feat(prowler3): first commit

providers/aws/aws_provider.py

@@ -0,0 +1,24 @@
+from boto3 import session
+
+
+################## AWS PROVIDER
+class AWS_Provider:
+    def __init__(self, profile):
+        self.aws_session = session.Session(profile_name=profile)
+
+    def get_session(self):
+        return self.aws_session
+
+
+def provider_set_profile(profile):
+    global session
+    session = AWS_Provider(profile).get_session()
+
+
+# ################## AWS Service
+# class AWS_Service():
+#     def __init__(self, service, session):
+#         self.client = session.client(service)
+
+#     def get_client(self):
+#         return self.client

providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials.metadata.json

@@ -0,0 +1,58 @@
+{
+  "Categories": [
+    "cat1",
+    "cat2"
+  ],
+  "CheckAlias": "extra764",
+  "CheckID": "iam-check-credentials-expiration-30-days",
+  "CheckName": "iam-check-credentials-expiration-30-days",
+  "CheckTitle": "IAM Access Analyzer Enabled",
+  "CheckType": "Software and Configuration Checks",
+  "Compliance": [
+    {
+      "Control": [
+        "4.4"
+      ],
+      "Framework": "CIS-AWS",
+      "Group": [
+        "level1",
+        "level2"
+      ],
+      "Version": "1.4"
+    }
+  ],
+  "DependsOn": [
+    "othercheck1",
+    "othercheck2"
+  ],
+  "Description": "If Security groups are not properly configured the attack surface is increased.",
+  "Notes": "additional information",
+  "Provider": "aws",
+  "RelatedTo": [
+    "othercheck3",
+    "othercheck4"
+  ],
+  "RelatedUrl": "https://serviceofficialsiteorpageforthissubject",
+  "Remediation": {
+    "Code": {
+      "NativeIaC": "code or URL to the code location.",
+      "Terraform": "code or URL to the code location.",
+      "cli": "cli command or URL to the cli command location.",
+      "other": "cli command or URL to the cli command location."
+    },
+    "Recommendation": {
+      "Text": "Run sudo yum update and cross your fingers and toes.",
+      "Url": "https://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html"
+    }
+  },
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceType": "AwsIamAccessAnalyzer",
+  "Risk": "Risk associated.",
+  "ServiceName": "iam",
+  "Severity": "low",
+  "SubServiceName": "accessanalyzer",
+  "Tags": {
+    "Tag1Key": "value",
+    "Tag2Key": "value"
+  }
+}

providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials.py

@@ -0,0 +1,49 @@
+from datetime import datetime
+
+from lib.check import Check, Check_Report
+from providers.aws.services.iam.iam_service import iam_client
+
+maximum_expiration_days = 30
+
+
+class iam_disable_30_days_credentials(Check):
+    def execute(self) -> Check_Report:
+        findings = []
+        report = Check_Report
+
+        response = iam_client.users
+
+        if response:
+            for user in response:
+                report = Check_Report
+                if "PasswordLastUsed" in user and user["PasswordLastUsed"] != "":
+                    try:
+                        time_since_insertion = (
+                            datetime.datetime.now(datetime.timezone.utc)
+                            - user["PasswordLastUsed"]
+                        )
+                        if time_since_insertion.days > maximum_expiration_days:
+                            report.status = "FAIL"
+                            report.result_extended = f"User {user['UserName']} has not logged into the console in the past 90 days"
+                            report.region = "us-east-1"
+                        else:
+                            report.status = "PASS"
+                            report.result_extended = f"User {user['UserName']} has logged into the console in the past 90 days"
+                            report.region = "us-east-1"
+                    except KeyError:
+                        pass
+                else:
+                    report.status = "PASS"
+                    report.result_extended = (
+                        f"User {user['UserName']} has not console password"
+                    )
+                    report.region = "us-east-1"
+
+                # Append report
+                findings.append(report)
+        else:
+            report.status = "PASS"
+            report.result_extended = "There is no IAM users"
+            report.region = "us-east-1"
+
+        return findings

providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials.metadata.json

@@ -0,0 +1,58 @@
+{
+  "Categories": [
+    "cat1",
+    "cat2"
+  ],
+  "CheckAlias": "extra764",
+  "CheckID": "iam-check-credentials-expiration-90-days",
+  "CheckName": "iam-check-credentials-expiration-90-days",
+  "CheckTitle": "IAM Access Analyzer Enabled",
+  "CheckType": "Software and Configuration Checks",
+  "Compliance": [
+    {
+      "Control": [
+        "4.4"
+      ],
+      "Framework": "CIS-AWS",
+      "Group": [
+        "level1",
+        "level2"
+      ],
+      "Version": "1.4"
+    }
+  ],
+  "DependsOn": [
+    "othercheck1",
+    "othercheck2"
+  ],
+  "Description": "If Security groups are not properly configured the attack surface is increased.",
+  "Notes": "additional information",
+  "Provider": "aws",
+  "RelatedTo": [
+    "othercheck3",
+    "othercheck4"
+  ],
+  "RelatedUrl": "https://serviceofficialsiteorpageforthissubject",
+  "Remediation": {
+    "Code": {
+      "NativeIaC": "code or URL to the code location.",
+      "Terraform": "code or URL to the code location.",
+      "cli": "cli command or URL to the cli command location.",
+      "other": "cli command or URL to the cli command location."
+    },
+    "Recommendation": {
+      "Text": "Run sudo yum update and cross your fingers and toes.",
+      "Url": "https://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html"
+    }
+  },
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceType": "AwsIamAccessAnalyzer",
+  "Risk": "Risk associated.",
+  "ServiceName": "iam",
+  "Severity": "low",
+  "SubServiceName": "accessanalyzer",
+  "Tags": {
+    "Tag1Key": "value",
+    "Tag2Key": "value"
+  }
+}

providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials.py

@@ -0,0 +1,46 @@
+from datetime import datetime
+
+from lib.check import Check, Check_Report
+from providers.aws.services.iam.iam_service import iam_client
+
+maximum_expiration_days = 90
+
+
+class iam_disable_90_days_credentials(Check):
+    def execute(self):
+        findings = []
+        report = Check_Report
+
+        response = iam_client.users
+        if response:
+            for user in response:
+                report = Check_Report
+                if "PasswordLastUsed" in user and user["PasswordLastUsed"] != "":
+                    try:
+                        time_since_insertion = (
+                            datetime.datetime.now(datetime.timezone.utc)
+                            - user["PasswordLastUsed"]
+                        )
+                        if time_since_insertion.days > maximum_expiration_days:
+                            report.status = "FAIL"
+                            report.result_extended = f"User {user['UserName']} has not logged into the console in the past 90 days"
+                            report.region = "us-east-1"
+                        else:
+                            report.status = "PASS"
+                            report.result_extended = f"User {user['UserName']} has logged into the console in the past 90 days"
+                            report.region = "us-east-1"
+                    except KeyError:
+                        pass
+                else:
+                    report.status = "PASS"
+                    report.result_extended = (
+                        f"User {user['UserName']} has not console password"
+                    )
+                    report.region = "us-east-1"
+                findings.append(report)
+        else:
+            report.status = "PASS"
+            report.result_extended = "There is no IAM users"
+            report.region = "us-east-1"
+
+        return findings

providers/aws/services/iam/iam_service.py

@@ -0,0 +1,93 @@
+import botocore
+from boto3 import session
+
+from providers.aws.aws_provider import session
+
+
+################## IAM
+class IAM:
+    def __init__(self, session):
+        self.service = "iam"
+        self.session = session
+        self.client = session.client(self.service)
+        self.users = self.__get_users__()
+        self.roles = self.__get_roles__()
+        self.customer_managed_policies = self.__get_customer_managed_policies__()
+        self.credential_report = self.__get_credential_report__()
+        self.groups = self.__get_groups__()
+
+    def __get_client__(self):
+        return self.client
+
+    def __get_session__(self):
+        return self.session
+
+    def __get_roles__(self):
+        try:
+            get_roles_paginator = self.client.get_paginator("list_roles")
+        except botocore.exceptions.ClientError as error:
+            raise error
+        else:
+            roles = []
+            for page in get_roles_paginator.paginate():
+                for role in page["Roles"]:
+                    roles.append(role)
+
+            return roles
+
+    def __get_credential_report__(self):
+        report_is_completed = False
+        while not report_is_completed:
+            try:
+                report_status = self.client.generate_credential_report()
+            except botocore.exceptions.ClientError as error:
+                raise error
+            else:
+                if report_status["State"] == "COMPLETE":
+                    report_is_completed = True
+
+        return self.client.get_credential_report()
+
+    def __get_groups__(self):
+        try:
+            get_groups_paginator = self.client.get_paginator("list_groups")
+        except botocore.exceptions.ClientError as error:
+            raise error
+        else:
+            groups = []
+            for page in get_groups_paginator.paginate():
+                for group in page["Groups"]:
+                    groups.append(group)
+
+            return groups
+
+    def __get_customer_managed_policies__(self):
+        try:
+            get_customer_managed_policies_paginator = self.client.get_paginator(
+                "list_policies"
+            )
+        except botocore.exceptions.ClientError as error:
+            raise error
+        else:
+            customer_managed_policies = []
+            for page in get_customer_managed_policies_paginator.paginate(Scope="Local"):
+                for customer_managed_policy in page["Policies"]:
+                    customer_managed_policies.append(customer_managed_policy)
+
+            return customer_managed_policies
+
+    def __get_users__(self):
+        try:
+            get_users_paginator = self.client.get_paginator("list_users")
+        except botocore.exceptions.ClientError as error:
+            raise error
+        else:
+            users = []
+            for page in get_users_paginator.paginate():
+                for user in page["Users"]:
+                    users.append(user)
+
+            return users
+
+
+iam_client = IAM(session)