cloudaux
Fix for ELB policy attribute string values.
This fixes the false positives reported by the ELB Policy watcher. Boto3 returns these policy attribute values as strings, and these values are generally the string "true" or the string "false". In Python, bool("false") is actually True. This is the same code that SecurityMonkey used in versions 8.0 and before.
https://github.com/Netflix/security_monkey/blob/v0.8.0/security_monkey/watchers/elb.py#L87
http://boto3.readthedocs.io/en/latest/reference/services/elb.html#ElasticLoadBalancing.Client.describe_load_balancer_policies
@monkeysecurity is this good to go, or has the ELB policy auditor fixed this?
Generally speaking, we would like CloudAux to preserve (there are exceptions) the data that boto would return.
@PyScott I haven't reviewed this in a while. Can you verify if the latest version of Security Monkey addresses this?
@mikegrima Apologies for the delay. I've checked out the latest version of SecurityMonkey/cloudaux and the issue remains. My test load balancer with SSLv3 disabled is reporting as having it enabled in SM.
Instead of my original approach, what do you think about replacing L31-L36 to look like this:
ret['protocols']['sslv2'] = attributes.get('Protocol-SSLv2') == 'true'
It looks like this comparison is already handled similarly on L51.
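As an added example (not cloudaux's or Security Monkey's own code), the behaviour described in the PR description and the `== 'true'` comparison proposed in the comment above, side by side, run over a constructed response that follows the shape boto3's describe_load_balancer_policies returns (the policy name and attribute values are made up):

```python
# Added example (not cloudaux's own code): why bool() on boto3's string
# attribute values misreports ELB SSL policy settings, and the comparison that
# fixes it. SAMPLE_RESPONSE is constructed to follow the shape returned by
# boto3's elb.describe_load_balancer_policies(); it was not captured from AWS.
SAMPLE_RESPONSE = {
    "PolicyDescriptions": [
        {
            "PolicyName": "ELBSecurityPolicy-2016-08",
            "PolicyTypeName": "SSLNegotiationPolicyType",
            "PolicyAttributeDescriptions": [
                {"AttributeName": "Protocol-SSLv2", "AttributeValue": "false"},
                {"AttributeName": "Protocol-SSLv3", "AttributeValue": "false"},
                {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"},
                {"AttributeName": "Protocol-TLSv1.1", "AttributeValue": "true"},
                {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
            ],
        }
    ]
}

PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

def attributes_of(policy):
    """Flatten a policy's attribute descriptions into {name: string value}."""
    return {a["AttributeName"]: a["AttributeValue"]
            for a in policy["PolicyAttributeDescriptions"]}

def protocols_buggy(policy):
    """Pre-fix behaviour: bool("false") is True, so disabled protocols look enabled."""
    attrs = attributes_of(policy)
    return {p.lower(): bool(attrs.get("Protocol-" + p)) for p in PROTOCOLS}

def protocols_fixed(policy):
    """Fix from the thread: compare with the literal string 'true'.
    An absent attribute yields None == 'true' -> False instead of an exception."""
    attrs = attributes_of(policy)
    return {p.lower(): attrs.get("Protocol-" + p) == "true" for p in PROTOCOLS}

def false_positives(policy):
    """Protocols the buggy parser reports enabled that are actually disabled."""
    buggy, fixed = protocols_buggy(policy), protocols_fixed(policy)
    return sorted(p for p in buggy if buggy[p] and not fixed[p])

if __name__ == "__main__":
    policy = SAMPLE_RESPONSE["PolicyDescriptions"][0]
    print("buggy:", protocols_buggy(policy))
    print("fixed:", protocols_fixed(policy))
    print("false positives:", false_positives(policy))  # ['sslv2', 'sslv3']
```

With SSLv2 and SSLv3 set to "false", the bool() version reports both as enabled, which is exactly the false positive the watcher raised on a load balancer with SSLv3 disabled.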