From 5bc47b91cf1fe586a844999408ab044d02b55b46 Mon Sep 17 00:00:00 2001 
From: VakarisZ Date: Thu, 24 Sep 2020 17:05:45 +0300 Subject: [PATCH] Added almost all scoutsuite rules --- .../common/common_consts/zero_trust_consts.py | 32 ++++---- .../zero_trust/scoutsuite/consts/findings.py | 74 +++++++++++++++++-- .../scoutsuite/consts/findings_list.py | 2 +- .../consts/rule_names/cloudformation_rules.py | 7 ++ .../consts/rule_names/config_rules.py | 6 ++ .../scoutsuite/consts/rule_names/ec2_rules.py | 14 +++- .../scoutsuite/consts/rule_names/elb_rules.py | 4 + .../consts/rule_names/elbv2_rules.py | 3 + .../scoutsuite/consts/rule_names/rds_rules.py | 4 + .../consts/rule_names/redshift_rules.py | 10 +++ .../scoutsuite/consts/rule_names/s3_rules.py | 15 ++++ .../scoutsuite/consts/rule_names/ses_rules.py | 8 ++ .../scoutsuite/consts/rule_names/sns_rules.py | 13 ++++ .../scoutsuite/consts/rule_names/sqs_rules.py | 13 ++++ .../scoutsuite/consts/rule_names/vpc_rules.py | 11 ++- .../cloudformation_rule_path_creator.py | 11 +++ .../config_rule_path_creator.py | 11 +++ .../ses_rule_path_creator.py | 11 +++ .../sns_rule_path_creator.py | 11 +++ .../sqs_rule_path_creator.py | 11 +++ .../rule_path_creators_list.py | 13 +++- 21 files changed, 260 insertions(+), 24 deletions(-) create mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/cloudformation_rules.py create mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/config_rules.py create mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/ses_rules.py create mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/sns_rules.py create mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/sqs_rules.py create mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators/cloudformation_rule_path_creator.py create mode 100644 
monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators/config_rule_path_creator.py create mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators/ses_rule_path_creator.py create mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators/sns_rule_path_creator.py create mode 100644 monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators/sqs_rule_path_creator.py diff --git a/monkey/common/common_consts/zero_trust_consts.py b/monkey/common/common_consts/zero_trust_consts.py index 814930926..3d3602b80 100644 --- a/monkey/common/common_consts/zero_trust_consts.py +++ b/monkey/common/common_consts/zero_trust_consts.py @@ -41,6 +41,7 @@ TEST_SCOUTSUITE_DATA_LOSS_PREVENTION = "scoutsuite_data_loss_prevention" TEST_SCOUTSUITE_SECURE_AUTHENTICATION = "scoutsuite_secure_authentication" TEST_SCOUTSUITE_RESTRICTIVE_POLICIES = "scoutsuite_unrestrictive_policies" TEST_SCOUTSUITE_LOGGING = "scoutsuite_logging" +TEST_SCOUTSUITE_SERVICE_SECURITY = "scoutsuite_service_security" TESTS = ( TEST_SEGMENTATION, @@ -57,7 +58,8 @@ TESTS = ( TEST_SCOUTSUITE_DATA_LOSS_PREVENTION, TEST_SCOUTSUITE_SECURE_AUTHENTICATION, TEST_SCOUTSUITE_RESTRICTIVE_POLICIES, - TEST_SCOUTSUITE_LOGGING + TEST_SCOUTSUITE_LOGGING, + TEST_SCOUTSUITE_SERVICE_SECURITY ) PRINCIPLE_DATA_CONFIDENTIALITY = "data_transit" 
@@ -192,67 +194,71 @@ TESTS_MAP = { TEST_EXPLANATION_KEY: "ScoutSuite assessed cloud firewall rules and settings.", FINDING_EXPLANATION_BY_STATUS_KEY: { STATUS_FAILED: "ScoutSuite found overly permissive firewall rules.", - STATUS_VERIFY: "ScoutSuite found potentially dangerous firewall rules you need to verify.", STATUS_PASSED: "ScoutSuite found no problems with cloud firewall rules." }, PRINCIPLE_KEY: PRINCIPLE_RESTRICTIVE_NETWORK_POLICIES, PILLARS_KEY: [NETWORKS], - POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY] + POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED] }, TEST_SCOUTSUITE_UNENCRYPTED_DATA: { TEST_EXPLANATION_KEY: "ScoutSuite searched for resources containing unencrypted data.", FINDING_EXPLANATION_BY_STATUS_KEY: { STATUS_FAILED: "ScoutSuite found resources with unencrypted data.", - STATUS_VERIFY: "ScoutSuite found resources which could have unencrypted data.", STATUS_PASSED: "ScoutSuite found no resources with unencrypted data." }, PRINCIPLE_KEY: PRINCIPLE_DATA_CONFIDENTIALITY, PILLARS_KEY: [DATA], - POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY] + POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED] }, TEST_SCOUTSUITE_DATA_LOSS_PREVENTION: { TEST_EXPLANATION_KEY: "ScoutSuite searched for resources which are not protected against data loss.", FINDING_EXPLANATION_BY_STATUS_KEY: { STATUS_FAILED: "ScoutSuite found resources not protected against data loss.", - STATUS_VERIFY: "ScoutSuite found resources which might not be protected against data loss.", STATUS_PASSED: "ScoutSuite found that all resources are secured against data loss." 
}, PRINCIPLE_KEY: PRINCIPLE_DISASTER_RECOVERY, PILLARS_KEY: [DATA], - POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY] + POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED] }, TEST_SCOUTSUITE_SECURE_AUTHENTICATION: { TEST_EXPLANATION_KEY: "ScoutSuite searched for issues related to users' authentication.", FINDING_EXPLANATION_BY_STATUS_KEY: { STATUS_FAILED: "ScoutSuite found issues related to users' authentication.", - STATUS_VERIFY: "ScoutSuite found potential issues related to users' authentication.", STATUS_PASSED: "ScoutSuite found no issues related to users' authentication." }, PRINCIPLE_KEY: PRINCIPLE_SECURE_AUTHENTICATION, PILLARS_KEY: [PEOPLE, WORKLOADS], - POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY] + POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED] }, TEST_SCOUTSUITE_RESTRICTIVE_POLICIES: { TEST_EXPLANATION_KEY: "ScoutSuite searched for permissive user access policies.", FINDING_EXPLANATION_BY_STATUS_KEY: { STATUS_FAILED: "ScoutSuite found permissive user access policies.", - STATUS_VERIFY: "ScoutSuite found potential issues related to user access policies.", STATUS_PASSED: "ScoutSuite found no issues related to user access policies." }, PRINCIPLE_KEY: PRINCIPLE_USERS_MAC_POLICIES, PILLARS_KEY: [PEOPLE, WORKLOADS], - POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY] + POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED] }, TEST_SCOUTSUITE_LOGGING: { TEST_EXPLANATION_KEY: "ScoutSuite searched for issues, related to logging.", FINDING_EXPLANATION_BY_STATUS_KEY: { STATUS_FAILED: "ScoutSuite found logging issues.", - STATUS_VERIFY: "ScoutSuite found potential logging issues.", STATUS_PASSED: "ScoutSuite found no logging issues." 
}, PRINCIPLE_KEY: PRINCIPLE_MONITORING_AND_LOGGING, PILLARS_KEY: [AUTOMATION_ORCHESTRATION, VISIBILITY_ANALYTICS], - POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED, STATUS_VERIFY] + POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED] + }, + TEST_SCOUTSUITE_SERVICE_SECURITY: { + TEST_EXPLANATION_KEY: "ScoutSuite searched for service security issues.", + FINDING_EXPLANATION_BY_STATUS_KEY: { + STATUS_FAILED: "ScoutSuite found service security issues.", + STATUS_PASSED: "ScoutSuite found no service security issues." + }, + PRINCIPLE_KEY: PRINCIPLE_MONITORING_AND_LOGGING, + PILLARS_KEY: [DEVICES, NETWORKS], + POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED] } } diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/findings.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/findings.py index 422469970..c818d6725 100644 --- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/findings.py +++ b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/findings.py @@ -1,6 +1,8 @@ from common.common_consts import zero_trust_consts +from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudformation_rules import CloudformationRules from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudtrail_rules import CloudTrailRules from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudwatch_rules import CloudWatchRules +from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.config_rules import ConfigRules from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.ec2_rules import EC2Rules from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.elb_rules import ELBRules from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.elbv2_rules import ELBv2Rules 
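Review bot: The new `TEST_SCOUTSUITE_SERVICE_SECURITY` entry sets `PRINCIPLE_KEY: PRINCIPLE_MONITORING_AND_LOGGING`, which does not describe a service-security test and reads like a copy of the `TEST_SCOUTSUITE_LOGGING` entry directly above it; its pillars `[DEVICES, NETWORKS]` also differ from the `[AUTOMATION_ORCHESTRATION, VISIBILITY_ANALYTICS]` that entry pairs with the same principle. The only rule routed to this test in findings.py is `CLOUDFORMATION_STACK_WITH_ROLE`, a role-attachment / least-privilege concern rather than monitoring. If no existing `PRINCIPLE_*` fits, add one instead of reusing the logging principle, since the principle is presumably what groups the finding in the report. The explanation strings `"ScoutSuite searched for service security issues."` / `"ScoutSuite found service security issues."` are also vaguer than every other entry; naming the CloudFormation/role check would tell the reader what actually failed.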
@@ -8,6 +10,9 @@ from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.rds_rules from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.redshift_rules import RedshiftRules from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.s3_rules import S3Rules from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.iam_rules import IAMRules +from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.ses_rules import SESRules +from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.sns_rules import SNSRules +from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.sqs_rules import SQSRules from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.vpc_rules import VPCRules 
@@ -20,23 +25,39 @@ class PERMISSIVE_FIREWALL_RULES: EC2Rules.SECURITY_GROUP_OPENS_NFS_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_SMTP_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_DNS_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_ALL_PORTS_TO_SELF, EC2Rules.SECURITY_GROUP_OPENS_ALL_PORTS, EC2Rules.SECURITY_GROUP_OPENS_PLAINTEXT_PORT_FTP, - EC2Rules.SECURITY_GROUP_OPENS_PLAINTEXT_PORT_TELNET, EC2Rules.SECURITY_GROUP_OPENS_PORT_RANGE] + EC2Rules.SECURITY_GROUP_OPENS_PLAINTEXT_PORT_TELNET, EC2Rules.SECURITY_GROUP_OPENS_PORT_RANGE, + EC2Rules.EC2_SECURITY_GROUP_WHITELISTS_AWS, + VPCRules.SUBNET_WITH_ALLOW_ALL_INGRESS_ACLS, + VPCRules.SUBNET_WITH_ALLOW_ALL_EGRESS_ACLS, + VPCRules.NETWORK_ACL_NOT_USED, + VPCRules.DEFAULT_NETWORK_ACLS_ALLOW_ALL_INGRESS, + VPCRules.DEFAULT_NETWORK_ACLS_ALLOW_ALL_EGRESS, + VPCRules.CUSTOM_NETWORK_ACLS_ALLOW_ALL_INGRESS, + VPCRules.CUSTOM_NETWORK_ACLS_ALLOW_ALL_EGRESS, + RDSRules.RDS_SECURITY_GROUP_ALLOWS_ALL, + RedshiftRules.REDSHIFT_SECURITY_GROUP_WHITELISTS_ALL + ] test = zero_trust_consts.TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES class UNENCRYPTED_DATA: - rules = [EC2Rules.EC2_EBS_SNAPSHOT_NOT_ENCRYPTED, EC2Rules.EC2_EBS_VOLUME_NOT_ENCRYPTED, + rules = [EC2Rules.EBS_SNAPSHOT_NOT_ENCRYPTED, EC2Rules.EBS_VOLUME_NOT_ENCRYPTED, + EC2Rules.EC2_INSTANCE_WITH_USER_DATA_SECRETS, ELBv2Rules.ELBV2_LISTENER_ALLOWING_CLEARTEXT, ELBv2Rules.ELBV2_OLDER_SSL_POLICY, RDSRules.RDS_INSTANCE_STORAGE_NOT_ENCRYPTED, RedshiftRules.REDSHIFT_CLUSTER_DATABASE_NOT_ENCRYPTED, - S3Rules.S3_BUCKET_ALLOWING_CLEARTEXT, S3Rules.S3_BUCKET_NO_DEFAULT_ENCRYPTION] + RedshiftRules.REDSHIFT_PARAMETER_GROUP_SSL_NOT_REQUIRED, + S3Rules.S3_BUCKET_ALLOWING_CLEARTEXT, S3Rules.S3_BUCKET_NO_DEFAULT_ENCRYPTION, + ELBRules.ELB_LISTENER_ALLOWING_CLEARTEXT, + ELBRules.ELB_OLDER_SSL_POLICY] test = zero_trust_consts.TEST_SCOUTSUITE_UNENCRYPTED_DATA class DATA_LOSS_PREVENTION: rules = [RDSRules.RDS_INSTANCE_BACKUP_DISABLED, RDSRules.RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD, - 
RDSRules.RDS_INSTANCE_SINGLE_AZ, S3Rules.S3_BUCKET_NO_MFA_DELETE, S3Rules.S3_BUCKET_NO_VERSIONING] + RDSRules.RDS_INSTANCE_SINGLE_AZ, S3Rules.S3_BUCKET_NO_MFA_DELETE, S3Rules.S3_BUCKET_NO_VERSIONING, + ELBv2Rules.ELBV2_NO_DELETION_PROTECTION] test = zero_trust_consts.TEST_SCOUTSUITE_DATA_LOSS_PREVENTION 
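Review bot: `VPCRules.NETWORK_ACL_NOT_USED` is added to `PERMISSIVE_FIREWALL_RULES`, but an ACL that is not attached to any subnet is not a permissive rule, and with `STATUS_VERIFY` dropped from this test in the same commit it would now surface as a FAILED "overly permissive firewall rules" finding; it fits a hygiene/service-security test better, or should be left out until one exists (inferred from the rule name — confirm against ScoutSuite's rule definition). Style: the `rules` lists now mix several members per line with one per line, and the closing `]` gets its own line in `PERMISSIVE_FIREWALL_RULES` but not in `UNENCRYPTED_DATA` or `DATA_LOSS_PREVENTION`; one member per line, as `RESTRICTIVE_POLICIES` already does, keeps future additions to one-line diffs. The `PERMISSIVE_FIREWALL_RULES` class starts before this hunk.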
@@ -82,6 +103,40 @@ class RESTRICTIVE_POLICIES: IAMRules.IAM_ROOT_ACCOUNT_USED_RECENTLY, IAMRules.IAM_ROOT_ACCOUNT_WITH_ACTIVE_CERTS, IAMRules.IAM_USER_WITH_INLINE_POLICIES, + EC2Rules.AMI_PUBLIC, + S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_WRITE_ACP, + S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_WRITE, + S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_READ_ACP, + S3Rules.S3_BUCKET_AUTHENTICATEDUSERS_READ, + S3Rules.S3_BUCKET_ALLUSERS_WRITE_ACP, + S3Rules.S3_BUCKET_ALLUSERS_WRITE, + S3Rules.S3_BUCKET_ALLUSERS_READ_ACP, + S3Rules.S3_BUCKET_ALLUSERS_READ, + S3Rules.S3_BUCKET_WORLD_PUT_POLICY, + S3Rules.S3_BUCKET_WORLD_POLICY_STAR, + S3Rules.S3_BUCKET_WORLD_LIST_POLICY, + S3Rules.S3_BUCKET_WORLD_GET_POLICY, + S3Rules.S3_BUCKET_WORLD_DELETE_POLICY, + EC2Rules.EC2_DEFAULT_SECURITY_GROUP_IN_USE, + EC2Rules.EC2_DEFAULT_SECURITY_GROUP_WITH_RULES, + EC2Rules.EC2_EBS_SNAPSHOT_PUBLIC, + SQSRules.SQS_QUEUE_WORLD_SENDMESSAGE_POLICY, + SQSRules.SQS_QUEUE_WORLD_RECEIVEMESSAGE_POLICY, + SQSRules.SQS_QUEUE_WORLD_PURGEQUEUE_POLICY, + SQSRules.SQS_QUEUE_WORLD_GETQUEUEURL_POLICY, + SQSRules.SQS_QUEUE_WORLD_GETQUEUEATTRIBUTES_POLICY, + SQSRules.SQS_QUEUE_WORLD_DELETEMESSAGE_POLICY, + SQSRules.SQS_QUEUE_WORLD_CHANGEMESSAGEVISIBILITY_POLICY, + SNSRules.SNS_TOPIC_WORLD_SUBSCRIBE_POLICY, + SNSRules.SNS_TOPIC_WORLD_SETTOPICATTRIBUTES_POLICY, + SNSRules.SNS_TOPIC_WORLD_REMOVEPERMISSION_POLICY, + SNSRules.SNS_TOPIC_WORLD_RECEIVE_POLICY, + SNSRules.SNS_TOPIC_WORLD_PUBLISH_POLICY, + SNSRules.SNS_TOPIC_WORLD_DELETETOPIC_POLICY, + SNSRules.SNS_TOPIC_WORLD_ADDPERMISSION_POLICY, + SESRules.SES_IDENTITY_WORLD_SENDRAWEMAIL_POLICY, + SESRules.SES_IDENTITY_WORLD_SENDEMAIL_POLICY, + RedshiftRules.REDSHIFT_CLUSTER_PUBLICLY_ACCESSIBLE ] test = zero_trust_consts.TEST_SCOUTSUITE_RESTRICTIVE_POLICIES 
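Review bot: `EC2Rules.EC2_EBS_SNAPSHOT_PUBLIC` is routed to this test, but its RDS counterpart `RDSRules.RDS_SNAPSHOT_PUBLIC`, added in rds_rules.py in this same commit, is not referenced by any findings class anywhere in the patch; if the rule-to-test mapping is driven only by these lists (presumably, given findings_list.py), a public RDS snapshot would be recognised by the path creator and then dropped from every test. Add `RDSRules.RDS_SNAPSHOT_PUBLIC,` next to the EBS entry. Separately, `EC2_DEFAULT_SECURITY_GROUP_IN_USE` and `EC2_DEFAULT_SECURITY_GROUP_WITH_RULES` are security-group findings placed under a test whose explanation text is "permissive user access policies"; `PERMISSIVE_FIREWALL_RULES` looks like the intended home. The `RESTRICTIVE_POLICIES` class starts before this hunk.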
@@ -99,7 +154,16 @@ class LOGGING: ELBRules.ELB_NO_ACCESS_LOGS, S3Rules.S3_BUCKET_NO_LOGGING, ELBv2Rules.ELBV2_NO_ACCESS_LOGS, - VPCRules.VPC_SUBNET_WITHOUT_FLOW_LOG, + VPCRules.SUBNET_WITHOUT_FLOW_LOG, + ConfigRules.CONFIG_RECORDER_NOT_CONFIGURED, + RedshiftRules.REDSHIFT_PARAMETER_GROUP_LOGGING_DISABLED ] test = zero_trust_consts.TEST_SCOUTSUITE_LOGGING + +class SERVICE_SECURITY: + rules = [ + CloudformationRules.CLOUDFORMATION_STACK_WITH_ROLE + ] + + test = zero_trust_consts.TEST_SCOUTSUITE_SERVICE_SECURITY diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/findings_list.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/findings_list.py index 31086f722..0fdb81cc1 100644 --- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/findings_list.py +++ b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/findings_list.py @@ -1,4 +1,4 @@ from monkey_island.cc.services.zero_trust.scoutsuite.consts.findings import * SCOUTSUITE_FINDINGS = [PERMISSIVE_FIREWALL_RULES, UNENCRYPTED_DATA, DATA_LOSS_PREVENTION, SECURE_AUTHENTICATION, - RESTRICTIVE_POLICIES, LOGGING] + RESTRICTIVE_POLICIES, LOGGING, SERVICE_SECURITY] diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/cloudformation_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/cloudformation_rules.py new file mode 100644 index 000000000..f5c069b4f --- /dev/null +++ b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/cloudformation_rules.py @@ -0,0 +1,7 @@ +from enum import Enum + + +class CloudformationRules(Enum): + + # Service Security + CLOUDFORMATION_STACK_WITH_ROLE = 'cloudformation-stack-with-role' diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/config_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/config_rules.py new file mode 100644 index 000000000..81e2574f8 --- /dev/null 
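Review bot: The new `SERVICE_SECURITY` class is separated from `LOGGING` by a single blank line, while the rest of findings.py (and PEP 8) uses two between top-level classes. These finding classes are read by attribute name from findings_list.py, so a one-line class docstring would help a maintainer, e.g. `"""ScoutSuite rule ids that feed the zero-trust test named in `test`."""`; if it is also true that every rule_names member must appear in exactly one of these lists, that invariant is worth stating there too — confirm it before writing it down. In the new cloudformation_rules.py a blank line sits between `class CloudformationRules(Enum):` and the `# Service Security` comment, whereas `ConfigRules` right after it has none, and `SESRules`, `SNSRules`, `SQSRules` follow the first layout; pick one.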
+++ b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/config_rules.py @@ -0,0 +1,6 @@ +from enum import Enum + + +class ConfigRules(Enum): + # Logging + CONFIG_RECORDER_NOT_CONFIGURED = 'config-recorder-not-configured' diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/ec2_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/ec2_rules.py index de49c9f8f..4d7cc8075 100644 --- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/ec2_rules.py +++ b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/ec2_rules.py @@ -2,7 +2,7 @@ from enum import Enum class EC2Rules(Enum): - # Ports + # Permissive firewall rules SECURITY_GROUP_ALL_PORTS_TO_ALL = 'ec2-security-group-opens-all-ports-to-all' SECURITY_GROUP_OPENS_TCP_PORT_TO_ALL = 'ec2-security-group-opens-TCP-port-to-all' SECURITY_GROUP_OPENS_UDP_PORT_TO_ALL = 'ec2-security-group-opens-UDP-port-to-all' @@ -21,7 +21,15 @@ class EC2Rules(Enum): SECURITY_GROUP_OPENS_PLAINTEXT_PORT_FTP = 'ec2-security-group-opens-plaintext-port-FTP' SECURITY_GROUP_OPENS_PLAINTEXT_PORT_TELNET = 'ec2-security-group-opens-plaintext-port-Telnet' SECURITY_GROUP_OPENS_PORT_RANGE = 'ec2-security-group-opens-port-range' + EC2_SECURITY_GROUP_WHITELISTS_AWS = 'ec2-security-group-whitelists-aws' # Encryption - EC2_EBS_SNAPSHOT_NOT_ENCRYPTED = 'ec2-ebs-snapshot-not-encrypted' - EC2_EBS_VOLUME_NOT_ENCRYPTED = 'ec2-ebs-volume-not-encrypted' + EBS_SNAPSHOT_NOT_ENCRYPTED = 'ec2-ebs-snapshot-not-encrypted' + EBS_VOLUME_NOT_ENCRYPTED = 'ec2-ebs-volume-not-encrypted' + EC2_INSTANCE_WITH_USER_DATA_SECRETS = 'ec2-instance-with-user-data-secrets' + + # Permissive policies + AMI_PUBLIC = 'ec2-ami-public' + EC2_DEFAULT_SECURITY_GROUP_IN_USE = 'ec2-default-security-group-in-use' + EC2_DEFAULT_SECURITY_GROUP_WITH_RULES = 'ec2-default-security-group-with-rules' + EC2_EBS_SNAPSHOT_PUBLIC = 'ec2-ebs-snapshot-public' 
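Review bot: The rename `EC2_EBS_SNAPSHOT_NOT_ENCRYPTED` → `EBS_SNAPSHOT_NOT_ENCRYPTED` (and the volume twin) drops the `EC2_` prefix, yet members added in the same hunk keep it (`EC2_SECURITY_GROUP_WHITELISTS_AWS`, `EC2_INSTANCE_WITH_USER_DATA_SECRETS`, `EC2_DEFAULT_SECURITY_GROUP_*`, `EC2_EBS_SNAPSHOT_PUBLIC`) while `AMI_PUBLIC` does not, so `EC2Rules` no longer follows any naming rule; keep the prefix everywhere or drop it everywhere, since the string values already carry `ec2-`. Renaming public enum members is also a breaking change for any importer outside this patch — findings.py is updated here, nothing else is visible — and the same applies to `VPC_SUBNET_WITHOUT_FLOW_LOG` → `SUBNET_WITHOUT_FLOW_LOG` in vpc_rules.py. The `EC2Rules` class body continues outside these hunks.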
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/elb_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/elb_rules.py index f117a8d61..51a8f9d55 100644 --- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/elb_rules.py +++ b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/elb_rules.py @@ -4,3 +4,7 @@ from enum import Enum class ELBRules(Enum): # Logging ELB_NO_ACCESS_LOGS = 'elb-no-access-logs' + + # Encryption + ELB_LISTENER_ALLOWING_CLEARTEXT = 'elb-listener-allowing-cleartext' + ELB_OLDER_SSL_POLICY = 'elb-older-ssl-policy' diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/elbv2_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/elbv2_rules.py index 47f88738b..da5e1f64e 100644 --- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/elbv2_rules.py +++ b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/elbv2_rules.py @@ -8,3 +8,6 @@ class ELBv2Rules(Enum): # Logging ELBV2_NO_ACCESS_LOGS = 'elbv2-no-access-logs' + + # Data loss prevention + ELBV2_NO_DELETION_PROTECTION = 'elbv2-no-deletion-protection' diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/rds_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/rds_rules.py index 9af3a0dd2..f68400120 100644 --- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/rds_rules.py +++ b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/rds_rules.py 
@@ -9,3 +9,7 @@ class RDSRules(Enum): RDS_INSTANCE_BACKUP_DISABLED = 'rds-instance-backup-disabled' RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD = 'rds-instance-short-backup-retention-period' RDS_INSTANCE_SINGLE_AZ = 'rds-instance-single-az' + + # Firewalls + RDS_SECURITY_GROUP_ALLOWS_ALL = 'rds-security-group-allows-all' + RDS_SNAPSHOT_PUBLIC = 'rds-snapshot-public' diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/redshift_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/redshift_rules.py index 665d8b310..203b24f23 100644 --- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/redshift_rules.py +++ b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/redshift_rules.py @@ -4,3 +4,13 @@ from enum import Enum class RedshiftRules(Enum): # Encryption REDSHIFT_CLUSTER_DATABASE_NOT_ENCRYPTED = 'redshift-cluster-database-not-encrypted' + REDSHIFT_PARAMETER_GROUP_SSL_NOT_REQUIRED = 'redshift-parameter-group-ssl-not-required' + + # Firewalls + REDSHIFT_SECURITY_GROUP_WHITELISTS_ALL = 'redshift-security-group-whitelists-all' + + # Restrictive Policies + REDSHIFT_CLUSTER_PUBLICLY_ACCESSIBLE = 'redshift-cluster-publicly-accessible' + + # Logging + REDSHIFT_PARAMETER_GROUP_LOGGING_DISABLED = 'redshift-parameter-group-logging-disabled' diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/s3_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/s3_rules.py index 348d1c592..b606fb050 100644 --- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/s3_rules.py +++ b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/s3_rules.py 
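Review bot: `RDS_SNAPSHOT_PUBLIC` is filed under the new `# Firewalls` comment in rds_rules.py, but a publicly shared snapshot is a resource-sharing exposure, not a security-group rule; the heading misleads whoever later maps it to a test (and in this patch it is mapped to none). The section comments also use different vocabulary per file — `# Firewalls` here, `# Restrictive Policies` in redshift_rules.py, `# Permissive policies` in ec2_rules.py, `# Permissive access rules` in s3_rules.py — for what findings.py treats as the same two buckets; naming the sections after the findings classes (`# PERMISSIVE_FIREWALL_RULES`, `# RESTRICTIVE_POLICIES`) would make the mapping mechanical to check.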
@@ -12,3 +12,18 @@ class S3Rules(Enum): # Logging S3_BUCKET_NO_LOGGING = 's3-bucket-no-logging' + + # Permissive access rules + S3_BUCKET_AUTHENTICATEDUSERS_WRITE_ACP = 's3-bucket-AuthenticatedUsers-write_acp' + S3_BUCKET_AUTHENTICATEDUSERS_WRITE = 's3-bucket-AuthenticatedUsers-write' + S3_BUCKET_AUTHENTICATEDUSERS_READ_ACP = 's3-bucket-AuthenticatedUsers-read_acp' + S3_BUCKET_AUTHENTICATEDUSERS_READ = 's3-bucket-AuthenticatedUsers-read' + S3_BUCKET_ALLUSERS_WRITE_ACP = 's3-bucket-AllUsers-write_acp' + S3_BUCKET_ALLUSERS_WRITE = 's3-bucket-AllUsers-write' + S3_BUCKET_ALLUSERS_READ_ACP = 's3-bucket-AllUsers-read_acp' + S3_BUCKET_ALLUSERS_READ = 's3-bucket-AllUsers-read' + S3_BUCKET_WORLD_PUT_POLICY = 's3-bucket-world-Put-policy' + S3_BUCKET_WORLD_POLICY_STAR = 's3-bucket-world-policy-star' + S3_BUCKET_WORLD_LIST_POLICY = 's3-bucket-world-List-policy' + S3_BUCKET_WORLD_GET_POLICY = 's3-bucket-world-Get-policy' + S3_BUCKET_WORLD_DELETE_POLICY = 's3-bucket-world-Delete-policy' diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/ses_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/ses_rules.py new file mode 100644 index 000000000..94a9c9034 --- /dev/null +++ b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/ses_rules.py @@ -0,0 +1,8 @@ +from enum import Enum + + +class SESRules(Enum): + + # Permissive policies + SES_IDENTITY_WORLD_SENDRAWEMAIL_POLICY = 'ses-identity-world-SendRawEmail-policy' + SES_IDENTITY_WORLD_SENDEMAIL_POLICY = 'ses-identity-world-SendEmail-policy' diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/sns_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/sns_rules.py new file mode 100644 index 000000000..1193388e1 --- /dev/null +++ b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/sns_rules.py 
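Review bot: The new S3 values are mixed-case and mix `-` with `_` (`'s3-bucket-AuthenticatedUsers-write_acp'`, `'s3-bucket-world-Put-policy'`), presumably ScoutSuite's exact rule-id spelling; if matching is by exact string, a single case or separator slip makes the rule silently never match, so the finding is lost rather than reported. A comment at the top of each rule enum, e.g. `# Values are ScoutSuite rule ids — copy them verbatim from ScoutSuite's rule definitions.`, plus a unit test asserting that every member's value exists in the bundled ScoutSuite rule set, would catch that class of error for all of these files. The `S3Rules` class starts before this hunk.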
@@ -0,0 +1,13 @@
+from enum import Enum
+
+
+class SNSRules(Enum):
+
+ # Permissive policies
+ SNS_TOPIC_WORLD_SUBSCRIBE_POLICY = 'sns-topic-world-Subscribe-policy'
+ SNS_TOPIC_WORLD_SETTOPICATTRIBUTES_POLICY = 'sns-topic-world-SetTopicAttributes-policy'
+ SNS_TOPIC_WORLD_REMOVEPERMISSION_POLICY = 'sns-topic-world-RemovePermission-policy'
+ SNS_TOPIC_WORLD_RECEIVE_POLICY = 'sns-topic-world-Receive-policy'
+ SNS_TOPIC_WORLD_PUBLISH_POLICY = 'sns-topic-world-Publish-policy'
+ SNS_TOPIC_WORLD_DELETETOPIC_POLICY = 'sns-topic-world-DeleteTopic-policy'
+ SNS_TOPIC_WORLD_ADDPERMISSION_POLICY = 'sns-topic-world-AddPermission-policy'
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/sqs_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/sqs_rules.py
new file mode 100644
index 000000000..d3f512416
--- /dev/null
+++ b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/sqs_rules.py
@@ -0,0 +1,13 @@
+from enum import Enum
+
+
+class SQSRules(Enum):
+
+ # Permissive policies
+ SQS_QUEUE_WORLD_SENDMESSAGE_POLICY = 'sqs-queue-world-SendMessage-policy'
+ SQS_QUEUE_WORLD_RECEIVEMESSAGE_POLICY = 'sqs-queue-world-ReceiveMessage-policy'
+ SQS_QUEUE_WORLD_PURGEQUEUE_POLICY = 'sqs-queue-world-PurgeQueue-policy'
+ SQS_QUEUE_WORLD_GETQUEUEURL_POLICY = 'sqs-queue-world-GetQueueUrl-policy'
+ SQS_QUEUE_WORLD_GETQUEUEATTRIBUTES_POLICY = 'sqs-queue-world-GetQueueAttributes-policy'
+ SQS_QUEUE_WORLD_DELETEMESSAGE_POLICY = 'sqs-queue-world-DeleteMessage-policy'
+ SQS_QUEUE_WORLD_CHANGEMESSAGEVISIBILITY_POLICY = 'sqs-queue-world-ChangeMessageVisibility-policy'
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/vpc_rules.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/vpc_rules.py
index d114cda2c..300a76dbb 100644
--- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/vpc_rules.py
+++ b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/consts/rule_names/vpc_rules.py @@ -3,4 +3,13 @@ from enum import Enum class VPCRules(Enum): # Logging - VPC_SUBNET_WITHOUT_FLOW_LOG = 'vpc-subnet-without-flow-log' + SUBNET_WITHOUT_FLOW_LOG = 'vpc-subnet-without-flow-log' + + # Firewalls + SUBNET_WITH_ALLOW_ALL_INGRESS_ACLS = 'vpc-subnet-with-allow-all-ingress-acls' + SUBNET_WITH_ALLOW_ALL_EGRESS_ACLS = 'vpc-subnet-with-allow-all-egress-acls' + NETWORK_ACL_NOT_USED = 'vpc-network-acl-not-used' + DEFAULT_NETWORK_ACLS_ALLOW_ALL_INGRESS = 'vpc-default-network-acls-allow-all-ingress' + DEFAULT_NETWORK_ACLS_ALLOW_ALL_EGRESS = 'vpc-default-network-acls-allow-all-egress' + CUSTOM_NETWORK_ACLS_ALLOW_ALL_INGRESS = 'vpc-custom-network-acls-allow-all-ingress' + CUSTOM_NETWORK_ACLS_ALLOW_ALL_EGRESS = 'vpc-custom-network-acls-allow-all-egress' diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators/cloudformation_rule_path_creator.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators/cloudformation_rule_path_creator.py new file mode 100644 index 000000000..44961f5d5 --- /dev/null +++ b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators/cloudformation_rule_path_creator.py @@ -0,0 +1,11 @@ +from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.cloudformation_rules import CloudformationRules +from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \ + SERVICE_TYPES +from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \ + AbstractRulePathCreator + + +class CloudformationRulePathCreator(AbstractRulePathCreator): + + service_type = SERVICE_TYPES.CLOUDFORMATION + supported_rules = CloudformationRules 
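Review bot: `service_type = SERVICE_TYPES.CLOUDFORMATION` is evaluated when the class body runs, so unless `SERVICE_TYPES` already has a `CLOUDFORMATION` member the module raises `AttributeError` at import time; the diffstat shows service_consts.py is not touched by this commit, and the same holds for `SERVICE_TYPES.CONFIG`, `.SES`, `.SNS` and `.SQS` in the four sibling creators (config, ses, sns, sqs). Please confirm those members exist, or add them in the same change, since rule_path_creators_list.py imports all five creators and one missing member would take the whole rule-path builder down with it. A one-line class docstring such as `"""Resolves ScoutSuite CloudFormation rule ids to their result paths; see AbstractRulePathCreator."""` would also help, as the class body is otherwise two bare attributes.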
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators/config_rule_path_creator.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators/config_rule_path_creator.py
new file mode 100644
index 000000000..9689bd7f2
--- /dev/null
+++ b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators/config_rule_path_creator.py
@@ -0,0 +1,11 @@
+from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.config_rules import ConfigRules
+from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
+ SERVICE_TYPES
+from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
+ AbstractRulePathCreator
+
+
+class ConfigRulePathCreator(AbstractRulePathCreator):
+
+ service_type = SERVICE_TYPES.CONFIG
+ supported_rules = ConfigRules
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators/ses_rule_path_creator.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators/ses_rule_path_creator.py
new file mode 100644
index 000000000..4ffaac923
--- /dev/null
+++ b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators/ses_rule_path_creator.py
@@ -0,0 +1,11 @@
+from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.ses_rules import SESRules
+from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
+ SERVICE_TYPES
+from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
+ AbstractRulePathCreator
+
+
+class SESRulePathCreator(AbstractRulePathCreator):
+
+ service_type = SERVICE_TYPES.SES
+ supported_rules = SESRules
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators/sns_rule_path_creator.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators/sns_rule_path_creator.py
new file mode 100644
index 000000000..89eec3af9
--- /dev/null
+++ b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators/sns_rule_path_creator.py
@@ -0,0 +1,11 @@
+from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.sns_rules import SNSRules
+from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
+ SERVICE_TYPES
+from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
+ AbstractRulePathCreator
+
+
+class SNSRulePathCreator(AbstractRulePathCreator):
+
+ service_type = SERVICE_TYPES.SNS
+ supported_rules = SNSRules
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators/sqs_rule_path_creator.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators/sqs_rule_path_creator.py
new file mode 100644
index 000000000..1a9cc8c49
--- /dev/null
+++ b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators/sqs_rule_path_creator.py
@@ -0,0 +1,11 @@
+from monkey_island.cc.services.zero_trust.scoutsuite.consts.rule_names.sqs_rules import SQSRules
+from monkey_island.cc.services.zero_trust.scoutsuite.consts.service_consts import \
+ SERVICE_TYPES
+from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.abstract_rule_path_creator import \
+ AbstractRulePathCreator
+
+
+class SQSRulePathCreator(AbstractRulePathCreator):
+
+ service_type = SERVICE_TYPES.SQS
+ supported_rules = SQSRules
diff --git a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators_list.py b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators_list.py index fdb54015f..b85cce9ad 100644 --- a/monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators_list.py +++ b/monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators_list.py @@ -1,7 +1,11 @@ +from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.cloudformation_rule_path_creator import \ + CloudformationRulePathCreator from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.cloudtrail_rule_path_creator import \ CloudTrailRulePathCreator from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.cloudwatch_rule_path_creator import \ CloudWatchRulePathCreator +from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.config_rule_path_creator import \ + ConfigRulePathCreator from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.ec2_rule_path_creator import \ EC2RulePathCreator from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.elb_rule_path_creator import \ 
@@ -16,9 +20,16 @@ from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_buil RedshiftRulePathCreator from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.s3_rule_path_creator import \ S3RulePathCreator +from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.ses_rule_path_creator import \ + SESRulePathCreator +from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.sns_rule_path_creator import \ + SNSRulePathCreator +from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.sqs_rule_path_creator import \ + SQSRulePathCreator from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_building.rule_path_creators.vpc_rule_path_creator import \ VPCRulePathCreator RULE_PATH_CREATORS_LIST = [EC2RulePathCreator, ELBv2RulePathCreator, RDSRulePathCreator, RedshiftRulePathCreator, S3RulePathCreator, IAMRulePathCreator, CloudTrailRulePathCreator, ELBRulePathCreator, - VPCRulePathCreator, CloudWatchRulePathCreator] + VPCRulePathCreator, CloudWatchRulePathCreator, SQSRulePathCreator, SNSRulePathCreator, + SESRulePathCreator, ConfigRulePathCreator, CloudformationRulePathCreator]
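Review bot: The five new creators are appended to `RULE_PATH_CREATORS_LIST` in arbitrary order (`SQS, SNS, SES, Config, Cloudformation`) while the import block above is kept alphabetical, and the list is now fifteen entries wrapped across three lines, so every future addition rewrites the last line. One entry per line, in the same order as the imports, keeps the registry readable and future diffs to one line. If the consumer of this list depends on its order, a comment saying so would be worth more than either layout; nothing in the hunk indicates that it does.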