Link ELB/ALB issues to related security groups where appropriate (#859)

* ELB Auditor links to SG issues for Friendly/ThirdParty/Unknown/Internet Accessible issues. * Updating UI links. * Refactoring ALB Auditor to copy SG issues just like the ELB Auditor. * Fixing tests for elb. Creating tests for elbv2. * Using issue categories for ELB/ALB auditors. * Fixing a couple bugs found when deployed to production. * Fixing bug where insecure TLS issue may have been printed with double square brackets. * Fixing tests that broke because of the last commit.
Netflix · Nov 8, 2017 · 392dd9e · 392dd9e
1 parent d5e503e
commit 392dd9e
Show file tree

Hide file tree

Showing 6 changed files with 563 additions and 177 deletions.
diff --git a/dart/web/ui.html b/dart/web/ui.html
@@ -47,19 +47,22 @@
                 <li class="dropdown">
                     <a class="dropdown-toggle" data-toggle="dropdown">Internet Accessible <b class="caret"></b></a>
                     <ul class="dropdown-menu">
-                        <li><a href="#/issues/-/securitygroup/-/-/-/-/True/Security%20Group%20ingress%20rule%20contains%200.0.0.0%2F0/1/25">Security Group Ingress 0.0.0.0/0</a></li>
-                        <li><a href="#/issues/-/securitygroup/-/-/-/-/True/Security%20Group%20egress%20rule%20contains%200.0.0.0%2F0/1/25">Security Group Egress 0.0.0.0/0</a></li>
-                        <li><a href="#/issues/-/elb/-/-/-/-/True/VPC%20ELB%20is%20Internet%20accessible/1/25">VPC ELB is Internet Accessible</a></li>
-                        <li><a href="#/issues/-/alb/-/-/-/-/True/ALB%20is%20Internet%20accessible/1/25">ALB is Internet Accessible</a></li>
+                        <li><a href="#/issues/-/securitygroup/-/-/-/-/True/Internet%20Accessible/1/25">Security Group</a></li>
+                        <li><a href="#/issues/-/elb%2Calb/-/-/-/-/True/Internet%20Accessible/1/25">ELB/ALB</a></li>
                         <li class="divider"></li>
                         <li><a href="#/issues/-/elasticsearchservice%2Cglacier%2Ckms%2Clambda%2Crdssnapshot%2Cs3%2Csns%2Csqs%2Ciamrole/-/-/-/-/True/Internet%20Accessible/1/25">via Resource Policy</a></li>
                     </ul>
                 </li>
                 <li class="dropdown">
                     <a class="dropdown-toggle" data-toggle="dropdown">Cross Account <b class="caret"></b></a>
                     <ul class="dropdown-menu">
-                        <li><a href="#/issues/-/elb/-/-/-/-/True/VPC%20ELB%20accessible%20from%20non-private%20CIDR./1/25">VPC ELB accessible from non-private CIDR.</a></li>
-                        <li><a href="#/issues/-/alb/-/-/-/-/True/ALB%20accessible%20from%20non-private%20CIDR./1/25">ALB accessible from non-private CIDR.</a></li>
+                        <li><a href="#/issues/-/securitygroup/-/-/-/-/True/Unknown%20Access/1/25">Security Group Unknown Access</a></li>
+                        <li><a href="#/issues/-/securitygroup/-/-/-/-/True/Friendly%20Cross%20Account/1/25">Security Group Friendly Access</a></li>
+                        <li><a href="#/issues/-/securitygroup/-/-/-/-/True/Thirdparty%20Cross%20Account/1/25">Security Group Thirdparty Access</a></li>
+                        <li class="divider"></li>
+                        <li><a href="#/issues/-/elb%2Calb/-/-/-/-/True/Unknown%20Access/1/25">ELB/ALB Unknown Access</a></li>
+                        <li><a href="#/issues/-/elb%2Calb/-/-/-/-/True/Friendly%20Cross%20Account/1/25">ELB/ALB Friendly Access</a></li>
+                        <li><a href="#/issues/-/elb%2Calb/-/-/-/-/True/Thirdparty%20Cross%20Account/1/25">ELB/ALB Thirdparty Access</a></li>
                         <li class="divider"></li>
                         <li><a href="#/issues/-/elasticsearchservice%2Cglacier%2Ckms%2Clambda%2Crdssnapshot%2Cs3%2Csns%2Csqs%2Ciamrole/-/-/-/-/True/Unknown%20Access/1/25">Unknown Access via Resource Policy</a></li>
                         <li><a href="#/issues/-/elasticsearchservice%2Cglacier%2Ckms%2Clambda%2Crdssnapshot%2Cs3%2Csns%2Csqs%2Ciamrole/-/-/-/-/True/Friendly%20Cross%20Account/1/25">Friendly Access via Resource Policy</a></li>

diff --git a/security_monkey/auditor.py b/security_monkey/auditor.py
@@ -92,10 +92,15 @@ class Categories:
     INSECURE_CONFIGURATION = 'Insecure Configuration'
     INSECURE_CONFIGURATION_NOTES = '{description}'
 
+    RECOMMENDATION = 'Recommendation'
+    RECOMMENDATION_NOTES = '{description}'
+
+    INSECURE_TLS = 'Insecure TLS'
+    INSECURE_TLS_NOTES = 'Policy: [{policy}] Port: {port} Reason: [{reason}]'
+    INSECURE_TLS_NOTES_2 = 'Policy: [{policy}] Port: {port} Reason: [{reason}] CVE: [{cve}]'
+
     # TODO
     # 	INSECURE_CERTIFICATE = 'Insecure Certificate'
-    # 	INSECURE_TLS = 'Insecure TLS'
-
 
 class Entity:
     """ Entity instances provide a place to map policy elements like s3:my_bucket to the related account. """