The config file is a single YAML file. Configuration may be specified via the --config-file option or the $SECURITY_CHECKER_CONF environment variable.
    regions:
      - type: openstack
        name: region1
        cacert: /etc/cacert.pem
        insecure: false
        credentials:
          auth_url: http://example.net:5000/
          username: admin
          password: admin
          tenant_name: admin
    elastic:
      hosts:
        - host: e1.example.com
          port: 9200
        - host: e2.example.com
          port: 9200
      use_ssl: true
      verify_certs: false
    plugins:
      - module: security.plugins.secgroup
        checkEveryMinutes: 1
        regions: ["region1"]
If your region requires SSL, the CCP config should have these additional fields:

    configs:
      elasticsearch:
        hosts:
          - host: e1.example.com
            port: 9200
          - host: e2.example.com
            port: 9200
          - host: e3.example.com
            port: 9200
      security:
        checker:
          regions:
            - type: openstack
              name: region1
              credentials:
                auth_url: http://example.net:5000/
                username: admin
                password: admin
                tenant_name: admin
              use_ssl: true
          plugins:
            - name: secgroup
              checkEveryMinutes: 1
              regions: ["region1"]
    files:
      region1-key.pem: /opt/key.pem

where the section under files holds mappings of the form <region_name>-key.pem: <key_path>.
    elastic:
      hosts:
        - host: e1.example.com
          port: 9200
        - host: e2.example.com
          port: 9200
      use_ssl: true
      verify_certs: false
    security-api --config-file /etc/config.yaml

Use security-api --help for more information.
    export SECURITY_CONF=/etc/config.yaml
    gunicorn security.wsgi:application

See the Flask documentation for more information.
    security-checker --config-file /etc/config.yaml

Use security-checker --help for more information.
A plugin should define a class named Plugin in its own module. This class should be a subclass of security.base.Plugin and must define a method discover(region), which should return a list of security.base.Issue instances. The plugin class should also define the attribute supported_region_types.
Example:

    from security import base


    class Plugin(base.Plugin):
        supported_region_types = {"dummy"}

        def discover(self, region):
            return [
                base.Issue("id-1", "Type1", "region1", "Sample issue"),
                base.Issue("id-2", "Type1", "region1", "Sample issue"),
            ]
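As an added example (not code from this project), here is a plugin in the same shape that actually detects something: it reports a SecurityGroupTooOpen issue, the type shown in the API section, for every security group with an ingress rule that allows any protocol and any port from 0.0.0.0/0 or ::/0. It assumes security.base provides Plugin and Issue(id, type, region, description) as described above, and, since the page does not document how a region exposes its security groups, uses a constructed sample list behind a placeholder fetch_groups() function; the stand-in classes are only used when security.base is not importable so the file runs on its own.

```python
try:
    from security import base
except ImportError:  # assumption: minimal stand-ins for security.base
    class _Base:
        class Plugin:
            supported_region_types = set()

        class Issue:
            def __init__(self, id, type, region, description):
                self.id, self.type = id, type
                self.region, self.description = region, description
    base = _Base()

# Constructed sample data; the real rule format is not documented on the page.
SAMPLE_GROUPS = [
    {"id": "sg-web", "rules": [
        {"direction": "ingress", "protocol": "tcp",
         "port_min": 443, "port_max": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-admin", "rules": [
        {"direction": "ingress", "protocol": None,
         "port_min": None, "port_max": None, "cidr": "0.0.0.0/0"},
        {"direction": "ingress", "protocol": "tcp",
         "port_min": 22, "port_max": 22, "cidr": "10.0.0.0/8"}]},
]


def fetch_groups(region):
    """Placeholder (assumption): return the security groups of a region."""
    return SAMPLE_GROUPS


def open_rules(groups):
    """Return (group_id, rule) for ingress rules open to the world on all ports."""
    found = []
    for group in groups:
        for rule in group["rules"]:
            if rule["direction"] != "ingress":
                continue
            if (rule["cidr"] in ("0.0.0.0/0", "::/0")
                    and rule["protocol"] is None and rule["port_min"] is None):
                found.append((group["id"], rule))
    return found


class Plugin(base.Plugin):
    supported_region_types = {"openstack"}

    def discover(self, region):
        return [
            base.Issue("secgroup-open-%s" % group_id, "SecurityGroupTooOpen", region,
                       "Security group %s allows ingress from %s on all ports"
                       % (group_id, rule["cidr"]))
            for group_id, rule in open_rules(fetch_groups(region))
        ]
```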
GET /api/v1/region/{region}/issues/{period}

Returns a list of Issue objects.
Example:
    GET /api/v1/region/west/issues/day

    [
      {
        "id": "d8b0be7c-2ad7-4083-8d5a-a7a9a56fdd14",
        "type": "SecurityGroupTooOpen",
        "description": "Security group too open",
        "region_id": "Region1",
        "discovered_at": "2016-02-28T16:41:41.090Z",
        "confirmed_at": "2016-03-28T16:41:41.090Z"
      }
    ]