From fe8a123eadc54c0add827d0ee3ce220935a164ca Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Wed, 31 Oct 2018 00:01:47 -0400
Subject: [PATCH] Added check extra730 - ACM cert expiration
---
 checks/check_extra730 | 43 +++++++++++++++++++++++++++++++++++++++++++
 include/os_detector | 24 ++++++++++++++++++++++++
 2 files changed, 67 insertions(+)
 create mode 100644 checks/check_extra730

diff --git a/checks/check_extra730 b/checks/check_extra730
new file mode 100644
index 00000000..f91b9b27
--- /dev/null
+++ b/checks/check_extra730
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+DAYS_TO_EXPIRE_THRESHOLD="7"
+
+CHECK_ID_extra730="7.30"
+CHECK_TITLE_extra730="[extra730] Check if ACM Certificates are about to expire in $DAYS_TO_EXPIRE_THRESHOLD days or less (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra730="NOT_SCORED"
+CHECK_TYPE_extra730="EXTRA"
+CHECK_ALTERNATE_check730="extra730"
+
+extra730(){
+ # "Check if ACM Certificates are about to expire in $DAYS_TO_EXPIRE_THRESHOLD days or less"
+ for regx in $REGIONS; do
+ LIST_OF_ACM_CERTS=$($AWSCLI acm list-certificates $PROFILE_OPT --region $regx --query 'CertificateSummaryList[].CertificateArn' --output text)
+ if [[ $LIST_OF_ACM_CERTS ]];then
+ for cert in $LIST_OF_ACM_CERTS; do
+ CERT_DATA=$($AWSCLI acm describe-certificate --certificate-arn $cert --query 'Certificate.[DomainName,NotAfter]' --output text)
+ echo "$CERT_DATA" | while read FQDN NOTAFTER; do
+ EXPIRES_DATE=$(timestamp_to_date $NOTAFTER)
+ COUNTER_DAYS=$(how_many_days_from_today $EXPIRES_DATE)
+ if [[ $COUNTER_DAYS -le $DAYS_TO_EXPIRE_THRESHOLD ]]; then
+ textFail "$regx: Certificate for $FQDN is about to expire in $COUNTER_DAYS days!" "$regx"
+ else
+ textPass "$regx: Certificate for $FQDN expires in $COUNTER_DAYS days" "$regx"
+ fi
+ done
+ done
+ else
+ textInfo "$regx: No certificates found" "$regx"
+ fi
+ done
+}
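Review bot: The `describe-certificate` call inside the `for cert` loop omits `$PROFILE_OPT --region $regx`, which the `list-certificates` call two lines above does pass, so the per-certificate lookup runs against the CLI's default profile and region rather than the region being iterated; the ARN is not used by the CLI to pick a region, so the describe will fail or query the wrong account for every non-default region. The line should read `CERT_DATA=$($AWSCLI acm describe-certificate $PROFILE_OPT --region $regx --certificate-arn $cert --query 'Certificate.[DomainName,NotAfter]' --output text)`. Separately, a certificate that has no NotAfter (text output prints `None` for a missing field, presumably the case for certificates still pending validation; confirm against the CLI) leaves `$COUNTER_DAYS` empty, and `[[ '' -le 7 ]]` is true in bash, producing a FAIL with an empty day count; a guard such as `[[ -z "$NOTAFTER" || "$NOTAFTER" == "None" ]] && { textInfo "$regx: Certificate for $FQDN has no expiry date" "$regx"; continue; }` before `timestamp_to_date` would avoid that. An already expired certificate is reported as "about to expire in -N days!", so a `(( COUNTER_DAYS < 0 ))` branch with an "expired N days ago" message would make the finding clearer.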
diff --git a/include/os_detector b/include/os_detector
index 7c4a528a..1cbb368d 100644
--- a/include/os_detector
+++ b/include/os_detector
@@ -38,6 +38,14 @@ if [ "$OSTYPE" == "linux-gnu" ] || [ "$OSTYPE" == "linux-musl" ]; then
 {
 base64 -d
 }
+ how_many_days_from_today()
+ {
+ DATE_TO_COMPARE=$1
+ TODAY_IN_DAYS=$(date -d "$(date +%Y-%m-%d)" +%s)
+ DATE_IN_DAYS=$(date -d $DATE_TO_COMPARE +%s)
+ DAYS_TO=$((( $DATE_IN_DAYS - $TODAY_IN_DAYS )/60/60/24))
+ echo $DAYS_TO
+ }
 elif [[ "$OSTYPE" == "darwin"* ]]; then
 # BSD/OSX commands compatibility
 TEMP_REPORT_FILE=$(mktemp -t prowler.cred_report-XXXXXX)
@@ -60,6 +68,14 @@ elif [[ "$OSTYPE" == "darwin"* ]]; then
 {
 base64 -D
 }
+ how_many_days_from_today()
+ {
+ DATE_TO_COMPARE=$1
+ TODAY_IN_DAYS=$(date +%s)
+ DATE_IN_DAYS=$(date -jf %Y-%m-%d $DATE_TO_COMPARE +%s)
+ DAYS_TO=$((( $DATE_IN_DAYS - $TODAY_IN_DAYS )/60/60/24))
+ echo $DAYS_TO
+ }
 elif [[ "$OSTYPE" == "cygwin" ]]; then
 # POSIX compatibility layer and Linux environment emulation for Windows
 TEMP_REPORT_FILE=$(mktemp -t -p /tmp prowler.cred_report-XXXXXX)
@@ -82,6 +98,14 @@ elif [[ "$OSTYPE" == "cygwin" ]]; then
 {
 base64 -d
 }
+ how_many_days_from_today()
+ {
+ DATE_TO_COMPARE=$1
+ TODAY_IN_DAYS=$(date -d "$(date +%Y-%m-%d)" +%s)
+ DATE_IN_DAYS=$(date -d $DATE_TO_COMPARE +%s)
+ DAYS_TO=$((( $TODAY_IN_DAYS - $DATE_IN_DAYS )/60/60/24))
+ echo $DAYS_TO
+ }
 else
 echo "Unknown Operating System! Valid \$OSTYPE: linux-gnu, linux-musl, darwin* or cygwin"
 echo "Found: $OSTYPE"
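Review bot: `how_many_days_from_today` passes `$DATE_TO_COMPARE` unquoted to `date -d`, so an empty argument (as happens when the caller's NotAfter is missing) turns the command into `date -d +%s`, which fails and leaves `DAYS_TO` computed from an empty string; quote it as `DATE_IN_DAYS=$(date -d "$DATE_TO_COMPARE" +%s)` and return non-zero when `date` fails so the caller can tell. The four assignments in the body are all globals (no `local`), which leaks `DAYS_TO` and friends into the calling check's scope. The same applies to the darwin and cygwin copies in the two following hunks, which differ only in the `date` invocation; keeping one definition with a per-OS `date` wrapper would avoid three copies drifting apart.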
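Review bot: The cygwin copy of `how_many_days_from_today` subtracts in the opposite order from the linux and darwin copies, `$TODAY_IN_DAYS - $DATE_IN_DAYS`, so on cygwin a certificate expiring in 30 days reports -30, which `extra730`'s `-le $DAYS_TO_EXPIRE_THRESHOLD` comparison turns into a FAIL, while an already expired certificate reports a positive count and passes. The line should match the other two branches: `DAYS_TO=$((( $DATE_IN_DAYS - $TODAY_IN_DAYS )/60/60/24))`.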