Merge pull request #446 from zfLQ2qx2/cleanup_temp_files

Try to make sure prowler cleans up its temporary files
This commit is contained in:
Toni de la Fuente
2019-12-31 15:21:33 +01:00
committed by GitHub
6 changed files with 22 additions and 14 deletions


@@ -36,10 +36,10 @@ extra716(){
else
textPass "$regx: $domain is in a VPC" "$regx"
fi
rm -f $TEMP_POLICY_FILE
done
else
textInfo "$regx: No Elasticsearch Service domain found" "$regx"
fi
rm -fr $TEMP_POLICY_FILE
done
}
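Review bot: The per-domain `rm -f $TEMP_POLICY_FILE` now sitting inside the inner loop releases the path while the loop keeps running, and the mktemp call is not visible in this hunk; if it runs once before the loop, the next iteration's redirection recreates the file at that now-predictable name in a shared temp directory and the protection mktemp gave is lost, so mktemp should run inside the loop next to the write (as extra77 does in this same PR) — extra764 deserves the same check. The expansion is unquoted; `rm -f -- "$TEMP_POLICY_FILE"` is safer when TMPDIR contains spaces. extra716's body begins outside the hunk, so the mktemp placement cannot be confirmed here.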


@@ -10,6 +10,7 @@
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra73="7.3,7.03"
CHECK_TITLE_extra73="[extra73] Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra73="NOT_SCORED"
@@ -176,5 +177,5 @@ extra73(){
# else
# textOK "$BUCKET_LOCATION: $bucket bucket is not open" "$BUCKET_LOCATION"
# fi
# rm -fr $TEMP_POLICY_FILE
# rm -f $TEMP_POLICY_FILE
# }


@@ -42,15 +42,15 @@ extra734(){
TEMP_SSE_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-${bucket}.policy.XXXXXXXXXX)
# get bucket policy
$AWSCLI s3api get-bucket-policy $PROFILE_OPT --bucket $bucket --output text --query Policy > $TEMP_SSE_POLICY_FILE 2> /dev/null
$AWSCLI s3api get-bucket-policy $PROFILE_OPT --bucket $bucket --output text --query Policy > $TEMP_SSE_POLICY_FILE 2>&1
if [[ $(grep AccessDenied $TEMP_SSE_POLICY_FILE) ]]; then
textFail "Access Denied Trying to Get Bucket Policy for $bucket"
rm -fr $TEMP_SSE_POLICY_FILE
rm -f $TEMP_SSE_POLICY_FILE
continue
fi
if [[ $(grep NoSuchBucketPolicy $TEMP_SSE_POLICY_FILE) ]]; then
textFail "No bucket policy for $bucket"
rm -fr $TEMP_SSE_POLICY_FILE
rm -f $TEMP_SSE_POLICY_FILE
continue
fi
@@ -58,14 +58,14 @@ extra734(){
CHECK_BUCKET_SSE_POLICY_PRESENT=$(cat $TEMP_SSE_POLICY_FILE | jq --arg arn "arn:aws:s3:::${bucket}/*" '.Statement[]|select(.Effect=="Deny" and ((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*") and .Action=="s3:PutObject" and .Resource==$arn and .Condition.StringEquals."s3:x-amz-server-side-encryption" != null)')
if [[ $CHECK_BUCKET_SSE_POLICY_PRESENT == "" ]]; then
textFail "Bucket $bucket does not enforce encryption!"
rm -fr $TEMP_SSE_POLICY_FILE
rm -f $TEMP_SSE_POLICY_FILE
continue
fi
CHECK_BUCKET_SSE_POLICY_VALUE=$(echo "$CHECK_BUCKET_SSE_POLICY_PRESENT" | jq -r '.Condition.StringNotEquals."s3:x-amz-server-side-encryption"')
textPass "Bucket $bucket has S3 bucket policy to enforce encryption with $CHECK_BUCKET_SSE_POLICY_VALUE"
rm -fr $TEMP_SSE_POLICY_FILE
rm -f $TEMP_SSE_POLICY_FILE
done
else
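Review bot: The jq filter on the `CHECK_BUCKET_SSE_POLICY_PRESENT` line is left untouched but appears to mis-parse: jq binds `and` tighter than `or`, so the select reads as `(Effect=="Deny" and object-Principal "*") or (string-Principal "*" and Action and Resource and Condition)`, meaning any Deny statement with `"Principal":{"AWS":"*"}` yields a pass regardless of action, resource or condition, while the string-principal branch never requires `Effect=="Deny"`; grouping the two principal forms, `select(.Effect=="Deny" and (((.Principal|type)=="object" and .Principal.AWS=="*") or ((.Principal|type)=="string" and .Principal=="*")) and .Action=="s3:PutObject" and .Resource==$arn and .Condition.StringEquals."s3:x-amz-server-side-encryption" != null)`, restores the intended check. That select also keys on `.Condition.StringEquals` while the next line reads `.Condition.StringNotEquals`; one of the two is presumably wrong — confirm against the policy shape the check expects. In the first hunk, sending stderr into the policy file (`2>&1`) means a policy whose own text contains `AccessDenied` or `NoSuchBucketPolicy` would be misreported; matching the CLI's `An error occurred (...)` prefix with `grep -q` would be safer than a bare substring. The `$TEMP_SSE_POLICY_FILE` expansions stay unquoted throughout (`rm -f -- "$TEMP_SSE_POLICY_FILE"`), as do the equivalents in extra764 and extra77. extra734's body starts and ends outside these hunks.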


@@ -26,10 +26,12 @@ extra764(){
$AWSCLI s3api get-bucket-policy $PROFILE_OPT --bucket $bucket --output text --query Policy > $TEMP_STP_POLICY_FILE 2>&1
if [[ $(grep AccessDenied $TEMP_STP_POLICY_FILE) ]]; then
textFail "Access Denied Trying to Get Bucket Policy for $bucket"
rm -f $TEMP_STP_POLICY_FILE
continue
fi
if [[ $(grep NoSuchBucketPolicy $TEMP_STP_POLICY_FILE) ]]; then
textFail "No bucket policy for $bucket"
rm -f $TEMP_STP_POLICY_FILE
continue
fi


@@ -28,16 +28,18 @@ extra77(){
continue
fi
if [[ ! -z "$LIST_ECR_REPOS" ]]; then
TEMP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-ecr-repo.policy.XXXXXXXXXX)
for repo in $LIST_ECR_REPOS; do
TEMP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-ecr-repo.policy.XXXXXXXXXX)
$AWSCLI ecr get-repository-policy $PROFILE_OPT --region $region --repository-name $repo --query "policyText" --output text > $TEMP_POLICY_FILE 2>&1
if [[ $(grep AccessDenied $TEMP_POLICY_FILE) ]]; then
textFail "$region: $repo Access Denied for get-repository-policy"
rm -f $TEMP_POLICY_FILE
continue
fi
# https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policies.html - "By default, only the repository owner has access to a repository."
if [[ $(grep RepositoryPolicyNotFoundException $TEMP_POLICY_FILE) ]]; then
textPass "$region: $repo is not open" "$region"
rm -f $TEMP_POLICY_FILE
continue
fi
# check if the policy has Principal as *
@@ -47,8 +49,8 @@ extra77(){
else
textPass "$region: $repo is not open" "$region"
fi
rm -f $TEMP_POLICY_FILE
done
rm -f $TEMP_POLICY_FILE
else
textInfo "$region: No ECR repositories found" "$region"
fi
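Review bot: The mktemp now run per repository at the top of the loop is unchecked; if it fails, `TEMP_POLICY_FILE` is empty, the redirect fails, and the unquoted `grep AccessDenied $TEMP_POLICY_FILE` reads standard input instead of a file. A guard on that line, `TEMP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-ecr-repo.policy.XXXXXXXXXX) || { textFail "$region: $repo cannot create temp policy file"; continue; }`, keeps the loop honest; the mktemp in extra734 has the same gap. The three `rm -f` lines and the redirect should quote the expansion, `rm -f -- "$TEMP_POLICY_FILE"`. extra77's body continues between the two hunks and after the second one.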

prowler

@@ -177,6 +177,9 @@ while getopts ":hlLkqp:r:c:g:f:m:M:E:enbVsx:A:R:T:" OPTION; do
esac
done
# Clean up any temp files when prowler quits unexpectedly
trap "{ rm -f /tmp/prowler*.policy.*; }" EXIT
. $PROWLER_DIR/include/colors
. $PROWLER_DIR/include/os_detector
. $PROWLER_DIR/include/aws_profile_loader
@@ -210,12 +213,12 @@ for checks in $(ls $PROWLER_DIR/checks/check*|grep -v check_sample); do
. "$checks"
done
# include checks if external folder is specified
if [[ $EXTERNAL_CHECKS_PATH ]]; then
# include checks if external folder is specified
if [[ $EXTERNAL_CHECKS_PATH ]]; then
for checks in $(ls $EXTERNAL_CHECKS_PATH/check*); do
. "$checks"
done
fi
fi
# Function to show the title of the check
# using this way instead of arrays to keep bash3 (osx) and bash4(linux) compatibility
@@ -308,7 +311,7 @@ execute_group_by_id() {
done
}
# Function to execute all checks in all groups except extras if -e is invoked
# Function to execute all checks in all groups except extras if -e is invoked
execute_all() {
for i in "${!GROUP_TITLE[@]}"; do
if [[ $EXTRAS ]]; then
@@ -325,7 +328,7 @@ show_all_titles() {
MAIN_GROUPS=(1 2 3 4 7)
for i in "${MAIN_GROUPS[@]}"; do
show_group_title $i
# Display the title of the checks in groups 1,2,3,4 and 7
# Display the title of the checks in groups 1,2,3,4 and 7
# Any other group has checks in these groups
IFS=',' read -ra CHECKS <<< ${GROUP_CHECKS[$i]}
for j in ${CHECKS[@]}; do
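Review bot: The EXIT trap in the first hunk hard-codes `/tmp`, while every check creates its file with `mktemp -t`, which honours `TMPDIR`; where `TMPDIR` points elsewhere (macOS sets a per-user one by default) the trap removes nothing. The glob `/tmp/prowler*.policy.*` is also wider than this run's own files: a second prowler process under the same user exiting in that directory deletes files a concurrent run is still reading, and that run's checks then grep missing files and report on that. A tighter form is one directory per run, `PROWLER_TMPDIR=$(mktemp -d -t prowler.XXXXXXXXXX) || exit 1` with `trap 'rm -rf -- "$PROWLER_TMPDIR"' EXIT`, and the checks' calls changed to `mktemp "$PROWLER_TMPDIR/<name>.XXXXXXXXXX"`; at minimum the pattern should use `${TMPDIR:-/tmp}`. The remaining hunks in this file appear to be indentation and comment changes only.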