ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 23:05:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add additional error checking to address issue 459

Browse Source
This commit is contained in:
C.J
2020-01-25 15:22:39 -05:00
parent b3b903959b
commit 41ccd4517b
2 changed files with 16 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
checks/check23
View File

@@ -17,10 +17,14 @@ CHECK_ALTERNATE_check203="check23"
check23(){
# "Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails --query 'trailList[*].S3BucketName' --output text $PROFILE_OPT --region $REGION)
if [[ $CLOUDTRAILBUCKET ]];then
if [[ $CLOUDTRAILBUCKET ]]; then
for bucket in $CLOUDTRAILBUCKET;do
CLOUDTRAILBUCKET_HASALLPERMISIONS=$($AWSCLI s3api get-bucket-acl --bucket $bucket --query 'Grants[?Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`]' $PROFILE_OPT --region $REGION --output text)
if [[ $CLOUDTRAILBUCKET_HASALLPERMISIONS ]];then
CLOUDTRAILBUCKET_HASALLPERMISIONS=$($AWSCLI s3api get-bucket-acl --bucket $bucket --query 'Grants[?Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`]' $PROFILE_OPT --region $REGION --output text 2>&1)
if [[ $(echo "$CLOUDTRAILBUCKET_HASALLPERMISIONS" | grep AccessDenied) ]]; then
textFail "Access Denied Trying to Get Bucket Acl for $bucket"
continue
fi
if [[ $CLOUDTRAILBUCKET_HASALLPERMISIONS ]]; then
textFail "check your $bucket CloudTrail bucket ACL and Policy!"
else
textPass "Bucket $bucket is set correctly"

15
checks/check26
View File

@@ -19,16 +19,20 @@ check26(){
CLOUDTRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[*].Name' --output text| tr '\011' '\012' | awk -F: '{print $1}')
if [[ $CLOUDTRAILS ]];then
if [[ $CLOUDTRAILS ]]; then
for trail in $CLOUDTRAILS; do
CLOUDTRAIL_ACCOUNT_ID=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[*].TrailARN' --output text | tr '\011' '\012' | grep "$trail" | awk -F: '{ print $5 }' | head -n 1)
CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].[Name, S3BucketName]' --output text | tr '\011' ':' | grep "$trail" | awk -F: '{ print $2 }' )
if [[ $CLOUDTRAILBUCKET ]];then
if [[ $CLOUDTRAILBUCKET ]]; then
bucket=$CLOUDTRAILBUCKET
if [ "$CLOUDTRAIL_ACCOUNT_ID" == "$ACCOUNT_NUM" ];then
CLOUDTRAILBUCKET_LOGENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket $PROFILE_OPT --region $REGION --query 'LoggingEnabled.TargetBucket' --output text|grep -v None)
if [[ $CLOUDTRAILBUCKET_LOGENABLED ]];then
if [ "$CLOUDTRAIL_ACCOUNT_ID" == "$ACCOUNT_NUM" ]; then
CLOUDTRAILBUCKET_LOGENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket $PROFILE_OPT --region $REGION --query 'LoggingEnabled.TargetBucket' --output text 2>&1)
if [[ $(echo "$CLOUDTRAILBUCKET_LOGENABLED" | grep AccessDenied) ]]; then
textFail "Access Denied Trying to Get Bucket Logging for $bucket"
continue
fi
if [[ $CLOUDTRAILBUCKET_LOGENABLED != "null" ]]; then
textPass "Bucket access logging enabled in CloudTrail S3 bucket $bucket for $trail"
else
textFail "Bucket access logging is not enabled in CloudTrail S3 bucket $bucket for $trail"
@@ -36,7 +40,6 @@ check26(){
else
textInfo "CloudTrail S3 bucket $bucket for trail $trail is not in current account"
fi
else
textFail "CloudTrail bucket not found!"
fi