From d026ed5cac6a87e332fa6a0a7dcb4ea5f4127f1e Mon Sep 17 00:00:00 2001 From: gabrielsoltz Date: Thu, 24 Oct 2019 13:22:26 +0200 Subject: [PATCH 1/5] improve_extra727 --- checks/check_extra727 | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/checks/check_extra727 b/checks/check_extra727 index 0be47f2c..ab8e4daf 100644 --- a/checks/check_extra727 +++ b/checks/check_extra727 @@ -18,6 +18,45 @@ CHECK_TYPE_extra727="EXTRA" CHECK_ALTERNATE_check727="extra727" extra727(){ + for regx in $REGIONS; do + LIST_SQS=$($AWSCLI sqs list-queues $PROFILE_OPT --region $regx --query QueueUrls --output text |grep -v ^None) + if [[ $LIST_SQS ]]; then + for queue in $LIST_SQS; do + SQS_POLICY=$($AWSCLI sqs get-queue-attributes --queue-url $queue $PROFILE_OPT --region $regx --attribute-names All --query Attributes.Policy --output text) + if [[ "$SQS_POLICY" != "None" ]]; then + SQS_POLICY_ALLOW_ALL=$($AWSCLI sqs get-queue-attributes --queue-url $queue $PROFILE_OPT --region $regx --attribute-names All --query Attributes \ + | jq '.Policy | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")') + if [[ $SQS_POLICY_ALLOW_ALL ]]; then + SQS_POLICY_ALLOW_ALL_WITHOUT_CONDITION=$($AWSCLI sqs get-queue-attributes --queue-url $queue $PROFILE_OPT --region $regx --attribute-names All --query Attributes \ + | jq '.Policy | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*") | select(has("Condition") | not)') + if [[ $SQS_POLICY_ALLOW_ALL_WITHOUT_CONDITION ]]; then + SQS_POLICY_ALLOW_ALL_WITHOUT_CONDITION_DETAILS=$($AWSCLI sqs get-queue-attributes --queue-url $queue $PROFILE_OPT --region $regx --attribute-names All --query Attributes \ + | jq '.Policy | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*") | select(has("Condition") | not)' | jq '"[Principal: " + (.Principal|tostring) + " Action: " + .Action + "]"' ) + textFail "$regx: SQS $queue queue policy with public access: $SQS_POLICY_ALLOW_ALL_WITHOUT_CONDITION_DETAILS" "$regx" + else + textInfo "$regx: SQS $queue queue policy with public access but has a Condition" "$regx" + fi + else + textPass "$regx: SQS $queue queue without public access" "$regx" + fi + else + textPass "$regx: SQS $queue queue without policy" "$regx" + fi + done + else + textInfo "$regx: No SQS queues found" "$regx" + fi + done + + + + + + + + + + for regx in $REGIONS; do LIST_SQS=$($AWSCLI sqs list-queues $PROFILE_OPT --region $regx --query QueueUrls --output text |grep -v ^None) if [[ $LIST_SQS ]]; then From 63898690c8f785ee37dd89ce2db7f524e26f64fd Mon Sep 17 00:00:00 2001 From: gabrielsoltz Date: Thu, 24 Oct 2019 13:25:18 +0200 Subject: [PATCH 2/5] remove_old_check --- checks/check_extra727 | 32 -------------------------------- 1 file changed, 32 deletions(-) diff --git a/checks/check_extra727 b/checks/check_extra727 index ab8e4daf..b8bf354f 100644 --- a/checks/check_extra727 +++ b/checks/check_extra727 @@ -47,36 +47,4 @@ extra727(){ textInfo "$regx: No SQS queues found" "$regx" fi done - - - - - - - - - - - for regx in $REGIONS; do - LIST_SQS=$($AWSCLI sqs list-queues $PROFILE_OPT --region $regx --query QueueUrls --output text |grep -v ^None) - if [[ $LIST_SQS ]]; then - for queue in $LIST_SQS; do - # check if the policy has Principal as * - SQS_TO_CHECK=$($AWSCLI sqs get-queue-attributes --queue-url $queue $PROFILE_OPT --region $regx --attribute-names All --query Attributes.Policy --output text | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | awk '/Principal/ || /Condition/ && !skip { print } { skip = /Deny/} ') - PUBLIC_SQS_WCONDITION=$(echo $SQS_TO_CHECK|grep Condition) - if [[ $PUBLIC_SQS_WCONDITION ]]; then - textPass "$regx: SQS queue $queue has a Condition" "$regx" - else - PUBLIC_SQS=$(echo $SQS_TO_CHECK|grep \"Principal|grep \*) - if [[ $PUBLIC_SQS ]]; then - textFail "$regx: SQS queue $queue seems to be public (Principal: \"*\")" "$regx" - else - textPass "$regx: SQS queue $queue seems correct" "$regx" - fi - fi - done - else - textInfo "$regx: No SQS queues found" "$regx" - fi - done } From 508a9354b7ae8fac1928b1eff2cd2dbc8000fb2b Mon Sep 17 00:00:00 2001 From: gabrielsoltz Date: Thu, 24 Oct 2019 23:28:58 +0200 Subject: [PATCH 3/5] fix jq array --- checks/check_extra727 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checks/check_extra727 b/checks/check_extra727 index b8bf354f..e5571716 100644 --- a/checks/check_extra727 +++ b/checks/check_extra727 @@ -31,7 +31,7 @@ extra727(){ | jq '.Policy | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*") | select(has("Condition") | not)') if [[ $SQS_POLICY_ALLOW_ALL_WITHOUT_CONDITION ]]; then SQS_POLICY_ALLOW_ALL_WITHOUT_CONDITION_DETAILS=$($AWSCLI sqs get-queue-attributes --queue-url $queue $PROFILE_OPT --region $regx --attribute-names All --query Attributes \ - | jq '.Policy | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*") | select(has("Condition") | not)' | jq '"[Principal: " + (.Principal|tostring) + " Action: " + .Action + "]"' ) + | jq '.Policy | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*") | select(has("Condition") | not)' | jq '"[Principal: " + (.Principal|tostring) + " Action: " + (.Action|tostring) + "]"' ) textFail "$regx: SQS $queue queue policy with public access: $SQS_POLICY_ALLOW_ALL_WITHOUT_CONDITION_DETAILS" "$regx" else textInfo "$regx: SQS $queue queue policy with public access but has a Condition" "$regx" From fb45fa0c0308112ddb39f6978b8969493844d8cc Mon Sep 17 00:00:00 2001 From: gabrielsoltz Date: Thu, 24 Oct 2019 23:56:02 +0200 Subject: [PATCH 4/5] reduce_api_calls --- checks/check_extra727 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/checks/check_extra727 b/checks/check_extra727 index e5571716..a88ba0a2 100644 --- a/checks/check_extra727 +++ b/checks/check_extra727 @@ -30,8 +30,8 @@ extra727(){ SQS_POLICY_ALLOW_ALL_WITHOUT_CONDITION=$($AWSCLI sqs get-queue-attributes --queue-url $queue $PROFILE_OPT --region $regx --attribute-names All --query Attributes \ | jq '.Policy | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*") | select(has("Condition") | not)') if [[ $SQS_POLICY_ALLOW_ALL_WITHOUT_CONDITION ]]; then - SQS_POLICY_ALLOW_ALL_WITHOUT_CONDITION_DETAILS=$($AWSCLI sqs get-queue-attributes --queue-url $queue $PROFILE_OPT --region $regx --attribute-names All --query Attributes \ - | jq '.Policy | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*") | select(has("Condition") | not)' | jq '"[Principal: " + (.Principal|tostring) + " Action: " + (.Action|tostring) + "]"' ) + SQS_POLICY_ALLOW_ALL_WITHOUT_CONDITION_DETAILS=$(echo $SQS_POLICY_ALLOW_ALL_WITHOUT_CONDITION \ + | jq '"[Principal: " + (.Principal|tostring) + " Action: " + (.Action|tostring) + "]"' ) textFail "$regx: SQS $queue queue policy with public access: $SQS_POLICY_ALLOW_ALL_WITHOUT_CONDITION_DETAILS" "$regx" else textInfo "$regx: SQS $queue queue policy with public access but has a Condition" "$regx" From 61ef02ec5020a3adc272ddf7260d49bc9aaf535a Mon Sep 17 00:00:00 2001 From: gabrielsoltz Date: Fri, 25 Oct 2019 16:42:59 +0200 Subject: [PATCH 5/5] reduce_api_calls --- checks/check_extra727 | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/checks/check_extra727 b/checks/check_extra727 index a88ba0a2..5e14e2b5 100644 --- a/checks/check_extra727 +++ b/checks/check_extra727 @@ -22,13 +22,13 @@ extra727(){ LIST_SQS=$($AWSCLI sqs list-queues $PROFILE_OPT --region $regx --query QueueUrls --output text |grep -v ^None) if [[ $LIST_SQS ]]; then for queue in $LIST_SQS; do - SQS_POLICY=$($AWSCLI sqs get-queue-attributes --queue-url $queue $PROFILE_OPT --region $regx --attribute-names All --query Attributes.Policy --output text) - if [[ "$SQS_POLICY" != "None" ]]; then - SQS_POLICY_ALLOW_ALL=$($AWSCLI sqs get-queue-attributes --queue-url $queue $PROFILE_OPT --region $regx --attribute-names All --query Attributes \ - | jq '.Policy | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")') + SQS_POLICY=$($AWSCLI sqs get-queue-attributes --queue-url $queue $PROFILE_OPT --region $regx --attribute-names All --query Attributes.Policy) + if [[ "$SQS_POLICY" != "null" ]]; then + SQS_POLICY_ALLOW_ALL=$(echo $SQS_POLICY \ + | jq '. | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")') if [[ $SQS_POLICY_ALLOW_ALL ]]; then - SQS_POLICY_ALLOW_ALL_WITHOUT_CONDITION=$($AWSCLI sqs get-queue-attributes --queue-url $queue $PROFILE_OPT --region $regx --attribute-names All --query Attributes \ - | jq '.Policy | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*") | select(has("Condition") | not)') + SQS_POLICY_ALLOW_ALL_WITHOUT_CONDITION=$(echo $SQS_POLICY \ + | jq '. | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*") | select(has("Condition") | not)') if [[ $SQS_POLICY_ALLOW_ALL_WITHOUT_CONDITION ]]; then SQS_POLICY_ALLOW_ALL_WITHOUT_CONDITION_DETAILS=$(echo $SQS_POLICY_ALLOW_ALL_WITHOUT_CONDITION \ | jq '"[Principal: " + (.Principal|tostring) + " Action: " + (.Action|tostring) + "]"' )