forked from p15670423/monkey
Add PostgreSQL to data pillar of ZT
This commit is contained in:
parent
e8a2a37690
commit
4ffac38382
|
@ -22,6 +22,7 @@ STATUS_FAILED = "Failed"
|
|||
# Don't change order! The statuses are ordered by importance/severity.
|
||||
ORDERED_TEST_STATUSES = [STATUS_FAILED, STATUS_VERIFY, STATUS_PASSED, STATUS_UNEXECUTED]
|
||||
|
||||
TEST_DATA_ENDPOINT_POSTGRESQL = "unencrypted_data_endpoint_postgresql"
|
||||
TEST_DATA_ENDPOINT_ELASTIC = "unencrypted_data_endpoint_elastic"
|
||||
TEST_DATA_ENDPOINT_HTTP = "unencrypted_data_endpoint_http"
|
||||
TEST_MACHINE_EXPLOITED = "machine_exploited"
|
||||
|
@ -39,6 +40,7 @@ TESTS = (
|
|||
TEST_MACHINE_EXPLOITED,
|
||||
TEST_DATA_ENDPOINT_HTTP,
|
||||
TEST_DATA_ENDPOINT_ELASTIC,
|
||||
TEST_DATA_ENDPOINT_POSTGRESQL,
|
||||
TEST_TUNNELING,
|
||||
TEST_COMMUNICATE_AS_NEW_USER
|
||||
)
|
||||
|
@ -144,6 +146,17 @@ TESTS_MAP = {
|
|||
PILLARS_KEY: [DATA],
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
|
||||
},
|
||||
TEST_DATA_ENDPOINT_POSTGRESQL: {
|
||||
TEST_EXPLANATION_KEY: "The Monkey scanned for unencrypted access to PostgreSQL servers.",
|
||||
FINDING_EXPLANATION_BY_STATUS_KEY: {
|
||||
STATUS_FAILED: "Monkey accessed PostgreSQL servers. Limit access to data by encrypting it in in-transit.",
|
||||
STATUS_PASSED: "Monkey didn't find open PostgreSQL servers. If you have such servers, look for alerts that "
|
||||
"indicate attempts to access them. "
|
||||
},
|
||||
PRINCIPLE_KEY: PRINCIPLE_DATA_TRANSIT,
|
||||
PILLARS_KEY: [DATA],
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
|
||||
},
|
||||
TEST_TUNNELING: {
|
||||
TEST_EXPLANATION_KEY: "The Monkey tried to tunnel traffic using other monkeys.",
|
||||
FINDING_EXPLANATION_BY_STATUS_KEY: {
|
||||
|
|
|
@ -73,6 +73,15 @@ FINGER_CLASSES = {
|
|||
"title": "WindowsServerFinger",
|
||||
"info": "Checks if server is a Windows Server and tests if it is vulnerable to Zerologon.",
|
||||
"attack_techniques": ["T1210"]
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"PostgreSQLFinger"
|
||||
],
|
||||
"title": "PostgreSQLFinger",
|
||||
"info": "Checks if PostgreSQL service is running and if its communication is encrypted.",
|
||||
"attack_techniques": ["T1210"]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -223,7 +223,8 @@ INTERNAL = {
|
|||
"MySQLFinger",
|
||||
"MSSQLFinger",
|
||||
"ElasticFinger",
|
||||
"WindowsServerFinger"
|
||||
"WindowsServerFinger",
|
||||
"PostgreSQLFinger"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
|
|
@ -22,6 +22,11 @@ EXPECTED_DICT = {
|
|||
"test": zero_trust_consts.TESTS_MAP
|
||||
[zero_trust_consts.TEST_DATA_ENDPOINT_ELASTIC][zero_trust_consts.TEST_EXPLANATION_KEY]
|
||||
},
|
||||
{
|
||||
"status": zero_trust_consts.STATUS_UNEXECUTED,
|
||||
"test": zero_trust_consts.TESTS_MAP
|
||||
[zero_trust_consts.TEST_DATA_ENDPOINT_POSTGRESQL][zero_trust_consts.TEST_EXPLANATION_KEY]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
|
|
|
@ -8,6 +8,7 @@ from monkey_island.cc.models.zero_trust.aggregate_finding import (
|
|||
from monkey_island.cc.models.zero_trust.event import Event
|
||||
|
||||
HTTP_SERVERS_SERVICES_NAMES = ['tcp-80']
|
||||
POSTGRESQL_SERVER_SERVICE_NAME = 'PostgreSQL'
|
||||
|
||||
|
||||
def test_open_data_endpoints(telemetry_json):
|
||||
|
@ -15,6 +16,7 @@ def test_open_data_endpoints(telemetry_json):
|
|||
current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
|
||||
found_http_server_status = zero_trust_consts.STATUS_PASSED
|
||||
found_elastic_search_server = zero_trust_consts.STATUS_PASSED
|
||||
found_postgresql_server = zero_trust_consts.STATUS_PASSED
|
||||
|
||||
events = [
|
||||
Event.create_event(
|
||||
|
@ -55,6 +57,17 @@ def test_open_data_endpoints(telemetry_json):
|
|||
),
|
||||
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK
|
||||
))
|
||||
if service_name == POSTGRESQL_SERVER_SERVICE_NAME:
|
||||
found_postgresql_server = zero_trust_consts.STATUS_FAILED
|
||||
events.append(Event.create_event(
|
||||
title="Scan telemetry analysis",
|
||||
message="Service {} on {} recognized as an open data endpoint! Service details: {}".format(
|
||||
service_data["display_name"],
|
||||
telemetry_json["data"]["machine"]["ip_addr"],
|
||||
json.dumps(service_data)
|
||||
),
|
||||
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK
|
||||
))
|
||||
|
||||
AggregateFinding.create_or_add_to_existing(
|
||||
test=zero_trust_consts.TEST_DATA_ENDPOINT_HTTP,
|
||||
|
@ -68,4 +81,10 @@ def test_open_data_endpoints(telemetry_json):
|
|||
events=events
|
||||
)
|
||||
|
||||
AggregateFinding.create_or_add_to_existing(
|
||||
test=zero_trust_consts.TEST_DATA_ENDPOINT_POSTGRESQL,
|
||||
status=found_postgresql_server,
|
||||
events=events
|
||||
)
|
||||
|
||||
add_malicious_activity_to_timeline(events)
|
||||
|
|
Loading…
Reference in New Issue