From 4fda29e3bdc82f5cff61ed24e6f3eab55c437197 Mon Sep 17 00:00:00 2001 From: pedrooot Date: Mon, 17 Feb 2025 08:48:17 +0100 Subject: [PATCH 1/5] feat(outputs): add sample outputs --- .gitignore | 2 +- examples/output/example_output_aws.csv | 5 + examples/output/example_output_aws.json | 625 ++++++++++++++ examples/output/example_output_azure.csv | 5 + examples/output/example_output_gcp.csv | 5 + examples/output/example_output_gcp.json | 636 ++++++++++++++ examples/output/example_output_kubernetes.csv | 5 + .../output/example_output_kubernetes.json | 800 ++++++++++++++++++ 8 files changed, 2082 insertions(+), 1 deletion(-) create mode 100644 examples/output/example_output_aws.csv create mode 100644 examples/output/example_output_aws.json create mode 100644 examples/output/example_output_azure.csv create mode 100644 examples/output/example_output_gcp.csv create mode 100644 examples/output/example_output_gcp.json create mode 100644 examples/output/example_output_kubernetes.csv create mode 100644 examples/output/example_output_kubernetes.json diff --git a/.gitignore b/.gitignore index 3b3d45c0eb..53d24facf6 100644 --- a/.gitignore +++ b/.gitignore @@ -31,7 +31,7 @@ tags *.DS_Store # Prowler output -output/ +/output # Prowler found secrets secrets-*/ diff --git a/examples/output/example_output_aws.csv b/examples/output/example_output_aws.csv new file mode 100644 index 0000000000..0a6f12839e --- /dev/null +++ b/examples/output/example_output_aws.csv @@ -0,0 +1,5 @@ +AUTH_METHOD;TIMESTAMP;ACCOUNT_UID;ACCOUNT_NAME;ACCOUNT_EMAIL;ACCOUNT_ORGANIZATION_UID;ACCOUNT_ORGANIZATION_NAME;ACCOUNT_TAGS;FINDING_UID;PROVIDER;CHECK_ID;CHECK_TITLE;CHECK_TYPE;STATUS;STATUS_EXTENDED;MUTED;SERVICE_NAME;SUBSERVICE_NAME;SEVERITY;RESOURCE_TYPE;RESOURCE_UID;RESOURCE_NAME;RESOURCE_DETAILS;RESOURCE_TAGS;PARTITION;REGION;DESCRIPTION;RISK;RELATED_URL;REMEDIATION_RECOMMENDATION_TEXT;REMEDIATION_RECOMMENDATION_URL;REMEDIATION_CODE_NATIVEIAC;REMEDIATION_CODE_TERRAFORM;REMEDIATION_CODE_CLI;REMEDIATION_CODE_OTHER;COMPLIANCE;CATEGORIES;DEPENDS_ON;RELATED_TO;NOTES;PROWLER_VERSION +;2025-02-14 14:27:03.913874;;;;;;;;aws;accessanalyzer_enabled;Check if IAM Access Analyzer is enabled;IAM;FAIL;IAM Access Analyzer in account is not enabled.;False;accessanalyzer;;low;Other;;;;;aws;;Check if IAM Access Analyzer is enabled;AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.;https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html;Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).;https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html;;;aws accessanalyzer create-analyzer --analyzer-name --type ;;CIS-1.4: 1.20 | CIS-1.5: 1.20 | KISA-ISMS-P-2023: 2.5.6, 2.6.4, 2.8.1, 2.8.2 | CIS-2.0: 1.20 | KISA-ISMS-P-2023-korean: 2.5.6, 2.6.4, 2.8.1, 2.8.2 | AWS-Account-Security-Onboarding: Enabled security services, Create analyzers in each active regions, Verify that events are present in SecurityHub aggregated view | CIS-3.0: 1.20;;;;; +;2025-02-14 14:27:03.913874;;;;;;;;aws;account_maintain_current_contact_details;Maintain current contact details.;IAM;MANUAL;Login to the AWS Console. Choose your account name on the top right of the window -> My Account -> Contact Information.;False;account;;medium;Other;;;;;aws;;Maintain current contact details.;Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy. If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question.;;Using the Billing and Cost Management console complete contact details.;https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html;;;No command available.;https://docs.prowler.com/checks/aws/iam-policies/iam_18-maintain-contact-details#aws-console;CIS-1.4: 1.1 | CIS-1.5: 1.1 | KISA-ISMS-P-2023: 2.1.3 | CIS-2.0: 1.1 | KISA-ISMS-P-2023-korean: 2.1.3 | AWS-Well-Architected-Framework-Security-Pillar: SEC03-BP03, SEC10-BP01 | AWS-Account-Security-Onboarding: Billing, emergency, security contacts | CIS-3.0: 1.1 | ENS-RD2022: op.ext.7.aws.am.1;;;;; +;2025-02-14 14:27:03.913874;;;;;;;;aws;account_maintain_different_contact_details_to_security_billing_and_operations;Maintain different contact details to security, billing and operations.;IAM;FAIL;SECURITY, BILLING and OPERATIONS contacts not found or they are not different between each other and between ROOT contact.;False;account;;medium;Other;;;;;aws;;Maintain different contact details to security, billing and operations.;Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy. If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question.;https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html;Using the Billing and Cost Management console complete contact details.;https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html;;;;https://docs.prowler.com/checks/aws/iam-policies/iam_18-maintain-contact-details#aws-console;KISA-ISMS-P-2023: 2.1.3 | KISA-ISMS-P-2023-korean: 2.1.3;;;;; +;2025-02-14 14:27:03.913874;;;;;;;;aws;account_security_contact_information_is_registered;Ensure security contact information is registered.;IAM;MANUAL;Login to the AWS Console. Choose your account name on the top right of the window -> My Account -> Alternate Contacts -> Security Section.;False;account;;medium;Other;:root;;;;aws;;Ensure security contact information is registered.;AWS provides customers with the option of specifying the contact information for accounts security team. It is recommended that this information be provided. Specifying security-specific contact information will help ensure that security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.;;Go to the My Account section and complete alternate contacts.;https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html;;;No command available.;https://docs.prowler.com/checks/aws/iam-policies/iam_19#aws-console;CIS-1.4: 1.2 | CIS-1.5: 1.2 | AWS-Foundational-Security-Best-Practices: account, acm | KISA-ISMS-P-2023: 2.1.3, 2.2.1 | CIS-2.0: 1.2 | KISA-ISMS-P-2023-korean: 2.1.3, 2.2.1 | AWS-Well-Architected-Framework-Security-Pillar: SEC03-BP03, SEC10-BP01 | AWS-Account-Security-Onboarding: Billing, emergency, security contacts | CIS-3.0: 1.2 | ENS-RD2022: op.ext.7.aws.am.1;;;;; diff --git a/examples/output/example_output_aws.json b/examples/output/example_output_aws.json new file mode 100644 index 0000000000..dea77b1f22 --- /dev/null +++ b/examples/output/example_output_aws.json @@ -0,0 +1,625 @@ +[ + { + "message": "IAM Access Analyzer in account is not enabled.", + "metadata": { + "event_code": "accessanalyzer_enabled", + "product": { + "name": "Prowler", + "uid": "prowler", + "vendor_name": "Prowler", + "version": "" + }, + "profiles": [ + "cloud", + "datetime" + ], + "tenant_uid": "", + "version": "1.4.0" + }, + "severity_id": 2, + "severity": "Low", + "status": "New", + "status_code": "FAIL", + "status_detail": "IAM Access Analyzer in account is not enabled.", + "status_id": 1, + "unmapped": { + "related_url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html", + "categories": [], + "depends_on": [], + "related_to": [], + "notes": "", + "compliance": { + "CIS-1.4": [ + "1.20" + ], + "CIS-1.5": [ + "1.20" + ], + "KISA-ISMS-P-2023": [ + "2.5.6", + "2.6.4", + "2.8.1", + "2.8.2" + ], + "CIS-2.0": [ + "1.20" + ], + "KISA-ISMS-P-2023-korean": [ + "2.5.6", + "2.6.4", + "2.8.1", + "2.8.2" + ], + "AWS-Account-Security-Onboarding": [ + "Enabled security services", + "Create analyzers in each active regions", + "Verify that events are present in SecurityHub aggregated view" + ], + "CIS-3.0": [ + "1.20" + ] + } + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": 1739539623, + "created_time_dt": "2025-02-14T14:27:03.913874", + "desc": "Check if IAM Access Analyzer is enabled", + "product_uid": "prowler", + "title": "Check if IAM Access Analyzer is enabled", + "types": [ + "IAM" + ], + "uid": "" + }, + "resources": [ + { + "cloud_partition": "aws", + "region": "", + "data": { + "details": "", + "metadata": { + "arn": "", + "name": "", + "status": "NOT_AVAILABLE", + "findings": [], + "tags": [], + "type": "", + "region": "" + } + }, + "group": { + "name": "accessanalyzer" + }, + "labels": [], + "name": "a", + "type": "Other", + "uid": "" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "cloud": { + "account": { + "name": "", + "type": "AWS Account", + "type_id": 10, + "uid": "", + "labels": [] + }, + "org": { + "name": "", + "uid": "" + }, + "provider": "aws", + "region": "" + }, + "remediation": { + "desc": "Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).", + "references": [ + "aws accessanalyzer create-analyzer --analyzer-name --type ", + "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html" + ] + }, + "risk_details": "AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.", + "time": 1739539623, + "time_dt": "2025-02-14T14:27:03.913874", + "type_uid": 200401, + "type_name": "Detection Finding: Create" + }, + { + "message": "Login to the AWS Console. Choose your account name on the top right of the window -> My Account -> Contact Information.", + "metadata": { + "event_code": "account_maintain_current_contact_details", + "product": { + "name": "Prowler", + "uid": "prowler", + "vendor_name": "Prowler", + "version": "" + }, + "profiles": [ + "cloud", + "datetime" + ], + "tenant_uid": "", + "version": "1.4.0" + }, + "severity_id": 3, + "severity": "Medium", + "status": "New", + "status_code": "MANUAL", + "status_detail": "Login to the AWS Console. Choose your account name on the top right of the window -> My Account -> Contact Information.", + "status_id": 1, + "unmapped": { + "related_url": "", + "categories": [], + "depends_on": [], + "related_to": [], + "notes": "", + "compliance": { + "CIS-1.4": [ + "1.1" + ], + "CIS-1.5": [ + "1.1" + ], + "KISA-ISMS-P-2023": [ + "2.1.3" + ], + "CIS-2.0": [ + "1.1" + ], + "KISA-ISMS-P-2023-korean": [ + "2.1.3" + ], + "AWS-Well-Architected-Framework-Security-Pillar": [ + "SEC03-BP03", + "SEC10-BP01" + ], + "AWS-Account-Security-Onboarding": [ + "Billing, emergency, security contacts" + ], + "CIS-3.0": [ + "1.1" + ], + "ENS-RD2022": [ + "op.ext.7.aws.am.1" + ] + } + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": 1739539623, + "created_time_dt": "2025-02-14T14:27:03.913874", + "desc": "Maintain current contact details.", + "product_uid": "prowler", + "title": "Maintain current contact details.", + "types": [ + "IAM" + ], + "uid": "" + }, + "resources": [ + { + "cloud_partition": "aws", + "region": "", + "data": { + "details": "", + "metadata": { + "type": "PRIMARY", + "email": null, + "name": "", + "phone_number": "" + } + }, + "group": { + "name": "account" + }, + "labels": [], + "name": "", + "type": "Other", + "uid": "arn:aws:iam:::root" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "cloud": { + "account": { + "name": "", + "type": "AWS Account", + "type_id": 10, + "uid": "", + "labels": [] + }, + "org": { + "name": "", + "uid": "" + }, + "provider": "aws", + "region": "" + }, + "remediation": { + "desc": "Using the Billing and Cost Management console complete contact details.", + "references": [ + "No command available.", + "https://docs.prowler.com/checks/aws/iam-policies/iam_18-maintain-contact-details#aws-console", + "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html" + ] + }, + "risk_details": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy. If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question.", + "time": 1739539623, + "time_dt": "2025-02-14T14:27:03.913874", + "type_uid": 200401, + "type_name": "Detection Finding: Create" + }, + { + "message": "SECURITY, BILLING and OPERATIONS contacts not found or they are not different between each other and between ROOT contact.", + "metadata": { + "event_code": "account_maintain_different_contact_details_to_security_billing_and_operations", + "product": { + "name": "Prowler", + "uid": "prowler", + "vendor_name": "Prowler", + "version": "" + }, + "profiles": [ + "cloud", + "datetime" + ], + "tenant_uid": "", + "version": "1.4.0" + }, + "severity_id": 3, + "severity": "Medium", + "status": "New", + "status_code": "FAIL", + "status_detail": "SECURITY, BILLING and OPERATIONS contacts not found or they are not different between each other and between ROOT contact.", + "status_id": 1, + "unmapped": { + "related_url": "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html", + "categories": [], + "depends_on": [], + "related_to": [], + "notes": "", + "compliance": { + "KISA-ISMS-P-2023": [ + "2.1.3" + ], + "KISA-ISMS-P-2023-korean": [ + "2.1.3" + ] + } + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": 1739539623, + "created_time_dt": "2025-02-14T14:27:03.913874", + "desc": "Maintain different contact details to security, billing and operations.", + "product_uid": "prowler", + "title": "Maintain different contact details to security, billing and operations.", + "types": [ + "IAM" + ], + "uid": "" + }, + "resources": [ + { + "cloud_partition": "aws", + "region": "", + "data": { + "details": "", + "metadata": { + "type": "PRIMARY", + "email": null, + "name": "", + "phone_number": "" + } + }, + "group": { + "name": "account" + }, + "labels": [], + "name": "", + "type": "Other", + "uid": "arn:aws:iam:::root" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "cloud": { + "account": { + "name": "", + "type": "AWS Account", + "type_id": 10, + "uid": "", + "labels": [] + }, + "org": { + "name": "", + "uid": "" + }, + "provider": "aws", + "region": "" + }, + "remediation": { + "desc": "Using the Billing and Cost Management console complete contact details.", + "references": [ + "https://docs.prowler.com/checks/aws/iam-policies/iam_18-maintain-contact-details#aws-console", + "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html" + ] + }, + "risk_details": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy. If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question.", + "time": 1739539623, + "time_dt": "2025-02-14T14:27:03.913874", + "type_uid": 200401, + "type_name": "Detection Finding: Create" + }, + { + "message": "Login to the AWS Console. Choose your account name on the top right of the window -> My Account -> Alternate Contacts -> Security Section.", + "metadata": { + "event_code": "account_security_contact_information_is_registered", + "product": { + "name": "Prowler", + "uid": "prowler", + "vendor_name": "Prowler", + "version": "" + }, + "profiles": [ + "cloud", + "datetime" + ], + "tenant_uid": "", + "version": "1.4.0" + }, + "severity_id": 3, + "severity": "Medium", + "status": "New", + "status_code": "MANUAL", + "status_detail": "Login to the AWS Console. Choose your account name on the top right of the window -> My Account -> Alternate Contacts -> Security Section.", + "status_id": 1, + "unmapped": { + "related_url": "", + "categories": [], + "depends_on": [], + "related_to": [], + "notes": "", + "compliance": { + "CIS-1.4": [ + "1.2" + ], + "CIS-1.5": [ + "1.2" + ], + "AWS-Foundational-Security-Best-Practices": [ + "account", + "acm" + ], + "KISA-ISMS-P-2023": [ + "2.1.3", + "2.2.1" + ], + "CIS-2.0": [ + "1.2" + ], + "KISA-ISMS-P-2023-korean": [ + "2.1.3", + "2.2.1" + ], + "AWS-Well-Architected-Framework-Security-Pillar": [ + "SEC03-BP03", + "SEC10-BP01" + ], + "AWS-Account-Security-Onboarding": [ + "Billing, emergency, security contacts" + ], + "CIS-3.0": [ + "1.2" + ], + "ENS-RD2022": [ + "op.ext.7.aws.am.1" + ] + } + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": 1739539623, + "created_time_dt": "2025-02-14T14:27:03.913874", + "desc": "Ensure security contact information is registered.", + "product_uid": "prowler", + "title": "Ensure security contact information is registered.", + "types": [ + "IAM" + ], + "uid": "" + }, + "resources": [ + { + "cloud_partition": "aws", + "region": "", + "data": { + "details": "", + "metadata": { + "type": "PRIMARY", + "email": null, + "name": "", + "phone_number": "" + } + }, + "group": { + "name": "account" + }, + "labels": [], + "name": "", + "type": "Other", + "uid": "arn:aws:iam:::root" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "cloud": { + "account": { + "name": "", + "type": "AWS Account", + "type_id": 10, + "uid": "", + "labels": [] + }, + "org": { + "name": "", + "uid": "" + }, + "provider": "aws", + "region": "" + }, + "remediation": { + "desc": "Go to the My Account section and complete alternate contacts.", + "references": [ + "No command available.", + "https://docs.prowler.com/checks/aws/iam-policies/iam_19#aws-console", + "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html" + ] + }, + "risk_details": "AWS provides customers with the option of specifying the contact information for accounts security team. It is recommended that this information be provided. Specifying security-specific contact information will help ensure that security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.", + "time": 1739539623, + "time_dt": "2025-02-14T14:27:03.913874", + "type_uid": 200401, + "type_name": "Detection Finding: Create" + }, + { + "message": "Login to the AWS Console as root. Choose your account name on the top right of the window -> My Account -> Configure Security Challenge Questions.", + "metadata": { + "event_code": "account_security_questions_are_registered_in_the_aws_account", + "product": { + "name": "Prowler", + "uid": "prowler", + "vendor_name": "Prowler", + "version": "" + }, + "profiles": [ + "cloud", + "datetime" + ], + "tenant_uid": "", + "version": "1.4.0" + }, + "severity_id": 3, + "severity": "Medium", + "status": "New", + "status_code": "MANUAL", + "status_detail": "Login to the AWS Console as root. Choose your account name on the top right of the window -> My Account -> Configure Security Challenge Questions.", + "status_id": 1, + "unmapped": { + "related_url": "", + "categories": [], + "depends_on": [], + "related_to": [], + "notes": "", + "compliance": { + "CIS-1.4": [ + "1.3" + ], + "CIS-1.5": [ + "1.3" + ], + "KISA-ISMS-P-2023": [ + "2.1.3" + ], + "CIS-2.0": [ + "1.3" + ], + "KISA-ISMS-P-2023-korean": [ + "2.1.3" + ], + "AWS-Well-Architected-Framework-Security-Pillar": [ + "SEC03-BP03", + "SEC10-BP01" + ], + "CIS-3.0": [ + "1.3" + ], + "ENS-RD2022": [ + "op.ext.7.aws.am.1" + ] + } + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": 1739539623, + "created_time_dt": "2025-02-14T14:27:03.913874", + "desc": "Ensure security questions are registered in the AWS account.", + "product_uid": "prowler", + "title": "Ensure security questions are registered in the AWS account.", + "types": [ + "IAM" + ], + "uid": "" + }, + "resources": [ + { + "cloud_partition": "aws", + "region": "", + "data": { + "details": "", + "metadata": { + "type": "SECURITY", + "email": null, + "name": null, + "phone_number": null + } + }, + "group": { + "name": "account" + }, + "labels": [], + "name": "", + "type": "Other", + "uid": "arn:aws:iam:::root" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "cloud": { + "account": { + "name": "", + "type": "AWS Account", + "type_id": 10, + "uid": "", + "labels": [] + }, + "org": { + "name": "", + "uid": "" + }, + "provider": "aws", + "region": "" + }, + "remediation": { + "desc": "Login as root account and from My Account configure Security questions.", + "references": [ + "No command available.", + "https://docs.prowler.com/checks/aws/iam-policies/iam_15", + "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-security-challenge.html" + ] + }, + "risk_details": "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established. When creating a new AWS account a default super user is automatically created. This account is referred to as the root account. It is recommended that the use of this account be limited and highly controlled. During events in which the root password is no longer accessible or the MFA token associated with root is lost/destroyed it is possible through authentication using secret questions and associated answers to recover root login access.", + "time": 1739539623, + "time_dt": "2025-02-14T14:27:03.913874", + "type_uid": 200401, + "type_name": "Detection Finding: Create" + } +] diff --git a/examples/output/example_output_azure.csv b/examples/output/example_output_azure.csv new file mode 100644 index 0000000000..ca2ed7b325 --- /dev/null +++ b/examples/output/example_output_azure.csv @@ -0,0 +1,5 @@ +AUTH_METHOD;TIMESTAMP;ACCOUNT_UID;ACCOUNT_NAME;ACCOUNT_EMAIL;ACCOUNT_ORGANIZATION_UID;ACCOUNT_ORGANIZATION_NAME;ACCOUNT_TAGS;FINDING_UID;PROVIDER;CHECK_ID;CHECK_TITLE;CHECK_TYPE;STATUS;STATUS_EXTENDED;MUTED;SERVICE_NAME;SUBSERVICE_NAME;SEVERITY;RESOURCE_TYPE;RESOURCE_UID;RESOURCE_NAME;RESOURCE_DETAILS;RESOURCE_TAGS;PARTITION;REGION;DESCRIPTION;RISK;RELATED_URL;REMEDIATION_RECOMMENDATION_TEXT;REMEDIATION_RECOMMENDATION_URL;REMEDIATION_CODE_NATIVEIAC;REMEDIATION_CODE_TERRAFORM;REMEDIATION_CODE_CLI;REMEDIATION_CODE_OTHER;COMPLIANCE;CATEGORIES;DEPENDS_ON;RELATED_TO;NOTES;PROWLER_VERSION +;2025-02-14 14:27:30.710664;;;;;ProwlerPro.onmicrosoft.com;;;azure;aks_cluster_rbac_enabled;Ensure AKS RBAC is enabled;;PASS;RBAC is enabled for cluster '' in subscription ''.;False;aks;;medium;Microsoft.ContainerService/ManagedClusters;/subscriptions//resourcegroups/_group/providers/Microsoft.ContainerService/managedClusters/;;;;;;Azure Kubernetes Service (AKS) can be configured to use Azure Active Directory (AD) for user authentication. In this configuration, you sign in to an AKS cluster using an Azure AD authentication token. You can also configure Kubernetes role-based access control (Kubernetes RBAC) to limit access to cluster resources based a user's identity or group membership.;Kubernetes RBAC and AKS help you secure your cluster access and provide only the minimum required permissions to developers and operators.;https://learn.microsoft.com/en-us/azure/aks/azure-ad-rbac?tabs=portal;;https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle;;https://docs.prowler.com/checks/azure/azure-kubernetes-policies/bc_azr_kubernetes_2#terraform;;https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AKS/enable-role-based-access-control-for-kubernetes-service.html#;ENS-RD2022: op.acc.2.az.r1.eid.1;;;;; +;2025-02-14 14:27:30.710664;;;;;ProwlerPro.onmicrosoft.com;;;azure;aks_clusters_created_with_private_nodes;Ensure clusters are created with Private Nodes;;PASS;Cluster '' was created with private nodes in subscription '';False;aks;;high;Microsoft.ContainerService/ManagedClusters;/subscriptions//resourcegroups/_group/providers/Microsoft.ContainerService/managedClusters/;;;;;;Disable public IP addresses for cluster nodes, so that they only have private IP addresses. Private Nodes are nodes with no public IP addresses.;Disabling public IP addresses on cluster nodes restricts access to only internal networks, forcing attackers to obtain local network access before attempting to compromise the underlying Kubernetes hosts.;https://learn.microsoft.com/en-us/azure/aks/private-clusters;;https://learn.microsoft.com/en-us/azure/aks/access-private-cluster;;;;;ENS-RD2022: mp.com.4.r2.az.aks.1 | MITRE-ATTACK: T1190, T1530;;;;; +;2025-02-14 14:27:30.710664;;;;;ProwlerPro.onmicrosoft.com;;;azure;aks_clusters_public_access_disabled;Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled;;FAIL;Public access to nodes is enabled for cluster '' in subscription '';False;aks;;high;Microsoft.ContainerService/ManagedClusters;/subscriptions//resourcegroups/_group/providers/Microsoft.ContainerService/managedClusters/;;;;;;Disable access to the Kubernetes API from outside the node network if it is not required.;In a private cluster, the master node has two endpoints, a private and public endpoint. The private endpoint is the internal IP address of the master, behind an internal load balancer in the master's wirtual network. Nodes communicate with the master using the private endpoint. The public endpoint enables the Kubernetes API to be accessed from outside the master's virtual network. Although Kubernetes API requires an authorized token to perform sensitive actions, a vulnerability could potentially expose the Kubernetes publically with unrestricted access. Additionally, an attacker may be able to identify the current cluster and Kubernetes API version and determine whether it is vulnerable to an attack. Unless required, disabling public endpoint will help prevent such threats, and require the attacker to be on the master's virtual network to perform any attack on the Kubernetes API.;https://learn.microsoft.com/en-us/azure/aks/private-clusters?tabs=azure-portal;To use a private endpoint, create a new private endpoint in your virtual network then create a link between your virtual network and a new private DNS zone;https://learn.microsoft.com/en-us/azure/aks/access-private-cluster?tabs=azure-cli;;;az aks update -n -g --disable-public-fqdn;;ENS-RD2022: mp.com.4.az.aks.2 | MITRE-ATTACK: T1190, T1530;;;;; +;2025-02-14 14:27:30.710664;;;;;ProwlerPro.onmicrosoft.com;;;azure;aks_network_policy_enabled;Ensure Network Policy is Enabled and set as appropriate;;PASS;Network policy is enabled for cluster '' in subscription ''.;False;aks;;medium;Microsoft.ContainerService/managedClusters;/subscriptions//resourcegroups/_group/providers/Microsoft.ContainerService/managedClusters/;;;;;;When you run modern, microservices-based applications in Kubernetes, you often want to control which components can communicate with each other. The principle of least privilege should be applied to how traffic can flow between pods in an Azure Kubernetes Service (AKS) cluster. Let's say you likely want to block traffic directly to back-end applications. The Network Policy feature in Kubernetes lets you define rules for ingress and egress traffic between pods in a cluster.;All pods in an AKS cluster can send and receive traffic without limitations, by default. To improve security, you can define rules that control the flow of traffic. Back-end applications are often only exposed to required front-end services, for example. Or, database components are only accessible to the application tiers that connect to them. Network Policy is a Kubernetes specification that defines access policies for communication between Pods. Using Network Policies, you define an ordered set of rules to send and receive traffic and apply them to a collection of pods that match one or more label selectors. These network policy rules are defined as YAML manifests. Network policies can be included as part of a wider manifest that also creates a deployment or service.;https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v2-network-security#ns-2-connect-private-networks-together;;https://learn.microsoft.com/en-us/azure/aks/use-network-policies;;https://docs.prowler.com/checks/azure/azure-kubernetes-policies/bc_azr_kubernetes_4#terraform;;;ENS-RD2022: mp.com.4.r2.az.aks.1;;;;Network Policy requires the Network Policy add-on. This add-on is included automatically when a cluster with Network Policy is created, but for an existing cluster, needs to be added prior to enabling Network Policy. Enabling/Disabling Network Policy causes a rolling update of all cluster nodes, similar to performing a cluster upgrade. This operation is long-running and will block other operations on the cluster (including delete) until it has run to completion. If Network Policy is used, a cluster must have at least 2 nodes of type n1-standard-1 or higher. The recommended minimum size cluster to run Network Policy enforcement is 3 n1-standard-1 instances. Enabling Network Policy enforcement consumes additional resources in nodes. Specifically, it increases the memory footprint of the kube-system process by approximately 128MB, and requires approximately 300 millicores of CPU.; diff --git a/examples/output/example_output_gcp.csv b/examples/output/example_output_gcp.csv new file mode 100644 index 0000000000..3ed2be29d9 --- /dev/null +++ b/examples/output/example_output_gcp.csv @@ -0,0 +1,5 @@ +AUTH_METHOD;TIMESTAMP;ACCOUNT_UID;ACCOUNT_NAME;ACCOUNT_EMAIL;ACCOUNT_ORGANIZATION_UID;ACCOUNT_ORGANIZATION_NAME;ACCOUNT_TAGS;FINDING_UID;PROVIDER;CHECK_ID;CHECK_TITLE;CHECK_TYPE;STATUS;STATUS_EXTENDED;MUTED;SERVICE_NAME;SUBSERVICE_NAME;SEVERITY;RESOURCE_TYPE;RESOURCE_UID;RESOURCE_NAME;RESOURCE_DETAILS;RESOURCE_TAGS;PARTITION;REGION;DESCRIPTION;RISK;RELATED_URL;REMEDIATION_RECOMMENDATION_TEXT;REMEDIATION_RECOMMENDATION_URL;REMEDIATION_CODE_NATIVEIAC;REMEDIATION_CODE_TERRAFORM;REMEDIATION_CODE_CLI;REMEDIATION_CODE_OTHER;COMPLIANCE;CATEGORIES;DEPENDS_ON;RELATED_TO;NOTES;PROWLER_VERSION +;2025-02-14 14:27:20.697446;;;;;;;;gcp;apikeys_key_exists;Ensure API Keys Only Exist for Active Services;;PASS;Project does not have active API Keys.;False;apikeys;;medium;API Key;;;;;;;API Keys should only be used for services in cases where other authentication methods are unavailable. Unused keys with their permissions in tact may still exist within a project. Keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to use standard authentication flow instead.;Security risks involved in using API-Keys appear below: API keys are simple encrypted strings, API keys do not identify the user or the application making the API request, API keys are typically accessible to clients, making it easy to discover and steal an API key.;;To avoid the security risk in using API keys, it is recommended to use standard authentication flow instead.;https://cloud.google.com/docs/authentication/api-keys;;;gcloud alpha services api-keys delete;;MITRE-ATTACK: T1098 | CIS-2.0: 1.12 | ENS-RD2022: op.acc.2.gcp.rbak.1 | CIS-3.0: 1.12;;;;; +;2025-02-14 14:27:20.697446;;;;;;;;gcp;artifacts_container_analysis_enabled;Ensure Image Vulnerability Analysis using AR Container Analysis or a third-party provider;Security | Configuration;FAIL;AR Container Analysis is not enabled in project .;False;artifacts;Container Analysis;medium;Service;;;;;;;Scan images stored in Google Container Registry (GCR) for vulnerabilities using AR Container Analysis or a third-party provider. This helps identify and mitigate security risks associated with known vulnerabilities in container images.;Without image vulnerability scanning, container images stored in Artifact Registry may contain known vulnerabilities, increasing the risk of exploitation by malicious actors.;https://cloud.google.com/artifact-analysis/docs;Enable vulnerability scanning for images stored in Artifact Registry using AR Container Analysis or a third-party provider.;https://cloud.google.com/artifact-analysis/docs/container-scanning-overview;;;gcloud services enable containeranalysis.googleapis.com;;MITRE-ATTACK: T1525 | ENS-RD2022: op.exp.4.r4.gcp.log.1, op.mon.3.gcp.scc.1;;;;By default, AR Container Analysis is disabled.; +;2025-02-14 14:27:20.697446;;;;;;;;gcp;compute_firewall_rdp_access_from_the_internet_allowed;Ensure That RDP Access Is Restricted From the Internet;;PASS;Firewall does not expose port 3389 (RDP) to the internet.;False;networking;;critical;FirewallRule;;;;;;;GCP `Firewall Rules` are specific to a `VPC Network`. Each rule either `allows` or `denies` traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances. Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, an `IPv4` address or `IPv4 block in CIDR` notation can be used. Generic `(0.0.0.0/0)` incoming traffic from the Internet to a VPC or VM instance using `RDP` on `Port 3389` can be avoided.;Allowing unrestricted Remote Desktop Protocol (RDP) access can increase opportunities for malicious activities such as hacking, Man-In-The-Middle attacks (MITM) and Pass-The-Hash (PTH) attacks.;;Ensure that Google Cloud Virtual Private Cloud (VPC) firewall rules do not allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 3389 in order to restrict Remote Desktop Protocol (RDP) traffic to trusted IP addresses or IP ranges only and reduce the attack surface. TCP port 3389 is used for secure remote GUI login to Windows VM instances by connecting a RDP client application with an RDP server.;https://cloud.google.com/vpc/docs/using-firewalls;;https://docs./checks/gcp/google-cloud-networking-policies/bc_gcp_networking_2#terraform;https://docs./checks/gcp/google-cloud-networking-policies/bc_gcp_networking_2#cli-command;https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudVPC/unrestricted-rdp-access.html;MITRE-ATTACK: T1190, T1199, T1048, T1498, T1046 | CIS-2.0: 3.7 | ENS-RD2022: mp.com.1.gcp.fw.1 | CIS-3.0: 3.7;internet-exposed;;;; +;2025-02-14 14:27:20.697446;;;;;;;;gcp;compute_firewall_rdp_access_from_the_internet_allowed;Ensure That RDP Access Is Restricted From the Internet;;PASS;Firewall does not expose port 3389 (RDP) to the internet.;False;networking;;critical;FirewallRule;;;;;;;GCP `Firewall Rules` are specific to a `VPC Network`. Each rule either `allows` or `denies` traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances. Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, an `IPv4` address or `IPv4 block in CIDR` notation can be used. Generic `(0.0.0.0/0)` incoming traffic from the Internet to a VPC or VM instance using `RDP` on `Port 3389` can be avoided.;Allowing unrestricted Remote Desktop Protocol (RDP) access can increase opportunities for malicious activities such as hacking, Man-In-The-Middle attacks (MITM) and Pass-The-Hash (PTH) attacks.;;Ensure that Google Cloud Virtual Private Cloud (VPC) firewall rules do not allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 3389 in order to restrict Remote Desktop Protocol (RDP) traffic to trusted IP addresses or IP ranges only and reduce the attack surface. TCP port 3389 is used for secure remote GUI login to Windows VM instances by connecting a RDP client application with an RDP server.;https://cloud.google.com/vpc/docs/using-firewalls;;https://docs./checks/gcp/google-cloud-networking-policies/bc_gcp_networking_2#terraform;https://docs./checks/gcp/google-cloud-networking-policies/bc_gcp_networking_2#cli-command;https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudVPC/unrestricted-rdp-access.html;MITRE-ATTACK: T1190, T1199, T1048, T1498, T1046 | CIS-2.0: 3.7 | ENS-RD2022: mp.com.1.gcp.fw.1 | CIS-3.0: 3.7;internet-exposed;;;; diff --git a/examples/output/example_output_gcp.json b/examples/output/example_output_gcp.json new file mode 100644 index 0000000000..f66747d8a7 --- /dev/null +++ b/examples/output/example_output_gcp.json @@ -0,0 +1,636 @@ +[ + { + "message": "Project does not have active API Keys.", + "metadata": { + "event_code": "apikeys_key_exists", + "product": { + "name": "Prowler", + "uid": "prowler", + "vendor_name": "Prowler", + "version": "5.4.0" + }, + "profiles": [ + "cloud", + "datetime" + ], + "tenant_uid": "", + "version": "1.4.0" + }, + "severity_id": 3, + "severity": "Medium", + "status": "New", + "status_code": "PASS", + "status_detail": "Project does not have active API Keys.", + "status_id": 1, + "unmapped": { + "related_url": "", + "categories": [], + "depends_on": [], + "related_to": [], + "notes": "", + "compliance": { + "MITRE-ATTACK": [ + "T1098" + ], + "CIS-2.0": [ + "1.12" + ], + "ENS-RD2022": [ + "op.acc.2.gcp.rbak.1" + ], + "CIS-3.0": [ + "1.12" + ] + } + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": 1739539640, + "created_time_dt": "2025-02-14T14:27:20.697446", + "desc": "API Keys should only be used for services in cases where other authentication methods are unavailable. Unused keys with their permissions in tact may still exist within a project. Keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to use standard authentication flow instead.", + "product_uid": "prowler", + "title": "Ensure API Keys Only Exist for Active Services", + "types": [], + "uid": "" + }, + "resources": [ + { + "region": "global", + "data": { + "details": "", + "metadata": { + "number": "", + "id": "", + "name": "", + "organization": { + "id": "", + "name": "organizations/", + "display_name": "prowler.com" + }, + "labels": { + "tag": "test", + "tag2": "test2", + "generative-language": "enabled" + }, + "lifecycle_state": "ACTIVE" + } + }, + "group": { + "name": "apikeys" + }, + "labels": [], + "name": "", + "type": "API Key", + "uid": "" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "cloud": { + "account": { + "name": "", + "type": "GCP Account", + "type_id": 5, + "uid": "", + "labels": [ + "tag:test" + ] + }, + "org": { + "name": "prowler.com", + "uid": "" + }, + "provider": "gcp", + "region": "global" + }, + "remediation": { + "desc": "To avoid the security risk in using API keys, it is recommended to use standard authentication flow instead.", + "references": [ + "gcloud alpha services api-keys delete", + "https://cloud.google.com/docs/authentication/api-keys" + ] + }, + "risk_details": "Security risks involved in using API-Keys appear below: API keys are simple encrypted strings, API keys do not identify the user or the application making the API request, API keys are typically accessible to clients, making it easy to discover and steal an API key.", + "time": 1739539640, + "time_dt": "2025-02-14T14:27:20.697446", + "type_uid": 200401, + "type_name": "Detection Finding: Create" + }, + { + "message": "AR Container Analysis is not enabled in project .", + "metadata": { + "event_code": "artifacts_container_analysis_enabled", + "product": { + "name": "Prowler", + "uid": "prowler", + "vendor_name": "Prowler", + "version": "5.4.0" + }, + "profiles": [ + "cloud", + "datetime" + ], + "tenant_uid": "", + "version": "1.4.0" + }, + "severity_id": 3, + "severity": "Medium", + "status": "New", + "status_code": "FAIL", + "status_detail": "AR Container Analysis is not enabled in project .", + "status_id": 1, + "unmapped": { + "related_url": "https://cloud.google.com/artifact-analysis/docs", + "categories": [], + "depends_on": [], + "related_to": [], + "notes": "By default, AR Container Analysis is disabled.", + "compliance": { + "MITRE-ATTACK": [ + "T1525" + ], + "ENS-RD2022": [ + "op.exp.4.r4.gcp.log.1", + "op.mon.3.gcp.scc.1" + ] + } + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": 1739539640, + "created_time_dt": "2025-02-14T14:27:20.697446", + "desc": "Scan images stored in Google Container Registry (GCR) for vulnerabilities using AR Container Analysis or a third-party provider. This helps identify and mitigate security risks associated with known vulnerabilities in container images.", + "product_uid": "prowler", + "title": "Ensure Image Vulnerability Analysis using AR Container Analysis or a third-party provider", + "types": [ + "Security", + "Configuration" + ], + "uid": "" + }, + "resources": [ + { + "region": "global", + "data": { + "details": "", + "metadata": { + "number": "538174383574", + "id": "", + "name": "", + "organization": { + "id": "", + "name": "organizations/", + "display_name": "prowler.com" + }, + "labels": { + "tag": "test", + "tag2": "test2", + "generative-language": "enabled" + }, + "lifecycle_state": "ACTIVE" + } + }, + "group": { + "name": "artifacts" + }, + "labels": [], + "name": "AR Container Analysis", + "type": "Service", + "uid": "containeranalysis.googleapis.com" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "cloud": { + "account": { + "name": "", + "type": "GCP Account", + "type_id": 5, + "uid": "", + "labels": [ + "tag:test" + ] + }, + "org": { + "name": "prowler.com", + "uid": "" + }, + "provider": "gcp", + "region": "global" + }, + "remediation": { + "desc": "Enable vulnerability scanning for images stored in Artifact Registry using AR Container Analysis or a third-party provider.", + "references": [ + "gcloud services enable containeranalysis.googleapis.com", + "https://cloud.google.com/artifact-analysis/docs/container-scanning-overview" + ] + }, + "risk_details": "Without image vulnerability scanning, container images stored in Artifact Registry may contain known vulnerabilities, increasing the risk of exploitation by malicious actors.", + "time": 1739539640, + "time_dt": "2025-02-14T14:27:20.697446", + "type_uid": 200401, + "type_name": "Detection Finding: Create" + }, + { + "message": "Firewall does not expose port 3389 (RDP) to the internet.", + "metadata": { + "event_code": "compute_firewall_rdp_access_from_the_internet_allowed", + "product": { + "name": "Prowler", + "uid": "prowler", + "vendor_name": "Prowler", + "version": "5.4.0" + }, + "profiles": [ + "cloud", + "datetime" + ], + "tenant_uid": "", + "version": "1.4.0" + }, + "severity_id": 5, + "severity": "Critical", + "status": "New", + "status_code": "PASS", + "status_detail": "Firewall does not expose port 3389 (RDP) to the internet.", + "status_id": 1, + "unmapped": { + "related_url": "", + "categories": [ + "internet-exposed" + ], + "depends_on": [], + "related_to": [], + "notes": "", + "compliance": { + "MITRE-ATTACK": [ + "T1190", + "T1199", + "T1048", + "T1498", + "T1046" + ], + "CIS-2.0": [ + "3.7" + ], + "ENS-RD2022": [ + "mp.com.1.gcp.fw.1" + ], + "CIS-3.0": [ + "3.7" + ] + } + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": 1739539640, + "created_time_dt": "2025-02-14T14:27:20.697446", + "desc": "GCP `Firewall Rules` are specific to a `VPC Network`. Each rule either `allows` or `denies` traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances. Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, an `IPv4` address or `IPv4 block in CIDR` notation can be used. Generic `(0.0.0.0/0)` incoming traffic from the Internet to a VPC or VM instance using `RDP` on `Port 3389` can be avoided.", + "product_uid": "prowler", + "title": "Ensure That RDP Access Is Restricted From the Internet", + "types": [], + "uid": "" + }, + "resources": [ + { + "region": "global", + "data": { + "details": "", + "metadata": { + "name": "", + "id": "", + "source_ranges": [ + "" + ], + "direction": "INGRESS", + "allowed_rules": [ + { + "IPProtocol": "icmp" + } + ], + "project_id": "" + } + }, + "group": { + "name": "networking" + }, + "labels": [], + "name": "", + "type": "FirewallRule", + "uid": "" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "cloud": { + "account": { + "name": "", + "type": "GCP Account", + "type_id": 5, + "uid": "", + "labels": [ + "tag:test", + "tag2:test2" + ] + }, + "org": { + "name": "prowler.com", + "uid": "" + }, + "provider": "gcp", + "region": "global" + }, + "remediation": { + "desc": "Ensure that Google Cloud Virtual Private Cloud (VPC) firewall rules do not allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 3389 in order to restrict Remote Desktop Protocol (RDP) traffic to trusted IP addresses or IP ranges only and reduce the attack surface. TCP port 3389 is used for secure remote GUI login to Windows VM instances by connecting a RDP client application with an RDP server.", + "references": [ + "https://docs.prowler.com/checks/gcp/google-cloud-networking-policies/bc_gcp_networking_2#terraform", + "https://docs.prowler.com/checks/gcp/google-cloud-networking-policies/bc_gcp_networking_2#cli-command", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudVPC/unrestricted-rdp-access.html", + "https://cloud.google.com/vpc/docs/using-firewalls" + ] + }, + "risk_details": "Allowing unrestricted Remote Desktop Protocol (RDP) access can increase opportunities for malicious activities such as hacking, Man-In-The-Middle attacks (MITM) and Pass-The-Hash (PTH) attacks.", + "time": 1739539640, + "time_dt": "2025-02-14T14:27:20.697446", + "type_uid": 200401, + "type_name": "Detection Finding: Create" + }, + { + "message": "Firewall does not expose port 3389 (RDP) to the internet.", + "metadata": { + "event_code": "compute_firewall_rdp_access_from_the_internet_allowed", + "product": { + "name": "Prowler", + "uid": "prowler", + "vendor_name": "Prowler", + "version": "5.4.0" + }, + "profiles": [ + "cloud", + "datetime" + ], + "tenant_uid": "", + "version": "1.4.0" + }, + "severity_id": 5, + "severity": "Critical", + "status": "New", + "status_code": "PASS", + "status_detail": "Firewall does not expose port 3389 (RDP) to the internet.", + "status_id": 1, + "unmapped": { + "related_url": "", + "categories": [ + "internet-exposed" + ], + "depends_on": [], + "related_to": [], + "notes": "", + "compliance": { + "MITRE-ATTACK": [ + "T1190", + "T1199", + "T1048", + "T1498", + "T1046" + ], + "CIS-2.0": [ + "3.7" + ], + "ENS-RD2022": [ + "mp.com.1.gcp.fw.1" + ], + "CIS-3.0": [ + "3.7" + ] + } + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": 1739539640, + "created_time_dt": "2025-02-14T14:27:20.697446", + "desc": "GCP `Firewall Rules` are specific to a `VPC Network`. Each rule either `allows` or `denies` traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances. Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, an `IPv4` address or `IPv4 block in CIDR` notation can be used. Generic `(0.0.0.0/0)` incoming traffic from the Internet to a VPC or VM instance using `RDP` on `Port 3389` can be avoided.", + "product_uid": "prowler", + "title": "Ensure That RDP Access Is Restricted From the Internet", + "types": [], + "uid": "" + }, + "resources": [ + { + "region": "global", + "data": { + "details": "", + "metadata": { + "name": "", + "id": "", + "source_ranges": [ + "" + ], + "direction": "INGRESS", + "allowed_rules": [ + { + "IPProtocol": "tcp", + "ports": [ + "0-65535" + ] + }, + { + "IPProtocol": "udp", + "ports": [ + "0-65535" + ] + }, + { + "IPProtocol": "icmp" + } + ], + "project_id": "" + } + }, + "group": { + "name": "networking" + }, + "labels": [], + "name": "", + "type": "FirewallRule", + "uid": "" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "cloud": { + "account": { + "name": "", + "type": "GCP Account", + "type_id": 5, + "uid": "", + "labels": [ + "tag:test", + "tag2:test2" + ] + }, + "org": { + "name": "prowler.com", + "uid": "" + }, + "provider": "gcp", + "region": "global" + }, + "remediation": { + "desc": "Ensure that Google Cloud Virtual Private Cloud (VPC) firewall rules do not allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 3389 in order to restrict Remote Desktop Protocol (RDP) traffic to trusted IP addresses or IP ranges only and reduce the attack surface. TCP port 3389 is used for secure remote GUI login to Windows VM instances by connecting a RDP client application with an RDP server.", + "references": [ + "https://docs.prowler.com/checks/gcp/google-cloud-networking-policies/bc_gcp_networking_2#terraform", + "https://docs.prowler.com/checks/gcp/google-cloud-networking-policies/bc_gcp_networking_2#cli-command", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudVPC/unrestricted-rdp-access.html", + "https://cloud.google.com/vpc/docs/using-firewalls" + ] + }, + "risk_details": "Allowing unrestricted Remote Desktop Protocol (RDP) access can increase opportunities for malicious activities such as hacking, Man-In-The-Middle attacks (MITM) and Pass-The-Hash (PTH) attacks.", + "time": 1739539640, + "time_dt": "2025-02-14T14:27:20.697446", + "type_uid": 200401, + "type_name": "Detection Finding: Create" + }, + { + "message": "Firewall does exposes port 3389 (RDP) to the internet.", + "metadata": { + "event_code": "compute_firewall_rdp_access_from_the_internet_allowed", + "product": { + "name": "Prowler", + "uid": "prowler", + "vendor_name": "Prowler", + "version": "5.4.0" + }, + "profiles": [ + "cloud", + "datetime" + ], + "tenant_uid": "", + "version": "1.4.0" + }, + "severity_id": 5, + "severity": "Critical", + "status": "New", + "status_code": "FAIL", + "status_detail": "Firewall does exposes port 3389 (RDP) to the internet.", + "status_id": 1, + "unmapped": { + "related_url": "", + "categories": [ + "internet-exposed" + ], + "depends_on": [], + "related_to": [], + "notes": "", + "compliance": { + "MITRE-ATTACK": [ + "T1190", + "T1199", + "T1048", + "T1498", + "T1046" + ], + "CIS-2.0": [ + "3.7" + ], + "ENS-RD2022": [ + "mp.com.1.gcp.fw.1" + ], + "CIS-3.0": [ + "3.7" + ] + } + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": 1739539640, + "created_time_dt": "2025-02-14T14:27:20.697446", + "desc": "GCP `Firewall Rules` are specific to a `VPC Network`. Each rule either `allows` or `denies` traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances. Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, an `IPv4` address or `IPv4 block in CIDR` notation can be used. Generic `(0.0.0.0/0)` incoming traffic from the Internet to a VPC or VM instance using `RDP` on `Port 3389` can be avoided.", + "product_uid": "prowler", + "title": "Ensure That RDP Access Is Restricted From the Internet", + "types": [], + "uid": "" + }, + "resources": [ + { + "region": "global", + "data": { + "details": "", + "metadata": { + "name": "", + "id": "", + "source_ranges": [ + "" + ], + "direction": "INGRESS", + "allowed_rules": [ + { + "IPProtocol": "tcp", + "ports": [ + "3389" + ] + } + ], + "project_id": "" + } + }, + "group": { + "name": "networking" + }, + "labels": [], + "name": "", + "type": "FirewallRule", + "uid": "" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "cloud": { + "account": { + "name": "", + "type": "GCP Account", + "type_id": 5, + "uid": "", + "labels": [ + "tag:test", + "tag2:test2" + ] + }, + "org": { + "name": "prowler.com", + "uid": "" + }, + "provider": "gcp", + "region": "global" + }, + "remediation": { + "desc": "Ensure that Google Cloud Virtual Private Cloud (VPC) firewall rules do not allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 3389 in order to restrict Remote Desktop Protocol (RDP) traffic to trusted IP addresses or IP ranges only and reduce the attack surface. TCP port 3389 is used for secure remote GUI login to Windows VM instances by connecting a RDP client application with an RDP server.", + "references": [ + "https://docs.prowler.com/checks/gcp/google-cloud-networking-policies/bc_gcp_networking_2#terraform", + "https://docs.prowler.com/checks/gcp/google-cloud-networking-policies/bc_gcp_networking_2#cli-command", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudVPC/unrestricted-rdp-access.html", + "https://cloud.google.com/vpc/docs/using-firewalls" + ] + }, + "risk_details": "Allowing unrestricted Remote Desktop Protocol (RDP) access can increase opportunities for malicious activities such as hacking, Man-In-The-Middle attacks (MITM) and Pass-The-Hash (PTH) attacks.", + "time": 1739539640, + "time_dt": "2025-02-14T14:27:20.697446", + "type_uid": 200401, + "type_name": "Detection Finding: Create" + } +] diff --git a/examples/output/example_output_kubernetes.csv b/examples/output/example_output_kubernetes.csv new file mode 100644 index 0000000000..b4617a40e8 --- /dev/null +++ b/examples/output/example_output_kubernetes.csv @@ -0,0 +1,5 @@ +AUTH_METHOD;TIMESTAMP;ACCOUNT_UID;ACCOUNT_NAME;ACCOUNT_EMAIL;ACCOUNT_ORGANIZATION_UID;ACCOUNT_ORGANIZATION_NAME;ACCOUNT_TAGS;FINDING_UID;PROVIDER;CHECK_ID;CHECK_TITLE;CHECK_TYPE;STATUS;STATUS_EXTENDED;MUTED;SERVICE_NAME;SUBSERVICE_NAME;SEVERITY;RESOURCE_TYPE;RESOURCE_UID;RESOURCE_NAME;RESOURCE_DETAILS;RESOURCE_TAGS;PARTITION;REGION;DESCRIPTION;RISK;RELATED_URL;REMEDIATION_RECOMMENDATION_TEXT;REMEDIATION_RECOMMENDATION_URL;REMEDIATION_CODE_NATIVEIAC;REMEDIATION_CODE_TERRAFORM;REMEDIATION_CODE_CLI;REMEDIATION_CODE_OTHER;COMPLIANCE;CATEGORIES;DEPENDS_ON;RELATED_TO;NOTES;PROWLER_VERSION +;2025-02-14 14:27:38.533897;;context: ;;;;;;kubernetes;apiserver_always_pull_images_plugin;Ensure that the admission control plugin AlwaysPullImages is set;;FAIL;AlwaysPullImages admission control plugin is not set in pod ;False;apiserver;;medium;KubernetesAPIServer;;;;;;namespace: kube-system;This check verifies that the AlwaysPullImages admission control plugin is enabled in the Kubernetes API server. This plugin ensures that every new pod always pulls the required images, enforcing image access control and preventing the use of possibly outdated or altered images.;Without AlwaysPullImages, once an image is pulled to a node, any pod can use it without any authorization check, potentially leading to security risks.;https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages;Configure the API server to use the AlwaysPullImages admission control plugin to ensure image security and integrity.;https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers;https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-admission-control-plugin-alwayspullimages-is-set#kubernetes;;--enable-admission-plugins=...,AlwaysPullImages,...;;CIS-1.10: 1.2.11 | CIS-1.8: 1.2.11;cluster-security;;;Enabling AlwaysPullImages can increase network and registry load and decrease container startup speed. It may not be suitable for all environments.; +;2025-02-14 14:27:38.533897;;context: ;;;;;;kubernetes;apiserver_anonymous_requests;Ensure that the --anonymous-auth argument is set to false;;PASS;API Server does not have anonymous-auth enabled in pod ;False;apiserver;;high;KubernetesAPIServer;;;;;;namespace: kube-system;Disable anonymous requests to the API server. When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests, which are then served by the API server. Disallowing anonymous requests strengthens security by ensuring all access is authenticated.;Enabling anonymous access to the API server can expose the cluster to unauthorized access and potential security vulnerabilities.;https://kubernetes.io/docs/admin/authentication/#anonymous-requests;Ensure the --anonymous-auth argument in the API server is set to false. This will reject all anonymous requests, enforcing authenticated access to the server.;https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/;https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-anonymous-auth-argument-is-set-to-false-1#kubernetes;;--anonymous-auth=false;;CIS-1.10: 1.2.1 | CIS-1.8: 1.2.1;trustboundaries;;;While anonymous access can be useful for health checks and discovery, consider the security implications for your specific environment.; +;2025-02-14 14:27:38.533897;;context: ;;;;;;kubernetes;apiserver_audit_log_maxage_set;Ensure that the --audit-log-maxage argument is set to 30 or as appropriate;;FAIL;Audit log max age is not set to 30 or as appropriate in pod ;False;apiserver;;medium;KubernetesAPIServer;;;;;;namespace: kube-system;This check ensures that the Kubernetes API server is configured with an appropriate audit log retention period. Setting --audit-log-maxage to 30 or as per business requirements helps in maintaining logs for sufficient time to investigate past events.;Without an adequate log retention period, there may be insufficient audit history to investigate and analyze past events or security incidents.;https://kubernetes.io/docs/concepts/cluster-administration/audit/;Configure the API server audit log retention period to retain logs for at least 30 days or as per your organization's requirements.;https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/;https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-audit-log-maxage-argument-is-set-to-30-or-as-appropriate#kubernetes;;--audit-log-maxage=30;;CIS-1.10: 1.2.17 | CIS-1.8: 1.2.18;logging;;;Ensure the audit log retention period is set appropriately to balance between storage constraints and the need for historical data.; +;2025-02-14 14:27:38.533897;;context: ;;;;;;kubernetes;apiserver_audit_log_maxbackup_set;Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate;;FAIL;Audit log max backup is not set to 10 or as appropriate in pod ;False;apiserver;;medium;KubernetesAPIServer;;;;;;namespace: kube-system;This check ensures that the Kubernetes API server is configured with an appropriate number of audit log backups. Setting --audit-log-maxbackup to 10 or as per business requirements helps maintain a sufficient log backup for investigations or analysis.;Without an adequate number of audit log backups, there may be insufficient log history to investigate past events or security incidents.;https://kubernetes.io/docs/concepts/cluster-administration/audit/;Configure the API server audit log backup retention to 10 or as per your organization's requirements.;https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/;https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate#kubernetes;;--audit-log-maxbackup=10;;CIS-1.10: 1.2.18 | CIS-1.8: 1.2.19;logging;;;Ensure the audit log backup retention period is set appropriately to balance between storage constraints and the need for historical data.; diff --git a/examples/output/example_output_kubernetes.json b/examples/output/example_output_kubernetes.json new file mode 100644 index 0000000000..de8693e37a --- /dev/null +++ b/examples/output/example_output_kubernetes.json @@ -0,0 +1,800 @@ +[ + { + "message": "AlwaysPullImages admission control plugin is not set in pod .", + "metadata": { + "event_code": "apiserver_always_pull_images_plugin", + "product": { + "name": "Prowler", + "uid": "prowler", + "vendor_name": "Prowler", + "version": "5.4.0" + }, + "profiles": [ + "container", + "datetime" + ], + "version": "1.4.0" + }, + "severity_id": 3, + "severity": "Medium", + "status": "New", + "status_code": "FAIL", + "status_detail": "AlwaysPullImages admission control plugin is not set in pod .", + "status_id": 1, + "unmapped": { + "related_url": "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages", + "categories": [ + "cluster-security" + ], + "depends_on": [], + "related_to": [], + "notes": "Enabling AlwaysPullImages can increase network and registry load and decrease container startup speed. It may not be suitable for all environments.", + "compliance": { + "CIS-1.10": [ + "1.2.11" + ], + "CIS-1.8": [ + "1.2.11" + ] + } + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": 1739539658, + "created_time_dt": "2025-02-14T14:27:38.533897", + "desc": "This check verifies that the AlwaysPullImages admission control plugin is enabled in the Kubernetes API server. This plugin ensures that every new pod always pulls the required images, enforcing image access control and preventing the use of possibly outdated or altered images.", + "product_uid": "prowler", + "title": "Ensure that the admission control plugin AlwaysPullImages is set", + "types": [], + "uid": "" + }, + "resources": [ + { + "data": { + "details": "", + "metadata": { + "name": "", + "uid": "", + "namespace": "", + "labels": { + "component": "kube-apiserver", + "tier": "control-plane" + }, + "annotations": { + "kubernetes.io/config.source": "file" + }, + "node_name": "", + "service_account": null, + "status_phase": "Running", + "pod_ip": "", + "host_ip": "", + "host_pid": null, + "host_ipc": null, + "host_network": "True", + "security_context": { + "app_armor_profile": null, + "fs_group": null, + "fs_group_change_policy": null, + "run_as_group": null, + "run_as_non_root": null, + "run_as_user": null, + "se_linux_change_policy": null, + "se_linux_options": null, + "seccomp_profile": { + "localhost_profile": null, + "type": "RuntimeDefault" + }, + "supplemental_groups": null, + "supplemental_groups_policy": null, + "sysctls": null, + "windows_options": null + }, + "containers": { + "kube-apiserver": { + "name": "kube-apiserver", + "image": "", + "command": [ + "" + ], + "ports": null, + "env": null, + "security_context": {} + } + } + } + }, + "group": { + "name": "apiserver" + }, + "labels": [], + "name": "", + "namespace": "", + "type": "KubernetesAPIServer", + "uid": "" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "remediation": { + "desc": "Configure the API server to use the AlwaysPullImages admission control plugin to ensure image security and integrity.", + "references": [ + "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-admission-control-plugin-alwayspullimages-is-set#kubernetes", + "--enable-admission-plugins=...,AlwaysPullImages,...", + "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers" + ] + }, + "risk_details": "Without AlwaysPullImages, once an image is pulled to a node, any pod can use it without any authorization check, potentially leading to security risks.", + "time": 1739539658, + "time_dt": "2025-02-14T14:27:38.533897", + "type_uid": 200401, + "type_name": "Detection Finding: Create" + }, + { + "message": "API Server does not have anonymous-auth enabled in pod .", + "metadata": { + "event_code": "apiserver_anonymous_requests", + "product": { + "name": "Prowler", + "uid": "prowler", + "vendor_name": "Prowler", + "version": "5.4.0" + }, + "profiles": [ + "container", + "datetime" + ], + "version": "1.4.0" + }, + "severity_id": 4, + "severity": "High", + "status": "New", + "status_code": "PASS", + "status_detail": "API Server does not have anonymous-auth enabled in pod .", + "status_id": 1, + "unmapped": { + "related_url": "https://kubernetes.io/docs/admin/authentication/#anonymous-requests", + "categories": [ + "trustboundaries" + ], + "depends_on": [], + "related_to": [], + "notes": "While anonymous access can be useful for health checks and discovery, consider the security implications for your specific environment.", + "compliance": { + "CIS-1.10": [ + "1.2.1" + ], + "CIS-1.8": [ + "1.2.1" + ] + } + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": 1739539658, + "created_time_dt": "2025-02-14T14:27:38.533897", + "desc": "Disable anonymous requests to the API server. When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests, which are then served by the API server. Disallowing anonymous requests strengthens security by ensuring all access is authenticated.", + "product_uid": "prowler", + "title": "Ensure that the --anonymous-auth argument is set to false", + "types": [], + "uid": "" + }, + "resources": [ + { + "data": { + "details": "", + "metadata": { + "name": "", + "uid": "", + "namespace": "", + "labels": { + "component": "kube-apiserver", + "tier": "control-plane" + }, + "annotations": { + "kubernetes.io/config.source": "file" + }, + "node_name": "", + "service_account": null, + "status_phase": "Running", + "pod_ip": "", + "host_ip": "", + "host_pid": null, + "host_ipc": null, + "host_network": "True", + "security_context": { + "app_armor_profile": null, + "fs_group": null, + "fs_group_change_policy": null, + "run_as_group": null, + "run_as_non_root": null, + "run_as_user": null, + "se_linux_change_policy": null, + "se_linux_options": null, + "seccomp_profile": { + "localhost_profile": null, + "type": "RuntimeDefault" + }, + "supplemental_groups": null, + "supplemental_groups_policy": null, + "sysctls": null, + "windows_options": null + }, + "containers": { + "kube-apiserver": { + "name": "kube-apiserver", + "image": "", + "command": [ + "" + ], + "ports": null, + "env": null, + "security_context": {} + } + } + } + }, + "group": { + "name": "apiserver" + }, + "labels": [], + "name": "", + "namespace": "", + "type": "KubernetesAPIServer", + "uid": "" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "remediation": { + "desc": "Ensure the --anonymous-auth argument in the API server is set to false. This will reject all anonymous requests, enforcing authenticated access to the server.", + "references": [ + "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-anonymous-auth-argument-is-set-to-false-1#kubernetes", + "--anonymous-auth=false", + "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/" + ] + }, + "risk_details": "Enabling anonymous access to the API server can expose the cluster to unauthorized access and potential security vulnerabilities.", + "time": 1739539658, + "time_dt": "2025-02-14T14:27:38.533897", + "type_uid": 200401, + "type_name": "Detection Finding: Create" + }, + { + "message": "Audit log max age is not set to 30 or as appropriate in pod .", + "metadata": { + "event_code": "apiserver_audit_log_maxage_set", + "product": { + "name": "Prowler", + "uid": "prowler", + "vendor_name": "Prowler", + "version": "5.4.0" + }, + "profiles": [ + "container", + "datetime" + ], + "version": "1.4.0" + }, + "severity_id": 3, + "severity": "Medium", + "status": "New", + "status_code": "FAIL", + "status_detail": "Audit log max age is not set to 30 or as appropriate in pod .", + "status_id": 1, + "unmapped": { + "related_url": "https://kubernetes.io/docs/concepts/cluster-administration/audit/", + "categories": [ + "logging" + ], + "depends_on": [], + "related_to": [], + "notes": "Ensure the audit log retention period is set appropriately to balance between storage constraints and the need for historical data.", + "compliance": { + "CIS-1.10": [ + "1.2.17" + ], + "CIS-1.8": [ + "1.2.18" + ] + } + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": 1739539658, + "created_time_dt": "2025-02-14T14:27:38.533897", + "desc": "This check ensures that the Kubernetes API server is configured with an appropriate audit log retention period. Setting --audit-log-maxage to 30 or as per business requirements helps in maintaining logs for sufficient time to investigate past events.", + "product_uid": "prowler", + "title": "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate", + "types": [], + "uid": "" + }, + "resources": [ + { + "data": { + "details": "", + "metadata": { + "name": "", + "uid": "", + "namespace": "", + "labels": { + "component": "kube-apiserver", + "tier": "control-plane" + }, + "annotations": { + "kubernetes.io/config.source": "file" + }, + "node_name": "", + "service_account": null, + "status_phase": "Running", + "pod_ip": "", + "host_ip": "", + "host_pid": null, + "host_ipc": null, + "host_network": "True", + "security_context": { + "app_armor_profile": null, + "fs_group": null, + "fs_group_change_policy": null, + "run_as_group": null, + "run_as_non_root": null, + "run_as_user": null, + "se_linux_change_policy": null, + "se_linux_options": null, + "seccomp_profile": { + "localhost_profile": null, + "type": "RuntimeDefault" + }, + "supplemental_groups": null, + "supplemental_groups_policy": null, + "sysctls": null, + "windows_options": null + }, + "containers": { + "kube-apiserver": { + "name": "kube-apiserver", + "image": "", + "command": [ + "" + ], + "ports": null, + "env": null, + "security_context": {} + } + } + } + }, + "group": { + "name": "apiserver" + }, + "labels": [], + "name": "", + "namespace": "", + "type": "KubernetesAPIServer", + "uid": "" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "remediation": { + "desc": "Configure the API server audit log retention period to retain logs for at least 30 days or as per your organization's requirements.", + "references": [ + "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-audit-log-maxage-argument-is-set-to-30-or-as-appropriate#kubernetes", + "--audit-log-maxage=30", + "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/" + ] + }, + "risk_details": "Without an adequate log retention period, there may be insufficient audit history to investigate and analyze past events or security incidents.", + "time": 1739539658, + "time_dt": "2025-02-14T14:27:38.533897", + "type_uid": 200401, + "type_name": "Detection Finding: Create" + }, + { + "message": "Audit log max backup is not set to 10 or as appropriate in pod .", + "metadata": { + "event_code": "apiserver_audit_log_maxbackup_set", + "product": { + "name": "Prowler", + "uid": "prowler", + "vendor_name": "Prowler", + "version": "5.4.0" + }, + "profiles": [ + "container", + "datetime" + ], + "version": "1.4.0" + }, + "severity_id": 3, + "severity": "Medium", + "status": "New", + "status_code": "FAIL", + "status_detail": "Audit log max backup is not set to 10 or as appropriate in pod .", + "status_id": 1, + "unmapped": { + "related_url": "https://kubernetes.io/docs/concepts/cluster-administration/audit/", + "categories": [ + "logging" + ], + "depends_on": [], + "related_to": [], + "notes": "Ensure the audit log backup retention period is set appropriately to balance between storage constraints and the need for historical data.", + "compliance": { + "CIS-1.10": [ + "1.2.18" + ], + "CIS-1.8": [ + "1.2.19" + ] + } + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": 1739539658, + "created_time_dt": "2025-02-14T14:27:38.533897", + "desc": "This check ensures that the Kubernetes API server is configured with an appropriate number of audit log backups. Setting --audit-log-maxbackup to 10 or as per business requirements helps maintain a sufficient log backup for investigations or analysis.", + "product_uid": "prowler", + "title": "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate", + "types": [], + "uid": "" + }, + "resources": [ + { + "data": { + "details": "", + "metadata": { + "name": "", + "uid": "", + "namespace": "", + "labels": { + "component": "kube-apiserver", + "tier": "control-plane" + }, + "annotations": { + "kubernetes.io/config.source": "file" + }, + "node_name": "", + "service_account": null, + "status_phase": "Running", + "pod_ip": "", + "host_ip": "", + "host_pid": null, + "host_ipc": null, + "host_network": "True", + "security_context": { + "app_armor_profile": null, + "fs_group": null, + "fs_group_change_policy": null, + "run_as_group": null, + "run_as_non_root": null, + "run_as_user": null, + "se_linux_change_policy": null, + "se_linux_options": null, + "seccomp_profile": { + "localhost_profile": null, + "type": "RuntimeDefault" + }, + "supplemental_groups": null, + "supplemental_groups_policy": null, + "sysctls": null, + "windows_options": null + }, + "containers": { + "kube-apiserver": { + "name": "kube-apiserver", + "image": "", + "command": [ + "" + ], + "ports": null, + "env": null, + "security_context": {} + } + } + } + }, + "group": { + "name": "apiserver" + }, + "labels": [], + "name": "", + "namespace": "", + "type": "KubernetesAPIServer", + "uid": "" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "remediation": { + "desc": "Configure the API server audit log backup retention to 10 or as per your organization's requirements.", + "references": [ + "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate#kubernetes", + "--audit-log-maxbackup=10", + "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/" + ] + }, + "risk_details": "Without an adequate number of audit log backups, there may be insufficient log history to investigate past events or security incidents.", + "time": 1739539658, + "time_dt": "2025-02-14T14:27:38.533897", + "type_uid": 200401, + "type_name": "Detection Finding: Create" + }, + { + "message": "Audit log max size is not set to 100 MB or as appropriate in pod .", + "metadata": { + "event_code": "apiserver_audit_log_maxsize_set", + "product": { + "name": "Prowler", + "uid": "prowler", + "vendor_name": "Prowler", + "version": "5.4.0" + }, + "profiles": [ + "container", + "datetime" + ], + "version": "1.4.0" + }, + "severity_id": 3, + "severity": "Medium", + "status": "New", + "status_code": "FAIL", + "status_detail": "Audit log max size is not set to 100 MB or as appropriate in pod .", + "status_id": 1, + "unmapped": { + "related_url": "https://kubernetes.io/docs/concepts/cluster-administration/audit/", + "categories": [ + "logging" + ], + "depends_on": [], + "related_to": [], + "notes": "Adjust the audit log file size limit based on your organization's storage capabilities and logging requirements.", + "compliance": { + "CIS-1.10": [ + "1.2.19" + ], + "CIS-1.8": [ + "1.2.20" + ] + } + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": 1739539658, + "created_time_dt": "2025-02-14T14:27:38.533897", + "desc": "This check ensures that the Kubernetes API server is configured with an appropriate audit log file size limit. Setting --audit-log-maxsize to 100 MB or as per business requirements helps manage the size of log files and prevents them from growing excessively large.", + "product_uid": "prowler", + "title": "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate", + "types": [], + "uid": "" + }, + "resources": [ + { + "data": { + "details": "", + "metadata": { + "name": "", + "uid": "", + "namespace": "", + "labels": { + "component": "kube-apiserver", + "tier": "control-plane" + }, + "annotations": { + "kubernetes.io/config.source": "file" + }, + "node_name": "", + "service_account": null, + "status_phase": "Running", + "pod_ip": "", + "host_ip": "", + "host_pid": null, + "host_ipc": null, + "host_network": "True", + "security_context": { + "app_armor_profile": null, + "fs_group": null, + "fs_group_change_policy": null, + "run_as_group": null, + "run_as_non_root": null, + "run_as_user": null, + "se_linux_change_policy": null, + "se_linux_options": null, + "seccomp_profile": { + "localhost_profile": null, + "type": "RuntimeDefault" + }, + "supplemental_groups": null, + "supplemental_groups_policy": null, + "sysctls": null, + "windows_options": null + }, + "containers": { + "kube-apiserver": { + "name": "kube-apiserver", + "image": "", + "command": [ + "" + ], + "ports": null, + "env": null, + "security_context": {} + } + } + } + }, + "group": { + "name": "apiserver" + }, + "labels": [], + "name": "", + "namespace": "", + "type": "KubernetesAPIServer", + "uid": "" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "remediation": { + "desc": "Configure the API server audit log file size limit to 100 MB or as per your organization's requirements.", + "references": [ + "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate#kubernetes", + "--audit-log-maxsize=100", + "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/" + ] + }, + "risk_details": "Without an appropriate audit log file size limit, log files can grow excessively large, potentially leading to storage issues and difficulty in log analysis.", + "time": 1739539658, + "time_dt": "2025-02-14T14:27:38.533897", + "type_uid": 200401, + "type_name": "Detection Finding: Create" + }, + { + "message": "Audit log path is not set in pod .", + "metadata": { + "event_code": "apiserver_audit_log_path_set", + "product": { + "name": "Prowler", + "uid": "prowler", + "vendor_name": "Prowler", + "version": "5.4.0" + }, + "profiles": [ + "container", + "datetime" + ], + "version": "1.4.0" + }, + "severity_id": 4, + "severity": "High", + "status": "New", + "status_code": "FAIL", + "status_detail": "Audit log path is not set in pod .", + "status_id": 1, + "unmapped": { + "related_url": "https://kubernetes.io/docs/concepts/cluster-administration/audit/", + "categories": [ + "logging" + ], + "depends_on": [], + "related_to": [], + "notes": "Audit logs are not enabled by default in Kubernetes. Configuring them is essential for security monitoring and forensic analysis.", + "compliance": { + "CIS-1.10": [ + "1.2.16" + ], + "CIS-1.8": [ + "1.2.17" + ] + } + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": 1739539658, + "created_time_dt": "2025-02-14T14:27:38.533897", + "desc": "This check verifies that the Kubernetes API server is configured with an audit log path. Enabling audit logs helps in maintaining a chronological record of all activities and operations which can be critical for security analysis and troubleshooting.", + "product_uid": "prowler", + "title": "Ensure that the --audit-log-path argument is set", + "types": [], + "uid": "" + }, + "resources": [ + { + "data": { + "details": "", + "metadata": { + "name": "", + "uid": "", + "namespace": "", + "labels": { + "component": "kube-apiserver", + "tier": "control-plane" + }, + "annotations": { + "kubernetes.io/config.source": "file" + }, + "node_name": "", + "service_account": null, + "status_phase": "Running", + "pod_ip": "", + "host_ip": "", + "host_pid": null, + "host_ipc": null, + "host_network": "True", + "security_context": { + "app_armor_profile": null, + "fs_group": null, + "fs_group_change_policy": null, + "run_as_group": null, + "run_as_non_root": null, + "run_as_user": null, + "se_linux_change_policy": null, + "se_linux_options": null, + "seccomp_profile": { + "localhost_profile": null, + "type": "RuntimeDefault" + }, + "supplemental_groups": null, + "supplemental_groups_policy": null, + "sysctls": null, + "windows_options": null + }, + "containers": { + "kube-apiserver": { + "name": "kube-apiserver", + "image": "", + "command": [ + "" + ], + "ports": null, + "env": null, + "security_context": {} + } + } + } + }, + "group": { + "name": "apiserver" + }, + "labels": [], + "name": "", + "namespace": "", + "type": "KubernetesAPIServer", + "uid": "" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "remediation": { + "desc": "Enable audit logging in the API server by specifying a valid path for --audit-log-path to ensure comprehensive activity logging within the cluster.", + "references": [ + "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-audit-log-path-argument-is-set#kubernetes", + "--audit-log-path=/var/log/apiserver/audit.log", + "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/" + ] + }, + "risk_details": "Without audit logs, it becomes difficult to track changes and activities within the cluster, potentially obscuring the detection of malicious activities or operational issues.", + "time": 1739539658, + "time_dt": "2025-02-14T14:27:38.533897", + "type_uid": 200401, + "type_name": "Detection Finding: Create" + } +] From d7b0710577f20b6280e020b270ff8ba263cf95ec Mon Sep 17 00:00:00 2001 From: pedrooot Date: Mon, 17 Feb 2025 09:05:02 +0100 Subject: [PATCH 2/5] feat(output): rename from json to json-ocsf and add azure --- ..._aws.json => example_output_aws.ocsf.json} | 0 .../output/example_output_azure.ocsf.json | 552 ++++++++++++++++++ ..._gcp.json => example_output_gcp.ocsf.json} | 0 ...on => example_output_kubernetes.ocsf.json} | 0 4 files changed, 552 insertions(+) rename examples/output/{example_output_aws.json => example_output_aws.ocsf.json} (100%) create mode 100644 examples/output/example_output_azure.ocsf.json rename examples/output/{example_output_gcp.json => example_output_gcp.ocsf.json} (100%) rename examples/output/{example_output_kubernetes.json => example_output_kubernetes.ocsf.json} (100%) diff --git a/examples/output/example_output_aws.json b/examples/output/example_output_aws.ocsf.json similarity index 100% rename from examples/output/example_output_aws.json rename to examples/output/example_output_aws.ocsf.json diff --git a/examples/output/example_output_azure.ocsf.json b/examples/output/example_output_azure.ocsf.json new file mode 100644 index 0000000000..f90549ba48 --- /dev/null +++ b/examples/output/example_output_azure.ocsf.json @@ -0,0 +1,552 @@ +[ + { + "message": "There are no AppInsight configured in subscription .", + "metadata": { + "event_code": "appinsights_ensure_is_configured", + "product": { + "name": "Prowler", + "uid": "prowler", + "vendor_name": "Prowler", + "version": "5.4.0" + }, + "profiles": [ + "cloud", + "datetime" + ], + "tenant_uid": "", + "version": "1.4.0" + }, + "severity_id": 2, + "severity": "Low", + "status": "New", + "status_code": "FAIL", + "status_detail": "There are no AppInsight configured in subscription .", + "status_id": 1, + "unmapped": { + "related_url": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview", + "categories": [], + "depends_on": [], + "related_to": [], + "notes": "Because Application Insights relies on a Log Analytics Workspace, an organization will incur additional expenses when using this service.", + "compliance": { + "CIS-2.1": [ + "5.3.1" + ], + "ENS-RD2022": [ + "mp.s.4.r1.az.nt.2" + ], + "CIS-3.0": [ + "6.3.1" + ], + "CIS-2.0": [ + "5.3.1" + ] + } + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": 1739539650, + "created_time_dt": "2025-02-14T14:27:30.710664", + "desc": "Application Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data providing organizations with detailed information about application activity and application transactions. Both data sets help organizations adopt a proactive and retroactive means to handle security and performance related metrics within their modern applications.", + "product_uid": "prowler", + "title": "Ensure Application Insights are Configured.", + "types": [], + "uid": "" + }, + "resources": [ + { + "cloud_partition": "AzureCloud", + "region": "global", + "data": { + "details": "", + "metadata": {} + }, + "group": { + "name": "appinsights" + }, + "labels": [], + "name": "AppInsights", + "type": "Microsoft.Insights/components", + "uid": "AppInsights" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "cloud": { + "account": { + "name": "", + "type": "Azure AD Account", + "type_id": 6, + "uid": "", + "labels": [] + }, + "org": { + "name": "", + "uid": "" + }, + "provider": "azure", + "region": "global" + }, + "remediation": { + "desc": "1. Navigate to Application Insights 2. Under the Basics tab within the PROJECT DETAILS section, select the Subscription 3. Select the Resource group 4. Within the INSTANCE DETAILS, enter a Name 5. Select a Region 6. Next to Resource Mode, select Workspace-based 7. Within the WORKSPACE DETAILS, select the Subscription for the log analytics workspace 8. Select the appropriate Log Analytics Workspace 9. Click Next:Tags > 10. Enter the appropriate Tags as Name, Value pairs. 11. Click Next:Review+Create 12. Click Create.", + "references": [ + "az monitor app-insights component create --app --resource-group --location --kind 'web' --retention-time --workspace -- subscription ", + "https://www.tenable.com/audits/items/CIS_Microsoft_Azure_Foundations_v2.0.0_L2.audit:8a7a608d180042689ad9d3f16aa359f1" + ] + }, + "risk_details": "Configuring Application Insights provides additional data not found elsewhere within Azure as part of a much larger logging and monitoring program within an organization's Information Security practice. The types and contents of these logs will act as both a potential cost saving measure (application performance) and a means to potentially confirm the source of a potential incident (trace logging). Metrics and Telemetry data provide organizations with a proactive approach to cost savings by monitoring an application's performance, while the trace logging data provides necessary details in a reactive incident response scenario by helping organizations identify the potential source of an incident within their application.", + "time": 1739539650, + "time_dt": "2025-02-14T14:27:30.710664", + "type_uid": 200401, + "type_name": "Detection Finding: Create" + }, + { + "message": "There is not another correct email configured for subscription .", + "metadata": { + "event_code": "defender_additional_email_configured_with_a_security_contact", + "product": { + "name": "Prowler", + "uid": "prowler", + "vendor_name": "Prowler", + "version": "5.4.0" + }, + "profiles": [ + "cloud", + "datetime" + ], + "tenant_uid": "", + "version": "1.4.0" + }, + "severity_id": 3, + "severity": "Medium", + "status": "New", + "status_code": "FAIL", + "status_detail": "There is not another correct email configured for subscription .", + "status_id": 1, + "unmapped": { + "related_url": "https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details", + "categories": [], + "depends_on": [], + "related_to": [], + "notes": "", + "compliance": { + "CIS-2.1": [ + "2.1.18" + ], + "ENS-RD2022": [ + "op.mon.3.r3.az.de.1" + ], + "CIS-3.0": [ + "3.1.13" + ], + "CIS-2.0": [ + "2.1.19" + ] + } + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": 1739539650, + "created_time_dt": "2025-02-14T14:27:30.710664", + "desc": "Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.", + "product_uid": "prowler", + "title": "Ensure 'Additional email addresses' is Configured with a Security Contact Email", + "types": [], + "uid": "" + }, + "resources": [ + { + "cloud_partition": "AzureCloud", + "region": "global", + "data": { + "details": "", + "metadata": { + "resource_id": "", + "name": "", + "emails": "", + "phone": "", + "alert_notifications_minimal_severity": "High", + "alert_notifications_state": "On", + "notified_roles": [ + "Owner" + ], + "notified_roles_state": "On" + } + }, + "group": { + "name": "defender" + }, + "labels": [], + "name": "", + "type": "AzureEmailNotifications", + "uid": "" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "cloud": { + "account": { + "name": "", + "type": "Azure AD Account", + "type_id": 6, + "uid": "", + "labels": [] + }, + "org": { + "name": "", + "uid": "" + }, + "provider": "azure", + "region": "global" + }, + "remediation": { + "desc": "1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Click on Environment Settings 4. Click on the appropriate Management Group, Subscription, or Workspace 5. Click on Email notifications 6. Enter a valid security contact email address (or multiple addresses separated by commas) in the Additional email addresses field 7. Click Save", + "references": [ + "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-security-contact-emails-is-set#terraform", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/security-contact-email.html", + "https://learn.microsoft.com/en-us/rest/api/defenderforcloud/security-contacts/list?view=rest-defenderforcloud-2020-01-01-preview&tabs=HTTP" + ] + }, + "risk_details": "Microsoft Defender for Cloud emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the 'Additional email addresses' field ensures that your organization's Security Team is included in these alerts. This ensures that the proper people are aware of any potential compromise in order to mitigate the risk in a timely fashion.", + "time": 1739539650, + "time_dt": "2025-02-14T14:27:30.710664", + "type_uid": 200401, + "type_name": "Detection Finding: Create" + }, + { + "message": "Defender Auto Provisioning Log Analytics Agents from subscription is set to OFF.", + "metadata": { + "event_code": "defender_auto_provisioning_log_analytics_agent_vms_on", + "product": { + "name": "Prowler", + "uid": "prowler", + "vendor_name": "Prowler", + "version": "5.4.0" + }, + "profiles": [ + "cloud", + "datetime" + ], + "tenant_uid": "", + "version": "1.4.0" + }, + "severity_id": 3, + "severity": "Medium", + "status": "New", + "status_code": "FAIL", + "status_detail": "Defender Auto Provisioning Log Analytics Agents from subscription is set to OFF.", + "status_id": 1, + "unmapped": { + "related_url": "https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security", + "categories": [], + "depends_on": [], + "related_to": [], + "notes": "", + "compliance": { + "CIS-2.1": [ + "2.1.14" + ], + "ENS-RD2022": [ + "op.mon.3.r2.az.de.1", + "mp.s.4.r1.az.nt.5" + ], + "MITRE-ATTACK": [ + "T1190" + ], + "CIS-3.0": [ + "3.1.1.1" + ], + "CIS-2.0": [ + "2.1.15" + ] + } + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": 1739539650, + "created_time_dt": "2025-02-14T14:27:30.710664", + "desc": "Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'. The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.", + "product_uid": "prowler", + "title": "Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'", + "types": [], + "uid": "" + }, + "resources": [ + { + "cloud_partition": "AzureCloud", + "region": "global", + "data": { + "details": "", + "metadata": { + "resource_id": "", + "resource_name": "", + "resource_type": "Microsoft.Security/autoProvisioningSettings", + "auto_provision": "Off" + } + }, + "group": { + "name": "defender" + }, + "labels": [], + "name": "", + "type": "AzureDefenderPlan", + "uid": "" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "cloud": { + "account": { + "name": "", + "type": "Azure AD Account", + "type_id": 6, + "uid": "", + "labels": [] + }, + "org": { + "name": "", + "uid": "" + }, + "provider": "azure", + "region": "global" + }, + "remediation": { + "desc": "Ensure comprehensive visibility into possible security vulnerabilities, including missing updates, misconfigured operating system security settings, and active threats, allowing for timely mitigation and improved overall security posture", + "references": [ + "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/SecurityCenter/automatic-provisioning-of-monitoring-agent.html", + "https://learn.microsoft.com/en-us/azure/defender-for-cloud/monitoring-components" + ] + }, + "risk_details": "Missing critical security information about your Azure VMs, such as security alerts, security recommendations, and change tracking.", + "time": 1739539650, + "time_dt": "2025-02-14T14:27:30.710664", + "type_uid": 200401, + "type_name": "Detection Finding: Create" + }, + { + "message": "Container image scan is disabled in subscription .", + "metadata": { + "event_code": "defender_container_images_scan_enabled", + "product": { + "name": "Prowler", + "uid": "prowler", + "vendor_name": "Prowler", + "version": "5.4.0" + }, + "profiles": [ + "cloud", + "datetime" + ], + "tenant_uid": "", + "version": "1.4.0" + }, + "severity_id": 3, + "severity": "Medium", + "status": "New", + "status_code": "FAIL", + "status_detail": "Container image scan is disabled in subscription .", + "status_id": 1, + "unmapped": { + "related_url": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-check-health", + "categories": [], + "depends_on": [], + "related_to": [], + "notes": "When using an Azure container registry, you might occasionally encounter problems. For example, you might not be able to pull a container image because of an issue with Docker in your local environment. Or, a network issue might prevent you from connecting to the registry.", + "compliance": { + "MITRE-ATTACK": [ + "T1190", + "T1525" + ] + } + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": 1739539650, + "created_time_dt": "2025-02-14T14:27:30.710664", + "desc": "Scan images being deployed to Azure (AKS) for vulnerabilities. Vulnerability scanning for images stored in Azure Container Registry is generally available in Azure Security Center. This capability is powered by Qualys, a leading provider of information security. When you push an image to Container Registry, Security Center automatically scans it, then checks for known vulnerabilities in packages or dependencies defined in the file. When the scan completes (after about 10 minutes), Security Center provides details and a security classification for each vulnerability detected, along with guidance on how to remediate issues and protect vulnerable attack surfaces.", + "product_uid": "prowler", + "title": "Ensure Image Vulnerability Scanning using Azure Defender image scanning or a third party provider", + "types": [], + "uid": "prowler-azure-defender_container_images_scan_enabled--global-Dender plan for Containers" + }, + "resources": [ + { + "cloud_partition": "AzureCloud", + "region": "global", + "data": { + "details": "", + "metadata": { + "resource_id": "", + "pricing_tier": "Free", + "free_trial_remaining_time": 2592000.0, + "extensions": {} + } + }, + "group": { + "name": "defender" + }, + "labels": [], + "name": "", + "type": "Microsoft.Security", + "uid": "" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "cloud": { + "account": { + "name": "", + "type": "Azure AD Account", + "type_id": 6, + "uid": "", + "labels": [] + }, + "org": { + "name": "", + "uid": "" + }, + "provider": "azure", + "region": "global" + }, + "remediation": { + "desc": "", + "references": [ + "https://learn.microsoft.com/en-us/azure/container-registry/scan-images-defender" + ] + }, + "risk_details": "Vulnerabilities in software packages can be exploited by hackers or malicious users to obtain unauthorized access to local cloud resources. Azure Defender and other third party products allow images to be scanned for known vulnerabilities.", + "time": 1739539650, + "time_dt": "2025-02-14T14:27:30.710664", + "type_uid": 200401, + "type_name": "Detection Finding: Create" + }, + { + "message": "Defender plan Defender for App Services from subscription is set to OFF (pricing tier not standard).", + "metadata": { + "event_code": "defender_ensure_defender_for_app_services_is_on", + "product": { + "name": "Prowler", + "uid": "prowler", + "vendor_name": "Prowler", + "version": "5.4.0" + }, + "profiles": [ + "cloud", + "datetime" + ], + "tenant_uid": "", + "version": "1.4.0" + }, + "severity_id": 4, + "severity": "High", + "status": "New", + "status_code": "FAIL", + "status_detail": "Defender plan Defender for App Services from subscription is set to OFF (pricing tier not standard).", + "status_id": 1, + "unmapped": { + "related_url": "", + "categories": [], + "depends_on": [], + "related_to": [], + "notes": "", + "compliance": { + "CIS-2.1": [ + "2.1.2" + ], + "ENS-RD2022": [ + "mp.s.4.r1.az.nt.3" + ], + "MITRE-ATTACK": [ + "T1190", + "T1059", + "T1204", + "T1552", + "T1486", + "T1499", + "T1496", + "T1087" + ], + "CIS-3.0": [ + "3.1.6.1" + ] + } + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": 1739539650, + "created_time_dt": "2025-02-14T14:27:30.710664", + "desc": "Ensure That Microsoft Defender for App Services Is Set To 'On' ", + "product_uid": "prowler", + "title": "Ensure That Microsoft Defender for App Services Is Set To 'On' ", + "types": [], + "uid": "" + }, + "resources": [ + { + "cloud_partition": "AzureCloud", + "region": "global", + "data": { + "details": "", + "metadata": { + "resource_id": "", + "pricing_tier": "Free", + "free_trial_remaining_time": 2592000.0, + "extensions": {} + } + }, + "group": { + "name": "defender" + }, + "labels": [], + "name": "", + "type": "AzureDefenderPlan", + "uid": "" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "cloud": { + "account": { + "name": "", + "type": "Azure AD Account", + "type_id": 6, + "uid": "", + "labels": [] + }, + "org": { + "name": "", + "uid": "" + }, + "provider": "azure", + "region": "global" + }, + "remediation": { + "desc": "By , Microsoft Defender for Cloud is not enabled for your App Service instances. Enabling the Defender security service for App Service instances allows for advanced security defense using threat detection capabilities provided by Microsoft Security Response Center.", + "references": [ + "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-azure-defender-is-set-to-on-for-app-service#terraform", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/defender-app-service.html", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/defender-app-service.html" + ] + }, + "risk_details": "Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.", + "time": 1739539650, + "time_dt": "2025-02-14T14:27:30.710664", + "type_uid": 200401, + "type_name": "Detection Finding: Create" + } +] diff --git a/examples/output/example_output_gcp.json b/examples/output/example_output_gcp.ocsf.json similarity index 100% rename from examples/output/example_output_gcp.json rename to examples/output/example_output_gcp.ocsf.json diff --git a/examples/output/example_output_kubernetes.json b/examples/output/example_output_kubernetes.ocsf.json similarity index 100% rename from examples/output/example_output_kubernetes.json rename to examples/output/example_output_kubernetes.ocsf.json From 1c46dd5b539ad5fcc39cea18a9a2396534161079 Mon Sep 17 00:00:00 2001 From: pedrooot Date: Tue, 25 Feb 2025 09:35:57 +0100 Subject: [PATCH 3/5] feat(examples): remove typo --- examples/output/example_output_aws.ocsf.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/output/example_output_aws.ocsf.json b/examples/output/example_output_aws.ocsf.json index dea77b1f22..bf0bee30f6 100644 --- a/examples/output/example_output_aws.ocsf.json +++ b/examples/output/example_output_aws.ocsf.json @@ -93,7 +93,7 @@ "name": "accessanalyzer" }, "labels": [], - "name": "a", + "name": "", "type": "Other", "uid": "" } From 06f11380c5e8fef0e5c99f9824f9623112131593 Mon Sep 17 00:00:00 2001 From: pedrooot Date: Tue, 25 Feb 2025 09:38:10 +0100 Subject: [PATCH 4/5] feat(outputs): disable tests --- .github/workflows/sdk-pull-request.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/sdk-pull-request.yml b/.github/workflows/sdk-pull-request.yml index ecdb7198bb..2eb5ca1f50 100644 --- a/.github/workflows/sdk-pull-request.yml +++ b/.github/workflows/sdk-pull-request.yml @@ -39,6 +39,7 @@ jobs: .backportrc.json .env docker-compose* + examples/** - name: Install poetry if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true' From 0376a41e760a2aa60bac988a4e77981253ad7a3a Mon Sep 17 00:00:00 2001 From: pedrooot Date: Tue, 25 Feb 2025 09:45:06 +0100 Subject: [PATCH 5/5] feat(actions): add gitignore --- .github/workflows/sdk-pull-request.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/sdk-pull-request.yml b/.github/workflows/sdk-pull-request.yml index 2eb5ca1f50..0c41fed126 100644 --- a/.github/workflows/sdk-pull-request.yml +++ b/.github/workflows/sdk-pull-request.yml @@ -40,6 +40,7 @@ jobs: .env docker-compose* examples/** + .gitignore - name: Install poetry if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'