Netflix has received quite a bit of well-deserved praise for their Simian Army set of tools which ensures that their services on Amazon Web Services can survive any unexpected interruption. The Simian Army is an amazing technical artifact of the DevOps culture that makes Netflix such a poster-child for DevOps Unicorn status. As terrific as Chaos Monkey and friends are, as a security risk manager at a traditional enterprise, they’ve not been the most immediately applicable tools. That all changed when Netflix open sourced their Security Monkey project at the close of last month.
Security Monkey is a Python-based tool used by Netflix to maintain visibility into the security-related changes and status of their AWS accounts. With a number of pre-defined checks and a searchable web interface, this is a slick-looking package for a 1.0 release. I’ve recently been working a fair amount on my organization’s cloud strategy, as well as deploying a few proof-of-concept solutions there for my team’s needs, so I was eager to try out this new tool.
The quickstart guide for the code is quite thorough, but it is long and there are a lot of dependencies that need to be put into place. Apart from the AWS credentials themselves, a postgres install (or an RDS setup) is needed, there are a number of package dependencies, and then there is the Security Monkey code itself. The quickstart guide has the user installing as root, which is fine for a quick kick of the tires but not something you want to do in production (as the guide itself indicates). Well, production is what I wanted, and I certainly didn’t want to create a bunch of hacked-up scripts to make this monkey go “ook.” Working with the code showed that getting it running as a non-privileged user was not going to be straightforward, as a number of files are created with root ownership and permissions when following the quickstart guide. Time for some Chef cookbook authoring!
Today I am releasing my Chef cookbook for Security Monkey. This set of recipes allows a user to configure a postgres database, install the Security Monkey Python code, and get the service up and running. This is definitely an alpha-quality code release. While there are some nice features included, such as auto-setup of nginx for proxying and generation of a self-signed SSL cert, there are a couple of problem areas, both in Security Monkey itself: improper redirects from HTTPS to HTTP during account creation (reportedly fixed on the development branch), and a pesky issue with the scheduler service that I haven’t yet tracked down.
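One quick check worth running after any install, whether by the quickstart or by a cookbook, is that nothing in the Security Monkey tree is still owned by root rather than the service account. This is an added example written for this post, not code from the cookbook or from Netflix; the install path and user name in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the post or the cookbook: audit a Security Monkey
# install tree for files that are not owned by the unprivileged service
# account, which is the state a root-based quickstart install leaves behind.
# Assumes a Linux or BSD host with a POSIX find(1).

# Print every path under $1 whose owner is not $2 and return 1 if any exist;
# return 0 when the whole tree belongs to $2, and 2 if find itself fails
# (for example because the directory or the user does not exist).
find_foreign_owned() {
    dir="$1"
    owner="$2"
    # -H resolves only a top-level symlink (e.g. a "current" release link);
    # "! -user" matches files owned by any account other than $owner.
    foreign=$(find -H "$dir" ! -user "$owner") || return 2
    if [ -n "$foreign" ]; then
        printf 'not owned by %s:\n%s\n' "$owner" "$foreign" >&2
        return 1
    fi
    return 0
}

# Usage (placeholder path and user), e.g. after a cookbook run and before
# starting the service:
#   find_foreign_owned /opt/security_monkey securitymonkey || echo "fix ownership first"
```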
Warts notwithstanding, this should be a useful starting point for anyone wanting to kick the tires with Security Monkey. Pull requests, issues, and general comments are most welcome. Have fun with this monkey in your kitchen!