skill-veil-core 0.2.0

Core library for skill-veil behavioral analysis
/// Kinds of internal, loopback or metadata-service network targets that an
/// artifact may reference.
///
/// Each variant maps to a fixed label, rule id, threat category, recommended
/// action, signal class and reason through the methods on this type.
/// `MetadataService` is the only variant that receives the stricter policy
/// values.
///
// NOTE(review): every address-like variant here is an IPv4 literal or range.
// Whether IPv6 forms (for example the `::1` loopback) are detected elsewhere
// cannot be seen from this file; confirm against the matcher that produces
// these values.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub(crate) enum NetworkTarget {
    /// The link-local address `169.254.169.254`, which cloud providers
    /// commonly use for their instance metadata endpoint.
    MetadataService,
    /// The IPv4 loopback literal `127.0.0.1`.
    Loopback,
    /// The host name `localhost`.
    Localhost,
    /// The wildcard address `0.0.0.0`.
    BindAll,
    /// RFC 1918 private range 10/8.
    Rfc1918_10,
    /// RFC 1918 private range 192.168/16.
    Rfc1918_192,
    /// RFC 1918 private range 172.16/12.
    Rfc1918_172,
    /// A name under the `.internal` suffix.
    InternalDomain,
    /// A name under the `.local` suffix.
    LocalDomain,
}

impl NetworkTarget {
    /// Returns the short, fixed display string for this target.
    pub(crate) fn label(self) -> &'static str {
        match self {
            // Single addresses and host names are reported verbatim.
            Self::MetadataService => "169.254.169.254",
            Self::Loopback => "127.0.0.1",
            Self::Localhost => "localhost",
            Self::BindAll => "0.0.0.0",
            // Private ranges are reported as a tagged CIDR summary.
            Self::Rfc1918_10 => "rfc1918:10/8",
            Self::Rfc1918_192 => "rfc1918:192.168/16",
            Self::Rfc1918_172 => "rfc1918:172.16/12",
            // Domain suffixes.
            Self::InternalDomain => ".internal",
            Self::LocalDomain => ".local",
        }
    }

    /// Returns the rule identifier for this target.
    ///
    /// The metadata service has its own rule id; every other target shares
    /// the generic internal-network rule id.
    pub(crate) fn rule_id(self) -> &'static str {
        // Every variant is listed so that adding a new target forces an
        // explicit classification instead of silently taking the weaker one.
        match self {
            Self::MetadataService => "METADATA_SERVICE_ACCESS",
            Self::Loopback
            | Self::Localhost
            | Self::BindAll
            | Self::Rfc1918_10
            | Self::Rfc1918_192
            | Self::Rfc1918_172
            | Self::InternalDomain
            | Self::LocalDomain => "INTERNAL_NETWORK_ACCESS",
        }
    }

    /// Returns the threat category: `CredentialExposure` for the metadata
    /// service, `ToolAbuse` for every other target.
    pub(crate) fn threat_category(self) -> crate::findings::ThreatCategory {
        match self {
            Self::MetadataService => crate::findings::ThreatCategory::CredentialExposure,
            Self::Loopback
            | Self::Localhost
            | Self::BindAll
            | Self::Rfc1918_10
            | Self::Rfc1918_192
            | Self::Rfc1918_172
            | Self::InternalDomain
            | Self::LocalDomain => crate::findings::ThreatCategory::ToolAbuse,
        }
    }

    /// Returns the recommended action: `RequireApproval` for the metadata
    /// service, `Log` for every other target.
    pub(crate) fn action(self) -> crate::findings::RecommendedAction {
        match self {
            Self::MetadataService => crate::findings::RecommendedAction::RequireApproval,
            Self::Loopback
            | Self::Localhost
            | Self::BindAll
            | Self::Rfc1918_10
            | Self::Rfc1918_192
            | Self::Rfc1918_172
            | Self::InternalDomain
            | Self::LocalDomain => crate::findings::RecommendedAction::Log,
        }
    }

    /// Returns the signal class: `SuspiciousPackageBehavior` for the metadata
    /// service, `ReviewSignal` for every other target.
    pub(crate) fn signal_class(self) -> crate::findings::SignalClass {
        match self {
            Self::MetadataService => crate::findings::SignalClass::SuspiciousPackageBehavior,
            Self::Loopback
            | Self::Localhost
            | Self::BindAll
            | Self::Rfc1918_10
            | Self::Rfc1918_192
            | Self::Rfc1918_172
            | Self::InternalDomain
            | Self::LocalDomain => crate::findings::SignalClass::ReviewSignal,
        }
    }

    /// Returns the fixed human-readable explanation for this target.
    pub(crate) fn reason(self) -> &'static str {
        match self {
            Self::MetadataService => {
                "Artifact references a metadata service target commonly used for credential discovery"
            }
            Self::Loopback
            | Self::Localhost
            | Self::BindAll
            | Self::Rfc1918_10
            | Self::Rfc1918_192
            | Self::Rfc1918_172
            | Self::InternalDomain
            | Self::LocalDomain => "Artifact references internal or loopback network targets",
        }
    }
}

#[cfg(test)]
mod tests {
    use super::NetworkTarget;
    use crate::findings::{RecommendedAction, SignalClass, ThreatCategory};

    /// The metadata-service target must carry the stricter rule id, threat
    /// category, recommended action and signal class.
    #[test]
    fn metadata_service_target_maps_to_stronger_policy_defaults() {
        let target = NetworkTarget::MetadataService;

        assert_eq!(target.rule_id(), "METADATA_SERVICE_ACCESS");
        assert_eq!(target.threat_category(), ThreatCategory::CredentialExposure);
        assert_eq!(target.action(), RecommendedAction::RequireApproval);
        assert_eq!(
            target.signal_class(),
            SignalClass::SuspiciousPackageBehavior
        );
    }

    /// Non-metadata targets keep their label and the log / review-signal
    /// values.
    #[test]
    fn localhost_like_targets_keep_review_semantics() {
        let localhost_label = NetworkTarget::Localhost.label();
        assert_eq!(localhost_label, "localhost");

        let bind_all_action = NetworkTarget::BindAll.action();
        assert_eq!(bind_all_action, RecommendedAction::Log);

        let local_domain_class = NetworkTarget::LocalDomain.signal_class();
        assert_eq!(local_domain_class, SignalClass::ReviewSignal);
    }
}