Added almost all scoutsuite rules
parent
a7fc5d1191
commit
5bc47b91cf
@ -41,6 +41,7 @@ TEST_SCOUTSUITE_DATA_LOSS_PREVENTION = "scoutsuite_data_loss_prevention"
|
|||
TEST_SCOUTSUITE_SECURE_AUTHENTICATION = "scoutsuite_secure_authentication"
|
||||
TEST_SCOUTSUITE_RESTRICTIVE_POLICIES = "scoutsuite_unrestrictive_policies"
|
||||
TEST_SCOUTSUITE_LOGGING = "scoutsuite_logging"
|
||||
TEST_SCOUTSUITE_SERVICE_SECURITY = "scoutsuite_service_security"
|
||||
|
||||
TESTS = (
|
||||
TEST_SEGMENTATION,
|
||||
|
@ -57,7 +58,8 @@ TESTS = (
|
|||
TEST_SCOUTSUITE_DATA_LOSS_PREVENTION,
|
||||
TEST_SCOUTSUITE_SECURE_AUTHENTICATION,
|
||||
TEST_SCOUTSUITE_RESTRICTIVE_POLICIES,
|
||||
TEST_SCOUTSUITE_LOGGING
|
||||
TEST_SCOUTSUITE_LOGGING,
|
||||
TEST_SCOUTSUITE_SERVICE_SECURITY
|
||||
)
|
||||
|
||||
PRINCIPLE_DATA_CONFIDENTIALITY = "data_transit"
|
||||
|
@ -192,67 +194,71 @@ TESTS_MAP = {
|
|||
TEST_EXPLANATION_KEY: "ScoutSuite assessed cloud firewall rules and settings.",
|
||||
FINDING_EXPLANATION_BY_STATUS_KEY: {
|
||||
STATUS_FAILED: "ScoutSuite found overly permissive firewall rules.",
|
||||
STATUS_VERIFY: "ScoutSuite found potentially dangerous firewall rules you need to verify.",
|
||||
STATUS_PASSED: "ScoutSuite found no problems with cloud firewall rules."
|
||||
},
|
||||
PRINCIPLE_KEY: PRINCIPLE_RESTRICTIVE_NETWORK_POLICIES,
|
||||
PILLARS_KEY: [NETWORKS],
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY]
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
|
||||
},
|
||||
TEST_SCOUTSUITE_UNENCRYPTED_DATA: {
|
||||
TEST_EXPLANATION_KEY: "ScoutSuite searched for resources containing unencrypted data.",
|
||||
FINDING_EXPLANATION_BY_STATUS_KEY: {
|
||||
STATUS_FAILED: "ScoutSuite found resources with unencrypted data.",
|
||||
STATUS_VERIFY: "ScoutSuite found resources which could have unencrypted data.",
|
||||
STATUS_PASSED: "ScoutSuite found no resources with unencrypted data."
|
||||
},
|
||||
PRINCIPLE_KEY: PRINCIPLE_DATA_CONFIDENTIALITY,
|
||||
PILLARS_KEY: [DATA],
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY]
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
|
||||
},
|
||||
TEST_SCOUTSUITE_DATA_LOSS_PREVENTION: {
|
||||
TEST_EXPLANATION_KEY: "ScoutSuite searched for resources which are not protected against data loss.",
|
||||
FINDING_EXPLANATION_BY_STATUS_KEY: {
|
||||
STATUS_FAILED: "ScoutSuite found resources not protected against data loss.",
|
||||
STATUS_VERIFY: "ScoutSuite found resources which might not be protected against data loss.",
|
||||
STATUS_PASSED: "ScoutSuite found that all resources are secured against data loss."
|
||||
},
|
||||
PRINCIPLE_KEY: PRINCIPLE_DISASTER_RECOVERY,
|
||||
PILLARS_KEY: [DATA],
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY]
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
|
||||
},
|
||||
TEST_SCOUTSUITE_SECURE_AUTHENTICATION: {
|
||||
TEST_EXPLANATION_KEY: "ScoutSuite searched for issues related to users' authentication.",
|
||||
FINDING_EXPLANATION_BY_STATUS_KEY: {
|
||||
STATUS_FAILED: "ScoutSuite found issues related to users' authentication.",
|
||||
STATUS_VERIFY: "ScoutSuite found potential issues related to users' authentication.",
|
||||
STATUS_PASSED: "ScoutSuite found no issues related to users' authentication."
|
||||
},
|
||||
PRINCIPLE_KEY: PRINCIPLE_SECURE_AUTHENTICATION,
|
||||
PILLARS_KEY: [PEOPLE, WORKLOADS],
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY]
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
|
||||
},
|
||||
TEST_SCOUTSUITE_RESTRICTIVE_POLICIES: {
|
||||
TEST_EXPLANATION_KEY: "ScoutSuite searched for permissive user access policies.",
|
||||
FINDING_EXPLANATION_BY_STATUS_KEY: {
|
||||
STATUS_FAILED: "ScoutSuite found permissive user access policies.",
|
||||
STATUS_VERIFY: "ScoutSuite found potential issues related to user access policies.",
|
||||
STATUS_PASSED: "ScoutSuite found no issues related to user access policies."
|
||||
},
|
||||
PRINCIPLE_KEY: PRINCIPLE_USERS_MAC_POLICIES,
|
||||
PILLARS_KEY: [PEOPLE, WORKLOADS],
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY]
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
|
||||
},
|
||||
TEST_SCOUTSUITE_LOGGING: {
|
||||
TEST_EXPLANATION_KEY: "ScoutSuite searched for issues, related to logging.",
|
||||
FINDING_EXPLANATION_BY_STATUS_KEY: {
|
||||
STATUS_FAILED: "ScoutSuite found logging issues.",
|
||||
STATUS_VERIFY: "ScoutSuite found potential logging issues.",
|
||||
STATUS_PASSED: "ScoutSuite found no logging issues."
|
||||
},
|
||||
PRINCIPLE_KEY: PRINCIPLE_MONITORING_AND_LOGGING,
|
||||
PILLARS_KEY: [AUTOMATION_ORCHESTRATION, VISIBILITY_ANALYTICS],
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY]
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
|
||||
},
|
||||
TEST_SCOUTSUITE_SERVICE_SECURITY: {
|
||||
TEST_EXPLANATION_KEY: "ScoutSuite searched for service security issues.",
|
||||
FINDING_EXPLANATION_BY_STATUS_KEY: {
|
||||
STATUS_FAILED: "ScoutSuite found service security issues.",
|
||||
STATUS_PASSED: "ScoutSuite found no service security issues."
|
||||
},
|
||||
PRINCIPLE_KEY: PRINCIPLE_MONITORING_AND_LOGGING,
|
||||
PILLARS_KEY: [DEVICES, NETWORKS],
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
|
||||
}
|
||||
}
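Review bot: The new TEST_SCOUTSUITE_SERVICE_SECURITY entry reuses `PRINCIPLE_KEY: PRINCIPLE_MONITORING_AND_LOGGING` together with `PILLARS_KEY: [DEVICES, NETWORKS]`, which reads like a copy of the LOGGING entry directly above rather than a deliberate mapping: the only rule wired to this test in the commit is CloudformationRules.CLOUDFORMATION_STACK_WITH_ROLE, which concerns the privileges a stack is given, not monitoring. If no better-fitting principle exists yet, say so next to the key, e.g. `# TODO: no dedicated principle for service configuration yet; reusing monitoring/logging`. The explanation strings for this test are also too generic to help a report reader; something like `TEST_EXPLANATION_KEY: "ScoutSuite searched for insecure service configurations (e.g. CloudFormation stacks with IAM roles attached)."` would say what was actually checked. The TESTS_MAP dict starts outside the hunk.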
|
||||
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
from common.common_consts import zero_trust_consts
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudformation_rules import CloudformationRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudtrail_rules import CloudTrailRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudwatch_rules import CloudWatchRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.config_rules import ConfigRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.ec2_rules import EC2Rules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.elb_rules import ELBRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.elbv2_rules import ELBv2Rules
|
||||
|
@ -8,6 +10,9 @@ from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rds_rules
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.redshift_rules import RedshiftRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.s3_rules import S3Rules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.iam_rules import IAMRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.ses_rules import SESRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.sns_rules import SNSRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.sqs_rules import SQSRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.vpc_rules import VPCRules
|
||||
|
||||
|
||||
|
@ -20,23 +25,39 @@ class PERMISSIVE_FIREWALL_RULES:
|
|||
EC2Rules.SECURITY_GROUP_OPENS_NFS_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_SMTP_PORT_TO_ALL,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_DNS_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_ALL_PORTS_TO_SELF,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_ALL_PORTS, EC2Rules.SECURITY_GROUP_OPENS_PLAINTEXT_PORT_FTP,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_PLAINTEXT_PORT_TELNET, EC2Rules.SECURITY_GROUP_OPENS_PORT_RANGE]
|
||||
EC2Rules.SECURITY_GROUP_OPENS_PLAINTEXT_PORT_TELNET, EC2Rules.SECURITY_GROUP_OPENS_PORT_RANGE,
|
||||
EC2Rules.EC2_SECURITY_GROUP_WHITELISTS_AWS,
|
||||
VPCRules.SUBNET_WITH_ALLOW_ALL_INGRESS_ACLS,
|
||||
VPCRules.SUBNET_WITH_ALLOW_ALL_EGRESS_ACLS,
|
||||
VPCRules.NETWORK_ACL_NOT_USED,
|
||||
VPCRules.DEFAULT_NETWORK_ACLS_ALLOW_ALL_INGRESS,
|
||||
VPCRules.DEFAULT_NETWORK_ACLS_ALLOW_ALL_EGRESS,
|
||||
VPCRules.CUSTOM_NETWORK_ACLS_ALLOW_ALL_INGRESS,
|
||||
VPCRules.CUSTOM_NETWORK_ACLS_ALLOW_ALL_EGRESS,
|
||||
RDSRules.RDS_SECURITY_GROUP_ALLOWS_ALL,
|
||||
RedshiftRules.REDSHIFT_SECURITY_GROUP_WHITELISTS_ALL
|
||||
]
|
||||
|
||||
test = zero_trust_consts.TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES
|
||||
|
||||
|
||||
class UNENCRYPTED_DATA:
|
||||
rules = [EC2Rules.EC2_EBS_SNAPSHOT_NOT_ENCRYPTED, EC2Rules.EC2_EBS_VOLUME_NOT_ENCRYPTED,
|
||||
rules = [EC2Rules.EBS_SNAPSHOT_NOT_ENCRYPTED, EC2Rules.EBS_VOLUME_NOT_ENCRYPTED,
|
||||
EC2Rules.EC2_INSTANCE_WITH_USER_DATA_SECRETS,
|
||||
ELBv2Rules.ELBV2_LISTENER_ALLOWING_CLEARTEXT, ELBv2Rules.ELBV2_OLDER_SSL_POLICY,
|
||||
RDSRules.RDS_INSTANCE_STORAGE_NOT_ENCRYPTED, RedshiftRules.REDSHIFT_CLUSTER_DATABASE_NOT_ENCRYPTED,
|
||||
S3Rules.S3_BUCKET_ALLOWING_CLEARTEXT, S3Rules.S3_BUCKET_NO_DEFAULT_ENCRYPTION]
|
||||
RedshiftRules.REDSHIFT_PARAMETER_GROUP_SSL_NOT_REQUIRED,
|
||||
S3Rules.S3_BUCKET_ALLOWING_CLEARTEXT, S3Rules.S3_BUCKET_NO_DEFAULT_ENCRYPTION,
|
||||
ELBRules.ELB_LISTENER_ALLOWING_CLEARTEXT,
|
||||
ELBRules.ELB_OLDER_SSL_POLICY]
|
||||
|
||||
test = zero_trust_consts.TEST_SCOUTSUITE_UNENCRYPTED_DATA
|
||||
|
||||
|
||||
class DATA_LOSS_PREVENTION:
|
||||
rules = [RDSRules.RDS_INSTANCE_BACKUP_DISABLED, RDSRules.RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD,
|
||||
RDSRules.RDS_INSTANCE_SINGLE_AZ, S3Rules.S3_BUCKET_NO_MFA_DELETE, S3Rules.S3_BUCKET_NO_VERSIONING]
|
||||
RDSRules.RDS_INSTANCE_SINGLE_AZ, S3Rules.S3_BUCKET_NO_MFA_DELETE, S3Rules.S3_BUCKET_NO_VERSIONING,
|
||||
ELBv2Rules.ELBV2_NO_DELETION_PROTECTION]
|
||||
|
||||
test = zero_trust_consts.TEST_SCOUTSUITE_DATA_LOSS_PREVENTION
|
||||
|
||||
|
@ -82,6 +103,40 @@ class RESTRICTIVE_POLICIES:
|
|||
IAMRules.IAM_ROOT_ACCOUNT_USED_RECENTLY,
|
||||
IAMRules.IAM_ROOT_ACCOUNT_WITH_ACTIVE_CERTS,
|
||||
IAMRules.IAM_USER_WITH_INLINE_POLICIES,
|
||||
EC2Rules.AMI_PUBLIC,
|
||||
S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_WRITE_ACP,
|
||||
S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_WRITE,
|
||||
S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_READ_ACP,
|
||||
S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_READ,
|
||||
S3Rules.S3_BUCKET_ALLUSERS_WRITE_ACP,
|
||||
S3Rules.S3_BUCKET_ALLUSERS_WRITE,
|
||||
S3Rules.S3_BUCKET_ALLUSERS_READ_ACP,
|
||||
S3Rules.S3_BUCKET_ALLUSERS_READ,
|
||||
S3Rules.S3_BUCKET_WORLD_PUT_POLICY,
|
||||
S3Rules.S3_BUCKET_WORLD_POLICY_STAR,
|
||||
S3Rules.S3_BUCKET_WORLD_LIST_POLICY,
|
||||
S3Rules.S3_BUCKET_WORLD_GET_POLICY,
|
||||
S3Rules.S3_BUCKET_WORLD_DELETE_POLICY,
|
||||
EC2Rules.EC2_DEFAULT_SECURITY_GROUP_IN_USE,
|
||||
EC2Rules.EC2_DEFAULT_SECURITY_GROUP_WITH_RULES,
|
||||
EC2Rules.EC2_EBS_SNAPSHOT_PUBLIC,
|
||||
SQSRules.SQS_QUEUE_WORLD_SENDMESSAGE_POLICY,
|
||||
SQSRules.SQS_QUEUE_WORLD_RECEIVEMESSAGE_POLICY,
|
||||
SQSRules.SQS_QUEUE_WORLD_PURGEQUEUE_POLICY,
|
||||
SQSRules.SQS_QUEUE_WORLD_GETQUEUEURL_POLICY,
|
||||
SQSRules.SQS_QUEUE_WORLD_GETQUEUEATTRIBUTES_POLICY,
|
||||
SQSRules.SQS_QUEUE_WORLD_DELETEMESSAGE_POLICY,
|
||||
SQSRules.SQS_QUEUE_WORLD_CHANGEMESSAGEVISIBILITY_POLICY,
|
||||
SNSRules.SNS_TOPIC_WORLD_SUBSCRIBE_POLICY,
|
||||
SNSRules.SNS_TOPIC_WORLD_SETTOPICATTRIBUTES_POLICY,
|
||||
SNSRules.SNS_TOPIC_WORLD_REMOVEPERMISSION_POLICY,
|
||||
SNSRules.SNS_TOPIC_WORLD_RECEIVE_POLICY,
|
||||
SNSRules.SNS_TOPIC_WORLD_PUBLISH_POLICY,
|
||||
SNSRules.SNS_TOPIC_WORLD_DELETETOPIC_POLICY,
|
||||
SNSRules.SNS_TOPIC_WORLD_ADDPERMISSION_POLICY,
|
||||
SESRules.SES_IDENTITY_WORLD_SENDRAWEMAIL_POLICY,
|
||||
SESRules.SES_IDENTITY_WORLD_SENDEMAIL_POLICY,
|
||||
RedshiftRules.REDSHIFT_CLUSTER_PUBLICLY_ACCESSIBLE
|
||||
]
|
||||
|
||||
test = zero_trust_consts.TEST_SCOUTSUITE_RESTRICTIVE_POLICIES
|
||||
|
@ -99,7 +154,16 @@ class LOGGING:
|
|||
ELBRules.ELB_NO_ACCESS_LOGS,
|
||||
S3Rules.S3_BUCKET_NO_LOGGING,
|
||||
ELBv2Rules.ELBV2_NO_ACCESS_LOGS,
|
||||
VPCRules.VPC_SUBNET_WITHOUT_FLOW_LOG,
|
||||
VPCRules.SUBNET_WITHOUT_FLOW_LOG,
|
||||
ConfigRules.CONFIG_RECORDER_NOT_CONFIGURED,
|
||||
RedshiftRules.REDSHIFT_PARAMETER_GROUP_LOGGING_DISABLED
|
||||
]
|
||||
|
||||
test = zero_trust_consts.TEST_SCOUTSUITE_LOGGING
|
||||
|
||||
class SERVICE_SECURITY:
|
||||
rules = [
|
||||
CloudformationRules.CLOUDFORMATION_STACK_WITH_ROLE
|
||||
]
|
||||
|
||||
test = zero_trust_consts.TEST_SCOUTSUITE_SERVICE_SECURITY
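Review bot: `class SERVICE_SECURITY` in the LOGGING hunk is separated from the preceding `test = ...` line by a single blank line, whereas every other finding class visible in this file (UNENCRYPTED_DATA, DATA_LOSS_PREVENTION) is preceded by two; add the second blank line so the new class matches the file's layout. In the PERMISSIVE_FIREWALL_RULES hunk, `VPCRules.NETWORK_ACL_NOT_USED` is added to a finding whose failure is reported as overly permissive firewall rules, but an unattached network ACL is a hygiene finding rather than a permissive rule; presumably it was included because a subnet without its own ACL falls back to the default one, and if so that reasoning belongs in an inline comment, e.g. `# unattached ACLs mean subnets fall back to the default ACL`. The LOGGING and RESTRICTIVE_POLICIES classes start outside their hunks.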
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.findings import *
|
||||
|
||||
SCOUTSUITE_FINDINGS = [PERMISSIVE_FIREWALL_RULES, UNENCRYPTED_DATA, DATA_LOSS_PREVENTION, SECURE_AUTHENTICATION,
|
||||
RESTRICTIVE_POLICIES, LOGGING]
|
||||
RESTRICTIVE_POLICIES, LOGGING, SERVICE_SECURITY]
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
from enum import Enum
|
||||
|
||||
|
||||
class CloudformationRules(Enum):
|
||||
|
||||
# Service Security
|
||||
CLOUDFORMATION_STACK_WITH_ROLE = 'cloudformation-stack-with-role'
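Review bot: There is a stray blank line between `class CloudformationRules(Enum):` and the `# Service Security` comment; ConfigRules, added in the same commit, and the existing EC2Rules and ELBRules put the category comment directly under the class line. Drop the blank line here and in SESRules, SNSRules and SQSRules so the new enums match the existing ones. A class-level comment stating where the values come from would also help the next person adding a rule, e.g. `# Values must match the ScoutSuite rule names exactly; they are used to look up results.` (hedged: that lookup is what the rule-path creators appear to rely on, but it is not visible in this diff).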
|
|
@ -0,0 +1,6 @@
|
|||
from enum import Enum
|
||||
|
||||
|
||||
class ConfigRules(Enum):
|
||||
# Logging
|
||||
CONFIG_RECORDER_NOT_CONFIGURED = 'config-recorder-not-configured'
|
|
@ -2,7 +2,7 @@ from enum import Enum
|
|||
|
||||
|
||||
class EC2Rules(Enum):
|
||||
# Ports
|
||||
# Permissive firewall rules
|
||||
SECURITY_GROUP_ALL_PORTS_TO_ALL = 'ec2-security-group-opens-all-ports-to-all'
|
||||
SECURITY_GROUP_OPENS_TCP_PORT_TO_ALL = 'ec2-security-group-opens-TCP-port-to-all'
|
||||
SECURITY_GROUP_OPENS_UDP_PORT_TO_ALL = 'ec2-security-group-opens-UDP-port-to-all'
|
||||
|
@ -21,7 +21,15 @@ class EC2Rules(Enum):
|
|||
SECURITY_GROUP_OPENS_PLAINTEXT_PORT_FTP = 'ec2-security-group-opens-plaintext-port-FTP'
|
||||
SECURITY_GROUP_OPENS_PLAINTEXT_PORT_TELNET = 'ec2-security-group-opens-plaintext-port-Telnet'
|
||||
SECURITY_GROUP_OPENS_PORT_RANGE = 'ec2-security-group-opens-port-range'
|
||||
EC2_SECURITY_GROUP_WHITELISTS_AWS = 'ec2-security-group-whitelists-aws'
|
||||
|
||||
# Encryption
|
||||
EC2_EBS_SNAPSHOT_NOT_ENCRYPTED = 'ec2-ebs-snapshot-not-encrypted'
|
||||
EC2_EBS_VOLUME_NOT_ENCRYPTED = 'ec2-ebs-volume-not-encrypted'
|
||||
EBS_SNAPSHOT_NOT_ENCRYPTED = 'ec2-ebs-snapshot-not-encrypted'
|
||||
EBS_VOLUME_NOT_ENCRYPTED = 'ec2-ebs-volume-not-encrypted'
|
||||
EC2_INSTANCE_WITH_USER_DATA_SECRETS = 'ec2-instance-with-user-data-secrets'
|
||||
|
||||
# Permissive policies
|
||||
AMI_PUBLIC = 'ec2-ami-public'
|
||||
EC2_DEFAULT_SECURITY_GROUP_IN_USE = 'ec2-default-security-group-in-use'
|
||||
EC2_DEFAULT_SECURITY_GROUP_WITH_RULES = 'ec2-default-security-group-with-rules'
|
||||
EC2_EBS_SNAPSHOT_PUBLIC = 'ec2-ebs-snapshot-public'
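Review bot: The commit drops the `EC2_` prefix from two existing members (`EBS_SNAPSHOT_NOT_ENCRYPTED`, `EBS_VOLUME_NOT_ENCRYPTED`) but the members added in the same hunk keep it (`EC2_SECURITY_GROUP_WHITELISTS_AWS`, `EC2_INSTANCE_WITH_USER_DATA_SECRETS`, `EC2_DEFAULT_SECURITY_GROUP_IN_USE`, `EC2_DEFAULT_SECURITY_GROUP_WITH_RULES`, `EC2_EBS_SNAPSHOT_PUBLIC`), so EC2Rules now mixes both conventions. Since the enum name already says EC2, finish the rename for the new members (e.g. `SECURITY_GROUP_WHITELISTS_AWS`, `EBS_SNAPSHOT_PUBLIC`) and update the references in findings.py to match; the string values, which are what ScoutSuite results are matched on, are unaffected. `EC2_INSTANCE_WITH_USER_DATA_SECRETS` also sits under the `# Encryption` heading although it is about secrets exposed in user data; a `# Secrets exposure` heading or a short comment would make the grouping clearer. The EC2Rules class continues outside both hunks.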
|
||||
|
|
|
@ -4,3 +4,7 @@ from enum import Enum
|
|||
class ELBRules(Enum):
|
||||
# Logging
|
||||
ELB_NO_ACCESS_LOGS = 'elb-no-access-logs'
|
||||
|
||||
# Encryption
|
||||
ELB_LISTENER_ALLOWING_CLEARTEXT = 'elb-listener-allowing-cleartext'
|
||||
ELB_OLDER_SSL_POLICY = 'elb-older-ssl-policy'
|
||||
|
|
|
@ -8,3 +8,6 @@ class ELBv2Rules(Enum):
|
|||
|
||||
# Logging
|
||||
ELBV2_NO_ACCESS_LOGS = 'elbv2-no-access-logs'
|
||||
|
||||
# Data loss prevention
|
||||
ELBV2_NO_DELETION_PROTECTION = 'elbv2-no-deletion-protection'
|
||||
|
|
|
@ -9,3 +9,7 @@ class RDSRules(Enum):
|
|||
RDS_INSTANCE_BACKUP_DISABLED = 'rds-instance-backup-disabled'
|
||||
RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD = 'rds-instance-short-backup-retention-period'
|
||||
RDS_INSTANCE_SINGLE_AZ = 'rds-instance-single-az'
|
||||
|
||||
# Firewalls
|
||||
RDS_SECURITY_GROUP_ALLOWS_ALL = 'rds-security-group-allows-all'
|
||||
RDS_SNAPSHOT_PUBLIC = 'rds-snapshot-public'
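Review bot: `RDS_SNAPSHOT_PUBLIC` is added under the `# Firewalls` heading, but a publicly shared snapshot is an access-policy issue rather than a security-group one; the equivalent EC2 member (`EC2_EBS_SNAPSHOT_PUBLIC`) sits under `# Permissive policies`, so give it its own heading, e.g. `# Permissive policies` above `RDS_SNAPSHOT_PUBLIC = 'rds-snapshot-public'`. Unlike `RDS_SECURITY_GROUP_ALLOWS_ALL`, which goes into PERMISSIVE_FIREWALL_RULES, this member is not referenced by any findings.py hunk in the commit; if it is not wired into RESTRICTIVE_POLICIES somewhere outside the shown hunks, the rule is defined but never reported. The RDSRules class starts outside the hunk.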
|
||||
|
|
|
@ -4,3 +4,13 @@ from enum import Enum
|
|||
class RedshiftRules(Enum):
|
||||
# Encryption
|
||||
REDSHIFT_CLUSTER_DATABASE_NOT_ENCRYPTED = 'redshift-cluster-database-not-encrypted'
|
||||
REDSHIFT_PARAMETER_GROUP_SSL_NOT_REQUIRED = 'redshift-parameter-group-ssl-not-required'
|
||||
|
||||
# Firewalls
|
||||
REDSHIFT_SECURITY_GROUP_WHITELISTS_ALL = 'redshift-security-group-whitelists-all'
|
||||
|
||||
# Restrictive Policies
|
||||
REDSHIFT_CLUSTER_PUBLICLY_ACCESSIBLE = 'redshift-cluster-publicly-accessible'
|
||||
|
||||
# Logging
|
||||
REDSHIFT_PARAMETER_GROUP_LOGGING_DISABLED = 'redshift-parameter-group-logging-disabled'
|
||||
|
|
|
@ -12,3 +12,18 @@ class S3Rules(Enum):
|
|||
|
||||
# Logging
|
||||
S3_BUCKET_NO_LOGGING = 's3-bucket-no-logging'
|
||||
|
||||
# Permissive access rules
|
||||
S3_BUCKET_AUTHENTICATEDUSERS_WRITE_ACP = 's3-bucket-AuthenticatedUsers-write_acp'
|
||||
S3_BUCKET_AUTHENTICATEDUSERS_WRITE = 's3-bucket-AuthenticatedUsers-write'
|
||||
S3_BUCKET_AUTHENTICATEDUSERS_READ_ACP = 's3-bucket-AuthenticatedUsers-read_acp'
|
||||
S3_BUCKET_AUTHENTICATEDUSERS_READ = 's3-bucket-AuthenticatedUsers-read'
|
||||
S3_BUCKET_ALLUSERS_WRITE_ACP = 's3-bucket-AllUsers-write_acp'
|
||||
S3_BUCKET_ALLUSERS_WRITE = 's3-bucket-AllUsers-write'
|
||||
S3_BUCKET_ALLUSERS_READ_ACP = 's3-bucket-AllUsers-read_acp'
|
||||
S3_BUCKET_ALLUSERS_READ = 's3-bucket-AllUsers-read'
|
||||
S3_BUCKET_WORLD_PUT_POLICY = 's3-bucket-world-Put-policy'
|
||||
S3_BUCKET_WORLD_POLICY_STAR = 's3-bucket-world-policy-star'
|
||||
S3_BUCKET_WORLD_LIST_POLICY = 's3-bucket-world-List-policy'
|
||||
S3_BUCKET_WORLD_GET_POLICY = 's3-bucket-world-Get-policy'
|
||||
S3_BUCKET_WORLD_DELETE_POLICY = 's3-bucket-world-Delete-policy'
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
from enum import Enum
|
||||
|
||||
|
||||
class SESRules(Enum):
|
||||
|
||||
# Permissive policies
|
||||
SES_IDENTITY_WORLD_SENDRAWEMAIL_POLICY = 'ses-identity-world-SendRawEmail-policy'
|
||||
SES_IDENTITY_WORLD_SENDEMAIL_POLICY = 'ses-identity-world-SendEmail-policy'
|
|
@ -0,0 +1,13 @@
|
|||
from enum import Enum
|
||||
|
||||
|
||||
class SNSRules(Enum):
|
||||
|
||||
# Permissive policies
|
||||
SNS_TOPIC_WORLD_SUBSCRIBE_POLICY = 'sns-topic-world-Subscribe-policy'
|
||||
SNS_TOPIC_WORLD_SETTOPICATTRIBUTES_POLICY = 'sns-topic-world-SetTopicAttributes-policy'
|
||||
SNS_TOPIC_WORLD_REMOVEPERMISSION_POLICY = 'sns-topic-world-RemovePermission-policy'
|
||||
SNS_TOPIC_WORLD_RECEIVE_POLICY = 'sns-topic-world-Receive-policy'
|
||||
SNS_TOPIC_WORLD_PUBLISH_POLICY = 'sns-topic-world-Publish-policy'
|
||||
SNS_TOPIC_WORLD_DELETETOPIC_POLICY = 'sns-topic-world-DeleteTopic-policy'
|
||||
SNS_TOPIC_WORLD_ADDPERMISSION_POLICY = 'sns-topic-world-AddPermission-policy'
|
|
@ -0,0 +1,13 @@
|
|||
from enum import Enum
|
||||
|
||||
|
||||
class SQSRules(Enum):
|
||||
|
||||
# Permissive policies
|
||||
SQS_QUEUE_WORLD_SENDMESSAGE_POLICY = 'sqs-queue-world-SendMessage-policy'
|
||||
SQS_QUEUE_WORLD_RECEIVEMESSAGE_POLICY = 'sqs-queue-world-ReceiveMessage-policy'
|
||||
SQS_QUEUE_WORLD_PURGEQUEUE_POLICY = 'sqs-queue-world-PurgeQueue-policy'
|
||||
SQS_QUEUE_WORLD_GETQUEUEURL_POLICY = 'sqs-queue-world-GetQueueUrl-policy'
|
||||
SQS_QUEUE_WORLD_GETQUEUEATTRIBUTES_POLICY = 'sqs-queue-world-GetQueueAttributes-policy'
|
||||
SQS_QUEUE_WORLD_DELETEMESSAGE_POLICY = 'sqs-queue-world-DeleteMessage-policy'
|
||||
SQS_QUEUE_WORLD_CHANGEMESSAGEVISIBILITY_POLICY = 'sqs-queue-world-ChangeMessageVisibility-policy'
|
|
@ -3,4 +3,13 @@ from enum import Enum
|
|||
|
||||
class VPCRules(Enum):
|
||||
# Logging
|
||||
VPC_SUBNET_WITHOUT_FLOW_LOG = 'vpc-subnet-without-flow-log'
|
||||
SUBNET_WITHOUT_FLOW_LOG = 'vpc-subnet-without-flow-log'
|
||||
|
||||
# Firewalls
|
||||
SUBNET_WITH_ALLOW_ALL_INGRESS_ACLS = 'vpc-subnet-with-allow-all-ingress-acls'
|
||||
SUBNET_WITH_ALLOW_ALL_EGRESS_ACLS = 'vpc-subnet-with-allow-all-egress-acls'
|
||||
NETWORK_ACL_NOT_USED = 'vpc-network-acl-not-used'
|
||||
DEFAULT_NETWORK_ACLS_ALLOW_ALL_INGRESS = 'vpc-default-network-acls-allow-all-ingress'
|
||||
DEFAULT_NETWORK_ACLS_ALLOW_ALL_EGRESS = 'vpc-default-network-acls-allow-all-egress'
|
||||
CUSTOM_NETWORK_ACLS_ALLOW_ALL_INGRESS = 'vpc-custom-network-acls-allow-all-ingress'
|
||||
CUSTOM_NETWORK_ACLS_ALLOW_ALL_EGRESS = 'vpc-custom-network-acls-allow-all-egress'
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudformation_rules import CloudformationRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
|
||||
SERVICE_TYPES
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
|
||||
AbstractRulePathCreator
|
||||
|
||||
|
||||
class CloudformationRulePathCreator(AbstractRulePathCreator):
|
||||
|
||||
service_type = SERVICE_TYPES.CLOUDFORMATION
|
||||
supported_rules = CloudformationRules
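Review bot: `service_type = SERVICE_TYPES.CLOUDFORMATION` is evaluated when the module is imported, and service_consts.py is not touched by this commit, so confirm that SERVICE_TYPES already defines CLOUDFORMATION, and likewise CONFIG, SES, SNS and SQS for ConfigRulePathCreator, SESRulePathCreator, SNSRulePathCreator and SQSRulePathCreator; a missing member would raise AttributeError as soon as rule_path_creators_list.py is imported, not when the rule is used. Each of these five classes is two bare assignments with no docstring; a one-line docstring naming the ScoutSuite service whose rules the creator covers, e.g. `"""Rule-path creator for ScoutSuite CloudFormation rules."""`, would document the intent.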
|
|
@ -0,0 +1,11 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.config_rules import ConfigRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
|
||||
SERVICE_TYPES
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
|
||||
AbstractRulePathCreator
|
||||
|
||||
|
||||
class ConfigRulePathCreator(AbstractRulePathCreator):
|
||||
|
||||
service_type = SERVICE_TYPES.CONFIG
|
||||
supported_rules = ConfigRules
|
|
@ -0,0 +1,11 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.ses_rules import SESRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
|
||||
SERVICE_TYPES
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
|
||||
AbstractRulePathCreator
|
||||
|
||||
|
||||
class SESRulePathCreator(AbstractRulePathCreator):
|
||||
|
||||
service_type = SERVICE_TYPES.SES
|
||||
supported_rules = SESRules
|
|
@ -0,0 +1,11 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.sns_rules import SNSRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
|
||||
SERVICE_TYPES
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
|
||||
AbstractRulePathCreator
|
||||
|
||||
|
||||
class SNSRulePathCreator(AbstractRulePathCreator):
|
||||
|
||||
service_type = SERVICE_TYPES.SNS
|
||||
supported_rules = SNSRules
|
|
@ -0,0 +1,11 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.sqs_rules import SQSRules
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
|
||||
SERVICE_TYPES
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
|
||||
AbstractRulePathCreator
|
||||
|
||||
|
||||
class SQSRulePathCreator(AbstractRulePathCreator):
|
||||
|
||||
service_type = SERVICE_TYPES.SQS
|
||||
supported_rules = SQSRules
|
|
@ -1,7 +1,11 @@
|
|||
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.cloudformation_rule_path_creator import \
|
||||
CloudformationRulePathCreator
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.cloudtrail_rule_path_creator import \
|
||||
CloudTrailRulePathCreator
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.cloudwatch_rule_path_creator import \
|
||||
CloudWatchRulePathCreator
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.config_rule_path_creator import \
|
||||
ConfigRulePathCreator
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.ec2_rule_path_creator import \
|
||||
EC2RulePathCreator
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.elb_rule_path_creator import \
|
||||
|
@ -16,9 +20,16 @@ from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_buil
|
|||
RedshiftRulePathCreator
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.s3_rule_path_creator import \
|
||||
S3RulePathCreator
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.ses_rule_path_creator import \
|
||||
SESRulePathCreator
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.sns_rule_path_creator import \
|
||||
SNSRulePathCreator
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.sqs_rule_path_creator import \
|
||||
SQSRulePathCreator
|
||||
from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.vpc_rule_path_creator import \
|
||||
VPCRulePathCreator
|
||||
|
||||
RULE_PATH_CREATORS_LIST = [EC2RulePathCreator, ELBv2RulePathCreator, RDSRulePathCreator, RedshiftRulePathCreator,
|
||||
S3RulePathCreator, IAMRulePathCreator, CloudTrailRulePathCreator, ELBRulePathCreator,
|
||||
VPCRulePathCreator, CloudWatchRulePathCreator]
|
||||
VPCRulePathCreator, CloudWatchRulePathCreator, SQSRulePathCreator, SNSRulePathCreator,
|
||||
SESRulePathCreator, ConfigRulePathCreator, CloudformationRulePathCreator]
|
||||
|
|