forked from p15670423/monkey
Added ScoutSuite rule parsing unit test and example of raw ScoutSuite data received.
This commit is contained in:
VakarisZ
parent
80e7435572
commit
905ffd029a
|
|
@ -0,0 +1,35 @@
|
|||
from enum import Enum
|
||||
|
||||
import pytest
|
||||
|
||||
from common.utils.exceptions import RulePathCreatorNotFound
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.ec2_rules import EC2Rules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_parser import RuleParser
|
||||
from monkey_island.cc.services.zero_trust.test_common.raw_scoutsute_data import RAW_SCOUTSUITE_DATA
|
||||
|
||||
|
||||
class ExampleRules(Enum):
|
||||
NON_EXSISTENT_RULE = 'bogus_rule'
|
||||
|
||||
ALL_PORTS_OPEN = EC2Rules.SECURITY_GROUP_ALL_PORTS_TO_ALL
|
||||
|
||||
EXPECTED_RESULT = {'description': 'Security Group Opens All Ports to All',
|
||||
'path': 'ec2.regions.id.vpcs.id.security_groups.id.rules.id.protocols.id.ports.id.cidrs.id.CIDR',
|
||||
'level': 'danger',
|
||||
'display_path': 'ec2.regions.id.vpcs.id.security_groups.id',
|
||||
'items': [
|
||||
'ec2.regions.ap-northeast-1.vpcs.vpc-abc.security_groups.'
|
||||
'sg-abc.rules.ingress.protocols.ALL.ports.1-65535.cidrs.0.CIDR'],
|
||||
'dashboard_name': 'Rules', 'checked_items': 179, 'flagged_items': 2, 'service': 'EC2',
|
||||
'rationale': 'It was detected that all ports in the security group are open <...>',
|
||||
'remediation': None, 'compliance': None, 'references': None}
|
||||
|
||||
|
||||
def test_get_rule_data():
|
||||
# Test proper parsing of the raw data to rule
|
||||
results = RuleParser.get_rule_data(RAW_SCOUTSUITE_DATA, ALL_PORTS_OPEN)
|
||||
assert results == EXPECTED_RESULT
|
||||
|
||||
with pytest.raises(RulePathCreatorNotFound):
|
||||
RuleParser.get_rule_data(RAW_SCOUTSUITE_DATA, ExampleRules.NON_EXSISTENT_RULE)
|
||||
pass
|
||||
|
|
@ -0,0 +1,93 @@
|
|||
# This is what our codebase receives after running ScoutSuite module.
|
||||
# Object '...': {'...': '...'} represents continuation of similar objects as above
|
||||
RAW_SCOUTSUITE_DATA = {
|
||||
'sg_map': {
|
||||
'sg-abc': {'region': 'ap-northeast-1', 'vpc_id': 'vpc-abc'},
|
||||
'sg-abcd': {'region': 'ap-northeast-2', 'vpc_id': 'vpc-abc'},
|
||||
'...': {'...': '...'}},
|
||||
'subnet_map': {
|
||||
'subnet-abc': {'region': 'ap-northeast-1', 'vpc_id': 'vpc-abc'},
|
||||
'subnet-abcd': {'region': 'ap-northeast-1', 'vpc_id': 'vpc-abc'},
|
||||
'...': {'...': '...'}
|
||||
},
|
||||
'provider_code': 'aws',
|
||||
'provider_name': 'Amazon Web Services',
|
||||
'environment': None,
|
||||
'result_format': 'json',
|
||||
'partition': 'aws',
|
||||
'account_id': '125686982355',
|
||||
'last_run': {
|
||||
'time': '2021-02-05 16:03:04+0200',
|
||||
'run_parameters': {'services': [], 'skipped_services': [], 'regions': [], 'excluded_regions': []},
|
||||
'version': '5.10.0',
|
||||
'ruleset_name': 'default',
|
||||
'ruleset_about': 'This ruleset',
|
||||
'summary': {'ec2': {'checked_items': 3747, 'flagged_items': 262, 'max_level': 'warning', 'rules_count': 28,
|
||||
'resources_count': 176},
|
||||
's3': {'checked_items': 88, 'flagged_items': 25, 'max_level': 'danger', 'rules_count': 18,
|
||||
'resources_count': 5},
|
||||
'...': {'...': '...'}}},
|
||||
'metadata': {
|
||||
'compute': {
|
||||
'summaries': {'external attack surface': {'cols': 1,
|
||||
'path': 'service_groups.compute.summaries.external_attack_surface',
|
||||
'callbacks': [
|
||||
['merge', {'attribute': 'external_attack_surface'}]]}},
|
||||
'...': {'...': '...'}
|
||||
},
|
||||
'...': {'...': '...'}
|
||||
},
|
||||
|
||||
# This is the important part, which we parse to get resources
|
||||
'services': {
|
||||
'ec2': {'regions': {
|
||||
'ap-northeast-1': {
|
||||
'vpcs': {
|
||||
'vpc-abc': {
|
||||
'id': 'vpc-abc',
|
||||
'security_groups': {
|
||||
'sg-abc': {
|
||||
'name': 'default',
|
||||
'rules': {
|
||||
'ingress': {'protocols': {
|
||||
'ALL': {'ports': {'1-65535': {'cidrs': [{'CIDR': '0.0.0.0/0'}]}}}},
|
||||
'count': 1},
|
||||
'egress': {'protocols': {
|
||||
'ALL': {'ports': {'1-65535': {'cidrs': [{'CIDR': '0.0.0.0/0'}]}}}},
|
||||
'count': 1}}
|
||||
}
|
||||
}}},
|
||||
'...': {'...': '...'}
|
||||
}},
|
||||
# Interesting info, maybe could be used somewhere in the report
|
||||
'external_attack_surface': {
|
||||
'52.52.52.52': {'protocols': {'TCP': {'ports': {'22': {'cidrs': [{'CIDR': '0.0.0.0/0'}]}}}},
|
||||
'InstanceName': 'InstanceName',
|
||||
'PublicDnsName': 'ec2-52-52-52-52.eu-central-1.compute.amazonaws.com'}},
|
||||
# We parse these into ScoutSuite security rules
|
||||
'findings': {
|
||||
'ec2-security-group-opens-all-ports-to-all': {
|
||||
'description': 'Security Group Opens All Ports to All',
|
||||
'path': 'ec2.regions.id.vpcs.id.security_groups'
|
||||
'.id.rules.id.protocols.id.ports.id.cidrs.id.CIDR',
|
||||
'level': 'danger',
|
||||
'display_path': 'ec2.regions.id.vpcs.id.security_groups.id',
|
||||
'items': [
|
||||
'ec2.regions.ap-northeast-1.vpcs.vpc-abc.security_groups'
|
||||
'.sg-abc.rules.ingress.protocols.ALL.ports.1-65535.cidrs.0.CIDR'],
|
||||
'dashboard_name': 'Rules',
|
||||
'checked_items': 179,
|
||||
'flagged_items': 2,
|
||||
'service': 'EC2',
|
||||
'rationale': 'It was detected that all ports in the security group are open <...>',
|
||||
'remediation': None, 'compliance': None, 'references': None},
|
||||
'...': {'...': '...'}
|
||||
}
|
||||
},
|
||||
'...': {'...': '...'}
|
||||
},
|
||||
'service_list': ['acm', 'awslambda', 'cloudformation', 'cloudtrail', 'cloudwatch', 'config', 'directconnect',
|
||||
'dynamodb', 'ec2', 'efs', 'elasticache', 'elb', 'elbv2', 'emr', 'iam', 'kms', 'rds', 'redshift',
|
||||
'route53', 's3', 'ses', 'sns', 'sqs', 'vpc', 'secretsmanager'],
|
||||
'service_groups': {'...': {'...': '...'}}
|
||||
}
|
||||
Loading…
Reference in New Issue