prowler/checks/check_extra716

#!/usr/bin/env bash

# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra716="7.16"
CHECK_TITLE_extra716="[extra716] Check if Amazon Elasticsearch Service (ES) domains are set as Public and have cross account access"
CHECK_SCORED_extra716="NOT_SCORED"
CHECK_TYPE_extra716="EXTRA"
CHECK_ALTERNATE_check716="extra716"

extra716(){
  # if TEST_AUTHENTICATION has a value Prowler will try to access each ElasticSearch server to the public URI endpoint.
  # That is from the host where Prowler is running and will try to read indices or get kibana status
  TEST_ES_AUTHENTICATION=1
  httpStatus(){
    case $1 in 
      000) SERVER_RESPONSE="000 Not responding" ;;
      200) SERVER_RESPONSE="200 Successful" ;;
      400) SERVER_RESPONSE="400 Error: Bad Request" ;;
      401) SERVER_RESPONSE="401 Error: Unauthorized" ;;
      403) SERVER_RESPONSE="403 Error: Forbidden" ;;
      404) SERVER_RESPONSE="404 Error: Not Found" ;;
      407) SERVER_RESPONSE="407 Error: Proxy Authentication Required" ;;
      408) SERVER_RESPONSE="408 Error: Request Timeout" ;;
      500) SERVER_RESPONSE="500 Error: Internal Server Error" ;;
      502) SERVER_RESPONSE="502 Error: Bad Gateway" ;;
      503) SERVER_RESPONSE="503 Error: Service Unavailable" ;;
      504) SERVER_RESPONSE="504 Error: Gateway Timeout" ;;
      505) SERVER_RESPONSE="505 Error: HTTP Version Not Supported" ;;
      *)   SERVER_RESPONSE="HTTP: status not defined." ;;
    esac
  }

  # "Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)"
  for regx in $REGIONS; do
    LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text)
    if [[ $LIST_OF_DOMAINS ]]; then
      for domain in $LIST_OF_DOMAINS;do
        TEMP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-es-domain.policy.XXXXXXXXXX)
        $AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.AccessPolicies.Options --output text > $TEMP_POLICY_FILE 2> /dev/null
        # check if the policy has Principal as *
        CHECK_ES_DOMAIN_ALLUSERS_POLICY=$(cat $TEMP_POLICY_FILE | jq -r '. | .Statement[] | select(.Effect == "Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and .Condition == null)')
        if [[ $CHECK_ES_DOMAIN_ALLUSERS_POLICY ]];then
          if [[ $TEST_ES_AUTHENTICATION ]];then
            # get endpoint or vpc endpoints
            ES_DOMAIN_ENDPOINT=$($AWSCLI es describe-elasticsearch-domain --domain-name $domain $PROFILE_OPT --region $regx --query 'DomainStatus.[Endpoint || Endpoints]' --output text)

            # check for Elasticsearch on port 443, rest API HTTP.
            CHECH_ES_HTTPS=$(curl -m 2 -s -w "%{http_code}" -o /dev/null -X GET "https://$ES_DOMAIN_ENDPOINT/_cat/indices")
            httpStatus $CHECH_ES_HTTPS
            if [[ $CHECH_ES_HTTPS -eq "200" ]];then 
              textFail "$regx: Amazon ES domain $domain policy allow Anonymous cross account access (Principal: \"*\") and ES service endpoint $ES_DOMAIN_ENDPOINT responded $SERVER_RESPONSE" "$regx"
            else
              textInfo "$regx: Amazon ES domain $domain policy allow Anonymous cross account access (Principal: \"*\") but ES service endpoint $ES_DOMAIN_ENDPOINT responded $SERVER_RESPONSE" "$regx"
            fi 
            # check for Kibana on port 443
            CHECH_KIBANA_HTTPS=$(curl -m 2 -s -w "%{http_code}" -o /dev/null -X GET "https://$ES_DOMAIN_ENDPOINT/_plugin/kibana/api/status")
            httpStatus $CHECH_KIBANA_HTTPS
            if [[ $CHECH_KIBANA_HTTPS -eq "200" ]];then
              textFail "$regx: Amazon ES domain $domain policy allow Anonymous cross account access (Principal: \"*\") and Kibana service endpoint $ES_DOMAIN_ENDPOINT responded $SERVER_RESPONSE" "$regx"
            else
              textInfo "$regx: Amazon ES domain $domain policy allow Anonymous cross account access (Principal: \"*\") but Kibana service endpoint $ES_DOMAIN_ENDPOINT responded $SERVER_RESPONSE" "$regx"
            fi  
          else 
            textFail "$regx: Amazon ES domain $domain policy allow Anonymous cross account access (Principal: \"*\")" "$regx"
          fi 
        else
          textPass "$regx: Amazon ES domain $domain does not allow Anonymous cross account access" "$regx"
        fi
        rm -f $TEMP_POLICY_FILE
      done
    else
      textInfo "$regx: No Amazon ES domain found" "$regx"
    fi
  done
}