From 2ddf3c88814f80cfcdaa28e46e21bfcb7386a0fa Mon Sep 17 00:00:00 2001
From: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Date: Mon, 19 Dec 2022 14:27:25 +0100
Subject: [PATCH] feat(docs): add Powler config.yaml information to docs (#1546)

Co-authored-by: sergargar
---
 README.md | 15 ++++--
 docs/tutorials/configuration_file.md | 76 ++++++++++++++++++++++++++++
 mkdocs.yml | 1 +
 3 files changed, 88 insertions(+), 4 deletions(-)
 create mode 100644 docs/tutorials/configuration_file.md

diff --git a/README.md b/README.md
index a59f88c0..0688f2c9 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@

- - + +

    See all the things you and your team can do with ProwlerPro at prowler.pro @@ -58,7 +58,7 @@ The container images are available here: You can run Prowler from your workstation, an EC2 instance, Fargate or any other container, Codebuild, CloudShell and Cloud9. -![Architecture](https://github.com/prowler-cloud/prowler/tree/prowler-3.0-dev/docs/img/architecture.png) +![Architecture](docs/img/architecture.png) # 📝 Requirements @@ -98,7 +98,7 @@ To run prowler, you will need to specify the provider (e.g aws or azure): prowler ``` -![Prowler Execution](https://github.com/prowler-cloud/prowler/tree/prowler-3.0-dev/docs/img/short-display.png) +![Prowler Execution](docs/img/short-display.png) > Running the `prowler` command without options will use your environment variable credentials. @@ -135,6 +135,13 @@ You can always use `-h`/`--help` to access to the usage information and all the prowler -h ``` +## Checks Configurations +Several Prowler's checks have user configurable variables that can be modified in a common **configuration file**. +This file can be found in the following path: +``` +prowler/config/config.yaml +``` + ## AWS Use a custom AWS profile with `-p`/`--profile` and/or AWS regions which you want to audit with `-f`/`--filter-region`: diff --git a/docs/tutorials/configuration_file.md b/docs/tutorials/configuration_file.md new file mode 100644 index 00000000..c3e6eada --- /dev/null +++ b/docs/tutorials/configuration_file.md 
@@ -0,0 +1,76 @@
+# Configuration File
+Several Prowler's checks have user configurable variables that can be modified in a common **configuration file**.
+This file can be found in the following path:
+```
+prowler/config/config.yaml
+```
+
+## Configurable Checks
+The following list includes all the checks with configurable variables that can be changed in the mentioned configuration yaml file:
+
+1. aws.ec2_elastic_ip_shodan
+ - shodan_api_key (String)
+- aws.ec2_securitygroup_with_many_ingress_egress_rules
+ - max_security_group_rules (Integer)
+- aws.ec2_instance_older_than_specific_days
+ - max_ec2_instance_age_in_days (Integer)
+- aws.vpc_endpoint_connections_trust_boundaries
+ - trusted_account_ids (List of Strings)
+- aws.vpc_endpoint_services_allowed_principals_trust_boundaries
+ - trusted_account_ids (List of Strings)
+- aws.cloudwatch_log_group_retention_policy_specific_days_enabled
+ - log_group_retention_days (Integer)
+- aws.appstream_fleet_session_idle_disconnect_timeout
+ - max_idle_disconnect_timeout_in_seconds (Integer)
+- aws.appstream_fleet_session_disconnect_timeout
+ - max_disconnect_timeout_in_seconds (Integer)
+- aws.appstream_fleet_maximum_session_duration
+ - max_session_duration_seconds (Integer)
+- aws.awslambda_function_using_supported_runtimes
+ - obsolete_lambda_runtimes (List of Strings)
+
+## Config Yaml File
+
+ # AWS EC2 Configuration
+ # aws.ec2_elastic_ip_shodan
+ shodan_api_key: null
+ # aws.ec2_securitygroup_with_many_ingress_egress_rules --> by default is 50 rules
+ max_security_group_rules: 50
+ # aws.ec2_instance_older_than_specific_days --> by default is 6 months (180 days)
+ max_ec2_instance_age_in_days: 180
+
+ # AWS VPC Configuration (vpc_endpoint_connections_trust_boundaries, vpc_endpoint_services_allowed_principals_trust_boundaries)
+ # Single account environment: No action required. The AWS account number will be automatically added by the checks.
+ # Multi account environment: Any additional trusted account number should be added as a space separated list, e.g.
+ # trusted_account_ids : ["123456789012", "098765432109", "678901234567"]
+ trusted_account_ids: []
+
+ # AWS Cloudwatch Configuration
+ # aws.cloudwatch_log_group_retention_policy_specific_days_enabled --> by default is 365 days
+ log_group_retention_days: 365
+
+ # AWS AppStream Session Configuration
+ # aws.appstream_fleet_session_idle_disconnect_timeout
+ max_idle_disconnect_timeout_in_seconds: 600 # 10 Minutes
+ # aws.appstream_fleet_session_disconnect_timeout
+ max_disconnect_timeout_in_seconds: 300 # 5 Minutes
+ # aws.appstream_fleet_maximum_session_duration
+ max_session_duration_seconds: 36000 # 10 Hours
+
+ # AWS Lambda Configuration
+ # aws.awslambda_function_using_supported_runtimes
+ obsolete_lambda_runtimes:
+ [
+ "python3.6",
+ "python2.7",
+ "nodejs4.3",
+ "nodejs4.3-edge",
+ "nodejs6.10",
+ "nodejs",
+ "nodejs8.10",
+ "nodejs10.x",
+ "dotnetcore1.0",
+ "dotnetcore2.0",
+ "dotnetcore2.1",
+ "ruby2.5",
+ ]
diff --git a/mkdocs.yml b/mkdocs.yml
index 3b799a8c..7596065c 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -33,6 +33,7 @@ nav:
 - Reporting: tutorials/reporting.md
 - Compliance: tutorials/compliance.md
 - Quick Inventory: tutorials/quick-inventory.md
+ - Configuration File: tutorials/configuration_file.md
 - Logging: tutorials/logging.md
 - Allowlist: tutorials/allowlist.md
 - Pentesting: tutorials/pentesting.md