From 373ce0ad04bfe050103882287a2b8e52191d88c5 Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga
Date: Mon, 30 Oct 2023 19:39:22 +0100
Subject: [PATCH] fix(GuardDuty): Add `enabled_in_account` parameter (#2979)
---
 .../guardduty_is_enabled.py | 3 +-
 .../services/guardduty/guardduty_service.py | 34 ++++++++-----
 .../guardduty_is_enabled_test.py | 49 ++++++++++--------
 .../guardduty/guardduty_service_test.py | 51 ++++++++++++++++---
 4 files changed, 96 insertions(+), 41 deletions(-)
diff --git a/prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled.py b/prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled.py
index 5a27f4be..0d81e170 100644
--- a/prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled.py
+++ b/prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled.py
@@ -13,7 +13,8 @@ class guardduty_is_enabled(Check):
 report.resource_tags = detector.tags
 report.status = "PASS"
 report.status_extended = f"GuardDuty detector {detector.id} enabled."
- if detector.arn == guardduty_client.audited_account_arn:
+
+ if not detector.enabled_in_account:
 report.status = "FAIL"
 report.status_extended = "GuardDuty is not enabled."
 elif detector.status is None:
diff --git a/prowler/providers/aws/services/guardduty/guardduty_service.py b/prowler/providers/aws/services/guardduty/guardduty_service.py
index 43b53235..f666a342 100644
--- a/prowler/providers/aws/services/guardduty/guardduty_service.py
+++ b/prowler/providers/aws/services/guardduty/guardduty_service.py
@@ -43,6 +43,7 @@ class GuardDuty(AWSService):
 id=self.audited_account,
 arn=self.audited_account_arn,
 region=regional_client.region,
+ enabled_in_account=False,
 )
 )
 except Exception as error:
@@ -54,15 +55,21 @@ class GuardDuty(AWSService):
 logger.info("GuardDuty - getting detector info...")
 try:
 for detector in self.detectors:
- if detector.id:
- regional_client = self.regional_clients[detector.region]
- detector_info = regional_client.get_detector(DetectorId=detector.id)
- if (
- "Status" in detector_info
- and detector_info["Status"] == "ENABLED"
- ):
- detector.status = True
-
+ try:
+ if detector.id and detector.enabled_in_account:
+ regional_client = self.regional_clients[detector.region]
+ detector_info = regional_client.get_detector(
+ DetectorId=detector.id
+ )
+ if (
+ "Status" in detector_info
+ and detector_info["Status"] == "ENABLED"
+ ):
+ detector.status = True
+ except Exception as error:
+ logger.error(
+ f"{error.__class__.__name__}:{error.__traceback__.tb_lineno} -- {error}"
+ )
 except Exception as error:
 logger.error(
 f"{error.__class__.__name__}:{error.__traceback__.tb_lineno} -- {error}"
@@ -72,7 +79,7 @@ class GuardDuty(AWSService):
 logger.info("GuardDuty - getting administrator account...")
 try:
 for detector in self.detectors:
- if detector.id:
+ if detector.id and detector.enabled_in_account:
 try:
 regional_client = self.regional_clients[detector.region]
 detector_administrator = (
@@ -102,7 +109,7 @@ class GuardDuty(AWSService):
 logger.info("GuardDuty - listing members...")
 try:
 for detector in self.detectors:
- if detector.id:
+ if detector.id and detector.enabled_in_account:
 try:
 regional_client = self.regional_clients[detector.region]
 list_members_paginator = regional_client.get_paginator(
@@ -127,7 +134,7 @@ class GuardDuty(AWSService):
 logger.info("GuardDuty - listing findings...")
 try:
 for detector in self.detectors:
- if detector.id:
+ if detector.id and detector.enabled_in_account:
 regional_client = self.regional_clients[detector.region]
 list_findings_paginator = regional_client.get_paginator(
 "list_findings"
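Review bot: In the re-added body of `@@ -54,15 +55,21 @@`, `detector.status` is only ever assigned `True` (`if ( "Status" in detector_info and detector_info["Status"] == "ENABLED" ): detector.status = True`) and never `False`, so a detector whose `Status` is anything but `ENABLED` keeps the model default `None` and the check reports it as "not configured" instead of "configured but suspended", the message `test_guardduty_configured_but_suspended` expects for `status=False`. Replacing the conditional with `detector.status = detector_info.get("Status") == "ENABLED"` makes the suspended branch reachable; the result is FAIL either way, so there is no false PASS, but the wrong reason points remediation at the wrong action. The new inner `except Exception` rightly keeps the loop going on a per-detector API error, yet that detector also stays at `None` and is then reported as "not configured", indistinguishable in the finding from a region that truly has no detector; consider noting the failure on the detector rather than only in the log. The enclosing method starts before the hunk.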
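Review bot: The findings loop in `@@ -127,7 +134,7 @@` gates on `if detector.id and detector.enabled_in_account:` but, unlike the administrator (`@@ -72,7 +79,7 @@`) and members (`@@ -102,7 +109,7 @@`) loops, shows no per-detector `try:` beneath the `if`, so one region's `get_paginator("list_findings")` failure would reach the outer handler and skip every remaining region; the loop body continues past the hunk, so a handler further down is possible but not visible here. The tags loop in `@@ -161,7 +168,7 @@` has the same shape. Wrapping each detector's body in the same log-and-continue `try`/`except` the other two loops use keeps a single failing region from hiding the rest of the account.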
@@ -161,7 +168,7 @@ class GuardDuty(AWSService):
 logger.info("Guardduty - List Tags...")
 try:
 for detector in self.detectors:
- if detector.arn:
+ if detector.arn and detector.enabled_in_account:
 regional_client = self.regional_clients[detector.region]
 response = regional_client.list_tags_for_resource(
 ResourceArn=detector.arn
@@ -177,6 +184,7 @@ class Detector(BaseModel):
 id: str
 arn: str
 region: str
+ enabled_in_account: bool = True
 status: bool = None
 findings: list = []
 member_accounts: list = []
diff --git a/tests/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled_test.py b/tests/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled_test.py
index d5f5775f..8ca4e7c3 100644
--- a/tests/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled_test.py
+++ b/tests/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled_test.py
@@ -1,4 +1,3 @@
-from re import search
 from unittest import mock
 from uuid import uuid4
@@ -8,11 +7,11 @@ AWS_REGION = "us-east-1"
 AWS_ACCOUNT_ID = "123456789012"
 AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_ID}:root"
-detector_id = str(uuid4())
-detector_arn = f"arn:aws:guardduty:{AWS_REGION}:{AWS_ACCOUNT_ID}:detector/{detector_id}"
+DETECTOR_ID = str(uuid4())
+DETECTOR_ARN = f"arn:aws:guardduty:{AWS_REGION}:{AWS_ACCOUNT_ID}:detector/{DETECTOR_ID}"
-class Test_guardduty_is_enabled:
+class Test_:
 def test_no_detectors(self):
 guardduty_client = mock.MagicMock
 guardduty_client.region = AWS_REGION
@@ -22,6 +21,7 @@ class Test_guardduty_is_enabled:
 id=AWS_ACCOUNT_ID,
 region=AWS_REGION,
 arn=AWS_ACCOUNT_ARN,
+ enabled_in_account=False,
 )
 )
 guardduty_client.audited_account_arn = AWS_ACCOUNT_ARN
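Review bot: The new `enabled_in_account: bool = True` field in `@@ -177,6 +184,7 @@` is undocumented and its meaning is not obvious from the name: `@@ -43,6 +43,7 @@` sets it to `False` only on the placeholder `Detector` built with the account id as `id`, and every lookup loop now skips such entries. A comment on the field would spare the next reader that chase, e.g. `# False marks the per-region placeholder created when the account has no detector; API lookups are skipped for it`. While here, `status: bool = None` is three-valued (None until fetched, True when ENABLED) and reads more honestly as `status: Optional[bool] = None` (or `bool | None`, depending on the project's Python floor; `Optional` may need a `typing` import not visible in this hunk).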
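Review bot: The test class is renamed from `Test_guardduty_is_enabled` to `Test_` in `@@ -8,11 +7,11 @@`, which drops the name tying the suite to the check and looks accidental — the later hunk headers still show `class Test_guardduty_is_enabled:` from the old file. Pytest will still collect it, but the class name appears in every test id and in failure output, so keep `class Test_guardduty_is_enabled:`. Unrelated to this commit but visible as context in the same hunk, `guardduty_client = mock.MagicMock` assigns the class rather than an instance; it works only because attributes are set on the class object afterwards.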
@@ -37,7 +37,7 @@ class Test_guardduty_is_enabled:
 result = check.execute()
 assert len(result) == 1
 assert result[0].status == "FAIL"
- assert search("is not enabled", result[0].status_extended)
+ assert result[0].status_extended == "GuardDuty is not enabled."
 assert result[0].resource_id == AWS_ACCOUNT_ID
 assert result[0].resource_arn == AWS_ACCOUNT_ARN
 assert result[0].region == AWS_REGION
@@ -47,9 +47,9 @@ class Test_guardduty_is_enabled:
 guardduty_client.detectors = []
 guardduty_client.detectors.append(
 Detector(
- id=detector_id,
+ id=DETECTOR_ID,
 region=AWS_REGION,
- arn=detector_arn,
+ arn=DETECTOR_ARN,
 status=True,
 )
 )
@@ -65,9 +65,12 @@ class Test_guardduty_is_enabled:
 result = check.execute()
 assert len(result) == 1
 assert result[0].status == "PASS"
- assert search("enabled", result[0].status_extended)
- assert result[0].resource_id == detector_id
- assert result[0].resource_arn == detector_arn
+ assert (
+ result[0].status_extended
+ == f"GuardDuty detector {DETECTOR_ID} enabled."
+ )
+ assert result[0].resource_id == DETECTOR_ID
+ assert result[0].resource_arn == DETECTOR_ARN
 assert result[0].region == AWS_REGION
 def test_guardduty_configured_but_suspended(self):
@@ -76,8 +79,8 @@ class Test_guardduty_is_enabled:
 guardduty_client.detectors = []
 guardduty_client.detectors.append(
 Detector(
- id=detector_id,
- arn=detector_arn,
+ id=DETECTOR_ID,
+ arn=DETECTOR_ARN,
 region=AWS_REGION,
 status=False,
 )
@@ -94,9 +97,12 @@ class Test_guardduty_is_enabled:
 result = check.execute()
 assert len(result) == 1
 assert result[0].status == "FAIL"
- assert search("configured but suspended", result[0].status_extended)
- assert result[0].resource_id == detector_id
- assert result[0].resource_arn == detector_arn
+ assert (
+ result[0].status_extended
+ == f"GuardDuty detector {DETECTOR_ID} configured but suspended."
+ )
+ assert result[0].resource_id == DETECTOR_ID
+ assert result[0].resource_arn == DETECTOR_ARN
 assert result[0].region == AWS_REGION
 def test_guardduty_not_configured(self):
@@ -105,8 +111,8 @@ class Test_guardduty_is_enabled:
 guardduty_client.region = AWS_REGION
 guardduty_client.detectors.append(
 Detector(
- id=detector_id,
- arn=detector_arn,
+ id=DETECTOR_ID,
+ arn=DETECTOR_ARN,
 region=AWS_REGION,
 )
 )
@@ -122,9 +128,12 @@ class Test_guardduty_is_enabled:
 result = check.execute()
 assert len(result) == 1
 assert result[0].status == "FAIL"
- assert search("not configured", result[0].status_extended)
- assert result[0].resource_id == detector_id
- assert result[0].resource_arn == detector_arn
+ assert (
+ result[0].status_extended
+ == f"GuardDuty detector {DETECTOR_ID} not configured."
+ )
+ assert result[0].resource_id == DETECTOR_ID
+ assert result[0].resource_arn == DETECTOR_ARN
 assert result[0].region == AWS_REGION
 def test_guardduty_not_configured_allowlisted(self):
diff --git a/tests/providers/aws/services/guardduty/guardduty_service_test.py b/tests/providers/aws/services/guardduty/guardduty_service_test.py
index 7029feb3..28be7744 100644
--- a/tests/providers/aws/services/guardduty/guardduty_service_test.py
+++ b/tests/providers/aws/services/guardduty/guardduty_service_test.py
@@ -121,6 +121,14 @@ class Test_GuardDuty_Service:
 assert len(guardduty.detectors) == 1
 assert guardduty.detectors[0].id == response["DetectorId"]
+ assert (
+ guardduty.detectors[0].arn
+ == f"arn:aws:guardduty:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:detector/{response['DetectorId']}"
+ )
+ assert guardduty.detectors[0].enabled_in_account
+ assert len(guardduty.detectors[0].findings) == 1
+ assert guardduty.detectors[0].member_accounts == ["123456789012"]
+ assert guardduty.detectors[0].administrator_account == "123456789013"
 assert guardduty.detectors[0].region == AWS_REGION
 assert guardduty.detectors[0].tags == [{"test": "test"}]
@@ -135,8 +143,16 @@ class Test_GuardDuty_Service:
 assert len(guardduty.detectors) == 1
 assert guardduty.detectors[0].id == response["DetectorId"]
+ assert (
+ guardduty.detectors[0].arn
+ == f"arn:aws:guardduty:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:detector/{response['DetectorId']}"
+ )
+ assert guardduty.detectors[0].enabled_in_account
+ assert len(guardduty.detectors[0].findings) == 1
+ assert guardduty.detectors[0].member_accounts == ["123456789012"]
+ assert guardduty.detectors[0].administrator_account == "123456789013"
 assert guardduty.detectors[0].region == AWS_REGION
- assert guardduty.detectors[0].status
+ assert guardduty.detectors[0].tags == [{"test": "test"}]
 @mock_guardduty # Test GuardDuty session
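Review bot: `@@ -135,8 +143,16 @@` removes `assert guardduty.detectors[0].status` and none of the assertion sets added in this file (here, and in `@@ -149,9 +165,16 @@`, `@@ -163,9 +186,16 @@`, `@@ -178,6 +208,13 @@`) checks `status` again, so the attribute the detector-info fetch populates — and the one the `enabled_in_account` guard now gates — is no longer asserted anywhere in these hunks; restore `assert guardduty.detectors[0].status` in at least the detector-info test. The same blocks hard-code `"123456789012"` and `"123456789013"` while `@@ -178` deletes a line that used the named constant `AWS_ACCOUNT_NUMBER_ADMIN`, and the arn assertion next to them already uses `AWS_ACCOUNT_NUMBER`; if those constants hold the same values, as the arn f-string suggests, `assert guardduty.detectors[0].administrator_account == AWS_ACCOUNT_NUMBER_ADMIN` keeps one source of truth. The identical nine-line block is pasted into five tests; a small module-level helper taking the detector and `response` would make the per-test intent visible again.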
@@ -149,9 +165,16 @@ class Test_GuardDuty_Service:
 assert len(guardduty.detectors) == 1
 assert guardduty.detectors[0].id == response["DetectorId"]
- assert guardduty.detectors[0].region == AWS_REGION
- assert guardduty.detectors[0].status
+ assert (
+ guardduty.detectors[0].arn
+ == f"arn:aws:guardduty:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:detector/{response['DetectorId']}"
+ )
+ assert guardduty.detectors[0].enabled_in_account
 assert len(guardduty.detectors[0].findings) == 1
+ assert guardduty.detectors[0].member_accounts == ["123456789012"]
+ assert guardduty.detectors[0].administrator_account == "123456789013"
+ assert guardduty.detectors[0].region == AWS_REGION
+ assert guardduty.detectors[0].tags == [{"test": "test"}]
 @mock_guardduty
 def test__list_members__(self):
@@ -163,9 +186,16 @@ class Test_GuardDuty_Service:
 assert len(guardduty.detectors) == 1
 assert guardduty.detectors[0].id == response["DetectorId"]
+ assert (
+ guardduty.detectors[0].arn
+ == f"arn:aws:guardduty:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:detector/{response['DetectorId']}"
+ )
+ assert guardduty.detectors[0].enabled_in_account
+ assert len(guardduty.detectors[0].findings) == 1
+ assert guardduty.detectors[0].member_accounts == ["123456789012"]
+ assert guardduty.detectors[0].administrator_account == "123456789013"
 assert guardduty.detectors[0].region == AWS_REGION
- assert guardduty.detectors[0].status
- assert len(guardduty.detectors[0].member_accounts) == 1
+ assert guardduty.detectors[0].tags == [{"test": "test"}]
 @mock_guardduty # Test GuardDuty session
@@ -178,6 +208,13 @@ class Test_GuardDuty_Service:
 assert len(guardduty.detectors) == 1
 assert guardduty.detectors[0].id == response["DetectorId"]
+ assert (
+ guardduty.detectors[0].arn
+ == f"arn:aws:guardduty:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:detector/{response['DetectorId']}"
+ )
+ assert guardduty.detectors[0].enabled_in_account
+ assert len(guardduty.detectors[0].findings) == 1
+ assert guardduty.detectors[0].member_accounts == ["123456789012"]
+ assert guardduty.detectors[0].administrator_account == "123456789013"
 assert guardduty.detectors[0].region == AWS_REGION
- assert guardduty.detectors[0].status
- assert guardduty.detectors[0].administrator_account == AWS_ACCOUNT_NUMBER_ADMIN
+ assert guardduty.detectors[0].tags == [{"test": "test"}]