Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
Contents
1 Project resources 3
2 Quick Start 52.1 Quick Start Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3 Changelog 253.1 Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
4 API Reference 314.1 API Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
5 About 375.1 Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375.2 Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375.3 Contributing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Python Module Index 47
i
security_monkey Documentation, Release 0.1.2
Security Monkey monitors policy changes and alerts on insecure configurations in an AWS account. While SecurityMonkey’s main purpose is security, it also proves a useful tool for tracking down potential problems as it is essentiallya change tracking system.
It works on CPython 2.7. It is known to work on Ubuntu Linux and OS X.
Contents 1
CHAPTER 1
Project resources
• Documentation
• Source code
• Issue tracker
3
CHAPTER 2
Quick Start
2.1 Quick Start Guide
2.1.1 Docker Images
Before we start, consider following the docker instructions . Docker helps simplify the process to get up and running.The docker images are not currently ready for production use, but are good enough to get up and running with aninstance of security_monkey.
Not into the docker thing? Keep reading.
2.1.2 Setup IAM Roles
We need to create two roles for security monkey. The first role will be an instance profile that we will launch securitymonkey into. The permissions on this role allow the monkey to use STS to assume to other roles as well as use SESto send email.
Creating SecurityMonkeyInstanceProfile Role
Create a new role and name it “SecurityMonkeyInstanceProfile”:
Select “Amazon EC2” under “AWS Service Roles”.
5
security_monkey Documentation, Release 0.1.2
Select “Custom Policy”:
Paste in this JSON with the name “SecurityMonkeyLaunchPerms”:
{"Version": "2012-10-17","Statement": [{
"Effect": "Allow","Action": [
"ses:SendEmail"],"Resource": "*"
},{
"Effect": "Allow","Action": "sts:AssumeRole","Resource": "*"
}]
}
Review and create your new role:
6 Chapter 2. Quick Start
security_monkey Documentation, Release 0.1.2
Creating SecurityMonkey Role
Create a new role and name it “SecurityMonkey”:
Select “Amazon EC2” under “AWS Service Roles”.
Select “Custom Policy”:
2.1. Quick Start Guide 7
security_monkey Documentation, Release 0.1.2
Paste in this JSON with the name “SecurityMonkeyReadOnly”:
{"Statement": [{
"Action": ["cloudwatch:Describe*","cloudwatch:Get*","cloudwatch:List*","ec2:Describe*","elasticloadbalancing:Describe*","iam:List*","iam:Get*","route53:Get*","route53:List*","rds:Describe*","s3:GetBucketAcl","s3:GetBucketCORS","s3:GetBucketLocation","s3:GetBucketLogging","s3:GetBucketPolicy","s3:GetBucketVersioning","s3:GetLifecycleConfiguration","s3:ListAllMyBuckets","sdb:GetAttributes","sdb:List*","sdb:Select*","ses:Get*","ses:List*","sns:Get*","sns:List*","sqs:GetQueueAttributes","sqs:ListQueues","sqs:ReceiveMessage"
],"Effect": "Allow","Resource": "*"
}]
}
Review and create the new role.
8 Chapter 2. Quick Start
security_monkey Documentation, Release 0.1.2
Allow SecurityMonkeyInstanceProfile to AssumeRole to SecurityMonkey
You should now have two roles available in your AWS Console:
Select the “SecurityMonkey” role and open the “Trust Relationships” tab.
Edit the Trust Relationship and paste this in:
{"Version": "2008-10-17","Statement": [{
"Sid": "","Effect": "Allow","Principal": {
"AWS": ["arn:aws:iam::<YOUR ACCOUNTID GOES HERE>:role/SecurityMonkeyInstanceProfile"
]},"Action": "sts:AssumeRole"
}]
2.1. Quick Start Guide 9
security_monkey Documentation, Release 0.1.2
}
Adding more accounts
To have your instance of security monkey monitor additional accounts, you must add a SecurityMonkey role in thenew account. Follow the instructions above to create the new SecurityMonkey role. The Trust Relationship policyshould have the account ID of the account where the security monkey instance is running.
Note
Additional SecurityMonkeyInstanceProfile roles are not required. You only need to create a new SecurityMonkey role.
Note
You will also need to add the new account in the Web UI, and restart the scheduler. More information on how do tothis will be presented later in this guide.
TODO
Document how to setup an SES account and validate it.
2.1.3 Launch an Ubuntu Instance
Netflix monitors dozens AWS accounts easily on a single m3.large instance. For this guide, we will launch a m1.small.
In the console, start the process to launch a new Ubuntu instance. The screenshot below shows EC2 classic, but youcan also launch this in external VPC.:
Select an m1.small and select “Next: Configure Instance Details”.
Note: Do not select “Review and Launch”. We need to launch this instance in a specific role.
Under “IAM Role”, select SecurityMonkeyInstanceProfile:
10 Chapter 2. Quick Start
security_monkey Documentation, Release 0.1.2
You may now launch the new instance. Please take note of the “Public DNS” entry. We will need that later whenconfiguring security monkey.
Now may also be a good time to edit the “launch-wizard-1” security group to restrict access to your IP. Make sure youleave TCP 22 open for ssh and TCP 443 for HTTPS.
Keypair
You may be prompted to download a keypair. You should protect this keypair; it is used to provide ssh access to thenew instance. Put it in a safe place. You will need to change the permissions on the keypair to 600:
$ chmod 600 SecurityMonkeyKeypair.pem
Connecting to your new instance:
We will connect to the new instance over ssh:
$ ssh -i SecurityMonkeyKeyPair.pem -l ubuntu <PUBLIC_IP_ADDRESS>
Replace the last parameter (<PUBLIC_IP_ADDRESS>) with the Public IP of your instance.
2.1.4 Install Pre-requisites
We now have a fresh install of Ubuntu. Let’s add the hostname to the hosts file:
$ hostnameip-172-30-0-151
Add this to /etc/hosts: (Use nano if you’re not familiar with vi.):
2.1. Quick Start Guide 11
security_monkey Documentation, Release 0.1.2
$ sudo vi /etc/hosts127.0.0.1 ip-172-30-0-151
Create the logging folders:
sudo mkdir /var/log/security_monkeysudo chown www-data /var/log/security_monkeysudo mkdir /var/wwwsudo chown www-data /var/wwwsudo touch /var/log/security_monkey/security_monkey.error.logsudo touch /var/log/security_monkey/security_monkey.access.logsudo touch /var/log/security_monkey/security_monkey-deploy.logsudo chown www-data /var/log/security_monkey/security_monkey-deploy.log
Let’s install the tools we need for Security Monkey:
$ sudo apt-get update$ sudo apt-get -y install python-pip python-dev python-psycopg2 postgresql postgresql-contrib libpq-dev nginx supervisor git swig python-m2crypto
Setup Postgres
For production, you will want to use an AWS RDS Postgres database. For this guide, we will setup a database on theinstance that was just launched.
First, set a password for the postgres user. For this guide, we will use securitymonkeypassword.:
$ sudo -u postgres psql postgres# \password postgresEnter new password: securitymonkeypasswordEnter it again: securitymonkeypassword
Type CTRL-D to exit psql once you have changed the password.
Next, we will create our a new database:
$ sudo -u postgres createdb secmonkey
2.1.5 Clone the Security Monkey Repo
Next we’ll clone and install the package:
$ cd /usr/local/src$ sudo git clone --depth 1 --branch master https://github.com/Netflix/security_monkey.git$ cd security_monkey$ sudo python setup.py install
New in 0.2.0 - Compile the web-app from the Dart code:
# Get the Google Linux package signing key.$ curl https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
# Set up the location of the stable repository.$ cd ~$ curl https://storage.googleapis.com/download.dartlang.org/linux/debian/dart_stable.list > dart_stable.list$ sudo mv dart_stable.list /etc/apt/sources.list.d/dart_stable.list$ sudo apt-get update$ sudo apt-get install -y dart
12 Chapter 2. Quick Start
security_monkey Documentation, Release 0.1.2
# Build the Web UI$ cd /usr/local/src/security_monkey/dart$ sudo /usr/lib/dart/bin/pub build
# Copy the compiled Web UI to the appropriate destination$ sudo /bin/mkdir -p /usr/local/src/security_monkey/security_monkey/static/$ sudo /bin/cp -R /usr/local/src/security_monkey/dart/build/web/* /usr/local/src/security_monkey/security_monkey/static/
Configure the Application
Edit /usr/local/src/security_monkey/env-config/config-deploy.py:
# Insert any config items here.# This will be fed into Flask/SQLAlchemy inside security_monkey/__init__.py
LOG_LEVEL = "DEBUG"LOG_FILE = "/var/log/security_monkey/security_monkey-deploy.log"
SQLALCHEMY_DATABASE_URI = ’postgresql://postgres:securitymonkeypassword@localhost:5432/secmonkey’
SQLALCHEMY_POOL_SIZE = 50SQLALCHEMY_MAX_OVERFLOW = 15ENVIRONMENT = ’ec2’USE_ROUTE53 = FalseFQDN = ’<PUBLIC_IP_ADDRESS>’API_PORT = ’5000’WEB_PORT = ’443’FRONTED_BY_NGINX = TrueNGINX_PORT = ’443’WEB_PATH = ’/static/ui.html’BASE_URL = ’https://{}/’.format(FQDN)
SECRET_KEY = ’<INSERT_RANDOM_STRING_HERE>’
MAIL_DEFAULT_SENDER = ’securitymonkey@<YOURDOMAIN>.com’SECURITY_REGISTERABLE = TrueSECURITY_CONFIRMABLE = FalseSECURITY_RECOVERABLE = FalseSECURITY_PASSWORD_HASH = ’bcrypt’SECURITY_PASSWORD_SALT = ’<INSERT_RANDOM_STRING_HERE>’
SECURITY_POST_LOGIN_VIEW = BASE_URLSECURITY_POST_REGISTER_VIEW = BASE_URLSECURITY_POST_CONFIRM_VIEW = BASE_URLSECURITY_POST_RESET_VIEW = BASE_URLSECURITY_POST_CHANGE_VIEW = BASE_URL
# This address gets all change notificationsSECURITY_TEAM_EMAIL = []
# These are only required if using SMTP instead of SESEMAILS_USE_SMTP = True # Otherwise, Use SESSES_REGION = ’us-east-1’MAIL_SERVER = ’smtp.<YOUREMAILPROVIDER>.com’MAIL_PORT = 465MAIL_USE_SSL = True
2.1. Quick Start Guide 13
security_monkey Documentation, Release 0.1.2
MAIL_USERNAME = ’securitymonkey’MAIL_PASSWORD = ’<YOURPASSWORD>’
A few things need to be modified in this file before we move on.
SQLALCHEMY_DATABASE_URI: The value above will be correct for the username “postgres” with the password“securitymonkeypassword” and the database name of “secmonkey”. Please edit this line if you have created a differentdatabase name or username or password.
FQDN: You will need to enter the public DNS name you obtained when you launched the security monkey instance.
SECRET_KEY: This is used by Flask modules to verify user sessions. Please use your own random string. (Keep itsecret.)
SECURITY_CONFIRMABLE: Leave this off (False) until you have configured and validated an SES account. Moreinformation will be made available on this topic soon.
SECURITY_RECOVERABLE: Leave this off (False) until you have configured and validated an SES account. Moreinformation will be made available on this topic soon.
SECURITY_PASSWORD_SALT: This is used by flask to salt credentials before putting them into the database.Please use your own random string.
Other values are self-explanatory.
SECURITY_MONKEY_SETTINGS:
The SECURITY_MONKEY_SETTINGS variable should point to the config-deploy.py we just reviewed.:
$ export SECURITY_MONKEY_SETTINGS=<Path to your config-deploy.py>
For example:
$ export SECURITY_MONKEY_SETTINGS=/usr/local/src/security_monkey/env-config/config-deploy.py
Create the database tables:
Security Monkey uses Flask-Migrate (Alembic) to keep database tables up to date. To create the tables, run thiscommand:
$ cd /usr/local/src/security_monkey/$ sudo -E python manage.py db upgrade
2.1.6 Setting up Supervisor
Supervisor will auto-start security monkey and will auto-restart security monkey if it were to crash.
# Control Startup/Shutdown:# sudo supervisorctl
[program:securitymonkey]user=www-data
environment=PYTHONPATH=’/usr/local/src/security_monkey/’,SECURITY_MONKEY_SETTINGS="/usr/local/src/security_monkey/env-config/config-deploy.py"autostart=trueautorestart=truecommand=python /usr/local/src/security_monkey/manage.py run_api_server
14 Chapter 2. Quick Start
security_monkey Documentation, Release 0.1.2
[program:securitymonkeyscheduler]user=www-dataautostart=trueautorestart=truedirectory=/usr/local/src/security_monkey/environment=PYTHONPATH=’/usr/local/src/security_monkey/’,SECURITY_MONKEY_SETTINGS="/usr/local/src/security_monkey/env-config/config-deploy.py"command=python /usr/local/src/security_monkey/manage.py start_scheduler
Copy security_monkey/supervisor/security_monkey.conf to /etc/supervisor/conf.d/security_monkey.conf and makesure it points to the locations where you cloned the security monkey repo.:
$ sudo service supervisor restart$ sudo supervisorctl
Supervisor will attempt to start two python jobs and make sure they are running. The first job, securitymonkey, isgunicorn, which it launches by calling manage.py run_api_server.
The second job supervisor runs is the scheduler, which looks for changes every 15 minutes. The scheduler will failto start at this time because there are no accounts for it to monitor Later, we will add an account and start thescheduler.
You can track progress by tailing security_monkey-deploy.log.
2.1.7 Create an SSL Certificate
For this quickstart guide, we will use a self-signed SSL certificate. In production, you will want to use a certificatethat has been signed by a trusted certificate authority.:
$ cd ~
There are some great instructions for generating a certificate on the Ubuntu website:
Ubuntu - Create a Self Signed SSL Certificate
The last commands you need to run from that tutorial are in the “Installing the Certificate” section:
sudo cp server.crt /etc/ssl/certssudo cp server.key /etc/ssl/private
Once you have finished the instructions at the link above, and these two files are in your /etc/ssl/certs and/etc/ssl/private, you are ready to move on in this guide.
2.1.8 Setup Nginx:
Security Monkey uses gunicorn to serve up content on its internal 127.0.0.1 address. For better performance, andto offload the work of serving static files, we wrap gunicorn with nginx. Nginx listens on 0.0.0.0 and proxies someconnections to gunicorn for processing and serves up static files quickly.
securitymonkey.conf
Save the config file below to:
/etc/nginx/sites-available/securitymonkey.conf
2.1. Quick Start Guide 15
security_monkey Documentation, Release 0.1.2
add_header X-Content-Type-Options "nosniff";add_header X-XSS-Protection "1; mode=block";add_header X-Frame-Options "SAMEORIGIN";add_header Strict-Transport-Security "max-age=631138519";add_header Content-Security-Policy "default-src ’self’; font-src ’self’ https://fonts.gstatic.com; script-src ’self’ https://ajax.googleapis.com; style-src ’self’ https://fonts.googleapis.com;";
server {listen 0.0.0.0:443 ssl;ssl_certificate /etc/ssl/certs/server.crt;ssl_certificate_key /etc/ssl/private/server.key;access_log /var/log/security_monkey/security_monkey.access.log;error_log /var/log/security_monkey/security_monkey.error.log;
location ~* ^/(reset|confirm|healthcheck|register|login|logout|api) {proxy_read_timeout 120;proxy_pass http://127.0.0.1:5000;proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;proxy_redirect off;proxy_buffering off;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /static {rewrite ^/static/(.*)$ /$1 break;root /usr/local/src/security_monkey/security_monkey/static;index ui.html;
}
location / {root /usr/local/src/security_monkey/security_monkey/static;index ui.html;
}
}
Symlink the sites-available file to the sites-enabled folder:
$ sudo ln -s /etc/nginx/sites-available/securitymonkey.conf /etc/nginx/sites-enabled/securitymonkey.conf
Delete the default configuration:
$ sudo rm /etc/nginx/sites-enabled/default
Restart nginx:
$ sudo service nginx restart
2.1.9 Registering An Account
You should now be able to reach your server
16 Chapter 2. Quick Start
security_monkey Documentation, Release 0.1.2
Navigate to the Register page to create your first user account:
After you have registered a new account and logged in, you need to add an account for Security Monkey to monitor.Click on “Settings” in the very top menu bar.
2.1. Quick Start Guide 17
security_monkey Documentation, Release 0.1.2
Adding an Account in the Web UI
Here you will see a list of the accounts Security Monkey is monitoring. (It should be empty.)
Click on the plus sign to create a new account:
Now we will provide Security Monkey with information about the account you would like to monitor.
When creating a new account in Security Monkey, you may use any “Name” that you would like. Example names are‘prod’, ‘test’, ‘dev’, or ‘it’. Names should be unique.
The S3 Name has special meaning. This is the name used on S3 ACL policies. If you are unsure, it is probably the be-ginning of the email address that was used to create the AWS account. (If you signed up as [email protected],your s3 name is probably super_geek.) You can edit this value at any time.
The Number is the AWS account number. This must be provided.
Notes is an optional field.
18 Chapter 2. Quick Start
security_monkey Documentation, Release 0.1.2
Active specifies whether Security Monkey should track policies and changes in this account. There are cases whereyou want Security Monkey to know about a friendly account, but don’t want Security Monkey to track it’s changes.
Third Party This is a way to tell security monkey that the account is friendly and not owned by you.
Note: You will need to restart the scheduler whenever you add a new account or disable an existing account.We plan to remove this requirement in the future.:
$ sudo supervisorctlsecuritymonkey RUNNING pid 11401, uptime 0:05:56securitymonkeyscheduler FATAL Exited too quickly (process log may have details)supervisor> start securitymonkeyschedulersecuritymonkeyscheduler: startedsupervisor> statussecuritymonkey RUNNING pid 11401, uptime 0:06:49securitymonkeyscheduler RUNNING pid 11519, uptime 0:00:42supervisor>
The first run will occur in 15 minutes. You can monitor all the log files in /var/log/security_monkey/. In the browser,you can hit the ‘AutoRefresh‘ button so the browser will attempt to load results every 30 seconds.
Note: You can also add accounts via the command line with manage.py:
$ python manage.py add_account --number 12345678910 --name account_fooSuccessfully added account account_foo
If an account with the same number already exists, this will do nothing, unless you pass --force, in which case, itwill override the existing account:
$ python manage.py add_account --number 12345678910 --name account_fooAn account with id 12345678910 already exists$ python manage.py add_account --number 12345678910 --name account_foo --active false --forceSuccessfully added account account_foo
2.1.10 Now What?
Wow. We have accomplished a lot. Now we can use the Web UI to review our security posture.
Searching in the Web UI
On the Web UI, click the Search button at the top left. If the scheduler is setup correctly, we should now see itemsfilling the table. These items are colored if they have issues. Yellow is for minor issues like friendly cross accountaccess while red indicates more important security issues, like an S3 bucket granting access to “AllUsers” or a securitygroup allowing 0.0.0.0/0. The newest results are always at the top.
2.1. Quick Start Guide 19
security_monkey Documentation, Release 0.1.2
We can filter these results using the searchbox on the left. The Region, Tech, Account, and Name fields use auto-complete to help you find what you need.
Security Monkey also provides you the ability to search only for issues:
20 Chapter 2. Quick Start
security_monkey Documentation, Release 0.1.2
Viewing an Item in the Web UI
Clicking on an item in the web UI brings up the view-item page.
This item has an attached issue. Someone has left SSH open to the Internet! Security Monkey helps you find thesetypes of insecure configurations and correct them.
If Security Monkey finds an issue that you aren’t worried about, you should justify the issue and leave a messageexplaining to others why the configuration is okay.
2.1. Quick Start Guide 21
security_monkey Documentation, Release 0.1.2
Security Monkey looks for changes in configurations. When there is a change, it uses colors to show you the partof the configuration that was affected. Green tells you that a section was added while red says something has beenremoved.
Each revision to an item can have comments attached. These can explain why a change was made.
2.1.11 Productionalizing Security Monkey
This guide has been focused on getting Security Monkey up and running quickly. For a production deployment, youshould make a few changes.
22 Chapter 2. Quick Start
security_monkey Documentation, Release 0.1.2
Location
Run security_monkey from a separate account. This will help isolate the instance and the database and ensure theintegrity of the change data.
SES
Security Monkey uses SES to send email. While you can install and use Security Monkey without SES, it is rec-ommended that you eventually setup SES to receive Change Reports and Audit Reports. Enabling SES also allowsyou to enable the “forgot my password” flow and force users to confirm their email addresses when registering for anaccount.
To begin the process, you will need to request that AWS enable SES on your account
TODO: Add further documentation on setting up and confirming SES.
RDS
In this guide, we setup a postgres database on the instance we launched. This would be a horrible way to run inproduction. You would lose all your data whenever Chaos Monkey unplugged your instance!
Make sure you move your database to an RDS instance. Create a database user with limited permissions and use adifferent password than the one used in this guide.
Logs
If you are relying on security monkey, you really need to ensure that it is running correctly and not hitting a bizarreexception.
Check the Security Monkey logs occasionally. Let us know if you are seeing exceptions, or better yet, send us a pullrequest.
Justify Issues
The daily audit report and the issues-search are most helpful when all the existing issues are worked or justified. Spendsome time to work through the issues found today, so that the ones found tomorrow pop out and catch your attention.
2.1. Quick Start Guide 23
security_monkey Documentation, Release 0.1.2
SSL
In this guide, we setup a self-signed SSL certificate. For production, you will want to use a certificate that has beensigned by a trusted certificate authority. You can also attach an SSL cert to an ELB listener. If so, please use the latestlistener reference policy to avoid deprecated ciphers and TLS/SSLv3 attacks.
Ignore List
If your environment has rapidly changing items that you would prefer not to track in security monkey, please look atthe “Ignore List” under the settings page. You can provide a list of prefixes for each technology, and Security Monkeywill ignore those objects when it is inspecting your current AWS configuration. Be careful: an attacker could usethe ignore list to subvert your monitoring.
Contribute
It’s easy to extend security_monkey with new rules or new technologies. If you have a good idea, please send us apull request. I’ll be delighted to include them.
24 Chapter 2. Quick Start
CHAPTER 3
Changelog
3.1 Changelog
3.1.1 v0.3.6 (2015-04-09)
• Changes to issue score in code will now cause all existing issues to be re-scored in the database.
• A new configuration parameter called SECURITYGROUP_INSTANCE_DETAIL can now be set to:
– “FULL”: Security Groups will display each instances, and all instance tags, that are associated withthe security group.
– “SUMMARY”: Security Groups will display the number of instances attached to the security group.
– “NONE”: Security Groups will not retrieve any data about instances attached to a security group.
– If SECURITY_GROUP_INSTANCE_DETAIL is set to “FULL” or “SUMMARY”, empty securitygroups audit issues will have their score set to zero.
– For accounts with many thousands of instances, it is advised to set this to “NONE” as the AWS API’sdo not respond in a timely manner with that many instances.
• Each watcher can be set to run at a different interval in code. We will want to move this to be a UI setting.
• Watchers may specify a list of ephemeral paths. Security_monkey will not send out change alerts for items inthe ephemeral section. This is a good place for metadata that is often changing like the number of instancesattached to a security_group or the number of remaining IP addresses in a VPC subnet.
Contributors: - lucab - monkeysecurity
3.1.2 v0.3.5 (2015-03-28)
• Adding policy minimizer & expander to the revision component
• Adding tracking of instance profiles attached to a role
• Adding marker/pagination code to redshift.describe_clusters()
• Adding pagination to IAM User get_all_user_policies, get_all_access_keys, get_all_mfa_devices,get_all_signing_certs
• Typo & minor corrections on postgres commands
• CLI command to save your current configurations to a JSON file for backup
• added a VPC watcher
25
security_monkey Documentation, Release 0.1.2
• Adding DHCP Options and Internet Gateways to the VPC Watcher
• Adding a subnet watcher. Fixing the VPC watcher with deep_dict
• Adding the vpc route_table watcher
• Removing subnet remaining IP field until ephemeral section is merged in
• Adding IAM Managed Policies
• Typo & minor corrections on postgres commands in documentation
• Adds ELBSecurityPolicy-2015-03. Moves export grade ciphers to their own section and alerts on FREAK vuln.
• Provides context on refpol 2015-03 vs 2015-02.
• Adding a Managed Policies Auditor
• Added Manged Policy tracking to the IAM users, groups, and roles
Summary of new watchers:
• vpc
– DHCP Options
– Internet Gateways
• subnet
• routetable
• managed policies
Summary of new Auditors or audit checks:
• managed policies
• New reference policy 2015-03 for ELB listeners.
• New alerts for FREAK vulnerable ciphers.
Contributors:
• markofu
• monkeysecurity
3.1.3 v0.3.4 (2015-2-19)
• Merged in a new AuditorSettings tab created by Qmando at Yelp enabling you to disable audit checks withper-account granularity.
• security_monkey is now CSP compliant.
• security_monkey has removed all shadow-DOM components. Also removed webcomponents.js anddart_support.js, as they were not CSP compliant.
• security_monkey now advises users to enable standard security headers following headers:
X-Content-Type-Options "nosniff";X-XSS-Protection "1; mode=block";X-Frame-Options "SAMEORIGIN";Strict-Transport-Security "max-age=631138519";Content-Security-Policy "default-src ’self’; font-src ’self’ https://fonts.gstatic.com; script-src ’self’ https://ajax.googleapis.com; style-src ’self’ https://fonts.googleapis.com;"
• security_monkey now has XSRF protection against all DELETE, POST, PUT, and PATCH calls.
26 Chapter 3. Changelog
security_monkey Documentation, Release 0.1.2
• Updated the ELB Auditor to be aware of the ELBSecurityPolicy-2015-02 reference policy.
Contributers:
• Qmando
• monkeysecurity
3.1.4 v0.3.3 (2015-2-3)
• Added MirorsUsed() to my dart code to reduce compiled javascript size.
• Added support for non-chrome browsers by importing webcomponents.js and dart_support.js
• Upgraded to Angulardart 1.1.0 and Angular-dart.ui 0.6.3
3.1.5 v0.3.2 (2015-1-20)
• A bug has been corrected where IAM Groups with > 100 members or policies would be truncated.
• The web UI has been updated to use AngularDart 1.0.0. Significantly smaller javascript size.
3.1.6 v0.3.1 (2015-1-11)
• Change emails again show issues and justifications.
• Change emails now use jinja templating.
• Fixed an issue where issue justifications would disappear when the item was changed.
• Merged a pull request from github user jijojv to start the scheduler at launch instead of waiting 15 minutes.
3.1.7 v0.3.0 (2014-12-19)
• Add localhost to CORS for development.
• Big refactor adding monitors. Adding new watchers/auditors is now much simpler.
• Return to the current URL after authenticating.
• Added SES_REGION config. Now you can send email out of regions other than us-east-1.
• Changing default log location to /var/log/security_monkey.
• Docs now have cleaner nginx.conf.
• Add M2Crypto to get a number of new iamssl fields.
• Added favicon.
new watchers:
• eip
• redshift
• ses
enhanced watchers:
• iamssl - new fields from m2crypto
3.1. Changelog 27
security_monkey Documentation, Release 0.1.2
• elb - new listener policies from botocore
• sns - added sns subscriptions
• s3 - now tracks lifecycle rules
new auditors:
• redshift - checks for non-vpc deployment.
• ses - checks for verified identities
enhanced auditors:
• iamssl - cert size, signature hashing algorithm, upcoming expiration, heartbleed
• elb - check reference policy and certain custom policy fields
hotfixes:
• Fixed issue #12 - Deleting account results in foreign key constraint.
• Added missing alembic script for the ignorelist.
• Various minor documentation updates.
• API server now respects –bind parameter. (Required for the docker image).
• SES connection in utils.py is now surrounded in a try/except.
• FlaskSecurity upgraded to latest.
Contributers:
• ivanlei
• lucab
• yograterol
• monkeysecurity
3.1.8 v0.2.0 (2014-10-31)
Changes in the Web UI:
• Dart: Dates are now displayed in your local timezone.
• Dart: Added Item-level comments.
• Dart: Added the ability to bulk-justify issues from the Issues Table view. This uses the AngularDartUI ModalComponent.
• Dart: Added better messaging around the settings for adding an account. This closes issue #38. This uses theAngularDartUI tooltip component.
• Bug Fix: Colors in the Item table now correctly represent the justification status.
• Dart: Added AngularUI Tabs to select between diff and current configuration display.
• Dart: Added a timer-based auto-refresh so SM can be used as a dashboard.
• Dart: Replaced a number of custom http services with Victor Savkin’s Hammock library. - More than 965 linesof code removed after using Hammock.
• Dart: Replaced custom pagination code with AngularDartUI’s Pagination Component. - IssueTable - Revi-sionTable - ItemTable - AccountSettingsTable
28 Chapter 3. Changelog
security_monkey Documentation, Release 0.1.2
• Dart: Network CIDR whitelist is now configured in the web UI under settings.
• Dart: Object Ignorelist is now configured in the web UI under settings.
• Created a new PaginatedTable parent class for all components that wish to display paginated data. This tableworks with AngularDart’s Pagination Component and also provides the ability to change the number of itemsdisplayed on each page.
• Dart: Added ng_infinite_scroll to the item_detail_view for loading revisions
• Dart: Moved a number of components from being their own libraries to being ‘part of‘ the security_monkeylibrary.
• Dart: Replaced the last controller (UsernameController) with a Component to prepare for AngularDart 1.0.0
• Dart: Style - Renamed library from SecurityMonkey to security_monkey to follow the dart style guide. Refac-tored much of main.dart into lib/security_monkey.dart to try and mimic the cleaner design of the new angularsample app: https://github.com/vsavkin/angulardart-sample-app
Changes in the core product:
• Updated API endpoints to better follow REST architecture.
• Added table for NetworkWhitelist.
• Added rest API endpoints for NetworkWhitelist.
• Added Alembic migration script to add the new NetworkWhitelist table to the DB.
• Added table for IgnoreList.
• Added rest API endpoints for Ignorelist.
• Added Alembic migration script to add the new IgnoreList table to the DB.
• Added check for rfc-1918 CIDRs in non-VPC security groups.
• Saving IAMSSL Certs by cert name instead of cert ID
• Marking VPC RDS Security Groups with their VPC ID
• Supports Paginated Boto access for RDS Security Groups.
• Added alert for non-VPC RDS SG’s containing RFC-1918 CIDRs
• Added check for IAM USER AKEY rotation
• Added check for IAM USER with login profile (console access) And Access Keys (API Access)
• Added an ELB Auditor with a check for internet-facing ELB.
• Added check for security groups with large port ranges.
3.1.9 v0.1.2 (2014-08-11)
Changes in the Web UI:
• Dart: Removed Shadow DOM dependency and set version bounds in pubspec.yaml.
• Dart: Replaced package:js with dart:js.
• Dart: Added the Angular Pub Transformer.
Changes in the core product:
• Added AWS Rate Limiting Protection with exponential backoff code.
• Added instructions to get a local development environment setup for contributing to security_monkey.
3.1. Changelog 29
security_monkey Documentation, Release 0.1.2
• Added support for boto’s new ELB pagination. The pull request to boto and to security_monkey came fromKevin Glisson.
• Bug fix: Security Group Audit Issues now include the port the issue was reported on.
These were already in master, but weren’t tied to a new release:
• Bug fix: Supervisor script now sets SECURITY_MONKEY_SETTINGS envvar for the API server whereas itonly previously set the envvar for the scheduler. This came from a pull request from parabolic.
• Bug fix: Audit reports will only be sent if there are issues to report on.
• Bug fix: Daily Audit Email setting (ALL/NONE/ISSUES) is now respected.
• Bug fix: Command Line Auditor Command Arguments are now coerced into being booleans.
• Quickstart Guide now instructs user to setup the web UI on SSL.
• Various Smaller Bug Fixes.
3.1.10 v0.1.1 (2014-06-30)
Initial release of Security Monkey!
30 Chapter 3. Changelog
CHAPTER 4
API Reference
Class and method level definitions and documentation.
4.1 API Reference
At a high-level, Security Monkey consists of the following components:
Watcher - Component that monitors a given AWS account and technology (e.g. S3, EC2). The Watcher detects andrecords changes to configurations. So, if an S3 bucket policy changes, the Watcher will detect this and store thechange.
Notifier - Component that lets a user or group of users know when a particular item has changed. This component alsoprovides notification based on the triggering of audit rules.
Auditor - Component that executes a set of business rules against an AWS configuration to determine the level of riskassociated with the configuration. For example, a rule may look for a security group with a rule allowing ingress from0.0.0.0/0 (meaning the security group is open to the Internet). Or, a rule may look for an S3 policy that allows accessfrom an unknown AWS account (meaning you may be unintentionally sharing the data stored in your S3 bucket).Security Monkey has a number of built-in rules included, and users are free to add their own rules.
security_monkey.__version__security_monkey’s version number in PEP 386 format.
>>> import security_monkey>>> security_monkey.__version__u’0.3.5’
Class and method level definitions and documentation
31
security_monkey Documentation, Release 0.1.2
4.1.1 security_monkey Package
security_monkey Package
alerter Module
auditor Module
constants Module
datastore Module
decorators Module
exceptions Module
monitors Module
reporter Module
scheduler Module
watcher Module
Subpackages
auditors Package
auditors Package
elb Module
iam_group Module
iam_policy Module
iam_role Module
iam_ssl Module
iam_user Module
rds_security_group Module
redshift Module
s3 Module
32 Chapter 4. API Reference
security_monkey Documentation, Release 0.1.2
security_group Module
ses Module
sns Module
common Package
common Package
jinja Module
route53 Module
sts_connect Module
Subpackages
utils Package
utils Package
PolicyDiff Module
utils Module
tests Package
tests Package
test_s3 Module
test_sns Module
views Package
views Package
account Module
distinct Module
4.1. API Reference 33
security_monkey Documentation, Release 0.1.2
ignore_list Module
item Module
item_comment Module
item_issue Module
item_issue_justification Module
logout Module
revision Module
revision_comment Module
user_settings Module
whitelist Module
watchers Package
watchers Package
elastic_ip Module
elb Module
iam_group Module
iam_role Module
iam_ssl Module
iam_user Module
keypair Module
rds_security_group Module
redshift Module
34 Chapter 4. API Reference
security_monkey Documentation, Release 0.1.2
s3 Module
security_group Module
ses Module
sns Module
sqs Module
4.1.2 Indices and tables
• genindex
• modindex
• search
4.1. API Reference 35
CHAPTER 5
About
5.1 Authors
securitymonkey 0.1.2 is copyright 2014 Netflix. inc.
• Patrick Kelley <[email protected]>
• Kevin Glisson <[email protected]>
• Roy Rapoport <[email protected]>
If you want to contribute to security monkey, see Contributing.
5.2 Changelog
5.2.1 v0.3.6 (2015-04-09)
• Changes to issue score in code will now cause all existing issues to be re-scored in the database.
• A new configuration parameter called SECURITYGROUP_INSTANCE_DETAIL can now be set to:
– “FULL”: Security Groups will display each instances, and all instance tags, that are associated withthe security group.
– “SUMMARY”: Security Groups will display the number of instances attached to the security group.
– “NONE”: Security Groups will not retrieve any data about instances attached to a security group.
– If SECURITY_GROUP_INSTANCE_DETAIL is set to “FULL” or “SUMMARY”, empty securitygroups audit issues will have their score set to zero.
– For accounts with many thousands of instances, it is advised to set this to “NONE” as the AWS API’sdo not respond in a timely manner with that many instances.
• Each watcher can be set to run at a different interval in code. We will want to move this to be a UI setting.
• Watchers may specify a list of ephemeral paths. Security_monkey will not send out change alerts for items inthe ephemeral section. This is a good place for metadata that is often changing like the number of instancesattached to a security_group or the number of remaining IP addresses in a VPC subnet.
Contributors: - lucab - monkeysecurity
37
security_monkey Documentation, Release 0.1.2
5.2.2 v0.3.5 (2015-03-28)
• Adding policy minimizer & expander to the revision component
• Adding tracking of instance profiles attached to a role
• Adding marker/pagination code to redshift.describe_clusters()
• Adding pagination to IAM User get_all_user_policies, get_all_access_keys, get_all_mfa_devices,get_all_signing_certs
• Typo & minor corrections on postgres commands
• CLI command to save your current configurations to a JSON file for backup
• added a VPC watcher
• Adding DHCP Options and Internet Gateways to the VPC Watcher
• Adding a subnet watcher. Fixing the VPC watcher with deep_dict
• Adding the vpc route_table watcher
• Removing subnet remaining IP field until ephemeral section is merged in
• Adding IAM Managed Policies
• Typo & minor corrections on postgres commands in documentation
• Adds ELBSecurityPolicy-2015-03. Moves export grade ciphers to their own section and alerts on FREAK vuln.
• Provides context on refpol 2015-03 vs 2015-02.
• Adding a Managed Policies Auditor
• Added Manged Policy tracking to the IAM users, groups, and roles
Summary of new watchers:
• vpc
– DHCP Options
– Internet Gateways
• subnet
• routetable
• managed policies
Summary of new Auditors or audit checks:
• managed policies
• New reference policy 2015-03 for ELB listeners.
• New alerts for FREAK vulnerable ciphers.
Contributors:
• markofu
• monkeysecurity
38 Chapter 5. About
security_monkey Documentation, Release 0.1.2
5.2.3 v0.3.4 (2015-2-19)
• Merged in a new AuditorSettings tab created by Qmando at Yelp enabling you to disable audit checks withper-account granularity.
• security_monkey is now CSP compliant.
• security_monkey has removed all shadow-DOM components. Also removed webcomponents.js anddart_support.js, as they were not CSP compliant.
• security_monkey now advises users to enable standard security headers following headers:
X-Content-Type-Options "nosniff";X-XSS-Protection "1; mode=block";X-Frame-Options "SAMEORIGIN";Strict-Transport-Security "max-age=631138519";Content-Security-Policy "default-src ’self’; font-src ’self’ https://fonts.gstatic.com; script-src ’self’ https://ajax.googleapis.com; style-src ’self’ https://fonts.googleapis.com;"
• security_monkey now has XSRF protection against all DELETE, POST, PUT, and PATCH calls.
• Updated the ELB Auditor to be aware of the ELBSecurityPolicy-2015-02 reference policy.
Contributers:
• Qmando
• monkeysecurity
5.2.4 v0.3.3 (2015-2-3)
• Added MirorsUsed() to my dart code to reduce compiled javascript size.
• Added support for non-chrome browsers by importing webcomponents.js and dart_support.js
• Upgraded to Angulardart 1.1.0 and Angular-dart.ui 0.6.3
5.2.5 v0.3.2 (2015-1-20)
• A bug has been corrected where IAM Groups with > 100 members or policies would be truncated.
• The web UI has been updated to use AngularDart 1.0.0. Significantly smaller javascript size.
5.2.6 v0.3.1 (2015-1-11)
• Change emails again show issues and justifications.
• Change emails now use jinja templating.
• Fixed an issue where issue justifications would disappear when the item was changed.
• Merged a pull request from github user jijojv to start the scheduler at launch instead of waiting 15 minutes.
5.2.7 v0.3.0 (2014-12-19)
• Add localhost to CORS for development.
• Big refactor adding monitors. Adding new watchers/auditors is now much simpler.
• Return to the current URL after authenticating.
5.2. Changelog 39
security_monkey Documentation, Release 0.1.2
• Added SES_REGION config. Now you can send email out of regions other than us-east-1.
• Changing default log location to /var/log/security_monkey.
• Docs now have cleaner nginx.conf.
• Add M2Crypto to get a number of new iamssl fields.
• Added favicon.
new watchers:
• eip
• redshift
• ses
enhanced watchers:
• iamssl - new fields from m2crypto
• elb - new listener policies from botocore
• sns - added sns subscriptions
• s3 - now tracks lifecycle rules
new auditors:
• redshift - checks for non-vpc deployment.
• ses - checks for verified identities
enhanced auditors:
• iamssl - cert size, signature hashing algorithm, upcoming expiration, heartbleed
• elb - check reference policy and certain custom policy fields
hotfixes:
• Fixed issue #12 - Deleting account results in foreign key constraint.
• Added missing alembic script for the ignorelist.
• Various minor documentation updates.
• API server now respects –bind parameter. (Required for the docker image).
• SES connection in utils.py is now surrounded in a try/except.
• FlaskSecurity upgraded to latest.
Contributers:
• ivanlei
• lucab
• yograterol
• monkeysecurity
40 Chapter 5. About
security_monkey Documentation, Release 0.1.2
5.2.8 v0.2.0 (2014-10-31)
Changes in the Web UI:
• Dart: Dates are now displayed in your local timezone.
• Dart: Added Item-level comments.
• Dart: Added the ability to bulk-justify issues from the Issues Table view. This uses the AngularDartUI ModalComponent.
• Dart: Added better messaging around the settings for adding an account. This closes issue #38. This uses theAngularDartUI tooltip component.
• Bug Fix: Colors in the Item table now correctly represent the justification status.
• Dart: Added AngularUI Tabs to select between diff and current configuration display.
• Dart: Added a timer-based auto-refresh so SM can be used as a dashboard.
• Dart: Replaced a number of custom http services with Victor Savkin’s Hammock library. - More than 965 linesof code removed after using Hammock.
• Dart: Replaced custom pagination code with AngularDartUI’s Pagination Component. - IssueTable - Revi-sionTable - ItemTable - AccountSettingsTable
• Dart: Network CIDR whitelist is now configured in the web UI under settings.
• Dart: Object Ignorelist is now configured in the web UI under settings.
• Created a new PaginatedTable parent class for all components that wish to display paginated data. This tableworks with AngularDart’s Pagination Component and also provides the ability to change the number of itemsdisplayed on each page.
• Dart: Added ng_infinite_scroll to the item_detail_view for loading revisions
• Dart: Moved a number of components from being their own libraries to being ‘part of‘ the security_monkeylibrary.
• Dart: Replaced the last controller (UsernameController) with a Component to prepare for AngularDart 1.0.0
• Dart: Style - Renamed library from SecurityMonkey to security_monkey to follow the dart style guide. Refac-tored much of main.dart into lib/security_monkey.dart to try and mimic the cleaner design of the new angularsample app: https://github.com/vsavkin/angulardart-sample-app
Changes in the core product:
• Updated API endpoints to better follow REST architecture.
• Added table for NetworkWhitelist.
• Added rest API endpoints for NetworkWhitelist.
• Added Alembic migration script to add the new NetworkWhitelist table to the DB.
• Added table for IgnoreList.
• Added rest API endpoints for Ignorelist.
• Added Alembic migration script to add the new IgnoreList table to the DB.
• Added check for rfc-1918 CIDRs in non-VPC security groups.
• Saving IAMSSL Certs by cert name instead of cert ID
• Marking VPC RDS Security Groups with their VPC ID
• Supports Paginated Boto access for RDS Security Groups.
5.2. Changelog 41
security_monkey Documentation, Release 0.1.2
• Added alert for non-VPC RDS SG’s containing RFC-1918 CIDRs
• Added check for IAM USER AKEY rotation
• Added check for IAM USER with login profile (console access) And Access Keys (API Access)
• Added an ELB Auditor with a check for internet-facing ELB.
• Added check for security groups with large port ranges.
5.2.9 v0.1.2 (2014-08-11)
Changes in the Web UI:
• Dart: Removed Shadow DOM dependency and set version bounds in pubspec.yaml.
• Dart: Replaced package:js with dart:js.
• Dart: Added the Angular Pub Transformer.
Changes in the core product:
• Added AWS Rate Limiting Protection with exponential backoff code.
• Added instructions to get a local development environment setup for contributing to security_monkey.
• Added support for boto’s new ELB pagination. The pull request to boto and to security_monkey came fromKevin Glisson.
• Bug fix: Security Group Audit Issues now include the port the issue was reported on.
These were already in master, but weren’t tied to a new release:
• Bug fix: Supervisor script now sets SECURITY_MONKEY_SETTINGS envvar for the API server whereas itonly previously set the envvar for the scheduler. This came from a pull request from parabolic.
• Bug fix: Audit reports will only be sent if there are issues to report on.
• Bug fix: Daily Audit Email setting (ALL/NONE/ISSUES) is now respected.
• Bug fix: Command Line Auditor Command Arguments are now coerced into being booleans.
• Quickstart Guide now instructs user to setup the web UI on SSL.
• Various Smaller Bug Fixes.
5.2.10 v0.1.1 (2014-06-30)
Initial release of Security Monkey!
5.3 Contributing
Contributions to Security Monkey are welcome! Here are some tips to get you started hacking on Security Monkeyand contributing back your patches.
42 Chapter 5. About
security_monkey Documentation, Release 0.1.2
5.3.1 Development Setup OS X
Install Brew (http://brew.sh) Requirement - Xcode Command Line Tools (Popup - Just click Install):
ruby -e "$(curl -fsSL https://raw.github.com/Homebrew/homebrew/go/install)"
Install Pip A tool for installing and managing Python packages:
sudo easy_install pip
Virtualenv A tool to create isolated Python environments:
sudo pip install virtualenv
VirtualenvWrapper virtualenvwrapper is a set of extensions to Ian Bicking’s virtualenv tool. The extensions includewrappers for creating and deleting virtual environments and otherwise managing your development workflow,making it easier to work on more than one project at a time without introducing conflicts in their dependencies.:
sudo pip install virtualenvwrapper
Configure VirtualEnvWrapper Configure VirtualEnvWrapper so it knows where to store the virtualenvs and wherethe virtualenvwerapper script is located.:
cd ~mkdir virtual_envsvi ~/.bash_profile
Add these two lines to your ~/.bash_profile:
export WORKON_HOME="$HOME/virtual_envs/"source "/usr/local/bin/virtualenvwrapper.sh"
You’ll need to open a new terminal (or run source ~/.bash_profile) before you can create the vir-tualenv:
mkvirtualenv security_monkeyworkon security_monkey
Clone Clone the security monkey code repository.:
git clone https://github.com/Netflix/security_monkey.gitcd security_monkey
SECURITY_MONKEY_SETTINGS Set the environment variable in your current session that tells Flask where theconfiguration file is located.:
export SECURITY_MONKEY_SETTINGS=‘pwd‘/env-config/config-local.py
Note - I like to append this to the virtualenv activate script:
vi $HOME/virtual_envs/security_monkey/bin/activateexport SECURITY_MONKEY_SETTINGS=$HOME/security_monkey/env-config/config-local.py
Postgres Install Postgres. Create a database for security monkey and add a role. Set the timezone to GMT.:
brew install postgresql
Start the DB in a new shell:
postgres -D /usr/local/var/postgres
Create the database and users and set the timezone.:
5.3. Contributing 43
security_monkey Documentation, Release 0.1.2
psql -d postgres -h localhostCREATE DATABASE "securitymonkeydb";CREATE ROLE "securitymonkeyuser" LOGIN PASSWORD ’securitymonkeypass’;CREATE SCHEMA securitymonkeydbGRANT Usage, Create ON SCHEMA "securitymonkeydb" TO "securitymonkeyuser";set timezone to ’GMT’;select now();
Exit the Postgres CLI tool:
CTRL-D
Install Pip Requirements Pip will install all the dependencies into the current virtualenv.:
pip install -r requirements.txt
Init DB: Run Alembic/FlaskMigrate to create all the database tables.:
python manage.py db upgrade
Start the API: This starts the REST API that the Angular application will communicate with.:
python manage.py runserver
Launch Dart Editor Download the Dartlang and Editor from ( http://www.dartlang.org/ )
Edit dart/lib/util/constants.dart and set API_HOST to this value:
final String API_HOST = ’http://127.0.0.1:5000/api/1’;
In the Dart Editor, right click on dart/web/ui.html and select “Run in Dartium” from the dropdown menu.
Register a user Chromium/Dartium will launch and will redirect to the login page. Select the Register link (http://127.0.0.1/register ) to create an account.
Setup an account After you have registered an account, proceed to login ( http://127.0.0.1/login ). Once logged in,click on Settings and on the + to add a new account.
Obtaining instance credentials You’ll need to obtain AWS credentials to execute the watchers. See the boto docu-mentation for more information.
http://boto.readthedocs.org/en/latest/boto_config_tut.html
Manually Run the Watchers Run the watchers to put some data in the database.:
cd ~/security_monkey/python manage.py run_change_reporter all
You can also run an individual watcher:
python manage.py find_changes -a all -m allpython manage.py find_changes -a all -m iamrolepython manage.py find_changes -a "My Test Account" -m iamgroup
You can run the auditors against the items currently in the database:
python manage.py audit_changes -a all -m redshift --send_report=False
5.3.2 Development Setup Ubuntu
Apt-get Installs These must be installed first.:
44 Chapter 5. About
security_monkey Documentation, Release 0.1.2
sudo apt-get install git git-flow python-pip postgresql postgresql-contrib libpq-dev python-dev swig
Install Virtualenv A tool to create isolated Python environments:
sudo pip install virtualenv
Create a folder to hold your virtualenvs:
cd ~mkdir virtual_envscd virtual_envs
Create a virtualenv for security_monkey:
virtualenv security_monkey
Activate the security_monkey virtualenv:
source ~/virtual_envs/security_monkey/bin/activate
Clone the repository Clone the security monkey code repository.:
cd ~git clone https://github.com/Netflix/security_monkey.gitcd security_monkey
Install Pip Requirements Pip will install all the dependencies into the current virtualenv.:
pip install -r requirements.txt
SECURITY_MONKEY_SETTINGS Set the environment variable in your current session that tells Flask where theconifguration file is located.:
export SECURITY_MONKEY_SETTINGS=‘pwd‘/env-config/config-local.py# Note - I like to append this to the virtualenv activate scriptvi $HOME/virtual_envs/security_monkey/bin/activateexport SECURITY_MONKEY_SETTINGS=$HOME/security_monkey/env-config/config-local.py
Postgres Install Postgres. Create a database for security monkey and add a role. Set the timezone to GMT.:
sudo -u postgres psqlCREATE DATABASE "securitymonkeydb";CREATE ROLE "securitymonkeyuser" LOGIN PASSWORD ’securitymonkeypass’;GRANT Usage, Create ON SCHEMA "securitymonkeydb" TO "securitymonkeyuser";set timezone TO ’GMT’;
Init DB: Run Alembic/FlaskMigrate to create all the database tables.:
python manage.py db upgrade
Start the API: This starts the REST API that the Angular application will communicate with.:
python manage.py runserver
Launch Dart Editor Download the Dartlang and Editor from ( http://www.dartlang.org/ )
Edit dart/lib/util/constants.dart and set API_HOST to this value:
final String API_HOST = ’http://127.0.0.1:5000/api/1’;
In the Dart Editor, right click on dart/web/ui.html and select “Run in Dartium” from the dropdown menu.
5.3. Contributing 45
security_monkey Documentation, Release 0.1.2
Register a user Chromium/Dartium will launch and will redirect to the login page. Select the Register link (http://127.0.0.1/register ) to create an account.
Setup an account After you have registered an account, proceed to login ( http://127.0.0.1/login ). Once logged in,click on Settings and on the + to add a new account.
More Read the OS X sections on Obtaining instance credentials and how to Manually Run theWatchers.
5.3.3 Submitting changes
• Code should be accompanied by tests and documentation. Maintain our excellent test coverage.
• Follow the existing code style, especially make sure flake8 does not complain about anything.
• Write good commit messages. Here’s three blog posts on how to do it right:
– Writing Git commit messages
– A Note About Git Commit Messages
– On commit messages
• One branch per feature or fix. Keep branches small and on topic.
• Send a pull request to the v1/develop branch. See the GitHub pull request docs for help.
5.3.4 Additional resources
• Issue tracker
• GitHub documentation
46 Chapter 5. About