Prowler 2.0: New release with improvements and new checks ready for re:Invent and BlackHat EU

Taking advantage of this week AWS re:Invent and  next week BlackHat Europe, I wanted to push forward a new version of Prowler.

In case you are new to Prowler:

Prowler is an AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool. It follows guidelines of the CIS Amazon Web Services Foundations Benchmark and DOZENS of additional checks including GDPR and HIPAA groups. Official CIS benchmark for AWS guide is here.

This new version has more than 20 new extra checks (of +90), including GDPR and HIPAA group of checks as for a reference to help organizations to check the status of their infrastructure regarding those regulations. Prowler has also been refactored to allow easier extensibility. Another important feature is the JSON output that allows Prowler to be integrated, for example, with Splunk or Wazuh (more about that soon!). For all details about what is new, fixes and improvements please see the release notes here: https://github.com/toniblyx/prowler/releases/tag/2.0

For me, personally, there are two main benefits of Prowler. First of all, it helps many organizations and individuals around the world to improve their security posture on AWS, and using just one easy and simple command, they realize what do they have to do and how to get started with their hardening. Second, I’m learning a lot about AWS, its API, features, limitations, differences between services and AWS security in general.

Said that, I’m so happy to present Prowler 2.0 in BlackHat Europe next week in London! It will be at the Arsenal

and I’ll talk about AWS security, and show all new features, how it works, how to take advantage of all checks and output methods and some other cool things. If you are around please come by and say hello, I’ve got a bunch of laptop sticklers! Here all details, Location:  Business Hall, Arsenal Station 2. Date: Wednesday, December 5 | 3:15pm-4:50pm. Track Vulnerability Assessment. Session Type: Arsenal

BIG THANKS!

I want to thank the Open Source community that has helped out since first day, almost a thousand stars in Github and more than 500 commits talk by itself. Prowler has become pretty popular out there and all the community support is awesome, it motivates me to keep up with improvements and features. Thanks to you all!!

Prowler future?

Main goals for future versions are: to improve speed and reporting, including switch base code to Python to support existing checks and new ones in any language.

If you are interested on helping out, don’t hesitate to reach out to me. \m/

Prowler 1.6: AWS Security Best Practices Assessment and Forensics Readiness Tool

It looks like Prowler has become a popular tool for those concerned about AWS security. I just made Prowler to solve an internal requirement we have here in Alfresco. I decided to make it public and I started getting a lot of feedback, pull requests, comments, advices, bugs reported, new ideas and I keep pushing to make it better and more comprehensive following all what cloud security community seems to need.
I know Prowler is not the best tool out there but it does what I wanted it to do: “Take a picture of my AWS account (or accounts) security settings and tell me from where to start working to improve it”. Do the basics, at least. And that’s what it does. I would use other tools to track service change, etc., I discuss that also in my talks.
Currently, Prowler performs 74 checks (for an entire list run `prowler -l`), being 52 of them part of the CIS benchmark.

Digital Forensics readiness capabilities into Prowler 1.6

`prowler -c forensics-ready`
I’m into DFIR, I love it and I read lot about cloud digital forensics and incident response, I enjoy investing my time R&D about that subject. And I’m concerned about random or targeted attacks to cloud infrastructure. For the talk I’m doing today at the SANS Cloud Security Summit 2018 in San Diego, I wanted to show something new and I thought about adding new checks to Prowler related to forensics and how to make sure you have all (or as much) what you need to perform a proper investigation in case of incident, logs that are not enabled by default in any AWS account by the way. Some of those checks are included and well described in the current CIS benchmark for AWS, or even in the CIS benchmark for AWS three tiers web deployments (another hardening guide that is way less popular but pretty interesting too), but there are checks that are not included anywhere. For example, I believe it is good idea to keep record of your API Gateway logs in your production accounts or even your ELB logs, among many others. So when you run  `prowler -c forensics-ready` now you will get the status of your resources across all regions, and you can make sure you are logging all what you may eventually need in case of security incident. Currently these are the checks supported (https://github.com/toniblyx/prowler#forensics-ready-checks):
  • 2.1 Ensure CloudTrail is enabled in all regions (Scored)
  • 2.2 Ensure CloudTrail log file validation is enabled (Scored)
  • 2.3 Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)
  • 2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)
  • 2.5 Ensure AWS Config is enabled in all regions (Scored)
  • 2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)
  • 2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)
  • 4.3 Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
  • 7.12 Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
  • 7.13 Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)
  • 7.14 Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
  • 7.15 Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)
  • 7.17 Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)
  • 7.18 Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)
  • 7.19 Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)
  • 7.20 Check if Lambda functions are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)
  • 7.21 Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)
  • 7.22 Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)
Screenshot while running `forensics-ready` group of checks, here only showing 3 of the first checks that are part of that group
I haven’t added yet a RDS logging check and I’m probably missing many others so please feel free to open an issue in Github and let me know!
If you want to check out my slide deck used during my talk at the SANS Cloud Security Summit 2018 in San Diego, look at here: https://github.com/toniblyx/SANSCloudSecuritySummit2018

Automate or Die! My next talk at RootedCON 2017 in Madrid

UPDATED!  My talk will be on March, Friday the 3rd at 11AM (Sala 25)
Regardless I’ve given many talks in Spain during the last 18 years, It has been a while since I don’t do a talk in a security congress. I think last time was NcN when I presented phpRADmin in 2006.
I have to confess that I was mad to talk at RootedCON. Living abroad for more than four years now, the RootedCON has been a reference event for Spanish speakers and I always have been following it very closely, I think it is one of the most popular security conferences in Spain.
Last year I tried to attend with a “Docker Security” paper but it wasn’t good enough, and honestly I didn’t work much on the paper itself. This time I worked on a more decent paper (and better tittle as well) and voila! My talk was approved.
And what I’m gonna talk about? Security in IaaS, attacks, hardening, incident response, forensics and all about its automation. Despite I will talk about general concept related to AWS, Azure and GCP, I will show specific demos and threats in AWS and I will go in detail with some caveats and hazards in AWS. My talk is called “Automate or die! How to survive to an attack in the Cloud” and you have more details here.
If you are in Spain or around the place, don’t miss the opportunity to learn from people like Mikko Hypponen, Paul Vixie, Hugo Teso, Juan Garrido or Chema Alonso. As you may see in the full list, there are 3 days plenty of good material to improve your skills from very good professionals, they also offer a training day. And compared to the price of security cons in other countries, this one is not expensive at all.
My talk will be on March, Friday the 3rd at 11AM (Sala 25). Looking forward to see you there!

Proxmox VE: una alternativa libre a la gestión de la virtualización

logo_pveYa tengo muchas máquinas en casa y poco tiempo para dedicarle al hardware y el cacharreo por lo que hace ya un mes que adquirí en Hetzner un nuevo servidor para mi laboratorio, Hetzner es ISP alemán y sudafricano que permite alquilar máquinas físicas a un precio aceptable, ancho de banda de sobra y con un servicio magnífico comprobado a lo largo de más de un año con otros servidores que uso a titulo profesional. No conozco muchos ISP de la magnitud de Hetzner para poder haceros comparativas en cuanto a servicios/precio, pero son rápidos y en caso de problemas (tanto de sistema operativo, de red como físicos) están ahí para ayudar con un servicio 24×7 excelente incluido en el precio. La única pega es que el panel de control que ofrecen a los clientes está en alemán pero es sencillo y con Google Translator en unos minutos lo tenía dominado.

Hecha la “cuñita” publicitaria sin ánimo de nada a Hezner (cuando algo funciona también hay que decirlo). Paso a contaros qué infraestructura he configurado para gestionar este servidor.

Actualmente, gracias al furor “Cloud” y teniendo en cuenta que la virtualización forma parte del paradigma aunque no obligatoriamente, he estado mirando diferentes fórmulas o aplicaciones para gestión de la virtualización de forma sencilla, cómoda y rápida, por supuesto en Software Libre. Conocía desde hace tiempo Enomalism o actualmente AbiCloud* que es muy interesante y otras muchas soluciones web que permiten gestionar máquinas virtuales y aprovisionarlas, pero a la hora de la verdad la mayoría de estas aplicaciones de gestión de la virtualización no rinden como se espera, me refiero por ejemplo a la clusterización, migración de máquinas virtuales entre físicas y acciones afines o en algunos casos hay que pasar por caja para conseguir funcionalidades extra que generalmente no son Open Source. Los amigos de la Fundación I+D del Software Libre llevan usando Proxmox VE unos cuantos meses. Así que tras documentarme me lancé a la aventura y solicité a mi ISP que me montaran una máquina con Proxmox VE 1.1.

*AbiCloud no es sólo un gestor de máquinas virtuales sino que también puede gestionar máquinas físicas de una nube.

Proxmox VE es una plataforma de virtualización de código libre (GPLv2) realizada por la compañía alemana Proxmox Server Solutions GmbH, especializados en appliances virtuales empresariales.

¿Por qué usar Proxmox VE?

  • Porque hace gala del principio KISS, es simple y funciona.
  • Porque permite desplegar máquinas virtuales en cuestión de segundos ya sea desde las plantillas disponibles o desde 0.
  • Porque permite crear contenedores gracias a OpenVZ, permite virtualizar y paravirtualizar gracias a KVM, por lo que no hecho de menos ni VMware ni Xen.
  • Porque permite descargar plantillas con aplicaciones instaladas y configuradas listas para usar desde aquí.
  • Porque se pueden tener varios servidores físicos en cluster y migrar en vivo máquinas virtuales de un servidor a otro de forma rápida y sencilla. Permitiéndo aprovechar al máximo el hardware y alta disponibilidad de mis sistemas operativos virtualizados.
  • Porque permite hacer backup a otros discos de forma totalmente desatendida y controlar gráficamente el estado y consumo de cada una de las máquinas virtuales.
  • Porque puedes acceder por VNC a cualquiera de las máquinas desplegadas aún sin red configurada.
  • Porque se descarga en ISO, basada en Debian y se instala directamente en el servidor anfitrión, una vez instalado todo lo demás se hace vía web.

800px-screen-startpage-with-cluster

Y por muchas razones más. Pero no es oro todo lo que reluce, he echado de menos más información sobre el consumo de red y recursos. Aunque se muestran datos básicos, no hay acumulados y gráficas históricas que son importantes para adelantarse a los problemas. Realmente con ntop y Cacti se soluciona este problema. En cuanto a documentación y comunidad no está mal, ya que tanto OpenVZ como KVM además del propio ProxmoxVE cuentan con un importante número de colaboradores y manuales.

Para instalarlo mira este fantástico manual que nos ofrecen los amigos de Howtoforge.

Lo tengo claro, para montar un entorno corporativo o personal de virtualización ya tengo una solución Open Source que cubre mis necesidades: Proxmox VE.

Cloud computing, visto de una forma fácil

A través del blog de Oriol Rius he visto un video muy divertido sobre qué es el cloud computing. Esta presentación, realizada por la gente de rPath, se titula “Cloud Computing in plain english”, en mi pueblo lo traduciríamos como “Cloud Computing pa’ que te enteres”. Y bueno, quería compartirlo con vosotros aquí. Más abajo tenéis un resumen.

A modo de resumen decir que el Cloud Computing es la mezcla de unir virtualización, utility computing y software as a service, lo que es lo mismo, ofrecer una o varias aplicaciones, recursos computacionales y almacenamiento a través de virtualización como capa de abstracción física, de forma que usaremos una herramienta, posiblemente web, sin saber necesariamente donde está. Software as a Service (SaaS) suele ser confundido con Cloud Computing pero realmente este último es más simple y flexible, y pagas por uso en lugar de ser por suscripción. Para hacernos una idea, en el mundo del software tradicional es como comprar un coche, pagas un precio fijado por el fabricante, pagas por el soporte y garantía que puedes usar o no pero que tienes que pagar al fin y al cabo. Con el Software as a Service es como tener un coche en renting, tienes un buen coche por el pagas todos los meses por unos servicios mínimos establecidos y sin capacidad de personalización a posteriori de forma que se reducen los costes y responsabilidades. El Cloud Computing va mucho más allá, es como tomar un taxi, lo usas cuando quieras, pagas cuando lo usas, no hay costes de mantenimiento (combustible, reparaciones, etc.)  y tu decides sobre la marcha lo corto o largo que será el trayecto, además puedes tunearlo e incluso puedes montar a otros clientes en él, el motor del taxi, en este caso, es la virtualización.

Posiblemente no sea la metáfora perfecta pero ayuda bastante a entender el concepto.