
Prowler 2.0

@toniblyx toniblyx released this 27 Nov 05:09

New features:

  • Refactored code:
    • reduced the number of lines in the Prowler main script and added an includes folder whose parts make all components easy to find and manage
    • dedicated folder for checks, one check per file
    • same for groups of checks: you can now create custom groups and run Prowler against your own group (for example, only the checks your company needs)
    • moved Dockerfile to the utils folder
    • moved IAM policy additions to the iam folder
  • Output now displays PASS and FAIL instead of OK and WARNING.
  • Option -g <group_id>: run a specific group, either an existing one or a new one
  • Option -b: hide banner
  • Check whitelisting: thanks to the new group management, you can create your own checks based on your needs.
  • Custom checks: adding a new check is now easier; base it on the sample check and add it to a group, or create your own group.
  • Added version to the banner and changed description
  • Added new check extra723 that looks for public RDS snapshots (single and cluster)
  • Added check extra724 Certificate Transparency
  • Added check ID on every check and group title.
  • Added check extra725 S3 object-level logging (extras and forensics)
  • Added check extra726 Trusted Advisor errors and warnings
  • Added check extra727 SQS queues have a public policy
  • Added check extra728 SQS queues have encryption enabled
  • Added -V flag to see version
  • Added check extra729 no unencrypted EBS volumes
  • Added check extra730 ACM Certificates are about to expire in 7 days or less
  • Added check extra731 SNS topics have policy set as Public
  • Added check extra732 Geo restrictions are enabled in CloudFront distributions
  • Added check extra733 SAML providers are configured so that STS can be used
  • Added check extra734 S3 buckets have default encryption (SSE) enabled and policy to enforce it
  • Added check extra735 RDS instances storage is encrypted
  • Added check extra736 exposed KMS keys
  • Added check extra737 KMS keys with key rotation disabled
  • Added check extra738 CloudFront distributions are set to HTTPS
  • Added check extra739 ELBs have logging enabled
  • Added check extra740 EBS snapshots are encrypted
  • JSON output mode (-M json), thanks to @hb3b
  • Added support for running on Fargate, using metadata for credentials, thanks to @mattfinlayson
  • Added group checks for GDPR and HIPAA, thanks to @crashGoBoom for helping out with HIPAA

Improvements:

  • Adapted to the latest CIS for AWS 1.2, thanks to @gpatt
  • Option -l now lists all groups, not only the default ones, with the titles of all their checks.
  • Changed #!/bin/bash to #!/usr/bin/env bash (#182), thanks to @doshitan
  • Improved check28 (#181), thanks to @doshitan
  • Improved check41 and check44 (#180), thanks to @subramani95
  • Changed output functions to textInfo, textFail and textPass
  • Hide banner on CSV output mode for group check
  • Added version to banner
  • Improved current directory handler for includes
  • Improved error handling on check111
  • Improved instance profile handling issue #200, thanks to @netflash and @ceyes
  • Improved default region handling issue #202, thanks to @ceyes
  • Improvements on account ID handling in CSV output issue #205, thanks to @MrSecure
  • Improved check28, thanks to @nexeck
  • Improved check_extra73 to support graceful failing of buckets with corrupt/unintended permissions, thanks to @hb3b
  • Improved check111, thanks to @roo7break and @martinusnel
  • Improved check27
  • Improved group error handling
  • Improved check115, check315 and check13 and their documentation, thanks to @rheak
  • Improved extra725, thanks to @martinusnel
  • Improved username filtering for check12 for CIS 1.2, thanks to @gpatt
  • Improved username filtering for check116 for CIS 1.2, thanks to @gpatt
  • Improved extra713, thanks to @mbode
  • Improved credentials handling, thanks to @flomotlik
  • Improved check112 to avoid extra API call, thanks to @jlamande
  • Improved check29, thanks to @onkymykiss1

Fixes:

  • Fixed check22 (#194), thanks to @mbode
  • Fixed check717 (#188), thanks to @ahhh
  • Fixed required IAM permissions (#187), thanks to @rtkjbillo
  • Disabled concurrency in check_extra73 due to API limits
  • Fixed issue #268
  • Marked CIS level2 and 2 properly, and added the marker to the sample check, thanks to @MrSecure
  • Fixed mismatched check_type on check18 thanks to @MrSecure
  • Fixed typo on check311 thanks to @MrSecure
  • Ensure credential report is available before running any checks thanks to @MrSecure
  • Fixed checks on group3 to prevent duplicates, thanks to @myoung34
  • Fixed extra73 to use $PROFILE_OPT properly, thanks to @sidewinder12s
  • Fixed checks extra727 and extra728 to use $PROFILE_OPT properly, thanks to @tmonk42
  • Fixed check14, thanks to @atomdampflok
  • Fixed checks listing, thanks to @UranusBytes
  • Fixed check13 for never logged users, thanks to @jlamande

Documentation:

  • Added new way to create custom checks and custom groups
  • Improved Prowler description
  • Added command to save report to S3
  • Updated all CIS document links to the AWS version, thanks to @sidewinder12s
  • Changed the license of the non-CIS checks and the rest of the code (everything except the CIS checks) to Apache 2.0
  • Added license and commercial use disclaimer to README
  • Added info about GDPR and HIPAA
  • Improved README formatting and typos, thanks to @craighurley and @slmingol
  • Added the newly required IAM roles, thanks to @yapale, @mixmatch and @jlamande

Special thanks to:

@philipmeadows for his help and ideas on code refactoring