ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 23:05:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

Support whitelists per check

Browse Source
This commit is contained in:
Urjit Singh Bhatia
2020-03-10 18:54:32 -07:00
parent 530bacac5b
commit 56a4fd813c
3 changed files with 51 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
include/outputs
View File

@@ -104,15 +104,29 @@ textInfo(){
}
textFail(){
FAIL_COUNTER=$((FAIL_COUNTER+1))
EXITCODE=3
## ignore whitelists for current check
level="FAIL"
for i in $IGNORES; do
ignore_value="${i#*${CHECK_NAME}:}"
if [[ $1 =~ ${ignore_value} ]]; then
level="WARNING"
break
fi
done
# only set non-0 exit code on FAIL mode, WARN is ok
if [[ "$level" == "FAIL" ]]; then
FAIL_COUNTER=$((FAIL_COUNTER+1))
EXITCODE=3
fi
if [[ "$MODE" == "csv" ]]; then
if [[ $2 ]]; then
REPREGION=$2
else
REPREGION=$REGION
fi
echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}FAIL${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1"
echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}${level}${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1"
elif [[ "$MODE" == "json" ]]; then
if [[ $2 ]]; then
REPREGION=$2
@@ -128,7 +142,7 @@ textFail(){
--arg ITEM_LEVEL "$ITEM_LEVEL" \
--arg TITLE_ID "$TITLE_ID" \
--arg REPREGION "$REPREGION" \
--arg TIMESTAMP $(date -u +"%Y-%m-%dT%H:%M:%SZ") \
--arg TIMESTAMP "$(date -u +"%Y-%m-%dT%H:%M:%SZ")" \
-n '{
"Profile": $PROFILE,
"Account Number": $ACCOUNT_NUM,
@@ -142,7 +156,11 @@ textFail(){
"Timestamp": $TIMESTAMP,
}'
else
echo " $BAD FAIL! $1 $NORMAL"
if [[ "${level}" == "FAIL" ]]; then
echo " $BAD ${level}! $1 $NORMAL"
else
echo " $WARNING ${level}! $1 $NORMAL"
fi
fi
}

27
prowler
View File

@@ -47,6 +47,7 @@ EXITCODE=0
SCRIPT_START_TIME=$( date -u +"%Y-%m-%dT%H:%M:%S%z" )
TITLE_ID=""
TITLE_TEXT="CALLER ERROR - UNSET TITLE"
WHITELIST_FILE=""
# Command usage menu
usage(){
@@ -83,12 +84,19 @@ USAGE:
(i.e.: ProwlerRole)
-T session durantion given to that role credentials in seconds, default 1h (3600) recommended 12h, requires -R and -T
(i.e.: 43200)
-w whitelist file. (Lines starting with # are ignored as comments) Format:
# ignore these due to some reason
# check1 checks s3 buckets
<checkid1>:<resource to ignore 1>
<checkid1>:<resource to ignore 2>
# checkid2
<checkid2>:<resource to ignore 1>
-h this help
"
exit
}
while getopts ":hlLkqp:r:c:g:f:m:M:E:enbVsx:A:R:T:" OPTION; do
while getopts ":hlLkqp:r:c:g:f:m:M:E:enbVsx:A:R:T:w:" OPTION; do
case $OPTION in
h )
usage
@@ -160,6 +168,11 @@ while getopts ":hlLkqp:r:c:g:f:m:M:E:enbVsx:A:R:T:" OPTION; do
T )
SESSION_DURATION_TO_ASSUME=$OPTARG
;;
w )
WHITELIST_FILE=$OPTARG
echo ""
echo "$OPTNORMAL Using Whitelist file: $OPTARG"
;;
: )
echo ""
echo "$OPTRED ERROR!$OPTNORMAL -$OPTARG requires an argument"
@@ -202,6 +215,12 @@ REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' \
--region $REGION \
--region-names $FILTERREGION)
# Pre-process whitelist file if supplied
if [[ -n "$WHITELIST_FILE" ]]; then
# ignore lines starting with # (comments)
WHITELIST=$(awk '!/^[[:space:]]*#/{print }' <(cat "$WHITELIST_FILE"))
fi
# Load all of the groups of checks inside groups folder named as "groupNumber*"
for group in $(ls $PROWLER_DIR/groups/group[0-9]*|grep -v groupN_sample); do
. "$group"
@@ -266,8 +285,10 @@ execute_check() {
saveReport
fi
fi
show_check_title $1
$1
show_check_title "$1"
ignores=$(awk '/${1}/{print}' <(echo "${WHITELIST}"))
# set the custom ignores list for this check
IGNORES="${ignores}" $1
else
textFail "ERROR! Use a valid check name (i.e. check41 or extra71)";
exit $EXITCODE

4
whitelist_sample.txt Normal file
View File

@@ -0,0 +1,4 @@
# Each line is a (checkid:item) tuple
# Example: Will not consider a myignoredbucket failures as full failure. (Still printed as a warning)
check26:myignoredbucket