Exemplo n.º 1
def test_segmentation_violation(current_monkey, target_ip):
    """Record a failed segmentation finding for every violating subnet pair.

    Walks each configured subnet group, considers every ordered pair of
    subnets inside that group, and asks is_segmentation_violation whether
    current_monkey reaching target_ip breaks the boundary between them.
    What counts as a violation is decided entirely by that helper, which is
    not shown here.
    """
    # TODO - lower code duplication between this and report.py.
    for group in get_config_network_segments_as_subnet_groups():
        # product(group, group) yields both orderings of each pair and also
        # (s, s) self-pairs.
        # NOTE(review): presumably is_segmentation_violation rejects identical
        # source/target subnets - confirm, otherwise self-pairs could be
        # reported as failures.
        for source_subnet, target_subnet in itertools.product(group, group):
            violated = is_segmentation_violation(
                current_monkey, target_ip, source_subnet, target_subnet)
            if not violated:
                continue

            event = get_segmentation_violation_event(
                current_monkey, source_subnet, target_ip, target_subnet)
            # The finding is keyed by the two subnets and marked failed; the
            # event is attached as the evidence for it.
            SegmentationFinding.create_or_add_to_existing_finding(
                subnets=[source_subnet, target_subnet],
                status=zero_trust_consts.STATUS_FAILED,
                segmentation_event=event)
Exemplo n.º 2
    def get_cross_segment_issues():
        """Collect cross-segment issues for every configured subnet group.

        Queries scan telemetry (projected down to the monkey GUID, the
        scanned machine's IP address and its services) and passes it, one
        subnet group at a time, to
        ReportService.get_cross_segment_issues_per_subnet_group. The
        per-group results are concatenated and returned as one list.
        """
        scan_fields = {
            'monkey_guid': 1,
            'data.machine.ip_addr': 1,
            'data.machine.services': 1
        }
        scan_telemetry = mongo.db.telemetry.find(
            {'telem_category': 'scan'}, scan_fields)

        # For now the feature is limited to 1 group.
        # NOTE(review): the same query result object is handed to every
        # group. If it is a single-pass cursor, confirm the per-group helper
        # re-reads it before relying on more than one group; otherwise later
        # groups could silently report no issues.
        subnet_groups = get_config_network_segments_as_subnet_groups()

        collected_issues = []
        for group in subnet_groups:
            collected_issues.extend(
                ReportService.get_cross_segment_issues_per_subnet_group(
                    scan_telemetry, group))
        return collected_issues
Exemplo n.º 3
def check_segmentation_violation(current_monkey, target_ip):
    """Add a failed segmentation-test finding for each violating subnet pair.

    For every configured subnet group, each ordered pair of subnets in the
    group is passed to is_segmentation_violation together with
    current_monkey and target_ip. Each reported violation produces an event
    that is filed under the segmentation test with a failed status. The
    violation criteria live in is_segmentation_violation, which is not
    shown here.
    """
    # TODO - lower code duplication between this and report.py.
    for group in get_config_network_segments_as_subnet_groups():
        # product(group, group) yields both orderings of each pair and also
        # (s, s) self-pairs.
        # NOTE(review): presumably is_segmentation_violation rejects identical
        # source/target subnets - confirm, otherwise self-pairs could be
        # reported as failures.
        for source_subnet, target_subnet in itertools.product(group, group):
            violated = is_segmentation_violation(
                current_monkey, target_ip, source_subnet, target_subnet)
            if not violated:
                continue

            event = get_segmentation_violation_event(
                current_monkey, source_subnet, target_ip, target_subnet)
            # Unlike a per-subnet-pair finding, this call identifies the
            # finding by test name only; the subnets are carried by the event.
            MonkeyZTFindingService.create_or_add_to_existing(
                test=zero_trust_consts.TEST_SEGMENTATION,
                status=zero_trust_consts.STATUS_FAILED,
                events=[event],
            )
Exemplo n.º 4
    def get_cross_segment_issues():
        """Collect cross-segment issues for every configured subnet group.

        Queries scan telemetry (projected down to the monkey GUID and the
        scanned machine's IP address, services and ICMP data) and passes it,
        one subnet group at a time, to
        ReportService.get_cross_segment_issues_per_subnet_group. The
        per-group results are concatenated and returned as one list.
        """
        scan_filter = {"telem_category": "scan"}
        scan_fields = {
            "monkey_guid": 1,
            "data.machine.ip_addr": 1,
            "data.machine.services": 1,
            "data.machine.icmp": 1,
        }
        scan_telemetry = mongo.db.telemetry.find(scan_filter, scan_fields)

        # For now the feature is limited to 1 group.
        # NOTE(review): the same query result object is handed to every
        # group. If it is a single-pass cursor, confirm the per-group helper
        # re-reads it before relying on more than one group; otherwise later
        # groups could silently report no issues.
        subnet_groups = get_config_network_segments_as_subnet_groups()

        collected_issues = []
        for group in subnet_groups:
            collected_issues.extend(
                ReportService.get_cross_segment_issues_per_subnet_group(
                    scan_telemetry, group))
        return collected_issues
Exemplo n.º 5
def test_passed_findings_for_unreached_segments(current_monkey):
    """Create or extend findings for all pairs of configured subnets.

    Flattens every configured subnet group into a single list, so pairs are
    formed across group boundaries as well as within a group, then hands
    that list and current_monkey to create_or_add_findings_for_all_pairs.
    """
    # NOTE(review): the function name suggests the helper records "passed"
    # findings for segments the monkey did not reach - confirm against
    # create_or_add_findings_for_all_pairs, which is not shown here.
    every_subnet = []
    for group in get_config_network_segments_as_subnet_groups():
        every_subnet.extend(group)
    create_or_add_findings_for_all_pairs(every_subnet, current_monkey)