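    def test_es_auditor(self):
        """Audit every fixture ES domain's access policy and pin the resulting findings.

        Each entry of ``self.es_items`` is passed through
        ``check_es_access_policy``; the test then asserts, per fixture, the
        exact sequence of issue scores the auditor recorded.

        The comparison is positional, so it pins the order in which findings
        are recorded as well as their severity scores.  The fixtures that
        expect an empty list (CONFIG FIVE and SIX) are the negative cases:
        they fail the test if the auditor starts flagging those policies.
        """
        from security_monkey.auditors.elasticsearch_service import ElasticSearchServiceAuditor
        es_auditor = ElasticSearchServiceAuditor(accounts=["012345678910"])

        # Install the test whitelist directly on the auditor instance.
        # WHITELIST_CIDRS entries are indexed as (name, cidr).
        es_auditor.network_whitelist = []
        for cidr in WHITELIST_CIDRS:
            whitelist_cidr = NetworkWhitelistEntry()
            whitelist_cidr.cidr = cidr[1]
            whitelist_cidr.name = cidr[0]

            es_auditor.network_whitelist.append(whitelist_cidr)

        for es_domain in self.es_items:
            es_auditor.check_es_access_policy(es_domain)

        # Expected issue scores, in recording order, for es_items[0..8].
        # NOTE(review): what each score stands for is defined by the auditor
        # and the CONFIG_* fixtures, neither of which is visible here.
        expected_scores = [
            [20],       # CONFIG ONE
            [20],       # CONFIG TWO
            [5, 7],     # CONFIG THREE
            [20],       # CONFIG FOUR
            [],         # CONFIG FIVE
            [],         # CONFIG SIX
            [5, 5, 7],  # CONFIG SEVEN
            [20],       # CONFIG EIGHT
            [6, 10],    # CONFIG NINE
        ]

        # assertEqual replaces the deprecated assertEquals alias, which newer
        # unittest releases no longer provide.  Comparing the whole score list
        # checks the count and every score at once and shows the full set of
        # findings when a fixture regresses.
        for index, expected in enumerate(expected_scores):
            found = [issue.score for issue in self.es_items[index].audit_issues]
            self.assertEqual(
                found, expected,
                "unexpected audit issue scores for fixture #%d" % (index + 1))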
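    def test_es_auditor(self):
        """Check the number and score of access-policy findings for each ES fixture.

        The auditor is given an in-memory network whitelist built from
        ``WHITELIST_CIDRS``, then ``check_es_access_policy`` is run on every
        item in ``self.es_items``.  Issues are read back by index, so the
        assertions depend on the order in which the auditor records them.
        """
        from security_monkey.auditors.elasticsearch_service import ElasticSearchServiceAuditor
        es_auditor = ElasticSearchServiceAuditor(accounts=["012345678910"])

        # Add some test network whitelists into this:
        # (each WHITELIST_CIDRS entry is read as (name, cidr))
        es_auditor.network_whitelist = []
        for cidr in WHITELIST_CIDRS:
            whitelist_cidr = NetworkWhitelistEntry()
            whitelist_cidr.cidr = cidr[1]
            whitelist_cidr.name = cidr[0]

            es_auditor.network_whitelist.append(whitelist_cidr)

        for es_domain in self.es_items:
            es_auditor.check_es_access_policy(es_domain)

        # Check for correct number of issues located.  assertEqual is used
        # throughout: assertEquals is a deprecated alias that newer unittest
        # releases no longer provide.
        # CONFIG ONE:
        self.assertEqual(len(self.es_items[0].audit_issues), 1)
        self.assertEqual(self.es_items[0].audit_issues[0].score, 20)

        # CONFIG TWO:
        self.assertEqual(len(self.es_items[1].audit_issues), 1)
        self.assertEqual(self.es_items[1].audit_issues[0].score, 20)

        # CONFIG THREE:
        self.assertEqual(len(self.es_items[2].audit_issues), 2)
        self.assertEqual(self.es_items[2].audit_issues[0].score, 5)
        self.assertEqual(self.es_items[2].audit_issues[1].score, 7)

        # CONFIG FOUR:
        self.assertEqual(len(self.es_items[3].audit_issues), 1)
        self.assertEqual(self.es_items[3].audit_issues[0].score, 20)

        # CONFIG FIVE: negative case, the auditor must raise nothing.
        self.assertEqual(len(self.es_items[4].audit_issues), 0)

        # CONFIG SIX: negative case, the auditor must raise nothing.
        self.assertEqual(len(self.es_items[5].audit_issues), 0)

        # CONFIG SEVEN:
        self.assertEqual(len(self.es_items[6].audit_issues), 3)
        self.assertEqual(self.es_items[6].audit_issues[0].score, 5)
        self.assertEqual(self.es_items[6].audit_issues[1].score, 5)
        self.assertEqual(self.es_items[6].audit_issues[2].score, 7)

        # CONFIG EIGHT:
        self.assertEqual(len(self.es_items[7].audit_issues), 1)
        self.assertEqual(self.es_items[7].audit_issues[0].score, 20)

        # CONFIG NINE:
        self.assertEqual(len(self.es_items[8].audit_issues), 2)
        self.assertEqual(self.es_items[8].audit_issues[0].score, 6)
        self.assertEqual(self.es_items[8].audit_issues[1].score, 10)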
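    def test_es_auditor(self):
        """Run the four ES access checks on every fixture and pin the findings.

        For each item in ``self.es_items`` the auditor's
        ``check_internet_accessible``, ``check_friendly_cross_account``,
        ``check_unknown_cross_account`` and ``check_root_cross_account`` are
        called in that order.  The test then asserts the exact sequence of
        issue scores recorded per fixture, so it is sensitive both to the
        scores and to the order in which the checks record them.
        """
        es_auditor = ElasticSearchServiceAuditor(accounts=["012345678910"])
        # NOTE(review): presumably loads the account and whitelist state that
        # the test setup seeded -- confirm against the auditor implementation.
        es_auditor.prep_for_audit()

        for es_domain in self.es_items:
            es_auditor.check_internet_accessible(es_domain)
            es_auditor.check_friendly_cross_account(es_domain)
            es_auditor.check_unknown_cross_account(es_domain)
            es_auditor.check_root_cross_account(es_domain)

        # Expected issue scores, in recording order, for es_items[0..8].
        # Empty lists are the negative cases: no finding may be raised.
        expected_scores = [
            [10],      # CONFIG ONE
            [10],      # CONFIG TWO
            [10],      # CONFIG THREE
            [10],      # CONFIG FOUR
            [],        # CONFIG FIVE
            [],        # CONFIG SIX
            [10, 10],  # CONFIG SEVEN
            [10],      # CONFIG EIGHT
            [10, 6],   # CONFIG NINE
        ]

        # assertEqual replaces the deprecated assertEquals alias, which newer
        # unittest releases no longer provide.  One list comparison per
        # fixture covers both the issue count and every individual score.
        for index, expected in enumerate(expected_scores):
            found = [issue.score for issue in self.es_items[index].audit_issues]
            self.assertEqual(
                found, expected,
                "unexpected audit issue scores for fixture #%d" % (index + 1))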
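    def test_es_auditor(self):
        """Check issue counts and scores after the four ES access checks run.

        Every fixture in ``self.es_items`` goes through the internet-accessible
        check and the friendly / unknown / root cross-account checks.  Issues
        are then read back by index, which ties the assertions to the order in
        which the checks are invoked in the loop below.
        """
        es_auditor = ElasticSearchServiceAuditor(accounts=["012345678910"])
        # NOTE(review): prep_for_audit() is assumed to load the state seeded by
        # the test setup (account, network whitelist) -- confirm.
        es_auditor.prep_for_audit()

        for es_domain in self.es_items:
            es_auditor.check_internet_accessible(es_domain)
            es_auditor.check_friendly_cross_account(es_domain)
            es_auditor.check_unknown_cross_account(es_domain)
            es_auditor.check_root_cross_account(es_domain)

        # Check for correct number of issues located.  assertEqual is used
        # throughout: assertEquals is a deprecated alias that newer unittest
        # releases no longer provide.
        # CONFIG ONE:
        self.assertEqual(len(self.es_items[0].audit_issues), 1)
        self.assertEqual(self.es_items[0].audit_issues[0].score, 10)

        # CONFIG TWO:
        self.assertEqual(len(self.es_items[1].audit_issues), 1)
        self.assertEqual(self.es_items[1].audit_issues[0].score, 10)

        # CONFIG THREE:
        self.assertEqual(len(self.es_items[2].audit_issues), 1)
        self.assertEqual(self.es_items[2].audit_issues[0].score, 10)

        # CONFIG FOUR:
        self.assertEqual(len(self.es_items[3].audit_issues), 1)
        self.assertEqual(self.es_items[3].audit_issues[0].score, 10)

        # CONFIG FIVE: negative case, none of the checks may raise an issue.
        self.assertEqual(len(self.es_items[4].audit_issues), 0)

        # CONFIG SIX: negative case, none of the checks may raise an issue.
        self.assertEqual(len(self.es_items[5].audit_issues), 0)

        # CONFIG SEVEN:
        self.assertEqual(len(self.es_items[6].audit_issues), 2)
        self.assertEqual(self.es_items[6].audit_issues[0].score, 10)
        self.assertEqual(self.es_items[6].audit_issues[1].score, 10)

        # CONFIG EIGHT:
        self.assertEqual(len(self.es_items[7].audit_issues), 1)
        self.assertEqual(self.es_items[7].audit_issues[0].score, 10)

        # CONFIG NINE:
        self.assertEqual(len(self.es_items[8].audit_issues), 2)
        self.assertEqual(self.es_items[8].audit_issues[0].score, 10)
        self.assertEqual(self.es_items[8].audit_issues[1].score, 6)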
    def pre_test_setup(self):
        """Build the nine ES domain fixtures and seed the database for the auditor tests.

        Populates ``self.es_items`` with one ``ElasticSearchServiceItem`` per
        ``CONFIG_*`` fixture, then stores an ``AWS`` account type, the
        ``TEST_ACCOUNT`` account (identifier ``012345678910``) and two
        network whitelist entries through ``db.session``.
        """
        # Empty the auditor's OBJECT_STORE before any fixture is created.
        # NOTE(review): presumably shared state that would otherwise leak
        # between test cases -- confirm against the auditor base class.
        ElasticSearchServiceAuditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear()

        # (region, name, config) for each fixture; list order defines the
        # es_items index the tests assert against.
        domain_specs = (
            ("us-east-1", "es_test", CONFIG_ONE),
            ("us-west-2", "es_test_2", CONFIG_TWO),
            ("eu-west-1", "es_test_3", CONFIG_THREE),
            ("us-east-1", "es_test_4", CONFIG_FOUR),
            ("us-east-1", "es_test_5", CONFIG_FIVE),
            ("eu-west-1", "es_test_6", CONFIG_SIX),
            ("eu-west-1", "es_test_7", CONFIG_SEVEN),
            ("eu-west-1", "es_test_8", CONFIG_EIGHT),
            ("us-east-1", "es_test_9", CONFIG_NINE),
        )
        self.es_items = [
            ElasticSearchServiceItem(region=region,
                                     account="TEST_ACCOUNT",
                                     name=name,
                                     config=config)
            for region, name, config in domain_specs
        ]

        # The account type is committed first so that its id is available
        # for the account row created next.
        aws_type = AccountType(name='AWS')
        db.session.add(aws_type)
        db.session.commit()

        test_account = Account(identifier="012345678910",
                               name="TEST_ACCOUNT",
                               account_type_id=aws_type.id,
                               notes="TEST_ACCOUNT",
                               third_party=False,
                               active=True)
        db.session.add(test_account)
        db.session.commit()

        # Whitelisted networks stored in the database; fixture values only.
        whitelist_rows = (
            ("Test one", "192.168.1.1/32"),
            ("Test two", "100.0.0.0/16"),
        )
        for label, network in whitelist_rows:
            entry = NetworkWhitelistEntry()
            entry.name = label
            entry.notes = label
            entry.cidr = network
            db.session.add(entry)
            db.session.commit()