Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(networkfirewall): add new check networkfirewall_logging_enabled #5145

Merged
merged 15 commits into from
Oct 2, 2024
Merged

feat(networkfirewall): add new check networkfirewall_logging_enabled #5145

merged 15 commits into from
Oct 2, 2024

Conversation

HugoPBrito
Copy link
Member

Context

The security of our network is vital to protect sensitive data and infrastructure. Without logging enabled on AWS Network Firewall, we lose visibility into network traffic and firewall actions, which can lead to vulnerabilities and compliance issues.

Description

This check fails when logging is not enabled in 1 or more Network Firewall firewalls and returns a list of them.

Checklist

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@HugoPBrito HugoPBrito requested review from a team as code owners September 23, 2024 10:16
@github-actions github-actions bot added the provider/aws Issues/PRs related with the AWS provider label Sep 23, 2024
@codecov Codecov
Copy link

codecov bot commented Sep 23, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 84.00000% with 8 lines in your changes missing coverage. Please review.

Project coverage is 89.09%. Comparing base (8805230) to head (43706da).
Report is 15 commits behind head on master.

Files with missing lines Patch % Lines
...ervices/networkfirewall/networkfirewall_service.py 73.33% 8 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #5145      +/-   ##
==========================================
- Coverage   89.12%   89.09%   -0.03%     
==========================================
  Files         993      998       +5     
  Lines       30509    30693     +184     
==========================================
+ Hits        27190    27346     +156     
- Misses       3319     3347      +28

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

MrCloudSec
MrCloudSec reviewed Sep 24, 2024
View reviewed changes
.../services/networkfirewall/networkfirewall_logging_enabled/networkfirewall_logging_enabled.py Outdated
Comment on lines 21 to 23

print(firewall.logging_configuration)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
print(firewall.logging_configuration)

MrCloudSec
MrCloudSec reviewed Sep 24, 2024
View reviewed changes
prowler/providers/aws/services/networkfirewall/networkfirewall_service.py Outdated
"Network Firewall - Describe Network Firewalls Logging Configuration..."
)
try:
for network_firewall in self.network_firewalls:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use the dict logic please.

MrCloudSec
MrCloudSec reviewed Sep 24, 2024
View reviewed changes
.../services/networkfirewall/networkfirewall_logging_enabled/networkfirewall_logging_enabled.py Outdated
Comment on lines 25 to 28
if (
configuration.log_type in LogType
and configuration.log_destination != {}
):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The logic should be:

The control fails if logging isn't enabled for at least one log type or if the logging destination doesn't exist.

MrCloudSec
MrCloudSec reviewed Sep 24, 2024
View reviewed changes
...etworkfirewall/networkfirewall_logging_enabled/networkfirewall_logging_enabled.metadata.json Outdated
"CheckType": [
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53"
],
"ServiceName": "Network Firewall",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"ServiceName": "Network Firewall",
"ServiceName": "networkfirewall",

MrCloudSec
MrCloudSec reviewed Sep 24, 2024
View reviewed changes
...etworkfirewall/networkfirewall_logging_enabled/networkfirewall_logging_enabled.metadata.json Outdated
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53"
],
"ServiceName": "Network Firewall",
"SubServiceName": "Logging",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"SubServiceName": "Logging",
"SubServiceName": "",

MrCloudSec
MrCloudSec reviewed Sep 24, 2024
View reviewed changes
...etworkfirewall/networkfirewall_logging_enabled/networkfirewall_logging_enabled.metadata.json Outdated
"SubServiceName": "Logging",
"ResourceIdTemplate": "arn:partition:network-firewall::account-id:firewall/firewall-name",
"Severity": "medium",
"ResourceType": "AwsNetworkFirewallLoggingConfiguration",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"ResourceType": "AwsNetworkFirewallLoggingConfiguration",
"ResourceType": "AwsNetworkFirewallFirewall",

@MrCloudSec MrCloudSec self-requested a review October 2, 2024 15:27
@MrCloudSec MrCloudSec merged commit ff10108 into master Oct 2, 2024
9 of 11 checks passed
@MrCloudSec MrCloudSec deleted the PRWLR-4556-ensure-logging-is-enabled-for-aws-network-firewall branch October 2, 2024 16:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MrCloudSec MrCloudSec MrCloudSec approved these changes

Assignees
No one assigned
Labels
provider/aws Issues/PRs related with the AWS provider
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@HugoPBrito @MrCloudSec