Tested new checks 7143 to 7147

checks/check_extra7142

@@ -10,39 +10,35 @@
 # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
-CHECK_ID_extra7147="7.147"
-CHECK_TITLE_extra7147="[extra7147] Check if S3 Glacier vaults have policies which allow access to everyone"
-CHECK_SCORED_extra7147="NOT_SCORED"
-CHECK_TYPE_extra7147="EXTRA"
-CHECK_SEVERITY_extra7147="Critical"
-CHECK_ASFF_RESOURCE_TYPE_extra7147="AwsS3Glacier"
-CHECK_ALTERNATE_check7147="extra7142"
-CHECK_SERVICENAME_extra7147="s3glacier"
-CHECK_RISK_extra7147='Vaults accessible to everyone could expose sensible data to bad actors'
-CHECK_REMEDIATION_extra7147='Ensure vault policy does not have principle as *'
-CHECK_DOC_extra7147='https://docs.aws.amazon.com/amazonglacier/latest/dev/access-control-overview.html'
-CHECK_CAF_EPIC_extra7147='Data Protection'
+CHECK_ID_extra7142="7.142"
+CHECK_TITLE_extra7142="[extra7142] Check if Application Load Balancer is dropping invalid packets to prevent header based http request smuggling"
+CHECK_SCORED_extra7142="NOT_SCORED"
+CHECK_TYPE_extra7142="EXTRA"
+CHECK_SEVERITY_extra7142="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7142="AwsElasticLoadBalancingV2LoadBalancer"
+CHECK_ALTERNATE_check7142="extra7142"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7142=""
+CHECK_SERVICENAME_extra7142="elb"
+CHECK_RISK_extra7142='ALB can be target of actors sendingn bad http headers'
+CHECK_REMEDIATION_extra7142='Ensure Application Load Balancer is configured for HTTP headers with header fields that are not valid are removed by the load balancer (true)'
+CHECK_DOC_extra7142='https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#desync-mitigation-mode'
+CHECK_CAF_EPIC_extra7142='Data Protection'
 
-extra7147(){
+
+extra7142(){
   for regx in $REGIONS; do
-  LIST_OF_VAULTS=$($AWSCLI glacier list-vaults $PROFILE_OPT --region $regx --account-id $ACCOUNT_NUM --query VaultList[*].VaultName --output text|xargs -n1)
-  if [[ $LIST_OF_VAULTS ]]; then
-    for vault in $LIST_OF_VAULTS;do
-      VAULT_POLICY_STATEMENTS=$($AWSCLI glacier $PROFILE_OPT get-vault-access-policy --region $regx --account-id $ACCOUNT_NUM --vault-name $vault --output json --query policy.Policy 2>&1)
-      if [[ $VAULT_POLICY_STATEMENTS == *GetVaultAccessPolicy* ]]; then
-        textInfo "$regx: Vault $vault doesn't have any policy" "$regx" "$vault"
-      else
-        VAULT_POLICY_BAD_STATEMENTS=$(echo $VAULT_POLICY_STATEMENTS | jq '. | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")')
-        if [[ $VAULT_POLICY_BAD_STATEMENTS != "" ]]; then
-          textFail "$regx: Vault $vault has policy which allows access to everyone" "$regx" "$vault"
+    LIST_OF_ELBSV2=$($AWSCLI elbv2 describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancers[?Type == `application`].[LoadBalancerArn]' --output text)
+    if [[ $LIST_OF_ELBSV2 ]];then
+      for alb in $LIST_OF_ELBSV2;do
+        CHECK_IF_DROP_INVALID_HEADER_FIELDS=$($AWSCLI elbv2 describe-load-balancer-attributes $PROFILE_OPT --region $regx --load-balancer-arn $alb --query 'Attributes[6]' --output text|grep -i true)
+        if [[ $CHECK_IF_DROP_INVALID_HEADER_FIELDS ]];then
+          textPass "$regx: Application Load Balancer $alb is dropping invalid header fields." "$regx" "$alb"
         else
-          textPass "$regx: Vault $vault has policy which does not allow access to everyone" "$regx" "$vault"
+          textFail "$regx: Application Load Balancer $alb is not dropping invalid header fields" "$regx" "$alb"
         fi
-      fi
-    done
-
-  else
-    textInfo "$regx: No Glacier vaults found" "$regx"
-  fi
- done
-}
+      done
+    else 
+      textInfo "$regx: no ALBs found"
+    fi
+  done
+}

checks/check_extra7143

@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra7143="7.143"
-CHECK_TITLE_extra7143="[extra7143] Check if EFS have policies which allow access to everyone (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra7143="[extra7143] Check if EFS have policies which allow access to everyone"
 CHECK_SCORED_extra7143="NOT_SCORED"
 CHECK_TYPE_extra7143="EXTRA"
 CHECK_SEVERITY_extra7143="Critical"
@@ -25,25 +25,25 @@ CHECK_CAF_EPIC_extra7143='Data Protection'
 
 extra7143(){
   # "Check if EFS have policies which allow access to everyone (Not Scored) (Not part of CIS benchmark)"
-  for region in $REGIONS; do
-  LIST_OF_EFS_IDS=$($AWSCLI efs describe-file-systems $PROFILE_OPT --region $region --query FileSystems[*].FileSystemId --output text|xargs -n1)
+  for regx in $REGIONS; do
+  LIST_OF_EFS_IDS=$($AWSCLI efs describe-file-systems $PROFILE_OPT --region $regx --query FileSystems[*].FileSystemId --output text|xargs -n1)
   if [[ $LIST_OF_EFS_IDS ]]; then
     for efsId in $LIST_OF_EFS_IDS;do
-      EFS_POLICY_STATEMENTS=$($AWSCLI efs $PROFILE_OPT describe-file-system-policy --region $region --file-system-id $efsId --output json --query Policy 2>&1)
+      EFS_POLICY_STATEMENTS=$($AWSCLI efs $PROFILE_OPT describe-file-system-policy --region $regx --file-system-id $efsId --output json --query Policy 2>&1)
       if [[ $EFS_POLICY_STATEMENTS == *PolicyNotFound* ]]; then
-        textFail "$region:  EFS: $efsId doesn't have any policy which means it grants full access to any client" "$region" "$efsId"
+        textFail "$regx:  EFS: $efsId doesn't have any policy which means it grants full access to any client" "$regx" "$efsId"
       else
         EFS_POLICY_BAD_STATEMENTS=$(echo $EFS_POLICY_STATEMENTS | jq '. | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")')
         if [[ $EFS_POLICY_BAD_STATEMENTS != "" ]]; then
-          textFail "$region: EFS: $efsId has policy which allows access to everyone" "$region" "$efsId"
+          textFail "$regx: EFS $efsId has policy which allows access to everyone" "$regx" "$efsId"
         else
-          textPass "$region: EFS: $efsId has policy which does not allow access to everyone" "$region" "$efsId"
+          textPass "$regx: EFS $efsId has policy which does not allow access to everyone" "$regx" "$efsId"
         fi
       fi
     done
 
   else
-    textInfo "$region: No EFS found" "$region"
+    textInfo "$regx: No EFS found" "$regx"
   fi
  done
 }

checks/check_extra7144

@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra7144="7.144"
-CHECK_TITLE_extra7144="[extra7144] Check if aws cloudwatch has allowed sharing with other accounts (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra7144="[extra7144] Check if CloudWatch has allowed cross-account sharing"
 CHECK_SCORED_extra7144="NOT_SCORED"
 CHECK_TYPE_extra7144="EXTRA"
 CHECK_SEVERITY_extra7144="Medium"
@@ -21,15 +21,15 @@ CHECK_SERVICENAME_extra7144="cloudwatch"
 CHECK_RISK_extra7144=''
 CHECK_REMEDIATION_extra7144=''
 CHECK_DOC_extra7144='https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Cross-Account-Cross-Region.html'
-CHECK_CAF_EPIC_extra7144=''
+CHECK_CAF_EPIC_extra7144='Logging and Monitoring'
 
 extra7144(){
   # "Check if aws cloudwatch has allowed sharing with other accounts (Not Scored) (Not part of CIS benchmark)"
   CLOUDWATCH_CROSS_ACCOUNT_ROLE=$($AWSCLI iam get-role $PROFILE_OPT --role-name=CloudWatch-CrossAccountSharingRole --output json --query Role 2>&1)
   if [[ $CLOUDWATCH_CROSS_ACCOUNT_ROLE != *NoSuchEntity* ]]; then
       CLOUDWATCH_POLICY_BAD_STATEMENTS=$(echo $CLOUDWATCH_CROSS_ACCOUNT_ROLE | jq '.AssumeRolePolicyDocument')
-      textInfo "Cloudwatch has allowed cross account sharing"
+      textInfo "$REGION: CloudWatch has allowed cross-account sharing" "$REGION"
   else
-      textPass "CloudWatch doesn't allows cross account sharing"
+      textPass "$REGION: CloudWatch doesn't allows cross-account sharing" "$REGION"
   fi
 }

checks/check_extra7145

@@ -11,39 +11,39 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra7145="7.145"
-CHECK_TITLE_extra7145="[extra7145] Check if lambda functions have policies which allow access to every aws account (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra7145="[extra7145] Check if Lambda functions have policies which allow access to any AWS account"
 CHECK_SCORED_extra7145="NOT_SCORED"
 CHECK_TYPE_extra7145="EXTRA"
 CHECK_SEVERITY_extra7145="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra7145="AwsLambda"
 CHECK_ALTERNATE_check7145="extra7145"
 CHECK_SERVICENAME_extra7145="lambda"
-CHECK_RISK_extra7145='Lambda function access to any aws account may result security issues'
-CHECK_REMEDIATION_extra7145='Ensure lambda function policiy does not allow access to any account'
+CHECK_RISK_extra7145='Lambda function access to any AWS account may result security issues'
+CHECK_REMEDIATION_extra7145='Ensure Lambda function policiy does not allow access to any account'
 CHECK_DOC_extra7145='https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html'
-CHECK_CAF_EPIC_extra7145=''
+CHECK_CAF_EPIC_extra7145='IAM'
 
 extra7145(){
   # "Check if lambda functions have policies which allow access to every aws account (Not Scored) (Not part of CIS benchmark)"
-  for region in $REGIONS; do
-  LIST_OF_LAMBDA_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $region --query Functions[*].FunctionName --output text)
+  for regx in $REGIONS; do
+  LIST_OF_LAMBDA_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --query Functions[*].FunctionName --output text)
   if [[ $LIST_OF_LAMBDA_FUNCTIONS ]]; then
     for lambdaFunction in $LIST_OF_LAMBDA_FUNCTIONS;do
-      FUNCTION_POLICY_STATEMENTS=$($AWSCLI lambda $PROFILE_OPT get-policy --region $region --function-name $lambdaFunction --output json --query Policy 2>&1)
+      FUNCTION_POLICY_STATEMENTS=$($AWSCLI lambda $PROFILE_OPT get-policy --region $regx --function-name $lambdaFunction --output json --query Policy 2>&1)
       if [[ $FUNCTION_POLICY_STATEMENTS == *ResourceNotFoundException* ]]; then
-        textInfo "$region : Lambda function: $lambdaFunction doesn't have any policy" "$region" "$lambdaFunction"
+        textInfo "$regx: Lambda function $lambdaFunction doesn't have any policy" "$regx" "$lambdaFunction"
       else
         FUNCTION_POLICY_BAD_STATEMENTS=$(echo $FUNCTION_POLICY_STATEMENTS | jq '. | fromjson' | jq '.Statement[] | select(.Effect=="Allow")	 | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")')
         if [[ $FUNCTION_POLICY_BAD_STATEMENTS != "" ]]; then
-          textFail "$region: Lambda function: $lambdaFunction allows public access to every aws account" "$region" "$lambdaFunction"
+          textFail "$regx: Lambda function $lambdaFunction allows public access to any AWS account" "$regx" "$lambdaFunction"
         else
-          textPass "$region: Lambda function: $lambdaFunction has policy which doesn't allow access to everyone having an aws account" "$region" "$lambdaFunction"
+          textPass "$regx: Lambda function $lambdaFunction has policy which doesn't allow access to everyone having an AWS account" "$regx" "$lambdaFunction"
         fi
       fi
     done
 
   else
-    textInfo "$region: No lambda functions found" "$region"
+    textInfo "$regx: No lambda functions found" "$regx"
   fi
  done
 }

checks/check_extra7146

@@ -11,33 +11,33 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra7146="7.146"
-CHECK_TITLE_extra7146="[extra7146] Check if there is any unassigned elastic ip's (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra7146="[extra7146] Check if there is any unassigned Elastic IP"
 CHECK_SCORED_extra7146="NOT_SCORED"
 CHECK_TYPE_extra7146="EXTRA"
-CHECK_SEVERITY_extra7146="Medium"
+CHECK_SEVERITY_extra7146="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra7146="AwsElasticIPs"
 CHECK_ALTERNATE_check7146="extra7146"
-CHECK_SERVICENAME_extra7146="elasticip"
-CHECK_RISK_extra7146='Unassigned elastic ips may result in extra cost'
-CHECK_REMEDIATION_extra7146='Ensure elastic ips are not unassigned'
+CHECK_SERVICENAME_extra7146="ec2"
+CHECK_RISK_extra7146='Unassigned Elastic IPs may result in extra cost'
+CHECK_REMEDIATION_extra7146='Ensure Elastic IPs are not unassigned'
 CHECK_DOC_extra7146='https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html'
-CHECK_CAF_EPIC_extra7146=''
+CHECK_CAF_EPIC_extra7146='Infrastructure Security'
 
 extra7146(){
   # "Check if there is any unassigned elastic ip (Not Scored) (Not part of CIS benchmark)"
-  for region in $REGIONS; do
-  ELASTIC_IP_ADDRESSES=$($AWSCLI ec2 describe-addresses $PROFILE_OPT --region $region --query Addresses --output json)
-  if [[ $ELASTIC_IP_ADDRESSES != [] ]]; then
-    LIST_OF_ASSOCIATED_IPS=$(echo $ELASTIC_IP_ADDRESSES | jq -r '.[] | select(.AssociationId!=null) | .PublicIp')
-    LIST_OF_UNASSOCIATED_IPS=$(echo $ELASTIC_IP_ADDRESSES | jq -r '.[] | select(.AssociationId==null) | .PublicIp')
-    for ass_ip in $LIST_OF_ASSOCIATED_IPS; do
-     textPass "$region: Elastic IP: $ass_ip is associated with an instance or network interface" "$region" "$ass_ip"
-     done
-    for unass_ip in $LIST_OF_UNASSOCIATED_IPS; do
-     textInfo "$region: Elastic IP: $unass_ip is not associated with any instance or network interface, it may incurr extra cost" "$region" "$unass_ip"
-     done
-  else
-    textInfo "$region: No elastic ip's found" "$region"
-  fi
- done
+  for regx in $REGIONS; do
+    ELASTIC_IP_ADDRESSES=$($AWSCLI ec2 describe-addresses $PROFILE_OPT --region $regx --query Addresses --output json)
+    if [[ $ELASTIC_IP_ADDRESSES != [] ]]; then
+      LIST_OF_ASSOCIATED_IPS=$(echo $ELASTIC_IP_ADDRESSES | jq -r '.[] | select(.AssociationId!=null) | .PublicIp')
+      LIST_OF_UNASSOCIATED_IPS=$(echo $ELASTIC_IP_ADDRESSES | jq -r '.[] | select(.AssociationId==null) | .PublicIp')
+      for ass_ip in $LIST_OF_ASSOCIATED_IPS; do
+      textPass "$regx: Elastic IP $ass_ip is associated with an instance or network interface" "$regx" "$ass_ip"
+      done
+      for unass_ip in $LIST_OF_UNASSOCIATED_IPS; do
+      textInfo "$regx: Elastic IP $unass_ip is not associated with any instance or network interface and it may incurr extra cost" "$regx" "$unass_ip"
+      done
+    else
+      textInfo "$regx: No Elastic IPs found" "$regx"
+    fi
+  done
 }

checks/check_extra7147

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7147="7.147"
+CHECK_TITLE_extra7147="[extra7147] Check if S3 Glacier vaults have policies which allow access to everyone"
+CHECK_SCORED_extra7147="NOT_SCORED"
+CHECK_TYPE_extra7147="EXTRA"
+CHECK_SEVERITY_extra7147="Critical"
+CHECK_ASFF_RESOURCE_TYPE_extra7147="AwsGlacierVault"
+CHECK_ALTERNATE_check7147="extra7142"
+CHECK_SERVICENAME_extra7147="glacier"
+CHECK_RISK_extra7147='Vaults accessible to everyone could expose sensible data to bad actors'
+CHECK_REMEDIATION_extra7147='Ensure vault policy does not have principle as *'
+CHECK_DOC_extra7147='https://docs.aws.amazon.com/amazonglacier/latest/dev/access-control-overview.html'
+CHECK_CAF_EPIC_extra7147='Data Protection'
+
+extra7147(){
+  for regx in $REGIONS; do
+  LIST_OF_VAULTS=$($AWSCLI glacier list-vaults $PROFILE_OPT --region $regx --account-id $ACCOUNT_NUM --query VaultList[*].VaultName --output text|xargs -n1)
+  if [[ $LIST_OF_VAULTS ]]; then
+    for vault in $LIST_OF_VAULTS;do
+      VAULT_POLICY_STATEMENTS=$($AWSCLI glacier $PROFILE_OPT get-vault-access-policy --region $regx --account-id $ACCOUNT_NUM --vault-name $vault --output json --query policy.Policy 2>&1)
+      if [[ $VAULT_POLICY_STATEMENTS == *GetVaultAccessPolicy* ]]; then
+        textInfo "$regx: Vault $vault doesn't have any policy" "$regx" "$vault"
+      else
+        VAULT_POLICY_BAD_STATEMENTS=$(echo $VAULT_POLICY_STATEMENTS | jq '. | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")')
+        if [[ $VAULT_POLICY_BAD_STATEMENTS != "" ]]; then
+          textFail "$regx: Vault $vault has policy which allows access to everyone" "$regx" "$vault"
+        else
+          textPass "$regx: Vault $vault has policy which does not allow access to everyone" "$regx" "$vault"
+        fi
+      fi
+    done
+  else
+    textInfo "$regx: No Glacier vaults found" "$regx"
+  fi
+ done
+}