From 49423dee4a12ba20372507edce66fdddb33f74ee Mon Sep 17 00:00:00 2001
From: Ramon Diez
Date: Wed, 18 Nov 2020 12:42:01 +0100
Subject: [PATCH 1/2] fixing check_extra7116 and check_extra7117
---
 checks/check_extra7116 | 13 +++++++++----
 checks/check_extra7117 | 13 +++++++++----
 2 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/checks/check_extra7116 b/checks/check_extra7116
index 2165b91a..de077e4a 100644
--- a/checks/check_extra7116
+++ b/checks/check_extra7116
@@ -20,11 +20,16 @@ CHECK_ALTERNATE_check7116="extra7116"
 extra7116(){
 for regx in $REGIONS; do
- METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.EncryptionAtRest.CatalogEncryptionMode")
- if [[ "$METADATA_ENCRYPTED" == "DISABLED" ]]; then
- textFail "$regx: Glue data catalog settings have metadata encryption disabled" "$regx"
+ TABLE_LIST=$($AWSCLI glue search-tables --max-results 1 $PROFILE_OPT --region $regx --output text --query 'TableList[*]' )
+ if [[ ! -z $TABLE_LIST ]]; then
+ METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.EncryptionAtRest.CatalogEncryptionMode")
+ if [[ "$METADATA_ENCRYPTED" == "DISABLED" ]]; then
+ textFail "$regx: Glue data catalog settings have metadata encryption disabled" "$regx"
+ else
+ textPass "$regx: Glue data catalog settings have metadata encryption enabled" "$regx"
+ fi
 else
- textPass "$regx: Glue data catalog settings have metadata encryption enabled" "$regx"
+ textInfo "$regx: Glue data catalog settings metadata encryption does not apply" "$regx"
 fi
 done
 }
diff --git a/checks/check_extra7117 b/checks/check_extra7117
index 7c11c76d..808687c5 100644
--- a/checks/check_extra7117
+++ b/checks/check_extra7117
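Review bot: The new `if [[ ! -z $TABLE_LIST ]]` branch cannot tell "the region has no Glue tables" apart from "the search-tables call failed", because the command substitution discards the CLI's exit status and yields an empty string on a permission error, throttling or an opted-out region; such a failure is then reported as textInfo "does not apply", which turns an unscanned region into a benign-looking result. Capture the status before treating emptiness as absence, e.g. `TABLE_LIST=$($AWSCLI glue search-tables --max-results 1 $PROFILE_OPT --region $regx --output text --query 'TableList[*]') || { textInfo "$regx: could not list Glue tables" "$regx"; continue; }`, and write the test as `if [[ -n "$TABLE_LIST" ]]; then` for readability. The inner `METADATA_ENCRYPTED` comparison has the same property (an empty result lands in textPass), though that predates this patch. The same two points apply to the `get-connections` hunk in checks/check_extra7117 in this patch and to the reworded textInfo messages in the second patch, which assert "no tables"/"no connections" as the cause.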
@@ -20,11 +20,16 @@ CHECK_ALTERNATE_check7117="extra7117"
 extra7117(){
 for regx in $REGIONS; do
- METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.ConnectionPasswordEncryption.ReturnConnectionPasswordEncrypted")
- if [[ "$METADATA_ENCRYPTED" == "False" ]]; then
- textFail "$regx: Glue data catalog connection password is not encrypted" "$regx"
+ CONNECTION_LIST=$($AWSCLI glue get-connections $PROFILE_OPT --region $regx --output text --query 'ConnectionList[*]')
+ if [[ ! -z $CONNECTION_LIST ]]; then
+ METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.ConnectionPasswordEncryption.ReturnConnectionPasswordEncrypted")
+ if [[ "$METADATA_ENCRYPTED" == "False" ]]; then
+ textFail "$regx: Glue data catalog connection password is not encrypted" "$regx"
+ else
+ textPass "$regx: Glue data catalog connection password is encrypted" "$regx"
+ fi
 else
- textPass "$regx: Glue data catalog connection password is encrypted" "$regx"
+ textInfo "$regx: Glue data catalog connection password encryption does not apply" "$regx"
 fi
 done
 }
From f3d4cc85141126c5894dacbd35465259b447df2d Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Wed, 18 Nov 2020 13:31:20 +0100
Subject: [PATCH 2/2] Fixed extra7116 extra7117 outputs and added to extras
---
 checks/check_extra7116 | 4 ++--
 checks/check_extra7117 | 2 +-
 groups/group7_extras | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/checks/check_extra7116 b/checks/check_extra7116
index de077e4a..2dee0295 100644
--- a/checks/check_extra7116
+++ b/checks/check_extra7116
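Review bot: `CONNECTION_LIST` is only tested for non-emptiness, yet the new `get-connections` line pulls every connection object in the region, including its ConnectionProperties, into a shell variable; GetConnections returns the stored password unless HidePassword is set, so a debug run (`set -x`) or a crash dump of this scanner would carry catalog credentials it never needed. Restrict the call to what the branch actually uses: `CONNECTION_LIST=$($AWSCLI glue get-connections --max-results 1 --hide-password $PROFILE_OPT --region $regx --output text --query 'ConnectionList[*].Name')`. The emptiness-versus-failure ambiguity of this test is the one raised on the check_extra7116 hunk of this patch and applies here unchanged.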
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra7116="7.116"
-CHECK_TITLE_extra7116="[extra7116] Check if Glue data-catalog settings have metadata encryption enabled."
+CHECK_TITLE_extra7116="[extra7116] Check if Glue data catalog settings have metadata encryption enabled."
 CHECK_SCORED_extra7116="NOT_SCORED"
 CHECK_TYPE_extra7116="EXTRA"
 CHECK_SEVERITY_extra7116="Medium"
@@ -29,7 +29,7 @@ extra7116(){
 textPass "$regx: Glue data catalog settings have metadata encryption enabled" "$regx"
 fi
 else
- textInfo "$regx: Glue data catalog settings metadata encryption does not apply" "$regx"
+ textInfo "$regx: Glue data catalog settings metadata encryption does not apply since there are no tables" "$regx"
 fi
 done
 }
diff --git a/checks/check_extra7117 b/checks/check_extra7117
index 808687c5..686cd729 100644
--- a/checks/check_extra7117
+++ b/checks/check_extra7117
@@ -29,7 +29,7 @@ extra7117(){
 textPass "$regx: Glue data catalog connection password is encrypted" "$regx"
 fi
 else
- textInfo "$regx: Glue data catalog connection password encryption does not apply" "$regx"
+ textInfo "$regx: Glue data catalog connection password encryption does not apply since there are no connections" "$regx"
 fi
 done
 }
diff --git a/groups/group7_extras b/groups/group7_extras
index 041b56df..3326013b 100644
--- a/groups/group7_extras
+++ b/groups/group7_extras
@@ -15,7 +15,7 @@ GROUP_ID[7]='extras'
 GROUP_NUMBER[7]='7.0'
 GROUP_TITLE[7]='Extras - all non CIS specific checks - [extras] ****************'
 GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
-GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100,extra7101,extra7102,extra7103,extra7104,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110,extra7111,extra7112,extra7113'
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100,extra7101,extra7102,extra7103,extra7104,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110,extra7111,extra7112,extra7113,extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122'
 # Extras 759 and 760 (lambda variables and code secrets finder are not included)
 # to run detect-secrets use `./prowler -g secrets`
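Review bot: The new `GROUP_CHECKS[7]` value enables nine checks, extra7114 through extra7122, while the subject names only extra7116 and extra7117 and this series touches no other check files; the other seven are presumably already in the tree, but since the group runs by default (`GROUP_RUN_BY_DEFAULT[7]='Y'`), a listed ID without a matching check file would surface on every default run, so it is worth confirming each of them exists before merging. If the wider enablement is intended, a commit message or a comment next to the list saying so would save the next reader from the same question, and the existing comment style of this file (`# Extras 759 and 760 ... are not included`) is a natural place for it.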