From e5414e87c78d3ed2d8e010c869b251a49fc1789f Mon Sep 17 00:00:00 2001
From: Nacho Rivera
Date: Fri, 1 Sep 2023 12:55:29 +0200
Subject: [PATCH] fix(ec2 nacl checks):unify logic (#2799)
---
 .../ec2_networkacl_allow_ingress_any_port.py | 7 +++----
 .../ec2_networkacl_allow_ingress_tcp_port_22.py | 10 ++++------
 .../ec2_networkacl_allow_ingress_tcp_port_3389.py | 10 ++++------
 3 files changed, 11 insertions(+), 16 deletions(-)
diff --git a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port.py b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port.py
index 55a860a9..66b8bbfa 100644
--- a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port.py
+++ b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port.py
@@ -14,11 +14,10 @@ class ec2_networkacl_allow_ingress_any_port(Check):
 report.resource_id = network_acl.id
 report.resource_arn = network_acl.arn
 report.resource_tags = network_acl.tags
+ report.status = "PASS"
+ report.status_extended = f"Network ACL {network_acl.id} does not have every port open to the Internet."
 # If some entry allows it, that ACL is not securely configured
- if not check_network_acl(network_acl.entries, tcp_protocol, check_port):
- report.status = "PASS"
- report.status_extended = f"Network ACL {network_acl.id} does not have every port open to the Internet."
- else:
+ if check_network_acl(network_acl.entries, tcp_protocol, check_port):
 report.status = "FAIL"
 report.status_extended = (
 f"Network ACL {network_acl.id} has every port open to the Internet."
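Review bot: The new unconditional `report.status = "PASS"` makes the verdict fail-open: the ACL is only marked FAIL when `check_network_acl` returns a truthy value, so any falsy return on unexpected input (for example `None` for an entry missing a field the helper reads) would be reported as a compliant ACL instead of surfacing as an error. The helper is not part of this patch, so this is an inference; if it does not already guarantee a strict `bool`, consider annotating its return as `-> bool` and adding a test with a malformed entry so the default-PASS path is covered. The comment above the `if` now describes only half of the flow; `# Default to PASS; any entry that allows the traffic flips the ACL to FAIL` would match the new structure. The same default-PASS shape is introduced in the port 22 and port 3389 hunks of this patch, and the enclosing `execute` loop starts before this hunk.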
diff --git a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22.py b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22.py
index 38b7351a..239c0a95 100644
--- a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22.py
+++ b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22.py
@@ -13,15 +13,13 @@ class ec2_networkacl_allow_ingress_tcp_port_22(Check):
 report.region = network_acl.region
 report.resource_arn = network_acl.arn
 report.resource_tags = network_acl.tags
+ report.status = "PASS"
+ report.status_extended = f"Network ACL {network_acl.id} does not have SSH port 22 open to the Internet."
+ report.resource_id = network_acl.id
 # If some entry allows it, that ACL is not securely configured
- if not check_network_acl(network_acl.entries, tcp_protocol, check_port):
- report.status = "PASS"
- report.status_extended = f"Network ACL {network_acl.id} does not have SSH port 22 open to the Internet."
- report.resource_id = network_acl.id
- else:
+ if check_network_acl(network_acl.entries, tcp_protocol, check_port):
 report.status = "FAIL"
 report.status_extended = f"Network ACL {network_acl.id} has SSH port 22 open to the Internet."
- report.resource_id = network_acl.id
 findings.append(report)
 return findings
diff --git a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389.py b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389.py
index bc770114..28422014 100644
--- a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389.py
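Review bot: The added `report.resource_id = network_acl.id` is placed after the two status lines, so the resource identity fields (`region`, `resource_arn`, `resource_tags`, `resource_id`) end up split around the verdict fields. Moving it up to sit with `report.resource_tags = network_acl.tags` keeps identity and verdict grouped and matches the any_port check in this same patch, where `resource_id` is assigned before `status`. The port 3389 hunk has the identical ordering and should be adjusted the same way. The enclosing `execute` loop begins before this hunk.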
+++ b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389.py
@@ -13,15 +13,13 @@ class ec2_networkacl_allow_ingress_tcp_port_3389(Check):
 report.region = network_acl.region
 report.resource_arn = network_acl.arn
 report.resource_tags = network_acl.tags
+ report.status = "PASS"
+ report.status_extended = f"Network ACL {network_acl.id} does not have Microsoft RDP port 3389 open to the Internet."
+ report.resource_id = network_acl.id
 # If some entry allows it, that ACL is not securely configured
- if not check_network_acl(network_acl.entries, tcp_protocol, check_port):
- report.status = "PASS"
- report.status_extended = f"Network ACL {network_acl.id} does not have Microsoft RDP port 3389 open to the Internet."
- report.resource_id = network_acl.id
- else:
+ if check_network_acl(network_acl.entries, tcp_protocol, check_port):
 report.status = "FAIL"
 report.status_extended = f"Network ACL {network_acl.id} has Microsoft RDP port 3389 open to the Internet."
- report.resource_id = network_acl.id
 findings.append(report)
 return findings