Add PostgreSQL to data pillar of ZT
This commit is contained in:
parent
e8a2a37690
commit
4ffac38382
@ -22,6 +22,7 @@ STATUS_FAILED = "Failed"
|
||||||
# Don't change order! The statuses are ordered by importance/severity.
|
# Don't change order! The statuses are ordered by importance/severity.
|
||||||
ORDERED_TEST_STATUSES = [STATUS_FAILED, STATUS_VERIFY, STATUS_PASSED, STATUS_UNEXECUTED]
|
ORDERED_TEST_STATUSES = [STATUS_FAILED, STATUS_VERIFY, STATUS_PASSED, STATUS_UNEXECUTED]
|
||||||
|
|
||||||
|
TEST_DATA_ENDPOINT_POSTGRESQL = "unencrypted_data_endpoint_postgresql"
|
||||||
TEST_DATA_ENDPOINT_ELASTIC = "unencrypted_data_endpoint_elastic"
|
TEST_DATA_ENDPOINT_ELASTIC = "unencrypted_data_endpoint_elastic"
|
||||||
TEST_DATA_ENDPOINT_HTTP = "unencrypted_data_endpoint_http"
|
TEST_DATA_ENDPOINT_HTTP = "unencrypted_data_endpoint_http"
|
||||||
TEST_MACHINE_EXPLOITED = "machine_exploited"
|
TEST_MACHINE_EXPLOITED = "machine_exploited"
|
||||||
|
@ -39,6 +40,7 @@ TESTS = (
|
||||||
TEST_MACHINE_EXPLOITED,
|
TEST_MACHINE_EXPLOITED,
|
||||||
TEST_DATA_ENDPOINT_HTTP,
|
TEST_DATA_ENDPOINT_HTTP,
|
||||||
TEST_DATA_ENDPOINT_ELASTIC,
|
TEST_DATA_ENDPOINT_ELASTIC,
|
||||||
|
TEST_DATA_ENDPOINT_POSTGRESQL,
|
||||||
TEST_TUNNELING,
|
TEST_TUNNELING,
|
||||||
TEST_COMMUNICATE_AS_NEW_USER
|
TEST_COMMUNICATE_AS_NEW_USER
|
||||||
)
|
)
|
||||||
|
@ -144,6 +146,17 @@ TESTS_MAP = {
|
||||||
PILLARS_KEY: [DATA],
|
PILLARS_KEY: [DATA],
|
||||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
|
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
|
||||||
},
|
},
|
||||||
|
TEST_DATA_ENDPOINT_POSTGRESQL: {
|
||||||
|
TEST_EXPLANATION_KEY: "The Monkey scanned for unencrypted access to PostgreSQL servers.",
|
||||||
|
FINDING_EXPLANATION_BY_STATUS_KEY: {
|
||||||
|
STATUS_FAILED: "Monkey accessed PostgreSQL servers. Limit access to data by encrypting it in in-transit.",
|
||||||
|
STATUS_PASSED: "Monkey didn't find open PostgreSQL servers. If you have such servers, look for alerts that "
|
||||||
|
"indicate attempts to access them. "
|
||||||
|
},
|
||||||
|
PRINCIPLE_KEY: PRINCIPLE_DATA_TRANSIT,
|
||||||
|
PILLARS_KEY: [DATA],
|
||||||
|
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
|
||||||
|
},
|
||||||
TEST_TUNNELING: {
|
TEST_TUNNELING: {
|
||||||
TEST_EXPLANATION_KEY: "The Monkey tried to tunnel traffic using other monkeys.",
|
TEST_EXPLANATION_KEY: "The Monkey tried to tunnel traffic using other monkeys.",
|
||||||
FINDING_EXPLANATION_BY_STATUS_KEY: {
|
FINDING_EXPLANATION_BY_STATUS_KEY: {
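Review bot: The STATUS_FAILED finding text added for TEST_DATA_ENDPOINT_POSTGRESQL contains a doubled word, "encrypting it in in-transit", and this string is what users see in the report; it should read `STATUS_FAILED: "Monkey accessed PostgreSQL servers. Limit access to data by encrypting it in transit.",`. The STATUS_PASSED text for the same test ends with a trailing space after "access them. " that will be rendered verbatim, so it should be dropped from the second string fragment. The TESTS_MAP dict containing this entry starts and ends outside the hunk.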
|
||||||
@ -73,6 +73,15 @@ FINGER_CLASSES = {
|
||||||
"title": "WindowsServerFinger",
|
"title": "WindowsServerFinger",
|
||||||
"info": "Checks if server is a Windows Server and tests if it is vulnerable to Zerologon.",
|
"info": "Checks if server is a Windows Server and tests if it is vulnerable to Zerologon.",
|
||||||
"attack_techniques": ["T1210"]
|
"attack_techniques": ["T1210"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "string",
|
||||||
|
"enum": [
|
||||||
|
"PostgreSQLFinger"
|
||||||
|
],
|
||||||
|
"title": "PostgreSQLFinger",
|
||||||
|
"info": "Checks if PostgreSQL service is running and if its communication is encrypted.",
|
||||||
|
"attack_techniques": ["T1210"]
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
@ -223,7 +223,8 @@ INTERNAL = {
|
||||||
"MySQLFinger",
|
"MySQLFinger",
|
||||||
"MSSQLFinger",
|
"MSSQLFinger",
|
||||||
"ElasticFinger",
|
"ElasticFinger",
|
||||||
"WindowsServerFinger"
|
"WindowsServerFinger",
|
||||||
|
"PostgreSQLFinger"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -22,6 +22,11 @@ EXPECTED_DICT = {
|
||||||
"test": zero_trust_consts.TESTS_MAP
|
"test": zero_trust_consts.TESTS_MAP
|
||||||
[zero_trust_consts.TEST_DATA_ENDPOINT_ELASTIC][zero_trust_consts.TEST_EXPLANATION_KEY]
|
[zero_trust_consts.TEST_DATA_ENDPOINT_ELASTIC][zero_trust_consts.TEST_EXPLANATION_KEY]
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"status": zero_trust_consts.STATUS_UNEXECUTED,
|
||||||
|
"test": zero_trust_consts.TESTS_MAP
|
||||||
|
[zero_trust_consts.TEST_DATA_ENDPOINT_POSTGRESQL][zero_trust_consts.TEST_EXPLANATION_KEY]
|
||||||
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
@ -8,6 +8,7 @@ from monkey_island.cc.models.zero_trust.aggregate_finding import (
|
||||||
from monkey_island.cc.models.zero_trust.event import Event
|
from monkey_island.cc.models.zero_trust.event import Event
|
||||||
|
|
||||||
HTTP_SERVERS_SERVICES_NAMES = ['tcp-80']
|
HTTP_SERVERS_SERVICES_NAMES = ['tcp-80']
|
||||||
|
POSTGRESQL_SERVER_SERVICE_NAME = 'PostgreSQL'
|
||||||
|
|
||||||
|
|
||||||
def test_open_data_endpoints(telemetry_json):
|
def test_open_data_endpoints(telemetry_json):
|
||||||
|
@ -15,6 +16,7 @@ def test_open_data_endpoints(telemetry_json):
|
||||||
current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
|
current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
|
||||||
found_http_server_status = zero_trust_consts.STATUS_PASSED
|
found_http_server_status = zero_trust_consts.STATUS_PASSED
|
||||||
found_elastic_search_server = zero_trust_consts.STATUS_PASSED
|
found_elastic_search_server = zero_trust_consts.STATUS_PASSED
|
||||||
|
found_postgresql_server = zero_trust_consts.STATUS_PASSED
|
||||||
|
|
||||||
events = [
|
events = [
|
||||||
Event.create_event(
|
Event.create_event(
|
||||||
|
@ -55,6 +57,17 @@ def test_open_data_endpoints(telemetry_json):
|
||||||
),
|
),
|
||||||
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK
|
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK
|
||||||
))
|
))
|
||||||
|
if service_name == POSTGRESQL_SERVER_SERVICE_NAME:
|
||||||
|
found_postgresql_server = zero_trust_consts.STATUS_FAILED
|
||||||
|
events.append(Event.create_event(
|
||||||
|
title="Scan telemetry analysis",
|
||||||
|
message="Service {} on {} recognized as an open data endpoint! Service details: {}".format(
|
||||||
|
service_data["display_name"],
|
||||||
|
telemetry_json["data"]["machine"]["ip_addr"],
|
||||||
|
json.dumps(service_data)
|
||||||
|
),
|
||||||
|
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK
|
||||||
|
))
|
||||||
|
|
||||||
AggregateFinding.create_or_add_to_existing(
|
AggregateFinding.create_or_add_to_existing(
|
||||||
test=zero_trust_consts.TEST_DATA_ENDPOINT_HTTP,
|
test=zero_trust_consts.TEST_DATA_ENDPOINT_HTTP,
|
||||||
|
@ -68,4 +81,10 @@ def test_open_data_endpoints(telemetry_json):
|
||||||
events=events
|
events=events
|
||||||
)
|
)
|
||||||
|
|
||||||
|
AggregateFinding.create_or_add_to_existing(
|
||||||
|
test=zero_trust_consts.TEST_DATA_ENDPOINT_POSTGRESQL,
|
||||||
|
status=found_postgresql_server,
|
||||||
|
events=events
|
||||||
|
)
|
||||||
|
|
||||||
add_malicious_activity_to_timeline(events)
|
add_malicious_activity_to_timeline(events)
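Review bot: The new branch sets `found_postgresql_server = zero_trust_consts.STATUS_FAILED` as soon as a service named POSTGRESQL_SERVER_SERVICE_NAME appears, regardless of whether the connection was actually unencrypted, while the test explanation in this same commit says the Monkey "scanned for unencrypted access" and the PostgreSQLFinger schema text says it checks "if its communication is encrypted"; a server that enforces TLS would therefore still be reported as FAILED. If the finger records its encryption result in `service_data`, the condition should consult that field rather than service presence alone, and a short comment should state what the FAILED status actually asserts. Separately, in the last hunk the PostgreSQL AggregateFinding is passed the same `events` list that already holds the HTTP and Elasticsearch events, so each finding carries evidence belonging to the other endpoints; collecting PostgreSQL events in their own list would keep the evidence accurate, though this repeats the file's existing pattern. The enclosing function test_open_data_endpoints begins outside these hunks.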