prowler-cloud 5.14.1__py3-none-any.whl → 5.15.0__py3-none-any.whl

prowler/providers/alibabacloud/services/cs/cs_kubernetes_rbac_enabled/cs_kubernetes_rbac_enabled.metadata.json

@@ -0,0 +1,40 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "cs_kubernetes_rbac_enabled",
+  "CheckTitle": "Role-based access control (RBAC) authorization is Enabled on Kubernetes Engine Clusters",
+  "CheckType": [
+    "Threat detection during container runtime",
+    "Abnormal account"
+  ],
+  "ServiceName": "cs",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:cs:region:account-id:cluster/{cluster-id}",
+  "Severity": "high",
+  "ResourceType": "AlibabaCloudKubernetesCluster",
+  "Description": "In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions.\n\nTo ensure that **RBAC** limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, helps ensure that users only have access to specific cluster resources within their own namespace, and is now stable in Kubernetes.",
+  "Risk": "In Kubernetes, **RBAC** is used to grant permissions to resources at the cluster and namespace level. RBAC allows you to define roles with rules containing a set of permissions.\n\nWithout RBAC, legacy authorization mechanisms like **ABAC** grant **overly broad permissions**, increasing the risk of unauthorized access and privilege escalation.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://help.aliyun.com/document_detail/87656.html",
+    "https://help.aliyun.com/document_detail/119596.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/enable-rbac-authorization.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "RBAC is enabled by default on new ACK clusters. Verify cluster authorization configuration.",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "1. Log on to the **ACK Console**\n2. Navigate to **Clusters** -> **Authorizations** page\n3. Select the target RAM sub-account and configure the RBAC roles on specific clusters or namespaces\n4. Ensure **RBAC** is enabled and legacy ABAC authorization is disabled",
+      "Url": "https://hub.prowler.com/check/cs_kubernetes_rbac_enabled"
+    }
+  },
+  "Categories": [
+    "identity-access"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/alibabacloud/services/cs/cs_kubernetes_rbac_enabled/cs_kubernetes_rbac_enabled.py

@@ -0,0 +1,28 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.cs.cs_client import cs_client
+
+
+class cs_kubernetes_rbac_enabled(Check):
+    """Check if RBAC authorization is enabled on Kubernetes Engine Clusters."""
+
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+
+        for cluster in cs_client.clusters:
+            report = CheckReportAlibabaCloud(metadata=self.metadata(), resource=cluster)
+            report.region = cluster.region
+            report.resource_id = cluster.id
+            report.resource_arn = f"acs:cs:{cluster.region}:{cs_client.audited_account}:cluster/{cluster.id}"
+
+            if cluster.rbac_enabled:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Kubernetes cluster {cluster.name} has RBAC authorization enabled."
+                )
+            else:
+                report.status = "FAIL"
+                report.status_extended = f"Kubernetes cluster {cluster.name} does not have RBAC authorization enabled or is using legacy ABAC authorization."
+
+            findings.append(report)
+
+        return findings

prowler/providers/alibabacloud/services/cs/cs_service.py

@@ -0,0 +1,354 @@
+from datetime import datetime
+from typing import Optional
+
+from alibabacloud_cs20151215 import models as cs_models
+from pydantic.v1 import BaseModel
+
+from prowler.lib.logger import logger
+from prowler.lib.scan_filters.scan_filters import is_resource_filtered
+from prowler.providers.alibabacloud.lib.service.service import AlibabaCloudService
+
+
+class CS(AlibabaCloudService):
+    """
+    CS (Container Service) class for Alibaba Cloud Kubernetes (ACK).
+
+    This class provides methods to interact with Alibaba Cloud Container Service
+    to retrieve ACK clusters and their configurations.
+    """
+
+    def __init__(self, provider):
+        # Call AlibabaCloudService's __init__
+        super().__init__(__class__.__name__, provider, global_service=False)
+
+        # Fetch CS resources
+        self.clusters = []
+        self.__threading_call__(self._describe_clusters)
+
+    def _describe_clusters(self, regional_client):
+        """List all ACK clusters and fetch their details in a specific region."""
+        region = getattr(regional_client, "region", "unknown")
+        logger.info(f"CS - Describing Kubernetes clusters in {region}...")
+
+        try:
+            # DescribeClustersV1 returns cluster list
+            request = cs_models.DescribeClustersV1Request()
+            response = regional_client.describe_clusters_v1(request)
+
+            if response and response.body and response.body.clusters:
+                for cluster_data in response.body.clusters:
+                    cluster_id = getattr(cluster_data, "cluster_id", "")
+
+                    if not self.audit_resources or is_resource_filtered(
+                        cluster_id, self.audit_resources
+                    ):
+                        # Get detailed information for each cluster
+                        cluster_detail = self._get_cluster_detail(
+                            regional_client, cluster_id
+                        )
+
+                        if cluster_detail:
+                            # Extract audit project name from meta_data
+                            meta_data = cluster_detail.get("meta_data", {})
+                            audit_project_name = meta_data.get("AuditProjectName", "")
+
+                            # Check RBAC status - by default RBAC is enabled on ACK clusters
+                            # We check if there are any indicators that RBAC is disabled
+                            rbac_enabled = self._check_rbac_enabled(
+                                cluster_detail, region
+                            )
+
+                            # Get node pools to check CloudMonitor
+                            cloudmonitor_enabled = self._check_cloudmonitor_enabled(
+                                regional_client, cluster_id
+                            )
+
+                            # Check if cluster checks have been run in the last week
+                            last_check_time = self._get_last_cluster_check(
+                                regional_client, cluster_id
+                            )
+
+                            # Check addons for dashboard, network policy, etc.
+                            addons_status = self._check_cluster_addons(
+                                cluster_detail, region
+                            )
+
+                            # Check for public API server endpoint
+                            public_access_enabled = self._check_public_access(
+                                cluster_detail, region
+                            )
+
+                            self.clusters.append(
+                                Cluster(
+                                    id=cluster_id,
+                                    name=getattr(cluster_data, "name", cluster_id),
+                                    region=region,
+                                    cluster_type=getattr(
+                                        cluster_data, "cluster_type", ""
+                                    ),
+                                    state=getattr(cluster_data, "state", ""),
+                                    audit_project_name=audit_project_name,
+                                    log_service_enabled=bool(audit_project_name),
+                                    cloudmonitor_enabled=cloudmonitor_enabled,
+                                    rbac_enabled=rbac_enabled,
+                                    last_check_time=last_check_time,
+                                    dashboard_enabled=addons_status[
+                                        "dashboard_enabled"
+                                    ],
+                                    network_policy_enabled=addons_status[
+                                        "network_policy_enabled"
+                                    ],
+                                    eni_multiple_ip_enabled=addons_status[
+                                        "eni_multiple_ip_enabled"
+                                    ],
+                                    private_cluster_enabled=not public_access_enabled,
+                                )
+                            )
+
+        except Exception as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+
+    def _get_cluster_detail(self, regional_client, cluster_id: str) -> dict:
+        """Get detailed information for a specific cluster."""
+        try:
+            # DescribeClusterDetail returns detailed cluster information
+            request = cs_models.DescribeClusterDetailRequest()
+            response = regional_client.describe_cluster_detail(cluster_id, request)
+
+            if response and response.body:
+                # Convert response body to dict
+                body = response.body
+                result = {"meta_data": {}}
+
+                # Check if meta_data exists in the response
+                if hasattr(body, "meta_data"):
+                    meta_data = body.meta_data
+                    if meta_data:
+                        result["meta_data"] = dict(meta_data)
+
+                return result
+
+            return {}
+
+        except Exception as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+            return {}
+
+    def _check_cloudmonitor_enabled(self, regional_client, cluster_id: str) -> bool:
+        """Check if CloudMonitor is enabled on cluster node pools."""
+        try:
+            # DescribeClusterNodePools returns node pool information
+            request = cs_models.DescribeClusterNodePoolsRequest()
+            response = regional_client.describe_cluster_node_pools(cluster_id, request)
+
+            if response and response.body and response.body.nodepools:
+                nodepools = response.body.nodepools
+
+                # Check if ALL node pools have CloudMonitor enabled
+                # If any node pool has cms_enabled=false, the cluster fails
+                for nodepool in nodepools:
+                    kubernetes_config = getattr(nodepool, "kubernetes_config", None)
+                    if kubernetes_config:
+                        cms_enabled = getattr(kubernetes_config, "cms_enabled", False)
+                        if not cms_enabled:
+                            return False
+
+                # All node pools have CloudMonitor enabled
+                return True if nodepools else False
+
+            return False
+
+        except Exception as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+            return False
+
+    def _check_rbac_enabled(self, cluster_detail: dict, region: str) -> bool:
+        """
+        Check if RBAC is enabled on the cluster.
+
+        By default, RBAC is enabled on ACK clusters and ABAC is disabled.
+        We check for any indicators that RBAC might be disabled or legacy auth enabled.
+        """
+        try:
+            # Check if cluster has RBAC enabled (default is true for ACK clusters)
+            # Look for security_options or parameters that indicate RBAC status
+
+            # Check meta_data for any RBAC-related settings
+            meta_data = cluster_detail.get("meta_data", {})
+
+            # If there's an explicit RBAC disabled flag, check it
+            if "RBACEnabled" in meta_data:
+                return meta_data.get("RBACEnabled", "true") in ["true", "True", True]
+
+            # Check parameters for authorization mode
+            parameters = cluster_detail.get("parameters", {})
+            if parameters:
+                # Check if there's an authorization mode parameter
+                auth_mode = parameters.get("authorization_mode", "RBAC")
+                if "ABAC" in auth_mode and "RBAC" not in auth_mode:
+                    # Legacy ABAC-only mode
+                    return False
+
+            # By default, RBAC is enabled on ACK clusters
+            # If we don't find explicit indicators that it's disabled, assume it's enabled
+            return True
+
+        except Exception as error:
+            logger.error(
+                f"{region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+            # Default to True as RBAC is enabled by default on ACK
+            return True
+
+    def _get_last_cluster_check(self, regional_client, cluster_id: str):
+        """
+        Get the most recent successful cluster check time.
+
+        Returns the finished_at timestamp of the most recent successful cluster check,
+        or None if no successful checks found.
+        """
+        try:
+            # DescribeClusterChecks returns cluster check history
+            request = cs_models.DescribeClusterChecksRequest()
+            response = regional_client.describe_cluster_checks(cluster_id, request)
+
+            if response and response.body and response.body.checks:
+                checks = response.body.checks
+
+                # Find the most recent successful check
+                most_recent_check = None
+
+                for check in checks:
+                    status = getattr(check, "status", "")
+                    finished_at = getattr(check, "finished_at", None)
+
+                    if status == "Succeeded" and finished_at:
+                        # Parse the timestamp
+                        if most_recent_check is None or finished_at > most_recent_check:
+                            most_recent_check = finished_at
+
+                return most_recent_check
+
+            return None
+
+        except Exception as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+            return None
+
+    def _check_cluster_addons(self, cluster_detail: dict, region: str) -> dict:
+        """
+        Check cluster addons for various security configurations.
+
+        Returns:
+            dict: {
+                "dashboard_enabled": bool,
+                "network_policy_enabled": bool,
+                "eni_multiple_ip_enabled": bool
+            }
+        """
+        result = {
+            "dashboard_enabled": False,
+            "network_policy_enabled": False,
+            "eni_multiple_ip_enabled": False,
+        }
+
+        try:
+            meta_data = cluster_detail.get("meta_data", {})
+
+            # Check Addons list in meta_data
+            # Note: Addons structure from API is typically a string representation of JSON or a list
+            # Based on sample: "Addons": [{"name": "gateway-api", ...}, ...]
+            addons = meta_data.get("Addons", [])
+
+            # If addons is string, try to parse it?
+            # The SDK typically handles this conversion, but let's be safe
+            if isinstance(addons, str):
+                import json
+
+                try:
+                    addons = json.loads(addons)
+                except Exception:
+                    addons = []
+
+            for addon in addons:
+                name = addon.get("name", "")
+                disabled = addon.get("disabled", False)
+
+                # Check 7.5: Kubernetes Dashboard
+                if name == "kubernetes-dashboard" and not disabled:
+                    result["dashboard_enabled"] = True
+
+                # Check 7.7 & 7.8: Terway network plugin
+                if name == "terway-eniip" or name == "terway":
+                    result["network_policy_enabled"] = True
+                    result["eni_multiple_ip_enabled"] = True
+
+            return result
+
+        except Exception as error:
+            logger.error(
+                f"{region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+            return result
+
+    def _check_public_access(self, cluster_detail: dict, region: str) -> bool:
+        """
+        Check if cluster API server is accessible from public internet.
+
+        Returns:
+            bool: True if public access is enabled, False otherwise.
+        """
+        try:
+            # Check master_url in cluster detail
+            master_url = cluster_detail.get("master_url", "")
+
+            # If master_url contains a public IP or DNS, public access is enabled
+            # Private clusters typically don't expose a public endpoint or have specific settings
+
+            # Check endpoint_public in parameters
+            parameters = cluster_detail.get("parameters", {})
+            endpoint_public = parameters.get("endpoint_public", "")
+
+            if endpoint_public:
+                return True
+
+            # If we can't find explicit indicator, check if master_url is present
+            # This is a heuristic - typical ACK public clusters expose a master_url
+            if master_url:
+                return True
+
+            return False
+
+        except Exception as error:
+            logger.error(
+                f"{region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+            return False
+
+
+# Models for CS service
+class Cluster(BaseModel):
+    """ACK Cluster model."""
+
+    id: str
+    name: str
+    region: str
+    cluster_type: str
+    state: str
+    audit_project_name: str = ""
+    log_service_enabled: bool = False
+    cloudmonitor_enabled: bool = False
+    rbac_enabled: bool = True  # Default is True for ACK clusters
+    last_check_time: Optional[datetime] = None
+    dashboard_enabled: bool = False
+    network_policy_enabled: bool = False
+    eni_multiple_ip_enabled: bool = False
+    private_cluster_enabled: bool = False

prowler/providers/alibabacloud/services/ecs/ecs_attached_disk_encrypted/ecs_attached_disk_encrypted.metadata.json

@@ -0,0 +1,38 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "ecs_attached_disk_encrypted",
+  "CheckTitle": "Virtual Machines disk are encrypted",
+  "CheckType": [
+    "Sensitive file tampering"
+  ],
+  "ServiceName": "ecs",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:ecs:region:account-id:disk/{disk-id}",
+  "Severity": "high",
+  "ResourceType": "AlibabaCloudECSDisk",
+  "Description": "**ECS cloud disk encryption** protects your data at rest. The cloud disk data encryption feature automatically encrypts data when data is transferred from ECS instances to disks, and decrypts data when read from disks.\n\nEnsure that disks are encrypted when they are created with the creation of VM instances.",
+  "Risk": "**Unencrypted disks** attached to ECS instances pose a security risk as they may contain sensitive data that could be accessed if the disk is compromised or accessed by unauthorized parties.\n\nData at rest without encryption is vulnerable to **unauthorized access** if storage media is lost, stolen, or improperly decommissioned.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.alibabacloud.com/help/doc-detail/59643.htm",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ECS/encrypt-vm-instance-disks.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "aliyun ecs CreateDisk --DiskName <disk_name> --Size <size> --Encrypted true --KmsKeyId <kms_key_id>",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": "resource \"alicloud_ecs_disk\" \"encrypted\" {\n  zone_id   = \"cn-hangzhou-a\"\n  disk_name = \"encrypted-disk\"\n  category  = \"cloud_efficiency\"\n  size      = 20\n  encrypted = true\n  kms_key_id = alicloud_kms_key.example.id\n}"
+    },
+    "Recommendation": {
+      "Text": "**Encrypt a system disk when copying an image:**\n1. Log on to the **ECS Console** > **Instances & Images** > **Images**\n2. Select the **Custom Image** tab and select target image\n3. Click **Copy Image** and check the **Encrypt** box\n4. Select a key and click **OK**\n\n**Encrypt a data disk when creating an instance:**\n1. Log on to the **ECS Console** > **Instances & Images** > **Instances** > **Create Instance**\n2. In the Storage section, click **Add Disk**\n3. Select **Disk Encryption** and choose a key\n\n**Note:** You cannot directly convert unencrypted disks to encrypted disks.",
+      "Url": "https://hub.prowler.com/check/ecs_attached_disk_encrypted"
+    }
+  },
+  "Categories": [
+    "encryption"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/alibabacloud/services/ecs/ecs_attached_disk_encrypted/ecs_attached_disk_encrypted.py

@@ -0,0 +1,38 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.ecs.ecs_client import ecs_client
+
+
+class ecs_attached_disk_encrypted(Check):
+    """Check if attached disks are encrypted."""
+
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+
+        for disk in ecs_client.disks:
+            # Only check attached disks
+            if disk.is_attached:
+                report = CheckReportAlibabaCloud(
+                    metadata=self.metadata(), resource=disk
+                )
+                report.region = disk.region
+                report.resource_id = disk.id
+                report.resource_arn = (
+                    f"acs:ecs:{disk.region}:{ecs_client.audited_account}:disk/{disk.id}"
+                )
+
+                if disk.is_encrypted:
+                    report.status = "PASS"
+                    report.status_extended = (
+                        f"Disk {disk.name if disk.name else disk.id} attached to instance "
+                        f"{disk.attached_instance_id} is encrypted."
+                    )
+                else:
+                    report.status = "FAIL"
+                    report.status_extended = (
+                        f"Disk {disk.name if disk.name else disk.id} attached to instance "
+                        f"{disk.attached_instance_id} is not encrypted."
+                    )
+
+                findings.append(report)
+
+        return findings

prowler/providers/alibabacloud/services/ecs/ecs_client.py

@@ -0,0 +1,4 @@
+from prowler.providers.alibabacloud.services.ecs.ecs_service import ECS
+from prowler.providers.common.provider import Provider
+
+ecs_client = ECS(Provider.get_global_provider())

prowler/providers/alibabacloud/services/ecs/ecs_instance_endpoint_protection_installed/ecs_instance_endpoint_protection_installed.metadata.json

@@ -0,0 +1,41 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "ecs_instance_endpoint_protection_installed",
+  "CheckTitle": "The endpoint protection for all Virtual Machines is installed",
+  "CheckType": [
+    "Suspicious process",
+    "Webshell",
+    "Unusual logon",
+    "Sensitive file tampering",
+    "Malicious software"
+  ],
+  "ServiceName": "ecs",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:ecs:region:account-id:instance/{instance-id}",
+  "Severity": "high",
+  "ResourceType": "AlibabaCloudECSInstance",
+  "Description": "Installing **endpoint protection systems** (like **Security Center** for Alibaba Cloud) provides real-time protection capability that helps identify and remove viruses, spyware, and other malicious software.\n\nConfigurable alerts notify when known malicious software attempts to install itself or run on ECS instances.",
+  "Risk": "ECS instances without **endpoint protection** are vulnerable to **malware**, **viruses**, and other security threats.\n\nEndpoint protection provides real-time monitoring and protection capabilities essential for detecting and preventing security incidents.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ECS/enable-endpoint-protection.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "Logon to Security Center Console > Select Settings > Click Agent > Select virtual machines without Security Center agent > Click Install",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "1. Log on to the **Security Center Console**\n2. Select **Settings**\n3. Click **Agent**\n4. On the Agent tab, select the virtual machines without Security Center agent installed\n5. Click **Install**",
+      "Url": "https://hub.prowler.com/check/ecs_instance_endpoint_protection_installed"
+    }
+  },
+  "Categories": [
+    "forensics-ready"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/alibabacloud/services/ecs/ecs_instance_endpoint_protection_installed/ecs_instance_endpoint_protection_installed.py

@@ -0,0 +1,47 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.ecs.ecs_client import ecs_client
+from prowler.providers.alibabacloud.services.securitycenter.securitycenter_client import (
+    securitycenter_client,
+)
+
+
+class ecs_instance_endpoint_protection_installed(Check):
+    """Check if endpoint protection for all Virtual Machines is installed."""
+
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+
+        # Check each ECS instance for Security Center agent
+        for instance in ecs_client.instances:
+            # Only check running instances
+            if instance.status.lower() not in ["running", "starting"]:
+                continue
+
+            report = CheckReportAlibabaCloud(
+                metadata=self.metadata(), resource=instance
+            )
+            report.region = instance.region
+            report.resource_id = instance.id
+            report.resource_arn = f"acs:ecs:{instance.region}:{ecs_client.audited_account}:instance/{instance.id}"
+
+            # Check if Security Center agent is installed
+            instance_key = f"{instance.region}:{instance.id}"
+            agent = securitycenter_client.instance_agents.get(instance_key)
+
+            if agent:
+                if agent.agent_installed and agent.agent_status == "online":
+                    report.status = "PASS"
+                    report.status_extended = (
+                        f"ECS instance {instance.name if instance.name else instance.id} "
+                        "has Security Center agent installed and online."
+                    )
+                else:
+                    report.status = "FAIL"
+                    report.status_extended = (
+                        f"ECS instance {instance.name if instance.name else instance.id} "
+                        f"does not have Security Center agent installed or agent is {agent.agent_status}."
+                    )
+
+                findings.append(report)
+
+        return findings

prowler/providers/alibabacloud/services/ecs/ecs_instance_latest_os_patches_applied/ecs_instance_latest_os_patches_applied.metadata.json

@@ -0,0 +1,38 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "ecs_instance_latest_os_patches_applied",
+  "CheckTitle": "The latest OS Patches for all Virtual Machines are applied",
+  "CheckType": [
+    "Malicious software",
+    "Web application threat detection"
+  ],
+  "ServiceName": "ecs",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:ecs:region:account-id:instance/{instance-id}",
+  "Severity": "high",
+  "ResourceType": "AlibabaCloudECSInstance",
+  "Description": "Windows and Linux virtual machines should be kept updated to address specific bugs or flaws, improve OS or application's general stability, and fix **security vulnerabilities**.\n\nThe Alibaba Cloud **Security Center** checks for the latest updates in Linux and Windows systems.",
+  "Risk": "**Unpatched systems** are vulnerable to known security exploits and may be compromised by attackers.\n\nKeeping systems updated with the latest patches is critical for maintaining security and preventing **exploitation of known vulnerabilities**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ECS/apply-latest-os-patches.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "Logon to Security Center Console > Select Vulnerabilities > Apply all patches for vulnerabilities",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "1. Log on to the **Security Center Console**\n2. Select **Vulnerabilities**\n3. Ensure all vulnerabilities are fixed\n4. Apply all patches for vulnerabilities",
+      "Url": "https://hub.prowler.com/check/ecs_instance_latest_os_patches_applied"
+    }
+  },
+  "Categories": [
+    "vulnerabilities"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}