From d6ade7694e701a65e48174af07ea855e0b341f5d Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga
Date: Wed, 13 Apr 2022 11:31:50 +0200
Subject: [PATCH] chore(allowlist): Rename references (#1108)
* chore(allowlist): rename file
* chore(allowlist): remove old references
---
 README.md | 14 +++++++-------
 whitelist_sample.txt => allowlist_example.txt | 4 ++--
 checks/check_extra789 | 2 +-
 checks/check_extra790 | 2 +-
 groups/group18_iso27001 | 2 +-
 include/colors | 2 +-
 include/outputs | 8 ++++----
 7 files changed, 17 insertions(+), 17 deletions(-)
 rename whitelist_sample.txt => allowlist_example.txt (92%)
diff --git a/README.md b/README.md
index 07e49c6c..a0087c22 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@
 - [Advanced Usage](#advanced-usage)
 - [Security Hub integration](#security-hub-integration)
 - [CodeBuild deployment](#codebuild-deployment)
-- [Whitelist/allowlist or remove FAIL from resources](#whitelist-or-allowlist-or-remove-a-fail-from-resources)
+- [Allowlist or remove FAIL from resources](#allowlist-or-allowlist-or-remove-a-fail-from-resources)
 - [Fix](#how-to-fix-every-fail)
 - [Troubleshooting](#troubleshooting)
 - [Extras](#extras)
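Review bot: The rewritten table-of-contents entry links to `#allowlist-or-allowlist-or-remove-a-fail-from-resources`, but the heading this patch renames further down reads `## Allowlist or remove a fail from resources`, whose generated anchor is `#allowlist-or-remove-a-fail-from-resources`, so the link is broken by this change. The entry should read `- [Allowlist or remove FAIL from resources](#allowlist-or-remove-a-fail-from-resources)`. The removed line's anchor matched its old heading, so this is a regression introduced here rather than a pre-existing one.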
@@ -484,18 +484,18 @@ The Cloud Formation template that helps you doing that is [here](https://github.
 > This is a simple solution to monitor one account. For multiples accounts see [Multi Account and Continuous Monitoring](util/org-multi-account/README.md).
-## Whitelist or allowlist or remove a fail from resources
+## Allowlist or remove a fail from resources
-Sometimes you may find resources that are intentionally configured in a certain way that may be a bad practice but it is all right with it, for example an S3 bucket open to the internet hosting a web site, or a security group with an open port needed in your use case. Now you can use `-w whitelist_sample.txt` and add your resources as `checkID:resourcename` as in this command:
+Sometimes you may find resources that are intentionally configured in a certain way that may be a bad practice but it is all right with it, for example an S3 bucket open to the internet hosting a web site, or a security group with an open port needed in your use case. Now you can use `-w allowlist_sample.txt` and add your resources as `checkID:resourcename` as in this command:
 ```
-./prowler -w whitelist_sample.txt
+./prowler -w allowlist_sample.txt
 ```
 S3 URIs are also supported as allowlist file, e.g. `s3://bucket/prefix/allowlist_sample.txt`
->Make sure that the used credentials have s3:GetObject permissions in the S3 path where the whitelist file is located.
+>Make sure that the used credentials have s3:GetObject permissions in the S3 path where the allowlist file is located.
-Whitelist option works along with other options and adds a `WARNING` instead of `INFO`, `PASS` or `FAIL` to any output format except for `json-asff`.
+Allowlist option works along with other options and adds a `WARNING` instead of `INFO`, `PASS` or `FAIL` to any output format except for `json-asff`.
 ## How to fix every FAIL
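Review bot: The documented command `./prowler -w allowlist_sample.txt` and the S3 example `s3://bucket/prefix/allowlist_sample.txt` name a file that this same patch renames to `allowlist_example.txt` (see the diffstat and the `rename to allowlist_example.txt` header), so a reader copying the README gets a missing-file error. Both references should become `allowlist_example.txt`, e.g. `./prowler -w allowlist_example.txt`. Since this section explains that an allowlist turns FAIL into WARNING, one sentence next to the `s3:GetObject` note would also help: anyone who can write to that S3 path can silence findings, so the bucket and prefix should be write-restricted like any other security configuration.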
@@ -703,7 +703,7 @@ Current coverage of Amazon Web Service (AWS) taken from [here](https://docs.aws.
 | Topic | Service | Trust Boundary |
 |---------------------------------|------------|---------------------------------------------------------------------------|
 | Networking and Content Delivery | Amazon VPC | VPC endpoints connections ([extra786](checks/check_extra786)) |
-| | | VPC endpoints whitelisted principals ([extra787](checks/check_extra787)) |
+| | | VPC endpoints allowlisted principals ([extra787](checks/check_extra787)) |
 All ideas or recommendations to extend this group are very welcome [here](https://github.com/prowler-cloud/prowler/issues/new/choose).
diff --git a/whitelist_sample.txt b/allowlist_example.txt
similarity index 92%
rename from whitelist_sample.txt
rename to allowlist_example.txt
index 7da90c0f..97d9c5ab 100644
--- a/whitelist_sample.txt
+++ b/allowlist_example.txt
@@ -16,12 +16,12 @@ check26:myignoredbucket
 #:
 # REGEXES
-# This whitelist works with regexes (ERE, the same style of regex as grep -E and bash's =~ use)
+# This allowlist works with regexes (ERE, the same style of regex as grep -E and bash's =~ use)
 # therefore:
 # extra718:[[:alnum:]]+-logs
 # will ignore all buckets containing the terms ci-logs, qa-logs, etc.
 # EXAMPLE: CONTROL TOWER
-# When using Control Tower, guardrails prevent access to certain protected resources. The whitelist
+# When using Control Tower, guardrails prevent access to certain protected resources. The allowlist
 # below ensures that warnings instead of errors are reported for the affected resources.
 #extra734:aws-controltower-logs-[[:digit:]]+-[[:alpha:]\-]+
 #extra734:aws-controltower-s3-access-logs-[[:digit:]]+-[[:alpha:]\-]+
diff --git a/checks/check_extra789 b/checks/check_extra789
index b4d90f23..1006a723 100644
--- a/checks/check_extra789
+++ b/checks/check_extra789
@@ -54,7 +54,7 @@ extra789(){
 # Algorithm:
 # Remove all trusted ACCOUNT_IDs from ENDPOINT_CONNECTION_LIST.
 # As a result, the ENDPOINT_CONNECTION_LIST finally contains only unknown/untrusted account ids.
- ENDPOINT_CONNECTION_LIST=("${ENDPOINT_CONNECTION_LIST[@]/$ENDPOINT_CONNECTION}") # remove hit from whitelist
+ ENDPOINT_CONNECTION_LIST=("${ENDPOINT_CONNECTION_LIST[@]/$ENDPOINT_CONNECTION}") # remove hit from allowlist
 fi
 done
 done
diff --git a/checks/check_extra790 b/checks/check_extra790
index d562a40c..79f8bfee 100644
--- a/checks/check_extra790
+++ b/checks/check_extra790
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra790="7.90"
-CHECK_TITLE_extra790="[extra790] Find trust boundaries in VPC endpoint services whitelisted principles"
+CHECK_TITLE_extra790="[extra790] Find trust boundaries in VPC endpoint services allowlisted principles"
 CHECK_SCORED_extra790="NOT_SCORED"
 CHECK_CIS_LEVEL_extra790="EXTRA"
 CHECK_SEVERITY_extra790="Medium"
diff --git a/groups/group18_iso27001 b/groups/group18_iso27001
index 60196080..fe8ba0ee 100644
--- a/groups/group18_iso27001
+++ b/groups/group18_iso27001
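Review bot: The retouched comment `# remove hit from allowlist` on the `ENDPOINT_CONNECTION_LIST=("${ENDPOINT_CONNECTION_LIST[@]/$ENDPOINT_CONNECTION}")` line still understates what the expansion does: `${arr[@]/pattern}` performs pattern substitution inside every element rather than deleting elements, so a matched account id is blanked to an empty string that stays in the array, and `$ENDPOINT_CONNECTION` is read as a glob pattern, not a literal. With 12-digit account ids that is probably harmless, but whatever consumes the list after the loop (outside this hunk) has to skip empty entries, and the comment should say so: `# blank out this trusted account id (substitution leaves an empty element behind)`. Now that "allowlist" names the `-w` feature, calling the trusted-account list an allowlist here also invites confusion; the surrounding comments already say "trusted ACCOUNT_IDs", which is the clearer term. The enclosing `extra789` function starts and ends outside the hunk.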
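Review bot: `CHECK_TITLE_extra790` still says `allowlisted principles`; the check is about the principals permitted on VPC endpoint services, and the README table in this same patch spells the same concept `allowlisted principals`, so the title should be `CHECK_TITLE_extra790="[extra790] Find trust boundaries in VPC endpoint services allowlisted principals"`. This string is what every output format prints for the check, so the typo reaches reports and Security Hub findings. The `#139` description line in `groups/group18_iso27001` repeats the same wording and should be corrected together with it.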
@@ -156,7 +156,7 @@ GROUP_CHECKS[18]='check11,check110,check111,check112,check113,check114,check115,
 #136 A.13 Communications Security A.13.1 Network Security Management extra778 Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918)
 #137 A.13 Communications Security A.13.1 Network Security Management extra789 Find trust boundaries in VPC endpoint services connections
 #138 A.13 Communications Security A.13.1 Network Security Management extra79 Check for internet facing Elastic Load Balancers
-#139 A.13 Communications Security A.13.1 Network Security Management extra790 Find trust boundaries in VPC endpoint services whitelisted principles
+#139 A.13 Communications Security A.13.1 Network Security Management extra790 Find trust boundaries in VPC endpoint services allowlisted principles
 #140 A.13 Communications Security A.13.1 Network Security Management extra78 Ensure there are no Public Accessible RDS instances
 #141 A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support extra731 Check if SNS topics have policy set as Public
 #142 A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support extra741 Find secrets in EC2 User Data
diff --git a/include/colors b/include/colors
index d1f2afcb..43c84b70 100644
--- a/include/colors
+++ b/include/colors
@@ -70,7 +70,7 @@ printColorsCode(){
 echo -e "\n$NORMAL Color code for results: "
 echo -e " - $NOTICE INFO (Information)$NORMAL"
 echo -e " - $OK PASS (Recommended value)$NORMAL"
- echo -e " - $WARNING WARNING (Ignored by whitelist)$NORMAL"
+ echo -e " - $WARNING WARNING (Ignored by allowlist)$NORMAL"
 echo -e " - $BAD FAIL (Fix required)$NORMAL"
 fi
 }
diff --git a/include/outputs b/include/outputs
index 62b39cc4..c8393868 100644
--- a/include/outputs
+++ b/include/outputs
@@ -50,7 +50,7 @@ PROWLER_PARAMETERS=$@
 # $ACCOUNT_NUM AWS Account ID
 # $REPREGION AWS region scanned
 # $TITLE_ID Numeric identifier of each check (1.2, 2.3, etc), originally based on CIS checks.
-# $CHECK_RESULT values can be PASS, FAIL, INFO or WARNING if whitelisted
+# $CHECK_RESULT values can be PASS, FAIL, INFO or WARNING if allowlisted
 # $ITEM_SCORED corresponds to CHECK_SCORED, values can be Scored/Not Scored. This is CIS only, will be deprecated in Prowler.
 # $ITEM_CIS_LEVEL corresponds to CHECK_TYPE_ currently only for CIS Level 1, CIS Level 2 and Extras (all checks not part of CIS)
 # $TITLE_TEXT corresponds to CHECK_TITLE_ shows title of each check
@@ -173,11 +173,11 @@ textInfo(){
 }
 textFail(){
- ## ignore whitelists for current check
+ ## ignore allowlists for current check
 level="FAIL"
 colorcode="$BAD"
 while read -r excluded_item; do
- # ignore_check_name is the check with resources whitelisted
+ # ignore_check_name is the check with resources allowlisted
 ignore_check_name=$(awk -F ":" '{print $1}' <<< "${excluded_item}")
 # Resource value is what it comes after CHECK_NAME: :
 resource_value=$(awk -F "$CHECK_NAME:" '{print $2}' <<< "${excluded_item}")
@@ -349,7 +349,7 @@ generateJsonAsffOutput(){
 local message=$1
 local status=$2
- #Checks to determine if the rule passes in a resource name that prowler uses to track the AWS Resource for whitelisting purposes
+ #Checks to determine if the rule passes in a resource name that prowler uses to track the AWS Resource for allowlisting purposes
 if [[ -z $3 ]]; then
 local resource_id="NONE_PROVIDED"
 else
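Review bot: The renamed comment `## ignore allowlists for current check` at the top of `textFail` says roughly the opposite of what the loop does: each allowlist line is split into a check name (`ignore_check_name`) and the part after `CHECK_NAME:` (`resource_value`), and the code past the end of this hunk presumably uses a match to downgrade the FAIL to WARNING. A comment stating that would read better: `## allowlist: if the failing resource matches a "<check>:<pattern>" line for this check, report WARNING instead of FAIL`. Because `allowlist_example.txt` in this same patch documents entries as ERE patterns, the comparison outside this hunk is the security-relevant part; a note here that an entry is only as narrow as its pattern (and, if the match is unanchored, that `extra718:logs` would suppress every bucket containing "logs") would help operators avoid silently over-broad suppressions. `textFail` continues beyond the hunk.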
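Review bot: The comment `#Checks to determine if the rule passes in a resource name that prowler uses to track the AWS Resource for allowlisting purposes` in `generateJsonAsffOutput` is hard to parse, while the code beneath it only defaults `resource_id` to the sentinel `NONE_PROVIDED` when the third argument is empty. A plainer version: `# $3 is the resource name the check reports (the same key allowlist matching uses); fall back to a sentinel when the check passed none`. Since `NONE_PROVIDED` then presumably travels into the ASFF output, it is worth noting there that consumers should not treat it as a real resource identifier. The rest of `generateJsonAsffOutput` is outside the hunk.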