Security Monkey Versions

Security Monkey monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.

1.1.3

5 years ago

v.1.1.3

Major bug fix for issue in v. 1.1.2 regarding Celery workers not running.

Other features:

  • Updated the SWAG client to use the latest version and schema.

*Please see the release notes from v.1.1.0, v1.1.1, and v1.1.2

Special thanks to the following contributors:

  • @mikegrima

1.1.2

5 years ago

v.1.1.2

Bug-fix roll-up from v.1.1.1.

This release introduces a significant number of database stability improvements.

Other features:

  • Log CloudWatch Metrics on the status of the watchers.
  • Multiple search terms, using a comma (,) as the delimiter

*Please see the release notes from v.1.1.0.

Special thanks to the following contributors:

  • @mikegrima
  • @mcpeak
  • @zpritcha
  • @mstair
  • @anners
  • @ollytheninja
  • @tabletcorry

1.1.1

5 years ago

v.1.1.1

Bug-fix roll-up from v.1.1.0.

This largely fixes issues with PyPI and Docker breaking due to the latest Bionic Beaver Ubuntu release.

*Please see the release notes from v.1.1.0.

Special thanks to the following contributors:

  • @mikegrima
  • @ollytheninja
  • @tabletcorry
  • @mstair
  • @ravindraprasad75

v1.1.0

6 years ago

v 1.1.0

Many fixes in this release and some new features as well.

BREAKING CHANGES FROM 1.0

The celeryconfig.py file has been moved to security_monkey/celeryconfig.py. Please don't forget to do this or the Celery scheduler and workers will break.

Important:

  • Database upgrade is required
  • New permissions are also now required for AWS (please review the AWS IAM docs for details):
    • ec2:describevpcattribute
    • ec2:describevpcclassiclink
    • ec2:describevpcclassiclinkdnssupport
    • ec2:describeflowlogs
  • celeryconfig.py file now lives in security_monkey/celeryconfig.py

New Features

  • Lots and lots of bug fixes that affect the database
  • Better VPC watcher
  • Dedicated watcher support (See this)
  • Fewer Flask deprecation warnings
  • Zero-interval watcher support
  • Docker improvements
  • Documentation improvements

Special thanks to the following contributors:

  • @mikegrima
  • @mstair
  • @mcpeak
  • @jcmcken
  • @senorcinco
  • @markofu
  • @naggappan
  • @cclauss
  • @ArtemSokoliuk
  • @sbasgall
  • @EmptyLaughter
  • @MKgridSec
  • @nickthetait
  • @fahrishb

Python 3 Support?

Not yet... but getting there! Special thanks to @cclauss for assistance here. There is still a lot of work to do to update unit tests and libraries to support Python 3.

We hope to be able to get a working version in Python 3 in the coming months.

v1.0.0

6 years ago

v1.0.0

Major Milestone release.

There are many, many changes that have been made. Below are some of the most important items to keep note of.

BREAKING CHANGES -- ALL NEW DEPLOYMENT MODEL

Please review the Upgrading and Autostarting docs for details.

New features:

We swapped out APScheduler in favor of Celery. This allows us to actually scale Security Monkey with multiple UI instances, and many, many workers so you can get data into Security Monkey much faster! Lots, and lots of bug fixes and documentation updates.

Additionally:

  • OpenStack watching and auditing support
  • GitHub Organization, Repos, and Teams watching and auditing
  • AWS GovCloud Support
  • Azure AD SSO provider support
  • AWS Glacier support
  • Support for SWAG account syncing.
  • Auditor improvements
  • Ability to import bulk network whitelists (and via S3)
  • Many IAM changes. Please review the IAM docs and update your permissions accordingly.

Too many PRs to list... Special thanks to the following contributors:

  • @mikegrima
  • @monkeysecurity
  • @mstair
  • @kevgliss
  • @mcpeak
  • @zpritcha
  • @mark-ignacio
  • @falcoris
  • @vishbhalla
  • @frohoff
  • @tabletcorry
  • @shrikant0013
  • @pjbgf
  • @billy-lechtenberg
  • @Qmando
  • @jleaniz
  • @wozz
  • @markofu
  • @cxmcc
  • @jpohjolainen
  • @PyScott
  • @sysboy
  • @gellerb
  • @fabiop
  • @joaquin386
  • @oba11
  • @castrapel
  • @NunoPinheiro
  • @apettinen
  • @johnclaus

KNOWN BUGS: Daily emails are not getting sent out. See #953

v0.9.2

6 years ago

v0.9.2 (2017-05-24)

  • PR #695 - @mikegrima - Fixing jinja import bug affecting change emails.
  • PR #692 - @LukeKennedy - Reduce number of API calls in Managed Policy watcher.
  • PR #694 - @supertom - GCP Documentation Updates
  • PR #701 - @supertom - Update GCP ServiceAccount Name to use email instead of DisplayName.
  • PR #702 - @rodriguezsergio - Update KMS Auditor. Don't create issue when Effect is Deny for a wildcard principal.
  • PR #697 - @mcpeak - Pylint fixes and TravisCI pylint enforcement.
  • PR #706 - @monkeysecurity - Fix bug where batched watchers did not send change alert emails.
  • PR #708 - @redixin - Fix bug in docker config where SECURITY_MONKEY_POSTGRES_PORT would not work if passed as a string.
  • PR #714 - @monkeysecurity - Fix bug where change emails from batched watchers had incorrect color in the JSON diff.
  • PR #713 - @monkeysecurity - Fix path to favicon from flask-security jinja templates.
  • PR #709 - @crruthe - Exempt SSO API from CSRF protection.
  • PR #719 - @monkeysecurity - New simplified watcher format for CloudAux Technologies.
  • PR #726 - @monkeysecurity, @willbengtson - Add new SAMLProvider watcher.
  • PR #730 - @monkeysecurity - Fix bug where ephemerals were not respected for CloudAuxWatcher subclasses.
  • PR #727 - @supertom - Fix bug where duplicate GCP names would violate DB's unique constraint. Names now contain project ID.
  • PR #728 - @supertom - Basic Auditor Tests for GCP.
  • @monkeysecurity - Updated link to Ubuntu's SSL documentation.
  • @monkeysecurity - Bumped version of Cryptography dependency.
  • PEP8 updates.

Important Notes:

  • Additional Permissions Required:
    • elasticloadbalancing:describelisteners
    • elasticloadbalancing:describerules
    • elasticloadbalancing:describesslpolicies
    • elasticloadbalancing:describetags
    • elasticloadbalancing:describetargetgroups
    • elasticloadbalancing:describetargetgroupattributes
    • elasticloadbalancing:describetargethealth
    • iam:listsamlproviders
  • New Watcher: ALB (elbv2)
  • ELB (v1) Watcher re-written with boto3 in CloudAux. Now respects the config value SECURITYGROUP_INSTANCE_DETAIL when determining whether to add the instance IDs to the ELB definition.

Contributors:

  • @LukeKennedy
  • @rodriguezsergio
  • @redixin
  • @crruthe
  • @supertom
  • @mcpeak
  • @mikegrima
  • @monkeysecurity

v0.9.1

7 years ago

v0.9.1 (2017-04-20)

  • PR #666 - @redixin - Use find_packages in setup.py to include nested packages.
  • PR #667 - @monkeysecurity - Explicitly adding urllib3[secure] to setup.py (REVERTED in #683)
  • PR #668 - @monkeysecurity - IPv6 support in security groups.
  • PR #669 - @monkeysecurity - Updating the security group auditor to treat ::/0 the same as 0.0.0.0/0
  • PR #671 - @monkeysecurity - Enhancing PolicyDiff to be able to handle non-ascii strings.
  • PR #673 - @monkeysecurity - Fixing path to aws_accounts.json. (Broken by moving manage.py)
  • PR #675 - @monkeysecurity - Adding package_data and data_files sections to setup.py.
  • PR #677 - @willbengtson - Fixing the security trackable information.
  • PR #682 - @monkeysecurity - Updating packaged supervisor config to provide full path to monkey
  • PR #681 - @AlexCline - Add reference_policies for TLS transitional ELB security policies
  • PR #684 - @monkeysecurity - Disabling DB migration b8ccf5b8089b. Was freezing some db upgrades
  • PR #683 - @monkeysecurity - Reverted #667. Added pip install --upgrade urllib3[secure] to quickstart and Dockerfile.
  • PR #685 - @monkeysecurity - Running docker-compose build in Travis-CI.
  • PR #688 - @mcpeak - Add Bandit gate to Security Monkey.
  • PR #687 - @mikegrima - Fix for issue #680. (Unable to edit account names)
  • PR #689 - @mikegrima - Enhancements to Travis-CI: parallelized the workloads. (docker/python/dart in parallel)

Important Notes:

  • This is a hotfix release to correct a number of installation difficulties reported since 0.9.0.

Contributors:

  • @redixin
  • @AlexCline
  • @willbengtson
  • @mcpeak
  • @mikegrima
  • @monkeysecurity

v0.9.0

7 years ago

v0.9.0 (2017-04-13)

  • PR #500 - @monkeysecurity - Updating ARN.py to look for StringEqualsIgnoreCase in policy condition blocks
  • PR #511 - @kalpatel01 - Fix KMSAuditor exceptions
  • PR #510 - @kalpatel01 - Add additional JIRA configurations
  • PR #504 - @redixin - Plugins support
  • PR #515 - @badraufran - Add ability to press enter to search in search bar component
  • PR #514 - @badraufran - Update dev_setup_osx.rst to get it up-to-date
  • PR #513 / #545 - @mikegrima - Fix for S3 watcher errors.
  • PR #516 - @badraufran - Remove broken packages link
  • PR #518 - @badraufran - Update dev_setup_osx (Remove sudo)
  • PR #519 - @selmanj - Minor reformatting/style changes to Docker docs
  • PR #512 / #521 - @kalpatel01 - Organize tests into directories
  • PR #524 - @kalpatel01 - Remove DB mock class
  • PR #522 - @kalpatel01 - Optimize SQL for account delete
  • PR #525 - @kalpatel01 - Handle known kms boto exceptions
  • PR #529 - @mariusgrigaitis - Usage of GOOGLE_HOSTED_DOMAIN in sample configs
  • PR #532 - @kalpatel01 - Add sorting to account tables (UI)
  • PR #538 - @cu12 - Add more Docker envvars
  • PR #536 / #540 - @supertom - Add account type field to item, item details and search bar.
  • PR #534 / #541 - @kalpatel01 - Add bulk enable and disable account service
  • PR #546 - @supertom - GCP: fixed accounttypes typo.
  • PR #547 - @monkeysecurity - Delete deprecated Account fields
  • PR #528 - @kalpatel01 - Fix reaudit issue for watchers in different intervals
  • PR #553 - @mikegrima - Fixed bugs in the ES watcher
  • PR #535 / #552 - @kalpatel01 - Add support for overriding audit scores
  • PR #560 / #587 - @mikegrima - Bump CloudAux version
  • PR #533 / #559 - @kalpatel01 - Add Watcher configuration
  • PR #562 - @monkeysecurity - Re-adding reporter timing information to the logs.
  • PR #557 - @kalpatel01 - Add justified issues report
  • PR #573 - @monkeysecurity - Fixing duplicate ARN issue.
  • PR #564 - @kalpatel01 - Fix justification preservation bug
  • PR #565 - @kalpatel01 - Handle unicode name tags
  • PR #571 - @kalpatel01 - Explicitly set export filename
  • PR #572 - @kalpatel01 - Fix minor watcher bugs
  • PR #576 - @kalpatel01 - Set user role via SSO profile
  • PR #569 - @kalpatel01 - Split check_access_keys method in the IAM User Auditor
  • PR #566 - @kalpatel01 - Convert watchers to boto3
  • PR #568 - @kalpatel01 - Replace ELBAuditor DB query with support watcher
  • PR #567 - @kalpatel01 - Reduce AWS managed policy audit noise
  • PR #570 - @kalpatel01 - Add support for custom watcher and auditor alerters
  • PR #575 - @kalpatel01 - Add functionality to clean up stale issues
  • PR #582 - @supertom - [GCP] Watchers/Auditors for GCP
  • PR #588 - @supertom - GCP docs: Draft of GCP changes
  • PR #592 - @monkeysecurity - SSO Role Modifications
  • PR #597 - @supertom - GCP: fixed issue where client wasn't receiving user-specified creds
  • PR #598 - @redixin - Implement add_account_%s for custom accounts
  • PR #600 - @supertom - GCP: fixed issue where bucket watcher wasn't sending credentials to Cloudaux
  • PR #602 - @crruthe - Added permission for DescribeVpnGateways missing
  • PR #605 - @monkeysecurity - ELB Auditor - Fixing reference to check_rfc_1918
  • PR #610 - @monkeysecurity - Adding Unique Index to TechName and AccountName
  • PR #612 - @carise - Add a section on using GCP Cloud SQL Postgres with Cloud SQL Proxy
  • PR #613 - @monkeysecurity - Setting Item.issue_count to deferred. Only joining tables in distinct if necessary.
  • PR #614 - @monkeysecurity - Increasing default timeout
  • PR #607 - @supertom - GCP: Set User Agent
  • PR #609 - @mikegrima - Added ephemeral section to S3 for "GrantReferences"
  • PR #611 - @roman-vynar - Quick start improvements
  • PR #619 - @mikegrima - Fix for plaintext passwords in DB if using CLI for user creation
  • PR #622 - @jonhadfield - Fix ACM certificate ImportedAt timestamp
  • PR #616 - @redixin - Fix docs and variable names related to custom alerters
  • PR #502 - @mikegrima - Batching support for watchers
  • PR #631 - @supertom - Added __version__ property
  • PR #632 - @sysboy - Set the default value of SECURITY_REGISTERABLE to False
  • PR #629 - @BobPeterson1881 - Fix security group rule parsing
  • PR #630 - @BobPeterson1881 - Update dashboard view filter links
  • PR #633 - @sysboy - Log Warning when S3 ACL can't be retrieved.
  • PR #639 - @monkeysecurity - Removing reference to zerotodocker.
  • PR #624 - @mikegrima - Adding utilities to get S3 canonical IDs.
  • PR #640 - @supertom - GCP: fixed UI Account Type filtering
  • PR #642 - @monkeysecurity - Adding active and third_party flags to account view API
  • PR #646 - @monkeysecurity - Removing s3_name from exporter and renaming Account.number to identifier
  • PR #648 - @mikegrima - Fix for UI Account creation bug
  • PR #657 / #658 - @jeyglk - Fix Docker
  • PR #655 - @monkeysecurity - Updating quickstart/install documentation to simplify.
  • PR #659 - @monkeysecurity - Quickstart GCP Fixes
  • PR #625 - @bungoume - Fix principal KeyError
  • PR #662 - @monkeysecurity - Replacing python manage.py with monkey
  • PR #660 - @mcpeak - Adding an option to allow group write for logfiles
  • PR #661 - @shrikant0013 - Added doc on update/upgrade steps

Important Notes:

  • SECURITY_MONKEY_SETTINGS is no longer a required environment variable.
    • If supplied, security_monkey will respect the variable. Otherwise it will default to env-config/config.py
  • manage.py has been moved inside the package and a monkey alias has been setup.
    • Where you might once call python manage.py <arguments> you will now call monkey <arguments>
  • Documentation has been converted from RST to Markdown.
    • I will no longer be using readthedocs or RST.
    • Quickstart guide has been largely re-written.
    • Quickstart now instructs you to create and use a virtualenv (and how to get supervisor to work with it)
  • This release contains GCP Watcher Support.
  • Additional Permissions Required:
    • ec2:DescribeVpnGateways

Contributors:

  • @kalpatel01
  • @redixin
  • @badraufran
  • @selmanj
  • @mariusgrigaitis
  • @cu12
  • @supertom
  • @crruthe
  • @carise
  • @roman-vynar
  • @jonhadfield
  • @sysboy
  • @jeyglk
  • @bungoume
  • @mcpeak
  • @shrikant0013
  • @mikegrima
  • @monkeysecurity

v0.8.0

7 years ago

v0.8.0 (2016-12-02, delayed to 2017-01-13)

  • PR #425 - @crruthe - Fixed a few report hyperlinks.
  • PR #428 - @nagwww - Documentation fix. Renamed module: security_monkey.auditors.elb to module: security_monkey.auditors.elasticsearch_service
  • PR #424 - @mikegrima - OS X Install doc updates for El Capitan and higher.
  • PR #426 - @mikegrima - Added "route53domains:getdomaindetail" to permissions doc.
  • PR #427 - @mikegrima - Fix for ARN parsing of cloudfront ARNs.
  • PR #431 - @mikegrima - Removed s3 ARN check for ElasticSearch Service.
  • PR #448 - @zollman - Fix exception logging in store_exception.
  • PR #444 - @zollman - Adds exception logging listener for appscheduler.
  • PR #454 - @mikegrima - Updated S3 Permissions to reflect latest changes to cloudaux.
  • PR #455 - @zollman - Add Dashboard.
  • PR #456 - @zollman - Increase issue note size.
  • PR #420 - @crruthe - Added support for SSO OneLogin.
  • PR #432 - @robertoriv - Add pagination for whitelist and ignore list.
  • PR #438 - @AngeloCiffa - Pin moto==0.4.25. (TODO: Bump Jinja2 version.)
  • PR #433 - @jnbnyc - Added Docker/Docker Compose support for local dev.
  • PR #408 - @zollman - Add support for custom account metadata. (An important step that will allow us to support multiple cloud providers in the future.)
  • PR #439 - @monkeysecurity - Replace botor lib with Netflix CloudAux.
  • PR #441 - @monkeysecurity - Auditor ChangeItems now receive ARN.
  • PR #446 - @zollman - Fix item 'first_seen' query.
  • PR #447 - @zollman - Refactor rdsdbcluster array params.
  • PR #445 - @zollman - Make misfire grace time and reporter start time configurable.
  • PR #451 - @monkeysecurity - Add coverage with Coveralls.io.
  • PR #452 - @monkeysecurity - Refactor & add tests for the PolicyDiff module.
  • PR #449 - @monkeysecurity - Refactoring s3 watcher to use Netflix CloudAux.
  • PR #453 - @monkeysecurity - Fixing two policy diff cases.
  • PR #442 - @monkeysecurity - Adding index to region. Dropping unused item.cloud.
  • PR #450 - @monkeysecurity - Moved test & onelogin requirements to the setup.py extras_require section.
  • PR #407 - @zollman - Link together issues by enabling auditor dependencies.
  • PR #419 - @monkeysecurity - Auditor will now fix any issues that are not attached to an AuditorSetting.
  • PR NONE - @monkeysecurity - Item View no longer returns revision configuration bodies. Should improve UI for items with many revisions.
  • PR NONE - @monkeysecurity - Fixing bug where SSO arguments weren't passed along for branded sso. (Where the name is not google or ping or onelogin)
  • PR #476 - @markofu - Update aws_accounts.json to add Canada and Ohio regions.
  • PR NONE - @monkeysecurity - Fixing manage.py::amazon_accounts() to use new AccountType and adding delete_unjustified_issues().
  • PR #480 - @monkeysecurity - Making Gunicorn an optional import to help support dev on Windows.
  • PR #481 - @monkeysecurity - Fixing a couple dart warnings.
  • PR #482 - @monkeysecurity - Replacing Flask-Security with Flask-Security-Fork.
  • PR #483 - @monkeysecurity - issue #477 - Fixes IAM User Auditor login_profile check.
  • PR #484 - @monkeysecurity - Bumping Jinja2 to >=2.8.1
  • PR #485 - @robertoriv - New IAM Role Auditor feature - Check for unknown cross account assumerole.
  • PR #487 - @hyperbolist - issue #486 - Upgrade setuptools in Dockerfile.
  • PR #489 - @monkeysecurity - issue #251 - Fix IAM SSL Auditor regression. Issue should be raised if we cannot obtain cert issuer.
  • PR #490 - @monkeysecurity - issue #421 - Adding ephemeral field to RDS DB issue.
  • PR #491 - @monkeysecurity - Adding new RDS DB Cluster ephemeral field.
  • PR #492 - @monkeysecurity - issue #466 - Updating S3 Auditor to use the ARN class.
  • PR NONE - @monkeysecurity - Fixing typo in dart files.
  • PR #495 - @monkeysecurity - issue #494 - Refactoring to work with the new Flask-WTF.
  • PR #493 - @monkeysecurity - Windows 10 Development instructions.
  • PR NONE - @monkeysecurity - issue #496 - Bumping CloudAux to >=1.0.7 to fix IAM User UploadDate field JSON serialization error.

Important Notes:

  • New permissions required:
    • s3:getaccelerateconfiguration
    • s3:getbucketcors
    • s3:getbucketnotification
    • s3:getbucketwebsite
    • s3:getreplicationconfiguration
    • s3:getanalyticsconfiguration
    • s3:getmetricsconfiguration
    • s3:getinventoryconfiguration
    • route53domains:getdomaindetail
    • cloudtrail:gettrailstatus

Contributors:

  • @zollman
  • @robertoriv
  • @hyperbolist
  • @markofu
  • @AngeloCiffa
  • @jnbnyc
  • @crruthe
  • @nagwww
  • @mikegrima
  • @monkeysecurity

v0.7.0

7 years ago

v0.7.0 (2016-09-21)

  • PR #410/#405 - @zollman - Custom Watcher/Auditor Support. (Dynamic Loading)
  • PR #412 - @llange - Google SSO Fixes
  • PR #409 - @kyleberry - Fixed Report URLs in UI.
  • PR #413 - @markofu - Better handle IAM SSL certificates that we cannot parse.
  • PR #411 - @zollman - Many, many new watchers and auditors.

New Watchers:

  • CloudTrail
  • AWSConfig
  • AWSConfigRecorder
  • DirectConnect::Connection
  • EC2::EbsSnapshot
  • EC2::EbsVolume
  • EC2::Image
  • EC2::Instance
  • ENI
  • KMS::Grant
  • KMS::Key
  • Lambda
  • RDS::ClusterSnapshot
  • RDS::DBCluster
  • RDS::DBInstance
  • RDS::Snapshot
  • RDS::SubnetGroup
  • Route53
  • Route53Domains
  • TrustedAdvisor
  • VPC::DHCP
  • VPC::Endpoint
  • VPC::FlowLog
  • VPC::NatGateway
  • VPC::NetworkACL
  • VPC::Peering

Important Notes:

  • New permissions required:
    • cloudtrail:describetrails
    • config:describeconfigrules
    • config:describeconfigurationrecorders
    • directconnect:describeconnections
    • ec2:describeflowlogs
    • ec2:describeimages
    • ec2:describenatgateways
    • ec2:describenetworkacls
    • ec2:describenetworkinterfaces
    • ec2:describesnapshots
    • ec2:describevolumes
    • ec2:describevpcendpoints
    • ec2:describevpcpeeringconnections
    • iam:getaccesskeylastused
    • iam:listattachedgrouppolicies
    • iam:listattacheduserpolicies
    • lambda:listfunctions
    • rds:describedbclusters
    • rds:describedbclustersnapshots
    • rds:describedbinstances
    • rds:describedbsnapshots
    • rds:describedbsubnetgroups
    • redshift:describeclusters
    • route53domains:listdomains
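Several releases on this page (v1.1.0, v0.9.2, v0.9.0, v0.8.0 and v0.7.0 above) add read-only IAM actions that the Security Monkey role must be granted before the new watchers will work. The following is an added example, not code from the Security Monkey project, of a pre-flight check that takes the v0.7.0 action list from the release notes above and reports which actions a given IAM policy document does not grant. The sample policy is constructed for the example. It deliberately ignores Resource, Condition and NotAction (an assumption that keeps it a coarse check, not an IAM policy simulator), and it treats an explicit Deny as overriding any Allow, which is how IAM evaluates policies.

```python
import fnmatch
import json

# Actions the v0.7.0 release notes above say the Security Monkey role now needs.
# IAM action names are case-insensitive, so the lower-case spelling used on
# this page is fine; the checker lower-cases everything before matching.
REQUIRED_ACTIONS_0_7_0 = [
    "cloudtrail:describetrails",
    "config:describeconfigrules",
    "config:describeconfigurationrecorders",
    "directconnect:describeconnections",
    "ec2:describeflowlogs",
    "ec2:describeimages",
    "ec2:describenatgateways",
    "ec2:describenetworkacls",
    "ec2:describenetworkinterfaces",
    "ec2:describesnapshots",
    "ec2:describevolumes",
    "ec2:describevpcendpoints",
    "ec2:describevpcpeeringconnections",
    "iam:getaccesskeylastused",
    "iam:listattachedgrouppolicies",
    "iam:listattacheduserpolicies",
    "lambda:listfunctions",
    "rds:describedbclusters",
    "rds:describedbclustersnapshots",
    "rds:describedbinstances",
    "rds:describedbsnapshots",
    "rds:describedbsubnetgroups",
    "redshift:describeclusters",
    "route53domains:listdomains",
]

# Constructed sample policy: an older read-only policy that covers most
# services with wildcards but was never updated for the v0.7.0 watchers.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "rds:Describe*", "cloudtrail:DescribeTrails",
                    "iam:List*", "lambda:ListFunctions"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "redshift:DescribeClusters", "Resource": "*"},
        # An explicit Deny on one watcher action: reported as missing below.
        {"Effect": "Deny", "Action": "iam:GetAccessKeyLastUsed", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM lets Statement and Action be a single string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_patterns(policy_json):
    """Collect lower-cased Action patterns from Allow and Deny statements.

    Assumption/simplification: Resource, Condition and NotAction are ignored,
    so a hit here means "the action name is granted", nothing more.
    """
    doc = json.loads(policy_json)
    allow, deny = [], []
    for stmt in _as_list(doc.get("Statement")):
        effect = stmt.get("Effect")
        if effect == "Allow":
            allow.extend(a.lower() for a in _as_list(stmt.get("Action")))
        elif effect == "Deny":
            deny.extend(a.lower() for a in _as_list(stmt.get("Action")))
    return allow, deny


def missing_actions(policy_json, required):
    """Return, sorted, the required actions the policy does not grant.

    An action is granted only if some Allow pattern matches it and no Deny
    pattern matches it; IAM wildcards (* and ?) are handled by fnmatch.
    """
    allow, deny = action_patterns(policy_json)
    missing = []
    for action in required:
        name = action.lower()
        allowed = any(fnmatch.fnmatchcase(name, p) for p in allow)
        denied = any(fnmatch.fnmatchcase(name, p) for p in deny)
        if not allowed or denied:
            missing.append(name)
    return sorted(missing)


if __name__ == "__main__":
    for action in missing_actions(SAMPLE_POLICY, REQUIRED_ACTIONS_0_7_0):
        print("missing:", action)
```

Run against a real role, the policy document would come from the role's attached and inline policies rather than the constructed SAMPLE_POLICY; the same REQUIRED_ACTIONS list pattern applies to the permission lists in the other releases on this page.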

Contributors:

  • @zollman
  • @kyleberry
  • @llange
  • @markofu
  • @monkeysecurity