Merge pull request #284 from toniblyx/devel

Devel
2026-02-11 15:25:10 +00:00 · 2019-01-07 22:15:28 -05:00
parent 1203700d34 b59d5db16b
commit 8f89a01541
3 changed files with 66 additions and 8 deletions
--- a/README.md
+++ b/README.md
@@ -105,6 +105,14 @@ This script has been written in bash using AWS-CLI and it works in Linux and OSX
    ```sh
    ./prowler -c check310
    ```
+    or multiple checks separated by comma:
+    ```sh
+    ./prowler -c check310,check722
+    ```
+    or all checks but some of them:
+    ```sh
+    ./prowler -E check42,check43
+    ```

    or for custom profile and region:

@@ -189,6 +197,7 @@ This script has been written in bash using AWS-CLI and it works in Linux and OSX
        -l                  list all available checks only (does not perform any check)
        -L                  list all groups (does not perform any check)
        -e                  exclude group extras
+        -E                  execute all tests except a list of specified checks separated by comma (i.e. check21,check31)
        -b                  do not print Prowler banner
        -h                  this help
    ```
--- a/checks/check120
+++ b/checks/check120
@@ -19,15 +19,16 @@ check120(){
  SUPPORTPOLICYARN=$($AWSCLI iam list-policies --query "Policies[?PolicyName == 'AWSSupportAccess'].Arn" $PROFILE_OPT --region $REGION --output text)
  if [[ $SUPPORTPOLICYARN ]];then
    for policyarn in $SUPPORTPOLICYARN;do
-      POLICYUSERS=$($AWSCLI iam list-entities-for-policy --policy-arn $SUPPORTPOLICYARN $PROFILE_OPT --region $REGION --output json)
-      if [[ $POLICYUSERS ]];then
-        textPass "Support Policy attached to $policyarn"
-        for user in $(echo "$POLICYUSERS" | grep UserName | cut -d'"' -f4) ; do
-          textInfo "User $user has support access via $policyarn"
+      POLICYROLES=$($AWSCLI iam list-entities-for-policy --policy-arn $SUPPORTPOLICYARN $PROFILE_OPT --region $REGION --query PolicyRoles[*] --output text)
+      if [[ $POLICYROLES ]];then
+        for role in $POLICYROLES; do
+          textPass "Support Policy attached to $role role"
        done
-        # textInfo "Make sure your team can create a Support case with AWS "
+        # for user in $(echo "$POLICYUSERS" | grep UserName | cut -d'"' -f4) ; do
+        #   textInfo "User $user has support access via $policyarn"
+        # done
      else
-        textFail "Support Policy not applied to any Group / User / Role "
+        textFail "Support Policy not applied to any Role "
      fi
    done
  else
--- a/50
+++ b/50
@@ -70,6 +70,7 @@ USAGE:
      -l                  list all available checks only (does not perform any check)
      -L                  list all groups (does not perform any check)
      -e                  exclude group extras
+      -E                  execute all tests except a list of specified checks separated by comma (i.e. check21,check31)
      -b                  do not print Prowler banner
      -V                  show version number & exit
      -h                  this help
@@ -77,7 +78,7 @@ USAGE:
  exit
 }

-while getopts ":hlLkp:r:c:g:f:m:M:enbV" OPTION; do
+while getopts ":hlLkp:r:c:g:f:m:M:E:enbV" OPTION; do
   case $OPTION in
     h )
        usage
@@ -123,6 +124,9 @@ while getopts ":hlLkp:r:c:g:f:m:M:enbV" OPTION; do
     e )
        EXTRAS=1
        ;;
+     E )
+        EXCLUDE_CHECK_ID=$OPTARG
+        ;;
     V )
        echo "Prowler $PROWLER_VERSION"
        EXITCODE=0
@@ -278,6 +282,40 @@ show_all_group_titles() {
 	done
 }

+
+# Function to execute all checks but exclude some of them
+get_all_checks_without_exclusion() {
+        CHECKS_EXCLUDED=()
+        local CHECKS_TO_EXCLUDE=()
+        local TOTAL_CHECKS=()
+        #Get a list of checks to exclude
+        IFS=',' read -ra E_CHECKS <<< "$1"
+        for E_CHECK in "${E_CHECKS[@]}"; do
+            CHECKS_TO_EXCLUDE+=($E_CHECK)
+        done
+        #Get a list of total checks available by ID
+	for i in "${!GROUP_TITLE[@]}"; do
+		#show_group_title $i
+		IFS=',' read -ra CHECKS <<< ${GROUP_CHECKS[$i]}
+		for j in ${CHECKS[@]}; do
+                    TOTAL_CHECKS+=($CHECK_ID_$j)
+		done
+	done
+        TOTAL_CHECKS=($(echo "${TOTAL_CHECKS[*]}" | tr ' ' '\n' | sort -u)) #removes duplicate and store the result as an array
+        #Create a list that contains all checks but excluded ones
+        for i in "${TOTAL_CHECKS[@]}"; do
+            local COINCIDENCE=false
+            for x in "${CHECKS_TO_EXCLUDE[@]}"; do
+                if [[ "$i" == "$x" ]]; then
+                    COINCIDENCE=true
+                fi
+            done
+            if [[ "$COINCIDENCE" = false ]]; then
+                CHECKS_EXCLUDED+=($i)
+            fi
+        done
+}
+
 ### All functions defined above ... run the workflow
 if [[ $MODE != "csv" ]]; then
  prowlerBanner
@@ -303,6 +341,16 @@ fi
 # Gather account data / test aws cli connectivity
 getWhoami

+# Get a list of total checks excluding a list provided by the user and overwrite CHECK_ID with the result
+# if the list provided by the user contains an invalid check, this will be discarded.
+# if the list provided by the user contains  just one argument and is invalid, then it will be discarded and all tests will be executed
+if [[ $EXCLUDE_CHECK_ID ]];then
+  get_all_checks_without_exclusion $EXCLUDE_CHECK_ID
+  function join { local IFS="$1"; shift; echo "$*"; }
+  CHECKS_EXCLUDED=$(join , "${CHECKS_EXCLUDED[@]}")
+  CHECK_ID=$CHECKS_EXCLUDED
+fi
+
 # Execute single check if called with -c
 if [[ $CHECK_ID ]];then
  IFS=',' read -ra CHECKS <<< "$CHECK_ID"