Release v0.8.0

dart/lib/component/settings/auditor_settings_component/auditor_settings_component.html

@@ -30,7 +30,7 @@
                     <td>{{auditoritem.issue}}</td>
                     <td>{{auditoritem.account}}</td>
                     <td>{{auditoritem.technology}}</td>
-                    <td><a href="#/issues/-/{{url_encode(auditoritem.technology)}}/{{url_encode(auditoritem.account)}}/-/True/{{url_encode(auditoritem.issue)}}/1/25">{{auditoritem.count}}</a></td>
+                    <td><a href="#/issues/-/{{url_encode(auditoritem.technology)}}/{{url_encode(auditoritem.account)}}/-/-/True/{{url_encode(auditoritem.issue)}}/1/25">{{auditoritem.count}}</a></td>
                     <td ng-if="auditoritem.disabled==true"><b>TRUE</b></td>
                     <td ng-if="auditoritem.disabled==false">false</td>
                     <td ng-if="us.hasRole('Justify')">

docs/development.rst

@@ -46,10 +46,10 @@ Sample Watcher structure::
         # Look up relevant items, convert to list of SampleItem's, return list
 
     class SampleItem(ChangeItem):
-        def __init__(self, account=None, name=None, config={}):
+        def __init__(self, account=None, name=None, region=None, config={}):
             super(SampleItem, self).__init__(
-                    index=IAMGroup.index,
-                    region='universal',
+                    index=Sample.index,
+                    region=region,
                     account=account,
                     name=name,
                     new_config=config)
@@ -153,3 +153,4 @@ Typically, if an audit issue is dependent on another one, a the two should be li
 .. image:: images/linked_issue.png
 
 This can be achieved by the `Auditor <../../security_monkey/auditor.py>`_ link_to_support_item_issues() method.
+

manage.py

@@ -48,16 +48,16 @@ def drop_db():
 @manager.option('-a', '--accounts', dest='accounts', type=unicode, default=u'all')
 def run_change_reporter(accounts):
     """ Runs Reporter """
-    account_names = __parse_accounts__(accounts)
+    account_names = _parse_accounts(accounts)
     sm_run_change_reporter(account_names)
 
 
 @manager.option('-a', '--accounts', dest='accounts', type=unicode, default=u'all')
 @manager.option('-m', '--monitors', dest='monitors', type=unicode, default=u'all')
 def find_changes(accounts, monitors):
     """ Runs watchers """
-    monitor_names = __parse_tech_names__(monitors)
-    account_names = __parse_accounts__(accounts)
+    monitor_names = _parse_tech_names(monitors)
+    account_names = _parse_accounts(accounts)
     sm_find_changes(account_names, monitor_names)
 
 
@@ -66,8 +66,8 @@ def find_changes(accounts, monitors):
 @manager.option('-r', '--send_report', dest='send_report', type=bool, default=False)
 def audit_changes(accounts, monitors, send_report):
     """ Runs auditors """
-    monitor_names = __parse_tech_names__(monitors)
-    account_names = __parse_accounts__(accounts)
+    monitor_names = _parse_tech_names(monitors)
+    account_names = _parse_accounts(accounts)
     sm_audit_changes(account_names, monitor_names, send_report)
 
 
@@ -76,8 +76,8 @@ def audit_changes(accounts, monitors, send_report):
 @manager.option('-o', '--outputfolder', dest='outputfolder', type=unicode, default=u'backups')
 def backup_config_to_json(accounts, monitors, outputfolder):
     """ Saves the most current item revisions to a json file. """
-    monitor_names = __parse_tech_names__(monitors)
-    account_names = __parse_accounts__(accounts)
+    monitor_names = _parse_tech_names(monitors)
+    account_names = _parse_accounts(accounts)
     sm_backup_config_to_json(account_names, monitor_names, outputfolder)
 
 
@@ -199,19 +199,6 @@ def create_user(email, role):
     db.session.add(user)
     db.session.commit()
 
-def __parse_tech_names__(tech_str):
-    if tech_str == 'all':
-        return watcher_registry.keys()
-    else:
-        return tech_str.split(',')
-
-def __parse_accounts__(account_str):
-    if account_str == 'all':
-        accounts = Account.query.filter(Account.third_party==False).filter(Account.active==True).all()
-        accounts = [account.name for account in accounts]
-        return accounts
-    else:
-        return account_str.split(',')
 
 def _parse_tech_names(tech_str):
     if tech_str == 'all':

migrations/versions/ad23a56abf25_.py

@@ -8,7 +8,7 @@
 
 # revision identifiers, used by Alembic.
 revision = 'ad23a56abf25'
-down_revision = '0ae4ef82b244'
+down_revision = '1a863bd1acb1'
 
 from alembic import op
 import sqlalchemy as sa

security_monkey/decorators.py

@@ -124,7 +124,7 @@ def decorated_function(*args, **kwargs):
                 try:
                     (role, regions) = get_regions(account, service_name)
                 except Exception as e:
-                    exc = BotoConnectionIssue(str(e), index, account, None)
+                    exc = BotoConnectionIssue(str(e), index, account.name, None)
                     exception_map[(index, account)] = exc
                     return item_list, exception_map
 
@@ -142,7 +142,7 @@ def decorated_function(*args, **kwargs):
                     itm, exc = f(*args, **kwargs)
                     item_list.extend(itm)
                     exception_map.update(exc)
-  return item_list, exception_map
+            return item_list, exception_map
         return decorated_function
     return decorator
 

security_monkey/jirasync.py

@@ -75,7 +75,7 @@ def add_or_update_issue(self, issue, technology, account, count):
         jql = 'project={0} and summary~"{1}"'.format(self.project, summary_search)
         issues = self.client.search_issues(jql)
 
-        url = "{0}/#/issues/-/{1}/{2}/-/True/{3}/1/25".format(self.url, technology, account, urllib.quote(issue, ''))
+        url = "{0}/#/issues/-/{1}/{2}/-/-/True/{3}/1/25".format(self.url, technology, account, urllib.quote(issue, ''))
         timezone = time.tzname[time.localtime().tm_isdst]
         description = ("This ticket was automatically created by Security Monkey. DO NOT EDIT SUMMARY OR BELOW THIS LINE\n"
                       "Number of issues: {0}\n"

security_monkey/monitors.py

@@ -17,12 +17,14 @@ def __init__(self, watcher_class, accounts, debug=False):
         self.watcher = watcher_class(accounts=accounts, debug=debug)
         self.auditors = []
         self.audit_tier = 0
+
         for auditor_class in auditor_registry[self.watcher.index]:
             self.auditors.append(auditor_class(accounts=accounts, debug=debug))
 
 def get_monitors(accounts, monitor_names, debug=False):
     """
-    Returns a list of monitors which apply to one or more of the accounts.
+    Returns a list of monitors in the correct audit order which apply to one or
+    more of the accounts.
     """
     requested_mons = []
     for monitor_name in monitor_names:
@@ -32,8 +34,6 @@ def get_monitors(accounts, monitor_names, debug=False):
 
     return requested_mons
 
-    return requested_mons
-
 def get_monitors_and_dependencies(accounts, monitor_names, debug=False):
     """
     Returns a list of monitors in the correct audit order which apply to one or

security_monkey/scheduler.py

@@ -46,6 +46,7 @@ def find_changes(accounts, monitor_names, debug=True):
     audit_changes(accounts, monitor_names, False, debug)
     db.session.close()
 
+
 def audit_changes(accounts, monitor_names, send_report, debug=True):
     monitors = get_monitors_and_dependencies(accounts, monitor_names, debug)
     for monitor in monitors:
@@ -112,7 +113,8 @@ def setup_scheduler():
             auditors = []
             for monitor in rep.get_watchauditors(account):
                 auditors.extend(monitor.auditors)
-            scheduler.add_cron_job(audit_changes, hour=10, day_of_week="mon-fri", args=[auditors, True])
+            scheduler.add_cron_job(_audit_changes, hour=10, day_of_week="mon-fri", args=[auditors, True])
+
 
         # Clear out old exceptions:
         scheduler.add_cron_job(_clear_old_exceptions, hour=3, minute=0)

security_monkey/tests/test_elasticsearch_service.py

@@ -291,6 +291,7 @@
 
 mock_query = MockAccountQuery()
 
+
 class ElasticSearchServiceTestCase(SecurityMonkeyTestCase):
     def setUp(self):
         self.es_items = [

security_monkey/watchers/cloud_trail.py

@@ -100,18 +100,19 @@ def slurp(self):
                     # Utilizing home_region here ensures a single, unique entry
                     # for each CloudTrail resource
                     item = CloudTrailItem(
-                        region=home_region, account=account, name=name, config=item_config)
+                        region=home_region, account=account, name=name, arn=trail.get('TrailARN'), config=item_config)
                     item_list.append(item)
 
         return item_list, exception_map
 
 
 class CloudTrailItem(ChangeItem):
 
-    def __init__(self, account=None, region=None, name=None, config={}):
+    def __init__(self, account=None, region=None, name=None, arn=None, config={}):
         super(CloudTrailItem, self).__init__(
             index=CloudTrail.index,
             region=region,
             account=account,
             name=name,
+            arn=arn,
             new_config=config)

security_monkey/watchers/config.py

@@ -94,18 +94,20 @@ def slurp(self):
                     }
 
                     item = ConfigItem(
-                        region=region.name, account=account, name=name, config=item_config)
+                        region=region.name, account=account, name=name,
+                        arn=config_rule.get('ConfigRuleArn'), config=item_config)
                     item_list.append(item)
 
         return item_list, exception_map
 
 
 class ConfigItem(ChangeItem):
 
-    def __init__(self, account=None, region=None, name=None, config={}):
+    def __init__(self, account=None, region=None, name=None, arn=None, config={}):
         super(ConfigItem, self).__init__(
             index=Config.index,
             region=region,
             account=account,
             name=name,
+            arn=arn,
             new_config=config)

security_monkey/watchers/config_recorder.py

@@ -20,27 +20,43 @@
 
 
 """
+
 from security_monkey.watcher import Watcher
 from security_monkey.watcher import ChangeItem
 from security_monkey.constants import TROUBLE_REGIONS
 from security_monkey.exceptions import BotoConnectionIssue
 from security_monkey import app
 from boto.ec2 import regions
+from security_monkey.decorators import record_exception, iter_account_region
 
 
 class ConfigRecorder(Watcher):
     index = 'configrecorder'
     i_am_singular = 'Config Recorder'
     i_am_plural = 'Config Recorders'
+
     # TODO: Replace hardcoded region with `get_available_regions` after next boto3 release
     # Specific PR here: https://github.com/boto/boto3/pull/531/files
     # AWS Config currently only supports the following regions
     regions = ["us-east-1", "us-west-1", "us-west-2", "eu-west-1", "eu-central-1",
                "ap-northeast-1", "ap-southeast-1", "ap-southeast-2", "sa-east-1"]
 
+
     def __init__(self, accounts=None, debug=False):
         super(ConfigRecorder, self).__init__(accounts=accounts, debug=debug)
 
+
+    @record_exception(source="configrecorder")
+    def describe_configuration_recorders(self, **kwargs):
+        from security_monkey.common.sts_connect import connect
+        config_service = connect(kwargs['account_name'], 'boto3.config.client',
+                                 region=kwargs['region'])
+        response = self.wrap_aws_rate_limited_call(config_service.describe_configuration_recorders)
+        config_recorders = response.get('ConfigurationRecorders', [])
+
+        return [recorder for recorder in config_recorders if not self.check_ignore_list(recorder.get('name'))]
+
+
     def slurp(self):
         """
         :returns: item_list - list of AWS Config recorders.
@@ -49,56 +65,35 @@ def slurp(self):
         """
         self.prep_for_slurp()
 
-        item_list = []
-        exception_map = {}
-        from security_monkey.common.sts_connect import connect
-        for account in self.accounts:
-            for region in regions():
-                # TODO: Replace hardcoded region with `get_available_regions` after next boto3 release
-                # Specific PR here:
-                # https://github.com/boto/boto3/pull/531/files
-                if region.name in self.regions:
-                    app.logger.debug(
-                        "Checking {}/{}/{}".format(self.index, account, region.name))
-
-                    try:
-                        config_service = connect(
-                            account, 'boto3.config.client', region=region)
-
-                        response = self.wrap_aws_rate_limited_call(
-                            config_service.describe_configuration_recorders
-                        )
-
-                        config_recorders = response.get(
-                            'ConfigurationRecorders', [])
-                    except Exception as e:
-                        app.logger.debug("Exception found: {}".format(e))
-                        if region.name not in TROUBLE_REGIONS:
-                            exc = BotoConnectionIssue(
-                                str(e), self.index, account, region.name)
-                            self.slurp_exception(
-                                (self.index, account, region.name), exc, exception_map)
-                        continue
-                    app.logger.debug("Found {} {}.".format(
-                        len(config_recorders), self.i_am_plural))
-
-                    for recorder in config_recorders:
-                        name = recorder.get('name')
-
-                        if self.check_ignore_list(name):
-                            continue
-
-                        item_config = {
-                            'name': name,
-                            'role_arn': recorder.get('roleARN'),
-                            'recording_group': recorder.get('recordingGroup')
-                        }
-
-                        item = ConfigRecorderItem(
-                            region=region.name, account=account, name=name, config=item_config)
-                        item_list.append(item)
-
-        return item_list, exception_map
+        @iter_account_region(index=self.index, accounts=self.accounts, service_name='config')
+        def slurp_items(**kwargs):
+            item_list = []
+            exception_map = {}
+
+            app.logger.debug("Checking {}/{}/{}".format(self.index,
+                                                        kwargs['account_name'],
+                                                        kwargs['region']))
+
+            config_recorders = self.describe_configuration_recorders(**kwargs)
+            if config_recorders:
+                app.logger.debug("Found {} {}.".format(len(config_recorders), self.i_am_plural))
+
+                for recorder in config_recorders:
+                    name = recorder.get('name')
+
+                    item_config = {
+                        'name': name,
+                        'role_arn': recorder.get('roleARN'),
+                        'recording_group': recorder.get('recordingGroup')
+                    }
+
+                    item = ConfigRecorderItem(region=kwargs['region'],
+                                              account=kwargs['account_name'],
+                                              name=name, config=item_config)
+                    item_list.append(item)
+
+            return item_list, exception_map
+        return slurp_items()
 
 
 class ConfigRecorderItem(ChangeItem):

security_monkey/watchers/kms.py

@@ -194,7 +194,7 @@ def slurp_items(**kwargs):
 
                             name = "{alias} ({key_id})".format(alias=alias, key_id=key_id)
 
-                            item = KMSMasterKey(region=kwargs['account_name'], account=kwargs['account_name'], name=name, arn=config.get('Arn'), config=dict(config))
+                            item = KMSMasterKey(region=kwargs['region'], account=kwargs['account_name'], name=name, arn=config.get('Arn'), config=dict(config))
                             item_list.append(item)
 
             return item_list, exception_map

security_monkey/watchers/lambda_function.py

@@ -96,7 +96,7 @@ def slurp_items(**kwargs):
 
                     item = LambdaFunctionItem(region=kwargs['region'],
                                               account=kwargs['account_name'],
-                                              name=name, config=dict(config))
+                                              name=name, arn=lambda_function.get('FunctionArn'), config=dict(config))
 
                     item_list.append(item)
 
@@ -106,10 +106,11 @@ def slurp_items(**kwargs):
 
 class LambdaFunctionItem(ChangeItem):
 
-    def __init__(self, region=None, account=None, name=None, config={}):
+    def __init__(self, region=None, account=None, name=None, arn=None, config={}):
         super(LambdaFunctionItem, self).__init__(
             index=LambdaFunction.index,
             region=region,
             account=account,
             name=name,
+            arn=arn,
             new_config=config)