Add PostgreSQL to data pillar of ZT

2020-11-23 18:05:27 +05:30 · 2020-11-23 18:05:27 +05:30 · 4ffac38382
parent e8a2a37690
commit 4ffac38382
5 changed files with 48 additions and 1 deletions
--- a/monkey/common/data/zero_trust_consts.py
+++ b/monkey/common/data/zero_trust_consts.py
@ -22,6 +22,7 @@ STATUS_FAILED = "Failed"
 # Don't change order! The statuses are ordered by importance/severity.
 ORDERED_TEST_STATUSES = [STATUS_FAILED, STATUS_VERIFY, STATUS_PASSED, STATUS_UNEXECUTED]

+TEST_DATA_ENDPOINT_POSTGRESQL = "unencrypted_data_endpoint_postgresql"
 TEST_DATA_ENDPOINT_ELASTIC = "unencrypted_data_endpoint_elastic"
 TEST_DATA_ENDPOINT_HTTP = "unencrypted_data_endpoint_http"
 TEST_MACHINE_EXPLOITED = "machine_exploited"
@ -39,6 +40,7 @@ TESTS = (
    TEST_MACHINE_EXPLOITED,
    TEST_DATA_ENDPOINT_HTTP,
    TEST_DATA_ENDPOINT_ELASTIC,
+    TEST_DATA_ENDPOINT_POSTGRESQL,
    TEST_TUNNELING,
    TEST_COMMUNICATE_AS_NEW_USER
 )
@ -144,6 +146,17 @@ TESTS_MAP = {
        PILLARS_KEY: [DATA],
        POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
    },
+    TEST_DATA_ENDPOINT_POSTGRESQL: {
+        TEST_EXPLANATION_KEY: "The Monkey scanned for unencrypted access to PostgreSQL servers.",
+        FINDING_EXPLANATION_BY_STATUS_KEY: {
+            STATUS_FAILED: "Monkey accessed PostgreSQL servers. Limit access to data by encrypting it in in-transit.",
+            STATUS_PASSED: "Monkey didn't find open PostgreSQL servers. If you have such servers, look for alerts that "
+                           "indicate attempts to access them. "
+        },
+        PRINCIPLE_KEY: PRINCIPLE_DATA_TRANSIT,
+        PILLARS_KEY: [DATA],
+        POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
+    },
    TEST_TUNNELING: {
        TEST_EXPLANATION_KEY: "The Monkey tried to tunnel traffic using other monkeys.",
        FINDING_EXPLANATION_BY_STATUS_KEY: {
--- a/monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py
+++ b/monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py
@ -73,6 +73,15 @@ FINGER_CLASSES = {
            "title": "WindowsServerFinger",
            "info": "Checks if server is a Windows Server and tests if it is vulnerable to Zerologon.",
            "attack_techniques": ["T1210"]
+        },
+        {
+            "type": "string",
+            "enum": [
+                "PostgreSQLFinger"
+            ],
+            "title": "PostgreSQLFinger",
+            "info": "Checks if PostgreSQL service is running and if its communication is encrypted.",
+            "attack_techniques": ["T1210"]
        }
    ]
 }
--- a/monkey/monkey_island/cc/services/config_schema/internal.py
+++ b/monkey/monkey_island/cc/services/config_schema/internal.py
@ -223,7 +223,8 @@ INTERNAL = {
                        "MySQLFinger",
                        "MSSQLFinger",
                        "ElasticFinger",
-                        "WindowsServerFinger"
+                        "WindowsServerFinger",
+                        "PostgreSQLFinger"
                    ]
                }
            }
--- a/monkey/monkey_island/cc/services/reporting/test_zero_trust_service.py
+++ b/monkey/monkey_island/cc/services/reporting/test_zero_trust_service.py
@ -22,6 +22,11 @@ EXPECTED_DICT = {
                    "test": zero_trust_consts.TESTS_MAP
                    [zero_trust_consts.TEST_DATA_ENDPOINT_ELASTIC][zero_trust_consts.TEST_EXPLANATION_KEY]
                },
+                {
+                    "status": zero_trust_consts.STATUS_UNEXECUTED,
+                    "test": zero_trust_consts.TESTS_MAP
+                    [zero_trust_consts.TEST_DATA_ENDPOINT_POSTGRESQL][zero_trust_consts.TEST_EXPLANATION_KEY]
+                }
            ]
        }
    ],
--- a/monkey/monkey_island/cc/services/telemetry/zero_trust_tests/data_endpoints.py
+++ b/monkey/monkey_island/cc/services/telemetry/zero_trust_tests/data_endpoints.py
@ -8,6 +8,7 @@ from monkey_island.cc.models.zero_trust.aggregate_finding import (
 from monkey_island.cc.models.zero_trust.event import Event

 HTTP_SERVERS_SERVICES_NAMES = ['tcp-80']
+POSTGRESQL_SERVER_SERVICE_NAME = 'PostgreSQL'


 def test_open_data_endpoints(telemetry_json):
@ -15,6 +16,7 @@ def test_open_data_endpoints(telemetry_json):
    current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
    found_http_server_status = zero_trust_consts.STATUS_PASSED
    found_elastic_search_server = zero_trust_consts.STATUS_PASSED
+    found_postgresql_server = zero_trust_consts.STATUS_PASSED

    events = [
        Event.create_event(
@ -55,6 +57,17 @@ def test_open_data_endpoints(telemetry_json):
                ),
                event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK
            ))
+        if service_name == POSTGRESQL_SERVER_SERVICE_NAME:
+            found_postgresql_server = zero_trust_consts.STATUS_FAILED
+            events.append(Event.create_event(
+                title="Scan telemetry analysis",
+                message="Service {} on {} recognized as an open data endpoint! Service details: {}".format(
+                    service_data["display_name"],
+                    telemetry_json["data"]["machine"]["ip_addr"],
+                    json.dumps(service_data)
+                ),
+                event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK
+            ))

    AggregateFinding.create_or_add_to_existing(
        test=zero_trust_consts.TEST_DATA_ENDPOINT_HTTP,
@ -68,4 +81,10 @@ def test_open_data_endpoints(telemetry_json):
        events=events
    )

+    AggregateFinding.create_or_add_to_existing(
+        test=zero_trust_consts.TEST_DATA_ENDPOINT_POSTGRESQL,
+        status=found_postgresql_server,
+        events=events
+    )
+
    add_malicious_activity_to_timeline(events)