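def test_check_internet_accessible_ingress(self):
    """Flag a security group whose ingress rule is reachable from the internet.

    Runs ``check_internet_accessible_ingress`` against the ``INTERNET_SG_INGRESS``
    fixture and expects exactly one audit issue to be recorded on the item.
    """
    auditor = SecurityGroupAuditor(accounts=['TEST_ACCOUNT'])
    auditor.prep_for_audit()
    item = SecurityGroupItem(
        region=AWS_DEFAULT_REGION,
        account='TEST_ACCOUNT',
        name='INTERNET_SG_INGRESS',
        config=INTERNET_SG_INGRESS,
    )
    auditor.check_internet_accessible_ingress(item)
    # assertEquals is a deprecated alias (removed in Python 3.12); assertEqual
    # is the supported spelling and behaves identically.
    self.assertEqual(len(item.audit_issues), 1)
    # NOTE(review): the fixture is expected to score 0 -- confirm that is the
    # intended severity for an internet-reachable ingress rule rather than an
    # artefact of how the fixture is built.
    self.assertEqual(item.audit_issues[0].score, 0)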
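def test_check_securitygroup_ec2_rfc1918(self):
    """Record one issue for a security group whose rules use RFC 1918 ranges.

    Runs ``check_securitygroup_ec2_rfc1918`` against the ``INTERNAL_SG`` fixture
    and expects exactly one audit issue on the item.
    """
    auditor = SecurityGroupAuditor(accounts=['TEST_ACCOUNT'])
    auditor.prep_for_audit()
    item = SecurityGroupItem(
        region=AWS_DEFAULT_REGION,
        account='TEST_ACCOUNT',
        name='INTERNAL_SG',
        config=INTERNAL_SG,
    )
    auditor.check_securitygroup_ec2_rfc1918(item)
    # assertEquals is a deprecated alias (removed in Python 3.12); assertEqual
    # is the supported spelling and behaves identically.
    self.assertEqual(len(item.audit_issues), 1)
    # NOTE(review): a score of 0 is asserted here -- confirm that is the
    # intended severity for this finding.
    self.assertEqual(item.audit_issues[0].score, 0)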
def audit_sg(accounts, send_report):
    """ Runs auditors/security_group

    Audits every security group in the prepared accounts, optionally e-mails
    the report when ``send_report`` is truthy, and persists the issues.
    """
    prepared_accounts = __prep_accounts__(accounts)
    auditor = SecurityGroupAuditor(accounts=prepared_accounts, debug=True)
    auditor.audit_all_objects()
    if send_report:
        auditor.email_report(auditor.create_report())
    auditor.save_issues()
    # Release the scoped session so the command does not hold a connection open.
    db.session.close()
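def __init__(self, accounts=None, alert_accounts=None, debug=False):
    """Build one (watcher, auditor) list per account and an alerter per alert account.

    Args:
        accounts: account names to watch. ``None`` (the declared default) is
            treated as "no accounts"; the original iterated it directly and
            raised ``TypeError``.
        alert_accounts: accounts that also get an ``Alerter``; when empty or
            ``None`` every entry of ``accounts`` is alerted on.
        debug: forwarded unchanged to every watcher and auditor.
    """
    self.account_watchers = {}
    self.account_alerters = {}
    # Honour the declared default instead of failing on ``for account in None``.
    accounts = accounts or []
    if not alert_accounts:
        alert_accounts = accounts
    for account in accounts:
        # Every watcher/auditor is scoped to a single account.
        scoped = dict(accounts=[account], debug=debug)
        # Order is preserved from the original list; the Alerter receives it as-is.
        self.account_watchers[account] = [
            (SQS(**scoped), None),
            (ELB(**scoped), None),
            (IAMSSL(**scoped), None),
            (RDSSecurityGroup(**scoped), RDSSecurityGroupAuditor(**scoped)),
            (SecurityGroup(**scoped), SecurityGroupAuditor(**scoped)),
            (S3(**scoped), S3Auditor(**scoped)),
            (IAMUser(**scoped), IAMUserAuditor(**scoped)),
            (IAMGroup(**scoped), None),
            (IAMRole(**scoped), None),
            (Keypair(**scoped), None),
            (SNS(**scoped), SNSAuditor(**scoped)),
        ]
        if account in alert_accounts:
            self.account_alerters[account] = Alerter(
                watchers_auditors=self.account_watchers[account],
                account=account,
            )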
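def audit_sg(accounts, send_report):
    """ Runs auditors/security_group

    ``send_report`` may be a bool or the string form of a command-line flag;
    only ``True`` or a case-insensitive ``'true'`` triggers the e-mailed report.
    """
    accounts = __prep_accounts__(accounts)
    au = SecurityGroupAuditor(accounts=accounts, debug=True)
    au.audit_all_objects()
    # The original called send_report.lower() unconditionally, which raised
    # AttributeError for any non-string value (including a plain bool), so the
    # ``== True`` branch could never be reached. Check the bool first and only
    # apply string parsing to string-like values.
    wants_report = send_report is True
    if not wants_report and hasattr(send_report, 'lower'):
        wants_report = send_report.strip().lower() == 'true'
    if wants_report:
        report = au.create_report()
        au.email_report(report)
    au.save_issues()
    db.session.close()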
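def find_sg_changes(accounts):
    """ Runs watchers/security_group

    Slurps the current security groups, records the changes, then audits only
    the created and changed items and persists both the issues and the watcher state.
    """
    accounts = __prep_accounts__(accounts)
    cw = SecurityGroup(accounts=accounts, debug=True)
    (items, exception_map) = cw.slurp()
    cw.find_changes(current=items, exception_map=exception_map)

    # Audit these changed items
    items_to_audit = [
        SecurityGroupItem(
            region=item.region,
            account=item.account,
            name=item.name,
            config=item.new_config,
        )
        for item in cw.created_items + cw.changed_items
    ]
    # Pass the accounts through: the auditor's ``accounts`` default is None,
    # and the sibling find_sg_changes in this file already scopes it this way.
    au = SecurityGroupAuditor(accounts=accounts, debug=True)
    au.audit_these_objects(items_to_audit)
    au.save_issues()
    cw.save()
    db.session.close()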
def pre_test_setup(self):
    """Reset the auditor's shared object store and seed one active test account."""
    # OBJECT_STORE is presumably shared across auditor instances; clearing it
    # keeps state from earlier tests out of this one.
    SecurityGroupAuditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear()
    aws_type = AccountType(name='AWS')
    db.session.add(aws_type)
    # Commit first so the generated primary key is available for the FK below.
    db.session.commit()

    # main
    test_account = Account(
        identifier="123456789123",
        name="TEST_ACCOUNT",
        account_type_id=aws_type.id,
        notes="TEST_ACCOUNT",
        third_party=False,
        active=True,
    )
    db.session.add(test_account)
    db.session.commit()
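def test_check_securitygroup_ec2_rfc1918(self):
    """Record one issue for a security group whose rules use RFC 1918 ranges.

    Runs ``check_securitygroup_ec2_rfc1918`` against the ``INTERNAL_SG`` fixture
    and expects exactly one audit issue on the item.
    """
    auditor = SecurityGroupAuditor(accounts=['TEST_ACCOUNT'])
    auditor.prep_for_audit()
    item = SecurityGroupItem(
        region=AWS_DEFAULT_REGION,
        account='TEST_ACCOUNT',
        name='INTERNAL_SG',
        config=INTERNAL_SG,
    )
    auditor.check_securitygroup_ec2_rfc1918(item)
    # assertEquals is a deprecated alias (removed in Python 3.12); assertEqual
    # is the supported spelling and behaves identically.
    self.assertEqual(len(item.audit_issues), 1)
    # NOTE(review): a score of 0 is asserted here -- confirm that is the
    # intended severity for this finding.
    self.assertEqual(item.audit_issues[0].score, 0)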
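def test_check_internet_accessible_egress(self):
    """Flag a security group whose egress rule is open to the internet.

    Runs ``check_internet_accessible_egress`` against the ``INTERNET_SG_EGRESS``
    fixture and expects exactly one audit issue to be recorded on the item.
    """
    auditor = SecurityGroupAuditor(accounts=['TEST_ACCOUNT'])
    auditor.prep_for_audit()
    item = SecurityGroupItem(
        region=AWS_DEFAULT_REGION,
        account='TEST_ACCOUNT',
        name='INTERNET_SG_EGRESS',
        config=INTERNET_SG_EGRESS,
    )
    auditor.check_internet_accessible_egress(item)
    # assertEquals is a deprecated alias (removed in Python 3.12); assertEqual
    # is the supported spelling and behaves identically.
    self.assertEqual(len(item.audit_issues), 1)
    # NOTE(review): the fixture is expected to score 0 -- confirm that is the
    # intended severity for an unrestricted egress rule.
    self.assertEqual(item.audit_issues[0].score, 0)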
def find_sg_changes(accounts):
    """ Runs watchers/security_group

    Slurps the current security groups, records the changes, audits only the
    created and changed items, then persists the issues and the watcher state.
    """
    prepared_accounts = __prep_accounts__(accounts)
    watcher = SecurityGroup(accounts=prepared_accounts, debug=True)
    current_items, exception_map = watcher.slurp()
    watcher.find_changes(current=current_items, exception_map=exception_map)

    # Audit these changed items
    changed = watcher.created_items + watcher.changed_items
    items_to_audit = []
    for changed_item in changed:
        items_to_audit.append(SecurityGroupItem(
            region=changed_item.region,
            account=changed_item.account,
            name=changed_item.name,
            config=changed_item.new_config,
        ))

    auditor = SecurityGroupAuditor(accounts=prepared_accounts, debug=True)
    auditor.audit_these_objects(items_to_audit)
    auditor.save_issues()
    watcher.save()
    db.session.close()