forked from p15670423/monkey
Small renamings and minor improvements
This commit is contained in:
parent
905ffd029a
commit
a0bb0bc7fe
|
@ -19,7 +19,8 @@ from .rule_names.sqs_rules import SQSRules
|
|||
from .rule_names.vpc_rules import VPCRules
|
||||
|
||||
|
||||
class ScoutSuiteFinding(ABC):
|
||||
# Class which links ZT tests and rules to ScoutSuite finding
|
||||
class ScoutSuiteFindingMap(ABC):
|
||||
@property
|
||||
@abstractmethod
|
||||
def rules(self) -> List[EC2Rules]:
|
||||
|
@ -31,7 +32,7 @@ class ScoutSuiteFinding(ABC):
|
|||
pass
|
||||
|
||||
|
||||
class PermissiveFirewallRules(ScoutSuiteFinding):
|
||||
class PermissiveFirewallRules(ScoutSuiteFindingMap):
|
||||
rules = [EC2Rules.SECURITY_GROUP_ALL_PORTS_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_TCP_PORT_TO_ALL,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_UDP_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_RDP_PORT_TO_ALL,
|
||||
EC2Rules.SECURITY_GROUP_OPENS_SSH_PORT_TO_ALL, EC2Rules.SECURITY_GROUP_OPENS_MYSQL_PORT_TO_ALL,
|
||||
|
@ -56,7 +57,7 @@ class PermissiveFirewallRules(ScoutSuiteFinding):
|
|||
test = zero_trust_consts.TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES
|
||||
|
||||
|
||||
class UnencryptedData(ScoutSuiteFinding):
|
||||
class UnencryptedData(ScoutSuiteFindingMap):
|
||||
rules = [EC2Rules.EBS_SNAPSHOT_NOT_ENCRYPTED, EC2Rules.EBS_VOLUME_NOT_ENCRYPTED,
|
||||
EC2Rules.EC2_INSTANCE_WITH_USER_DATA_SECRETS,
|
||||
ELBv2Rules.ELBV2_LISTENER_ALLOWING_CLEARTEXT, ELBv2Rules.ELBV2_OLDER_SSL_POLICY,
|
||||
|
@ -69,7 +70,7 @@ class UnencryptedData(ScoutSuiteFinding):
|
|||
test = zero_trust_consts.TEST_SCOUTSUITE_UNENCRYPTED_DATA
|
||||
|
||||
|
||||
class DataLossPrevention(ScoutSuiteFinding):
|
||||
class DataLossPrevention(ScoutSuiteFindingMap):
|
||||
rules = [RDSRules.RDS_INSTANCE_BACKUP_DISABLED, RDSRules.RDS_INSTANCE_SHORT_BACKUP_RETENTION_PERIOD,
|
||||
RDSRules.RDS_INSTANCE_SINGLE_AZ, S3Rules.S3_BUCKET_NO_MFA_DELETE, S3Rules.S3_BUCKET_NO_VERSIONING,
|
||||
ELBv2Rules.ELBV2_NO_DELETION_PROTECTION]
|
||||
|
@ -77,7 +78,7 @@ class DataLossPrevention(ScoutSuiteFinding):
|
|||
test = zero_trust_consts.TEST_SCOUTSUITE_DATA_LOSS_PREVENTION
|
||||
|
||||
|
||||
class SecureAuthentication(ScoutSuiteFinding):
|
||||
class SecureAuthentication(ScoutSuiteFindingMap):
|
||||
rules = [
|
||||
IAMRules.IAM_USER_NO_ACTIVE_KEY_ROTATION,
|
||||
IAMRules.IAM_PASSWORD_POLICY_MINIMUM_LENGTH,
|
||||
|
@ -95,7 +96,7 @@ class SecureAuthentication(ScoutSuiteFinding):
|
|||
test = zero_trust_consts.TEST_SCOUTSUITE_SECURE_AUTHENTICATION
|
||||
|
||||
|
||||
class RestrictivePolicies(ScoutSuiteFinding):
|
||||
class RestrictivePolicies(ScoutSuiteFindingMap):
|
||||
rules = [
|
||||
IAMRules.IAM_ASSUME_ROLE_POLICY_ALLOWS_ALL,
|
||||
IAMRules.IAM_EC2_ROLE_WITHOUT_INSTANCES,
|
||||
|
@ -157,7 +158,7 @@ class RestrictivePolicies(ScoutSuiteFinding):
|
|||
test = zero_trust_consts.TEST_SCOUTSUITE_RESTRICTIVE_POLICIES
|
||||
|
||||
|
||||
class Logging(ScoutSuiteFinding):
|
||||
class Logging(ScoutSuiteFindingMap):
|
||||
rules = [
|
||||
CloudTrailRules.CLOUDTRAIL_DUPLICATED_GLOBAL_SERVICES_LOGGING,
|
||||
CloudTrailRules.CLOUDTRAIL_NO_DATA_LOGGING,
|
||||
|
@ -177,7 +178,7 @@ class Logging(ScoutSuiteFinding):
|
|||
test = zero_trust_consts.TEST_SCOUTSUITE_LOGGING
|
||||
|
||||
|
||||
class ServiceSecurity(ScoutSuiteFinding):
|
||||
class ServiceSecurity(ScoutSuiteFindingMap):
|
||||
rules = [
|
||||
CloudformationRules.CLOUDFORMATION_STACK_WITH_ROLE,
|
||||
ELBv2Rules.ELBV2_HTTP_REQUEST_SMUGGLING,
|
|
@ -1,4 +1,4 @@
|
|||
from .scoutsuite_findings import (DataLossPrevention, Logging,
|
||||
from .scoutsuite_finding_maps import (DataLossPrevention, Logging,
|
||||
PermissiveFirewallRules,
|
||||
RestrictivePolicies,
|
||||
SecureAuthentication, ServiceSecurity,
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
from enum import Enum
|
||||
|
||||
import dpath.util
|
||||
|
||||
from common.utils.exceptions import RulePathCreatorNotFound
|
||||
|
@ -5,22 +7,33 @@ from monkey_island.cc.services.zero_trust.scoutsuite.data_parsing.rule_path_buil
|
|||
RULE_PATH_CREATORS_LIST
|
||||
|
||||
|
||||
def __build_rule_to_rule_path_creator_hashmap():
|
||||
hashmap = {}
|
||||
for rule_path_creator in RULE_PATH_CREATORS_LIST:
|
||||
for rule_name in rule_path_creator.supported_rules:
|
||||
hashmap[rule_name] = rule_path_creator
|
||||
return hashmap
|
||||
|
||||
|
||||
RULE_TO_RULE_PATH_CREATOR_HASHMAP = __build_rule_to_rule_path_creator_hashmap()
|
||||
|
||||
|
||||
class RuleParser:
|
||||
|
||||
@staticmethod
|
||||
def get_rule_data(scoutsuite_data, rule_name):
|
||||
rule_path = RuleParser.get_rule_path(rule_name)
|
||||
def get_rule_data(scoutsuite_data: dict, rule_name: Enum) -> dict:
|
||||
rule_path = RuleParser._get_rule_path(rule_name)
|
||||
return dpath.util.get(scoutsuite_data, rule_path)
|
||||
|
||||
@staticmethod
|
||||
def get_rule_path(rule_name):
|
||||
creator = RuleParser.get_rule_path_creator(rule_name)
|
||||
def _get_rule_path(rule_name: Enum):
|
||||
creator = RuleParser._get_rule_path_creator(rule_name)
|
||||
return creator.build_rule_path(rule_name)
|
||||
|
||||
@staticmethod
|
||||
def get_rule_path_creator(rule_name):
|
||||
for rule_path_creator in RULE_PATH_CREATORS_LIST:
|
||||
if rule_name in rule_path_creator.supported_rules:
|
||||
return rule_path_creator
|
||||
def _get_rule_path_creator(rule_name: Enum):
|
||||
try:
|
||||
return RULE_TO_RULE_PATH_CREATOR_HASHMAP[rule_name]
|
||||
except KeyError:
|
||||
raise RulePathCreatorNotFound(f"Rule path creator not found for rule {rule_name.value}. Make sure to assign"
|
||||
f"this rule to any rule path creators.")
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
from abc import ABC, abstractmethod
|
||||
from enum import Enum
|
||||
from typing import List
|
||||
|
||||
from ...consts.service_consts import FINDINGS, SERVICE_TYPES, SERVICES
|
||||
|
@ -17,6 +18,6 @@ class AbstractRulePathCreator(ABC):
|
|||
pass
|
||||
|
||||
@classmethod
|
||||
def build_rule_path(cls, rule_name) -> List[str]:
|
||||
def build_rule_path(cls, rule_name: Enum) -> List[str]:
|
||||
assert(rule_name in cls.supported_rules)
|
||||
return [SERVICES, cls.service_type.value, FINDINGS, rule_name.value]
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
from monkey_island.cc.models.zero_trust.scoutsuite_finding_details import ScoutSuiteFindingDetails
|
||||
from monkey_island.cc.models.zero_trust.scoutsuite_rule import ScoutSuiteRule
|
||||
from ..scoutsuite.consts.scoutsuite_findings import PermissiveFirewallRules, UnencryptedData
|
||||
from ..scoutsuite.consts.scoutsuite_finding_maps import PermissiveFirewallRules, UnencryptedData
|
||||
|
||||
SCOUTSUITE_FINDINGS = [
|
||||
PermissiveFirewallRules,
|
||||
|
|
Loading…
Reference in New Issue