Link together issues by enabling auditor dependencies #407
Conversation
Change summary:
* Fix Error in exception handling
* Adding audit class to distinguish items created by different
auditors of the same type
* Adding custom directories
* Adding development guidelines documentation
* Fixing links in documentation
* Removing duplicate auditors
* Adding init test for scheduler
* Fixing DB error in scheduler test
* Removing unneeded DB insert from test case
* Race condition with watcher_registry
* Fixing DB migration conflict
* Picking up pubspec.lock changes
* Code style cleanup
* Update file headers for contribution prep
Change-Id: Id72322f6dbccedc701e9c17dc9a5b8dc26bf30c1
List of added watchers:
* CloudTrail
* AWSConfig
* AWSConfigRecorder
* DirectConnect::Connection
* DirectConnect::VirtualGateway
* EC2::EbsSnapshot
* EC2::EbsVolume
* EC2::Image
* EC2::Instance
* ENI
* KMS::Grant
* KMS::Key
* Lambda
* RDS::ClusterSnapshot
* RDS::DBCluster
* RDS::DBInstace
* RDS::Snapshot
* RDS::SubnetGroup
* Route53
* Route53Domains
* TrustedAdvisor
* VPC::DHCP
* VPC::Endpoint
* VPC::FlowLog
* VPC::NatGateway
* VPC::NetworkACL
* VPC::Peering
Additional changes:
* Move rds[security_group] to rds/ directory.
* Update vpc/route_table to use boto3 lib.
* Add tests for tech types supported by moto
* Initialize name to avoid UnboundLocalError
* Update RDS watcher ephemeral values
* Use boto3.session.get_available_regions in select watchers
* Convert routetable watcher to decorator pattern
* Convert route53 domains to decorator pattern
* Handle the case where the aws principle is a string
* Catching assume role exception in decorator
zollman
changed the title
zollman
changed the title
|
@MonkeySecurity I was pulling these PR branches plus the 0.6.0 release back into out local repo and notices some tricky merge issues with the custom accounts branch. It looks like you will be pulling in this branch first? If so, I can go ahead and resolve the merge conflicts in custom accounts. |
|
@MonkeySecurity I will work on an update to merge 407 into 408 then. We do have one outstanding bug fix for 407 that is in the review process, but has to do with auditors that have more than one support watcher so it will not manifest with the auditors currently submitted so probably is not critical to get in right away. |
Type: Bugfix Why is this change necessary: When find_changes is run, it has the ability to update specific tech types outside of the normal reporter run. In these cases the monitor must rerun auditors for the updated tech types, plus any other auditors for other tech types that are dependent on the updated types. It determines this by checking the support_watcher_indexes and support_auditor_indexs for each auditor associated with the tech types updated. The check for the support_watcher_indexes were only being run for the last auditor because it was indented incorrectly. This change addresses the need by: Changing the indent so that it is run for all auditors
|
Applying "Needs Work" label as I believe Curtis is working on updating this PR. (See gitter.im chat from Oct 13 15:55) |
|
UDPATE: still working on these updates. Hope to post w/in 1 week |
|
Build will probably fail until #438 is merged |
|
I merged 438 and instructed travis to rebuild. Build is now working. I think I'm still waiting for new commits. Is that correct? |
|
@MonkeySecurity - we just pushed some updates out today. Should have all of the commits needed for review 👍 |
|
@MonkeySecurity - not sure why the dates are funky, prob something to do with cherry-picking, but the 2 latest commits listed under "Oct 18" section (https://github.com/Netflix/security_monkey/pull/407/commits) are what was pushed today |
| # TODO: Replace hardcoded region with `get_available_regions` after next boto3 release | ||
| # Specific PR here: https://github.com/boto/boto3/pull/531/files | ||
| # AWS Config currently only supports the following regions | ||
| regions = ["us-east-1", "us-west-1", "us-west-2", "eu-west-1", "eu-central-1", |
There was a problem hiding this comment.
That boto3 pr was merged on Mar3. Is the hardcoded region list still necessary?
There was a problem hiding this comment.
@MonkeySecurity They are not. Let me look into why they are still there.
There was a problem hiding this comment.
@MonkeySecurity we have the correct code internally and it looks like it is correct in you master. We will push a fix for this branch.
There was a problem hiding this comment.
I went ahead and made the change for config_recorder and another very minor change to kms.py.
4 participants
To help "roll up" issues into larger groupings (e.g. an IAM user
is out-of-compliance if the managed policy attached to that user
is noncompliant), this patch allows auditors to link issues together,
rolling them up into higher technology types.
This commit builds on the dynamic watchers & auditors framework submitted in #405 , as well as the changes built into #406 .