v2.2.1 with new function and Improved extra779 and extra716

2026-02-10 14:55:00 +00:00 · 2020-04-02 15:31:43 +02:00
parent 2c580dd750
commit e567ccb828
4 changed files with 42 additions and 42 deletions
--- a/checks/check_extra716
+++ b/checks/check_extra716
@@ -20,24 +20,6 @@ extra716(){
  # if TEST_AUTHENTICATION has a value Prowler will try to access each ElasticSearch server to the public URI endpoint.
  # That is from the host where Prowler is running and will try to read indices or get kibana status
  TEST_ES_AUTHENTICATION=
-  httpStatus(){
-    case $1 in 
-      000) SERVER_RESPONSE="000 Not responding" ;;
-      200) SERVER_RESPONSE="200 Successful" ;;
-      400) SERVER_RESPONSE="400 Error: Bad Request" ;;
-      401) SERVER_RESPONSE="401 Error: Unauthorized" ;;
-      403) SERVER_RESPONSE="403 Error: Forbidden" ;;
-      404) SERVER_RESPONSE="404 Error: Not Found" ;;
-      407) SERVER_RESPONSE="407 Error: Proxy Authentication Required" ;;
-      408) SERVER_RESPONSE="408 Error: Request Timeout" ;;
-      500) SERVER_RESPONSE="500 Error: Internal Server Error" ;;
-      502) SERVER_RESPONSE="502 Error: Bad Gateway" ;;
-      503) SERVER_RESPONSE="503 Error: Service Unavailable" ;;
-      504) SERVER_RESPONSE="504 Error: Gateway Timeout" ;;
-      505) SERVER_RESPONSE="505 Error: HTTP Version Not Supported" ;;
-      *)   SERVER_RESPONSE="HTTP: status not defined." ;;
-    esac
-  }

  # "Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)"
  for regx in $REGIONS; do
@@ -55,10 +37,12 @@ extra716(){
          $AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.AccessPolicies.Options --output text > $TEMP_POLICY_FILE 2> /dev/null
          CHECK_ES_DOMAIN_POLICY_OPEN=$(cat $TEMP_POLICY_FILE | jq -r '. | .Statement[] | select(.Effect == "Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and select(has("Condition") | not))')
          CHECK_ES_DOMAIN_POLICY_HAS_CONDITION=$(cat $TEMP_POLICY_FILE | jq -r '. | .Statement[] | select(.Effect == "Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and select(has("Condition")))' )
-          CHECK_ES_DOMAIN_POLICY_CONDITION_PRIVATE_IP=$(cat $TEMP_POLICY_FILE | jq 'select (.Statement[0] .Condition.IpAddress."aws:SourceIp" | select( test("^192.168.[0-9]|^10.0.[0-9]|^172.(1[6-9]|2[0-9]|3[01])|^127.0.0.1")))' )
-          CHECK_ES_DOMAIN_POLICY_CONDITION_ZERO=$(cat $TEMP_POLICY_FILE | jq 'select (.Statement[0] .Condition.IpAddress."aws:SourceIp" | select( test("^0.0.0.0/0|^0.0.0.0/8")))' )
-          CHECK_ES_DOMAIN_POLICY_CONDITION_STAR=$(cat $TEMP_POLICY_FILE | jq 'select (.Statement[0] .Condition.IpAddress."aws:SourceIp" == "*")')
-          CHECK_ES_DOMAIN_POLICY_CONDITION_PUBLIC_IP=$(cat $TEMP_POLICY_FILE | jq 'select (.Statement[0] .Condition.IpAddress."aws:SourceIp" | select( test("^192.168.[0-9]|^10.0.[0-9]|^172.(1[6-9]|2[0-9]|3[01])|^127.0.0.1")| not))' )
+          if [[ $CHECK_ES_DOMAIN_POLICY_HAS_CONDITION ]]; then
+            CHECK_ES_DOMAIN_POLICY_CONDITION_PRIVATE_IP=$(cat $TEMP_POLICY_FILE | jq 'select (.Statement[0] .Condition.IpAddress."aws:SourceIp" | select( test("^192.168.[0-9]|^10.0.[0-9]|^172.(1[6-9]|2[0-9]|3[01])|^127.0.0.1")))' )
+            CHECK_ES_DOMAIN_POLICY_CONDITION_ZERO=$(cat $TEMP_POLICY_FILE | jq 'select (.Statement[0] .Condition.IpAddress."aws:SourceIp" | select( test("^0.0.0.0/0|^0.0.0.0/8")))' )
+            CHECK_ES_DOMAIN_POLICY_CONDITION_STAR=$(cat $TEMP_POLICY_FILE | jq 'select (.Statement[0] .Condition.IpAddress."aws:SourceIp" == "*")')
+            CHECK_ES_DOMAIN_POLICY_CONDITION_PUBLIC_IP=$(cat $TEMP_POLICY_FILE | jq 'select (.Statement[0] .Condition.IpAddress."aws:SourceIp" | select( test("^192.168.[0-9]|^10.0.[0-9]|^172.(1[6-9]|2[0-9]|3[01])|^127.0.0.1")| not))' )
+          fi 
          if [[ $CHECK_ES_DOMAIN_POLICY_OPEN || $CHECK_ES_DOMAIN_POLICY_CONDITION_ZERO || $CHECK_ES_DOMAIN_POLICY_CONDITION_STAR ]];then
            if [[ $TEST_ES_AUTHENTICATION ]];then
              # check for REST API on port 443
--- a/checks/check_extra779
+++ b/checks/check_extra779
@@ -25,25 +25,6 @@ extra779(){
  ES_DATA_PORT="9300"
  ES_KIBANA_PORT="5601"

-  httpStatus(){
-    case $1 in 
-      000) SERVER_RESPONSE="000 Not responding" ;;
-      200) SERVER_RESPONSE="200 Successful" ;;
-      400) SERVER_RESPONSE="400 Error: Bad Request" ;;
-      401) SERVER_RESPONSE="401 Error: Unauthorized" ;;
-      403) SERVER_RESPONSE="403 Error: Forbidden" ;;
-      404) SERVER_RESPONSE="404 Error: Not Found" ;;
-      407) SERVER_RESPONSE="407 Error: Proxy Authentication Required" ;;
-      408) SERVER_RESPONSE="408 Error: Request Timeout" ;;
-      500) SERVER_RESPONSE="500 Error: Internal Server Error" ;;
-      502) SERVER_RESPONSE="502 Error: Bad Gateway" ;;
-      503) SERVER_RESPONSE="503 Error: Service Unavailable" ;;
-      504) SERVER_RESPONSE="504 Error: Gateway Timeout" ;;
-      505) SERVER_RESPONSE="505 Error: HTTP Version Not Supported" ;;
-      *)   SERVER_RESPONSE="HTTP: status not defined." ;;
-    esac
-  }
-
  for regx in $REGIONS; do
    # crate a list of SG open to the world with port $ES_API_PORT or $ES_DATA_PORT or $ES_KIBANA_PORT
    SG_LIST=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --output text \
--- a/include/connection_tests
+++ b/include/connection_tests
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+
+# Functions to connection responses initially used for Elasticsearch related checks
+
+httpStatus(){
+    case $1 in 
+      000) SERVER_RESPONSE="000 Not responding" ;;
+      200) SERVER_RESPONSE="200 Successful" ;;
+      400) SERVER_RESPONSE="400 Error: Bad Request" ;;
+      401) SERVER_RESPONSE="401 Error: Unauthorized" ;;
+      403) SERVER_RESPONSE="403 Error: Forbidden" ;;
+      404) SERVER_RESPONSE="404 Error: Not Found" ;;
+      407) SERVER_RESPONSE="407 Error: Proxy Authentication Required" ;;
+      408) SERVER_RESPONSE="408 Error: Request Timeout" ;;
+      500) SERVER_RESPONSE="500 Error: Internal Server Error" ;;
+      502) SERVER_RESPONSE="502 Error: Bad Gateway" ;;
+      503) SERVER_RESPONSE="503 Error: Service Unavailable" ;;
+      504) SERVER_RESPONSE="504 Error: Gateway Timeout" ;;
+      505) SERVER_RESPONSE="505 Error: HTTP Version Not Supported" ;;
+      *)   SERVER_RESPONSE="HTTP: status not defined." ;;
+    esac
+  }
--- a/3
+++ b/3
@@ -32,7 +32,7 @@ OPTRED="[1;31m"
 OPTNORMAL="[0;39m"

 # Set the defaults variables
-PROWLER_VERSION=2.2.0
+PROWLER_VERSION=2.2.1
 PROWLER_DIR=$(dirname "$0")

 REGION=""
@@ -194,6 +194,7 @@ trap "{ rm -f /tmp/prowler*.policy.*; }" EXIT
 . $PROWLER_DIR/include/secrets_detector
 . $PROWLER_DIR/include/check3x
 . $PROWLER_DIR/include/assume_role
+. $PROWLER_DIR/include/connection_tests

 # Get a list of all available AWS Regions
 REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' \