ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added custom ports variable to extra779

Browse Source
This commit is contained in:
Toni de la Fuente
2020-04-01 16:52:52 +02:00
parent ba75d89911
commit 1ae5d5d725
2 changed files with 72 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
checks/check_extra716
View File

@@ -17,6 +17,28 @@ CHECK_TYPE_extra716="EXTRA"
CHECK_ALTERNATE_check716="extra716"
extra716(){
# if TEST_AUTHENTICATION has a value Prowler will try to access each ElasticSearch server to the public URI endpoint.
# That is from the host where Prowler is running and will try to read indices or get kibana status
TEST_ES_AUTHENTICATION=1
httpStatus(){
case $1 in
000) SERVER_RESPONSE="000 Not responding" ;;
200) SERVER_RESPONSE="200 Successful" ;;
400) SERVER_RESPONSE="400 Error: Bad Request" ;;
401) SERVER_RESPONSE="401 Error: Unauthorized" ;;
403) SERVER_RESPONSE="403 Error: Forbidden" ;;
404) SERVER_RESPONSE="404 Error: Not Found" ;;
407) SERVER_RESPONSE="407 Error: Proxy Authentication Required" ;;
408) SERVER_RESPONSE="408 Error: Request Timeout" ;;
500) SERVER_RESPONSE="500 Error: Internal Server Error" ;;
502) SERVER_RESPONSE="502 Error: Bad Gateway" ;;
503) SERVER_RESPONSE="503 Error: Service Unavailable" ;;
504) SERVER_RESPONSE="504 Error: Gateway Timeout" ;;
505) SERVER_RESPONSE="505 Error: HTTP Version Not Supported" ;;
*) SERVER_RESPONSE="HTTP: status not defined." ;;
esac
}
# "Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)"
for regx in $REGIONS; do
LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text)
@@ -27,7 +49,29 @@ extra716(){
# check if the policy has Principal as *
CHECK_ES_DOMAIN_ALLUSERS_POLICY=$(cat $TEMP_POLICY_FILE | jq -r '. | .Statement[] | select(.Effect == "Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and .Condition == null)')
if [[ $CHECK_ES_DOMAIN_ALLUSERS_POLICY ]];then
textFail "$regx: Amazon ES domain $domain policy allow Anonymous cross account access (Principal: \"*\")" "$regx"
if [[ $TEST_ES_AUTHENTICATION ]];then
# get endpoint or vpc endpoints
ES_DOMAIN_ENDPOINT=$($AWSCLI es describe-elasticsearch-domain --domain-name $domain $PROFILE_OPT --region $regx --query 'DomainStatus.[Endpoint || Endpoints]' --output text)
# check for Elasticsearch on port 443, rest API HTTP.
CHECH_ES_HTTPS=$(curl -m 2 -s -w "%{http_code}" -o /dev/null -X GET "https://$ES_DOMAIN_ENDPOINT/_cat/indices")
httpStatus $CHECH_ES_HTTPS
if [[ $CHECH_ES_HTTPS -eq "200" ]];then
textFail "$regx: Amazon ES domain $domain policy allow Anonymous cross account access (Principal: \"*\") and ES service endpoint $ES_DOMAIN_ENDPOINT responded $SERVER_RESPONSE" "$regx"
else
textInfo "$regx: Amazon ES domain $domain policy allow Anonymous cross account access (Principal: \"*\") but ES service endpoint $ES_DOMAIN_ENDPOINT responded $SERVER_RESPONSE" "$regx"
fi
# check for Kibana on port 443
CHECH_KIBANA_HTTPS=$(curl -m 2 -s -w "%{http_code}" -o /dev/null -X GET "https://$ES_DOMAIN_ENDPOINT/_plugin/kibana/api/status")
httpStatus $CHECH_KIBANA_HTTPS
if [[ $CHECH_KIBANA_HTTPS -eq "200" ]];then
textFail "$regx: Amazon ES domain $domain policy allow Anonymous cross account access (Principal: \"*\") and Kibana service endpoint $ES_DOMAIN_ENDPOINT responded $SERVER_RESPONSE" "$regx"
else
textInfo "$regx: Amazon ES domain $domain policy allow Anonymous cross account access (Principal: \"*\") but Kibana service endpoint $ES_DOMAIN_ENDPOINT responded $SERVER_RESPONSE" "$regx"
fi
else
textFail "$regx: Amazon ES domain $domain policy allow Anonymous cross account access (Principal: \"*\")" "$regx"
fi
else
textPass "$regx: Amazon ES domain $domain does not allow Anonymous cross account access" "$regx"
fi
@@ -37,4 +81,4 @@ extra716(){
textInfo "$regx: No Amazon ES domain found" "$regx"
fi
done
}
}

48
checks/check_extra779
View File

@@ -11,8 +11,8 @@
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra779="7.79"
CHECK_TITLE_extra779="[extra779] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana ports 9200/9300/5601"
CHECK_SCORED_extra779="NOT_SCORED"
CHECK_TITLE_extra779="[extra779] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana ports"
CHECK_SCORED_extra779="NOT_SCORED"
CHECK_TYPE_extra779="EXTRA"
CHECK_ALTERNATE_check779="extra779"
@@ -21,6 +21,10 @@ extra779(){
# 9200 API, 9300 Communcation and 5601 Kibana to figure out if authentication is enabled.
# That is from the host where Prowler is running and will try to read indices or get kibana status
TEST_ES_AUTHENTICATION=
ES_API_PORT="9200"
ES_DATA_PORT="9300"
ES_KIBANA_PORT="5601"
httpStatus(){
case $1 in
000) SERVER_RESPONSE="000 Not responding" ;;
@@ -41,9 +45,9 @@ extra779(){
}
for regx in $REGIONS; do
# crate a list of SG open to the world with port 9200 or 9300 or 5601
# crate a list of SG open to the world with port $ES_API_PORT or $ES_DATA_PORT or $ES_KIBANA_PORT
SG_LIST=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --output text \
--query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`9200` && ToPort>=`9200`) || (FromPort<=`9300` && ToPort>=`9300`) || (FromPort<=`5601` && ToPort>=`5601 `)) && (contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`))]) > `0`].{GroupId:GroupId}')
--query "SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=\`$ES_API_PORT\` && ToPort>=\`$ES_API_PORT\`) || (FromPort<=\`$ES_DATA_PORT\` && ToPort>=\`$ES_DATA_PORT\`) || (FromPort<=\`$ES_KIBANA_PORT\` && ToPort>=\`$ES_KIBANA_PORT\`)) && (contains(IpRanges[].CidrIp, \`0.0.0.0/0\`) || contains(Ipv6Ranges[].CidrIpv6, \`::/0\`))]) > \`0\`].{GroupId:GroupId}")
# in case of open security groups goes through each one
if [[ $SG_LIST ]];then
for sg in $SG_LIST;do
@@ -56,42 +60,42 @@ extra779(){
while read instance eip ; do
if [[ $TEST_ES_AUTHENTICATION ]];then
if [[ "$eip" != "None" ]];then
# check for Elasticsearch on port 9200, rest API HTTP.
CHECH_HTTP_9200=$(curl -m 2 -s -w "%{http_code}" -o /dev/null -X GET "http://$eip:9200/_cat/indices")
httpStatus $CHECH_HTTP_9200
if [[ $CHECH_HTTP_9200 -eq "200" ]];then
textFail "$regx: Found instance $instance with public IP $eip on Security Group: $sg with Elasticsearch port 9200 response $SERVER_RESPONSE" "$regx"
# check for Elasticsearch on port $ES_API_PORT, rest API HTTP.
CHECH_HTTP_ES_API=$(curl -m 2 -s -w "%{http_code}" -o /dev/null -X GET "http://$eip:$ES_API_PORT/_cat/indices")
httpStatus $CHECH_HTTP_ES_API
if [[ $CHECH_HTTP_ES_API -eq "200" ]];then
textFail "$regx: Found instance $instance with public IP $eip on Security Group: $sg with Elasticsearch port $ES_API_PORT response $SERVER_RESPONSE" "$regx"
else
textInfo "$regx: Found instance $instance with public IP $eip on Security Group: $sg with Elasticsearch port 9200 response $SERVER_RESPONSE" "$regx"
textInfo "$regx: Found instance $instance with public IP $eip on Security Group: $sg with Elasticsearch port $ES_API_PORT response $SERVER_RESPONSE" "$regx"
fi
# check for port 9300 TCP, this is the communication port, not:
# check for port $ES_DATA_PORT TCP, this is the communication port, not:
# test_tcp_connectivity is in include/os_detector
# syntax is 'test_tcp_connectivity $HOST $PORT $TIMEOUT' (in seconds)
CHECK_TCP_9300=$(test_tcp_connectivity $eip 9300 2)
CHECH_HTTP_ES_DATA=$(test_tcp_connectivity $eip $ES_DATA_PORT 2)
# Using HTTP error codes here as well to reuse httpStatus function
# codes for better handling, so 200 is open and 000 is not responding
httpStatus $CHECK_TCP_9300
if [[ $CHECK_TCP_9300 -eq "200" ]];then
textFail "$regx: Found instance $instance with public IP $eip on Security Group: $sg with Elasticsearch port 9300 response $SERVER_RESPONSE" "$regx"
httpStatus $CHECH_HTTP_ES_DATA
if [[ $CHECH_HTTP_ES_DATA -eq "200" ]];then
textFail "$regx: Found instance $instance with public IP $eip on Security Group: $sg with Elasticsearch port $ES_DATA_PORT response $SERVER_RESPONSE" "$regx"
else
textInfo "$regx: Found instance $instance with public IP $eip on Security Group: $sg with Elasticsearch port 9300 response $SERVER_RESPONSE" "$regx"
textInfo "$regx: Found instance $instance with public IP $eip on Security Group: $sg with Elasticsearch port $ES_DATA_PORT response $SERVER_RESPONSE" "$regx"
fi
# check for Kibana on port 5601
CHECH_HTTP_5601=$(curl -m 2 -s -w "%{http_code}" -o /dev/null -X GET "http://$eip:5601/api/status")
httpStatus $CHECH_HTTP_5601
# check for Kibana on port $ES_KIBANA_PORT
CHECH_HTTP_ES_KIBANA=$(curl -m 2 -s -w "%{http_code}" -o /dev/null -X GET "http://$eip:$ES_KIBANA_PORT/api/status")
httpStatus $CHECH_HTTP_ES_KIBANA
if [[ $CHECH_AUTH_5601 -eq "200" ]];then
textFail "$regx: Found instance $instance with public IP $eip on Security Group: $sg with Kibana response $SERVER_RESPONSE" "$regx"
textFail "$regx: Found instance $instance with public IP $eip on Security Group: $sg with Kibana on port $ES_KIBANA_PORT response $SERVER_RESPONSE" "$regx"
else
textInfo "$regx: Found instance $instance with public IP $eip on Security Group: $sg with Kibana response $SERVER_RESPONSE" "$regx"
textInfo "$regx: Found instance $instance with public IP $eip on Security Group: $sg with Kibana on port $ES_KIBANA_PORT response $SERVER_RESPONSE" "$regx"
fi
fi
else
if [[ "$eip" == "None" ]];then
textInfo "$regx: Found instance $instance with private IP on Security Group: $sg" "$regx"
else
textFail "$regx: Found instance $instance with public IP $eip on Security Group: $sg open to 0.0.0.0/0 on for Elasticsearch/Kibana ports" "$regx"
textFail "$regx: Found instance $instance with public IP $eip on Security Group: $sg open to 0.0.0.0/0 on for Elasticsearch/Kibana ports $ES_API_PORT/$ES_DATA_PORT/$ES_KIBANA_PORT" "$regx"
fi
fi
if [[ "$eip" == "None" ]];then