From ba87f437d5c7d406adac80e64535e0857e73e39a Mon Sep 17 00:00:00 2001
From: Nick Malcolm
Date: Thu, 20 Aug 2020 21:08:00 +1200
Subject: [PATCH 01/13] This check will identify IAM Policies which allow an IAM Principal (a Role or User) to escalate their privileges due to insecure STS permissions. It is AWS best practice to only use explicitly defined Resources (Role ARNs) for an `sts:AssumeRole` action. See more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy
---
 checks/check_extra798 | 75 +++++++++++++++++++++++++++++++++++++++++++
 groups/group7_extras | 2 +-
 2 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 checks/check_extra798
diff --git a/checks/check_extra798 b/checks/check_extra798
new file mode 100644
index 00000000..c3f54f1c
--- /dev/null
+++ b/checks/check_extra798
@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
+#
+# This check was contributed by Nick Malcolm (github.com/nickmalcolm), building
+# on the hard work of others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra798="7.98"
+CHECK_TITLE_extra798="[extra798] Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)"
+CHECK_SCORED_extra798="NOT_SCORED"
+CHECK_TYPE_extra798="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra798="AwsIamPolicy"
+CHECK_ALTERNATE_extra798="extra798"
+
+extra798(){
+ # "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)"
+ #
+ # A permissive STS Role assumption policy is one where the Resource (ARN) is not explicitly defined
+ # This is most often seen as sts:assumeRole on *, but can take other forms.
+ #
+ # Learn more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy
+ LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION --scope Local --query 'Policies[*].[Arn,DefaultVersionId]' | grep -v -e '^None$' | awk -F '\t' '{print $1","$2"\n"}')
+ if [[ $LIST_CUSTOM_POLICIES ]]; then
+ textInfo "Looking for custom policies: (skipping default policies - it may take few seconds...)"
+ for policy in $LIST_CUSTOM_POLICIES; do
+ POLICY_ARN=$(echo $policy | awk -F ',' '{print $1}')
+ POLICY_VERSION=$(echo $policy | awk -F ',' '{print $2}')
+
+ POLICY_STATEMENTS_WITH_ALLOW=$($AWSCLI iam get-policy-version \
+ --output json \
+ --policy-arn $POLICY_ARN \
+ --version-id $POLICY_VERSION \
+ --query "[PolicyVersion.Document.Statement] | [] | [?Effect == 'Allow']" \
+ $PROFILE_OPT \
+ --region $REGION
+ )
+
+ # Identify permissive policies by:
+ # 1 & 2) Casting all the Resource and Action keys to Arrays (sometimes they're a single string)
+ # 3) Iterate over the policy statements
+ # 4) Narrow the scope to Actions which are sts:* or sts:assumeRole(WithSAML|WithWebIdentity)
+ # 5) Narrow the scope to Resources (IAM Roles) which include a wildcard
+ POLICY_WITH_PERMISSIVE_STS=$(echo $POLICY_STATEMENTS_WITH_ALLOW \
+ | jq 'map( .Resource |= (if type=="array" then . else [.] end) )' \
+ | jq 'map( .Action |= (if type=="array" then . else [.] end) )' \
+ | jq '.[]' \
+ | jq 'select(.Action[] | contains("sts:AssumeRole") or contains("sts:*"))' \
+ | jq 'select(.Resource[] | contains("*"))')
+
+ if [[ $POLICY_WITH_PERMISSIVE_STS ]]; then
+ PERMISSIVE_POLICIES_LIST="$PERMISSIVE_POLICIES_LIST $POLICY_ARN"
+ fi
+
+ done
+ if [[ $PERMISSIVE_POLICIES_LIST ]]; then
+ textInfo "STS AssumeRole Policies should only include the complete ARNs for the Roles that the user needs"
+ textInfo "Learn more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy"
+ for policy in $PERMISSIVE_POLICIES_LIST; do
+ textFail "Policy $policy allows permissive STS Role assumption"
+ done
+ else
+ textPass "No custom policies found that allow permissive STS Role assumption"
+ fi
+ else
+ textPass "No custom policies found"
+ fi
+}
diff --git a/groups/group7_extras b/groups/group7_extras
index f490879a..47863406 100644
--- a/groups/group7_extras
+++ b/groups/group7_extras
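Review bot: The action filter on the `jq 'select(.Action[] | contains("sts:AssumeRole") or contains("sts:*"))'` line is case-sensitive and only recognises those two spellings, while IAM matches action names case-insensitively and accepts wildcards, so a statement granting `sts:assumerole`, `sts:Assume*` or a bare `*` on a wildcard resource is not reported even though it is at least as permissive as the ones the check flags. A closer match that still covers the existing cases is `| jq 'select(.Action[] | ascii_downcase | (. == "*" or . == "sts:*" or startswith("sts:assume")))' \`. Separately, `echo $POLICY_STATEMENTS_WITH_ALLOW` hands a JSON document to the shell unquoted, so it is word-split and pathname-expanded before jq sees it; `echo "$POLICY_STATEMENTS_WITH_ALLOW"` avoids that, and the same applies to `echo $policy`. Statements carrying a `Condition` block are flagged exactly like unconditional ones, which may be intended but deserves a sentence in the header comment, e.g. `# Conditions on the statement are not evaluated; a conditioned wildcard is still reported`.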
@@ -15,7 +15,7 @@
 GROUP_ID[7]='extras'
 GROUP_NUMBER[7]='7.0'
 GROUP_TITLE[7]='Extras - all non CIS specific checks - [extras] ****************'
 GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
-GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797'
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798'
 # Extras 759 and 760 (lambda variables and code secrets finder are not included)
 # to run detect-secrets use `./prowler -g secrets`
From 024190dd8a722df6b8cc69cfbc569df5d3274923 Mon Sep 17 00:00:00 2001
From: Joaquin Rinaudo
Date: Fri, 21 Aug 2020 10:35:50 +0200
Subject: [PATCH 02/13] [Check12] Bugfix: Remove $ from grep Check is failing to detect users without MFA, solved by removing `$` sign addresses the issue.
---
 checks/check12 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/checks/check12 b/checks/check12
index adccb3c1..e2f9c12a 100644
--- a/checks/check12
+++ b/checks/check12
@@ -19,7 +19,7 @@ CHECK_ALTERNATE_check102="check12"
 check12(){
 # "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
 # List users with password enabled
-COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep -F ' true$' | awk '{ print $1 }')
+COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep -F ' true' | awk '{ print $1 }')
 COMMAND12=$(
 for i in $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED; do
 cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$8 }' |grep "^$i " |grep false | awk '{ print $1 }'
From 97e6a80bdc15e7325ebf3b3b181008fdfe6775c4 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Tue, 25 Aug 2020 16:49:20 +0200
Subject: [PATCH 03/13] Added AWS partition variable to the ASFF output format
---
 include/outputs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/outputs b/include/outputs
index 97f8c29b..63d36f20 100644
--- a/include/outputs
+++ b/include/outputs
@@ -294,7 +294,7 @@ generateJsonAsffOutput(){
 {
 "Type": $RESOURCE_TYPE,
 "Id": "AWS::::Account:\($ACCOUNT_NUM)",
-"Partition": "aws",
+"Partition": "$AWS_PARTITION",
 "Region": $REPREGION
 }
 ],
From 03b1d898a63d3530bf99fe6873aee40c57d516da Mon Sep 17 00:00:00 2001
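Review bot: Dropping the `$` from the check12 grep works around the symptom rather than the cause: `grep -F` treats its pattern as a fixed string, so `' true$'` was searching for a literal dollar sign and could never match, which is why no password-enabled user was detected. Keeping the anchor but dropping `-F`, `grep ' true$'`, fixes the same bug while still pinning the match to the end of the password_enabled column that the `awk -F, '{ print $1,$4 }'` stage exposes, rather than to `true` appearing anywhere later on the line; patch 08/13 on this page moves the line to `grep 'true$'`, which restores that anchoring. check12's body continues outside the hunk.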
From: Toni de la Fuente
Date: Tue, 25 Aug 2020 16:54:22 +0200
Subject: [PATCH 04/13] Added AWS partition variable to the ASFF output format
---
 include/outputs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/outputs b/include/outputs
index 63d36f20..d4ddba7b 100644
--- a/include/outputs
+++ b/include/outputs
@@ -294,7 +294,7 @@ generateJsonAsffOutput(){
 {
 "Type": $RESOURCE_TYPE,
 "Id": "AWS::::Account:\($ACCOUNT_NUM)",
-"Partition": "$AWS_PARTITION",
+"Partition": $AWS_PARTITION,
 "Region": $REPREGION
 }
 ],
From ca471700c2a31bdebf0ec59ab8c5a8df50fac977 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Tue, 25 Aug 2020 19:06:06 +0200
Subject: [PATCH 05/13] Added [extra798] Check if Lambda functions have resource-based policy set as Public
---
 checks/check_extra798 | 44 ++++++++++++++++++++++++++++++++++
 groups/group17_internetexposed | 2 +-
 groups/group7_extras | 2 +-
 3 files changed, 46 insertions(+), 2 deletions(-)
 create mode 100644 checks/check_extra798
diff --git a/checks/check_extra798 b/checks/check_extra798
new file mode 100644
index 00000000..fa15a011
--- /dev/null
+++ b/checks/check_extra798
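Review bot: In include/outputs, `"Partition": $AWS_PARTITION,` is now written like `$RESOURCE_TYPE` and `$ACCOUNT_NUM` on the neighbouring lines, and the `\($ACCOUNT_NUM)` interpolation on the Id line suggests this template is a jq program, in which case `$AWS_PARTITION` is a jq variable that must be bound on the jq invocation, typically `--arg AWS_PARTITION "$AWS_PARTITION"`; an unbound variable is a jq compile error that would break every ASFF record, not only the Partition field. That invocation, and the rest of generateJsonAsffOutput, lie outside the hunk, so please confirm the binding was added with this change and consider a comment on the line, e.g. `# $AWS_PARTITION is bound via --arg; see the jq call below`.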
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra798="7.98"
+CHECK_TITLE_extra798="[extra798] Check if Lambda functions have resource-based policy set as Public"
+CHECK_SCORED_extra798="NOT_SCORED"
+CHECK_TYPE_extra798="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra798="AwsLambdaFunction"
+CHECK_ALTERNATE_check798="extra798"
+
+extra798(){
+ for regx in $REGIONS; do
+ LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --output text --query 'Functions[*].FunctionName')
+ if [[ $LIST_OF_FUNCTIONS ]]; then
+ for lambdafunction in $LIST_OF_FUNCTIONS; do
+ # get the policy per function
+ FUNCTION_POLICY=$($AWSCLI lambda get-policy $PROFILE_OPT --region $regx --function-name $lambdafunction --query Policy --output text 2>/dev/null)
+ if [[ $FUNCTION_POLICY ]]; then
+ FUNCTION_POLICY_ALLOW_ALL=$(echo $FUNCTION_POLICY \
+ | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")')
+ if [[ $FUNCTION_POLICY_ALLOW_ALL ]]; then
+ textFail "$regx: Lambda function $lambdafunction has a policy with public access" "$regx"
+ else
+ textPass "$regx: Lambda function $lambdafunction has a policy resource-based policy and is not public" "$regx"
+ fi
+ else
+ textPass "$regx: Lambda function $lambdafunction does not have resource-based policy" "$regx"
+ fi
+ done
+ else
+ textInfo "$regx: No Lambda functions found" "$regx"
+ fi
+ done
+}
diff --git a/groups/group17_internetexposed b/groups/group17_internetexposed
index 73f51985..f2364b96 100644
--- a/groups/group17_internetexposed
+++ b/groups/group17_internetexposed
@@ -15,7 +15,7 @@
 GROUP_ID[17]='internet-exposed'
 GROUP_NUMBER[17]='17.0'
 GROUP_TITLE[17]='Find resources exposed to the internet - [internet-exposed] *******'
 GROUP_RUN_BY_DEFAULT[17]='N' # run it when execute_all is called
-GROUP_CHECKS[17]='check41,check42,extra72,extra73,extra74,extra76,extra77,extra78,extra79,extra710,extra711,extra716,extra723,extra727,extra731,extra738,extra745,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra770,extra771,extra778,extra779,extra787,extra788'
+GROUP_CHECKS[17]='check41,check42,extra72,extra73,extra74,extra76,extra77,extra78,extra79,extra710,extra711,extra716,extra723,extra727,extra731,extra738,extra745,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra770,extra771,extra778,extra779,extra787,extra788,extra798'
 # 4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored) [group4, cislevel1, cislevel2]
 # 4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored) [group4, cislevel1, cislevel2]
diff --git a/groups/group7_extras b/groups/group7_extras
index f490879a..47863406 100644
--- a/groups/group7_extras
+++ b/groups/group7_extras
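Review bot: The `2>/dev/null` on the `lambda get-policy` call in checks/check_extra798 hides every failure, so an AccessDenied or throttling error leaves `FUNCTION_POLICY` empty and the `else` branch reports the function with textPass as having no resource-based policy; a permission gap in the scanning credentials therefore reads as a clean result for every function in the region. Capturing stderr and treating only the no-policy error (ResourceNotFoundException) as a pass, with anything else routed to textInfo, keeps the finding honest; the rewrite below does that and makes the trailing `else textPass ... does not have resource-based policy` branch redundant. `echo $FUNCTION_POLICY` should also be quoted, since the JSON is word-split and glob-expanded before jq sees it, and the textPass wording `has a policy resource-based policy` reads as a typo. Patch 13/13 on this page re-adds this file with identical content, where the same points apply.
```shell
# … unchanged: list-functions loop and "get the policy per function" comment …
FUNCTION_POLICY=$($AWSCLI lambda get-policy $PROFILE_OPT --region $regx --function-name $lambdafunction --query Policy --output text 2>&1)
if [[ $? -ne 0 ]]; then
  # ResourceNotFoundException is the documented "no policy attached" answer; anything else is a read failure, not a pass
  if [[ $FUNCTION_POLICY == *ResourceNotFoundException* ]]; then
    textPass "$regx: Lambda function $lambdafunction does not have resource-based policy" "$regx"
  else
    textInfo "$regx: Lambda function $lambdafunction policy could not be read: $FUNCTION_POLICY" "$regx"
  fi
  continue
fi
FUNCTION_POLICY_ALLOW_ALL=$(echo "$FUNCTION_POLICY" \
# … unchanged: jq public-principal filter and the pass/fail messages …
```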
@@ -15,7 +15,7 @@
 GROUP_ID[7]='extras'
 GROUP_NUMBER[7]='7.0'
 GROUP_TITLE[7]='Extras - all non CIS specific checks - [extras] ****************'
 GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
-GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797'
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798'
 # Extras 759 and 760 (lambda variables and code secrets finder are not included)
 # to run detect-secrets use `./prowler -g secrets`
From 33a53663db725ffcbc120ec23f35b0fae6b9c932 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Tue, 25 Aug 2020 19:54:57 +0200
Subject: [PATCH 06/13] Added [extra799] Check if Security Hub is enabled and its standard subscriptions
---
 checks/check_extra799 | 33 +++++++++++++++++++++++++++++++++
 groups/group7_extras | 2 +-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 checks/check_extra799
diff --git a/checks/check_extra799 b/checks/check_extra799
new file mode 100644
index 00000000..f2bf742e
--- /dev/null
+++ b/checks/check_extra799
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra799="7.99"
+CHECK_TITLE_extra799="[extra799] Check if Security Hub is enabled and its standard subscriptions"
+CHECK_SCORED_extra799="NOT_SCORED"
+CHECK_TYPE_extra799="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra799="AwsSecurityHubHub"
+CHECK_ALTERNATE_check799="extra799"
+CHECK_SEVERITY_extra799="medium"
+
+extra799(){
+ for regx in $REGIONS; do
+ # If command below fails get nothing then it there are no subscriptions and Security Hub is not enabled.
+ LIST_OF_SECHUB_SUBSCRIPTIONS=$($AWSCLI $PROFILE_OPT --region $regx securityhub get-enabled-standards --query 'StandardsSubscriptions[?StandardsStatus == `READY`].StandardsSubscriptionArn' --output json 2>/dev/null | awk -F "/" '{ print $2 }' | tr '\n' ' ' )
+ if [[ $LIST_OF_SECHUB_SUBSCRIPTIONS ]]; then
+ textPass "$regx: Security Hub is enabled with standards $LIST_OF_SECHUB_SUBSCRIPTIONS" "$regx"
+ else
+ textInfo "$regx: Security Hub is not enabled" "$regx"
+ #textFail "$regx: Security Hub is not enabled" "$regx"
+ fi
+ done
+}
diff --git a/groups/group7_extras b/groups/group7_extras
index 47863406..f6964d39 100644
--- a/groups/group7_extras
+++ b/groups/group7_extras
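Review bot: `[[ $LIST_OF_SECHUB_SUBSCRIPTIONS ]]` appears to be true even when the query returns no READY standards: with `--output json` an empty result is printed as `[]`, the `awk -F "/" '{ print $2 }'` stage emits an empty line for it, and `tr '\n' ' '` turns that into a single space, which is a non-empty string, so a region where Security Hub is enabled but no standard is subscribed gets textPass with an empty standards list. Printing only lines that actually contain a slash fixes it in place: `awk -F "/" 'NF > 1 { print $2 }'`. The `2>/dev/null` on the same line also folds a denied GetEnabledStandards call into the `Security Hub is not enabled` textInfo, which deserves a comment on that line, e.g. `# stderr is discarded: an access-denied error is reported as "not enabled"`.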
@@ -15,7 +15,7 @@
 GROUP_ID[7]='extras'
 GROUP_NUMBER[7]='7.0'
 GROUP_TITLE[7]='Extras - all non CIS specific checks - [extras] ****************'
 GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
-GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798'
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799'
 # Extras 759 and 760 (lambda variables and code secrets finder are not included)
 # to run detect-secrets use `./prowler -g secrets`
From 553faf72ece3c2997c81db08df975025b43411c4 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Wed, 26 Aug 2020 16:57:20 +0200
Subject: [PATCH 07/13] Added [extra736] Check exposed KMS keys to group internet-exposed
---
 groups/group17_internetexposed | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/groups/group17_internetexposed b/groups/group17_internetexposed
index f2364b96..51bb5940 100644
--- a/groups/group17_internetexposed
+++ b/groups/group17_internetexposed
@@ -15,7 +15,7 @@
 GROUP_ID[17]='internet-exposed'
 GROUP_NUMBER[17]='17.0'
 GROUP_TITLE[17]='Find resources exposed to the internet - [internet-exposed] *******'
 GROUP_RUN_BY_DEFAULT[17]='N' # run it when execute_all is called
-GROUP_CHECKS[17]='check41,check42,extra72,extra73,extra74,extra76,extra77,extra78,extra79,extra710,extra711,extra716,extra723,extra727,extra731,extra738,extra745,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra770,extra771,extra778,extra779,extra787,extra788,extra798'
+GROUP_CHECKS[17]='check41,check42,extra72,extra73,extra74,extra76,extra77,extra78,extra79,extra710,extra711,extra716,extra723,extra727,extra731,extra736,extra738,extra745,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra770,extra771,extra778,extra779,extra787,extra788,extra798'
 # 4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored) [group4, cislevel1, cislevel2]
 # 4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored) [group4, cislevel1, cislevel2]
From 89db9d4b70c59da54bca5f097e983d102612c8d1 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Wed, 26 Aug 2020 18:40:11 +0200
Subject: [PATCH 08/13] Update check12
---
 checks/check12 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/checks/check12 b/checks/check12
index e2f9c12a..a5cbac6f 100644
--- a/checks/check12
+++ b/checks/check12
@@ -19,7 +19,7 @@ CHECK_ALTERNATE_check102="check12"
 check12(){
 # "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
 # List users with password enabled
-COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep -F ' true' | awk '{ print $1 }')
+COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep 'true$' | awk '{ print $1 }')
 COMMAND12=$(
 for i in $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED; do
 cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$8 }' |grep "^$i " |grep false | awk '{ print $1 }'
From 7868904c3b013028b3a4180a4cd4eadc40130f27 Mon Sep 17 00:00:00 2001
From: Joaquin Rinaudo
Date: Wed, 26 Aug 2020 23:59:02 +0200
Subject: [PATCH 09/13] Fix getops OPTARG for custom checks Custom checks in folder are not being sourced. `./prowler -c extra800 -x custom` results in empty EXTERNAL_CHECKS_PATH variables due to missing colon. The fix was tested in both OSX and toniblyx/prowler:latest Docker. Regards,
---
 prowler | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/prowler b/prowler
index 45d52f6a..3c87ab8d 100755
--- a/prowler
+++ b/prowler
@@ -96,7 +96,7 @@ USAGE:
 exit
 }
-while getopts ":hlLkqp:r:c:g:f:m:M:E:enbVsSxI:A:R:T:w:" OPTION; do
+while getopts ":hlLkqp:r:c:g:f:m:M:E:x:enbVsSI:A:R:T:w:" OPTION; do
 case $OPTION in
 h )
 usage
From 565edf7b4b79577d3b63ce787afdf5f8a560e58c Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Thu, 27 Aug 2020 16:21:56 +0200
Subject: [PATCH 10/13] Change check ID to extra7100 Change check ID to extra7100
---
 checks/check_extra798 | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/checks/check_extra798 b/checks/check_extra798
index c3f54f1c..d032b159 100644
--- a/checks/check_extra798
+++ b/checks/check_extra798
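Review bot: Moving `x` into the colon-suffixed part of the getopts string in prowler changes the CLI contract: `-x` now requires a value, so a bare `-x` that used to be accepted becomes a missing-argument error, and the usage() text above this hunk (plus any README example) should show `-x <dir>` in the same change; the usage block is outside the hunk, so I cannot confirm it already does. A short comment on the `while getopts` line would also spare the next reader from re-deriving the string, e.g. `# letters followed by ':' take an argument; -x expects the directory holding custom checks`. The `case $OPTION in` body continues outside the hunk.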
@@ -13,14 +13,14 @@
 # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
-CHECK_ID_extra798="7.98"
-CHECK_TITLE_extra798="[extra798] Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)"
-CHECK_SCORED_extra798="NOT_SCORED"
-CHECK_TYPE_extra798="EXTRA"
-CHECK_ASFF_RESOURCE_TYPE_extra798="AwsIamPolicy"
-CHECK_ALTERNATE_extra798="extra798"
+CHECK_ID_extra7100="7.100"
+CHECK_TITLE_extra7100="[extra7100] Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)"
+CHECK_SCORED_extra7100="NOT_SCORED"
+CHECK_TYPE_extra7100="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy"
+CHECK_ALTERNATE_check7100="extra7100"
-extra798(){
+extra7100(){
 # "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)"
 #
 # A permissive STS Role assumption policy is one where the Resource (ARN) is not explicitly defined
From 1d4563f60d663088f0101b57589383da15c8d446 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Thu, 27 Aug 2020 16:23:08 +0200
Subject: [PATCH 11/13] Added extra799 and extra7100 to group extras Added extra799 and extra7100 to group extras
---
 groups/group7_extras | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/groups/group7_extras b/groups/group7_extras
index 47863406..65766a9a 100644
--- a/groups/group7_extras
+++ b/groups/group7_extras
@@ -15,7 +15,7 @@
 GROUP_ID[7]='extras'
 GROUP_NUMBER[7]='7.0'
 GROUP_TITLE[7]='Extras - all non CIS specific checks - [extras] ****************'
 GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
-GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798'
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100'
 # Extras 759 and 760 (lambda variables and code secrets finder are not included)
 # to run detect-secrets use `./prowler -g secrets`
From 36a291c4a91ab757c5dae574f8763f1ebf5355c0 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Thu, 27 Aug 2020 16:30:20 +0200
Subject: [PATCH 12/13] Rename check_extra798 to check_extra7100
---
 checks/{check_extra798 => check_extra7100} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename checks/{check_extra798 => check_extra7100} (99%)
diff --git a/checks/check_extra798 b/checks/check_extra7100
similarity index 99%
rename from checks/check_extra798
rename to checks/check_extra7100
index c0444fc0..1b12481c 100644
--- a/checks/check_extra798
+++ b/checks/check_extra7100
@@ -73,4 +73,4 @@ extra7100(){
 else
 textPass "No custom policies found"
 fi
-}
\ No newline at end of file
+}
From 7f03ef0e7eb17e2c7ec53ef9f9e0aece7cec852d Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Thu, 27 Aug 2020 16:50:48 +0200
Subject: [PATCH 13/13] Adding back extra798
---
 checks/check_extra798 | 44 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 checks/check_extra798
diff --git a/checks/check_extra798 b/checks/check_extra798
new file mode 100644
index 00000000..74b05eaf
--- /dev/null
+++ b/checks/check_extra798
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra798="7.98"
+CHECK_TITLE_extra798="[extra798] Check if Lambda functions have resource-based policy set as Public"
+CHECK_SCORED_extra798="NOT_SCORED"
+CHECK_TYPE_extra798="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra798="AwsLambdaFunction"
+CHECK_ALTERNATE_check798="extra798"
+
+extra798(){
+ for regx in $REGIONS; do
+ LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --output text --query 'Functions[*].FunctionName')
+ if [[ $LIST_OF_FUNCTIONS ]]; then
+ for lambdafunction in $LIST_OF_FUNCTIONS; do
+ # get the policy per function
+ FUNCTION_POLICY=$($AWSCLI lambda get-policy $PROFILE_OPT --region $regx --function-name $lambdafunction --query Policy --output text 2>/dev/null)
+ if [[ $FUNCTION_POLICY ]]; then
+ FUNCTION_POLICY_ALLOW_ALL=$(echo $FUNCTION_POLICY \
+ | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")')
+ if [[ $FUNCTION_POLICY_ALLOW_ALL ]]; then
+ textFail "$regx: Lambda function $lambdafunction has a policy with public access" "$regx"
+ else
+ textPass "$regx: Lambda function $lambdafunction has a policy resource-based policy and is not public" "$regx"
+ fi
+ else
+ textPass "$regx: Lambda function $lambdafunction does not have resource-based policy" "$regx"
+ fi
+ done
+ else
+ textInfo "$regx: No Lambda functions found" "$regx"
+ fi
+ done
+}