  • Stars: 1,288
  • Rank: 36,518 (Top 0.8 %)
  • Language: Java
  • License: Apache License 2.0
  • Created about 6 years ago
  • Updated almost 2 years ago

Repository Details

PacBot (Policy as Code Bot)

Introduction

Policy as Code Bot (PacBot) is a platform for continuous compliance monitoring, compliance reporting and security automation for the cloud. In PacBot, security and compliance policies are implemented as code. All resources discovered by PacBot are evaluated against these policies to gauge policy conformance. The PacBot auto-fix framework provides the ability to automatically respond to policy violations by taking predefined actions. PacBot packs in powerful visualization features, giving a simplified view of compliance and making it easy to analyze and remediate policy violations. PacBot is more than a tool to manage cloud misconfiguration; it is a generic platform that can be used for continuous compliance monitoring and reporting in any domain.

More Than Cloud Compliance Assessment

PacBot's plugin-based data ingestion architecture allows ingesting data from multiple sources. We have built plugins to pull data from Qualys Vulnerability Assessment Platform, Bitbucket, TrendMicro Deep Security, Tripwire, Venafi Certificate Management, Redhat Satellite, Spacewalk, Active Directory and several other custom-built internal solutions. We are working to open source these plugins and other tools as well. You could write rules based on data collected by these plugins to get a complete picture of your ecosystem and not just cloud misconfigurations. For example, within T-Mobile we have implemented a policy to mark all EC2 instances having one or more severity 5 (CVSS score > 7) vulnerabilities as non-compliant.

Quick Demo

How Does It Work?

Assess -> Report -> Remediate -> Repeat

Assess -> Report -> Remediate -> Repeat is PacBot's philosophy. PacBot discovers resources and assesses them against the policies implemented as code. Every policy violation is recorded as an issue. Whenever an Auto-Fix hook is available for a policy, that auto-fix is executed when a resource fails the evaluation. Policy violations cannot be closed manually: the issue has to be fixed at the source, and PacBot will mark it closed in the next scan. Exceptions can be added to policy violations. Sticky exceptions (exceptions based on resource attribute matching criteria) can be added to exempt similar resources that may be created in the future.

PacBot's Asset Groups are a powerful way to visualize compliance. An Asset Group is created by defining one or more attribute matching criteria on the target resources. For example, you could create an Asset Group of all running assets by defining criteria to match all EC2 instances with the attribute instancestate.name=running. Any new EC2 instance launched after the creation of the Asset Group will be automatically included in the group. In the PacBot UI you can set the scope of the portal to a specific Asset Group, and all the data points shown in the portal will then be confined to that group. Teams using the cloud can set the scope of the portal to their application or org and focus only on their own policy violations. This reduces noise and gives cloud users a clear picture. At T-Mobile, we create an Asset Group per stakeholder, per application, per AWS account, per environment, etc.

Asset Groups can also be used to define the scope of rule executions. PacBot policies are implemented as one or more rules. These rules can be configured to run against all resources or against a specific Asset Group; a rule evaluates every resource in the Asset Group configured as its scope. This makes it possible to write policies that are specific to an application or org. For example, some teams would like to enforce additional tagging standards beyond the global standards set for all of the cloud. They can implement such policies with custom rules and configure those rules to run only on their own assets.
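The flow described above (attribute-matched Asset Groups as rule scope, sticky exceptions, and issues that close only when the resource passes on a later scan) as a small runnable model. This is an added example written for this page, not PacBot's own code; the class names, the `scan` function and the sample inventory are assumptions chosen for illustration.

```python
# Added illustrative model of PacBot's asset-group / rule / exception flow.
# Not PacBot code: class and function names here are assumptions.
from dataclasses import dataclass

@dataclass
class Resource:
    resource_id: str
    attributes: dict

def matches(criteria, resource):
    """Attribute matching criteria: every key/value pair must be equal."""
    return all(resource.attributes.get(k) == v for k, v in criteria.items())

@dataclass
class AssetGroup:
    name: str
    criteria: dict
    def members(self, inventory):
        # Evaluated at scan time, so resources created later are included.
        return [r for r in inventory if matches(self.criteria, r)]

@dataclass
class Rule:
    rule_id: str
    scope: AssetGroup   # the rule runs only against this group's members
    check: object       # callable returning True when the resource is compliant

def scan(inventory, rules, sticky_exceptions, issues):
    """One scan: open an issue per violation, exempt sticky-exception matches,
    and close an issue only when the resource passes again (never by hand)."""
    issues = dict(issues)
    for rule in rules:
        for res in rule.scope.members(inventory):
            key = (rule.rule_id, res.resource_id)
            if rule.check(res):
                if key in issues: issues[key] = "closed"
            elif any(matches(c, res) for c in sticky_exceptions):
                issues[key] = "exempted"
            else:
                issues[key] = "open"
    return issues

RUNNING = AssetGroup("running-ec2", {"instancestate.name": "running"})
TAG_RULE = Rule("app-tag-required", RUNNING, lambda r: "tags.Application" in r.attributes)
STICKY = [{"tags.Environment": "sandbox"}]   # exempts sandbox resources, present and future

def demo():
    # Constructed sample inventory: running instances in scope, a stopped one out of scope.
    inv = [Resource("i-001", {"instancestate.name": "running", "tags.Application": "billing"}),
           Resource("i-002", {"instancestate.name": "running"}),
           Resource("i-003", {"instancestate.name": "stopped"}),
           Resource("i-004", {"instancestate.name": "running", "tags.Environment": "sandbox"})]
    first = scan(inv, [TAG_RULE], STICKY, {})
    inv[1].attributes["tags.Application"] = "billing"   # fix at the source
    return first, scan(inv, [TAG_RULE], STICKY, first)
```

The first scan opens an issue for the untagged running instance and exempts the sandbox one; the stopped instance is never evaluated because it is outside the rule's Asset Group, and the second scan closes the issue only after the tag was added at the source.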

PacBot Key Capabilities

  • Continuous compliance assessment.
  • Detailed compliance reporting.
  • Auto-Fix for policy violations.
  • Omni Search - Ability to search all discovered resources.
  • Simplified policy violation tracking.
  • Self-Service portal.
  • Custom policies and custom auto-fix actions.
  • Dynamic asset grouping to view compliance.
  • Ability to create multiple compliance domains.
  • Exception management.
  • Email Digests.
  • Supports multiple AWS accounts.
  • Completely automated installer.
  • Customizable dashboards.
  • OAuth Support.
  • Azure AD integration for login.
  • Role-based access control.
  • Asset 360 degree.

Technology Stack

  • Front End - Angular
  • Back End APIs, Jobs, Rules - Java
  • Installer - Python and Terraform

Deployment Stack

  • AWS ECS & ECR - For hosting UI and APIs
  • AWS Batch - For rules and resource collection jobs
  • AWS CloudWatch Rules - For rule trigger, scheduler
  • AWS Redshift - Data warehouse for all the inventory collected from multiple sources
  • AWS Elastic Search - Primary data store used by the web application
  • AWS RDS - For admin CRUD functionalities
  • AWS S3 - For storing inventory files and persistent storage of historical data
  • AWS Lambda - For gluing together a few components of PacBot

The PacBot installer automatically launches all of these services and configures them. For detailed installation instructions, see the installation documentation.

PacBot UI Dashboards & Widgets

  • Asset Group Selection Widget
  • Compliance Dashboard
  • Policy Compliance Page - S3 buckets public read access
  • Policy Compliance Trend Over Time
  • Asset Dashboard
  • Asset Dashboard - With Recommendations
  • Asset 360 / Asset Details Page

  • Linux Server Quarterly Patch Compliance
  • Omni-Search Page
  • Search Results Page With Results filtering
  • Tagging Compliance Summary Widget

Installation

Detailed installation instructions are available here

Usage

The installer will launch required AWS services listed in the installation instructions. After successful installation, open the UI load balancer URL. Log into the application using the credentials supplied during the installation. The results from the policy evaluation will start getting populated within an hour. Trendline widgets will be populated when there are at least two data points.

When you install PacBot, the AWS account where you install it is the base account. PacBot installed in the base account can monitor other target AWS accounts. Refer to the instructions here to add new accounts to PacBot. By default, the base account is monitored by PacBot.

Log in as an Admin user and go to the Admin page from the top menu. In the Admin section, you can

  1. Create/Manage Policies
  2. Create/Manage Rules and associate Rules with Policies
  3. Create/Manage Asset Groups
  4. Create/Manage Sticky Exception
  5. Manage Jobs
  6. Create/Manage Access Roles
  7. Manage PacBot Configurations

See detailed instructions with screenshots on how to use the admin features here.

User Guide / Wiki

The wiki is here.

Announcement Blog Post

Introducing PacBot

License

PacBot is open-sourced under the terms of section 7 of the Apache 2.0 license and is released AS-IS WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND.
