Merge branch '2.5' into new-acls-checks

2026-02-10 14:55:00 +00:00 · 2021-05-18 15:34:27 +02:00
parent 2727b7e8e2 cf4034c3b4
commit 46c6f44055
5 changed files with 132 additions and 5 deletions
--- a/checks/check_extra7139
+++ b/checks/check_extra7139
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7139="7.139"
+CHECK_TITLE_extra7139="[extra7139] There are High severity GuardDuty findings (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra7139="NOT_SCORED"
+CHECK_TYPE_extra7139="EXTRA"
+CHECK_SEVERITY_extra7139="High"
+CHECK_ASFF_RESOURCE_TYPE_extra7139="AwsGuardDutyDetector"
+CHECK_ALTERNATE_check7138="extra7139"
+CHECK_SERVICENAME_extra7139="guardduty"
+CHECK_RISK_extra7139='If critical findings are not addressed threats can spread in the environment.'
+CHECK_REMEDIATION_extra7139='Review and remediate critical GuardDuty findings as quickly as possible.'
+CHECK_DOC_extra7139='https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html'
+CHECK_CAF_EPIC_extra7139='Incident Response'
+extra7139(){
+  
+  for regx in $REGIONS; do
+    DETECTORS_LIST=""
+    DETECTORS_LIST=$($AWSCLI guardduty list-detectors --query DetectorIds $PROFILE_OPT --region $regx --output text)
+    if [[ $DETECTORS_LIST ]];then
+      for DETECTOR in $DETECTORS_LIST;do
+        FINDINGS_COUNT=""
+        FINDINGS_COUNT=$($AWSCLI $PROFILE_OPT --region $regx --output text guardduty list-findings --detector-id $DETECTOR --finding-criteria '{"Criterion":{"severity": {"Eq":["8"]}}}' 2> /dev/null | wc -l | xargs) # Severity LOW=2, MED=4, HIGH=8
+          if [[ $FINDINGS_COUNT -gt 0 ]];then
+            textFail "$regx: GuardDuty has $FINDINGS_COUNT high severity findings." "$regx"
+          else
+            textPass "$regx: GuardDuty has no high severity findings." "$regx"
+          fi
+      done
+    else
+      textInfo "$regx: No GuardDuty detectors found." "$regx"
+    fi
+  done
+}
--- a/include/outputs
+++ b/include/outputs
@@ -20,6 +20,20 @@ EXTENSION_TEXT="txt"
 EXTENSION_HTML="html"
 OUTPUT_DATE=$(date -u +"%Y%m%d%H%M%S")
 OUTPUT_DIR="${PROWLER_DIR}/output" # default output if none 
+if [[ $OUTPUT_DIR_CUSTOM ]]; then
+  # output mode has to be set to other than text
+  if [[ ! " ${MODES[@]} " =~ " text " || ${check_id} == 7.1 || ${check_id} == 7.74  ]]; then
+    if [[ ! -d $OUTPUT_DIR_CUSTOM ]]; then
+      echo "$OPTRED ERROR!$OPTNORMAL directory \"$OUTPUT_DIR_CUSTOM\" does not exist."
+      exit 1
+    else
+      OUTPUT_DIR=$OUTPUT_DIR_CUSTOM
+    fi
+  else
+    echo "$OPTRED ERROR!$OPTNORMAL - Mode (-M) has to be set as well. Use -h for help."
+    exit 1
+  fi 
+fi
 OUTPUT_FILE_NAME="${OUTPUT_DIR}/prowler-output-${ACCOUNT_NUM}-${OUTPUT_DATE}"
 HTML_LOGO_URL="https://github.com/toniblyx/prowler/"
 HTML_LOGO_IMG="https://github.com/toniblyx/prowler/raw/2.4/util/html/prowler-logo-new.png"
--- a/include/outputs_bucket
+++ b/include/outputs_bucket
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2021) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+if [[ $OUTPUT_BUCKET ]]; then
+  # output mode has to be set to other than text
+  if [[ "${MODES[@]}" =~ "html" ]] || [[ "${MODES[@]}" =~ "csv" ]] || [[ "${MODES[@]}" =~ "json" ]] || [[ "${MODES[@]}" =~ "json-asff" ]]; then
+      OUTPUT_BUCKET_WITHOUT_FOLDERS=$(echo $OUTPUT_BUCKET | awk -F'/' '{ print $1 }')
+      OUTPUT_BUCKET_STATUS=$($AWSCLI s3api head-bucket --bucket "$OUTPUT_BUCKET" 2>&1 || true)
+      if [[ ! -z $OUTPUT_BUCKET_STATUS ]]; then 
+        echo "$OPTRED ERROR!$OPTNORMAL wrong bucket name or not right permissions."
+        exit 1
+      else 
+        # need to make sure last / is not set to avoid // in S3
+        if [[ $OUTPUT_BUCKET != *"/" ]]; then 
+          OUTPUT_BUCKET="$OUTPUT_BUCKET"
+        else
+          OUTPUT_BUCKET=${OUTPUT_BUCKET::-1}
+        fi 
+      fi
+  else
+    echo "$OPTRED ERROR!$OPTNORMAL - Mode (-M) has to be set as well. Use -h for help."
+    exit 1
+  fi 
+fi
+
+copyToS3(){
+  # Prowler will copy each format to its own folder in S3, that is for better handling 
+  # and processing by Quicksight or others.
+  if [[ $OUTPUT_BUCKET ]]; then
+    if [[ "${MODES[@]}" =~ "csv" ]]; then
+      $AWSCLI s3 cp $OUTPUT_DIR/prowler-output-${ACCOUNT_NUM}-${OUTPUT_DATE}.$EXTENSION_CSV s3://$OUTPUT_BUCKET/csv/
+    fi 
+    if [[ "${MODES[@]}" =~ "html" ]]; then
+      $AWSCLI s3 cp $OUTPUT_DIR/prowler-output-${ACCOUNT_NUM}-${OUTPUT_DATE}.$EXTENSION_HTML s3://$OUTPUT_BUCKET/html/
+    fi 
+    if [[ "${MODES[@]}" =~ "json" ]]; then
+      $AWSCLI s3 cp $OUTPUT_DIR/prowler-output-${ACCOUNT_NUM}-${OUTPUT_DATE}.$EXTENSION_JSON s3://$OUTPUT_BUCKET/json/
+    fi
+    if [[ "${MODES[@]}" =~ "json-asff" ]]; then
+      $AWSCLI s3 cp $OUTPUT_DIR/prowler-output-${ACCOUNT_NUM}-${OUTPUT_DATE}.$EXTENSION_ASFF s3://$OUTPUT_BUCKET/json-asff/
+    fi
+  fi
+}
--- a/include/whoami
+++ b/include/whoami
@@ -29,8 +29,9 @@ case "$REGION" in
  ;;
 esac

-GETCALLER=$($AWSCLI sts get-caller-identity $PROFILE_OPT --region $REGION_FOR_STS 2>&1)
-if [[ $(echo "$GETCALLER" | grep 'Unable') ]]; then
+GETCALLER=$($AWSCLI sts get-caller-identity $PROFILE_OPT --output json --region $REGION_FOR_STS 2>&1)
+ret=$?
+if [[ $ret -ne 0 ]]; then
  if [[ $PRINTCHECKSONLY || $PRINTGROUPSONLY ]]; then
    echo Listing... 
  else
--- a/22
+++ b/22
@@ -32,7 +32,7 @@ OPTRED="[1;31m"
 OPTNORMAL="[0;39m"

 # Set the defaults variables
-PROWLER_VERSION=2.4.0-07042021
+PROWLER_VERSION=2.5.0-15042021
 PROWLER_DIR=$(dirname "$0")

 REGION=""
@@ -100,13 +100,17 @@ USAGE:
      -w                  whitelist file. See whitelist_sample.txt for reference and format
                            (i.e.: whitelist_sample.txt)
      -N <shodan_api_key> Shoadan API key used by check extra7102.
+      -o                  Custom output directory, if not specified will use default prowler/output, requires -M <mode>
+                            (i.e.: -M csv -o /tmp/reports/)
+      -B                  Custom output bucket, requires -M <mode> and it can work also with -o flag.
+                            (i.e.: -M csv -B my-bucket or -M csv -B my-bucket/folder/)
      -V                  show version number & exit
      -h                  this help
  "
  exit
 }

-while getopts ":hlLkqp:r:c:g:f:m:M:E:x:enbVsSI:A:R:T:w:N:" OPTION; do
+while getopts ":hlLkqp:r:c:g:f:m:M:E:x:enbVsSI:A:R:T:w:N:o:B:" OPTION; do
   case $OPTION in
     h )
        usage
@@ -190,6 +194,12 @@ while getopts ":hlLkqp:r:c:g:f:m:M:E:x:enbVsSI:A:R:T:w:N:" OPTION; do
     N )
        SHODAN_API_KEY=$OPTARG
        ;;
+     o )
+        OUTPUT_DIR_CUSTOM=$OPTARG
+        ;;
+     B )
+        OUTPUT_BUCKET=$OPTARG
+        ;;
     : )
        echo ""
        echo "$OPTRED ERROR!$OPTNORMAL  -$OPTARG requires an argument"
@@ -243,6 +253,7 @@ unset AWS_DEFAULT_OUTPUT
 . $PROWLER_DIR/include/csv_header
 . $PROWLER_DIR/include/banner
 . $PROWLER_DIR/include/html_report
+. $PROWLER_DIR/include/outputs_bucket
 . $PROWLER_DIR/include/outputs
 . $PROWLER_DIR/include/credentials_report
 . $PROWLER_DIR/include/scoring
@@ -295,7 +306,8 @@ TOTAL_CHECKS=($(echo "${TOTAL_CHECKS[*]}" | tr ' ' '\n' | awk '!seen[$0]++' | so
 get_regions() {
  # Get list of regions based on include/whoami
  REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' --output text $PROFILE_OPT --region $REGION_FOR_STS --region-names $FILTERREGION 2>&1)
-  if [[ $(echo "$REGIONS" | grep 'AccessDenied\|UnauthorizedOperation') ]]; then
+  ret=$?
+  if [[ $ret -ne 0 ]]; then
    echo "$OPTRED Access Denied trying to describe regions! Review permissions as described here: https://github.com/toniblyx/prowler/#requirements-and-installation $OPTNORMAL"
    EXITCODE=1
    exit $EXITCODE
@@ -607,6 +619,7 @@ if [[ $GROUP_ID_READ ]];then
    fi
    cleanTemp
    scoring
+    copyToS3
    exit $EXITCODE
  else
    textFail "Use a valid check group ID i.e.: group1, extras, forensics-ready, etc."
@@ -634,6 +647,7 @@ if [[ $CHECK_ID ]];then
  if [[ "${MODES[@]}" =~ "html" ]]; then
    addHtmlFooter >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
  fi
+  copyToS3
  cleanTemp
  exit $EXITCODE
 fi
@@ -643,8 +657,10 @@ execute_all
 if [[ "${MODES[@]}" =~ "html" ]]; then
  addHtmlFooter >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
 fi
+
 scoring
 cleanTemp
+copyToS3

 if [[ $ACCOUNT_TO_ASSUME ]]; then
  # unset env variables with assumed role credentials