mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 06:45:08 +00:00
updated README and usage
This commit is contained in:
Toni de la Fuente
40
README.md
40
README.md
@@ -125,22 +125,26 @@ xargs -n 1 -L 1 -I @ -r -P 4 ./prowler -p @ -M csv 2> /dev/null >> all-account
|
||||
./prowler -h
|
||||
|
||||
USAGE:
|
||||
prowler -p <profile> -r <region> [ -h ]
|
||||
prowler [ -p <profile> -r <region> -h ]
|
||||
|
||||
Options:
|
||||
-p <profile> specify your AWS profile to use (i.e.: default)
|
||||
-r <region> specify an AWS region to direct API requests to
|
||||
(i.e.: us-east-1), all regions are checked anyway
|
||||
-c <check_id> specify a check number or group from the AWS CIS benchmark
|
||||
(i.e.: "check11" for check 1.1, "check3" for entire section 3, "level1" for CIS Level 1 Profile Definitions or "forensics-ready")
|
||||
(i.e.: us-east-1), all regions are checked anyway if the check requires it
|
||||
-c <check_id> specify a check id, to see all available checks use -l option
|
||||
(i.e.: check11 for check 1.1 or extra71 for extra check 71)
|
||||
-g <group_id> specify a group of checks by id, to see all available group of checks use -l
|
||||
(i.e.: check3 for entire section 3, level1 for CIS Level 1 Profile Definitions or forensics-ready)
|
||||
-f <filterregion> specify an AWS region to run checks against
|
||||
(i.e.: us-west-1)
|
||||
-m <maxitems> specify the maximum number of items to return for long-running requests (default: 100)
|
||||
-M <mode> output mode: text (defalut), mono, csv (separator is ","; data is on stdout; progress on stderr)
|
||||
-M <mode> output mode: text (default), mono, csv (separator is ,; data is on stdout; progress on stderr)
|
||||
-k keep the credential report
|
||||
-n show check numbers to sort easier
|
||||
(i.e.: 1.01 instead of 1.1)
|
||||
-l list all available checks only (does not perform any check)
|
||||
-e exclude extras
|
||||
-e exclude group extras
|
||||
-b do not print Prowler banner
|
||||
-h this help
|
||||
|
||||
```
|
||||
@@ -330,7 +334,7 @@ We are adding additional checks to improve the information gather from each acco
|
||||
|
||||
Note: Some of these checks for publicly facing resources may not actually be fully public due to other layered controls like S3 Bucket Policies, Security Groups or Network ACLs.
|
||||
|
||||
At this moment we have 22 extra checks:
|
||||
At this moment we have 23 extra checks:
|
||||
|
||||
- 7.1 (`extra71`) Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)
|
||||
- 7.2 (`extra72`) Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)
|
||||
@@ -354,6 +358,7 @@ At this moment we have 22 extra checks:
|
||||
- 7.20 (`extra720`) Check if Lambda functions are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)
|
||||
- 7.21 (`extra721`) Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)
|
||||
- 7.22 (`extra722`) Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)
|
||||
- 7.23 (`extra723`) Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)
|
||||
|
||||
|
||||
To check all extras in one command:
|
||||
@@ -394,14 +399,21 @@ The `forensics-ready` group of checks uses existing and extra checks. To get a f
|
||||
|
||||
## Add Custom Checks
|
||||
|
||||
In order to add any new check feel free to create a new extra check in the extras section. To do so, you will need to follow these steps:
|
||||
In order to add any new check feel free to create a new extra check in the extras group or other group. To do so, you will need to follow these steps:
|
||||
|
||||
1. use any existing extra check as reference
|
||||
2. add `ID7N` and `TITLE7N`, where N is a new check number part of the extras section (7) around line 361 `# List of checks IDs and Titles`
|
||||
3. add your new extra check function name at `callCheck` function (around line 1817) and below in that case inside extras option (around line 1853)
|
||||
4. finally add it in `# List only check tittles` around line 1930
|
||||
5. save changes and run it as ./prowler -c extraNN
|
||||
6. send me a pull request! :)
|
||||
1. Follow structure in file `checks/check_sample`
|
||||
2. Name your check with a number part of an existing group or a new one
|
||||
3. Save changes and run it as ./prowler -c extraNN`
|
||||
4. Send me a pull request! :)
|
||||
|
||||
## Add Custom Groups
|
||||
|
||||
1. Follow structure in file `groups/groupN_sample`
|
||||
2. Name your group with a non existing number
|
||||
3. Save changes and run it as `./prowler -g extraNN`
|
||||
4. Send me a pull request! :)
|
||||
|
||||
* You can also create a group with only the checks that you want to perform in your company, for instance a group named `group9_mycompany` with only the list of checks that you care or your particular compliance applies.
|
||||
|
||||
## Third Party Integrations
|
||||
|
||||
|
||||
@@ -6,41 +6,45 @@ CHECK_ALTERNATE_check73="extra73"
|
||||
CHECK_ALTERNATE_check703="extra73"
|
||||
|
||||
extra73(){
|
||||
# "Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)"
|
||||
textNotice "Looking for open S3 Buckets (ACLs and Policies) in all regions... "
|
||||
ALL_BUCKETS_LIST=$($AWSCLI s3api list-buckets --query 'Buckets[*].{Name:Name}' $PROFILE_OPT --region $REGION --output text)
|
||||
ALL_BUCKETS_LIST=$($AWSCLI s3api list-buckets --query 'Buckets[*].{Name:Name}' --profile $PROFILE --region $REGION --output text)
|
||||
for bucket in $ALL_BUCKETS_LIST; do
|
||||
BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location --bucket $bucket $PROFILE_OPT --region $REGION --output text)
|
||||
if [[ "None" == $BUCKET_LOCATION ]]; then
|
||||
BUCKET_LOCATION="us-east-1"
|
||||
fi
|
||||
if [[ "EU" == $BUCKET_LOCATION ]]; then
|
||||
BUCKET_LOCATION="eu-west-1"
|
||||
fi
|
||||
# check if AllUsers is in the ACL as Grantee
|
||||
CHECK_BUCKET_ALLUSERS_ACL=$($AWSCLI s3api get-bucket-acl $PROFILE_OPT --region $BUCKET_LOCATION --bucket $bucket --query "Grants[?Grantee.URI == 'http://acs.amazonaws.com/groups/global/AllUsers']" --output text |grep -v GRANTEE)
|
||||
CHECK_BUCKET_ALLUSERS_ACL_SINGLE_LINE=$(echo -ne $CHECK_BUCKET_ALLUSERS_ACL)
|
||||
# check if AuthenticatedUsers is in the ACL as Grantee, they will have access with sigened URL only
|
||||
CHECK_BUCKET_AUTHUSERS_ACL=$($AWSCLI s3api get-bucket-acl $PROFILE_OPT --region $BUCKET_LOCATION --bucket $bucket --query "Grants[?Grantee.URI == 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers']" --output text |grep -v GRANTEE)
|
||||
CHECK_BUCKET_AUTHUSERS_ACL_SINGLE_LINE=$(echo -ne $CHECK_BUCKET_AUTHUSERS_ACL)
|
||||
# to prevent error NoSuchBucketPolicy first clean the output controlling stderr
|
||||
TEMP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-${bucket}.policy.XXXXXXXXXX)
|
||||
$AWSCLI s3api get-bucket-policy $PROFILE_OPT --region $BUCKET_LOCATION --bucket $bucket --output text --query Policy > $TEMP_POLICY_FILE 2> /dev/null
|
||||
# check if the S3 policy has Principal as *
|
||||
CHECK_BUCKET_ALLUSERS_POLICY=$(cat $TEMP_POLICY_FILE | sed -e 's/[{}]/''/g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}'|awk '/Principal/ && !skip { print } { skip = /Deny/} '|grep ^\"Principal|grep \*)
|
||||
if [[ $CHECK_BUCKET_ALLUSERS_ACL || $CHECK_BUCKET_AUTHUSERS_ACL || $CHECK_BUCKET_ALLUSERS_POLICY ]];then
|
||||
if [[ $CHECK_BUCKET_ALLUSERS_ACL ]];then
|
||||
textWarn "$BUCKET_LOCATION: $bucket bucket is open to the Internet (Everyone) with permissions: $CHECK_BUCKET_ALLUSERS_ACL_SINGLE_LINE" "$regx"
|
||||
fi
|
||||
if [[ $CHECK_BUCKET_AUTHUSERS_ACL ]];then
|
||||
textWarn "$BUCKET_LOCATION: $bucket bucket is open to Authenticated users (Any AWS user) with permissions: $CHECK_BUCKET_AUTHUSERS_ACL_SINGLE_LINE" "$regx"
|
||||
fi
|
||||
if [[ $CHECK_BUCKET_ALLUSERS_POLICY ]];then
|
||||
textWarn "$BUCKET_LOCATION: $bucket bucket policy \"may\" allow Anonymous users to perform actions (Principal: \"*\")" "$regx"
|
||||
fi
|
||||
else
|
||||
textOK "$BUCKET_LOCATION: $bucket bucket is not open" "$regx"
|
||||
fi
|
||||
rm -fr $TEMP_POLICY_FILE
|
||||
extra73Thread $bucket &
|
||||
done
|
||||
wait
|
||||
}
|
||||
extra73Thread(){
|
||||
bucket=$1
|
||||
BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location --bucket $bucket --profile $PROFILE --region $REGION --output text)
|
||||
if [[ "None" == $BUCKET_LOCATION ]]; then
|
||||
BUCKET_LOCATION="us-east-1"
|
||||
fi
|
||||
if [[ "EU" == $BUCKET_LOCATION ]]; then
|
||||
BUCKET_LOCATION="eu-west-1"
|
||||
fi
|
||||
# check if AllUsers is in the ACL as Grantee
|
||||
CHECK_BUCKET_ALLUSERS_ACL=$($AWSCLI s3api get-bucket-acl --profile $PROFILE --region $BUCKET_LOCATION --bucket $bucket --query "Grants[?Grantee.URI == 'http://acs.amazonaws.com/groups/global/AllUsers']" --output text |grep -v GRANTEE)
|
||||
CHECK_BUCKET_ALLUSERS_ACL_SINGLE_LINE=$(echo -ne $CHECK_BUCKET_ALLUSERS_ACL)
|
||||
# check if AuthenticatedUsers is in the ACL as Grantee, they will have access with sigened URL only
|
||||
CHECK_BUCKET_AUTHUSERS_ACL=$($AWSCLI s3api get-bucket-acl --profile $PROFILE --region $BUCKET_LOCATION --bucket $bucket --query "Grants[?Grantee.URI == 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers']" --output text |grep -v GRANTEE)
|
||||
CHECK_BUCKET_AUTHUSERS_ACL_SINGLE_LINE=$(echo -ne $CHECK_BUCKET_AUTHUSERS_ACL)
|
||||
# to prevent error NoSuchBucketPolicy first clean the output controlling stderr
|
||||
TEMP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-${bucket}.policy.XXXXXXXXXX)
|
||||
$AWSCLI s3api get-bucket-policy --profile $PROFILE --region $BUCKET_LOCATION --bucket $bucket --output text --query Policy > $TEMP_POLICY_FILE 2> /dev/null
|
||||
# check if the S3 policy has Principal as *
|
||||
CHECK_BUCKET_ALLUSERS_POLICY=$(cat $TEMP_POLICY_FILE | sed -e 's/[{}]/''/g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}'|awk '/Principal/ && !skip { print } { skip = /Deny/} '|grep ^\"Principal|grep \*)
|
||||
if [[ $CHECK_BUCKET_ALLUSERS_ACL || $CHECK_BUCKET_AUTHUSERS_ACL || $CHECK_BUCKET_ALLUSERS_POLICY ]];then
|
||||
if [[ $CHECK_BUCKET_ALLUSERS_ACL ]];then
|
||||
textWarn "$BUCKET_LOCATION: $bucket bucket is open to the Internet (Everyone) with permissions: $CHECK_BUCKET_ALLUSERS_ACL_SINGLE_LINE" "$regx"
|
||||
fi
|
||||
if [[ $CHECK_BUCKET_AUTHUSERS_ACL ]];then
|
||||
textWarn "$BUCKET_LOCATION: $bucket bucket is open to Authenticated users (Any AWS user) with permissions: $CHECK_BUCKET_AUTHUSERS_ACL_SINGLE_LINE" "$regx"
|
||||
fi
|
||||
if [[ $CHECK_BUCKET_ALLUSERS_POLICY ]];then
|
||||
textWarn "$BUCKET_LOCATION: $bucket bucket policy \"may\" allow Anonymous users to perform actions (Principal: \"*\")" "$regx"
|
||||
fi
|
||||
else
|
||||
textOK "$BUCKET_LOCATION: $bucket bucket is not open" "$regx"
|
||||
fi
|
||||
rm -fr $TEMP_POLICY_FILE
|
||||
}
|
||||
|
||||
4
prowler
4
prowler
@@ -54,12 +54,12 @@ USAGE:
|
||||
-f <filterregion> specify an AWS region to run checks against
|
||||
(i.e.: us-west-1)
|
||||
-m <maxitems> specify the maximum number of items to return for long-running requests (default: 100)
|
||||
-M <mode> output mode: text (defalut), mono, csv (separator is ","; data is on stdout; progress on stderr)
|
||||
-M <mode> output mode: text (default), mono, csv (separator is ","; data is on stdout; progress on stderr)
|
||||
-k keep the credential report
|
||||
-n show check numbers to sort easier
|
||||
(i.e.: 1.01 instead of 1.1)
|
||||
-l list all available checks only (does not perform any check)
|
||||
-e exclude extras
|
||||
-e exclude group extras
|
||||
-b do not print Prowler banner
|
||||
-h this help
|
||||
"
|
||||
|
||||
Reference in New Issue
Block a user