From 3fadc1cce1cb63c75549f6c028097bbe7ab24b66 Mon Sep 17 00:00:00 2001
From: Ben Allen
Date: Mon, 26 Jun 2017 10:48:56 -0500
Subject: [PATCH] convert NOTICE text to use output function
---
 prowler | 82 ++++++++++++++++++++++++++++++++-------------------------
 1 file changed, 46 insertions(+), 36 deletions(-)
diff --git a/prowler b/prowler
index b8cb7059..5b52344e 100755
--- a/prowler
+++ b/prowler
@@ -311,21 +311,31 @@ infoReferenceLong(){
 echo -e " $NOTICE https://github.com/Alfresco/aws-cis-security-benchmark/issues$NORMAL"
 }
-infoReferenceShort(){
- # Report review note:
- echo -e " $NOTICE http://bit.ly/2g3PEf7$NORMAL"
-}
+
 text_ok(){
 echo " $OK OK! $NORMAL $@"
 }
+text_notice(){
+ echo " $NOTICE NOTICE! $@ $NORMAL"
+}
+
+text_warn(){
+ echo " $WARNING WARNING! $@ $NORMAL"
+}
+
+infoReferenceShort(){
+ # Report review note:
+ text_notice "http://bit.ly/2g3PEf7"
+}
+
 check11(){
 TITLE11="$BLUE 1.1$NORMAL Avoid the use of the root account (Scored). Last time root account was used (password last used, access_key_1_last_used, access_key_2_last_used): "
 COMMAND11=$(cat $TEMP_REPORT_FILE| grep '' | cut -d, -f5,11,16 | sed 's/,/,\ /g')
 echo -e "\n$TITLE11"
- echo -e " $NOTICE $COMMAND11 $NORMAL"
+ text_notice "$COMMAND11 $NORMAL"
 }
 check12(){
@@ -532,9 +542,9 @@ check115(){
 TITLE115="$BLUE 1.15$NORMAL Ensure security questions are registered in the AWS account (Not Scored)"
 # No command available
 echo -e "\n$TITLE115"
- echo -e " $NOTICE No command available for check 1.15 $NORMAL"
- echo -e " $NOTICE Login to the AWS Console as root, click on the Account $NORMAL"
- echo -e " $NOTICE Name -> My Account -> Configure Security Challenge Questions $NORMAL"
+ text_notice "No command available for check 1.15 "
+ text_notice "Login to the AWS Console as root, click on the Account "
+ text_notice "Name -> My Account -> Configure Security Challenge Questions "
 }
 check116(){
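Review bot: `text_notice` and `text_warn` splice `$@` into a double-quoted string (`echo " $NOTICE NOTICE! $@ $NORMAL"`); inside quotes `$@` expands to separate words that `echo` re-joins, so output is unchanged today, but it is the SC2145 pattern and `$*` states the intent: `echo " $NOTICE NOTICE! $* $NORMAL"`. In check11 the converted call still passes the reset code that the helper now appends itself, `text_notice "$COMMAND11 $NORMAL"`; dropping the trailing `$NORMAL` makes it match the other converted calls. The helpers use plain `echo` where the replaced lines used `echo -e`; if `$NOTICE`/`$NORMAL` are defined as literal backslash escapes rather than raw bytes the colours will stop rendering — that definition is outside this hunk, though `text_ok` already uses plain `echo`, so it is probably fine. `text_warn` is introduced here but the `$BAD WARNING!` echo lines later in the patch are not converted to it.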
@@ -559,8 +569,8 @@ check117(){
 TITLE117="$BLUE 1.17$NORMAL Enable detailed billing (Scored)"
 # No command available
 echo -e "\n$TITLE117 "
- echo -e " $NOTICE No command available for check 1.17 $NORMAL"
- echo -e " $NOTICE See section 1.17 on the CIS Benchmark guide for details $NORMAL"
+ text_notice "No command available for check 1.17 "
+ text_notice "See section 1.17 on the CIS Benchmark guide for details "
 infoReferenceShort
 }
@@ -569,19 +579,19 @@ check118(){
 echo -e "\n$TITLE118 "
 FINDMASTERANDMANAGER=$($AWSCLI iam list-roles --profile $PROFILE --region $REGION --query "Roles[*].{RoleName:RoleName}" --output text | grep -E 'Master|Manager'| tr '\n' ' ')
 if [[ $FINDMASTERANDMANAGER ]];then
- echo -e " $NOTICE Found next roles as possible IAM Master and IAM Manager candidates: $NORMAL"
- echo -e " $NOTICE $FINDMASTERANDMANAGER $NORMAL"
- echo -e "\n $NOTICE INFO: run the commands below to check their policies with section 1.18 in the guide... $NORMAL"
+ text_notice "Found next roles as possible IAM Master and IAM Manager candidates: "
+ text_notice "$FINDMASTERANDMANAGER "
+ text_notice "run the commands below to check their policies with section 1.18 in the guide..."
 for role in $FINDMASTERANDMANAGER;do
 # find inline policies in found roles
 INLINEPOLICIES=$($AWSCLI iam list-role-policies --role-name $role --profile $PROFILE --region $REGION --query "PolicyNames[*]" --output text)
 for policy in $INLINEPOLICIES;do
- echo " $NOTICE $AWSCLI iam get-role-policy --role-name $role --policy-name $policy --profile $PROFILE --region $REGION$NORMAL"
+ text_notice "$AWSCLI iam get-role-policy --role-name $role --policy-name $policy --profile $PROFILE --region $REGION"
 done
 # find attached policies in found roles
 ATTACHEDPOLICIES=$($AWSCLI iam list-attached-role-policies --role-name $role --profile $PROFILE --region $REGION --query "AttachedPolicies[*]" --output text)
 for policy in $ATTACHEDPOLICIES;do
- echo " $NOTICE $AWSCLI iam get-role-policy --role-name $role --policy-name $policy --profile $PROFILE --region $REGION$NORMAL"
+ text-notice "$AWSCLI iam get-role-policy --role-name $role --policy-name $policy --profile $PROFILE --region $REGION"
 done
 done
 else
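Review bot: The attached-policy loop calls `text-notice` with a hyphen, which bash resolves as an external command, so for every attached policy on a candidate role the user gets `text-notice: command not found` on stderr instead of the suggested command; it should read `text_notice "$AWSCLI iam get-role-policy --role-name $role --policy-name $policy --profile $PROFILE --region $REGION"`. Separately, and carried over from the removed line rather than introduced here, that suggestion is the inline-policy command: `get-role-policy` takes an inline policy name, whereas `list-attached-role-policies` returns managed policies, and with `--query "AttachedPolicies[*]" --output text` the loop variable presumably walks both the name and ARN columns — a `PolicyArn`-only query feeding `iam get-policy --policy-arn $policy` would be the matching suggestion. check118's `if`/`else` is opened in this hunk and closed past it.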
@@ -593,8 +603,8 @@ check119(){
 TITLE119="$BLUE 1.19$NORMAL Maintain current contact details (Scored)"
 # No command available
 echo -e "\n$TITLE119 "
- echo -e " $NOTICE No command available for check 1.19 $NORMAL"
- echo -e " $NOTICE See section 1.19 on the CIS Benchmark guide for details $NORMAL"
+ text_notice "No command available for check 1.19 "
+ text_notice "See section 1.19 on the CIS Benchmark guide for details "
 infoReferenceShort
 }
@@ -602,16 +612,16 @@ check120(){
 TITLE120="$BLUE 1.20$NORMAL Ensure security contact information is registered (Scored)"
 # No command available
 echo -e "\n$TITLE120 "
- echo -e " $NOTICE No command available for check 1.20 $NORMAL"
- echo -e " $NOTICE See section 1.20 on the CIS Benchmark guide for details $NORMAL"
+ text_notice "No command available for check 1.20 "
+ text_notice "See section 1.20 on the CIS Benchmark guide for details "
 infoReferenceShort
 }
 check121(){
 TITLE121="$BLUE 1.21$NORMAL Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
 echo -e "\n$TITLE121 "
- echo -e " $NOTICE No command available for check 1.21 $NORMAL"
- echo -e " $NOTICE See section 1.21 on the CIS Benchmark guide for details $NORMAL"
+ text_notice "No command available for check 1.21 "
+ text_notice "See section 1.21 on the CIS Benchmark guide for details "
 infoReferenceShort
 }
@@ -624,7 +634,7 @@ check122(){
 POLICYTOSHOW=$($AWSCLI iam list-entities-for-policy --policy-arn $SUPPORTPOLICYARN --profile $PROFILE --region $REGION --output text)
 if [[ $POLICYTOSHOW ]];then
 text_ok "Support Policy attached to $POLICYTOSHOW"
- echo -e " $NOTICE Make sure your team can create a Support case with AWS $NORMAL"
+ text_notice "Make sure your team can create a Support case with AWS "
 else
 echo -e " $BAD WARNING! Support Policy not applied to any Group, User or Role $NORMAL"
 fi
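Review bot: The `else` branch of check122 keeps `echo -e " $BAD WARNING! Support Policy not applied to any Group, User or Role $NORMAL"` while this patch introduces a `text_warn` helper for exactly this shape of message; converting it to `text_warn "Support Policy not applied to any Group, User or Role"` would keep the warning output uniform with the notices just converted above it. `text_warn` colours with `$WARNING` rather than `$BAD`, so confirm those resolve to the same code (their definitions are outside this patch) or add a `$BAD` variant before switching. The same unconverted `$BAD WARNING!` lines remain in the check28 and check315 hunks.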
@@ -642,8 +652,8 @@ check123(){
 LIST_USERS_KEY1_NA=$(for user in $LIST_USERS; do grep $user $TEMP_REPORT_FILE|awk -F, '{ print $1,$11 }'|grep N/A |awk '{ print $1 }'; done)
 LIST_USERS_KEY1_ACTIVE=$(for user in $LIST_USERS_KEY1_NA; do grep $user $TEMP_REPORT_FILE|awk -F, '{ print $1,$9 }'|grep "true$"|awk '{ print $1 }'|sed 's/[:blank:]+/,/g' ; done)
 if [[ $LIST_USERS_KEY1_ACTIVE ]]; then
- echo -e " $NOTICE List of users with Access Key 1 never used:$NORMAL"
- echo -e " $NOTICE $LIST_USERS_KEY1_ACTIVE $NORMAL have never used Access Key 1"
+ text_notice "List of users with Access Key 1 never used:"
+ text_notice "$LIST_USERS_KEY1_ACTIVE have never used Access Key 1"
 else
 text_ok "No users found with Access Key 1 never used"
 fi
@@ -651,8 +661,8 @@ check123(){
 LIST_USERS_KEY2_NA=$(for user in $LIST_USERS; do grep $user $TEMP_REPORT_FILE|awk -F, '{ print $1,$16 }'|grep N/A |awk '{ print $1 }' ; done)
 LIST_USERS_KEY2_ACTIVE=$(for user in $LIST_USERS_KEY2_NA; do grep $user $TEMP_REPORT_FILE|awk -F, '{ print $1,$14 }'|grep "true$" |awk '{ print $1 }' ; done)
 if [[ $LIST_USERS_KEY2_ACTIVE ]]; then
- echo -e " $NOTICE List of users with Access Key 2 never used:$NORMAL"
- echo -e " $NOTICE $LIST_USERS_KEY2_ACTIVE $NORMAL have never used Access Key 2"
+ text_notice "List of users with Access Key 2 never used:"
+ text_notice "$LIST_USERS_KEY2_ACTIVE have never used Access Key 2"
 else
 text_ok "No users found with Access Key 2 never used"
 fi
@@ -663,7 +673,7 @@ check124(){
 echo -e "\n$TITLE124"
 LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text --profile $PROFILE --region $REGION|grep 'arn:aws:iam::[0-9]\{12\}:'|awk '{ print $2 }')
 if [[ $LIST_CUSTOM_POLICIES ]]; then
- echo -e " $NOTICE Looking for custom policies: (skipping default policies, it may take few seconds...)$NORMAL"
+ text_notice "Looking for custom policies: (skipping default policies, it may take few seconds...)"
 for policy in $LIST_CUSTOM_POLICIES; do
 POLICY_VERSION=$($AWSCLI iam list-policies --profile $PROFILE --region $REGION --query 'Policies[*].[Arn,DefaultVersionId]' --output text|grep -w $policy |awk '{ print $2}')
 POLICY_WITH_FULL=$($AWSCLI iam get-policy-version --output text --policy-arn $policy --version-id $POLICY_VERSION --query "PolicyVersion.Document.Statement[?Effect == 'Allow' && contains(Resource, '*') && contains (Action, '*')]" --profile $PROFILE --region $REGION)
@@ -672,9 +682,9 @@ check124(){
 fi
 done
 if [[ $POLICIES_ALLOW_LIST ]]; then
- echo -e " $NOTICE List of custom policies: $NORMAL"
+ text_notice "List of custom policies: "
 for policy in $POLICIES_ALLOW_LIST; do
- echo " $NOTICE Policy $policy allows \"*:*\" $NORMAL"
+ text_notice "Policy $policy allows \"*:*\""
 done
 else
 text_ok "No custom policy found that allow full \"*:*\" administrative privileges"
@@ -830,7 +840,7 @@ check28(){
 if [[ $CHECK_KMS_KEY_ROTATION == "True" ]];then
 text_ok "Key $key in Region $regx is set correctly"
 elif [[ $CHECK_KMS_KEY_ROTATION == "False" && $CHECK_KMS_DEFAULT_KEY ]];then
- echo -e " $NOTICE Region $regx key $key is an AWS default master key and cannot be deleted nor modified.$NORMAL"
+ text_notice "Region $regx key $key is an AWS default master key and cannot be deleted nor modified."
 else
 echo -e " $BAD WARNING! Key $key in Region $regx is not set to rotate!!!$NORMAL"
 fi
@@ -838,7 +848,7 @@ check28(){
 done
 else
- echo -e " $NOTICE Region $regx doesn't have encryption keys $NORMAL"
+ text_notice "Region $regx doesn't have encryption keys "
 fi
 done
 }
@@ -1077,15 +1087,15 @@ check315(){
 CHECK_TOPIC_LIST=$($AWSCLI sns list-subscriptions-by-topic --topic-arn $topic --profile $PROFILE --region $regx --query 'Subscriptions[*].{Endpoint:Endpoint,Protocol:Protocol}' --output text --max-items $MAXITEMS | grep -v "None")
 if [[ $CHECK_TOPIC_LIST ]]; then
 TOPIC_SHORT=$(echo $topic | awk -F: '{ print $7 }')
- echo -e " $NOTICE Region $regx with Topic $TOPIC_SHORT: $NORMAL "
- echo -e " $NOTICE - Suscription: $CHECK_TOPIC_LIST $NORMAL"
+ text_notice "Region $regx with Topic $TOPIC_SHORT: "
+ text_notice "- Suscription: $CHECK_TOPIC_LIST "
 else
 echo -e " $BAD WARNING! No suscription found in: Region $regx and Topic $topic $NORMAL"
 echo -e " $BAD - Region $regx and Topic $topic $NORMAL"
 fi
 done
 else
- echo -e " $NOTICE Region $regx doesn't have topics $NORMAL"
+ text_notice "Region $regx doesn't have topics "
 fi
 done
 }
@@ -1152,11 +1162,11 @@ check45(){
 #set -xe
 TITLE45="$BLUE 4.5$NORMAL Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
 echo -e "\n$TITLE45 "
- echo -e " $NOTICE Looking for VPC peering in all regions... $NORMAL "
+ text_notice "Looking for VPC peering in all regions... "
 for regx in $REGIONS; do
 LIST_OF_VPCS_PEERING_CONNECTIONS=$($AWSCLI ec2 describe-vpc-peering-connections --output text --profile $PROFILE --region $regx --query 'VpcPeeringConnections[*].VpcPeeringConnectionId')
 if [[ $LIST_OF_VPCS_PEERING_CONNECTIONS ]];then
- echo -e " $NOTICE $regx: $LIST_OF_VPCS_PEERING_CONNECTIONS, review its routing tables $NORMAL "
+ text_notice "$regx: $LIST_OF_VPCS_PEERING_CONNECTIONS, review its routing tables "
 #LIST_OF_VPCS=$($AWSCLI ec2 describe-vpcs --profile $PROFILE --region $regx --query 'Vpcs[*].VpcId' --output text)
 #aws ec2 describe-route-tables --filter "Name=vpc-id,Values=vpc-0213e864" --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}" --profile $PROFILE --region $regx
 # for vpc in $LIST_OF_VPCS; do