Security Monkey Versions

Security Monkey monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.

v0.6.0 (2016-08-29)

  • issue #292 - PR #332 - Add ephemeral sections to the redshift watcher
  • PR #338 - Added access key last used to IAM Users.
  • Added an IAM User auditor check to look for access keys without use in past 90 days.
  • PR #334 - @alexcline - Route53 watcher and auditor. (Updated to use botor in PR #343)
  • Logo updated. Weapon replaced with banana. Expect more logo changes soon.
  • PR #345 - Ephemeral changes now update the latest revision. Revisions now have a date_last_ephemeral_change column as well as a date_created column.
  • PR #349 - @mikegrima - Install documentation updates
  • PR #354 - Feature/SSO (YAY)
  • PR #365 - @alexcline - Added ACM (Amazon Certificate Manager) watcher/auditor
  • PR #358/#370 - @AlexCline - Alex cline feature/kms
  • Updated Dart/AngularDart versions.
  • PR #362 - @crruthe - Changed to dictConfig logging format
  • PR #372 - @ollytheninja - SQS principal bugfix
  • PR #379 - @bunjiboys - Adding Mumbai region
  • PR #380 - @bunjiboys - Adding Mumbai ELB Log AWS Account info
  • PR #381 - @ollytheninja - Adding tags to the S3 watcher
  • Boto updates
  • PR #376 - Adding item.arn field. Adding item.latest_revision_complete_hash and item.latest_revision_durable_hash. These are for the bananapeel rearchitecture.
  • PR #386 - Shortening sessions from default value to 60 minutes. Setting Cookie HTTPONLY and SECURE flags.
  • PR #389 - Adding CloudTrail table, linked to itemrevision. (To be used by bananapeel rearchitecture.)
  • PR #390 - @ollytheninja - Adding export CSV button.
  • PR #394 - @mikegrima - Saving exceptions to database table
  • PR #402 - issue #401 - Adding new ELB Reference Policy ELBSecurityPolicy-2016-08

Hotfixes:

  • Upgraded Cryptography to 1.3.1
  • Updated docs to use sudo -E when calling manage.py amazon_accounts.
  • Updated the @record_exception decorator to allow the region to be overwritten. (Useful for region-less technology that likes to be recorded in the "universal" region.)
  • issue #331 - IAMSSL watcher failed on elliptic curve certs

Important Notes:

  • Route53 IgnoreList entries may match zone name or recordset name.
  • Check out the new log configuration format from PR #362. You may want to update your config.py.
  • New permissions required:
    • "acm:ListCertificates"
    • "acm:DescribeCertificate"
    • "kms:DescribeKey"
    • "kms:GetKeyPolicy"
    • "kms:ListKeys"
    • "kms:ListAliases"
    • "kms:ListGrants"
    • "kms:ListKeyPolicies"
    • "s3:GetBucketTagging"
  • Some dependencies have been updated (cryptography, boto, boto3, botocore, botor, pyjwt). Please re-run python setup.py install.
  • Please add the following lines to your config.py for more time-limited sessions:
    PERMANENT_SESSION_LIFETIME=timedelta(minutes=60)   # Logs users out after this period of inactivity.
    SESSION_REFRESH_EACH_REQUEST=True
    SESSION_COOKIE_SECURE=True
    SESSION_COOKIE_HTTPONLY=True
    PREFERRED_URL_SCHEME='https'

    REMEMBER_COOKIE_DURATION=timedelta(minutes=60)  # Can be made longer if you want remember_me to be useful.
    REMEMBER_COOKIE_SECURE=True
    REMEMBER_COOKIE_HTTPONLY=True

Contributors:

  • @alexcline
  • @crruthe
  • @ollytheninja
  • @bunjiboys
  • @mikegrima
  • @monkeysecurity

v0.5.0 (2016-04-26)

  • PR #286 - bunjiboys - Added Seoul region AWS Account IDs to import scripts
  • PR #291 - sbasgall - Corrected ignore_list.py variable names and help strings
  • PR #284 - mikegrima - Fixed cross-account root reporting for ES service (Issue #283)
  • PR #293 - mikegrima - Updated quickstart documentation to remove permission wildcards (Issue #287)
  • PR #301 - monkeysecurity - iamrole watcher can now handle many more roles (1000+) and no longer times out.
  • PR #316 - DenverJ - Handle database exceptions by cleaning up session.
  • PR #289 - delikat - Persist custom role names on account creation
  • PR #321 - monkeysecurity - Item List and Item View will no longer display disabled issues.
  • PR #322 (PR #308) - llange - Ability to add AWS owned managed policies to ignore list by ARN (Issue #148)
  • PR #323 - snixon - Breaks check_securitygroup_any into ingress and egress (Issue #239)
  • PR #309 - DenverJ - Significant database query optimizations by tuning itemrevision retrievals
  • PR #324 - mikegrima - Handling invalid ARNs more consistently between watchers (Issue #248)
  • PR #317 - ollytheninja - Add Role Based Access Control
  • PR #327 - monkeysecurity - Added Flask-Security's SECURITY_TRACKABLE to backend and UI
  • PR #328 - monkeysecurity - Added ability to parse AWS service "ARNs" like events.amazonaws.com as well as ARNs that use * for the account number like arn:aws:s3:*:*:some-s3-bucket
  • PR #314 - pdbogen - Update Logging to have the ability to log to stdout, useful for dockerizing.

Hotfixes:

  • s3_acl_compare_lowercase: AWS now returns S3 ACLs with a lowercased owner. security_monkey now does a case-insensitive comparison.
  • longer_resource_ids. Updating DB to handle longer AWS resource IDs: https://aws.amazon.com/blogs/aws/theyre-here-longer-ec2-resource-ids-now-available/
  • Removed requests from requirements.txt/setup.py as it was pinned to a very old version and not directly required (Issue #312)
  • arn_condition_awssourcearn_can_be_list: Updated security_monkey to be able to handle a list of ARNs in a policy condition.
  • ignore_list_fails_on_empty_string: security_monkey now properly handles an ignorelist entry containing a prefix string of length 0.
  • protocol_sslv2_deprecation: AWS stopped returning whether an ELB listener supported SSLv2. Fixed security_monkey to handle the new format correctly.

Important Notes:

  • security_monkey IAM roles now require a new permission: iam:listattachedrolepolicies
  • Your security_monkey config file should contain a new flag: SECURITY_TRACKABLE = True
  • You'll need to rerun python setup.py install to obtain the new dependencies.

Contributors:

  • @bunjiboys
  • @sbasgall
  • @mikegrima
  • @DenverJ
  • @delikat
  • @snixon
  • @ollytheninja
  • @pdbogen
  • @monkeysecurity

v0.4.1 (2015-12-22)

  • PR #269 - mikegrima - TravisCI now ensures that dart builds.
  • PR #270 - monkeysecurity - Refactored sts_connect to dynamically import boto resources.
  • PR #271 - OllyTheNinja-Xero - Fixed indentation mistake in auditor.py
  • PR #275 - AlexCline - Added elb logging to ELB watcher and auditor.
  • PR #279 - mikegrima - Added ElasticSearch Watcher and Auditor (with tests).
  • PR #280 - monkeysecurity - PolicyDiff better handling of changes to primitives (like ints) in dictionary values and added explicit escaping instead of relying on Angular.
  • PR #282 - mikegrima - Documentation Fixes to configuration.rst and quickstart.rst adding es: permissions and other fixes.

Hotfixes:

  • Added OSSMETADATA file to master/develop for internal Netflix tracking.

Contributors:

  • @mikegrima
  • @monkeysecurity
  • @OllyTheNinja-Xero
  • @AlexCline

v0.4.0 (2015-11-20)

  • PR #228 - jeremy-h - IAM check misses '*' when found within a list. (Issue #223)
  • PR #230 - markofu - New error and echo functions to simplify code for scripts/secmonkey_auto_install.sh
  • PR #233 - mikegrima - Write tests for security_monkey.common.ARN (Issue #222)
  • PR #238 - monkeysecurity - Refactoring _check_rfc_1918 and improving VPC ELB Internet Accessible Check
  • PR #241 - bunjiboys - Seed Amazon owned AWS accounts (Issue #169)
  • PR #243 - mikegrima - Fix for underscores not being detected in SNS watcher. (Issue #240)
  • PR #244 - mikegrima - Setup TravisCI (Issue #227)
  • PR #250 - OllyTheNinja-Xero - upgrade deprecated botocore calls in ELB watcher (Issue #249)
  • PR #256 - mikegrima - Latest Boto3/botocore versions (Issue #254)
  • PR #261 - bunjiboys - Add ec2:DescribeInstances to quickstart role documentation (Issue #260)
  • PR #263 - monkeysecurity - Updating docs/scripts to pin to dart 1.12.2-1 (Issue #259)
  • PR #265 - monkeysecurity - Remove ratelimiting max attempts, wrap ELB watcher with try/except/continue

Hotfixes:

  • Issue #235 - OllyTheNinja-Xero - SNS Auditor - local variable 'entry' referenced before assignment

Contributors:

  • @jeremy-h
  • @markofu
  • @mikegrima
  • @bunjiboys
  • @OllyTheNinja-Xero
  • @monkeysecurity

v0.3.9 (2015-10-08)

  • PR #212 - bunjiboys - Make email failures warnings instead of debug messages
  • PR #203 - markofu - Added license to secmonkey_auto_install.sh.
  • PR #207 - cbarrac - Updated dependencies and dart installation for secmonkey_auto_install.sh
  • PR #209 - mikegrima - Make SNS Ignorelist use name instead of ARN.
  • PR #213 - Qmando - Added more exception handling to the S3 watcher.
  • PR #215 - Dklotz-Circle - Added egress rules to the security group watcher.
  • monkeysecurity - Updated quickstart.rst IAM policy to remove wildcards and include redshift permissions.
  • PR #218 - monkeysecurity - Added exception handling to the S3 bucket.get_location API call.
  • PR #221 - Qmando - Retry on AWS API error when slurping ELBs.
  • monkeysecurity - Updated cryptography package from 1.0 to 1.0.2 for easier installation under OS X El Capitan.

Hotfixes:

  • Updated quickstart.rst and secmonkey_auto_install.sh to remove swig/python-m2crypto and add libffi-dev
  • Issue #220 - SQS Auditor not correctly parsing ARNs, halting security_monkey. Fixed by abstracting ARN parsing into a new class (security_monkey.common.arn). Updated the SNS Auditor to also use this new class.

Contributors:

  • bunjiboys
  • markofu
  • cbarrac
  • mikegrima
  • Qmando
  • Dklotz-Circle
  • monkeysecurity

v0.3.8 (2015-08-28)

  • PR #165 - echiu64 - S3 watcher now tracking S3 Logging Configuration.
  • None - monkeysecurity - Certs with an invalid issuer now flagged.
  • PR #177 - DenverJ - Added new SQS Auditor.
  • PR #188 - kevgliss - Removed dependency on M2Crypto/Swig and replaced with Cryptography.
  • PR #164 - Qmando - URL encoding issue with certain searches containing spaces corrected.
  • None - monkeysecurity - Fixed issue where corrected issues were not removed.
  • PR #198 - monkeysecurity - Adding ability to select up to four items or revisions to be compared.
  • PR #194 #195 - bunjiboys - SECURITY_TEAM_EMAIL should accept not only a list, but also a string or tuple.
  • PR #180 #181 #190 #191 #192 #193 - cbarrac - A number of updates and fixes for the bash installer. (scripts/secmonkey_auto_installer.sh)
  • PR #176 #178 - mikegrima - Updated documentation for contributors on OS X and Ubuntu to use Webstorm instead of the Dart Editor.

Contributors:

  • @Qmando
  • @echiu64
  • @DenverJ
  • @cbarrac
  • @kevgliss
  • @mikegrima
  • @monkeysecurity

v0.3.5 (2015-03-28)

  • Adding policy minimizer & expander to the revision component
  • Adding tracking of instance profiles attached to a role
  • Adding marker/pagination code to redshift.describe_clusters()
  • Adding pagination to IAM User get_all_user_policies, get_all_access_keys, get_all_mfa_devices, get_all_signing_certs
  • Typo & minor corrections on postgres commands
  • CLI command to save your current configurations to a JSON file for backup
  • added a VPC watcher
  • Adding DHCP Options and Internet Gateways to the VPC Watcher
  • Adding a subnet watcher. Fixing the VPC watcher with deep_dict
  • Adding the vpc route_table watcher
  • Removing subnet remaining IP field until ephemeral section is merged in
  • Adding IAM Managed Policies
  • Typo & minor corrections on postgres commands in documentation
  • Adds ELBSecurityPolicy-2015-03. Moves export-grade ciphers to their own section and alerts on the FREAK vulnerability.
  • Provides context on refpol 2015-03 vs 2015-02.
  • Adding a Managed Policies Auditor
  • Added Managed Policy tracking to the IAM users, groups, and roles

Summary of new watchers:

  • vpc
    • DHCP Options
    • Internet Gateways
  • subnet
  • routetable
  • managed policies

Summary of new Auditors or audit checks:

  • managed policies
  • New reference policy 2015-03 for ELB listeners.
  • New alerts for FREAK vulnerable ciphers.

Contributors:

  • markofu
  • monkeysecurity

static.tar.gz is attached to this release and contains the output of compiling the dart web UI to javascript. Simply extract this tar.gz to your security_monkey/static folder.

v0.3.4 (2015-2-19)

  • Merged in a new AuditorSettings tab created by Qmando at Yelp enabling you to disable audit checks with per-account granularity.

  • security_monkey is now CSP compliant.

  • security_monkey has removed all shadow-DOM components. Also removed webcomponents.js and dart_support.js, as they were not CSP compliant.

  • security_monkey now advises users to enable the following standard security headers:

    X-Content-Type-Options "nosniff";
    X-XSS-Protection "1; mode=block";
    X-Frame-Options "SAMEORIGIN";
    Strict-Transport-Security "max-age=631138519";
    Content-Security-Policy "default-src 'self'; font-src 'self' https://fonts.gstatic.com; script-src 'self' https://ajax.googleapis.com; style-src 'self' https://fonts.googleapis.com;"

  • security_monkey now has XSRF protection against all DELETE, POST, PUT, and PATCH calls.

  • Updated the ELB Auditor to be aware of the ELBSecurityPolicy-2015-02 reference policy.
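A deployment check that verifies a security_monkey response actually carries the headers advised above and the Secure/HttpOnly cookie flags that the SESSION_COOKIE_* and REMEMBER_COOKIE_* settings in the v0.6.0 notes turn on. This is an added example, not Security Monkey's own code; the sample responses are constructed, and treating a wildcard or 'unsafe-*' CSP source as a finding is this example's own rule rather than something the release notes state.

```python
import re

# Header values the v0.3.4 notes advise, the HSTS max-age quoted there, and the CSP directives it names.
REQUIRED_HEADERS = {"x-content-type-options": "nosniff",
                    "x-xss-protection": "1; mode=block",
                    "x-frame-options": "SAMEORIGIN"}
MIN_HSTS_MAX_AGE = 631138519
REQUIRED_CSP_DIRECTIVES = ("default-src", "font-src", "script-src", "style-src")


def audit_response(headers, set_cookies):
    """Return findings for one response (header dict, raw Set-Cookie values); [] means it complies."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, expected in REQUIRED_HEADERS.items():
        if h.get(name, "").strip().lower() != expected.lower():
            findings.append("%s should be %r, got %r" % (name, expected, h.get(name)))
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("strict-transport-security missing or max-age too short")
    # Split the CSP into {directive: [sources]}. Flagging a wildcard or 'unsafe-*' source
    # is this example's own strictness rule, not one the release notes state.
    csp = {}
    for part in h.get("content-security-policy", "").split(";"):
        tokens = part.split()
        if tokens:
            csp[tokens[0].lower()] = tokens[1:]
    for directive in REQUIRED_CSP_DIRECTIVES:
        sources = csp.get(directive)
        if sources is None:
            findings.append("content-security-policy lacks %s" % directive)
        elif any(s == "*" or s.startswith("'unsafe-") for s in sources):
            findings.append("content-security-policy %s is too permissive" % directive)
    # Session and remember-me cookies must carry the Secure and HttpOnly flags that the
    # SESSION_COOKIE_* / REMEMBER_COOKIE_* settings from the v0.6.0 notes turn on.
    for raw in set_cookies:
        name = raw.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in raw.split(";")[1:]}
        findings += ["cookie %s lacks %s" % (name, f) for f in ("secure", "httponly") if f not in attrs]
    return findings


# Constructed sample responses, not captured from a real deployment.
HARDENED = {"X-Content-Type-Options": "nosniff", "X-XSS-Protection": "1; mode=block",
            "X-Frame-Options": "SAMEORIGIN", "Strict-Transport-Security": "max-age=631138519",
            "Content-Security-Policy": "default-src 'self'; font-src 'self' https://fonts.gstatic.com; "
            "script-src 'self' https://ajax.googleapis.com; style-src 'self' https://fonts.googleapis.com;"}
HARDENED_COOKIES = ["session=abc123; Secure; HttpOnly; Path=/", "remember_token=def456; Secure; HttpOnly"]
WEAK = {**HARDENED, "X-Frame-Options": "ALLOWALL",
        "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'"}
WEAK_COOKIES = ["session=abc123; Path=/"]  # neither Secure nor HttpOnly
```

Running audit_response(HARDENED, HARDENED_COOKIES) returns no findings, while the WEAK response yields one finding per missing directive, permissive source, wrong header value and missing cookie flag.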

Contributors:

  • @Qmando
  • @monkeysecurity