Security-monkey

-------------------

- PR \269 - mikegrima - TravisCI now ensures that dart builds.
- PR \270 - monkeysecurity - Refactored sts\_connect to dynamically import boto resources.
- PR \271 - OllyTheNinja-Xero - Fixed indentation mistake in auditor.py
- PR \275 - AlexCline - Added elb logging to ELB watcher and auditor.
- PR \279 - mikegrima - Added ElasticSearch Watcher and Auditor (with tests).
- PR \280 - monkeysecurity - PolicyDiff better handling of changes to primitives (like ints) in dictionay values and added explicit escaping instead of relying on Angular.
- PR \282 - mikegrima - Documentation Fixes to configuration.rst and quickstart.rst adding es: permissions and other fixes.

Hotfixes:

- Added OSSMETADATA file to master/develop for internal Netflix tracking.

Contributors:

- mikegrima
- monkeysecurity
- OllyTheNinja-Xero
- AlexCline

-------------------

- PR \228 - jeremy-h - IAM check misses '\*' when found within a list. (Issue \223)
- PR \230 - markofu - New error and echo functions to simplify code for scripts/secmonkey\_auto\_install.sh
- PR \233 - mikegrima - Write tests for security\_monkey.common.ARN (Issue \222)
- PR \238 - monkeysecurity - Refactoring \_check\_rfc\_1918 and improving VPC ELB Internet Accessible Check
- PR \241 - bunjiboys - Seed Amazon owned AWS accounts (Issue \169)
- PR \243 - mikegrima - Fix for underscores not being detected in SNS watcher. (Issue \240)
- PR \244 - mikegrima - Setup TravisCI (Issue \227)
- PR \250 - OllyTheNinja-Xero - upgrade deprecated botocore calls in ELB watcher (Issue \249)
- PR \256 - mikegrima - Latest Boto3/botocore versions (Issue \254)
- PR \261 - bunjiboys - Add ec2:DescribeInstances to quickstart role documentation (Issue \260)
- PR \263 - monkeysecurity - Updating docs/scripts to pin to dart 1.12.2-1 (Issue \259)
- PR \265 - monkeysecurity - Remove ratelimiting max attempts, wrap ELB watcher with try/except/continue

Hotfixes:

- Issue \235 - OllyTheNinja-Xero - SNS Auditor - local variable 'entry' referenced before assignment

Contributors:

- jeremy-h
- mark-fu
- mikegrima
- bunjiboys
- OllyTheNinja-Xero
- monkeysecurity

-------------------

- PR \212 - bunjiboys - Make email failures warnings instead of debug messages
- PR \203 - markofu - Added license to secmonkey\_auto\_install.sh.
- PR \207 - cbarrac - Updated dependencies and dart installation for secmonkey\_auto\_install.sh
- PR \209 - mikegrima - Make SNS Ignorelist use name instead of ARN.
- PR \213 - Qmando - Added more exception handling to the S3 watcher.
- PR \215 - Dklotz-Circle - Added egress rules to the security group watcher.
- monkeysecurity - Updated quickstart.rst IAM policy to remove wildcards and include redshift permissions.
- PR \218 - monkeysecurity - Added exception handling to the S3 bucket.get\_location API call.
- PR \221 - Qmando - Retry on AWS API error when slurping ELBs.
- monkeysecurity - Updated cryptography package from 1.0 to 1.0.2 for easier installation under OS X El Capitan.

Hotfixes:

- Updated quickstart.rst and secmonkey\_auto\_install.sh to remove swig/python-m2crypto and add libffi-dev
- Issue \220 - SQS Auditor not correctly parsing ARNs, halting security\_monkey. Fixed by abstracting ARN parsing into a new class (security\_monkey.common.arn). Updated the SNS Auditor to also use this new class.

Contributors:

- bunjiboys
- markofu
- cbarrac
- mikegrima
- Qmando
- Dklotz-Circle
- monkeysecurity

-------------------

- PR \165 - echiu64 - S3 watcher now tracking S3 Logging Configuration.
- None - monkeysecurity - Certs with an invalid issuer now flagged.
- PR \177 - DenverJ -Added new SQS Auditor.
- PR \188 - kevgliss - Removed dependency on M2Crypto/Swig and replaced with Cryptography.
- PR \164 - Qmando - URL encoding issue with certain searches containing spaces corrected.
- None - monkeysecurity - Fixed issue where corrected issues were not removed.
- PR \198 - monkeysecurity - Adding ability to select up to four items or revisions to be compared.
- PR \194 \195 - bunjiboys - SECURITY\_TEAM\_EMAIL should accept not only a list, but also a string or tuple.
- PR \180 \181 \190 \191 \192 \193 - cbarrac - A number of udpates and fixes for the bash installer. (scripts/secmonkey\_auto\_installer.sh)
- PR \176 \178 - mikegrima - Updated documentation for contributors on OS X and Ubuntu to use Webstorm instead of the Dart Editor.

Contributors:

- Qmando
- echiu64
- DenverJ
- cbarrac
- kevgliss
- mikegrima
- monkeysecurity

-------------------

- PR \122 - Qmando - Jira Sync. Quentin from Yelp added Jira Integration.
- PR \147 - echiu64 - Added colors to audit emails and added missing justifications back into emails.
- PR \150 - echiu64 - Fixed a missing comma from setup.py
- PR \155 - echiu64 - Fixed a previous merge issue where \_audit\_changes() was looking for a Monitor instance instead of an list of Auditors.
- Issue \154 - monkeysecurity - Added support for ELB Reference Policy 2015-05.
- None - monkeysecurity - Added db.session.refresh(...) where appropriate in a few API views to replace some very ugly code.
- Issue \133 - lucab - Upgraded Flask-RESTful from v0.2.5 to v0.3.3 to fix an issue where request arguments were being persisted as the string "None" when they should have remained the javascript literal null.
- PR \120 - lucab - Add custom role\_name field for each account to replace the previously hardcoded 'SecurityMonkey' role name.
- PR \120 - gene1wood - Add support for the custom role\_name into manage.py.
- PR \161 - Asbjorn Kjaer - Increase s3\_name from 32 characters to 64 characters to avoid errors or truncation where s3\_name is longer.
- None - monkeysecurity - Set the 'defer' (lazy-load) attribute for the JSON config column on the ItemRevision table. This speeds up the web API in a number of places.

Hotfixes:

- Issue \149 - Python scoping issue where managed policies attached to more than one entity would cause an error.
- Issue \152 - SNS topics were being saved by ARN instead of by name, causing exceptions for very long names.
- Issue \141 - Setup cascading deletes on the Account table to prevent the error which occured when trying to delete an account with items and users attached.

Contributors:

- Qmando
- echiu64
- lucab
- gene1wood
- Asbjorn Kjaer (akjaer)
- monkeysecurity

-------------------

- Changes to issue score in code will now cause all existing issues to be re-scored in the database.
- A new configuration parameter called SECURITYGROUP\_INSTANCE\_DETAIL can now be set to:
- "FULL": Security Groups will display each instances, and all instance tags, that are associated with the security group.
- "SUMMARY": Security Groups will display the number of instances attached to the security group.
- "NONE": Security Groups will not retrieve any data about instances attached to a security group.
- If SECURITY\_GROUP\_INSTANCE\_DETAIL is set to "FULL" or "SUMMARY", empty security groups audit issues will have their score set to zero.
- For accounts with many thousands of instances, it is advised to set this to "NONE" as the AWS API's do not respond in a timely manner with that many instances.

- Each watcher can be set to run at a different interval in code. We will want to move this to be a UI setting.
- Watchers may specify a list of ephemeral paths. Security\_monkey will not send out change alerts for items in the ephemeral section. This is a good place for metadata that is often changing like the number of instances attached to a security\_group or the number of remaining IP addresses in a VPC subnet.

Contributors:

- lucab
- monkeysecurity