From 40117ed5dda6811050ffcfbd0b89707aa73e04b3 Mon Sep 17 00:00:00 2001
From: gabrielsoltz
Date: Thu, 6 Jun 2019 19:22:26 +0100
Subject: [PATCH 1/5] new ec2 age checks
---
 checks/check_extra757 | 41 +++++++++++++++++++++++++++++++++++++++++
 checks/check_extra758 | 41 +++++++++++++++++++++++++++++++++++++++++
 groups/group7_extras | 2 +-
 3 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 checks/check_extra757
 create mode 100644 checks/check_extra758
diff --git a/checks/check_extra757 b/checks/check_extra757
new file mode 100644
index 00000000..1ee03f34
--- /dev/null
+++ b/checks/check_extra757
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra757="7.57"
+CHECK_TITLE_extra757="[extra757] Check EC2 Instances older than 6 months (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra757="NOT_SCORED"
+CHECK_TYPE_extra757="EXTRA"
+CHECK_ALTERNATE_check757="extra757"
+
+extra757(){
+ OLDAGE="$(date -v -6m '+%Y-%m-%d')"
+ textInfo "Looking for EC2 instances in all regions..."
+ for regx in $REGIONS; do
+ textInfo "Looking for EC2 instances in region $regx"
+ INSTACES_OLD_THAN_AGE=$($AWSCLI --region $regx ec2 describe-instances --query "Reservations[].Instances[?LaunchTime<='$OLDAGE'][].{id: InstanceId, launched: LaunchTime}" --output text)
+ EC2_RUNNING="$($AWSCLI ec2 describe-instances --region $regx --query "Reservations[*].Instances[*].[InstanceId]" --output text)"
+ if [[ $EC2_RUNNING ]]; then
+ if [[ $INSTACES_OLD_THAN_AGE ]]; then
+ while IFS= read -r ec2_instace
+ do
+ EC2_ID=$(echo "$ec2_instace" | awk '{print $1}')
+ LAUNCH_DATE=$(echo "$ec2_instace" | awk '{print $2}')
+ textFail "$regx: EC2 Instance $EC2_ID running before than $OLDAGE"
+ done <<< "$INSTACES_OLD_THAN_AGE"
+ else
+ textPass "All Instances newer than 6 months"
+ fi
+ else
+ textInfo "No EC2 Instances Found"
+ fi
+ done
+}
diff --git a/checks/check_extra758 b/checks/check_extra758
new file mode 100644
index 00000000..129047a4
--- /dev/null
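Review bot: Neither `describe-instances` call in `extra757` has its exit status checked, so an access-denied or throttled call yields an empty string that is reported as `No EC2 Instances Found` (or, for the age query, as `All Instances newer than 6 months`) instead of as an error. For an audit check that is a fail-open result; ending each command substitution with `|| { textFail "$regx: describe-instances failed, region not evaluated"; continue; }` keeps a region that could not be read from showing as clean. The identical loop in `extra758` has the same gap.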
+++ b/checks/check_extra758
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra758="7.58"
+CHECK_TITLE_extra758="[extra758] Check EC2 Instances older than 12 months (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra758="NOT_SCORED"
+CHECK_TYPE_extra758="EXTRA"
+CHECK_ALTERNATE_check758="extra758"
+
+extra758(){
+ OLDAGE="$(date -v -12m '+%Y-%m-%d')"
+ textInfo "Looking for EC2 instances in all regions..."
+ for regx in $REGIONS; do
+ textInfo "Looking for EC2 instances in region $regx"
+ INSTACES_OLD_THAN_AGE=$($AWSCLI --region $regx ec2 describe-instances --query "Reservations[].Instances[?LaunchTime<='$OLDAGE'][].{id: InstanceId, launched: LaunchTime}" --output text)
+ EC2_RUNNING="$($AWSCLI ec2 describe-instances --region $regx --query "Reservations[*].Instances[*].[InstanceId]" --output text)"
+ if [[ $EC2_RUNNING ]]; then
+ if [[ $INSTACES_OLD_THAN_AGE ]]; then
+ while IFS= read -r ec2_instace
+ do
+ EC2_ID=$(echo "$ec2_instace" | awk '{print $1}')
+ LAUNCH_DATE=$(echo "$ec2_instace" | awk '{print $2}')
+ textFail "$regx: EC2 Instance $EC2_ID running before than $OLDAGE"
+ done <<< "$INSTACES_OLD_THAN_AGE"
+ else
+ textPass "All Instances newer than 12 months"
+ fi
+ else
+ textInfo "No EC2 Instances Found"
+ fi
+ done
+}
diff --git a/groups/group7_extras b/groups/group7_extras
index 4fb3cd43..6077c111 100644
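Review bot: `EC2_RUNNING` is filled from a `describe-instances` call with no state filter, so despite its name it also holds stopped and recently terminated instances, and the age query has the same gap; both calls in `extra758` (and in `extra757`) would match their intent with `--filters Name=instance-state-name,Values=running`, or the title should say that every instance state is covered. `LAUNCH_DATE` is assigned inside the loop but never used; putting it in the finding, e.g. `textFail "$regx: EC2 Instance $EC2_ID launched $LAUNCH_DATE, before $OLDAGE"`, would make the result actionable. As far as I know `LaunchTime` is reset when a stopped instance is started again, so a header comment should state that the check measures time since the last launch rather than the age of the image or its patch level.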
--- a/groups/group7_extras
+++ b/groups/group7_extras
@@ -15,4 +15,4 @@ GROUP_ID[7]='extras'
 GROUP_NUMBER[7]='7.0'
 GROUP_TITLE[7]='Extras - [extras] **********************************************'
 GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
-GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756'
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758'
From 085dd338f40f09708702f7ac87e6201866eb8a3d Mon Sep 17 00:00:00 2001
From: gabrielsoltz
Date: Thu, 6 Jun 2019 21:04:40 +0100
Subject: [PATCH 2/5] function os
---
 checks/check_extra757 | 4 ++--
 checks/check_extra758 | 2 +-
 include/os_detector | 6 ++++++
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/checks/check_extra757 b/checks/check_extra757
index 1ee03f34..7c5a5e95 100644
--- a/checks/check_extra757
+++ b/checks/check_extra757
@@ -17,13 +17,13 @@ CHECK_TYPE_extra757="EXTRA"
 CHECK_ALTERNATE_check757="extra757"

 extra757(){
- OLDAGE="$(date -v -6m '+%Y-%m-%d')"
+ OLDAGE="$(get_date_previous_than_months 6)"
 textInfo "Looking for EC2 instances in all regions..."
 for regx in $REGIONS; do
 textInfo "Looking for EC2 instances in region $regx"
- INSTACES_OLD_THAN_AGE=$($AWSCLI --region $regx ec2 describe-instances --query "Reservations[].Instances[?LaunchTime<='$OLDAGE'][].{id: InstanceId, launched: LaunchTime}" --output text)
 EC2_RUNNING="$($AWSCLI ec2 describe-instances --region $regx --query "Reservations[*].Instances[*].[InstanceId]" --output text)"
 if [[ $EC2_RUNNING ]]; then
+ INSTACES_OLD_THAN_AGE=$($AWSCLI --region $regx ec2 describe-instances --query "Reservations[].Instances[?LaunchTime<='$OLDAGE'][].{id: InstanceId, launched: LaunchTime}" --output text)
 if [[ $INSTACES_OLD_THAN_AGE ]]; then
 while IFS= read -r ec2_instace
 do
diff --git a/checks/check_extra758 b/checks/check_extra758
index 129047a4..0d1fee22 100644
--- a/checks/check_extra758
+++ b/checks/check_extra758
@@ -17,7 +17,7 @@ CHECK_TYPE_extra758="EXTRA"
 CHECK_ALTERNATE_check758="extra758"

 extra758(){
- OLDAGE="$(date -v -12m '+%Y-%m-%d')"
+ OLDAGE="$(get_date_previous_than_months 12)"
 textInfo "Looking for EC2 instances in all regions..."
 for regx in $REGIONS; do
 textInfo "Looking for EC2 instances in region $regx"
diff --git a/include/os_detector b/include/os_detector
index 1cbb368d..4acbec93 100644
--- a/include/os_detector
+++ b/include/os_detector
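Review bot: `OLDAGE` goes into the JMESPath filter without any check that `get_date_previous_than_months` printed a date; if the helper is not defined for the current `$OSTYPE` or `date` fails, the filter becomes `LaunchTime<=''`, which I would expect to match nothing, and the region ends in `textPass`. A guard right after the assignment, `[[ -n "$OLDAGE" ]] || { textFail "extra757: could not compute cutoff date"; return; }`, keeps the check from passing on a broken date computation. The `OLDAGE` line in the `extra758` hunk needs the same guard, and both function bodies continue outside their hunks.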
@@ -76,6 +76,12 @@ elif [[ "$OSTYPE" == "darwin"* ]]; then
 DAYS_TO=$((( $DATE_IN_DAYS - $TODAY_IN_DAYS )/60/60/24))
 echo $DAYS_TO
 }
+ get_date_previous_than_months()
+ {
+ MONTHS_TO_COMPARE=$1
+ DATE_BEFORE_MONTHS_TO_COMPARE=$(date -v -$(echo $MONTHS_TO_COMPARE)m '+%Y-%m-%d')
+ echo $DATE_BEFORE_MONTHS_TO_COMPARE
+ }
 elif [[ "$OSTYPE" == "cygwin" ]]; then
 # POSIX compatibility layer and Linux environment emulation for Windows
 TEMP_REPORT_FILE=$(mktemp -t -p /tmp prowler.cred_report-XXXXXX)
From 5037cb03f2194f1c87b06aaa15cb8247b512d0f4 Mon Sep 17 00:00:00 2001
From: gabrielsoltz
Date: Thu, 6 Jun 2019 21:07:57 +0100
Subject: [PATCH 3/5] improve code
---
 checks/check_extra758 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/checks/check_extra758 b/checks/check_extra758
index 0d1fee22..276928d0 100644
--- a/checks/check_extra758
+++ b/checks/check_extra758
@@ -21,9 +21,9 @@ extra758(){
 textInfo "Looking for EC2 instances in all regions..."
 for regx in $REGIONS; do
 textInfo "Looking for EC2 instances in region $regx"
- INSTACES_OLD_THAN_AGE=$($AWSCLI --region $regx ec2 describe-instances --query "Reservations[].Instances[?LaunchTime<='$OLDAGE'][].{id: InstanceId, launched: LaunchTime}" --output text)
 EC2_RUNNING="$($AWSCLI ec2 describe-instances --region $regx --query "Reservations[*].Instances[*].[InstanceId]" --output text)"
 if [[ $EC2_RUNNING ]]; then
+ INSTACES_OLD_THAN_AGE=$($AWSCLI --region $regx ec2 describe-instances --query "Reservations[].Instances[?LaunchTime<='$OLDAGE'][].{id: InstanceId, launched: LaunchTime}" --output text)
 if [[ $INSTACES_OLD_THAN_AGE ]]; then
 while IFS= read -r ec2_instace
 do
From c5f170307da4015c2f078c31b0f4c5789ee0b5cf Mon Sep 17 00:00:00 2001
From: gabrielsoltz
Date: Tue, 11 Jun 2019 12:08:48 +0200
Subject: [PATCH 4/5] add linux and cygwin get_date_previous_than_months function
---
 include/os_detector | 92 +++++++++++++++++++++++++--------------------
 1 file changed, 52 insertions(+), 40 deletions(-)
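Review bot: The Darwin `get_date_previous_than_months` assigns `MONTHS_TO_COMPARE` and `DATE_BEFORE_MONTHS_TO_COMPARE` as globals and builds the `date` argument through `$(echo $MONTHS_TO_COMPARE)`, a subshell that adds nothing. Declaring both with `local` and writing `date -v "-${MONTHS_TO_COMPARE}m" '+%Y-%m-%d'` does the same job without leaking names into every check that sources this file. The argument is also never validated; a guard such as `[[ $1 =~ ^[0-9]+$ ]] || return 1` would make a bad call fail visibly instead of printing an empty or wrong date. The Linux and cygwin variants added later in this series follow the same pattern.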
diff --git a/include/os_detector b/include/os_detector
index 4acbec93..22efbc78 100644
--- a/include/os_detector
+++ b/include/os_detector
@@ -39,24 +39,30 @@ if [ "$OSTYPE" == "linux-gnu" ] || [ "$OSTYPE" == "linux-musl" ]; then
 base64 -d
 }
 how_many_days_from_today()
- {
- DATE_TO_COMPARE=$1
- TODAY_IN_DAYS=$(date -d "$(date +%Y-%m-%d)" +%s)
- DATE_IN_DAYS=$(date -d $DATE_TO_COMPARE +%s)
- DAYS_TO=$((( $DATE_IN_DAYS - $TODAY_IN_DAYS )/60/60/24))
- echo $DAYS_TO
- }
+ {
+ DATE_TO_COMPARE=$1
+ TODAY_IN_DAYS=$(date -d "$(date +%Y-%m-%d)" +%s)
+ DATE_IN_DAYS=$(date -d $DATE_TO_COMPARE +%s)
+ DAYS_TO=$((( $DATE_IN_DAYS - $TODAY_IN_DAYS )/60/60/24))
+ echo $DAYS_TO
+ }
+ get_date_previous_than_months()
+ {
+ MONTHS_TO_COMPARE=$1
+ DATE_BEFORE_MONTHS_TO_COMPARE=$(date --date="$(echo $MONTHS_TO_COMPARE) months ago" '+%Y-%m-%d')
+ echo $DATE_BEFORE_MONTHS_TO_COMPARE
+ }
 elif [[ "$OSTYPE" == "darwin"* ]]; then
 # BSD/OSX commands compatibility
 TEMP_REPORT_FILE=$(mktemp -t prowler.cred_report-XXXXXX)
 how_older_from_today()
- {
- DATE_TO_COMPARE=$1
- TODAY_IN_DAYS=$(date +%s)
- DATE_FROM_IN_DAYS=$(date -jf %Y-%m-%d $DATE_TO_COMPARE +%s)
- DAYS_SINCE=$((($TODAY_IN_DAYS - $DATE_FROM_IN_DAYS )/60/60/24))
- echo $DAYS_SINCE
- }
+ {
+ DATE_TO_COMPARE=$1
+ TODAY_IN_DAYS=$(date +%s)
+ DATE_FROM_IN_DAYS=$(date -jf %Y-%m-%d $DATE_TO_COMPARE +%s)
+ DAYS_SINCE=$((($TODAY_IN_DAYS - $DATE_FROM_IN_DAYS )/60/60/24))
+ echo $DAYS_SINCE
+ }
 timestamp_to_date()
 {
 # remove fractions of a second
@@ -69,30 +75,30 @@ elif [[ "$OSTYPE" == "darwin"* ]]; then
 base64 -D
 }
 how_many_days_from_today()
- {
- DATE_TO_COMPARE=$1
- TODAY_IN_DAYS=$(date +%s)
- DATE_IN_DAYS=$(date -jf %Y-%m-%d $DATE_TO_COMPARE +%s)
- DAYS_TO=$((( $DATE_IN_DAYS - $TODAY_IN_DAYS )/60/60/24))
- echo $DAYS_TO
- }
+ {
+ DATE_TO_COMPARE=$1
+ TODAY_IN_DAYS=$(date +%s)
+ DATE_IN_DAYS=$(date -jf %Y-%m-%d $DATE_TO_COMPARE +%s)
+ DAYS_TO=$((( $DATE_IN_DAYS - $TODAY_IN_DAYS )/60/60/24))
+ echo $DAYS_TO
+ }
 get_date_previous_than_months()
- {
- MONTHS_TO_COMPARE=$1
- DATE_BEFORE_MONTHS_TO_COMPARE=$(date -v -$(echo $MONTHS_TO_COMPARE)m '+%Y-%m-%d')
- echo $DATE_BEFORE_MONTHS_TO_COMPARE
- }
+ {
+ MONTHS_TO_COMPARE=$1
+ DATE_BEFORE_MONTHS_TO_COMPARE=$(date -v -$(echo $MONTHS_TO_COMPARE)m '+%Y-%m-%d')
+ echo $DATE_BEFORE_MONTHS_TO_COMPARE
+ }
 elif [[ "$OSTYPE" == "cygwin" ]]; then
 # POSIX compatibility layer and Linux environment emulation for Windows
 TEMP_REPORT_FILE=$(mktemp -t -p /tmp prowler.cred_report-XXXXXX)
 how_older_from_today()
- {
- DATE_TO_COMPARE=$1
- TODAY_IN_DAYS=$(date -d "$(date +%Y-%m-%d)" +%s)
- DATE_FROM_IN_DAYS=$(date -d $DATE_TO_COMPARE +%s)
- DAYS_SINCE=$((($TODAY_IN_DAYS - $DATE_FROM_IN_DAYS )/60/60/24))
- echo $DAYS_SINCE
- }
+ {
+ DATE_TO_COMPARE=$1
+ TODAY_IN_DAYS=$(date -d "$(date +%Y-%m-%d)" +%s)
+ DATE_FROM_IN_DAYS=$(date -d $DATE_TO_COMPARE +%s)
+ DAYS_SINCE=$((($TODAY_IN_DAYS - $DATE_FROM_IN_DAYS )/60/60/24))
+ echo $DAYS_SINCE
+ }
 timestamp_to_date()
 {
 # remove fractions of a second
@@ -105,13 +111,19 @@ elif [[ "$OSTYPE" == "cygwin" ]]; then
 base64 -d
 }
 how_many_days_from_today()
- {
- DATE_TO_COMPARE=$1
- TODAY_IN_DAYS=$(date -d "$(date +%Y-%m-%d)" +%s)
- DATE_IN_DAYS=$(date -d $DATE_TO_COMPARE +%s)
- DAYS_TO=$((( $TODAY_IN_DAYS - $DATE_IN_DAYS )/60/60/24))
- echo $DAYS_TO
- }
+ {
+ DATE_TO_COMPARE=$1
+ TODAY_IN_DAYS=$(date -d "$(date +%Y-%m-%d)" +%s)
+ DATE_IN_DAYS=$(date -d $DATE_TO_COMPARE +%s)
+ DAYS_TO=$((( $TODAY_IN_DAYS - $DATE_IN_DAYS )/60/60/24))
+ echo $DAYS_TO
+ }
+ get_date_previous_than_months()
+ {
+ MONTHS_TO_COMPARE=$1
+ DATE_BEFORE_MONTHS_TO_COMPARE=$(date --date="$(echo $MONTHS_TO_COMPARE) months ago" '+%Y-%m-%d')
+ echo $DATE_BEFORE_MONTHS_TO_COMPARE
+ }
 else
 echo "Unknown Operating System! Valid \$OSTYPE: linux-gnu, linux-musl, darwin* or cygwin"
 echo "Found: $OSTYPE"
From b1e7dc85190e884ef99109f5b8362a1765196c91 Mon Sep 17 00:00:00 2001
From: gabrielsoltz
Date: Tue, 11 Jun 2019 17:09:28 +0200
Subject: [PATCH 5/5] get_date_previous_than_months compatible busybox
---
 include/os_detector | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/include/os_detector b/include/os_detector
index 22efbc78..2394c521 100644
--- a/include/os_detector
+++ b/include/os_detector
@@ -49,7 +49,10 @@ if [ "$OSTYPE" == "linux-gnu" ] || [ "$OSTYPE" == "linux-musl" ]; then
 get_date_previous_than_months()
 {
 MONTHS_TO_COMPARE=$1
- DATE_BEFORE_MONTHS_TO_COMPARE=$(date --date="$(echo $MONTHS_TO_COMPARE) months ago" '+%Y-%m-%d')
+ MONTHS_TO_COMPARE_IN_SECONDS=$(( 60 * 60 * 24 * 31 * $MONTHS_TO_COMPARE ))
+ CURRENTSECS=`date +%s`
+ STARTDATEINSECS=$(( $CURRENTSECS - $MONTHS_TO_COMPARE_IN_SECONDS ))
+ DATE_BEFORE_MONTHS_TO_COMPARE=$(date -d @$STARTDATEINSECS '+%Y-%m-%d')
 echo $DATE_BEFORE_MONTHS_TO_COMPARE
 }
 elif [[ "$OSTYPE" == "darwin"* ]]; then
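Review bot: In the cygwin branch `how_many_days_from_today` computes `$TODAY_IN_DAYS - $DATE_IN_DAYS`, while the Linux and Darwin versions in this same patch compute `$DATE_IN_DAYS - $TODAY_IN_DAYS`, so the cygwin result carries the opposite sign. The line is only re-indented here, but since the function is being touched it looks worth aligning with the other two: `DAYS_TO=$((( $DATE_IN_DAYS - $TODAY_IN_DAYS )/60/60/24))`. The callers are not visible on this page, so confirm which sign they expect before changing it.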
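Review bot: Treating a month as 31 days moves the cutoff too far back: for 12 months the Linux helper subtracts 372 days, so an instance launched roughly 366 to 371 days ago is not reported by the 12-month check. If exact month arithmetic is not available on busybox, a comment should state the approximation, and a 30-day month would err toward flagging rather than toward passing. `CURRENTSECS` is read with backticks where the rest of the file uses `$(...)`; `CURRENTSECS=$(date +%s)` is the consistent form. The cygwin hunk of this commit has the same arithmetic.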
@@ -121,7 +124,10 @@ elif [[ "$OSTYPE" == "cygwin" ]]; then
 get_date_previous_than_months()
 {
 MONTHS_TO_COMPARE=$1
- DATE_BEFORE_MONTHS_TO_COMPARE=$(date --date="$(echo $MONTHS_TO_COMPARE) months ago" '+%Y-%m-%d')
+ MONTHS_TO_COMPARE_IN_SECONDS=$(( 60 * 60 * 24 * 31 * $MONTHS_TO_COMPARE ))
+ CURRENTSECS=`date +%s`
+ STARTDATEINSECS=$(( $CURRENTSECS - $MONTHS_TO_COMPARE_IN_SECONDS ))
+ DATE_BEFORE_MONTHS_TO_COMPARE=$(date -d @$STARTDATEINSECS '+%Y-%m-%d')
 echo $DATE_BEFORE_MONTHS_TO_COMPARE
 }
 else