Release 0.9.2 #711

0.9.2

Author: Patrick Kelley

.travis.yml

@@ -37,6 +37,7 @@ matrix:
       install:
         - sed -i '/WTF_CSRF_ENABLED = True/c\WTF_CSRF_ENABLED = False' `pwd`/env-config/config.py
         - pip install bandit
+        - pip install pylint
 
       script:
         - coverage run -a -m py.test security_monkey/tests/auditors || exit 1
@@ -46,6 +47,7 @@ matrix:
         - coverage run -a -m py.test security_monkey/tests/interface || exit 1
         - coverage run -a -m py.test security_monkey/tests/utilities || exit 1
         - bandit -r -ll -ii -x security_monkey/tests .
+        - pylint -E -d E1101,E0611,F0401 --ignore=service.py,datastore.py,datastore_utils.py,watcher.py security_monkey
 
       after_success:
         - coveralls

Dockerfile

@@ -16,7 +16,7 @@
 FROM ubuntu:14.04
 MAINTAINER Netflix Open Source Development <talent@netflix.com>
 
-ENV SECURITY_MONKEY_VERSION=v0.9.1 \
+ENV SECURITY_MONKEY_VERSION=v0.9.2 \
     SECURITY_MONKEY_SETTINGS=/usr/local/src/security_monkey/env-config/config-docker.py
 
 RUN apt-get update &&\

dart/pubspec.yaml

@@ -1,6 +1,6 @@
 name: security_monkey
 description: An AWS Policy Monitoring and Alerting Tool
-version: 0.9.1
+version: 0.9.2
 dependencies:
   angular: "^1.1.2+2"
   angular_ui: ">=0.6.8 <0.7.0"

docker/nginx/Dockerfile

@@ -15,7 +15,7 @@
 FROM nginx:1.11.4
 MAINTAINER Netflix Open Source Development <talent@netflix.com>
 
-ENV SECURITY_MONKEY_VERSION=v0.9.1
+ENV SECURITY_MONKEY_VERSION=v0.9.2
 RUN apt-get update &&\
   apt-get install -y curl git sudo apt-transport-https &&\
   curl https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add - &&\

docs/changelog.md

@@ -1,6 +1,52 @@
 Changelog
 =========
 
+v0.9.2 (2017-05-24)
+----------------------------------------
+
+- PR #695 - @mikegrima - Fixing jinja import bug affecting change emails.
+- PR #692 - @LukeKennedy - Reduce number of API calls in Managed Policy watcher.
+- PR #694 - @supertom - GCP Documentation Updates
+- PR #701 - @supertom - Update GCP ServiceAccount Name to use email instead of DisplayName.
+- PR #702 - @rodriguezsergio - Update KMS Auditor. Don't create issue when Effect is Deny for a wildcard principal.
+- PR #697 - @mcpeak - Pylint fixes and TravisCI pylint enforcement.
+- PR #706 - @monkeysecurity Fix bug where batched watchers did not send change alert emails.
+- PR #708 - @redixin - Fix bug in docker config where `SECURITY_MONKEY_POSTGRES_PORT` would not work if passed as a string.
+- PR #714 - @monkeysecurity - Fix bug where change emails from batched watchers had incorrect color in the JSON diff.
+- PR #713 - @monkeysecurity - Fix path to favicon from flask-security jinja templates.
+- PR #709 - @crruthe - Exempt SSO API from CSRF protection.
+- PR #719 - @monkeysecurity - New simplified watcher format for CloudAux Technologies.
+- PR #726 - @monkeysecurity, @willbengtson - Add new SAMLProvider watcher.
+- PR #730 - @monkeysecurity - Fix bug where ephemerals were not respected for CloudAuxWatcher subclasses.
+- PR #727 - @supertom - Fix bug where duplicate GCP names would violate DB's unique constraint. Names now contain project ID.
+- PR #728 - @supertom - Basic Auditor Tests for GCP.
+- @monkeysecurity - Updated link to Ubuntu's SSL documentation.
+- @monkeysecurity - Bumped version of Cryptography dependency.
+- PEP8 updates.
+
+Important Notes:
+- Additional Permissions Required:
+    - "elasticloadbalancing:describelisteners",
+    - "elasticloadbalancing:describerules",
+    - "elasticloadbalancing:describesslpolicies",
+    - "elasticloadbalancing:describetags",
+    - "elasticloadbalancing:describetargetgroups",
+    - "elasticloadbalancing:describetargetgroupattributes",
+    - "elasticloadbalancing:describetargethealth",
+    - "iam:listsamlproviders",
+- New Watcher: ALB (elbv2)
+- ELB (v1) Watcher re-written with boto3 in CloudAux.  Now respects the config value `SECURITYGROUP_INSTANCE_DETAIL` when determining whether to add the instance id's to the ELB definition.
+ 
+Contributors:
+- @LukeKennedy
+- @rodriguezsergio
+- @redixin
+- @crruthe
+- @supertom
+- @mcpeak
+- @mikegrima
+- @monkeysecurity
+
 v0.9.1 (2017-04-20)
 ----------------------------------------
 

docs/iam_aws.md

@@ -98,6 +98,13 @@ Paste in this JSON with the name "SecurityMonkeyReadOnly":
                 "elasticloadbalancing:describeloadbalancerattributes",
                 "elasticloadbalancing:describeloadbalancerpolicies",
                 "elasticloadbalancing:describeloadbalancers",
+                "elasticloadbalancing:describelisteners",
+                "elasticloadbalancing:describerules",
+                "elasticloadbalancing:describesslpolicies",
+                "elasticloadbalancing:describetags",
+                "elasticloadbalancing:describetargetgroups",
+                "elasticloadbalancing:describetargetgroupattributes",
+                "elasticloadbalancing:describetargethealth",
                 "es:describeelasticsearchdomainconfig",
                 "es:listdomainnames",
                 "iam:getaccesskeylastused",
@@ -122,6 +129,7 @@ Paste in this JSON with the name "SecurityMonkeyReadOnly":
                 "iam:listpolicies",
                 "iam:listrolepolicies",
                 "iam:listroles",
+                "iam:listsamlproviders",
                 "iam:listservercertificates",
                 "iam:listsigningcertificates",
                 "iam:listuserpolicies",

docs/iam_gcp.md

@@ -30,6 +30,12 @@ To restrict which permissions Security Monkey has to your projects, we'll create
 
 ![Add User to Service Account](images/add_user_to_service_account.png "Add User to Service Account")
 
+Enable IAM API
+---------------
+
+For each GCP project you would like Security Monkey to access, you'll need to enable the IAM API.  Visit the [IAM API page](https://console.cloud.google.com/apis/api/iam.googleapis.com/overview) page in the web console
+ and click 'Enable API' at the top of the screen. When dealing with many projects, you might prefer to do this with the gcloud command.  For details on how to enable services with gcloud, visit the
+  [service-management](https://cloud.google.com/service-management/enable-disable#enabling_services) page.  The IAM service name is 'iam.googleapis.com'.
 
 Next:
 -----

docs/instance_launch_gcp.md

@@ -6,10 +6,11 @@ Create an instance running Ubuntu 14.04 LTS using our 'securitymonkey' service a
 Navigate to the [Create Instance page](https://console.developers.google.com/compute/instancesAdd). Fill in the following fields:
 
 -   **Name**: securitymonkey
--   **Zone**: If using GCP Cloud SQL, select the same zone here.
+-   **Zone**: If using GCP Cloud SQL, select the same zone here. [(Zone List)](https://cloud.google.com/compute/docs/regions-zones/regions-zones#available)
 -   **Machine Type**: 1vCPU, 3.75GB (minimum; also known as n1-standard-1)
 -   **Boot Disk**: Ubuntu 14.04 LTS
 -   **Service Account**: securitymonkey
+-   **Firewall**: Allow HTTPS Traffic
 
 Click the *Create* button to create the instance.
 
@@ -23,9 +24,8 @@ Connecting to your new instance:
 
 We will connect to the new instance over ssh with the gcloud command:
 
-    $ gcloud compute ssh <USERNAME>@<PUBLIC_IP_ADDRESS> --zone us-central
+    $ gcloud compute ssh securitymonkey --zone <ZONE>
 
-Replace the first parameter `<USERNAME>` with the username you authenticated gcloud with. Replace the last parameter `<PUBLIC_IP_ADDRESS>` with the Public IP of your instance.
 
 Next:
 -----

docs/quickstart.md

@@ -110,9 +110,9 @@ If you're using the bleeding edge (develop) branch, you will need to compile the
     /usr/lib/dart/bin/pub build
 
     # Copy the compiled Web UI to the appropriate destination
-    mkdir -p /usr/local/src/security_monkey/security_monkey/static/
-    /bin/cp -R /usr/local/src/security_monkey/dart/build/web/* /usr/local/src/security_monkey/security_monkey/static/
-    chgrp -R www-data /usr/local/src/security_monkey
+    sudo mkdir -p /usr/local/src/security_monkey/security_monkey/static/
+    sudo /bin/cp -R /usr/local/src/security_monkey/dart/build/web/* /usr/local/src/security_monkey/security_monkey/static/
+    sudo chgrp -R www-data /usr/local/src/security_monkey
 
 ### Configure the Application
 
@@ -197,7 +197,7 @@ For this quickstart guide, we will use a self-signed SSL certificate. In product
 
 There are some great instructions for generating a certificate on the Ubuntu website:
 
-[Ubuntu - Create a Self Signed SSL Certificate](https://help.ubuntu.com/12.04/serverguide/certificates-and-security.html)
+[Ubuntu - Create a Self Signed SSL Certificate](https://help.ubuntu.com/14.04/serverguide/certificates-and-security.html)
 
 The last commands you need to run from that tutorial are in the "Installing the Certificate" section:
 

env-config/config-docker.py

@@ -70,7 +70,7 @@ def env_to_bool(input):
     }
 }
 
-SQLALCHEMY_DATABASE_URI = 'postgresql://%s:%s@%s:%d/%s' % (
+SQLALCHEMY_DATABASE_URI = 'postgresql://%s:%s@%s:%s/%s' % (
     os.getenv('SECURITY_MONKEY_POSTGRES_USER', 'postgres'),
     os.getenv('SECURITY_MONKEY_POSTGRES_PASSWORD', 'securitymonkeypassword'),
     os.getenv('SECURITY_MONKEY_POSTGRES_HOST', 'localhost'),