prowler 5.17.0__py3-none-any.whl → 5.18.0__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- dashboard/compliance/hipaa_azure.py +25 -0
- dashboard/pages/overview.py +20 -11
- prowler/AGENTS.md +1 -1
- prowler/CHANGELOG.md +43 -0
- prowler/__main__.py +5 -0
- prowler/compliance/azure/hipaa_azure.json +820 -0
- prowler/compliance/m365/cis_4.0_m365.json +6 -2
- prowler/compliance/m365/cis_6.0_m365.json +6 -2
- prowler/compliance/m365/iso27001_2022_m365.json +13 -11
- prowler/compliance/openstack/__init__.py +0 -0
- prowler/config/config.py +2 -1
- prowler/config/config.yaml +4 -1
- prowler/config/openstack_mutelist_example.yaml +60 -0
- prowler/lib/check/check.py +4 -0
- prowler/lib/check/models.py +27 -2
- prowler/lib/cli/parser.py +3 -2
- prowler/lib/outputs/finding.py +14 -0
- prowler/lib/outputs/html/html.py +72 -0
- prowler/lib/outputs/jira/jira.py +3 -3
- prowler/lib/outputs/outputs.py +2 -0
- prowler/lib/outputs/summary_table.py +7 -0
- prowler/lib/timeline/__init__.py +0 -0
- prowler/lib/timeline/models.py +27 -0
- prowler/lib/timeline/timeline.py +36 -0
- prowler/providers/aws/lib/cloudtrail_timeline/__init__.py +0 -0
- prowler/providers/aws/lib/cloudtrail_timeline/cloudtrail_timeline.py +218 -0
- prowler/providers/aws/services/codebuild/codebuild_project_webhook_filters_use_anchored_patterns/__init__.py +0 -0
- prowler/providers/aws/services/codebuild/codebuild_project_webhook_filters_use_anchored_patterns/codebuild_project_webhook_filters_use_anchored_patterns.metadata.json +40 -0
- prowler/providers/aws/services/codebuild/codebuild_project_webhook_filters_use_anchored_patterns/codebuild_project_webhook_filters_use_anchored_patterns.py +58 -0
- prowler/providers/aws/services/codebuild/codebuild_service.py +45 -0
- prowler/providers/aws/services/dynamodb/dynamodb_table_cross_account_access/dynamodb_table_cross_account_access.metadata.json +1 -1
- prowler/providers/aws/services/dynamodb/dynamodb_table_cross_account_access/dynamodb_table_cross_account_access.py +4 -0
- prowler/providers/aws/services/eventbridge/eventbridge_bus_cross_account_access/eventbridge_bus_cross_account_access.metadata.json +1 -1
- prowler/providers/aws/services/eventbridge/eventbridge_bus_cross_account_access/eventbridge_bus_cross_account_access.py +4 -0
- prowler/providers/aws/services/eventbridge/eventbridge_schema_registry_cross_account_access/eventbridge_schema_registry_cross_account_access.metadata.json +1 -1
- prowler/providers/aws/services/eventbridge/eventbridge_schema_registry_cross_account_access/eventbridge_schema_registry_cross_account_access.py +2 -0
- prowler/providers/aws/services/iam/lib/policy.py +19 -3
- prowler/providers/aws/services/rds/rds_instance_extended_support/__init__.py +0 -0
- prowler/providers/aws/services/rds/rds_instance_extended_support/rds_instance_extended_support.metadata.json +41 -0
- prowler/providers/aws/services/rds/rds_instance_extended_support/rds_instance_extended_support.py +37 -0
- prowler/providers/aws/services/rds/rds_service.py +4 -0
- prowler/providers/aws/services/s3/s3_bucket_cross_account_access/s3_bucket_cross_account_access.metadata.json +1 -1
- prowler/providers/aws/services/s3/s3_bucket_cross_account_access/s3_bucket_cross_account_access.py +5 -1
- prowler/providers/azure/lib/service/service.py +23 -0
- prowler/providers/azure/services/app/app_client_certificates_on/app_client_certificates_on.metadata.json +18 -12
- prowler/providers/azure/services/app/app_ensure_auth_is_set_up/app_ensure_auth_is_set_up.metadata.json +18 -11
- prowler/providers/azure/services/app/app_ensure_http_is_redirected_to_https/app_ensure_http_is_redirected_to_https.metadata.json +19 -12
- prowler/providers/azure/services/app/app_ensure_java_version_is_latest/app_ensure_java_version_is_latest.metadata.json +19 -12
- prowler/providers/azure/services/app/app_ensure_php_version_is_latest/app_ensure_php_version_is_latest.metadata.json +19 -12
- prowler/providers/azure/services/app/app_ensure_python_version_is_latest/app_ensure_python_version_is_latest.metadata.json +19 -12
- prowler/providers/azure/services/app/app_ensure_using_http20/app_ensure_using_http20.metadata.json +18 -11
- prowler/providers/azure/services/app/app_ftp_deployment_disabled/app_ftp_deployment_disabled.metadata.json +21 -13
- prowler/providers/azure/services/app/app_function_access_keys_configured/app_function_access_keys_configured.metadata.json +19 -11
- prowler/providers/azure/services/app/app_function_application_insights_enabled/app_function_application_insights_enabled.metadata.json +21 -14
- prowler/providers/azure/services/app/app_function_ftps_deployment_disabled/app_function_ftps_deployment_disabled.metadata.json +18 -13
- prowler/providers/azure/services/app/app_function_identity_is_configured/app_function_identity_is_configured.metadata.json +20 -13
- prowler/providers/azure/services/app/app_function_identity_without_admin_privileges/app_function_identity_without_admin_privileges.metadata.json +18 -11
- prowler/providers/azure/services/app/app_function_latest_runtime_version/app_function_latest_runtime_version.metadata.json +20 -13
- prowler/providers/azure/services/app/app_function_not_publicly_accessible/app_function_not_publicly_accessible.metadata.json +20 -13
- prowler/providers/azure/services/app/app_function_vnet_integration_enabled/app_function_vnet_integration_enabled.metadata.json +21 -14
- prowler/providers/azure/services/app/app_http_logs_enabled/app_http_logs_enabled.metadata.json +18 -12
- prowler/providers/azure/services/app/app_minimum_tls_version_12/app_minimum_tls_version_12.metadata.json +20 -12
- prowler/providers/azure/services/app/app_register_with_identity/app_register_with_identity.metadata.json +18 -11
- prowler/providers/azure/services/appinsights/appinsights_ensure_is_configured/appinsights_ensure_is_configured.metadata.json +18 -12
- prowler/providers/azure/services/containerregistry/containerregistry_admin_user_disabled/containerregistry_admin_user_disabled.metadata.json +17 -11
- prowler/providers/azure/services/containerregistry/containerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible.metadata.json +18 -12
- prowler/providers/azure/services/containerregistry/containerregistry_uses_private_link/containerregistry_uses_private_link.metadata.json +21 -13
- prowler/providers/azure/services/cosmosdb/cosmosdb_account_firewall_use_selected_networks/cosmosdb_account_firewall_use_selected_networks.metadata.json +20 -12
- prowler/providers/azure/services/cosmosdb/cosmosdb_account_use_aad_and_rbac/cosmosdb_account_use_aad_and_rbac.metadata.json +19 -13
- prowler/providers/azure/services/cosmosdb/cosmosdb_account_use_private_endpoints/cosmosdb_account_use_private_endpoints.metadata.json +20 -13
- prowler/providers/azure/services/databricks/databricks_workspace_cmk_encryption_enabled/databricks_workspace_cmk_encryption_enabled.metadata.json +20 -14
- prowler/providers/azure/services/databricks/databricks_workspace_vnet_injection_enabled/databricks_workspace_vnet_injection_enabled.metadata.json +20 -14
- prowler/providers/azure/services/defender/defender_additional_email_configured_with_a_security_contact/defender_additional_email_configured_with_a_security_contact.metadata.json +20 -13
- prowler/providers/azure/services/defender/defender_assessments_vm_endpoint_protection_installed/defender_assessments_vm_endpoint_protection_installed.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_attack_path_notifications_properly_configured/defender_attack_path_notifications_properly_configured.metadata.json +19 -13
- prowler/providers/azure/services/defender/defender_auto_provisioning_log_analytics_agent_vms_on/defender_auto_provisioning_log_analytics_agent_vms_on.metadata.json +20 -13
- prowler/providers/azure/services/defender/defender_auto_provisioning_vulnerabilty_assessments_machines_on/defender_auto_provisioning_vulnerabilty_assessments_machines_on.metadata.json +19 -12
- prowler/providers/azure/services/defender/defender_container_images_resolved_vulnerabilities/defender_container_images_resolved_vulnerabilities.metadata.json +20 -12
- prowler/providers/azure/services/defender/defender_container_images_scan_enabled/defender_container_images_scan_enabled.metadata.json +22 -13
- prowler/providers/azure/services/defender/defender_ensure_defender_for_app_services_is_on/defender_ensure_defender_for_app_services_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_arm_is_on/defender_ensure_defender_for_arm_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_azure_sql_databases_is_on/defender_ensure_defender_for_azure_sql_databases_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_containers_is_on/defender_ensure_defender_for_containers_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_cosmosdb_is_on/defender_ensure_defender_for_cosmosdb_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_databases_is_on/defender_ensure_defender_for_databases_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_dns_is_on/defender_ensure_defender_for_dns_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_keyvault_is_on/defender_ensure_defender_for_keyvault_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_os_relational_databases_is_on/defender_ensure_defender_for_os_relational_databases_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_server_is_on/defender_ensure_defender_for_server_is_on.metadata.json +19 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_sql_servers_is_on/defender_ensure_defender_for_sql_servers_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_storage_is_on/defender_ensure_defender_for_storage_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_iot_hub_defender_is_on/defender_ensure_iot_hub_defender_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_mcas_is_enabled/defender_ensure_mcas_is_enabled.metadata.json +20 -12
- prowler/providers/azure/services/defender/defender_ensure_notify_alerts_severity_is_high/defender_ensure_notify_alerts_severity_is_high.metadata.json +19 -12
- prowler/providers/azure/services/defender/defender_ensure_notify_emails_to_owners/defender_ensure_notify_emails_to_owners.metadata.json +19 -12
- prowler/providers/azure/services/defender/defender_ensure_system_updates_are_applied/defender_ensure_system_updates_are_applied.metadata.json +17 -9
- prowler/providers/azure/services/defender/defender_ensure_wdatp_is_enabled/defender_ensure_wdatp_is_enabled.metadata.json +21 -13
- prowler/providers/azure/services/entra/entra_service.py +3 -11
- prowler/providers/azure/services/entra/entra_user_with_vm_access_has_mfa/entra_user_with_vm_access_has_mfa.py +6 -0
- prowler/providers/azure/services/iam/iam_custom_role_has_permissions_to_administer_resource_locks/iam_custom_role_has_permissions_to_administer_resource_locks.metadata.json +19 -13
- prowler/providers/azure/services/iam/iam_role_user_access_admin_restricted/iam_role_user_access_admin_restricted.metadata.json +16 -10
- prowler/providers/azure/services/iam/iam_subscription_roles_owner_custom_not_created/iam_subscription_roles_owner_custom_not_created.metadata.json +18 -12
- prowler/providers/azure/services/keyvault/keyvault_rbac_secret_expiration_set/keyvault_rbac_secret_expiration_set.py +10 -11
- prowler/providers/azure/services/keyvault/keyvault_service.py +164 -81
- prowler/providers/azure/services/mysql/mysql_flexible_server_audit_log_connection_activated/mysql_flexible_server_audit_log_connection_activated.metadata.json +18 -12
- prowler/providers/azure/services/mysql/mysql_flexible_server_audit_log_enabled/mysql_flexible_server_audit_log_enabled.metadata.json +19 -12
- prowler/providers/azure/services/mysql/mysql_flexible_server_minimum_tls_version_12/mysql_flexible_server_minimum_tls_version_12.metadata.json +18 -12
- prowler/providers/azure/services/mysql/mysql_flexible_server_ssl_connection_enabled/mysql_flexible_server_ssl_connection_enabled.metadata.json +19 -12
- prowler/providers/azure/services/network/network_bastion_host_exists/network_bastion_host_exists.metadata.json +21 -12
- prowler/providers/azure/services/network/network_flow_log_captured_sent/network_flow_log_captured_sent.metadata.json +19 -12
- prowler/providers/azure/services/network/network_flow_log_more_than_90_days/network_flow_log_more_than_90_days.metadata.json +21 -12
- prowler/providers/azure/services/network/network_http_internet_access_restricted/network_http_internet_access_restricted.metadata.json +18 -12
- prowler/providers/azure/services/network/network_public_ip_shodan/network_public_ip_shodan.metadata.json +15 -10
- prowler/providers/azure/services/network/network_rdp_internet_access_restricted/network_rdp_internet_access_restricted.metadata.json +20 -12
- prowler/providers/azure/services/network/network_ssh_internet_access_restricted/network_ssh_internet_access_restricted.metadata.json +19 -12
- prowler/providers/azure/services/network/network_udp_internet_access_restricted/network_udp_internet_access_restricted.metadata.json +19 -12
- prowler/providers/azure/services/network/network_watcher_enabled/network_watcher_enabled.metadata.json +21 -13
- prowler/providers/azure/services/policy/policy_ensure_asc_enforcement_enabled/policy_ensure_asc_enforcement_enabled.metadata.json +16 -11
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_allow_access_services_disabled/postgresql_flexible_server_allow_access_services_disabled.metadata.json +20 -13
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_connection_throttling_on/postgresql_flexible_server_connection_throttling_on.metadata.json +18 -12
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_enforce_ssl_enabled/postgresql_flexible_server_enforce_ssl_enabled.metadata.json +19 -13
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/postgresql_flexible_server_entra_id_authentication_enabled.metadata.json +4 -4
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_checkpoints_on/postgresql_flexible_server_log_checkpoints_on.metadata.json +19 -13
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_connections_on/postgresql_flexible_server_log_connections_on.metadata.json +18 -11
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_disconnections_on/postgresql_flexible_server_log_disconnections_on.metadata.json +18 -12
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_retention_days_greater_3/postgresql_flexible_server_log_retention_days_greater_3.metadata.json +18 -12
- prowler/providers/azure/services/sqlserver/sqlserver_auditing_enabled/sqlserver_auditing_enabled.metadata.json +20 -13
- prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/sqlserver_auditing_retention_90_days.metadata.json +20 -12
- prowler/providers/azure/services/sqlserver/sqlserver_azuread_administrator_enabled/sqlserver_azuread_administrator_enabled.metadata.json +18 -12
- prowler/providers/azure/services/sqlserver/sqlserver_microsoft_defender_enabled/sqlserver_microsoft_defender_enabled.metadata.json +23 -13
- prowler/providers/azure/services/sqlserver/sqlserver_recommended_minimal_tls_version/sqlserver_recommended_minimal_tls_version.metadata.json +19 -12
- prowler/providers/azure/services/sqlserver/sqlserver_tde_encrypted_with_cmk/sqlserver_tde_encrypted_with_cmk.metadata.json +20 -13
- prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled.metadata.json +20 -13
- prowler/providers/azure/services/sqlserver/sqlserver_unrestricted_inbound_access/sqlserver_unrestricted_inbound_access.metadata.json +18 -12
- prowler/providers/azure/services/sqlserver/sqlserver_va_emails_notifications_admins_enabled/sqlserver_va_emails_notifications_admins_enabled.metadata.json +19 -12
- prowler/providers/azure/services/sqlserver/sqlserver_va_periodic_recurring_scans_enabled/sqlserver_va_periodic_recurring_scans_enabled.metadata.json +19 -12
- prowler/providers/azure/services/sqlserver/sqlserver_va_scan_reports_configured/sqlserver_va_scan_reports_configured.metadata.json +18 -12
- prowler/providers/azure/services/sqlserver/sqlserver_vulnerability_assessment_enabled/sqlserver_vulnerability_assessment_enabled.metadata.json +19 -12
- prowler/providers/azure/services/storage/storage_account_key_access_disabled/storage_account_key_access_disabled.metadata.json +17 -12
- prowler/providers/azure/services/storage/storage_blob_public_access_level_is_disabled/storage_blob_public_access_level_is_disabled.metadata.json +18 -12
- prowler/providers/azure/services/storage/storage_blob_versioning_is_enabled/storage_blob_versioning_is_enabled.metadata.json +19 -11
- prowler/providers/azure/services/storage/storage_cross_tenant_replication_disabled/storage_cross_tenant_replication_disabled.metadata.json +19 -13
- prowler/providers/azure/services/storage/storage_default_network_access_rule_is_denied/storage_default_network_access_rule_is_denied.metadata.json +19 -12
- prowler/providers/azure/services/storage/storage_default_to_entra_authorization_enabled/storage_default_to_entra_authorization_enabled.metadata.json +20 -13
- prowler/providers/azure/services/storage/storage_ensure_azure_services_are_trusted_to_access_is_enabled/storage_ensure_azure_services_are_trusted_to_access_is_enabled.metadata.json +17 -10
- prowler/providers/azure/services/storage/storage_ensure_encryption_with_customer_managed_keys/storage_ensure_encryption_with_customer_managed_keys.metadata.json +15 -10
- prowler/providers/azure/services/storage/storage_ensure_file_shares_soft_delete_is_enabled/storage_ensure_file_shares_soft_delete_is_enabled.metadata.json +18 -12
- prowler/providers/azure/services/storage/storage_ensure_minimum_tls_version_12/storage_ensure_minimum_tls_version_12.metadata.json +14 -10
- prowler/providers/azure/services/storage/storage_ensure_private_endpoints_in_storage_accounts/storage_ensure_private_endpoints_in_storage_accounts.metadata.json +19 -11
- prowler/providers/azure/services/storage/storage_ensure_soft_delete_is_enabled/storage_ensure_soft_delete_is_enabled.metadata.json +17 -12
- prowler/providers/azure/services/storage/storage_geo_redundant_enabled/storage_geo_redundant_enabled.metadata.json +19 -12
- prowler/providers/azure/services/storage/storage_infrastructure_encryption_is_enabled/storage_infrastructure_encryption_is_enabled.metadata.json +13 -9
- prowler/providers/azure/services/storage/storage_key_rotation_90_days/storage_key_rotation_90_days.metadata.json +17 -12
- prowler/providers/azure/services/storage/storage_secure_transfer_required_is_enabled/storage_secure_transfer_required_is_enabled.metadata.json +15 -11
- prowler/providers/azure/services/storage/storage_smb_channel_encryption_with_secure_algorithm/storage_smb_channel_encryption_with_secure_algorithm.metadata.json +19 -12
- prowler/providers/azure/services/storage/storage_smb_protocol_version_is_latest/storage_smb_protocol_version_is_latest.metadata.json +19 -13
- prowler/providers/cloudflare/cloudflare_provider.py +95 -12
- prowler/providers/cloudflare/lib/arguments/arguments.py +7 -0
- prowler/providers/cloudflare/services/dns/dns_record_cname_target_valid/__init__.py +0 -0
- prowler/providers/cloudflare/services/dns/dns_record_cname_target_valid/dns_record_cname_target_valid.metadata.json +36 -0
- prowler/providers/cloudflare/services/dns/dns_record_cname_target_valid/dns_record_cname_target_valid.py +109 -0
- prowler/providers/cloudflare/services/dns/dns_record_no_internal_ip/__init__.py +0 -0
- prowler/providers/cloudflare/services/dns/dns_record_no_internal_ip/dns_record_no_internal_ip.metadata.json +36 -0
- prowler/providers/cloudflare/services/dns/dns_record_no_internal_ip/dns_record_no_internal_ip.py +73 -0
- prowler/providers/cloudflare/services/dns/dns_record_no_wildcard/__init__.py +0 -0
- prowler/providers/cloudflare/services/dns/dns_record_no_wildcard/dns_record_no_wildcard.metadata.json +36 -0
- prowler/providers/cloudflare/services/dns/dns_record_no_wildcard/dns_record_no_wildcard.py +60 -0
- prowler/providers/cloudflare/services/dns/dns_record_proxied/__init__.py +0 -0
- prowler/providers/cloudflare/services/dns/dns_record_proxied/dns_record_proxied.metadata.json +36 -0
- prowler/providers/cloudflare/services/dns/dns_record_proxied/dns_record_proxied.py +49 -0
- prowler/providers/cloudflare/services/dns/dns_service.py +52 -6
- prowler/providers/cloudflare/services/firewall/__init__.py +0 -0
- prowler/providers/cloudflare/services/firewall/firewall_client.py +4 -0
- prowler/providers/cloudflare/services/firewall/firewall_service.py +123 -0
- prowler/providers/cloudflare/services/zone/zone_firewall_blocking_rules_configured/__init__.py +0 -0
- prowler/providers/cloudflare/services/zone/zone_firewall_blocking_rules_configured/zone_firewall_blocking_rules_configured.metadata.json +36 -0
- prowler/providers/cloudflare/services/zone/zone_firewall_blocking_rules_configured/zone_firewall_blocking_rules_configured.py +53 -0
- prowler/providers/cloudflare/services/zone/zone_service.py +133 -1
- prowler/providers/cloudflare/services/zone/zone_waf_owasp_ruleset_enabled/__init__.py +0 -0
- prowler/providers/cloudflare/services/zone/zone_waf_owasp_ruleset_enabled/zone_waf_owasp_ruleset_enabled.metadata.json +36 -0
- prowler/providers/cloudflare/services/zone/zone_waf_owasp_ruleset_enabled/zone_waf_owasp_ruleset_enabled.py +58 -0
- prowler/providers/common/provider.py +23 -0
- prowler/providers/gcp/services/compute/compute_instance_suspended_without_persistent_disks/__init__.py +0 -0
- prowler/providers/gcp/services/compute/compute_instance_suspended_without_persistent_disks/compute_instance_suspended_without_persistent_disks.metadata.json +37 -0
- prowler/providers/gcp/services/compute/compute_instance_suspended_without_persistent_disks/compute_instance_suspended_without_persistent_disks.py +35 -0
- prowler/providers/gcp/services/compute/compute_service.py +2 -0
- prowler/providers/m365/lib/powershell/m365_powershell.py +47 -1
- prowler/providers/m365/services/defender/defender_service.py +52 -0
- prowler/providers/m365/services/defender/defender_zap_for_teams_enabled/__init__.py +0 -0
- prowler/providers/m365/services/defender/defender_zap_for_teams_enabled/defender_zap_for_teams_enabled.metadata.json +38 -0
- prowler/providers/m365/services/defender/defender_zap_for_teams_enabled/defender_zap_for_teams_enabled.py +53 -0
- prowler/providers/m365/services/exchange/exchange_service.py +78 -0
- prowler/providers/m365/services/exchange/exchange_shared_mailbox_sign_in_disabled/__init__.py +0 -0
- prowler/providers/m365/services/exchange/exchange_shared_mailbox_sign_in_disabled/exchange_shared_mailbox_sign_in_disabled.metadata.json +37 -0
- prowler/providers/m365/services/exchange/exchange_shared_mailbox_sign_in_disabled/exchange_shared_mailbox_sign_in_disabled.py +59 -0
- prowler/providers/openstack/__init__.py +0 -0
- prowler/providers/openstack/exceptions/__init__.py +0 -0
- prowler/providers/openstack/exceptions/exceptions.py +166 -0
- prowler/providers/openstack/lib/__init__.py +0 -0
- prowler/providers/openstack/lib/arguments/__init__.py +0 -0
- prowler/providers/openstack/lib/arguments/arguments.py +113 -0
- prowler/providers/openstack/lib/mutelist/__init__.py +0 -0
- prowler/providers/openstack/lib/mutelist/mutelist.py +31 -0
- prowler/providers/openstack/lib/service/__init__.py +0 -0
- prowler/providers/openstack/lib/service/service.py +21 -0
- prowler/providers/openstack/models.py +100 -0
- prowler/providers/openstack/openstack_provider.py +515 -0
- prowler/providers/openstack/services/__init__.py +0 -0
- prowler/providers/openstack/services/compute/__init__.py +0 -0
- prowler/providers/openstack/services/compute/compute_client.py +4 -0
- prowler/providers/openstack/services/compute/compute_instance_security_groups_attached/__init__.py +0 -0
- prowler/providers/openstack/services/compute/compute_instance_security_groups_attached/compute_instance_security_groups_attached.metadata.json +40 -0
- prowler/providers/openstack/services/compute/compute_instance_security_groups_attached/compute_instance_security_groups_attached.py +35 -0
- prowler/providers/openstack/services/compute/compute_service.py +63 -0
- {prowler-5.17.0.dist-info → prowler-5.18.0.dist-info}/METADATA +11 -9
- {prowler-5.17.0.dist-info → prowler-5.18.0.dist-info}/RECORD +219 -155
- {prowler-5.17.0.dist-info → prowler-5.18.0.dist-info}/LICENSE +0 -0
- {prowler-5.17.0.dist-info → prowler-5.18.0.dist-info}/WHEEL +0 -0
- {prowler-5.17.0.dist-info → prowler-5.18.0.dist-info}/entry_points.txt +0 -0
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
from concurrent.futures import ThreadPoolExecutor
|
|
1
2
|
from dataclasses import dataclass
|
|
2
3
|
from datetime import datetime
|
|
3
4
|
from typing import List, Optional, Union
|
|
@@ -20,99 +21,155 @@ class KeyVault(AzureService):
|
|
|
20
21
|
self.key_vaults = self._get_key_vaults(provider)
|
|
21
22
|
|
|
22
23
|
def _get_key_vaults(self, provider):
|
|
24
|
+
"""
|
|
25
|
+
Get all KeyVaults with parallel processing.
|
|
26
|
+
|
|
27
|
+
Optimizations:
|
|
28
|
+
1. Uses list_by_subscription() for full Vault objects
|
|
29
|
+
2. Processes vaults in parallel using __threading_call__
|
|
30
|
+
3. Each vault's keys/secrets/monitor fetched in parallel
|
|
31
|
+
"""
|
|
23
32
|
logger.info("KeyVault - Getting key_vaults...")
|
|
24
33
|
key_vaults = {}
|
|
34
|
+
|
|
25
35
|
for subscription, client in self.clients.items():
|
|
26
36
|
try:
|
|
27
|
-
key_vaults
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
subscription
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
properties=VaultProperties(
|
|
48
|
-
tenant_id=getattr(keyvault_properties, "tenant_id", ""),
|
|
49
|
-
enable_rbac_authorization=getattr(
|
|
50
|
-
keyvault_properties,
|
|
51
|
-
"enable_rbac_authorization",
|
|
52
|
-
False,
|
|
53
|
-
),
|
|
54
|
-
private_endpoint_connections=[
|
|
55
|
-
PrivateEndpointConnection(id=conn.id)
|
|
56
|
-
for conn in (
|
|
57
|
-
getattr(
|
|
58
|
-
keyvault_properties,
|
|
59
|
-
"private_endpoint_connections",
|
|
60
|
-
[],
|
|
61
|
-
)
|
|
62
|
-
or []
|
|
63
|
-
)
|
|
64
|
-
],
|
|
65
|
-
enable_soft_delete=getattr(
|
|
66
|
-
keyvault_properties, "enable_soft_delete", False
|
|
67
|
-
),
|
|
68
|
-
enable_purge_protection=getattr(
|
|
69
|
-
keyvault_properties,
|
|
70
|
-
"enable_purge_protection",
|
|
71
|
-
False,
|
|
72
|
-
),
|
|
73
|
-
public_network_access_disabled=(
|
|
74
|
-
getattr(
|
|
75
|
-
keyvault_properties,
|
|
76
|
-
"public_network_access",
|
|
77
|
-
"Enabled",
|
|
78
|
-
)
|
|
79
|
-
== "Disabled"
|
|
80
|
-
),
|
|
81
|
-
),
|
|
82
|
-
keys=keys,
|
|
83
|
-
secrets=secrets,
|
|
84
|
-
monitor_diagnostic_settings=self._get_vault_monitor_settings(
|
|
85
|
-
keyvault_name, resource_group, subscription
|
|
86
|
-
),
|
|
87
|
-
)
|
|
88
|
-
)
|
|
37
|
+
key_vaults[subscription] = []
|
|
38
|
+
vaults_list = list(client.vaults.list_by_subscription())
|
|
39
|
+
|
|
40
|
+
if not vaults_list:
|
|
41
|
+
continue
|
|
42
|
+
|
|
43
|
+
# Prepare items for parallel processing
|
|
44
|
+
items = [
|
|
45
|
+
{
|
|
46
|
+
"subscription": subscription,
|
|
47
|
+
"keyvault": vault,
|
|
48
|
+
"provider": provider,
|
|
49
|
+
}
|
|
50
|
+
for vault in vaults_list
|
|
51
|
+
]
|
|
52
|
+
|
|
53
|
+
# Process all KeyVaults in parallel
|
|
54
|
+
results = self.__threading_call__(self._process_single_keyvault, items)
|
|
55
|
+
key_vaults[subscription] = results
|
|
56
|
+
|
|
89
57
|
except Exception as error:
|
|
90
58
|
logger.error(
|
|
91
59
|
f"Subscription name: {subscription} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
|
|
92
60
|
)
|
|
61
|
+
|
|
93
62
|
return key_vaults
|
|
94
63
|
|
|
64
|
+
def _process_single_keyvault(self, item: dict) -> Optional["KeyVaultInfo"]:
|
|
65
|
+
"""Process a single KeyVault in parallel."""
|
|
66
|
+
subscription = item["subscription"]
|
|
67
|
+
keyvault = item["keyvault"]
|
|
68
|
+
provider = item["provider"]
|
|
69
|
+
|
|
70
|
+
try:
|
|
71
|
+
resource_group = keyvault.id.split("/")[4]
|
|
72
|
+
keyvault_name = keyvault.name
|
|
73
|
+
keyvault_properties = keyvault.properties
|
|
74
|
+
|
|
75
|
+
# Fetch keys, secrets, and monitor in parallel
|
|
76
|
+
with ThreadPoolExecutor(max_workers=3) as executor:
|
|
77
|
+
keys_future = executor.submit(
|
|
78
|
+
self._get_keys,
|
|
79
|
+
subscription,
|
|
80
|
+
resource_group,
|
|
81
|
+
keyvault_name,
|
|
82
|
+
provider,
|
|
83
|
+
)
|
|
84
|
+
secrets_future = executor.submit(
|
|
85
|
+
self._get_secrets, subscription, resource_group, keyvault_name
|
|
86
|
+
)
|
|
87
|
+
monitor_future = executor.submit(
|
|
88
|
+
self._get_vault_monitor_settings,
|
|
89
|
+
keyvault_name,
|
|
90
|
+
resource_group,
|
|
91
|
+
subscription,
|
|
92
|
+
)
|
|
93
|
+
|
|
94
|
+
keys = keys_future.result()
|
|
95
|
+
secrets = secrets_future.result()
|
|
96
|
+
monitor_settings = monitor_future.result()
|
|
97
|
+
|
|
98
|
+
return KeyVaultInfo(
|
|
99
|
+
id=getattr(keyvault, "id", ""),
|
|
100
|
+
name=getattr(keyvault, "name", ""),
|
|
101
|
+
location=getattr(keyvault, "location", ""),
|
|
102
|
+
resource_group=resource_group,
|
|
103
|
+
properties=VaultProperties(
|
|
104
|
+
tenant_id=getattr(keyvault_properties, "tenant_id", ""),
|
|
105
|
+
enable_rbac_authorization=getattr(
|
|
106
|
+
keyvault_properties,
|
|
107
|
+
"enable_rbac_authorization",
|
|
108
|
+
False,
|
|
109
|
+
),
|
|
110
|
+
private_endpoint_connections=[
|
|
111
|
+
PrivateEndpointConnection(id=conn.id)
|
|
112
|
+
for conn in (
|
|
113
|
+
getattr(
|
|
114
|
+
keyvault_properties,
|
|
115
|
+
"private_endpoint_connections",
|
|
116
|
+
[],
|
|
117
|
+
)
|
|
118
|
+
or []
|
|
119
|
+
)
|
|
120
|
+
],
|
|
121
|
+
enable_soft_delete=getattr(
|
|
122
|
+
keyvault_properties, "enable_soft_delete", False
|
|
123
|
+
),
|
|
124
|
+
enable_purge_protection=getattr(
|
|
125
|
+
keyvault_properties,
|
|
126
|
+
"enable_purge_protection",
|
|
127
|
+
False,
|
|
128
|
+
),
|
|
129
|
+
public_network_access_disabled=(
|
|
130
|
+
getattr(
|
|
131
|
+
keyvault_properties,
|
|
132
|
+
"public_network_access",
|
|
133
|
+
"Enabled",
|
|
134
|
+
)
|
|
135
|
+
== "Disabled"
|
|
136
|
+
),
|
|
137
|
+
),
|
|
138
|
+
keys=keys,
|
|
139
|
+
secrets=secrets,
|
|
140
|
+
monitor_diagnostic_settings=monitor_settings,
|
|
141
|
+
)
|
|
142
|
+
|
|
143
|
+
except Exception as error:
|
|
144
|
+
logger.error(
|
|
145
|
+
f"KeyVault {keyvault.name} in {subscription} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
|
|
146
|
+
)
|
|
147
|
+
return None
|
|
148
|
+
|
|
95
149
|
def _get_keys(self, subscription, resource_group, keyvault_name, provider):
|
|
96
150
|
logger.info(f"KeyVault - Getting keys for {keyvault_name}...")
|
|
97
151
|
keys = []
|
|
152
|
+
keys_dict = {}
|
|
153
|
+
|
|
98
154
|
try:
|
|
99
155
|
client = self.clients[subscription]
|
|
100
156
|
keys_list = client.keys.list(resource_group, keyvault_name)
|
|
101
157
|
for key in keys_list:
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
158
|
+
key_obj = Key(
|
|
159
|
+
id=getattr(key, "id", ""),
|
|
160
|
+
name=getattr(key, "name", ""),
|
|
161
|
+
enabled=getattr(key.attributes, "enabled", False),
|
|
162
|
+
location=getattr(key, "location", ""),
|
|
163
|
+
attributes=KeyAttributes(
|
|
106
164
|
enabled=getattr(key.attributes, "enabled", False),
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
updated=getattr(key.attributes, "updated", 0),
|
|
112
|
-
expires=getattr(key.attributes, "expires", 0),
|
|
113
|
-
),
|
|
114
|
-
)
|
|
165
|
+
created=getattr(key.attributes, "created", 0),
|
|
166
|
+
updated=getattr(key.attributes, "updated", 0),
|
|
167
|
+
expires=getattr(key.attributes, "expires", 0),
|
|
168
|
+
),
|
|
115
169
|
)
|
|
170
|
+
keys.append(key_obj)
|
|
171
|
+
keys_dict[key_obj.name] = key_obj
|
|
172
|
+
|
|
116
173
|
except Exception as error:
|
|
117
174
|
logger.error(
|
|
118
175
|
f"Subscription name: {subscription} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
|
|
@@ -124,12 +181,19 @@ class KeyVault(AzureService):
|
|
|
124
181
|
# TODO: review the following line
|
|
125
182
|
credential=provider.session,
|
|
126
183
|
)
|
|
127
|
-
properties = key_client.list_properties_of_keys()
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
184
|
+
properties = list(key_client.list_properties_of_keys())
|
|
185
|
+
|
|
186
|
+
if properties:
|
|
187
|
+
items = [
|
|
188
|
+
{"key_client": key_client, "prop": prop} for prop in properties
|
|
189
|
+
]
|
|
190
|
+
rotation_results = self.__threading_call__(
|
|
191
|
+
self._get_single_rotation_policy, items
|
|
192
|
+
)
|
|
193
|
+
|
|
194
|
+
for name, policy in rotation_results:
|
|
195
|
+
if policy and name in keys_dict:
|
|
196
|
+
keys_dict[name].rotation_policy = KeyRotationPolicy(
|
|
133
197
|
id=getattr(policy, "id", ""),
|
|
134
198
|
lifetime_actions=[
|
|
135
199
|
KeyRotationLifetimeAction(action=action.action)
|
|
@@ -142,8 +206,25 @@ class KeyVault(AzureService):
|
|
|
142
206
|
logger.warning(
|
|
143
207
|
f"Subscription name: {subscription} -- has no access policy configured for keyvault {keyvault_name}"
|
|
144
208
|
)
|
|
209
|
+
|
|
145
210
|
return keys
|
|
146
211
|
|
|
212
|
+
def _get_single_rotation_policy(self, item: dict) -> tuple:
|
|
213
|
+
"""Thread-safe rotation policy retrieval."""
|
|
214
|
+
key_client = item["key_client"]
|
|
215
|
+
prop = item["prop"]
|
|
216
|
+
|
|
217
|
+
try:
|
|
218
|
+
policy = key_client.get_key_rotation_policy(prop.name)
|
|
219
|
+
return (prop.name, policy)
|
|
220
|
+
except HttpResponseError:
|
|
221
|
+
return (prop.name, None)
|
|
222
|
+
except Exception as error:
|
|
223
|
+
logger.warning(
|
|
224
|
+
f"KeyVault - Failed to get rotation policy for key {prop.name}: {error}"
|
|
225
|
+
)
|
|
226
|
+
return (prop.name, None)
|
|
227
|
+
|
|
147
228
|
def _get_secrets(self, subscription, resource_group, keyvault_name):
|
|
148
229
|
logger.info(f"KeyVault - Getting secrets for {keyvault_name}...")
|
|
149
230
|
secrets = []
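Review bot: `_get_single_rotation_policy` swallows every `HttpResponseError` and returns `(prop.name, None)` with no log line, so a 401/403 from the data plane (missing rotation-policy permission, vault firewall) is indistinguishable from a key that genuinely has no rotation policy, and the caller in the previous hunk then simply leaves `rotation_policy` unset. Any check that consumes `rotation_policy` would presumably report a configuration finding that is really an access problem, which is worse than the generic `Exception` branch that at least warns. I would log the status in that branch too: `except HttpResponseError as error:` / `logger.warning(f"KeyVault - Cannot read rotation policy for key {prop.name} (HTTP {error.status_code}): {error.message}")` / `return (prop.name, None)`. The `_get_keys` body this helper serves begins outside this hunk.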
|
|
@@ -177,6 +258,7 @@ class KeyVault(AzureService):
|
|
|
177
258
|
logger.error(
|
|
178
259
|
f"Subscription name: {subscription} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
|
|
179
260
|
)
|
|
261
|
+
|
|
180
262
|
return secrets
|
|
181
263
|
|
|
182
264
|
def _get_vault_monitor_settings(self, keyvault_name, resource_group, subscription):
|
|
@@ -192,8 +274,9 @@ class KeyVault(AzureService):
|
|
|
192
274
|
)
|
|
193
275
|
except Exception as error:
|
|
194
276
|
logger.error(
|
|
195
|
-
f"Subscription name: {
|
|
277
|
+
f"Subscription name: {subscription} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
|
|
196
278
|
)
|
|
279
|
+
|
|
197
280
|
return monitor_diagnostics_settings
|
|
198
281
|
|
|
199
282
|
|
|
@@ -1,30 +1,36 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "azure",
|
|
3
3
|
"CheckID": "mysql_flexible_server_audit_log_connection_activated",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "MySQL flexible server has audit_log_events including CONNECTION",
|
|
5
5
|
"CheckType": [],
|
|
6
6
|
"ServiceName": "mysql",
|
|
7
7
|
"SubServiceName": "",
|
|
8
8
|
"ResourceIdTemplate": "",
|
|
9
9
|
"Severity": "medium",
|
|
10
|
-
"ResourceType": "
|
|
10
|
+
"ResourceType": "microsoft.dbformysql/flexibleservers",
|
|
11
11
|
"ResourceGroup": "database",
|
|
12
|
-
"Description": "
|
|
13
|
-
"Risk": "
|
|
14
|
-
"RelatedUrl": "
|
|
12
|
+
"Description": "**Azure Database for MySQL Flexible Server** audit configuration includes the `CONNECTION` event in `audit_log_events`.",
|
|
13
|
+
"Risk": "Without **CONNECTION auditing**, login attempts are invisible, weakening detection of **brute-force**, **credential stuffing**, and anomalous access. This enables unnoticed account takeover and lateral movement, impacting **confidentiality** and **integrity**, and hinders **forensics** and timely response.",
|
|
14
|
+
"RelatedUrl": "",
|
|
15
|
+
"AdditionalURLs": [
|
|
16
|
+
"https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation",
|
|
17
|
+
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/MySQL/configure-audit-log-events-for-mysql-flexible-servers.html"
|
|
18
|
+
],
|
|
15
19
|
"Remediation": {
|
|
16
20
|
"Code": {
|
|
17
|
-
"CLI": "",
|
|
18
|
-
"NativeIaC": "",
|
|
19
|
-
"Other": "
|
|
20
|
-
"Terraform": ""
|
|
21
|
+
"CLI": "az mysql flexible-server parameter set --resource-group <RESOURCE_GROUP> --server-name <SERVER_NAME> --name audit_log_events --value CONNECTION",
|
|
22
|
+
"NativeIaC": "```bicep\n// Set MySQL Flexible Server audit_log_events to include CONNECTION\nresource cfg 'Microsoft.DBforMySQL/flexibleServers/configurations@2021-05-01' = {\n name: '<example_resource_name>/audit_log_events'\n properties: {\n value: 'CONNECTION' // Critical: ensures 'CONNECTION' is logged, making the check PASS\n }\n}\n```",
|
|
23
|
+
"Other": "1. In the Azure Portal, go to Azure Database for MySQL flexible server\n2. Select your server, then go to Server parameters\n3. Search for audit_log_events\n4. Set its value to CONNECTION\n5. Click Save",
|
|
24
|
+
"Terraform": "```hcl\nresource \"azurerm_mysql_flexible_server_configuration\" \"<example_resource_name>\" {\n name = \"audit_log_events\"\n resource_group_name = \"<example_resource_group>\"\n server_name = \"<example_server_name>\"\n value = \"CONNECTION\" # Critical: includes CONNECTION in audit logs to pass the check\n}\n```"
|
|
21
25
|
},
|
|
22
26
|
"Recommendation": {
|
|
23
|
-
"Text": "
|
|
24
|
-
"Url": "https://
|
|
27
|
+
"Text": "Include `CONNECTION` in `audit_log_events` to capture login activity. Centralize and retain **audit logs**, restrict access by **least privilege**, and protect logs from tampering. Monitor for anomalous sign-in patterns and alert. Pair with **defense-in-depth** controls (MFA, network allow-listing) to reduce exposure.",
|
|
28
|
+
"Url": "https://hub.prowler.com/check/mysql_flexible_server_audit_log_connection_activated"
|
|
25
29
|
}
|
|
26
30
|
},
|
|
27
|
-
"Categories": [
|
|
31
|
+
"Categories": [
|
|
32
|
+
"logging"
|
|
33
|
+
],
|
|
28
34
|
"DependsOn": [],
|
|
29
35
|
"RelatedTo": [],
|
|
30
36
|
"Notes": "There are further costs incurred for storage of logs. For high traffic databases these logs will be significant. Determine your organization's needs before enabling."
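Review bot: The remediation (`--value CONNECTION` in CLI, `value: 'CONNECTION'` in Bicep/Terraform, step 4 of the portal steps) overwrites the whole `audit_log_events` list rather than adding to it, while the CheckTitle and Description only ask that CONNECTION be *included*; applied to a server already auditing DDL/DML it silently turns those categories off. As far as I recall the parameter is a comma-separated multi-value list, so the CLI should read `--value "CONNECTION,<EXISTING_EVENTS>"` and the portal steps should first note the current value. `audit_log_events` also has no effect while `audit_log_enabled` is OFF, so `mysql_flexible_server_audit_log_enabled` from this same release belongs in the currently empty `"DependsOn"` or `"RelatedTo"`.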
|
|
@@ -1,30 +1,37 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "azure",
|
|
3
3
|
"CheckID": "mysql_flexible_server_audit_log_enabled",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "MySQL flexible server has audit_log_enabled set to ON",
|
|
5
5
|
"CheckType": [],
|
|
6
6
|
"ServiceName": "mysql",
|
|
7
7
|
"SubServiceName": "",
|
|
8
8
|
"ResourceIdTemplate": "",
|
|
9
9
|
"Severity": "medium",
|
|
10
|
-
"ResourceType": "
|
|
10
|
+
"ResourceType": "microsoft.dbformysql/flexibleservers",
|
|
11
11
|
"ResourceGroup": "database",
|
|
12
|
-
"Description": "
|
|
13
|
-
"Risk": "
|
|
14
|
-
"RelatedUrl": "
|
|
12
|
+
"Description": "**Azure Database for MySQL Flexible Server** with `audit_log_enabled` set to `ON` generates **audit logs** for connections, authentication, DDL/DML, and administrative actions.",
|
|
13
|
+
"Risk": "Missing **audit logs** reduces **accountability** and obscures activity affecting **confidentiality** and **integrity**. Unauthorized logins, privilege abuse, or suspicious queries may go undetected, impeding **forensics**, slowing incident response, and enabling covert data exfiltration.",
|
|
14
|
+
"RelatedUrl": "",
|
|
15
|
+
"AdditionalURLs": [
|
|
16
|
+
"https://learn.microsoft.com/en-us/azure/mysql/flexible-server/tutorial-configure-audit",
|
|
17
|
+
"https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation",
|
|
18
|
+
"https://learn.microsoft.com/en-us/azure/mysql/flexible-server/scripts/sample-cli-audit-logs"
|
|
19
|
+
],
|
|
15
20
|
"Remediation": {
|
|
16
21
|
"Code": {
|
|
17
|
-
"CLI": "",
|
|
18
|
-
"NativeIaC": "",
|
|
19
|
-
"Other": "
|
|
20
|
-
"Terraform": ""
|
|
22
|
+
"CLI": "az mysql flexible-server parameter set --name audit_log_enabled --resource-group <RESOURCE_GROUP> --server-name <SERVER_NAME> --value ON",
|
|
23
|
+
"NativeIaC": "```bicep\n// Enable audit logs on an existing MySQL Flexible Server\nresource server 'Microsoft.DBforMySQL/flexibleServers@2021-12-01-preview' existing = {\n name: '<example_resource_name>'\n}\n\nresource audit 'Microsoft.DBforMySQL/flexibleServers/configurations@2021-12-01-preview' = {\n name: 'audit_log_enabled'\n parent: server\n properties: {\n value: 'ON' // CRITICAL: turns audit_log_enabled ON to pass the check\n }\n}\n```",
|
|
24
|
+
"Other": "1. Sign in to the Azure portal\n2. Go to: Azure Database for MySQL flexible server > Your server\n3. Under Settings, select Server parameters\n4. Find audit_log_enabled and set it to ON\n5. Click Save",
|
|
25
|
+
"Terraform": "```hcl\n# Enable audit logs on MySQL Flexible Server\nresource \"azurerm_mysql_flexible_server_configuration\" \"<example_resource_name>\" {\n name = \"audit_log_enabled\"\n resource_group_name = \"<example_resource_name>\"\n server_name = \"<example_resource_name>\"\n value = \"ON\" # CRITICAL: enables audit logging to pass the check\n}\n```"
|
|
21
26
|
},
|
|
22
27
|
"Recommendation": {
|
|
23
|
-
"Text": "
|
|
24
|
-
"Url": "https://
|
|
28
|
+
"Text": "Enable **audit logging** (`audit_log_enabled=ON`) and select events that matter. Export `MySqlAuditLogs` to a centralized store, enforce **least privilege** on log access, set retention, and create alerts for anomalies. Regularly review logs as part of **defense in depth**.",
|
|
29
|
+
"Url": "https://hub.prowler.com/check/mysql_flexible_server_audit_log_enabled"
|
|
25
30
|
}
|
|
26
31
|
},
|
|
27
|
-
"Categories": [
|
|
32
|
+
"Categories": [
|
|
33
|
+
"logging"
|
|
34
|
+
],
|
|
28
35
|
"DependsOn": [],
|
|
29
36
|
"RelatedTo": [],
|
|
30
37
|
"Notes": ""
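Review bot: The Bicep snippet pins `Microsoft.DBforMySQL/flexibleServers/configurations@2021-12-01-preview` while the sibling mysql metadata in this release use GA versions of the same type (`2021-05-01`, `2022-01-01`, `2023-12-30`); a preview API version in copy-paste remediation is likely to be retired, and the `existing` + `parent` form is not needed since the `'<server>/audit_log_enabled'` child-name form used by the other snippets works. The Terraform example also reuses `<example_resource_name>` for the resource group, server and resource label, which reads as a mistake. Worth one sentence in "Other": enabling `audit_log_enabled` only produces the `MySqlAuditLogs` category, and unless a diagnostic setting routes it somewhere nothing is retained, which the Recommendation hints at but the remediation steps do not.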
|
|
@@ -1,30 +1,36 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "azure",
|
|
3
3
|
"CheckID": "mysql_flexible_server_minimum_tls_version_12",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "MySQL flexible server enforces TLS 1.2 or higher",
|
|
5
5
|
"CheckType": [],
|
|
6
6
|
"ServiceName": "mysql",
|
|
7
7
|
"SubServiceName": "",
|
|
8
8
|
"ResourceIdTemplate": "",
|
|
9
9
|
"Severity": "high",
|
|
10
|
-
"ResourceType": "
|
|
10
|
+
"ResourceType": "microsoft.dbformysql/flexibleservers",
|
|
11
11
|
"ResourceGroup": "database",
|
|
12
|
-
"Description": "
|
|
13
|
-
"Risk": "
|
|
14
|
-
"RelatedUrl": "
|
|
12
|
+
"Description": "**Azure Database for MySQL Flexible Server** uses the `tls_version` setting to permit only **modern TLS** for client connections, requiring `TLSv1.2+` and excluding `TLSv1.0` and `TLSv1.1`.",
|
|
13
|
+
"Risk": "Allowing legacy TLS (`TLSv1.0`/`TLSv1.1`) weakens **confidentiality** and **integrity** of data in transit. Attackers can force downgrades and perform **man-in-the-middle** interception, exposing credentials and queries or altering results, leading to unauthorized access and data exfiltration.",
|
|
14
|
+
"RelatedUrl": "",
|
|
15
|
+
"AdditionalURLs": [
|
|
16
|
+
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/MySQL/mysql-flexible-server-tls-version.html",
|
|
17
|
+
"https://learn.microsoft.com/en-us/azure/mysql/flexible-server/security-tls-how-to-connect"
|
|
18
|
+
],
|
|
15
19
|
"Remediation": {
|
|
16
20
|
"Code": {
|
|
17
|
-
"CLI": "az mysql flexible-server parameter set --
|
|
18
|
-
"NativeIaC": "",
|
|
19
|
-
"Other": "
|
|
20
|
-
"Terraform": "
|
|
21
|
+
"CLI": "az mysql flexible-server parameter set --resource-group <resourceGroupName> --server-name <serverName> --name tls_version --value TLSv1.2",
|
|
22
|
+
"NativeIaC": "```bicep\n// Set MySQL Flexible Server to enforce TLS 1.2\nresource tlsVersion 'Microsoft.DBforMySQL/flexibleServers/configurations@2022-01-01' = {\n name: '<example_resource_name>/tls_version'\n properties: {\n value: 'TLSv1.2' // Critical: enforces minimum TLS 1.2 and rejects TLS 1.0/1.1\n }\n}\n```",
|
|
23
|
+
"Other": "1. In Azure portal, go to Azure Database for MySQL flexible server <example_resource_name>\n2. Select Server parameters\n3. Search for tls_version\n4. Set the value to TLSv1.2\n5. Click Save",
|
|
24
|
+
"Terraform": "```hcl\n# Enforce TLS 1.2 on MySQL Flexible Server\nresource \"azurerm_mysql_flexible_server_configuration\" \"tls\" {\n name = \"tls_version\"\n resource_group_name = \"<example_resource_group>\"\n server_name = \"<example_server_name>\"\n value = \"TLSv1.2\" # Critical: sets minimum TLS to 1.2 (no 1.0/1.1)\n}\n```"
|
|
21
25
|
},
|
|
22
26
|
"Recommendation": {
|
|
23
|
-
"Text": "
|
|
24
|
-
"Url": "https://
|
|
27
|
+
"Text": "Enforce a **minimum TLS** of `TLSv1.2` (prefer `TLSv1.3`) and disable `TLSv1.0`/`TLSv1.1`. Ensure clients and drivers support modern TLS, deprecate weak cipher suites, and validate in staging. Apply **defense in depth** with private connectivity and restricted network access.",
|
|
28
|
+
"Url": "https://hub.prowler.com/check/mysql_flexible_server_minimum_tls_version_12"
|
|
25
29
|
}
|
|
26
30
|
},
|
|
27
|
-
"Categories": [
|
|
31
|
+
"Categories": [
|
|
32
|
+
"encryption"
|
|
33
|
+
],
|
|
28
34
|
"DependsOn": [],
|
|
29
35
|
"RelatedTo": [],
|
|
30
36
|
"Notes": ""
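Review bot: The Recommendation says to prefer `TLSv1.3`, yet every remediation snippet pins `tls_version` to exactly `TLSv1.2`; if I remember right the parameter is a comma-separated allow-list, so on a server that supports 1.3 this would disable it, and `--value "TLSv1.2,TLSv1.3"` (mirrored in the Bicep, Terraform and portal steps) is the value that matches the text. Please confirm the accepted values against the SDK before changing. Minor: the CLI placeholders `<resourceGroupName>`/`<serverName>` differ from the `<RESOURCE_GROUP>`/`<SERVER_NAME>` style used by the neighbouring mysql checks.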
|
|
@@ -1,30 +1,37 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "azure",
|
|
3
3
|
"CheckID": "mysql_flexible_server_ssl_connection_enabled",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "MySQL Flexible Server enforces SSL connections",
|
|
5
5
|
"CheckType": [],
|
|
6
6
|
"ServiceName": "mysql",
|
|
7
7
|
"SubServiceName": "",
|
|
8
8
|
"ResourceIdTemplate": "",
|
|
9
9
|
"Severity": "high",
|
|
10
|
-
"ResourceType": "
|
|
10
|
+
"ResourceType": "microsoft.dbformysql/flexibleservers",
|
|
11
11
|
"ResourceGroup": "database",
|
|
12
|
-
"Description": "
|
|
13
|
-
"Risk": "
|
|
14
|
-
"RelatedUrl": "
|
|
12
|
+
"Description": "**Azure Database for MySQL Flexible Server** uses the `require_secure_transport` parameter to enforce **encrypted connections**. This evaluation determines whether the server is configured to require **TLS/SSL** for all client sessions.",
|
|
13
|
+
"Risk": "Without **TLS enforcement**, credentials and queries may traverse the network in cleartext, enabling **man-in-the-middle**, **credential theft**, tampering, and data exfiltration. This directly impacts **confidentiality** and **integrity** and can lead to compliance violations.",
|
|
14
|
+
"RelatedUrl": "",
|
|
15
|
+
"AdditionalURLs": [
|
|
16
|
+
"https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-networking",
|
|
17
|
+
"https://learn.microsoft.com/en-us/azure/mysql/flexible-server/how-to-troubleshoot-common-connection-issues",
|
|
18
|
+
"https://learn.microsoft.com/en-us/azure/mysql/flexible-server/how-to-connect-tls-ssl"
|
|
19
|
+
],
|
|
15
20
|
"Remediation": {
|
|
16
21
|
"Code": {
|
|
17
|
-
"CLI": "",
|
|
18
|
-
"NativeIaC": "",
|
|
19
|
-
"Other": "
|
|
20
|
-
"Terraform": ""
|
|
22
|
+
"CLI": "az mysql flexible-server parameter set --resource-group <RESOURCE_GROUP> --server-name <SERVER_NAME> --name require_secure_transport --value ON",
|
|
23
|
+
"NativeIaC": "```bicep\n// Enforce SSL/TLS by enabling require_secure_transport on MySQL Flexible Server\nresource reqSecureTransport 'Microsoft.DBforMySQL/flexibleServers/configurations@2023-12-30' = {\n name: '<example_resource_name>/require_secure_transport'\n properties: {\n value: 'ON' // Critical: turns on SSL enforcement (require_secure_transport)\n }\n}\n```",
|
|
24
|
+
"Other": "1. Sign in to the Azure portal\n2. Go to: Azure Database for MySQL Flexible Server > <your server>\n3. Select Server parameters\n4. Find require_secure_transport and set it to ON\n5. Click Save\n6. Verify by refreshing Server parameters and confirming the value is ON",
|
|
25
|
+
"Terraform": "```hcl\n# Enforce SSL/TLS on MySQL Flexible Server\nresource \"azurerm_mysql_flexible_server_configuration\" \"secure\" {\n name = \"require_secure_transport\"\n resource_group_name = \"<example_resource_group>\"\n server_name = \"<example_server_name>\"\n value = \"ON\" # Critical: enables SSL enforcement\n}\n```"
|
|
21
26
|
},
|
|
22
27
|
"Recommendation": {
|
|
23
|
-
"Text": "
|
|
24
|
-
"Url": "https://
|
|
28
|
+
"Text": "Set `require_secure_transport=ON` and permit only **TLS 1.2+**. Ensure clients validate certificates and use FQDNs. Combine with **private access** (Private Link or VNet), restrictive firewall rules, and **least privilege** to reduce exposure. *Avoid legacy TLS or plaintext connections.*",
|
|
29
|
+
"Url": "https://hub.prowler.com/check/mysql_flexible_server_ssl_connection_enabled"
|
|
25
30
|
}
|
|
26
31
|
},
|
|
27
|
-
"Categories": [
|
|
32
|
+
"Categories": [
|
|
33
|
+
"encryption"
|
|
34
|
+
],
|
|
28
35
|
"DependsOn": [],
|
|
29
36
|
"RelatedTo": [],
|
|
30
37
|
"Notes": ""
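Review bot: `"RelatedTo": []` although the Recommendation text ("permit only TLS 1.2+") depends on a control that is its own check in this release; `"RelatedTo": ["mysql_flexible_server_minimum_tls_version_12"]` would link them in the hub. Also worth stating in the Recommendation that `require_secure_transport=ON` only forces encryption on the server side and says nothing about whether clients verify the server certificate, so the "ensure clients validate certificates" advice is a separate client-side step rather than something this parameter gives you.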
|
|
@@ -1,30 +1,39 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "azure",
|
|
3
3
|
"CheckID": "network_bastion_host_exists",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "Azure subscription has at least one Bastion Host",
|
|
5
5
|
"CheckType": [],
|
|
6
6
|
"ServiceName": "network",
|
|
7
7
|
"SubServiceName": "",
|
|
8
8
|
"ResourceIdTemplate": "",
|
|
9
9
|
"Severity": "medium",
|
|
10
|
-
"ResourceType": "
|
|
10
|
+
"ResourceType": "microsoft.network/bastionhosts",
|
|
11
11
|
"ResourceGroup": "network",
|
|
12
|
-
"Description": "
|
|
13
|
-
"Risk": "
|
|
14
|
-
"RelatedUrl": "
|
|
12
|
+
"Description": "**Azure subscription** contains an **Azure Bastion host** for secure RDP/SSH brokering over TLS on `443/TCP` to virtual machines using private IPs. The assessment identifies whether such a bastion is available.",
|
|
13
|
+
"Risk": "Absent **Bastion**, admins often assign public IPs or open `22/3389`, expanding attack surface.\n\nThis enables Internet brute force, credential stuffing, and RDP/SSH exploits, leading to unauthorized access, data exfiltration, and lateral movement. CIA impact: confidentiality/integrity loss and potential downtime from ransomware.",
|
|
14
|
+
"RelatedUrl": "",
|
|
15
|
+
"AdditionalURLs": [
|
|
16
|
+
"https://learn.microsoft.com/en-us/powershell/module/az.network/get-azbastion?view=azps-9.2.0",
|
|
17
|
+
"https://learn.microsoft.com/en-us/azure/templates/microsoft.network/bastionhosts",
|
|
18
|
+
"https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/bastion-host-exists.html",
|
|
19
|
+
"https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku",
|
|
20
|
+
"https://learn.microsoft.com/en-us/azure/firewall/deploy-ps"
|
|
21
|
+
],
|
|
15
22
|
"Remediation": {
|
|
16
23
|
"Code": {
|
|
17
|
-
"CLI": "az network bastion create --
|
|
18
|
-
"NativeIaC": "",
|
|
19
|
-
"Other": "
|
|
20
|
-
"Terraform": ""
|
|
24
|
+
"CLI": "az network bastion create --name <BASTION_NAME> --public-ip-address <PUBLIC_IP_NAME> --resource-group <RESOURCE_GROUP> --vnet-name <VNET_NAME> --location <LOCATION>",
|
|
25
|
+
"NativeIaC": "```bicep\n// Minimal Bicep to ensure at least one Bastion Host exists in the subscription\nparam location string = resourceGroup().location\n\nresource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {\n name: '<example_resource_name>-vnet'\n location: location\n properties: {\n addressSpace: { addressPrefixes: ['10.0.0.0/24'] }\n subnets: [\n {\n name: 'AzureBastionSubnet'\n properties: { addressPrefix: '10.0.0.0/27' }\n }\n ]\n }\n}\n\nresource pip 'Microsoft.Network/publicIPAddresses@2022-07-01' = {\n name: '<example_resource_name>-pip'\n location: location\n sku: { name: 'Standard' }\n properties: { publicIPAllocationMethod: 'Static' }\n}\n\nresource bastion 'Microsoft.Network/bastionHosts@2024-10-01' = {\n name: '<example_resource_name>'\n location: location\n sku: { name: 'Basic' }\n properties: {\n ipConfigurations: [\n {\n name: 'IpConf'\n properties: {\n subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'AzureBastionSubnet') } // Critical: attaches Bastion to required AzureBastionSubnet so resource can be created\n publicIPAddress: { id: pip.id } // Critical: associates required Public IP with Bastion\n }\n }\n ]\n }\n}\n```",
|
|
26
|
+
"Other": "1. In the Azure portal, go to Networking > Bastions > Create\n2. Select your Subscription and a Resource group\n3. Enter a Name and Region\n4. Under Virtual network, select an existing VNet or click Create new\n5. Ensure a subnet named AzureBastionSubnet exists with a /27 address space; create it if prompted\n6. For Public IP address, click Create new and accept defaults\n7. Click Review + create, then Create\n8. After deployment completes, the subscription now has a Bastion Host (check passes)",
|
|
27
|
+
"Terraform": "```hcl\n# Minimal Terraform to create one Bastion Host (fixes FAIL by ensuring existence)\nresource \"azurerm_resource_group\" \"example\" {\n name = \"<example_resource_name>\"\n location = \"eastus\"\n}\n\nresource \"azurerm_virtual_network\" \"example\" {\n name = \"<example_resource_name>-vnet\"\n location = azurerm_resource_group.example.location\n resource_group_name = azurerm_resource_group.example.name\n address_space = [\"10.0.0.0/24\"]\n}\n\nresource \"azurerm_subnet\" \"bastion\" {\n name = \"AzureBastionSubnet\"\n resource_group_name = azurerm_resource_group.example.name\n virtual_network_name = azurerm_virtual_network.example.name\n address_prefixes = [\"10.0.0.0/27\"]\n}\n\nresource \"azurerm_public_ip\" \"example\" {\n name = \"<example_resource_name>-pip\"\n location = azurerm_resource_group.example.location\n resource_group_name = azurerm_resource_group.example.name\n allocation_method = \"Static\"\n sku = \"Standard\"\n}\n\nresource \"azurerm_bastion_host\" \"example\" {\n name = \"<example_resource_name>\"\n location = azurerm_resource_group.example.location\n resource_group_name = azurerm_resource_group.example.name\n\n # Critical: creating the Bastion Host resource is what changes the check to PASS\n sku = \"Basic\" # Critical: required for Bastion creation\n\n ip_configuration { \n name = \"IpConf\"\n subnet_id = azurerm_subnet.bastion.id # Critical: attaches Bastion to AzureBastionSubnet\n public_ip_address_id = azurerm_public_ip.example.id # Critical: associates required Public IP\n }\n}\n```"
|
|
21
28
|
},
|
|
22
29
|
"Recommendation": {
|
|
23
|
-
"Text": "
|
|
24
|
-
"Url": "https://
|
|
30
|
+
"Text": "Standardize on **Azure Bastion** for admin access.\n\nRemove VM public IPs and deny inbound `22`/`3389` via perimeter controls and NSGs. Apply **least privilege** and just-in-time access, integrate **Entra ID** with **MFA** and conditional access, monitor sessions/logs, and segment networks so only Bastion can reach management ports.",
|
|
31
|
+
"Url": "https://hub.prowler.com/check/network_bastion_host_exists"
|
|
25
32
|
}
|
|
26
33
|
},
|
|
27
|
-
"Categories": [
|
|
34
|
+
"Categories": [
|
|
35
|
+
"internet-exposed"
|
|
36
|
+
],
|
|
28
37
|
"DependsOn": [],
|
|
29
38
|
"RelatedTo": [],
|
|
30
39
|
"Notes": "The Azure Bastion service incurs additional costs and requires a specific virtual network configuration. The Standard tier offers additional configuration options compared to the Basic tier and may incur additional costs for those added features."
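Review bot: Both IaC snippets and the portal steps create a fresh `<example_resource_name>-vnet` containing only `AzureBastionSubnet`, so the Bastion they deploy cannot reach any existing VM; the check flips to PASS without any management port being taken off the Internet. The remediation should target the VNet that hosts the VMs (or peer to it), and step 4 of "Other" should say "select the VNet your VMs are in" rather than "or click Create new". The `/27` used in three places is, as far as I know, below Microsoft's current `/26` minimum for `AzureBastionSubnet` — worth confirming before shipping. Consider also noting that existence of a Bastion is a weak proxy: VMs keeping public IPs or open `22`/`3389` still need their own checks.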
|