From c2f541134b5aa65b5064209389f395420836a049 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ng=E1=BB=8D=20Anh=20=C4=90=E1=BB=A9c?= Date: Wed, 8 Jan 2020 11:13:25 +0700 Subject: [PATCH 1/5] Update README.md Add jq package in requirements --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 8a779175..61bb9089 100644 --- a/README.md +++ b/README.md @@ -64,6 +64,11 @@ This script has been written in bash using AWS-CLI and it works in Linux and OSX AWS-CLI can be also installed it using "brew", "apt", "yum" or manually from , but `ansi2html` and `detect-secrets` has to be installed using `pip`. You will need to install `jq` to get more accuracy in some checks. +- Make sure jq is installed: + ```sh + sudo apt install jq + ``` + - Previous steps, from your workstation: ```sh From 49ec898b9e413815d4de0d148da10c1173b34131 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Wed, 8 Jan 2020 09:14:21 +0100 Subject: [PATCH 2/5] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 61bb9089..2cc37a20 100644 --- a/README.md +++ b/README.md @@ -64,7 +64,7 @@ This script has been written in bash using AWS-CLI and it works in Linux and OSX AWS-CLI can be also installed it using "brew", "apt", "yum" or manually from , but `ansi2html` and `detect-secrets` has to be installed using `pip`. You will need to install `jq` to get more accuracy in some checks. -- Make sure jq is installed: +- Make sure jq is installed (example below with "apt" but use a valid package manager for your OS): ```sh sudo apt install jq ``` From cea0cfb47d46450bc0638b0f25487260c386bf00 Mon Sep 17 00:00:00 2001 From: bgeesaman Date: Wed, 8 Jan 2020 20:21:18 -0500 Subject: [PATCH 3/5] Prevent colorization on Failed and Info --- include/outputs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/outputs b/include/outputs index a33b1dca..b18ac683 100644 --- a/include/outputs +++ b/include/outputs @@ -76,7 +76,7 @@ textInfo(){ else REPREGION=$REGION fi - jq -c \ + jq -M -c \ --arg PROFILE "$PROFILE" \ --arg ACCOUNT_NUM "$ACCOUNT_NUM" \ --arg TITLE_TEXT "$TITLE_TEXT" \ @@ -119,7 +119,7 @@ textFail(){ else REPREGION=$REGION fi - jq -c \ + jq -M -c \ --arg PROFILE "$PROFILE" \ --arg ACCOUNT_NUM "$ACCOUNT_NUM" \ --arg TITLE_TEXT "$TITLE_TEXT" \ From f006c81e6a888fd6bd3cc7bcaf62fefea7401acb Mon Sep 17 00:00:00 2001 From: Fayez Barbari Date: Mon, 20 Jan 2020 14:36:01 -0600 Subject: [PATCH 4/5] Use custom aws profile with Role to assume --- include/assume_role | 12 ++++++++---- prowler | 7 +++++++ 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/include/assume_role b/include/assume_role index 0ff97610..4fedfb3d 100644 --- a/include/assume_role +++ b/include/assume_role @@ -27,7 +27,7 @@ if [[ $ACCOUNT_TO_ASSUME ]]; then TEMP_STS_ASSUMED_FILE=$(mktemp -t prowler.sts_assumed-XXXXXX) # assume role command - $AWSCLI sts assume-role --role-arn arn:aws:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \ + $AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:aws:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \ --role-session-name ProwlerAssessmentSession \ --duration-seconds $SESSION_DURATION_TO_ASSUME > $TEMP_STS_ASSUMED_FILE @@ -41,9 +41,13 @@ if [[ $ACCOUNT_TO_ASSUME ]]; then exit 1 fi + # The profile shouldn't be used for CLI + PROFILE="" + PROFILE_OPT="" + # set env variables with assumed role credentials - AWS_ACCESS_KEY_ID=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.AccessKeyId') - AWS_SECRET_ACCESS_KEY=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SecretAccessKey') - AWS_SESSION_TOKEN=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SessionToken') + export AWS_ACCESS_KEY_ID=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.AccessKeyId') + export AWS_SECRET_ACCESS_KEY=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SecretAccessKey') + export AWS_SESSION_TOKEN=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SessionToken') rm -fr $TEMP_STS_ASSUMED_FILE fi diff --git a/prowler b/prowler index 57315da3..e4e096d0 100755 --- a/prowler +++ b/prowler @@ -439,6 +439,13 @@ if [[ $CHECK_ID ]];then exit $EXITCODE fi +if [[ $ACCOUNT_TO_ASSUME ]]; then + # unset env variables with assumed role credentials + unset AWS_ACCESS_KEY_ID + unset AWS_SECRET_ACCESS_KEY + unset AWS_SESSION_TOKEN +fi + execute_all scoring From 9fc0f6c61c585684a2eb675f42cc4b24cb85a1d2 Mon Sep 17 00:00:00 2001 From: "C.J" <31103058+zfLQ2qx2@users.noreply.github.com> Date: Sat, 25 Jan 2020 15:29:05 -0500 Subject: [PATCH 5/5] Remove check 766, dupe of check 765 --- checks/check_extra766 | 46 ------------------------------------------- groups/group7_extras | 2 +- 2 files changed, 1 insertion(+), 47 deletions(-) delete mode 100644 checks/check_extra766 diff --git a/checks/check_extra766 b/checks/check_extra766 deleted file mode 100644 index 2382f4ac..00000000 --- a/checks/check_extra766 +++ /dev/null @@ -1,46 +0,0 @@ -#!/usr/bin/env bash - -# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may not -# use this file except in compliance with the License. You may obtain a copy -# of the License at http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software distributed -# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR -# CONDITIONS OF ANY KIND, either express or implied. See the License for the -# specific language governing permissions and limitations under the License. - -# Remediation: -# -# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#configuring-instance-metadata-service -# -# aws ecr put-image-scanning-configuration \ -# --region \ -# --repository-name \ -# --image-scanning-configuration scanOnPush=true - - -CHECK_ID_extra766="7.66" -CHECK_TITLE_extra766="[extra766] Check if ECR image scan on push is enabled (Not Scored) (Not part of CIS benchmark)" -CHECK_SCORED_extra766="NOT_SCORED" -CHECK_TYPE_extra766="EXTRA" -CHECK_ALTERNATE_check766="extra766" - -extra766(){ - for regx in $REGIONS; do - LIST_ECR_REPOS=$($AWSCLI ecr describe-repositories $PROFILE_OPT --region $regx --query "repositories[*].[repositoryName]" --output text 2>&1) - if [[ $LIST_ECR_REPOS ]]; then - for repo in $LIST_ECR_REPOS; do - SCAN_ENABLED=$($AWSCLI ecr describe-repositories $PROFILE_OPT --region $regx --query "repositories[?repositoryName==\`$repo\`].[imageScanningConfiguration.scanOnPush]" --output text|grep True) - if [[ $SCAN_ENABLED ]];then - textPass "$regx: ECR repository $repo has scan on push enabled" "$regx" - else - textFail "$regx: ECR repository $repo has scan on push disabled!" "$regx" - fi - done - else - textInfo "$regx: No ECR repositories found" "$regx" - fi - done -} diff --git a/groups/group7_extras b/groups/group7_extras index 12afb988..30bd2e77 100644 --- a/groups/group7_extras +++ b/groups/group7_extras @@ -15,7 +15,7 @@ GROUP_ID[7]='extras' GROUP_NUMBER[7]='7.0' GROUP_TITLE[7]='Extras - [extras] **********************************************' GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called -GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra766,extra767,extra768,extra769,extra770,extra771' +GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771' # Extras 759 and 760 (lambda variables and code secrets finder are not included) # to run detect-secrets use `./prowler -g secrets`