Adding custom security checks

2026-02-10 23:05:05 +00:00 · 2021-06-14 12:43:21 +05:30
parent 583cffaefb
commit 8e9ef841e5
5 changed files with 217 additions and 0 deletions
--- a/checks/check_extra91
+++ b/checks/check_extra91
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra91="9.1"
+CHECK_TITLE_extra91="[extra91] Check if S3 glacier vaults have policies which allow access to everyone (Not Scored) (Not part of CIS benchmark) (Custom Check)"
+CHECK_SCORED_extra91="NOT_SCORED"
+CHECK_TYPE_extra91="EXTRA"
+CHECK_SEVERITY_extra91="Critical"
+CHECK_ASFF_RESOURCE_TYPE_extra91="AwsS3Glacier"
+CHECK_ALTERNATE_check91="extra91"
+CHECK_SERVICENAME_extra91="s3Glacier"
+
+# If an s3 glacier vault has a policy principle as *, we consider it public accessible resource.
+
+extra91(){
+  for region in $REGIONS; do
+  LIST_OF_VAULTS=$($AWSCLI glacier list-vaults $PROFILE_OPT --region $region --account-id $ACCOUNT_NUM --query VaultList[*].VaultName --output text|xargs -n1)
+  if [[ $LIST_OF_VAULTS ]]; then
+    for vault in $LIST_OF_VAULTS;do
+      VAULT_POLICY_STATEMENTS=$($AWSCLI glacier $PROFILE_OPT get-vault-access-policy --region $region --account-id $ACCOUNT_NUM --vault-name $vault --output json --query policy.Policy 2>&1)
+      if [[ $VAULT_POLICY_STATEMENTS == *GetVaultAccessPolicy* ]]; then
+        textInfo "Vault policy does not exist for vault $vault"
+      else
+        VAULT_POLICY_BAD_STATEMENTS=$(echo $VAULT_POLICY_STATEMENTS | jq '. | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")')
+        if [[ $VAULT_POLICY_BAD_STATEMENTS != "" ]]; then
+          textFail "$region : Vault $vault allows public access with policy as: $VAULT_POLICY_BAD_STATEMENTS"
+        else
+          textPass "$region :Vault $vault has vault policy which does not allow public access"
+        fi
+      fi
+    done
+
+  else
+    textInfo "No glacier vaults found in $region region"
+  fi
+ done
+}
--- a/checks/check_extra92
+++ b/checks/check_extra92
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra92="9.2"
+CHECK_TITLE_extra92="[extra92] Check if EFS have policies which allow access to everyone (Not Scored) (Not part of CIS benchmark) (Custom Check)"
+CHECK_SCORED_extra92="NOT_SCORED"
+CHECK_TYPE_extra92="EXTRA"
+CHECK_SEVERITY_extra92="Critical"
+CHECK_ASFF_RESOURCE_TYPE_extra92="AwsEFS"
+CHECK_ALTERNATE_check92="extra92"
+CHECK_SERVICENAME_extra92="EFS"
+
+# If an EFS has a policy principle as *, we consider it as public accessible even though client connects through a vpc peering or transit gateway. Also if EFS has a default policy(no user defined
+# policy), it's also a security risk, as default policy grants full access to any client that can connect to the file system using a file system mount target.
+
+extra92(){
+  for region in $REGIONS; do
+  LIST_OF_EFS_IDS=$($AWSCLI efs describe-file-systems $PROFILE_OPT --region $region --query FileSystems[*].FileSystemId --output text|xargs -n1)
+  if [[ $LIST_OF_EFS_IDS ]]; then
+    for efsId in $LIST_OF_EFS_IDS;do
+      EFS_POLICY_STATEMENTS=$($AWSCLI efs $PROFILE_OPT describe-file-system-policy --region $region --file-system-id $efsId --output json --query Policy 2>&1)
+      if [[ $EFS_POLICY_STATEMENTS == *PolicyNotFound* ]]; then
+        textFail "$region :  EFS $efsId doesn't have any policy which means it grants full access to any client"
+        # textInfo "EFS policy does not exist for efs id $efsId"
+      else
+        EFS_POLICY_BAD_STATEMENTS=$(echo $EFS_POLICY_STATEMENTS | jq '. | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")')
+        if [[ $EFS_POLICY_BAD_STATEMENTS != "" ]]; then
+          textFail "$region : EFS $efsId allows public access with policy as: $EFS_POLICY_BAD_STATEMENTS"
+        else
+          textPass "$region : EFS $efsId has file system policy which does not allow public access"
+        fi
+      fi
+    done
+
+  else
+    textInfo "No EFS found in $region region"
+  fi
+ done
+}
--- a/checks/check_extra93
+++ b/checks/check_extra93
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra93="9.3"
+CHECK_TITLE_extra93="[extra93] Check if aws cloudwatch has allowed sharing with other accounts (Not Scored) (Not part of CIS benchmark) (Custom Check)"
+CHECK_SCORED_extra93="NOT_SCORED"
+CHECK_TYPE_extra93="EXTRA"
+CHECK_SEVERITY_extra93="Critical"
+CHECK_ASFF_RESOURCE_TYPE_extra93="AwsCloudWatch"
+CHECK_ALTERNATE_check93="extra93"
+CHECK_SERVICENAME_extra93="CloudWatch"
+
+# When CloudWatch allows cross account sharing, a role with name CloudWatch-CrossAccountSharingRole get's created by aws itself. So we are validating role name existance for checking the 
+# cloudwatch security.
+
+extra93(){
+  
+  CLOUDWATCH_CROSS_ACCOUNT_ROLE=$($AWSCLI iam get-role $PROFILE_OPT --role-name=CloudWatch-CrossAccountSharingRole --output json --query Role 2>&1)
+  if [[ $CLOUDWATCH_CROSS_ACCOUNT_ROLE != *NoSuchEntity* ]]; then
+      CLOUDWATCH_POLICY_BAD_STATEMENTS=$(echo $CLOUDWATCH_CROSS_ACCOUNT_ROLE | jq '.AssumeRolePolicyDocument')
+      textFail "Cloudwatch has allowed cross account sharing with policy as $CLOUDWATCH_POLICY_BAD_STATEMENTS"
+  else
+      textPass "CloudWatch doesn't allows cross account sharing"
+  fi
+}
--- a/checks/check_extra94
+++ b/checks/check_extra94
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra94="9.4"
+CHECK_TITLE_extra94="[extra94] Check if lambda functions has policies which allow access to everyone having an aws account (Not Scored) (Not part of CIS benchmark) (Custom Check)"
+CHECK_SCORED_extra94="NOT_SCORED"
+CHECK_TYPE_extra94="EXTRA"
+CHECK_SEVERITY_extra94="Critical"
+CHECK_ASFF_RESOURCE_TYPE_extra94="AwsCloudWatch"
+CHECK_ALTERNATE_check94="extra94"
+CHECK_SERVICENAME_extra94="CloudWatch"
+
+# If a lambda function has a policy principle as *, It can be accessed by any aws account. We consider such functions as publicly accessible resource.
+
+extra94(){
+  for region in $REGIONS; do
+  LIST_OF_LAMBDA_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $region --query Functions[*].FunctionName --output text)
+  if [[ $LIST_OF_LAMBDA_FUNCTIONS ]]; then
+    for lambdaFunction in $LIST_OF_LAMBDA_FUNCTIONS;do
+      FUNCTION_POLICY_STATEMENTS=$($AWSCLI lambda $PROFILE_OPT get-policy --region $region --function-name $lambdaFunction --output json --query Policy 2>&1)
+      if [[ $FUNCTION_POLICY_STATEMENTS == *ResourceNotFoundException* ]]; then
+        textInfo "$region : Lambda function $lambdaFunction doesn't have any policy"
+      else
+        FUNCTION_POLICY_BAD_STATEMENTS=$(echo $FUNCTION_POLICY_STATEMENTS | jq '. | fromjson' | jq '.Statement[] | select(.Effect=="Allow")	 | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")')
+        if [[ $FUNCTION_POLICY_BAD_STATEMENTS != "" ]]; then
+          textFail "$region : Lambda function $lambdaFunction allows public access with policy as: $FUNCTION_POLICY_BAD_STATEMENTS"
+        else
+          textPass "$region : Lambda function $lambdaFunction has policy which doesn't allow access to everyone having an aws account"
+        fi
+      fi
+    done
+
+  else
+    textInfo "No lambda functions found in $region region"
+  fi
+ done
+}
--- a/checks/check_extra95
+++ b/checks/check_extra95
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra95="9.5"
+CHECK_TITLE_extra95="[extra95] Check if there is any unassigned elastic ip's (Not Scored) (Not part of CIS benchmark) (Custom Check)"
+CHECK_SCORED_extra95="NOT_SCORED"
+CHECK_TYPE_extra95="EXTRA"
+CHECK_SEVERITY_extra95="Critical"
+CHECK_ASFF_RESOURCE_TYPE_extra95="AwsCloudWatch"
+CHECK_ALTERNATE_check95="extra95"
+CHECK_SERVICENAME_extra95="CloudWatch"
+
+# If there is any elasting ip which is not assigned to any instance or network interface, we will list that out.
+
+extra95(){
+  for region in $REGIONS; do
+  ELASTIC_IP_ADDRESSES=$($AWSCLI ec2 describe-addresses $PROFILE_OPT --region $region --query Addresses --output json)
+  if [[ $ELASTIC_IP_ADDRESSES != [] ]]; then
+    LIST_OF_ASSOCIATED_IPS=$(echo $ELASTIC_IP_ADDRESSES | jq -r '.[] | select(.AssociationId!=null) | .PublicIp')
+    LIST_OF_UNASSOCIATED_IPS=$(echo $ELASTIC_IP_ADDRESSES | jq -r '.[] | select(.AssociationId==null) | .PublicIp')
+    for ass_ip in $LIST_OF_ASSOCIATED_IPS; do
+     textPass "$region : Elastic IP $ass_ip is associated with an instance or network interface"
+     done
+    for unass_ip in $LIST_OF_UNASSOCIATED_IPS; do
+     textInfo "$region : Elastic IP $unass_ip is not associated with any instance or network interface, it may incurr cost"
+     done
+  else
+    textInfo "No elastic ip's found in region $region"
+  fi
+ done
+}