-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(aws): review checks with wrong attributes #5503
base: master
Are you sure you want to change the base?
Changes from 1 commit
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -3,7 +3,7 @@ | |
from dateutil import relativedelta | ||
from pytz import utc | ||
|
||
from prowler.lib.check.models import Check, Check_Report_AWS | ||
from prowler.lib.check.models import Check, Check_Report_AWS, Severity | ||
from prowler.providers.aws.services.rds.rds_client import rds_client | ||
|
||
|
||
|
@@ -21,7 +21,7 @@ | |
report.resource_arn = db_instance_arn | ||
report.resource_tags = db_instance.tags | ||
report.status = "FAIL" | ||
report.check_metadata.Severity = "critical" | ||
report.check_metadata.Severity = Severity.critical | ||
report.status_extended = ( | ||
f"RDS Instance {db_instance.id} certificate has expired." | ||
) | ||
|
@@ -33,7 +33,7 @@ | |
utc | ||
) + relativedelta.relativedelta(months=6): | ||
report.status = "PASS" | ||
report.check_metadata.Severity = "informational" | ||
report.check_metadata.Severity = Severity.informational | ||
report.status_extended = f"RDS Instance {db_instance.id} certificate has over 6 months of validity left." | ||
elif cert.valid_till < datetime.now( | ||
utc | ||
|
@@ -45,7 +45,7 @@ | |
months=3 | ||
): | ||
report.status = "PASS" | ||
report.check_metadata.Severity = "low" | ||
report.check_metadata.Severity = Severity.low | ||
report.status_extended = f"RDS Instance {db_instance.id} certificate has between 3 and 6 months of validity." | ||
elif cert.valid_till < datetime.now( | ||
utc | ||
|
@@ -57,7 +57,7 @@ | |
months=1 | ||
): | ||
report.status = "FAIL" | ||
report.check_metadata.Severity = "medium" | ||
report.check_metadata.Severity = Severity.medium | ||
report.status_extended = f"RDS Instance {db_instance.id} certificate less than 3 months of validity." | ||
elif cert.valid_till < datetime.now( | ||
utc | ||
|
@@ -67,11 +67,11 @@ | |
utc | ||
): | ||
report.status = "FAIL" | ||
report.check_metadata.Severity = "high" | ||
report.check_metadata.Severity = Severity.high | ||
Check warning on line 70 in prowler/providers/aws/services/rds/rds_instance_certificate_expiration/rds_instance_certificate_expiration.py Codecov / codecov/patchprowler/providers/aws/services/rds/rds_instance_certificate_expiration/rds_instance_certificate_expiration.py#L70
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Please, add a test to cover this scenarion. |
||
report.status_extended = f"RDS Instance {db_instance.id} certificate less than 1 month of validity." | ||
else: | ||
report.status = "FAIL" | ||
report.check_metadata.Severity = "critical" | ||
report.check_metadata.Severity = Severity.critical | ||
report.status_extended = ( | ||
f"RDS Instance {db_instance.id} certificate has expired." | ||
) | ||
|
@@ -80,7 +80,7 @@ | |
utc | ||
) + relativedelta.relativedelta(months=6): | ||
report.status = "PASS" | ||
report.check_metadata.Severity = "informational" | ||
report.check_metadata.Severity = Severity.informational | ||
report.status_extended = f"RDS Instance {db_instance.id} custom certificate has over 6 months of validity left." | ||
elif cert.valid_till < datetime.now( | ||
utc | ||
|
@@ -92,7 +92,7 @@ | |
months=3 | ||
): | ||
report.status = "PASS" | ||
report.check_metadata.Severity = "low" | ||
report.check_metadata.Severity = Severity.low | ||
report.status_extended = f"RDS Instance {db_instance.id} custom certificate has between 3 and 6 months of validity." | ||
elif cert.valid_till < datetime.now( | ||
utc | ||
|
@@ -104,7 +104,7 @@ | |
months=1 | ||
): | ||
report.status = "FAIL" | ||
report.check_metadata.Severity = "medium" | ||
report.check_metadata.Severity = Severity.medium | ||
report.status_extended = f"RDS Instance {db_instance.id} custom certificate less than 3 months of validity." | ||
elif cert.valid_till < datetime.now( | ||
utc | ||
|
@@ -114,11 +114,11 @@ | |
utc | ||
): | ||
report.status = "FAIL" | ||
report.check_metadata.Severity = "high" | ||
report.check_metadata.Severity = Severity.high | ||
report.status_extended = f"RDS Instance {db_instance.id} custom certificate less than 1 month of validity." | ||
else: | ||
report.status = "FAIL" | ||
report.check_metadata.Severity = "critical" | ||
report.check_metadata.Severity = Severity.critical | ||
report.status_extended = f"RDS Instance {db_instance.id} custom certificate has expired." | ||
findings.append(report) | ||
|
||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -11,6 +11,7 @@ def execute(self) -> Check_Report_AWS: | |
for domain in route53domains_client.domains.values(): | ||
report = Check_Report_AWS(self.metadata()) | ||
report.resource_id = domain.name | ||
report.resource_arn = route53domains_client.audited_account_arn | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The same again to create an ARN for this one. |
||
report.region = domain.region | ||
report.resource_tags = domain.tags | ||
if domain.admin_privacy: | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -11,6 +11,7 @@ def execute(self) -> Check_Report_AWS: | |
for domain in route53domains_client.domains.values(): | ||
report = Check_Report_AWS(self.metadata()) | ||
report.resource_id = domain.name | ||
report.resource_arn = route53domains_client.audited_account_arn | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The same again to create an ARN for this one. |
||
report.region = domain.region | ||
report.resource_tags = domain.tags | ||
if domain.status_list and "clientTransferProhibited" in domain.status_list: | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -14,15 +14,21 @@ def __init__(self, provider): | |
self.rules = {} | ||
self.rule_groups = {} | ||
self.web_acls = {} | ||
self._list_rules() | ||
self.__threading_call__(self._get_rule, self.rules.values()) | ||
self._list_rule_groups() | ||
self.__threading_call__( | ||
self._list_activated_rules_in_rule_group, self.rule_groups.values() | ||
) | ||
self._list_web_acls() | ||
self.__threading_call__(self._get_web_acl, self.web_acls.values()) | ||
self.__threading_call__(self._get_logging_configuration, self.web_acls.values()) | ||
if self.audited_partition == "aws": | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Why only There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. You can see in https://docs.aws.amazon.com/general/latest/gr/waf-classic.html that only this partition is supported. |
||
# AWS WAF is available globally for CloudFront distributions, but you must use the Region US East (N. Virginia) to create your web ACL and any resources used in the web ACL, such as rule groups, IP sets, and regex pattern sets. | ||
self.region = "us-east-1" | ||
self.client = self.session.client(self.service, self.region) | ||
self._list_rules() | ||
self.__threading_call__(self._get_rule, self.rules.values()) | ||
self._list_rule_groups() | ||
self.__threading_call__( | ||
self._list_activated_rules_in_rule_group, self.rule_groups.values() | ||
) | ||
self._list_web_acls() | ||
self.__threading_call__(self._get_web_acl, self.web_acls.values()) | ||
self.__threading_call__( | ||
self._get_logging_configuration, self.web_acls.values() | ||
) | ||
|
||
def _list_rules(self): | ||
logger.info("WAF - Listing Global Rules...") | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think here we should create our own ARN, what do you think?