def test_check_internet_scheme_internet(self):
# internet-facing
# 0.0.0.0/0
from security_monkey.auditors.elb import ELBAuditor
auditor = ELBAuditor(accounts=["012345678910"])
from security_monkey.cloudaux_watcher import CloudAuxChangeItem
item = CloudAuxChangeItem(
index='elb',
account='TEST_ACCOUNT',
name='MyELB',
arn=
"arn:aws:elasticloadbalancing:us-east-1:012345678910:loadbalancer/MyELB",
config=INTERNET_ELB)
def mock_get_watcher_support_items(*args, **kwargs):
from security_monkey.watchers.security_group import SecurityGroupItem
sg_item = SecurityGroupItem(region='us-east-1',
account='TEST_ACCOUNT',
name='INTERNETSG',
config=INTERNET_SG)
return [sg_item]
auditor.get_watcher_support_items = mock_get_watcher_support_items
auditor.check_internet_scheme(item)
self.assertEqual(len(item.audit_issues), 1)
issue = item.audit_issues[0]
self.assertEqual(issue.issue, 'VPC ELB is Internet accessible.')
self.assertEqual(issue.notes, 'SG [INTERNETSG] via [0.0.0.0/0]')
def test_check_internet_scheme_internal_2(self):
# internal
# 0.0.0.0/0
from security_monkey.auditors.elb import ELBAuditor
auditor = ELBAuditor(accounts=["012345678910"])
INTERNAL_ELB = dict(INTERNET_ELB)
INTERNAL_ELB['Scheme'] = 'internal'
from security_monkey.cloudaux_watcher import CloudAuxChangeItem
item = CloudAuxChangeItem(
index='elb',
account='TEST_ACCOUNT',
name='MyELB',
arn=
"arn:aws:elasticloadbalancing:us-east-1:012345678910:loadbalancer/MyELB",
config=INTERNAL_ELB)
def mock_get_watcher_support_items(*args, **kwargs):
from security_monkey.watchers.security_group import SecurityGroupItem
sg_item = SecurityGroupItem(region='us-east-1',
account='TEST_ACCOUNT',
name='INTERNETSG',
config=INTERNET_SG)
return [sg_item]
auditor.get_watcher_support_items = mock_get_watcher_support_items
auditor.check_internet_scheme(item)
self.assertEqual(len(item.audit_issues), 0)
def test_check_internet_scheme_internet_2(self):
# internet-facing
# 10.0.0.0/8
from security_monkey.auditors.elb import ELBAuditor
auditor = ELBAuditor(accounts=["012345678910"])
from security_monkey.cloudaux_watcher import CloudAuxChangeItem
item = CloudAuxChangeItem(index='elb',
account='TEST_ACCOUNT',
name='MyELB',
arn=ARN_PREFIX + "elasticloadbalancing:" +
AWS_DEFAULT_REGION +
":012345678910:loadbalancer/MyELB",
config=INTERNET_ELB)
def mock_get_watcher_support_items(*args, **kwargs):
from security_monkey.watchers.security_group import SecurityGroupItem
sg_item = SecurityGroupItem(region=AWS_DEFAULT_REGION,
account='TEST_ACCOUNT',
name='INTERNETSG',
config=INTERNAL_SG)
return [sg_item]
auditor.get_watcher_support_items = mock_get_watcher_support_items
auditor.check_internet_scheme(item)
self.assertEqual(len(item.audit_issues), 0)
def slurp_items(**kwargs):
item_list = list()
kwargs, exception_map = self._add_exception_fields_to_kwargs(
**kwargs)
item_counter = self.batch_counter * self.batched_size
while self.batched_size - len(
item_list) > 0 and not self.done_slurping:
cursor = self.total_list[item_counter]
item_name = self.get_name_from_list_output(cursor)
if item_name and self.check_ignore_list(item_name):
item_counter += 1
if item_counter == len(self.total_list):
self.done_slurping = True
continue
item_details = invoke_get_method(cursor,
name=item_name,
**kwargs)
if item_details:
item = CloudAuxChangeItem.from_item(
name=item_name,
item=item_details,
override_region=self.override_region,
**kwargs)
item_list.append(item)
item_counter += 1
if item_counter == len(self.total_list):
self.done_slurping = True
self.batch_counter += 1
return item_list, exception_map
def test_check_ssl_policy_no_policy(self):
from security_monkey.auditors.elbv2 import ELBv2Auditor
auditor = ELBv2Auditor(accounts=['012345678910'])
alb = {
'Listeners': [{
'Port': 80,
'SslPolicy': None
}]}
from security_monkey.cloudaux_watcher import CloudAuxChangeItem
item = CloudAuxChangeItem(
index='alb',
account='TEST_ACCOUNT',
name='MyALB',
arn=ARN_PREFIX + ":elasticloadbalancing:" + AWS_DEFAULT_REGION + ":012345678910:loadbalancer/app/MyALB/7f734113942",
config=alb)
auditor.check_ssl_policy(item)
self.assertEqual(len(item.audit_issues), 0)
item.new_config = {
'Listeners': [{
'Port': 443,
'SslPolicy': 'ELBSecurityPolicy-TLS-1-0-2015-04'
}]}
auditor.check_ssl_policy(item)
self.assertEqual(len(item.audit_issues), 1)
issue = item.audit_issues[0]
self.assertEqual(issue.issue, 'Insecure TLS')
self.assertEqual(issue.notes, 'Policy: [ELBSecurityPolicy-TLS-1-0-2015-04] Port: [443] Reason: [Weak cipher (DES-CBC3-SHA) for Windows XP support] CVE: [SWEET32 CVE-2016-2183]')
item.audit_issues = []
item.new_config = {
'Listeners': [{
'Port': 443,
'SslPolicy': 'ELBSecurityPolicy-DoesntExist'
}]}
auditor.check_ssl_policy(item)
self.assertEqual(len(item.audit_issues), 1)
issue = item.audit_issues[0]
self.assertEqual(issue.issue, 'Insecure TLS')
self.assertEqual(issue.notes, 'Policy: [ELBSecurityPolicy-DoesntExist] Port: [443] Reason: [Unknown reference policy]')
def test_check_logging(self):
from security_monkey.auditors.elb import ELBAuditor
auditor = ELBAuditor(accounts=["012345678910"])
from security_monkey.cloudaux_watcher import CloudAuxChangeItem
item = CloudAuxChangeItem(index='elb',
account='TEST_ACCOUNT',
name='MyELB',
arn=ARN_PREFIX + ":elasticloadbalancing:" +
AWS_DEFAULT_REGION +
":012345678910:loadbalancer/MyELB",
config=INTERNET_ELB)
auditor.check_logging(item)
self.assertEqual(len(item.audit_issues), 0)
elb = dict(INTERNET_ELB)
elb['Attributes']['AccessLog']['Enabled'] = False
item = CloudAuxChangeItem(index='elb',
account='TEST_ACCOUNT',
name='MyELB',
arn=ARN_PREFIX + ":elasticloadbalancing:" +
AWS_DEFAULT_REGION +
":012345678910:loadbalancer/MyELB",
config=INTERNET_ELB)
auditor.check_logging(item)
self.assertEqual(len(item.audit_issues), 1)
self.assertEqual(item.audit_issues[0].issue, 'Recommendation')
self.assertEqual(item.audit_issues[0].notes, 'Enable access logs')
del elb['Attributes']['AccessLog']
item = CloudAuxChangeItem(index='elb',
account='TEST_ACCOUNT',
name='MyELB',
arn=ARN_PREFIX + ":elasticloadbalancing:" +
AWS_DEFAULT_REGION +
":012345678910:loadbalancer/MyELB",
config=INTERNET_ELB)
auditor.check_logging(item)
self.assertEqual(len(item.audit_issues), 1)
self.assertEqual(item.audit_issues[0].issue, 'Recommendation')
self.assertEqual(item.audit_issues[0].notes, 'Enable access logs')
def test_check_logging(self):
from security_monkey.auditors.elb import ELBAuditor
auditor = ELBAuditor(accounts=["012345678910"])
from security_monkey.cloudaux_watcher import CloudAuxChangeItem
item = CloudAuxChangeItem(
index='elb',
account='TEST_ACCOUNT',
name='MyELB',
arn=
"arn:aws:elasticloadbalancing:us-east-1:012345678910:loadbalancer/MyELB",
config=INTERNET_ELB)
auditor.check_logging(item)
self.assertEqual(len(item.audit_issues), 0)
elb = dict(INTERNET_ELB)
elb['Attributes']['AccessLog']['Enabled'] = False
item = CloudAuxChangeItem(
index='elb',
account='TEST_ACCOUNT',
name='MyELB',
arn=
"arn:aws:elasticloadbalancing:us-east-1:012345678910:loadbalancer/MyELB",
config=INTERNET_ELB)
auditor.check_logging(item)
self.assertEqual(len(item.audit_issues), 1)
self.assertEqual(item.audit_issues[0].issue,
'ELB is not configured for logging.')
del elb['Attributes']['AccessLog']
item = CloudAuxChangeItem(
index='elb',
account='TEST_ACCOUNT',
name='MyELB',
arn=
"arn:aws:elasticloadbalancing:us-east-1:012345678910:loadbalancer/MyELB",
config=INTERNET_ELB)
auditor.check_logging(item)
self.assertEqual(len(item.audit_issues), 1)
self.assertEqual(item.audit_issues[0].issue,
'ELB is not configured for logging.')
def slurp_items(**kwargs):
item_list = list()
kwargs, exception_map = self._add_exception_fields_to_kwargs(
**kwargs)
item_counter = self.batch_counter * self.batched_size
skip_counter = 0 # Need to track number of items skipped so that the batches don't overlap
while self.batched_size - (len(item_list) + skip_counter
) > 0 and not self.done_slurping:
cursor = self.total_list[item_counter]
item_name = self.get_name_from_list_output(cursor)
if item_name and self.check_ignore_list(item_name):
item_counter += 1
skip_counter += 1
if item_counter == len(self.total_list):
self.done_slurping = True
continue
kwargs["conn_dict"]["region"] = cursor[
"Region"] # Inject the region in.
app.logger.debug(
"Account: {account}, Batched Watcher: {watcher}, Fetching item: "
"{item}/{region}".format(
account=kwargs["account_name"],
watcher=self.index,
item=item_name,
region=kwargs["conn_dict"]["region"]))
item_details = invoke_get_method(cursor,
name=item_name,
**kwargs)
if item_details:
# Determine which region to record the item into.
# Some tech, like IAM, is global and so we record it as 'universal' by setting an override_region
# Some tech, like S3, requires an initial connection to us-east-1, though a buckets actual
# region may be different. Extract the actual region from item_details.
# Otherwise, just use the region where the boto connection was made.
record_region = self.override_region or \
item_details.get('Region') or kwargs['conn_dict']['region']
item = CloudAuxChangeItem.from_item(
name=item_name,
item=item_details,
record_region=record_region,
source_watcher=self,
**kwargs)
item_list.append(item)
else:
# Item not fetched (possibly deleted after grabbing the list) -- have to account in batch
skip_counter += 1
item_counter += 1
if item_counter == len(self.total_list):
self.done_slurping = True
self.batch_counter += 1
return item_list, exception_map
def test_process_custom_listener_policy(self):
from security_monkey.auditors.elb import ELBAuditor
auditor = ELBAuditor(accounts=["012345678910"])
from security_monkey.cloudaux_watcher import CloudAuxChangeItem
item = CloudAuxChangeItem(
index='elb',
account='TEST_ACCOUNT',
name='MyELB',
arn=
"arn:aws:elasticloadbalancing:us-east-1:012345678910:loadbalancer/MyELB",
config=INTERNET_ELB)
# We'll just modify it and pretend it's a custom policy
policy = dict(
INTERNET_ELB['PolicyDescriptions']['ELBSecurityPolicy-2016-08'])
auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08',
policy, '443', item)
self.assertEqual(len(item.audit_issues), 1)
item.audit_issues = list()
policy['protocols']['sslv2'] = True
auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08',
policy, '443', item)
self.assertEqual(len(item.audit_issues), 2)
item.audit_issues = list()
policy['server_defined_cipher_order'] = False
auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08',
policy, '443', item)
self.assertEqual(len(item.audit_issues), 3)
# simulate export grade
item.audit_issues = list()
policy['supported_ciphers'].append('EXP-RC4-MD5')
auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08',
policy, '443', item)
self.assertEqual(len(item.audit_issues), 4)
# simulate deprecated cipher
item.audit_issues = list()
policy['supported_ciphers'].append('RC2-CBC-MD5')
auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08',
policy, '443', item)
self.assertEqual(len(item.audit_issues), 5)
# simulate not-recommended cipher
item.audit_issues = list()
policy['supported_ciphers'].append('CAMELLIA128-SHA')
auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08',
policy, '443', item)
self.assertEqual(len(item.audit_issues), 6)
def slurp_items(**kwargs):
item_list = list()
kwargs, exception_map = self._add_exception_fields_to_kwargs(**kwargs)
item_counter = self.batch_counter * self.batched_size
skip_counter = 0 # Need to track number of items skipped so that the batches don't overlap
while self.batched_size - (len(item_list) + skip_counter) > 0 and not self.done_slurping:
cursor = self.total_list[item_counter]
item_name = self.get_name_from_list_output(cursor)
if item_name and self.check_ignore_list(item_name):
item_counter += 1
skip_counter += 1
if item_counter == len(self.total_list):
self.done_slurping = True
continue
kwargs["conn_dict"]["region"] = cursor["Region"] # Inject the region in.
app.logger.debug("Account: {account}, Batched Watcher: {watcher}, Fetching item: "
"{item}/{region}".format(account=kwargs["account_name"],
watcher=self.index,
item=item_name,
region=kwargs["conn_dict"]["region"]))
item_details = invoke_get_method(cursor, name=item_name, **kwargs)
if item_details:
# Determine which region to record the item into.
# Some tech, like IAM, is global and so we record it as 'universal' by setting an override_region
# Some tech, like S3, requires an initial connection to us-east-1, though a buckets actual
# region may be different. Extract the actual region from item_details.
# Otherwise, just use the region where the boto connection was made.
record_region = self.override_region or \
item_details.get('Region') or kwargs['conn_dict']['region']
item = CloudAuxChangeItem.from_item(
name=item_name,
item=item_details,
record_region=record_region,
source_watcher=self,
**kwargs)
item_list.append(item)
else:
# Item not fetched (possibly deleted after grabbing the list) -- have to account in batch
skip_counter += 1
item_counter += 1
if item_counter == len(self.total_list):
self.done_slurping = True
self.batch_counter += 1
return item_list, exception_map
def test_check_listener_reference_policy(self):
from security_monkey.auditors.elb import ELBAuditor
auditor = ELBAuditor(accounts=["012345678910"])
from security_monkey.cloudaux_watcher import CloudAuxChangeItem
item = CloudAuxChangeItem(
index='elb',
account='TEST_ACCOUNT',
name='MyELB',
arn=
"arn:aws:elasticloadbalancing:us-east-1:012345678910:loadbalancer/MyELB",
config=INTERNET_ELB)
auditor.check_listener_reference_policy(item)
self.assertEqual(len(item.audit_issues), 0)
def test_audit_specific_changes(self):
from security_monkey.task_scheduler.tasks import _audit_specific_changes
from security_monkey.monitors import Monitor
from security_monkey.watchers.iam.iam_role import IAMRole
from security_monkey.cloudaux_watcher import CloudAuxChangeItem
from security_monkey.auditors.iam.iam_role import IAMRoleAuditor
# Set up the monitor:
test_account = Account.query.filter(
Account.name == "TEST_ACCOUNT1").one()
batched_monitor = Monitor(IAMRole, test_account)
batched_monitor.auditors = [
IAMRoleAuditor(accounts=[test_account.name])
]
technology = Technology(name="iamrole")
db.session.add(technology)
db.session.commit()
watcher = Watcher(accounts=[test_account.name])
watcher.current_account = (test_account, 0)
watcher.technology = technology
# Create some IAM roles for testing:
items = []
for x in range(0, 3):
role_policy = dict(ROLE_CONF)
role_policy[
"Arn"] = ARN_PREFIX + ":iam::012345678910:role/roleNumber{}".format(
x)
role_policy["RoleName"] = "roleNumber{}".format(x)
role = CloudAuxChangeItem.from_item(name=role_policy['RoleName'],
item=role_policy,
record_region='universal',
account_name=test_account.name,
index='iamrole',
source_watcher=watcher)
items.append(role)
audit_items = watcher.find_changes_batch(items, {})
assert len(audit_items) == 3
# Perform the audit:
_audit_specific_changes(batched_monitor, audit_items, False)
# Check all the issues are there:
assert len(ItemAudit.query.all()) == 3
def test_check_logging(self):
from security_monkey.auditors.elbv2 import ELBv2Auditor
auditor = ELBv2Auditor(accounts=['012345678910'])
alb = {
'Attributes': [{
'Key': 'access_logs.s3.enabled',
'Value': 'false'
}]}
from security_monkey.cloudaux_watcher import CloudAuxChangeItem
item = CloudAuxChangeItem(
index='alb',
account='TEST_ACCOUNT',
name='MyALB',
arn=ARN_PREFIX + ":elasticloadbalancing:" + AWS_DEFAULT_REGION + ":012345678910:loadbalancer/app/MyALB/7f734113942",
config=alb)
auditor.check_logging(item)
self.assertEqual(len(item.audit_issues), 1)
issue = item.audit_issues[0]
self.assertEqual(issue.issue, 'Recommendation')
self.assertEqual(issue.notes, 'Enable access logs')
def test_check_classic_internet_scheme_internet(self):
# EC2 Classic ELB, internet facing
from security_monkey.auditors.elb import ELBAuditor
auditor = ELBAuditor(accounts=["012345678910"])
from security_monkey.cloudaux_watcher import CloudAuxChangeItem
classic_elb = dict(INTERNET_ELB)
classic_elb['VPCId'] = None
item = CloudAuxChangeItem(index='elb',
account='TEST_ACCOUNT',
name='MyELB',
arn=ARN_PREFIX + ":elasticloadbalancing:" +
AWS_DEFAULT_REGION +
":012345678910:loadbalancer/MyELB",
config=classic_elb)
auditor.check_internet_scheme(item)
self.assertEqual(len(item.audit_issues), 1)
issue = item.audit_issues[0]
self.assertEqual(issue.issue, 'Internet Accessible')
self.assertEqual(issue.notes,
'EC2 Classic ELB has internet-facing scheme.')
def test_process_custom_listener_policy(self):
from security_monkey.auditors.elb import ELBAuditor
auditor = ELBAuditor(accounts=["012345678910"])
from security_monkey.cloudaux_watcher import CloudAuxChangeItem
item = CloudAuxChangeItem(index='elb', account='TEST_ACCOUNT', name='MyELB',
arn=ARN_PREFIX + ":elasticloadbalancing:" + AWS_DEFAULT_REGION + ":012345678910:loadbalancer/MyELB", config=INTERNET_ELB)
# We'll just modify it and pretend it's a custom policy
policy = dict(INTERNET_ELB['PolicyDescriptions']['ELBSecurityPolicy-2016-08'])
auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08', policy, '[443]', item)
self.assertEqual(len(item.audit_issues), 1)
item.audit_issues = list()
policy['protocols']['sslv2'] = True
auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08', policy, '[443]', item)
self.assertEqual(len(item.audit_issues), 2)
item.audit_issues = list()
policy['server_defined_cipher_order'] = False
auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08', policy, '[443]', item)
self.assertEqual(len(item.audit_issues), 3)
# simulate export grade
item.audit_issues = list()
policy['supported_ciphers'].append('EXP-RC4-MD5')
auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08', policy, '[443]', item)
self.assertEqual(len(item.audit_issues), 4)
# simulate deprecated cipher
item.audit_issues = list()
policy['supported_ciphers'].append('RC2-CBC-MD5')
auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08', policy, '[443]', item)
self.assertEqual(len(item.audit_issues), 5)
# simulate not-recommended cipher
item.audit_issues = list()
policy['supported_ciphers'].append('CAMELLIA128-SHA')
auditor._process_custom_listener_policy('ELBSecurityPolicy-2016-08', policy, '[443]', item)
self.assertEqual(len(item.audit_issues), 6)
def pre_test_setup(self):
S3Auditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear()
self.s3_items = [
# Same Account
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket1",
config=CONFIG_ONE),
# ACL with unknown cross account access
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket2",
config=CONFIG_TWO),
# ACL with friendly access
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT2",
name="bucket3",
config=CONFIG_THREE),
# ACL with friendly thirdparty access
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT3",
name="bucket4",
config=CONFIG_FOUR),
# Bucket without a policy
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket5",
config=CONFIG_FOUR),
# Bucket with AllUsers
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket5",
config=CONFIG_FIVE),
# Bucket with AuthenticatedUsers
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket6",
config=CONFIG_SIX),
# Bucket with LogDelivery
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket7",
config=CONFIG_SEVEN),
# Bucket with deprecated friendly short s3 name
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket8",
config=CONFIG_EIGHT),
# Bucket with deprecated thirdparty short s3 name
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket9",
config=CONFIG_NINE)
]
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
# SAME Account
account = Account(identifier="012345678910",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT",
third_party=False,
active=True)
account.custom_fields.append(
AccountTypeCustomValues(
name="canonical_id",
value="23984723987489237489237489237489uwedfjhdsjklfhksdfh2389"
))
account.custom_fields.append(
AccountTypeCustomValues(name="s3_name", value="test_accnt1"))
# Friendly Account
account2 = Account(identifier="012345678911",
name="TEST_ACCOUNT2",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT2",
third_party=False,
active=True)
account2.custom_fields.append(
AccountTypeCustomValues(
name="canonical_id",
value=
"lksdjfilou32890u47238974189237euhuu128937192837189uyh1hr3"))
account2.custom_fields.append(
AccountTypeCustomValues(name="s3_name", value="test_accnt2"))
# Thirdparty Account
account3 = Account(identifier="012345678912",
name="TEST_ACCOUNT3",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT3",
third_party=True,
active=True)
account3.custom_fields.append(
AccountTypeCustomValues(
name="canonical_id",
value="dsfhgiouhy23984723789y4riuwhfkajshf91283742389u823723"))
account3.custom_fields.append(
AccountTypeCustomValues(name="s3_name", value="test_accnt3"))
db.session.add(account)
db.session.add(account2)
db.session.add(account3)
db.session.commit()
def test_process_reference_policy(self):
from security_monkey.auditors.elb import ELBAuditor
auditor = ELBAuditor(accounts=["012345678910"])
from security_monkey.cloudaux_watcher import CloudAuxChangeItem
item = CloudAuxChangeItem(index='elb',
account='TEST_ACCOUNT',
name='MyELB',
arn=ARN_PREFIX + ":elasticloadbalancing:" +
AWS_DEFAULT_REGION +
":012345678910:loadbalancer/MyELB",
config=INTERNET_ELB)
auditor._process_reference_policy(None, 'MyCustomPolicy', '[443]',
item)
self.assertEqual(len(item.audit_issues), 1)
self.assertEqual(item.audit_issues[0].issue, 'Insecure TLS')
self.assertEqual(
item.audit_issues[0].notes,
'Policy: [MyCustomPolicy] Port: [443] Reason: [Custom listener policies discouraged]'
)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-2011-08',
'MyCustomPolicy', '[443]', item)
self.assertEqual(len(item.audit_issues), 5)
issues = {issue.issue for issue in item.audit_issues}
notes = {issue.notes for issue in item.audit_issues}
self.assertEqual(issues, set(['Insecure TLS']))
self.assertIn(
'Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Vulnerable and deprecated]',
notes)
self.assertIn(
'Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Vulnerable to poodlebleed]',
notes)
self.assertIn(
'Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Lacks server order cipher preference]',
notes)
self.assertIn(
'Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Contains RC4 ciphers (RC4-SHA)]',
notes)
self.assertIn(
'Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Weak cipher (DES-CBC3-SHA) for Windows XP support] CVE: [SWEET32 CVE-2016-2183]',
notes)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-2014-01',
'MyCustomPolicy', '[443]', item)
self.assertEqual(len(item.audit_issues), 3)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-2014-10',
'MyCustomPolicy', '[443]', item)
self.assertEqual(len(item.audit_issues), 2)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-2015-02',
'MyCustomPolicy', '[443]', item)
self.assertEqual(len(item.audit_issues), 2)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-2015-03',
'MyCustomPolicy', '[443]', item)
self.assertEqual(len(item.audit_issues), 2)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-2015-05',
'MyCustomPolicy', '[443]', item)
self.assertEqual(len(item.audit_issues), 1)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-2016-08',
'MyCustomPolicy', '[443]', item)
self.assertEqual(len(item.audit_issues), 0)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-TLS-1-1-2017-01',
'MyCustomPolicy', '[443]', item)
self.assertEqual(len(item.audit_issues), 0)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-TLS-1-2-2017-01',
'MyCustomPolicy', '[443]', item)
self.assertEqual(len(item.audit_issues), 0)
item.audit_issues = list()
auditor._process_reference_policy('OTHER_REFERENCE_POLICY',
'MyCustomPolicy', '[443]', item)
self.assertEqual(len(item.audit_issues), 1)
self.assertEqual(item.audit_issues[0].issue, 'Insecure TLS')
self.assertEqual(
item.audit_issues[0].notes,
'Policy: [OTHER_REFERENCE_POLICY] Port: [443] Reason: [Unknown reference policy]'
)
def test_process_reference_policy(self):
from security_monkey.auditors.elb import ELBAuditor
auditor = ELBAuditor(accounts=["012345678910"])
from security_monkey.cloudaux_watcher import CloudAuxChangeItem
item = CloudAuxChangeItem(index='elb', account='TEST_ACCOUNT', name='MyELB',
arn=ARN_PREFIX + ":elasticloadbalancing:" + AWS_DEFAULT_REGION + ":012345678910:loadbalancer/MyELB", config=INTERNET_ELB)
auditor._process_reference_policy(None, 'MyCustomPolicy', '[443]', item)
self.assertEqual(len(item.audit_issues), 1)
self.assertEqual(item.audit_issues[0].issue, 'Insecure TLS')
self.assertEqual(item.audit_issues[0].notes, 'Policy: [MyCustomPolicy] Port: [443] Reason: [Custom listener policies discouraged]')
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-2011-08', 'MyCustomPolicy', '[443]', item)
self.assertEqual(len(item.audit_issues), 5)
issues = {issue.issue for issue in item.audit_issues}
notes = {issue.notes for issue in item.audit_issues}
self.assertEqual(issues, set(['Insecure TLS']))
self.assertIn('Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Vulnerable and deprecated]', notes)
self.assertIn('Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Vulnerable to poodlebleed]', notes)
self.assertIn('Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Lacks server order cipher preference]', notes)
self.assertIn('Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Contains RC4 ciphers (RC4-SHA)]', notes)
self.assertIn('Policy: [ELBSecurityPolicy-2011-08] Port: [443] Reason: [Weak cipher (DES-CBC3-SHA) for Windows XP support] CVE: [SWEET32 CVE-2016-2183]', notes)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-2014-01', 'MyCustomPolicy', '[443]', item)
self.assertEqual(len(item.audit_issues), 3)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-2014-10', 'MyCustomPolicy', '[443]', item)
self.assertEqual(len(item.audit_issues), 2)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-2015-02', 'MyCustomPolicy', '[443]', item)
self.assertEqual(len(item.audit_issues), 2)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-2015-03', 'MyCustomPolicy', '[443]', item)
self.assertEqual(len(item.audit_issues), 2)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-2015-05', 'MyCustomPolicy', '[443]', item)
self.assertEqual(len(item.audit_issues), 1)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-2016-08', 'MyCustomPolicy', '[443]', item)
self.assertEqual(len(item.audit_issues), 0)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-TLS-1-1-2017-01', 'MyCustomPolicy', '[443]', item)
self.assertEqual(len(item.audit_issues), 0)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-TLS-1-2-2017-01', 'MyCustomPolicy', '[443]', item)
self.assertEqual(len(item.audit_issues), 0)
item.audit_issues = list()
auditor._process_reference_policy('OTHER_REFERENCE_POLICY', 'MyCustomPolicy', '[443]', item)
self.assertEqual(len(item.audit_issues), 1)
self.assertEqual(item.audit_issues[0].issue, 'Insecure TLS')
self.assertEqual(item.audit_issues[0].notes, 'Policy: [OTHER_REFERENCE_POLICY] Port: [443] Reason: [Unknown reference policy]')
def pre_test_setup(self):
self.s3_items = [
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket1",
config=CONFIG_ONE),
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket2",
config=CONFIG_TWO),
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT2",
name="bucket3",
config=CONFIG_THREE),
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT3",
name="bucket4",
config=CONFIG_FOUR)
]
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
account = Account(identifier="012345678910",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT",
third_party=False,
active=True)
account.custom_fields.append(
AccountTypeCustomValues(
name="canonical_id",
value="23984723987489237489237489237489uwedfjhdsjklfhksdf"
"h2389"))
account.custom_fields.append(
AccountTypeCustomValues(name="s3_name", value="test_accnt1"))
account2 = Account(identifier="012345678911",
name="TEST_ACCOUNT2",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT2",
third_party=False,
active=True)
account2.custom_fields.append(
AccountTypeCustomValues(
name="canonical_id",
value="lksdjfilou32890u47238974189237euhuu128937192837189"
"uyh1hr3"))
account2.custom_fields.append(
AccountTypeCustomValues(name="s3_name", value="test_accnt2"))
account3 = Account(identifier="012345678912",
name="TEST_ACCOUNT3",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT3",
third_party=True,
active=True)
account3.custom_fields.append(
AccountTypeCustomValues(
name="canonical_id",
value="dsfhgiouhy23984723789y4riuwhfkajshf91283742389u"
"823723"))
account3.custom_fields.append(
AccountTypeCustomValues(name="s3_name", value="test_accnt3"))
db.session.add(account)
db.session.add(account2)
db.session.add(account3)
db.session.commit()
def test_process_reference_policy(self):
from security_monkey.auditors.elb import ELBAuditor
auditor = ELBAuditor(accounts=["012345678910"])
from security_monkey.cloudaux_watcher import CloudAuxChangeItem
item = CloudAuxChangeItem(
index='elb',
account='TEST_ACCOUNT',
name='MyELB',
arn=
"arn:aws:elasticloadbalancing:us-east-1:012345678910:loadbalancer/MyELB",
config=INTERNET_ELB)
auditor._process_reference_policy(None, 'MyCustomPolicy', '443', item)
self.assertEqual(len(item.audit_issues), 1)
self.assertEqual(item.audit_issues[0].issue,
'Custom listener policies are discouraged.')
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-2011-08',
'MyCustomPolicy', '443', item)
self.assertEqual(len(item.audit_issues), 5)
issues = [issue.issue for issue in item.audit_issues]
self.assertIn("ELBSecurityPolicy-2011-08 is vulnerable and deprecated",
issues)
self.assertIn("ELBSecurityPolicy-2011-08 is vulnerable to poodlebleed",
issues)
self.assertIn(
"ELBSecurityPolicy-2011-08 lacks server order cipher preference.",
issues)
self.assertIn(
"ELBSecurityPolicy-2011-08 contains RC4 ciphers (RC4-SHA) that have been removed in newer policies.",
issues)
self.assertIn(
"ELBSecurityPolicy-2011-08 contains a weaker cipher (DES-CBC3-SHA) "
"for backwards compatibility with Windows XP systems. Vulnerable to SWEET32 CVE-2016-2183.",
issues)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-2014-01',
'MyCustomPolicy', '443', item)
self.assertEqual(len(item.audit_issues), 3)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-2014-10',
'MyCustomPolicy', '443', item)
self.assertEqual(len(item.audit_issues), 2)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-2015-02',
'MyCustomPolicy', '443', item)
self.assertEqual(len(item.audit_issues), 2)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-2015-03',
'MyCustomPolicy', '443', item)
self.assertEqual(len(item.audit_issues), 2)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-2015-05',
'MyCustomPolicy', '443', item)
self.assertEqual(len(item.audit_issues), 1)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-2016-08',
'MyCustomPolicy', '443', item)
self.assertEqual(len(item.audit_issues), 0)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-TLS-1-1-2017-01',
'MyCustomPolicy', '443', item)
self.assertEqual(len(item.audit_issues), 0)
item.audit_issues = list()
auditor._process_reference_policy('ELBSecurityPolicy-TLS-1-2-2017-01',
'MyCustomPolicy', '443', item)
self.assertEqual(len(item.audit_issues), 0)
item.audit_issues = list()
auditor._process_reference_policy('OTHER_REFERENCE_POLICY',
'MyCustomPolicy', '443', item)
self.assertEqual(len(item.audit_issues), 1)
self.assertEqual(item.audit_issues[0].issue,
'Unknown reference policy.')
def test_check_internet_facing(self):
# internet-facing
# 0.0.0.0/0
from security_monkey.auditors.elbv2 import ELBv2Auditor
auditor = ELBv2Auditor(accounts=["012345678910"])
alb = {
'Scheme': 'internet-facing',
'SecurityGroups': ['sg-12345678'],
'Listeners': [
{
'Protocol': "HTTP",
'Port': 80
}]
}
from security_monkey.cloudaux_watcher import CloudAuxChangeItem
item = CloudAuxChangeItem(
index='alb',
account='TEST_ACCOUNT',
name='MyELB',
arn=ARN_PREFIX + ":elasticloadbalancing:" + AWS_DEFAULT_REGION + ":012345678910:loadbalancer/MyELB",
config=alb)
def mock_get_auditor_support_items(*args, **kwargs):
class MockIngressIssue:
issue = 'Internet Accessible'
notes = 'Entity: [cidr:0.0.0.0/0] Access: [ingress:tcp:80]'
score = 10
class MockIngressAllProtocolsIssue(MockIngressIssue):
notes = 'Entity: [cidr:0.0.0.0/0] Access: [ingress:all_protocols:all_ports]'
class MockIngressPortRangeIssue(MockIngressIssue):
notes = 'Entity: [cidr:0.0.0.0/0] Access: [ingress:tcp:77-1023]'
class MockEgressIssue(MockIngressIssue):
notes = 'Entity: [cidr:0.0.0.0/0] Access: [egress:tcp:80]'
class MockPortNotListenerPortIssue(MockIngressIssue):
notes = 'Entity: [cidr:0.0.0.0/0] Access: [ingress:tcp:66555]'
class MockNonConformingIssue(MockIngressIssue):
notes = 'Some random rule.'
class DBItem:
issues = list()
from security_monkey.watchers.security_group import SecurityGroupItem
sg_item = SecurityGroupItem(
region=AWS_DEFAULT_REGION,
account='TEST_ACCOUNT',
name='INTERNETSG',
config={
'id': 'sg-12345678',
'name': 'INTERNETSG',
'rules': [
{
'cidr_ip': '0.0.0.0/0',
'rule_type': 'ingress',
'port': 80
}
]
})
sg_item.db_item = DBItem()
sg_item.db_item.issues = [
MockIngressIssue(), MockIngressAllProtocolsIssue(), MockEgressIssue(),
MockNonConformingIssue(), MockPortNotListenerPortIssue(),
MockIngressPortRangeIssue()]
return [sg_item]
def mock_link_to_support_item_issues(item, sg, sub_issue_message, score):
auditor.add_issue(score, sub_issue_message, item, notes='Related to: INTERNETSG (sg-12345678 in vpc-49999999)')
auditor.get_auditor_support_items = mock_get_auditor_support_items
auditor.link_to_support_item_issues = mock_link_to_support_item_issues
auditor.check_internet_facing(item)
self.assertEqual(len(item.audit_issues), 1)
issue = item.audit_issues[0]
self.assertEqual(issue.issue, 'Internet Accessible')
self.assertEqual(issue.notes, 'Related to: INTERNETSG (sg-12345678 in vpc-49999999)')