From 977fe7408e8aa93ad8b860ba5ae1365005166c05 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Wed, 6 May 2020 23:24:42 +0200 Subject: [PATCH] Added whitelist option to README and reduce output for -w --- README.md | 83 +++++++++++++++++++++++++------------------- prowler | 17 +++------ whitelist_sample.txt | 8 +++++ 3 files changed, 60 insertions(+), 48 deletions(-) diff --git a/README.md b/README.md index 9e615411..cf6e7e33 100644 --- a/README.md +++ b/README.md 
@@ -236,42 +236,43 @@ This script has been written in bash using AWS-CLI and it works in Linux and OSX ./prowler -h USAGE: - prowler [ -p -r -h ] - - Options: - -p specify your AWS profile to use (i.e.: default) - -r specify an AWS region to direct API requests to - (i.e.: us-east-1), all regions are checked anyway if the check requires it - -c specify a check id, to see all available checks use -l option - (i.e.: check11 for check 1.1 or extra71 for extra check 71) - -g specify a group of checks by id, to see all available group of checks use -L - (i.e.: check3 for entire section 3, cislevel1 for CIS Level 1 Profile Definitions or forensics-ready) - -f specify an AWS region to run checks against - (i.e.: us-west-1) - -m specify the maximum number of items to return for long-running requests (default: 100) - -M output mode: text (default), mono, json, json-asff, junit-xml, csv. They can be used combined comma separated. - (separator is ","; data is on stdout; progress on stderr). - -k keep the credential report - -n show check numbers to sort easier - (i.e.: 1.01 instead of 1.1) - -l list all available checks only (does not perform any check). Add -g to only list checks within the specified group - -L list all groups (does not perform any check) - -e exclude group extras - -E execute all tests except a list of specified checks separated by comma (i.e. check21,check31) - -b do not print Prowler banner - -V show version number & exit - -s show scoring report - -S send check output to AWS Security Hub - only valid when the output mode is json-asff (i.e. "-M json-asff -S") - -x specify external directory with custom checks (i.e. 
/my/own/checks, files must start by check) - -q suppress info messages and passing test output - -A account id for the account where to assume a role, requires -R and -T - (i.e.: 123456789012) - -R role name to assume in the account, requires -A and -T - (i.e.: ProwlerRole) - -T session durantion given to that role credentials in seconds, default 1h (3600) recommended 12h, requires -R and -T - (i.e.: 43200) - -I External ID to be used when assuming roles (no mandatory) - -h this help + prowler [ -p -r -h ] + Options: + -p specify your AWS profile to use (i.e.: default) + -r specify an AWS region to direct API requests to + (i.e.: us-east-1), all regions are checked anyway if the check requires it + -c specify one or multiple check ids separated by commas, to see all available checks use -l option + (i.e.: check11 for check 1.1 or extra71,extra72 for extra check 71 and extra check 72) + -g specify a group of checks by id, to see all available group of checks use -L + (i.e.: check3 for entire section 3, level1 for CIS Level 1 Profile Definitions or forensics-ready) + -f specify an AWS region to run checks against + (i.e.: us-west-1) + -m specify the maximum number of items to return for long-running requests (default: 100) + -M output mode: text (default), mono, json, json-asff, junit-xml, csv. They can be used combined comma separated. + (separator is ,; data is on stdout; progress on stderr). + -k keep the credential report + -n show check numbers to sort easier + (i.e.: 1.01 instead of 1.1) + -l list all available checks only (does not perform any check). Add -g to only list checks within the specified group + -L list all groups (does not perform any check) + -e exclude group extras + -E execute all tests except a list of specified checks separated by comma (i.e. check21,check31) + -b do not print Prowler banner + -s show scoring report + -S send check output to AWS Security Hub - only valid when the output mode is json-asff (i.e. 
-M json-asff -S) + -x specify external directory with custom checks (i.e. /my/own/checks, files must start by check) + -q suppress info messages and passing test output + -A account id for the account where to assume a role, requires -R and -T + (i.e.: 123456789012) + -R role name to assume in the account, requires -A and -T + (i.e.: ProwlerRole) + -T session duration given to that role credentials in seconds, default 1h (3600) recommended 12h, requires -R and -T + (i.e.: 43200) + -I External ID to be used when assuming roles (not mandatory), requires -A and -R + -w whitelist file. See whitelist_sample.txt for reference and format + (i.e.: whitelist_sample.txt) + -V show version number & exit + -h this help ``` ## Advanced Usage @@ -353,6 +354,16 @@ There are two requirements: >Note: to have updated findings in Security Hub you have to run Prowler periodically. Once a day or every certain amount of hours. +## Whitelist or remove FAIL from resources + +Sometimes you may find resources that are intentionally configured in a certain way that may be a bad practice but it is all right with it, for example an S3 bucket open to the internet hosting a web site, or a security group with an open port needed in your use case. Now you can use `-w whitelist_sample.txt` and add your resources as `checkID:resourcename` as in this command: + +``` +./prowler -w whitelist_sample.txt +``` + +Whitelist option works along with other options and adds a WARNING instead of INFO, PASS or FAIL to any output format except for json-asff. + ## How to fix every FAIL Check your report and fix the issues following all specific guidelines per check in diff --git a/prowler b/prowler index eb1f1c53..c93a5f4c 100755 --- a/prowler +++ b/prowler @@ -32,7 +32,7 @@ OPTRED="" OPTNORMAL="" # Set the defaults variables -PROWLER_VERSION=2.2.1 +PROWLER_VERSION=2.3.0 PROWLER_DIR=$(dirname "$0") REGION="" 
@@ -77,7 +77,6 @@ USAGE: -e exclude group extras -E execute all tests except a list of specified checks separated by comma (i.e. check21,check31) -b do not print Prowler banner - -V show version number & exit -s show scoring report -S send check output to AWS Security Hub - only valid when the output mode is json-asff (i.e. "-M json-asff -S") -x specify external directory with custom checks (i.e. /my/own/checks, files must start by "check") @@ -86,16 +85,12 @@ USAGE: (i.e.: 123456789012) -R role name to assume in the account, requires -A and -T (i.e.: ProwlerRole) - -w whitelist file. (Lines starting with # are ignored as comments) Format: - # ignore these due to some reason - # check1 checks s3 buckets - : - : - # checkid2 - : -T session duration given to that role credentials in seconds, default 1h (3600) recommended 12h, requires -R and -T (i.e.: 43200) - -I External ID to be used when assuming roles (not mandatory), requires -A and -R. + -I External ID to be used when assuming roles (not mandatory), requires -A and -R + -w whitelist file. See whitelist_sample.txt for reference and format + (i.e.: whitelist_sample.txt) + -V show version number & exit -h this help " exit @@ -181,8 +176,6 @@ while getopts ":hlLkqp:r:c:g:f:m:M:E:enbVsSxI:A:R:T:w:" OPTION; do ;; w ) WHITELIST_FILE=$OPTARG - echo "" - echo "$OPTNORMAL Using Whitelist file: $OPTARG" ;; : ) echo "" diff --git a/whitelist_sample.txt b/whitelist_sample.txt index e4bccdf8..5a538b38 100644 --- a/whitelist_sample.txt +++ b/whitelist_sample.txt @@ -2,3 +2,11 @@ # Example: Will not consider a myignoredbucket failures as full failure. (Still printed as a warning) check26:myignoredbucket + +# line starting with # are ignored as comments +# add a line per resource as here: +#: +#: +# checkid2 +#: +
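Review bot: in the README usage hunk (`@@ -236,42 +236,43 @@`) the README text now diverges from what `./prowler -h` prints: the quotes are dropped from `(separator is ",")` and `(i.e. "-M json-asff -S")`, while the script's own usage block in this same patch still shows the quoted forms (`(i.e. "-M json-asff -S")`, `files must start by "check"`), and `(separator is ,; data is on stdout` is hard to read without them. The same hunk also changes `-c` to document comma-separated check ids and the `-g` example from `cislevel1` to `level1`; neither change has a matching change in the `prowler` hunks below, so either confirm the script already accepts both and say so in the commit message, or leave those lines out of a README-only whitelist commit. Keeping the quoted wording identical in both places avoids the two help texts drifting apart.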
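Review bot: the new "Whitelist or remove FAIL from resources" section (`@@ -353,6 +354,16 @@`) should state what happens to a whitelisted resource in `json-asff` mode: it says the WARNING applies to "any output format except for json-asff" but not whether the finding is then sent to Security Hub as FAILED, PASSED, or not at all, and with `-S` that decides whether an intentionally open bucket keeps showing up as a failed finding. It is also worth saying explicitly that whitelisted resources are still printed (as WARNING) rather than dropped, so anyone reading the report can see what was excluded and review the whitelist file alongside it. Minor wording: "but it is all right with it" reads awkwardly; something like "but that is acceptable in your environment" is clearer.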
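Review bot: the `PROWLER_VERSION=2.2.1` to `2.3.0` bump (`@@ -32,7 +32,7 @@`) is not mentioned in the commit subject ("Added whitelist option to README and reduce output for -w"); a minor-version bump for a new `-w` flag is reasonable, but name it in the message or give it its own commit so the release change is findable in history.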
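Review bot: in the `prowler` usage hunk (`@@ -86,16 +85,12 @@`) the replacement `-w` help text refers to `whitelist_sample.txt` by bare filename, which only exists relative to the script's own directory, and the removed lines at least attempted to state the format inline. Suggest keeping a one-line format description in the help so it is self-contained, e.g. `-w whitelist file, one checkid:resource per line, lines starting with # are ignored (see whitelist_sample.txt)`, and pointing at `$PROWLER_DIR/whitelist_sample.txt` since `PROWLER_DIR=$(dirname "$0")` is already set near the top of the script.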
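Review bot: in the `getopts` hunk (`@@ -181,8 +176,6 @@`) dropping the `Using Whitelist file:` echo removes the only confirmation that the file was picked up, and there is still no check that `$OPTARG` exists or is readable, so a mistyped path now fails completely silently and the run reports every finding as if no whitelist had been given. If the echo was removed because it broke machine-readable `json`/`csv` output on stdout, the usage text already promises that progress goes to stderr, so keep a message but send it there and validate the file, e.g. after `WHITELIST_FILE=$OPTARG` add `[ -r "$WHITELIST_FILE" ] || { echo "Whitelist file not readable: $WHITELIST_FILE" >&2; exit 1; }` and print the confirmation to stderr unless `-q` is set.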
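Review bot: in the `whitelist_sample.txt` hunk (`@@ -2,3 +2,11 @@`) the added placeholder lines show only `#:`, `#:`, `# checkid2`, `#:`, so the expected format is not recoverable from the sample itself; write them the way the README section does, e.g. `# checkid:resourcename` and a second concrete line such as `# check26:anotherbucket`, one entry per line. Also `# line starting with # are ignored as comments` should read `# lines starting with # are ignored as comments`, and the trailing empty `+` line at the end of the file can be dropped.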