
Open-Source Tool Series (3): Prowler

Prowler

Project address

GitHub project: hummerrisk/prowler

1. What is Prowler

What is Prowler

  • Prowler is a command-line tool that helps you with AWS security assessment, auditing, hardening and incident response.
  • It follows the guidelines of the CIS Amazon Web Services Foundations Benchmark (49 checks) and has more than 100 additional checks, including ones related to GDPR, HIPAA, PCI-DSS, ISO-27001, FFIEC, SOC2 and others.

2. Installing Prowler

  1. Prowler is written in bash on top of the AWS-CLI described below; it runs on Linux, Mac OS, or on Windows using Cygwin or virtualization. It also needs jq and detect-secrets to work properly.
  2. Make sure the latest version of the AWS-CLI is installed. Prowler works with v1 or v2, but the latest v2 is recommended when using new regions, since they require STS v2 tokens and other components; Python pip must also be installed.

For Amazon Linux (yum-based Linux distributions and AWS CLI v2)

sudo yum update -y
sudo yum remove -y awscli
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
sudo yum install -y python3 jq git
sudo pip3 install detect-secrets==1.0.3
git clone https://github.com/prowler-cloud/prowler

For Ubuntu Linux (apt-based Linux distributions and AWS CLI v2)

sudo apt update
sudo apt install python3 python3-pip jq git zip
pip install detect-secrets==1.0.3
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
git clone https://github.com/prowler-cloud/prowler

Note

Note: the Yelp version of detect-secrets is no longer supported; the version maintained by IBM is now used. Use the version pinned in the commands above, the specific Yelp release 1.0.3, to make sure it works as expected (pip install detect-secrets==1.0.3).

# The AWS-CLI can also be installed in other ways; see the official documentation: https://aws.amazon.com/cli/. detect-secrets, however, must be installed with pip or pip3.
# After cloning the Prowler repository, enter the folder and run it
cd prowler
./prowler

3. Using Prowler

Using Prowler

# Tool usage:
cd prowler
./prowler -h

USAGE

# The command above prints the tool's help; the commonly used options are listed below:
prowler [ -p <profile> -r <region>  -h ]

Options:

Option  Description
-p specify your AWS profile to use (i.e.: default)
-r specify an AWS region to direct API requests to (i.e.: us-east-1), all regions are checked anyway if the check requires it
-c specify one or multiple check ids separated by commas, to see all available checks use -l option (i.e.: check11 for check 1.1 or extra71,extra72 for extra check 71 and extra check 72)
-C Checklist file. See checklist.txt for reference and format.(i.e.: checklist.txt)
-g specify a group of checks by id, to see all available group of checks use -L (i.e.: group3 for entire section 3, cislevel1 for CIS Level 1 Profile Definitions or forensics-ready)
-f specify an AWS region to run checks against (i.e.: us-west-1 or for multiple regions use single quote like 'us-west-1 us-west-2')
-m specify the maximum number of items to return for long-running requests (default: 100)
-M output mode: text (default), mono, html, json, json-asff, junit-xml, csv. They can be used combined comma separated. (separator is ,; data is on stdout; progress on stderr).
-k keep the credential report
-n show check numbers to sort easier (i.e.: 1.01 instead of 1.1)
-l list all available checks only (does not perform any check). Add -g to only list checks within the specified group
-L list all groups (does not perform any check)
-e exclude group extras
-E execute all tests except a list of specified checks separated by comma (i.e. check21,check31)
-b do not print Prowler banner
-s show scoring report
-S send check output to AWS Security Hub - only valid when the output mode is json-asff (i.e. -M json-asff -S)
-x specify external directory with custom checks (i.e. /my/own/checks, files must start by check)
-q suppress info messages and passing test output
-A account id for the account where to assume a role, requires -R and -T (i.e.: 123456789012)
-R role name to assume in the account, requires -A and -T (i.e.: ProwlerRole)
-T session duration given to that role credentials in seconds, default 1h (3600) recommended 12h, requires -R and -T (i.e.: 43200)
-I External ID to be used when assuming roles (not mandatory), requires -A and -R
-w whitelist file. See whitelist_sample.txt for reference and format (i.e.: whitelist_sample.txt)
-N Shodan API key used by check extra7102.
-o Custom output directory, if not specified will use default prowler/output, requires -M (i.e.: -M csv -o /tmp/reports/)
-B Custom output bucket, requires -M and it can work also with -o flag. (i.e.: -M csv -B my-bucket or -M csv -B my-bucket/folder/)
-D Same as -B but do not use the assumed role credentials to put objects to the bucket, instead uses the initial credentials.
-F Custom output report name, if not specified will use default output/prowler-output-ACCOUNT_NUM-OUTPUT_DATE
-z Failed checks do not trigger exit code 3.
-Z Specify one or multiple check ids separated by commas that will trigger exit code 3 if they fail. Unspecified checks will not trigger exit code 3. This will override "-z".(i.e.: "-Z check11,check12" will cause check11 and/or check12 to trigger exit code 3)
-O Specify AWS Organizations management account ID. Used to get account details, requires -R. (requires organizations:ListAccounts* and organizations:ListTagsForResource)
-a Build your own on-the-fly custom check by specifying the AWS CLI command to execute. Requires "-c extra9999". Omit the "aws" command and only use its parameters within quotes. Do not nest quotes in the aws parameter. Note that --output text is already included in the check. i.e. -a 'ec2 describe-security-groups --filters Name=ip-permission.to-port,Values=80 --query SecurityGroups[*].GroupId[]]'
-V show version number & exit
-h this help
-d Send output to database through database connectors supported, currently only PostgreSQL. Prowler will get the credentials and table name from your ~/.pgpass file.
-i Run Prowler Quick Inventory. The inventory will be stored in an output csv by default.
-u Add audit_id field to use with postgres connector.
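As an added example (not part of the original post or of the Prowler project), the following wrapper combines the options above for a CI gate: it builds a cross-account assume-role scan with csv/json output, maps Prowler's exit code 3 to a verdict, and counts FAIL rows per check in the csv report. The profile name, account id, role name and the csv rows are constructed sample values; the csv column layout (PROFILE,ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,...) is assumed.

```bash
#!/usr/bin/env bash
# Added example: wrap ./prowler for use in a pipeline. Values below are constructed.
set -u

# Build the argument list for a cross-account scan.
# -A/-R/-T belong together (the page: -T requires -R, default 3600 s);
# -M csv,json writes both formats, -o requires -M, -b drops the banner,
# -q keeps only failures, and -Z makes exactly these checks drive exit code 3.
# Usage: build_prowler_args <profile> <account_id> <role> <check_ids> <outdir>
build_prowler_args() {
    local profile="$1" account="$2" role="$3" checks="$4" outdir="$5"
    printf '%s' "-p $profile -A $account -R $role -T 3600 -c $checks -M csv,json -o $outdir -b -q -Z $checks"
}

# Map Prowler's exit status to a pipeline verdict.
# 3 = at least one check named in -Z failed (documented on the page);
# treating any other non-zero status as a tool/credential error is an assumption.
interpret_exit() {
    case "$1" in
        0) echo "pass" ;;
        3) echo "fail" ;;
        *) echo "error" ;;
    esac
}

# Count FAIL rows per TITLE_ID from a csv report read on stdin.
# Assumes TITLE_ID is column 4 and CHECK_RESULT column 5, and that no field
# contains an embedded comma; a real report needs a csv-aware parser for that.
count_failures() {
    awk -F, 'NR > 1 && $5 == "FAIL" { n[$4]++ }
             END { for (k in n) printf "%s %d\n", k, n[k] }' | sort
}

# Constructed sample report in the assumed column layout (not real scan output).
sample_report() {
    cat <<'EOF'
PROFILE,ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,ITEM_SCORED,ITEM_LEVEL,TITLE_TEXT
audit,123456789012,us-east-1,1.1,FAIL,Scored,Level 1,Avoid the use of the root account
audit,123456789012,us-east-1,1.1,FAIL,Scored,Level 1,Avoid the use of the root account
audit,123456789012,us-east-1,1.2,FAIL,Scored,Level 1,Ensure MFA is enabled for all IAM users
audit,123456789012,us-east-1,1.3,PASS,Scored,Level 1,Ensure unused credentials are disabled
EOF
}

# Only runs the real scan when invoked as: ./wrapper.sh run
if [ "${1:-}" = "run" ]; then
    # shellcheck disable=SC2046  # word-splitting of the argument string is intended
    ./prowler $(build_prowler_args audit 123456789012 ProwlerRole check11,check12 /tmp/reports)
    interpret_exit "$?"
fi
```

Run the wrapper from the prowler directory; the verdict line can be fed straight into a pipeline step that blocks on "fail".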

4. Running Prowler checks

prowler