ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2025-12-19 05:17:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
c4ba061f303b33ef25ef607b4d4ca8ae4aa1eb9f
prowler/examples/output/example_output_gcp.ocsf.json
Hugo Pereira Brito c4ba061f30 chore(outputs): adapt to new metadata specification (#8651)
2025-09-10 17:21:19 +02:00

642 lines
22 KiB
JSON
Raw Blame History

[
{
"message": "Project <project_id> does not have active API Keys.",
"metadata": {
"event_code": "apikeys_key_exists",
"product": {
"name": "Prowler",
"uid": "prowler",
"vendor_name": "Prowler",
"version": "5.4.0"
},
"profiles": [
"cloud",
"datetime"
],
"tenant_uid": "<tenant_uid>",
"version": "1.4.0"
},
"severity_id": 3,
"severity": "Medium",
"status": "New",
"status_code": "PASS",
"status_detail": "Project <project_id> does not have active API Keys.",
"status_id": 1,
"unmapped": {
"related_url": "",
"categories": [],
"depends_on": [],
"related_to": [],
"additional_urls": [],
"notes": "",
"compliance": {
"MITRE-ATTACK": [
"T1098"
],
"CIS-2.0": [
"1.12"
],
"ENS-RD2022": [
"op.acc.2.gcp.rbak.1"
],
"CIS-3.0": [
"1.12"
]
}
},
"activity_name": "Create",
"activity_id": 1,
"finding_info": {
"created_time": 1739539640,
"created_time_dt": "2025-02-14T14:27:20.697446",
"desc": "API Keys should only be used for services in cases where other authentication methods are unavailable. Unused keys with their permissions in tact may still exist within a project. Keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to use standard authentication flow instead.",
"product_uid": "prowler",
"title": "Ensure API Keys Only Exist for Active Services",
"types": [],
"uid": "<finding_uid>"
},
"resources": [
{
"region": "global",
"data": {
"details": "",
"metadata": {
"number": "<uid>",
"id": "<project_id>",
"name": "<project_name>",
"organization": {
"id": "<tenant_uid>",
"name": "organizations/<tenant_uid>",
"display_name": "prowler.com"
},
"labels": {
"tag": "test",
"tag2": "test2",
"generative-language": "enabled"
},
"lifecycle_state": "ACTIVE"
}
},
"group": {
"name": "apikeys"
},
"labels": [],
"name": "<project_name>",
"type": "API Key",
"uid": "<project_id>"
}
],
"category_name": "Findings",
"category_uid": 2,
"class_name": "Detection Finding",
"class_uid": 2004,
"cloud": {
"account": {
"name": "<project_name>",
"type": "GCP Account",
"type_id": 5,
"uid": "<project_id>",
"labels": [
"tag:test"
]
},
"org": {
"name": "prowler.com",
"uid": "<tenant_uid>"
},
"provider": "gcp",
"region": "global"
},
"remediation": {
"desc": "To avoid the security risk in using API keys, it is recommended to use standard authentication flow instead.",
"references": [
"gcloud alpha services api-keys delete",
"https://cloud.google.com/docs/authentication/api-keys"
]
},
"risk_details": "Security risks involved in using API-Keys appear below: API keys are simple encrypted strings, API keys do not identify the user or the application making the API request, API keys are typically accessible to clients, making it easy to discover and steal an API key.",
"time": 1739539640,
"time_dt": "2025-02-14T14:27:20.697446",
"type_uid": 200401,
"type_name": "Detection Finding: Create"
},
{
"message": "AR Container Analysis is not enabled in project <project_id>.",
"metadata": {
"event_code": "artifacts_container_analysis_enabled",
"product": {
"name": "Prowler",
"uid": "prowler",
"vendor_name": "Prowler",
"version": "5.4.0"
},
"profiles": [
"cloud",
"datetime"
],
"tenant_uid": "<tenant_uid>",
"version": "1.4.0"
},
"severity_id": 3,
"severity": "Medium",
"status": "New",
"status_code": "FAIL",
"status_detail": "AR Container Analysis is not enabled in project <project_id>.",
"status_id": 1,
"unmapped": {
"related_url": "https://cloud.google.com/artifact-analysis/docs",
"categories": [],
"depends_on": [],
"related_to": [],
"additional_urls": [],
"notes": "By default, AR Container Analysis is disabled.",
"compliance": {
"MITRE-ATTACK": [
"T1525"
],
"ENS-RD2022": [
"op.exp.4.r4.gcp.log.1",
"op.mon.3.gcp.scc.1"
]
}
},
"activity_name": "Create",
"activity_id": 1,
"finding_info": {
"created_time": 1739539640,
"created_time_dt": "2025-02-14T14:27:20.697446",
"desc": "Scan images stored in Google Container Registry (GCR) for vulnerabilities using AR Container Analysis or a third-party provider. This helps identify and mitigate security risks associated with known vulnerabilities in container images.",
"product_uid": "prowler",
"title": "Ensure Image Vulnerability Analysis using AR Container Analysis or a third-party provider",
"types": [
"Security",
"Configuration"
],
"uid": "<finding_uid>"
},
"resources": [
{
"region": "global",
"data": {
"details": "",
"metadata": {
"number": "538174383574",
"id": "<project_id>",
"name": "<project_name>",
"organization": {
"id": "<tenant_uid>",
"name": "organizations/<tenant_uid>",
"display_name": "prowler.com"
},
"labels": {
"tag": "test",
"tag2": "test2",
"generative-language": "enabled"
},
"lifecycle_state": "ACTIVE"
}
},
"group": {
"name": "artifacts"
},
"labels": [],
"name": "AR Container Analysis",
"type": "Service",
"uid": "containeranalysis.googleapis.com"
}
],
"category_name": "Findings",
"category_uid": 2,
"class_name": "Detection Finding",
"class_uid": 2004,
"cloud": {
"account": {
"name": "<project_name>",
"type": "GCP Account",
"type_id": 5,
"uid": "<project_id>",
"labels": [
"tag:test"
]
},
"org": {
"name": "prowler.com",
"uid": "<tenant_uid>"
},
"provider": "gcp",
"region": "global"
},
"remediation": {
"desc": "Enable vulnerability scanning for images stored in Artifact Registry using AR Container Analysis or a third-party provider.",
"references": [
"gcloud services enable containeranalysis.googleapis.com",
"https://cloud.google.com/artifact-analysis/docs/container-scanning-overview"
]
},
"risk_details": "Without image vulnerability scanning, container images stored in Artifact Registry may contain known vulnerabilities, increasing the risk of exploitation by malicious actors.",
"time": 1739539640,
"time_dt": "2025-02-14T14:27:20.697446",
"type_uid": 200401,
"type_name": "Detection Finding: Create"
},
{
"message": "Firewall <resource_id> does not expose port 3389 (RDP) to the internet.",
"metadata": {
"event_code": "compute_firewall_rdp_access_from_the_internet_allowed",
"product": {
"name": "Prowler",
"uid": "prowler",
"vendor_name": "Prowler",
"version": "5.4.0"
},
"profiles": [
"cloud",
"datetime"
],
"tenant_uid": "<tenant_uid>",
"version": "1.4.0"
},
"severity_id": 5,
"severity": "Critical",
"status": "New",
"status_code": "PASS",
"status_detail": "Firewall <resource_id> does not expose port 3389 (RDP) to the internet.",
"status_id": 1,
"unmapped": {
"related_url": "",
"categories": [
"internet-exposed"
],
"depends_on": [],
"related_to": [],
"additional_urls": [],
"notes": "",
"compliance": {
"MITRE-ATTACK": [
"T1190",
"T1199",
"T1048",
"T1498",
"T1046"
],
"CIS-2.0": [
"3.7"
],
"ENS-RD2022": [
"mp.com.1.gcp.fw.1"
],
"CIS-3.0": [
"3.7"
]
}
},
"activity_name": "Create",
"activity_id": 1,
"finding_info": {
"created_time": 1739539640,
"created_time_dt": "2025-02-14T14:27:20.697446",
"desc": "GCP `Firewall Rules` are specific to a `VPC Network`. Each rule either `allows` or `denies` traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances. Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, an `IPv4` address or `IPv4 block in CIDR` notation can be used. Generic `(0.0.0.0/0)` incoming traffic from the Internet to a VPC or VM instance using `RDP` on `Port 3389` can be avoided.",
"product_uid": "prowler",
"title": "Ensure That RDP Access Is Restricted From the Internet",
"types": [],
"uid": "<finding_uid>"
},
"resources": [
{
"region": "global",
"data": {
"details": "",
"metadata": {
"name": "<resource_id>",
"id": "<uid>",
"source_ranges": [
"<value>"
],
"direction": "INGRESS",
"allowed_rules": [
{
"IPProtocol": "icmp"
}
],
"project_id": "<project_id>"
}
},
"group": {
"name": "networking"
},
"labels": [],
"name": "<resource_id>",
"type": "FirewallRule",
"uid": "<uid>"
}
],
"category_name": "Findings",
"category_uid": 2,
"class_name": "Detection Finding",
"class_uid": 2004,
"cloud": {
"account": {
"name": "<project_name>",
"type": "GCP Account",
"type_id": 5,
"uid": "<project_id>",
"labels": [
"tag:test",
"tag2:test2"
]
},
"org": {
"name": "prowler.com",
"uid": "<tenant_uid>"
},
"provider": "gcp",
"region": "global"
},
"remediation": {
"desc": "Ensure that Google Cloud Virtual Private Cloud (VPC) firewall rules do not allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 3389 in order to restrict Remote Desktop Protocol (RDP) traffic to trusted IP addresses or IP ranges only and reduce the attack surface. TCP port 3389 is used for secure remote GUI login to Windows VM instances by connecting a RDP client application with an RDP server.",
"references": [
"https://docs.prowler.com/checks/gcp/google-cloud-networking-policies/bc_gcp_networking_2#terraform",
"https://docs.prowler.com/checks/gcp/google-cloud-networking-policies/bc_gcp_networking_2#cli-command",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudVPC/unrestricted-rdp-access.html",
"https://cloud.google.com/vpc/docs/using-firewalls"
]
},
"risk_details": "Allowing unrestricted Remote Desktop Protocol (RDP) access can increase opportunities for malicious activities such as hacking, Man-In-The-Middle attacks (MITM) and Pass-The-Hash (PTH) attacks.",
"time": 1739539640,
"time_dt": "2025-02-14T14:27:20.697446",
"type_uid": 200401,
"type_name": "Detection Finding: Create"
},
{
"message": "Firewall <resource_id> does not expose port 3389 (RDP) to the internet.",
"metadata": {
"event_code": "compute_firewall_rdp_access_from_the_internet_allowed",
"product": {
"name": "Prowler",
"uid": "prowler",
"vendor_name": "Prowler",
"version": "5.4.0"
},
"profiles": [
"cloud",
"datetime"
],
"tenant_uid": "<tenant_uid>",
"version": "1.4.0"
},
"severity_id": 5,
"severity": "Critical",
"status": "New",
"status_code": "PASS",
"status_detail": "Firewall <resource_id> does not expose port 3389 (RDP) to the internet.",
"status_id": 1,
"unmapped": {
"related_url": "",
"categories": [
"internet-exposed"
],
"depends_on": [],
"related_to": [],
"additional_urls": [],
"notes": "",
"compliance": {
"MITRE-ATTACK": [
"T1190",
"T1199",
"T1048",
"T1498",
"T1046"
],
"CIS-2.0": [
"3.7"
],
"ENS-RD2022": [
"mp.com.1.gcp.fw.1"
],
"CIS-3.0": [
"3.7"
]
}
},
"activity_name": "Create",
"activity_id": 1,
"finding_info": {
"created_time": 1739539640,
"created_time_dt": "2025-02-14T14:27:20.697446",
"desc": "GCP `Firewall Rules` are specific to a `VPC Network`. Each rule either `allows` or `denies` traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances. Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, an `IPv4` address or `IPv4 block in CIDR` notation can be used. Generic `(0.0.0.0/0)` incoming traffic from the Internet to a VPC or VM instance using `RDP` on `Port 3389` can be avoided.",
"product_uid": "prowler",
"title": "Ensure That RDP Access Is Restricted From the Internet",
"types": [],
"uid": "<finding_uid>"
},
"resources": [
{
"region": "global",
"data": {
"details": "",
"metadata": {
"name": "<resource_id>",
"id": "<uid>",
"source_ranges": [
"<value>"
],
"direction": "INGRESS",
"allowed_rules": [
{
"IPProtocol": "tcp",
"ports": [
"0-65535"
]
},
{
"IPProtocol": "udp",
"ports": [
"0-65535"
]
},
{
"IPProtocol": "icmp"
}
],
"project_id": "<project_id>"
}
},
"group": {
"name": "networking"
},
"labels": [],
"name": "<resource_id>",
"type": "FirewallRule",
"uid": "<uid>"
}
],
"category_name": "Findings",
"category_uid": 2,
"class_name": "Detection Finding",
"class_uid": 2004,
"cloud": {
"account": {
"name": "<project_name>",
"type": "GCP Account",
"type_id": 5,
"uid": "<project_id>",
"labels": [
"tag:test",
"tag2:test2"
]
},
"org": {
"name": "prowler.com",
"uid": "<tenant_uid>"
},
"provider": "gcp",
"region": "global"
},
"remediation": {
"desc": "Ensure that Google Cloud Virtual Private Cloud (VPC) firewall rules do not allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 3389 in order to restrict Remote Desktop Protocol (RDP) traffic to trusted IP addresses or IP ranges only and reduce the attack surface. TCP port 3389 is used for secure remote GUI login to Windows VM instances by connecting a RDP client application with an RDP server.",
"references": [
"https://docs.prowler.com/checks/gcp/google-cloud-networking-policies/bc_gcp_networking_2#terraform",
"https://docs.prowler.com/checks/gcp/google-cloud-networking-policies/bc_gcp_networking_2#cli-command",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudVPC/unrestricted-rdp-access.html",
"https://cloud.google.com/vpc/docs/using-firewalls"
]
},
"risk_details": "Allowing unrestricted Remote Desktop Protocol (RDP) access can increase opportunities for malicious activities such as hacking, Man-In-The-Middle attacks (MITM) and Pass-The-Hash (PTH) attacks.",
"time": 1739539640,
"time_dt": "2025-02-14T14:27:20.697446",
"type_uid": 200401,
"type_name": "Detection Finding: Create"
},
{
"message": "Firewall <resource_id> does exposes port 3389 (RDP) to the internet.",
"metadata": {
"event_code": "compute_firewall_rdp_access_from_the_internet_allowed",
"product": {
"name": "Prowler",
"uid": "prowler",
"vendor_name": "Prowler",
"version": "5.4.0"
},
"profiles": [
"cloud",
"datetime"
],
"tenant_uid": "<tenant_uid>",
"version": "1.4.0"
},
"severity_id": 5,
"severity": "Critical",
"status": "New",
"status_code": "FAIL",
"status_detail": "Firewall <resource_id> does exposes port 3389 (RDP) to the internet.",
"status_id": 1,
"unmapped": {
"related_url": "",
"categories": [
"internet-exposed"
],
"depends_on": [],
"related_to": [],
"additional_urls": [],
"notes": "",
"compliance": {
"MITRE-ATTACK": [
"T1190",
"T1199",
"T1048",
"T1498",
"T1046"
],
"CIS-2.0": [
"3.7"
],
"ENS-RD2022": [
"mp.com.1.gcp.fw.1"
],
"CIS-3.0": [
"3.7"
]
}
},
"activity_name": "Create",
"activity_id": 1,
"finding_info": {
"created_time": 1739539640,
"created_time_dt": "2025-02-14T14:27:20.697446",
"desc": "GCP `Firewall Rules` are specific to a `VPC Network`. Each rule either `allows` or `denies` traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances. Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, an `IPv4` address or `IPv4 block in CIDR` notation can be used. Generic `(0.0.0.0/0)` incoming traffic from the Internet to a VPC or VM instance using `RDP` on `Port 3389` can be avoided.",
"product_uid": "prowler",
"title": "Ensure That RDP Access Is Restricted From the Internet",
"types": [],
"uid": "<finding_uid>"
},
"resources": [
{
"region": "global",
"data": {
"details": "",
"metadata": {
"name": "<resource_id>",
"id": "<uid>",
"source_ranges": [
"<value>"
],
"direction": "INGRESS",
"allowed_rules": [
{
"IPProtocol": "tcp",
"ports": [
"3389"
]
}
],
"project_id": "<project_id>"
}
},
"group": {
"name": "networking"
},
"labels": [],
"name": "<resource_id>",
"type": "FirewallRule",
"uid": "<uid>"
}
],
"category_name": "Findings",
"category_uid": 2,
"class_name": "Detection Finding",
"class_uid": 2004,
"cloud": {
"account": {
"name": "<project_name>",
"type": "GCP Account",
"type_id": 5,
"uid": "<project_id>",
"labels": [
"tag:test",
"tag2:test2"
]
},
"org": {
"name": "prowler.com",
"uid": "<tenant_uid>"
},
"provider": "gcp",
"region": "global"
},
"remediation": {
"desc": "Ensure that Google Cloud Virtual Private Cloud (VPC) firewall rules do not allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 3389 in order to restrict Remote Desktop Protocol (RDP) traffic to trusted IP addresses or IP ranges only and reduce the attack surface. TCP port 3389 is used for secure remote GUI login to Windows VM instances by connecting a RDP client application with an RDP server.",
"references": [
"https://docs.prowler.com/checks/gcp/google-cloud-networking-policies/bc_gcp_networking_2#terraform",
"https://docs.prowler.com/checks/gcp/google-cloud-networking-policies/bc_gcp_networking_2#cli-command",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudVPC/unrestricted-rdp-access.html",
"https://cloud.google.com/vpc/docs/using-firewalls"
]
},
"risk_details": "Allowing unrestricted Remote Desktop Protocol (RDP) access can increase opportunities for malicious activities such as hacking, Man-In-The-Middle attacks (MITM) and Pass-The-Hash (PTH) attacks.",
"time": 1739539640,
"time_dt": "2025-02-14T14:27:20.697446",
"type_uid": 200401,
"type_name": "Detection Finding: Create"
}
]
Reference in New Issue View Git Blame Copy Permalink