From 58fdd454247223a59e037828ca2f65c2dd6a779a Mon Sep 17 00:00:00 2001
From: Martin Kemp
Date: Wed, 10 Jul 2019 12:46:51 +0100
Subject: [PATCH 1/3] Ability to exclude check from group run
Fixes #351
---
 prowler | 62 ++++++++++++++++++++++++++++++++++++++---------------------
 1 file changed, 39 insertions(+), 23 deletions(-)
diff --git a/prowler b/prowler
index c74f2db8..89c7d333 100755
--- a/prowler
+++ b/prowler
@@ -241,11 +241,26 @@ execute_check() {
 # Function to execute all checks in a group
 execute_group() {
- show_group_title $1
- # run the checks in the group
+ show_group_title $1
+ # run the checks in the group
 IFS=',' read -ra CHECKS <<< ${GROUP_CHECKS[$1]}
+
+ # Exclude any checks specified
+ if [[ -n ${2} ]]; then
+ EXCLUDED_CHECKS=()
+ NEW_CHECKS=()
+ IFS=',' read -ra EXCLUDED_CHECKS <<< "${2},"
+ for exc in ${EXCLUDED_CHECKS[@]} ; do
+ for i in ${CHECKS[@]} ; do
+ [[ ${i} != ${exc} ]] && NEW_CHECKS+=(${i})
+ done
+ done
+ CHECKS=("${NEW_CHECKS[@]}")
+ unset NEW_CHECKS
+ unset EXCLUDED_CHECKS
+ fi
 for i in ${CHECKS[@]}; do
- execute_check $i
+ execute_check ${i}
 done
 }
@@ -257,7 +272,7 @@ execute_group_by_id() {
 fi
 for i in "${!GROUP_ID[@]}"; do
 if [ "${GROUP_ID[$i]}" == "$1" ]; then
- execute_group $i
+ execute_group ${i} $2
 fi
 done
 }
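Review bot: The exclusion loop added to execute_group drops nothing and duplicates checks as soon as more than one ID is passed: the outer `for exc` loop re-walks all of CHECKS for every excluded ID and appends each check that differs from that single ID, so with `-E check42,check43` check42 survives the check43 pass (and vice versa) and every other check is appended once per excluded ID and executed that many times. The README example added in patch 3 of this series is exactly this multi-ID case. Filter in one pass over CHECKS, testing each check against the whole comma-separated exclusion list, as below; this also makes the EXCLUDED_CHECKS array unnecessary. Separately, the unquoted `${exc}` on the right of `!=` inside `[[ ]]` is interpreted as a glob pattern, so an argument like `-E 'check4*'` would silently match several checks; the rewrite keeps the check ID quoted so the comparison is literal.
```shell
    # Exclude any checks specified
    if [[ -n ${2} ]]; then
        NEW_CHECKS=()
        for i in "${CHECKS[@]}"; do
            # Keep the check unless it appears in the comma-separated exclusion list
            [[ ",${2}," == *",${i},"* ]] || NEW_CHECKS+=("${i}")
        done
        CHECKS=("${NEW_CHECKS[@]}")
        unset NEW_CHECKS
    fi
    # … unchanged: loop calling execute_check …
```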
@@ -350,14 +365,31 @@ fi
 # Gather account data / test aws cli connectivity
 getWhoami
+# Execute group of checks if called with -g
+if [[ $GROUP_ID_READ ]];then
+ if [[ " ${GROUP_ID[@]} " =~ " ${GROUP_ID_READ} " ]]; then
+ if [[ $MODE == "csv" ]]; then
+ BANNER=0
+ fi
+ execute_group_by_id ${GROUP_ID_READ} ${EXCLUDE_CHECK_ID}
+ cleanTemp
+ scoring
+ exit $EXITCODE
+ else
+ textFail "Use a valid check group ID i.e.: group1, extras, forensics-ready, etc."
+ show_all_group_titles
+ exit $EXITCODE
+ fi
+fi
+
 # Get a list of total checks excluding a list provided by the user and overwrite CHECK_ID with the result
 # if the list provided by the user contains an invalid check, this will be discarded.
 # if the list provided by the user contains just one argument and is invalid, then it will be discarded and all tests will be executed
-if [[ $EXCLUDE_CHECK_ID ]];then
- get_all_checks_without_exclusion $EXCLUDE_CHECK_ID
+if [[ ${EXCLUDE_CHECK_ID} ]];then
+ get_all_checks_without_exclusion ${EXCLUDE_CHECK_ID}
 function join { local IFS="$1"; shift; echo "$*"; }
 CHECKS_EXCLUDED=$(join , "${CHECKS_EXCLUDED[@]}")
- CHECK_ID=$CHECKS_EXCLUDED
+ CHECK_ID=${CHECKS_EXCLUDED}
 fi
 # Execute single check if called with -c
@@ -370,22 +402,6 @@ if [[ $CHECK_ID ]];then
 exit $EXITCODE
 fi
-# Execute group of checks if called with -g
-if [[ $GROUP_ID_READ ]];then
- if [[ " ${GROUP_ID[@]} " =~ " ${GROUP_ID_READ} " ]]; then
- if [[ $MODE == "csv" ]]; then
- BANNER=0
- fi
- execute_group_by_id $GROUP_ID_READ
- cleanTemp
- scoring
- exit $EXITCODE
- else
- textFail "Use a valid check group ID i.e.: group1, extras, forensics-ready, etc."
- show_all_group_titles
- exit $EXITCODE
- fi
-fi
 execute_all
 scoring
From a430ad421b98a375d742e17db777c848859dec02 Mon Sep 17 00:00:00 2001
From: Martin Kemp
Date: Wed, 10 Jul 2019 12:57:32 +0100
Subject: [PATCH 2/3] Tabs to 4 spaces
---
 prowler | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
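Review bot: On the `-g` path the raw `EXCLUDE_CHECK_ID` is handed straight to `execute_group_by_id ${GROUP_ID_READ} ${EXCLUDE_CHECK_ID}` with no validation, whereas the `-E`-only path a few lines below runs it through `get_all_checks_without_exclusion`, which per its comment discards invalid IDs. A typo such as `-E check4_2` therefore silently excludes nothing and the whole group runs, and nothing in the output tells the operator that the exclusion they asked for was ignored. Before the call, check each excluded ID against the selected group's check list, reusing the membership idiom already used for the group ID on the line above (`[[ " ${GROUP_ID[@]} " =~ " ${GROUP_ID_READ} " ]]`), and report any unknown ID with `textFail` or the script's equivalent warning helper rather than dropping it. Quoting both arguments, `execute_group_by_id "${GROUP_ID_READ}" "${EXCLUDE_CHECK_ID}"`, would also keep a value containing whitespace from being split into extra positional parameters.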
diff --git a/prowler b/prowler
index 89c7d333..c63a698e 100755
--- a/prowler
+++ b/prowler
@@ -243,13 +243,13 @@ execute_check() {
 execute_group() {
 show_group_title $1
 # run the checks in the group
- IFS=',' read -ra CHECKS <<< ${GROUP_CHECKS[$1]}
+ IFS=',' read -ra CHECKS <<< ${GROUP_CHECKS[$1]}
- # Exclude any checks specified
- if [[ -n ${2} ]]; then
+ # Exclude any checks specified
+ if [[ -n ${2} ]]; then
 EXCLUDED_CHECKS=()
 NEW_CHECKS=()
- IFS=',' read -ra EXCLUDED_CHECKS <<< "${2},"
+ IFS=',' read -ra EXCLUDED_CHECKS <<< "${2},"
 for exc in ${EXCLUDED_CHECKS[@]} ; do
 for i in ${CHECKS[@]} ; do
 [[ ${i} != ${exc} ]] && NEW_CHECKS+=(${i})
@@ -258,10 +258,10 @@ execute_group() {
 CHECKS=("${NEW_CHECKS[@]}")
 unset NEW_CHECKS
 unset EXCLUDED_CHECKS
- fi
- for i in ${CHECKS[@]}; do
+ fi
+ for i in ${CHECKS[@]}; do
 execute_check ${i}
- done
+ done
 }
 # Function to execute group by name
From e5e5e84112e549bf6a14865c2a349f35fc0e7338 Mon Sep 17 00:00:00 2001
From: Martin Kemp
Date: Wed, 10 Jul 2019 13:15:10 +0100
Subject: [PATCH 3/3] Add documentation for excluding group checks
---
 README.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/README.md b/README.md
index 6e08cf35..bdae4ff3 100644
--- a/README.md
+++ b/README.md
@@ -125,6 +125,10 @@ This script has been written in bash using AWS-CLI and it works in Linux and OSX
 ```sh
 ./prowler -g group1 # for iam related checks
 ```
+ or exclude some checks in the group:
+ ```sh
+ ./prowler -g group4 -E check42,check43
+ ```
 Valid check numbers are based on the AWS CIS Benchmark guide, so 1.1 is check11 and 3.10 is check310