Skip to content

Commit

Permalink
Added support for scout suite AWS scanning (#96)
Browse files Browse the repository at this point in the history
  • Loading branch information
Amndeep7 authored May 20, 2021
1 parent d725af4 commit 9aed494
Show file tree
Hide file tree
Showing 12 changed files with 380 additions and 33 deletions.
6 changes: 6 additions & 0 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -74,3 +74,9 @@ jobs:
jq 'del(.version, .platform.release)' nessus.json-ip-10-10-23-102.json > nessus_jq.json
jq 'del(.version, .platform.release)' ./sample_jsons/nessus_mapper/nessus_sample_hdf.json > nessus_sample_hdf.json
diff nessus_sample_hdf.json nessus_jq.json
- name: Test scoutsuite mapper
run: |
heimdall_tools scoutsuite_mapper -i ./sample_jsons/scoutsuite_mapper/sample_input_jsons/scoutsuite_sample.js -o scoutsuite_output.json
jq 'del(.version, .platform.release)' scoutsuite_output.json > scoutsuite_output_jq.json
jq 'del(.version, .platform.release)' ./sample_jsons/scoutsuite_mapper/scoutsuite_hdf.json > scoutsuite_sample.json
diff scoutsuite_sample.json scoutsuite_output_jq.json
38 changes: 11 additions & 27 deletions .rubocop_todo.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# This configuration was generated by
# `rubocop --auto-gen-config`
# on 2021-03-16 17:26:37 UTC using RuboCop version 1.11.0.
# on 2021-05-18 15:11:52 UTC using RuboCop version 1.14.0.
# The point is for the user to remove these configuration records
# one by one as the offenses are removed from the code base.
# Note that changes in the inspected code, or installation of new
Expand All @@ -19,11 +19,10 @@ Lint/DuplicateBranch:
Exclude:
- 'lib/heimdall_tools/dbprotect_mapper.rb'

# Offense count: 3
# Offense count: 2
# Configuration parameters: MaximumRangeSize.
Lint/MissingCopEnableDirective:
Exclude:
- 'lib/heimdall_tools/burpsuite_mapper.rb'
- 'lib/heimdall_tools/nessus_mapper.rb'
- 'lib/heimdall_tools/zap_mapper.rb'

Expand All @@ -39,16 +38,10 @@ Lint/UnusedMethodArgument:
Exclude:
- 'lib/heimdall_tools/hdf.rb'

# Offense count: 2
# Configuration parameters: CheckForMethodsWithNoSideEffects.
Lint/Void:
Exclude:
- 'lib/heimdall_tools/aws_config_mapper.rb'

# Offense count: 20
# Offense count: 32
# Configuration parameters: IgnoredMethods, CountRepeatedAttributes.
Metrics/AbcSize:
Max: 56
Max: 73

# Offense count: 4
# Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods.
Expand All @@ -61,17 +54,17 @@ Metrics/BlockLength:
Metrics/BlockNesting:
Max: 5

# Offense count: 6
# Offense count: 8
# Configuration parameters: CountComments, CountAsOne.
Metrics/ClassLength:
Max: 171

# Offense count: 7
# Offense count: 10
# Configuration parameters: IgnoredMethods.
Metrics/CyclomaticComplexity:
Max: 17

# Offense count: 32
# Offense count: 38
# Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods.
Metrics/MethodLength:
Max: 52
Expand All @@ -81,7 +74,7 @@ Metrics/MethodLength:
Metrics/ParameterLists:
Max: 18

# Offense count: 6
# Offense count: 8
# Configuration parameters: IgnoredMethods.
Metrics/PerceivedComplexity:
Max: 17
Expand All @@ -106,29 +99,20 @@ Naming/VariableName:
Exclude:
- 'lib/heimdall_tools/burpsuite_mapper.rb'

# Offense count: 8
# Offense count: 12
# Configuration parameters: AllowedVariables.
Style/GlobalVars:
Exclude:
- 'lib/heimdall_tools/jfrog_xray_mapper.rb'
- 'lib/heimdall_tools/nessus_mapper.rb'
- 'lib/heimdall_tools/nikto_mapper.rb'
- 'lib/heimdall_tools/sarif_mapper.rb'
- 'lib/heimdall_tools/scoutsuite_mapper.rb'
- 'lib/heimdall_tools/snyk_mapper.rb'

# Offense count: 10
# Offense count: 1
# Configuration parameters: AllowedMethods.
# AllowedMethods: respond_to_missing?
Style/OptionalBooleanParameter:
Exclude:
- 'lib/heimdall_tools/aws_config_mapper.rb'
- 'lib/heimdall_tools/burpsuite_mapper.rb'
- 'lib/heimdall_tools/dbprotect_mapper.rb'
- 'lib/heimdall_tools/fortify_mapper.rb'
- 'lib/heimdall_tools/jfrog_xray_mapper.rb'
- 'lib/heimdall_tools/nessus_mapper.rb'
- 'lib/heimdall_tools/netsparker_mapper.rb'
- 'lib/heimdall_tools/nikto_mapper.rb'
- 'lib/heimdall_tools/sarif_mapper.rb'
- 'lib/heimdall_tools/snyk_mapper.rb'
- 'lib/heimdall_tools/zap_mapper.rb'
17 changes: 17 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ HeimdallTools supplies several methods to convert output from various tools to "
- **aws_config_mapper** - assess, audit, and evaluate AWS resources
- **netsparker_mapper** - web application security scanner
- **sarif_mapper** - static analysis results interchange format
- **scoutsuite_mapper** - multi-cloud security auditing tool

## Want to recommend a mapper for another tool? Please use these steps:
1. Create an [issue](https://github.com/mitre/heimdall_tools/issues/new), and email saf@groups.mitre.org citing the issue link so we can help
Expand Down Expand Up @@ -202,6 +203,22 @@ FLAGS:
example: heimdall_tools nikto_mapper -j nikto_results.json -o nikto_results.json
```

## scoutsuite_mapper

scoutsuite_mapper translates Scout Suite results from Javascript to HDF-formatted JSON so as to be viewable on Heimdall

Note: Currently this mapper only supports AWS.

```
USAGE: heimdall_tools scoutsuite_mapper -i <scoutsuite-results-js> -o <hdf-scan-results-json>
FLAGS:
-i --input -j --javascript <scoutsuite-results-js> : path to Scout Suite results Javascript file.
-o --output <hdf-scan-results-json> : path to output scan-results json.
example: heimdall_tools scoutsuite_mapper -i scoutsuite_results.js -o scoutsuite_hdf.json
```

## jfrog_xray_mapper

jfrog_xray_mapper translates an JFrog Xray results JSON file into HDF format JSON to be viewable in Heimdall
Expand Down
140 changes: 140 additions & 0 deletions lib/data/scoutsuite-nist-mapping.csv
Original file line number Diff line number Diff line change
@@ -0,0 +1,140 @@
rule,nistid
acm-certificate-with-close-expiration-date,SC-12
acm-certificate-with-transparency-logging-disabled,SC-12
cloudformation-stack-with-role,AC-6
cloudtrail-duplicated-global-services-logging,AU-6
cloudtrail-no-cloudwatch-integration,AU-12|SI-4(2)
cloudtrail-no-data-logging,AU-12
cloudtrail-no-encryption-with-kms,AU-6
cloudtrail-no-global-services-logging,AU-12
cloudtrail-no-log-file-validation,AU-6
cloudtrail-no-logging,AU-12
cloudtrail-not-configured,AU-12
cloudwatch-alarm-without-actions,AU-12
config-recorder-not-configured,CM-8|CM-8(2)|CM-8(6)
ec2-ami-public,AC-3
ec2-default-security-group-in-use,AC-3(3)
ec2-default-security-group-with-rules,AC-3(3)
ec2-ebs-snapshot-not-encrypted,SC-28
ec2-ebs-snapshot-public,AC-3
ec2-ebs-volume-not-encrypted,SC-28
ec2-instance-in-security-group,CM-7(1)
ec2-instance-type,CM-2
ec2-instance-types,CM-2
ec2-instance-with-public-ip,AC-3
ec2-instance-with-user-data-secrets,AC-3
ec2-security-group-opens-all-ports,CM-7(1)
ec2-security-group-opens-all-ports-to-all,CM-7(1)
ec2-security-group-opens-all-ports-to-self,CM-7(1)
ec2-security-group-opens-icmp-to-all,CM-7(1)
ec2-security-group-opens-known-port-to-all,CM-7(1)
ec2-security-group-opens-plaintext-port,CM-7(1)
ec2-security-group-opens-port-range,CM-7(1)
ec2-security-group-opens-port-to-all,CM-7(1)
ec2-security-group-whitelists-aws,CM-7(1)
ec2-security-group-whitelists-aws-ip-from-banned-region,CM-7(1)
ec2-security-group-whitelists-non-elastic-ips,CM-7(1)
ec2-security-group-whitelists-unknown-aws,CM-7(1)
ec2-security-group-whitelists-unknown-cidrs,CM-7(1)
ec2-unused-security-group,CM-7(1)
elb-listener-allowing-cleartext,SC-8
elb-no-access-logs,AU-12
elb-older-ssl-policy,SC-8
elbv2-http-request-smuggling,SC-8
elbv2-listener-allowing-cleartext,SC-8
elbv2-no-access-logs,AU-12
elbv2-no-deletion-protection,SI-7
elbv2-older-ssl-policy,SC-8
iam-assume-role-lacks-external-id-and-mfa,AC-17
iam-assume-role-no-mfa,AC-6
iam-assume-role-policy-allows-all,AC-6
iam-ec2-role-without-instances,AC-6
iam-group-with-inline-policies,AC-6
iam-group-with-no-users,AC-6
iam-human-user-with-policies,AC-6
iam-inline-policy-allows-non-sts-action,AC-6
iam-inline-policy-allows-NotActions,AC-6
iam-inline-policy-for-role,AC-6
iam-managed-policy-allows-full-privileges,AC-6
iam-managed-policy-allows-non-sts-action,AC-6
iam-managed-policy-allows-NotActions,AC-6
iam-managed-policy-for-role,AC-6
iam-managed-policy-no-attachments,AC-6
iam-no-support-role,IR-7
iam-password-policy-expiration-threshold,AC-2
iam-password-policy-minimum-length,AC-2
iam-password-policy-no-expiration,AC-2
iam-password-policy-no-lowercase-required,AC-2
iam-password-policy-no-number-required,AC-2
iam-password-policy-no-symbol-required,AC-2
iam-password-policy-no-uppercase-required,AC-2
iam-password-policy-reuse-enabled,IA-5(1)
iam-role-with-inline-policies,AC-6
iam-root-account-no-hardware-mfa,IA-2(1)
iam-root-account-no-mfa,IA-2(1)
iam-root-account-used-recently,AC-6(9)
iam-root-account-with-active-certs,AC-6(9)
iam-root-account-with-active-keys,AC-6(9)
iam-service-user-with-password,AC-2
iam-unused-credentials-not-disabled,AC-2
iam-user-no-key-rotation,AC-2
iam-user-not-in-category-group,AC-2
iam-user-not-in-common-group,AC-2
iam-user-unused-access-key-initial-setup,AC-2
iam-user-with-multiple-access-keys,IA-2
iam-user-without-mfa,IA-2(1)
iam-user-with-password-and-key,IA-2
iam-user-with-policies,AC-2
kms-cmk-rotation-disabled,SC-12
logs-no-alarm-aws-configuration-changes,CM-8|CM-8(2)|CM-8(6)
logs-no-alarm-cloudtrail-configuration-changes,AU-6
logs-no-alarm-cmk-deletion,AC-2
logs-no-alarm-console-authentication-failures,AC-2
logs-no-alarm-iam-policy-changes,AC-2
logs-no-alarm-nacl-changes,CM-6(2)
logs-no-alarm-network-gateways-changes,AU-12|CM-6(2)
logs-no-alarm-root-usage,AU-2
logs-no-alarm-route-table-changes,AU-12|CM-6(2)
logs-no-alarm-s3-policy-changes,AC-6|AU-12
logs-no-alarm-security-group-changes,AC-2(4)
logs-no-alarm-signin-without-mfa,AC-2
logs-no-alarm-unauthorized-api-calls,AU-6|SI-4(2)
logs-no-alarm-vpc-changes,CM-6(1)
rds-instance-backup-disabled,CP-9
rds-instance-ca-certificate-deprecated,SC-12
rds-instance-no-minor-upgrade,SI-2
rds-instance-short-backup-retention-period,CP-9
rds-instance-single-az,CP-7
rds-instance-storage-not-encrypted,SC-28
rds-postgres-instance-with-invalid-certificate,SC-12
rds-security-group-allows-all,CM-7(1)
rds-snapshot-public,SC-28
redshift-cluster-database-not-encrypted,SC-28
redshift-cluster-no-version-upgrade,SI-2
redshift-cluster-publicly-accessible,AC-3
redshift-parameter-group-logging-disabled,AU-12
redshift-parameter-group-ssl-not-required,SC-8
redshift-security-group-whitelists-all,CM-7(1)
route53-domain-no-autorenew,SC-2
route53-domain-no-transferlock,SC-2
route53-domain-transferlock-not-authorized,SC-2
s3-bucket-allowing-cleartext,SC-28
s3-bucket-no-default-encryption,SC-28
s3-bucket-no-logging,AU-2|AU-12
s3-bucket-no-mfa-delete,SI-7
s3-bucket-no-versioning,SI-7
s3-bucket-world-acl,AC-3(3)
s3-bucket-world-policy-arg,AC-3(3)
s3-bucket-world-policy-star,AC-3(3)
ses-identity-dkim-not-enabled,SC-23
ses-identity-dkim-not-verified,SC-23
ses-identity-world-policy,AC-6
sns-topic-world-policy,AC-6
sqs-queue-world-policy,AC-6
vpc-custom-network-acls-allow-all,SC-7
vpc-default-network-acls-allow-all,SC-7
vpc-network-acl-not-used,SC-7
vpc-routing-tables-with-peering,AC-3(3)
vpc-subnet-with-bad-acls,SC-7
vpc-subnet-with-default-acls,SC-7
vpc-subnet-without-flow-log,AU-12
1 change: 1 addition & 0 deletions lib/heimdall_tools.rb
Original file line number Diff line number Diff line change
Expand Up @@ -17,4 +17,5 @@ module HeimdallTools
autoload :AwsConfigMapper, 'heimdall_tools/aws_config_mapper'
autoload :NetsparkerMapper, 'heimdall_tools/netsparker_mapper'
autoload :SarifMapper, 'heimdall_tools/sarif_mapper'
autoload :ScoutSuiteMapper, 'heimdall_tools/scoutsuite_mapper'
end
8 changes: 4 additions & 4 deletions lib/heimdall_tools/aws_config_mapper.rb
Original file line number Diff line number Diff line change
Expand Up @@ -57,10 +57,10 @@ def to_hdf

results = HeimdallDataFormat.new(
profile_name: 'AWS Config',
title: 'AWS Config',
summary: 'AWS Config',
controls: controls,
statistics: { aws_config_sdk_version: Aws::ConfigService::GEM_VERSION },
title: 'AWS Config',
summary: 'AWS Config',
controls: controls,
statistics: { aws_config_sdk_version: Aws::ConfigService::GEM_VERSION },
)
results.to_hdf
end
Expand Down
11 changes: 11 additions & 0 deletions lib/heimdall_tools/cli.rb
Original file line number Diff line number Diff line change
Expand Up @@ -135,6 +135,17 @@ def sarif_mapper
puts options[:output].to_s
end

desc 'scoutsuite_mapper', 'scoutsuite_mapper translates Scout Suite results from Javascript to HDF-formatted JSON so as to be viewable on Heimdall'
long_desc Help.text(:scoutsuite_mapper)
option :javascript, required: true, banner: 'SCOUTSUITE-RESULTS-JS', aliases: ['-i', '--input', '-j']
option :output, required: true, banner: 'HDF-SCAN-RESULTS-JSON', aliases: '-o'
def scoutsuite_mapper
hdf = HeimdallTools::ScoutSuiteMapper.new(File.read(options[:javascript])).to_hdf
File.write(options[:output], hdf)
puts "\rHDF Generated:\n"
puts options[:output].to_s
end

desc 'version', 'prints version'
def version
puts VERSION
Expand Down
7 changes: 7 additions & 0 deletions lib/heimdall_tools/help/scoutsuite_mapper.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
scoutsuite_mapper translates Scout Suite results from Javascript to HDF-formatted JSON so as to be viewable on Heimdall

Note: Currently this mapper only supports AWS.

Examples:

heimdall_tools scoutsuite_mapper -i <scoutsuite-results-js> -o <hdf-scan-results-json>
Loading

0 comments on commit 9aed494

Please sign in to comment.