ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-12 07:45:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Consolidated titles and outputs including resource ID in ASFF

Browse Source
This commit is contained in:
Toni de la Fuente
2021-07-05 20:17:27 +02:00
parent a9f277e131
commit c09385976a
148 changed files with 415 additions and 452 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
include/check3x
View File

@@ -18,7 +18,7 @@ check3x(){
# be based only on CloudTrail tail with CloudWatchLog configuration.
DESCRIBE_TRAILS_CACHE=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[?CloudWatchLogsLogGroupArn != `null`]' 2>&1)
if [[ $(echo "$DESCRIBE_TRAILS_CACHE" | grep AccessDenied) ]]; then
textFail "Access Denied trying to describe trails in $REGION"
textFail "$REGION: Access Denied trying to describe trails in $REGION" "$REGION" "$group"
return
fi
@@ -63,7 +63,7 @@ check3x(){
for group in $CHECK_OK; do
metric=${group#*:}
group=${group%:*}
textPass "CloudWatch group $group found with metric filter $metric and alarms set"
textPass "$REGION: CloudWatch group $group found with metric filter $metric and alarms set" "$REGION" "$group"
done
fi
if [[ $CHECK_WARN ]]; then
@@ -72,15 +72,15 @@ check3x(){
*:*) metric=${group#*:}
group=${group%:*}
if [[ $pass_count == 0 ]]; then
textFail "CloudWatch group $group found with metric filter $metric but no alarms associated"
textFail "$REGION: CloudWatch group $group found with metric filter $metric but no alarms associated" "$REGION" "$group"
else
textInfo "CloudWatch group $group found with metric filter $metric but no alarms associated"
textInfo "$REGION: CloudWatch group $group found with metric filter $metric but no alarms associated" "$REGION" "$group"
fi
;;
*) if [[ $pass_count == 0 ]]; then
textFail "CloudWatch group $group found but no metric filters or alarms associated"
textFail "$REGION: CloudWatch group $group found but no metric filters or alarms associated" "$REGION" "$group"
else
textInfo "CloudWatch group $group found but no metric filters or alarms associated"
textInfo "$REGION: CloudWatch group $group found but no metric filters or alarms associated" "$REGION" "$group"
fi
;;
esac
@@ -88,10 +88,10 @@ check3x(){
fi
if [[ $CHECK_CROSS_ACCOUNT_WARN ]]; then
for group in $CHECK_CROSS_ACCOUNT_WARN; do
textInfo "CloudWatch group $group is not in this account"
textInfo "$REGION: CloudWatch group $group is not in this account" "$REGION" "$group"
done
fi
else
textFail "No CloudWatch group found for CloudTrail events"
textFail "$REGION: No CloudWatch group found for CloudTrail events" "$REGION" "$group"
fi
}

20
include/check_creds_last_used
View File

@@ -69,23 +69,23 @@ check_passwords_used_in_last_days() {
# "When password_enabled is set to TRUE and password_last_used is set to no_information, ensure password_last_changed is less than X days ago"
if [[ "$days_since_password_last_changed" -ge "$max_days" ]]; then
textFail "User $user has never logged into the console since creation and their password not changed in the past ${max_days} days"
textFail "$REGION: User $user has never logged into the console since creation and their password not changed in the past ${max_days} days" "$REGION" "$user"
else
textInfo "User $user has not logged into the console since creation"
textInfo "$REGION: User $user has not logged into the console since creation" "$REGION" "$user"
fi
else
days_password_not_in_use=$(how_older_from_today "${last_login_date%T*}")
# "For each user having password_enabled set to TRUE, ensure password_last_used_date is less than X days ago."
if [[ "$days_password_not_in_use" -ge "$max_days" ]]; then
textFail "User $user has not logged into the console in the past ${max_days} days"
textFail "$REGION: User $user has not logged into the console in the past ${max_days} days" "$REGION" "$user"
else
textPass "User $user has logged into the console in the past ${max_days} days"
textPass "$REGION: User $user has logged into the console in the past ${max_days} days" "$REGION" "$user"
fi
fi
done
else
textPass "No users found with password enabled"
textPass "$REGION: No users found with password enabled" "$REGION" "$user"
fi
}
@@ -122,22 +122,22 @@ check_access_key_used_in_last_days() {
# "When a user having an access_key_x_active (where x is 1 or 2) to TRUE and corresponding access_key_x_last_used_date is set to N/A,
# ensure access_key_x_last_rotated is less than X days ago"
if [[ "$days_since_access_key_rotated" -ge "$max_days" ]]; then
textFail "User $user has never used access key $access_key_name since creation and not rotated it in the past ${max_days} days"
textFail "$REGION: User $user has never used access key $access_key_name since creation and not rotated it in the past ${max_days} days" "$REGION" "$user"
else
textInfo "User $user has not used access key $access_key_name since creation"
textInfo "$REGION: User $user has not used access key $access_key_name since creation" "$REGION" "$user"
fi
else
days_since_access_key_used=$(how_older_from_today "${access_key_last_used_date%T*}")
# "For each user having an access_key_1_active or access_key_2_active to TRUE, ensure the corresponding access_key_n_last_used_date is less than X days ago"
if [[ "$days_since_access_key_used" -ge "$max_days" ]]; then
textFail "User $user has not used access key $access_key_name in the past ${max_days} days"
textFail "$REGION: User $user has not used access key $access_key_name in the past ${max_days} days" "$REGION" "$user"
else
textPass "User $user has used access key $access_key_name in the past ${max_days} days"
textPass "$REGION: User $user has used access key $access_key_name in the past ${max_days} days" "$REGION" "$user"
fi
fi
done
else
textPass "No users found with access key $access_key_name enabled"
textPass "$REGION: No users found with access key $access_key_name enabled" "$REGION" "$user"
fi
}

44
include/outputs
View File

@@ -15,7 +15,7 @@
EXTENSION_CSV="csv"
EXTENSION_JSON="json"
EXTENSION_ASFF="asff-json"
EXTENSION_ASFF="asff.json"
EXTENSION_TEXT="txt"
EXTENSION_HTML="html"
OUTPUT_DATE=$(date -u +"%Y%m%d%H%M%S")
@@ -72,6 +72,11 @@ if [[ $MODE ]];then
fi
fi
# textInfo "HTML report will be saved: ${OUTPUT_FILE_NAME}.$EXTENSION_HTML"
# textInfo "JSON ASFF report will be saved: ${OUTPUT_FILE_NAME}.$EXTENSION_ASFF"
# textInfo "CSV report will be saved: ${OUTPUT_FILE_NAME}.$EXTENSION_CSV"
# textInfo "JSON report will be saved: ${OUTPUT_FILE_NAME}.$EXTENSION_JSON"
if [[ $PROFILE == "" ]];then
PROFILE="ENV"
fi
@@ -92,23 +97,23 @@ textPass(){
REPREGION=$REGION
fi
if [[ "${MODES[@]}" =~ "csv" ]]; then
echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}$CHECK_RESULT${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$CHECK_RESULT_EXTENDED${SEP}$CHECK_ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME${SEP}$CHECK_ASFF_RESOURCE_TYPE${SEP}$CHECK_ASFF_TYPE${SEP}$CHECK_RISK${SEP}$CHECK_REMEDIATION${SEP}$CHECK_DOC${SEP}$CHECK_CAF_EPIC${SEP}$CHECK_RESOURCE_ID" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV
echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}$CHECK_RESULT${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$CHECK_RESULT_EXTENDED${SEP}$CHECK_ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME${SEP}$CHECK_ASFF_RESOURCE_TYPE${SEP}$CHECK_ASFF_TYPE${SEP}$CHECK_RISK${SEP}$CHECK_REMEDIATION${SEP}$CHECK_DOC${SEP}$CHECK_CAF_EPIC${SEP}$CHECK_RESOURCE_ID" >> ${OUTPUT_FILE_NAME}.$EXTENSION_CSV
fi
if [[ "${MODES[@]}" =~ "json" ]]; then
generateJsonOutput "$1" "Pass" "$CHECK_RESOURCE_ID" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_JSON
generateJsonOutput "$1" "Pass" "$CHECK_RESOURCE_ID" >> ${OUTPUT_FILE_NAME}.$EXTENSION_JSON
fi
if [[ "${MODES[@]}" =~ "json-asff" ]]; then
JSON_ASFF_OUTPUT=$(generateJsonAsffOutput "$1" "PASSED" "$CHECK_RESOURCE_ID")
echo "${JSON_ASFF_OUTPUT}" | tee -a $OUTPUT_FILE_NAME.$EXTENSION_ASFF
echo "${JSON_ASFF_OUTPUT}" >> $OUTPUT_FILE_NAME.$EXTENSION_ASFF
if [[ "${SEND_TO_SECURITY_HUB}" -eq 1 ]]; then
sendToSecurityHub "${JSON_ASFF_OUTPUT}" "${REPREGION}"
sendToSecurityHub "${JSON_ASFF_OUTPUT}" "${REPREGION}"
fi
fi
if is_junit_output_enabled; then
output_junit_success "$1"
fi
if [[ "${MODES[@]}" =~ "mono" ]]; then
echo " $OK PASS!$NORMAL $1" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_TEXT
echo " $OK PASS!$NORMAL $1" >> ${OUTPUT_FILE_NAME}.$EXTENSION_TEXT
fi
if [[ "${MODES[@]}" =~ "text" || "${MODES[@]}" =~ "mono" ]]; then
echo " $OK PASS!$NORMAL $1"
@@ -133,16 +138,16 @@ textInfo(){
REPREGION=$REGION
fi
if [[ "${MODES[@]}" =~ "csv" ]]; then
echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}$CHECK_RESULT${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$CHECK_RESULT_EXTENDED${SEP}$CHECK_ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME${SEP}$CHECK_ASFF_RESOURCE_TYPE${SEP}$CHECK_ASFF_TYPE${SEP}$CHECK_RISK${SEP}$CHECK_REMEDIATION${SEP}$CHECK_DOC${SEP}$CHECK_CAF_EPIC${SEP}$CHECK_RESOURCE_ID" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV
echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}$CHECK_RESULT${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$CHECK_RESULT_EXTENDED${SEP}$CHECK_ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME${SEP}$CHECK_ASFF_RESOURCE_TYPE${SEP}$CHECK_ASFF_TYPE${SEP}$CHECK_RISK${SEP}$CHECK_REMEDIATION${SEP}$CHECK_DOC${SEP}$CHECK_CAF_EPIC${SEP}$CHECK_RESOURCE_ID" >> ${OUTPUT_FILE_NAME}.$EXTENSION_CSV
fi
if [[ "${MODES[@]}" =~ "json" ]]; then
generateJsonOutput "$1" "Info" "$CHECK_RESOURCE_ID" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON}
generateJsonOutput "$1" "Info" "$CHECK_RESOURCE_ID" >> ${OUTPUT_FILE_NAME}.${EXTENSION_JSON}
fi
if is_junit_output_enabled; then
output_junit_info "$1"
fi
if [[ "${MODES[@]}" =~ "mono" ]]; then
echo " $NOTICE INFO! $1 $NORMAL" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_TEXT
echo " $NOTICE INFO! $1 $NORMAL" >> ${OUTPUT_FILE_NAME}.$EXTENSION_TEXT
fi
if [[ "${MODES[@]}" =~ "text" ]]; then
echo " $NOTICE INFO! $1 $NORMAL"
@@ -189,14 +194,14 @@ textFail(){
fi
if [[ "${MODES[@]}" =~ "csv" ]]; then
echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}$CHECK_RESULT${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$CHECK_RESULT_EXTENDED${SEP}$CHECK_ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME${SEP}$CHECK_ASFF_RESOURCE_TYPE${SEP}$CHECK_ASFF_TYPE${SEP}$CHECK_RISK${SEP}$CHECK_REMEDIATION${SEP}$CHECK_DOC${SEP}$CHECK_CAF_EPIC${SEP}$CHECK_RESOURCE_ID" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV
echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}$CHECK_RESULT${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$CHECK_RESULT_EXTENDED${SEP}$CHECK_ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME${SEP}$CHECK_ASFF_RESOURCE_TYPE${SEP}$CHECK_ASFF_TYPE${SEP}$CHECK_RISK${SEP}$CHECK_REMEDIATION${SEP}$CHECK_DOC${SEP}$CHECK_CAF_EPIC${SEP}$CHECK_RESOURCE_ID" >> ${OUTPUT_FILE_NAME}.$EXTENSION_CSV
fi
if [[ "${MODES[@]}" =~ "json" ]]; then
generateJsonOutput "$1" "${level}" "$CHECK_RESOURCE_ID"| tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON}
generateJsonOutput "$1" "${level}" "$CHECK_RESOURCE_ID">> ${OUTPUT_FILE_NAME}.${EXTENSION_JSON}
fi
if [[ "${MODES[@]}" =~ "json-asff" ]]; then
JSON_ASFF_OUTPUT=$(generateJsonAsffOutput "$1" "${level}" "$CHECK_RESOURCE_ID")
echo "${JSON_ASFF_OUTPUT}" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_ASFF}
echo "${JSON_ASFF_OUTPUT}" >> ${OUTPUT_FILE_NAME}.${EXTENSION_ASFF}
if [[ "${SEND_TO_SECURITY_HUB}" -eq 1 ]]; then
sendToSecurityHub "${JSON_ASFF_OUTPUT}" "${REPREGION}"
fi
@@ -209,7 +214,7 @@ textFail(){
fi
fi
if [[ "${MODES[@]}" =~ "mono" ]]; then
echo " $colorcode ${level}! $1 $NORMAL" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_TEXT
echo " $colorcode ${level}! $1 $NORMAL" >> ${OUTPUT_FILE_NAME}.$EXTENSION_TEXT
fi
if [[ "${MODES[@]}" =~ "text" ]]; then
echo " $colorcode ${level}! $1 $NORMAL"
@@ -257,7 +262,7 @@ textTitle(){
# fi
if [[ "${MODES[@]}" =~ "csv" ]]; then
>&2 echo "$TITLE_ID $TITLE_TEXT" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV}
>&2 echo "$TITLE_ID $TITLE_TEXT" >> ${OUTPUT_FILE_NAME}.${EXTENSION_CSV}
elif [[ "${MODES[@]}" =~ "json" || "${MODES[@]}" =~ "json-asff" ]]; then
:
else
@@ -279,7 +284,7 @@ generateJsonOutput(){
--arg TITLE_TEXT "$TITLE_TEXT" \
--arg MESSAGE "$(echo -e "${message}" | sed -e 's/^[[:space:]]*//')" \
--arg STATUS "$status" \
--arg SEVERITY "$CHECK_SEVERITY" \
--arg SEVERITY "$(echo $CHECK_SEVERITY | sed 's/[][]//g')" \
--arg SCORED "$ITEM_SCORED" \
--arg ITEM_LEVEL "$ITEM_LEVEL" \
--arg TITLE_ID "$TITLE_ID" \
@@ -321,10 +326,9 @@ generateJsonAsffOutput(){
local status=$2
#Checks to determine if the rule passes in a resource name that prowler uses to track the AWS Resource for whitelisting purposes
if [ -z $3 ]
then
if [ -z $3 ]; then
local resource_id="NONE_PROVIDED"
else
else
local resource_id=$3
fi
@@ -374,7 +378,7 @@ generateJsonAsffOutput(){
"Resources": [
{
"Type": $RESOURCE_TYPE,
"Id": "AWS::::Account:\($ACCOUNT_NUM)",
"Id": $CHECK_RESOURCE_ID,
"Partition": $AWS_PARTITION,
"Region": $REPREGION
}
@@ -403,6 +407,8 @@ generateHtmlOutput(){
if [[ $status == "WARN" ]];then
local ROW_CLASS='table-warning'
fi
local CHECK_SEVERITY="$(echo $CHECK_SEVERITY | sed 's/[][]//g')"
echo '<tr class="'$ROW_CLASS'">' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo ' <td>'$status'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML