p59342861
/
monkey
forked from p15670423/monkey
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

* added dynamic region lookup 

* building the product ARN dynamically
* Resource type is now Other in case we dont have instance_id
This commit is contained in:
maor.rayzin 2018-11-28 13:27:35 +02:00
parent 7d94185a10
commit bdecc7ade6
2 changed files with 176 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

253
monkey/monkey_island/cc/resources/aws_exporter.py
View File

@ -7,6 +7,7 @@ from botocore.exceptions import UnknownServiceError
from cc.resources.exporter import Exporter from cc.resources.exporter import Exporter
from cc.services.config import ConfigService from cc.services.config import ConfigService
from cc.environment.environment import load_server_configuration_from_file from cc.environment.environment import load_server_configuration_from_file
from common.cloud.aws import AWS
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -75,7 +76,9 @@ class AWSExporter(Exporter):
# azure and conficker are not relevant issues for an AWS env # azure and conficker are not relevant issues for an AWS env
} }
product_arn = load_server_configuration_from_file()['aws'].get('sec_hub_product_arn', '') aws = AWS()
configured_product_arn = load_server_configuration_from_file()['aws'].get('sec_hub_product_arn', '')
product_arn = 'arn:aws:securityhub:{region}:{arn}'.format(region=aws.get_region(), arn=configured_product_arn)
account_id = AWSExporter._get_aws_keys().get('aws_account_id', '') account_id = AWSExporter._get_aws_keys().get('aws_account_id', '')
finding = { finding = {
@ -118,10 +121,7 @@ class AWSExporter(Exporter):
{"Severity": { {"Severity": {
"Product": 5, "Product": 5,
"Normalized": 100 "Normalized": 100
}, "Resources": [{ }, "RecordState": "ACTIVE",
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}], "RecordState": "ACTIVE",
"Title": "Weak segmentation - Machines were able to communicate over unused ports.", "Title": "Weak segmentation - Machines were able to communicate over unused ports.",
"Description": "Use micro-segmentation policies to disable communication other than the required.", "Description": "Use micro-segmentation policies to disable communication other than the required.",
"Remediation": { "Remediation": {
@ -131,6 +131,14 @@ class AWSExporter(Exporter):
} }
}} }}
if 'aws_instance_id' in issue:
finding["Resources"] = [{
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}]
else:
finding["Resources"] = [{'Type': 'Other'}]
return finding return finding
@staticmethod @staticmethod
@ -139,18 +147,23 @@ class AWSExporter(Exporter):
{"Severity": { {"Severity": {
"Product": 10, "Product": 10,
"Normalized": 100 "Normalized": 100
}, "Resources": [{ }, "RecordState": "ACTIVE", "Title": "Samba servers are vulnerable to 'SambaCry'",
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}], "RecordState": "ACTIVE", "Title": "Samba servers are vulnerable to 'SambaCry'",
"Description": "Change {0} password to a complex one-use password that is not shared with other computers on the network. Update your Samba server to 4.4.14 and up, 4.5.10 and up, or 4.6.4 and up." \ "Description": "Change {0} password to a complex one-use password that is not shared with other computers on the network. Update your Samba server to 4.4.14 and up, 4.5.10 and up, or 4.6.4 and up." \
.format(issue['username']), "Remediation": { .format(issue['username']), "Remediation": {
"Recommendation": { "Recommendation": {
"Text": "The machine {0} ({1}) is vulnerable to a SambaCry attack. The Monkey authenticated over the SMB protocol with user {2} and its password, and used the SambaCry vulnerability.".format( "Text": "The machine {0} ({1}) is vulnerable to a SambaCry attack. The Monkey authenticated over the SMB protocol with user {2} and its password, and used the SambaCry vulnerability.".format(
issue['machine'], issue['ip_address'], issue['username']) issue['machine'], issue['ip_address'], issue['username'])
} }
}} }}
if 'aws_instance_id' in issue:
finding["Resources"] = [{
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}]
else:
finding["Resources"] = [{'Type': 'Other'}]
return finding return finding
@staticmethod @staticmethod
@ -159,10 +172,7 @@ class AWSExporter(Exporter):
{"Severity": { {"Severity": {
"Product": 5, "Product": 5,
"Normalized": 100 "Normalized": 100
}, "Resources": [{ }, "RecordState": "ACTIVE",
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}], "RecordState": "ACTIVE",
"Title": "Machines are accessible using passwords supplied by the user during the Monkey's configuration.", "Title": "Machines are accessible using passwords supplied by the user during the Monkey's configuration.",
"Description": "Change {0}'s password to a complex one-use password that is not shared with other computers on the network.".format( "Description": "Change {0}'s password to a complex one-use password that is not shared with other computers on the network.".format(
issue['username']), "Remediation": { issue['username']), "Remediation": {
@ -172,6 +182,14 @@ class AWSExporter(Exporter):
} }
}} }}
if 'aws_instance_id' in issue:
finding["Resources"] = [{
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}]
else:
finding["Resources"] = [{'Type': 'Other'}]
return finding return finding
@staticmethod @staticmethod
@ -180,10 +198,7 @@ class AWSExporter(Exporter):
{"Severity": { {"Severity": {
"Product": 1, "Product": 1,
"Normalized": 100 "Normalized": 100
}, "Resources": [{ }, "RecordState": "ACTIVE",
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}], "RecordState": "ACTIVE",
"Title": "Machines are accessible using SSH passwords supplied by the user during the Monkey's configuration.", "Title": "Machines are accessible using SSH passwords supplied by the user during the Monkey's configuration.",
"Description": "Change {0}'s password to a complex one-use password that is not shared with other computers on the network.".format( "Description": "Change {0}'s password to a complex one-use password that is not shared with other computers on the network.".format(
issue['username']), "Remediation": { issue['username']), "Remediation": {
@ -193,6 +208,14 @@ class AWSExporter(Exporter):
} }
}} }}
if 'aws_instance_id' in issue:
finding["Resources"] = [{
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}]
else:
finding["Resources"] = [{'Type': 'Other'}]
return finding return finding
@staticmethod @staticmethod
@ -201,10 +224,7 @@ class AWSExporter(Exporter):
{"Severity": { {"Severity": {
"Product": 1, "Product": 1,
"Normalized": 100 "Normalized": 100
}, "Resources": [{ }, "RecordState": "ACTIVE",
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}], "RecordState": "ACTIVE",
"Title": "Machines are accessible using SSH passwords supplied by the user during the Monkey's configuration.", "Title": "Machines are accessible using SSH passwords supplied by the user during the Monkey's configuration.",
"Description": "Protect {ssh_key} private key with a pass phrase.".format(ssh_key=issue['ssh_key']), "Description": "Protect {ssh_key} private key with a pass phrase.".format(ssh_key=issue['ssh_key']),
"Remediation": { "Remediation": {
@ -214,6 +234,13 @@ class AWSExporter(Exporter):
} }
}} }}
if 'aws_instance_id' in issue:
finding["Resources"] = [{
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}]
else:
finding["Resources"] = [{'Type': 'Other'}]
return finding return finding
@staticmethod @staticmethod
@ -222,10 +249,7 @@ class AWSExporter(Exporter):
{"Severity": { {"Severity": {
"Product": 10, "Product": 10,
"Normalized": 100 "Normalized": 100
}, "Resources": [{ }, "RecordState": "ACTIVE", "Title": "Elasticsearch servers are vulnerable to CVE-2015-1427",
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}], "RecordState": "ACTIVE", "Title": "Elasticsearch servers are vulnerable to CVE-2015-1427",
"Description": "Update your Elastic Search server to version 1.4.3 and up.", "Remediation": { "Description": "Update your Elastic Search server to version 1.4.3 and up.", "Remediation": {
"Recommendation": { "Recommendation": {
"Text": "The machine {0}({1}) is vulnerable to an Elastic Groovy attack. The attack was made possible because the Elastic Search server was not patched against CVE-2015-1427.".format( "Text": "The machine {0}({1}) is vulnerable to an Elastic Groovy attack. The attack was made possible because the Elastic Search server was not patched against CVE-2015-1427.".format(
@ -233,6 +257,14 @@ class AWSExporter(Exporter):
} }
}} }}
if 'aws_instance_id' in issue:
finding["Resources"] = [{
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}]
else:
finding["Resources"] = [{'Type': 'Other'}]
return finding return finding
@staticmethod @staticmethod
@ -241,10 +273,7 @@ class AWSExporter(Exporter):
{"Severity": { {"Severity": {
"Product": 1, "Product": 1,
"Normalized": 100 "Normalized": 100
}, "Resources": [{ }, "RecordState": "ACTIVE",
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}], "RecordState": "ACTIVE",
"Title": "Weak segmentation - Machines from different segments are able to communicate.", "Title": "Weak segmentation - Machines from different segments are able to communicate.",
"Description": "Segment your network and make sure there is no communication between machines from different segments.", "Description": "Segment your network and make sure there is no communication between machines from different segments.",
"Remediation": { "Remediation": {
@ -257,6 +286,14 @@ class AWSExporter(Exporter):
} }
}} }}
if 'aws_instance_id' in issue:
finding["Resources"] = [{
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}]
else:
finding["Resources"] = [{'Type': 'Other'}]
return finding return finding
@staticmethod @staticmethod
@ -265,10 +302,7 @@ class AWSExporter(Exporter):
{"Severity": { {"Severity": {
"Product": 1, "Product": 1,
"Normalized": 100 "Normalized": 100
}, "Resources": [{ }, "RecordState": "ACTIVE", "Title": "Multiple users have the same password",
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}], "RecordState": "ACTIVE", "Title": "Multiple users have the same password",
"Description": "Some users are sharing passwords, this should be fixed by changing passwords.", "Description": "Some users are sharing passwords, this should be fixed by changing passwords.",
"Remediation": { "Remediation": {
"Recommendation": { "Recommendation": {
@ -276,6 +310,14 @@ class AWSExporter(Exporter):
} }
}} }}
if 'aws_instance_id' in issue:
finding["Resources"] = [{
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}]
else:
finding["Resources"] = [{'Type': 'Other'}]
return finding return finding
@staticmethod @staticmethod
@ -284,10 +326,7 @@ class AWSExporter(Exporter):
{"Severity": { {"Severity": {
"Product": 10, "Product": 10,
"Normalized": 100 "Normalized": 100
}, "Resources": [{ }, "RecordState": "ACTIVE", "Title": "Machines are vulnerable to 'Shellshock'",
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}], "RecordState": "ACTIVE", "Title": "Machines are vulnerable to 'Shellshock'",
"Description": "Update your Bash to a ShellShock-patched version.", "Remediation": { "Description": "Update your Bash to a ShellShock-patched version.", "Remediation": {
"Recommendation": { "Recommendation": {
"Text": "The machine {0} ({1}) is vulnerable to a ShellShock attack. " "Text": "The machine {0} ({1}) is vulnerable to a ShellShock attack. "
@ -296,6 +335,14 @@ class AWSExporter(Exporter):
} }
}} }}
if 'aws_instance_id' in issue:
finding["Resources"] = [{
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}]
else:
finding["Resources"] = [{'Type': 'Other'}]
return finding return finding
@staticmethod @staticmethod
@ -304,10 +351,7 @@ class AWSExporter(Exporter):
{"Severity": { {"Severity": {
"Product": 1, "Product": 1,
"Normalized": 100 "Normalized": 100
}, "Resources": [{ }, "RecordState": "ACTIVE",
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}], "RecordState": "ACTIVE",
"Title": "Machines are accessible using passwords supplied by the user during the Monkey's configuration.", "Title": "Machines are accessible using passwords supplied by the user during the Monkey's configuration.",
"Description": "Change {0}'s password to a complex one-use password that is not shared with other computers on the network.".format( "Description": "Change {0}'s password to a complex one-use password that is not shared with other computers on the network.".format(
issue['username']), "Remediation": { issue['username']), "Remediation": {
@ -317,6 +361,14 @@ class AWSExporter(Exporter):
} }
}} }}
if 'aws_instance_id' in issue:
finding["Resources"] = [{
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}]
else:
finding["Resources"] = [{'Type': 'Other'}]
return finding return finding
@staticmethod @staticmethod
@ -325,10 +377,7 @@ class AWSExporter(Exporter):
{"Severity": { {"Severity": {
"Product": 1, "Product": 1,
"Normalized": 100 "Normalized": 100
}, "Resources": [{ }, "RecordState": "ACTIVE",
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}], "RecordState": "ACTIVE",
"Title": "Machines are accessible using passwords supplied by the user during the Monkey's configuration.", "Title": "Machines are accessible using passwords supplied by the user during the Monkey's configuration.",
"Description": "Change {0}'s password to a complex one-use password that is not shared with other computers on the network.", "Description": "Change {0}'s password to a complex one-use password that is not shared with other computers on the network.",
"Remediation": { "Remediation": {
@ -338,6 +387,14 @@ class AWSExporter(Exporter):
} }
}} }}
if 'aws_instance_id' in issue:
finding["Resources"] = [{
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}]
else:
finding["Resources"] = [{'Type': 'Other'}]
return finding return finding
@staticmethod @staticmethod
@ -346,10 +403,7 @@ class AWSExporter(Exporter):
{"Severity": { {"Severity": {
"Product": 1, "Product": 1,
"Normalized": 100 "Normalized": 100
}, "Resources": [{ }, "RecordState": "ACTIVE",
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}], "RecordState": "ACTIVE",
"Title": "Machines are accessible using passwords supplied by the user during the Monkey's configuration.", "Title": "Machines are accessible using passwords supplied by the user during the Monkey's configuration.",
"Description": "Change {0}'s password to a complex one-use password that is not shared with other computers on the network.".format( "Description": "Change {0}'s password to a complex one-use password that is not shared with other computers on the network.".format(
issue['username']), "Remediation": { issue['username']), "Remediation": {
@ -359,6 +413,14 @@ class AWSExporter(Exporter):
} }
}} }}
if 'aws_instance_id' in issue:
finding["Resources"] = [{
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}]
else:
finding["Resources"] = [{'Type': 'Other'}]
return finding return finding
@staticmethod @staticmethod
@ -367,10 +429,7 @@ class AWSExporter(Exporter):
{"Severity": { {"Severity": {
"Product": 1, "Product": 1,
"Normalized": 100 "Normalized": 100
}, "Resources": [{ }, "RecordState": "ACTIVE",
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}], "RecordState": "ACTIVE",
"Title": "Machines are accessible using passwords supplied by the user during the Monkey's configuration.", "Title": "Machines are accessible using passwords supplied by the user during the Monkey's configuration.",
"Description": "Change {0}'s password to a complex one-use password that is not shared with other computers on the network.".format( "Description": "Change {0}'s password to a complex one-use password that is not shared with other computers on the network.".format(
issue['username']), "Remediation": { issue['username']), "Remediation": {
@ -380,6 +439,14 @@ class AWSExporter(Exporter):
} }
}} }}
if 'aws_instance_id' in issue:
finding["Resources"] = [{
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}]
else:
finding["Resources"] = [{'Type': 'Other'}]
return finding return finding
@staticmethod @staticmethod
@ -388,10 +455,7 @@ class AWSExporter(Exporter):
{"Severity": { {"Severity": {
"Product": 1, "Product": 1,
"Normalized": 100 "Normalized": 100
}, "Resources": [{ }, "RecordState": "ACTIVE", "Title": "Multiple users have the same password.",
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}], "RecordState": "ACTIVE", "Title": "Multiple users have the same password.",
"Description": "Some domain users are sharing passwords, this should be fixed by changing passwords.", "Description": "Some domain users are sharing passwords, this should be fixed by changing passwords.",
"Remediation": { "Remediation": {
"Recommendation": { "Recommendation": {
@ -400,6 +464,14 @@ class AWSExporter(Exporter):
} }
}} }}
if 'aws_instance_id' in issue:
finding["Resources"] = [{
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}]
else:
finding["Resources"] = [{'Type': 'Other'}]
return finding return finding
@staticmethod @staticmethod
@ -408,10 +480,7 @@ class AWSExporter(Exporter):
{"Severity": { {"Severity": {
"Product": 1, "Product": 1,
"Normalized": 100 "Normalized": 100
}, "Resources": [{ }, "RecordState": "ACTIVE",
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}], "RecordState": "ACTIVE",
"Title": "Shared local administrator account - Different machines have the same account as a local administrator.", "Title": "Shared local administrator account - Different machines have the same account as a local administrator.",
"Description": "Make sure the right administrator accounts are managing the right machines, and that there isn\'t an unintentional local admin sharing.", "Description": "Make sure the right administrator accounts are managing the right machines, and that there isn\'t an unintentional local admin sharing.",
"Remediation": { "Remediation": {
@ -421,6 +490,14 @@ class AWSExporter(Exporter):
} }
}} }}
if 'aws_instance_id' in issue:
finding["Resources"] = [{
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}]
else:
finding["Resources"] = [{'Type': 'Other'}]
return finding return finding
@staticmethod @staticmethod
@ -429,10 +506,7 @@ class AWSExporter(Exporter):
{"Severity": { {"Severity": {
"Product": 1, "Product": 1,
"Normalized": 100 "Normalized": 100
}, "Resources": [{ }, "RecordState": "ACTIVE",
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}], "RecordState": "ACTIVE",
"Title": "Mimikatz found login credentials of a user who has admin access to a server defined as critical.", "Title": "Mimikatz found login credentials of a user who has admin access to a server defined as critical.",
"Description": "This critical machine is open to attacks via strong users with access to it.", "Description": "This critical machine is open to attacks via strong users with access to it.",
"Remediation": { "Remediation": {
@ -442,6 +516,14 @@ class AWSExporter(Exporter):
} }
}} }}
if 'aws_instance_id' in issue:
finding["Resources"] = [{
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}]
else:
finding["Resources"] = [{'Type': 'Other'}]
return finding return finding
@staticmethod @staticmethod
@ -450,10 +532,7 @@ class AWSExporter(Exporter):
{"Severity": { {"Severity": {
"Product": 10, "Product": 10,
"Normalized": 100 "Normalized": 100
}, "Resources": [{ }, "RecordState": "ACTIVE", "Title": "Struts2 servers are vulnerable to remote code execution.",
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}], "RecordState": "ACTIVE", "Title": "Struts2 servers are vulnerable to remote code execution.",
"Description": "Upgrade Struts2 to version 2.3.32 or 2.5.10.1 or any later versions.", "Remediation": { "Description": "Upgrade Struts2 to version 2.3.32 or 2.5.10.1 or any later versions.", "Remediation": {
"Recommendation": { "Recommendation": {
"Text": "Struts2 server at {machine} ({ip_address}) is vulnerable to remote code execution attack." "Text": "Struts2 server at {machine} ({ip_address}) is vulnerable to remote code execution attack."
@ -462,6 +541,14 @@ class AWSExporter(Exporter):
} }
}} }}
if 'aws_instance_id' in issue:
finding["Resources"] = [{
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}]
else:
finding["Resources"] = [{'Type': 'Other'}]
return finding return finding
@staticmethod @staticmethod
@ -470,10 +557,7 @@ class AWSExporter(Exporter):
{"Severity": { {"Severity": {
"Product": 10, "Product": 10,
"Normalized": 100 "Normalized": 100
}, "Resources": [{ }, "RecordState": "ACTIVE", "Title": "Oracle WebLogic servers are vulnerable to remote code execution.",
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}], "RecordState": "ACTIVE", "Title": "Oracle WebLogic servers are vulnerable to remote code execution.",
"Description": "Install Oracle critical patch updates. Or update to the latest version. " \ "Description": "Install Oracle critical patch updates. Or update to the latest version. " \
"Vulnerable versions are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.", "Vulnerable versions are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.",
"Remediation": { "Remediation": {
@ -484,6 +568,14 @@ class AWSExporter(Exporter):
} }
}} }}
if 'aws_instance_id' in issue:
finding["Resources"] = [{
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}]
else:
finding["Resources"] = [{'Type': 'Other'}]
return finding return finding
@staticmethod @staticmethod
@ -492,10 +584,7 @@ class AWSExporter(Exporter):
{"Severity": { {"Severity": {
"Product": 10, "Product": 10,
"Normalized": 100 "Normalized": 100
}, "Resources": [{ }, "RecordState": "ACTIVE", "Title": "Hadoop/Yarn servers are vulnerable to remote code execution.",
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}], "RecordState": "ACTIVE", "Title": "Hadoop/Yarn servers are vulnerable to remote code execution.",
"Description": "Run Hadoop in secure mode, add Kerberos authentication.", "Remediation": { "Description": "Run Hadoop in secure mode, add Kerberos authentication.", "Remediation": {
"Recommendation": { "Recommendation": {
"Text": "The Hadoop server at {machine} ({ip_address}) is vulnerable to remote code execution attack." "Text": "The Hadoop server at {machine} ({ip_address}) is vulnerable to remote code execution attack."
@ -503,4 +592,12 @@ class AWSExporter(Exporter):
} }
}} }}
if 'aws_instance_id' in issue:
finding["Resources"] = [{
"Type": "AwsEc2Instance",
"Id": issue['aws_instance_id']
}]
else:
finding["Resources"] = [{'Type': 'Other'}]
return finding return finding

2
monkey/monkey_island/cc/server_config.json
View File

@ -1,6 +1,6 @@
{ {
"server_config": "standard", "server_config": "standard",
"aws": { "aws": {
"sec_hub_product_arn": "arn:aws:securityhub:eu-west-2:324264561773:product/guardicore/aws-infection-monkey" "sec_hub_product_arn": "324264561773:product/guardicore/aws-infection-monkey"
} }
} }