feat(new): New custom check extra9999 to build a custom check on the fly (#1103)

README.md

@@ -49,7 +49,7 @@
 - [HIPAA Checks](#hipaa-checks)
 - [Trust Boundaries Checks](#trust-boundaries-checks)
 - [Multi Account and Continuous Monitoring](util/org-multi-account/README.md)
-- [Add Custom Checks](#add-custom-checks)
+- [Custom Checks](#custom-checks)
 - [Third Party Integrations](#third-party-integrations)
 - [Full list of checks and groups](/LIST_OF_CHECKS_AND_GROUPS.md)
 - [License](#license)
@@ -736,7 +736,15 @@ Single Account environment assumes that only the AWS account subject to this ana
 Multi Account environments assumes a minimum of two trusted or known accounts. For this particular example all trusted and known accounts will be tested. Therefore `GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS` variable in [groups/group16_trustboundaries](groups/group16_trustboundaries) should include all trusted accounts Account #A, Account #B, Account #C, and Account #D in order to finally raise Account #E and Account #F for being untrusted or unknown.
 ![multi-account-environment](/docs/images/prowler-multi-account-environment.png)
 
-## Add Custom Checks
+## Custom Checks
+Using  `./prowler -c extra9999 -a` you can build your own on-the-fly custom check by specifying the AWS CLI command to execute. 
+> Omit the "aws" command and only use its parameters within quotes and do not nest quotes in the aws parameter, --output text is already included in the check.
+> 
+Here is an example of a check to find SGs with inbound port 80:
+
+```sh
+./prowler -c extra9999 -a 'ec2 describe-security-groups --filters Name=ip-permission.to-port,Values=80 --query SecurityGroups[*].GroupId[]]'
+```
 
 In order to add any new check feel free to create a new extra check in the extras group or other group. To do so, you will need to follow these steps:
 

checks/check_extra9999

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra9999="9.9999"
+CHECK_TITLE_extra9999="[check9999] Custom Defined Check"
+CHECK_SCORED_extra79999="NOT_SCORED"
+CHECK_CIS_LEVEL_extra9999="EXTRA"
+CHECK_SEVERITY_extra9999="Critical"
+CHECK_ASFF_RESOURCE_TYPE_extra9999="Custom"
+CHECK_ALTERNATE_extra9999="extra9999"
+CHECK_SERVICENAME_extra9999="custom"
+CHECK_RISK_cextra9999="Custom Defined Risk"
+CHECK_REMEDIATION_extra9999="Custom Remediation"
+CHECK_CAF_EPIC_extra9999="Custom EPIC"
+
+extra9999(){
+
+    for regx in $REGIONS; do
+        MY_CUSTOM_CMD=$($AWSCLI $CUSTOM_CMD $PROFILE_OPT --region $regx --output text 2>&1)
+        if [[ $(echo "$MY_CUSTOM_CMD" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
+            textInfo "$regx: Access Denied or error trying to execute the custom command" "$regx"
+            continue
+        fi
+        if [[ $MY_CUSTOM_CMD ]]; then
+            for element in $MY_CUSTOM_CMD; do 
+                textFail "$regx: Custom output is: $element" "$regx" "$CHECK_SGDEFAULT_ID"
+            done
+        else
+            textPass "$regx: Custom output is empty" "$regx" "$CHECK_SGDEFAULT_ID"
+        fi
+    done
+}

prowler

@@ -112,13 +112,16 @@ USAGE:
                             (i.e.: "-Z check11,check12" will cause check11 and/or check12 to trigger exit code 3)
       -O <mgmnt acct ID>  Specify AWS Organizations management account ID. Used to get account details, requires -R.
                             (requires organizations:ListAccounts* and organizations:ListTagsForResource)
+      -a <aws_cli_cmd>    Build your own on-the-fly custom check by specifying the AWS CLI command to execute. Requires "-c extra9999". Omit the "aws" command and only use its parameters within quotes. 
+                          Do not nest quotes in the aws parameter. Note that --output text is already included in the check.
+                            i,e. -a 'ec2 describe-security-groups --filters Name=ip-permission.to-port,Values=80 --query SecurityGroups[*].GroupId[]]'                
       -V                  Show version number & exit.
       -h                  This help.
   "
   exit
 }
 
-while getopts ":hlLkqp:r:c:C:g:f:m:M:E:x:enbVsSI:A:R:T:w:N:o:B:D:F:zZ:O:" OPTION; do
+while getopts ":hlLkqp:r:c:C:g:f:m:M:E:x:enbVsSI:A:R:T:w:N:o:B:D:F:zZ:O:a:" OPTION; do
    case $OPTION in
      h )
         usage
@@ -228,7 +231,9 @@ while getopts ":hlLkqp:r:c:C:g:f:m:M:E:x:enbVsSI:A:R:T:w:N:o:B:D:F:zZ:O:" OPTION
      O )
         MANAGEMENT_ACCOUNT_ID=$OPTARG
         ;;
-
+     a )
+        CUSTOM_CMD=$OPTARG
+        ;;
      : )
         echo ""
         echo "$OPTRED ERROR!$OPTNORMAL  -$OPTARG requires an argument"