Merge branch 'master' into prowler_eip_check

2026-02-10 14:55:00 +00:00 · 2020-01-27 17:44:59 -05:00
parent 4c1d1887e4 f2f82165ab
commit e65a11bc27
6 changed files with 23 additions and 53 deletions
--- a/README.md
+++ b/README.md
@@ -64,6 +64,11 @@ This script has been written in bash using AWS-CLI and it works in Linux and OSX

    AWS-CLI can be also installed it using "brew", "apt", "yum" or manually from <https://aws.amazon.com/cli/>, but `ansi2html` and `detect-secrets` has to be installed using `pip`. You will need to install `jq` to get more accuracy in some checks. 

+- Make sure jq is installed (example below with "apt" but use a valid package manager for your OS):
+    ```sh
+    sudo apt install jq
+    ```
+
 - Previous steps, from your workstation:

    ```sh
--- a/checks/check_extra766
+++ b/checks/check_extra766
@@ -1,46 +0,0 @@
-#!/usr/bin/env bash
-
-# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not
-# use this file except in compliance with the License. You may obtain a copy
-# of the License at http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed
-# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
-# CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-
-# Remediation:
-#
-#   https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#configuring-instance-metadata-service
-#
-#   aws ecr put-image-scanning-configuration \
-#     --region <value> \
-#     --repository-name <value> \
-#     --image-scanning-configuration scanOnPush=true
-  
-
-CHECK_ID_extra766="7.66"
-CHECK_TITLE_extra766="[extra766] Check if ECR image scan on push is enabled (Not Scored) (Not part of CIS benchmark)"
-CHECK_SCORED_extra766="NOT_SCORED"
-CHECK_TYPE_extra766="EXTRA"
-CHECK_ALTERNATE_check766="extra766"
-
-extra766(){
-  for regx in $REGIONS; do
-    LIST_ECR_REPOS=$($AWSCLI ecr describe-repositories $PROFILE_OPT --region $regx --query "repositories[*].[repositoryName]" --output text 2>&1)
-    if [[ $LIST_ECR_REPOS ]]; then 
-      for repo in $LIST_ECR_REPOS; do
-        SCAN_ENABLED=$($AWSCLI ecr describe-repositories $PROFILE_OPT --region $regx --query "repositories[?repositoryName==\`$repo\`].[imageScanningConfiguration.scanOnPush]" --output text|grep True)
-        if [[ $SCAN_ENABLED ]];then
-          textPass "$regx: ECR repository $repo has scan on push enabled" "$regx"
-        else
-          textFail "$regx: ECR repository $repo has scan on push disabled!" "$regx"
-        fi
-      done 
-    else
-      textInfo "$regx: No ECR repositories found" "$regx"
-    fi 
-  done 
-}
--- a/groups/group7_extras
+++ b/groups/group7_extras
@@ -15,7 +15,7 @@ GROUP_ID[7]='extras'
 GROUP_NUMBER[7]='7.0'
 GROUP_TITLE[7]='Extras - [extras] **********************************************'
 GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
-GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra766,extra767,extra768,extra769,extra770,extra771,extra772'
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772'

 # Extras 759 and 760 (lambda variables and code secrets finder are not included)
 # to run detect-secrets use `./prowler -g secrets`
--- a/include/assume_role
+++ b/include/assume_role
@@ -27,7 +27,7 @@ if [[ $ACCOUNT_TO_ASSUME ]]; then
    TEMP_STS_ASSUMED_FILE=$(mktemp -t prowler.sts_assumed-XXXXXX)

    # assume role command
-    $AWSCLI sts assume-role --role-arn arn:aws:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \
+    $AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:aws:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \
        --role-session-name ProwlerAssessmentSession \
        --duration-seconds $SESSION_DURATION_TO_ASSUME > $TEMP_STS_ASSUMED_FILE 

@@ -41,9 +41,13 @@ if [[ $ACCOUNT_TO_ASSUME ]]; then
        exit 1
    fi

+    # The profile shouldn't be used for CLI
+    PROFILE=""
+    PROFILE_OPT=""
+
    # set env variables with assumed role credentials
-    AWS_ACCESS_KEY_ID=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.AccessKeyId')
-    AWS_SECRET_ACCESS_KEY=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SecretAccessKey')
-    AWS_SESSION_TOKEN=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SessionToken')
+    export AWS_ACCESS_KEY_ID=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.AccessKeyId')
+    export AWS_SECRET_ACCESS_KEY=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SecretAccessKey')
+    export AWS_SESSION_TOKEN=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SessionToken')
    rm -fr $TEMP_STS_ASSUMED_FILE
 fi
--- a/include/outputs
+++ b/include/outputs
@@ -76,7 +76,7 @@ textInfo(){
    else
      REPREGION=$REGION
    fi
-    jq -c \
+    jq -M -c \
    --arg PROFILE "$PROFILE" \
    --arg ACCOUNT_NUM "$ACCOUNT_NUM" \
    --arg TITLE_TEXT "$TITLE_TEXT" \
@@ -119,7 +119,7 @@ textFail(){
    else
      REPREGION=$REGION
    fi
-    jq -c \
+    jq -M -c \
    --arg PROFILE "$PROFILE" \
    --arg ACCOUNT_NUM "$ACCOUNT_NUM" \
    --arg TITLE_TEXT "$TITLE_TEXT" \
--- a/7
+++ b/7
@@ -439,6 +439,13 @@ if [[ $CHECK_ID ]];then
  exit $EXITCODE
 fi

+if [[ $ACCOUNT_TO_ASSUME ]]; then
+  # unset env variables with assumed role credentials
+  unset AWS_ACCESS_KEY_ID
+  unset AWS_SECRET_ACCESS_KEY
+  unset AWS_SESSION_TOKEN
+fi
+

 execute_all
 scoring