From b4669a2a72c99a1b132d1808910fd33e179c60b9 Mon Sep 17 00:00:00 2001 From: n4ch04 <59198746+n4ch04@users.noreply.github.com> Date: Fri, 11 Feb 2022 10:54:32 +0100 Subject: [PATCH] fix(check41/42): Added tcp protocol filter to query (#1035) * fix(check41/42): Added tcp protocol filter to query * Include {} in vars Co-authored-by: Pepe Fagoaga * Include {} in vars Co-authored-by: Pepe Fagoaga Co-authored-by: Pepe Fagoaga --- checks/check41 | 2 +- checks/check42 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/checks/check41 b/checks/check41
index 33e87109..621aa522 100644
--- a/checks/check41
+++ b/checks/check41
@@ -29,7 +29,7 @@ CHECK_CAF_EPIC_check41='Infrastructure Security'
 check41(){
 # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)"
 for regx in $REGIONS; do
- SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`22` && ToPort>=`22`)) && (contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`))]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text 2>&1)
+ SG_LIST=$("${AWSCLI}" ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`22` && ToPort>=`22`)) && (contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`)) && (IpProtocol==`tcp`)]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region "${regx}" --output text 2>&1)
 if [[ $(echo "$SG_LIST" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
 textInfo "$regx: Access Denied trying to describe security groups" "$regx"
 continue
diff --git a/checks/check42 b/checks/check42
index 71c67838..4b0e54ed 100644
--- a/checks/check42
+++ b/checks/check42
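Review bot: The added ``(IpProtocol==`tcp`)`` filter on the new SG_LIST line makes the ``(FromPort==null && ToPort==null)`` branch of the same expression effectively unreachable, because a tcp rule always carries a port range, and that branch is what caught all-protocol (`-1`) rules — which, as far as I can tell, are returned without FromPort/ToPort — so a group that allows all traffic from 0.0.0.0/0 or ::/0 still exposes port 22 yet is now silently passed by the check. The same regression is in the check42 hunk for port 3389. Proposed change in both checks: replace the added filter with ``(IpProtocol==`tcp` || IpProtocol==`-1`)`` so the null-port branch keeps matching the rules it was written for. Minor consistency point: the check42 line has a stray space before `])` that the check41 line does not. The check41 function continues outside the hunk.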
@@ -29,7 +29,7 @@ CHECK_CAF_EPIC_check42='Infrastructure Security'
 check42(){
 # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)"
 for regx in $REGIONS; do
- SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`3389` && ToPort>=`3389`)) && (contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`))]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text 2>&1)
+ SG_LIST=$("${AWSCLI}" ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`3389` && ToPort>=`3389`)) && (contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`)) && (IpProtocol==`tcp`) ]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region "${regx}" --output text 2>&1)
 if [[ $(echo "$SG_LIST" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
 textInfo "$regx: Access Denied trying to describe security groups" "$regx"
 continue