feat(vpc): add vpc, nacl or subnet names in findings (#2928)

This commit is contained in:
Sergio Garcia
2023-10-18 16:07:53 +02:00
committed by GitHub
parent 236f57ab0e
commit eb3cb97115
15 changed files with 170 additions and 47 deletions


@@ -15,13 +15,11 @@ class ec2_networkacl_allow_ingress_any_port(Check):
report.resource_arn = network_acl.arn
report.resource_tags = network_acl.tags
report.status = "PASS"
report.status_extended = f"Network ACL {network_acl.id} does not have every port open to the Internet."
report.status_extended = f"Network ACL {network_acl.name if network_acl.name else network_acl.id} does not have every port open to the Internet."
# If some entry allows it, that ACL is not securely configured
if check_network_acl(network_acl.entries, tcp_protocol, check_port):
report.status = "FAIL"
report.status_extended = (
f"Network ACL {network_acl.id} has every port open to the Internet."
)
report.status_extended = f"Network ACL {network_acl.name if network_acl.name else network_acl.id} has every port open to the Internet."
findings.append(report)
return findings
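Review bot: Replacing the ID with the Name tag in the status_extended strings on lines 18 and 25 makes the message ambiguous, because Name tags are not unique and several network ACLs in one account or region can carry the same value; report.resource_id still holds the ID, but anyone reading status_extended on its own can no longer tell which ACL is meant. The tag value is also text set by whoever holds ec2:CreateTags on the resource, so it now flows verbatim into every output format — worth confirming that the CSV/HTML writers escape it, and that a principal with tagging rights alone cannot make a finding read misleadingly. Keeping both identifiers avoids the ambiguity: compute `nacl_label = f"{network_acl.id} ({network_acl.name})" if network_acl.name else network_acl.id` once before the PASS assignment, then `report.status_extended = f"Network ACL {nacl_label} does not have every port open to the Internet."` and the same for the FAIL branch. The enclosing execute() method starts before the hunk.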


@@ -14,12 +14,12 @@ class ec2_networkacl_allow_ingress_tcp_port_22(Check):
report.resource_arn = network_acl.arn
report.resource_tags = network_acl.tags
report.status = "PASS"
report.status_extended = f"Network ACL {network_acl.id} does not have SSH port 22 open to the Internet."
report.status_extended = f"Network ACL {network_acl.name if network_acl.name else network_acl.id} does not have SSH port 22 open to the Internet."
report.resource_id = network_acl.id
# If some entry allows it, that ACL is not securely configured
if check_network_acl(network_acl.entries, tcp_protocol, check_port):
report.status = "FAIL"
report.status_extended = f"Network ACL {network_acl.id} has SSH port 22 open to the Internet."
report.status_extended = f"Network ACL {network_acl.name if network_acl.name else network_acl.id} has SSH port 22 open to the Internet."
findings.append(report)
return findings
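Review bot: The expression `network_acl.name if network_acl.name else network_acl.id` is written out twice here (lines 36 and 42) and again in every other check touched by this commit, so each copy has to be kept in sync by hand. Computing it once per ACL at the top of the loop body, `nacl_label = network_acl.name or network_acl.id`, and using `{nacl_label}` in both f-strings keeps the lines short and makes a later change (for example showing ID and name together) a one-line edit per check; a `display_name` property on the NetworkACL model would remove even that duplication. The execute() method starts before the hunk.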


@@ -14,12 +14,12 @@ class ec2_networkacl_allow_ingress_tcp_port_3389(Check):
report.resource_arn = network_acl.arn
report.resource_tags = network_acl.tags
report.status = "PASS"
report.status_extended = f"Network ACL {network_acl.id} does not have Microsoft RDP port 3389 open to the Internet."
report.status_extended = f"Network ACL {network_acl.name if network_acl.name else network_acl.id} does not have Microsoft RDP port 3389 open to the Internet."
report.resource_id = network_acl.id
# If some entry allows it, that ACL is not securely configured
if check_network_acl(network_acl.entries, tcp_protocol, check_port):
report.status = "FAIL"
report.status_extended = f"Network ACL {network_acl.id} has Microsoft RDP port 3389 open to the Internet."
report.status_extended = f"Network ACL {network_acl.name if network_acl.name else network_acl.id} has Microsoft RDP port 3389 open to the Internet."
findings.append(report)
return findings


@@ -157,10 +157,15 @@ class EC2(AWSService):
if not self.audit_resources or (
is_resource_filtered(arn, self.audit_resources)
):
nacl_name = ""
for tag in nacl.get("Tags", []):
if tag["Key"] == "Name":
nacl_name = tag["Value"]
self.network_acls.append(
NetworkACL(
id=nacl["NetworkAclId"],
arn=arn,
name=nacl_name,
region=regional_client.region,
entries=nacl["Entries"],
tags=nacl.get("Tags"),
@@ -458,6 +463,7 @@ class SecurityGroup(BaseModel):
class NetworkACL(BaseModel):
id: str
arn: str
name: str
region: str
entries: list[dict]
tags: Optional[list] = []
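Review bot: The Name lookup on lines 69–72 stores the tag value verbatim, so a Name tag that is whitespace-only is truthy in the checks and the finding would read "Network ACL    has …" with no usable identifier; `nacl_name = tag["Value"].strip()` keeps the ID fallback working in that case. The same four-line loop is added twice more in the VPC service in this commit, so a small shared helper such as `_get_name_tag(tags: list | None) -> str` would keep the three copies (and the strip behaviour) in sync. Since `name: str` on line 85 has no default, any other place that constructs NetworkACL — tests or fixtures outside this diff, if they exist — now has to pass it, which may be worth checking. The hunk ends inside the NetworkACL(...) call, so the rest of the constructor is not visible here.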


@@ -15,15 +15,11 @@ class networkfirewall_in_all_vpc(Check):
report.resource_arn = vpc.arn
report.resource_tags = vpc.tags
report.status = "FAIL"
report.status_extended = (
f"VPC {vpc.id} does not have Network Firewall enabled."
)
report.status_extended = f"VPC {vpc.name if vpc.name else vpc.id} does not have Network Firewall enabled."
for firewall in networkfirewall_client.network_firewalls:
if firewall.vpc_id == vpc.id:
report.status = "PASS"
report.status_extended = (
f"VPC {vpc.id} has Network Firewall enabled."
)
report.status_extended = f"VPC {vpc.name if vpc.name else vpc.id} has Network Firewall enabled."
break
findings.append(report)
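Review bot: `vpc.name if vpc.name else vpc.id` on lines 99 and 106 is the long form of `vpc.name or vpc.id`; computing it once as `vpc_label = vpc.name or vpc.id` before the FAIL assignment and using `{vpc_label}` in both messages keeps the two strings consistent. As on the other checks, a name-only label cannot distinguish two VPCs that share a Name tag, so showing the ID alongside the name (`f"{vpc.id} ({vpc.name})"` when a name is set) is safer for anyone triaging from status_extended alone. The execute() method starts before the hunk.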


@@ -12,10 +12,14 @@ class vpc_flow_logs_enabled(Check):
report.resource_id = vpc.id
report.resource_arn = vpc.arn
report.status = "FAIL"
report.status_extended = f"VPC {vpc.id} Flow logs are disabled."
report.status_extended = (
f"VPC {vpc.name if vpc.name else vpc.id} Flow logs are disabled."
)
if vpc.flow_log:
report.status = "PASS"
report.status_extended = f"VPC {vpc.id} Flow logs are enabled."
report.status_extended = (
f"VPC {vpc.name if vpc.name else vpc.id} Flow logs are enabled."
)
findings.append(report)


@@ -38,9 +38,14 @@ class VPC(AWSService):
if not self.audit_resources or (
is_resource_filtered(arn, self.audit_resources)
):
vpc_name = ""
for tag in vpc.get("Tags", []):
if tag["Key"] == "Name":
vpc_name = tag["Value"]
self.vpcs[vpc["VpcId"]] = VPCs(
arn=arn,
id=vpc["VpcId"],
name=vpc_name,
default=vpc["IsDefault"],
cidr_block=vpc["CidrBlock"],
region=regional_client.region,
@@ -278,10 +283,15 @@ class VPC(AWSService):
public = True
if "NatGatewayId" in route:
nat_gateway = True
subnet_name = ""
for tag in subnet.get("Tags", []):
if tag["Key"] == "Name":
subnet_name = tag["Value"]
# Add it to to list of vpc_subnets and to the VPC object
object = VpcSubnet(
arn=subnet["SubnetArn"],
id=subnet["SubnetId"],
name=subnet_name,
default=subnet["DefaultForAz"],
vpc_id=subnet["VpcId"],
cidr_block=subnet.get("CidrBlock"),
@@ -310,6 +320,7 @@ class VPC(AWSService):
class VpcSubnet(BaseModel):
arn: str
id: str
name: str
default: bool
vpc_id: str
cidr_block: Optional[str]
@@ -324,6 +335,7 @@ class VpcSubnet(BaseModel):
class VPCs(BaseModel):
arn: str
id: str
name: str
default: bool
cidr_block: str
flow_log: bool = False
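Review bot: The Name-tag loop on lines 134–137 and 149–152 is the same code twice within this file (and a third time in the EC2 service in this commit); a module-level helper, `def _get_name_tag(tags): return next((t["Value"] for t in tags or [] if t["Key"] == "Name"), "")`, called as `name=_get_name_tag(vpc.get("Tags"))` and `name=_get_name_tag(subnet.get("Tags"))`, would remove the duplication and give one place to add `.strip()` if whitespace-only names turn out to matter. `name: str` is added without a default to both VpcSubnet (line 165) and VPCs (line 173), so any other construction site of these models outside the diff, should one exist, now fails validation until it passes a name. Both constructor hunks end inside the VPCs(...) / VpcSubnet(...) calls, so the remaining keyword arguments are not visible here.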


@@ -10,7 +10,9 @@ class vpc_subnet_different_az(Check):
report.region = vpc.region
report.resource_tags = vpc.tags
report.status = "FAIL"
report.status_extended = f"VPC {vpc.id} has no subnets."
report.status_extended = (
f"VPC {vpc.name if vpc.name else vpc.id} has no subnets."
)
report.resource_id = vpc.id
report.resource_arn = vpc.arn
if vpc.subnets:
@@ -21,12 +23,10 @@ class vpc_subnet_different_az(Check):
and subnet.availability_zone != availability_zone
):
report.status = "PASS"
report.status_extended = f"VPC {vpc.id} has subnets in more than one availability zone."
report.status_extended = f"VPC {vpc.name if vpc.name else vpc.id} has subnets in more than one availability zone."
break
availability_zone = subnet.availability_zone
report.status_extended = (
f"VPC {vpc.id} has only subnets in {availability_zone}."
)
report.status_extended = f"VPC {vpc.name if vpc.name else vpc.id} has only subnets in {availability_zone}."
findings.append(report)
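Review bot: The label expression `vpc.name if vpc.name else vpc.id` now appears three times in one method (lines 186, 196 and 202), which is the kind of repetition that drifts when one copy is edited; a single `vpc_label = vpc.name or vpc.id` before the FAIL assignment on line 183 and `{vpc_label}` in the three f-strings fixes that. Note that the FAIL message on line 202 is written after the loop over subnets, so a VPC whose Name tag is shared with another VPC will produce two findings with identical status_extended text — report.resource_id still disambiguates them, but including the ID in the label would make the message self-contained. The execute() method and the subnet loop both start before the hunks shown.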


@@ -14,14 +14,10 @@ class vpc_subnet_no_public_ip_by_default(Check):
report.resource_arn = subnet.arn
if subnet.mapPublicIpOnLaunch:
report.status = "FAIL"
report.status_extended = (
f"VPC subnet {subnet.id} assigns public IP by default."
)
report.status_extended = f"VPC subnet {subnet.name if subnet.name else subnet.id} assigns public IP by default."
else:
report.status = "PASS"
report.status_extended = (
f"VPC subnet {subnet.id} does NOT assign public IP by default."
)
report.status_extended = f"VPC subnet {subnet.name if subnet.name else subnet.id} does NOT assign public IP by default."
findings.append(report)
return findings
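Review bot: For subnets the name-only label on lines 214 and 220 is particularly ambiguous, because subnets are frequently tagged with the same Name across availability zones (one "private"/"public" subnet per AZ is a common layout), so several FAIL findings could read exactly "VPC subnet private assigns public IP by default." with nothing in the message to tell them apart. Keeping the ID in the text, `subnet_label = f"{subnet.id} ({subnet.name})" if subnet.name else subnet.id`, and using `{subnet_label}` in both branches preserves the readability gain without losing the unique identifier. The execute() method starts before the hunk.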


@@ -10,7 +10,9 @@ class vpc_subnet_separate_private_public(Check):
report.region = vpc.region
report.resource_tags = vpc.tags
report.status = "FAIL"
report.status_extended = f"VPC {vpc.id} has no subnets."
report.status_extended = (
f"VPC {vpc.name if vpc.name else vpc.id} has no subnets."
)
report.resource_id = vpc.id
report.resource_arn = vpc.arn
if vpc.subnets:
@@ -19,19 +21,13 @@ class vpc_subnet_separate_private_public(Check):
for subnet in vpc.subnets:
if subnet.public:
public = True
report.status_extended = (
f"VPC {vpc.id} has only public subnets."
)
report.status_extended = f"VPC {vpc.name if vpc.name else vpc.id} has only public subnets."
if not subnet.public:
private = True
report.status_extended = (
f"VPC {vpc.id} has only private subnets."
)
report.status_extended = f"VPC {vpc.name if vpc.name else vpc.id} has only private subnets."
if public and private:
report.status = "PASS"
report.status_extended = (
f"VPC {vpc.id} has private and public subnets."
)
report.status_extended = f"VPC {vpc.name if vpc.name else vpc.id} has private and public subnets."
findings.append(report)
return findings
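Review bot: `vpc.name if vpc.name else vpc.id` is repeated four times in this method (lines 232, 244, 250 and 256); binding it once as `vpc_label = vpc.name or vpc.id` right after `report.status = "FAIL"` on line 229 and using `{vpc_label}` in every message removes the repetition and keeps the four strings from drifting. If the team decides to show ID and name together to keep findings unambiguous when Name tags collide, that becomes a single-line change here instead of four. The execute() method starts before the first hunk, and the second hunk begins inside the `for subnet in vpc.subnets` loop.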