From 024190dd8a722df6b8cc69cfbc569df5d3274923 Mon Sep 17 00:00:00 2001 From: Joaquin Rinaudo Date: Fri, 21 Aug 2020 10:35:50 +0200 Subject: [PATCH 1/8] [Check12] Bugfix: Remove $ from grep Check is failing to detect users without MFA, solved by removing `$` sign addresses the issue. --- checks/check12 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checks/check12 b/checks/check12 index adccb3c1..e2f9c12a 100644 --- a/checks/check12 +++ b/checks/check12 @@ -19,7 +19,7 @@ CHECK_ALTERNATE_check102="check12" check12(){ # "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)" # List users with password enabled - COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep -F ' true$' | awk '{ print $1 }') + COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep -F ' true' | awk '{ print $1 }') COMMAND12=$( for i in $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED; do cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$8 }' |grep "^$i " |grep false | awk '{ print $1 }' From 97e6a80bdc15e7325ebf3b3b181008fdfe6775c4 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Tue, 25 Aug 2020 16:49:20 +0200 Subject: [PATCH 2/8] Added AWS partition variable to the ASFF output format --- include/outputs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/outputs b/include/outputs index 97f8c29b..63d36f20 100644 --- a/include/outputs +++ b/include/outputs @@ -294,7 +294,7 @@ generateJsonAsffOutput(){ { "Type": $RESOURCE_TYPE, "Id": "AWS::::Account:\($ACCOUNT_NUM)", - "Partition": "aws", + "Partition": "$AWS_PARTITION", "Region": $REPREGION } ], From 03b1d898a63d3530bf99fe6873aee40c57d516da Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Tue, 25 Aug 2020 16:54:22 +0200 Subject: [PATCH 3/8] Added AWS partition variable to the ASFF output format --- include/outputs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/outputs b/include/outputs index 63d36f20..d4ddba7b 100644 --- a/include/outputs +++ b/include/outputs @@ -294,7 +294,7 @@ generateJsonAsffOutput(){ { "Type": $RESOURCE_TYPE, "Id": "AWS::::Account:\($ACCOUNT_NUM)", - "Partition": "$AWS_PARTITION", + "Partition": $AWS_PARTITION, "Region": $REPREGION } ], From ca471700c2a31bdebf0ec59ab8c5a8df50fac977 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Tue, 25 Aug 2020 19:06:06 +0200 Subject: [PATCH 4/8] Added [extra798] Check if Lambda functions have resource-based policy set as Public --- checks/check_extra798 | 44 ++++++++++++++++++++++++++++++++++ groups/group17_internetexposed | 2 +- groups/group7_extras | 2 +- 3 files changed, 46 insertions(+), 2 deletions(-) create mode 100644 checks/check_extra798 diff --git a/checks/check_extra798 b/checks/check_extra798 new file mode 100644 index 00000000..fa15a011 --- /dev/null +++ b/checks/check_extra798 @@ -0,0 +1,44 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. + +CHECK_ID_extra798="7.98" +CHECK_TITLE_extra798="[extra798] Check if Lambda functions have resource-based policy set as Public" +CHECK_SCORED_extra798="NOT_SCORED" +CHECK_TYPE_extra798="EXTRA" +CHECK_ASFF_RESOURCE_TYPE_extra798="AwsLambdaFunction" +CHECK_ALTERNATE_check798="extra798" + +extra798(){ + for regx in $REGIONS; do + LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --output text --query 'Functions[*].FunctionName') + if [[ $LIST_OF_FUNCTIONS ]]; then + for lambdafunction in $LIST_OF_FUNCTIONS; do + # get the policy per function + FUNCTION_POLICY=$($AWSCLI lambda get-policy $PROFILE_OPT --region $regx --function-name $lambdafunction --query Policy --output text 2>/dev/null) + if [[ $FUNCTION_POLICY ]]; then + FUNCTION_POLICY_ALLOW_ALL=$(echo $FUNCTION_POLICY \ + | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")') + if [[ $FUNCTION_POLICY_ALLOW_ALL ]]; then + textFail "$regx: Lambda function $lambdafunction has a policy with public access" "$regx" + else + textPass "$regx: Lambda function $lambdafunction has a policy resource-based policy and is not public" "$regx" + fi + else + textPass "$regx: Lambda function $lambdafunction does not have resource-based policy" "$regx" + fi + done + else + textInfo "$regx: No Lambda functions found" "$regx" + fi + done +} diff --git a/groups/group17_internetexposed b/groups/group17_internetexposed index 73f51985..f2364b96 100644 --- a/groups/group17_internetexposed +++ b/groups/group17_internetexposed @@ -15,7 +15,7 @@ GROUP_ID[17]='internet-exposed' GROUP_NUMBER[17]='17.0' GROUP_TITLE[17]='Find resources exposed to the internet - [internet-exposed] *******' GROUP_RUN_BY_DEFAULT[17]='N' # run it when execute_all is called -GROUP_CHECKS[17]='check41,check42,extra72,extra73,extra74,extra76,extra77,extra78,extra79,extra710,extra711,extra716,extra723,extra727,extra731,extra738,extra745,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra770,extra771,extra778,extra779,extra787,extra788' +GROUP_CHECKS[17]='check41,check42,extra72,extra73,extra74,extra76,extra77,extra78,extra79,extra710,extra711,extra716,extra723,extra727,extra731,extra738,extra745,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra770,extra771,extra778,extra779,extra787,extra788,extra798' # 4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored) [group4, cislevel1, cislevel2] # 4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored) [group4, cislevel1, cislevel2] diff --git a/groups/group7_extras b/groups/group7_extras index f490879a..47863406 100644 --- a/groups/group7_extras +++ b/groups/group7_extras @@ -15,7 +15,7 @@ GROUP_ID[7]='extras' GROUP_NUMBER[7]='7.0' GROUP_TITLE[7]='Extras - all non CIS specific checks - [extras] ****************' GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called -GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797' +GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798' # Extras 759 and 760 (lambda variables and code secrets finder are not included) # to run detect-secrets use `./prowler -g secrets` From 33a53663db725ffcbc120ec23f35b0fae6b9c932 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Tue, 25 Aug 2020 19:54:57 +0200 Subject: [PATCH 5/8] Added [extra799] Check if Security Hub is enabled and its standard subscriptions --- checks/check_extra799 | 33 +++++++++++++++++++++++++++++++++ groups/group7_extras | 2 +- 2 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 checks/check_extra799 diff --git a/checks/check_extra799 b/checks/check_extra799 new file mode 100644 index 00000000..f2bf742e --- /dev/null +++ b/checks/check_extra799 @@ -0,0 +1,33 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. + +CHECK_ID_extra799="7.99" +CHECK_TITLE_extra799="[extra799] Check if Security Hub is enabled and its standard subscriptions" +CHECK_SCORED_extra799="NOT_SCORED" +CHECK_TYPE_extra799="EXTRA" +CHECK_ASFF_RESOURCE_TYPE_extra799="AwsSecurityHubHub" +CHECK_ALTERNATE_check799="extra799" +CHECK_SEVERITY_extra799="medium" + +extra799(){ + for regx in $REGIONS; do + # If command below fails get nothing then it there are no subscriptions and Security Hub is not enabled. + LIST_OF_SECHUB_SUBSCRIPTIONS=$($AWSCLI $PROFILE_OPT --region $regx securityhub get-enabled-standards --query 'StandardsSubscriptions[?StandardsStatus == `READY`].StandardsSubscriptionArn' --output json 2>/dev/null | awk -F "/" '{ print $2 }' | tr '\n' ' ' ) + if [[ $LIST_OF_SECHUB_SUBSCRIPTIONS ]]; then + textPass "$regx: Security Hub is enabled with standards $LIST_OF_SECHUB_SUBSCRIPTIONS" "$regx" + else + textInfo "$regx: Security Hub is not enabled" "$regx" + #textFail "$regx: Security Hub is not enabled" "$regx" + fi + done +} diff --git a/groups/group7_extras b/groups/group7_extras index 47863406..f6964d39 100644 --- a/groups/group7_extras +++ b/groups/group7_extras @@ -15,7 +15,7 @@ GROUP_ID[7]='extras' GROUP_NUMBER[7]='7.0' GROUP_TITLE[7]='Extras - all non CIS specific checks - [extras] ****************' GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called -GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798' +GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799' # Extras 759 and 760 (lambda variables and code secrets finder are not included) # to run detect-secrets use `./prowler -g secrets` From 553faf72ece3c2997c81db08df975025b43411c4 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Wed, 26 Aug 2020 16:57:20 +0200 Subject: [PATCH 6/8] Added [extra736] Check exposed KMS keys to group internet-exposed --- groups/group17_internetexposed | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/groups/group17_internetexposed b/groups/group17_internetexposed index f2364b96..51bb5940 100644 --- a/groups/group17_internetexposed +++ b/groups/group17_internetexposed @@ -15,7 +15,7 @@ GROUP_ID[17]='internet-exposed' GROUP_NUMBER[17]='17.0' GROUP_TITLE[17]='Find resources exposed to the internet - [internet-exposed] *******' GROUP_RUN_BY_DEFAULT[17]='N' # run it when execute_all is called -GROUP_CHECKS[17]='check41,check42,extra72,extra73,extra74,extra76,extra77,extra78,extra79,extra710,extra711,extra716,extra723,extra727,extra731,extra738,extra745,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra770,extra771,extra778,extra779,extra787,extra788,extra798' +GROUP_CHECKS[17]='check41,check42,extra72,extra73,extra74,extra76,extra77,extra78,extra79,extra710,extra711,extra716,extra723,extra727,extra731,extra736,extra738,extra745,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra770,extra771,extra778,extra779,extra787,extra788,extra798' # 4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored) [group4, cislevel1, cislevel2] # 4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored) [group4, cislevel1, cislevel2] From 89db9d4b70c59da54bca5f097e983d102612c8d1 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Wed, 26 Aug 2020 18:40:11 +0200 Subject: [PATCH 7/8] Update check12 --- checks/check12 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checks/check12 b/checks/check12 index e2f9c12a..a5cbac6f 100644 --- a/checks/check12 +++ b/checks/check12 @@ -19,7 +19,7 @@ CHECK_ALTERNATE_check102="check12" check12(){ # "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)" # List users with password enabled - COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep -F ' true' | awk '{ print $1 }') + COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep 'true$' | awk '{ print $1 }') COMMAND12=$( for i in $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED; do cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$8 }' |grep "^$i " |grep false | awk '{ print $1 }' From 7868904c3b013028b3a4180a4cd4eadc40130f27 Mon Sep 17 00:00:00 2001 From: Joaquin Rinaudo Date: Wed, 26 Aug 2020 23:59:02 +0200 Subject: [PATCH 8/8] Fix getops OPTARG for custom checks Custom checks in folder are not being sourced. `./prowler -c extra800 -x custom` results in empty EXTERNAL_CHECKS_PATH variables due to missing colon. The fix was tested in both OSX and toniblyx/prowler:latest Docker. Regards, --- prowler | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/prowler b/prowler index 45d52f6a..3c87ab8d 100755 --- a/prowler +++ b/prowler @@ -96,7 +96,7 @@ USAGE: exit } -while getopts ":hlLkqp:r:c:g:f:m:M:E:enbVsSxI:A:R:T:w:" OPTION; do +while getopts ":hlLkqp:r:c:g:f:m:M:E:x:enbVsSI:A:R:T:w:" OPTION; do case $OPTION in h ) usage