From 0ca1a8f28c99cbb656fd6fc5f21f28322a77ad57 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 26 Nov 2018 23:23:16 -0500
Subject: [PATCH 1/4] version and extras last addition
---
 groups/group7_extras | 2 +-
 prowler | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/groups/group7_extras b/groups/group7_extras
index c575b30f..a3abe52e 100644
--- a/groups/group7_extras
+++ b/groups/group7_extras
@@ -15,4 +15,4 @@ GROUP_ID[7]='extras'
 GROUP_NUMBER[7]='7.0'
 GROUP_TITLE[7]='Extras - [extras] **********************************************'
 GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
-GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738'
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739'
diff --git a/prowler b/prowler
index 903a4d45..5787b8ee 100755
--- a/prowler
+++ b/prowler
@@ -32,7 +32,7 @@ OPTRED=""
 OPTNORMAL=""
 # Set the defaults variables
-PROWLER_VERSION=2.0-beta3
+PROWLER_VERSION=2.0
 PROWLER_DIR=$(dirname "$0")
 REGION=""
From 6c2d4d6b019747672997e8e87f113ff413d3e96e Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Tue, 27 Nov 2018 00:03:40 -0500
Subject: [PATCH 2/4] Adding newer checks to GDPR and extras group
---
 groups/group7_extras | 2 +-
 groups/group9_gdpr | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/groups/group7_extras b/groups/group7_extras
index a3abe52e..1cb17917 100644
--- a/groups/group7_extras
+++ b/groups/group7_extras
@@ -15,4 +15,4 @@ GROUP_ID[7]='extras'
 GROUP_NUMBER[7]='7.0'
 GROUP_TITLE[7]='Extras - [extras] **********************************************'
 GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
-GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739'
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740'
diff --git a/groups/group9_gdpr b/groups/group9_gdpr
index 08a55c1c..7df4c6ec 100644
--- a/groups/group9_gdpr
+++ b/groups/group9_gdpr
@@ -15,7 +15,7 @@ GROUP_ID[9]='gdpr'
 GROUP_NUMBER[9]='9.0'
 GROUP_TITLE[9]='GDPR Readiness - ONLY AS REFERENCE - [gdpr] ********************'
 GROUP_RUN_BY_DEFAULT[9]='N' # run it when execute_all is called
-GROUP_CHECKS[9]='extra718,extra725,extra727,check12,check113,check114,extra71,extra731,extra732,extra733,check25,check39,check21,check22,check23,check24,check26,check27,check35,extra726,extra714,extra715,extra717,extra719,extra720,extra721,extra722,check43,check25,extra714,extra729,extra734,extra735,extra736,extra738'
+GROUP_CHECKS[9]='extra718,extra725,extra727,check12,check113,check114,extra71,extra731,extra732,extra733,check25,check39,check21,check22,check23,check24,check26,check27,check35,extra726,extra714,extra715,extra717,extra719,extra720,extra721,extra722,check43,check25,extra714,extra729,extra734,extra735,extra736,extra738,extra740'
 # Resources:
 # https://d1.awsstatic.com/whitepapers/compliance/GDPR_Compliance_on_AWS.pdf
From 31a0de167cf91d40f5e822c44daeff79ec239062 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Tue, 27 Nov 2018 00:07:19 -0500
Subject: [PATCH 3/4] Adding extra340 to GDPR group
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 6f4a8832..107272d0 100644
--- a/README.md
+++ b/README.md
@@ -513,6 +513,7 @@ With this group of checks, Prowler shows result of checks related to GDPR, more
 - 7.35 [extra735] Check if RDS instances storage is encrypted (Not Scored) (Not part of CIS benchmark)
 - 7.36 [extra736] Check exposed KMS keys (Not Scored) (Not part of CIS benchmark)
 - 7.38 [extra738] Check if CloudFront distributions are set to HTTPS (Not Scored) (Not part of CIS benchmark)
+- 7.40 [extra740] Check if EBS snapshots are encrypted (Not Scored) (Not part of CIS benchmark)
 The `gdpr` group of checks uses existing and extra checks. To get a GDPR report, run this command:
From 573fa46aaca1ff109615800b201aeb91befe8af6 Mon Sep 17 00:00:00 2001
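Review bot: The new GROUP_CHECKS[9] value still lists `check25` twice and `extra714` twice, so whatever iterates this comma-separated list will run those two checks twice per GDPR report unless a dedup step exists elsewhere in the runner (not visible here). The duplicates are inherited from the removed line, so this predates the commit, but since the line is being rewritten anyway dropping the second `check25` and the second `extra714` costs nothing and keeps the report from double-counting those findings. The group7 list edited in patches 1 and 2 has no such repeats.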
From: Samuel Dugo
Date: Wed, 5 Dec 2018 11:35:44 +0100
Subject: [PATCH 4/4] Fixed AccessDeniedException on extra730
When executing Prowler using a specific profile (in my case to assume a role) , check_extra730 returns: "An error occurred (AccessDeniedException) when calling the DescribeCertificate operation: User: [ASSUMED_ROLE_ARN] is not authorized to perform: acm:DescribeCertificate on resource: [RESOURCE_ARN]" This is because line 28 did not contain the following parameters: "$PROFILE_OPT --region $regx" .
---
 checks/check_extra730 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/checks/check_extra730 b/checks/check_extra730
index f91b9b27..53be1c58 100644
--- a/checks/check_extra730
+++ b/checks/check_extra730
@@ -25,7 +25,7 @@ extra730(){
 LIST_OF_ACM_CERTS=$($AWSCLI acm list-certificates $PROFILE_OPT --region $regx --query 'CertificateSummaryList[].CertificateArn' --output text)
 if [[ $LIST_OF_ACM_CERTS ]];then
 for cert in $LIST_OF_ACM_CERTS; do
-CERT_DATA=$($AWSCLI acm describe-certificate --certificate-arn $cert --query 'Certificate.[DomainName,NotAfter]' --output text)
+CERT_DATA=$($AWSCLI acm describe-certificate $PROFILE_OPT --region $regx --certificate-arn $cert --query 'Certificate.[DomainName,NotAfter]' --output text)
 echo "$CERT_DATA" | while read FQDN NOTAFTER; do
 EXPIRES_DATE=$(timestamp_to_date $NOTAFTER)
 COUNTER_DAYS=$(how_many_days_from_today $EXPIRES_DATE)
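Review bot: The new describe-certificate line still discards the command's exit status, so when the call fails (the AccessDeniedException this patch addresses under a different profile, API throttling, a transient network error) `CERT_DATA` is empty, the `while read` loop below iterates over nothing and the certificate is silently skipped, which makes a permissions problem look like "no expiring certificates". Checking the status keeps the finding honest: `CERT_DATA=$($AWSCLI acm describe-certificate $PROFILE_OPT --region $regx --certificate-arn "$cert" --query 'Certificate.[DomainName,NotAfter]' --output text) || { echo "extra730: describe-certificate failed for $cert in $regx" >&2; continue; }`. While touching the line, quoting `"$cert"` and using `read -r FQDN NOTAFTER` in the loop below would also satisfy shellcheck; `$PROFILE_OPT` is presumably unquoted on purpose so it word-splits into `--profile NAME`, matching the list-certificates call two lines up. extra730() begins before this hunk and the loop body continues past it.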