From 24efb34d9119ba2a80a1abec1c64e14373dec90e Mon Sep 17 00:00:00 2001
From: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Date: Tue, 9 Jan 2024 18:08:00 +0100
Subject: [PATCH] chore(manual status): change INFO to MANUAL status (#3254)

---
 docs/developer-guide/checks.md | 2 +-
 docs/tutorials/misc.md | 2 +-
 docs/tutorials/mutelist.md | 2 +-
 prowler/config/config.py | 2 +-
 prowler/lib/banner.py | 2 +-
 prowler/lib/outputs/compliance/compliance.py | 2 +-
 prowler/lib/outputs/html.py | 2 +-
 prowler/lib/outputs/outputs.py | 4 ++--
 prowler/providers/aws/lib/security_hub/security_hub.py | 4 ++--
 .../account_maintain_current_contact_details.py | 4 ++--
 .../account_security_contact_information_is_registered.py | 4 ++--
 ...nt_security_questions_are_registered_in_the_aws_account.py | 4 ++--
 .../cloudtrail_bucket_requires_mfa_delete.py | 2 +-
 .../cloudtrail_logs_s3_bucket_access_logging_enabled.py | 2 +-
 .../cloudtrail_logs_s3_bucket_is_not_publicly_accessible.py | 2 +-
 .../trustedadvisor_errors_and_warnings.py | 2 +-
 tests/lib/outputs/outputs_test.py | 2 +-
 tests/providers/aws/lib/security_hub/security_hub_test.py | 4 ++--
 .../cloudtrail_bucket_requires_mfa_delete_test.py | 4 ++--
 .../cloudtrail_logs_s3_bucket_access_logging_enabled_test.py | 2 +-
 ...oudtrail_logs_s3_bucket_is_not_publicly_accessible_test.py | 2 +-
 .../trustedadvisor_errors_and_warnings_test.py | 2 +-
 22 files changed, 29 insertions(+), 29 deletions(-)

diff --git a/docs/developer-guide/checks.md b/docs/developer-guide/checks.md
index affa6a1d16..9f72221daf 100644
--- a/docs/developer-guide/checks.md
+++ b/docs/developer-guide/checks.md
@@ -102,7 +102,7 @@ All the checks MUST fill the `report.status` and `report.status_extended` with t
 - Status -- `report.status`
 - `PASS` --> If the check is passing against the configured value.
 - `FAIL` --> If the check is passing against the configured value.
- - `INFO` --> This value cannot be used unless a manual operation is required in order to determine if the `report.status` is whether `PASS` or `FAIL`.
+ - `MANUAL` --> This value cannot be used unless a manual operation is required in order to determine if the `report.status` is whether `PASS` or `FAIL`.
 - Status Extended -- `report.status_extended`
 - MUST end in a dot `.`
 - MUST include the service audited with the resource and a brief explanation of the result generated, e.g.: `EC2 AMI ami-0123456789 is not public.`
diff --git a/docs/tutorials/misc.md b/docs/tutorials/misc.md
index c12c94d87e..74fa48dbd6 100644
--- a/docs/tutorials/misc.md
+++ b/docs/tutorials/misc.md
@@ -12,7 +12,7 @@ prowler --verbose
 ## Filter findings by status
 Prowler can filter the findings by their status:
 ```console
-prowler --status [PASS, FAIL, INFO]
+prowler --status [PASS, FAIL, MANUAL]
 ```
 ## Disable Exit Code 3
 Prowler does not trigger exit code 3 with failed checks:
diff --git a/docs/tutorials/mutelist.md b/docs/tutorials/mutelist.md
index b14b265028..8320a4550d 100644
--- a/docs/tutorials/mutelist.md
+++ b/docs/tutorials/mutelist.md
@@ -1,7 +1,7 @@ # Mute Listing
 Sometimes you may find resources that are intentionally configured in a certain way that may be a bad practice but it is all right with it, for example an AWS S3 Bucket open to the internet hosting a web site, or an AWS Security Group with an open port needed in your use case.
-Mute List option works along with other options and adds a `MUTED` instead of `INFO`, `PASS` or `FAIL` to any output format.
+Mute List option works along with other options and adds a `MUTED` instead of `MANUAL`, `PASS` or `FAIL` to any output format.
 You can use `-w`/`--mutelist-file` with the path of your mutelist yaml file, but first, let's review the syntax.
diff --git a/prowler/config/config.py b/prowler/config/config.py
index 73b11da450..b7e66ecf94 100644
--- a/prowler/config/config.py
+++ b/prowler/config/config.py
@@ -22,7 +22,7 @@ gcp_logo = "https://user-images.githubusercontent.com/38561120/235928332-eb4accd
 orange_color = "\033[38;5;208m"
 banner_color = "\033[1;92m"
-finding_statuses = ["PASS", "FAIL", "INFO"]
+finding_statuses = ["PASS", "FAIL", "MANUAL"]
 # Compliance
 actual_directory = pathlib.Path(os.path.dirname(os.path.realpath(__file__)))
diff --git a/prowler/lib/banner.py b/prowler/lib/banner.py
index 6989dce2f1..a60edc9801 100644
--- a/prowler/lib/banner.py
+++ b/prowler/lib/banner.py
@@ -19,7 +19,7 @@ def print_banner(args):
 print(
 f"""
 Color code for results:
-- {Fore.YELLOW}INFO (Information){Style.RESET_ALL}
+- {Fore.YELLOW}MANUAL (Manual check){Style.RESET_ALL}
 - {Fore.GREEN}PASS (Recommended value){Style.RESET_ALL}
 - {orange_color}MUTED (Muted by muted list){Style.RESET_ALL}
 - {Fore.RED}FAIL (Fix required){Style.RESET_ALL}
diff --git a/prowler/lib/outputs/compliance/compliance.py b/prowler/lib/outputs/compliance/compliance.py
index b567546590..b019d8f7e3 100644
--- a/prowler/lib/outputs/compliance/compliance.py
+++ b/prowler/lib/outputs/compliance/compliance.py
@@ -31,7 +31,7 @@ def add_manual_controls(
 manual_finding = Check_Report(
 output_options.bulk_checks_metadata["manual_check"].json()
 )
-manual_finding.status = "INFO"
+manual_finding.status = "MANUAL"
 manual_finding.status_extended = "Manual check"
 manual_finding.resource_id = "manual_check"
 manual_finding.resource_name = "Manual check"
diff --git a/prowler/lib/outputs/html.py b/prowler/lib/outputs/html.py
index 99d76aa117..104f0c12f8 100644
--- a/prowler/lib/outputs/html.py
+++ b/prowler/lib/outputs/html.py
@@ -170,7 +170,7 @@ def add_html_header(file_descriptor, audit_info):
 def fill_html(file_descriptor, finding, output_options):
 try:
 row_class = "p-3 mb-2 bg-success-custom"
-if finding.status == "INFO":
+if finding.status == "MANUAL":
 row_class = "table-info"
 elif finding.status == "FAIL":
 row_class = "table-danger"
diff --git a/prowler/lib/outputs/outputs.py b/prowler/lib/outputs/outputs.py
index e31b9b1f3c..0886632563 100644
--- a/prowler/lib/outputs/outputs.py
+++ b/prowler/lib/outputs/outputs.py
@@ -152,7 +152,7 @@ def report(check_findings, output_options, audit_info):
 file_descriptors["json-ocsf"].write(",")
 else:
 # No service resources in the whole account
-color = set_report_color("INFO")
+color = set_report_color("MANUAL")
 if output_options.verbose:
 print(f"\t{color}INFO{Style.RESET_ALL} There are no resources")
 # Separator between findings and bar
@@ -179,7 +179,7 @@ def set_report_color(status: str) -> str:
 color = Fore.BLACK
 elif status == "MUTED":
 color = orange_color
-elif status == "INFO":
+elif status == "MANUAL":
 color = Fore.YELLOW
 else:
 raise Exception("Invalid Report Status. Must be PASS, FAIL, ERROR or MUTED")
diff --git a/prowler/providers/aws/lib/security_hub/security_hub.py b/prowler/providers/aws/lib/security_hub/security_hub.py
index b301ae90ea..4c7f682a09 100644
--- a/prowler/providers/aws/lib/security_hub/security_hub.py
+++ b/prowler/providers/aws/lib/security_hub/security_hub.py
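Review bot: In the `report` hunk the colour now comes from `set_report_color("MANUAL")`, but the label printed two lines later still reads `INFO`, so the verbose "There are no resources" message mixes the old and new vocabulary. Either make the label follow the status it is coloured as, `print(f"\t{color}MANUAL{Style.RESET_ALL} There are no resources")`, or, since an account with no resources is informational rather than something an operator must check by hand, keep a dedicated colour for this message instead of borrowing the MANUAL one. The body of `report` starts and ends outside the hunk.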
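Review bot: In the `set_report_color` hunk the `else` branch still raises `Invalid Report Status. Must be PASS, FAIL, ERROR or MUTED`, which omits the status accepted in the branch directly above it; it should read `raise Exception("Invalid Report Status. Must be PASS, FAIL, ERROR, MUTED or MANUAL")`. Note also that once `INFO` is no longer matched here, any finding producer outside this diff that still sets `status = "INFO"` will raise from this function rather than be coloured, so a repository-wide search for the old literal is worth doing before merging. `set_report_color` starts outside the hunk.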
@@ -20,8 +20,8 @@ def prepare_security_hub_findings(
 security_hub_findings_per_region[region] = []
 for finding in findings:
-# We don't send the INFO findings to AWS Security Hub
-if finding.status == "INFO":
+# We don't send the MANUAL findings to AWS Security Hub
+if finding.status == "MANUAL":
 continue
 # We don't send findings to not enabled regions
diff --git a/prowler/providers/aws/services/account/account_maintain_current_contact_details/account_maintain_current_contact_details.py b/prowler/providers/aws/services/account/account_maintain_current_contact_details/account_maintain_current_contact_details.py
index 19f1810822..fd9eff4db7 100644
--- a/prowler/providers/aws/services/account/account_maintain_current_contact_details/account_maintain_current_contact_details.py
+++ b/prowler/providers/aws/services/account/account_maintain_current_contact_details/account_maintain_current_contact_details.py
@@ -10,6 +10,6 @@ class account_maintain_current_contact_details(Check):
 report.region = account_client.region
 report.resource_id = account_client.audited_account
 report.resource_arn = account_client.audited_account_arn
-report.status = "INFO"
-report.status_extended = "Manual check: Login to the AWS Console. Choose your account name on the top right of the window -> My Account -> Contact Information."
+report.status = "MANUAL"
+report.status_extended = "Login to the AWS Console. Choose your account name on the top right of the window -> My Account -> Contact Information."
 return [report]
diff --git a/prowler/providers/aws/services/account/account_security_contact_information_is_registered/account_security_contact_information_is_registered.py b/prowler/providers/aws/services/account/account_security_contact_information_is_registered/account_security_contact_information_is_registered.py
index 5e41e8cd6b..f2ac5dd5c5 100644
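Review bot: This account check hunk, together with the two `account_security_*` hunks that follow, changes both `report.status` and the wording of `report.status_extended` (the `Manual check: ` prefix is dropped), yet the diffstat lists no file under tests/providers/aws/services/account. If those tests assert the previous `INFO` status or the old `status_extended` text they will now fail, so please confirm they are either absent or updated in this PR. The `execute` method these lines belong to starts outside the hunk.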
--- a/prowler/providers/aws/services/account/account_security_contact_information_is_registered/account_security_contact_information_is_registered.py
+++ b/prowler/providers/aws/services/account/account_security_contact_information_is_registered/account_security_contact_information_is_registered.py
@@ -10,6 +10,6 @@ class account_security_contact_information_is_registered(Check):
 report.region = account_client.region
 report.resource_id = account_client.audited_account
 report.resource_arn = account_client.audited_account_arn
-report.status = "INFO"
-report.status_extended = "Manual check: Login to the AWS Console. Choose your account name on the top right of the window -> My Account -> Alternate Contacts -> Security Section."
+report.status = "MANUAL"
+report.status_extended = "Login to the AWS Console. Choose your account name on the top right of the window -> My Account -> Alternate Contacts -> Security Section."
 return [report]
diff --git a/prowler/providers/aws/services/account/account_security_questions_are_registered_in_the_aws_account/account_security_questions_are_registered_in_the_aws_account.py b/prowler/providers/aws/services/account/account_security_questions_are_registered_in_the_aws_account/account_security_questions_are_registered_in_the_aws_account.py
index 5b51f7ffdf..1ec4d53723 100644
--- a/prowler/providers/aws/services/account/account_security_questions_are_registered_in_the_aws_account/account_security_questions_are_registered_in_the_aws_account.py
+++ b/prowler/providers/aws/services/account/account_security_questions_are_registered_in_the_aws_account/account_security_questions_are_registered_in_the_aws_account.py
@@ -10,6 +10,6 @@ class account_security_questions_are_registered_in_the_aws_account(Check):
 report.region = account_client.region
 report.resource_id = account_client.audited_account
 report.resource_arn = account_client.audited_account_arn
-report.status = "INFO"
-report.status_extended = "Manual check: Login to the AWS Console as root. Choose your account name on the top right of the window -> My Account -> Configure Security Challenge Questions."
+report.status = "MANUAL"
+report.status_extended = "Login to the AWS Console as root. Choose your account name on the top right of the window -> My Account -> Configure Security Challenge Questions."
 return [report]
diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete.py
index 21582011de..92b0edc1b1 100644
--- a/prowler/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete.py
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete.py
@@ -27,7 +27,7 @@ class cloudtrail_bucket_requires_mfa_delete(Check):
 report.status_extended = f"Trail {trail.name} bucket ({trail_bucket}) has MFA delete enabled."
 # check if trail bucket is a cross account bucket
 if not trail_bucket_is_in_account:
-report.status = "INFO"
+report.status = "MANUAL"
 report.status_extended = f"Trail {trail.name} bucket ({trail_bucket}) is a cross-account bucket in another account out of Prowler's permissions scope, please check it manually."
 findings.append(report)
diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.py
index d7ee50e0a2..74120b782a 100644
--- a/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.py
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.py
@@ -35,7 +35,7 @@ class cloudtrail_logs_s3_bucket_access_logging_enabled(Check):
 # check if trail is delivering logs in a cross account bucket
 if not trail_bucket_is_in_account:
-report.status = "INFO"
+report.status = "MANUAL"
 report.status_extended = f"Trail {trail.name} is delivering logs in a cross-account bucket {trail_bucket} in another account out of Prowler's permissions scope, please check it manually."
 findings.append(report)
diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible.py
index 4577944256..3b6fc76646 100644
--- a/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible.py
@@ -41,7 +41,7 @@ class cloudtrail_logs_s3_bucket_is_not_publicly_accessible(Check):
 break
 # check if trail bucket is a cross account bucket
 if not trail_bucket_is_in_account:
-report.status = "INFO"
+report.status = "MANUAL"
 report.status_extended = f"Trail {trail.name} bucket ({trail_bucket}) is a cross-account bucket in another account out of Prowler's permissions scope, please check it manually."
 findings.append(report)
diff --git a/prowler/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings.py b/prowler/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings.py
index 980735d8ff..459fec488c 100644
--- a/prowler/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings.py
+++ b/prowler/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings.py
@@ -23,7 +23,7 @@ class trustedadvisor_errors_and_warnings(Check):
 findings.append(report)
 else:
 report = Check_Report_AWS(self.metadata())
-report.status = "INFO"
+report.status = "MANUAL"
 report.status_extended = "Amazon Web Services Premium Support Subscription is required to use this service."
 report.resource_id = trustedadvisor_client.audited_account
 report.resource_arn = trustedadvisor_client.audited_account_arn
diff --git a/tests/lib/outputs/outputs_test.py b/tests/lib/outputs/outputs_test.py
index 97f9aca566..bd00f77e55 100644
--- a/tests/lib/outputs/outputs_test.py
+++ b/tests/lib/outputs/outputs_test.py
@@ -1238,7 +1238,7 @@ class Test_Outputs:
 def test_extract_findings_statistics_info_resources(self):
 finding_1 = mock.MagicMock()
-finding_1.status = "INFO"
+finding_1.status = "MANUAL"
 finding_1.resource_id = "test_resource_1"
 finding_2 = mock.MagicMock()
 finding_2.status = "PASS"
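Review bot: In the outputs_test.py hunk the test is still named `test_extract_findings_statistics_info_resources` while the fixture it sets up now uses `MANUAL`; the Security Hub test in this same commit was renamed for exactly this change, so for consistency rename this one too, `def test_extract_findings_statistics_manual_resources(self):`. The rest of the test body and the `Test_Outputs` class lie outside the hunk.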
diff --git a/tests/providers/aws/lib/security_hub/security_hub_test.py b/tests/providers/aws/lib/security_hub/security_hub_test.py
index dad3a7103e..762a418241 100644
--- a/tests/providers/aws/lib/security_hub/security_hub_test.py
+++ b/tests/providers/aws/lib/security_hub/security_hub_test.py
@@ -141,10 +141,10 @@ class Test_SecurityHub:
 ],
 }
-def test_prepare_security_hub_findings_quiet_INFO_finding(self):
+def test_prepare_security_hub_findings_quiet_MANUAL_finding(self):
 enabled_regions = [AWS_REGION_EU_WEST_1]
 output_options = self.set_mocked_output_options(is_quiet=False)
-findings = [self.generate_finding("INFO", AWS_REGION_EU_WEST_1)]
+findings = [self.generate_finding("MANUAL", AWS_REGION_EU_WEST_1)]
 audit_info = set_mocked_aws_audit_info(
 audited_regions=[AWS_REGION_EU_WEST_1, AWS_REGION_EU_WEST_2]
 )
diff --git a/tests/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete_test.py b/tests/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete_test.py
index d47afb2b0a..87410db089 100644
--- a/tests/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete_test.py
+++ b/tests/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete_test.py
@@ -209,7 +209,7 @@ class Test_cloudtrail_bucket_requires_mfa_delete:
 check = cloudtrail_bucket_requires_mfa_delete()
 result = check.execute()
 assert len(result) == 1
-assert result[0].status == "INFO"
+assert result[0].status == "MANUAL"
 assert (
 result[0].status_extended
 == f"Trail {trail_name_us} bucket ({bucket_name_us}) is a cross-account bucket in another account out of Prowler's permissions scope, please check it manually."
@@ -262,7 +262,7 @@ class Test_cloudtrail_bucket_requires_mfa_delete:
 check = cloudtrail_bucket_requires_mfa_delete()
 result = check.execute()
 assert len(result) == 1
-assert result[0].status == "INFO"
+assert result[0].status == "MANUAL"
 assert (
 result[0].status_extended
 == f"Trail {trail_name_us} bucket ({bucket_name_us}) is a cross-account bucket in another account out of Prowler's permissions scope, please check it manually."
diff --git a/tests/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled_test.py b/tests/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled_test.py
index 80efd00474..bbbe4b4c72 100644
--- a/tests/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled_test.py
+++ b/tests/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled_test.py
@@ -220,7 +220,7 @@ class Test_cloudtrail_logs_s3_bucket_access_logging_enabled:
 result = check.execute()
 assert len(result) == 1
-assert result[0].status == "INFO"
+assert result[0].status == "MANUAL"
 assert search(
 "in another account out of Prowler's permissions scope, please check it manually",
 result[0].status_extended,
diff --git a/tests/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible_test.py b/tests/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible_test.py
index d27354ee8c..e1a682fd80 100644
--- a/tests/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible_test.py
+++ b/tests/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible_test.py
@@ -284,7 +284,7 @@ class Test_cloudtrail_logs_s3_bucket_is_not_publicly_accessible:
 result = check.execute()
 assert len(result) == 1
-assert result[0].status == "INFO"
+assert result[0].status == "MANUAL"
 assert result[0].resource_id == trail_name_us
 assert result[0].resource_arn == trail_us["TrailARN"]
 assert search(
diff --git a/tests/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings_test.py b/tests/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings_test.py
index 53250fc585..5c6f95d140 100644
--- a/tests/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings_test.py
+++ b/tests/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings_test.py
@@ -31,7 +31,7 @@ class Test_trustedadvisor_errors_and_warnings:
 check = trustedadvisor_errors_and_warnings()
 result = check.execute()
 assert len(result) == 1
-assert result[0].status == "INFO"
+assert result[0].status == "MANUAL"
 assert (
 result[0].status_extended
 == "Amazon Web Services Premium Support Subscription is required to use this service."