kbailey: Run make fmt #481

merged 5 commits into from
Aug 31, 2022
8 changes: 7 additions & 1 deletion Makefile
Expand Up @@ -9,13 +9,19 @@ deps:
deps-update:
pipenv update

lint:
lint: lint-pylint lint-fmt

lint-pylint:
pipenv run bandit -r $(dirs) --skip B101 # allow assert statements in tests
pipenv run pylint $(dirs) \
--disable=missing-docstring,duplicate-code,import-error,fixme,consider-iterating-dictionary,global-variable-not-assigned \
--load-plugins=pylint.extensions.mccabe \
--max-line-length=100

lint-fmt:
@echo Checking python file formatting with the black code style checker
pipenv run black --line-length=100 --check $(dirs)

venv:
pipenv install --dev

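Review bot: `lint-fmt` runs `black --check` without `--diff`, so a CI failure only names the offending files and the developer has to rerun black locally to see what to change; `pipenv run black --line-length=100 --check --diff $(dirs)` prints the exact reformat in the log. The value 100 is now repeated in `lint-pylint` (`--max-line-length=100`) and `lint-fmt`, and presumably in the `fmt` target the PR title refers to (not in this hunk); hoisting it into one Make variable such as `LINE_LENGTH ?= 100` keeps the formatter and the checkers from drifting apart. The hunk starts inside the `deps-update` recipe.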
2 changes: 1 addition & 1 deletion aws_cloudtrail_rules/aws_ami_modified_for_public_access.py
@@ -1,5 +1,5 @@
from panther import aws_cloudtrail_success
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get


def rule(event):
2 changes: 1 addition & 1 deletion aws_cloudtrail_rules/aws_cloudtrail_created.py
@@ -1,5 +1,5 @@
from panther import aws_cloudtrail_success
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get

# API calls that are indicative of CloudTrail changes
CLOUDTRAIL_CREATE_UPDATE = {
2 changes: 1 addition & 1 deletion aws_cloudtrail_rules/aws_cloudtrail_stopped.py
@@ -1,5 +1,5 @@
from panther import aws_cloudtrail_success, lookup_aws_account_name
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get

# API calls that are indicative of CloudTrail changes
CLOUDTRAIL_STOP_DELETE = {
2 changes: 1 addition & 1 deletion aws_cloudtrail_rules/aws_codebuild_made_public.py
@@ -1,5 +1,5 @@
from panther import lookup_aws_account_name
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get


def rule(event):
2 changes: 1 addition & 1 deletion aws_cloudtrail_rules/aws_console_login_failed.py
@@ -1,5 +1,5 @@
from panther import lookup_aws_account_name
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get


def rule(event):
2 changes: 1 addition & 1 deletion aws_cloudtrail_rules/aws_console_login_without_mfa.py
Expand Up @@ -2,7 +2,7 @@
import logging

from panther import lookup_aws_account_name
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get
from panther_oss_helpers import check_account_age

# Set to True for environments that permit direct role assumption via external IDP
2 changes: 1 addition & 1 deletion aws_cloudtrail_rules/aws_console_login_without_saml.py
@@ -1,5 +1,5 @@
from panther import lookup_aws_account_name
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get


def rule(event):
2 changes: 1 addition & 1 deletion aws_cloudtrail_rules/aws_console_root_login_failed.py
@@ -1,5 +1,5 @@
from panther import lookup_aws_account_name
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get


def rule(event):
@@ -1,5 +1,5 @@
from panther import aws_cloudtrail_success
from panther_base_helpers import deep_get, pattern_match_list, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get, pattern_match_list

PROD_ACCOUNT_IDS = {"11111111111111", "112233445566"}
SG_CHANGE_EVENTS = {
@@ -1,5 +1,5 @@
from panther import aws_cloudtrail_success
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get

# This is a list of role ARNs that should not be assumed by users in normal operations
ASSUME_ROLE_BLOCKLIST = [
@@ -1,7 +1,7 @@
import re

from panther import aws_cloudtrail_success
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get

# The role dedicated for IAM administration
IAM_ADMIN_ROLES = {
2 changes: 1 addition & 1 deletion aws_cloudtrail_rules/aws_iam_user_recon_denied.py
@@ -1,7 +1,7 @@
from ipaddress import ip_address

from panther import lookup_aws_account_name
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get

# service/event patterns to monitor
RECON_ACTIONS = {
2 changes: 1 addition & 1 deletion aws_cloudtrail_rules/aws_key_compromised.py
@@ -1,4 +1,4 @@
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get

EXPOSED_CRED_POLICY = "AWSExposedCredentialPolicy_DO_NOT_REMOVE"

2 changes: 1 addition & 1 deletion aws_cloudtrail_rules/aws_network_acl_permissive_entry.py
@@ -1,5 +1,5 @@
from panther import aws_cloudtrail_success
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get


def rule(event):
2 changes: 1 addition & 1 deletion aws_cloudtrail_rules/aws_resource_made_public.py
@@ -1,7 +1,7 @@
import json

from panther import aws_cloudtrail_success
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get
from policyuniverse.policy import Policy


2 changes: 1 addition & 1 deletion aws_cloudtrail_rules/aws_root_access_key_created.py
@@ -1,4 +1,4 @@
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get


def rule(event):
2 changes: 1 addition & 1 deletion aws_cloudtrail_rules/aws_root_console_login.py
@@ -1,4 +1,4 @@
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get


def rule(event):
2 changes: 1 addition & 1 deletion aws_cloudtrail_rules/aws_root_failed_console_login.py
@@ -1,4 +1,4 @@
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get


def rule(event):
2 changes: 1 addition & 1 deletion aws_cloudtrail_rules/aws_root_password_changed.py
@@ -1,4 +1,4 @@
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get


def rule(event):
5 changes: 2 additions & 3 deletions aws_cloudtrail_rules/aws_s3_activity_greynoise.py
Expand Up @@ -3,7 +3,6 @@
from panther_base_helpers import deep_get, pattern_match_list
from panther_greynoise_helpers import GetGreyNoiseObject, GetGreyNoiseRiotObject


# pylint: disable=too-many-return-statements,invalid-name,unused-argument,global-at-module-level,global-variable-undefined

# Monitor for GetObject events from S3.
Expand Down Expand Up @@ -57,8 +56,8 @@ def rule(event):
# Filter: Roles that generate FP's if used from AWS IP Space
if pattern_match_list(deep_get(event, "userIdentity", "arn"), _ALLOWED_ROLES):
# Only Greynoise advanced provides AS organization info
if NOISE.subscription_level() == 'advanced':
if NOISE.organization() == 'Amazon.com, Inc.':
if NOISE.subscription_level() == "advanced":
if NOISE.organization() == "Amazon.com, Inc.":
return False
# return false if the role is seen and we are not able to valide the AS organization
else:
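Review bot: The comment above the `else:` says an allowlisted role is treated as benign even when the AS organization cannot be validated; if that branch returns False (its body is outside the hunk), the `_ALLOWED_ROLES` exemption is fail-open: whenever the GreyNoise tier is not `"advanced"`, activity under an allowlisted role is suppressed without the AWS-origin check the comment describes ever being made. Indentation is lost in this view, so it is not certain whether the `else:` pairs with the subscription-level `if` or the organization `if`; either way the accepted trade-off deserves a precise comment, e.g. `# No AS-organization data at this tier: the role allowlist is applied unverified (fail-open by design)`, or the branch should fall through to the remaining checks instead of returning. The comment also reads `valide` where `validate` is meant. `rule()` starts and ends outside the hunk.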
2 changes: 1 addition & 1 deletion aws_cloudtrail_rules/aws_s3_bucket_deleted.py
@@ -1,5 +1,5 @@
from panther import aws_cloudtrail_success
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get


def rule(event):
2 changes: 1 addition & 1 deletion aws_cloudtrail_rules/aws_s3_bucket_policy_modified.py
@@ -1,5 +1,5 @@
from panther import aws_cloudtrail_success
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get

# API calls that are indicative of KMS CMK Deletion
S3_POLICY_CHANGE_EVENTS = {
2 changes: 1 addition & 1 deletion aws_cloudtrail_rules/aws_security_configuration_change.py
@@ -1,7 +1,7 @@
from fnmatch import fnmatch

from panther import aws_cloudtrail_success
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get

SECURITY_CONFIG_ACTIONS = {
"DeleteAccountPublicAccessBlock",
2 changes: 1 addition & 1 deletion aws_cloudtrail_rules/aws_snapshot_made_public.py
@@ -1,7 +1,7 @@
from collections.abc import Mapping

from panther import aws_cloudtrail_success
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get


def rule(event):
2 changes: 1 addition & 1 deletion aws_cloudtrail_rules/aws_unauthorized_api_call.py
@@ -1,6 +1,6 @@
from ipaddress import ip_address

from panther_base_helpers import aws_strip_role_session_id, deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, aws_strip_role_session_id, deep_get

# Do not alert on these access denied errors for these events.
# Events could be exceptions because they are particularly noisy and provide little to no value,
2 changes: 1 addition & 1 deletion aws_cloudtrail_rules/aws_update_credentials.py
@@ -1,5 +1,5 @@
from panther import aws_cloudtrail_success
from panther_base_helpers import deep_get, aws_rule_context
from panther_base_helpers import aws_rule_context, deep_get

UPDATE_EVENTS = {"ChangePassword", "CreateAccessKey", "CreateLoginProfile", "CreateUser"}

2 changes: 2 additions & 0 deletions aws_guardduty_rules/aws_guardduty_high_sev_findings.py
@@ -1,4 +1,6 @@
from panther_base_helpers import aws_rule_context


def rule(event):
return 7.0 <= float(event.get("severity", 0)) <= 8.9

2 changes: 2 additions & 0 deletions aws_guardduty_rules/aws_guardduty_low_sev_findings.py
@@ -1,4 +1,6 @@
from panther_base_helpers import aws_rule_context


def rule(event):
return 0.1 <= float(event.get("severity", 0)) <= 3.9

2 changes: 2 additions & 0 deletions aws_guardduty_rules/aws_guardduty_med_sev_findings.py
@@ -1,4 +1,6 @@
from panther_base_helpers import aws_rule_context


def rule(event):
return 4.0 <= float(event.get("severity", 0)) <= 6.9

2 changes: 1 addition & 1 deletion aws_s3_rules/aws_s3_access_error.py
@@ -1,4 +1,4 @@
from panther_base_helpers import pattern_match, aws_rule_context
from panther_base_helpers import aws_rule_context, pattern_match

# https://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html
HTTP_STATUS_CODES_TO_MONITOR = {
1 change: 1 addition & 0 deletions aws_s3_rules/aws_s3_access_ip_allowlist.py
@@ -1,4 +1,5 @@
from ipaddress import ip_network

from panther_base_helpers import aws_rule_context

BUCKETS_TO_MONITOR = {
2 changes: 1 addition & 1 deletion aws_s3_rules/aws_s3_insecure_access.py
@@ -1,4 +1,4 @@
from panther_base_helpers import pattern_match, aws_rule_context
from panther_base_helpers import aws_rule_context, pattern_match


def rule(event):
1 change: 1 addition & 0 deletions aws_s3_rules/aws_s3_unauthenticated_access.py
@@ -1,4 +1,5 @@
from panther_base_helpers import aws_rule_context

# A list of buckets where authenticated access is expected
AUTH_BUCKETS = {"example-bucket"}

1 change: 1 addition & 0 deletions aws_s3_rules/aws_s3_unknown_requester_get_object.py
@@ -1,4 +1,5 @@
from fnmatch import fnmatch

from panther_base_helpers import aws_rule_context

# pylint: disable=line-too-long
2 changes: 2 additions & 0 deletions aws_vpc_flow_rules/aws_vpc_healthy_log_status.py
@@ -1,4 +1,6 @@
from panther_base_helpers import aws_rule_context


def rule(event):
return event.get("log-status") == "SKIPDATA"

@@ -1,4 +1,5 @@
from ipaddress import ip_network

from panther_base_helpers import aws_rule_context

APPROVED_PORTS = {
@@ -1,4 +1,5 @@
from ipaddress import ip_network

from panther_base_helpers import aws_rule_context

CONTROLLED_PORTS = {
1 change: 1 addition & 0 deletions aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.py
@@ -1,4 +1,5 @@
from ipaddress import ip_network

from panther_base_helpers import aws_rule_context

APPROVED_DNS_SERVERS = {
2 changes: 1 addition & 1 deletion data_models/gcp_data_model.py
Expand Up @@ -2,8 +2,8 @@
from fnmatch import fnmatch

import panther_event_type_helpers as event_type
from panther_base_helpers import get_binding_deltas
from panther_analysis_tool.enriched_event import PantherEvent
from panther_base_helpers import get_binding_deltas

ADMIN_ROLES = {
# Primitive Rolesx
31 changes: 19 additions & 12 deletions gcp_audit_rules/gcp_iam_org_folder_changes.py
@@ -1,31 +1,38 @@
from panther_base_helpers import deep_get


def rule(event):
# Return True to match the log event and trigger an alert.
logname = deep_get(event, "logName")
return deep_get(event, "protoPayload", "methodName") == "SetIamPolicy" and \
(logname.startswith("organizations") or \
logname.startswith("folder") ) and \
logname.endswith("/logs/cloudaudit.googleapis.com%2Factivity")
return (
deep_get(event, "protoPayload", "methodName") == "SetIamPolicy"
and (logname.startswith("organizations") or logname.startswith("folder"))
and logname.endswith("/logs/cloudaudit.googleapis.com%2Factivity")
)


def title(event):
# use unified data model field in title
return (
f"{event.get('p_log_type')}: [{event.udm('actor_user')}] made manual changes to Org policy"
)


def alert_context(event):
return {
"actor": event.udm("actor_user"),
"policy_change": deep_get(event, "protoPayload", "serviceData", "policyDelta"),
"policy_change": deep_get(event, "protoPayload", "serviceData", "policyDelta"),
"caller_ip": deep_get(event, "protoPayload", "requestMetadata", "callerIP"),
"user_agent": deep_get(event, "protoPayload", "requestMetadata", "callerSuppliedUserAgent")
"user_agent": deep_get(event, "protoPayload", "requestMetadata", "callerSuppliedUserAgent"),
}


def severity(event):
if deep_get(event,
"protoPayload",
"requestMetadata",
"callerSuppliedUserAgent").lower().find('terraform') != -1:
return 'INFO'
return 'HIGH'
if (
deep_get(event, "protoPayload", "requestMetadata", "callerSuppliedUserAgent")
.lower()
.find("terraform")
!= -1
):
return "INFO"
return "HIGH"
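Review bot: `rule()` and `severity()` both call a `str` method on a `deep_get` result that can be missing: `logname.startswith(...)` in the new `return (...)` block and `.lower()` on the `callerSuppliedUserAgent` lookup in `severity()` raise `AttributeError` when the key is absent (the lookup presumably yields None), so a partial or malformed audit record becomes a rule error rather than a no-match — and for `severity()` that happens on an event the rule has already matched. `deep_get` accepts a `default=` keyword elsewhere in this PR (`panther_base_helpers.py`), so `logname = deep_get(event, "logName", default="")` and `deep_get(event, "protoPayload", "requestMetadata", "callerSuppliedUserAgent", default="")` close both gaps without changing the matched set. Separately, `callerSuppliedUserAgent` is, as its name says, chosen by the caller, so the downgrade to `"INFO"` for any user agent containing `terraform` is under the control of whoever issues the `SetIamPolicy` call; a comment such as `# caller-controlled field: lowers severity for automation traffic, does not suppress the alert` would record that this is an accepted trade-off rather than an oversight.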
2 changes: 1 addition & 1 deletion global_helpers/panther_base_helpers.py
Expand Up @@ -226,7 +226,7 @@ def slack_alert_context(event: dict):
"actor-name": deep_get(event, "actor", "user", "name", default="<MISSING_NAME>"),
"actor-email": deep_get(event, "actor", "user", "email", default="<MISSING_EMAIL>"),
"actor-ip": deep_get(event, "context", "ip_address", default="<MISSING_IP>"),
"user-agent": deep_get(event, "context", "ua", default="<MISSING_UA>")
"user-agent": deep_get(event, "context", "ua", default="<MISSING_UA>"),
}


2 changes: 1 addition & 1 deletion global_helpers/panther_cloudflare_helpers.py
Expand Up @@ -18,7 +18,7 @@
"botManagement": "Bot Management",
"dlp": "Data Loss Prevention",
"firewallManaged": "Firewall Managed Rules",
"firewallCustom": "Firewall Custom Rulesets"
"firewallCustom": "Firewall Custom Rulesets",
}

