From 49e13a651e8e105d31a507b817016a6ef66258c4 Mon Sep 17 00:00:00 2001 From: VakarisZ Date: Wed, 23 Sep 2020 10:24:03 +0300 Subject: [PATCH] Created new scoutsuite findings, added relevant infrastructure to zero trust consts --- .../common/common_consts/zero_trust_consts.py | 86 +++++++++++++++-- .../zero_trust/scoutsuite/consts/findings.py | 94 ++++++++++++++++++- .../scoutsuite/consts/findings_list.py | 5 +- .../zero_trust/test_zero_trust_service.py | 2 +- 4 files changed, 173 insertions(+), 14 deletions(-) diff --git a/monkey/common/common_consts/zero_trust_consts.py b/monkey/common/common_consts/zero_trust_consts.py index edc40d0f2..814930926 100644 --- a/monkey/common/common_consts/zero_trust_consts.py +++ b/monkey/common/common_consts/zero_trust_consts.py @@ -26,7 +26,6 @@ MONKEY_FINDING = "monkey_finding" SCOUTSUITE_FINDING = "scoutsuite_finding" FINDING_TYPES = [MONKEY_FINDING, SCOUTSUITE_FINDING] - TEST_DATA_ENDPOINT_ELASTIC = "unencrypted_data_endpoint_elastic" TEST_DATA_ENDPOINT_HTTP = "unencrypted_data_endpoint_http" TEST_MACHINE_EXPLOITED = "machine_exploited" @@ -37,6 +36,12 @@ TEST_SEGMENTATION = "segmentation" TEST_TUNNELING = "tunneling" TEST_COMMUNICATE_AS_NEW_USER = "communicate_as_new_user" TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES = "scoutsuite_permissive_firewall_rules" +TEST_SCOUTSUITE_UNENCRYPTED_DATA = "scoutsuite_unencrypted_data" +TEST_SCOUTSUITE_DATA_LOSS_PREVENTION = "scoutsuite_data_loss_prevention" +TEST_SCOUTSUITE_SECURE_AUTHENTICATION = "scoutsuite_secure_authentication" +TEST_SCOUTSUITE_RESTRICTIVE_POLICIES = "scoutsuite_unrestrictive_policies" +TEST_SCOUTSUITE_LOGGING = "scoutsuite_logging" + TESTS = ( TEST_SEGMENTATION, TEST_MALICIOUS_ACTIVITY_TIMELINE, 
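Review bot: The constant added as `TEST_SCOUTSUITE_RESTRICTIVE_POLICIES` carries the value `"scoutsuite_unrestrictive_policies"`, so the identifier and the string a finding is presumably stored and displayed under contradict each other. Either rename the constant or change the value, e.g. `TEST_SCOUTSUITE_RESTRICTIVE_POLICIES = "scoutsuite_restrictive_policies"`; if the string must stay as it is because findings already persisted use it, a short comment saying so would stop the next reader from "fixing" it. The `TESTS` tuple this hunk opens continues in the next hunk.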
@@ -47,25 +52,36 @@ TESTS = ( TEST_DATA_ENDPOINT_ELASTIC, TEST_TUNNELING, TEST_COMMUNICATE_AS_NEW_USER, - TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES + TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES, + TEST_SCOUTSUITE_UNENCRYPTED_DATA, + TEST_SCOUTSUITE_DATA_LOSS_PREVENTION, + TEST_SCOUTSUITE_SECURE_AUTHENTICATION, + TEST_SCOUTSUITE_RESTRICTIVE_POLICIES, + TEST_SCOUTSUITE_LOGGING ) -PRINCIPLE_DATA_TRANSIT = "data_transit" +PRINCIPLE_DATA_CONFIDENTIALITY = "data_transit" PRINCIPLE_ENDPOINT_SECURITY = "endpoint_security" PRINCIPLE_USER_BEHAVIOUR = "user_behaviour" PRINCIPLE_ANALYZE_NETWORK_TRAFFIC = "analyze_network_traffic" PRINCIPLE_SEGMENTATION = "segmentation" PRINCIPLE_RESTRICTIVE_NETWORK_POLICIES = "network_policies" PRINCIPLE_USERS_MAC_POLICIES = "users_mac_policies" +PRINCIPLE_DISASTER_RECOVERY = "data_backup" +PRINCIPLE_SECURE_AUTHENTICATION = "secure_authentication" +PRINCIPLE_MONITORING_AND_LOGGING = "monitoring_and_logging" PRINCIPLES = { PRINCIPLE_SEGMENTATION: "Apply segmentation and micro-segmentation inside your network.", PRINCIPLE_ANALYZE_NETWORK_TRAFFIC: "Analyze network traffic for malicious activity.", PRINCIPLE_USER_BEHAVIOUR: "Adopt security user behavior analytics.", PRINCIPLE_ENDPOINT_SECURITY: "Use anti-virus and other traditional endpoint security solutions.", - PRINCIPLE_DATA_TRANSIT: "Secure data at transit by encrypting it.", + PRINCIPLE_DATA_CONFIDENTIALITY: "Ensure data's confidentiality by encrypting it.", PRINCIPLE_RESTRICTIVE_NETWORK_POLICIES: "Configure network policies to be as restrictive as possible.", PRINCIPLE_USERS_MAC_POLICIES: "Users' permissions to the network and to resources should be MAC (Mandatory " "Access Control) only.", + PRINCIPLE_DISASTER_RECOVERY: "Ensure data and infrastructure backups for disaster recovery scenarios.", + PRINCIPLE_SECURE_AUTHENTICATION: "Ensure secure authentication process's.", + PRINCIPLE_MONITORING_AND_LOGGING: "Ensure monitoring and logging in network resources." 
} POSSIBLE_STATUSES_KEY = "possible_statuses" @@ -136,7 +152,7 @@ TESTS_MAP = { STATUS_PASSED: "Monkey didn't find open ElasticSearch instances. If you have such instances, look for alerts " "that indicate attempts to access them. " }, - PRINCIPLE_KEY: PRINCIPLE_DATA_TRANSIT, + PRINCIPLE_KEY: PRINCIPLE_DATA_CONFIDENTIALITY, PILLARS_KEY: [DATA], POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED] }, @@ -147,7 +163,7 @@ TESTS_MAP = { STATUS_PASSED: "Monkey didn't find open HTTP servers. If you have such servers, look for alerts that indicate " "attempts to access them. " }, - PRINCIPLE_KEY: PRINCIPLE_DATA_TRANSIT, + PRINCIPLE_KEY: PRINCIPLE_DATA_CONFIDENTIALITY, PILLARS_KEY: [DATA], POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED] }, 
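Review bot: The new principle description `"Ensure secure authentication process's."` uses a possessive where a plural is meant, and PRINCIPLES values are the user-facing text, so change it to `PRINCIPLE_SECURE_AUTHENTICATION: "Ensure secure authentication processes.",`. The renamed `PRINCIPLE_DATA_CONFIDENTIALITY` keeps the key `"data_transit"` and `PRINCIPLE_DISASTER_RECOVERY` is keyed `"data_backup"`, so the identifiers no longer describe their string values; if the old key is kept deliberately so that already-stored findings still resolve, a one-line comment such as `# key kept as "data_transit" so previously stored findings still resolve` would make that intent explicit. The two following TESTS_MAP hunks and the test_zero_trust_service.py hunk only apply the same rename and are consistent with it.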
@@ -176,12 +192,68 @@ TESTS_MAP = { TEST_EXPLANATION_KEY: "ScoutSuite assessed cloud firewall rules and settings.", FINDING_EXPLANATION_BY_STATUS_KEY: { STATUS_FAILED: "ScoutSuite found overly permissive firewall rules.", + STATUS_VERIFY: "ScoutSuite found potentially dangerous firewall rules you need to verify.", STATUS_PASSED: "ScoutSuite found no problems with cloud firewall rules." }, PRINCIPLE_KEY: PRINCIPLE_RESTRICTIVE_NETWORK_POLICIES, PILLARS_KEY: [NETWORKS], - POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED] + POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY] }, + TEST_SCOUTSUITE_UNENCRYPTED_DATA: { + TEST_EXPLANATION_KEY: "ScoutSuite searched for resources containing unencrypted data.", + FINDING_EXPLANATION_BY_STATUS_KEY: { + STATUS_FAILED: "ScoutSuite found resources with unencrypted data.", + STATUS_VERIFY: "ScoutSuite found resources which could have unencrypted data.", + STATUS_PASSED: "ScoutSuite found no resources with unencrypted data." + }, + PRINCIPLE_KEY: PRINCIPLE_DATA_CONFIDENTIALITY, + PILLARS_KEY: [DATA], + POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY] + }, + TEST_SCOUTSUITE_DATA_LOSS_PREVENTION: { + TEST_EXPLANATION_KEY: "ScoutSuite searched for resources which are not protected against data loss.", + FINDING_EXPLANATION_BY_STATUS_KEY: { + STATUS_FAILED: "ScoutSuite found resources not protected against data loss.", + STATUS_VERIFY: "ScoutSuite found resources which might not be protected against data loss.", + STATUS_PASSED: "ScoutSuite found that all resources are secured against data loss." 
+ }, + PRINCIPLE_KEY: PRINCIPLE_DISASTER_RECOVERY, + PILLARS_KEY: [DATA], + POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY] + }, + TEST_SCOUTSUITE_SECURE_AUTHENTICATION: { + TEST_EXPLANATION_KEY: "ScoutSuite searched for issues related to users' authentication.", + FINDING_EXPLANATION_BY_STATUS_KEY: { + STATUS_FAILED: "ScoutSuite found issues related to users' authentication.", + STATUS_VERIFY: "ScoutSuite found potential issues related to users' authentication.", + STATUS_PASSED: "ScoutSuite found no issues related to users' authentication." + }, + PRINCIPLE_KEY: PRINCIPLE_SECURE_AUTHENTICATION, + PILLARS_KEY: [PEOPLE, WORKLOADS], + POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY] + }, + TEST_SCOUTSUITE_RESTRICTIVE_POLICIES: { + TEST_EXPLANATION_KEY: "ScoutSuite searched for permissive user access policies.", + FINDING_EXPLANATION_BY_STATUS_KEY: { + STATUS_FAILED: "ScoutSuite found permissive user access policies.", + STATUS_VERIFY: "ScoutSuite found potential issues related to user access policies.", + STATUS_PASSED: "ScoutSuite found no issues related to user access policies." + }, + PRINCIPLE_KEY: PRINCIPLE_USERS_MAC_POLICIES, + PILLARS_KEY: [PEOPLE, WORKLOADS], + POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY] + }, + TEST_SCOUTSUITE_LOGGING: { + TEST_EXPLANATION_KEY: "ScoutSuite searched for issues, related to logging.", + FINDING_EXPLANATION_BY_STATUS_KEY: { + STATUS_FAILED: "ScoutSuite found logging issues.", + STATUS_VERIFY: "ScoutSuite found potential logging issues.", + STATUS_PASSED: "ScoutSuite found no logging issues." + }, + PRINCIPLE_KEY: PRINCIPLE_MONITORING_AND_LOGGING, + PILLARS_KEY: [AUTOMATION_ORCHESTRATION, VISIBILITY_ANALYTICS], + POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY] + } } EVENT_TYPE_MONKEY_NETWORK = "monkey_network" 
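Review bot: The passed-state text for `TEST_SCOUTSUITE_DATA_LOSS_PREVENTION`, `"ScoutSuite found that all resources are secured against data loss."`, asserts more than a rule-based scan can establish — a clean result only means none of the mapped rules fired; the sibling entries phrase this as "found no ...", so `STATUS_PASSED: "ScoutSuite found no resources unprotected against data loss."` keeps the wording both consistent and accurate. In the `TEST_SCOUTSUITE_LOGGING` entry the explanation `"ScoutSuite searched for issues, related to logging."` has a stray comma; `"ScoutSuite searched for issues related to logging."` reads better. `STATUS_VERIFY` is now referenced by every ScoutSuite entry but is defined outside this patch, so it is worth confirming it is already part of this module's status constants. The TESTS_MAP dict is closed in this hunk but opened before it.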
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/findings.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/findings.py index 792c92e80..422469970 100644 --- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/findings.py +++ b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/findings.py @@ -1,6 +1,14 @@ from common.common_consts import zero_trust_consts -from common.common_consts.zero_trust_consts import NETWORKS -from monkey_island.cc.services.zero_trust.scoutsuite.consts.ec2_rules import EC2Rules +from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudtrail_rules import CloudTrailRules +from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudwatch_rules import CloudWatchRules +from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.ec2_rules import EC2Rules +from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.elb_rules import ELBRules +from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.elbv2_rules import ELBv2Rules +from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rds_rules import RDSRules +from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.redshift_rules import RedshiftRules +from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.s3_rules import S3Rules +from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.iam_rules import IAMRules +from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.vpc_rules import VPCRules class PERMISSIVE_FIREWALL_RULES: 
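Review bot: The new rule_names imports are alphabetical except for `iam_rules`, which is placed after `s3_rules`; moving `from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.iam_rules import IAMRules` up between the `elbv2_rules` and `rds_rules` lines keeps the block sorted so an import sorter does not reorder it in an unrelated commit. The dropped `NETWORKS` import goes together with the removal of `pillars` from `PERMISSIVE_FIREWALL_RULES` in the next hunk, which is where that change should be judged.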
@@ -14,6 +22,84 @@ class PERMISSIVE_FIREWALL_RULES: EC2Rules.SECURITY_GROUP_OPENS_ALL_PORTS, EC2Rules.SECURITY_GROUP_OPENS_PLAINTEXT_PORT_FTP, EC2Rules.SECURITY_GROUP_OPENS_PLAINTEXT_PORT_TELNET, EC2Rules.SECURITY_GROUP_OPENS_PORT_RANGE] - pillars = [NETWORKS] - test = zero_trust_consts.TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES + + +class UNENCRYPTED_DATA: + rules = [EC2Rules.EC2_EBS_SNAPSHOT_NOT_ENCRYPTED, EC2Rules.EC2_EBS_VOLUME_NOT_ENCRYPTED, + ELBv2Rules.ELBV2_LISTENER_ALLOWING_CLEARTEXT, ELBv2Rules.ELBV2_OLDER_SSL_POLICY, + RDSRules.RDS_INSTANCE_STORAGE_NOT_ENCRYPTED, RedshiftRules.REDSHIFT_CLUSTER_DATABASE_NOT_ENCRYPTED, + S3Rules.S3_BUCKET_ALLOWING_CLEARTEXT, S3Rules.S3_BUCKET_NO_DEFAULT_ENCRYPTION] + + test = zero_trust_consts.TEST_SCOUTSUITE_UNENCRYPTED_DATA + + +class DATA_LOSS_PREVENTION: + rules = [RDSRules.RDS_INSTANCE_BACKUP_DISABLED, RDSRules.RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD, + RDSRules.RDS_INSTANCE_SINGLE_AZ, S3Rules.S3_BUCKET_NO_MFA_DELETE, S3Rules.S3_BUCKET_NO_VERSIONING] + + test = zero_trust_consts.TEST_SCOUTSUITE_DATA_LOSS_PREVENTION + + +class SECURE_AUTHENTICATION: + rules = [ + IAMRules.IAM_USER_NO_ACTIVE_KEY_ROTATION, + IAMRules.IAM_PASSWORD_POLICY_MINIMUM_LENGTH, + IAMRules.IAM_PASSWORD_POLICY_NO_EXPIRATION, + IAMRules.IAM_PASSWORD_POLICY_REUSE_ENABLED, + IAMRules.IAM_USER_WITH_PASSWORD_AND_KEY, + IAMRules.IAM_ASSUME_ROLE_LACKS_EXTERNAL_ID_AND_MFA, + IAMRules.IAM_USER_WITHOUT_MFA, + IAMRules.IAM_ROOT_ACCOUNT_NO_MFA, + IAMRules.IAM_ROOT_ACCOUNT_WITH_ACTIVE_KEYS, + IAMRules.IAM_USER_NO_INACTIVE_KEY_ROTATION, + IAMRules.IAM_USER_WITH_MULTIPLE_ACCESS_KEYS + ] + + test = zero_trust_consts.TEST_SCOUTSUITE_SECURE_AUTHENTICATION + + +class RESTRICTIVE_POLICIES: + rules = [ + IAMRules.IAM_ASSUME_ROLE_POLICY_ALLOWS_ALL, + IAMRules.IAM_EC2_ROLE_WITHOUT_INSTANCES, + IAMRules.IAM_GROUP_WITH_INLINE_POLICIES, + IAMRules.IAM_GROUP_WITH_NO_USERS, + IAMRules.IAM_INLINE_GROUP_POLICY_ALLOWS_IAM_PASSROLE, + 
IAMRules.IAM_INLINE_GROUP_POLICY_ALLOWS_NOTACTIONS, + IAMRules.IAM_INLINE_GROUP_POLICY_ALLOWS_STS_ASSUMEROLE, + IAMRules.IAM_INLINE_ROLE_POLICY_ALLOWS_IAM_PASSROLE, + IAMRules.IAM_INLINE_ROLE_POLICY_ALLOWS_NOTACTIONS, + IAMRules.IAM_INLINE_ROLE_POLICY_ALLOWS_STS_ASSUMEROLE, + IAMRules.IAM_INLINE_USER_POLICY_ALLOWS_IAM_PASSROLE, + IAMRules.IAM_INLINE_USER_POLICY_ALLOWS_NOTACTIONS, + IAMRules.IAM_INLINE_USER_POLICY_ALLOWS_STS_ASSUMEROLE, + IAMRules.IAM_MANAGED_POLICY_ALLOWS_IAM_PASSROLE, + IAMRules.IAM_MANAGED_POLICY_ALLOWS_NOTACTIONS, + IAMRules.IAM_MANAGED_POLICY_ALLOWS_STS_ASSUMEROLE, + IAMRules.IAM_MANAGED_POLICY_NO_ATTACHMENTS, + IAMRules.IAM_ROLE_WITH_INLINE_POLICIES, + IAMRules.IAM_ROOT_ACCOUNT_USED_RECENTLY, + IAMRules.IAM_ROOT_ACCOUNT_WITH_ACTIVE_CERTS, + IAMRules.IAM_USER_WITH_INLINE_POLICIES, + ] + + test = zero_trust_consts.TEST_SCOUTSUITE_RESTRICTIVE_POLICIES + + +class LOGGING: + rules = [ + CloudTrailRules.CLOUDTRAIL_DUPLICATED_GLOBAL_SERVICES_LOGGING, + CloudTrailRules.CLOUDTRAIL_NO_DATA_LOGGING, + CloudTrailRules.CLOUDTRAIL_NO_GLOBAL_SERVICES_LOGGING, + CloudTrailRules.CLOUDTRAIL_NO_LOG_FILE_VALIDATION, + CloudTrailRules.CLOUDTRAIL_NO_LOGGING, + CloudTrailRules.CLOUDTRAIL_NOT_CONFIGURED, + CloudWatchRules.CLOUDWATCH_ALARM_WITHOUT_ACTIONS, + ELBRules.ELB_NO_ACCESS_LOGS, + S3Rules.S3_BUCKET_NO_LOGGING, + ELBv2Rules.ELBV2_NO_ACCESS_LOGS, + VPCRules.VPC_SUBNET_WITHOUT_FLOW_LOG, + ] + + test = zero_trust_consts.TEST_SCOUTSUITE_LOGGING diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/findings_list.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/findings_list.py index bf54ac8ce..31086f722 100644 --- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/findings_list.py +++ b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/findings_list.py 
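Review bot: This hunk removes `test = zero_trust_consts.TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES` from `PERMISSIVE_FIREWALL_RULES` together with `pillars`, yet every finding class added here defines `test` and nothing in the patch re-adds it to the firewall class; whatever iterates SCOUTSUITE_FINDINGS and reads `.test` (not visible here) would presumably fail on that entry. Unless the attribute is restored elsewhere, keep it by adding `test = zero_trust_consts.TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES` after the `rules` list, matching the layout of the new classes. Dropping `pillars` looks intended, since the pillars are presumably now taken from TESTS_MAP through the test key; a short class-level docstring on each finding stating that `rules` lists the ScoutSuite rule names that feed this finding and that `test` must be a key of TESTS_MAP would make that contract explicit for the next finding added. The `rules` list of PERMISSIVE_FIREWALL_RULES starts before this hunk.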
@@ -1,3 +1,4 @@ -from monkey_island.cc.services.zero_trust.scoutsuite.consts.findings import PERMISSIVE_FIREWALL_RULES +from monkey_island.cc.services.zero_trust.scoutsuite.consts.findings import * -SCOUTSUITE_FINDINGS = [PERMISSIVE_FIREWALL_RULES] +SCOUTSUITE_FINDINGS = [PERMISSIVE_FIREWALL_RULES, UNENCRYPTED_DATA, DATA_LOSS_PREVENTION, SECURE_AUTHENTICATION, + RESTRICTIVE_POLICIES, LOGGING] diff --git a/monkey/monkey_island/cc/services/zero_trust/test_zero_trust_service.py b/monkey/monkey_island/cc/services/zero_trust/test_zero_trust_service.py index 8b3d33ba2..c95309d1d 100644 --- a/monkey/monkey_island/cc/services/zero_trust/test_zero_trust_service.py +++ b/monkey/monkey_island/cc/services/zero_trust/test_zero_trust_service.py @@ -9,7 +9,7 @@ EXPECTED_DICT = { zero_trust_consts.AUTOMATION_ORCHESTRATION: [], zero_trust_consts.DATA: [ { - "principle": zero_trust_consts.PRINCIPLES[zero_trust_consts.PRINCIPLE_DATA_TRANSIT], + "principle": zero_trust_consts.PRINCIPLES[zero_trust_consts.PRINCIPLE_DATA_CONFIDENTIALITY], "status": zero_trust_consts.STATUS_FAILED, "tests": [ {
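Review bot: `from monkey_island.cc.services.zero_trust.scoutsuite.consts.findings import *` replaces an explicit import and, since findings.py declares no `__all__` in this patch, it also re-exports `zero_trust_consts` and every *Rules class into findings_list's namespace while hiding from linters which names are actually used. Import the six classes explicitly: `from monkey_island.cc.services.zero_trust.scoutsuite.consts.findings import (PERMISSIVE_FIREWALL_RULES, UNENCRYPTED_DATA, DATA_LOSS_PREVENTION, SECURE_AUTHENTICATION, RESTRICTIVE_POLICIES, LOGGING)`. The test_zero_trust_service.py hunk that follows only applies the principle rename.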