Merge branch 'master' into master

This commit is contained in:
Toni de la Fuente
2020-08-27 16:28:35 +02:00
committed by GitHub
6 changed files with 39 additions and 5 deletions


@@ -19,7 +19,7 @@ CHECK_ALTERNATE_check102="check12"
check12(){ check12(){
# "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)" # "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
# List users with password enabled # List users with password enabled
COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep -F ' true$' | awk '{ print $1 }') COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep 'true$' | awk '{ print $1 }')
COMMAND12=$( COMMAND12=$(
for i in $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED; do for i in $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED; do
cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$8 }' |grep "^$i " |grep false | awk '{ print $1 }' cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$8 }' |grep "^$i " |grep false | awk '{ print $1 }'
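Review bot: The filter on the line after the changed one, `grep false`, is unanchored, so any user whose name contains the substring `false` is reported as MFA-less regardless of the mfa_active column; since `$i` is also interpolated into `grep "^$i "` as a regex (IAM user names may contain `.` and `+`), replace that line with one exact-match awk: `awk -F, -v u="$i" '$1==u && $8=="false" { print $1 }' "$TEMP_REPORT_FILE"`. The `grep 'true$'` form is correct for the password_enabled column, but if the `-F ' true$'` form is the side being kept, `-F` makes `$` literal and the pattern can never match, which would silently empty the user list and let the check pass vacuously. check12's body continues beyond this hunk.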


@@ -13,6 +13,7 @@
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the # CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License. # specific language governing permissions and limitations under the License.
CHECK_ID_extra7100="7.100" CHECK_ID_extra7100="7.100"
CHECK_TITLE_extra7100="[extra7100] Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)" CHECK_TITLE_extra7100="[extra7100] Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)"
CHECK_SCORED_extra7100="NOT_SCORED" CHECK_SCORED_extra7100="NOT_SCORED"
@@ -72,4 +73,4 @@ extra7100(){
else else
textPass "No custom policies found" textPass "No custom policies found"
fi fi
} }

33
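--- /dev/null
+++ b/checks/check_extra799
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra799="7.99"
+CHECK_TITLE_extra799="[extra799] Check if Security Hub is enabled and its standard subscriptions"
+CHECK_SCORED_extra799="NOT_SCORED"
+CHECK_TYPE_extra799="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra799="AwsSecurityHubHub"
+CHECK_ALTERNATE_check799="extra799"
+CHECK_SEVERITY_extra799="medium"
+extra799(){
+  for regx in $REGIONS; do
+    # If command below fails get nothing then it there are no subscriptions and Security Hub is not enabled.
+    LIST_OF_SECHUB_SUBSCRIPTIONS=$($AWSCLI $PROFILE_OPT --region $regx securityhub get-enabled-standards --query 'StandardsSubscriptions[?StandardsStatus == `READY`].StandardsSubscriptionArn' --output json 2>/dev/null | awk -F "/" '{ print $2 }' | tr '\n' ' ' )
+    if [[ $LIST_OF_SECHUB_SUBSCRIPTIONS ]]; then
+      textPass "$regx: Security Hub is enabled with standards $LIST_OF_SECHUB_SUBSCRIPTIONS" "$regx"
+    else
+      textInfo "$regx: Security Hub is not enabled" "$regx"
+      #textFail "$regx: Security Hub is not enabled" "$regx"
+    fi
+  done
+}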
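Review bot: `2>/dev/null` on the get-enabled-standards call folds every failure into the `else` branch, so an `AccessDeniedException` (missing `securityhub:GetEnabledStandards`), an unsupported or not-opted-in region, or throttling is reported as "Security Hub is not enabled" — indistinguishable from the genuinely disabled state, which the API signals with `InvalidAccessException`. Capture stderr and the exit status and report an undeterminable state separately, as sketched below; only run the awk extraction on a successful call so error text is never parsed as ARNs. The `READY`-only query also means a hub that is enabled but whose standards are still `PENDING` lands in the same `textInfo` branch, so its wording is imprecise. The comment above the call should read `# Empty output means no READY standards: Security Hub is disabled in this region or has no standards enabled.`.
```shell
extra799(){
  for regx in $REGIONS; do
    SECHUB_RAW=$($AWSCLI $PROFILE_OPT --region "$regx" securityhub get-enabled-standards \
      --query 'StandardsSubscriptions[?StandardsStatus == `READY`].StandardsSubscriptionArn' \
      --output json 2>&1)
    SECHUB_RC=$?
    if [[ $SECHUB_RC -ne 0 ]]; then
      # Only InvalidAccessException means the account is not subscribed in this region;
      # AccessDenied, unsupported region, throttling etc. are an unknown state, not "disabled".
      if [[ $SECHUB_RAW == *InvalidAccessException* ]]; then
        textInfo "$regx: Security Hub is not enabled" "$regx"
      else
        textInfo "$regx: Security Hub state could not be determined: $SECHUB_RAW" "$regx"
      fi
      continue
    fi
    LIST_OF_SECHUB_SUBSCRIPTIONS=$(printf '%s\n' "$SECHUB_RAW" | awk -F "/" '{ print $2 }' | tr '\n' ' ')
    # … unchanged: pass branch, and info branch for "enabled but no READY standards" …
  done
}
```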


@@ -15,7 +15,7 @@ GROUP_ID[17]='internet-exposed'
GROUP_NUMBER[17]='17.0' GROUP_NUMBER[17]='17.0'
GROUP_TITLE[17]='Find resources exposed to the internet - [internet-exposed] *******' GROUP_TITLE[17]='Find resources exposed to the internet - [internet-exposed] *******'
GROUP_RUN_BY_DEFAULT[17]='N' # run it when execute_all is called GROUP_RUN_BY_DEFAULT[17]='N' # run it when execute_all is called
GROUP_CHECKS[17]='check41,check42,extra72,extra73,extra74,extra76,extra77,extra78,extra79,extra710,extra711,extra716,extra723,extra727,extra731,extra738,extra745,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra770,extra771,extra778,extra779,extra787,extra788' GROUP_CHECKS[17]='check41,check42,extra72,extra73,extra74,extra76,extra77,extra78,extra79,extra710,extra711,extra716,extra723,extra727,extra731,extra736,extra738,extra745,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra770,extra771,extra778,extra779,extra787,extra788,extra798'
# 4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored) [group4, cislevel1, cislevel2] # 4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored) [group4, cislevel1, cislevel2]
# 4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored) [group4, cislevel1, cislevel2] # 4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored) [group4, cislevel1, cislevel2]


@@ -294,7 +294,7 @@ generateJsonAsffOutput(){
{ {
"Type": $RESOURCE_TYPE, "Type": $RESOURCE_TYPE,
"Id": "AWS::::Account:\($ACCOUNT_NUM)", "Id": "AWS::::Account:\($ACCOUNT_NUM)",
"Partition": "aws", "Partition": $AWS_PARTITION,
"Region": $REPREGION "Region": $REPREGION
} }
], ],
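Review bot: `$AWS_PARTITION` in the `"Partition"` field is a jq variable inside the ASFF template (the neighbouring fields use `$RESOURCE_TYPE` and `\($ACCOUNT_NUM)` the same way), so it must be bound with `--arg AWS_PARTITION "$AWS_PARTITION"` on the jq invocation, which lies outside this hunk; an unbound jq variable is a compile error that would abort every ASFF finding, not just this field. Assuming the variable form is the new side, I'd also default it where the partition is derived, `AWS_PARTITION=${AWS_PARTITION:-aws}`, so `aws-cn`/`aws-us-gov` accounts get the correct ARN partition while everyone else keeps the former literal. generateJsonAsffOutput starts before and ends after this hunk.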


@@ -96,7 +96,7 @@ USAGE:
exit exit
} }
while getopts ":hlLkqp:r:c:g:f:m:M:E:enbVsSxI:A:R:T:w:" OPTION; do while getopts ":hlLkqp:r:c:g:f:m:M:E:x:enbVsSI:A:R:T:w:" OPTION; do
case $OPTION in case $OPTION in
h ) h )
usage usage
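Review bot: Changing `x` to `x:` means `-x` now consumes the following word as `$OPTARG`, so the `x )` case arm (outside this hunk) must read `$OPTARG`, and any caller still passing a bare `-x` will silently swallow the next flag (e.g. `-x -b` makes `-b` the argument rather than an option). The usage text, which ends just above this hunk, should document the new argument, and a `: )` arm should reject a missing one: `: ) echo "Option -$OPTARG requires an argument" >&2; exit 1 ;;`. I'm assuming the `x:` string is the new side.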