prowler/include/check3x

#!/usr/bin/env bash

# Prowler - the handy cloud security tool (c) by Toni de la Fuente
#
# This Prowler check is licensed under a
# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
#
# You should have received a copy of the license along with this
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.

check3x(){
  grep_filter=$1
  local CHECK_OK
  local CHECK_WARN
  local CHECK_CROSS_ACCOUNT_WARN

  # In order to make all these checks work properly logs and alarms have to
  # be based only on CloudTrail tail with CloudWatchLog configuration.
  DESCRIBE_TRAILS_CACHE=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[?CloudWatchLogsLogGroupArn != `null`]' 2>&1)
  if [[ $(echo "$DESCRIBE_TRAILS_CACHE" | grep AccessDenied) ]]; then
    textInfo "$REGION: Access Denied trying to describe trails in $REGION"  "$REGION"
    return
  fi

  TRAIL_LIST=$(echo $DESCRIBE_TRAILS_CACHE | jq -r -c '.[] |@base64') # this treats each array element as its own line
  CURRENT_ACCOUNT_ID=$($AWSCLI sts $PROFILE_OPT get-caller-identity --region "$REGION" --query Account --output text)
  CLOUDWATCH_LOGGROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text| tr '\011' '\012' | awk -F: '{print $7}')

  if [[ $CLOUDWATCH_LOGGROUP != "" ]]; then
    pass_count=0
    for group_obj_enc in $TRAIL_LIST; do

      group_obj_raw=$(echo $group_obj_enc | decode_report)

      CLOUDWATCH_LOGGROUP_NAME=$(echo $group_obj_raw | jq -r '.CloudWatchLogsLogGroupArn|split(":")[6]')
      CLOUDWATCH_LOGGROUP_REGION=$(echo $group_obj_raw | jq -r '.CloudWatchLogsLogGroupArn|split(":")[3]')
      CLOUDWATCH_LOGGROUP_ACCOUNT=$(echo $group_obj_raw | jq -r '.CloudWatchLogsLogGroupArn|split(":")[4]')

      if [ "$CLOUDWATCH_LOGGROUP_ACCOUNT" == "$CURRENT_ACCOUNT_ID" ];then
        # Filter control and whitespace from .metricFilters[*].filterPattern for easier matching later
        METRICFILTER_CACHE=$($AWSCLI logs describe-metric-filters --log-group-name "$CLOUDWATCH_LOGGROUP_NAME" $PROFILE_OPT --region "$CLOUDWATCH_LOGGROUP_REGION"|jq '.metricFilters|=map(.filterPattern|=gsub("[[:space:]]+"; " "))')
        METRICFILTER_SET=$(echo $METRICFILTER_CACHE | jq -r --arg re "$grep_filter" '.metricFilters[]|select(.filterPattern|test($re))|.filterName')
      fi
      if [[ $METRICFILTER_SET ]];then
        for metric in $METRICFILTER_SET; do
          metric_name=$(echo $METRICFILTER_CACHE | jq -r --arg name $metric '.metricFilters[]|select(.filterName==$name)|.metricTransformations[0].metricName')
          HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region "$CLOUDWATCH_LOGGROUP_REGION" --query 'MetricAlarms[?MetricName==`'"$metric_name"'`]' --output text)
          if [[ $HAS_ALARM_ASSOCIATED ]];then
            CHECK_OK="$CHECK_OK $CLOUDWATCH_LOGGROUP_NAME:$metric"
            pass_count=$((pass_count + 1))
          else
            CHECK_WARN="$CHECK_WARN $CLOUDWATCH_LOGGROUP_NAME:$metric"
          fi
        done
      elif [ "$CLOUDWATCH_LOGGROUP_ACCOUNT" == "$CURRENT_ACCOUNT_ID" ];then
        CHECK_WARN="$CHECK_WARN $CLOUDWATCH_LOGGROUP_NAME"
      else
        CHECK_CROSS_ACCOUNT_WARN="$CHECK_CROSS_ACCOUNT_WARN $CLOUDWATCH_LOGGROUP_NAME"
      fi
    done

    if [[ $CHECK_OK ]]; then
      for group in $CHECK_OK; do
        metric=${group#*:}
        group=${group%:*}
        textPass "$REGION: CloudWatch group $group found with metric filter $metric and alarms set" "$REGION" "$group"
      done
    fi
    if [[ $CHECK_WARN ]]; then
      for group in $CHECK_WARN; do
        case $group in
           *:*) metric=${group#*:}
                group=${group%:*}
                if [[ $pass_count == 0 ]]; then
                  textFail "$REGION: CloudWatch group $group found with metric filter $metric but no alarms associated" "$REGION" "$group"
                else
                  textInfo "$REGION: CloudWatch group $group found with metric filter $metric but no alarms associated" "$REGION" "$group"
                fi
                ;;
             *) if [[ $pass_count == 0 ]]; then
                  textFail "$REGION: CloudWatch group $group found but no metric filters or alarms associated" "$REGION" "$group"
                else
                  textInfo "$REGION: CloudWatch group $group found but no metric filters or alarms associated" "$REGION" "$group"
                fi
                ;;
        esac
      done
    fi
    if [[ $CHECK_CROSS_ACCOUNT_WARN ]]; then
      for group in $CHECK_CROSS_ACCOUNT_WARN; do
        textInfo "$REGION: CloudWatch group $group is not in this account" "$REGION" "$group"
      done
    fi
  else
    textFail "$REGION: No CloudWatch group found for CloudTrail events" "$REGION"
  fi
}