Refactored ScoutSuite finding classes to have ABC

VakarisZ 2021-01-11 13:40:46 +02:00
parent 737e6bce3d
commit 789c58f0ac
4 changed files with 40 additions and 24 deletions


@ -2,6 +2,8 @@
""" """
Define a Document Schema for Zero Trust findings. Define a Document Schema for Zero Trust findings.
""" """
from __future__ import annotations
from typing import Union from typing import Union
from mongoengine import Document, GenericLazyReferenceField, StringField from mongoengine import Document, GenericLazyReferenceField, StringField
@ -50,13 +52,13 @@ class Finding(Document):
@staticmethod @staticmethod
def save_finding(test: str, def save_finding(test: str,
status: str, status: str,
detail_ref: Union[MonkeyFindingDetails, ScoutSuiteFindingDetails]): detail_ref: Union[MonkeyFindingDetails, ScoutSuiteFindingDetails]) -> Finding:
temp_finding = Finding(test=test, finding = Finding(test=test,
status=status, status=status,
details=detail_ref, details=detail_ref,
finding_type=Finding._get_finding_type_by_details(detail_ref)) finding_type=Finding._get_finding_type_by_details(detail_ref))
temp_finding.save() finding.save()
return temp_finding return finding
@staticmethod @staticmethod
def _get_finding_type_by_details(details: Union[MonkeyFindingDetails, ScoutSuiteFindingDetails]) -> str: def _get_finding_type_by_details(details: Union[MonkeyFindingDetails, ScoutSuiteFindingDetails]) -> str:
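Review bot: `save_finding` gains a return annotation but still has no docstring, so a caller cannot tell from the signature that it both persists and returns the document. A short one on the new-side `def save_finding(...)` would settle it: `"""Create a Finding for *test* with *status* and the given details document, persist it, and return the saved instance."""`. The `finding_type` is derived from `detail_ref` by `_get_finding_type_by_details`, whose body lies outside this hunk, so the docstring should not promise more than that. The enclosing `Finding` class starts before the hunk.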


@ -1,3 +1,5 @@
from abc import ABC, abstractmethod
from common.common_consts import zero_trust_consts from common.common_consts import zero_trust_consts
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudformation_rules import CloudformationRules from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudformation_rules import CloudformationRules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudtrail_rules import CloudTrailRules from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudtrail_rules import CloudTrailRules
@ -16,7 +18,19 @@ from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.sqs_rules
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.vpc_rules import VPCRules from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.vpc_rules import VPCRules
class PERMISSIVE_FIREWALL_RULES: class ScoutSuiteFinding(ABC):
@property
@abstractmethod
def rules(self):
pass
@property
@abstractmethod
def test(self):
pass
class PermissiveFirewallRules(ScoutSuiteFinding):
rules = [EC2Rules.SECURITY_GROUP_ALL_PORTS_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_TCP_PORT_TO_ALL, rules = [EC2Rules.SECURITY_GROUP_ALL_PORTS_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_TCP_PORT_TO_ALL,
EC2Rules.SECURITY_GROUP_OPENS_UDP_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_RDP_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_UDP_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_RDP_PORT_TO_ALL,
EC2Rules.SECURITY_GROUP_OPENS_SSH_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_MYSQL_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_SSH_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_MYSQL_PORT_TO_ALL,
@ -41,7 +55,7 @@ class PERMISSIVE_FIREWALL_RULES:
test = zero_trust_consts.TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES test = zero_trust_consts.TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES
class UNENCRYPTED_DATA: class UnencryptedData(ScoutSuiteFinding):
rules = [EC2Rules.EBS_SNAPSHOT_NOT_ENCRYPTED, EC2Rules.EBS_VOLUME_NOT_ENCRYPTED, rules = [EC2Rules.EBS_SNAPSHOT_NOT_ENCRYPTED, EC2Rules.EBS_VOLUME_NOT_ENCRYPTED,
EC2Rules.EC2_INSTANCE_WITH_USER_DATA_SECRETS, EC2Rules.EC2_INSTANCE_WITH_USER_DATA_SECRETS,
ELBv2Rules.ELBV2_LISTENER_ALLOWING_CLEARTEXT, ELBv2Rules.ELBV2_OLDER_SSL_POLICY, ELBv2Rules.ELBV2_LISTENER_ALLOWING_CLEARTEXT, ELBv2Rules.ELBV2_OLDER_SSL_POLICY,
@ -54,7 +68,7 @@ class UNENCRYPTED_DATA:
test = zero_trust_consts.TEST_SCOUTSUITE_UNENCRYPTED_DATA test = zero_trust_consts.TEST_SCOUTSUITE_UNENCRYPTED_DATA
class DATA_LOSS_PREVENTION: class DataLossPrevention(ScoutSuiteFinding):
rules = [RDSRules.RDS_INSTANCE_BACKUP_DISABLED, RDSRules.RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD, rules = [RDSRules.RDS_INSTANCE_BACKUP_DISABLED, RDSRules.RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD,
RDSRules.RDS_INSTANCE_SINGLE_AZ, S3Rules.S3_BUCKET_NO_MFA_DELETE, S3Rules.S3_BUCKET_NO_VERSIONING, RDSRules.RDS_INSTANCE_SINGLE_AZ, S3Rules.S3_BUCKET_NO_MFA_DELETE, S3Rules.S3_BUCKET_NO_VERSIONING,
ELBv2Rules.ELBV2_NO_DELETION_PROTECTION] ELBv2Rules.ELBV2_NO_DELETION_PROTECTION]
@ -62,7 +76,7 @@ class DATA_LOSS_PREVENTION:
test = zero_trust_consts.TEST_SCOUTSUITE_DATA_LOSS_PREVENTION test = zero_trust_consts.TEST_SCOUTSUITE_DATA_LOSS_PREVENTION
class SECURE_AUTHENTICATION: class SecureAuthentication(ScoutSuiteFinding):
rules = [ rules = [
IAMRules.IAM_USER_NO_ACTIVE_KEY_ROTATION, IAMRules.IAM_USER_NO_ACTIVE_KEY_ROTATION,
IAMRules.IAM_PASSWORD_POLICY_MINIMUM_LENGTH, IAMRules.IAM_PASSWORD_POLICY_MINIMUM_LENGTH,
@ -80,7 +94,7 @@ class SECURE_AUTHENTICATION:
test = zero_trust_consts.TEST_SCOUTSUITE_SECURE_AUTHENTICATION test = zero_trust_consts.TEST_SCOUTSUITE_SECURE_AUTHENTICATION
class RESTRICTIVE_POLICIES: class RestrictivePolicies(ScoutSuiteFinding):
rules = [ rules = [
IAMRules.IAM_ASSUME_ROLE_POLICY_ALLOWS_ALL, IAMRules.IAM_ASSUME_ROLE_POLICY_ALLOWS_ALL,
IAMRules.IAM_EC2_ROLE_WITHOUT_INSTANCES, IAMRules.IAM_EC2_ROLE_WITHOUT_INSTANCES,
@ -142,7 +156,7 @@ class RESTRICTIVE_POLICIES:
test = zero_trust_consts.TEST_SCOUTSUITE_RESTRICTIVE_POLICIES test = zero_trust_consts.TEST_SCOUTSUITE_RESTRICTIVE_POLICIES
class LOGGING: class Logging(ScoutSuiteFinding):
rules = [ rules = [
CloudTrailRules.CLOUDTRAIL_DUPLICATED_GLOBAL_SERVICES_LOGGING, CloudTrailRules.CLOUDTRAIL_DUPLICATED_GLOBAL_SERVICES_LOGGING,
CloudTrailRules.CLOUDTRAIL_NO_DATA_LOGGING, CloudTrailRules.CLOUDTRAIL_NO_DATA_LOGGING,
@ -162,7 +176,7 @@ class LOGGING:
test = zero_trust_consts.TEST_SCOUTSUITE_LOGGING test = zero_trust_consts.TEST_SCOUTSUITE_LOGGING
class SERVICE_SECURITY: class ServiceSecurity(ScoutSuiteFinding):
rules = [ rules = [
CloudformationRules.CLOUDFORMATION_STACK_WITH_ROLE, CloudformationRules.CLOUDFORMATION_STACK_WITH_ROLE,
ELBv2Rules.ELBV2_HTTP_REQUEST_SMUGGLING, ELBv2Rules.ELBV2_HTTP_REQUEST_SMUGGLING,
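Review bot: The abstract `rules` and `test` properties on the new `ScoutSuiteFinding` base are never enforced at runtime, because ABC checks abstract members only on instantiation and, as far as the visible code shows, the subclasses are used as bare classes (the third file's `SCOUTSUITE_FINDINGS` lists the class objects and the service reads `finding.test` on whatever it receives). If no instance is ever created, a subclass that forgets `test` will only fail at that attribute access rather than at definition time. Either document the intent with a class docstring on `ScoutSuiteFinding`, e.g. `"""Maps a set of ScoutSuite rule names to one Zero Trust test. Subclasses are used as classes, not instantiated, and define `rules` and `test` as class attributes."""`, or replace the two property stubs with class-level annotations `rules: list` and `test: str`, which state the same contract without an abstractmethod that nothing checks. The body of `PermissiveFirewallRules` continues past this hunk; the later hunks only rename the subclasses.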


@ -1,8 +1,8 @@
from monkey_island.cc.services.zero_trust.scoutsuite.consts.findings import (DATA_LOSS_PREVENTION, LOGGING, from monkey_island.cc.services.zero_trust.scoutsuite.consts.findings import (DataLossPrevention, Logging,
PERMISSIVE_FIREWALL_RULES, PermissiveFirewallRules,
RESTRICTIVE_POLICIES, RestrictivePolicies,
SECURE_AUTHENTICATION, SERVICE_SECURITY, SecureAuthentication, ServiceSecurity,
UNENCRYPTED_DATA) UnencryptedData)
SCOUTSUITE_FINDINGS = [PERMISSIVE_FIREWALL_RULES, UNENCRYPTED_DATA, DATA_LOSS_PREVENTION, SECURE_AUTHENTICATION, SCOUTSUITE_FINDINGS = [PermissiveFirewallRules, UnencryptedData, DataLossPrevention, SecureAuthentication,
RESTRICTIVE_POLICIES, LOGGING, SERVICE_SECURITY] RestrictivePolicies, Logging, ServiceSecurity]


@ -4,14 +4,14 @@ from common.common_consts import zero_trust_consts
from monkey_island.cc.models.zero_trust.finding import Finding from monkey_island.cc.models.zero_trust.finding import Finding
from monkey_island.cc.models.zero_trust.scoutsuite_finding_details import ScoutSuiteFindingDetails from monkey_island.cc.models.zero_trust.scoutsuite_finding_details import ScoutSuiteFindingDetails
from monkey_island.cc.models.zero_trust.scoutsuite_rule import ScoutSuiteRule from monkey_island.cc.models.zero_trust.scoutsuite_rule import ScoutSuiteRule
from monkey_island.cc.services.zero_trust.scoutsuite.consts.findings import ScoutSuiteFinding
from monkey_island.cc.services.zero_trust.scoutsuite.scoutsuite_rule_service import ScoutSuiteRuleService from monkey_island.cc.services.zero_trust.scoutsuite.scoutsuite_rule_service import ScoutSuiteRuleService
class ScoutSuiteFindingService: class ScoutSuiteFindingService:
@staticmethod @staticmethod
# TODO add type hinting like finding: Union[SCOUTSUITE_FINDINGS]? def process_rule(finding: ScoutSuiteFinding, rule: ScoutSuiteRule):
def process_rule(finding, rule: ScoutSuiteRule):
existing_findings = Finding.objects(test=finding.test, finding_type=zero_trust_consts.SCOUTSUITE_FINDING) existing_findings = Finding.objects(test=finding.test, finding_type=zero_trust_consts.SCOUTSUITE_FINDING)
assert (len(existing_findings) < 2), "More than one finding exists for {}".format(finding.test) assert (len(existing_findings) < 2), "More than one finding exists for {}".format(finding.test)
@ -21,7 +21,7 @@ class ScoutSuiteFindingService:
ScoutSuiteFindingService.add_rule(existing_findings[0], rule) ScoutSuiteFindingService.add_rule(existing_findings[0], rule)
@staticmethod @staticmethod
def create_new_finding_from_rule(finding, rule: ScoutSuiteRule): def create_new_finding_from_rule(finding: ScoutSuiteFinding, rule: ScoutSuiteRule):
details = ScoutSuiteFindingDetails() details = ScoutSuiteFindingDetails()
details.scoutsuite_rules = [rule] details.scoutsuite_rules = [rule]
details.save() details.save()
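Review bot: The new annotation `finding: ScoutSuiteFinding` on `process_rule` and `create_new_finding_from_rule` describes an instance, but the values these methods appear to receive are the finding classes themselves — `SCOUTSUITE_FINDINGS` in the previous file holds `PermissiveFirewallRules` and friends as class objects, and `finding.test` is read as a class attribute — so a type checker would flag the callers. If that inference holds, `finding: Type[ScoutSuiteFinding]` is the accurate hint, with `from typing import Type` added if the file's first three lines (outside this hunk) do not already import it. The removed TODO asked exactly this question, so it is worth settling in the same commit rather than replacing the comment with a hint that may be wrong.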