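def test_check_internet_accessible_ingress(self):
    """An INTERNET_SG_INGRESS fixture must produce exactly one audit issue.

    The fixture expects a score of 0 for that issue; presumably the score is
    raised elsewhere (for example once the group is associated with running
    resources) -- confirm against SecurityGroupAuditor before relying on it.
    """
    auditor = SecurityGroupAuditor(accounts=['TEST_ACCOUNT'])
    auditor.prep_for_audit()

    item = SecurityGroupItem(region=AWS_DEFAULT_REGION, account='TEST_ACCOUNT',
                             name='INTERNET_SG_INGRESS', config=INTERNET_SG_INGRESS)

    auditor.check_internet_accessible_ingress(item)
    # assertEquals is a deprecated alias (removed in Python 3.12); use the canonical name.
    self.assertEqual(len(item.audit_issues), 1)
    self.assertEqual(item.audit_issues[0].score, 0)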
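    def test_check_securitygroup_ec2_rfc1918(self):
        """An INTERNAL_SG fixture must produce exactly one RFC1918 audit issue.

        The fixture expects a score of 0 for that issue; the reason is not
        visible here -- confirm against SecurityGroupAuditor before relying on it.
        """
        auditor = SecurityGroupAuditor(accounts=['TEST_ACCOUNT'])
        auditor.prep_for_audit()

        item = SecurityGroupItem(region=AWS_DEFAULT_REGION, account='TEST_ACCOUNT',
                                 name='INTERNAL_SG', config=INTERNAL_SG)

        auditor.check_securitygroup_ec2_rfc1918(item)
        # assertEquals is a deprecated alias (removed in Python 3.12); use the canonical name.
        self.assertEqual(len(item.audit_issues), 1)
        self.assertEqual(item.audit_issues[0].score, 0)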
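def audit_sg(accounts, send_report):
    """Run auditors/security_group over *accounts* and persist the findings.

    Args:
        accounts: account selection; normalised by ``__prep_accounts__``.
        send_report: when truthy, the audit report is also e-mailed.

    The DB session is closed in ``finally`` so that a failing audit or
    report step does not leave the session open.
    """
    accounts = __prep_accounts__(accounts)
    au = SecurityGroupAuditor(accounts=accounts, debug=True)
    try:
        au.audit_all_objects()

        if send_report:
            report = au.create_report()
            au.email_report(report)

        au.save_issues()
    finally:
        db.session.close()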
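 def __init__(self, accounts=None, alert_accounts=None, debug=False):
     """Build one watcher/auditor pipeline per account, plus an optional Alerter.

     Args:
         accounts: accounts to watch. ``None`` (the default) is treated as
             "no accounts"; the original iterated it directly and raised
             TypeError.
         alert_accounts: accounts that also get an Alerter. When empty or
             ``None`` every watched account is alerted on.
         debug: forwarded to every watcher and auditor.
     """
     self.account_watchers = {}
     self.account_alerters = {}
     accounts = list(accounts) if accounts else []
     # Empty/None alert_accounts means "alert on everything we watch".
     # A set makes the per-account membership test O(1).
     alert_targets = set(alert_accounts) if alert_accounts else set(accounts)
     for account in accounts:
         # Each tuple is (watcher, auditor); None means the watcher has no auditor.
         self.account_watchers[account] = [
             (SQS(accounts=[account], debug=debug), None),
             (ELB(accounts=[account], debug=debug), None),
             (IAMSSL(accounts=[account], debug=debug), None),
             (RDSSecurityGroup(accounts=[account], debug=debug),
              RDSSecurityGroupAuditor(accounts=[account], debug=debug)),
             (SecurityGroup(accounts=[account], debug=debug),
              SecurityGroupAuditor(accounts=[account], debug=debug)),
             (S3(accounts=[account], debug=debug),
              S3Auditor(accounts=[account], debug=debug)),
             (IAMUser(accounts=[account], debug=debug),
              IAMUserAuditor(accounts=[account], debug=debug)),
             (IAMGroup(accounts=[account], debug=debug), None),
             (IAMRole(accounts=[account], debug=debug), None),
             (Keypair(accounts=[account], debug=debug), None),
             (SNS(accounts=[account], debug=debug),
              SNSAuditor(accounts=[account], debug=debug)),
         ]
         if account in alert_targets:
             self.account_alerters[account] = Alerter(
                 watchers_auditors=self.account_watchers[account],
                 account=account)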
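def audit_sg(accounts, send_report):
    """Run auditors/security_group over *accounts* and persist the findings.

    Args:
        accounts: account selection; normalised by ``__prep_accounts__``.
        send_report: either a bool or a string such as ``'true'``/``'false'``
            (e.g. from a command line). Only the string ``'true'``
            (case-insensitive) or a truthy non-string value sends the report.

    The original called ``send_report.lower()`` unconditionally, so passing
    a real ``bool`` raised AttributeError before the ``== True`` branch was
    ever reached. The DB session is closed in ``finally`` so a failing
    audit does not leave it open.
    """
    accounts = __prep_accounts__(accounts)
    au = SecurityGroupAuditor(accounts=accounts, debug=True)

    if isinstance(send_report, str):
        send_report = send_report.lower() == 'true'

    try:
        au.audit_all_objects()

        if send_report:
            report = au.create_report()
            au.email_report(report)

        au.save_issues()
    finally:
        db.session.close()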
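def find_sg_changes(accounts):
    """Run watchers/security_group, then audit only the created/changed groups.

    Args:
        accounts: account selection; normalised by ``__prep_accounts__``.

    The auditor is built with the same ``accounts`` as the watcher (the
    original omitted it, leaving the auditor with its default ``accounts``).
    The DB session is closed in ``finally`` so a failing step does not
    leave it open.
    """
    accounts = __prep_accounts__(accounts)
    cw = SecurityGroup(accounts=accounts, debug=True)
    try:
        (items, exception_map) = cw.slurp()
        cw.find_changes(current=items, exception_map=exception_map)

        # Audit only the items the watcher reports as new or changed.
        items_to_audit = [
            SecurityGroupItem(region=item.region, account=item.account,
                              name=item.name, config=item.new_config)
            for item in cw.created_items + cw.changed_items
        ]

        au = SecurityGroupAuditor(accounts=accounts, debug=True)
        au.audit_these_objects(items_to_audit)
        au.save_issues()

        cw.save()
    finally:
        db.session.close()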
    def pre_test_setup(self):
        """Reset shared auditor state and seed the DB with one AWS test account.

        Clears ``SecurityGroupAuditor.OBJECT_STORE`` (via a throwaway
        instance), inserts an ``AccountType`` named ``'AWS'``, then inserts
        ``TEST_ACCOUNT`` referencing that type. Each insert is committed
        separately so the type's ``id`` is available for the account row.
        """
        SecurityGroupAuditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear()

        aws_type = AccountType(name='AWS')
        db.session.add(aws_type)
        db.session.commit()

        # The main (non-third-party, active) account used by the tests.
        test_account = Account(
            identifier="123456789123",
            name="TEST_ACCOUNT",
            account_type_id=aws_type.id,
            notes="TEST_ACCOUNT",
            third_party=False,
            active=True,
        )
        db.session.add(test_account)
        db.session.commit()
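    def test_check_securitygroup_ec2_rfc1918(self):
        """An INTERNAL_SG fixture must produce exactly one RFC1918 audit issue.

        The fixture expects a score of 0 for that issue; the reason is not
        visible here -- confirm against SecurityGroupAuditor before relying on it.
        """
        auditor = SecurityGroupAuditor(accounts=['TEST_ACCOUNT'])
        auditor.prep_for_audit()

        item = SecurityGroupItem(region=AWS_DEFAULT_REGION,
                                 account='TEST_ACCOUNT',
                                 name='INTERNAL_SG',
                                 config=INTERNAL_SG)

        auditor.check_securitygroup_ec2_rfc1918(item)
        # assertEquals is a deprecated alias (removed in Python 3.12); use the canonical name.
        self.assertEqual(len(item.audit_issues), 1)
        self.assertEqual(item.audit_issues[0].score, 0)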
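    def test_check_internet_accessible_egress(self):
        """An INTERNET_SG_EGRESS fixture must produce exactly one audit issue.

        The fixture expects a score of 0 for that issue; the reason is not
        visible here -- confirm against SecurityGroupAuditor before relying on it.
        """
        auditor = SecurityGroupAuditor(accounts=['TEST_ACCOUNT'])
        auditor.prep_for_audit()

        item = SecurityGroupItem(region=AWS_DEFAULT_REGION,
                                 account='TEST_ACCOUNT',
                                 name='INTERNET_SG_EGRESS',
                                 config=INTERNET_SG_EGRESS)

        auditor.check_internet_accessible_egress(item)
        # assertEquals is a deprecated alias (removed in Python 3.12); use the canonical name.
        self.assertEqual(len(item.audit_issues), 1)
        self.assertEqual(item.audit_issues[0].score, 0)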
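def find_sg_changes(accounts):
    """Run watchers/security_group, then audit only the created/changed groups.

    Args:
        accounts: account selection; normalised by ``__prep_accounts__``.

    The DB session is closed in ``finally`` so that a failure in slurp,
    audit or save does not leave it open; the save order (issues first,
    then watcher state) is unchanged.
    """
    accounts = __prep_accounts__(accounts)
    cw = SecurityGroup(accounts=accounts, debug=True)
    try:
        (items, exception_map) = cw.slurp()
        cw.find_changes(current=items, exception_map=exception_map)

        # Audit only the items the watcher reports as new or changed.
        items_to_audit = [
            SecurityGroupItem(region=item.region, account=item.account,
                              name=item.name, config=item.new_config)
            for item in cw.created_items + cw.changed_items
        ]

        au = SecurityGroupAuditor(accounts=accounts, debug=True)
        au.audit_these_objects(items_to_audit)
        au.save_issues()

        cw.save()
    finally:
        db.session.close()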