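    def test_process_custom_listener_policy(self):
        """Each weakening of a copied reference policy adds exactly one audit issue.

        Starts from a copy of ``ELBSecurityPolicy-2016-08`` taken from the
        ``INTERNET_ELB`` test data, hands it to
        ``ELBAuditor._process_custom_listener_policy`` as though it were a
        custom listener policy, then progressively enables SSLv2, disables
        server-defined cipher order and appends export-grade, deprecated and
        not-recommended ciphers, asserting the issue count grows by one at
        every step.
        """
        import copy
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        item = CloudAuxChangeItem(
            index='elb',
            account='TEST_ACCOUNT',
            name='MyELB',
            arn="arn:aws:elasticloadbalancing:us-east-1:012345678910:loadbalancer/MyELB",
            config=INTERNET_ELB)

        # We'll just modify it and pretend it's a custom policy.
        # A deep copy is required: ``dict(...)`` copies only the top level, so
        # the nested ``protocols`` dict and ``supported_ciphers`` list mutated
        # below would otherwise still be shared with INTERNET_ELB (and with
        # ``item.config``), leaking the weakened policy into later tests.
        policy = copy.deepcopy(
            INTERNET_ELB['PolicyDescriptions']['ELBSecurityPolicy-2016-08'])

        def audit_and_count(expected):
            """Audit ``policy`` on port 443 and assert the resulting issue count."""
            auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08',
                                                    policy, '443', item)
            self.assertEqual(len(item.audit_issues), expected)

        # Unmodified copy: only the "custom policy" finding is expected.
        audit_and_count(1)

        item.audit_issues = list()
        policy['protocols']['sslv2'] = True
        audit_and_count(2)

        item.audit_issues = list()
        policy['server_defined_cipher_order'] = False
        audit_and_count(3)

        # simulate export grade
        item.audit_issues = list()
        policy['supported_ciphers'].append('EXP-RC4-MD5')
        audit_and_count(4)

        # simulate deprecated cipher
        item.audit_issues = list()
        policy['supported_ciphers'].append('RC2-CBC-MD5')
        audit_and_count(5)

        # simulate not-recommended cipher
        item.audit_issues = list()
        policy['supported_ciphers'].append('CAMELLIA128-SHA')
        audit_and_count(6)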
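    def test_process_custom_listener_policy(self):
        """Each weakening of a copied reference policy adds exactly one audit issue.

        Starts from a copy of ``ELBSecurityPolicy-2016-08`` taken from the
        ``INTERNET_ELB`` test data, hands it to
        ``ELBAuditor._process_custom_listener_policy`` as though it were a
        custom listener policy, then progressively enables SSLv2, disables
        server-defined cipher order and appends export-grade, deprecated and
        not-recommended ciphers, asserting the issue count grows by one at
        every step.
        """
        import copy
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        item = CloudAuxChangeItem(index='elb', account='TEST_ACCOUNT', name='MyELB',
            arn=ARN_PREFIX + ":elasticloadbalancing:" + AWS_DEFAULT_REGION + ":012345678910:loadbalancer/MyELB", config=INTERNET_ELB)

        # We'll just modify it and pretend it's a custom policy.
        # A deep copy is required: ``dict(...)`` copies only the top level, so
        # the nested ``protocols`` dict and ``supported_ciphers`` list mutated
        # below would otherwise still be shared with INTERNET_ELB (and with
        # ``item.config``), leaking the weakened policy into later tests.
        policy = copy.deepcopy(INTERNET_ELB['PolicyDescriptions']['ELBSecurityPolicy-2016-08'])

        def audit_and_count(expected):
            """Audit ``policy`` on port 443 and assert the resulting issue count."""
            auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08', policy, '[443]', item)
            self.assertEqual(len(item.audit_issues), expected)

        # Unmodified copy: only the "custom policy" finding is expected.
        audit_and_count(1)

        item.audit_issues = list()
        policy['protocols']['sslv2'] = True
        audit_and_count(2)

        item.audit_issues = list()
        policy['server_defined_cipher_order'] = False
        audit_and_count(3)

        # simulate export grade
        item.audit_issues = list()
        policy['supported_ciphers'].append('EXP-RC4-MD5')
        audit_and_count(4)

        # simulate deprecated cipher
        item.audit_issues = list()
        policy['supported_ciphers'].append('RC2-CBC-MD5')
        audit_and_count(5)

        # simulate not-recommended cipher
        item.audit_issues = list()
        policy['supported_ciphers'].append('CAMELLIA128-SHA')
        audit_and_count(6)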
    def test_check_ssl_policy_no_policy(self):
        """check_ssl_policy flags only listeners carrying a weak or unknown SSL policy.

        A plain port-80 listener whose ``SslPolicy`` is None produces no
        issue; a 443 listener on ``ELBSecurityPolicy-TLS-1-0-2015-04`` is
        reported for its SWEET32-affected cipher; a policy name the auditor
        does not know is reported as an unknown reference policy.
        """
        from security_monkey.auditors.elbv2 import ELBv2Auditor
        auditor = ELBv2Auditor(accounts=['012345678910'])

        def single_listener(port, ssl_policy):
            """Build a minimal ALB config with one listener."""
            return {'Listeners': [{'Port': port, 'SslPolicy': ssl_policy}]}

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        alb_arn = (ARN_PREFIX + ":elasticloadbalancing:" + AWS_DEFAULT_REGION
                   + ":012345678910:loadbalancer/app/MyALB/7f734113942")
        item = CloudAuxChangeItem(index='alb',
                                  account='TEST_ACCOUNT',
                                  name='MyALB',
                                  arn=alb_arn,
                                  config=single_listener(80, None))

        # HTTP listener without any SSL policy: nothing to report.
        auditor.check_ssl_policy(item)
        self.assertEqual(len(item.audit_issues), 0)

        # A predefined policy that still carries DES-CBC3-SHA: one issue.
        item.new_config = single_listener(443, 'ELBSecurityPolicy-TLS-1-0-2015-04')
        auditor.check_ssl_policy(item)
        self.assertEqual(len(item.audit_issues), 1)
        weak_cipher_issue = item.audit_issues[0]
        self.assertEqual(weak_cipher_issue.issue, 'Insecure TLS')
        self.assertEqual(weak_cipher_issue.notes, 'Policy: [ELBSecurityPolicy-TLS-1-0-2015-04] Port: [443] Reason: [Weak cipher (DES-CBC3-SHA) for Windows XP support] CVE: [SWEET32 CVE-2016-2183]')

        # An unrecognised policy name is itself a finding.
        item.audit_issues = []
        item.new_config = single_listener(443, 'ELBSecurityPolicy-DoesntExist')
        auditor.check_ssl_policy(item)
        self.assertEqual(len(item.audit_issues), 1)
        unknown_policy_issue = item.audit_issues[0]
        self.assertEqual(unknown_policy_issue.issue, 'Insecure TLS')
        self.assertEqual(unknown_policy_issue.notes, 'Policy: [ELBSecurityPolicy-DoesntExist] Port: [443] Reason: [Unknown reference policy]')
    def test_process_reference_policy(self):
        """Reference policies are graded by name: older ones raise issues, current ones none.

        Drives ``ELBAuditor._process_reference_policy`` with no reference
        policy (a custom policy), each predefined AWS policy name, and an
        unknown name, checking the number of issues raised and, for the
        oldest policy, every reason string.
        """
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        elb_arn = (ARN_PREFIX + ":elasticloadbalancing:" + AWS_DEFAULT_REGION
                   + ":012345678910:loadbalancer/MyELB")
        item = CloudAuxChangeItem(index='elb', account='TEST_ACCOUNT', name='MyELB',
                                  arn=elb_arn, config=INTERNET_ELB)

        def audit(reference_policy):
            """Clear earlier findings, audit ``reference_policy`` on port 443, return the issues."""
            item.audit_issues = list()
            auditor._process_reference_policy(reference_policy, 'MyCustomPolicy', '[443]', item)
            return item.audit_issues

        # No reference policy means the listener uses a custom one.
        auditor._process_reference_policy(None, 'MyCustomPolicy', '[443]', item)
        self.assertEqual(len(item.audit_issues), 1)
        self.assertEqual(item.audit_issues[0].issue, 'Insecure TLS')
        self.assertEqual(item.audit_issues[0].notes, 'Policy: [MyCustomPolicy] Port: [443] Reason: [Custom listener policies discouraged]')

        # The oldest predefined policy trips every check; pin each reason.
        findings = audit('ELBSecurityPolicy-2011-08')
        self.assertEqual(len(findings), 5)
        self.assertEqual({finding.issue for finding in findings}, {'Insecure TLS'})
        reasons = {finding.notes for finding in findings}
        for expected_note in (
                'Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Vulnerable and deprecated]',
                'Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Vulnerable to poodlebleed]',
                'Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Lacks server order cipher preference]',
                'Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Contains RC4 ciphers (RC4-SHA)]',
                'Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Weak cipher (DES-CBC3-SHA) for Windows XP support] CVE: [SWEET32 CVE-2016-2183]',
        ):
            self.assertIn(expected_note, reasons)

        # Newer predefined policies raise progressively fewer issues.
        expected_counts = (
            ('ELBSecurityPolicy-2014-01', 3),
            ('ELBSecurityPolicy-2014-10', 2),
            ('ELBSecurityPolicy-2015-02', 2),
            ('ELBSecurityPolicy-2015-03', 2),
            ('ELBSecurityPolicy-2015-05', 1),
            ('ELBSecurityPolicy-2016-08', 0),
            ('ELBSecurityPolicy-TLS-1-1-2017-01', 0),
            ('ELBSecurityPolicy-TLS-1-2-2017-01', 0),
        )
        for reference_policy, count in expected_counts:
            self.assertEqual(len(audit(reference_policy)), count)

        # A name the auditor does not know is reported as unknown.
        findings = audit('OTHER_REFERENCE_POLICY')
        self.assertEqual(len(findings), 1)
        self.assertEqual(findings[0].issue, 'Insecure TLS')
        self.assertEqual(findings[0].notes, 'Policy: [OTHER_REFERENCE_POLICY] Port: [443] Reason: [Unknown reference policy]')
    def test_process_reference_policy(self):
        """Reference policies are graded by name: older ones raise issues, current ones none.

        Drives ``ELBAuditor._process_reference_policy`` with no reference
        policy (a custom policy), each predefined AWS policy name, and an
        unknown name, checking the number of issues raised and, for the
        oldest policy, every issue message.
        """
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        item = CloudAuxChangeItem(
            index='elb',
            account='TEST_ACCOUNT',
            name='MyELB',
            arn="arn:aws:elasticloadbalancing:us-east-1:012345678910:loadbalancer/MyELB",
            config=INTERNET_ELB)

        def audit(reference_policy):
            """Clear earlier findings, audit ``reference_policy`` on port 443, return the issues."""
            item.audit_issues = list()
            auditor._process_reference_policy(reference_policy,
                                              'MyCustomPolicy', '443', item)
            return item.audit_issues

        # No reference policy means the listener uses a custom one.
        auditor._process_reference_policy(None, 'MyCustomPolicy', '443', item)
        self.assertEqual(len(item.audit_issues), 1)
        self.assertEqual(item.audit_issues[0].issue,
                         'Custom listener policies are discouraged.')

        # The oldest predefined policy trips every check; pin each message.
        findings = audit('ELBSecurityPolicy-2011-08')
        self.assertEqual(len(findings), 5)
        messages = [finding.issue for finding in findings]
        for expected_message in (
                "ELBSecurityPolicy-2011-08 is vulnerable and deprecated",
                "ELBSecurityPolicy-2011-08 is vulnerable to poodlebleed",
                "ELBSecurityPolicy-2011-08 lacks server order cipher preference.",
                "ELBSecurityPolicy-2011-08 contains RC4 ciphers (RC4-SHA) that have been removed in newer policies.",
                "ELBSecurityPolicy-2011-08 contains a weaker cipher (DES-CBC3-SHA) "
                "for backwards compatibility with Windows XP systems. Vulnerable to SWEET32 CVE-2016-2183.",
        ):
            self.assertIn(expected_message, messages)

        # Newer predefined policies raise progressively fewer issues.
        expected_counts = (
            ('ELBSecurityPolicy-2014-01', 3),
            ('ELBSecurityPolicy-2014-10', 2),
            ('ELBSecurityPolicy-2015-02', 2),
            ('ELBSecurityPolicy-2015-03', 2),
            ('ELBSecurityPolicy-2015-05', 1),
            ('ELBSecurityPolicy-2016-08', 0),
            ('ELBSecurityPolicy-TLS-1-1-2017-01', 0),
            ('ELBSecurityPolicy-TLS-1-2-2017-01', 0),
        )
        for reference_policy, count in expected_counts:
            self.assertEqual(len(audit(reference_policy)), count)

        # A name the auditor does not know is reported as unknown.
        findings = audit('OTHER_REFERENCE_POLICY')
        self.assertEqual(len(findings), 1)
        self.assertEqual(findings[0].issue, 'Unknown reference policy.')
    def test_process_reference_policy(self):
        """Reference policies are graded by name: older ones raise issues, current ones none.

        Drives ``ELBAuditor._process_reference_policy`` with no reference
        policy (a custom policy), each predefined AWS policy name, and an
        unknown name, checking the number of issues raised and, for the
        oldest policy, every reason string.
        """
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        elb_arn = (ARN_PREFIX + ":elasticloadbalancing:" +
                   AWS_DEFAULT_REGION +
                   ":012345678910:loadbalancer/MyELB")
        item = CloudAuxChangeItem(index='elb',
                                  account='TEST_ACCOUNT',
                                  name='MyELB',
                                  arn=elb_arn,
                                  config=INTERNET_ELB)

        def reasons_for(reference_policy):
            """Reset findings, audit ``reference_policy`` on port 443, return (issues, notes)."""
            item.audit_issues = list()
            auditor._process_reference_policy(reference_policy,
                                              'MyCustomPolicy', '[443]', item)
            return item.audit_issues

        # No reference policy means the listener uses a custom one.
        auditor._process_reference_policy(None, 'MyCustomPolicy', '[443]',
                                          item)
        self.assertEqual(len(item.audit_issues), 1)
        first = item.audit_issues[0]
        self.assertEqual(first.issue, 'Insecure TLS')
        self.assertEqual(
            first.notes,
            'Policy: [MyCustomPolicy] Port: [443] Reason: [Custom listener policies discouraged]'
        )

        # The oldest predefined policy trips every check; pin each reason.
        legacy_findings = reasons_for('ELBSecurityPolicy-2011-08')
        self.assertEqual(len(legacy_findings), 5)
        self.assertEqual({f.issue for f in legacy_findings}, {'Insecure TLS'})
        legacy_notes = {f.notes for f in legacy_findings}
        expected_notes = [
            'Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Vulnerable and deprecated]',
            'Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Vulnerable to poodlebleed]',
            'Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Lacks server order cipher preference]',
            'Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Contains RC4 ciphers (RC4-SHA)]',
            'Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Weak cipher (DES-CBC3-SHA) for Windows XP support] CVE: [SWEET32 CVE-2016-2183]',
        ]
        for note in expected_notes:
            self.assertIn(note, legacy_notes)

        # Newer predefined policies raise progressively fewer issues.
        graded = [
            ('ELBSecurityPolicy-2014-01', 3),
            ('ELBSecurityPolicy-2014-10', 2),
            ('ELBSecurityPolicy-2015-02', 2),
            ('ELBSecurityPolicy-2015-03', 2),
            ('ELBSecurityPolicy-2015-05', 1),
            ('ELBSecurityPolicy-2016-08', 0),
            ('ELBSecurityPolicy-TLS-1-1-2017-01', 0),
            ('ELBSecurityPolicy-TLS-1-2-2017-01', 0),
        ]
        for reference_policy, expected_count in graded:
            self.assertEqual(len(reasons_for(reference_policy)), expected_count)

        # A name the auditor does not know is reported as unknown.
        unknown_findings = reasons_for('OTHER_REFERENCE_POLICY')
        self.assertEqual(len(unknown_findings), 1)
        self.assertEqual(unknown_findings[0].issue, 'Insecure TLS')
        self.assertEqual(
            unknown_findings[0].notes,
            'Policy: [OTHER_REFERENCE_POLICY] Port: [443] Reason: [Unknown reference policy]'
        )