Merge pull request #417 from Netflix/develop

Release v0.7.0
Netflix · Sep 23, 2016 · eefef7a · eefef7a
2 parents ef4d942 + 0c82202
commit eefef7a
Show file tree

Hide file tree

Showing 89 changed files with 5,005 additions and 662 deletions.
diff --git a/dart/pubspec.lock b/dart/pubspec.lock
@@ -221,4 +221,3 @@ packages:
       url: "https://pub.dartlang.org"
     source: hosted
     version: "2.1.9"
-sdk: ">=1.12.0 <2.0.0"
diff --git a/dart/web/js/sso.js b/dart/web/js/sso.js
@@ -18,6 +18,9 @@ var create_url = function(provider) {
     url += "&redirect_uri="+provider.redirectUri;
     url += "&scope="+provider.scope.join(provider.scopeDelimiter);
     url += "&state=clientId,"+provider.clientId+",redirectUri,"+provider.redirectUri+",return_to,"+next;
+    if (provider.hd) {
+        url += "&hd="+provider.hd;
+    }
     return url;
 };
 
@@ -33,4 +36,4 @@ $.getJSON("/api/1/auth/providers",
             });
         });
     }
-);
+);
diff --git a/dart/web/ui.html b/dart/web/ui.html
@@ -46,22 +46,22 @@
                 <li class="dropdown">
                     <a class="dropdown-toggle" data-toggle="dropdown">Reports <b class="caret"></b></a>
                     <ul class="dropdown-menu">
-                        <li><a href="#/issues/-/iamuser/-/-/True/active%20accesskey/1/25">IAM User - Active Access Keys</a></li>
-                        <li><a href="#/issues/-/iamuser/-/-/True/inactive/1/25">IAM User - Inactive Access Keys</a></li>
+                        <li><a href="#/issues/-/iamuser/-/-/-/True/active%20accesskey/1/25">IAM User - Active Access Keys</a></li>
+                        <li><a href="#/issues/-/iamuser/-/-/-/True/inactive/1/25">IAM User - Inactive Access Keys</a></li>
                         <li class="divider"></li>
-                        <li><a href="#/issues/-/s3/-/-/True/ACL%20-%20Unknown%20Cross%20Account%20Access./1/25">S3 - ACL - Unknown Cross Account Access</a></li>
-                        <li><a href="#/issues/-/s3/-/-/True/POLICY%20-%20Unknown%20Cross%20Account%20Access./1/25">S3 - POLICY - Unknown Cross Account Access</a></li>
-                        <li><a href="#/issues/-/s3/-/-/True/ACL%20-%20AllUsers%20USED./1/25">S3 - ACL - AllUsers USED</a></li>
-                        <li><a href="#/issues/-/s3/-/-/True/POLICY%20-%20This%20Policy%20Allows%20Access%20From%20Anyone./1/25">S3 - POLICY - This Policy Allows Access From Anyone</a></li>
-                        <li><a href="#/issues/-/s3/-/-/True/ACL%20-%20AuthenticatedUsers%20USED./1/25">S3 - ACL - Authenticated Users</a></li>
-                        <li><a href="#/issues/-/s3/-/-/True/POLICY%20-%20Friendly%20Third%20Party%20Account%20Access./1/25">S3 - POLICY - Friendly Third Party Account Access</a></li>
+                        <li><a href="#/issues/-/s3/-/-/-/True/ACL%20-%20Unknown%20Cross%20Account%20Access./1/25">S3 - ACL - Unknown Cross Account Access</a></li>
+                        <li><a href="#/issues/-/s3/-/-/-/True/POLICY%20-%20Unknown%20Cross%20Account%20Access./1/25">S3 - POLICY - Unknown Cross Account Access</a></li>
+                        <li><a href="#/issues/-/s3/-/-/-/True/ACL%20-%20AllUsers%20USED./1/25">S3 - ACL - AllUsers USED</a></li>
+                        <li><a href="#/issues/-/s3/-/-/-/True/POLICY%20-%20This%20Policy%20Allows%20Access%20From%20Anyone./1/25">S3 - POLICY - This Policy Allows Access From Anyone</a></li>
+                        <li><a href="#/issues/-/s3/-/-/-/True/ACL%20-%20AuthenticatedUsers%20USED./1/25">S3 - ACL - Authenticated Users</a></li>
+                        <li><a href="#/issues/-/s3/-/-/-/True/POLICY%20-%20Friendly%20Third%20Party%20Account%20Access./1/25">S3 - POLICY - Friendly Third Party Account Access</a></li>
                         <li class="divider"></li>
-                        <li><a href="#/issues/-/sns/-/-/True/Friendly%20Cross%20Account%20Access/1/25">SNS - Friendly Cross Account Access</a></li>
-                        <li><a href="#/issues/-/sns/-/-/True/Unknown%20Cross%20Account%20Access/1/25">SNS - Unknown Cross Account Access</a></li>
+                        <li><a href="#/issues/-/sns/-/-/-/True/Friendly%20Cross%20Account%20Access/1/25">SNS - Friendly Cross Account Access</a></li>
+                        <li><a href="#/issues/-/sns/-/-/-/True/Unknown%20Cross%20Account%20Access/1/25">SNS - Unknown Cross Account Access</a></li>
                         <li class="divider"></li>
-                        <li><a href="#/issues/-/securitygroup/-/-/True/-/1/25">Security Group Issues</a></li>
-                        <li><a href="#/issues/-/rds/-/-/True/-/1/25">RDS Security Group Issues</a></li>
-                        <li><a href="#/issues/-/redshift/-/-/True/-/1/25">Redshift Issues</a></li>
+                        <li><a href="#/issues/-/securitygroup/-/-/-/True/-/1/25">Security Group Issues</a></li>
+                        <li><a href="#/issues/-/rds/-/-/-/True/-/1/25">RDS Security Group Issues</a></li>
+                        <li><a href="#/issues/-/redshift/-/-/-/True/-/1/25">Redshift Issues</a></li>
                     </ul>
                 </li>
                 <li><a href="#/settings">Settings</a></li>

diff --git a/docs/changelog.rst b/docs/changelog.rst
@@ -2,6 +2,80 @@
 Changelog
 *********
 
+v0.7.0 (2016-09-21)
+===================
+- PR #410/#405 - @zollman - Custom Watcher/Auditor Support. (Dynamic Loading)
+- PR #412 - @llange - Google SSO Fixes
+- PR #409 - @kyelberry - Fixed Report URLs in UI.
+- PR #413 - @markofu - Better handle IAM SSL certificates that we cannot parse.
+- PR #411 - @zollman - Many, many new watchers and auditors.
+
+
+New Watchers:
+
+    * CloudTrail
+    * AWSConfig
+    * AWSConfigRecorder
+    * DirectConnect::Connection
+    * EC2::EbsSnapshot
+    * EC2::EbsVolume
+    * EC2::Image
+    * EC2::Instance
+    * ENI
+    * KMS::Grant
+    * KMS::Key
+    * Lambda
+    * RDS::ClusterSnapshot
+    * RDS::DBCluster
+    * RDS::DBInstace
+    * RDS::Snapshot
+    * RDS::SubnetGroup
+    * Route53
+    * Route53Domains
+    * TrustedAdvisor
+    * VPC::DHCP
+    * VPC::Endpoint
+    * VPC::FlowLog
+    * VPC::NatGateway
+    * VPC::NetworkACL
+    * VPC::Peering
+
+Important Notes:
+
+- New permissions required:
+    - cloudtrail:describetrails
+    - config:describeconfigrules
+    - config:describeconfigurationrecorders
+    - directconnect:describeconnections
+    - ec2:describeflowlogs
+    - ec2:describeimages
+    - ec2:describenatgateways
+    - ec2:describenetworkacls
+    - ec2:describenetworkinterfaces
+    - ec2:describesnapshots
+    - ec2:describevolumes
+    - ec2:describevpcendpoints
+    - ec2:describevpcpeeringconnections,
+    - iam:getaccesskeylastused
+    - iam:listattachedgrouppolicies
+    - iam:listattacheduserpolicies
+    - lambda:listfunctions
+    - rds:describedbclusters
+    - rds:describedbclustersnapshots
+    - rds:describedbinstances
+    - rds:describedbsnapshots
+    - rds:describedbsubnetgroups
+    - redshift:describeclusters
+    - route53domains:listdomains
+
+Contributors:
+
+- @zollman
+- @kyleberry
+- @llange
+- @markofu
+- @monkeysecurity
+
 v0.6.0 (2016-08-29)
 ===================
 - issue #292 - PR #332 - Add ephemeral sections to the redshift watcher

diff --git a/docs/configuration.rst b/docs/configuration.rst
@@ -71,23 +71,38 @@ SM-ReadOnly
         "Statement": [
             {
                 "Action": [
-                    "acm:ListCertificates",
-                    "acm:DescribeCertificate",
+                    "acm:describecertificate",
+                    "acm:listcertificates",
+                    "cloudtrail:describetrails",
+                    "config:describeconfigrules",
+                    "config:describeconfigurationrecorders",
+                    "directconnect:describeconnections",
                     "ec2:describeaddresses",
                     "ec2:describedhcpoptions",
+                    "ec2:describeflowlogs",
+                    "ec2:describeimages",
                     "ec2:describeinstances",
                     "ec2:describeinternetgateways",
                     "ec2:describekeypairs",
+                    "ec2:describenatgateways",
+                    "ec2:describenetworkacls",
+                    "ec2:describenetworkinterfaces",
                     "ec2:describeregions",
                     "ec2:describeroutetables",
                     "ec2:describesecuritygroups",
+                    "ec2:describesnapshots",
                     "ec2:describesubnets",
                     "ec2:describetags",
+                    "ec2:describevolumes",
+                    "ec2:describevpcendpoints",
+                    "ec2:describevpcpeeringconnections",
                     "ec2:describevpcs",
-                    "elasticloadbalancing:describeinstancehealth",
                     "elasticloadbalancing:describeloadbalancerattributes",
                     "elasticloadbalancing:describeloadbalancerpolicies",
                     "elasticloadbalancing:describeloadbalancers",
+                    "es:describeelasticsearchdomainconfig",
+                    "es:listdomainnames",
+                    "iam:getaccesskeylastused",
                     "iam:getgroup",
                     "iam:getgrouppolicy",
                     "iam:getloginprofile",
@@ -98,7 +113,9 @@ SM-ReadOnly
                     "iam:getuser",
                     "iam:getuserpolicy",
                     "iam:listaccesskeys",
+                    "iam:listattachedgrouppolicies",
                     "iam:listattachedrolepolicies",
+                    "iam:listattacheduserpolicies",
                     "iam:listentitiesforpolicy",
                     "iam:listgrouppolicies",
                     "iam:listgroups",
@@ -111,27 +128,31 @@ SM-ReadOnly
                     "iam:listsigningcertificates",
                     "iam:listuserpolicies",
                     "iam:listusers",
-                    "kms:DescribeKey",
-                    "kms:GetKeyPolicy",
-                    "kms:ListKeys",
-                    "kms:ListAliases",
-                    "kms:ListGrants",
-                    "kms:ListKeyPolicies",
-                    "redshift:DescribeClusters",
+                    "kms:describekey",
+                    "kms:getkeypolicy",
+                    "kms:listaliases",
+                    "kms:listgrants",
+                    "kms:listkeypolicies",
+                    "kms:listkeys",
+                    "lambda:listfunctions",
+                    "rds:describedbclusters",
+                    "rds:describedbclustersnapshots",
+                    "rds:describedbinstances",
                     "rds:describedbsecuritygroups",
+                    "rds:describedbsnapshots",
+                    "rds:describedbsubnetgroups",
+                    "redshift:describeclusters",
                     "route53:listhostedzones",
                     "route53:listresourcerecordsets",
+                    "route53domains:listdomains",
                     "s3:getbucketacl",
-                    "s3:getbucketcors",
                     "s3:getbucketlocation",
                     "s3:getbucketlogging",
                     "s3:getbucketpolicy",
                     "s3:getbuckettagging",
                     "s3:getbucketversioning",
                     "s3:getlifecycleconfiguration",
                     "s3:listallmybuckets",
-                    "ses:getidentitydkimattributes",
-                    "ses:getidentitynotificationattributes",
                     "ses:getidentityverificationattributes",
                     "ses:listidentities",
                     "ses:listverifiedemailaddresses",
@@ -140,10 +161,7 @@ SM-ReadOnly
                     "sns:listsubscriptionsbytopic",
                     "sns:listtopics",
                     "sqs:getqueueattributes",
-                    "sqs:listqueues",
-                    "sqs:receivemessage",
-                    "es:DescribeElasticSearchDomainConfig",
-                    "es:ListDomainNames"
+                    "sqs:listqueues"
                 ],
                 "Effect": "Allow",
                 "Resource": "*"

diff --git a/docs/contributing.rst b/docs/contributing.rst
@@ -9,7 +9,7 @@ hacking on Security Monkey and contributing back your patches.
 Development Setup OS X
 ======================
 
-Please review the `Mac OS X Development Setup Instructions <dev_setup_osx.rst>`_ to set up your Mac for Security Monkey development. 
+Please review the `Mac OS X Development Setup Instructions <dev_setup_osx.rst>`_ to set up your Mac for Security Monkey development.
 
 
 Development Setup Ubuntu
@@ -55,3 +55,5 @@ Additional resources
 - `Issue tracker <https://github.com/netflix/security_monkey/issues>`_
 
 - `GitHub documentation <https://help.github.com/>`_
+
+- `Development Guidelines <development.rst>`_
diff --git a/docs/development.rst b/docs/development.rst
@@ -0,0 +1,98 @@
+**********************
+Development Guidelines
+**********************
+
+Adding a Watcher
+----------------
+Watchers are located in the `watchers <../security_monkey/watchers/>`_ directory. Some related
+watcher types are grouped together in common sub directories. An example would be IAM types.
+
+If a watcher is specific to an organization and is not intended to be contributed
+back to the OSS community, it should be placed under the watchers/custom directory.
+
+Any class that extends Watcher, overrides index and is located under the watchers
+directory will be dynamically loaded by the Security Monkey application at runtime.
+
+All watchers extend the Watcher class located in the `watcher.py <../security_monkey/watcher.py>`_ file. This
+base class implements common functionality such as storing items to the database and
+determining which items are new, changed or deleted. Some related watchers also have
+a common base class to implement common functionality. Examples would be IAM watchers.
+
+Each watcher implementation must override the following:
+
+1. The slurp() method pulls the current set of items in scheduled intervals.
+2. The watcher should implement a subclass of the ChangeItem found in the watcher module that is specific to the type the watcher will be pulling in the slurp method
+3. The member variables index must be overridden with a unique String that will identify the item type in the database.
+4. the member variables i_am_singular and i_am_plural must be overridden with unique values for use in logging.
+
+Watchers may benefit from using the `joblib` library to parallelize the processing of jobs. This will substantially increase
+performance of the watcher, especially for those requiring multiple API calls to fetch relevant data. Refer to
+`IAMRole Watcher <../security_monkey/watchers/iam/iam_role.py>`_ for an example.
+
+Sample Watcher structure::
+
+    from security_monkey.watcher import Watcher
+    from security_monkey.watcher import ChangeItem
+
+    class Sample(Watcher):
+        index = 'sample'
+        i_am_singular = 'Sample'
+        i_am_plural = 'Samples'
+
+    def __init__(self, accounts=None, debug=False):
+        super(Sample, self).__init__(accounts=accounts, debug=debug)
+
+    def slurp(self):
+        # Look up relevant items, convert to list of SampleItem's, return list
+
+    class SampleItem(ChangeItem):
+        def __init__(self, account=None, name=None, region=None, config={}):
+            super(SampleItem, self).__init__(
+                    index=Sample.index,
+                    region=region,
+                    account=account,
+                    name=name,
+                    new_config=config)
+
+New Watchers may also require additional code:
+
+- If the api to access the system to be watched requires an explicit connection, connection functionality should be placed in the `sts_connect <../security_monkey/common/sts_connect.py>`_ module.
+
+Adding an Auditor
+------------------
+A watcher may have one or more associated Auditors that will be run against all new or modified
+items to determine if there are any security issues. In order to be associated with a Watcher,
+the auditor class must override the index to match that of it's associated watcher.
+
+If an auditor is specific to an organization and is not intended to be contributed
+back to the OSS community, it should be placed under the auditors/custom directory.
+
+Any class extending Auditor, overriding index and residing under the `auditors <../security_monkey/auditors/>`_ directory.
+will be dynamically loaded and considered for execution agains a watcher. As with the related
+watchers, closely related auditors may be grouped within sub directories or have base classes
+with common functionality.
+
+
+All auditors override the `Auditor <../security_monkey/auditor.py>`_ base class. Minimal
+functionality would override the index, i_am_singular and i_am_plural to match those
+in the associated watcher class. In addition, at least one method starting with 'check_'
+would be present, as each method starting with 'check_' will be run against new or
+changed items returned by the watcher::
+
+    from security_monkey.watchers.sample import Sample
+
+    class SampleAuditor(Auditor):
+        index = Sample.index
+        i_am_singular = Sample.i_am_singular
+        i_am_plural = Sample.i_am_plural
+
+        def __init__(self, accounts=None, debug=False):
+            super(SampleAuditor, self).__init__(accounts=accounts, debug=debug)
+
+        check_xxx(self, sample_item):
+            # check the item for security risks
+            if risk:
+                self.add_issue(0, 'issue message', sample_item, notes='optional notes')
+
+If an issue is found, the 'check_' method should call add_issue to save the issue to
+the database.