security-automation

Slack us first!
Hello. I write about problem here:
https://owasp.slack.com/archives/C2P5BA8MN/p1624892081234100

Be informative
As additional into slack I find the same behaviour with Risk Accepted findings. Into Metrics I see 0 Risk Accepted findings, but I have 1 Risk Accepted finding

Bug description
No error. Metrics into product, or metrics dushboard has incorrect info

Description of problem:

The bash remediation of selinux_state runs:

fixfiles onboot
fixfiles -f relabel

whereas the Ansible remediation doe

Summary

Dependabot has identified several security vulnerabilities in the 3rd party libraries Pacbot relies on. In most cases, these vulnerabilities can be resolved by upgrading the library to the most current version.

Maintainers, if you're internal to T-Mobile, you should have been seeing these security alerts coming in over the last several weeks. *Please respond to these in a timely ma

Good summary at https://matthewdf10.medium.com/how-to-enable-logging-on-every-aws-service-in-existence-circa-2021-5b9105b87c9 and https://docs.google.com/spreadsheets/d/1DBmCXX1irJvxdewa85p5nSsYEf3tpSKWBbwp700mbzs/edit#gid=0

Amazon Aurora
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html#cfn-rds-dbcluster-enablecloudwatchlogsexports

AWS AppSync

The current swagger definition is autogenerated. The automatically generated definitions rely on reflection and annotations to create the documentation. The reflection capabilities are poor at best and lead to missing API parameters. Annotations can help in some cases, but the only fix for Swagger is to create individual POJOs for every possible request. This will lead to unnecessary large number

Right now a lot of the logging from the tasks does not get propagated back to the user, so we should make sure that all of the tasks are adding logs and errors to the results so that at minimum the data gets put into the worker-log.txt. Ideally we would store this info in datastore so that the clients could query it later (this part is in #115).

I think that you are doing a very necessary system and your idea is cool, but at the moment it has a lot of bugs. From what I noticed, the assets do not understand the ascii characters and the system crashes. In addition, I did not find a description of the API, I would like to integrate your system into TheHive, or rather make it possible to view information about an asset in TheHive. I believe t

#22 introduced a feature to guess actions that are similar to an existing policy. It currently doesn't support all actions.

Here's things I currently know are missing (comment if you find more):

• KMS: Encrypt, Decrypt, GenerateDataKey, ...
• ECR: BatchDeleteImage, BatchGetImage, ...
• *Deregister*
• *Modify*
• *Remove*
• API Gateway: (DELETE,