
Cross-platform attack path - Cartography unable to find permissions_relationships.yaml file

Open filipi86 opened this issue 1 year ago • 12 comments

Title: Cross-platform attack path - Cartography unable to find permissions_relationships.yaml file

Description: I'm trying to integrate my AWS account and my OKTA account. I can see both separately in my graph, but I cannot see any job that builds the cross-platform attack path.

To Reproduce:

I performed Cartography

cartography --neo4j-uri bolt://localhost:7687 --neo4j-password-prompt --neo4j-user neo4j --okta-api-key-env-var Okta --okta-org-id trial-********

Logs:

WARNING:cartography.intel.aws.permission_relationships:Permission relationships mapping file /home/****/*******/AWS//cartography/data/permission_relationships.yaml not found, skipping sync stage cartography.intel.aws.permission_relationships. If you want to run this sync, please explicitly set a value for --permission-relationships-file in the command line interface.

Screenshots: OKTA human (screenshot)

AWSRoles (screenshot)

OKTAApplication (screenshot)

I performed this query: MATCH (h:Human)-[c:CAN_ASSUME_ROLE]->(r:AWSPrincipal) return * limit 30;

But I didn't receive any results (screenshot)

Hi @achantavy, more screenshots of the configurations:

AWS Identity Provider

(screenshot)

OKTA Provisioning APP

(screenshot)

filipi86 avatar Aug 23 '22 18:08 filipi86

Hi @filipi86 - What's the value of your Okta AWS SAML regex?

Cartography sets it by default here: https://github.com/lyft/cartography/blob/85ae844ae25e2d113e2add2903cfb4931ae9ab61/cartography/cli.py#L245-L252 but you can override it if your organization does something different.

Also as reference see https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Amazon-Web-Service.html; I think Okta's default regex is ^aws\#\S+\#(?{{role}}[\w\-]+)\#(?{{accountid}}\d+)$.

achantavy avatar Aug 25 '22 03:08 achantavy
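A quick way to check whether your Okta group names would be picked up by that regex before expecting any CAN_ASSUME_ROLE edges. This is an added example, not Cartography's own code; it assumes Cartography rewrites the Okta-style {{role}} and {{accountid}} placeholders into Python named groups before matching, and the group names below are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Okta's default AWS SAML group regex as quoted in the thread. Okta writes the
# named groups as {{role}} / {{accountid}}; Python needs (?P<name>...) syntax.
OKTA_DEFAULT_REGEX = r"^aws\#\S+\#(?{{role}}[\w\-]+)\#(?{{accountid}}\d+)$"


def to_python_regex(okta_regex: str) -> "re.Pattern[str]":
    """Translate the Okta placeholder syntax into a compiled Python regex.

    Assumption: Cartography performs an equivalent substitution before it
    matches group names; this helper is written for illustration only.
    """
    python_regex = (
        okta_regex.replace("{{role}}", "P<role>").replace("{{accountid}}", "P<accountid>")
    )
    return re.compile(python_regex)


def parse_group(group_name: str, pattern: Optional["re.Pattern[str]"] = None) -> Optional[Dict[str, str]]:
    """Return {'role': ..., 'accountid': ...} if the group name matches, else None."""
    pattern = pattern or to_python_regex(OKTA_DEFAULT_REGEX)
    m = pattern.match(group_name)
    if not m:
        return None
    return {"role": m.group("role"), "accountid": m.group("accountid")}


def check_groups(group_names: List[str], okta_regex: str = OKTA_DEFAULT_REGEX) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Split group names into those that yield a role/account pair and those the sync would skip."""
    pattern = to_python_regex(okta_regex)
    matched: Dict[str, Dict[str, str]] = {}
    skipped: List[str] = []
    for name in group_names:
        parsed = parse_group(name, pattern)
        if parsed:
            matched[name] = parsed
        else:
            skipped.append(name)
    return matched, skipped


# Constructed sample group names (not taken from the thread's screenshots).
SAMPLE_GROUPS = [
    "aws#prod#ReadOnly#123456789012",    # matches the default pattern
    "aws#prod#Admin-Role#123456789012",  # hyphen is allowed by [\w\-]
    "AWS-Prod-ReadOnly",                 # different naming scheme: never matches
    "aws#prod#ReadOnly#12345678901x",    # account id must be digits only
]

if __name__ == "__main__":
    matched, skipped = check_groups(SAMPLE_GROUPS)
    for name, parts in matched.items():
        print(f"OK      {name} -> role={parts['role']} account={parts['accountid']}")
    for name in skipped:
        print(f"SKIPPED {name} (no CAN_ASSUME_ROLE edge would be created)")
```

Any group in the SKIPPED list is one the sync cannot map to an AWS role; either rename the groups or pass your own pattern via --okta-saml-role-regex.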

Hi @achantavy. I followed the docs and put it in.

(screenshot)

OKTA App (screenshot)

OKTA AWS. Maybe something is wrong here. What do you think?

(screenshot)

filipi86 avatar Aug 25 '22 10:08 filipi86

Hi @achantavy, I'm trying to solve it! I created a new relationship file; probably the syntax is wrong.

(screenshot)

But now I have information about CAN_ASSUME_ROLE, CAN_READ and CAN_WRITE, as you can see below:

(screenshot)

But it doesn't work yet! :(

(screenshot)

filipi86 avatar Aug 25 '22 17:08 filipi86

Hi @achantavy, any updates or help?

filipi86 avatar Aug 29 '22 12:08 filipi86

Hi @ramonpetgrave64, can you help with that?

filipi86 avatar Aug 30 '22 17:08 filipi86

Are you sure that you've been able to sync all of the Nodes mentioned in this query? https://github.com/lyft/cartography/blob/2ca876b9c587b37b9797d373a384faf79278bf91/cartography/intel/okta/awssaml.py#L99

ramonpetgrave64 avatar Aug 30 '22 18:08 ramonpetgrave64

Are you sure that you've been able to sync all of the Nodes mentioned in this query?

https://github.com/lyft/cartography/blob/2ca876b9c587b37b9797d373a384faf79278bf91/cartography/intel/okta/awssaml.py#L99

Hi @ramonpetgrave64, yes, I shared the screenshots of the integration :)

AWS Identity Provider (screenshot)

OKTA Provisioning APP (screenshot)

Any suggestion?

filipi86 avatar Aug 31 '22 10:08 filipi86

And you're sure you have OktaGroup nodes?

ramonpetgrave64 avatar Aug 31 '22 15:08 ramonpetgrave64

And you're sure you have OktaGroup nodes?

This is the OktaGroup that I have (screenshot)

OktaApplication (screenshot)

filipi86 avatar Sep 01 '22 10:09 filipi86

Hi @ramonpetgrave64, any updates or ideas?

filipi86 avatar Sep 02 '22 12:09 filipi86

When you double-click the OktaGroup nodes, are there any members attached? It could help if you did a local installation of cartography and then inserted your own debug statements into the code. https://lyft.github.io/cartography/dev/developer-guide.html?highlight=pip%20install%20cartography

ramonpetgrave64 avatar Sep 02 '22 16:09 ramonpetgrave64