Island: Remove scoutsuite findings and rules
parent
75f23b6032
commit
a35f141cbe
@ -1,8 +0,0 @@
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
|
||||||
RuleNameEnum,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
class CloudformationRules(RuleNameEnum):
|
|
||||||
# Service Security
|
|
||||||
CLOUDFORMATION_STACK_WITH_ROLE = "cloudformation-stack-with-role"
|
|
|
@ -1,13 +0,0 @@
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
|
||||||
RuleNameEnum,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
class CloudTrailRules(RuleNameEnum):
|
|
||||||
# Logging
|
|
||||||
CLOUDTRAIL_DUPLICATED_GLOBAL_SERVICES_LOGGING = "cloudtrail-duplicated-global-services-logging"
|
|
||||||
CLOUDTRAIL_NO_DATA_LOGGING = "cloudtrail-no-data-logging"
|
|
||||||
CLOUDTRAIL_NO_GLOBAL_SERVICES_LOGGING = "cloudtrail-no-global-services-logging"
|
|
||||||
CLOUDTRAIL_NO_LOG_FILE_VALIDATION = "cloudtrail-no-log-file-validation"
|
|
||||||
CLOUDTRAIL_NO_LOGGING = "cloudtrail-no-logging"
|
|
||||||
CLOUDTRAIL_NOT_CONFIGURED = "cloudtrail-not-configured"
|
|
|
@ -1,8 +0,0 @@
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
|
||||||
RuleNameEnum,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
class CloudWatchRules(RuleNameEnum):
|
|
||||||
# Logging
|
|
||||||
CLOUDWATCH_ALARM_WITHOUT_ACTIONS = "cloudwatch-alarm-without-actions"
|
|
|
@ -1,8 +0,0 @@
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
|
||||||
RuleNameEnum,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
class ConfigRules(RuleNameEnum):
|
|
||||||
# Logging
|
|
||||||
CONFIG_RECORDER_NOT_CONFIGURED = "config-recorder-not-configured"
|
|
|
@ -1,37 +0,0 @@
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
|
||||||
RuleNameEnum,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
class EC2Rules(RuleNameEnum):
|
|
||||||
# Permissive firewall rules
|
|
||||||
SECURITY_GROUP_ALL_PORTS_TO_ALL = "ec2-security-group-opens-all-ports-to-all"
|
|
||||||
SECURITY_GROUP_OPENS_TCP_PORT_TO_ALL = "ec2-security-group-opens-TCP-port-to-all"
|
|
||||||
SECURITY_GROUP_OPENS_UDP_PORT_TO_ALL = "ec2-security-group-opens-UDP-port-to-all"
|
|
||||||
SECURITY_GROUP_OPENS_RDP_PORT_TO_ALL = "ec2-security-group-opens-RDP-port-to-all"
|
|
||||||
SECURITY_GROUP_OPENS_SSH_PORT_TO_ALL = "ec2-security-group-opens-SSH-port-to-all"
|
|
||||||
SECURITY_GROUP_OPENS_MYSQL_PORT_TO_ALL = "ec2-security-group-opens-MySQL-port-to-all"
|
|
||||||
SECURITY_GROUP_OPENS_MSSQL_PORT_TO_ALL = "ec2-security-group-opens-MsSQL-port-to-all"
|
|
||||||
SECURITY_GROUP_OPENS_MONGODB_PORT_TO_ALL = "ec2-security-group-opens-MongoDB-port-to-all"
|
|
||||||
SECURITY_GROUP_OPENS_ORACLE_DB_PORT_TO_ALL = "ec2-security-group-opens-Oracle DB-port-to-all"
|
|
||||||
SECURITY_GROUP_OPENS_POSTGRESQL_PORT_TO_ALL = "ec2-security-group-opens-PostgreSQL-port-to-all"
|
|
||||||
SECURITY_GROUP_OPENS_NFS_PORT_TO_ALL = "ec2-security-group-opens-NFS-port-to-all"
|
|
||||||
SECURITY_GROUP_OPENS_SMTP_PORT_TO_ALL = "ec2-security-group-opens-SMTP-port-to-all"
|
|
||||||
SECURITY_GROUP_OPENS_DNS_PORT_TO_ALL = "ec2-security-group-opens-DNS-port-to-all"
|
|
||||||
SECURITY_GROUP_OPENS_ALL_PORTS_TO_SELF = "ec2-security-group-opens-all-ports-to-self"
|
|
||||||
SECURITY_GROUP_OPENS_ALL_PORTS = "ec2-security-group-opens-all-ports"
|
|
||||||
SECURITY_GROUP_OPENS_PLAINTEXT_PORT_FTP = "ec2-security-group-opens-plaintext-port-FTP"
|
|
||||||
SECURITY_GROUP_OPENS_PLAINTEXT_PORT_TELNET = "ec2-security-group-opens-plaintext-port-Telnet"
|
|
||||||
SECURITY_GROUP_OPENS_PORT_RANGE = "ec2-security-group-opens-port-range"
|
|
||||||
EC2_SECURITY_GROUP_WHITELISTS_AWS = "ec2-security-group-whitelists-aws"
|
|
||||||
|
|
||||||
# Encryption
|
|
||||||
EBS_SNAPSHOT_NOT_ENCRYPTED = "ec2-ebs-snapshot-not-encrypted"
|
|
||||||
EBS_VOLUME_NOT_ENCRYPTED = "ec2-ebs-volume-not-encrypted"
|
|
||||||
EC2_INSTANCE_WITH_USER_DATA_SECRETS = "ec2-instance-with-user-data-secrets"
|
|
||||||
|
|
||||||
# Permissive policies
|
|
||||||
AMI_PUBLIC = "ec2-ami-public"
|
|
||||||
EC2_DEFAULT_SECURITY_GROUP_IN_USE = "ec2-default-security-group-in-use"
|
|
||||||
EC2_DEFAULT_SECURITY_GROUP_WITH_RULES = "ec2-default-security-group-with-rules"
|
|
||||||
EC2_EBS_SNAPSHOT_PUBLIC = "ec2-ebs-snapshot-public"
|
|
|
@ -1,12 +0,0 @@
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
|
||||||
RuleNameEnum,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
class ELBRules(RuleNameEnum):
|
|
||||||
# Logging
|
|
||||||
ELB_NO_ACCESS_LOGS = "elb-no-access-logs"
|
|
||||||
|
|
||||||
# Encryption
|
|
||||||
ELB_LISTENER_ALLOWING_CLEARTEXT = "elb-listener-allowing-cleartext"
|
|
||||||
ELB_OLDER_SSL_POLICY = "elb-older-ssl-policy"
|
|
|
@ -1,18 +0,0 @@
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
|
||||||
RuleNameEnum,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
class ELBv2Rules(RuleNameEnum):
|
|
||||||
# Encryption
|
|
||||||
ELBV2_LISTENER_ALLOWING_CLEARTEXT = "elbv2-listener-allowing-cleartext"
|
|
||||||
ELBV2_OLDER_SSL_POLICY = "elbv2-older-ssl-policy"
|
|
||||||
|
|
||||||
# Logging
|
|
||||||
ELBV2_NO_ACCESS_LOGS = "elbv2-no-access-logs"
|
|
||||||
|
|
||||||
# Data loss prevention
|
|
||||||
ELBV2_NO_DELETION_PROTECTION = "elbv2-no-deletion-protection"
|
|
||||||
|
|
||||||
# Service security
|
|
||||||
ELBV2_HTTP_REQUEST_SMUGGLING = "elbv2-http-request-smuggling"
|
|
|
@ -1,41 +0,0 @@
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
|
||||||
RuleNameEnum,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
class IAMRules(RuleNameEnum):
|
|
||||||
# Authentication/authorization
|
|
||||||
IAM_USER_NO_ACTIVE_KEY_ROTATION = "iam-user-no-Active-key-rotation"
|
|
||||||
IAM_PASSWORD_POLICY_MINIMUM_LENGTH = "iam-password-policy-minimum-length"
|
|
||||||
IAM_PASSWORD_POLICY_NO_EXPIRATION = "iam-password-policy-no-expiration"
|
|
||||||
IAM_PASSWORD_POLICY_REUSE_ENABLED = "iam-password-policy-reuse-enabled"
|
|
||||||
IAM_USER_WITH_PASSWORD_AND_KEY = "iam-user-with-password-and-key"
|
|
||||||
IAM_ASSUME_ROLE_LACKS_EXTERNAL_ID_AND_MFA = "iam-assume-role-lacks-external-id-and-mfa"
|
|
||||||
IAM_USER_WITHOUT_MFA = "iam-user-without-mfa"
|
|
||||||
IAM_ROOT_ACCOUNT_NO_MFA = "iam-root-account-no-mfa"
|
|
||||||
IAM_ROOT_ACCOUNT_WITH_ACTIVE_KEYS = "iam-root-account-with-active-keys"
|
|
||||||
IAM_USER_NO_INACTIVE_KEY_ROTATION = "iam-user-no-Inactive-key-rotation"
|
|
||||||
IAM_USER_WITH_MULTIPLE_ACCESS_KEYS = "iam-user-with-multiple-access-keys"
|
|
||||||
|
|
||||||
# Least privilege
|
|
||||||
IAM_ASSUME_ROLE_POLICY_ALLOWS_ALL = "iam-assume-role-policy-allows-all"
|
|
||||||
IAM_EC2_ROLE_WITHOUT_INSTANCES = "iam-ec2-role-without-instances"
|
|
||||||
IAM_GROUP_WITH_INLINE_POLICIES = "iam-group-with-inline-policies"
|
|
||||||
IAM_GROUP_WITH_NO_USERS = "iam-group-with-no-users"
|
|
||||||
IAM_INLINE_GROUP_POLICY_ALLOWS_IAM_PASSROLE = "iam-inline-group-policy-allows-iam-PassRole"
|
|
||||||
IAM_INLINE_GROUP_POLICY_ALLOWS_NOTACTIONS = "iam-inline-group-policy-allows-NotActions"
|
|
||||||
IAM_INLINE_GROUP_POLICY_ALLOWS_STS_ASSUMEROLE = "iam-inline-group-policy-allows-sts-AssumeRole"
|
|
||||||
IAM_INLINE_ROLE_POLICY_ALLOWS_IAM_PASSROLE = "iam-inline-role-policy-allows-iam-PassRole"
|
|
||||||
IAM_INLINE_ROLE_POLICY_ALLOWS_NOTACTIONS = "iam-inline-role-policy-allows-NotActions"
|
|
||||||
IAM_INLINE_ROLE_POLICY_ALLOWS_STS_ASSUMEROLE = "iam-inline-role-policy-allows-sts-AssumeRole"
|
|
||||||
IAM_INLINE_USER_POLICY_ALLOWS_IAM_PASSROLE = "iam-inline-user-policy-allows-iam-PassRole"
|
|
||||||
IAM_INLINE_USER_POLICY_ALLOWS_NOTACTIONS = "iam-inline-user-policy-allows-NotActions"
|
|
||||||
IAM_INLINE_USER_POLICY_ALLOWS_STS_ASSUMEROLE = "iam-inline-user-policy-allows-sts-AssumeRole"
|
|
||||||
IAM_MANAGED_POLICY_ALLOWS_IAM_PASSROLE = "iam-managed-policy-allows-iam-PassRole"
|
|
||||||
IAM_MANAGED_POLICY_ALLOWS_NOTACTIONS = "iam-managed-policy-allows-NotActions"
|
|
||||||
IAM_MANAGED_POLICY_ALLOWS_STS_ASSUMEROLE = "iam-managed-policy-allows-sts-AssumeRole"
|
|
||||||
IAM_MANAGED_POLICY_NO_ATTACHMENTS = "iam-managed-policy-no-attachments"
|
|
||||||
IAM_ROLE_WITH_INLINE_POLICIES = "iam-role-with-inline-policies"
|
|
||||||
IAM_ROOT_ACCOUNT_USED_RECENTLY = "iam-root-account-used-recently"
|
|
||||||
IAM_ROOT_ACCOUNT_WITH_ACTIVE_CERTS = "iam-root-account-with-active-certs"
|
|
||||||
IAM_USER_WITH_INLINE_POLICIES = "iam-user-with-inline-policies"
|
|
|
@ -1,21 +0,0 @@
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
|
||||||
RuleNameEnum,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
class RDSRules(RuleNameEnum):
|
|
||||||
# Encryption
|
|
||||||
RDS_INSTANCE_STORAGE_NOT_ENCRYPTED = "rds-instance-storage-not-encrypted"
|
|
||||||
|
|
||||||
# Data loss prevention
|
|
||||||
RDS_INSTANCE_BACKUP_DISABLED = "rds-instance-backup-disabled"
|
|
||||||
RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD = "rds-instance-short-backup-retention-period"
|
|
||||||
RDS_INSTANCE_SINGLE_AZ = "rds-instance-single-az"
|
|
||||||
|
|
||||||
# Firewalls
|
|
||||||
RDS_SECURITY_GROUP_ALLOWS_ALL = "rds-security-group-allows-all"
|
|
||||||
RDS_SNAPSHOT_PUBLIC = "rds-snapshot-public"
|
|
||||||
|
|
||||||
# Service security
|
|
||||||
RDS_INSTANCE_CA_CERTIFICATE_DEPRECATED = "rds-instance-ca-certificate-deprecated"
|
|
||||||
RDS_INSTANCE_NO_MINOR_UPGRADE = "rds-instance-no-minor-upgrade"
|
|
|
@ -1,21 +0,0 @@
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
|
||||||
RuleNameEnum,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
class RedshiftRules(RuleNameEnum):
|
|
||||||
# Encryption
|
|
||||||
REDSHIFT_CLUSTER_DATABASE_NOT_ENCRYPTED = "redshift-cluster-database-not-encrypted"
|
|
||||||
REDSHIFT_PARAMETER_GROUP_SSL_NOT_REQUIRED = "redshift-parameter-group-ssl-not-required"
|
|
||||||
|
|
||||||
# Firewalls
|
|
||||||
REDSHIFT_SECURITY_GROUP_WHITELISTS_ALL = "redshift-security-group-whitelists-all"
|
|
||||||
|
|
||||||
# Restrictive Policies
|
|
||||||
REDSHIFT_CLUSTER_PUBLICLY_ACCESSIBLE = "redshift-cluster-publicly-accessible"
|
|
||||||
|
|
||||||
# Logging
|
|
||||||
REDSHIFT_PARAMETER_GROUP_LOGGING_DISABLED = "redshift-parameter-group-logging-disabled"
|
|
||||||
|
|
||||||
# Service security
|
|
||||||
REDSHIFT_CLUSTER_NO_VERSION_UPGRADE = "redshift-cluster-no-version-upgrade"
|
|
|
@ -1,5 +0,0 @@
|
||||||
from enum import Enum
|
|
||||||
|
|
||||||
|
|
||||||
class RuleNameEnum(Enum):
|
|
||||||
pass
|
|
|
@ -1,31 +0,0 @@
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
|
||||||
RuleNameEnum,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
class S3Rules(RuleNameEnum):
|
|
||||||
# Encryption
|
|
||||||
S3_BUCKET_ALLOWING_CLEARTEXT = "s3-bucket-allowing-cleartext"
|
|
||||||
S3_BUCKET_NO_DEFAULT_ENCRYPTION = "s3-bucket-no-default-encryption"
|
|
||||||
|
|
||||||
# Data loss prevention
|
|
||||||
S3_BUCKET_NO_MFA_DELETE = "s3-bucket-no-mfa-delete"
|
|
||||||
S3_BUCKET_NO_VERSIONING = "s3-bucket-no-versioning"
|
|
||||||
|
|
||||||
# Logging
|
|
||||||
S3_BUCKET_NO_LOGGING = "s3-bucket-no-logging"
|
|
||||||
|
|
||||||
# Permissive access rules
|
|
||||||
S3_BUCKET_AUTHENTICATEDUSERS_WRITE_ACP = "s3-bucket-AuthenticatedUsers-write_acp"
|
|
||||||
S3_BUCKET_AUTHENTICATEDUSERS_WRITE = "s3-bucket-AuthenticatedUsers-write"
|
|
||||||
S3_BUCKET_AUTHENTICATEDUSERS_READ_ACP = "s3-bucket-AuthenticatedUsers-read_acp"
|
|
||||||
S3_BUCKET_AUTHENTICATEDUSERS_READ = "s3-bucket-AuthenticatedUsers-read"
|
|
||||||
S3_BUCKET_ALLUSERS_WRITE_ACP = "s3-bucket-AllUsers-write_acp"
|
|
||||||
S3_BUCKET_ALLUSERS_WRITE = "s3-bucket-AllUsers-write"
|
|
||||||
S3_BUCKET_ALLUSERS_READ_ACP = "s3-bucket-AllUsers-read_acp"
|
|
||||||
S3_BUCKET_ALLUSERS_READ = "s3-bucket-AllUsers-read"
|
|
||||||
S3_BUCKET_WORLD_PUT_POLICY = "s3-bucket-world-Put-policy"
|
|
||||||
S3_BUCKET_WORLD_POLICY_STAR = "s3-bucket-world-policy-star"
|
|
||||||
S3_BUCKET_WORLD_LIST_POLICY = "s3-bucket-world-List-policy"
|
|
||||||
S3_BUCKET_WORLD_GET_POLICY = "s3-bucket-world-Get-policy"
|
|
||||||
S3_BUCKET_WORLD_DELETE_POLICY = "s3-bucket-world-Delete-policy"
|
|
|
@ -1,9 +0,0 @@
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
|
||||||
RuleNameEnum,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
class SESRules(RuleNameEnum):
|
|
||||||
# Permissive policies
|
|
||||||
SES_IDENTITY_WORLD_SENDRAWEMAIL_POLICY = "ses-identity-world-SendRawEmail-policy"
|
|
||||||
SES_IDENTITY_WORLD_SENDEMAIL_POLICY = "ses-identity-world-SendEmail-policy"
|
|
|
@ -1,14 +0,0 @@
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
|
||||||
RuleNameEnum,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
class SNSRules(RuleNameEnum):
|
|
||||||
# Permissive policies
|
|
||||||
SNS_TOPIC_WORLD_SUBSCRIBE_POLICY = "sns-topic-world-Subscribe-policy"
|
|
||||||
SNS_TOPIC_WORLD_SETTOPICATTRIBUTES_POLICY = "sns-topic-world-SetTopicAttributes-policy"
|
|
||||||
SNS_TOPIC_WORLD_REMOVEPERMISSION_POLICY = "sns-topic-world-RemovePermission-policy"
|
|
||||||
SNS_TOPIC_WORLD_RECEIVE_POLICY = "sns-topic-world-Receive-policy"
|
|
||||||
SNS_TOPIC_WORLD_PUBLISH_POLICY = "sns-topic-world-Publish-policy"
|
|
||||||
SNS_TOPIC_WORLD_DELETETOPIC_POLICY = "sns-topic-world-DeleteTopic-policy"
|
|
||||||
SNS_TOPIC_WORLD_ADDPERMISSION_POLICY = "sns-topic-world-AddPermission-policy"
|
|
|
@ -1,16 +0,0 @@
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
|
||||||
RuleNameEnum,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
class SQSRules(RuleNameEnum):
|
|
||||||
# Permissive policies
|
|
||||||
SQS_QUEUE_WORLD_SENDMESSAGE_POLICY = "sqs-queue-world-SendMessage-policy"
|
|
||||||
SQS_QUEUE_WORLD_RECEIVEMESSAGE_POLICY = "sqs-queue-world-ReceiveMessage-policy"
|
|
||||||
SQS_QUEUE_WORLD_PURGEQUEUE_POLICY = "sqs-queue-world-PurgeQueue-policy"
|
|
||||||
SQS_QUEUE_WORLD_GETQUEUEURL_POLICY = "sqs-queue-world-GetQueueUrl-policy"
|
|
||||||
SQS_QUEUE_WORLD_GETQUEUEATTRIBUTES_POLICY = "sqs-queue-world-GetQueueAttributes-policy"
|
|
||||||
SQS_QUEUE_WORLD_DELETEMESSAGE_POLICY = "sqs-queue-world-DeleteMessage-policy"
|
|
||||||
SQS_QUEUE_WORLD_CHANGEMESSAGEVISIBILITY_POLICY = (
|
|
||||||
"sqs-queue-world-ChangeMessageVisibility-policy"
|
|
||||||
)
|
|
|
@ -1,17 +0,0 @@
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
|
||||||
RuleNameEnum,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
class VPCRules(RuleNameEnum):
|
|
||||||
# Logging
|
|
||||||
SUBNET_WITHOUT_FLOW_LOG = "vpc-subnet-without-flow-log"
|
|
||||||
|
|
||||||
# Firewalls
|
|
||||||
SUBNET_WITH_ALLOW_ALL_INGRESS_ACLS = "vpc-subnet-with-allow-all-ingress-acls"
|
|
||||||
SUBNET_WITH_ALLOW_ALL_EGRESS_ACLS = "vpc-subnet-with-allow-all-egress-acls"
|
|
||||||
NETWORK_ACL_NOT_USED = "vpc-network-acl-not-used"
|
|
||||||
DEFAULT_NETWORK_ACLS_ALLOW_ALL_INGRESS = "vpc-default-network-acls-allow-all-ingress"
|
|
||||||
DEFAULT_NETWORK_ACLS_ALLOW_ALL_EGRESS = "vpc-default-network-acls-allow-all-egress"
|
|
||||||
CUSTOM_NETWORK_ACLS_ALLOW_ALL_INGRESS = "vpc-custom-network-acls-allow-all-ingress"
|
|
||||||
CUSTOM_NETWORK_ACLS_ALLOW_ALL_EGRESS = "vpc-custom-network-acls-allow-all-egress"
|
|
|
@ -1,224 +0,0 @@
|
||||||
from abc import ABC, abstractmethod
|
|
||||||
from typing import List
|
|
||||||
|
|
||||||
from common.common_consts import zero_trust_consts
|
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudformation_rules import (
|
|
||||||
CloudformationRules,
|
|
||||||
)
|
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudtrail_rules import (
|
|
||||||
CloudTrailRules,
|
|
||||||
)
|
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudwatch_rules import (
|
|
||||||
CloudWatchRules,
|
|
||||||
)
|
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.config_rules import (
|
|
||||||
ConfigRules,
|
|
||||||
)
|
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.ec2_rules import EC2Rules
|
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.elb_rules import ELBRules
|
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.elbv2_rules import ELBv2Rules
|
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.iam_rules import IAMRules
|
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rds_rules import RDSRules
|
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.redshift_rules import (
|
|
||||||
RedshiftRules,
|
|
||||||
)
|
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
|
||||||
RuleNameEnum,
|
|
||||||
)
|
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.s3_rules import S3Rules
|
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.ses_rules import SESRules
|
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.sns_rules import SNSRules
|
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.sqs_rules import SQSRules
|
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.vpc_rules import VPCRules
|
|
||||||
|
|
||||||
|
|
||||||
# Class which links ZT tests and rules to ScoutSuite finding
|
|
||||||
class ScoutSuiteFindingMap(ABC):
|
|
||||||
@property
|
|
||||||
@abstractmethod
|
|
||||||
def rules(self) -> List[RuleNameEnum]:
|
|
||||||
pass
|
|
||||||
|
|
||||||
@property
|
|
||||||
@abstractmethod
|
|
||||||
def test(self) -> str:
|
|
||||||
pass
|
|
||||||
|
|
||||||
|
|
||||||
class PermissiveFirewallRules(ScoutSuiteFindingMap):
|
|
||||||
rules = [
|
|
||||||
EC2Rules.SECURITY_GROUP_ALL_PORTS_TO_ALL,
|
|
||||||
EC2Rules.SECURITY_GROUP_OPENS_TCP_PORT_TO_ALL,
|
|
||||||
EC2Rules.SECURITY_GROUP_OPENS_UDP_PORT_TO_ALL,
|
|
||||||
EC2Rules.SECURITY_GROUP_OPENS_RDP_PORT_TO_ALL,
|
|
||||||
EC2Rules.SECURITY_GROUP_OPENS_SSH_PORT_TO_ALL,
|
|
||||||
EC2Rules.SECURITY_GROUP_OPENS_MYSQL_PORT_TO_ALL,
|
|
||||||
EC2Rules.SECURITY_GROUP_OPENS_MSSQL_PORT_TO_ALL,
|
|
||||||
EC2Rules.SECURITY_GROUP_OPENS_MONGODB_PORT_TO_ALL,
|
|
||||||
EC2Rules.SECURITY_GROUP_OPENS_ORACLE_DB_PORT_TO_ALL,
|
|
||||||
EC2Rules.SECURITY_GROUP_OPENS_POSTGRESQL_PORT_TO_ALL,
|
|
||||||
EC2Rules.SECURITY_GROUP_OPENS_NFS_PORT_TO_ALL,
|
|
||||||
EC2Rules.SECURITY_GROUP_OPENS_SMTP_PORT_TO_ALL,
|
|
||||||
EC2Rules.SECURITY_GROUP_OPENS_DNS_PORT_TO_ALL,
|
|
||||||
EC2Rules.SECURITY_GROUP_OPENS_ALL_PORTS_TO_SELF,
|
|
||||||
EC2Rules.SECURITY_GROUP_OPENS_ALL_PORTS,
|
|
||||||
EC2Rules.SECURITY_GROUP_OPENS_PLAINTEXT_PORT_FTP,
|
|
||||||
EC2Rules.SECURITY_GROUP_OPENS_PLAINTEXT_PORT_TELNET,
|
|
||||||
EC2Rules.SECURITY_GROUP_OPENS_PORT_RANGE,
|
|
||||||
EC2Rules.EC2_SECURITY_GROUP_WHITELISTS_AWS,
|
|
||||||
VPCRules.SUBNET_WITH_ALLOW_ALL_INGRESS_ACLS,
|
|
||||||
VPCRules.SUBNET_WITH_ALLOW_ALL_EGRESS_ACLS,
|
|
||||||
VPCRules.NETWORK_ACL_NOT_USED,
|
|
||||||
VPCRules.DEFAULT_NETWORK_ACLS_ALLOW_ALL_INGRESS,
|
|
||||||
VPCRules.DEFAULT_NETWORK_ACLS_ALLOW_ALL_EGRESS,
|
|
||||||
VPCRules.CUSTOM_NETWORK_ACLS_ALLOW_ALL_INGRESS,
|
|
||||||
VPCRules.CUSTOM_NETWORK_ACLS_ALLOW_ALL_EGRESS,
|
|
||||||
RDSRules.RDS_SECURITY_GROUP_ALLOWS_ALL,
|
|
||||||
RedshiftRules.REDSHIFT_SECURITY_GROUP_WHITELISTS_ALL,
|
|
||||||
]
|
|
||||||
|
|
||||||
test = zero_trust_consts.TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES
|
|
||||||
|
|
||||||
|
|
||||||
class UnencryptedData(ScoutSuiteFindingMap):
|
|
||||||
rules = [
|
|
||||||
EC2Rules.EBS_SNAPSHOT_NOT_ENCRYPTED,
|
|
||||||
EC2Rules.EBS_VOLUME_NOT_ENCRYPTED,
|
|
||||||
EC2Rules.EC2_INSTANCE_WITH_USER_DATA_SECRETS,
|
|
||||||
ELBv2Rules.ELBV2_LISTENER_ALLOWING_CLEARTEXT,
|
|
||||||
ELBv2Rules.ELBV2_OLDER_SSL_POLICY,
|
|
||||||
RDSRules.RDS_INSTANCE_STORAGE_NOT_ENCRYPTED,
|
|
||||||
RedshiftRules.REDSHIFT_CLUSTER_DATABASE_NOT_ENCRYPTED,
|
|
||||||
RedshiftRules.REDSHIFT_PARAMETER_GROUP_SSL_NOT_REQUIRED,
|
|
||||||
S3Rules.S3_BUCKET_ALLOWING_CLEARTEXT,
|
|
||||||
S3Rules.S3_BUCKET_NO_DEFAULT_ENCRYPTION,
|
|
||||||
ELBRules.ELB_LISTENER_ALLOWING_CLEARTEXT,
|
|
||||||
ELBRules.ELB_OLDER_SSL_POLICY,
|
|
||||||
]
|
|
||||||
|
|
||||||
test = zero_trust_consts.TEST_SCOUTSUITE_UNENCRYPTED_DATA
|
|
||||||
|
|
||||||
|
|
||||||
class DataLossPrevention(ScoutSuiteFindingMap):
|
|
||||||
rules = [
|
|
||||||
RDSRules.RDS_INSTANCE_BACKUP_DISABLED,
|
|
||||||
RDSRules.RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD,
|
|
||||||
RDSRules.RDS_INSTANCE_SINGLE_AZ,
|
|
||||||
S3Rules.S3_BUCKET_NO_MFA_DELETE,
|
|
||||||
S3Rules.S3_BUCKET_NO_VERSIONING,
|
|
||||||
ELBv2Rules.ELBV2_NO_DELETION_PROTECTION,
|
|
||||||
]
|
|
||||||
|
|
||||||
test = zero_trust_consts.TEST_SCOUTSUITE_DATA_LOSS_PREVENTION
|
|
||||||
|
|
||||||
|
|
||||||
class SecureAuthentication(ScoutSuiteFindingMap):
|
|
||||||
rules = [
|
|
||||||
IAMRules.IAM_USER_NO_ACTIVE_KEY_ROTATION,
|
|
||||||
IAMRules.IAM_PASSWORD_POLICY_MINIMUM_LENGTH,
|
|
||||||
IAMRules.IAM_PASSWORD_POLICY_NO_EXPIRATION,
|
|
||||||
IAMRules.IAM_PASSWORD_POLICY_REUSE_ENABLED,
|
|
||||||
IAMRules.IAM_USER_WITH_PASSWORD_AND_KEY,
|
|
||||||
IAMRules.IAM_ASSUME_ROLE_LACKS_EXTERNAL_ID_AND_MFA,
|
|
||||||
IAMRules.IAM_USER_WITHOUT_MFA,
|
|
||||||
IAMRules.IAM_ROOT_ACCOUNT_NO_MFA,
|
|
||||||
IAMRules.IAM_ROOT_ACCOUNT_WITH_ACTIVE_KEYS,
|
|
||||||
IAMRules.IAM_USER_NO_INACTIVE_KEY_ROTATION,
|
|
||||||
IAMRules.IAM_USER_WITH_MULTIPLE_ACCESS_KEYS,
|
|
||||||
]
|
|
||||||
|
|
||||||
test = zero_trust_consts.TEST_SCOUTSUITE_SECURE_AUTHENTICATION
|
|
||||||
|
|
||||||
|
|
||||||
class RestrictivePolicies(ScoutSuiteFindingMap):
|
|
||||||
rules = [
|
|
||||||
IAMRules.IAM_ASSUME_ROLE_POLICY_ALLOWS_ALL,
|
|
||||||
IAMRules.IAM_EC2_ROLE_WITHOUT_INSTANCES,
|
|
||||||
IAMRules.IAM_GROUP_WITH_INLINE_POLICIES,
|
|
||||||
IAMRules.IAM_GROUP_WITH_NO_USERS,
|
|
||||||
IAMRules.IAM_INLINE_GROUP_POLICY_ALLOWS_IAM_PASSROLE,
|
|
||||||
IAMRules.IAM_INLINE_GROUP_POLICY_ALLOWS_NOTACTIONS,
|
|
||||||
IAMRules.IAM_INLINE_GROUP_POLICY_ALLOWS_STS_ASSUMEROLE,
|
|
||||||
IAMRules.IAM_INLINE_ROLE_POLICY_ALLOWS_IAM_PASSROLE,
|
|
||||||
IAMRules.IAM_INLINE_ROLE_POLICY_ALLOWS_NOTACTIONS,
|
|
||||||
IAMRules.IAM_INLINE_ROLE_POLICY_ALLOWS_STS_ASSUMEROLE,
|
|
||||||
IAMRules.IAM_INLINE_USER_POLICY_ALLOWS_IAM_PASSROLE,
|
|
||||||
IAMRules.IAM_INLINE_USER_POLICY_ALLOWS_NOTACTIONS,
|
|
||||||
IAMRules.IAM_INLINE_USER_POLICY_ALLOWS_STS_ASSUMEROLE,
|
|
||||||
IAMRules.IAM_MANAGED_POLICY_ALLOWS_IAM_PASSROLE,
|
|
||||||
IAMRules.IAM_MANAGED_POLICY_ALLOWS_NOTACTIONS,
|
|
||||||
IAMRules.IAM_MANAGED_POLICY_ALLOWS_STS_ASSUMEROLE,
|
|
||||||
IAMRules.IAM_MANAGED_POLICY_NO_ATTACHMENTS,
|
|
||||||
IAMRules.IAM_ROLE_WITH_INLINE_POLICIES,
|
|
||||||
IAMRules.IAM_ROOT_ACCOUNT_USED_RECENTLY,
|
|
||||||
IAMRules.IAM_ROOT_ACCOUNT_WITH_ACTIVE_CERTS,
|
|
||||||
IAMRules.IAM_USER_WITH_INLINE_POLICIES,
|
|
||||||
EC2Rules.AMI_PUBLIC,
|
|
||||||
S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_WRITE_ACP,
|
|
||||||
S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_WRITE,
|
|
||||||
S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_READ_ACP,
|
|
||||||
S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_READ,
|
|
||||||
S3Rules.S3_BUCKET_ALLUSERS_WRITE_ACP,
|
|
||||||
S3Rules.S3_BUCKET_ALLUSERS_WRITE,
|
|
||||||
S3Rules.S3_BUCKET_ALLUSERS_READ_ACP,
|
|
||||||
S3Rules.S3_BUCKET_ALLUSERS_READ,
|
|
||||||
S3Rules.S3_BUCKET_WORLD_PUT_POLICY,
|
|
||||||
S3Rules.S3_BUCKET_WORLD_POLICY_STAR,
|
|
||||||
S3Rules.S3_BUCKET_WORLD_LIST_POLICY,
|
|
||||||
S3Rules.S3_BUCKET_WORLD_GET_POLICY,
|
|
||||||
S3Rules.S3_BUCKET_WORLD_DELETE_POLICY,
|
|
||||||
EC2Rules.EC2_DEFAULT_SECURITY_GROUP_IN_USE,
|
|
||||||
EC2Rules.EC2_DEFAULT_SECURITY_GROUP_WITH_RULES,
|
|
||||||
EC2Rules.EC2_EBS_SNAPSHOT_PUBLIC,
|
|
||||||
SQSRules.SQS_QUEUE_WORLD_SENDMESSAGE_POLICY,
|
|
||||||
SQSRules.SQS_QUEUE_WORLD_RECEIVEMESSAGE_POLICY,
|
|
||||||
SQSRules.SQS_QUEUE_WORLD_PURGEQUEUE_POLICY,
|
|
||||||
SQSRules.SQS_QUEUE_WORLD_GETQUEUEURL_POLICY,
|
|
||||||
SQSRules.SQS_QUEUE_WORLD_GETQUEUEATTRIBUTES_POLICY,
|
|
||||||
SQSRules.SQS_QUEUE_WORLD_DELETEMESSAGE_POLICY,
|
|
||||||
SQSRules.SQS_QUEUE_WORLD_CHANGEMESSAGEVISIBILITY_POLICY,
|
|
||||||
SNSRules.SNS_TOPIC_WORLD_SUBSCRIBE_POLICY,
|
|
||||||
SNSRules.SNS_TOPIC_WORLD_SETTOPICATTRIBUTES_POLICY,
|
|
||||||
SNSRules.SNS_TOPIC_WORLD_REMOVEPERMISSION_POLICY,
|
|
||||||
SNSRules.SNS_TOPIC_WORLD_RECEIVE_POLICY,
|
|
||||||
SNSRules.SNS_TOPIC_WORLD_PUBLISH_POLICY,
|
|
||||||
SNSRules.SNS_TOPIC_WORLD_DELETETOPIC_POLICY,
|
|
||||||
SNSRules.SNS_TOPIC_WORLD_ADDPERMISSION_POLICY,
|
|
||||||
SESRules.SES_IDENTITY_WORLD_SENDRAWEMAIL_POLICY,
|
|
||||||
SESRules.SES_IDENTITY_WORLD_SENDEMAIL_POLICY,
|
|
||||||
RedshiftRules.REDSHIFT_CLUSTER_PUBLICLY_ACCESSIBLE,
|
|
||||||
]
|
|
||||||
|
|
||||||
test = zero_trust_consts.TEST_SCOUTSUITE_RESTRICTIVE_POLICIES
|
|
||||||
|
|
||||||
|
|
||||||
class Logging(ScoutSuiteFindingMap):
|
|
||||||
rules = [
|
|
||||||
CloudTrailRules.CLOUDTRAIL_DUPLICATED_GLOBAL_SERVICES_LOGGING,
|
|
||||||
CloudTrailRules.CLOUDTRAIL_NO_DATA_LOGGING,
|
|
||||||
CloudTrailRules.CLOUDTRAIL_NO_GLOBAL_SERVICES_LOGGING,
|
|
||||||
CloudTrailRules.CLOUDTRAIL_NO_LOG_FILE_VALIDATION,
|
|
||||||
CloudTrailRules.CLOUDTRAIL_NO_LOGGING,
|
|
||||||
CloudTrailRules.CLOUDTRAIL_NOT_CONFIGURED,
|
|
||||||
CloudWatchRules.CLOUDWATCH_ALARM_WITHOUT_ACTIONS,
|
|
||||||
ELBRules.ELB_NO_ACCESS_LOGS,
|
|
||||||
S3Rules.S3_BUCKET_NO_LOGGING,
|
|
||||||
ELBv2Rules.ELBV2_NO_ACCESS_LOGS,
|
|
||||||
VPCRules.SUBNET_WITHOUT_FLOW_LOG,
|
|
||||||
ConfigRules.CONFIG_RECORDER_NOT_CONFIGURED,
|
|
||||||
RedshiftRules.REDSHIFT_PARAMETER_GROUP_LOGGING_DISABLED,
|
|
||||||
]
|
|
||||||
|
|
||||||
test = zero_trust_consts.TEST_SCOUTSUITE_LOGGING
|
|
||||||
|
|
||||||
|
|
||||||
class ServiceSecurity(ScoutSuiteFindingMap):
|
|
||||||
rules = [
|
|
||||||
CloudformationRules.CLOUDFORMATION_STACK_WITH_ROLE,
|
|
||||||
ELBv2Rules.ELBV2_HTTP_REQUEST_SMUGGLING,
|
|
||||||
RDSRules.RDS_INSTANCE_CA_CERTIFICATE_DEPRECATED,
|
|
||||||
RDSRules.RDS_INSTANCE_NO_MINOR_UPGRADE,
|
|
||||||
RedshiftRules.REDSHIFT_CLUSTER_NO_VERSION_UPGRADE,
|
|
||||||
]
|
|
||||||
|
|
||||||
test = zero_trust_consts.TEST_SCOUTSUITE_SERVICE_SECURITY
|
|
|
@ -1,19 +0,0 @@
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.scoutsuite_finding_maps import (
|
|
||||||
DataLossPrevention,
|
|
||||||
Logging,
|
|
||||||
PermissiveFirewallRules,
|
|
||||||
RestrictivePolicies,
|
|
||||||
SecureAuthentication,
|
|
||||||
ServiceSecurity,
|
|
||||||
UnencryptedData,
|
|
||||||
)
|
|
||||||
|
|
||||||
SCOUTSUITE_FINDINGS = [
|
|
||||||
PermissiveFirewallRules,
|
|
||||||
UnencryptedData,
|
|
||||||
DataLossPrevention,
|
|
||||||
SecureAuthentication,
|
|
||||||
RestrictivePolicies,
|
|
||||||
Logging,
|
|
||||||
ServiceSecurity,
|
|
||||||
]
|
|
|
@ -1,45 +0,0 @@
|
||||||
import pytest
|
|
||||||
from mongoengine import ValidationError
|
|
||||||
from tests.unit_tests.monkey_island.cc.services.zero_trust.test_common.scoutsuite_finding_data import ( # noqa: E501
|
|
||||||
RULES,
|
|
||||||
)
|
|
||||||
|
|
||||||
import common.common_consts.zero_trust_consts as zero_trust_consts
|
|
||||||
from monkey_island.cc.models.zero_trust.finding import Finding
|
|
||||||
from monkey_island.cc.models.zero_trust.monkey_finding_details import MonkeyFindingDetails
|
|
||||||
from monkey_island.cc.models.zero_trust.scoutsuite_finding import ScoutSuiteFinding
|
|
||||||
from monkey_island.cc.models.zero_trust.scoutsuite_finding_details import ScoutSuiteFindingDetails
|
|
||||||
|
|
||||||
MONKEY_FINDING_DETAIL_MOCK = MonkeyFindingDetails()
|
|
||||||
MONKEY_FINDING_DETAIL_MOCK.events = ["mock1", "mock2"]
|
|
||||||
SCOUTSUITE_FINDING_DETAIL_MOCK = ScoutSuiteFindingDetails()
|
|
||||||
SCOUTSUITE_FINDING_DETAIL_MOCK.scoutsuite_rules = []
|
|
||||||
|
|
||||||
|
|
||||||
class TestScoutSuiteFinding:
|
|
||||||
@pytest.mark.usefixtures("uses_database")
|
|
||||||
def test_save_finding_validation(self):
|
|
||||||
with pytest.raises(ValidationError):
|
|
||||||
_ = ScoutSuiteFinding.save_finding(
|
|
||||||
test=zero_trust_consts.TEST_SEGMENTATION,
|
|
||||||
status="bla bla",
|
|
||||||
detail_ref=SCOUTSUITE_FINDING_DETAIL_MOCK,
|
|
||||||
)
|
|
||||||
|
|
||||||
@pytest.mark.usefixtures("uses_database")
|
|
||||||
def test_save_finding_sanity(self):
|
|
||||||
assert len(Finding.objects(test=zero_trust_consts.TEST_SEGMENTATION)) == 0
|
|
||||||
|
|
||||||
rule_example = RULES[0]
|
|
||||||
scoutsuite_details_example = ScoutSuiteFindingDetails()
|
|
||||||
scoutsuite_details_example.scoutsuite_rules.append(rule_example)
|
|
||||||
scoutsuite_details_example.save()
|
|
||||||
ScoutSuiteFinding.save_finding(
|
|
||||||
test=zero_trust_consts.TEST_SEGMENTATION,
|
|
||||||
status=zero_trust_consts.STATUS_FAILED,
|
|
||||||
detail_ref=scoutsuite_details_example,
|
|
||||||
)
|
|
||||||
|
|
||||||
assert len(ScoutSuiteFinding.objects(test=zero_trust_consts.TEST_SEGMENTATION)) == 1
|
|
||||||
assert len(ScoutSuiteFinding.objects(status=zero_trust_consts.STATUS_FAILED)) == 1
|
|
||||||
assert len(Finding.objects(status=zero_trust_consts.STATUS_FAILED)) == 1
|
|
|
@ -1,89 +0,0 @@
|
||||||
from monkey_island.cc.models.zero_trust.scoutsuite_finding_details import ScoutSuiteFindingDetails
|
|
||||||
from monkey_island.cc.models.zero_trust.scoutsuite_rule import ScoutSuiteRule
|
|
||||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.scoutsuite_finding_maps import (
|
|
||||||
PermissiveFirewallRules,
|
|
||||||
UnencryptedData,
|
|
||||||
)
|
|
||||||
|
|
||||||
SCOUTSUITE_FINDINGS = [PermissiveFirewallRules, UnencryptedData]
|
|
||||||
|
|
||||||
RULES = [
|
|
||||||
ScoutSuiteRule(
|
|
||||||
checked_items=179,
|
|
||||||
compliance=None,
|
|
||||||
dashboard_name="Rules",
|
|
||||||
description="Security Group Opens All Ports to All",
|
|
||||||
flagged_items=2,
|
|
||||||
items=[
|
|
||||||
"ec2.regions.eu-central-1.vpcs.vpc-0ee259b1a13c50229.security_groups.sg"
|
|
||||||
"-035779fe5c293fc72"
|
|
||||||
".rules.ingress.protocols.ALL.ports.1-65535.cidrs.2.CIDR",
|
|
||||||
"ec2.regions.eu-central-1.vpcs.vpc-00015526b6695f9aa.security_groups.sg"
|
|
||||||
"-019eb67135ec81e65"
|
|
||||||
".rules.ingress.protocols.ALL.ports.1-65535.cidrs.0.CIDR",
|
|
||||||
],
|
|
||||||
level="danger",
|
|
||||||
path="ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id.cidrs"
|
|
||||||
".id.CIDR",
|
|
||||||
rationale="It was detected that all ports in the security group are open, "
|
|
||||||
"and any source IP address"
|
|
||||||
" could send traffic to these ports, which creates a wider attack surface "
|
|
||||||
"for resources "
|
|
||||||
"assigned to it. Open ports should be reduced to the minimum needed to "
|
|
||||||
"correctly",
|
|
||||||
references=[],
|
|
||||||
remediation=None,
|
|
||||||
service="EC2",
|
|
||||||
),
|
|
||||||
ScoutSuiteRule(
|
|
||||||
checked_items=179,
|
|
||||||
compliance=[
|
|
||||||
{"name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "4.1"},
|
|
||||||
{"name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "4.2"},
|
|
||||||
{"name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "4.1"},
|
|
||||||
{"name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "4.2"},
|
|
||||||
{"name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "4.1"},
|
|
||||||
{"name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "4.2"},
|
|
||||||
],
|
|
||||||
dashboard_name="Rules",
|
|
||||||
description="Security Group Opens RDP Port to All",
|
|
||||||
flagged_items=7,
|
|
||||||
items=[
|
|
||||||
"ec2.regions.eu-central-1.vpcs.vpc-076500a2138ee09da.security_groups.sg"
|
|
||||||
"-00bdef5951797199c"
|
|
||||||
".rules.ingress.protocols.TCP.ports.3389.cidrs.0.CIDR",
|
|
||||||
"ec2.regions.eu-central-1.vpcs.vpc-d33026b8.security_groups.sg-007931ba8a364e330"
|
|
||||||
".rules.ingress.protocols.TCP.ports.3389.cidrs.0.CIDR",
|
|
||||||
"ec2.regions.eu-central-1.vpcs.vpc-d33026b8.security_groups.sg-05014daf996b042dd"
|
|
||||||
".rules.ingress.protocols.TCP.ports.3389.cidrs.0.CIDR",
|
|
||||||
"ec2.regions.eu-central-1.vpcs.vpc-d33026b8.security_groups.sg-0c745fe56c66335b2"
|
|
||||||
".rules.ingress.protocols.TCP.ports.3389.cidrs.0.CIDR",
|
|
||||||
"ec2.regions.eu-central-1.vpcs.vpc-d33026b8.security_groups.sg-0f99b85cfad63d1b1"
|
|
||||||
".rules.ingress.protocols.TCP.ports.3389.cidrs.0.CIDR",
|
|
||||||
"ec2.regions.us-east-1.vpcs.vpc-9e56cae4.security_groups.sg-0dc253aa79062835a"
|
|
||||||
".rules.ingress.protocols.TCP.ports.3389.cidrs.0.CIDR",
|
|
||||||
"ec2.regions.us-east-1.vpcs.vpc-002d543353cd4e97d.security_groups.sg"
|
|
||||||
"-01902f153d4f938da"
|
|
||||||
".rules.ingress.protocols.TCP.ports.3389.cidrs.0.CIDR",
|
|
||||||
],
|
|
||||||
level="danger",
|
|
||||||
path="ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id.cidrs"
|
|
||||||
".id.CIDR",
|
|
||||||
rationale="The security group was found to be exposing a well-known port to all "
|
|
||||||
"source addresses."
|
|
||||||
" Well-known ports are commonly probed by automated scanning tools, "
|
|
||||||
"and could be an indicator "
|
|
||||||
"of sensitive services exposed to Internet. If such services need to be "
|
|
||||||
"expos",
|
|
||||||
references=[],
|
|
||||||
remediation="Remove the inbound rules that expose open ports",
|
|
||||||
service="EC2",
|
|
||||||
),
|
|
||||||
]
|
|
||||||
|
|
||||||
|
|
||||||
def get_scoutsuite_details_dto() -> ScoutSuiteFindingDetails:
|
|
||||||
scoutsuite_details = ScoutSuiteFindingDetails()
|
|
||||||
scoutsuite_details.scoutsuite_rules.append(RULES[0])
|
|
||||||
scoutsuite_details.scoutsuite_rules.append(RULES[1])
|
|
||||||
return scoutsuite_details
|
|
|
@ -1,64 +0,0 @@
|
||||||
from unittest.mock import MagicMock
|
|
||||||
|
|
||||||
import pytest
|
|
||||||
from tests.unit_tests.monkey_island.cc.services.zero_trust.test_common.finding_data import (
|
|
||||||
get_monkey_finding_dto,
|
|
||||||
get_scoutsuite_finding_dto,
|
|
||||||
)
|
|
||||||
|
|
||||||
from common.common_consts.zero_trust_consts import (
|
|
||||||
DEVICES,
|
|
||||||
NETWORKS,
|
|
||||||
STATUS_FAILED,
|
|
||||||
STATUS_PASSED,
|
|
||||||
TEST_ENDPOINT_SECURITY_EXISTS,
|
|
||||||
TEST_SCOUTSUITE_SERVICE_SECURITY,
|
|
||||||
TESTS_MAP,
|
|
||||||
)
|
|
||||||
from monkey_island.cc.services.zero_trust.monkey_findings.monkey_zt_details_service import (
|
|
||||||
MonkeyZTDetailsService,
|
|
||||||
)
|
|
||||||
from monkey_island.cc.services.zero_trust.zero_trust_report.finding_service import (
|
|
||||||
EnrichedFinding,
|
|
||||||
FindingService,
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
@pytest.mark.usefixtures("uses_database")
|
|
||||||
def test_get_all_findings():
|
|
||||||
get_scoutsuite_finding_dto().save()
|
|
||||||
get_monkey_finding_dto().save()
|
|
||||||
|
|
||||||
# This method fails due to mongomock not being able to simulate $unset, so don't test details
|
|
||||||
MonkeyZTDetailsService.fetch_details_for_display = MagicMock(return_value=None)
|
|
||||||
|
|
||||||
findings = FindingService.get_all_findings_for_ui()
|
|
||||||
|
|
||||||
description = TESTS_MAP[TEST_SCOUTSUITE_SERVICE_SECURITY]["finding_explanation"][STATUS_FAILED]
|
|
||||||
expected_finding0 = EnrichedFinding(
|
|
||||||
finding_id=findings[0].finding_id,
|
|
||||||
pillars=[DEVICES, NETWORKS],
|
|
||||||
status=STATUS_FAILED,
|
|
||||||
test=description,
|
|
||||||
test_key=TEST_SCOUTSUITE_SERVICE_SECURITY,
|
|
||||||
details=None,
|
|
||||||
)
|
|
||||||
|
|
||||||
description = TESTS_MAP[TEST_ENDPOINT_SECURITY_EXISTS]["finding_explanation"][STATUS_PASSED]
|
|
||||||
expected_finding1 = EnrichedFinding(
|
|
||||||
finding_id=findings[1].finding_id,
|
|
||||||
pillars=[DEVICES],
|
|
||||||
status=STATUS_PASSED,
|
|
||||||
test=description,
|
|
||||||
test_key=TEST_ENDPOINT_SECURITY_EXISTS,
|
|
||||||
details=None,
|
|
||||||
)
|
|
||||||
|
|
||||||
# Don't test details
|
|
||||||
details = []
|
|
||||||
for finding in findings:
|
|
||||||
details.append(finding.details)
|
|
||||||
finding.details = None
|
|
||||||
|
|
||||||
assert findings[0] == expected_finding0
|
|
||||||
assert findings[1] == expected_finding1
|
|