScoutSuite found issues related to users' authentication.",
|
||||
STATUS_VERIFY: "ScoutSuite found potential issues related to users' authentication.",
|
||||
STATUS_PASSED: "ScoutSuite found no issues related to users' authentication."
|
||||
},
|
||||
PRINCIPLE_KEY: PRINCIPLE_SECURE_AUTHENTICATION,
|
||||
PILLARS_KEY: [PEOPLE, WORKLOADS],
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY]
|
||||
},
|
||||
TEST_SCOUTSUITE_RESTRICTIVE_POLICIES: {
|
||||
TEST_EXPLANATION_KEY: "ScoutSuite searched for permissive user access policies.",
|
||||
FINDING_EXPLANATION_BY_STATUS_KEY: {
|
||||
STATUS_FAILED: "ScoutSuite found permissive user access policies.",
|
||||
STATUS_VERIFY: "ScoutSuite found potential issues related to user access policies.",
|
||||
STATUS_PASSED: "ScoutSuite found no issues related to user access policies."
|
||||
},
|
||||
PRINCIPLE_KEY: PRINCIPLE_USERS_MAC_POLICIES,
|
||||
PILLARS_KEY: [PEOPLE, WORKLOADS],
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY]
|
||||
},
|
||||
TEST_SCOUTSUITE_LOGGING: {
|
||||
TEST_EXPLANATION_KEY: "ScoutSuite searched for issues, related to logging.",
|
||||
FINDING_EXPLANATION_BY_STATUS_KEY: {
|
||||
STATUS_FAILED: "ScoutSuite found logging issues.",
|
||||
STATUS_VERIFY: "ScoutSuite found potential logging issues.",
|
||||
STATUS_PASSED: "ScoutSuite found no logging issues."
|
||||
},
|
||||
PRINCIPLE_KEY: PRINCIPLE_MONITORING_AND_LOGGING,
|
||||
PILLARS_KEY: [AUTOMATION_ORCHESTRATION, VISIBILITY_ANALYTICS],
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY]
|
||||
}
|
||||
}
|
||||
|
||||
EVENT_TYPE_MONKEY_NETWORK = "monkey_network"
|
||||
|
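Review bot: PRINCIPLE_DATA_CONFIDENTIALITY keeps the old identifier `"data_transit"` while its description now reads "Ensure data's confidentiality by encrypting it.", and the same name/value drift appears in `TEST_SCOUTSUITE_RESTRICTIVE_POLICIES = "scoutsuite_unrestrictive_policies"` and `PRINCIPLE_DISASTER_RECOVERY = "data_backup"`. If these strings are persisted in stored findings or reports (not visible on this page), keeping `"data_transit"` may be deliberate for compatibility, in which case a comment such as `# value kept as "data_transit" so previously stored findings still resolve` should say so; otherwise the values should follow the renames, `PRINCIPLE_DATA_CONFIDENTIALITY = "data_confidentiality"` and `TEST_SCOUTSUITE_RESTRICTIVE_POLICIES = "scoutsuite_restrictive_policies"`. Folding the transit tests (open Elasticsearch/HTTP endpoints) and the at-rest ScoutSuite checks under a single principle also means the report can no longer tell a cleartext listener from an unencrypted volume, which is acceptable if intended but worth stating in the principle text. The user-facing string `"Ensure secure authentication process's."` should read `"Ensure secure authentication processes."`. The TESTS_MAP dictionary these hunks edit begins before the first of them.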
@ -1,6 +1,14 @@
|
|||
from common.common_consts import zero_trust_consts
|
||||
from common.common_consts.zero_trust_consts import NETWORKS
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.ec2_rules import EC2Rules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudtrail_rules import CloudTrailRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudwatch_rules import CloudWatchRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.ec2_rules import EC2Rules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.elb_rules import ELBRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.elbv2_rules import ELBv2Rules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rds_rules import RDSRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.redshift_rules import RedshiftRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.s3_rules import S3Rules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.iam_rules import IAMRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.vpc_rules import VPCRules
|
||||
|
||||
|
||||
class PERMISSIVE_FIREWALL_RULES:
|
||||
|
@ -14,6 +22,84 @@ class PERMISSIVE_FIREWALL_RULES:
|
|||
EC2Rules.SECURITY_GROUP_OPENS_ALL_PORTS, EC2Rules.SECURITY_GROUP_OPENS_PLAINTEXT_PORT_FTP,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_PLAINTEXT_PORT_TELNET, EC2Rules.SECURITY_GROUP_OPENS_PORT_RANGE]
|
||||
|
||||
pillars = [NETWORKS]
|
||||
|
||||
test = zero_trust_consts.TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES
|
||||
|
||||
|
||||
class UNENCRYPTED_DATA:
|
||||
rules = [EC2Rules.EC2_EBS_SNAPSHOT_NOT_ENCRYPTED, EC2Rules.EC2_EBS_VOLUME_NOT_ENCRYPTED,
|
||||
ELBv2Rules.ELBV2_LISTENER_ALLOWING_CLEARTEXT, ELBv2Rules.ELBV2_OLDER_SSL_POLICY,
|
||||
RDSRules.RDS_INSTANCE_STORAGE_NOT_ENCRYPTED, RedshiftRules.REDSHIFT_CLUSTER_DATABASE_NOT_ENCRYPTED,
|
||||
S3Rules.S3_BUCKET_ALLOWING_CLEARTEXT, S3Rules.S3_BUCKET_NO_DEFAULT_ENCRYPTION]
|
||||
|
||||
test = zero_trust_consts.TEST_SCOUTSUITE_UNENCRYPTED_DATA
|
||||
|
||||
|
||||
class DATA_LOSS_PREVENTION:
|
||||
rules = [RDSRules.RDS_INSTANCE_BACKUP_DISABLED, RDSRules.RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD,
|
||||
RDSRules.RDS_INSTANCE_SINGLE_AZ, S3Rules.S3_BUCKET_NO_MFA_DELETE, S3Rules.S3_BUCKET_NO_VERSIONING]
|
||||
|
||||
test = zero_trust_consts.TEST_SCOUTSUITE_DATA_LOSS_PREVENTION
|
||||
|
||||
|
||||
class SECURE_AUTHENTICATION:
|
||||
rules = [
|
||||
IAMRules.IAM_USER_NO_ACTIVE_KEY_ROTATION,
|
||||
IAMRules.IAM_PASSWORD_POLICY_MINIMUM_LENGTH,
|
||||
IAMRules.IAM_PASSWORD_POLICY_NO_EXPIRATION,
|
||||
IAMRules.IAM_PASSWORD_POLICY_REUSE_ENABLED,
|
||||
IAMRules.IAM_USER_WITH_PASSWORD_AND_KEY,
|
||||
IAMRules.IAM_ASSUME_ROLE_LACKS_EXTERNAL_ID_AND_MFA,
|
||||
IAMRules.IAM_USER_WITHOUT_MFA,
|
||||
IAMRules.IAM_ROOT_ACCOUNT_NO_MFA,
|
||||
IAMRules.IAM_ROOT_ACCOUNT_WITH_ACTIVE_KEYS,
|
||||
IAMRules.IAM_USER_NO_INACTIVE_KEY_ROTATION,
|
||||
IAMRules.IAM_USER_WITH_MULTIPLE_ACCESS_KEYS
|
||||
]
|
||||
|
||||
test = zero_trust_consts.TEST_SCOUTSUITE_SECURE_AUTHENTICATION
|
||||
|
||||
|
||||
class RESTRICTIVE_POLICIES:
|
||||
rules = [
|
||||
IAMRules.IAM_ASSUME_ROLE_POLICY_ALLOWS_ALL,
|
||||
IAMRules.IAM_EC2_ROLE_WITHOUT_INSTANCES,
|
||||
IAMRules.IAM_GROUP_WITH_INLINE_POLICIES,
|
||||
IAMRules.IAM_GROUP_WITH_NO_USERS,
|
||||
IAMRules.IAM_INLINE_GROUP_POLICY_ALLOWS_IAM_PASSROLE,
|
||||
IAMRules.IAM_INLINE_GROUP_POLICY_ALLOWS_NOTACTIONS,
|
||||
IAMRules.IAM_INLINE_GROUP_POLICY_ALLOWS_STS_ASSUMEROLE,
|
||||
IAMRules.IAM_INLINE_ROLE_POLICY_ALLOWS_IAM_PASSROLE,
|
||||
IAMRules.IAM_INLINE_ROLE_POLICY_ALLOWS_NOTACTIONS,
|
||||
IAMRules.IAM_INLINE_ROLE_POLICY_ALLOWS_STS_ASSUMEROLE,
|
||||
IAMRules.IAM_INLINE_USER_POLICY_ALLOWS_IAM_PASSROLE,
|
||||
IAMRules.IAM_INLINE_USER_POLICY_ALLOWS_NOTACTIONS,
|
||||
IAMRules.IAM_INLINE_USER_POLICY_ALLOWS_STS_ASSUMEROLE,
|
||||
IAMRules.IAM_MANAGED_POLICY_ALLOWS_IAM_PASSROLE,
|
||||
IAMRules.IAM_MANAGED_POLICY_ALLOWS_NOTACTIONS,
|
||||
IAMRules.IAM_MANAGED_POLICY_ALLOWS_STS_ASSUMEROLE,
|
||||
IAMRules.IAM_MANAGED_POLICY_NO_ATTACHMENTS,
|
||||
IAMRules.IAM_ROLE_WITH_INLINE_POLICIES,
|
||||
IAMRules.IAM_ROOT_ACCOUNT_USED_RECENTLY,
|
||||
IAMRules.IAM_ROOT_ACCOUNT_WITH_ACTIVE_CERTS,
|
||||
IAMRules.IAM_USER_WITH_INLINE_POLICIES,
|
||||
]
|
||||
|
||||
test = zero_trust_consts.TEST_SCOUTSUITE_RESTRICTIVE_POLICIES
|
||||
|
||||
|
||||
class LOGGING:
|
||||
rules = [
|
||||
CloudTrailRules.CLOUDTRAIL_DUPLICATED_GLOBAL_SERVICES_LOGGING,
|
||||
CloudTrailRules.CLOUDTRAIL_NO_DATA_LOGGING,
|
||||
CloudTrailRules.CLOUDTRAIL_NO_GLOBAL_SERVICES_LOGGING,
|
||||
CloudTrailRules.CLOUDTRAIL_NO_LOG_FILE_VALIDATION,
|
||||
CloudTrailRules.CLOUDTRAIL_NO_LOGGING,
|
||||
CloudTrailRules.CLOUDTRAIL_NOT_CONFIGURED,
|
||||
CloudWatchRules.CLOUDWATCH_ALARM_WITHOUT_ACTIONS,
|
||||
ELBRules.ELB_NO_ACCESS_LOGS,
|
||||
S3Rules.S3_BUCKET_NO_LOGGING,
|
||||
ELBv2Rules.ELBV2_NO_ACCESS_LOGS,
|
||||
VPCRules.VPC_SUBNET_WITHOUT_FLOW_LOG,
|
||||
]
|
||||
|
||||
test = zero_trust_consts.TEST_SCOUTSUITE_LOGGING
|
||||
|
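Review bot: RESTRICTIVE_POLICIES mixes hygiene rules about unused artifacts (`IAMRules.IAM_GROUP_WITH_NO_USERS`, `IAMRules.IAM_EC2_ROLE_WITHOUT_INSTANCES`, `IAMRules.IAM_MANAGED_POLICY_NO_ATTACHMENTS`) with rules about genuinely over-permissive grants (PassRole, NotAction, sts:AssumeRole), so a hit on an unattached policy is reported under a finding whose failure explanation in zero_trust_consts speaks of permissive user access policies. Root-account credential rules are also split: `IAMRules.IAM_ROOT_ACCOUNT_WITH_ACTIVE_KEYS` sits in SECURE_AUTHENTICATION while `IAMRules.IAM_ROOT_ACCOUNT_WITH_ACTIVE_CERTS` and `IAMRules.IAM_ROOT_ACCOUNT_USED_RECENTLY` sit here, although all three concern long-lived root credentials, and moving the certs rule next to the keys rule keeps the grouping coherent. The new classes carry only `rules` and `test`, whereas PERMISSIVE_FIREWALL_RULES shows a `pillars = [NETWORKS]` line whose side of the diff is not recoverable here; if it survives, any consumer reading `.pillars` will fail on the new classes, and if it was removed, the `NETWORKS` import at the top of the file becomes unused. Each class would read better with a one-line docstring naming its grouping criterion, e.g. `"""ScoutSuite rules indicating data stored or served without encryption."""` on UNENCRYPTED_DATA.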
@ -1,3 +1,4 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.findings import PERMISSIVE_FIREWALL_RULES
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.findings import *
|
||||
|
||||
SCOUTSUITE_FINDINGS = [PERMISSIVE_FIREWALL_RULES]
|
||||
SCOUTSUITE_FINDINGS = [PERMISSIVE_FIREWALL_RULES, UNENCRYPTED_DATA, DATA_LOSS_PREVENTION, SECURE_AUTHENTICATION,
|
||||
RESTRICTIVE_POLICIES, LOGGING]
|
||||
|
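Review bot: The new `from ...findings import *` pulls every public name of the findings module into this one — including `zero_trust_consts`, `NETWORKS` and the `*Rules` classes — because that module defines no `__all__`, and it hides which finding classes this file actually depends on. Importing the six classes explicitly keeps the namespace clean and turns a missing or renamed class into an error at the import line rather than a NameError at the list: `from monkey_island.cc.services.zero_trust.scoutsuite.consts.findings import (PERMISSIVE_FIREWALL_RULES, UNENCRYPTED_DATA, DATA_LOSS_PREVENTION, SECURE_AUTHENTICATION, RESTRICTIVE_POLICIES, LOGGING)`.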
@ -9,7 +9,7 @@ EXPECTED_DICT = {
|
|||
zero_trust_consts.AUTOMATION_ORCHESTRATION: [],
|
||||
zero_trust_consts.DATA: [
|
||||
{
|
||||
"principle": zero_trust_consts.PRINCIPLES[zero_trust_consts.PRINCIPLE_DATA_TRANSIT],
|
||||
"principle": zero_trust_consts.PRINCIPLES[zero_trust_consts.PRINCIPLE_DATA_CONFIDENTIALITY],
|
||||
"status": zero_trust_consts.STATUS_FAILED,
|
||||
"tests": [
|
||||
{
|
||||
|