From 293560dcd4f9f4273f13a9580bbeecc7b5f4c60b Mon Sep 17 00:00:00 2001
From: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Date: Wed, 21 Jun 2023 15:18:02 +0200
Subject: [PATCH] fix(contrib): migrate `multi-account-securityhub/run-prowler-securityhub.sh` to v3 (#2503)

Co-authored-by: Pepe Fagoaga
---
contrib/multi-account-securityhub/Dockerfile | 51 ++++++-------------
.../run-prowler-securityhub.sh | 51 +++++++++----------
2 files changed, 39 insertions(+), 63 deletions(-)
mode change 100644 => 100755 contrib/multi-account-securityhub/run-prowler-securityhub.sh

diff --git a/contrib/multi-account-securityhub/Dockerfile b/contrib/multi-account-securityhub/Dockerfile
index c3088a8a..1cc6c326 100644
--- a/contrib/multi-account-securityhub/Dockerfile
+++ b/contrib/multi-account-securityhub/Dockerfile
@@ -1,45 +1,24 @@ # Build command # docker build --platform=linux/amd64 --no-cache -t prowler:latest . -FROM public.ecr.aws/amazonlinux/amazonlinux:2022 +ARG PROWLER_VERSION=latest -ARG PROWLERVER=2.9.0 -ARG USERNAME=prowler -ARG USERID=34000 +FROM toniblyx/prowler:${PROWLER_VERSION} -# Install Dependencies -RUN \ - dnf update -y && \ - dnf install -y bash file findutils git jq python3 python3-pip \ - python3-setuptools python3-wheel shadow-utils tar unzip which && \ - dnf remove -y awscli && \ - dnf clean all && \ - useradd -l -s /bin/sh -U -u ${USERID} ${USERNAME} && \ - curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \ - unzip awscliv2.zip && \ - ./aws/install && \ - pip3 install --no-cache-dir --upgrade pip && \ - pip3 install --no-cache-dir "git+https://github.com/ibm/detect-secrets.git@master#egg=detect-secrets" && \ - rm -rf aws awscliv2.zip /var/cache/dnf +USER 0 +# hadolint ignore=DL3018 +RUN apk --no-cache add bash aws-cli jq -# Place script and env vars -COPY .awsvariables run-prowler-securityhub.sh / +ARG MULTI_ACCOUNT_SECURITY_HUB_PATH=/home/prowler/multi-account-securityhub -# Installs prowler and change permissions -RUN \ - curl -L "https://github.com/prowler-cloud/prowler/archive/refs/tags/${PROWLERVER}.tar.gz" -o "prowler.tar.gz" && \ - tar xvzf prowler.tar.gz && \ - rm -f prowler.tar.gz && \ - mv prowler-${PROWLERVER} prowler && \ - chown ${USERNAME}:${USERNAME} /run-prowler-securityhub.sh && \ - chmod 500 /run-prowler-securityhub.sh && \ - chown ${USERNAME}:${USERNAME} /.awsvariables && \ - chmod 400 /.awsvariables && \ - chown ${USERNAME}:${USERNAME} -R /prowler && \ - chmod +x /prowler/prowler +USER prowler -# Drop to user -USER ${USERNAME} +# Move script and environment variables +RUN mkdir "${MULTI_ACCOUNT_SECURITY_HUB_PATH}" +COPY --chown=prowler:prowler .awsvariables run-prowler-securityhub.sh "${MULTI_ACCOUNT_SECURITY_HUB_PATH}"/ +RUN chmod 500 
"${MULTI_ACCOUNT_SECURITY_HUB_PATH}"/run-prowler-securityhub.sh & \ + chmod 400 "${MULTI_ACCOUNT_SECURITY_HUB_PATH}"/.awsvariables -# Run script -ENTRYPOINT ["/run-prowler-securityhub.sh"] +WORKDIR ${MULTI_ACCOUNT_SECURITY_HUB_PATH} + +ENTRYPOINT ["./run-prowler-securityhub.sh"] diff --git a/contrib/multi-account-securityhub/run-prowler-securityhub.sh b/contrib/multi-account-securityhub/run-prowler-securityhub.sh old mode 100644 new mode 100755 index 357e980a..bb2ced55 --- a/contrib/multi-account-securityhub/run-prowler-securityhub.sh +++ b/contrib/multi-account-securityhub/run-prowler-securityhub.sh @@ -1,20 +1,17 @@ #!/bin/bash # Run Prowler against All AWS Accounts in an AWS Organization -# Change Directory (rest of the script, assumes you're in the root directory) -cd / || exit - # Show Prowler Version -./prowler/prowler -V +prowler -v # Source .awsvariables # shellcheck disable=SC1091 source .awsvariables # Get Values from Environment Variables -echo "ROLE: $ROLE" -echo "PARALLEL_ACCOUNTS: $PARALLEL_ACCOUNTS" -echo "REGION: $REGION" +echo "ROLE: ${ROLE}" +echo "PARALLEL_ACCOUNTS: ${PARALLEL_ACCOUNTS}" +echo "REGION: ${REGION}" # Function to unset AWS Profile Variables unset_aws() { 
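Review bot: The permission step near the end of the hunk joins its two chmod commands with a single `&` (`chmod 500 … & \` continued by `chmod 400 …`), which backgrounds the first chmod instead of sequencing it: its exit status is never checked by the build, and whether it has finished when the layer is committed is a race. It should read `RUN chmod 500 "${MULTI_ACCOUNT_SECURITY_HUB_PATH}"/run-prowler-securityhub.sh && \`. Separately, `ARG PROWLER_VERSION=latest` makes the default `FROM toniblyx/prowler:latest` a floating tag, so two builds of the same Dockerfile can pick up different Prowler releases; a pinned default such as `ARG PROWLER_VERSION=<pinned-release>` (or a digest) keeps the image reproducible while `latest` stays reachable via `--build-arg`. The `apk --no-cache add bash aws-cli jq` line is likewise unpinned, which the `hadolint ignore=DL3018` comment acknowledges without saying why; a short reason next to it would help the next reader.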
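Review bot: Removing `cd / || exit` leaves `source .awsvariables` resolving against whatever the caller's working directory happens to be, with no check that the file was actually read; the Dockerfile's WORKDIR makes this work in the container, but run from anywhere else `source` fails non-fatally and, since nothing in the visible lines enables `set -e`, the script carries on with `ROLE`, `PARALLEL_ACCOUNTS` and `REGION` empty. Anchoring the file to the script's own location and failing closed, `source "$(dirname "${BASH_SOURCE[0]}")/.awsvariables" || exit 1`, restores the guarantee the removed `cd` line provided. A one-line comment above it, such as `# Must sit next to this script; abort if missing so an empty ROLE is never used`, would make the dependency explicit.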
@@ -24,33 +21,33 @@ unset_aws # Find THIS Account AWS Number CALLER_ARN=$(aws sts get-caller-identity --output text --query "Arn") -PARTITION=$(echo "$CALLER_ARN" | cut -d: -f2) -THISACCOUNT=$(echo "$CALLER_ARN" | cut -d: -f5) -echo "THISACCOUNT: $THISACCOUNT" -echo "PARTITION: $PARTITION" +PARTITION=$(echo "${CALLER_ARN}" | cut -d: -f2) +THISACCOUNT=$(echo "${CALLER_ARN}" | cut -d: -f5) +echo "THISACCOUNT: ${THISACCOUNT}" +echo "PARTITION: ${PARTITION}" # Function to Assume Role to THIS Account & Create Session this_account_session() { unset_aws - role_credentials=$(aws sts assume-role --role-arn arn:"$PARTITION":iam::"$THISACCOUNT":role/"$ROLE" --role-session-name ProwlerRun --output json) - AWS_ACCESS_KEY_ID=$(echo "$role_credentials" | jq -r .Credentials.AccessKeyId) - AWS_SECRET_ACCESS_KEY=$(echo "$role_credentials" | jq -r .Credentials.SecretAccessKey) - AWS_SESSION_TOKEN=$(echo "$role_credentials" | jq -r .Credentials.SessionToken) + role_credentials=$(aws sts assume-role --role-arn arn:"${PARTITION}":iam::"${THISACCOUNT}":role/"${ROLE}" --role-session-name ProwlerRun --output json) + AWS_ACCESS_KEY_ID=$(echo "${role_credentials}" | jq -r .Credentials.AccessKeyId) + AWS_SECRET_ACCESS_KEY=$(echo "${role_credentials}" | jq -r .Credentials.SecretAccessKey) + AWS_SESSION_TOKEN=$(echo "${role_credentials}" | jq -r .Credentials.SessionToken) export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN } # Find AWS Master Account this_account_session AWSMASTER=$(aws organizations describe-organization --query Organization.MasterAccountId --output text) -echo "AWSMASTER: $AWSMASTER" +echo "AWSMASTER: ${AWSMASTER}" # Function to Assume Role to Master Account & Create Session master_account_session() { unset_aws - role_credentials=$(aws sts assume-role --role-arn arn:"$PARTITION":iam::"$AWSMASTER":role/"$ROLE" --role-session-name ProwlerRun --output json) - AWS_ACCESS_KEY_ID=$(echo "$role_credentials" | jq -r .Credentials.AccessKeyId) - 
AWS_SECRET_ACCESS_KEY=$(echo "$role_credentials" | jq -r .Credentials.SecretAccessKey) - AWS_SESSION_TOKEN=$(echo "$role_credentials" | jq -r .Credentials.SessionToken) + role_credentials=$(aws sts assume-role --role-arn arn:"${PARTITION}":iam::"${AWSMASTER}":role/"${ROLE}" --role-session-name ProwlerRun --output json) + AWS_ACCESS_KEY_ID=$(echo "${role_credentials}" | jq -r .Credentials.AccessKeyId) + AWS_SECRET_ACCESS_KEY=$(echo "${role_credentials}" | jq -r .Credentials.SecretAccessKey) + AWS_SESSION_TOKEN=$(echo "${role_credentials}" | jq -r .Credentials.SessionToken) export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN } @@ -60,20 +57,20 @@ ACCOUNTS_IN_ORGS=$(aws organizations list-accounts --query Accounts[*].Id --outp # Run Prowler against Accounts in AWS Organization echo "AWS Accounts in Organization" -echo "$ACCOUNTS_IN_ORGS" -for accountId in $ACCOUNTS_IN_ORGS; do +echo "${ACCOUNTS_IN_ORGS}" +for accountId in ${ACCOUNTS_IN_ORGS}; do # shellcheck disable=SC2015 - test "$(jobs | wc -l)" -ge $PARALLEL_ACCOUNTS && wait -n || true + test "$(jobs | wc -l)" -ge "${PARALLEL_ACCOUNTS}" && wait -n || true { - START_TIME=$SECONDS + START_TIME=${SECONDS} # Unset AWS Profile Variables unset_aws # Run Prowler - echo -e "Assessing AWS Account: $accountId, using Role: $ROLE on $(date)" + echo -e "Assessing AWS Account: ${accountId}, using Role: ${ROLE} on $(date)" # Pipe stdout to /dev/null to reduce unnecessary Cloudwatch logs - ./prowler/prowler -R "$ROLE" -A "$accountId" -M json-asff -q -S -f "$REGION" > /dev/null + prowler aws -R arn:"${PARTITION}":iam::"${accountId}":role/"${ROLE}" -q -S -f "${REGION}" > /dev/null TOTAL_SEC=$((SECONDS - START_TIME)) - printf "Completed AWS Account: $accountId in %02dh:%02dm:%02ds" $((TOTAL_SEC / 3600)) $((TOTAL_SEC % 3600 / 60)) $((TOTAL_SEC % 60)) + printf "Completed AWS Account: ${accountId} in %02dh:%02dm:%02ds" $((TOTAL_SEC / 3600)) $((TOTAL_SEC % 3600 / 60)) $((TOTAL_SEC % 60)) echo "" } & done
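Review bot: Neither `this_account_session` nor `master_account_session` checks whether `aws sts assume-role` succeeded; on failure `role_credentials` is empty, each `jq -r` prints nothing, and the function exports empty `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`/`AWS_SESSION_TOKEN`, so the following `aws organizations` call presumably proceeds under whatever the credential provider chain falls back to rather than failing at the real cause. Appending a guard to the assignment, e.g. `role_credentials=$(aws sts assume-role … --output json) || { echo "assume-role into ${THISACCOUNT} failed" >&2; exit 1; }` (and the same with `${AWSMASTER}` in the master function), surfaces the actual error before anything else runs. Since the commit already rewrites both bodies, the two functions now differ only in the account id and could collapse into a single `assume_role_session <account-id>` helper, which would also keep them from drifting apart again.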
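Review bot: The new `printf` line still interpolates `${accountId}` into the format string (ShellCheck SC2059); `accountId` comes from the `list-accounts` output so it is digits in practice, but the idiomatic form is `printf "Completed AWS Account: %s in %02dh:%02dm:%02ds" "${accountId}" $((TOTAL_SEC / 3600)) $((TOTAL_SEC % 3600 / 60)) $((TOTAL_SEC % 60))`. The `prowler aws … > /dev/null` line also discards the exit status along with stdout, so an account whose role cannot be assumed is still reported as `Completed AWS Account`; capturing `$?` right after that line and printing it with the timing line would make the CloudWatch log usable for triage. Prowler 3 also exits non-zero when checks fail, so treat the code as something to log per account rather than a reason to abort the loop.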