mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 06:45:08 +00:00
cleanup using shellcheck
This commit is contained in:
Mr. Secure
@@ -1,25 +1,26 @@
|
||||
#!/bin/bash
|
||||
########### CODEBUILD CONFIGURATION ##################
|
||||
|
||||
# shellcheck disable=SC2034
|
||||
## Collect environment parameters set by buildspec
|
||||
CHECKGROUP=${PROWL_CHECK_GROUP}
|
||||
|
||||
if [ "none" == "${PROWL_MASTER_ACCOUNTS}" ]; then
|
||||
ORG_MASTERS=""
|
||||
else
|
||||
ORG_MASTERS=$(echo ${PROWL_MASTER_ACCOUNTS} | tr "," " ")
|
||||
ORG_MASTERS=$(echo "${PROWL_MASTER_ACCOUNTS}" | tr "," " ")
|
||||
fi
|
||||
|
||||
if [ "none" == "${PROWL_STANDALONE_ACCOUNTS}" ]; then
|
||||
STANDALONE_ACCOUNTS=""
|
||||
else
|
||||
STANDALONE_ACCOUNTS=$(echo ${PROWL_STANDALONE_ACCOUNTS} | tr "," " ")
|
||||
STANDALONE_ACCOUNTS=$(echo "${PROWL_STANDALONE_ACCOUNTS}" | tr "," " ")
|
||||
fi
|
||||
|
||||
if [ "none" == "${PROWL_SKIP_ACCOUNTS}" ]; then
|
||||
SKIP_ACCOUNTS_REGEX='^$'
|
||||
else
|
||||
skip_inside=$(echo ${PROWL_SKIP_ACCOUNTS} | tr "," "|")
|
||||
skip_inside=$(echo "${PROWL_SKIP_ACCOUNTS}" | tr "," "|")
|
||||
# shellcheck disable=SC2116
|
||||
SKIP_ACCOUNTS_REGEX=$(echo "(${skip_inside})" )
|
||||
fi
|
||||
|
||||
|
||||
@@ -1,11 +1,14 @@
|
||||
#!/bin/bash
|
||||
|
||||
BASEDIR=$(dirname "${0}")
|
||||
# source the configuration data from "config" in this directory
|
||||
if [[ -f $(dirname $0)/config ]]; then
|
||||
. $(dirname $0)/config
|
||||
if [[ -f "${BASEDIR}/config" ]]; then
|
||||
# shellcheck disable=SC1090
|
||||
. "${BASEDIR}/config"
|
||||
|
||||
else
|
||||
echo "CONFIG file missing - $(dirname $0)/config"
|
||||
exit -1
|
||||
echo "CONFIG file missing - ${BASEDIR}/config"
|
||||
exit 255
|
||||
fi
|
||||
|
||||
## Check Environment variables which are set by config
|
||||
@@ -19,11 +22,11 @@ fi
|
||||
|
||||
if [[ -z $CHECKGROUP ]]; then
|
||||
echo "Missing check group from config file"
|
||||
exit -1
|
||||
exit 255
|
||||
fi
|
||||
if [[ -z $AUDIT_ROLE ]]; then
|
||||
echo "Missing audit role from config file"
|
||||
exit -1
|
||||
exit 255
|
||||
fi
|
||||
|
||||
## ========================================================================================
|
||||
@@ -43,14 +46,14 @@ fi
|
||||
|
||||
|
||||
## Check Requirements
|
||||
if [[ -x $(which aws) ]]; then
|
||||
if [[ -x $(command -v aws) ]]; then
|
||||
aws --version
|
||||
else
|
||||
echo "AWS CLI is not in PATH ... giving up"
|
||||
exit 4
|
||||
fi
|
||||
|
||||
if [[ -x $(which jq) ]]; then
|
||||
if [[ -x $(command -v jq) ]]; then
|
||||
jq --version
|
||||
else
|
||||
echo "JQ is not in PATH ... giving up"
|
||||
@@ -62,10 +65,9 @@ if [[ -z $CREDSOURCE ]]; then
|
||||
echo "No source for base credentials ... giving up"
|
||||
exit 5
|
||||
fi
|
||||
# if [[ Ec2InstanceMetadata ]]
|
||||
|
||||
if [[ -f ${PROWLER} && -x ${PROWLER} ]]; then
|
||||
PROWLER_VERSION=$(${PROWLER} -V)
|
||||
${PROWLER} -V
|
||||
else
|
||||
echo "Unable to execute prowler from ${PROWLER}"
|
||||
exit 3
|
||||
@@ -79,10 +81,10 @@ STAMP=$(date -u +%Y%m%dT%H%M%SZ)
|
||||
## Create output subdirs
|
||||
OUTDATA="${OUTBASE}/data/${DAYPATH}"
|
||||
OUTLOGS="${OUTBASE}/logs/${DAYPATH}"
|
||||
mkdir -p ${OUTDATA} ${OUTLOGS}
|
||||
mkdir -p "${OUTDATA}" "${OUTLOGS}"
|
||||
|
||||
|
||||
if [[ -x $(which parallel) ]]; then
|
||||
if [[ -x $(command -v parallel) ]]; then
|
||||
# Note: the "standard" codebuild container includes parallel
|
||||
echo "Using GNU sem/parallel, with NCPU+4 jobs"
|
||||
parallel --citation > /dev/null 2> /dev/null
|
||||
@@ -102,15 +104,15 @@ ALL_ACCOUNTS=""
|
||||
|
||||
|
||||
# Create a temporary credential file
|
||||
export AWS_MASTERS_CREDENTIALS_FILE=$(mktemp -t prowler.masters-XXXXXX)
|
||||
AWS_MASTERS_CREDENTIALS_FILE=$(mktemp -t prowler.masters-XXXXXX)
|
||||
echo "Preparing Credentials ${AWS_MASTERS_CREDENTIALS_FILE} ( ${CREDSOURCE} )"
|
||||
echo "# Master Credentials ${STAMP}" >> $AWS_MASTERS_CREDENTIALS_FILE
|
||||
echo "" >> $AWS_MASTERS_CREDENTIALS_FILE
|
||||
echo "# Master Credentials ${STAMP}" >> "${AWS_MASTERS_CREDENTIALS_FILE}"
|
||||
echo "" >> "${AWS_MASTERS_CREDENTIALS_FILE}"
|
||||
|
||||
AWS_TARGETS_CREDENTIALS_FILE=$(mktemp -t prowler.targets-XXXXXX)
|
||||
echo "Preparing Credentials ${AWS_TARGETS_CREDENTIALS_FILE} ( ${CREDSOURCE} )"
|
||||
echo "# Target Credentials ${STAMP}" >> $AWS_TARGETS_CREDENTIALS_FILE
|
||||
echo "" >> $AWS_TARGETS_CREDENTIALS_FILE
|
||||
echo "# Target Credentials ${STAMP}" >> "${AWS_TARGETS_CREDENTIALS_FILE}"
|
||||
echo "" >> "${AWS_TARGETS_CREDENTIALS_FILE}"
|
||||
|
||||
|
||||
## Visit the Organization Master accounts & build a list of all member accounts
|
||||
@@ -118,34 +120,38 @@ export AWS_SHARED_CREDENTIALS_FILE=$AWS_MASTERS_CREDENTIALS_FILE
|
||||
for org in $ORG_MASTERS ; do
|
||||
echo -n "Preparing organization $org "
|
||||
# create credential profile
|
||||
echo "[audit_${org}]" >> $AWS_MASTERS_CREDENTIALS_FILE
|
||||
echo "role_arn = arn:aws:iam::${org}:role${AUDIT_ROLE}" >> $AWS_MASTERS_CREDENTIALS_FILE
|
||||
echo "credential_source = ${CREDSOURCE}" >> $AWS_MASTERS_CREDENTIALS_FILE
|
||||
echo "" >> $AWS_MASTERS_CREDENTIALS_FILE
|
||||
{
|
||||
echo "[audit_${org}]"
|
||||
echo "role_arn = arn:aws:iam::${org}:role${AUDIT_ROLE}"
|
||||
echo "credential_source = ${CREDSOURCE}"
|
||||
echo ""
|
||||
} >> "${AWS_MASTERS_CREDENTIALS_FILE}"
|
||||
|
||||
# Get the Organization ID to use for output paths, collecting info, etc
|
||||
org_id=$(aws --output json --profile audit_${org} organizations describe-organization | jq -r '.Organization.Id' )
|
||||
org_id=$(aws --output json --profile "audit_${org}" organizations describe-organization | jq -r '.Organization.Id' )
|
||||
|
||||
echo "( $org_id )"
|
||||
ORG_ID_LIST="${ORG_ID_LIST} ${org_id}"
|
||||
|
||||
|
||||
# Build the list of all accounts in the organizations
|
||||
aws --output json --profile audit_${org} organizations list-accounts > ${OUTLOGS}/${STAMP}-${org_id}-account-list.json
|
||||
ORG_ACCOUNTS=$( cat ${OUTLOGS}/${STAMP}-${org_id}-account-list.json | jq -r '.Accounts[].Id' | tr "\n" " ")
|
||||
aws --output json --profile "audit_${org}" organizations list-accounts > "${OUTLOGS}/${STAMP}-${org_id}-account-list.json"
|
||||
ORG_ACCOUNTS=$( cat "${OUTLOGS}/${STAMP}-${org_id}-account-list.json" | jq -r '.Accounts[].Id' | tr "\n" " ")
|
||||
ALL_ACCOUNTS="${ALL_ACCOUNTS} ${ORG_ACCOUNTS}"
|
||||
|
||||
# Add the Org's Accounts (including master) to the TARGETS_CREDENTIALS file
|
||||
for target in $ORG_ACCOUNTS ; do
|
||||
if $(echo $target | grep -qE $SKIP_ACCOUNTS_REGEX) ; then
|
||||
if echo "$target" | grep -qE "${SKIP_ACCOUNTS_REGEX}"; then
|
||||
echo " skipping account ${target} ( ${org_id} )"
|
||||
continue
|
||||
fi
|
||||
# echo " ${org_id}_${target}"
|
||||
echo "[${org_id}_${target}]" >> $AWS_TARGETS_CREDENTIALS_FILE
|
||||
echo "role_arn = arn:aws:iam::${target}:role${AUDIT_ROLE}" >> $AWS_TARGETS_CREDENTIALS_FILE
|
||||
echo "credential_source = ${CREDSOURCE}" >> $AWS_TARGETS_CREDENTIALS_FILE
|
||||
echo "" >> $AWS_TARGETS_CREDENTIALS_FILE
|
||||
{
|
||||
echo "[${org_id}_${target}]"
|
||||
echo "role_arn = arn:aws:iam::${target}:role${AUDIT_ROLE}"
|
||||
echo "credential_source = ${CREDSOURCE}"
|
||||
echo ""
|
||||
} >> "${AWS_TARGETS_CREDENTIALS_FILE}"
|
||||
done
|
||||
|
||||
done
|
||||
@@ -155,10 +161,12 @@ if [[ "" != "${STANDALONE_ACCOUNTS}" ]] ; then
|
||||
# mkdir -p ${OUTBASE}/data/standalone/${DAYPATH} ${OUTBASE}/logs/standalone/${DAYPATH}
|
||||
for target in $STANDALONE_ACCOUNTS ; do
|
||||
echo "Preparing account ${target} ( standalone )"
|
||||
echo "[standalone_${target}]" >> $AWS_TARGETS_CREDENTIALS_FILE
|
||||
echo "role_arn = arn:aws:iam::${target}:role${AUDIT_ROLE}" >> $AWS_TARGETS_CREDENTIALS_FILE
|
||||
echo "credential_source = ${CREDSOURCE}" >> $AWS_TARGETS_CREDENTIALS_FILE
|
||||
echo "" >> $AWS_TARGETS_CREDENTIALS_FILE
|
||||
{
|
||||
echo "[standalone_${target}]"
|
||||
echo "role_arn = arn:aws:iam::${target}:role${AUDIT_ROLE}"
|
||||
echo "credential_source = ${CREDSOURCE}"
|
||||
echo ""
|
||||
} >> "${AWS_TARGETS_CREDENTIALS_FILE}"
|
||||
done
|
||||
ALL_ACCOUNTS="${ALL_ACCOUNTS} ${STANDALONE_ACCOUNTS}"
|
||||
fi
|
||||
@@ -170,11 +178,11 @@ fi
|
||||
export AWS_SHARED_CREDENTIALS_FILE=${AWS_TARGETS_CREDENTIALS_FILE}
|
||||
|
||||
## visit each target account
|
||||
NUM_ACCOUNTS=$(grep -cE '^\[' ${AWS_TARGETS_CREDENTIALS_FILE})
|
||||
NUM_ACCOUNTS=$(grep -cE '^\[' "${AWS_TARGETS_CREDENTIALS_FILE}")
|
||||
echo "Launching ${CHECKGROUP} audit of ${NUM_ACCOUNTS} accounts"
|
||||
for member in $(grep -E '^\[' ${AWS_TARGETS_CREDENTIALS_FILE} | tr -d '][') ; do
|
||||
ORG_ID=$(echo $member | cut -d'_' -f1)
|
||||
ACCOUNT_NUM=$(echo $member | cut -d'_' -f2)
|
||||
for member in $(grep -E '^\[' "${AWS_TARGETS_CREDENTIALS_FILE}" | tr -d '][') ; do
|
||||
ORG_ID=$(echo "$member" | cut -d'_' -f1)
|
||||
ACCOUNT_NUM=$(echo "$member" | cut -d'_' -f2)
|
||||
|
||||
${PARALLEL_START} "${PROWLER} -p ${member} -n -M csv -g ${CHECKGROUP} 2> ${OUTLOGS}/${STAMP}-${ORG_ID}-${ACCOUNT_NUM}-prowler-${CHECKGROUP}.log > ${OUTDATA}/${STAMP}-${ORG_ID}-${ACCOUNT_NUM}-prowler-${CHECKGROUP}.csv ; echo \"${ORG_ID}-${ACCOUNT_NUM}-prowler-${CHECKGROUP} finished\" " ${PARALLEL_START_SUFFIX}
|
||||
done
|
||||
@@ -187,4 +195,4 @@ echo "Completed ${CHECKGROUP} audit with stamp ${STAMP}"
|
||||
# mkdir -p ${OUTBASE}/logs/debug/${DAYPATH}
|
||||
# cp $AWS_MASTERS_CREDENTIALS_FILE ${OUTLOGS}/${STAMP}-master_creds.txt
|
||||
# cp $AWS_TARGETS_CREDENTIALS_FILE ${OUTLOGS}/${STAMP}-target_creds.txt
|
||||
rm $AWS_MASTERS_CREDENTIALS_FILE $AWS_TARGETS_CREDENTIALS_FILE
|
||||
rm "$AWS_MASTERS_CREDENTIALS_FILE" "$AWS_TARGETS_CREDENTIALS_FILE"
|
||||
Reference in New Issue
Block a user