prowler-cloud / prowler

Prowler is an Open Cloud Security tool for AWS, Azure, GCP and Kubernetes. It supports continuous monitoring, security assessments and audits, incident response, compliance, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more.
https://prowler.com
Apache License 2.0

Prowler scan without Compliance #4549

Closed Imiler closed 1 month ago

Imiler commented 4 months ago

New feature motivation

I have a hopefully simple request. I would like to be able to do a scan on my environment but without getting compliance reports.

I searched in the documentation but I could not find how to exclude complete compliance scanning when running the "prowler kubernetes" report.

In my instance I am having some issues with the compliance output, as I am running prowler inside a cronjob and therefore I want to run only the prowler findings scan without compliance.

Solution Proposed

Include a flag or something to be able to exclude the compliance scan.

Describe alternatives you've considered

All alternatives are to just separate these scans or give the ability to exclude the compliance scan from the main scan.

Additional context

No response

puchy22 commented 4 months ago

Hi @Imiler,

What you are requesting is actually the default behavior of Prowler in v4. By default, Prowler runs all its checks and maps those findings to different compliance standards. If you don't want to focus on certain outputs, you can simply ignore them.

Regarding the errors you're encountering when running Prowler in your cron job, could you provide more details? Even if Prowler is being executed inside a cron job, it shouldn't produce any errors. Specific error messages or logs would help me assist you better.

I look forward to your reply. Thank you for using Prowler 🚀

Imiler commented 4 months ago

Hi,

Let me explain my setup better.

I am running prowler as a Kubernetes cronjob to scan the cluster and output reports to an S3 bucket. (I am already using this S3 bucket output with prowler as a cronjob, but for the AWS provider.) I have granted it the same permissions to be able to read/write to the S3 bucket on my account.

In this cronjob I have one container that is running the prowler scan command with output to a volume that is mounted to it. (This is an EFS shared volume mount so multiple cronjobs can use it.)

In another cronjob I have a single container to perform the AWS S3 cp command, because my prowler container does not recognize that command. (This container literally only reads the stored reports in my output folder from the first container and should output them to the S3 bucket.)

Now the issue that happens is that I am unable to give permissions to my cronjob to create the new compliance folder when the prowler scan runs. Everything else is fine; I am just having an issue because compliance gets generated in a different folder.

I hope this helps more. All I need is, if it's possible, an explanation of how to run the kubernetes scan and output to S3 in the same prowler command, or somehow disable the compliance scan so I don't get the permission error.

Imiler commented 4 months ago

I just wanted to add that the weirdest thing here is that I am unable to run any aws cli command at all.

As example for dashboard it is stated to use: aws s3 cp s3:///output/csv ./output --recursive

I cannot run this command at all. I wanted to use this to copy the output from the prowler kubernetes scan to the S3 bucket which I normally use for my other prowler aws scan. In the prowler aws scan my command looks like this:

prowler aws -M html csv -R arn:aws:iam::$accountID:role/iam-prowler-access-xxxxxxxxx-D prowler-xxxxxxxxx

The command above runs my aws scan with no problems across multiple accounts and stores all reports in the same place.

thejaywhy commented 4 months ago

Hi @Imiler, I want to make sure I understand your use case.

It looks like you are running prowler kubernetes within the cluster, but are having trouble exporting to S3.

Currently the prowler kubernetes provider does not support direct export to S3 the same way that prowler aws can.

To accomplish the S3 export you have attached a volume to the prowler kubernetes pod. However, saving the compliance reports results in a file system error.

Does this sound correct? If so, could you share the file system error you are receiving with us?

By default prowler stores results in the path it was executed from. Are you using the --output-directory argument to change that location?

If you'd like, you can join our Prowler community on Slack to share any specific details: https://join.slack.com/t/prowler-workspace/shared_invite/zt-1hix76xsl-2uq222JIXrC7Q8It~9ZNog
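The setup described in this thread (a `prowler kubernetes` run inside a CronJob, writing to a mounted volume, with a separate step copying the reports to S3) is the kind of thing that fails late with a permission error when the `compliance/` subfolder cannot be created. The wrapper below is an added example, not Prowler's own code or anything from the project: it checks the output directory and its `compliance/` subdirectory for writability before the scan starts, then runs the scan with `--output-directory` and copies the results with `aws s3 cp`. It assumes Prowler writes compliance reports under `<output-directory>/compliance/`, that the `prowler` and `aws` binaries are on PATH in the container, and that the bucket and prefix are placeholders you replace.

```shell
#!/bin/sh
# Added example wrapper for a Kubernetes CronJob container (not Prowler's code).
# Assumptions: Prowler creates <output-dir>/compliance/ for compliance reports;
# `prowler` and `aws` are on PATH; BUCKET/PREFIX are placeholders.

set -u

# Fail fast: make sure the output directory and its compliance/ subdirectory
# exist and are writable by the container's uid before the scan runs, so the
# volume-permission problem surfaces as one clear message, not mid-scan.
preflight_output_dir() {
    dir="$1"
    if ! mkdir -p "$dir/compliance" 2>/dev/null; then
        echo "cannot create $dir/compliance (check volume mount / fsGroup)" >&2
        return 1
    fi
    for d in "$dir" "$dir/compliance"; do
        if [ ! -w "$d" ]; then
            echo "$d is not writable by uid $(id -u)" >&2
            return 1
        fi
    done
    return 0
}

# Build the scan command string; -M and --output-directory are the flags
# mentioned in the thread. Kept separate so it can be inspected or logged.
scan_cmd() {
    printf 'prowler kubernetes -M html csv --output-directory %s' "$1"
}

# Run the scan and then copy everything (findings and compliance/) to S3.
# The aws CLI call mirrors the `aws s3 cp ... --recursive` form quoted above.
run_scan_and_upload() {
    out="$1"; bucket="$2"; prefix="$3"
    preflight_output_dir "$out" || return 1
    prowler kubernetes -M html csv --output-directory "$out" || return 1
    aws s3 cp "$out" "s3://$bucket/$prefix" --recursive
}

# Example invocation (placeholders): uncomment to use as the container command.
# run_scan_and_upload /output BUCKET-PLACEHOLDER prowler/kubernetes
```

If the preflight check fails on a mounted volume, the usual Kubernetes fix is to set `securityContext.fsGroup` on the pod so the volume is group-writable by the scanning uid, rather than relaxing the volume's permissions. The upload step only works in an image that contains the aws CLI; in the thread's setup that is the second container, so the `aws s3 cp` line would live there and the scan container would run only `preflight_output_dir` plus the `prowler` command.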

puchy22 commented 2 months ago

Hi @Imiler,

Did you manage to solve your problem in the end with Jon's comment, or do you have any more questions? In case everything is ok, close the issue, please. In case everything is ok, feel free to finish the issue. Otherwise feel free to ask whatever you need, here or in the Slack community as Jon mentioned.

Thanks for using Prowler

puchy22 commented 1 month ago

I am closing the issue since we got no response. Please feel free to reopen it again. Thanks for using Prowler 🚀