From 71355b0c4c8fc5a8af0caf8fcc9ab9401284e9cd Mon Sep 17 00:00:00 2001
From: Samuel Dugo
Date: Fri, 21 Dec 2018 12:14:10 +0100
Subject: [PATCH 1/3] New option "-E" supports exclusion of one or multiple checks

Added new option "-E" which will execute all tests except a list of specified checks separated by comma (i.e. check21,check31). Any invalid check name will be discarded. And if just one argument is passed and this is invalid, then Prowler will execute all checks. To save space, the option will return a list of total checks excluding the list provided. Then, the functionality will overwrite CHECK_ID with the final list and the program will continue as if the user entered "-c" option and the final list of checks.
---
 prowler | 50 +++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 49 insertions(+), 1 deletion(-)

diff --git a/prowler b/prowler
index 8c3255fe..b0c7556a 100755
--- a/prowler
+++ b/prowler
@@ -70,6 +70,7 @@ USAGE:
   -l list all available checks only (does not perform any check)
   -L list all groups (does not perform any check)
   -e exclude group extras
+  -E execute all tests except a list of specified checks separated by comma (i.e. check21,check31)
   -b do not print Prowler banner
   -V show version number & exit
   -h this help
@@ -77,7 +78,7 @@ USAGE:
   exit
 }
 
-while getopts ":hlLkp:r:c:g:f:m:M:enbV" OPTION; do
+while getopts ":hlLkp:r:c:g:f:m:M:E:enbV" OPTION; do
   case $OPTION in
     h )
       usage
@@ -123,6 +124,9 @@ while getopts ":hlLkp:r:c:g:f:m:M:enbV" OPTION; do
     e )
       EXTRAS=1
       ;;
+    E )
+      EXCLUDE_CHECK_ID=$OPTARG
+      ;;
     V )
       echo "Prowler $PROWLER_VERSION"
       EXITCODE=0
@@ -278,6 +282,40 @@ show_all_group_titles() {
   done
 }
 
+
+# Function to execute all checks but exclude some of them
+get_all_checks_without_exclusion() {
+  CHECKS_EXCLUDED=()
+  local CHECKS_TO_EXCLUDE=()
+  local TOTAL_CHECKS=()
+  #Get a list of checks to exclude
+  IFS=',' read -ra E_CHECKS <<< "$1"
+  for E_CHECK in "${E_CHECKS[@]}"; do
+    CHECKS_TO_EXCLUDE+=($E_CHECK)
+  done
+  #Get a list of total checks available by ID
+  for i in "${!GROUP_TITLE[@]}"; do
+    #show_group_title $i
+    IFS=',' read -ra CHECKS <<< ${GROUP_CHECKS[$i]}
+    for j in ${CHECKS[@]}; do
+      TOTAL_CHECKS+=($CHECK_ID_$j)
+    done
+  done
+  TOTAL_CHECKS=($(echo "${TOTAL_CHECKS[*]}" | tr ' ' '\n' | sort -u)) #removes duplicate and store the result as an array
+  #Create a list that contains all checks but excluded ones
+  for i in "${TOTAL_CHECKS[@]}"; do
+    local COINCIDENCE=false
+    for x in "${CHECKS_TO_EXCLUDE[@]}"; do
+      if [[ "$i" == "$x" ]]; then
+        COINCIDENCE=true
+      fi
+    done
+    if [[ "$COINCIDENCE" = false ]]; then
+      CHECKS_EXCLUDED+=($i)
+    fi
+  done
+}
+
 ### All functions defined above ... run the workflow
 if [[ $MODE != "csv" ]]; then
   prowlerBanner
@@ -303,6 +341,16 @@ fi
 # Gather account data / test aws cli connectivity
 getWhoami
 
+# Get a list of total checks excluding a list provided by the user and overwrite CHECK_ID with the result
+# if the list provided by the user contains an invalid check, this will be discarded.
+# if the list provided by the user contains just one argument and is invalid, then it will be discarded and all tests will be executed
+if [[ $EXCLUDE_CHECK_ID ]];then
+  get_all_checks_without_exclusion $EXCLUDE_CHECK_ID
+  function join { local IFS="$1"; shift; echo "$*"; }
+  CHECKS_EXCLUDED=$(join , "${CHECKS_EXCLUDED[@]}")
+  CHECK_ID=$CHECKS_EXCLUDED
+fi
+
 # Execute single check if called with -c
 if [[ $CHECK_ID ]];then
   IFS=',' read -ra CHECKS <<< "$CHECK_ID"
From 2e754a5370aafb2160edd799eb797fecdb95d1dd Mon Sep 17 00:00:00 2001
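Review bot: `TOTAL_CHECKS+=($CHECK_ID_$j)` in get_all_checks_without_exclusion does not perform the indirection its spelling suggests: bash expands a variable literally named `CHECK_ID_` and then `$j`, so the element is the bare check name only while `CHECK_ID_` is unset (not confirmable from here, and `set -u` would turn it into an abort). Since the comparison loop below matches against the user-supplied names in CHECKS_TO_EXCLUDE, the value wanted is just the group entry, `TOTAL_CHECKS+=("$j")`. The function also word-splits and glob-expands unquoted expansions derived from argv — `CHECKS_TO_EXCLUDE+=($E_CHECK)`, `read -ra CHECKS <<< ${GROUP_CHECKS[$i]}`, `for j in ${CHECKS[@]}`, `CHECKS_EXCLUDED+=($i)` — so an `-E` value containing glob characters would pull file names from the working directory into the exclusion list; quote them, and likewise `get_all_checks_without_exclusion $EXCLUDE_CHECK_ID` in the `@@ -303` hunk. CHECKS_EXCLUDED holds the checks that will run, not the excluded ones, so a comment such as `# CHECKS_EXCLUDED (global out-param): checks left to run after the -E list is removed` above the first assignment would spare the next reader a wrong guess.
```sh
get_all_checks_without_exclusion() {
  # CHECKS_EXCLUDED (global out-param): checks left to run after the -E list is removed
  CHECKS_EXCLUDED=()
  local CHECKS_TO_EXCLUDE=()
  local TOTAL_CHECKS=()
  IFS=',' read -ra E_CHECKS <<< "$1"
  for E_CHECK in "${E_CHECKS[@]}"; do
    CHECKS_TO_EXCLUDE+=("$E_CHECK")
  done
  for i in "${!GROUP_TITLE[@]}"; do
    IFS=',' read -ra CHECKS <<< "${GROUP_CHECKS[$i]}"
    for j in "${CHECKS[@]}"; do
      TOTAL_CHECKS+=("$j")   # group entries are already the check names
    done
  done
  # … unchanged: sort -u de-duplication and the exclusion loop, except …
      CHECKS_EXCLUDED+=("$i")
```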
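Review bot: `CHECKS_EXCLUDED=$(join , "${CHECKS_EXCLUDED[@]}")` assigns a scalar to an array variable, which in bash only overwrites element 0 and leaves the remaining elements in place; the following `CHECK_ID=$CHECKS_EXCLUDED` happens to read element 0, so it works, but the `function join` definition and the array-to-scalar round trip can be one line, `CHECK_ID=$(IFS=,; printf '%s' "${CHECKS_EXCLUDED[*]}")`. That assignment also silently discards a `-c` list given alongside `-E`, and when every known check is excluded CHECK_ID ends up empty, so `if [[ $CHECK_ID ]]` below falls through to whatever default path follows outside this hunk — presumably running everything, the opposite of what was asked; a `(( ${#CHECKS_EXCLUDED[@]} > 0 )) || ...` guard with a message to stderr would make that case explicit. The three-line comment above the `if` would read better condensed to `# -E: run every known check except the comma-separated list; unknown names are ignored.`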
From: Toni de la Fuente
Date: Mon, 7 Jan 2019 22:06:34 -0500
Subject: [PATCH 2/3] Fixed check120

---
 checks/check120 | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/checks/check120 b/checks/check120
index a7491c38..c8f129c8 100644
--- a/checks/check120
+++ b/checks/check120
@@ -19,15 +19,16 @@ check120(){
   SUPPORTPOLICYARN=$($AWSCLI iam list-policies --query "Policies[?PolicyName == 'AWSSupportAccess'].Arn" $PROFILE_OPT --region $REGION --output text)
   if [[ $SUPPORTPOLICYARN ]];then
     for policyarn in $SUPPORTPOLICYARN;do
-      POLICYUSERS=$($AWSCLI iam list-entities-for-policy --policy-arn $SUPPORTPOLICYARN $PROFILE_OPT --region $REGION --output json)
-      if [[ $POLICYUSERS ]];then
-        textPass "Support Policy attached to $policyarn"
-        for user in $(echo "$POLICYUSERS" | grep UserName | cut -d'"' -f4) ; do
-          textInfo "User $user has support access via $policyarn"
+      POLICYROLES=$($AWSCLI iam list-entities-for-policy --policy-arn $SUPPORTPOLICYARN $PROFILE_OPT --region $REGION --query PolicyRoles[*] --output text)
+      if [[ $POLICYROLES ]];then
+        for role in $POLICYROLES; do
+          textPass "Support Policy attached to $role role"
         done
-        # textInfo "Make sure your team can create a Support case with AWS "
+        # for user in $(echo "$POLICYUSERS" | grep UserName | cut -d'"' -f4) ; do
+        # textInfo "User $user has support access via $policyarn"
+        # done
       else
-        textFail "Support Policy not applied to any Group / User / Role "
+        textFail "Support Policy not applied to any Role "
       fi
     done
   else
From b59d5db16b6ba0e188af25b77e769d093dc19117 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 7 Jan 2019 22:12:01 -0500
Subject: [PATCH 3/3] Added new opton exclude to README

---
 README.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/README.md b/README.md
index 107272d0..c0753e11 100644
--- a/README.md
+++ b/README.md
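Review bot: `--query PolicyRoles[*] --output text` on the new POLICYROLES line emits every field of each role object (RoleId and RoleName) tab-separated on one row, so the unquoted `for role in $POLICYROLES` visits the ids as well as the names and textPass reports both as roles; select the name explicitly with `--query 'PolicyRoles[*].RoleName'`. The same line passes `--policy-arn $SUPPORTPOLICYARN`, the whole list, instead of the loop variable `$policyarn`, so when list-policies returns more than one ARN the call receives several ARNs at once; use `--policy-arn "$policyarn"`. The disabled user loop left below `done` is dead code — if user and group attachments are now intentionally out of scope for this check, a one-line comment saying so carries that intent better than the commented-out block. The enclosing check120 function starts and ends outside the hunk.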
@@ -105,6 +105,14 @@ This script has been written in bash using AWS-CLI and it works in Linux and OSX ```sh ./prowler -c check310 ``` + or multiple checks separated by comma: + ```sh + ./prowler -c check310,check722 + ``` + or all checks but some of them: + ```sh + ./prowler -E check42,check43 + ``` or for custom profile and region: @@ -189,6 +197,7 @@ This script has been written in bash using AWS-CLI and it works in Linux and OSX -l list all available checks only (does not perform any check) -L list all groups (does not perform any check) -e exclude group extras + -E execute all tests except a list of specified checks separated by comma (i.e. check21,check31) -b do not print Prowler banner -h this help ```