ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-12 15:55:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Improved feature to refresh assume role credentials before it expires

Browse Source
This commit is contained in:
Toni de la Fuente
2021-04-09 15:13:13 +02:00
parent 10d062960e
commit e4edc2fa2c
3 changed files with 10 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
include/assume_role
View File

@@ -70,7 +70,7 @@ assume_role(){
export AWS_ACCESS_KEY_ID=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.AccessKeyId') export AWS_ACCESS_KEY_ID=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SecretAccessKey') export AWS_SECRET_ACCESS_KEY=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SecretAccessKey')
export AWS_SESSION_TOKEN=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SessionToken') export AWS_SESSION_TOKEN=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SessionToken')
export AWS_SESSION_EXPIRATION=$(convert_date_to_timestamp "$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.Expiration')") export AWS_SESSION_EXPIRATION=$(convert_date_to_timestamp "$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.Expiration'| sed 's/+00:00//g')")
rm -fr $TEMP_STS_ASSUMED_FILE rm -fr $TEMP_STS_ASSUMED_FILE
} }

5
include/os_detector
View File

@@ -112,13 +112,12 @@ gnu_convert_date_to_timestamp() {
# if [ "$OSTYPE" == "linux-musl" ]; then # if [ "$OSTYPE" == "linux-musl" ]; then
# date -D "%Y-%m-%dT%H:%M:%SZ" -d "$1" +%s # date -D "%Y-%m-%dT%H:%M:%SZ" -d "$1" +%s
# else # else
date -d "$1" +%s date -u -d "$1" +%s
# fi # fi
} }
bsd_convert_date_to_timestamp() { bsd_convert_date_to_timestamp() {
echo $(( $(date -j -f %Y-%m-%dT%H:%M:%S "$1" +%s) + 3600 )) echo $(date -u -j -f %Y-%m-%dT%H:%M:%S "$1" +%s)
# Change above is because epoch time generator in BSD is 1h less than in Linux ¯\_(ツ)_/¯
#date -j -f "%Y-%m-%dT%H:%M:%S" "$1" "+%s" #date -j -f "%Y-%m-%dT%H:%M:%S" "$1" "+%s"
} }

11
prowler
View File

@@ -296,7 +296,7 @@ get_regions() {
# Get list of regions based on include/whoami # Get list of regions based on include/whoami
REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' --output text $PROFILE_OPT --region $REGION_FOR_STS --region-names $FILTERREGION 2>&1) REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' --output text $PROFILE_OPT --region $REGION_FOR_STS --region-names $FILTERREGION 2>&1)
if [[ $(echo "$REGIONS" | grep 'AccessDenied\|UnauthorizedOperation') ]]; then if [[ $(echo "$REGIONS" | grep 'AccessDenied\|UnauthorizedOperation') ]]; then
echo "Access Denied trying to describe regions" echo "$OPTRED Access Denied trying to describe regions! Review permissions as described here: https://github.com/toniblyx/prowler/#requirements-and-installation $OPTNORMAL"
EXITCODE=1 EXITCODE=1
exit $EXITCODE exit $EXITCODE
fi fi
@@ -342,11 +342,14 @@ show_group_title() {
# Function to execute the check # Function to execute the check
execute_check() { execute_check() {
if [[ $ACCOUNT_TO_ASSUME ]]; then if [[ $ACCOUNT_TO_ASSUME ]]; then
MINIMUM_REMAINING_TIME_ALLOWED=$(($SESSION_DURATION_TO_ASSUME / 10 )) # Following logic looks for time remaining in the session and review it
# if it is less than 600 seconds, 10 minutes.
CURRENT_TIMESTAMP=$(date -u "+%s") CURRENT_TIMESTAMP=$(date -u "+%s")
SESSION_CUTOFF=$(($CURRENT_TIMESTAMP + $MINIMUM_REMAINING_TIME_ALLOWED)) SESSION_TIME_REMAINING=$(expr $AWS_SESSION_EXPIRATION - $CURRENT_TIMESTAMP)
if [[ $AWS_SESSION_EXPIRATION < $SESSION_CUTOFF ]]; then MINIMUM_REMAINING_TIME_ALLOWED="600"
if [[ $MINIMUM_REMAINING_TIME_ALLOWED > $SESSION_TIME_REMAINING ]]; then
unset AWS_ACCESS_KEY_ID unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN unset AWS_SESSION_TOKEN