ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-11 07:15:15 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
ce1058dfedb737a4e1e70f3339b7c0dc8aac2f9c
prowler/prowler
Toni de la Fuente e567ccb828 v2.2.1 with new function and Improved extra779 and extra716
2020-04-02 15:31:43 +02:00

455 lines
13 KiB
Bash
Executable File
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
#!/usr/bin/env bash
# Copyright 2018 Toni de la Fuente
# Prowler is a tool that provides automate auditing and hardening guidance of an
# AWS account. It is based on AWS-CLI commands. It follows some guidelines
# present in the CIS Amazon Web Services Foundations Benchmark at:
# https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
# Contact the author at https://blyx.com/contact
# and open issues or ask questions at https://github.com/toniblyx/prowler
# All CIS based checks in checks folder are licensed under a Creative Commons
# Attribution-NonCommercial-ShareAlike 4.0 International Public License.
# The link to the license terms can be found at
# https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode
#
# Any other piece of code is licensed as Apache License 2.0 as specified in
# each file. You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Prowler - Iron Maiden
#
# Walking through the city, looking oh so pretty
# I've just got to find my way
# See the ladies flashing
# All there legs and lashes
# I've just got to find my way...
OPTRED=""
OPTNORMAL=""
# Set the defaults variables
PROWLER_VERSION=2.2.1
PROWLER_DIR=$(dirname "$0")
REGION=""
FILTERREGION=""
MAXITEMS=100
MONOCHROME=0
MODE="text"
QUIET=0
SEP=','
KEEPCREDREPORT=0
EXITCODE=0
SCRIPT_START_TIME=$( date -u +"%Y-%m-%dT%H:%M:%S%z" )
TITLE_ID=""
TITLE_TEXT="CALLER ERROR - UNSET TITLE"
# Command usage menu
usage(){
echo "
USAGE:
`basename $0` [ -p <profile> -r <region> -h ]
Options:
-p <profile> specify your AWS profile to use (i.e.: default)
-r <region> specify an AWS region to direct API requests to
(i.e.: us-east-1), all regions are checked anyway if the check requires it
-c <check_id> specify one or multiple check ids separated by commas, to see all available checks use "-l" option
(i.e.: "check11" for check 1.1 or "extra71,extra72" for extra check 71 and extra check 72)
-g <group_id> specify a group of checks by id, to see all available group of checks use "-L"
(i.e.: "check3" for entire section 3, "level1" for CIS Level 1 Profile Definitions or "forensics-ready")
-f <filterregion> specify an AWS region to run checks against
(i.e.: us-west-1)
-m <maxitems> specify the maximum number of items to return for long-running requests (default: 100)
-M <mode> output mode: text (default), mono, json, csv (separator is ","; data is on stdout; progress on stderr)
-k keep the credential report
-n show check numbers to sort easier
(i.e.: 1.01 instead of 1.1)
-l list all available checks only (does not perform any check)
-L list all groups (does not perform any check)
-e exclude group extras
-E execute all tests except a list of specified checks separated by comma (i.e. check21,check31)
-b do not print Prowler banner
-V show version number & exit
-s show scoring report
-x specify external directory with custom checks (i.e. /my/own/checks, files must start by "check")
-q suppress info messages and passing test output
-A account id for the account where to assume a role, requires -R and -T
(i.e.: 123456789012)
-R role name to assume in the account, requires -A and -T
(i.e.: ProwlerRole)
-T session durantion given to that role credentials in seconds, default 1h (3600) recommended 12h, requires -R and -T
(i.e.: 43200)
-h this help
"
exit
}
while getopts ":hlLkqp:r:c:g:f:m:M:E:enbVsx:A:R:T:" OPTION; do
case $OPTION in
h )
usage
EXITCODE=1
exit $EXITCODE
;;
l )
PRINTCHECKSONLY=1
;;
L )
PRINTGROUPSONLY=1
;;
k )
KEEPCREDREPORT=1
;;
p )
PROFILE=$OPTARG
;;
r )
REGION_OPT=$OPTARG
;;
c )
CHECK_ID=$OPTARG
;;
g )
GROUP_ID_READ=$OPTARG
;;
f )
FILTERREGION=$OPTARG
;;
m )
MAXITEMS=$OPTARG
;;
M )
MODE=$OPTARG
;;
n )
NUMERAL=1
;;
b )
BANNER=0
;;
e )
EXTRAS=1
;;
E )
EXCLUDE_CHECK_ID=$OPTARG
;;
V )
echo "Prowler $PROWLER_VERSION"
EXITCODE=0
exit $EXITCODE
;;
s )
SCORING=1
;;
x )
EXTERNAL_CHECKS_PATH=$OPTARG
;;
q )
QUIET=1
;;
A )
ACCOUNT_TO_ASSUME=$OPTARG
;;
R )
ROLE_TO_ASSUME=$OPTARG
;;
T )
SESSION_DURATION_TO_ASSUME=$OPTARG
;;
: )
echo ""
echo "$OPTRED ERROR!$OPTNORMAL -$OPTARG requires an argument"
usage
EXITCODE=1
exit $EXITCODE
;;
? )
echo ""
echo "$OPTRED ERROR!$OPTNORMAL Invalid option"
usage
EXITCODE=1
exit $EXITCODE
;;
esac
done
# Clean up any temp files when prowler quits unexpectedly
trap "{ rm -f /tmp/prowler*.policy.*; }" EXIT
. $PROWLER_DIR/include/colors
. $PROWLER_DIR/include/os_detector
. $PROWLER_DIR/include/aws_profile_loader
. $PROWLER_DIR/include/awscli_detector
. $PROWLER_DIR/include/outputs
. $PROWLER_DIR/include/csv_header
. $PROWLER_DIR/include/banner
. $PROWLER_DIR/include/whoami
. $PROWLER_DIR/include/credentials_report
. $PROWLER_DIR/include/scoring
. $PROWLER_DIR/include/python_detector
. $PROWLER_DIR/include/secrets_detector
. $PROWLER_DIR/include/check3x
. $PROWLER_DIR/include/assume_role
. $PROWLER_DIR/include/connection_tests
# Get a list of all available AWS Regions
REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' \
--output text \
$PROFILE_OPT \
--region $REGION \
--region-names $FILTERREGION)
# Load all of the groups of checks inside groups folder named as "groupNumber*"
for group in $(ls $PROWLER_DIR/groups/group[0-9]*|grep -v groupN_sample); do
. "$group"
done
# Load all of the checks inside checks folder named as "check*"
# this includes also extra checks since they are "check_extraNN"
for checks in $(ls $PROWLER_DIR/checks/check*|grep -v check_sample); do
. "$checks"
done
# include checks if external folder is specified
if [[ $EXTERNAL_CHECKS_PATH ]]; then
for checks in $(ls $EXTERNAL_CHECKS_PATH/check*); do
. "$checks"
done
fi
# Function to show the title of the check
# using this way instead of arrays to keep bash3 (osx) and bash4(linux) compatibility
show_check_title() {
local check_id=CHECK_ID_$1
local check_title=CHECK_TITLE_$1
local check_scored=CHECK_SCORED_$1
local check_type=CHECK_TYPE_$1
textTitle "${!check_id}" "${!check_title}" "${!check_scored}" "${!check_type}"
}
# Function to show the title of a group, by numeric id
show_group_title() {
# when csv mode is used, no group tittle is shown
if [[ "$MODE" != "csv" ]]; then
textTitle "${GROUP_NUMBER[$1]}" "${GROUP_TITLE[$1]}" "NOT_SCORED" "SUPPORT"
fi
}
# Function to execute the check
execute_check() {
# See if this is an alternate name for a check
# for example, we might have been passed 1.01 which is another name for 1.1
local alternate_name_var=CHECK_ALTERNATE_$1
local alternate_name=${!alternate_name_var}
# Generate the credential report, only if it is group1 related which checks we
# run so that the checks can safely assume it's available
if [ ${alternate_name} ];then
if [[ ${alternate_name} == check1* || ${alternate_name} == extra71 ]];then
if [ ! -s $TEMP_REPORT_FILE ];then
genCredReport
saveReport
fi
fi
show_check_title ${alternate_name}
${alternate_name}
else
# Check to see if this is a real check
local check_id_var=CHECK_ID_$1
local check_id=${!check_id_var}
if [ ${check_id} ]; then
if [[ ${check_id} == 1* || ${check_id} == 7.1,7.01 || ${check_id} == 7.74 ]];then
if [ ! -s $TEMP_REPORT_FILE ];then
genCredReport
saveReport
fi
fi
show_check_title $1
$1
else
textFail "ERROR! Use a valid check name (i.e. check41 or extra71)";
exit $EXITCODE
fi
fi
}
# Function to execute all checks in a group
execute_group() {
show_group_title $1
# run the checks in the group
IFS=',' read -ra CHECKS <<< ${GROUP_CHECKS[$1]}
# Exclude any checks specified
if [[ -n ${2} ]]; then
EXCLUDED_CHECKS=()
NEW_CHECKS=()
IFS=',' read -ra EXCLUDED_CHECKS <<< "${2},"
for exc in ${EXCLUDED_CHECKS[@]} ; do
for i in ${!CHECKS[@]} ; do
[[ ${CHECKS[i]} = ${exc} ]] && unset CHECKS[i]
done
done
unset EXCLUDED_CHECKS
fi
for i in ${CHECKS[@]}; do
execute_check ${i}
done
}
# Function to execute group by name
execute_group_by_id() {
if [ "${GROUP_ID[$1]}" == "group1" ]; then
genCredReport
saveReport
fi
for i in "${!GROUP_ID[@]}"; do
if [ "${GROUP_ID[$i]}" == "$1" ]; then
execute_group ${i} $2
fi
done
}
# Function to execute all checks in all groups except extras if -e is invoked
execute_all() {
for i in "${!GROUP_TITLE[@]}"; do
if [[ $EXTRAS ]]; then
GROUP_RUN_BY_DEFAULT[7]='N'
fi
if [ "${GROUP_RUN_BY_DEFAULT[$i]}" == "Y" ]; then
execute_group $i
fi
done
}
# Function to show the titles of everything
show_all_titles() {
MAIN_GROUPS=(1 2 3 4 7)
for i in "${MAIN_GROUPS[@]}"; do
show_group_title $i
# Display the title of the checks in groups 1,2,3,4 and 7
# Any other group has checks in these groups
IFS=',' read -ra CHECKS <<< ${GROUP_CHECKS[$i]}
for j in ${CHECKS[@]}; do
show_check_title $j
done
done
}
show_all_group_titles() {
for i in "${!GROUP_TITLE[@]}"; do
show_group_title $i
done
}
# Function to execute all checks but exclude some of them
get_all_checks_without_exclusion() {
CHECKS_EXCLUDED=()
local CHECKS_TO_EXCLUDE=()
local TOTAL_CHECKS=()
#Get a list of checks to exclude
IFS=',' read -ra E_CHECKS <<< "$1"
for E_CHECK in "${E_CHECKS[@]}"; do
CHECKS_TO_EXCLUDE+=($E_CHECK)
done
#Get a list of total checks available by ID
for i in "${!GROUP_TITLE[@]}"; do
#show_group_title $i
IFS=',' read -ra CHECKS <<< ${GROUP_CHECKS[$i]}
for j in ${CHECKS[@]}; do
TOTAL_CHECKS+=($CHECK_ID_$j)
done
done
TOTAL_CHECKS=($(echo "${TOTAL_CHECKS[*]}" | tr ' ' '\n' | sort -u)) #removes duplicate and store the result as an array
#Create a list that contains all checks but excluded ones
for i in "${TOTAL_CHECKS[@]}"; do
local COINCIDENCE=false
for x in "${CHECKS_TO_EXCLUDE[@]}"; do
if [[ "$i" == "$x" ]]; then
COINCIDENCE=true
fi
done
if [[ "$COINCIDENCE" = false ]]; then
CHECKS_EXCLUDED+=($i)
fi
done
}
### All functions defined above ... run the workflow
if [[ $MODE != "csv" ]]; then
prowlerBanner
fi
# List only check tittles
if [[ $PRINTCHECKSONLY == "1" ]]; then
show_all_titles
exit $EXITCODE
fi
# List only group tittles
if [[ $PRINTGROUPSONLY == "1" ]]; then
show_all_group_titles
exit $EXITCODE
fi
# Check that jq is installed for JSON output
if [[ $MODE == "json" ]]; then
. $PROWLER_DIR/include/jq_detector
fi
# Gather account data / test aws cli connectivity
getWhoami
# Execute group of checks if called with -g
if [[ $GROUP_ID_READ ]];then
if [[ " ${GROUP_ID[@]} " =~ " ${GROUP_ID_READ} " ]]; then
if [[ $MODE == "csv" ]]; then
BANNER=0
fi
execute_group_by_id ${GROUP_ID_READ} ${EXCLUDE_CHECK_ID}
cleanTemp
scoring
exit $EXITCODE
else
textFail "Use a valid check group ID i.e.: group1, extras, forensics-ready, etc."
show_all_group_titles
exit $EXITCODE
fi
fi
# Get a list of total checks excluding a list provided by the user and overwrite CHECK_ID with the result
# if the list provided by the user contains an invalid check, this will be discarded.
# if the list provided by the user contains just one argument and is invalid, then it will be discarded and all tests will be executed
if [[ ${EXCLUDE_CHECK_ID} ]];then
get_all_checks_without_exclusion ${EXCLUDE_CHECK_ID}
function join { local IFS="$1"; shift; echo "$*"; }
CHECKS_EXCLUDED=$(join , "${CHECKS_EXCLUDED[@]}")
CHECK_ID=${CHECKS_EXCLUDED}
fi
# Execute single check if called with -c
if [[ $CHECK_ID ]];then
IFS=',' read -ra CHECKS <<< "$CHECK_ID"
for CHECK in "${CHECKS[@]}"; do
execute_check $CHECK
done
cleanTemp
exit $EXITCODE
fi
if [[ $ACCOUNT_TO_ASSUME ]]; then
# unset env variables with assumed role credentials
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN
fi
execute_all
scoring
cleanTemp
exit $EXITCODE
Reference in New Issue View Git Blame Copy Permalink