outliers 0.3.1 → 0.3.2
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/README.md +44 -127
- data/lib/outliers/cli.rb +2 -0
- data/lib/outliers/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: cc2b914a568b6654d252e80ef96d0162c3536393
|
4
|
+
data.tar.gz: 626bcaff7440abf632528dfedb7343b11d7176bd
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: f93aedb4217b62eae64e9c3a29fed3f6cf24d7ec9504ab0dd463404eed9b90b09a1d74e2ee44b7449e96cf00ddd2a14a94c497d0e7a46eaccc76e022477f555d
|
7
|
+
data.tar.gz: be47e5e6bfa238b2863424316899c0b6c3670a601724ca2f305725234aa99e862e4170bfa62082d41109d40cec87c733d72ff05c27dc94808d05494a8ae6f641
|
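Review bot: the old-side digests are missing from this rendering (the `-` lines show bare `metadata.gz:` and `data.tar.gz:` keys), so the hunk only documents the new SHA1/SHA512 values, not what they replaced. A changed digest is expected here, since checksums.yaml is regenerated from the packed archives every time the gem is built and this release touches README, CLI and version; what it does not provide is protection against a tampered upload, because the digests travel inside the same .gem they describe. Confirm the published artifact by fetching `outliers-0.3.2.gem` and recomputing the SHA512 of its `data.tar.gz` against `be47e5e6bfa238b2...`, and treat the SHA1 entries as legacy rather than as an independent check, since SHA1 is collision-prone.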
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
@@ -2,16 +2,20 @@
|
|
2
2
|
|
3
3
|
# Outliers
|
4
4
|
|
5
|
-
|
5
|
+
A framework to detect misconfigurations (Outliers).
|
6
6
|
|
7
7
|
## Overview
|
8
8
|
|
9
|
-
|
10
|
-
|
11
|
-
*
|
12
|
-
*
|
13
|
-
*
|
14
|
-
* Those not passing
|
9
|
+
To detect misconfigurations at scale, Outliers provides a framework for performing complex evaluations:
|
10
|
+
|
11
|
+
* Applications rely on **resources** delivered from multiple **providers** (EC2, S3, etc).
|
12
|
+
* Resource configuration can be evaluated against specific **verifications** (Instance launched from given AMI, S3 bucket contains no public objects, etc).
|
13
|
+
* Verifications can be performed against a subset of resources based on a **filter**.
|
14
|
+
* Those not passing verification, are flagged as Outliers.
|
15
|
+
|
16
|
+
Evalutions are read from from files ending with **.rb** within a target directory.
|
17
|
+
|
18
|
+
Multiple evaluations can be specified in a file, with multiple files in directory.
|
15
19
|
|
16
20
|
## Requirements
|
17
21
|
|
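Review bot: the added line `Evalutions are read from from files ending with **.rb** within a target directory.` has a misspelling and a duplicated word; it should read `Evaluations are read from files ending with **.rb** within a target directory.` The next added line, `Multiple evaluations can be specified in a file, with multiple files in directory.`, reads better as `with multiple files per directory`, and the bullet `Those not passing verification, are flagged as Outliers.` has a stray comma before `are`. Otherwise the rewritten Overview (providers, resources, verifications, filters, Outliers) is clearer than the bullet fragments it replaces.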
@@ -23,44 +27,27 @@ Install the gem:
|
|
23
27
|
|
24
28
|
gem install outliers
|
25
29
|
|
26
|
-
##
|
27
|
-
|
28
|
-
**Currently Outliers only supports AWS**
|
30
|
+
## Getting Started
|
29
31
|
|
30
32
|
Create **~/outliers.yml** with a list of credentials in the following format:
|
31
33
|
|
32
34
|
credential_name:
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
Multiple accounts can be specified, to add a prod and preprod AWS account:
|
35
|
+
region: AWS_REGION
|
36
|
+
access_key_id: AWS_ACCESS_ID
|
37
|
+
secret_access_key: AWS_SECRET_KEY
|
37
38
|
|
38
|
-
|
39
|
-
region: us-east-1
|
40
|
-
access_key_id: YYY
|
41
|
-
secret_access_key: XXX
|
39
|
+
For example:
|
42
40
|
|
43
41
|
aws_prod:
|
44
42
|
region: us-east-1
|
45
|
-
access_key_id:
|
46
|
-
secret_access_key:
|
47
|
-
|
48
|
-
Depending on the provider, different keys and values are required.
|
43
|
+
access_key_id: abcd1234abcd1234abcd
|
44
|
+
secret_access_key: abcd1234abcd1234abcdabcd1234abcd1234abcd
|
49
45
|
|
50
|
-
|
46
|
+
Outliers provides a DSL which can be used to build up a comprehensive list of evaluations. Create a directory to store your evaluations.
|
51
47
|
|
52
|
-
|
48
|
+
mkdir ~/outliers
|
53
49
|
|
54
|
-
|
55
|
-
* Evalutions are read from from files within the directory.
|
56
|
-
* All files ending in **.rb** will be processed.
|
57
|
-
* Each file can have one or more evaluation blocks.
|
58
|
-
|
59
|
-
To process a directory:
|
60
|
-
|
61
|
-
outliers process -d /home/user/outliers
|
62
|
-
|
63
|
-
To verify all instances are in a VPC, create the file **ec2.rb** and add the following block:
|
50
|
+
To verify all instances are in a VPC, create a file **ec2.rb** in **~/outliers** containing:
|
64
51
|
|
65
52
|
evaluate do
|
66
53
|
connect 'aws_prod', provider: 'aws_ec2'
|
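Review bot: the Getting Started section now tells readers to put a long-lived AWS `secret_access_key` in plaintext in `~/outliers.yml` without a word about protecting it; add a sentence recommending `chmod 600 ~/outliers.yml` and issuing the key from a read-only IAM user or role rather than an admin account, since every verification shown in this README (instance in a VPC, running, valid image id, backup retention period) only needs describe/list permissions. Two smaller points: the hunk drops the `**Currently Outliers only supports AWS**` note and the `Depending on the provider, different keys and values are required.` sentence, so the README no longer says which providers exist or that the `region` / `access_key_id` / `secret_access_key` keys are AWS-specific; and the template `region: AWS_REGION` should say these tokens are to be replaced, so they are not mistaken for environment variable names. The example values `abcd1234abcd1234abcd` and `abcd1234abcd1234abcdabcd1234abcd1234abcd` are clearly placeholders, which is the right choice.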
@@ -68,104 +55,34 @@ To verify all instances are in a VPC, create the file **ec2.rb** and add the fol
|
|
68
55
|
verify 'vpc'
|
69
56
|
end
|
70
57
|
|
71
|
-
|
58
|
+
Run outliers against the directory:
|
72
59
|
|
73
|
-
|
74
|
-
connect 'aws_prod', provider: 'aws_ec2'
|
75
|
-
resources 'instance'
|
76
|
-
verify 'vpc'
|
77
|
-
end
|
78
|
-
|
79
|
-
evaluate do
|
80
|
-
connect 'aws_prod', provider: 'aws_ec2', region: 'us-west-1'
|
81
|
-
resources 'instance'
|
82
|
-
verify 'vpc'
|
83
|
-
end
|
84
|
-
|
85
|
-
The DSL supports any valid Ruby code. To iterate over multiple regions:
|
60
|
+
outliers process -d ~/outliers
|
86
61
|
|
87
|
-
|
88
|
-
evaluate do
|
89
|
-
connect 'aws_prod', provider: 'aws_ec2', region: region
|
90
|
-
resources 'instance'
|
91
|
-
verify 'vpc'
|
92
|
-
end
|
93
|
-
end
|
94
|
-
|
95
|
-
Evaluations can run multiple verifications. To validate instances are in a VPC, running and using a valid image:
|
96
|
-
|
97
|
-
evaluate do
|
98
|
-
connect 'aws_prod', provider: 'aws_ec2', region: 'us-west-1'
|
99
|
-
resources 'instance'
|
100
|
-
verify 'vpc'
|
101
|
-
verify 'running'
|
102
|
-
verify 'valid_image_id', image_ids: ['ami-12345678','ami-87654321']
|
103
|
-
end
|
62
|
+
Sample Output:
|
104
63
|
|
105
|
-
|
64
|
+
I, [2013-09-24T09:42:39.925400 #4940] INFO -- : Processing '~/outliers/ec2.rb'.
|
65
|
+
I, [2013-09-24T09:42:39.925657 #4940] INFO -- : Connecting via 'aws_prod' to 'aws_ec2'.
|
66
|
+
I, [2013-09-24T09:42:39.925703 #4940] INFO -- : Including connection options 'provider=aws_ec2,region=us-east-1'.
|
67
|
+
I, [2013-09-24T09:42:39.928945 #4940] INFO -- : Loading 'instance' resource collection.
|
68
|
+
D, [2013-09-24T09:42:39.929015 #4940] DEBUG -- : Connecting to region 'us-east-1'.
|
69
|
+
I, [2013-09-24T09:42:41.192295 #4940] INFO -- : Verifying 'vpc?'.
|
70
|
+
D, [2013-09-24T09:42:41.192498 #4940] DEBUG -- : Target resources 'i-abcd0001, i-abcd0002, i-abcd0003, i-abcd0004'.
|
71
|
+
D, [2013-09-24T09:42:41.476478 #4940] DEBUG -- : Verification of resource 'i-abcd0001' passed.
|
72
|
+
D, [2013-09-24T09:42:42.025429 #4940] DEBUG -- : Verification of resource 'i-abcd0002' passed.
|
73
|
+
D, [2013-09-24T09:42:42.278990 #4940] DEBUG -- : Verification of resource 'i-abcd0003' passed.
|
74
|
+
D, [2013-09-24T09:42:44.803911 #4940] DEBUG -- : Verification of resource 'i-abcd0004' passed.
|
75
|
+
I, [2013-09-24T09:42:44.804036 #4940] INFO -- : Verification 'vpc?' passed.
|
76
|
+
I, [2013-09-24T09:42:44.804147 #4940] INFO -- : Evaluations completed.
|
77
|
+
I, [2013-09-24T09:42:44.804211 #4940] INFO -- : (0 evaluations failed, 1 evaluations passed.)
|
106
78
|
|
107
|
-
|
108
|
-
|
109
|
-
resources 'db_instance'
|
110
|
-
verify 'backup_retention_period', days: 2
|
111
|
-
end
|
112
|
-
|
113
|
-
To pass arguments to a verification:
|
114
|
-
|
115
|
-
evaluate do
|
116
|
-
connect 'aws_prod', provider: 'aws_rds', region: 'us-west-1'
|
117
|
-
resources 'db_instance'
|
118
|
-
verify 'backup_retention_period', days: 2
|
119
|
-
end
|
120
|
-
|
121
|
-
To pass multiple arguments, specify them as an array:
|
122
|
-
|
123
|
-
evaluate do
|
124
|
-
connect 'aws_prod', provider: 'aws_ec2', region: 'us-west-1'
|
125
|
-
resources 'instance'
|
126
|
-
verify 'valid_image_id', image_ids: ['ami-12345678','ami-87654321']
|
127
|
-
end
|
128
|
-
|
129
|
-
To only target a specific resource:
|
130
|
-
|
131
|
-
evaluate do
|
132
|
-
connect 'aws_prod', provider: 'aws_ec2', region: 'us-west-1'
|
133
|
-
resources 'instance', 'i-12345678'
|
134
|
-
verify 'valid_image_id', image_ids: ['ami-12345678','ami-87654321']
|
135
|
-
end
|
136
|
-
|
137
|
-
To target multiple resources, you can pass an array:
|
138
|
-
|
139
|
-
evaluate do
|
140
|
-
connect 'aws_prod', provider: 'aws_ec2', region: 'us-west-1'
|
141
|
-
resources 'instance', ['i-12345678', 'i-abcdef12']
|
142
|
-
verify 'valid_image_id', image_ids: ['ami-12345678','ami-87654321']
|
143
|
-
end
|
144
|
-
|
145
|
-
Sometimes you want to exclude resources that are known exceptions, to exclude an instance from the VPC validation:
|
146
|
-
|
147
|
-
evaluate do
|
148
|
-
connect 'aws_prod', provider: 'aws_ec2', region: 'us-west-1'
|
149
|
-
resources 'instance'
|
150
|
-
exclude 'i-12345678'
|
151
|
-
verify 'valid_image_id', image_ids: ['ami-12345678','ami-87654321']
|
152
|
-
end
|
153
|
-
|
154
|
-
Resources have attributes which can be used to filter target resources.
|
79
|
+
* Resources can be targeted or excluded by their ID (EC2 Instance ID, S3 Object Key, etc).
|
80
|
+
* Resources can be targeted or excluded by matching a filter (Instance has tag 'x' with value 'y').
|
155
81
|
|
156
|
-
|
82
|
+
## Examples
|
157
83
|
|
158
|
-
|
159
|
-
connect 'aws_prod', provider: 'aws_ec2', region: 'us-west-1'
|
160
|
-
resources 'instance'
|
161
|
-
filter tag: 'Name:web'
|
162
|
-
verify 'valid_image_id', image_ids: ['ami-12345678','ami-87654321']
|
163
|
-
end
|
84
|
+
See [examples](http://brettweavnet.github.io/outliers/examples) for a list of more advanced evaluations.
|
164
85
|
|
165
|
-
##
|
86
|
+
## References
|
166
87
|
|
167
|
-
|
168
|
-
2. Create your feature branch (`git checkout -b my-new-feature`)
|
169
|
-
3. Commit your changes (`git commit -am 'Add some feature'`)
|
170
|
-
4. Push to the branch (`git push origin my-new-feature`)
|
171
|
-
5. Create new Pull Request
|
88
|
+
See the [providers](http://brettweavnet.github.io/outliers/providers), [resources](http://brettweavnet.github.io/outliers/resources) and [filters](http://brettweavnet.github.io/outliers/filters) pages for additional documentation.
|
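Review bot: the sample output only shows a passing run, while the tool's whole purpose is the failing case, and the same hunk removes every inline example of `exclude`, `filter tag: 'Name:web'` and per-resource targeting in favour of links to `brettweavnet.github.io/outliers/...`; keep at least one failing sample (the log line for a resource that fails and the corresponding `(N evaluations failed, ...)` summary) so readers can see what an Outlier looks like and route it to alerting, and keep one `filter` / `exclude` example inline, since the external pages can go stale independently of the gem. The hunk also silently drops the Contributing steps (`2. Create your feature branch ...` through `5. Create new Pull Request`) together with their heading; confirm that was intended rather than lost in the rewrite. Minor: the output shows `Verifying 'vpc?'` while the DSL says `verify 'vpc'`; one sentence explaining the `?` suffix would avoid the apparent mismatch, and the summary line `1 evaluations passed` should pluralise correctly.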
data/lib/outliers/cli.rb
CHANGED
data/lib/outliers/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: outliers
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.3.
|
4
|
+
version: 0.3.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Brett Weaver
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2013-09-
|
11
|
+
date: 2013-09-28 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|
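Review bot: `cert_chain: []` is unchanged, so 0.3.2 ships unsigned like its predecessor; consider signing releases with `gem cert` so consumers can install with `gem install outliers -P HighSecurity` instead of relying on the in-archive checksums.yaml, which cannot detect a substituted package. The old-side lines are truncated in this rendering (`version: 0.3.` and `date: 2013-09-`), so the previous version and date cannot be confirmed from the hunk itself; the page title gives 0.3.1, and the new `date: 2013-09-28` is consistent with the 2013-09-24 timestamps in the README sample output.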