feat(allowlist): add yaml structure validator (#1735)

Co-authored-by: sergargar <sergio@verica.io>
This commit is contained in:
Sergio Garcia
2023-01-18 17:49:13 +01:00
committed by GitHub
parent 776ac9e3d4
commit c921782714
5 changed files with 1707 additions and 1665 deletions


@@ -9,6 +9,7 @@ boto3 = "1.26.3"
arnparse = "0.0.2" arnparse = "0.0.2"
botocore = "1.27.8" botocore = "1.27.8"
pydantic = "1.9.1" pydantic = "1.9.1"
schema = "0.7.5"
shodan = "1.28.0" shodan = "1.28.0"
detect-secrets = "1.4.0" detect-secrets = "1.4.0"
alive-progress = "2.4.1" alive-progress = "2.4.1"

3352
Pipfile.lock generated



@@ -11,7 +11,7 @@ You can use `-w`/`--allowlist-file` with the path of your allowlist yaml file, b
### Resources is a list that can have either Regex or Keywords: ### Resources is a list that can have either Regex or Keywords:
########################### ALLOWLIST EXAMPLE ########################### ########################### ALLOWLIST EXAMPLE ###########################
Allowlist: Allowlist:
Accounts: Accounts:
"123456789012": "123456789012":
Checks: Checks:
"iam_user_hardware_mfa_enabled": "iam_user_hardware_mfa_enabled":


@@ -3,9 +3,14 @@ import sys
import yaml import yaml
from boto3.dynamodb.conditions import Attr from boto3.dynamodb.conditions import Attr
from schema import Schema
from prowler.lib.logger import logger from prowler.lib.logger import logger
allowlist_schema = Schema(
{"Accounts": {str: {"Checks": {str: {"Regions": list, "Resources": list}}}}}
)
def parse_allowlist_file(audit_info, allowlist_file): def parse_allowlist_file(audit_info, allowlist_file):
try: try:
@@ -56,9 +61,18 @@ def parse_allowlist_file(audit_info, allowlist_file):
else: else:
with open(allowlist_file) as f: with open(allowlist_file) as f:
allowlist = yaml.safe_load(f)["Allowlist"] allowlist = yaml.safe_load(f)["Allowlist"]
try:
allowlist_schema.validate(allowlist)
except Exception as error:
logger.critical(
f"{error.__class__.__name__} -- Allowlist YAML is malformed - {error}[{error.__traceback__.tb_lineno}]"
)
sys.exit()
return allowlist return allowlist
except Exception as error: except Exception as error:
logger.critical(f"{error.__class__.__name__} -- {error}") logger.critical(
f"{error.__class__.__name__} -- {error}[{error.__traceback__.tb_lineno}]"
)
sys.exit() sys.exit()
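Review bot: The new validation handler in the second hunk ends with `sys.exit()`, which exits with status 0, so a malformed allowlist is reported as a successful run to any wrapper or CI job that checks the exit code; `sys.exit(1)` would make the failure observable (the pre-existing handler below it has the same shape, but that is not this commit's change). The schema defined in the first hunk only checks that `Regions` and `Resources` are lists, not what they hold, so a non-string entry passes validation and only fails later where the values are matched; `{"Regions": [str], "Resources": [str]}` would reject it at load time. Catching `SchemaError` (`from schema import Schema, SchemaError`) instead of `Exception` would keep unrelated failures out of the "Allowlist YAML is malformed" message. The validation runs only in the `else` branch; if the branches before it, outside the hunk, build the allowlist from another source, they bypass the schema entirely, which is worth confirming. parse_allowlist_file starts before the second hunk and its earlier branches are not visible here.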


@@ -29,6 +29,7 @@ dependencies = [
"arnparse ~=0.0.2", "arnparse ~=0.0.2",
"botocore ~=1.29.18", "botocore ~=1.29.18",
"pydantic ~=1.9.1", "pydantic ~=1.9.1",
"schema ~=0.7.5",
"shodan ~=1.28.0", "shodan ~=1.28.0",
"detect-secrets ~=1.4.0", "detect-secrets ~=1.4.0",
"alive-progress ~=2.4.1", "alive-progress ~=2.4.1",