PyPI - prowler - Versions diffs - 5.17.0__py3-none-any.whl → 5.18.0__py3-none-any.whl - Mend

prowler 5.17.0py3-none-any.whl → 5.18.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (219) hide show

prowler/providers/cloudflare/services/dns/dns_service.py CHANGED Viewed

@@ -4,7 +4,6 @@ from pydantic import BaseModel
 from prowler.lib.logger import logger
 from prowler.providers.cloudflare.lib.service.service import CloudflareService
-from prowler.providers.cloudflare.services.zone.zone_client import zone_client
 class DNS(CloudflareService):
@@ -19,10 +18,13 @@ class DNS(CloudflareService):
         """List DNS records for all zones."""
         logger.info("DNS - Listing DNS records...")
         try:
-            for zone in zone_client.zones.values():
+            # Get zones directly from API to avoid circular dependency with zone_client
+            zones = self._get_zones()
+            for zone_id, zone_name in zones.items():
                 seen_record_ids: set[str] = set()
                 try:
-                    for record in self.client.dns.records.list(zone_id=zone.id):
+                    for record in self.client.dns.records.list(zone_id=zone_id):
                         record_id = getattr(record, "id", None)
                         # Prevent infinite loop
                         if record_id in seen_record_ids:
@@ -32,8 +34,8 @@ class DNS(CloudflareService):
                         self.records.append(
                             CloudflareDNSRecord(
                                 id=record_id,
-                                zone_id=zone.id,
-                                zone_name=zone.name,
+                                zone_id=zone_id,
+                                zone_name=zone_name,
                                 name=getattr(record, "name", None),
                                 type=getattr(record, "type", None),
                                 content=getattr(record, "content", ""),
@@ -43,13 +45,57 @@ class DNS(CloudflareService):
                         )
                 except Exception as error:
                     logger.error(
-                        f"{zone.id} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                        f"{zone_id} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
                     )
         except Exception as error:
             logger.error(
                 f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
             )
+    def _get_zones(self) -> dict[str, str]:
+        """Get zones directly from Cloudflare API.
+        Returns:
+            Dictionary mapping zone_id to zone_name.
+        """
+        zones = {}
+        audited_accounts = self.provider.identity.audited_accounts
+        filter_zones = self.provider.filter_zones
+        seen_zone_ids: set[str] = set()
+        try:
+            for zone in self.client.zones.list():
+                zone_id = getattr(zone, "id", None)
+                # Prevent infinite loop - skip if we've seen this zone
+                if zone_id in seen_zone_ids:
+                    break
+                seen_zone_ids.add(zone_id)
+                zone_account = getattr(zone, "account", None)
+                account_id = getattr(zone_account, "id", None) if zone_account else None
+                # Filter by audited accounts
+                if audited_accounts and account_id not in audited_accounts:
+                    continue
+                zone_name = getattr(zone, "name", None)
+                # Apply zone filter if specified via --region
+                if (
+                    filter_zones
+                    and zone_id not in filter_zones
+                    and zone_name not in filter_zones
+                ):
+                    continue
+                zones[zone_id] = zone_name
+        except Exception as error:
+            logger.error(
+                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+        return zones
 class CloudflareDNSRecord(BaseModel):
     """Cloudflare DNS record representation."""

prowler/providers/cloudflare/services/firewall/__init__.py ADDED Viewed

File without changes

prowler/providers/cloudflare/services/firewall/firewall_client.py ADDED Viewed

@@ -0,0 +1,4 @@
+from prowler.providers.cloudflare.services.firewall.firewall_service import Firewall
+from prowler.providers.common.provider import Provider
+firewall_client = Firewall(Provider.get_global_provider())

prowler/providers/cloudflare/services/firewall/firewall_service.py ADDED Viewed

@@ -0,0 +1,123 @@
+from typing import Optional
+from pydantic import BaseModel
+from prowler.lib.logger import logger
+from prowler.providers.cloudflare.lib.service.service import CloudflareService
+class Firewall(CloudflareService):
+    """Retrieve Cloudflare firewall rules for all zones."""
+    def __init__(self, provider):
+        super().__init__(__class__.__name__, provider)
+        self.rules: list["CloudflareFirewallRule"] = []
+        self._list_rulesets()
+    def _list_rulesets(self) -> None:
+        """List firewall rulesets for all zones."""
+        logger.info("Firewall - Listing firewall rulesets...")
+        try:
+            # Get zones directly from API to avoid circular dependency with zone_client
+            zones = self._get_zones()
+            for zone_id, zone_name in zones.items():
+                try:
+                    # Get all rulesets for the zone
+                    rulesets = self.client.rulesets.list(zone_id=zone_id)
+                    for ruleset in rulesets:
+                        ruleset_id = getattr(ruleset, "id", None)
+                        phase = getattr(ruleset, "phase", None)
+                        if not ruleset_id:
+                            continue
+                        # Get rules within each ruleset
+                        try:
+                            ruleset_detail = self.client.rulesets.get(
+                                ruleset_id=ruleset_id, zone_id=zone_id
+                            )
+                            rules = getattr(ruleset_detail, "rules", []) or []
+                            for rule in rules:
+                                self.rules.append(
+                                    CloudflareFirewallRule(
+                                        id=getattr(rule, "id", None),
+                                        zone_id=zone_id,
+                                        zone_name=zone_name,
+                                        ruleset_id=ruleset_id,
+                                        phase=phase,
+                                        action=getattr(rule, "action", None),
+                                        expression=getattr(rule, "expression", None),
+                                        description=getattr(rule, "description", None),
+                                        enabled=getattr(rule, "enabled", True),
+                                    )
+                                )
+                        except Exception as error:
+                            logger.debug(
+                                f"{zone_id} ruleset {ruleset_id} -- {error.__class__.__name__}: {error}"
+                            )
+                except Exception as error:
+                    logger.error(
+                        f"{zone_id} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                    )
+        except Exception as error:
+            logger.error(
+                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+    def _get_zones(self) -> dict[str, str]:
+        """Get zones directly from Cloudflare API.
+        Returns:
+            Dictionary mapping zone_id to zone_name.
+        """
+        zones = {}
+        audited_accounts = self.provider.identity.audited_accounts
+        filter_zones = self.provider.filter_zones
+        seen_zone_ids: set[str] = set()
+        try:
+            for zone in self.client.zones.list():
+                zone_id = getattr(zone, "id", None)
+                # Prevent infinite loop - skip if we've seen this zone
+                if zone_id in seen_zone_ids:
+                    break
+                seen_zone_ids.add(zone_id)
+                zone_account = getattr(zone, "account", None)
+                account_id = getattr(zone_account, "id", None) if zone_account else None
+                # Filter by audited accounts
+                if audited_accounts and account_id not in audited_accounts:
+                    continue
+                zone_name = getattr(zone, "name", None)
+                # Apply zone filter if specified via --region
+                if (
+                    filter_zones
+                    and zone_id not in filter_zones
+                    and zone_name not in filter_zones
+                ):
+                    continue
+                zones[zone_id] = zone_name
+        except Exception as error:
+            logger.error(
+                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+        return zones
+class CloudflareFirewallRule(BaseModel):
+    """Cloudflare firewall rule representation."""
+    id: Optional[str] = None
+    zone_id: str
+    zone_name: str
+    ruleset_id: Optional[str] = None
+    phase: Optional[str] = None
+    action: Optional[str] = None
+    expression: Optional[str] = None
+    description: Optional[str] = None
+    enabled: bool = True

prowler/providers/cloudflare/services/zone/zone_firewall_blocking_rules_configured/__init__.py ADDED Viewed

File without changes

prowler/providers/cloudflare/services/zone/zone_firewall_blocking_rules_configured/zone_firewall_blocking_rules_configured.metadata.json ADDED Viewed

@@ -0,0 +1,36 @@
+{
+  "Provider": "cloudflare",
+  "CheckID": "zone_firewall_blocking_rules_configured",
+  "CheckTitle": "Cloudflare Zone Firewall Rules Use Blocking Actions to Protect Against Threats",
+  "CheckType": [],
+  "ServiceName": "zone",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "Zone",
+  "ResourceGroup": "network",
+  "Description": "**Cloudflare zones** are assessed for **firewall blocking rules** by checking if custom rules use block, challenge, js_challenge, or managed_challenge actions to actively protect against threats rather than only logging.",
+  "Risk": "Firewall rules configured only for **logging** provide visibility but no protection.\n- **Confidentiality**: malicious traffic can access and exfiltrate sensitive data\n- **Integrity**: application exploits can modify data without being blocked\n- **Availability**: credential stuffing and abuse attacks reach the origin unimpeded",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://developers.cloudflare.com/waf/custom-rules/"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Log in to the Cloudflare dashboard and select your account and domain\n2. Go to Security > WAF > Custom rules\n3. Review existing rules and their actions\n4. Update rules to use blocking actions (Block, Challenge, JS Challenge, Managed Challenge)\n5. Test rules in log mode first, then enable blocking actions",
+      "Terraform": "```hcl\n# Configure firewall rule with blocking action\nresource \"cloudflare_ruleset\" \"blocking_rule\" {\n  zone_id = \"<ZONE_ID>\"\n  name    = \"Block malicious requests\"\n  kind    = \"zone\"\n  phase   = \"http_request_firewall_custom\"\n  rules {\n    action      = \"block\" # Actively blocks matching traffic\n    expression  = \"(ip.geoip.country eq \\\"XX\\\")\"\n    description = \"Block traffic from high-risk country\"\n  }\n}\n```"
+    },
+    "Recommendation": {
+      "Text": "Configure **firewall rules** with blocking actions to enforce security policies.\n- Use challenge actions for suspicious traffic to verify human visitors\n- Use block actions for known malicious patterns and high-risk sources\n- Test rules in log mode before enabling blocking to avoid false positives\n- Follow the principle of least privilege in rule configuration",
+      "Url": "https://hub.prowler.com/checks/cloudflare/zone_firewall_blocking_rules_configured"
+    }
+  },
+  "Categories": [
+    "internet-exposed"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Blocking actions include: block, challenge, js_challenge, managed_challenge. Log-only rules provide visibility but do not prevent attacks."
+}

prowler/providers/cloudflare/services/zone/zone_firewall_blocking_rules_configured/zone_firewall_blocking_rules_configured.py ADDED Viewed

@@ -0,0 +1,53 @@
+from prowler.lib.check.models import Check, CheckReportCloudflare
+from prowler.providers.cloudflare.services.zone.zone_client import zone_client
+BLOCKING_ACTIONS = {"block", "challenge", "js_challenge", "managed_challenge"}
+class zone_firewall_blocking_rules_configured(Check):
+    """Ensure that firewall rules with blocking actions are configured for Cloudflare zones.
+    Firewall rules should use blocking actions (block, challenge, js_challenge,
+    managed_challenge) to actively protect against threats rather than only logging
+    traffic. Without blocking actions, malicious requests can reach the origin server
+    and potentially compromise the application's security.
+    """
+    def execute(self) -> list[CheckReportCloudflare]:
+        """Execute the firewall blocking rules configured check.
+        Iterates through all Cloudflare zones and verifies that at least one
+        firewall rule exists with a blocking action. Blocking actions include
+        block, challenge, js_challenge, and managed_challenge.
+        Returns:
+            A list of CheckReportCloudflare objects with PASS status if blocking
+            rules are configured, or FAIL status if no blocking rules exist.
+        """
+        findings = []
+        for zone in zone_client.zones.values():
+            report = CheckReportCloudflare(
+                metadata=self.metadata(),
+                resource=zone,
+            )
+            # Find blocking rules for this zone
+            blocking_rules = [
+                rule for rule in zone.firewall_rules if rule.action in BLOCKING_ACTIONS
+            ]
+            if blocking_rules:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Zone {zone.name} has firewall rules with blocking actions "
+                    f"({len(blocking_rules)} rule(s))."
+                )
+            else:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Zone {zone.name} has no firewall rules with blocking actions."
+                )
+            findings.append(report)
+        return findings

prowler/providers/cloudflare/services/zone/zone_service.py CHANGED Viewed

@@ -17,6 +17,31 @@ class CloudflareRateLimitRule(BaseModel):
     expression: Optional[str] = None
+class CloudflareFirewallRule(BaseModel):
+    """Represents a firewall rule from custom rulesets."""
+    id: str
+    name: str = ""
+    description: Optional[str] = None
+    action: Optional[str] = None
+    enabled: bool = True
+    expression: Optional[str] = None
+    phase: Optional[str] = None
+    class Config:
+        arbitrary_types_allowed = True
+class CloudflareWAFRuleset(BaseModel):
+    """Represents a WAF ruleset (managed rules) for a zone."""
+    id: str
+    name: str
+    kind: Optional[str] = None
+    phase: Optional[str] = None
+    enabled: bool = True
 class Zone(CloudflareService):
     """Retrieve Cloudflare zones with security-relevant settings."""
@@ -29,6 +54,8 @@ class Zone(CloudflareService):
         self._get_zones_universal_ssl()
         self._get_zones_rate_limit_rules()
         self._get_zones_bot_management()
+        self._get_zones_firewall_rules()
+        self._get_zones_waf_rulesets()
     def _list_zones(self) -> None:
         """List all Cloudflare zones with their basic information."""
@@ -122,7 +149,7 @@ class Zone(CloudflareService):
     def _get_zones_universal_ssl(self) -> None:
         """Get Universal SSL settings for all zones."""
-        logger.info("Zones - Getting Universal SSL settings...")
+        logger.info("Zone - Getting Universal SSL settings...")
         for zone in self.zones.values():
             try:
                 universal_ssl = self.client.ssl.universal.settings.get(zone_id=zone.id)
@@ -191,6 +218,109 @@ class Zone(CloudflareService):
                     f"{zone.id} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
                 )
+    def _get_zones_firewall_rules(self) -> None:
+        """Get firewall rules for all zones."""
+        logger.info("Zone - Getting firewall rules...")
+        for zone in self.zones.values():
+            try:
+                self._get_zone_firewall_rules(zone)
+            except Exception as error:
+                logger.error(
+                    f"{zone.id} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                )
+    def _get_zone_firewall_rules(self, zone: "CloudflareZone") -> None:
+        """List firewall rules from custom rulesets for a zone."""
+        seen_ruleset_ids: set[str] = set()
+        try:
+            for ruleset in self.client.rulesets.list(zone_id=zone.id):
+                ruleset_id = getattr(ruleset, "id", "")
+                if ruleset_id in seen_ruleset_ids:
+                    break
+                seen_ruleset_ids.add(ruleset_id)
+                ruleset_phase = getattr(ruleset, "phase", "")
+                if ruleset_phase in [
+                    "http_request_firewall_custom",
+                    "http_ratelimit",
+                    "http_request_firewall_managed",
+                ]:
+                    try:
+                        ruleset_detail = self.client.rulesets.get(
+                            ruleset_id=ruleset_id, zone_id=zone.id
+                        )
+                        rules = getattr(ruleset_detail, "rules", []) or []
+                        seen_rule_ids: set[str] = set()
+                        for rule in rules:
+                            rule_id = getattr(rule, "id", "")
+                            if rule_id in seen_rule_ids:
+                                break
+                            seen_rule_ids.add(rule_id)
+                            try:
+                                zone.firewall_rules.append(
+                                    CloudflareFirewallRule(
+                                        id=rule_id,
+                                        name=getattr(rule, "description", "")
+                                        or rule_id,
+                                        description=getattr(rule, "description", None),
+                                        action=getattr(rule, "action", None),
+                                        enabled=getattr(rule, "enabled", True),
+                                        expression=getattr(rule, "expression", None),
+                                        phase=ruleset_phase,
+                                    )
+                                )
+                            except Exception as error:
+                                logger.error(
+                                    f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                                )
+                    except Exception as error:
+                        logger.error(
+                            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                        )
+        except Exception as error:
+            logger.error(
+                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+    def _get_zones_waf_rulesets(self) -> None:
+        """Get WAF rulesets for all zones."""
+        logger.info("Zone - Getting WAF rulesets...")
+        for zone in self.zones.values():
+            try:
+                self._get_zone_waf_rulesets(zone)
+            except Exception as error:
+                logger.error(
+                    f"{zone.id} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                )
+    def _get_zone_waf_rulesets(self, zone: "CloudflareZone") -> None:
+        """List WAF rulesets for a zone using the rulesets API."""
+        seen_ids: set[str] = set()
+        try:
+            for ruleset in self.client.rulesets.list(zone_id=zone.id):
+                ruleset_id = getattr(ruleset, "id", "")
+                if ruleset_id in seen_ids:
+                    break
+                seen_ids.add(ruleset_id)
+                try:
+                    zone.waf_rulesets.append(
+                        CloudflareWAFRuleset(
+                            id=ruleset_id,
+                            name=getattr(ruleset, "name", ""),
+                            kind=getattr(ruleset, "kind", None),
+                            phase=getattr(ruleset, "phase", None),
+                            enabled=True,
+                        )
+                    )
+                except Exception as error:
+                    logger.error(
+                        f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                    )
+        except Exception as error:
+            logger.error(
+                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
     def _get_zone_setting(self, zone_id: str, setting_id: str):
         """Get a single zone setting by ID."""
         try:
@@ -326,3 +456,5 @@ class CloudflareZone(BaseModel):
     settings: CloudflareZoneSettings = Field(default_factory=CloudflareZoneSettings)
     dnssec_status: Optional[str] = None
     rate_limit_rules: list[CloudflareRateLimitRule] = Field(default_factory=list)
+    firewall_rules: list[CloudflareFirewallRule] = Field(default_factory=list)
+    waf_rulesets: list[CloudflareWAFRuleset] = Field(default_factory=list)

prowler/providers/cloudflare/services/zone/zone_waf_owasp_ruleset_enabled/__init__.py ADDED Viewed

File without changes

prowler/providers/cloudflare/services/zone/zone_waf_owasp_ruleset_enabled/zone_waf_owasp_ruleset_enabled.metadata.json ADDED Viewed

@@ -0,0 +1,36 @@
+{
+  "Provider": "cloudflare",
+  "CheckID": "zone_waf_owasp_ruleset_enabled",
+  "CheckTitle": "Cloudflare Zone OWASP Managed WAF Rulesets Are Enabled",
+  "CheckType": [],
+  "ServiceName": "zone",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "Zone",
+  "ResourceGroup": "network",
+  "Description": "**Cloudflare zones** are assessed for **OWASP managed rulesets** by checking if they are enabled to protect against common web application vulnerabilities including **SQL injection**, **XSS**, and other **OWASP Top 10** threats.",
+  "Risk": "Without **OWASP managed rulesets**, web applications are exposed to well-known attack vectors.\n- **Confidentiality**: SQL injection attacks can exfiltrate sensitive database contents\n- **Integrity**: XSS attacks can modify page content and steal session tokens\n- **Availability**: remote code execution can compromise server availability",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://developers.cloudflare.com/waf/managed-rules/"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Log in to the Cloudflare dashboard and select your account and domain\n2. Go to Security > WAF > Managed rules\n3. Enable the Cloudflare OWASP Core Ruleset\n4. Review and configure rule sensitivity based on your application\n5. Monitor WAF analytics to tune rules and reduce false positives",
+      "Terraform": "```hcl\n# Enable OWASP managed WAF rulesets\nresource \"cloudflare_ruleset\" \"waf_owasp\" {\n  zone_id = \"<ZONE_ID>\"\n  name    = \"OWASP Managed Rules\"\n  kind    = \"zone\"\n  phase   = \"http_request_firewall_managed\"\n  rules {\n    action = \"execute\"\n    action_parameters {\n      id = \"4814384a9e5d4991b9815dcfc25d2f1f\" # Cloudflare OWASP Core Ruleset\n    }\n    expression  = \"true\"\n    description = \"Execute Cloudflare OWASP Core Ruleset\"\n  }\n}\n```"
+    },
+    "Recommendation": {
+      "Text": "Enable **OWASP Core Ruleset** managed rules as part of a defense in depth strategy.\n- Protects against OWASP Top 10 vulnerabilities including SQLi and XSS\n- Regularly review and tune rule sensitivity based on application requirements\n- Monitor WAF analytics to identify and address false positives\n- Combine with custom rules for application-specific protection",
+      "Url": "https://hub.prowler.com/checks/cloudflare/zone_waf_owasp_ruleset_enabled"
+    }
+  },
+  "Categories": [
+    "vulnerabilities"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "OWASP managed rulesets are available on Pro, Business, and Enterprise plans. The Cloudflare OWASP Core Ruleset provides protection against common web application vulnerabilities."
+}

prowler/providers/cloudflare/services/zone/zone_waf_owasp_ruleset_enabled/zone_waf_owasp_ruleset_enabled.py ADDED Viewed

@@ -0,0 +1,58 @@
+from prowler.lib.check.models import Check, CheckReportCloudflare
+from prowler.providers.cloudflare.services.zone.zone_client import zone_client
+class zone_waf_owasp_ruleset_enabled(Check):
+    """Ensure that OWASP managed WAF rulesets are enabled for Cloudflare zones.
+    The OWASP Core Ruleset provides protection against common web application
+    vulnerabilities including SQL injection, cross-site scripting (XSS), and other
+    OWASP Top 10 threats. These managed rulesets are essential for defense in depth
+    and protecting applications from well-known attack vectors.
+    """
+    def execute(self) -> list[CheckReportCloudflare]:
+        """Execute the OWASP WAF ruleset enabled check.
+        Iterates through all Cloudflare zones and verifies that OWASP managed
+        WAF rulesets are enabled. The check identifies OWASP rulesets by name
+        containing "owasp" or by the http_request_firewall_managed phase.
+        Returns:
+            A list of CheckReportCloudflare objects with PASS status if OWASP
+            rulesets are enabled, or FAIL status if no OWASP protection exists.
+        """
+        findings = []
+        for zone in zone_client.zones.values():
+            report = CheckReportCloudflare(
+                metadata=self.metadata(),
+                resource=zone,
+            )
+            # Find OWASP managed rulesets for this zone
+            # Only match rulesets that explicitly contain "owasp" in the name
+            # The phase check was too broad as it matched any managed ruleset
+            owasp_rulesets = [
+                ruleset
+                for ruleset in zone.waf_rulesets
+                if "owasp" in (ruleset.name or "").lower()
+            ]
+            if owasp_rulesets:
+                report.status = "PASS"
+                ruleset_descriptions = ", ".join(
+                    ruleset.name for ruleset in owasp_rulesets
+                )
+                report.status_extended = (
+                    f"Zone {zone.name} has OWASP managed WAF ruleset enabled: "
+                    f"{ruleset_descriptions}."
+                )
+            else:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Zone {zone.name} does not have OWASP managed WAF ruleset enabled."
+                )
+            findings.append(report)
+        return findings

prowler/providers/common/provider.py CHANGED Viewed

@@ -251,6 +251,7 @@ class Provider(ABC):
                 elif "cloudflare" in provider_class_name.lower():
                     provider_class(
                         filter_zones=arguments.region,
+                        filter_accounts=arguments.account_id,
                         config_path=arguments.config_file,
                         mutelist_path=arguments.mutelist_file,
                         fixer_config=fixer_config,
@@ -293,6 +294,28 @@ class Provider(ABC):
                         fixer_config=fixer_config,
                         use_instance_principal=arguments.use_instance_principal,
                     )
+                elif "openstack" in provider_class_name.lower():
+                    provider_class(
+                        clouds_yaml_file=getattr(arguments, "clouds_yaml_file", None),
+                        clouds_yaml_cloud=getattr(arguments, "clouds_yaml_cloud", None),
+                        auth_url=getattr(arguments, "os_auth_url", None),
+                        identity_api_version=getattr(
+                            arguments, "os_identity_api_version", None
+                        ),
+                        username=getattr(arguments, "os_username", None),
+                        password=getattr(arguments, "os_password", None),
+                        project_id=getattr(arguments, "os_project_id", None),
+                        region_name=getattr(arguments, "os_region_name", None),
+                        user_domain_name=getattr(
+                            arguments, "os_user_domain_name", None
+                        ),
+                        project_domain_name=getattr(
+                            arguments, "os_project_domain_name", None
+                        ),
+                        config_path=arguments.config_file,
+                        mutelist_path=arguments.mutelist_file,
+                        fixer_config=fixer_config,
+                    )
                 elif "alibabacloud" in provider_class_name.lower():
                     provider_class(
                         role_arn=arguments.role_arn,

prowler/providers/gcp/services/compute/compute_instance_suspended_without_persistent_disks/__init__.py ADDED Viewed

File without changes

prowler/providers/gcp/services/compute/compute_instance_suspended_without_persistent_disks/compute_instance_suspended_without_persistent_disks.metadata.json ADDED Viewed

@@ -0,0 +1,37 @@
+{
+  "Provider": "gcp",
+  "CheckID": "compute_instance_suspended_without_persistent_disks",
+  "CheckTitle": "Suspended VM instance does not have persistent disks attached",
+  "CheckType": [],
+  "ServiceName": "compute",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "compute.googleapis.com/Instance",
+  "ResourceGroup": "compute",
+  "Description": "This check identifies VM instances in a **SUSPENDED** or **SUSPENDING** state with persistent disks still attached.\n\nPersistent disks on suspended VMs remain accessible through the GCP API and could contain **sensitive data** while the instance is inactive, potentially creating security blind spots in long-forgotten infrastructure.",
+  "Risk": "Persistent disks on suspended VM instances remain accessible through the GCP API and may contain **sensitive data**, creating potential security risks:\n\n- **Unauthorized data access** if credentials are compromised or permissions are misconfigured\n- **Data exposure** from forgotten infrastructure that is no longer actively monitored\n- **Security blind spots** where suspended resources are overlooked during security reviews and audits",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://cloud.google.com/icompute/docs/instances/suspend-resume-instance",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/persistent-disks-attached-to-suspended-vms.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "gcloud compute instances delete INSTANCE_NAME --zone=ZONE",
+      "NativeIaC": "",
+      "Other": "1. Open the Google Cloud Console\n2. Navigate to Compute Engine > VM instances\n3. Identify suspended instances with attached disks\n4. If the instance is no longer needed, select it and click DELETE\n5. If the instance will be resumed, take no action or resume it with: gcloud compute instances resume INSTANCE_NAME --zone=ZONE",
+      "Terraform": "```hcl\n# To remediate, either delete the suspended instance or resume it\n# Delete by removing the resource from your Terraform configuration\n# Or resume by changing the desired_status\nresource \"google_compute_instance\" \"example_resource\" {\n  name         = \"example-instance\"\n  machine_type = \"e2-medium\"\n  zone         = \"us-central1-a\"\n\n  # Set desired_status to RUNNING to resume the instance\n  desired_status = \"RUNNING\"\n\n  boot_disk {\n    initialize_params {\n      image = \"debian-cloud/debian-11\"\n    }\n  }\n\n  network_interface {\n    network = \"default\"\n  }\n}\n```"
+    },
+    "Recommendation": {
+      "Text": "Regularly review suspended VM instances to reduce your attack surface. Either **resume** instances if still needed, or **delete** them along with their attached disks to eliminate potential data exposure. Implement automated policies to detect and alert on long-suspended instances as part of your security monitoring.",
+      "Url": "https://hub.prowler.com/check/compute_instance_suspended_without_persistent_disks"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [
+    "compute_instance_disk_auto_delete_disabled"
+  ],
+  "Notes": "This check is focused on security risks rather than cost optimization. Persistent disks on suspended VMs remain accessible and may contain sensitive data, creating potential unauthorized access risks."
+}

prowler 5.17.0__py3-none-any.whl → 5.18.0__py3-none-any.whl

prowler 5.17.0py3-none-any.whl → 5.18.0py3-none-any.whl