cleanup using shellcheck
@@ -1,25 +1,26 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
########### CODEBUILD CONFIGURATION ##################
|
########### CODEBUILD CONFIGURATION ##################
|
||||||
|
# shellcheck disable=SC2034
|
||||||
## Collect environment parameters set by buildspec
|
## Collect environment parameters set by buildspec
|
||||||
CHECKGROUP=${PROWL_CHECK_GROUP}
|
CHECKGROUP=${PROWL_CHECK_GROUP}
|
||||||
|
|
||||||
if [ "none" == "${PROWL_MASTER_ACCOUNTS}" ]; then
|
if [ "none" == "${PROWL_MASTER_ACCOUNTS}" ]; then
|
||||||
ORG_MASTERS=""
|
ORG_MASTERS=""
|
||||||
else
|
else
|
||||||
ORG_MASTERS=$(echo ${PROWL_MASTER_ACCOUNTS} | tr "," " ")
|
ORG_MASTERS=$(echo "${PROWL_MASTER_ACCOUNTS}" | tr "," " ")
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "none" == "${PROWL_STANDALONE_ACCOUNTS}" ]; then
|
if [ "none" == "${PROWL_STANDALONE_ACCOUNTS}" ]; then
|
||||||
STANDALONE_ACCOUNTS=""
|
STANDALONE_ACCOUNTS=""
|
||||||
else
|
else
|
||||||
STANDALONE_ACCOUNTS=$(echo ${PROWL_STANDALONE_ACCOUNTS} | tr "," " ")
|
STANDALONE_ACCOUNTS=$(echo "${PROWL_STANDALONE_ACCOUNTS}" | tr "," " ")
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "none" == "${PROWL_SKIP_ACCOUNTS}" ]; then
|
if [ "none" == "${PROWL_SKIP_ACCOUNTS}" ]; then
|
||||||
SKIP_ACCOUNTS_REGEX='^$'
|
SKIP_ACCOUNTS_REGEX='^$'
|
||||||
else
|
else
|
||||||
skip_inside=$(echo ${PROWL_SKIP_ACCOUNTS} | tr "," "|")
|
skip_inside=$(echo "${PROWL_SKIP_ACCOUNTS}" | tr "," "|")
|
||||||
|
# shellcheck disable=SC2116
|
||||||
SKIP_ACCOUNTS_REGEX=$(echo "(${skip_inside})" )
|
SKIP_ACCOUNTS_REGEX=$(echo "(${skip_inside})" )
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
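Review bot: The `# shellcheck disable=SC2116` added in front of `SKIP_ACCOUNTS_REGEX=$(echo "(${skip_inside})" )` silences the warning instead of removing its cause; a plain assignment, `SKIP_ACCOUNTS_REGEX="(${skip_inside})"`, needs no subshell and no directive. While that line is being touched, the pattern is unanchored, so the `grep -qE "${SKIP_ACCOUNTS_REGEX}"` that consumes it in the companion script matches any target ID that merely contains one of the listed values; `SKIP_ACCOUNTS_REGEX="^(${skip_inside})$"` limits the skip to exact account IDs, and the `'^$'` default in the other branch keeps working unchanged. The `tr "," "|"` on the line above does not strip whitespace, so a list written as `111, 222` yields an alternative with a leading space; either trim the input before building the pattern or say in a comment that the list must be comma-separated with no spaces.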
|||||||
@@ -1,11 +1,14 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
|
BASEDIR=$(dirname "${0}")
|
||||||
# source the configuration data from "config" in this directory
|
# source the configuration data from "config" in this directory
|
||||||
if [[ -f $(dirname $0)/config ]]; then
|
if [[ -f "${BASEDIR}/config" ]]; then
|
||||||
. $(dirname $0)/config
|
# shellcheck disable=SC1090
|
||||||
|
. "${BASEDIR}/config"
|
||||||
|
|
||||||
else
|
else
|
||||||
echo "CONFIG file missing - $(dirname $0)/config"
|
echo "CONFIG file missing - ${BASEDIR}/config"
|
||||||
exit -1
|
exit 255
|
||||||
fi
|
fi
|
||||||
|
|
||||||
## Check Environment variables which are set by config
|
## Check Environment variables which are set by config
|
||||||
@@ -19,11 +22,11 @@ fi
|
|||||||
|
|
||||||
if [[ -z $CHECKGROUP ]]; then
|
if [[ -z $CHECKGROUP ]]; then
|
||||||
echo "Missing check group from config file"
|
echo "Missing check group from config file"
|
||||||
exit -1
|
exit 255
|
||||||
fi
|
fi
|
||||||
if [[ -z $AUDIT_ROLE ]]; then
|
if [[ -z $AUDIT_ROLE ]]; then
|
||||||
echo "Missing audit role from config file"
|
echo "Missing audit role from config file"
|
||||||
exit -1
|
exit 255
|
||||||
fi
|
fi
|
||||||
|
|
||||||
## ========================================================================================
|
## ========================================================================================
|
||||||
@@ -43,14 +46,14 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
## Check Requirements
|
## Check Requirements
|
||||||
if [[ -x $(which aws) ]]; then
|
if [[ -x $(command -v aws) ]]; then
|
||||||
aws --version
|
aws --version
|
||||||
else
|
else
|
||||||
echo "AWS CLI is not in PATH ... giving up"
|
echo "AWS CLI is not in PATH ... giving up"
|
||||||
exit 4
|
exit 4
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ -x $(which jq) ]]; then
|
if [[ -x $(command -v jq) ]]; then
|
||||||
jq --version
|
jq --version
|
||||||
else
|
else
|
||||||
echo "JQ is not in PATH ... giving up"
|
echo "JQ is not in PATH ... giving up"
|
||||||
@@ -62,10 +65,9 @@ if [[ -z $CREDSOURCE ]]; then
|
|||||||
echo "No source for base credentials ... giving up"
|
echo "No source for base credentials ... giving up"
|
||||||
exit 5
|
exit 5
|
||||||
fi
|
fi
|
||||||
# if [[ Ec2InstanceMetadata ]]
|
|
||||||
|
|
||||||
if [[ -f ${PROWLER} && -x ${PROWLER} ]]; then
|
if [[ -f ${PROWLER} && -x ${PROWLER} ]]; then
|
||||||
PROWLER_VERSION=$(${PROWLER} -V)
|
${PROWLER} -V
|
||||||
else
|
else
|
||||||
echo "Unable to execute prowler from ${PROWLER}"
|
echo "Unable to execute prowler from ${PROWLER}"
|
||||||
exit 3
|
exit 3
|
||||||
@@ -79,10 +81,10 @@ STAMP=$(date -u +%Y%m%dT%H%M%SZ)
|
|||||||
## Create output subdirs
|
## Create output subdirs
|
||||||
OUTDATA="${OUTBASE}/data/${DAYPATH}"
|
OUTDATA="${OUTBASE}/data/${DAYPATH}"
|
||||||
OUTLOGS="${OUTBASE}/logs/${DAYPATH}"
|
OUTLOGS="${OUTBASE}/logs/${DAYPATH}"
|
||||||
mkdir -p ${OUTDATA} ${OUTLOGS}
|
mkdir -p "${OUTDATA}" "${OUTLOGS}"
|
||||||
|
|
||||||
|
|
||||||
if [[ -x $(which parallel) ]]; then
|
if [[ -x $(command -v parallel) ]]; then
|
||||||
# Note: the "standard" codebuild container includes parallel
|
# Note: the "standard" codebuild container includes parallel
|
||||||
echo "Using GNU sem/parallel, with NCPU+4 jobs"
|
echo "Using GNU sem/parallel, with NCPU+4 jobs"
|
||||||
parallel --citation > /dev/null 2> /dev/null
|
parallel --citation > /dev/null 2> /dev/null
|
||||||
@@ -102,15 +104,15 @@ ALL_ACCOUNTS=""
|
|||||||
|
|
||||||
|
|
||||||
# Create a temporary credential file
|
# Create a temporary credential file
|
||||||
export AWS_MASTERS_CREDENTIALS_FILE=$(mktemp -t prowler.masters-XXXXXX)
|
AWS_MASTERS_CREDENTIALS_FILE=$(mktemp -t prowler.masters-XXXXXX)
|
||||||
echo "Preparing Credentials ${AWS_MASTERS_CREDENTIALS_FILE} ( ${CREDSOURCE} )"
|
echo "Preparing Credentials ${AWS_MASTERS_CREDENTIALS_FILE} ( ${CREDSOURCE} )"
|
||||||
echo "# Master Credentials ${STAMP}" >> $AWS_MASTERS_CREDENTIALS_FILE
|
echo "# Master Credentials ${STAMP}" >> "${AWS_MASTERS_CREDENTIALS_FILE}"
|
||||||
echo "" >> $AWS_MASTERS_CREDENTIALS_FILE
|
echo "" >> "${AWS_MASTERS_CREDENTIALS_FILE}"
|
||||||
|
|
||||||
AWS_TARGETS_CREDENTIALS_FILE=$(mktemp -t prowler.targets-XXXXXX)
|
AWS_TARGETS_CREDENTIALS_FILE=$(mktemp -t prowler.targets-XXXXXX)
|
||||||
echo "Preparing Credentials ${AWS_TARGETS_CREDENTIALS_FILE} ( ${CREDSOURCE} )"
|
echo "Preparing Credentials ${AWS_TARGETS_CREDENTIALS_FILE} ( ${CREDSOURCE} )"
|
||||||
echo "# Target Credentials ${STAMP}" >> $AWS_TARGETS_CREDENTIALS_FILE
|
echo "# Target Credentials ${STAMP}" >> "${AWS_TARGETS_CREDENTIALS_FILE}"
|
||||||
echo "" >> $AWS_TARGETS_CREDENTIALS_FILE
|
echo "" >> "${AWS_TARGETS_CREDENTIALS_FILE}"
|
||||||
|
|
||||||
|
|
||||||
## Visit the Organization Master accounts & build a list of all member accounts
|
## Visit the Organization Master accounts & build a list of all member accounts
|
||||||
@@ -118,34 +120,38 @@ export AWS_SHARED_CREDENTIALS_FILE=$AWS_MASTERS_CREDENTIALS_FILE
|
|||||||
for org in $ORG_MASTERS ; do
|
for org in $ORG_MASTERS ; do
|
||||||
echo -n "Preparing organization $org "
|
echo -n "Preparing organization $org "
|
||||||
# create credential profile
|
# create credential profile
|
||||||
echo "[audit_${org}]" >> $AWS_MASTERS_CREDENTIALS_FILE
|
{
|
||||||
echo "role_arn = arn:aws:iam::${org}:role${AUDIT_ROLE}" >> $AWS_MASTERS_CREDENTIALS_FILE
|
echo "[audit_${org}]"
|
||||||
echo "credential_source = ${CREDSOURCE}" >> $AWS_MASTERS_CREDENTIALS_FILE
|
echo "role_arn = arn:aws:iam::${org}:role${AUDIT_ROLE}"
|
||||||
echo "" >> $AWS_MASTERS_CREDENTIALS_FILE
|
echo "credential_source = ${CREDSOURCE}"
|
||||||
|
echo ""
|
||||||
|
} >> "${AWS_MASTERS_CREDENTIALS_FILE}"
|
||||||
|
|
||||||
# Get the Organization ID to use for output paths, collecting info, etc
|
# Get the Organization ID to use for output paths, collecting info, etc
|
||||||
org_id=$(aws --output json --profile audit_${org} organizations describe-organization | jq -r '.Organization.Id' )
|
org_id=$(aws --output json --profile "audit_${org}" organizations describe-organization | jq -r '.Organization.Id' )
|
||||||
|
|
||||||
echo "( $org_id )"
|
echo "( $org_id )"
|
||||||
ORG_ID_LIST="${ORG_ID_LIST} ${org_id}"
|
ORG_ID_LIST="${ORG_ID_LIST} ${org_id}"
|
||||||
|
|
||||||
|
|
||||||
# Build the list of all accounts in the organizations
|
# Build the list of all accounts in the organizations
|
||||||
aws --output json --profile audit_${org} organizations list-accounts > ${OUTLOGS}/${STAMP}-${org_id}-account-list.json
|
aws --output json --profile "audit_${org}" organizations list-accounts > "${OUTLOGS}/${STAMP}-${org_id}-account-list.json"
|
||||||
ORG_ACCOUNTS=$( cat ${OUTLOGS}/${STAMP}-${org_id}-account-list.json | jq -r '.Accounts[].Id' | tr "\n" " ")
|
ORG_ACCOUNTS=$( cat "${OUTLOGS}/${STAMP}-${org_id}-account-list.json" | jq -r '.Accounts[].Id' | tr "\n" " ")
|
||||||
ALL_ACCOUNTS="${ALL_ACCOUNTS} ${ORG_ACCOUNTS}"
|
ALL_ACCOUNTS="${ALL_ACCOUNTS} ${ORG_ACCOUNTS}"
|
||||||
|
|
||||||
# Add the Org's Accounts (including master) to the TARGETS_CREDENTIALS file
|
# Add the Org's Accounts (including master) to the TARGETS_CREDENTIALS file
|
||||||
for target in $ORG_ACCOUNTS ; do
|
for target in $ORG_ACCOUNTS ; do
|
||||||
if $(echo $target | grep -qE $SKIP_ACCOUNTS_REGEX) ; then
|
if echo "$target" | grep -qE "${SKIP_ACCOUNTS_REGEX}"; then
|
||||||
echo " skipping account ${target} ( ${org_id} )"
|
echo " skipping account ${target} ( ${org_id} )"
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
# echo " ${org_id}_${target}"
|
# echo " ${org_id}_${target}"
|
||||||
echo "[${org_id}_${target}]" >> $AWS_TARGETS_CREDENTIALS_FILE
|
{
|
||||||
echo "role_arn = arn:aws:iam::${target}:role${AUDIT_ROLE}" >> $AWS_TARGETS_CREDENTIALS_FILE
|
echo "[${org_id}_${target}]"
|
||||||
echo "credential_source = ${CREDSOURCE}" >> $AWS_TARGETS_CREDENTIALS_FILE
|
echo "role_arn = arn:aws:iam::${target}:role${AUDIT_ROLE}"
|
||||||
echo "" >> $AWS_TARGETS_CREDENTIALS_FILE
|
echo "credential_source = ${CREDSOURCE}"
|
||||||
|
echo ""
|
||||||
|
} >> "${AWS_TARGETS_CREDENTIALS_FILE}"
|
||||||
done
|
done
|
||||||
|
|
||||||
done
|
done
|
||||||
@@ -155,10 +161,12 @@ if [[ "" != "${STANDALONE_ACCOUNTS}" ]] ; then
|
|||||||
# mkdir -p ${OUTBASE}/data/standalone/${DAYPATH} ${OUTBASE}/logs/standalone/${DAYPATH}
|
# mkdir -p ${OUTBASE}/data/standalone/${DAYPATH} ${OUTBASE}/logs/standalone/${DAYPATH}
|
||||||
for target in $STANDALONE_ACCOUNTS ; do
|
for target in $STANDALONE_ACCOUNTS ; do
|
||||||
echo "Preparing account ${target} ( standalone )"
|
echo "Preparing account ${target} ( standalone )"
|
||||||
echo "[standalone_${target}]" >> $AWS_TARGETS_CREDENTIALS_FILE
|
{
|
||||||
echo "role_arn = arn:aws:iam::${target}:role${AUDIT_ROLE}" >> $AWS_TARGETS_CREDENTIALS_FILE
|
echo "[standalone_${target}]"
|
||||||
echo "credential_source = ${CREDSOURCE}" >> $AWS_TARGETS_CREDENTIALS_FILE
|
echo "role_arn = arn:aws:iam::${target}:role${AUDIT_ROLE}"
|
||||||
echo "" >> $AWS_TARGETS_CREDENTIALS_FILE
|
echo "credential_source = ${CREDSOURCE}"
|
||||||
|
echo ""
|
||||||
|
} >> "${AWS_TARGETS_CREDENTIALS_FILE}"
|
||||||
done
|
done
|
||||||
ALL_ACCOUNTS="${ALL_ACCOUNTS} ${STANDALONE_ACCOUNTS}"
|
ALL_ACCOUNTS="${ALL_ACCOUNTS} ${STANDALONE_ACCOUNTS}"
|
||||||
fi
|
fi
|
||||||
@@ -170,11 +178,11 @@ fi
|
|||||||
export AWS_SHARED_CREDENTIALS_FILE=${AWS_TARGETS_CREDENTIALS_FILE}
|
export AWS_SHARED_CREDENTIALS_FILE=${AWS_TARGETS_CREDENTIALS_FILE}
|
||||||
|
|
||||||
## visit each target account
|
## visit each target account
|
||||||
NUM_ACCOUNTS=$(grep -cE '^\[' ${AWS_TARGETS_CREDENTIALS_FILE})
|
NUM_ACCOUNTS=$(grep -cE '^\[' "${AWS_TARGETS_CREDENTIALS_FILE}")
|
||||||
echo "Launching ${CHECKGROUP} audit of ${NUM_ACCOUNTS} accounts"
|
echo "Launching ${CHECKGROUP} audit of ${NUM_ACCOUNTS} accounts"
|
||||||
for member in $(grep -E '^\[' ${AWS_TARGETS_CREDENTIALS_FILE} | tr -d '][') ; do
|
for member in $(grep -E '^\[' "${AWS_TARGETS_CREDENTIALS_FILE}" | tr -d '][') ; do
|
||||||
ORG_ID=$(echo $member | cut -d'_' -f1)
|
ORG_ID=$(echo "$member" | cut -d'_' -f1)
|
||||||
ACCOUNT_NUM=$(echo $member | cut -d'_' -f2)
|
ACCOUNT_NUM=$(echo "$member" | cut -d'_' -f2)
|
||||||
|
|
||||||
${PARALLEL_START} "${PROWLER} -p ${member} -n -M csv -g ${CHECKGROUP} 2> ${OUTLOGS}/${STAMP}-${ORG_ID}-${ACCOUNT_NUM}-prowler-${CHECKGROUP}.log > ${OUTDATA}/${STAMP}-${ORG_ID}-${ACCOUNT_NUM}-prowler-${CHECKGROUP}.csv ; echo \"${ORG_ID}-${ACCOUNT_NUM}-prowler-${CHECKGROUP} finished\" " ${PARALLEL_START_SUFFIX}
|
${PARALLEL_START} "${PROWLER} -p ${member} -n -M csv -g ${CHECKGROUP} 2> ${OUTLOGS}/${STAMP}-${ORG_ID}-${ACCOUNT_NUM}-prowler-${CHECKGROUP}.log > ${OUTDATA}/${STAMP}-${ORG_ID}-${ACCOUNT_NUM}-prowler-${CHECKGROUP}.csv ; echo \"${ORG_ID}-${ACCOUNT_NUM}-prowler-${CHECKGROUP} finished\" " ${PARALLEL_START_SUFFIX}
|
||||||
done
|
done
|
||||||
@@ -187,4 +195,4 @@ echo "Completed ${CHECKGROUP} audit with stamp ${STAMP}"
|
|||||||
# mkdir -p ${OUTBASE}/logs/debug/${DAYPATH}
|
# mkdir -p ${OUTBASE}/logs/debug/${DAYPATH}
|
||||||
# cp $AWS_MASTERS_CREDENTIALS_FILE ${OUTLOGS}/${STAMP}-master_creds.txt
|
# cp $AWS_MASTERS_CREDENTIALS_FILE ${OUTLOGS}/${STAMP}-master_creds.txt
|
||||||
# cp $AWS_TARGETS_CREDENTIALS_FILE ${OUTLOGS}/${STAMP}-target_creds.txt
|
# cp $AWS_TARGETS_CREDENTIALS_FILE ${OUTLOGS}/${STAMP}-target_creds.txt
|
||||||
rm $AWS_MASTERS_CREDENTIALS_FILE $AWS_TARGETS_CREDENTIALS_FILE
|
rm "$AWS_MASTERS_CREDENTIALS_FILE" "$AWS_TARGETS_CREDENTIALS_FILE"
|
||||||
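Review bot: The quoted `rm "$AWS_MASTERS_CREDENTIALS_FILE" "$AWS_TARGETS_CREDENTIALS_FILE"` still runs only when the script reaches this line, which the hunk header places at the end of the file; a signal, or any earlier termination once the script gains `set -e`, leaves both mktemp files, holding the per-account `role_arn`/`credential_source` profiles, behind in the temp directory. Register the cleanup where the files are created instead, immediately after the second `mktemp` in the `@@ -102,15 +104,15 @@` hunk: `trap 'rm -f -- "$AWS_MASTERS_CREDENTIALS_FILE" "$AWS_TARGETS_CREDENTIALS_FILE"' EXIT`. The final `rm` then becomes redundant and can be dropped or kept as a no-op. The three commented-out `cp` lines above it copy those same files into `${OUTLOGS}`; a short comment saying they are deliberately disabled because the output directory is retained would stop the next reader from re-enabling them.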