streamalert - rules - github - 5 new rules and some cleanup

rules/community/github/github_disable_dismiss_stale_pull_request_approvals.py

@@ -0,0 +1,21 @@
+"""Github setting 'Dismiss stale pull request approvals' was disabled for a repo."""
+from stream_alert.rule_processor.rules_engine import StreamRules
+
+rule = StreamRules.rule
+
+@rule(logs=['ghe:general'],
+      outputs=['aws-s3:sample-bucket',
+               'pagerduty:sample-integration',
+               'slack:sample-channel'])
+def github_disable_dismiss_stale_pull_request_approvals(rec):
+    """
+    author:       @mimeframe
+    description:  Setting 'Dismiss stale pull request approvals when new commits are pushed'
+                  was disabled. As a result, commits occurring after approval will not
+                  require approval.
+    repro_steps:  (a) Visit /<org>/<repo>/settings/branches/<branch>
+                  (b) Uncheck 'Dismiss stale pull request approvals when new commits are pushed'
+                  (c) Click 'Save Changes'
+    reference:    https://help.github.com/articles/configuring-protected-branches/
+    """
+    return rec['action'] == 'protected_branch.dismiss_stale_reviews'

rules/community/github/github_disable_protect_this_branch.py

@@ -0,0 +1,23 @@
+"""Github setting 'Protect this branch' was disabled for a repo."""
+from stream_alert.rule_processor.rules_engine import StreamRules
+
+rule = StreamRules.rule
+
+@rule(logs=['ghe:general'],
+      outputs=['aws-s3:sample-bucket',
+               'pagerduty:sample-integration',
+               'slack:sample-channel'])
+def github_disable_protect_this_branch(rec):
+    """
+    author:       @mimeframe
+    description:  Github setting 'Protect this branch' was disabled for a repo.
+                  When unchecking this top-level option, it also disables
+                  'Require pull request reviews before merging',
+                  'Require review from Code Owners', and all other branch protections
+                  like status checks.
+    repro_steps:  (a) Visit /<org>/<repo>/settings/branches/<branch>
+                  (b) Uncheck 'Protect this branch'
+                  (c) Click 'Save Changes'
+    reference:    https://help.github.com/articles/configuring-protected-branches/
+    """
+    return rec['action'] == 'protected_branch.destroy'

rules/community/github/github_disable_required_pull_request_reviews.py

@@ -0,0 +1,29 @@
+"""Github 'Require pull request reviews before merging' was disabled for a repo."""
+from helpers.base import in_set
+from stream_alert.rule_processor.rules_engine import StreamRules
+
+rule = StreamRules.rule
+
+@rule(logs=['ghe:general'],
+      outputs=['aws-s3:sample-bucket',
+               'pagerduty:sample-integration',
+               'slack:sample-channel'])
+def github_disable_required_pull_request_reviews(rec):
+    """
+    author:       @mimeframe
+    description:  Setting 'Require pull request reviews before merging' was disabled.
+                  When enabled, all commits must be made to a non-protected branch
+                  and submitted via a pull request with at least one approved review
+                  and no changes requested before it can be merged into master.
+    repro_steps:  (a) Visit /<org>/<repo>/settings/branches/<branch>
+                  (b) Uncheck 'Require pull request reviews before merging'
+                  (c) Click 'Save Changes'
+    reference:    https://help.github.com/articles/enabling-required-reviews-for-pull-requests/
+    """
+    actor_ignorelist = {
+    }
+    return (
+        rec['action'] == 'protected_branch.dismissal_restricted_users_teams' and
+        rec['data'].get('authorized_actors_only') is True and
+        not in_set(rec['actor'], actor_ignorelist)
+    )

rules/community/github/github_disable_required_status_checks.py

@@ -12,9 +12,15 @@ def github_disable_required_status_checks(rec):
     author:       @mimeframe
     description:  The 'required status checks' feature was disabled for a repository.
                   Settings -> Branches -> Protected Branches -> <choose a branch>
+    repro_steps:  (a) Choose a repository
+                  (b) Click Settings -> Branches -> Protected Branches -> <branch>
+                  (c) Uncheck 'Require status checks to pass before merging'
     reference:    https://help.github.com/articles/enabling-required-status-checks/
     """
     return (
         rec['action'] == 'protected_branch.update_required_status_checks_enforcement_level' and
+        # 0 => unchecked
+        # 1 => enabled for users
+        # 2 => enabled for users and admins ('Include administrators')
         rec['data'].get('required_status_checks_enforcement_level') == 0
     )

rules/community/github/github_disable_org_two_factor_requirement.py → rules/community/github/github_disable_two_factor_requirement_org.py

@@ -1,4 +1,4 @@
-"""Github two-factor authentication requirement was disabled."""
+"""Github two-factor authentication requirement was disabled for an org."""
 from stream_alert.rule_processor.rules_engine import StreamRules
 
 rule = StreamRules.rule
@@ -7,10 +7,13 @@
       outputs=['aws-s3:sample-bucket',
                'pagerduty:sample-integration',
                'slack:sample-channel'])
-def github_disable_org_two_factor_requirement(rec):
+def github_disable_two_factor_requirement_org(rec):
     """
     author:       @mimeframe
-    description:  Two-factor authentication requirement was disabled.
+    description:  Two-factor authentication requirement was disabled for an org.
+    repro_steps:  (a) Visit /organizations/<org>/settings/security
+                  (b) Uncheck 'Require two-factor authentication...'
+                  (c) Click 'Save'
     reference:    https://help.github.com/
                   articles/requiring-two-factor-authentication-in-your-organization/
     """

rules/community/github/github_disable_two_factor_requirement_user.py

@@ -0,0 +1,17 @@
+"""Github two-factor authentication requirement was disabled for a user."""
+from stream_alert.rule_processor.rules_engine import StreamRules
+
+rule = StreamRules.rule
+
+@rule(logs=['ghe:general'],
+      outputs=['aws-s3:sample-bucket',
+               'pagerduty:sample-integration',
+               'slack:sample-channel'])
+def github_disable_two_factor_requirement_user(rec):
+    """
+    author:       @mimeframe
+    description:  Two-factor authentication requirement was disabled for a user.
+    repro_steps:  (a) Visit /settings/two_factor_authentication/configure
+    reference:    https://help.github.com/enterprise/2.11/admin/articles/audited-actions/
+    """
+    return rec['action'] == 'two_factor_authentication.disabled'

rules/community/github/github_oauth_application_create.py

@@ -0,0 +1,17 @@
+"""An OAuth application was registered within Github."""
+from stream_alert.rule_processor.rules_engine import StreamRules
+
+rule = StreamRules.rule
+
+@rule(logs=['ghe:general'],
+      outputs=['aws-s3:sample-bucket',
+               'pagerduty:sample-integration',
+               'slack:sample-channel'])
+def github_oauth_application_create(rec):
+    """
+    author:       @mimeframe
+    description:  An OAuth application was registered within Github.
+    reference:    https://developer.github.com
+                  /apps/building-integrations/setting-up-and-registering-oauth-apps/
+    """
+    return rec['action'] == 'oauth_application.create'

rules/community/github/github_site_admin_action.py

@@ -0,0 +1,18 @@
+"""A Github site admin tool/action was used."""
+from stream_alert.rule_processor.rules_engine import StreamRules
+
+rule = StreamRules.rule
+
+@rule(logs=['ghe:general'],
+      outputs=['aws-s3:sample-bucket',
+               'pagerduty:sample-integration',
+               'slack:sample-channel'])
+def github_site_admin_action(rec):
+    """
+    author:       @mimeframe
+    description:  A Github site admin tool/action was used.
+                  Example: 'staff.fake_login'
+                   "A site admin signed into GitHub Enterprise as another user.""
+    reference:    https://help.github.com/enterprise/2.11/admin/articles/audited-actions/
+    """
+    return rec['action'].startswith('staff.')

rules/community/github/github_user_promotion_to_site_admin.py → rules/community/github/github_site_admin_user_promotion.py

@@ -7,7 +7,7 @@
       outputs=['aws-s3:sample-bucket',
                'pagerduty:sample-integration',
                'slack:sample-channel'])
-def github_user_promotion_to_site_admin(rec):
+def github_site_admin_user_promotion(rec):
     """
     author:       @fusionrace, @mimeframe
     description:  Alert when a Github Enterprise user account is promoted to a

tests/integration/rules/github/github_disable_dismiss_stale_pull_request_approvals.json

@@ -0,0 +1,48 @@
+{
+  "records": [
+    {
+      "data": {
+        "message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"protected_branch.dismiss_stale_reviews\",\"data\":{\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}",
+        "@version": "1",
+        "@timestamp": "...",
+        "host": "10.1.1.1",
+        "port": 123,
+        "tags": [
+        ],
+        "received_at": "...",
+        "timestamp": "...",
+        "logsource": "...",
+        "program": "github_audit"
+      },
+      "description": "Disabling 'Dismiss stale pull request approvals' should trigger an alert.",
+      "log": "ghe:general",
+      "source": "prefix_cluster1_stream_alert_kinesis",
+      "service": "kinesis",
+      "trigger_rules": [
+        "github_disable_dismiss_stale_pull_request_approvals"
+      ]
+    },
+    {
+      "data": {
+        "message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"something.different\",\"data\":{\"authorized_actors_only\":true,\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}",
+        "@version": "1",
+        "@timestamp": "...",
+        "host": "10.1.1.1",
+        "port": 123,
+        "tags": [
+        ],
+        "received_at": "...",
+        "timestamp": "...",
+        "logsource": "...",
+        "program": "github_audit",
+        "pid": "1234"
+      },
+      "description": "An unrelated Github log should not trigger an alert.",
+      "log": "ghe:general",
+      "source": "prefix_cluster1_stream_alert_kinesis",
+      "service": "kinesis",
+      "trigger_rules": [
+      ]
+    }
+  ]
+}

tests/integration/rules/github/github_disable_protect_this_branch.json

@@ -0,0 +1,48 @@
+{
+  "records": [
+    {
+      "data": {
+        "message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"protected_branch.destroy\",\"data\":{\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}",
+        "@version": "1",
+        "@timestamp": "...",
+        "host": "10.1.1.1",
+        "port": 123,
+        "tags": [
+        ],
+        "received_at": "...",
+        "timestamp": "...",
+        "logsource": "...",
+        "program": "github_audit"
+      },
+      "description": "Disabling Github branch protections should trigger an alert.",
+      "log": "ghe:general",
+      "source": "prefix_cluster1_stream_alert_kinesis",
+      "service": "kinesis",
+      "trigger_rules": [
+        "github_disable_protect_this_branch"
+      ]
+    },
+    {
+      "data": {
+        "message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"something.different\",\"data\":{\"authorized_actors_only\":true,\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}",
+        "@version": "1",
+        "@timestamp": "...",
+        "host": "10.1.1.1",
+        "port": 123,
+        "tags": [
+        ],
+        "received_at": "...",
+        "timestamp": "...",
+        "logsource": "...",
+        "program": "github_audit",
+        "pid": "1234"
+      },
+      "description": "An unrelated Github log should not trigger an alert.",
+      "log": "ghe:general",
+      "source": "prefix_cluster1_stream_alert_kinesis",
+      "service": "kinesis",
+      "trigger_rules": [
+      ]
+    }
+  ]
+}

tests/integration/rules/github/github_disable_required_pull_request_reviews.json

@@ -0,0 +1,48 @@
+{
+  "records": [
+    {
+      "data": {
+        "message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"protected_branch.dismissal_restricted_users_teams\",\"data\":{\"authorized_actors_only\":true,\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}",
+        "@version": "1",
+        "@timestamp": "...",
+        "host": "10.1.1.1",
+        "port": 123,
+        "tags": [
+        ],
+        "received_at": "...",
+        "timestamp": "...",
+        "logsource": "...",
+        "program": "github_audit"
+      },
+      "description": "Disabling Required Pull Request reviews should trigger an alert.",
+      "log": "ghe:general",
+      "source": "prefix_cluster1_stream_alert_kinesis",
+      "service": "kinesis",
+      "trigger_rules": [
+        "github_disable_required_pull_request_reviews"
+      ]
+    },
+    {
+      "data": {
+        "message": "<190>May 22 12:05:54 foobar github_audit: {\"actor_ip\":\"1.1.1.1\",\"from\":\"...\",\"actor\":\"bob\",\"actor_id\":123,\"created_at\":1495479954312,\"org_id\":[1,2013],\"user\":\"sally\",\"user_id\":1234,\"action\":\"something.different\",\"data\":{\"authorized_actors_only\":true,\"tenant_fail_safe\":false,\"dbconn\":\"foo@bar/github_enterprise\",\"newsies_dbconn\":\"foo@bar/github_enterprise\",\"method\":\"POST\",\"request_id\":\"00000000-0000-0000-0000-000000000000\",\"server_id\":\"00000000-0000-0000-0000-000000000000\",\"url\":\"...\",\"actor_session\":123,\"areas_of_responsibility\":[\"foo\",\"bar\",\"baz\"],\"actor_location\":{\"country_code\":\"US\",\"country_name\":\"United States\",\"location\":{\"lat\":123.0,\"lon\":-123.0}},\"reason\":\"testing\",\"_document_id\":\"0000000000000000000000\"}}",
+        "@version": "1",
+        "@timestamp": "...",
+        "host": "10.1.1.1",
+        "port": 123,
+        "tags": [
+        ],
+        "received_at": "...",
+        "timestamp": "...",
+        "logsource": "...",
+        "program": "github_audit",
+        "pid": "1234"
+      },
+      "description": "An unrelated Github log should not trigger an alert.",
+      "log": "ghe:general",
+      "source": "prefix_cluster1_stream_alert_kinesis",
+      "service": "kinesis",
+      "trigger_rules": [
+      ]
+    }
+  ]
+}

tests/integration/rules/github/github_disable_org_two_factor_requirement.json → tests/integration/rules/github/github_disable_two_factor_requirement_org.json

@@ -16,11 +16,13 @@
                 ],
                 "timestamp": "Sep 5 20:49:31"
             },
-            "description": "Disabling the 2FA requirement on Github should create an alert.",
+            "description": "Disabling the 2FA requirement on a Github org should create an alert.",
             "log": "ghe:general",
             "source": "prefix_cluster1_stream_alert_kinesis",
             "service": "kinesis",
-            "trigger_rules": ["github_disable_org_two_factor_requirement"]
+            "trigger_rules": [
+              "github_disable_two_factor_requirement_org"
+            ]
         },
         {
             "data": {
@@ -38,7 +40,7 @@
                 ],
                 "timestamp": "Sep 5 20:49:31"
             },
-            "description": "Enabling the 2FA requirement on Github should not create an alert.",
+            "description": "Enabling the 2FA requirement on a Github org should not create an alert.",
             "log": "ghe:general",
             "source": "prefix_cluster1_stream_alert_kinesis",
             "service": "kinesis",