Comments (13)
+1 - I agree. These tests should have different severities.
Good point, this is a great example to add the https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/scan-unused-services/ logic to the check, so by default unused certificates won't be audited but could be using the --scan-unused-services flag.
Hi @MrMoshkovitz @rubtoa what do you think about keeping just one check but modifying the severity regarding the scenario? I think there is no need for two checks since we can handle it there.
Thanks for using Prowler 🚀
Hi @jfagoagas I appreciate your reply. I get the idea to maintain a single check and adjust the level of severity according to the circumstances. Nonetheless, I think the following are good reasons to separate the checks:
Needs a Different Status:
Expired Certificates: Since the certificate has already expired and could pose a security risk, this situation calls for an urgent action level.
Near-Expiration Certificates: In order to facilitate proactive management prior to the certificate's actual expiration, this scenario calls for a separate status that indicates an impending issue.
Distinct Results:
Expired Certificates: This is a serious discovery that suggests a breach in security protocols and requires immediate attention.
Near-Expiration Certificates: This discovery makes it possible to take preventative measures like planning and mitigation before a security problem gets out of hand.
We can give clearer and more useful insights into the condition of ACM certificates by having distinct tests. This strategy guarantees that every kind of issue receives the proper amount of attention and urgency by adhering to best practices in compliance and monitoring.
I think this makes the purpose of having two separate checks clear. Kindly inform me if you have any more queries or worries.
Kind regards,
Mr. Moshkovitz
As I pointed out in PR #3967 (comment), I think the best way is to modify the current check and handle both behaviours; we can also modify the severity if the certificate is near expiration.
Also we need to adjust/create tests accordingly.
Thanks!
@MrMoshkovitz, we can handle both cases in the same check by setting two different status extended with different severities, if the certificate is not expired yet, we can set a medium one with: report.check_metadata.Severity = "medium"
Thanks for the feedback, @jfagoagas @sergargar
I appreciate the suggestion for a single check with severity levels. While technically sound, I believe separate checks offer advantages in terms of:
- Clarity: Separate checks clearly distinguish critical expired certificates (requiring immediate attention) from near-expiring certificates (needing renewal soon).
- Maintainability: Dedicated checks improve code organization and future modifications.
- Flexibility: They allow for potential future features like tailored notifications.
Absolutely understandable, keeping the existing acm_certificates_expiration_check.py name to avoid breaking changes makes sense.
As a compromise, how about we modify the check's logic to handle both scenarios with differentiated severities and titles/descriptions? We can:
- Retain the check name: Keep it as acm_certificates_expiration_check.py for continuity.
- Update titles and descriptions: Craft clear titles and descriptions for expired and near-expiration scenarios within the check.
- Introduce new status: Implement a new status within the check to distinguish between the two.
- Assign severity levels: Set "high" severity for expired certificates and "medium" severity for near-expiration.
This approach would provide clear distinction between the two scenarios while maintaining compatibility with existing Prowler configurations.
I'm happy to modify the pull request accordingly. Please let me know if this sounds like a workable solution.
Best regards,
Mr. Moshkovitz
+1 - Separated checks would be much more helpful for prioritizing actions.
@MrMoshkovitz at the moment, let's first keep the existing acm_certificates_expiration_check to avoid breaking changes and we think about decoupling it into two different checks in the future. As they are going to be two different findings with different status extended and severities, we can improve this situation. So, please, can you update the PR by updating the metadata and the severity in the check?
Let us know if you need any help from our side, thanks 😄 !
Updated - acm_certificates_expiration_check, acm_certificates_expired_check
Hi @MrMoshkovitz, what @sergargar meant is just to leave the acm_certificates_expiration_check and handle both scenarios within the check with two different finding.status_extended and changing the severity within the check if needed.
Hi @MrMoshkovitz did you see the above message?
Thanks!
Chiming in here with a related point:
The current check does not consider if the certificates in question are actually InUse. I've seen a number of AWS accounts with a number of expired certificates that were not actually used.
Does it make sense to still report unused, expired certificates as a (high / medium) issue, or should the check basically ignore such certificates? Happy to hear from you here @jfagoagas @MrMoshkovitz !
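To make the two proposals above concrete (one check emitting two different finding.status_extended texts with different severities, and skipping certificates that are not in use unless an unused-services flag is set), here is an added illustrative example. It is not Prowler's own code and does not import Prowler; the Certificate and Finding dataclasses, the evaluate_certificate/execute functions, the 7-day threshold, the "high"/"medium" values and the fake ARNs are all constructed for this sketch.

```python
# Added illustrative example (not Prowler's own code): a single check that
# reports expired and near-expiration ACM certificates with different
# status_extended text and severities, and skips certificates that are not
# in use unless an (assumed) scan_unused_services flag is set.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

DEFAULT_SEVERITY = "high"          # assumed check metadata severity (expired case)
NEAR_EXPIRATION_SEVERITY = "medium"  # lowered severity for the near-expiration case
DAYS_TO_EXPIRE_THRESHOLD = 7       # assumed "near expiration" window in days


@dataclass
class Certificate:
    arn: str
    name: str
    expiration: datetime   # timezone-aware NotAfter timestamp
    in_use: bool           # True when the certificate is attached to a resource


@dataclass
class Finding:
    resource_arn: str
    status: str            # "PASS" or "FAIL"
    status_extended: str
    severity: str


def evaluate_certificate(cert: Certificate, now: datetime,
                         threshold_days: int = DAYS_TO_EXPIRE_THRESHOLD,
                         scan_unused_services: bool = False) -> Optional[Finding]:
    """Return one finding for the certificate, or None if it is skipped."""
    # Unused certificates are skipped by default, mirroring the
    # --scan-unused-services idea raised in the thread.
    if not cert.in_use and not scan_unused_services:
        return None
    remaining = cert.expiration - now
    if remaining <= timedelta(0):
        # Already expired: FAIL at the check's default (high) severity.
        return Finding(cert.arn, "FAIL",
                       f"ACM Certificate {cert.name} has expired.",
                       DEFAULT_SEVERITY)
    if remaining <= timedelta(days=threshold_days):
        # Still valid but inside the warning window: FAIL at medium severity.
        return Finding(cert.arn, "FAIL",
                       f"ACM Certificate {cert.name} is about to expire in "
                       f"{remaining.days} days.",
                       NEAR_EXPIRATION_SEVERITY)
    return Finding(cert.arn, "PASS",
                   f"ACM Certificate {cert.name} expires in {remaining.days} days.",
                   DEFAULT_SEVERITY)


def execute(certificates, now: Optional[datetime] = None,
            scan_unused_services: bool = False) -> List[Finding]:
    """Evaluate every certificate and collect the findings that were not skipped."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for cert in certificates:
        finding = evaluate_certificate(cert, now,
                                       scan_unused_services=scan_unused_services)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample inventory with fake ARNs, evaluated at a fixed "now".
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERTIFICATES = [
    Certificate("arn:aws:acm:us-east-1:123456789012:certificate/expired-in-use",
                "expired.example.com", datetime(2024, 5, 1, tzinfo=timezone.utc), True),
    Certificate("arn:aws:acm:us-east-1:123456789012:certificate/near-expiry",
                "soon.example.com", datetime(2024, 6, 4, 12, tzinfo=timezone.utc), True),
    Certificate("arn:aws:acm:us-east-1:123456789012:certificate/healthy",
                "ok.example.com", datetime(2024, 12, 1, tzinfo=timezone.utc), True),
    Certificate("arn:aws:acm:us-east-1:123456789012:certificate/expired-unused",
                "old.example.com", datetime(2023, 1, 1, tzinfo=timezone.utc), False),
]

if __name__ == "__main__":
    for finding in execute(SAMPLE_CERTIFICATES, NOW, scan_unused_services=True):
        print(f"{finding.status:4} {finding.severity:6} {finding.status_extended}")
```

With the default flag value the unused expired certificate produces no finding at all; passing scan_unused_services=True surfaces it as a high-severity FAIL alongside the in-use one, which is the trade-off the last comment asks about.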