mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 23:05:05 +00:00
24 lines
1.3 KiB
Plaintext
24 lines
1.3 KiB
Plaintext
CHECK_ID_extra74="7.4,7.04"
|
|
CHECK_TITLE_extra74="Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)"
|
|
CHECK_SCORED_extra74="NOT_SCORED"
|
|
CHECK_ALTERNATE_extra704="extra74"
|
|
CHECK_ALTERNATE_check74="extra74"
|
|
CHECK_ALTERNATE_check704="extra74"
|
|
|
|
extra74(){
|
|
# "Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)"
|
|
textTitle "$ID74" "$TITLE74" "NOT_SCORED" "EXTRA"
|
|
textNotice "Looking for Security Groups in all regions... "
|
|
for regx in $REGIONS; do
|
|
LIST_OF_SECURITYGROUPS=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters "Name=ip-permission.cidr,Values=0.0.0.0/0" --query "SecurityGroups[].[GroupId]" --output text --max-items $MAXITEMS)
|
|
for SG_ID in $LIST_OF_SECURITYGROUPS; do
|
|
SG_NO_INGRESS_FILTER=$($AWSCLI ec2 describe-network-interfaces $PROFILE_OPT --region $regx --filters "Name=group-id,Values=$SG_ID" --query "length(NetworkInterfaces)" --output text)
|
|
if [[ $SG_NO_INGRESS_FILTER -ne 0 ]];then
|
|
textWarn "$regx: $SG_ID has not ingress filtering and it is being used!" "$regx"
|
|
else
|
|
textNotice "$regx: $SG_ID has not ingress filtering but it is no being used" "$regx"
|
|
fi
|
|
done
|
|
done
|
|
}
|