ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-13 00:05:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore(allowlist): Rename references (#1108)

Browse Source 
* chore(allowlist): rename file

* chore(allowlist): remove old references
This commit is contained in:
Pepe Fagoaga
2022-04-13 11:31:50 +02:00
committed by GitHub
parent c9e282f236
commit d6ade7694e
7 changed files with 17 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
README.md
View File

@@ -33,7 +33,7 @@
- [Advanced Usage](#advanced-usage) - [Advanced Usage](#advanced-usage)
- [Security Hub integration](#security-hub-integration) - [Security Hub integration](#security-hub-integration)
- [CodeBuild deployment](#codebuild-deployment) - [CodeBuild deployment](#codebuild-deployment)
- [Whitelist/allowlist or remove FAIL from resources](#whitelist-or-allowlist-or-remove-a-fail-from-resources) - [Allowlist or remove FAIL from resources](#allowlist-or-allowlist-or-remove-a-fail-from-resources)
- [Fix](#how-to-fix-every-fail) - [Fix](#how-to-fix-every-fail)
- [Troubleshooting](#troubleshooting) - [Troubleshooting](#troubleshooting)
- [Extras](#extras) - [Extras](#extras)
@@ -484,18 +484,18 @@ The Cloud Formation template that helps you doing that is [here](https://github.
> This is a simple solution to monitor one account. For multiples accounts see [Multi Account and Continuous Monitoring](util/org-multi-account/README.md). > This is a simple solution to monitor one account. For multiples accounts see [Multi Account and Continuous Monitoring](util/org-multi-account/README.md).
## Whitelist or allowlist or remove a fail from resources ## Allowlist or remove a fail from resources
Sometimes you may find resources that are intentionally configured in a certain way that may be a bad practice but it is all right with it, for example an S3 bucket open to the internet hosting a web site, or a security group with an open port needed in your use case. Now you can use `-w whitelist_sample.txt` and add your resources as `checkID:resourcename` as in this command: Sometimes you may find resources that are intentionally configured in a certain way that may be a bad practice but it is all right with it, for example an S3 bucket open to the internet hosting a web site, or a security group with an open port needed in your use case. Now you can use `-w allowlist_sample.txt` and add your resources as `checkID:resourcename` as in this command:
``` ```
./prowler -w whitelist_sample.txt ./prowler -w allowlist_sample.txt
``` ```
S3 URIs are also supported as allowlist file, e.g. `s3://bucket/prefix/allowlist_sample.txt` S3 URIs are also supported as allowlist file, e.g. `s3://bucket/prefix/allowlist_sample.txt`
>Make sure that the used credentials have s3:GetObject permissions in the S3 path where the whitelist file is located. >Make sure that the used credentials have s3:GetObject permissions in the S3 path where the allowlist file is located.
Whitelist option works along with other options and adds a `WARNING` instead of `INFO`, `PASS` or `FAIL` to any output format except for `json-asff`. Allowlist option works along with other options and adds a `WARNING` instead of `INFO`, `PASS` or `FAIL` to any output format except for `json-asff`.
## How to fix every FAIL ## How to fix every FAIL
@@ -703,7 +703,7 @@ Current coverage of Amazon Web Service (AWS) taken from [here](https://docs.aws.
| Topic | Service | Trust Boundary | | Topic | Service | Trust Boundary |
|---------------------------------|------------|---------------------------------------------------------------------------| |---------------------------------|------------|---------------------------------------------------------------------------|
| Networking and Content Delivery | Amazon VPC | VPC endpoints connections ([extra786](checks/check_extra786)) | | Networking and Content Delivery | Amazon VPC | VPC endpoints connections ([extra786](checks/check_extra786)) |
| | | VPC endpoints whitelisted principals ([extra787](checks/check_extra787)) | | | | VPC endpoints allowlisted principals ([extra787](checks/check_extra787)) |
All ideas or recommendations to extend this group are very welcome [here](https://github.com/prowler-cloud/prowler/issues/new/choose). All ideas or recommendations to extend this group are very welcome [here](https://github.com/prowler-cloud/prowler/issues/new/choose).

4
whitelist_sample.txt → allowlist_example.txt
View File

@@ -16,12 +16,12 @@ check26:myignoredbucket
#<checkid2>:<resource to ignore 1> #<checkid2>:<resource to ignore 1>
# REGEXES # REGEXES
# This whitelist works with regexes (ERE, the same style of regex as grep -E and bash's =~ use) # This allowlist works with regexes (ERE, the same style of regex as grep -E and bash's =~ use)
# therefore: # therefore:
# extra718:[[:alnum:]]+-logs # will ignore all buckets containing the terms ci-logs, qa-logs, etc. # extra718:[[:alnum:]]+-logs # will ignore all buckets containing the terms ci-logs, qa-logs, etc.
# EXAMPLE: CONTROL TOWER # EXAMPLE: CONTROL TOWER
# When using Control Tower, guardrails prevent access to certain protected resources. The whitelist # When using Control Tower, guardrails prevent access to certain protected resources. The allowlist
# below ensures that warnings instead of errors are reported for the affected resources. # below ensures that warnings instead of errors are reported for the affected resources.
#extra734:aws-controltower-logs-[[:digit:]]+-[[:alpha:]\-]+ #extra734:aws-controltower-logs-[[:digit:]]+-[[:alpha:]\-]+
#extra734:aws-controltower-s3-access-logs-[[:digit:]]+-[[:alpha:]\-]+ #extra734:aws-controltower-s3-access-logs-[[:digit:]]+-[[:alpha:]\-]+

2
checks/check_extra789
View File

@@ -54,7 +54,7 @@ extra789(){
# Algorithm: # Algorithm:
# Remove all trusted ACCOUNT_IDs from ENDPOINT_CONNECTION_LIST. # Remove all trusted ACCOUNT_IDs from ENDPOINT_CONNECTION_LIST.
# As a result, the ENDPOINT_CONNECTION_LIST finally contains only unknown/untrusted account ids. # As a result, the ENDPOINT_CONNECTION_LIST finally contains only unknown/untrusted account ids.
ENDPOINT_CONNECTION_LIST=("${ENDPOINT_CONNECTION_LIST[@]/$ENDPOINT_CONNECTION}") # remove hit from whitelist ENDPOINT_CONNECTION_LIST=("${ENDPOINT_CONNECTION_LIST[@]/$ENDPOINT_CONNECTION}") # remove hit from allowlist
fi fi
done done
done done

2
checks/check_extra790
View File

@@ -12,7 +12,7 @@
# specific language governing permissions and limitations under the License. # specific language governing permissions and limitations under the License.
CHECK_ID_extra790="7.90" CHECK_ID_extra790="7.90"
CHECK_TITLE_extra790="[extra790] Find trust boundaries in VPC endpoint services whitelisted principles" CHECK_TITLE_extra790="[extra790] Find trust boundaries in VPC endpoint services allowlisted principles"
CHECK_SCORED_extra790="NOT_SCORED" CHECK_SCORED_extra790="NOT_SCORED"
CHECK_CIS_LEVEL_extra790="EXTRA" CHECK_CIS_LEVEL_extra790="EXTRA"
CHECK_SEVERITY_extra790="Medium" CHECK_SEVERITY_extra790="Medium"

2
groups/group18_iso27001
View File

@@ -156,7 +156,7 @@ GROUP_CHECKS[18]='check11,check110,check111,check112,check113,check114,check115,
#136 A.13 Communications Security A.13.1 Network Security Management extra778 Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918) #136 A.13 Communications Security A.13.1 Network Security Management extra778 Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918)
#137 A.13 Communications Security A.13.1 Network Security Management extra789 Find trust boundaries in VPC endpoint services connections #137 A.13 Communications Security A.13.1 Network Security Management extra789 Find trust boundaries in VPC endpoint services connections
#138 A.13 Communications Security A.13.1 Network Security Management extra79 Check for internet facing Elastic Load Balancers #138 A.13 Communications Security A.13.1 Network Security Management extra79 Check for internet facing Elastic Load Balancers
#139 A.13 Communications Security A.13.1 Network Security Management extra790 Find trust boundaries in VPC endpoint services whitelisted principles #139 A.13 Communications Security A.13.1 Network Security Management extra790 Find trust boundaries in VPC endpoint services allowlisted principles
#140 A.13 Communications Security A.13.1 Network Security Management extra78 Ensure there are no Public Accessible RDS instances #140 A.13 Communications Security A.13.1 Network Security Management extra78 Ensure there are no Public Accessible RDS instances
#141 A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support extra731 Check if SNS topics have policy set as Public #141 A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support extra731 Check if SNS topics have policy set as Public
#142 A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support extra741 Find secrets in EC2 User Data #142 A.14 System acquisition, dev & maintenance A.14.2 Security in Dev & Support extra741 Find secrets in EC2 User Data

2
include/colors
View File

@@ -70,7 +70,7 @@ printColorsCode(){
echo -e "\n$NORMAL Color code for results: " echo -e "\n$NORMAL Color code for results: "
echo -e " - $NOTICE INFO (Information)$NORMAL" echo -e " - $NOTICE INFO (Information)$NORMAL"
echo -e " - $OK PASS (Recommended value)$NORMAL" echo -e " - $OK PASS (Recommended value)$NORMAL"
echo -e " - $WARNING WARNING (Ignored by whitelist)$NORMAL" echo -e " - $WARNING WARNING (Ignored by allowlist)$NORMAL"
echo -e " - $BAD FAIL (Fix required)$NORMAL" echo -e " - $BAD FAIL (Fix required)$NORMAL"
fi fi
} }

8
include/outputs
View File

@@ -50,7 +50,7 @@ PROWLER_PARAMETERS=$@
# $ACCOUNT_NUM AWS Account ID # $ACCOUNT_NUM AWS Account ID
# $REPREGION AWS region scanned # $REPREGION AWS region scanned
# $TITLE_ID Numeric identifier of each check (1.2, 2.3, etc), originally based on CIS checks. # $TITLE_ID Numeric identifier of each check (1.2, 2.3, etc), originally based on CIS checks.
# $CHECK_RESULT values can be PASS, FAIL, INFO or WARNING if whitelisted # $CHECK_RESULT values can be PASS, FAIL, INFO or WARNING if allowlisted
# $ITEM_SCORED corresponds to CHECK_SCORED, values can be Scored/Not Scored. This is CIS only, will be deprecated in Prowler. # $ITEM_SCORED corresponds to CHECK_SCORED, values can be Scored/Not Scored. This is CIS only, will be deprecated in Prowler.
# $ITEM_CIS_LEVEL corresponds to CHECK_TYPE_ currently only for CIS Level 1, CIS Level 2 and Extras (all checks not part of CIS) # $ITEM_CIS_LEVEL corresponds to CHECK_TYPE_ currently only for CIS Level 1, CIS Level 2 and Extras (all checks not part of CIS)
# $TITLE_TEXT corresponds to CHECK_TITLE_ shows title of each check # $TITLE_TEXT corresponds to CHECK_TITLE_ shows title of each check
@@ -173,11 +173,11 @@ textInfo(){
} }
textFail(){ textFail(){
## ignore whitelists for current check ## ignore allowlists for current check
level="FAIL" level="FAIL"
colorcode="$BAD" colorcode="$BAD"
while read -r excluded_item; do while read -r excluded_item; do
# ignore_check_name is the check with resources whitelisted # ignore_check_name is the check with resources allowlisted
ignore_check_name=$(awk -F ":" '{print $1}' <<< "${excluded_item}") ignore_check_name=$(awk -F ":" '{print $1}' <<< "${excluded_item}")
# Resource value is what it comes after CHECK_NAME: : # Resource value is what it comes after CHECK_NAME: :
resource_value=$(awk -F "$CHECK_NAME:" '{print $2}' <<< "${excluded_item}") resource_value=$(awk -F "$CHECK_NAME:" '{print $2}' <<< "${excluded_item}")
@@ -349,7 +349,7 @@ generateJsonAsffOutput(){
local message=$1 local message=$1
local status=$2 local status=$2
#Checks to determine if the rule passes in a resource name that prowler uses to track the AWS Resource for whitelisting purposes #Checks to determine if the rule passes in a resource name that prowler uses to track the AWS Resource for allowlisting purposes
if [[ -z $3 ]]; then if [[ -z $3 ]]; then
local resource_id="NONE_PROVIDED" local resource_id="NONE_PROVIDED"
else else