security_monkey Documentation
Release 0.1.2

Patrick Kelley

June 03, 2015

Contents

1 Project resources

2 Quick Start
  2.1 Quick Start Guide

3 Changelog
  3.1 Changelog

4 API Reference
  4.1 API Reference

5 About
  5.1 Authors
  5.2 Changelog
  5.3 Contributing

Python Module Index

security_monkey Documentation, Release 0.1.2

Security Monkey monitors policy changes and alerts on insecure configurations in an AWS account. While Security Monkey's main purpose is security, it also proves a useful tool for tracking down potential problems, as it is essentially a change tracking system.

It works on CPython 2.7. It is known to work on Ubuntu Linux and OS X.


CHAPTER 1

Project resources

• Documentation

• Source code

• Issue tracker


CHAPTER 2

Quick Start

2.1 Quick Start Guide

2.1.1 Docker Images

Before we start, consider following the docker instructions. Docker helps simplify the process to get up and running. The docker images are not currently ready for production use, but are good enough to get up and running with an instance of security_monkey.

Not into the docker thing? Keep reading.

2.1.2 Setup IAM Roles

We need to create two roles for security monkey. The first role, SecurityMonkeyInstanceProfile, is an instance profile that we will launch security monkey into. The permissions on this role allow the monkey to use STS to assume other roles and to use SES to send email. The second role, SecurityMonkey, holds the read-only permissions used to inspect an account; the instance profile assumes it via STS.

Creating SecurityMonkeyInstanceProfile Role

Create a new role and name it “SecurityMonkeyInstanceProfile”:

Select “Amazon EC2” under “AWS Service Roles”.


Select “Custom Policy”:

Paste in this JSON with the name “SecurityMonkeyLaunchPerms”:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ses:SendEmail"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"
    }
  ]
}

Review and create your new role. Note that "Resource": "*" on sts:AssumeRole lets the instance attempt to assume any role whose trust policy names it; once you know the ARNs of your SecurityMonkey roles, you can narrow this statement to those ARNs.


Creating SecurityMonkey Role

Create a new role and name it “SecurityMonkey”:

Select “Amazon EC2” under “AWS Service Roles”.

Select “Custom Policy”:


Paste in this JSON with the name “SecurityMonkeyReadOnly”:

{
  "Statement": [
    {
      "Action": [
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "iam:List*",
        "iam:Get*",
        "route53:Get*",
        "route53:List*",
        "rds:Describe*",
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketPolicy",
        "s3:GetBucketVersioning",
        "s3:GetLifecycleConfiguration",
        "s3:ListAllMyBuckets",
        "sdb:GetAttributes",
        "sdb:List*",
        "sdb:Select*",
        "ses:Get*",
        "ses:List*",
        "sns:Get*",
        "sns:List*",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ReceiveMessage"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Review and create the new role.


Allow SecurityMonkeyInstanceProfile to AssumeRole to SecurityMonkey

You should now have two roles available in your AWS Console:

Select the “SecurityMonkey” role and open the “Trust Relationships” tab.

Edit the Trust Relationship and paste this in:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<YOUR ACCOUNTID GOES HERE>:role/SecurityMonkeyInstanceProfile"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Adding more accounts

To have your instance of security monkey monitor additional accounts, you must add a SecurityMonkey role in the new account. Follow the instructions above to create the new SecurityMonkey role. The Trust Relationship policy should have the account ID of the account where the security monkey instance is running, not the ID of the account being monitored.

Note

Additional SecurityMonkeyInstanceProfile roles are not required. You only need to create a new SecurityMonkey role.

Note

You will also need to add the new account in the Web UI, and restart the scheduler. More information on how to do this will be presented later in this guide.
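The three documents above can be generated and sanity-checked before you paste them into the console. The following is an added example, not part of Security Monkey: it builds the launch policy and a per-account trust policy, checks that a trust policy names only the expected instance-profile role, and lists any action in the read-only policy whose verb is not a plain read. The role names are the ones used in this guide; the account IDs used when running it are constructed placeholders.

```python
"""Added example, not part of Security Monkey: build and sanity-check the IAM
documents from the quick start before pasting them into the AWS console.
Role names come from the guide; account IDs used here are placeholders."""
import json

# API verbs treated as pure reads.  sqs:ReceiveMessage is deliberately absent:
# receiving a message hides it from other consumers for the visibility timeout,
# so a monitoring role holding it deserves a second look.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Select")

INSTANCE_PROFILE_ROLE = "SecurityMonkeyInstanceProfile"

# The SecurityMonkeyReadOnly policy exactly as listed in the guide.
READ_ONLY_POLICY = {
    "Statement": [{
        "Action": [
            "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
            "ec2:Describe*", "elasticloadbalancing:Describe*",
            "iam:List*", "iam:Get*", "route53:Get*", "route53:List*",
            "rds:Describe*", "s3:GetBucketAcl", "s3:GetBucketCORS",
            "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketPolicy",
            "s3:GetBucketVersioning", "s3:GetLifecycleConfiguration",
            "s3:ListAllMyBuckets", "sdb:GetAttributes", "sdb:List*",
            "sdb:Select*", "ses:Get*", "ses:List*", "sns:Get*", "sns:List*",
            "sqs:GetQueueAttributes", "sqs:ListQueues", "sqs:ReceiveMessage",
        ],
        "Effect": "Allow",
        "Resource": "*",
    }]
}


def instance_profile_arn(monitoring_account_id):
    return "arn:aws:iam::%s:role/%s" % (monitoring_account_id, INSTANCE_PROFILE_ROLE)


def launch_perms():
    """SecurityMonkeyLaunchPerms: send mail via SES, assume roles via STS."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["ses:SendEmail"], "Resource": "*"},
            {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"},
        ],
    }


def trust_policy(monitoring_account_id):
    """Trust relationship for the SecurityMonkey role in any monitored account.

    The principal is always the instance-profile role in the account where the
    Security Monkey instance runs, not the account being monitored."""
    return {
        "Version": "2008-10-17",
        "Statement": [{
            "Sid": "",
            "Effect": "Allow",
            "Principal": {"AWS": [instance_profile_arn(monitoring_account_id)]},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def non_read_actions(policy):
    """Every allowed action whose verb is not in READ_ONLY_PREFIXES."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            verb = action.split(":", 1)[-1]     # "*" on its own is also flagged
            if not verb.startswith(READ_ONLY_PREFIXES):
                flagged.append(action)
    return flagged


def trust_is_scoped(trust, monitoring_account_id):
    """True only if every AssumeRole principal is the expected role ARN.

    A "*" principal or a foreign-account ARN would let someone else assume the
    read-only role and pull the whole account inventory."""
    expected = instance_profile_arn(monitoring_account_id)
    matched = False
    for stmt in trust["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return False
        for arn in _as_list(principal.get("AWS", [])):
            if arn != expected:
                return False
            matched = True
    return matched


if __name__ == "__main__":
    print(json.dumps(trust_policy("123456789012"), indent=2))
    print(json.dumps(non_read_actions(READ_ONLY_POLICY)))
```

Run it with no arguments to print a trust policy for a placeholder account; the non-read check reports only sqs:ReceiveMessage, which is worth knowing before you grant it to a monitoring role that shares queues with real consumers.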

TODO

Document how to setup an SES account and validate it.

2.1.3 Launch an Ubuntu Instance

Netflix monitors dozens of AWS accounts easily on a single m3.large instance. For this guide, we will launch an m1.small.

In the console, start the process to launch a new Ubuntu instance. The screenshot below shows EC2 classic, but you can also launch this in a VPC:

Select an m1.small and select “Next: Configure Instance Details”.

Note: Do not select “Review and Launch”. We need to launch this instance in a specific role.

Under “IAM Role”, select SecurityMonkeyInstanceProfile:


You may now launch the new instance. Please take note of the "Public DNS" entry. We will need that later when configuring security monkey.

Now may also be a good time to edit the "launch-wizard-1" security group to restrict access to your IP. Make sure you leave TCP 22 open for ssh and TCP 443 for HTTPS.

Keypair

You may be prompted to download a keypair. You should protect this keypair; it is used to provide ssh access to the new instance. Put it in a safe place. You will need to change the permissions on the keypair to 600:

$ chmod 600 SecurityMonkeyKeyPair.pem

Connecting to your new instance:

We will connect to the new instance over ssh:

$ ssh -i SecurityMonkeyKeyPair.pem -l ubuntu <PUBLIC_IP_ADDRESS>

Replace the last parameter (<PUBLIC_IP_ADDRESS>) with the Public IP of your instance.

2.1.4 Install Pre-requisites

We now have a fresh install of Ubuntu. Let's add the hostname to the hosts file. First, find the hostname:

$ hostname
ip-172-30-0-151

Add this to /etc/hosts (use nano if you're not familiar with vi):

$ sudo vi /etc/hosts
127.0.0.1 ip-172-30-0-151

Create the logging folders:

sudo mkdir /var/log/security_monkey
sudo chown www-data /var/log/security_monkey
sudo mkdir /var/www
sudo chown www-data /var/www
sudo touch /var/log/security_monkey/security_monkey.error.log
sudo touch /var/log/security_monkey/security_monkey.access.log
sudo touch /var/log/security_monkey/security_monkey-deploy.log
sudo chown www-data /var/log/security_monkey/security_monkey-deploy.log

Let’s install the tools we need for Security Monkey:

$ sudo apt-get update
$ sudo apt-get -y install python-pip python-dev python-psycopg2 postgresql postgresql-contrib libpq-dev nginx supervisor git swig python-m2crypto

Setup Postgres

For production, you will want to use an AWS RDS Postgres database. For this guide, we will setup a database on theinstance that was just launched.

First, set a password for the postgres user. For this guide, we will use securitymonkeypassword:

$ sudo -u postgres psql
postgres# \password postgres
Enter new password: securitymonkeypassword
Enter it again: securitymonkeypassword

Type CTRL-D to exit psql once you have changed the password.

Next, we will create a new database:

$ sudo -u postgres createdb secmonkey

2.1.5 Clone the Security Monkey Repo

Next we’ll clone and install the package:

$ cd /usr/local/src
$ sudo git clone --depth 1 --branch master https://github.com/Netflix/security_monkey.git
$ cd security_monkey
$ sudo python setup.py install

New in 0.2.0 - Compile the web-app from the Dart code:

# Get the Google Linux package signing key.
$ curl https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -

# Set up the location of the stable repository.
$ cd ~
$ curl https://storage.googleapis.com/download.dartlang.org/linux/debian/dart_stable.list > dart_stable.list
$ sudo mv dart_stable.list /etc/apt/sources.list.d/dart_stable.list
$ sudo apt-get update
$ sudo apt-get install -y dart

# Build the Web UI
$ cd /usr/local/src/security_monkey/dart
$ sudo /usr/lib/dart/bin/pub build

# Copy the compiled Web UI to the appropriate destination
$ sudo /bin/mkdir -p /usr/local/src/security_monkey/security_monkey/static/
$ sudo /bin/cp -R /usr/local/src/security_monkey/dart/build/web/* /usr/local/src/security_monkey/security_monkey/static/

Configure the Application

Edit /usr/local/src/security_monkey/env-config/config-deploy.py:

# Insert any config items here.
# This will be fed into Flask/SQLAlchemy inside security_monkey/__init__.py

LOG_LEVEL = "DEBUG"
LOG_FILE = "/var/log/security_monkey/security_monkey-deploy.log"

SQLALCHEMY_DATABASE_URI = 'postgresql://postgres:securitymonkeypassword@localhost:5432/secmonkey'

SQLALCHEMY_POOL_SIZE = 50
SQLALCHEMY_MAX_OVERFLOW = 15
ENVIRONMENT = 'ec2'
USE_ROUTE53 = False
FQDN = '<PUBLIC_IP_ADDRESS>'
API_PORT = '5000'
WEB_PORT = '443'
FRONTED_BY_NGINX = True
NGINX_PORT = '443'
WEB_PATH = '/static/ui.html'
BASE_URL = 'https://{}/'.format(FQDN)

SECRET_KEY = '<INSERT_RANDOM_STRING_HERE>'

MAIL_DEFAULT_SENDER = 'securitymonkey@<YOURDOMAIN>.com'
SECURITY_REGISTERABLE = True
SECURITY_CONFIRMABLE = False
SECURITY_RECOVERABLE = False
SECURITY_PASSWORD_HASH = 'bcrypt'
SECURITY_PASSWORD_SALT = '<INSERT_RANDOM_STRING_HERE>'

SECURITY_POST_LOGIN_VIEW = BASE_URL
SECURITY_POST_REGISTER_VIEW = BASE_URL
SECURITY_POST_CONFIRM_VIEW = BASE_URL
SECURITY_POST_RESET_VIEW = BASE_URL
SECURITY_POST_CHANGE_VIEW = BASE_URL

# This address gets all change notifications
SECURITY_TEAM_EMAIL = []

# These are only required if using SMTP instead of SES
EMAILS_USE_SMTP = True  # Otherwise, Use SES
SES_REGION = 'us-east-1'
MAIL_SERVER = 'smtp.<YOUREMAILPROVIDER>.com'
MAIL_PORT = 465
MAIL_USE_SSL = True
MAIL_USERNAME = 'securitymonkey'
MAIL_PASSWORD = '<YOURPASSWORD>'

A few things need to be modified in this file before we move on.

SQLALCHEMY_DATABASE_URI: The value above will be correct for the username "postgres" with the password "securitymonkeypassword" and the database name of "secmonkey". Please edit this line if you have created a different database name, username or password.

FQDN: You will need to enter the public DNS name (or public IP address) you obtained when you launched the security monkey instance.

SECRET_KEY: This is the key Flask uses to sign session cookies; anyone who knows it can forge a logged-in session. Please use your own long random string and keep it secret.

SECURITY_CONFIRMABLE: Leave this off (False) until you have configured and validated an SES account. More information will be made available on this topic soon.

SECURITY_RECOVERABLE: Leave this off (False) until you have configured and validated an SES account. More information will be made available on this topic soon.

SECURITY_PASSWORD_SALT: This is used by Flask-Security when hashing user passwords before they are stored in the database. Please use your own random string, different from SECRET_KEY.

Other values are self-explanatory.
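Two of these values must be random, and none of the angle-bracket placeholders may survive into a running deployment. As an added example (not part of Security Monkey), the script below generates suitable secrets from the OS random source and pre-flights a config for leftover placeholders, short secrets, a salt that duplicates the key, and the throwaway database password used in this guide. The placeholder markers are the ones in the listing above; the 32-character minimum and the load_config helper are this example's own choices.

```python
"""Added example, not part of Security Monkey: generate SECRET_KEY and
SECURITY_PASSWORD_SALT values and pre-flight a config-deploy.py before the
services are started.  Placeholder markers match the guide's listing; the
minimum secret length is an assumption of this example."""
import base64
import os
import re
import runpy

PLACEHOLDER = re.compile(r"<[A-Z_ ]+>")       # <PUBLIC_IP_ADDRESS>, <YOURPASSWORD>, ...
SECRET_KEYS = ("SECRET_KEY", "SECURITY_PASSWORD_SALT")
MIN_SECRET_CHARS = 32                         # assumption: at least 32 characters
GUIDE_DB_PASSWORD = "securitymonkeypassword"  # the throwaway password from this guide


def generate_secret(nbytes=32):
    """URL-safe string from the OS CSPRNG; 32 bytes give 43 characters."""
    raw = base64.urlsafe_b64encode(os.urandom(nbytes))
    return raw.decode("ascii").rstrip("=")


def load_config(path):
    """Execute a config-deploy.py and keep its upper-case settings."""
    namespace = runpy.run_path(path)
    return {k: v for k, v in namespace.items() if k.isupper()}


def check_config(cfg):
    """Return a list of problems; an empty list means the config is usable."""
    problems = []
    for key, value in sorted(cfg.items()):
        if isinstance(value, str) and PLACEHOLDER.search(value):
            problems.append("%s still contains a placeholder" % key)
    for key in SECRET_KEYS:
        if len(cfg.get(key) or "") < MIN_SECRET_CHARS:
            problems.append("%s is missing or shorter than %d characters" % (key, MIN_SECRET_CHARS))
    if cfg.get("SECRET_KEY") and cfg.get("SECRET_KEY") == cfg.get("SECURITY_PASSWORD_SALT"):
        problems.append("SECRET_KEY and SECURITY_PASSWORD_SALT must differ")
    if GUIDE_DB_PASSWORD in (cfg.get("SQLALCHEMY_DATABASE_URI") or ""):
        problems.append("SQLALCHEMY_DATABASE_URI still uses the password from this guide")
    return problems


# Constructed sample: the listing above with the secrets left as placeholders.
UNEDITED_CONFIG = {
    "FQDN": "<PUBLIC_IP_ADDRESS>",
    "SECRET_KEY": "<INSERT_RANDOM_STRING_HERE>",
    "SECURITY_PASSWORD_SALT": "<INSERT_RANDOM_STRING_HERE>",
    "SQLALCHEMY_DATABASE_URI": "postgresql://postgres:securitymonkeypassword@localhost:5432/secmonkey",
    "MAIL_PASSWORD": "<YOURPASSWORD>",
}


if __name__ == "__main__":
    import sys
    cfg = load_config(sys.argv[1]) if len(sys.argv) > 1 else UNEDITED_CONFIG
    for problem in check_config(cfg):
        print(problem)
    print("new secret: " + generate_secret())
```

Pass the path of your config-deploy.py as the first argument to check a real file; with no argument it checks the unedited listing and reports every placeholder.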

SECURITY_MONKEY_SETTINGS:

The SECURITY_MONKEY_SETTINGS variable should point to the config-deploy.py we just reviewed.:

$ export SECURITY_MONKEY_SETTINGS=<Path to your config-deploy.py>

For example:

$ export SECURITY_MONKEY_SETTINGS=/usr/local/src/security_monkey/env-config/config-deploy.py

Create the database tables:

Security Monkey uses Flask-Migrate (Alembic) to keep database tables up to date. To create the tables, run this command (-E preserves the SECURITY_MONKEY_SETTINGS variable you exported above):

$ cd /usr/local/src/security_monkey/
$ sudo -E python manage.py db upgrade

2.1.6 Setting up Supervisor

Supervisor will auto-start security monkey and will auto-restart security monkey if it were to crash.

# Control Startup/Shutdown:
# sudo supervisorctl

[program:securitymonkey]
user=www-data
environment=PYTHONPATH='/usr/local/src/security_monkey/',SECURITY_MONKEY_SETTINGS="/usr/local/src/security_monkey/env-config/config-deploy.py"
autostart=true
autorestart=true
command=python /usr/local/src/security_monkey/manage.py run_api_server

[program:securitymonkeyscheduler]
user=www-data
autostart=true
autorestart=true
directory=/usr/local/src/security_monkey/
environment=PYTHONPATH='/usr/local/src/security_monkey/',SECURITY_MONKEY_SETTINGS="/usr/local/src/security_monkey/env-config/config-deploy.py"
command=python /usr/local/src/security_monkey/manage.py start_scheduler

Copy security_monkey/supervisor/security_monkey.conf to /etc/supervisor/conf.d/security_monkey.conf and make sure it points to the locations where you cloned the security monkey repo:

$ sudo service supervisor restart
$ sudo supervisorctl

Supervisor will attempt to start two python jobs and make sure they are running. The first job, securitymonkey, is gunicorn, which it launches by calling manage.py run_api_server.

The second job supervisor runs is the scheduler, which looks for changes every 15 minutes. The scheduler will fail to start at this time because there are no accounts for it to monitor. Later, we will add an account and start the scheduler.

You can track progress by tailing security_monkey-deploy.log.

2.1.7 Create an SSL Certificate

For this quickstart guide, we will use a self-signed SSL certificate. In production, you will want to use a certificate that has been signed by a trusted certificate authority:

$ cd ~

There are some great instructions for generating a certificate on the Ubuntu website:

Ubuntu - Create a Self Signed SSL Certificate

The last commands you need to run from that tutorial are in the “Installing the Certificate” section:

sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private

Once you have finished the instructions at the link above, and these two files are in your /etc/ssl/certs and /etc/ssl/private, you are ready to move on in this guide. Keep server.key readable by root only.

2.1.8 Setup Nginx:

Security Monkey uses gunicorn to serve up content on its internal 127.0.0.1 address. For better performance, and to offload the work of serving static files, we wrap gunicorn with nginx. Nginx listens on 0.0.0.0, proxies some connections to gunicorn for processing and serves up static files quickly.

securitymonkey.conf

Save the config file below to:

/etc/nginx/sites-available/securitymonkey.conf


add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "SAMEORIGIN";
add_header Strict-Transport-Security "max-age=631138519";
add_header Content-Security-Policy "default-src 'self'; font-src 'self' https://fonts.gstatic.com; script-src 'self' https://ajax.googleapis.com; style-src 'self' https://fonts.googleapis.com;";

server {
    listen 0.0.0.0:443 ssl;
    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;
    access_log /var/log/security_monkey/security_monkey.access.log;
    error_log /var/log/security_monkey/security_monkey.error.log;

    location ~* ^/(reset|confirm|healthcheck|register|login|logout|api) {
        proxy_read_timeout 120;
        proxy_pass http://127.0.0.1:5000;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /static {
        rewrite ^/static/(.*)$ /$1 break;
        root /usr/local/src/security_monkey/security_monkey/static;
        index ui.html;
    }

    location / {
        root /usr/local/src/security_monkey/security_monkey/static;
        index ui.html;
    }
}

Symlink the sites-available file to the sites-enabled folder:

$ sudo ln -s /etc/nginx/sites-available/securitymonkey.conf /etc/nginx/sites-enabled/securitymonkey.conf

Delete the default configuration:

$ sudo rm /etc/nginx/sites-enabled/default

Restart nginx:

$ sudo service nginx restart

2.1.9 Registering An Account

You should now be able to reach your server over HTTPS at the public DNS name or IP address you noted earlier.

Navigate to the Register page to create your first user account:

After you have registered a new account and logged in, you need to add an account for Security Monkey to monitor. Click on "Settings" in the very top menu bar.


Adding an Account in the Web UI

Here you will see a list of the accounts Security Monkey is monitoring. (It should be empty.)

Click on the plus sign to create a new account:

Now we will provide Security Monkey with information about the account you would like to monitor.

When creating a new account in Security Monkey, you may use any “Name” that you would like. Example names are‘prod’, ‘test’, ‘dev’, or ‘it’. Names should be unique.

The S3 Name has special meaning. This is the name used on S3 ACL policies. If you are unsure, it is probably the beginning of the email address that was used to create the AWS account. (If you signed up with an email address whose local part is super_geek, your s3 name is probably super_geek.) You can edit this value at any time.

The Number is the AWS account number. This must be provided.

Notes is an optional field.


Active specifies whether Security Monkey should track policies and changes in this account. There are cases where you want Security Monkey to know about a friendly account, but don't want Security Monkey to track its changes.

Third Party This is a way to tell security monkey that the account is friendly and not owned by you.

Note: You will need to restart the scheduler whenever you add a new account or disable an existing account. We plan to remove this requirement in the future:

$ sudo supervisorctl
securitymonkey                   RUNNING   pid 11401, uptime 0:05:56
securitymonkeyscheduler          FATAL     Exited too quickly (process log may have details)
supervisor> start securitymonkeyscheduler
securitymonkeyscheduler: started
supervisor> status
securitymonkey                   RUNNING   pid 11401, uptime 0:06:49
securitymonkeyscheduler          RUNNING   pid 11519, uptime 0:00:42
supervisor>

The first run will occur in 15 minutes. You can monitor all the log files in /var/log/security_monkey/. In the browser,you can hit the ‘AutoRefresh‘ button so the browser will attempt to load results every 30 seconds.

Note: You can also add accounts via the command line with manage.py:

$ python manage.py add_account --number 12345678910 --name account_foo
Successfully added account account_foo

If an account with the same number already exists, this will do nothing, unless you pass --force, in which case it will override the existing account:

$ python manage.py add_account --number 12345678910 --name account_foo
An account with id 12345678910 already exists
$ python manage.py add_account --number 12345678910 --name account_foo --active false --force
Successfully added account account_foo

2.1.10 Now What?

Wow. We have accomplished a lot. Now we can use the Web UI to review our security posture.

Searching in the Web UI

On the Web UI, click the Search button at the top left. If the scheduler is setup correctly, we should now see items filling the table. These items are colored if they have issues. Yellow is for minor issues like friendly cross account access, while red indicates more important security issues, like an S3 bucket granting access to "AllUsers" or a security group allowing 0.0.0.0/0. The newest results are always at the top.
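The colouring above is a scoring rule: the more exposure a configuration grants, the higher the score. As an added example (not Security Monkey's own auditor), the Python 3 code below scores security-group ingress rules on that principle: anything reachable from the whole Internet scores highest, with SSH named explicitly, and an RFC 1918 range in a non-VPC (EC2-Classic) group gets a lower score, which is the check the changelog lists under v0.2.0. The rule dictionary format, the numeric scores and the colour thresholds are this example's own assumptions.

```python
"""Added example, not Security Monkey's auditor: score security-group ingress
rules by exposure.  Rule format, scores and colour thresholds are assumptions
of this example; the checks mirror the ones described in the guide."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SSH_PORT = 22


def _is_rfc1918(net):
    return net.version == 4 and any(net.subnet_of(block) for block in RFC1918)


def _covers_port(rule, port):
    """True if the rule admits TCP traffic on the port (proto "-1" means all)."""
    if rule["proto"] == "-1":
        return True
    return rule["proto"] == "tcp" and rule["from_port"] <= port <= rule["to_port"]


def audit_rule(rule, in_vpc):
    """Return (score, reason) for one ingress rule.

    rule = {"proto": "tcp" | "udp" | "-1", "from_port": int, "to_port": int,
            "cidr": "a.b.c.d/n"}; in_vpc is False for EC2-Classic groups."""
    net = ipaddress.ip_network(rule["cidr"], strict=False)
    if net.prefixlen == 0:                      # 0.0.0.0/0 or ::/0
        if _covers_port(rule, SSH_PORT):
            return 10, "SSH open to the Internet"
        return 10, "open to the Internet"
    # In EC2-Classic the private ranges are shared with other customers'
    # instances, so an RFC 1918 allow is not "internal only".
    if not in_vpc and _is_rfc1918(net):
        return 5, "RFC 1918 range allowed in a non-VPC security group"
    return 0, "ok"


def colour(score):
    """Map a score to the table colour the guide describes."""
    if score >= 10:
        return "red"
    if score > 0:
        return "yellow"
    return "none"


def audit_group(group):
    """Score every rule in a group; issues are sorted worst first.

    The group's colour follows its single worst issue, not the total."""
    issues = []
    for rule in group["rules"]:
        score, reason = audit_rule(rule, group["vpc_id"] is not None)
        if score:
            issues.append({"score": score, "reason": reason, "rule": rule})
    issues.sort(key=lambda i: i["score"], reverse=True)
    worst = issues[0]["score"] if issues else 0
    return {
        "name": group["name"],
        "score": sum(i["score"] for i in issues),
        "colour": colour(worst),
        "issues": issues,
    }


# Constructed sample: an EC2-Classic group (vpc_id None) with three rules.
SAMPLE_GROUP = {
    "name": "web-classic",
    "vpc_id": None,
    "rules": [
        {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "203.0.113.0/24"},
        {"proto": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.0.0/8"},
    ],
}

if __name__ == "__main__":
    result = audit_group(SAMPLE_GROUP)
    print("%s %s %d" % (result["name"], result["colour"], result["score"]))
    for issue in result["issues"]:
        print("  %2d  %s  %s" % (issue["score"], issue["reason"], issue["rule"]["cidr"]))
```

Feeding the sample group through audit_group reports the SSH rule as red and the 10.0.0.0/8 rule as a lower-scored issue, while the 203.0.113.0/24 HTTPS rule produces nothing, which is the same triage the search table's colours give you.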


We can filter these results using the searchbox on the left. The Region, Tech, Account, and Name fields use auto-complete to help you find what you need.

Security Monkey also provides you the ability to search only for issues:


Viewing an Item in the Web UI

Clicking on an item in the web UI brings up the view-item page.

This item has an attached issue. Someone has left SSH open to the Internet! Security Monkey helps you find these types of insecure configurations and correct them.

If Security Monkey finds an issue that you aren't worried about, you should justify the issue and leave a message explaining to others why the configuration is okay.


Security Monkey looks for changes in configurations. When there is a change, it uses colors to show you the part of the configuration that was affected. Green tells you that a section was added, while red says something has been removed.

Each revision to an item can have comments attached. These can explain why a change was made.

2.1.11 Productionalizing Security Monkey

This guide has been focused on getting Security Monkey up and running quickly. For a production deployment, you should make a few changes.

Location

Run security_monkey from a separate account. This will help isolate the instance and the database and ensure the integrity of the change data.

SES

Security Monkey uses SES to send email. While you can install and use Security Monkey without SES, it is recommended that you eventually setup SES to receive Change Reports and Audit Reports. Enabling SES also allows you to enable the "forgot my password" flow and force users to confirm their email addresses when registering for an account.

To begin the process, you will need to request that AWS enable SES on your account.

TODO: Add further documentation on setting up and confirming SES.

RDS

In this guide, we setup a postgres database on the instance we launched. This would be a horrible way to run in production. You would lose all your data whenever Chaos Monkey unplugged your instance!

Make sure you move your database to an RDS instance. Create a database user with limited permissions and use a different password than the one used in this guide.

Logs

If you are relying on security monkey, you really need to ensure that it is running correctly and not hitting a bizarre exception.

Check the Security Monkey logs occasionally. Let us know if you are seeing exceptions, or better yet, send us a pull request.

Justify Issues

The daily audit report and the issues-search are most helpful when all the existing issues are worked or justified. Spend some time to work through the issues found today, so that the ones found tomorrow pop out and catch your attention.

SSL

In this guide, we setup a self-signed SSL certificate. For production, you will want to use a certificate that has been signed by a trusted certificate authority. You can also attach an SSL cert to an ELB listener. If so, please use the latest listener reference policy to avoid deprecated ciphers and TLS/SSLv3 attacks.

Ignore List

If your environment has rapidly changing items that you would prefer not to track in security monkey, please look at the "Ignore List" under the settings page. You can provide a list of prefixes for each technology, and Security Monkey will ignore those objects when it is inspecting your current AWS configuration. Be careful: an attacker could use the ignore list to subvert your monitoring, so treat edits to the ignore list as security-relevant changes and keep the set of users who can make them small.

Contribute

It's easy to extend security_monkey with new rules or new technologies. If you have a good idea, please send us a pull request. I'll be delighted to include them.

CHAPTER 3

Changelog

3.1 Changelog

3.1.1 v0.3.6 (2015-04-09)

• Changes to issue score in code will now cause all existing issues to be re-scored in the database.

• A new configuration parameter called SECURITYGROUP_INSTANCE_DETAIL can now be set to:

– "FULL": Security Groups will display each instance, and all instance tags, that are associated with the security group.

– "SUMMARY": Security Groups will display the number of instances attached to the security group.

– "NONE": Security Groups will not retrieve any data about instances attached to a security group.

– If SECURITYGROUP_INSTANCE_DETAIL is set to "FULL" or "SUMMARY", empty security group audit issues will have their score set to zero.

– For accounts with many thousands of instances, it is advised to set this to "NONE", as the AWS APIs do not respond in a timely manner with that many instances.

• Each watcher can be set to run at a different interval in code. We will want to move this to be a UI setting.

• Watchers may specify a list of ephemeral paths. Security_monkey will not send out change alerts for items in the ephemeral section. This is a good place for metadata that is often changing, like the number of instances attached to a security_group or the number of remaining IP addresses in a VPC subnet.

Contributors:

• lucab

• monkeysecurity
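To make the ephemeral-path behaviour concrete, here is an added example (not Security Monkey's implementation) of a change detector that diffs two revisions of an item and drops any change under a configured ephemeral path before deciding whether to alert. The path syntax (slash-separated segments, "*" matching any one list index or key, a pattern matching everything beneath it) and the sample security-group item are this example's own assumptions.

```python
"""Added example, not Security Monkey's code: diff two revisions of an item
and suppress changes under ephemeral paths.  Path syntax and the sample item
are assumptions of this example."""

MISSING = object()   # sentinel for "key/index absent on this side"


def changed_paths(old, new, prefix=""):
    """Yield (path, old_value, new_value) for every leaf that differs."""
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            for change in changed_paths(old.get(key, MISSING), new.get(key, MISSING),
                                        prefix + "/" + str(key)):
                yield change
    elif isinstance(old, list) and isinstance(new, list):
        for i in range(max(len(old), len(new))):
            left = old[i] if i < len(old) else MISSING
            right = new[i] if i < len(new) else MISSING
            for change in changed_paths(left, right, prefix + "/" + str(i)):
                yield change
    elif old != new:
        yield (prefix, old, new)


def is_ephemeral(path, ephemeral_paths):
    """True if the path sits at or below one of the ephemeral patterns.

    A pattern segment of "*" matches any one segment; a pattern that is a
    prefix of the path matches everything beneath it."""
    parts = path.strip("/").split("/")
    for pattern in ephemeral_paths:
        pattern_parts = pattern.strip("/").split("/")
        if len(pattern_parts) > len(parts):
            continue
        if all(p == "*" or p == q for p, q in zip(pattern_parts, parts)):
            return True
    return False


def alertable_changes(old, new, ephemeral_paths):
    """Changes that should trigger a change alert."""
    return [c for c in changed_paths(old, new) if not is_ephemeral(c[0], ephemeral_paths)]


# Constructed sample: two revisions of a security group.  Between them an
# instance was attached (ephemeral metadata) and an SSH rule was added (real).
OLD_ITEM = {
    "name": "web-sg",
    "rules": [{"port": 443, "cidr": "0.0.0.0/0"}],
    "assigned_to": [{"instance_id": "i-0001"}],
}
NEW_ITEM = {
    "name": "web-sg",
    "rules": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}],
    "assigned_to": [{"instance_id": "i-0001"}, {"instance_id": "i-0002"}],
}
EPHEMERAL = ["assigned_to"]

if __name__ == "__main__":
    for path, before, after in changed_paths(OLD_ITEM, NEW_ITEM):
        flag = "ephemeral" if is_ephemeral(path, EPHEMERAL) else "ALERT"
        shown_before = "<absent>" if before is MISSING else before
        print("%-9s %s  %s -> %s" % (flag, path, shown_before, after))
```

With assigned_to declared ephemeral, only the new /rules/1 entry is alertable; the attached-instance change is still visible in the diff, it just does not generate mail.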

3.1.2 v0.3.5 (2015-03-28)

• Adding policy minimizer & expander to the revision component

• Adding tracking of instance profiles attached to a role

• Adding marker/pagination code to redshift.describe_clusters()

• Adding pagination to IAM User get_all_user_policies, get_all_access_keys, get_all_mfa_devices, get_all_signing_certs

• Typo & minor corrections on postgres commands

• CLI command to save your current configurations to a JSON file for backup

• added a VPC watcher


• Adding DHCP Options and Internet Gateways to the VPC Watcher

• Adding a subnet watcher. Fixing the VPC watcher with deep_dict

• Adding the vpc route_table watcher

• Removing subnet remaining IP field until ephemeral section is merged in

• Adding IAM Managed Policies

• Typo & minor corrections on postgres commands in documentation

• Adds ELBSecurityPolicy-2015-03. Moves export grade ciphers to their own section and alerts on FREAK vuln.

• Provides context on refpol 2015-03 vs 2015-02.

• Adding a Managed Policies Auditor

• Added Managed Policy tracking to the IAM users, groups, and roles

Summary of new watchers:

• vpc

– DHCP Options

– Internet Gateways

• subnet

• routetable

• managed policies

Summary of new Auditors or audit checks:

• managed policies

• New reference policy 2015-03 for ELB listeners.

• New alerts for FREAK vulnerable ciphers.

Contributors:

• markofu

• monkeysecurity

3.1.3 v0.3.4 (2015-2-19)

• Merged in a new AuditorSettings tab created by Qmando at Yelp enabling you to disable audit checks with per-account granularity.

• security_monkey is now CSP compliant.

• security_monkey has removed all shadow-DOM components. Also removed webcomponents.js and dart_support.js, as they were not CSP compliant.

• security_monkey now advises users to enable the following standard security headers:

X-Content-Type-Options "nosniff";
X-XSS-Protection "1; mode=block";
X-Frame-Options "SAMEORIGIN";
Strict-Transport-Security "max-age=631138519";
Content-Security-Policy "default-src 'self'; font-src 'self' https://fonts.gstatic.com; script-src 'self' https://ajax.googleapis.com; style-src 'self' https://fonts.googleapis.com;"

• security_monkey now has XSRF protection against all DELETE, POST, PUT, and PATCH calls.


• Updated the ELB Auditor to be aware of the ELBSecurityPolicy-2015-02 reference policy.

Contributors:

• Qmando

• monkeysecurity

3.1.4 v0.3.3 (2015-2-3)

• Added MirrorsUsed() to my dart code to reduce compiled javascript size.

• Added support for non-chrome browsers by importing webcomponents.js and dart_support.js

• Upgraded to Angulardart 1.1.0 and Angular-dart.ui 0.6.3

3.1.5 v0.3.2 (2015-1-20)

• A bug has been corrected where IAM Groups with > 100 members or policies would be truncated.

• The web UI has been updated to use AngularDart 1.0.0. Significantly smaller javascript size.

3.1.6 v0.3.1 (2015-1-11)

• Change emails again show issues and justifications.

• Change emails now use jinja templating.

• Fixed an issue where issue justifications would disappear when the item was changed.

• Merged a pull request from github user jijojv to start the scheduler at launch instead of waiting 15 minutes.

3.1.7 v0.3.0 (2014-12-19)

• Add localhost to CORS for development.

• Big refactor adding monitors. Adding new watchers/auditors is now much simpler.

• Return to the current URL after authenticating.

• Added SES_REGION config. Now you can send email out of regions other than us-east-1.

• Changing default log location to /var/log/security_monkey.

• Docs now have cleaner nginx.conf.

• Add M2Crypto to get a number of new iamssl fields.

• Added favicon.

new watchers:

• eip

• redshift

• ses

enhanced watchers:

• iamssl - new fields from m2crypto


• elb - new listener policies from botocore

• sns - added sns subscriptions

• s3 - now tracks lifecycle rules

new auditors:

• redshift - checks for non-vpc deployment.

• ses - checks for verified identities

enhanced auditors:

• iamssl - cert size, signature hashing algorithm, upcoming expiration, heartbleed

• elb - check reference policy and certain custom policy fields

hotfixes:

• Fixed issue #12 - Deleting account results in foreign key constraint.

• Added missing alembic script for the ignorelist.

• Various minor documentation updates.

• API server now respects the --bind parameter. (Required for the docker image.)

• SES connection in utils.py is now surrounded in a try/except.

• FlaskSecurity upgraded to latest.

Contributors:

• ivanlei

• lucab

• yograterol

• monkeysecurity

3.1.8 v0.2.0 (2014-10-31)

Changes in the Web UI:

• Dart: Dates are now displayed in your local timezone.

• Dart: Added Item-level comments.

• Dart: Added the ability to bulk-justify issues from the Issues Table view. This uses the AngularDartUI Modal Component.

• Dart: Added better messaging around the settings for adding an account. This closes issue #38. This uses the AngularDartUI tooltip component.

• Bug Fix: Colors in the Item table now correctly represent the justification status.

• Dart: Added AngularUI Tabs to select between diff and current configuration display.

• Dart: Added a timer-based auto-refresh so SM can be used as a dashboard.

• Dart: Replaced a number of custom http services with Victor Savkin’s Hammock library. More than 965 lines of code were removed after switching to Hammock.

• Dart: Replaced custom pagination code with AngularDartUI’s Pagination Component in IssueTable, RevisionTable, ItemTable and AccountSettingsTable.


• Dart: Network CIDR whitelist is now configured in the web UI under settings.

• Dart: Object Ignorelist is now configured in the web UI under settings.

• Created a new PaginatedTable parent class for all components that wish to display paginated data. This table works with AngularDart’s Pagination Component and also provides the ability to change the number of items displayed on each page.

• Dart: Added ng_infinite_scroll to the item_detail_view for loading revisions

• Dart: Moved a number of components from being their own libraries to being ‘part of‘ the security_monkey library.

• Dart: Replaced the last controller (UsernameController) with a Component to prepare for AngularDart 1.0.0

• Dart: Style - Renamed library from SecurityMonkey to security_monkey to follow the dart style guide. Refactored much of main.dart into lib/security_monkey.dart to try and mimic the cleaner design of the new angular sample app: https://github.com/vsavkin/angulardart-sample-app

Changes in the core product:

• Updated API endpoints to better follow REST architecture.

• Added table for NetworkWhitelist.

• Added rest API endpoints for NetworkWhitelist.

• Added Alembic migration script to add the new NetworkWhitelist table to the DB.

• Added table for IgnoreList.

• Added rest API endpoints for Ignorelist.

• Added Alembic migration script to add the new IgnoreList table to the DB.

• Added check for rfc-1918 CIDRs in non-VPC security groups.

• Saving IAMSSL Certs by cert name instead of cert ID

• Marking VPC RDS Security Groups with their VPC ID

• Supports Paginated Boto access for RDS Security Groups.

• Added alert for non-VPC RDS SG’s containing RFC-1918 CIDRs

• Added check for IAM user access key rotation.

• Added check for IAM users that have both a login profile (console access) and access keys (API access).

• Added an ELB Auditor with a check for internet-facing ELB.

• Added check for security groups with large port ranges.

3.1.9 v0.1.2 (2014-08-11)

Changes in the Web UI:

• Dart: Removed Shadow DOM dependency and set version bounds in pubspec.yaml.

• Dart: Replaced package:js with dart:js.

• Dart: Added the Angular Pub Transformer.

Changes in the core product:

• Added AWS Rate Limiting Protection with exponential backoff code.

• Added instructions to get a local development environment setup for contributing to security_monkey.


• Added support for boto’s new ELB pagination. The pull request to boto and to security_monkey came from Kevin Glisson.

• Bug fix: Security Group Audit Issues now include the port the issue was reported on.

These were already in master, but weren’t tied to a new release:

• Bug fix: Supervisor script now sets the SECURITY_MONKEY_SETTINGS envvar for the API server, whereas it previously only set the envvar for the scheduler. This came from a pull request from parabolic.

• Bug fix: Audit reports will only be sent if there are issues to report on.

• Bug fix: Daily Audit Email setting (ALL/NONE/ISSUES) is now respected.

• Bug fix: Command Line Auditor Command Arguments are now coerced into being booleans.

• Quickstart Guide now instructs user to setup the web UI on SSL.

• Various Smaller Bug Fixes.

3.1.10 v0.1.1 (2014-06-30)

Initial release of Security Monkey!


CHAPTER 4

API Reference

Class and method level definitions and documentation.

4.1 API Reference

At a high-level, Security Monkey consists of the following components:

Watcher - Component that monitors a given AWS account and technology (e.g. S3, EC2). The Watcher detects and records changes to configurations. So, if an S3 bucket policy changes, the Watcher will detect this and store the change.

Notifier - Component that lets a user or group of users know when a particular item has changed. This component also provides notification based on the triggering of audit rules.

Auditor - Component that executes a set of business rules against an AWS configuration to determine the level of risk associated with the configuration. For example, a rule may look for a security group with a rule allowing ingress from 0.0.0.0/0 (meaning the security group is open to the Internet). Or, a rule may look for an S3 policy that allows access from an unknown AWS account (meaning you may be unintentionally sharing the data stored in your S3 bucket). Security Monkey has a number of built-in rules included, and users are free to add their own rules.
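The two rules named above, written out as an added example. This is not code from the security_monkey project (its Auditor base class and issue format are not shown on this page): the function names, the (score, message) issue tuples, the dictionary shape of the sample security group and bucket policy, the OWNED_ACCOUNTS set and the 1024-port threshold are all assumptions made for illustration. It goes slightly beyond the paragraph by also covering the "security groups with large port ranges" check from the v0.2.0 changelog, and it is written for Python 3 although the project itself ran on CPython 2.7.

```python
"""Illustrative audit rules in the spirit of Security Monkey's Auditor.

Added example, not code from the security_monkey project. Inputs are
dictionaries shaped like what a watcher might record; the structure,
function names, scores and thresholds are assumptions for illustration.
"""
import ipaddress
import json

# Accounts we own; any other account id in a bucket policy is "unknown".
# Constructed values, not real accounts.
OWNED_ACCOUNTS = {"111111111111", "222222222222"}

# Assumed threshold for the "large port range" check; the project's real
# threshold is not stated on this page.
LARGE_PORT_RANGE = 1024

# Constructed sample security group: one rule open to the Internet,
# one spanning the whole ephemeral port range, one narrow and private.
SAMPLE_SECURITY_GROUP = {
    "name": "web-sg",
    "rules": [
        {"from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
        {"from_port": 1024, "to_port": 65535, "cidr": "10.0.0.0/8"},
        {"from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"},
    ],
}

# Constructed sample bucket policy: one statement for an owned account,
# one for an account we do not own, one for everyone.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::logs/*"},
        {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::999999999999:root"]},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::logs"},
        {"Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::logs/public/*"},
    ],
})


def audit_security_group(group):
    """Return a list of (score, message) issues for one security group."""
    issues = []
    for rule in group["rules"]:
        network = ipaddress.ip_network(rule["cidr"])
        ports = f"{rule['from_port']}-{rule['to_port']}"
        # A /0 prefix (0.0.0.0/0 or ::/0) admits the entire Internet.
        if network.prefixlen == 0:
            issues.append((10, f"{group['name']}: ports {ports} open to the Internet ({rule['cidr']})"))
        # Wide port ranges usually mean "allow everything" rather than one service.
        span = rule["to_port"] - rule["from_port"] + 1
        if span > LARGE_PORT_RANGE:
            issues.append((5, f"{group['name']}: {span} ports ({ports}) open to {rule['cidr']}"))
    return issues


def accounts_in_principal(principal):
    """Return the account ids named by a policy Principal; '*' means everyone."""
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    if isinstance(values, str):
        values = [values]
    accounts = set()
    for value in values:
        if value == "*":
            accounts.add("*")
        elif value.startswith("arn:"):
            accounts.add(value.split(":")[4])  # arn:aws:iam::ACCOUNT:root
        else:
            accounts.add(value)  # a bare 12-digit account id
    return accounts


def audit_s3_policy(bucket, policy_json, owned_accounts=OWNED_ACCOUNTS):
    """Return (score, message) issues for Allow statements reaching outside owned_accounts."""
    issues = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a policy may carry a single statement object
        statements = [statements]
    for index, statement in enumerate(statements):
        if statement.get("Effect") != "Allow":
            continue
        action = statement.get("Action")
        for account in sorted(accounts_in_principal(statement.get("Principal", {}))):
            if account == "*":
                issues.append((10, f"{bucket}: statement {index} grants {action} to everyone"))
            elif account not in owned_accounts:
                issues.append((10, f"{bucket}: statement {index} grants {action} to unknown account {account}"))
    return issues


if __name__ == "__main__":
    for score, message in audit_security_group(SAMPLE_SECURITY_GROUP) + audit_s3_policy("logs", SAMPLE_BUCKET_POLICY):
        print(f"[{score:2d}] {message}")
```

Run as a script it prints four issues: the 443 rule open to 0.0.0.0/0, the 64512-port range, and the two bucket policy statements that reach outside the owned accounts. The Deny check matters in practice: a Deny statement with Principal "*" is the common way to lock a bucket down, and flagging it would be a false positive.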

security_monkey.__version__
security_monkey’s version number in PEP 386 format.

>>> import security_monkey
>>> security_monkey.__version__
u’0.3.5’

Class and method level definitions and documentation


4.1.1 security_monkey Package


alerter Module

auditor Module

constants Module

datastore Module

decorators Module

exceptions Module

monitors Module

reporter Module

scheduler Module

watcher Module

Subpackages

auditors Package


elb Module

iam_group Module

iam_policy Module

iam_role Module

iam_ssl Module

iam_user Module

rds_security_group Module

redshift Module

s3 Module


security_group Module

ses Module

sns Module

common Package


jinja Module

route53 Module

sts_connect Module

Subpackages

utils Package


PolicyDiff Module

utils Module

tests Package


test_s3 Module

test_sns Module

views Package


account Module

distinct Module


ignore_list Module

item Module

item_comment Module

item_issue Module

item_issue_justification Module

logout Module

revision Module

revision_comment Module

user_settings Module

whitelist Module

watchers Package


elastic_ip Module

elb Module

iam_group Module

iam_role Module

iam_ssl Module

iam_user Module

keypair Module

rds_security_group Module

redshift Module


s3 Module

security_group Module

ses Module

sns Module

sqs Module


CHAPTER 5

About

5.1 Authors

Security Monkey 0.1.2 is copyright 2014 Netflix, Inc.

• Patrick Kelley <[email protected]>

• Kevin Glisson <[email protected]>

• Roy Rapoport <[email protected]>

If you want to contribute to security monkey, see Contributing.


5.3 Contributing

Contributions to Security Monkey are welcome! Here are some tips to get you started hacking on Security Monkey and contributing back your patches.


5.3.1 Development Setup OS X

Install Brew Install Homebrew (http://brew.sh). Requirement: the Xcode Command Line Tools (a popup offers to install them; just click Install):

ruby -e "$(curl -fsSL https://raw.github.com/Homebrew/homebrew/go/install)"

Install Pip A tool for installing and managing Python packages:

sudo easy_install pip

Virtualenv A tool to create isolated Python environments:

sudo pip install virtualenv

VirtualenvWrapper virtualenvwrapper is a set of extensions to Ian Bicking’s virtualenv tool. The extensions include wrappers for creating and deleting virtual environments and otherwise managing your development workflow, making it easier to work on more than one project at a time without introducing conflicts in their dependencies:

sudo pip install virtualenvwrapper

Configure VirtualEnvWrapper Configure VirtualEnvWrapper so it knows where to store the virtualenvs and where the virtualenvwrapper script is located:

cd ~
mkdir virtual_envs
vi ~/.bash_profile

Add these two lines to your ~/.bash_profile:

export WORKON_HOME="$HOME/virtual_envs/"
source "/usr/local/bin/virtualenvwrapper.sh"

You’ll need to open a new terminal (or run source ~/.bash_profile) before you can create the virtualenv:

mkvirtualenv security_monkey
workon security_monkey

Clone Clone the security monkey code repository.:

git clone https://github.com/Netflix/security_monkey.git
cd security_monkey

SECURITY_MONKEY_SETTINGS Set the environment variable in your current session that tells Flask where the configuration file is located:

export SECURITY_MONKEY_SETTINGS=`pwd`/env-config/config-local.py

Note - I like to append this to the virtualenv activate script:

vi $HOME/virtual_envs/security_monkey/bin/activate
export SECURITY_MONKEY_SETTINGS=$HOME/security_monkey/env-config/config-local.py

Postgres Install Postgres. Create a database for security monkey and add a role. Set the timezone to GMT. The role name and password below are development defaults: they must match the database connection settings in env-config/config-local.py, and you should change them for anything other than a local instance:

brew install postgresql

Start the DB in a new shell:

postgres -D /usr/local/var/postgres

Create the database and users and set the timezone.:


psql -d postgres -h localhost
CREATE DATABASE "securitymonkeydb";
CREATE ROLE "securitymonkeyuser" LOGIN PASSWORD 'securitymonkeypass';
CREATE SCHEMA securitymonkeydb;
GRANT USAGE, CREATE ON SCHEMA "securitymonkeydb" TO "securitymonkeyuser";
SET timezone TO 'GMT';
SELECT now();

Exit the Postgres CLI tool:

CTRL-D

Install Pip Requirements Pip will install all the dependencies into the current virtualenv.:

pip install -r requirements.txt

Init DB: Run Alembic/FlaskMigrate to create all the database tables.:

python manage.py db upgrade

Start the API: This starts the REST API that the Angular application will communicate with.:

python manage.py runserver

Launch Dart Editor Download Dart and the Dart Editor from http://www.dartlang.org/

Edit dart/lib/util/constants.dart and set API_HOST to this value:

final String API_HOST = ’http://127.0.0.1:5000/api/1’;

In the Dart Editor, right click on dart/web/ui.html and select “Run in Dartium” from the dropdown menu.

Register a user Chromium/Dartium will launch and redirect to the login page. Select the Register link (http://127.0.0.1/register) to create an account.

Setup an account After you have registered an account, proceed to login (http://127.0.0.1/login). Once logged in, click on Settings and on the + to add a new account.

Obtaining instance credentials You’ll need to obtain AWS credentials to execute the watchers. The watchers only describe and list resources, so the credentials you supply should be read-only rather than administrative. See the boto documentation for more information.

http://boto.readthedocs.org/en/latest/boto_config_tut.html

Manually Run the Watchers Run the watchers to put some data in the database.:

cd ~/security_monkey/
python manage.py run_change_reporter all

You can also run an individual watcher:

python manage.py find_changes -a all -m all
python manage.py find_changes -a all -m iamrole
python manage.py find_changes -a "My Test Account" -m iamgroup

You can run the auditors against the items currently in the database:

python manage.py audit_changes -a all -m redshift --send_report=False

5.3.2 Development Setup Ubuntu

Apt-get Installs These must be installed first.:


sudo apt-get install git git-flow python-pip postgresql postgresql-contrib libpq-dev python-dev swig

Install Virtualenv A tool to create isolated Python environments:

sudo pip install virtualenv

Create a folder to hold your virtualenvs:

cd ~
mkdir virtual_envs
cd virtual_envs

Create a virtualenv for security_monkey:

virtualenv security_monkey

Activate the security_monkey virtualenv:

source ~/virtual_envs/security_monkey/bin/activate

Clone the repository Clone the security monkey code repository.:

cd ~
git clone https://github.com/Netflix/security_monkey.git
cd security_monkey

Install Pip Requirements Pip will install all the dependencies into the current virtualenv.:

pip install -r requirements.txt

SECURITY_MONKEY_SETTINGS Set the environment variable in your current session that tells Flask where the configuration file is located:

export SECURITY_MONKEY_SETTINGS=`pwd`/env-config/config-local.py
# Note - I like to append this to the virtualenv activate script
vi $HOME/virtual_envs/security_monkey/bin/activate
export SECURITY_MONKEY_SETTINGS=$HOME/security_monkey/env-config/config-local.py

Postgres Install Postgres. Create a database for security monkey and add a role. Set the timezone to GMT.:

sudo -u postgres psql
CREATE DATABASE "securitymonkeydb";
CREATE ROLE "securitymonkeyuser" LOGIN PASSWORD 'securitymonkeypass';
CREATE SCHEMA securitymonkeydb;
GRANT USAGE, CREATE ON SCHEMA "securitymonkeydb" TO "securitymonkeyuser";
SET timezone TO 'GMT';

Init DB: Run Alembic/FlaskMigrate to create all the database tables.:

python manage.py db upgrade

Start the API: This starts the REST API that the Angular application will communicate with.:

python manage.py runserver

Launch Dart Editor Download Dart and the Dart Editor from http://www.dartlang.org/

Edit dart/lib/util/constants.dart and set API_HOST to this value:

final String API_HOST = ’http://127.0.0.1:5000/api/1’;

In the Dart Editor, right click on dart/web/ui.html and select “Run in Dartium” from the dropdown menu.


Register a user Chromium/Dartium will launch and redirect to the login page. Select the Register link (http://127.0.0.1/register) to create an account.

Setup an account After you have registered an account, proceed to login (http://127.0.0.1/login). Once logged in, click on Settings and on the + to add a new account.

More Read the OS X sections on Obtaining instance credentials and how to Manually Run the Watchers.

5.3.3 Submitting changes

• Code should be accompanied by tests and documentation. Maintain our excellent test coverage.

• Follow the existing code style, especially make sure flake8 does not complain about anything.

• Write good commit messages. Here are three blog posts on how to do it right:

– Writing Git commit messages

– A Note About Git Commit Messages

– On commit messages

• One branch per feature or fix. Keep branches small and on topic.

• Send a pull request to the v1/develop branch. See the GitHub pull request docs for help.

5.3.4 Additional resources

• Issue tracker

• GitHub documentation


Python Module Index

security_monkey

Index

Symbols

__version__ (in module security_monkey)

P

Python Enhancement Proposals

PEP 386

S

security_monkey (module)