Guardian SFTP Monitoring, TLS Version Compliance Checks and HTTP Check Updates

Guardian 0.3.0 will be released with the following new features. The new version will be rolled out through Bearse.

SFTP Monitoring

Guardian can now monitor SFTP endpoints for availability and response time. It can also check that a file exists, measure the time it takes to get the file, and match a regex against the file body. The custom SFTP lambda check supports both user/password and public/private key authentication.

This sample config creates an SFTP lambda check using user/password auth, checks for the existence of the file file.txt and performs a regex match of ok against the body of file.txt. See the Guardian docs for further config options.

Resources:
  SFTP:
  - Id: sftp.reference.ci.base2.services
    User: sftp
    Password: /sftp/check/password
    File: file.txt
    FileRegexMatch: ok

If you require a static IP because of security group whitelisting, you can use InternalSFTP to create the lambda check in a VPC behind a NAT gateway.

TLS Version Compliance Checks

Guardian can now check which of the protocol versions SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 an endpoint supports. This allows us to alert on endpoints that support versions that should not be enabled for security reasons, or to alert if versions are not supported when they should be.

The sample config enables the TLS check for the endpoint example.com. It will alert us if versions SSLv2 or SSLv3 are enabled, and alert us if versions TLSv1, TLSv1.1 or TLSv1.2 are not enabled. This is the default behaviour, but it is customisable: select the versions you want to check by supplying a list of versions using the Versions: key.

Resources:
  TLS:
  - Id: example.com

To alter whether a version should be enabled or disabled, change the threshold and comparison operator in the templates section. The following example sets TLSv1 to alert when enabled.

Templates:
  
  TLS:
    TLSVersionTLSv1:
      Threshold: 0
      ComparisonOperator: GreaterThanThreshold
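
How the default behaviour and a Templates override combine, as an added example that is not Guardian's own code. It assumes each version is reported as a metric of 1 when the endpoint accepts it and 0 when it does not, that required versions default to Threshold 1 with LessThanThreshold, and that alarm names follow the TLSVersion<version> pattern shown above; the function names and the sample probe result are constructed.

```python
import operator

# CloudWatch comparison operators a template may select.
OPS = {
    "GreaterThanThreshold": operator.gt,
    "GreaterThanOrEqualToThreshold": operator.ge,
    "LessThanThreshold": operator.lt,
    "LessThanOrEqualToThreshold": operator.le,
}
DEPRECATED = ("SSLv2", "SSLv3")
REQUIRED = ("TLSv1", "TLSv1.1", "TLSv1.2")

def default_alarms(versions):
    """Defaults from the post: alert if SSLv2/SSLv3 are enabled, alert if
    TLSv1/1.1/1.2 are not. The 1/0 metric encoding and the Threshold 1 /
    LessThanThreshold default for required versions are assumptions."""
    alarms = {}
    for v in versions:
        if v in DEPRECATED:
            alarms["TLSVersion" + v] = {"Threshold": 0, "ComparisonOperator": "GreaterThanThreshold"}
        else:
            alarms["TLSVersion" + v] = {"Threshold": 1, "ComparisonOperator": "LessThanThreshold"}
    return alarms

def effective_alarms(resource, templates):
    """Apply Templates: TLS: overrides on top of the defaults for one resource."""
    alarms = default_alarms(resource.get("Versions", DEPRECATED + REQUIRED))
    for name, override in templates.get("TLS", {}).items():
        if name in alarms:  # overrides for unchecked versions are ignored
            alarms[name] = {**alarms[name], **override}
    return alarms

def firing(resource, templates, metrics):
    """Return the sorted alarm names whose metric breaches its threshold."""
    out = []
    for name, cfg in effective_alarms(resource, templates).items():
        value = metrics[name[len("TLSVersion"):]]
        if OPS[cfg["ComparisonOperator"]](value, cfg["Threshold"]):
            out.append(name)
    return sorted(out)

# Constructed probe result for example.com: SSLv3 and TLSv1 are still accepted.
SAMPLE = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 1, "TLSv1.1": 1, "TLSv1.2": 1}
RESOURCE = {"Id": "example.com"}
OVERRIDE = {"TLS": {"TLSVersionTLSv1": {"Threshold": 0, "ComparisonOperator": "GreaterThanThreshold"}}}
```

With the defaults only SSLv3 alerts on this sample; with the TLSv1 override from the template above, TLSv1 alerts as well because the endpoint still accepts it.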

HTTP Support for Gzip and Images

The HTTP check function can work with images. It downloads the image and stores the response as an MD5 hash. This makes it possible to set BodyRegexMatch to the expected MD5 value.

The HTTP check function supports gzip endpoints by requesting a gzip-compressed response and decompressing it to text. This can be enabled on an HTTP check by setting the config key Compressed: to true.

See Guardian docs for more details.

