Merge branch '2.5' into delete_check_extra737_is_duplicated

Toni de la Fuente
2021-08-02 14:14:45 +02:00
committed by GitHub
10 changed files with 36 additions and 56 deletions


@@ -185,6 +185,12 @@ Prowler has been written in bash using AWS-CLI and it works in Linux and OSX.
Valid check numbers are based on the AWS CIS Benchmark guide, so 1.1 is check11 and 3.10 is check310
### Regions
By default Prowler scans all opt-in regions available, that might take a long execution time depending on the number of resources and regions used. Same applies for GovCloud or China regions. See below Advance usage for examples.
Prowler has to parameters related to regions: `-r` that is used query AWS services API endpoints (it uses `us-east-1` by default and required for GovCloud or China) and the option `-f` that is to filter those regions you only want to scan. For example if you want to scan Dublin only use `-f eu-west-1` and if you want to scan Dublin and Ohio `-f 'eu-west-1 us-east-s'`, note the single quotes and space between regions.
## Screenshots
- Sample screenshot of report first lines:


@@ -1,42 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra756="7.56"
CHECK_TITLE_extra756="[extra756] Check if Redshift cluster is Public Accessible"
CHECK_SCORED_extra756="NOT_SCORED"
CHECK_TYPE_extra756="EXTRA"
CHECK_SEVERITY_extra756="High"
CHECK_ASFF_RESOURCE_TYPE_extra756="AwsRedshiftCluster"
CHECK_ALTERNATE_check756="extra756"
CHECK_SERVICENAME_extra756="redshift"
CHECK_RISK_extra756='Publicly accessible services could expose sensible data to bad actors.'
CHECK_REMEDIATION_extra756='Ensure there is a business requirement for service to be public. Use the cluster security group to control access to the service.'
CHECK_DOC_extra756='https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-security-groups.html'
CHECK_CAF_EPIC_extra756='Infrastructure Security'
extra756(){
for regx in $REGIONS; do
LIST_OF_RS_CLUSTERS=$($AWSCLI $PROFILE_OPT redshift describe-clusters --region $regx --query Clusters[*].ClusterIdentifier --output text)
if [[ $LIST_OF_RS_CLUSTERS ]];then
for cluster in $LIST_OF_RS_CLUSTERS; do
IS_PUBLICLY_ACCESSIBLE=$($AWSCLI $PROFILE_OPT redshift describe-clusters --region $regx --cluster-identifier $cluster --query Clusters[*].PubliclyAccessible --output text|grep True)
if [[ $IS_PUBLICLY_ACCESSIBLE ]]; then
textFail "$regx: Redshift cluster $cluster is publicly accessible" "$regx" "$cluster"
else
textPass "$regx: Redshift cluster $cluster is not publicly accessible" "$regx" "$cluster"
fi
done
else
textInfo "$regx: No Redshift clusters found" "$regx"
fi
done
}


@@ -15,7 +15,7 @@ GROUP_ID[15]='pci'
GROUP_NUMBER[15]='15.0'
GROUP_TITLE[15]='PCI-DSS v3.2.1 Readiness - ONLY AS REFERENCE - [pci] **********'
GROUP_RUN_BY_DEFAULT[15]='N' # run it when execute_all is called
GROUP_CHECKS[15]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check112,check113,check114,check116,check21,check23,check25,check26,check27,check28,check29,check314,check36,check38,check43,extra713,extra717,extra718,extra72,extra729,extra735,extra738,extra740,extra744,extra748,extra75,extra750,extra751,extra753,extra754,extra755,extra756,extra773,extra78,extra780,extra781,extra782,extra783,extra784,extra785,extra787,extra788,extra798'
GROUP_CHECKS[15]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check112,check113,check114,check116,check21,check23,check25,check26,check27,check28,check29,check314,check36,check38,check43,extra711,extra713,extra717,extra718,extra72,extra729,extra735,extra738,extra740,extra744,extra748,extra75,extra750,extra751,extra753,extra754,extra755,extra773,extra78,extra780,extra781,extra782,extra783,extra784,extra785,extra787,extra788,extra798'
# Resources:
# https://github.com/toniblyx/prowler/issues/296
@@ -39,7 +39,7 @@ GROUP_CHECKS[15]='check11,check12,check13,check14,check15,check16,check17,check1
# Ensure the default security group restricts all traffic check43
# Remove unused security groups extra75
# RDS should not have Public interface open to a public scope extra78
# Check for Publicly Accessible Redshift Clusters extra756
# Check for Publicly Accessible Redshift Clusters extra711
# Ensure Lambda Functions are not publicly accessible extra798
# 3.2 Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters


@@ -15,7 +15,7 @@ GROUP_ID[17]='internet-exposed'
GROUP_NUMBER[17]='17.0'
GROUP_TITLE[17]='Find resources exposed to the internet - [internet-exposed] ***'
GROUP_RUN_BY_DEFAULT[17]='N' # run it when execute_all is called
GROUP_CHECKS[17]='check41,check42,check45,check46,extra72,extra73,extra74,extra76,extra77,extra78,extra79,extra710,extra711,extra716,extra723,extra727,extra731,extra736,extra738,extra745,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra770,extra771,extra778,extra779,extra787,extra788,extra795,extra796,extra798,extra7102,extra7134,extra7135,extra7136,extra7137,extra7138'
GROUP_CHECKS[17]='check41,check42,check45,check46,extra72,extra73,extra74,extra76,extra77,extra78,extra79,extra710,extra711,extra716,extra723,extra727,extra731,extra736,extra738,extra745,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra770,extra771,extra778,extra779,extra787,extra788,extra795,extra796,extra798,extra7102,extra7134,extra7135,extra7136,extra7137,extra7138'
# 4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored) [group4, cislevel1, cislevel2]
# 4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored) [group4, cislevel1, cislevel2]
@@ -42,7 +42,6 @@ GROUP_CHECKS[17]='check41,check42,check45,check46,extra72,extra73,extra74,extra7
# 7.53 [extra753] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MongoDB ports 27017 and 27018 [extras]
# 7.54 [extra754] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199 or 9160 or 8888 [extras]
# 7.55 [extra755] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Memcached port 11211 [extras]
# redundant 7.56 [extra756] Check if Redshift cluster is Public Accessible [extras]
# 7.70 [extra770] Check for internet facing EC2 instances with Instance Profiles attached [extras]
# 7.78 [extra778] Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918) [extras]
# 7.79 [extra779] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana ports [extras, elasticsearch]


@@ -15,7 +15,7 @@ GROUP_ID[18]='iso27001'
GROUP_NUMBER[18]='18.0'
GROUP_TITLE[18]='ISO 27001:2013 Readiness - ONLY AS REFERENCE - [iso27001] *****'
GROUP_RUN_BY_DEFAULT[18]='N' # run it when execute_all is called
GROUP_CHECKS[18]='check11,check110,check111,check112,check113,check114,check115,check116,check119,check12,check122,check13,check14,check15,check16,check17,check18,check19,check21,check22,check23,check24,check25,check26,check27,check28,check29,check31,check310,check311,check312,check313,check314,check32,check33,check34,check35,check36,check37,check38,check39,check41,check42,check43,check44,extra71,extra710,extra7100,extra711,extra7113,extra7123,extra7125,extra7126,extra7128,extra7129,extra713,extra714,extra7130,extra718,extra719,extra72,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra731,extra73,extra731,extra735,extra739,extra74,extra741,extra747,extra748,extra75,extra756,extra757,extra758,extra759,extra76,extra760,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra77,extra771,extra772,extra774,extra776,extra777,extra778,extra78,extra789,extra79,extra790,extra792,extra793,extra794,extra795,extra796,extra798'
GROUP_CHECKS[18]='check11,check110,check111,check112,check113,check114,check115,check116,check119,check12,check122,check13,check14,check15,check16,check17,check18,check19,check21,check22,check23,check24,check25,check26,check27,check28,check29,check31,check310,check311,check312,check313,check314,check32,check33,check34,check35,check36,check37,check38,check39,check41,check42,check43,check44,extra71,extra710,extra7100,extra711,extra7113,extra7123,extra7125,extra7126,extra7128,extra7129,extra713,extra714,extra7130,extra718,extra719,extra72,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra731,extra73,extra731,extra735,extra739,extra74,extra741,extra747,extra748,extra75,extra757,extra758,extra759,extra76,extra760,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra77,extra771,extra772,extra774,extra776,extra777,extra778,extra78,extra789,extra79,extra790,extra792,extra793,extra794,extra795,extra796,extra798'
# # Category Objective ID Objective Name Prowler check ID Check Summary
# 1 A.9 Access Control A.9.2 User Access Management check122 Ensure IAM policies that allow full "*:*" administrative privileges are not created.
@@ -66,13 +66,13 @@ GROUP_CHECKS[18]='check11,check110,check111,check112,check113,check114,check115,
# 46 A.9 Access Control A.9.4 System and Application Access Control check14 Ensure access keys are rotated every 90 days or less
# 47 A.9 Access Control A.9.4 System and Application Access Control check13 Ensure credentials unused for 90 days or greater are disabled
# 48 A.9 Access Control A.9.4 System and Application Access Control check112 Ensure no root account access key exists
# 55 A.9 Access Control A.9.4 System and Application Access Control extra711 Check if Redshift cluster is Public Accessible
# 49 A.9 Access Control A.9.4 System and Application Access Control extra7113 Check if RDS instances have deletion protection enabled
# 50 A.9 Access Control A.9.4 System and Application Access Control extra72 Ensure there are no EBS Snapshots set as Public
# 51 A.9 Access Control A.9.4 System and Application Access Control extra723 Check if RDS Snapshots and Cluster Snapshots are public
# 52 A.9 Access Control A.9.4 System and Application Access Control extra727 Check if SQS queues have policy set as Public
# 53 A.9 Access Control A.9.4 System and Application Access Control extra73 Ensure there are no S3 buckets open to Everyone or Any AWS user
# 54 A.9 Access Control A.9.4 System and Application Access Control extra731 Check if SNS topics have policy set as Public
# 55 A.9 Access Control A.9.4 System and Application Access Control extra756 Check if Redshift cluster is Public Accessible
# 56 A.9 Access Control A.9.4 System and Application Access Control extra76 Ensure there are no EC2 AMIs set as Public
# 57 A.9 Access Control A.9.4 System and Application Access Control extra77 Ensure there are no ECR repositories set as Public
# 58 A.9 Access Control A.9.4 System and Application Access Control extra771 Check if S3 buckets have policies which allow WRITE access
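Review bot: The new table row on the line starting `# 55 A.9 Access Control A.9.4 System and Application Access Control extra711` keeps the number 55 but is inserted between rows 48 and 49, so the list now reads 48, 55, 49 … 54, 56; either move it to where the removed extra756 row stood (after the extra731 row 54) or renumber the rows. Incidentally, the updated `GROUP_CHECKS[18]` value still lists `extra731` twice (`…extra729,extra731,extra73,extra731,extra735…`); that predates this commit but could be cleaned up in the same pass.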


@@ -55,12 +55,12 @@ Resources:
Statement:
- Effect: Allow
Action:
- 'dax:ListTables'
- 'ds:ListAuthorizedApplications'
- 'ds:DescribeRoles'
- 'ec2:GetEbsEncryptionByDefault'
- 'ecr:Describe*'
- 'support:Describe*'
- 'tag:GetTagKeys'
- 'lambda:GetFunction'
- 'glue:GetConnections'
- 's3:GetAccountPublicAccessBlock'
Resource: '*'
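Review bot: The action list in this YAML policy ends with `- 'glue:GetConnections'` and `- 's3:GetAccountPublicAccessBlock'` but has no `glue:SearchTables`, whereas the JSON policy and the ProwlerAdditions statement in the CloudFormation template in this same commit add all three. If the YAML and JSON policies are meant to be interchangeable, add `- 'glue:SearchTables'` here so a run under the YAML policy does not get AccessDenied on the Glue check. The rendered page does not mark which lines of this hunk are additions, so this is read off the new side as printed.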


@@ -3,14 +3,15 @@
"Statement": [
{
"Action": [
"dax:ListTables",
"ds:ListAuthorizedApplications",
"ds:DescribeRoles",
"ec2:GetEbsEncryptionByDefault",
"ecr:Describe*",
"support:Describe*",
"tag:GetTagKeys",
"lambda:GetFunction"
"lambda:GetFunction",
"glue:GetConnections",
"glue:SearchTables",
"s3:GetAccountPublicAccessBlock"
],
"Resource": "*",
"Effect": "Allow",


@@ -326,7 +326,7 @@ generateJsonAsffOutput(){
local status=$2
#Checks to determine if the rule passes in a resource name that prowler uses to track the AWS Resource for whitelisting purposes
if [ -z $3 ]; then
if [[ -z $3 ]]; then
local resource_id="NONE_PROVIDED"
else
local resource_id=$3
@@ -337,7 +337,7 @@ generateJsonAsffOutput(){
fi
jq -M -c \
--arg ACCOUNT_NUM "$ACCOUNT_NUM" \
--arg TITLE_TEXT "$TITLE_TEXT" \
--arg TITLE_TEXT "$CHECK_SERVICENAME.$TITLE_TEXT" \
--arg MESSAGE "$(echo -e "${message}")" \
--arg UNIQUE_ID "$(LC_ALL=C echo -e -n "${message}" | tr -cs '[:alnum:]._~-' '_')" \
--arg STATUS "$status" \
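Review bot: The new `--arg TITLE_TEXT "$CHECK_SERVICENAME.$TITLE_TEXT"` prefixes every ASFF title with `$CHECK_SERVICENAME`, so for any check that does not define a CHECK_SERVICENAME_* variable (the deleted extra756 file shows the per-check pattern; whether every remaining check sets one is not visible here) the finding title becomes `.<title>`. Guarding the separator avoids that: `--arg TITLE_TEXT "${CHECK_SERVICENAME:+$CHECK_SERVICENAME.}$TITLE_TEXT"`, and a one-line comment such as `# Title is prefixed with the service name so Security Hub findings can be grouped per service` would record the intent. generateJsonAsffOutput starts before this hunk and continues after it.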


@@ -179,6 +179,22 @@ Resources:
- s3:GetBucketLocation
Effect: Allow
Resource: !Sub 'arn:aws:s3:::${ArtifactBucket}/*'
- PolicyName: ProwlerAdditions
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action:
- s3:GetAccountPublicAccessBlock
- glue:GetConnections
- glue:SearchTables
- ds:ListAuthorizedApplications
- ec2:GetEbsEncryptionByDefault
- ecr:Describe*
- support:Describe*
- tag:GetTagKeys
- lambda:GetFunction
Effect: Allow
Resource: !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog'
- PolicyName: CodeBuild
PolicyDocument:
Version: '2012-10-17'
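Review bot: The ProwlerAdditions statement scopes all of its actions to `!Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog'`, but `s3:GetAccountPublicAccessBlock`, `ds:ListAuthorizedApplications`, `ec2:GetEbsEncryptionByDefault`, `ecr:Describe*`, `support:Describe*`, `tag:GetTagKeys` and `lambda:GetFunction` are not Glue catalog operations, so IAM will never match this resource for them and the corresponding checks will be denied at runtime. `glue:GetConnections` and `glue:SearchTables` also act on connection, database and table resources rather than only the catalog, so the catalog ARN alone is likely insufficient for them as well (confirm against the Glue IAM reference). Split the statement so the Glue actions stay scoped to Glue ARNs while the account-level actions use `Resource: '*'`, which is what the JSON and YAML policy files in this commit already do. The enclosing Policies list continues past the end of this hunk.
```yaml
      - PolicyName: ProwlerAdditions
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Action:
                - glue:GetConnections
                - glue:SearchTables
              Effect: Allow
              Resource:
                - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog'
                - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:connection/*'
                - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:database/*'
                - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:table/*/*'
            - Action:
                - s3:GetAccountPublicAccessBlock
                - ds:ListAuthorizedApplications
                - ec2:GetEbsEncryptionByDefault
                - ecr:Describe*
                - support:Describe*
                - tag:GetTagKeys
                - lambda:GetFunction
              Effect: Allow
              Resource: '*'
      # … unchanged: CodeBuild policy follows …
```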