From 4ffac383820a57421464dfe884a220e2cdfc3a83 Mon Sep 17 00:00:00 2001
From: Shreya
Date: Mon, 23 Nov 2020 18:05:27 +0530
Subject: [PATCH] Add PostgreSQL to data pillar of ZT

---
 monkey/common/data/zero_trust_consts.py | 13 +++++++++++++
 .../definitions/finger_classes.py | 9 +++++++++
 .../cc/services/config_schema/internal.py | 3 ++-
 .../reporting/test_zero_trust_service.py | 5 +++++
 .../zero_trust_tests/data_endpoints.py | 19 +++++++++++++++++++
 5 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/monkey/common/data/zero_trust_consts.py b/monkey/common/data/zero_trust_consts.py
index 8d55bc320..90cabb898 100644
--- a/monkey/common/data/zero_trust_consts.py
+++ b/monkey/common/data/zero_trust_consts.py
@@ -22,6 +22,7 @@ STATUS_FAILED = "Failed"
 
 # Don't change order! The statuses are ordered by importance/severity.
 ORDERED_TEST_STATUSES = [STATUS_FAILED, STATUS_VERIFY, STATUS_PASSED, STATUS_UNEXECUTED]
+TEST_DATA_ENDPOINT_POSTGRESQL = "unencrypted_data_endpoint_postgresql"
 TEST_DATA_ENDPOINT_ELASTIC = "unencrypted_data_endpoint_elastic"
 TEST_DATA_ENDPOINT_HTTP = "unencrypted_data_endpoint_http"
 TEST_MACHINE_EXPLOITED = "machine_exploited"
@@ -39,6 +40,7 @@ TESTS = (
 TEST_MACHINE_EXPLOITED,
 TEST_DATA_ENDPOINT_HTTP,
 TEST_DATA_ENDPOINT_ELASTIC,
+ TEST_DATA_ENDPOINT_POSTGRESQL,
 TEST_TUNNELING,
 TEST_COMMUNICATE_AS_NEW_USER
 )
@@ -144,6 +146,17 @@ TESTS_MAP = {
 PILLARS_KEY: [DATA],
 POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
 },
+ TEST_DATA_ENDPOINT_POSTGRESQL: {
+ TEST_EXPLANATION_KEY: "The Monkey scanned for unencrypted access to PostgreSQL servers.",
+ FINDING_EXPLANATION_BY_STATUS_KEY: {
+ STATUS_FAILED: "Monkey accessed PostgreSQL servers. Limit access to data by encrypting it in in-transit.",
+ STATUS_PASSED: "Monkey didn't find open PostgreSQL servers. If you have such servers, look for alerts that "
+ "indicate attempts to access them. "
+ },
+ PRINCIPLE_KEY: PRINCIPLE_DATA_TRANSIT,
+ PILLARS_KEY: [DATA],
+ POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
+ },
 TEST_TUNNELING: {
 TEST_EXPLANATION_KEY: "The Monkey tried to tunnel traffic using other monkeys.",
 FINDING_EXPLANATION_BY_STATUS_KEY: {
diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py b/monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py
index 405983dc5..ebddbed33 100644
--- a/monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py
+++ b/monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py
@@ -73,6 +73,15 @@ FINGER_CLASSES = {
 "title": "WindowsServerFinger",
 "info": "Checks if server is a Windows Server and tests if it is vulnerable to Zerologon.",
 "attack_techniques": ["T1210"]
+ },
+ {
+ "type": "string",
+ "enum": [
+ "PostgreSQLFinger"
+ ],
+ "title": "PostgreSQLFinger",
+ "info": "Checks if PostgreSQL service is running and if its communication is encrypted.",
+ "attack_techniques": ["T1210"]
 }
 ]
 }
diff --git a/monkey/monkey_island/cc/services/config_schema/internal.py b/monkey/monkey_island/cc/services/config_schema/internal.py
index fae309ad5..6734c2d82 100644
--- a/monkey/monkey_island/cc/services/config_schema/internal.py
+++ b/monkey/monkey_island/cc/services/config_schema/internal.py
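Review bot: The STATUS_FAILED explanation added for TEST_DATA_ENDPOINT_POSTGRESQL reads "encrypting it in in-transit", a duplicated word that is shown verbatim in the zero-trust report; change the line to `STATUS_FAILED: "Monkey accessed PostgreSQL servers. Limit access to data by encrypting it in-transit.",`. The rest of the entry follows the structure of the Elastic entry above it, so nothing else needs to change here.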
@@ -223,7 +223,8 @@ INTERNAL = {
 "MySQLFinger",
 "MSSQLFinger",
 "ElasticFinger",
- "WindowsServerFinger"
+ "WindowsServerFinger",
+ "PostgreSQLFinger"
 ]
 }
 }
diff --git a/monkey/monkey_island/cc/services/reporting/test_zero_trust_service.py b/monkey/monkey_island/cc/services/reporting/test_zero_trust_service.py
index dbadffb55..c5ae626a4 100644
--- a/monkey/monkey_island/cc/services/reporting/test_zero_trust_service.py
+++ b/monkey/monkey_island/cc/services/reporting/test_zero_trust_service.py
@@ -22,6 +22,11 @@ EXPECTED_DICT = {
 "test": zero_trust_consts.TESTS_MAP
 [zero_trust_consts.TEST_DATA_ENDPOINT_ELASTIC][zero_trust_consts.TEST_EXPLANATION_KEY]
 },
+ {
+ "status": zero_trust_consts.STATUS_UNEXECUTED,
+ "test": zero_trust_consts.TESTS_MAP
+ [zero_trust_consts.TEST_DATA_ENDPOINT_POSTGRESQL][zero_trust_consts.TEST_EXPLANATION_KEY]
+ }
 ]
 }
 ],
diff --git a/monkey/monkey_island/cc/services/telemetry/zero_trust_tests/data_endpoints.py b/monkey/monkey_island/cc/services/telemetry/zero_trust_tests/data_endpoints.py
index 447b2dee8..09256d96c 100644
--- a/monkey/monkey_island/cc/services/telemetry/zero_trust_tests/data_endpoints.py
+++ b/monkey/monkey_island/cc/services/telemetry/zero_trust_tests/data_endpoints.py
@@ -8,6 +8,7 @@ from monkey_island.cc.models.zero_trust.aggregate_finding import (
 from monkey_island.cc.models.zero_trust.event import Event
 
 HTTP_SERVERS_SERVICES_NAMES = ['tcp-80']
+POSTGRESQL_SERVER_SERVICE_NAME = 'PostgreSQL'
 
 
 def test_open_data_endpoints(telemetry_json):
@@ -15,6 +16,7 @@ def test_open_data_endpoints(telemetry_json):
 current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
 found_http_server_status = zero_trust_consts.STATUS_PASSED
 found_elastic_search_server = zero_trust_consts.STATUS_PASSED
+ found_postgresql_server = zero_trust_consts.STATUS_PASSED
 events = [
 Event.create_event(
 
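Review bot: In the test_zero_trust_service.py hunk the new expected entry for TEST_DATA_ENDPOINT_POSTGRESQL closes with a bare `}` while the sibling entry just above ends with `},`; use `},` so the next addition to EXPECTED_DICT does not have to modify this line again. Its position after the Elastic entry matches the order the commit gives TESTS in zero_trust_consts.py.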
@@ -55,6 +57,17 @@ def test_open_data_endpoints(telemetry_json):
 ),
 event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK
 ))
+ if service_name == POSTGRESQL_SERVER_SERVICE_NAME:
+ found_postgresql_server = zero_trust_consts.STATUS_FAILED
+ events.append(Event.create_event(
+ title="Scan telemetry analysis",
+ message="Service {} on {} recognized as an open data endpoint! Service details: {}".format(
+ service_data["display_name"],
+ telemetry_json["data"]["machine"]["ip_addr"],
+ json.dumps(service_data)
+ ),
+ event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK
+ ))
 
 AggregateFinding.create_or_add_to_existing(
 test=zero_trust_consts.TEST_DATA_ENDPOINT_HTTP,
@@ -68,4 +81,10 @@ def test_open_data_endpoints(telemetry_json):
 events=events
 )
 
+ AggregateFinding.create_or_add_to_existing(
+ test=zero_trust_consts.TEST_DATA_ENDPOINT_POSTGRESQL,
+ status=found_postgresql_server,
+ events=events
+ )
+
 add_malicious_activity_to_timeline(events)
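Review bot: The new branch sets found_postgresql_server to STATUS_FAILED as soon as a service named 'PostgreSQL' appears in the scan telemetry, without consulting any encryption result the PostgreSQLFinger stored in `service_data`, so a server that only accepts TLS connections would still be reported under the "unencrypted_data_endpoint_postgresql" test even though the finger description added in finger_classes.py says it checks whether communication is encrypted. The finger's output format is not part of this patch; if it records that result, the condition should gate on it, roughly `if service_name == POSTGRESQL_SERVER_SERVICE_NAME and not service_data.get("<ENCRYPTION-RESULT-FIELD-FROM-FINGER>"):`, with the real field name taken from the finger. The body of the branch also repeats the Elastic branch directly above it line for line (same title, message template and event type), so a small helper that builds the event from `service_data` would remove the duplication. The enclosing test_open_data_endpoints function and the loop that binds service_name and service_data start outside the hunk.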
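Review bot: The added AggregateFinding call passes the same `events` list that the HTTP and Elastic findings receive, so the PostgreSQL finding will carry every data-endpoint event collected from this telemetry rather than only the PostgreSQL ones. That mirrors the two existing calls, so it may be intentional; if per-finding evidence is wanted, collect the PostgreSQL events in their own list in the branch above and pass that list here. The enclosing function starts outside the hunk.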