From 8f3229928e62e7476c8cdbbf9b6d06d50c3f4b0f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pedro=20Mart=C3=ADn?= Date: Wed, 18 Dec 2024 15:48:32 +0100 Subject: [PATCH] chore(config): set default values for empty config fields (#6225) --- prowler/config/config.yaml | 4 +- ...certificates_with_secure_key_algorithms.py | 2 +- ...ambda_function_using_supported_runtimes.py | 28 +++++- ...cloudtrail_threat_detection_enumeration.py | 96 ++++++++++++++++++- ...cloudtrail_threat_detection_llm_jacking.py | 18 +++- ...l_threat_detection_privilege_escalation.py | 57 ++++++++++- ...allow_ingress_from_internet_to_any_port.py | 8 +- ...control_plane_logging_all_types_enabled.py | 12 ++- .../apiserver_strong_ciphers_only.py | 9 +- .../kubelet_strong_ciphers_only.py | 15 ++- tests/config/config_test.py | 2 + tests/config/fixtures/config.yaml | 4 +- 12 files changed, 241 insertions(+), 14 deletions(-) diff --git a/prowler/config/config.yaml b/prowler/config/config.yaml index f9641eba56e..775e44cbac5 100644 --- a/prowler/config/config.yaml +++ b/prowler/config/config.yaml @@ -314,10 +314,12 @@ aws: # AWS ACM Configuration # aws.acm_certificates_expiration_check days_to_expire_threshold: 7 - # aws.acm_certificates_rsa_key_length + # aws.acm_certificates_with_secure_key_algorithms insecure_key_algorithms: [ "RSA-1024", + "P-192", + "SHA-1", ] # AWS EKS Configuration diff --git a/prowler/providers/aws/services/acm/acm_certificates_with_secure_key_algorithms/acm_certificates_with_secure_key_algorithms.py b/prowler/providers/aws/services/acm/acm_certificates_with_secure_key_algorithms/acm_certificates_with_secure_key_algorithms.py index 16f19ef061b..1dc788b797d 100644 --- a/prowler/providers/aws/services/acm/acm_certificates_with_secure_key_algorithms/acm_certificates_with_secure_key_algorithms.py +++ b/prowler/providers/aws/services/acm/acm_certificates_with_secure_key_algorithms/acm_certificates_with_secure_key_algorithms.py @@ -17,7 +17,7 @@ def execute(self): report.status = "PASS" report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} uses a secure key algorithm ({certificate.key_algorithm})." if certificate.key_algorithm in acm_client.audit_config.get( - "insecure_algorithms", ["RSA-1024"] + "insecure_key_algorithms", ["RSA-1024", "P-192", "SHA-1"] ): report.status = "FAIL" report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} does not use a secure key algorithm ({certificate.key_algorithm})." diff --git a/prowler/providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.py b/prowler/providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.py index dca9f6ff279..2890d467188 100644 --- a/prowler/providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.py +++ b/prowler/providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.py @@ -1,6 +1,32 @@ from prowler.lib.check.models import Check, Check_Report_AWS from prowler.providers.aws.services.awslambda.awslambda_client import awslambda_client +default_obsolete_lambda_runtimes = [ + "java8", + "go1.x", + "provided", + "python3.6", + "python2.7", + "python3.7", + "nodejs4.3", + "nodejs4.3-edge", + "nodejs6.10", + "nodejs", + "nodejs8.10", + "nodejs10.x", + "nodejs12.x", + "nodejs14.x", + "nodejs16.x", + "dotnet5.0", + "dotnet7", + "dotnetcore1.0", + "dotnetcore2.0", + "dotnetcore2.1", + "dotnetcore3.1", + "ruby2.5", + "ruby2.7", +] + class awslambda_function_using_supported_runtimes(Check): def execute(self): @@ -14,7 +40,7 @@ def execute(self): report.resource_tags = function.tags if function.runtime in awslambda_client.audit_config.get( - "obsolete_lambda_runtimes", [] + "obsolete_lambda_runtimes", default_obsolete_lambda_runtimes ): report.status = "FAIL" report.status_extended = f"Lambda function {function.name} is using {function.runtime} which is obsolete." diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_enumeration/cloudtrail_threat_detection_enumeration.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_enumeration/cloudtrail_threat_detection_enumeration.py index 8b8dfeca406..afc07c1b265 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_enumeration/cloudtrail_threat_detection_enumeration.py +++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_enumeration/cloudtrail_threat_detection_enumeration.py @@ -5,6 +5,99 @@ cloudtrail_client, ) +default_threat_detection_enumeration_actions = [ + "DescribeAccessEntry", + "DescribeAccountAttributes", + "DescribeAvailabilityZones", + "DescribeBundleTasks", + "DescribeCarrierGateways", + "DescribeClientVpnRoutes", + "DescribeCluster", + "DescribeDhcpOptions", + "DescribeFlowLogs", + "DescribeImages", + "DescribeInstanceAttribute", + "DescribeInstanceInformation", + "DescribeInstanceTypes", + "DescribeInstances", + "DescribeInstances", + "DescribeKeyPairs", + "DescribeLogGroups", + "DescribeLogStreams", + "DescribeOrganization", + "DescribeRegions", + "DescribeSecurityGroups", + "DescribeSnapshotAttribute", + "DescribeSnapshotTierStatus", + "DescribeSubscriptionFilters", + "DescribeTransitGatewayMulticastDomains", + "DescribeVolumes", + "DescribeVolumesModifications", + "DescribeVpcEndpointConnectionNotifications", + "DescribeVpcs", + "GetAccount", + "GetAccountAuthorizationDetails", + "GetAccountSendingEnabled", + "GetBucketAcl", + "GetBucketLogging", + "GetBucketPolicy", + "GetBucketReplication", + "GetBucketVersioning", + "GetCallerIdentity", + "GetCertificate", + "GetConsoleScreenshot", + "GetCostAndUsage", + "GetDetector", + "GetEbsDefaultKmsKeyId", + "GetEbsEncryptionByDefault", + "GetFindings", + "GetFlowLogsIntegrationTemplate", + "GetIdentityVerificationAttributes", + "GetInstances", + "GetIntrospectionSchema", + "GetLaunchTemplateData", + "GetLaunchTemplateData", + "GetLogRecord", + "GetParameters", + "GetPolicyVersion", + "GetPublicAccessBlock", + "GetQueryResults", + "GetRegions", + "GetSMSAttributes", + "GetSMSSandboxAccountStatus", + "GetSendQuota", + "GetTransitGatewayRouteTableAssociations", + "GetUserPolicy", + "HeadObject", + "ListAccessKeys", + "ListAccounts", + "ListAllMyBuckets", + "ListAssociatedAccessPolicies", + "ListAttachedUserPolicies", + "ListClusters", + "ListDetectors", + "ListDomains", + "ListFindings", + "ListHostedZones", + "ListIPSets", + "ListIdentities", + "ListInstanceProfiles", + "ListObjects", + "ListOrganizationalUnitsForParent", + "ListOriginationNumbers", + "ListPolicyVersions", + "ListRoles", + "ListRoles", + "ListRules", + "ListServiceQuotas", + "ListSubscriptions", + "ListTargetsByRule", + "ListTopics", + "ListUsers", + "LookupEvents", + "Search", +] + class cloudtrail_threat_detection_enumeration(Check): def execute(self): @@ -16,7 +109,8 @@ def execute(self): "threat_detection_enumeration_minutes", 1440 ) enumeration_actions = cloudtrail_client.audit_config.get( - "threat_detection_enumeration_actions", [] + "threat_detection_enumeration_actions", + default_threat_detection_enumeration_actions, ) potential_enumeration = {} found_potential_enumeration = False diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_llm_jacking/cloudtrail_threat_detection_llm_jacking.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_llm_jacking/cloudtrail_threat_detection_llm_jacking.py index 0dd77c4463c..c825c4563d1 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_llm_jacking/cloudtrail_threat_detection_llm_jacking.py +++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_llm_jacking/cloudtrail_threat_detection_llm_jacking.py @@ -5,6 +5,21 @@ cloudtrail_client, ) +default_threat_detection_llm_jacking_actions = [ + "PutUseCaseForModelAccess", + "PutFoundationModelEntitlement", + "PutModelInvocationLoggingConfiguration", + "CreateFoundationModelAgreement", + "InvokeModel", + "InvokeModelWithResponseStream", + "GetUseCaseForModelAccess", + "GetModelInvocationLoggingConfiguration", + "GetFoundationModelAvailability", + "ListFoundationModelAgreementOffers", + "ListFoundationModels", + "ListProvisionedModelThroughputs", +] + class cloudtrail_threat_detection_llm_jacking(Check): def execute(self): @@ -16,7 +31,8 @@ def execute(self): "threat_detection_llm_jacking_minutes", 1440 ) llm_jacking_actions = cloudtrail_client.audit_config.get( - "threat_detection_llm_jacking_actions", [] + "threat_detection_llm_jacking_actions", + default_threat_detection_llm_jacking_actions, ) potential_llm_jacking = {} found_potential_llm_jacking = False diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_privilege_escalation/cloudtrail_threat_detection_privilege_escalation.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_privilege_escalation/cloudtrail_threat_detection_privilege_escalation.py index 676dde026fc..baea0a0af9d 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_privilege_escalation/cloudtrail_threat_detection_privilege_escalation.py +++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_privilege_escalation/cloudtrail_threat_detection_privilege_escalation.py @@ -5,6 +5,60 @@ cloudtrail_client, ) +default_threat_detection_privilege_escalation_actions = [ + "AddPermission", + "AddRoleToInstanceProfile", + "AddUserToGroup", + "AssociateAccessPolicy", + "AssumeRole", + "AttachGroupPolicy", + "AttachRolePolicy", + "AttachUserPolicy", + "ChangePassword", + "CreateAccessEntry", + "CreateAccessKey", + "CreateDevEndpoint", + "CreateEventSourceMapping", + "CreateFunction", + "CreateGroup", + "CreateJob", + "CreateKeyPair", + "CreateLoginProfile", + "CreatePipeline", + "CreatePolicyVersion", + "CreateRole", + "CreateStack", + "DeleteRolePermissionsBoundary", + "DeleteRolePolicy", + "DeleteUserPermissionsBoundary", + "DeleteUserPolicy", + "DetachRolePolicy", + "DetachUserPolicy", + "GetCredentialsForIdentity", + "GetId", + "GetPolicyVersion", + "GetUserPolicy", + "Invoke", + "ModifyInstanceAttribute", + "PassRole", + "PutGroupPolicy", + "PutPipelineDefinition", + "PutRolePermissionsBoundary", + "PutRolePolicy", + "PutUserPermissionsBoundary", + "PutUserPolicy", + "ReplaceIamInstanceProfileAssociation", + "RunInstances", + "SetDefaultPolicyVersion", + "UpdateAccessKey", + "UpdateAssumeRolePolicy", + "UpdateDevEndpoint", + "UpdateEventSourceMapping", + "UpdateFunctionCode", + "UpdateJob", + "UpdateLoginProfile", +] + class cloudtrail_threat_detection_privilege_escalation(Check): def execute(self): @@ -16,7 +70,8 @@ def execute(self): "threat_detection_privilege_escalation_minutes", 1440 ) privilege_escalation_actions = cloudtrail_client.audit_config.get( - "threat_detection_privilege_escalation_actions", [] + "threat_detection_privilege_escalation_actions", + default_threat_detection_privilege_escalation_actions, ) potential_privilege_escalation = {} diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port.py index b9b504e6c43..ec232aa6983 100644 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port.py @@ -58,24 +58,24 @@ def check_enis( report.status_extended = f"Security group {security_group_name} ({security_group_id}) has at least one port open to the Internet but it is not attached to any network interface." for eni in enis: if eni.type in ec2_client.audit_config.get( - "ec2_allowed_interface_types", [] + "ec2_allowed_interface_types", ["api_gateway_managed", "vpc_endpoint"] ): report.status = "PASS" report.status_extended = f"Security group {security_group_name} ({security_group_id}) has at least one port open to the Internet and it is attached to an allowed network interface type ({eni.type})." continue if eni.attachment.instance_owner_id in ec2_client.audit_config.get( - "ec2_allowed_instance_owners", [] + "ec2_allowed_instance_owners", ["amazon-elb"] ): report.status = "PASS" report.status_extended = f"Security group {security_group_name} ({security_group_id}) has at least one port open to the Internet and it is attached to an allowed network interface instance owner ({eni.attachment.instance_owner_id})." continue if eni.type not in ec2_client.audit_config.get( - "ec2_allowed_interface_types", [] + "ec2_allowed_interface_types", ["api_gateway_managed", "vpc_endpoint"] ): report.status = "FAIL" report.status_extended = f"Security group {security_group_name} ({security_group_id}) has at least one port open to the Internet but its network interface type ({eni.type}) is not allowed." elif eni.attachment.instance_owner_id not in ec2_client.audit_config.get( - "ec2_allowed_instance_owners", [] + "ec2_allowed_instance_owners", ["amazon-elb"] ): report.status = "FAIL" report.status_extended = f"Security group {security_group_name} ({security_group_id}) has at least one port open to the Internet but its network interface instance owner ({eni.attachment.instance_owner_id}) is not allowed." diff --git a/prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.py b/prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.py index ef030cd6db5..f2f465db1df 100644 --- a/prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.py +++ b/prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.py @@ -1,11 +1,21 @@ from prowler.lib.check.models import Check, Check_Report_AWS from prowler.providers.aws.services.eks.eks_client import eks_client +default_eks_required_log_types = [ + "api", + "audit", + "authenticator", + "controllerManager", + "scheduler", +] + class eks_control_plane_logging_all_types_enabled(Check): def execute(self): findings = [] - required_log_types = eks_client.audit_config.get("eks_required_log_types", []) + required_log_types = eks_client.audit_config.get( + "eks_required_log_types", default_eks_required_log_types + ) required_log_types_str = ", ".join(required_log_types) for cluster in eks_client.clusters: diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_strong_ciphers_only/apiserver_strong_ciphers_only.py b/prowler/providers/kubernetes/services/apiserver/apiserver_strong_ciphers_only/apiserver_strong_ciphers_only.py index 7248261b45c..ddfa05ddde0 100644 --- a/prowler/providers/kubernetes/services/apiserver/apiserver_strong_ciphers_only/apiserver_strong_ciphers_only.py +++ b/prowler/providers/kubernetes/services/apiserver/apiserver_strong_ciphers_only/apiserver_strong_ciphers_only.py @@ -3,6 +3,12 @@ apiserver_client, ) +default_apiserver_strong_ciphers = [ + "TLS_AES_128_GCM_SHA256", + "TLS_AES_256_GCM_SHA384", + "TLS_CHACHA20_POLY1305_SHA256", +] + class apiserver_strong_ciphers_only(Check): def execute(self) -> Check_Report_Kubernetes: @@ -25,7 +31,8 @@ def execute(self) -> Check_Report_Kubernetes: .split(",") .issubset( apiserver_client.audit_config.get( - "apiserver_strong_ciphers", [] + "apiserver_strong_ciphers", + default_apiserver_strong_ciphers, ) ) ): diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_strong_ciphers_only/kubelet_strong_ciphers_only.py b/prowler/providers/kubernetes/services/kubelet/kubelet_strong_ciphers_only/kubelet_strong_ciphers_only.py index 4e873eb2920..a8a53d8e17b 100644 --- a/prowler/providers/kubernetes/services/kubelet/kubelet_strong_ciphers_only/kubelet_strong_ciphers_only.py +++ b/prowler/providers/kubernetes/services/kubelet/kubelet_strong_ciphers_only/kubelet_strong_ciphers_only.py @@ -1,6 +1,17 @@ from prowler.lib.check.models import Check, Check_Report_Kubernetes from prowler.providers.kubernetes.services.kubelet.kubelet_client import kubelet_client +default_kubelet_strong_ciphers = [ + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_RSA_WITH_AES_256_GCM_SHA384", + "TLS_RSA_WITH_AES_128_GCM_SHA256", +] + class kubelet_strong_ciphers_only(Check): def execute(self) -> Check_Report_Kubernetes: @@ -15,7 +26,9 @@ def execute(self) -> Check_Report_Kubernetes: report.status_extended = f"Kubelet does not have the argument `tlsCipherSuites` in config file {cm.name}, verify it in the node's arguments." else: if cm.kubelet_args["tlsCipherSuites"].issubset( - kubelet_client.audit_config.get("kubelet_strong_ciphers", []) + kubelet_client.audit_config.get( + "kubelet_strong_ciphers", default_kubelet_strong_ciphers + ) ): report.status = "PASS" report.status_extended = f"Kubelet is configured with strong cryptographic ciphers in config file {cm.name}." diff --git a/tests/config/config_test.py b/tests/config/config_test.py index 14e0077a88e..6ae22e99c14 100644 --- a/tests/config/config_test.py +++ b/tests/config/config_test.py @@ -296,6 +296,8 @@ def mock_prowler_get_latest_release(_, **kwargs): "days_to_expire_threshold": 7, "insecure_key_algorithms": [ "RSA-1024", + "P-192", + "SHA-1", ], "eks_required_log_types": [ "api", diff --git a/tests/config/fixtures/config.yaml b/tests/config/fixtures/config.yaml index 0994a496dc2..fda3de68e5b 100644 --- a/tests/config/fixtures/config.yaml +++ b/tests/config/fixtures/config.yaml @@ -312,10 +312,12 @@ aws: # AWS ACM Configuration # aws.acm_certificates_expiration_check days_to_expire_threshold: 7 - # aws.acm_certificates_rsa_key_length + # aws.acm_certificates_with_secure_key_algorithms insecure_key_algorithms: [ "RSA-1024", + "P-192", + "SHA-1", ] # AWS EKS Configuration