Prowling AWS

Snooping Around

Breaking and Entering

The README file offers some other useful options in its examples, which I shamelessly repeat in this section.

If you ever want to check one of the tests individually, use:

$ ./prowler -c check32

Once a first Prowler run has confirmed that everything works, a handy tip is to spend some time looking through the benchmarks listed earlier to figure out which you need to audit against, instead of running through every one of the many checks.

It's also not a bad idea to take the check numbers from the Prowler output and focus on specific areas, which speeds up report generation. Just separate your list of checks with commas after the -c switch.

Additionally, use the -E command switch

$ ./prowler -E check17,check24

to run Prowler against lots of checks while excluding only a few.

Lookin' Oh So Pretty

As you'd expect, Prowler produces a nicely formatted text report. Harking back to the pip command earlier, though, you might remember that you also installed the ansi2html package, which lets the mighty Prowler produce an HTML report when you pipe its output through it:

$ ./prowler | ansi2html -la > prowler-audit.html

Similarly, you can output to JSON or CSV with the -M switch:

$ ./prowler -M json > prowler-audit.json

Just change json to csv (in the file name, too) if you prefer a CSV file.

The well-written Prowler docs also offer a nice example of saving a report to an S3 bucket:

$ ./prowler -M json | aws s3 cp - s3://your-bucket/prowler-audit.json

Finally, if you've worked with security audits before, you'll know that reaching an agreed level of compliance is the norm; therefore if, for example, you only needed to meet the requirements of CIS Benchmark Level 1, you could ask Prowler to focus on those checks only:

$ ./prowler -g cislevel1

If you want to check against multiple AWS accounts at once, then refer to the README file for a clever one-line command that runs Prowler across your accounts in parallel. A useful bootstrap script is offered, as well, to help you set up your AWS credentials via the AWS client and run Prowler, so it's definitely worth a read.

Additionally, a nice troubleshooting section looks at common errors and the use of multifactor authentication (MFA). Suffice it to say that the README file is comprehensive, easy to follow, and puts some other documentation to shame.

The End Is Nigh

Prowler boasts a number of checks that other tools miss, has thorough and considered documentation, and is a lightweight and reliable piece of software. I prefer the HTML reports, but running the JSON through the jq program is also useful for easy-to-read output.
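As an added example (not code from the article or from the Prowler project), the script below shows the kind of post-processing the JSON output invites: it parses a Prowler JSON report, counts passes and failures, groups failures by severity, and builds the comma-separated list of failing check ids that you can feed straight back to the -c switch described earlier. The sample records are constructed, and the field names (Control, Status, Severity, Level, Region) follow the Prowler 2.x JSON layout as I assume it; confirm them against a real report from your own version before relying on them.

```python
"""Triage Prowler JSON output: count results and build a -c re-run list.

Added example for this article; it is not part of Prowler itself.
"""
import json
import re
from collections import Counter

# Constructed sample of Prowler's JSON output (one JSON object per line).
# The field names are an assumption based on the Prowler 2.x layout;
# check them against a real report from your own version.
SAMPLE_REPORT = """\
{"Profile": "default", "Account Number": "123456789012", "Control": "[check12] Ensure credentials unused for 90 days or greater are disabled", "Message": "User example-user has not logged in for 120 days", "Severity": "Medium", "Status": "FAIL", "Level": "Level 1", "Control ID": "1.3", "Region": "us-east-1"}
{"Profile": "default", "Account Number": "123456789012", "Control": "[check32] Ensure a log metric filter and alarm exist for unauthorized API calls", "Message": "No CloudWatch alarm found", "Severity": "High", "Status": "FAIL", "Level": "Level 1", "Control ID": "3.2", "Region": "eu-west-1"}
{"Profile": "default", "Account Number": "123456789012", "Control": "[check17] Ensure IAM password policy requires at least one uppercase letter", "Message": "Password policy requires uppercase", "Severity": "Medium", "Status": "PASS", "Level": "Level 1", "Control ID": "1.7", "Region": "us-east-1"}
{"Profile": "default", "Account Number": "123456789012", "Control": "[check24] Ensure CloudTrail trails are integrated with CloudWatch Logs", "Message": "Trail example-trail is not integrated", "Severity": "Low", "Status": "FAIL", "Level": "Level 2", "Control ID": "2.4", "Region": "eu-west-1"}
{"Profile": "default", "Account Number": "123456789012", "Control": "[check12] Ensure credentials unused for 90 days or greater are disabled", "Message": "No stale credentials found", "Severity": "Medium", "Status": "PASS", "Level": "Level 1", "Control ID": "1.3", "Region": "eu-west-1"}
"""

# Prowler prefixes each control title with its check id in square brackets.
CHECK_ID = re.compile(r"\[(check\d+)\]")


def parse_report(text):
    """Parse JSON-lines output, skipping blank lines and any non-JSON
    banner text that may precede the records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        records.append(json.loads(line))
    return records


def status_counts(records):
    """Count all results by Status (FAIL, PASS, ...)."""
    return Counter(r["Status"] for r in records)


def failures_by_severity(records):
    """Count only failed controls, keyed by Severity."""
    return Counter(r["Severity"] for r in records if r["Status"] == "FAIL")


def failing_checks(records, level=None):
    """Unique check ids that failed, sorted numerically, optionally
    restricted to one CIS level ("Level 1" or "Level 2")."""
    ids = set()
    for r in records:
        if r["Status"] != "FAIL":
            continue
        if level is not None and r.get("Level") != level:
            continue
        match = CHECK_ID.search(r["Control"])
        if match:
            ids.add(match.group(1))
    return sorted(ids, key=lambda c: int(c[len("check"):]))


def rerun_argument(records, level=None):
    """Comma-separated list ready for './prowler -c <list>'."""
    return ",".join(failing_checks(records, level))


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print("status:", dict(status_counts(recs)))
    print("failures by severity:", dict(failures_by_severity(recs)))
    print("re-run failing Level 1 checks with: ./prowler -c",
          rerun_argument(recs, level="Level 1"))
```

To run this against a real report, replace SAMPLE_REPORT with the contents of the prowler-audit.json file produced by the -M json command; the same failing-check list then goes back into -c so that a follow-up run after remediation touches only the controls that actually failed.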

Having scratched the surface of this clever open source tool, I trust you'll be tempted to do the same and to keep an eye on your security issues in an automated fashion.

The Author

Chris Binnie's latest book, Linux Server Security: Hack and Defend, shows how hackers launch sophisticated attacks to compromise servers, steal data, and crack complex passwords, so you can learn how to defend against such attacks. In the book, he also shows you how to make your servers invisible, perform penetration testing, and mitigate unwelcome attacks. You can find out more about DevOps, DevSecOps, Containers, and Linux security on his website: https://www.devsecops.cc.
