Example #1
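    def test_es_auditor(self):
        """Audit every fixture ES domain and compare the recorded issue scores.

        A test network whitelist is installed on the auditor, each item in
        ``self.es_items`` is passed to ``check_es_access_policy``, and the
        ``audit_issues`` left on each item are compared, in order, with the
        scores expected for that fixture config.
        """
        from security_monkey.auditors.elasticsearch_service import ElasticSearchServiceAuditor
        es_auditor = ElasticSearchServiceAuditor(accounts=["012345678910"])

        # Install the test whitelist directly on the auditor. Each
        # WHITELIST_CIDRS element is a (name, cidr) pair.
        es_auditor.network_whitelist = []
        for cidr in WHITELIST_CIDRS:
            whitelist_cidr = NetworkWhitelistEntry()
            whitelist_cidr.cidr = cidr[1]
            whitelist_cidr.name = cidr[0]

            es_auditor.network_whitelist.append(whitelist_cidr)

        for es_domain in self.es_items:
            es_auditor.check_es_access_policy(es_domain)

        # Expected issue scores per fixture, in the order the issues are
        # recorded. An empty list means the policy must produce no finding.
        expected_scores = [
            [20],       # CONFIG ONE
            [20],       # CONFIG TWO
            [5, 7],     # CONFIG THREE
            [20],       # CONFIG FOUR
            [],         # CONFIG FIVE
            [],         # CONFIG SIX
            [5, 5, 7],  # CONFIG SEVEN
            [20],       # CONFIG EIGHT
            [6, 10],    # CONFIG NINE
        ]
        for index, scores in enumerate(expected_scores):
            issues = self.es_items[index].audit_issues
            # assertEqual replaces the deprecated assertEquals alias.
            self.assertEqual(len(issues), len(scores),
                             "unexpected issue count for es_items[%d]" % index)
            for position, score in enumerate(scores):
                self.assertEqual(issues[position].score, score,
                                 "unexpected score for es_items[%d] issue %d" % (index, position))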
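    def test_es_auditor(self):
        """Check the issues the ES auditor records for each fixture access policy.

        The auditor is given a test network whitelist, then run over every
        item in ``self.es_items``. The assertions pin both how many issues
        each fixture produces and the score of each issue.
        """
        from security_monkey.auditors.elasticsearch_service import ElasticSearchServiceAuditor
        es_auditor = ElasticSearchServiceAuditor(accounts=["012345678910"])

        # Add some test network whitelists into this
        # (WHITELIST_CIDRS elements are (name, cidr) pairs):
        es_auditor.network_whitelist = []
        for cidr in WHITELIST_CIDRS:
            whitelist_cidr = NetworkWhitelistEntry()
            whitelist_cidr.cidr = cidr[1]
            whitelist_cidr.name = cidr[0]

            es_auditor.network_whitelist.append(whitelist_cidr)

        for es_domain in self.es_items:
            es_auditor.check_es_access_policy(es_domain)

        # Check for correct number of issues located.
        # assertEqual is used throughout; assertEquals is a deprecated alias.
        # CONFIG ONE:
        self.assertEqual(len(self.es_items[0].audit_issues), 1)
        self.assertEqual(self.es_items[0].audit_issues[0].score, 20)

        # CONFIG TWO:
        self.assertEqual(len(self.es_items[1].audit_issues), 1)
        self.assertEqual(self.es_items[1].audit_issues[0].score, 20)

        # CONFIG THREE:
        self.assertEqual(len(self.es_items[2].audit_issues), 2)
        self.assertEqual(self.es_items[2].audit_issues[0].score, 5)
        self.assertEqual(self.es_items[2].audit_issues[1].score, 7)

        # CONFIG FOUR:
        self.assertEqual(len(self.es_items[3].audit_issues), 1)
        self.assertEqual(self.es_items[3].audit_issues[0].score, 20)

        # CONFIG FIVE (no finding expected):
        self.assertEqual(len(self.es_items[4].audit_issues), 0)

        # CONFIG SIX (no finding expected):
        self.assertEqual(len(self.es_items[5].audit_issues), 0)

        # CONFIG SEVEN:
        self.assertEqual(len(self.es_items[6].audit_issues), 3)
        self.assertEqual(self.es_items[6].audit_issues[0].score, 5)
        self.assertEqual(self.es_items[6].audit_issues[1].score, 5)
        self.assertEqual(self.es_items[6].audit_issues[2].score, 7)

        # CONFIG EIGHT:
        self.assertEqual(len(self.es_items[7].audit_issues), 1)
        self.assertEqual(self.es_items[7].audit_issues[0].score, 20)

        # CONFIG NINE:
        self.assertEqual(len(self.es_items[8].audit_issues), 2)
        self.assertEqual(self.es_items[8].audit_issues[0].score, 6)
        self.assertEqual(self.es_items[8].audit_issues[1].score, 10)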
Example #3
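def sync_networks(bucket_name, input_filename, authoritative):
    """Imports a JSON file of networks to the Security Monkey whitelist.

    The input is a JSON object mapping network name to CIDR value. It is read
    from S3 (bucket ``bucket_name``, key ``input_filename``) when a bucket name
    is given, otherwise from the local path ``input_filename``.

    Entries whose name is already stored get their CIDR overwritten, names
    not yet stored are inserted, and, when ``authoritative`` is true, every
    stored entry whose name is absent from the input is deleted.

    Raises:
        ValueError: if the JSON document is not an object.

    NOTE(review): CIDR values are stored exactly as read; nothing here checks
    that they parse as networks or limits how wide a range may be. Whoever can
    write the input file or bucket object therefore controls the whitelist,
    and with ``authoritative`` set a truncated or empty input removes the
    entries it does not name. Restrict write access to the source and consider
    validating the values before the commit.
    """
    if bucket_name:
        import boto3
        s3 = boto3.client('s3')
        response = s3.get_object(
            Bucket=bucket_name,
            Key=input_filename,
        )
        handle = response['Body']
    else:
        handle = open(input_filename)
    # Close the handle even when the document fails to parse.
    try:
        networks = json.load(handle)
    finally:
        handle.close()

    if not isinstance(networks, dict):
        raise ValueError('Network file must contain a JSON object of name: cidr pairs')

    names = list(networks)
    # Materialise the result once; it is used both to work out which names
    # are new and to update the rows that already exist.
    existing = NetworkWhitelistEntry.query.filter(
        NetworkWhitelistEntry.name.in_(names)).all()
    new = set(names) - set(entry.name for entry in existing)
    for entry in existing:
        entry.cidr = networks[entry.name]
        db.session.add(entry)
    for name in new:
        app.logger.debug('Adding new network %s', name)
        entry = NetworkWhitelistEntry(
            name=name,
            cidr=networks[name],
        )
        db.session.add(entry)
    if authoritative:
        # The input is the single source of truth: drop everything it omits.
        old = NetworkWhitelistEntry.query.filter(
            ~NetworkWhitelistEntry.name.in_(names))
        for entry in old:
            app.logger.debug('Removing stale network %s', entry.name)
            db.session.delete(entry)
    db.session.commit()
    db.session.close()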
    def pre_test_setup(self):
        """Build the fixture ES items and seed the account and whitelist rows.

        Populates ``self.es_items`` with nine items (CONFIG_ONE through
        CONFIG_NINE), then commits an 'AWS' account type, the TEST_ACCOUNT
        account and two network whitelist entries.
        """
        # Clear the auditor's OBJECT_STORE before building fixtures.
        ElasticSearchServiceAuditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear()

        # (region, name, config) for each fixture domain, in config order.
        domain_specs = (
            ("us-east-1", "es_test", CONFIG_ONE),
            ("us-west-2", "es_test_2", CONFIG_TWO),
            ("eu-west-1", "es_test_3", CONFIG_THREE),
            ("us-east-1", "es_test_4", CONFIG_FOUR),
            ("us-east-1", "es_test_5", CONFIG_FIVE),
            ("eu-west-1", "es_test_6", CONFIG_SIX),
            ("eu-west-1", "es_test_7", CONFIG_SEVEN),
            ("eu-west-1", "es_test_8", CONFIG_EIGHT),
            ("us-east-1", "es_test_9", CONFIG_NINE),
        )
        self.es_items = [
            ElasticSearchServiceItem(region=region, account="TEST_ACCOUNT", name=item_name, config=item_config)
            for region, item_name, item_config in domain_specs
        ]

        # The account type is committed first so that its id is available
        # when the account row is built.
        aws_type = AccountType(name='AWS')
        db.session.add(aws_type)
        db.session.commit()

        test_account = Account(
            identifier="012345678910",
            name="TEST_ACCOUNT",
            account_type_id=aws_type.id,
            notes="TEST_ACCOUNT",
            third_party=False,
            active=True,
        )
        db.session.add(test_account)
        db.session.commit()

        # Whitelisted test networks as (label, cidr); the label doubles as
        # the notes text. Each row is committed individually.
        whitelist_rows = (
            ("Test one", "192.168.1.1/32"),
            ("Test two", "100.0.0.0/16"),
        )
        for label, network in whitelist_rows:
            row = NetworkWhitelistEntry()
            row.name = label
            row.notes = label
            row.cidr = network
            db.session.add(row)
            db.session.commit()
Example #5
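    def post(self):
        """
            .. http:post:: /api/1/whitelistcidrs

            Create a new CIDR whitelist entry.

            **Example Request**:

            .. sourcecode:: http

                POST /api/1/whitelistcidrs HTTP/1.1
                Host: example.com
                Accept: application/json

                {
                    "name": "Corp",
                    "notes": "Corporate Network",
                    "cidr": "1.2.3.4/22"
                }

            **Example Response**:

            .. sourcecode:: http

                HTTP/1.1 201 Created
                Vary: Accept
                Content-Type: application/json

                {
                    "id": 123,
                    "name": "Corp",
                    "notes": "Corporate Network",
                    "cidr": "1.2.3.4/22"
                }

            :statuscode 201: created
            :statuscode 401: Authentication Error. Please Login.
        """
        # NOTE(review): no authentication or authorization check is visible
        # in this method body; confirm the resource class enforces it before
        # this handler runs, since the endpoint changes the whitelist.

        self.reqparse.add_argument('name', required=True, type=text_type, help='Must provide account name', location='json')
        self.reqparse.add_argument('cidr', required=True, type=text_type, help='Network CIDR required.', location='json')
        self.reqparse.add_argument('notes', required=False, type=text_type, help='Add context.', location='json')
        args = self.reqparse.parse_args()

        name = args['name']
        # 'cidr' is declared required above, so read it directly. The former
        # fallback of True would have stored a boolean as the CIDR.
        cidr = args['cidr']
        notes = args.get('notes', None)

        # NOTE(review): the cidr text is stored as received. Nothing here
        # checks that it parses as a network or bounds the prefix length, so
        # a malformed or very wide range is accepted. Validate before commit.
        whitelist_entry = NetworkWhitelistEntry()
        whitelist_entry.name = name
        whitelist_entry.cidr = cidr
        if notes:
            whitelist_entry.notes = notes

        db.session.add(whitelist_entry)
        db.session.commit()
        # Reload the row so database-assigned fields are populated before
        # the entry is marshalled into the response.
        db.session.refresh(whitelist_entry)

        whitelistentry_marshaled = marshal(whitelist_entry.__dict__, WHITELIST_FIELDS)
        whitelistentry_marshaled['auth'] = self.auth_dict
        return whitelistentry_marshaled, 201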
Example #6
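    def post(self):
        """
            .. http:post:: /api/1/whitelistcidrs

            Create a new CIDR whitelist entry.

            **Example Request**:

            .. sourcecode:: http

                POST /api/1/whitelistcidrs HTTP/1.1
                Host: example.com
                Accept: application/json

                {
                    "name": "Corp",
                    "notes": "Corporate Network",
                    "cidr": "1.2.3.4/22"
                }

            **Example Response**:

            .. sourcecode:: http

                HTTP/1.1 201 Created
                Vary: Accept
                Content-Type: application/json

                {
                    "id": 123,
                    "name": "Corp",
                    "notes": "Corporate Network",
                    "cidr": "1.2.3.4/22"
                }

            :statuscode 201: created
            :statuscode 401: Authentication Error. Please Login.
        """
        # When the helper's first value is truthy, its second value is
        # returned as the response and nothing is written. Presumably this
        # is the authentication-failure path (see the 401 above); confirm
        # against __check_auth__.
        short_circuit, early_response = __check_auth__(self.auth_dict)
        if short_circuit:
            return early_response

        self.reqparse.add_argument('name', required=True, type=unicode, help='Must provide account name', location='json')
        self.reqparse.add_argument('cidr', required=True, type=unicode, help='Network CIDR required.', location='json')
        self.reqparse.add_argument('notes', required=False, type=unicode, help='Add context.', location='json')
        args = self.reqparse.parse_args()

        name = args['name']
        # 'cidr' is a required argument, so it is read directly instead of
        # falling back to the meaningless default of True.
        cidr = args['cidr']
        notes = args.get('notes', None)

        # NOTE(review): cidr is persisted exactly as submitted; this method
        # does not check that it is a well-formed network or limit how broad
        # it may be. Validate the value before it reaches the whitelist.
        whitelist_entry = NetworkWhitelistEntry()
        whitelist_entry.name = name
        whitelist_entry.cidr = cidr
        if notes:
            whitelist_entry.notes = notes

        db.session.add(whitelist_entry)
        db.session.commit()
        # Refresh so database-assigned fields are loaded before marshalling.
        db.session.refresh(whitelist_entry)

        whitelistentry_marshaled = marshal(whitelist_entry.__dict__, WHITELIST_FIELDS)
        whitelistentry_marshaled['auth'] = self.auth_dict
        return whitelistentry_marshaled, 201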
    def pre_test_setup(self):
        """Prepare fixtures: nine ES items plus committed account and whitelist rows."""
        # Clear the auditor's OBJECT_STORE before building fixtures.
        auditor = ElasticSearchServiceAuditor(accounts=['TEST_ACCOUNT'])
        auditor.OBJECT_STORE.clear()

        def make_item(region, name, config):
            # Every fixture item belongs to the same test account.
            return ElasticSearchServiceItem(region=region,
                                            account="TEST_ACCOUNT",
                                            name=name,
                                            config=config)

        self.es_items = [
            make_item("us-east-1", "es_test", CONFIG_ONE),
            make_item("us-west-2", "es_test_2", CONFIG_TWO),
            make_item("eu-west-1", "es_test_3", CONFIG_THREE),
            make_item("us-east-1", "es_test_4", CONFIG_FOUR),
            make_item("us-east-1", "es_test_5", CONFIG_FIVE),
            make_item("eu-west-1", "es_test_6", CONFIG_SIX),
            make_item("eu-west-1", "es_test_7", CONFIG_SEVEN),
            make_item("eu-west-1", "es_test_8", CONFIG_EIGHT),
            make_item("us-east-1", "es_test_9", CONFIG_NINE),
        ]

        # Commit the account type first; its id is needed for the account.
        account_type_row = AccountType(name='AWS')
        db.session.add(account_type_row)
        db.session.commit()

        account_row = Account(identifier="012345678910",
                              name="TEST_ACCOUNT",
                              account_type_id=account_type_row.id,
                              notes="TEST_ACCOUNT",
                              third_party=False,
                              active=True)
        db.session.add(account_row)
        db.session.commit()

        # Persist the test whitelist networks, one commit per entry. The
        # entry name is reused as its notes.
        for entry_name, entry_cidr in [("Test one", "192.168.1.1/32"),
                                       ("Test two", "100.0.0.0/16")]:
            entry = NetworkWhitelistEntry()
            entry.name = entry_name
            entry.notes = entry_name
            entry.cidr = entry_cidr
            db.session.add(entry)
            db.session.commit()