Security Monkey monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.
Hotfixes:
Use sudo -E when calling manage.py amazon_accounts.
Important Notes:
from datetime import timedelta  # needed for the timedelta() values below

PERMANENT_SESSION_LIFETIME=timedelta(minutes=60) # Will log out users after this period of inactivity.
SESSION_REFRESH_EACH_REQUEST=True
SESSION_COOKIE_SECURE=True
SESSION_COOKIE_HTTPONLY=True
PREFERRED_URL_SCHEME='https'
REMEMBER_COOKIE_DURATION=timedelta(minutes=60) # Can be made longer if you want remember_me to be useful
REMEMBER_COOKIE_SECURE=True
REMEMBER_COOKIE_HTTPONLY=True
Contributors:
arn:aws:s3:*:*:some-s3-bucket
Hotfixes:
Important Notes:
iam:listattachedrolepolicies
SECURITY_TRACKABLE = True
Run python setup.py install to obtain the new dependencies.
Contributors:
Summary of new watchers:
Summary of new Auditors or audit checks:
Contributors:
static.tar.gz is attached to this release and contains the output of compiling the Dart web UI to JavaScript. Simply extract this tar.gz to your security_monkey/static folder.
Merged in a new AuditorSettings tab created by Qmando at Yelp enabling you to disable audit checks with per-account granularity.
security_monkey is now CSP compliant.
security_monkey has removed all shadow-DOM components. Also removed webcomponents.js and dart_support.js, as they were not CSP compliant.
security_monkey now advises users to enable the following standard security headers:
X-Content-Type-Options "nosniff";
X-XSS-Protection "1; mode=block";
X-Frame-Options "SAMEORIGIN";
Strict-Transport-Security "max-age=631138519";
Content-Security-Policy "default-src 'self'; font-src 'self' https://fonts.gstatic.com; script-src 'self' https://ajax.googleapis.com; style-src 'self' https://fonts.googleapis.com;"
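A small checker for these headers, added here as an example (not Security Monkey's own code): it parses the Content-Security-Policy and Strict-Transport-Security values and reports where a response falls short of the baseline quoted above. The two sample responses are constructed for the example; the expected header values are the ones from the release notes.

```python
"""Check an HTTP response's security headers against the recommended baseline.
Added example, not Security Monkey's own code. Header values are the ones quoted
in the release notes; the sample responses at the bottom are constructed."""
from typing import Dict, List

# Exact-match headers from the recommended set.
BASELINE = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
}
HSTS_MIN_MAX_AGE = 631138519  # max-age from the recommended HSTS header


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}.
    Directives are ';'-separated; the first token of each is the directive name."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts_max_age(value: str) -> int:
    """Return max-age from a Strict-Transport-Security header, or -1 if absent."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.isdigit():
            return int(val)
    return -1


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the response meets the baseline."""
    findings: List[str] = []
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    for name, expected in BASELINE.items():
        got = h.get(name.lower())
        if got is None:
            findings.append(f"missing {name}")
        elif got.strip().lower() != expected.lower():
            findings.append(f"{name} is {got!r}, expected {expected!r}")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif parse_hsts_max_age(hsts) < HSTS_MIN_MAX_AGE:
        findings.append(f"Strict-Transport-Security max-age below {HSTS_MIN_MAX_AGE}")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("CSP has no default-src fallback")
        for directive in ("default-src", "script-src", "style-src"):
            # Inline code, eval, or wildcard hosts defeat the purpose of the policy.
            for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
                if bad in policy.get(directive, []):
                    findings.append(f"CSP {directive} allows {bad}")
    return findings


# Constructed sample: the recommended set, exactly as quoted in the release notes.
GOOD_RESPONSE = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=631138519",
    "Content-Security-Policy": ("default-src 'self'; font-src 'self' https://fonts.gstatic.com; "
                                "script-src 'self' https://ajax.googleapis.com; "
                                "style-src 'self' https://fonts.googleapis.com;"),
}

# Constructed sample: no framing protection, short HSTS, permissive CSP.
WEAK_RESPONSE = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
}

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, check_headers(resp) or "meets baseline")
```

Drop check_headers() into an integration test that fetches a page from your deployment and asserts on an empty findings list; the parser deliberately ignores directive order and the trailing ";" that the recommended CSP string carries.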
security_monkey now has XSRF protection against all DELETE, POST, PUT, and PATCH calls.
Updated the ELB Auditor to be aware of the ELBSecurityPolicy-2015-02 reference policy.
Contributors: