From 9aed4942d4d575f386945ab71820a5fdf7a8d5d0 Mon Sep 17 00:00:00 2001
From: Amndeep Singh Mann
Date: Thu, 20 May 2021 14:09:03 -0400
Subject: [PATCH] Added support for scout suite AWS scanning (#96)
---
 .github/workflows/build.yml | 6 +
 .rubocop_todo.yml | 38 ++--
 README.md | 17 ++
 lib/data/scoutsuite-nist-mapping.csv | 140 ++++++++++++++
 lib/heimdall_tools.rb | 1 +
 lib/heimdall_tools/aws_config_mapper.rb | 8 +-
 lib/heimdall_tools/cli.rb | 11 ++
 lib/heimdall_tools/help/scoutsuite_mapper.md | 7 +
 lib/heimdall_tools/scoutsuite_mapper.rb | 180 ++++++++++++++++++
 lib/heimdall_tools/zap_mapper.rb | 2 -
 .../sample_input_jsons/scoutsuite_sample.js | 2 +
 .../scoutsuite_mapper/scoutsuite_hdf.json | 1 +
 12 files changed, 380 insertions(+), 33 deletions(-)
 create mode 100644 lib/data/scoutsuite-nist-mapping.csv
 create mode 100644 lib/heimdall_tools/help/scoutsuite_mapper.md
 create mode 100644 lib/heimdall_tools/scoutsuite_mapper.rb
 create mode 100644 sample_jsons/scoutsuite_mapper/sample_input_jsons/scoutsuite_sample.js
 create mode 100644 sample_jsons/scoutsuite_mapper/scoutsuite_hdf.json
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index cd2ff81..d003ce0 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -74,3 +74,9 @@ jobs:
 jq 'del(.version, .platform.release)' nessus.json-ip-10-10-23-102.json > nessus_jq.json
 jq 'del(.version, .platform.release)' ./sample_jsons/nessus_mapper/nessus_sample_hdf.json > nessus_sample_hdf.json
 diff nessus_sample_hdf.json nessus_jq.json
+ - name: Test scoutsuite mapper
+ run: |
+ heimdall_tools scoutsuite_mapper -i ./sample_jsons/scoutsuite_mapper/sample_input_jsons/scoutsuite_sample.js -o scoutsuite_output.json
+ jq 'del(.version, .platform.release)' scoutsuite_output.json > scoutsuite_output_jq.json
+ jq 'del(.version, .platform.release)' ./sample_jsons/scoutsuite_mapper/scoutsuite_hdf.json > scoutsuite_sample.json
+ diff scoutsuite_sample.json scoutsuite_output_jq.json
diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml index 042b625..db392ab 100644 --- a/.rubocop_todo.yml +++ b/.rubocop_todo.yml @@ -1,6 +1,6 @@ # This configuration was generated by # `rubocop --auto-gen-config` -# on 2021-03-16 17:26:37 UTC using RuboCop version 1.11.0. +# on 2021-05-18 15:11:52 UTC using RuboCop version 1.14.0. # The point is for the user to remove these configuration records # one by one as the offenses are removed from the code base. # Note that changes in the inspected code, or installation of new @@ -19,11 +19,10 @@ Lint/DuplicateBranch: Exclude: - 'lib/heimdall_tools/dbprotect_mapper.rb' -# Offense count: 3 +# Offense count: 2 # Configuration parameters: MaximumRangeSize. Lint/MissingCopEnableDirective: Exclude: - - 'lib/heimdall_tools/burpsuite_mapper.rb' - 'lib/heimdall_tools/nessus_mapper.rb' - 'lib/heimdall_tools/zap_mapper.rb' @@ -39,16 +38,10 @@ Lint/UnusedMethodArgument: Exclude: - 'lib/heimdall_tools/hdf.rb' -# Offense count: 2 -# Configuration parameters: CheckForMethodsWithNoSideEffects. -Lint/Void: - Exclude: - - 'lib/heimdall_tools/aws_config_mapper.rb' - -# Offense count: 20 +# Offense count: 32 # Configuration parameters: IgnoredMethods, CountRepeatedAttributes. Metrics/AbcSize: - Max: 56 + Max: 73 # Offense count: 4 # Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods. @@ -61,17 +54,17 @@ Metrics/BlockLength: Metrics/BlockNesting: Max: 5 -# Offense count: 6 +# Offense count: 8 # Configuration parameters: CountComments, CountAsOne. Metrics/ClassLength: Max: 171 -# Offense count: 7 +# Offense count: 10 # Configuration parameters: IgnoredMethods. Metrics/CyclomaticComplexity: Max: 17 -# Offense count: 32 +# Offense count: 38 # Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods. Metrics/MethodLength: Max: 52 
@@ -81,7 +74,7 @@ Metrics/MethodLength: Metrics/ParameterLists: Max: 18 -# Offense count: 6 +# Offense count: 8 # Configuration parameters: IgnoredMethods. Metrics/PerceivedComplexity: Max: 17 @@ -106,7 +99,7 @@ Naming/VariableName: Exclude: - 'lib/heimdall_tools/burpsuite_mapper.rb' -# Offense count: 8 +# Offense count: 12 # Configuration parameters: AllowedVariables. Style/GlobalVars: Exclude: @@ -114,21 +107,12 @@ Style/GlobalVars: - 'lib/heimdall_tools/nessus_mapper.rb' - 'lib/heimdall_tools/nikto_mapper.rb' - 'lib/heimdall_tools/sarif_mapper.rb' + - 'lib/heimdall_tools/scoutsuite_mapper.rb' - 'lib/heimdall_tools/snyk_mapper.rb' -# Offense count: 10 +# Offense count: 1 # Configuration parameters: AllowedMethods. # AllowedMethods: respond_to_missing? Style/OptionalBooleanParameter: Exclude: - - 'lib/heimdall_tools/aws_config_mapper.rb' - - 'lib/heimdall_tools/burpsuite_mapper.rb' - - 'lib/heimdall_tools/dbprotect_mapper.rb' - - 'lib/heimdall_tools/fortify_mapper.rb' - - 'lib/heimdall_tools/jfrog_xray_mapper.rb' - - 'lib/heimdall_tools/nessus_mapper.rb' - - 'lib/heimdall_tools/netsparker_mapper.rb' - - 'lib/heimdall_tools/nikto_mapper.rb' - 'lib/heimdall_tools/sarif_mapper.rb' - - 'lib/heimdall_tools/snyk_mapper.rb' - - 'lib/heimdall_tools/zap_mapper.rb' diff --git a/README.md b/README.md index aeb602a..0930be6 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,7 @@ HeimdallTools supplies several methods to convert output from various tools to " - **aws_config_mapper** - assess, audit, and evaluate AWS resources - **netsparker_mapper** - web application security scanner - **sarif_mapper** - static analysis results interchange format +- **scoutsuite_mapper** - multi-cloud security auditing tool ## Want to recommend a mapper for another tool? Please use these steps: 1. Create an [issue](https://github.com/mitre/heimdall_tools/issues/new), and email saf@groups.mitre.org citing the issue link so we can help 
@@ -202,6 +203,22 @@ FLAGS: example: heimdall_tools nikto_mapper -j nikto_results.json -o nikto_results.json ``` +## scoutsuite_mapper + +scoutsuite_mapper translates Scout Suite results from Javascript to HDF-formatted JSON so as to be viewable on Heimdall + +Note: Currently this mapper only supports AWS. + +``` +USAGE: heimdall_tools scoutsuite_mapper -i -o + +FLAGS: + -i --input -j --javascript : path to Scout Suite results Javascript file. + -o --output : path to output scan-results json. + +example: heimdall_tools scoutsuite_mapper -i scoutsuite_results.js -o scoutsuite_hdf.json +``` + ## jfrog_xray_mapper jfrog_xray_mapper translates an JFrog Xray results JSON file into HDF format JSON to be viewable in Heimdall diff --git a/lib/data/scoutsuite-nist-mapping.csv b/lib/data/scoutsuite-nist-mapping.csv new file mode 100644 index 0000000..78bb67a --- /dev/null +++ b/lib/data/scoutsuite-nist-mapping.csv 
@@ -0,0 +1,140 @@
+rule,nistid
+acm-certificate-with-close-expiration-date,SC-12
+acm-certificate-with-transparency-logging-disabled,SC-12
+cloudformation-stack-with-role,AC-6
+cloudtrail-duplicated-global-services-logging,AU-6
+cloudtrail-no-cloudwatch-integration,AU-12|SI-4(2)
+cloudtrail-no-data-logging,AU-12
+cloudtrail-no-encryption-with-kms,AU-6
+cloudtrail-no-global-services-logging,AU-12
+cloudtrail-no-log-file-validation,AU-6
+cloudtrail-no-logging,AU-12
+cloudtrail-not-configured,AU-12
+cloudwatch-alarm-without-actions,AU-12
+config-recorder-not-configured,CM-8|CM-8(2)|CM-8(6)
+ec2-ami-public,AC-3
+ec2-default-security-group-in-use,AC-3(3)
+ec2-default-security-group-with-rules,AC-3(3)
+ec2-ebs-snapshot-not-encrypted,SC-28
+ec2-ebs-snapshot-public,AC-3
+ec2-ebs-volume-not-encrypted,SC-28
+ec2-instance-in-security-group,CM-7(1)
+ec2-instance-type,CM-2
+ec2-instance-types,CM-2
+ec2-instance-with-public-ip,AC-3
+ec2-instance-with-user-data-secrets,AC-3
+ec2-security-group-opens-all-ports,CM-7(1)
+ec2-security-group-opens-all-ports-to-all,CM-7(1)
+ec2-security-group-opens-all-ports-to-self,CM-7(1)
+ec2-security-group-opens-icmp-to-all,CM-7(1)
+ec2-security-group-opens-known-port-to-all,CM-7(1)
+ec2-security-group-opens-plaintext-port,CM-7(1)
+ec2-security-group-opens-port-range,CM-7(1)
+ec2-security-group-opens-port-to-all,CM-7(1)
+ec2-security-group-whitelists-aws,CM-7(1)
+ec2-security-group-whitelists-aws-ip-from-banned-region,CM-7(1)
+ec2-security-group-whitelists-non-elastic-ips,CM-7(1)
+ec2-security-group-whitelists-unknown-aws,CM-7(1)
+ec2-security-group-whitelists-unknown-cidrs,CM-7(1)
+ec2-unused-security-group,CM-7(1)
+elb-listener-allowing-cleartext,SC-8
+elb-no-access-logs,AU-12
+elb-older-ssl-policy,SC-8
+elbv2-http-request-smuggling,SC-8
+elbv2-listener-allowing-cleartext,SC-8
+elbv2-no-access-logs,AU-12
+elbv2-no-deletion-protection,SI-7
+elbv2-older-ssl-policy,SC-8
+iam-assume-role-lacks-external-id-and-mfa,AC-17
+iam-assume-role-no-mfa,AC-6
+iam-assume-role-policy-allows-all,AC-6
+iam-ec2-role-without-instances,AC-6
+iam-group-with-inline-policies,AC-6
+iam-group-with-no-users,AC-6
+iam-human-user-with-policies,AC-6
+iam-inline-policy-allows-non-sts-action,AC-6
+iam-inline-policy-allows-NotActions,AC-6
+iam-inline-policy-for-role,AC-6
+iam-managed-policy-allows-full-privileges,AC-6
+iam-managed-policy-allows-non-sts-action,AC-6
+iam-managed-policy-allows-NotActions,AC-6
+iam-managed-policy-for-role,AC-6
+iam-managed-policy-no-attachments,AC-6
+iam-no-support-role,IR-7
+iam-password-policy-expiration-threshold,AC-2
+iam-password-policy-minimum-length,AC-2
+iam-password-policy-no-expiration,AC-2
+iam-password-policy-no-lowercase-required,AC-2
+iam-password-policy-no-number-required,AC-2
+iam-password-policy-no-symbol-required,AC-2
+iam-password-policy-no-uppercase-required,AC-2
+iam-password-policy-reuse-enabled,IA-5(1)
+iam-role-with-inline-policies,AC-6
+iam-root-account-no-hardware-mfa,IA-2(1)
+iam-root-account-no-mfa,IA-2(1)
+iam-root-account-used-recently,AC-6(9)
+iam-root-account-with-active-certs,AC-6(9)
+iam-root-account-with-active-keys,AC-6(9)
+iam-service-user-with-password,AC-2
+iam-unused-credentials-not-disabled,AC-2
+iam-user-no-key-rotation,AC-2
+iam-user-not-in-category-group,AC-2
+iam-user-not-in-common-group,AC-2
+iam-user-unused-access-key-initial-setup,AC-2
+iam-user-with-multiple-access-keys,IA-2
+iam-user-without-mfa,IA-2(1)
+iam-user-with-password-and-key,IA-2
+iam-user-with-policies,AC-2
+kms-cmk-rotation-disabled,SC-12
+logs-no-alarm-aws-configuration-changes,CM-8|CM-8(2)|CM-8(6)
+logs-no-alarm-cloudtrail-configuration-changes,AU-6
+logs-no-alarm-cmk-deletion,AC-2
+logs-no-alarm-console-authentication-failures,AC-2
+logs-no-alarm-iam-policy-changes,AC-2
+logs-no-alarm-nacl-changes,CM-6(2)
+logs-no-alarm-network-gateways-changes,AU-12|CM-6(2)
+logs-no-alarm-root-usage,AU-2
+logs-no-alarm-route-table-changes,AU-12|CM-6(2)
+logs-no-alarm-s3-policy-changes,AC-6|AU-12
+logs-no-alarm-security-group-changes,AC-2(4)
+logs-no-alarm-signin-without-mfa,AC-2
+logs-no-alarm-unauthorized-api-calls,AU-6|SI-4(2)
+logs-no-alarm-vpc-changes,CM-6(1)
+rds-instance-backup-disabled,CP-9
+rds-instance-ca-certificate-deprecated,SC-12
+rds-instance-no-minor-upgrade,SI-2
+rds-instance-short-backup-retention-period,CP-9
+rds-instance-single-az,CP-7
+rds-instance-storage-not-encrypted,SC-28
+rds-postgres-instance-with-invalid-certificate,SC-12
+rds-security-group-allows-all,CM-7(1)
+rds-snapshot-public,SC-28
+redshift-cluster-database-not-encrypted,SC-28
+redshift-cluster-no-version-upgrade,SI-2
+redshift-cluster-publicly-accessible,AC-3
+redshift-parameter-group-logging-disabled,AU-12
+redshift-parameter-group-ssl-not-required,SC-8
+redshift-security-group-whitelists-all,CM-7(1)
+route53-domain-no-autorenew,SC-2
+route53-domain-no-transferlock,SC-2
+route53-domain-transferlock-not-authorized,SC-2
+s3-bucket-allowing-cleartext,SC-28
+s3-bucket-no-default-encryption,SC-28
+s3-bucket-no-logging,AU-2|AU-12
+s3-bucket-no-mfa-delete,SI-7
+s3-bucket-no-versioning,SI-7
+s3-bucket-world-acl,AC-3(3)
+s3-bucket-world-policy-arg,AC-3(3)
+s3-bucket-world-policy-star,AC-3(3)
+ses-identity-dkim-not-enabled,SC-23
+ses-identity-dkim-not-verified,SC-23
+ses-identity-world-policy,AC-6
+sns-topic-world-policy,AC-6
+sqs-queue-world-policy,AC-6
+vpc-custom-network-acls-allow-all,SC-7
+vpc-default-network-acls-allow-all,SC-7
+vpc-network-acl-not-used,SC-7
+vpc-routing-tables-with-peering,AC-3(3)
+vpc-subnet-with-bad-acls,SC-7
+vpc-subnet-with-default-acls,SC-7
+vpc-subnet-without-flow-log,AU-12
diff --git a/lib/heimdall_tools.rb b/lib/heimdall_tools.rb
index d81493f..716bb8c 100644
--- a/lib/heimdall_tools.rb
+++ b/lib/heimdall_tools.rb
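Review bot: A few rows map a finding to a NIST control whose subject does not match the check: `s3-bucket-allowing-cleartext,SC-28` is about data in transit (SC-28 covers information at rest, and the ELB/ELBv2 cleartext rows in this same file already use SC-8), while `cloudtrail-no-encryption-with-kms,AU-6` and `cloudtrail-no-log-file-validation,AU-6` concern confidentiality and integrity of the audit records themselves, for which AU-9 is the closer fit than AU-6 review and analysis. The three `route53-*` rows tagged SC-2 and `rds-instance-ca-certificate-deprecated,SC-12` (SC-17 is the PKI-certificate control) also look like approximations worth a second pass, since these tags drive the control grouping users see in Heimdall. CSV cannot carry comments, so the reasoning behind the non-obvious mappings belongs in the mapper's help text or README.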
@@ -17,4 +17,5 @@ module HeimdallTools
 autoload :AwsConfigMapper, 'heimdall_tools/aws_config_mapper'
 autoload :NetsparkerMapper, 'heimdall_tools/netsparker_mapper'
 autoload :SarifMapper, 'heimdall_tools/sarif_mapper'
+ autoload :ScoutSuiteMapper, 'heimdall_tools/scoutsuite_mapper'
 end
diff --git a/lib/heimdall_tools/aws_config_mapper.rb b/lib/heimdall_tools/aws_config_mapper.rb
index a463cda..cffecd2 100644
--- a/lib/heimdall_tools/aws_config_mapper.rb
+++ b/lib/heimdall_tools/aws_config_mapper.rb
@@ -57,10 +57,10 @@ def to_hdf
 results = HeimdallDataFormat.new(
 profile_name: 'AWS Config',
- title: 'AWS Config',
- summary: 'AWS Config',
- controls: controls,
- statistics: { aws_config_sdk_version: Aws::ConfigService::GEM_VERSION },
+ title: 'AWS Config',
+ summary: 'AWS Config',
+ controls: controls,
+ statistics: { aws_config_sdk_version: Aws::ConfigService::GEM_VERSION },
 )
 results.to_hdf
 end
diff --git a/lib/heimdall_tools/cli.rb b/lib/heimdall_tools/cli.rb
index 85a5537..75b8e8b 100644
--- a/lib/heimdall_tools/cli.rb
+++ b/lib/heimdall_tools/cli.rb
@@ -135,6 +135,17 @@ def sarif_mapper
 puts options[:output].to_s
 end
+ desc 'scoutsuite_mapper', 'scoutsuite_mapper translates Scout Suite results from Javascript to HDF-formatted JSON so as to be viewable on Heimdall'
+ long_desc Help.text(:scoutsuite_mapper)
+ option :javascript, required: true, banner: 'SCOUTSUITE-RESULTS-JS', aliases: ['-i', '--input', '-j']
+ option :output, required: true, banner: 'HDF-SCAN-RESULTS-JSON', aliases: '-o'
+ def scoutsuite_mapper
+ hdf = HeimdallTools::ScoutSuiteMapper.new(File.read(options[:javascript])).to_hdf
+ File.write(options[:output], hdf)
+ puts "\rHDF Generated:\n"
+ puts options[:output].to_s
+ end
+
 desc 'version', 'prints version'
 def version
 puts VERSION
diff --git a/lib/heimdall_tools/help/scoutsuite_mapper.md b/lib/heimdall_tools/help/scoutsuite_mapper.md
new file mode 100644
index 0000000..9f69382
--- /dev/null
+++ b/lib/heimdall_tools/help/scoutsuite_mapper.md
@@ -0,0 +1,7 @@
+ scoutsuite_mapper translates Scout Suite results from Javascript to HDF-formatted JSON so as to be viewable on Heimdall
+
+ Note: Currently this mapper only supports AWS.
+
+Examples:
+
+ heimdall_tools scoutsuite_mapper -i -o
diff --git a/lib/heimdall_tools/scoutsuite_mapper.rb b/lib/heimdall_tools/scoutsuite_mapper.rb
new file mode 100644
index 0000000..eb8de54
--- /dev/null
+++ b/lib/heimdall_tools/scoutsuite_mapper.rb
@@ -0,0 +1,180 @@
+require 'json'
+require 'csv'
+require 'heimdall_tools/hdf'
+
+RESOURCE_DIR = Pathname.new(__FILE__).join('../../data')
+
+SCOUTSUITE_NIST_MAPPING_FILE = File.join(RESOURCE_DIR, 'scoutsuite-nist-mapping.csv')
+
+IMPACT_MAPPING = {
+ danger: 0.7,
+ warning: 0.5
+}.freeze
+
+DEFAULT_NIST_TAG = %w{SA-11 RA-5}.freeze
+
+INSPEC_INPUTS_MAPPING = {
+ string: 'String',
+ numeric: 'Numeric',
+ regexp: 'Regexp',
+ array: 'Array',
+ hash: 'Hash',
+ boolean: 'Boolean',
+ any: 'Any'
+}.freeze
+
+# Loading spinner sign
+$spinner = Enumerator.new do |e|
+ loop do
+ e.yield '|'
+ e.yield '/'
+ e.yield '-'
+ e.yield '\\'
+ end
+end
+
+module HeimdallTools
+ # currently only tested against an AWS based result, but ScoutSuite supports many other cloud providers such as Azure
+ class ScoutSuiteMapper
+ def initialize(scoutsuite_js)
+ begin
+ @scoutsuite_nist_mapping = parse_mapper
+ rescue StandardError => e
+ raise "Invalid Scout Suite to NIST mapping file:\nException: #{e}"
+ end
+
+ begin
+ @scoutsuite_json = scoutsuite_js.lines[1] # first line is `scoutsuite_results =\n` and second line is json
+ @report = JSON.parse(@scoutsuite_json)
+ rescue StandardError => e
+ raise "Invalid Scout Suite JavaScript file provided:\nException: #{e}"
+ end
+ end
+
+ def parse_mapper
+ csv_data = CSV.read(SCOUTSUITE_NIST_MAPPING_FILE, { encoding: 'UTF-8', headers: true, header_converters: :symbol })
+ csv_data.map(&:to_hash)
+ end
+
+ def create_attribute(name, value, required = nil, sensitive = nil, type = nil)
+ { name: name, options: { value: value, required: required, sensitive: sensitive, type: type }.compact }
+ end
+
+ def extract_scaninfo(report)
+ info = {}
+ begin
+ info['name'] = 'Scout Suite Multi-Cloud Security Auditing Tool'
+ info['version'] = report['last_run']['version']
+ info['title'] = "Scout Suite Report using #{report['last_run']['ruleset_name']} ruleset on #{report['provider_name']} with account #{report['account_id']}"
+ info['target_id'] = 
"#{report['last_run']['ruleset_name']} ruleset:#{report['provider_name']}:#{report['account_id']}"
+ info['summary'] = report['last_run']['ruleset_about']
+ info['attributes'] = [
+ create_attribute('account_id', report['account_id'], true, false, INSPEC_INPUTS_MAPPING[:string]),
+ create_attribute('environment', report['environment']),
+ create_attribute('ruleset', report['ruleset_name']),
+ # think at least these run_parameters are aws only
+ create_attribute('run_parameters_excluded_regions', report['last_run']['run_parameters']['excluded_regions'].join(', ')),
+ create_attribute('run_parameters_regions', report['last_run']['run_parameters']['regions'].join(', ')),
+ create_attribute('run_parameters_services', report['last_run']['run_parameters']['services'].join(', ')),
+ create_attribute('run_parameters_skipped_services', report['last_run']['run_parameters']['skipped_services'].join(', ')),
+ create_attribute('time', report['last_run']['time']),
+ create_attribute('partition', report['partition']), # think this is aws only
+ create_attribute('provider_code', report['provider_code']),
+ create_attribute('provider_name', report['provider_name']),
+ ]
+
+ info
+ rescue StandardError => e
+ raise "Error extracting report info from Scout Suite JS->JSON file:\nException: #{e}"
+ end
+ end
+
+ def nist_tag(rule)
+ entries = @scoutsuite_nist_mapping.select { |x| rule.eql?(x[:rule].to_s) && !x[:nistid].nil? }
+ tags = entries.map { |x| x[:nistid].split('|') }
+ tags.empty? ? DEFAULT_NIST_TAG : tags.flatten.uniq
+ end
+
+ def impact(severity)
+ IMPACT_MAPPING[severity.to_sym]
+ end
+
+ def desc_tags(data, label)
+ { data: data || NA_STRING, label: label || NA_STRING }
+ end
+
+ def findings(details)
+ finding = {}
+ if (details['checked_items']).zero?
+ finding['status'] = 'skipped'
+ finding['skip_message'] = 'Skipped because no items were checked'
+ elsif (details['flagged_items']).zero?
+ finding['status'] = 'passed'
+ finding['message'] = "0 flagged items out of #{details['checked_items']} checked items"
+ else # there are checked items and things were flagged
+ finding['status'] = 'failed'
+ finding['message'] = "#{details['flagged_items']} flagged items out of #{details['checked_items']} checked items:\n#{details['items'].join("\n")}"
+ end
+ finding['code_desc'] = details['description']
+ finding['start_time'] = @report['last_run']['time']
+ [finding]
+ end
+
+ def compliance(arr)
+ str = 'Compliant with '
+ arr.map do |val|
+ info = "#{val['name']}, reference #{val['reference']}, version #{val['version']}"
+ str + info
+ end.join("\n")
+ end
+
+ def to_hdf
+ controls = []
+ @report['services'].each_key do |service|
+ @report['services'][service]['findings'].each_key do |finding|
+ printf("\rProcessing: %s", $spinner.next)
+
+ finding_id = finding
+ finding_details = @report['services'][service]['findings'][finding]
+
+ item = {}
+ item['id'] = finding_id
+ item['title'] = finding_details['description']
+
+ item['tags'] = { nist: nist_tag(finding_id) }
+
+ item['impact'] = impact(finding_details['level'])
+
+ item['desc'] = finding_details['rationale']
+
+ item['descriptions'] = []
+ item['descriptions'] << desc_tags(finding_details['remediation'], 'fix') unless finding_details['remediation'].nil?
+ item['descriptions'] << desc_tags(finding_details['service'], 'service')
+ item['descriptions'] << desc_tags(finding_details['path'], 'path')
+ item['descriptions'] << desc_tags(finding_details['id_suffix'], 'id_suffix')
+
+ item['refs'] = []
+ item['refs'] += finding_details['references'].map { |link| { url: link } } unless finding_details['references'].nil? || finding_details['references'].empty?
+ item['refs'] << { ref: compliance(finding_details['compliance']) } unless finding_details['compliance'].nil?
+
+ item['source_location'] = NA_HASH
+ item['code'] = NA_STRING
+
+ item['results'] = findings(finding_details)
+
+ controls << item
+ end
+ end
+
+ scaninfo = extract_scaninfo(@report)
+ results = HeimdallDataFormat.new(profile_name: scaninfo['name'],
+ version: scaninfo['version'],
+ title: scaninfo['title'],
+ summary: scaninfo['summary'],
+ controls: controls,
+ target_id: scaninfo['target_id'],
+ attributes: scaninfo['attributes'])
+ results.to_hdf
+ end
+ end
+end
diff --git a/lib/heimdall_tools/zap_mapper.rb b/lib/heimdall_tools/zap_mapper.rb
index 76bc6f7..526f3fc 100644
--- a/lib/heimdall_tools/zap_mapper.rb
+++ b/lib/heimdall_tools/zap_mapper.rb
@@ -8,8 +8,6 @@ CWE_NIST_MAPPING_FILE = File.join(RESOURCE_DIR, 'cwe-nist-mapping.csv')
 DEFAULT_NIST_TAG = %w{SA-11 RA-5}.freeze
-# rubocop:disable Metrics/AbcSize
-
 module HeimdallTools
 class ZapMapper
 def initialize(zap_json, name)
diff --git a/sample_jsons/scoutsuite_mapper/sample_input_jsons/scoutsuite_sample.js b/sample_jsons/scoutsuite_mapper/sample_input_jsons/scoutsuite_sample.js
new file mode 100644
index 0000000..7a43f97
--- /dev/null
+++ b/sample_jsons/scoutsuite_mapper/sample_input_jsons/scoutsuite_sample.js
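Review bot: `create_attribute('ruleset', report['ruleset_name'])` in extract_scaninfo reads a key the report does not carry at top level — in the sample input `ruleset_name` lives under `last_run`, and the committed sample HDF shows the consequence as `{"name":"ruleset","options":{}}` with the value compacted away; the fix is `create_attribute('ruleset', report['last_run']['ruleset_name']),`. In initialize, `scoutsuite_js.lines[1]` pins the JSON to exactly the second line, so a results file whose JSON starts on the `scoutsuite_results =` line or is pretty-printed fails with the generic "Invalid Scout Suite JavaScript file" message; stripping the prefix instead, `@scoutsuite_json = scoutsuite_js.sub(/\Ascoutsuite_results\s*=\s*/, '')`, is not tied to line layout. Two quiet fallbacks deserve at least a warning on `$stderr`: impact returns nil for any `level` other than danger/warning, and nist_tag substitutes DEFAULT_NIST_TAG for every rule missing from the CSV, so an unmapped or newly added Scout Suite rule is indistinguishable from a mapped one in the HDF. RESOURCE_DIR and DEFAULT_NIST_TAG are assigned at file scope, and the zap_mapper.rb context below shows DEFAULT_NIST_TAG defined the same way there, so a process that loads both mappers reassigns them with "already initialized constant" warnings; scoping them inside ScoutSuiteMapper avoids that.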
@@ -0,0 +1,2 @@ +scoutsuite_results = +{"account_id":"916481805664","environment":"default","last_run":{"ruleset_about":"This ruleset consists of numerous rules that are considered standard by NCC Group. The rules enabled range from violations of well-known security best practices to gaps resulting from less-known security implications of provider-specific mechanisms. Additional rules exist, some of them requiring extra-parameters to be configured, and some of them being applicable to a limited number of users.","ruleset_name":"default","run_parameters":{"excluded_regions":[],"regions":[],"services":[],"skipped_services":[]},"summary":{"cloudtrail":{"checked_items":16,"flagged_items":16,"max_level":"danger","resources_count":0,"rules_count":8}},"time":"2021-02-19 19:16:10+0000","version":"5.10.2"},"partition":"aws","provider_code":"aws","provider_name":"Amazon Web Services","result_format":"json","service_groups":{"compute":{"summaries":{"external_attack_surface":{}}},"database":{"summaries":{"external_attack_surface":{}}}},"service_list":["cloudtrail"],"services":{"cloudtrail":{"DuplicatedGlobalServiceEvents":false,"IncludeGlobalServiceEvents":false,"filters":{},"findings":{"cloudtrail-duplicated-global-services-logging":{"checked_items":0,"compliance":null,"dashboard_name":"Configurations","description":"Global Service Logging Duplicated","flagged_items":0,"id_suffix":"IncludeGlobalServiceEvents","items":[],"level":"warning","path":"cloudtrail.regions.id.trails.id","rationale":"Global service logging is enabled in multiple Trails. 
While this does not jeopardize the security of the environment, duplicated entries in logs increase the difficulty to investigate potential incidents.","references":["https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events"],"remediation":null,"service":"CloudTrail"},"cloudtrail-no-cloudwatch-integration":{"checked_items":0,"compliance":[{"name":"CIS Amazon Web Services Foundations","reference":"2.4","version":"1.0.0"},{"name":"CIS Amazon Web Services Foundations","reference":"2.4","version":"1.1.0"},{"name":"CIS Amazon Web Services Foundations","reference":"2.4","version":"1.2.0"}],"dashboard_name":"Configurations","description":"Trail Is Not Integrated with CloudWatch","display_path":"cloudtrail.regions.id.trails.id","flagged_items":0,"id_suffix":"TrailCloudwatchNoIntegration","items":[],"level":"warning","path":"cloudtrail.regions.id.trails.id","rationale":"The lack of integration with CloudWatch hinders ral-time and historic activity logging as well as not allowing the configuration of alarms and notifications for anomalous account activity.","references":null,"remediation":"Configure each Trail to have a CloudWatch Logs group attached","service":"CloudTrail"},"cloudtrail-no-data-logging":{"checked_items":0,"compliance":null,"dashboard_name":"Configurations","description":"Data Events Logging Not Configured","display_path":"cloudtrail.regions.id.trails.id","flagged_items":0,"id_suffix":"cloudtrail-data-events-disabled","items":[],"level":"warning","path":"cloudtrail.regions.id.trails.id","rationale":"CloudTrail Data Logging is not configured, which means that S3 access and Lambda invocations are not logged.

Note: S3 bucket logging can be used in place of CloudTrail data events for S3. If that is the case, logs for Lambda invocations may still be missing.","references":["https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html"],"remediation":null,"service":"CloudTrail"},"cloudtrail-no-encryption-with-kms":{"checked_items":0,"compliance":[{"name":"CIS Amazon Web Services Foundations","reference":"2.7","version":"1.0.0"},{"name":"CIS Amazon Web Services Foundations","reference":"2.7","version":"1.1.0"},{"name":"CIS Amazon Web Services Foundations","reference":"2.7","version":"1.2.0"}],"dashboard_name":"Configurations","description":"CloudTrail Logs Not Encrypted with KMS Customer Master Keys (CMKs)","display_path":"cloudtrail.regions.id.trails.id","flagged_items":0,"id_suffix":"cloudtrail-kms-key-unused","items":[],"level":"danger","path":"cloudtrail.regions.id.trails.id","rationale":"Not encrypting CloudTrail logs with SSE-KMS affects the confidentiality of the log data.","references":["https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html"],"remediation":"Ensure each Trail is encrypted with a KMS key","service":"CloudTrail"},"cloudtrail-no-global-services-logging":{"checked_items":0,"compliance":null,"dashboard_name":"Configurations","description":"Global Service Logging Disabled","flagged_items":0,"id_suffix":"IncludeGlobalServiceEvents","items":[],"level":"danger","path":"cloudtrail.regions.id.trails.id","rationale":"API activity for global services such as IAM and STS is not logged. 
Investigation of incidents will be incomplete due to the lack of information.","references":["https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events"],"remediation":null,"service":"CloudTrail"},"cloudtrail-no-log-file-validation":{"checked_items":0,"compliance":[{"name":"CIS Amazon Web Services Foundations","reference":"2.2","version":"1.0.0"},{"name":"CIS Amazon Web Services Foundations","reference":"2.2","version":"1.1.0"},{"name":"CIS Amazon Web Services Foundations","reference":"2.2","version":"1.2.0"}],"dashboard_name":"Configurations","description":"Log File Validation Is Disabled","display_path":"cloudtrail.regions.id.trails.id","flagged_items":0,"id_suffix":"LogFileValidationDisabled","items":[],"level":"danger","path":"cloudtrail.regions.id.trails.id","rationale":"The lack of log file validation prevents from verifying the integrity of CloudTrail log files.","references":["https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html"],"remediation":"Ensure that each Trail has Enable log file validation set to Yes","service":"CloudTrail"},"cloudtrail-no-logging":{"checked_items":0,"class_suffix":"IsLogging","compliance":[{"name":"CIS Amazon Web Services Foundations","reference":"2.1","version":"1.0.0"},{"name":"CIS Amazon Web Services Foundations","reference":"2.1","version":"1.1.0"},{"name":"CIS Amazon Web Services Foundations","reference":"2.1","version":"1.2.0"}],"dashboard_name":"Configurations","description":"Disabled Trails","flagged_items":0,"items":[],"level":"danger","path":"cloudtrail.regions.id.trails.id","rationale":"Logging is disabled for a given Trail. 
Depending on the configuration, logs for important API activity may be missing.","references":["https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html"],"remediation":"Configure all Trails to enable Logging, set Apply trail to all regions and ensure that Read/Write Events are set to ALL","service":"CloudTrail"},"cloudtrail-not-configured":{"checked_items":16,"compliance":null,"dashboard_name":"Regions","description":"CloudTrail Service Not Configured","flagged_items":16,"id_suffix":"NotConfigured","items":["cloudtrail.regions.ap-northeast-1.NotConfigured","cloudtrail.regions.ap-northeast-2.NotConfigured","cloudtrail.regions.ap-south-1.NotConfigured","cloudtrail.regions.ap-southeast-1.NotConfigured","cloudtrail.regions.ap-southeast-2.NotConfigured","cloudtrail.regions.ca-central-1.NotConfigured","cloudtrail.regions.eu-central-1.NotConfigured","cloudtrail.regions.eu-north-1.NotConfigured","cloudtrail.regions.eu-west-1.NotConfigured","cloudtrail.regions.eu-west-2.NotConfigured","cloudtrail.regions.eu-west-3.NotConfigured","cloudtrail.regions.sa-east-1.NotConfigured","cloudtrail.regions.us-east-1.NotConfigured","cloudtrail.regions.us-east-2.NotConfigured","cloudtrail.regions.us-west-1.NotConfigured","cloudtrail.regions.us-west-2.NotConfigured"],"level":"danger","path":"cloudtrail.regions.id","rationale":"CloudTrail is not configured, which means that API activity is not 
logged.","references":["https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html"],"remediation":null,"service":"CloudTrail"}},"regions":{"ap-northeast-1":{"id":"ap-northeast-1","name":"ap-northeast-1","region":"ap-northeast-1","trails":{},"trails_count":0},"ap-northeast-2":{"id":"ap-northeast-2","name":"ap-northeast-2","region":"ap-northeast-2","trails":{},"trails_count":0},"ap-south-1":{"id":"ap-south-1","name":"ap-south-1","region":"ap-south-1","trails":{},"trails_count":0},"ap-southeast-1":{"id":"ap-southeast-1","name":"ap-southeast-1","region":"ap-southeast-1","trails":{},"trails_count":0},"ap-southeast-2":{"id":"ap-southeast-2","name":"ap-southeast-2","region":"ap-southeast-2","trails":{},"trails_count":0},"ca-central-1":{"id":"ca-central-1","name":"ca-central-1","region":"ca-central-1","trails":{},"trails_count":0},"eu-central-1":{"id":"eu-central-1","name":"eu-central-1","region":"eu-central-1","trails":{},"trails_count":0},"eu-north-1":{"id":"eu-north-1","name":"eu-north-1","region":"eu-north-1","trails":{},"trails_count":0},"eu-west-1":{"id":"eu-west-1","name":"eu-west-1","region":"eu-west-1","trails":{},"trails_count":0},"eu-west-2":{"id":"eu-west-2","name":"eu-west-2","region":"eu-west-2","trails":{},"trails_count":0},"eu-west-3":{"id":"eu-west-3","name":"eu-west-3","region":"eu-west-3","trails":{},"trails_count":0},"sa-east-1":{"id":"sa-east-1","name":"sa-east-1","region":"sa-east-1","trails":{},"trails_count":0},"us-east-1":{"id":"us-east-1","name":"us-east-1","region":"us-east-1","trails":{},"trails_count":0},"us-east-2":{"id":"us-east-2","name":"us-east-2","region":"us-east-2","trails":{},"trails_count":0},"us-west-1":{"id":"us-west-1","name":"us-west-1","region":"us-west-1","trails":{},"trails_count":0},"us-west-2":{"id":"us-west-2","name":"us-west-2","region":"us-west-2","trails":{},"trails_count":0}},"regions_count":16,"trails_count":0}}} 
diff --git a/sample_jsons/scoutsuite_mapper/scoutsuite_hdf.json b/sample_jsons/scoutsuite_mapper/scoutsuite_hdf.json new file mode 100644 index 0000000..e9b63b6 --- /dev/null +++ b/sample_jsons/scoutsuite_mapper/scoutsuite_hdf.json 
@@ -0,0 +1 @@
+{"platform":{"name":"Heimdall Tools","release":"1.3.45.16.g97c3b52.1.dirty.20210514.203150","target_id":"default ruleset:Amazon Web Services:916481805664"},"version":"1.3.45.16.g97c3b52.1.dirty.20210514.203150","statistics":{"duration":null},"profiles":[{"name":"Scout Suite Multi-Cloud Security Auditing Tool","version":"5.10.2","title":"Scout Suite Report using default ruleset on Amazon Web Services with account 916481805664","maintainer":null,"summary":"This ruleset consists of numerous rules that are considered standard by NCC Group. The rules enabled range from violations of well-known security best practices to gaps resulting from less-known security implications of provider-specific mechanisms. Additional rules exist, some of them requiring extra-parameters to be configured, and some of them being applicable to a limited number of users.","license":null,"copyright":null,"copyright_email":null,"supports":[],"attributes":[{"name":"account_id","options":{"value":"916481805664","required":true,"sensitive":false,"type":"String"}},{"name":"environment","options":{"value":"default"}},{"name":"ruleset","options":{}},{"name":"run_parameters_excluded_regions","options":{"value":""}},{"name":"run_parameters_regions","options":{"value":""}},{"name":"run_parameters_services","options":{"value":""}},{"name":"run_parameters_skipped_services","options":{"value":""}},{"name":"time","options":{"value":"2021-02-19 19:16:10+0000"}},{"name":"partition","options":{"value":"aws"}},{"name":"provider_code","options":{"value":"aws"}},{"name":"provider_name","options":{"value":"Amazon Web Services"}}],"depends":[],"groups":[],"status":"loaded","controls":[{"id":"cloudtrail-duplicated-global-services-logging","title":"Global Service Logging Duplicated","tags":{"nist":["AU-6"]},"impact":0.5,"desc":"Global service logging is enabled in multiple Trails. 
While this does not jeopardize the security of the environment, duplicated entries in logs increase the difficulty to investigate potential incidents.","descriptions":[{"data":"CloudTrail","label":"service"},{"data":"cloudtrail.regions.id.trails.id","label":"path"},{"data":"IncludeGlobalServiceEvents","label":"id_suffix"}],"refs":[{"url":"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events"}],"source_location":{},"code":"","results":[{"status":"skipped","skip_message":"Skipped because no items were checked","code_desc":"Global Service Logging Duplicated","start_time":"2021-02-19 19:16:10+0000"}]},{"id":"cloudtrail-no-cloudwatch-integration","title":"Trail Is Not Integrated with CloudWatch","tags":{"nist":["AU-12","SI-4(2)"]},"impact":0.5,"desc":"The lack of integration with CloudWatch hinders ral-time and historic activity logging as well as not allowing the configuration of alarms and notifications for anomalous account activity.","descriptions":[{"data":"Configure each Trail to have a CloudWatch Logs group attached","label":"fix"},{"data":"CloudTrail","label":"service"},{"data":"cloudtrail.regions.id.trails.id","label":"path"},{"data":"TrailCloudwatchNoIntegration","label":"id_suffix"}],"refs":[{"ref":"Compliant with CIS Amazon Web Services Foundations, reference 2.4, version 1.0.0\nCompliant with CIS Amazon Web Services Foundations, reference 2.4, version 1.1.0\nCompliant with CIS Amazon Web Services Foundations, reference 2.4, version 1.2.0"}],"source_location":{},"code":"","results":[{"status":"skipped","skip_message":"Skipped because no items were checked","code_desc":"Trail Is Not Integrated with CloudWatch","start_time":"2021-02-19 19:16:10+0000"}]},{"id":"cloudtrail-no-data-logging","title":"Data Events Logging Not Configured","tags":{"nist":["AU-12"]},"impact":0.5,"desc":"CloudTrail Data Logging is not configured, which means that S3 access and Lambda invocations are not logged.

Note: S3 bucket logging can be used in place of CloudTrail data events for S3. If that is the case, logs for Lambda invocations may still be missing.","descriptions":[{"data":"CloudTrail","label":"service"},{"data":"cloudtrail.regions.id.trails.id","label":"path"},{"data":"cloudtrail-data-events-disabled","label":"id_suffix"}],"refs":[{"url":"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html"}],"source_location":{},"code":"","results":[{"status":"skipped","skip_message":"Skipped because no items were checked","code_desc":"Data Events Logging Not Configured","start_time":"2021-02-19 19:16:10+0000"}]},{"id":"cloudtrail-no-encryption-with-kms","title":"CloudTrail Logs Not Encrypted with KMS Customer Master Keys (CMKs)","tags":{"nist":["AU-6"]},"impact":0.7,"desc":"Not encrypting CloudTrail logs with SSE-KMS affects the confidentiality of the log data.","descriptions":[{"data":"Ensure each Trail is encrypted with a KMS key","label":"fix"},{"data":"CloudTrail","label":"service"},{"data":"cloudtrail.regions.id.trails.id","label":"path"},{"data":"cloudtrail-kms-key-unused","label":"id_suffix"}],"refs":[{"url":"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html"},{"ref":"Compliant with CIS Amazon Web Services Foundations, reference 2.7, version 1.0.0\nCompliant with CIS Amazon Web Services Foundations, reference 2.7, version 1.1.0\nCompliant with CIS Amazon Web Services Foundations, reference 2.7, version 1.2.0"}],"source_location":{},"code":"","results":[{"status":"skipped","skip_message":"Skipped because no items were checked","code_desc":"CloudTrail Logs Not Encrypted with KMS Customer Master Keys (CMKs)","start_time":"2021-02-19 19:16:10+0000"}]},{"id":"cloudtrail-no-global-services-logging","title":"Global Service Logging Disabled","tags":{"nist":["AU-12"]},"impact":0.7,"desc":"API activity for global services such as IAM and STS is not logged. 
Investigation of incidents will be incomplete due to the lack of information.","descriptions":[{"data":"CloudTrail","label":"service"},{"data":"cloudtrail.regions.id.trails.id","label":"path"},{"data":"IncludeGlobalServiceEvents","label":"id_suffix"}],"refs":[{"url":"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events"}],"source_location":{},"code":"","results":[{"status":"skipped","skip_message":"Skipped because no items were checked","code_desc":"Global Service Logging Disabled","start_time":"2021-02-19 19:16:10+0000"}]},{"id":"cloudtrail-no-log-file-validation","title":"Log File Validation Is Disabled","tags":{"nist":["AU-6"]},"impact":0.7,"desc":"The lack of log file validation prevents from verifying the integrity of CloudTrail log files.","descriptions":[{"data":"Ensure that each Trail has Enable log file validation set to Yes","label":"fix"},{"data":"CloudTrail","label":"service"},{"data":"cloudtrail.regions.id.trails.id","label":"path"},{"data":"LogFileValidationDisabled","label":"id_suffix"}],"refs":[{"url":"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html"},{"ref":"Compliant with CIS Amazon Web Services Foundations, reference 2.2, version 1.0.0\nCompliant with CIS Amazon Web Services Foundations, reference 2.2, version 1.1.0\nCompliant with CIS Amazon Web Services Foundations, reference 2.2, version 1.2.0"}],"source_location":{},"code":"","results":[{"status":"skipped","skip_message":"Skipped because no items were checked","code_desc":"Log File Validation Is Disabled","start_time":"2021-02-19 19:16:10+0000"}]},{"id":"cloudtrail-no-logging","title":"Disabled Trails","tags":{"nist":["AU-12"]},"impact":0.7,"desc":"Logging is disabled for a given Trail. 
Depending on the configuration, logs for important API activity may be missing.","descriptions":[{"data":"Configure all Trails to enable Logging, set Apply trail to all regions and ensure that Read/Write Events are set to ALL","label":"fix"},{"data":"CloudTrail","label":"service"},{"data":"cloudtrail.regions.id.trails.id","label":"path"},{"data":"","label":"id_suffix"}],"refs":[{"url":"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html"},{"ref":"Compliant with CIS Amazon Web Services Foundations, reference 2.1, version 1.0.0\nCompliant with CIS Amazon Web Services Foundations, reference 2.1, version 1.1.0\nCompliant with CIS Amazon Web Services Foundations, reference 2.1, version 1.2.0"}],"source_location":{},"code":"","results":[{"status":"skipped","skip_message":"Skipped because no items were checked","code_desc":"Disabled Trails","start_time":"2021-02-19 19:16:10+0000"}]},{"id":"cloudtrail-not-configured","title":"CloudTrail Service Not Configured","tags":{"nist":["AU-12"]},"impact":0.7,"desc":"CloudTrail is not configured, which means that API activity is not logged.","descriptions":[{"data":"CloudTrail","label":"service"},{"data":"cloudtrail.regions.id","label":"path"},{"data":"NotConfigured","label":"id_suffix"}],"refs":[{"url":"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html"}],"source_location":{},"code":"","results":[{"status":"failed","message":"16 flagged items out of 16 checked 
items:\ncloudtrail.regions.ap-northeast-1.NotConfigured\ncloudtrail.regions.ap-northeast-2.NotConfigured\ncloudtrail.regions.ap-south-1.NotConfigured\ncloudtrail.regions.ap-southeast-1.NotConfigured\ncloudtrail.regions.ap-southeast-2.NotConfigured\ncloudtrail.regions.ca-central-1.NotConfigured\ncloudtrail.regions.eu-central-1.NotConfigured\ncloudtrail.regions.eu-north-1.NotConfigured\ncloudtrail.regions.eu-west-1.NotConfigured\ncloudtrail.regions.eu-west-2.NotConfigured\ncloudtrail.regions.eu-west-3.NotConfigured\ncloudtrail.regions.sa-east-1.NotConfigured\ncloudtrail.regions.us-east-1.NotConfigured\ncloudtrail.regions.us-east-2.NotConfigured\ncloudtrail.regions.us-west-1.NotConfigured\ncloudtrail.regions.us-west-2.NotConfigured","code_desc":"CloudTrail Service Not Configured","start_time":"2021-02-19 19:16:10+0000"}]}],"sha256":"c8119607b0c456a2a688fa743dcde696390b0c98f7e2e746fa14c162374de227"}]}
\ No newline at end of file
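Review bot: The committed fixture embeds what looks like a real AWS account id, `916481805664`, three times — in `platform.target_id`, in the profile `title`, and as the `account_id` attribute value — and the same id presumably sits in the paired `scoutsuite_sample.js` input that build.yml feeds to the mapper. An account id is not a credential, but sample data published in a repository is normally scrubbed to a documentation placeholder before commit; because the CI step diffs this file against fresh mapper output, the input fixture would need the same substitution so the two stay in sync, and the profile `sha256` would change with it. The `account_id` attribute is also emitted with `"sensitive":false`; if the mapper (outside this hunk) sets that unconditionally, a one-line comment there saying why the id is treated as non-sensitive would save the next reader the question.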