mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 23:05:05 +00:00
renaming extra checkId, change in text message format, adding more metadata variables, lowercase servicename, adding checks in extras group
This commit is contained in:
Patel
@@ -10,37 +10,40 @@
|
||||
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
||||
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations under the License.
|
||||
CHECK_ID_extra91="9.1"
|
||||
CHECK_TITLE_extra91="[extra91] Check if S3 glacier vaults have policies which allow access to everyone (Not Scored) (Not part of CIS benchmark) (Custom Check)"
|
||||
CHECK_SCORED_extra91="NOT_SCORED"
|
||||
CHECK_TYPE_extra91="EXTRA"
|
||||
CHECK_SEVERITY_extra91="Critical"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra91="AwsS3Glacier"
|
||||
CHECK_ALTERNATE_check91="extra91"
|
||||
CHECK_SERVICENAME_extra91="s3Glacier"
|
||||
CHECK_ID_extra7142="7.142"
|
||||
CHECK_TITLE_extra7142="[extra7142] Check if S3 glacier vaults have policies which allow access to everyone (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra7142="NOT_SCORED"
|
||||
CHECK_TYPE_extra7142="EXTRA"
|
||||
CHECK_SEVERITY_extra7142="Critical"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7142="AwsS3Glacier"
|
||||
CHECK_ALTERNATE_check7142="extra7142"
|
||||
CHECK_SERVICENAME_extra7142="s3glacier"
|
||||
CHECK_RISK_extra7142='Vaults accessible to everyone could expose sensible data to bad actors'
|
||||
CHECK_REMEDIATION_extra7142='Ensure vault policy does not have principle as *'
|
||||
CHECK_DOC_extra7142='https://docs.aws.amazon.com/amazonglacier/latest/dev/access-control-overview.html'
|
||||
CHECK_CAF_EPIC_extra7142='Data Protection'
|
||||
|
||||
# If an s3 glacier vault has a policy principle as *, we consider it public accessible resource.
|
||||
|
||||
extra91(){
|
||||
extra7142(){
|
||||
# "Check if S3 glacier vaults have policies which allow access to everyone (Not Scored) (Not part of CIS benchmark)"
|
||||
for region in $REGIONS; do
|
||||
LIST_OF_VAULTS=$($AWSCLI glacier list-vaults $PROFILE_OPT --region $region --account-id $ACCOUNT_NUM --query VaultList[*].VaultName --output text|xargs -n1)
|
||||
if [[ $LIST_OF_VAULTS ]]; then
|
||||
for vault in $LIST_OF_VAULTS;do
|
||||
VAULT_POLICY_STATEMENTS=$($AWSCLI glacier $PROFILE_OPT get-vault-access-policy --region $region --account-id $ACCOUNT_NUM --vault-name $vault --output json --query policy.Policy 2>&1)
|
||||
if [[ $VAULT_POLICY_STATEMENTS == *GetVaultAccessPolicy* ]]; then
|
||||
textInfo "Vault policy does not exist for vault $vault"
|
||||
textInfo "$region: Vault: $vault doesn't have any policy" "$region" "$vault"
|
||||
else
|
||||
VAULT_POLICY_BAD_STATEMENTS=$(echo $VAULT_POLICY_STATEMENTS | jq '. | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")')
|
||||
if [[ $VAULT_POLICY_BAD_STATEMENTS != "" ]]; then
|
||||
textFail "$region : Vault $vault allows public access with policy as: $VAULT_POLICY_BAD_STATEMENTS"
|
||||
textFail "$region : Vault: $vault has policy which allows access to everyone" "$region" "$vault"
|
||||
else
|
||||
textPass "$region :Vault $vault has vault policy which does not allow public access"
|
||||
textPass "$region: Vault: $vault has policy which does not allow access to everyone" "$region" "$vault"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
else
|
||||
textInfo "No glacier vaults found in $region region"
|
||||
textInfo "$region: No glacier vaults found" "$region"
|
||||
fi
|
||||
done
|
||||
}
|
||||
@@ -10,39 +10,40 @@
|
||||
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
||||
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations under the License.
|
||||
CHECK_ID_extra92="9.2"
|
||||
CHECK_TITLE_extra92="[extra92] Check if EFS have policies which allow access to everyone (Not Scored) (Not part of CIS benchmark) (Custom Check)"
|
||||
CHECK_SCORED_extra92="NOT_SCORED"
|
||||
CHECK_TYPE_extra92="EXTRA"
|
||||
CHECK_SEVERITY_extra92="Critical"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra92="AwsEFS"
|
||||
CHECK_ALTERNATE_check92="extra92"
|
||||
CHECK_SERVICENAME_extra92="EFS"
|
||||
CHECK_ID_extra7143="7.143"
|
||||
CHECK_TITLE_extra7143="[extra7143] Check if EFS have policies which allow access to everyone (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra7143="NOT_SCORED"
|
||||
CHECK_TYPE_extra7143="EXTRA"
|
||||
CHECK_SEVERITY_extra7143="Critical"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7143="AwsEFS"
|
||||
CHECK_ALTERNATE_check7143="extra7143"
|
||||
CHECK_SERVICENAME_extra7143="efs"
|
||||
CHECK_RISK_extra7143='EFS accessible to everyone could expose sensible data to bad actors'
|
||||
CHECK_REMEDIATION_extra7143='Ensure efs has some policy but it does not have principle as *'
|
||||
CHECK_DOC_extra7143='https://docs.aws.amazon.com/efs/latest/ug/access-control-block-public-access.html'
|
||||
CHECK_CAF_EPIC_extra7143='Data Protection'
|
||||
|
||||
# If an EFS has a policy principle as *, we consider it as public accessible even though client connects through a
|
||||
# vpc peering or transit gateway. Also if EFS has a default policy(no user defined policy), it's also a security risk,
|
||||
# as default policy grants full access to any client that can connect to the file system using a file system mount target.
|
||||
|
||||
extra92(){
|
||||
extra7143(){
|
||||
# "Check if EFS have policies which allow access to everyone (Not Scored) (Not part of CIS benchmark)"
|
||||
for region in $REGIONS; do
|
||||
LIST_OF_EFS_IDS=$($AWSCLI efs describe-file-systems $PROFILE_OPT --region $region --query FileSystems[*].FileSystemId --output text|xargs -n1)
|
||||
if [[ $LIST_OF_EFS_IDS ]]; then
|
||||
for efsId in $LIST_OF_EFS_IDS;do
|
||||
EFS_POLICY_STATEMENTS=$($AWSCLI efs $PROFILE_OPT describe-file-system-policy --region $region --file-system-id $efsId --output json --query Policy 2>&1)
|
||||
if [[ $EFS_POLICY_STATEMENTS == *PolicyNotFound* ]]; then
|
||||
textFail "$region : EFS $efsId doesn't have any policy which means it grants full access to any client"
|
||||
textFail "$region: EFS: $efsId doesn't have any policy which means it grants full access to any client" "$region" "$efsId"
|
||||
else
|
||||
EFS_POLICY_BAD_STATEMENTS=$(echo $EFS_POLICY_STATEMENTS | jq '. | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")')
|
||||
if [[ $EFS_POLICY_BAD_STATEMENTS != "" ]]; then
|
||||
textFail "$region : EFS $efsId allows public access with policy as: $EFS_POLICY_BAD_STATEMENTS"
|
||||
textFail "$region: EFS: $efsId has policy which allows access to everyone" "$region" "$efsId"
|
||||
else
|
||||
textPass "$region : EFS $efsId has file system policy which does not allow public access"
|
||||
textPass "$region: EFS: $efsId has policy which does not allow access to everyone" "$region" "$efsId"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
else
|
||||
textInfo "No EFS found in $region region"
|
||||
textInfo "$region: No EFS found" "$region"
|
||||
fi
|
||||
done
|
||||
}
|
||||
@@ -10,25 +10,25 @@
|
||||
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
||||
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations under the License.
|
||||
CHECK_ID_extra7144="7.144"
|
||||
CHECK_TITLE_extra7144="[extra7144] Check if aws cloudwatch has allowed sharing with other accounts (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra7144="NOT_SCORED"
|
||||
CHECK_TYPE_extra7144="EXTRA"
|
||||
CHECK_SEVERITY_extra7144="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7144="AwsCloudWatch"
|
||||
CHECK_ALTERNATE_check7144="extra7144"
|
||||
CHECK_SERVICENAME_extra7144="cloudwatch"
|
||||
CHECK_RISK_extra7144=''
|
||||
CHECK_REMEDIATION_extra7144=''
|
||||
CHECK_DOC_extra7144='https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Cross-Account-Cross-Region.html'
|
||||
CHECK_CAF_EPIC_extra7144=''
|
||||
|
||||
CHECK_ID_extra93="9.3"
|
||||
CHECK_TITLE_extra93="[extra93] Check if aws cloudwatch has allowed sharing with other accounts (Not Scored) (Not part of CIS benchmark) (Custom Check)"
|
||||
CHECK_SCORED_extra93="NOT_SCORED"
|
||||
CHECK_TYPE_extra93="EXTRA"
|
||||
CHECK_SEVERITY_extra93="Critical"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra93="AwsCloudWatch"
|
||||
CHECK_ALTERNATE_check93="extra93"
|
||||
CHECK_SERVICENAME_extra93="CloudWatch"
|
||||
|
||||
# When CloudWatch allows cross account sharing, a role with name CloudWatch-CrossAccountSharingRole
|
||||
# get's created by aws itself. So we are validating role name existance for checking the cloudwatch security.
|
||||
|
||||
extra93(){
|
||||
|
||||
extra7144(){
|
||||
# "Check if aws cloudwatch has allowed sharing with other accounts (Not Scored) (Not part of CIS benchmark)"
|
||||
CLOUDWATCH_CROSS_ACCOUNT_ROLE=$($AWSCLI iam get-role $PROFILE_OPT --role-name=CloudWatch-CrossAccountSharingRole --output json --query Role 2>&1)
|
||||
if [[ $CLOUDWATCH_CROSS_ACCOUNT_ROLE != *NoSuchEntity* ]]; then
|
||||
CLOUDWATCH_POLICY_BAD_STATEMENTS=$(echo $CLOUDWATCH_CROSS_ACCOUNT_ROLE | jq '.AssumeRolePolicyDocument')
|
||||
textFail "Cloudwatch has allowed cross account sharing with policy as $CLOUDWATCH_POLICY_BAD_STATEMENTS"
|
||||
textInfo "Cloudwatch has allowed cross account sharing"
|
||||
else
|
||||
textPass "CloudWatch doesn't allows cross account sharing"
|
||||
fi
|
||||
@@ -10,39 +10,40 @@
|
||||
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
||||
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations under the License.
|
||||
CHECK_ID_extra7145="7.145"
|
||||
CHECK_TITLE_extra7145="[extra7145] Check if lambda functions have policies which allow access to every aws account (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra7145="NOT_SCORED"
|
||||
CHECK_TYPE_extra7145="EXTRA"
|
||||
CHECK_SEVERITY_extra7145="Critical"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7145="AwsLambda"
|
||||
CHECK_ALTERNATE_check7145="extra7145"
|
||||
CHECK_SERVICENAME_extra7145="lambda"
|
||||
CHECK_RISK_extra7145='Lambda function access to any aws account may result security issues'
|
||||
CHECK_REMEDIATION_extra7145='Ensure lambda function policiy does not allow access to any account'
|
||||
CHECK_DOC_extra7145='https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html'
|
||||
CHECK_CAF_EPIC_extra7145=''
|
||||
|
||||
CHECK_ID_extra94="9.4"
|
||||
CHECK_TITLE_extra94="[extra94] Check if lambda functions have policies which allow access to everyone having an aws account (Not Scored) (Not part of CIS benchmark) (Custom Check)"
|
||||
CHECK_SCORED_extra94="NOT_SCORED"
|
||||
CHECK_TYPE_extra94="EXTRA"
|
||||
CHECK_SEVERITY_extra94="Critical"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra94="AwsLambda"
|
||||
CHECK_ALTERNATE_check94="extra94"
|
||||
CHECK_SERVICENAME_extra94="Lambda"
|
||||
|
||||
# If a lambda function has a policy principle as *, It can be accessed by any aws account.
|
||||
# We consider such functions as publicly accessible resource.
|
||||
|
||||
extra94(){
|
||||
extra7145(){
|
||||
# "Check if lambda functions have policies which allow access to every aws account (Not Scored) (Not part of CIS benchmark)"
|
||||
for region in $REGIONS; do
|
||||
LIST_OF_LAMBDA_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $region --query Functions[*].FunctionName --output text)
|
||||
if [[ $LIST_OF_LAMBDA_FUNCTIONS ]]; then
|
||||
for lambdaFunction in $LIST_OF_LAMBDA_FUNCTIONS;do
|
||||
FUNCTION_POLICY_STATEMENTS=$($AWSCLI lambda $PROFILE_OPT get-policy --region $region --function-name $lambdaFunction --output json --query Policy 2>&1)
|
||||
if [[ $FUNCTION_POLICY_STATEMENTS == *ResourceNotFoundException* ]]; then
|
||||
textInfo "$region : Lambda function $lambdaFunction doesn't have any policy"
|
||||
textInfo "$region : Lambda function: $lambdaFunction doesn't have any policy" "$region" "$lambdaFunction"
|
||||
else
|
||||
FUNCTION_POLICY_BAD_STATEMENTS=$(echo $FUNCTION_POLICY_STATEMENTS | jq '. | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")')
|
||||
if [[ $FUNCTION_POLICY_BAD_STATEMENTS != "" ]]; then
|
||||
textFail "$region : Lambda function $lambdaFunction allows public access with policy as: $FUNCTION_POLICY_BAD_STATEMENTS"
|
||||
textFail "$region: Lambda function: $lambdaFunction allows public access to every aws account" "$region" "$lambdaFunction"
|
||||
else
|
||||
textPass "$region : Lambda function $lambdaFunction has policy which doesn't allow access to everyone having an aws account"
|
||||
textPass "$region: Lambda function: $lambdaFunction has policy which doesn't allow access to everyone having an aws account" "$region" "$lambdaFunction"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
else
|
||||
textInfo "No lambda functions found in $region region"
|
||||
textInfo "$region: No lambda functions found" "$region"
|
||||
fi
|
||||
done
|
||||
}
|
||||
@@ -10,32 +10,34 @@
|
||||
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
||||
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations under the License.
|
||||
CHECK_ID_extra7146="7.146"
|
||||
CHECK_TITLE_extra7146="[extra7146] Check if there is any unassigned elastic ip's (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra7146="NOT_SCORED"
|
||||
CHECK_TYPE_extra7146="EXTRA"
|
||||
CHECK_SEVERITY_extra7146="Medium"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7146="AwsElasticIPs"
|
||||
CHECK_ALTERNATE_check7146="extra7146"
|
||||
CHECK_SERVICENAME_extra7146="elasticip"
|
||||
CHECK_RISK_extra7146='Unassigned elastic ips may result in extra cost'
|
||||
CHECK_REMEDIATION_extra7146='Ensure elastic ips are not unassigned'
|
||||
CHECK_DOC_extra7146='https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html'
|
||||
CHECK_CAF_EPIC_extra7146=''
|
||||
|
||||
CHECK_ID_extra95="9.5"
|
||||
CHECK_TITLE_extra95="[extra95] Check if there is any unassigned elastic ip's (Not Scored) (Not part of CIS benchmark) (Custom Check)"
|
||||
CHECK_SCORED_extra95="NOT_SCORED"
|
||||
CHECK_TYPE_extra95="EXTRA"
|
||||
CHECK_SEVERITY_extra95="Critical"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra95="AwsElasticIPs"
|
||||
CHECK_ALTERNATE_check95="extra95"
|
||||
CHECK_SERVICENAME_extra95="ElasticIPs"
|
||||
|
||||
# If there is any elasting ip which is not assigned to any instance or network interface, we will list that out.
|
||||
|
||||
extra95(){
|
||||
extra7146(){
|
||||
# "Check if there is any unassigned elastic ip (Not Scored) (Not part of CIS benchmark)"
|
||||
for region in $REGIONS; do
|
||||
ELASTIC_IP_ADDRESSES=$($AWSCLI ec2 describe-addresses $PROFILE_OPT --region $region --query Addresses --output json)
|
||||
if [[ $ELASTIC_IP_ADDRESSES != [] ]]; then
|
||||
LIST_OF_ASSOCIATED_IPS=$(echo $ELASTIC_IP_ADDRESSES | jq -r '.[] | select(.AssociationId!=null) | .PublicIp')
|
||||
LIST_OF_UNASSOCIATED_IPS=$(echo $ELASTIC_IP_ADDRESSES | jq -r '.[] | select(.AssociationId==null) | .PublicIp')
|
||||
for ass_ip in $LIST_OF_ASSOCIATED_IPS; do
|
||||
textPass "$region : Elastic IP $ass_ip is associated with an instance or network interface"
|
||||
textPass "$region: Elastic IP: $ass_ip is associated with an instance or network interface" "$region" "$ass_ip"
|
||||
done
|
||||
for unass_ip in $LIST_OF_UNASSOCIATED_IPS; do
|
||||
textInfo "$region : Elastic IP $unass_ip is not associated with any instance or network interface, it may incurr cost"
|
||||
textInfo "$region: Elastic IP: $unass_ip is not associated with any instance or network interface, it may incurr extra cost" "$region" "$unass_ip"
|
||||
done
|
||||
else
|
||||
textInfo "No elastic ip's found in region $region"
|
||||
textInfo "$region: No elastic ip's found" "$region"
|
||||
fi
|
||||
done
|
||||
}
|
||||
Reference in New Issue
Block a user