

Merge pull request #428 from airbnb/mimeframe-streamalert-github-more…
…-rules

streamalert - rules - github - 5 new rules and some cleanup
mimeframe authored Oct 27, 2017
2 parents 1372b2b + 4a2767e commit f7be9e9
Showing 17 changed files with 436 additions and 10 deletions.
@@ -0,0 +1,21 @@
"""Github setting 'Dismiss stale pull request approvals' was disabled for a repo."""
from stream_alert.rule_processor.rules_engine import StreamRules

rule = StreamRules.rule

@rule(logs=['ghe:general'],
outputs=['aws-s3:sample-bucket',
'pagerduty:sample-integration',
'slack:sample-channel'])
def github_disable_dismiss_stale_pull_request_approvals(rec):
"""
author: @mimeframe
description: Setting 'Dismiss stale pull request approvals when new commits are pushed'
was disabled. As a result, commits occurring after approval will not
require approval.
repro_steps: (a) Visit /<org>/<repo>/settings/branches/<branch>
(b) Uncheck 'Dismiss stale pull request approvals when new commits are pushed'
(c) Click 'Save Changes'
reference: https://help.github.com/articles/configuring-protected-branches/
"""
return rec['action'] == 'protected_branch.dismiss_stale_reviews'
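Review bot: The match `return rec['action'] == 'protected_branch.dismiss_stale_reviews'` keys only on the action name, yet the docstring asserts the setting was *disabled*; the fixture payload added in this commit carries no field recording the new state, so if GHE emits this same action when the option is turned back on, the rule would also page on a hardening change. The sibling status-check rule disambiguates direction via `rec['data'].get('required_status_checks_enforcement_level')`; it is worth confirming against a real enable event whether `data` carries an equivalent flag here and adding that condition, or otherwise stating in the docstring that the rule fires on any change to this setting.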
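--- a/rules/community/github/github_disable_protect_this_branch.py
+++ b/rules/community/github/github_disable_protect_this_branch.py
@@ -0,0 +1,23 @@
+"""Github setting 'Protect this branch' was disabled for a repo."""
+from stream_alert.rule_processor.rules_engine import StreamRules
+
+rule = StreamRules.rule
+
+@rule(logs=['ghe:general'],
+outputs=['aws-s3:sample-bucket',
+'pagerduty:sample-integration',
+'slack:sample-channel'])
+def github_disable_protect_this_branch(rec):
+"""
+author: @mimeframe
+description: Github setting 'Protect this branch' was disabled for a repo.
+When unchecking this top-level option, it also disables
+'Require pull request reviews before merging',
+'Require review from Code Owners', and all other branch protections
+like status checks.
+repro_steps: (a) Visit /<org>/<repo>/settings/branches/<branch>
+(b) Uncheck 'Protect this branch'
+(c) Click 'Save Changes'
+reference: https://help.github.com/articles/configuring-protected-branches/
+"""
+return rec['action'] == 'protected_branch.destroy'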
@@ -0,0 +1,29 @@
"""Github 'Require pull request reviews before merging' was disabled for a repo."""
from helpers.base import in_set
from stream_alert.rule_processor.rules_engine import StreamRules

rule = StreamRules.rule

@rule(logs=['ghe:general'],
outputs=['aws-s3:sample-bucket',
'pagerduty:sample-integration',
'slack:sample-channel'])
def github_disable_required_pull_request_reviews(rec):
"""
author: @mimeframe
description: Setting 'Require pull request reviews before merging' was disabled.
When enabled, all commits must be made to a non-protected branch
and submitted via a pull request with at least one approved review
and no changes requested before it can be merged into master.
repro_steps: (a) Visit /<org>/<repo>/settings/branches/<branch>
(b) Uncheck 'Require pull request reviews before merging'
(c) Click 'Save Changes'
reference: https://help.github.com/articles/enabling-required-reviews-for-pull-requests/
"""
actor_ignorelist = {
}
return (
rec['action'] == 'protected_branch.dismissal_restricted_users_teams' and
rec['data'].get('authorized_actors_only') is True and
not in_set(rec['actor'], actor_ignorelist)
)
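Review bot: `actor_ignorelist = {` `}` builds an empty dict, not a set, so the name and the `in_set` helper it feeds are misleading; write `actor_ignorelist = set()`, or drop the clause until there is an actor to ignore. Separately, the matched action `protected_branch.dismissal_restricted_users_teams` names the review-dismissal restriction rather than the 'Require pull request reviews before merging' setting the docstring describes, so if GHE emits the same event with `authorized_actors_only` true when only the dismissal restriction changes, the alert text will misdescribe what happened — a comment on the return explaining why this action/flag pair indicates required reviews being disabled would help the next maintainer. The fixture added in this commit has only an unrelated-action negative case; a record with the matching action and `authorized_actors_only` false would pin the second condition.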
Expand Up @@ -12,9 +12,15 @@ def github_disable_required_status_checks(rec):
author: @mimeframe
description: The 'required status checks' feature was disabled for a repository.
Settings -> Branches -> Protected Branches -> <choose a branch>
repro_steps: (a) Choose a repository
(b) Click Settings -> Branches -> Protected Branches -> <branch>
(c) Uncheck 'Require status checks to pass before merging'
reference: https://help.github.com/articles/enabling-required-status-checks/
"""
return (
rec['action'] == 'protected_branch.update_required_status_checks_enforcement_level' and
# 0 => unchecked
# 1 => enabled for users
# 2 => enabled for users and admins ('Include administrators')
rec['data'].get('required_status_checks_enforcement_level') == 0
)
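Review bot: The new comments document level 1 as 'enabled for users' only, but the condition `rec['data'].get('required_status_checks_enforcement_level') == 0` fires solely on a full disable, so a change from 2 to 1 — unchecking 'Include administrators', which exempts admins from status checks — produces no alert. If that is intentional, the docstring should say the rule covers only the complete disable; otherwise a companion rule on level 1 would close the gap, since the payload visible here carries only the new level and not the prior one. The function's signature sits just above the hunk.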
@@ -1,4 +1,4 @@
"""Github two-factor authentication requirement was disabled."""
"""Github two-factor authentication requirement was disabled for an org."""
from stream_alert.rule_processor.rules_engine import StreamRules

rule = StreamRules.rule
Expand All @@ -7,10 +7,13 @@
outputs=['aws-s3:sample-bucket',
'pagerduty:sample-integration',
'slack:sample-channel'])
def github_disable_org_two_factor_requirement(rec):
def github_disable_two_factor_requirement_org(rec):
"""
author: @mimeframe
description: Two-factor authentication requirement was disabled.
description: Two-factor authentication requirement was disabled for an org.
repro_steps: (a) Visit /organizations/<org>/settings/security
(b) Uncheck 'Require two-factor authentication...'
(c) Click 'Save'
reference: https://help.github.com/
articles/requiring-two-factor-authentication-in-your-organization/
"""
Expand Down
@@ -0,0 +1,17 @@
"""Github two-factor authentication requirement was disabled for a user."""
from stream_alert.rule_processor.rules_engine import StreamRules

rule = StreamRules.rule

@rule(logs=['ghe:general'],
outputs=['aws-s3:sample-bucket',
'pagerduty:sample-integration',
'slack:sample-channel'])
def github_disable_two_factor_requirement_user(rec):
"""
author: @mimeframe
description: Two-factor authentication requirement was disabled for a user.
repro_steps: (a) Visit /settings/two_factor_authentication/configure
reference: https://help.github.com/enterprise/2.11/admin/articles/audited-actions/
"""
return rec['action'] == 'two_factor_authentication.disabled'
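Review bot: `repro_steps` stops at `(a) Visit /settings/two_factor_authentication/configure` whereas every sibling rule in this commit lists the full (a)/(b)/(c) sequence; add the remaining steps, e.g. `(b) Click 'Disable two-factor authentication'` with the label confirmed against the GHE UI. Note too that, unlike the org-level rule, this fires for every individual user who turns off 2FA, which may be noisy on the PagerDuty output in an org that does not enforce 2FA; a sentence in the description stating that expectation would help whoever tunes the outputs.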
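--- a/rules/community/github/github_oauth_application_create.py
+++ b/rules/community/github/github_oauth_application_create.py
@@ -0,0 +1,17 @@
+"""An OAuth application was registered within Github."""
+from stream_alert.rule_processor.rules_engine import StreamRules
+
+rule = StreamRules.rule
+
+@rule(logs=['ghe:general'],
+outputs=['aws-s3:sample-bucket',
+'pagerduty:sample-integration',
+'slack:sample-channel'])
+def github_oauth_application_create(rec):
+"""
+author: @mimeframe
+description: An OAuth application was registered within Github.
+reference: https://developer.github.com
+/apps/building-integrations/setting-up-and-registering-oauth-apps/
+"""
+return rec['action'] == 'oauth_application.create'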
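Review bot: The docstring lacks the `repro_steps:` entry that the other new rules in this commit carry; add `repro_steps: (a) Visit /settings/developers (b) Click 'Register a new application'` with the path confirmed against the GHE version in use. As written the rule alerts on every OAuth app registration by any user, so the description should say so explicitly — a consumer tuning outputs will want to know this is a visibility/inventory alert rather than an indicator of compromise before routing it to PagerDuty.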
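--- a/rules/community/github/github_site_admin_action.py
+++ b/rules/community/github/github_site_admin_action.py
@@ -0,0 +1,18 @@
+"""A Github site admin tool/action was used."""
+from stream_alert.rule_processor.rules_engine import StreamRules
+
+rule = StreamRules.rule
+
+@rule(logs=['ghe:general'],
+outputs=['aws-s3:sample-bucket',
+'pagerduty:sample-integration',
+'slack:sample-channel'])
+def github_site_admin_action(rec):
+"""
+author: @mimeframe
+description: A Github site admin tool/action was used.
+Example: 'staff.fake_login'
+"A site admin signed into GitHub Enterprise as another user.""
+reference: https://help.github.com/enterprise/2.11/admin/articles/audited-actions/
+"""
+return rec['action'].startswith('staff.')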
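Review bot: The quoted example `"A site admin signed into GitHub Enterprise as another user.""` has an unbalanced closing quote; change it to `"A site admin signed into GitHub Enterprise as another user."`. The prefix match `rec['action'].startswith('staff.')` covers the whole staff.* family, so if GHE also records routine or read-only admin activity under that prefix the PagerDuty output will page on every one of them; an explicit set of the high-impact actions, or at least a docstring sentence stating that the breadth is intentional, would make the scope clear to whoever tunes it.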
Expand Up @@ -7,7 +7,7 @@
outputs=['aws-s3:sample-bucket',
'pagerduty:sample-integration',
'slack:sample-channel'])
def github_user_promotion_to_site_admin(rec):
def github_site_admin_user_promotion(rec):
"""
author: @fusionrace, @mimeframe
description: Alert when a Github Enterprise user account is promoted to a
Expand Down
@@ -0,0 +1,48 @@
{
"records": [
{
"data": {
"message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"protected_branch.dismiss_stale_reviews\",\"data\":{\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}",
"@version": "1",
"@timestamp": "...",
"host": "10.1.1.1",
"port": 123,
"tags": [
],
"received_at": "...",
"timestamp": "...",
"logsource": "...",
"program": "github_audit"
},
"description": "Disabling 'Dismiss stale pull request approvals' should trigger an alert.",
"log": "ghe:general",
"source": "prefix_cluster1_stream_alert_kinesis",
"service": "kinesis",
"trigger_rules": [
"github_disable_dismiss_stale_pull_request_approvals"
]
},
{
"data": {
"message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"something.different\",\"data\":{\"authorized_actors_only\":true,\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}",
"@version": "1",
"@timestamp": "...",
"host": "10.1.1.1",
"port": 123,
"tags": [
],
"received_at": "...",
"timestamp": "...",
"logsource": "...",
"program": "github_audit",
"pid": "1234"
},
"description": "An unrelated Github log should not trigger an alert.",
"log": "ghe:general",
"source": "prefix_cluster1_stream_alert_kinesis",
"service": "kinesis",
"trigger_rules": [
]
}
]
}
@@ -0,0 +1,48 @@
{
"records": [
{
"data": {
"message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"protected_branch.destroy\",\"data\":{\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}",
"@version": "1",
"@timestamp": "...",
"host": "10.1.1.1",
"port": 123,
"tags": [
],
"received_at": "...",
"timestamp": "...",
"logsource": "...",
"program": "github_audit"
},
"description": "Disabling Github branch protections should trigger an alert.",
"log": "ghe:general",
"source": "prefix_cluster1_stream_alert_kinesis",
"service": "kinesis",
"trigger_rules": [
"github_disable_protect_this_branch"
]
},
{
"data": {
"message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"something.different\",\"data\":{\"authorized_actors_only\":true,\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}",
"@version": "1",
"@timestamp": "...",
"host": "10.1.1.1",
"port": 123,
"tags": [
],
"received_at": "...",
"timestamp": "...",
"logsource": "...",
"program": "github_audit",
"pid": "1234"
},
"description": "An unrelated Github log should not trigger an alert.",
"log": "ghe:general",
"source": "prefix_cluster1_stream_alert_kinesis",
"service": "kinesis",
"trigger_rules": [
]
}
]
}
@@ -0,0 +1,48 @@
{
"records": [
{
"data": {
"message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"protected_branch.dismissal_restricted_users_teams\",\"data\":{\"authorized_actors_only\":true,\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}",
"@version": "1",
"@timestamp": "...",
"host": "10.1.1.1",
"port": 123,
"tags": [
],
"received_at": "...",
"timestamp": "...",
"logsource": "...",
"program": "github_audit"
},
"description": "Disabling Required Pull Request reviews should trigger an alert.",
"log": "ghe:general",
"source": "prefix_cluster1_stream_alert_kinesis",
"service": "kinesis",
"trigger_rules": [
"github_disable_required_pull_request_reviews"
]
},
{
"data": {
"message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"something.different\",\"data\":{\"authorized_actors_only\":true,\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}",
"@version": "1",
"@timestamp": "...",
"host": "10.1.1.1",
"port": 123,
"tags": [
],
"received_at": "...",
"timestamp": "...",
"logsource": "...",
"program": "github_audit",
"pid": "1234"
},
"description": "An unrelated Github log should not trigger an alert.",
"log": "ghe:general",
"source": "prefix_cluster1_stream_alert_kinesis",
"service": "kinesis",
"trigger_rules": [
]
}
]
}
Expand Up @@ -16,11 +16,13 @@
],
"timestamp": "Sep 5 20:49:31"
},
"description": "Disabling the 2FA requirement on Github should create an alert.",
"description": "Disabling the 2FA requirement on a Github org should create an alert.",
"log": "ghe:general",
"source": "prefix_cluster1_stream_alert_kinesis",
"service": "kinesis",
"trigger_rules": ["github_disable_org_two_factor_requirement"]
"trigger_rules": [
"github_disable_two_factor_requirement_org"
]
},
{
"data": {
Expand All @@ -38,7 +40,7 @@
],
"timestamp": "Sep 5 20:49:31"
},
"description": "Enabling the 2FA requirement on Github should not create an alert.",
"description": "Enabling the 2FA requirement on a Github org should not create an alert.",
"log": "ghe:general",
"source": "prefix_cluster1_stream_alert_kinesis",
"service": "kinesis",
Expand Down

