chore(v3): include latest v4 changes (#4350)

prowler-cloud · Jul 2, 2024 · bd474ef · bd474ef
1 parent 9e7ffa6
commit bd474ef
Show file tree

Hide file tree

Showing 41 changed files with 1,679 additions and 247 deletions.
diff --git a/docs/tutorials/configuration_file.md b/docs/tutorials/configuration_file.md
@@ -34,6 +34,8 @@ The following list includes all the AWS checks with configurable variables that
 | `guardduty_is_enabled`                                        | `allowlist_non_default_regions`                  | Boolean         |
 | `securityhub_enabled`                                         | `allowlist_non_default_regions`                  | Boolean         |
 | `rds_instance_backup_enabled`                                  | `check_rds_instance_replicas`      | Boolean        |
+| `acm_certificates_expiration_check`                           | `days_to_expire_threshold`                       | Integer         |
+
 ## Azure
 
 ### Configurable Checks
@@ -59,7 +61,6 @@ The following list includes all the Azure checks with configurable variables tha
 ```yaml title="config.yaml"
 # AWS Configuration
 aws:
-
   # AWS Global Configuration
   # aws.allowlist_non_default_regions --> Allowlist Failed Findings in non-default regions for GuardDuty, SecurityHub, DRS and Config
   allowlist_non_default_regions: False
@@ -72,6 +73,7 @@ aws:
 
   # AWS EC2 Configuration
   # aws.ec2_elastic_ip_shodan
+  # TODO: create common config
   shodan_api_key: null
   # aws.ec2_securitygroup_with_many_ingress_egress_rules --> by default is 50 rules
   max_security_group_rules: 50
@@ -124,38 +126,43 @@ aws:
     ]
 
   # AWS Organizations
-  # organizations_scp_check_deny_regions
-  # organizations_enabled_regions: [
-  #   'eu-central-1',
-  #   'eu-west-1',
+  # aws.organizations_scp_check_deny_regions
+  # aws.organizations_enabled_regions: [
+  #   "eu-central-1",
+  #   "eu-west-1",
   #   "us-east-1"
   # ]
   organizations_enabled_regions: []
   organizations_trusted_delegated_administrators: []
 
   # AWS ECR
-  # ecr_repositories_scan_vulnerabilities_in_latest_image
+  # aws.ecr_repositories_scan_vulnerabilities_in_latest_image
   # CRITICAL
   # HIGH
   # MEDIUM
   ecr_repository_vulnerability_minimum_severity: "MEDIUM"
 
   # AWS Trusted Advisor
-  # trustedadvisor_premium_support_plan_subscribed
+  # aws.trustedadvisor_premium_support_plan_subscribed
   verify_premium_support_plans: True
 
   # AWS RDS
   # aws.rds_instance_backup_enabled
   # Whether to check RDS instance replicas or not
   check_rds_instance_replicas: False
 
+  # AWS ACM Configuration
+  # aws.acm_certificates_expiration_check
+  days_to_expire_threshold: 7
+
 # Azure Configuration
 azure:
   # Azure Network Configuration
   # azure.network_public_ip_shodan
+  # TODO: create common config
   shodan_api_key: null
 
-  # Azure App Configuration
+  # Azure App Service
   # azure.app_ensure_php_version_is_latest
   php_latest_version: "8.2"
   # azure.app_ensure_python_version_is_latest

diff --git a/docs/tutorials/ignore-unused-services.md b/docs/tutorials/ignore-unused-services.md
@@ -11,6 +11,12 @@ prowler <provider> --ignore-unused-services
 
 ## Services that can be ignored
 ### AWS
+#### ACM
+You can have certificates in ACM that is not in use by any AWS resource.
+Prowler will check if every certificate is going to expire soon, if this certificate is not in use by default it is not going to be check if it is expired, is going to expire soon or it is good.
+
+- `acm_certificates_expiration_check`
+
 #### Athena
 When you create an AWS Account, Athena will create a default primary workgroup for you.
 Prowler will check if that workgroup is enabled and if it is being used by checking if there were queries in the last 45 days.

diff --git a/prowler/config/config.yaml b/prowler/config/config.yaml
@@ -101,6 +101,10 @@ aws:
   # Whether to check RDS instance replicas or not
   check_rds_instance_replicas: False
 
+  # AWS ACM Configuration
+  # aws.acm_certificates_expiration_check
+  days_to_expire_threshold: 7
+
 # Azure Configuration
 azure:
   # Azure Network Configuration

diff --git a/prowler/lib/check/compliance.py b/prowler/lib/check/compliance.py
@@ -34,6 +34,7 @@ def update_checks_metadata_with_compliance(
             # Save it into the check's metadata
             bulk_checks_metadata[check].Compliance = check_compliance
 
+        check_compliance = []
         # Add requirements of Manual Controls
         for framework in bulk_compliance_frameworks.values():
             for requirement in framework.Requirements:
@@ -70,7 +71,6 @@ def update_checks_metadata_with_compliance(
                     "Recommendation": {"Text": "", "Url": ""},
                 },
                 "Categories": [],
-                "Tags": {},
                 "DependsOn": [],
                 "RelatedTo": [],
                 "Notes": "",

diff --git a/prowler/lib/outputs/outputs.py b/prowler/lib/outputs/outputs.py
@@ -67,15 +67,15 @@ def report(check_findings, output_options, audit_info):
                             compliance in output_options.output_modes
                             for compliance in available_compliance_frameworks
                         ):
-                            fill_compliance(
+                            add_manual_controls(
                                 output_options,
-                                finding,
                                 audit_info,
                                 file_descriptors,
                             )
 
-                            add_manual_controls(
+                            fill_compliance(
                                 output_options,
+                                finding,
                                 audit_info,
                                 file_descriptors,
                             )