Island: Remove scoutsuite findings and rules
parent
75f23b6032
commit
a35f141cbe
|
@ -1,8 +0,0 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
||||
RuleNameEnum,
|
||||
)
|
||||
|
||||
|
||||
class CloudformationRules(RuleNameEnum):
|
||||
# Service Security
|
||||
CLOUDFORMATION_STACK_WITH_ROLE = "cloudformation-stack-with-role"
|
|
@ -1,13 +0,0 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
||||
RuleNameEnum,
|
||||
)
|
||||
|
||||
|
||||
class CloudTrailRules(RuleNameEnum):
|
||||
# Logging
|
||||
CLOUDTRAIL_DUPLICATED_GLOBAL_SERVICES_LOGGING = "cloudtrail-duplicated-global-services-logging"
|
||||
CLOUDTRAIL_NO_DATA_LOGGING = "cloudtrail-no-data-logging"
|
||||
CLOUDTRAIL_NO_GLOBAL_SERVICES_LOGGING = "cloudtrail-no-global-services-logging"
|
||||
CLOUDTRAIL_NO_LOG_FILE_VALIDATION = "cloudtrail-no-log-file-validation"
|
||||
CLOUDTRAIL_NO_LOGGING = "cloudtrail-no-logging"
|
||||
CLOUDTRAIL_NOT_CONFIGURED = "cloudtrail-not-configured"
|
|
@ -1,8 +0,0 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
||||
RuleNameEnum,
|
||||
)
|
||||
|
||||
|
||||
class CloudWatchRules(RuleNameEnum):
|
||||
# Logging
|
||||
CLOUDWATCH_ALARM_WITHOUT_ACTIONS = "cloudwatch-alarm-without-actions"
|
|
@ -1,8 +0,0 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
||||
RuleNameEnum,
|
||||
)
|
||||
|
||||
|
||||
class ConfigRules(RuleNameEnum):
|
||||
# Logging
|
||||
CONFIG_RECORDER_NOT_CONFIGURED = "config-recorder-not-configured"
|
|
@ -1,37 +0,0 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
||||
RuleNameEnum,
|
||||
)
|
||||
|
||||
|
||||
class EC2Rules(RuleNameEnum):
|
||||
# Permissive firewall rules
|
||||
SECURITY_GROUP_ALL_PORTS_TO_ALL = "ec2-security-group-opens-all-ports-to-all"
|
||||
SECURITY_GROUP_OPENS_TCP_PORT_TO_ALL = "ec2-security-group-opens-TCP-port-to-all"
|
||||
SECURITY_GROUP_OPENS_UDP_PORT_TO_ALL = "ec2-security-group-opens-UDP-port-to-all"
|
||||
SECURITY_GROUP_OPENS_RDP_PORT_TO_ALL = "ec2-security-group-opens-RDP-port-to-all"
|
||||
SECURITY_GROUP_OPENS_SSH_PORT_TO_ALL = "ec2-security-group-opens-SSH-port-to-all"
|
||||
SECURITY_GROUP_OPENS_MYSQL_PORT_TO_ALL = "ec2-security-group-opens-MySQL-port-to-all"
|
||||
SECURITY_GROUP_OPENS_MSSQL_PORT_TO_ALL = "ec2-security-group-opens-MsSQL-port-to-all"
|
||||
SECURITY_GROUP_OPENS_MONGODB_PORT_TO_ALL = "ec2-security-group-opens-MongoDB-port-to-all"
|
||||
SECURITY_GROUP_OPENS_ORACLE_DB_PORT_TO_ALL = "ec2-security-group-opens-Oracle DB-port-to-all"
|
||||
SECURITY_GROUP_OPENS_POSTGRESQL_PORT_TO_ALL = "ec2-security-group-opens-PostgreSQL-port-to-all"
|
||||
SECURITY_GROUP_OPENS_NFS_PORT_TO_ALL = "ec2-security-group-opens-NFS-port-to-all"
|
||||
SECURITY_GROUP_OPENS_SMTP_PORT_TO_ALL = "ec2-security-group-opens-SMTP-port-to-all"
|
||||
SECURITY_GROUP_OPENS_DNS_PORT_TO_ALL = "ec2-security-group-opens-DNS-port-to-all"
|
||||
SECURITY_GROUP_OPENS_ALL_PORTS_TO_SELF = "ec2-security-group-opens-all-ports-to-self"
|
||||
SECURITY_GROUP_OPENS_ALL_PORTS = "ec2-security-group-opens-all-ports"
|
||||
SECURITY_GROUP_OPENS_PLAINTEXT_PORT_FTP = "ec2-security-group-opens-plaintext-port-FTP"
|
||||
SECURITY_GROUP_OPENS_PLAINTEXT_PORT_TELNET = "ec2-security-group-opens-plaintext-port-Telnet"
|
||||
SECURITY_GROUP_OPENS_PORT_RANGE = "ec2-security-group-opens-port-range"
|
||||
EC2_SECURITY_GROUP_WHITELISTS_AWS = "ec2-security-group-whitelists-aws"
|
||||
|
||||
# Encryption
|
||||
EBS_SNAPSHOT_NOT_ENCRYPTED = "ec2-ebs-snapshot-not-encrypted"
|
||||
EBS_VOLUME_NOT_ENCRYPTED = "ec2-ebs-volume-not-encrypted"
|
||||
EC2_INSTANCE_WITH_USER_DATA_SECRETS = "ec2-instance-with-user-data-secrets"
|
||||
|
||||
# Permissive policies
|
||||
AMI_PUBLIC = "ec2-ami-public"
|
||||
EC2_DEFAULT_SECURITY_GROUP_IN_USE = "ec2-default-security-group-in-use"
|
||||
EC2_DEFAULT_SECURITY_GROUP_WITH_RULES = "ec2-default-security-group-with-rules"
|
||||
EC2_EBS_SNAPSHOT_PUBLIC = "ec2-ebs-snapshot-public"
|
|
@ -1,12 +0,0 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
||||
RuleNameEnum,
|
||||
)
|
||||
|
||||
|
||||
class ELBRules(RuleNameEnum):
|
||||
# Logging
|
||||
ELB_NO_ACCESS_LOGS = "elb-no-access-logs"
|
||||
|
||||
# Encryption
|
||||
ELB_LISTENER_ALLOWING_CLEARTEXT = "elb-listener-allowing-cleartext"
|
||||
ELB_OLDER_SSL_POLICY = "elb-older-ssl-policy"
|
|
@ -1,18 +0,0 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
||||
RuleNameEnum,
|
||||
)
|
||||
|
||||
|
||||
class ELBv2Rules(RuleNameEnum):
|
||||
# Encryption
|
||||
ELBV2_LISTENER_ALLOWING_CLEARTEXT = "elbv2-listener-allowing-cleartext"
|
||||
ELBV2_OLDER_SSL_POLICY = "elbv2-older-ssl-policy"
|
||||
|
||||
# Logging
|
||||
ELBV2_NO_ACCESS_LOGS = "elbv2-no-access-logs"
|
||||
|
||||
# Data loss prevention
|
||||
ELBV2_NO_DELETION_PROTECTION = "elbv2-no-deletion-protection"
|
||||
|
||||
# Service security
|
||||
ELBV2_HTTP_REQUEST_SMUGGLING = "elbv2-http-request-smuggling"
|
|
@ -1,41 +0,0 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
||||
RuleNameEnum,
|
||||
)
|
||||
|
||||
|
||||
class IAMRules(RuleNameEnum):
|
||||
# Authentication/authorization
|
||||
IAM_USER_NO_ACTIVE_KEY_ROTATION = "iam-user-no-Active-key-rotation"
|
||||
IAM_PASSWORD_POLICY_MINIMUM_LENGTH = "iam-password-policy-minimum-length"
|
||||
IAM_PASSWORD_POLICY_NO_EXPIRATION = "iam-password-policy-no-expiration"
|
||||
IAM_PASSWORD_POLICY_REUSE_ENABLED = "iam-password-policy-reuse-enabled"
|
||||
IAM_USER_WITH_PASSWORD_AND_KEY = "iam-user-with-password-and-key"
|
||||
IAM_ASSUME_ROLE_LACKS_EXTERNAL_ID_AND_MFA = "iam-assume-role-lacks-external-id-and-mfa"
|
||||
IAM_USER_WITHOUT_MFA = "iam-user-without-mfa"
|
||||
IAM_ROOT_ACCOUNT_NO_MFA = "iam-root-account-no-mfa"
|
||||
IAM_ROOT_ACCOUNT_WITH_ACTIVE_KEYS = "iam-root-account-with-active-keys"
|
||||
IAM_USER_NO_INACTIVE_KEY_ROTATION = "iam-user-no-Inactive-key-rotation"
|
||||
IAM_USER_WITH_MULTIPLE_ACCESS_KEYS = "iam-user-with-multiple-access-keys"
|
||||
|
||||
# Least privilege
|
||||
IAM_ASSUME_ROLE_POLICY_ALLOWS_ALL = "iam-assume-role-policy-allows-all"
|
||||
IAM_EC2_ROLE_WITHOUT_INSTANCES = "iam-ec2-role-without-instances"
|
||||
IAM_GROUP_WITH_INLINE_POLICIES = "iam-group-with-inline-policies"
|
||||
IAM_GROUP_WITH_NO_USERS = "iam-group-with-no-users"
|
||||
IAM_INLINE_GROUP_POLICY_ALLOWS_IAM_PASSROLE = "iam-inline-group-policy-allows-iam-PassRole"
|
||||
IAM_INLINE_GROUP_POLICY_ALLOWS_NOTACTIONS = "iam-inline-group-policy-allows-NotActions"
|
||||
IAM_INLINE_GROUP_POLICY_ALLOWS_STS_ASSUMEROLE = "iam-inline-group-policy-allows-sts-AssumeRole"
|
||||
IAM_INLINE_ROLE_POLICY_ALLOWS_IAM_PASSROLE = "iam-inline-role-policy-allows-iam-PassRole"
|
||||
IAM_INLINE_ROLE_POLICY_ALLOWS_NOTACTIONS = "iam-inline-role-policy-allows-NotActions"
|
||||
IAM_INLINE_ROLE_POLICY_ALLOWS_STS_ASSUMEROLE = "iam-inline-role-policy-allows-sts-AssumeRole"
|
||||
IAM_INLINE_USER_POLICY_ALLOWS_IAM_PASSROLE = "iam-inline-user-policy-allows-iam-PassRole"
|
||||
IAM_INLINE_USER_POLICY_ALLOWS_NOTACTIONS = "iam-inline-user-policy-allows-NotActions"
|
||||
IAM_INLINE_USER_POLICY_ALLOWS_STS_ASSUMEROLE = "iam-inline-user-policy-allows-sts-AssumeRole"
|
||||
IAM_MANAGED_POLICY_ALLOWS_IAM_PASSROLE = "iam-managed-policy-allows-iam-PassRole"
|
||||
IAM_MANAGED_POLICY_ALLOWS_NOTACTIONS = "iam-managed-policy-allows-NotActions"
|
||||
IAM_MANAGED_POLICY_ALLOWS_STS_ASSUMEROLE = "iam-managed-policy-allows-sts-AssumeRole"
|
||||
IAM_MANAGED_POLICY_NO_ATTACHMENTS = "iam-managed-policy-no-attachments"
|
||||
IAM_ROLE_WITH_INLINE_POLICIES = "iam-role-with-inline-policies"
|
||||
IAM_ROOT_ACCOUNT_USED_RECENTLY = "iam-root-account-used-recently"
|
||||
IAM_ROOT_ACCOUNT_WITH_ACTIVE_CERTS = "iam-root-account-with-active-certs"
|
||||
IAM_USER_WITH_INLINE_POLICIES = "iam-user-with-inline-policies"
|
|
@ -1,21 +0,0 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
||||
RuleNameEnum,
|
||||
)
|
||||
|
||||
|
||||
class RDSRules(RuleNameEnum):
|
||||
# Encryption
|
||||
RDS_INSTANCE_STORAGE_NOT_ENCRYPTED = "rds-instance-storage-not-encrypted"
|
||||
|
||||
# Data loss prevention
|
||||
RDS_INSTANCE_BACKUP_DISABLED = "rds-instance-backup-disabled"
|
||||
RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD = "rds-instance-short-backup-retention-period"
|
||||
RDS_INSTANCE_SINGLE_AZ = "rds-instance-single-az"
|
||||
|
||||
# Firewalls
|
||||
RDS_SECURITY_GROUP_ALLOWS_ALL = "rds-security-group-allows-all"
|
||||
RDS_SNAPSHOT_PUBLIC = "rds-snapshot-public"
|
||||
|
||||
# Service security
|
||||
RDS_INSTANCE_CA_CERTIFICATE_DEPRECATED = "rds-instance-ca-certificate-deprecated"
|
||||
RDS_INSTANCE_NO_MINOR_UPGRADE = "rds-instance-no-minor-upgrade"
|
|
@ -1,21 +0,0 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
||||
RuleNameEnum,
|
||||
)
|
||||
|
||||
|
||||
class RedshiftRules(RuleNameEnum):
|
||||
# Encryption
|
||||
REDSHIFT_CLUSTER_DATABASE_NOT_ENCRYPTED = "redshift-cluster-database-not-encrypted"
|
||||
REDSHIFT_PARAMETER_GROUP_SSL_NOT_REQUIRED = "redshift-parameter-group-ssl-not-required"
|
||||
|
||||
# Firewalls
|
||||
REDSHIFT_SECURITY_GROUP_WHITELISTS_ALL = "redshift-security-group-whitelists-all"
|
||||
|
||||
# Restrictive Policies
|
||||
REDSHIFT_CLUSTER_PUBLICLY_ACCESSIBLE = "redshift-cluster-publicly-accessible"
|
||||
|
||||
# Logging
|
||||
REDSHIFT_PARAMETER_GROUP_LOGGING_DISABLED = "redshift-parameter-group-logging-disabled"
|
||||
|
||||
# Service security
|
||||
REDSHIFT_CLUSTER_NO_VERSION_UPGRADE = "redshift-cluster-no-version-upgrade"
|
|
@ -1,5 +0,0 @@
|
|||
from enum import Enum
|
||||
|
||||
|
||||
class RuleNameEnum(Enum):
|
||||
pass
|
|
@ -1,31 +0,0 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
||||
RuleNameEnum,
|
||||
)
|
||||
|
||||
|
||||
class S3Rules(RuleNameEnum):
|
||||
# Encryption
|
||||
S3_BUCKET_ALLOWING_CLEARTEXT = "s3-bucket-allowing-cleartext"
|
||||
S3_BUCKET_NO_DEFAULT_ENCRYPTION = "s3-bucket-no-default-encryption"
|
||||
|
||||
# Data loss prevention
|
||||
S3_BUCKET_NO_MFA_DELETE = "s3-bucket-no-mfa-delete"
|
||||
S3_BUCKET_NO_VERSIONING = "s3-bucket-no-versioning"
|
||||
|
||||
# Logging
|
||||
S3_BUCKET_NO_LOGGING = "s3-bucket-no-logging"
|
||||
|
||||
# Permissive access rules
|
||||
S3_BUCKET_AUTHENTICATEDUSERS_WRITE_ACP = "s3-bucket-AuthenticatedUsers-write_acp"
|
||||
S3_BUCKET_AUTHENTICATEDUSERS_WRITE = "s3-bucket-AuthenticatedUsers-write"
|
||||
S3_BUCKET_AUTHENTICATEDUSERS_READ_ACP = "s3-bucket-AuthenticatedUsers-read_acp"
|
||||
S3_BUCKET_AUTHENTICATEDUSERS_READ = "s3-bucket-AuthenticatedUsers-read"
|
||||
S3_BUCKET_ALLUSERS_WRITE_ACP = "s3-bucket-AllUsers-write_acp"
|
||||
S3_BUCKET_ALLUSERS_WRITE = "s3-bucket-AllUsers-write"
|
||||
S3_BUCKET_ALLUSERS_READ_ACP = "s3-bucket-AllUsers-read_acp"
|
||||
S3_BUCKET_ALLUSERS_READ = "s3-bucket-AllUsers-read"
|
||||
S3_BUCKET_WORLD_PUT_POLICY = "s3-bucket-world-Put-policy"
|
||||
S3_BUCKET_WORLD_POLICY_STAR = "s3-bucket-world-policy-star"
|
||||
S3_BUCKET_WORLD_LIST_POLICY = "s3-bucket-world-List-policy"
|
||||
S3_BUCKET_WORLD_GET_POLICY = "s3-bucket-world-Get-policy"
|
||||
S3_BUCKET_WORLD_DELETE_POLICY = "s3-bucket-world-Delete-policy"
|
|
@ -1,9 +0,0 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
||||
RuleNameEnum,
|
||||
)
|
||||
|
||||
|
||||
class SESRules(RuleNameEnum):
|
||||
# Permissive policies
|
||||
SES_IDENTITY_WORLD_SENDRAWEMAIL_POLICY = "ses-identity-world-SendRawEmail-policy"
|
||||
SES_IDENTITY_WORLD_SENDEMAIL_POLICY = "ses-identity-world-SendEmail-policy"
|
|
@ -1,14 +0,0 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
||||
RuleNameEnum,
|
||||
)
|
||||
|
||||
|
||||
class SNSRules(RuleNameEnum):
|
||||
# Permissive policies
|
||||
SNS_TOPIC_WORLD_SUBSCRIBE_POLICY = "sns-topic-world-Subscribe-policy"
|
||||
SNS_TOPIC_WORLD_SETTOPICATTRIBUTES_POLICY = "sns-topic-world-SetTopicAttributes-policy"
|
||||
SNS_TOPIC_WORLD_REMOVEPERMISSION_POLICY = "sns-topic-world-RemovePermission-policy"
|
||||
SNS_TOPIC_WORLD_RECEIVE_POLICY = "sns-topic-world-Receive-policy"
|
||||
SNS_TOPIC_WORLD_PUBLISH_POLICY = "sns-topic-world-Publish-policy"
|
||||
SNS_TOPIC_WORLD_DELETETOPIC_POLICY = "sns-topic-world-DeleteTopic-policy"
|
||||
SNS_TOPIC_WORLD_ADDPERMISSION_POLICY = "sns-topic-world-AddPermission-policy"
|
|
@ -1,16 +0,0 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
||||
RuleNameEnum,
|
||||
)
|
||||
|
||||
|
||||
class SQSRules(RuleNameEnum):
|
||||
# Permissive policies
|
||||
SQS_QUEUE_WORLD_SENDMESSAGE_POLICY = "sqs-queue-world-SendMessage-policy"
|
||||
SQS_QUEUE_WORLD_RECEIVEMESSAGE_POLICY = "sqs-queue-world-ReceiveMessage-policy"
|
||||
SQS_QUEUE_WORLD_PURGEQUEUE_POLICY = "sqs-queue-world-PurgeQueue-policy"
|
||||
SQS_QUEUE_WORLD_GETQUEUEURL_POLICY = "sqs-queue-world-GetQueueUrl-policy"
|
||||
SQS_QUEUE_WORLD_GETQUEUEATTRIBUTES_POLICY = "sqs-queue-world-GetQueueAttributes-policy"
|
||||
SQS_QUEUE_WORLD_DELETEMESSAGE_POLICY = "sqs-queue-world-DeleteMessage-policy"
|
||||
SQS_QUEUE_WORLD_CHANGEMESSAGEVISIBILITY_POLICY = (
|
||||
"sqs-queue-world-ChangeMessageVisibility-policy"
|
||||
)
|
|
@ -1,17 +0,0 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
||||
RuleNameEnum,
|
||||
)
|
||||
|
||||
|
||||
class VPCRules(RuleNameEnum):
|
||||
# Logging
|
||||
SUBNET_WITHOUT_FLOW_LOG = "vpc-subnet-without-flow-log"
|
||||
|
||||
# Firewalls
|
||||
SUBNET_WITH_ALLOW_ALL_INGRESS_ACLS = "vpc-subnet-with-allow-all-ingress-acls"
|
||||
SUBNET_WITH_ALLOW_ALL_EGRESS_ACLS = "vpc-subnet-with-allow-all-egress-acls"
|
||||
NETWORK_ACL_NOT_USED = "vpc-network-acl-not-used"
|
||||
DEFAULT_NETWORK_ACLS_ALLOW_ALL_INGRESS = "vpc-default-network-acls-allow-all-ingress"
|
||||
DEFAULT_NETWORK_ACLS_ALLOW_ALL_EGRESS = "vpc-default-network-acls-allow-all-egress"
|
||||
CUSTOM_NETWORK_ACLS_ALLOW_ALL_INGRESS = "vpc-custom-network-acls-allow-all-ingress"
|
||||
CUSTOM_NETWORK_ACLS_ALLOW_ALL_EGRESS = "vpc-custom-network-acls-allow-all-egress"
|
|
@ -1,224 +0,0 @@
|
|||
from abc import ABC, abstractmethod
|
||||
from typing import List
|
||||
|
||||
from common.common_consts import zero_trust_consts
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudformation_rules import (
|
||||
CloudformationRules,
|
||||
)
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudtrail_rules import (
|
||||
CloudTrailRules,
|
||||
)
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudwatch_rules import (
|
||||
CloudWatchRules,
|
||||
)
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.config_rules import (
|
||||
ConfigRules,
|
||||
)
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.ec2_rules import EC2Rules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.elb_rules import ELBRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.elbv2_rules import ELBv2Rules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.iam_rules import IAMRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rds_rules import RDSRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.redshift_rules import (
|
||||
RedshiftRules,
|
||||
)
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rule_name_enum import (
|
||||
RuleNameEnum,
|
||||
)
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.s3_rules import S3Rules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.ses_rules import SESRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.sns_rules import SNSRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.sqs_rules import SQSRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.vpc_rules import VPCRules
|
||||
|
||||
|
||||
# Class which links ZT tests and rules to ScoutSuite finding
|
||||
class ScoutSuiteFindingMap(ABC):
|
||||
@property
|
||||
@abstractmethod
|
||||
def rules(self) -> List[RuleNameEnum]:
|
||||
pass
|
||||
|
||||
@property
|
||||
@abstractmethod
|
||||
def test(self) -> str:
|
||||
pass
|
||||
|
||||
|
||||
class PermissiveFirewallRules(ScoutSuiteFindingMap):
|
||||
rules = [
|
||||
EC2Rules.SECURITY_GROUP_ALL_PORTS_TO_ALL,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_TCP_PORT_TO_ALL,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_UDP_PORT_TO_ALL,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_RDP_PORT_TO_ALL,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_SSH_PORT_TO_ALL,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_MYSQL_PORT_TO_ALL,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_MSSQL_PORT_TO_ALL,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_MONGODB_PORT_TO_ALL,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_ORACLE_DB_PORT_TO_ALL,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_POSTGRESQL_PORT_TO_ALL,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_NFS_PORT_TO_ALL,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_SMTP_PORT_TO_ALL,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_DNS_PORT_TO_ALL,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_ALL_PORTS_TO_SELF,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_ALL_PORTS,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_PLAINTEXT_PORT_FTP,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_PLAINTEXT_PORT_TELNET,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_PORT_RANGE,
|
||||
EC2Rules.EC2_SECURITY_GROUP_WHITELISTS_AWS,
|
||||
VPCRules.SUBNET_WITH_ALLOW_ALL_INGRESS_ACLS,
|
||||
VPCRules.SUBNET_WITH_ALLOW_ALL_EGRESS_ACLS,
|
||||
VPCRules.NETWORK_ACL_NOT_USED,
|
||||
VPCRules.DEFAULT_NETWORK_ACLS_ALLOW_ALL_INGRESS,
|
||||
VPCRules.DEFAULT_NETWORK_ACLS_ALLOW_ALL_EGRESS,
|
||||
VPCRules.CUSTOM_NETWORK_ACLS_ALLOW_ALL_INGRESS,
|
||||
VPCRules.CUSTOM_NETWORK_ACLS_ALLOW_ALL_EGRESS,
|
||||
RDSRules.RDS_SECURITY_GROUP_ALLOWS_ALL,
|
||||
RedshiftRules.REDSHIFT_SECURITY_GROUP_WHITELISTS_ALL,
|
||||
]
|
||||
|
||||
test = zero_trust_consts.TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES
|
||||
|
||||
|
||||
class UnencryptedData(ScoutSuiteFindingMap):
|
||||
rules = [
|
||||
EC2Rules.EBS_SNAPSHOT_NOT_ENCRYPTED,
|
||||
EC2Rules.EBS_VOLUME_NOT_ENCRYPTED,
|
||||
EC2Rules.EC2_INSTANCE_WITH_USER_DATA_SECRETS,
|
||||
ELBv2Rules.ELBV2_LISTENER_ALLOWING_CLEARTEXT,
|
||||
ELBv2Rules.ELBV2_OLDER_SSL_POLICY,
|
||||
RDSRules.RDS_INSTANCE_STORAGE_NOT_ENCRYPTED,
|
||||
RedshiftRules.REDSHIFT_CLUSTER_DATABASE_NOT_ENCRYPTED,
|
||||
RedshiftRules.REDSHIFT_PARAMETER_GROUP_SSL_NOT_REQUIRED,
|
||||
S3Rules.S3_BUCKET_ALLOWING_CLEARTEXT,
|
||||
S3Rules.S3_BUCKET_NO_DEFAULT_ENCRYPTION,
|
||||
ELBRules.ELB_LISTENER_ALLOWING_CLEARTEXT,
|
||||
ELBRules.ELB_OLDER_SSL_POLICY,
|
||||
]
|
||||
|
||||
test = zero_trust_consts.TEST_SCOUTSUITE_UNENCRYPTED_DATA
|
||||
|
||||
|
||||
class DataLossPrevention(ScoutSuiteFindingMap):
|
||||
rules = [
|
||||
RDSRules.RDS_INSTANCE_BACKUP_DISABLED,
|
||||
RDSRules.RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD,
|
||||
RDSRules.RDS_INSTANCE_SINGLE_AZ,
|
||||
S3Rules.S3_BUCKET_NO_MFA_DELETE,
|
||||
S3Rules.S3_BUCKET_NO_VERSIONING,
|
||||
ELBv2Rules.ELBV2_NO_DELETION_PROTECTION,
|
||||
]
|
||||
|
||||
test = zero_trust_consts.TEST_SCOUTSUITE_DATA_LOSS_PREVENTION
|
||||
|
||||
|
||||
class SecureAuthentication(ScoutSuiteFindingMap):
|
||||
rules = [
|
||||
IAMRules.IAM_USER_NO_ACTIVE_KEY_ROTATION,
|
||||
IAMRules.IAM_PASSWORD_POLICY_MINIMUM_LENGTH,
|
||||
IAMRules.IAM_PASSWORD_POLICY_NO_EXPIRATION,
|
||||
IAMRules.IAM_PASSWORD_POLICY_REUSE_ENABLED,
|
||||
IAMRules.IAM_USER_WITH_PASSWORD_AND_KEY,
|
||||
IAMRules.IAM_ASSUME_ROLE_LACKS_EXTERNAL_ID_AND_MFA,
|
||||
IAMRules.IAM_USER_WITHOUT_MFA,
|
||||
IAMRules.IAM_ROOT_ACCOUNT_NO_MFA,
|
||||
IAMRules.IAM_ROOT_ACCOUNT_WITH_ACTIVE_KEYS,
|
||||
IAMRules.IAM_USER_NO_INACTIVE_KEY_ROTATION,
|
||||
IAMRules.IAM_USER_WITH_MULTIPLE_ACCESS_KEYS,
|
||||
]
|
||||
|
||||
test = zero_trust_consts.TEST_SCOUTSUITE_SECURE_AUTHENTICATION
|
||||
|
||||
|
||||
class RestrictivePolicies(ScoutSuiteFindingMap):
|
||||
rules = [
|
||||
IAMRules.IAM_ASSUME_ROLE_POLICY_ALLOWS_ALL,
|
||||
IAMRules.IAM_EC2_ROLE_WITHOUT_INSTANCES,
|
||||
IAMRules.IAM_GROUP_WITH_INLINE_POLICIES,
|
||||
IAMRules.IAM_GROUP_WITH_NO_USERS,
|
||||
IAMRules.IAM_INLINE_GROUP_POLICY_ALLOWS_IAM_PASSROLE,
|
||||
IAMRules.IAM_INLINE_GROUP_POLICY_ALLOWS_NOTACTIONS,
|
||||
IAMRules.IAM_INLINE_GROUP_POLICY_ALLOWS_STS_ASSUMEROLE,
|
||||
IAMRules.IAM_INLINE_ROLE_POLICY_ALLOWS_IAM_PASSROLE,
|
||||
IAMRules.IAM_INLINE_ROLE_POLICY_ALLOWS_NOTACTIONS,
|
||||
IAMRules.IAM_INLINE_ROLE_POLICY_ALLOWS_STS_ASSUMEROLE,
|
||||
IAMRules.IAM_INLINE_USER_POLICY_ALLOWS_IAM_PASSROLE,
|
||||
IAMRules.IAM_INLINE_USER_POLICY_ALLOWS_NOTACTIONS,
|
||||
IAMRules.IAM_INLINE_USER_POLICY_ALLOWS_STS_ASSUMEROLE,
|
||||
IAMRules.IAM_MANAGED_POLICY_ALLOWS_IAM_PASSROLE,
|
||||
IAMRules.IAM_MANAGED_POLICY_ALLOWS_NOTACTIONS,
|
||||
IAMRules.IAM_MANAGED_POLICY_ALLOWS_STS_ASSUMEROLE,
|
||||
IAMRules.IAM_MANAGED_POLICY_NO_ATTACHMENTS,
|
||||
IAMRules.IAM_ROLE_WITH_INLINE_POLICIES,
|
||||
IAMRules.IAM_ROOT_ACCOUNT_USED_RECENTLY,
|
||||
IAMRules.IAM_ROOT_ACCOUNT_WITH_ACTIVE_CERTS,
|
||||
IAMRules.IAM_USER_WITH_INLINE_POLICIES,
|
||||
EC2Rules.AMI_PUBLIC,
|
||||
S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_WRITE_ACP,
|
||||
S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_WRITE,
|
||||
S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_READ_ACP,
|
||||
S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_READ,
|
||||
S3Rules.S3_BUCKET_ALLUSERS_WRITE_ACP,
|
||||
S3Rules.S3_BUCKET_ALLUSERS_WRITE,
|
||||
S3Rules.S3_BUCKET_ALLUSERS_READ_ACP,
|
||||
S3Rules.S3_BUCKET_ALLUSERS_READ,
|
||||
S3Rules.S3_BUCKET_WORLD_PUT_POLICY,
|
||||
S3Rules.S3_BUCKET_WORLD_POLICY_STAR,
|
||||
S3Rules.S3_BUCKET_WORLD_LIST_POLICY,
|
||||
S3Rules.S3_BUCKET_WORLD_GET_POLICY,
|
||||
S3Rules.S3_BUCKET_WORLD_DELETE_POLICY,
|
||||
EC2Rules.EC2_DEFAULT_SECURITY_GROUP_IN_USE,
|
||||
EC2Rules.EC2_DEFAULT_SECURITY_GROUP_WITH_RULES,
|
||||
EC2Rules.EC2_EBS_SNAPSHOT_PUBLIC,
|
||||
SQSRules.SQS_QUEUE_WORLD_SENDMESSAGE_POLICY,
|
||||
SQSRules.SQS_QUEUE_WORLD_RECEIVEMESSAGE_POLICY,
|
||||
SQSRules.SQS_QUEUE_WORLD_PURGEQUEUE_POLICY,
|
||||
SQSRules.SQS_QUEUE_WORLD_GETQUEUEURL_POLICY,
|
||||
SQSRules.SQS_QUEUE_WORLD_GETQUEUEATTRIBUTES_POLICY,
|
||||
SQSRules.SQS_QUEUE_WORLD_DELETEMESSAGE_POLICY,
|
||||
SQSRules.SQS_QUEUE_WORLD_CHANGEMESSAGEVISIBILITY_POLICY,
|
||||
SNSRules.SNS_TOPIC_WORLD_SUBSCRIBE_POLICY,
|
||||
SNSRules.SNS_TOPIC_WORLD_SETTOPICATTRIBUTES_POLICY,
|
||||
SNSRules.SNS_TOPIC_WORLD_REMOVEPERMISSION_POLICY,
|
||||
SNSRules.SNS_TOPIC_WORLD_RECEIVE_POLICY,
|
||||
SNSRules.SNS_TOPIC_WORLD_PUBLISH_POLICY,
|
||||
SNSRules.SNS_TOPIC_WORLD_DELETETOPIC_POLICY,
|
||||
SNSRules.SNS_TOPIC_WORLD_ADDPERMISSION_POLICY,
|
||||
SESRules.SES_IDENTITY_WORLD_SENDRAWEMAIL_POLICY,
|
||||
SESRules.SES_IDENTITY_WORLD_SENDEMAIL_POLICY,
|
||||
RedshiftRules.REDSHIFT_CLUSTER_PUBLICLY_ACCESSIBLE,
|
||||
]
|
||||
|
||||
test = zero_trust_consts.TEST_SCOUTSUITE_RESTRICTIVE_POLICIES
|
||||
|
||||
|
||||
class Logging(ScoutSuiteFindingMap):
|
||||
rules = [
|
||||
CloudTrailRules.CLOUDTRAIL_DUPLICATED_GLOBAL_SERVICES_LOGGING,
|
||||
CloudTrailRules.CLOUDTRAIL_NO_DATA_LOGGING,
|
||||
CloudTrailRules.CLOUDTRAIL_NO_GLOBAL_SERVICES_LOGGING,
|
||||
CloudTrailRules.CLOUDTRAIL_NO_LOG_FILE_VALIDATION,
|
||||
CloudTrailRules.CLOUDTRAIL_NO_LOGGING,
|
||||
CloudTrailRules.CLOUDTRAIL_NOT_CONFIGURED,
|
||||
CloudWatchRules.CLOUDWATCH_ALARM_WITHOUT_ACTIONS,
|
||||
ELBRules.ELB_NO_ACCESS_LOGS,
|
||||
S3Rules.S3_BUCKET_NO_LOGGING,
|
||||
ELBv2Rules.ELBV2_NO_ACCESS_LOGS,
|
||||
VPCRules.SUBNET_WITHOUT_FLOW_LOG,
|
||||
ConfigRules.CONFIG_RECORDER_NOT_CONFIGURED,
|
||||
RedshiftRules.REDSHIFT_PARAMETER_GROUP_LOGGING_DISABLED,
|
||||
]
|
||||
|
||||
test = zero_trust_consts.TEST_SCOUTSUITE_LOGGING
|
||||
|
||||
|
||||
class ServiceSecurity(ScoutSuiteFindingMap):
|
||||
rules = [
|
||||
CloudformationRules.CLOUDFORMATION_STACK_WITH_ROLE,
|
||||
ELBv2Rules.ELBV2_HTTP_REQUEST_SMUGGLING,
|
||||
RDSRules.RDS_INSTANCE_CA_CERTIFICATE_DEPRECATED,
|
||||
RDSRules.RDS_INSTANCE_NO_MINOR_UPGRADE,
|
||||
RedshiftRules.REDSHIFT_CLUSTER_NO_VERSION_UPGRADE,
|
||||
]
|
||||
|
||||
test = zero_trust_consts.TEST_SCOUTSUITE_SERVICE_SECURITY
|
|
@ -1,19 +0,0 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.scoutsuite_finding_maps import (
|
||||
DataLossPrevention,
|
||||
Logging,
|
||||
PermissiveFirewallRules,
|
||||
RestrictivePolicies,
|
||||
SecureAuthentication,
|
||||
ServiceSecurity,
|
||||
UnencryptedData,
|
||||
)
|
||||
|
||||
SCOUTSUITE_FINDINGS = [
|
||||
PermissiveFirewallRules,
|
||||
UnencryptedData,
|
||||
DataLossPrevention,
|
||||
SecureAuthentication,
|
||||
RestrictivePolicies,
|
||||
Logging,
|
||||
ServiceSecurity,
|
||||
]
|
|
@ -1,45 +0,0 @@
|
|||
import pytest
|
||||
from mongoengine import ValidationError
|
||||
from tests.unit_tests.monkey_island.cc.services.zero_trust.test_common.scoutsuite_finding_data import ( # noqa: E501
|
||||
RULES,
|
||||
)
|
||||
|
||||
import common.common_consts.zero_trust_consts as zero_trust_consts
|
||||
from monkey_island.cc.models.zero_trust.finding import Finding
|
||||
from monkey_island.cc.models.zero_trust.monkey_finding_details import MonkeyFindingDetails
|
||||
from monkey_island.cc.models.zero_trust.scoutsuite_finding import ScoutSuiteFinding
|
||||
from monkey_island.cc.models.zero_trust.scoutsuite_finding_details import ScoutSuiteFindingDetails
|
||||
|
||||
MONKEY_FINDING_DETAIL_MOCK = MonkeyFindingDetails()
|
||||
MONKEY_FINDING_DETAIL_MOCK.events = ["mock1", "mock2"]
|
||||
SCOUTSUITE_FINDING_DETAIL_MOCK = ScoutSuiteFindingDetails()
|
||||
SCOUTSUITE_FINDING_DETAIL_MOCK.scoutsuite_rules = []
|
||||
|
||||
|
||||
class TestScoutSuiteFinding:
|
||||
@pytest.mark.usefixtures("uses_database")
|
||||
def test_save_finding_validation(self):
|
||||
with pytest.raises(ValidationError):
|
||||
_ = ScoutSuiteFinding.save_finding(
|
||||
test=zero_trust_consts.TEST_SEGMENTATION,
|
||||
status="bla bla",
|
||||
detail_ref=SCOUTSUITE_FINDING_DETAIL_MOCK,
|
||||
)
|
||||
|
||||
@pytest.mark.usefixtures("uses_database")
|
||||
def test_save_finding_sanity(self):
|
||||
assert len(Finding.objects(test=zero_trust_consts.TEST_SEGMENTATION)) == 0
|
||||
|
||||
rule_example = RULES[0]
|
||||
scoutsuite_details_example = ScoutSuiteFindingDetails()
|
||||
scoutsuite_details_example.scoutsuite_rules.append(rule_example)
|
||||
scoutsuite_details_example.save()
|
||||
ScoutSuiteFinding.save_finding(
|
||||
test=zero_trust_consts.TEST_SEGMENTATION,
|
||||
status=zero_trust_consts.STATUS_FAILED,
|
||||
detail_ref=scoutsuite_details_example,
|
||||
)
|
||||
|
||||
assert len(ScoutSuiteFinding.objects(test=zero_trust_consts.TEST_SEGMENTATION)) == 1
|
||||
assert len(ScoutSuiteFinding.objects(status=zero_trust_consts.STATUS_FAILED)) == 1
|
||||
assert len(Finding.objects(status=zero_trust_consts.STATUS_FAILED)) == 1
|
|
@ -1,89 +0,0 @@
|
|||
from monkey_island.cc.models.zero_trust.scoutsuite_finding_details import ScoutSuiteFindingDetails
|
||||
from monkey_island.cc.models.zero_trust.scoutsuite_rule import ScoutSuiteRule
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.scoutsuite_finding_maps import (
|
||||
PermissiveFirewallRules,
|
||||
UnencryptedData,
|
||||
)
|
||||
|
||||
SCOUTSUITE_FINDINGS = [PermissiveFirewallRules, UnencryptedData]
|
||||
|
||||
RULES = [
|
||||
ScoutSuiteRule(
|
||||
checked_items=179,
|
||||
compliance=None,
|
||||
dashboard_name="Rules",
|
||||
description="Security Group Opens All Ports to All",
|
||||
flagged_items=2,
|
||||
items=[
|
||||
"ec2.regions.eu-central-1.vpcs.vpc-0ee259b1a13c50229.security_groups.sg"
|
||||
"-035779fe5c293fc72"
|
||||
".rules.ingress.protocols.ALL.ports.1-65535.cidrs.2.CIDR",
|
||||
"ec2.regions.eu-central-1.vpcs.vpc-00015526b6695f9aa.security_groups.sg"
|
||||
"-019eb67135ec81e65"
|
||||
".rules.ingress.protocols.ALL.ports.1-65535.cidrs.0.CIDR",
|
||||
],
|
||||
level="danger",
|
||||
path="ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id.cidrs"
|
||||
".id.CIDR",
|
||||
rationale="It was detected that all ports in the security group are open, "
|
||||
"and any source IP address"
|
||||
" could send traffic to these ports, which creates a wider attack surface "
|
||||
"for resources "
|
||||
"assigned to it. Open ports should be reduced to the minimum needed to "
|
||||
"correctly",
|
||||
references=[],
|
||||
remediation=None,
|
||||
service="EC2",
|
||||
),
|
||||
ScoutSuiteRule(
|
||||
checked_items=179,
|
||||
compliance=[
|
||||
{"name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "4.1"},
|
||||
{"name": "CIS Amazon Web Services Foundations", "version": "1.0.0", "reference": "4.2"},
|
||||
{"name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "4.1"},
|
||||
{"name": "CIS Amazon Web Services Foundations", "version": "1.1.0", "reference": "4.2"},
|
||||
{"name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "4.1"},
|
||||
{"name": "CIS Amazon Web Services Foundations", "version": "1.2.0", "reference": "4.2"},
|
||||
],
|
||||
dashboard_name="Rules",
|
||||
description="Security Group Opens RDP Port to All",
|
||||
flagged_items=7,
|
||||
items=[
|
||||
"ec2.regions.eu-central-1.vpcs.vpc-076500a2138ee09da.security_groups.sg"
|
||||
"-00bdef5951797199c"
|
||||
".rules.ingress.protocols.TCP.ports.3389.cidrs.0.CIDR",
|
||||
"ec2.regions.eu-central-1.vpcs.vpc-d33026b8.security_groups.sg-007931ba8a364e330"
|
||||
".rules.ingress.protocols.TCP.ports.3389.cidrs.0.CIDR",
|
||||
"ec2.regions.eu-central-1.vpcs.vpc-d33026b8.security_groups.sg-05014daf996b042dd"
|
||||
".rules.ingress.protocols.TCP.ports.3389.cidrs.0.CIDR",
|
||||
"ec2.regions.eu-central-1.vpcs.vpc-d33026b8.security_groups.sg-0c745fe56c66335b2"
|
||||
".rules.ingress.protocols.TCP.ports.3389.cidrs.0.CIDR",
|
||||
"ec2.regions.eu-central-1.vpcs.vpc-d33026b8.security_groups.sg-0f99b85cfad63d1b1"
|
||||
".rules.ingress.protocols.TCP.ports.3389.cidrs.0.CIDR",
|
||||
"ec2.regions.us-east-1.vpcs.vpc-9e56cae4.security_groups.sg-0dc253aa79062835a"
|
||||
".rules.ingress.protocols.TCP.ports.3389.cidrs.0.CIDR",
|
||||
"ec2.regions.us-east-1.vpcs.vpc-002d543353cd4e97d.security_groups.sg"
|
||||
"-01902f153d4f938da"
|
||||
".rules.ingress.protocols.TCP.ports.3389.cidrs.0.CIDR",
|
||||
],
|
||||
level="danger",
|
||||
path="ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id.cidrs"
|
||||
".id.CIDR",
|
||||
rationale="The security group was found to be exposing a well-known port to all "
|
||||
"source addresses."
|
||||
" Well-known ports are commonly probed by automated scanning tools, "
|
||||
"and could be an indicator "
|
||||
"of sensitive services exposed to Internet. If such services need to be "
|
||||
"expos",
|
||||
references=[],
|
||||
remediation="Remove the inbound rules that expose open ports",
|
||||
service="EC2",
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
def get_scoutsuite_details_dto() -> ScoutSuiteFindingDetails:
|
||||
scoutsuite_details = ScoutSuiteFindingDetails()
|
||||
scoutsuite_details.scoutsuite_rules.append(RULES[0])
|
||||
scoutsuite_details.scoutsuite_rules.append(RULES[1])
|
||||
return scoutsuite_details
|
|
@ -1,64 +0,0 @@
|
|||
from unittest.mock import MagicMock
|
||||
|
||||
import pytest
|
||||
from tests.unit_tests.monkey_island.cc.services.zero_trust.test_common.finding_data import (
|
||||
get_monkey_finding_dto,
|
||||
get_scoutsuite_finding_dto,
|
||||
)
|
||||
|
||||
from common.common_consts.zero_trust_consts import (
|
||||
DEVICES,
|
||||
NETWORKS,
|
||||
STATUS_FAILED,
|
||||
STATUS_PASSED,
|
||||
TEST_ENDPOINT_SECURITY_EXISTS,
|
||||
TEST_SCOUTSUITE_SERVICE_SECURITY,
|
||||
TESTS_MAP,
|
||||
)
|
||||
from monkey_island.cc.services.zero_trust.monkey_findings.monkey_zt_details_service import (
|
||||
MonkeyZTDetailsService,
|
||||
)
|
||||
from monkey_island.cc.services.zero_trust.zero_trust_report.finding_service import (
|
||||
EnrichedFinding,
|
||||
FindingService,
|
||||
)
|
||||
|
||||
|
||||
@pytest.mark.usefixtures("uses_database")
|
||||
def test_get_all_findings():
|
||||
get_scoutsuite_finding_dto().save()
|
||||
get_monkey_finding_dto().save()
|
||||
|
||||
# This method fails due to mongomock not being able to simulate $unset, so don't test details
|
||||
MonkeyZTDetailsService.fetch_details_for_display = MagicMock(return_value=None)
|
||||
|
||||
findings = FindingService.get_all_findings_for_ui()
|
||||
|
||||
description = TESTS_MAP[TEST_SCOUTSUITE_SERVICE_SECURITY]["finding_explanation"][STATUS_FAILED]
|
||||
expected_finding0 = EnrichedFinding(
|
||||
finding_id=findings[0].finding_id,
|
||||
pillars=[DEVICES, NETWORKS],
|
||||
status=STATUS_FAILED,
|
||||
test=description,
|
||||
test_key=TEST_SCOUTSUITE_SERVICE_SECURITY,
|
||||
details=None,
|
||||
)
|
||||
|
||||
description = TESTS_MAP[TEST_ENDPOINT_SECURITY_EXISTS]["finding_explanation"][STATUS_PASSED]
|
||||
expected_finding1 = EnrichedFinding(
|
||||
finding_id=findings[1].finding_id,
|
||||
pillars=[DEVICES],
|
||||
status=STATUS_PASSED,
|
||||
test=description,
|
||||
test_key=TEST_ENDPOINT_SECURITY_EXISTS,
|
||||
details=None,
|
||||
)
|
||||
|
||||
# Don't test details
|
||||
details = []
|
||||
for finding in findings:
|
||||
details.append(finding.details)
|
||||
finding.details = None
|
||||
|
||||
assert findings[0] == expected_finding0
|
||||
assert findings[1] == expected_finding1
|