From b61af3a9eb1e01f5b9ca5420d3306a5172013efc Mon Sep 17 00:00:00 2001
From: Nimrod Kor
Date: Thu, 21 Nov 2019 12:39:22 -0800
Subject: [PATCH 1/2] Add ECS task definition environment variables check
(cherry picked from commit 662f287dd6739cd6d8e5e0d95537f4ca4b7b6493)
---
 checks/check_extra768 | 38 ++++++++++++++++++++++++++++++++++++++
 groups/group11_secrets | 2 +-
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 checks/check_extra768
diff --git a/checks/check_extra768 b/checks/check_extra768
new file mode 100644
index 00000000..5aa77651
--- /dev/null
+++ b/checks/check_extra768
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra763="7.63"
+CHECK_TITLE_extra763="[extra763] Check if S3 buckets have object versioning enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra763="NOT_SCORED"
+CHECK_TYPE_extra763="EXTRA"
+CHECK_ALTERNATE_check763="extra763"
+
+extra763(){
+ # "Check if S3 buckets have object versioning enabled (Not Scored) (Not part of CIS benchmark)"
+ LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text|xargs -n1)
+ if [[ $LIST_OF_BUCKETS ]]; then
+ for bucket in $LIST_OF_BUCKETS;do
+ BUCKET_VERSIONING_ENABLED=$($AWSCLI s3api get-bucket-versioning --bucket $bucket $PROFILE_OPT --query Status --output text 2>&1)
+ if [[ $(echo "$BUCKET_VERSIONING_ENABLED" | grep AccessDenied) ]]; then
+ textFail "Access Denied Trying to Get Bucket Versioning for $bucket"
+ continue
+ fi
+ if [[ $(echo "$BUCKET_VERSIONING_ENABLED" | grep "^Enabled$") ]]; then
+ textPass "Bucket $bucket has versioning enabled"
+ else
+ textFail "Bucket $bucket has versioning disabled!"
+ fi
+ done
+ else
+ textInfo "No S3 Buckets found"
+ fi
+}
diff --git a/groups/group11_secrets b/groups/group11_secrets
index ec0b971f..b66a6f88 100644
--- a/groups/group11_secrets
+++ b/groups/group11_secrets
@@ -15,7 +15,7 @@ GROUP_ID[11]='secrets'
 GROUP_NUMBER[11]='11.0'
 GROUP_TITLE[11]='Look for keys secrets or passwords around resources - [secrets] **'
 GROUP_RUN_BY_DEFAULT[11]='N' # but it runs when execute_all is called (default)
-GROUP_CHECKS[11]='extra741,extra742,extra759,extra760'
+GROUP_CHECKS[11]='extra741,extra742,extra759,extra760,extra768'
 # requires https://github.com/Yelp/detect-secrets
 # `pip install detect-secrets`
From d19ae27f7c474058107d4d1f71cada508f5dbade Mon Sep 17 00:00:00 2001
From: Nimrod Kor
Date: Thu, 21 Nov 2019 12:48:17 -0800
Subject: [PATCH 2/2] Fix merge issue
---
 checks/check_extra768 | 67 +++++++++++++++++++++++++++----------------
 1 file changed, 42 insertions(+), 25 deletions(-)
diff --git a/checks/check_extra768 b/checks/check_extra768
index 5aa77651..66ea5a7b 100644
--- a/checks/check_extra768
+++ b/checks/check_extra768
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
-# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+``# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy
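Review bot: The replacement header line `+``# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente` begins with two backticks, which bash parses as an empty command substitution rather than the start of a comment, so the remainder of the line is read as a command and the `(copyright` token is a syntax error as soon as the file is parsed. Assuming those backticks are really in the committed file and not a rendering artifact, the line should simply be `# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente`. Since the group file lists extra768 by name, this check is presumably sourced by the main script, in which case a parse error here would break the whole run rather than just this check; a `bash -n checks/check_extra768` before merging would catch it.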
@@ -10,29 +10,46 @@
 # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
-CHECK_ID_extra763="7.63"
-CHECK_TITLE_extra763="[extra763] Check if S3 buckets have object versioning enabled (Not Scored) (Not part of CIS benchmark)"
-CHECK_SCORED_extra763="NOT_SCORED"
-CHECK_TYPE_extra763="EXTRA"
-CHECK_ALTERNATE_check763="extra763"
+CHECK_ID_extra768="7.68"
+CHECK_TITLE_extra768="[extra768] Find secrets in ECS task definitions variables (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra768="NOT_SCORED"
+CHECK_TYPE_extra768="EXTRA"
+CHECK_ALTERNATE_check768="extra768"
 
-extra763(){
- # "Check if S3 buckets have object versioning enabled (Not Scored) (Not part of CIS benchmark)"
- LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text|xargs -n1)
- if [[ $LIST_OF_BUCKETS ]]; then
- for bucket in $LIST_OF_BUCKETS;do
- BUCKET_VERSIONING_ENABLED=$($AWSCLI s3api get-bucket-versioning --bucket $bucket $PROFILE_OPT --query Status --output text 2>&1)
- if [[ $(echo "$BUCKET_VERSIONING_ENABLED" | grep AccessDenied) ]]; then
- textFail "Access Denied Trying to Get Bucket Versioning for $bucket"
- continue
- fi
- if [[ $(echo "$BUCKET_VERSIONING_ENABLED" | grep "^Enabled$") ]]; then
- textPass "Bucket $bucket has versioning enabled"
- else
- textFail "Bucket $bucket has versioning disabled!"
- fi
- done
- else
- textInfo "No S3 Buckets found"
+extra768(){
+ SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"
+ if [[ ! -d $SECRETS_TEMP_FOLDER ]]; then
+ # this folder is deleted once this check is finished
+ mkdir $SECRETS_TEMP_FOLDER
 fi
-}
+
+ textInfo "Looking for secrets in ECS task definitions' environment variables across all regions... "
+ for regx in $REGIONS; do
+ LIST_OF_TASK_DEFINITIONS=$($AWSCLI ecs list-task-definitions $PROFILE_OPT --region $regx --query taskDefinitionArns[*] --output text)
+ if [[ $LIST_OF_TASK_DEFINITIONS ]]; then
+ for taskDefinition in $LIST_OF_TASK_DEFINITIONS;do
+ IFS='/' read -r -a splitArn <<< "$taskDefinition"
+ TASK_DEFINITION=${splitArn[1]}
+ TASK_DEFINITION_ENV_VARIABLES_FILE="$SECRETS_TEMP_FOLDER/extra768-$TASK_DEFINITION-$regx-variables.txt"
+ TASK_DEFINITION_ENV_VARIABLES=$($AWSCLI ecs $PROFILE_OPT --region $regx describe-task-definition --task-definition $taskDefinition --query 'taskDefinition.containerDefinitions[*].environment' --output text > $TASK_DEFINITION_ENV_VARIABLES_FILE)
+ if [ -s $TASK_DEFINITION_ENV_VARIABLES_FILE ];then
+ # Implementation using https://github.com/Yelp/detect-secrets
+ FINDINGS=$(secretsDetector file $TASK_DEFINITION_ENV_VARIABLES_FILE)
+ if [[ $FINDINGS -eq 0 ]]; then
+ textPass "$regx: No secrets found in ECS task definition $TASK_DEFINITION variables" "$regx"
+ # delete file if nothing interesting is there
+ rm -f $TASK_DEFINITION_ENV_VARIABLES_FILE
+ else
+ textFail "$regx: Potential secret found in ECS task definition $TASK_DEFINITION variables" "$regx"
+ fi
+ else
+ textInfo "$regx: ECS task definition $TASK_DEFINITION has no variables" "$regx"
+ rm -f $TASK_DEFINITION_ENV_VARIABLES_FILE
+ fi
+ done
+ else
+ textInfo "$regx: No ECS task definitions found" "$regx"
+ fi
+ done
+# rm -rf $SECRETS_TEMP_FOLDER
+}
\ No newline at end of file