ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-11 07:15:15 +00:00
Code Issues Packages Projects Releases Wiki Activity
1,221 Commits 1 Branch 0 Tags
ba87f437d5c7d406adac80e64535e0857e73e39a
Commit Graph

411 Commits

Author SHA1 Message Date
Nick Malcolm
ba87f437d5 This check will identify IAM Policies which allow an IAM Principal (a Role or User) to escalate their privileges due to insecure STS permissions. It is AWS best practice to only use explicitly defined Resources (Role ARNs) for an sts:AssumeRole action. 
See more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy
 2020-08-20 21:08:00 +12:00
Toni de la Fuente
f5ec2bceda Adding 4 new EKS checks @jonjozwiak 
Adding 4 new EKS checks @jonjozwiak
 2020-07-31 21:40:38 +02:00
Quinn Stevens
93c89530ff Explicitly set output --json for aws call 2020-07-31 20:30:20 +01:00
jonjozwiak
a2c92c2e7b Adding 4 EKS checks 2020-07-31 10:42:16 -05:00
Quinn Stevens
e58d8cbc8d Don't fail check extra737 for keys scheduled for deletion 2020-07-24 12:44:57 +01:00
Toni de la Fuente
9b1c152607 New check extra793 for SSL listeners on load balancers @jonjozwiak 
New check extra793 for SSL listeners on load balancers
 2020-07-21 16:57:20 +02:00
jonjozwiak
6ba9be46fb Adding check for SSL load balancers 2020-07-17 09:59:53 -05:00
jonjozwiak
1c970b0387 extra792 skip check if no HTTPS/SSL Listener and add NLB support 2020-07-16 16:08:33 -05:00
Geert Smelt
d3553b642e Fix listing Elastic IPs if default output format is not JSON 2020-06-26 12:50:09 +02:00
Geert Smelt
63d06212db Fix listing CloudFormation stacks if default output format is not JSON 2020-06-26 11:55:12 +02:00
Geert Smelt
a0c58e1cb2 Fix listing EC2 Security Groups if default output format is not JSON 2020-06-26 11:25:16 +02:00
Geert Smelt
0878511abf Fix listing EC2 instances if default output format is not JSON 2020-06-26 11:16:59 +02:00
Toni de la Fuente
dac24b3aa8 Fix issue #624 ID of check_extra792 2020-06-23 19:34:41 +02:00
jonjozwiak
4db109bb26 Fixing profile and region settings for check_extra792 - ELB SSL ciphers 2020-06-10 15:46:34 -05:00
Toni de la Fuente
26665a4645 Fix extra734 - handle us-east-1 @nimrodkor 
Fix extra734 - handle us-east-1
 2020-06-05 11:09:44 +02:00
Nimrod Kor
4dae0718c1 Fix extra764 - handle us-east-1 & check validity of policy 
(cherry picked from commit 89bd8a90d5767c70a59ab29928501bad3be6ad84)
 2020-06-04 23:18:08 +03:00
Nimrod Kor
ef4d2d33be Fix extra734 - handle us-east-1 
(cherry picked from commit 5f2eb7f82e3814478b380ae5fbb6c8a69536e043)
 2020-06-04 23:15:21 +03:00
Jon Jozwiak
06e81a7f33 Update check_extra792 ASFF resource tye 2020-05-26 09:35:48 -05:00
Jon Jozwiak
70337ecd84 Add ASFF resource type 2020-05-26 09:34:37 -05:00
jonjozwiak
df15388577 Adding insecure SSL checks for CloudFront and CLB/ALB 
(cherry picked from commit c9a60c07a2b5497cbed2d70c53821d826171dd68)
 2020-05-26 16:33:18 +03:00
Toni de la Fuente
c7ed6a6693 Improved region handing for extra734 and extra764 2020-05-19 15:03:42 +02:00
Toni de la Fuente
e0c2ca2436 Fixed issue #596 for extra71 2020-05-11 13:21:06 +02:00
Toni de la Fuente
c79d346961 Fixed issue #596 on check114 2020-05-11 13:16:38 +02:00
Toni de la Fuente
996f785af6 Improve check21 If no account cloudtrail trail is found, check org trail @nimrodkor @bridgecrewio 
check21 - If no account CloudTrail trail is found, check org trail
 2020-04-29 22:24:24 +02:00
Nimrod Kor
dd0ef8c0b4 If no local cloudtrail trail is found - check org trail 2020-04-29 21:39:27 +03:00
Toni de la Fuente
5450bf949e Fix check12's grep to find users with true in their name who really have password access @nimrodkor @bridgecrewio 
Fix check12's grep to find users with true in their name who really have password access @nimrodkor @bridgecrewio
 2020-04-29 13:02:26 +02:00
Toni de la Fuente
1f949b4175 Improved AWS partition handle 2020-04-29 12:06:47 +02:00
Nimrod Kor
dbca70ef2e Add $ to end of regex 2020-04-28 14:28:59 +03:00
Nimrod Kor
54f2b72cb6 Fix check12's grep to find users who really have password access 
(cherry picked from commit 4006c581a06c449b66ede8892b9ae18c735ad34c)
 2020-04-28 14:13:32 +03:00
Toni de la Fuente
13ca147d02 Updated checks with hardcoded arn to support GovCloud partition 2020-04-22 23:23:17 +02:00
Toni de la Fuente
dbb3ed9663 Improved extra734 for GovCloud 2020-04-22 22:19:21 +02:00
Toni de la Fuente
1beb483be3 Fixed issue with govcloud on extra764 #536 2020-04-22 20:40:18 +02:00
Toni de la Fuente
7dc790a3f5 Fixed issue with govcloud on extra764 #536 2020-04-22 20:05:39 +02:00
Toni de la Fuente
b9051e6fc9 Merge pull request #563 from marcjay/correct-check13-496 
Extend check13 to meet all CIS rules and consolidate with extra774
 2020-04-22 10:46:37 +02:00
Toni de la Fuente
92091d9ecd Rollback #562 fix issue #564 2020-04-22 10:31:30 +02:00
Marc Jay
ad66254b45 Extend check13 to meet all CIS rules and consolidate with extra774 
Create `include/check_creds_last_used` and move all logic for checking last usages of passwords and access keys there
Modify check13 and extra774 to call new function, specifying time-range of last 90 days and last 30 days respectively
Modify messages in check14 and check121 so that all mentions of 'access key's are consistent

Fixes #496
 2020-04-21 01:21:55 +01:00
Toni de la Fuente
d6374f8bc8 Updated textInfo message on extra712 2020-04-20 19:27:39 +02:00
Toni de la Fuente
0c7805356e Enhancement: extra712 improved with Macie API call instead of IAM @eko0126 
using api commands to check if macie is enabled instead of looking ia…
 2020-04-20 19:20:13 +02:00
Toni de la Fuente
86ea46d77c Update check_extra712 2020-04-20 19:19:05 +02:00
Toni de la Fuente
38a970f4fc Enhancement: extra768 only check latest version of ECS task definition 
Only check latest version of task definition
 2020-04-20 19:00:26 +02:00
Toni de la Fuente
d02d9e1c95 Merge branch 'extra725' of https://github.com/nalansitan/prowler into nalansitan-extra725 2020-04-20 18:46:39 +02:00
Alex Gray
5b8370179a Get the list of families and then get latest task definition 2020-04-20 09:15:15 -04:00
He.Longfei
b42cc33a6c using api commands to check if macie is enabled instead of looking iam role 2020-04-20 15:01:38 +08:00
Toni de la Fuente
6747b208ce Improved extra716 and extra788 2020-04-17 15:16:55 +02:00
Alex Gray
172f4b2681 Only check latest version of task definition 2020-04-15 15:19:44 -04:00
Toni de la Fuente
3311acf82c Merge branch 'simplify-check-id-variables' of https://github.com/marcjay/prowler into marcjay-simplify-check-id-variables 2020-04-15 00:23:54 +02:00
Toni de la Fuente
973f6b39a0 Merge branch 'master' of https://github.com/toniblyx/prowler 2020-04-14 16:45:54 +02:00
Toni de la Fuente
11c182c5fe Fixed issue with regions on check21 2020-04-14 16:45:37 +02:00
nalansitan
036ae640e5 support arn:aws:s3::: on extra725 2020-04-14 10:38:01 +08:00
Marc Jay
0f49468601 Limit CHECK_ID to a single value, handing the left-pad formatting in one place 
Remove the second entry in any comma-separated check IDs from each check, formatting
the check ID with leading zeros in `include/outputs` if the `-n` flag is active
 2020-04-14 02:02:48 +01:00