Created new scoutsuite findings, added relevant infrastructure to zero trust consts

This commit is contained in:
VakarisZ 2020-09-23 10:24:03 +03:00
parent c792f2f34c
commit 49e13a651e
4 changed files with 173 additions and 14 deletions


@ -26,7 +26,6 @@ MONKEY_FINDING = "monkey_finding"
SCOUTSUITE_FINDING = "scoutsuite_finding"
FINDING_TYPES = [MONKEY_FINDING, SCOUTSUITE_FINDING]
TEST_DATA_ENDPOINT_ELASTIC = "unencrypted_data_endpoint_elastic"
TEST_DATA_ENDPOINT_HTTP = "unencrypted_data_endpoint_http"
TEST_MACHINE_EXPLOITED = "machine_exploited"
@ -37,6 +36,12 @@ TEST_SEGMENTATION = "segmentation"
TEST_TUNNELING = "tunneling"
TEST_COMMUNICATE_AS_NEW_USER = "communicate_as_new_user"
TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES = "scoutsuite_permissive_firewall_rules"
TEST_SCOUTSUITE_UNENCRYPTED_DATA = "scoutsuite_unencrypted_data"
TEST_SCOUTSUITE_DATA_LOSS_PREVENTION = "scoutsuite_data_loss_prevention"
TEST_SCOUTSUITE_SECURE_AUTHENTICATION = "scoutsuite_secure_authentication"
TEST_SCOUTSUITE_RESTRICTIVE_POLICIES = "scoutsuite_unrestrictive_policies"
TEST_SCOUTSUITE_LOGGING = "scoutsuite_logging"
TESTS = (
TEST_SEGMENTATION,
TEST_MALICIOUS_ACTIVITY_TIMELINE,
@ -47,25 +52,36 @@ TESTS = (
TEST_DATA_ENDPOINT_ELASTIC,
TEST_TUNNELING,
TEST_COMMUNICATE_AS_NEW_USER,
TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES
TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES,
TEST_SCOUTSUITE_UNENCRYPTED_DATA,
TEST_SCOUTSUITE_DATA_LOSS_PREVENTION,
TEST_SCOUTSUITE_SECURE_AUTHENTICATION,
TEST_SCOUTSUITE_RESTRICTIVE_POLICIES,
TEST_SCOUTSUITE_LOGGING
)
PRINCIPLE_DATA_TRANSIT = "data_transit"
PRINCIPLE_DATA_CONFIDENTIALITY = "data_transit"
PRINCIPLE_ENDPOINT_SECURITY = "endpoint_security"
PRINCIPLE_USER_BEHAVIOUR = "user_behaviour"
PRINCIPLE_ANALYZE_NETWORK_TRAFFIC = "analyze_network_traffic"
PRINCIPLE_SEGMENTATION = "segmentation"
PRINCIPLE_RESTRICTIVE_NETWORK_POLICIES = "network_policies"
PRINCIPLE_USERS_MAC_POLICIES = "users_mac_policies"
PRINCIPLE_DISASTER_RECOVERY = "data_backup"
PRINCIPLE_SECURE_AUTHENTICATION = "secure_authentication"
PRINCIPLE_MONITORING_AND_LOGGING = "monitoring_and_logging"
PRINCIPLES = {
PRINCIPLE_SEGMENTATION: "Apply segmentation and micro-segmentation inside your network.",
PRINCIPLE_ANALYZE_NETWORK_TRAFFIC: "Analyze network traffic for malicious activity.",
PRINCIPLE_USER_BEHAVIOUR: "Adopt security user behavior analytics.",
PRINCIPLE_ENDPOINT_SECURITY: "Use anti-virus and other traditional endpoint security solutions.",
PRINCIPLE_DATA_TRANSIT: "Secure data at transit by encrypting it.",
PRINCIPLE_DATA_CONFIDENTIALITY: "Ensure data's confidentiality by encrypting it.",
PRINCIPLE_RESTRICTIVE_NETWORK_POLICIES: "Configure network policies to be as restrictive as possible.",
PRINCIPLE_USERS_MAC_POLICIES: "Users' permissions to the network and to resources should be MAC (Mandatory "
"Access Control) only.",
PRINCIPLE_DISASTER_RECOVERY: "Ensure data and infrastructure backups for disaster recovery scenarios.",
PRINCIPLE_SECURE_AUTHENTICATION: "Ensure secure authentication process's.",
PRINCIPLE_MONITORING_AND_LOGGING: "Ensure monitoring and logging in network resources."
}
POSSIBLE_STATUSES_KEY = "possible_statuses"
@ -136,7 +152,7 @@ TESTS_MAP = {
STATUS_PASSED: "Monkey didn't find open ElasticSearch instances. If you have such instances, look for alerts "
"that indicate attempts to access them. "
},
PRINCIPLE_KEY: PRINCIPLE_DATA_TRANSIT,
PRINCIPLE_KEY: PRINCIPLE_DATA_CONFIDENTIALITY,
PILLARS_KEY: [DATA],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
},
@ -147,7 +163,7 @@ TESTS_MAP = {
STATUS_PASSED: "Monkey didn't find open HTTP servers. If you have such servers, look for alerts that indicate "
"attempts to access them. "
},
PRINCIPLE_KEY: PRINCIPLE_DATA_TRANSIT,
PRINCIPLE_KEY: PRINCIPLE_DATA_CONFIDENTIALITY,
PILLARS_KEY: [DATA],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
},
@ -176,12 +192,68 @@ TESTS_MAP = {
TEST_EXPLANATION_KEY: "ScoutSuite assessed cloud firewall rules and settings.",
FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_FAILED: "ScoutSuite found overly permissive firewall rules.",
STATUS_VERIFY: "ScoutSuite found potentially dangerous firewall rules you need to verify.",
STATUS_PASSED: "ScoutSuite found no problems with cloud firewall rules."
},
PRINCIPLE_KEY: PRINCIPLE_RESTRICTIVE_NETWORK_POLICIES,
PILLARS_KEY: [NETWORKS],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY]
},
TEST_SCOUTSUITE_UNENCRYPTED_DATA: {
TEST_EXPLANATION_KEY: "ScoutSuite searched for resources containing unencrypted data.",
FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_FAILED: "ScoutSuite found resources with unencrypted data.",
STATUS_VERIFY: "ScoutSuite found resources which could have unencrypted data.",
STATUS_PASSED: "ScoutSuite found no resources with unencrypted data."
},
PRINCIPLE_KEY: PRINCIPLE_DATA_CONFIDENTIALITY,
PILLARS_KEY: [DATA],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY]
},
TEST_SCOUTSUITE_DATA_LOSS_PREVENTION: {
TEST_EXPLANATION_KEY: "ScoutSuite searched for resources which are not protected against data loss.",
FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_FAILED: "ScoutSuite found resources not protected against data loss.",
STATUS_VERIFY: "ScoutSuite found resources which might not be protected against data loss.",
STATUS_PASSED: "ScoutSuite found that all resources are secured against data loss."
},
PRINCIPLE_KEY: PRINCIPLE_DISASTER_RECOVERY,
PILLARS_KEY: [DATA],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY]
},
TEST_SCOUTSUITE_SECURE_AUTHENTICATION: {
TEST_EXPLANATION_KEY: "ScoutSuite searched for issues related to users' authentication.",
FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_FAILED: "ScoutSuite found issues related to users' authentication.",
STATUS_VERIFY: "ScoutSuite found potential issues related to users' authentication.",
STATUS_PASSED: "ScoutSuite found no issues related to users' authentication."
},
PRINCIPLE_KEY: PRINCIPLE_SECURE_AUTHENTICATION,
PILLARS_KEY: [PEOPLE, WORKLOADS],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY]
},
TEST_SCOUTSUITE_RESTRICTIVE_POLICIES: {
TEST_EXPLANATION_KEY: "ScoutSuite searched for permissive user access policies.",
FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_FAILED: "ScoutSuite found permissive user access policies.",
STATUS_VERIFY: "ScoutSuite found potential issues related to user access policies.",
STATUS_PASSED: "ScoutSuite found no issues related to user access policies."
},
PRINCIPLE_KEY: PRINCIPLE_USERS_MAC_POLICIES,
PILLARS_KEY: [PEOPLE, WORKLOADS],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY]
},
TEST_SCOUTSUITE_LOGGING: {
TEST_EXPLANATION_KEY: "ScoutSuite searched for issues, related to logging.",
FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_FAILED: "ScoutSuite found logging issues.",
STATUS_VERIFY: "ScoutSuite found potential logging issues.",
STATUS_PASSED: "ScoutSuite found no logging issues."
},
PRINCIPLE_KEY: PRINCIPLE_MONITORING_AND_LOGGING,
PILLARS_KEY: [AUTOMATION_ORCHESTRATION, VISIBILITY_ANALYTICS],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY]
}
}
EVENT_TYPE_MONKEY_NETWORK = "monkey_network"
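Review bot: `PRINCIPLE_DATA_CONFIDENTIALITY = "data_transit"` keeps the old string value under the renamed constant, so the key persisted with findings and surfaced as `principle` no longer matches its identifier; if that is deliberate so already-stored findings still resolve, say so inline, e.g. `PRINCIPLE_DATA_CONFIDENTIALITY = "data_transit"  # legacy key kept so persisted findings still map to this principle`, otherwise change it to `"data_confidentiality"`. The same name/value mismatch appears in the new `TEST_SCOUTSUITE_RESTRICTIVE_POLICIES = "scoutsuite_unrestrictive_policies"`, which has no stored data to protect, so `"scoutsuite_restrictive_policies"` would avoid confusion when the constant and its value are read side by side in logs or the report. Minor wording in user-facing text: `"Ensure secure authentication process's."` should read `"Ensure secure authentication processes."`.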


@ -1,6 +1,14 @@
from common.common_consts import zero_trust_consts
from common.common_consts.zero_trust_consts import NETWORKS
from monkey_island.cc.services.zero_trust.scoutsuite.consts.ec2_rules import EC2Rules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudtrail_rules import CloudTrailRules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudwatch_rules import CloudWatchRules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.ec2_rules import EC2Rules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.elb_rules import ELBRules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.elbv2_rules import ELBv2Rules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rds_rules import RDSRules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.redshift_rules import RedshiftRules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.s3_rules import S3Rules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.iam_rules import IAMRules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.vpc_rules import VPCRules
class PERMISSIVE_FIREWALL_RULES:
@ -14,6 +22,84 @@ class PERMISSIVE_FIREWALL_RULES:
EC2Rules.SECURITY_GROUP_OPENS_ALL_PORTS, EC2Rules.SECURITY_GROUP_OPENS_PLAINTEXT_PORT_FTP,
EC2Rules.SECURITY_GROUP_OPENS_PLAINTEXT_PORT_TELNET, EC2Rules.SECURITY_GROUP_OPENS_PORT_RANGE]
pillars = [NETWORKS]
test = zero_trust_consts.TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES
class UNENCRYPTED_DATA:
rules = [EC2Rules.EC2_EBS_SNAPSHOT_NOT_ENCRYPTED, EC2Rules.EC2_EBS_VOLUME_NOT_ENCRYPTED,
ELBv2Rules.ELBV2_LISTENER_ALLOWING_CLEARTEXT, ELBv2Rules.ELBV2_OLDER_SSL_POLICY,
RDSRules.RDS_INSTANCE_STORAGE_NOT_ENCRYPTED, RedshiftRules.REDSHIFT_CLUSTER_DATABASE_NOT_ENCRYPTED,
S3Rules.S3_BUCKET_ALLOWING_CLEARTEXT, S3Rules.S3_BUCKET_NO_DEFAULT_ENCRYPTION]
test = zero_trust_consts.TEST_SCOUTSUITE_UNENCRYPTED_DATA
class DATA_LOSS_PREVENTION:
rules = [RDSRules.RDS_INSTANCE_BACKUP_DISABLED, RDSRules.RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD,
RDSRules.RDS_INSTANCE_SINGLE_AZ, S3Rules.S3_BUCKET_NO_MFA_DELETE, S3Rules.S3_BUCKET_NO_VERSIONING]
test = zero_trust_consts.TEST_SCOUTSUITE_DATA_LOSS_PREVENTION
class SECURE_AUTHENTICATION:
rules = [
IAMRules.IAM_USER_NO_ACTIVE_KEY_ROTATION,
IAMRules.IAM_PASSWORD_POLICY_MINIMUM_LENGTH,
IAMRules.IAM_PASSWORD_POLICY_NO_EXPIRATION,
IAMRules.IAM_PASSWORD_POLICY_REUSE_ENABLED,
IAMRules.IAM_USER_WITH_PASSWORD_AND_KEY,
IAMRules.IAM_ASSUME_ROLE_LACKS_EXTERNAL_ID_AND_MFA,
IAMRules.IAM_USER_WITHOUT_MFA,
IAMRules.IAM_ROOT_ACCOUNT_NO_MFA,
IAMRules.IAM_ROOT_ACCOUNT_WITH_ACTIVE_KEYS,
IAMRules.IAM_USER_NO_INACTIVE_KEY_ROTATION,
IAMRules.IAM_USER_WITH_MULTIPLE_ACCESS_KEYS
]
test = zero_trust_consts.TEST_SCOUTSUITE_SECURE_AUTHENTICATION
class RESTRICTIVE_POLICIES:
rules = [
IAMRules.IAM_ASSUME_ROLE_POLICY_ALLOWS_ALL,
IAMRules.IAM_EC2_ROLE_WITHOUT_INSTANCES,
IAMRules.IAM_GROUP_WITH_INLINE_POLICIES,
IAMRules.IAM_GROUP_WITH_NO_USERS,
IAMRules.IAM_INLINE_GROUP_POLICY_ALLOWS_IAM_PASSROLE,
IAMRules.IAM_INLINE_GROUP_POLICY_ALLOWS_NOTACTIONS,
IAMRules.IAM_INLINE_GROUP_POLICY_ALLOWS_STS_ASSUMEROLE,
IAMRules.IAM_INLINE_ROLE_POLICY_ALLOWS_IAM_PASSROLE,
IAMRules.IAM_INLINE_ROLE_POLICY_ALLOWS_NOTACTIONS,
IAMRules.IAM_INLINE_ROLE_POLICY_ALLOWS_STS_ASSUMEROLE,
IAMRules.IAM_INLINE_USER_POLICY_ALLOWS_IAM_PASSROLE,
IAMRules.IAM_INLINE_USER_POLICY_ALLOWS_NOTACTIONS,
IAMRules.IAM_INLINE_USER_POLICY_ALLOWS_STS_ASSUMEROLE,
IAMRules.IAM_MANAGED_POLICY_ALLOWS_IAM_PASSROLE,
IAMRules.IAM_MANAGED_POLICY_ALLOWS_NOTACTIONS,
IAMRules.IAM_MANAGED_POLICY_ALLOWS_STS_ASSUMEROLE,
IAMRules.IAM_MANAGED_POLICY_NO_ATTACHMENTS,
IAMRules.IAM_ROLE_WITH_INLINE_POLICIES,
IAMRules.IAM_ROOT_ACCOUNT_USED_RECENTLY,
IAMRules.IAM_ROOT_ACCOUNT_WITH_ACTIVE_CERTS,
IAMRules.IAM_USER_WITH_INLINE_POLICIES,
]
test = zero_trust_consts.TEST_SCOUTSUITE_RESTRICTIVE_POLICIES
class LOGGING:
rules = [
CloudTrailRules.CLOUDTRAIL_DUPLICATED_GLOBAL_SERVICES_LOGGING,
CloudTrailRules.CLOUDTRAIL_NO_DATA_LOGGING,
CloudTrailRules.CLOUDTRAIL_NO_GLOBAL_SERVICES_LOGGING,
CloudTrailRules.CLOUDTRAIL_NO_LOG_FILE_VALIDATION,
CloudTrailRules.CLOUDTRAIL_NO_LOGGING,
CloudTrailRules.CLOUDTRAIL_NOT_CONFIGURED,
CloudWatchRules.CLOUDWATCH_ALARM_WITHOUT_ACTIONS,
ELBRules.ELB_NO_ACCESS_LOGS,
S3Rules.S3_BUCKET_NO_LOGGING,
ELBv2Rules.ELBV2_NO_ACCESS_LOGS,
VPCRules.VPC_SUBNET_WITHOUT_FLOW_LOG,
]
test = zero_trust_consts.TEST_SCOUTSUITE_LOGGING
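Review bot: The five new finding classes omit the `pillars` attribute that `PERMISSIVE_FIREWALL_RULES` carries (`pillars = [NETWORKS]`), so any consumer that reads `finding.pillars` will raise `AttributeError` on them; either add `pillars` to each new class mirroring the `PILLARS_KEY` entry of the matching test in `TESTS_MAP`, or drop it from `PERMISSIVE_FIREWALL_RULES` and have the consumer look pillars up via `zero_trust_consts.TESTS_MAP[cls.test][zero_trust_consts.PILLARS_KEY]` so there is a single source of truth. In `RESTRICTIVE_POLICIES`, rules such as `IAM_EC2_ROLE_WITHOUT_INSTANCES`, `IAM_GROUP_WITH_NO_USERS` and `IAM_MANAGED_POLICY_NO_ATTACHMENTS` look like unused-resource hygiene checks rather than permissive policies, and `IAM_ROOT_ACCOUNT_USED_RECENTLY` / `IAM_ROOT_ACCOUNT_WITH_ACTIVE_CERTS` sit closer to `SECURE_AUTHENTICATION`, which already holds `IAM_ROOT_ACCOUNT_WITH_ACTIVE_KEYS`; as mapped, the report would flag them as "permissive user access policies" failures, which reads wrongly, so I would confirm each rule's ScoutSuite description before settling the grouping. Also `from common.common_consts.zero_trust_consts import NETWORKS` duplicates the module import above it; `zero_trust_consts.NETWORKS` suffices.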


@ -1,3 +1,4 @@
from monkey_island.cc.services.zero_trust.scoutsuite.consts.findings import PERMISSIVE_FIREWALL_RULES
from monkey_island.cc.services.zero_trust.scoutsuite.consts.findings import *
SCOUTSUITE_FINDINGS = [PERMISSIVE_FIREWALL_RULES]
SCOUTSUITE_FINDINGS = [PERMISSIVE_FIREWALL_RULES, UNENCRYPTED_DATA, DATA_LOSS_PREVENTION, SECURE_AUTHENTICATION,
RESTRICTIVE_POLICIES, LOGGING]
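Review bot: The wildcard `from ...findings import *` pulls every public name of `findings` into this module, including `zero_trust_consts`, `NETWORKS` and all the `*Rules` classes, which hides where the members of `SCOUTSUITE_FINDINGS` come from and makes any future addition or rename in `findings` silently re-export through here. Import the six classes explicitly instead: `from monkey_island.cc.services.zero_trust.scoutsuite.consts.findings import (PERMISSIVE_FIREWALL_RULES, UNENCRYPTED_DATA, DATA_LOSS_PREVENTION, SECURE_AUTHENTICATION, RESTRICTIVE_POLICIES, LOGGING)`.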


@ -9,7 +9,7 @@ EXPECTED_DICT = {
zero_trust_consts.AUTOMATION_ORCHESTRATION: [],
zero_trust_consts.DATA: [
{
"principle": zero_trust_consts.PRINCIPLES[zero_trust_consts.PRINCIPLE_DATA_TRANSIT],
"principle": zero_trust_consts.PRINCIPLES[zero_trust_consts.PRINCIPLE_DATA_CONFIDENTIALITY],
"status": zero_trust_consts.STATUS_FAILED,
"tests": [
{