Compare commits



11 changed files with 36 additions and 18 deletions
+7 -3
@@ -3,7 +3,7 @@
<img align="center" src="docs/images/prowler-pro-light.png#gh-light-mode-only" width="15%" height="15%">
</p>
<p align="center">
<b><i>&nbsp&nbsp&nbspExplore the Pro version of Prowler at <a href="https://prowler.pro">prowler.pro</a></i></b>
<b><i>&nbsp&nbsp&nbsp See all the things you and your team can do with ProwlerPro at <a href="https://prowler.pro">prowler.pro</a></i></b>
</p>
<hr>
<p align="center">
@@ -366,7 +366,11 @@ Install psql
#### Audit ID Field
Prowler can add an optional `audit_id` field to identify each audit that has been made in the database. You can do this by adding the `-u audit_id` flag to the prowler command.
To use Prowler postgres connector it is needed to set the -u flag to include `audit_id` field into the query. This field helps to identify each audit that has been made in the database. This field needs to be an UUID V4 to match the table schema.
For example:
```
./prowler -M csv -d postgresql -u e5a0f214-8bf9-4600-a0c3-ff659b30e6c0
```
#### Credentials
@@ -427,7 +431,7 @@ prowler_start_time text
```
- Execute Prowler with `-d` flag, for example:
`./prowler -M csv -d postgresql`
`./prowler -M csv -d postgresql -u e5a0f214-8bf9-4600-a0c3-ff659b30e6c0`
> _Note_: This command creates a `csv` output file and stores the Prowler output in the configured PostgreSQL DB. It's an example, `-d` flag **does not** require `-M` to run.
## Output Formats
+1 -1
@@ -32,7 +32,7 @@ check122(){
for policy in $LIST_CUSTOM_POLICIES; do
POLICY_ARN=$(awk 'BEGIN{FS=OFS=","}{NF--; print}' <<< "${policy}")
POLICY_VERSION=$(awk -F ',' '{print $(NF)}' <<< "${policy}")
POLICY_WITH_FULL=$($AWSCLI iam get-policy-version --output text --policy-arn $POLICY_ARN --version-id $POLICY_VERSION --query "[PolicyVersion.Document.Statement] | [] | [?Action!=null] | [?Effect == 'Allow' && Resource == '*' && Action == '*']" $PROFILE_OPT --region $REGION)
POLICY_WITH_FULL=$($AWSCLI iam get-policy-version --output text --policy-arn $POLICY_ARN --version-id $POLICY_VERSION --query "[PolicyVersion.Document.Statement] | [] | [?Action!=null] | [?Effect == 'Allow' && Resource == '*' && contains(Action, '*')]" $PROFILE_OPT --region $REGION)
if [[ $POLICY_WITH_FULL ]]; then
POLICIES_ALLOW_LIST="$POLICIES_ALLOW_LIST $POLICY_ARN"
else
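Review bot: `contains(Action, '*')` on the new query line behaves differently depending on whether `Action` is a string or a list: JMESPath `contains` is a substring test on strings, so a single-string action such as `"s3:*"` or `"iam:Get*"` combined with `Resource == '*'` is now reported as a full `*:*` administrative policy, while for a list it correctly requires an element equal to `'*'`. To keep the list fix without the string false positives, guard the substring case by type: `[?Effect == 'Allow' && Resource == '*' && (Action == '*' || (type(Action) == 'array' && contains(Action, '*')))]`. `Resource` can likewise be a list (`["*"]`), which this expression still misses; the same `type()`-guarded `contains` would cover it if that is in scope for the check. check122 starts before the hunk, so the handling of `POLICY_WITH_FULL` being empty versus non-empty is only partly visible here.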
+5
@@ -57,6 +57,11 @@ check23(){
textInfo "$regx: Trail ${TRAIL_NAME} with home region ${TRAIL_HOME_REGION} Access Denied getting bucket location for bucket $TRAIL_BUCKET" "$regx" "$TRAIL_NAME"
continue
fi
if [[ $(echo "$BUCKET_LOCATION" | grep NoSuchBucket) ]]
then
textInfo "$regx: Trail ${TRAIL_NAME} with home region ${TRAIL_HOME_REGION} S3 logging bucket $TRAIL_BUCKET does not exist" "$regx" "$TRAIL_NAME"
continue
fi
if [[ $BUCKET_LOCATION == "None" ]]; then
BUCKET_LOCATION="us-east-1"
fi
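Review bot: The new NoSuchBucket branch reports a trail whose logging bucket no longer exists as `textInfo` and skips it, but that condition means the trail is delivering logs nowhere, and since S3 bucket names are global an unregistered name can be claimed by any account, which would then start receiving this account's CloudTrail logs once it attaches a bucket policy allowing delivery. Treating it as a finding rather than information seems more in line with the check's purpose: `textFail "$regx: Trail ${TRAIL_NAME} with home region ${TRAIL_HOME_REGION} S3 logging bucket $TRAIL_BUCKET does not exist" "$regx" "$TRAIL_NAME"`. The `grep NoSuchBucket` test only works if `$BUCKET_LOCATION` captured stderr (where the CLI prints that error); its assignment, and the rest of check23, lie outside this hunk, so that is worth confirming.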
+2 -2
@@ -21,8 +21,8 @@ CHECK_ALTERNATE_check71="extra71"
CHECK_ALTERNATE_check701="extra71"
CHECK_ASFF_COMPLIANCE_TYPE_extra71="ens-op.exp.10.aws.trail.2"
CHECK_SERVICENAME_extra71="iam"
CHECK_RISK_extra71='Policy "may" allow Anonymous users to perform actions.'
CHECK_REMEDIATION_extra71='Ensure this repository and its contents should be publicly accessible.'
CHECK_RISK_extra71='Any user with AdministratorAccess is allowed to perform any action on an AWS account, so it needs to have a multi factor authentication enabled to avoid impersonation through a potential credentials leak'
CHECK_REMEDIATION_extra71='Enable MFA for users belonging to groups with AdministratorAccess policies'
CHECK_DOC_extra71='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html'
CHECK_CAF_EPIC_extra71='Infrastructure Security'
+3 -3
@@ -18,15 +18,15 @@ CHECK_SEVERITY_extra7131="Low"
CHECK_ASFF_RESOURCE_TYPE_extra7131="AwsRdsDbInstance"
CHECK_ALTERNATE_check7131="extra7131"
CHECK_SERVICENAME_extra7131="rds"
CHECK_RISK_extra7131='Auto Minor Version Upgrade is a feature that you can enable to have your database automatically upgraded when a new minor database engine version is available. Minor version upgrades often patch security vulnerabilities and fix bugs; and therefor should be applied.'
CHECK_REMEDIATION_extra7131='Enable auto minor version upgrade for all databases and environments.'
CHECK_RISK_extra7131='Auto Minor Version Upgrade is a feature that you can enable to have your relational database automatically upgraded when a new minor database engine version is available. Minor version upgrades often patch security vulnerabilities and fix bugs; and therefor should be applied.'
CHECK_REMEDIATION_extra7131='Enable auto minor version upgrade for all relational databases and environments.'
CHECK_DOC_extra7131='https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/'
CHECK_CAF_EPIC_extra7131='Infrastructure Security'
extra7131(){
for regx in $REGIONS; do
# LIST_OF_RDS_PUBLIC_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[?PubliclyAccessible==`true` && DBInstanceStatus==`"available"`].[DBInstanceIdentifier,Endpoint.Address]' --output text)
LIST_OF_RDS_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[*].[DBInstanceIdentifier,AutoMinorVersionUpgrade]' --output text 2>&1)
LIST_OF_RDS_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query "DBInstances[?Engine != 'docdb'].[DBInstanceIdentifier,AutoMinorVersionUpgrade]" --output text 2>&1)
if [[ $(echo "$LIST_OF_RDS_INSTANCES" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
textInfo "$regx: Access Denied trying to describe DB instances" "$regx"
continue
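Review bot: The rewritten `CHECK_RISK_extra7131` line carries over the typo "therefor" from the old text; since the string is being edited anyway, it should read `... fix bugs; and therefore should be applied.'`. The `Engine != 'docdb'` filter on the describe call is reasonable, as DocumentDB is surfaced by the RDS API but does not honour the auto-minor-upgrade flag; if other non-RDS engines returned by `describe-db-instances` turn out to ignore it as well, they would need the same exclusion, which I cannot confirm from here. The loop body continues past the end of the hunk.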
+1 -1
@@ -32,7 +32,7 @@
CHECK_ID_extra7195="7.195"
CHECK_TITLE_extra7195="[check7195] Ensure CodeArtifact internal packages do not allow external public source publishing."
CHECK_TITLE_extra7195="[extra7195] Ensure CodeArtifact internal packages do not allow external public source publishing."
CHECK_SCORED_extra7195="NOT_SCORED"
CHECK_CIS_LEVEL_extra7195="EXTRA"
CHECK_SEVERITY_extra7195="Critical"
+2 -2
@@ -18,8 +18,8 @@ CHECK_SEVERITY_extra723="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra723="AwsRdsDbSnapshot"
CHECK_ALTERNATE_check723="extra723"
CHECK_SERVICENAME_extra723="rds"
CHECK_RISK_extra723='Publicly accessible services could expose sensitive data to bad actors. t is recommended that your RDS snapshots should not be public in order to prevent potential leak or misuse of sensitive data or any other kind of security threat. If your RDS snapshot is public; then the data which is backed up in that snapshot is accessible to all other AWS accounts.'
CHECK_REMEDIATION_extra723='Use AWS Config to identify any sanpshot that is public.'
CHECK_RISK_extra723='Publicly accessible services could expose sensitive data to bad actors. It is recommended that your RDS snapshots should not be public in order to prevent potential leak or misuse of sensitive data or any other kind of security threat. If your RDS snapshot is public then the data which is backed up in that snapshot is accessible to all other AWS accounts.'
CHECK_REMEDIATION_extra723='Use AWS Config to identify any snapshot that is public.'
CHECK_DOC_extra723='https://docs.aws.amazon.com/config/latest/developerguide/rds-snapshots-public-prohibited.html'
CHECK_CAF_EPIC_extra723='Data Protection'
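Review bot: The corrected `CHECK_REMEDIATION_extra723` line still describes detection ("Use AWS Config to identify ...") rather than a remediation, so an operator reading the finding is not told how to close it. Since the string is being touched, it could state the actual fix, e.g. `CHECK_REMEDIATION_extra723='Remove public sharing from the snapshot (aws rds modify-db-snapshot-attribute --db-snapshot-identifier <id> --attribute-name restore --values-to-remove all) and use the AWS Config rule rds-snapshots-public-prohibited to catch regressions.'`. The linked `CHECK_DOC` already points at that Config rule, so the two would then agree.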
+8 -1
@@ -56,20 +56,27 @@ Resources:
- Effect: Allow
Action:
- 'account:Get*'
- 'appstream:DescribeFleets'
- 'appstream:Describe*'
- 'codeartifact:List*'
- 'codebuild:BatchGet*'
- 'ds:Get*'
- 'ds:Describe*'
- 'ds:List*'
- 'ec2:GetEbsEncryptionByDefault'
- 'ecr:Describe*'
- 'elasticfilesystem:DescribeBackupPolicy'
- 'eks:List*'
- 'glue:GetConnections'
- 'glue:GetSecurityConfiguration'
- 'glue:SearchTables'
- 'lambda:GetFunction'
- 'macie2:GetMacieSession'
- 's3:GetAccountPublicAccessBlock'
- 's3:GetEncryptionConfiguration'
- 's3:GetPublicAccessBlock'
- 'shield:DescribeProtection'
- 'shield:GetSubscriptionState'
- 'securityhub:BatchImportFindings'
- 'ssm:GetDocument'
- 'support:Describe*'
- 'tag:GetTagKeys'
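Review bot: The added `securityhub:BatchImportFindings` is the only write action in an otherwise read-only statement, and it lets the principal push arbitrary findings into Security Hub; it is only needed when Prowler runs with the Security Hub integration, so it would be better placed in its own statement (with a comment saying which flag requires it) that users can omit, and ideally restricted with a `Condition` on the Prowler product ARN if the template already carries one. The same hunk also widens `appstream:DescribeFleets` to `appstream:Describe*` and adds `ds:Get*`/`ds:Describe*`/`ds:List*`, `codeartifact:List*`, `codebuild:BatchGet*` and `eks:List*`; where only one or two new API calls are needed, naming them keeps the role at least privilege and makes it obvious which check consumes which permission. I cannot see the statement's `Resource` or the rest of the template from this hunk, so whether a broader managed policy is already attached is an open question.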
+5 -3
@@ -4,15 +4,16 @@
{
"Action": [
"account:Get*",
"appstream:DescribeFleets",
"codeartifact:ListRepositories",
"codebuild:BatchGetBuilds",
"appstream:Describe*",
"codeartifact:List*",
"codebuild:BatchGet*",
"ds:Get*",
"ds:Describe*",
"ds:List*",
"ec2:GetEbsEncryptionByDefault",
"ecr:Describe*",
"elasticfilesystem:DescribeBackupPolicy",
"eks:List*",
"glue:GetConnections",
"glue:GetSecurityConfiguration",
"glue:SearchTables",
@@ -23,6 +24,7 @@
"s3:GetPublicAccessBlock",
"shield:DescribeProtection",
"shield:GetSubscriptionState",
"securityhub:BatchImportFindings",
"ssm:GetDocument",
"support:Describe*",
"tag:GetTagKeys"
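Review bot: Replacing `codebuild:BatchGetBuilds` with `codebuild:BatchGet*` also grants `codebuild:BatchGetProjects`, whose response includes project environment variables and their values, so this role can now read any plaintext secrets teams have left there. If a new check actually needs that data the grant is legitimate, but then it deserves to be spelled out as `"codebuild:BatchGetProjects"` next to `"codebuild:BatchGetBuilds"` rather than hidden behind a wildcard, and the same applies to `codeartifact:List*`. The list here matches the CloudFormation template changed in the same compare, which is good; a comment in the README or in the template reminding maintainers to update both would help keep them aligned.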
+1 -1
@@ -248,7 +248,7 @@ validate_database() {
then
db_exit_abnormally "postgresql" "Database not exists, please check ${HOME}/.pgpass file - EXITING!"
# and finally, if database exists -> table exists ?
elif ! psql -U "${POSTGRES_USER}" -h "${POSTGRES_HOST}" "${POSTGRES_DB}" -c "SELECT * FROM ${POSTGRES_TABLE};" > /dev/null 2>&1
elif ! psql -U "${POSTGRES_USER}" -h "${POSTGRES_HOST}" "${POSTGRES_DB}" -c "SELECT * FROM ${POSTGRES_TABLE} limit 1;" > /dev/null 2>&1
then
db_exit_abnormally "postgresql" "Table ${POSTGRES_TABLE} not exists, please check ${HOME}/.pgpass file - EXITING!"
fi
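Review bot: The new probe query still interpolates `${POSTGRES_TABLE}` directly into SQL; with `-c` that is an injection point if the table name can come from an untrusted config or environment, which the hunk does not show, so it is worth confirming where the value originates and validating it against a plain identifier pattern before this point. Independently, the failure message on the next line tells the user to check `~/.pgpass` when the table is missing, which is misleading since credentials have already been verified by the time this branch runs; `db_exit_abnormally "postgresql" "Table ${POSTGRES_TABLE} does not exist in database ${POSTGRES_DB} - EXITING!"` would point them at the actual problem. `SELECT 1 FROM ... limit 1` would do the same existence check without reading a full row, though the difference is cosmetic. validate_database starts before the hunk.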
+1 -1
@@ -23,7 +23,7 @@
# I've just got to find my way...
# Set the defaults variables
PROWLER_VERSION=2.12.0-27October2022
PROWLER_VERSION=2.12.1-19December2022
PROWLER_DIR=$(dirname "$0")
############################################################