* chore(inventory): option included in main
* chore(inventory): quick inventory
* chore(inventory): functional version
* chore(inventory): functional version without echo
* Update include/quick_inventory
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
* Update prowler
Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
* Added new line at report line
* Added more information from IAM
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
* chore(inventory): option included in main
* chore(inventory): quick inventory
* chore(inventory): functional version
* chore(inventory): functional version without echo
* Update include/quick_inventory
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
* Update prowler
Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
* Added new line at report line
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
* fix(aws_profile_loader): New functions
* fix(shellcheck): Temporary remove Shellcheck
* fix(aws_cli_detector): new function
* fix(jq_detector): New function
* fix(os_detector): New function
* fix(output_bucket): Output bucket input check in main
* fix(python_detector): deleted unused python detector
* fix(credentials): credentials check out of whoami
* [break]refactor(main)
* [BREAK] Get list of checks parsing all input options
* [break]refactor(main): execute checks functions
* [break]refactor(main): move functions to libs
* fix(validations): custom check validation and typos
* refactor(validate_options): Include comments
* fix(custom_checks): Minor fixes
* refactor(closing_files): include libraries
* refactor(loader): Include ignored checks
* refactor(main): Fix shellcheck
* refactor(loader): beautify
* refactor(monochrome): without variables
* refactor(modes): MODES array not needed
* refactor(whoami): get error from AWSCLI
* refactor(secrets-detector)
* refactor(secrets-detector)
* fix(html_scoring): html scoring was fixed.
* fix(load_checks_from_file)
* fix(color-code): Print if not mono
* fix(not extra): Fixed if EXCLUDE_CHECK_ID is empty
* fix(IFS): Restore default IFS once modes are parsed
* fix(bucket): validate before whoami
* fix(bucket): validate before whoami
Co-authored-by: n4ch04 <nachor1992@gmail.com>
Co-authored-by: sergargar <sergio@verica.io>
Co-authored-by: Nacho Rivera <59198746+n4ch04@users.noreply.github.com>
* chore(db providers): db providers first version
* chore(db provider): added db provider setup into Readme
* fix(csv_line): csv_line out of conditional
* fix(README): text instead of varchar in table
* fix(help): help message extended
Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
* fix(typo): Update README.md
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
* fix(table): add if not exists
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
* fix(typo): Readme postgreSQL
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
* fix(db_connector): details to add a new provider
* fix(typo): Uppercase Prowler
Co-authored-by: Toni de la Fuente <toni@blyx.com>
* fix(prowler): deleted unused variable
* chore(checks): test db connector previous to send data
* chore(input tests): input tests moved to main
* fix(typo): Readme typos
* chore(table): table name from pgpass file
* fix(grep test): Added missing -E flag
* chore(table): check of table name and Readme
* chore(error colors): Added error colors
* chore(inputcheck): checks about mode and output inputs into main
* fix(inputs) custom output file name
* fix(outputs): comment profile
* chore(textXXX): both 3 textfunctions using general
* fix(allowlist): allowlist check included as function
* fix(headers): Add headers to certain output files
* fix(reformulate): change structure and delete comments
* fix(testing): Input test after load includes
* fix(variables): Added named vars
* fix(colors): Deleted unused colors
* fix(outputs): fine tuning
* fix(outputs): allowlist parameters read
* fix(allowlist): allowlist logic reformulated
* fix(REPREGION): REPREGION change by REGION_FROM_CHECK
Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
Co-authored-by: Toni de la Fuente <toni@blyx.com>
* chore(db providers): db providers first version
* chore(db provider): added db provider setup into Readme
* fix(csv_line): csv_line out of conditional
* fix(README): text instead of varchar in table
* fix(help): help message extended
Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
* fix(typo): Update README.md
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
* fix(table): add if not exists
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
* fix(typo): Readme postgreSQL
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
* fix(db_connector): details to add a new provider
* fix(typo): Uppercase Prowler
Co-authored-by: Toni de la Fuente <toni@blyx.com>
* fix(prowler): deleted unused variable
* chore(checks): test db connector previous to send data
* chore(input tests): input tests moved to main
* fix(typo): Readme typos
* chore(table): table name from pgpass file
* fix(grep test): Added missing -E flag
* chore(table): check of table name and Readme
* chore(error colors): Added error colors
* fix(tablename): table name in readme
* fix(typo)
* fix(db_provider): Exact match
* fix(error): One line message
* chore(pgpass check): Check added for pgpass file
* fix(pgpass): pgpass file and permissions test
* fix(unused vars): Deleted unused vars
* fix(TOP_PID): Deleted TOP_PID unused var and comment
* chore(db tests): Credentials, database and table tests added
* fix(empty pgpass): Look for empty fields at pgpass file
Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
Co-authored-by: Toni de la Fuente <toni@blyx.com>
* Add support for organizations accounts metadata part 1
* Add support for organizations accounts metadata part 2
* Add gathering account metadata from org
* chore(prowler): get accounts metadata
Use assume_role backing up normal assumed credentials to assume management account and then restore it to old ones
* fix(orgs metadata): deleted assume_role_orgs
* refactor(organization_metadata)
Reformulate to extract AWS Organizations metadata
* doc(org_metadata): include required -R in usage
* docs(org-metadata): Update README
Co-authored-by: n4ch04 <nachor1992@gmail.com>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
* fix(inlcude/outputs) Whitelist logic reformulated to exactly match input
* fix(include/outputs): Changed name of iterative variable that browses whitelisted values
* fix(include/outputs): Deleted missing echo and include and put variables in brackets
* Extra7161 EFS encryption at rest check
* Added check_extra7162 which checks if Log groups have 365 days retention
* fixed code to handle all regions and formatted output
* changed check title, resource type and service name as well as making the code more dynamic
* Extra7161 EFS encryption at rest check
* New check_extra7163 Secrets Manager key rotation enabled
* New check7160 Enabled AutomaticVersionUpgrade on RedShift Cluster
* Update ProwlerRole.yaml to have same permissions as util/org-multi-account/ProwlerRole.yaml
* Fix link to quicksight dashboard
* Install detect-secrets (e.g. for check_extra742)
* Updating check_extra7163 with requested changes
* fix(assumed-role): Check if -T and -A options are set
* docs(Readme): `-T` option is not mandatory
* fix(assume-role): Handle AWS STS CLI errors
* fix(assume-role): Handle AWS STS CLI errors
* Update group25_FTR
When trying to run the group 25 (Amazon FTR related security checks) nothing happens, after looking at the code there is a misconfiguration in 2 params: GROUP_RUN_BY_DEFAULT[9] and GROUP_CHECKS[9]. Updating values to 25 fixed the issue.
* Update README.md
broken link for capital letters in group file (group25_FTR)
* #938 issue assume_role multiple times should be fixed
* Label 2.7.0-1December2021 for tests
* Fixed error that appeared if the number of findings was very high.
* Adjusted the batch to only do 50 at a time. 100 caused capacity issues. Also added a check for an edge case where if the updated findings was a multiple of the batch size, it would throw an error for attempting to import 0 findings.
* Added line to delete the temp folder after everything is done.
* New check 7164 Check if Cloudwatch log groups are protected by AWS KMS@maisenhe
* updated CHECK_RISK
* Added checks extra7160,extra7161,extra7162,extra7163 to group Extras
* Added checks extra7160,extra7161,extra7162,extra7163 to group Extras
* Added issue templates
* New check 7165 DynamoDB: DAX encrypted at rest @Daniel-Peladeau
* New check 7165 DynamoDB: DAX encrypted at rest @Daniel-Peladeau
* Fix#963 check 792 to force json in ELB queries
* Fix#957 check 763 had us-east-1 region hardcoded
* Fix#962 check 7147 ALTERNATE NAME
* Fix#940 handling error when can not list functions
* Added new checks 7164 and 7165 to group extras
* Added invalid check or group id to the error message #962
* Fix Broken Link
* Add docker volume example to README.md
* Updated Dockerfile to use amazonlinux container
* Updated Dockerfile with AWS cli v2
* Added upgrade to the RUN
* Added cache purge to Dockerfile
* Backup AWS Credentials before AssumeRole and Restore them before CopyToS3
* exporting the ENV variables
* fixed bracket
* Improved documentation for install process
* fix checks with comma issues
* Added -D option to copy to S3 with the initial AWS credentials
* Cosmetic variable name change
* Added $PROFILE_OPT to CopyToS3 commands
* remove commas
* removed file as it is not needed
* Improved help usage options -h
* Fixed CIS LEVEL on 7163 through 7165
* When performing a restoreInitialAWSCredentials, unset the credentials ENV variables if they were never set
* New check 7166 Elastic IP addresses with associations are protected by AWS Shield Advanced
* New check 7167 Cloudfront distributions are protected by AWS Shield Advanced
* New check 7168 Route53 hosted zones are protected by AWS Shield Advanced
* New check 7169 Global accelerators are protected by AWS Shield Advanced
* New check 7170 Application load balancers are protected by AWS Shield Advanced
* New check 7171 Classic load balancers are protected by AWS Shield Advanced
* Include example for global resources
* Add AWS Advance Shield protection checks corrections
* Added Shield actions GetSubscriptionState and DescribeProtection
* Added Shield actions GetSubscriptionState and DescribeProtection
* docs(templates): Improve bug template with more info (#982)
* Removed echoes after role chaining fix
* Changed Route53 checks7152 and 7153 to INFO when no domains found
* Changed Route53 checks 7152 and 7153 title to clarify
* Added passed security groups in output to check 778
* Added passed security groups and updated title to check 777
* Added FAIL as error handling when SCP prevents queries to regions
* Label version 2.7.0-6January2022
* Updated .dockerignore with .github/
* Fix: issue #758 and #984
* Fix: issue #741 CloudFront and real-time logs
* Fix issues #971 set all as INFO instead of FAIL when no access to resource
* Fix: issue #986
* Add additional action permissions for Glue and Shield Advanced checks @lazize
* Add extra shield action permission
Allows the shield:GetSubscriptionState action
* Add permission actions
Make sure all files where permission actions are necessary will have the same actions
* Fix: Credential chaining from environment variables @lazize #996f
If profile is not defined, restore original credentials from environment variables,
if they exists, before assume-role
* Lable version 2.7.0-24January2022
Co-authored-by: Lee Myers <ichilegend@gmail.com>
Co-authored-by: Chinedu Obiakara <obiakac@amazon.com>
Co-authored-by: Daniel Peladeau <dcpeladeau@gmail.com>
Co-authored-by: Jonathan Lozano <jonloza@amazon.com>
Co-authored-by: Daniel Lorch <dlorch@gmail.com>
Co-authored-by: Pepe Fagoaga <jose.fagoaga@smartprotection.com>
Co-authored-by: Israel <6672089+lopmoris@users.noreply.github.com>
Co-authored-by: root <halfluke@gmail.com>
Co-authored-by: nikirby <nikirby@amazon.com>
Co-authored-by: Joel Maisenhelder <maisenhe@gmail.com>
Co-authored-by: RT <35173068+rtcms@users.noreply.github.com>
Co-authored-by: Andrea Di Fabio <39841198+sectoramen@users.noreply.github.com>
Co-authored-by: Joseph de CLERCK <clerckj@amazon.fr>
Co-authored-by: Michael Dickinson <45626543+michael-dickinson-sainsburys@users.noreply.github.com>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
Co-authored-by: Leonardo Azize Martins <lazize@users.noreply.github.com>