ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 06:45:08 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
33c68015017ca16cddb6116fcc0ae63063497ea0
prowler/prowler.py
Nacho Rivera 33c6801501 feat(core): AWS Role Assumption support (#1199) 
* chore(assuming role): assume role logic and exceptions demo

* chore(exceptions): Exception handling

* fix(get_caller_identity): Deleted duplicate get_caller_identity and add info entries

* chore(creds renewal): Added support to credential renewal

* chore(assume options): Added condition for -I/-T options

* fix(typo/comments): Deleted f in logger config and comments

* chore(session_duration): limits for -T option

* fix(log messages): Changed -A/-R log messages

* fix(critical error): Errors in input options are critical

* fix(ClientError): IAM service ClientError exception support
2022-06-16 12:00:46 +02:00

168 lines
4.8 KiB
Python
Raw Blame History

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import argparse
import importlib
import pkgutil
from lib.banner import print_banner, print_version
from lib.logger import logger, logging_levels
from lib.outputs import report
from providers.aws.aws_provider import Input_Data, provider_set_session
def run_check(check):
print(f"\nCheck Name: {check.CheckName}")
findings = check.execute()
report(findings)
def import_check(check_path):
lib = importlib.import_module(f"{check_path}")
return lib
def recover_modules_from_provider(provider):
modules = []
for module_name in pkgutil.walk_packages(
importlib.import_module(f"providers.{provider}.services").__path__,
importlib.import_module(f"providers.{provider}.services").__name__ + ".",
):
if module_name.name.count(".") == 5:
modules.append(module_name.name)
return modules
if __name__ == "__main__":
# start_time = time.time()
parser = argparse.ArgumentParser()
parser.add_argument("provider", help="Specify Provider: AWS")
parser.add_argument(
"-c", "--checks", nargs="+", help="Comma separated list of checks"
)
parser.add_argument(
"-b", "--no-banner", action="store_false", help="Hide Prowler Banner"
)
parser.add_argument(
"-v", "--version", action="store_true", help="Show Prowler version"
)
parser.add_argument(
"--log-level",
choices=["DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"],
default="CRITICAL",
help="Select Log Level",
)
parser.add_argument(
"-p",
"--profile",
nargs="?",
default=None,
help="AWS profile to launch prowler with",
)
parser.add_argument(
"-R",
"--role",
nargs="?",
default=None,
help="Role name to be assumed in account passed with -A",
)
parser.add_argument(
"-A",
"--account",
nargs="?",
default=None,
help="AWS account id where the role passed by -R is assumed",
)
parser.add_argument(
"-T",
"--session-duration",
nargs="?",
default=3600,
type=int,
help="Assumed role session duration in seconds, by default 3600",
)
parser.add_argument(
"-I",
"--external-id",
nargs="?",
default=None,
help="External ID to be passed when assuming role",
)
# Parse Arguments
args = parser.parse_args()
provider = args.provider
checks = args.checks
# Role assumption input options tests
if args.role or args.account:
if not args.account:
logger.critical(
"It is needed to input an Account Id to assume the role (-A option) when an IAM Role is provided with -R"
)
quit()
elif not args.role:
logger.critical(
"It is needed to input an IAM Role name (-R option) when an Account Id is provided with -A"
)
quit()
if args.session_duration not in range(900, 43200):
logger.critical("Value for -T option must be between 900 and 43200")
quit()
if args.session_duration != 3600 or args.external_id:
if not args.account or not args.role:
logger.critical("To use -I/-T options both -A and -R options are needed")
quit()
session_input = Input_Data(
profile=args.profile,
role_name=args.role,
account_to_assume=args.account,
session_duration=args.session_duration,
external_id=args.external_id,
)
# Set Logger
logger.setLevel(logging_levels.get(args.log_level))
if args.version:
print_version()
quit()
if args.no_banner:
print_banner()
# Setting session
provider_set_session(session_input)
# libreria para generar la lista de checks
if checks:
for check in checks:
# Recover service from check name
service = check.split("_")[0]
# Import check module
lib = import_check(
f"providers.{provider}.services.{service}.{check}.{check}"
)
# Recover functions from check
check_to_execute = getattr(lib, check)
c = check_to_execute()
# Run check
run_check(c)
else:
# Get all check modules to run
modules = recover_modules_from_provider(provider)
# Run checks
for check_module in modules:
print(check_module)
# Import check module
lib = import_check(check_module)
# Recover module from check name
check_name = check_module.split(".")[5]
# Recover functions from check
check_to_execute = getattr(lib, check_name)
c = check_to_execute()
# Run check
run_check(c)
Reference in New Issue View Git Blame Copy Permalink