mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 06:45:08 +00:00
feat(compliance): Loader and Execute (#1465)
This commit is contained in:
Pepe Fagoaga
@@ -1,35 +1,36 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "elb_insecure_ssl_ciphers",
|
||||
"CheckTitle": "Check if Elastic Load Balancers have insecure SSL ciphers.",
|
||||
"CheckType": ["Data Protection"],
|
||||
"ServiceName": "elb",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "AwsElbLoadBalancer",
|
||||
"Description": "Check if Elastic Load Balancers have insecure SSL ciphers.",
|
||||
"Risk": "Using insecure ciphers could affect privacy of in transit information.",
|
||||
"RelatedUrl": "",
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws elb set-load-balancer-policies-of-listener --load-balancer-name <lb_name> --load-balancer-port 443 --policy-names ELBSecurityPolicy-TLS-1-2-2017-01",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELB/elb-security-policy.html",
|
||||
"Terraform": "https://docs.bridgecrew.io/docs/bc_aws_general_43#terraform"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Use a Security policy with a ciphers that are stronger as possible. Drop legacy and unsecure ciphers.",
|
||||
"Url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies"
|
||||
}
|
||||
"Provider": "aws",
|
||||
"CheckID": "elb_insecure_ssl_ciphers",
|
||||
"CheckTitle": "Check if Elastic Load Balancers have insecure SSL ciphers.",
|
||||
"CheckType": [
|
||||
"Data Protection"
|
||||
],
|
||||
"ServiceName": "elb",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "AwsElbLoadBalancer",
|
||||
"Description": "Check if Elastic Load Balancers have insecure SSL ciphers.",
|
||||
"Risk": "Using insecure ciphers could affect privacy of in transit information.",
|
||||
"RelatedUrl": "",
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws elb set-load-balancer-policies-of-listener --load-balancer-name <lb_name> --load-balancer-port 443 --policy-names ELBSecurityPolicy-TLS-1-2-2017-01",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELB/elb-security-policy.html",
|
||||
"Terraform": "https://docs.bridgecrew.io/docs/bc_aws_general_43#terraform"
|
||||
},
|
||||
"Categories": [],
|
||||
"Tags": {
|
||||
"Tag1Key": "value",
|
||||
"Tag2Key": "value"
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
}
|
||||
"Recommendation": {
|
||||
"Text": "Use a Security policy with a ciphers that are stronger as possible. Drop legacy and unsecure ciphers.",
|
||||
"Url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Tags": {
|
||||
"Tag1Key": "value",
|
||||
"Tag2Key": "value"
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -9,7 +9,7 @@ class elb_insecure_ssl_ciphers(Check):
|
||||
"ELBSecurityPolicy-TLS-1-2-2017-01",
|
||||
]
|
||||
for lb in elb_client.loadbalancers:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = lb.region
|
||||
report.resource_id = lb.name
|
||||
report.status = "PASS"
|
||||
|
||||
@@ -1,35 +1,36 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "elb_internet_facing",
|
||||
"CheckTitle": "Check for internet facing Elastic Load Balancers.",
|
||||
"CheckType": ["Data Protection"],
|
||||
"ServiceName": "elb",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "AwsElbLoadBalancer",
|
||||
"Description": "Check for internet facing Elastic Load Balancers.",
|
||||
"Risk": "Publicly accessible load balancers could expose sensitive data to bad actors.",
|
||||
"RelatedUrl": "",
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELB/internet-facing-load-balancers.html",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure the load balancer should be publicly accessible. If publicly exposed ensure a WAF ACL is implemented.",
|
||||
"Url": "https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html"
|
||||
}
|
||||
"Provider": "aws",
|
||||
"CheckID": "elb_internet_facing",
|
||||
"CheckTitle": "Check for internet facing Elastic Load Balancers.",
|
||||
"CheckType": [
|
||||
"Data Protection"
|
||||
],
|
||||
"ServiceName": "elb",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "AwsElbLoadBalancer",
|
||||
"Description": "Check for internet facing Elastic Load Balancers.",
|
||||
"Risk": "Publicly accessible load balancers could expose sensitive data to bad actors.",
|
||||
"RelatedUrl": "",
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELB/internet-facing-load-balancers.html",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Categories": [],
|
||||
"Tags": {
|
||||
"Tag1Key": "value",
|
||||
"Tag2Key": "value"
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
}
|
||||
"Recommendation": {
|
||||
"Text": "Ensure the load balancer should be publicly accessible. If publicly exposed ensure a WAF ACL is implemented.",
|
||||
"Url": "https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Tags": {
|
||||
"Tag1Key": "value",
|
||||
"Tag2Key": "value"
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -6,7 +6,7 @@ class elb_internet_facing(Check):
|
||||
def execute(self):
|
||||
findings = []
|
||||
for lb in elb_client.loadbalancers:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = lb.region
|
||||
report.resource_id = lb.name
|
||||
report.status = "PASS"
|
||||
|
||||
@@ -1,35 +1,36 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "elb_logging_enabled",
|
||||
"CheckTitle": "Check if Elastic Load Balancers have logging enabled.",
|
||||
"CheckType": ["Logging and Monitoring"],
|
||||
"ServiceName": "elb",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "AwsElbLoadBalancer",
|
||||
"Description": "Check if Elastic Load Balancers have logging enabled.",
|
||||
"Risk": "If logs are not enabled monitoring of service use and threat analysis is not possible.",
|
||||
"RelatedUrl": "",
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws elb modify-load-balancer-attributes --load-balancer-name <lb_name> --load-balancer-attributes '{AccessLog:{Enabled:true,EmitInterval:60,S3BucketName:<bucket_name>}}'",
|
||||
"NativeIaC": "https://docs.bridgecrew.io/docs/bc_aws_logging_23#cloudformation",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELB/elb-access-log.html",
|
||||
"Terraform": "https://docs.bridgecrew.io/docs/bc_aws_logging_23#terraform"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Enable ELB logging, create la log lifecycle and define use cases.",
|
||||
"Url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html"
|
||||
}
|
||||
"Provider": "aws",
|
||||
"CheckID": "elb_logging_enabled",
|
||||
"CheckTitle": "Check if Elastic Load Balancers have logging enabled.",
|
||||
"CheckType": [
|
||||
"Logging and Monitoring"
|
||||
],
|
||||
"ServiceName": "elb",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "AwsElbLoadBalancer",
|
||||
"Description": "Check if Elastic Load Balancers have logging enabled.",
|
||||
"Risk": "If logs are not enabled monitoring of service use and threat analysis is not possible.",
|
||||
"RelatedUrl": "",
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws elb modify-load-balancer-attributes --load-balancer-name <lb_name> --load-balancer-attributes '{AccessLog:{Enabled:true,EmitInterval:60,S3BucketName:<bucket_name>}}'",
|
||||
"NativeIaC": "https://docs.bridgecrew.io/docs/bc_aws_logging_23#cloudformation",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELB/elb-access-log.html",
|
||||
"Terraform": "https://docs.bridgecrew.io/docs/bc_aws_logging_23#terraform"
|
||||
},
|
||||
"Categories": [],
|
||||
"Tags": {
|
||||
"Tag1Key": "value",
|
||||
"Tag2Key": "value"
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
}
|
||||
"Recommendation": {
|
||||
"Text": "Enable ELB logging, create la log lifecycle and define use cases.",
|
||||
"Url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Tags": {
|
||||
"Tag1Key": "value",
|
||||
"Tag2Key": "value"
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -6,7 +6,7 @@ class elb_logging_enabled(Check):
|
||||
def execute(self):
|
||||
findings = []
|
||||
for lb in elb_client.loadbalancers:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = lb.region
|
||||
report.resource_id = lb.name
|
||||
report.status = "FAIL"
|
||||
|
||||
@@ -1,35 +1,36 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "elb_ssl_listeners",
|
||||
"CheckTitle": "Check if Elastic Load Balancers have SSL listeners.",
|
||||
"CheckType": ["Data Protection"],
|
||||
"ServiceName": "elb",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "AwsElbLoadBalancer",
|
||||
"Description": "Check if Elastic Load Balancers have SSL listeners.",
|
||||
"Risk": "Clear text communication could affect privacy of information in transit.",
|
||||
"RelatedUrl": "",
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws elb create-load-balancer-listeners --load-balancer-name <lb_name> --listeners Protocol=HTTPS, LoadBalancerPort=443, InstanceProtocol=HTTP, InstancePort=80, SSLCertificateId=<certificate_arn>",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELB/elb-listener-security.html",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Scan for Load Balancers with HTTP or TCP listeners and understand the reason for each of them. Check if the listener can be implemented as TLS instead..",
|
||||
"Url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html"
|
||||
}
|
||||
"Provider": "aws",
|
||||
"CheckID": "elb_ssl_listeners",
|
||||
"CheckTitle": "Check if Elastic Load Balancers have SSL listeners.",
|
||||
"CheckType": [
|
||||
"Data Protection"
|
||||
],
|
||||
"ServiceName": "elb",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "AwsElbLoadBalancer",
|
||||
"Description": "Check if Elastic Load Balancers have SSL listeners.",
|
||||
"Risk": "Clear text communication could affect privacy of information in transit.",
|
||||
"RelatedUrl": "",
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws elb create-load-balancer-listeners --load-balancer-name <lb_name> --listeners Protocol=HTTPS, LoadBalancerPort=443, InstanceProtocol=HTTP, InstancePort=80, SSLCertificateId=<certificate_arn>",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELB/elb-listener-security.html",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Categories": [],
|
||||
"Tags": {
|
||||
"Tag1Key": "value",
|
||||
"Tag2Key": "value"
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "",
|
||||
"Compliance": []
|
||||
}
|
||||
"Recommendation": {
|
||||
"Text": "Scan for Load Balancers with HTTP or TCP listeners and understand the reason for each of them. Check if the listener can be implemented as TLS instead..",
|
||||
"Url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Tags": {
|
||||
"Tag1Key": "value",
|
||||
"Tag2Key": "value"
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
}
|
||||
|
||||
@@ -7,7 +7,7 @@ class elb_ssl_listeners(Check):
|
||||
findings = []
|
||||
secure_protocols = ["SSL", "HTTPS"]
|
||||
for lb in elb_client.loadbalancers:
|
||||
report = Check_Report(self.metadata)
|
||||
report = Check_Report(self.metadata())
|
||||
report.region = lb.region
|
||||
report.resource_id = lb.name
|
||||
report.status = "PASS"
|
||||
|
||||
Reference in New Issue
Block a user