From 9727d5a3ed0f35cd525ad90bf5cf12f60a381c7c Mon Sep 17 00:00:00 2001
From: AlexClineBB
Date: Wed, 31 May 2017 14:54:39 -0400
Subject: [PATCH 1/3] Set defaults for environment variables
This change sets the defaults for PROFILE and REGION before they're set by getopts, allowing us to add support for more options without needing to update the default setting code that happened after the options were parsed.
---
 prowler | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/prowler b/prowler
index 0babb90b..36ce43f0 100755
--- a/prowler
+++ b/prowler
@@ -45,8 +45,9 @@ RED=""
 YELLOW=""
 WHITE=""
-DEFULT_AWS_PROFILE="default"
-DEFAULT_AWS_REGION="us-east-1"
+# Set the defaults for these getopts variables
+PROFILE="default"
+REGION="us-east-1"
 # Command usage menu
 usage(){
@@ -160,11 +161,6 @@ else
 exit
 fi
-if [[ "$#" -le 2 ]]; then
- PROFILE=$DEFULT_AWS_PROFILE
- REGION=$DEFAULT_AWS_REGION
-fi
-
 if [[ ! -f ~/.aws/credentials ]]; then
 echo -e "\n$RED ERROR!$NORMAL AWS credentials file not found (~/.aws/credentials). Run 'aws configure' first. \n"
 return 1
From fc9b8a1d3c77b132fb1f199107af44be54c9ed16 Mon Sep 17 00:00:00 2001
From: AlexClineBB
Date: Wed, 31 May 2017 14:59:37 -0400
Subject: [PATCH 2/3] Add the option to filter API requests by region
This change adds the ability to perform checks against specific regions only. The -r option allows you to set the region that API requests are made against, but checks are always made against all regions. The -f allows you to filter which regions to run checks against.
---
 prowler | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/prowler b/prowler
index 36ce43f0..ef949a0a 100755
--- a/prowler
+++ b/prowler
@@ -48,21 +48,23 @@ WHITE=""
 # Set the defaults for these getopts variables
 PROFILE="default"
 REGION="us-east-1"
+FILTERREGION=""
 # Command usage menu
 usage(){
 echo -e "\nUSAGE: `basename $0` -p -r [ -h ] Options:
- -p specify your AWS profile to use (i.e.: default)
- -r specify a desired AWS region to use (i.e.: us-east-1)
- -c specify a check number or group from the AWS CIS benchmark (i.e.: check11 for check 1.1 or check3 for entire section 3)
- -h this help
+ -p specify your AWS profile to use (i.e.: default)
+ -r specify an AWS region to direct API requests to (i.e.: us-east-1)
+ -c specify a check number or group from the AWS CIS benchmark (i.e.: check11 for check 1.1 or check3 for entire section 3)
+ -f specify an AWS region to run checks against (i.e.: us-west-1)
+ -h this help
 "
 exit
 }
-while getopts "hp:r:c:" OPTION; do
+while getopts "hp:r:c:f:" OPTION; do
 case $OPTION in
 h )
 usage
@@ -77,6 +79,9 @@ while getopts "hp:r:c:" OPTION; do
 c )
 CHECKNUMBER=$OPTARG
 ;;
+ f )
+ FILTERREGION=$OPTARG
+ ;;
 : )
 echo -e "\n$RED ERROR!$NORMAL -$OPTARG requires an argument\n"
 exit 1
@@ -192,7 +197,7 @@ echo -e " |_|$NORMAL$BLUE CIS based AWS Account Hardening Tool$NORMAL\n"
 # Get whoami in AWS, who is the user running this shell script
 getWhoami() {
 echo -e "\nThis report is being generated using credentials below:\n"
- echo -e "AWS-CLI Profile: $NOTICE[$PROFILE]$NORMAL AWS Region: $NOTICE[$REGION]$NORMAL\n"
+ echo -e "AWS-CLI Profile: $NOTICE[$PROFILE]$NORMAL AWS API Region: $NOTICE[$REGION]$NORMAL AWS Filter Region: $NOTICE[${FILTERREGION:-all}]\n"
 $AWSCLI sts get-caller-identity --output table --profile $PROFILE --region $REGION
 }
@@ -228,7 +233,8 @@ cleanTemp(){
 REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' \
 --output text \
 --profile $PROFILE \
- --region $REGION)
+ --region $REGION \
+ --region-names $FILTERREGION)
 infoReferenceLong(){ # Report review note:
From 4439a5f18459f502d5843c9de598f98fde4a6c1f Mon Sep 17 00:00:00 2001
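Review bot: The new `AWS Filter Region: $NOTICE[${FILTERREGION:-all}]` field added to getWhoami's echo is not followed by `$NORMAL`, unlike the Profile and API Region fields on the same line, so the $NOTICE colour stays active through the trailing `\n` and into the sts get-caller-identity table that follows. Append the reset so the three fields read the same way: `AWS Filter Region: $NOTICE[${FILTERREGION:-all}]$NORMAL\n"`.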
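Review bot: `--region-names $FILTERREGION` is now passed to describe-regions unconditionally in the REGIONS assignment, but FILTERREGION defaults to the empty string set earlier in this same patch, so a run without -f sends a bare `--region-names` with no value; the aws CLI is expected to reject that, REGIONS then comes back empty, and every per-region check silently runs zero times, which in an audit tool reads as a clean account rather than as a failure. Make the argument conditional, keeping the current unquoted expansion so a space-separated list still works: replace the last line with `${FILTERREGION:+--region-names $FILTERREGION})`, and treat an empty result as fatal, e.g. `[[ -n "$REGIONS" ]] || { echo -e "\n$RED ERROR!$NORMAL could not list regions for profile $PROFILE\n"; exit 1; }` right after the assignment. Whether the installed CLI errors or merely warns on the empty value is inferred, not visible here, so confirm it against the target version.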
From: AlexClineBB
Date: Wed, 31 May 2017 15:05:04 -0400
Subject: [PATCH 3/3] Add a configuration option to configure max-items for large resources
This change adds a -m option which configures the --max-items API parameter for large AWS resources. Currently, SNS topic subscriptions are limited to the default of 100 items. SNS topics can easily surpass 100,000 subscriptions which is too many to show by default. Since check 3.15 is confirming that subscribers exist - not what they actually are - it's a waste to display all 100,000 entries.
---
 prowler | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/prowler b/prowler
index ef949a0a..35a4fd23 100755
--- a/prowler
+++ b/prowler
@@ -49,6 +49,7 @@ WHITE=""
 PROFILE="default"
 REGION="us-east-1"
 FILTERREGION=""
+MAXITEMS=100
 # Command usage menu
 usage(){
@@ -59,12 +60,13 @@ usage(){
 -r specify an AWS region to direct API requests to (i.e.: us-east-1)
 -c specify a check number or group from the AWS CIS benchmark (i.e.: check11 for check 1.1 or check3 for entire section 3)
 -f specify an AWS region to run checks against (i.e.: us-west-1)
+ -m specify the maximum number of items to return for long-running requests (default: 100)
 -h this help
 "
 exit
 }
-while getopts "hp:r:c:f:" OPTION; do
+while getopts "hp:r:c:f:m:" OPTION; do
 case $OPTION in
 h )
 usage
@@ -82,6 +84,9 @@ while getopts "hp:r:c:f:" OPTION; do
 f )
 FILTERREGION=$OPTARG
 ;;
+ m )
+ MAXITEMS=$OPTARG
+ ;;
 : )
 echo -e "\n$RED ERROR!$NORMAL -$OPTARG requires an argument\n"
 exit 1
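Review bot: The new `m )` arm stores $OPTARG into MAXITEMS with no validation, and later in this patch the value is spliced unquoted into an aws command line as `--max-items $MAXITEMS`, so an empty or non-numeric value surfaces as a confusing CLI failure deep inside check 3.15 (or, with embedded spaces, as extra arguments) instead of a usage error at startup. Validate in the arm before assigning, in the style of the existing `: )` arm: `[[ "$OPTARG" =~ ^[1-9][0-9]*$ ]] || { echo -e "\n$RED ERROR!$NORMAL -m requires a positive integer\n"; exit 1; }`. In the usage hunk above, the help text hard-codes `(default: 100)` while the real default lives in MAXITEMS; since the text is inside a double-quoted echo, `(default: $MAXITEMS)` keeps the two from drifting. The getopts loop and its case statement start and end outside these hunks.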
@@ -1004,7 +1009,7 @@ check315(){
 TOPICS_LIST=$($AWSCLI sns list-topics --profile $PROFILE --region $regx --output text --query 'Topics[*].TopicArn')
 if [[ $TOPICS_LIST ]];then
 for topic in $TOPICS_LIST; do
- CHECK_TOPIC_LIST=$($AWSCLI sns list-subscriptions-by-topic --topic-arn $topic --profile $PROFILE --region $regx --query 'Subscriptions[*].{Endpoint:Endpoint,Protocol:Protocol}' --output text)
+ CHECK_TOPIC_LIST=$($AWSCLI sns list-subscriptions-by-topic --topic-arn $topic --profile $PROFILE --region $regx --query 'Subscriptions[*].{Endpoint:Endpoint,Protocol:Protocol}' --output text --max-items $MAXITEMS | grep -v "None")
 if [[ $CHECK_TOPIC_LIST ]]; then
 TOPIC_SHORT=$(echo $topic | awk -F: '{ print $7 }')
 echo -e " $NOTICE Region $regx with Topic $TOPIC_SHORT: $NORMAL "
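Review bot: Piping the new list-subscriptions-by-topic call through `grep -v "None"` discards the aws exit status, so an AccessDenied, throttling or wrong-region failure leaves CHECK_TOPIC_LIST empty exactly as a topic with no subscribers does, and the `if [[ $CHECK_TOPIC_LIST ]]` test below cannot tell the two apart; for a compliance check that is a silent wrong answer rather than an error. Capture the CLI result first, report per topic when the call fails, and apply the None filter to the captured text; `grep -v "None"` is also a plain substring match, so any subscriber row whose endpoint text contains `None` would be dropped — if the intent is only the null-Endpoint row, anchoring the pattern (`^None`) is safer, though that relies on the text-output column order, which is inferred rather than visible here. Quoting `$MAXITEMS` and the other expansions on the rewritten line is a style choice that matches the input validation -m should get at parse time. check315's body continues outside the hunk on both sides.
```shell
      # … unchanged: TOPICS_LIST lookup and the for-loop header …
      if ! CHECK_TOPIC_LIST=$($AWSCLI sns list-subscriptions-by-topic --topic-arn "$topic" --profile "$PROFILE" --region "$regx" --query 'Subscriptions[*].{Endpoint:Endpoint,Protocol:Protocol}' --output text --max-items "$MAXITEMS"); then
        echo -e "\n$RED ERROR!$NORMAL could not list subscriptions for $topic in $regx; check 3.15 result for this topic is unknown\n"
        continue
      fi
      CHECK_TOPIC_LIST=$(grep -v "None" <<<"$CHECK_TOPIC_LIST")
      # … unchanged: TOPIC_SHORT extraction and report output …
```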