rename(provider): keep old version
@@ -40,7 +40,7 @@ extra769(){
|
||||
if [[ $ANALYZER_ACTIVE_FINDINGS_COUNT -eq 0 ]];then
|
||||
textPass "$regx: IAM Access Analyzer $accessAnalyzerArn has no active findings" "$regx" "$accessAnalyzerArn"
|
||||
else
|
||||
textInfo "$regx: IAM Access Analyzer $accessAnalyzerArn has $ANALYZER_ACTIVE_FINDINGS_COUNT active findings" "$regx"
|
||||
textInfo "$regx: IAM Access Analyzer $accessAnalyzerArn has $ANALYZER_ACTIVE_FINDINGS_COUNT active findings" "$regx"
|
||||
fi
|
||||
done
|
||||
else
|
||||
@@ -54,4 +54,4 @@ extra7156(){
|
||||
textInfo "$regx: No API Gateway found" "$regx"
|
||||
fi
|
||||
done
|
||||
}
|
||||
}
|
||||
@@ -30,7 +30,7 @@ extra722(){
|
||||
if [[ $(echo "$LIST_OF_API_GW" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
|
||||
textInfo "$regx: Access Denied trying to get rest APIs" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
if [[ $LIST_OF_API_GW ]];then
|
||||
for apigwid in $LIST_OF_API_GW;do
|
||||
API_GW_NAME=$($AWSCLI apigateway get-rest-apis $PROFILE_OPT --region $regx --query "items[?id==\`$apigwid\`].name" --output text)
|
||||
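Review bot: The access-denied test on the first line of the hunk, `if [[ $(echo "$LIST_OF_API_GW" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then`, captures grep's output only to test it for non-emptiness; `if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "$LIST_OF_API_GW"; then` is the form extra7176 and extra7177 in this same diff already use, and it also adds the `AuthorizationError` token that every other check here matches but this one omits. The same `[[ $(echo … | grep …) ]]` shape recurs in the hunks for extra743, extra744, extra745, extra746, extra729, extra740, extra741, extra748 through extra755, extra757, extra758, extra770, extra772, extra768, extra7129, extra717 and extra7102. The last line interpolates an API-returned id into a JMESPath literal and leaves `$regx` unquoted; the ids come from the same account so the exposure is low, but `--region "$regx"` costs nothing. The change in this hunk looks whitespace-only, and the enclosing `for regx` loop begins outside it.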
@@ -29,7 +29,7 @@ extra743(){
|
||||
if [[ $(echo "$LIST_OF_REST_APIS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
|
||||
textInfo "$regx: Access Denied trying to get rest APIs" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
if [[ $LIST_OF_REST_APIS ]];then
|
||||
for api in $LIST_OF_REST_APIS; do
|
||||
API_GW_NAME=$($AWSCLI apigateway get-rest-apis $PROFILE_OPT --region $regx --query "items[?id==\`$api\`].name" --output text)
|
||||
@@ -30,7 +30,7 @@ extra744(){
|
||||
if [[ $(echo "$LIST_OF_REST_APIS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
|
||||
textInfo "$regx: Access Denied trying to get rest APIs" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
if [[ $LIST_OF_REST_APIS ]];then
|
||||
for api in $LIST_OF_REST_APIS; do
|
||||
API_GW_NAME=$($AWSCLI apigateway get-rest-apis $PROFILE_OPT --region $regx --query "items[?id==\`$api\`].name" --output text)
|
||||
@@ -29,7 +29,7 @@ extra745(){
|
||||
if [[ $(echo "$LIST_OF_REST_APIS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
|
||||
textInfo "$regx: Access Denied trying to get rest APIs" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
if [[ $LIST_OF_REST_APIS ]];then
|
||||
for api in $LIST_OF_REST_APIS; do
|
||||
API_GW_NAME=$($AWSCLI apigateway get-rest-apis $PROFILE_OPT --region $regx --query "items[?id==\`$api\`].name" --output text)
|
||||
@@ -29,7 +29,7 @@ extra746(){
|
||||
if [[ $(echo "$LIST_OF_REST_APIS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
|
||||
textInfo "$regx: Access Denied trying to get rest APIs" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
if [[ $LIST_OF_REST_APIS ]];then
|
||||
for api in $LIST_OF_REST_APIS; do
|
||||
API_GW_NAME=$($AWSCLI apigateway get-rest-apis $PROFILE_OPT --region $regx --query "items[?id==\`$api\`].name" --output text)
|
||||
@@ -24,10 +24,10 @@ CHECK_CAF_EPIC_extra775='IAM'
|
||||
|
||||
extra775(){
|
||||
SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM-$PROWLER_START_TIME"
|
||||
if [[ ! -d $SECRETS_TEMP_FOLDER ]]; then
|
||||
if [[ ! -d $SECRETS_TEMP_FOLDER ]]; then
|
||||
# this folder is deleted once this check is finished
|
||||
mkdir $SECRETS_TEMP_FOLDER
|
||||
fi
|
||||
fi
|
||||
|
||||
for regx in $REGIONS; do
|
||||
CHECK_DETECT_SECRETS_INSTALLATION=$(secretsDetector)
|
||||
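Review bot: `mkdir $SECRETS_TEMP_FOLDER` creates the directory with whatever umask the operator has, yet the comment marks it as scratch space for a secrets check and extra741 later in this diff writes decoded instance user data into it (`$SECRETS_TEMP_FOLDER/extra741-$instance-userData.decoded`); `mkdir -p -m 700 -- "$SECRETS_TEMP_FOLDER"` keeps that material readable only by the running user and tolerates a `PROWLER_DIR` containing spaces. With `-p` the preceding `if [[ ! -d … ]]` test becomes unnecessary, which also removes the check-then-create window between the test and the `mkdir`. The hunk's change appears to be whitespace-only, and extra775's body continues past the hunk.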
@@ -69,7 +69,7 @@ extra775(){
|
||||
textFail "$regx: Potential secret found in $autoscaling_configuration" "$regx" "$autoscaling_configuration"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
else
|
||||
textPass "$regx: No secrets found in $autoscaling_configuration User Data or it is empty" "$regx" "$autoscaling_configuration"
|
||||
fi
|
||||
done
|
||||
@@ -33,10 +33,10 @@ extra714(){
|
||||
if [[ $LOG_ENABLED || $LOG_ENABLED_REALTIME ]]; then
|
||||
textPass "$REGION: CloudFront distribution $dist has logging enabled" "$REGION" "$dist"
|
||||
else
|
||||
textFail "$REGION: CloudFront distribution $dist has logging disabled" "$REGION" "$dist"
|
||||
textFail "$REGION: CloudFront distribution $dist has logging disabled" "$REGION" "$dist"
|
||||
fi
|
||||
done
|
||||
else
|
||||
textInfo "$REGION: No CloudFront distributions found" "$REGION" "$dist"
|
||||
textInfo "$REGION: No CloudFront distributions found" "$REGION" "$dist"
|
||||
fi
|
||||
}
|
||||
@@ -53,7 +53,7 @@ check21(){
|
||||
textFail "$regx: Trail $trail is configured for all regions but it is OFF" "$regx" "$trail"
|
||||
else
|
||||
textPass "$regx: Trail $trail is enabled for all regions" "$regx" "$trail"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
@@ -63,6 +63,6 @@ check21(){
|
||||
textFail "$regx: No CloudTrail trails were found in the filtered region" "$regx" "$trail"
|
||||
else
|
||||
textFail "$regx: No CloudTrail trails were found in the account" "$regx" "$trail"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
}
|
||||
@@ -48,7 +48,7 @@ extra7162() {
|
||||
:
|
||||
else
|
||||
textInfo "$regx does not have a Log Group!" "$regx"
|
||||
|
||||
|
||||
fi
|
||||
done
|
||||
}
|
||||
@@ -56,7 +56,7 @@ extra7174(){
|
||||
fi
|
||||
fi
|
||||
done
|
||||
else
|
||||
else
|
||||
textInfo "${regx}: No CodeBuild Projects found" "${regx}"
|
||||
fi
|
||||
done
|
||||
@@ -45,7 +45,7 @@ extra7175(){
|
||||
textPass "${regx}: Codebuild project ${project} not uses a user controlled buildspec" "${regx}" "${project}"
|
||||
fi
|
||||
done
|
||||
else
|
||||
else
|
||||
textInfo "${regx}: No CodeBuild Projects found" "${regx}"
|
||||
fi
|
||||
done
|
||||
@@ -32,7 +32,7 @@ extra9999(){
|
||||
continue
|
||||
fi
|
||||
if [[ $MY_CUSTOM_CMD ]]; then
|
||||
for element in $MY_CUSTOM_CMD; do
|
||||
for element in $MY_CUSTOM_CMD; do
|
||||
textFail "$regx: Custom output is: $element" "$regx" "$CHECK_SGDEFAULT_ID"
|
||||
done
|
||||
else
|
||||
@@ -40,8 +40,8 @@ extra7128(){
|
||||
textInfo "$regx: DynamoDB table $table does have DEFAULT encryption enabled" "$regx" "$table"
|
||||
fi
|
||||
done
|
||||
else
|
||||
else
|
||||
textInfo "$regx: There are no DynamoDB tables" "$regx"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
}
|
||||
@@ -65,4 +65,4 @@ extra7165(){
|
||||
textInfo "$regx: No DynamoDB: DAX Clusters found." "$regx"
|
||||
fi
|
||||
done
|
||||
}
|
||||
}
|
||||
@@ -23,7 +23,7 @@ CHECK_REMEDIATION_extra7102='Check Identified IPs; consider changing them to pri
|
||||
CHECK_DOC_extra7102='https://www.shodan.io/'
|
||||
CHECK_CAF_EPIC_extra7102='Infrastructure Security'
|
||||
|
||||
# Watch out, always use Shodan API key, if you use `curl https://www.shodan.io/host/{ip}` massively
|
||||
# Watch out, always use Shodan API key, if you use `curl https://www.shodan.io/host/{ip}` massively
|
||||
# your IP will be banned by Shodan
|
||||
|
||||
# This is the right way to do so
|
||||
@@ -34,7 +34,7 @@ CHECK_CAF_EPIC_extra7102='Infrastructure Security'
|
||||
extra7102(){
|
||||
if [[ ! $SHODAN_API_KEY ]]; then
|
||||
textInfo "[extra7102] Requires a Shodan API key to work. Use -N <shodan_api_key>"
|
||||
else
|
||||
else
|
||||
for regx in $REGIONS; do
|
||||
LIST_OF_EIP=$($AWSCLI $PROFILE_OPT --region $regx ec2 describe-network-interfaces --query 'NetworkInterfaces[*].Association.PublicIp' --output text 2>&1)
|
||||
if [[ $(echo "$LIST_OF_EIP" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
|
||||
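Review bot: The guidance line `textInfo "[extra7102] Requires a Shodan API key to work. Use -N <shodan_api_key>"` directs the operator to put the key on the command line, where it is visible in process listings and shell history for the whole run; I cannot see from this diff whether the script also reads `SHODAN_API_KEY` from the environment, but if it does the message should name that path first, e.g. `Set SHODAN_API_KEY in the environment or use -N <shodan_api_key>`. On the `LIST_OF_EIP` line `$regx` is unquoted, and the following access-denied test uses the `[[ $(echo … | grep …) ]]` form where `grep -q -E … <<< "$LIST_OF_EIP"` would do. The change in this hunk looks whitespace-only; the `for regx` loop it opens continues outside the hunk.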
@@ -38,4 +38,4 @@ extra7134(){
|
||||
textPass "$regx: No Security Groups found with any port open to 0.0.0.0/0 for FTP ports" "$regx" "$SG"
|
||||
fi
|
||||
done
|
||||
}
|
||||
}
|
||||
@@ -38,4 +38,4 @@ extra7135(){
|
||||
textPass "$regx: No Security Groups found with any port open to 0.0.0.0/0 for Kafka ports" "$regx"
|
||||
fi
|
||||
done
|
||||
}
|
||||
}
|
||||
@@ -38,4 +38,4 @@ extra7136(){
|
||||
textPass "$regx: No Security Groups found with any port open to 0.0.0.0/0 for Telnet ports" "$regx" "$SG"
|
||||
fi
|
||||
done
|
||||
}
|
||||
}
|
||||
@@ -38,4 +38,4 @@ extra7137(){
|
||||
textPass "$regx: No Security Groups found with any port open to 0.0.0.0/0 for Microsoft SQL Server ports" "$regx"
|
||||
fi
|
||||
done
|
||||
}
|
||||
}
|
||||
@@ -39,4 +39,4 @@ extra7138(){
|
||||
textPass "$regx: No Network ACL found with any port open to 0.0.0.0/0" "$regx" "$NACL"
|
||||
fi
|
||||
done
|
||||
}
|
||||
}
|
||||
@@ -38,7 +38,7 @@ extra7173(){
|
||||
textFail "${regx}: Security Group ${SECURITY_GROUP_NAME} (ID: ${CHECK_SGDEFAULT_ID}) was created using the EC2 Launch Wizard" "${regx}" "${CHECK_SGDEFAULT_ID}"
|
||||
done
|
||||
else
|
||||
textPass "${regx}: No Security Groups found that were created using the Wizard" "${regx}" "${CHECK_SGDEFAULT_ID}"
|
||||
textPass "${regx}: No Security Groups found that were created using the Wizard" "${regx}" "${CHECK_SGDEFAULT_ID}"
|
||||
fi
|
||||
done
|
||||
}
|
||||
@@ -32,7 +32,7 @@ extra729(){
|
||||
if [[ $(echo "$LIST_OF_EBS_NON_ENC_VOLUMES" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
|
||||
textInfo "$regx: Access Denied trying to describe volumes" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
if [[ $LIST_OF_EBS_NON_ENC_VOLUMES ]];then
|
||||
for volume in $LIST_OF_EBS_NON_ENC_VOLUMES; do
|
||||
textFail "$regx: $volume is not encrypted!" "$regx" "$volume"
|
||||
@@ -26,7 +26,7 @@ CHECK_CAF_EPIC_extra740='Data Protection'
|
||||
|
||||
extra740(){
|
||||
# This does NOT use max-items, which would limit the number of items
|
||||
# considered. It considers all snapshots, but only reports at most
|
||||
# considered. It considers all snapshots, but only reports at most
|
||||
# max-items passing and max-items failing.
|
||||
for regx in ${REGIONS}; do
|
||||
UNENCRYPTED_SNAPSHOTS=$(${AWSCLI} ec2 describe-snapshots ${PROFILE_OPT} \
|
||||
@@ -36,8 +36,8 @@ extra740(){
|
||||
if [[ $(echo "$UNENCRYPTED_SNAPSHOTS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
|
||||
textInfo "$regx: Access Denied trying to describe snapshots" "$regx"
|
||||
continue
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
ENCRYPTED_SNAPSHOTS=$(${AWSCLI} ec2 describe-snapshots ${PROFILE_OPT} \
|
||||
--region ${regx} --owner-ids ${ACCOUNT_NUM} --output text \
|
||||
--query 'Snapshots[?Encrypted==`true`]|[*].{Id:SnapshotId}' 2>&1 \
|
||||
@@ -45,7 +45,7 @@ extra740(){
|
||||
if [[ $(echo "$ENCRYPTED_SNAPSHOTS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
|
||||
textInfo "$regx: Access Denied trying to describe snapshots" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
typeset -i unencrypted
|
||||
typeset -i encrypted
|
||||
unencrypted=0
|
||||
@@ -39,7 +39,7 @@ extra741(){
|
||||
if [[ $(echo "$LIST_OF_EC2_INSTANCES" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
|
||||
textInfo "$regx: Access Denied trying to describe instances" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
if [[ $LIST_OF_EC2_INSTANCES ]];then
|
||||
for instance in $LIST_OF_EC2_INSTANCES; do
|
||||
EC2_USERDATA_FILE="$SECRETS_TEMP_FOLDER/extra741-$instance-userData.decoded"
|
||||
@@ -29,7 +29,7 @@ extra748(){
|
||||
if [[ $(echo "$SG_LIST" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
|
||||
textInfo "$regx: Access Denied trying to describe security groups" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
if [[ $SG_LIST ]];then
|
||||
for SG in $SG_LIST;do
|
||||
textFail "$regx: Found Security Group: $SG open to 0.0.0.0/0" "$regx" "$SG"
|
||||
@@ -30,7 +30,7 @@ extra749(){
|
||||
if [[ $(echo "$SG_LIST" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
|
||||
textInfo "$regx: Access Denied trying to describe security groups" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
if [[ $SG_LIST ]];then
|
||||
for SG in $SG_LIST;do
|
||||
textFail "$regx: Found Security Group: $SG open to 0.0.0.0/0 for Oracle ports" "$regx" "$SG"
|
||||
@@ -30,7 +30,7 @@ extra750(){
|
||||
if [[ $(echo "$SG_LIST" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
|
||||
textInfo "$regx: Access Denied trying to describe security groups" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
if [[ $SG_LIST ]];then
|
||||
for SG in $SG_LIST;do
|
||||
textFail "$regx: Found Security Group: $SG open to 0.0.0.0/0 for MySQL port" "$regx" "$SG"
|
||||
@@ -30,7 +30,7 @@ extra751(){
|
||||
if [[ $(echo "$SG_LIST" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
|
||||
textInfo "$regx: Access Denied trying to describe security groups" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
if [[ $SG_LIST ]];then
|
||||
for SG in $SG_LIST;do
|
||||
textFail "$regx: Found Security Group: $SG open to 0.0.0.0/0 for Postgres port" "$regx" "$SG"
|
||||
@@ -30,7 +30,7 @@ extra752(){
|
||||
if [[ $(echo "$SG_LIST" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
|
||||
textInfo "$regx: Access Denied trying to describe security groups" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
if [[ $SG_LIST ]];then
|
||||
for SG in $SG_LIST;do
|
||||
textFail "$regx: Found Security Group: $SG open to 0.0.0.0/0 for Redis port" "$regx" "$SG"
|
||||
@@ -30,7 +30,7 @@ extra753(){
|
||||
if [[ $(echo "$SG_LIST" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
|
||||
textInfo "$regx: Access Denied trying to describe security groups" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
if [[ $SG_LIST ]];then
|
||||
for SG in $SG_LIST;do
|
||||
textFail "$regx: Found Security Group: $SG open to 0.0.0.0/0 for MongoDB ports" "$regx" "$SG"
|
||||
@@ -30,7 +30,7 @@ extra754(){
|
||||
if [[ $(echo "$SG_LIST" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
|
||||
textInfo "$regx: Access Denied trying to describe security groups" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
if [[ $SG_LIST ]];then
|
||||
for SG in $SG_LIST;do
|
||||
textFail "$regx: Found Security Group: $SG open to 0.0.0.0/0 for Cassandra ports" "$regx" "$SG"
|
||||
@@ -30,7 +30,7 @@ extra755(){
|
||||
if [[ $(echo "$SG_LIST" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
|
||||
textInfo "$regx: Access Denied trying to describe security groups" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
if [[ $SG_LIST ]];then
|
||||
for SG in $SG_LIST;do
|
||||
textFail "$regx: Found Security Group: $SG open to 0.0.0.0/0 for Memcached port" "$regx" "$SG"
|
||||
@@ -30,7 +30,7 @@ extra757(){
|
||||
if [[ $(echo "$EC2_RUNNING" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
|
||||
textInfo "$regx: Access Denied trying to describe instances" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
if [[ $EC2_RUNNING ]]; then
|
||||
INSTACES_OLD_THAN_AGE=$($AWSCLI ec2 describe-instances --query "Reservations[].Instances[?LaunchTime<='$OLDAGE'][].{id: InstanceId, launched: LaunchTime}" $PROFILE_OPT --region $regx --output text)
|
||||
if [[ $INSTACES_OLD_THAN_AGE ]]; then
|
||||
@@ -31,7 +31,7 @@ extra758(){
|
||||
if [[ $(echo "${INSTACES_OLD_THAN_AGE}" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
|
||||
textInfo "${regx}: Access Denied trying to describe instances" "${regx}"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
if [[ "${INSTACES_OLD_THAN_AGE}" ]]; then
|
||||
while read -r EC2_ID LAUNCH_DATE STATE
|
||||
do
|
||||
@@ -30,7 +30,7 @@ extra770(){
|
||||
if [[ $(echo "$LIST_OF_PUBLIC_INSTANCES_WITH_INSTANCE_PROFILES" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
|
||||
textInfo "$regx: Access Denied trying to describe instances" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
if [[ $LIST_OF_PUBLIC_INSTANCES_WITH_INSTANCE_PROFILES ]];then
|
||||
while read -r instance;do
|
||||
INSTANCE_ID=$(echo $instance | awk '{ print $1; }')
|
||||
@@ -29,7 +29,7 @@ extra772(){
|
||||
if [[ $(echo "$EIP_DUMP" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
|
||||
textInfo "$regx: Access Denied trying to describe addresses" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
EIP_LIST=$(echo $EIP_DUMP | jq -r '.Addresses[].AllocationId')
|
||||
if [[ $EIP_LIST ]]; then
|
||||
for eip in $EIP_LIST; do
|
||||
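Review bot: `EIP_LIST=$(echo $EIP_DUMP | jq -r '.Addresses[].AllocationId')` expands the JSON payload unquoted, so the shell word-splits it and applies pathname expansion to any fragment that looks like a glob before jq ever sees it; `EIP_LIST=$(jq -r '.Addresses[].AllocationId' <<< "$EIP_DUMP")` passes the document intact. The same unquoted `echo $VAR | jq` shape appears in the hunks for extra768 (`$FAMILIES`), extra792 (`$ELB_LISTENERS`) and extra793 (`$ELBV2_LISTENERS`). The change in this hunk appears to be whitespace-only, and the enclosing region loop starts outside it.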
@@ -49,7 +49,7 @@ extra779(){
|
||||
if [[ "$eip" == "None" ]];then
|
||||
textInfo "$regx: Found instance $instance with private IP on Security Group: $sg" "$regx"
|
||||
else
|
||||
textFail "$regx: Found instance $instance with public IP $eip on Security Group: $sg open to 0.0.0.0/0 on for Elasticsearch/Kibana ports - use extra787 to test AUTH" "$regx" "$sg"
|
||||
textFail "$regx: Found instance $instance with public IP $eip on Security Group: $sg open to 0.0.0.0/0 on for Elasticsearch/Kibana ports - use extra787 to test AUTH" "$regx" "$sg"
|
||||
fi
|
||||
done < <(cat $TEMP_EXTRA779_FILE)
|
||||
fi
|
||||
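Review bot: `done < <(cat $TEMP_EXTRA779_FILE)` forks a `cat` and leaves the path unquoted; `done < "$TEMP_EXTRA779_FILE"` reads the same file directly into the loop. The `while` loop this line closes begins outside the hunk, so I cannot see what it reads per line or whether the file is removed afterwards. The change in this hunk looks whitespace-only.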
@@ -38,7 +38,7 @@ extra768(){
|
||||
if [[ $(echo "$FAMILIES" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
|
||||
textInfo "$regx: Access Denied trying to list task definition families" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
if [[ $(echo $FAMILIES | jq -r .families[]) ]]; then
|
||||
for FAMILY in $(echo $FAMILIES | jq -r .families[]);do
|
||||
# Get the full task definition arn:
|
||||
@@ -33,7 +33,7 @@ extra7129(){
|
||||
if [[ $(echo "$LIST_OF_ELBSV2" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
|
||||
textInfo "$regx: Access Denied trying to describe load balancers" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
LIST_OF_WAFV2_WEBACL_ARN=$($AWSCLI wafv2 list-web-acls $PROFILE_OPT --region=$regx --scope=REGIONAL --query WebACLs[*].ARN --output text)
|
||||
LIST_OF_WAFV1_WEBACL_WEBACLID=$($AWSCLI waf-regional list-web-acls $PROFILE_OPT --region $regx --query WebACLs[*].[WebACLId] --output text)
|
||||
|
||||
@@ -75,7 +75,7 @@ extra7129(){
|
||||
else
|
||||
textInfo "$regx: No Application Load Balancers found" "$regx"
|
||||
fi
|
||||
# ) &
|
||||
# ) &
|
||||
done
|
||||
# wait
|
||||
}
|
||||
}
|
||||
@@ -41,7 +41,7 @@ extra7142(){
|
||||
textFail "$regx: Application Load Balancer $alb is not dropping invalid header fields" "$regx" "$alb"
|
||||
fi
|
||||
done
|
||||
else
|
||||
else
|
||||
textInfo "$regx: no ALBs found"
|
||||
fi
|
||||
done
|
||||
@@ -14,7 +14,7 @@
|
||||
#
|
||||
# https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html
|
||||
#
|
||||
# aws elbv2 modify-load-balancer-attributes
|
||||
# aws elbv2 modify-load-balancer-attributes
|
||||
# --load-balancer-arn <alb arn>\
|
||||
# --attributes Key=routing.http.desync_mitigation_mode,Value=<defensive/strictest>
|
||||
|
||||
@@ -44,4 +44,4 @@ extra7158(){
|
||||
textInfo "$regx: No ELBs found" "$regx"
|
||||
fi
|
||||
done
|
||||
}
|
||||
}
|
||||
@@ -43,4 +43,4 @@ extra7159(){
|
||||
textInfo "$regx: No ELBs found" "$regx"
|
||||
fi
|
||||
done
|
||||
}
|
||||
}
|
||||
@@ -30,12 +30,12 @@ extra717(){
|
||||
if [[ $(echo "$LIST_OF_ELBS" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
|
||||
textInfo "$regx: Access Denied trying to list load balancers v1" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
LIST_OF_ELBSV2=$($AWSCLI elbv2 describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancers[*].LoadBalancerArn' --output text 2>&1 |xargs -n1)
|
||||
if [[ $(echo "$LIST_OF_ELBSV2" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
|
||||
textInfo "$regx: Access Denied trying to list load balancers v2" "$regx"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
if [[ $LIST_OF_ELBS || $LIST_OF_ELBSV2 ]]; then
|
||||
if [[ $LIST_OF_ELBS ]]; then
|
||||
for elb in $LIST_OF_ELBS; do
|
||||
@@ -49,12 +49,12 @@ extra792(){
|
||||
|
||||
ELB_PROTOCOLS=$(echo $ELB_LISTENERS | jq -r '.ListenerDescriptions[].Listener.Protocol')
|
||||
if [[ $(echo $ELB_PROTOCOLS | grep HTTPS) || $(echo $ELB_PROTOCOLS | grep SSL) ]]; then
|
||||
ELB_POLICIES=$(echo $ELB_LISTENERS | jq -r '.ListenerDescriptions[].PolicyNames | .[]')
|
||||
ELB_POLICIES=$(echo $ELB_LISTENERS | jq -r '.ListenerDescriptions[].PolicyNames | .[]')
|
||||
passed=true
|
||||
for policy in $ELB_POLICIES; do
|
||||
# Check for secure default policy
|
||||
# Check for secure default policy
|
||||
REFPOLICY=$($AWSCLI elb describe-load-balancer-policies $PROFILE_OPT --region $regx --load-balancer-name $elb --policy-name $policy --query "PolicyDescriptions[0].PolicyAttributeDescriptions[?(AttributeName == 'Reference-Security-Policy')].AttributeValue" --output text)
|
||||
if [[ -n "$REFPOLICY" ]]; then
|
||||
if [[ -n "$REFPOLICY" ]]; then
|
||||
if array_contains ELBSECUREPOLICIES "$REFPOLICY"; then
|
||||
continue # Passed for this listener/policy
|
||||
else
|
||||
@@ -68,11 +68,11 @@ extra792(){
|
||||
continue
|
||||
else
|
||||
passed=false
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
if $passed; then
|
||||
textPass "$regx: $elb has no insecure SSL ciphers" "$regx" "$elb"
|
||||
else
|
||||
@@ -84,7 +84,7 @@ extra792(){
|
||||
done
|
||||
fi
|
||||
if [[ $LIST_OF_ELBSV2 ]]; then
|
||||
# NOTE - ALBs do NOT support custom security policies
|
||||
# NOTE - ALBs do NOT support custom security policies
|
||||
# https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
|
||||
ELBV2SECUREPOLICIES=("ELBSecurityPolicy-TLS-1-2-2017-01" "ELBSecurityPolicy-TLS-1-2-Ext-2018-06" "ELBSecurityPolicy-FS-1-2-2019-08" "ELBSecurityPolicy-FS-1-2-Res-2019-08" "ELBSecurityPolicy-FS-1-2-Res-2020-10" "ELBSecurityPolicy-TLS13-1-2-2021-06" "ELBSecurityPolicy-TLS13-1-3-2021-06" "ELBSecurityPolicy-TLS13-1-2-Res-2021-06" "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06" "ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06")
|
||||
|
||||
@@ -104,7 +104,7 @@ extra792(){
|
||||
|
||||
if [[ $(echo $ELBV2_PROTOCOLS | grep HTTPS) || $(echo $ELBV2_PROTOCOLS | grep TLS) ]]; then
|
||||
ELBV2_SSL_POLICIES=$($AWSCLI elbv2 describe-listeners $PROFILE_OPT --region $regx --load-balancer-arn $elbarn --query 'Listeners[*].SslPolicy' --output text)
|
||||
|
||||
|
||||
for policy in $ELBV2_SSL_POLICIES; do
|
||||
if array_contains ELBV2SECUREPOLICIES "$policy"; then
|
||||
continue # Passed for this listener/policy
|
||||
@@ -112,7 +112,7 @@ extra792(){
|
||||
passed=false
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
if $passed; then
|
||||
textPass "$regx: $elbname has no insecure SSL ciphers" "$regx" "$elbname"
|
||||
else
|
||||
@@ -129,7 +129,7 @@ extra792(){
|
||||
done
|
||||
}
|
||||
|
||||
array_contains () {
|
||||
array_contains () {
|
||||
local array="$1[@]"
|
||||
local seeking=$2
|
||||
local in=1
|
||||
@@ -39,9 +39,9 @@ extra793(){
|
||||
fi
|
||||
if [[ $LIST_OF_ELBS || $LIST_OF_ELBSV2 ]]; then
|
||||
if [[ $LIST_OF_ELBS ]]; then
|
||||
ENCRYPTEDPROTOCOLS=("HTTPS" "SSL")
|
||||
ENCRYPTEDPROTOCOLS=("HTTPS" "SSL")
|
||||
for elb in $LIST_OF_ELBS; do
|
||||
ELB_PROTOCOLS=$($AWSCLI elb describe-load-balancers $PROFILE_OPT --region $regx --load-balancer-name $elb --query "LoadBalancerDescriptions[0].ListenerDescriptions[*].Listener.Protocol" --output text)
|
||||
ELB_PROTOCOLS=$($AWSCLI elb describe-load-balancers $PROFILE_OPT --region $regx --load-balancer-name $elb --query "LoadBalancerDescriptions[0].ListenerDescriptions[*].Listener.Protocol" --output text)
|
||||
passed=true
|
||||
potential_redirect=false
|
||||
for protocol in $ELB_PROTOCOLS; do
|
||||
@@ -49,13 +49,13 @@ extra793(){
|
||||
continue
|
||||
else
|
||||
# Check if both HTTP and HTTPS in use
|
||||
if [[ $(echo $ELB_PROTOCOLS | grep HTTPS) ]]; then
|
||||
if [[ $(echo $ELB_PROTOCOLS | grep HTTPS) ]]; then
|
||||
potential_redirect=true
|
||||
fi
|
||||
passed=false
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
if $passed; then
|
||||
textPass "$regx: $elb has encrypted listeners" "$regx"
|
||||
else
|
||||
@@ -63,7 +63,7 @@ extra793(){
|
||||
textInfo "$regx: $elb has both encrypted and non-encrypted listeners" "$regx"
|
||||
else
|
||||
textFail "$regx: $elb has non-encrypted listeners" "$regx" "$elb"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
@@ -75,7 +75,7 @@ extra793(){
|
||||
|
||||
ELBV2_LISTENERS=$($AWSCLI elbv2 describe-listeners $PROFILE_OPT --region $regx --load-balancer-arn $elbarn --query "Listeners[*]")
|
||||
ELBV2_PROTOCOLS=$(echo $ELBV2_LISTENERS | jq -r '.[].Protocol')
|
||||
|
||||
|
||||
if [[ $(echo $ELBV2_PROTOCOLS | grep HTTPS) ]]; then
|
||||
for line in $(echo $ELBV2_LISTENERS | jq -r '.[] | .Protocol + "," + .ListenerArn'); do
|
||||
protocol=$(echo $line | awk -F ',' '{print $1}')
|
||||
@@ -110,7 +110,7 @@ extra793(){
|
||||
done
|
||||
}
|
||||
|
||||
array_contains () {
|
||||
array_contains () {
|
||||
local array="$1[@]"
|
||||
local seeking=$2
|
||||
local in=1
|
||||
@@ -27,7 +27,7 @@ CHECK_CAF_EPIC_extra7176='Infrastructure Security'
|
||||
extra7176(){
|
||||
# Public EMR cluster have their DNS ending with .amazonaws.com while private ones have format of ip-xxx-xx-xx.us-east-1.compute.internal.
|
||||
for regx in ${REGIONS}; do
|
||||
# List only EMR clusters with the following states: STARTING, BOOTSTRAPPING, RUNNING, WAITING, TERMINATING
|
||||
# List only EMR clusters with the following states: STARTING, BOOTSTRAPPING, RUNNING, WAITING, TERMINATING
|
||||
# [NOT TERMINATED AND TERMINATED_WITH_ERRORS]
|
||||
LIST_OF_CLUSTERS=$("${AWSCLI}" emr list-clusters ${PROFILE_OPT} --region "${regx}" --query 'Clusters[?(Status.State!=`TERMINATED` && Status.State!=`TERMINATED_WITH_ERRORS`)].Id' --output text 2>&1)
|
||||
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${LIST_OF_CLUSTERS}"; then
|
||||
@@ -27,7 +27,7 @@ CHECK_CAF_EPIC_extra7177='Infrastructure Security'
|
||||
|
||||
extra7177(){
|
||||
for regx in ${REGIONS}; do
|
||||
# List only EMR clusters with the following states: STARTING, BOOTSTRAPPING, RUNNING, WAITING, TERMINATING
|
||||
# List only EMR clusters with the following states: STARTING, BOOTSTRAPPING, RUNNING, WAITING, TERMINATING
|
||||
# [NOT TERMINATED AND TERMINATED_WITH_ERRORS]
|
||||
LIST_OF_CLUSTERS=$("${AWSCLI}" emr list-clusters ${PROFILE_OPT} --region "${regx}" --query 'Clusters[?(Status.State!=`TERMINATED` && Status.State!=`TERMINATED_WITH_ERRORS`)].Id' --output text 2>&1)
|
||||
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${LIST_OF_CLUSTERS}"; then
|
||||
@@ -110,7 +110,7 @@ extra7177(){
|
||||
# Check if EMR Cluster is publicly accessible through a Security Group
|
||||
if [[ -n "${master_node_sg_internet_open}" || -n "${slave_node_sg_internet_open}" || "${#additional_master_node_sg_internet_open_list[@]}" -ne 0 || "${#additional_slave_node_sg_internet_open_list[@]}" -ne 0 ]]; then
|
||||
textFail "${regx}: EMR Cluster ${cluster_id} is publicly accessible through the following Security Groups: Master Node ${master_node_sg_internet_open} ${additional_master_node_sg_internet_open_list[*]} -- Slaves Nodes ${slave_node_sg_internet_open} ${additional_slave_node_sg_internet_open_list[*]}" "${regx}" "${cluster_id}"
|
||||
else
|
||||
else
|
||||
textPass "${regx}: EMR Cluster ${cluster_id} is not publicly accessible" "${regx}" "${cluster_id}"
|
||||
fi
|
||||
else
|
||||