Seems to be a bug with the way the IAM password policy is scored. ou

ok, I got it now! Thanks for the detailed explanation <a class="user-mention notransla

Hi <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="

makes perfect sense! <a href="#"

Fixed with PR <a class="issue-link js-issue-link" data-error-text="Failed to load titl

Password Policy Scored Incorrectly about prowler HOT 8 CLOSED

jamestford commented on May 29, 2024

Password Policy Scored Incorrectly

from prowler.

Comments (8)

toniblyx commented on May 29, 2024 1

ok, I got it now! Thanks for the detailed explanation @jamestford. I didn't think on that use case like yours and makes a lot of sense to add "--output" to all prowler commands to force the output I want and prevent taking default values that may incur in wrong results. Does it make sense?

from prowler.

jamestford commented on May 29, 2024

Okay, looks like this is an issue when using table output rather than json output based on the way the query action returns results. If you use json the policy will be scored correctly.

from prowler.

toniblyx commented on May 29, 2024

Hi @jamestford, thanks for your feedback. I have just tested it again and it works fine. What do you mean with table vs json? If you look at the code from here https://github.com/Alfresco/prowler/blob/master/prowler#L534 prowler checks just the output of each particular value in lowercase (true or false) unless you change the default output format it should work.

from prowler.

jamestford commented on May 29, 2024

When running aws from the command line you can tell it to output to json format or in table format. I had it set for table since it is more human readable (details here: http://docs.aws.amazon.com/cli/latest/userguide/controlling-output.html). But I noticed prowler would fail using the table format using the --query option, but when switching to json the --query option worked property (i.e., --query 'PasswordPolicy.RequireSymbols' ). When I get back to my test machine I can provide some screenshots. Thanks for the response!

from prowler.

toniblyx commented on May 29, 2024

I got your point, but you don't need to change anything on the command line to get prowler proper results. Prowler does queries and filter results in different formats depending on each test. Or am I missing something?

from prowler.

jamestford commented on May 29, 2024

Prowler is using the awscli command line utility to pull and query the aws settings. The first time a user installs or runs awscli it will ask them a series of questions and saves them in a aws config file, so when prowler runs it will leverage these values. For example prowler will call $AWSCLI iam get-account-password-policy --profile $PROFILE --region $REGION --query 'PasswordPolicy.RequireLowercaseCharacters' It will expect the query to return true, but if you have awscli set to table output the value is null but if you switch it to json it will output true. I think you can test this from the command line by running the following: aws iam get-account-password-policy --profile $PROFILE --region $REGION --output json --query 'PasswordPolicy.RequireLowercaseCharacters' aws iam get-account-password-policy --profile $PROFILE --region $REGION --output table --query 'PasswordPolicy.RequireLowercaseCharacters' Example of configuring aws: *aws configure* AWS Access Key ID [None]: *AKIAIOSFODNN7EXAMPLE* AWS Secret Access Key [None]: *wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY* Default region name [None]: *us-west-2* Default output format [None]: *json*

…

On Mon, Jul 17, 2017 at 12:51 PM, Toni de la Fuente < ***@***.***> wrote: I got your point, but you don't need to change anything on the command line to get prowler proper results. Prowler does queries and filter results in different formats depending on each test. Or am I missing something? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#65 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AA1WAb-B1fSKVR57MbD3ndrpBtPXmizHks5sO5EkgaJpZM4OZE0t> .

-- Sincerely, James

from prowler.

jamestford commented on May 29, 2024

makes perfect sense!

…

On Mon, Jul 17, 2017 at 1:34 PM, Toni de la Fuente ***@***.*** > wrote: ok, I got it now! Thanks for the detailed explanation @jamestford <https://github.com/jamestford>. I didn't think on that use case like yours and makes a lot of sense to add "--output" to all prowler commands to force the output I want and prevent taking default values that may incur in wrong results. Does it make sense? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#65 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AA1WAZxQtR_loBxOxeNKlttucnRnD9gYks5sO5s7gaJpZM4OZE0t> .

-- Sincerely, James

from prowler.

toniblyx commented on May 29, 2024

Fixed with PR #67

from prowler.

Password Policy Scored Incorrectly about prowler HOT 8 CLOSED

Comments (8)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent

Jobs