diff --git a/checks/check_extra716 b/checks/check_extra716
index ea459098..404462b1 100644
--- a/checks/check_extra716
+++ b/checks/check_extra716
@@ -36,10 +36,10 @@ extra716(){
 else
 textPass "$regx: $domain is in a VPC" "$regx"
 fi
+ rm -f $TEMP_POLICY_FILE
 done
 else
 textInfo "$regx: No Elasticsearch Service domain found" "$regx"
 fi
- rm -fr $TEMP_POLICY_FILE
 done
 }
diff --git a/checks/check_extra73 b/checks/check_extra73
index 8e203b79..04996754 100644
--- a/checks/check_extra73
+++ b/checks/check_extra73
@@ -10,6 +10,7 @@
 # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
+
 CHECK_ID_extra73="7.3,7.03"
 CHECK_TITLE_extra73="[extra73] Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra73="NOT_SCORED"
@@ -176,5 +177,5 @@ extra73(){
 # else
 # textOK "$BUCKET_LOCATION: $bucket bucket is not open" "$BUCKET_LOCATION"
 # fi
-# rm -fr $TEMP_POLICY_FILE
+# rm -f $TEMP_POLICY_FILE
 # }
diff --git a/checks/check_extra734 b/checks/check_extra734
index 26c5fbcf..bebd2bfc 100644
--- a/checks/check_extra734
+++ b/checks/check_extra734
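Review bot: The `rm -f $TEMP_POLICY_FILE` now runs on every iteration of the inner `done` loop, but the hunk does not show where `TEMP_POLICY_FILE` is created; if the `mktemp` call still sits once above that loop (as check_extra77 had it before this commit), the second domain's `> $TEMP_POLICY_FILE` redirection recreates the just-deleted name with a plain open instead of mktemp's exclusive create, which gives up the reuse protection `mktemp` provides in a shared temp directory. Move the `mktemp` call into the same loop as the `rm`, as check_extra77 does in this commit, so each domain gets a fresh file. The path should also be quoted and option-terminated, `rm -f -- "$TEMP_POLICY_FILE"`. extra716 begins before this hunk, so the mktemp placement cannot be confirmed from here.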
@@ -42,15 +42,15 @@ extra734(){
 TEMP_SSE_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-${bucket}.policy.XXXXXXXXXX)
 # get bucket policy
- $AWSCLI s3api get-bucket-policy $PROFILE_OPT --bucket $bucket --output text --query Policy > $TEMP_SSE_POLICY_FILE 2> /dev/null
+ $AWSCLI s3api get-bucket-policy $PROFILE_OPT --bucket $bucket --output text --query Policy > $TEMP_SSE_POLICY_FILE 2>&1
 if [[ $(grep AccessDenied $TEMP_SSE_POLICY_FILE) ]]; then
 textFail "Access Denied Trying to Get Bucket Policy for $bucket"
- rm -fr $TEMP_SSE_POLICY_FILE
+ rm -f $TEMP_SSE_POLICY_FILE
 continue
 fi
 if [[ $(grep NoSuchBucketPolicy $TEMP_SSE_POLICY_FILE) ]]; then
 textFail "No bucket policy for $bucket"
- rm -fr $TEMP_SSE_POLICY_FILE
+ rm -f $TEMP_SSE_POLICY_FILE
 continue
 fi
@@ -58,14 +58,14 @@ extra734(){
 CHECK_BUCKET_SSE_POLICY_PRESENT=$(cat $TEMP_SSE_POLICY_FILE | jq --arg arn "arn:aws:s3:::${bucket}/*" '.Statement[]|select(.Effect=="Deny" and ((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*") and .Action=="s3:PutObject" and .Resource==$arn and .Condition.StringEquals."s3:x-amz-server-side-encryption" != null)')
 if [[ $CHECK_BUCKET_SSE_POLICY_PRESENT == "" ]]; then
 textFail "Bucket $bucket does not enforce encryption!"
- rm -fr $TEMP_SSE_POLICY_FILE
+ rm -f $TEMP_SSE_POLICY_FILE
 continue
 fi
 CHECK_BUCKET_SSE_POLICY_VALUE=$(echo "$CHECK_BUCKET_SSE_POLICY_PRESENT" | jq -r '.Condition.StringNotEquals."s3:x-amz-server-side-encryption"')
 textPass "Bucket $bucket has S3 bucket policy to enforce encryption with $CHECK_BUCKET_SSE_POLICY_VALUE"
- rm -fr $TEMP_SSE_POLICY_FILE
+ rm -f $TEMP_SSE_POLICY_FILE
 done
 else
diff --git a/checks/check_extra764 b/checks/check_extra764
index 86d1e47f..6fd2c513 100644
--- a/checks/check_extra764
+++ b/checks/check_extra764
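Review bot: With stderr now redirected into `$TEMP_SSE_POLICY_FILE` (`2>&1`), the only failures the loop recognises are the two it greps for, `AccessDenied` and `NoSuchBucketPolicy`; any other aws-cli failure (expired credentials, throttling, a wrong region) leaves the error text in the file, both greps miss, and the second hunk feeds that text to `jq`, which yields an empty `CHECK_BUCKET_SSE_POLICY_PRESENT` and a misleading "does not enforce encryption!" finding. Capture the command's exit status on the line after the `$AWSCLI` call and fail explicitly once the two known cases have been handled, so transient errors are reported as errors rather than as policy findings. The same pattern is added in check_extra764 and check_extra77 by this commit. Quoting the path, `rm -f -- "$TEMP_SSE_POLICY_FILE"`, and `grep -q` instead of `[[ $(grep …) ]]` would also fit the rest of the change.
```shell
      $AWSCLI s3api get-bucket-policy $PROFILE_OPT --bucket $bucket --output text --query Policy > "$TEMP_SSE_POLICY_FILE" 2>&1
      rc=$?
      # … unchanged: AccessDenied and NoSuchBucketPolicy branches …
      if (( rc != 0 )); then
        textFail "Error getting bucket policy for $bucket"
        rm -f -- "$TEMP_SSE_POLICY_FILE"
        continue
      fi
```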
@@ -26,10 +26,12 @@ extra764(){
 $AWSCLI s3api get-bucket-policy $PROFILE_OPT --bucket $bucket --output text --query Policy > $TEMP_STP_POLICY_FILE 2>&1
 if [[ $(grep AccessDenied $TEMP_STP_POLICY_FILE) ]]; then
 textFail "Access Denied Trying to Get Bucket Policy for $bucket"
+ rm -f $TEMP_STP_POLICY_FILE
 continue
 fi
 if [[ $(grep NoSuchBucketPolicy $TEMP_STP_POLICY_FILE) ]]; then
 textFail "No bucket policy for $bucket"
+ rm -f $TEMP_STP_POLICY_FILE
 continue
 fi
diff --git a/checks/check_extra77 b/checks/check_extra77
index 886184c8..cfd1078a 100644
--- a/checks/check_extra77
+++ b/checks/check_extra77
@@ -28,16 +28,18 @@ extra77(){
 continue
 fi
 if [[ ! -z "$LIST_ECR_REPOS" ]]; then
- TEMP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-ecr-repo.policy.XXXXXXXXXX)
 for repo in $LIST_ECR_REPOS; do
+ TEMP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-ecr-repo.policy.XXXXXXXXXX)
 $AWSCLI ecr get-repository-policy $PROFILE_OPT --region $region --repository-name $repo --query "policyText" --output text > $TEMP_POLICY_FILE 2>&1
 if [[ $(grep AccessDenied $TEMP_POLICY_FILE) ]]; then
 textFail "$region: $repo Access Denied for get-repository-policy"
+ rm -f $TEMP_POLICY_FILE
 continue
 fi
 # https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policies.html - "By default, only the repository owner has access to a repository."
 if [[ $(grep RepositoryPolicyNotFoundException $TEMP_POLICY_FILE) ]]; then
 textPass "$region: $repo is not open" "$region"
+ rm -f $TEMP_POLICY_FILE
 continue
 fi
 # check if the policy has Principal as *
@@ -47,8 +49,8 @@ extra77(){
 else
 textPass "$region: $repo is not open" "$region"
 fi
+ rm -f $TEMP_POLICY_FILE
 done
- rm -f $TEMP_POLICY_FILE
 else
 textInfo "$region: No ECR repositories found" "$region"
 fi
diff --git a/prowler b/prowler
index 8677e0c7..57315da3 100755
--- a/prowler
+++ b/prowler
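Review bot: The cleanup is now repeated on every `continue` path in check_extra764 and check_extra77, each time with an unquoted, unterminated path (`rm -f $TEMP_STP_POLICY_FILE`, `rm -f $TEMP_POLICY_FILE`); ShellCheck flags each of these (SC2086), and `rm -f -- "$TEMP_POLICY_FILE"` costs nothing. If the early `continue`s were folded into an `if`/`elif`/`else` chain, a single `rm` at the end of the loop body would replace the three copies and make it harder to forget on the next branch that is added. Moving `mktemp` inside the `for repo` loop in check_extra77 is the right fix: each iteration now gets a fresh exclusively-created file instead of reopening a deleted name with `>`. The non-error cleanup in check_extra764 lies outside this hunk and could not be checked; both extra764 and extra77 begin before their hunks.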
@@ -177,6 +177,9 @@ while getopts ":hlLkqp:r:c:g:f:m:M:E:enbVsx:A:R:T:" OPTION; do
 esac
 done
+# Clean up any temp files when prowler quits unexpectedly
+trap "{ rm -f /tmp/prowler*.policy.*; }" EXIT
+
 . $PROWLER_DIR/include/colors
 . $PROWLER_DIR/include/os_detector
 . $PROWLER_DIR/include/aws_profile_loader
@@ -210,12 +213,12 @@ for checks in $(ls $PROWLER_DIR/checks/check*|grep -v check_sample); do
 . "$checks"
 done
-# include checks if external folder is specified
-if [[ $EXTERNAL_CHECKS_PATH ]]; then
+# include checks if external folder is specified
+if [[ $EXTERNAL_CHECKS_PATH ]]; then
 for checks in $(ls $EXTERNAL_CHECKS_PATH/check*); do
 . "$checks"
 done
-fi
+fi
 # Function to show the title of the check
 # using this way instead of arrays to keep bash3 (osx) and bash4(linux) compatibility
@@ -308,7 +311,7 @@ execute_group_by_id() {
 done
 }
-# Function to execute all checks in all groups except extras if -e is invoked
+# Function to execute all checks in all groups except extras if -e is invoked
 execute_all() {
 for i in "${!GROUP_TITLE[@]}"; do
 if [[ $EXTRAS ]]; then
@@ -325,7 +328,7 @@ show_all_titles() {
 MAIN_GROUPS=(1 2 3 4 7)
 for i in "${MAIN_GROUPS[@]}"; do
 show_group_title $i
- # Display the title of the checks in groups 1,2,3,4 and 7
+ # Display the title of the checks in groups 1,2,3,4 and 7
 # Any other group has checks in these groups
 IFS=',' read -ra CHECKS <<< ${GROUP_CHECKS[$i]}
 for j in ${CHECKS[@]}; do
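Review bot: The new EXIT trap removes `/tmp/prowler*.policy.*` by glob rather than the files this process created, so two prowler runs under the same user (parallel CI invocations, for instance) delete each other's in-flight policy files, turning a check mid-loop into an empty read and a wrong finding; and because the checks create their files with `mktemp -t`, which honours `$TMPDIR`, the trap cleans nothing where `$TMPDIR` is not `/tmp` (macOS sets one under /var/folders), so the leak this commit addresses persists there. A per-run directory ties cleanup to the process: `PROWLER_TMPDIR=$(mktemp -d -t prowler.XXXXXXXXXX) || exit 1`, `export TMPDIR="$PROWLER_TMPDIR"`, `trap 'rm -rf -- "${PROWLER_TMPDIR:?}"' EXIT`, after which the existing `mktemp -t` calls in the checks land inside it unchanged. The other three hunks in this file are whitespace-only.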