From bc9d4fe762edd3682663df1a01757e70e0152400 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 11 Mar 2019 23:59:02 -0400
Subject: [PATCH 1/8] Created a new Dockerfile based on Alpine
---
 util/Dockerfile | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/util/Dockerfile b/util/Dockerfile
index 8b918078..7fd854aa 100644
--- a/util/Dockerfile
+++ b/util/Dockerfile
@@ -1,4 +1,9 @@
-FROM python
-MAINTAINER Steve Neuharth
-RUN apt-get update && apt-get upgrade -y && pip install awscli ansi2html
-ADD prowler* /usr/local/bin/
+FROM alpine:3.9
+
+RUN apk --update --no-cache add python3 bash curl git
+RUN pip3 install --upgrade pip
+RUN pip install awscli ansi2html boto3
+RUN git clone https://github.com/toniblyx/prowler/
+
+ENTRYPOINT ["/prowler/prowler"]
+CMD []
\ No newline at end of file
From da9cb41b3b3465f80acff9578b5a113df5907748 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Tue, 12 Mar 2019 09:44:34 -0400
Subject: [PATCH 2/8] Added jq to Dockerfile and fixes
---
 util/Dockerfile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/util/Dockerfile b/util/Dockerfile
index 7fd854aa..b482a97c 100644
--- a/util/Dockerfile
+++ b/util/Dockerfile
@@ -1,9 +1,8 @@
 FROM alpine:3.9
-RUN apk --update --no-cache add python3 bash curl git
+RUN apk --update --no-cache add python3 bash curl git jq
 RUN pip3 install --upgrade pip
 RUN pip install awscli ansi2html boto3
 RUN git clone https://github.com/toniblyx/prowler/
 ENTRYPOINT ["/prowler/prowler"]
-CMD []
\ No newline at end of file
From ea89242644ead0f720c7a99eb8d1cdce2a159683 Mon Sep 17 00:00:00 2001
From: Nic Doye
Date: Tue, 12 Mar 2019 13:52:42 +0000
Subject: [PATCH 3/8] Merge RUNs. Run as non-root
---
 util/Dockerfile | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/util/Dockerfile b/util/Dockerfile
index 7fd854aa..d162c457 100644
--- a/util/Dockerfile
+++ b/util/Dockerfile
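Review bot: `RUN git clone https://github.com/toniblyx/prowler/` fetches whatever the default branch holds at build time, so two builds of this Dockerfile can yield different images and the tool's own source is an unpinned, unverified input to the image; the same hunk installs `awscli ansi2html boto3` with no versions. Pin the clone to a release tag or commit (e.g. `RUN git clone --depth 1 --branch <release-tag> https://github.com/toniblyx/prowler/`, or copy the checked-out repository from the build context and drop `git` from the image) and pin the pip packages. Two smaller points: `--update` is redundant next to `--no-cache` on the `apk` line, and `pip install` without `--no-cache-dir` leaves the wheel cache in the layer. The image also still runs as root at this point, which PATCH 3/8 in this series addresses.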
@@ -1,9 +1,15 @@
 FROM alpine:3.9
-RUN apk --update --no-cache add python3 bash curl git
-RUN pip3 install --upgrade pip
-RUN pip install awscli ansi2html boto3
-RUN git clone https://github.com/toniblyx/prowler/
+ARG USERNAME=prowler
+ARG USERID=34000
+
+RUN addgroup -g ${USERID} ${USERNAME} && \
+ adduser -s /bin/sh -G ${USERNAME} -D -u ${USERID} ${USERNAME} && \
+ apk --update --no-cache add python3 bash curl git && \
+ pip3 install --upgrade pip && \
+ pip install awscli ansi2html boto3 &&\
+ git clone https://github.com/toniblyx/prowler/
+
+USER ${USERNAME}
 ENTRYPOINT ["/prowler/prowler"]
-CMD []
\ No newline at end of file
From bde94829287d9134382700184087ca14eb6f97c3 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Tue, 12 Mar 2019 22:40:40 -0400
Subject: [PATCH 4/8] Added check extra742 to find keys in CloudFormation Outputs
---
 checks/check_extra742 | 47 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 checks/check_extra742
diff --git a/checks/check_extra742 b/checks/check_extra742
new file mode 100644
index 00000000..b0ba818b
--- /dev/null
+++ b/checks/check_extra742
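Review bot: There is still no `WORKDIR`, so after `USER ${USERNAME}` the entrypoint starts in `/`, which the unprivileged user cannot write to; the checks in this same series write their scratch files to a relative path (`OUTPUTS_FILE=$stack-$regx-output.txt` in extra742, `$USERDATA_FILE` in extra741), so those checks would fail under the new user. Add `WORKDIR /home/${USERNAME}` before `USER` (BusyBox `adduser -D` should create that home directory — confirm), or create and chown a dedicated output directory. Separately, the `index 7fd854aa..d162c457` line shows this patch is based on PATCH 1/8, not on PATCH 2/8's b482a97c, so the `jq` package added there is silently dropped from the `apk` line here; rebase or re-add `jq`. The non-root user with a fixed numeric UID/GID is the right direction.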
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra742="7.42"
+CHECK_TITLE_extra742="[extra742] Find keys in CloudFormation outputs (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra742="NOT_SCORED"
+CHECK_TYPE_extra742="EXTRA"
+CHECK_ALTERNATE_check742="extra742"
+
+extra742(){
+ textInfo "Looking for keys in CloudFormation output across all regions... "
+ for regx in $REGIONS; do
+ LIST_OF_CFN_STACKS=$($AWSCLI cloudformation describe-stacks $PROFILE_OPT --region $regx --query Stacks[*].[StackName] --output text)
+ if [[ $LIST_OF_CFN_STACKS ]];then
+ for stack in $LIST_OF_CFN_STACKS; do
+ OUTPUTS_FILE=$stack-$regx-output.txt
+ OUTPUTS=$($AWSCLI $PROFILE_OPT --region $regx cloudformation describe-stacks --query "Stacks[?StackName==\`$stack\`].Outputs[*].[OutputKey,OutputValue]" --output text > $OUTPUTS_FILE)
+ if [ -s $OUTPUTS ];then
+ #FINDINGS=$(grep '[A-Za-z0-9]\{20,40\}' $USERDATA_FILE | grep -i -e key -e secret -e token -e pass - |wc -l|tr -d '\ ')
+ #FINDINGS=$(grep -i -e key -e secret -e token -e pass $USERDATA_FILE |wc -l|tr -d '\ ')
+ # This finds ftp or http URLs with credentials and common keywords
+ FINDINGS=$(egrep -i '[[:alpha:]]*://[[:alnum:]]*:[[:alnum:]]*@.*/|key|secret|token|pass' $OUTPUTS_FILE |wc -l|tr -d '\ ')
+ if [[ $FINDINGS -eq 0 ]]; then
+ textPass "$regx: No keys found in Stack $stack" "$regx"
+ # delete file
if nothing interesting is there
+ rm -f $OUTPUTS_FILE
+ else
+ textFail "$regx: Found $FINDINGS keys in $stack! Check file $OUTPUTS_FILE" "$regx"
+ fi
+ else
+ textPass "$regx: Stack $stack has not Outputs" "$regx"
+ fi
+ done
+ else
+ textInfo "$regx: No CloudFormation stacks found" "$regx"
+ fi
+ done
+}
From 9d526ff098a22594f42ea7dddd3d67381a739fbb Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Tue, 12 Mar 2019 23:14:50 -0400
Subject: [PATCH 5/8] Added group11 keys and improved 741 and 742
---
 checks/check_extra741 | 2 +-
 checks/check_extra742 | 2 +-
 groups/group11_keys | 22 ++++++++++++++++++++++
 3 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 groups/group11_keys
diff --git a/checks/check_extra741 b/checks/check_extra741
index fc48a852..f689bc18 100644
--- a/checks/check_extra741
+++ b/checks/check_extra741
@@ -31,7 +31,7 @@ extra741(){
 # This finds ftp or http URLs with credentials and common keywords
 FINDINGS=$(egrep -i '[[:alpha:]]*://[[:alnum:]]*:[[:alnum:]]*@.*/|key|secret|token|pass' $USERDATA_FILE |wc -l|tr -d '\ ')
 if [[ $FILE_FORMAT_ASCII ]]; then
- if [[ $FINDINGS -eq 0 ]]; then
+ if [[ $FINDINGS -eq "0" ]]; then
 textPass "$regx: No keys found in $instance" "$regx"
 # delete file if nothing interesting is there
 rm -f $USERDATA_FILE
diff --git a/checks/check_extra742 b/checks/check_extra742
index b0ba818b..43420f08 100644
--- a/checks/check_extra742
+++ b/checks/check_extra742
@@ -29,7 +29,7 @@ extra742(){
 #FINDINGS=$(grep -i -e key -e secret -e token -e pass $USERDATA_FILE |wc -l|tr -d '\ ')
 # This finds ftp or http URLs with credentials and common keywords
 FINDINGS=$(egrep -i '[[:alpha:]]*://[[:alnum:]]*:[[:alnum:]]*@.*/|key|secret|token|pass' $OUTPUTS_FILE |wc -l|tr -d '\ ')
- if [[ $FINDINGS -eq 0 ]]; then
+ if [[ $FINDINGS -eq "0" ]]; then
 textPass "$regx: No keys found in Stack $stack" "$regx"
 # delete file if nothing interesting is there
 rm -f $OUTPUTS_FILE
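Review bot: `if [ -s $OUTPUTS ];then` never tests the file: the command substitution on the line above captures nothing because stdout is redirected into `$OUTPUTS_FILE`, so `$OUTPUTS` is empty and the unquoted test degenerates to `[ -s ]`, which is always true — the "Stack $stack has not Outputs" branch is unreachable and every stack goes through the grep path. Make the redirect a plain statement and test the file: `$AWSCLI $PROFILE_OPT --region $regx cloudformation describe-stacks --query "..." --output text > "$OUTPUTS_FILE"` followed by `if [ -s "$OUTPUTS_FILE" ];then`. Two further points on the new code: `egrep ... |wc -l` counts matching lines, and the bare `key|secret|token|pass` alternatives match any output whose *name* contains those words (e.g. a `KeyName` output), so the "Found $FINDINGS keys" message overstates what was found; and on a hit the file holding the raw output values is deliberately left in the working directory — worth a comment on the `textFail` line such as `# NOTE: $OUTPUTS_FILE keeps the matched values in plaintext; remove it after review`. Passing `--stack-name "$stack"` instead of re-querying all stacks with a JMESPath filter per stack would also avoid N extra full `describe-stacks` calls per region.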
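Review bot: Quoting the literal in `if [[ $FINDINGS -eq "0" ]]; then` is a no-op — inside `[[ ]]`, `-eq` is an arithmetic comparison and the quotes are stripped before it runs — so the "improved 741 and 742" part of this commit changes no behavior in either file. If a guard was intended, nothing visible here needs one: `wc -l` always emits a number, even when `egrep` finds nothing. The enclosing `extra741` function begins and ends outside this hunk.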
diff --git a/groups/group11_keys b/groups/group11_keys
new file mode 100644
index 00000000..af1b348a
--- /dev/null
+++ b/groups/group11_keys
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+GROUP_ID[11]='keys'
+GROUP_NUMBER[11]='11.0'
+GROUP_TITLE[11]='Look for keys secrets or passwords around resources - [keys] ****************'
+GROUP_RUN_BY_DEFAULT[11]='N' # run it when execute_all is called
+GROUP_CHECKS[11]='extra741,extra742'
+
+# Initially:
+# - EC2 UserData
+# - CloudFormation Outputs
From b03aca80a12f8185691d4fa904cc52c699da99f0 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Wed, 27 Mar 2019 22:35:50 +0000
Subject: [PATCH 6/8] Fixed issue #308
---
 checks/check_extra739 | 35 -----------------------------------
 groups/group10_hipaa | 2 +-
 groups/group7_extras | 2 +-
 groups/group8_forensics | 2 +-
 groups/group9_gdpr | 2 +-
 5 files changed, 4 insertions(+), 39 deletions(-)
 delete mode 100644 checks/check_extra739
diff --git a/checks/check_extra739 b/checks/check_extra739
deleted file mode 100644
index bc357cec..00000000
--- a/checks/check_extra739
+++ /dev/null
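Review bot: The new group file does not say that its two checks leave artifacts behind: both extra741 and extra742 in this series dump the raw EC2 UserData / CloudFormation Outputs into files in the current directory and only `rm -f` them when nothing matched, so a run of the `keys` group can leave plaintext credentials on the scanner host. Add a comment after `GROUP_CHECKS[11]`, e.g. `# NOTE: on a hit, the matched UserData/Outputs are kept on disk in the working directory for review; delete them when done`. Keeping `GROUP_RUN_BY_DEFAULT[11]='N'` so this is opt-in is the right call for a group with that side effect.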
@@ -1,35 +0,0 @@
-#!/usr/bin/env bash
-
-# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not
-# use this file except in compliance with the License. You may obtain a copy
-# of the License at http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed
-# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
-# CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-CHECK_ID_extra739="7.39"
-CHECK_TITLE_extra739="[extra739] Check if ELBs have logging enabled (Not Scored) (Not part of CIS benchmark)"
-CHECK_SCORED_extra739="NOT_SCORED"
-CHECK_TYPE_extra739="EXTRA"
-CHECK_ALTERNATE_check739="extra739"
-
-extra739(){
- for regx in $REGIONS; do
- LIST_OF_ELB=$($AWSCLI elb describe-load-balancers --region $regx $PROFILE_OPT --query LoadBalancerDescriptions[*].LoadBalancerName --output text)
- if [[ $LIST_OF_ELB ]];then
- for elb_id in $LIST_OF_ELB; do
- CHECK_LOG_STATUS=$($AWSCLI elb describe-load-balancer-attributes --region $regx $PROFILE_OPT --load-balancer-name $elb_id --query LoadBalancerAttributes.AccessLog.Enabled --output text|grep False)
- if [[ $CHECK_LOG_STATUS ]]; then
- textFail "$regx: ELB $elb_id has login disabled!" "$regx"
- else
- textPass "$regx: ELB $elb_id has login enabled" "$regx"
- fi
- done
- else
- textInfo "$regx: No ELBs found" "$regx"
- fi
- done
-}
diff --git a/groups/group10_hipaa b/groups/group10_hipaa
index 92ce974e..9319e7e3 100644
--- a/groups/group10_hipaa
+++ b/groups/group10_hipaa
@@ -15,7 +15,7 @@ GROUP_ID[10]='hipaa'
 GROUP_NUMBER[10]='10.0'
 GROUP_TITLE[10]='HIPAA Compliance - ONLY AS REFERENCE - [hipaa] ****************'
 GROUP_RUN_BY_DEFAULT[10]='N' # run it when execute_all is called
-GROUP_CHECKS[10]='check12,check113,check23,check26,check27,check29,extra718,extra725,extra72,extra75,extra739,extra729,extra734,check38,extra73,extra740,extra735'
+GROUP_CHECKS[10]='check12,check113,check23,check26,check27,check29,extra718,extra725,extra72,extra75,extra717,extra729,extra734,check38,extra73,extra740,extra735'
 # Resources:
 # https://d0.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf
diff --git a/groups/group7_extras b/groups/group7_extras
index b84b7e2b..cc2e46b3 100644
--- a/groups/group7_extras
+++ b/groups/group7_extras
@@ -15,4 +15,4 @@ GROUP_ID[7]='extras'
 GROUP_NUMBER[7]='7.0'
 GROUP_TITLE[7]='Extras - [extras] **********************************************'
 GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
-GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741'
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra740,extra741'
diff --git a/groups/group8_forensics b/groups/group8_forensics
index f6f3265b..58508568 100644
--- a/groups/group8_forensics
+++ b/groups/group8_forensics
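Review bot: In the new `GROUP_CHECKS[10]` line the deleted `extra739` is replaced by `extra717` instead of simply being removed, whereas the other three group files in this commit only drop the reference; `extra717` was not in the HIPAA list before, so a commit titled "Fixed issue #308" silently adds a check to the HIPAA group. If `extra717` is the intended successor to the ELB-logging check (cannot be confirmed from this diff), say so in the commit message or in the `# Resources:` comment block; if not, the line should read `...,extra72,extra75,extra729,extra734,...` with nothing substituted.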
@@ -15,4 +15,4 @@ GROUP_ID[8]='forensics-ready'
 GROUP_NUMBER[8]='8.0'
 GROUP_TITLE[8]='Forensics Readiness - [forensics-ready] ************************'
 GROUP_RUN_BY_DEFAULT[8]='N' # run it when execute_all is called
-GROUP_CHECKS[8]='check21,check22,check23,check24,check25,check26,check27,check29,extra712,extra713,extra714,extra715,extra717,extra718,extra719,extra720,extra721,extra722,extra725,extra739'
+GROUP_CHECKS[8]='check21,check22,check23,check24,check25,check26,check27,check29,extra712,extra713,extra714,extra715,extra717,extra718,extra719,extra720,extra721,extra722,extra725'
diff --git a/groups/group9_gdpr b/groups/group9_gdpr
index 19698d6d..7df4c6ec 100644
--- a/groups/group9_gdpr
+++ b/groups/group9_gdpr
@@ -15,7 +15,7 @@ GROUP_ID[9]='gdpr'
 GROUP_NUMBER[9]='9.0'
 GROUP_TITLE[9]='GDPR Readiness - ONLY AS REFERENCE - [gdpr] ********************'
 GROUP_RUN_BY_DEFAULT[9]='N' # run it when execute_all is called
-GROUP_CHECKS[9]='extra718,extra725,extra727,check12,check113,check114,extra71,extra731,extra732,extra733,check25,check39,check21,check22,check23,check24,check26,check27,check35,extra726,extra714,extra715,extra717,extra719,extra720,extra721,extra722,check43,check25,extra714,extra729,extra734,extra735,extra736,extra738,extra739,extra740'
+GROUP_CHECKS[9]='extra718,extra725,extra727,check12,check113,check114,extra71,extra731,extra732,extra733,check25,check39,check21,check22,check23,check24,check26,check27,check35,extra726,extra714,extra715,extra717,extra719,extra720,extra721,extra722,check43,check25,extra714,extra729,extra734,extra735,extra736,extra738,extra740'
 # Resources:
 # https://d1.awsstatic.com/whitepapers/compliance/GDPR_Compliance_on_AWS.pdf
From ddad72fc5f02f21c758d43fb361e4031a4c6e801 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Wed, 27 Mar 2019 22:42:13 +0000
Subject: [PATCH 7/8] Fix issue #309
---
 checks/check_extra733 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
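Review bot: The rewritten `GROUP_CHECKS[9]` value still lists `check25` and `extra714` twice (once in the middle of the list and again right after `check43`); whether the group runner de-duplicates cannot be seen from this hunk, but if it iterates the list as written those two checks execute and report twice in every GDPR run. Since the line is already being changed, drop the second `check25` and `extra714` here rather than carrying the duplicates forward.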
diff --git a/checks/check_extra733 b/checks/check_extra733
index 12665cb3..656b51d1 100644
--- a/checks/check_extra733
+++ b/checks/check_extra733
@@ -25,6 +25,6 @@ extra733(){
 textInfo "SAML Provider $PROVIDER_NAME has been found"
 done
 else
- textFail "No SAML Provider found, add one and use STS"
+ textInfo "No SAML Provider found, add one and use STS"
 fi
 }
From a2ccac97d9cc6953863870d0d6cac5c6d0f9db62 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 8 Apr 2019 21:18:39 -0400
Subject: [PATCH 8/8] Make it work in FreeBSD issue #310
---
 include/os_detector | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/os_detector b/include/os_detector
index 1cbb368d..ea37d106 100644
--- a/include/os_detector
+++ b/include/os_detector
@@ -13,7 +13,7 @@
 # Functions to manage dates depending on OS
-if [ "$OSTYPE" == "linux-gnu" ] || [ "$OSTYPE" == "linux-musl" ]; then
+if [ "$OSTYPE" == "linux-gnu" ] || [ "$OSTYPE" == "linux-musl" ] || ["$OSTYPE" == "freebsd" ]; then
 TEMP_REPORT_FILE=$(mktemp -t -p /tmp prowler.cred_report-XXXXXX)
 # function to compare in days, usage how_older_from_today date
 # date format %Y-%m-%d
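Review bot: With `textFail` turned into `textInfo`, both branches of the visible `if` are now informational and extra733 can no longer fail at all, but nothing in the file records why the downgrade was made. Add a comment above the changed line, e.g. `# Informational only (issue #309): having no SAML provider is not a misconfiguration by itself`, and check that the CHECK_TITLE/CHECK_SCORED metadata for extra733, which sits outside this hunk, does not still present it as a pass/fail check. The body of `extra733` starts outside the hunk.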
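Review bot: `["$OSTYPE" == "freebsd" ]` has no space after `[`, so bash looks for a command literally named `[freebsd…`; on FreeBSD that prints "command not found", the test evaluates false, and the added branch never runs — the fix for #310 does not work, and the bug is invisible on Linux only because the first two tests short-circuit. Bash on FreeBSD also reports `$OSTYPE` with a version suffix (e.g. `freebsd12.1` — verify on the target host), so even with the space an exact compare would miss; use a pattern match: `|| [[ "$OSTYPE" == freebsd* ]]; then`. The GNU-style `mktemp -t -p /tmp …` on the following context line was only ever exercised on Linux before this change and should be checked against FreeBSD's mktemp option set as well.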