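def test_es_auditor(self):
    """Audit every prepared ES domain and check the issues each policy yields.

    The auditor gets an in-memory network whitelist built from
    ``WHITELIST_CIDRS`` and is then run over the items created by
    ``pre_test_setup``.  ``expected_scores`` lists, per config and in
    order, the scores of the issues the access policy must produce; an
    empty list means the policy must raise no issue at all.
    """
    from security_monkey.auditors.elasticsearch_service import ElasticSearchServiceAuditor

    es_auditor = ElasticSearchServiceAuditor(accounts=["012345678910"])

    # Seed the auditor's network whitelist directly from WHITELIST_CIDRS:
    es_auditor.network_whitelist = []
    for name, cidr in WHITELIST_CIDRS:
        whitelist_cidr = NetworkWhitelistEntry()
        whitelist_cidr.cidr = cidr
        whitelist_cidr.name = name
        es_auditor.network_whitelist.append(whitelist_cidr)

    for es_domain in self.es_items:
        es_auditor.check_es_access_policy(es_domain)

    # Ordered issue scores expected for CONFIG_ONE .. CONFIG_NINE.
    expected_scores = [
        [20],        # CONFIG ONE
        [20],        # CONFIG TWO
        [5, 7],      # CONFIG THREE
        [20],        # CONFIG FOUR
        [],          # CONFIG FIVE
        [],          # CONFIG SIX
        [5, 5, 7],   # CONFIG SEVEN
        [20],        # CONFIG EIGHT
        [6, 10],     # CONFIG NINE
    ]
    self.assertEqual(len(self.es_items), len(expected_scores))

    # assertEqual rather than the deprecated assertEquals alias (removed in
    # Python 3.12); comparing the whole score list also checks the count.
    for index, (es_domain, scores) in enumerate(zip(self.es_items, expected_scores)):
        actual = [issue.score for issue in es_domain.audit_issues]
        self.assertEqual(
            actual, scores,
            "config #%d: expected issue scores %r, got %r" % (index + 1, scores, actual))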
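def sync_networks(bucket_name, input_filename, authoritative):
    """Imports a JSON file of networks to the Security Monkey whitelist.

    The file must hold a JSON object mapping whitelist entry name to CIDR
    string, e.g. ``{"Corp": "10.0.0.0/8"}``.  Existing entries with a matching
    name get their CIDR updated, unknown names are added, and when
    ``authoritative`` is true every entry whose name is absent from the file is
    deleted.  Because these entries define which networks the auditors treat as
    trusted, a document that is not a name -> CIDR object is rejected before
    anything is written to the database.

    :param bucket_name: S3 bucket to read from; falsy means read a local file.
    :param input_filename: S3 key (when ``bucket_name`` is set) or local path.
    :param authoritative: delete whitelist entries not present in the file.
    :raises ValueError: if the JSON document is not an object.
    """
    from contextlib import closing

    if bucket_name:
        import boto3
        s3 = boto3.client('s3')
        response = s3.get_object(
            Bucket=bucket_name,
            Key=input_filename,
        )
        handle = response['Body']
    else:
        handle = open(input_filename)

    # closing() covers both the local file and the S3 streaming body, and
    # releases the handle even when the JSON fails to parse.
    with closing(handle):
        networks = json.load(handle)

    if not isinstance(networks, dict):
        raise ValueError(
            'Whitelist file %s must contain a JSON object of name -> CIDR'
            % input_filename)

    names = list(networks)

    # Materialize once: the result is iterated twice below, and a Query would
    # otherwise be executed on each iteration.
    existing = list(NetworkWhitelistEntry.query.filter(
        NetworkWhitelistEntry.name.in_(names)))
    new = set(names) - set(entry.name for entry in existing)

    for entry in existing:
        entry.cidr = networks[entry.name]
        db.session.add(entry)

    for name in new:
        app.logger.debug('Adding new network %s', name)
        entry = NetworkWhitelistEntry(
            name=name,
            cidr=networks[name],
        )
        db.session.add(entry)

    if authoritative:
        old = NetworkWhitelistEntry.query.filter(
            ~NetworkWhitelistEntry.name.in_(names))
        for entry in old:
            app.logger.debug('Removing stale network %s', entry.name)
            db.session.delete(entry)

    db.session.commit()
    db.session.close()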
def pre_test_setup(self):
    """Populate the fixtures the ES auditor tests run against.

    Clears the auditor's shared object store, builds one
    ``ElasticSearchServiceItem`` per access-policy config
    (``CONFIG_ONE`` .. ``CONFIG_NINE``), and persists the AWS account plus
    two network whitelist entries.
    """
    ElasticSearchServiceAuditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear()

    # (region, domain name, access policy) for each test domain, in order.
    domain_specs = [
        ("us-east-1", "es_test", CONFIG_ONE),
        ("us-west-2", "es_test_2", CONFIG_TWO),
        ("eu-west-1", "es_test_3", CONFIG_THREE),
        ("us-east-1", "es_test_4", CONFIG_FOUR),
        ("us-east-1", "es_test_5", CONFIG_FIVE),
        ("eu-west-1", "es_test_6", CONFIG_SIX),
        ("eu-west-1", "es_test_7", CONFIG_SEVEN),
        ("eu-west-1", "es_test_8", CONFIG_EIGHT),
        ("us-east-1", "es_test_9", CONFIG_NINE),
    ]
    self.es_items = [
        ElasticSearchServiceItem(region=region, account="TEST_ACCOUNT",
                                 name=domain_name, config=policy)
        for region, domain_name, policy in domain_specs
    ]

    # The account type row is committed before its id is read for the account.
    aws_type = AccountType(name='AWS')
    db.session.add(aws_type)
    db.session.commit()

    test_account = Account(identifier="012345678910", name="TEST_ACCOUNT",
                           account_type_id=aws_type.id, notes="TEST_ACCOUNT",
                           third_party=False, active=True)
    db.session.add(test_account)
    db.session.commit()

    # Networks stored as whitelisted; the name doubles as the notes field.
    whitelisted_networks = [
        ("Test one", "192.168.1.1/32"),
        ("Test two", "100.0.0.0/16"),
    ]
    for entry_name, network in whitelisted_networks:
        entry = NetworkWhitelistEntry()
        entry.name = entry_name
        entry.notes = entry_name
        entry.cidr = network
        db.session.add(entry)
        db.session.commit()
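def post(self):
    """
    .. http:post:: /api/1/whitelistcidrs

        Create a new CIDR whitelist entry.

        **Example Request**:

        .. sourcecode:: http

            POST /api/1/whitelistcidrs HTTP/1.1
            Host: example.com
            Accept: application/json

            {
                "name": "Corp",
                "notes": "Corporate Network",
                "cidr": "1.2.3.4/22"
            }

        **Example Response**:

        .. sourcecode:: http

            HTTP/1.1 201 Created
            Vary: Accept
            Content-Type: application/json

            {
                "id": 123,
                "name": "Corp",
                "notes": "Corporate Network",
                "cidr": "1.2.3.4/22"
            }

        :statuscode 201: created
        :statuscode 400: ``cidr`` does not parse as an IPv4/IPv6 network
        :statuscode 401: Authentication Error. Please Login.
    """
    import ipaddress

    self.reqparse.add_argument('name', required=True, type=text_type, help='Must provide account name', location='json')
    self.reqparse.add_argument('cidr', required=True, type=text_type, help='Network CIDR required.', location='json')
    self.reqparse.add_argument('notes', required=False, type=text_type, help='Add context.', location='json')
    args = self.reqparse.parse_args()

    name = args['name']
    # 'cidr' is required=True, so parse_args() has already rejected a request
    # without it; no fallback default is needed.
    cidr = args['cidr']
    notes = args.get('notes', None)

    # Whitelisted networks are what the auditors treat as trusted, so refuse
    # to persist a value that is not a parseable network.  strict=False keeps
    # accepting a host address with a prefix, as in the documented example.
    try:
        ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return {'auth': self.auth_dict, 'error': 'Invalid network CIDR'}, 400

    whitelist_entry = NetworkWhitelistEntry()
    whitelist_entry.name = name
    whitelist_entry.cidr = cidr
    if notes:
        whitelist_entry.notes = notes

    db.session.add(whitelist_entry)
    db.session.commit()
    # Refresh so the marshalled response carries the database-assigned fields.
    db.session.refresh(whitelist_entry)

    whitelistentry_marshaled = marshal(whitelist_entry.__dict__, WHITELIST_FIELDS)
    whitelistentry_marshaled['auth'] = self.auth_dict
    return whitelistentry_marshaled, 201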
def post(self):
    """
    .. http:post:: /api/1/whitelistcidrs

        Create a new CIDR whitelist entry.

        **Example Request**:

        .. sourcecode:: http

            POST /api/1/whitelistcidrs HTTP/1.1
            Host: example.com
            Accept: application/json

            {
                "name": "Corp",
                "notes": "Corporate Network",
                "cidr": "1.2.3.4/22"
            }

        **Example Response**:

        .. sourcecode:: http

            HTTP/1.1 201 Created
            Vary: Accept
            Content-Type: application/json

            {
                "id": 123,
                "name": "Corp",
                "notes": "Corporate Network",
                "cidr": "1.2.3.4/22"
            }

        :statuscode 201: created
        :statuscode 401: Authentication Error. Please Login.

    The ``cidr`` string is stored exactly as received; this handler does not
    parse it.  NOTE(review): a value that is not a valid network would still
    be persisted into the whitelist — confirm whether validation happens
    elsewhere before relying on these entries.
    """
    auth, retval = __check_auth__(self.auth_dict)
    if auth:
        return retval

    parser = self.reqparse
    for field, is_required, hint in (
        ('name', True, 'Must provide account name'),
        ('cidr', True, 'Network CIDR required.'),
        ('notes', False, 'Add context.'),
    ):
        parser.add_argument(field, required=is_required, type=unicode, help=hint, location='json')
    args = parser.parse_args()

    entry = NetworkWhitelistEntry()
    entry.name = args['name']
    # 'cidr' is required, so parse_args() already rejected a missing value.
    entry.cidr = args.get('cidr', True)
    context = args.get('notes', None)
    if context:
        entry.notes = context

    db.session.add(entry)
    db.session.commit()
    db.session.refresh(entry)

    response = marshal(entry.__dict__, WHITELIST_FIELDS)
    response['auth'] = self.auth_dict
    return response, 201
def pre_test_setup(self):
    """Prepare the ES auditor test state.

    Resets the auditor's object store, creates the nine test domains
    (one per ``CONFIG_*`` access policy), and writes the test account and
    two whitelisted networks to the database.
    """
    auditor = ElasticSearchServiceAuditor(accounts=['TEST_ACCOUNT'])
    auditor.OBJECT_STORE.clear()

    def make_domain(region, domain_name, policy):
        # All test domains live in the same test account.
        return ElasticSearchServiceItem(region=region, account="TEST_ACCOUNT",
                                        name=domain_name, config=policy)

    self.es_items = [
        make_domain("us-east-1", "es_test", CONFIG_ONE),
        make_domain("us-west-2", "es_test_2", CONFIG_TWO),
        make_domain("eu-west-1", "es_test_3", CONFIG_THREE),
        make_domain("us-east-1", "es_test_4", CONFIG_FOUR),
        make_domain("us-east-1", "es_test_5", CONFIG_FIVE),
        make_domain("eu-west-1", "es_test_6", CONFIG_SIX),
        make_domain("eu-west-1", "es_test_7", CONFIG_SEVEN),
        make_domain("eu-west-1", "es_test_8", CONFIG_EIGHT),
        make_domain("us-east-1", "es_test_9", CONFIG_NINE),
    ]

    # Account type first; its id is read when the account row is built.
    aws = AccountType(name='AWS')
    db.session.add(aws)
    db.session.commit()

    db.session.add(Account(identifier="012345678910",
                           name="TEST_ACCOUNT",
                           account_type_id=aws.id,
                           notes="TEST_ACCOUNT",
                           third_party=False,
                           active=True))
    db.session.commit()

    # Whitelisted networks; each is committed as soon as it is added.
    for label, cidr in (("Test one", "192.168.1.1/32"),
                        ("Test two", "100.0.0.0/16")):
        whitelisted = NetworkWhitelistEntry()
        whitelisted.name = label
        whitelisted.notes = label
        whitelisted.cidr = cidr
        db.session.add(whitelisted)
        db.session.commit()