chore(inspector): refactor inspector2_findings_exist check into two (#3338)

Sergio Garcia
2024-02-06 10:32:19 +01:00
committed by GitHub
parent ac44d4a27b
commit f21dcd8122
14 changed files with 505 additions and 570 deletions


@@ -47,7 +47,7 @@ It is a best practice to encrypt both metadata and connection passwords in AWS G
#### Inspector
Amazon Inspector is a vulnerability discovery service that automates continuous scanning for security vulnerabilities within your Amazon EC2, Amazon ECR, and AWS Lambda environments. Prowler recommends to enable it and resolve all the Inspector's findings. Ignoring the unused services, Prowler will only notify you if there are any Lambda functions, EC2 instances or ECR repositories in the region where Amazon inspector should be enabled.
- `inspector2_findings_exist`
- `inspector2_is_enabled`
#### Macie
Amazon Macie is a security service that uses machine learning to automatically discover, classify and protect sensitive data in S3 buckets. Prowler will only create a finding when Macie is not enabled if there are S3 buckets in your account.


@@ -814,7 +814,8 @@
}
],
"Checks": [
"inspector2_findings_exist"
"inspector2_is_enabled",
"inspector2_active_findings_exist"
]
},
{
@@ -1935,7 +1936,8 @@
}
],
"Checks": [
"inspector2_findings_exist"
"inspector2_is_enabled",
"inspector2_active_findings_exist"
]
},
{
@@ -2010,7 +2012,8 @@
}
],
"Checks": [
"inspector2_findings_exist"
"inspector2_is_enabled",
"inspector2_active_findings_exist"
]
},
{


@@ -29,7 +29,8 @@
"securityhub_enabled",
"elbv2_waf_acl_attached",
"guardduty_is_enabled",
"inspector2_findings_exist",
"inspector2_is_enabled",
"inspector2_active_findings_exist",
"awslambda_function_not_publicly_accessible",
"ec2_instance_public_ip"
],
@@ -576,7 +577,8 @@
"config_recorder_all_regions_enabled",
"securityhub_enabled",
"guardduty_is_enabled",
"inspector2_findings_exist"
"inspector2_is_enabled",
"inspector2_active_findings_exist"
],
"Attributes": [
{
@@ -737,7 +739,8 @@
"iam_user_hardware_mfa_enabled",
"iam_user_mfa_enabled_console_access",
"securityhub_enabled",
"inspector2_findings_exist"
"inspector2_is_enabled",
"inspector2_active_findings_exist"
],
"Attributes": [
{
@@ -1892,7 +1895,8 @@
"networkfirewall_in_all_vpc",
"elbv2_waf_acl_attached",
"guardduty_is_enabled",
"inspector2_findings_exist",
"inspector2_is_enabled",
"inspector2_active_findings_exist",
"ec2_networkacl_allow_ingress_any_port",
"ec2_networkacl_allow_ingress_tcp_port_22",
"ec2_networkacl_allow_ingress_tcp_port_3389",


@@ -1,6 +1,6 @@
{
"Provider": "aws",
"CheckID": "inspector2_findings_exist",
"CheckID": "inspector2_active_findings_exist",
"CheckTitle": "Check if Inspector2 findings exist",
"CheckType": [],
"ServiceName": "inspector2",
@@ -13,13 +13,13 @@
"RelatedUrl": "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
"Remediation": {
"Code": {
"CLI": "aws inspector2 enable",
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Inspector/amazon-inspector-findings.html",
"Terraform": ""
},
"Recommendation": {
"Text": "Enable Inspector2",
"Text": "Review the active findings from Inspector2",
"Url": "https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html"
}
},
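Review bot: The CheckTitle on the line right after the renamed CheckID still reads "Check if Inspector2 findings exist", while the check that now carries this metadata only FAILs on findings whose status is ACTIVE (see the new inspector2_active_findings_exist module in this commit), so the title understates what a FAIL means. Suggest `"CheckTitle": "Check if Inspector2 active findings exist"` to match the updated Recommendation text "Review the active findings from Inspector2". The Description field sits outside this hunk and presumably needs the same wording; the emptied CLI remediation is fine since there is no single command that resolves a finding.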


@@ -0,0 +1,33 @@
from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.providers.aws.services.inspector2.inspector2_client import (
inspector2_client,
)
class inspector2_active_findings_exist(Check):
def execute(self):
findings = []
for inspector in inspector2_client.inspectors:
report = Check_Report_AWS(self.metadata())
report.resource_id = inspector.id
report.resource_arn = inspector.arn
report.region = inspector.region
if inspector.status == "ENABLED":
active_findings = 0
report.status = "PASS"
report.status_extended = "Inspector2 is enabled with no findings."
for finding in inspector.findings:
if finding.status == "ACTIVE":
active_findings += 1
if len(inspector.findings) > 0:
report.status_extended = (
"Inspector2 is enabled with no active findings."
)
if active_findings > 0:
report.status = "FAIL"
report.status_extended = (
f"There are {active_findings} ACTIVE Inspector2 findings."
)
findings.append(report)
return findings
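Review bot: The ENABLED branch assigns status_extended three times in sequence (the "no findings" default, then the "no active findings" overwrite when any finding exists, then the FAIL overwrite when an active one is counted), which makes the final message hard to read off the code; a single if/elif/else keyed on the counts is clearer and the manual counter loop collapses to a `sum(...)`. The `len(inspector.findings) > 0` test should be the plain truthiness check `if inspector.findings:`. The `findings.append(report)` must stay inside the ENABLED branch, as the new test with a DISABLED inspector expecting zero results relies on; indentation is not recoverable from the rendered page, so confirm that placement. A docstring on execute() stating that a disabled inspector produces no report here because inspector2_is_enabled covers that case would save the next reader a lookup.
```python
            if inspector.status == "ENABLED":
                active_findings = sum(
                    1 for finding in inspector.findings if finding.status == "ACTIVE"
                )
                # A disabled inspector yields no report here; enablement is
                # reported by inspector2_is_enabled.
                if active_findings:
                    report.status = "FAIL"
                    report.status_extended = (
                        f"There are {active_findings} ACTIVE Inspector2 findings."
                    )
                elif inspector.findings:
                    report.status = "PASS"
                    report.status_extended = (
                        "Inspector2 is enabled with no active findings."
                    )
                else:
                    report.status = "PASS"
                    report.status_extended = "Inspector2 is enabled with no findings."
                findings.append(report)
            # … unchanged: report construction above, return below …
```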


@@ -0,0 +1,30 @@
{
"Provider": "aws",
"CheckID": "inspector2_is_enabled",
"CheckTitle": "Check if Inspector2 is enabled",
"CheckType": [],
"ServiceName": "inspector2",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:inspector2:region:account-id/detector-id",
"Severity": "medium",
"ResourceType": "Other",
"Description": "Check if Inspector2 is enabled",
"Risk": "Without using AWS Inspector, you may not be aware of all the security vulnerabilities in your AWS resources, which could lead to unauthorized access, data breaches, or other security incidents.",
"RelatedUrl": "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
"Remediation": {
"Code": {
"CLI": "aws inspector2 enable",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Inspector/amazon-inspector-findings.html",
"Terraform": ""
},
"Recommendation": {
"Text": "Enable Inspector2",
"Url": "https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html"
}
},
"Categories": [],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
}
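Review bot: The ResourceIdTemplate `"arn:aws:inspector2:region:account-id/detector-id"` does not match the ARN the service now builds for each inspector, `arn:{partition}:inspector2:{region}:{account}:inspector2` with `id="Inspector2"` (see the inspector2_service hunk in this commit); the `/detector-id` suffix reads like a GuardDuty template carried over. Suggest `"ResourceIdTemplate": "arn:partition:inspector2:region:account-id:inspector2"` so the metadata describes the resource_arn that reports actually carry. RelatedUrl also points at the findings-understanding page although this check is about enablement; the what-is-inspector URL already used under Recommendation seems the better fit.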


@@ -7,31 +7,17 @@ from prowler.providers.aws.services.inspector2.inspector2_client import (
)
class inspector2_findings_exist(Check):
class inspector2_is_enabled(Check):
def execute(self):
findings = []
for inspector in inspector2_client.inspectors:
report = Check_Report_AWS(self.metadata())
report.resource_id = inspector2_client.audited_account
report.resource_arn = inspector2_client.audited_account_arn
report.resource_id = inspector.id
report.resource_arn = inspector.arn
report.region = inspector.region
if inspector.status == "ENABLED":
active_findings = 0
report.status = "PASS"
report.status_extended = "Inspector2 is enabled with no findings."
for finding in inspector.findings:
if finding.status == "ACTIVE":
active_findings += 1
if len(inspector.findings) > 0:
report.status_extended = (
"Inspector2 is enabled with no active findings."
)
if active_findings > 0:
report.status = "FAIL"
report.status_extended = (
f"There are {active_findings} ACTIVE Inspector2 findings."
)
findings.append(report)
report.status_extended = "Inspector2 is enabled."
else:
if inspector2_client.audit_info.ignore_unused_services:
funtions_in_region = False
@@ -49,6 +35,6 @@ class inspector2_findings_exist(Check):
):
report.status = "FAIL"
report.status_extended = "Inspector2 is not enabled."
findings.append(report)
findings.append(report)
return findings
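Review bot: The `findings.append(report)` on the last added line replaces an append that sat inside the "Inspector2 is not enabled." FAIL branch, and the ENABLED branch no longer appends on its own, so the append has evidently moved to a shared outer level; if that level is the loop body, a disabled inspector under ignore_unused_services with no functions, instances or repositories in the region would now be appended with no status set, where the old code emitted nothing. The resource-presence checks that decide this are in the middle of execute(), outside this hunk, so confirm the indentation against the full file and the test expecting zero results for that case. While here, the context line `funtions_in_region = False` carries a typo that the new test file will otherwise perpetuate; `functions_in_region = False` (and its later uses) reads better, and `else:` followed by `if inspector2_client.audit_info.ignore_unused_services:` can be a single `elif`.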


@@ -23,7 +23,8 @@ class Inspector2(AWSService):
][0]
self.inspectors.append(
Inspector(
id=self.audited_account,
id="Inspector2",
arn=f"arn:{self.audited_partition}:inspector2:{regional_client.region}:{self.audited_account}:inspector2",
status=batch_get_account_status.get("state").get("status"),
region=regional_client.region,
)
@@ -80,6 +81,7 @@ class InspectorFinding(BaseModel):
class Inspector(BaseModel):
id: str
arn: str
region: str
status: str
findings: list[InspectorFinding] = []
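Review bot: With `id="Inspector2"` every regional inspector now reports the same resource_id, so the only fields that distinguish one region's report from another are the new arn and region; that is workable, but the literal deserves a short comment where it is assigned, e.g. `# Inspector2 has no per-region identifier of its own; the regional ARN below is the unique handle`, because a reader of resource_id alone will assume it is a real AWS identifier. The new `arn: str` field on Inspector is required, so any other code constructing Inspector without it will fail model validation; the new tests pass it, but worth a grep outside this commit. The `__init__` body that builds the ARN starts before this hunk.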


@@ -0,0 +1,303 @@
from unittest import mock
from prowler.providers.aws.services.inspector2.inspector2_service import (
Inspector,
InspectorFinding,
)
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_NUMBER,
AWS_REGION_EU_WEST_1,
set_mocked_aws_audit_info,
)
FINDING_ARN = (
"arn:aws:inspector2:us-east-1:123456789012:finding/0e436649379db5f327e3cf5bb4421d76"
)
class Test_inspector2_active_findings_exist:
def test_enabled_no_finding(self):
# Mock the inspector2 client
inspector2_client = mock.MagicMock
inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audited_account = AWS_ACCOUNT_NUMBER
inspector2_client.audited_account_arn = (
f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
)
inspector2_client.region = AWS_REGION_EU_WEST_1
inspector2_client.inspectors = [
Inspector(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2",
status="ENABLED",
region=AWS_REGION_EU_WEST_1,
findings=[],
)
]
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_active_findings_exist.inspector2_active_findings_exist.inspector2_client",
new=inspector2_client,
):
# Test Check
from prowler.providers.aws.services.inspector2.inspector2_active_findings_exist.inspector2_active_findings_exist import (
inspector2_active_findings_exist,
)
check = inspector2_active_findings_exist()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== "Inspector2 is enabled with no findings."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert (
result[0].resource_arn
== f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2"
)
assert result[0].region == AWS_REGION_EU_WEST_1
def test_enabled_with_no_active_finding(self):
# Mock the inspector2 client
inspector2_client = mock.MagicMock
inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audited_account = AWS_ACCOUNT_NUMBER
inspector2_client.audited_account_arn = (
f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
)
inspector2_client.region = AWS_REGION_EU_WEST_1
inspector2_client.inspectors = [
Inspector(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2",
region=AWS_REGION_EU_WEST_1,
status="ENABLED",
findings=[
InspectorFinding(
arn=FINDING_ARN,
region=AWS_REGION_EU_WEST_1,
severity="MEDIUM",
status="NOT_ACTIVE",
title="CVE-2022-40897 - setuptools",
)
],
)
]
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_active_findings_exist.inspector2_active_findings_exist.inspector2_client",
new=inspector2_client,
):
# Test Check
from prowler.providers.aws.services.inspector2.inspector2_active_findings_exist.inspector2_active_findings_exist import (
inspector2_active_findings_exist,
)
check = inspector2_active_findings_exist()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== "Inspector2 is enabled with no active findings."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert (
result[0].resource_arn
== f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2"
)
assert result[0].region == AWS_REGION_EU_WEST_1
def test_enabled_with_active_finding(self):
# Mock the inspector2 client
inspector2_client = mock.MagicMock
inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audited_account = AWS_ACCOUNT_NUMBER
inspector2_client.audited_account_arn = (
f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
)
inspector2_client.region = AWS_REGION_EU_WEST_1
inspector2_client.inspectors = [
Inspector(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2",
region=AWS_REGION_EU_WEST_1,
status="ENABLED",
findings=[
InspectorFinding(
arn=FINDING_ARN,
region=AWS_REGION_EU_WEST_1,
severity="MEDIUM",
status="ACTIVE",
title="CVE-2022-40897 - setuptools",
)
],
)
]
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_active_findings_exist.inspector2_active_findings_exist.inspector2_client",
new=inspector2_client,
):
# Test Check
from prowler.providers.aws.services.inspector2.inspector2_active_findings_exist.inspector2_active_findings_exist import (
inspector2_active_findings_exist,
)
check = inspector2_active_findings_exist()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== "There are 1 ACTIVE Inspector2 findings."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert (
result[0].resource_arn
== f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2"
)
assert result[0].region == AWS_REGION_EU_WEST_1
def test_enabled_with_active_and_closed_findings(self):
# Mock the inspector2 client
inspector2_client = mock.MagicMock
inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audited_account = AWS_ACCOUNT_NUMBER
inspector2_client.audited_account_arn = (
f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
)
inspector2_client.region = AWS_REGION_EU_WEST_1
inspector2_client.inspectors = [
Inspector(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2",
region=AWS_REGION_EU_WEST_1,
status="ENABLED",
findings=[
InspectorFinding(
arn=FINDING_ARN,
region=AWS_REGION_EU_WEST_1,
severity="MEDIUM",
status="ACTIVE",
title="CVE-2022-40897 - setuptools",
),
InspectorFinding(
arn=FINDING_ARN,
region=AWS_REGION_EU_WEST_1,
severity="MEDIUM",
status="CLOSED",
title="CVE-2022-27404 - freetype",
),
],
)
]
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_active_findings_exist.inspector2_active_findings_exist.inspector2_client",
new=inspector2_client,
):
# Test Check
from prowler.providers.aws.services.inspector2.inspector2_active_findings_exist.inspector2_active_findings_exist import (
inspector2_active_findings_exist,
)
check = inspector2_active_findings_exist()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== "There are 1 ACTIVE Inspector2 findings."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert (
result[0].resource_arn
== f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2"
)
assert result[0].region == AWS_REGION_EU_WEST_1
def test_inspector2_disabled_ignoring(self):
# Mock the inspector2 client
inspector2_client = mock.MagicMock
awslambda_client = mock.MagicMock
awslambda_client.functions = {}
ecr_client = mock.MagicMock
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = mock.MagicMock
ecr_client.registries[AWS_REGION_EU_WEST_1].repositories = []
ec2_client = mock.MagicMock
ec2_client.instances = []
ec2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
ecr_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
awslambda_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audit_info.ignore_unused_services = True
inspector2_client.audited_account = AWS_ACCOUNT_NUMBER
inspector2_client.audited_account_arn = (
f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
)
inspector2_client.region = AWS_REGION_EU_WEST_1
inspector2_client.inspectors = [
Inspector(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2",
status="DISABLED",
region=AWS_REGION_EU_WEST_1,
findings=[],
)
]
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_active_findings_exist.inspector2_active_findings_exist.inspector2_client",
new=inspector2_client,
):
# Test Check
from prowler.providers.aws.services.inspector2.inspector2_active_findings_exist.inspector2_active_findings_exist import (
inspector2_active_findings_exist,
)
check = inspector2_active_findings_exist()
result = check.execute()
assert len(result) == 0
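Review bot: Every test binds `inspector2_client = mock.MagicMock` (and `awslambda_client`, `ecr_client`, `ec2_client` in the last test) without calling it, so the attributes that follow are set on the shared MagicMock class rather than on a fresh instance; in particular `inspector2_client.audit_info.ignore_unused_services = True` in test_inspector2_disabled_ignoring persists for any later test in the session that reads that attribute, making outcomes order dependent. The fix is `inspector2_client = mock.MagicMock()` (and the same for the other three clients). Separately, the fixtures build `Inspector(id=AWS_ACCOUNT_NUMBER, ...)` while the service in this commit sets `id="Inspector2"`, so the `resource_id == AWS_ACCOUNT_NUMBER` assertions pass against the fixture but no longer reflect what the service produces; using `id="Inspector2"` in the fixtures keeps the tests honest about the new resource identity.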


@@ -1,538 +0,0 @@
from unittest import mock
from prowler.providers.aws.services.ecr.ecr_service import Repository
from prowler.providers.aws.services.inspector2.inspector2_service import (
Inspector,
InspectorFinding,
)
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_NUMBER,
AWS_REGION_EU_WEST_1,
set_mocked_aws_audit_info,
)
FINDING_ARN = (
"arn:aws:inspector2:us-east-1:123456789012:finding/0e436649379db5f327e3cf5bb4421d76"
)
class Test_inspector2_findings_exist:
def test_inspector2_disabled(self):
# Mock the inspector2 client
inspector2_client = mock.MagicMock
awslambda_client = mock.MagicMock
ecr_client = mock.MagicMock
ec2_client = mock.MagicMock
ec2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
ecr_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
awslambda_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audited_account = AWS_ACCOUNT_NUMBER
inspector2_client.audited_account_arn = (
f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
)
inspector2_client.region = AWS_REGION_EU_WEST_1
inspector2_client.inspectors = [
Inspector(
id=AWS_ACCOUNT_NUMBER,
status="DISABLED",
region=AWS_REGION_EU_WEST_1,
findings=[],
)
]
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.inspector2_client",
new=inspector2_client,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ecr_client",
new=ecr_client,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ec2_client",
new=ec2_client,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.awslambda_client",
new=awslambda_client,
):
# Test Check
from prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist import (
inspector2_findings_exist,
)
check = inspector2_findings_exist()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== "Inspector2 is not enabled."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert (
result[0].resource_arn
== f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
)
assert result[0].region == AWS_REGION_EU_WEST_1
def test_enabled_no_finding(self):
# Mock the inspector2 client
inspector2_client = mock.MagicMock
awslambda_client = mock.MagicMock
ecr_client = mock.MagicMock
ec2_client = mock.MagicMock
ec2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
ecr_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
awslambda_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audited_account = AWS_ACCOUNT_NUMBER
inspector2_client.audited_account_arn = (
f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
)
inspector2_client.region = AWS_REGION_EU_WEST_1
inspector2_client.inspectors = [
Inspector(
id=AWS_ACCOUNT_NUMBER,
status="ENABLED",
region=AWS_REGION_EU_WEST_1,
findings=[],
)
]
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.inspector2_client",
new=inspector2_client,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ecr_client",
new=ecr_client,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ec2_client",
new=ec2_client,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.awslambda_client",
new=awslambda_client,
):
# Test Check
from prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist import (
inspector2_findings_exist,
)
check = inspector2_findings_exist()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== "Inspector2 is enabled with no findings."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert (
result[0].resource_arn
== f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
)
assert result[0].region == AWS_REGION_EU_WEST_1
def test_enabled_with_no_active_finding(self):
# Mock the inspector2 client
inspector2_client = mock.MagicMock
awslambda_client = mock.MagicMock
ecr_client = mock.MagicMock
ec2_client = mock.MagicMock
ec2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
ecr_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
awslambda_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audited_account = AWS_ACCOUNT_NUMBER
inspector2_client.audited_account_arn = (
f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
)
inspector2_client.region = AWS_REGION_EU_WEST_1
inspector2_client.inspectors = [
Inspector(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION_EU_WEST_1,
status="ENABLED",
findings=[
InspectorFinding(
arn=FINDING_ARN,
region=AWS_REGION_EU_WEST_1,
severity="MEDIUM",
status="NOT_ACTIVE",
title="CVE-2022-40897 - setuptools",
)
],
)
]
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.inspector2_client",
new=inspector2_client,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ecr_client",
new=ecr_client,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ec2_client",
new=ec2_client,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.awslambda_client",
new=awslambda_client,
):
# Test Check
from prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist import (
inspector2_findings_exist,
)
check = inspector2_findings_exist()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== "Inspector2 is enabled with no active findings."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert (
result[0].resource_arn
== f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
)
assert result[0].region == AWS_REGION_EU_WEST_1
def test_enabled_with_active_finding(self):
# Mock the inspector2 client
inspector2_client = mock.MagicMock
awslambda_client = mock.MagicMock
ecr_client = mock.MagicMock
ec2_client = mock.MagicMock
ec2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
ecr_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
awslambda_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audited_account = AWS_ACCOUNT_NUMBER
inspector2_client.audited_account_arn = (
f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
)
inspector2_client.region = AWS_REGION_EU_WEST_1
inspector2_client.inspectors = [
Inspector(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION_EU_WEST_1,
status="ENABLED",
findings=[
InspectorFinding(
arn=FINDING_ARN,
region=AWS_REGION_EU_WEST_1,
severity="MEDIUM",
status="ACTIVE",
title="CVE-2022-40897 - setuptools",
)
],
)
]
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.inspector2_client",
new=inspector2_client,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ecr_client",
new=ecr_client,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ec2_client",
new=ec2_client,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.awslambda_client",
new=awslambda_client,
):
# Test Check
from prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist import (
inspector2_findings_exist,
)
check = inspector2_findings_exist()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== "There are 1 ACTIVE Inspector2 findings."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert (
result[0].resource_arn
== f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
)
assert result[0].region == AWS_REGION_EU_WEST_1
def test_enabled_with_active_and_closed_findings(self):
# Mock the inspector2 client
inspector2_client = mock.MagicMock
awslambda_client = mock.MagicMock
ecr_client = mock.MagicMock
ec2_client = mock.MagicMock
ec2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
ecr_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
awslambda_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audited_account = AWS_ACCOUNT_NUMBER
inspector2_client.audited_account_arn = (
f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
)
inspector2_client.region = AWS_REGION_EU_WEST_1
inspector2_client.inspectors = [
Inspector(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION_EU_WEST_1,
status="ENABLED",
findings=[
InspectorFinding(
arn=FINDING_ARN,
region=AWS_REGION_EU_WEST_1,
severity="MEDIUM",
status="ACTIVE",
title="CVE-2022-40897 - setuptools",
),
InspectorFinding(
arn=FINDING_ARN,
region=AWS_REGION_EU_WEST_1,
severity="MEDIUM",
status="CLOSED",
title="CVE-2022-27404 - freetype",
),
],
)
]
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.inspector2_client",
new=inspector2_client,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ecr_client",
new=ecr_client,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ec2_client",
new=ec2_client,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.awslambda_client",
new=awslambda_client,
):
# Test Check
from prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist import (
inspector2_findings_exist,
)
check = inspector2_findings_exist()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== "There are 1 ACTIVE Inspector2 findings."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert (
result[0].resource_arn
== f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
)
assert result[0].region == AWS_REGION_EU_WEST_1
def test_inspector2_disabled_ignoring(self):
# Mock the inspector2 client
inspector2_client = mock.MagicMock
awslambda_client = mock.MagicMock
awslambda_client.functions = {}
ecr_client = mock.MagicMock
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = mock.MagicMock
ecr_client.registries[AWS_REGION_EU_WEST_1].repositories = []
ec2_client = mock.MagicMock
ec2_client.instances = []
ec2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
ecr_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
awslambda_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audit_info.ignore_unused_services = True
inspector2_client.audited_account = AWS_ACCOUNT_NUMBER
inspector2_client.audited_account_arn = (
f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
)
inspector2_client.region = AWS_REGION_EU_WEST_1
inspector2_client.inspectors = [
Inspector(
id=AWS_ACCOUNT_NUMBER,
status="DISABLED",
region=AWS_REGION_EU_WEST_1,
findings=[],
)
]
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.inspector2_client",
new=inspector2_client,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ecr_client",
new=ecr_client,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ec2_client",
new=ec2_client,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.awslambda_client",
new=awslambda_client,
):
# Test Check
from prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist import (
inspector2_findings_exist,
)
check = inspector2_findings_exist()
result = check.execute()
assert len(result) == 0
def test_inspector2_disabled_ignoring_with_resources(self):
# Mock the inspector2 client
inspector2_client = mock.MagicMock
awslambda_client = mock.MagicMock
awslambda_client.functions = {}
ecr_client = mock.MagicMock
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = mock.MagicMock
repository_name = "test_repo"
repository_arn = (
f"arn:aws:ecr:eu-west-1:{AWS_ACCOUNT_NUMBER}:repository/{repository_name}"
)
repo_policy_public = {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ECRRepositoryPolicy",
"Effect": "Allow",
"Principal": {
"AWS": f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:user/username"
},
"Action": ["ecr:DescribeImages", "ecr:DescribeRepositories"],
}
],
}
ecr_client.registries[AWS_REGION_EU_WEST_1].repositories = [
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION_EU_WEST_1,
scan_on_push=True,
policy=repo_policy_public,
images_details=None,
lifecycle_policy="test-policy",
)
]
ec2_client = mock.MagicMock
ec2_client.instances = []
ec2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
ecr_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
awslambda_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audit_info.ignore_unused_services = True
inspector2_client.audited_account = AWS_ACCOUNT_NUMBER
inspector2_client.audited_account_arn = (
f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
)
inspector2_client.region = AWS_REGION_EU_WEST_1
inspector2_client.inspectors = [
Inspector(
id=AWS_ACCOUNT_NUMBER,
status="DISABLED",
region=AWS_REGION_EU_WEST_1,
findings=[],
)
]
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.inspector2_client",
new=inspector2_client,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ecr_client",
new=ecr_client,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ec2_client",
new=ec2_client,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.awslambda_client",
new=awslambda_client,
):
# Test Check
from prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist import (
inspector2_findings_exist,
)
check = inspector2_findings_exist()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== "Inspector2 is not enabled."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert (
result[0].resource_arn
== f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
)
assert result[0].region == AWS_REGION_EU_WEST_1


@@ -0,0 +1,112 @@
from unittest import mock
from prowler.providers.aws.services.inspector2.inspector2_service import Inspector
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_NUMBER,
AWS_REGION_EU_WEST_1,
set_mocked_aws_audit_info,
)
FINDING_ARN = (
"arn:aws:inspector2:us-east-1:123456789012:finding/0e436649379db5f327e3cf5bb4421d76"
)
class Test_inspector2_is_enabled:
def test_inspector2_disabled(self):
# Mock the inspector2 client
inspector2_client = mock.MagicMock
awslambda_client = mock.MagicMock
ecr_client = mock.MagicMock
ec2_client = mock.MagicMock
ec2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
ecr_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
awslambda_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audited_account = AWS_ACCOUNT_NUMBER
inspector2_client.audited_account_arn = (
f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
)
inspector2_client.region = AWS_REGION_EU_WEST_1
inspector2_client.inspectors = [
Inspector(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2",
status="DISABLED",
region=AWS_REGION_EU_WEST_1,
findings=[],
)
]
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_is_enabled.inspector2_is_enabled.inspector2_client",
new=inspector2_client,
):
# Test Check
from prowler.providers.aws.services.inspector2.inspector2_is_enabled.inspector2_is_enabled import (
inspector2_is_enabled,
)
check = inspector2_is_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert result[0].status_extended == "Inspector2 is not enabled."
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert (
result[0].resource_arn
== f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2"
)
assert result[0].region == AWS_REGION_EU_WEST_1
def test_enabled_no_finding(self):
# Mock the inspector2 client
inspector2_client = mock.MagicMock
inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2_client.audited_account = AWS_ACCOUNT_NUMBER
inspector2_client.audited_account_arn = (
f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
)
inspector2_client.region = AWS_REGION_EU_WEST_1
inspector2_client.inspectors = [
Inspector(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2",
status="ENABLED",
region=AWS_REGION_EU_WEST_1,
findings=[],
)
]
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
):
with mock.patch(
"prowler.providers.aws.services.inspector2.inspector2_is_enabled.inspector2_is_enabled.inspector2_client",
new=inspector2_client,
):
# Test Check
from prowler.providers.aws.services.inspector2.inspector2_is_enabled.inspector2_is_enabled import (
inspector2_is_enabled,
)
check = inspector2_is_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert result[0].status_extended == "Inspector2 is enabled."
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert (
result[0].resource_arn
== f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2"
)
assert result[0].region == AWS_REGION_EU_WEST_1
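Review bot: `inspector2_client = mock.MagicMock` (and the three sibling clients in `test_inspector2_disabled`) binds the MagicMock class itself, not an instance, so every later assignment such as `inspector2_client.inspectors = [...]` and `inspector2_client.audited_account = ...` mutates a class attribute shared by every test in the session; the second test then silently overwrites what the first one set, and any other test module using `mock.MagicMock` sees the leftovers. Each of those lines should read `inspector2_client = mock.MagicMock()` so the state lives on a per-test instance. Separately, `awslambda_client`, `ecr_client` and `ec2_client` are built in `test_inspector2_disabled` but never patched into the check, and `FINDING_ARN` is never referenced; both look like leftovers from the split of `inspector2_findings_exist` and can be dropped so the file documents only what `inspector2_is_enabled` actually depends on. The method name `test_enabled_no_finding` also mentions findings that this check no longer evaluates; `test_inspector2_enabled` would describe the case better.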


@@ -101,7 +101,7 @@ class Test_Inspector2_Service:
audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
inspector2 = Inspector2(audit_info)
assert len(inspector2.inspectors) == 1
assert inspector2.inspectors[0].id == AWS_ACCOUNT_NUMBER
assert inspector2.inspectors[0].id == "Inspector2"
assert inspector2.inspectors[0].region == AWS_REGION_EU_WEST_1
assert inspector2.inspectors[0].status == "ENABLED"