prowler-cloud 5.14.2__py3-none-any.whl → 5.15.0__py3-none-any.whl
- dashboard/assets/images/providers/alibabacloud_provider.png +0 -0
- dashboard/compliance/cis_2_0_alibabacloud.py +24 -0
- dashboard/lib/layouts.py +1 -0
- dashboard/pages/compliance.py +8 -2
- dashboard/pages/overview.py +52 -1
- prowler/CHANGELOG.md +53 -21
- prowler/__main__.py +34 -0
- prowler/compliance/alibabacloud/__init__.py +0 -0
- prowler/compliance/alibabacloud/cis_2.0_alibabacloud.json +1833 -0
- prowler/compliance/aws/iso27001_2013_aws.json +158 -158
- prowler/compliance/aws/soc2_aws.json +100 -0
- prowler/compliance/azure/rbi_cyber_security_framework_azure.json +248 -0
- prowler/compliance/azure/soc2_azure.json +87 -1
- prowler/compliance/gcp/soc2_gcp.json +82 -1
- prowler/config/config.py +2 -1
- prowler/lib/check/check.py +4 -0
- prowler/lib/check/models.py +23 -0
- prowler/lib/check/utils.py +1 -1
- prowler/lib/cli/parser.py +3 -2
- prowler/lib/outputs/compliance/cis/cis_alibabacloud.py +106 -0
- prowler/lib/outputs/compliance/cis/models.py +35 -0
- prowler/lib/outputs/finding.py +16 -0
- prowler/lib/outputs/html/html.py +67 -0
- prowler/lib/outputs/outputs.py +2 -0
- prowler/lib/outputs/summary_table.py +3 -0
- prowler/providers/alibabacloud/__init__.py +0 -0
- prowler/providers/alibabacloud/alibabacloud_provider.py +872 -0
- prowler/providers/alibabacloud/config.py +41 -0
- prowler/providers/alibabacloud/exceptions/__init__.py +0 -0
- prowler/providers/alibabacloud/exceptions/exceptions.py +116 -0
- prowler/providers/alibabacloud/lib/__init__.py +0 -0
- prowler/providers/alibabacloud/lib/arguments/__init__.py +0 -0
- prowler/providers/alibabacloud/lib/arguments/arguments.py +58 -0
- prowler/providers/alibabacloud/lib/mutelist/__init__.py +0 -0
- prowler/providers/alibabacloud/lib/mutelist/mutelist.py +175 -0
- prowler/providers/alibabacloud/lib/service/__init__.py +0 -0
- prowler/providers/alibabacloud/lib/service/service.py +113 -0
- prowler/providers/alibabacloud/models.py +266 -0
- prowler/providers/alibabacloud/services/__init__.py +0 -0
- prowler/providers/alibabacloud/services/actiontrail/__init__.py +0 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_client.py +6 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_multi_region_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_multi_region_enabled/actiontrail_multi_region_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_multi_region_enabled/actiontrail_multi_region_enabled.py +81 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_oss_bucket_not_publicly_accessible/__init__.py +0 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_oss_bucket_not_publicly_accessible/actiontrail_oss_bucket_not_publicly_accessible.metadata.json +40 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_oss_bucket_not_publicly_accessible/actiontrail_oss_bucket_not_publicly_accessible.py +119 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_service.py +110 -0
- prowler/providers/alibabacloud/services/cs/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_client.py +4 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cloudmonitor_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cloudmonitor_enabled/cs_kubernetes_cloudmonitor_enabled.metadata.json +38 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cloudmonitor_enabled/cs_kubernetes_cloudmonitor_enabled.py +26 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_recent/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_recent/cs_kubernetes_cluster_check_recent.metadata.json +38 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_recent/cs_kubernetes_cluster_check_recent.py +62 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_weekly/cs_kubernetes_cluster_check_weekly.metadata.json +38 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_weekly/cs_kubernetes_cluster_check_weekly.py +62 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_dashboard_disabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_dashboard_disabled/cs_kubernetes_dashboard_disabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_dashboard_disabled/cs_kubernetes_dashboard_disabled.py +26 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_eni_multiple_ip_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_eni_multiple_ip_enabled/cs_kubernetes_eni_multiple_ip_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_eni_multiple_ip_enabled/cs_kubernetes_eni_multiple_ip_enabled.py +26 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_log_service_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_log_service_enabled/cs_kubernetes_log_service_enabled.metadata.json +40 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_log_service_enabled/cs_kubernetes_log_service_enabled.py +26 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_network_policy_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_network_policy_enabled/cs_kubernetes_network_policy_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_network_policy_enabled/cs_kubernetes_network_policy_enabled.py +26 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_private_cluster_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_private_cluster_enabled/cs_kubernetes_private_cluster_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_private_cluster_enabled/cs_kubernetes_private_cluster_enabled.py +26 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_rbac_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_rbac_enabled/cs_kubernetes_rbac_enabled.metadata.json +40 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_rbac_enabled/cs_kubernetes_rbac_enabled.py +28 -0
- prowler/providers/alibabacloud/services/cs/cs_service.py +354 -0
- prowler/providers/alibabacloud/services/ecs/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_attached_disk_encrypted/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_attached_disk_encrypted/ecs_attached_disk_encrypted.metadata.json +38 -0
- prowler/providers/alibabacloud/services/ecs/ecs_attached_disk_encrypted/ecs_attached_disk_encrypted.py +38 -0
- prowler/providers/alibabacloud/services/ecs/ecs_client.py +4 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_endpoint_protection_installed/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_endpoint_protection_installed/ecs_instance_endpoint_protection_installed.metadata.json +41 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_endpoint_protection_installed/ecs_instance_endpoint_protection_installed.py +47 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_latest_os_patches_applied/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_latest_os_patches_applied/ecs_instance_latest_os_patches_applied.metadata.json +38 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_latest_os_patches_applied/ecs_instance_latest_os_patches_applied.py +50 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_no_legacy_network/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_no_legacy_network/ecs_instance_no_legacy_network.metadata.json +38 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_no_legacy_network/ecs_instance_no_legacy_network.py +34 -0
- prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_rdp_internet/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_rdp_internet/ecs_securitygroup_restrict_rdp_internet.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_rdp_internet/ecs_securitygroup_restrict_rdp_internet.py +68 -0
- prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_ssh_internet/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_ssh_internet/ecs_securitygroup_restrict_ssh_internet.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_ssh_internet/ecs_securitygroup_restrict_ssh_internet.py +68 -0
- prowler/providers/alibabacloud/services/ecs/ecs_service.py +380 -0
- prowler/providers/alibabacloud/services/ecs/ecs_unattached_disk_encrypted/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_unattached_disk_encrypted/ecs_unattached_disk_encrypted.metadata.json +38 -0
- prowler/providers/alibabacloud/services/ecs/ecs_unattached_disk_encrypted/ecs_unattached_disk_encrypted.py +38 -0
- prowler/providers/alibabacloud/services/ecs/lib/security_groups.py +23 -0
- prowler/providers/alibabacloud/services/oss/__init__.py +0 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_logging_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_logging_enabled/oss_bucket_logging_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_logging_enabled/oss_bucket_logging_enabled.py +37 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_not_publicly_accessible/__init__.py +0 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_not_publicly_accessible/oss_bucket_not_publicly_accessible.metadata.json +39 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_not_publicly_accessible/oss_bucket_not_publicly_accessible.py +89 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_secure_transport_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_secure_transport_enabled/oss_bucket_secure_transport_enabled.metadata.json +38 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_secure_transport_enabled/oss_bucket_secure_transport_enabled.py +87 -0
- prowler/providers/alibabacloud/services/oss/oss_client.py +4 -0
- prowler/providers/alibabacloud/services/oss/oss_service.py +317 -0
- prowler/providers/alibabacloud/services/ram/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_client.py +4 -0
- prowler/providers/alibabacloud/services/ram/ram_no_root_access_key/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_no_root_access_key/ram_no_root_access_key.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_no_root_access_key/ram_no_root_access_key.py +33 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_lowercase/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_lowercase/ram_password_policy_lowercase.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_lowercase/ram_password_policy_lowercase.py +32 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_max_login_attempts/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_max_login_attempts/ram_password_policy_max_login_attempts.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_max_login_attempts/ram_password_policy_max_login_attempts.py +32 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_max_password_age/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_max_password_age/ram_password_policy_max_password_age.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_max_password_age/ram_password_policy_max_password_age.py +35 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_minimum_length/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_minimum_length/ram_password_policy_minimum_length.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_minimum_length/ram_password_policy_minimum_length.py +30 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_number/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_number/ram_password_policy_number.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_password_reuse_prevention/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_password_reuse_prevention/ram_password_policy_password_reuse_prevention.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_password_reuse_prevention/ram_password_policy_password_reuse_prevention.py +35 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_symbol/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_symbol/ram_password_policy_symbol.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_symbol/ram_password_policy_symbol.py +34 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_uppercase/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_uppercase/ram_password_policy_uppercase.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_uppercase/ram_password_policy_uppercase.py +32 -0
- prowler/providers/alibabacloud/services/ram/ram_policy_attached_only_to_group_or_roles/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_policy_attached_only_to_group_or_roles/ram_policy_attached_only_to_group_or_roles.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_policy_attached_only_to_group_or_roles/ram_policy_attached_only_to_group_or_roles.py +35 -0
- prowler/providers/alibabacloud/services/ram/ram_policy_no_administrative_privileges/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_policy_no_administrative_privileges/ram_policy_no_administrative_privileges.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_policy_no_administrative_privileges/ram_policy_no_administrative_privileges.py +73 -0
- prowler/providers/alibabacloud/services/ram/ram_rotate_access_key_90_days/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_rotate_access_key_90_days/ram_rotate_access_key_90_days.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_rotate_access_key_90_days/ram_rotate_access_key_90_days.py +58 -0
- prowler/providers/alibabacloud/services/ram/ram_service.py +478 -0
- prowler/providers/alibabacloud/services/ram/ram_user_console_access_unused/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_user_console_access_unused/ram_user_console_access_unused.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_user_console_access_unused/ram_user_console_access_unused.py +56 -0
- prowler/providers/alibabacloud/services/ram/ram_user_mfa_enabled_console_access/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_user_mfa_enabled_console_access/ram_user_mfa_enabled_console_access.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_user_mfa_enabled_console_access/ram_user_mfa_enabled_console_access.py +36 -0
- prowler/providers/alibabacloud/services/rds/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_client.py +4 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_no_public_access_whitelist/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_no_public_access_whitelist/rds_instance_no_public_access_whitelist.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_no_public_access_whitelist/rds_instance_no_public_access_whitelist.py +36 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_connections_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_connections_enabled/rds_instance_postgresql_log_connections_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_connections_enabled/rds_instance_postgresql_log_connections_enabled.py +29 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_disconnections_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_disconnections_enabled/rds_instance_postgresql_log_disconnections_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_disconnections_enabled/rds_instance_postgresql_log_disconnections_enabled.py +29 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_duration_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_duration_enabled/rds_instance_postgresql_log_duration_enabled.metadata.json +38 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_duration_enabled/rds_instance_postgresql_log_duration_enabled.py +29 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_enabled/rds_instance_sql_audit_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_enabled/rds_instance_sql_audit_enabled.py +32 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_retention/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_retention/rds_instance_sql_audit_retention.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_retention/rds_instance_sql_audit_retention.py +41 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_ssl_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_ssl_enabled/rds_instance_ssl_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_ssl_enabled/rds_instance_ssl_enabled.py +30 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_tde_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_tde_enabled/rds_instance_tde_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_tde_enabled/rds_instance_tde_enabled.py +32 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_tde_key_custom/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_tde_key_custom/rds_instance_tde_key_custom.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_tde_key_custom/rds_instance_tde_key_custom.py +38 -0
- prowler/providers/alibabacloud/services/rds/rds_service.py +274 -0
- prowler/providers/alibabacloud/services/securitycenter/__init__.py +0 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_advanced_or_enterprise_edition/__init__.py +0 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_advanced_or_enterprise_edition/securitycenter_advanced_or_enterprise_edition.metadata.json +43 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_advanced_or_enterprise_edition/securitycenter_advanced_or_enterprise_edition.py +48 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_all_assets_agent_installed/__init__.py +0 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_all_assets_agent_installed/securitycenter_all_assets_agent_installed.metadata.json +42 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_all_assets_agent_installed/securitycenter_all_assets_agent_installed.py +48 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_client.py +6 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_notification_enabled_high_risk/__init__.py +0 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_notification_enabled_high_risk/securitycenter_notification_enabled_high_risk.metadata.json +42 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_notification_enabled_high_risk/securitycenter_notification_enabled_high_risk.py +65 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_service.py +394 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_vulnerability_scan_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_vulnerability_scan_enabled/securitycenter_vulnerability_scan_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_vulnerability_scan_enabled/securitycenter_vulnerability_scan_enabled.py +68 -0
- prowler/providers/alibabacloud/services/sls/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_client.py +4 -0
- prowler/providers/alibabacloud/services/sls/sls_cloud_firewall_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_cloud_firewall_changes_alert_enabled/sls_cloud_firewall_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_cloud_firewall_changes_alert_enabled/sls_cloud_firewall_changes_alert_enabled.py +50 -0
- prowler/providers/alibabacloud/services/sls/sls_customer_created_cmk_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_customer_created_cmk_changes_alert_enabled/sls_customer_created_cmk_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_customer_created_cmk_changes_alert_enabled/sls_customer_created_cmk_changes_alert_enabled.py +48 -0
- prowler/providers/alibabacloud/services/sls/sls_logstore_retention_period/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_logstore_retention_period/sls_logstore_retention_period.metadata.json +38 -0
- prowler/providers/alibabacloud/services/sls/sls_logstore_retention_period/sls_logstore_retention_period.py +32 -0
- prowler/providers/alibabacloud/services/sls/sls_management_console_authentication_failures_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_management_console_authentication_failures_alert_enabled/sls_management_console_authentication_failures_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_management_console_authentication_failures_alert_enabled/sls_management_console_authentication_failures_alert_enabled.py +44 -0
- prowler/providers/alibabacloud/services/sls/sls_management_console_signin_without_mfa_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_management_console_signin_without_mfa_alert_enabled/sls_management_console_signin_without_mfa_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_management_console_signin_without_mfa_alert_enabled/sls_management_console_signin_without_mfa_alert_enabled.py +49 -0
- prowler/providers/alibabacloud/services/sls/sls_oss_bucket_policy_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_oss_bucket_policy_changes_alert_enabled/sls_oss_bucket_policy_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_oss_bucket_policy_changes_alert_enabled/sls_oss_bucket_policy_changes_alert_enabled.py +57 -0
- prowler/providers/alibabacloud/services/sls/sls_oss_permission_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_oss_permission_changes_alert_enabled/sls_oss_permission_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_oss_permission_changes_alert_enabled/sls_oss_permission_changes_alert_enabled.py +48 -0
- prowler/providers/alibabacloud/services/sls/sls_ram_role_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_ram_role_changes_alert_enabled/sls_ram_role_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_ram_role_changes_alert_enabled/sls_ram_role_changes_alert_enabled.py +54 -0
- prowler/providers/alibabacloud/services/sls/sls_rds_instance_configuration_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_rds_instance_configuration_changes_alert_enabled/sls_rds_instance_configuration_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_rds_instance_configuration_changes_alert_enabled/sls_rds_instance_configuration_changes_alert_enabled.py +72 -0
- prowler/providers/alibabacloud/services/sls/sls_root_account_usage_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_root_account_usage_alert_enabled/sls_root_account_usage_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_root_account_usage_alert_enabled/sls_root_account_usage_alert_enabled.py +50 -0
- prowler/providers/alibabacloud/services/sls/sls_security_group_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_security_group_changes_alert_enabled/sls_security_group_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_security_group_changes_alert_enabled/sls_security_group_changes_alert_enabled.py +56 -0
- prowler/providers/alibabacloud/services/sls/sls_service.py +137 -0
- prowler/providers/alibabacloud/services/sls/sls_unauthorized_api_calls_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_unauthorized_api_calls_alert_enabled/sls_unauthorized_api_calls_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_unauthorized_api_calls_alert_enabled/sls_unauthorized_api_calls_alert_enabled.py +56 -0
- prowler/providers/alibabacloud/services/sls/sls_vpc_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_vpc_changes_alert_enabled/sls_vpc_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_vpc_changes_alert_enabled/sls_vpc_changes_alert_enabled.py +57 -0
- prowler/providers/alibabacloud/services/sls/sls_vpc_network_route_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_vpc_network_route_changes_alert_enabled/sls_vpc_network_route_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_vpc_network_route_changes_alert_enabled/sls_vpc_network_route_changes_alert_enabled.py +52 -0
- prowler/providers/alibabacloud/services/vpc/__init__.py +0 -0
- prowler/providers/alibabacloud/services/vpc/vpc_client.py +4 -0
- prowler/providers/alibabacloud/services/vpc/vpc_flow_logs_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.py +30 -0
- prowler/providers/alibabacloud/services/vpc/vpc_service.py +102 -0
- prowler/providers/aws/aws_regions_by_service.json +20 -0
- prowler/providers/aws/services/apigateway/apigateway_restapi_waf_acl_attached/apigateway_restapi_waf_acl_attached.metadata.json +1 -3
- prowler/providers/aws/services/cloudtrail/cloudtrail_insights_exist/cloudtrail_insights_exist.metadata.json +1 -1
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.metadata.json +0 -1
- prowler/providers/aws/services/guardduty/guardduty_centrally_managed/guardduty_centrally_managed.metadata.json +16 -10
- prowler/providers/aws/services/guardduty/guardduty_ec2_malware_protection_enabled/guardduty_ec2_malware_protection_enabled.metadata.json +23 -14
- prowler/providers/aws/services/guardduty/guardduty_eks_audit_log_enabled/guardduty_eks_audit_log_enabled.metadata.json +19 -13
- prowler/providers/aws/services/guardduty/guardduty_eks_runtime_monitoring_enabled/guardduty_eks_runtime_monitoring_enabled.metadata.json +18 -12
- prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled.metadata.json +24 -13
- prowler/providers/aws/services/guardduty/guardduty_lambda_protection_enabled/guardduty_lambda_protection_enabled.metadata.json +20 -14
- prowler/providers/aws/services/guardduty/guardduty_no_high_severity_findings/guardduty_no_high_severity_findings.metadata.json +18 -9
- prowler/providers/aws/services/guardduty/guardduty_rds_protection_enabled/guardduty_rds_protection_enabled.metadata.json +18 -11
- prowler/providers/aws/services/guardduty/guardduty_s3_protection_enabled/guardduty_s3_protection_enabled.metadata.json +21 -12
- prowler/providers/aws/services/lightsail/lightsail_database_public/lightsail_database_public.metadata.json +21 -13
- prowler/providers/aws/services/lightsail/lightsail_instance_automated_snapshots/lightsail_instance_automated_snapshots.metadata.json +24 -13
- prowler/providers/aws/services/lightsail/lightsail_instance_public/lightsail_instance_public.metadata.json +21 -13
- prowler/providers/aws/services/lightsail/lightsail_static_ip_unused/lightsail_static_ip_unused.metadata.json +23 -14
- prowler/providers/aws/services/macie/macie_automated_sensitive_data_discovery_enabled/macie_automated_sensitive_data_discovery_enabled.metadata.json +20 -12
- prowler/providers/aws/services/macie/macie_is_enabled/macie_is_enabled.metadata.json +17 -12
- prowler/providers/aws/services/mq/mq_broker_active_deployment_mode/mq_broker_active_deployment_mode.metadata.json +22 -13
- prowler/providers/aws/services/mq/mq_broker_auto_minor_version_upgrades/mq_broker_auto_minor_version_upgrades.metadata.json +21 -12
- prowler/providers/aws/services/mq/mq_broker_cluster_deployment_mode/mq_broker_cluster_deployment_mode.metadata.json +23 -14
- prowler/providers/aws/services/mq/mq_broker_logging_enabled/mq_broker_logging_enabled.metadata.json +22 -13
- prowler/providers/aws/services/mq/mq_broker_not_publicly_accessible/mq_broker_not_publicly_accessible.metadata.json +20 -12
- prowler/providers/aws/services/networkfirewall/networkfirewall_deletion_protection/networkfirewall_deletion_protection.metadata.json +21 -13
- prowler/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc.metadata.json +23 -13
- prowler/providers/aws/services/networkfirewall/networkfirewall_logging_enabled/networkfirewall_logging_enabled.metadata.json +20 -13
- prowler/providers/aws/services/networkfirewall/networkfirewall_multi_az/networkfirewall_multi_az.metadata.json +22 -14
- prowler/providers/aws/services/networkfirewall/networkfirewall_policy_default_action_fragmented_packets/networkfirewall_policy_default_action_fragmented_packets.metadata.json +26 -14
- prowler/providers/aws/services/networkfirewall/networkfirewall_policy_default_action_full_packets/networkfirewall_policy_default_action_full_packets.metadata.json +22 -13
- prowler/providers/aws/services/networkfirewall/networkfirewall_policy_rule_group_associated/networkfirewall_policy_rule_group_associated.metadata.json +25 -14
- prowler/providers/common/provider.py +12 -0
- prowler/providers/gcp/services/accesscontextmanager/__init__.py +0 -0
- prowler/providers/gcp/services/accesscontextmanager/accesscontextmanager_client.py +6 -0
- prowler/providers/gcp/services/accesscontextmanager/accesscontextmanager_service.py +101 -0
- prowler/providers/gcp/services/cloudresourcemanager/cloudresourcemanager_service.py +10 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_service.py +13 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_uses_vpc_service_controls/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_uses_vpc_service_controls/cloudstorage_uses_vpc_service_controls.metadata.json +36 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_uses_vpc_service_controls/cloudstorage_uses_vpc_service_controls.py +67 -0
- prowler/providers/gcp/services/compute/compute_instance_automatic_restart_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/compute/compute_instance_automatic_restart_enabled/compute_instance_automatic_restart_enabled.metadata.json +36 -0
- prowler/providers/gcp/services/compute/compute_instance_automatic_restart_enabled/compute_instance_automatic_restart_enabled.py +35 -0
- prowler/providers/gcp/services/compute/compute_instance_deletion_protection_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/compute/compute_instance_deletion_protection_enabled/compute_instance_deletion_protection_enabled.metadata.json +36 -0
- prowler/providers/gcp/services/compute/compute_instance_deletion_protection_enabled/compute_instance_deletion_protection_enabled.py +29 -0
- prowler/providers/gcp/services/compute/compute_instance_preemptible_vm_disabled/__init__.py +0 -0
- prowler/providers/gcp/services/compute/compute_instance_preemptible_vm_disabled/compute_instance_preemptible_vm_disabled.metadata.json +37 -0
- prowler/providers/gcp/services/compute/compute_instance_preemptible_vm_disabled/compute_instance_preemptible_vm_disabled.py +32 -0
- prowler/providers/gcp/services/compute/compute_service.py +16 -0
- prowler/providers/github/services/repository/repository_immutable_releases_enabled/__init__.py +0 -0
- prowler/providers/github/services/repository/repository_immutable_releases_enabled/repository_immutable_releases_enabled.metadata.json +33 -0
- prowler/providers/github/services/repository/repository_immutable_releases_enabled/repository_immutable_releases_enabled.py +41 -0
- prowler/providers/github/services/repository/repository_service.py +52 -0
- {prowler_cloud-5.14.2.dist-info → prowler_cloud-5.15.0.dist-info}/METADATA +40 -22
- {prowler_cloud-5.14.2.dist-info → prowler_cloud-5.15.0.dist-info}/RECORD +326 -73
- {prowler_cloud-5.14.2.dist-info → prowler_cloud-5.15.0.dist-info}/LICENSE +0 -0
- {prowler_cloud-5.14.2.dist-info → prowler_cloud-5.15.0.dist-info}/WHEEL +0 -0
- {prowler_cloud-5.14.2.dist-info → prowler_cloud-5.15.0.dist-info}/entry_points.txt +0 -0
|
@@ -0,0 +1,266 @@
|
|
|
1
|
+
from datetime import datetime
|
|
2
|
+
from typing import Optional
|
|
3
|
+
|
|
4
|
+
from alibabacloud_actiontrail20200706.client import Client as ActionTrailClient
|
|
5
|
+
from alibabacloud_cs20151215.client import Client as CSClient
|
|
6
|
+
from alibabacloud_ecs20140526.client import Client as EcsClient
|
|
7
|
+
from alibabacloud_oss20190517.client import Client as OssClient
|
|
8
|
+
from alibabacloud_ram20150501.client import Client as RamClient
|
|
9
|
+
from alibabacloud_rds20140815.client import Client as RdsClient
|
|
10
|
+
from alibabacloud_sas20181203.client import Client as SasClient
|
|
11
|
+
from alibabacloud_sls20201230.client import Client as SlsClient
|
|
12
|
+
from alibabacloud_tea_openapi import models as open_api_models
|
|
13
|
+
from alibabacloud_vpc20160428.client import Client as VpcClient
|
|
14
|
+
from pydantic.v1 import BaseModel
|
|
15
|
+
|
|
16
|
+
from prowler.lib.logger import logger
|
|
17
|
+
from prowler.providers.alibabacloud.config import (
|
|
18
|
+
ALIBABACLOUD_DEFAULT_REGION,
|
|
19
|
+
ALIBABACLOUD_SDK_CONNECT_TIMEOUT,
|
|
20
|
+
ALIBABACLOUD_SDK_READ_TIMEOUT,
|
|
21
|
+
)
|
|
22
|
+
from prowler.providers.common.models import ProviderOutputOptions
|
|
23
|
+
|
|
24
|
+
|
|
25
|
+
class AlibabaCloudCallerIdentity(BaseModel):
|
|
26
|
+
"""
|
|
27
|
+
AlibabaCloudCallerIdentity stores the caller identity information from STS GetCallerIdentity.
|
|
28
|
+
|
|
29
|
+
Attributes:
|
|
30
|
+
account_id: The Alibaba Cloud account ID
|
|
31
|
+
principal_id: The principal ID (user ID or root account ID)
|
|
32
|
+
arn: The ARN-like identifier for the identity
|
|
33
|
+
identity_type: The type of identity (e.g., "RamUser", "Root")
|
|
34
|
+
"""
|
|
35
|
+
|
|
36
|
+
account_id: str
|
|
37
|
+
principal_id: str
|
|
38
|
+
arn: str
|
|
39
|
+
identity_type: str = ""
|
|
40
|
+
|
|
41
|
+
|
|
42
|
+
class AlibabaCloudIdentityInfo(BaseModel):
|
|
43
|
+
"""
|
|
44
|
+
AlibabaCloudIdentityInfo stores the Alibaba Cloud account identity information.
|
|
45
|
+
|
|
46
|
+
Attributes:
|
|
47
|
+
account_id: The Alibaba Cloud account ID
|
|
48
|
+
account_name: The Alibaba Cloud account name (if available)
|
|
49
|
+
user_id: The RAM user ID or root account ID
|
|
50
|
+
user_name: The RAM user name or "root" for root account
|
|
51
|
+
identity_arn: The ARN-like identifier for the identity
|
|
52
|
+
profile: The profile name used for authentication
|
|
53
|
+
profile_region: The default region from the profile
|
|
54
|
+
audited_regions: Set of regions to be audited
|
|
55
|
+
is_root: Whether this is the root account (True) or a RAM user (False)
|
|
56
|
+
"""
|
|
57
|
+
|
|
58
|
+
account_id: str
|
|
59
|
+
account_name: str
|
|
60
|
+
user_id: str
|
|
61
|
+
user_name: str
|
|
62
|
+
identity_arn: str
|
|
63
|
+
profile: str
|
|
64
|
+
profile_region: str
|
|
65
|
+
audited_regions: set[str]
|
|
66
|
+
is_root: bool = False
|
|
67
|
+
|
|
68
|
+
|
|
69
|
+
class AlibabaCloudCredentials(BaseModel):
|
|
70
|
+
"""
|
|
71
|
+
AlibabaCloudCredentials stores the Alibaba Cloud credentials.
|
|
72
|
+
|
|
73
|
+
Attributes:
|
|
74
|
+
access_key_id: The Access Key ID
|
|
75
|
+
access_key_secret: The Access Key Secret
|
|
76
|
+
security_token: The Security Token (for STS temporary credentials)
|
|
77
|
+
expiration: The expiration time for temporary credentials
|
|
78
|
+
"""
|
|
79
|
+
|
|
80
|
+
access_key_id: str
|
|
81
|
+
access_key_secret: str
|
|
82
|
+
security_token: Optional[str] = None
|
|
83
|
+
expiration: Optional[datetime] = None
|
|
84
|
+
|
|
85
|
+
|
|
86
|
+
class AlibabaCloudAssumeRoleInfo(BaseModel):
|
|
87
|
+
"""
|
|
88
|
+
AlibabaCloudAssumeRoleInfo stores the information for assuming a RAM role.
|
|
89
|
+
|
|
90
|
+
Attributes:
|
|
91
|
+
role_arn: The ARN of the role to assume
|
|
92
|
+
role_session_name: The session name for the assumed role
|
|
93
|
+
session_duration: The duration of the assumed role session (in seconds)
|
|
94
|
+
external_id: The external ID for role assumption
|
|
95
|
+
region: The region for STS endpoint
|
|
96
|
+
"""
|
|
97
|
+
|
|
98
|
+
role_arn: str
|
|
99
|
+
role_session_name: str
|
|
100
|
+
session_duration: int
|
|
101
|
+
external_id: Optional[str] = None
|
|
102
|
+
region: str = "cn-hangzhou"
|
|
103
|
+
|
|
104
|
+
|
|
105
|
+
class AlibabaCloudRegion(BaseModel):
|
|
106
|
+
"""
|
|
107
|
+
AlibabaCloudRegion stores information about an Alibaba Cloud region.
|
|
108
|
+
|
|
109
|
+
Attributes:
|
|
110
|
+
region_id: The region identifier (e.g., cn-hangzhou, cn-shanghai)
|
|
111
|
+
region_name: The human-readable region name
|
|
112
|
+
region_endpoint: The API endpoint for the region
|
|
113
|
+
"""
|
|
114
|
+
|
|
115
|
+
region_id: str
|
|
116
|
+
region_name: str
|
|
117
|
+
region_endpoint: Optional[str] = None
|
|
118
|
+
|
|
119
|
+
|
|
120
|
+
class AlibabaCloudSession:
|
|
121
|
+
"""
|
|
122
|
+
AlibabaCloudSession stores the Alibaba Cloud session and credentials.
|
|
123
|
+
|
|
124
|
+
This class provides methods to get credentials and create service clients.
|
|
125
|
+
"""
|
|
126
|
+
|
|
127
|
+
def __init__(self, cred_client):
|
|
128
|
+
"""
|
|
129
|
+
Initialize the Alibaba Cloud session.
|
|
130
|
+
|
|
131
|
+
Args:
|
|
132
|
+
cred_client: The Alibaba Cloud credentials client
|
|
133
|
+
"""
|
|
134
|
+
self.cred_client = cred_client
|
|
135
|
+
self._credentials = None
|
|
136
|
+
|
|
137
|
+
def get_credentials(self):
|
|
138
|
+
"""
|
|
139
|
+
Get the Alibaba Cloud credentials.
|
|
140
|
+
|
|
141
|
+
Returns:
|
|
142
|
+
AlibabaCloudCredentials object
|
|
143
|
+
"""
|
|
144
|
+
if self._credentials is None:
|
|
145
|
+
cred = self.cred_client.get_credential()
|
|
146
|
+
self._credentials = AlibabaCloudCredentials(
|
|
147
|
+
access_key_id=cred.get_access_key_id(),
|
|
148
|
+
access_key_secret=cred.get_access_key_secret(),
|
|
149
|
+
security_token=cred.get_security_token(),
|
|
150
|
+
)
|
|
151
|
+
return self._credentials
|
|
152
|
+
|
|
153
|
+
def client(self, service: str, region: str = None):
|
|
154
|
+
"""
|
|
155
|
+
Create a service client for the given service and region.
|
|
156
|
+
|
|
157
|
+
Args:
|
|
158
|
+
service: The service name (e.g., 'ram')
|
|
159
|
+
region: The region (optional, some services are global)
|
|
160
|
+
|
|
161
|
+
Returns:
|
|
162
|
+
A client instance for the specified service
|
|
163
|
+
"""
|
|
164
|
+
|
|
165
|
+
# Get credentials
|
|
166
|
+
cred = self.get_credentials()
|
|
167
|
+
|
|
168
|
+
# Create client configuration with timeout settings
|
|
169
|
+
config = open_api_models.Config(
|
|
170
|
+
access_key_id=cred.access_key_id,
|
|
171
|
+
access_key_secret=cred.access_key_secret,
|
|
172
|
+
read_timeout=ALIBABACLOUD_SDK_READ_TIMEOUT
|
|
173
|
+
* 1000, # Convert to milliseconds
|
|
174
|
+
connect_timeout=ALIBABACLOUD_SDK_CONNECT_TIMEOUT
|
|
175
|
+
* 1000, # Convert to milliseconds
|
|
176
|
+
)
|
|
177
|
+
if cred.security_token:
|
|
178
|
+
config.security_token = cred.security_token
|
|
179
|
+
|
|
180
|
+
# Set endpoint based on service
|
|
181
|
+
if service == "ram":
|
|
182
|
+
config.endpoint = "ram.aliyuncs.com"
|
|
183
|
+
return RamClient(config)
|
|
184
|
+
elif service == "vpc":
|
|
185
|
+
# VPC endpoint is regional: vpc.{region}.aliyuncs.com
|
|
186
|
+
if region:
|
|
187
|
+
config.endpoint = f"vpc.{region}.aliyuncs.com"
|
|
188
|
+
else:
|
|
189
|
+
config.endpoint = f"vpc.{ALIBABACLOUD_DEFAULT_REGION}.aliyuncs.com"
|
|
190
|
+
return VpcClient(config)
|
|
191
|
+
elif service == "ecs":
|
|
192
|
+
# ECS endpoint is regional: ecs.{region}.aliyuncs.com
|
|
193
|
+
if region:
|
|
194
|
+
config.endpoint = f"ecs.{region}.aliyuncs.com"
|
|
195
|
+
else:
|
|
196
|
+
config.endpoint = f"ecs.{ALIBABACLOUD_DEFAULT_REGION}.aliyuncs.com"
|
|
197
|
+
return EcsClient(config)
|
|
198
|
+
elif service == "sas" or service == "securitycenter":
|
|
199
|
+
# SAS (Security Center) endpoint is regional: sas.{region}.aliyuncs.com
|
|
200
|
+
if region:
|
|
201
|
+
config.endpoint = f"sas.{region}.aliyuncs.com"
|
|
202
|
+
else:
|
|
203
|
+
config.endpoint = f"sas.{ALIBABACLOUD_DEFAULT_REGION}.aliyuncs.com"
|
|
204
|
+
return SasClient(config)
|
|
205
|
+
elif service == "oss":
|
|
206
|
+
if region:
|
|
207
|
+
config.endpoint = f"oss-{region}.aliyuncs.com"
|
|
208
|
+
config.region_id = region
|
|
209
|
+
else:
|
|
210
|
+
config.endpoint = f"oss-{ALIBABACLOUD_DEFAULT_REGION}.aliyuncs.com"
|
|
211
|
+
config.region_id = ALIBABACLOUD_DEFAULT_REGION
|
|
212
|
+
return OssClient(config)
|
|
213
|
+
elif service == "actiontrail":
|
|
214
|
+
# ActionTrail endpoint is regional: actiontrail.{region}.aliyuncs.com
|
|
215
|
+
if region:
|
|
216
|
+
config.endpoint = f"actiontrail.{region}.aliyuncs.com"
|
|
217
|
+
else:
|
|
218
|
+
config.endpoint = (
|
|
219
|
+
f"actiontrail.{ALIBABACLOUD_DEFAULT_REGION}.aliyuncs.com"
|
|
220
|
+
)
|
|
221
|
+
return ActionTrailClient(config)
|
|
222
|
+
elif service == "cs":
|
|
223
|
+
if region:
|
|
224
|
+
config.endpoint = f"cs.{region}.aliyuncs.com"
|
|
225
|
+
else:
|
|
226
|
+
config.endpoint = f"cs.{ALIBABACLOUD_DEFAULT_REGION}.aliyuncs.com"
|
|
227
|
+
return CSClient(config)
|
|
228
|
+
elif service == "rds":
|
|
229
|
+
if region:
|
|
230
|
+
config.endpoint = f"rds.{region}.aliyuncs.com"
|
|
231
|
+
else:
|
|
232
|
+
config.endpoint = f"rds.{ALIBABACLOUD_DEFAULT_REGION}.aliyuncs.com"
|
|
233
|
+
return RdsClient(config)
|
|
234
|
+
elif service == "sls":
|
|
235
|
+
if region:
|
|
236
|
+
config.endpoint = f"{region}.log.aliyuncs.com"
|
|
237
|
+
else:
|
|
238
|
+
config.endpoint = f"{ALIBABACLOUD_DEFAULT_REGION}.log.aliyuncs.com"
|
|
239
|
+
return SlsClient(config)
|
|
240
|
+
else:
|
|
241
|
+
# For other services, implement as needed
|
|
242
|
+
logger.warning(f"Service {service} not yet implemented")
|
|
243
|
+
return None
|
|
244
|
+
|
|
245
|
+
|
|
246
|
+
class AlibabaCloudOutputOptions(ProviderOutputOptions):
|
|
247
|
+
"""
|
|
248
|
+
AlibabaCloudOutputOptions extends ProviderOutputOptions for Alibaba Cloud specific output options.
|
|
249
|
+
"""
|
|
250
|
+
|
|
251
|
+
def __init__(self, arguments, bulk_checks_metadata, identity):
|
|
252
|
+
# Call parent class init
|
|
253
|
+
super().__init__(arguments, bulk_checks_metadata)
|
|
254
|
+
|
|
255
|
+
# Set default output filename if not provided
|
|
256
|
+
if (
|
|
257
|
+
not hasattr(arguments, "output_filename")
|
|
258
|
+
or arguments.output_filename is None
|
|
259
|
+
):
|
|
260
|
+
from prowler.config.config import output_file_timestamp
|
|
261
|
+
|
|
262
|
+
self.output_filename = (
|
|
263
|
+
f"prowler-output-{identity.account_id}-{output_file_timestamp}"
|
|
264
|
+
)
|
|
265
|
+
else:
|
|
266
|
+
self.output_filename = arguments.output_filename
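Review bot: `AlibabaCloudCredentials` declares `access_key_secret` and `security_token` as plain `str` fields, so the model's default repr, and any log line, traceback or `.dict()` dump that includes the object, carries the secret in clear text. Declaring them as `access_key_secret: SecretStr` and `security_token: Optional[SecretStr] = None`, with `SecretStr` imported from `pydantic.v1`, masks them; `client()` would then pass `cred.access_key_secret.get_secret_value()` into `open_api_models.Config`. Separately, `get_credentials()` caches the first result for the lifetime of the session and never sets `expiration`. If `cred_client` returns temporary STS credentials, a long scan may keep signing requests with a token after it has expired; whether `cred_client` refreshes on its own is not visible in this file.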
|
|
File without changes
|
|
File without changes
|
prowler/providers/alibabacloud/services/actiontrail/actiontrail_multi_region_enabled/__init__.py
ADDED
|
File without changes
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
{
|
|
2
|
+
"Provider": "alibabacloud",
|
|
3
|
+
"CheckID": "actiontrail_multi_region_enabled",
|
|
4
|
+
"CheckTitle": "ActionTrail are configured to export copies of all Log entries",
|
|
5
|
+
"CheckType": [
|
|
6
|
+
"Unusual logon",
|
|
7
|
+
"Cloud threat detection"
|
|
8
|
+
],
|
|
9
|
+
"ServiceName": "actiontrail",
|
|
10
|
+
"SubServiceName": "",
|
|
11
|
+
"ResourceIdTemplate": "acs:actiontrail::account-id:trail",
|
|
12
|
+
"Severity": "critical",
|
|
13
|
+
"ResourceType": "AlibabaCloudActionTrail",
|
|
14
|
+
"Description": "**ActionTrail** is a web service that records API calls for your account and delivers log files to you.\n\nThe recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the Alibaba Cloud service. ActionTrail provides a history of API calls for an account, including API calls made via the Management Console, SDKs, and command line tools.",
|
|
15
|
+
"Risk": "The API call history produced by ActionTrail enables **security analysis**, **resource change tracking**, and **compliance auditing**.\n\nEnsuring that a **multi-region trail** exists will detect unexpected activities occurring in otherwise unused regions. Global Service Logging should be enabled by default to capture events generated on Alibaba Cloud global services, ensuring the recording of management operations performed on all resources in an Alibaba Cloud account.",
|
|
16
|
+
"RelatedUrl": "",
|
|
17
|
+
"AdditionalURLs": [
|
|
18
|
+
"https://www.alibabacloud.com/help/doc-detail/28829.htm",
|
|
19
|
+
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ActionTrail/enable-multi-region-trails.html"
|
|
20
|
+
],
|
|
21
|
+
"Remediation": {
|
|
22
|
+
"Code": {
|
|
23
|
+
"CLI": "aliyun actiontrail CreateTrail --Name <trail_name> --OssBucketName <oss_bucket_for_actiontrail> --RoleName aliyunactiontraildefaultrole --SlsProjectArn <sls_project_arn_for_actiontrail> --SlsWriteRoleArn <sls_role_arn_for_actiontrail> --EventRW <api_type_for_actiontrail>",
|
|
24
|
+
"NativeIaC": "",
|
|
25
|
+
"Other": "",
|
|
26
|
+
"Terraform": "resource \"alicloud_actiontrail_trail\" \"example\" {\n trail_name = \"multi-region-trail\"\n trail_region = \"All\"\n sls_project_arn = \"acs:log:cn-hangzhou:123456789:project/actiontrail-project\"\n sls_write_role_arn = data.alicloud_ram_roles.actiontrail.roles.0.arn\n}"
|
|
27
|
+
},
|
|
28
|
+
"Recommendation": {
|
|
29
|
+
"Text": "1. Log on to the **ActionTrail Console**\n2. Click on **Trails** in the left navigation pane\n3. Click **Add new trail**\n4. Enter a trail name in the `Trail name` box\n5. Set **Yes** for `Apply Trail to All Regions`\n6. Specify an OSS bucket name in the `OSS bucket` box\n7. Specify an SLS project name in the `SLS project` box\n8. Click **Create**",
|
|
30
|
+
"Url": "https://hub.prowler.com/check/actiontrail_multi_region_enabled"
|
|
31
|
+
}
|
|
32
|
+
},
|
|
33
|
+
"Categories": [
|
|
34
|
+
"logging"
|
|
35
|
+
],
|
|
36
|
+
"DependsOn": [],
|
|
37
|
+
"RelatedTo": [],
|
|
38
|
+
"Notes": ""
|
|
39
|
+
}
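Review bot: The `CLI` remediation does not pass `--TrailRegion All`, although the check for this CheckID reports PASS only for a trail whose region is `All`, and the `Terraform` snippet beside it sets `trail_region = "All"`. Unless the API defaults to all regions, which this file does not say, a trail created from that command can still fail the check; adding `--TrailRegion All` makes the two remediations agree. The `CheckTitle` has a grammar slip and would read better as `ActionTrail is configured to export copies of all log entries`, matching the docstring of the check class.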
|
|
@@ -0,0 +1,81 @@
|
|
|
1
|
+
from prowler.lib.check.models import Check, CheckReportAlibabaCloud
|
|
2
|
+
from prowler.providers.alibabacloud.services.actiontrail.actiontrail_client import (
|
|
3
|
+
actiontrail_client,
|
|
4
|
+
)
|
|
5
|
+
|
|
6
|
+
|
|
7
|
+
class actiontrail_multi_region_enabled(Check):
|
|
8
|
+
"""Check if ActionTrail is configured to export copies of all log entries."""
|
|
9
|
+
|
|
10
|
+
def execute(self) -> list[CheckReportAlibabaCloud]:
|
|
11
|
+
findings = []
|
|
12
|
+
|
|
13
|
+
# Check if there's at least one multi-region trail that is enabled
|
|
14
|
+
multi_region_trails = []
|
|
15
|
+
for trail in actiontrail_client.trails.values():
|
|
16
|
+
if trail.trail_region == "All" and trail.status == "Enable":
|
|
17
|
+
multi_region_trails.append(trail)
|
|
18
|
+
|
|
19
|
+
# Create a single report for the overall check
|
|
20
|
+
report = CheckReportAlibabaCloud(metadata=self.metadata(), resource={})
|
|
21
|
+
report.region = actiontrail_client.region
|
|
22
|
+
report.resource_id = actiontrail_client.audited_account
|
|
23
|
+
report.resource_arn = (
|
|
24
|
+
f"acs:actiontrail::{actiontrail_client.audited_account}:trail"
|
|
25
|
+
)
|
|
26
|
+
|
|
27
|
+
if multi_region_trails:
|
|
28
|
+
# At least one multi-region trail is enabled
|
|
29
|
+
trail_names = [trail.name for trail in multi_region_trails]
|
|
30
|
+
report.status = "PASS"
|
|
31
|
+
report.status_extended = (
|
|
32
|
+
f"ActionTrail is configured with {len(multi_region_trails)} multi-region trail(s) "
|
|
33
|
+
f"that are enabled: {', '.join(trail_names)}. "
|
|
34
|
+
"These trails export copies of all log entries across all regions."
|
|
35
|
+
)
|
|
36
|
+
else:
|
|
37
|
+
# Check if there are any trails at all
|
|
38
|
+
if actiontrail_client.trails:
|
|
39
|
+
# There are trails but none are multi-region or enabled
|
|
40
|
+
enabled_trails = [
|
|
41
|
+
t
|
|
42
|
+
for t in actiontrail_client.trails.values()
|
|
43
|
+
if t.status == "Enable"
|
|
44
|
+
]
|
|
45
|
+
multi_region_trails_disabled = [
|
|
46
|
+
t
|
|
47
|
+
for t in actiontrail_client.trails.values()
|
|
48
|
+
if t.trail_region == "All" and t.status != "Enable"
|
|
49
|
+
]
|
|
50
|
+
|
|
51
|
+
if enabled_trails and not multi_region_trails_disabled:
|
|
52
|
+
report.status = "FAIL"
|
|
53
|
+
report.status_extended = (
|
|
54
|
+
f"ActionTrail has {len(enabled_trails)} enabled trail(s), but none are configured "
|
|
55
|
+
"for multi-region logging (TrailRegion is not set to 'All'). "
|
|
56
|
+
"Multi-region trails are required to capture events from all regions."
|
|
57
|
+
)
|
|
58
|
+
elif multi_region_trails_disabled:
|
|
59
|
+
trail_names = [t.name for t in multi_region_trails_disabled]
|
|
60
|
+
report.status = "FAIL"
|
|
61
|
+
report.status_extended = (
|
|
62
|
+
f"ActionTrail has multi-region trail(s) but they are disabled: {', '.join(trail_names)}. "
|
|
63
|
+
"Enable the multi-region trail(s) to export copies of all log entries."
|
|
64
|
+
)
|
|
65
|
+
else:
|
|
66
|
+
report.status = "FAIL"
|
|
67
|
+
report.status_extended = (
|
|
68
|
+
"ActionTrail has trails configured, but none are enabled or configured for multi-region logging. "
|
|
69
|
+
"At least one trail with TrailRegion set to 'All' and Status set to 'Enable' is required."
|
|
70
|
+
)
|
|
71
|
+
else:
|
|
72
|
+
# No trails configured at all
|
|
73
|
+
report.status = "FAIL"
|
|
74
|
+
report.status_extended = (
|
|
75
|
+
"ActionTrail is not configured. No trails exist. "
|
|
76
|
+
"Create at least one multi-region trail (TrailRegion='All') and enable it "
|
|
77
|
+
"to export copies of all log entries across all regions."
|
|
78
|
+
)
|
|
79
|
+
|
|
80
|
+
findings.append(report)
|
|
81
|
+
return findings
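Review bot: The PASS branch states that the trails "export copies of all log entries across all regions", but the loop at the top of `execute()` tests only `trail.trail_region == "All"` and `trail.status == "Enable"`; no delivery destination is examined. If a trail can be enabled without an OSS bucket or SLS project, or limited to a subset of event types, this finding passes while the logs are not retained anywhere. Either add the destination to the filter, for example `and trail.oss_bucket_name` (the attribute the sibling OSS-bucket check reads; an SLS-only trail would need its own field, which is not visible here), or narrow the PASS text to what was actually verified.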
|
|
File without changes
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
{
|
|
2
|
+
"Provider": "alibabacloud",
|
|
3
|
+
"CheckID": "actiontrail_oss_bucket_not_publicly_accessible",
|
|
4
|
+
"CheckTitle": "The OSS used to store ActionTrail logs is not publicly accessible",
|
|
5
|
+
"CheckType": [
|
|
6
|
+
"Sensitive file tampering"
|
|
7
|
+
],
|
|
8
|
+
"ServiceName": "actiontrail",
|
|
9
|
+
"SubServiceName": "",
|
|
10
|
+
"ResourceIdTemplate": "acs:oss::account-id:bucket-name",
|
|
11
|
+
"Severity": "critical",
|
|
12
|
+
"ResourceType": "AlibabaCloudOSSBucket",
|
|
13
|
+
"Description": "**ActionTrail** logs a record of every API call made in your Alibaba Cloud account. These log files are stored in an **OSS bucket**.\n\nIt is recommended that the **Access Control List (ACL)** of the OSS bucket, which ActionTrail logs to, prevents public access to the ActionTrail logs.",
|
|
14
|
+
"Risk": "Allowing **public access** to ActionTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.\n\nExposed audit logs can reveal sensitive information about your infrastructure, API usage patterns, and security configurations.",
|
|
15
|
+
"RelatedUrl": "",
|
|
16
|
+
"AdditionalURLs": [
|
|
17
|
+
"https://help.aliyun.com/document_detail/31954.html",
|
|
18
|
+
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ActionTrail/trail-bucket-publicly-accessible.html"
|
|
19
|
+
],
|
|
20
|
+
"Remediation": {
|
|
21
|
+
"Code": {
|
|
22
|
+
"CLI": "ossutil set-acl oss://<bucketName> private -b",
|
|
23
|
+
"NativeIaC": "",
|
|
24
|
+
"Other": "",
|
|
25
|
+
"Terraform": "resource \"alicloud_oss_bucket_public_access_block\" \"actiontrail\" {\n bucket = alicloud_oss_bucket.actiontrail.bucket\n block_public_access = true\n}"
|
|
26
|
+
},
|
|
27
|
+
"Recommendation": {
|
|
28
|
+
"Text": "1. Log on to the **OSS Console**\n2. Right-click on the bucket and select **Basic Settings**\n3. In the Access Control List pane, click **Configure**\n4. The Bucket ACL tab shows three types of grants: `Private`, `Public Read`, `Public Read/Write`\n5. Ensure **Private** is set for the bucket\n6. Click **Save** to save the ACL",
|
|
29
|
+
"Url": "https://hub.prowler.com/check/actiontrail_oss_bucket_not_publicly_accessible"
|
|
30
|
+
}
|
|
31
|
+
},
|
|
32
|
+
"Categories": [
|
|
33
|
+
"logging"
|
|
34
|
+
],
|
|
35
|
+
"DependsOn": [
|
|
36
|
+
"oss_bucket_not_publicly_accessible"
|
|
37
|
+
],
|
|
38
|
+
"RelatedTo": [],
|
|
39
|
+
"Notes": ""
|
|
40
|
+
}
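Review bot: The remediation covers only the bucket ACL (`ossutil set-acl oss://<bucketName> private -b` and the console ACL steps in `Recommendation.Text`), while the check for this CheckID also fails on a bucket policy that allows `Principal: '*'`. A user who follows the CLI or console steps can set the ACL to private and still get FAIL with no guidance about the policy. Add a closing step to `Recommendation.Text` along the lines of `7. Review the bucket policy and remove or scope any Allow statement whose Principal is *`.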
|
|
@@ -0,0 +1,119 @@
|
|
|
1
|
+
from prowler.lib.check.models import Check, CheckReportAlibabaCloud
|
|
2
|
+
from prowler.providers.alibabacloud.services.actiontrail.actiontrail_client import (
|
|
3
|
+
actiontrail_client,
|
|
4
|
+
)
|
|
5
|
+
from prowler.providers.alibabacloud.services.oss.oss_client import oss_client
|
|
6
|
+
|
|
7
|
+
|
|
8
|
+
def _is_policy_public(policy_document: dict) -> bool:
|
|
9
|
+
"""
|
|
10
|
+
Check if a bucket policy allows public access.
|
|
11
|
+
|
|
12
|
+
A policy is considered public if it has a statement with:
|
|
13
|
+
- Effect: "Allow"
|
|
14
|
+
- Principal: ["*"] (or contains "*")
|
|
15
|
+
- No Condition elements
|
|
16
|
+
|
|
17
|
+
Args:
|
|
18
|
+
policy_document: The parsed policy document as a dictionary.
|
|
19
|
+
|
|
20
|
+
Returns:
|
|
21
|
+
bool: True if policy allows public access, False otherwise.
|
|
22
|
+
"""
|
|
23
|
+
if not policy_document:
|
|
24
|
+
return False
|
|
25
|
+
|
|
26
|
+
statements = policy_document.get("Statement", [])
|
|
27
|
+
if not isinstance(statements, list):
|
|
28
|
+
statements = [statements]
|
|
29
|
+
|
|
30
|
+
for statement in statements:
|
|
31
|
+
effect = statement.get("Effect", "")
|
|
32
|
+
principal = statement.get("Principal", [])
|
|
33
|
+
condition = statement.get("Condition")
|
|
34
|
+
|
|
35
|
+
# If there's a condition, it's not truly public
|
|
36
|
+
if condition:
|
|
37
|
+
continue
|
|
38
|
+
|
|
39
|
+
if effect == "Allow":
|
|
40
|
+
# Check if Principal is "*" or contains "*"
|
|
41
|
+
if isinstance(principal, list):
|
|
42
|
+
if "*" in principal:
|
|
43
|
+
return True
|
|
44
|
+
elif principal == "*":
|
|
45
|
+
return True
|
|
46
|
+
|
|
47
|
+
return False
|
|
48
|
+
|
|
49
|
+
|
|
50
|
+
class actiontrail_oss_bucket_not_publicly_accessible(Check):
|
|
51
|
+
"""Check if the OSS bucket used to store ActionTrail logs is not publicly accessible."""
|
|
52
|
+
|
|
53
|
+
def execute(self) -> list[CheckReportAlibabaCloud]:
|
|
54
|
+
findings = []
|
|
55
|
+
|
|
56
|
+
# Get all ActionTrail trails
|
|
57
|
+
for trail in actiontrail_client.trails.values():
|
|
58
|
+
# Only check trails that have an OSS bucket configured
|
|
59
|
+
if not trail.oss_bucket_name:
|
|
60
|
+
continue
|
|
61
|
+
|
|
62
|
+
# Find the OSS bucket used by this trail
|
|
63
|
+
bucket = None
|
|
64
|
+
for oss_bucket in oss_client.buckets.values():
|
|
65
|
+
if oss_bucket.name == trail.oss_bucket_name:
|
|
66
|
+
bucket = oss_bucket
|
|
67
|
+
break
|
|
68
|
+
|
|
69
|
+
# Create report for this trail's OSS bucket
|
|
70
|
+
report = CheckReportAlibabaCloud(metadata=self.metadata(), resource=trail)
|
|
71
|
+
report.region = trail.home_region
|
|
72
|
+
report.resource_id = trail.oss_bucket_name
|
|
73
|
+
report.resource_arn = (
|
|
74
|
+
f"acs:oss::{actiontrail_client.audited_account}:{trail.oss_bucket_name}"
|
|
75
|
+
)
|
|
76
|
+
|
|
77
|
+
if not bucket:
|
|
78
|
+
# Bucket not found in OSS service (might not have permissions or bucket doesn't exist)
|
|
79
|
+
report.status = "MANUAL"
|
|
80
|
+
report.status_extended = (
|
|
81
|
+
f"ActionTrail trail {trail.name} uses OSS bucket {trail.oss_bucket_name}, "
|
|
82
|
+
"but the bucket could not be found or accessed. Please verify the bucket exists "
|
|
83
|
+
"and that you have permissions to access it."
|
|
84
|
+
)
|
|
85
|
+
findings.append(report)
|
|
86
|
+
continue
|
|
87
|
+
|
|
88
|
+
# Check bucket ACL
|
|
89
|
+
acl_public = False
|
|
90
|
+
if bucket.acl and bucket.acl != "private":
|
|
91
|
+
if bucket.acl in ["public-read", "public-read-write"]:
|
|
92
|
+
acl_public = True
|
|
93
|
+
|
|
94
|
+
# Check bucket policy
|
|
95
|
+
policy_public = _is_policy_public(bucket.policy)
|
|
96
|
+
|
|
97
|
+
# Determine status
|
|
98
|
+
if acl_public or policy_public:
|
|
99
|
+
report.status = "FAIL"
|
|
100
|
+
issues = []
|
|
101
|
+
if acl_public:
|
|
102
|
+
issues.append(f"Bucket ACL is set to {bucket.acl}")
|
|
103
|
+
if policy_public:
|
|
104
|
+
issues.append("Bucket policy allows public access (Principal: '*')")
|
|
105
|
+
report.status_extended = (
|
|
106
|
+
f"OSS bucket {trail.oss_bucket_name} used by ActionTrail trail {trail.name} "
|
|
107
|
+
f"is publicly accessible. {'; '.join(issues)}. "
|
|
108
|
+
"ActionTrail logs contain sensitive information and should not be publicly accessible."
|
|
109
|
+
)
|
|
110
|
+
else:
|
|
111
|
+
report.status = "PASS"
|
|
112
|
+
report.status_extended = (
|
|
113
|
+
f"OSS bucket {trail.oss_bucket_name} used by ActionTrail trail {trail.name} "
|
|
114
|
+
f"is not publicly accessible. ACL is {bucket.acl} and bucket policy does not allow public access."
|
|
115
|
+
)
|
|
116
|
+
|
|
117
|
+
findings.append(report)
|
|
118
|
+
|
|
119
|
+
return findings
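Review bot: `_is_policy_public` skips every statement that has a non-empty `Condition`, so an `Allow` statement for `Principal` `*` is reported as not public whatever the condition says. `execute()` likewise treats a bucket whose `acl` is empty or `None` as not public and reports PASS with that empty value printed in the message. Both paths fail open: the finding passes on data the check did not evaluate, which matters if the OSS service leaves `acl` or `policy` unset when it cannot read them (not visible here). For the ACL, report the unknown case explicitly before the PASS/FAIL decision, e.g. `if not bucket.acl: report.status = "MANUAL"`, as the missing-bucket branch already does; for conditioned wildcard statements, name them in `status_extended` instead of dropping them silently. The nested test on `bucket.acl` also reduces to `acl_public = bucket.acl in ("public-read", "public-read-write")`.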
|
|
@@ -0,0 +1,110 @@
|
|
|
1
|
+
from datetime import datetime
|
|
2
|
+
from typing import Optional
|
|
3
|
+
|
|
4
|
+
from alibabacloud_actiontrail20200706 import models as actiontrail_models
|
|
5
|
+
from pydantic.v1 import BaseModel
|
|
6
|
+
|
|
7
|
+
from prowler.lib.logger import logger
|
|
8
|
+
from prowler.lib.scan_filters.scan_filters import is_resource_filtered
|
|
9
|
+
from prowler.providers.alibabacloud.lib.service.service import AlibabaCloudService
|
|
10
|
+
|
|
11
|
+
|
|
12
|
+
class ActionTrail(AlibabaCloudService):
|
|
13
|
+
"""
|
|
14
|
+
ActionTrail service class for Alibaba Cloud.
|
|
15
|
+
|
|
16
|
+
This class provides methods to interact with Alibaba Cloud ActionTrail service
|
|
17
|
+
to retrieve trails and their configuration.
|
|
18
|
+
"""
|
|
19
|
+
|
|
20
|
+
def __init__(self, provider):
|
|
21
|
+
# Call AlibabaCloudService's __init__
|
|
22
|
+
# ActionTrail is a regional service
|
|
23
|
+
super().__init__(__class__.__name__, provider, global_service=False)
|
|
24
|
+
|
|
25
|
+
# Fetch ActionTrail resources
|
|
26
|
+
self.trails = {}
|
|
27
|
+
self.__threading_call__(self._describe_trails)
|
|
28
|
+
|
|
29
|
+
def _describe_trails(self, regional_client):
|
|
30
|
+
"""List all ActionTrail trails."""
|
|
31
|
+
region = getattr(regional_client, "region", "unknown")
|
|
32
|
+
logger.info(f"ActionTrail - Describing trails in {region}...")
|
|
33
|
+
try:
|
|
34
|
+
# Use Tea SDK client (ActionTrail is regional service)
|
|
35
|
+
request = actiontrail_models.DescribeTrailsRequest()
|
|
36
|
+
response = regional_client.describe_trails(request)
|
|
37
|
+
|
|
38
|
+
if response and response.body and response.body.trail_list:
|
|
39
|
+
# trail_list is already a list, not an object with a trail attribute
|
|
40
|
+
trails_list = response.body.trail_list
|
|
41
|
+
if not isinstance(trails_list, list):
|
|
42
|
+
trails_list = [trails_list]
|
|
43
|
+
|
|
44
|
+
for trail_data in trails_list:
|
|
45
|
+
trail_name = getattr(trail_data, "name", "")
|
|
46
|
+
if not trail_name:
|
|
47
|
+
continue
|
|
48
|
+
|
|
49
|
+
# Get trail region (can be specific region or "All")
|
|
50
|
+
trail_region = getattr(trail_data, "trail_region", "")
|
|
51
|
+
home_region = getattr(trail_data, "home_region", "")
|
|
52
|
+
status = getattr(trail_data, "status", "")
|
|
53
|
+
|
|
54
|
+
# Create ARN
|
|
55
|
+
arn = f"acs:actiontrail::{self.audited_account}:trail/{trail_name}"
|
|
56
|
+
|
|
57
|
+
if not self.audit_resources or is_resource_filtered(
|
|
58
|
+
arn, self.audit_resources
|
|
59
|
+
):
|
|
60
|
+
# Parse creation date if available
|
|
61
|
+
creation_date = None
|
|
62
|
+
creation_date_str = getattr(trail_data, "create_time", None)
|
|
63
|
+
if creation_date_str:
|
|
64
|
+
try:
|
|
65
|
+
# ActionTrail date format: "2024-02-02T10:02:11Z" or similar
|
|
66
|
+
creation_date = datetime.strptime(
|
|
67
|
+
creation_date_str.replace("Z", "+00:00"),
|
|
68
|
+
"%Y-%m-%dT%H:%M:%S%z",
|
|
69
|
+
)
|
|
70
|
+
except (ValueError, AttributeError):
|
|
71
|
+
creation_date = datetime.strptime(
|
|
72
|
+
creation_date_str.replace("Z", "+00:00"),
|
|
73
|
+
"%Y-%m-%dT%H:%M:%S.%f%z",
|
|
74
|
+
)
|
|
75
|
+
|
|
76
|
+
self.trails[arn] = Trail(
|
|
77
|
+
arn=arn,
|
|
78
|
+
name=trail_name,
|
|
79
|
+
home_region=home_region,
|
|
80
|
+
trail_region=trail_region,
|
|
81
|
+
status=status,
|
|
82
|
+
oss_bucket_name=getattr(trail_data, "oss_bucket_name", ""),
|
|
83
|
+
oss_bucket_location=getattr(
|
|
84
|
+
trail_data, "oss_bucket_location", ""
|
|
85
|
+
),
|
|
86
|
+
sls_project_arn=getattr(trail_data, "sls_project_arn", ""),
|
|
87
|
+
event_rw=getattr(trail_data, "event_rw", ""),
|
|
88
|
+
creation_date=creation_date,
|
|
89
|
+
)
|
|
90
|
+
|
|
91
|
+
except Exception as error:
|
|
92
|
+
logger.error(
|
|
93
|
+
f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
|
|
94
|
+
)
|
|
95
|
+
|
|
96
|
+
|
|
97
|
+
# Service Models
|
|
98
|
+
class Trail(BaseModel):
|
|
99
|
+
"""ActionTrail Trail model."""
|
|
100
|
+
|
|
101
|
+
arn: str
|
|
102
|
+
name: str
|
|
103
|
+
home_region: str
|
|
104
|
+
trail_region: str # "All" for multi-region, or specific region name
|
|
105
|
+
status: str # "Enable" or "Disable"
|
|
106
|
+
oss_bucket_name: str = ""
|
|
107
|
+
oss_bucket_location: str = ""
|
|
108
|
+
sls_project_arn: str = ""
|
|
109
|
+
event_rw: str = "" # "All", "Read", "Write"
|
|
110
|
+
creation_date: Optional[datetime] = None
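Review bot: In `_describe_trails`, the fallback `datetime.strptime(..., "%Y-%m-%dT%H:%M:%S.%f%z")` inside `except (ValueError, AttributeError)` is itself unguarded, so a `create_time` that matches neither format (or is not a string) raises into the outer `except Exception`, which ends the loop and leaves every remaining trail in that region out of `self.trails`. Checks that read `self.trails`, such as the public-OSS-bucket check earlier on this page, would then presumably report nothing for those trails instead of a failure. I would try both formats in a loop, keep `creation_date = None` when neither parses, and log a warning for that trail only. The outer handler also reads `regional_client.region` directly although the method already computed `region` with a `getattr` default; `f"{region} -- ..."` avoids a second exception inside the handler.

```python
# … unchanged: trail fields, ARN construction, audit_resources filter …
creation_date = None
creation_date_str = getattr(trail_data, "create_time", None)
if creation_date_str:
    for date_format in ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%dT%H:%M:%S.%f%z"):
        try:
            creation_date = datetime.strptime(
                creation_date_str.replace("Z", "+00:00"), date_format
            )
            break
        except (ValueError, AttributeError):
            continue
    if creation_date is None:
        logger.warning(
            f"{region} -- could not parse create_time for trail {trail_name}"
        )
# … unchanged: self.trails[arn] = Trail(...) …
```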
|
|
File without changes
|