ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 06:45:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(checks): New group and checks for Codebuild and EMR (#1112)

Browse Source
This commit is contained in:
Divyanshu
2022-04-29 17:49:04 +05:30
committed by GitHub
parent d08576f672
commit 95df9bc316
5 changed files with 295 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
checks/check_extra7174 Normal file
View File

@@ -0,0 +1,63 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra7174="7.174"
CHECK_TITLE_extra7174="[extra7174] CodeBuild Project last invoked greater than 90 days"
CHECK_SCORED_extra7174="NOT_SCORED"
CHECK_CIS_LEVEL_extra7174="EXTRA"
CHECK_SEVERITY_extra7174="High"
CHECK_ASFF_TYPE_extra7174="AwsCodebuildProject"
CHECK_ALTERNATE_check7174="extra7174"
CHECK_SERVICENAME_extra7174="codebuild"
CHECK_RISK_extra7174='Older CodeBuild projects can be checked to see if they are currently in use'
CHECK_REMEDIATION_extra7174='Check if CodeBuild project are really in use and remove the stale ones'
CHECK_DOC_extra7174='https://docs.aws.amazon.com/codebuild/latest/userguide/delete-project.html'
CHECK_CAF_EPIC_extra7174='Infrastructure Security'
extra7174(){
# "Looking for all build projects with last build invocation greater then 90 days in all regions"
for regx in ${REGIONS}; do
LIST_OF_PROJECTS=$("${AWSCLI}" codebuild list-projects ${PROFILE_OPT} --region "${regx}" --query 'projects[*]' --output text 2>&1)
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${LIST_OF_PROJECTS}"; then
textInfo "${regx}: Access Denied trying to list Codebuild projects" "${regx}"
continue
fi
if [[ "${LIST_OF_PROJECTS}" ]]; then
for project in ${LIST_OF_PROJECTS}; do
project_id=$("${AWSCLI}" codebuild list-builds-for-project ${PROFILE_OPT} --project-name "${project}" --query 'ids[0]' --region "${regx}" --output text | head -n 1 2>&1)
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${project_id}"; then
textInfo "${regx}: Access Denied trying to fetch Id for Codebuild project" "${regx}" "${project}"
continue
elif grep -q -E 'None' <<< "${project_id}"; then
textInfo "${regx}: Codebuild project ${project} has been never build" "${regx}" "${project}"
continue
fi
last_invoked_time=$("${AWSCLI}" codebuild batch-get-builds ${PROFILE_OPT} --ids "${project_id}" --region "${regx}" --query 'builds[0].endTime' --output text 2>&1)
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${last_invoked_time}"; then
textInfo "${regx}: Access Denied trying to get build details for Codebuild project ID" "${regx}" "${project}"
elif grep -q -E 'None' <<< "${last_invoked_time}"; then
textInfo "${regx}: Codebuild project ${project} has been never build" "${regx}" "${project}"
else
HOWOLDER=$(how_older_from_today "${last_invoked_time}")
if [ "${HOWOLDER}" -ge 90 ]; then
textFail "${regx}: CodeBuild project ${project} was last invoked greater then 90 days" "${regx}" "${project}"
else
textPass "${regx}: Codebuild project ${project} was last invoked in the past 90 days" "${regx}" "${project}"
fi
fi
done
else
textInfo "${regx}: No CodeBuild Projects found" "${regx}"
fi
done
}

52
checks/check_extra7175 Normal file
View File

@@ -0,0 +1,52 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra7175="7.175"
CHECK_TITLE_extra7175="[extra7175] CodeBuild Project with an user controlled buildspec"
CHECK_SCORED_extra7175="NOT_SCORED"
CHECK_CIS_LEVEL_extra7175="EXTRA"
CHECK_SEVERITY_extra7175="High"
CHECK_ASFF_TYPE_extra7175="AwsCodebuildProject"
CHECK_ALTERNATE_check7175="extra7175"
CHECK_SERVICENAME_extra7175="codebuild"
CHECK_RISK_extra7175='The CodeBuild projects with user controlled buildspec'
CHECK_REMEDIATION_extra7175='Use buildspec.yml from a trusted source which user cant interfere with'
CHECK_DOC_extra7175='https://docs.aws.amazon.com/codebuild/latest/userguide/security.html'
CHECK_CAF_EPIC_extra7175='Infrastructure Security'
extra7175(){
# "Looking for all build projects with user controlled buildspec files"
for regx in ${REGIONS}; do
LIST_OF_PROJECTS=$("${AWSCLI}" codebuild list-projects ${PROFILE_OPT} --region "${regx}" --query 'projects[*]' --output text 2>&1)
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${LIST_OF_PROJECTS}"; then
textInfo "${regx}: Access Denied trying to list Codebuild projects" "${regx}"
continue
fi
if [[ "${LIST_OF_PROJECTS}" ]]; then
for project in ${LIST_OF_PROJECTS}; do
buildspec_file=$("${AWSCLI}" codebuild batch-get-projects ${PROFILE_OPT} --name "${project}" --query 'projects[0].source.buildspec' --region "${regx}" --output text 2>&1)
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${buildspec_file}"; then
textInfo "${regx}: Access Denied trying to fetch Id for Codebuild project" "${regx}" "${project}"
continue
fi
if [[ $buildspec_file == *.yml ]];then
textFail "${regx}: Codebuild project ${project} uses a user controlled buildspec" "${regx}" "${project}"
else
textPass "${regx}: Codebuild project ${project} not uses a user controlled buildspec" "${regx}" "${project}"
fi
done
else
textInfo "${regx}: No CodeBuild Projects found" "${regx}"
fi
done
}

55
checks/check_extra7176 Normal file
View File

@@ -0,0 +1,55 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra7176="7.176"
CHECK_TITLE_extra7176="[extra7176] EMR Cluster without Public IP"
CHECK_SCORED_extra7176="NOT_SCORED"
CHECK_CIS_LEVEL_extra7176="EXTRA"
CHECK_SEVERITY_extra7176="Medium"
CHECK_ASFF_TYPE_extra7176="AwsEMR"
CHECK_ALTERNATE_check7176="extra7176"
CHECK_SERVICENAME_extra7176="emr"
CHECK_RISK_extra7176='EMR Cluster should not have Public IP'
CHECK_REMEDIATION_extra7176='Only make acceptable EMR clusters public'
CHECK_DOC_extra7176='https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html'
CHECK_CAF_EPIC_extra7176='Infrastructure Security'
extra7176(){
# Public EMR cluster have their DNS ending with .amazonaws.com while private ones have format of ip-xxx-xx-xx.us-east-1.compute.internal.
for regx in ${REGIONS}; do
# List only EMR clusters with the following states: STARTING, BOOTSTRAPPING, RUNNING, WAITING, TERMINATING
# [NOT TERMINATED AND TERMINATED_WITH_ERRORS]
LIST_OF_CLUSTERS=$("${AWSCLI}" emr list-clusters ${PROFILE_OPT} --region "${regx}" --query 'Clusters[?(Status.State!=`TERMINATED` && Status.State!=`TERMINATED_WITH_ERRORS`)].Id' --output text 2>&1)
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${LIST_OF_CLUSTERS}"; then
textInfo "${regx}: Access Denied trying to list clusters of emr" "${regx}"
continue
fi
if [[ "${LIST_OF_CLUSTERS}" ]]
then
for cluster_id in ${LIST_OF_CLUSTERS}; do
master_public_dns=$("${AWSCLI}" emr describe-cluster ${PROFILE_OPT} --cluster-id "${cluster_id}" --query 'Cluster.MasterPublicDnsName' --region "${regx}" --output text 2>&1)
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${master_public_dns}"; then
textInfo "${regx}: Access Denied trying to describe emr cluster" "${regx}" "${cluster_id}"
continue
fi
if [[ $master_public_dns != None && $master_public_dns != *.internal ]];then
textFail "${regx}: EMR Cluster ${cluster_id} has a Public IP" "${regx}" "${cluster_id}"
else
textPass "${regx}: EMR Cluster ${cluster_id} has not a Public IP" "${regx}" "${cluster_id}"
fi
done
else
textInfo "${regx}: No EMR Clusters found" "${regx}"
fi
done
}

124
checks/check_extra7177 Normal file
View File

@@ -0,0 +1,124 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra7177="7.177"
CHECK_TITLE_extra7177="[extra7177] Publicly accessible EMR Cluster"
CHECK_SCORED_extra7177="NOT_SCORED"
CHECK_CIS_LEVEL_extra7177="EXTRA"
CHECK_SEVERITY_extra7177="High"
CHECK_ASFF_TYPE_extra7177="AwsEMR"
CHECK_ALTERNATE_check7177="extra7177"
CHECK_SERVICENAME_extra7177="emr"
CHECK_RISK_extra7177='EMR Clusters should not be publicly accessible'
CHECK_REMEDIATION_extra7177='Only make acceptable EMR clusters public'
CHECK_DOC_extra7177='https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html'
CHECK_CAF_EPIC_extra7177='Infrastructure Security'
extra7177(){
for regx in ${REGIONS}; do
# List only EMR clusters with the following states: STARTING, BOOTSTRAPPING, RUNNING, WAITING, TERMINATING
# [NOT TERMINATED AND TERMINATED_WITH_ERRORS]
LIST_OF_CLUSTERS=$("${AWSCLI}" emr list-clusters ${PROFILE_OPT} --region "${regx}" --query 'Clusters[?(Status.State!=`TERMINATED` && Status.State!=`TERMINATED_WITH_ERRORS`)].Id' --output text 2>&1)
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${LIST_OF_CLUSTERS}"; then
textInfo "${regx}: Access Denied trying to list EMR clusters" "${regx}"
continue
fi
if [[ "${LIST_OF_CLUSTERS}" ]]
then
for cluster_id in ${LIST_OF_CLUSTERS}; do
master_public_dns=$("${AWSCLI}" emr describe-cluster ${PROFILE_OPT} --cluster-id "${cluster_id}" --query 'Cluster.MasterPublicDnsName' --region "${regx}" --output text 2>&1)
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${master_public_dns}"; then
textInfo "${regx}: Access Denied trying to describe EMR cluster" "${regx}" "${cluster_id}"
continue
fi
if [[ $master_public_dns != None && $master_public_dns != *.internal ]];then
# If EMR cluster is Public, it is required to check their Security Groups for the Master, the Slaves and the additional ones
# Retrive EMR Master Node Security Groups rules
master_node_sg=$("${AWSCLI}" emr describe-cluster --cluster-id "${cluster_id}" ${PROFILE_OPT} --region "${regx}" --query 'Cluster.Ec2InstanceAttributes.EmrManagedMasterSecurityGroup' --output text 2>&1)
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${master_node_sg}"; then
textInfo "${regx}: Access Denied trying to describe EMR cluster" "${regx}" "${cluster_id}"
continue
fi
master_node_sg_internet_open=$("${AWSCLI}" ec2 describe-security-groups --group-ids "${master_node_sg}" --query 'SecurityGroups[?length(IpPermissions[?(contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`))]) > `0`].{GroupId:GroupId}' ${PROFILE_OPT} --region "${regx}" --output text 2>&1)
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${master_node_sg_internet_open}"; then
textInfo "$regx: Access Denied trying to describe security groups" "$regx"
continue
fi
# Retrive EMR Slave Node Security Groups rules
slave_node_sg=$("${AWSCLI}" emr describe-cluster --cluster-id "${cluster_id}" ${PROFILE_OPT} --region "${regx}" --query 'Cluster.Ec2InstanceAttributes.EmrManagedSlaveSecurityGroup' --output text 2>&1)
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${slave_node_sg}"; then
textInfo "${regx}: Access Denied trying to describe EMR cluster" "${regx}" "${cluster_id}"
continue
fi
slave_node_sg_internet_open=$("${AWSCLI}" ec2 describe-security-groups --group-ids "${slave_node_sg}" --query 'SecurityGroups[?length(IpPermissions[?(contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`))]) > `0`].{GroupId:GroupId}' ${PROFILE_OPT} --region "${regx}" --output text 2>&1)
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${slave_node_sg_internet_open}"; then
textInfo "$regx: Access Denied trying to describe security groups" "$regx"
continue
fi
# Retrive EMR Additional Master node Security Groups rules
additional_master_node_sg_list=$("${AWSCLI}" emr describe-cluster --cluster-id "${cluster_id}" ${PROFILE_OPT} --region "${regx}" --query 'Cluster.Ec2InstanceAttributes.AdditionalMasterSecurityGroups' --output text 2>&1)
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${slave_node_sg}"; then
textInfo "${regx}: Access Denied trying to describe EMR cluster" "${regx}" "${cluster_id}"
continue
fi
local additional_master_node_sg_internet_open_list
if [[ "${additional_master_node_sg_list}" != "None" ]]; then
for additional_master_node_sg in ${additional_master_node_sg_list}; do
additional_master_node_sg_internet_open=$("${AWSCLI}" ec2 describe-security-groups --group-ids "${additional_master_node_sg}" --query 'SecurityGroups[?length(IpPermissions[?(contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`))]) > `0`].{GroupId:GroupId}' ${PROFILE_OPT} --region "${regx}" --output text 2>&1)
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${slave_node_sg_internet_open}"; then
textInfo "$regx: Access Denied trying to describe security groups" "$regx"
continue
fi
# Store additional master node security groups that allows access from the internet
additional_master_node_sg_internet_open_list+=( "${additional_master_node_sg_internet_open}" )
done
fi
# Retrive EMR Additional Slave node Security Groups rules
additional_slave_node_sg_list=$("${AWSCLI}" emr describe-cluster --cluster-id "${cluster_id}" ${PROFILE_OPT} --region "${regx}" --query 'Cluster.Ec2InstanceAttributes.AdditionalSlaveSecurityGroups' --output text 2>&1)
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${slave_node_sg}"; then
textInfo "${regx}: Access Denied trying to describe EMR cluster" "${regx}" "${cluster_id}"
continue
fi
local additional_slave_node_sg_internet_open_list
if [[ "${additional_slave_node_sg_list}" != "None" ]]; then
for additional_slave_node_sg in ${additional_master_node_sg_list}; do
additional_slave_node_sg_internet_open=$("${AWSCLI}" ec2 describe-security-groups --group-ids "${additional_slave_node_sg}" --query 'SecurityGroups[?length(IpPermissions[?(contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`))]) > `0`].{GroupId:GroupId}' ${PROFILE_OPT} --region "${regx}" --output text 2>&1)
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${additional_slave_node_sg_internet_open}"; then
textInfo "$regx: Access Denied trying to describe security groups" "$regx"
continue
fi
# Store additional slave node security groups that allows access from the internet
additional_slave_node_sg_internet_open_list+=( "${additional_slave_node_sg_internet_open}" )
done
fi
# Check if EMR Cluster is publicly accessible through a Security Group
if [[ -n "${master_node_sg_internet_open}" || -n "${slave_node_sg_internet_open}" || "${#additional_master_node_sg_internet_open_list[@]}" -ne 0 || "${#additional_slave_node_sg_internet_open_list[@]}" -ne 0 ]]; then
textFail "${regx}: EMR Cluster ${cluster_id} is publicly accessible through the following Security Groups: Master Node ${master_node_sg_internet_open} ${additional_master_node_sg_internet_open_list[*]} -- Slaves Nodes ${slave_node_sg_internet_open} ${additional_slave_node_sg_internet_open_list[*]}" "${regx}" "${cluster_id}"
else
textPass "${regx}: EMR Cluster ${cluster_id} is not publicly accessible" "${regx}" "${cluster_id}"
fi
else
textPass "${regx}: EMR Cluster ${cluster_id} is not publicly accessible" "${regx}" "${cluster_id}"
fi
done
else
textInfo "${regx}: No EMR Clusters found" "${regx}"
fi
done
}

3
groups/group7_extras
View File

@@ -15,8 +15,7 @@ GROUP_ID[7]='extras'
GROUP_NUMBER[7]='7.0'
GROUP_TITLE[7]='Extras - all non CIS specific checks - [extras] ****************'
GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100,extra7101,extra7102,extra7103,extra7104,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110,extra7111,extra7112,extra7113,extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122,extra7123,extra7124,extra7125,extra7126,extra7127,extra7128,extra7129,extra7130,extra7131,extra7132,extra7133,extra7134,extra7135,extra7136,extra7137,extra7138,extra7139,extra7140,extra7141,extra7142,extra7143,extra7144,extra7145,extra7146,extra7147,extra7148,extra7149,extra7150,extra7151,extra7152,extra7153,extra7154,extra7155,extra7156,extra7157,extra7158,extra7159,extra7160,extra7161,extra7162,extra7163,extra7164,extra7165,extra7166,extra7167,extra7168,extra7169,extra7170,extra7171,extra7172,extra7173'
GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100,extra7101,extra7102,extra7103,extra7104,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110,extra7111,extra7112,extra7113,extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122,extra7123,extra7124,extra7125,extra7126,extra7127,extra7128,extra7129,extra7130,extra7131,extra7132,extra7133,extra7134,extra7135,extra7136,extra7137,extra7138,extra7139,extra7140,extra7141,extra7142,extra7143,extra7144,extra7145,extra7146,extra7147,extra7148,extra7149,extra7150,extra7151,extra7152,extra7153,extra7154,extra7155,extra7156,extra7157,extra7158,extra7159,extra7160,extra7161,extra7162,extra7163,extra7164,extra7165,extra7166,extra7167,extra7168,extra7169,extra7170,extra7171,extra7172,extra7173,extra7174,extra7175,extra7176,extra7177'
# Extras 759 and 760 (lambda variables and code secrets finder are not included)
# to run detect-secrets use `./prowler -g secrets`