From 6600df9be9646232aecd40c98298095064b959fb Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Tue, 29 Jan 2019 06:09:37 +0000
Subject: [PATCH 1/6] extra741 finding keys in UserData
---
 checks/check_extra741 | 53 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 checks/check_extra741
diff --git a/checks/check_extra741 b/checks/check_extra741
new file mode 100644
index 00000000..f8e93085
--- /dev/null
+++ b/checks/check_extra741
@@ -0,0 +1,53 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +CHECK_ID_extra741="7.41" +CHECK_TITLE_extra741="[extra741] Find keys in EC2 UserData (Not Scored) (Not part of CIS benchmark)" +CHECK_SCORED_extra741="NOT_SCORED" +CHECK_TYPE_extra741="EXTRA" +CHECK_ALTERNATE_check741="extra741" + +extra741(){ + textInfo "Looking for keys in EC2 User Data all regions... (max 100 instances per region, use -m to increase it) " + for regx in $REGIONS; do + LIST_OF_EC2_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query Reservations[*].Instances[*].InstanceId --output text --max-items $MAXITEMS | grep -v None) + if [[ $LIST_OF_EC2_INSTANCES ]];then + for instance in $LIST_OF_EC2_INSTANCES; do + USERDATA_FILE=$instance-userdata.decoded + USERDATA=$($AWSCLI ec2 describe-instance-attribute --attribute userData --query UserData.Value $PROFILE_OPT --region $regx --instance-id $instance --output text | decode_report > $USERDATA_FILE) + if [ -s $USERDATA_FILE ];then + FILE_FORMAT_ASCII=$(file -b $USERDATA_FILE|grep ASCII) + if [[ $FILE_FORMAT_ASCII ]]; then + FINDINGS=$(grep '[A-Za-z0-9]\{20,40\}' $USERDATA_FILE|wc -l) + if [[ $FINDINGS -eq 0 ]]; then + textPass "$regx: $instance nothing found" "$regx" + else + textFail "$regx: $instance FOUND! 
$FINDINGS" "$regx" + fi + else + mv $USERDATA_FILE $USERDATA_FILE.gz ; gunzip $USERDATA_FILE.gz + FINDINGS=$(grep '[A-Za-z0-9]\{20,40\}' $USERDATA_FILE|wc -l) + if [[ $FINDINGS -eq 0 ]]; then + textPass "$regx: $instance nothing found" "$regx" + else + textFail "$regx: $instance FOUND! $FINDINGS" "$regx" + fi + fi + else + textPass "$regx: $instance nothing found" "$regx" + fi + done + else + textInfo "$regx: No EC2 instances found" "$regx" + fi + done +} From 170557a422f4bb0f0530087089447d5d4fbfde37 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Fri, 8 Feb 2019 16:39:05 +0000 Subject: [PATCH 2/6] New POC scoring and extra741 key finder userdata --- checks/check111 | 2 +- checks/check_extra741 | 14 ++++++++------ include/outputs | 3 +++ prowler | 11 +++++++++-- 4 files changed, 21 insertions(+), 9 deletions(-) diff --git a/checks/check111 b/checks/check111 index 0a123178..ea652b63 100644 --- a/checks/check111 +++ b/checks/check111 @@ -17,7 +17,7 @@ CHECK_ALTERNATE_check111="check111" check111(){ # "Ensure IAM password policy expires passwords within 90 days or less (Scored)" COMMAND111=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --query PasswordPolicy.MaxPasswordAge --output text 2> /dev/null) - if [[ $COMMAND111 ]];then + if [[ $COMMAND111 == [0-9]* ]];then if [[ "$COMMAND111" -le "90" ]];then textPass "Password Policy includes expiration (Value: $COMMAND111)" else diff --git a/checks/check_extra741 b/checks/check_extra741 index f8e93085..dbd66930 100644 --- a/checks/check_extra741 +++ b/checks/check_extra741 
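Review bot: The line `USERDATA=$($AWSCLI ec2 describe-instance-attribute ... | decode_report > $USERDATA_FILE)` in extra741 always assigns an empty string, because the substitution's output is redirected into the file, and it also throws away the exit status of the API call: an access-denied or other failure leaves an empty file, which the following `if [ -s $USERDATA_FILE ]` then reports through textPass as "nothing found". Drop the dead assignment and check the pipeline status (`PIPESTATUS[0]`, or `set -o pipefail` if the project uses it) so a failed read is reported with textInfo rather than counted as a pass. The decoded user data — which is exactly the material that may contain credentials — is written to the current working directory under the predictable name `$instance-userdata.decoded`; if the project has a temporary-directory convention (prowler calls `cleanTemp`), creating the file there via `mktemp` would keep it out of the user's cwd. The whole extra741 function is contained in this hunk.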
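Review bot: The new guard `if [[ $COMMAND111 == [0-9]* ]];then` in check111 should carry a comment, because the reason it replaces the non-empty test is not visible from the code: `--output text` prints the string `None` when MaxPasswordAge is not set, and the old guard let that string reach the `-le "90"` comparison. Suggested comment above the if: `# MaxPasswordAge prints as "None" when expiration is not configured; only a numeric value means a policy is in place`. Note that `2> /dev/null` on the preceding line also sends API errors to the same else branch, so that branch (outside this hunk) appears to report "not configured" and "could not read the policy" identically.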
@@ -26,20 +26,22 @@ extra741(){ USERDATA=$($AWSCLI ec2 describe-instance-attribute --attribute userData --query UserData.Value $PROFILE_OPT --region $regx --instance-id $instance --output text | decode_report > $USERDATA_FILE) if [ -s $USERDATA_FILE ];then FILE_FORMAT_ASCII=$(file -b $USERDATA_FILE|grep ASCII) + FINDINGS=$(grep '[A-Za-z0-9]\{20,40\}' $USERDATA_FILE|wc -l|tr -d '\ ') if [[ $FILE_FORMAT_ASCII ]]; then - FINDINGS=$(grep '[A-Za-z0-9]\{20,40\}' $USERDATA_FILE|wc -l) if [[ $FINDINGS -eq 0 ]]; then - textPass "$regx: $instance nothing found" "$regx" + textPass "$regx: Nothing found in $instance" "$regx" + # delete file if nothing interesting is there + rm -f $USERDATA_FILE else - textFail "$regx: $instance FOUND! $FINDINGS" "$regx" + textFail "$regx: Found $FINDINGS keys in $instance! Check file $USERDATA_FILE" "$regx" fi else mv $USERDATA_FILE $USERDATA_FILE.gz ; gunzip $USERDATA_FILE.gz - FINDINGS=$(grep '[A-Za-z0-9]\{20,40\}' $USERDATA_FILE|wc -l) if [[ $FINDINGS -eq 0 ]]; then - textPass "$regx: $instance nothing found" "$regx" + textPass "$regx: Nothing found in $instance" "$regx" + rm -f $USERDATA_FILE.gz else - textFail "$regx: $instance FOUND! $FINDINGS" "$regx" + textFail "$regx: Found $FINDINGS keys in $instance! Check file $USERDATA_FILE" "$regx" fi fi else diff --git a/include/outputs b/include/outputs index 14656f59..a343a4ae 100644 --- a/include/outputs +++ b/include/outputs @@ -13,6 +13,7 @@ # Output formatting functions textPass(){ + PASS_COUNTER=$((PASS_COUNTER+1)) if [[ "$MODE" == "csv" ]]; then if [[ $2 ]]; then REPREGION=$2 @@ -95,6 +96,7 @@ textInfo(){ } textFail(){ + FAIL_COUNTER=$((FAIL_COUNTER+1)) EXITCODE=3 if [[ "$MODE" == "csv" ]]; then if [[ $2 ]]; then @@ -137,6 +139,7 @@ textFail(){ } textTitle(){ + CHECKS_COUNTER=$((CHECKS_COUNTER+1)) TITLE_ID=$1 if [[ $NUMERAL ]]; then TITLE_ID=$(echo $TITLE_ID | cut -d, -f2) diff --git a/prowler b/prowler index b0c7556a..323ee927 100755 --- a/prowler +++ b/prowler 
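Review bot: FINDINGS is now computed once, before the `if [[ $FILE_FORMAT_ASCII ]]` branch, so in the else branch it is counted on the still-compressed file that the subsequent `mv`/`gunzip` only then unpacks; for gzip-encoded user data the reported count therefore comes from binary data, not from the script it contains. Compute it after the file is plain text: keep the grep line in the ASCII branch and repeat it directly after `gunzip $USERDATA_FILE.gz`, i.e. `FINDINGS=$(grep '[A-Za-z0-9]\{20,40\}' $USERDATA_FILE|wc -l|tr -d '\ ')`. In the same else branch the pass-side cleanup `rm -f $USERDATA_FILE.gz` removes nothing, because gunzip has already replaced the .gz with `$USERDATA_FILE`, so the decoded user data stays on disk even when nothing was found; it should be `rm -f $USERDATA_FILE`. The message `Found $FINDINGS keys` also overstates what the regex establishes — it counts lines containing a 20–40 character alphanumeric run — so wording such as `Found $FINDINGS candidate key strings in $instance` would be more accurate.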
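Review bot: The counters added in textPass, textFail and textTitle (`PASS_COUNTER`, `FAIL_COUNTER`, `CHECKS_COUNTER`) are incremented without being initialised anywhere, so the first increment relies on bash treating an unset name as 0 inside `$(( ))`; that works in plain mode but, depending on the bash version, fails with an unbound-variable error if the script is ever run with `set -u`, and include/scoring then has to re-default two of them before use. Initialise all three once where the other defaults live, e.g. `PASS_COUNTER=0`, `FAIL_COUNTER=0`, `CHECKS_COUNTER=0`, and drop the re-defaulting. Since textPass and textFail are called once per reported resource rather than once per check, a comment next to the increments such as `# counts reported resources, not checks` would keep the two from being confused in the summary. The bodies of the three functions continue outside these hunks.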
@@ -32,7 +32,7 @@ OPTRED="" OPTNORMAL="" # Set the defaults variables -PROWLER_VERSION=2.0 +PROWLER_VERSION=2.0.1-devel PROWLER_DIR=$(dirname "$0") REGION="" @@ -73,12 +73,13 @@ USAGE: -E execute all tests except a list of specified checks separated by comma (i.e. check21,check31) -b do not print Prowler banner -V show version number & exit + -s show scoring report -h this help " exit } -while getopts ":hlLkp:r:c:g:f:m:M:E:enbV" OPTION; do +while getopts ":hlLkp:r:c:g:f:m:M:E:enbVs" OPTION; do case $OPTION in h ) usage @@ -132,6 +133,9 @@ while getopts ":hlLkp:r:c:g:f:m:M:E:enbV" OPTION; do EXITCODE=0 exit $EXITCODE ;; + s ) + SCORING=1 + ;; : ) echo "" echo "$OPTRED ERROR!$OPTNORMAL -$OPTARG requires an argument" @@ -158,6 +162,7 @@ done . $PROWLER_DIR/include/banner . $PROWLER_DIR/include/whoami . $PROWLER_DIR/include/credentials_report +. $PROWLER_DIR/include/scoring # Get a list of all available AWS Regions REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' \ @@ -369,6 +374,7 @@ if [[ $GROUP_ID_READ ]];then fi execute_group_by_id $GROUP_ID_READ cleanTemp + scoring exit $EXITCODE else textFail "Use a valid check group ID i.e.: group1, extras, forensics-ready, etc." @@ -378,5 +384,6 @@ if [[ $GROUP_ID_READ ]];then fi execute_all +scoring cleanTemp exit $EXITCODE From 11c7d552034e7143988d2838930e6898e562a048 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Fri, 8 Feb 2019 16:39:57 +0000 Subject: [PATCH 3/6] New POC scoring and extra741 key finder userdata --- include/scoring | 53 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 include/scoring diff --git a/include/scoring b/include/scoring new file mode 100644 index 00000000..a46b4d77 --- /dev/null +++ b/include/scoring 
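Review bot: The two new `scoring` calls are placed inconsistently — in the group branch it runs after `cleanTemp`, in the execute_all path before it — so the report is produced under different conditions on the two paths; pick one order (before `cleanTemp`, as on the default path) for both. If other exit paths exist outside these hunks (a single check run via `-c`, for instance), they will not print the report at all, which is worth covering or stating in the usage text for `-s`. `SCORING` is set only by `-s`; adding `SCORING=0` to the defaults block next to `PROWLER_VERSION` would make the flag's default explicit instead of relying on the variable being unset.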
@@ -0,0 +1,53 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. + +# Scoring POC +scoring(){ + if [[ $SCORING == "1" ]]; then + if [[ ! $PASS_COUNTER ]]; then + PASS_COUNTER=0 + fi + if [[ ! $FAIL_COUNTER ]]; then + FAIL_COUNTER=0 + fi + + # TOTAL_RESOURCES=$(awk "BEGIN {print $FAIL_COUNTER+$PASS_COUNTER; exit}") + TOTAL_RESOURCES=$(($FAIL_COUNTER + $PASS_COUNTER)) + # Score is % of passed compared to failures. 
The higher score, the better + PROWLER_SCORE=$(( $PASS_COUNTER * 100 / $TOTAL_RESOURCES )) + + echo -e "$BLUE------------------------------------------------------------------ $NORMAL" + echo -e "$CYAN _" + echo -e " _ __ _ __ _____ _| | ___ _ __" + echo -e " | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|" + echo -e " | |_) | | | (_) \ V V /| | __/ |" + echo -e " | .__/|_| \___/ \_/\_/ |_|\___|_|v$PROWLER_VERSION" + echo -e " |_|$NORMAL$BLUE the handy cloud security tool$NORMAL\n" + echo -e "$YELLOW Date: $(date)" + echo -e "\n$BLUE------------------------------------------------------------------ $NORMAL" + echo -e " Security Assessment Summary Report for AWS Account: $ACCOUNT_NUM $NORMAL" + echo -e "$BLUE------------------------------------------------------------------ $NORMAL" + echo -e " Your Prowler Score* is = $PROWLER_SCORE $NORMAL " + echo -e "$BLUE------------------------------------------------------------------ $NORMAL" + echo -e "$BAD FAIL$NORMAL =$BAD $FAIL_COUNTER $NORMAL" + echo -e "$BLUE------------------------------------------------------------------ $NORMAL" + echo -e "$OK PASS$NORMAL =$OK $PASS_COUNTER $NORMAL" + echo -e "$BLUE------------------------------------------------------------------ $NORMAL" + echo -e " Total Resources Reviewed =$NOTICE $TOTAL_RESOURCES $NORMAL" + echo -e "$BLUE------------------------------------------------------------------ $NORMAL" + echo -e " Checks Performed =$NOTICE $CHECKS_COUNTER $NORMAL" + echo -e "$BLUE------------------------------------------------------------------ $NORMAL" + echo -e " * the highest the better (0 to 100)$NORMAL" + echo -e " Prowler scoring uses any check, including CIS not scored checks$NORMAL" + fi +} From 9bf3fd87acf1c9bd837193ab893466d36d6b667a Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Fri, 8 Feb 2019 16:47:12 +0000 Subject: [PATCH 4/6] New POC scoring and extra741 key finder userdata --- README.md | 2 ++ 1 file changed, 2 insertions(+) 
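Review bot: `PROWLER_SCORE=$(( $PASS_COUNTER * 100 / $TOTAL_RESOURCES ))` divides by zero whenever no textPass or textFail was emitted — a run in which every check only produced textInfo, for example — and bash then reports a division-by-0 error and leaves PROWLER_SCORE unset, so the score line prints blank (or the script exits if `-e` is in effect). Guard it, e.g. `PROWLER_SCORE=$(( TOTAL_RESOURCES > 0 ? PASS_COUNTER * 100 / TOTAL_RESOURCES : 0 ))`. `CHECKS_COUNTER` is printed but not defaulted like the other two counters, so "Checks Performed" is empty when no textTitle call happened; add `if [[ ! $CHECKS_COUNTER ]]; then CHECKS_COUNTER=0; fi` alongside the existing defaults. A one-line header comment stating that the score is the integer percentage of PASS results over PASS+FAIL results across all emitted findings (per resource, not per check) would make the `* the highest the better` footnote verifiable.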
diff --git a/README.md b/README.md index c0753e11..a2c0c7c4 100644 --- a/README.md +++ b/README.md @@ -199,6 +199,8 @@ This script has been written in bash using AWS-CLI and it works in Linux and OSX -e exclude group extras -E execute all tests except a list of specified checks separated by comma (i.e. check21,check31) -b do not print Prowler banner + -V show version number & exit + -s show scoring report -h this help ``` From be4bbe443046bf47469783bd30fa2822b6b14b35 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Fri, 8 Feb 2019 16:47:51 +0000 Subject: [PATCH 5/6] New POC scoring and extra741 key finder userdata --- groups/group7_extras | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/groups/group7_extras b/groups/group7_extras index 1cb17917..b84b7e2b 100644 --- a/groups/group7_extras +++ b/groups/group7_extras @@ -15,4 +15,4 @@ GROUP_ID[7]='extras' GROUP_NUMBER[7]='7.0' GROUP_TITLE[7]='Extras - [extras] **********************************************' GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called -GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740' +GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741' From 069b54057b459347303573cb4924d014822b7931 Mon Sep 17 00:00:00 2001 
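Review bot: GROUP_CHECKS[7] now registers 41 extras (extra71 through extra741), while the README paragraph shown as context in patch 6 still advertises "Extras (39 checks)"; the count appears to have been stale before this series and is worth correcting in the same change that adds extra741.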
From: Toni de la Fuente Date: Mon, 11 Feb 2019 09:08:05 -0500 Subject: [PATCH 6/6] Fixed typo in hipaa --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a2c0c7c4..86302955 100644 --- a/README.md +++ b/README.md @@ -39,7 +39,7 @@ It covers hardening and security best practices for all AWS regions related to t - Extras (39 checks) *see Extras section* [extras] - Forensics related group of checks [forensics-ready] - GDPR [gdpr] Read more [here](#gdpr-checks) -- HIPPA [hippa] Read more [here](#hipaa-checks) +- HIPAA [hipaa] Read more [here](#hipaa-checks) For a comprehensive list and resolution look at the guide on the link above.