Adding insecure SSL checks for CloudFront and CLB/ALB

(cherry picked from commit c9a60c07a2b5497cbed2d70c53821d826171dd68)
2026-02-10 14:55:00 +00:00 · 2020-05-22 17:05:02 -05:00
parent 485b7d90bc
commit df15388577
2 changed files with 137 additions and 0 deletions
--- a/checks/check_extra791
+++ b/checks/check_extra791
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra791="7.91"
+CHECK_TITLE_extra791="[extra791] Check if CloudFront distributions are using deprecated SSL protocols"
+CHECK_SCORED_extra791="NOT_SCORED"
+CHECK_TYPE_extra791="EXTRA"
+CHECK_ALTERNATE_check791="extra791"
+
+extra791(){
+    LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None)
+    if [[ $LIST_OF_DISTRIBUTIONS ]];then
+      for dist in $LIST_OF_DISTRIBUTIONS; do
+        CHECK_ORIGINSSLPROTOCOL_STATUS=$($AWSCLI cloudfront get-distribution --id $dist --query Distribution.DistributionConfig.Origins.Items[].CustomOriginConfig.OriginSslProtocols.Items $PROFILE_OPT --output text)
+        if [[ $CHECK_ORIGINSSLPROTOCOL_STATUS == *"SSLv2"* ]] || [[ $CHECK_ORIGINSSLPROTOCOL_STATUS == *"SSLv3"* ]]; then
+          textFail "CloudFront distribution $dist is using a deprecated SSL protocol!" "$regx"
+        else
+          textPass "CloudFront distribution $dist is not using a deprecated SSL protocol" "$regx"
+        fi
+      done
+    else
+      textInfo "No CloudFront distributions found" "$regx"
+    fi
+}
--- a/checks/check_extra792
+++ b/checks/check_extra792
@@ -0,0 +1,104 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra792="7.87"
+CHECK_TITLE_extra792="[extra792] Check if Elastic Load Balancers have insecure SSL ciphers (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra792="NOT_SCORED"
+CHECK_TYPE_extra792="EXTRA"
+CHECK_ALTERNATE_check792="extra792"
+
+extra792(){
+  # "Check if Elastic Load Balancers have insecure SSL ciphers (Not Scored) (Not part of CIS benchmark)"
+  for regx in $REGIONS; do
+    LIST_OF_ELBS=$($AWSCLI elb describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancerDescriptions[*].LoadBalancerName' --output text|xargs -n1)
+    LIST_OF_ELBSV2=$($AWSCLI elbv2 describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn' --output text|xargs -n1)
+    if [[ $LIST_OF_ELBS || $LIST_OF_ELBSV2 ]]; then
+      if [[ $LIST_OF_ELBS ]]; then
+        # https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html#ssl-ciphers
+        # https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html
+        ELBSECUREPOLICIES=("ELBSecurityPolicy-2016-08" "ELBSecurityPolicy-TLS-1-2-2017-01" "ELBSecurityPolicy-TLS-1-1-2017-01")
+        ELBSECURECIPHERS=("Protocol-TLSv1.2" "Protocol-TLSv1.1" "Protocol-TLSv1" "ECDHE-ECDSA-AES128-GCM-SHA256" "ECDHE-RSA-AES128-GCM-SHA256" "ECDHE-ECDSA-AES128-SHA256" "ECDHE-RSA-AES128-SHA256" "ECDHE-ECDSA-AES128-SHA" "ECDHE-RSA-AES128-SHA" "ECDHE-ECDSA-AES256-GCM-SHA384" "ECDHE-RSA-AES256-GCM-SHA384" "ECDHE-ECDSA-AES256-SHA384" "ECDHE-RSA-AES256-SHA384" "ECDHE-RSA-AES256-SHA" "ECDHE-ECDSA-AES256-SHA" "AES128-GCM-SHA256" "AES128-SHA256" "AES128-SHA" "AES256-GCM-SHA384" "AES256-SHA256" "AES256-SHA" "Server-Defined-Cipher-Order")
+
+        for elb in $LIST_OF_ELBS; do
+          ELB_POLICIES=$($AWSCLI elb describe-load-balancers --load-balancer-name $elb --query "LoadBalancerDescriptions[0].ListenerDescriptions[*].PolicyNames" --output text) 
+          passed=true
+          for policy in $ELB_POLICIES; do
+            # Check for secure default policy 
+            REFPOLICY=$($AWSCLI elb describe-load-balancer-policies $PROFILE_OPT --region $regx --load-balancer-name $elb --policy-name $policy --query "PolicyDescriptions[0].PolicyAttributeDescriptions[?(AttributeName == 'Reference-Security-Policy')].AttributeValue" --output text)
+            if [[ -n "$REFPOLICY" ]]; then 
+              if array_contains ELBSECUREPOLICIES "$REFPOLICY"; then
+                continue 	# Passed for this listener/policy
+              else
+                passed=false
+              fi
+            else
+              # A custom policy is in use.  Check Ciphers
+              CIPHERS=$($AWSCLI  elb describe-load-balancer-policies $PROFILE_OPT --region $regx --load-balancer-name $elb --policy-name $policy --query "PolicyDescriptions[0].PolicyAttributeDescriptions[?(AttributeValue == 'true')].AttributeName" --output text)
+              for cipher in $CIPHERS; do
+                if array_contains ELBSECURECIPHERS "$cipher"; then
+                  continue
+                else
+                  passed=false
+                fi 
+              done
+            fi
+          done
+          
+          if $passed; then
+            textPass "$regx: $elb has no insecure SSL ciphers" "$regx"
+          else
+            textFail "$regx: $elb has insecure SSL ciphers" "$regx" 
+          fi
+        done
+      fi
+      if [[ $LIST_OF_ELBSV2 ]]; then
+        # NOTE - ALBs do NOT support custom security policies 
+        # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
+        ELBV2SECUREPOLICIES=("ELBSecurityPolicy-2016-08" "ELBSecurityPolicy-TLS-1-1-2017-01" "ELBSecurityPolicy-TLS-1-2-2017-01" "ELBSecurityPolicy-TLS-1-2-Ext-2018-06" "ELBSecurityPolicy-FS-2018-06" "ELBSecurityPolicy-FS-1-1-2019-08" "ELBSecurityPolicy-FS-1-2-2019-08" "ELBSecurityPolicy-FS-1-2-Res-2019-08" "ELBSecurityPolicy-2015-05")
+        for elbarn in $LIST_OF_ELBSV2; do
+          passed=true
+          elbname=$(echo $elbarn | awk -F 'loadbalancer/app/' '{print $2}' | awk -F '/' '{print $1}')
+          ELBV2_SSL_POLICIES=$($AWSCLI elbv2 describe-listeners $PROFILE_OPT --region $regx --load-balancer-arn $elbarn --query 'Listeners[*].SslPolicy' --output text)
+       
+          for policy in $ELBV2_SSL_POLICIES; do
+            if array_contains ELBV2SECUREPOLICIES "$policy"; then
+              continue        # Passed for this listener/policy
+            else
+              passed=false
+            fi
+          done
+
+          if $passed; then
+            textPass "$regx: $elbname has no insecure SSL ciphers" "$regx"
+          else
+            textFail "$regx: $elbname has insecure SSL ciphers" "$regx"
+          fi
+        done
+      fi
+    else
+      textInfo "$regx: No ELBs found" "$regx"
+    fi
+  done
+}
+
+array_contains () { 
+    local array="$1[@]"
+    local seeking=$2
+    local in=1
+    for element in "${!array}"; do
+        if [[ $element == "$seeking" ]]; then
+            in=0
+            break
+        fi
+    done
+    return $in
+}