diff --git a/checks/check_extra768 b/checks/check_extra768 new file mode 100644 index 00000000..66ea5a7b --- /dev/null +++ b/checks/check_extra768 @@ -0,0 +1,55 @@ +#!/usr/bin/env bash + +``# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +CHECK_ID_extra768="7.68" +CHECK_TITLE_extra768="[extra768] Find secrets in ECS task definitions variables (Not Scored) (Not part of CIS benchmark)" +CHECK_SCORED_extra768="NOT_SCORED" +CHECK_TYPE_extra768="EXTRA" +CHECK_ALTERNATE_check768="extra768" + +extra768(){ + SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM" + if [[ ! -d $SECRETS_TEMP_FOLDER ]]; then + # this folder is deleted once this check is finished + mkdir $SECRETS_TEMP_FOLDER + fi + + textInfo "Looking for secrets in ECS task definitions' environment variables across all regions... " + for regx in $REGIONS; do + LIST_OF_TASK_DEFINITIONS=$($AWSCLI ecs list-task-definitions $PROFILE_OPT --region $regx --query taskDefinitionArns[*] --output text) + if [[ $LIST_OF_TASK_DEFINITIONS ]]; then + for taskDefinition in $LIST_OF_TASK_DEFINITIONS;do + IFS='/' read -r -a splitArn <<< "$taskDefinition" + TASK_DEFINITION=${splitArn[1]} + TASK_DEFINITION_ENV_VARIABLES_FILE="$SECRETS_TEMP_FOLDER/extra768-$TASK_DEFINITION-$regx-variables.txt" + TASK_DEFINITION_ENV_VARIABLES=$($AWSCLI ecs $PROFILE_OPT --region $regx describe-task-definition --task-definition $taskDefinition --query 'taskDefinition.containerDefinitions[*].environment' --output text > $TASK_DEFINITION_ENV_VARIABLES_FILE) + if [ -s $TASK_DEFINITION_ENV_VARIABLES_FILE ];then + # Implementation using https://github.com/Yelp/detect-secrets + FINDINGS=$(secretsDetector file $TASK_DEFINITION_ENV_VARIABLES_FILE) + if [[ $FINDINGS -eq 0 ]]; then + textPass "$regx: No secrets found in ECS task definition $TASK_DEFINITION variables" "$regx" + # delete file if nothing interesting is there + rm -f $TASK_DEFINITION_ENV_VARIABLES_FILE + else + textFail "$regx: Potential secret found in ECS task definition $TASK_DEFINITION variables" "$regx" + fi + else + textInfo "$regx: ECS task definition $TASK_DEFINITION has no variables" "$regx" + rm -f $TASK_DEFINITION_ENV_VARIABLES_FILE + fi + done + else + textInfo "$regx: No ECS task definitions found" "$regx" + fi + done +# rm -rf $SECRETS_TEMP_FOLDER +} \ No newline at end of file diff --git a/groups/group11_secrets b/groups/group11_secrets index ec0b971f..b66a6f88 100644 --- a/groups/group11_secrets +++ b/groups/group11_secrets @@ -15,7 +15,7 @@ GROUP_ID[11]='secrets' GROUP_NUMBER[11]='11.0' GROUP_TITLE[11]='Look for keys secrets or passwords around resources - [secrets] **' GROUP_RUN_BY_DEFAULT[11]='N' # but it runs when execute_all is called (default) -GROUP_CHECKS[11]='extra741,extra742,extra759,extra760' +GROUP_CHECKS[11]='extra741,extra742,extra759,extra760,extra768' # requires https://github.com/Yelp/detect-secrets # `pip install detect-secrets`