Add PostgreSQL to data pillar of ZT

monkey/common/data/zero_trust_consts.py

@@ -22,6 +22,7 @@ STATUS_FAILED = "Failed"
 # Don't change order! The statuses are ordered by importance/severity.
 ORDERED_TEST_STATUSES = [STATUS_FAILED, STATUS_VERIFY, STATUS_PASSED, STATUS_UNEXECUTED]
 
+TEST_DATA_ENDPOINT_POSTGRESQL = "unencrypted_data_endpoint_postgresql"
 TEST_DATA_ENDPOINT_ELASTIC = "unencrypted_data_endpoint_elastic"
 TEST_DATA_ENDPOINT_HTTP = "unencrypted_data_endpoint_http"
 TEST_MACHINE_EXPLOITED = "machine_exploited"
@@ -39,6 +40,7 @@ TESTS = (
     TEST_MACHINE_EXPLOITED,
     TEST_DATA_ENDPOINT_HTTP,
     TEST_DATA_ENDPOINT_ELASTIC,
+    TEST_DATA_ENDPOINT_POSTGRESQL,
     TEST_TUNNELING,
     TEST_COMMUNICATE_AS_NEW_USER
 )
@@ -144,6 +146,17 @@ TESTS_MAP = {
         PILLARS_KEY: [DATA],
         POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
     },
+    TEST_DATA_ENDPOINT_POSTGRESQL: {
+        TEST_EXPLANATION_KEY: "The Monkey scanned for unencrypted access to PostgreSQL servers.",
+        FINDING_EXPLANATION_BY_STATUS_KEY: {
+            STATUS_FAILED: "Monkey accessed PostgreSQL servers. Limit access to data by encrypting it in in-transit.",
+            STATUS_PASSED: "Monkey didn't find open PostgreSQL servers. If you have such servers, look for alerts that "
+                           "indicate attempts to access them. "
+        },
+        PRINCIPLE_KEY: PRINCIPLE_DATA_TRANSIT,
+        PILLARS_KEY: [DATA],
+        POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
+    },
     TEST_TUNNELING: {
         TEST_EXPLANATION_KEY: "The Monkey tried to tunnel traffic using other monkeys.",
         FINDING_EXPLANATION_BY_STATUS_KEY: {

monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py

@@ -73,6 +73,15 @@ FINGER_CLASSES = {
             "title": "WindowsServerFinger",
             "info": "Checks if server is a Windows Server and tests if it is vulnerable to Zerologon.",
             "attack_techniques": ["T1210"]
+        },
+        {
+            "type": "string",
+            "enum": [
+                "PostgreSQLFinger"
+            ],
+            "title": "PostgreSQLFinger",
+            "info": "Checks if PostgreSQL service is running and if its communication is encrypted.",
+            "attack_techniques": ["T1210"]
         }
     ]
 }

monkey/monkey_island/cc/services/config_schema/internal.py

@@ -223,7 +223,8 @@ INTERNAL = {
                         "MySQLFinger",
                         "MSSQLFinger",
                         "ElasticFinger",
-                        "WindowsServerFinger"
+                        "WindowsServerFinger",
+                        "PostgreSQLFinger"
                     ]
                 }
             }

monkey/monkey_island/cc/services/reporting/test_zero_trust_service.py

@@ -22,6 +22,11 @@ EXPECTED_DICT = {
                     "test": zero_trust_consts.TESTS_MAP
                     [zero_trust_consts.TEST_DATA_ENDPOINT_ELASTIC][zero_trust_consts.TEST_EXPLANATION_KEY]
                 },
+                {
+                    "status": zero_trust_consts.STATUS_UNEXECUTED,
+                    "test": zero_trust_consts.TESTS_MAP
+                    [zero_trust_consts.TEST_DATA_ENDPOINT_POSTGRESQL][zero_trust_consts.TEST_EXPLANATION_KEY]
+                }
             ]
         }
     ],

monkey/monkey_island/cc/services/telemetry/zero_trust_tests/data_endpoints.py

@@ -8,6 +8,7 @@ from monkey_island.cc.models.zero_trust.aggregate_finding import (
 from monkey_island.cc.models.zero_trust.event import Event
 
 HTTP_SERVERS_SERVICES_NAMES = ['tcp-80']
+POSTGRESQL_SERVER_SERVICE_NAME = 'PostgreSQL'
 
 
 def test_open_data_endpoints(telemetry_json):
@@ -15,6 +16,7 @@ def test_open_data_endpoints(telemetry_json):
     current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
     found_http_server_status = zero_trust_consts.STATUS_PASSED
     found_elastic_search_server = zero_trust_consts.STATUS_PASSED
+    found_postgresql_server = zero_trust_consts.STATUS_PASSED
 
     events = [
         Event.create_event(
@@ -55,6 +57,17 @@ def test_open_data_endpoints(telemetry_json):
                 ),
                 event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK
             ))
+        if service_name == POSTGRESQL_SERVER_SERVICE_NAME:
+            found_postgresql_server = zero_trust_consts.STATUS_FAILED
+            events.append(Event.create_event(
+                title="Scan telemetry analysis",
+                message="Service {} on {} recognized as an open data endpoint! Service details: {}".format(
+                    service_data["display_name"],
+                    telemetry_json["data"]["machine"]["ip_addr"],
+                    json.dumps(service_data)
+                ),
+                event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK
+            ))
 
     AggregateFinding.create_or_add_to_existing(
         test=zero_trust_consts.TEST_DATA_ENDPOINT_HTTP,
@@ -68,4 +81,10 @@ def test_open_data_endpoints(telemetry_json):
         events=events
     )
 
+    AggregateFinding.create_or_add_to_existing(
+        test=zero_trust_consts.TEST_DATA_ENDPOINT_POSTGRESQL,
+        status=found_postgresql_server,
+        events=events
+    )
+
     add_malicious_activity_to_timeline(events)