diff --git a/docs/tutorials/mutelist.md b/docs/tutorials/mutelist.md index ec2af11dc0..6464ebf658 100644 --- a/docs/tutorials/mutelist.md +++ b/docs/tutorials/mutelist.md @@ -1,14 +1,14 @@ -# Mute Listing +# Mutelisting Sometimes you may find resources that are intentionally configured in a certain way that may be a bad practice but it is all right with it, for example an AWS S3 Bucket open to the internet hosting a web site, or an AWS Security Group with an open port needed in your use case. -Mute List option works along with other options and adds a `MUTED` instead of `MANUAL`, `PASS` or `FAIL` to any output format. +Mutelist option works along with other options and adds a `MUTED` instead of `MANUAL`, `PASS` or `FAIL` to any output format. You can use `-w`/`--mutelist-file` with the path of your mutelist yaml file: ``` prowler -w mutelist.yaml ``` -## Mute List Yaml File Syntax +## Mutelist Yaml File Syntax ???+ note For Azure provider, the Account ID is the Subscription Name and the Region is the Location. @@ -19,7 +19,7 @@ prowler -w mutelist.yaml ???+ note For Kubernetes provider, the Account ID is the Cluster Name and the Region is the Namespace. -The Mute List file is a YAML file with the following syntax: +The Mutelist file is a YAML file with the following syntax: ```yaml ### Account, Check and/or Region can be * to apply for all the cases. @@ -27,8 +27,8 @@ The Mute List file is a YAML file with the following syntax: ### Tags is an optional list that matches on tuples of 'key=value' and are "ANDed" together. ### Use an alternation Regex to match one of multiple tags with "ORed" logic. ### For each check you can except Accounts, Regions, Resources and/or Tags. - ########################### MUTE LIST EXAMPLE ########################### - Mute List: + ########################### MUTELIST EXAMPLE ########################### + Mutelist: Accounts: "123456789012": Checks: 
@@ -97,7 +97,7 @@ The Mute List file is a YAML file with the following syntax: ## Mute specific AWS regions If you want to mute failed findings only in specific regions, create a file with the following syntax and run it with `prowler aws -w mutelist.yaml`: - Mute List: + Mutelist: Accounts: "*": Checks: @@ -108,16 +108,16 @@ If you want to mute failed findings only in specific regions, create a file with Resources: - "*" -## Default AWS Mute List -For the AWS Provider, Prowler is executed with a Default AWS Mute List with the AWS Resources that should be muted such as all resources created by AWS Control Tower when setting up a landing zone. -You can see this Mute List file in [`prowler/config/aws_mutelist.yaml`](https://github.com/prowler-cloud/prowler/blob/master/prowler/config/aws_allowlist.yaml). +## Default AWS Mutelist +For the AWS Provider, Prowler is executed with a Default AWS Mutelist with the AWS Resources that should be muted such as all resources created by AWS Control Tower when setting up a landing zone. +You can see this Mutelist file in [`prowler/config/aws_mutelist.yaml`](https://github.com/prowler-cloud/prowler/blob/master/prowler/config/aws_allowlist.yaml). -## Supported AWS Mute List Locations +## Supported AWS Mutelist Locations The mutelisting flag supports the following AWS locations when using the AWS Provider: ### AWS S3 URI -You will need to pass the S3 URI where your Mute List YAML file was uploaded to your bucket: +You will need to pass the S3 URI where your Mutelist YAML file was uploaded to your bucket: ``` prowler aws -w s3:////mutelist.yaml ``` @@ -126,7 +126,7 @@ prowler aws -w s3:////mutelist.yaml ### AWS DynamoDB Table ARN -You will need to pass the DynamoDB Mute List Table ARN: +You will need to pass the DynamoDB Mutelist Table ARN: ``` prowler aws -w arn:aws:dynamodb:::table/ 
@@ -135,7 +135,7 @@ prowler aws -w arn:aws:dynamodb:::table/ 1. The DynamoDB Table must have the following String keys: -- The Mute List Table must have the following columns: +- The Mutelist Table must have the following columns: - Accounts (String): This field can contain either an Account ID or an `*` (which applies to all the accounts that use this table as an mutelist). - Checks (String): This field can contain either a Prowler Check Name or an `*` (which applies to all the scanned checks). - Regions (List): This field contains a list of regions where this mutelist rule is applied (it can also contains an `*` to apply all scanned regions). @@ -170,14 +170,14 @@ Make sure that the credentials that Prowler uses can invoke the Lambda Function: Resource: arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME ``` -The Lambda Function can then generate an Mute List dynamically. Here is the code an example Python Lambda Function that -generates an Mute List: +The Lambda Function can then generate an Mutelist dynamically. Here is the code an example Python Lambda Function that +generates an Mutelist: ``` def handler(event, context): checks = {} checks["vpc_flow_logs_enabled"] = { "Regions": [ "*" ], "Resources": [ "" ], Optional("Tags"): [ "key:value" ] } - al = { "Mute List": { "Accounts": { "*": { "Checks": checks } } } } + al = { "Mutelist": { "Accounts": { "*": { "Checks": checks } } } } return al ``` diff --git a/mkdocs.yml b/mkdocs.yml index fa4dea4776..7bc8c28f68 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -42,7 +42,7 @@ nav: - Slack Integration: tutorials/integrations.md - Configuration File: tutorials/configuration_file.md - Logging: tutorials/logging.md - - Mute List: tutorials/mutelist.md + - Mutelist: tutorials/mutelist.md - Check Aliases: tutorials/check-aliases.md - Custom Metadata: tutorials/custom-checks-metadata.md - Scan Unused Services: tutorials/scan-unused-services.md 
diff --git a/prowler/__main__.py b/prowler/__main__.py index 46cc7dd2d4..f73b77b2bc 100644 --- a/prowler/__main__.py +++ b/prowler/__main__.py @@ -194,7 +194,7 @@ def prowler(): # Sort final check list checks_to_execute = sorted(checks_to_execute) - # Setup Mute List + # Setup Mutelist global_provider.mutelist = args.mutelist_file # Setup Output Options diff --git a/prowler/config/aws_mutelist.yaml b/prowler/config/aws_mutelist.yaml index facda6b51d..be30d3df6e 100644 --- a/prowler/config/aws_mutelist.yaml +++ b/prowler/config/aws_mutelist.yaml @@ -1,4 +1,4 @@ -Mute List: +Mutelist: Accounts: "*": ########################### AWS CONTROL TOWER ########################### diff --git a/prowler/config/aws_mutelist_example.yaml b/prowler/config/aws_mutelist_example.yaml index 64a2493945..b0a1c87fd7 100644 --- a/prowler/config/aws_mutelist_example.yaml +++ b/prowler/config/aws_mutelist_example.yaml @@ -3,8 +3,8 @@ ### Tags is an optional list that matches on tuples of 'key=value' and are "ANDed" together. ### Use an alternation Regex to match one of multiple tags with "ORed" logic. ### For each check you can except Accounts, Regions, Resources and/or Tags. -########################### MUTE LIST EXAMPLE ########################### -Mute List: +########################### MUTELIST EXAMPLE ########################### +Mutelist: Accounts: "123456789012": Checks: diff --git a/prowler/config/azure_mutelist_example.yaml b/prowler/config/azure_mutelist_example.yaml index 7fc2172d80..d008ddffaa 100644 --- a/prowler/config/azure_mutelist_example.yaml +++ b/prowler/config/azure_mutelist_example.yaml 
@@ -4,8 +4,8 @@ ### Tags is an optional list that matches on tuples of 'key=value' and are "ANDed" together. ### Use an alternation Regex to match one of multiple tags with "ORed" logic. ### For each check you can except Accounts, Regions, Resources and/or Tags. -########################### MUTE LIST EXAMPLE ########################### -Mute List: +########################### MUTELIST EXAMPLE ########################### +Mutelist: Accounts: "Azure subscription 1": Checks: diff --git a/prowler/config/gcp_mutelist_example.yaml b/prowler/config/gcp_mutelist_example.yaml index 1631c9c85d..78d5ea1179 100644 --- a/prowler/config/gcp_mutelist_example.yaml +++ b/prowler/config/gcp_mutelist_example.yaml @@ -4,8 +4,8 @@ ### Tags is an optional list that matches on tuples of 'key=value' and are "ANDed" together. ### Use an alternation Regex to match one of multiple tags with "ORed" logic. ### For each check you can except Accounts, Regions, Resources and/or Tags. -########################### MUTE LIST EXAMPLE ########################### -Mute List: +########################### MUTELIST EXAMPLE ########################### +Mutelist: Accounts: "gcp-project-id-1": Checks: diff --git a/prowler/config/kubernetes_mutelist_example.yaml b/prowler/config/kubernetes_mutelist_example.yaml index 727d3bebf6..060db0910a 100644 --- a/prowler/config/kubernetes_mutelist_example.yaml +++ b/prowler/config/kubernetes_mutelist_example.yaml @@ -4,8 +4,8 @@ ### Tags is an optional list that matches on tuples of 'key=value' and are "ANDed" together. ### Use an alternation Regex to match one of multiple tags with "ORed" logic. ### For each check you can except Accounts, Regions, Resources and/or Tags. -########################### MUTE LIST EXAMPLE ########################### -Mute List: +########################### MUTELIST EXAMPLE ########################### +Mutelist: Accounts: "k8s-cluster-1": Checks: 
diff --git a/prowler/lib/check/check.py b/prowler/lib/check/check.py index 467ea0de7c..61289a316c 100644 --- a/prowler/lib/check/check.py +++ b/prowler/lib/check/check.py @@ -576,7 +576,7 @@ def execute_checks( messages = [f"Config File: {Fore.YELLOW}{config_file}{Style.RESET_ALL}"] if mutelist_file: messages.append( - f"Mute List File: {Fore.YELLOW}{mutelist_file}{Style.RESET_ALL}" + f"Mutelist File: {Fore.YELLOW}{mutelist_file}{Style.RESET_ALL}" ) if global_provider.type == "aws": messages.append( @@ -670,7 +670,7 @@ def execute( global_provider.audit_metadata, services_executed, checks_executed ) - # Mute List findings + # Mutelist findings if hasattr(global_provider, "mutelist") and global_provider.mutelist: check_findings = mutelist_findings( global_provider, diff --git a/prowler/lib/cli/parser.py b/prowler/lib/cli/parser.py index c451c0eb0c..7be89362ac 100644 --- a/prowler/lib/cli/parser.py +++ b/prowler/lib/cli/parser.py @@ -314,9 +314,7 @@ def __init_list_checks_parser__(self): ) def __init_mutelist_parser__(self): - mutelist_subparser = self.common_providers_parser.add_argument_group( - "Mute List" - ) + mutelist_subparser = self.common_providers_parser.add_argument_group("Mutelist") provider = sys.argv[1] if len(sys.argv) > 1 else "aws" mutelist_subparser.add_argument( "--mutelist-file", diff --git a/prowler/lib/mutelist/mutelist.py b/prowler/lib/mutelist/mutelist.py index 8cb99e8e64..432f5ef121 100644 --- a/prowler/lib/mutelist/mutelist.py +++ b/prowler/lib/mutelist/mutelist.py @@ -44,7 +44,7 @@ def parse_mutelist_file( s3_client = aws_session.client("s3") mutelist = yaml.safe_load( s3_client.get_object(Bucket=bucket, Key=key)["Body"] - )["Mute List"] + )["Mutelist"] # Check if file is a Lambda Function ARN elif re.search(r"^arn:(\w+):lambda:", mutelist_path): lambda_region = mutelist_path.split(":")[3] 
@@ -53,7 +53,7 @@ def parse_mutelist_file( FunctionName=mutelist_path, InvocationType="RequestResponse" ) lambda_payload = lambda_response["Payload"].read() - mutelist = yaml.safe_load(lambda_payload)["Mute List"] + mutelist = yaml.safe_load(lambda_payload)["Mutelist"] # Check if file is a DynamoDB ARN elif re.search( r"^arn:aws(-cn|-us-gov)?:dynamodb:[a-z]{2}-[a-z-]+-[1-9]{1}:[0-9]{12}:table\/[a-zA-Z0-9._-]+$", @@ -96,12 +96,12 @@ def parse_mutelist_file( ] = item["Exceptions"] else: with open(mutelist_path) as f: - mutelist = yaml.safe_load(f)["Mute List"] + mutelist = yaml.safe_load(f)["Mutelist"] try: mutelist_schema.validate(mutelist) except Exception as error: logger.critical( - f"{error.__class__.__name__} -- Mute List YAML is malformed - {error}[{error.__traceback__.tb_lineno}]" + f"{error.__class__.__name__} -- Mutelist YAML is malformed - {error}[{error.__traceback__.tb_lineno}]" ) sys.exit(1) return mutelist diff --git a/tests/lib/mutelist/fixtures/aws_mutelist.yaml b/tests/lib/mutelist/fixtures/aws_mutelist.yaml index 70fcb29aaa..a18dd7b202 100644 --- a/tests/lib/mutelist/fixtures/aws_mutelist.yaml +++ b/tests/lib/mutelist/fixtures/aws_mutelist.yaml @@ -3,8 +3,8 @@ ### Tags is an optional list that matches on tuples of 'key=value' and are "ANDed" together. ### Use an alternation Regex to match one of multiple tags with "ORed" logic. ### For each check you can except Accounts, Regions, Resources and/or Tags. -########################### MUTE LIST EXAMPLE ########################### -Mute List: +########################### MUTELIST EXAMPLE ########################### +Mutelist: Accounts: "123456789012": Checks: diff --git a/tests/lib/mutelist/mutelist_test.py b/tests/lib/mutelist/mutelist_test.py index b68b579e01..f89f47704f 100644 --- a/tests/lib/mutelist/mutelist_test.py +++ b/tests/lib/mutelist/mutelist_test.py 
@@ -39,7 +39,7 @@ def test_s3_mutelist(self): ) with open("tests//lib/mutelist/fixtures/aws_mutelist.yaml") as f: - assert yaml.safe_load(f)["Mute List"] == parse_mutelist_file( + assert yaml.safe_load(f)["Mutelist"] == parse_mutelist_file( "s3://test-mutelist/mutelist.yaml", aws_provider.session.current_session, aws_provider.identity.account, diff --git a/tests/providers/aws/aws_provider_test.py b/tests/providers/aws/aws_provider_test.py index e077755b8d..f4100ed6b8 100644 --- a/tests/providers/aws/aws_provider_test.py +++ b/tests/providers/aws/aws_provider_test.py @@ -529,7 +529,7 @@ def test_aws_provider_mutelist(self): } } } - mutelist_content = {"Mute List": mutelist} + mutelist_content = {"Mutelist": mutelist} config_file = tempfile.NamedTemporaryFile(delete=False) with open(config_file.name, "w") as allowlist_file:
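Review bot: the unchanged intro sentence in the first hunk of docs/tutorials/mutelist.md, "that may be a bad practice but it is all right with it", is ungrammatical and worth fixing while this file is being touched; "that may be a bad practice but is acceptable in your context" keeps the meaning. The same hunk's `???+ note` admonitions define Account ID and Region per provider, so consider also stating there that the top-level YAML key is now `Mutelist` and that files using the previous `Mute List` key must be updated, since the rename is user-visible.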
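Review bot: the link in the `## Default AWS Mutelist` hunk of docs/tutorials/mutelist.md still points at `prowler/config/aws_allowlist.yaml` while its visible text reads `prowler/config/aws_mutelist.yaml`, and the file this same patch edits is `prowler/config/aws_mutelist.yaml`; update the href to `https://github.com/prowler-cloud/prowler/blob/master/prowler/config/aws_mutelist.yaml` so the rename does not ship a dead link.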
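Review bot: the DynamoDB hunk of docs/tutorials/mutelist.md leaves two grammar slips in its context lines, "that use this table as an mutelist" (should be "as a mutelist") and "it can also contains an `*`" (should be "it can also contain an `*`"); the list header `1. The DynamoDB Table must have the following String keys:` is also immediately repeated by `- The Mutelist Table must have the following columns:`, so one of the two should go.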
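Review bot: in the Lambda example hunk of docs/tutorials/mutelist.md, `Optional("Tags"): [ "key:value" ]` is `schema`-library validation syntax that a plain Lambda handler does not define, so the snippet as shown raises `NameError`; write the key as the string `"Tags"` (or drop it, since it is optional). The tag value there, `key:value`, also disagrees with the `key=value` tuple format documented in the YAML comment hunks of the same file, and the surrounding prose keeps `an Mutelist` twice (should be `a Mutelist`) and `Here is the code an example Python Lambda Function` (should be `Here is the code of an example ...`).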
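Review bot: in prowler/lib/mutelist/mutelist.py the rename of the top-level key is a breaking change for every existing mutelist on disk, in S3 or returned by a Lambda, and in the local-file hunk `mutelist = yaml.safe_load(f)["Mutelist"]` is evaluated before the `try: mutelist_schema.validate(mutelist)` block, so a file that still says `Mute List:` exits with a raw `KeyError` traceback instead of the `Mutelist YAML is malformed` message. Suggest loading the document first and accepting both keys for a deprecation period, e.g. `doc = yaml.safe_load(f)` then `mutelist = doc.get("Mutelist", doc.get("Mute List"))`, logging a deprecation warning when the old key is used, applying the same to the S3 and Lambda branches in the earlier hunks, and calling the rename out in the release notes.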
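Review bot: the context line `with open("tests//lib/mutelist/fixtures/aws_mutelist.yaml") as f:` in tests/lib/mutelist/mutelist_test.py carries a doubled slash in the path; it happens to work but should be `tests/lib/mutelist/fixtures/aws_mutelist.yaml` now that the line is adjacent to this change.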
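Review bot: the trailing context line `with open(config_file.name, "w") as allowlist_file:` in tests/providers/aws/aws_provider_test.py still uses the pre-rename `allowlist` name; since this patch exists to retire the old terminology, rename the handle to `mutelist_file` here, and `config_file` is a misleading name for a temporary mutelist fixture as well.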