Merge branch 'develop' into feature/9-ec2-findings

ScoutSuite/output/data/html/partials/azure/services.network.network_security_groups.html

@@ -0,0 +1,80 @@
+<!-- Network Security Groups partial -->
+<script id="services.network.network_security_groups.partial" type="text/x-handlebars-template">
+    <div id="ressource-name" class="list-group-item active">
+        <h4 class="list-group-item-heading">{{name}}</h4>
+    </div>
+
+    <div class="list-group-item">
+        <h4 class="list-group-item-heading">Information</h4>
+        <div class="list-group-item-text item-margin">Name: <span id="network.network_security_groups.{{@key}}.name">{{name}}</span></div>
+        <div class="list-group-item-text item-margin">Location: <span id="network.network_security_groups.{{@key}}.location">{{ location }}</span></div>
+
+        <div class="list-group-item-text item-margin">Exposed Ports:
+            <div class="list-group-item-text item-margin">
+            {{#each exposed_port_ranges}}
+                <li id="network.network_security_groups.{{@../key}}.exposed_port_ranges.{{@key}}">{{ this }}</li>
+            {{/each}}
+            </div>
+        </div>
+    </div>
+    <div class="list-group-item">
+        <h4 class="list-group-item-heading">Security Rules</h4>
+        <div class="list-group-item-text item-margin">
+        {{#each security_rules}}
+            {{name}}
+            <div class="list-group-item-text item-margin">
+                <div class="list-group-item-text item-margin">Allow: <span id="network.network_security_groups.{{@../key}}.security_rule.{{@key}}.allow">{{ allow }}</span></div>
+                <div class="list-group-item-text item-margin">Priority: <span id="network.network_security_groups.{{@../key}}.security_rule.{{@key}}.priority">{{ priority }}</span></div>
+                <div class="list-group-item-text item-margin">Description: <span id="network.network_security_groups.{{@../key}}.security_rule.{{@key}}.description">{{ description }}</span></div>
+                <div class="list-group-item-text item-margin">Provisioning State: <span id="network.network_security_groups.{{@../key}}.security_rule.{{@key}}.provisioning_state">{{ provisioning_state }}</span></div>
+                <div class="list-group-item-text item-margin">Protocol: <span id="network.network_security_groups.{{@../key}}.security_rule.{{@key}}.protocol">{{ protocol }}</span></div>
+                <div class="list-group-item-text item-margin">Direction: <span id="network.network_security_groups.{{@../key}}.security_rule.{{@key}}.direction">{{ direction }}</span></div>
+
+                <div class="list-group-item-text item-margin">Source Address Prefixes:
+                    <div class="list-group-item-text item-margin">
+                    {{#each source_address_prefixes}}
+                        <li id="network.network_security_groups.{{@../../key}}.security_rule.{{@../key}}.source_address_prefixes.{{@key}}">{{ this }}</li>
+                    {{/each}}
+                    </div>
+                </div>
+
+                <div class="list-group-item-text item-margin">Source Ports:
+                    <div class="list-group-item-text item-margin">
+                    {{#each source_port_ranges}}
+                        <li id="network.network_security_groups.{{@../../key}}.security_rule.{{@../key}}.source_port_ranges.{{@key}}">{{ this }}</li>
+                    {{/each}}
+                    </div>
+                </div>
+
+                <div class="list-group-item-text item-margin">Destination Address Prefixes:
+                    <div class="list-group-item-text item-margin">
+                    {{#each destination_address_prefixes}}
+                        <li id="network.network_security_groups.{{@../../key}}.security_rule.{{@../key}}.destination_address_prefixes.{{@key}}">{{ this }}</li>
+                    {{/each}}
+                    </div>
+                </div>
+
+                <div class="list-group-item-text item-margin">Destination Port Ranges:
+                    <div class="list-group-item-text item-margin">
+                    {{#each destination_port_ranges}}
+                        <li id="network.network_security_groups.{{@../../key}}.security_rule.{{@../key}}.destination_port_ranges.{{@key}}">{{ this }}</li>
+                    {{/each}}
+                    </div>
+                </div>
+            </div>
+        {{/each}}
+        </div>
+    </div>
+</script>
+
+<script>
+    Handlebars.registerPartial("services.network.network_security_groups", $("#services\\.network\\.network_security_groups\\.partial").html());
+</script>
+
+<!-- Single security group template -->
+<script id="single_network_network_security_group-template" type="text/x-handlebars-template">
+    {{> modal_template template='services.network.network_security_groups'}}
+</script>
+<script>
+    var single_network_network_security_group_template = Handlebars.compile($("#single_network_network_security_group-template").html());
+</script>

ScoutSuite/output/data/html/partials/azure/services.network.network_watchers.html

@@ -0,0 +1,24 @@
+<!-- Network Watchers partial -->
+<script id="services.network.network_watchers.partial" type="text/x-handlebars-template">
+    <div id="ressource-name" class="list-group-item active">
+        <h4 class="list-group-item-heading">{{location}}</h4>
+    </div>
+
+    <div class="list-group-item">
+        <h4 class="list-group-item-heading">Information</h4>
+        <div class="list-group-item-text item-margin">Name: <span id="network.network_watchers.{{@key}}.name">{{name}}</span></div>
+        <div class="list-group-item-text item-margin">Provisioning State: <span id="network.network_watchers.{{@key}}.provisioning_state">{{ provisioning_state }}</span></div>
+    </div>
+</script>
+
+<script>
+    Handlebars.registerPartial("services.network.network_watchers", $("#services\\.network\\.network_watchers\\.partial").html());
+</script>
+
+<!-- Single watcher template -->
+<script id="single_network_network_watcher-template" type="text/x-handlebars-template">
+    {{> modal_template template='services.network.network_watchers'}}
+</script>
+<script>
+    var single_network_network_watcher_template = Handlebars.compile($("#single_network_network_watcher-template").html());
+</script>

ScoutSuite/output/data/inc-scoutsuite/scoutsuite.js

@@ -1018,6 +1018,8 @@ function make_title (title) {
         return 'SQL Database';
     } else if (title == 'securitycenter') {
         return 'Security Center';
+    } else if (title == 'network') {
+        return 'Network';
     } else if (title == 'keyvault') {
         return 'Key Vault';
     } else if (title == 'appgateway') {

ScoutSuite/providers/azure/configs/services.py

@@ -5,6 +5,7 @@
 from ScoutSuite.providers.azure.services.monitor import MonitorConfig
 from ScoutSuite.providers.azure.services.sqldatabase import SQLDatabaseConfig
 from ScoutSuite.providers.azure.services.securitycenter import SecurityCenterConfig
+from ScoutSuite.providers.azure.services.network import NetworkConfig
 from ScoutSuite.providers.azure.services.keyvault import KeyVaultConfig
 try:
     from ScoutSuite.providers.azure.services.appgateway_private import AppGatewayConfig
@@ -24,6 +25,7 @@ def __init__(self, metadata=None, thread_config=4, **kwargs):
         self.monitor = MonitorConfig(thread_config=thread_config)
         self.sqldatabase = SQLDatabaseConfig(thread_config=thread_config)
         self.securitycenter = SecurityCenterConfig(thread_config=thread_config)
+        self.network = NetworkConfig(thread_config=thread_config)
         self.keyvault = KeyVaultConfig(thread_config=thread_config)
 
         try:

ScoutSuite/providers/azure/metadata.json

@@ -55,6 +55,18 @@
           "path": "services.appgateway.app_gateways"
         }
       }
+    },
+    "network": {
+      "resources": {
+        "network_watchers": {
+          "cols": 2,
+          "path": "services.network.network_watchers"
+        },
+        "network_security_groups": {
+          "cols": 2,
+          "path": "services.network.network_security_groups"
+        }
+      }
     }
   },
   "redis": {

ScoutSuite/providers/azure/rules/conditions/allow-tcp.json

@@ -0,0 +1,7 @@
+{
+    "conditions":[
+          "or",
+          ["network.network_security_groups.id.security_rules.id.protocol", "equal", "*"],
+          ["network.network_security_groups.id.security_rules.id.protocol", "equal", "TCP"]
+      ]
+}

ScoutSuite/providers/azure/rules/conditions/exposed-to-the-internet.json

@@ -0,0 +1,12 @@
+{
+    "conditions":[
+      "and",
+      ["network.network_security_groups.id.security_rules.id.allow", "true", ""],
+      ["network.network_security_groups.id.security_rules.id.direction", "equal", "Inbound"],
+      [
+          "or",
+          ["network.network_security_groups.id.security_rules.id.source_address_prefixes", "containAtLeastOneOf", "*"],
+          ["network.network_security_groups.id.security_rules.id.source_address_prefixes", "containAtLeastOneOf", "Internet"]
+      ]
+    ]
+}

ScoutSuite/providers/azure/rules/findings/network-security-groups-rule-inbound-service.json

@@ -0,0 +1,15 @@
+{
+    "dashboard_name": "Network",
+    "arg_names": [ "Protocol (ex: SSH, RDP, etc.)", "Protocol's port", "Associated CIS rule" ],
+    "key": "network-security-groups-rule-inbound-_ARG_0_",
+    "description": "Security rule allowing _ARG_0_ inbound access in security group",
+    "rationale": "You should not permit _ARG_0_(port _ARG_1_) inbound access to a network security group (CIS _ARG_2_).",
+    "path": "network.network_security_groups.id.security_rules.id",
+    "display_path": "network.network_security_groups.id",
+    "conditions": [ "and",
+        ["network.network_security_groups.id.security_rules.id.destination_ports", "containAtLeastOneOf", "_ARG_1_"],
+        ["_INCLUDE_(conditions/exposed-to-the-internet.json)", "", ""],
+        ["_INCLUDE_(conditions/allow-tcp.json)", "", ""]
+    ],
+    "id_suffix": "security_groups_rule_inbound__ARG_0_"
+}

ScoutSuite/providers/azure/rules/findings/network-watcher-not-enabled.json

@@ -0,0 +1,11 @@
+{
+    "dashboard_name": "Network",
+    "description": "Network watcher not  enabled",
+    "rationale": "Network watchers should be enabled (CIS 6.5).",
+    "path": "network.network_watchers",
+    "display_path": "network.network_watchers",
+    "conditions": [ "and",
+        ["network.network_watchers", "empty", ""]
+    ],
+    "id_suffix": "network_watchers_disabled"
+}

ScoutSuite/providers/azure/rules/findings/network-watcher-not-provisioned.json

@@ -0,0 +1,11 @@
+{
+    "dashboard_name": "Network",
+    "description": "Network watcher not provisioned",
+    "rationale": "Network watchers should be provisioned to work (CIS 6.5).",
+    "path": "network.network_watchers.id",
+    "display_path": "network.network_watchers.id",
+    "conditions": [ "and",
+        ["network.network_watchers.id.provisioning_state", "notEqual", "Succeeded"]
+    ],
+    "id_suffix": "network_watchers_not_provisioned"
+}

ScoutSuite/providers/azure/rules/rulesets/default.json

@@ -1,6 +1,47 @@
 {
   "about": "Default ruleset for Azure.",
   "rules": {
+    "network-security-groups-rule-inbound-service.json": [
+      {
+        "args": [
+          "RDP",
+          "3389",
+          "6.1"
+        ],
+        "enabled": true,
+        "level": "warning"
+      },
+      {
+        "args": [
+          "SSH",
+          "22",
+          "6.2"
+        ],
+        "enabled": true,
+        "level": "warning"
+      },
+      {
+        "args": [
+          "SQL",
+          "1433",
+          "6.3"
+        ],
+        "enabled": true,
+        "level": "warning"
+      }
+    ],
+    "network-watcher-not-enabled.json": [
+      {
+        "enabled": true,
+        "level": "warning"
+      }
+    ],
+    "network-watcher-not-provisioned.json": [
+      {
+        "enabled": true,
+        "level": "warning"
+      }
+    ],
     "storageaccount-account-allowing-clear-text.json": [
       {
         "enabled": true,