feat(pip): Prepare for PyPI (#1531)

This commit is contained in:
Sergio Garcia
2022-12-13 09:07:55 +01:00
committed by GitHub
parent 0cd13b90f4
commit bb09267f2a
1461 changed files with 6625 additions and 6904 deletions


@@ -3,14 +3,13 @@ name: Lint & Test
on:
push:
branches:
- 'prowler-3.0-dev'
- "prowler-3.0-dev"
pull_request:
branches:
- 'prowler-3.0-dev'
- "prowler-3.0-dev"
jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
@@ -36,7 +35,7 @@ jobs:
pipenv run black --check .
- name: Lint with pylint
run: |
pipenv run pylint --disable=W,C,R,E -j 0 providers lib util config
pipenv run pylint --disable=W,C,R,E -j 0 -rn -sn prowler/
- name: Bandit
run: |
pipenv run bandit -q -lll -x '*_test.py,./contrib/' -r .
@@ -48,4 +47,4 @@ jobs:
pipenv run vulture --exclude "contrib" --min-confidence 100 .
- name: Test with pytest
run: |
pipenv run pytest -n auto
pipenv run pytest tests -n auto

3
.gitignore vendored

@@ -8,6 +8,9 @@
# Python code
__pycache__
venv/
build/
dist/
*.egg-info/
# Session
Session.vim


@@ -57,12 +57,12 @@ repos:
hooks:
- id: pylint
name: pylint
entry: bash -c 'pylint --disable=W,C,R,E -j 0 -rn -sn providers lib util config'
entry: bash -c 'pylint --disable=W,C,R,E -j 0 -rn -sn prowler/'
language: system
- id: pytest-check
name: pytest-check
entry: bash -c 'pytest -n auto'
entry: bash -c 'pytest tests -n auto'
language: system
- id: bandit


@@ -22,6 +22,18 @@ lint: ## Lint Code
@echo "Running pylint..."
pylint --disable=W,C,R,E -j 0 providers lib util config
##@ PyPI
pypi-clean: ## Delete the distribution files
rm -rf ./dist && rm -rf ./build && rm -rf prowler_cloud.egg-info
pypi-build: ## Build package
$(MAKE) pypi-clean && \
python3 -m build
pypi-upload: ## Upload package
python3 -m twine upload --repository pypi dist/*
##@ Help
help: ## Show this help.
@echo "Prowler Makefile"
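Review bot: `pypi-upload` pushes whatever is in `dist/*` with no validation of the artefacts and no declared dependency on `pypi-build`, so a stale or half-built directory ships as-is; a metadata check before the upload is cheap, e.g. `python3 -m twine check dist/* && python3 -m twine upload --repository pypi dist/*`. The three new targets (`pypi-clean`, `pypi-build`, `pypi-upload`) produce no files of those names and should be listed in `.PHONY`, unless that is already done in a part of the Makefile outside this hunk. The `rm -rf` calls in `pypi-clean` act on fixed relative paths and are safe as written, but the hard-coded `prowler_cloud.egg-info` silently stops matching if the distribution name changes; `rm -rf ./dist ./build *.egg-info` would track the new `.gitignore` entry instead. The hunk begins inside the recipe of `lint`, whose header line lies outside it.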


@@ -28,7 +28,7 @@ flake8 = "5.0.4"
bandit = "1.7.4"
safety = "2.3.1"
vulture = "2.6"
moto = "4.0.9"
moto = "4.0.11"
docker = "6.0.0"
openapi-spec-validator = "0.5.1"
pytest = "7.1.2"

142
Pipfile.lock generated

@@ -1,7 +1,7 @@
{
"_meta": {
"hash": {
"sha256": "7860a43544b6af1c974d803ad88cd25d6750e4c72d98b71097baa3d59a260288"
"sha256": "267c2834261b566bdbfe631a063a481e14a0114871d7ca2f02d57a798e33ee56"
},
"pipfile-spec": 6,
"requires": {
@@ -112,27 +112,27 @@
},
"boto3": {
"hashes": [
"sha256:4b4edf893b01c651007d61534c1d248cd2350d311a4e295039bd23fd60bf899a",
"sha256:59aa6c7810a815fb52671f834d10ac4cd80b9c7c01a3cbde670cb41330059464"
"sha256:53badfc5f145b8a3f9117512b41bc5a64db1cce1b549061d8edba68909e63fdf",
"sha256:548081a0f8854bb2eea1e368ab29945478105f56989546f653c75528dcb07d88"
],
"index": "pypi",
"version": "==1.26.19"
"version": "==1.26.28"
},
"botocore": {
"hashes": [
"sha256:917807ee4ccca34a2f2848eb4fcf878d9e97a44a911a6965ff556d0830c471fd",
"sha256:a54561e591f5d8e653657ce04dcad09c10ebca9dbefba73471976e522abf038a"
"sha256:982732e7ed65cb6ed11ea3ce0e32dff2bcd465836c32376154f0802aa0a112c7",
"sha256:f0b8bb976e368dea20a960b47169e31fc0828feb6f0b9f59f1e5be8d08919b10"
],
"index": "pypi",
"version": "==1.29.19"
"version": "==1.29.28"
},
"certifi": {
"hashes": [
"sha256:0d9c601124e5a6ba9712dbc60d9c53c21e34f5f641fe83002317394311bdce14",
"sha256:90c1a32f1d68f940488354e36370f6cca89f0f106db09518524c88d6ed83f382"
"sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3",
"sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18"
],
"markers": "python_version >= '3.6'",
"version": "==2022.9.24"
"version": "==2022.12.7"
},
"cffi": {
"hashes": [
@@ -562,54 +562,45 @@
},
"black": {
"hashes": [
"sha256:14ff67aec0a47c424bc99b71005202045dc09270da44a27848d534600ac64fc7",
"sha256:197df8509263b0b8614e1df1756b1dd41be6738eed2ba9e9769f3880c2b9d7b6",
"sha256:1e464456d24e23d11fced2bc8c47ef66d471f845c7b7a42f3bd77bf3d1789650",
"sha256:2039230db3c6c639bd84efe3292ec7b06e9214a2992cd9beb293d639c6402edb",
"sha256:21199526696b8f09c3997e2b4db8d0b108d801a348414264d2eb8eb2532e540d",
"sha256:2644b5d63633702bc2c5f3754b1b475378fbbfb481f62319388235d0cd104c2d",
"sha256:432247333090c8c5366e69627ccb363bc58514ae3e63f7fc75c54b1ea80fa7de",
"sha256:444ebfb4e441254e87bad00c661fe32df9969b2bf224373a448d8aca2132b395",
"sha256:5b9b29da4f564ba8787c119f37d174f2b69cdfdf9015b7d8c5c16121ddc054ae",
"sha256:5cc42ca67989e9c3cf859e84c2bf014f6633db63d1cbdf8fdb666dcd9e77e3fa",
"sha256:5d8f74030e67087b219b032aa33a919fae8806d49c867846bfacde57f43972ef",
"sha256:72ef3925f30e12a184889aac03d77d031056860ccae8a1e519f6cbb742736383",
"sha256:819dc789f4498ecc91438a7de64427c73b45035e2e3680c92e18795a839ebb66",
"sha256:915ace4ff03fdfff953962fa672d44be269deb2eaf88499a0f8805221bc68c87",
"sha256:9311e99228ae10023300ecac05be5a296f60d2fd10fff31cf5c1fa4ca4b1988d",
"sha256:974308c58d057a651d182208a484ce80a26dac0caef2895836a92dd6ebd725e0",
"sha256:b8b49776299fece66bffaafe357d929ca9451450f5466e997a7285ab0fe28e3b",
"sha256:c957b2b4ea88587b46cf49d1dc17681c1e672864fd7af32fc1e9664d572b3458",
"sha256:e41a86c6c650bcecc6633ee3180d80a025db041a8e2398dcc059b3afa8382cd4",
"sha256:f513588da599943e0cde4e32cc9879e825d58720d6557062d1098c5ad80080e1",
"sha256:fba8a281e570adafb79f7755ac8721b6cf1bbf691186a287e990c7929c7692ff"
"sha256:101c69b23df9b44247bd88e1d7e90154336ac4992502d4197bdac35dd7ee3320",
"sha256:159a46a4947f73387b4d83e87ea006dbb2337eab6c879620a3ba52699b1f4351",
"sha256:1f58cbe16dfe8c12b7434e50ff889fa479072096d79f0a7f25e4ab8e94cd8350",
"sha256:229351e5a18ca30f447bf724d007f890f97e13af070bb6ad4c0a441cd7596a2f",
"sha256:436cc9167dd28040ad90d3b404aec22cedf24a6e4d7de221bec2730ec0c97bcf",
"sha256:559c7a1ba9a006226f09e4916060982fd27334ae1998e7a38b3f33a37f7a2148",
"sha256:7412e75863aa5c5411886804678b7d083c7c28421210180d67dfd8cf1221e1f4",
"sha256:77d86c9f3db9b1bf6761244bc0b3572a546f5fe37917a044e02f3166d5aafa7d",
"sha256:82d9fe8fee3401e02e79767016b4907820a7dc28d70d137eb397b92ef3cc5bfc",
"sha256:9eedd20838bd5d75b80c9f5487dbcb06836a43833a37846cf1d8c1cc01cef59d",
"sha256:c116eed0efb9ff870ded8b62fe9f28dd61ef6e9ddd28d83d7d264a38417dcee2",
"sha256:d30b212bffeb1e252b31dd269dfae69dd17e06d92b87ad26e23890f3efea366f"
],
"index": "pypi",
"version": "==22.10.0"
"version": "==22.12.0"
},
"boto3": {
"hashes": [
"sha256:4b4edf893b01c651007d61534c1d248cd2350d311a4e295039bd23fd60bf899a",
"sha256:59aa6c7810a815fb52671f834d10ac4cd80b9c7c01a3cbde670cb41330059464"
"sha256:53badfc5f145b8a3f9117512b41bc5a64db1cce1b549061d8edba68909e63fdf",
"sha256:548081a0f8854bb2eea1e368ab29945478105f56989546f653c75528dcb07d88"
],
"index": "pypi",
"version": "==1.26.19"
"version": "==1.26.28"
},
"botocore": {
"hashes": [
"sha256:917807ee4ccca34a2f2848eb4fcf878d9e97a44a911a6965ff556d0830c471fd",
"sha256:a54561e591f5d8e653657ce04dcad09c10ebca9dbefba73471976e522abf038a"
"sha256:982732e7ed65cb6ed11ea3ce0e32dff2bcd465836c32376154f0802aa0a112c7",
"sha256:f0b8bb976e368dea20a960b47169e31fc0828feb6f0b9f59f1e5be8d08919b10"
],
"index": "pypi",
"version": "==1.29.19"
"version": "==1.29.28"
},
"certifi": {
"hashes": [
"sha256:0d9c601124e5a6ba9712dbc60d9c53c21e34f5f641fe83002317394311bdce14",
"sha256:90c1a32f1d68f940488354e36370f6cca89f0f106db09518524c88d6ed83f382"
"sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3",
"sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18"
],
"markers": "python_version >= '3.6'",
"version": "==2022.9.24"
"version": "==2022.12.7"
},
"cffi": {
"hashes": [
@@ -866,11 +857,11 @@
},
"importlib-resources": {
"hashes": [
"sha256:c01b1b94210d9849f286b86bb51bcea7cd56dde0600d8db721d7b81330711668",
"sha256:ee17ec648f85480d523596ce49eae8ead87d5631ae1551f913c0100b5edd3437"
"sha256:32bb095bda29741f6ef0e5278c42df98d135391bee5f932841efc0041f748dc3",
"sha256:c09b067d82e72c66f4f8eb12332f5efbebc9b007c0b6c40818108c9870adc363"
],
"markers": "python_version >= '3.7'",
"version": "==5.10.0"
"version": "==5.10.1"
},
"iniconfig": {
"hashes": [
@@ -881,11 +872,11 @@
},
"isort": {
"hashes": [
"sha256:6f62d78e2f89b4500b080fe3a81690850cd254227f27f75c3a0c491a1f351ba7",
"sha256:e8443a5e7a020e9d7f97f1d7d9cd17c88bcb3bc7e218bf9cf5095fe550be2951"
"sha256:7c5bd998504826b6f1e6f2f98b533976b066baba29b8bae83fdeefd0b89c6b70",
"sha256:bf02c95f1fe615ebbe13a619cfed1619ddfe8941274c9e3de3143adca406cb02"
],
"markers": "python_full_version >= '3.6.1' and python_full_version < '4.0.0'",
"version": "==5.10.1"
"markers": "python_version >= '3.7'",
"version": "==5.11.1"
},
"jinja2": {
"hashes": [
@@ -995,7 +986,7 @@
"sha256:348e0240c33b60bbdf4e523192ef919f28cb2c3d7d5c7794f74009290f236325",
"sha256:6c2d30ab6be0e4a46919781807b4f0d834ebdd6c6e3dca0bda5a15f863427b6e"
],
"markers": "python_version >= '3.6'",
"markers": "python_full_version >= '3.6.0'",
"version": "==0.7.0"
},
"mock": {
@@ -1003,16 +994,16 @@
"sha256:122fcb64ee37cfad5b3f48d7a7d51875d7031aaf3d8be7c42e2bee25044eee62",
"sha256:7d3fbbde18228f4ff2f1f119a45cdffa458b4c0dee32eb4d2bb2f82554bac7bc"
],
"markers": "python_version >= '3.6'",
"markers": "python_full_version >= '3.6.0'",
"version": "==4.0.3"
},
"moto": {
"hashes": [
"sha256:356bf792b439228891c910e2a0fafd4264334cf9000b508c732ff43d8694fb6a",
"sha256:9ba96d04a472d5682493cad7fee33337da34ebef18b397af1ea6dfb41efbe148"
"sha256:704d6d38a4e6fe49e1fe9c6b4127ca46c66aac00368149bc1f1d70a0ceff8846",
"sha256:a6388de4a746e0b509286e1d7e70f86900b4f69ec65f6c92c47e570f95d05b14"
],
"index": "pypi",
"version": "==4.0.10"
"version": "==4.0.11"
},
"mypy-extensions": {
"hashes": [
@@ -1042,7 +1033,7 @@
"sha256:dd47c42927d89ab911e606518907cc2d3a1f38bbd026385970643f9c5b8ecfeb",
"sha256:ef103e05f519cdc783ae24ea4e2e0f508a9c99b2d4969652eed6a2e1ea5bd522"
],
"markers": "python_version >= '3.6'",
"markers": "python_full_version >= '3.6.0'",
"version": "==21.3"
},
"pathable": {
@@ -1055,11 +1046,11 @@
},
"pathspec": {
"hashes": [
"sha256:88c2606f2c1e818b978540f73ecc908e13999c6c3a383daf3705652ae79807a5",
"sha256:8f6bf73e5758fd365ef5d58ce09ac7c27d2833a8d7da51712eac6e27e35141b0"
"sha256:3c95343af8b756205e2aba76e843ba9520a24dd84f68c22b9f93251507509dd6",
"sha256:56200de4077d9d0791465aa9095a01d421861e405b5096955051deefd697d6f6"
],
"markers": "python_version >= '3.7'",
"version": "==0.10.2"
"version": "==0.10.3"
},
"pbr": {
"hashes": [
@@ -1071,18 +1062,18 @@
},
"platformdirs": {
"hashes": [
"sha256:1006647646d80f16130f052404c6b901e80ee4ed6bef6792e1f238a8969106f7",
"sha256:af0276409f9a02373d540bf8480021a048711d572745aef4b7842dad245eba10"
"sha256:1a89a12377800c81983db6be069ec068eee989748799b946cce2a6e80dcc54ca",
"sha256:b46ffafa316e6b83b47489d240ce17173f123a9b9c83282141c3daf26ad9ac2e"
],
"markers": "python_version >= '3.7'",
"version": "==2.5.4"
"version": "==2.6.0"
},
"pluggy": {
"hashes": [
"sha256:4224373bacce55f955a878bf9cfa763c1e360858e330072059e10bad68531159",
"sha256:74134bbf457f031a36d68416e1509f34bd5ccc019f0bcc952c7b909d06b37bd3"
],
"markers": "python_version >= '3.6'",
"markers": "python_full_version >= '3.6.0'",
"version": "==1.0.0"
},
"pycodestyle": {
@@ -1090,7 +1081,7 @@
"sha256:347187bdb476329d98f695c213d7295a846d1152ff4fe9bacb8a9590b8ee7053",
"sha256:8a4eaf0d0495c7395bdab3589ac2db602797d76207242c17d470186815706610"
],
"markers": "python_version >= '3.6'",
"markers": "python_full_version >= '3.6.0'",
"version": "==2.10.0"
},
"pycparser": {
@@ -1105,16 +1096,16 @@
"sha256:ec55bf7fe21fff7f1ad2f7da62363d749e2a470500eab1b555334b67aa1ef8cf",
"sha256:ec8b276a6b60bd80defed25add7e439881c19e64850afd9b346283d4165fd0fd"
],
"markers": "python_version >= '3.6'",
"markers": "python_full_version >= '3.6.0'",
"version": "==3.0.1"
},
"pylint": {
"hashes": [
"sha256:1d561d1d3e8be9dd880edc685162fbdaa0409c88b9b7400873c0cf345602e326",
"sha256:91e4776dbcb4b4d921a3e4b6fec669551107ba11f29d9199154a01622e460a57"
"sha256:ea82cd6a1e11062dc86d555d07c021b0fb65afe39becbe6fe692efd6c4a67443",
"sha256:ec4a87c33da054ab86a6c79afa6771dc8765cb5631620053e727fcf3ef8cbed7"
],
"index": "pypi",
"version": "==2.15.7"
"version": "==2.15.8"
},
"pyparsing": {
"hashes": [
@@ -1162,11 +1153,11 @@
},
"pytest-xdist": {
"hashes": [
"sha256:688da9b814370e891ba5de650c9327d1a9d861721a524eb917e620eec3e90291",
"sha256:9feb9a18e1790696ea23e1434fa73b325ed4998b0e9fcb221f16fd1945e6df1b"
"sha256:40fdb8f3544921c5dfcd486ac080ce22870e71d82ced6d2e78fa97c2addd480c",
"sha256:70a76f191d8a1d2d6be69fc440cdf85f3e4c03c08b520fd5dc5d338d6cf07d89"
],
"index": "pypi",
"version": "==3.0.2"
"version": "==3.1.0"
},
"python-dateutil": {
"hashes": [
@@ -1264,6 +1255,7 @@
"sha256:3243f48ecd450eddadc2d11b5feb08aca941b5cd98c9b1db14b2fd128be8c697",
"sha256:370445fd795706fd291ab00c9df38a0caed0f17a6fb46b0f607668ecb16ce763",
"sha256:40d030e2329ce5286d6b231b8726959ebbe0404c92f0a578c0e2482182e38282",
"sha256:41d0f1fa4c6830176eef5b276af04c89320ea616655d01327d5ce65e50575c94",
"sha256:4a4d8d417868d68b979076a9be6a38c676eca060785abaa6709c7b31593c35d1",
"sha256:4b3a93bb9bc662fc1f99c5c3ea8e623d8b23ad22f861eb6fce9377ac07ad6072",
"sha256:5bc0667c1eb8f83a3752b71b9c4ba55ef7c7058ae57022dd9b29065186a113d9",
@@ -1302,11 +1294,11 @@
},
"safety": {
"hashes": [
"sha256:2e17cf127472ca720cdcc65f834008b555a10fe56627646009ab7565dd2459cf",
"sha256:c12b2aaf3495faf42951fdd91d3c5ce6ecffd05efa423a29244408b72c556744"
"sha256:2227fcac1b22b53c1615af78872b48348661691450aa25d6704a5504dbd1f7e2",
"sha256:a60c11f8952f412cbb165d70cb1f673a3b43a2ba9a93ce11f97e6a4de834aa3a"
],
"index": "pypi",
"version": "==2.3.3"
"version": "==2.3.5"
},
"setuptools": {
"hashes": [
@@ -1329,7 +1321,7 @@
"sha256:2aba19d6a040e78d8b09de5c57e96207b09ed71d8e55ce0959eeee6c8e190d94",
"sha256:c840e62059cd3be204b0c9c9f74be2c09d5648eddd4580d9314c3ecde0b30936"
],
"markers": "python_version >= '3.6'",
"markers": "python_full_version >= '3.6.0'",
"version": "==5.0.0"
},
"stevedore": {
@@ -1360,7 +1352,7 @@
"sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc",
"sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f"
],
"markers": "python_full_version < '3.11.0a7'",
"markers": "python_version < '3.11'",
"version": "==2.0.1"
},
"tomlkit": {
@@ -1368,7 +1360,7 @@
"sha256:07de26b0d8cfc18f871aec595fda24d95b08fef89d147caa861939f37230bf4b",
"sha256:71b952e5721688937fb02cf9d354dbcf0785066149d2855e44531ebdd2b65d73"
],
"markers": "python_version >= '3.6'",
"markers": "python_full_version >= '3.6.0'",
"version": "==0.11.6"
},
"types-toml": {


@@ -228,6 +228,3 @@ while IFS=, read -r PROFILE ACCOUNT_NUM REPREGION TITLE_ID RESULT SCORED LEVEL T
fi
done < $INPUT
addHtmlFooter >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML


@@ -19,15 +19,15 @@
# 6 - Error sending to socket
import signal
import sys
import socket
import argparse
import subprocess
import json
from datetime import datetime
import os
import re
import signal
import socket
import subprocess
import sys
from datetime import datetime
################################################################################
# Constants


@@ -1,22 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
GROUP_ID[10]='hipaa'
GROUP_NUMBER[10]='10.0'
GROUP_TITLE[10]='HIPAA Compliance - ONLY AS REFERENCE - [hipaa] ****************'
GROUP_RUN_BY_DEFAULT[10]='N' # run it when execute_all is called
GROUP_CHECKS[10]='check12,check113,check23,check26,check27,check29,extra718,extra725,extra72,extra75,extra717,extra729,extra734,check38,extra73,extra740,extra735,check112,check13,check15,check16,check17,check18,check19,check21,check24,check28,check31,check310,check311,check312,check313,check314,check32,check33,check34,check35,check36,check37,check39,extra792'
# Resources:
# https://d0.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf
# https://www.slideshare.net/AmazonWebServices/wps301navigating-hipaa-and-hitrustquickstart-guide-to-account-gov-stratpdf


@@ -1,22 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
GROUP_ID[11]='secrets'
GROUP_NUMBER[11]='11.0'
GROUP_TITLE[11]='Look for keys secrets or passwords around resources - [secrets]'
GROUP_RUN_BY_DEFAULT[11]='N' # but it runs when execute_all is called (default)
GROUP_CHECKS[11]='extra741,extra742,extra759,extra760,extra768,extra775,extra7141'
# requires https://github.com/Yelp/detect-secrets
# `pip install detect-secrets`


@@ -1,19 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
GROUP_ID[12]='apigateway'
GROUP_NUMBER[12]='12.0'
GROUP_TITLE[12]='API Gateway security checks - [apigateway] ********************'
GROUP_RUN_BY_DEFAULT[12]='N' # run it when execute_all is called
GROUP_CHECKS[12]='extra722,extra743,extra744,extra745,extra746'


@@ -1,18 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
GROUP_ID[13]='rds'
GROUP_NUMBER[13]='13.0'
GROUP_TITLE[13]='RDS security checks - [rds] ***********************************'
GROUP_RUN_BY_DEFAULT[13]='N' # run it when execute_all is called
GROUP_CHECKS[13]='extra78,extra723,extra735,extra739,extra747,extra7113,extra7131,extra7132,extra7133'


@@ -1,18 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
GROUP_ID[14]='elasticsearch'
GROUP_NUMBER[14]='14.0'
GROUP_TITLE[14]='Elasticsearch related security checks - [elasticsearch] *******'
GROUP_RUN_BY_DEFAULT[14]='N' # run it when execute_all is called
GROUP_CHECKS[14]='extra715,extra716,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra787,extra788,extra7101'


@@ -1,133 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
GROUP_ID[15]='pci'
GROUP_NUMBER[15]='15.0'
GROUP_TITLE[15]='PCI-DSS v3.2.1 Readiness - ONLY AS REFERENCE - [pci] **********'
GROUP_RUN_BY_DEFAULT[15]='N' # run it when execute_all is called
GROUP_CHECKS[15]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check112,check113,check114,check116,check21,check23,check25,check26,check27,check28,check29,check314,check36,check38,check43,extra711,extra713,extra717,extra718,extra72,extra729,extra735,extra738,extra740,extra744,extra748,extra75,extra750,extra751,extra753,extra754,extra755,extra773,extra78,extra780,extra781,extra782,extra783,extra784,extra785,extra787,extra788,extra798'
# Resources:
# https://github.com/toniblyx/prowler/issues/296
# List of checks based on PCI v3.2.1
# 3.1 Requirement: Install and Maintain a Firewall Configuration to Protect Cardholder Data
# Ensure no security groups allow ingress from 0.0.0.0/0 to all ports and protocols extra748
# Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP 3389) check42
# Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP 22) check41
# Ensure no security groups allow ingress from 0.0.0.0/0 to Oracle (TCP 1521) extra749
# Ensure no security groups allow ingress from 0.0.0.0/0 to Oracle (TCP and UDP 2483) extra749
# Ensure no security groups allow ingress from 0.0.0.0/0 to Oracle (UDP 2483) extra749
# Ensure no security groups allow ingress from 0.0.0.0/0 to MySQL (TCP 3306) extra750
# Ensure no security groups allow ingress from 0.0.0.0/0 to Postgres (TCP 5432) extra751
# Ensure no security groups allow ingress from 0.0.0.0/0 to Redis (TCP 6379)extra752
# Ensure no security groups allow ingress from 0.0.0.0/0 to MongoDB (TCP 27017 and 27018) extra753
# Ensure no security groups allow ingress from 0.0.0.0/0 to Cassandra (TCP 7199, 9160 and 8888) extra754
# Ensure no security groups allow ingress from 0.0.0.0/0 to Memcached (TCP and UDP 11211) extra755
# Ensure no security groups allow ingress from 0.0.0.0/0 to Elasticsearch ports (TCP 9200/9300/5601) extra779
# Ensure the default security group restricts all traffic check43
# Remove unused security groups extra75
# RDS should not have Public interface open to a public scope extra78
# Check for Publicly Accessible Redshift Clusters extra711
# Ensure Lambda Functions are not publicly accessible extra798
# 3.2 Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
# Instance with administrative service: SSH (TCP:22) is exposed to the public Internet check41
# Instance with administrative service: RDP (TCP:3389) is exposed to the public Internet check42
# Instance with unencrypted Redis: (TCP:6379) is exposed to the public Internet extra752
# 3.3 Requirement 3: Protect Stored Cardholder Data
# S3 Buckets Server Side encryption at rest extra734
# Ensure ECS Cluster At-rest encryption TODO
# Ensure DynamoDB -Server Side Encryption DONE (default behavior)
# Check if RDS instances storage is encrypted extra735
# Ensure there are no EBS Volumes unencrypted extra729
# Ensure CloudTrail logs are encrypted at rest using KMS CMKs check27
# Ensure rotation for customer created CMKs is enabled check28
# Check if EBS snapshots are encrypted extra740
# Ensure there are no EBS Snapshots set as Public extra72
# Ensure there is no Fargate containers in use (/aws/containers-roadmap/issues/314) TODO
# 3.4 Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks
# Use encrypted connections between CloudFront and origin server extra738 and TODO
# Ensure that S3 Buckets only allow data transfer using SSL/TLS extra734
# ELB is setup with SSL for secure communications TODO
# Ensure the access keys are rotated every 90 days or less check14
# Network Load Balancer with unencrypted service: ElasticSearch (TCP:9200) is exposed to the public Internet TODO? ELB on SSL should be enough extra779 and extra716
# Network Load Balancer with unencrypted service: ElasticSearch (TCP:9300) is exposed to the public Internet TODO? ELB on SSL should be enough extra779 and extra716
# Network Load Balancer with unencrypted service: LDAP (UDP:389) is exposed to the public Internet TODO? ELB on SSL should be enough
# Network Load Balancer with unencrypted service: LDAP (TCP:389) is exposed to the public Internet TODO? ELB on SSL should be enough
# Instance with unencrypted service: ElasticSearch (TCP:9200) is exposed to the public Internet extra779 and extra716
# Instance with unencrypted service: ElasticSearch (TCP:9300) is exposed to the public Internet extra779 and extra716
# Instance with unencrypted service: LDAP (UDP:389) is exposed to the public Internet
# Instance with unencrypted service: LDAP (TCP:389) is exposed to the public Internet
# Instance with unencrypted Redis: (TCP:6379) is exposed to the public Internet
# 3.5. Requirement 5: Protect All Systems Against Malware and Regularly Update Anti-Virus Software or Programs
# N/A
# 3.6. Requirement 6: Develop and Maintain Secure Systems and Applications
# Ensure Inspector has Assessment Targets TODO
# Ensure Inspector has a Scheduled Assessment Template TODO
# Check for WAF IPSet TODO
# Check for WAF Constraint Sets TODO
# Check for WAF Web ACL extra744,extra773
# 3.7. Requirement 7: Restrict Access to Cardholder Data By Business Need To Know
# Credentials (access keys) unused for 90 days or more should be disabled check13
# Credentials (password enabled) unused for 90 days or more should be disabled check111
# Ensure IAM policies are attached only to groups or roles check116
# 3.8. Requirement 8: Identify and Authenticate Access to System Components
# Enforce password policy: IAM (check15, check16, check17, check18, check19, check110, check111)
# Ensure that MFA is enabled for root account check113
# Ensure MFA is enabled for all IAM users that have a console password check12
# Ensure no root account access key exist check112
# Ensure hardware MFA is enabled for the root account check114
# Avoid the use of root account. check11
# 3.9 Requirement 9: Restrict Physical Access to Cardholder Data
# N/A
# 3.10. Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data
# Ensure CloudTrail is enabled in all regions check21
# Ensure VPC Flow Logging is enabled in all the applicable Regions check29
# Ensure S3 Buckets access logging is enabled on the CloudTrail S3 bucket check26
# ELB is created with access logs enabled extra717
# S3 bucket should have server access logging enabled extra718
# Ensure AWS Config in all regions check25
# S3 bucket CloudTrail logs should not have public accessible check23
# S3 buckets should not be world-listable extra73
# S3 buckets should not be world-writable extra73
# S3 buckets should not be world-readable extra73
# Ensure a log metric filter and alarm exist for S3 bucket policy changes check38
# Ensure a log metric exist for AWS Management console authentication failures check36
# Ensure a log metric exist for VPC changes check314
# 3.11. Requirement 11: Regularly Test Security Systems and Processes
# Ensure AWS GuarDduty is enabled extra713
# Ensure Inspector has Assessment Targets
# Ensure Inspector has a Scheduled Assessment Template
# Requirement 12: Maintain a Policy That Addresses Information Security For All Personnel
# N/A


@@ -1,23 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
GROUP_ID[16]='trustboundaries'
GROUP_NUMBER[16]='16.0'
GROUP_TITLE[16]='Find cross-account trust boundaries - [trustboundaries] *******'
GROUP_RUN_BY_DEFAULT[16]='N' # run it when execute_all is called
GROUP_CHECKS[16]='extra789,extra790'
# Single account environment: No action required. The AWS account number will be automatically added by the checks.
# Multi account environment: Any additional trusted account number should be added as a space separated list, e.g.
# GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS="1234567890 0987654321 6789012345"
GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS=''


@@ -1,50 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
GROUP_ID[17]='internet-exposed'
GROUP_NUMBER[17]='17.0'
GROUP_TITLE[17]='Find resources exposed to the internet - [internet-exposed] ***'
GROUP_RUN_BY_DEFAULT[17]='N' # run it when execute_all is called
GROUP_CHECKS[17]='check41,check42,check45,check46,extra72,extra73,extra74,extra76,extra77,extra78,extra79,extra710,extra711,extra716,extra723,extra727,extra731,extra736,extra738,extra745,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra770,extra771,extra778,extra779,extra787,extra788,extra795,extra796,extra798,extra7102,extra7134,extra7135,extra7136,extra7137,extra7138'
# 4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored) [group4, cislevel1, cislevel2]
# 4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored) [group4, cislevel1, cislevel2]
# 7.2 [extra72] Ensure there are no EBS Snapshots set as Public [extras, forensics-ready, gdpr, hipaa, apigateway, rds]
# 7.3 [extra73] Ensure there are no S3 buckets open to the Everyone or Any AWS user [extras, gdpr, hipaa, rds]
# 7.4 [extra74] Ensure there are no Security Groups without ingress filtering being used [extras, gdpr, hipaa, secrets, apigateway, rds]
# 7.6 [extra76] Ensure there are no EC2 AMIs set as Public [extras, gdpr, secrets]
# 7.7 [extra77] Ensure there are no ECR repositories set as Public [group1, extras, secrets, elasticsearch]
# 7.8 [extra78] Ensure there are no Public Accessible RDS instances [extras, rds, elasticsearch, trustboundaries]
# 7.9 [extra79] Check for internet facing Elastic Load Balancers [extras, trustboundaries]
# 7.10 [extra710] Check for internet facing EC2 Instances [extras]
# 7.11 [extra711] Check for Publicly Accessible Redshift Clusters [extras]
# 7.16 [extra716] Check if Amazon Elasticsearch Service (ES) domains are set as Public or if it has open policy access [extras, elasticsearch]
# 7.23 [extra723] Check if RDS Snapshots and Cluster Snapshots are public [extras, rds]
# 7.27 [extra727] Check if SQS queues have policy set as Public [extras, gdpr]
# 7.31 [extra731] Check if SNS topics have policy set as Public [extras, gdpr]
# 7.38 [extra738] Check if CloudFront distributions are set to HTTPS [extras, gdpr]
# 7.45 [extra745] Check if API Gateway endpoint is public or private [extras, apigateway]
# 7.48 [extra748] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to any port [extras]
# 7.49 [extra749] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Oracle ports 1521 or 2483 [extras]
# 7.50 [extra750] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MySQL port 3306 [extras]
# 7.51 [extra751] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Postgres port 5432 [extras]
# 7.52 [extra752] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Redis port 6379 [extras]
# 7.53 [extra753] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MongoDB ports 27017 and 27018 [extras]
# 7.54 [extra754] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199 or 9160 or 8888 [extras]
# 7.55 [extra755] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Memcached port 11211 [extras]
# 7.70 [extra770] Check for internet facing EC2 instances with Instance Profiles attached [extras]
# 7.78 [extra778] Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918) [extras]
# 7.79 [extra779] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana ports [extras, elasticsearch]
# 7.87 [extra787] Check connection and authentication for Internet exposed Elasticsearch/Kibana ports [extras, elasticsearch]
# 7.88 [extra788] Check connection and authentication for Internet exposed Amazon Elasticsearch Service (ES) domains [extras, elasticsearch]
# 7.71 [extra771] Check if S3 buckets have policies which allow WRITE access [extras]


@@ -1,174 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
GROUP_ID[18]='iso27001'
GROUP_NUMBER[18]='18.0'
GROUP_TITLE[18]='ISO 27001:2013 Readiness - ONLY AS REFERENCE - [iso27001] *****'
GROUP_RUN_BY_DEFAULT[18]='N' # run it when execute_all is called
GROUP_CHECKS[18]='check11,check110,check111,check112,check113,check114,check115,check116,check119,check12,check122,check13,check14,check15,check16,check17,check18,check19,check21,check22,check23,check24,check25,check26,check27,check28,check29,check31,check310,check311,check312,check313,check314,check32,check33,check34,check35,check36,check37,check38,check39,check41,check42,check43,check44,extra71,extra710,extra7100,extra711,extra7113,extra7123,extra7125,extra7126,extra7128,extra7129,extra713,extra714,extra7130,extra718,extra719,extra72,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra731,extra73,extra731,extra735,extra739,extra74,extra741,extra747,extra748,extra75,extra757,extra758,extra759,extra76,extra760,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra77,extra771,extra772,extra774,extra776,extra777,extra778,extra78,extra789,extra79,extra790,extra792,extra793,extra794,extra795,extra796,extra798'
# # Category Objective ID Objective Name Prowler check ID Check Summary
# 1 A.9 Access Control A.9.2 User Access Management check122 Ensure IAM policies that allow full "*:*" administrative privileges are not created.
# 2 A.9 Access Control A.9.2 User Access Management check111 Ensure IAM password policy expires passwords within 90 days or less
# 3 A.9 Access Control A.9.2 User Access Management check110 Ensure IAM password policy prevents password reuse
# 4 A.9 Access Control A.9.2 User Access Management check19 Ensure IAM password policy requires minimum length of 14 or greater
# 5 A.9 Access Control A.9.2 User Access Management check18 Ensure IAM password policy require at least one number
# 6 A.9 Access Control A.9.2 User Access Management check17 Ensure IAM password policy require at least one symbol
# 7 A.9 Access Control A.9.2 User Access Management check16 Ensure IAM password policy require at least one lowercase letter
# 8 A.9 Access Control A.9.2 User Access Management check15 Ensure IAM password policy requires at least one uppercase letter
# 9 A.9 Access Control A.9.2 User Access Management check11 Avoid the use of the 'root' account
# 10 A.9 Access Control A.9.2 User Access Management check116 Ensure IAM policies are attached only to groups or roles
# 11 A.9 Access Control A.9.2 User Access Management check12 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have console access
# 12 A.9 Access Control A.9.2 User Access Management check114 Ensure MFA is enabled for the 'root' account
# 13 A.9 Access Control A.9.2 User Access Management check115 Ensure security questions are registered in the AWS account
# 14 A.9 Access Control A.9.2 User Access Management check14 Ensure access keys are rotated every 90 days or less
# 15 A.9 Access Control A.9.2 User Access Management check13 Ensure credentials unused for 90 days or greater are disabled
# 16 A.9 Access Control A.9.2 User Access Management check112 Ensure no root account access key exists
# 17 A.9 Access Control A.9.2 User Access Management check119 Ensure IAM instance roles are used for AWS resource access from instances
# 18 A.9 Access Control A.9.2 User Access Management extra71 Ensure users of groups with AdministratorAccess policy have MFA tokens enabled
# 19 A.9 Access Control A.9.2 User Access Management extra7100 Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)
# 20 A.9 Access Control A.9.2 User Access Management extra7123 Check if IAM users have two active access keys
# 21 A.9 Access Control A.9.2 User Access Management extra7125 Check if IAM users have Hardware MFA enabled.
# 22 A.9 Access Control A.9.2 User Access Management extra769 Check if IAM Access Analyzer is enabled and its findings
# 23 A.9 Access Control A.9.2 User Access Management extra774 Ensure credentials unused for 30 days or greater are disabled.
# 24 A.9 Access Control A.9.3 User Responsibilities check111 Ensure IAM password policy expires passwords within 90 days or less
# 25 A.9 Access Control A.9.3 User Responsibilities check110 Ensure IAM password policy prevents password reuse
# 26 A.9 Access Control A.9.3 User Responsibilities check19 Ensure IAM password policy requires minimum length of 14 or greater
# 27 A.9 Access Control A.9.3 User Responsibilities check18 Ensure IAM password policy require at least one number
# 28 A.9 Access Control A.9.3 User Responsibilities check17 Ensure IAM password policy require at least one symbol
# 29 A.9 Access Control A.9.3 User Responsibilities check16 Ensure IAM password policy require at least one lowercase letter
# 30 A.9 Access Control A.9.3 User Responsibilities check15 Ensure IAM password policy requires at least one uppercase letter
# 31 A.9 Access Control A.9.3 User Responsibilities check12 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have console access
# 32 A.9 Access Control A.9.3 User Responsibilities check14 Ensure access keys are rotated every 90 days or less
# 33 A.9 Access Control A.9.3 User Responsibilities check13 Ensure credentials unused for 90 days or greater are disabled
# 34 A.9 Access Control A.9.4 System and Application Access Control check122 Ensure IAM policies that allow full "*:*" administrative privileges are not created.
# 35 A.9 Access Control A.9.4 System and Application Access Control check111 Ensure IAM password policy expires passwords within 90 days or less
# 36 A.9 Access Control A.9.4 System and Application Access Control check110 Ensure IAM password policy prevents password reuse
# 37 A.9 Access Control A.9.4 System and Application Access Control check19 Ensure IAM password policy requires minimum length of 14 or greater
# 38 A.9 Access Control A.9.4 System and Application Access Control check18 Ensure IAM password policy require at least one number
# 39 A.9 Access Control A.9.4 System and Application Access Control check17 Ensure IAM password policy require at least one symbol
# 40 A.9 Access Control A.9.4 System and Application Access Control check16 Ensure IAM password policy require at least one lowercase letter
# 41 A.9 Access Control A.9.4 System and Application Access Control check15 Ensure IAM password policy requires at least one uppercase letter
# 42 A.9 Access Control A.9.4 System and Application Access Control check11 Avoid the use of the 'root' account
# 43 A.9 Access Control A.9.4 System and Application Access Control check116 Ensure IAM policies are attached only to groups or roles
# 44 A.9 Access Control A.9.4 System and Application Access Control check12 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have console access
# 45 A.9 Access Control A.9.4 System and Application Access Control check113 Ensure MFA is enabled for the 'root' account
# 46 A.9 Access Control A.9.4 System and Application Access Control check14 Ensure access keys are rotated every 90 days or less
# 47 A.9 Access Control A.9.4 System and Application Access Control check13 Ensure credentials unused for 90 days or greater are disabled
# 48 A.9 Access Control A.9.4 System and Application Access Control check112 Ensure no root account access key exists
# 55 A.9 Access Control A.9.4 System and Application Access Control extra711 Check if Redshift cluster is Public Accessible
# 49 A.9 Access Control A.9.4 System and Application Access Control extra7113 Check if RDS instances have deletion protection enabled
# 50 A.9 Access Control A.9.4 System and Application Access Control extra72 Ensure there are no EBS Snapshots set as Public
# 51 A.9 Access Control A.9.4 System and Application Access Control extra723 Check if RDS Snapshots and Cluster Snapshots are public
# 52 A.9 Access Control A.9.4 System and Application Access Control extra727 Check if SQS queues have policy set as Public
# 53 A.9 Access Control A.9.4 System and Application Access Control extra73 Ensure there are no S3 buckets open to Everyone or Any AWS user
# 54 A.9 Access Control A.9.4 System and Application Access Control extra731 Check if SNS topics have policy set as Public
# 56 A.9 Access Control A.9.4 System and Application Access Control extra76 Ensure there are no EC2 AMIs set as Public
# 57 A.9 Access Control A.9.4 System and Application Access Control extra77 Ensure there are no ECR repositories set as Public
# 58 A.9 Access Control A.9.4 System and Application Access Control extra771 Check if S3 buckets have policies which allow WRITE access
# 59 A.9 Access Control A.9.4 System and Application Access Control extra795 Ensure EKS Clusters are created with Private Endpoint Enabled and Public Access Disabled
# 60 A.9 Access Control A.9.4 System and Application Access Control extra796 Restrict Access to the EKS Control Plane Endpoint
# 61 A.10 Cryptography A.10.1 Cryptographic Controls extra735 Setup Encryption at rest for RDS instances
# 62 A.10 Cryptography A.10.1 Cryptographic Controls extra792 Check if Elastic Load Balancers have insecure SSL ciphers
# 63 A.10 Cryptography A.10.1 Cryptographic Controls check37 Detect Customer Master Keys (CMKs) scheduled for deletion
# 64 A.10 Cryptography A.10.1 Cryptographic Controls check27 Ensure CloudTrail logs are encrypted at rest using KMS CMKs
# 65 A.10 Cryptography A.10.1 Cryptographic Controls check28 Ensure rotation for customer created KMS CMKs is enabled
# 66 A.10 Cryptography A.10.1 Cryptographic Controls extra7126 Check if there are CMK KMS keys not used
# 67 A.10 Cryptography A.10.1 Cryptographic Controls extra7128 Check if DynamoDB table has encryption at rest enabled using CMK KMS
# 68 A.10 Cryptography A.10.1 Cryptographic Controls extra7130 Ensure there are no SNS Topics unencrypted
# 69 A.10 Cryptography A.10.1 Cryptographic Controls extra724 Check if ACM certificates have Certificate Transparency logging enabled
# 70 A.10 Cryptography A.10.1 Cryptographic Controls extra728 Check if SQS queues have Server Side Encryption enabled
# 71 A.10 Cryptography A.10.1 Cryptographic Controls extra729 Ensure there are no EBS Volumes unencrypted
# 72 A.10 Cryptography A.10.1 Cryptographic Controls extra761 Check if EBS Default Encryption is activated
# 73 A.10 Cryptography A.10.1 Cryptographic Controls extra764 Check if S3 buckets have secure transport policy
# 74 A.10 Cryptography A.10.1 Cryptographic Controls extra767 Check if CloudFront distributions have Field Level Encryption enabled
# 75 A.10 Cryptography A.10.1 Cryptographic Controls extra791 Check if CloudFront distributions are using deprecated SSL protocols
# 76 A.10 Cryptography A.10.1 Cryptographic Controls extra793 Check if Elastic Load Balancers have SSL listeners
# 77 A.12 Operations Security A.12.3 Information Backup extra739 Check if RDS instances have backup enabled
# 78 A.12 Operations Security A.12.4 Logging and Monitoring check314 Ensure a log metric filter and alarm exist for VPC changes
# 79 A.12 Operations Security A.12.4 Logging and Monitoring check313 Ensure a log metric filter and alarm exist for route table changes
# 80 A.12 Operations Security A.12.4 Logging and Monitoring check312 Ensure a log metric filter and alarm exist for changes to network gateways
# 81 A.12 Operations Security A.12.4 Logging and Monitoring check311 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
# 82 A.12 Operations Security A.12.4 Logging and Monitoring check310 Ensure a log metric filter and alarm exist for security group changes
# 83 A.12 Operations Security A.12.4 Logging and Monitoring check39 Ensure a log metric filter and alarm exist for AWS Config configuration changes
# 84 A.12 Operations Security A.12.4 Logging and Monitoring check39 Check if CloudFront distributions have logging enabled
# 85 A.12 Operations Security A.12.4 Logging and Monitoring extra719 Check if Route53 public hosted zones are logging queries to CloudWatch Logs
# 86 A.12 Operations Security A.12.4 Logging and Monitoring extra720 Check if Lambda functions invoke API operations are being recorded by CloudTrail
# 87 A.12 Operations Security A.12.4 Logging and Monitoring extra722 Check if API Gateway has logging enabled
# 88 A.12 Operations Security A.12.4 Logging and Monitoring check38 Ensure a log metric filter and alarm exist for S3 bucket policy changes
# 89 A.12 Operations Security A.12.4 Logging and Monitoring check37 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
# 90 A.12 Operations Security A.12.4 Logging and Monitoring check36 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
# 91 A.12 Operations Security A.12.4 Logging and Monitoring check35 Ensure a log metric filter and alarm exist for CloudTrail configuration changes
# 92 A.12 Operations Security A.12.4 Logging and Monitoring check34 Ensure a log metric filter and alarm exist for IAM policy changes
# 93 A.12 Operations Security A.12.4 Logging and Monitoring check33 Ensure a log metric filter and alarm exist for usage of "root" account
# 94 A.12 Operations Security A.12.4 Logging and Monitoring check32 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
# 95 A.12 Operations Security A.12.4 Logging and Monitoring check31 Ensure a log metric filter and alarm exist for unauthorized API calls
# 96 A.12 Operations Security A.12.4 Logging and Monitoring check26 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
# 97 A.12 Operations Security A.12.4 Logging and Monitoring check25 Ensure AWS Config is enabled in all regions
# 98 A.12 Operations Security A.12.4 Logging and Monitoring check24 Ensure CloudTrail trails are integrated with CloudWatch Logs
# 99 A.12 Operations Security A.12.4 Logging and Monitoring check29 Ensure VPC flow logging is enabled in all VPCs
#100 A.12 Operations Security A.12.4 Logging and Monitoring check23 Ensure the S3 bucket CloudTrail logs to is not publicly accessible
#101 A.12 Operations Security A.12.4 Logging and Monitoring check21 Ensure CloudTrail is enabled in all regions
#102 A.12 Operations Security A.12.4 Logging and Monitoring check21 Ensure CloudTrail is enabled in all regions
#103 A.12 Operations Security A.12.4 Logging and Monitoring extra725 Check if S3 buckets have Object-level logging enabled in CloudTrail
#104 A.12 Operations Security A.12.4 Logging and Monitoring extra794 Ensure EKS Control Plane Audit Logging is enabled for all log types
#105 A.12 Operations Security A.12.4 Logging and Monitoring extra747 Check if RDS instances is integrated with CloudWatch Logs
#106 A.12 Operations Security A.12.4 Logging and Monitoring extra718 Check if S3 buckets have server access logging enabled
#107 A.12 Operations Security A.12.6 Technical Vulnerability Management check43 Ensure the default security group of every VPC restricts all traffic
#108 A.12 Operations Security A.12.6 Technical Vulnerability Management check42 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
#109 A.12 Operations Security A.12.6 Technical Vulnerability Management check41 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
#110 A.12 Operations Security A.12.6 Technical Vulnerability Management extra76 Check for publicly shared AMIs
#111 A.12 Operations Security A.12.6 Technical Vulnerability Management extra72 Ensure EBS snapshots are not publicly accessible
#112 A.12 Operations Security A.12.6 Technical Vulnerability Management extra731 Ensure SNS topics do not allow global send or subscribe
#113 A.12 Operations Security A.12.6 Technical Vulnerability Management extra711 Ensure Redshift clusters do not have a public endpoint
#114 A.12 Operations Security A.12.6 Technical Vulnerability Management extra723 Ensure RDS snapshots are not publicly accessible
#115 A.12 Operations Security A.12.6 Technical Vulnerability Management extra78 Ensure RDS instances are not accessible to the world.
#116 A.12 Operations Security A.12.6 Technical Vulnerability Management check23 Ensure the S3 bucket CloudTrail logs to is not publicly accessible
#117 A.12 Operations Security A.12.6 Technical Vulnerability Management extra713 Check if GuardDuty is enabled
#118 A.12 Operations Security A.12.6 Technical Vulnerability Management extra726 Check Trusted Advisor for errors and warnings
#119 A.12 Operations Security A.12.6 Technical Vulnerability Management extra776 Check if ECR image scan found vulnerabilities in the newest image version
#120 A.13 Communications Security A.13.1 Network Security Management check43 Ensure the default security group of every VPC restricts all traffic
#121 A.13 Communications Security A.13.1 Network Security Management check42 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
#122 A.13 Communications Security A.13.1 Network Security Management check41 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
#123 A.13 Communications Security A.13.1 Network Security Management extra72 Ensure EBS snapshots are not publicly accessible
#124 A.13 Communications Security A.13.1 Network Security Management extra731 Ensure SNS topics do not allow global send or subscribe
#125 A.13 Communications Security A.13.1 Network Security Management extra711 Ensure Redshift clusters do not have a public endpoint
#126 A.13 Communications Security A.13.1 Network Security Management extra723 Ensure RDS snapshots are not publicly accessible
#127 A.13 Communications Security A.13.1 Network Security Management extra78 Ensure RDS instances are not accessible to the world.
#128 A.13 Communications Security A.13.1 Network Security Management extra798 Ensure Lambda Functions are not publicly accessible
#129 A.13 Communications Security A.13.1 Network Security Management check44 Ensure routing tables for VPC peering are \"least access\"
#130 A.13 Communications Security A.13.1 Network Security Management extra710 Check for internet facing EC2 Instances
#131 A.13 Communications Security A.13.1 Network Security Management extra711 Check for Publicly Accessible Redshift Clusters
#132 A.13 Communications Security A.13.1 Network Security Management extra748 Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to any port
#133 A.13 Communications Security A.13.1 Network Security Management extra7129 Check if Application Load Balancer has a WAF ACL attached
#134 A.13 Communications Security A.13.1 Network Security Management extra74 Ensure there are no Security Groups without ingress filtering being used
#135 A.13 Communications Security A.13.1 Network Security Management extra777 Find VPC security groups with many ingress or egress rules
#136 A.13 Communications Security A.13.1 Network Security Management extra778 Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918)
#137 A.13 Communications Security A.13.1 Network Security Management extra789 Find trust boundaries in VPC endpoint services connections
#138 A.13 Communications Security A.13.1 Network Security Management extra79 Check for internet facing Elastic Load Balancers
#139 A.13 Communications Security A.13.1 Network Security Management extra790 Find trust boundaries in VPC endpoint services allowlisted principles
#140 A.13 Communications Security A.13.1 Network Security Management extra78 Ensure there are no Public Accessible RDS instances
#141 A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support extra731 Check if SNS topics have policy set as Public
#142 A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support extra741 Find secrets in EC2 User Data
#143 A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support extra75 Ensure there are no Security Groups not being used
#144 A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support extra757 Check EC2 Instances older than 6 months
#145 A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support extra758 Check EC2 Instances older than 12 months
#146 A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support extra759 Find secrets in Lambda functions variables
#147 A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support extra760 Find secrets in Lambda functions code
#148 A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support extra762 Find obsolete Lambda runtimes
#149 A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support extra765 Check if ECR image scan on push is enabled
#150 A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support extra768 Find secrets in ECS task definitions variables
#151 A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support extra772 Check if elastic IPs are unused
#152 A.18 Compliance A.18.1 Compliance with Legal and Regulatory Reqs check22 Ensure CloudTrail log file validation is enabled
#153 A.18 Compliance A.18.1 Compliance with Legal and Regulatory Reqs extra721 Check if Redshift cluster has audit logging enabled
#154 A.18 Compliance A.18.1 Compliance with Legal and Regulatory Reqs extra763 Check if S3 buckets have object versioning enabled


@@ -1,15 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (c) by Toni de la Fuente
#
# This Prowler check is licensed under a
# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
#
# You should have received a copy of the license along with this
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
GROUP_ID[19]='eks-cis'
GROUP_NUMBER[19]='19.0'
GROUP_TITLE[19]='CIS EKS Benchmark - [eks-cis] *********************************'
GROUP_RUN_BY_DEFAULT[19]='N' # run it when execute_all is called
GROUP_CHECKS[19]='extra765,extra794,extra795,extra796,extra797'


@@ -1,15 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (c) by Toni de la Fuente
#
# This Prowler check is licensed under a
# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
#
# You should have received a copy of the license along with this
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
GROUP_ID[1]='group1'
GROUP_NUMBER[1]='1.0'
GROUP_TITLE[1]='Identity and Access Management - CIS only - [group1] ***********'
GROUP_RUN_BY_DEFAULT[1]='Y' # run it when execute_all is called
GROUP_CHECKS[1]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122'


@@ -1,22 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
GROUP_ID[20]='ffiec'
GROUP_NUMBER[20]='20.0'
GROUP_TITLE[20]='FFIEC Cybersecurity Readiness - ONLY AS REFERENCE - [ffiec] ***'
GROUP_RUN_BY_DEFAULT[20]='N' # run it when execute_all is called
GROUP_CHECKS[20]='check11,check12,check13,check14,check16,check18,check19,check21,check23,check25,check29,check29,check31,check32,check33,check34,check35,check36,check37,check37,check38,check39,check41,check42,check43,check110,check112,check113,check116,check310,check311,check312,check313,check314,extra72,extra76,extra78,extra711,extra723,extra729,extra731,extra734,extra735,extra763,extra792'
# References:
# 1. https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_May_2017.pdf
# 2. https://ithandbook.ffiec.gov/media/274793/ffiec_itbooklet_informationsecurity.pdf


@@ -1,23 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
GROUP_ID[21]='soc2'
GROUP_NUMBER[21]='21.0'
GROUP_TITLE[21]='SOC2 Readiness - ONLY AS REFERENCE - [soc2] *******************'
GROUP_RUN_BY_DEFAULT[21]='N' # run it when execute_all is called
GROUP_CHECKS[21]='check110,check111,check113,check12,check122,check13,check15,check16,check17,check18,check19,check21,check31,check310,check32,check33,check34,check35,check36,check37,check38,check39,check41,check42,check43,extra711,extra72,extra723,extra729,extra731,extra734,extra735,extra739,extra76,extra78,extra792'
# References:
# 1. https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf
# 2. https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/mappingsrelevanttothesocsuiteofservices.html
# 3. https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/othermapping/mapping-final-2017-tsc-to-extant-2016-tspc.xlsx


@@ -1,19 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2222) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
GROUP_ID[22]='sagemaker'
GROUP_NUMBER[22]='22.0'
GROUP_TITLE[22]='Amazon SageMaker related security checks - [sagemaker] ********'
GROUP_RUN_BY_DEFAULT[22]='N' # run it when execute_all is called
GROUP_CHECKS[22]='extra7103,extra7104,extra7111,extra7112,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110'


@@ -1,83 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
GROUP_ID[23]='ens'
GROUP_NUMBER[23]='23.0'
GROUP_TITLE[23]='ENS Esquema Nacional de Seguridad security checks - [ens] *****'
GROUP_RUN_BY_DEFAULT[23]='N' # run it when execute_all is called
GROUP_CHECKS[23]='extra733,extra7123,check13,check14,check121,extra7100,check120,check116,extra7124,check12,extra7125,check14,check13,check21,check25,extra7127,check35,check24,check31,check36,check32,check33,check34,check22,extra71,check23,check23,check27,check37,extra736,check28,extra713,check21,check29,extra793,extra792,extra764,extra738,check43,extra74,extra710,extra75,check41,check42,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra7128,extra729,extra761,extra740,extra735,extra734,extra728,extra781,extra773,extra744,extra7126,extra7129'
# ENS Control ID for AWS;Prowler checks that apply
# ens-op.acc.1.aws.iam.1;extra733
# ens-op.acc.1.aws.iam.2;extra7123
# ens-op.acc.1.aws.iam.3;check13
# ens-op.acc.1.aws.iam.4;check14
# ens-op.acc.1.aws.iam.5;check121
# ens-op.acc.2.aws.iam.1;extra7100
# ens-op.acc.1.aws.iam.4;check120
# ens-op.acc.3.aws.iam.1;check116
# ens-op.acc.4.aws.sys.1;extra7124
# ens-op.acc.5.aws.iam.1;check12
# ens-op.acc.5.aws.iam.2;extra7125
# ens-op.acc.5.aws.iam.3;check14
# ens-op.acc.5.aws.iam.4;check13
# ens-op.acc.7.aws.iam.1;check21
# ens-op.exp.1.aws.cfg.1;check25
# ens-op.exp.1.aws.sys.1;extra7127
# ens-op.exp.4.aws.sys.1;extra7127
# ens-op.exp.8.aws.trail.1;check35
# ens-op.exp.8.aws.cw.1;check24
# ens-op.exp.8.aws.trail.2;check31
# ens-op.exp.8.aws.trail.3;check36
# ens-op.exp.8.aws.trail.4;check32
# ens-op.exp.8.aws.trail.5;check33
# ens-op.exp.8.aws.trail.6;check34
# ens-op.exp.10.aws.trail.1;check22
# ens-op.exp.10.aws.trail.2;extra71
# ens-op.exp.10.aws.trail.3;check23
# ens-op.exp.10.aws.trail.4;check23
# ens-op.exp.10.aws.trail.5;check27
# ens-op.exp.11.aws.kms.1;check37
# ens-op.exp.11.aws.kms.2;extra736*
# ens-op.exp.11.aws.kms.3;check28
# ens-op.mon.1.aws.duty.1;extra713
# ens-op.mon.1.aws.trail.1;check21
# ens-op.mon.1.aws.flow.1;check29
# ens-mp.com.2.aws.elb.1;extra793
# ens-mp.com.2.aws.elb.2;extra792
# ens-mp.com.2.aws.s3.1;extra764
# ens-mp.com.2.aws.front.1;extra738
# ens-mp.com.4.aws.sg.1;check43
# ens-mp.com.4.aws.sg.2;extra74
# ens-mp.com.4.aws.vpc.1;extra710
# ens-mp.com.4.aws.sg.3;extra75
# ens-mp.com.4.aws.sg.4;check41
# ens-mp.com.4.aws.sg.5;check42
# ens-mp.com.4.aws.sg.6;extra749
# ens-mp.com.4.aws.sg.7;extra750
# ens-mp.com.4.aws.sg.8;extra751
# ens-mp.com.4.aws.sg.9;extra752
# ens-mp.com.4.aws.sg.10;extra753
# ens-mp.com.4.aws.sg.11;extra754
# ens-mp.com.4.aws.sg.12;extra755
# ens-mp.info.3.aws.dyndb.1;extra7128
# ens-mp.info.3.aws.ebs.1;extra729
# ens-mp.info.3.aws.ebs.2;extra761
# ens-mp.info.3.aws.ebs.3;extra740
# ens-mp.info.3.aws.rds.1;extra735
# ens-mp.info.3.s3.1;extra734
# ens-mp.info.3.sns.1;extra728
# ens-mp.info.3.aws.au.1;extra781
# ens-mp.s.2.aws.waf.1;extra773
# ens-mp.s.2.aws.waf.2;extra744
# ens-mp.s.2.aws.waf.3;extra7129


@@ -1,18 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
GROUP_ID[24]='glue'
GROUP_NUMBER[24]='24.0'
GROUP_TITLE[24]='Amazon Glue related security checks - [glue] ******************'
GROUP_RUN_BY_DEFAULT[24]='N' # run it when execute_all is called
GROUP_CHECKS[24]='extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122'


@@ -1,46 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
GROUP_ID[25]='ftr'
GROUP_NUMBER[25]='25.0'
GROUP_TITLE[25]='Amazon FTR related security checks - [ftr] ********************'
GROUP_RUN_BY_DEFAULT[25]='N' # run it when execute_all is called
GROUP_CHECKS[25]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check111,check112,check113,check117,check118,check122,check21,check22,extra759,extra760,extra768,extra775,extra797,extra7141,extra73'
# Checks from AWS FTR https://apn-checklists.s3.amazonaws.com/foundational/partner-hosted/partner-hosted/CVLHEC5X7.html
# 1.1 [check11] Avoid the use of the root account - iam [High]
# 1.2 [check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password - iam [High]
# 1.3 [check13] Ensure credentials unused for 90 days or greater are disabled - iam [Medium]
# 1.4 [check14] Ensure access keys are rotated every 90 days or less - iam [Medium]
# 1.5 [check15] Ensure IAM password policy requires at least one uppercase letter - iam [Medium]
# 1.6 [check16] Ensure IAM password policy require at least one lowercase letter - iam [Medium]
# 1.7 [check17] Ensure IAM password policy require at least one symbol - iam [Medium]
# 1.8 [check18] Ensure IAM password policy require at least one number - iam [Medium]
# 1.9 [check19] Ensure IAM password policy requires minimum length of 14 or greater - iam [Medium]
# 1.10 [check110] Ensure IAM password policy prevents password reuse: 24 or greater - iam [Medium]
# 1.11 [check111] Ensure IAM password policy expires passwords within 90 days or less - iam [Medium]
# 1.12 [check112] Ensure no root account access key exists - iam [Critical]
# 1.13 [check113] Ensure MFA is enabled for the root account - iam [Critical]
# 1.17 [check117] Maintain current contact details - support [Medium]
# 1.18 [check118] Ensure security contact information is registered - support [Medium]
# 1.22 [check122] Ensure IAM policies that allow full "*:*" administrative privileges are not created - iam [Medium]
# 2.1 [check21] Ensure CloudTrail is enabled in all regions - cloudtrail [High]
# 2.2 [check22] Ensure CloudTrail log file validation is enabled - cloudtrail [Medium]
# 7.59 [extra759] Find secrets in Lambda functions variables - lambda [Critical]
# 7.60 [extra760] Find secrets in Lambda functions code - lambda [Critical]
# 7.68 [extra768] Find secrets in ECS task definitions variables - ecs [Critical]
# 7.75 [extra775] Find secrets in EC2 Auto Scaling Launch Configuration - autoscaling [Critical]
# 7.97 [extra797] Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) - eks [Medium]
# 7.141 [extra7141] Find secrets in SSM Documents - ssm [Critical]
# 7.3 [extra73] Ensure there are no S3 buckets open to Everyone or Any AWS user - s3 [Critical]


@@ -1,15 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (c) by Toni de la Fuente
#
# This Prowler check is licensed under a
# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
#
# You should have received a copy of the license along with this
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
GROUP_ID[2]='group2'
GROUP_NUMBER[2]='2.0'
GROUP_TITLE[2]='Logging - CIS only - [group2] **********************************'
GROUP_RUN_BY_DEFAULT[2]='Y' # run it when execute_all is called
GROUP_CHECKS[2]='check21,check22,check23,check24,check25,check26,check27,check28,check29'


@@ -1,15 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (c) by Toni de la Fuente
#
# This Prowler check is licensed under a
# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
#
# You should have received a copy of the license along with this
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
GROUP_ID[3]='group3'
GROUP_NUMBER[3]='3.0'
GROUP_TITLE[3]='Monitoring - CIS only - [group3] *******************************'
GROUP_RUN_BY_DEFAULT[3]='Y' # run it when execute_all is called
GROUP_CHECKS[3]='check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314'


@@ -1,15 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (c) by Toni de la Fuente
#
# This Prowler check is licensed under a
# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
#
# You should have received a copy of the license along with this
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
GROUP_ID[4]='group4'
GROUP_NUMBER[4]='4.0'
GROUP_TITLE[4]='Networking - CIS only - [group4] *******************************'
GROUP_RUN_BY_DEFAULT[4]='Y' # run it when execute_all is called
GROUP_CHECKS[4]='check41,check42,check43,check44,check45,check46'


@@ -1,15 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (c) by Toni de la Fuente
#
# This Prowler check is licensed under a
# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
#
# You should have received a copy of the license along with this
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
GROUP_ID[5]='cislevel1'
GROUP_NUMBER[5]='5.0'
GROUP_TITLE[5]='CIS Level 1 - CIS only - [cislevel1] ***************************'
GROUP_RUN_BY_DEFAULT[5]='N' # run it when execute_all is called
GROUP_CHECKS[5]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check115,check116,check117,check118,check119,check120,check122,check21,check23,check24,check25,check26,check31,check32,check33,check34,check35,check38,check312,check313,check314,check41,check42'


@@ -1,15 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (c) by Toni de la Fuente
#
# This Prowler check is licensed under a
# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
#
# You should have received a copy of the license along with this
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
GROUP_ID[6]='cislevel2'
GROUP_NUMBER[6]='6.0'
GROUP_TITLE[6]='CIS Level 2 - CIS only - [cislevel2] ***************************'
GROUP_RUN_BY_DEFAULT[6]='N' # run it when execute_all is called
GROUP_CHECKS[6]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check21,check22,check23,check24,check25,check26,check27,check28,check29,check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check41,check42,check43,check44'


@@ -1,25 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
GROUP_ID[7]='extras'
GROUP_NUMBER[7]='7.0'
GROUP_TITLE[7]='Extras - all non CIS specific checks - [extras] ****************'
GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100,extra7101,extra7102,extra7103,extra7104,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110,extra7111,extra7112,extra7113,extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122,extra7123,extra7124,extra7125,extra7126,extra7127,extra7128,extra7129,extra7130,extra7131,extra7132,extra7133,extra7134,extra7135,extra7136,extra7137,extra7138,extra7139,extra7140,extra7141,extra7142,extra7143,extra7144,extra7145,extra7146,extra7147,extra7148,extra7149,extra7150,extra7151,extra7152,extra7153,extra7154,extra7155,extra7156,extra7157,extra7158,extra7159,extra7160,extra7161,extra7162,extra7163,extra7164,extra7165,extra7166,extra7167,extra7168,extra7169,extra7170,extra7171,extra7172,extra7173,extra7174,extra7175,extra7176,extra7177,extra7178,extra7179,extra7180'
# Extras 759 and 760 (lambda variables and code secrets finder are not included)
# to run detect-secrets use `./prowler -g secrets`
# Extras 789 and 790 VPC trust boundaries are not included by default in Extras
# to run trust-boundaries use `./prowler -g trustboundaries`
# read more in https://github.com/toniblyx/prowler/#trust-boundaries-checks


@@ -1,18 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
GROUP_ID[8]='forensics-ready'
GROUP_NUMBER[8]='8.0'
GROUP_TITLE[8]='Forensics Readiness - [forensics-ready] ************************'
GROUP_RUN_BY_DEFAULT[8]='N' # run it when execute_all is called
GROUP_CHECKS[8]='check21,check22,check23,check24,check25,check26,check27,check29,extra712,extra713,extra714,extra715,extra717,extra718,extra719,extra720,extra721,extra722,extra725,extra7101,extra794'


@@ -1,24 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
GROUP_ID[9]='gdpr'
GROUP_NUMBER[9]='9.0'
GROUP_TITLE[9]='GDPR Readiness - ONLY AS REFERENCE - [gdpr] ********************'
GROUP_RUN_BY_DEFAULT[9]='N' # run it when execute_all is called
GROUP_CHECKS[9]='extra718,extra725,extra727,check12,check113,check114,extra71,extra731,extra732,extra733,check25,check39,check21,check22,check23,check24,check26,check27,check35,extra726,extra714,extra715,extra717,extra719,extra720,extra721,extra722,check43,check25,extra714,extra729,extra734,extra735,extra736,extra738,extra740,extra761,check11,check110,check111,check112,check116,check120,check122,check13,check14,check15,check16,check17,check18,check19,check28,check29,check31,check310,check311,check312,check313,check314,check32,check33,check34,check36,check37,check38,check41,check42,extra711,extra72,extra723,extra730,extra739,extra76,extra763,extra778,extra78,extra792,extra798'
# Resources:
# https://d1.awsstatic.com/whitepapers/compliance/GDPR_Compliance_on_AWS.pdf
# https://www.slideshare.net/AmazonWebServices/sid303-navigating-gdpr-compliance-on-aws
# https://aws.amazon.com/compliance/gdpr-center/
# https://eur-lex.europa.eu/eli/reg/2016/679/2016-05-04


@@ -1,18 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
GROUP_ID[9]='my-custom-group'
GROUP_NUMBER[9]='9.0'
GROUP_TITLE[9]='My Custom Group - [my-custom-group] ****************************'
GROUP_RUN_BY_DEFAULT[9]='N' # run it when execute_all is called
GROUP_CHECKS[9]='checkNN,checkMM'


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.accessanalyzer.accessanalyzer_service import AccessAnalyzer
accessanalyzer_client = AccessAnalyzer(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.account.account_service import Account
account_client = Account(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.acm.acm_service import ACM
acm_client = ACM(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.apigateway.apigateway_service import APIGateway
apigateway_client = APIGateway(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.apigatewayv2.apigatewayv2_service import ApiGatewayV2
apigatewayv2_client = ApiGatewayV2(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.appstream.appstream_service import AppStream
appstream_client = AppStream(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.autoscaling.autoscaling_service import AutoScaling
autoscaling_client = AutoScaling(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.awslambda.awslambda_service import Lambda
awslambda_client = Lambda(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.cloudformation.cloudformation_service import CloudFormation
cloudformation_client = CloudFormation(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.cloudfront.cloudfront_service import CloudFront
cloudfront_client = CloudFront(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.cloudtrail.cloudtrail_service import Cloudtrail
cloudtrail_client = Cloudtrail(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.cloudwatch.cloudwatch_service import CloudWatch
cloudwatch_client = CloudWatch(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.cloudwatch.cloudwatch_service import Logs
logs_client = Logs(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.codeartifact.codeartifact_service import CodeArtifact
codeartifact_client = CodeArtifact(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.codebuild.codebuild_service import Codebuild
codebuild_client = Codebuild(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.config.config_service import Config
config_client = Config(current_audit_info)


@@ -1,6 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.directoryservice.directoryservice_service import (
DirectoryService,
)
directoryservice_client = DirectoryService(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.dynamodb.dynamodb_service import DAX
dax_client = DAX(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.dynamodb.dynamodb_service import DynamoDB
dynamodb_client = DynamoDB(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.ec2.ec2_service import EC2
ec2_client = EC2(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.ecr.ecr_service import ECR
ecr_client = ECR(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.ecs.ecs_service import ECS
ecs_client = ECS(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.efs.efs_service import EFS
efs_client = EFS(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.eks.eks_service import EKS
eks_client = EKS(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.elb.elb_service import ELB
elb_client = ELB(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.elbv2.elbv2_service import ELBv2
elbv2_client = ELBv2(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.emr.emr_service import EMR
emr_client = EMR(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.glacier.glacier_service import Glacier
glacier_client = Glacier(current_audit_info)


@@ -1,6 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.globalaccelerator.globalaccelerator_service import (
GlobalAccelerator,
)
globalaccelerator_client = GlobalAccelerator(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.glue.glue_service import Glue
glue_client = Glue(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.guardduty.guardduty_service import GuardDuty
guardduty_client = GuardDuty(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.iam.iam_service import IAM
iam_client = IAM(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.kms.kms_service import KMS
kms_client = KMS(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.macie.macie_service import Macie
macie_client = Macie(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.opensearch.opensearch_service import OpenSearchService
opensearch_client = OpenSearchService(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.rds.rds_service import RDS
rds_client = RDS(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.redshift.redshift_service import Redshift
redshift_client = Redshift(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.route53.route53_service import Route53
route53_client = Route53(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.route53.route53_service import Route53Domains
route53domains_client = Route53Domains(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.s3.s3_service import S3
s3_client = S3(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.s3.s3_service import S3Control
s3control_client = S3Control(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.sagemaker.sagemaker_service import SageMaker
sagemaker_client = SageMaker(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.secretsmanager.secretsmanager_service import SecretsManager
secretsmanager_client = SecretsManager(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.securityhub.securityhub_service import SecurityHub
securityhub_client = SecurityHub(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.shield.shield_service import Shield
shield_client = Shield(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.sns.sns_service import SNS
sns_client = SNS(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.sqs.sqs_service import SQS
sqs_client = SQS(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.ssm.ssm_service import SSM
ssm_client = SSM(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.trustedadvisor.trustedadvisor_service import TrustedAdvisor
trustedadvisor_client = TrustedAdvisor(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.vpc.vpc_service import VPC
vpc_client = VPC(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.waf.waf_service import WAF
waf_client = WAF(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.wafv2.wafv2_service import WAFv2
wafv2_client = WAFv2(current_audit_info)


@@ -1,4 +0,0 @@
from providers.aws.lib.audit_info.audit_info import current_audit_info
from providers.aws.services.workspaces.workspaces_service import WorkSpaces
workspaces_client = WorkSpaces(current_audit_info)


@@ -1,3 +0,0 @@
from providers.azure.lib.audit_info.models import Azure_Audit_Info, Azure_Identity_Info
azure_audit_info = Azure_Audit_Info(credentials=None, identity=Azure_Identity_Info())


@@ -1,4 +0,0 @@
from providers.azure.lib.audit_info.audit_info import azure_audit_info
from providers.azure.services.defender.defender_service import Defender
defender_client = Defender(azure_audit_info)


@@ -1,4 +0,0 @@
from providers.azure.lib.audit_info.audit_info import azure_audit_info
from providers.azure.services.iam.iam_service import IAM
iam_client = IAM(azure_audit_info)


@@ -1,4 +0,0 @@
from providers.azure.lib.audit_info.audit_info import azure_audit_info
from providers.azure.services.storage.storage_service import Storage
storage_client = Storage(azure_audit_info)

8
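--- a/prowler.py
+++ b/prowler.py
@@ -0,0 +1,8 @@
+#!/usr/bin/env python3
+import sys
+from prowler.__main__ import prowler
+if __name__ == "__main__":
+sys.exit(prowler())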
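Review bot: `sys.exit(prowler())` on the last line only produces a meaningful exit status if `prowler()` returns an integer, and the tail of `prowler/__main__.py` in this same commit shows the function ending on the `send_to_s3_bucket`-style call with no `return`, so this shim appears to exit 0 regardless of findings or failures unless `prowler()` calls `sys.exit` itself somewhere outside the visible hunks. A second fragility worth a comment: this root-level `prowler.py` has the same name as the `prowler/` package it imports from and only resolves correctly because a regular package (directory with `__init__.py`) takes precedence over a same-named module on the same `sys.path` entry; I would add `# Thin launcher shim; the import resolves to the prowler/ package, which wins over this module on sys.path.` above the import.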

33
prowler → prowler/__main__.py Executable file → Normal file

@@ -6,13 +6,13 @@ import sys
from os import mkdir
from os.path import isdir
from config.config import (
from prowler.config.config import (
change_config_var,
default_output_directory,
output_file_timestamp,
)
from lib.banner import print_banner, print_version
from lib.check.check import (
from prowler.lib.banner import print_banner, print_version
from prowler.lib.check.check import (
bulk_load_checks_metadata,
bulk_load_compliance_frameworks,
exclude_checks_to_run,
@@ -27,25 +27,26 @@ from lib.check.check import (
print_services,
set_output_options,
)
from lib.check.checks_loader import load_checks_to_execute
from lib.check.compliance import update_checks_metadata_with_compliance
from lib.logger import logger, set_logging_config
from lib.outputs.outputs import (
from prowler.lib.check.checks_loader import load_checks_to_execute
from prowler.lib.check.compliance import update_checks_metadata_with_compliance
from prowler.lib.logger import logger, set_logging_config
from prowler.lib.outputs.outputs import (
add_html_footer,
close_json,
display_compliance_table,
display_summary_table,
send_to_s3_bucket,
)
from providers.aws.aws_provider import aws_provider_set_session
from providers.aws.lib.allowlist.allowlist import parse_allowlist_file
from providers.aws.lib.quick_inventory.quick_inventory import quick_inventory
from providers.aws.lib.security_hub.security_hub import (
from prowler.providers.aws.aws_provider import aws_provider_set_session
from prowler.providers.aws.lib.allowlist.allowlist import parse_allowlist_file
from prowler.providers.aws.lib.quick_inventory.quick_inventory import quick_inventory
from prowler.providers.aws.lib.security_hub.security_hub import (
resolve_security_hub_previous_findings,
)
from providers.azure.azure_provider import azure_provider_set_session
from prowler.providers.azure.azure_provider import azure_provider_set_session
if __name__ == "__main__":
def prowler():
# CLI Arguments
parser = argparse.ArgumentParser()
parser.add_argument(
@@ -238,7 +239,7 @@ if __name__ == "__main__":
"--allowlist-file",
nargs="?",
default=None,
help="Path for allowlist yaml file, supports local file, S3 URI or DynamoDB ARN. See example yaml in 'providers/allowlist.yaml' for reference and format.",
help="Path for allowlist yaml file. See example prowler/config/allowlist.yaml for reference and format. It also accepts AWS DynamoDB Table ARN or S3 URI, see more in https://docs.prowler.cloud/en/latest/tutorials/allowlist/",
)
parser.add_argument(
"--verbose",
@@ -517,3 +518,7 @@ if __name__ == "__main__":
audit_output_options.output_filename,
audit_output_options.output_directory,
)
if __name__ == "__main__":
prowler()
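Review bot: The new `if __name__ == "__main__": prowler()` at the end of the file discards the function's return value, while the new root `prowler.py` shim passes the same value to `sys.exit()`; the two entry points will disagree on exit status as soon as `prowler()` returns anything, and in the visible last hunk the function falls off the end after the `audit_output_options.output_directory, )` call with no `return`, so both currently exit 0 even for a run that produced findings or failed (unless `sys.exit` is called earlier in the body, which is outside the hunk). I would make the ending `sys.exit(prowler())` here as well and give `prowler()` an explicit integer return so the PyPI console entry point, the shim and `python -m prowler` all agree. A short docstring on `def prowler():` stating that it is the CLI entry point and what its return value means would also help, since the `@@ -27,25 +27,26 @@` hunk turns the former module-level script into a function without documenting it. The body of `prowler()` starts in the second hunk and runs well outside the visible hunks.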
