fix(GuardDuty): Add enabled_in_account parameter (#2979)

Pepe Fagoaga
2023-10-30 19:39:22 +01:00
committed by GitHub
parent fcb979aae1
commit 373ce0ad04
4 changed files with 96 additions and 41 deletions


@@ -13,7 +13,8 @@ class guardduty_is_enabled(Check):
report.resource_tags = detector.tags
report.status = "PASS"
report.status_extended = f"GuardDuty detector {detector.id} enabled."
if detector.arn == guardduty_client.audited_account_arn:
if not detector.enabled_in_account:
report.status = "FAIL"
report.status_extended = "GuardDuty is not enabled."
elif detector.status is None:
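Review bot: The new `if not detector.enabled_in_account:` guard is nested under the `detector.arn == guardduty_client.audited_account_arn` comparison, so a detector carrying the audited-account ARN whose `enabled_in_account` is left at its default falls through with the PASS status and the `GuardDuty detector {detector.id} enabled.` message set just above it, where `detector.id` is the account id rather than a detector id. The service builds that placeholder with `enabled_in_account=False`, so this looks unreachable today, but the check would not depend on that coupling if it keyed off the flag alone: replace the ARN comparison with `if not detector.enabled_in_account:` and keep the FAIL assignment directly under it. The enclosing `execute` method starts and ends outside the hunk, so I cannot confirm the indentation of the `elif detector.status is None:` branch on the rendered page.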


@@ -43,6 +43,7 @@ class GuardDuty(AWSService):
id=self.audited_account,
arn=self.audited_account_arn,
region=regional_client.region,
enabled_in_account=False,
)
)
except Exception as error:
@@ -54,15 +55,21 @@ class GuardDuty(AWSService):
logger.info("GuardDuty - getting detector info...")
try:
for detector in self.detectors:
if detector.id:
regional_client = self.regional_clients[detector.region]
detector_info = regional_client.get_detector(DetectorId=detector.id)
if (
"Status" in detector_info
and detector_info["Status"] == "ENABLED"
):
detector.status = True
try:
if detector.id and detector.enabled_in_account:
regional_client = self.regional_clients[detector.region]
detector_info = regional_client.get_detector(
DetectorId=detector.id
)
if (
"Status" in detector_info
and detector_info["Status"] == "ENABLED"
):
detector.status = True
except Exception as error:
logger.error(
f"{error.__class__.__name__}:{error.__traceback__.tb_lineno} -- {error}"
)
except Exception as error:
logger.error(
f"{error.__class__.__name__}:{error.__traceback__.tb_lineno} -- {error}"
@@ -72,7 +79,7 @@ class GuardDuty(AWSService):
logger.info("GuardDuty - getting administrator account...")
try:
for detector in self.detectors:
if detector.id:
if detector.id and detector.enabled_in_account:
try:
regional_client = self.regional_clients[detector.region]
detector_administrator = (
@@ -102,7 +109,7 @@ class GuardDuty(AWSService):
logger.info("GuardDuty - listing members...")
try:
for detector in self.detectors:
if detector.id:
if detector.id and detector.enabled_in_account:
try:
regional_client = self.regional_clients[detector.region]
list_members_paginator = regional_client.get_paginator(
@@ -127,7 +134,7 @@ class GuardDuty(AWSService):
logger.info("GuardDuty - listing findings...")
try:
for detector in self.detectors:
if detector.id:
if detector.id and detector.enabled_in_account:
regional_client = self.regional_clients[detector.region]
list_findings_paginator = regional_client.get_paginator(
"list_findings"
@@ -161,7 +168,7 @@ class GuardDuty(AWSService):
logger.info("Guardduty - List Tags...")
try:
for detector in self.detectors:
if detector.arn:
if detector.arn and detector.enabled_in_account:
regional_client = self.regional_clients[detector.region]
response = regional_client.list_tags_for_resource(
ResourceArn=detector.arn
@@ -177,6 +184,7 @@ class Detector(BaseModel):
id: str
arn: str
region: str
enabled_in_account: bool = True
status: bool = None
findings: list = []
member_accounts: list = []
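Review bot: The guard `if detector.id and detector.enabled_in_account:` is now repeated by hand in the detector-info, administrator, members and findings hunks, and the tags hunk already diverges by testing `detector.arn and detector.enabled_in_account` instead of `detector.id`; the same condition written five times is the kind that drifts on the next edit. A single definition on the model would keep them aligned, e.g. a property on `Detector` such as `def is_queryable(self) -> bool: return bool(self.id) and self.enabled_in_account`, used as `if detector.is_queryable:` in each loop. In the `Detector` model, `enabled_in_account: bool = True` means any detector built without the flag is treated as live, which is the intended default for real detectors but deserves a one-line comment saying that `False` is reserved for the placeholder built when an account has no detector, so a future caller does not need to read the service to learn it.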


@@ -1,4 +1,3 @@
from re import search
from unittest import mock
from uuid import uuid4
@@ -8,11 +7,11 @@ AWS_REGION = "us-east-1"
AWS_ACCOUNT_ID = "123456789012"
AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_ID}:root"
detector_id = str(uuid4())
detector_arn = f"arn:aws:guardduty:{AWS_REGION}:{AWS_ACCOUNT_ID}:detector/{detector_id}"
DETECTOR_ID = str(uuid4())
DETECTOR_ARN = f"arn:aws:guardduty:{AWS_REGION}:{AWS_ACCOUNT_ID}:detector/{DETECTOR_ID}"
class Test_guardduty_is_enabled:
class Test_:
def test_no_detectors(self):
guardduty_client = mock.MagicMock
guardduty_client.region = AWS_REGION
@@ -22,6 +21,7 @@ class Test_guardduty_is_enabled:
id=AWS_ACCOUNT_ID,
region=AWS_REGION,
arn=AWS_ACCOUNT_ARN,
enabled_in_account=False,
)
)
guardduty_client.audited_account_arn = AWS_ACCOUNT_ARN
@@ -37,7 +37,7 @@ class Test_guardduty_is_enabled:
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search("is not enabled", result[0].status_extended)
assert result[0].status_extended == "GuardDuty is not enabled."
assert result[0].resource_id == AWS_ACCOUNT_ID
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION
@@ -47,9 +47,9 @@ class Test_guardduty_is_enabled:
guardduty_client.detectors = []
guardduty_client.detectors.append(
Detector(
id=detector_id,
id=DETECTOR_ID,
region=AWS_REGION,
arn=detector_arn,
arn=DETECTOR_ARN,
status=True,
)
)
@@ -65,9 +65,12 @@ class Test_guardduty_is_enabled:
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search("enabled", result[0].status_extended)
assert result[0].resource_id == detector_id
assert result[0].resource_arn == detector_arn
assert (
result[0].status_extended
== f"GuardDuty detector {DETECTOR_ID} enabled."
)
assert result[0].resource_id == DETECTOR_ID
assert result[0].resource_arn == DETECTOR_ARN
assert result[0].region == AWS_REGION
def test_guardduty_configured_but_suspended(self):
@@ -76,8 +79,8 @@ class Test_guardduty_is_enabled:
guardduty_client.detectors = []
guardduty_client.detectors.append(
Detector(
id=detector_id,
arn=detector_arn,
id=DETECTOR_ID,
arn=DETECTOR_ARN,
region=AWS_REGION,
status=False,
)
@@ -94,9 +97,12 @@ class Test_guardduty_is_enabled:
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search("configured but suspended", result[0].status_extended)
assert result[0].resource_id == detector_id
assert result[0].resource_arn == detector_arn
assert (
result[0].status_extended
== f"GuardDuty detector {DETECTOR_ID} configured but suspended."
)
assert result[0].resource_id == DETECTOR_ID
assert result[0].resource_arn == DETECTOR_ARN
assert result[0].region == AWS_REGION
def test_guardduty_not_configured(self):
@@ -105,8 +111,8 @@ class Test_guardduty_is_enabled:
guardduty_client.region = AWS_REGION
guardduty_client.detectors.append(
Detector(
id=detector_id,
arn=detector_arn,
id=DETECTOR_ID,
arn=DETECTOR_ARN,
region=AWS_REGION,
)
)
@@ -122,9 +128,12 @@ class Test_guardduty_is_enabled:
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search("not configured", result[0].status_extended)
assert result[0].resource_id == detector_id
assert result[0].resource_arn == detector_arn
assert (
result[0].status_extended
== f"GuardDuty detector {DETECTOR_ID} not configured."
)
assert result[0].resource_id == DETECTOR_ID
assert result[0].resource_arn == DETECTOR_ARN
assert result[0].region == AWS_REGION
def test_guardduty_not_configured_allowlisted(self):
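Review bot: The not-enabled path is exercised only with `enabled_in_account=False` passed explicitly in the `Detector(...)` built by `test_no_detectors`; no case in this file constructs a detector with the audited-account ARN and the flag at its default, so the nested guard the check now relies on is untested in that direction. A short additional test that builds `Detector(id=AWS_ACCOUNT_ID, arn=AWS_ACCOUNT_ARN, region=AWS_REGION)` without the flag and pins whatever status is intended would document the contract. Separately, the context line `guardduty_client = mock.MagicMock` assigns the class rather than an instance, so the `guardduty_client.region = AWS_REGION` and `guardduty_client.detectors = []` assignments that follow mutate the shared `mock.MagicMock` class and can leak between tests; `guardduty_client = mock.MagicMock()` isolates each test. That line predates this commit, but the tests touched here inherit the problem.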


@@ -121,6 +121,14 @@ class Test_GuardDuty_Service:
assert len(guardduty.detectors) == 1
assert guardduty.detectors[0].id == response["DetectorId"]
assert (
guardduty.detectors[0].arn
== f"arn:aws:guardduty:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:detector/{response['DetectorId']}"
)
assert guardduty.detectors[0].enabled_in_account
assert len(guardduty.detectors[0].findings) == 1
assert guardduty.detectors[0].member_accounts == ["123456789012"]
assert guardduty.detectors[0].administrator_account == "123456789013"
assert guardduty.detectors[0].region == AWS_REGION
assert guardduty.detectors[0].tags == [{"test": "test"}]
@@ -135,8 +143,16 @@ class Test_GuardDuty_Service:
assert len(guardduty.detectors) == 1
assert guardduty.detectors[0].id == response["DetectorId"]
assert (
guardduty.detectors[0].arn
== f"arn:aws:guardduty:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:detector/{response['DetectorId']}"
)
assert guardduty.detectors[0].enabled_in_account
assert len(guardduty.detectors[0].findings) == 1
assert guardduty.detectors[0].member_accounts == ["123456789012"]
assert guardduty.detectors[0].administrator_account == "123456789013"
assert guardduty.detectors[0].region == AWS_REGION
assert guardduty.detectors[0].status
assert guardduty.detectors[0].tags == [{"test": "test"}]
@mock_guardduty
# Test GuardDuty session
@@ -149,9 +165,16 @@ class Test_GuardDuty_Service:
assert len(guardduty.detectors) == 1
assert guardduty.detectors[0].id == response["DetectorId"]
assert guardduty.detectors[0].region == AWS_REGION
assert guardduty.detectors[0].status
assert (
guardduty.detectors[0].arn
== f"arn:aws:guardduty:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:detector/{response['DetectorId']}"
)
assert guardduty.detectors[0].enabled_in_account
assert len(guardduty.detectors[0].findings) == 1
assert guardduty.detectors[0].member_accounts == ["123456789012"]
assert guardduty.detectors[0].administrator_account == "123456789013"
assert guardduty.detectors[0].region == AWS_REGION
assert guardduty.detectors[0].tags == [{"test": "test"}]
@mock_guardduty
def test__list_members__(self):
@@ -163,9 +186,16 @@ class Test_GuardDuty_Service:
assert len(guardduty.detectors) == 1
assert guardduty.detectors[0].id == response["DetectorId"]
assert (
guardduty.detectors[0].arn
== f"arn:aws:guardduty:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:detector/{response['DetectorId']}"
)
assert guardduty.detectors[0].enabled_in_account
assert len(guardduty.detectors[0].findings) == 1
assert guardduty.detectors[0].member_accounts == ["123456789012"]
assert guardduty.detectors[0].administrator_account == "123456789013"
assert guardduty.detectors[0].region == AWS_REGION
assert guardduty.detectors[0].status
assert len(guardduty.detectors[0].member_accounts) == 1
assert guardduty.detectors[0].tags == [{"test": "test"}]
@mock_guardduty
# Test GuardDuty session
@@ -178,6 +208,13 @@ class Test_GuardDuty_Service:
assert len(guardduty.detectors) == 1
assert guardduty.detectors[0].id == response["DetectorId"]
assert (
guardduty.detectors[0].arn
== f"arn:aws:guardduty:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:detector/{response['DetectorId']}"
)
assert guardduty.detectors[0].enabled_in_account
assert len(guardduty.detectors[0].findings) == 1
assert guardduty.detectors[0].member_accounts == ["123456789012"]
assert guardduty.detectors[0].administrator_account == "123456789013"
assert guardduty.detectors[0].region == AWS_REGION
assert guardduty.detectors[0].status
assert guardduty.detectors[0].administrator_account == AWS_ACCOUNT_NUMBER_ADMIN
assert guardduty.detectors[0].tags == [{"test": "test"}]
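Review bot: Every hunk in this file adds `assert guardduty.detectors[0].enabled_in_account` for the real-detector path, but as far as the visible hunks show no service test covers the no-detector case, where the service now builds the placeholder with `enabled_in_account=False` and `id=self.audited_account`; that is the branch the commit fixes, and it stays unpinned at the service level. A test that lists zero detectors and asserts `not guardduty.detectors[0].enabled_in_account` together with `guardduty.detectors[0].id == AWS_ACCOUNT_NUMBER` would close that gap. The same five-line ARN assertion block is also pasted into five tests; a small helper such as `def _expected_detector_arn(detector_id): return f"arn:aws:guardduty:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:detector/{detector_id}"` would reduce it to one line per test. In the last hunk the administrator account is asserted twice, once against the literal `"123456789013"` and once against `AWS_ACCOUNT_NUMBER_ADMIN`; keeping only the named constant avoids a silent mismatch if either changes.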