prowler 5.17.1__py3-none-any.whl → 5.18.0__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- dashboard/compliance/hipaa_azure.py +25 -0
- dashboard/pages/overview.py +20 -11
- prowler/AGENTS.md +1 -1
- prowler/CHANGELOG.md +43 -0
- prowler/__main__.py +5 -0
- prowler/compliance/azure/hipaa_azure.json +820 -0
- prowler/compliance/m365/cis_4.0_m365.json +6 -2
- prowler/compliance/m365/cis_6.0_m365.json +6 -2
- prowler/compliance/m365/iso27001_2022_m365.json +13 -11
- prowler/compliance/openstack/__init__.py +0 -0
- prowler/config/config.py +2 -1
- prowler/config/config.yaml +4 -1
- prowler/config/openstack_mutelist_example.yaml +60 -0
- prowler/lib/check/check.py +4 -0
- prowler/lib/check/models.py +27 -2
- prowler/lib/cli/parser.py +3 -2
- prowler/lib/outputs/finding.py +14 -0
- prowler/lib/outputs/html/html.py +72 -0
- prowler/lib/outputs/jira/jira.py +3 -3
- prowler/lib/outputs/outputs.py +2 -0
- prowler/lib/outputs/summary_table.py +7 -0
- prowler/lib/timeline/__init__.py +0 -0
- prowler/lib/timeline/models.py +27 -0
- prowler/lib/timeline/timeline.py +36 -0
- prowler/providers/aws/lib/cloudtrail_timeline/__init__.py +0 -0
- prowler/providers/aws/lib/cloudtrail_timeline/cloudtrail_timeline.py +218 -0
- prowler/providers/aws/services/codebuild/codebuild_project_webhook_filters_use_anchored_patterns/__init__.py +0 -0
- prowler/providers/aws/services/codebuild/codebuild_project_webhook_filters_use_anchored_patterns/codebuild_project_webhook_filters_use_anchored_patterns.metadata.json +40 -0
- prowler/providers/aws/services/codebuild/codebuild_project_webhook_filters_use_anchored_patterns/codebuild_project_webhook_filters_use_anchored_patterns.py +58 -0
- prowler/providers/aws/services/codebuild/codebuild_service.py +45 -0
- prowler/providers/aws/services/dynamodb/dynamodb_table_cross_account_access/dynamodb_table_cross_account_access.metadata.json +1 -1
- prowler/providers/aws/services/dynamodb/dynamodb_table_cross_account_access/dynamodb_table_cross_account_access.py +4 -0
- prowler/providers/aws/services/eventbridge/eventbridge_bus_cross_account_access/eventbridge_bus_cross_account_access.metadata.json +1 -1
- prowler/providers/aws/services/eventbridge/eventbridge_bus_cross_account_access/eventbridge_bus_cross_account_access.py +4 -0
- prowler/providers/aws/services/eventbridge/eventbridge_schema_registry_cross_account_access/eventbridge_schema_registry_cross_account_access.metadata.json +1 -1
- prowler/providers/aws/services/eventbridge/eventbridge_schema_registry_cross_account_access/eventbridge_schema_registry_cross_account_access.py +2 -0
- prowler/providers/aws/services/iam/lib/policy.py +19 -3
- prowler/providers/aws/services/rds/rds_instance_extended_support/__init__.py +0 -0
- prowler/providers/aws/services/rds/rds_instance_extended_support/rds_instance_extended_support.metadata.json +41 -0
- prowler/providers/aws/services/rds/rds_instance_extended_support/rds_instance_extended_support.py +37 -0
- prowler/providers/aws/services/rds/rds_service.py +4 -0
- prowler/providers/aws/services/s3/s3_bucket_cross_account_access/s3_bucket_cross_account_access.metadata.json +1 -1
- prowler/providers/aws/services/s3/s3_bucket_cross_account_access/s3_bucket_cross_account_access.py +5 -1
- prowler/providers/azure/lib/service/service.py +23 -0
- prowler/providers/azure/services/app/app_client_certificates_on/app_client_certificates_on.metadata.json +18 -12
- prowler/providers/azure/services/app/app_ensure_auth_is_set_up/app_ensure_auth_is_set_up.metadata.json +18 -11
- prowler/providers/azure/services/app/app_ensure_http_is_redirected_to_https/app_ensure_http_is_redirected_to_https.metadata.json +19 -12
- prowler/providers/azure/services/app/app_ensure_java_version_is_latest/app_ensure_java_version_is_latest.metadata.json +19 -12
- prowler/providers/azure/services/app/app_ensure_php_version_is_latest/app_ensure_php_version_is_latest.metadata.json +19 -12
- prowler/providers/azure/services/app/app_ensure_python_version_is_latest/app_ensure_python_version_is_latest.metadata.json +19 -12
- prowler/providers/azure/services/app/app_ensure_using_http20/app_ensure_using_http20.metadata.json +18 -11
- prowler/providers/azure/services/app/app_ftp_deployment_disabled/app_ftp_deployment_disabled.metadata.json +21 -13
- prowler/providers/azure/services/app/app_function_access_keys_configured/app_function_access_keys_configured.metadata.json +19 -11
- prowler/providers/azure/services/app/app_function_application_insights_enabled/app_function_application_insights_enabled.metadata.json +21 -14
- prowler/providers/azure/services/app/app_function_ftps_deployment_disabled/app_function_ftps_deployment_disabled.metadata.json +18 -13
- prowler/providers/azure/services/app/app_function_identity_is_configured/app_function_identity_is_configured.metadata.json +20 -13
- prowler/providers/azure/services/app/app_function_identity_without_admin_privileges/app_function_identity_without_admin_privileges.metadata.json +18 -11
- prowler/providers/azure/services/app/app_function_latest_runtime_version/app_function_latest_runtime_version.metadata.json +20 -13
- prowler/providers/azure/services/app/app_function_not_publicly_accessible/app_function_not_publicly_accessible.metadata.json +20 -13
- prowler/providers/azure/services/app/app_function_vnet_integration_enabled/app_function_vnet_integration_enabled.metadata.json +21 -14
- prowler/providers/azure/services/app/app_http_logs_enabled/app_http_logs_enabled.metadata.json +18 -12
- prowler/providers/azure/services/app/app_minimum_tls_version_12/app_minimum_tls_version_12.metadata.json +20 -12
- prowler/providers/azure/services/app/app_register_with_identity/app_register_with_identity.metadata.json +18 -11
- prowler/providers/azure/services/appinsights/appinsights_ensure_is_configured/appinsights_ensure_is_configured.metadata.json +18 -12
- prowler/providers/azure/services/containerregistry/containerregistry_admin_user_disabled/containerregistry_admin_user_disabled.metadata.json +17 -11
- prowler/providers/azure/services/containerregistry/containerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible.metadata.json +18 -12
- prowler/providers/azure/services/containerregistry/containerregistry_uses_private_link/containerregistry_uses_private_link.metadata.json +21 -13
- prowler/providers/azure/services/cosmosdb/cosmosdb_account_firewall_use_selected_networks/cosmosdb_account_firewall_use_selected_networks.metadata.json +20 -12
- prowler/providers/azure/services/cosmosdb/cosmosdb_account_use_aad_and_rbac/cosmosdb_account_use_aad_and_rbac.metadata.json +19 -13
- prowler/providers/azure/services/cosmosdb/cosmosdb_account_use_private_endpoints/cosmosdb_account_use_private_endpoints.metadata.json +20 -13
- prowler/providers/azure/services/databricks/databricks_workspace_cmk_encryption_enabled/databricks_workspace_cmk_encryption_enabled.metadata.json +20 -14
- prowler/providers/azure/services/databricks/databricks_workspace_vnet_injection_enabled/databricks_workspace_vnet_injection_enabled.metadata.json +20 -14
- prowler/providers/azure/services/defender/defender_additional_email_configured_with_a_security_contact/defender_additional_email_configured_with_a_security_contact.metadata.json +20 -13
- prowler/providers/azure/services/defender/defender_assessments_vm_endpoint_protection_installed/defender_assessments_vm_endpoint_protection_installed.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_attack_path_notifications_properly_configured/defender_attack_path_notifications_properly_configured.metadata.json +19 -13
- prowler/providers/azure/services/defender/defender_auto_provisioning_log_analytics_agent_vms_on/defender_auto_provisioning_log_analytics_agent_vms_on.metadata.json +20 -13
- prowler/providers/azure/services/defender/defender_auto_provisioning_vulnerabilty_assessments_machines_on/defender_auto_provisioning_vulnerabilty_assessments_machines_on.metadata.json +19 -12
- prowler/providers/azure/services/defender/defender_container_images_resolved_vulnerabilities/defender_container_images_resolved_vulnerabilities.metadata.json +20 -12
- prowler/providers/azure/services/defender/defender_container_images_scan_enabled/defender_container_images_scan_enabled.metadata.json +22 -13
- prowler/providers/azure/services/defender/defender_ensure_defender_for_app_services_is_on/defender_ensure_defender_for_app_services_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_arm_is_on/defender_ensure_defender_for_arm_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_azure_sql_databases_is_on/defender_ensure_defender_for_azure_sql_databases_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_containers_is_on/defender_ensure_defender_for_containers_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_cosmosdb_is_on/defender_ensure_defender_for_cosmosdb_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_databases_is_on/defender_ensure_defender_for_databases_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_dns_is_on/defender_ensure_defender_for_dns_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_keyvault_is_on/defender_ensure_defender_for_keyvault_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_os_relational_databases_is_on/defender_ensure_defender_for_os_relational_databases_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_server_is_on/defender_ensure_defender_for_server_is_on.metadata.json +19 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_sql_servers_is_on/defender_ensure_defender_for_sql_servers_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_defender_for_storage_is_on/defender_ensure_defender_for_storage_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_iot_hub_defender_is_on/defender_ensure_iot_hub_defender_is_on.metadata.json +17 -11
- prowler/providers/azure/services/defender/defender_ensure_mcas_is_enabled/defender_ensure_mcas_is_enabled.metadata.json +20 -12
- prowler/providers/azure/services/defender/defender_ensure_notify_alerts_severity_is_high/defender_ensure_notify_alerts_severity_is_high.metadata.json +19 -12
- prowler/providers/azure/services/defender/defender_ensure_notify_emails_to_owners/defender_ensure_notify_emails_to_owners.metadata.json +19 -12
- prowler/providers/azure/services/defender/defender_ensure_system_updates_are_applied/defender_ensure_system_updates_are_applied.metadata.json +17 -9
- prowler/providers/azure/services/defender/defender_ensure_wdatp_is_enabled/defender_ensure_wdatp_is_enabled.metadata.json +21 -13
- prowler/providers/azure/services/entra/entra_service.py +3 -11
- prowler/providers/azure/services/entra/entra_user_with_vm_access_has_mfa/entra_user_with_vm_access_has_mfa.py +6 -0
- prowler/providers/azure/services/iam/iam_custom_role_has_permissions_to_administer_resource_locks/iam_custom_role_has_permissions_to_administer_resource_locks.metadata.json +19 -13
- prowler/providers/azure/services/iam/iam_role_user_access_admin_restricted/iam_role_user_access_admin_restricted.metadata.json +16 -10
- prowler/providers/azure/services/iam/iam_subscription_roles_owner_custom_not_created/iam_subscription_roles_owner_custom_not_created.metadata.json +18 -12
- prowler/providers/azure/services/keyvault/keyvault_rbac_secret_expiration_set/keyvault_rbac_secret_expiration_set.py +10 -11
- prowler/providers/azure/services/keyvault/keyvault_service.py +164 -81
- prowler/providers/azure/services/mysql/mysql_flexible_server_audit_log_connection_activated/mysql_flexible_server_audit_log_connection_activated.metadata.json +18 -12
- prowler/providers/azure/services/mysql/mysql_flexible_server_audit_log_enabled/mysql_flexible_server_audit_log_enabled.metadata.json +19 -12
- prowler/providers/azure/services/mysql/mysql_flexible_server_minimum_tls_version_12/mysql_flexible_server_minimum_tls_version_12.metadata.json +18 -12
- prowler/providers/azure/services/mysql/mysql_flexible_server_ssl_connection_enabled/mysql_flexible_server_ssl_connection_enabled.metadata.json +19 -12
- prowler/providers/azure/services/network/network_bastion_host_exists/network_bastion_host_exists.metadata.json +21 -12
- prowler/providers/azure/services/network/network_flow_log_captured_sent/network_flow_log_captured_sent.metadata.json +19 -12
- prowler/providers/azure/services/network/network_flow_log_more_than_90_days/network_flow_log_more_than_90_days.metadata.json +21 -12
- prowler/providers/azure/services/network/network_http_internet_access_restricted/network_http_internet_access_restricted.metadata.json +18 -12
- prowler/providers/azure/services/network/network_public_ip_shodan/network_public_ip_shodan.metadata.json +15 -10
- prowler/providers/azure/services/network/network_rdp_internet_access_restricted/network_rdp_internet_access_restricted.metadata.json +20 -12
- prowler/providers/azure/services/network/network_ssh_internet_access_restricted/network_ssh_internet_access_restricted.metadata.json +19 -12
- prowler/providers/azure/services/network/network_udp_internet_access_restricted/network_udp_internet_access_restricted.metadata.json +19 -12
- prowler/providers/azure/services/network/network_watcher_enabled/network_watcher_enabled.metadata.json +21 -13
- prowler/providers/azure/services/policy/policy_ensure_asc_enforcement_enabled/policy_ensure_asc_enforcement_enabled.metadata.json +16 -11
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_allow_access_services_disabled/postgresql_flexible_server_allow_access_services_disabled.metadata.json +20 -13
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_connection_throttling_on/postgresql_flexible_server_connection_throttling_on.metadata.json +18 -12
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_enforce_ssl_enabled/postgresql_flexible_server_enforce_ssl_enabled.metadata.json +19 -13
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/postgresql_flexible_server_entra_id_authentication_enabled.metadata.json +4 -4
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_checkpoints_on/postgresql_flexible_server_log_checkpoints_on.metadata.json +19 -13
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_connections_on/postgresql_flexible_server_log_connections_on.metadata.json +18 -11
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_disconnections_on/postgresql_flexible_server_log_disconnections_on.metadata.json +18 -12
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_retention_days_greater_3/postgresql_flexible_server_log_retention_days_greater_3.metadata.json +18 -12
- prowler/providers/azure/services/sqlserver/sqlserver_auditing_enabled/sqlserver_auditing_enabled.metadata.json +20 -13
- prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/sqlserver_auditing_retention_90_days.metadata.json +20 -12
- prowler/providers/azure/services/sqlserver/sqlserver_azuread_administrator_enabled/sqlserver_azuread_administrator_enabled.metadata.json +18 -12
- prowler/providers/azure/services/sqlserver/sqlserver_microsoft_defender_enabled/sqlserver_microsoft_defender_enabled.metadata.json +23 -13
- prowler/providers/azure/services/sqlserver/sqlserver_recommended_minimal_tls_version/sqlserver_recommended_minimal_tls_version.metadata.json +19 -12
- prowler/providers/azure/services/sqlserver/sqlserver_tde_encrypted_with_cmk/sqlserver_tde_encrypted_with_cmk.metadata.json +20 -13
- prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled.metadata.json +20 -13
- prowler/providers/azure/services/sqlserver/sqlserver_unrestricted_inbound_access/sqlserver_unrestricted_inbound_access.metadata.json +18 -12
- prowler/providers/azure/services/sqlserver/sqlserver_va_emails_notifications_admins_enabled/sqlserver_va_emails_notifications_admins_enabled.metadata.json +19 -12
- prowler/providers/azure/services/sqlserver/sqlserver_va_periodic_recurring_scans_enabled/sqlserver_va_periodic_recurring_scans_enabled.metadata.json +19 -12
- prowler/providers/azure/services/sqlserver/sqlserver_va_scan_reports_configured/sqlserver_va_scan_reports_configured.metadata.json +18 -12
- prowler/providers/azure/services/sqlserver/sqlserver_vulnerability_assessment_enabled/sqlserver_vulnerability_assessment_enabled.metadata.json +19 -12
- prowler/providers/azure/services/storage/storage_account_key_access_disabled/storage_account_key_access_disabled.metadata.json +17 -12
- prowler/providers/azure/services/storage/storage_blob_public_access_level_is_disabled/storage_blob_public_access_level_is_disabled.metadata.json +18 -12
- prowler/providers/azure/services/storage/storage_blob_versioning_is_enabled/storage_blob_versioning_is_enabled.metadata.json +19 -11
- prowler/providers/azure/services/storage/storage_cross_tenant_replication_disabled/storage_cross_tenant_replication_disabled.metadata.json +19 -13
- prowler/providers/azure/services/storage/storage_default_network_access_rule_is_denied/storage_default_network_access_rule_is_denied.metadata.json +19 -12
- prowler/providers/azure/services/storage/storage_default_to_entra_authorization_enabled/storage_default_to_entra_authorization_enabled.metadata.json +20 -13
- prowler/providers/azure/services/storage/storage_ensure_azure_services_are_trusted_to_access_is_enabled/storage_ensure_azure_services_are_trusted_to_access_is_enabled.metadata.json +17 -10
- prowler/providers/azure/services/storage/storage_ensure_encryption_with_customer_managed_keys/storage_ensure_encryption_with_customer_managed_keys.metadata.json +15 -10
- prowler/providers/azure/services/storage/storage_ensure_file_shares_soft_delete_is_enabled/storage_ensure_file_shares_soft_delete_is_enabled.metadata.json +18 -12
- prowler/providers/azure/services/storage/storage_ensure_minimum_tls_version_12/storage_ensure_minimum_tls_version_12.metadata.json +14 -10
- prowler/providers/azure/services/storage/storage_ensure_private_endpoints_in_storage_accounts/storage_ensure_private_endpoints_in_storage_accounts.metadata.json +19 -11
- prowler/providers/azure/services/storage/storage_ensure_soft_delete_is_enabled/storage_ensure_soft_delete_is_enabled.metadata.json +17 -12
- prowler/providers/azure/services/storage/storage_geo_redundant_enabled/storage_geo_redundant_enabled.metadata.json +19 -12
- prowler/providers/azure/services/storage/storage_infrastructure_encryption_is_enabled/storage_infrastructure_encryption_is_enabled.metadata.json +13 -9
- prowler/providers/azure/services/storage/storage_key_rotation_90_days/storage_key_rotation_90_days.metadata.json +17 -12
- prowler/providers/azure/services/storage/storage_secure_transfer_required_is_enabled/storage_secure_transfer_required_is_enabled.metadata.json +15 -11
- prowler/providers/azure/services/storage/storage_smb_channel_encryption_with_secure_algorithm/storage_smb_channel_encryption_with_secure_algorithm.metadata.json +19 -12
- prowler/providers/azure/services/storage/storage_smb_protocol_version_is_latest/storage_smb_protocol_version_is_latest.metadata.json +19 -13
- prowler/providers/cloudflare/cloudflare_provider.py +95 -12
- prowler/providers/cloudflare/lib/arguments/arguments.py +7 -0
- prowler/providers/cloudflare/services/dns/dns_record_cname_target_valid/__init__.py +0 -0
- prowler/providers/cloudflare/services/dns/dns_record_cname_target_valid/dns_record_cname_target_valid.metadata.json +36 -0
- prowler/providers/cloudflare/services/dns/dns_record_cname_target_valid/dns_record_cname_target_valid.py +109 -0
- prowler/providers/cloudflare/services/dns/dns_record_no_internal_ip/__init__.py +0 -0
- prowler/providers/cloudflare/services/dns/dns_record_no_internal_ip/dns_record_no_internal_ip.metadata.json +36 -0
- prowler/providers/cloudflare/services/dns/dns_record_no_internal_ip/dns_record_no_internal_ip.py +73 -0
- prowler/providers/cloudflare/services/dns/dns_record_no_wildcard/__init__.py +0 -0
- prowler/providers/cloudflare/services/dns/dns_record_no_wildcard/dns_record_no_wildcard.metadata.json +36 -0
- prowler/providers/cloudflare/services/dns/dns_record_no_wildcard/dns_record_no_wildcard.py +60 -0
- prowler/providers/cloudflare/services/dns/dns_record_proxied/__init__.py +0 -0
- prowler/providers/cloudflare/services/dns/dns_record_proxied/dns_record_proxied.metadata.json +36 -0
- prowler/providers/cloudflare/services/dns/dns_record_proxied/dns_record_proxied.py +49 -0
- prowler/providers/cloudflare/services/dns/dns_service.py +52 -6
- prowler/providers/cloudflare/services/firewall/__init__.py +0 -0
- prowler/providers/cloudflare/services/firewall/firewall_client.py +4 -0
- prowler/providers/cloudflare/services/firewall/firewall_service.py +123 -0
- prowler/providers/cloudflare/services/zone/zone_firewall_blocking_rules_configured/__init__.py +0 -0
- prowler/providers/cloudflare/services/zone/zone_firewall_blocking_rules_configured/zone_firewall_blocking_rules_configured.metadata.json +36 -0
- prowler/providers/cloudflare/services/zone/zone_firewall_blocking_rules_configured/zone_firewall_blocking_rules_configured.py +53 -0
- prowler/providers/cloudflare/services/zone/zone_service.py +133 -1
- prowler/providers/cloudflare/services/zone/zone_waf_owasp_ruleset_enabled/__init__.py +0 -0
- prowler/providers/cloudflare/services/zone/zone_waf_owasp_ruleset_enabled/zone_waf_owasp_ruleset_enabled.metadata.json +36 -0
- prowler/providers/cloudflare/services/zone/zone_waf_owasp_ruleset_enabled/zone_waf_owasp_ruleset_enabled.py +58 -0
- prowler/providers/common/provider.py +23 -0
- prowler/providers/gcp/services/compute/compute_instance_suspended_without_persistent_disks/__init__.py +0 -0
- prowler/providers/gcp/services/compute/compute_instance_suspended_without_persistent_disks/compute_instance_suspended_without_persistent_disks.metadata.json +37 -0
- prowler/providers/gcp/services/compute/compute_instance_suspended_without_persistent_disks/compute_instance_suspended_without_persistent_disks.py +35 -0
- prowler/providers/gcp/services/compute/compute_service.py +2 -0
- prowler/providers/m365/lib/powershell/m365_powershell.py +47 -1
- prowler/providers/m365/services/defender/defender_service.py +52 -0
- prowler/providers/m365/services/defender/defender_zap_for_teams_enabled/__init__.py +0 -0
- prowler/providers/m365/services/defender/defender_zap_for_teams_enabled/defender_zap_for_teams_enabled.metadata.json +38 -0
- prowler/providers/m365/services/defender/defender_zap_for_teams_enabled/defender_zap_for_teams_enabled.py +53 -0
- prowler/providers/m365/services/exchange/exchange_service.py +78 -0
- prowler/providers/m365/services/exchange/exchange_shared_mailbox_sign_in_disabled/__init__.py +0 -0
- prowler/providers/m365/services/exchange/exchange_shared_mailbox_sign_in_disabled/exchange_shared_mailbox_sign_in_disabled.metadata.json +37 -0
- prowler/providers/m365/services/exchange/exchange_shared_mailbox_sign_in_disabled/exchange_shared_mailbox_sign_in_disabled.py +59 -0
- prowler/providers/openstack/__init__.py +0 -0
- prowler/providers/openstack/exceptions/__init__.py +0 -0
- prowler/providers/openstack/exceptions/exceptions.py +166 -0
- prowler/providers/openstack/lib/__init__.py +0 -0
- prowler/providers/openstack/lib/arguments/__init__.py +0 -0
- prowler/providers/openstack/lib/arguments/arguments.py +113 -0
- prowler/providers/openstack/lib/mutelist/__init__.py +0 -0
- prowler/providers/openstack/lib/mutelist/mutelist.py +31 -0
- prowler/providers/openstack/lib/service/__init__.py +0 -0
- prowler/providers/openstack/lib/service/service.py +21 -0
- prowler/providers/openstack/models.py +100 -0
- prowler/providers/openstack/openstack_provider.py +515 -0
- prowler/providers/openstack/services/__init__.py +0 -0
- prowler/providers/openstack/services/compute/__init__.py +0 -0
- prowler/providers/openstack/services/compute/compute_client.py +4 -0
- prowler/providers/openstack/services/compute/compute_instance_security_groups_attached/__init__.py +0 -0
- prowler/providers/openstack/services/compute/compute_instance_security_groups_attached/compute_instance_security_groups_attached.metadata.json +40 -0
- prowler/providers/openstack/services/compute/compute_instance_security_groups_attached/compute_instance_security_groups_attached.py +35 -0
- prowler/providers/openstack/services/compute/compute_service.py +63 -0
- {prowler-5.17.1.dist-info → prowler-5.18.0.dist-info}/METADATA +11 -9
- {prowler-5.17.1.dist-info → prowler-5.18.0.dist-info}/RECORD +219 -155
- {prowler-5.17.1.dist-info → prowler-5.18.0.dist-info}/LICENSE +0 -0
- {prowler-5.17.1.dist-info → prowler-5.18.0.dist-info}/WHEEL +0 -0
- {prowler-5.17.1.dist-info → prowler-5.18.0.dist-info}/entry_points.txt +0 -0
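--- a/prowler/providers/azure/services/defender/defender_ensure_mcas_is_enabled/defender_ensure_mcas_is_enabled.metadata.json
+++ b/prowler/providers/azure/services/defender/defender_ensure_mcas_is_enabled/defender_ensure_mcas_is_enabled.metadata.json
@@ -1,30 +1,38 @@
 {
 "Provider": "azure",
 "CheckID": "defender_ensure_mcas_is_enabled",
-"CheckTitle": "
+"CheckTitle": "Defender for Cloud Apps is enabled",
 "CheckType": [],
 "ServiceName": "defender",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "medium",
-"ResourceType": "
+"ResourceType": "microsoft.security/pricings",
 "ResourceGroup": "security",
-"Description": "
-"Risk": "
-"RelatedUrl": "
+"Description": "**Subscription settings** contain the `MCAS` integration for **Microsoft Defender for Cloud Apps**, and the setting is `enabled`.",
+"Risk": "Missing integration leaves **Defender for Cloud** blind to SaaS context, weakening correlation of control-plane activity with app usage. Attackers can hide data exfiltration via cloud apps, abuse OAuth grants, or mask unauthorized ARM changes-impacting confidentiality and integrity and slowing incident response.",
+"RelatedUrl": "",
+"AdditionalURLs": [
+"https://learn.microsoft.com/en-in/azure/defender-for-cloud/defender-for-cloud-introduction#secure-cloud-applications",
+"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/defender-cloud-apps-integration.html#",
+"https://learn.microsoft.com/en-us/answers/questions/2045272/integrating-microsoft-defender-for-cloud-apps-with"
+],
 "Remediation": {
 "Code": {
-"CLI": "",
-"NativeIaC": "",
-"Other": "
-"Terraform": ""
+"CLI": "az rest --method PUT --uri https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Security/settings/MCAS?api-version=2021-06-01 --body '{\"properties\":{\"enabled\":true}}'",
+"NativeIaC": "```bicep\n// Enable Microsoft Defender for Cloud Apps (MCAS) at subscription scope\ntargetScope = 'subscription'\n\nresource mcas 'Microsoft.Security/settings@2021-06-01' = {\n name: 'MCAS'\n properties: {\n enabled: true // Critical: turns on MCAS integration for the subscription\n }\n}\n```",
+"Other": "1. In the Azure portal, open Microsoft Defender for Cloud\n2. Go to Environment settings and select your subscription\n3. Open Settings & monitoring (or Integrations)\n4. Turn on \"Allow Microsoft Defender for Cloud Apps to access my data\"\n5. Click Save",
+"Terraform": "```hcl\n# Enable Microsoft Defender for Cloud Apps (MCAS)\nresource \"azurerm_security_center_setting\" \"example\" {\n setting_name = \"MCAS\"\n enabled = true # Critical: enables MCAS integration for the subscription\n}\n```"
 },
 "Recommendation": {
-"Text": "
-"Url": "https://
+"Text": "Enable and keep the `MCAS` integration consistent across subscriptions.\n- Apply **least privilege** to integration roles and data access\n- Use policy to enforce the setting and prevent drift\n- Practice **defense in depth** by correlating SaaS and cloud signals\n- Review licensing and validate alert coverage regularly",
+"Url": "https://hub.prowler.com/check/defender_ensure_mcas_is_enabled"
 }
 },
-"Categories": [
+"Categories": [
+"logging",
+"forensics-ready"
+],
 "DependsOn": [],
 "RelatedTo": [],
 "Notes": "Microsoft Defender for Cloud Apps works with Standard pricing tier Subscription. Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource."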
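Review bot: `"ResourceType": "microsoft.security/pricings"` does not agree with what the remediation in the same hunk configures: the CLI, Bicep and Terraform entries all write the `Microsoft.Security/settings/MCAS` resource, so the finding's resource type would presumably be `microsoft.security/settings` unless the check really reports on the pricing tier; confirm against the check implementation before this metadata ships, since ResourceType drives how findings are grouped in outputs. The unchanged `Notes` line about the Standard pricing tier may be where the pricings value came from. The `az rest` PUT body for a `Microsoft.Security/settings` resource may also need a `kind` property to be accepted by that API version; worth a quick check against the linked reference. In the Risk text, `ARM changes-impacting` reads as a stray hyphen; `ARM changes, impacting` is probably intended.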
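--- a/prowler/providers/azure/services/defender/defender_ensure_notify_alerts_severity_is_high/defender_ensure_notify_alerts_severity_is_high.metadata.json
+++ b/prowler/providers/azure/services/defender/defender_ensure_notify_alerts_severity_is_high/defender_ensure_notify_alerts_severity_is_high.metadata.json
@@ -1,30 +1,37 @@
 {
 "Provider": "azure",
 "CheckID": "defender_ensure_notify_alerts_severity_is_high",
-"CheckTitle": "
+"CheckTitle": "Security contact has alert notifications enabled with minimum severity High or lower",
 "CheckType": [],
 "ServiceName": "defender",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
-"ResourceType": "
+"ResourceType": "microsoft.resources/subscriptions",
 "ResourceGroup": "monitoring",
-"Description": "Microsoft Defender for Cloud
-"Risk": "
-"RelatedUrl": "
+"Description": "**Microsoft Defender for Cloud** email notifications use a minimum alert severity of `High` or more inclusive (`Medium`/`Low`). The evaluation inspects security contacts to confirm a threshold is defined and not `Critical`.",
+"Risk": "Setting the threshold to `Critical` or leaving it unset limits alerting, causing **delayed detection** of `High`/`Medium` threats. Attackers can persist, escalate privileges, and exfiltrate data, impacting **confidentiality**, **integrity**, and **availability** via ransomware or service disruption.",
+"RelatedUrl": "",
+"AdditionalURLs": [
+"https://learn.microsoft.com/en-us/azure/defender-for-cloud/configure-email-notifications",
+"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/enable-high-severity-email-notifications.html",
+"https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list"
+],
 "Remediation": {
 "Code": {
-"CLI": "",
-"NativeIaC": "",
-"Other": "
-"Terraform": "
+"CLI": "az rest --method PUT --url \"https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Security/securityContacts/default?api-version=2023-12-01-preview\" --body '{\"properties\":{\"emails\":\"<EMAIL>\",\"isEnabled\":true,\"notificationsSources\":[{\"sourceType\":\"Alert\",\"minimalSeverity\":\"High\"}]}}'",
+"NativeIaC": "```bicep\ntargetScope = 'subscription'\n\nresource contact 'Microsoft.Security/securityContacts@2023-12-01-preview' = {\n name: '<example_resource_name>'\n properties: {\n emails: '<EMAIL>'\n isEnabled: true\n notificationsSources: [\n {\n sourceType: 'Alert'\n minimalSeverity: 'High' // Critical line: sets minimum alert severity to High to pass the check\n }\n ]\n }\n}\n```",
+"Other": "1. In Azure Portal, go to Defender for Cloud > Environment settings > select your subscription\n2. Open Email notifications\n3. Turn on \"Send email notifications for alerts\"\n4. Set \"Minimum alert severity\" to High (or Medium/Low)\n5. Enter at least one email address\n6. Click Save",
+"Terraform": "```hcl\nresource \"azapi_resource\" \"<example_resource_name>\" {\n type = \"Microsoft.Security/securityContacts@2023-12-01-preview\"\n name = \"<example_resource_name>\"\n parent_id = \"/subscriptions/<SUBSCRIPTION_ID>\"\n\n body = jsonencode({\n properties = {\n emails = \"<EMAIL>\"\n isEnabled = true\n notificationsSources = [\n {\n sourceType = \"Alert\"\n minimalSeverity = \"High\" # Critical line: sets minimum alert severity to High to pass the check\n }\n ]\n }\n })\n}\n```"
 },
 "Recommendation": {
-"Text": "
-"Url": "https://
+"Text": "Configure the minimum alert notification severity to `High` (or `Medium`/`Low`) and send to accountable recipients and RBAC roles. Apply **defense in depth**: route alerts to SIEM, use redundant contacts, and periodically test delivery. Review thresholds regularly to balance noise while avoiding false negatives.",
+"Url": "https://hub.prowler.com/check/defender_ensure_notify_alerts_severity_is_high"
 }
 },
-"Categories": [
+"Categories": [
+"logging"
+],
 "DependsOn": [],
 "RelatedTo": [],
 "Notes": ""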
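Review bot: The Bicep and Terraform remediation snippets name the security contact `<example_resource_name>` while the CLI line in the same hunk, and the Bicep snippet in the following hunk for defender_ensure_notify_emails_to_owners, use `default`; the securityContacts API has historically accepted only the `default` contact name, so the placeholder would likely yield a remediation that fails to deploy or creates a contact the check never reads. Suggest `name: 'default'` in the Bicep resource and `name = "default"` in the azapi resource (keeping the resource label placeholder), with `<SUBSCRIPTION_ID>` and `<EMAIL>` left as the only user-supplied values. Consistency across the three remediation forms matters here because the metadata is what operators copy when closing the finding.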
@@ -1,30 +1,37 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "azure",
|
|
3
3
|
"CheckID": "defender_ensure_notify_emails_to_owners",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "Security contact notifications include the Owner role",
|
|
5
5
|
"CheckType": [],
|
|
6
6
|
"ServiceName": "defender",
|
|
7
7
|
"SubServiceName": "",
|
|
8
8
|
"ResourceIdTemplate": "",
|
|
9
9
|
"Severity": "medium",
|
|
10
|
-
"ResourceType": "
|
|
10
|
+
"ResourceType": "microsoft.resources/subscriptions",
|
|
11
11
|
"ResourceGroup": "monitoring",
|
|
12
|
-
"Description": "
|
|
13
|
-
"Risk": "
|
|
14
|
-
"RelatedUrl": "
|
|
12
|
+
"Description": "**Microsoft Defender for Cloud** email notifications target subscription users in the `Owner` role through role-based recipients.",
|
|
13
|
+
"Risk": "Without notifying **Owners**, critical alerts can be missed, delaying incident response. Attackers gain longer dwell time for data exfiltration, privilege abuse, and service disruption, undermining **confidentiality**, **integrity**, and **availability**.",
|
|
14
|
+
"RelatedUrl": "",
|
|
15
|
+
"AdditionalURLs": [
|
|
16
|
+
"https://learn.microsoft.com/en-us/rest/api/defenderforcloud/security-contacts/list?view=rest-defenderforcloud-2023-12-01-preview&tabs=HTTP",
|
|
17
|
+
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/email-to-subscription-owners.html",
|
|
18
|
+
"https://learn.microsoft.com/en-us/azure/defender-for-cloud/configure-email-notifications"
|
|
19
|
+
],
|
|
15
20
|
"Remediation": {
|
|
16
21
|
"Code": {
|
|
17
|
-
"CLI": "",
|
|
18
|
-
"NativeIaC": "",
|
|
19
|
-
"Other": "
|
|
20
|
-
"Terraform": ""
|
|
22
|
+
"CLI": "az security contact create --name default --email <EMAIL> --alerts-admins On",
|
|
23
|
+
"NativeIaC": "```bicep\n// Enable Defender for Cloud notifications to the Owner role\nresource contact 'Microsoft.Security/securityContacts@2023-12-01-preview' = {\n name: 'default'\n properties: {\n emails: '<email@example.com>'\n notificationsByRole: {\n state: 'On' // CRITICAL: Turn on role-based notifications\n roles: [ 'Owner' ] // CRITICAL: Ensure the Owner role is notified\n }\n }\n}\n```",
|
|
24
|
+
"Other": "1. In the Azure portal, go to Microsoft Defender for Cloud\n2. Select Environment settings > choose the target subscription\n3. Open Email notifications\n4. Enable \"Send email notifications to users with the following roles\"\n5. Select the role: Owner\n6. Click Save",
|
|
25
|
+
"Terraform": "```hcl\n# Enable notifications to subscription owners (Owner role)\nresource \"azurerm_security_center_contact\" \"<example_resource_name>\" {\n email = \"<email@example.com>\"\n alert_notifications = true\n alerts_to_admins = true # CRITICAL: Notifies users with the Owner role\n}\n```"
|
|
21
26
|
},
|
|
22
27
|
"Recommendation": {
|
|
23
|
-
"Text": "
|
|
24
|
-
"Url": "https://
|
|
28
|
+
"Text": "Enable role-based notifications to the `Owner` role and use monitored, up-to-date distribution lists. Add secondary recipients (SOC/security admins) for redundancy, tune thresholds to reduce noise, and integrate with SIEM/automation. Apply **defense in depth** and **least privilege** for alert dissemination.",
|
|
29
|
+
"Url": "https://hub.prowler.com/check/defender_ensure_notify_emails_to_owners"
|
|
25
30
|
}
|
|
26
31
|
},
|
|
27
|
-
"Categories": [
|
|
32
|
+
"Categories": [
|
|
33
|
+
"identity-access"
|
|
34
|
+
],
|
|
28
35
|
"DependsOn": [],
|
|
29
36
|
"RelatedTo": [],
|
|
30
37
|
"Notes": ""
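Review bot: The `NativeIaC` snippet declares `Microsoft.Security/securityContacts@2023-12-01-preview` without `targetScope = 'subscription'` and without `isEnabled: true`, whereas the sibling snippet for the same resource type in this diff (the alert-severity check) sets both; if the contact's notification state defaults to off, `notificationsByRole` alone may not deliver any mail, so I'd confirm the schema default and add `isEnabled: true` next to `notificationsByRole`. The `CLI` line relies on the legacy `az security contact create ... --alerts-admins On` form while the Bicep and Terraform snippets target the newer API; worth verifying that flag still exists in the current CLI extension or switching to the same `az rest` PUT the severity check uses. `Categories` is `identity-access` here while the sibling notification check is tagged `logging`; one of the two looks inconsistent for what is the same control surface.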
|
|
@@ -1,30 +1,38 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "azure",
|
|
3
3
|
"CheckID": "defender_ensure_system_updates_are_applied",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "All virtual machines in the subscription have system updates applied",
|
|
5
5
|
"CheckType": [],
|
|
6
6
|
"ServiceName": "defender",
|
|
7
7
|
"SubServiceName": "",
|
|
8
8
|
"ResourceIdTemplate": "",
|
|
9
9
|
"Severity": "high",
|
|
10
|
-
"ResourceType": "
|
|
10
|
+
"ResourceType": "microsoft.compute/virtualmachines",
|
|
11
11
|
"ResourceGroup": "security",
|
|
12
|
-
"Description": "
|
|
13
|
-
"Risk": "
|
|
14
|
-
"RelatedUrl": "
|
|
12
|
+
"Description": "**Azure VMs** are evaluated for:\n- Presence of a monitoring agent\n- Periodic checks for missing updates\n- Installation of the latest **security and critical OS updates** on Windows and Linux",
|
|
13
|
+
"Risk": "Unpatched VMs are exposed to **known exploits** (RCE, privilege escalation), enabling **initial access** and **lateral movement**. This endangers **confidentiality** (data theft), **integrity** (tampering), and **availability** (ransomware, outages). Lapses in periodic assessment prolong exposure to critical vulnerabilities.",
|
|
14
|
+
"RelatedUrl": "",
|
|
15
|
+
"AdditionalURLs": [
|
|
16
|
+
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/VirtualMachines/apply-latest-os-patches.html",
|
|
17
|
+
"https://learn.microsoft.com/en-us/azure/virtual-machines/updates-maintenance-overview",
|
|
18
|
+
"https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities"
|
|
19
|
+
],
|
|
15
20
|
"Remediation": {
|
|
16
21
|
"Code": {
|
|
17
22
|
"CLI": "",
|
|
18
23
|
"NativeIaC": "",
|
|
19
|
-
"Other": "
|
|
24
|
+
"Other": "1. In the Azure portal, go to Microsoft Defender for Cloud > Recommendations\n2. Search for \"Log Analytics agent should be installed on virtual machines\"\n - Select affected VMs > Fix > choose a Log Analytics workspace > Apply\n3. Search for \"Machines should be configured to periodically check for missing system updates\"\n - Select affected VMs > Fix > Apply\n4. Search for \"System updates should be installed on your machines\" (may show as powered by Azure Update Manager)\n - Select affected VMs > Fix > Install updates now (or One-time update) > Install\n5. Wait for installation to complete, then verify all three recommendations show Healthy for the subscription",
|
|
20
25
|
"Terraform": ""
|
|
21
26
|
},
|
|
22
27
|
"Recommendation": {
|
|
23
|
-
"Text": "
|
|
24
|
-
"Url": "https://
|
|
28
|
+
"Text": "Adopt **automated patching** for all VMs:\n- Schedule recurring assessments\n- Deploy security/critical updates promptly using maintenance windows and rings\n- Ensure a supported update/monitoring agent\n- Enforce risk-based SLAs, test in stages, keep backups, and use **least privilege** for patch tools",
|
|
29
|
+
"Url": "https://hub.prowler.com/check/defender_ensure_system_updates_are_applied"
|
|
25
30
|
}
|
|
26
31
|
},
|
|
27
|
-
"Categories": [
|
|
32
|
+
"Categories": [
|
|
33
|
+
"vulnerabilities",
|
|
34
|
+
"logging"
|
|
35
|
+
],
|
|
28
36
|
"DependsOn": [],
|
|
29
37
|
"RelatedTo": [],
|
|
30
38
|
"Notes": "Running Microsoft Defender for Cloud incurs additional charges for each resource monitored. Please see attached reference for exact charges per hour."
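Review bot: Step 2 of the `Other` remediation directs users to install the Log Analytics agent, but as far as I know Microsoft has retired that agent in favor of Azure Monitor Agent and agentless scanning, so the recommendation named there may no longer appear in Defender for Cloud; please verify the current recommendation titles and point step 2 at the replacement (the step-4 wording "may show as powered by Azure Update Manager" already acknowledges that these names drift). The `Notes` field says "Please see attached reference for exact charges per hour", yet `RelatedUrl` is empty and none of the `AdditionalURLs` is a pricing page, so the sentence dangles; either link the Defender for Cloud pricing page or drop the reference.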
|
|
@@ -1,30 +1,38 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "azure",
|
|
3
3
|
"CheckID": "defender_ensure_wdatp_is_enabled",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "Defender for Endpoint is enabled",
|
|
5
5
|
"CheckType": [],
|
|
6
6
|
"ServiceName": "defender",
|
|
7
7
|
"SubServiceName": "",
|
|
8
8
|
"ResourceIdTemplate": "",
|
|
9
|
-
"Severity": "
|
|
10
|
-
"ResourceType": "
|
|
9
|
+
"Severity": "high",
|
|
10
|
+
"ResourceType": "microsoft.security/integrations",
|
|
11
11
|
"ResourceGroup": "security",
|
|
12
|
-
"Description": "
|
|
13
|
-
"Risk": "
|
|
14
|
-
"RelatedUrl": "
|
|
12
|
+
"Description": "**Azure subscription** integrates **Microsoft Defender for Endpoint** with **Defender for Cloud** via `WDATP`. The setting's presence and enabled state at the subscription scope are evaluated.",
|
|
13
|
+
"Risk": "Without this integration, servers lack **EDR telemetry**, automated onboarding, and unified alerts, shrinking visibility. Hands-on-keyboard intrusions, ransomware, and credential theft can persist unnoticed, enabling data exfiltration (**confidentiality**), unauthorized changes (**integrity**), and outages (**availability**).",
|
|
14
|
+
"RelatedUrl": "",
|
|
15
|
+
"AdditionalURLs": [
|
|
16
|
+
"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/azure-server-integration?view=o365-worldwide",
|
|
17
|
+
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/defender-endpoint-integration.html",
|
|
18
|
+
"https://learn.microsoft.com/en-in/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows"
|
|
19
|
+
],
|
|
15
20
|
"Remediation": {
|
|
16
21
|
"Code": {
|
|
17
|
-
"CLI": "",
|
|
18
|
-
"NativeIaC": "",
|
|
19
|
-
"Other": "
|
|
20
|
-
"Terraform": ""
|
|
22
|
+
"CLI": "az rest --method put --uri https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Security/settings/WDATP?api-version=2019-01-01 --body '{\"properties\":{\"isEnabled\":true}}'",
|
|
23
|
+
"NativeIaC": "```bicep\n// Enable Microsoft Defender for Endpoint (WDATP) integration at subscription scope\nresource <example_resource_name> 'Microsoft.Security/settings@2019-01-01' = {\n name: 'WDATP'\n properties: {\n isEnabled: true // Critical: turns on the WDATP (Defender for Endpoint) integration\n }\n}\n```",
|
|
24
|
+
"Other": "1. In Azure Portal, go to Microsoft Defender for Cloud\n2. Select Environment settings > choose your subscription\n3. Open Settings (or Integrations)\n4. Find Microsoft Defender for Endpoint (WDATP) integration\n5. Toggle On and Save",
|
|
25
|
+
"Terraform": "```hcl\n# Enable Microsoft Defender for Endpoint (WDATP) integration\nresource \"azurerm_security_center_setting\" \"<example_resource_name>\" {\n setting_name = \"WDATP\"\n enabled = true # Critical: turns on WDATP integration\n}\n```"
|
|
21
26
|
},
|
|
22
27
|
"Recommendation": {
|
|
23
|
-
"Text": "",
|
|
24
|
-
"Url": "https://
|
|
28
|
+
"Text": "Enable the **Defender for Endpoint** integration in **Defender for Cloud** at the subscription scope and ensure agents are deployed on supported machines.\n\n- Apply **least privilege** to onboarding roles\n- Centralize alerting and response\n- Use **defense in depth** with hardening and network controls to reduce attack surface",
|
|
29
|
+
"Url": "https://hub.prowler.com/check/defender_ensure_wdatp_is_enabled"
|
|
25
30
|
}
|
|
26
31
|
},
|
|
27
|
-
"Categories": [
|
|
32
|
+
"Categories": [
|
|
33
|
+
"vulnerabilities",
|
|
34
|
+
"forensics-ready"
|
|
35
|
+
],
|
|
28
36
|
"DependsOn": [],
|
|
29
37
|
"RelatedTo": [],
|
|
30
38
|
"Notes": "Microsoft Defender for Endpoint works with Standard pricing tier Subscription. Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource."
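Review bot: The `CLI` and `NativeIaC` snippets write `{"properties":{"isEnabled":true}}` to `Microsoft.Security/settings/WDATP`, but as far as I recall that resource is a discriminated type whose PUT body needs `"kind": "DataExportSettings"` and exposes the flag as `properties.enabled`, which is also what the Terraform snippet's `enabled = true` corresponds to; if so, the `az rest` call is rejected or the flag is silently ignored. Please confirm against the Settings REST reference and, if confirmed, change the body to `'{"kind":"DataExportSettings","properties":{"enabled":true}}'` and the Bicep resource to `kind: 'DataExportSettings'` with `properties: { enabled: true }`. `ResourceType` is `microsoft.security/integrations` while every remediation snippet targets `microsoft.security/settings`; worth checking which one the finding's resource actually is.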
|
|
@@ -89,17 +89,9 @@ class Entra(AzureService):
|
|
|
89
89
|
users_response = await client.users.with_url(next_link).get()
|
|
90
90
|
|
|
91
91
|
except Exception as error:
|
|
92
|
-
|
|
93
|
-
error.__class__.__name__
|
|
94
|
-
|
|
95
|
-
):
|
|
96
|
-
logger.error(
|
|
97
|
-
"You need 'UserAuthenticationMethod.Read.All' permission to access this information. It only can be granted through Service Principal authentication."
|
|
98
|
-
)
|
|
99
|
-
else:
|
|
100
|
-
logger.error(
|
|
101
|
-
f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
|
|
102
|
-
)
|
|
92
|
+
logger.error(
|
|
93
|
+
f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
|
|
94
|
+
)
|
|
103
95
|
except Exception as error:
|
|
104
96
|
logger.error(
|
|
105
97
|
f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
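Review bot: The replacement `logger.error(...)` drops the only message that told an operator which Graph permission (`UserAuthenticationMethod.Read.All`) is missing and that it can only be granted to a service principal, so a permission failure (presumably a 403 from Graph) now surfaces as a generic class-name line while the loop continues with whatever users were already collected. If the call that needs that permission still lives in this `try` (the enclosing method starts before the hunk), I'd keep the hint, e.g. `logger.error(f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error} - reading authentication methods requires the 'UserAuthenticationMethod.Read.All' Graph permission")`; if that call moved elsewhere, its new location should carry the hint instead. Either way, MFA-related checks will evaluate a partial user set after this error, which deserves a one-line comment above the `except`.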
|
|
@@ -15,6 +15,7 @@ from prowler.providers.azure.services.iam.iam_client import iam_client
|
|
|
15
15
|
class entra_user_with_vm_access_has_mfa(Check):
|
|
16
16
|
def execute(self) -> Check_Report_Azure:
|
|
17
17
|
findings = []
|
|
18
|
+
already_reported = set()
|
|
18
19
|
|
|
19
20
|
for users in entra_client.users.values():
|
|
20
21
|
for user in users.values():
|
|
@@ -22,6 +23,9 @@ class entra_user_with_vm_access_has_mfa(Check):
|
|
|
22
23
|
subscription_name,
|
|
23
24
|
role_assigns,
|
|
24
25
|
) in iam_client.role_assignments.items():
|
|
26
|
+
if (user.id, subscription_name) in already_reported:
|
|
27
|
+
continue
|
|
28
|
+
|
|
25
29
|
for assignment in role_assigns.values():
|
|
26
30
|
if (
|
|
27
31
|
assignment.agent_type == "User"
|
|
@@ -48,5 +52,7 @@ class entra_user_with_vm_access_has_mfa(Check):
|
|
|
48
52
|
report.status_extended = f"User {user.name} can access VMs in subscription {subscription_name} but it has MFA."
|
|
49
53
|
|
|
50
54
|
findings.append(report)
|
|
55
|
+
already_reported.add((user.id, subscription_name))
|
|
56
|
+
break
|
|
51
57
|
|
|
52
58
|
return findings
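Review bot: Two dedup mechanisms were added for the same case: the `break` after `findings.append(report)` already guarantees at most one finding per `(user.id, subscription_name)` within a pass, so the `already_reported` guard at the top of the subscription loop only fires if the same `user.id` is yielded again by the outer `entra_client.users` iteration (the same user present in more than one tenant dict); if that situation is real it deserves a comment, otherwise the set is dead code. I'd add `# one finding per (user, subscription) regardless of how many VM-access assignments the user holds` above the `break`, and either document or remove the set. Stopping at the first matching assignment also means the finding reflects only that assignment; if `report` is built from `assignment` rather than `user` (its construction is outside the hunk), the status text should say which assignment was chosen. `execute` spans all three hunks, with parts of its body outside the view.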
|
|
@@ -1,30 +1,36 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "azure",
|
|
3
3
|
"CheckID": "iam_custom_role_has_permissions_to_administer_resource_locks",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "Custom role has permission to administer resource locks",
|
|
5
5
|
"CheckType": [],
|
|
6
6
|
"ServiceName": "iam",
|
|
7
7
|
"SubServiceName": "",
|
|
8
8
|
"ResourceIdTemplate": "",
|
|
9
|
-
"Severity": "
|
|
10
|
-
"ResourceType": "
|
|
9
|
+
"Severity": "medium",
|
|
10
|
+
"ResourceType": "microsoft.authorization/roledefinitions",
|
|
11
11
|
"ResourceGroup": "IAM",
|
|
12
|
-
"Description": "
|
|
13
|
-
"Risk": "
|
|
14
|
-
"RelatedUrl": "
|
|
12
|
+
"Description": "**Azure custom RBAC roles** include the `Microsoft.Authorization/locks/*` action, indicating permission to administer **management locks** at subscription, resource group, or resource scope.",
|
|
13
|
+
"Risk": "Absent a scoped custom role for `Microsoft.Authorization/locks/*`, lock control falls to broad roles (e.g., Owner), weakening **least privilege**. Locks can be disabled or altered, enabling unauthorized changes or deletion, harming **integrity** and **availability**, and reducing **separation of duties** and accountability.",
|
|
14
|
+
"RelatedUrl": "",
|
|
15
|
+
"AdditionalURLs": [
|
|
16
|
+
"https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json",
|
|
17
|
+
"https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/AccessControl/resource-lock-custom-role.html"
|
|
18
|
+
],
|
|
15
19
|
"Remediation": {
|
|
16
20
|
"Code": {
|
|
17
|
-
"CLI": "",
|
|
18
|
-
"NativeIaC": "",
|
|
19
|
-
"Other": "
|
|
20
|
-
"Terraform": ""
|
|
21
|
+
"CLI": "az role definition create --role-definition '{\"Name\":\"<role_name>\",\"Description\":\"Custom role to administer resource locks\",\"IsCustom\":true,\"Actions\":[\"Microsoft.Authorization/locks/*\"],\"NotActions\":[],\"AssignableScopes\":[\"/subscriptions/<subscription_id>\"]}'",
|
|
22
|
+
"NativeIaC": "```bicep\n// Custom role that can administer resource locks\ntargetScope = 'subscription'\n\nresource roleDef 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {\n name: guid(subscription().id, '<role_name>') // CRITICAL: use GUID for role definition name\n properties: {\n roleName: '<role_name>'\n description: 'Custom role to administer resource locks'\n permissions: [\n {\n actions: [\n 'Microsoft.Authorization/locks/*' // CRITICAL: grants lock administration to pass the check\n ]\n notActions: []\n }\n ]\n assignableScopes: [ subscription().id ]\n }\n}\n```",
|
|
23
|
+
"Other": "1. In the Azure portal, go to the target scope (Subscription or Resource group) and open Access control (IAM)\n2. Click Roles, find your custom role, and select Edit\n3. Go to Permissions > Add permissions\n4. Search for \"Microsoft.Authorization/locks\" and select Microsoft.Authorization/locks/*\n5. Click Add, then Review + save > Save",
|
|
24
|
+
"Terraform": "```hcl\n# Custom role with permission to administer resource locks\nresource \"azurerm_role_definition\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n scope = \"/subscriptions/<example_resource_id>\"\n\n permissions {\n actions = [\n \"Microsoft.Authorization/locks/*\" # CRITICAL: adds lock admin permission to pass the check\n ]\n }\n\n assignable_scopes = [\"/subscriptions/<example_resource_id>\"]\n}\n```"
|
|
21
25
|
},
|
|
22
26
|
"Recommendation": {
|
|
23
|
-
"Text": "
|
|
24
|
-
"Url": "https://
|
|
27
|
+
"Text": "Define a **least-privilege custom role** restricted to `Microsoft.Authorization/locks/*` and assign it to a tightly controlled group at minimal scope. Apply **separation of duties**, use just-in-time elevation, audit lock changes, and avoid broad roles or pipeline identities managing locks. Layer with **defense-in-depth** controls.",
|
|
28
|
+
"Url": "https://hub.prowler.com/check/iam_custom_role_has_permissions_to_administer_resource_locks"
|
|
25
29
|
}
|
|
26
30
|
},
|
|
27
|
-
"Categories": [
|
|
31
|
+
"Categories": [
|
|
32
|
+
"identity-access"
|
|
33
|
+
],
|
|
28
34
|
"DependsOn": [],
|
|
29
35
|
"RelatedTo": [],
|
|
30
36
|
"Notes": ""
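Review bot: The second `AdditionalURLs` entry points at `cloudoneconformity-staging`, a Trend Micro staging host, rather than the production `cloudoneconformity` knowledge base the other checks in this diff link to; shipped metadata should not send users to a staging site, so change the host to `www.trendmicro.com/cloudoneconformity/...` with the same path. The remediation snippets set `AssignableScopes` to the whole subscription while the Recommendation asks for assignment "at minimal scope"; a short comment on the `AssignableScopes` line in the Bicep and Terraform examples noting that a resource-group scope is preferable where locks are only managed there would keep the example consistent with the advice.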
|
|
@@ -1,30 +1,36 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "azure",
|
|
3
3
|
"CheckID": "iam_role_user_access_admin_restricted",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "Role assignment does not grant the User Access Administrator role",
|
|
5
5
|
"CheckType": [],
|
|
6
6
|
"ServiceName": "iam",
|
|
7
7
|
"SubServiceName": "",
|
|
8
8
|
"ResourceIdTemplate": "",
|
|
9
9
|
"Severity": "high",
|
|
10
|
-
"ResourceType": "
|
|
10
|
+
"ResourceType": "microsoft.authorization/roleassignments",
|
|
11
11
|
"ResourceGroup": "IAM",
|
|
12
|
-
"Description": "
|
|
13
|
-
"Risk": "Persistent
|
|
14
|
-
"RelatedUrl": "
|
|
12
|
+
"Description": "**Azure subscription role assignments** granting **User Access Administrator** are identified to surface principals able to manage access (`Azure RBAC`) at that scope.",
|
|
13
|
+
"Risk": "Persistent `User Access Administrator` enables assigning high-privilege roles and reading control-plane data, enabling privilege escalation and unauthorized access. Impact: **confidentiality** (data exposure), **integrity** (unauthorized changes), **availability** (service disruption).",
|
|
14
|
+
"RelatedUrl": "",
|
|
15
|
+
"AdditionalURLs": [
|
|
16
|
+
"https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal%2Centra-audit-logs",
|
|
17
|
+
"https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/privileged#user-access-administrator"
|
|
18
|
+
],
|
|
15
19
|
"Remediation": {
|
|
16
20
|
"Code": {
|
|
17
|
-
"CLI": "az role assignment delete --role
|
|
21
|
+
"CLI": "az role assignment delete --assignee <principal_id_or_upn> --role \"User Access Administrator\" --scope \"/subscriptions/<subscription_id>\"",
|
|
18
22
|
"NativeIaC": "",
|
|
19
|
-
"Other": "",
|
|
23
|
+
"Other": "1. In the Azure portal, go to Subscriptions and select <subscription>.\n2. Open Access control (IAM) > Role assignments.\n3. Filter by Role = User Access Administrator.\n4. Select the assignment(s) and click Remove. Confirm.",
|
|
20
24
|
"Terraform": ""
|
|
21
25
|
},
|
|
22
26
|
"Recommendation": {
|
|
23
|
-
"Text": "
|
|
24
|
-
"Url": "https://
|
|
27
|
+
"Text": "Enforce **least privilege**:\n- Avoid standing `User Access Administrator`; use time-bound, approval-based elevation (PIM)\n- Scope access to only required subscriptions/resource groups\n- Require MFA and monitor role activity\n- Review regularly and remove unused grants",
|
|
28
|
+
"Url": "https://hub.prowler.com/check/iam_role_user_access_admin_restricted"
|
|
25
29
|
}
|
|
26
30
|
},
|
|
27
|
-
"Categories": [
|
|
31
|
+
"Categories": [
|
|
32
|
+
"identity-access"
|
|
33
|
+
],
|
|
28
34
|
"DependsOn": [],
|
|
29
35
|
"RelatedTo": [],
|
|
30
36
|
"Notes": ""
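Review bot: The `CLI` line deletes the User Access Administrator assignment only at `/subscriptions/<subscription_id>`, but an assignment can be inherited from a management group or from root scope after the "elevate access" flow the first AdditionalURL describes, and `az role assignment delete` with that `--scope` will not remove those; the remediation should say to delete at the scope where the assignment was created (`az role assignment list --assignee <principal_id_or_upn> --all` shows it). It should also warn that removing the last principal able to manage RBAC, without a remaining Owner or a PIM-eligible path, leaves the subscription with no one who can fix access. One sentence covering both in `Other` would do.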
|
|
@@ -1,30 +1,36 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "azure",
|
|
3
3
|
"CheckID": "iam_subscription_roles_owner_custom_not_created",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "Custom role is not a subscription owner role",
|
|
5
5
|
"CheckType": [],
|
|
6
6
|
"ServiceName": "iam",
|
|
7
7
|
"SubServiceName": "",
|
|
8
8
|
"ResourceIdTemplate": "",
|
|
9
9
|
"Severity": "high",
|
|
10
|
-
"ResourceType": "
|
|
10
|
+
"ResourceType": "microsoft.authorization/roledefinitions",
|
|
11
11
|
"ResourceGroup": "IAM",
|
|
12
|
-
"Description": "
|
|
13
|
-
"Risk": "
|
|
14
|
-
"RelatedUrl": "
|
|
12
|
+
"Description": "**Azure custom roles** are analyzed for wildcard permissions. Roles that allow `*` in `actions` within their assignable scopes are treated as **owner-equivalent**, granting unrestricted control over subscription resources.",
|
|
13
|
+
"Risk": "Wildcard access grants full administrative control at subscription scope. If abused or compromised, an actor can exfiltrate data, alter configurations, deploy malware, delete resources, and disable logging, impacting confidentiality, integrity, and availability across the subscription.",
|
|
14
|
+
"RelatedUrl": "",
|
|
15
|
+
"AdditionalURLs": [
|
|
16
|
+
"https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles",
|
|
17
|
+
"https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/AccessControl/remove-custom-owner-roles.html"
|
|
18
|
+
],
|
|
15
19
|
"Remediation": {
|
|
16
20
|
"Code": {
|
|
17
|
-
"CLI": "",
|
|
18
|
-
"NativeIaC": "",
|
|
19
|
-
"Other": "
|
|
20
|
-
"Terraform": ""
|
|
21
|
+
"CLI": "az role definition update --role-definition '{\"Name\":\"<example_role_name>\",\"Description\":\"Restricted custom role\",\"Actions\":[\"Microsoft.Resources/subscriptions/resourceGroups/read\"],\"NotActions\":[],\"DataActions\":[],\"NotDataActions\":[],\"AssignableScopes\":[\"/subscriptions/<example_subscription_id>\"]}'",
|
|
22
|
+
"NativeIaC": "```bicep\n// Subscription-scoped deployment to ensure the custom role does not use global \"*\" permissions\ntargetScope = 'subscription'\n\nresource roleDef 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {\n name: guid(subscription().id, '<role_name>') // CRITICAL: use GUID for role definition name\n properties: {\n roleName: '<role_name>'\n description: 'Restricted custom role'\n assignableScopes: [\n subscription().id\n ]\n permissions: [\n {\n actions: [\n 'Microsoft.Resources/subscriptions/resourceGroups/read' // CRITICAL: remove \"*\" and allow only specific actions to avoid owner-equivalent wildcard\n ]\n notActions: []\n dataActions: []\n notDataActions: []\n }\n ]\n }\n}\n```",
|
|
23
|
+
"Other": "1. In the Azure portal, go to Subscriptions > <your subscription> > Access control (IAM)\n2. Select the Roles tab, then open the Custom roles tab\n3. Click the custom role that is failing, then click Edit\n4. In Permissions, remove the action \"*\" (All permissions)\n5. Add only the specific actions required (avoid using \"*\")\n6. Click Save",
|
|
24
|
+
"Terraform": "```hcl\n# Define a custom role without using the global \"*\" action\nresource \"azurerm_role_definition\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n scope = \"/subscriptions/<example_subscription_id>\"\n\n permissions {\n actions = [\"Microsoft.Resources/subscriptions/resourceGroups/read\"] # CRITICAL: do not use \"*\"; specify only required actions\n }\n\n assignable_scopes = [\"/subscriptions/<example_subscription_id>\"]\n}\n```"
|
|
21
25
|
},
|
|
22
26
|
"Recommendation": {
|
|
23
|
-
"Text": "
|
|
24
|
-
"Url": "https://
|
|
27
|
+
"Text": "Avoid owner-equivalent custom roles. Apply **least privilege**: prefer built-in roles, define explicit allowed `actions` (avoid `*`), and limit assignment scope to the minimum needed. Enforce **separation of duties**, require just-in-time elevation, and perform periodic access reviews to prevent privilege creep.",
|
|
28
|
+
"Url": "https://hub.prowler.com/check/iam_subscription_roles_owner_custom_not_created"
|
|
25
29
|
}
|
|
26
30
|
},
|
|
27
|
-
"Categories": [
|
|
31
|
+
"Categories": [
|
|
32
|
+
"identity-access"
|
|
33
|
+
],
|
|
28
34
|
"DependsOn": [],
|
|
29
35
|
"RelatedTo": [],
|
|
30
36
|
"Notes": ""
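Review bot: `az role definition update` replaces the whole definition, so the `CLI` example as written strips every action from the existing role and leaves only `Microsoft.Resources/subscriptions/resourceGroups/read`, which breaks whatever the role was granting; the portal steps correctly say to remove `*` and keep the specific actions required, and the CLI line should say the same (export the current definition with `az role definition list --custom-role-only true --name <example_role_name>`, drop `*` from `Actions`, then run `update`). The `Name` in the JSON must match the existing role for `update` to target it, which the placeholder does not make clear. As in the resource-locks check, the second AdditionalURL points at `cloudoneconformity-staging` rather than the production knowledge base.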
|
|
@@ -5,22 +5,21 @@ from prowler.providers.azure.services.keyvault.keyvault_client import keyvault_c
|
|
|
5
5
|
class keyvault_rbac_secret_expiration_set(Check):
|
|
6
6
|
def execute(self) -> Check_Report_Azure:
|
|
7
7
|
findings = []
|
|
8
|
+
|
|
8
9
|
for subscription, key_vaults in keyvault_client.key_vaults.items():
|
|
9
10
|
for keyvault in key_vaults:
|
|
10
11
|
if keyvault.properties.enable_rbac_authorization and keyvault.secrets:
|
|
11
|
-
report = Check_Report_Azure(
|
|
12
|
-
metadata=self.metadata(), resource=keyvault
|
|
13
|
-
)
|
|
14
|
-
report.subscription = subscription
|
|
15
|
-
report.status = "PASS"
|
|
16
|
-
report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} has all the secrets with expiration date set."
|
|
17
|
-
has_secret_without_expiration = False
|
|
18
12
|
for secret in keyvault.secrets:
|
|
13
|
+
report = Check_Report_Azure(
|
|
14
|
+
metadata=self.metadata(), resource=secret
|
|
15
|
+
)
|
|
16
|
+
report.subscription = subscription
|
|
19
17
|
if not secret.attributes.expires and secret.enabled:
|
|
20
18
|
report.status = "FAIL"
|
|
21
|
-
report.status_extended = f"
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
19
|
+
report.status_extended = f"Secret '{secret.name}' in KeyVault '{keyvault.name}' does not have expiration date set."
|
|
20
|
+
else:
|
|
21
|
+
report.status = "PASS"
|
|
22
|
+
report.status_extended = f"Secret '{secret.name}' in KeyVault '{keyvault.name}' has expiration date set."
|
|
25
23
|
findings.append(report)
|
|
24
|
+
|
|
26
25
|
return findings
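Review bot: With one finding per secret, the `else` branch reports `PASS` with "has expiration date set" for a secret that has no expiration but is disabled, because the FAIL condition is `not secret.attributes.expires and secret.enabled`; the old per-vault roll-up merely skipped such secrets, whereas the new wording makes a false statement about them. Either skip them (`if not secret.enabled: continue` before building the report) or give them their own branch, e.g. `elif not secret.attributes.expires:` setting `report.status = "PASS"` and `report.status_extended = f"Secret '{secret.name}' in KeyVault '{keyvault.name}' is disabled and has no expiration date set."`, so the status text stays true. The `if keyvault.properties.enable_rbac_authorization and keyvault.secrets:` guard is unchanged, so vaults without secrets still produce no finding; a comment stating that is intentional would help whoever maps this check to compliance frameworks.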
|