diff --git a/checklist.txt b/checklist.txt
new file mode 100644
index 00000000..d00f60e8
--- /dev/null
+++ b/checklist.txt
@@ -0,0 +1,6 @@
+# You can add a comma seperated list of checks like this:
+check11, check12
+extra72 # You can also use newlines for each check
+check13 # This way allows you to add inline comments
+# Both of these can be combined if you have a standard list and want to add
+# inline comments for other checks.
\ No newline at end of file
diff --git a/prowler b/prowler
index 8022ba0b..1bd7febd 100755
--- a/prowler
+++ b/prowler
@@ -72,6 +72,8 @@ USAGE:
 (i.e.: us-east-1), all regions are checked anyway if the check requires it
 -c specify one or multiple check ids separated by commas, to see all available checks use "-l" option
 (i.e.: "check11" for check 1.1 or "extra71,extra72" for extra check 71 and extra check 72)
+ -C Checklist file. See checklist.txt for reference and format.
+ (i.e.: checklist.txt)
 -g specify a group of checks by id, to see all available group of checks use "-L"
 (i.e.: "group3" for entire section 3, "cislevel1" for CIS Level 1 Profile Definitions or "forensics-ready")
 -f specify an AWS region to run checks against
@@ -115,7 +117,7 @@ USAGE:
 exit
 }
 
-while getopts ":hlLkqp:r:c:g:f:m:M:E:x:enbVsSI:A:R:T:w:N:o:B:F:zZ:" OPTION; do
+while getopts ":hlLkqp:r:c:C:g:f:m:M:E:x:enbVsSI:A:R:T:w:N:o:B:F:zZ:" OPTION; do
 case $OPTION in
 h )
 usage
@@ -140,6 +142,9 @@ while getopts ":hlLkqp:r:c:g:f:m:M:E:x:enbVsSI:A:R:T:w:N:o:B:F:zZ:" OPTION; do
 c )
 CHECK_ID=$OPTARG
 ;;
+ C )
+ CHECK_FILE=$OPTARG
+ ;;
 g )
 GROUP_ID_READ=$OPTARG
 ;;
@@ -279,6 +284,19 @@ unset AWS_DEFAULT_OUTPUT
 . $PROWLER_DIR/include/securityhub_integration
 . $PROWLER_DIR/include/junit_integration
 
+# Parses the check file into CHECK_ID's.
+if [[ -n "$CHECK_FILE" ]]; then
+ if [[ -f $CHECK_FILE ]]; then
+ # Parses the file, converting it to a comma seperated list. Ignores all # comments and removes extra blank spaces
+ CHECK_ID="$(awk '!/^[[:space:]]*#/{print }' <(cat $CHECK_FILE | sed 's/[[:space:]]*#.*$//g;/^$/d' | sed 'H;1h;$!d;x;y/\n/,/' | tr -d ' '))"
+ else
+ # If the file doesn't exist, exits Prowler
+ echo "$CHECK_FILE does not exist"
+ EXITCODE=1
+ exit $EXITCODE
+ fi
+fi
+
 # Pre-process whitelist file if supplied
 if [[ -n "$WHITELIST_FILE" ]]; then
 # ignore lines starting with # (comments)
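Review bot: `cat $CHECK_FILE` in the CHECK_ID assignment leaves a user-supplied path unquoted, so a path containing spaces or glob characters is split or expanded and one starting with `-` is read by cat as an option; a quoted redirect `< "$CHECK_FILE"` avoids both and drops the useless cat. The `-f` test also lets an unreadable file through to a silently empty CHECK_ID (`-r` matches what the message claims), the error message goes to stdout rather than stderr, and the outer `awk '!/^[[:space:]]*#/'` filter is a no-op because the inner sed has already stripped comments and joined everything onto one line. Whitespace-only lines, tabs and CR line endings survive `/^$/d` and `tr -d ' '`, which yields empty or malformed ids in the comma list. If `-c` was also given, its CHECK_ID is silently replaced here and the `-C` usage text in the earlier hunk does not say so; a one-line warning to stderr makes that visible. The rewrite below keeps the same CHECK_ID format and exit behaviour.
```shell
# Parses the check file into CHECK_ID's (comments stripped, ids separated by commas or whitespace).
if [[ -n "$CHECK_FILE" ]]; then
  if [[ -r "$CHECK_FILE" ]]; then
    [[ -n "$CHECK_ID" ]] && echo "warning: -C replaces the check list given with -c" >&2
    # Strip comments, split on commas/whitespace (tabs and CR included), drop empties, join with commas.
    CHECK_ID="$(sed 's/[[:space:]]*#.*$//' < "$CHECK_FILE" | tr -s ',[:space:]' '\n' | sed '/^$/d' | paste -s -d, -)"
  else
    echo "$CHECK_FILE does not exist or is not readable" >&2
    EXITCODE=1
    exit $EXITCODE
  fi
fi
```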