Security-monkey

Latest version: v0.4.0

Page 3 of 4

0.3.5
-----

- Adding policy minimizer & expander to the revision component
- Adding tracking of instance profiles attached to a role
- Adding marker/pagination code to redshift.describe_clusters()
- Adding pagination to IAM User get_all_user_policies, get_all_access_keys, get_all_mfa_devices, get_all_signing_certs
- Typo & minor corrections on postgres commands
- CLI command to save your current configurations to a JSON file for backup
- added a VPC watcher
- Adding DHCP Options and Internet Gateways to the VPC Watcher
- Adding a subnet watcher. Fixing the VPC watcher with deep_dict
- Adding the vpc route_table watcher
- Removing subnet remaining IP field until ephemeral section is merged in
- Adding IAM Managed Policies
- Typo & minor corrections on postgres commands in documentation
- Adds ELBSecurityPolicy-2015-03. Moves export grade ciphers to their own section and alerts on FREAK vuln.
- Provides context on refpol 2015-03 vs 2015-02.
- Adding a Managed Policies Auditor
- Added Managed Policy tracking to the IAM users, groups, and roles
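The marker/pagination entries above describe a pattern rather than show it, so here is an added example (not security_monkey's or boto's own code) of what "adding pagination" means for an inventory watcher. `FakeRedshiftClient` is a constructed stand-in that honours the `MaxRecords`/`Marker` contract of the Redshift `describe_clusters` call; `first_page_only` is the pre-fix behaviour, `all_clusters` the fixed loop. The security point is that a watcher stopping after one page silently drops every resource past the page size, so auditors never see them. The `max_pages` guard is an assumed safety limit, not an API feature.

```python
"""Marker-based pagination, constructed example (not security_monkey or boto3 code)."""
from typing import Dict, List, Optional


class FakeRedshiftClient:
    """Serves cluster records in pages; a Marker is returned only while more remain.

    Mimics the MaxRecords/Marker shape of boto3's describe_clusters; constructed stand-in."""

    def __init__(self, cluster_ids: List[str], max_page_size: int = 100):
        self._ids = cluster_ids
        self._max_page_size = max_page_size

    def describe_clusters(self, Marker: Optional[str] = None, MaxRecords: int = 100) -> Dict:
        start = int(Marker) if Marker else 0
        size = min(MaxRecords, self._max_page_size)
        page = self._ids[start:start + size]
        response: Dict[str, object] = {"Clusters": [{"ClusterIdentifier": cid} for cid in page]}
        if start + size < len(self._ids):
            response["Marker"] = str(start + size)  # opaque to callers; here simply an offset
        return response


class StuckClient:
    """Constructed misbehaving endpoint: always hands back a Marker, never terminates."""

    def describe_clusters(self, **kwargs) -> Dict:
        return {"Clusters": [], "Marker": "again"}


def first_page_only(client, page_size: int = 100) -> List[Dict]:
    """Pre-fix behaviour: one call, and its result is treated as the complete inventory."""
    return client.describe_clusters(MaxRecords=page_size).get("Clusters", [])


def all_clusters(client, page_size: int = 100, max_pages: int = 1000) -> List[Dict]:
    """Follow Marker until the service stops returning one.

    max_pages (assumed limit) bounds the loop so an endpoint that keeps returning a Marker
    cannot spin the watcher forever."""
    clusters: List[Dict] = []
    marker: Optional[str] = None
    for _ in range(max_pages):
        kwargs: Dict[str, object] = {"MaxRecords": page_size}
        if marker:
            kwargs["Marker"] = marker
        response = client.describe_clusters(**kwargs)
        clusters.extend(response.get("Clusters", []))
        marker = response.get("Marker")
        if not marker:
            return clusters
    raise RuntimeError("pagination did not terminate within %d pages" % max_pages)


# Constructed inventory: 250 clusters, i.e. more than two full pages of 100.
SAMPLE_CLIENT = FakeRedshiftClient(["cluster-%03d" % i for i in range(250)])

if __name__ == "__main__":
    print("first page only:", len(first_page_only(SAMPLE_CLIENT)))  # 100
    print("with pagination:", len(all_clusters(SAMPLE_CLIENT)))     # 250
```

The same loop shape applies to the IAM `get_all_*` calls listed above, which page with a marker in the same way; only the parameter names differ.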

Summary of new watchers:

- vpc
  - DHCP Options
  - Internet Gateways
- subnet
- routetable
- managed policies

Summary of new Auditors or audit checks:

- managed policies
- New reference policy 2015-03 for ELB listeners.
- New alerts for FREAK vulnerable ciphers.
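The entries on ELB reference policies, export-grade ciphers and FREAK alerts describe an audit check without showing one. The following is an added example (not security_monkey's ELB auditor) of such a check over a listener policy's attributes, assumed to be in the shape botocore returns for `describe_load_balancer_policies` (`AttributeName`/`AttributeValue` pairs). Export-grade ciphers are recognised by the OpenSSL-style `EXP-` prefix; the subset flagged as FREAK-relevant is those whose key exchange is plain RSA export (no EDH/ADH/KRB5 in the name), which is the author's classification here, not an AWS one. The sample policies are constructed.

```python
"""Export-grade cipher audit over ELB policy attributes (added example, not security_monkey code)."""
from typing import Dict, Iterable, List

# Attribute names that are not ciphers in an ELB policy (protocol switches and metadata).
NON_CIPHER_PREFIXES = ("Protocol-", "Server-Defined-Cipher-Order", "Reference-Security-Policy")


def enabled_ciphers(policy_attributes: Iterable[Dict[str, str]]) -> List[str]:
    """Return cipher attribute names whose value is 'true', in the order given."""
    return [
        attr["AttributeName"]
        for attr in policy_attributes
        if attr.get("AttributeValue", "").lower() == "true"
        and not attr["AttributeName"].startswith(NON_CIPHER_PREFIXES)
    ]


def is_export_grade(cipher: str) -> bool:
    """OpenSSL names export-grade (40/56-bit) suites with an EXP- prefix."""
    return cipher.upper().startswith("EXP-")


def is_freak_candidate(cipher: str) -> bool:
    """Assumed classification: export suites using RSA key exchange are the FREAK downgrade
    targets; EDH/ADH/KRB5 export suites use a different key exchange and are excluded here."""
    name = cipher.upper()
    return is_export_grade(cipher) and not any(tag in name for tag in ("EDH", "ADH", "KRB5"))


def audit_listener_policy(policy_attributes: Iterable[Dict[str, str]]) -> Dict[str, object]:
    """Summarise export-grade exposure of one listener policy and produce issue strings."""
    enabled = enabled_ciphers(policy_attributes)
    export = [c for c in enabled if is_export_grade(c)]
    freak = [c for c in export if is_freak_candidate(c)]
    issues: List[str] = []
    if freak:
        issues.append("FREAK: RSA export-grade ciphers enabled: " + ", ".join(freak))
    if export:
        issues.append("export-grade ciphers enabled: " + ", ".join(export))
    return {"enabled": enabled, "export_grade": export, "freak": freak, "issues": issues}


# Constructed sample policies in the botocore attribute shape (not real AWS output).
LEGACY_POLICY = [
    {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"},
    {"AttributeName": "Server-Defined-Cipher-Order", "AttributeValue": "true"},
    {"AttributeName": "AES128-SHA", "AttributeValue": "true"},
    {"AttributeName": "EXP-RC4-MD5", "AttributeValue": "true"},
    {"AttributeName": "EXP-DES-CBC-SHA", "AttributeValue": "true"},
    {"AttributeName": "EXP-EDH-RSA-DES-CBC-SHA", "AttributeValue": "true"},
    {"AttributeName": "EXP-ADH-DES-CBC-SHA", "AttributeValue": "false"},
]
MODERN_POLICY = [
    {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
    {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"},
    {"AttributeName": "EXP-RC4-MD5", "AttributeValue": "false"},
]

if __name__ == "__main__":
    for label, policy in (("legacy", LEGACY_POLICY), ("modern", MODERN_POLICY)):
        print(label, audit_listener_policy(policy)["issues"] or "no export-grade ciphers")
```

Disabled ciphers (`AttributeValue` of `false`) are deliberately ignored: an ELB policy lists every cipher it knows about, so only the enabled ones describe what the listener will negotiate.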

Contributors:

- markofu
- monkeysecurity

0.3.4
-----

- Merged in a new AuditorSettings tab created by Qmando at Yelp enabling you to disable audit checks with per-account granularity.
- security_monkey is now CSP compliant.
- security_monkey has removed all shadow-DOM components. Also removed webcomponents.js and dart_support.js, as they were not CSP compliant.
- security_monkey now advises users to enable the following standard security headers (shown as nginx add_header directives):

~~~~ {.sourceCode .nginx}
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "SAMEORIGIN";
add_header Strict-Transport-Security "max-age=631138519";
add_header Content-Security-Policy "default-src 'self'; font-src 'self' https://fonts.gstatic.com; script-src 'self' https://ajax.googleapis.com; style-src 'self' https://fonts.googleapis.com;";
~~~~

- security\_monkey now has XSRF protection against all DELETE, POST, PUT, and PATCH calls.
- Updated the ELB Auditor to be aware of the ELBSecurityPolicy-2015-02 reference policy.
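To verify that a deployment actually serves the header set recommended above, here is an added checker (not security_monkey's own code) that takes a response's headers and reports which of the five are missing or weakened. The recommended values are copied from the changelog entry; the one-year minimum for the HSTS `max-age` and the CSP rules (a `default-src` must exist and not be a wildcard, and `script-src` must not allow `'unsafe-inline'` or `*`) are this example's own assumptions. Both sample responses are constructed.

```python
"""Security-header checker for the header set recommended above (added example)."""
import re
from typing import Dict, List

# Recommended values, copied from the changelog entry.
RECOMMENDED_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=631138519",
    "Content-Security-Policy": (
        "default-src 'self'; font-src 'self' https://fonts.gstatic.com; "
        "script-src 'self' https://ajax.googleapis.com; "
        "style-src 'self' https://fonts.googleapis.com;"
    ),
}

# Assumed threshold: one year, a common minimum for HSTS to be considered effective.
MIN_HSTS_MAX_AGE = 31536000


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def hsts_max_age(value: str) -> int:
    """Return max-age in seconds from an HSTS header, or -1 if absent or unparseable."""
    match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    return int(match.group(1)) if match else -1


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response; an empty list means it meets the recommendation."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    xcto = h.get("x-content-type-options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options: expected 'nosniff'")

    xxp = h.get("x-xss-protection")
    if xxp is None or not xxp.startswith("1"):
        findings.append("X-XSS-Protection: expected '1; mode=block'")

    xfo = h.get("x-frame-options")
    if xfo is None or xfo.upper() not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options: expected SAMEORIGIN or DENY")

    hsts = h.get("strict-transport-security")
    if hsts is None or hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append("Strict-Transport-Security: missing or max-age below %d" % MIN_HSTS_MAX_AGE)

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy: missing")
    else:
        policy = parse_csp(csp)
        default = policy.get("default-src")
        if not default or "*" in default:
            findings.append("Content-Security-Policy: default-src missing or wildcard")
        scripts = policy.get("script-src", default or [])  # script-src falls back to default-src
        if "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("Content-Security-Policy: script-src allows inline or wildcard scripts")
    return findings


# Constructed sample responses (not captured from a real server).
HARDENED_RESPONSE = dict(RECOMMENDED_HEADERS)
WEAK_RESPONSE = {
    "x-frame-options": "ALLOW-FROM https://example.invalid",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
}

if __name__ == "__main__":
    for name, response in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(name, check_security_headers(response) or "OK")
```

Run it against the headers of a real `/` response (for instance the dict from `requests.get(...).headers`) after deploying the nginx configuration to confirm nothing was dropped by a proxy in front of the app.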

Contributors:

- Qmando
- monkeysecurity

0.3.3
-----

- Added MirrorsUsed() to my dart code to reduce compiled javascript size.
- Added support for non-chrome browsers by importing webcomponents.js and dart_support.js
- Upgraded to Angulardart 1.1.0 and Angular-dart.ui 0.6.3

0.3.2
-----

- A bug has been corrected where IAM Groups with > 100 members or policies would be truncated.
- The web UI has been updated to use AngularDart 1.0.0. Significantly smaller javascript size.

0.3.1
-----

- Change emails again show issues and justifications.
- Change emails now use jinja templating.
- Fixed an issue where issue justifications would disappear when the item was changed.
- Merged a pull request from github user jijojv to start the scheduler at launch instead of waiting 15 minutes.

0.3.0
-----

- Add localhost to CORS for development.
- Big refactor adding monitors. Adding new watchers/auditors is now much simpler.
- Return to the current URL after authenticating.
- Added SES_REGION config. Now you can send email out of regions other than us-east-1.
- Changing default log location to /var/log/security_monkey.
- Docs now have cleaner nginx.conf.
- Add M2Crypto to get a number of new iamssl fields.
- Added favicon.

new watchers:

- eip
- redshift
- ses

enhanced watchers:

- iamssl - new fields from m2crypto
- elb - new listener policies from botocore
- sns - added sns subscriptions
- s3 - now tracks lifecycle rules

new auditors:

- redshift - checks for non-vpc deployment.
- ses - checks for verified identities

enhanced auditors:

- iamssl - cert size, signature hashing algorithm, upcoming expiration, heartbleed
- elb - check reference policy and certain custom policy fields

hotfixes:

- Fixed issue #12 - Deleting account results in foreign key constraint.
- Added missing alembic script for the ignorelist.
- Various minor documentation updates.
- API server now respects --bind parameter. (Required for the docker image).
- SES connection in utils.py is now surrounded in a try/except.
- FlaskSecurity upgraded to latest.

Contributors:

- ivanlei
- lucab
- yograterol
- monkeysecurity
