Releases: prowler-cloud/prowler

Prowler 2.6.1

15 Nov 17:55
d272fad

What's Changed

  • e4edb5e - Enhancement IAM assumed role session duration error handling by @jfagoagas
  • 3e78f01 - Fix Terraform Kickstarter path in README by @z0ph
  • cee6437 - Fix issue #926 resource id and remediation typo
  • b251f31 - Fix issue #925 replace sensible by sensitive in multiple checks
  • 50de9f2 - Fix output for checks check3x when no CW group is in place
  • a6ba580 - Fix severity case variable

New Contributors

Full Changelog: 2.6.0...2.6.1

Prowler 2.6.0 - Phantom

12 Nov 11:10

This release name is in honor of Phantom of the Opera, one of my favorite songs and a masterpiece by 🔥Iron Maiden🔥. It starts with "I've been lookin' so long for you now", just like looking for security issues, isn't it? 🤘🏼 Enjoy it here while reading the rest of this note.

Important changes in this version:

New Features:

  • 12 new checks for efs, redshift, elb, dynamodb, route53, cloudformation and apigateway:
    7.148 [extra7148] Check if EFS File systems have backup enabled - efs [Medium]
    7.149 [extra7149] Check if Redshift Clusters have automated snapshots enabled - redshift [Medium]
    7.150 [extra7150] Check if Elastic Load Balancers have deletion protection enabled - elb [Medium]
    7.151 [extra7151] Check if DynamoDB tables point-in-time recovery (PITR) is enabled - dynamodb [Medium]
    7.152 [extra7152] Enable Privacy Protection for a Route53 Domain - route53 [Medium]
    7.153 [extra7153] Enable Transfer Lock for a Route53 Domain - route53 [Medium]
    7.154 [extra7154] Enable termination protection for Cloudformation Stacks - cloudformation [Medium]
    7.155 [extra7155] Check whether the Application Load Balancer is configured with defensive or strictest desync mitigation mode - elb [Medium]
    7.156 [extra7156] Checks if API Gateway V2 has Access Logging enabled - apigateway [Medium]
    7.157 [extra7157] Check if API Gateway V2 has configured authorizers - apigateway [Medium]
    7.158 [extra7158] Check if ELBV2 has listeners underneath - elb [Medium]
    7.159 [extra7159] Check if ELB has listeners underneath - elb [Medium]

Enhancements:

Fixes:

New Contributors

Full Changelog: 2.5.0...2.6.0

Thank you all for your contributions, the Prowler community is awesome! 🥳

Prowler 2.5.0 - Senjutsu

13 Aug 08:12

This new version was planned to celebrate AWS re:Inforce, which would have taken place on August 24th and 25th but has been cancelled, and the new Iron Maiden studio album (Senjutsu), to be released on September 3rd 2021. In any case, enjoy this new version. More cool stuff coming soon!

Prowler would have been present at the re:Inforce 2021 conference with a highly anticipated workshop called "Building Prowler into a QuickSight powered AWS security dashboard". Templates and the workshop link will be made public soon. For updates follow me on Twitter: https://twitter.com/ToniBlyx.

As Prowler keeps growing in user base and downloads (averaging 1400 clones/day), there are more contributions, and I want to thank you all for your feedback and code. Please keep contributing to make the Internet more secure.

New Features:

Please read these new features and changes carefully (for the CSV output, and also for the improved data in the JSON ASFF output used by the Security Hub integration): if you have integrations that consume the CSV output, they may be affected.

  • New CSV headers, added PROWLER_START_TIME:
    PROFILE{SEP}ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,ITEM_SCORED,ITEM_LEVEL,TITLE_TEXT,CHECK_RESULT_EXTENDED,CHECK_ASFF_COMPLIANCE_TYPE,CHECK_SEVERITY,CHECK_SERVICENAME,CHECK_ASFF_RESOURCE_TYPE,CHECK_ASFF_TYPE,CHECK_RISK,CHECK_REMEDIATION,CHECK_DOC,CHECK_CAF_EPIC,CHECK_RESOURCE_ID,PROWLER_START_TIME.
  • 14 new checks (@jfagoagas, @nayabpatel, @Outrun207 and @pablopagani):
    7.134 [extra7134] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to FTP ports 20 or 21 - ec2 [High]
    7.135 [extra7135] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Kafka port 9092 - ec2 [High]
    7.136 [extra7136] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Telnet port 23 - ec2 [High]
    7.137 [extra7137] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Windows SQL Server ports 1433 or 1434 - ec2 [High]
    7.138 [extra7138] Ensure no Network ACLs allow ingress from 0.0.0.0/0 to any port - ec2 [High]
    7.139 [extra7139] There are High severity GuardDuty findings - guardduty [High]
    7.140 [extra7140] Check if there are SSM Documents set as public - ssm [High]
    7.141 [extra7141] Find secrets in SSM Documents - ssm [Critical]
    7.142 [extra7142] Check if Application Load Balancer is dropping invalid packets to prevent header based http request smuggling - elb [Medium]
    7.143 [extra7143] Check if EFS have policies which allow access to everyone - efs [Critical]
    7.144 [extra7144] Check if CloudWatch has allowed cross-account sharing - cloudwatch [Medium]
    7.145 [extra7145] Check if Lambda functions have policies which allow access to any AWS account - lambda [Critical]
    7.146 [extra7146] Check if there is any unassigned Elastic IP - ec2 [Low]
    7.147 [extra7147] Check if S3 Glacier vaults have policies which allow access to everyone - glacier [Critical]
  • Docker images are available in the official ECR at https://gallery.ecr.aws/prowler/prowler (this helps if you run Prowler with Fargate). Images at https://hub.docker.com/r/toniblyx/prowler won't be updated.
  • Now, when using the -M option, Prowler still shows standard output while saving the requested reports in the background
  • Added code for a better experience running Prowler in AWS CloudShell @hackersifu
  • Added support for a custom output folder and S3 bucket (see ./prowler -h for details), uploading with the bucket-owner-full-control ACL.
  • Added support for a custom output file (see ./prowler -h for details) @yangsec888
  • Added servicename to the ASFF title; it is also used by the QuickSight dashboard
  • Added resourceid and more metadata to the ASFF file to be imported into Security Hub @singergs
  • Added required s3 and glue permissions and removed obsolete ones
  • Added section with info about regions in README.md
  • Added WAF CLASSIC check for extra7129 @kamiryo
  • Added severity and servicename to the default output, removed blue color on check ID.
  • Removed duplicated checks extra756 and extra737 @w0rmr1d3r

Enhancements:

  • HTML report: filtering and other nice things @nickmalcolm
  • License file and banner consolidation
  • Now the default output is shown regardless of the custom outputs requested with -M
  • Cleaned up check titles by removing CIS-related info (like "scored", etc.; CIS support remains in Prowler)
  • Updated Docker image to Alpine 3.13 and added py3-pip to the Dockerfile @gliptak
  • Improved error handling for sts get-caller-identity @pablopagani
  • Improved error handling when listing regions @pablopagani
  • Updated html report color contrast for WCAG 2.1 accessibility standards @danielperez660
  • Updated Prowler additions policy
  • Updated check12 - Missing MFA at the beginning of remediation @thorkill
  • Removed CSV header in stdout
  • Updated README to include reference to CloudShell https://github.com/toniblyx/prowler/tree/2.5/util/cloudshell @hackersifu
  • Updated README with better coverage of -f <filterregion> usage info

Fixes:

  • Fixed Security Hub integration error: resource type is always empty #776
  • Fixed credential renewal breaking on Alpine Linux #775
  • Fixed check extra747 grammar #774
  • Fixed grammar issue in scoring @w0rmr1d3r
  • Fixed check21 to fail if trail is off
  • Fixed aws organizations multi-account deployment s3 upload issue @owlvat
  • Corrected bug on groups when listing checks @pablopagani
  • Fixed issue #811 @h1008
  • Fixed kms keys compatibility in cli v2 and v1 @dbellizzi
  • Fixed typo in check extra7141 ID
  • Fixed alias of extra7139
  • Fixed link to doc for check45 check46 extra7138 and extras

*If you have made a contribution to this release and I missed your GitHub id here, my apologies; please let me know so I can include you. Thank you!

Prowler 2.4.1

15 Apr 08:23
583cffa

Fixes

Fixed Security Hub integration error: resource type is always empty #776
Fixed credential renewal breaking on Alpine Linux #775
Fixed check extra747 grammar #774

Prowler 2.4.0

09 Apr 14:55
b0fd6ce

New version, new logo and new features, many community contributions, fixes and improvements.

Thanks to all the community for the continuous effort, contributing in many ways, including code and feedback. Prowler is being used by thousands of users and making your cloud infrastructure more secure. THANK YOU.

New Features:

Please read these new features and changes carefully (mostly CSV output changes): if you have integrations, they may be affected.

Added Risk, Remediation, Link to doc and CAF security epics to controls @pablopagani
Added support for new fields Risk, Remediation, Link to doc and CAF security epics to CSV and HTML outputs. New fields are:
PROFILE,ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,ITEM_SCORED,ITEM_LEVEL,TITLE_TEXT,CHECK_RESULT_EXTENDED,CHECK_ASFF_COMPLIANCE_TYPE,CHECK_SEVERITY,CHECK_SERVICENAME,CHECK_ASFF_RESOURCE_TYPE,CHECK_ASFF_TYPE,CHECK_RISK,CHECK_REMEDIATION,CHECK_DOC,CHECK_CAF_EPIC
Added severity field to CSV and HTML output reports
Added new logo, screenshots and improved documentation sections
Added -N <shodan_api_key> support for extra7102
Added [extra736] Check exposed KMS keys to group internet-exposed
Added [extra798] Check if Lambda functions have resource-based policy set as Public
Added [extra799] Check if Security Hub is enabled and its standard subscriptions
Added 4 new EKS checks @jonjozwiak
Added access checks for several checks @zfLQ2qx2
Added additional checks to HIPAA group @gchib297
Added additional GDPR checks to GDPR group @gchib297
Added all new Sagemaker checks to extras
Added allow list All findings in single view in html report
Added AWS partition variable to the ASFF output format
Added AWS service name to json, csv and html outputs
Added back extra798
Added better handling of permissions and errors
Added CFN template helper for role
Added check extra7113
Added check extra798 to gdpr and pci groups @gchib297
Added check extra798 to iso27001 @gchib297
Added check extra798 to PCI
Added check for AccessDenied when calling GetBucketLocation in extra73,extra734,extra764 @zfLQ2qx2
Added Check for errors generating credential report, limit loop iterations @zfLQ2qx2
Added check for RDS enhanced monitoring @mpratsch
Added check if Enhanced monitoring is enabled on RDS instances
Added check23 to group17_internetexposed group @RyanJarv
Added check7130 to group7_extras and Fixed some issues
Added checks about EKS to groups internet-exposed and forensics
Added CodeBuild deployment section
Added CodeBuild template original from @stevecjones
Added coreutils to Dockerfile
Added EKS checks to eks-cis and extras group @jonjozwiak
Added Enable Security Hub official integration @toniblyx
Added ENS group with new checks
Added extra7102 ElasticIP Shodan integration
Added extra7102 to groups extras and internetexposed
Added extra7113: Check RDS deletion protection
Added extra7113: Check RDS instances deletion protection @gchib297
Added extra7133 RDS multi-AZ
Added extra796 EKS control plane access to internet-exposed group
Added extra799 and extra7100 to group extras
Added FFIEC cybersecurity assessment group @gchib297
Added Fixed to generate test summary so reports display graphs correctly @stevecjones
Added get_regions function in order to call after assume_role @HG00
Added GetFindings action to example IAM policy for Security Hub
Added additional Glue checks @dlpzx
Added Glue checks part 1 @ramondiez
Added GovCloud usage information
Added group for ENS Spanish Esquema Nacional de Seguridad
Added group for pci-dss as reference
Added group internet-exposed
Added group18 for ISO27001 thanks to @gchib297 issue #637
Added high level architecture
Added html to -M in usage
Added IAM to extra7100 title
Added latest checks to extras group
Added more checks mappings to ISO27001 group and reordered the list @mario-platt
Added New 7 checks required for ENS
Added new check [extra7101] Check if Amazon Elasticsearch Service (ES) domains have audit logging enabled
Added New check 7.98 [extra798] Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *) @nickmalcolm
Added new check extra_7130 to check encryption of a SNS topic @mpratsch
Added new check extra7131 RDS minor version upgrade
Added new check extra793 for SSL listeners on load balancers @jonjozwiak
Added new extras check (7130) to check encryption of a SNS topic
Added New group for Sagemaker with 10 new controls
Added parameters and made the template parameterised @pacohope
Added Refresh assumed role credentials to avoid role chaining limitations @michael-dickinson-sainsburys
Added script to generate html report from multiple csv outputs
Added service name to all checks
Added service name to sample check
Added session duration option up to 12h
Added sleep to extra7102 to avoid Shodan API limits
Added SOC2 compliance group @gchib297
Added start build automatically
Added Support custom folder checks when running all checks @xeroxnir
Added support to run inside AWS CloudShell
Added Whitelist feature improvements @QuinnStevens

Enhancements:

Enhanced Accept current most restrictive TLSv1.2-only ALB security policy as secure
Enhanced Adapt check119 to exclude instances shutting down @stku1985
Enhanced Additional check for location of awscli @zfLQ2qx2
Enhanced Adjusted severity like in Security Hub @xeroxnir
Enhanced Allow list checks and groups without credentials
Enhanced better handle permissions and errors
Enhanced Catch errors assuming role and describing regions @zfLQ2qx2
Enhanced check extra740: reworked to consider all snapshots, use JMESPath query @pacohope
Enhanced check extra792 to accept current most restrictive TLSv1.2 @bazbremner
Enhanced check119 to exclude instances shutting-down @stku1985
Enhanced clear AWS_DEFAULT_OUTPUT on start @zfLQ2qx2
Enhanced Cloudtrail metrics (check3x) pass if found on any, not every, cloudtrail log @zfLQ2qx2
Enhanced CodeBuild CFN template with scheduler and documentation
Enhanced documentation about SecurityHub integration and region filter
Enhanced Ensure check28 only looks at symmetric keys
Enhanced Ensure that checks are sorted numerically when listing checks @marcjay
Enhanced Ensures JSON is the default AWS command output.
Enhanced error handling without credentials
Enhanced extra7102 increased severity to medium
Enhanced extra792 skip check if no HTTPS/SSL Listener plus Added NLB Support @jonjozwiak
Enhanced feature to refresh assume role credentials before it expires
Enhanced Force default AWS CLI output issue #696 @Kirizan
Enhanced Handle shadow CloudTrails more gracefully in checks check21,check22,check24,check27 @zfLQ2qx2
Enhanced html output with scoring information, risk, remediation, doc link and CAF security epics.
Enhanced Implement OS neutral method of converting rfc3339 dates to epoch @zfLQ2qx2
Enhanced In CSV output, changed the NOTES field header to CHECK_RESULT_EXTENDED. New CSV header looks like:
Enhanced PublicIP discovery used in Shodan check_extra7102 @as-km
Enhanced reduce needed actions in additions policy @tekdj7
Enhanced Removed textInfo extra information on extra712
Enhanced Security Hub integration @xeroxnir
Enhanced Security Hub integration improvement and Added severity for checks @xeroxnir
Enhanced Security Hub: Mark as ARCHIVED + Fixed race condition @xeroxnir
Enhanced Updated ProwlerExecRoleAdditionalViewPrivileges Policy with lambda:GetFunction
Enhanced Use describe-network-interfaces instead of describe-addresses in order to get public IPs #768
Enhanced whitelisting to allow regexes and fuzzy/strict matching
Enhanced Adjusted severity of secrets and Shodan checks

Fixes:

Fixed account id in output file name
Fixed changes made in check27
Fixed check extra73 fail message omits bucket name @zfLQ2qx2
Fixed check for public rds instances
Fixed check_extra7107 condition
Fixed check_extra7116 and check_extra7117
Fixed check12 bug: removed $ from grep
Fixed check12 when MFA is enabled and user contains true in the name @xeroxnir
Fixed date command for busybox @zfLQ2qx2
Fixed don't fail check extra737 for keys scheduled for deletion
Fixed EKS related checks regarding us-west-1 @njgibbon
Fixed error handling for SubscriptionRequiredException in extra77
Fixed execute_group_by_id @xeroxnir
Fixed extra7103 parser error
Fixed extra7108 parser error
Fixed extra7110 title
Fixed extra7111 parser error
Fixed extra7116 extra7117 outputs and added to extras @ramondiez
Fixed extra737 now doesn't fail for keys scheduled for deletion @QuinnStevens
Fixed for busybox date command
Fixed for check_extra764 @grzegorznittner
Fixed for issue 713
Fixed FreeBSD $OSTYPE check @ring-pete
Fixed getopts OPTARG for custom checks @xeroxnir
Fixed include lambda:GetFunction in prowler policy to check AWS Lambda related controls: extra720,extra759,extra760,extra762,extra798
Fixed Include missing AWS function lambda:GetFunction policy in prowler-additions-policy.json to check AWS Lambda @jfagoagas
Fixed issue #624 ID of check_extra792
Fixed issue #659
Fixed issue assuming role in regions with STS disabled
Fixed issue in extra776 when ECR Scanning imageDigest @adamcanzuk
Fixed listing CloudFormation stacks if default output format is not JSON
Fixed listing configurations if default output format is not JSON check119,extra742,extra75 and extra772 @Anthirian
Fixed listing EC2 instances if default output format is not JSON
Fixed li...


Prowler 2.3.0-18122020

18 Dec 12:11
Label version 2.3.0-18122020

Prowler 2.3.0RC

06 May 22:55
Prowler 2.3.0RC Pre-release

List of Contributors for this release:

This new version of Prowler wouldn't be possible without you all. Thanks!

Marc Jay
Urjit Singh Bhatia
Philipp Zeuner
Ngọ Anh Đức
Patrick Downey
Nimrod Kor and the Bridgecrewio guys
Huang Yaming
Marcel Beck
Faraz Angabini
Kasprzykowski
Alex Gray
nalansitan
jonjozwiak
dhirajdatar
Julio Delgado Jr
He.Longfei
Christopher Morrow

Reach out to me on Twitter @toniblyx if you have contributed to this release and have been missed, sorry about that!

New features:

Other improvements:

New checks:

  • 7.75 [extra775] Find secrets in EC2 Auto Scaling Launch Configuration (Not Scored) (Not part of CIS benchmark) [extras, secrets]
  • 7.76 [extra776] Check if ECR image scan found vulnerabilities in the newest image version (Not Scored) (Not part of CIS benchmark) [extras]
  • 7.77 [extra777] Find VPC security groups with many ingress or egress rules (Not Scored) (Not part of CIS benchmark) [extras]
  • 7.78 [extra778] Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918) (Not Scored) (Not part of CIS benchmark) [extras]
  • 7.79 [extra779] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana ports [extras, elasticsearch]
  • 7.80 [extra780] Check if Amazon Elasticsearch Service (ES) domains has Amazon Cognito authentication for Kibana enabled [extras, elasticsearch]
  • 7.81 [extra781] Check if Amazon Elasticsearch Service (ES) domains has encryption at-rest enabled [extras, elasticsearch]
  • 7.82 [extra782] Check if Amazon Elasticsearch Service (ES) domains has node-to-node encryption enabled [extras, elasticsearch]
  • 7.83 [extra783] Check if Amazon Elasticsearch Service (ES) domains has enforce HTTPS enabled [extras, elasticsearch]
  • 7.84 [extra784] Check if Amazon Elasticsearch Service (ES) domains internal user database enabled [extras, elasticsearch]
  • 7.85 [extra785] Check if Amazon Elasticsearch Service (ES) domains have updates available [extras, elasticsearch]
  • 7.86 [extra786] Check if EC2 Instance Metadata Service Version 2 (IMDSv2) is Enabled and Required (Not Scored) (Not part of CIS benchmark) [extras]
  • 7.87 [extra787] Check connection and authentication for Internet exposed Elasticsearch/Kibana ports [extras, elasticsearch]
  • 7.88 [extra788] Check connection and authentication for Internet exposed Amazon Elasticsearch Service (ES) domains [extras, elasticsearch]
  • 7.89 [extra789] Find trust boundaries in VPC endpoint services connections [trustboundaries]
  • 7.90 [extra790] Find trust boundaries in VPC endpoint services whitelisted principles [trustboundaries]

And in case you missed them because they were hidden:

  • 7.59 [extra759] Find secrets in Lambda functions variables (Not Scored) (Not part of CIS benchmark) [secrets]
  • 7.60 [extra760] Find secrets in Lambda functions code (Not Scored) (Not part of CIS benchmark) [secrets]

Fixes and minor changes:

  • Fixed AWS partition variable on generateJsonAsffOutput (f618a16)
  • Added back LIST_OF_CHECKS_AND_GROUPS.md (412c9c1)
  • Print warnings with the right color code (8cdf383)
  • Improve check21: if no account cloudtrail trail is found, check org trail @nimrodkor @bridgecrewio (996f785)
  • If no local cloudtrail trail is found - check org trail (dd0ef8c)
  • Fix issue with aws-cli v2 and timestamp on check24 #585 (a2cbcc0)
  • Fix check12's grep to find users with true in their name who really have password access @nimrodkor @bridgecrewio (5450bf9)
  • Ensure that hyphen is at end of tr string to prevent 'reverse collating sequence order' error in GNU tr @marcjay (e4ae0a4)
  • Improved AWS partition handle (1f949b4)
  • Add $ to end of regex (dbca70e)
  • Fix check12's grep to find users who really have password access (54f2b72)
  • Fix output modes strings to ensure correct outputs are selected @marcjay (6844733)
  • Ensure that hyphen is at end of tr string to prevent 'reverse collating sequence order' error in GNU tr. Stop echo from adding newlines using -n, removing the need to stop replacing new-line characters with underscores (e25125f)
  • Updated checks with hardcoded arn to support GovCloud partition (13ca147)
  • Improved extra734 for GovCloud (dbb3ed9)
  • Fixed issue with govcloud on extra764 #536 (7dc790a)
  • Improved GetCallerIdentity handling / credentials (8c9aea1)
  • Added txt output as mono for -M (9f03bd7)
  • Added account id to the output filename (43fb877)
  • Simplified caller id info on outputs (ef952ce)
  • Check if gbase64 (GNU) is available on Mac and use it in preference to BSD base64 @marcjay (0cca77a)
  • Fix -E flag no longer excluding checks @marcjay (5b9cf7f)
  • Added CSV header to the output file too #565 (9cbdefc)
  • Extend check13 to meet all CIS rules and consolidate with extra774 (ad66254)
  • Updated textInfo message on extra712 (d6374f8)
  • Enhancement: extra768 only check latest version of ECS task definition (38a970f)
  • Get the list of families and then get latest task definition (5b83701)
  • Fix invalid references to $i when it should reference a local $group_index variable (8f17933)
  • Improved extra716 and extra788 (6747b20)
  • Only check latest version of task definition (172f4b2)
  • Fix arithmetic expression for calculating test duration (fa17829)
  • Add the ability to generate JUnit XML reports with a -J flag (9943903)
  • Ignore inline whitelist comments, pass checkid to filter ignores specifically for checks (bf72025)
  • Merge branch 'marcjay-simplify-check-id-variables' (4625270)
  • Fixed title in group16_trustboundaries (f065beb)
  • Added more sample commands and updates (2de49c3)
  • Allow multiple report types at once #345 (4ea1864)
  • Fixed issue with regions on check21 (11c182c)
  • support arn:aws:s3::: on extra725 (036ae64)
  • Adjust execute_check() now that check71's ID has changed. Fix minor typo in a comment (7e5a4a1)
  • Limit CHECK_ID to a single value, handling the left-pad formatting in one place (0f49468)
  • Fix: extra741 - Check if User Data is a valid GZIP file before attempting to gunzip @marcjay (df52057)
  • Add clarifying text to pass/fail messages (460f656)
  • Extra741 - Check if User Data is a valid GZIP file before attempting to gunzip (c4374a2)
  • Prowler IAM Policy Enhancements and README Updates @tekdj7 (9be0b3f)
  • Extra725 - Improved support cross account and region cloudtrail @patdowney (a426462)
  • Extra720 - Support cross account and cross-region cloudtrail @patdowney (8a7344e)
  • Fixed check23_error_fails (7f2e097)
  • Fixed check26_error_fails (67504e8)
  • Fixed check121-filter-out-password-access-513 (3c77130)
  • Fixed fix-no-information-extra774-501 (d855432)
  • Fixed handle-gnu-date-as-default-on-mac-osx-534 (3e1d9ea)
  • Convert tabs to spaces within modified function (24e6919)
  • Avoid changing the execution order of checks when some checks are excluded (57c15c2)
  • Fixed check121 - Filter out users who do not have a console password (4f623b4)
  • Detect when GNU coreutils is installed on Mac OS X and use the correct date functions (d9588f4)
  • Remove the varying number of days in the message so that message stays consistent over time (ce1058d)
  • Handle IAM credential report containing 'no_information' for a user's last console login date (8d9c7e8)
  • Add CHECK_ASFF_RESOURCE_TYPE variables for recently added checks (c02811f)
  • Remove --output text in CLOUDTRAILBUCKET_LOGENABLED (7982cc4)
  • Support cross-region and cross-account object-level cloudtrail logs for S3 (b6adfd5)
  • Remove HomeRegion predicate from describe-trails in extras725 (78ccc7d)
  • Use TrailARN property to query get-event-selectors in checks_extra725 (fc83a98)
  • Added new checks to group extras (effc3eb)
  • Improvements and new checks for elasticsearch (6ea37b0)
  • Remove HomeRegion predicate from describe-trails to look for cross-region trails too (84711d1)
  • Use TrailARN property to query get-event-selectors (4ff6856)
  • Fixed typo in extra786 (9c4e629)
  • New check for Metadata Service Version 2 #413 (bd432fe)
  • Improved policy handling on extra716 (b5e1c90)
  • Improved policy handling on extra716 (afb908f)
  • v2.2.1 with new function and Improved extra779 and extra716 (e567ccb)
  • Improved extra716 filters and auth check (2e2fe96)
  • Added custom ports variable to extra779 (1ae5d5d)
  • Ignore imported ACM Certificate in check_extra724 (1419d48)
  • Added connection test for port 9300 in both linux and macosx on extra779 (8faf1f4)
  • Updated ES check titles and results (eae4722)
  • Enhanced extra...

Prowler 2.2.0

21 Feb 16:36

Special thanks to all contributors mentioned below.

This new version of Prowler wouldn't be possible without you all. Thanks!

List of Contributors for this release:

zfLQ2qx2
gabrielsoltz
Nimrod Kor
Mr. Secure
Tobi Fuhrimann
jonnyCodev
Or Evron
soffensive
Venki
angabini
Venkatadri Duggina
Samuel Dugo
Martin Kemp
Marcus Maxwell
Fayez Barbari
Dominick Bellizzi
David Lladro
C.J
Ricardo Oliveira
Kim Oliver Fehrs
Kasprzykowski
Jonathan Rau
Jerome Caffet
Barak Schoster Goihman
tomcrawf90
shaunography
james-portman-contino
bgeesaman
barnhartguy
alphad05
Will Thames
Tom Crawford
Ryan John Peck
Roman Vynar
Richard Nienaber
Ralph Rodkey
Nick Malcolm
Nic Doye
Ngọ Anh Đức
Morey Straus
Michael Peterson
Kinnaird McQuade
Kevin Pawloski
JohnVonNeumann
Dom Bellizzi
Clint Moyer
Christopher Morrow
Brian Fallik
Artashes Arabajyan
Affan Malik

New features:

f3bfe90: Add native support for AssumeRole
f979c73: Add quiet mode that only shows failures
be4bbe4: New POC for scoring report
00e5e65: Option "-c" supports one or multiple checks
71355b0: New option "-E" supports exclusion of one or multiple checks
ab5968c: Re-remove colors in json output
f006c81: Use custom AWS profile with Role to assume
cea0cfb: Prevent colorization on Failed and Info
8bb1529: More jq_improvements
61ef02e: Reduced API calls
64e38dd: Added megaprowler code for multiaccount (sample implementation)
f32b769: Make 3.x tests simpler and more useful
4bc64e9: Create Pipfile
ea6d9c9: Integration with Yelp detect-secrets
58fdd45: Ability to exclude check from group run
e273ae3: Adding detect_secrets support to Docker
da9cb41: Added jq to Dockerfile and fixes
bc9d4fe: Created a new Dockerfile based on Alpine
a2ccac9: FreeBSD support

New checks:

4098521: Check find secrets in UserData for Auto Scaling groups check_extra775
a824e06: Check if users have unused console login
2f17cfb: Check if CloudFront is using a WAF
4c1d188: Check for unused Elastic IP addresses
3b264d5: Check for internet facing instances with an Instance Profile attached.
7b5ece8: Check IAM Access Analyzer
fe65eaf: Check ECS scan on push
b61af3a: Check secrets in ECS task definition environment variables
961b79a: Check for CloudFront field level encryption
264b84a: Check for ECR scanning
2c531a2: Check for unsupported lambda runtimes
66c59ea: Check for EBS default encryption
40117ed: Checks for EC2 age
b8c7915: Check extra756 Redshift cluster public
5cd7214: Check extra755 open Memcached port
4f00760: Check extra754 open Cassandra port
660b573: Check open MongoDB port
1d45c45: Check open Redis port
3693ee3: Check SG open Postgres port
c36a606: Check SG open MySQL ports
5325bab: Check SG open MySQL ports
e283d35: Check SG open Oracle ports
b95cf5b: Check SG open to any port
c6dfbfd: Check IPv6 support to networking checks
62991cf: Check RDS CloudWatch Log integration
8b4b59e: Check RDS backup and RDS group of checks
a6569a0: Added group12 apigateway checks
50b6e63: Check API Gateway has authorizers
3582b42: Check API Gateway has CloudWatch Logs
65e2ff7: Check API Gateway has authorizers
504a11b: Check API Gateway public or private
f03eccf: Check API Gateway has a WAF ACL attached
d078985: Check API Gateway has client certificate enabled
bde9482: Check to find keys in CloudFormation Outputs

Documentation improvements:

e5e5e84: Add documentation for excluding group checks
4f4591d: Added more install details and docker run
1e1de4f: Added Security Hub integration link
24780b4: Improve documentation with prowler-additions-policy.json
2da125f: UPDATE README.md - fix incorrect group flag
04acb74: Enhanced requirements and installation
bc12717: Added MFA help
d818381: Wazuh integration guide DRAFT
b59d5db: Added new option exclude
2700365: Improved rules ID
08cdf35: Added CODE_OF_CONDUCT.md

Fixes:

0210c43: check_11_check_access_keys_usage
4a1d406: Check Extra 774 - Fixed bug - was checking account creation time instead of last logon date.
44716cf: mark_only_available_rds_instances_as_violating
1f3aaa8: es_public_domains_filter_condition
6213a74: public_bucket_policy_check_for_conditions
bf9ffc0: extra748_check_for_all_ports
fff605b: fix_extra_764_handle_all_aws
a6516e4: Check 1.1 - check password access and access key usage
4fe5750: Filter for only available rds instances in check
178a34e: Add conditions check for extra716
5f3293a: Add conditions check for extra771
28a8ae7: Check extra748 should fail in case of all ports (0-65535) open
daa26ed: extra764 should also check for principal being AWS = ""
9bd54ca: Fixed issue #378
4d683a7: fix-check11
4476571: check if last_login_date is a valid date
5069fd2: Associate VPCFlowLog with VPC
0d1807b: Remove ses:sendemails
a77d3b0: handle_get_bucket_policy_error
5cebebb: handle_get_bucket_policy_error
528e14d: Update check119
fe2d2b4: check root account access login and fail if used in the last day
74cbbdd: add text info in case an error occurred
029c330: fix check extra 764
2abe360: Update group7_extras
d473ebe: moving MAX_DAYS to the inner scope of the function
f038074: Update prowler-additions-policy.json
f797805: issue 458
ef001af: issue 459
2d712f6: issue-163-CloudFront-WAF
278e382: Update group7_extras
3452ecd: eip_check
f2f8216: issue 460
f735de8: Rewrite of check extra73
9fc0f6c: Remove check 766, dupe of check 765
41ccd45: Add additional error checking to address issue 459
9ed7d75: Add command for check119
b3b9039: cleanup_temp_files
4806d5f: update_check_extra764
a755ec8: update_extra769
3c703de: update_check_extra726
7d324be: Resolve issue with not_available state in results
b22b0af: Misc fixes to check extra764
4cc5cd1: Try to make sure prowler cleans up its temporary files
688f028: Add additional error checkings to check extra769
c84190c: Add error checking to checks extra77 and extra765
23be47a: Enhanced title for check extra723
ab75f19: small_fixes_to_extra731_extra716
20b127f: Added DS IAM actions
cc5da42: add lambda:get to prowler-additions-policy
1087d60: Small check fixes
d2b3e5e: Added new checks to extras group
0d120a4: check_bucket_policies_public_write
0ab5d87: public-instance-with-instance-profile-attached
39c7ea5: Add feature custom checks folder issue #439
933e415: fix_check26
fc3f4e8: Reuse ACCOUNT_NUM
7e803bb: Change to check 771
8e1aa17: Fix check26 - get the account ID from sts
dd5bf6c: fix_check21
7cb869a: use more generic access-analyzer:List*
559b058: Add trail count to check21 and fail if no trail exist
53f097c: Add "access-analyzer:ListTagsForResource" to prowler-additions-policy.json
b6e34ad: Fix issue #409
4af3dc1: Fix issue #426 updated base64 function
923fadb: check-3xx-whitespace-tolerance
3f68acc: Added missing file iam/prowler-additions-policy.json
2e11e0a: Fix extra764 check
c630c02: Update check_extra768
e18cea2: consolidated ProwlerReadOnlyPolicy and available json
8f91bfe: clean up documentation and added info to check_sample
c513e7a: ecs_task_definition_secrets_check_contribute
2e1cead: extra719
5c8b0aa: check726
15dda01: prowler-misc-updates
d19ae27: Fix merge issue
687686c: Filter out private zones in check extra719
94a9059: Handle Trusted Advisor entitlement issue gracefully
669469e: Update extra764 and extra734, add .gitignore rules for vim
031b68a: fixed typo in iam policy
d737193: extra75-enhancement
f83ce78: prowler-3x-checks
054043d: Update extra75 to be aware of default security groups
603ed0b: Update log metric filter checks to latest AWS CIS Foundations Benchmark and provide hints on how to remediate
3a89388: Misc prowler fixes
2e18192: Added pull request template
508a935: fix jq array
6389869: remove_old_check
d026ed5: improve_extra727
529fc64: better_output
5cadd0c: remove_unused_variable
df5def4: comments_and_fix
5252518: extra73
be0bc7a: extra 7.62 - output cleanup
c460e35: obsolete_runtimes
827b1fd: add region info to textFail,textPass output
23a7c7f: fix spelling error in message
e683ea5: fix over-quoting bug
826cc00: replacing git clone with ADD so as not to cache the layer indefinitely
77b3a9b: unsetting excluded_checks
d4fad17: update pipeline commands to use multi-account path
ddb4983: bring in quoting nits
31a4024: Merge pull request #392 from MrSecure/mega
40a2ea6: fixed region for extra757 and extra758
7e28f85: add cli options
64667ea: grant codebuild the ability to assume audit role
70304dc: suppress remaining shell check warnings
e0a77b3: cleanup using shellcheck
70de023: more output structure cleanup
b5ccdad: change bucket resource name
d0af7f4: remove 'out' from artifact storage path
fc77b4a: Merge pull request #390 from Quiq/master
4540fd7: Add missing permission
44cfa71: updated logging
ecde624: remove unnecessary variables and removed echo
d5f22ab: fixing check26 cross access bug
72b1421: fixing cross account cloudtrail issue
cd52bf8: fix typo
aba697a: List CloudFront distributions only once
49994d1: List successful cases as PASS! for 7.27
f3d617a: Fix Pipfile
1be58e0: Fix issue #323
8333c57: Fixed issue #348 -e option back to work
02d2561: Fix issue #354
30b2f55: support_role_added_to_groups
253fa5e: #351
188a681: check314_case_sensitivity
9e06297: fix_check_extra741
eecb272: Fixed output for PR #339
2ed3378: refactor_check_extra734
bd9ae4b: improve_check_extra73
30e2360: remove filter by roles so that groups are included as well
033e262: [FIX] remove duplicated filter condition | kf/aa/if
2b95f69: [FIX] allow 1.22 checks on policies with only one statement block | kf/aa/if
5bd3f0b: Fix typo
a430ad4: Tabs to 4 spaces
85dc040: Made check314 less case sensitive
a259571: Fixing missing &&
8b2c113: add_detect_secrets_to_docker
cea45f4: remove REGION from Bucket Listing
d7d2246: improved for other file types like empty and very short
e6992e8: ignore None when user data is empty
c8622bc: better check denied
76e665...

Prowler 2.0

27 Nov 05:09

New features:

  • Refactored code:
    • reduced the number of lines in the Prowler main script and added an includes folder with parts, so all components are easy to find and manage
    • dedicated folder for checks, one check per file
    • same for groups of checks: you can now create custom groups and run Prowler against your custom group (for example, only the checks that your company needs)
    • moved Dockerfile to the utils folder
    • moved IAM policy additions to the iam folder
  • Output now displays PASS and FAIL instead of OK and WARNING.
  • Option -g <group_id>: run a specific group, either an existing one or a new one
  • Option -b: hide banner
  • Check whitelisting: thanks to the new groups management, you can create your own set of checks based on your needs.
  • Custom checks: adding a new check is now easier; create your check based on the sample one and add it to a group, or create your own group.
  • Added version to the banner and changed description
  • Added new check extra723 that looks for public RDS snapshots (single and cluster)
  • Added check extra724 Certificate Transparency
  • Added check ID on every check and group title.
  • Added check extra725 S3 object-level logging (extras and forensics)
  • Added check extra726 Trusted Advisor errors and warnings
  • Added check extra727 SQS queues with a public policy
  • Added check extra728 SQS queues have encryption enabled
  • Added -V flag to see version
  • Added check extra729 no EBS Volumes unencrypted
  • Added check extra730 ACM Certificates are about to expire in 7 days or less
  • Added check extra731 SNS topics have policy set as Public
  • Added check extra732 Geo restrictions are enabled in CloudFront distributions
  • Added check extra733 SAML providers present (so that STS can be used)
  • Added check extra734 S3 buckets have default encryption (SSE) enabled and policy to enforce it
  • Added check extra735 RDS instances storage is encrypted
  • Added check extra736 exposed KMS keys
  • Added check extra737 KMS keys with key rotation disabled
  • Added check extra738 CloudFront distributions are set to HTTPS
  • Added check extra739 ELBs have logging enabled
  • Added check extra740 EBS snapshots are encrypted
  • JSON support as output mode -M json, thanks to @hb3b
  • Added support to run on Fargate, using metadata for credentials, thanks to @mattfinlayson
  • Added group checks for GDPR and HIPAA, thanks to @crashGoBoom for helping out with HIPAA

Improvements:

  • Adapted to the latest CIS for AWS 1.2, thanks to @gpatt
  • Option -l now shows all groups, not only the default ones, with the titles of all their checks.
  • changed #!/bin/bash to #!/usr/bin/env bash #182 thanks to @doshitan
  • check28 #181 thanks to @doshitan
  • check41 and check44 #180 thanks to @subramani95
  • Changed output functions to textInfo, textFail and textPass
  • Hide banner on CSV output mode for group check
  • Added version to banner
  • Improved current directory handler for includes
  • Improved error handling on check111
  • Improved instance profile handling issue #200, thanks to @netflash and @ceyes
  • Improved default region handling issue #202, thanks to @ceyes
  • Improvements on account ID handling in CSV output issue #205, thanks to @MrSecure
  • Improved check28, thanks to @nexeck
  • Improved check_extra73 to support graceful failing of buckets with corrupt/unintended permissions, thanks to @hb3b
  • Improved check111, thanks to @roo7break and @martinusnel
  • Improved check27
  • Improved group error handling
  • Improved check115, check315 and check13 and their documentation, thanks to @rheak
  • Improved extra725, thanks to @martinusnel
  • Improved username filtering for check12 for CIS 1.2, thanks to @gpatt
  • Improved username filtering for check116 for CIS 1.2, thanks to @gpatt
  • Improved extra713, thanks to @mbode
  • Improved credentials handling, thanks to @flomotlik
  • Improved check112 to avoid extra API call, thanks to @jlamande
  • Improved check29, thanks to @onkymykiss1

Fixes:

  • check22 #194 thanks to @mbode
  • check717 #188 thanks to @ahhh
  • Fixed required IAM permissions #187 thanks to @rtkjbillo
  • Disabled concurrency in check_extra73 due to API limits
  • Fixed issue #268
  • Mark CIS levels properly, and added the level marker to the sample check, thanks to @MrSecure
  • Fixed mismatched check_type on check18 thanks to @MrSecure
  • Fixed typo on check311 thanks to @MrSecure
  • Ensure credential report is available before running any checks thanks to @MrSecure
  • Fixed checks on group3 to prevent duplicates, thanks to @myoung34
  • Fixed extra73 to use $PROFILE_OPT properly, thanks to @sidewinder12s
  • Fixed checks extra727 and extra728 to use $PROFILE_OPT properly, thanks to @tmonk42
  • Fixed check14, thanks to @atomdampflok
  • Fixed checks listing, thanks to @UranusBytes
  • Fixed check13 for never logged users, thanks to @jlamande

Documentation:

  • Added new way to create custom checks and custom groups
  • Improved Prowler description
  • Added command to save report to S3
  • Update all CIS document links to AWS version thanks to @sidewinder12s
  • Changed the license for non-CIS checks and the rest of the code (everything except the CIS checks) to Apache 2.0
  • Added license and commercial use disclaimer to README
  • Added info about GDPR and HIPAA
  • Improved README formatting and typos, thanks to @craighurley and @slmingol
  • Added newly required IAM roles, thanks to @yapale, @mixmatch and @jlamande

Special thanks to:

@philipmeadows for his help and ideas on code refactoring

Prowler 2.0 Beta

27 Mar 22:11
Pre-release

New features:

  • Refactored code:
    • reduced the number of lines in the Prowler main script and added an includes folder with parts, so all components are easy to find and manage
    • dedicated folder for checks, one check per file
    • same for groups of checks: you can now create custom groups and run Prowler against your custom group (for example, only the checks that your company needs)
    • moved Dockerfile to the utils folder
    • moved IAM policy additions to the iam folder
  • Output now displays PASS and FAIL instead of OK and WARNING.
  • Option -g <group_id>: run a specific group, either an existing one or a new one
  • Option -b: hide banner
  • Check whitelisting: thanks to the new groups management, you can create your own set of checks based on your needs.
  • Custom checks: adding a new check is now easier; create your check based on the sample one and add it to a group, or create your own group.
  • Added version to the banner and changed description
  • Added new check extra723 that looks for public RDS snapshots (single and cluster)

Improvements:

  • Option -l now shows all groups, not only the default ones, with the titles of all their checks.
  • check73 now does the S3 check in parallel, thanks to @vsMeecles and Jonathan Glass
  • changed #!/bin/bash to #!/usr/bin/env bash #182 thanks to @doshitan
  • check28 #181 thanks to @doshitan
  • check41 and check44 #180 thanks to @subramani95

Fixes:

Documentation:

  • Added new way to create custom checks and custom groups

Special thanks to:

@philipmeadows for his help and ideas on code refactoring