From 2e2fe96ff53ea1ec09225e64bd6d64f4def67363 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente <toni@blyx.com>
Date: Wed, 1 Apr 2020 21:57:20 +0200
Subject: [PATCH] Improved extra716 filters and auth check

---
 checks/check_extra716 | 82 ++++++++++++++++++++++++++++---------------
 1 file changed, 53 insertions(+), 29 deletions(-)

diff --git a/checks/check_extra716 b/checks/check_extra716
index 48a78df7..332baece 100644
--- a/checks/check_extra716
+++ b/checks/check_extra716
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra716="7.16"
-CHECK_TITLE_extra716="[extra716] Check if Amazon Elasticsearch Service (ES) domains are set as Public and have cross account access"
+CHECK_TITLE_extra716="[extra716] Check if Amazon Elasticsearch Service (ES) domains are set as Public and have cross account access "
 CHECK_SCORED_extra716="NOT_SCORED"
 CHECK_TYPE_extra716="EXTRA"
 CHECK_ALTERNATE_check716="extra716"
@@ -19,7 +19,7 @@ CHECK_ALTERNATE_check716="extra716"
 extra716(){
   # if TEST_AUTHENTICATION has a value Prowler will try to access each ElasticSearch server to the public URI endpoint.
   # That is from the host where Prowler is running and will try to read indices or get kibana status
-  TEST_ES_AUTHENTICATION=1
+  TEST_ES_AUTHENTICATION=
   httpStatus(){
     case $1 in 
       000) SERVER_RESPONSE="000 Not responding" ;;
@@ -45,35 +45,59 @@ extra716(){
     if [[ $LIST_OF_DOMAINS ]]; then
       for domain in $LIST_OF_DOMAINS;do
         TEMP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-es-domain.policy.XXXXXXXXXX)
-        $AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.AccessPolicies.Options --output text > $TEMP_POLICY_FILE 2> /dev/null
-        # check if the policy has Principal as *
-        CHECK_ES_DOMAIN_ALLUSERS_POLICY=$(cat $TEMP_POLICY_FILE | jq -r '. | .Statement[] | select(.Effect == "Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and .Condition == null)')
-        if [[ $CHECK_ES_DOMAIN_ALLUSERS_POLICY ]];then
-          if [[ $TEST_ES_AUTHENTICATION ]];then
-            # get endpoint or vpc endpoints
-            ES_DOMAIN_ENDPOINT=$($AWSCLI es describe-elasticsearch-domain --domain-name $domain $PROFILE_OPT --region $regx --query 'DomainStatus.[Endpoint || Endpoints]' --output text)
-
-            # check for Elasticsearch on port 443, rest API HTTP.
-            CHECH_ES_HTTPS=$(curl -m 2 -s -w "%{http_code}" -o /dev/null -X GET "https://$ES_DOMAIN_ENDPOINT/_cat/indices")
-            httpStatus $CHECH_ES_HTTPS
-            if [[ $CHECH_ES_HTTPS -eq "200" ]];then 
-              textFail "$regx: Amazon ES domain $domain policy allow Anonymous cross account access (Principal: \"*\") and ES service endpoint $ES_DOMAIN_ENDPOINT responded $SERVER_RESPONSE" "$regx"
-            else
-              textInfo "$regx: Amazon ES domain $domain policy allow Anonymous cross account access (Principal: \"*\") but ES service endpoint $ES_DOMAIN_ENDPOINT responded $SERVER_RESPONSE" "$regx"
+        # get endpoint or vpc endpoints
+        ES_DOMAIN_ENDPOINT=$($AWSCLI es describe-elasticsearch-domain --domain-name $domain $PROFILE_OPT --region $regx --query 'DomainStatus.[Endpoint || Endpoints]' --output text)
+        # If the endpoint starts with "vpc-" it is in a VPC then it is fine.
+        if [[ "$ES_DOMAIN_ENDPOINT" =~ ^vpc-* ]];then
+          ES_DOMAIN_VPC=$($AWSCLI es describe-elasticsearch-domain --domain-name $domain $PROFILE_OPT --region $regx --query 'DomainStatus.VPCOptions.VPCId' --output text)
+          textInfo "$regx: Amazon ES domain $domain is in VPC $ES_DOMAIN_VPC run extra779 to make sure it is not exposed using custom proxy" "$regx" 
+        else 
+          $AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.AccessPolicies.Options --output text > $TEMP_POLICY_FILE 2> /dev/null
+          CHECK_ES_DOMAIN_POLICY_OPEN=$(cat $TEMP_POLICY_FILE | jq -r '. | .Statement[] | select(.Effect == "Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and select(has("Condition") | not))')
+          CHECK_ES_DOMAIN_POLICY_HAS_CONDITION=$(cat $TEMP_POLICY_FILE | jq -r '. | .Statement[] | select(.Effect == "Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and select(has("Condition")))' )
+          CHECK_ES_DOMAIN_POLICY_CONDITION_PRIVATE_IP=$(cat $TEMP_POLICY_FILE | jq 'select (.Statement[0] .Condition.IpAddress."aws:SourceIp" | select( test("^192.168.[0-9]|^10.0.[0-9]|^172.(1[6-9]|2[0-9]|3[01])|^127.0.0.1")))' )
+          CHECK_ES_DOMAIN_POLICY_CONDITION_ZERO=$(cat $TEMP_POLICY_FILE | jq 'select (.Statement[0] .Condition.IpAddress."aws:SourceIp" | select( test("^0.0.0.0/0|^0.0.0.0/8")))' )
+          CHECK_ES_DOMAIN_POLICY_CONDITION_STAR=$(cat $TEMP_POLICY_FILE | jq 'select (.Statement[0] .Condition.IpAddress."aws:SourceIp" == "*")')
+          CHECK_ES_DOMAIN_POLICY_CONDITION_PUBLIC_IP=$(cat $TEMP_POLICY_FILE | jq 'select (.Statement[0] .Condition.IpAddress."aws:SourceIp" | select( test("^192.168.[0-9]|^10.0.[0-9]|^172.(1[6-9]|2[0-9]|3[01])|^127.0.0.1")| not))' )
+          if [[ $CHECK_ES_DOMAIN_POLICY_OPEN || $CHECK_ES_DOMAIN_POLICY_CONDITION_ZERO || $CHECK_ES_DOMAIN_POLICY_CONDITION_STAR ]];then
+            if [[ $TEST_ES_AUTHENTICATION ]];then
+              # check for REST API on port 443
+              CHECH_ES_HTTPS=$(curl -m 2 -s -w "%{http_code}" -o /dev/null -X GET "https://$ES_DOMAIN_ENDPOINT/_cat/indices")
+              httpStatus $CHECH_ES_HTTPS
+              if [[ $CHECH_ES_HTTPS -eq "200" ]];then 
+                textFail "$regx: Amazon ES domain $domain policy allows Anonymous access and ES service endpoint $ES_DOMAIN_ENDPOINT responded $SERVER_RESPONSE" "$regx"
+              else
+                textInfo "$regx: Amazon ES domain $domain policy allows Anonymous access but ES service endpoint $ES_DOMAIN_ENDPOINT responded $SERVER_RESPONSE" "$regx"
+              fi 
+              # check for Kibana on port 443
+              CHECH_KIBANA_HTTPS=$(curl -m 2 -s -w "%{http_code}" -o /dev/null -X GET "https://$ES_DOMAIN_ENDPOINT/_plugin/kibana/api/status")
+              httpStatus $CHECH_KIBANA_HTTPS
+              if [[ $CHECH_KIBANA_HTTPS -eq "200" ]];then
+                textFail "$regx: Amazon ES domain $domain policy allows Anonymous access and Kibana service endpoint $ES_DOMAIN_ENDPOINT responded $SERVER_RESPONSE" "$regx"
+              else
+                textInfo "$regx: Amazon ES domain $domain policy allows Anonymous access but Kibana service endpoint $ES_DOMAIN_ENDPOINT responded $SERVER_RESPONSE" "$regx"
+              fi  
+            else 
+              if [[ $CHECK_ES_DOMAIN_POLICY_OPEN ]];then 
+                textFail "$regx: Amazon ES domain $domain policy allows access (Principal: \"*\") AUTH NOT TESTED" "$regx"
+              fi 
+              if [[ $CHECK_ES_DOMAIN_POLICY_CONDITION_ZERO ]];then 
+                textFail "$regx: Amazon ES domain $domain policy allows access (Principal: \"*\" and network 0.0.0.0) AUTH NOT TESTED" "$regx"
+              fi 
+              if [[ $CHECK_ES_DOMAIN_POLICY_CONDITION_STAR ]];then 
+                textFail "$regx: Amazon ES domain $domain policy allows access (Principal: \"*\" and network \"*\") AUTH NOT TESTED" "$regx"
+              fi
             fi 
-            # check for Kibana on port 443
-            CHECH_KIBANA_HTTPS=$(curl -m 2 -s -w "%{http_code}" -o /dev/null -X GET "https://$ES_DOMAIN_ENDPOINT/_plugin/kibana/api/status")
-            httpStatus $CHECH_KIBANA_HTTPS
-            if [[ $CHECH_KIBANA_HTTPS -eq "200" ]];then
-              textFail "$regx: Amazon ES domain $domain policy allow Anonymous cross account access (Principal: \"*\") and Kibana service endpoint $ES_DOMAIN_ENDPOINT responded $SERVER_RESPONSE" "$regx"
-            else
-              textInfo "$regx: Amazon ES domain $domain policy allow Anonymous cross account access (Principal: \"*\") but Kibana service endpoint $ES_DOMAIN_ENDPOINT responded $SERVER_RESPONSE" "$regx"
+          elif [[ $CHECK_ES_DOMAIN_POLICY_HAS_CONDITION ]];then
+            if [[ $CHECK_ES_DOMAIN_POLICY_CONDITION_PRIVATE_IP ]];then
+              textInfo "$regx: Amazon ES domain $domain policy allows access from a RFC1918 PRIVATE IP or CIDR" "$regx"
             fi  
-          else 
-            textFail "$regx: Amazon ES domain $domain policy allow Anonymous cross account access (Principal: \"*\")" "$regx"
-          fi 
-        else
-          textPass "$regx: Amazon ES domain $domain does not allow Anonymous cross account access" "$regx"
+            if [[ $CHECK_ES_DOMAIN_POLICY_CONDITION_PUBLIC_IP ]];then
+              textInfo "$regx: Amazon ES domain $domain policy allows access from a PUBLIC IP or CIDR" "$regx"
+            fi 
+          else
+            textPass "$regx: Amazon ES domain $domain does not allow Anonymous cross account access" "$regx"
+          fi
         fi
         rm -f $TEMP_POLICY_FILE
       done