PyPI - prowler-cloud - Versions diffs - 5.14.1__py3-none-any.whl → 5.15.0__py3-none-any.whl - Mend

prowler-cloud 5.14.1py3-none-any.whl → 5.15.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (326) hide show

prowler/providers/alibabacloud/services/ecs/ecs_service.py ADDED Viewed

@@ -0,0 +1,380 @@
+from datetime import datetime
+from typing import Optional
+from alibabacloud_ecs20140526 import models as ecs_models
+from pydantic.v1 import BaseModel
+from prowler.lib.logger import logger
+from prowler.lib.scan_filters.scan_filters import is_resource_filtered
+from prowler.providers.alibabacloud.lib.service.service import AlibabaCloudService
+class ECS(AlibabaCloudService):
+    """
+    ECS (Elastic Compute Service) service class for Alibaba Cloud.
+    This class provides methods to interact with Alibaba Cloud ECS service
+    to retrieve instances, security groups, etc.
+    """
+    def __init__(self, provider):
+        # Call AlibabaCloudService's __init__
+        super().__init__(__class__.__name__, provider, global_service=False)
+        # Fetch ECS resources
+        self.instances = []
+        self.__threading_call__(self._describe_instances)
+        self.security_groups = {}
+        self.__threading_call__(self._describe_security_groups)
+        self.disks = []
+        self.__threading_call__(self._describe_disks)
+    def _describe_instances(self, regional_client):
+        """List all ECS instances in the region."""
+        region = getattr(regional_client, "region", "unknown")
+        logger.info(f"ECS - Describing Instances in {region}...")
+        try:
+            request = ecs_models.DescribeInstancesRequest()
+            request.region_id = region
+            # Get all instances (paginated)
+            page_number = 1
+            page_size = 50
+            while True:
+                request.page_number = page_number
+                request.page_size = page_size
+                response = regional_client.describe_instances(request)
+                if response and response.body and response.body.instances:
+                    instances_data = response.body.instances.instance
+                    if not instances_data:
+                        break
+                    for instance_data in instances_data:
+                        instance_id = instance_data.instance_id
+                        if not self.audit_resources or is_resource_filtered(
+                            instance_id, self.audit_resources
+                        ):
+                            # Check network type
+                            # InstanceNetworkType can be "classic" or "vpc"
+                            # If VpcAttributes exists, it's VPC; if not, it might be classic
+                            network_type = "vpc"  # Default to VPC
+                            vpc_attributes = getattr(
+                                instance_data, "vpc_attributes", None
+                            )
+                            instance_network_type = getattr(
+                                instance_data, "instance_network_type", None
+                            )
+                            # Determine network type
+                            if instance_network_type:
+                                network_type = instance_network_type
+                            elif not vpc_attributes:
+                                # If no VPC attributes, it's likely classic network
+                                network_type = "classic"
+                            vpc_id = ""
+                            if vpc_attributes:
+                                vpc_id = getattr(vpc_attributes, "vpc_id", "")
+                            self.instances.append(
+                                Instance(
+                                    id=instance_id,
+                                    name=getattr(
+                                        instance_data, "instance_name", instance_id
+                                    ),
+                                    region=region,
+                                    status=getattr(instance_data, "status", ""),
+                                    instance_type=getattr(
+                                        instance_data, "instance_type", ""
+                                    ),
+                                    network_type=network_type,
+                                    vpc_id=vpc_id,
+                                    create_time=getattr(
+                                        instance_data, "creation_time", None
+                                    ),
+                                )
+                            )
+                    # Check if there are more pages
+                    total_count = getattr(response.body, "total_count", 0)
+                    if page_number * page_size >= total_count:
+                        break
+                    page_number += 1
+                else:
+                    break
+        except Exception as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+    def _describe_security_groups(self, regional_client):
+        """List all security groups and their rules in the region."""
+        region = getattr(regional_client, "region", "unknown")
+        logger.info(f"ECS - Describing Security Groups in {region}...")
+        try:
+            request = ecs_models.DescribeSecurityGroupsRequest()
+            request.region_id = region
+            # Get all security groups (paginated)
+            page_number = 1
+            page_size = 50
+            while True:
+                request.page_number = page_number
+                request.page_size = page_size
+                response = regional_client.describe_security_groups(request)
+                if response and response.body and response.body.security_groups:
+                    security_groups_data = response.body.security_groups.security_group
+                    if not security_groups_data:
+                        break
+                    for sg_data in security_groups_data:
+                        sg_id = sg_data.security_group_id
+                        if not self.audit_resources or is_resource_filtered(
+                            sg_id, self.audit_resources
+                        ):
+                            # Get security group rules
+                            ingress_rules = []
+                            egress_rules = []
+                            # Get ingress rules
+                            try:
+                                rules_request = (
+                                    ecs_models.DescribeSecurityGroupAttributeRequest()
+                                )
+                                rules_request.security_group_id = sg_id
+                                rules_request.region_id = region
+                                rules_request.direction = "ingress"
+                                rules_response = (
+                                    regional_client.describe_security_group_attribute(
+                                        rules_request
+                                    )
+                                )
+                                if (
+                                    rules_response
+                                    and rules_response.body
+                                    and rules_response.body.permissions
+                                ):
+                                    permissions = (
+                                        rules_response.body.permissions.permission
+                                    )
+                                    if permissions:
+                                        for rule in permissions:
+                                            ingress_rules.append(
+                                                {
+                                                    "port_range": getattr(
+                                                        rule, "port_range", ""
+                                                    ),
+                                                    "source_cidr_ip": getattr(
+                                                        rule, "source_cidr_ip", ""
+                                                    ),
+                                                    "ip_protocol": getattr(
+                                                        rule, "ip_protocol", ""
+                                                    ),
+                                                    "policy": getattr(
+                                                        rule, "policy", "accept"
+                                                    ),
+                                                }
+                                            )
+                            except Exception as error:
+                                logger.warning(
+                                    f"Could not get ingress rules for security group {sg_id}: {error}"
+                                )
+                            # Get egress rules
+                            try:
+                                rules_request = (
+                                    ecs_models.DescribeSecurityGroupAttributeRequest()
+                                )
+                                rules_request.security_group_id = sg_id
+                                rules_request.region_id = region
+                                rules_request.direction = "egress"
+                                rules_response = (
+                                    regional_client.describe_security_group_attribute(
+                                        rules_request
+                                    )
+                                )
+                                if (
+                                    rules_response
+                                    and rules_response.body
+                                    and rules_response.body.permissions
+                                ):
+                                    permissions = (
+                                        rules_response.body.permissions.permission
+                                    )
+                                    if permissions:
+                                        for rule in permissions:
+                                            egress_rules.append(
+                                                {
+                                                    "port_range": getattr(
+                                                        rule, "port_range", ""
+                                                    ),
+                                                    "dest_cidr_ip": getattr(
+                                                        rule, "dest_cidr_ip", ""
+                                                    ),
+                                                    "ip_protocol": getattr(
+                                                        rule, "ip_protocol", ""
+                                                    ),
+                                                    "policy": getattr(
+                                                        rule, "policy", "accept"
+                                                    ),
+                                                }
+                                            )
+                            except Exception as error:
+                                logger.warning(
+                                    f"Could not get egress rules for security group {sg_id}: {error}"
+                                )
+                            sg_arn = f"acs:ecs:{region}:{self.audited_account}:security-group/{sg_id}"
+                            self.security_groups[sg_arn] = SecurityGroup(
+                                id=sg_id,
+                                name=getattr(sg_data, "security_group_name", sg_id),
+                                region=region,
+                                arn=sg_arn,
+                                vpc_id=getattr(sg_data, "vpc_id", ""),
+                                description=getattr(sg_data, "description", ""),
+                                ingress_rules=ingress_rules,
+                                egress_rules=egress_rules,
+                            )
+                    # Check if there are more pages
+                    total_count = getattr(response.body, "total_count", 0)
+                    if page_number * page_size >= total_count:
+                        break
+                    page_number += 1
+                else:
+                    break
+        except Exception as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+    def _describe_disks(self, regional_client):
+        """List all disks in the region."""
+        region = getattr(regional_client, "region", "unknown")
+        logger.info(f"ECS - Describing Disks in {region}...")
+        try:
+            request = ecs_models.DescribeDisksRequest()
+            request.region_id = region
+            # Get all disks (paginated)
+            page_number = 1
+            page_size = 50
+            while True:
+                request.page_number = page_number
+                request.page_size = page_size
+                response = regional_client.describe_disks(request)
+                if response and response.body and response.body.disks:
+                    disks_data = response.body.disks.disk
+                    if not disks_data:
+                        break
+                    for disk_data in disks_data:
+                        disk_id = disk_data.disk_id
+                        if not self.audit_resources or is_resource_filtered(
+                            disk_id, self.audit_resources
+                        ):
+                            # Check if disk is attached
+                            attached_instance_id = getattr(disk_data, "instance_id", "")
+                            is_attached = bool(attached_instance_id)
+                            # Check encryption status
+                            # In Alibaba Cloud, encryption can be indicated by:
+                            # 1. encrypted field (boolean)
+                            # 2. encryption_algorithm field (non-empty string)
+                            # 3. kms_key_id field (non-empty string)
+                            encrypted = getattr(disk_data, "encrypted", False)
+                            encryption_algorithm = getattr(
+                                disk_data, "encryption_algorithm", ""
+                            )
+                            kms_key_id = getattr(disk_data, "kms_key_id", "")
+                            # Disk is encrypted if any of these conditions are true
+                            is_encrypted = (
+                                encrypted
+                                or bool(encryption_algorithm)
+                                or bool(kms_key_id)
+                            )
+                            self.disks.append(
+                                Disk(
+                                    id=disk_id,
+                                    name=getattr(disk_data, "disk_name", disk_id),
+                                    region=region,
+                                    status=getattr(disk_data, "status", ""),
+                                    disk_category=getattr(disk_data, "category", ""),
+                                    size=getattr(disk_data, "size", 0),
+                                    is_attached=is_attached,
+                                    attached_instance_id=attached_instance_id,
+                                    is_encrypted=is_encrypted,
+                                    encryption_algorithm=encryption_algorithm or "",
+                                    create_time=getattr(
+                                        disk_data, "creation_time", None
+                                    ),
+                                )
+                            )
+                    # Check if there are more pages
+                    total_count = getattr(response.body, "total_count", 0)
+                    if page_number * page_size >= total_count:
+                        break
+                    page_number += 1
+                else:
+                    break
+        except Exception as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+# Models for ECS service
+class Instance(BaseModel):
+    """ECS Instance model."""
+    id: str
+    name: str
+    region: str
+    status: str
+    instance_type: str
+    network_type: str  # "classic" or "vpc"
+    vpc_id: str = ""
+    create_time: Optional[datetime] = None
+class SecurityGroup(BaseModel):
+    """ECS Security Group model."""
+    id: str
+    name: str
+    region: str
+    arn: str
+    vpc_id: str = ""
+    description: str = ""
+    ingress_rules: list[dict] = []
+    egress_rules: list[dict] = []
+class Disk(BaseModel):
+    """ECS Disk model."""
+    id: str
+    name: str
+    region: str
+    status: str
+    disk_category: str
+    size: int
+    is_attached: bool
+    attached_instance_id: str = ""
+    is_encrypted: bool
+    encryption_algorithm: str = ""
+    create_time: Optional[datetime] = None

prowler/providers/alibabacloud/services/ecs/ecs_unattached_disk_encrypted/__init__.py ADDED Viewed

File without changes

prowler/providers/alibabacloud/services/ecs/ecs_unattached_disk_encrypted/ecs_unattached_disk_encrypted.metadata.json ADDED Viewed

@@ -0,0 +1,38 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "ecs_unattached_disk_encrypted",
+  "CheckTitle": "Unattached disks are encrypted",
+  "CheckType": [
+    "Sensitive file tampering"
+  ],
+  "ServiceName": "ecs",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:ecs:region:account-id:disk/{disk-id}",
+  "Severity": "high",
+  "ResourceType": "AlibabaCloudECSDisk",
+  "Description": "**Cloud disk encryption** protects your data at rest. The cloud disk data encryption feature automatically encrypts data when data is transferred from ECS instances to disks, and decrypts data when read from disks.",
+  "Risk": "**Unencrypted unattached disks** pose a security risk as they may contain sensitive data that could be accessed if the disk is compromised or accessed by unauthorized parties.\n\nUnattached disks are especially vulnerable as they may be forgotten or not monitored, increasing the risk of **unauthorized access**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.alibabacloud.com/help/doc-detail/59643.htm",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ECS/encrypt-unattached-disks.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "aliyun ecs CreateDisk --DiskName <disk_name> --Size <size> --Encrypted true --KmsKeyId <kms_key_id>",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": "resource \"alicloud_ecs_disk\" \"encrypted\" {\n  zone_id   = \"cn-hangzhou-a\"\n  disk_name = \"encrypted-disk\"\n  category  = \"cloud_efficiency\"\n  size      = 20\n  encrypted = true\n  kms_key_id = alicloud_kms_key.example.id\n}"
+    },
+    "Recommendation": {
+      "Text": "1. Log on to the **ECS Console**\n2. In the left-side navigation pane, choose **Storage & Snapshots** > **Disk**\n3. In the upper-right corner of the Disks page, click **Create Disk**\n4. In the Disk section, check the **Disk Encryption** box and select a key from the drop-down list\n\n**Note:** After a data disk is created, you can only encrypt the data disk by manually copying data from the unencrypted disk to a new encrypted disk.",
+      "Url": "https://hub.prowler.com/check/ecs_unattached_disk_encrypted"
+    }
+  },
+  "Categories": [
+    "encryption"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/alibabacloud/services/ecs/ecs_unattached_disk_encrypted/ecs_unattached_disk_encrypted.py ADDED Viewed

@@ -0,0 +1,38 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.ecs.ecs_client import ecs_client
+class ecs_unattached_disk_encrypted(Check):
+    """Check if unattached disks are encrypted."""
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+        for disk in ecs_client.disks:
+            # Only check unattached disks
+            if not disk.is_attached:
+                report = CheckReportAlibabaCloud(
+                    metadata=self.metadata(), resource=disk
+                )
+                report.region = disk.region
+                report.resource_id = disk.id
+                report.resource_arn = (
+                    f"acs:ecs:{disk.region}:{ecs_client.audited_account}:disk/{disk.id}"
+                )
+                if disk.is_encrypted:
+                    report.status = "PASS"
+                    report.status_extended = (
+                        f"Unattached disk {disk.name if disk.name else disk.id} "
+                        f"is encrypted."
+                    )
+                else:
+                    report.status = "FAIL"
+                    report.status_extended = (
+                        f"Unattached disk {disk.name if disk.name else disk.id} "
+                        f"is not encrypted."
+                    )
+                findings.append(report)
+        return findings

prowler/providers/alibabacloud/services/ecs/lib/security_groups.py ADDED Viewed

@@ -0,0 +1,23 @@
+def is_public_cidr(cidr: str) -> bool:
+    """Return True when the CIDR represents public/unrestricted access."""
+    return cidr in ("0.0.0.0/0", "::/0")
+def port_in_range(port_range: str, target_port: int) -> bool:
+    """
+    Check if target_port is within the provided port range.
+    Port range examples:
+    - "3389/3389" -> single port range
+    - "22" -> single port
+    """
+    if not port_range:
+        return False
+    try:
+        if "/" in port_range:
+            from_port, to_port = map(int, port_range.split("/"))
+            return from_port <= target_port <= to_port
+        return int(port_range) == target_port
+    except (ValueError, AttributeError):
+        return False

prowler/providers/alibabacloud/services/oss/__init__.py ADDED Viewed

File without changes

prowler/providers/alibabacloud/services/oss/oss_bucket_logging_enabled/__init__.py ADDED Viewed

File without changes

prowler/providers/alibabacloud/services/oss/oss_bucket_logging_enabled/oss_bucket_logging_enabled.metadata.json ADDED Viewed

@@ -0,0 +1,39 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "oss_bucket_logging_enabled",
+  "CheckTitle": "Logging is enabled for OSS buckets",
+  "CheckType": [
+    "Sensitive file tampering",
+    "Cloud threat detection"
+  ],
+  "ServiceName": "oss",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:oss::account-id:bucket-name",
+  "Severity": "medium",
+  "ResourceType": "AlibabaCloudOSSBucket",
+  "Description": "**OSS Bucket Access Logging** generates a log that contains access records for each request made to your OSS bucket.\n\nAn access log record contains details about the request, such as the request type, the resources specified in the request, and the time and date the request was processed. It is recommended that bucket access logging be enabled on OSS buckets.",
+  "Risk": "By enabling **OSS bucket logging** on target OSS buckets, it is possible to capture all events which may affect objects within target buckets.\n\nConfiguring logs to be placed in a separate bucket allows access to log information useful in **security** and **incident response** workflows.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.alibabacloud.com/help/doc-detail/31900.htm",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-OSS/enable-bucket-access-logging.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "ossutil logging --method put oss://<bucket-name> --target-bucket <target-bucket> --target-prefix <prefix>",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": "resource \"alicloud_oss_bucket_logging\" \"example\" {\n  bucket        = alicloud_oss_bucket.example.bucket\n  target_bucket = alicloud_oss_bucket.log_bucket.bucket\n  target_prefix = \"log/\"\n}"
+    },
+    "Recommendation": {
+      "Text": "1. Log on to the **OSS Console**\n2. In the bucket-list pane, click on a target OSS bucket\n3. Under **Log**, click **Configure**\n4. Click the **Enabled** checkbox\n5. Select `Target Bucket` from the list\n6. Enter a `Target Prefix`\n7. Click **Save**",
+      "Url": "https://hub.prowler.com/check/oss_bucket_logging_enabled"
+    }
+  },
+  "Categories": [
+    "logging"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/alibabacloud/services/oss/oss_bucket_logging_enabled/oss_bucket_logging_enabled.py ADDED Viewed

@@ -0,0 +1,37 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.oss.oss_client import oss_client
+class oss_bucket_logging_enabled(Check):
+    """Check if logging is enabled for OSS buckets."""
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+        for bucket in oss_client.buckets.values():
+            report = CheckReportAlibabaCloud(metadata=self.metadata(), resource=bucket)
+            report.region = bucket.region
+            report.resource_id = bucket.name
+            report.resource_arn = bucket.arn
+            if bucket.logging_enabled:
+                report.status = "PASS"
+                if bucket.logging_target_bucket:
+                    report.status_extended = (
+                        f"OSS bucket {bucket.name} has logging enabled. "
+                        f"Logs are stored in bucket '{bucket.logging_target_bucket}' "
+                        f"with prefix {bucket.logging_target_prefix}."
+                    )
+                else:
+                    report.status_extended = (
+                        f"OSS bucket {bucket.name} has logging enabled."
+                    )
+            else:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"OSS bucket {bucket.name} does not have logging enabled."
+                )
+            findings.append(report)
+        return findings

prowler/providers/alibabacloud/services/oss/oss_bucket_not_publicly_accessible/__init__.py ADDED Viewed

File without changes

prowler/providers/alibabacloud/services/oss/oss_bucket_not_publicly_accessible/oss_bucket_not_publicly_accessible.metadata.json ADDED Viewed

@@ -0,0 +1,39 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "oss_bucket_not_publicly_accessible",
+  "CheckTitle": "OSS bucket is not anonymously or publicly accessible",
+  "CheckType": [
+    "Sensitive file tampering",
+    "Cloud threat detection"
+  ],
+  "ServiceName": "oss",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:oss::account-id:bucket-name",
+  "Severity": "critical",
+  "ResourceType": "AlibabaCloudOSSBucket",
+  "Description": "A bucket is a container used to store objects in **Object Storage Service (OSS)**. All objects in OSS are stored in buckets.\n\nIt is recommended that the access policy on OSS buckets does not allow **anonymous** and/or **public access**.",
+  "Risk": "Allowing **anonymous** and/or **public access** grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data.\n\nPublic buckets can lead to **data breaches**, **unauthorized data access**, and **compliance violations**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.alibabacloud.com/help/doc-detail/31896.htm",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-OSS/publicly-accessible-oss-bucket.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "aliyun oss PutBucketAcl --bucket <bucket-name> --acl private",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": "resource \"alicloud_oss_bucket_public_access_block\" \"example\" {\n  bucket              = alicloud_oss_bucket.example.bucket\n  block_public_access = true\n}"
+    },
+    "Recommendation": {
+      "Text": "**Set Bucket ACL to Private:**\n1. Log on to the **OSS Console**\n2. In the bucket-list pane, click on a target OSS bucket\n3. Click on **Basic Setting** in the top middle of the console\n4. Under ACL section, click on **Configure**\n5. Click **Private** and click **Save**\n\n**For Bucket Policy:**\n1. Click **Bucket**, and then click the name of the target bucket\n2. Click the **Files** tab and click **Authorize**\n3. In the Authorize dialog, choose `Anonymous Accounts (*)` for Accounts and choose `None` for Authorized Operation\n4. Click **OK**",
+      "Url": "https://hub.prowler.com/check/oss_bucket_not_publicly_accessible"
+    }
+  },
+  "Categories": [
+    "internet-exposed"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler-cloud 5.14.1__py3-none-any.whl → 5.15.0__py3-none-any.whl

prowler-cloud 5.14.1py3-none-any.whl → 5.15.0py3-none-any.whl