forked from prowler-cloud/prowler
Updating my copy of Prowler to the main version #2
Merged
Co-authored-by: Toni de la Fuente <[email protected]>
* docs(templates): include Codeowners
* docs(templates): update PR template
…ter names (#1020)
* fix(check32): filterName base64encoded to avoid space problems in filter names
* fix(check32): base64 decoding atomic expression
* fix(check32): Variable enclosing
Co-authored-by: Nacho Rivera <nachor1992@gmail>
Co-authored-by: Daniel Lorch <[email protected]>
Co-authored-by: Daniel Lorch <[email protected]>
…block is not executed (#1015)
* Fix: when prowler exits with a non-zero status, the remainder of the block is not executed
* Fix: do not trigger exit code 3 on failed checks, so that the remainder of the block is executed
…nput (#1029)
* fix(include/outputs): Whitelist logic reformulated to exactly match input
* fix(include/outputs): Changed name of iterative variable that browses whitelisted values
* fix(include/outputs): Deleted missing echo and include and put variables in brackets
Since 2.7.0 this template failed:
```
An error occurred (AccessDeniedException) when calling the GetSubscriptionState operation: User: arn:aws:sts::863046042023:assumed-role/prowler-codebuild-role/AWSCodeBuild-2c3151c9-7c5d-4618-94e5-0234bddce775 is not authorized to perform: shield:GetSubscriptionState on resource: arn:aws:shield::863046042023:subscription/* because no identity-based policy allows the shield:GetSubscriptionState action
INFO! No AWS Shield Advanced subscription found. Skipping check.
7.167 [extra7167] Check if Cloudfront distributions are protected by AWS Shield Advanced - shield [Medium]
```
I aligned it with https://github.com/prowler-cloud/prowler/blob/master/iam/prowler-additions-policy.json#L19.
* added check7172 for s3 bucket acls
* Added more errors to error handling and an access check for s3
* Removed extra api call
Co-authored-by: Jeff Maley <[email protected]>
* Fix AccessDenied issue when getting a document
Add check to validate access denied when getting a document from SSM. Add missing action permission to allow ssm:GetDocument.
* Double quote variables to prevent globbing and word splitting
* fix(check41/42): Added tcp protocol filter to query
* Include {} in vars
Co-authored-by: Pepe Fagoaga <[email protected]>
* Include {} in vars
Co-authored-by: Pepe Fagoaga <[email protected]>
Co-authored-by: Pepe Fagoaga <[email protected]>
* fix(include/outputs): Rolling back whitelist checking to RE check
* fix(include/outputs): Clarified variable assignation coming from argument
…ch/OpenSearch checks (#1032)
* Fix CLI query and add error handling
Check extra781, extra782, extra783, extra784 and extra785
* Fix CLI query, add error handling, combine AWS CLI calls when possible
Checks related to Opensearch/ElasticSearch.
* Fix CLI query, add error handling, combine AWS CLI calls when possible
Checks related to Opensearch/ElasticSearch.
* Fix error handling and policy output
* Fix jq filter when Action is an array
Fix jq select condition to handle Action as string or as array. Add error handling. When it fails, print policies as just one line.
* Double quote variables to prevent globbing and word splitting
* Replace comma character from json by word comma
* chore(db providers): db providers first version
* chore(db provider): added db provider setup into Readme
* fix(csv_line): csv_line out of conditional
* fix(README): text instead of varchar in table
* fix(help): help message extended
Co-authored-by: Sergio Garcia <[email protected]>
* fix(typo): Update README.md
Co-authored-by: Pepe Fagoaga <[email protected]>
* fix(table): add if not exists
Co-authored-by: Pepe Fagoaga <[email protected]>
* fix(typo): Readme postgreSQL
Co-authored-by: Pepe Fagoaga <[email protected]>
* fix(db_connector): details to add a new provider
* fix(typo): Uppercase Prowler
Co-authored-by: Toni de la Fuente <[email protected]>
* fix(prowler): deleted unused variable
* chore(checks): test db connector previous to send data
* chore(input tests): input tests moved to main
* fix(typo): Readme typos
* chore(table): table name from pgpass file
* fix(grep test): Added missing -E flag
* chore(table): check of table name and Readme
* chore(error colors): Added error colors
* chore(inputcheck): checks about mode and output inputs into main
* fix(inputs): custom output file name
* fix(outputs): comment profile
* chore(textXXX): both 3 textfunctions using general
* fix(allowlist): allowlist check included as function
* fix(headers): Add headers to certain output files
* fix(reformulate): change structure and delete comments
* fix(testing): Input test after load includes
* fix(variables): Added named vars
* fix(colors): Deleted unused colors
* fix(outputs): fine tuning
* fix(outputs): allowlist parameters read
* fix(allowlist): allowlist logic reformulated
* fix(REPREGION): REPREGION change by REGION_FROM_CHECK
Co-authored-by: Sergio Garcia <[email protected]>
Co-authored-by: Pepe Fagoaga <[email protected]>
Co-authored-by: Toni de la Fuente <[email protected]>
* fix(aws_profile_loader): New functions
* fix(shellcheck): Temporary remove Shellcheck
* fix(aws_cli_detector): new function
* fix(jq_detector): New function
* fix(os_detector): New function
* fix(output_bucket): Output bucket input check in main
* fix(python_detector): deleted unused python detector
* fix(credentials): credentials check out of whoami
* [break]refactor(main)
* [BREAK] Get list of checks parsing all input options
* [break]refactor(main): execute checks functions
* [break]refactor(main): move functions to libs
* fix(validations): custom check validation and typos
* refactor(validate_options): Include comments
* fix(custom_checks): Minor fixes
* refactor(closing_files): include libraries
* refactor(loader): Include ignored checks
* refactor(main): Fix shellcheck
* refactor(loader): beautify
* refactor(monochrome): without variables
* refactor(modes): MODES array not needed
* refactor(whoami): get error from AWSCLI
* refactor(secrets-detector)
* refactor(secrets-detector)
* fix(html_scoring): html scoring was fixed.
* fix(load_checks_from_file)
* fix(color-code): Print if not mono
* fix(not extra): Fixed if EXCLUDE_CHECK_ID is empty
* fix(IFS): Restore default IFS once modes are parsed
* fix(bucket): validate before whoami
* fix(bucket): validate before whoami
Co-authored-by: n4ch04 <[email protected]>
Co-authored-by: sergargar <[email protected]>
Co-authored-by: Nacho Rivera <[email protected]>
* Remove false positive
Exclude distributions that do not support `POST` requests
* fix(extra767): Overall changes
- Quoted and braced variables
- Fix DefaultCacheBehavior twice in an AWS CLI query
- Use regex =~ to match values
* fix(check767): Change textInfo for textPass
* fix(extra767): Include AWS CLI error handling
Co-authored-by: Pepe Fagoaga <[email protected]>
* fix(instance-metadata): Credentials recovering
* fix(expr): Dockerfile to root and expr in SESSION_TIME_REMAINING.
Co-authored-by: Pepe Fagoaga <[email protected]>
Co-authored-by: sergargar <[email protected]>
…commended security protocol (#1203) Co-authored-by: Sergio Garcia <[email protected]>
Co-authored-by: sergargar <[email protected]>
…urity Hub (#1219) Co-authored-by: sergargar <[email protected]>
…d be consider PASS (#1240)
* 365 DAYS or More Retention log group in cloudwatch
* fix(extra7162): Fix comparison errors
Also include minor changes to texts
* fix(extra7162): Set as Pass log groups that never expire
* fix(typo)
Co-authored-by: Pepe Fagoaga <[email protected]>
Co-authored-by: sergargar <[email protected]>
…et should be disabled. (#1233) Co-authored-by: sergargar <[email protected]>
…1238)
* fix(dockerignore): Include files
* fix(dockerfile): Keep python2 and organize
* feat(db-connector): Include postgres dependencies
* feat(dockerfile): Include hadolint pre-commit
* feat(db-connector): Include env variables
* fix(typo)
* fix(psql-test): Remove PGPASSWORD
* fix(postgres): Fix postgres connector issues.
* fix(postgres): Update documentation
Co-authored-by: sergargar <[email protected]>
* add regions to checks
* add root as resource
Co-authored-by: sergargar <[email protected]>
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.