mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 23:05:05 +00:00
4287b7ac61
* check empty array in SECURITYGROUPS object Logic is only checking an object to see if it is null. This should be checking for the array in the object to see if it is empty. * Replace new conditional with the old one * Update check_extra75 Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
60 lines
3.0 KiB
Bash
60 lines
3.0 KiB
Bash
#!/usr/bin/env bash
|
|
|
|
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
|
# use this file except in compliance with the License. You may obtain a copy
|
|
# of the License at http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software distributed
|
|
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
|
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
|
# specific language governing permissions and limitations under the License.
|
|
CHECK_ID_extra75="7.5"
|
|
CHECK_TITLE_extra75="[extra75] Ensure there are no Security Groups not being used"
|
|
CHECK_SCORED_extra75="NOT_SCORED"
|
|
CHECK_CIS_LEVEL_extra75="EXTRA"
|
|
CHECK_SEVERITY_extra75="Informational"
|
|
CHECK_ASFF_RESOURCE_TYPE_extra75="AwsEc2SecurityGroup"
|
|
CHECK_ALTERNATE_extra705="extra75"
|
|
CHECK_ALTERNATE_check75="extra75"
|
|
CHECK_ALTERNATE_check705="extra75"
|
|
CHECK_ASFF_COMPLIANCE_TYPE_extra75="ens-mp.com.4.aws.sg.3"
|
|
CHECK_SERVICENAME_extra75="ec2"
|
|
CHECK_RISK_extra75='Having clear definition and scope for Security Groups creates a better administration environment.'
|
|
CHECK_REMEDIATION_extra75='List all the security groups and then use the cli to check if they are attached to an instance.'
|
|
CHECK_DOC_extra75='https://aws.amazon.com/premiumsupport/knowledge-center/ec2-find-security-group-resources/'
|
|
CHECK_CAF_EPIC_extra75='Infrastructure Security'
|
|
|
|
extra75(){
|
|
# "Ensure there are no Security Groups not being used "
|
|
for regx in $REGIONS; do
|
|
SECURITYGROUPS=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --max-items $MAXITEMS --output json 2>&1 )
|
|
if [[ $(echo "$SECURITYGROUPS" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
|
|
textInfo "$regx: Access Denied trying to describe security groups" "$regx"
|
|
continue
|
|
fi
|
|
if [[ $(echo "$SECURITYGROUPS" | jq '."SecurityGroups" | length') -eq 0 ]]; then
|
|
textInfo "$regx: No Security Groups found in $regx" "$regx"
|
|
continue
|
|
fi
|
|
SECURITYGROUP_NAMES=$(echo $SECURITYGROUPS | jq '.SecurityGroups|map({(.GroupId): (.GroupName)})|add')
|
|
LIST_OF_SECURITYGROUPS=$(echo $SECURITYGROUP_NAMES | jq -r 'to_entries|sort_by(.key)|.[]|.key')
|
|
for SG_ID in $LIST_OF_SECURITYGROUPS; do
|
|
SG_NOT_USED=$($AWSCLI ec2 describe-network-interfaces $PROFILE_OPT --region $regx --filters "Name=group-id,Values=$SG_ID" --query "length(NetworkInterfaces)" --output text)
|
|
# Default security groups can not be deleted, so draw attention to them
|
|
if [[ $SG_NOT_USED -eq 0 ]];then
|
|
GROUP_NAME=$(echo $SECURITYGROUP_NAMES | jq -r --arg id $SG_ID '.[$id]')
|
|
if [[ $GROUP_NAME != "default" ]];
|
|
then
|
|
textFail "$regx: $SG_ID is not being used!" "$regx" "$SG_ID"
|
|
else
|
|
textInfo "$regx: $SG_ID is not being used - default security group" "$regx" "$SG_ID"
|
|
fi
|
|
else
|
|
textPass "$regx: $SG_ID is being used" "$regx" "$SG_ID"
|
|
fi
|
|
done
|
|
done
|
|
}
|