Merge 06fd7a4 into fc02df5

airbnb · Apr 2, 2020 · 2f3dfda · 2f3dfda
2 parents fc02df5 + 06fd7a4
commit 2f3dfda
Show file tree

Hide file tree

Showing 10 changed files with 22 additions and 13 deletions.
diff --git a/conf/global.json b/conf/global.json
@@ -13,6 +13,9 @@
     ],
     "scheduled_query_locations": [
       "scheduled_queries"
+    ],
+    "publisher_locations": [
+      "publishers"
     ]
   },
   "infrastructure": {

diff --git a/docs/source/config-global.rst b/docs/source/config-global.rst
@@ -69,6 +69,9 @@ Configuration
       ],
       "scheduled_query_locations": [
         "scheduled_queries"
+      ],
+      "publisher_locations": [
+        "publishers"
       ]
     }
   }
@@ -82,6 +85,7 @@ Options
 ``matcher_locations``          Yes            ``["matchers"]``           List of local paths where ``matchers`` are defined
 ``rule_locations``             Yes            ``["rules"]``              List of local paths where ``rules`` are defined
 ``scheduled_query_locations``  Yes            ``["scheduled_queries"]``  List of local paths where ``scheduled_queries`` are defined
+``publisher_locations``        Yes            ``["publishers"]``         List of local paths where ``publishers`` are defined
 =============================  =============  =========================  ===============
 
 

diff --git a/rules/matchers/__init__.py → matchers/__init__.py b/rules/matchers/__init__.py → matchers/__init__.py
diff --git a/rules/matchers/matchers.py → matchers/default.py b/rules/matchers/matchers.py → matchers/default.py
@@ -4,7 +4,7 @@
 is specific for the `prod` environment, we can define a matcher
 and add it to our rules' `matchers` keyword argument:
 
-from rules.matchers import matchers
+from matchers import default
 
 @rule('root_logins', logs=['osquery:differential'], matchers=[matchers.prod],
       outputs=['pagerduty:sample-integration'])
@@ -14,13 +14,16 @@
 @rule('root_logins', logs=['osquery:differential'],
       matchers=[matchers.prod, matchers.pci], outputs=['pagerduty:sample-integration'])
 """
+
+
 class AwsGuardDutyMatcher:
     """A class contains matchers for AWS GuardDuty service"""
 
     @classmethod
     def guard_duty(cls, rec):
         return rec['detail-type'] == 'GuardDuty Finding'
 
+
 class OsqueryMatcher:
     """A class defines contains matchers for Osquery events"""
 
@@ -33,12 +36,10 @@ class OsqueryMatcher:
         'runlevel'
     }
 
-
     @classmethod
     def added(cls, rec):
         return rec['action'] == 'added'
 
-
     @classmethod
     def user_login(cls, rec):
         """Capture user logins from the osquery last table

diff --git a/rules/community/cloudtrail/cloudtrail_aws_config.py b/rules/community/cloudtrail/cloudtrail_aws_config.py
@@ -1,5 +1,5 @@
 """Alert on AWS Config"""
-from rules.matchers.matchers import AwsConfigMatcher
+from matchers.default import AwsConfigMatcher
 from streamalert.shared.rule import rule
 
 

diff --git a/rules/community/guardduty/guard_duty_all.py b/rules/community/guardduty/guard_duty_all.py
@@ -1,5 +1,5 @@
 """Alert on GuardDuty"""
-from rules.matchers.matchers import AwsGuardDutyMatcher
+from matchers.default import AwsGuardDutyMatcher
 from streamalert.shared.rule import rule
 
 

diff --git a/rules/community/osquery/ssh_login_activity.py b/rules/community/osquery/ssh_login_activity.py
@@ -1,5 +1,5 @@
 """Detect ssh login activity based on osquery last table"""
-from rules.matchers.matchers import OsqueryMatcher
+from matchers.default import OsqueryMatcher
 from streamalert.shared.rule import rule
 
 

diff --git a/streamalert/shared/publisher.py b/streamalert/shared/publisher.py
@@ -17,6 +17,7 @@
 from copy import deepcopy
 from inspect import isclass
 
+from streamalert.shared.config import load_config
 from streamalert.shared.importer import import_folders
 from streamalert.shared.logger import get_logger
 
@@ -117,17 +118,16 @@ class AlertPublisherRepository:
     As a usability optimization, using this Repository will eagerly load and register all
     publishers in the application.
     """
-    _PUBLISHERS_DIRECTORY = 'publishers'
     _publishers = {}
     _is_imported = False
 
     @classmethod
     def import_publishers(cls):
         if not cls._is_imported:
-            import_folders(cls._PUBLISHERS_DIRECTORY)
+            config = load_config()
+            import_folders(*config['global']['general'].get('publisher_locations', []))
             cls._is_imported = True
 
-
     @staticmethod
     def is_valid_publisher(thing):
         """Returns TRUE if the given reference can be registered as a publisher

diff --git a/tests/unit/conf/global.json b/tests/unit/conf/global.json
@@ -8,7 +8,8 @@
   "general": {
     "matcher_locations": [],
     "rule_locations": [],
-    "scheduled_query_locations": []
+    "scheduled_query_locations": [],
+    "publisher_locations": []
   },
   "infrastructure": {
     "alerts_table": {

diff --git a/tests/unit/streamalert/shared/test_importer.py b/tests/unit/streamalert/shared/test_importer.py
@@ -30,7 +30,7 @@ def setUp(self):
         self.setUpPyfakefs()
 
         # Add rule and matcher files which should be imported.
-        self.fs.create_file('matchers/matchers.py')
+        self.fs.create_file('matchers/default.py')
         self.fs.create_file('rules/example.py')
         self.fs.create_file('rules/community/cloudtrail/critical_api.py')
 
@@ -45,7 +45,7 @@ def test_python_rule_paths():
         """Rule - Python File Paths"""
         result = set(_python_file_paths('matchers', 'rules'))
         expected = {
-            'matchers/matchers.py',
+            'matchers/default.py',
             'rules/example.py',
             'rules/community/cloudtrail/critical_api.py'
         }
@@ -72,7 +72,7 @@ def test_import_rules(mock_import):
         """Rule - Import Folders"""
         import_folders('matchers', 'rules')
         mock_import.assert_has_calls([
-            call('matchers.matchers'),
+            call('matchers.default'),
             call('rules.example'),
             call('rules.community.cloudtrail.critical_api')
         ], any_order=True)