ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 23:05:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

Prowler 2.7.0 - Brave (#998)

Browse Source 
* Extra7161 EFS encryption at rest check

* Added check_extra7162 which checks if Log groups have 365 days retention

* fixed code to handle all regions and formatted output

* changed check title, resource type and service name as well as making the code more dynamic

* Extra7161 EFS encryption at rest check

* New check_extra7163 Secrets Manager key rotation enabled

* New check7160 Enabled AutomaticVersionUpgrade on RedShift Cluster

* Update ProwlerRole.yaml to have same permissions as util/org-multi-account/ProwlerRole.yaml

* Fix link to quicksight dashboard

* Install detect-secrets (e.g. for check_extra742)

* Updating check_extra7163 with requested changes

* fix(assumed-role): Check if -T and -A options are set

* docs(Readme): `-T` option is not mandatory

* fix(assume-role): Handle AWS STS CLI errors

* fix(assume-role): Handle AWS STS CLI errors

* Update group25_FTR

When trying to run the group 25 (Amazon FTR related security checks) nothing happens, after looking at the code there is a misconfiguration in 2 params: GROUP_RUN_BY_DEFAULT[9] and GROUP_CHECKS[9]. Updating values to 25 fixed the issue.

* Update README.md

broken link for capital letters in group file (group25_FTR)

* #938 issue assume_role multiple times should be fixed

* Label 2.7.0-1December2021 for tests

* Fixed error that appeared if the number of findings was very high.

* Adjusted the batch to only do 50 at a time. 100 caused capacity issues. Also added a check for an edge case where if the updated findings was a multiple of the batch size, it would throw an error for attempting to import 0 findings.

* Added line to delete the temp folder after everything is done.

* New check 7164 Check if Cloudwatch log groups are protected by AWS KMS@maisenhe

* updated CHECK_RISK

* Added checks extra7160,extra7161,extra7162,extra7163 to group Extras

* Added checks extra7160,extra7161,extra7162,extra7163 to group Extras

* Added issue templates

* New check 7165 DynamoDB: DAX encrypted at rest @Daniel-Peladeau

* New check 7165 DynamoDB: DAX encrypted at rest @Daniel-Peladeau

* Fix #963 check 792 to force json in ELB queries

* Fix #957 check 763 had us-east-1 region hardcoded

* Fix #962 check 7147 ALTERNATE NAME

* Fix #940 handling error when can not list functions

* Added new checks 7164 and 7165 to group extras

* Added invalid check or group id to the error message #962

* Fix Broken Link

* Add docker volume example to README.md

* Updated Dockerfile to use amazonlinux container

* Updated Dockerfile with AWS cli v2

* Added upgrade to the RUN

* Added cache purge to Dockerfile

* Backup AWS Credentials before AssumeRole and Restore them before CopyToS3

* exporting the ENV variables

* fixed bracket

* Improved documentation for install process

* fix checks with comma issues

* Added -D option to copy to S3 with the initial AWS credentials

* Cosmetic variable name change

* Added $PROFILE_OPT to CopyToS3 commands

* remove commas

* removed file as it is not needed

* Improved help usage options -h

* Fixed CIS LEVEL on 7163 through 7165

* When performing a restoreInitialAWSCredentials, unset the credentials ENV variables if they were never set

* New check 7166 Elastic IP addresses with associations are protected by AWS Shield Advanced

* New check 7167 Cloudfront distributions are protected by AWS Shield Advanced

* New check 7168 Route53 hosted zones are protected by AWS Shield Advanced

* New check 7169 Global accelerators are protected by AWS Shield Advanced

* New check 7170 Application load balancers are protected by AWS Shield Advanced

* New check 7171 Classic load balancers are protected by AWS Shield Advanced

* Include example for global resources

* Add AWS Advance Shield protection checks corrections

* Added Shield actions GetSubscriptionState and DescribeProtection

* Added Shield actions GetSubscriptionState and DescribeProtection

* docs(templates): Improve bug template with more info (#982)

* Removed echoes after role chaining fix

* Changed Route53 checks7152 and 7153 to INFO when no domains found

* Changed Route53 checks 7152 and 7153 title to clarify

* Added passed security groups in output to check 778

* Added passed security groups and updated title to check 777

* Added FAIL as error handling when SCP prevents queries to regions

* Label version 2.7.0-6January2022

* Updated .dockerignore with .github/

* Fix: issue #758 and #984

* Fix: issue #741 CloudFront and real-time logs

* Fix issues #971 set all as INFO instead of FAIL when no access to resource

* Fix: issue #986

* Add additional action permissions for Glue and Shield Advanced checks @lazize

* Add extra shield action permission

Allows the shield:GetSubscriptionState action

* Add permission actions

Make sure all files where permission actions are necessary will have the same actions

* Fix: Credential chaining from environment variables @lazize #996f

If profile is not defined, restore original credentials from environment variables,
if they exists, before assume-role

* Lable version 2.7.0-24January2022

Co-authored-by: Lee Myers <ichilegend@gmail.com>
Co-authored-by: Chinedu Obiakara <obiakac@amazon.com>
Co-authored-by: Daniel Peladeau <dcpeladeau@gmail.com>
Co-authored-by: Jonathan Lozano <jonloza@amazon.com>
Co-authored-by: Daniel Lorch <dlorch@gmail.com>
Co-authored-by: Pepe Fagoaga <jose.fagoaga@smartprotection.com>
Co-authored-by: Israel <6672089+lopmoris@users.noreply.github.com>
Co-authored-by: root <halfluke@gmail.com>
Co-authored-by: nikirby <nikirby@amazon.com>
Co-authored-by: Joel Maisenhelder <maisenhe@gmail.com>
Co-authored-by: RT <35173068+rtcms@users.noreply.github.com>
Co-authored-by: Andrea Di Fabio <39841198+sectoramen@users.noreply.github.com>
Co-authored-by: Joseph de CLERCK <clerckj@amazon.fr>
Co-authored-by: Michael Dickinson <45626543+michael-dickinson-sainsburys@users.noreply.github.com>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
Co-authored-by: Leonardo Azize Martins <lazize@users.noreply.github.com>
This commit is contained in:
Toni de la Fuente
2022-01-24 13:49:47 +01:00
committed by GitHub
parent 42e54c42cf
commit 2b2814723f
186 changed files with 1746 additions and 394 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
util/Dockerfile
View File

@@ -1,13 +1,25 @@
FROM alpine:3.13
# Build command
# docker build --platform=linux/amd64 --no-cache -t prowler:latest -f util/Dockerfile .
FROM public.ecr.aws/amazonlinux/amazonlinux:latest
LABEL maintainer="https://github.com/toniblyx/prowler"
ARG USERNAME=prowler
ARG USERID=34000
RUN addgroup -g ${USERID} ${USERNAME} && \
adduser -s /bin/sh -G ${USERNAME} -D -u ${USERID} ${USERNAME} && \
apk --update --no-cache add python3 bash curl jq file coreutils py3-pip git && \
pip3 install --upgrade pip && \
pip3 install awscli boto3 detect-secrets==1.0.3
RUN yum install -y shadow-utils && \
useradd -s /bin/sh -U -u ${USERID} ${USERNAME} && \
yum install -y python3 bash curl jq coreutils py3-pip which unzip && \
yum upgrade -y && \
yum clean all && \
pip3 install --upgrade pip && \
pip3 install boto3 detect-secrets==1.0.3 && \
pip3 cache purge && \
curl https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o awscliv2.zip && \
unzip awscliv2.zip && \
aws/install && \
rm -rf aws awscliv2.zip /var/cache/yum
WORKDIR /prowler

9
util/codebuild/codebuild-prowler-audit-account-cfn.yaml
View File

@@ -184,15 +184,18 @@ Resources:
Version: '2012-10-17'
Statement:
- Action:
- s3:GetAccountPublicAccessBlock
- glue:GetConnections
- glue:SearchTables
- ds:ListAuthorizedApplications
- ec2:GetEbsEncryptionByDefault
- ecr:Describe*
- support:Describe*
- tag:GetTagKeys
- lambda:GetFunction
- glue:GetConnections
- glue:GetSecurityConfiguration
- glue:SearchTables
- s3:GetAccountPublicAccessBlock
- shield:GetSubscriptionState
- shield:DescribeProtection
Effect: Allow
Resource: !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog'
- PolicyName: CodeBuild

2
util/org-multi-account/ProwlerRole.yaml
View File

@@ -96,6 +96,8 @@ Resources:
- states:ListActivities
- support:Describe*
- tag:GetTagKeys
- shield:GetSubscriptionState
- shield:DescribeProtection
- PolicyName: Prowler-S3-Reports
PolicyDocument:
Version: 2012-10-17

6
util/org-multi-account/serverless_codebuild/templates/ProwlerCodeBuildStack.yaml
View File

@@ -123,8 +123,12 @@ Resources:
runtime-versions:
python: 3.8
commands:
- echo "Updating yum..."
- echo "Updating yum ..."
- yum -y update
- echo "Updating pip ..."
- python -m pip install --upgrade pip
- echo "Installing requirements ..."
- pip install "git+https://github.com/ibm/detect-secrets.git@master#egg=detect-secrets"
build:
commands:
- echo "Running Prowler with script"

3
util/org-multi-account/serverless_codebuild/templates/ProwlerRole.yaml
View File

@@ -83,6 +83,7 @@ Resources:
- dax:ListTables
- ds:ListAuthorizedApplications
- ds:DescribeRoles
- ec2:GetEbsEncryptionByDefault
- ecr:Describe*
- lambda:GetAccountSettings
- lambda:GetFunctionConfiguration
@@ -96,6 +97,8 @@ Resources:
- states:ListActivities
- support:Describe*
- tag:GetTagKeys
- shield:GetSubscriptionState
- shield:DescribeProtection
- PolicyName: Prowler-S3-Reports
PolicyDocument:
Version: 2012-10-17

11
util/terraform-kickstarter/main.tf
View File

@@ -311,15 +311,18 @@ resource "aws_iam_policy" "prowler_kickstarter_iam_policy" {
},
{
Action = [
"s3:GetAccountPublicAccessBlock",
"glue:GetConnections",
"glue:SearchTables",
"ds:ListAuthorizedApplications",
"ec2:GetEbsEncryptionByDefault",
"ecr:Describe*",
"support:Describe*",
"tag:GetTagKeys",
"lambda:GetFunction"
"lambda:GetFunction",
"glue:GetConnections",
"glue:GetSecurityConfiguration",
"glue:SearchTables",
"s3:GetAccountPublicAccessBlock",
"shield:GetSubscriptionState",
"shield:DescribeProtection"
]
Effect = "Allow"
Resource = "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:catalog"