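def test_iam_passrole(self):
    """check_iam_passrole flags an inline policy that grants iam:passrole.

    A fresh MockIAMObj starts with no audit issues; after the check it must
    carry exactly one 'Sensitive Permissions' issue whose notes list the
    action and resource from IAM_PASSROLE.

    NOTE(review): a method with the same name appears again later in this
    listing; if both live in one TestCase the later definition shadows this
    one and only one of them runs.
    """
    import json
    from security_monkey.auditors.iam.iam_policy import IAMPolicyAuditor

    auditor = IAMPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    iamobj.config = {
        'InlinePolicies': dict(MyPolicy=json.loads(IAM_PASSROLE))
    }

    # assertEqual rather than assertIs: identity comparison of ints only
    # passes because CPython caches small integers, which is not guaranteed.
    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))

    auditor.check_iam_passrole(iamobj)

    self.assertEqual(
        len(iamobj.audit_issues), 1,
        "Policy should have 1 alert but has {}".format(len(iamobj.audit_issues)))
    # assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual(iamobj.audit_issues[0].issue, 'Sensitive Permissions')
    self.assertEqual(
        iamobj.audit_issues[0].notes,
        'Actions: ["iam:passrole"] Resources: ["someresource"]')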
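def test_iam_sg_mutation(self):
    """check_security_group_permissions flags security-group mutation rights.

    The inline policy from IAM_SG_MUTATION must produce exactly one
    'Sensitive Permissions' issue naming both ec2:authorizesecuritygroup*
    actions and the resource.

    NOTE(review): a method with the same name appears again later in this
    listing; if both live in one TestCase the later definition shadows this
    one and only one of them runs.
    """
    import json
    from security_monkey.auditors.iam.iam_policy import IAMPolicyAuditor

    auditor = IAMPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    iamobj.config = {
        'InlinePolicies': dict(MyPolicy=json.loads(IAM_SG_MUTATION))
    }

    # assertEqual rather than assertIs: int identity is a CPython
    # small-int-cache artefact, not a language guarantee.
    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))

    auditor.check_security_group_permissions(iamobj)

    self.assertEqual(
        len(iamobj.audit_issues), 1,
        "Policy should have 1 alert but has {}".format(len(iamobj.audit_issues)))
    # assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual(iamobj.audit_issues[0].issue, 'Sensitive Permissions')
    self.assertEqual(
        iamobj.audit_issues[0].notes,
        'Actions: ["ec2:authorizesecuritygroupegress", "ec2:authorizesecuritygroupingress"] Resources: ["someresource"]'
    )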
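def test_iam_no_admin_list(self):
    """The star-privilege library check stays silent for a non-admin policy list.

    NO_ADMIN_POLICY_LIST is placed under the 'userpolicies' key and checked
    with multiple_policies=False; no audit issue may be added.

    NOTE(review): this name is defined several times in this listing; if they
    share one TestCase, only the last definition runs.
    """
    import json
    from security_monkey.auditors.iam.iam_policy import IAMPolicyAuditor

    auditor = IAMPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    iamobj.config = {'userpolicies': json.loads(NO_ADMIN_POLICY_LIST)}

    # assertEqual rather than assertIs: int identity is a CPython
    # small-int-cache artefact, not a language guarantee.
    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))

    auditor.library_check_iamobj_has_star_privileges(iamobj, multiple_policies=False)

    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))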
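def test_iam_no_admin_list(self):
    """check_star_privileges adds no issue for an inline policy without '*'.

    NO_ADMIN_POLICY_LIST is wrapped as an inline policy; the issue count must
    remain zero after the check.

    NOTE(review): this name is defined several times in this listing; if they
    share one TestCase, only the last definition runs.
    """
    import json
    from security_monkey.auditors.iam.iam_policy import IAMPolicyAuditor

    auditor = IAMPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    iamobj.config = {'InlinePolicies': dict(MyPolicy=json.loads(NO_ADMIN_POLICY_LIST))}

    # assertEqual rather than assertIs: int identity is a CPython
    # small-int-cache artefact, not a language guarantee.
    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))

    auditor.check_star_privileges(iamobj)

    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))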
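def test_full_admin_list(self):
    """check_star_privileges flags an inline policy whose Action is '*'.

    FULL_ADMIN_POLICY_LIST must yield exactly one 'Administrator Access'
    issue whose notes name the '*' action and the resource.

    NOTE(review): a method with the same name appears again later in this
    listing; if both live in one TestCase the later definition shadows this
    one and only one of them runs.
    """
    import json
    from security_monkey.auditors.iam.iam_policy import IAMPolicyAuditor

    auditor = IAMPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    iamobj.config = {'InlinePolicies': dict(MyPolicy=json.loads(FULL_ADMIN_POLICY_LIST))}

    # assertEqual rather than assertIs: int identity is a CPython
    # small-int-cache artefact, not a language guarantee.
    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))

    auditor.check_star_privileges(iamobj)

    self.assertEqual(
        len(iamobj.audit_issues), 1,
        "Policy should have 1 alert but has {}".format(len(iamobj.audit_issues)))
    # assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual(iamobj.audit_issues[0].issue, 'Administrator Access')
    self.assertEqual(
        iamobj.audit_issues[0].notes,
        'Actions: ["*"] Resources: ["someresource"]')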
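def test_iam_sg_mutation(self):
    """check_security_group_permissions flags security-group mutation rights.

    The inline policy from IAM_SG_MUTATION must produce exactly one
    'Sensitive Permissions' issue naming both ec2:authorizesecuritygroup*
    actions and the resource.

    NOTE(review): a method with the same name appears earlier in this
    listing; if both live in one TestCase this definition is the one that
    runs.
    """
    import json
    from security_monkey.auditors.iam.iam_policy import IAMPolicyAuditor

    auditor = IAMPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    iamobj.config = {'InlinePolicies': dict(MyPolicy=json.loads(IAM_SG_MUTATION))}

    # assertEqual rather than assertIs: int identity is a CPython
    # small-int-cache artefact, not a language guarantee.
    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))

    auditor.check_security_group_permissions(iamobj)

    self.assertEqual(
        len(iamobj.audit_issues), 1,
        "Policy should have 1 alert but has {}".format(len(iamobj.audit_issues)))
    # assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual(iamobj.audit_issues[0].issue, 'Sensitive Permissions')
    self.assertEqual(
        iamobj.audit_issues[0].notes,
        'Actions: ["ec2:authorizesecuritygroupegress", "ec2:authorizesecuritygroupingress"] Resources: ["someresource"]')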
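def test_iam_notresource(self):
    """check_notresource flags a statement that uses NotResource.

    IAM_NOTRESOURCE must yield exactly one 'Awkward Statement Construction'
    issue whose notes name the NotResource construct.

    NOTE(review): a method with the same name appears again later in this
    listing; if both live in one TestCase the later definition shadows this
    one and only one of them runs.
    """
    import json
    from security_monkey.auditors.iam.iam_policy import IAMPolicyAuditor

    auditor = IAMPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    iamobj.config = {'InlinePolicies': dict(MyPolicy=json.loads(IAM_NOTRESOURCE))}

    # assertEqual rather than assertIs: int identity is a CPython
    # small-int-cache artefact, not a language guarantee.
    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))

    auditor.check_notresource(iamobj)

    self.assertEqual(
        len(iamobj.audit_issues), 1,
        "Policy should have 1 alert but has {}".format(len(iamobj.audit_issues)))
    # assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual(iamobj.audit_issues[0].issue, 'Awkward Statement Construction')
    self.assertEqual(iamobj.audit_issues[0].notes, 'Construct: ["NotResource"]')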
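def test_iam_passrole(self):
    """check_iam_passrole flags an inline policy that grants iam:passrole.

    IAM_PASSROLE must yield exactly one 'Sensitive Permissions' issue whose
    notes list the action and the resource.

    NOTE(review): a method with the same name appears earlier in this
    listing; if both live in one TestCase this definition is the one that
    runs.
    """
    import json
    from security_monkey.auditors.iam.iam_policy import IAMPolicyAuditor

    auditor = IAMPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    iamobj.config = {'InlinePolicies': dict(MyPolicy=json.loads(IAM_PASSROLE))}

    # assertEqual rather than assertIs: int identity is a CPython
    # small-int-cache artefact, not a language guarantee.
    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))

    auditor.check_iam_passrole(iamobj)

    self.assertEqual(
        len(iamobj.audit_issues), 1,
        "Policy should have 1 alert but has {}".format(len(iamobj.audit_issues)))
    # assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual(iamobj.audit_issues[0].issue, 'Sensitive Permissions')
    self.assertEqual(
        iamobj.audit_issues[0].notes,
        'Actions: ["iam:passrole"] Resources: ["someresource"]')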
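def test_load_policies(self):
    """load_iam_policies returns nothing for a None policy map and one entry per inline policy.

    With 'InlinePolicies' set to None no policies are loaded; after pointing
    iam_policy_keys at 'InlinePolicies$*' and supplying two inline policies
    (IAM_ADMIN, IAM_PASSROLE), exactly two are returned.

    NOTE(review): a method with the same name appears again later in this
    listing; if both live in one TestCase the later definition shadows this
    one and only one of them runs.
    """
    import json
    from security_monkey.auditors.iam.iam_policy import IAMPolicyAuditor

    auditor = IAMPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    iamobj.config = {'InlinePolicies': None}

    policies = auditor.load_iam_policies(iamobj)
    # assertEqual rather than assertIs: int identity is a CPython
    # small-int-cache artefact, not a language guarantee.
    self.assertEqual(len(policies), 0, "Zero policies expected")

    auditor.iam_policy_keys = ['InlinePolicies$*']
    iamobj.config = {'InlinePolicies': dict(Admin=json.loads(IAM_ADMIN), PassRole=json.loads(IAM_PASSROLE))}

    policies = auditor.load_iam_policies(iamobj)
    self.assertEqual(
        len(policies), 2,
        "Two policies expected but received {}".format(len(policies)))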
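def test_iam_no_admin_list(self):
    """The star-privilege library check stays silent for a non-admin policy list.

    NO_ADMIN_POLICY_LIST is placed under the 'userpolicies' key and checked
    with multiple_policies=False; no audit issue may be added.

    NOTE(review): this name is defined several times in this listing; if they
    share one TestCase, only the last definition runs.
    """
    import json
    from security_monkey.auditors.iam.iam_policy import IAMPolicyAuditor

    auditor = IAMPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    iamobj.config = {'userpolicies': json.loads(NO_ADMIN_POLICY_LIST)}

    # assertEqual rather than assertIs: int identity is a CPython
    # small-int-cache artefact, not a language guarantee.
    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))

    auditor.library_check_iamobj_has_star_privileges(iamobj, multiple_policies=False)

    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))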
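def test_iam_no_admin_list(self):
    """check_star_privileges adds no issue for an inline policy without '*'.

    NO_ADMIN_POLICY_LIST is wrapped as an inline policy; the issue count must
    remain zero after the check.

    NOTE(review): this name is defined several times in this listing; if they
    share one TestCase, only the last definition runs.
    """
    import json
    from security_monkey.auditors.iam.iam_policy import IAMPolicyAuditor

    auditor = IAMPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    iamobj.config = {
        'InlinePolicies': dict(MyPolicy=json.loads(NO_ADMIN_POLICY_LIST))
    }

    # assertEqual rather than assertIs: int identity is a CPython
    # small-int-cache artefact, not a language guarantee.
    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))

    auditor.check_star_privileges(iamobj)

    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))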
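def test_iam_full_admin_list_single_entry(self):
    """The star-privilege library check flags a single-entry full-admin policy.

    FULL_ADMIN_POLICY_SINGLE_ENTRY is passed directly as the 'InlinePolicies'
    value and checked with multiple_policies=False; exactly one issue must
    be recorded.
    """
    import json
    from security_monkey.auditors.iam.iam_policy import IAMPolicyAuditor

    auditor = IAMPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    iamobj.config = {
        'InlinePolicies': json.loads(FULL_ADMIN_POLICY_SINGLE_ENTRY)
    }

    # assertEqual rather than assertIs: int identity is a CPython
    # small-int-cache artefact, not a language guarantee.
    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))

    auditor.library_check_iamobj_has_star_privileges(iamobj, multiple_policies=False)

    self.assertEqual(
        len(iamobj.audit_issues), 1,
        "Policy should have 1 alert but has {}".format(len(iamobj.audit_issues)))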
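def test_load_policies(self):
    """load_iam_policies returns nothing for a None policy map and one entry per inline policy.

    With 'InlinePolicies' set to None no policies are loaded; after pointing
    iam_policy_keys at 'InlinePolicies$*' and supplying two inline policies
    (IAM_ADMIN, IAM_PASSROLE), exactly two are returned.

    NOTE(review): a method with the same name appears earlier in this
    listing; if both live in one TestCase this definition is the one that
    runs.
    """
    import json
    from security_monkey.auditors.iam.iam_policy import IAMPolicyAuditor

    auditor = IAMPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    iamobj.config = {'InlinePolicies': None}

    policies = auditor.load_iam_policies(iamobj)
    # assertEqual rather than assertIs: int identity is a CPython
    # small-int-cache artefact, not a language guarantee.
    self.assertEqual(len(policies), 0, "Zero policies expected")

    auditor.iam_policy_keys = ['InlinePolicies$*']
    iamobj.config = {
        'InlinePolicies': dict(Admin=json.loads(IAM_ADMIN), PassRole=json.loads(IAM_PASSROLE))
    }

    policies = auditor.load_iam_policies(iamobj)
    self.assertEqual(
        len(policies), 2,
        "Two policies expected but received {}".format(len(policies)))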
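def test_full_admin_list(self):
    """check_star_privileges flags an inline policy whose Action is '*'.

    FULL_ADMIN_POLICY_LIST must yield exactly one 'Administrator Access'
    issue whose notes name the '*' action and the resource.

    NOTE(review): a method with the same name appears earlier in this
    listing; if both live in one TestCase this definition is the one that
    runs.
    """
    import json
    from security_monkey.auditors.iam.iam_policy import IAMPolicyAuditor

    auditor = IAMPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    iamobj.config = {
        'InlinePolicies': dict(MyPolicy=json.loads(FULL_ADMIN_POLICY_LIST))
    }

    # assertEqual rather than assertIs: int identity is a CPython
    # small-int-cache artefact, not a language guarantee.
    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))

    auditor.check_star_privileges(iamobj)

    self.assertEqual(
        len(iamobj.audit_issues), 1,
        "Policy should have 1 alert but has {}".format(len(iamobj.audit_issues)))
    # assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual(iamobj.audit_issues[0].issue, 'Administrator Access')
    self.assertEqual(
        iamobj.audit_issues[0].notes,
        'Actions: ["*"] Resources: ["someresource"]')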
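def test_iam_notresource(self):
    """check_notresource flags a statement that uses NotResource.

    IAM_NOTRESOURCE must yield exactly one 'Awkward Statement Construction'
    issue whose notes name the NotResource construct.

    NOTE(review): a method with the same name appears earlier in this
    listing; if both live in one TestCase this definition is the one that
    runs.
    """
    import json
    from security_monkey.auditors.iam.iam_policy import IAMPolicyAuditor

    auditor = IAMPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    iamobj.config = {
        'InlinePolicies': dict(MyPolicy=json.loads(IAM_NOTRESOURCE))
    }

    # assertEqual rather than assertIs: int identity is a CPython
    # small-int-cache artefact, not a language guarantee.
    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))

    auditor.check_notresource(iamobj)

    self.assertEqual(
        len(iamobj.audit_issues), 1,
        "Policy should have 1 alert but has {}".format(len(iamobj.audit_issues)))
    # assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual(iamobj.audit_issues[0].issue, 'Awkward Statement Construction')
    self.assertEqual(iamobj.audit_issues[0].notes, 'Construct: ["NotResource"]')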
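def test_celery_ignore_tech(self, mock_store_exception, mock_expired_exceptions, mock_account_tech, mock_purge, mock_setup):
    """setup_the_tasks skips a technology listed in security_monkey_watcher_ignore.

    With "policy" ignored and two monitors on offer (an IAMRole monitor and a
    ManagedPolicy monitor), only "iamrole" may be scheduled: every ``.s`` and
    ``apply_async`` call on the account/tech task must carry that technology.

    The mock_* parameters are supplied by patch decorators that sit outside
    this listing (presumably in the order the decorators are stacked).

    The module-level ``get_monitors`` is swapped for a stub that returns the
    two monitors; it is restored in a ``finally`` so a failing assertion does
    not leak the stub into later tests. The watcher registries and the
    ignore set are still left patched, as in the original.
    """
    import security_monkey.celeryconfig
    security_monkey.celeryconfig.security_monkey_watcher_ignore = {"policy"}

    from security_monkey.task_scheduler.beat import setup_the_tasks
    from security_monkey.watchers.iam.iam_role import IAMRole
    from security_monkey.watchers.iam.managed_policy import ManagedPolicy
    from security_monkey.auditors.iam.iam_role import IAMRoleAuditor
    from security_monkey.auditors.iam.iam_policy import IAMPolicyAuditor

    # Stop the watcher registry from stepping on everyone's toes:
    import security_monkey.watcher
    import security_monkey.monitors
    security_monkey.watcher.watcher_registry = {
        IAMRole.index: IAMRole,
        ManagedPolicy.index: ManagedPolicy,
    }
    security_monkey.monitors.watcher_registry = security_monkey.watcher.watcher_registry

    # Set up the monitors:
    test_account = Account.query.filter(Account.name == "TEST_ACCOUNT1").one()
    role_watcher = IAMRole(accounts=[test_account.name])
    mp_watcher = ManagedPolicy(accounts=[test_account.name])

    batched_monitor = Monitor(IAMRole, test_account)
    batched_monitor.watcher = role_watcher
    batched_monitor.auditors = [IAMRoleAuditor(accounts=[test_account.name])]

    normal_monitor = Monitor(ManagedPolicy, test_account)
    normal_monitor.watcher = mp_watcher
    normal_monitor.auditors = [IAMPolicyAuditor(accounts=[test_account.name])]

    import security_monkey.task_scheduler.tasks
    old_get_monitors = security_monkey.task_scheduler.tasks.get_monitors
    security_monkey.task_scheduler.tasks.get_monitors = lambda x, y, z: [
        batched_monitor,
        normal_monitor,
    ]
    try:
        setup_the_tasks(mock.Mock())

        assert mock_setup.called
        assert mock_purge.called
        assert not mock_store_exception.called

        # "apply_async" are the immediately scheduled tasks
        assert mock_account_tech.apply_async.called

        # The ".s" are the scheduled tasks. Too lazy to grab the intervals out.
        assert mock_account_tech.s.called
        assert mock_expired_exceptions.s.called
        assert mock_expired_exceptions.apply_async.called

        # Policy should not be called at all:
        for mocked_call in mock_account_tech.s.call_args_list:
            assert mocked_call[0][1] == "iamrole"

        for mocked_call in mock_account_tech.apply_async.call_args_list:
            assert mocked_call[0][0][1] == "iamrole"
    finally:
        # Restore even when an assertion above fails, so the stub cannot
        # leak into other tests in the same process.
        security_monkey.task_scheduler.tasks.get_monitors = old_get_monitors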