
Releases: duo-labs/parliament

0.4.0

09 Jan 03:57
8bffd36

This release adds the ability to have custom auditors. This is documented in the README, showing an example of how to create an auditor to generate findings for any policy that grants access to a sensitive S3 bucket: https://github.com/duo-labs/parliament#custom-auditors

This also changed how the filtering works for ignoring findings, which gives some greater control over that, by changing what had been a search for a substring into a full regex match. The regex match does mean that a search for a substring like s3:* now must be written as .*s3:\\*.* (note that .* are added to the ends so this functions as a substring lookup, and the original * needs to be double-escaped as \\*).
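The substring-versus-regex change above, as an added example that is not parliament's own code: a constructed set of findings in the JSON shape from the 0.3.1 notes, filtered both ways, plus the 0/1 exit status contract from 0.3.6. It assumes the ignore pattern is applied with re.fullmatch against the finding's detail text; the note's .*s3:\\*.* is the same regex with its backslash escaped for the config file, so as a Python raw string it is r".*s3:\*.*".

```python
import re

# Constructed sample findings (not real parliament output) in the shape the
# --json output uses. The second one is deliberately sqs-only so it contains
# no "s3" text at all.
FINDINGS = [
    {"issue": "RESOURCE_MISMATCH", "severity": "MEDIUM",
     "detail": "No resources match for s3:* which requires a resource "
               "format of arn:*:s3:::*/* for the resource bucket/*"},
    {"issue": "RESOURCE_MISMATCH", "severity": "MEDIUM",
     "detail": "No resources match for sqs:SendMessage which requires a "
               "resource format of arn:*:sqs:*:*:* for the resource queue*"},
    {"issue": "UNKNOWN_ACTION", "severity": "LOW",
     "detail": "Unknown action s3:ListAllMyBucket"},
]


def substring_filter(findings, needle):
    """Pre-0.4.0 behaviour: drop any finding whose detail contains needle."""
    return [f for f in findings if needle not in f["detail"]]


def regex_filter(findings, pattern):
    """0.4.0 behaviour as described in the notes (assumed re.fullmatch):
    drop a finding only when the pattern matches its whole detail string."""
    rx = re.compile(pattern)
    return [f for f in findings if rx.fullmatch(f["detail"]) is None]


def exit_status(findings):
    """0.3.6+ contract: 1 if any finding survives filtering, else 0."""
    return 1 if findings else 0


if __name__ == "__main__":
    cases = [
        ("substring  s3:*", substring_filter(FINDINGS, "s3:*")),
        # As a regex, "s3:*" means "s3" plus zero or more colons, so a full
        # match never succeeds and nothing is ignored.
        ("regex      s3:*", regex_filter(FINDINGS, "s3:*")),
        # Correct form: anchors on both ends, literal asterisk escaped.
        (r"regex      .*s3:\*.*", regex_filter(FINDINGS, r".*s3:\*.*")),
        # Forgetting the escape turns "*" into a quantifier on the colon and
        # silently ignores every finding that mentions "s3:" at all.
        (r"regex      .*s3:*.*", regex_filter(FINDINGS, r".*s3:*.*")),
    ]
    for label, kept in cases:
        print(f"{label:24} kept={[f['issue'] for f in kept]} "
              f"exit={exit_status(kept)}")
```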

0.3.7

07 Jan 20:20
6f510f1

Updates privileges. AWS changed their doc format, so a new method was needed to scrape these, which was borrowed from work done by @kmcquade on policy_sentry.

Other changes:
@danielpops Fixed a typo

0.3.6

13 Dec 14:05
3f21218

Exit status now only uses a 1 to indicate findings (0 if there are no findings). The last release set the exit status to the number of findings, but that might not work in shell environments if there are over 255 findings. This was pointed out by Ben Bridts: https://twitter.com/benbridts/status/1205465492984647680

0.3.5

12 Dec 22:58
53d8a76

Parliament now supports a custom config file so you can change the text or severity of issues, or filter them out entirely. For usage examples see the docs at https://github.com/duo-labs/parliament#custom-config-file

0.3.4

12 Dec 19:23
38ebb60

Bug fixes

  • Allow aws:MultiFactorAuthAge to be tested against a number
  • Allow Null condition to be used without findings about the items that are being checked
  • Allow policies to have unquoted Bool values (true and false can be used without quotes)

0.3.3

11 Dec 23:34
313faaf

Fixes an exception for unknown prefixes and actions introduced in 0.3.2

0.3.2

11 Dec 21:53
800482d
  • Resource mismatches are now aggregated into a single finding, so when you grant s3:* on a bucket, it produces a single finding, instead of one for each s3 action. The detail element will include each of these actions and the required resource, which will make that element very long, especially if you were to grant all actions via *
  • Unknown action and unknown prefix findings are now their own finding types, as opposed to causing exceptions.
  • The filepath is now given when checking a single file
  • Filtering by severity will now correctly exit with an exit code of 0 if there are findings but they are all filtered
  • A policy with no Version element is now allowed and is marked as a Low finding.

0.3.1

10 Dec 21:54
e14c810
  • Returns non-zero exit codes when issues are found
  • Allows for json output
  • Finding types are now stored in a config file (eventually this config file will be exposed so you can mute findings as needed) https://github.com/duo-labs/parliament/blob/master/parliament/config.yaml
  • The parliament command allows you to specify the minimum severity to be displayed
  • There is a local ./bin/parliament script for testing while developing

Some examples:

$ bin/parliament --file test.json
...
MEDIUM - No resources match for the given action - No resources match for s3:UpdateJobStatus which requires a resource format of arn:*:s3:*:*:job/* for the resource job* - {'filepath': None}
$ bin/parliament --file test.json --json
...
{"issue": "RESOURCE_MISMATCH", "title": "No resources match for the given action", "severity": "MEDIUM", "description": "", "detail": "No resources match for s3:UpdateJobStatus which requires a resource format of arn:*:s3:*:*:job/* for the resource job*", "location": {"filepath": null}}

0.2.7

02 Dec 03:27
13a37ab
  • Updates iam privileges.
  • Makes unit tests use python 3

0.2.6

22 Nov 14:44