This repository has been archived by the owner on Sep 17, 2021. It is now read-only.

11 Accounts Show no data. #916

Closed
fstuck37 opened this issue Jan 26, 2018 · 49 comments

@fstuck37

fstuck37 commented Jan 26, 2018

Hi All,
Hoping someone could help me identify an issue with getting data from 11 accounts.
Here's where I'm at:

  1. I just upgraded to the latest Security Monkey build, which replaced the AP Scheduler with Celery (Replace AP Scheduler with Celery 🥦 #911), to see if that would resolve this. Simply built a new instance with the same DB.
  2. I have a total of 36 AWS accounts configured - 25 are pulling data in without an issue; 11 show no data for some reason.
  3. Running Security Monkey on CentOS with an RDS PostgreSQL Database
  4. After upgrading I did not see any logs in /var/log/security_monkey/securitymonkey.log however I did find the two Database errors there after running find_changes manually. The KeyError did not show up there.
  5. Here is the status of supervisor
    securitymonkeyscheduler RUNNING pid 28938, uptime 1:46:14
    securitymonkeyui RUNNING pid 10923, uptime 19:11:23
    securitymonkeyworkers RUNNING pid 29280, uptime 0:07:18
  6. I've scripted (terraform) the creation of the Security Monkey Role and Policy so the 11 accounts are all identical to the working 25.
  7. The fetch_aws_canonical_ids worked and shows the number for all accounts.
  8. I'm thinking the KeyError stops processing and is causing the missing data but that is just speculation.

Any ideas would be very much appreciated.
Thanks,
Fred

(venv)[root@aeinfsmkpl01 security_monkey]# monkey find_changes
INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 169.254.169.254
INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 169.254.169.254
INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): sts.amazonaws.com
INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): ec2.ap-northeast-1.amazonaws.com
...
INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): ec2.sa-east-1.amazonaws.com
INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): ec2.us-east-1.amazonaws.com
INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Resetting dropped connection: ec2.us-east-1.amazonaws.com
INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Resetting dropped connection: ec2.us-east-1.amazonaws.com
...
INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Resetting dropped connection: ec2.us-east-1.amazonaws.com
INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): ec2.us-east-2.amazonaws.com
INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): ec2.us-west-1.amazonaws.com
INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): ec2.us-west-2.amazonaws.com

2018-01-26 14:21:13,031 ERROR: [X] Database error processing accounts _<ACCOUNT NAME>_, cleaning up session. [in /usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py:242]
Traceback (most recent call last):
  File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 232, in _audit_changes
    au.audit_objects()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 661, in audit_objects
    self.prep_for_audit()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 654, in prep_for_audit
    self._load_object_store()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 278, in _load_object_store
    cls._load_userids()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 405, in _load_userids
    add(cls.OBJECT_STORE['userid'], item.latest_config.get('RoleId'), item.account.identifier)
  File "build/bdist.linux-x86_64/egg/sqlalchemy/ext/hybrid.py", line 740, in __get__
    return self.fget(instance)
  File "/usr/local/src/security_monkey/security_monkey/datastore.py", line 317, in latest_config
    ).filter(ItemRevision.id==self.latest_revision_id).one().config
  File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/query.py", line 2354, in one
    raise orm_exc.NoResultFound("No row was found for one()")
NoResultFound: No row was found for one()

ERROR:security_monkey:[X] Database error processing accounts _<ACCOUNT NAME>_, cleaning up session.
Traceback (most recent call last):
  File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 232, in _audit_changes
    au.audit_objects()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 661, in audit_objects
    self.prep_for_audit()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 654, in prep_for_audit
    self._load_object_store()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 278, in _load_object_store
    cls._load_userids()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 405, in _load_userids
    add(cls.OBJECT_STORE['userid'], item.latest_config.get('RoleId'), item.account.identifier)
  File "build/bdist.linux-x86_64/egg/sqlalchemy/ext/hybrid.py", line 740, in __get__
    return self.fget(instance)
  File "/usr/local/src/security_monkey/security_monkey/datastore.py", line 317, in latest_config
    ).filter(ItemRevision.id==self.latest_revision_id).one().config
  File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/query.py", line 2354, in one
    raise orm_exc.NoResultFound("No row was found for one()")
NoResultFound: No row was found for one()

INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): sts.amazonaws.com
...
INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): ec2.us-west-2.amazonaws.com

Traceback (most recent call last):
  File "/usr/local/src/security_monkey/venv/bin/monkey", line 11, in <module>
    load_entry_point('security-monkey', 'console_scripts', 'monkey')()
  File "/usr/local/src/security_monkey/security_monkey/manage.py", line 728, in main
    manager.run()
  File "/usr/local/src/security_monkey/venv/lib/python2.7/site-packages/Flask_Script-0.6.3-py2.7.egg/flask_script/__init__.py", line 397, in run
    result = self.handle(sys.argv[0], sys.argv[1:])
  File "/usr/local/src/security_monkey/venv/lib/python2.7/site-packages/Flask_Script-0.6.3-py2.7.egg/flask_script/__init__.py", line 376, in handle
    return handle(app, *positional_args, **kwargs)
  File "/usr/local/src/security_monkey/venv/lib/python2.7/site-packages/Flask_Script-0.6.3-py2.7.egg/flask_script/commands.py", line 145, in handle
    return self.run(*args, **kwargs)
  File "/usr/local/src/security_monkey/security_monkey/manage.py", line 88, in find_changes
    manual_run_change_finder(account_names, monitor_names)
  File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 126, in manual_run_change_finder
    find_changes(account, tech)
  File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 156, in find_changes
    audit_changes([account_name], [monitor_name], False, debug)
  File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 180, in audit_changes
    _audit_changes(account, monitor.auditors, send_report, debug)
  File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 232, in _audit_changes
    au.audit_objects()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 674, in audit_objects
    method(item)
  File "/usr/local/src/security_monkey/security_monkey/auditors/security_group.py", line 129, in check_friendly_cross_account_ingress
    self._check_cross_account(item, 'FRIENDLY', self.record_friendly_access, severity=0)
  File "/usr/local/src/security_monkey/security_monkey/auditors/security_group.py", line 117, in _check_cross_account
    if key in self.inspect_entity(entity, item):
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 476, in inspect_entity
    result_set = set([self.inspect_entity_account(entity, account_identifier, same)])
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 506, in inspect_entity_account
    for account in self.OBJECT_STORE['ACCOUNTS']['DESCRIPTIONS']:
KeyError: 'DESCRIPTIONS'
@mikegrima
Contributor

I've seen this happen, but I found it hard to reproduce and don't know why yet.

@mikegrima
Contributor

I think the last exception is different from the first two. The first two I've seen a few times, but it seems to be transient.

The last one is interesting (I haven't seen that one yet).

@mikegrima
Contributor

mikegrima commented Jan 27, 2018

Running locally (with security groups), I'm seeing exceptions with this method:

    @classmethod
    def _load_userids(cls):
        """Store the UserIDs from all IAMUsers and IAMRoles."""
        user_results = cls._load_related_items('iamuser')
        role_results = cls._load_related_items('iamrole')

        for item in user_results:
            add(cls.OBJECT_STORE['userid'], item.latest_config.get('UserId'), item.account.identifier)

        for item in role_results:
            add(cls.OBJECT_STORE['userid'], item.latest_config.get('RoleId'), item.account.identifier)

In auditor.py. It seems to be on item.latest_config.get('UserId'). There is no latest_config set for the item (accessing it is raising the DB exception for me).

@mikegrima
Contributor

mikegrima commented Jan 27, 2018

So this is interesting...

Looking in my testing db, I am seeing what I guess is a half-stored value. One where the arn, latest_revision_id, latest_revision_complete_hash, and latest_revision_durable_hash are null.

So need to:

  1. Understand why the item was orphaned
  2. Figure out how to deal with it. I'm guessing deleting it is probably fine?

@mikegrima
Contributor

mikegrima commented Jan 27, 2018

@fstuck37 Can you attempt to run the following SQL query:

SELECT DISTINCT account.name FROM item JOIN account ON (item.account_id = account.id) WHERE item.latest_revision_id IS NULL;

^^ Does this return the 11 accounts you are seeing issues with?

@mikegrima
Contributor

Looking at our databases, it appears that these were all deleted items. But for some reason, the deletion doesn't have a deletion revision ID attached... So, I think the solution is, on startup of the given (celery) task, to look for these orphaned items, and create a "deletion" change record for them.

That should make things in the DB copasetic and hopefully resolve the problem.

@mikegrima
Contributor

#922 is a possible fix.

@mikegrima
Contributor

mikegrima commented Jan 27, 2018

@fstuck37 Can you do me another favor? Can you run the following query:

SELECT * FROM account WHERE third_party IS NULL;

I see that active and third_party are nullable fields, which I think is a bug and possibly the cause of the 3rd exception.

Netflix deleted a comment from imanandshah Jan 27, 2018

@fstuck37
Author

@mikegrima First off, thank you for the quick response to this request.

I ran the first query and it only returned one account that was not part of the 11.
The second query returns an empty list.

I did notice that the 11 that aren't populating are the last 11 accounts that I added.

The IDs of the first 25 accounts that are working all have IDs between 4 and 72.
The 11 that aren't working range from 76 to 86.

Going to try and delete the account that has ID 76 and see what happens.

Thanks again for all the help.
-Fred

@fstuck37
Author

OK no luck with deleting the first account nor all 11 and then adding one back.
Wondering if the issue could be in the last account before the break.

Hope this helps.
Let me know if you need anything else.

Thanks again,
-Fred

@mikegrima
Contributor

mikegrima commented Jan 28, 2018

Feel free to reach out to me on gitter, and we'll try to debug.

I would like to make sure these issues are completely resolved before I make the next major release.

@fstuck37
Author

@mikegrima
Unfortunately I'm traveling on business the next few days and will have limited time to do any troubleshooting.

If you have anything specific you'd like me to run I'll find some time to get it to you.
Beyond that I can reach out on Thursday.

Really appreciate the help and apologize for not being able to work on this sooner.
-Fred

@mikegrima
Contributor

mikegrima commented Jan 28, 2018

@fstuck37 I'm curious if #922 would resolve the problem for you.

When was the last time you upgraded security monkey? Were these problems only detected on the latest version? Much of the change finding and auditing logic has not changed in my celery refactor.

@fstuck37
Author

@mikegrima
I was running into memory leaks and upgraded as soon as you released the change to Celery.
If not today, I'll see if I have time to redeploy at some point tomorrow.
If I can it will be later in the day (Eastern Time).

Thanks,
Fred

@mikegrima
Contributor

Can you do me a favor and verify that those accounts are active?

@fstuck37
Author

@mikegrima
Yes, that was one of the first things I checked.
I added additional accounts (around 17) after I upgraded.
Only 11 of them didn't populate with data.
Didn't notice this issue before upgrading.
Thanks,
-Fred

@mikegrima
Contributor

Is it possible that the Terraform template didn't place the proper trust relationships?

Can you verify that the permissions for those 11 new accounts are correct?

@fstuck37
Author

@mikegrima
Checked the policies and they looked OK, and found a few minutes to redeploy the instance with any updates.
Unfortunately now securitymonkeyscheduler, securitymonkeyui, and securitymonkeyworkers won't start; all report "Exited too quickly (process log may have details)".

Will have to look to see if there is anything missing in my build script with the latest changes.
I'll have to pick this back up when I get back or if I have any time at night the next few days.

Thanks for the help,
Fred

@fstuck37
Author

fstuck37 commented Jan 29, 2018

@mikegrima
Ok found the issue with the redeployment. Had to add:
pip install 'defusedxml==0.5.0'
to my build script.

I also tried disabling the account in the error message and running find_changes again and the same error comes up with a different account.

Wondering if I need to redeploy the DB?
Were there any DB changes that could be causing the issue?
Thanks for all the help,
Fred

(venv)[root@aeinfsmkpl01 security_monkey]# monkey find_changes
2018-01-29 13:48:05,764 ERROR: [X] Database error processing accounts <ACCOUNT NAME>, cleaning up session. [in /usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py:293]
Traceback (most recent call last):
  File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 283, in _audit_changes
    au.audit_objects()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 661, in audit_objects
    self.prep_for_audit()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 654, in prep_for_audit
    self._load_object_store()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 278, in _load_object_store
    cls._load_userids()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 405, in _load_userids
    add(cls.OBJECT_STORE['userid'], item.latest_config.get('RoleId'), item.account.identifier)
  File "build/bdist.linux-x86_64/egg/sqlalchemy/ext/hybrid.py", line 740, in __get__
    return self.fget(instance)
  File "/usr/local/src/security_monkey/security_monkey/datastore.py", line 317, in latest_config
    ).filter(ItemRevision.id==self.latest_revision_id).one().config
  File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/query.py", line 2354, in one
    raise orm_exc.NoResultFound("No row was found for one()")
NoResultFound: No row was found for one()

ERROR:security_monkey:[X] Database error processing accounts <ACCOUNT NAME>, cleaning up session.
Traceback (most recent call last):
  File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 283, in _audit_changes
    au.audit_objects()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 661, in audit_objects
    self.prep_for_audit()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 654, in prep_for_audit
    self._load_object_store()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 278, in _load_object_store
    cls._load_userids()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 405, in _load_userids
    add(cls.OBJECT_STORE['userid'], item.latest_config.get('RoleId'), item.account.identifier)
  File "build/bdist.linux-x86_64/egg/sqlalchemy/ext/hybrid.py", line 740, in __get__
    return self.fget(instance)
  File "/usr/local/src/security_monkey/security_monkey/datastore.py", line 317, in latest_config
    ).filter(ItemRevision.id==self.latest_revision_id).one().config
  File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/query.py", line 2354, in one
    raise orm_exc.NoResultFound("No row was found for one()")
NoResultFound: No row was found for one()

Traceback (most recent call last):
  File "/usr/local/src/security_monkey/venv/bin/monkey", line 11, in <module>
    load_entry_point('security-monkey', 'console_scripts', 'monkey')()
  File "/usr/local/src/security_monkey/security_monkey/manage.py", line 728, in main
    manager.run()
  File "/usr/local/src/security_monkey/venv/lib/python2.7/site-packages/Flask_Script-0.6.3-py2.7.egg/flask_script/__init__.py", line 397, in run
    result = self.handle(sys.argv[0], sys.argv[1:])
  File "/usr/local/src/security_monkey/venv/lib/python2.7/site-packages/Flask_Script-0.6.3-py2.7.egg/flask_script/__init__.py", line 376, in handle
    return handle(app, *positional_args, **kwargs)
  File "/usr/local/src/security_monkey/venv/lib/python2.7/site-packages/Flask_Script-0.6.3-py2.7.egg/flask_script/commands.py", line 145, in handle
    return self.run(*args, **kwargs)
  File "/usr/local/src/security_monkey/security_monkey/manage.py", line 88, in find_changes
    manual_run_change_finder(account_names, monitor_names)
  File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 174, in manual_run_change_finder
    find_changes(account, tech)
  File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 207, in find_changes
    audit_changes([account_name], [monitor_name], False, debug)
  File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 231, in audit_changes
    _audit_changes(account, monitor.auditors, send_report, debug)
  File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 283, in _audit_changes
    au.audit_objects()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 674, in audit_objects
    method(item)
  File "/usr/local/src/security_monkey/security_monkey/auditors/security_group.py", line 129, in check_friendly_cross_account_ingress
    self._check_cross_account(item, 'FRIENDLY', self.record_friendly_access, severity=0)
  File "/usr/local/src/security_monkey/security_monkey/auditors/security_group.py", line 117, in _check_cross_account
    if key in self.inspect_entity(entity, item):
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 476, in inspect_entity
    result_set = set([self.inspect_entity_account(entity, account_identifier, same)])
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 506, in inspect_entity_account
    for account in self.OBJECT_STORE['ACCOUNTS']['DESCRIPTIONS']:
KeyError: 'DESCRIPTIONS'

@mikegrima
Contributor

Can you update to the latest version in the develop branch and try again? I would like to know if that at the very least fixed the first two exceptions you are seeing (which might affect the third).

I didn't make any DB schema changes, but can't hurt to run a monkey db upgrade.

@fstuck37
Author

@mikegrima
When I deploy I use the following git clone command:
git clone --depth 1 --branch develop https://github.com/Netflix/security_monkey.git &>> $SCRIPT_LOG;

Does this get the branch you want me to use?
If so this is what I deployed with already.

Also, I run the monkey db upgrade whenever I redeploy the instance.

Thanks,
Fred

@mikegrima
Contributor

The latest version is supposed to fix the orphaned items (the first 2 exceptions).

Not sure why you are still getting them. Do you only see this for IAM roles?

@fstuck37
Author

fstuck37 commented Jan 31, 2018

@mikegrima
I'll try redeploying again to see if anything changes.
Here is the part of my script that deploys Security Monkey; maybe I'm missing something with the changes to Celery.
Thanks,
-Fred

yum install -y awscli.noarch cloud-utils.x86_64 python-boto.noarch cloud-utils.x86_64 awscli.noarch python-pip python-dev libpqxx-devel.x86_64 postgresql postgresql-contrib libpq-dev nginx supervisor git libffi-dev gcc python-virtualenv httpd.x86_64 mod_ssl openssl libxml2-devel.x86_64 xmlsec1-devel.x86_64 xmlsec1-openssl-devel.x86_64 libtool-ltdl-devel.x86_64 redis.x86_64 libyaml.x86_64 libyaml-devel.x86_64

setenforce 0
mkdir /var/log/security_monkey
touch /var/log/security_monkey/security_monkey.access.log
touch /var/log/security_monkey/security_monkey.error.log
touch /var/log/security_monkey/securitymonkey.log
chown -R nginx:nginx /var/log/security_monkey/
chown -R nginx /var/www
restorecon -R -v /var/log/security_monkey/security_monkey.access.log
restorecon -R -v /var/log/security_monkey/security_monkey.error.log
setsebool -P httpd_can_network_connect 1
cd /usr/local/src
git clone --depth 1 --branch develop https://github.com/Netflix/security_monkey.git
chown -R `whoami`:nginx /usr/local/src/security_monkey
echo "SECURITY_MONKEY_SECURITY_REGISTERABLE=true" >> /usr/local/src/security_monkey/secmonkey.env;
cd security_monkey;
virtualenv venv
source venv/bin/activate
pip install --upgrade pip
pip install --upgrade setuptools
pip install --upgrade urllib3[secure]
pip install 'psycopg2==2.6.2'
pip install 'defusedxml==0.5.0'
pip install cloudaux\[gcp\]
pip install 'python-saml'
python setup.py develop
sed -i "s/DXMLSEC_DL_LIBLTDL=1/DXMLSEC_DL_LIBLTDL=1 -DXMLSEC_NO_SIZE_T/" /usr/bin/xmlsec1-config
/usr/bin/yes | pip uninstall -q dm.xmlsec.binding
pip install dm.xmlsec.binding
cd ~;
RELEASE=$(curl -L https://github.com/Netflix/security_monkey/releases/latest | grep href.*static.tar.gz | awk -F\" '{print $2}')
wget "https://github.com$RELEASE"
tar -xvzf static.tar.gz
cp -r static /usr/local/src/security_monkey/security_monkey/
chgrp -R nginx /usr/local/src/security_monkey
IPADDR=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | grep privateIp | awk -F\" '{print $4}')
sed -i "s/ec2-XX-XXX-XXX-XXX.compute-1.amazonaws.com/$IPADDR/" /usr/local/src/security_monkey/env-config/config.py
sed -i "s/securitymonkeyuser:securitymonkeypassword@localhost:5432\/secmonkey/rds_user:#####@rdsinstance.dnsentry.com:5432\/secmonkey/" /usr/local/src/security_monkey/env-config/config.py
sed -i "s/<INSERT_RANDOM_STRING_HERE>/<RANDOM STRING>}/" /usr/local/src/security_monkey/env-config/config.py
sed -i "s/<APP_ID>/<APP_ID>/" /usr/local/src/security_monkey/env-config/config.py
sed -i "s/User.email/User.email/" /usr/local/src/security_monkey/env-config/config.py
sed -i "s/'View'/'View'/" /usr/local/src/security_monkey/env-config/config.py
sed -i "s#<ONELOGIN_APP_CERT>#<ONELOGIN_APP_CERT>#" /usr/local/src/security_monkey/env-config/config.py
sed -i "s/ACTIVE_PROVIDERS = \[\]/ACTIVE_PROVIDERS = 'onelogin'/" /usr/local/src/security_monkey/env-config/config.py
mv /usr/local/src/security_monkey/env-config/config-docker.py /usr/local/src/security_monkey/env-config/config-docker.py.bak
mv /usr/local/src/security_monkey/env-config/config-local.py /usr/local/src/security_monkey/env-config/config-local.py.bak
ln -s /usr/local/src/security_monkey/env-config/config.py /usr/local/src/security_monkey/env-config/config-deploy.py
ln -s /usr/local/src/security_monkey/env-config/config.py /usr/local/src/security_monkey/env-config/config-local.py
cd /usr/local/src/security_monkey/
monkey db upgrade
monkey add_account_aws -n "Security Monkey Account" --id ###################
monkey fetch_aws_canonical_ids
sed -i "s/user=www-data/user=nginx/" /usr/local/src/security_monkey/supervisor/security_monkey_scheduler.conf
sed -i "s/user=www-data/user=nginx/" /usr/local/src/security_monkey/supervisor/security_monkey_ui.conf
sed -i "s/user=www-data/user=nginx/" /usr/local/src/security_monkey/supervisor/security_monkey_workers.conf
cp /usr/local/src/security_monkey/supervisor/security_monkey_scheduler.conf /etc/supervisord.d/security_monkey_scheduler.ini
cp /usr/local/src/security_monkey/supervisor/security_monkey_ui.conf /etc/supervisord.d/security_monkey_ui.ini
cp /usr/local/src/security_monkey/supervisor/security_monkey_workers.conf /etc/supervisord.d/security_monkey_workers.ini
mkdir /etc/nginx/sites-available
cp /usr/local/src/security_monkey/nginx/security_monkey.conf /etc/nginx/sites-available/security_monkey.conf
ln -s /etc/nginx/sites-available/security_monkey.conf /etc/nginx/conf.d/security_monkey.conf
mkdir /etc/ssl/private
chmod 700 /etc/ssl/private
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/server.key -out /etc/ssl/certs/server.crt -subj "/C=US/ST=New Yorm/L=New York/O=Unknown/CN=www.unknown.com"
systemctl enable supervisord
systemctl start supervisord
systemctl enable nginx
systemctl start nginx
setenforce 1

service nginx restart
grep nginx /var/log/audit/audit.log | audit2allow -M nginx
semodule -i nginx.pp
service nginx restart

@fstuck37
Author

fstuck37 commented Feb 1, 2018

@mikegrima
Redeployed and tried running a "monkey audit_changes" for just VPC and receive the below output.

monkey audit_changes -a '<ACCT NAME' -m vpc

2018-02-01 15:19:29,091 ERROR: [X] Database error processing accounts <ACCT>, cleaning up session. [in /usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py:299]
Traceback (most recent call last):
  File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 289, in _audit_changes
    au.audit_objects()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 661, in audit_objects
    self.prep_for_audit()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 654, in prep_for_audit
    self._load_object_store()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 278, in _load_object_store
    cls._load_userids()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 405, in _load_userids
    add(cls.OBJECT_STORE['userid'], item.latest_config.get('RoleId'), item.account.identifier)
  File "build/bdist.linux-x86_64/egg/sqlalchemy/ext/hybrid.py", line 740, in __get__
    return self.fget(instance)
  File "/usr/local/src/security_monkey/security_monkey/datastore.py", line 317, in latest_config
    ).filter(ItemRevision.id==self.latest_revision_id).one().config
  File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/query.py", line 2354, in one
    raise orm_exc.NoResultFound("No row was found for one()")
NoResultFound: No row was found for one()
ERROR:security_monkey:[X] Database error processing accounts<ACCT>, cleaning up session.
Traceback (most recent call last):
  File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 289, in _audit_changes
    au.audit_objects()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 661, in audit_objects
    self.prep_for_audit()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 654, in prep_for_audit
    self._load_object_store()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 278, in _load_object_store
    cls._load_userids()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 405, in _load_userids
    add(cls.OBJECT_STORE['userid'], item.latest_config.get('RoleId'), item.account.identifier)
  File "build/bdist.linux-x86_64/egg/sqlalchemy/ext/hybrid.py", line 740, in __get__
    return self.fget(instance)
  File "/usr/local/src/security_monkey/security_monkey/datastore.py", line 317, in latest_config
    ).filter(ItemRevision.id==self.latest_revision_id).one().config
  File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/query.py", line 2354, in one
    raise orm_exc.NoResultFound("No row was found for one()")
NoResultFound: No row was found for one()

Thanks,
Fred

@fstuck37
Author

fstuck37 commented Feb 1, 2018

@mikegrima
I'm not a Python expert so this is pseudocode, but what I was wondering is: is there any way we could log the latest_revision_id where the error is occurring?
Thanks
Fred

File "/usr/local/src/security_monkey/security_monkey/datastore.py", line 317

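from sqlalchemy.orm.exc import NoResultFound

@hybrid_property
def latest_config(self):
    """Returns the config from the latest item revision."""
    try:
        return db.session.query(ItemRevision).filter(
            ItemRevision.id == self.latest_revision_id).one().config
    except NoResultFound:
        # Log which revision id could not be found (app.logger is assumed to be
        # the Security Monkey Flask app logger available in datastore.py).
        app.logger.error("no entries found for latest_revision_id %s",
                         self.latest_revision_id)
        # Return None or raise an exception; re-raised here.
        raise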

@mikegrima
Contributor

Hello @fstuck37 - We need to understand why it cannot find the latest_item_revision as that could have other side effects in the code.

Can you please do me a favor and run the following SQL query:

SELECT * FROM item WHERE latest_revision_id is NULL;

The problem is that you still have some orphaned items in your DB. The new watcher code is supposed to find the orphaned items, and place a deletion record there. So, we need to get to the bottom of why those items are not being corrected.

@fstuck37
Author

fstuck37 commented Feb 2, 2018

@mikegrima
Well that found it.
Here is the info on what was found and what I did.

SELECT * FROM item WHERE latest_revision_id is NULL;
  id   |  region   |     name     | tech_id | account_id | latest_revision_id |                  arn                  |  latest_revision_complete_hash   |   latest_revision_durable_hash
-------+-----------+--------------+---------+------------+--------------------+---------------------------------------------------------+----------------------------------+----------------
 22421 | universal | <ROLE_NAME>  |      34 |         53 |                    | arn:aws:iam::<ACCT#>:role/<ROLE NAME> | 6b29e32a9702cd7832f5d7c5c33aa2a0 | 6b29e32a9702cd7832f5d7c5c33aa2a0
(1 row)

SELECT * FROM itemrevision WHERE item_id=22421;
  id   | active |                                       config                                                                    																																																		      |        date_created        | item_id | date_last_ephemeral_change
-------+--------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+---------+----------------------------
 22827 | t      | {"AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{"Action": "sts:AssumeRoleWithSAML", "Effect": "Allow", "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}, "Principal": {"Federated": "<ROLE ARN>"}}]}, "RoleId": "<RoleID>", "CreateDate": "2017-03-27 20:37:03+00:00", "InlinePolicies": {}, "_version": 1, "ManagedPolicies": [{"name":"AdministratorAccess", "arn": "<Policy ARN>"}], "RoleName": "<RoleName>", "InstanceProfiles": [], "Path": "/", "Arn": "<ROLE ARN>"}  | 2018-01-08 15:16:39.950556 |   22421 |
(1 row)

SELECT * FROM item WHERE latest_revision_id=22827;
 id | region | name | tech_id | account_id | latest_revision_id | arn | latest_revision_complete_hash | latest_revision_durable_hash
----+--------+------+---------+------------+--------------------+-----+-------------------------------+------------------------------
(0 rows)

UPDATE item SET latest_revision_id=22827
WHERE latest_revision_id is NULL;

I've started a manual monkey find_changes and so far did not receive the same errors but it's still running.

Here are the errors I've observed thus far:

(venv)[root]# monkey find_changes
ERROR:boto:403 Forbidden
ERROR:boto:{"Error":{"Code":"InvalidClientTokenId","Message":"The security token included in the request is invalid","Type":"Sender"},"RequestId":"d5b8005f-a021-5281-862a-52b264fc877b"}
ERROR:boto:403 Forbidden
ERROR:boto:{"Error":{"Code":"InvalidClientTokenId","Message":"The security token included in the request is invalid","Type":"Sender"},"RequestId":"9a91a80a-7d8f-5c33-a6b5-fae7b951e1bc"}
ERROR:boto:401 Unauthorized
ERROR:boto:<?xml version="1.0" encoding="UTF-8"?><Response><Errors><Error><Code>AuthFailure</Code><Message>AWS was not able to validate the provided access credentials</Message></Error></Errors><RequestID>95339820-668f-4148-be87-bc1649032819</RequestID></Response>
ERROR:boto:401 Unauthorized
ERROR:boto:<?xml version="1.0" encoding="UTF-8"?><Response><Errors><Error><Code>AuthFailure</Code><Message>AWS was not able to validate the provided access credentials</Message></Error></Errors><RequestID>d8911205-fa27-480d-a6d3-cde44a8efd47</RequestID></Response>
WARNING:policyuniverse:ARN Could not parse [AIDAJ4SJ4ASMVSNHBAXLY].
WARNING:policyuniverse:ARN Could not parse [AIDAJHEVV3CXLFMGCA2IK].
WARNING:policyuniverse:ARN Could not parse [AIDAJHEVV3CXLFMGCA2IK].
WARNING:policyuniverse:Auditor could not parse ARN AIDAJHEVV3CXLFMGCA2IK.
WARNING:policyuniverse:ARN Could not parse [AIDAJ4SJ4ASMVSNHBAXLY].
WARNING:policyuniverse:Auditor could not parse ARN AIDAJ4SJ4ASMVSNHBAXLY.
WARNING:policyuniverse:ARN Could not parse [AIDAJ4SJ4ASMVSNHBAXLY].
WARNING:policyuniverse:ARN Could not parse [AIDAJHEVV3CXLFMGCA2IK].
WARNING:policyuniverse:ARN Could not parse [AIDAJ4SJ4ASMVSNHBAXLY].
WARNING:policyuniverse:ARN Could not parse [AIDAJHEVV3CXLFMGCA2IK].
WARNING:policyuniverse:ARN Could not parse [AIDAJHEVV3CXLFMGCA2IK].
WARNING:policyuniverse:Auditor could not parse ARN AIDAJHEVV3CXLFMGCA2IK.
WARNING:policyuniverse:ARN Could not parse [AIDAJ4SJ4ASMVSNHBAXLY].
WARNING:policyuniverse:Auditor could not parse ARN AIDAJ4SJ4ASMVSNHBAXLY.
WARNING:policyuniverse:ARN Could not parse [AIDAJ4SJ4ASMVSNHBAXLY].
WARNING:policyuniverse:ARN Could not parse [AIDAJ4SJ4ASMVSNHBAXLY].
WARNING:policyuniverse:ARN Could not parse [AIDAJHEVV3CXLFMGCA2IK].
WARNING:policyuniverse:ARN Could not parse [AIDAJHEVV3CXLFMGCA2IK].
/usr/local/src/security_monkey/venv/lib/python2.7/site-packages/SQLAlchemy-0.9.2-py2.7-linux-x86_64.egg/sqlalchemy/sql/default_comparator.py:33: SAWarning: The IN-predicate on "item.arn" was invoked with an empty sequence. This results in a contradiction, which nonetheless can be expensive to evaluate.  Consider alternative strategies for improved performance.
ERROR:boto:403 Forbidden
ERROR:boto:{"Error":{"Code":"InvalidClientTokenId","Message":"The security token included in the request is invalid","Type":"Sender"},"RequestId":"30ecd7b7-db3a-57b6-aeab-855a1c731be1"}
ERROR:boto:403 Forbidden
ERROR:boto:{"Error":{"Code":"InvalidClientTokenId","Message":"The security token included in the request is invalid","Type":"Sender"},"RequestId":"0a7bb96a-8c1c-514d-85a9-eb874b560ec3"}
ERROR:boto:401 Unauthorized
ERROR:boto:<?xml version="1.0" encoding="UTF-8"?><Response><Errors><Error><Code>AuthFailure</Code><Message>AWS was not able to validate the provided access credentials</Message></Error></Errors><RequestID>bbf7ed76-19a2-410d-9ced-3ca0d069713b</RequestID></Response>
ERROR:boto:401 Unauthorized
ERROR:boto:<?xml version="1.0" encoding="UTF-8"?><Response><Errors><Error><Code>AuthFailure</Code><Message>AWS was not able to validate the provided access credentials</Message></Error></Errors><RequestID>55ea51d0-a966-4ae5-bb48-7ecd5813aa01</RequestID></Response>

I think it may be working now but the 1 account still doesn't have any objects in it so will need to see if it just needs time to get through the other accounts first.

Hope this helps you find the issue.

Thanks,
Fred
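A per-item version of the repair above, as an added example that is not part of the original post or of Security Monkey's code: the `UPDATE` in the post matches every row with a NULL `latest_revision_id`, which is safe only while the query returns a single row. The sketch assumes a cut-down `item`/`itemrevision` schema with constructed rows, and uses SQLite in place of PostgreSQL so it runs offline.

```python
import sqlite3

# Constructed sample rows; only the columns needed for the repair are modelled.
SCHEMA = """
CREATE TABLE item (id INTEGER PRIMARY KEY, name TEXT, latest_revision_id INTEGER);
CREATE TABLE itemrevision (id INTEGER PRIMARY KEY, item_id INTEGER, date_created TEXT);
INSERT INTO item VALUES (100, 'role-a', 500), (101, 'role-b', NULL),
                        (102, 'role-c', NULL), (103, 'role-d', NULL);
INSERT INTO itemrevision VALUES
  (500, 100, '2018-01-02 10:00:00'),
  (510, 101, '2018-01-03 09:00:00'),
  (511, 101, '2018-01-08 15:16:39'),
  (520, 102, '2018-01-05 12:00:00');
"""

# For every orphaned item, look up the newest revision that belongs to it.
ORPHANS = """
SELECT i.id,
       (SELECT r.id FROM itemrevision r WHERE r.item_id = i.id
         ORDER BY r.date_created DESC, r.id DESC LIMIT 1) AS newest_revision
  FROM item i
 WHERE i.latest_revision_id IS NULL
 ORDER BY i.id
"""

def find_orphans(conn):
    """Return [(item_id, newest_revision_id or None)] for items with a NULL pointer."""
    return conn.execute(ORPHANS).fetchall()

def repair_orphans(conn):
    """Point each orphaned item at its own newest revision, in one transaction.

    Items that have no revision rows at all are left untouched and their ids
    are returned so they can be investigated by hand.
    """
    orphans = find_orphans(conn)
    fixable = [(rev, item_id) for item_id, rev in orphans if rev is not None]
    with conn:  # commits on success, rolls back on error
        conn.executemany(
            "UPDATE item SET latest_revision_id = ? "
            "WHERE id = ? AND latest_revision_id IS NULL", fixable)
    return [item_id for item_id, rev in orphans if rev is None]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    unfixable = repair_orphans(conn)
    rows = conn.execute(
        "SELECT id, latest_revision_id FROM item ORDER BY id").fetchall()
    return rows, unfixable

if __name__ == "__main__":
    print(demo())
```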

@mikegrima
Contributor

mikegrima commented Feb 2, 2018

I'm very curious why the latest isn't automatically correcting that orphaned item, since it's the first thing it does when find_changes runs.

If you enable debug logging, do you see a log entry about orphaned items not being found?

@fstuck37
Author

fstuck37 commented Feb 5, 2018

@mikegrima
OK couldn't find how to put the find_changes into debug logging.
Can you provide some instruction or point me to them?

Also the system still doesn't pull new data even though we fixed the issue with the null record.
I'm wondering if redeploying the DB would help but that may wipe any info we have on the existing issue and I want to make sure you get what you need.

Thanks,
Fred

@mikegrima
Contributor

To turn on debug logging (I really need to add a section to the quickstart for this), you will need to modify your config.py file so that all level entries in LOG_CFG are set to DEBUG.

@fstuck37
Author

fstuck37 commented Feb 5, 2018

@mikegrima
I enabled debug but nothing jumped out at me.
Not sure what but something had me look at the Auditor Settings.
I could not find the accounts that weren't pulling data in there.

I checked the DB and found that all of them are missing.
I have 36 accounts but only 28 show up in the auditorsettings table:
aerdspgsp=> select id from account where third_party=false;
id

5
7
8
9
10
11
12
13
4
52
54
56
57
58
60
61
62
63
68
69
70
71
87
67
53
72
89
90
91
92
93
94
95
96
97
98
(36 rows)

aerdspgsp=> select account_id, count(account_id) from auditorsettings group by account_id;
account_id | count
------------+-------
8 | 30
12 | 3
68 | 1
58 | 14
10 | 9
11 | 7
90 | 30
4 | 36
60 | 7
56 | 3
53 | 14
54 | 6
62 | 6
71 | 1
57 | 3
72 | 1
92 | 15
97 | 24
61 | 7
52 | 22
69 | 1
96 | 22
5 | 30
13 | 7
63 | 11
9 | 14
67 | 1
7 | 31
(28 rows)

Any ideas?

As soon as I can I'll add the null entry back in and see if I get any more info on that part of the problem.

Thanks again for all the help,
Fred

@fstuck37
Author

fstuck37 commented Feb 5, 2018

@mikegrima
OK I removed the accounts and tried adding them via command line with no luck.
It still doesn't add them to the auditorsettings table.
Thanks,
Fred

@mikegrima
Contributor

I think your DB is messed up. I hate to say this, but it might be worth re-creating.

@fstuck37
Author

fstuck37 commented Feb 6, 2018

@mikegrima
OK I redeployed the entire thing (DB and all).
Added all 36 accounts via command line and the "Auditor Settings" tab is empty.
I think this is why no objects are populating in the system.
I was able to fetch the canonical names for all the accounts so there isn't a policy issue.

Do you think I'm missing something in the setup or is there an issue with the code?

Thanks,
Fred

@mikegrima
Contributor

I have not been able to replicate your issue and few other users so far have reported this.

@mstair
Contributor

mstair commented Feb 6, 2018

@fstuck37 Did you try a manual monkey find_changes?

@fstuck37
Author

fstuck37 commented Feb 7, 2018

@mstair
Started it a little over an hour ago and it's still running through the accounts.
As it's running it is adding items which also show up on the "Auditor Settings" tab.
Trying to figure out if I missed something in the supervisor files but nothing is jumping out at me.

I basically copy the original files to /etc/supervisord.d/

cp /usr/local/src/security_monkey/supervisor/security_monkey_ui.conf /etc/supervisord.d/security_monkey_ui.ini
cp /usr/local/src/security_monkey/supervisor/security_monkey_scheduler.conf /etc/supervisord.d/security_monkey_scheduler.ini
cp /usr/local/src/security_monkey/supervisor/security_monkey_workers.conf /etc/supervisord.d/security_monkey_workers.ini

In both security_monkey_scheduler.ini & security_monkey_workers.ini I changed numprocs=1 to numprocs=10. Not sure if this is appropriate but figured it was a good starting point.

Thanks again for all the help,
Fred

@mikegrima
Contributor

mikegrima commented Feb 7, 2018

> I changed numprocs=1 to numprocs=10

Could that be the issue? Worker concurrency should only be set in the celeryconfig.py file.

Also, there should only be exactly one scheduler running at any time.

@fstuck37
Author

fstuck37 commented Feb 7, 2018

@mikegrima
OK that makes sense - was really hoping I wasn't making some stupid mistake.
I changed both to 1 as well as the celeryconfig to 20 from the default of 10.

The find_changes did fail with an error:
botocore.vendored.requests.exceptions.SSLError: [Errno 24] Too many open files

Going to see if the changes to the processes fixes both.
If not I'll post more info.

I waited a little while to see if the accounts populate automatically but didn't see anything so I started the find changes again.

Thanks,
-Fred

@mstair
Contributor

mstair commented Feb 7, 2018

Whoa, guess with that many accounts you may hit default file descriptor limits with the single manual find_changes. Accounts and associated roles/policies must be good, at least for some, if you are seeing some results from find_changes. Check /var/log/supervisor/* logs for permission errors (has gotten me more than once). Sorry if I missed above, is this all on a single instance?

@fstuck37
Author

fstuck37 commented Feb 7, 2018

@mstair
find_changes bombed again but this time with error:

botocore.exceptions.ClientError: An error occurred (Throttling) when calling the ListEntitiesForPolicy operation (reached max retries: 4): Rate exceeded

Below is what I found in /var/log/supervisor/* logs:

2018-02-06 18:04:44,216 CRIT Supervisor running as root (no user in config file)
2018-02-06 18:04:44,216 WARN Included extra file "/etc/supervisord.d/security_monkey_scheduler.ini" during parsing
2018-02-06 18:04:44,216 WARN Included extra file "/etc/supervisord.d/security_monkey_ui.ini" during parsing
2018-02-06 18:04:44,216 WARN Included extra file "/etc/supervisord.d/security_monkey_workers.ini" during parsing
2018-02-06 18:04:44,236 INFO RPC interface 'supervisor' initialized
2018-02-06 18:04:44,237 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2018-02-06 18:04:44,237 INFO daemonizing the supervisord process
2018-02-06 18:04:44,238 INFO supervisord started with pid 10836
2018-02-06 18:04:45,243 INFO spawned: 'securitymonkeyworkers' with pid 10867
2018-02-06 18:04:45,245 INFO spawned: 'securitymonkeyui' with pid 10868
2018-02-06 18:04:45,247 INFO spawned: 'securitymonkeyscheduler' with pid 10869
2018-02-06 18:04:46,249 INFO success: securitymonkeyui entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2018-02-06 18:04:46,249 INFO success: securitymonkeyscheduler entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2018-02-06 18:05:45,885 INFO success: securitymonkeyworkers entered RUNNING state, process has stayed up for > than 60 seconds (startsecs)
...
2018-02-07 01:23:30,533 INFO stopped: securitymonkeyscheduler (terminated by SIGTERM)
2018-02-07 01:23:33,122 INFO stopped: securitymonkeyworkers (exit status 0)
2018-02-07 01:23:33,126 INFO spawned: 'securitymonkeyscheduler' with pid 8623
2018-02-07 01:23:34,128 INFO success: securitymonkeyscheduler entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2018-02-07 01:23:34,130 INFO spawned: 'securitymonkeyworkers' with pid 8632
2018-02-07 01:24:34,229 INFO success: securitymonkeyworkers entered RUNNING state, process has stayed up for > than 60 seconds (startsecs)
2018-02-07 02:13:01,215 INFO exited: securitymonkeyworkers (exit status 1; not expected)
2018-02-07 02:13:02,217 INFO spawned: 'securitymonkeyworkers' with pid 8749
2018-02-07 02:14:02,320 INFO success: securitymonkeyworkers entered RUNNING state, process has stayed up for > than 60 seconds (startsecs)
2018-02-07 03:02:29,299 INFO exited: securitymonkeyworkers (exit status 1; not expected)
2018-02-07 03:02:30,301 INFO spawned: 'securitymonkeyworkers' with pid 11180
2018-02-07 03:03:30,423 INFO success: securitymonkeyworkers entered RUNNING state, process has stayed up for > than 60 seconds (startsecs)
2018-02-07 03:27:20,898 INFO stopped: securitymonkeyworkers (exit status 0)
2018-02-07 03:27:20,902 INFO spawned: 'securitymonkeyworkers' with pid 11724
2018-02-07 03:28:21,129 INFO success: securitymonkeyworkers entered RUNNING state, process has stayed up for > than 60 seconds (startsecs)

...Restarted Workers here...

2018-02-07 03:35:08,199 WARN killing 'securitymonkeyworkers' (11724) with SIGKILL
2018-02-07 03:35:08,206 INFO stopped: securitymonkeyworkers (terminated by SIGKILL)
2018-02-07 03:35:09,211 INFO spawned: 'securitymonkeyworkers' with pid 11785
2018-02-07 03:36:09,448 INFO success: securitymonkeyworkers entered RUNNING state, process has stayed up for > than 60 seconds (startsecs)

Thanks,
Fred
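One way to pull the signal out of a supervisord.log like the one above, as an added example that is not part of the original post: it collects CRIT messages and counts unexpected exits and SIGKILLs per program. The sample lines are copied from the excerpt in the thread; the function name and output layout are assumptions made for this sketch.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the supervisord.log excerpt in the thread.
LOG = """\
2018-02-06 18:04:44,216 CRIT Supervisor running as root (no user in config file)
2018-02-06 18:04:44,237 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2018-02-07 01:24:34,229 INFO success: securitymonkeyworkers entered RUNNING state, process has stayed up for > than 60 seconds (startsecs)
2018-02-07 02:13:01,215 INFO exited: securitymonkeyworkers (exit status 1; not expected)
2018-02-07 02:13:02,217 INFO spawned: 'securitymonkeyworkers' with pid 8749
2018-02-07 03:02:29,299 INFO exited: securitymonkeyworkers (exit status 1; not expected)
2018-02-07 03:27:20,898 INFO stopped: securitymonkeyworkers (exit status 0)
2018-02-07 03:35:08,199 WARN killing 'securitymonkeyworkers' (11724) with SIGKILL
"""

# timestamp,millis LEVEL message
LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ (CRIT|ERRO|WARN|INFO|DEBG) (.*)$")
EXITED = re.compile(r"^exited: (\S+) \(exit status (\d+); not expected\)")
KILLED = re.compile(r"^killing '([^']+)' \(\d+\) with SIGKILL")

def summarize(log_text):
    """Summarize a supervisord log: CRIT messages, crash and SIGKILL counts."""
    crit, crashes, kills = [], Counter(), Counter()
    for raw in log_text.splitlines():
        match = LINE.match(raw)
        if not match:
            continue  # wrapped, truncated or elided ("...") line
        _, level, msg = match.groups()
        if level == "CRIT":
            crit.append(msg)
        exited = EXITED.match(msg)
        if exited:
            crashes[exited.group(1)] += 1
        killed = KILLED.match(msg)
        if killed:
            kills[killed.group(1)] += 1
    return {"crit": crit,
            "unexpected_exits": dict(crashes),
            "sigkills": dict(kills)}

if __name__ == "__main__":
    for key, value in summarize(LOG).items():
        print(key, value)
```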

@mikegrima
Contributor

mikegrima commented Feb 7, 2018

Your find_changes error is due to an AWS rate limit. CloudAux will attempt 4 times with exponential backoff: https://github.com/Netflix-Skunkworks/cloudaux/blob/master/cloudaux/aws/decorators.py#L10

I think it would be a good feature for CloudAux to have that set as an environment variable.

How many other things do you have calling that API? If you have other apps deployed calling that API in the given account, then you will likely hit those rate limits faster. You could also try submitting a ticket to AWS to see if the limits can be lifted.

@fstuck37
Author

fstuck37 commented Feb 7, 2018

Hi @mikegrima @mstair
OK, I redeployed the DB and instance again and added only two accounts.
I did the find_changes on only one of them and it pulls in all the items for the one account.
I let it sit for a while and the other never pulls in anything.
fetch_aws_canonical_ids works for both accounts.

Could I be missing something in the setup since the celery changes?

Thanks,
Fred

@mstair
Contributor

mstair commented Feb 7, 2018

What does a sudo supervisorctl status return?

@fstuck37
Author

fstuck37 commented Feb 7, 2018

@mstair @mikegrima
Everything looks like it's running as it should.

sudo supervisorctl status
securitymonkeyscheduler RUNNING pid 27036, uptime 0:49:07
securitymonkeyui RUNNING pid 26941, uptime 0:51:15
securitymonkeyworkers RUNNING pid 27045, uptime 0:49:06

Thanks,
Fred

@mstair
Contributor

mstair commented Feb 7, 2018

My celery tasking is being logged to /var/log/supervisor/securitymonkeyscheduler-stderr---supervisor-xxxxx.log. Looks like this:
[2018-02-07 16:32:07,602: DEBUG/MainProcess] beat: Waking up in 2.83 minutes.
[2018-02-07 16:34:57,778: DEBUG/MainProcess] beat: Synchronizing schedule...
[2018-02-07 16:34:57,789: INFO/MainProcess] Scheduler: Sending due task security_monkey.task_scheduler.tasks.task_account_tech(u'aws', 'sqs') (security_monkey.task_scheduler.tasks.task_account_tech)

@fstuck37
Author

fstuck37 commented Feb 7, 2018

@mstair
Only log file I have is /var/log/supervisor/supervisord.log

Where is the config for the log file you've specified?

Thanks,
Fred

@mstair
Contributor

mstair commented Feb 7, 2018

Can you jump on gitter? Might be able to assist better real-time
https://gitter.im/Netflix/security_monkey

@fstuck37
Author

fstuck37 commented Feb 7, 2018

@mstair @mikegrima

Just to document what fixed this for me.
@mstair was able to help me find what I missed.
Namely I neglected to start redis.
systemctl enable redis
systemctl start redis

So the end of this looks like we had a null latest_revision_id in the item table.
Then with the conversion to Celery I missed the part about starting redis.

Thanks to both of you for all the help,
Fred
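The failure mode documented above, where `supervisorctl status` shows every program RUNNING while Redis is not started, can be caught with a small preflight check. This is an added example, not part of the original post or of Security Monkey: it assumes Redis is the Celery broker and listens on 127.0.0.1:6379 (the Redis default, not stated in the thread), and the function names are made up for this sketch.

```python
import socket

# Constructed sample: the `supervisorctl status` output quoted in the thread.
STATUS = """\
securitymonkeyscheduler RUNNING pid 27036, uptime 0:49:07
securitymonkeyui RUNNING pid 26941, uptime 0:51:15
securitymonkeyworkers RUNNING pid 27045, uptime 0:49:06
"""

def parse_status(text):
    """Map program name -> state from `supervisorctl status` output."""
    states = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            states[parts[0]] = parts[1]
    return states

def classify_reply(reply):
    """Classify the first bytes a Redis server sends back to an inline PING."""
    if reply.startswith(b"+PONG"):
        return "ok"
    if reply.startswith(b"-NOAUTH"):
        return "auth-required"  # reachable, but a password is configured
    return "unexpected"

def broker_ping(host="127.0.0.1", port=6379, timeout=2.0):
    """PING the broker; host and port are assumptions (Redis defaults)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"PING\r\n")
            return classify_reply(sock.recv(128))
    except OSError:  # connection refused, timed out, no route
        return "unreachable"

def diagnose(status_text, broker_state):
    """Return a list of findings; an empty list means nothing was found."""
    findings = []
    for name, state in sorted(parse_status(status_text).items()):
        if state != "RUNNING":
            findings.append("%s is %s" % (name, state))
    if broker_state != "ok":
        findings.append("broker is %s; supervisor's RUNNING state does not "
                        "cover the broker" % broker_state)
    return findings

if __name__ == "__main__":
    for finding in diagnose(STATUS, broker_ping()) or ["no problems found"]:
        print(finding)
```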

@fstuck37 fstuck37 closed this as completed Feb 7, 2018