diff --git a/checks/check_extra733 b/checks/check_extra733
index 12665cb3..656b51d1 100644
--- a/checks/check_extra733
+++ b/checks/check_extra733
@@ -25,6 +25,6 @@ extra733(){
 textInfo "SAML Provider $PROVIDER_NAME has been found"
 done
 else
- textFail "No SAML Provider found, add one and use STS"
+ textInfo "No SAML Provider found, add one and use STS"
 fi
 }
diff --git a/checks/check_extra741 b/checks/check_extra741
index fc48a852..f689bc18 100644
--- a/checks/check_extra741
+++ b/checks/check_extra741
@@ -31,7 +31,7 @@ extra741(){
 # This finds ftp or http URLs with credentials and common keywords
 FINDINGS=$(egrep -i '[[:alpha:]]*://[[:alnum:]]*:[[:alnum:]]*@.*/|key|secret|token|pass' $USERDATA_FILE |wc -l|tr -d '\ ')
 if [[ $FILE_FORMAT_ASCII ]]; then
- if [[ $FINDINGS -eq 0 ]]; then
+ if [[ $FINDINGS -eq "0" ]]; then
 textPass "$regx: No keys found in $instance" "$regx"
 # delete file if nothing interesting is there
 rm -f $USERDATA_FILE
diff --git a/checks/check_extra742 b/checks/check_extra742
new file mode 100644
index 00000000..43420f08
--- /dev/null
+++ b/checks/check_extra742
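Review bot: Quoting the literal in `if [[ $FINDINGS -eq "0" ]]; then` changes nothing: inside `[[ ]]` the operands of `-eq` are evaluated arithmetically and an empty `$FINDINGS` already compares equal to 0, so this hunk does not add the guard it appears to. If the intent is to be robust when the grep pipeline fails (for example because `$USERDATA_FILE` is missing or contains spaces), quote the path and default the count instead: `FINDINGS=$(grep -Ei '[[:alpha:]]*://[[:alnum:]]*:[[:alnum:]]*@.*/|key|secret|token|pass' "$USERDATA_FILE" | wc -l | tr -d '\ ')` followed by `FINDINGS=${FINDINGS:-0}`. `egrep` is deprecated in favour of `grep -E`. extra741's body starts and ends outside this hunk.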
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra742="7.42"
+CHECK_TITLE_extra742="[extra742] Find keys in CloudFormation outputs (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra742="NOT_SCORED"
+CHECK_TYPE_extra742="EXTRA"
+CHECK_ALTERNATE_check742="extra742"
+
+extra742(){
+ textInfo "Looking for keys in CloudFormation output across all regions... "
+ for regx in $REGIONS; do
+ LIST_OF_CFN_STACKS=$($AWSCLI cloudformation describe-stacks $PROFILE_OPT --region $regx --query Stacks[*].[StackName] --output text)
+ if [[ $LIST_OF_CFN_STACKS ]];then
+ for stack in $LIST_OF_CFN_STACKS; do
+ OUTPUTS_FILE=$stack-$regx-output.txt
+ OUTPUTS=$($AWSCLI $PROFILE_OPT --region $regx cloudformation describe-stacks --query "Stacks[?StackName==\`$stack\`].Outputs[*].[OutputKey,OutputValue]" --output text > $OUTPUTS_FILE)
+ if [ -s $OUTPUTS ];then
+ #FINDINGS=$(grep '[A-Za-z0-9]\{20,40\}' $USERDATA_FILE | grep -i -e key -e secret -e token -e pass - |wc -l|tr -d '\ ')
+ #FINDINGS=$(grep -i -e key -e secret -e token -e pass $USERDATA_FILE |wc -l|tr -d '\ ')
+ # This finds ftp or http URLs with credentials and common keywords
+ FINDINGS=$(egrep -i '[[:alpha:]]*://[[:alnum:]]*:[[:alnum:]]*@.*/|key|secret|token|pass' $OUTPUTS_FILE |wc -l|tr -d '\ ')
+ if [[ $FINDINGS -eq "0" ]]; then
+ textPass "$regx: No keys found in Stack $stack" "$regx"
+ # delete file if nothing interesting is there
+ rm -f $OUTPUTS_FILE
+ else
+ textFail "$regx: Found $FINDINGS keys in $stack! Check file $OUTPUTS_FILE" "$regx"
+ fi
+ else
+ textPass "$regx: Stack $stack has not Outputs" "$regx"
+ fi
+ done
+ else
+ textInfo "$regx: No CloudFormation stacks found" "$regx"
+ fi
+ done
+}
diff --git a/groups/group10_hipaa b/groups/group10_hipaa
index 92ce974e..9319e7e3 100644
--- a/groups/group10_hipaa
+++ b/groups/group10_hipaa
@@ -15,7 +15,7 @@ GROUP_ID[10]='hipaa'
 GROUP_NUMBER[10]='10.0'
 GROUP_TITLE[10]='HIPAA Compliance - ONLY AS REFERENCE - [hipaa] ****************'
 GROUP_RUN_BY_DEFAULT[10]='N' # run it when execute_all is called
-GROUP_CHECKS[10]='check12,check113,check23,check26,check27,check29,extra718,extra725,extra72,extra75,extra739,extra729,extra734,check38,extra73,extra740,extra735'
+GROUP_CHECKS[10]='check12,check113,check23,check26,check27,check29,extra718,extra725,extra72,extra75,extra717,extra729,extra734,check38,extra73,extra740,extra735'
 # Resources:
 # https://d0.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf
diff --git a/groups/group11_keys b/groups/group11_keys
new file mode 100644
index 00000000..af1b348a
--- /dev/null
+++ b/groups/group11_keys
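Review bot: `OUTPUTS=$($AWSCLI ... --output text > $OUTPUTS_FILE)` redirects the command's stdout into the file inside the substitution, so `$OUTPUTS` is always empty and the following `if [ -s $OUTPUTS ];then` collapses to `[ -s ]`, which is true as a one-argument string test; the `has not Outputs` branch is therefore unreachable, and a stack with no outputs is reported as `No keys found in Stack` after an empty file is written and deleted. Drop the substitution and test the file: `$AWSCLI $PROFILE_OPT --region "$regx" cloudformation describe-stacks --query "Stacks[?StackName==\`$stack\`].Outputs[*].[OutputKey,OutputValue]" --output text > "$OUTPUTS_FILE"` followed by `if [ -s "$OUTPUTS_FILE" ]; then`. The two commented-out `FINDINGS=` lines still reference `$USERDATA_FILE` from check_extra741 and can be removed. Note also that when findings are reported, the outputs file — which by construction holds the values the check flagged as credentials — is left in the current directory under a predictable name with the default umask, mirroring check_extra741; consider writing it under a mode-0700 directory or documenting that it must be cleaned up after review.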
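Review bot: extra739 disappears from GROUP_CHECKS[10] here (replaced by extra717) and from GROUP_CHECKS[7], [8] and [9] in the group7_extras, group8_forensics and group9_gdpr hunks, but no `checks/check_extra739` deletion is part of this diff; if that file still exists it is now unreachable from every group, and if it was removed, the check file should travel in the same commit so groups/ and checks/ stay consistent. Worth confirming against the checks/ directory, which is outside this diff.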
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+GROUP_ID[11]='keys'
+GROUP_NUMBER[11]='11.0'
+GROUP_TITLE[11]='Look for keys secrets or passwords around resources - [keys] ****************'
+GROUP_RUN_BY_DEFAULT[11]='N' # run it when execute_all is called
+GROUP_CHECKS[11]='extra741,extra742'
+
+# Initially:
+# - EC2 UserData
+# - CloudFormation Outputs
diff --git a/groups/group7_extras b/groups/group7_extras
index b84b7e2b..cc2e46b3 100644
--- a/groups/group7_extras
+++ b/groups/group7_extras
@@ -15,4 +15,4 @@ GROUP_ID[7]='extras'
 GROUP_NUMBER[7]='7.0'
 GROUP_TITLE[7]='Extras - [extras] **********************************************'
 GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
-GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741'
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra740,extra741'
diff --git a/groups/group8_forensics b/groups/group8_forensics
index f6f3265b..58508568 100644
--- a/groups/group8_forensics
+++ b/groups/group8_forensics
@@ -15,4 +15,4 @@ GROUP_ID[8]='forensics-ready'
 GROUP_NUMBER[8]='8.0'
 GROUP_TITLE[8]='Forensics Readiness - [forensics-ready] ************************'
 GROUP_RUN_BY_DEFAULT[8]='N' # run it when execute_all is called
-GROUP_CHECKS[8]='check21,check22,check23,check24,check25,check26,check27,check29,extra712,extra713,extra714,extra715,extra717,extra718,extra719,extra720,extra721,extra722,extra725,extra739'
+GROUP_CHECKS[8]='check21,check22,check23,check24,check25,check26,check27,check29,extra712,extra713,extra714,extra715,extra717,extra718,extra719,extra720,extra721,extra722,extra725'
diff --git a/groups/group9_gdpr b/groups/group9_gdpr
index 19698d6d..7df4c6ec 100644
--- a/groups/group9_gdpr
+++ b/groups/group9_gdpr
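Review bot: The new check extra742 is not appended to GROUP_CHECKS[7] although its sibling extra741 stays listed there, so extra742 is reachable only through the new `keys` group, whose GROUP_RUN_BY_DEFAULT[11]='N' (its own comment says that flag governs execute_all), while extra741 still runs by default from group7. If gating the key-hunting checks behind the opt-in group is the intent, extra741 should probably leave group7 as well; otherwise append `,extra742` to the new GROUP_CHECKS[7] line. How GROUP_RUN_BY_DEFAULT is honoured by the main script is not visible here.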
@@ -15,7 +15,7 @@ GROUP_ID[9]='gdpr'
 GROUP_NUMBER[9]='9.0'
 GROUP_TITLE[9]='GDPR Readiness - ONLY AS REFERENCE - [gdpr] ********************'
 GROUP_RUN_BY_DEFAULT[9]='N' # run it when execute_all is called
-GROUP_CHECKS[9]='extra718,extra725,extra727,check12,check113,check114,extra71,extra731,extra732,extra733,check25,check39,check21,check22,check23,check24,check26,check27,check35,extra726,extra714,extra715,extra717,extra719,extra720,extra721,extra722,check43,check25,extra714,extra729,extra734,extra735,extra736,extra738,extra739,extra740'
+GROUP_CHECKS[9]='extra718,extra725,extra727,check12,check113,check114,extra71,extra731,extra732,extra733,check25,check39,check21,check22,check23,check24,check26,check27,check35,extra726,extra714,extra715,extra717,extra719,extra720,extra721,extra722,check43,check25,extra714,extra729,extra734,extra735,extra736,extra738,extra740'
 # Resources:
 # https://d1.awsstatic.com/whitepapers/compliance/GDPR_Compliance_on_AWS.pdf
diff --git a/include/os_detector b/include/os_detector
index 1cbb368d..ea37d106 100644
--- a/include/os_detector
+++ b/include/os_detector
@@ -13,7 +13,7 @@
 # Functions to manage dates depending on OS
-if [ "$OSTYPE" == "linux-gnu" ] || [ "$OSTYPE" == "linux-musl" ]; then
+if [ "$OSTYPE" == "linux-gnu" ] || [ "$OSTYPE" == "linux-musl" ] || ["$OSTYPE" == "freebsd" ]; then
 TEMP_REPORT_FILE=$(mktemp -t -p /tmp prowler.cred_report-XXXXXX)
 # function to compare in days, usage how_older_from_today date
 # date format %Y-%m-%d
diff --git a/util/Dockerfile b/util/Dockerfile
index 8b918078..2af2f3d5 100644
--- a/util/Dockerfile
+++ b/util/Dockerfile
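Review bot: The rewritten GROUP_CHECKS[9] still lists `check25` twice and `extra714` twice (both duplicates were already on the removed line), so those checks will presumably execute twice whenever the gdpr group runs, doubling their API calls and output lines; since the line is being touched anyway, drop the second `check25` and the second `extra714`. Whether the runner dedupes the list before iterating is not visible in this diff.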
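Review bot: `["$OSTYPE" == "freebsd" ]` is missing the space after `[`, so the shell tries to run a command literally named `[` followed by the expansion of OSTYPE instead of `test`; the new branch can never match, and on non-Linux hosts the `||` chain now ends in a command-not-found error rather than a clean false. Bash typically reports OSTYPE with a version suffix on FreeBSD (for example `freebsd12.0`), so an exact comparison would fail even with the space; a pattern match covers it: `if [[ "$OSTYPE" == "linux-gnu" || "$OSTYPE" == "linux-musl" || "$OSTYPE" == freebsd* ]]; then`. The context line `mktemp -t -p /tmp prowler.cred_report-XXXXXX` uses GNU-style options that BSD mktemp may not accept, which is worth checking before the file claims FreeBSD support. The if/else structure this line opens continues outside the hunk.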
@@ -1,4 +1,15 @@
-FROM python
-MAINTAINER Steve Neuharth
-RUN apt-get update && apt-get upgrade -y && pip install awscli ansi2html
-ADD prowler* /usr/local/bin/
+FROM alpine:3.9
+
+ARG USERNAME=prowler
+ARG USERID=34000
+
+RUN addgroup -g ${USERID} ${USERNAME} && \
+ adduser -s /bin/sh -G ${USERNAME} -D -u ${USERID} ${USERNAME} && \
+ apk --update --no-cache add python3 bash curl git jq && \
+ pip3 install --upgrade pip && \
+ pip install awscli ansi2html boto3 &&\
+ git clone https://github.com/toniblyx/prowler/
+
+USER ${USERNAME}
+
+ENTRYPOINT ["/prowler/prowler"]
\ No newline at end of file
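Review bot: `git clone https://github.com/toniblyx/prowler/` at build time fetches whatever the default branch holds when the image is built, so the image no longer contains the source this Dockerfile ships with and two builds of the same commit can differ; pin it (`git clone --depth 1 --branch <release-tag> https://github.com/toniblyx/prowler/`, placeholder tag) or, better, copy the build context with `COPY . /prowler` so the image matches the reviewed tree. `pip install awscli ansi2html boto3` is likewise unpinned, and `pip3`/`pip` are used interchangeably in the same RUN, which presumably only works because the upgraded pip installs the `pip` alias. Separately, `USER ${USERNAME}` is set without a `WORKDIR`, so the entrypoint runs with the root-owned `/` as working directory, and checks that write relative paths — check_extra742's `OUTPUTS_FILE=$stack-$regx-output.txt` in this same diff, check_extra741's userdata file — will fail with a permission error unless the caller mounts a writable working directory; add `WORKDIR /home/${USERNAME}` (or another directory owned by the new user) before `USER`.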