diff --git a/docs/tutorials/check-aliases.md b/docs/tutorials/check-aliases.md new file mode 100644 index 00000000..d94781d8 --- /dev/null +++ b/docs/tutorials/check-aliases.md @@ -0,0 +1,20 @@ +# Check Aliases + +Prowler allows you to use aliases for the checks. You only have to add the `CheckAliases` key to the check's metadata with a list of the aliases: + + "Provider": "", + "CheckID": "", + "CheckTitle": "", + "CheckAliases": [ + "" + "", + ... + ], + ... + +Then, you can execute the check either with its check ID or with one of the previous aliases: +```console +prowler -c/--checks + +Using alias for check ... +``` diff --git a/mkdocs.yml b/mkdocs.yml index da63b9fb..d06c747a 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -37,6 +37,7 @@ nav: - Configuration File: tutorials/configuration_file.md - Logging: tutorials/logging.md - Allowlist: tutorials/allowlist.md + - Check Aliases: tutorials/check-aliases.md - Ignore Unused Services: tutorials/ignore-unused-services.md - Pentesting: tutorials/pentesting.md - Developer Guide: developer-guide/introduction.md diff --git a/prowler/lib/check/check.py b/prowler/lib/check/check.py index 71f80356..daeef528 100644 --- a/prowler/lib/check/check.py +++ b/prowler/lib/check/check.py @@ -289,10 +289,9 @@ def print_checks( f"[{bulk_checks_metadata[check].CheckID}] {bulk_checks_metadata[check].CheckTitle} - {Fore.MAGENTA}{bulk_checks_metadata[check].ServiceName} {Fore.YELLOW}[{bulk_checks_metadata[check].Severity}]{Style.RESET_ALL}" ) except KeyError as error: - logger.critical( + logger.error( f"Check {error} was not found for the {provider.upper()} provider" ) - sys.exit(1) checks_num = len(check_list) plural_string = ( 
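Review bot: In the `except KeyError` branch of `print_checks`, the loop now carries on after logging, but the next statement, `checks_num = len(check_list)`, still counts the names that were not found. The total reported after the listing can therefore be higher than the number of checks actually printed. Counting only known names, e.g. `checks_num = sum(1 for check in check_list if check in bulk_checks_metadata)`, would keep the summary accurate. The function starts before this hunk and continues past it, so how `checks_num` is used afterwards is inferred from the visible names.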
@@ -365,7 +364,7 @@ def list_compliance_modules(): """ list_compliance_modules returns the available compliance frameworks and returns their path """ - # This module path requires the full path includig "prowler." + # This module path requires the full path including "prowler." module_path = "prowler.compliance" return walk_packages( importlib.import_module(module_path).__path__, @@ -375,7 +374,7 @@ def list_compliance_modules(): # List all available modules in the selected provider and service def list_modules(provider: str, service: str): - # This module path requires the full path includig "prowler." + # This module path requires the full path including "prowler." module_path = f"prowler.providers.{provider}.services" if service: module_path += f".{service}" @@ -467,10 +466,9 @@ def execute_checks( # If check does not exists in the provider or is from another provider except ModuleNotFoundError: - logger.critical( + logger.error( f"Check '{check_name}' was not found for the {provider.upper()} provider" ) - sys.exit(1) except Exception as error: logger.error( f"{check_name} - {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" @@ -510,19 +508,17 @@ def execute_checks( checks_executed, ) all_findings.extend(check_findings) - bar() # If check does not exists in the provider or is from another provider except ModuleNotFoundError: - logger.critical( + logger.error( f"Check '{check_name}' was not found for the {provider.upper()} provider" ) - bar.title = f"-> {Fore.RED}Scan was aborted!{Style.RESET_ALL}" - sys.exit(1) except Exception as error: logger.error( f"{check_name} - {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" ) + bar() bar.title = f"-> {Fore.GREEN}Scan completed!{Style.RESET_ALL}" return all_findings diff --git a/prowler/lib/check/checks_loader.py b/prowler/lib/check/checks_loader.py index 1fd2fc70..6a0a92db 100644 --- a/prowler/lib/check/checks_loader.py +++ b/prowler/lib/check/checks_loader.py 
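Review bot: The two `except ModuleNotFoundError` branches in `execute_checks` (the hunk at -467 and the one at -510) now log and continue, and the progress bar still ends on `Scan completed!`. A requested check that could not be loaded is therefore indistinguishable from a clean run unless someone reads the log, which for a security scanner is a coverage gap that passes unnoticed in CI. Collect the skipped names in each branch, for example `checks_not_found.append(check_name)`, and report them after the loop or reflect them in the exit status. `ModuleNotFoundError` is also raised when an import inside an existing check module fails, so "was not found for the provider" can mislead; including the exception's `name` attribute in the message would show which module was missing. Both hunks sit inside a function whose start and end are outside the diff.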
@@ -1,3 +1,5 @@ +from colorama import Fore, Style + from prowler.lib.check.check import ( parse_checks_from_compliance_framework, parse_checks_from_file, @@ -77,4 +79,23 @@ def load_checks_to_execute( check_name = check_info[0] checks_to_execute.add(check_name) + # Get Check Aliases mapping + check_aliases = {} + for check, metadata in bulk_checks_metadata.items(): + for alias in metadata.CheckAliases: + check_aliases[alias] = check + + # Verify if any input check is an alias of another check + for input_check in checks_to_execute: + if ( + input_check in check_aliases + and check_aliases[input_check] not in checks_to_execute + ): + # Remove input check name and add the real one + checks_to_execute.remove(input_check) + checks_to_execute.add(check_aliases[input_check]) + print( + f"\nUsing alias {Fore.YELLOW}{input_check}{Style.RESET_ALL} for check {Fore.YELLOW}{check_aliases[input_check]}{Style.RESET_ALL}...\n" + ) + return checks_to_execute diff --git a/prowler/lib/check/models.py b/prowler/lib/check/models.py index c89d0142..ce4a6d02 100644 --- a/prowler/lib/check/models.py +++ b/prowler/lib/check/models.py @@ -38,6 +38,7 @@ class Check_Metadata_Model(BaseModel): CheckID: str CheckTitle: str CheckType: list[str] + CheckAliases: list[str] = [] ServiceName: str SubServiceName: str ResourceIdTemplate: str diff --git a/prowler/providers/aws/services/apigateway/apigateway_restapi_authorizers_enabled/apigateway_restapi_authorizers_enabled.metadata.json b/prowler/providers/aws/services/apigateway/apigateway_restapi_authorizers_enabled/apigateway_restapi_authorizers_enabled.metadata.json index d615458e..1d8b25f2 100644 --- a/prowler/providers/aws/services/apigateway/apigateway_restapi_authorizers_enabled/apigateway_restapi_authorizers_enabled.metadata.json +++ b/prowler/providers/aws/services/apigateway/apigateway_restapi_authorizers_enabled/apigateway_restapi_authorizers_enabled.metadata.json 
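Review bot: The alias loop added to `load_checks_to_execute` calls `checks_to_execute.remove()` and `.add()` on the collection it is iterating. That collection looks like a set, judging by the `.add` in the context line, so the traversal becomes undefined and entries can be skipped. The alias is also left in place when its target is already selected, because the `not in checks_to_execute` condition guards the removal too; the alias name then reaches `execute_checks` and is reported as a check that was not found. Iterating a snapshot and always discarding the alias fixes both. When `check_aliases` is built it should also reject an alias declared by two checks or equal to a real CheckID, since either silently changes which check runs. The function begins outside this hunk.

```python
    # Verify if any input check is an alias of another check
    # Iterate a snapshot: the set is modified inside the loop
    for input_check in list(checks_to_execute):
        real_check = check_aliases.get(input_check)
        if real_check is None:
            continue
        # Always drop the alias, even when its target is already selected
        checks_to_execute.discard(input_check)
        checks_to_execute.add(real_check)
        # … unchanged: "Using alias … for check …" print, using real_check …
```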
@@ -2,6 +2,9 @@
 "Provider": "aws",
 "CheckID": "apigateway_restapi_authorizers_enabled",
 "CheckTitle": "Check if API Gateway has configured authorizers.",
+ "CheckAliases": [
+ "apigateway_authorizers_enabled"
+ ],
 "CheckType": [
 "IAM"
 ],
diff --git a/prowler/providers/aws/services/apigateway/apigateway_restapi_client_certificate_enabled/apigateway_restapi_client_certificate_enabled.metadata.json b/prowler/providers/aws/services/apigateway/apigateway_restapi_client_certificate_enabled/apigateway_restapi_client_certificate_enabled.metadata.json
index 230a342a..77c5734f 100644
--- a/prowler/providers/aws/services/apigateway/apigateway_restapi_client_certificate_enabled/apigateway_restapi_client_certificate_enabled.metadata.json
+++ b/prowler/providers/aws/services/apigateway/apigateway_restapi_client_certificate_enabled/apigateway_restapi_client_certificate_enabled.metadata.json
@@ -2,6 +2,9 @@
 "Provider": "aws",
 "CheckID": "apigateway_restapi_client_certificate_enabled",
 "CheckTitle": "Check if API Gateway Stage has client certificate enabled to access your backend endpoint.",
+ "CheckAliases": [
+ "apigateway_client_certificate_enabled"
+ ],
 "CheckType": [
 "Data Protection"
 ],
diff --git a/prowler/providers/aws/services/apigateway/apigateway_restapi_logging_enabled/apigateway_restapi_logging_enabled.metadata.json b/prowler/providers/aws/services/apigateway/apigateway_restapi_logging_enabled/apigateway_restapi_logging_enabled.metadata.json
index 8f9e559d..7ccbf0ec 100644
--- a/prowler/providers/aws/services/apigateway/apigateway_restapi_logging_enabled/apigateway_restapi_logging_enabled.metadata.json
+++ b/prowler/providers/aws/services/apigateway/apigateway_restapi_logging_enabled/apigateway_restapi_logging_enabled.metadata.json
@@ -2,6 +2,9 @@
 "Provider": "aws",
 "CheckID": "apigateway_restapi_logging_enabled",
 "CheckTitle": "Check if API Gateway Stage has logging enabled.",
+ "CheckAliases": [
+ "apigateway_logging_enabled"
+ ],
 "CheckType": [
 "Logging and Monitoring"
 ],
diff --git a/prowler/providers/aws/services/apigateway/apigateway_restapi_public/apigateway_restapi_public.metadata.json b/prowler/providers/aws/services/apigateway/apigateway_restapi_public/apigateway_restapi_public.metadata.json
index 4722217f..ee69b7b3 100644
--- a/prowler/providers/aws/services/apigateway/apigateway_restapi_public/apigateway_restapi_public.metadata.json
+++ b/prowler/providers/aws/services/apigateway/apigateway_restapi_public/apigateway_restapi_public.metadata.json
@@ -2,6 +2,9 @@
 "Provider": "aws",
 "CheckID": "apigateway_restapi_public",
 "CheckTitle": "Check if API Gateway endpoint is public or private.",
+ "CheckAliases": [
+ "apigateway_public"
+ ],
 "CheckType": [
 "Infrastructure Security"
 ],
diff --git a/prowler/providers/aws/services/apigateway/apigateway_restapi_public_with_authorizer/apigateway_restapi_public_with_authorizer.metadata.json b/prowler/providers/aws/services/apigateway/apigateway_restapi_public_with_authorizer/apigateway_restapi_public_with_authorizer.metadata.json
index 9640588d..dc68710d 100644
--- a/prowler/providers/aws/services/apigateway/apigateway_restapi_public_with_authorizer/apigateway_restapi_public_with_authorizer.metadata.json
+++ b/prowler/providers/aws/services/apigateway/apigateway_restapi_public_with_authorizer/apigateway_restapi_public_with_authorizer.metadata.json
@@ -2,6 +2,9 @@
 "Provider": "aws",
 "CheckID": "apigateway_restapi_public_with_authorizer",
 "CheckTitle": "Check if API Gateway public endpoint has an authorizer configured.",
+ "CheckAliases": [
+ "apigateway_public_with_authorizer"
+ ],
 "CheckType": [
 "Infrastructure Security"
 ],
diff --git a/prowler/providers/aws/services/apigateway/apigateway_restapi_waf_acl_attached/apigateway_restapi_waf_acl_attached.metadata.json b/prowler/providers/aws/services/apigateway/apigateway_restapi_waf_acl_attached/apigateway_restapi_waf_acl_attached.metadata.json
index d7a2a536..62ba94c6 100644
--- a/prowler/providers/aws/services/apigateway/apigateway_restapi_waf_acl_attached/apigateway_restapi_waf_acl_attached.metadata.json
+++ b/prowler/providers/aws/services/apigateway/apigateway_restapi_waf_acl_attached/apigateway_restapi_waf_acl_attached.metadata.json
@@ -2,6 +2,9 @@
 "Provider": "aws",
 "CheckID": "apigateway_restapi_waf_acl_attached",
 "CheckTitle": "Check if API Gateway Stage has a WAF ACL attached.",
+ "CheckAliases": [
+ "apigateway_waf_acl_attached"
+ ],
 "CheckType": [
 "Infrastructure Security"
 ],
diff --git a/prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_access_logging_enabled/apigatewayv2_api_access_logging_enabled.metadata.json b/prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_access_logging_enabled/apigatewayv2_api_access_logging_enabled.metadata.json
index ee6bd19c..da4337cc 100644
--- a/prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_access_logging_enabled/apigatewayv2_api_access_logging_enabled.metadata.json
+++ b/prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_access_logging_enabled/apigatewayv2_api_access_logging_enabled.metadata.json
@@ -2,6 +2,9 @@
 "Provider": "aws",
 "CheckID": "apigatewayv2_api_access_logging_enabled",
 "CheckTitle": "Ensure API Gateway V2 has Access Logging enabled.",
+ "CheckAliases": [
+ "apigatewayv2_access_logging_enabled"
+ ],
 "CheckType": [
 "IAM"
 ],
diff --git a/prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_authorizers_enabled/apigatewayv2_api_authorizers_enabled.metadata.json b/prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_authorizers_enabled/apigatewayv2_api_authorizers_enabled.metadata.json
index 1a079c39..671c1372 100644
--- a/prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_authorizers_enabled/apigatewayv2_api_authorizers_enabled.metadata.json
+++ b/prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_authorizers_enabled/apigatewayv2_api_authorizers_enabled.metadata.json
@@ -2,6 +2,9 @@
 "Provider": "aws",
 "CheckID": "apigatewayv2_api_authorizers_enabled",
 "CheckTitle": "Checks if API Gateway V2 has configured authorizers.",
+ "CheckAliases": [
+ "apigatewayv2_authorizers_enabled"
+ ],
 "CheckType": [
 "Logging and Monitoring"
 ],