prowler-cloud 5.14.1__py3-none-any.whl → 5.15.0__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- dashboard/assets/images/providers/alibabacloud_provider.png +0 -0
- dashboard/compliance/cis_2_0_alibabacloud.py +24 -0
- dashboard/lib/layouts.py +1 -0
- dashboard/pages/compliance.py +8 -2
- dashboard/pages/overview.py +52 -1
- prowler/CHANGELOG.md +59 -20
- prowler/__main__.py +40 -0
- prowler/compliance/alibabacloud/__init__.py +0 -0
- prowler/compliance/alibabacloud/cis_2.0_alibabacloud.json +1833 -0
- prowler/compliance/aws/iso27001_2013_aws.json +158 -158
- prowler/compliance/aws/soc2_aws.json +100 -0
- prowler/compliance/azure/rbi_cyber_security_framework_azure.json +248 -0
- prowler/compliance/azure/soc2_azure.json +87 -1
- prowler/compliance/gcp/soc2_gcp.json +82 -1
- prowler/config/config.py +2 -1
- prowler/lib/check/check.py +47 -1
- prowler/lib/check/models.py +23 -0
- prowler/lib/check/utils.py +1 -1
- prowler/lib/cli/parser.py +3 -2
- prowler/lib/outputs/compliance/cis/cis_alibabacloud.py +106 -0
- prowler/lib/outputs/compliance/cis/models.py +35 -0
- prowler/lib/outputs/finding.py +16 -0
- prowler/lib/outputs/html/html.py +67 -0
- prowler/lib/outputs/outputs.py +2 -0
- prowler/lib/outputs/summary_table.py +3 -0
- prowler/providers/alibabacloud/__init__.py +0 -0
- prowler/providers/alibabacloud/alibabacloud_provider.py +872 -0
- prowler/providers/alibabacloud/config.py +41 -0
- prowler/providers/alibabacloud/exceptions/__init__.py +0 -0
- prowler/providers/alibabacloud/exceptions/exceptions.py +116 -0
- prowler/providers/alibabacloud/lib/__init__.py +0 -0
- prowler/providers/alibabacloud/lib/arguments/__init__.py +0 -0
- prowler/providers/alibabacloud/lib/arguments/arguments.py +58 -0
- prowler/providers/alibabacloud/lib/mutelist/__init__.py +0 -0
- prowler/providers/alibabacloud/lib/mutelist/mutelist.py +175 -0
- prowler/providers/alibabacloud/lib/service/__init__.py +0 -0
- prowler/providers/alibabacloud/lib/service/service.py +113 -0
- prowler/providers/alibabacloud/models.py +266 -0
- prowler/providers/alibabacloud/services/__init__.py +0 -0
- prowler/providers/alibabacloud/services/actiontrail/__init__.py +0 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_client.py +6 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_multi_region_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_multi_region_enabled/actiontrail_multi_region_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_multi_region_enabled/actiontrail_multi_region_enabled.py +81 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_oss_bucket_not_publicly_accessible/__init__.py +0 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_oss_bucket_not_publicly_accessible/actiontrail_oss_bucket_not_publicly_accessible.metadata.json +40 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_oss_bucket_not_publicly_accessible/actiontrail_oss_bucket_not_publicly_accessible.py +119 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_service.py +110 -0
- prowler/providers/alibabacloud/services/cs/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_client.py +4 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cloudmonitor_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cloudmonitor_enabled/cs_kubernetes_cloudmonitor_enabled.metadata.json +38 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cloudmonitor_enabled/cs_kubernetes_cloudmonitor_enabled.py +26 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_recent/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_recent/cs_kubernetes_cluster_check_recent.metadata.json +38 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_recent/cs_kubernetes_cluster_check_recent.py +62 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_weekly/cs_kubernetes_cluster_check_weekly.metadata.json +38 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_weekly/cs_kubernetes_cluster_check_weekly.py +62 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_dashboard_disabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_dashboard_disabled/cs_kubernetes_dashboard_disabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_dashboard_disabled/cs_kubernetes_dashboard_disabled.py +26 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_eni_multiple_ip_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_eni_multiple_ip_enabled/cs_kubernetes_eni_multiple_ip_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_eni_multiple_ip_enabled/cs_kubernetes_eni_multiple_ip_enabled.py +26 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_log_service_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_log_service_enabled/cs_kubernetes_log_service_enabled.metadata.json +40 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_log_service_enabled/cs_kubernetes_log_service_enabled.py +26 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_network_policy_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_network_policy_enabled/cs_kubernetes_network_policy_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_network_policy_enabled/cs_kubernetes_network_policy_enabled.py +26 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_private_cluster_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_private_cluster_enabled/cs_kubernetes_private_cluster_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_private_cluster_enabled/cs_kubernetes_private_cluster_enabled.py +26 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_rbac_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_rbac_enabled/cs_kubernetes_rbac_enabled.metadata.json +40 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_rbac_enabled/cs_kubernetes_rbac_enabled.py +28 -0
- prowler/providers/alibabacloud/services/cs/cs_service.py +354 -0
- prowler/providers/alibabacloud/services/ecs/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_attached_disk_encrypted/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_attached_disk_encrypted/ecs_attached_disk_encrypted.metadata.json +38 -0
- prowler/providers/alibabacloud/services/ecs/ecs_attached_disk_encrypted/ecs_attached_disk_encrypted.py +38 -0
- prowler/providers/alibabacloud/services/ecs/ecs_client.py +4 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_endpoint_protection_installed/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_endpoint_protection_installed/ecs_instance_endpoint_protection_installed.metadata.json +41 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_endpoint_protection_installed/ecs_instance_endpoint_protection_installed.py +47 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_latest_os_patches_applied/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_latest_os_patches_applied/ecs_instance_latest_os_patches_applied.metadata.json +38 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_latest_os_patches_applied/ecs_instance_latest_os_patches_applied.py +50 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_no_legacy_network/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_no_legacy_network/ecs_instance_no_legacy_network.metadata.json +38 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_no_legacy_network/ecs_instance_no_legacy_network.py +34 -0
- prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_rdp_internet/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_rdp_internet/ecs_securitygroup_restrict_rdp_internet.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_rdp_internet/ecs_securitygroup_restrict_rdp_internet.py +68 -0
- prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_ssh_internet/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_ssh_internet/ecs_securitygroup_restrict_ssh_internet.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_ssh_internet/ecs_securitygroup_restrict_ssh_internet.py +68 -0
- prowler/providers/alibabacloud/services/ecs/ecs_service.py +380 -0
- prowler/providers/alibabacloud/services/ecs/ecs_unattached_disk_encrypted/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_unattached_disk_encrypted/ecs_unattached_disk_encrypted.metadata.json +38 -0
- prowler/providers/alibabacloud/services/ecs/ecs_unattached_disk_encrypted/ecs_unattached_disk_encrypted.py +38 -0
- prowler/providers/alibabacloud/services/ecs/lib/security_groups.py +23 -0
- prowler/providers/alibabacloud/services/oss/__init__.py +0 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_logging_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_logging_enabled/oss_bucket_logging_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_logging_enabled/oss_bucket_logging_enabled.py +37 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_not_publicly_accessible/__init__.py +0 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_not_publicly_accessible/oss_bucket_not_publicly_accessible.metadata.json +39 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_not_publicly_accessible/oss_bucket_not_publicly_accessible.py +89 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_secure_transport_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_secure_transport_enabled/oss_bucket_secure_transport_enabled.metadata.json +38 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_secure_transport_enabled/oss_bucket_secure_transport_enabled.py +87 -0
- prowler/providers/alibabacloud/services/oss/oss_client.py +4 -0
- prowler/providers/alibabacloud/services/oss/oss_service.py +317 -0
- prowler/providers/alibabacloud/services/ram/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_client.py +4 -0
- prowler/providers/alibabacloud/services/ram/ram_no_root_access_key/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_no_root_access_key/ram_no_root_access_key.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_no_root_access_key/ram_no_root_access_key.py +33 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_lowercase/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_lowercase/ram_password_policy_lowercase.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_lowercase/ram_password_policy_lowercase.py +32 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_max_login_attempts/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_max_login_attempts/ram_password_policy_max_login_attempts.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_max_login_attempts/ram_password_policy_max_login_attempts.py +32 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_max_password_age/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_max_password_age/ram_password_policy_max_password_age.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_max_password_age/ram_password_policy_max_password_age.py +35 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_minimum_length/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_minimum_length/ram_password_policy_minimum_length.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_minimum_length/ram_password_policy_minimum_length.py +30 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_number/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_number/ram_password_policy_number.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_password_reuse_prevention/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_password_reuse_prevention/ram_password_policy_password_reuse_prevention.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_password_reuse_prevention/ram_password_policy_password_reuse_prevention.py +35 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_symbol/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_symbol/ram_password_policy_symbol.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_symbol/ram_password_policy_symbol.py +34 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_uppercase/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_uppercase/ram_password_policy_uppercase.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_uppercase/ram_password_policy_uppercase.py +32 -0
- prowler/providers/alibabacloud/services/ram/ram_policy_attached_only_to_group_or_roles/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_policy_attached_only_to_group_or_roles/ram_policy_attached_only_to_group_or_roles.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_policy_attached_only_to_group_or_roles/ram_policy_attached_only_to_group_or_roles.py +35 -0
- prowler/providers/alibabacloud/services/ram/ram_policy_no_administrative_privileges/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_policy_no_administrative_privileges/ram_policy_no_administrative_privileges.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_policy_no_administrative_privileges/ram_policy_no_administrative_privileges.py +73 -0
- prowler/providers/alibabacloud/services/ram/ram_rotate_access_key_90_days/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_rotate_access_key_90_days/ram_rotate_access_key_90_days.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_rotate_access_key_90_days/ram_rotate_access_key_90_days.py +58 -0
- prowler/providers/alibabacloud/services/ram/ram_service.py +478 -0
- prowler/providers/alibabacloud/services/ram/ram_user_console_access_unused/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_user_console_access_unused/ram_user_console_access_unused.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_user_console_access_unused/ram_user_console_access_unused.py +56 -0
- prowler/providers/alibabacloud/services/ram/ram_user_mfa_enabled_console_access/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_user_mfa_enabled_console_access/ram_user_mfa_enabled_console_access.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_user_mfa_enabled_console_access/ram_user_mfa_enabled_console_access.py +36 -0
- prowler/providers/alibabacloud/services/rds/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_client.py +4 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_no_public_access_whitelist/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_no_public_access_whitelist/rds_instance_no_public_access_whitelist.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_no_public_access_whitelist/rds_instance_no_public_access_whitelist.py +36 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_connections_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_connections_enabled/rds_instance_postgresql_log_connections_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_connections_enabled/rds_instance_postgresql_log_connections_enabled.py +29 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_disconnections_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_disconnections_enabled/rds_instance_postgresql_log_disconnections_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_disconnections_enabled/rds_instance_postgresql_log_disconnections_enabled.py +29 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_duration_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_duration_enabled/rds_instance_postgresql_log_duration_enabled.metadata.json +38 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_duration_enabled/rds_instance_postgresql_log_duration_enabled.py +29 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_enabled/rds_instance_sql_audit_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_enabled/rds_instance_sql_audit_enabled.py +32 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_retention/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_retention/rds_instance_sql_audit_retention.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_retention/rds_instance_sql_audit_retention.py +41 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_ssl_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_ssl_enabled/rds_instance_ssl_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_ssl_enabled/rds_instance_ssl_enabled.py +30 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_tde_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_tde_enabled/rds_instance_tde_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_tde_enabled/rds_instance_tde_enabled.py +32 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_tde_key_custom/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_tde_key_custom/rds_instance_tde_key_custom.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_tde_key_custom/rds_instance_tde_key_custom.py +38 -0
- prowler/providers/alibabacloud/services/rds/rds_service.py +274 -0
- prowler/providers/alibabacloud/services/securitycenter/__init__.py +0 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_advanced_or_enterprise_edition/__init__.py +0 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_advanced_or_enterprise_edition/securitycenter_advanced_or_enterprise_edition.metadata.json +43 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_advanced_or_enterprise_edition/securitycenter_advanced_or_enterprise_edition.py +48 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_all_assets_agent_installed/__init__.py +0 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_all_assets_agent_installed/securitycenter_all_assets_agent_installed.metadata.json +42 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_all_assets_agent_installed/securitycenter_all_assets_agent_installed.py +48 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_client.py +6 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_notification_enabled_high_risk/__init__.py +0 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_notification_enabled_high_risk/securitycenter_notification_enabled_high_risk.metadata.json +42 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_notification_enabled_high_risk/securitycenter_notification_enabled_high_risk.py +65 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_service.py +394 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_vulnerability_scan_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_vulnerability_scan_enabled/securitycenter_vulnerability_scan_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_vulnerability_scan_enabled/securitycenter_vulnerability_scan_enabled.py +68 -0
- prowler/providers/alibabacloud/services/sls/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_client.py +4 -0
- prowler/providers/alibabacloud/services/sls/sls_cloud_firewall_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_cloud_firewall_changes_alert_enabled/sls_cloud_firewall_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_cloud_firewall_changes_alert_enabled/sls_cloud_firewall_changes_alert_enabled.py +50 -0
- prowler/providers/alibabacloud/services/sls/sls_customer_created_cmk_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_customer_created_cmk_changes_alert_enabled/sls_customer_created_cmk_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_customer_created_cmk_changes_alert_enabled/sls_customer_created_cmk_changes_alert_enabled.py +48 -0
- prowler/providers/alibabacloud/services/sls/sls_logstore_retention_period/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_logstore_retention_period/sls_logstore_retention_period.metadata.json +38 -0
- prowler/providers/alibabacloud/services/sls/sls_logstore_retention_period/sls_logstore_retention_period.py +32 -0
- prowler/providers/alibabacloud/services/sls/sls_management_console_authentication_failures_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_management_console_authentication_failures_alert_enabled/sls_management_console_authentication_failures_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_management_console_authentication_failures_alert_enabled/sls_management_console_authentication_failures_alert_enabled.py +44 -0
- prowler/providers/alibabacloud/services/sls/sls_management_console_signin_without_mfa_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_management_console_signin_without_mfa_alert_enabled/sls_management_console_signin_without_mfa_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_management_console_signin_without_mfa_alert_enabled/sls_management_console_signin_without_mfa_alert_enabled.py +49 -0
- prowler/providers/alibabacloud/services/sls/sls_oss_bucket_policy_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_oss_bucket_policy_changes_alert_enabled/sls_oss_bucket_policy_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_oss_bucket_policy_changes_alert_enabled/sls_oss_bucket_policy_changes_alert_enabled.py +57 -0
- prowler/providers/alibabacloud/services/sls/sls_oss_permission_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_oss_permission_changes_alert_enabled/sls_oss_permission_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_oss_permission_changes_alert_enabled/sls_oss_permission_changes_alert_enabled.py +48 -0
- prowler/providers/alibabacloud/services/sls/sls_ram_role_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_ram_role_changes_alert_enabled/sls_ram_role_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_ram_role_changes_alert_enabled/sls_ram_role_changes_alert_enabled.py +54 -0
- prowler/providers/alibabacloud/services/sls/sls_rds_instance_configuration_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_rds_instance_configuration_changes_alert_enabled/sls_rds_instance_configuration_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_rds_instance_configuration_changes_alert_enabled/sls_rds_instance_configuration_changes_alert_enabled.py +72 -0
- prowler/providers/alibabacloud/services/sls/sls_root_account_usage_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_root_account_usage_alert_enabled/sls_root_account_usage_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_root_account_usage_alert_enabled/sls_root_account_usage_alert_enabled.py +50 -0
- prowler/providers/alibabacloud/services/sls/sls_security_group_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_security_group_changes_alert_enabled/sls_security_group_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_security_group_changes_alert_enabled/sls_security_group_changes_alert_enabled.py +56 -0
- prowler/providers/alibabacloud/services/sls/sls_service.py +137 -0
- prowler/providers/alibabacloud/services/sls/sls_unauthorized_api_calls_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_unauthorized_api_calls_alert_enabled/sls_unauthorized_api_calls_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_unauthorized_api_calls_alert_enabled/sls_unauthorized_api_calls_alert_enabled.py +56 -0
- prowler/providers/alibabacloud/services/sls/sls_vpc_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_vpc_changes_alert_enabled/sls_vpc_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_vpc_changes_alert_enabled/sls_vpc_changes_alert_enabled.py +57 -0
- prowler/providers/alibabacloud/services/sls/sls_vpc_network_route_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_vpc_network_route_changes_alert_enabled/sls_vpc_network_route_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_vpc_network_route_changes_alert_enabled/sls_vpc_network_route_changes_alert_enabled.py +52 -0
- prowler/providers/alibabacloud/services/vpc/__init__.py +0 -0
- prowler/providers/alibabacloud/services/vpc/vpc_client.py +4 -0
- prowler/providers/alibabacloud/services/vpc/vpc_flow_logs_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.py +30 -0
- prowler/providers/alibabacloud/services/vpc/vpc_service.py +102 -0
- prowler/providers/aws/aws_regions_by_service.json +20 -0
- prowler/providers/aws/services/apigateway/apigateway_restapi_waf_acl_attached/apigateway_restapi_waf_acl_attached.metadata.json +1 -3
- prowler/providers/aws/services/cloudtrail/cloudtrail_insights_exist/cloudtrail_insights_exist.metadata.json +1 -1
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.metadata.json +0 -1
- prowler/providers/aws/services/guardduty/guardduty_centrally_managed/guardduty_centrally_managed.metadata.json +16 -10
- prowler/providers/aws/services/guardduty/guardduty_ec2_malware_protection_enabled/guardduty_ec2_malware_protection_enabled.metadata.json +23 -14
- prowler/providers/aws/services/guardduty/guardduty_eks_audit_log_enabled/guardduty_eks_audit_log_enabled.metadata.json +19 -13
- prowler/providers/aws/services/guardduty/guardduty_eks_runtime_monitoring_enabled/guardduty_eks_runtime_monitoring_enabled.metadata.json +18 -12
- prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled.metadata.json +24 -13
- prowler/providers/aws/services/guardduty/guardduty_lambda_protection_enabled/guardduty_lambda_protection_enabled.metadata.json +20 -14
- prowler/providers/aws/services/guardduty/guardduty_no_high_severity_findings/guardduty_no_high_severity_findings.metadata.json +18 -9
- prowler/providers/aws/services/guardduty/guardduty_rds_protection_enabled/guardduty_rds_protection_enabled.metadata.json +18 -11
- prowler/providers/aws/services/guardduty/guardduty_s3_protection_enabled/guardduty_s3_protection_enabled.metadata.json +21 -12
- prowler/providers/aws/services/lightsail/lightsail_database_public/lightsail_database_public.metadata.json +21 -13
- prowler/providers/aws/services/lightsail/lightsail_instance_automated_snapshots/lightsail_instance_automated_snapshots.metadata.json +24 -13
- prowler/providers/aws/services/lightsail/lightsail_instance_public/lightsail_instance_public.metadata.json +21 -13
- prowler/providers/aws/services/lightsail/lightsail_static_ip_unused/lightsail_static_ip_unused.metadata.json +23 -14
- prowler/providers/aws/services/macie/macie_automated_sensitive_data_discovery_enabled/macie_automated_sensitive_data_discovery_enabled.metadata.json +20 -12
- prowler/providers/aws/services/macie/macie_is_enabled/macie_is_enabled.metadata.json +17 -12
- prowler/providers/aws/services/mq/mq_broker_active_deployment_mode/mq_broker_active_deployment_mode.metadata.json +22 -13
- prowler/providers/aws/services/mq/mq_broker_auto_minor_version_upgrades/mq_broker_auto_minor_version_upgrades.metadata.json +21 -12
- prowler/providers/aws/services/mq/mq_broker_cluster_deployment_mode/mq_broker_cluster_deployment_mode.metadata.json +23 -14
- prowler/providers/aws/services/mq/mq_broker_logging_enabled/mq_broker_logging_enabled.metadata.json +22 -13
- prowler/providers/aws/services/mq/mq_broker_not_publicly_accessible/mq_broker_not_publicly_accessible.metadata.json +20 -12
- prowler/providers/aws/services/networkfirewall/networkfirewall_deletion_protection/networkfirewall_deletion_protection.metadata.json +21 -13
- prowler/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc.metadata.json +23 -13
- prowler/providers/aws/services/networkfirewall/networkfirewall_logging_enabled/networkfirewall_logging_enabled.metadata.json +20 -13
- prowler/providers/aws/services/networkfirewall/networkfirewall_multi_az/networkfirewall_multi_az.metadata.json +22 -14
- prowler/providers/aws/services/networkfirewall/networkfirewall_policy_default_action_fragmented_packets/networkfirewall_policy_default_action_fragmented_packets.metadata.json +26 -14
- prowler/providers/aws/services/networkfirewall/networkfirewall_policy_default_action_full_packets/networkfirewall_policy_default_action_full_packets.metadata.json +22 -13
- prowler/providers/aws/services/networkfirewall/networkfirewall_policy_rule_group_associated/networkfirewall_policy_rule_group_associated.metadata.json +25 -14
- prowler/providers/common/provider.py +12 -0
- prowler/providers/gcp/services/accesscontextmanager/__init__.py +0 -0
- prowler/providers/gcp/services/accesscontextmanager/accesscontextmanager_client.py +6 -0
- prowler/providers/gcp/services/accesscontextmanager/accesscontextmanager_service.py +101 -0
- prowler/providers/gcp/services/cloudresourcemanager/cloudresourcemanager_service.py +10 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_service.py +13 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_uses_vpc_service_controls/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_uses_vpc_service_controls/cloudstorage_uses_vpc_service_controls.metadata.json +36 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_uses_vpc_service_controls/cloudstorage_uses_vpc_service_controls.py +67 -0
- prowler/providers/gcp/services/compute/compute_instance_automatic_restart_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/compute/compute_instance_automatic_restart_enabled/compute_instance_automatic_restart_enabled.metadata.json +36 -0
- prowler/providers/gcp/services/compute/compute_instance_automatic_restart_enabled/compute_instance_automatic_restart_enabled.py +35 -0
- prowler/providers/gcp/services/compute/compute_instance_deletion_protection_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/compute/compute_instance_deletion_protection_enabled/compute_instance_deletion_protection_enabled.metadata.json +36 -0
- prowler/providers/gcp/services/compute/compute_instance_deletion_protection_enabled/compute_instance_deletion_protection_enabled.py +29 -0
- prowler/providers/gcp/services/compute/compute_instance_preemptible_vm_disabled/__init__.py +0 -0
- prowler/providers/gcp/services/compute/compute_instance_preemptible_vm_disabled/compute_instance_preemptible_vm_disabled.metadata.json +37 -0
- prowler/providers/gcp/services/compute/compute_instance_preemptible_vm_disabled/compute_instance_preemptible_vm_disabled.py +32 -0
- prowler/providers/gcp/services/compute/compute_service.py +16 -0
- prowler/providers/github/services/repository/repository_immutable_releases_enabled/__init__.py +0 -0
- prowler/providers/github/services/repository/repository_immutable_releases_enabled/repository_immutable_releases_enabled.metadata.json +33 -0
- prowler/providers/github/services/repository/repository_immutable_releases_enabled/repository_immutable_releases_enabled.py +41 -0
- prowler/providers/github/services/repository/repository_service.py +52 -0
- {prowler_cloud-5.14.1.dist-info → prowler_cloud-5.15.0.dist-info}/METADATA +40 -22
- {prowler_cloud-5.14.1.dist-info → prowler_cloud-5.15.0.dist-info}/RECORD +326 -73
- {prowler_cloud-5.14.1.dist-info → prowler_cloud-5.15.0.dist-info}/LICENSE +0 -0
- {prowler_cloud-5.14.1.dist-info → prowler_cloud-5.15.0.dist-info}/WHEEL +0 -0
- {prowler_cloud-5.14.1.dist-info → prowler_cloud-5.15.0.dist-info}/entry_points.txt +0 -0
|
@@ -547,6 +547,106 @@
|
|
|
547
547
|
"cloudwatch_log_group_retention_policy_specific_days_enabled",
|
|
548
548
|
"kinesis_stream_data_retention_period"
|
|
549
549
|
]
|
|
550
|
+
},
|
|
551
|
+
{
|
|
552
|
+
"Id": "pi_1_2",
|
|
553
|
+
"Name": "PI1.2 System inputs are measured and recorded completely, accurately, and timely to meet the entity's processing integrity commitments and system requirements",
|
|
554
|
+
"Description": "The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity's objectives. This includes defining accuracy targets, monitoring input quality, and creating detailed records of each input event.",
|
|
555
|
+
"Attributes": [
|
|
556
|
+
{
|
|
557
|
+
"ItemId": "pi_1_2",
|
|
558
|
+
"Section": "PI1.0 - Processing Integrity",
|
|
559
|
+
"Service": "aws",
|
|
560
|
+
"Type": "automated"
|
|
561
|
+
}
|
|
562
|
+
],
|
|
563
|
+
"Checks": [
|
|
564
|
+
"apigateway_restapi_logging_enabled",
|
|
565
|
+
"apigatewayv2_api_access_logging_enabled",
|
|
566
|
+
"elbv2_logging_enabled",
|
|
567
|
+
"elb_logging_enabled",
|
|
568
|
+
"wafv2_webacl_logging_enabled",
|
|
569
|
+
"waf_global_webacl_logging_enabled",
|
|
570
|
+
"cloudtrail_s3_dataevents_write_enabled",
|
|
571
|
+
"cloudfront_distributions_logging_enabled"
|
|
572
|
+
]
|
|
573
|
+
},
|
|
574
|
+
{
|
|
575
|
+
"Id": "pi_1_3",
|
|
576
|
+
"Name": "PI1.3 Data is processed completely, accurately, and timely as authorized to meet the entity's processing integrity commitments and system requirements",
|
|
577
|
+
"Description": "The entity implements controls to ensure data is processed completely, accurately, and timely. This includes defining processing specifications, identifying processing activities, detecting and correcting errors throughout processing, recording processing activities with accurate logs, and ensuring completeness and timeliness of processing.",
|
|
578
|
+
"Attributes": [
|
|
579
|
+
{
|
|
580
|
+
"ItemId": "pi_1_3",
|
|
581
|
+
"Section": "PI1.0 - Processing Integrity",
|
|
582
|
+
"Service": "aws",
|
|
583
|
+
"Type": "automated"
|
|
584
|
+
}
|
|
585
|
+
],
|
|
586
|
+
"Checks": [
|
|
587
|
+
"cloudtrail_multi_region_enabled",
|
|
588
|
+
"cloudtrail_log_file_validation_enabled",
|
|
589
|
+
"cloudtrail_cloudwatch_logging_enabled",
|
|
590
|
+
"cloudwatch_log_metric_filter_unauthorized_api_calls",
|
|
591
|
+
"cloudwatch_log_metric_filter_authentication_failures",
|
|
592
|
+
"cloudwatch_log_metric_filter_policy_changes",
|
|
593
|
+
"cloudwatch_log_metric_filter_root_usage",
|
|
594
|
+
"config_recorder_all_regions_enabled",
|
|
595
|
+
"rds_instance_integration_cloudwatch_logs",
|
|
596
|
+
"rds_cluster_integration_cloudwatch_logs",
|
|
597
|
+
"glue_etl_jobs_logging_enabled",
|
|
598
|
+
"stepfunctions_statemachine_logging_enabled"
|
|
599
|
+
]
|
|
600
|
+
},
|
|
601
|
+
{
|
|
602
|
+
"Id": "pi_1_4",
|
|
603
|
+
"Name": "PI1.4 System outputs are complete, accurate, distributed only to intended parties, and retained to meet the entity's processing integrity commitments and system requirements",
|
|
604
|
+
"Description": "The entity implements controls to ensure system outputs are delivered to authorized recipients in the correct format and protected against unauthorized access, modification, theft, destruction, or corruption. This includes output encryption, access controls, and audit trails for output delivery.",
|
|
605
|
+
"Attributes": [
|
|
606
|
+
{
|
|
607
|
+
"ItemId": "pi_1_4",
|
|
608
|
+
"Section": "PI1.0 - Processing Integrity",
|
|
609
|
+
"Service": "aws",
|
|
610
|
+
"Type": "automated"
|
|
611
|
+
}
|
|
612
|
+
],
|
|
613
|
+
"Checks": [
|
|
614
|
+
"s3_bucket_default_encryption",
|
|
615
|
+
"s3_bucket_kms_encryption",
|
|
616
|
+
"cloudwatch_log_group_kms_encryption_enabled",
|
|
617
|
+
"sns_topics_kms_encryption_at_rest_enabled",
|
|
618
|
+
"kinesis_stream_encrypted_at_rest",
|
|
619
|
+
"cloudfront_distributions_field_level_encryption_enabled",
|
|
620
|
+
"cloudwatch_log_group_not_publicly_accessible",
|
|
621
|
+
"cloudwatch_cross_account_sharing_disabled",
|
|
622
|
+
"glue_etl_jobs_cloudwatch_logs_encryption_enabled",
|
|
623
|
+
"glue_etl_jobs_amazon_s3_encryption_enabled"
|
|
624
|
+
]
|
|
625
|
+
},
|
|
626
|
+
{
|
|
627
|
+
"Id": "pi_1_5",
|
|
628
|
+
"Name": "PI1.5 Stored data is maintained complete, accurate, and protected from unauthorized modification to meet the entity's processing integrity commitments and system requirements",
|
|
629
|
+
"Description": "The entity implements controls to protect stored inputs, items in processing, and outputs from theft, destruction, corruption, or deterioration. This includes data encryption at rest, key management, backup and recovery procedures, access controls, and data integrity validation.",
|
|
630
|
+
"Attributes": [
|
|
631
|
+
{
|
|
632
|
+
"ItemId": "pi_1_5",
|
|
633
|
+
"Section": "PI1.0 - Processing Integrity",
|
|
634
|
+
"Service": "aws",
|
|
635
|
+
"Type": "automated"
|
|
636
|
+
}
|
|
637
|
+
],
|
|
638
|
+
"Checks": [
|
|
639
|
+
"s3_bucket_object_versioning",
|
|
640
|
+
"s3_bucket_object_lock",
|
|
641
|
+
"rds_instance_storage_encrypted",
|
|
642
|
+
"rds_cluster_storage_encrypted",
|
|
643
|
+
"dynamodb_tables_kms_cmk_encryption_enabled",
|
|
644
|
+
"ec2_ebs_volume_encryption",
|
|
645
|
+
"backup_plans_exist",
|
|
646
|
+
"backup_recovery_point_encrypted",
|
|
647
|
+
"backup_vaults_encrypted",
|
|
648
|
+
"kms_cmk_rotation_enabled"
|
|
649
|
+
]
|
|
550
650
|
}
|
|
551
651
|
]
|
|
552
652
|
}
|
|
@@ -0,0 +1,248 @@
|
|
|
1
|
+
{
|
|
2
|
+
"Framework": "RBI-Cyber-Security-Framework",
|
|
3
|
+
"Name": "Reserve Bank of India (RBI) Cyber Security Framework",
|
|
4
|
+
"Version": "",
|
|
5
|
+
"Provider": "Azure",
|
|
6
|
+
"Description": "The Reserve Bank had prescribed a set of baseline cyber security controls for primary (Urban) cooperative banks (UCBs) in October 2018. On further examination, it has been decided to prescribe a comprehensive cyber security framework for the UCBs, as a graded approach, based on their digital depth and interconnectedness with the payment systems landscape, digital products offered by them and assessment of cyber security risk. The framework would mandate implementation of progressively stronger security measures based on the nature, variety and scale of digital product offerings of banks.",
|
|
7
|
+
"Requirements": [
|
|
8
|
+
{
|
|
9
|
+
"Id": "annex_i_1_1",
|
|
10
|
+
"Name": "Annex I (1.1)",
|
|
11
|
+
"Description": "UCBs should maintain an up-to-date business IT Asset Inventory Register containing the following fields, as a minimum: a) Details of the IT Asset (viz., hardware/software/network devices, key personnel, services, etc.), b. Details of systems where customer data are stored, c. Associated business applications, if any, d. Criticality of the IT asset (For example, High/Medium/Low).",
|
|
12
|
+
"Attributes": [
|
|
13
|
+
{
|
|
14
|
+
"ItemId": "annex_i_1_1",
|
|
15
|
+
"Service": "vm"
|
|
16
|
+
}
|
|
17
|
+
],
|
|
18
|
+
"Checks": [
|
|
19
|
+
"vm_ensure_using_approved_images",
|
|
20
|
+
"vm_ensure_using_managed_disks",
|
|
21
|
+
"vm_trusted_launch_enabled",
|
|
22
|
+
"aks_cluster_rbac_enabled",
|
|
23
|
+
"aks_clusters_created_with_private_nodes",
|
|
24
|
+
"appinsights_ensure_is_configured",
|
|
25
|
+
"containerregistry_admin_user_disabled"
|
|
26
|
+
]
|
|
27
|
+
},
|
|
28
|
+
{
|
|
29
|
+
"Id": "annex_i_1_3",
|
|
30
|
+
"Name": "Annex I (1.3)",
|
|
31
|
+
"Description": "Appropriately manage and provide protection within and outside UCB/network, keeping in mind how the data/information is stored, transmitted, processed, accessed and put to use within/outside the UCB's network, and level of risk they are exposed to depending on the sensitivity of the data/information.",
|
|
32
|
+
"Attributes": [
|
|
33
|
+
{
|
|
34
|
+
"ItemId": "annex_i_1_3",
|
|
35
|
+
"Service": "azure"
|
|
36
|
+
}
|
|
37
|
+
],
|
|
38
|
+
"Checks": [
|
|
39
|
+
"keyvault_key_rotation_enabled",
|
|
40
|
+
"keyvault_access_only_through_private_endpoints",
|
|
41
|
+
"keyvault_private_endpoints",
|
|
42
|
+
"keyvault_rbac_enabled",
|
|
43
|
+
"app_function_not_publicly_accessible",
|
|
44
|
+
"app_ensure_http_is_redirected_to_https",
|
|
45
|
+
"app_minimum_tls_version_12",
|
|
46
|
+
"storage_blob_public_access_level_is_disabled",
|
|
47
|
+
"storage_secure_transfer_required_is_enabled",
|
|
48
|
+
"storage_ensure_encryption_with_customer_managed_keys",
|
|
49
|
+
"storage_ensure_minimum_tls_version_12",
|
|
50
|
+
"storage_default_network_access_rule_is_denied",
|
|
51
|
+
"storage_ensure_private_endpoints_in_storage_accounts",
|
|
52
|
+
"network_ssh_internet_access_restricted",
|
|
53
|
+
"sqlserver_unrestricted_inbound_access",
|
|
54
|
+
"sqlserver_tde_encryption_enabled",
|
|
55
|
+
"sqlserver_tde_encrypted_with_cmk",
|
|
56
|
+
"cosmosdb_account_use_private_endpoints",
|
|
57
|
+
"cosmosdb_account_firewall_use_selected_networks",
|
|
58
|
+
"mysql_flexible_server_ssl_connection_enabled",
|
|
59
|
+
"mysql_flexible_server_minimum_tls_version_12",
|
|
60
|
+
"postgresql_flexible_server_enforce_ssl_enabled",
|
|
61
|
+
"aks_clusters_public_access_disabled",
|
|
62
|
+
"containerregistry_not_publicly_accessible",
|
|
63
|
+
"containerregistry_uses_private_link",
|
|
64
|
+
"aisearch_service_not_publicly_accessible"
|
|
65
|
+
]
|
|
66
|
+
},
|
|
67
|
+
{
|
|
68
|
+
"Id": "annex_i_5_1",
|
|
69
|
+
"Name": "Annex I (5.1)",
|
|
70
|
+
"Description": "The firewall configurations should be set to the highest security level and evaluation of critical device (such as firewall, network switches, security devices, etc.) configurations should be done periodically.",
|
|
71
|
+
"Attributes": [
|
|
72
|
+
{
|
|
73
|
+
"ItemId": "annex_i_5_1",
|
|
74
|
+
"Service": "network"
|
|
75
|
+
}
|
|
76
|
+
],
|
|
77
|
+
"Checks": [
|
|
78
|
+
"network_rdp_internet_access_restricted",
|
|
79
|
+
"network_http_internet_access_restricted",
|
|
80
|
+
"network_udp_internet_access_restricted",
|
|
81
|
+
"network_ssh_internet_access_restricted",
|
|
82
|
+
"network_flow_log_captured_sent",
|
|
83
|
+
"network_flow_log_more_than_90_days",
|
|
84
|
+
"network_watcher_enabled",
|
|
85
|
+
"network_bastion_host_exists",
|
|
86
|
+
"aks_network_policy_enabled",
|
|
87
|
+
"storage_default_network_access_rule_is_denied"
|
|
88
|
+
]
|
|
89
|
+
},
|
|
90
|
+
{
|
|
91
|
+
"Id": "annex_i_6",
|
|
92
|
+
"Name": "Annex I (6)",
|
|
93
|
+
"Description": "Put in place systems and processes to identify, track, manage and monitor the status of patches to servers, operating system and application software running at the systems used by the UCB officials (end-users). Implement and update antivirus protection for all servers and applicable end points preferably through a centralised system.",
|
|
94
|
+
"Attributes": [
|
|
95
|
+
{
|
|
96
|
+
"ItemId": "annex_i_6",
|
|
97
|
+
"Service": "defender"
|
|
98
|
+
}
|
|
99
|
+
],
|
|
100
|
+
"Checks": [
|
|
101
|
+
"defender_ensure_system_updates_are_applied",
|
|
102
|
+
"defender_assessments_vm_endpoint_protection_installed",
|
|
103
|
+
"defender_ensure_defender_for_server_is_on",
|
|
104
|
+
"defender_ensure_defender_for_app_services_is_on",
|
|
105
|
+
"defender_ensure_defender_for_sql_servers_is_on",
|
|
106
|
+
"defender_ensure_defender_for_azure_sql_databases_is_on",
|
|
107
|
+
"defender_ensure_defender_for_storage_is_on",
|
|
108
|
+
"defender_ensure_defender_for_containers_is_on",
|
|
109
|
+
"defender_ensure_defender_for_keyvault_is_on",
|
|
110
|
+
"defender_ensure_defender_for_arm_is_on",
|
|
111
|
+
"defender_ensure_defender_for_dns_is_on",
|
|
112
|
+
"defender_ensure_defender_for_databases_is_on",
|
|
113
|
+
"defender_ensure_defender_for_cosmosdb_is_on",
|
|
114
|
+
"defender_container_images_scan_enabled",
|
|
115
|
+
"defender_container_images_resolved_vulnerabilities",
|
|
116
|
+
"defender_auto_provisioning_vulnerabilty_assessments_machines_on",
|
|
117
|
+
"vm_backup_enabled",
|
|
118
|
+
"app_ensure_java_version_is_latest",
|
|
119
|
+
"app_ensure_php_version_is_latest",
|
|
120
|
+
"app_ensure_python_version_is_latest"
|
|
121
|
+
]
|
|
122
|
+
},
|
|
123
|
+
{
|
|
124
|
+
"Id": "annex_i_7_1",
|
|
125
|
+
"Name": "Annex I (7.1)",
|
|
126
|
+
"Description": "Disallow administrative rights on end-user workstations/PCs/laptops and provide access rights on a 'need to know' and 'need to do' basis.",
|
|
127
|
+
"Attributes": [
|
|
128
|
+
{
|
|
129
|
+
"ItemId": "annex_i_7_1",
|
|
130
|
+
"Service": "iam"
|
|
131
|
+
}
|
|
132
|
+
],
|
|
133
|
+
"Checks": [
|
|
134
|
+
"iam_role_user_access_admin_restricted",
|
|
135
|
+
"iam_subscription_roles_owner_custom_not_created",
|
|
136
|
+
"iam_custom_role_has_permissions_to_administer_resource_locks",
|
|
137
|
+
"entra_global_admin_in_less_than_five_users",
|
|
138
|
+
"entra_policy_ensure_default_user_cannot_create_apps",
|
|
139
|
+
"entra_policy_ensure_default_user_cannot_create_tenants",
|
|
140
|
+
"entra_policy_default_users_cannot_create_security_groups",
|
|
141
|
+
"entra_policy_guest_invite_only_for_admin_roles",
|
|
142
|
+
"entra_policy_guest_users_access_restrictions",
|
|
143
|
+
"app_function_identity_without_admin_privileges"
|
|
144
|
+
]
|
|
145
|
+
},
|
|
146
|
+
{
|
|
147
|
+
"Id": "annex_i_7_2",
|
|
148
|
+
"Name": "Annex I (7.2)",
|
|
149
|
+
"Description": "Passwords should be set as complex and lengthy and users should not use same passwords for all the applications/systems/devices.",
|
|
150
|
+
"Attributes": [
|
|
151
|
+
{
|
|
152
|
+
"ItemId": "annex_i_7_2",
|
|
153
|
+
"Service": "entra"
|
|
154
|
+
}
|
|
155
|
+
],
|
|
156
|
+
"Checks": [
|
|
157
|
+
"entra_non_privileged_user_has_mfa",
|
|
158
|
+
"entra_privileged_user_has_mfa",
|
|
159
|
+
"entra_policy_user_consent_for_verified_apps",
|
|
160
|
+
"entra_policy_restricts_user_consent_for_apps",
|
|
161
|
+
"entra_user_with_vm_access_has_mfa",
|
|
162
|
+
"entra_security_defaults_enabled",
|
|
163
|
+
"entra_conditional_access_policy_require_mfa_for_management_api",
|
|
164
|
+
"entra_trusted_named_locations_exists",
|
|
165
|
+
"sqlserver_azuread_administrator_enabled",
|
|
166
|
+
"postgresql_flexible_server_entra_id_authentication_enabled",
|
|
167
|
+
"cosmosdb_account_use_aad_and_rbac"
|
|
168
|
+
]
|
|
169
|
+
},
|
|
170
|
+
{
|
|
171
|
+
"Id": "annex_i_7_3",
|
|
172
|
+
"Name": "Annex I (7.3)",
|
|
173
|
+
"Description": "Remote Desktop Protocol (RDP) which allows others to access the computer remotely over a network or over the internet should be always disabled and should be enabled only with the approval of the authorised officer of the UCB. Logs for such remote access shall be enabled and monitored for suspicious activities.",
|
|
174
|
+
"Attributes": [
|
|
175
|
+
{
|
|
176
|
+
"ItemId": "annex_i_7_3",
|
|
177
|
+
"Service": "network"
|
|
178
|
+
}
|
|
179
|
+
],
|
|
180
|
+
"Checks": [
|
|
181
|
+
"network_rdp_internet_access_restricted",
|
|
182
|
+
"vm_jit_access_enabled",
|
|
183
|
+
"network_bastion_host_exists",
|
|
184
|
+
"vm_linux_enforce_ssh_authentication"
|
|
185
|
+
]
|
|
186
|
+
},
|
|
187
|
+
{
|
|
188
|
+
"Id": "annex_i_7_4",
|
|
189
|
+
"Name": "Annex I (7.4)",
|
|
190
|
+
"Description": "Implement appropriate (e.g. centralised) systems and controls to allow, manage, log and monitor privileged/super user/administrative access to critical systems (servers/databases, applications, network devices etc.)",
|
|
191
|
+
"Attributes": [
|
|
192
|
+
{
|
|
193
|
+
"ItemId": "annex_i_7_4",
|
|
194
|
+
"Service": "monitor"
|
|
195
|
+
}
|
|
196
|
+
],
|
|
197
|
+
"Checks": [
|
|
198
|
+
"monitor_alert_create_update_nsg",
|
|
199
|
+
"monitor_alert_delete_nsg",
|
|
200
|
+
"monitor_diagnostic_setting_with_appropriate_categories",
|
|
201
|
+
"monitor_diagnostic_settings_exists",
|
|
202
|
+
"monitor_alert_create_policy_assignment",
|
|
203
|
+
"monitor_alert_delete_policy_assignment",
|
|
204
|
+
"monitor_alert_create_update_security_solution",
|
|
205
|
+
"monitor_alert_delete_security_solution",
|
|
206
|
+
"monitor_alert_create_update_sqlserver_fr",
|
|
207
|
+
"monitor_alert_delete_sqlserver_fr",
|
|
208
|
+
"monitor_alert_create_update_public_ip_address_rule",
|
|
209
|
+
"monitor_alert_delete_public_ip_address_rule",
|
|
210
|
+
"monitor_alert_service_health_exists",
|
|
211
|
+
"monitor_storage_account_with_activity_logs_cmk_encrypted",
|
|
212
|
+
"monitor_storage_account_with_activity_logs_is_private",
|
|
213
|
+
"keyvault_logging_enabled",
|
|
214
|
+
"sqlserver_auditing_enabled",
|
|
215
|
+
"sqlserver_auditing_retention_90_days",
|
|
216
|
+
"app_http_logs_enabled",
|
|
217
|
+
"app_function_application_insights_enabled",
|
|
218
|
+
"defender_additional_email_configured_with_a_security_contact",
|
|
219
|
+
"defender_ensure_notify_alerts_severity_is_high",
|
|
220
|
+
"defender_ensure_notify_emails_to_owners",
|
|
221
|
+
"defender_ensure_mcas_is_enabled",
|
|
222
|
+
"defender_ensure_wdatp_is_enabled"
|
|
223
|
+
]
|
|
224
|
+
},
|
|
225
|
+
{
|
|
226
|
+
"Id": "annex_i_12",
|
|
227
|
+
"Name": "Annex I (12)",
|
|
228
|
+
"Description": "Take periodic back up of the important data and store this data 'off line' (i.e., transferring important files to a storage device that can be detached from a computer/system after copying all the files).",
|
|
229
|
+
"Attributes": [
|
|
230
|
+
{
|
|
231
|
+
"ItemId": "annex_i_12",
|
|
232
|
+
"Service": "azure"
|
|
233
|
+
}
|
|
234
|
+
],
|
|
235
|
+
"Checks": [
|
|
236
|
+
"vm_backup_enabled",
|
|
237
|
+
"vm_sufficient_daily_backup_retention_period",
|
|
238
|
+
"storage_ensure_file_shares_soft_delete_is_enabled",
|
|
239
|
+
"storage_blob_versioning_is_enabled",
|
|
240
|
+
"storage_ensure_soft_delete_is_enabled",
|
|
241
|
+
"storage_geo_redundant_enabled",
|
|
242
|
+
"keyvault_recoverable",
|
|
243
|
+
"sqlserver_vulnerability_assessment_enabled",
|
|
244
|
+
"sqlserver_va_periodic_recurring_scans_enabled"
|
|
245
|
+
]
|
|
246
|
+
}
|
|
247
|
+
]
|
|
248
|
+
}
|
|
@@ -619,6 +619,92 @@
|
|
|
619
619
|
"sqlserver_auditing_retention_90_days",
|
|
620
620
|
"storage_ensure_soft_delete_is_enabled"
|
|
621
621
|
]
|
|
622
|
+
},
|
|
623
|
+
{
|
|
624
|
+
"Id": "pi_1_2",
|
|
625
|
+
"Name": "PI1.2 System inputs are measured and recorded completely, accurately, and timely to meet the entity's processing integrity commitments and system requirements",
|
|
626
|
+
"Description": "The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity's objectives. This includes defining accuracy targets, monitoring input quality, and creating detailed records of each input event.",
|
|
627
|
+
"Attributes": [
|
|
628
|
+
{
|
|
629
|
+
"ItemId": "pi_1_2",
|
|
630
|
+
"Section": "PI1.0 - Processing Integrity",
|
|
631
|
+
"Service": "azure",
|
|
632
|
+
"Type": "automated"
|
|
633
|
+
}
|
|
634
|
+
],
|
|
635
|
+
"Checks": [
|
|
636
|
+
"app_http_logs_enabled",
|
|
637
|
+
"network_flow_log_captured_sent",
|
|
638
|
+
"keyvault_logging_enabled",
|
|
639
|
+
"monitor_diagnostic_settings_exists",
|
|
640
|
+
"sqlserver_auditing_enabled"
|
|
641
|
+
]
|
|
642
|
+
},
|
|
643
|
+
{
|
|
644
|
+
"Id": "pi_1_3",
|
|
645
|
+
"Name": "PI1.3 Data is processed completely, accurately, and timely as authorized to meet the entity's processing integrity commitments and system requirements",
|
|
646
|
+
"Description": "The entity implements controls to ensure data is processed completely, accurately, and timely. This includes defining processing specifications, identifying processing activities, detecting and correcting errors throughout processing, recording processing activities with accurate logs, and ensuring completeness and timeliness of processing.",
|
|
647
|
+
"Attributes": [
|
|
648
|
+
{
|
|
649
|
+
"ItemId": "pi_1_3",
|
|
650
|
+
"Section": "PI1.0 - Processing Integrity",
|
|
651
|
+
"Service": "azure",
|
|
652
|
+
"Type": "automated"
|
|
653
|
+
}
|
|
654
|
+
],
|
|
655
|
+
"Checks": [
|
|
656
|
+
"monitor_diagnostic_setting_with_appropriate_categories",
|
|
657
|
+
"monitor_diagnostic_settings_exists",
|
|
658
|
+
"defender_auto_provisioning_log_analytics_agent_vms_on",
|
|
659
|
+
"mysql_flexible_server_audit_log_enabled",
|
|
660
|
+
"postgresql_flexible_server_log_checkpoints_on",
|
|
661
|
+
"postgresql_flexible_server_log_connections_on",
|
|
662
|
+
"postgresql_flexible_server_log_disconnections_on",
|
|
663
|
+
"network_flow_log_more_than_90_days"
|
|
664
|
+
]
|
|
665
|
+
},
|
|
666
|
+
{
|
|
667
|
+
"Id": "pi_1_4",
|
|
668
|
+
"Name": "PI1.4 System outputs are complete, accurate, distributed only to intended parties, and retained to meet the entity's processing integrity commitments and system requirements",
|
|
669
|
+
"Description": "The entity implements controls to ensure system outputs are delivered to authorized recipients in the correct format and protected against unauthorized access, modification, theft, destruction, or corruption. This includes output encryption, access controls, and audit trails for output delivery.",
|
|
670
|
+
"Attributes": [
|
|
671
|
+
{
|
|
672
|
+
"ItemId": "pi_1_4",
|
|
673
|
+
"Section": "PI1.0 - Processing Integrity",
|
|
674
|
+
"Service": "azure",
|
|
675
|
+
"Type": "automated"
|
|
676
|
+
}
|
|
677
|
+
],
|
|
678
|
+
"Checks": [
|
|
679
|
+
"storage_ensure_encryption_with_customer_managed_keys",
|
|
680
|
+
"storage_infrastructure_encryption_is_enabled",
|
|
681
|
+
"monitor_storage_account_with_activity_logs_cmk_encrypted",
|
|
682
|
+
"monitor_storage_account_with_activity_logs_is_private",
|
|
683
|
+
"sqlserver_tde_encryption_enabled",
|
|
684
|
+
"sqlserver_tde_encrypted_with_cmk"
|
|
685
|
+
]
|
|
686
|
+
},
|
|
687
|
+
{
|
|
688
|
+
"Id": "pi_1_5",
|
|
689
|
+
"Name": "PI1.5 Stored data is maintained complete, accurate, and protected from unauthorized modification to meet the entity's processing integrity commitments and system requirements",
|
|
690
|
+
"Description": "The entity implements controls to protect stored inputs, items in processing, and outputs from theft, destruction, corruption, or deterioration. This includes data encryption at rest, key management, backup and recovery procedures, access controls, and data integrity validation.",
|
|
691
|
+
"Attributes": [
|
|
692
|
+
{
|
|
693
|
+
"ItemId": "pi_1_5",
|
|
694
|
+
"Section": "PI1.0 - Processing Integrity",
|
|
695
|
+
"Service": "azure",
|
|
696
|
+
"Type": "automated"
|
|
697
|
+
}
|
|
698
|
+
],
|
|
699
|
+
"Checks": [
|
|
700
|
+
"storage_ensure_encryption_with_customer_managed_keys",
|
|
701
|
+
"storage_infrastructure_encryption_is_enabled",
|
|
702
|
+
"storage_ensure_soft_delete_is_enabled",
|
|
703
|
+
"vm_ensure_attached_disks_encrypted_with_cmk",
|
|
704
|
+
"vm_ensure_unattached_disks_encrypted_with_cmk",
|
|
705
|
+
"keyvault_key_rotation_enabled",
|
|
706
|
+
"keyvault_recoverable"
|
|
707
|
+
]
|
|
622
708
|
}
|
|
623
709
|
]
|
|
624
|
-
}
|
|
710
|
+
}
|
|
@@ -492,6 +492,87 @@
|
|
|
492
492
|
"Checks": [
|
|
493
493
|
"cloudstorage_bucket_log_retention_policy_lock"
|
|
494
494
|
]
|
|
495
|
+
},
|
|
496
|
+
{
|
|
497
|
+
"Id": "pi_1_2",
|
|
498
|
+
"Name": "PI1.2 System inputs are measured and recorded completely, accurately, and timely to meet the entity's processing integrity commitments and system requirements",
|
|
499
|
+
"Description": "The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity's objectives. This includes defining accuracy targets, monitoring input quality, and creating detailed records of each input event.",
|
|
500
|
+
"Attributes": [
|
|
501
|
+
{
|
|
502
|
+
"ItemId": "pi_1_2",
|
|
503
|
+
"Section": "PI1.0 - Processing Integrity",
|
|
504
|
+
"Service": "gcp",
|
|
505
|
+
"Type": "automated"
|
|
506
|
+
}
|
|
507
|
+
],
|
|
508
|
+
"Checks": [
|
|
509
|
+
"compute_loadbalancer_logging_enabled",
|
|
510
|
+
"compute_subnet_flow_logs_enabled",
|
|
511
|
+
"logging_sink_created",
|
|
512
|
+
"iam_audit_logs_enabled"
|
|
513
|
+
]
|
|
514
|
+
},
|
|
515
|
+
{
|
|
516
|
+
"Id": "pi_1_3",
|
|
517
|
+
"Name": "PI1.3 Data is processed completely, accurately, and timely as authorized to meet the entity's processing integrity commitments and system requirements",
|
|
518
|
+
"Description": "The entity implements controls to ensure data is processed completely, accurately, and timely. This includes defining processing specifications, identifying processing activities, detecting and correcting errors throughout processing, recording processing activities with accurate logs, and ensuring completeness and timeliness of processing.",
|
|
519
|
+
"Attributes": [
|
|
520
|
+
{
|
|
521
|
+
"ItemId": "pi_1_3",
|
|
522
|
+
"Section": "PI1.0 - Processing Integrity",
|
|
523
|
+
"Service": "gcp",
|
|
524
|
+
"Type": "automated"
|
|
525
|
+
}
|
|
526
|
+
],
|
|
527
|
+
"Checks": [
|
|
528
|
+
"logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled",
|
|
529
|
+
"logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled",
|
|
530
|
+
"logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled",
|
|
531
|
+
"cloudsql_instance_postgres_log_connections_flag",
|
|
532
|
+
"cloudsql_instance_postgres_log_disconnections_flag",
|
|
533
|
+
"cloudsql_instance_postgres_log_statement_flag",
|
|
534
|
+
"iam_audit_logs_enabled"
|
|
535
|
+
]
|
|
536
|
+
},
|
|
537
|
+
{
|
|
538
|
+
"Id": "pi_1_4",
|
|
539
|
+
"Name": "PI1.4 System outputs are complete, accurate, distributed only to intended parties, and retained to meet the entity's processing integrity commitments and system requirements",
|
|
540
|
+
"Description": "The entity implements controls to ensure system outputs are delivered to authorized recipients in the correct format and protected against unauthorized access, modification, theft, destruction, or corruption. This includes output encryption, access controls, and audit trails for output delivery.",
|
|
541
|
+
"Attributes": [
|
|
542
|
+
{
|
|
543
|
+
"ItemId": "pi_1_4",
|
|
544
|
+
"Section": "PI1.0 - Processing Integrity",
|
|
545
|
+
"Service": "gcp",
|
|
546
|
+
"Type": "automated"
|
|
547
|
+
}
|
|
548
|
+
],
|
|
549
|
+
"Checks": [
|
|
550
|
+
"cloudstorage_bucket_uniform_bucket_level_access",
|
|
551
|
+
"bigquery_dataset_cmk_encryption",
|
|
552
|
+
"bigquery_table_cmk_encryption",
|
|
553
|
+
"compute_instance_confidential_computing_enabled",
|
|
554
|
+
"pubsub_topic_encryption_with_cmk"
|
|
555
|
+
]
|
|
556
|
+
},
|
|
557
|
+
{
|
|
558
|
+
"Id": "pi_1_5",
|
|
559
|
+
"Name": "PI1.5 Stored data is maintained complete, accurate, and protected from unauthorized modification to meet the entity's processing integrity commitments and system requirements",
|
|
560
|
+
"Description": "The entity implements controls to protect stored inputs, items in processing, and outputs from theft, destruction, corruption, or deterioration. This includes data encryption at rest, key management, backup and recovery procedures, access controls, and data integrity validation.",
|
|
561
|
+
"Attributes": [
|
|
562
|
+
{
|
|
563
|
+
"ItemId": "pi_1_5",
|
|
564
|
+
"Section": "PI1.0 - Processing Integrity",
|
|
565
|
+
"Service": "gcp",
|
|
566
|
+
"Type": "automated"
|
|
567
|
+
}
|
|
568
|
+
],
|
|
569
|
+
"Checks": [
|
|
570
|
+
"cloudstorage_bucket_log_retention_policy_lock",
|
|
571
|
+
"cloudsql_instance_automated_backups",
|
|
572
|
+
"compute_instance_encryption_with_csek_enabled",
|
|
573
|
+
"kms_key_rotation_enabled",
|
|
574
|
+
"dataproc_encrypted_with_cmks_disabled"
|
|
575
|
+
]
|
|
495
576
|
}
|
|
496
577
|
]
|
|
497
|
-
}
|
|
578
|
+
}
|
prowler/config/config.py
CHANGED
|
@@ -38,7 +38,7 @@ class _MutableTimestamp:
|
|
|
38
38
|
|
|
39
39
|
timestamp = _MutableTimestamp(datetime.today())
|
|
40
40
|
timestamp_utc = _MutableTimestamp(datetime.now(timezone.utc))
|
|
41
|
-
prowler_version = "5.
|
|
41
|
+
prowler_version = "5.15.0"
|
|
42
42
|
html_logo_url = "https://github.com/prowler-cloud/prowler/"
|
|
43
43
|
square_logo_img = "https://raw.githubusercontent.com/prowler-cloud/prowler/dc7d2d5aeb92fdf12e8604f42ef6472cd3e8e889/docs/img/prowler-logo-black.png"
|
|
44
44
|
aws_logo = "https://user-images.githubusercontent.com/38561120/235953920-3e3fba08-0795-41dc-b480-9bea57db9f2e.png"
|
|
@@ -60,6 +60,7 @@ class Provider(str, Enum):
|
|
|
60
60
|
NHN = "nhn"
|
|
61
61
|
MONGODBATLAS = "mongodbatlas"
|
|
62
62
|
ORACLECLOUD = "oraclecloud"
|
|
63
|
+
ALIBABACLOUD = "alibabacloud"
|
|
63
64
|
|
|
64
65
|
|
|
65
66
|
# Compliance
|
prowler/lib/check/check.py
CHANGED
|
@@ -14,7 +14,7 @@ from colorama import Fore, Style
|
|
|
14
14
|
import prowler
|
|
15
15
|
from prowler.config.config import orange_color
|
|
16
16
|
from prowler.lib.check.custom_checks_metadata import update_check_metadata
|
|
17
|
-
from prowler.lib.check.models import Check
|
|
17
|
+
from prowler.lib.check.models import Check, load_check_metadata
|
|
18
18
|
from prowler.lib.check.utils import recover_checks_from_provider
|
|
19
19
|
from prowler.lib.logger import logger
|
|
20
20
|
from prowler.lib.outputs.outputs import report
|
|
@@ -110,6 +110,48 @@ def parse_checks_from_folder(provider, input_folder: str) -> set:
|
|
|
110
110
|
sys.exit(1)
|
|
111
111
|
|
|
112
112
|
|
|
113
|
+
def load_custom_checks_metadata(input_folder: str) -> dict:
|
|
114
|
+
"""
|
|
115
|
+
Load check metadata from a custom checks folder without copying the checks.
|
|
116
|
+
This is used to validate check names before the provider is initialized.
|
|
117
|
+
|
|
118
|
+
Args:
|
|
119
|
+
input_folder (str): Path to the folder containing custom checks.
|
|
120
|
+
|
|
121
|
+
Returns:
|
|
122
|
+
dict: A dictionary with CheckID as key and CheckMetadata as value.
|
|
123
|
+
"""
|
|
124
|
+
custom_checks_metadata = {}
|
|
125
|
+
|
|
126
|
+
try:
|
|
127
|
+
if not os.path.isdir(input_folder):
|
|
128
|
+
return custom_checks_metadata
|
|
129
|
+
|
|
130
|
+
with os.scandir(input_folder) as checks:
|
|
131
|
+
for check in checks:
|
|
132
|
+
if check.is_dir():
|
|
133
|
+
check_name = check.name
|
|
134
|
+
metadata_file = os.path.join(
|
|
135
|
+
input_folder, check_name, f"{check_name}.metadata.json"
|
|
136
|
+
)
|
|
137
|
+
if os.path.isfile(metadata_file):
|
|
138
|
+
try:
|
|
139
|
+
check_metadata = load_check_metadata(metadata_file)
|
|
140
|
+
custom_checks_metadata[check_metadata.CheckID] = (
|
|
141
|
+
check_metadata
|
|
142
|
+
)
|
|
143
|
+
except Exception as error:
|
|
144
|
+
logger.warning(
|
|
145
|
+
f"Could not load metadata from {metadata_file}: {error}"
|
|
146
|
+
)
|
|
147
|
+
return custom_checks_metadata
|
|
148
|
+
except Exception as error:
|
|
149
|
+
logger.error(
|
|
150
|
+
f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
|
|
151
|
+
)
|
|
152
|
+
return custom_checks_metadata
|
|
153
|
+
|
|
154
|
+
|
|
113
155
|
# Load checks from custom folder
|
|
114
156
|
def remove_custom_checks_module(input_folder: str, provider: str):
|
|
115
157
|
# Check if input folder is a S3 URI
|
|
@@ -641,6 +683,10 @@ def execute(
|
|
|
641
683
|
is_finding_muted_args["organization_id"] = (
|
|
642
684
|
global_provider.identity.organization_id
|
|
643
685
|
)
|
|
686
|
+
elif global_provider.type == "alibabacloud":
|
|
687
|
+
is_finding_muted_args["account_id"] = (
|
|
688
|
+
global_provider.identity.account_id
|
|
689
|
+
)
|
|
644
690
|
for finding in check_findings:
|
|
645
691
|
if global_provider.type == "azure":
|
|
646
692
|
is_finding_muted_args["subscription_id"] = (
|
prowler/lib/check/models.py
CHANGED
|
@@ -649,6 +649,29 @@ class Check_Report_OCI(Check_Report):
|
|
|
649
649
|
self.region = region or getattr(resource, "region", "")
|
|
650
650
|
|
|
651
651
|
|
|
652
|
+
@dataclass
|
|
653
|
+
class CheckReportAlibabaCloud(Check_Report):
|
|
654
|
+
"""Contains the Alibaba Cloud Check's finding information."""
|
|
655
|
+
|
|
656
|
+
resource_id: str
|
|
657
|
+
resource_arn: str
|
|
658
|
+
region: str
|
|
659
|
+
|
|
660
|
+
def __init__(self, metadata: Dict, resource: Any) -> None:
|
|
661
|
+
"""Initialize the Alibaba Cloud Check's finding information.
|
|
662
|
+
|
|
663
|
+
Args:
|
|
664
|
+
metadata: The metadata of the check.
|
|
665
|
+
resource: Basic information about the resource.
|
|
666
|
+
"""
|
|
667
|
+
super().__init__(metadata, resource)
|
|
668
|
+
self.resource_id = (
|
|
669
|
+
getattr(resource, "id", None) or getattr(resource, "name", None) or ""
|
|
670
|
+
)
|
|
671
|
+
self.resource_arn = getattr(resource, "arn", "")
|
|
672
|
+
self.region = getattr(resource, "region", "")
|
|
673
|
+
|
|
674
|
+
|
|
652
675
|
@dataclass
|
|
653
676
|
class Check_Report_Kubernetes(Check_Report):
|
|
654
677
|
# TODO change class name to CheckReportKubernetes
|
prowler/lib/check/utils.py
CHANGED
|
@@ -26,7 +26,7 @@ def recover_checks_from_provider(
|
|
|
26
26
|
# We need to exclude common shared libraries in services
|
|
27
27
|
if (
|
|
28
28
|
check_module_name.count(".") == 6
|
|
29
|
-
and "lib" not in check_module_name
|
|
29
|
+
and ".lib." not in check_module_name
|
|
30
30
|
and (not check_module_name.endswith("_fixer") or include_fixers)
|
|
31
31
|
):
|
|
32
32
|
check_path = module_name.module_finder.path
|