Added almost all scoutsuite rules

This commit is contained in:
VakarisZ 2020-09-24 17:05:45 +03:00
parent a7fc5d1191
commit 5bc47b91cf
21 changed files with 260 additions and 24 deletions


@ -41,6 +41,7 @@ TEST_SCOUTSUITE_DATA_LOSS_PREVENTION = "scoutsuite_data_loss_prevention"
TEST_SCOUTSUITE_SECURE_AUTHENTICATION = "scoutsuite_secure_authentication" TEST_SCOUTSUITE_SECURE_AUTHENTICATION = "scoutsuite_secure_authentication"
TEST_SCOUTSUITE_RESTRICTIVE_POLICIES = "scoutsuite_unrestrictive_policies" TEST_SCOUTSUITE_RESTRICTIVE_POLICIES = "scoutsuite_unrestrictive_policies"
TEST_SCOUTSUITE_LOGGING = "scoutsuite_logging" TEST_SCOUTSUITE_LOGGING = "scoutsuite_logging"
TEST_SCOUTSUITE_SERVICE_SECURITY = "scoutsuite_service_security"
TESTS = ( TESTS = (
TEST_SEGMENTATION, TEST_SEGMENTATION,
@ -57,7 +58,8 @@ TESTS = (
TEST_SCOUTSUITE_DATA_LOSS_PREVENTION, TEST_SCOUTSUITE_DATA_LOSS_PREVENTION,
TEST_SCOUTSUITE_SECURE_AUTHENTICATION, TEST_SCOUTSUITE_SECURE_AUTHENTICATION,
TEST_SCOUTSUITE_RESTRICTIVE_POLICIES, TEST_SCOUTSUITE_RESTRICTIVE_POLICIES,
TEST_SCOUTSUITE_LOGGING TEST_SCOUTSUITE_LOGGING,
TEST_SCOUTSUITE_SERVICE_SECURITY
) )
PRINCIPLE_DATA_CONFIDENTIALITY = "data_transit" PRINCIPLE_DATA_CONFIDENTIALITY = "data_transit"
@ -192,67 +194,71 @@ TESTS_MAP = {
TEST_EXPLANATION_KEY: "ScoutSuite assessed cloud firewall rules and settings.", TEST_EXPLANATION_KEY: "ScoutSuite assessed cloud firewall rules and settings.",
FINDING_EXPLANATION_BY_STATUS_KEY: { FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_FAILED: "ScoutSuite found overly permissive firewall rules.", STATUS_FAILED: "ScoutSuite found overly permissive firewall rules.",
STATUS_VERIFY: "ScoutSuite found potentially dangerous firewall rules you need to verify.",
STATUS_PASSED: "ScoutSuite found no problems with cloud firewall rules." STATUS_PASSED: "ScoutSuite found no problems with cloud firewall rules."
}, },
PRINCIPLE_KEY: PRINCIPLE_RESTRICTIVE_NETWORK_POLICIES, PRINCIPLE_KEY: PRINCIPLE_RESTRICTIVE_NETWORK_POLICIES,
PILLARS_KEY: [NETWORKS], PILLARS_KEY: [NETWORKS],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY] POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
}, },
TEST_SCOUTSUITE_UNENCRYPTED_DATA: { TEST_SCOUTSUITE_UNENCRYPTED_DATA: {
TEST_EXPLANATION_KEY: "ScoutSuite searched for resources containing unencrypted data.", TEST_EXPLANATION_KEY: "ScoutSuite searched for resources containing unencrypted data.",
FINDING_EXPLANATION_BY_STATUS_KEY: { FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_FAILED: "ScoutSuite found resources with unencrypted data.", STATUS_FAILED: "ScoutSuite found resources with unencrypted data.",
STATUS_VERIFY: "ScoutSuite found resources which could have unencrypted data.",
STATUS_PASSED: "ScoutSuite found no resources with unencrypted data." STATUS_PASSED: "ScoutSuite found no resources with unencrypted data."
}, },
PRINCIPLE_KEY: PRINCIPLE_DATA_CONFIDENTIALITY, PRINCIPLE_KEY: PRINCIPLE_DATA_CONFIDENTIALITY,
PILLARS_KEY: [DATA], PILLARS_KEY: [DATA],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY] POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
}, },
TEST_SCOUTSUITE_DATA_LOSS_PREVENTION: { TEST_SCOUTSUITE_DATA_LOSS_PREVENTION: {
TEST_EXPLANATION_KEY: "ScoutSuite searched for resources which are not protected against data loss.", TEST_EXPLANATION_KEY: "ScoutSuite searched for resources which are not protected against data loss.",
FINDING_EXPLANATION_BY_STATUS_KEY: { FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_FAILED: "ScoutSuite found resources not protected against data loss.", STATUS_FAILED: "ScoutSuite found resources not protected against data loss.",
STATUS_VERIFY: "ScoutSuite found resources which might not be protected against data loss.",
STATUS_PASSED: "ScoutSuite found that all resources are secured against data loss." STATUS_PASSED: "ScoutSuite found that all resources are secured against data loss."
}, },
PRINCIPLE_KEY: PRINCIPLE_DISASTER_RECOVERY, PRINCIPLE_KEY: PRINCIPLE_DISASTER_RECOVERY,
PILLARS_KEY: [DATA], PILLARS_KEY: [DATA],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY] POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
}, },
TEST_SCOUTSUITE_SECURE_AUTHENTICATION: { TEST_SCOUTSUITE_SECURE_AUTHENTICATION: {
TEST_EXPLANATION_KEY: "ScoutSuite searched for issues related to users' authentication.", TEST_EXPLANATION_KEY: "ScoutSuite searched for issues related to users' authentication.",
FINDING_EXPLANATION_BY_STATUS_KEY: { FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_FAILED: "ScoutSuite found issues related to users' authentication.", STATUS_FAILED: "ScoutSuite found issues related to users' authentication.",
STATUS_VERIFY: "ScoutSuite found potential issues related to users' authentication.",
STATUS_PASSED: "ScoutSuite found no issues related to users' authentication." STATUS_PASSED: "ScoutSuite found no issues related to users' authentication."
}, },
PRINCIPLE_KEY: PRINCIPLE_SECURE_AUTHENTICATION, PRINCIPLE_KEY: PRINCIPLE_SECURE_AUTHENTICATION,
PILLARS_KEY: [PEOPLE, WORKLOADS], PILLARS_KEY: [PEOPLE, WORKLOADS],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY] POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
}, },
TEST_SCOUTSUITE_RESTRICTIVE_POLICIES: { TEST_SCOUTSUITE_RESTRICTIVE_POLICIES: {
TEST_EXPLANATION_KEY: "ScoutSuite searched for permissive user access policies.", TEST_EXPLANATION_KEY: "ScoutSuite searched for permissive user access policies.",
FINDING_EXPLANATION_BY_STATUS_KEY: { FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_FAILED: "ScoutSuite found permissive user access policies.", STATUS_FAILED: "ScoutSuite found permissive user access policies.",
STATUS_VERIFY: "ScoutSuite found potential issues related to user access policies.",
STATUS_PASSED: "ScoutSuite found no issues related to user access policies." STATUS_PASSED: "ScoutSuite found no issues related to user access policies."
}, },
PRINCIPLE_KEY: PRINCIPLE_USERS_MAC_POLICIES, PRINCIPLE_KEY: PRINCIPLE_USERS_MAC_POLICIES,
PILLARS_KEY: [PEOPLE, WORKLOADS], PILLARS_KEY: [PEOPLE, WORKLOADS],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY] POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
}, },
TEST_SCOUTSUITE_LOGGING: { TEST_SCOUTSUITE_LOGGING: {
TEST_EXPLANATION_KEY: "ScoutSuite searched for issues, related to logging.", TEST_EXPLANATION_KEY: "ScoutSuite searched for issues, related to logging.",
FINDING_EXPLANATION_BY_STATUS_KEY: { FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_FAILED: "ScoutSuite found logging issues.", STATUS_FAILED: "ScoutSuite found logging issues.",
STATUS_VERIFY: "ScoutSuite found potential logging issues.",
STATUS_PASSED: "ScoutSuite found no logging issues." STATUS_PASSED: "ScoutSuite found no logging issues."
}, },
PRINCIPLE_KEY: PRINCIPLE_MONITORING_AND_LOGGING, PRINCIPLE_KEY: PRINCIPLE_MONITORING_AND_LOGGING,
PILLARS_KEY: [AUTOMATION_ORCHESTRATION, VISIBILITY_ANALYTICS], PILLARS_KEY: [AUTOMATION_ORCHESTRATION, VISIBILITY_ANALYTICS],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY] POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
},
TEST_SCOUTSUITE_SERVICE_SECURITY: {
TEST_EXPLANATION_KEY: "ScoutSuite searched for service security issues.",
FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_FAILED: "ScoutSuite found service security issues.",
STATUS_PASSED: "ScoutSuite found no service security issues."
},
PRINCIPLE_KEY: PRINCIPLE_MONITORING_AND_LOGGING,
PILLARS_KEY: [DEVICES, NETWORKS],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
} }
} }
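Review bot: The new TEST_SCOUTSUITE_SERVICE_SECURITY entry files its finding under PRINCIPLE_MONITORING_AND_LOGGING with pillars [DEVICES, NETWORKS], but the only rule wired to this test in the commit is cloudformation-stack-with-role, which is a privilege concern (a stack that runs under an IAM role lets anyone who can update the stack act with that role's permissions), not a logging one, so the report will file it under the wrong principle. Unless a logging-related rule is planned for this bucket, `PRINCIPLE_KEY: PRINCIPLE_USERS_MAC_POLICIES,` and `PILLARS_KEY: [PEOPLE, WORKLOADS],` match how the other permissive-policy findings in this map are classified. The explanation strings are also too generic to act on; something like `TEST_EXPLANATION_KEY: "ScoutSuite searched for AWS services configured with excessive privileges.",` tells the reader what actually failed. TESTS_MAP begins above the hunk.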


@ -1,6 +1,8 @@
from common.common_consts import zero_trust_consts from common.common_consts import zero_trust_consts
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudformation_rules import CloudformationRules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudtrail_rules import CloudTrailRules from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudtrail_rules import CloudTrailRules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudwatch_rules import CloudWatchRules from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudwatch_rules import CloudWatchRules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.config_rules import ConfigRules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.ec2_rules import EC2Rules from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.ec2_rules import EC2Rules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.elb_rules import ELBRules from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.elb_rules import ELBRules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.elbv2_rules import ELBv2Rules from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.elbv2_rules import ELBv2Rules
@ -8,6 +10,9 @@ from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rds_rules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.redshift_rules import RedshiftRules from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.redshift_rules import RedshiftRules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.s3_rules import S3Rules from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.s3_rules import S3Rules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.iam_rules import IAMRules from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.iam_rules import IAMRules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.ses_rules import SESRules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.sns_rules import SNSRules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.sqs_rules import SQSRules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.vpc_rules import VPCRules from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.vpc_rules import VPCRules
@ -20,23 +25,39 @@ class PERMISSIVE_FIREWALL_RULES:
EC2Rules.SECURITY_GROUP_OPENS_NFS_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_SMTP_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_NFS_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_SMTP_PORT_TO_ALL,
EC2Rules.SECURITY_GROUP_OPENS_DNS_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_ALL_PORTS_TO_SELF, EC2Rules.SECURITY_GROUP_OPENS_DNS_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_ALL_PORTS_TO_SELF,
EC2Rules.SECURITY_GROUP_OPENS_ALL_PORTS, EC2Rules.SECURITY_GROUP_OPENS_PLAINTEXT_PORT_FTP, EC2Rules.SECURITY_GROUP_OPENS_ALL_PORTS, EC2Rules.SECURITY_GROUP_OPENS_PLAINTEXT_PORT_FTP,
EC2Rules.SECURITY_GROUP_OPENS_PLAINTEXT_PORT_TELNET, EC2Rules.SECURITY_GROUP_OPENS_PORT_RANGE] EC2Rules.SECURITY_GROUP_OPENS_PLAINTEXT_PORT_TELNET, EC2Rules.SECURITY_GROUP_OPENS_PORT_RANGE,
EC2Rules.EC2_SECURITY_GROUP_WHITELISTS_AWS,
VPCRules.SUBNET_WITH_ALLOW_ALL_INGRESS_ACLS,
VPCRules.SUBNET_WITH_ALLOW_ALL_EGRESS_ACLS,
VPCRules.NETWORK_ACL_NOT_USED,
VPCRules.DEFAULT_NETWORK_ACLS_ALLOW_ALL_INGRESS,
VPCRules.DEFAULT_NETWORK_ACLS_ALLOW_ALL_EGRESS,
VPCRules.CUSTOM_NETWORK_ACLS_ALLOW_ALL_INGRESS,
VPCRules.CUSTOM_NETWORK_ACLS_ALLOW_ALL_EGRESS,
RDSRules.RDS_SECURITY_GROUP_ALLOWS_ALL,
RedshiftRules.REDSHIFT_SECURITY_GROUP_WHITELISTS_ALL
]
test = zero_trust_consts.TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES test = zero_trust_consts.TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES
class UNENCRYPTED_DATA: class UNENCRYPTED_DATA:
rules = [EC2Rules.EC2_EBS_SNAPSHOT_NOT_ENCRYPTED, EC2Rules.EC2_EBS_VOLUME_NOT_ENCRYPTED, rules = [EC2Rules.EBS_SNAPSHOT_NOT_ENCRYPTED, EC2Rules.EBS_VOLUME_NOT_ENCRYPTED,
EC2Rules.EC2_INSTANCE_WITH_USER_DATA_SECRETS,
ELBv2Rules.ELBV2_LISTENER_ALLOWING_CLEARTEXT, ELBv2Rules.ELBV2_OLDER_SSL_POLICY, ELBv2Rules.ELBV2_LISTENER_ALLOWING_CLEARTEXT, ELBv2Rules.ELBV2_OLDER_SSL_POLICY,
RDSRules.RDS_INSTANCE_STORAGE_NOT_ENCRYPTED, RedshiftRules.REDSHIFT_CLUSTER_DATABASE_NOT_ENCRYPTED, RDSRules.RDS_INSTANCE_STORAGE_NOT_ENCRYPTED, RedshiftRules.REDSHIFT_CLUSTER_DATABASE_NOT_ENCRYPTED,
S3Rules.S3_BUCKET_ALLOWING_CLEARTEXT, S3Rules.S3_BUCKET_NO_DEFAULT_ENCRYPTION] RedshiftRules.REDSHIFT_PARAMETER_GROUP_SSL_NOT_REQUIRED,
S3Rules.S3_BUCKET_ALLOWING_CLEARTEXT, S3Rules.S3_BUCKET_NO_DEFAULT_ENCRYPTION,
ELBRules.ELB_LISTENER_ALLOWING_CLEARTEXT,
ELBRules.ELB_OLDER_SSL_POLICY]
test = zero_trust_consts.TEST_SCOUTSUITE_UNENCRYPTED_DATA test = zero_trust_consts.TEST_SCOUTSUITE_UNENCRYPTED_DATA
class DATA_LOSS_PREVENTION: class DATA_LOSS_PREVENTION:
rules = [RDSRules.RDS_INSTANCE_BACKUP_DISABLED, RDSRules.RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD, rules = [RDSRules.RDS_INSTANCE_BACKUP_DISABLED, RDSRules.RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD,
RDSRules.RDS_INSTANCE_SINGLE_AZ, S3Rules.S3_BUCKET_NO_MFA_DELETE, S3Rules.S3_BUCKET_NO_VERSIONING] RDSRules.RDS_INSTANCE_SINGLE_AZ, S3Rules.S3_BUCKET_NO_MFA_DELETE, S3Rules.S3_BUCKET_NO_VERSIONING,
ELBv2Rules.ELBV2_NO_DELETION_PROTECTION]
test = zero_trust_consts.TEST_SCOUTSUITE_DATA_LOSS_PREVENTION test = zero_trust_consts.TEST_SCOUTSUITE_DATA_LOSS_PREVENTION
@ -82,6 +103,40 @@ class RESTRICTIVE_POLICIES:
IAMRules.IAM_ROOT_ACCOUNT_USED_RECENTLY, IAMRules.IAM_ROOT_ACCOUNT_USED_RECENTLY,
IAMRules.IAM_ROOT_ACCOUNT_WITH_ACTIVE_CERTS, IAMRules.IAM_ROOT_ACCOUNT_WITH_ACTIVE_CERTS,
IAMRules.IAM_USER_WITH_INLINE_POLICIES, IAMRules.IAM_USER_WITH_INLINE_POLICIES,
EC2Rules.AMI_PUBLIC,
S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_WRITE_ACP,
S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_WRITE,
S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_READ_ACP,
S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_READ,
S3Rules.S3_BUCKET_ALLUSERS_WRITE_ACP,
S3Rules.S3_BUCKET_ALLUSERS_WRITE,
S3Rules.S3_BUCKET_ALLUSERS_READ_ACP,
S3Rules.S3_BUCKET_ALLUSERS_READ,
S3Rules.S3_BUCKET_WORLD_PUT_POLICY,
S3Rules.S3_BUCKET_WORLD_POLICY_STAR,
S3Rules.S3_BUCKET_WORLD_LIST_POLICY,
S3Rules.S3_BUCKET_WORLD_GET_POLICY,
S3Rules.S3_BUCKET_WORLD_DELETE_POLICY,
EC2Rules.EC2_DEFAULT_SECURITY_GROUP_IN_USE,
EC2Rules.EC2_DEFAULT_SECURITY_GROUP_WITH_RULES,
EC2Rules.EC2_EBS_SNAPSHOT_PUBLIC,
SQSRules.SQS_QUEUE_WORLD_SENDMESSAGE_POLICY,
SQSRules.SQS_QUEUE_WORLD_RECEIVEMESSAGE_POLICY,
SQSRules.SQS_QUEUE_WORLD_PURGEQUEUE_POLICY,
SQSRules.SQS_QUEUE_WORLD_GETQUEUEURL_POLICY,
SQSRules.SQS_QUEUE_WORLD_GETQUEUEATTRIBUTES_POLICY,
SQSRules.SQS_QUEUE_WORLD_DELETEMESSAGE_POLICY,
SQSRules.SQS_QUEUE_WORLD_CHANGEMESSAGEVISIBILITY_POLICY,
SNSRules.SNS_TOPIC_WORLD_SUBSCRIBE_POLICY,
SNSRules.SNS_TOPIC_WORLD_SETTOPICATTRIBUTES_POLICY,
SNSRules.SNS_TOPIC_WORLD_REMOVEPERMISSION_POLICY,
SNSRules.SNS_TOPIC_WORLD_RECEIVE_POLICY,
SNSRules.SNS_TOPIC_WORLD_PUBLISH_POLICY,
SNSRules.SNS_TOPIC_WORLD_DELETETOPIC_POLICY,
SNSRules.SNS_TOPIC_WORLD_ADDPERMISSION_POLICY,
SESRules.SES_IDENTITY_WORLD_SENDRAWEMAIL_POLICY,
SESRules.SES_IDENTITY_WORLD_SENDEMAIL_POLICY,
RedshiftRules.REDSHIFT_CLUSTER_PUBLICLY_ACCESSIBLE
] ]
test = zero_trust_consts.TEST_SCOUTSUITE_RESTRICTIVE_POLICIES test = zero_trust_consts.TEST_SCOUTSUITE_RESTRICTIVE_POLICIES
@ -99,7 +154,16 @@ class LOGGING:
ELBRules.ELB_NO_ACCESS_LOGS, ELBRules.ELB_NO_ACCESS_LOGS,
S3Rules.S3_BUCKET_NO_LOGGING, S3Rules.S3_BUCKET_NO_LOGGING,
ELBv2Rules.ELBV2_NO_ACCESS_LOGS, ELBv2Rules.ELBV2_NO_ACCESS_LOGS,
VPCRules.VPC_SUBNET_WITHOUT_FLOW_LOG, VPCRules.SUBNET_WITHOUT_FLOW_LOG,
ConfigRules.CONFIG_RECORDER_NOT_CONFIGURED,
RedshiftRules.REDSHIFT_PARAMETER_GROUP_LOGGING_DISABLED
] ]
test = zero_trust_consts.TEST_SCOUTSUITE_LOGGING test = zero_trust_consts.TEST_SCOUTSUITE_LOGGING
class SERVICE_SECURITY:
rules = [
CloudformationRules.CLOUDFORMATION_STACK_WITH_ROLE
]
test = zero_trust_consts.TEST_SCOUTSUITE_SERVICE_SECURITY
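Review bot: RDSRules.RDS_SNAPSHOT_PUBLIC is introduced by this commit but none of the findings classes here references it, so a publicly shared RDS snapshot (the same class of exposure as the public EBS snapshot that is covered) will never be reported. Add `RDSRules.RDS_SNAPSHOT_PUBLIC,` next to `EC2Rules.EC2_EBS_SNAPSHOT_PUBLIC,` in RESTRICTIVE_POLICIES. Separately, EC2_DEFAULT_SECURITY_GROUP_IN_USE and EC2_DEFAULT_SECURITY_GROUP_WITH_RULES are security-group rules, yet they sit in RESTRICTIVE_POLICIES whose report text speaks of "permissive user access policies"; PERMISSIVE_FIREWALL_RULES is the bucket a reader will look in for them. The RESTRICTIVE_POLICIES and LOGGING classes begin above their hunks.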


@ -1,4 +1,4 @@
from monkey_island.cc.services.zero_trust.scoutsuite.consts.findings import * from monkey_island.cc.services.zero_trust.scoutsuite.consts.findings import *
SCOUTSUITE_FINDINGS = [PERMISSIVE_FIREWALL_RULES, UNENCRYPTED_DATA, DATA_LOSS_PREVENTION, SECURE_AUTHENTICATION, SCOUTSUITE_FINDINGS = [PERMISSIVE_FIREWALL_RULES, UNENCRYPTED_DATA, DATA_LOSS_PREVENTION, SECURE_AUTHENTICATION,
RESTRICTIVE_POLICIES, LOGGING] RESTRICTIVE_POLICIES, LOGGING, SERVICE_SECURITY]


@ -0,0 +1,7 @@
from enum import Enum
class CloudformationRules(Enum):
# Service Security
CLOUDFORMATION_STACK_WITH_ROLE = 'cloudformation-stack-with-role'
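Review bot: The `# Service Security` comment names the bucket but not the risk, and as the sole member of a new category it gives a maintainer nothing to calibrate the next addition against. A why-comment above the member, e.g. `# A stack that runs under an IAM role lets anyone able to update the stack act with that role's permissions`, records why ScoutSuite flags it and why it is a privilege issue rather than a hygiene one.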


@ -0,0 +1,6 @@
from enum import Enum
class ConfigRules(Enum):
# Logging
CONFIG_RECORDER_NOT_CONFIGURED = 'config-recorder-not-configured'


@ -2,7 +2,7 @@ from enum import Enum
class EC2Rules(Enum): class EC2Rules(Enum):
# Ports # Permissive firewall rules
SECURITY_GROUP_ALL_PORTS_TO_ALL = 'ec2-security-group-opens-all-ports-to-all' SECURITY_GROUP_ALL_PORTS_TO_ALL = 'ec2-security-group-opens-all-ports-to-all'
SECURITY_GROUP_OPENS_TCP_PORT_TO_ALL = 'ec2-security-group-opens-TCP-port-to-all' SECURITY_GROUP_OPENS_TCP_PORT_TO_ALL = 'ec2-security-group-opens-TCP-port-to-all'
SECURITY_GROUP_OPENS_UDP_PORT_TO_ALL = 'ec2-security-group-opens-UDP-port-to-all' SECURITY_GROUP_OPENS_UDP_PORT_TO_ALL = 'ec2-security-group-opens-UDP-port-to-all'
@ -21,7 +21,15 @@ class EC2Rules(Enum):
SECURITY_GROUP_OPENS_PLAINTEXT_PORT_FTP = 'ec2-security-group-opens-plaintext-port-FTP' SECURITY_GROUP_OPENS_PLAINTEXT_PORT_FTP = 'ec2-security-group-opens-plaintext-port-FTP'
SECURITY_GROUP_OPENS_PLAINTEXT_PORT_TELNET = 'ec2-security-group-opens-plaintext-port-Telnet' SECURITY_GROUP_OPENS_PLAINTEXT_PORT_TELNET = 'ec2-security-group-opens-plaintext-port-Telnet'
SECURITY_GROUP_OPENS_PORT_RANGE = 'ec2-security-group-opens-port-range' SECURITY_GROUP_OPENS_PORT_RANGE = 'ec2-security-group-opens-port-range'
EC2_SECURITY_GROUP_WHITELISTS_AWS = 'ec2-security-group-whitelists-aws'
# Encryption # Encryption
EC2_EBS_SNAPSHOT_NOT_ENCRYPTED = 'ec2-ebs-snapshot-not-encrypted' EBS_SNAPSHOT_NOT_ENCRYPTED = 'ec2-ebs-snapshot-not-encrypted'
EC2_EBS_VOLUME_NOT_ENCRYPTED = 'ec2-ebs-volume-not-encrypted' EBS_VOLUME_NOT_ENCRYPTED = 'ec2-ebs-volume-not-encrypted'
EC2_INSTANCE_WITH_USER_DATA_SECRETS = 'ec2-instance-with-user-data-secrets'
# Permissive policies
AMI_PUBLIC = 'ec2-ami-public'
EC2_DEFAULT_SECURITY_GROUP_IN_USE = 'ec2-default-security-group-in-use'
EC2_DEFAULT_SECURITY_GROUP_WITH_RULES = 'ec2-default-security-group-with-rules'
EC2_EBS_SNAPSHOT_PUBLIC = 'ec2-ebs-snapshot-public'
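Review bot: The naming in this enum now goes two ways: the commit drops the redundant `EC2_` prefix from the EBS encryption members (`EBS_SNAPSHOT_NOT_ENCRYPTED`, `EBS_VOLUME_NOT_ENCRYPTED`) yet adds `EC2_SECURITY_GROUP_WHITELISTS_AWS`, `EC2_INSTANCE_WITH_USER_DATA_SECRETS`, `EC2_DEFAULT_SECURITY_GROUP_*` and `EC2_EBS_SNAPSHOT_PUBLIC` next to the unprefixed `AMI_PUBLIC` and `SECURITY_GROUP_*` members. Every value already starts with `ec2-` and the class is `EC2Rules`, so the prefix carries no information; dropping it on the new members (`SECURITY_GROUP_WHITELISTS_AWS`, `INSTANCE_WITH_USER_DATA_SECRETS`, `DEFAULT_SECURITY_GROUP_IN_USE`, `DEFAULT_SECURITY_GROUP_WITH_RULES`, `EBS_SNAPSHOT_PUBLIC`) keeps one convention, with the references in findings.py updated to match. The enum begins above the hunk.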


@ -4,3 +4,7 @@ from enum import Enum
class ELBRules(Enum): class ELBRules(Enum):
# Logging # Logging
ELB_NO_ACCESS_LOGS = 'elb-no-access-logs' ELB_NO_ACCESS_LOGS = 'elb-no-access-logs'
# Encryption
ELB_LISTENER_ALLOWING_CLEARTEXT = 'elb-listener-allowing-cleartext'
ELB_OLDER_SSL_POLICY = 'elb-older-ssl-policy'


@ -8,3 +8,6 @@ class ELBv2Rules(Enum):
# Logging # Logging
ELBV2_NO_ACCESS_LOGS = 'elbv2-no-access-logs' ELBV2_NO_ACCESS_LOGS = 'elbv2-no-access-logs'
# Data loss prevention
ELBV2_NO_DELETION_PROTECTION = 'elbv2-no-deletion-protection'


@ -9,3 +9,7 @@ class RDSRules(Enum):
RDS_INSTANCE_BACKUP_DISABLED = 'rds-instance-backup-disabled' RDS_INSTANCE_BACKUP_DISABLED = 'rds-instance-backup-disabled'
RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD = 'rds-instance-short-backup-retention-period' RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD = 'rds-instance-short-backup-retention-period'
RDS_INSTANCE_SINGLE_AZ = 'rds-instance-single-az' RDS_INSTANCE_SINGLE_AZ = 'rds-instance-single-az'
# Firewalls
RDS_SECURITY_GROUP_ALLOWS_ALL = 'rds-security-group-allows-all'
RDS_SNAPSHOT_PUBLIC = 'rds-snapshot-public'
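Review bot: `RDS_SNAPSHOT_PUBLIC` is filed under `# Firewalls`, but a public snapshot is a sharing attribute on the snapshot itself, not a security-group rule, and no findings class in this commit picks it up, so the member is currently dead. Give it its own `# Permissive policies` heading, mirroring `EC2_EBS_SNAPSHOT_PUBLIC` in ec2_rules.py, and reference it from the RESTRICTIVE_POLICIES finding so the exposure is actually reported. The enum begins above the hunk.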


@ -4,3 +4,13 @@ from enum import Enum
class RedshiftRules(Enum): class RedshiftRules(Enum):
# Encryption # Encryption
REDSHIFT_CLUSTER_DATABASE_NOT_ENCRYPTED = 'redshift-cluster-database-not-encrypted' REDSHIFT_CLUSTER_DATABASE_NOT_ENCRYPTED = 'redshift-cluster-database-not-encrypted'
REDSHIFT_PARAMETER_GROUP_SSL_NOT_REQUIRED = 'redshift-parameter-group-ssl-not-required'
# Firewalls
REDSHIFT_SECURITY_GROUP_WHITELISTS_ALL = 'redshift-security-group-whitelists-all'
# Restrictive Policies
REDSHIFT_CLUSTER_PUBLICLY_ACCESSIBLE = 'redshift-cluster-publicly-accessible'
# Logging
REDSHIFT_PARAMETER_GROUP_LOGGING_DISABLED = 'redshift-parameter-group-logging-disabled'


@ -12,3 +12,18 @@ class S3Rules(Enum):
# Logging # Logging
S3_BUCKET_NO_LOGGING = 's3-bucket-no-logging' S3_BUCKET_NO_LOGGING = 's3-bucket-no-logging'
# Permissive access rules
S3_BUCKET_AUTHENTICATEDUSERS_WRITE_ACP = 's3-bucket-AuthenticatedUsers-write_acp'
S3_BUCKET_AUTHENTICATEDUSERS_WRITE = 's3-bucket-AuthenticatedUsers-write'
S3_BUCKET_AUTHENTICATEDUSERS_READ_ACP = 's3-bucket-AuthenticatedUsers-read_acp'
S3_BUCKET_AUTHENTICATEDUSERS_READ = 's3-bucket-AuthenticatedUsers-read'
S3_BUCKET_ALLUSERS_WRITE_ACP = 's3-bucket-AllUsers-write_acp'
S3_BUCKET_ALLUSERS_WRITE = 's3-bucket-AllUsers-write'
S3_BUCKET_ALLUSERS_READ_ACP = 's3-bucket-AllUsers-read_acp'
S3_BUCKET_ALLUSERS_READ = 's3-bucket-AllUsers-read'
S3_BUCKET_WORLD_PUT_POLICY = 's3-bucket-world-Put-policy'
S3_BUCKET_WORLD_POLICY_STAR = 's3-bucket-world-policy-star'
S3_BUCKET_WORLD_LIST_POLICY = 's3-bucket-world-List-policy'
S3_BUCKET_WORLD_GET_POLICY = 's3-bucket-world-Get-policy'
S3_BUCKET_WORLD_DELETE_POLICY = 's3-bucket-world-Delete-policy'


@ -0,0 +1,8 @@
from enum import Enum
class SESRules(Enum):
# Permissive policies
SES_IDENTITY_WORLD_SENDRAWEMAIL_POLICY = 'ses-identity-world-SendRawEmail-policy'
SES_IDENTITY_WORLD_SENDEMAIL_POLICY = 'ses-identity-world-SendEmail-policy'


@ -0,0 +1,13 @@
from enum import Enum
class SNSRules(Enum):
# Permissive policies
SNS_TOPIC_WORLD_SUBSCRIBE_POLICY = 'sns-topic-world-Subscribe-policy'
SNS_TOPIC_WORLD_SETTOPICATTRIBUTES_POLICY = 'sns-topic-world-SetTopicAttributes-policy'
SNS_TOPIC_WORLD_REMOVEPERMISSION_POLICY = 'sns-topic-world-RemovePermission-policy'
SNS_TOPIC_WORLD_RECEIVE_POLICY = 'sns-topic-world-Receive-policy'
SNS_TOPIC_WORLD_PUBLISH_POLICY = 'sns-topic-world-Publish-policy'
SNS_TOPIC_WORLD_DELETETOPIC_POLICY = 'sns-topic-world-DeleteTopic-policy'
SNS_TOPIC_WORLD_ADDPERMISSION_POLICY = 'sns-topic-world-AddPermission-policy'


@ -0,0 +1,13 @@
from enum import Enum
class SQSRules(Enum):
# Permissive policies
SQS_QUEUE_WORLD_SENDMESSAGE_POLICY = 'sqs-queue-world-SendMessage-policy'
SQS_QUEUE_WORLD_RECEIVEMESSAGE_POLICY = 'sqs-queue-world-ReceiveMessage-policy'
SQS_QUEUE_WORLD_PURGEQUEUE_POLICY = 'sqs-queue-world-PurgeQueue-policy'
SQS_QUEUE_WORLD_GETQUEUEURL_POLICY = 'sqs-queue-world-GetQueueUrl-policy'
SQS_QUEUE_WORLD_GETQUEUEATTRIBUTES_POLICY = 'sqs-queue-world-GetQueueAttributes-policy'
SQS_QUEUE_WORLD_DELETEMESSAGE_POLICY = 'sqs-queue-world-DeleteMessage-policy'
SQS_QUEUE_WORLD_CHANGEMESSAGEVISIBILITY_POLICY = 'sqs-queue-world-ChangeMessageVisibility-policy'


@ -3,4 +3,13 @@ from enum import Enum
class VPCRules(Enum): class VPCRules(Enum):
# Logging # Logging
VPC_SUBNET_WITHOUT_FLOW_LOG = 'vpc-subnet-without-flow-log' SUBNET_WITHOUT_FLOW_LOG = 'vpc-subnet-without-flow-log'
# Firewalls
SUBNET_WITH_ALLOW_ALL_INGRESS_ACLS = 'vpc-subnet-with-allow-all-ingress-acls'
SUBNET_WITH_ALLOW_ALL_EGRESS_ACLS = 'vpc-subnet-with-allow-all-egress-acls'
NETWORK_ACL_NOT_USED = 'vpc-network-acl-not-used'
DEFAULT_NETWORK_ACLS_ALLOW_ALL_INGRESS = 'vpc-default-network-acls-allow-all-ingress'
DEFAULT_NETWORK_ACLS_ALLOW_ALL_EGRESS = 'vpc-default-network-acls-allow-all-egress'
CUSTOM_NETWORK_ACLS_ALLOW_ALL_INGRESS = 'vpc-custom-network-acls-allow-all-ingress'
CUSTOM_NETWORK_ACLS_ALLOW_ALL_EGRESS = 'vpc-custom-network-acls-allow-all-egress'


@ -0,0 +1,11 @@
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudformation_rules import CloudformationRules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
SERVICE_TYPES
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
AbstractRulePathCreator
class CloudformationRulePathCreator(AbstractRulePathCreator):
service_type = SERVICE_TYPES.CLOUDFORMATION
supported_rules = CloudformationRules


@ -0,0 +1,11 @@
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.config_rules import ConfigRules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
SERVICE_TYPES
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
AbstractRulePathCreator
class ConfigRulePathCreator(AbstractRulePathCreator):
service_type = SERVICE_TYPES.CONFIG
supported_rules = ConfigRules


@ -0,0 +1,11 @@
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.ses_rules import SESRules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
SERVICE_TYPES
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
AbstractRulePathCreator
class SESRulePathCreator(AbstractRulePathCreator):
service_type = SERVICE_TYPES.SES
supported_rules = SESRules


@ -0,0 +1,11 @@
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.sns_rules import SNSRules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
SERVICE_TYPES
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
AbstractRulePathCreator
class SNSRulePathCreator(AbstractRulePathCreator):
service_type = SERVICE_TYPES.SNS
supported_rules = SNSRules


@ -0,0 +1,11 @@
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.sqs_rules import SQSRules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
SERVICE_TYPES
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
AbstractRulePathCreator
class SQSRulePathCreator(AbstractRulePathCreator):
service_type = SERVICE_TYPES.SQS
supported_rules = SQSRules


@ -1,7 +1,11 @@
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.cloudformation_rule_path_creator import \
CloudformationRulePathCreator
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.cloudtrail_rule_path_creator import \ from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.cloudtrail_rule_path_creator import \
CloudTrailRulePathCreator CloudTrailRulePathCreator
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.cloudwatch_rule_path_creator import \ from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.cloudwatch_rule_path_creator import \
CloudWatchRulePathCreator CloudWatchRulePathCreator
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.config_rule_path_creator import \
ConfigRulePathCreator
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.ec2_rule_path_creator import \ from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.ec2_rule_path_creator import \
EC2RulePathCreator EC2RulePathCreator
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.elb_rule_path_creator import \ from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.elb_rule_path_creator import \
@ -16,9 +20,16 @@ from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_buil
RedshiftRulePathCreator RedshiftRulePathCreator
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.s3_rule_path_creator import \ from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.s3_rule_path_creator import \
S3RulePathCreator S3RulePathCreator
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.ses_rule_path_creator import \
SESRulePathCreator
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.sns_rule_path_creator import \
SNSRulePathCreator
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.sqs_rule_path_creator import \
SQSRulePathCreator
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.vpc_rule_path_creator import \ from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.vpc_rule_path_creator import \
VPCRulePathCreator VPCRulePathCreator
RULE_PATH_CREATORS_LIST = [EC2RulePathCreator, ELBv2RulePathCreator, RDSRulePathCreator, RedshiftRulePathCreator, RULE_PATH_CREATORS_LIST = [EC2RulePathCreator, ELBv2RulePathCreator, RDSRulePathCreator, RedshiftRulePathCreator,
S3RulePathCreator, IAMRulePathCreator, CloudTrailRulePathCreator, ELBRulePathCreator, S3RulePathCreator, IAMRulePathCreator, CloudTrailRulePathCreator, ELBRulePathCreator,
VPCRulePathCreator, CloudWatchRulePathCreator] VPCRulePathCreator, CloudWatchRulePathCreator, SQSRulePathCreator, SNSRulePathCreator,
SESRulePathCreator, ConfigRulePathCreator, CloudformationRulePathCreator]
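Review bot: The five new creators imported here read `SERVICE_TYPES.CLOUDFORMATION`, `SERVICE_TYPES.CONFIG`, `SERVICE_TYPES.SES`, `SERVICE_TYPES.SNS` and `SERVICE_TYPES.SQS` as class attributes at import time, and service_consts.py is not among the 21 files this commit touches; unless those members already exist there, importing this module raises AttributeError before any ScoutSuite output is parsed. Worth confirming they are present, and a test that instantiates every entry of RULE_PATH_CREATORS_LIST would catch this class of mismatch for future additions too. The list literal is fully inside the hunk.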