From 170557a422f4bb0f0530087089447d5d4fbfde37 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Fri, 8 Feb 2019 16:39:05 +0000
Subject: [PATCH] New POC scoring and extra741 key finder userdata
---
 checks/check111 | 2 +-
 checks/check_extra741 | 14 ++++++++------
 include/outputs | 3 +++
 prowler | 11 +++++++++--
 4 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/checks/check111 b/checks/check111
index 0a123178..ea652b63 100644
--- a/checks/check111
+++ b/checks/check111
@@ -17,7 +17,7 @@ CHECK_ALTERNATE_check111="check111"
 check111(){
 # "Ensure IAM password policy expires passwords within 90 days or less (Scored)"
 COMMAND111=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --query PasswordPolicy.MaxPasswordAge --output text 2> /dev/null)
- if [[ $COMMAND111 ]];then
+ if [[ $COMMAND111 == [0-9]* ]];then
 if [[ "$COMMAND111" -le "90" ]];then
 textPass "Password Policy includes expiration (Value: $COMMAND111)"
 else
diff --git a/checks/check_extra741 b/checks/check_extra741
index f8e93085..dbd66930 100644
--- a/checks/check_extra741
+++ b/checks/check_extra741
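Review bot: The new guard `[[ $COMMAND111 == [0-9]* ]]` only requires a leading digit, so a value such as `90d` or `12abc` still reaches the numeric `-le` on the next line and trips a bash integer-expression error; an anchored regex pins the value down: `if [[ $COMMAND111 =~ ^[0-9]+$ ]];then`. The guard also sends `None` (what `--output text` typically prints when MaxPasswordAge is absent) and the empty result of a failed or permission-denied call to the same else branch, and the `2> /dev/null` on the preceding line discards the reason, so a denied `iam:GetAccountPasswordPolicy` would be reported like a missing expiry rather than as a check that could not run; capturing the exit status and emitting a distinct message for the failure case would keep the two apart. The else branch and the rest of check111 lie outside the hunk.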
@@ -26,20 +26,22 @@ extra741(){
 USERDATA=$($AWSCLI ec2 describe-instance-attribute --attribute userData --query UserData.Value $PROFILE_OPT --region $regx --instance-id $instance --output text | decode_report > $USERDATA_FILE)
 if [ -s $USERDATA_FILE ];then
 FILE_FORMAT_ASCII=$(file -b $USERDATA_FILE|grep ASCII)
+ FINDINGS=$(grep '[A-Za-z0-9]\{20,40\}' $USERDATA_FILE|wc -l|tr -d '\ ')
 if [[ $FILE_FORMAT_ASCII ]]; then
- FINDINGS=$(grep '[A-Za-z0-9]\{20,40\}' $USERDATA_FILE|wc -l)
 if [[ $FINDINGS -eq 0 ]]; then
- textPass "$regx: $instance nothing found" "$regx"
+ textPass "$regx: Nothing found in $instance" "$regx"
+ # delete file if nothing interesting is there
+ rm -f $USERDATA_FILE
 else
- textFail "$regx: $instance FOUND! $FINDINGS" "$regx"
+ textFail "$regx: Found $FINDINGS keys in $instance! Check file $USERDATA_FILE" "$regx"
 fi
 else
 mv $USERDATA_FILE $USERDATA_FILE.gz ; gunzip $USERDATA_FILE.gz
- FINDINGS=$(grep '[A-Za-z0-9]\{20,40\}' $USERDATA_FILE|wc -l)
 if [[ $FINDINGS -eq 0 ]]; then
- textPass "$regx: $instance nothing found" "$regx"
+ textPass "$regx: Nothing found in $instance" "$regx"
+ rm -f $USERDATA_FILE.gz
 else
- textFail "$regx: $instance FOUND! $FINDINGS" "$regx"
+ textFail "$regx: Found $FINDINGS keys in $instance! Check file $USERDATA_FILE" "$regx"
 fi
 fi
 else
diff --git a/include/outputs b/include/outputs
index 14656f59..a343a4ae 100644
--- a/include/outputs
+++ b/include/outputs
@@ -13,6 +13,7 @@
 # Output formatting functions
 textPass(){
+ PASS_COUNTER=$((PASS_COUNTER+1))
 if [[ "$MODE" == "csv" ]]; then
 if [[ $2 ]]; then
 REPREGION=$2
@@ -95,6 +96,7 @@ textInfo(){
 }
 textFail(){
+ FAIL_COUNTER=$((FAIL_COUNTER+1))
 EXITCODE=3
 if [[ "$MODE" == "csv" ]]; then
 if [[ $2 ]]; then
@@ -137,6 +139,7 @@ textFail(){
 }
 textTitle(){
+ CHECKS_COUNTER=$((CHECKS_COUNTER+1))
 TITLE_ID=$1
 if [[ $NUMERAL ]]; then
 TITLE_ID=$(echo $TITLE_ID | cut -d, -f2)
diff --git a/prowler b/prowler
index b0c7556a..323ee927 100755
--- a/prowler
+++ b/prowler
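Review bot: Hoisting `FINDINGS=$(grep '[A-Za-z0-9]\{20,40\}' $USERDATA_FILE|wc -l|tr -d '\ ')` above the ASCII test breaks the non-ASCII branch: `mv`/`gunzip` run only after FINDINGS has been computed, so the count is taken on the still-compressed bytes (grep on a binary file yields at most its single "Binary file matches" line) and the decompressed user data is never scanned. Re-run the count after `gunzip $USERDATA_FILE.gz`, i.e. add `FINDINGS=$(grep '[A-Za-z0-9]\{20,40\}' $USERDATA_FILE|wc -l|tr -d '\ ')` directly after that line. In the same branch the cleanup `rm -f $USERDATA_FILE.gz` names a file gunzip has already replaced, so the decompressed `$USERDATA_FILE` is left on disk even when nothing was found; it should be `rm -f $USERDATA_FILE` like the ASCII branch. Because the retained file may hold credentials, quoting the path (`"$USERDATA_FILE"`) and restricting its mode would also be worth doing, though that predates this change. extra741 continues outside the hunk.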
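Review bot: `PASS_COUNTER=$((PASS_COUNTER+1))` in textPass, and the matching increments in the textFail and textTitle hunks, rely on bash treating an unset name as 0 on the first call; nothing in this patch initialises the three counters, so if the script is ever run with `set -u` the first textPass would abort with an unbound-variable error. Initialising them next to the other defaults, `PASS_COUNTER=0; FAIL_COUNTER=0; CHECKS_COUNTER=0`, removes that dependence. Any check that calls textPass/textFail inside a pipeline or other subshell will increment a copy that is discarded, so the totals may undercount such checks; that limitation deserves a comment on the increments, e.g. `# counters only see calls made in the main shell`. textPass's body continues outside the hunk.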
@@ -32,7 +32,7 @@ OPTRED=""
 OPTNORMAL=""
 # Set the defaults variables
-PROWLER_VERSION=2.0
+PROWLER_VERSION=2.0.1-devel
 PROWLER_DIR=$(dirname "$0")
 REGION=""
@@ -73,12 +73,13 @@ USAGE:
 -E execute all tests except a list of specified checks separated by comma (i.e. check21,check31)
 -b do not print Prowler banner
 -V show version number & exit
+ -s show scoring report
 -h this help
 "
 exit
 }
-while getopts ":hlLkp:r:c:g:f:m:M:E:enbV" OPTION; do
+while getopts ":hlLkp:r:c:g:f:m:M:E:enbVs" OPTION; do
 case $OPTION in
 h )
 usage
@@ -132,6 +133,9 @@ while getopts ":hlLkp:r:c:g:f:m:M:E:enbV" OPTION; do
 EXITCODE=0
 exit $EXITCODE
 ;;
+ s )
+ SCORING=1
+ ;;
 : )
 echo ""
 echo "$OPTRED ERROR!$OPTNORMAL -$OPTARG requires an argument"
@@ -158,6 +162,7 @@ done
 . $PROWLER_DIR/include/banner
 . $PROWLER_DIR/include/whoami
 . $PROWLER_DIR/include/credentials_report
+. $PROWLER_DIR/include/scoring
 # Get a list of all available AWS Regions
 REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' \
@@ -369,6 +374,7 @@ if [[ $GROUP_ID_READ ]];then
 fi
 execute_group_by_id $GROUP_ID_READ
 cleanTemp
+ scoring
 exit $EXITCODE
 else
 textFail "Use a valid check group ID i.e.: group1, extras, forensics-ready, etc."
@@ -378,5 +384,6 @@ if [[ $GROUP_ID_READ ]];then
 fi
 execute_all
+scoring
 cleanTemp
 exit $EXITCODE
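Review bot: `. $PROWLER_DIR/include/scoring` sources a file this patch does not add — the diffstat lists only checks/check111, checks/check_extra741, include/outputs and prowler — so unless include/scoring already exists in the tree, startup fails at this line with a "No such file" error and the `scoring` calls added in the -369 and -378 hunks would hit an undefined function. Either add include/scoring to the commit or make the source conditional, `[[ -f $PROWLER_DIR/include/scoring ]] && . $PROWLER_DIR/include/scoring`, and have the callers check `command -v scoring >/dev/null` first. A one-line comment above the source, `# scoring report helpers; enabled with -s`, would also tell a reader what the new include provides.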
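Review bot: `scoring` runs after `cleanTemp` in the group path (-369 hunk) but before `cleanTemp` in the execute_all path (-378 hunk); if the report reads anything under the temp area the group path will already have deleted it, and in any case the two exit paths should agree, so move the group-path call above cleanTemp (`scoring`, then `cleanTemp`, then `exit $EXITCODE`). The `-s` option sets `SCORING=1` in the getopts hunk, yet prowler never tests that flag before calling `scoring`; unless the function checks it internally (not visible here) the report is printed unconditionally and the new option is a no-op, so `[[ $SCORING ]] && scoring` at both call sites would make the flag meaningful.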