feat(openstack): object storage service with 7 new checks (#10258)

Author: danibarranqueroo

prowler/CHANGELOG.md

@@ -10,6 +10,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - `entra_conditional_access_policy_compliant_device_hybrid_joined_device_mfa_required` check for M365 provider [(#10197)](https://github.com/prowler-cloud/prowler/pull/10197)
 - Add `trusted_ips` configurable option to `opensearch_service_domains_not_publicly_accessible` check to reduce false positives on IP-restricted policies [(#8631)](https://github.com/prowler-cloud/prowler/pull/8631)
 - `guardduty_delegated_admin_enabled_all_regions` check for AWS provider [(#9867)](https://github.com/prowler-cloud/prowler/pull/9867)
+- OpenStack object storage service with 7 checks [(#10258)](https://github.com/prowler-cloud/prowler/pull/10258)
 
 ### 🔄 Changed
 

prowler/providers/openstack/services/objectstorage/__init__.py

@@ -0,0 +1,6 @@
+from prowler.providers.common.provider import Provider
+from prowler.providers.openstack.services.objectstorage.objectstorage_service import (
+    ObjectStorage,
+)
+
+objectstorage_client = ObjectStorage(Provider.get_global_provider())

prowler/providers/openstack/services/objectstorage/objectstorage_client.py

@@ -0,0 +1,37 @@
+{
+  "Provider": "openstack",
+  "CheckID": "objectstorage_container_acl_not_globally_shared",
+  "CheckTitle": "Object storage container read ACL is not globally shared",
+  "CheckType": [],
+  "ServiceName": "objectstorage",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "OS::Swift::Container",
+  "ResourceGroup": "storage",
+  "Description": "**OpenStack Swift containers** are evaluated to verify that the **read ACL** does not use `*:*` (global sharing). The `*:*` ACL grants read access to all authenticated users from any project in the OpenStack deployment, violating project isolation and the principle of least privilege.",
+  "Risk": "Containers with `*:*` read ACL are accessible to **every authenticated user** in the OpenStack deployment, regardless of their project. This breaks **multi-tenant isolation**, exposing data to users in other projects. **Compromised credentials** from any project can access the container's contents.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.openstack.org/swift/latest/overview_acl.html",
+    "https://docs.openstack.org/security-guide/object-storage.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "swift post <container_name> --read-acl '<project_id>:*'",
+      "NativeIaC": "",
+      "Other": "1. Navigate to **Object Store > Containers**\n2. Select the container with global read ACL\n3. Edit the container metadata\n4. Replace `*:*` with specific project-scoped ACLs\n5. Save changes",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Replace `*:*` read ACLs with **project-scoped ACLs** (e.g., `project-id:*` or `project-id:user-id`). Use the **most restrictive ACL** that meets access requirements. Implement regular ACL audits to detect overly permissive configurations. Consider using **Keystone role-based access control** for fine-grained permissions.",
+      "Url": "https://hub.prowler.com/check/objectstorage_container_acl_not_globally_shared"
+    }
+  },
+  "Categories": [
+    "identity-access"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "The `*:*` ACL means 'any user in any project'. This is different from `.r:*` which grants anonymous (unauthenticated) access. Both are overly permissive but target different audiences: `*:*` targets all authenticated users while `.r:*` targets everyone including unauthenticated users."
+}

prowler/providers/openstack/services/objectstorage/objectstorage_container_acl_not_globally_shared/__init__.py

@@ -0,0 +1,29 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportOpenStack
+from prowler.providers.openstack.services.objectstorage.objectstorage_client import (
+    objectstorage_client,
+)
+
+
+class objectstorage_container_acl_not_globally_shared(Check):
+    """Ensure object storage container read ACL does not use global sharing."""
+
+    def execute(self) -> List[CheckReportOpenStack]:
+        findings: List[CheckReportOpenStack] = []
+
+        for container in objectstorage_client.containers:
+            report = CheckReportOpenStack(metadata=self.metadata(), resource=container)
+            acl_entries = [entry.strip() for entry in container.read_ACL.split(",")]
+            if "*:*" in acl_entries or "*" in acl_entries:
+                report.status = "FAIL"
+                report.status_extended = f"Container {container.name} has globally shared read ACL (*:*) allowing all authenticated users from any project."
+            else:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Container {container.name} read ACL is not globally shared."
+                )
+
+            findings.append(report)
+
+        return findings

prowler/providers/openstack/services/objectstorage/objectstorage_container_acl_not_globally_shared/objectstorage_container_acl_not_globally_shared.metadata.json

@@ -0,0 +1,37 @@
+{
+  "Provider": "openstack",
+  "CheckID": "objectstorage_container_listing_disabled",
+  "CheckTitle": "Object storage container listings are not publicly accessible",
+  "CheckType": [],
+  "ServiceName": "objectstorage",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "OS::Swift::Container",
+  "ResourceGroup": "storage",
+  "Description": "**OpenStack Swift containers** are evaluated to verify that **public container listings** are disabled. The `.rlistings` ACL allows users with read access to list all objects within the container. When combined with `.r:*`, this enables unauthenticated users to enumerate all objects, facilitating targeted data exfiltration.",
+  "Risk": "Containers with `.rlistings` enabled allow attackers to enumerate all object names, sizes, and modification dates. This **metadata exposure** aids **targeted attacks**, reveals application structure, and can expose sensitive file names. Combined with public read access, it enables complete **data exfiltration**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.openstack.org/swift/latest/overview_acl.html",
+    "https://docs.openstack.org/security-guide/object-storage.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "swift post <container_name> --read-acl ''",
+      "NativeIaC": "",
+      "Other": "1. Navigate to **Object Store > Containers**\n2. Select the container with public listing\n3. Edit the container metadata\n4. Remove `.rlistings` from the Read ACL\n5. Save changes",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Remove `.rlistings` from container read ACLs to prevent **public object enumeration**. Listings should only be available to **authenticated project members**. If external access is needed, implement application-level access control with authenticated APIs.",
+      "Url": "https://hub.prowler.com/check/objectstorage_container_listing_disabled"
+    }
+  },
+  "Categories": [
+    "internet-exposed"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "The `.rlistings` ACL controls whether container listings (GET on container) are allowed. Even without `.rlistings`, individual objects may still be readable if `.r:*` is set. Both ACLs should be removed for full protection."
+}

prowler/providers/openstack/services/objectstorage/objectstorage_container_acl_not_globally_shared/objectstorage_container_acl_not_globally_shared.py

@@ -0,0 +1,32 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportOpenStack
+from prowler.providers.openstack.services.objectstorage.objectstorage_client import (
+    objectstorage_client,
+)
+
+
+class objectstorage_container_listing_disabled(Check):
+    """Ensure object storage container object listings are not publicly accessible."""
+
+    def execute(self) -> List[CheckReportOpenStack]:
+        findings: List[CheckReportOpenStack] = []
+
+        for container in objectstorage_client.containers:
+            report = CheckReportOpenStack(metadata=self.metadata(), resource=container)
+            acl_entries = [entry.strip() for entry in container.read_ACL.split(",")]
+            if ".rlistings" in acl_entries:
+                report.status = "FAIL"
+                report.status_extended = f"Container {container.name} has public listing enabled (.rlistings) allowing anonymous object enumeration."
+            elif "*:*" in acl_entries or "*" in acl_entries:
+                report.status = "FAIL"
+                report.status_extended = f"Container {container.name} has listing enabled via global read ACL (*:*) allowing all authenticated users to list objects."
+            else:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Container {container.name} does not have public listing enabled."
+                )
+
+            findings.append(report)
+
+        return findings