Excluded Checks File #7004

Open · jmanduca-psfy opened this issue Feb 20, 2025 · 6 comments
Labels: feature-request (New feature request for Prowler.)

Comments

@jmanduca-psfy (Author)

New feature motivation

We have configuration file options for muting, altering, and including custom checks, but if we want to exclude a check completely, the only way to do so is in the prowler command itself. This makes it much less convenient to use.

Solution Proposed

Add an option for an Exclude Checks file, similar to the mute and custom checks files.

Describe alternatives you've considered

Could generate this on the fly into the command, but it is messy.
Could add checks to the mutelist for all resources, but then the check is still run - if it is a check we truly do not care about, why waste processing time checking it at all?

Additional context

No response

jmanduca-psfy added the labels feature-request (New feature request for Prowler.) and status/needs-triage (Issue pending triage) on Feb 20, 2025
@pedrooot (Member)

Hey! Thanks for the feature request! We'll take this into account.

pedrooot removed the status/needs-triage (Issue pending triage) label on Feb 20, 2025
@toniblyx (Member)

Hey @jmanduca-psfy, why exclude checks instead of muting findings? It is always better to mute and keep track of everything Prowler can find instead of avoiding checking something. Does that make sense? Can you share more about your use case so we can learn? Thanks!

@jmanduca-psfy (Author)

why excluding checks instead of muting findings?

@toniblyx
Excluding and muting have different functions. Mutes are useful when you want to have exceptions to a check (e.g. a public S3 bucket or an EC2 SG rule with a "dangerous port" is normally no good, but there are still legitimate or alternate uses for a port that warrant keeping track of it, but not alerting on it). Mutes are also flexible, allowing for muting in some situations but not others, and providing a paper trail to review and validate what you have muted.
Exclusions would be for checks that you do not need in your findings at all, e.g. the iam_root_hardware_mfa_enabled check. With our remote-first business, there is no good way to do this, nor would we want to anyway, as "virtual" MFA is more than enough for our use case. And if we don't care about the check, why waste the compute and log space on it? I know it's not much for a single check, but when you have lots of accounts with multiple resources, and log-retention requirements, it is a non-zero (though admittedly low) cost to run these.

It is always better to mute and keep track of all what Prowler can find instead of avoiding checking something.

I disagree with that, based on my comments above. Also, if that is the case, why have an exclude option at all?

@toniblyx (Member)

Thanks for sharing your view on this.

All features are available to help users, so don't get me wrong: use anything that suits your use case :) Our view is to scan as much as possible, as often as possible, to get records and be able to better understand what has happened, when, etc. Your example is a very good one for "exclude", of course. Just for the record, if you want to mute that check you can do it with:

# Mute this check in every account ("*"), every region and every resource.
# The check still runs and its findings are still kept; they are just marked as muted.
Mutelist:
  Accounts:
    "*":
      Checks:
        "iam_root_hardware_mfa_enabled":
          Regions:
            - "*"
          Resources:
            - "*"

@jmanduca-psfy (Author)

I did find a method to make my own exclusion list and push it to the CLI command using a simple text file, for anyone with a similar request:
exclusions.txt:

iam_root_hardware_mfa_enabled
s3_bucket_no_mfa_delete
s3_bucket_object_lock

Running prowler:

prowler aws --excluded-checks $(cat exclusions.txt) [--other-options...]

While it would be handy to have a standard file input, this suits my niche use case of the feature as long as the syntax of the flag remains the same.
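The workaround above, together with the mutelist snippet earlier in the thread, as an added example that is not part of the original issue and not Prowler's own code: a POSIX shell script that reads the same kind of exclusions.txt, tolerates comments, blank lines and CRLF endings, rejects any token that is not a check ID (so nothing in the file can be word-split into an unintended CLI argument, which the bare `$(cat exclusions.txt)` form would allow), drops duplicates, and then either builds the `--excluded-checks` arguments or emits the equivalent mutelist YAML in the layout quoted above. The exclusion file contents are constructed for the demo; the function names and the PROWLER_BIN variable are this example's own, and the `--mutelist-file` flag name mentioned in the comments is assumed to be the Prowler 4 one.

```shell
#!/bin/sh
# Added example, not Prowler's own code. Assumptions: "--excluded-checks" takes
# check IDs separated by spaces (as in the thread), check IDs match [a-z0-9_],
# and the mutelist YAML layout is the one quoted earlier in this thread.
set -eu

# Constructed sample exclusion file: comments, a blank line, an inline comment,
# and a duplicate, to exercise the parsing below.
write_sample_exclusions() {
  printf '%s\n' \
    '# checks we never want to run' \
    'iam_root_hardware_mfa_enabled' \
    's3_bucket_no_mfa_delete' \
    '' \
    's3_bucket_object_lock  # object lock is not used here' \
    'iam_root_hardware_mfa_enabled' > "$1"
}

# Print validated, de-duplicated check IDs from $1, one per line.
# Returns 1 (and prints nothing further) on the first token that is not a check ID.
excluded_checks_from_file() {
  seen=" "
  while IFS= read -r line || [ -n "$line" ]; do
    name=$(printf '%s' "$line" | tr -d '\r' \
      | sed 's/[[:space:]]*#.*$//; s/^[[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$name" ] || continue
    case "$name" in
      *[!a-z0-9_]*) echo "invalid check id: '$name'" >&2; return 1 ;;
    esac
    case "$seen" in
      *" $name "*) continue ;;   # already listed
    esac
    seen="$seen$name "
    printf '%s\n' "$name"
  done < "$1"
}

# Run Prowler (or whatever PROWLER_BIN points to) with the exclusions appended.
# Any extra CLI options are passed through unchanged via "$@".
run_prowler_with_exclusions() {
  file=$1; shift
  checks=$(excluded_checks_from_file "$file") || return 1
  # Word-splitting on newlines is intended: each validated ID becomes one argument.
  # shellcheck disable=SC2086
  set -- "$@" --excluded-checks $checks
  "${PROWLER_BIN:-prowler}" aws "$@"
}

# The alternative suggested in the thread: keep running the checks but mute them
# for every account, region and resource. Output is a mutelist YAML document that
# can be passed with --mutelist-file (flag name assumed, Prowler 4).
mutelist_from_file() {
  checks=$(excluded_checks_from_file "$1") || return 1
  printf 'Mutelist:\n  Accounts:\n    "*":\n      Checks:\n'
  for c in $checks; do
    printf '        "%s":\n          Regions:\n            - "*"\n          Resources:\n            - "*"\n' "$c"
  done
}

# Demo. PROWLER_BIN defaults to echo here so the Prowler command is printed,
# not executed; run with PROWLER_BIN=prowler to actually scan.
tmp=$(mktemp -d)
write_sample_exclusions "$tmp/exclusions.txt"
echo "Excluded checks:"
excluded_checks_from_file "$tmp/exclusions.txt"
echo "Equivalent mutelist:"
mutelist_from_file "$tmp/exclusions.txt" > "$tmp/mutelist.yaml"
cat "$tmp/mutelist.yaml"
echo "Dry run of the command line:"
PROWLER_BIN=${PROWLER_BIN:-echo}
run_prowler_with_exclusions "$tmp/exclusions.txt" --region us-east-1
rm -rf "$tmp"
```

The validation step is the part worth keeping even if Prowler later grows a native exclusion file: a line such as `bad check; rm -rf /` in the text file is rejected with a non-zero exit instead of being handed to the shell's word splitting, whereas the `$(cat exclusions.txt)` one-liner would pass each word along as separate arguments.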

@toniblyx (Member)

Thanks for the advice. The same way we have a checks list file for execution, we can have a checks list file for exclusion. And this is helpful for both the backend and the frontend.
