ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added whitelist option to README and recuce output for -w

Browse Source
This commit is contained in:
Toni de la Fuente
2020-05-06 23:24:42 +02:00
parent f618a16075
commit 977fe7408e
3 changed files with 60 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
README.md
View File

@@ -236,42 +236,43 @@ This script has been written in bash using AWS-CLI and it works in Linux and OSX
./prowler -h ./prowler -h
USAGE: USAGE:
prowler [ -p <profile> -r <region> -h ] prowler [ -p <profile> -r <region> -h ]
Options:
Options: -p <profile> specify your AWS profile to use (i.e.: default)
-p <profile> specify your AWS profile to use (i.e.: default) -r <region> specify an AWS region to direct API requests to
-r <region> specify an AWS region to direct API requests to (i.e.: us-east-1), all regions are checked anyway if the check requires it
(i.e.: us-east-1), all regions are checked anyway if the check requires it -c <check_id> specify one or multiple check ids separated by commas, to see all available checks use -l option
-c <check_id> specify a check id, to see all available checks use -l option (i.e.: check11 for check 1.1 or extra71,extra72 for extra check 71 and extra check 72)
(i.e.: check11 for check 1.1 or extra71 for extra check 71) -g <group_id> specify a group of checks by id, to see all available group of checks use -L
-g <group_id> specify a group of checks by id, to see all available group of checks use -L (i.e.: check3 for entire section 3, level1 for CIS Level 1 Profile Definitions or forensics-ready)
(i.e.: check3 for entire section 3, cislevel1 for CIS Level 1 Profile Definitions or forensics-ready) -f <filterregion> specify an AWS region to run checks against
-f <filterregion> specify an AWS region to run checks against (i.e.: us-west-1)
(i.e.: us-west-1) -m <maxitems> specify the maximum number of items to return for long-running requests (default: 100)
-m <maxitems> specify the maximum number of items to return for long-running requests (default: 100) -M <mode> output mode: text (default), mono, json, json-asff, junit-xml, csv. They can be used combined comma separated.
-M <mode> output mode: text (default), mono, json, json-asff, junit-xml, csv. They can be used combined comma separated. (separator is ,; data is on stdout; progress on stderr).
(separator is ","; data is on stdout; progress on stderr). -k keep the credential report
-k keep the credential report -n show check numbers to sort easier
-n show check numbers to sort easier (i.e.: 1.01 instead of 1.1)
(i.e.: 1.01 instead of 1.1) -l list all available checks only (does not perform any check). Add -g <group_id> to only list checks within the specified group
-l list all available checks only (does not perform any check). Add -g <group_id> to only list checks within the specified group -L list all groups (does not perform any check)
-L list all groups (does not perform any check) -e exclude group extras
-e exclude group extras -E execute all tests except a list of specified checks separated by comma (i.e. check21,check31)
-E execute all tests except a list of specified checks separated by comma (i.e. check21,check31) -b do not print Prowler banner
-b do not print Prowler banner -s show scoring report
-V show version number & exit -S send check output to AWS Security Hub - only valid when the output mode is json-asff (i.e. -M json-asff -S)
-s show scoring report -x specify external directory with custom checks (i.e. /my/own/checks, files must start by check)
-S send check output to AWS Security Hub - only valid when the output mode is json-asff (i.e. "-M json-asff -S") -q suppress info messages and passing test output
-x specify external directory with custom checks (i.e. /my/own/checks, files must start by check) -A account id for the account where to assume a role, requires -R and -T
-q suppress info messages and passing test output (i.e.: 123456789012)
-A account id for the account where to assume a role, requires -R and -T -R role name to assume in the account, requires -A and -T
(i.e.: 123456789012) (i.e.: ProwlerRole)
-R role name to assume in the account, requires -A and -T -T session duration given to that role credentials in seconds, default 1h (3600) recommended 12h, requires -R and -T
(i.e.: ProwlerRole) (i.e.: 43200)
-T session durantion given to that role credentials in seconds, default 1h (3600) recommended 12h, requires -R and -T -I External ID to be used when assuming roles (not mandatory), requires -A and -R
(i.e.: 43200) -w whitelist file. See whitelist_sample.txt for reference and format
-I External ID to be used when assuming roles (no mandatory) (i.e.: whitelist_sample.txt)
-h this help -V show version number & exit
-h this help
``` ```
## Advanced Usage ## Advanced Usage
@@ -353,6 +354,16 @@ There are two requirements:
>Note: to have updated findings in Security Hub you have to run Prowler periodically. Once a day or every certain amount of hours. >Note: to have updated findings in Security Hub you have to run Prowler periodically. Once a day or every certain amount of hours.
## Whitelist or remove FAIL from resources
Sometimes you may find resources that are intentionally configured in a certain way that may be a bad practice but it is all right with it, for example an S3 bucket open to the internet hosting a web site, or a security group with an open port needed in your use case. Now you can use `-w whitelist_sample.txt` and add your resources as `checkID:resourcename` as in this command:
```
./prowler -w whitelist_sample.txt
```
Whitelist option works along with other options and adds a WARNING instead of INFO, PASS or FAIL to any output format except for json-asff.
## How to fix every FAIL ## How to fix every FAIL
Check your report and fix the issues following all specific guidelines per check in <https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf> Check your report and fix the issues following all specific guidelines per check in <https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf>

17
prowler
View File

@@ -32,7 +32,7 @@ OPTRED=""
OPTNORMAL="" OPTNORMAL=""
# Set the defaults variables # Set the defaults variables
PROWLER_VERSION=2.2.1 PROWLER_VERSION=2.3.0
PROWLER_DIR=$(dirname "$0") PROWLER_DIR=$(dirname "$0")
REGION="" REGION=""
@@ -77,7 +77,6 @@ USAGE:
-e exclude group extras -e exclude group extras
-E execute all tests except a list of specified checks separated by comma (i.e. check21,check31) -E execute all tests except a list of specified checks separated by comma (i.e. check21,check31)
-b do not print Prowler banner -b do not print Prowler banner
-V show version number & exit
-s show scoring report -s show scoring report
-S send check output to AWS Security Hub - only valid when the output mode is json-asff (i.e. "-M json-asff -S") -S send check output to AWS Security Hub - only valid when the output mode is json-asff (i.e. "-M json-asff -S")
-x specify external directory with custom checks (i.e. /my/own/checks, files must start by "check") -x specify external directory with custom checks (i.e. /my/own/checks, files must start by "check")
@@ -86,16 +85,12 @@ USAGE:
(i.e.: 123456789012) (i.e.: 123456789012)
-R role name to assume in the account, requires -A and -T -R role name to assume in the account, requires -A and -T
(i.e.: ProwlerRole) (i.e.: ProwlerRole)
-w whitelist file. (Lines starting with # are ignored as comments) Format:
# ignore these due to some reason
# check1 checks s3 buckets
<checkid1>:<resource to ignore 1>
<checkid1>:<resource to ignore 2>
# checkid2
<checkid2>:<resource to ignore 1>
-T session duration given to that role credentials in seconds, default 1h (3600) recommended 12h, requires -R and -T -T session duration given to that role credentials in seconds, default 1h (3600) recommended 12h, requires -R and -T
(i.e.: 43200) (i.e.: 43200)
-I External ID to be used when assuming roles (not mandatory), requires -A and -R. -I External ID to be used when assuming roles (not mandatory), requires -A and -R
-w whitelist file. See whitelist_sample.txt for reference and format
(i.e.: whitelist_sample.txt)
-V show version number & exit
-h this help -h this help
" "
exit exit
@@ -181,8 +176,6 @@ while getopts ":hlLkqp:r:c:g:f:m:M:E:enbVsSxI:A:R:T:w:" OPTION; do
;; ;;
w ) w )
WHITELIST_FILE=$OPTARG WHITELIST_FILE=$OPTARG
echo ""
echo "$OPTNORMAL Using Whitelist file: $OPTARG"
;; ;;
: ) : )
echo "" echo ""

8
whitelist_sample.txt
View File

@@ -2,3 +2,11 @@
# Example: Will not consider a myignoredbucket failures as full failure. (Still printed as a warning) # Example: Will not consider a myignoredbucket failures as full failure. (Still printed as a warning)
check26:myignoredbucket check26:myignoredbucket
# line starting with # are ignored as comments
# add a line per resource as here:
#<checkid1>:<resource to ignore 1>
#<checkid1>:<resource to ignore 2>
# checkid2
#<checkid2>:<resource to ignore 1>