Pacbot – Platform For Continuous Compliance Monitoring, Compliance Reporting And Security Automation For The Cloud
Posted onAuthorZuka BukaComments Off on Pacbot – Platform For Continuous Compliance Monitoring, Compliance Reporting And Security Automation For The Cloud
Policy as Code Bot (PacBot) is a platform for continuous compliance monitoring, compliance reporting and security automation for the cloud. In PacBot, security and compliance policies are implemented as code. All resources discovered by PacBot are evaluated against these policies to gauge policy conformance. The PacBot auto-fix framework provides the ability to automatically respond to policy violations by taking predefined actions. PacBot packs in powerful visualization features, giving a simplified view of compliance and making it easy to analyze and remediate policy violations. PacBot is more than a tool to manage cloud misconfiguration, it is a generic platform that can be used to do continuous compliance monitoring and reporting for any domain.
More Than Cloud Compliance Assessment
PacBot’s plugin-based data ingestion architecture allows ingesting data from multiple sources. We have built plugins to pull data from Qualys Vulnerability Assessment Platform, Bitbucket, TrendMicro Deep Security, Tripwire, Venafi Certificate Management, Redhat Satellite, Spacewalk, Active Directory and several other custom-built internal solutions. We are working to open source these plugins and other tools as well. You could write rules based on data collected by these plugins to get a complete picture of your ecosystem and not just cloud misconfigurations. For example, within T-Mobile we have implemented a policy to mark all EC2 instances having one or more severity 5 (CVSS score > 7) vulnerabilities as non-compliant.
How Does It Work?
Assess -> Report -> Remediate -> Repeat
Assess -> Report -> Remediate -> Repeat is PacBot’s philosophy. PacBot discovers resources and assesses them against the policies implemented as code. All policy violations are recorded as an issue. Whenever an Auto-Fix hook is available with the policies, those auto-fixes are executed when the resources fail the evaluation. Policy violations cannot be closed manually, the issue has to be fixed at the source and PacBot will mark it closed in the next scan. Exceptions can be added to policy violations. Sticky exceptions (Exception based on resource attribute matching criteria) can be added to exempt similar resources that may be created in future.
PacBot’s Asset Groups are a powerful way to visualize compliance. Asset Groups are created by defining one or more target resource’s attribute matching criteria. For example, you could create an Asset Group of all running assets by defining criteria to match all EC2 instances with attribute instancestate.name=running. Any new EC2 instance launched after the creation of the Asset Group will be automatically included in the group. In PacBot UI you can select the scope of the portal to a specific asset group. All the data points shown in the PacBot portal will be confined to the selected Asset Group. Teams using cloud can set the scope of the portal to their application or org and focus only on their policy violations. This reduces noise and provides a clear picture to cloud users. At T-Mobile, we create an Asset Groups per stakeholder, per application, per AWS account, per Environment etc.
Asset groups can also be used to define the scope of rule executions as well. PacBot policies are implemented as one or more rules. These rules can be configured to run against all resources or a specific Asset Group. The rules will evaluate all resources in the asset group configured as the scope for the rule. This provides an opportunity to write policies which are very specific to an application or org. For example, some teams would like to enforce additional tagging standards apart from the global standards set for all of the cloud. They can implement such policies with custom rules and configure these rules to run only on their assets.
PacBot Key Capabilities
Continuous compliance assessment.
Detailed compliance reporting.
Auto-Fix for policy violations.
Omni Search – Ability to search all discovered resources.
Simplified policy violation tracking.
Custom policies and custom auto-fix actions.
Dynamic asset grouping to view compliance.
Ability to create multiple compliance domains.
Supports multiple AWS accounts.
Completely automated installer.
Azure AD integration for login.
Role-based access control.
Asset 360 degree.
Front End – Angular
Backend End APIs, Jobs, Rules – Java
Installer – Python and Terraform
AWS ECS & ECR – For hosting UI and APIs
AWS Batch – For rules and resource collection jobs
AWS CloudWatch Rules – For rule trigger, scheduler
AWS Redshift – Data warehouse for all the inventory collected from multiple sources
AWS Elastic Search – Primary data store used by the web application
AWS RDS – For admin CRUD functionalities
AWS S3 – For storing inventory files and persistent storage of historical data
AWS Lambda – For gluing few components of PacBot
PacBot installer automatically launches all of these services and configures them. For detailed instruction on installation look at the installation documentation.
PacBot UI Dashboards & Widgets
Asset Group Selection Widget
Policy Compliance Page – S3 buckets public read access
Policy Compliance Trend Over Time
Asset Dashboard – With Recommendations
Asset 360 / Asset Details Page
Linux Server Quarterly Patch Compliance
Search Results Page With Results filtering
Tagging Compliance Summary Widget
Installation Detailed installation instructions are available here
Usage The installer will launch required AWS services listed in the installation instructions. After successful installation, open the UI load balancer URL. Log into the application using the credentials supplied during the installation. The results from the policy evaluation will start getting populated within an hour. Trendline widgets will be populated when there are at least two data points. When you install PacBot, the AWS account where you install is the base account. PacBot installed on the base account can monitor other target AWS accounts. Refer to the instructions here to add new accounts to PacBot. By default base account will be monitored by PacBot. Login as Admin user and go to the Admin page from the top menu. In the Admin section, you can
Create/Manage Rules and associate Rules with Policies
Create/Manage Asset Groups
Create/Manage Sticky Exception
Create/Manage Access Roles
Manage PacBot Configurations
See detailed instruction with screenshots on how to use the admin feature here
Corsy is a lightweight program that scans for all known misconfigurations in CORS implementations. UsageUsing Corsy is pretty simplepython corsy.py -u https://example.comA delay between consecutive requests can be specified with -d option. Note: This is a beta version, features such as JSON output and scanning multiple hosts will be added later. Tests implemented Pre-domain bypass […]
This is a custom .NET assembly which will perform a number of situational awareness activities. There are a number of current featuresets: BASIC – Obtains information from the disk and registry. LDAP – Allows customised AD LDAP queries to be made. RESOLVEHOST – Performs DNS lookup queries. INDEXSEARCH – Searches the Windows Indexing Service for […]
Diaphora (διαφορά, Greek for ‘difference’) is a program diffing plugin for IDA, similar to Zynamics Bindiff or other FOSS counterparts like YaDiff, DarunGrim, TurboDiff, etc… It was released during SyScan 2015.It works with IDA 6.9 to 7.3. Support for Ghidra is in development. Support for Binary Ninja is also planned but will come after Ghidra’s […]