示例#1
0
    def test_check_internet_scheme_internet(self):
        # internet-facing
        # 0.0.0.0/0
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        item = CloudAuxChangeItem(
            index='elb',
            account='TEST_ACCOUNT',
            name='MyELB',
            arn=
            "arn:aws:elasticloadbalancing:us-east-1:012345678910:loadbalancer/MyELB",
            config=INTERNET_ELB)

        def mock_get_watcher_support_items(*args, **kwargs):
            from security_monkey.watchers.security_group import SecurityGroupItem
            sg_item = SecurityGroupItem(region='us-east-1',
                                        account='TEST_ACCOUNT',
                                        name='INTERNETSG',
                                        config=INTERNET_SG)
            return [sg_item]

        auditor.get_watcher_support_items = mock_get_watcher_support_items

        auditor.check_internet_scheme(item)

        self.assertEqual(len(item.audit_issues), 1)
        issue = item.audit_issues[0]
        self.assertEqual(issue.issue, 'VPC ELB is Internet accessible.')
        self.assertEqual(issue.notes, 'SG [INTERNETSG] via [0.0.0.0/0]')
示例#2
0
    def test_check_internet_scheme_internal_2(self):
        # internal
        # 0.0.0.0/0
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        INTERNAL_ELB = dict(INTERNET_ELB)
        INTERNAL_ELB['Scheme'] = 'internal'

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        item = CloudAuxChangeItem(
            index='elb',
            account='TEST_ACCOUNT',
            name='MyELB',
            arn=
            "arn:aws:elasticloadbalancing:us-east-1:012345678910:loadbalancer/MyELB",
            config=INTERNAL_ELB)

        def mock_get_watcher_support_items(*args, **kwargs):
            from security_monkey.watchers.security_group import SecurityGroupItem
            sg_item = SecurityGroupItem(region='us-east-1',
                                        account='TEST_ACCOUNT',
                                        name='INTERNETSG',
                                        config=INTERNET_SG)
            return [sg_item]

        auditor.get_watcher_support_items = mock_get_watcher_support_items

        auditor.check_internet_scheme(item)

        self.assertEqual(len(item.audit_issues), 0)
    def test_check_internet_scheme_internet_2(self):
        # internet-facing
        # 10.0.0.0/8
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        item = CloudAuxChangeItem(index='elb',
                                  account='TEST_ACCOUNT',
                                  name='MyELB',
                                  arn=ARN_PREFIX + "elasticloadbalancing:" +
                                  AWS_DEFAULT_REGION +
                                  ":012345678910:loadbalancer/MyELB",
                                  config=INTERNET_ELB)

        def mock_get_watcher_support_items(*args, **kwargs):
            from security_monkey.watchers.security_group import SecurityGroupItem
            sg_item = SecurityGroupItem(region=AWS_DEFAULT_REGION,
                                        account='TEST_ACCOUNT',
                                        name='INTERNETSG',
                                        config=INTERNAL_SG)
            return [sg_item]

        auditor.get_watcher_support_items = mock_get_watcher_support_items

        auditor.check_internet_scheme(item)

        self.assertEqual(len(item.audit_issues), 0)
示例#4
0
    def test_check_listener_reference_policy(self):
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        item = CloudAuxChangeItem(index='elb', account='TEST_ACCOUNT', name='MyELB', 
            arn=ARN_PREFIX + ":elasticloadbalancing:" + AWS_DEFAULT_REGION + ":012345678910:loadbalancer/MyELB", config=INTERNET_ELB)

        auditor.check_listener_reference_policy(item)
        self.assertEqual(len(item.audit_issues), 0)
示例#5
0
    def test_check_internet_scheme_internet(self):
        # internet-facing
        # 0.0.0.0/0
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        item = CloudAuxChangeItem(index='elb', account='TEST_ACCOUNT', name='MyELB', 
            arn=ARN_PREFIX + ":elasticloadbalancing:" + AWS_DEFAULT_REGION + ":012345678910:loadbalancer/MyELB", config=INTERNET_ELB)

        def mock_get_auditor_support_items(*args, **kwargs):
            class MockIngressIssue:
                issue = 'Internet Accessible'
                notes = 'Entity: [cidr:0.0.0.0/0] Access: [ingress:tcp:80]'
                score = 10
            
            class MockIngressAllProtocolsIssue(MockIngressIssue):
                notes = 'Entity: [cidr:0.0.0.0/0] Access: [ingress:all_protocols:all_ports]'

            class MockIngressPortRangeIssue(MockIngressIssue):
                notes = 'Entity: [cidr:0.0.0.0/0] Access: [ingress:tcp:77-1023]'

            class MockEgressIssue(MockIngressIssue):
                notes = 'Entity: [cidr:0.0.0.0/0] Access: [egress:tcp:80]'

            class MockPortNotListenerPortIssue(MockIngressIssue):
                notes = 'Entity: [cidr:0.0.0.0/0] Access: [ingress:tcp:66555]'

            class MockNonConformingIssue(MockIngressIssue):
                notes = 'Some random rule.'

            class DBItem:
                issues = list()

            from security_monkey.watchers.security_group import SecurityGroupItem
            sg_item = SecurityGroupItem(region=AWS_DEFAULT_REGION, account='TEST_ACCOUNT', name='INTERNETSG', config=INTERNET_SG)
            sg_item.db_item = DBItem()
            sg_item.db_item.issues = [
                MockIngressIssue(), MockIngressAllProtocolsIssue(), MockEgressIssue(),
                MockNonConformingIssue(), MockPortNotListenerPortIssue(),
                MockIngressPortRangeIssue()]
            return [sg_item]

        def mock_link_to_support_item_issues(item, sg, sub_issue_message, score):
            auditor.add_issue(score, sub_issue_message, item, notes='Related to: INTERNETSG (sg-12345678 in vpc-49999999)')

        auditor.get_auditor_support_items = mock_get_auditor_support_items
        auditor.link_to_support_item_issues = mock_link_to_support_item_issues

        auditor.check_internet_scheme(item)

        self.assertEqual(len(item.audit_issues), 1)
        issue = item.audit_issues[0]
        self.assertEqual(issue.issue, 'Internet Accessible')
        self.assertEqual(issue.notes, 'Related to: INTERNETSG (sg-12345678 in vpc-49999999)')
示例#6
0
    def test_check_listener_reference_policy(self):
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        item = CloudAuxChangeItem(
            index='elb',
            account='TEST_ACCOUNT',
            name='MyELB',
            arn=
            "arn:aws:elasticloadbalancing:us-east-1:012345678910:loadbalancer/MyELB",
            config=INTERNET_ELB)

        auditor.check_listener_reference_policy(item)
        self.assertEqual(len(item.audit_issues), 0)
示例#7
0
    def test_check_classic_internet_scheme_internet(self):
        # EC2 Classic ELB, internet facing
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        classic_elb = dict(INTERNET_ELB)
        classic_elb['VPCId'] = None
        item = CloudAuxChangeItem(index='elb', account='TEST_ACCOUNT', name='MyELB', 
            arn=ARN_PREFIX + ":elasticloadbalancing:" + AWS_DEFAULT_REGION + ":012345678910:loadbalancer/MyELB", config=classic_elb)

        auditor.check_internet_scheme(item)

        self.assertEqual(len(item.audit_issues), 1)
        issue = item.audit_issues[0]
        self.assertEqual(issue.issue, 'Internet Accessible')
        self.assertEqual(issue.notes, 'EC2 Classic ELB has internet-facing scheme.')
示例#8
0
    def test_check_logging(self):
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        item = CloudAuxChangeItem(index='elb', account='TEST_ACCOUNT', name='MyELB', 
            arn=ARN_PREFIX + ":elasticloadbalancing:" + AWS_DEFAULT_REGION + ":012345678910:loadbalancer/MyELB", config=INTERNET_ELB)

        auditor.check_logging(item)
        self.assertEqual(len(item.audit_issues), 0)

        elb = dict(INTERNET_ELB)
        elb['Attributes']['AccessLog']['Enabled'] = False
        item = CloudAuxChangeItem(index='elb', account='TEST_ACCOUNT', name='MyELB', 
            arn=ARN_PREFIX + ":elasticloadbalancing:" + AWS_DEFAULT_REGION + ":012345678910:loadbalancer/MyELB", config=INTERNET_ELB)

        auditor.check_logging(item)
        self.assertEqual(len(item.audit_issues), 1)
        self.assertEqual(item.audit_issues[0].issue, 'Recommendation')
        self.assertEqual(item.audit_issues[0].notes, 'Enable access logs')

        del elb['Attributes']['AccessLog']
        item = CloudAuxChangeItem(index='elb', account='TEST_ACCOUNT', name='MyELB', 
            arn=ARN_PREFIX + ":elasticloadbalancing:" + AWS_DEFAULT_REGION + ":012345678910:loadbalancer/MyELB", config=INTERNET_ELB)

        auditor.check_logging(item)
        self.assertEqual(len(item.audit_issues), 1)
        self.assertEqual(item.audit_issues[0].issue, 'Recommendation')
        self.assertEqual(item.audit_issues[0].notes, 'Enable access logs')
示例#9
0
def find_elb_changes(accounts):
    """ Runs watchers/elb"""
    accounts = __prep_accounts__(accounts)
    cw = ELB(accounts=accounts, debug=True)
    (items, exception_map) = cw.slurp()
    cw.find_changes(current=items, exception_map=exception_map)

    # Audit these changed items
    items_to_audit = []
    for item in cw.created_items + cw.changed_items:
        elb_item = ELBItem(region=item.region, account=item.account, name=item.name, config=item.new_config)
        items_to_audit.append(elb_item)

    au = ELBAuditor(accounts=accounts, debug=True)
    au.audit_these_objects(items_to_audit)
    au.save_issues()
    cw.save()
    db.session.close()
示例#10
0
def audit_elb(accounts, send_report):
    """ Runs auditors/elb """
    accounts = __prep_accounts__(accounts)
    au = ELBAuditor(accounts=accounts, debug=True)
    au.audit_all_objects()

    if send_report:
        report = au.create_report()
        au.email_report(report)

    au.save_issues()
    db.session.close()
示例#11
0
    def test_check_internet_scheme_internet_2(self):
        # internet-facing
        # 10.0.0.0/8
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        item = CloudAuxChangeItem(index='elb', account='TEST_ACCOUNT', name='MyELB', 
            arn=ARN_PREFIX + "elasticloadbalancing:" + AWS_DEFAULT_REGION + ":012345678910:loadbalancer/MyELB", config=INTERNET_ELB)

        def mock_get_watcher_support_items(*args, **kwargs):
            from security_monkey.watchers.security_group import SecurityGroupItem
            sg_item = SecurityGroupItem(region=AWS_DEFAULT_REGION, account='TEST_ACCOUNT', name='INTERNETSG', config=INTERNAL_SG)
            return [sg_item]

        auditor.get_watcher_support_items = mock_get_watcher_support_items

        auditor.check_internet_scheme(item)

        self.assertEqual(len(item.audit_issues), 0)
    def test_check_classic_internet_scheme_internet(self):
        # EC2 Classic ELB, internet facing
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        classic_elb = dict(INTERNET_ELB)
        classic_elb['VPCId'] = None
        item = CloudAuxChangeItem(index='elb',
                                  account='TEST_ACCOUNT',
                                  name='MyELB',
                                  arn=ARN_PREFIX + ":elasticloadbalancing:" +
                                  AWS_DEFAULT_REGION +
                                  ":012345678910:loadbalancer/MyELB",
                                  config=classic_elb)

        auditor.check_internet_scheme(item)

        self.assertEqual(len(item.audit_issues), 1)
        issue = item.audit_issues[0]
        self.assertEqual(issue.issue, 'Internet Accessible')
        self.assertEqual(issue.notes,
                         'EC2 Classic ELB has internet-facing scheme.')
示例#13
0
    def test_check_logging(self):
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        item = CloudAuxChangeItem(
            index='elb',
            account='TEST_ACCOUNT',
            name='MyELB',
            arn=
            "arn:aws:elasticloadbalancing:us-east-1:012345678910:loadbalancer/MyELB",
            config=INTERNET_ELB)

        auditor.check_logging(item)
        self.assertEqual(len(item.audit_issues), 0)

        elb = dict(INTERNET_ELB)
        elb['Attributes']['AccessLog']['Enabled'] = False
        item = CloudAuxChangeItem(
            index='elb',
            account='TEST_ACCOUNT',
            name='MyELB',
            arn=
            "arn:aws:elasticloadbalancing:us-east-1:012345678910:loadbalancer/MyELB",
            config=INTERNET_ELB)

        auditor.check_logging(item)
        self.assertEqual(len(item.audit_issues), 1)
        self.assertEqual(item.audit_issues[0].issue,
                         'ELB is not configured for logging.')

        del elb['Attributes']['AccessLog']
        item = CloudAuxChangeItem(
            index='elb',
            account='TEST_ACCOUNT',
            name='MyELB',
            arn=
            "arn:aws:elasticloadbalancing:us-east-1:012345678910:loadbalancer/MyELB",
            config=INTERNET_ELB)

        auditor.check_logging(item)
        self.assertEqual(len(item.audit_issues), 1)
        self.assertEqual(item.audit_issues[0].issue,
                         'ELB is not configured for logging.')
    def test_check_logging(self):
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        item = CloudAuxChangeItem(index='elb',
                                  account='TEST_ACCOUNT',
                                  name='MyELB',
                                  arn=ARN_PREFIX + ":elasticloadbalancing:" +
                                  AWS_DEFAULT_REGION +
                                  ":012345678910:loadbalancer/MyELB",
                                  config=INTERNET_ELB)

        auditor.check_logging(item)
        self.assertEqual(len(item.audit_issues), 0)

        elb = dict(INTERNET_ELB)
        elb['Attributes']['AccessLog']['Enabled'] = False
        item = CloudAuxChangeItem(index='elb',
                                  account='TEST_ACCOUNT',
                                  name='MyELB',
                                  arn=ARN_PREFIX + ":elasticloadbalancing:" +
                                  AWS_DEFAULT_REGION +
                                  ":012345678910:loadbalancer/MyELB",
                                  config=INTERNET_ELB)

        auditor.check_logging(item)
        self.assertEqual(len(item.audit_issues), 1)
        self.assertEqual(item.audit_issues[0].issue, 'Recommendation')
        self.assertEqual(item.audit_issues[0].notes, 'Enable access logs')

        del elb['Attributes']['AccessLog']
        item = CloudAuxChangeItem(index='elb',
                                  account='TEST_ACCOUNT',
                                  name='MyELB',
                                  arn=ARN_PREFIX + ":elasticloadbalancing:" +
                                  AWS_DEFAULT_REGION +
                                  ":012345678910:loadbalancer/MyELB",
                                  config=INTERNET_ELB)

        auditor.check_logging(item)
        self.assertEqual(len(item.audit_issues), 1)
        self.assertEqual(item.audit_issues[0].issue, 'Recommendation')
        self.assertEqual(item.audit_issues[0].notes, 'Enable access logs')
    def test_process_reference_policy(self):
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        item = CloudAuxChangeItem(index='elb',
                                  account='TEST_ACCOUNT',
                                  name='MyELB',
                                  arn=ARN_PREFIX + ":elasticloadbalancing:" +
                                  AWS_DEFAULT_REGION +
                                  ":012345678910:loadbalancer/MyELB",
                                  config=INTERNET_ELB)

        auditor._process_reference_policy(None, 'MyCustomPolicy', '[443]',
                                          item)
        self.assertEqual(len(item.audit_issues), 1)
        self.assertEqual(item.audit_issues[0].issue, 'Insecure TLS')
        self.assertEqual(
            item.audit_issues[0].notes,
            'Policy: [MyCustomPolicy] Port: [443] Reason: [Custom listener policies discouraged]'
        )

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-2011-08',
                                          'MyCustomPolicy', '[443]', item)
        self.assertEqual(len(item.audit_issues), 5)
        issues = {issue.issue for issue in item.audit_issues}
        notes = {issue.notes for issue in item.audit_issues}
        self.assertEqual(issues, set(['Insecure TLS']))
        self.assertIn(
            'Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Vulnerable and deprecated]',
            notes)
        self.assertIn(
            'Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Vulnerable to poodlebleed]',
            notes)
        self.assertIn(
            'Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Lacks server order cipher preference]',
            notes)
        self.assertIn(
            'Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Contains RC4 ciphers (RC4-SHA)]',
            notes)
        self.assertIn(
            'Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Weak cipher (DES-CBC3-SHA) for Windows XP support] CVE: [SWEET32 CVE-2016-2183]',
            notes)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-2014-01',
                                          'MyCustomPolicy', '[443]', item)
        self.assertEqual(len(item.audit_issues), 3)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-2014-10',
                                          'MyCustomPolicy', '[443]', item)
        self.assertEqual(len(item.audit_issues), 2)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-2015-02',
                                          'MyCustomPolicy', '[443]', item)
        self.assertEqual(len(item.audit_issues), 2)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-2015-03',
                                          'MyCustomPolicy', '[443]', item)
        self.assertEqual(len(item.audit_issues), 2)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-2015-05',
                                          'MyCustomPolicy', '[443]', item)
        self.assertEqual(len(item.audit_issues), 1)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-2016-08',
                                          'MyCustomPolicy', '[443]', item)
        self.assertEqual(len(item.audit_issues), 0)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-TLS-1-1-2017-01',
                                          'MyCustomPolicy', '[443]', item)
        self.assertEqual(len(item.audit_issues), 0)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-TLS-1-2-2017-01',
                                          'MyCustomPolicy', '[443]', item)
        self.assertEqual(len(item.audit_issues), 0)

        item.audit_issues = list()
        auditor._process_reference_policy('OTHER_REFERENCE_POLICY',
                                          'MyCustomPolicy', '[443]', item)
        self.assertEqual(len(item.audit_issues), 1)
        self.assertEqual(item.audit_issues[0].issue, 'Insecure TLS')
        self.assertEqual(
            item.audit_issues[0].notes,
            'Policy: [OTHER_REFERENCE_POLICY] Port: [443] Reason: [Unknown reference policy]'
        )
示例#16
0
    def test_process_custom_listener_policy(self):
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        item = CloudAuxChangeItem(index='elb', account='TEST_ACCOUNT', name='MyELB', 
            arn=ARN_PREFIX + ":elasticloadbalancing:" + AWS_DEFAULT_REGION + ":012345678910:loadbalancer/MyELB", config=INTERNET_ELB)

        # We'll just modify it and pretend it's a custom policy
        policy = dict(INTERNET_ELB['PolicyDescriptions']['ELBSecurityPolicy-2016-08'])

        auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08', policy, '[443]', item)
        self.assertEqual(len(item.audit_issues), 1)

        item.audit_issues = list()
        policy['protocols']['sslv2'] = True
        auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08', policy, '[443]', item)
        self.assertEqual(len(item.audit_issues), 2)

        item.audit_issues = list()
        policy['server_defined_cipher_order'] = False
        auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08', policy, '[443]', item)
        self.assertEqual(len(item.audit_issues), 3)

        # simulate export grade
        item.audit_issues = list()
        policy['supported_ciphers'].append('EXP-RC4-MD5')
        auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08', policy, '[443]', item)
        self.assertEqual(len(item.audit_issues), 4)

        # simulate deprecated cipher 
        item.audit_issues = list()
        policy['supported_ciphers'].append('RC2-CBC-MD5')
        auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08', policy, '[443]', item)
        self.assertEqual(len(item.audit_issues), 5)

        # simulate not-recommended cipher
        item.audit_issues = list()
        policy['supported_ciphers'].append('CAMELLIA128-SHA')
        auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08', policy, '[443]', item)
        self.assertEqual(len(item.audit_issues), 6)
示例#17
0
    def test_process_reference_policy(self):
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        item = CloudAuxChangeItem(index='elb', account='TEST_ACCOUNT', name='MyELB', 
            arn=ARN_PREFIX + ":elasticloadbalancing:" + AWS_DEFAULT_REGION + ":012345678910:loadbalancer/MyELB", config=INTERNET_ELB)

        auditor._process_reference_policy(None, 'MyCustomPolicy', '[443]', item)
        self.assertEqual(len(item.audit_issues), 1)
        self.assertEqual(item.audit_issues[0].issue, 'Insecure TLS')
        self.assertEqual(item.audit_issues[0].notes, 'Policy: [MyCustomPolicy] Port: [443] Reason: [Custom listener policies discouraged]')

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-2011-08', 'MyCustomPolicy', '[443]', item)
        self.assertEqual(len(item.audit_issues), 5)
        issues = {issue.issue for issue in item.audit_issues}
        notes = {issue.notes for issue in item.audit_issues}
        self.assertEqual(issues, set(['Insecure TLS']))
        self.assertIn('Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Vulnerable and deprecated]', notes)
        self.assertIn('Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Vulnerable to poodlebleed]', notes)
        self.assertIn('Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Lacks server order cipher preference]', notes)
        self.assertIn('Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Contains RC4 ciphers (RC4-SHA)]', notes)
        self.assertIn('Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Weak cipher (DES-CBC3-SHA) for Windows XP support] CVE: [SWEET32 CVE-2016-2183]', notes)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-2014-01', 'MyCustomPolicy', '[443]', item)
        self.assertEqual(len(item.audit_issues), 3)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-2014-10', 'MyCustomPolicy', '[443]', item)
        self.assertEqual(len(item.audit_issues), 2)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-2015-02', 'MyCustomPolicy', '[443]', item)
        self.assertEqual(len(item.audit_issues), 2)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-2015-03', 'MyCustomPolicy', '[443]', item)
        self.assertEqual(len(item.audit_issues), 2)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-2015-05', 'MyCustomPolicy', '[443]', item)
        self.assertEqual(len(item.audit_issues), 1)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-2016-08', 'MyCustomPolicy', '[443]', item)
        self.assertEqual(len(item.audit_issues), 0)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-TLS-1-1-2017-01', 'MyCustomPolicy', '[443]', item)
        self.assertEqual(len(item.audit_issues), 0)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-TLS-1-2-2017-01', 'MyCustomPolicy', '[443]', item)
        self.assertEqual(len(item.audit_issues), 0)

        item.audit_issues = list()
        auditor._process_reference_policy('OTHER_REFERENCE_POLICY', 'MyCustomPolicy', '[443]', item)
        self.assertEqual(len(item.audit_issues), 1)
        self.assertEqual(item.audit_issues[0].issue, 'Insecure TLS')
        self.assertEqual(item.audit_issues[0].notes, 'Policy: [OTHER_REFERENCE_POLICY] Port: [443] Reason: [Unknown reference policy]')
示例#18
0
    def test_process_reference_policy(self):
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        item = CloudAuxChangeItem(
            index='elb',
            account='TEST_ACCOUNT',
            name='MyELB',
            arn=
            "arn:aws:elasticloadbalancing:us-east-1:012345678910:loadbalancer/MyELB",
            config=INTERNET_ELB)

        auditor._process_reference_policy(None, 'MyCustomPolicy', '443', item)
        self.assertEqual(len(item.audit_issues), 1)
        self.assertEqual(item.audit_issues[0].issue,
                         'Custom listener policies are discouraged.')

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-2011-08',
                                          'MyCustomPolicy', '443', item)
        self.assertEqual(len(item.audit_issues), 5)
        issues = [issue.issue for issue in item.audit_issues]
        self.assertIn("ELBSecurityPolicy-2011-08 is vulnerable and deprecated",
                      issues)
        self.assertIn("ELBSecurityPolicy-2011-08 is vulnerable to poodlebleed",
                      issues)
        self.assertIn(
            "ELBSecurityPolicy-2011-08 lacks server order cipher preference.",
            issues)
        self.assertIn(
            "ELBSecurityPolicy-2011-08 contains RC4 ciphers (RC4-SHA) that have been removed in newer policies.",
            issues)
        self.assertIn(
            "ELBSecurityPolicy-2011-08 contains a weaker cipher (DES-CBC3-SHA) "
            "for backwards compatibility with Windows XP systems. Vulnerable to SWEET32 CVE-2016-2183.",
            issues)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-2014-01',
                                          'MyCustomPolicy', '443', item)
        self.assertEqual(len(item.audit_issues), 3)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-2014-10',
                                          'MyCustomPolicy', '443', item)
        self.assertEqual(len(item.audit_issues), 2)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-2015-02',
                                          'MyCustomPolicy', '443', item)
        self.assertEqual(len(item.audit_issues), 2)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-2015-03',
                                          'MyCustomPolicy', '443', item)
        self.assertEqual(len(item.audit_issues), 2)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-2015-05',
                                          'MyCustomPolicy', '443', item)
        self.assertEqual(len(item.audit_issues), 1)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-2016-08',
                                          'MyCustomPolicy', '443', item)
        self.assertEqual(len(item.audit_issues), 0)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-TLS-1-1-2017-01',
                                          'MyCustomPolicy', '443', item)
        self.assertEqual(len(item.audit_issues), 0)

        item.audit_issues = list()
        auditor._process_reference_policy('ELBSecurityPolicy-TLS-1-2-2017-01',
                                          'MyCustomPolicy', '443', item)
        self.assertEqual(len(item.audit_issues), 0)

        item.audit_issues = list()
        auditor._process_reference_policy('OTHER_REFERENCE_POLICY',
                                          'MyCustomPolicy', '443', item)
        self.assertEqual(len(item.audit_issues), 1)
        self.assertEqual(item.audit_issues[0].issue,
                         'Unknown reference policy.')
示例#19
0
    def test_process_custom_listener_policy(self):
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        item = CloudAuxChangeItem(
            index='elb',
            account='TEST_ACCOUNT',
            name='MyELB',
            arn=
            "arn:aws:elasticloadbalancing:us-east-1:012345678910:loadbalancer/MyELB",
            config=INTERNET_ELB)

        # We'll just modify it and pretend it's a custom policy
        policy = dict(
            INTERNET_ELB['PolicyDescriptions']['ELBSecurityPolicy-2016-08'])

        auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08',
                                                policy, '443', item)
        self.assertEqual(len(item.audit_issues), 1)

        item.audit_issues = list()
        policy['protocols']['sslv2'] = True
        auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08',
                                                policy, '443', item)
        self.assertEqual(len(item.audit_issues), 2)

        item.audit_issues = list()
        policy['server_defined_cipher_order'] = False
        auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08',
                                                policy, '443', item)
        self.assertEqual(len(item.audit_issues), 3)

        # simulate export grade
        item.audit_issues = list()
        policy['supported_ciphers'].append('EXP-RC4-MD5')
        auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08',
                                                policy, '443', item)
        self.assertEqual(len(item.audit_issues), 4)

        # simulate deprecated cipher
        item.audit_issues = list()
        policy['supported_ciphers'].append('RC2-CBC-MD5')
        auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08',
                                                policy, '443', item)
        self.assertEqual(len(item.audit_issues), 5)

        # simulate not-recommended cipher
        item.audit_issues = list()
        policy['supported_ciphers'].append('CAMELLIA128-SHA')
        auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08',
                                                policy, '443', item)
        self.assertEqual(len(item.audit_issues), 6)
    def test_check_internet_scheme_internet(self):
        # internet-facing
        # 0.0.0.0/0
        from security_monkey.auditors.elb import ELBAuditor
        auditor = ELBAuditor(accounts=["012345678910"])

        from security_monkey.cloudaux_watcher import CloudAuxChangeItem
        item = CloudAuxChangeItem(index='elb',
                                  account='TEST_ACCOUNT',
                                  name='MyELB',
                                  arn=ARN_PREFIX + ":elasticloadbalancing:" +
                                  AWS_DEFAULT_REGION +
                                  ":012345678910:loadbalancer/MyELB",
                                  config=INTERNET_ELB)

        def mock_get_auditor_support_items(*args, **kwargs):
            class MockIngressIssue:
                issue = 'Internet Accessible'
                notes = 'Entity: [cidr:0.0.0.0/0] Access: [ingress:tcp:80]'
                score = 10

            class MockIngressAllProtocolsIssue(MockIngressIssue):
                notes = 'Entity: [cidr:0.0.0.0/0] Access: [ingress:all_protocols:all_ports]'

            class MockIngressPortRangeIssue(MockIngressIssue):
                notes = 'Entity: [cidr:0.0.0.0/0] Access: [ingress:tcp:77-1023]'

            class MockEgressIssue(MockIngressIssue):
                notes = 'Entity: [cidr:0.0.0.0/0] Access: [egress:tcp:80]'

            class MockPortNotListenerPortIssue(MockIngressIssue):
                notes = 'Entity: [cidr:0.0.0.0/0] Access: [ingress:tcp:66555]'

            class MockNonConformingIssue(MockIngressIssue):
                notes = 'Some random rule.'

            class DBItem:
                issues = list()

            from security_monkey.watchers.security_group import SecurityGroupItem
            sg_item = SecurityGroupItem(region=AWS_DEFAULT_REGION,
                                        account='TEST_ACCOUNT',
                                        name='INTERNETSG',
                                        config=INTERNET_SG)
            sg_item.db_item = DBItem()
            sg_item.db_item.issues = [
                MockIngressIssue(),
                MockIngressAllProtocolsIssue(),
                MockEgressIssue(),
                MockNonConformingIssue(),
                MockPortNotListenerPortIssue(),
                MockIngressPortRangeIssue()
            ]
            return [sg_item]

        def mock_link_to_support_item_issues(item, sg, sub_issue_message,
                                             score):
            auditor.add_issue(
                score,
                sub_issue_message,
                item,
                notes='Related to: INTERNETSG (sg-12345678 in vpc-49999999)')

        auditor.get_auditor_support_items = mock_get_auditor_support_items
        auditor.link_to_support_item_issues = mock_link_to_support_item_issues

        auditor.check_internet_scheme(item)

        self.assertEqual(len(item.audit_issues), 1)
        issue = item.audit_issues[0]
        self.assertEqual(issue.issue, 'Internet Accessible')
        self.assertEqual(
            issue.notes,
            'Related to: INTERNETSG (sg-12345678 in vpc-49999999)')