diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 00000000..72e2ac53 Binary files /dev/null and b/.DS_Store differ diff --git a/checks/check_extra999 b/checks/check_extra999 new file mode 100644 index 00000000..2b7cf285 --- /dev/null +++ b/checks/check_extra999 @@ -0,0 +1,68 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +CHECK_ID_extra999="0.00" +CHECK_TITLE_extra999="[extra999] Find secrets in EC2 Auto Scaling Launch Configuration (Not Scored) (Not part of CIS benchmark)" +CHECK_SCORED_extra999="NOT_SCORED" +CHECK_TYPE_extra999="EXTRA" +CHECK_ALTERNATE_check000="extra999" + +extra999(){ + SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM" + if [[ ! -d $SECRETS_TEMP_FOLDER ]]; then + # this folder is deleted once this check is finished + mkdir $SECRETS_TEMP_FOLDER + fi + + textInfo "Looking for secrets in EC2 Auto Scaling Launch Configuration across all regions... (max 100 autoscaling_configurations per region use -m to increase it) " + for regx in $REGIONS; do + LIST_OF_EC2_AUTOSCALING=$($AWSCLI autoscaling describe-launch-configurations $PROFILE_OPT --region $regx --query LaunchConfigurations[*].LaunchConfigurationName --output text --max-items $MAXITEMS | grep -v None) + if [[ $LIST_OF_EC2_AUTOSCALING ]];then + for autoscaling_configuration in $LIST_OF_EC2_AUTOSCALING; do + EC2_AUTOSCALING_USERDATA_FILE="$SECRETS_TEMP_FOLDER/extra999-$autoscaling_configuration-userData.decoded" + EC2_AUTOSCALING_USERDATA=$($AWSCLI autoscaling describe-launch-configurations $PROFILE_OPT --launch-configuration-names $autoscaling_configuration --region $regx --query LaunchConfigurations[*].UserData --output text| grep -v ^None | decode_report > $EC2_AUTOSCALING_USERDATA_FILE) + if [ -s $EC2_AUTOSCALING_USERDATA_FILE ];then + FILE_FORMAT_ASCII=$(file -b $EC2_AUTOSCALING_USERDATA_FILE | grep ASCII) + # This finds ftp or http URLs with credentials and common keywords + # FINDINGS=$(egrep -i '[[:alpha:]]*://[[:alnum:]]*:[[:alnum:]]*@.*/|key|secret|token|pass' $EC2_AUTOSCALING_USERDATA_FILE |wc -l|tr -d '\ ') + # New implementation using https://github.com/Yelp/detect-secrets + if [[ $FILE_FORMAT_ASCII ]]; then + FINDINGS=$(secretsDetector file $EC2_AUTOSCALING_USERDATA_FILE) + if [[ $FINDINGS -eq 0 ]]; then + textPass "$regx: No secrets found in $autoscaling_configuration" "$regx" + # delete file if nothing interesting is there + rm -f $EC2_AUTOSCALING_USERDATA_FILE + else + textFail "$regx: Potential secret found in $autoscaling_configuration" "$regx" + # delete file to not leave trace, user must look at the autoscaling_configuration User Data + rm -f $EC2_AUTOSCALING_USERDATA_FILE + fi + else + mv $EC2_AUTOSCALING_USERDATA_FILE $EC2_AUTOSCALING_USERDATA_FILE.gz ; gunzip $EC2_AUTOSCALING_USERDATA_FILE.gz + FINDINGS=$(secretsDetector file $EC2_AUTOSCALING_USERDATA_FILE) + if [[ $FINDINGS -eq 0 ]]; then + textPass "$regx: No secrets found in $autoscaling_configuration User Data" "$regx" + rm -f $EC2_AUTOSCALING_USERDATA_FILE + else + textFail "$regx: Potential secret found in $autoscaling_configuration" "$regx" + fi + fi + else + textPass "$regx: No secrets found in $autoscaling_configuration User Data or it is empty" "$regx" + fi + done + else + textInfo "$regx: No EC2 autoscaling_configurations found" "$regx" + fi + done + rm -rf $SECRETS_TEMP_FOLDER +} diff --git a/groups/group7_extras b/groups/group7_extras index 84280f8e..5e928c3a 100644 --- a/groups/group7_extras +++ b/groups/group7_extras @@ -15,7 +15,7 @@ GROUP_ID[7]='extras' GROUP_NUMBER[7]='7.0' GROUP_TITLE[7]='Extras - [extras] **********************************************' GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called -GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774' +GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra999' # Extras 759 and 760 (lambda variables and code secrets finder are not included) # to run detect-secrets use `./prowler -g secrets`