From 2a3888633be223444adc020dd7055d5c4836f842 Mon Sep 17 00:00:00 2001
From: Craig Koorn <12154702+beatro0t@users.noreply.github.com>
Date: Tue, 24 Aug 2021 12:49:06 +0200
Subject: [PATCH] Add Admin implication
---
 lib/aws/attacks.py | 7 ++++++-
 www/src/components/Graph.vue | 12 ++++++++----
 www/src/config.js | 12 ++++++++++++
 3 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/lib/aws/attacks.py b/lib/aws/attacks.py
index d093c2c..4ea7929 100755
--- a/lib/aws/attacks.py
+++ b/lib/aws/attacks.py
@@ -1231,7 +1231,7 @@ def compute(self, max_iterations=5):
 self.console.task("Removing all existing attacks", db.run, args=["MATCH (p) WHERE p:Pattern "
 " OR p.Arn = 'arn:aws:iam::{Account}:policy/Admin' "
- "OPTIONAL MATCH (p)-[a:ATTACK]->() "
+ "OPTIONAL MATCH (p)-[a:ATTACK|ADMIN]->() "
 "DETACH DELETE p "
 "RETURN COUNT(a) AS deleted"
 ],
@@ -1248,6 +1248,11 @@ def compute(self, max_iterations=5):
 '"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"'
 '}]}}]\''
 '}) '
+ "WITH admin MATCH (r:Resource) "
+ " MERGE (admin)-[access:ADMIN]->(r) "
+ " ON CREATE SET "
+ " access.Name = 'Admin Access', "
+ " access.Description = 'Implies all related actions and attacks' "
 ],
 done="Created pseudo Admin")
diff --git a/www/src/components/Graph.vue b/www/src/components/Graph.vue
index b895eda..c4fa6b5 100644
--- a/www/src/components/Graph.vue
+++ b/www/src/components/Graph.vue
@@ -261,7 +261,8 @@ export default {
 "WITH source, target " +
 "CALL apoc.algo.dijkstraWithDefaultWeight(source, target, 'TRANSITIVE>|ATTACK>', '', 0) " +
 "YIELD path " +
- "RETURN path"
+ "OPTIONAL MATCH admin=(:Admin)-->(target)" +
+ "RETURN path, admin"
 );
 },
@@ -276,7 +277,8 @@ export default {
 "OPTIONAL MATCH path=shortestPath((source)-[:TRANSITIVE|ATTACK*0..]->(target)) " +
 "WHERE (target:Resource OR target:Admin) " +
 "AND source <> target " +
- "RETURN source, path"
+ "OPTIONAL MATCH admin=(source:Admin)-->()" +
+ "RETURN source, path, admin"
 );
 },
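Review bot: Adding `|ADMIN` to the `OPTIONAL MATCH` in the first attacks.py hunk only changes what `COUNT(a) AS deleted` reports, because `DETACH DELETE p` already removes every relationship of `p` whatever its type. The hunk at line 1248 creates one ADMIN edge per Resource, so the returned figure will now mostly count those edges rather than attacks. How `deleted` is used lies outside the hunk; if it is shown as the number of attacks removed, keep the pattern at `[a:ATTACK]`, otherwise a comment such as `# ADMIN edges are counted too; DETACH DELETE removes them either way` would record the intent.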
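Review bot: The `MERGE (admin)-[access:ADMIN]->(r)` added at the end of the pseudo Admin query (hunk at line 1248) introduces a new relationship type with no comment on what consumers may infer from it. In the Graph.vue hunks of this patch the path searches still traverse only `TRANSITIVE` and `ATTACK`, so an ADMIN edge appears to be an annotation fetched alongside a result, not something that extends a computed path. A comment above the added lines, for example `# One ADMIN edge per Resource: marks implied access; path searches do not traverse it`, would keep analysts and later contributors from assuming otherwise. The statement starts above the hunk, so the node's labels are not visible here.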
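Review bot: The added pattern `(:Admin)-->(target)` in the hunk at line 261 matches any relationship type leaving an Admin node, not only the ADMIN edges this patch creates. The attacks.py cleanup query counts `ATTACK|ADMIN` edges from the same nodes, which suggests other types may exist, so `admin` could return edges that the `edge.ADMIN` style is not meant for. The fragment is also the only one in the query without a trailing space before the next concatenated keyword. Something like `"OPTIONAL MATCH admin=(:Admin)-[:ADMIN]->(target) " +` addresses both, and the same applies to the added `OPTIONAL MATCH` lines in the hunks at lines 276, 290 and 304.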
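Review bot: In the hunk at line 276 the new `OPTIONAL MATCH admin=(source:Admin)-->()` is evaluated once per row produced by the preceding `OPTIONAL MATCH path=shortestPath(...)`. When `source` is the Admin node, which gets one ADMIN edge per Resource from attacks.py, the result is roughly paths times edges rows for the client to merge. Aggregating before the second match, e.g. `"WITH source, COLLECT(path) AS paths " +` followed by `"RETURN source, paths, admin"`, keeps the row count linear. The code that consumes the result is outside the hunk and would need to accept the list. The hunk at line 304 has the same shape with `actions`.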
@@ -290,7 +292,8 @@ export default {
 `MATCH (target) WHERE ID(target) = ${id} ` +
 "OPTIONAL MATCH actions=(_)-[:ACTION]->(target) " +
 "WHERE (_:Resource OR _:External) " +
- "RETURN target, actions"
+ "OPTIONAL MATCH admin=(:Admin)-->(target)" +
+ "RETURN target, admin, actions"
 );
 },
@@ -304,7 +307,8 @@ export default {
 `MATCH (source) WHERE ID(source) = ${id} ` +
 "OPTIONAL MATCH actions=(source)-[:ACTION]->(target) " +
 "WHERE target:Resource OR target:CatchAll " +
- "RETURN source, actions"
+ "OPTIONAL MATCH admin=(source:Admin)-->()" +
+ "RETURN source, actions, admin"
 );
 },
diff --git a/www/src/config.js b/www/src/config.js
index 7893f19..cbd9eb9 100644
--- a/www/src/config.js
+++ b/www/src/config.js
@@ -216,6 +216,18 @@ export default {
 'text-rotation': 'autorotate'
 }
 },
+ {
+ selector: 'edge.ADMIN',
+ style: {
+ 'opacity': '0.4',
+ 'overlay-color': 'white',
+ 'overlay-padding': '1px',
+ 'overlay-opacity': '1px',
+ 'target-arrow-shape': 'chevron',
+ 'target-arrow-fill': 'filled',
+ 'color': 'black',
+ }
+ },
 {
 selector: 'node.selected',
 style: {
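Review bot: The query extended in the hunk at line 290 is still assembled by splicing `${id}` into the Cypher text on its first context line, and the hunk at line 304 does the same. Every clause appended to it, including the new `OPTIONAL MATCH`, inherits that string-built construction. If `id` can ever be something other than an integer node id, the safer form is a bound parameter, `MATCH (target) WHERE ID(target) = $id `, with the value passed separately, or a check such as `Number.isInteger(id)` before building the string. Where `id` comes from and how the enclosing function runs the query are outside the hunk.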
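Review bot: `'overlay-opacity': '1px'` in the new `edge.ADMIN` style gives a length where Cytoscape expects a unitless opacity between 0 and 1, so the property is likely to be rejected or ignored. The intended value is not clear from the hunk: a white overlay at full opacity would cover the edge, so pick the number deliberately, written the same way as the `'opacity': '0.4'` line above it. The trailing comma after `'color': 'black',` also differs from the neighbouring block, whose last property (`'text-rotation': 'autorotate'`) has none.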