prowler-cloud 5.14.1__py3-none-any.whl → 5.15.0__py3-none-any.whl

prowler/providers/alibabacloud/services/ecs/ecs_instance_latest_os_patches_applied/ecs_instance_latest_os_patches_applied.py

@@ -0,0 +1,50 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.ecs.ecs_client import ecs_client
+from prowler.providers.alibabacloud.services.securitycenter.securitycenter_client import (
+    securitycenter_client,
+)
+
+
+class ecs_instance_latest_os_patches_applied(Check):
+    """Check if the latest OS patches for all Virtual Machines are applied."""
+
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+
+        # Check each ECS instance for vulnerabilities
+        for instance in ecs_client.instances:
+            # Only check running instances
+            if instance.status.lower() not in ["running", "starting"]:
+                continue
+
+            report = CheckReportAlibabaCloud(
+                metadata=self.metadata(), resource=instance
+            )
+            report.region = instance.region
+            report.resource_id = instance.id
+            report.resource_arn = f"acs:ecs:{instance.region}:{ecs_client.audited_account}:instance/{instance.id}"
+
+            # Check if instance has vulnerabilities
+            instance_key = f"{instance.region}:{instance.id}"
+            vulnerability = securitycenter_client.instance_vulnerabilities.get(
+                instance_key
+            )
+
+            if vulnerability:
+                if vulnerability.has_vulnerabilities:
+                    report.status = "FAIL"
+                    report.status_extended = (
+                        f"ECS instance {instance.name if instance.name else instance.id} "
+                        f"has {vulnerability.vulnerability_count} unpatched vulnerabilities. "
+                        "Latest OS patches are not applied."
+                    )
+                else:
+                    report.status = "PASS"
+                    report.status_extended = (
+                        f"ECS instance {instance.name if instance.name else instance.id} "
+                        "has all latest OS patches applied."
+                    )
+
+                findings.append(report)
+
+        return findings

prowler/providers/alibabacloud/services/ecs/ecs_instance_no_legacy_network/ecs_instance_no_legacy_network.metadata.json

@@ -0,0 +1,38 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "ecs_instance_no_legacy_network",
+  "CheckTitle": "Legacy networks does not exist",
+  "CheckType": [
+    "Suspicious network connection"
+  ],
+  "ServiceName": "ecs",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:ecs:region:account-id:instance/{instance-id}",
+  "Severity": "medium",
+  "ResourceType": "AlibabaCloudECSInstance",
+  "Description": "In order to prevent use of **legacy networks**, ECS instances should not have a legacy network configured.\n\nLegacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. With legacy networks, you cannot create subnetworks or switch from legacy to auto or custom subnet networks.",
+  "Risk": "**Legacy networks** can have an impact on high network traffic ECS instances and are subject to a **single point of failure**.\n\nThey also lack the security isolation and network segmentation capabilities provided by **VPCs**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.alibabacloud.com/help/doc-detail/87190.htm",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-VPC/legacy-network-usage.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "aliyun ecs CreateInstance --InstanceName <instance_name> --ImageId <image_id> --InstanceType <instance_type> --VSwitchId <vswitch_id>",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "1. Log on to the **ECS Console**\n2. In the left-side navigation pane, choose **Instance & Image** > **Instances**\n3. Click **Create Instance**\n4. Specify the basic instance information required and click **Next: Networking**\n5. Select the Network Type of **VPC**",
+      "Url": "https://hub.prowler.com/check/ecs_instance_no_legacy_network"
+    }
+  },
+  "Categories": [
+    "trust-boundaries"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/alibabacloud/services/ecs/ecs_instance_no_legacy_network/ecs_instance_no_legacy_network.py

@@ -0,0 +1,34 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.ecs.ecs_client import ecs_client
+
+
+class ecs_instance_no_legacy_network(Check):
+    """Check if ECS instances are not using legacy (classic) network."""
+
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+
+        for instance in ecs_client.instances:
+            report = CheckReportAlibabaCloud(
+                metadata=self.metadata(), resource=instance
+            )
+            report.region = instance.region
+            report.resource_id = instance.id
+            report.resource_arn = f"acs:ecs:{instance.region}:{ecs_client.audited_account}:instance/{instance.id}"
+
+            if instance.network_type == "classic":
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"ECS instance {instance.name if instance.name else instance.id} "
+                    f"is using legacy (classic) network type."
+                )
+            else:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"ECS instance {instance.name if instance.name else instance.id} "
+                    f"is using VPC network type."
+                )
+
+            findings.append(report)
+
+        return findings

prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_rdp_internet/ecs_securitygroup_restrict_rdp_internet.metadata.json

@@ -0,0 +1,39 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "ecs_securitygroup_restrict_rdp_internet",
+  "CheckTitle": "RDP access is restricted from the internet",
+  "CheckType": [
+    "Unusual logon",
+    "Suspicious network connection"
+  ],
+  "ServiceName": "ecs",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:ecs:region:account-id:security-group/{security-group-id}",
+  "Severity": "high",
+  "ResourceType": "AlibabaCloudECSSecurityGroup",
+  "Description": "**Security groups** provide stateful filtering of ingress/egress network traffic to Alibaba Cloud resources.\n\nIt is recommended that no security group allows unrestricted ingress access to port **3389 (RDP)**.",
+  "Risk": "Removing unfettered connectivity to remote console services, such as **RDP**, reduces a server's exposure to risk.\n\nUnrestricted RDP access from the internet (`0.0.0.0/0`) exposes systems to **brute force attacks**, **credential stuffing**, and **exploitation of RDP vulnerabilities**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.alibabacloud.com/help/doc-detail/25387.htm",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ECS/unrestricted-rdp-access.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "aliyun ecs RevokeSecurityGroup --SecurityGroupId <security_group_id> --IpProtocol tcp --PortRange 3389/3389 --SourceCidrIp 0.0.0.0/0",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": "resource \"alicloud_security_group_rule\" \"deny_rdp_internet\" {\n  type              = \"ingress\"\n  ip_protocol       = \"tcp\"\n  port_range        = \"3389/3389\"\n  security_group_id = alicloud_security_group.example.id\n  cidr_ip           = \"10.0.0.0/8\"  # Restrict to internal network\n  policy            = \"accept\"\n}"
+    },
+    "Recommendation": {
+      "Text": "1. Log on to the **ECS Console**\n2. In the left-side navigation pane, choose **Network & Security** > **Security Groups**\n3. Find the Security Group you want to modify\n4. Modify Source IP range to specific IP instead of `0.0.0.0/0`\n5. Click **Save**",
+      "Url": "https://hub.prowler.com/check/ecs_securitygroup_restrict_rdp_internet"
+    }
+  },
+  "Categories": [
+    "internet-exposed"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_rdp_internet/ecs_securitygroup_restrict_rdp_internet.py

@@ -0,0 +1,68 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.ecs.ecs_client import ecs_client
+from prowler.providers.alibabacloud.services.ecs.lib.security_groups import (
+    is_public_cidr,
+    port_in_range,
+)
+
+
+class ecs_securitygroup_restrict_rdp_internet(Check):
+    """Check if security groups restrict RDP (port 3389) access from the internet."""
+
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+        check_port = 3389  # RDP port
+
+        for sg_arn, security_group in ecs_client.security_groups.items():
+            report = CheckReportAlibabaCloud(
+                metadata=self.metadata(), resource=security_group
+            )
+            report.region = security_group.region
+            report.resource_id = security_group.id
+            report.resource_arn = security_group.arn
+
+            # Check ingress rules for unrestricted access to RDP port
+            has_unrestricted_access = False
+
+            for ingress_rule in security_group.ingress_rules:
+                # Check if rule allows traffic (policy == "accept")
+                if ingress_rule.get("policy", "accept") != "accept":
+                    continue
+
+                # Check protocol (tcp for RDP)
+                protocol = ingress_rule.get("ip_protocol", "").lower()
+                if protocol not in ["tcp", "all"]:
+                    continue
+
+                # Check if source is public (0.0.0.0/0)
+                source_cidr = ingress_rule.get("source_cidr_ip", "")
+                if not is_public_cidr(source_cidr):
+                    continue
+
+                # Check if port range includes RDP port
+                port_range = ingress_rule.get("port_range", "")
+
+                if protocol == "all":
+                    # If protocol is "all", all ports are open
+                    has_unrestricted_access = True
+                    break
+                elif port_in_range(port_range, check_port):
+                    has_unrestricted_access = True
+                    break
+
+            if has_unrestricted_access:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Security group {security_group.name} ({security_group.id}) "
+                    f"has Microsoft RDP port 3389 open to the internet (0.0.0.0/0)."
+                )
+            else:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Security group {security_group.name} ({security_group.id}) "
+                    f"does not have Microsoft RDP port 3389 open to the internet."
+                )
+
+            findings.append(report)
+
+        return findings

prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_ssh_internet/ecs_securitygroup_restrict_ssh_internet.metadata.json

@@ -0,0 +1,39 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "ecs_securitygroup_restrict_ssh_internet",
+  "CheckTitle": "SSH access is restricted from the internet",
+  "CheckType": [
+    "Unusual logon",
+    "Suspicious network connection"
+  ],
+  "ServiceName": "ecs",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:ecs:region:account-id:security-group/{security-group-id}",
+  "Severity": "high",
+  "ResourceType": "AlibabaCloudECSSecurityGroup",
+  "Description": "**Security groups** provide stateful filtering of ingress/egress network traffic to Alibaba Cloud resources.\n\nIt is recommended that no security group allows unrestricted ingress access to port **22 (SSH)**.",
+  "Risk": "Removing unfettered connectivity to remote console services, such as **SSH**, reduces a server's exposure to risk.\n\nUnrestricted SSH access from the internet (`0.0.0.0/0`) exposes systems to **brute force attacks**, **credential stuffing**, and **exploitation of SSH vulnerabilities**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.alibabacloud.com/help/doc-detail/25387.htm",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ECS/unrestricted-ssh-access.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "aliyun ecs RevokeSecurityGroup --SecurityGroupId <security_group_id> --IpProtocol tcp --PortRange 22/22 --SourceCidrIp 0.0.0.0/0",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": "resource \"alicloud_security_group_rule\" \"deny_ssh_internet\" {\n  type              = \"ingress\"\n  ip_protocol       = \"tcp\"\n  port_range        = \"22/22\"\n  security_group_id = alicloud_security_group.example.id\n  cidr_ip           = \"10.0.0.0/8\"  # Restrict to internal network\n  policy            = \"accept\"\n}"
+    },
+    "Recommendation": {
+      "Text": "1. Log on to the **ECS Console**\n2. In the left-side navigation pane, choose **Network & Security** > **Security Groups**\n3. Find the Security Group you want to modify\n4. Modify Source IP range to specific IP instead of `0.0.0.0/0`\n5. Click **Save**",
+      "Url": "https://hub.prowler.com/check/ecs_securitygroup_restrict_ssh_internet"
+    }
+  },
+  "Categories": [
+    "internet-exposed"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_ssh_internet/ecs_securitygroup_restrict_ssh_internet.py

@@ -0,0 +1,68 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.ecs.ecs_client import ecs_client
+from prowler.providers.alibabacloud.services.ecs.lib.security_groups import (
+    is_public_cidr,
+    port_in_range,
+)
+
+
+class ecs_securitygroup_restrict_ssh_internet(Check):
+    """Check if security groups restrict SSH (port 22) access from the internet."""
+
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+        check_port = 22  # SSH port
+
+        for sg_arn, security_group in ecs_client.security_groups.items():
+            report = CheckReportAlibabaCloud(
+                metadata=self.metadata(), resource=security_group
+            )
+            report.region = security_group.region
+            report.resource_id = security_group.id
+            report.resource_arn = security_group.arn
+
+            # Check ingress rules for unrestricted access to SSH port
+            has_unrestricted_access = False
+
+            for ingress_rule in security_group.ingress_rules:
+                # Check if rule allows traffic (policy == "accept")
+                if ingress_rule.get("policy", "accept") != "accept":
+                    continue
+
+                # Check protocol (tcp for SSH)
+                protocol = ingress_rule.get("ip_protocol", "").lower()
+                if protocol not in ["tcp", "all"]:
+                    continue
+
+                # Check if source is public (0.0.0.0/0)
+                source_cidr = ingress_rule.get("source_cidr_ip", "")
+                if not is_public_cidr(source_cidr):
+                    continue
+
+                # Check if port range includes SSH port
+                port_range = ingress_rule.get("port_range", "")
+
+                if protocol == "all":
+                    # If protocol is "all", all ports are open
+                    has_unrestricted_access = True
+                    break
+                elif port_in_range(port_range, check_port):
+                    has_unrestricted_access = True
+                    break
+
+            if has_unrestricted_access:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Security group {security_group.name} ({security_group.id}) "
+                    f"has SSH port 22 open to the internet (0.0.0.0/0)."
+                )
+            else:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Security group {security_group.name} ({security_group.id}) "
+                    f"does not have SSH port 22 open to the internet."
+                )
+
+            findings.append(report)
+
+        return findings