prowler 5.17.0__py3-none-any.whl → 5.18.0__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- dashboard/compliance/hipaa_azure.py +25 -0
- dashboard/pages/overview.py +20 -11
- prowler/AGENTS.md +1 -1
- prowler/CHANGELOG.md +43 -0
- prowler/__main__.py +5 -0
- prowler/compliance/azure/hipaa_azure.json +820 -0
- prowler/compliance/m365/cis_4.0_m365.json +6 -2
- prowler/compliance/m365/cis_6.0_m365.json +6 -2
- prowler/compliance/m365/iso27001_2022_m365.json +13 -11
- prowler/compliance/openstack/__init__.py +0 -0
- prowler/config/config.py +2 -1
- prowler/config/config.yaml +4 -1
- prowler/config/openstack_mutelist_example.yaml +60 -0
- prowler/lib/check/check.py +4 -0
- prowler/lib/check/models.py +27 -2
- prowler/lib/cli/parser.py +3 -2
- prowler/lib/outputs/finding.py +14 -0
- prowler/lib/outputs/html/html.py +72 -0
- prowler/lib/outputs/jira/jira.py +3 -3
- prowler/lib/outputs/outputs.py +2 -0
- prowler/lib/outputs/summary_table.py +7 -0
- prowler/lib/timeline/__init__.py +0 -0
- prowler/lib/timeline/models.py +27 -0
- prowler/lib/timeline/timeline.py +36 -0
- prowler/providers/aws/lib/cloudtrail_timeline/__init__.py +0 -0
- prowler/providers/aws/lib/cloudtrail_timeline/cloudtrail_timeline.py +218 -0
- prowler/providers/aws/services/codebuild/codebuild_project_webhook_filters_use_anchored_patterns/__init__.py +0 -0
- prowler/providers/aws/services/codebuild/codebuild_project_webhook_filters_use_anchored_patterns/codebuild_project_webhook_filters_use_anchored_patterns.metadata.json +40 -0
- prowler/providers/aws/services/codebuild/codebuild_project_webhook_filters_use_anchored_patterns/codebuild_project_webhook_filters_use_anchored_patterns.py +58 -0
- prowler/providers/aws/services/codebuild/codebuild_service.py +45 -0
- prowler/providers/aws/services/dynamodb/dynamodb_table_cross_account_access/dynamodb_table_cross_account_access.metadata.json +1 -1
- prowler/providers/aws/services/dynamodb/dynamodb_table_cross_account_access/dynamodb_table_cross_account_access.py +4 -0
- prowler/providers/aws/services/eventbridge/eventbridge_bus_cross_account_access/eventbridge_bus_cross_account_access.metadata.json +1 -1
- prowler/providers/aws/services/eventbridge/eventbridge_bus_cross_account_access/eventbridge_bus_cross_account_access.py +4 -0
- prowler/providers/aws/services/eventbridge/eventbridge_schema_registry_cross_account_access/eventbridge_schema_registry_cross_account_access.metadata.json +1 -1
- prowler/providers/aws/services/eventbridge/eventbridge_schema_registry_cross_account_access/eventbridge_schema_registry_cross_account_access.py +2 -0
- prowler/providers/aws/services/iam/lib/policy.py +19 -3
- prowler/providers/aws/services/rds/rds_instance_extended_support/__init__.py +0 -0
- prowler/providers/aws/services/rds/rds_instance_extended_support/rds_instance_extended_support.metadata.json +41 -0
- prowler/providers/aws/services/rds/rds_instance_extended_support/rds_instance_extended_support.py +37 -0
- prowler/providers/aws/services/rds/rds_service.py +4 -0
- prowler/providers/aws/services/s3/s3_bucket_cross_account_access/s3_bucket_cross_account_access.metadata.json +1 -1
- prowler/providers/aws/services/s3/s3_bucket_cross_account_access/s3_bucket_cross_account_access.py +5 -1
- prowler/providers/azure/lib/service/service.py +23 -0
- prowler/providers/azure/services/app/app_client_certificates_on/app_client_certificates_on.metadata.json +18 -12
- prowler/providers/azure/services/app/app_ensure_auth_is_set_up/app_ensure_auth_is_set_up.metadata.json +18 -11
- prowler/providers/azure/services/app/app_ensure_http_is_redirected_to_https/app_ensure_http_is_redirected_to_https.metadata.json +19 -12
- prowler/providers/azure/services/app/app_ensure_java_version_is_latest/app_ensure_java_version_is_latest.metadata.json +19 -12
- prowler/providers/azure/services/app/app_ensure_php_version_is_latest/app_ensure_php_version_is_latest.metadata.json +19 -12
- prowler/providers/azure/services/app/app_ensure_python_version_is_latest/app_ensure_python_version_is_latest.metadata.json +19 -12
- prowler/providers/azure/services/app/app_ensure_using_http20/app_ensure_using_http20.metadata.json +18 -11
- prowler/providers/azure/services/app/app_ftp_deployment_disabled/app_ftp_deployment_disabled.metadata.json +21 -13
- prowler/providers/azure/services/app/app_function_access_keys_configured/app_function_access_keys_configured.metadata.json +19 -11
- prowler/providers/azure/services/app/app_function_application_insights_enabled/app_function_application_insights_enabled.metadata.json +21 -14
- prowler/providers/azure/services/app/app_function_ftps_deployment_disabled/app_function_ftps_deployment_disabled.metadata.json +18 -13
- prowler/providers/azure/services/app/app_function_identity_is_configured/app_function_identity_is_configured.metadata.json +20 -13
- prowler/providers/azure/services/app/app_function_identity_without_admin_privileges/app_function_identity_without_admin_privileges.metadata.json +18 -11
- prowler/providers/azure/services/app/app_function_latest_runtime_version/app_function_latest_runtime_version.metadata.json +20 -13
- prowler/providers/azure/services/app/app_function_not_publicly_accessible/app_function_not_publicly_accessible.metadata.json +20 -13
- prowler/providers/azure/services/app/app_function_vnet_integration_enabled/app_function_vnet_integration_enabled.metadata.json +21 -14
- prowler/providers/azure/services/app/app_http_logs_enabled/app_http_logs_enabled.metadata.json +18 -12
- prowler/providers/azure/services/app/app_minimum_tls_version_12/app_minimum_tls_version_12.metadata.json +20 -12
- prowler/providers/azure/services/app/app_register_with_identity/app_register_with_identity.metadata.json +18 -11
- prowler/providers/azure/services/appinsights/appinsights_ensure_is_configured/appinsights_ensure_is_configured.metadata.json +18 -12
- prowler/providers/azure/services/containerregistry/containerregistry_admin_user_disabled/containerregistry_admin_user_disabled.metadata.json +17 -11
- prowler/providers/azure/services/containerregistry/containerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible.metadata.json +18 -12
- prowler/providers/azure/services/containerregistry/containerregistry_uses_private_link/containerregistry_uses_private_link.metadata.json +21 -13
- prowler/providers/azure/services/cosmosdb/cosmosdb_account_firewall_use_selected_networks/cosmosdb_account_firewall_use_selected_networks.metadata.json +20 -12
- prowler/providers/azure/services/cosmosdb/cosmosdb_account_use_aad_and_rbac/cosmosdb_account_use_aad_and_rbac.metadata.json +19 -13
- prowler/providers/azure/services/cosmosdb/cosmosdb_account_use_private_endpoints/cosmosdb_account_use_private_endpoints.metadata.json +20 -13
- prowler/providers/azure/services/databricks/databricks_workspace_cmk_encryption_enabled/databricks_workspace_cmk_encryption_enabled.metadata.json +20 -14
- prowler/providers/azure/services/databricks/databricks_workspace_vnet_injection_enabled/databricks_workspace_vnet_injection_enabled.metadata.json +20 -14
- prowler/providers/azure/services/defender/defender_additional_email_configured_with_a_security_contact/defender_additional_email_configured_with_a_security_contact.metadata.json +20 -13
- prowler/providers/azure/services/defender/defender_assessments_vm_endpoint_protection_installed/defender_assessments_vm_endpoint_protection_installed.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_attack_path_notifications_properly_configured/defender_attack_path_notifications_properly_configured.metadata.json +19 -13
- prowler/providers/azure/services/defender/defender_auto_provisioning_log_analytics_agent_vms_on/defender_auto_provisioning_log_analytics_agent_vms_on.metadata.json +20 -13
- prowler/providers/azure/services/defender/defender_auto_provisioning_vulnerabilty_assessments_machines_on/defender_auto_provisioning_vulnerabilty_assessments_machines_on.metadata.json +19 -12
- prowler/providers/azure/services/defender/defender_container_images_resolved_vulnerabilities/defender_container_images_resolved_vulnerabilities.metadata.json +20 -12
- prowler/providers/azure/services/defender/defender_container_images_scan_enabled/defender_container_images_scan_enabled.metadata.json +22 -13
- prowler/providers/azure/services/defender/defender_ensure_defender_for_app_services_is_on/defender_ensure_defender_for_app_services_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_arm_is_on/defender_ensure_defender_for_arm_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_azure_sql_databases_is_on/defender_ensure_defender_for_azure_sql_databases_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_containers_is_on/defender_ensure_defender_for_containers_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_cosmosdb_is_on/defender_ensure_defender_for_cosmosdb_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_databases_is_on/defender_ensure_defender_for_databases_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_dns_is_on/defender_ensure_defender_for_dns_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_keyvault_is_on/defender_ensure_defender_for_keyvault_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_os_relational_databases_is_on/defender_ensure_defender_for_os_relational_databases_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_server_is_on/defender_ensure_defender_for_server_is_on.metadata.json +19 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_sql_servers_is_on/defender_ensure_defender_for_sql_servers_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_storage_is_on/defender_ensure_defender_for_storage_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_iot_hub_defender_is_on/defender_ensure_iot_hub_defender_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_mcas_is_enabled/defender_ensure_mcas_is_enabled.metadata.json +20 -12
- prowler/providers/azure/services/defender/defender_ensure_notify_alerts_severity_is_high/defender_ensure_notify_alerts_severity_is_high.metadata.json +19 -12
- prowler/providers/azure/services/defender/defender_ensure_notify_emails_to_owners/defender_ensure_notify_emails_to_owners.metadata.json +19 -12
- prowler/providers/azure/services/defender/defender_ensure_system_updates_are_applied/defender_ensure_system_updates_are_applied.metadata.json +17 -9
- prowler/providers/azure/services/defender/defender_ensure_wdatp_is_enabled/defender_ensure_wdatp_is_enabled.metadata.json +21 -13
- prowler/providers/azure/services/entra/entra_service.py +3 -11
- prowler/providers/azure/services/entra/entra_user_with_vm_access_has_mfa/entra_user_with_vm_access_has_mfa.py +6 -0
- prowler/providers/azure/services/iam/iam_custom_role_has_permissions_to_administer_resource_locks/iam_custom_role_has_permissions_to_administer_resource_locks.metadata.json +19 -13
- prowler/providers/azure/services/iam/iam_role_user_access_admin_restricted/iam_role_user_access_admin_restricted.metadata.json +16 -10
- prowler/providers/azure/services/iam/iam_subscription_roles_owner_custom_not_created/iam_subscription_roles_owner_custom_not_created.metadata.json +18 -12
- prowler/providers/azure/services/keyvault/keyvault_rbac_secret_expiration_set/keyvault_rbac_secret_expiration_set.py +10 -11
- prowler/providers/azure/services/keyvault/keyvault_service.py +164 -81
- prowler/providers/azure/services/mysql/mysql_flexible_server_audit_log_connection_activated/mysql_flexible_server_audit_log_connection_activated.metadata.json +18 -12
- prowler/providers/azure/services/mysql/mysql_flexible_server_audit_log_enabled/mysql_flexible_server_audit_log_enabled.metadata.json +19 -12
- prowler/providers/azure/services/mysql/mysql_flexible_server_minimum_tls_version_12/mysql_flexible_server_minimum_tls_version_12.metadata.json +18 -12
- prowler/providers/azure/services/mysql/mysql_flexible_server_ssl_connection_enabled/mysql_flexible_server_ssl_connection_enabled.metadata.json +19 -12
- prowler/providers/azure/services/network/network_bastion_host_exists/network_bastion_host_exists.metadata.json +21 -12
- prowler/providers/azure/services/network/network_flow_log_captured_sent/network_flow_log_captured_sent.metadata.json +19 -12
- prowler/providers/azure/services/network/network_flow_log_more_than_90_days/network_flow_log_more_than_90_days.metadata.json +21 -12
- prowler/providers/azure/services/network/network_http_internet_access_restricted/network_http_internet_access_restricted.metadata.json +18 -12
- prowler/providers/azure/services/network/network_public_ip_shodan/network_public_ip_shodan.metadata.json +15 -10
- prowler/providers/azure/services/network/network_rdp_internet_access_restricted/network_rdp_internet_access_restricted.metadata.json +20 -12
- prowler/providers/azure/services/network/network_ssh_internet_access_restricted/network_ssh_internet_access_restricted.metadata.json +19 -12
- prowler/providers/azure/services/network/network_udp_internet_access_restricted/network_udp_internet_access_restricted.metadata.json +19 -12
- prowler/providers/azure/services/network/network_watcher_enabled/network_watcher_enabled.metadata.json +21 -13
- prowler/providers/azure/services/policy/policy_ensure_asc_enforcement_enabled/policy_ensure_asc_enforcement_enabled.metadata.json +16 -11
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_allow_access_services_disabled/postgresql_flexible_server_allow_access_services_disabled.metadata.json +20 -13
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_connection_throttling_on/postgresql_flexible_server_connection_throttling_on.metadata.json +18 -12
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_enforce_ssl_enabled/postgresql_flexible_server_enforce_ssl_enabled.metadata.json +19 -13
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/postgresql_flexible_server_entra_id_authentication_enabled.metadata.json +4 -4
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_checkpoints_on/postgresql_flexible_server_log_checkpoints_on.metadata.json +19 -13
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_connections_on/postgresql_flexible_server_log_connections_on.metadata.json +18 -11
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_disconnections_on/postgresql_flexible_server_log_disconnections_on.metadata.json +18 -12
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_retention_days_greater_3/postgresql_flexible_server_log_retention_days_greater_3.metadata.json +18 -12
- prowler/providers/azure/services/sqlserver/sqlserver_auditing_enabled/sqlserver_auditing_enabled.metadata.json +20 -13
- prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/sqlserver_auditing_retention_90_days.metadata.json +20 -12
- prowler/providers/azure/services/sqlserver/sqlserver_azuread_administrator_enabled/sqlserver_azuread_administrator_enabled.metadata.json +18 -12
- prowler/providers/azure/services/sqlserver/sqlserver_microsoft_defender_enabled/sqlserver_microsoft_defender_enabled.metadata.json +23 -13
- prowler/providers/azure/services/sqlserver/sqlserver_recommended_minimal_tls_version/sqlserver_recommended_minimal_tls_version.metadata.json +19 -12
- prowler/providers/azure/services/sqlserver/sqlserver_tde_encrypted_with_cmk/sqlserver_tde_encrypted_with_cmk.metadata.json +20 -13
- prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled.metadata.json +20 -13
- prowler/providers/azure/services/sqlserver/sqlserver_unrestricted_inbound_access/sqlserver_unrestricted_inbound_access.metadata.json +18 -12
- prowler/providers/azure/services/sqlserver/sqlserver_va_emails_notifications_admins_enabled/sqlserver_va_emails_notifications_admins_enabled.metadata.json +19 -12
- prowler/providers/azure/services/sqlserver/sqlserver_va_periodic_recurring_scans_enabled/sqlserver_va_periodic_recurring_scans_enabled.metadata.json +19 -12
- prowler/providers/azure/services/sqlserver/sqlserver_va_scan_reports_configured/sqlserver_va_scan_reports_configured.metadata.json +18 -12
- prowler/providers/azure/services/sqlserver/sqlserver_vulnerability_assessment_enabled/sqlserver_vulnerability_assessment_enabled.metadata.json +19 -12
- prowler/providers/azure/services/storage/storage_account_key_access_disabled/storage_account_key_access_disabled.metadata.json +17 -12
- prowler/providers/azure/services/storage/storage_blob_public_access_level_is_disabled/storage_blob_public_access_level_is_disabled.metadata.json +18 -12
- prowler/providers/azure/services/storage/storage_blob_versioning_is_enabled/storage_blob_versioning_is_enabled.metadata.json +19 -11
- prowler/providers/azure/services/storage/storage_cross_tenant_replication_disabled/storage_cross_tenant_replication_disabled.metadata.json +19 -13
- prowler/providers/azure/services/storage/storage_default_network_access_rule_is_denied/storage_default_network_access_rule_is_denied.metadata.json +19 -12
- prowler/providers/azure/services/storage/storage_default_to_entra_authorization_enabled/storage_default_to_entra_authorization_enabled.metadata.json +20 -13
- prowler/providers/azure/services/storage/storage_ensure_azure_services_are_trusted_to_access_is_enabled/storage_ensure_azure_services_are_trusted_to_access_is_enabled.metadata.json +17 -10
- prowler/providers/azure/services/storage/storage_ensure_encryption_with_customer_managed_keys/storage_ensure_encryption_with_customer_managed_keys.metadata.json +15 -10
- prowler/providers/azure/services/storage/storage_ensure_file_shares_soft_delete_is_enabled/storage_ensure_file_shares_soft_delete_is_enabled.metadata.json +18 -12
- prowler/providers/azure/services/storage/storage_ensure_minimum_tls_version_12/storage_ensure_minimum_tls_version_12.metadata.json +14 -10
- prowler/providers/azure/services/storage/storage_ensure_private_endpoints_in_storage_accounts/storage_ensure_private_endpoints_in_storage_accounts.metadata.json +19 -11
- prowler/providers/azure/services/storage/storage_ensure_soft_delete_is_enabled/storage_ensure_soft_delete_is_enabled.metadata.json +17 -12
- prowler/providers/azure/services/storage/storage_geo_redundant_enabled/storage_geo_redundant_enabled.metadata.json +19 -12
- prowler/providers/azure/services/storage/storage_infrastructure_encryption_is_enabled/storage_infrastructure_encryption_is_enabled.metadata.json +13 -9
- prowler/providers/azure/services/storage/storage_key_rotation_90_days/storage_key_rotation_90_days.metadata.json +17 -12
- prowler/providers/azure/services/storage/storage_secure_transfer_required_is_enabled/storage_secure_transfer_required_is_enabled.metadata.json +15 -11
- prowler/providers/azure/services/storage/storage_smb_channel_encryption_with_secure_algorithm/storage_smb_channel_encryption_with_secure_algorithm.metadata.json +19 -12
- prowler/providers/azure/services/storage/storage_smb_protocol_version_is_latest/storage_smb_protocol_version_is_latest.metadata.json +19 -13
- prowler/providers/cloudflare/cloudflare_provider.py +95 -12
- prowler/providers/cloudflare/lib/arguments/arguments.py +7 -0
- prowler/providers/cloudflare/services/dns/dns_record_cname_target_valid/__init__.py +0 -0
- prowler/providers/cloudflare/services/dns/dns_record_cname_target_valid/dns_record_cname_target_valid.metadata.json +36 -0
- prowler/providers/cloudflare/services/dns/dns_record_cname_target_valid/dns_record_cname_target_valid.py +109 -0
- prowler/providers/cloudflare/services/dns/dns_record_no_internal_ip/__init__.py +0 -0
- prowler/providers/cloudflare/services/dns/dns_record_no_internal_ip/dns_record_no_internal_ip.metadata.json +36 -0
- prowler/providers/cloudflare/services/dns/dns_record_no_internal_ip/dns_record_no_internal_ip.py +73 -0
- prowler/providers/cloudflare/services/dns/dns_record_no_wildcard/__init__.py +0 -0
- prowler/providers/cloudflare/services/dns/dns_record_no_wildcard/dns_record_no_wildcard.metadata.json +36 -0
- prowler/providers/cloudflare/services/dns/dns_record_no_wildcard/dns_record_no_wildcard.py +60 -0
- prowler/providers/cloudflare/services/dns/dns_record_proxied/__init__.py +0 -0
- prowler/providers/cloudflare/services/dns/dns_record_proxied/dns_record_proxied.metadata.json +36 -0
- prowler/providers/cloudflare/services/dns/dns_record_proxied/dns_record_proxied.py +49 -0
- prowler/providers/cloudflare/services/dns/dns_service.py +52 -6
- prowler/providers/cloudflare/services/firewall/__init__.py +0 -0
- prowler/providers/cloudflare/services/firewall/firewall_client.py +4 -0
- prowler/providers/cloudflare/services/firewall/firewall_service.py +123 -0
- prowler/providers/cloudflare/services/zone/zone_firewall_blocking_rules_configured/__init__.py +0 -0
- prowler/providers/cloudflare/services/zone/zone_firewall_blocking_rules_configured/zone_firewall_blocking_rules_configured.metadata.json +36 -0
- prowler/providers/cloudflare/services/zone/zone_firewall_blocking_rules_configured/zone_firewall_blocking_rules_configured.py +53 -0
- prowler/providers/cloudflare/services/zone/zone_service.py +133 -1
- prowler/providers/cloudflare/services/zone/zone_waf_owasp_ruleset_enabled/__init__.py +0 -0
- prowler/providers/cloudflare/services/zone/zone_waf_owasp_ruleset_enabled/zone_waf_owasp_ruleset_enabled.metadata.json +36 -0
- prowler/providers/cloudflare/services/zone/zone_waf_owasp_ruleset_enabled/zone_waf_owasp_ruleset_enabled.py +58 -0
- prowler/providers/common/provider.py +23 -0
- prowler/providers/gcp/services/compute/compute_instance_suspended_without_persistent_disks/__init__.py +0 -0
- prowler/providers/gcp/services/compute/compute_instance_suspended_without_persistent_disks/compute_instance_suspended_without_persistent_disks.metadata.json +37 -0
- prowler/providers/gcp/services/compute/compute_instance_suspended_without_persistent_disks/compute_instance_suspended_without_persistent_disks.py +35 -0
- prowler/providers/gcp/services/compute/compute_service.py +2 -0
- prowler/providers/m365/lib/powershell/m365_powershell.py +47 -1
- prowler/providers/m365/services/defender/defender_service.py +52 -0
- prowler/providers/m365/services/defender/defender_zap_for_teams_enabled/__init__.py +0 -0
- prowler/providers/m365/services/defender/defender_zap_for_teams_enabled/defender_zap_for_teams_enabled.metadata.json +38 -0
- prowler/providers/m365/services/defender/defender_zap_for_teams_enabled/defender_zap_for_teams_enabled.py +53 -0
- prowler/providers/m365/services/exchange/exchange_service.py +78 -0
- prowler/providers/m365/services/exchange/exchange_shared_mailbox_sign_in_disabled/__init__.py +0 -0
- prowler/providers/m365/services/exchange/exchange_shared_mailbox_sign_in_disabled/exchange_shared_mailbox_sign_in_disabled.metadata.json +37 -0
- prowler/providers/m365/services/exchange/exchange_shared_mailbox_sign_in_disabled/exchange_shared_mailbox_sign_in_disabled.py +59 -0
- prowler/providers/openstack/__init__.py +0 -0
- prowler/providers/openstack/exceptions/__init__.py +0 -0
- prowler/providers/openstack/exceptions/exceptions.py +166 -0
- prowler/providers/openstack/lib/__init__.py +0 -0
- prowler/providers/openstack/lib/arguments/__init__.py +0 -0
- prowler/providers/openstack/lib/arguments/arguments.py +113 -0
- prowler/providers/openstack/lib/mutelist/__init__.py +0 -0
- prowler/providers/openstack/lib/mutelist/mutelist.py +31 -0
- prowler/providers/openstack/lib/service/__init__.py +0 -0
- prowler/providers/openstack/lib/service/service.py +21 -0
- prowler/providers/openstack/models.py +100 -0
- prowler/providers/openstack/openstack_provider.py +515 -0
- prowler/providers/openstack/services/__init__.py +0 -0
- prowler/providers/openstack/services/compute/__init__.py +0 -0
- prowler/providers/openstack/services/compute/compute_client.py +4 -0
- prowler/providers/openstack/services/compute/compute_instance_security_groups_attached/__init__.py +0 -0
- prowler/providers/openstack/services/compute/compute_instance_security_groups_attached/compute_instance_security_groups_attached.metadata.json +40 -0
- prowler/providers/openstack/services/compute/compute_instance_security_groups_attached/compute_instance_security_groups_attached.py +35 -0
- prowler/providers/openstack/services/compute/compute_service.py +63 -0
- {prowler-5.17.0.dist-info → prowler-5.18.0.dist-info}/METADATA +11 -9
- {prowler-5.17.0.dist-info → prowler-5.18.0.dist-info}/RECORD +219 -155
- {prowler-5.17.0.dist-info → prowler-5.18.0.dist-info}/LICENSE +0 -0
- {prowler-5.17.0.dist-info → prowler-5.18.0.dist-info}/WHEEL +0 -0
- {prowler-5.17.0.dist-info → prowler-5.18.0.dist-info}/entry_points.txt +0 -0
|
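--- a/prowler/providers/azure/services/postgresql/postgresql_flexible_server_allow_access_services_disabled/postgresql_flexible_server_allow_access_services_disabled.metadata.json
+++ b/prowler/providers/azure/services/postgresql/postgresql_flexible_server_allow_access_services_disabled/postgresql_flexible_server_allow_access_services_disabled.metadata.json
@@ -1,30 +1,37 @@
 {
 "Provider": "azure",
 "CheckID": "postgresql_flexible_server_allow_access_services_disabled",
-"CheckTitle": "
+"CheckTitle": "PostgreSQL flexible server has 'Allow public access from any Azure service' disabled",
 "CheckType": [],
 "ServiceName": "postgresql",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
-"Severity": "
-"ResourceType": "
+"Severity": "high",
+"ResourceType": "microsoft.dbforpostgresql/flexibleservers",
 "ResourceGroup": "database",
-"Description": "
-"Risk": "
-"RelatedUrl": "
+"Description": "**Azure Database for PostgreSQL Flexible Server** firewall should not include the rule that allows connections from **any Azure service**, represented by `start_ip=0.0.0.0` and `end_ip=0.0.0.0`.",
+"Risk": "Allowing **all Azure services** erodes network isolation, permitting unsolicited connections from other subscriptions and tenants. This enables credential brute force and unauthorized access paths, risking data **confidentiality** and **integrity**, and increasing the chance of service disruption (**availability**).",
+"RelatedUrl": "",
+"AdditionalURLs": [
+"https://learn.microsoft.com/en-us/cli/azure/postgres/flexible-server/firewall-rule?view=azure-cli-latest",
+"https://learn.microsoft.com/en-us/azure/postgresql/network/how-to-networking-servers-deployed-public-access-disable-public-access?tabs=portal-disable-public-access",
+"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/PostgreSQL/disable-all-services-access.html#"
+],
 "Remediation": {
 "Code": {
-"CLI": "az postgres server firewall-rule delete --
-"NativeIaC": "",
-"Other": "
-"Terraform": "
+"CLI": "az postgres flexible-server firewall-rule delete --resource-group <resourceGroupName> --name <serverName> --rule-name <rule_name>",
+"NativeIaC": "```bicep\n// Update the existing firewall rule that allowed Azure services (0.0.0.0) to a specific IP/range\nresource fwRule 'Microsoft.DBforPostgreSQL/flexibleServers/firewallRules@2023-03-01-preview' = {\n name: '<example_server_name>/<example_rule_name>'\n properties: {\n startIpAddress: '<START_IP>' // critical: not 0.0.0.0; disables \"Allow Azure services\"\n endIpAddress: '<END_IP>' // critical: not 0.0.0.0\n }\n}\n```",
+"Other": "1. In Azure Portal, go to Azure Database for PostgreSQL flexible server and select your server\n2. Open Networking > Firewall rules\n3. Find the rule where Start IP and End IP are both 0.0.0.0\n4. Select it and click Delete\n5. Click Save",
+"Terraform": "```hcl\n# Update the existing rule to not use 0.0.0.0 (disables \"Allow Azure services\")\nresource \"azurerm_postgresql_flexible_server_firewall_rule\" \"<example_resource_name>\" {\n name = \"<example_rule_name>\"\n server_id = \"<example_resource_id>\"\n start_ip_address = \"<START_IP>\" # critical: not 0.0.0.0\n end_ip_address = \"<END_IP>\" # critical: not 0.0.0.0\n}\n```"
 },
 "Recommendation": {
-"Text": "
-"Url": "https://
+"Text": "Remove the `0.0.0.0` rule and apply **least privilege**:\n- Use **Private Endpoints** for access\n- Allow only required source IP ranges\n- Isolate with VNET rules and NSGs\n- Enforce TLS and strong authentication\n- Monitor connection logs for anomalies",
+"Url": "https://hub.prowler.com/check/postgresql_flexible_server_allow_access_services_disabled"
 }
 },
-"Categories": [
+"Categories": [
+"trust-boundaries"
+],
 "DependsOn": [],
 "RelatedTo": [],
 "Notes": ""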
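Review bot: The remediation paths in this section disagree about what happens to the 0.0.0.0 rule: the `CLI` and `Other` entries delete it, while the `NativeIaC` and `Terraform` snippets keep the rule and rewrite its addresses to `<START_IP>`/`<END_IP>`. Both clear the any-Azure-service condition the check looks for, but a reader following the IaC path ends up with a firewall rule they may not need, and the `Recommendation.Text` already says to remove the rule; a leading comment in each IaC snippet such as `// Preferred fix: delete the 0.0.0.0 rule; only keep a rule when a specific source range must be allowed` would align the four paths. The Bicep snippet also pins the preview API version `2023-03-01-preview`; a non-preview version, as the sibling connection-throttling metadata does with `2022-12-01`, is a steadier reference for remediation guidance.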
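--- a/prowler/providers/azure/services/postgresql/postgresql_flexible_server_connection_throttling_on/postgresql_flexible_server_connection_throttling_on.metadata.json
+++ b/prowler/providers/azure/services/postgresql/postgresql_flexible_server_connection_throttling_on/postgresql_flexible_server_connection_throttling_on.metadata.json
@@ -1,30 +1,36 @@
 {
 "Provider": "azure",
 "CheckID": "postgresql_flexible_server_connection_throttling_on",
-"CheckTitle": "
+"CheckTitle": "Flexible PostgreSQL server has connection_throttling enabled",
 "CheckType": [],
 "ServiceName": "postgresql",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "medium",
-"ResourceType": "
+"ResourceType": "microsoft.dbforpostgresql/flexibleservers",
 "ResourceGroup": "database",
-"Description": "
-"Risk": "
-"RelatedUrl": "
+"Description": "**Azure PostgreSQL flexible servers** where the `connection_throttling` parameter is set to `ON`",
+"Risk": "Without `connection_throttling`, bursts of new sessions can exhaust connection slots and CPU, degrading **availability** and causing timeouts.\n\nReduced telemetry delays detection of **DoS** or runaway clients, extending impact and recovery time.",
+"RelatedUrl": "",
+"AdditionalURLs": [
+"https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/PostgreSQL/connection-throttling.html",
+"https://support.icompaas.com/support/solutions/articles/62000229889-ensure-server-parameter-connection-throttling-is-set-to-on-for-postgresql-database-server"
+],
 "Remediation": {
 "Code": {
-"CLI": "az postgres server
-"NativeIaC": "",
-"Other": "
-"Terraform": "
+"CLI": "az postgres flexible-server parameter set --resource-group <resourceGroupName> --server-name <serverName> --name connection_throttle.enable --value on",
+"NativeIaC": "```bicep\n// Configure an existing Flexible Server parameter\nresource exampleServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' existing = {\n name: '<example_resource_name>'\n}\n\nresource connectionThrottling 'Microsoft.DBforPostgreSQL/flexibleServers/configurations@2022-12-01' = {\n name: 'connection_throttle.enable'\n parent: exampleServer\n properties: {\n value: 'on' // CRITICAL: Enables connection_throttle.enable to pass the check\n }\n}\n```",
+"Other": "1. Sign in to Azure Portal and go to Azure Database for PostgreSQL flexible servers\n2. Select the target server\n3. In Settings, click Server parameters\n4. Search for connection_throttle.enable\n5. Set the value to ON and click Save",
+"Terraform": "```hcl\nresource \"azurerm_postgresql_flexible_server_configuration\" \"<example_resource_name>\" {\n name = \"connection_throttle.enable\"\n server_id = \"<example_resource_id>\"\n value = \"on\" # CRITICAL: Enables connection_throttle.enable to pass the check\n}\n```"
 },
 "Recommendation": {
-"Text": "
-"Url": "https://
+"Text": "Enable `connection_throttling` and align connection limits with expected load.\n\nApply **defense in depth**: use connection pooling, exponential backoff, and alerts on connection spikes; prefer private access and restrictive networking to reduce exposure.",
+"Url": "https://hub.prowler.com/check/postgresql_flexible_server_connection_throttling_on"
 }
 },
-"Categories": [
+"Categories": [
+"logging"
+],
 "DependsOn": [],
 "RelatedTo": [],
 "Notes": ""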
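Review bot: `AdditionalURLs` in this section ships a staging link, `https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/PostgreSQL/connection-throttling.html`; a staging host is not a stable reference for released metadata and should be replaced with the production `cloudoneconformity` path (as the sibling sections already use) or dropped. Separately, `CheckTitle`, `Description` and `Recommendation.Text` name the parameter `connection_throttling`, while every remediation entry in the same section (`CLI`, Bicep, Terraform and the portal steps) sets `connection_throttle.enable`; a user searching Server parameters for the name in the description will not find it. Suggest `"Description": "**Azure PostgreSQL flexible servers** where the `connection_throttle.enable` server parameter is set to `ON`"` and the same rename in the title and recommendation. The `Categories` value `logging` also reads as an odd fit for a connection-rate control, though the category taxonomy is not visible here.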
@@ -1,30 +1,36 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "azure",
|
|
3
3
|
"CheckID": "postgresql_flexible_server_enforce_ssl_enabled",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "PostgreSQL Flexible Server enforces SSL connections",
|
|
5
5
|
"CheckType": [],
|
|
6
6
|
"ServiceName": "postgresql",
|
|
7
7
|
"SubServiceName": "",
|
|
8
8
|
"ResourceIdTemplate": "",
|
|
9
|
-
"Severity": "
|
|
10
|
-
"ResourceType": "
|
|
9
|
+
"Severity": "high",
|
|
10
|
+
"ResourceType": "microsoft.dbforpostgresql/flexibleservers",
|
|
11
11
|
"ResourceGroup": "database",
|
|
12
|
-
"Description": "
|
|
13
|
-
"Risk": "
|
|
14
|
-
"RelatedUrl": "
|
|
12
|
+
"Description": "**Azure Database for PostgreSQL flexible servers** are evaluated for **encrypted in-transit connections**, specifically whether `require_secure_transport` is set to `ON` to force TLS for all client sessions.",
|
|
13
|
+
"Risk": "Without enforced **TLS**, clients may connect in plaintext or with weak settings, exposing credentials and data to **man-in-the-middle**, query tampering, and session hijacking. This undermines **confidentiality** and **integrity**, and can enable lateral movement if stolen creds are reused.",
|
|
14
|
+
"RelatedUrl": "",
|
|
15
|
+
"AdditionalURLs": [
|
|
16
|
+
"https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-security?source=recommendations",
|
|
17
|
+
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/PostgreSQL/require-secure-transport-for-postgres-flexible-servers.html"
|
|
18
|
+
],
|
|
15
19
|
"Remediation": {
|
|
16
20
|
"Code": {
|
|
17
|
-
"CLI": "az postgres server
|
|
18
|
-
"NativeIaC": "",
|
|
19
|
-
"Other": "
|
|
20
|
-
"Terraform": "
|
|
21
|
+
"CLI": "az postgres flexible-server parameter set --resource-group <RESOURCE_GROUP> --server-name <SERVER_NAME> --name require_secure_transport --value ON",
|
|
22
|
+
"NativeIaC": "```bicep\n// Enable SSL/TLS enforcement on an existing PostgreSQL Flexible Server\nresource server 'Microsoft.DBforPostgreSQL/flexibleServers@2023-12-01' existing = {\n name: '<example_resource_name>'\n}\n\nresource requireSecureTransport 'Microsoft.DBforPostgreSQL/flexibleServers/configurations@2023-12-01' = {\n name: '${server.name}/require_secure_transport'\n properties: {\n value: 'ON' // CRITICAL: Enforces SSL/TLS by turning require_secure_transport ON\n }\n}\n```",
|
|
23
|
+
"Other": "1. Sign in to the Azure portal\n2. Go to: Azure Database for PostgreSQL flexible server > your server\n3. Select Server parameters\n4. Search for require_secure_transport\n5. Set it to ON\n6. Click Save",
|
|
24
|
+
"Terraform": "```hcl\n# Enable SSL/TLS enforcement on a PostgreSQL Flexible Server\nresource \"azurerm_postgresql_flexible_server_configuration\" \"<example_resource_name>\" {\n name = \"require_secure_transport\" # CRITICAL: Target the SSL enforcement parameter\n server_id = \"<example_resource_id>\" # ID of the target flexible server\n value = \"ON\" # CRITICAL: Enforce SSL/TLS\n}\n```"
|
|
21
25
|
},
|
|
22
26
|
"Recommendation": {
|
|
23
|
-
"Text": "
|
|
24
|
-
"Url": "https://
|
|
27
|
+
"Text": "Enforce encryption in transit: set `require_secure_transport=ON`, prefer **TLS 1.3** (or at least `ssl_min_protocol_version=1.2`), and require clients to verify server identity. Disable mixed modes, rotate certificates, and restrict access via **private endpoints** to apply **defense in depth**.",
|
|
28
|
+
"Url": "https://hub.prowler.com/check/postgresql_flexible_server_enforce_ssl_enabled"
|
|
25
29
|
}
|
|
26
30
|
},
|
|
27
|
-
"Categories": [
|
|
31
|
+
"Categories": [
|
|
32
|
+
"encryption"
|
|
33
|
+
],
|
|
28
34
|
"DependsOn": [],
|
|
29
35
|
"RelatedTo": [],
|
|
30
36
|
"Notes": "."
|
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "azure",
|
|
3
3
|
"CheckID": "postgresql_flexible_server_entra_id_authentication_enabled",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "Microsoft Entra ID authentication is enabled for PostgreSQL Flexible Server",
|
|
5
5
|
"CheckType": [],
|
|
6
6
|
"ServiceName": "postgresql",
|
|
7
7
|
"SubServiceName": "",
|
|
8
8
|
"ResourceIdTemplate": "",
|
|
9
9
|
"Severity": "medium",
|
|
10
|
-
"ResourceType": "
|
|
10
|
+
"ResourceType": "microsoft.dbforpostgresql/flexibleservers",
|
|
11
11
|
"ResourceGroup": "database",
|
|
12
12
|
"Description": "**PostgreSQL Flexible Servers** must set `authConfig.activeDirectoryAuth` to `Enabled` and keep at least one **Microsoft Entra administrator** assigned so database sessions inherit centrally governed identities instead of unmanaged PostgreSQL accounts.",
|
|
13
13
|
"Risk": "Without Entra ID authentication, stolen local passwords bypass **MFA** and conditional access, enabling persistent database logins. Missing administrators leaves the feature unusable, blocking security teams from rotating duties and allowing unauthorized access or **privilege escalation**.",
|
|
@@ -18,8 +18,8 @@
|
|
|
18
18
|
],
|
|
19
19
|
"Remediation": {
|
|
20
20
|
"Code": {
|
|
21
|
-
"CLI": "az postgres flexible-server update --resource-group <resourceGroupName> --name <serverName> --active-directory-auth Enabled\naz postgres flexible-server
|
|
22
|
-
"NativeIaC": "",
|
|
21
|
+
"CLI": "az postgres flexible-server update --resource-group <resourceGroupName> --name <serverName> --active-directory-auth Enabled\naz postgres flexible-server ad-admin create --resource-group <resourceGroupName> --server-name <serverName> --object-id <objectId> --display-name <displayName> --type User",
|
|
22
|
+
"NativeIaC": "```bicep\n// Enable Microsoft Entra ID authentication on an existing PostgreSQL Flexible Server\nresource server 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' existing = {\n name: '<example_resource_name>'\n}\n\n// Update server to enable Entra ID authentication\nresource serverUpdate 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = {\n name: server.name\n location: server.location\n properties: {\n authConfig: {\n activeDirectoryAuth: 'Enabled' // CRITICAL: Enables Entra ID authentication\n tenantId: tenant().tenantId\n }\n }\n}\n\n// Add Entra ID administrator\nresource entraAdmin 'Microsoft.DBforPostgreSQL/flexibleServers/administrators@2023-12-01-preview' = {\n parent: server\n name: '<objectId>' // CRITICAL: Object ID of the Entra ID principal\n properties: {\n principalName: '<displayName>' // User principal name or group display name\n principalType: 'User' // CRITICAL: Can be 'User', 'Group', or 'ServicePrincipal'\n tenantId: tenant().tenantId\n }\n dependsOn: [\n serverUpdate\n ]\n}\n```",
|
|
23
23
|
"Other": "1. In the Azure Portal, open Azure Database for PostgreSQL flexible server and select the target server.\n2. Under Security > Authentication, set Microsoft Entra ID authentication (or combined mode) to Enabled and save the change.\n3. Under Security > Microsoft Entra ID, add at least one administrator (user or group) linked to an Entra object ID and confirm the assignment.",
|
|
24
24
|
"Terraform": "```hcl\ndata \"azurerm_client_config\" \"current\" {}\n\nresource \"azurerm_postgresql_flexible_server\" \"example\" {\n name = \"pg-flex\"\n resource_group_name = azurerm_resource_group.example.name\n location = azurerm_resource_group.example.location\n sku_name = \"GP_Standard_D4s_v3\"\n administrator_login = \"pgadmin\"\n administrator_password = \"<complexPassword>\"\n storage_mb = 131072\n version = \"16\"\n\n authentication {\n active_directory_auth_enabled = true\n tenant_id = data.azurerm_client_config.current.tenant_id\n }\n}\n\nresource \"azurerm_postgresql_flexible_server_active_directory_administrator\" \"entra_admin\" {\n server_id = azurerm_postgresql_flexible_server.example.id\n object_id = var.entra_object_id\n principal_name = var.entra_principal_name\n principal_type = \"User\"\n tenant_id = data.azurerm_client_config.current.tenant_id\n}\n```"
|
|
25
25
|
},
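Review bot: The Terraform sample at new line 24 inlines `administrator_password = "<complexPassword>"` as a literal and leaves password authentication enabled, which models the very setup the Description says should be replaced by centrally governed identities. Consider sourcing the password from a sensitive variable and adding `password_auth_enabled = false` inside the `authentication` block once an Entra administrator exists, or at least commenting that local password auth should be disabled after migration. The Bicep sample at line 22 redeclares the server as a new `serverUpdate` resource with only `authConfig` in `properties` and mixes API versions (`2022-12-01` for the server, `2023-12-01-preview` for the administrator); I would expect a PUT with a partial body to fail or clobber other settings on that resource type, so this snippet should be verified against a real deployment before shipping.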
|
|
@@ -1,30 +1,36 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "azure",
|
|
3
3
|
"CheckID": "postgresql_flexible_server_log_checkpoints_on",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "PostgreSQL Flexible Server has checkpoint logging enabled",
|
|
5
5
|
"CheckType": [],
|
|
6
6
|
"ServiceName": "postgresql",
|
|
7
7
|
"SubServiceName": "",
|
|
8
8
|
"ResourceIdTemplate": "",
|
|
9
|
-
"Severity": "
|
|
10
|
-
"ResourceType": "
|
|
9
|
+
"Severity": "low",
|
|
10
|
+
"ResourceType": "microsoft.dbforpostgresql/flexibleservers",
|
|
11
11
|
"ResourceGroup": "database",
|
|
12
|
-
"Description": "
|
|
13
|
-
"Risk": "
|
|
14
|
-
"RelatedUrl": "
|
|
12
|
+
"Description": "**Azure PostgreSQL Flexible Server** has **checkpoint logging** enabled when `log_checkpoints=on`, recording each checkpoint in the server logs",
|
|
13
|
+
"Risk": "Without **checkpoint logging**, visibility into write and recovery activity is reduced, hindering incident investigation and tamper detection. Unseen checkpoint storms or WAL pressure can degrade I/O and recovery, threatening **availability** and data **integrity**.",
|
|
14
|
+
"RelatedUrl": "",
|
|
15
|
+
"AdditionalURLs": [
|
|
16
|
+
"https://support.icompaas.com/support/solutions/articles/62000234792-enable-log-checkpoints-parameter-on-azure-postgresql-servers-for-improved-monitoring-and-troubleshoot",
|
|
17
|
+
"https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/PostgreSQL/log-checkpoints.html#"
|
|
18
|
+
],
|
|
15
19
|
"Remediation": {
|
|
16
20
|
"Code": {
|
|
17
|
-
"CLI": "az postgres server
|
|
18
|
-
"NativeIaC": "",
|
|
19
|
-
"Other": "
|
|
20
|
-
"Terraform": "
|
|
21
|
+
"CLI": "az postgres flexible-server parameter set --resource-group <resourceGroupName> --server-name <serverName> --name log_checkpoints --value ON",
|
|
22
|
+
"NativeIaC": "```bicep\n// Set log_checkpoints to ON on an existing Flexible Server\nresource server 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' existing = {\n name: '<example_resource_name>'\n}\n\nresource cfg 'Microsoft.DBforPostgreSQL/flexibleServers/configurations@2022-12-01' = {\n name: 'log_checkpoints'\n parent: server\n properties: {\n value: 'ON' // CRITICAL: enables checkpoint logging to pass the check\n }\n}\n```",
|
|
23
|
+
"Other": "1. In the Azure portal, open your Azure Database for PostgreSQL flexible server\n2. Go to Settings > Server parameters\n3. Search for \"log_checkpoints\"\n4. Set the value to ON\n5. Click Save",
|
|
24
|
+
"Terraform": "```hcl\nresource \"azurerm_postgresql_flexible_server_configuration\" \"<example_resource_name>\" {\n name = \"log_checkpoints\"\n server_id = \"<example_resource_id>\"\n \n value = \"ON\" # CRITICAL: enables checkpoint logging to pass the check\n}\n```"
|
|
21
25
|
},
|
|
22
26
|
"Recommendation": {
|
|
23
|
-
"Text": "
|
|
24
|
-
"Url": "https://
|
|
27
|
+
"Text": "Enable `log_checkpoints=on` and send logs to centralized, tamper-resistant storage. Monitor checkpoint frequency and failures with alerts. Apply **least privilege** to log access and set retention to support forensics as part of a **defense-in-depth** logging strategy.",
|
|
28
|
+
"Url": "https://hub.prowler.com/check/postgresql_flexible_server_log_checkpoints_on"
|
|
25
29
|
}
|
|
26
30
|
},
|
|
27
|
-
"Categories": [
|
|
31
|
+
"Categories": [
|
|
32
|
+
"logging"
|
|
33
|
+
],
|
|
28
34
|
"DependsOn": [],
|
|
29
35
|
"RelatedTo": [],
|
|
30
36
|
"Notes": ""
|
|
@@ -1,30 +1,37 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "azure",
|
|
3
3
|
"CheckID": "postgresql_flexible_server_log_connections_on",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "PostgreSQL flexible server has log_connections enabled",
|
|
5
5
|
"CheckType": [],
|
|
6
6
|
"ServiceName": "postgresql",
|
|
7
7
|
"SubServiceName": "",
|
|
8
8
|
"ResourceIdTemplate": "",
|
|
9
9
|
"Severity": "medium",
|
|
10
|
-
"ResourceType": "
|
|
10
|
+
"ResourceType": "microsoft.dbforpostgresql/flexibleservers",
|
|
11
11
|
"ResourceGroup": "database",
|
|
12
|
-
"Description": "
|
|
13
|
-
"Risk": "
|
|
14
|
-
"RelatedUrl": "
|
|
12
|
+
"Description": "**Azure Database for PostgreSQL Flexible Server** evaluates the `log_connections` setting that controls logging of client connection attempts and authentication results.\n\nThe finding indicates whether this parameter is set to `ON`.",
|
|
13
|
+
"Risk": "Without **connection logging**, visibility of access attempts is lost, making **brute force** and **credential stuffing** harder to detect. This weakens **confidentiality** and **integrity**, hinders incident investigations, and can mask **lateral movement** or unauthorized data access.",
|
|
14
|
+
"RelatedUrl": "",
|
|
15
|
+
"AdditionalURLs": [
|
|
16
|
+
"https://learn.microsoft.com/en-us/answers/questions/683954/log-connections-cannot-be-set-on-azure-postgresql",
|
|
17
|
+
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/PostgreSQL/log-connections.html",
|
|
18
|
+
"https://learn.microsoft.com/en-us/azure/postgresql/security/security-audit?tabs=portal"
|
|
19
|
+
],
|
|
15
20
|
"Remediation": {
|
|
16
21
|
"Code": {
|
|
17
|
-
"CLI": "
|
|
22
|
+
"CLI": "",
|
|
18
23
|
"NativeIaC": "",
|
|
19
|
-
"Other": "
|
|
20
|
-
"Terraform": "
|
|
24
|
+
"Other": "1. Sign in to the Azure portal\n2. Go to: Azure Database for PostgreSQL > Flexible servers > select <example_resource_name>\n3. Under Settings, open Server parameters and search for \"log_connections\"\n4. Confirm the parameter shows Value: ON and is Read-only (no change required)",
|
|
25
|
+
"Terraform": ""
|
|
21
26
|
},
|
|
22
27
|
"Recommendation": {
|
|
23
|
-
"Text": "
|
|
24
|
-
"Url": "https://
|
|
28
|
+
"Text": "Set `log_connections` to `ON` and integrate logs with centralized monitoring. Define retention and alerts for abnormal patterns. Combine with **least privilege**, strong authentication, and network restrictions to deliver **defense in depth** and prevent unauthorized access.",
|
|
29
|
+
"Url": "https://hub.prowler.com/check/postgresql_flexible_server_log_connections_on"
|
|
25
30
|
}
|
|
26
31
|
},
|
|
27
|
-
"Categories": [
|
|
32
|
+
"Categories": [
|
|
33
|
+
"logging"
|
|
34
|
+
],
|
|
28
35
|
"DependsOn": [],
|
|
29
36
|
"RelatedTo": [],
|
|
30
37
|
"Notes": ""
|
|
@@ -1,30 +1,36 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "azure",
|
|
3
3
|
"CheckID": "postgresql_flexible_server_log_disconnections_on",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "PostgreSQL Flexible Server has disconnection logging enabled",
|
|
5
5
|
"CheckType": [],
|
|
6
6
|
"ServiceName": "postgresql",
|
|
7
7
|
"SubServiceName": "",
|
|
8
8
|
"ResourceIdTemplate": "",
|
|
9
9
|
"Severity": "medium",
|
|
10
|
-
"ResourceType": "
|
|
10
|
+
"ResourceType": "microsoft.dbforpostgresql/flexibleservers",
|
|
11
11
|
"ResourceGroup": "database",
|
|
12
|
-
"Description": "
|
|
13
|
-
"Risk": "
|
|
14
|
-
"RelatedUrl": "
|
|
12
|
+
"Description": "**Azure Database for PostgreSQL Flexible Server** uses the `log_disconnections` setting to record when client sessions end and how long they lasted.",
|
|
13
|
+
"Risk": "Without **disconnection logs**, session timelines and user activity are opaque, weakening **auditability** and **forensics**.\n\nAbuse such as stolen credentials, short-lived access, or hijacked sessions can go unnoticed, enabling data exfiltration and privilege misuse, impacting **confidentiality** and **integrity**.",
|
|
14
|
+
"RelatedUrl": "",
|
|
15
|
+
"AdditionalURLs": [
|
|
16
|
+
"https://learn.microsoft.com/en-us/azure/postgresql/security/security-audit?tabs=portal",
|
|
17
|
+
"https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-configure-server-parameters-using-portal"
|
|
18
|
+
],
|
|
15
19
|
"Remediation": {
|
|
16
20
|
"Code": {
|
|
17
|
-
"CLI": "az postgres server
|
|
18
|
-
"NativeIaC": "",
|
|
19
|
-
"Other": "
|
|
20
|
-
"Terraform": ""
|
|
21
|
+
"CLI": "az postgres flexible-server parameter set --resource-group <RESOURCE_GROUP> --server-name <SERVER_NAME> --name log_disconnections --value on",
|
|
22
|
+
"NativeIaC": "```bicep\n// Enable log_disconnections on an existing PostgreSQL Flexible Server\nresource server 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' existing = {\n name: '<example_resource_name>'\n}\n\nresource logDisconnections 'Microsoft.DBforPostgreSQL/flexibleServers/configurations@2022-12-01' = {\n name: 'log_disconnections'\n parent: server\n properties: {\n value: 'on' // Critical: turns log_disconnections ON to pass the check\n }\n}\n```",
|
|
23
|
+
"Other": "1. In Azure Portal, go to Azure Database for PostgreSQL flexible servers\n2. Select your server\n3. Under Settings, open Server parameters\n4. Search for log_disconnections\n5. Set it to ON\n6. Click Save",
|
|
24
|
+
"Terraform": "```hcl\n# Enable log_disconnections on a PostgreSQL Flexible Server\nresource \"azurerm_postgresql_flexible_server_configuration\" \"log_disconnections\" {\n server_id = \"<example_resource_id>\"\n name = \"log_disconnections\"\n value = \"on\" # Critical: turns log_disconnections ON to pass the check\n}\n```"
|
|
21
25
|
},
|
|
22
26
|
"Recommendation": {
|
|
23
|
-
"Text": "
|
|
24
|
-
"Url": "https://
|
|
27
|
+
"Text": "Enable `log_disconnections` on all Flexible Servers. Complement with `log_connections` and appropriate duration/statement logging, centralize and retain logs, and alert on abnormal connect/disconnect patterns. Restrict log access. This enforces **accountability**, supports **defense in depth**, and speeds incident response.",
|
|
28
|
+
"Url": "https://hub.prowler.com/check/postgresql_flexible_server_log_disconnections_on"
|
|
25
29
|
}
|
|
26
30
|
},
|
|
27
|
-
"Categories": [
|
|
31
|
+
"Categories": [
|
|
32
|
+
"logging"
|
|
33
|
+
],
|
|
28
34
|
"DependsOn": [],
|
|
29
35
|
"RelatedTo": [],
|
|
30
36
|
"Notes": "Enabling this setting will enable a log of all disconnections. If this is enabled for a high traffic server, the log may grow exponentially."
|
|
@@ -1,30 +1,36 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "azure",
|
|
3
3
|
"CheckID": "postgresql_flexible_server_log_retention_days_greater_3",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "PostgreSQL flexible server log_retention_days is between 4 and 7 days",
|
|
5
5
|
"CheckType": [],
|
|
6
6
|
"ServiceName": "postgresql",
|
|
7
7
|
"SubServiceName": "",
|
|
8
8
|
"ResourceIdTemplate": "",
|
|
9
9
|
"Severity": "medium",
|
|
10
|
-
"ResourceType": "
|
|
10
|
+
"ResourceType": "microsoft.dbforpostgresql/flexibleservers",
|
|
11
11
|
"ResourceGroup": "database",
|
|
12
|
-
"Description": "
|
|
13
|
-
"Risk": "
|
|
14
|
-
"RelatedUrl": "
|
|
12
|
+
"Description": "Log retention on **Azure Database for PostgreSQL Flexible Server** is governed by `log_retention_days`. Configuration is assessed as set and within `4-7` days versus unset or outside this range.",
|
|
13
|
+
"Risk": "**Insufficient or disabled log retention** limits the audit trail needed to detect brute-force, SQL injection, or insider misuse, impeding investigation. **Excessive retention** enlarges exposure if logs are accessed, risking sensitive query data leakage and policy violations. This reduces visibility and weakens confidentiality and integrity.",
|
|
14
|
+
"RelatedUrl": "",
|
|
15
|
+
"AdditionalURLs": [
|
|
16
|
+
"https://learn.microsoft.com/en-us/azure/postgresql/monitor/concepts-logging",
|
|
17
|
+
"https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/PostgreSQL/log-retention-days.html"
|
|
18
|
+
],
|
|
15
19
|
"Remediation": {
|
|
16
20
|
"Code": {
|
|
17
|
-
"CLI": "az postgres server
|
|
18
|
-
"NativeIaC": "",
|
|
19
|
-
"Other": "
|
|
20
|
-
"Terraform": ""
|
|
21
|
+
"CLI": "az postgres flexible-server parameter set --resource-group <RESOURCE_GROUP> --server-name <SERVER_NAME> --name logfiles.retention_days --value 7",
|
|
22
|
+
"NativeIaC": "```bicep\n// Set log retention to a compliant value (4-7 days) for an existing Flexible Server\nresource cfg 'Microsoft.DBforPostgreSQL/flexibleServers/configurations@2023-03-01-preview' = {\n name: '<example_resource_name>/logfiles.retention_days'\n properties: {\n value: '7' // Critical: sets logfiles.retention_days within 4-7 to pass the check\n }\n}\n```",
|
|
23
|
+
"Other": "1. In Azure Portal, go to Azure Database for PostgreSQL > Flexible servers and open your server\n2. Select Server parameters\n3. Search for logfiles.retention_days\n4. Set the value to a number between 4 and 7 (e.g., 7)\n5. Click Save",
|
|
24
|
+
"Terraform": "```hcl\nresource \"azurerm_postgresql_flexible_server_configuration\" \"<example_resource_name>\" {\n server_id = \"<example_resource_id>\"\n name = \"logfiles.retention_days\"\n value = \"7\" # Critical: sets retention within 4-7 to pass the check\n}\n```"
|
|
21
25
|
},
|
|
22
26
|
"Recommendation": {
|
|
23
|
-
"Text": "
|
|
24
|
-
"Url": "https://
|
|
27
|
+
"Text": "Set `log_retention_days` to `4-7` to balance visibility and exposure. Export logs to centralized SIEM or secure storage for longer retention and analysis. Enforce **least privilege**, encryption, and immutability on log data, and monitor for gaps. Apply **defense in depth** with alerts on anomalous queries and failed logins.",
|
|
28
|
+
"Url": "https://hub.prowler.com/check/postgresql_flexible_server_log_retention_days_greater_3"
|
|
25
29
|
}
|
|
26
30
|
},
|
|
27
|
-
"Categories": [
|
|
31
|
+
"Categories": [
|
|
32
|
+
"logging"
|
|
33
|
+
],
|
|
28
34
|
"DependsOn": [],
|
|
29
35
|
"RelatedTo": [],
|
|
30
36
|
"Notes": "Configuring this setting will result in logs being retained for the specified number of days. If this is configured on a high traffic server, the log may grow quickly to occupy a large amount of disk space. In this case you may want to set this to a lower number."
|
|
@@ -1,30 +1,37 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "azure",
|
|
3
3
|
"CheckID": "sqlserver_auditing_enabled",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "SQL Server has an auditing policy configured",
|
|
5
5
|
"CheckType": [],
|
|
6
6
|
"ServiceName": "sqlserver",
|
|
7
7
|
"SubServiceName": "",
|
|
8
8
|
"ResourceIdTemplate": "",
|
|
9
|
-
"Severity": "
|
|
10
|
-
"ResourceType": "
|
|
9
|
+
"Severity": "high",
|
|
10
|
+
"ResourceType": "microsoft.sql/servers",
|
|
11
11
|
"ResourceGroup": "database",
|
|
12
|
-
"Description": "
|
|
13
|
-
"Risk": "
|
|
14
|
-
"RelatedUrl": "
|
|
12
|
+
"Description": "**Azure SQL Server** auditing is assessed at the server level to confirm audit logging is active. Configurations with any auditing policy state set to `Disabled` indicate auditing is not configured for the server and its databases.",
|
|
13
|
+
"Risk": "Without **SQL auditing**, visibility into logins, privilege changes, and query activity is lost. Stealthy data exfiltration and tampering can go undetected, impacting **confidentiality** and **integrity**. Absent audit trails hinder **forensics**, slow incident response, and weaken compliance evidence.",
|
|
14
|
+
"RelatedUrl": "",
|
|
15
|
+
"AdditionalURLs": [
|
|
16
|
+
"https://learn.microsoft.com/is-is/azure/azure-sql/database/auditing-overview?view=azuresql&viewFallbackFrom=azuresql-vm",
|
|
17
|
+
"https://learn.microsoft.com/en-us/azure/azure-sql/database/auditing-overview?view=azuresql",
|
|
18
|
+
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Sql/auditing.html"
|
|
19
|
+
],
|
|
15
20
|
"Remediation": {
|
|
16
21
|
"Code": {
|
|
17
|
-
"CLI": "
|
|
18
|
-
"NativeIaC": "",
|
|
19
|
-
"Other": "
|
|
20
|
-
"Terraform": "https
|
|
22
|
+
"CLI": "az sql server audit-policy update --resource-group <RESOURCE_GROUP_NAME> --name <SERVER_NAME> --state Enabled --storage-account <STORAGE_ACCOUNT_NAME>",
|
|
23
|
+
"NativeIaC": "```bicep\n// Enable server-level auditing to an existing Storage Account\nparam sqlServerName string = \"<example_resource_name>\"\nparam storageAccountName string = \"<example_resource_name>\"\n\nresource sql 'Microsoft.Sql/servers@2021-11-01' existing = {\n name: sqlServerName\n}\n\nresource sa 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {\n name: storageAccountName\n}\n\nresource audit 'Microsoft.Sql/servers/auditingSettings@2021-11-01-preview' = {\n name: 'default'\n parent: sql\n properties: {\n state: 'Enabled' // Critical: turns on auditing\n storageEndpoint: 'https://${sa.name}.blob.core.windows.net/' // Critical: audit log destination\n storageAccountAccessKey: listKeys(sa.id, '2023-01-01').keys[0].value // Critical: grants write access to logs\n }\n}\n```",
|
|
24
|
+
"Other": "1. In Azure Portal, go to SQL servers and select your server\n2. Under Security, click Auditing\n3. Set Auditing to On\n4. Select Storage as the destination and choose a Storage account\n5. Click Save",
|
|
25
|
+
"Terraform": "```hcl\n# Enable server-level auditing to Azure Storage\nresource \"azurerm_mssql_server_extended_auditing_policy\" \"<example_resource_name>\" {\n server_id = \"<example_resource_id>\"\n storage_endpoint = \"https://<STORAGE_ACCOUNT_NAME>.blob.core.windows.net/\" # Critical: audit log destination\n storage_account_access_key = \"<STORAGE_ACCOUNT_KEY>\" # Critical: allows writing audit logs\n}\n```"
|
|
21
26
|
},
|
|
22
27
|
"Recommendation": {
|
|
23
|
-
"Text": "
|
|
24
|
-
"Url": "https://
|
|
28
|
+
"Text": "Enable server-level **auditing** and send logs to a centralized, tamper-resistant store with defined retention. Enforce **least privilege** and **separation of duties** for log access, integrate with monitoring for alerts, and periodically validate coverage. Use database-level auditing only for specific exceptions.",
|
|
29
|
+
"Url": "https://hub.prowler.com/check/sqlserver_auditing_enabled"
|
|
25
30
|
}
|
|
26
31
|
},
|
|
27
|
-
"Categories": [
|
|
32
|
+
"Categories": [
|
|
33
|
+
"logging"
|
|
34
|
+
],
|
|
28
35
|
"DependsOn": [],
|
|
29
36
|
"RelatedTo": [],
|
|
30
37
|
"Notes": ""
|
|
@@ -1,30 +1,38 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "azure",
|
|
3
3
|
"CheckID": "sqlserver_auditing_retention_90_days",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "SQL server has auditing enabled with retention greater than 90 days",
|
|
5
5
|
"CheckType": [],
|
|
6
6
|
"ServiceName": "sqlserver",
|
|
7
7
|
"SubServiceName": "",
|
|
8
8
|
"ResourceIdTemplate": "",
|
|
9
9
|
"Severity": "medium",
|
|
10
|
-
"ResourceType": "
|
|
10
|
+
"ResourceType": "microsoft.sql/servers",
|
|
11
11
|
"ResourceGroup": "database",
|
|
12
|
-
"Description": "SQL Server
|
|
13
|
-
"Risk": "
|
|
14
|
-
"RelatedUrl": "
|
|
12
|
+
"Description": "**Azure SQL Server auditing** settings are evaluated to ensure **auditing is enabled** and log retention is greater than `90` days. It considers the auditing policy state and the configured `retention_days` value.",
|
|
13
|
+
"Risk": "Without adequate retention or with auditing disabled, **activity trails expire too soon**, limiting detection and investigation of **unauthorized access, data exfiltration, and privilege abuse**. This weakens **confidentiality** and **integrity** and slows incident response.",
|
|
14
|
+
"RelatedUrl": "",
|
|
15
|
+
"AdditionalURLs": [
|
|
16
|
+
"https://learn.microsoft.com/en-us/purview/audit-log-retention-policies",
|
|
17
|
+
"https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Sql/auditing-retention.html#",
|
|
18
|
+
"https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing"
|
|
19
|
+
],
|
|
15
20
|
"Remediation": {
|
|
16
21
|
"Code": {
|
|
17
|
-
"CLI": "Set-AzSqlServerAudit -ResourceGroupName
|
|
18
|
-
"NativeIaC": "",
|
|
19
|
-
"Other": "
|
|
20
|
-
"Terraform": "
|
|
22
|
+
"CLI": "Set-AzSqlServerAudit -ResourceGroupName <example_resource_name> -ServerName <example_resource_name> -RetentionInDays 91 -LogAnalyticsTargetState Enabled -WorkspaceResourceId <example_resource_id>",
|
|
23
|
+
"NativeIaC": "```bicep\n// Enable server-level auditing with retention > 90 days\nresource audit 'Microsoft.Sql/servers/auditingSettings@2021-02-01-preview' = {\n name: '<example_resource_name>/default'\n properties: {\n state: 'Enabled' // Critical: turns auditing ON\n retentionDays: 91 // Critical: > 90 days\n isAzureMonitorTargetEnabled: true // Critical: send to Log Analytics\n workspaceResourceId: '<example_resource_id>' // Critical: target workspace\n }\n}\n```",
|
|
24
|
+
"Other": "1. In Azure Portal, go to SQL servers and select <example_resource_name>\n2. Under Security, click Auditing\n3. Set Auditing to On\n4. Destination: select Log Analytics workspace and choose your workspace\n5. Set Retention (days) to 91\n6. Click Save",
|
|
25
|
+
"Terraform": "```hcl\n# Enable server-level auditing with retention > 90 days\nresource \"azurerm_mssql_server_extended_auditing_policy\" \"audit\" {\n server_id = \"<example_resource_id>\"\n log_monitoring_enabled = true # Critical: enable Log Analytics target\n retention_in_days = 91 # Critical: > 90 days\n}\n```"
|
|
21
26
|
},
|
|
22
27
|
"Recommendation": {
|
|
23
|
-
"Text": "
|
|
24
|
-
"Url": "https://
|
|
28
|
+
"Text": "Enable **server-level auditing** and set retention above `90` days, aligned with policy needs. Store logs in **tamper-resistant, centralized storage**, restrict access with **least privilege**, and integrate alerting and review. Apply **defense in depth** with continuous monitoring.",
|
|
29
|
+
"Url": "https://hub.prowler.com/check/sqlserver_auditing_retention_90_days"
|
|
25
30
|
}
|
|
26
31
|
},
|
|
27
|
-
"Categories": [
|
|
32
|
+
"Categories": [
|
|
33
|
+
"logging",
|
|
34
|
+
"forensics-ready"
|
|
35
|
+
],
|
|
28
36
|
"DependsOn": [],
|
|
29
37
|
"RelatedTo": [],
|
|
30
38
|
"Notes": ""
|