From e1013682c279a3a0e3f90e1f97ec9ef53ebef0ae Mon Sep 17 00:00:00 2001
From: Sergio
Date: Wed, 27 Mar 2024 14:36:44 +0100
Subject: [PATCH] change config vars
---
 docs/tutorials/configuration_file.md | 10 +-
 prowler/config/config.yaml | 159 +++++++++++++++++-
 ...cloudtrail_threat_detection_enumeration.py | 101 +----------
 ...l_threat_detection_privilege_escalation.py | 62 +------
 4 files changed, 173 insertions(+), 159 deletions(-)
diff --git a/docs/tutorials/configuration_file.md b/docs/tutorials/configuration_file.md
index c9a03a5950..343766b244 100644
--- a/docs/tutorials/configuration_file.md
+++ b/docs/tutorials/configuration_file.md
@@ -33,10 +33,12 @@ The following list includes all the AWS checks with configurable variables that
 | `drs_job_exist` | `mute_non_default_regions` | Boolean |
 | `guardduty_is_enabled` | `mute_non_default_regions` | Boolean |
 | `securityhub_enabled` | `mute_non_default_regions` | Boolean |
-| `cloudtrail_threat_detection_privilege_escalation` | `threat_detection_entropy` | Integer |
-| `cloudtrail_threat_detection_privilege_escalation` | `threat_detection_minutes` | Integer |
-| `cloudtrail_threat_detection_enumeration` | `threat_detection_entropy` | Integer |
-| `cloudtrail_threat_detection_enumeration` | `threat_detection_minutes` | Integer |
+| `cloudtrail_threat_detection_privilege_escalation` | `threat_detection_privilege_escalation_entropy` | Integer |
+| `cloudtrail_threat_detection_privilege_escalation` | `threat_detection_privilege_escalation_minutes` | Integer |
+| `cloudtrail_threat_detection_privilege_escalation` | `threat_detection_privilege_escalation_actions` | List of Strings |
+| `cloudtrail_threat_detection_enumeration` | `threat_detection_enumeration_entropy` | Integer |
+| `cloudtrail_threat_detection_enumeration` | `threat_detection_enumeration_minutes` | Integer |
+| `cloudtrail_threat_detection_enumeration` | `threat_detection_enumeration_actions` | List of Strings |
 ## Azure
 ### Configurable Checks
diff --git a/prowler/config/config.yaml b/prowler/config/config.yaml
index e0b5e2d4b2..1bddceef20 100644
--- a/prowler/config/config.yaml
+++ b/prowler/config/config.yaml
@@ -40,12 +40,6 @@ aws:
 # aws.cloudwatch_log_group_retention_policy_specific_days_enabled --> by default is 365 days
 log_group_retention_days: 365
- # AWS CloudTrail Configuration
- # aws.cloudtrail_threat_detection_privilege_escalation
- # aws.cloudtrail_threat_detection_enumeration
- threat_detection_entropy: 0.7 # Percentage of actions found to decide if it is an attack event, by default is 0.7 (70%)
- threat_detection_minutes: 1440 # Past minutes to check for attacks, by default is 1440 minutes (24 hours)
-
 # AWS AppStream Session Configuration
 # aws.appstream_fleet_session_idle_disconnect_timeout
 max_idle_disconnect_timeout_in_seconds: 600 # 10 Minutes
@@ -93,6 +87,159 @@ aws:
 # aws.trustedadvisor_premium_support_plan_subscribed
 verify_premium_support_plans: True
+ # AWS CloudTrail Configuration
+ # aws.cloudtrail_threat_detection_privilege_escalation
+ threat_detection_privilege_escalation_entropy: 0.7 # Percentage of actions found to decide if it is an privilege_escalation attack event, by default is 0.7 (70%)
+ threat_detection_privilege_escalation_minutes: 1440 # Past minutes to check for privilege_escalation attacks, by default is 1440 minutes (24 hours)
+ threat_detection_privilege_escalation_actions: [
+ "AddPermission",
+ "AddRoleToInstanceProfile",
+ "AddUserToGroup",
+ "AssociateAccessPolicy",
+ "AssumeRole",
+ "AttachGroupPolicy",
+ "AttachRolePolicy",
+ "AttachUserPolicy",
+ "ChangePassword",
+ "CreateAccessEntry",
+ "CreateAccessKey",
+ "CreateDevEndpoint",
+ "CreateEventSourceMapping",
+ "CreateFunction",
+ "CreateGroup",
+ "CreateJob",
+ "CreateKeyPair",
+ "CreateLoginProfile",
+ "CreatePipeline",
+ "CreatePolicyVersion",
+ "CreateRole",
+ "CreateStack",
+ "DeleteRolePermissionsBoundary",
+ "DeleteRolePolicy",
+ "DeleteUserPermissionsBoundary",
+ "DeleteUserPolicy",
+ "DetachRolePolicy",
+ "DetachUserPolicy",
+ "GetCredentialsForIdentity",
+ "GetId",
+ "GetPolicyVersion",
+ "GetUserPolicy",
+ "Invoke",
+ "ModifyInstanceAttribute",
+ "PassRole",
+ "PutGroupPolicy",
+ "PutPipelineDefinition",
+ "PutRolePermissionsBoundary",
+ "PutRolePolicy",
+ "PutUserPermissionsBoundary",
+ "PutUserPolicy",
+ "ReplaceIamInstanceProfileAssociation",
+ "RunInstances",
+ "SetDefaultPolicyVersion",
+ "UpdateAccessKey",
+ "UpdateAssumeRolePolicy",
+ "UpdateDevEndpoint",
+ "UpdateEventSourceMapping",
+ "UpdateFunctionCode",
+ "UpdateJob",
+ "UpdateLoginProfile",
+]
+ # aws.cloudtrail_threat_detection_enumeration
+ threat_detection_enumeration_entropy: 0.7 # Percentage of actions found to decide if it is an enumeration attack event, by default is 0.7 (70%)
+ threat_detection_enumeration_minutes: 1440 # Past minutes to check for enumeration attacks, by default is 1440 minutes (24 hours)
+ threat_detection_enumeration_actions: [
+ "DescribeAccessEntry",
+ "DescribeAccountAttributes",
+ "DescribeAvailabilityZones",
+ "DescribeBundleTasks",
+ "DescribeCarrierGateways",
+ "DescribeClientVpnRoutes",
+ "DescribeCluster",
+ "DescribeDhcpOptions",
+ "DescribeFlowLogs",
+ "DescribeImages",
+ "DescribeInstanceAttribute",
+ "DescribeInstanceInformation",
+ "DescribeInstanceTypes",
+ "DescribeInstances",
+ "DescribeInstances",
+ "DescribeKeyPairs",
+ "DescribeLogGroups",
+ "DescribeLogStreams",
+ "DescribeOrganization",
+ "DescribeRegions",
+ "DescribeSecurityGroups",
+ "DescribeSnapshotAttribute",
+ "DescribeSnapshotTierStatus",
+ "DescribeSubscriptionFilters",
+ "DescribeTransitGatewayMulticastDomains",
+ "DescribeVolumes",
+ "DescribeVolumesModifications",
+ "DescribeVpcEndpointConnectionNotifications",
+ "DescribeVpcs",
+ "GetAccount",
+ "GetAccountAuthorizationDetails",
+ "GetAccountSendingEnabled",
+ "GetBucketAcl",
+ "GetBucketLogging",
+ "GetBucketPolicy",
+ "GetBucketReplication",
+ "GetBucketVersioning",
+ "GetCallerIdentity",
+ "GetCertificate",
+ "GetConsoleScreenshot",
+ "GetCostAndUsage",
+ "GetDetector",
+ "GetEbsDefaultKmsKeyId",
+ "GetEbsEncryptionByDefault",
+ "GetFindings",
+ "GetFlowLogsIntegrationTemplate",
+ "GetIdentityVerificationAttributes",
+ "GetInstances",
+ "GetIntrospectionSchema",
+ "GetLaunchTemplateData",
+ "GetLaunchTemplateData",
+ "GetLogRecord",
+ "GetParameters",
+ "GetPolicyVersion",
+ "GetPublicAccessBlock",
+ "GetQueryResults",
+ "GetRegions",
+ "GetSMSAttributes",
+ "GetSMSSandboxAccountStatus",
+ "GetSendQuota",
+ "GetTransitGatewayRouteTableAssociations",
+ "GetUserPolicy",
+ "HeadObject",
+ "ListAccessKeys",
+ "ListAccounts",
+ "ListAllMyBuckets",
+ "ListAssociatedAccessPolicies",
+ "ListAttachedUserPolicies",
+ "ListClusters",
+ "ListDetectors",
+ "ListDomains",
+ "ListFindings",
+ "ListHostedZones",
+ "ListIPSets",
+ "ListIdentities",
+ "ListInstanceProfiles",
+ "ListObjects",
+ "ListOrganizationalUnitsForParent",
+ "ListOriginationNumbers",
+ "ListPolicyVersions",
+ "ListRoles",
+ "ListRoles",
+ "ListRules",
+ "ListServiceQuotas",
+ "ListSubscriptions",
+ "ListTargetsByRule",
+ "ListTopics",
+ "ListUsers",
+ "LookupEvents",
+ "Search",
+]
+
 # Azure Configuration
 azure:
 # Azure Network Configuration
diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_enumeration/cloudtrail_threat_detection_enumeration.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_enumeration/cloudtrail_threat_detection_enumeration.py
index f14f0fbbd0..505abdd5aa 100644
--- a/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_enumeration/cloudtrail_threat_detection_enumeration.py
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_enumeration/cloudtrail_threat_detection_enumeration.py
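Review bot: `threat_detection_enumeration_actions` ships three duplicated entries — `DescribeInstances`, `GetLaunchTemplateData` and `ListRoles` each appear twice — inherited from the removed Python list but now exposed as user-editable configuration. If the check compares the number of matched actions against the length of this list to apply the 0.7 threshold (the check body is not part of this patch), the duplicates inflate the denominator and quietly raise the effective bar, so the repeated lines should be dropped. `GetPolicyVersion` and `GetUserPolicy` are also listed under both `threat_detection_privilege_escalation_actions` and `threat_detection_enumeration_actions`; as read-only IAM calls they look like enumeration rather than escalation, and listing them in both places means one event counts toward two different findings. The comment on `threat_detection_privilege_escalation_entropy` reads "an privilege_escalation attack event"; `# Share of the listed actions that must be observed to flag a privilege-escalation event, by default 0.7 (70%)` is clearer, and the value is a ratio rather than an entropy, which the key name and comment could say.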
@@ -5,102 +5,15 @@
 cloudtrail_client,
 )
-ENTROPY_THRESHOLD = cloudtrail_client.audit_config.get("threat_detection_entropy", 0.7)
+ENTROPY_THRESHOLD = cloudtrail_client.audit_config.get(
+ "threat_detection_enumeration_entropy", 0.7
+)
 THREAT_DETECTION_MINUTES = cloudtrail_client.audit_config.get(
- "threat_detection_minutes", 1440
+ "threat_detection_enumeration_minutes", 1440
+)
+ENUMERATION_ACTIONS = cloudtrail_client.audit_config.get(
+ "threat_detection_enumeration_actions", []
 )
-ENUMERATION_ACTIONS = [
- "DescribeAccessEntry",
- "DescribeAccountAttributes",
- "DescribeAvailabilityZones",
- "DescribeBundleTasks",
- "DescribeCarrierGateways",
- "DescribeClientVpnRoutes",
- "DescribeCluster",
- "DescribeDhcpOptions",
- "DescribeFlowLogs",
- "DescribeImages",
- "DescribeInstanceAttribute",
- "DescribeInstanceInformation",
- "DescribeInstanceTypes",
- "DescribeInstances",
- "DescribeInstances",
- "DescribeKeyPairs",
- "DescribeLogGroups",
- "DescribeLogStreams",
- "DescribeOrganization",
- "DescribeRegions",
- "DescribeSecurityGroups",
- "DescribeSnapshotAttribute",
- "DescribeSnapshotTierStatus",
- "DescribeSubscriptionFilters",
- "DescribeTransitGatewayMulticastDomains",
- "DescribeVolumes",
- "DescribeVolumesModifications",
- "DescribeVpcEndpointConnectionNotifications",
- "DescribeVpcs",
- "GetAccount",
- "GetAccountAuthorizationDetails",
- "GetAccountSendingEnabled",
- "GetBucketAcl",
- "GetBucketLogging",
- "GetBucketPolicy",
- "GetBucketReplication",
- "GetBucketVersioning",
- "GetCallerIdentity",
- "GetCertificate",
- "GetConsoleScreenshot",
- "GetCostAndUsage",
- "GetDetector",
- "GetEbsDefaultKmsKeyId",
- "GetEbsEncryptionByDefault",
- "GetFindings",
- "GetFlowLogsIntegrationTemplate",
- "GetIdentityVerificationAttributes",
- "GetInstances",
- "GetIntrospectionSchema",
- "GetLaunchTemplateData",
- "GetLaunchTemplateData",
- "GetLogRecord",
- "GetParameters",
- "GetPolicyVersion",
- "GetPublicAccessBlock",
- "GetQueryResults",
- "GetRegions",
- "GetSMSAttributes",
- "GetSMSSandboxAccountStatus",
- "GetSendQuota",
- "GetTransitGatewayRouteTableAssociations",
- "GetUserPolicy",
- "HeadObject",
- "ListAccessKeys",
- "ListAccounts",
- "ListAllMyBuckets",
- "ListAssociatedAccessPolicies",
- "ListAttachedUserPolicies",
- "ListClusters",
- "ListDetectors",
- "ListDomains",
- "ListFindings",
- "ListHostedZones",
- "ListIPSets",
- "ListIdentities",
- "ListInstanceProfiles",
- "ListObjects",
- "ListOrganizationalUnitsForParent",
- "ListOriginationNumbers",
- "ListPolicyVersions",
- "ListRoles",
- "ListRoles",
- "ListRules",
- "ListServiceQuotas",
- "ListSubscriptions",
- "ListTargetsByRule",
- "ListTopics",
- "ListUsers",
- "LookupEvents",
- "Search",
-]
 class cloudtrail_threat_detection_enumeration(Check):
diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_privilege_escalation/cloudtrail_threat_detection_privilege_escalation.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_privilege_escalation/cloudtrail_threat_detection_privilege_escalation.py
index e679424bff..3a631e5124 100644
--- a/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_privilege_escalation/cloudtrail_threat_detection_privilege_escalation.py
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_privilege_escalation/cloudtrail_threat_detection_privilege_escalation.py
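Review bot: `ENUMERATION_ACTIONS` now falls back to `[]` when `threat_detection_enumeration_actions` is missing from the loaded config, while the entropy and minutes lookups right above it keep their in-code defaults (`0.7`, `1440`). Anyone running with a custom config file written before this change (the docs table in this patch lists the key as new) therefore gets an empty action list, and the check — whose body lies outside the hunk — presumably has nothing left to match and reports no enumeration at all: a detection control that fails open with no warning. Keep the removed list in the module as `DEFAULT_ENUMERATION_ACTIONS` and use it as the `.get()` default, or refuse to run on an empty list, e.g. `if not ENUMERATION_ACTIONS: raise ValueError("threat_detection_enumeration_actions is empty or missing from the config file")`. If the check only tests membership, wrapping the value in `set(...)` at load time would also neutralise the duplicate entries the YAML list carries. The class `cloudtrail_threat_detection_enumeration` continues past the end of the hunk.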
@@ -5,63 +5,15 @@
 cloudtrail_client,
 )
-ENTROPY_THRESHOLD = cloudtrail_client.audit_config.get("threat_detection_entropy", 0.7)
+ENTROPY_THRESHOLD = cloudtrail_client.audit_config.get(
+ "threat_detection_privilege_escalation_entropy", 0.7
+)
 THREAT_DETECTION_MINUTES = cloudtrail_client.audit_config.get(
- "threat_detection_minutes", 1440
+ "threat_detection_privilege_escalation_minutes", 1440
+)
+PRIVILEGE_ESCALATION_ACTIONS = cloudtrail_client.audit_config.get(
+ "threat_detection_privilege_escalation_actions", []
 )
-PRIVILEGE_ESCALATION_ACTIONS = [
- "AddPermission",
- "AddRoleToInstanceProfile",
- "AddUserToGroup",
- "AssociateAccessPolicy",
- "AssumeRole",
- "AttachGroupPolicy",
- "AttachRolePolicy",
- "AttachUserPolicy",
- "ChangePassword",
- "CreateAccessEntry",
- "CreateAccessKey",
- "CreateDevEndpoint",
- "CreateEventSourceMapping",
- "CreateFunction",
- "CreateGroup",
- "CreateJob",
- "CreateKeyPair",
- "CreateLoginProfile",
- "CreatePipeline",
- "CreatePolicyVersion",
- "CreateRole",
- "CreateStack",
- "DeleteRolePermissionsBoundary",
- "DeleteRolePolicy",
- "DeleteUserPermissionsBoundary",
- "DeleteUserPolicy",
- "DetachRolePolicy",
- "DetachUserPolicy",
- "GetCredentialsForIdentity",
- "GetId",
- "GetPolicyVersion",
- "GetUserPolicy",
- "Invoke",
- "ModifyInstanceAttribute",
- "PassRole",
- "PutGroupPolicy",
- "PutPipelineDefinition",
- "PutRolePermissionsBoundary",
- "PutRolePolicy",
- "PutUserPermissionsBoundary",
- "PutUserPolicy",
- "ReplaceIamInstanceProfileAssociation",
- "RunInstances",
- "SetDefaultPolicyVersion",
- "UpdateAccessKey",
- "UpdateAssumeRolePolicy",
- "UpdateDevEndpoint",
- "UpdateEventSourceMapping",
- "UpdateFunctionCode",
- "UpdateJob",
- "UpdateLoginProfile",
-]
 class cloudtrail_threat_detection_privilege_escalation(Check):
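Review bot: `PRIVILEGE_ESCALATION_ACTIONS` defaults to `[]` when `threat_detection_privilege_escalation_actions` is absent, so a pre-existing custom config file silently turns the privilege-escalation detection into a no-op, whereas `ENTROPY_THRESHOLD` and `THREAT_DETECTION_MINUTES` beside it still degrade to sensible values (`0.7`, `1440`). The list that this hunk deletes is exactly the default you want; keep it as a module constant and pass it to `.get()`, e.g. `PRIVILEGE_ESCALATION_ACTIONS = cloudtrail_client.audit_config.get("threat_detection_privilege_escalation_actions", DEFAULT_PRIVILEGE_ESCALATION_ACTIONS)`, or make an empty list a hard error rather than a quiet PASS. A one-line comment above the three lookups — `# Read at import time from the loaded config; a missing key must not disable the detector` — would record the intent for the next person who touches the defaults. The check class that consumes these constants starts on the last hunk line and continues outside the hunk.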