From 5caeba00e868b28192bd2cc5d504c552fa29f0da Mon Sep 17 00:00:00 2001
From: Ivan Morgun
Date: Thu, 7 Nov 2024 15:00:43 +0300
Subject: [PATCH 1/7] #11210 prowler_v4.py Prowler v4.5.0 changed the 'event_time' key in finding with 'time_dt'
---
 dojo/tools/aws_prowler_v3plus/prowler_v4.py | 4 +++-
 unittests/scans/aws_prowler_v3plus/many_vuln.ocsf.json | 6 +++---
 unittests/scans/aws_prowler_v3plus/one_vuln.ocsf.json | 2 +-
 3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/dojo/tools/aws_prowler_v3plus/prowler_v4.py b/dojo/tools/aws_prowler_v3plus/prowler_v4.py
index 1b9c155b63a..638ddcdd4f8 100644
--- a/dojo/tools/aws_prowler_v3plus/prowler_v4.py
+++ b/dojo/tools/aws_prowler_v3plus/prowler_v4.py
@@ -37,7 +37,9 @@ def process_ocsf_json(self, file, test):
 documentation = deserialized.get("remediation", {}).get("references", "")
 documentation = str(documentation) + "\n" + str(deserialized.get("unmapped", {}).get("related_url", ""))
 security_domain = deserialized.get("resources", [{}])[0].get("type", "")
- timestamp = deserialized.get("event_time")
+ # Prowler v4.5.0 changed 'event_time' key in report with 'time_dt'
+ timestamp = deserialized.get(
+ "time_dt") or deserialized.get("event_time")
 resource_arn = deserialized.get("resources", [{}])[0].get("uid", "")
 resource_id = deserialized.get("resources", [{}])[0].get("name", "")
 unique_id_from_tool = deserialized.get("finding_info", {}).get("uid", "")
diff --git a/unittests/scans/aws_prowler_v3plus/many_vuln.ocsf.json b/unittests/scans/aws_prowler_v3plus/many_vuln.ocsf.json
index 298e67210ce..36c0219e396 100644
--- a/unittests/scans/aws_prowler_v3plus/many_vuln.ocsf.json
+++ b/unittests/scans/aws_prowler_v3plus/many_vuln.ocsf.json
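Review bot: `timestamp` becomes `None` when a report carries neither `time_dt` nor `event_time`, and the new line does not handle that case; whatever consumes `timestamp` further down `process_ocsf_json` is outside this hunk, so whether `None` is tolerated there should be checked. An empty-string `time_dt` also silently falls through to `event_time` because of the `or`, which is acceptable for a fallback but worth stating. I would word the comment as a contract rather than a changelog entry: `# Prowler >= 4.5.0 reports the finding time as 'time_dt'; older reports use 'event_time'`. PATCH 2/7 only reflows the same assignment onto one line, so the same point applies there.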
@@ -67,7 +67,7 @@
 "provider": "aws",
 "region": "us-east-1"
 },
- "event_time": "2024-06-03T14:15:19.382075",
+ "time_dt": "2024-06-03T14:15:19.382075",
 "remediation": {
 "desc": "Apply the principle of least privilege. Instead of AdministratorAccess, assign only the permissions necessary for specific roles and tasks. Create custom IAM policies with minimal permissions based on the principle of least privilege. If a role really needs AdministratorAccess, the trust relationship must be well defined to restrict it usage only to the Principal, Action, Audience and Subject intended for it.",
 "references": [
@@ -155,7 +155,7 @@
 "provider": "aws",
 "region": "us-east-1"
 },
- "event_time": "2024-06-03T14:15:19.382075",
+ "time_dt": "2024-06-03T14:15:19.382075",
 "remediation": {
 "desc": "Remove the AWS-managed ReadOnlyAccess policy from all roles that have a trust policy, including third-party cloud accounts, or remove third-party cloud accounts from the trust policy of all roles that need the ReadOnlyAccess policy.",
 "references": [
@@ -234,7 +234,7 @@
 "provider": "aws",
 "region": "us-east-1"
 },
- "event_time": "2024-06-03T14:15:19.382075",
+ "time_dt": "2024-06-03T14:15:19.382075",
 "remediation": {
 "desc": "Ensure IAM Roles do not allow assume role from any role of a cross account but only from specific roles of specific accounts.",
 "references": [
diff --git a/unittests/scans/aws_prowler_v3plus/one_vuln.ocsf.json b/unittests/scans/aws_prowler_v3plus/one_vuln.ocsf.json
index aefdfd8ac58..e8e79e2f71f 100644
--- a/unittests/scans/aws_prowler_v3plus/one_vuln.ocsf.json
+++ b/unittests/scans/aws_prowler_v3plus/one_vuln.ocsf.json
@@ -67,7 +67,7 @@
 "provider": "aws",
 "region": "us-east-1"
 },
- "event_time": "2024-06-03T14:15:19.382075",
+ "time_dt": "2024-06-03T14:15:19.382075",
 "remediation": {
 "desc": "Apply the principle of least privilege. Instead of AdministratorAccess, assign only the permissions necessary for specific roles and tasks. Create custom IAM policies with minimal permissions based on the principle of least privilege. If a role really needs AdministratorAccess, the trust relationship must be well defined to restrict it usage only to the Principal, Action, Audience and Subject intended for it.",
 "references": [
From 1c6fbf11cab5c59c01a7d196ee1e0ae5f6234172 Mon Sep 17 00:00:00 2001
From: Ivan Morgun
Date: Thu, 7 Nov 2024 15:03:05 +0300
Subject: [PATCH 2/7] #11210 prowler_v4.py Prowler v4.5.0 changed the 'event_time' key in finding with 'time_dt'
---
 dojo/tools/aws_prowler_v3plus/prowler_v4.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/dojo/tools/aws_prowler_v3plus/prowler_v4.py b/dojo/tools/aws_prowler_v3plus/prowler_v4.py
index 638ddcdd4f8..dd543f27f57 100644
--- a/dojo/tools/aws_prowler_v3plus/prowler_v4.py
+++ b/dojo/tools/aws_prowler_v3plus/prowler_v4.py
@@ -38,8 +38,7 @@ def process_ocsf_json(self, file, test):
 documentation = str(documentation) + "\n" + str(deserialized.get("unmapped", {}).get("related_url", ""))
 security_domain = deserialized.get("resources", [{}])[0].get("type", "")
 # Prowler v4.5.0 changed 'event_time' key in report with 'time_dt'
- timestamp = deserialized.get(
- "time_dt") or deserialized.get("event_time")
+ timestamp = deserialized.get("time_dt") or deserialized.get("event_time")
 resource_arn = deserialized.get("resources", [{}])[0].get("uid", "")
 resource_id = deserialized.get("resources", [{}])[0].get("name", "")
 unique_id_from_tool = deserialized.get("finding_info", {}).get("uid", "")
From b1b030d526a9a86a15e7d9cc7f1543e333e03ac2 Mon Sep 17 00:00:00 2001
From: Ivan Morgun
Date: Thu, 7 Nov 2024 22:15:22 +0300
Subject: [PATCH 3/7] Add tesst to support prowler version <4.5.0
---
 .../many_vuln_before_4_5_0.ocsf.json | 247 ++++++++++++++++++
 .../one_vuln_before_4_5_0.ocsf.json | 80 ++++++
 .../tools/test_aws_prowler_v3plus_parser.py | 22 +-
 3 files changed, 348 insertions(+), 1 deletion(-)
 create mode 100644 unittests/scans/aws_prowler_v3plus/many_vuln_before_4_5_0.ocsf.json
 create mode 100644 unittests/scans/aws_prowler_v3plus/one_vuln_before_4_5_0.ocsf.json
diff --git a/unittests/scans/aws_prowler_v3plus/many_vuln_before_4_5_0.ocsf.json b/unittests/scans/aws_prowler_v3plus/many_vuln_before_4_5_0.ocsf.json
new file mode 100644
index 00000000000..298e67210ce
--- /dev/null
+++ b/unittests/scans/aws_prowler_v3plus/many_vuln_before_4_5_0.ocsf.json
@@ -0,0 +1,247 @@ +[{ + "metadata": { + "event_code": "iam_role_administratoraccess_policy_permissive_trust_relationship", + "product": { + "name": "Prowler", + "vendor_name": "Prowler", + "version": "4.2.1" + }, + "version": "1.2.0" + }, + "severity_id": 4, + "severity": "High", + "status": "New", + "status_code": "FAIL", + "status_detail": "IAM Role myAdministratorExecutionRole has AdministratorAccess policy attached that has too permissive trust relationship.", + "status_id": 3, + "unmapped": { + "check_type": "", + "related_url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator", + "categories": "trustboundaries", + "depends_on": "", + "related_to": "", + "notes": "CAF Security Epic: IAM", + "compliance": {} + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": "2024-06-03T14:15:19.382075", + "desc": "Ensure IAM Roles with attached AdministratorAccess policy have a well defined trust relationship", + "product_uid": "prowler", + "title": "Ensure IAM Roles with attached AdministratorAccess policy have a well defined trust relationship", + "uid": "prowler-aws-iam_role_administratoraccess_policy_permissive_trust_relationship-123456789012-us-east-1-myAdministratorExecutionRole" + }, + "resources": [ + { + "cloud_partition": "aws", + "region": "us-east-1", + "data": { + "details": "" + }, + "group": { + "name": "iam" + }, + "labels": [], + "name": "myAdministratorExecutionRole", + "type": "AwsIamRole", + "uid": "arn:aws:iam::123456789012:role/myAdministratorExecutionRole" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "DetectionFinding", + "class_uid": 2004, + "cloud": { + "account": { + "name": "", + "type": "AWS_Account", + "type_id": 10, + "uid": "123456789012", + "labels": [] + }, + "org": { + "name": "", + "uid": "" + }, + "provider": "aws", + "region": "us-east-1" + }, + "event_time": "2024-06-03T14:15:19.382075", + "remediation": { + "desc": 
"Apply the principle of least privilege. Instead of AdministratorAccess, assign only the permissions necessary for specific roles and tasks. Create custom IAM policies with minimal permissions based on the principle of least privilege. If a role really needs AdministratorAccess, the trust relationship must be well defined to restrict it usage only to the Principal, Action, Audience and Subject intended for it.", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege" + ] + }, + "risk_details": "The AWS-managed AdministratorAccess policy grants all actions for all AWS services and for all resources in the account and as such exposes the customer to a significant data leakage threat. It is therefore particularly important that the trust relationship is well defined to restrict it usage only to the Principal, Action, Audience and Subject intended for it.", + "type_uid": 200401, + "type_name": "Create" +},{ + "metadata": { + "event_code": "iam_role_cross_account_readonlyaccess_policy", + "product": { + "name": "Prowler", + "vendor_name": "Prowler", + "version": "4.2.1" + }, + "version": "1.2.0" + }, + "severity_id": 4, + "severity": "High", + "status": "New", + "status_code": "FAIL", + "status_detail": "IAM Role AuditRole gives cross account read-only access.", + "status_id": 3, + "unmapped": { + "check_type": "", + "related_url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#awsmp_readonlyaccess", + "categories": "trustboundaries", + "depends_on": "", + "related_to": "", + "notes": "CAF Security Epic: IAM", + "compliance": { + "MITRE-ATTACK": [ + "T1078" + ], + "AWS-Foundational-Technical-Review": [ + "IAM-0012" + ] + } + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": "2024-06-03T14:15:19.382075", + "desc": "Ensure IAM Roles do not have ReadOnlyAccess access for external AWS accounts", + "product_uid": "prowler", + "title": "Ensure 
IAM Roles do not have ReadOnlyAccess access for external AWS accounts", + "uid": "prowler-aws-iam_role_cross_account_readonlyaccess_policy-123456789012-us-east-1-AuditRole" + }, + "resources": [ + { + "cloud_partition": "aws", + "region": "us-east-1", + "data": { + "details": "" + }, + "group": { + "name": "iam" + }, + "labels": [ + "some-label=some value" + ], + "name": "AuditRole", + "type": "AwsIamRole", + "uid": "arn:aws:iam::123456789012:role/AuditRole" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "DetectionFinding", + "class_uid": 2004, + "cloud": { + "account": { + "name": "", + "type": "AWS_Account", + "type_id": 10, + "uid": "123456789012", + "labels": [] + }, + "org": { + "name": "", + "uid": "" + }, + "provider": "aws", + "region": "us-east-1" + }, + "event_time": "2024-06-03T14:15:19.382075", + "remediation": { + "desc": "Remove the AWS-managed ReadOnlyAccess policy from all roles that have a trust policy, including third-party cloud accounts, or remove third-party cloud accounts from the trust policy of all roles that need the ReadOnlyAccess policy.", + "references": [ + "https://docs.securestate.vmware.com/rule-docs/aws-iam-role-cross-account-readonlyaccess-policy" + ] + }, + "risk_details": "The AWS-managed ReadOnlyAccess policy is highly potent and exposes the customer to a significant data leakage threat. It should be granted very conservatively. 
For granting access to 3rd party vendors, consider using alternative managed policies, such as ViewOnlyAccess or SecurityAudit.", + "type_uid": 200401, + "type_name": "Create" +},{ + "metadata": { + "event_code": "iam_role_permissive_trust_relationship", + "product": { + "name": "Prowler", + "vendor_name": "Prowler", + "version": "4.2.1" + }, + "version": "1.2.0" + }, + "severity_id": 4, + "severity": "High", + "status": "Suppressed", + "status_code": "FAIL", + "status_detail": "IAM Role CrossAccountResourceAccessRole has permissive trust relationship to other accounts", + "status_id": 3, + "unmapped": { + "check_type": "", + "related_url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-accounts", + "categories": "trustboundaries", + "depends_on": "", + "related_to": "", + "notes": "CAF Security Epic: IAM", + "compliance": {} + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": "2024-06-03T14:15:19.382075", + "desc": "Ensure IAM Roles do not allow assume role from any role of a cross account", + "product_uid": "prowler", + "title": "Ensure IAM Roles do not allow assume role from any role of a cross account", + "uid": "prowler-aws-iam_role_permissive_trust_relationship-123456789012-us-east-1-CrossAccountResourceAccessRole" + }, + "resources": [ + { + "cloud_partition": "aws", + "region": "us-east-1", + "data": { + "details": "" + }, + "group": { + "name": "iam" + }, + "labels": [], + "name": "CrossAccountResourceAccessRole", + "type": "AwsIamRole", + "uid": "arn:aws:iam::123456789012:role/CrossAccountResourceAccessRole" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "DetectionFinding", + "class_uid": 2004, + "cloud": { + "account": { + "name": "", + "type": "AWS_Account", + "type_id": 10, + "uid": "123456789012", + "labels": [] + }, + "org": { + "name": "", + "uid": "" + }, + "provider": "aws", + "region": "us-east-1" + }, + "event_time": 
"2024-06-03T14:15:19.382075", + "remediation": { + "desc": "Ensure IAM Roles do not allow assume role from any role of a cross account but only from specific roles of specific accounts.", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-roles" + ] + }, + "risk_details": "If an IAM role allows assume role from any role of a cross account, it can lead to privilege escalation.", + "type_uid": 200401, + "type_name": "Create" +}] \ No newline at end of file diff --git a/unittests/scans/aws_prowler_v3plus/one_vuln_before_4_5_0.ocsf.json b/unittests/scans/aws_prowler_v3plus/one_vuln_before_4_5_0.ocsf.json new file mode 100644 index 00000000000..aefdfd8ac58 --- /dev/null +++ b/unittests/scans/aws_prowler_v3plus/one_vuln_before_4_5_0.ocsf.json 
@@ -0,0 +1,80 @@ +[{ + "metadata": { + "event_code": "iam_role_administratoraccess_policy_permissive_trust_relationship", + "product": { + "name": "Prowler", + "vendor_name": "Prowler", + "version": "4.2.1" + }, + "version": "1.2.0" + }, + "severity_id": 4, + "severity": "High", + "status": "New", + "status_code": "FAIL", + "status_detail": "IAM Role myAdministratorExecutionRole has AdministratorAccess policy attached that has too permissive trust relationship.", + "status_id": 3, + "unmapped": { + "check_type": "", + "related_url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator", + "categories": "trustboundaries", + "depends_on": "", + "related_to": "", + "notes": "CAF Security Epic: IAM", + "compliance": {} + }, + "activity_name": "Create", + "activity_id": 1, + "finding_info": { + "created_time": "2024-06-03T14:15:19.382075", + "desc": "Ensure IAM Roles with attached AdministratorAccess policy have a well defined trust relationship", + "product_uid": "prowler", + "title": "Ensure IAM Roles with attached AdministratorAccess policy have a well defined trust relationship", + "uid": "prowler-aws-iam_role_administratoraccess_policy_permissive_trust_relationship-123456789012-us-east-1-myAdministratorExecutionRole" + }, + "resources": [ + { + "cloud_partition": "aws", + "region": "us-east-1", + "data": { + "details": "" + }, + "group": { + "name": "iam" + }, + "labels": [], + "name": "myAdministratorExecutionRole", + "type": "AwsIamRole", + "uid": "arn:aws:iam::123456789012:role/myAdministratorExecutionRole" + } + ], + "category_name": "Findings", + "category_uid": 2, + "class_name": "DetectionFinding", + "class_uid": 2004, + "cloud": { + "account": { + "name": "", + "type": "AWS_Account", + "type_id": 10, + "uid": "123456789012", + "labels": [] + }, + "org": { + "name": "", + "uid": "" + }, + "provider": "aws", + "region": "us-east-1" + }, + "event_time": "2024-06-03T14:15:19.382075", + "remediation": { + "desc": 
"Apply the principle of least privilege. Instead of AdministratorAccess, assign only the permissions necessary for specific roles and tasks. Create custom IAM policies with minimal permissions based on the principle of least privilege. If a role really needs AdministratorAccess, the trust relationship must be well defined to restrict it usage only to the Principal, Action, Audience and Subject intended for it.", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege" + ] + }, + "risk_details": "The AWS-managed AdministratorAccess policy grants all actions for all AWS services and for all resources in the account and as such exposes the customer to a significant data leakage threat. It is therefore particularly important that the trust relationship is well defined to restrict it usage only to the Principal, Action, Audience and Subject intended for it.", + "type_uid": 200401, + "type_name": "Create" +}] \ No newline at end of file diff --git a/unittests/tools/test_aws_prowler_v3plus_parser.py b/unittests/tools/test_aws_prowler_v3plus_parser.py index 6eb22c296cf..a40428ef283 100644 --- a/unittests/tools/test_aws_prowler_v3plus_parser.py +++ b/unittests/tools/test_aws_prowler_v3plus_parser.py 
@@ -43,6 +43,26 @@ def test_aws_prowler_parser_with_no_vuln_has_no_findings_ocsf_json(self):
 open("unittests/scans/aws_prowler_v3plus/no_vuln.ocsf.json", encoding="utf-8"))
 self.assertEqual(0, len(findings))
+ def test_aws_prowler_parser_before_4_5_0_with_critical_vuln_has_one_findings_ocsf_json(self):
+ findings = self.setup(
+ open("unittests/scans/aws_prowler_v3plus/one_vuln_before_4_5_0.ocsf.json", encoding="utf-8"))
+ self.assertEqual(1, len(findings))
+ self.assertEqual("prowler-aws-iam_role_administratoraccess_policy_permissive_trust_relationship-123456789012-us-east-1-myAdministratorExecutionRole", findings[0].unique_id_from_tool)
+ self.assertIn("Ensure IAM Roles with attached AdministratorAccess policy have a well defined trust relationship", findings[0].description)
+ self.assertEqual("arn:aws:iam::123456789012:role/myAdministratorExecutionRole", findings[0].component_name)
+ self.assertIn("https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege", findings[0].references)
+
+ def test_aws_prowler_parser_before_4_5_0_with_many_vuln_has_many_findings_ocsf_json(self):
+ findings = self.setup(
+ open("unittests/scans/aws_prowler_v3plus/many_vuln_before_4_5_0.ocsf.json", encoding="utf-8"))
+ self.assertEqual(2, len(findings))
+ with self.subTest(i=0):
+ self.assertEqual("prowler-aws-iam_role_administratoraccess_policy_permissive_trust_relationship-123456789012-us-east-1-myAdministratorExecutionRole", findings[0].unique_id_from_tool)
+ self.assertIn("Ensure IAM Roles with attached AdministratorAccess policy have a well defined trust relationship", findings[0].description)
+ with self.subTest(i=1):
+ self.assertEqual("prowler-aws-iam_role_cross_account_readonlyaccess_policy-123456789012-us-east-1-AuditRole", findings[1].unique_id_from_tool)
+ self.assertIn("Ensure IAM Roles do not have ReadOnlyAccess access for external AWS accounts", findings[1].description)
+
 def test_aws_prowler_parser_with_critical_vuln_has_one_findings_ocsf_json(self):
 findings = self.setup(
 open("unittests/scans/aws_prowler_v3plus/one_vuln.ocsf.json", encoding="utf-8"))
@@ -61,4 +81,4 @@ def test_aws_prowler_parser_with_many_vuln_has_many_findings_ocsf_json(self):
 self.assertIn("Ensure IAM Roles with attached AdministratorAccess policy have a well defined trust relationship", findings[0].description)
 with self.subTest(i=1):
 self.assertEqual("prowler-aws-iam_role_cross_account_readonlyaccess_policy-123456789012-us-east-1-AuditRole", findings[1].unique_id_from_tool)
- self.assertIn("Ensure IAM Roles do not have ReadOnlyAccess access for external AWS accounts", findings[1].description)
+ self.assertIn("Ensure IAM Roles do not have ReadOnlyAccess access for external AWS accounts", findings[1].description)
\ No newline at end of file
From 83fe2ba6dbf4b29ee59c128bff4ff6fb0f9f0b0b Mon Sep 17 00:00:00 2001
From: Ivan Morgun
Date: Thu, 7 Nov 2024 22:16:44 +0300
Subject: [PATCH 4/7] Return new-line
---
 unittests/tools/test_aws_prowler_v3plus_parser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/unittests/tools/test_aws_prowler_v3plus_parser.py b/unittests/tools/test_aws_prowler_v3plus_parser.py
index a40428ef283..82ebf83a50a 100644
--- a/unittests/tools/test_aws_prowler_v3plus_parser.py
+++ b/unittests/tools/test_aws_prowler_v3plus_parser.py
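Review bot: `test_aws_prowler_parser_before_4_5_0_with_many_vuln_has_many_findings_ocsf_json` asserts `self.assertEqual(2, len(findings))`, but the fixture this patch adds (`many_vuln_before_4_5_0.ocsf.json`) holds three findings, the third with `"status": "Suppressed"`, and nothing in the test says why one is expected to disappear; presumably the parser drops it, but that happens outside this diff. A one-line comment above the assertion, `# the third fixture entry is status "Suppressed" and is expected to be filtered out`, would make the expectation readable without opening the fixture. Both new tests pass an unclosed `open(...)` handle to `self.setup`, which mirrors the existing tests in this file, so a `with open(...) as f:` cleanup would be a separate, file-wide change.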
@@ -81,4 +81,4 @@ def test_aws_prowler_parser_with_many_vuln_has_many_findings_ocsf_json(self):
 self.assertIn("Ensure IAM Roles with attached AdministratorAccess policy have a well defined trust relationship", findings[0].description)
 with self.subTest(i=1):
 self.assertEqual("prowler-aws-iam_role_cross_account_readonlyaccess_policy-123456789012-us-east-1-AuditRole", findings[1].unique_id_from_tool)
- self.assertIn("Ensure IAM Roles do not have ReadOnlyAccess access for external AWS accounts", findings[1].description)
\ No newline at end of file
+ self.assertIn("Ensure IAM Roles do not have ReadOnlyAccess access for external AWS accounts", findings[1].description)
From 486aca732e8781be3cb4edc9d8796847c92f042c Mon Sep 17 00:00:00 2001
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Date: Fri, 15 Nov 2024 11:40:02 -0600
Subject: [PATCH 5/7] Update tests, clean up scans
---
 .../scans/aws_prowler_v3plus/many_vuln.ocsf.json | 6 +++---
 unittests/scans/aws_prowler_v3plus/one_vuln.ocsf.json | 2 +-
 unittests/tools/test_aws_prowler_v3plus_parser.py | 11 +++++++++++
 3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/unittests/scans/aws_prowler_v3plus/many_vuln.ocsf.json b/unittests/scans/aws_prowler_v3plus/many_vuln.ocsf.json
index 36c0219e396..298e67210ce 100644
--- a/unittests/scans/aws_prowler_v3plus/many_vuln.ocsf.json
+++ b/unittests/scans/aws_prowler_v3plus/many_vuln.ocsf.json
@@ -67,7 +67,7 @@
 "provider": "aws",
 "region": "us-east-1"
 },
- "time_dt": "2024-06-03T14:15:19.382075",
+ "event_time": "2024-06-03T14:15:19.382075",
 "remediation": {
 "desc": "Apply the principle of least privilege. Instead of AdministratorAccess, assign only the permissions necessary for specific roles and tasks. Create custom IAM policies with minimal permissions based on the principle of least privilege. If a role really needs AdministratorAccess, the trust relationship must be well defined to restrict it usage only to the Principal, Action, Audience and Subject intended for it.",
 "references": [
@@ -155,7 +155,7 @@
 "provider": "aws",
 "region": "us-east-1"
 },
- "time_dt": "2024-06-03T14:15:19.382075",
+ "event_time": "2024-06-03T14:15:19.382075",
 "remediation": {
 "desc": "Remove the AWS-managed ReadOnlyAccess policy from all roles that have a trust policy, including third-party cloud accounts, or remove third-party cloud accounts from the trust policy of all roles that need the ReadOnlyAccess policy.",
 "references": [
@@ -234,7 +234,7 @@
 "provider": "aws",
 "region": "us-east-1"
 },
- "time_dt": "2024-06-03T14:15:19.382075",
+ "event_time": "2024-06-03T14:15:19.382075",
 "remediation": {
 "desc": "Ensure IAM Roles do not allow assume role from any role of a cross account but only from specific roles of specific accounts.",
 "references": [
diff --git a/unittests/scans/aws_prowler_v3plus/one_vuln.ocsf.json b/unittests/scans/aws_prowler_v3plus/one_vuln.ocsf.json
index e8e79e2f71f..aefdfd8ac58 100644
--- a/unittests/scans/aws_prowler_v3plus/one_vuln.ocsf.json
+++ b/unittests/scans/aws_prowler_v3plus/one_vuln.ocsf.json
@@ -67,7 +67,7 @@
 "provider": "aws",
 "region": "us-east-1"
 },
- "time_dt": "2024-06-03T14:15:19.382075",
+ "event_time": "2024-06-03T14:15:19.382075",
 "remediation": {
 "desc": "Apply the principle of least privilege. Instead of AdministratorAccess, assign only the permissions necessary for specific roles and tasks. Create custom IAM policies with minimal permissions based on the principle of least privilege. If a role really needs AdministratorAccess, the trust relationship must be well defined to restrict it usage only to the Principal, Action, Audience and Subject intended for it.",
 "references": [
diff --git a/unittests/tools/test_aws_prowler_v3plus_parser.py b/unittests/tools/test_aws_prowler_v3plus_parser.py
index 82ebf83a50a..28d2b23200f 100644
--- a/unittests/tools/test_aws_prowler_v3plus_parser.py
+++ b/unittests/tools/test_aws_prowler_v3plus_parser.py
@@ -1,6 +1,7 @@
 from dojo.models import Test
 from dojo.tools.aws_prowler_v3plus.parser import AWSProwlerV3plusParser
 from unittests.dojo_test_case import DojoTestCase
+from datetime import date
 class TestAwsProwlerV3plusParser(DojoTestCase):
@@ -23,6 +24,7 @@ def test_aws_prowler_parser_with_critical_vuln_has_one_findings_json(self):
 self.assertIn("Check if ACM Certificates are about to expire in specific days or less", findings[0].description)
 self.assertEqual("arn:aws:acm:us-east-1:999999999999:certificate/ffffffff-0000-0000-0000-000000000000", findings[0].component_name)
 self.assertIn("https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html", findings[0].references)
+ self.assertEqual(date.fromisoformat("2023-04-25"), findings[0].date)
 def test_aws_prowler_parser_with_many_vuln_has_many_findings_json(self):
 findings = self.setup(
@@ -31,12 +33,15 @@ def test_aws_prowler_parser_with_many_vuln_has_many_findings_json(self):
 with self.subTest(i=0):
 self.assertEqual("prowler-aws-acm_certificates_expiration_check-999999999999-us-east-1-api.teste.teste.com", findings[0].unique_id_from_tool)
 self.assertIn("Check if ACM Certificates are about to expire in specific days or less", findings[0].description)
+ self.assertEqual(date.fromisoformat("2023-04-25"), findings[0].date)
 with self.subTest(i=1):
 self.assertEqual("prowler-aws-accessanalyzer_enabled-999999999999-us-east-1-999999999999", findings[1].unique_id_from_tool)
 self.assertIn("Check if IAM Access Analyzer is enabled", findings[1].description)
+ self.assertEqual(date.fromisoformat("2023-04-25"), findings[1].date)
 with self.subTest(i=3):
 self.assertEqual("prowler-aws-account_maintain_current_contact_details-999999999999-us-east-1-999999999999", findings[2].unique_id_from_tool)
 self.assertIn("Maintain current contact details.", findings[2].description)
+ self.assertEqual(date.fromisoformat("2023-04-25"), findings[2].date)
 def test_aws_prowler_parser_with_no_vuln_has_no_findings_ocsf_json(self):
 findings = self.setup(
@@ -51,6 +56,7 @@ def test_aws_prowler_parser_before_4_5_0_with_critical_vuln_has_one_findings_ocs
 self.assertIn("Ensure IAM Roles with attached AdministratorAccess policy have a well defined trust relationship", findings[0].description)
 self.assertEqual("arn:aws:iam::123456789012:role/myAdministratorExecutionRole", findings[0].component_name)
 self.assertIn("https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege", findings[0].references)
+ self.assertEqual(date.fromisoformat("2024-06-03"), findings[0].date)
 def test_aws_prowler_parser_before_4_5_0_with_many_vuln_has_many_findings_ocsf_json(self):
 findings = self.setup(
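Review bot: The third block in the `@@ -31,12 +33,15 @@` hunk is labelled `with self.subTest(i=3):` while every assertion inside it, including the new `self.assertEqual(date.fromisoformat("2023-04-25"), findings[2].date)`, reads `findings[2]`; the label is pre-existing, but since the hunk touches that block, `with self.subTest(i=2):` would make a failure report point at the right finding. The same date literal is repeated in each subtest here and in the hunks that follow (`-59,9 +65,11`, `-71,6 +79,7`, `-79,6 +88,8`); a class-level constant such as `EXPECTED_OCSF_DATE = date.fromisoformat("2024-06-03")` would keep each expected value in one place. The enclosing test methods start before their hunks, so only the tails are visible here.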
@@ -59,9 +65,11 @@ def test_aws_prowler_parser_before_4_5_0_with_many_vuln_has_many_findings_ocsf_j
 with self.subTest(i=0):
 self.assertEqual("prowler-aws-iam_role_administratoraccess_policy_permissive_trust_relationship-123456789012-us-east-1-myAdministratorExecutionRole", findings[0].unique_id_from_tool)
 self.assertIn("Ensure IAM Roles with attached AdministratorAccess policy have a well defined trust relationship", findings[0].description)
+ self.assertEqual(date.fromisoformat("2024-06-03"), findings[0].date)
 with self.subTest(i=1):
 self.assertEqual("prowler-aws-iam_role_cross_account_readonlyaccess_policy-123456789012-us-east-1-AuditRole", findings[1].unique_id_from_tool)
 self.assertIn("Ensure IAM Roles do not have ReadOnlyAccess access for external AWS accounts", findings[1].description)
+ self.assertEqual(date.fromisoformat("2024-06-03"), findings[1].date)
 def test_aws_prowler_parser_with_critical_vuln_has_one_findings_ocsf_json(self):
 findings = self.setup(
@@ -71,6 +79,7 @@ def test_aws_prowler_parser_with_critical_vuln_has_one_findings_ocsf_json(self):
 self.assertIn("Ensure IAM Roles with attached AdministratorAccess policy have a well defined trust relationship", findings[0].description)
 self.assertEqual("arn:aws:iam::123456789012:role/myAdministratorExecutionRole", findings[0].component_name)
 self.assertIn("https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege", findings[0].references)
+ self.assertEqual(date.fromisoformat("2024-06-03"), findings[0].date)
 def test_aws_prowler_parser_with_many_vuln_has_many_findings_ocsf_json(self):
 findings = self.setup(
@@ -79,6 +88,8 @@ def test_aws_prowler_parser_with_many_vuln_has_many_findings_ocsf_json(self):
 with self.subTest(i=0):
 self.assertEqual("prowler-aws-iam_role_administratoraccess_policy_permissive_trust_relationship-123456789012-us-east-1-myAdministratorExecutionRole", findings[0].unique_id_from_tool)
 self.assertIn("Ensure IAM Roles with attached AdministratorAccess policy have a well defined trust relationship", findings[0].description)
+ self.assertEqual(date.fromisoformat("2024-06-03"), findings[0].date)
 with self.subTest(i=1):
 self.assertEqual("prowler-aws-iam_role_cross_account_readonlyaccess_policy-123456789012-us-east-1-AuditRole", findings[1].unique_id_from_tool)
 self.assertIn("Ensure IAM Roles do not have ReadOnlyAccess access for external AWS accounts", findings[1].description)
+ self.assertEqual(date.fromisoformat("2024-06-03"), findings[1].date)
From d1565758d22d1de2dbdfa248d5fbf1080d01f59d Mon Sep 17 00:00:00 2001
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Date: Fri, 15 Nov 2024 11:40:43 -0600
Subject: [PATCH 6/7] Fix ruff
---
 unittests/tools/test_aws_prowler_v3plus_parser.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/unittests/tools/test_aws_prowler_v3plus_parser.py b/unittests/tools/test_aws_prowler_v3plus_parser.py
index 28d2b23200f..f679af8e666 100644
--- a/unittests/tools/test_aws_prowler_v3plus_parser.py
+++ b/unittests/tools/test_aws_prowler_v3plus_parser.py
@@ -1,7 +1,8 @@
+from datetime import date
+
 from dojo.models import Test
 from dojo.tools.aws_prowler_v3plus.parser import AWSProwlerV3plusParser
 from unittests.dojo_test_case import DojoTestCase
-from datetime import date
 class TestAwsProwlerV3plusParser(DojoTestCase):
From f45e9a4b9415215ed3189b9bc97ab27052d7ba2e Mon Sep 17 00:00:00 2001
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Date: Fri, 15 Nov 2024 18:01:34 -0600
Subject: [PATCH 7/7] Rename some stuff
---
 ...re_4_5_0.ocsf.json => many_vuln_after_4_5_0.ocsf.json} | 6 +++---
 ...ore_4_5_0.ocsf.json => one_vuln_after_4_5_0.ocsf.json} | 2 +-
 unittests/tools/test_aws_prowler_v3plus_parser.py | 8 ++++----
 3 files changed, 8 insertions(+), 8 deletions(-)
 rename unittests/scans/aws_prowler_v3plus/{many_vuln_before_4_5_0.ocsf.json => many_vuln_after_4_5_0.ocsf.json} (98%)
 rename unittests/scans/aws_prowler_v3plus/{one_vuln_before_4_5_0.ocsf.json => one_vuln_after_4_5_0.ocsf.json} (98%)
diff --git a/unittests/scans/aws_prowler_v3plus/many_vuln_before_4_5_0.ocsf.json b/unittests/scans/aws_prowler_v3plus/many_vuln_after_4_5_0.ocsf.json
similarity index 98%
rename from unittests/scans/aws_prowler_v3plus/many_vuln_before_4_5_0.ocsf.json
rename to unittests/scans/aws_prowler_v3plus/many_vuln_after_4_5_0.ocsf.json
index 298e67210ce..36c0219e396 100644
--- a/unittests/scans/aws_prowler_v3plus/many_vuln_before_4_5_0.ocsf.json
+++ b/unittests/scans/aws_prowler_v3plus/many_vuln_after_4_5_0.ocsf.json
@@ -67,7 +67,7 @@
 "provider": "aws",
 "region": "us-east-1"
 },
- "event_time": "2024-06-03T14:15:19.382075",
+ "time_dt": "2024-06-03T14:15:19.382075",
 "remediation": {
 "desc": "Apply the principle of least privilege. Instead of AdministratorAccess, assign only the permissions necessary for specific roles and tasks. Create custom IAM policies with minimal permissions based on the principle of least privilege. If a role really needs AdministratorAccess, the trust relationship must be well defined to restrict it usage only to the Principal, Action, Audience and Subject intended for it.",
 "references": [
@@ -155,7 +155,7 @@
 "provider": "aws",
 "region": "us-east-1"
 },
- "event_time": "2024-06-03T14:15:19.382075",
+ "time_dt": "2024-06-03T14:15:19.382075",
 "remediation": {
 "desc": "Remove the AWS-managed ReadOnlyAccess policy from all roles that have a trust policy, including third-party cloud accounts, or remove third-party cloud accounts from the trust policy of all roles that need the ReadOnlyAccess policy.",
 "references": [
@@ -234,7 +234,7 @@
 "provider": "aws",
 "region": "us-east-1"
 },
- "event_time": "2024-06-03T14:15:19.382075",
+ "time_dt": "2024-06-03T14:15:19.382075",
 "remediation": {
 "desc": "Ensure IAM Roles do not allow assume role from any role of a cross account but only from specific roles of specific accounts.",
 "references": [
diff --git a/unittests/scans/aws_prowler_v3plus/one_vuln_before_4_5_0.ocsf.json b/unittests/scans/aws_prowler_v3plus/one_vuln_after_4_5_0.ocsf.json
similarity index 98%
rename from unittests/scans/aws_prowler_v3plus/one_vuln_before_4_5_0.ocsf.json
rename to unittests/scans/aws_prowler_v3plus/one_vuln_after_4_5_0.ocsf.json
index aefdfd8ac58..e8e79e2f71f 100644
--- a/unittests/scans/aws_prowler_v3plus/one_vuln_before_4_5_0.ocsf.json
+++ b/unittests/scans/aws_prowler_v3plus/one_vuln_after_4_5_0.ocsf.json
@@ -67,7 +67,7 @@
 "provider": "aws",
 "region": "us-east-1"
 },
- "event_time": "2024-06-03T14:15:19.382075",
+ "time_dt": "2024-06-03T14:15:19.382075",
 "remediation": {
 "desc": "Apply the principle of least privilege. Instead of AdministratorAccess, assign only the permissions necessary for specific roles and tasks. Create custom IAM policies with minimal permissions based on the principle of least privilege. If a role really needs AdministratorAccess, the trust relationship must be well defined to restrict it usage only to the Principal, Action, Audience and Subject intended for it.",
 "references": [
diff --git a/unittests/tools/test_aws_prowler_v3plus_parser.py b/unittests/tools/test_aws_prowler_v3plus_parser.py
index f679af8e666..5ef20b764af 100644
--- a/unittests/tools/test_aws_prowler_v3plus_parser.py
+++ b/unittests/tools/test_aws_prowler_v3plus_parser.py
@@ -49,9 +49,9 @@ def test_aws_prowler_parser_with_no_vuln_has_no_findings_ocsf_json(self):
 open("unittests/scans/aws_prowler_v3plus/no_vuln.ocsf.json", encoding="utf-8"))
 self.assertEqual(0, len(findings))
- def test_aws_prowler_parser_before_4_5_0_with_critical_vuln_has_one_findings_ocsf_json(self):
+ def test_aws_prowler_parser_after_4_5_0_with_critical_vuln_has_one_findings_ocsf_json(self):
 findings = self.setup(
- open("unittests/scans/aws_prowler_v3plus/one_vuln_before_4_5_0.ocsf.json", encoding="utf-8"))
+ open("unittests/scans/aws_prowler_v3plus/one_vuln_after_4_5_0.ocsf.json", encoding="utf-8"))
 self.assertEqual(1, len(findings))
 self.assertEqual("prowler-aws-iam_role_administratoraccess_policy_permissive_trust_relationship-123456789012-us-east-1-myAdministratorExecutionRole", findings[0].unique_id_from_tool)
 self.assertIn("Ensure IAM Roles with attached AdministratorAccess policy have a well defined trust relationship", findings[0].description)
@@ -59,9 +59,9 @@ def test_aws_prowler_parser_before_4_5_0_with_critical_vuln_has_one_findings_ocs
 self.assertIn("https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege", findings[0].references)
 self.assertEqual(date.fromisoformat("2024-06-03"), findings[0].date)
- def test_aws_prowler_parser_before_4_5_0_with_many_vuln_has_many_findings_ocsf_json(self):
+ def test_aws_prowler_parser_after_4_5_0_with_many_vuln_has_many_findings_ocsf_json(self):
 findings = self.setup(
- open("unittests/scans/aws_prowler_v3plus/many_vuln_before_4_5_0.ocsf.json", encoding="utf-8"))
+ open("unittests/scans/aws_prowler_v3plus/many_vuln_after_4_5_0.ocsf.json", encoding="utf-8"))
 self.assertEqual(2, len(findings))
 with self.subTest(i=0):
 self.assertEqual("prowler-aws-iam_role_administratoraccess_policy_permissive_trust_relationship-123456789012-us-east-1-myAdministratorExecutionRole", findings[0].unique_id_from_tool)