From a35f141cbed1cc01107b44f9aa8feda07b20845d Mon Sep 17 00:00:00 2001 
From: Mike Salvatore Date: Tue, 1 Feb 2022 15:32:37 -0500 Subject: [PATCH] Island: Remove scoutsuite findings and rules --- .../consts/rule_names/cloudformation_rules.py | 8 - .../consts/rule_names/cloudtrail_rules.py | 13 - .../consts/rule_names/cloudwatch_rules.py | 8 - .../consts/rule_names/config_rules.py | 8 - .../scoutsuite/consts/rule_names/ec2_rules.py | 37 --- .../scoutsuite/consts/rule_names/elb_rules.py | 12 - .../consts/rule_names/elbv2_rules.py | 18 -- .../scoutsuite/consts/rule_names/iam_rules.py | 41 ---- .../scoutsuite/consts/rule_names/rds_rules.py | 21 -- .../consts/rule_names/redshift_rules.py | 21 -- .../consts/rule_names/rule_name_enum.py | 5 - .../scoutsuite/consts/rule_names/s3_rules.py | 31 --- .../scoutsuite/consts/rule_names/ses_rules.py | 9 - .../scoutsuite/consts/rule_names/sns_rules.py | 14 -- .../scoutsuite/consts/rule_names/sqs_rules.py | 16 -- .../scoutsuite/consts/rule_names/vpc_rules.py | 17 -- .../consts/scoutsuite_finding_maps.py | 224 ------------------ .../consts/scoutsuite_findings_list.py | 19 -- .../zero_trust/test_scoutsuite_finding.py | 45 ---- .../test_common/scoutsuite_finding_data.py | 89 ------- .../zero_trust_report/test_finding_service.py | 64 ----- 21 files changed, 720 deletions(-) delete mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/cloudformation_rules.py delete mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/cloudtrail_rules.py delete mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/cloudwatch_rules.py delete mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/config_rules.py delete mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/ec2_rules.py delete mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/elb_rules.py delete mode 100644 
monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/elbv2_rules.py delete mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/iam_rules.py delete mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/rds_rules.py delete mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/redshift_rules.py delete mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/rule_name_enum.py delete mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/s3_rules.py delete mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/ses_rules.py delete mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/sns_rules.py delete mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/sqs_rules.py delete mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/vpc_rules.py delete mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/scoutsuite_finding_maps.py delete mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/scoutsuite_findings_list.py delete mode 100644 monkey/tests/unit_tests/monkey_island/cc/models/zero_trust/test_scoutsuite_finding.py delete mode 100644 monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/test_common/scoutsuite_finding_data.py delete mode 100644 monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/zero_trust_report/test_finding_service.py
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/cloudformation_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/cloudformation_rules.py
deleted file mode 100644
index c8dbffb46..000000000
--- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/cloudformation_rules.py
+++ /dev/null
@@ -1,8 +0,0 @@
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
- RuleNameEnum,
-)
-
-
-class CloudformationRules(RuleNameEnum):
- # Service Security
- CLOUDFORMATION_STACK_WITH_ROLE = "cloudformation-stack-with-role"
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/cloudtrail_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/cloudtrail_rules.py
deleted file mode 100644
index 04d1599dd..000000000
--- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/cloudtrail_rules.py
+++ /dev/null
@@ -1,13 +0,0 @@
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
- RuleNameEnum,
-)
-
-
-class CloudTrailRules(RuleNameEnum):
- # Logging
- CLOUDTRAIL_DUPLICATED_GLOBAL_SERVICES_LOGGING = "cloudtrail-duplicated-global-services-logging"
- CLOUDTRAIL_NO_DATA_LOGGING = "cloudtrail-no-data-logging"
- CLOUDTRAIL_NO_GLOBAL_SERVICES_LOGGING = "cloudtrail-no-global-services-logging"
- CLOUDTRAIL_NO_LOG_FILE_VALIDATION = "cloudtrail-no-log-file-validation"
- CLOUDTRAIL_NO_LOGGING = "cloudtrail-no-logging"
- CLOUDTRAIL_NOT_CONFIGURED = "cloudtrail-not-configured"
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/cloudwatch_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/cloudwatch_rules.py
deleted file mode 100644
index 954e6fc11..000000000
--- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/cloudwatch_rules.py
+++ /dev/null
@@ -1,8 +0,0 @@
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
- RuleNameEnum,
-)
-
-
-class CloudWatchRules(RuleNameEnum):
- # Logging
- CLOUDWATCH_ALARM_WITHOUT_ACTIONS = "cloudwatch-alarm-without-actions"
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/config_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/config_rules.py
deleted file mode 100644
index 6487bda99..000000000
--- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/config_rules.py
+++ /dev/null
@@ -1,8 +0,0 @@
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
- RuleNameEnum,
-)
-
-
-class ConfigRules(RuleNameEnum):
- # Logging
- CONFIG_RECORDER_NOT_CONFIGURED = "config-recorder-not-configured"
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/ec2_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/ec2_rules.py
deleted file mode 100644
index 648fbed61..000000000
--- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/ec2_rules.py
+++ /dev/null
@@ -1,37 +0,0 @@
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
- RuleNameEnum,
-)
-
-
-class EC2Rules(RuleNameEnum):
- # Permissive firewall rules
- SECURITY_GROUP_ALL_PORTS_TO_ALL = "ec2-security-group-opens-all-ports-to-all"
- SECURITY_GROUP_OPENS_TCP_PORT_TO_ALL = "ec2-security-group-opens-TCP-port-to-all"
- SECURITY_GROUP_OPENS_UDP_PORT_TO_ALL = "ec2-security-group-opens-UDP-port-to-all"
- SECURITY_GROUP_OPENS_RDP_PORT_TO_ALL = "ec2-security-group-opens-RDP-port-to-all"
- SECURITY_GROUP_OPENS_SSH_PORT_TO_ALL = "ec2-security-group-opens-SSH-port-to-all"
- SECURITY_GROUP_OPENS_MYSQL_PORT_TO_ALL = "ec2-security-group-opens-MySQL-port-to-all"
- SECURITY_GROUP_OPENS_MSSQL_PORT_TO_ALL = "ec2-security-group-opens-MsSQL-port-to-all"
- SECURITY_GROUP_OPENS_MONGODB_PORT_TO_ALL = "ec2-security-group-opens-MongoDB-port-to-all"
- SECURITY_GROUP_OPENS_ORACLE_DB_PORT_TO_ALL = "ec2-security-group-opens-Oracle DB-port-to-all"
- SECURITY_GROUP_OPENS_POSTGRESQL_PORT_TO_ALL = "ec2-security-group-opens-PostgreSQL-port-to-all"
- SECURITY_GROUP_OPENS_NFS_PORT_TO_ALL = "ec2-security-group-opens-NFS-port-to-all"
- SECURITY_GROUP_OPENS_SMTP_PORT_TO_ALL = "ec2-security-group-opens-SMTP-port-to-all"
- SECURITY_GROUP_OPENS_DNS_PORT_TO_ALL = "ec2-security-group-opens-DNS-port-to-all"
- SECURITY_GROUP_OPENS_ALL_PORTS_TO_SELF = "ec2-security-group-opens-all-ports-to-self"
- SECURITY_GROUP_OPENS_ALL_PORTS = "ec2-security-group-opens-all-ports"
- SECURITY_GROUP_OPENS_PLAINTEXT_PORT_FTP = "ec2-security-group-opens-plaintext-port-FTP"
- SECURITY_GROUP_OPENS_PLAINTEXT_PORT_TELNET = "ec2-security-group-opens-plaintext-port-Telnet"
- SECURITY_GROUP_OPENS_PORT_RANGE = "ec2-security-group-opens-port-range"
- EC2_SECURITY_GROUP_WHITELISTS_AWS = "ec2-security-group-whitelists-aws"
-
- # Encryption
- EBS_SNAPSHOT_NOT_ENCRYPTED = "ec2-ebs-snapshot-not-encrypted"
- EBS_VOLUME_NOT_ENCRYPTED = "ec2-ebs-volume-not-encrypted"
- EC2_INSTANCE_WITH_USER_DATA_SECRETS = "ec2-instance-with-user-data-secrets"
-
- # Permissive policies
- AMI_PUBLIC = "ec2-ami-public"
- EC2_DEFAULT_SECURITY_GROUP_IN_USE = "ec2-default-security-group-in-use"
- EC2_DEFAULT_SECURITY_GROUP_WITH_RULES = "ec2-default-security-group-with-rules"
- EC2_EBS_SNAPSHOT_PUBLIC = "ec2-ebs-snapshot-public"
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/elb_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/elb_rules.py
deleted file mode 100644
index c4fad62ec..000000000
--- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/elb_rules.py
+++ /dev/null
@@ -1,12 +0,0 @@
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
- RuleNameEnum,
-)
-
-
-class ELBRules(RuleNameEnum):
- # Logging
- ELB_NO_ACCESS_LOGS = "elb-no-access-logs"
-
- # Encryption
- ELB_LISTENER_ALLOWING_CLEARTEXT = "elb-listener-allowing-cleartext"
- ELB_OLDER_SSL_POLICY = "elb-older-ssl-policy"
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/elbv2_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/elbv2_rules.py
deleted file mode 100644
index 90590a651..000000000
--- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/elbv2_rules.py
+++ /dev/null
@@ -1,18 +0,0 @@
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
- RuleNameEnum,
-)
-
-
-class ELBv2Rules(RuleNameEnum):
- # Encryption
- ELBV2_LISTENER_ALLOWING_CLEARTEXT = "elbv2-listener-allowing-cleartext"
- ELBV2_OLDER_SSL_POLICY = "elbv2-older-ssl-policy"
-
- # Logging
- ELBV2_NO_ACCESS_LOGS = "elbv2-no-access-logs"
-
- # Data loss prevention
- ELBV2_NO_DELETION_PROTECTION = "elbv2-no-deletion-protection"
-
- # Service security
- ELBV2_HTTP_REQUEST_SMUGGLING = "elbv2-http-request-smuggling"
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/iam_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/iam_rules.py
deleted file mode 100644
index 8589446bb..000000000
--- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/iam_rules.py
+++ /dev/null
@@ -1,41 +0,0 @@
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
- RuleNameEnum,
-)
-
-
-class IAMRules(RuleNameEnum):
- # Authentication/authorization
- IAM_USER_NO_ACTIVE_KEY_ROTATION = "iam-user-no-Active-key-rotation"
- IAM_PASSWORD_POLICY_MINIMUM_LENGTH = "iam-password-policy-minimum-length"
- IAM_PASSWORD_POLICY_NO_EXPIRATION = "iam-password-policy-no-expiration"
- IAM_PASSWORD_POLICY_REUSE_ENABLED = "iam-password-policy-reuse-enabled"
- IAM_USER_WITH_PASSWORD_AND_KEY = "iam-user-with-password-and-key"
- IAM_ASSUME_ROLE_LACKS_EXTERNAL_ID_AND_MFA = "iam-assume-role-lacks-external-id-and-mfa"
- IAM_USER_WITHOUT_MFA = "iam-user-without-mfa"
- IAM_ROOT_ACCOUNT_NO_MFA = "iam-root-account-no-mfa"
- IAM_ROOT_ACCOUNT_WITH_ACTIVE_KEYS = "iam-root-account-with-active-keys"
- IAM_USER_NO_INACTIVE_KEY_ROTATION = "iam-user-no-Inactive-key-rotation"
- IAM_USER_WITH_MULTIPLE_ACCESS_KEYS = "iam-user-with-multiple-access-keys"
-
- # Least privilege
- IAM_ASSUME_ROLE_POLICY_ALLOWS_ALL = "iam-assume-role-policy-allows-all"
- IAM_EC2_ROLE_WITHOUT_INSTANCES = "iam-ec2-role-without-instances"
- IAM_GROUP_WITH_INLINE_POLICIES = "iam-group-with-inline-policies"
- IAM_GROUP_WITH_NO_USERS = "iam-group-with-no-users"
- IAM_INLINE_GROUP_POLICY_ALLOWS_IAM_PASSROLE = "iam-inline-group-policy-allows-iam-PassRole"
- IAM_INLINE_GROUP_POLICY_ALLOWS_NOTACTIONS = "iam-inline-group-policy-allows-NotActions"
- IAM_INLINE_GROUP_POLICY_ALLOWS_STS_ASSUMEROLE = "iam-inline-group-policy-allows-sts-AssumeRole"
- IAM_INLINE_ROLE_POLICY_ALLOWS_IAM_PASSROLE = "iam-inline-role-policy-allows-iam-PassRole"
- IAM_INLINE_ROLE_POLICY_ALLOWS_NOTACTIONS = "iam-inline-role-policy-allows-NotActions"
- IAM_INLINE_ROLE_POLICY_ALLOWS_STS_ASSUMEROLE = "iam-inline-role-policy-allows-sts-AssumeRole"
- IAM_INLINE_USER_POLICY_ALLOWS_IAM_PASSROLE = "iam-inline-user-policy-allows-iam-PassRole"
- IAM_INLINE_USER_POLICY_ALLOWS_NOTACTIONS = "iam-inline-user-policy-allows-NotActions"
- IAM_INLINE_USER_POLICY_ALLOWS_STS_ASSUMEROLE = "iam-inline-user-policy-allows-sts-AssumeRole"
- IAM_MANAGED_POLICY_ALLOWS_IAM_PASSROLE = "iam-managed-policy-allows-iam-PassRole"
- IAM_MANAGED_POLICY_ALLOWS_NOTACTIONS = "iam-managed-policy-allows-NotActions"
- IAM_MANAGED_POLICY_ALLOWS_STS_ASSUMEROLE = "iam-managed-policy-allows-sts-AssumeRole"
- IAM_MANAGED_POLICY_NO_ATTACHMENTS = "iam-managed-policy-no-attachments"
- IAM_ROLE_WITH_INLINE_POLICIES = "iam-role-with-inline-policies"
- IAM_ROOT_ACCOUNT_USED_RECENTLY = "iam-root-account-used-recently"
- IAM_ROOT_ACCOUNT_WITH_ACTIVE_CERTS = "iam-root-account-with-active-certs"
- IAM_USER_WITH_INLINE_POLICIES = "iam-user-with-inline-policies"
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/rds_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/rds_rules.py
deleted file mode 100644
index db8e2602b..000000000
--- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/rds_rules.py
+++ /dev/null
@@ -1,21 +0,0 @@
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
- RuleNameEnum,
-)
-
-
-class RDSRules(RuleNameEnum):
- # Encryption
- RDS_INSTANCE_STORAGE_NOT_ENCRYPTED = "rds-instance-storage-not-encrypted"
-
- # Data loss prevention
- RDS_INSTANCE_BACKUP_DISABLED = "rds-instance-backup-disabled"
- RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD = "rds-instance-short-backup-retention-period"
- RDS_INSTANCE_SINGLE_AZ = "rds-instance-single-az"
-
- # Firewalls
- RDS_SECURITY_GROUP_ALLOWS_ALL = "rds-security-group-allows-all"
- RDS_SNAPSHOT_PUBLIC = "rds-snapshot-public"
-
- # Service security
- RDS_INSTANCE_CA_CERTIFICATE_DEPRECATED = "rds-instance-ca-certificate-deprecated"
- RDS_INSTANCE_NO_MINOR_UPGRADE = "rds-instance-no-minor-upgrade"
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/redshift_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/redshift_rules.py
deleted file mode 100644
index 20fa6337d..000000000
--- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/redshift_rules.py
+++ /dev/null
@@ -1,21 +0,0 @@
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
- RuleNameEnum,
-)
-
-
-class RedshiftRules(RuleNameEnum):
- # Encryption
- REDSHIFT_CLUSTER_DATABASE_NOT_ENCRYPTED = "redshift-cluster-database-not-encrypted"
- REDSHIFT_PARAMETER_GROUP_SSL_NOT_REQUIRED = "redshift-parameter-group-ssl-not-required"
-
- # Firewalls
- REDSHIFT_SECURITY_GROUP_WHITELISTS_ALL = "redshift-security-group-whitelists-all"
-
- # Restrictive Policies
- REDSHIFT_CLUSTER_PUBLICLY_ACCESSIBLE = "redshift-cluster-publicly-accessible"
-
- # Logging
- REDSHIFT_PARAMETER_GROUP_LOGGING_DISABLED = "redshift-parameter-group-logging-disabled"
-
- # Service security
- REDSHIFT_CLUSTER_NO_VERSION_UPGRADE = "redshift-cluster-no-version-upgrade"
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/rule_name_enum.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/rule_name_enum.py
deleted file mode 100644
index 5ad382c3d..000000000
--- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/rule_name_enum.py
+++ /dev/null
@@ -1,5 +0,0 @@
-from enum import Enum
-
-
-class RuleNameEnum(Enum):
- pass
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/s3_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/s3_rules.py
deleted file mode 100644
index a57d95f7c..000000000
--- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/s3_rules.py
+++ /dev/null
@@ -1,31 +0,0 @@
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
- RuleNameEnum,
-)
-
-
-class S3Rules(RuleNameEnum):
- # Encryption
- S3_BUCKET_ALLOWING_CLEARTEXT = "s3-bucket-allowing-cleartext"
- S3_BUCKET_NO_DEFAULT_ENCRYPTION = "s3-bucket-no-default-encryption"
-
- # Data loss prevention
- S3_BUCKET_NO_MFA_DELETE = "s3-bucket-no-mfa-delete"
- S3_BUCKET_NO_VERSIONING = "s3-bucket-no-versioning"
-
- # Logging
- S3_BUCKET_NO_LOGGING = "s3-bucket-no-logging"
-
- # Permissive access rules
- S3_BUCKET_AUTHENTICATEDUSERS_WRITE_ACP = "s3-bucket-AuthenticatedUsers-write_acp"
- S3_BUCKET_AUTHENTICATEDUSERS_WRITE = "s3-bucket-AuthenticatedUsers-write"
- S3_BUCKET_AUTHENTICATEDUSERS_READ_ACP = "s3-bucket-AuthenticatedUsers-read_acp"
- S3_BUCKET_AUTHENTICATEDUSERS_READ = "s3-bucket-AuthenticatedUsers-read"
- S3_BUCKET_ALLUSERS_WRITE_ACP = "s3-bucket-AllUsers-write_acp"
- S3_BUCKET_ALLUSERS_WRITE = "s3-bucket-AllUsers-write"
- S3_BUCKET_ALLUSERS_READ_ACP = "s3-bucket-AllUsers-read_acp"
- S3_BUCKET_ALLUSERS_READ = "s3-bucket-AllUsers-read"
- S3_BUCKET_WORLD_PUT_POLICY = "s3-bucket-world-Put-policy"
- S3_BUCKET_WORLD_POLICY_STAR = "s3-bucket-world-policy-star"
- S3_BUCKET_WORLD_LIST_POLICY = "s3-bucket-world-List-policy"
- S3_BUCKET_WORLD_GET_POLICY = "s3-bucket-world-Get-policy"
- S3_BUCKET_WORLD_DELETE_POLICY = "s3-bucket-world-Delete-policy"
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/ses_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/ses_rules.py
deleted file mode 100644
index a73e00478..000000000
--- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/ses_rules.py
+++ /dev/null
@@ -1,9 +0,0 @@
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
- RuleNameEnum,
-)
-
-
-class SESRules(RuleNameEnum):
- # Permissive policies
- SES_IDENTITY_WORLD_SENDRAWEMAIL_POLICY = "ses-identity-world-SendRawEmail-policy"
- SES_IDENTITY_WORLD_SENDEMAIL_POLICY = "ses-identity-world-SendEmail-policy"
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/sns_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/sns_rules.py
deleted file mode 100644
index 09d410239..000000000
--- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/sns_rules.py
+++ /dev/null
@@ -1,14 +0,0 @@
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
- RuleNameEnum,
-)
-
-
-class SNSRules(RuleNameEnum):
- # Permissive policies
- SNS_TOPIC_WORLD_SUBSCRIBE_POLICY = "sns-topic-world-Subscribe-policy"
- SNS_TOPIC_WORLD_SETTOPICATTRIBUTES_POLICY = "sns-topic-world-SetTopicAttributes-policy"
- SNS_TOPIC_WORLD_REMOVEPERMISSION_POLICY = "sns-topic-world-RemovePermission-policy"
- SNS_TOPIC_WORLD_RECEIVE_POLICY = "sns-topic-world-Receive-policy"
- SNS_TOPIC_WORLD_PUBLISH_POLICY = "sns-topic-world-Publish-policy"
- SNS_TOPIC_WORLD_DELETETOPIC_POLICY = "sns-topic-world-DeleteTopic-policy"
- SNS_TOPIC_WORLD_ADDPERMISSION_POLICY = "sns-topic-world-AddPermission-policy"
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/sqs_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/sqs_rules.py
deleted file mode 100644
index 44e666f96..000000000
--- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/sqs_rules.py
+++ /dev/null
@@ -1,16 +0,0 @@
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
- RuleNameEnum,
-)
-
-
-class SQSRules(RuleNameEnum):
- # Permissive policies
- SQS_QUEUE_WORLD_SENDMESSAGE_POLICY = "sqs-queue-world-SendMessage-policy"
- SQS_QUEUE_WORLD_RECEIVEMESSAGE_POLICY = "sqs-queue-world-ReceiveMessage-policy"
- SQS_QUEUE_WORLD_PURGEQUEUE_POLICY = "sqs-queue-world-PurgeQueue-policy"
- SQS_QUEUE_WORLD_GETQUEUEURL_POLICY = "sqs-queue-world-GetQueueUrl-policy"
- SQS_QUEUE_WORLD_GETQUEUEATTRIBUTES_POLICY = "sqs-queue-world-GetQueueAttributes-policy"
- SQS_QUEUE_WORLD_DELETEMESSAGE_POLICY = "sqs-queue-world-DeleteMessage-policy"
- SQS_QUEUE_WORLD_CHANGEMESSAGEVISIBILITY_POLICY = (
- "sqs-queue-world-ChangeMessageVisibility-policy"
- )
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/vpc_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/vpc_rules.py
deleted file mode 100644
index f4ecba532..000000000
--- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/vpc_rules.py
+++ /dev/null
@@ -1,17 +0,0 @@
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
- RuleNameEnum,
-)
-
-
-class VPCRules(RuleNameEnum):
- # Logging
- SUBNET_WITHOUT_FLOW_LOG = "vpc-subnet-without-flow-log"
-
- # Firewalls
- SUBNET_WITH_ALLOW_ALL_INGRESS_ACLS = "vpc-subnet-with-allow-all-ingress-acls"
- SUBNET_WITH_ALLOW_ALL_EGRESS_ACLS = "vpc-subnet-with-allow-all-egress-acls"
- NETWORK_ACL_NOT_USED = "vpc-network-acl-not-used"
- DEFAULT_NETWORK_ACLS_ALLOW_ALL_INGRESS = "vpc-default-network-acls-allow-all-ingress"
- DEFAULT_NETWORK_ACLS_ALLOW_ALL_EGRESS = "vpc-default-network-acls-allow-all-egress"
- CUSTOM_NETWORK_ACLS_ALLOW_ALL_INGRESS = "vpc-custom-network-acls-allow-all-ingress"
- CUSTOM_NETWORK_ACLS_ALLOW_ALL_EGRESS = "vpc-custom-network-acls-allow-all-egress"
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/scoutsuite_finding_maps.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/scoutsuite_finding_maps.py
deleted file mode 100644
index ddab1cfd6..000000000
--- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/scoutsuite_finding_maps.py
+++ /dev/null
@@ -1,224 +0,0 @@
-from abc import ABC, abstractmethod
-from typing import List
-
-from common.common_consts import zero_trust_consts
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudformation_rules import (
- CloudformationRules,
-)
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudtrail_rules import (
- CloudTrailRules,
-)
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudwatch_rules import (
- CloudWatchRules,
-)
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.config_rules import (
- ConfigRules,
-)
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.ec2_rules import EC2Rules
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.elb_rules import ELBRules
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.elbv2_rules import ELBv2Rules
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.iam_rules import IAMRules
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rds_rules import RDSRules
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.redshift_rules import (
- RedshiftRules,
-)
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
- RuleNameEnum,
-)
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.s3_rules import S3Rules
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.ses_rules import SESRules
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.sns_rules import SNSRules
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.sqs_rules import SQSRules
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.vpc_rules import VPCRules
-
-
-# Class which links ZT tests and rules to ScoutSuite finding
-class ScoutSuiteFindingMap(ABC):
- @property
- @abstractmethod
- def rules(self) -> List[RuleNameEnum]:
- pass
-
- @property
- @abstractmethod
- def test(self) -> str:
- pass
-
-
-class PermissiveFirewallRules(ScoutSuiteFindingMap):
- rules = [
- EC2Rules.SECURITY_GROUP_ALL_PORTS_TO_ALL,
- EC2Rules.SECURITY_GROUP_OPENS_TCP_PORT_TO_ALL,
- EC2Rules.SECURITY_GROUP_OPENS_UDP_PORT_TO_ALL,
- EC2Rules.SECURITY_GROUP_OPENS_RDP_PORT_TO_ALL,
- EC2Rules.SECURITY_GROUP_OPENS_SSH_PORT_TO_ALL,
- EC2Rules.SECURITY_GROUP_OPENS_MYSQL_PORT_TO_ALL,
- EC2Rules.SECURITY_GROUP_OPENS_MSSQL_PORT_TO_ALL,
- EC2Rules.SECURITY_GROUP_OPENS_MONGODB_PORT_TO_ALL,
- EC2Rules.SECURITY_GROUP_OPENS_ORACLE_DB_PORT_TO_ALL,
- EC2Rules.SECURITY_GROUP_OPENS_POSTGRESQL_PORT_TO_ALL,
- EC2Rules.SECURITY_GROUP_OPENS_NFS_PORT_TO_ALL,
- EC2Rules.SECURITY_GROUP_OPENS_SMTP_PORT_TO_ALL,
- EC2Rules.SECURITY_GROUP_OPENS_DNS_PORT_TO_ALL,
- EC2Rules.SECURITY_GROUP_OPENS_ALL_PORTS_TO_SELF,
- EC2Rules.SECURITY_GROUP_OPENS_ALL_PORTS,
- EC2Rules.SECURITY_GROUP_OPENS_PLAINTEXT_PORT_FTP,
- EC2Rules.SECURITY_GROUP_OPENS_PLAINTEXT_PORT_TELNET,
- EC2Rules.SECURITY_GROUP_OPENS_PORT_RANGE,
- EC2Rules.EC2_SECURITY_GROUP_WHITELISTS_AWS,
- VPCRules.SUBNET_WITH_ALLOW_ALL_INGRESS_ACLS,
- VPCRules.SUBNET_WITH_ALLOW_ALL_EGRESS_ACLS,
- VPCRules.NETWORK_ACL_NOT_USED,
- VPCRules.DEFAULT_NETWORK_ACLS_ALLOW_ALL_INGRESS,
- VPCRules.DEFAULT_NETWORK_ACLS_ALLOW_ALL_EGRESS,
- VPCRules.CUSTOM_NETWORK_ACLS_ALLOW_ALL_INGRESS,
- VPCRules.CUSTOM_NETWORK_ACLS_ALLOW_ALL_EGRESS,
- RDSRules.RDS_SECURITY_GROUP_ALLOWS_ALL,
- RedshiftRules.REDSHIFT_SECURITY_GROUP_WHITELISTS_ALL,
- ]
-
- test = zero_trust_consts.TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES
-
-
-class UnencryptedData(ScoutSuiteFindingMap):
- rules = [
- EC2Rules.EBS_SNAPSHOT_NOT_ENCRYPTED,
- EC2Rules.EBS_VOLUME_NOT_ENCRYPTED,
- EC2Rules.EC2_INSTANCE_WITH_USER_DATA_SECRETS,
- ELBv2Rules.ELBV2_LISTENER_ALLOWING_CLEARTEXT,
- ELBv2Rules.ELBV2_OLDER_SSL_POLICY,
- RDSRules.RDS_INSTANCE_STORAGE_NOT_ENCRYPTED,
- RedshiftRules.REDSHIFT_CLUSTER_DATABASE_NOT_ENCRYPTED,
- RedshiftRules.REDSHIFT_PARAMETER_GROUP_SSL_NOT_REQUIRED,
- S3Rules.S3_BUCKET_ALLOWING_CLEARTEXT,
- S3Rules.S3_BUCKET_NO_DEFAULT_ENCRYPTION,
- ELBRules.ELB_LISTENER_ALLOWING_CLEARTEXT,
- ELBRules.ELB_OLDER_SSL_POLICY,
- ]
-
- test = zero_trust_consts.TEST_SCOUTSUITE_UNENCRYPTED_DATA
-
-
-class DataLossPrevention(ScoutSuiteFindingMap):
- rules = [
- RDSRules.RDS_INSTANCE_BACKUP_DISABLED,
- RDSRules.RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD,
- RDSRules.RDS_INSTANCE_SINGLE_AZ,
- S3Rules.S3_BUCKET_NO_MFA_DELETE,
- S3Rules.S3_BUCKET_NO_VERSIONING,
- ELBv2Rules.ELBV2_NO_DELETION_PROTECTION,
- ]
-
- test = zero_trust_consts.TEST_SCOUTSUITE_DATA_LOSS_PREVENTION
-
-
-class SecureAuthentication(ScoutSuiteFindingMap):
- rules = [
- IAMRules.IAM_USER_NO_ACTIVE_KEY_ROTATION,
- IAMRules.IAM_PASSWORD_POLICY_MINIMUM_LENGTH,
- IAMRules.IAM_PASSWORD_POLICY_NO_EXPIRATION,
- IAMRules.IAM_PASSWORD_POLICY_REUSE_ENABLED,
- IAMRules.IAM_USER_WITH_PASSWORD_AND_KEY,
- IAMRules.IAM_ASSUME_ROLE_LACKS_EXTERNAL_ID_AND_MFA,
- IAMRules.IAM_USER_WITHOUT_MFA,
- IAMRules.IAM_ROOT_ACCOUNT_NO_MFA,
- IAMRules.IAM_ROOT_ACCOUNT_WITH_ACTIVE_KEYS,
- IAMRules.IAM_USER_NO_INACTIVE_KEY_ROTATION,
- IAMRules.IAM_USER_WITH_MULTIPLE_ACCESS_KEYS,
- ]
-
- test = zero_trust_consts.TEST_SCOUTSUITE_SECURE_AUTHENTICATION
-
-
-class RestrictivePolicies(ScoutSuiteFindingMap):
- rules = [
- IAMRules.IAM_ASSUME_ROLE_POLICY_ALLOWS_ALL,
- IAMRules.IAM_EC2_ROLE_WITHOUT_INSTANCES,
- IAMRules.IAM_GROUP_WITH_INLINE_POLICIES,
- IAMRules.IAM_GROUP_WITH_NO_USERS,
- IAMRules.IAM_INLINE_GROUP_POLICY_ALLOWS_IAM_PASSROLE,
- IAMRules.IAM_INLINE_GROUP_POLICY_ALLOWS_NOTACTIONS,
- IAMRules.IAM_INLINE_GROUP_POLICY_ALLOWS_STS_ASSUMEROLE,
- IAMRules.IAM_INLINE_ROLE_POLICY_ALLOWS_IAM_PASSROLE,
- IAMRules.IAM_INLINE_ROLE_POLICY_ALLOWS_NOTACTIONS,
- IAMRules.IAM_INLINE_ROLE_POLICY_ALLOWS_STS_ASSUMEROLE,
- IAMRules.IAM_INLINE_USER_POLICY_ALLOWS_IAM_PASSROLE,
- IAMRules.IAM_INLINE_USER_POLICY_ALLOWS_NOTACTIONS,
- IAMRules.IAM_INLINE_USER_POLICY_ALLOWS_STS_ASSUMEROLE,
- IAMRules.IAM_MANAGED_POLICY_ALLOWS_IAM_PASSROLE,
- IAMRules.IAM_MANAGED_POLICY_ALLOWS_NOTACTIONS,
- IAMRules.IAM_MANAGED_POLICY_ALLOWS_STS_ASSUMEROLE,
- IAMRules.IAM_MANAGED_POLICY_NO_ATTACHMENTS,
- IAMRules.IAM_ROLE_WITH_INLINE_POLICIES,
- IAMRules.IAM_ROOT_ACCOUNT_USED_RECENTLY,
- IAMRules.IAM_ROOT_ACCOUNT_WITH_ACTIVE_CERTS,
- IAMRules.IAM_USER_WITH_INLINE_POLICIES,
- EC2Rules.AMI_PUBLIC,
- S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_WRITE_ACP,
- S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_WRITE,
- S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_READ_ACP,
- S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_READ,
- S3Rules.S3_BUCKET_ALLUSERS_WRITE_ACP,
- S3Rules.S3_BUCKET_ALLUSERS_WRITE,
- S3Rules.S3_BUCKET_ALLUSERS_READ_ACP,
- S3Rules.S3_BUCKET_ALLUSERS_READ,
- S3Rules.S3_BUCKET_WORLD_PUT_POLICY,
- S3Rules.S3_BUCKET_WORLD_POLICY_STAR,
- S3Rules.S3_BUCKET_WORLD_LIST_POLICY,
- S3Rules.S3_BUCKET_WORLD_GET_POLICY,
- S3Rules.S3_BUCKET_WORLD_DELETE_POLICY,
- EC2Rules.EC2_DEFAULT_SECURITY_GROUP_IN_USE,
- EC2Rules.EC2_DEFAULT_SECURITY_GROUP_WITH_RULES,
- EC2Rules.EC2_EBS_SNAPSHOT_PUBLIC,
- SQSRules.SQS_QUEUE_WORLD_SENDMESSAGE_POLICY,
- SQSRules.SQS_QUEUE_WORLD_RECEIVEMESSAGE_POLICY,
- SQSRules.SQS_QUEUE_WORLD_PURGEQUEUE_POLICY,
- SQSRules.SQS_QUEUE_WORLD_GETQUEUEURL_POLICY,
- SQSRules.SQS_QUEUE_WORLD_GETQUEUEATTRIBUTES_POLICY,
- SQSRules.SQS_QUEUE_WORLD_DELETEMESSAGE_POLICY,
- SQSRules.SQS_QUEUE_WORLD_CHANGEMESSAGEVISIBILITY_POLICY,
- SNSRules.SNS_TOPIC_WORLD_SUBSCRIBE_POLICY,
- SNSRules.SNS_TOPIC_WORLD_SETTOPICATTRIBUTES_POLICY,
- SNSRules.SNS_TOPIC_WORLD_REMOVEPERMISSION_POLICY,
- SNSRules.SNS_TOPIC_WORLD_RECEIVE_POLICY,
- SNSRules.SNS_TOPIC_WORLD_PUBLISH_POLICY,
- SNSRules.SNS_TOPIC_WORLD_DELETETOPIC_POLICY,
- SNSRules.SNS_TOPIC_WORLD_ADDPERMISSION_POLICY,
- SESRules.SES_IDENTITY_WORLD_SENDRAWEMAIL_POLICY,
- SESRules.SES_IDENTITY_WORLD_SENDEMAIL_POLICY,
- RedshiftRules.REDSHIFT_CLUSTER_PUBLICLY_ACCESSIBLE,
- ]
-
- test = zero_trust_consts.TEST_SCOUTSUITE_RESTRICTIVE_POLICIES
-
-
-class Logging(ScoutSuiteFindingMap):
- rules = [
- CloudTrailRules.CLOUDTRAIL_DUPLICATED_GLOBAL_SERVICES_LOGGING,
- CloudTrailRules.CLOUDTRAIL_NO_DATA_LOGGING,
- CloudTrailRules.CLOUDTRAIL_NO_GLOBAL_SERVICES_LOGGING,
- CloudTrailRules.CLOUDTRAIL_NO_LOG_FILE_VALIDATION,
- CloudTrailRules.CLOUDTRAIL_NO_LOGGING,
- CloudTrailRules.CLOUDTRAIL_NOT_CONFIGURED,
- CloudWatchRules.CLOUDWATCH_ALARM_WITHOUT_ACTIONS,
- ELBRules.ELB_NO_ACCESS_LOGS,
- S3Rules.S3_BUCKET_NO_LOGGING,
- ELBv2Rules.ELBV2_NO_ACCESS_LOGS,
- VPCRules.SUBNET_WITHOUT_FLOW_LOG,
- ConfigRules.CONFIG_RECORDER_NOT_CONFIGURED,
- RedshiftRules.REDSHIFT_PARAMETER_GROUP_LOGGING_DISABLED,
- ]
-
- test = zero_trust_consts.TEST_SCOUTSUITE_LOGGING
-
-
-class ServiceSecurity(ScoutSuiteFindingMap):
- rules = [
- CloudformationRules.CLOUDFORMATION_STACK_WITH_ROLE,
- ELBv2Rules.ELBV2_HTTP_REQUEST_SMUGGLING,
- RDSRules.RDS_INSTANCE_CA_CERTIFICATE_DEPRECATED,
- RDSRules.RDS_INSTANCE_NO_MINOR_UPGRADE,
- RedshiftRules.REDSHIFT_CLUSTER_NO_VERSION_UPGRADE,
- ]
-
- test = zero_trust_consts.TEST_SCOUTSUITE_SERVICE_SECURITY
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/scoutsuite_findings_list.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/scoutsuite_findings_list.py
deleted file mode 100644
index 65f85aa9d..000000000
--- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/scoutsuite_findings_list.py
+++ /dev/null
@@ -1,19 +0,0 @@
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.scoutsuite_finding_maps import (
- DataLossPrevention,
- Logging,
- PermissiveFirewallRules,
- RestrictivePolicies,
- SecureAuthentication,
- ServiceSecurity,
- UnencryptedData,
-)
-
-SCOUTSUITE_FINDINGS = [
- PermissiveFirewallRules,
- UnencryptedData,
- DataLossPrevention,
- SecureAuthentication,
- RestrictivePolicies,
- Logging,
- ServiceSecurity,
-]
diff --git a/monkey/tests/unit_tests/monkey_island/cc/models/zero_trust/test_scoutsuite_finding.py b/monkey/tests/unit_tests/monkey_island/cc/models/zero_trust/test_scoutsuite_finding.py
deleted file mode 100644
index 952d87289..000000000
--- a/monkey/tests/unit_tests/monkey_island/cc/models/zero_trust/test_scoutsuite_finding.py
+++ /dev/null
@@ -1,45 +0,0 @@
-import pytest
-from mongoengine import ValidationError
-from tests.unit_tests.monkey_island.cc.services.zero_trust.test_common.scoutsuite_finding_data import ( # noqa: E501
- RULES,
-)
-
-import common.common_consts.zero_trust_consts as zero_trust_consts
-from monkey_island.cc.models.zero_trust.finding import Finding
-from monkey_island.cc.models.zero_trust.monkey_finding_details import MonkeyFindingDetails
-from monkey_island.cc.models.zero_trust.scoutsuite_finding import ScoutSuiteFinding
-from monkey_island.cc.models.zero_trust.scoutsuite_finding_details import ScoutSuiteFindingDetails
-
-MONKEY_FINDING_DETAIL_MOCK = MonkeyFindingDetails()
-MONKEY_FINDING_DETAIL_MOCK.events = ["mock1", "mock2"]
-SCOUTSUITE_FINDING_DETAIL_MOCK = ScoutSuiteFindingDetails()
-SCOUTSUITE_FINDING_DETAIL_MOCK.scoutsuite_rules = []
-
-
-class TestScoutSuiteFinding:
- @pytest.mark.usefixtures("uses_database")
- def test_save_finding_validation(self):
- with pytest.raises(ValidationError):
- _ = ScoutSuiteFinding.save_finding(
- test=zero_trust_consts.TEST_SEGMENTATION,
- status="bla bla",
- detail_ref=SCOUTSUITE_FINDING_DETAIL_MOCK,
- )
-
- @pytest.mark.usefixtures("uses_database")
- def test_save_finding_sanity(self):
- assert len(Finding.objects(test=zero_trust_consts.TEST_SEGMENTATION)) == 0
-
- rule_example = RULES[0]
- scoutsuite_details_example = ScoutSuiteFindingDetails()
- scoutsuite_details_example.scoutsuite_rules.append(rule_example)
- scoutsuite_details_example.save()
- ScoutSuiteFinding.save_finding(
- test=zero_trust_consts.TEST_SEGMENTATION,
- status=zero_trust_consts.STATUS_FAILED,
- detail_ref=scoutsuite_details_example,
- )
-
- assert len(ScoutSuiteFinding.objects(test=zero_trust_consts.TEST_SEGMENTATION)) == 1
- assert len(ScoutSuiteFinding.objects(status=zero_trust_consts.STATUS_FAILED)) == 1
- assert len(Finding.objects(status=zero_trust_consts.STATUS_FAILED)) == 1
diff --git a/monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/test_common/scoutsuite_finding_data.py b/monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/test_common/scoutsuite_finding_data.py
deleted file mode 100644
index 2302b68e9..000000000
--- a/monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/test_common/scoutsuite_finding_data.py
+++ /dev/null
@@ -1,89 +0,0 @@
-from monkey_island.cc.models.zero_trust.scoutsuite_finding_details import ScoutSuiteFindingDetails
-from monkey_island.cc.models.zero_trust.scoutsuite_rule import ScoutSuiteRule
-from monkey_island.cc.services.zero_trust.scoutsuite.consts.scoutsuite_finding_maps import (
- PermissiveFirewallRules,
- UnencryptedData,
-)
-
-SCOUTSUITE_FINDINGS = [PermissiveFirewallRules, UnencryptedData]
-
-RULES = [
- ScoutSuiteRule(
- checked_items=179,
- compliance=None,
- dashboard_name="Rules",
- description="Security Group Opens All Ports to All",
- flagged_items=2,
- items=[
- "ec2.regions.eu-central-1.vpcs.vpc-0ee259b1a13c50229.security_groups.sg"
- "-035779fe5c293fc72"
- ".rules.ingress.protocols.ALL.ports.1-65535.cidrs.2.CIDR",
- "ec2.regions.eu-central-1.vpcs.vpc-00015526b6695f9aa.security_groups.sg"
- "-019eb67135ec81e65"
- ".rules.ingress.protocols.ALL.ports.1-65535.cidrs.0.CIDR",
- ],
- level="danger",
- path="ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id.cidrs"
- ".id.CIDR",
- rationale="It was detected that all ports in the security group are open, "
- "and any source IP address"
- " could send traffic to these ports, which creates a wider attack surface "
- "for resources "
- "assigned to it. 
Open ports should be reduced to the minimum needed to "
- "correctly",
- references=[],
- remediation=None,
- service="EC2",
- ),
- ScoutSuiteRule(
- checked_items=179,
- compliance=[
- {"name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "4.1"},
- {"name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "4.2"},
- {"name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "4.1"},
- {"name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "4.2"},
- {"name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "4.1"},
- {"name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "4.2"},
- ],
- dashboard_name="Rules",
- description="Security Group Opens RDP Port to All",
- flagged_items=7,
- items=[
- "ec2.regions.eu-central-1.vpcs.vpc-076500a2138ee09da.security_groups.sg"
- "-00bdef5951797199c"
- ".rules.ingress.protocols.TCP.ports.3389.cidrs.0.CIDR",
- "ec2.regions.eu-central-1.vpcs.vpc-d33026b8.security_groups.sg-007931ba8a364e330"
- ".rules.ingress.protocols.TCP.ports.3389.cidrs.0.CIDR",
- "ec2.regions.eu-central-1.vpcs.vpc-d33026b8.security_groups.sg-05014daf996b042dd"
- ".rules.ingress.protocols.TCP.ports.3389.cidrs.0.CIDR",
- "ec2.regions.eu-central-1.vpcs.vpc-d33026b8.security_groups.sg-0c745fe56c66335b2"
- ".rules.ingress.protocols.TCP.ports.3389.cidrs.0.CIDR",
- "ec2.regions.eu-central-1.vpcs.vpc-d33026b8.security_groups.sg-0f99b85cfad63d1b1"
- ".rules.ingress.protocols.TCP.ports.3389.cidrs.0.CIDR",
- "ec2.regions.us-east-1.vpcs.vpc-9e56cae4.security_groups.sg-0dc253aa79062835a"
- ".rules.ingress.protocols.TCP.ports.3389.cidrs.0.CIDR",
- "ec2.regions.us-east-1.vpcs.vpc-002d543353cd4e97d.security_groups.sg"
- "-01902f153d4f938da"
- ".rules.ingress.protocols.TCP.ports.3389.cidrs.0.CIDR",
- ],
- level="danger",
- path="ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id.cidrs"
- ".id.CIDR",
- 
rationale="The security group was found to be exposing a well-known port to all "
- "source addresses."
- " Well-known ports are commonly probed by automated scanning tools, "
- "and could be an indicator "
- "of sensitive services exposed to Internet. If such services need to be "
- "expos",
- references=[],
- remediation="Remove the inbound rules that expose open ports",
- service="EC2",
- ),
-]
-
-
-def get_scoutsuite_details_dto() -> ScoutSuiteFindingDetails:
- scoutsuite_details = ScoutSuiteFindingDetails()
- scoutsuite_details.scoutsuite_rules.append(RULES[0])
- scoutsuite_details.scoutsuite_rules.append(RULES[1])
- return scoutsuite_details
diff --git a/monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/zero_trust_report/test_finding_service.py b/monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/zero_trust_report/test_finding_service.py
deleted file mode 100644
index 4c2c1527f..000000000
--- a/monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/zero_trust_report/test_finding_service.py
+++ /dev/null
@@ -1,64 +0,0 @@
-from unittest.mock import MagicMock
-
-import pytest
-from tests.unit_tests.monkey_island.cc.services.zero_trust.test_common.finding_data import (
- get_monkey_finding_dto,
- get_scoutsuite_finding_dto,
-)
-
-from common.common_consts.zero_trust_consts import (
- DEVICES,
- NETWORKS,
- STATUS_FAILED,
- STATUS_PASSED,
- TEST_ENDPOINT_SECURITY_EXISTS,
- TEST_SCOUTSUITE_SERVICE_SECURITY,
- TESTS_MAP,
-)
-from monkey_island.cc.services.zero_trust.monkey_findings.monkey_zt_details_service import (
- MonkeyZTDetailsService,
-)
-from monkey_island.cc.services.zero_trust.zero_trust_report.finding_service import (
- EnrichedFinding,
- FindingService,
-)
-
-
-@pytest.mark.usefixtures("uses_database")
-def test_get_all_findings():
- get_scoutsuite_finding_dto().save()
- get_monkey_finding_dto().save()
-
- # This method fails due to mongomock not being able to simulate $unset, so don't test details
- MonkeyZTDetailsService.fetch_details_for_display = MagicMock(return_value=None)
-
- findings = FindingService.get_all_findings_for_ui()
-
- description = TESTS_MAP[TEST_SCOUTSUITE_SERVICE_SECURITY]["finding_explanation"][STATUS_FAILED]
- expected_finding0 = EnrichedFinding(
- finding_id=findings[0].finding_id,
- pillars=[DEVICES, NETWORKS],
- status=STATUS_FAILED,
- test=description,
- test_key=TEST_SCOUTSUITE_SERVICE_SECURITY,
- details=None,
- )
-
- description = TESTS_MAP[TEST_ENDPOINT_SECURITY_EXISTS]["finding_explanation"][STATUS_PASSED]
- expected_finding1 = EnrichedFinding(
- finding_id=findings[1].finding_id,
- pillars=[DEVICES],
- status=STATUS_PASSED,
- test=description,
- test_key=TEST_ENDPOINT_SECURITY_EXISTS,
- details=None,
- )
-
- # Don't test details
- details = []
- for finding in findings:
- details.append(finding.details)
- finding.details = None
-
- assert findings[0] == expected_finding0
- assert findings[1] == expected_finding1