From f6be85adee1bc817c7ebf2bc014cb92de91e1007 Mon Sep 17 00:00:00 2001 
From: x Date: Thu, 26 Oct 2017 23:12:03 -0700 Subject: [PATCH 1/3] github - new rules and cleanup --- ...le_dismiss_stale_pull_request_approvals.py | 21 ++++++++ .../github_disable_protect_this_branch.py | 23 +++++++++ ...b_disable_required_pull_request_reviews.py | 29 +++++++++++ .../github_disable_required_status_checks.py | 6 +++ ...hub_disable_two_factor_requirement_org.py} | 9 ++-- ...hub_disable_two_factor_requirement_user.py | 17 +++++++ .../github/github_site_admin_action.py | 18 +++++++ ...py => github_site_admin_user_promotion.py} | 2 +- ..._dismiss_stale_pull_request_approvals.json | 48 ++++++++++++++++++ .../github_disable_protect_this_branch.json | 48 ++++++++++++++++++ ...disable_required_pull_request_reviews.json | 48 ++++++++++++++++++ ...b_disable_two_factor_requirement_org.json} | 8 +-- ...b_disable_two_factor_requirement_user.json | 50 +++++++++++++++++++ .../github/github_site_admin_action.json | 47 +++++++++++++++++ ... => github_site_admin_user_promotion.json} | 8 +-- 15 files changed, 372 insertions(+), 10 deletions(-) create mode 100644 rules/community/github/github_disable_dismiss_stale_pull_request_approvals.py create mode 100644 rules/community/github/github_disable_protect_this_branch.py create mode 100644 rules/community/github/github_disable_required_pull_request_reviews.py rename rules/community/github/{github_disable_org_two_factor_requirement.py => github_disable_two_factor_requirement_org.py} (63%) create mode 100644 rules/community/github/github_disable_two_factor_requirement_user.py create mode 100644 rules/community/github/github_site_admin_action.py rename rules/community/github/{github_user_promotion_to_site_admin.py => github_site_admin_user_promotion.py} (93%) create mode 100644 tests/integration/rules/github/github_disable_dismiss_stale_pull_request_approvals.json create mode 100644 tests/integration/rules/github/github_disable_protect_this_branch.json create mode 100644 
tests/integration/rules/github/github_disable_required_pull_request_reviews.json rename tests/integration/rules/github/{github_disable_org_two_factor_requirement.json => github_disable_two_factor_requirement_org.json} (90%) create mode 100644 tests/integration/rules/github/github_disable_two_factor_requirement_user.json create mode 100644 tests/integration/rules/github/github_site_admin_action.json rename tests/integration/rules/github/{github_user_promotion_to_site_admin.json => github_site_admin_user_promotion.json} (88%) diff --git a/rules/community/github/github_disable_dismiss_stale_pull_request_approvals.py b/rules/community/github/github_disable_dismiss_stale_pull_request_approvals.py new file mode 100644 index 000000000..b7cdfd4be --- /dev/null +++ b/rules/community/github/github_disable_dismiss_stale_pull_request_approvals.py @@ -0,0 +1,21 @@ +"""Github setting 'Dismiss stale pull request approvals' was disabled for a repo.""" +from stream_alert.rule_processor.rules_engine import StreamRules + +rule = StreamRules.rule + +@rule(logs=['ghe:general'], + outputs=['aws-s3:sample-bucket', + 'pagerduty:sample-integration', + 'slack:sample-channel']) +def github_disable_dismiss_stale_pull_request_approvals(rec): + """ + author: @mimeframe + description: Setting 'Dismiss stale pull request approvals when new commits are pushed' + was disabled. As a result, commits occurring after approval will not + require approval. + repro_steps: (a) Visit ///settings/branches/ + (b) Uncheck 'Dismiss stale pull request approvals when new commits are pushed' + (c) Click 'Save Changes' + reference: https://help.github.com/articles/configuring-protected-branches/ + """ + return rec['action'] == 'protected_branch.dismiss_stale_reviews' diff --git a/rules/community/github/github_disable_protect_this_branch.py b/rules/community/github/github_disable_protect_this_branch.py new file mode 100644 index 000000000..21c76ed9b --- /dev/null 
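Review bot: The return on the last line matches `protected_branch.dismiss_stale_reviews` by action name alone, so if GitHub Enterprise emits that same audit action when the setting is switched on, this rule pages on enabling as well as disabling; the fixture's `data` block carries no state field, so I cannot confirm either way from here. The sibling `github_disable_required_status_checks` rule shows the safer pattern by keying on `required_status_checks_enforcement_level == 0`. Worth capturing one real disable and one real enable event and, if the payload carries a boolean for the new state, adding `and rec['data'].get('<state_field>') is False` with a comment naming the field.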
+++ b/rules/community/github/github_disable_protect_this_branch.py @@ -0,0 +1,23 @@ +"""Github setting 'Protect this branch' was disabled for a repo.""" +from stream_alert.rule_processor.rules_engine import StreamRules + +rule = StreamRules.rule + +@rule(logs=['ghe:general'], + outputs=['aws-s3:sample-bucket', + 'pagerduty:sample-integration', + 'slack:sample-channel']) +def github_disable_protect_this_branch(rec): + """ + author: @mimeframe + description: Github setting 'Protect this branch' was disabled for a repo. + When unchecking this top-level option, it also disables + 'Require pull request reviews before merging', + 'Require review from Code Owners', and all other branch protections + like status checks. + repro_steps: (a) Visit ///settings/branches/ + (b) Uncheck 'Protect this branch' + (c) Click 'Save Changes' + reference: https://help.github.com/articles/configuring-protected-branches/ + """ + return rec['action'] == 'protected_branch.destroy' diff --git a/rules/community/github/github_disable_required_pull_request_reviews.py b/rules/community/github/github_disable_required_pull_request_reviews.py new file mode 100644 index 000000000..700a0f56b --- /dev/null +++ b/rules/community/github/github_disable_required_pull_request_reviews.py 
@@ -0,0 +1,29 @@ +"""Github 'Require pull request reviews before merging' was disabled for a repo.""" +from helpers.base import in_set +from stream_alert.rule_processor.rules_engine import StreamRules + +rule = StreamRules.rule + +@rule(logs=['ghe:general'], + outputs=['aws-s3:sample-bucket', + 'pagerduty:sample-integration', + 'slack:sample-channel']) +def github_disable_required_pull_request_reviews(rec): + """ + author: @mimeframe + description: Setting 'Require pull request reviews before merging' was disabled. + When enabled, all commits must be made to a non-protected branch + and submitted via a pull request with at least one approved review + and no changes requested before it can be merged into master. + repro_steps: (a) Visit ///settings/branches/ + (b) Uncheck 'Require pull request reviews before merging' + (c) Click 'Save Changes' + reference: https://help.github.com/articles/enabling-required-reviews-for-pull-requests/ + """ + actor_ignorelist = { + } + return ( + rec['action'] == 'protected_branch.dismissal_restricted_users_teams' and + rec['data'].get('authorized_actors_only') == True and + not in_set(rec['actor'], actor_ignorelist) + ) diff --git a/rules/community/github/github_disable_required_status_checks.py b/rules/community/github/github_disable_required_status_checks.py index ee9658184..ac3e3c948 100644 --- a/rules/community/github/github_disable_required_status_checks.py +++ b/rules/community/github/github_disable_required_status_checks.py 
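Review bot: The match condition does not obviously correspond to the docstring: the docstring says 'Require pull request reviews before merging' was disabled, yet the rule fires on `protected_branch.dismissal_restricted_users_teams` with `authorized_actors_only` true, which reads like a review-dismissal restriction being tightened rather than required reviews being removed. If this mapping was confirmed against a captured GHE event, a comment such as `# GHE logs a disabled required-reviews setting as dismissal_restricted_users_teams with authorized_actors_only=true` would spare the next reader the same doubt, mirroring the enforcement-level comment in the status-checks rule. Separately, `actor_ignorelist = {}` is an empty dict rather than a set — `actor_ignorelist = set()` says what is meant — and every actor added to it becomes a blind spot for this control, so it deserves a comment stating that entries must be justified.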
@@ -12,9 +12,15 @@ def github_disable_required_status_checks(rec): author: @mimeframe description: The 'required status checks' feature was disabled for a repository. Settings -> Branches -> Protected Branches -> + repro_steps: (a) Choose a repository + (b) Click Settings -> Branches -> Protected Branches -> + (c) Uncheck 'Require status checks to pass before merging' reference: https://help.github.com/articles/enabling-required-status-checks/ """ return ( rec['action'] == 'protected_branch.update_required_status_checks_enforcement_level' and + # 0 => unchecked + # 1 => enabled for users + # 2 => enabled for users and admins ('Include administrators') rec['data'].get('required_status_checks_enforcement_level') == 0 ) diff --git a/rules/community/github/github_disable_org_two_factor_requirement.py b/rules/community/github/github_disable_two_factor_requirement_org.py similarity index 63% rename from rules/community/github/github_disable_org_two_factor_requirement.py rename to rules/community/github/github_disable_two_factor_requirement_org.py index c91c15770..41e1b81ec 100644 --- a/rules/community/github/github_disable_org_two_factor_requirement.py +++ b/rules/community/github/github_disable_two_factor_requirement_org.py @@ -1,4 +1,4 @@ -"""Github two-factor authentication requirement was disabled.""" +"""Github two-factor authentication requirement was disabled for an org.""" from stream_alert.rule_processor.rules_engine import StreamRules rule = StreamRules.rule 
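Review bot: The new comment lines spell out that level 2 means 'Include administrators', yet the condition below still fires only on level 0, so a change from 2 to 1 — administrators newly exempt from status checks — goes unalerted. Widening to `in (0, 1)` would also fire when checks are first enabled at level 1, so if the 2→1 downgrade matters a separate rule keyed on the previous level (if the event carries it) is cleaner; at minimum a comment such as `# NOTE: a downgrade from 2 to 1 (admins exempt) is not caught here` records the gap. The function's signature and decorator lie outside the hunk.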
@@ -7,10 +7,13 @@ outputs=['aws-s3:sample-bucket', 'pagerduty:sample-integration', 'slack:sample-channel']) -def github_disable_org_two_factor_requirement(rec): +def github_disable_two_factor_requirement_org(rec): """ author: @mimeframe - description: Two-factor authentication requirement was disabled. + description: Two-factor authentication requirement was disabled for an org. + repro_steps: (a) Visit /organizations//settings/security + (b) Uncheck 'Require two-factor authentication...' + (c) Click 'Save' reference: https://help.github.com/ articles/requiring-two-factor-authentication-in-your-organization/ """ diff --git a/rules/community/github/github_disable_two_factor_requirement_user.py b/rules/community/github/github_disable_two_factor_requirement_user.py new file mode 100644 index 000000000..f3680940f --- /dev/null +++ b/rules/community/github/github_disable_two_factor_requirement_user.py @@ -0,0 +1,17 @@ +"""Github two-factor authentication requirement was disabled for a user.""" +from stream_alert.rule_processor.rules_engine import StreamRules + +rule = StreamRules.rule + +@rule(logs=['ghe:general'], + outputs=['aws-s3:sample-bucket', + 'pagerduty:sample-integration', + 'slack:sample-channel']) +def github_disable_two_factor_requirement_user(rec): + """ + author: @mimeframe + description: Two-factor authentication requirement was disabled for a user. + repro_steps: (a) Visit /settings/two_factor_authentication/configure + reference: https://help.github.com/enterprise/2.11/admin/articles/audited-actions/ + """ + return rec['action'] == 'two_factor_authentication.disabled' diff --git a/rules/community/github/github_site_admin_action.py b/rules/community/github/github_site_admin_action.py new file mode 100644 index 000000000..b2f79aa83 --- /dev/null +++ b/rules/community/github/github_site_admin_action.py 
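Review bot: The module docstring and `description` in the user rule call this a two-factor 'requirement' being disabled for a user, but `two_factor_authentication.disabled` is a user's own 2FA being turned off — there is no per-user requirement to switch off — so the wording will confuse triage; suggest `description: A user's two-factor authentication was disabled.` Whether `actor` equals `user` in that event (self-service) or differs (a site admin acting on someone's behalf) is the first thing a responder wants, and either a docstring sentence or an extra check on `rec['actor'] != rec.get('user')` would surface it — the fixture uses `...` for the actor, so I cannot tell which shape is real. `repro_steps` also stops at step (a) without the disable action.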
@@ -0,0 +1,18 @@ +"""A Github site admin tool/action was used.""" +from stream_alert.rule_processor.rules_engine import StreamRules + +rule = StreamRules.rule + +@rule(logs=['ghe:general'], + outputs=['aws-s3:sample-bucket', + 'pagerduty:sample-integration', + 'slack:sample-channel']) +def github_site_admin_action(rec): + """ + author: @mimeframe + description: A Github site admin tool/action was used. + Example: 'staff.fake_login' + "A site admin signed into GitHub Enterprise as another user."" + reference: https://help.github.com/enterprise/2.11/admin/articles/audited-actions/ + """ + return rec['action'].startswith('staff.') diff --git a/rules/community/github/github_user_promotion_to_site_admin.py b/rules/community/github/github_site_admin_user_promotion.py similarity index 93% rename from rules/community/github/github_user_promotion_to_site_admin.py rename to rules/community/github/github_site_admin_user_promotion.py index 7e93e7687..cbd0c4e2c 100644 --- a/rules/community/github/github_user_promotion_to_site_admin.py +++ b/rules/community/github/github_site_admin_user_promotion.py @@ -7,7 +7,7 @@ outputs=['aws-s3:sample-bucket', 'pagerduty:sample-integration', 'slack:sample-channel']) -def github_user_promotion_to_site_admin(rec): +def github_site_admin_user_promotion(rec): """ author: @fusionrace, @mimeframe description: Alert when a Github Enterprise user account is promoted to a diff --git a/tests/integration/rules/github/github_disable_dismiss_stale_pull_request_approvals.json b/tests/integration/rules/github/github_disable_dismiss_stale_pull_request_approvals.json new file mode 100644 index 000000000..3fb1a0d54 --- /dev/null +++ b/tests/integration/rules/github/github_disable_dismiss_stale_pull_request_approvals.json 
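Review bot: The docstring's example action is `staff.fake_login` while the fixture record uses `staff.fake_user`; at least one is not the real audited action name, so please check the audited-actions reference and make them agree, and drop the stray closing quote in `as another user.""`. Beyond that, `rec['action'].startswith('staff.')` pages on every `staff.*` action; if that namespace also covers routine read-only admin operations the PagerDuty output will be noisy, so consider routing only impersonation-style events to PagerDuty and the rest to S3/Slack.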
@@ -0,0 +1,48 @@ +{ + "records": [ + { + "data": { + "message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"protected_branch.dismiss_stale_reviews\",\"data\":{\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}", + "@version": "1", + "@timestamp": "...", + "host": "10.1.1.1", + "port": 123, + "tags": [ + ], + "received_at": "...", + "timestamp": "...", + "logsource": "...", + "program": "github_audit" + }, + "description": "Disabling 'Dismiss stale pull request approvals' should trigger an alert.", + "log": "ghe:general", + "source": "prefix_cluster1_stream_alert_kinesis", + "service": "kinesis", + "trigger_rules": [ + "github_disable_dismiss_stale_pull_request_approvals" + ] + }, + { + "data": { + "message": "<190>May 22 12:05:54 foobar github_audit: 
{\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"something.different\",\"data\":{\"authorized_actors_only\":true,\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}", + "@version": "1", + "@timestamp": "...", + "host": "10.1.1.1", + "port": 123, + "tags": [ + ], + "received_at": "...", + "timestamp": "...", + "logsource": "...", + "program": "github_audit", + "pid": "1234" + }, + "description": "An unrelated Github log should not trigger an alert.", + "log": "ghe:general", + "source": "prefix_cluster1_stream_alert_kinesis", + "service": "kinesis", + "trigger_rules": [ + ] + } + ] +} diff --git a/tests/integration/rules/github/github_disable_protect_this_branch.json b/tests/integration/rules/github/github_disable_protect_this_branch.json new file mode 100644 index 000000000..3196804ef --- /dev/null +++ b/tests/integration/rules/github/github_disable_protect_this_branch.json 
@@ -0,0 +1,48 @@ +{ + "records": [ + { + "data": { + "message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"protected_branch.destroy\",\"data\":{\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}", + "@version": "1", + "@timestamp": "...", + "host": "10.1.1.1", + "port": 123, + "tags": [ + ], + "received_at": "...", + "timestamp": "...", + "logsource": "...", + "program": "github_audit" + }, + "description": "Disabling Github branch protections should trigger an alert.", + "log": "ghe:general", + "source": "prefix_cluster1_stream_alert_kinesis", + "service": "kinesis", + "trigger_rules": [ + "github_disable_protect_this_branch" + ] + }, + { + "data": { + "message": "<190>May 22 12:05:54 foobar github_audit: 
{\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"something.different\",\"data\":{\"authorized_actors_only\":true,\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}", + "@version": "1", + "@timestamp": "...", + "host": "10.1.1.1", + "port": 123, + "tags": [ + ], + "received_at": "...", + "timestamp": "...", + "logsource": "...", + "program": "github_audit", + "pid": "1234" + }, + "description": "An unrelated Github log should not trigger an alert.", + "log": "ghe:general", + "source": "prefix_cluster1_stream_alert_kinesis", + "service": "kinesis", + "trigger_rules": [ + ] + } + ] +} diff --git a/tests/integration/rules/github/github_disable_required_pull_request_reviews.json b/tests/integration/rules/github/github_disable_required_pull_request_reviews.json new file mode 100644 index 000000000..766621003 --- /dev/null +++ b/tests/integration/rules/github/github_disable_required_pull_request_reviews.json 
@@ -0,0 +1,48 @@ +{ + "records": [ + { + "data": { + "message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"protected_branch.dismissal_restricted_users_teams\",\"data\":{\"authorized_actors_only\":true,\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}", + "@version": "1", + "@timestamp": "...", + "host": "10.1.1.1", + "port": 123, + "tags": [ + ], + "received_at": "...", + "timestamp": "...", + "logsource": "...", + "program": "github_audit" + }, + "description": "Disabling Required Pull Request reviews should trigger an alert.", + "log": "ghe:general", + "source": "prefix_cluster1_stream_alert_kinesis", + "service": "kinesis", + "trigger_rules": [ + "github_disable_required_pull_request_reviews" + ] + }, + { + "data": { + "message": "<190>May 22 12:05:54 foobar github_audit: 
{\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"something.different\",\"data\":{\"authorized_actors_only\":true,\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}", + "@version": "1", + "@timestamp": "...", + "host": "10.1.1.1", + "port": 123, + "tags": [ + ], + "received_at": "...", + "timestamp": "...", + "logsource": "...", + "program": "github_audit", + "pid": "1234" + }, + "description": "An unrelated Github log should not trigger an alert.", + "log": "ghe:general", + "source": "prefix_cluster1_stream_alert_kinesis", + "service": "kinesis", + "trigger_rules": [ + ] + } + ] +} diff --git a/tests/integration/rules/github/github_disable_org_two_factor_requirement.json b/tests/integration/rules/github/github_disable_two_factor_requirement_org.json similarity index 90% rename from tests/integration/rules/github/github_disable_org_two_factor_requirement.json rename to tests/integration/rules/github/github_disable_two_factor_requirement_org.json index 35e460ffe..bcdeb3a25 100644 --- a/tests/integration/rules/github/github_disable_org_two_factor_requirement.json +++ b/tests/integration/rules/github/github_disable_two_factor_requirement_org.json 
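Review bot: The negative record only varies `action` (`something.different`) and keeps `authorized_actors_only: true`, so neither the boolean conjunct nor the `actor_ignorelist` path is ever exercised by a non-triggering case. Add a record with `\"action\":\"protected_branch.dismissal_restricted_users_teams\"` and `\"authorized_actors_only\":false` under an empty `trigger_rules` so a regression in that check fails the integration run.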
@@ -16,11 +16,13 @@ ], "timestamp": "Sep 5 20:49:31" }, - "description": "Disabling the 2FA requirement on Github should create an alert.", + "description": "Disabling the 2FA requirement on a Github org should create an alert.", "log": "ghe:general", "source": "prefix_cluster1_stream_alert_kinesis", "service": "kinesis", - "trigger_rules": ["github_disable_org_two_factor_requirement"] + "trigger_rules": [ + "github_disable_two_factor_requirement_org" + ] }, { "data": { @@ -38,7 +40,7 @@ ], "timestamp": "Sep 5 20:49:31" }, - "description": "Enabling the 2FA requirement on Github should not create an alert.", + "description": "Enabling the 2FA requirement on a Github org should not create an alert.", "log": "ghe:general", "source": "prefix_cluster1_stream_alert_kinesis", "service": "kinesis", diff --git a/tests/integration/rules/github/github_disable_two_factor_requirement_user.json b/tests/integration/rules/github/github_disable_two_factor_requirement_user.json new file mode 100644 index 000000000..207fbf4ed --- /dev/null +++ b/tests/integration/rules/github/github_disable_two_factor_requirement_user.json 
@@ -0,0 +1,50 @@ +{ + "records": [ + { + "data": { + "@timestamp": "2017-09-06T03:49:31.600Z", + "@version": 1, + "host": "192.168.1.1", + "logsource": "...", + "message": "<190>Sep 5 20:49:31 ... github_audit: {\"actor_ip\":\"...\",\"from\":\"...\",\"actor\":\"...\",\"actor_id\":123,\"created_at\":123,\"org\":\"foobar\",\"org_id\":123,\"action\":\"two_factor_authentication.disabled\",\"data\":{\"current_tenant_id\":1,\"tenant_fail_safe\":false,\"dbconn\":\"github@foo/github_enterprise\",\"newsies_dbconn\":\"github@foo/github_enterprise\",\"method\":\"PUT\",\"request_id\":\"...\",\"server_id\":\"...\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"orgs\",\"identity\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"region\":\"CA\",\"region_name\":\"California\",\"city\":\"San Francisco\",\"postal_code\":\"12345\",\"location\":{\"lat\":11.1111,\"lon\":-111.1111}},\"_document_id\":\"123\"}}", + "pid": 0, + "port": 123, + "program": "github_audit", + "received_at": "...", + "tags": [ + "..." + ], + "timestamp": "Sep 5 20:49:31" + }, + "description": "Disabling 2FA for a Github user should create an alert.", + "log": "ghe:general", + "source": "prefix_cluster1_stream_alert_kinesis", + "service": "kinesis", + "trigger_rules": [ + "github_disable_two_factor_requirement_user" + ] + }, + { + "data": { + "@timestamp": "2017-09-06T03:49:31.600Z", + "@version": 1, + "host": "192.168.1.1", + "logsource": "...", + "message": "<190>Sep 5 20:49:31 ... 
github_audit: {\"actor_ip\":\"...\",\"from\":\"...\",\"actor\":\"...\",\"actor_id\":123,\"created_at\":123,\"org\":\"foobar\",\"org_id\":123,\"action\":\"two_factor_authentication.enabled\",\"data\":{\"current_tenant_id\":1,\"tenant_fail_safe\":false,\"dbconn\":\"github@foo/github_enterprise\",\"newsies_dbconn\":\"github@foo/github_enterprise\",\"method\":\"PUT\",\"request_id\":\"...\",\"server_id\":\"...\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"orgs\",\"identity\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"region\":\"CA\",\"region_name\":\"California\",\"city\":\"San Francisco\",\"postal_code\":\"12345\",\"location\":{\"lat\":11.1111,\"lon\":-111.1111}},\"_document_id\":\"123\"}}", + "pid": 0, + "port": 123, + "program": "github_audit", + "received_at": "...", + "tags": [ + "..." + ], + "timestamp": "Sep 5 20:49:31" + }, + "description": "Enabling 2FA for a Github should not create an alert.", + "log": "ghe:general", + "source": "prefix_cluster1_stream_alert_kinesis", + "service": "kinesis", + "trigger_rules": [] + } + ] +} diff --git a/tests/integration/rules/github/github_site_admin_action.json b/tests/integration/rules/github/github_site_admin_action.json new file mode 100644 index 000000000..10a94bd1b --- /dev/null +++ b/tests/integration/rules/github/github_site_admin_action.json 
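Review bot: The second record's description reads `Enabling 2FA for a Github should not create an alert.` — the word 'user' is missing; `Enabling 2FA for a Github user should not create an alert.` Both records also carry `org`/`org_id` and `areas_of_responsibility: [\"orgs\",\"identity\"]`, which look copied from the org-level 2FA fixture; if a real user-level event has a different shape (for instance a `user` field), the fixture should reflect it so the parser path tested is the one production runs.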
@@ -0,0 +1,47 @@ +{ + "records": [ + { + "data": { + "message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"staff.fake_user\",\"data\":{\"current_tenant_id\":1,\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"https://git.server.com/...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}", + "@version": "1", + "@timestamp": "...", + "host": "10.1.1.1", + "port": 123, + "tags": [ + ], + "received_at": "...", + "timestamp": "...", + "logsource": "...", + "program": "github_audit" + }, + "description": "A site admin action should trigger an alert.", + "log": "ghe:general", + "source": "prefix_cluster1_stream_alert_kinesis", + "service": "kinesis", + "trigger_rules": [ + "github_site_admin_action" + ] + }, + { + "data": { + "message": "<22>May 22 14:10:28 random", + "@version": "1", + "@timestamp": "...", + "host": "10.1.1.1", + "port": 123, + "tags": [ + ], + "received_at": "...", + "timestamp": "...", + "logsource": "...", + "program": "github_audit", + "pid": "1234" + }, + "description": "An unrelated Github log should not trigger an alert.", + "log": "ghe:general", + "source": "prefix_cluster1_stream_alert_kinesis", + "service": "kinesis", + "trigger_rules": [] + } + ] +} 
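Review bot: The negative record's message is `<22>May 22 14:10:28 random` with no `github_audit:` JSON payload, so it most likely fails `ghe:general` parsing and never reaches the rule, proving nothing about the `startswith('staff.')` false branch. A well-formed payload with a non-staff action such as `\"action\":\"repo.create\"` would exercise the rule itself; the same fixture shape is reused in the oauth_application_create test and has the same gap.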
diff --git a/tests/integration/rules/github/github_user_promotion_to_site_admin.json b/tests/integration/rules/github/github_site_admin_user_promotion.json similarity index 88% rename from tests/integration/rules/github/github_user_promotion_to_site_admin.json rename to tests/integration/rules/github/github_site_admin_user_promotion.json index d08e32f1e..547f1bce4 100644 --- a/tests/integration/rules/github/github_user_promotion_to_site_admin.json +++ b/tests/integration/rules/github/github_site_admin_user_promotion.json @@ -14,11 +14,13 @@ "logsource": "...", "program": "github_audit" }, - "description": "A GHE user promoted to site admin should trigger an alert", + "description": "A Github user promoted to site admin should trigger an alert.", "log": "ghe:general", "source": "prefix_cluster1_stream_alert_kinesis", "service": "kinesis", - "trigger_rules": ["github_user_promotion_to_site_admin"] + "trigger_rules": [ + "github_site_admin_user_promotion" + ] }, { "data": { @@ -35,7 +37,7 @@ "program": "github_audit", "pid": "1234" }, - "description": "An unrelated GHE log should not trigger an alert", + "description": "An unrelated Github log should not trigger an alert.", "log": "ghe:general", "source": "prefix_cluster1_stream_alert_kinesis", "service": "kinesis", From 10cd3fd5444344ec0b22480b827904ac669690bb Mon Sep 17 00:00:00 2001 From: x Date: Thu, 26 Oct 2017 23:34:07 -0700 Subject: [PATCH 2/3] one more rule --- .../github/github_oauth_application_create.py | 17 +++++++ .../github_oauth_application_create.json | 47 +++++++++++++++++++ 2 files changed, 64 insertions(+) create mode 100644 rules/community/github/github_oauth_application_create.py create mode 100644 tests/integration/rules/github/github_oauth_application_create.json diff --git a/rules/community/github/github_oauth_application_create.py b/rules/community/github/github_oauth_application_create.py new file mode 100644 index 000000000..0e8401500 --- /dev/null 
+++ b/rules/community/github/github_oauth_application_create.py @@ -0,0 +1,17 @@ +"""An OAuth application was registered within Github.""" +from stream_alert.rule_processor.rules_engine import StreamRules + +rule = StreamRules.rule + +@rule(logs=['ghe:general'], + outputs=['aws-s3:sample-bucket', + 'pagerduty:sample-integration', + 'slack:sample-channel']) +def github_oauth_application_create(rec): + """ + author: @mimeframe + description: An OAuth application was registered within Github. + reference: https://developer.github.com + /apps/building-integrations/setting-up-and-registering-oauth-apps/ + """ + return rec['action'] == 'oauth_application.create' diff --git a/tests/integration/rules/github/github_oauth_application_create.json b/tests/integration/rules/github/github_oauth_application_create.json new file mode 100644 index 000000000..1d32d8013 --- /dev/null +++ b/tests/integration/rules/github/github_oauth_application_create.json 
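Review bot: The docstring says only that an OAuth application was registered, not why it pages: a new OAuth app holds a long-lived client secret and can be granted repo or org scopes by any user who authorizes it, which is what a responder needs in order to triage. A sentence such as `Review the app owner, callback URL and requested scopes; an unexpected registration may be an integration nobody approved.` would do. Unlike `github_disable_required_pull_request_reviews` there is no actor ignorelist here, so a service account that registers apps routinely will page every time — consider the same mechanism if that applies to your org.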
@@ -0,0 +1,47 @@ +{ + "records": [ + { + "data": { + "message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"oauth_application.create\",\"data\":{\"current_tenant_id\":1,\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"https://git.server.com/...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}", + "@version": "1", + "@timestamp": "...", + "host": "10.1.1.1", + "port": 123, + "tags": [ + ], + "received_at": "...", + "timestamp": "...", + "logsource": "...", + "program": "github_audit" + }, + "description": "An OAuth application was registered and should trigger an alert.", + "log": "ghe:general", + "source": "prefix_cluster1_stream_alert_kinesis", + "service": "kinesis", + "trigger_rules": [ + "github_oauth_application_create" + ] + }, + { + "data": { + "message": "<22>May 22 14:10:28 random", + "@version": "1", + "@timestamp": "...", + "host": "10.1.1.1", + "port": 123, + "tags": [ + ], + "received_at": "...", + "timestamp": "...", + "logsource": "...", + "program": "github_audit", + "pid": "1234" + }, + "description": "An unrelated Github log should not trigger an alert.", + "log": "ghe:general", + "source": "prefix_cluster1_stream_alert_kinesis", + "service": "kinesis", + "trigger_rules": [] + } + ] +} From e26d20b7afb77412538d1c33686e8be78fe30c46 Mon Sep 17 00:00:00 2001 
From: x Date: Thu, 26 Oct 2017 23:44:57 -0700 Subject: [PATCH 3/3] is True fix for CI --- .../github/github_disable_required_pull_request_reviews.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/community/github/github_disable_required_pull_request_reviews.py b/rules/community/github/github_disable_required_pull_request_reviews.py index 700a0f56b..0c780b779 100644 --- a/rules/community/github/github_disable_required_pull_request_reviews.py +++ b/rules/community/github/github_disable_required_pull_request_reviews.py @@ -24,6 +24,6 @@ def github_disable_required_pull_request_reviews(rec): } return ( rec['action'] == 'protected_branch.dismissal_restricted_users_teams' and - rec['data'].get('authorized_actors_only') == True and + rec['data'].get('authorized_actors_only') is True and not in_set(rec['actor'], actor_ignorelist) )