This repository was archived by the owner on Sep 17, 2021. It is now read-only.

Conversation

@scriptsrc
Contributor

@scriptsrc scriptsrc commented Dec 2, 2016

v0.8.0 (2016-12-02-delayed->2017-01-13)

Important Notes:

  • New permissions required:
    • s3:getaccelerateconfiguration
    • s3:getbucketcors
    • s3:getbucketnotification
    • s3:getbucketwebsite
    • s3:getreplicationconfiguration
    • s3:getanalyticsconfiguration
    • s3:getmetricsconfiguration
    • s3:getinventoryconfiguration
    • route53domains:getdomaindetail
    • cloudtrail:gettrailstatus

Contributors:

itsnotapt and others added 30 commits July 1, 2016 01:19
Sync with parent develop branch
Change summary:
  * Fix Error in exception handling
  * Adding audit class to distinguish items created by different
    auditors of the same type
  * Adding custom directories
  * Adding development guidelines documentation
  * Fixing links in documentation
  * Removing duplicate auditors
  * Adding init test for scheduler
  * Fixing DB error in scheduler test
  * Removing unneeded DB insert from test case
  * Race condition with watcher_registry
  * Fixing DB migration conflict
  * Picking up pubspec.lock changes
  * Code style cleanup
  * Update file headers for contribution prep

Change-Id: Id72322f6dbccedc701e9c17dc9a5b8dc26bf30c1
List of added watchers:
    * CloudTrail
    * AWSConfig
    * AWSConfigRecorder
    * DirectConnect::Connection
    * DirectConnect::VirtualGateway
    * EC2::EbsSnapshot
    * EC2::EbsVolume
    * EC2::Image
    * EC2::Instance
    * ENI
    * KMS::Grant
    * KMS::Key
    * Lambda
    * RDS::ClusterSnapshot
    * RDS::DBCluster
    * RDS::DBInstace
    * RDS::Snapshot
    * RDS::SubnetGroup
    * Route53
    * Route53Domains
    * TrustedAdvisor
    * VPC::DHCP
    * VPC::Endpoint
    * VPC::FlowLog
    * VPC::NatGateway
    * VPC::NetworkACL
    * VPC::Peering

Additional changes:
  * Move rds[security_group] to rds/ directory.
  * Update vpc/route_table to use boto3 lib.
  * Add tests for tech types supported by moto
  * Initialize name to avoid UnboundLocalError
  * Update RDS watcher ephemeral values
  * Use boto3.session.get_available_regions in select watchers
  * Convert routetable watcher to decorator pattern
  * Convert route53 domains to decorator pattern
  * Handle the case where the aws principal is a string
  * Catching assume role exception in decorator
- The route53 watcher requires access to the `route53domains:getdomaindetail` permission
- Added it to the Quickstart doc.
- Added it to the Configuration doc.
- Added it to the role setup script.
- Added section about XCode
- Added section to fix openssl and cryptography dependency errors.
- Also added in tests for it
Changed the module name from elb to elasticsearch_service
OS X Install doc updates for El Capitan and higher.
Added "route53domains:getdomaindetail" to permissions doc.
Fix for ARN parsing of cloudfront ARNs
Removed s3 ARN check for ElasticSearch Service.
Type: Bugfix

Why is this change necessary:
When find_changes is run, it has the ability to update specific tech
types outside of the normal reporter run. In these cases the monitor
must rerun auditors for the updated tech types, plus any other auditors
for other tech types that are dependent on the updated types. It
determines this by checking the support_watcher_indexes and
support_auditor_indexs for each auditor associated with the tech types
updated. The check for the support_watcher_indexes was only being run
for the last auditor because it was indented incorrectly.

This change addresses the need by:
Changing the indent so that it is run for all auditors
* Added support for SSO OneLogin

* Update SSO provider list in comment

* Added missing dependencies

* One last dependency (hopefully)

* Added apt-get dependency to travis-ci.
Updated python-saml to 2.1.9.

* Switched sudo on for travis-ci

* Fixed value for travis-ci config

* Updated to python-saml 2.2.0 (security update)
…(Where the name is not google or ping or onelogin)
Network Whitelist and Ignore List tables have been broken out into their own components and now support pagination via PaginatedTable.

Fixes #167
Fix for the issue: Jinja2 2.7.2 is installed but Jinja2>=2.8 is required by set(['moto'])
Moto now depends on Jinja2 2.8 - Consider updating to the latest version of Jinja2 2.9?
…ecurity_monkey into Bridgewater-auditor_dependencies
* Updated env-config/config-deploy.py to override
default settings with environment variables
for postgres settings

* Adding the original Dockerfile from
Netflix-Skunkworks/zerotodocker

* Adding original entrypoint scripts from
Netflix-Skunkworks/zerotodocker

* Disable export of the SECURITY_MONKEY_SETTINGS
variable in these entrypoints as this should be
set before these entrypoints exist

* Remove unnecessary commented out lines

* Organize order of operations in api-init

* 1 - Add SECURITY_MONKEY_API_PORT environment
variable to override default settings defined
in SECURITY_MONKEY_SETTINGS

2 - Update entrypoints to use environment
variables

* Add original Dockerfile for nginx from
Netflix-Skunkworks/zerotodocker

* Add original securitymonkey.conf for nginx from
Netflix-Skunkworks/zerotodocker

* Add original insecure certs for tls provided
by Netflix-Skunkworks. These are meant to
act as a placeholder for the example.

* Move nginx resources to docker-nginx for simpler
docker build

* Add items to .gitignore and
.dockerignore to avoid committing
secrets

* Update Dockerfiles to build and run
SecurityMonkey from this directory,
as opposed to checking out the repository
directly, since this code has not yet been
merged. This can be used to build and
develop locally.

* Update FQDN settings to use environment
variables as override to default

* Update email settings to use environment
variable overrides

* Add documentation for SecurityMonkey Docker

* Add a forgotten comma

* Update entrypoints to work without chmod +x

* Add a missing equals sign '='

* Remove baked-in insecure certificates

* Add new entrypoint for nginx, disables ssl if a cert:key pair is not found

* Add original nginx.conf for reference

* Turn daemon off in nginx.conf

* Update nginx docker build and entrypoint

* Move NGINX Dockerfile to docker-nginx/

* Refactor for local docker development
  - Removed python-m2crypto from Dockerfile
  - Created env-config/config-docker.py for settings
  - Reverted env-config/config-deploy.py back to v0.7.0 original
  - Moved docker-nginx directory to docker/nginx
  - Entrypoints are executable
  - Added brief documentation in docker folder

* More log changes for Docker

* Improvement for local docker-compose development

* Update securitymonkey.conf to latest from
http://securitymonkey.readthedocs.io/en/latest/quickstart.html#securitymonkey-conf

* Edit ssl crt/key location in securitymonkey.conf

* Make NGINX output logs to stdout/err for SecurityMonkey Docker

* Hardcode smapi NGINX endpoint instead of 127.0.0.1 for Docker

* Updated docker documentation

* Simplify config-docker.py in the use of
environment variables as overrides

* Add support for local insecure development
  - Enables 80 in NGINX
  - Toggle to disable CSRF in settings
  - Toggle to disable ssl in NGINX if
    certs are not provided

* Restore config-deploy.py from upstream

* Set API_PORT back to a String
* Add support for custom watchers and auditors

Change summary:
  * Fix Error in exception handling
  * Adding audit class to distinguish items created by different
    auditors of the same type
  * Adding custom directories
  * Adding development guidelines documentation
  * Fixing links in documentation
  * Removing duplicate auditors
  * Adding init test for scheduler
  * Fixing DB error in scheduler test
  * Removing unneeded DB insert from test case
  * Race condition with watcher_registry
  * Fixing DB migration conflict
  * Picking up pubspec.lock changes
  * Code style cleanup
  * Update file headers for contribution prep

Change-Id: Id72322f6dbccedc701e9c17dc9a5b8dc26bf30c1

* Add new watchers

List of added watchers:
    * CloudTrail
    * AWSConfig
    * AWSConfigRecorder
    * DirectConnect::Connection
    * DirectConnect::VirtualGateway
    * EC2::EbsSnapshot
    * EC2::EbsVolume
    * EC2::Image
    * EC2::Instance
    * ENI
    * KMS::Grant
    * KMS::Key
    * Lambda
    * RDS::ClusterSnapshot
    * RDS::DBCluster
    * RDS::DBInstace
    * RDS::Snapshot
    * RDS::SubnetGroup
    * Route53
    * Route53Domains
    * TrustedAdvisor
    * VPC::DHCP
    * VPC::Endpoint
    * VPC::FlowLog
    * VPC::NatGateway
    * VPC::NetworkACL
    * VPC::Peering

Additional changes:
  * Move rds[security_group] to rds/ directory.
  * Update vpc/route_table to use boto3 lib.
  * Add tests for tech types supported by moto
  * Initialize name to avoid UnboundLocalError
  * Update RDS watcher ephemeral values
  * Use boto3.session.get_available_regions in select watchers
  * Convert routetable watcher to decorator pattern
  * Convert route53 domains to decorator pattern
  * Handle the case where the aws principal is a string
  * Catching assume role exception in decorator

* Auditor dependency and link support

* Fix for _find_dependent_monitors

Type: Bugfix

Why is this change necessary:
When find_changes is run, it has the ability to update specific tech
types outside of the normal reporter run. In these cases the monitor
must rerun auditors for the updated tech types, plus any other auditors
for other tech types that are dependent on the updated types. It
determines this by checking the support_watcher_indexes and
support_auditor_indexs for each auditor associated with the tech types
updated. The check for the support_watcher_indexes was only being run
for the last auditor because it was indented incorrectly.

This change addresses the need by:
Changing the indent so that it is run for all auditors

* Add framework for custom account types

Type: generic-large-feature

Why is this change necessary?
Feature allowing for custom account types, which can either be
non-AWS accounts or AWS accounts extended with additional attributes.
By default, the new custom attributes are stored in the database but
can be configured to be retrieved from some other source.

This change addresses the need by:
Implementing account_manager framework
* Replacing botor lib with Netflix cloudaux. Refactoring iamrole to use cloudaux orchestration.

* Moving IAM User to Netflix cloudaux.

* Fixing argument so record_exception decorator will work properly.
…icit dependencies to rely on flask-security-fork dependencies. SSO will use flask-security login_user instead of flask-login so that security_trackable works. Replacing current_user.is_authenticated() method with property so we can use a newer version of flask-login. (#482)
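The "_find_dependent_monitors" fix in the commit list above describes a control-flow bug: the support_watcher_indexes check was indented one level too far left, so it ran once after the loop against the last auditor only, and auditors that merely read the updated tech type were never rerun. The following is an added illustration of that shape in a reduced model; it is not Security Monkey's own code. The Auditor record, the sample auditor table, its names and dependencies, and both functions are hypothetical, chosen only to make the buggy and fixed versions diverge on the same input.

```python
"""Reduced model of the _find_dependent_monitors indentation bug.

Everything here is an added illustration: the Auditor record, the sample
auditor table and both functions are hypothetical and are not Security
Monkey's own code. Only the control-flow shape the commit message describes
is being modelled, not the project's real data structures.
"""
from collections import namedtuple

# Hypothetical auditor record: the tech type it audits (index), the watcher
# tech types whose items it reads (support_watcher_indexes) and the auditor
# tech types whose findings it depends on (support_auditor_indexes).
Auditor = namedtuple(
    "Auditor", "name index support_watcher_indexes support_auditor_indexes"
)

# Constructed sample table for this example; names and dependencies are made up.
SAMPLE_AUDITORS = [
    Auditor("IAMRoleAuditor", "iamrole", [], []),
    Auditor("S3Auditor", "s3", ["iamrole"], []),                   # reads IAM role items
    Auditor("SecurityGroupAuditor", "securitygroup", ["eni"], []),  # reads ENI items
    Auditor("ELBAuditor", "elb", [], ["securitygroup"]),           # depends on SG findings
]


def dependent_auditors_buggy(updated_types, auditors):
    """Mis-indented version of the selection logic.

    The support_watcher_indexes check sits one level too far left, so it runs
    once after the loop against whichever auditor was bound last instead of
    once per auditor. Like the original bug, it assumes a non-empty list.
    """
    updated = set(updated_types)
    to_rerun = set()
    for auditor in auditors:
        if auditor.index in updated:
            to_rerun.add(auditor.name)
        if updated & set(auditor.support_auditor_indexes):
            to_rerun.add(auditor.name)
    # BUG: this block belongs inside the loop; here it only sees the last auditor.
    if updated & set(auditor.support_watcher_indexes):
        to_rerun.add(auditor.name)
    return to_rerun


def dependent_auditors_fixed(updated_types, auditors):
    """Same logic with the watcher-index check indented into the loop."""
    updated = set(updated_types)
    to_rerun = set()
    for auditor in auditors:
        if auditor.index in updated:
            to_rerun.add(auditor.name)
        if updated & set(auditor.support_auditor_indexes):
            to_rerun.add(auditor.name)
        if updated & set(auditor.support_watcher_indexes):
            to_rerun.add(auditor.name)
    return to_rerun


def silently_skipped(updated_types, auditors=SAMPLE_AUDITORS):
    """Auditors the buggy version would fail to rerun for a given change set.

    A non-empty result means findings that depend on the changed items would
    have gone stale without any error being raised.
    """
    fixed = dependent_auditors_fixed(updated_types, auditors)
    buggy = dependent_auditors_buggy(updated_types, auditors)
    return fixed - buggy


if __name__ == "__main__":
    for changed in (["iamrole"], ["eni"], ["securitygroup"]):
        print(changed, "skipped by the bug:", sorted(silently_skipped(changed)))
```

Running the block shows the detection gap is silent: a change to IAM roles reruns only the IAM role auditor under the buggy version, while the S3 auditor that reads those roles is skipped, and a change to ENIs reruns nothing at all. The fixed version selects both the auditor for the changed type and every auditor that reads it or depends on its findings.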
@coveralls

Coverage Status

Changes Unknown when pulling 3b4da13 on develop into ** on master**.

@coveralls

Coverage Status

Changes Unknown when pulling 198ed04 on develop into ** on master**.

Patrick Kelley added 2 commits January 4, 2017 10:53
* Add check for assume-role from unknown account.

* Reformat code.

* Fix typo.

* Refactoring to use the ARN class.
@coveralls

Coverage Status

Changes Unknown when pulling 0ef6596 on develop into ** on master**.

@coveralls

Coverage Status

Changes Unknown when pulling 00ce338 on develop into ** on master**.

@coveralls

Coverage Status

Changes Unknown when pulling d21c5d7 on develop into ** on master**.

@coveralls

Coverage Status

Changes Unknown when pulling 4fae5af on develop into ** on master**.

Patrick Kelley added 2 commits January 10, 2017 15:26
* Updating the way we interact with Flask-WTF. Closes Issue #494.

* Fixing the jinja templates.
@coveralls

Coverage Status

Changes Unknown when pulling 7a662de on develop into ** on master**.

@coveralls

Coverage Status

Changes Unknown when pulling 4ef5024 on develop into ** on master**.

@scriptsrc
Contributor Author

Hey @cstewart87 - ETA is today.

@coveralls

Coverage Status

Changes Unknown when pulling 3d0e1d5 on develop into ** on master**.

@scriptsrc scriptsrc merged commit 870e18b into master Jan 13, 2017