2.4.0
Release date: 2021-04-09 22:55:54
prowler-cloud/prowler latest release: 4.3.7 (2024-09-24 03:55:00)
Prowler 2.4.0
New version, new logo and new features, many community contributions, fixes and improvements.
Thanks to all the community for the continuous effort, contributing in many ways, including code and feedback. Prowler is being used by thousands of users and making your cloud infrastructure more secure. THANK YOU.
New Features:
Please read these new features and changes carefully (especially the CSV output changes) if you have integrations, as they may affect you.
Added Risk, Remediation, Link to doc and CAF security epics to controls @pablopagani
Added support for new fields Risk, Remediation, Link to doc and CAF security epics to CSV and HTML outputs. New fields are:
PROFILE,ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,ITEM_SCORED,ITEM_LEVEL,TITLE_TEXT,CHECK_RESULT_EXTENDED,CHECK_ASFF_COMPLIANCE_TYPE,CHECK_SEVERITY,CHECK_SERVICENAME,CHECK_ASFF_RESOURCE_TYPE,CHECK_ASFF_TYPE,CHECK_RISK,CHECK_REMEDIATION,CHECK_DOC,CHECK_CAF_EPIC
Added severity field to CSV and HTML output reports
Added new logo, screenshots and improved documentation sections
Added -N <shodan_api_key> support for extra7102
Added [extra736] Check exposed KMS keys to group internet-exposed
Added [extra798] Check if Lambda functions have resource-based policy set as Public
Added [extra799] Check if Security Hub is enabled and its standard subscriptions
Added 4 new EKS checks @jonjozwiak
Added access checks for several checks @zfLQ2qx2
Added additional checks to HIPAA group @gchib297
Added additional GDPR checks to GDPR group @gchib297
Added all new Sagemaker checks to extras
Added allow list All findings in single view in html report
Added AWS partition variable to the ASFF output format
Added AWS service name to json, csv and html outputs
Added back extra798
Added Better handle permissions and errors
Added CFN template helper for role
Added check extra7113
Added check extra798 to gdpr and pci groups @gchib297
Added check extra798 to iso27001 @gchib297
Added check extra798 to PCI
Added check for AccessDenied when calling GetBucketLocation in extra73,extra734,extra764 @zfLQ2qx2
Added Check for errors generating credential report, limit loop iterations @zfLQ2qx2
Added check for RDS enhanced monitoring @mpratsch
Added check if Enhanced monitoring is enabled on RDS instances
Added check23 to group17_internetexposed group @RyanJarv
Added check7130 to group7_extras and Fixed some issues
Added checks about EKS to groups internet-exposed and forensics
Added CodeBuild deployment section
Added CodeBuild template original from @stevecjones
Added coreutils to Dockerfile
Added EKS checks to eks-cis and extras group @jonjozwiak
Added Enable Security Hub official integration @toniblyx
Added ENS group with new checks
Added extra7102 ElasticIP Shodan integration
Added extra7102 to groups extras and internetexposed
Added extra7113: Check RDS deletion protection
Added extra7113: Check RDS instances deletion protection @gchib297
Added extra7133 RDS multi-AZ
Added extra796 EKS control plane access to internet-exposed group
Added extra799 and extra7100 to group extras
Added FFIEC cybersecurity assessment group @gchib297
Added fix to generate test summary so reports display graphs correctly @stevecjones
Added get_regions function in order to call after assume_role @HG00
Added GetFindings action to example IAM policy for Security Hub
Added Glue checks additional @dlpzx
Added Glue checks part 1 @ramondiez
Added GovCloud usage information
Added group for ENS Spanish Esquema Nacional de Seguridad
Added group for pci-dss as reference
Added group internet-exposed
Added group18 for ISO27001 thanks to @gchib297 issue #637
Added high level architecture
Added html to -M in usage
Added IAM to extra7100 title
Added latest checks to extras group
Added more checks mappings to ISO27001 group and reordered the list @mario-platt
Added New 7 checks required for ENS
Added new check [extra7101] Check if Amazon Elasticsearch Service (ES) domains have audit logging enabled
Added New check 7.98 [extra798] Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *) @nickmalcolm
Added new check extra_7130 to check encryption of a SNS topic @mpratsch
Added new check extra7131 RDS minor version upgrade
Added new check extra793 for SSL listeners on load balancers @jonjozwiak
Added new extras check (7130) to check encryption of a SNS topic
Added New group for Sagemaker with 10 new controls
Added parameters and made the template parameterised @pacohope
Added Refresh assumed role credentials to avoid role chaining limitations @michael-dickinson-sainsburys
Added script to generate html report from multiple csv outputs
Added service name to all checks
Added service name to sample check
Added session duration option to 12h
Added sleep to extra7102 to avoid Shodan API limits
Added SOC2 compliance group @gchib297
Added start build automatically
Added Support custom folder checks when running all checks @xeroxnir
Added support to run inside AWS CloudShell
Added Whitelist feature improvements @QuinnStevens
Enhancements:
Enhanced Accept current most restrictive TLSv1.2-only ALB security policy as secure
Enhanced Adapt check119 to exclude instances shutting down @stku1985
Enhanced Additional check for location of awscli @zfLQ2qx2
Enhanced Adjusted severity like in Security Hub @xeroxnir
Enhanced Allow list checks and groups without credentials
Enhanced better handle permissions and errors
Enhanced Catch errors assuming role and describing regions @zfLQ2qx2
Enhanced check extra740: reworked to consider all snapshots, use JMESPath query @pacohope
Enhanced check extra792 to accept current most restrictive TLSv1.2 @bazbremner
Enhanced check119 to exclude instances shutting-down @stku1985
Enhanced clear AWS_DEFAULT_OUTPUT on start @zfLQ2qx2
Enhanced Cloudtrail metrics (check3x) pass if found on any, not every, cloudtrail log @zfLQ2qx2
Enhanced CodeBuild CFN template with scheduler and documentation
Enhanced documentation about SecurityHub integration and region filter
Enhanced Ensure check28 only looks at symmetric keys
Enhanced Ensure that checks are sorted numerically when listing checks @marcjay
Enhanced Ensures JSON is the default AWS command output
Enhanced error handling without credentials
Enhanced extra7102 increased severity to medium
Enhanced extra792 skip check if no HTTPS/SSL Listener plus Added NLB Support @jonjozwiak
Enhanced feature to refresh assume role credentials before they expire
Enhanced Force default AWS CLI output issue #696 @Kirizan
Enhanced Handle shadow CloudTrails more gracefully in checks check21,check22,check24,check27 @zfLQ2qx2
Enhanced html output with scoring information, risk, remediation, doc link and CAF security epics
Enhanced Implement OS neutral method of converting rfc3339 dates to epoch @zfLQ2qx2
Enhanced In CSV output, changed the NOTES field header to CHECK_RESULT_EXTENDED. New CSV header looks like: PROFILE,ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,ITEM_SCORED,ITEM_LEVEL,TITLE_TEXT,CHECK_RESULT_EXTENDED,CHECK_ASFF_COMPLIANCE_TYPE,CHECK_SEVERITY,CHECK_SERVICENAME,CHECK_ASFF_RESOURCE_TYPE,CHECK_ASFF_TYPE,CHECK_RISK,CHECK_REMEDIATION,CHECK_DOC,CHECK_CAF_EPIC
Enhanced PublicIP discovery used in Shodan check_extra7102 @as-km
Enhanced reduce needed actions in additions policy @tekdj7
Enhanced Removed textInfo extra information on extra712
Enhanced Security Hub integration @xeroxnir
Enhanced Security Hub integration improvement and Added severity for checks @xeroxnir
Enhanced Security Hub: Mark as ARCHIVED + Fixed race condition @xeroxnir
Enhanced Updated ProwlerExecRoleAdditionalViewPrivileges Policy with lambda:GetFunction
Enhanced Use describe-network-interfaces instead of describe-addresses in order to get public IPs #768
Enhanced whitelisting to allow regexes and fuzzy/strict matching
Enhanced Adjusted severity to secrets and Shodan checks
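The CSV header change listed under New Features (new CHECK_RISK, CHECK_REMEDIATION, CHECK_DOC and CHECK_CAF_EPIC columns) and the NOTES to CHECK_RESULT_EXTENDED rename above are exactly the kind of change that silently breaks a downstream integration that indexes columns by position or by the old name. The following is an added example, not code from the Prowler project: a small Python consumer that validates the 2.4.0 header before trusting a file, then builds a severity summary and a remediation list from the FAIL rows. Only the header line comes from the release notes; the sample rows, account number, resource names, severity labels (Critical/High/Medium/Low) and documentation URLs are constructed placeholders.

```python
import csv
import io
from collections import Counter

# Field order exactly as listed in the Prowler 2.4.0 release notes.
EXPECTED_FIELDS = [
    "PROFILE", "ACCOUNT_NUM", "REGION", "TITLE_ID", "CHECK_RESULT", "ITEM_SCORED",
    "ITEM_LEVEL", "TITLE_TEXT", "CHECK_RESULT_EXTENDED", "CHECK_ASFF_COMPLIANCE_TYPE",
    "CHECK_SEVERITY", "CHECK_SERVICENAME", "CHECK_ASFF_RESOURCE_TYPE", "CHECK_ASFF_TYPE",
    "CHECK_RISK", "CHECK_REMEDIATION", "CHECK_DOC", "CHECK_CAF_EPIC",
]

# Constructed sample output (hypothetical account, resources, wording and URLs),
# not a real Prowler run. Only the header line is taken from the release notes.
SAMPLE_CSV = ",".join(EXPECTED_FIELDS) + "\n" + """\
default,123456789012,us-east-1,7.98,FAIL,Scored,Level 2,"Ensure that no custom policies exist which allow permissive role assumption","Policy AllowAssume grants sts:AssumeRole on *",extras,High,iam,AwsIamPolicy,Software and Configuration Checks/AWS Security Best Practices,"Any principal in the account could assume any role","Restrict sts:AssumeRole to specific role ARNs",https://docs.example.invalid/extra798,Infrastructure Security
default,123456789012,us-east-1,7.113,FAIL,Not Scored,Level 2,Check RDS instances deletion protection,"RDS instance db-prod has deletion protection disabled",extras,Medium,rds,AwsRdsDbInstance,Software and Configuration Checks/AWS Security Best Practices,"Instance can be deleted by mistake or by an attacker","Enable deletion protection on the instance",https://docs.example.invalid/extra7113,Data Protection
default,123456789012,eu-west-1,7.113,PASS,Not Scored,Level 2,Check RDS instances deletion protection,"RDS instance db-eu has deletion protection enabled",extras,Medium,rds,AwsRdsDbInstance,Software and Configuration Checks/AWS Security Best Practices,"Instance can be deleted by mistake or by an attacker","Enable deletion protection on the instance",https://docs.example.invalid/extra7113,Data Protection
default,123456789012,eu-west-1,7.133,FAIL,Not Scored,Level 2,Check RDS instances multi-AZ,"RDS instance db-eu is not multi-AZ",extras,Medium,rds,AwsRdsDbInstance,Software and Configuration Checks/AWS Security Best Practices,"Single-AZ instance is lost if the AZ fails","Enable multi-AZ deployment",https://docs.example.invalid/extra7133,Resilience
"""

# Assumed ordering of the severity labels; the labels themselves are constructed.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def parse_findings(text):
    """Parse Prowler CSV output, refusing files whose header is not the 2.4.0 layout.

    A pre-2.4.0 file (NOTES column, no risk/remediation columns) raises ValueError
    instead of being silently misread by column position.
    """
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != EXPECTED_FIELDS:
        missing = sorted(set(EXPECTED_FIELDS) - set(reader.fieldnames or []))
        raise ValueError(f"unexpected CSV header; missing fields: {missing}")
    return list(reader)


def failed_by_severity(findings):
    """Count FAIL rows per CHECK_SEVERITY value."""
    return Counter(f["CHECK_SEVERITY"] for f in findings if f["CHECK_RESULT"] == "FAIL")


def remediation_plan(findings):
    """FAIL rows as (title id, severity, region, remediation), highest severity first."""
    fails = [f for f in findings if f["CHECK_RESULT"] == "FAIL"]
    fails.sort(key=lambda f: (SEVERITY_RANK.get(f["CHECK_SEVERITY"], 99),
                              f["TITLE_ID"], f["REGION"]))
    return [(f["TITLE_ID"], f["CHECK_SEVERITY"], f["REGION"], f["CHECK_REMEDIATION"])
            for f in fails]


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_CSV)
    print("FAIL by severity:", dict(failed_by_severity(findings)))
    for title_id, sev, region, fix in remediation_plan(findings):
        print(f"[{sev}] {title_id} {region}: {fix}")
```

Reading by column name through csv.DictReader rather than by index is what makes the consumer survive future columns being appended; the explicit header comparison is what turns an old-format file into a loud failure rather than mislabelled findings.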
Fixes:
Fixed account id in output file name
Fixed changes made in check27
Fixed check extra73 fail message omits bucket name @zfLQ2qx2
Fixed check for public rds instances
Fixed check_extra7107 condition
Fixed check_extra7116 and check_extra7117
Fixed Check12 bug
Fixed Remove $ from grep
Fixed check12 when MFA is enabled and user contains true in the name @xeroxnir
Fixed date command for busybox @zfLQ2qx2
Fixed don't fail check extra737 for keys scheduled for deletion
Fixed EKS related checks regarding us-west-1 @njgibbon
Fixed error handling for SubscriptionRequiredException in extra77
Fixed execute_group_by_id @xeroxnir
Fixed extra7103 parser error
Fixed extra7108 parser error
Fixed extra7110 title
Fixed extra7111 parser error
Fixed extra7116 extra7117 outputs and added to extras @ramondiez
Fixed extra737 now doesn't fail for keys scheduled for deletion @QuinnStevens
Fixed for busybox date command
Fixed for check_extra764 @grzegorznittner
Fixed for issue 713
Fixed FreeBSD $OSTYPE check @ring-pete
Fixed getopts OPTARG for custom checks @xeroxnir
Fixed include lambda:GetFunction in prowler policy to check AWS Lambda related controls: extra720,extra759,extra760,extra762,extra798
Fixed Include missing AWS function lambda:GetFunction policy in prowler-additions-policy.json to check AWS Lambda @jfagoagas
Fixed issue #624 ID of check_extra792
Fixed issue #659
Fixed issue assuming role in regions with STS disabled
Fixed issue in extra776 when ECR Scanning imageDigest @adamcanzuk
Fixed listing CloudFormation stacks if default output format is not JSON
Fixed listing configurations if default output format is not JSON check119,extra742,extra75 and extra772 @anthirian
Fixed listing EC2 instances if default output format is not JSON
Fixed listing EC2 Security Groups if default output format is not JSON
Fixed listing Elastic IPs if default output format is not JSON
Fixed log metric filter check3x with multiple trails @bridgecrewio
Fixed log metric filter checks (#33)
Fixed Make check28 only look at symmetric keys @mdop-wh
Fixed moved assume role before listing regions
Fixes issue #744
Fixed output on extra731
Fixed profile and region settings for extra792 ELB SSL ciphers @jonjozwiak
Fixed quotes in check extra78 for public RDS instances @goldfiglabs
Fixed regex in check43 @ilyas28
Fixed Replace empty space with '\s' in check43 regex @frannovo
Fixed report metadata in html output
Fixed Security Hub eventual consistency + PREFIX query bug + Archive PASSED @xeroxnir
Fixed security-hub integration: Race condition timestamp @xeroxnir
Fixed SecurityHub: other os/check fixes + batch in 100 findings @xeroxnir
Fixed servicename variable in extra72
Fixed Store assumed role expiry time for later checking
Fixed syntax in extra7110
Fixed title grammar in check_extra73 @CenturionGamer
Fixed typos and Added to extras extra7132
Fixed Update check_extra7130 profile parameter was not set @soffensive