Merge pull request #428 from airbnb/mimeframe-streamalert-github-more…
…-rules streamalert - rules - github - 5 new rules and some cleanup
Showing
17 changed files
with
436 additions
and
10 deletions.
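--- a/rules/community/github/github_disable_dismiss_stale_pull_request_approvals.py
+++ b/rules/community/github/github_disable_dismiss_stale_pull_request_approvals.py
@@ -0,0 +1,21 @@
+"""Github setting 'Dismiss stale pull request approvals' was disabled for a repo."""
+from stream_alert.rule_processor.rules_engine import StreamRules
+
+rule = StreamRules.rule
+
+@rule(logs=['ghe:general'],
+      outputs=['aws-s3:sample-bucket',
+               'pagerduty:sample-integration',
+               'slack:sample-channel'])
+def github_disable_dismiss_stale_pull_request_approvals(rec):
+    """
+    author: @mimeframe
+    description: Setting 'Dismiss stale pull request approvals when new commits are pushed'
+                 was disabled. As a result, commits occurring after approval will not
+                 require approval.
+    repro_steps: (a) Visit /<org>/<repo>/settings/branches/<branch>
+                 (b) Uncheck 'Dismiss stale pull request approvals when new commits are pushed'
+                 (c) Click 'Save Changes'
+    reference: https://help.github.com/articles/configuring-protected-branches/
+    """
+    return rec['action'] == 'protected_branch.dismiss_stale_reviews'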
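Review bot: The match `return rec['action'] == 'protected_branch.dismiss_stale_reviews'` keys only on the action name and never inspects the resulting setting state, so if GitHub emits this event for both enabling and disabling the option the rule will also alert when a repo is being hardened; the fixture's `data` payload in this commit carries no state field, so this cannot be confirmed from the page. github_disable_required_pull_request_reviews in this same commit gates on `rec['data'].get('authorized_actors_only') is True` for exactly this purpose, so the asymmetry is worth resolving: capture an enable event, and if a state field exists add the analogous check here. If no such field exists, say so in the docstring, e.g. `note: fires on any change to this setting; the new state is not available in the event`.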
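--- a/rules/community/github/github_disable_protect_this_branch.py
+++ b/rules/community/github/github_disable_protect_this_branch.py
@@ -0,0 +1,23 @@
+"""Github setting 'Protect this branch' was disabled for a repo."""
+from stream_alert.rule_processor.rules_engine import StreamRules
+
+rule = StreamRules.rule
+
+@rule(logs=['ghe:general'],
+      outputs=['aws-s3:sample-bucket',
+               'pagerduty:sample-integration',
+               'slack:sample-channel'])
+def github_disable_protect_this_branch(rec):
+    """
+    author: @mimeframe
+    description: Github setting 'Protect this branch' was disabled for a repo.
+                 When unchecking this top-level option, it also disables
+                 'Require pull request reviews before merging',
+                 'Require review from Code Owners', and all other branch protections
+                 like status checks.
+    repro_steps: (a) Visit /<org>/<repo>/settings/branches/<branch>
+                 (b) Uncheck 'Protect this branch'
+                 (c) Click 'Save Changes'
+    reference: https://help.github.com/articles/configuring-protected-branches/
+    """
+    return rec['action'] == 'protected_branch.destroy'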
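--- a/rules/community/github/github_disable_required_pull_request_reviews.py
+++ b/rules/community/github/github_disable_required_pull_request_reviews.py
@@ -0,0 +1,29 @@
+"""Github 'Require pull request reviews before merging' was disabled for a repo."""
+from helpers.base import in_set
+from stream_alert.rule_processor.rules_engine import StreamRules
+
+rule = StreamRules.rule
+
+@rule(logs=['ghe:general'],
+      outputs=['aws-s3:sample-bucket',
+               'pagerduty:sample-integration',
+               'slack:sample-channel'])
+def github_disable_required_pull_request_reviews(rec):
+    """
+    author: @mimeframe
+    description: Setting 'Require pull request reviews before merging' was disabled.
+                 When enabled, all commits must be made to a non-protected branch
+                 and submitted via a pull request with at least one approved review
+                 and no changes requested before it can be merged into master.
+    repro_steps: (a) Visit /<org>/<repo>/settings/branches/<branch>
+                 (b) Uncheck 'Require pull request reviews before merging'
+                 (c) Click 'Save Changes'
+    reference: https://help.github.com/articles/enabling-required-reviews-for-pull-requests/
+    """
+    actor_ignorelist = {
+    }
+    return (
+        rec['action'] == 'protected_branch.dismissal_restricted_users_teams' and
+        rec['data'].get('authorized_actors_only') is True and
+        not in_set(rec['actor'], actor_ignorelist)
+    )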
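Review bot: `actor_ignorelist = {` `}` just before the return is an empty dict literal, not a set — `{}` in Python always builds a dict — so the name and the `in_set(rec['actor'], actor_ignorelist)` call are misleading even though membership on a dict still tests its keys; write `actor_ignorelist = set()`. Separately, the matched action `protected_branch.dismissal_restricted_users_teams` reads as the "restrict who can dismiss reviews" setting rather than the "Require pull request reviews before merging" option named in the docstring; if the mapping was verified against a captured event, a one-line comment saying so would spare the next reader the same doubt. `rec['data'].get(...)` assumes `data` is already a parsed dict, which the fixture added in this commit supports.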
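--- a/rules/community/github/github_disable_two_factor_requirement_user.py
+++ b/rules/community/github/github_disable_two_factor_requirement_user.py
@@ -0,0 +1,17 @@
+"""Github two-factor authentication requirement was disabled for a user."""
+from stream_alert.rule_processor.rules_engine import StreamRules
+
+rule = StreamRules.rule
+
+@rule(logs=['ghe:general'],
+      outputs=['aws-s3:sample-bucket',
+               'pagerduty:sample-integration',
+               'slack:sample-channel'])
+def github_disable_two_factor_requirement_user(rec):
+    """
+    author: @mimeframe
+    description: Two-factor authentication requirement was disabled for a user.
+    repro_steps: (a) Visit /settings/two_factor_authentication/configure
+    reference: https://help.github.com/enterprise/2.11/admin/articles/audited-actions/
+    """
+    return rec['action'] == 'two_factor_authentication.disabled'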
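Review bot: The `repro_steps` field stops at `(a) Visit /settings/two_factor_authentication/configure` and never names the action taken on that page, unlike the three-step entries in the sibling rules of this commit; finish it with the control that was actually clicked so the fixture can be regenerated. The docstring also says the requirement was disabled "for a user" while the code matches every `two_factor_authentication.disabled` event whoever performed it; the ghe:general record carries both `actor` and `user` (visible in the fixtures in this commit), and noting whether an `actor` that differs from `user` is the case of interest would help later tuning. No fixture for this rule is visible on the page, so whether one was added cannot be checked here.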
@@ -0,0 +1,17 @@ | ||
"""An OAuth application was registered within Github.""" | ||
from stream_alert.rule_processor.rules_engine import StreamRules | ||
|
||
rule = StreamRules.rule | ||
|
||
@rule(logs=['ghe:general'], | ||
outputs=['aws-s3:sample-bucket', | ||
'pagerduty:sample-integration', | ||
'slack:sample-channel']) | ||
def github_oauth_application_create(rec): | ||
""" | ||
author: @mimeframe | ||
description: An OAuth application was registered within Github. | ||
reference: https://developer.github.com | ||
/apps/building-integrations/setting-up-and-registering-oauth-apps/ | ||
""" | ||
return rec['action'] == 'oauth_application.create' |
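Review bot: The `reference:` entry in the docstring is split across two lines (`https://developer.github.com` followed by `/apps/building-integrations/setting-up-and-registering-oauth-apps/`), so it is neither copy-pasteable nor parseable as one URL by anything that reads these fields; keep it on a single line even if it exceeds the line length, or point at a shorter path. The rule also lacks the `repro_steps` entry every other rule in this commit carries; add one in the same `(a) … (b) …` form. This section's file header is not in view, so the file path cannot be confirmed from the page.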
@@ -0,0 +1,18 @@ | ||
"""A Github site admin tool/action was used.""" | ||
from stream_alert.rule_processor.rules_engine import StreamRules | ||
|
||
rule = StreamRules.rule | ||
|
||
@rule(logs=['ghe:general'], | ||
outputs=['aws-s3:sample-bucket', | ||
'pagerduty:sample-integration', | ||
'slack:sample-channel']) | ||
def github_site_admin_action(rec): | ||
""" | ||
author: @mimeframe | ||
description: A Github site admin tool/action was used. | ||
Example: 'staff.fake_login' | ||
"A site admin signed into GitHub Enterprise as another user."" | ||
reference: https://help.github.com/enterprise/2.11/admin/articles/audited-actions/ | ||
""" | ||
return rec['action'].startswith('staff.') |
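Review bot: The docstring line `"A site admin signed into GitHub Enterprise as another user.""` ends with a stray extra quote; two double quotes do not close the triple-quoted string, so it compiles, but it reads as a typo — drop one `"`. The prefix match `rec['action'].startswith('staff.')` deliberately covers the whole staff family, which is fine for a catch-all, but the docstring only gives `staff.fake_login` as an example; state explicitly that every `staff.*` action alerts so that anyone tuning noise knows to add an ignore set rather than narrow the prefix. This section's file header is not in view, so the file path cannot be confirmed from the page.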
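--- a/tests/integration/rules/github/github_disable_dismiss_stale_pull_request_approvals.json
+++ b/tests/integration/rules/github/github_disable_dismiss_stale_pull_request_approvals.json
@@ -0,0 +1,48 @@
+{
+  "records": [
+    {
+      "data": {
+        "message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"protected_branch.dismiss_stale_reviews\",\"data\":{\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}",
+        "@version": "1",
+        "@timestamp": "...",
+        "host": "10.1.1.1",
+        "port": 123,
+        "tags": [
+        ],
+        "received_at": "...",
+        "timestamp": "...",
+        "logsource": "...",
+        "program": "github_audit"
+      },
+      "description": "Disabling 'Dismiss stale pull request approvals' should trigger an alert.",
+      "log": "ghe:general",
+      "source": "prefix_cluster1_stream_alert_kinesis",
+      "service": "kinesis",
+      "trigger_rules": [
+        "github_disable_dismiss_stale_pull_request_approvals"
+      ]
+    },
+    {
+      "data": {
+        "message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"something.different\",\"data\":{\"authorized_actors_only\":true,\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}",
+        "@version": "1",
+        "@timestamp": "...",
+        "host": "10.1.1.1",
+        "port": 123,
+        "tags": [
+        ],
+        "received_at": "...",
+        "timestamp": "...",
+        "logsource": "...",
+        "program": "github_audit",
+        "pid": "1234"
+      },
+      "description": "An unrelated Github log should not trigger an alert.",
+      "log": "ghe:general",
+      "source": "prefix_cluster1_stream_alert_kinesis",
+      "service": "kinesis",
+      "trigger_rules": [
+      ]
+    }
+  ]
+}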
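Review bot: The negative record uses action `something.different`, which only proves that an unrelated event is ignored; a near-miss record with another `protected_branch.*` action would pin the exact-string comparison the rule relies on and catch a future loosening to a prefix match. The negative record also carries `"authorized_actors_only":true` and a `"pid": "1234"` field that the positive record lacks — residue from the sibling fixture; harmless, but the two records should differ only in what the rule tests so a failure points at one cause. The same applies to github_disable_protect_this_branch.json in this commit.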
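--- a/tests/integration/rules/github/github_disable_protect_this_branch.json
+++ b/tests/integration/rules/github/github_disable_protect_this_branch.json
@@ -0,0 +1,48 @@
+{
+  "records": [
+    {
+      "data": {
+        "message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"protected_branch.destroy\",\"data\":{\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}",
+        "@version": "1",
+        "@timestamp": "...",
+        "host": "10.1.1.1",
+        "port": 123,
+        "tags": [
+        ],
+        "received_at": "...",
+        "timestamp": "...",
+        "logsource": "...",
+        "program": "github_audit"
+      },
+      "description": "Disabling Github branch protections should trigger an alert.",
+      "log": "ghe:general",
+      "source": "prefix_cluster1_stream_alert_kinesis",
+      "service": "kinesis",
+      "trigger_rules": [
+        "github_disable_protect_this_branch"
+      ]
+    },
+    {
+      "data": {
+        "message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"something.different\",\"data\":{\"authorized_actors_only\":true,\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}",
+        "@version": "1",
+        "@timestamp": "...",
+        "host": "10.1.1.1",
+        "port": 123,
+        "tags": [
+        ],
+        "received_at": "...",
+        "timestamp": "...",
+        "logsource": "...",
+        "program": "github_audit",
+        "pid": "1234"
+      },
+      "description": "An unrelated Github log should not trigger an alert.",
+      "log": "ghe:general",
+      "source": "prefix_cluster1_stream_alert_kinesis",
+      "service": "kinesis",
+      "trigger_rules": [
+      ]
+    }
+  ]
+}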
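--- a/tests/integration/rules/github/github_disable_required_pull_request_reviews.json
+++ b/tests/integration/rules/github/github_disable_required_pull_request_reviews.json
@@ -0,0 +1,48 @@
+{
+  "records": [
+    {
+      "data": {
+        "message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"protected_branch.dismissal_restricted_users_teams\",\"data\":{\"authorized_actors_only\":true,\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}",
+        "@version": "1",
+        "@timestamp": "...",
+        "host": "10.1.1.1",
+        "port": 123,
+        "tags": [
+        ],
+        "received_at": "...",
+        "timestamp": "...",
+        "logsource": "...",
+        "program": "github_audit"
+      },
+      "description": "Disabling Required Pull Request reviews should trigger an alert.",
+      "log": "ghe:general",
+      "source": "prefix_cluster1_stream_alert_kinesis",
+      "service": "kinesis",
+      "trigger_rules": [
+        "github_disable_required_pull_request_reviews"
+      ]
+    },
+    {
+      "data": {
+        "message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"something.different\",\"data\":{\"authorized_actors_only\":true,\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}",
+        "@version": "1",
+        "@timestamp": "...",
+        "host": "10.1.1.1",
+        "port": 123,
+        "tags": [
+        ],
+        "received_at": "...",
+        "timestamp": "...",
+        "logsource": "...",
+        "program": "github_audit",
+        "pid": "1234"
+      },
+      "description": "An unrelated Github log should not trigger an alert.",
+      "log": "ghe:general",
+      "source": "prefix_cluster1_stream_alert_kinesis",
+      "service": "kinesis",
+      "trigger_rules": [
+      ]
+    }
+  ]
+}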
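Review bot: The negative record changes only the action to `something.different` while keeping `"authorized_actors_only":true`, so the rule's second condition (`rec['data'].get('authorized_actors_only') is True`) is never exercised in the false direction and a regression that drops that check would still pass this fixture. Add a third record that keeps the real action `protected_branch.dismissal_restricted_users_teams` but sets `"authorized_actors_only":false` with an empty `trigger_rules` list. A record with the flag absent from `data` entirely would also pin the `.get(...) is True` behaviour against a missing key.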