From af38286a155cf3337b22212aa2e82ebe8eea4b73 Mon Sep 17 00:00:00 2001 From: Shubham Shah <82979155+ShubhamShah11@users.noreply.github.com> Date: Mon, 20 Sep 2021 17:06:33 -0400 Subject: [PATCH 01/10] Create check_extra7154 --- checks/check_extra7154 | 1 + 1 file changed, 1 insertion(+) create mode 100644 checks/check_extra7154 diff --git a/checks/check_extra7154 b/checks/check_extra7154 new file mode 100644 index 0000000000..8b13789179 --- /dev/null +++ b/checks/check_extra7154 @@ -0,0 +1 @@ + From 7d79532c1ff2d0a91a817c4fdaad14c7df3baa95 Mon Sep 17 00:00:00 2001 From: Shubham Shah <82979155+ShubhamShah11@users.noreply.github.com> Date: Mon, 20 Sep 2021 17:20:13 -0400 Subject: [PATCH 02/10] Adding check_extra7154 --- checks/check_extra7154 | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/checks/check_extra7154 b/checks/check_extra7154 index 8b13789179..76e5f50893 100644 --- a/checks/check_extra7154 +++ b/checks/check_extra7154 
@@ -1 +1,35 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +# +# Remediation: +# +# https://docs.aws.amazon.com/cli/latest/reference/cloudformation/update-termination-protection.html +# +# aws cloudformation update-termination-protection \ +# --stack-name my-stack \ +# --enable-termination-protection + +CHECK_ID_extra7154="7.154" +CHECK_TITLE_extra7154="[extra7154] Enable termination protection for Cloudformation Stacks" +CHECK_SCORED_extra7154="NOT_SCORED" +CHECK_TYPE_extra7154="EXTRA" +CHECK_SEVERITY_extra7154="LOW" +CHECK_ASFF_RESOURCE_TYPE_extra7154="AwsCloudFormationStack" +CHECK_ALTERNATE_check7154="extra7154" +CHECK_SERVICENAME_extra7154="cloudformation" +CHECK_RISK_extra7154='Without termination protection enabled, a critical cloudformation stack can be accidently deleted.' +CHECK_REMEDIATION_extra7154='Ensure termination protection is enabled for the cloudformation stacks' +CHECK_DOC_extra7154='https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-protect-stacks.html' +CHECK_CAF_EPIC_extra7154='Infrastructure Protection' + From c6c730a81e80e9e3789e674b48a82d6e1a3b27b0 Mon Sep 17 00:00:00 2001 From: Shubham Shah <82979155+ShubhamShah11@users.noreply.github.com> Date: Mon, 20 Sep 2021 17:21:19 -0400 Subject: [PATCH 03/10] Update check_extra7154 --- checks/check_extra7154 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
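Review bot: The user-facing CHECK_RISK string on the new side misspells "accidentally" as "accidently", and the same line is re-edited in PATCH 10 (comma changed to a semicolon) without fixing it; the corrected line is `CHECK_RISK_extra7154='Without termination protection enabled, a critical CloudFormation stack can be accidentally deleted.'`. While here, the service name is written "Cloudformation" in CHECK_TITLE, CHECK_RISK and CHECK_REMEDIATION (and in the textPass/textFail messages added in PATCH 04), so report output would read consistently with the AWS product name if those were aligned to "CloudFormation" as well.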
diff --git a/checks/check_extra7154 b/checks/check_extra7154 index 76e5f50893..472064320c 100644 --- a/checks/check_extra7154 +++ b/checks/check_extra7154 @@ -23,7 +23,7 @@ CHECK_ID_extra7154="7.154" CHECK_TITLE_extra7154="[extra7154] Enable termination protection for Cloudformation Stacks" CHECK_SCORED_extra7154="NOT_SCORED" CHECK_TYPE_extra7154="EXTRA" -CHECK_SEVERITY_extra7154="LOW" +CHECK_SEVERITY_extra7154="MEDIUM" CHECK_ASFF_RESOURCE_TYPE_extra7154="AwsCloudFormationStack" CHECK_ALTERNATE_check7154="extra7154" CHECK_SERVICENAME_extra7154="cloudformation" From 6201a2a3fbe345535ce12c689c7730635a69aa18 Mon Sep 17 00:00:00 2001 From: Shubham Shah <82979155+ShubhamShah11@users.noreply.github.com> Date: Mon, 20 Sep 2021 19:02:28 -0400 Subject: [PATCH 04/10] Update check_extra7154 --- checks/check_extra7154 | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/checks/check_extra7154 b/checks/check_extra7154 index 472064320c..eb57130337 100644 --- a/checks/check_extra7154 +++ b/checks/check_extra7154 
@@ -32,4 +32,22 @@ CHECK_REMEDIATION_extra7154='Ensure termination protection is enabled for the cl CHECK_DOC_extra7154='https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-protect-stacks.html' CHECK_CAF_EPIC_extra7154='Infrastructure Protection' - +extra7154() { + for regx in $REGIONS; do + CFN_STACKS=$($AWSCLI cloudformation describe-stacks $PROFILE_OPT --region $regx --output json) + LIST_OF_CFN_STACKS=$(echo $CFN_STACKS | jq -r '.Stacks[].StackName') + if [[ $LIST_OF_CFN_STACKS ]];then + for stack in $LIST_OF_CFN_STACKS; do + CFN_STACK_DETAILS=$($AWSCLI cloudformation describe-stacks $PROFILE_OPT --region $regx --stack-name $stack --output json) + TERMINATION_ENABLED=echo $CFN_STACK_DETAILS | jq -r '.Stacks[] | select( .EnableTerminationProtection == true )' + if [[ $TERMINATION_ENABLED ]]; then + textPass "$regx: Cloudformation stack $stack has termination protection enabled" "$regx" "$stack" + else + textFail "$regx: Cloudformation stack $stack has termination protection disabled" "$regx" "$stack" + fi + done + else + textInfo "$regx: No Cloudformation stacks found" "$regx" + fi + done +} From ff3ef0b8c07adc353720a470ebf0cb7a0821c189 Mon Sep 17 00:00:00 2001 From: Shubham Shah <82979155+ShubhamShah11@users.noreply.github.com> Date: Mon, 20 Sep 2021 19:11:23 -0400 Subject: [PATCH 05/10] Update check_extra7154 --- checks/check_extra7154 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/checks/check_extra7154 b/checks/check_extra7154 index eb57130337..c44787c173 100644 --- a/checks/check_extra7154 +++ b/checks/check_extra7154 
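Review bot: A describe-stacks call that fails (missing permission, throttling, a region the account has not opted into) leaves CFN_STACKS empty, so the region is reported through textInfo as "No Cloudformation stacks found" and the failure never surfaces; the per-stack describe-stacks call has the same silent fall-through, which after the PATCH 05 fix lands in the textFail branch as "disabled". The command's exit status is available and should gate the parsing, so that an API error is reported as such rather than as an empty or failing result. The `echo $CFN_STACKS | jq` form is also unquoted, so any `*` or `?` inside the returned JSON (stack descriptions, outputs, tags) is subject to pathname expansion before jq sees it; feeding the variable to jq through a quoted here-string avoids that. The whole extra7154 function is inside this hunk.
```shell
extra7154() {
  for regx in $REGIONS; do
    if ! CFN_STACKS=$($AWSCLI cloudformation describe-stacks $PROFILE_OPT --region $regx --output json 2>/dev/null); then
      textInfo "$regx: unable to describe CloudFormation stacks (API call failed)" "$regx"
      continue
    fi
    LIST_OF_CFN_STACKS=$(jq -r '.Stacks[].StackName' <<<"$CFN_STACKS")
    # … unchanged: per-stack loop and textPass/textFail/textInfo reporting …
```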
@@ -39,8 +39,8 @@ extra7154() { if [[ $LIST_OF_CFN_STACKS ]];then for stack in $LIST_OF_CFN_STACKS; do CFN_STACK_DETAILS=$($AWSCLI cloudformation describe-stacks $PROFILE_OPT --region $regx --stack-name $stack --output json) - TERMINATION_ENABLED=echo $CFN_STACK_DETAILS | jq -r '.Stacks[] | select( .EnableTerminationProtection == true )' - if [[ $TERMINATION_ENABLED ]]; then + TERMINATION_ENABLED=$(echo $CFN_STACK_DETAILS | jq -r '.Stacks[].EnableTerminationProtection') + if [[ $TERMINATION_ENABLED == "true" ]]; then textPass "$regx: Cloudformation stack $stack has termination protection enabled" "$regx" "$stack" else textFail "$regx: Cloudformation stack $stack has termination protection disabled" "$regx" "$stack" From 052a36207cb3455c3e98115babe268f8c3274d5a Mon Sep 17 00:00:00 2001 From: Shubham Shah <82979155+ShubhamShah11@users.noreply.github.com> Date: Mon, 20 Sep 2021 20:06:48 -0400 Subject: [PATCH 06/10] Update check_extra7154 --- checks/check_extra7154 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/checks/check_extra7154 b/checks/check_extra7154 index c44787c173..4c2ff3aaa4 100644 --- a/checks/check_extra7154 +++ b/checks/check_extra7154 
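Review bot: The per-stack `describe-stacks --stack-name` call on the context line above the fixed assignment repeats a request for data the region-level call has already returned into CFN_STACKS: both calls are read through the same `.Stacks[]` path, so EnableTerminationProtection (and RootId, added in PATCH 06) can presumably be taken from that JSON instead, which removes one API call per stack and the throttling exposure that comes with it in large accounts — worth confirming against the describe-stacks response before relying on it. The replacement line would be `TERMINATION_ENABLED=$(jq -r --arg s "$stack" '.Stacks[] | select(.StackName == $s) | .EnableTerminationProtection' <<<"$CFN_STACKS")`, after which CFN_STACK_DETAILS is no longer needed. The extra7154 function starts and ends outside this hunk.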
@@ -40,7 +40,10 @@ extra7154() { for stack in $LIST_OF_CFN_STACKS; do CFN_STACK_DETAILS=$($AWSCLI cloudformation describe-stacks $PROFILE_OPT --region $regx --stack-name $stack --output json) TERMINATION_ENABLED=$(echo $CFN_STACK_DETAILS | jq -r '.Stacks[].EnableTerminationProtection') - if [[ $TERMINATION_ENABLED == "true" ]]; then + ROOT_ID=$(echo $CFN_STACK_DETAILS | jq -r '.Stacks[].RootId') + if [[ $ROOT_ID != null && $TERMINATION_ENABLED == "false" ]]; then + textFail "$regx: $stack is a nested stack, enable termination protection on the root stack $ROOT_ID" "$regx" "$stack" "$ROOT_ID" + elif [[ $TERMINATION_ENABLED == "true" ]]; then textPass "$regx: Cloudformation stack $stack has termination protection enabled" "$regx" "$stack" else textFail "$regx: Cloudformation stack $stack has termination protection disabled" "$regx" "$stack" From 73c65cf323472881eee089dc9fa9441e635f8bff Mon Sep 17 00:00:00 2001 From: Shubham Shah <82979155+ShubhamShah11@users.noreply.github.com> Date: Mon, 20 Sep 2021 20:07:43 -0400 Subject: [PATCH 07/10] Update group7_extras --- groups/group7_extras | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/groups/group7_extras b/groups/group7_extras index 5c2b7010bd..282a410ead 100644 --- a/groups/group7_extras +++ b/groups/group7_extras 
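Review bot: The `$ROOT_ID != null` test works only because `jq -r` prints the literal string null when RootId is absent, which is easy to misread as a shell null check; a comment on that line would help: `# jq -r prints the literal "null" when RootId is absent, i.e. the stack is not nested`. The new branch also only catches nested stacks whose value is exactly "false": if EnableTerminationProtection came back empty for a nested stack (for example a failed per-stack call), the chain falls through to the final textFail and reports it as a plain disabled stack instead of pointing at the root stack. Treating an empty TERMINATION_ENABLED as an error before this if/elif chain would keep the two cases apart. The extra7154 function starts and ends outside this hunk.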
@@ -15,7 +15,7 @@ GROUP_ID[7]='extras' GROUP_NUMBER[7]='7.0' GROUP_TITLE[7]='Extras - all non CIS specific checks - [extras] ****************' GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called -GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100,extra7101,extra7102,extra7103,extra7104,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110,extra7111,extra7112,extra7113,extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122,extra7123,extra7124,extra7125,extra7126,extra7127,extra7128,extra7129,extra7130,extra7131,extra7132,extra7133,extra7134,extra7135,extra7136,extra7137,extra7138,extra7139,extra7140,extra7141,extra7142,extra7143,extra7144,extra7145,extra7146,extra7147' 
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100,extra7101,extra7102,extra7103,extra7104,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110,extra7111,extra7112,extra7113,extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122,extra7123,extra7124,extra7125,extra7126,extra7127,extra7128,extra7129,extra7130,extra7131,extra7132,extra7133,extra7134,extra7135,extra7136,extra7137,extra7138,extra7139,extra7140,extra7141,extra7142,extra7143,extra7144,extra7145,extra7146,extra7147,extra7154' # Extras 759 and 760 (lambda variables and code secrets finder are not included) # to run detect-secrets use `./prowler -g secrets` From 7c0d53a0e652185563fe0a07a292886020572410 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Thu, 23 Sep 2021 10:16:26 +0200 Subject: [PATCH 08/10] Delete group7_extras --- groups/group7_extras | 27 --------------------------- 1 file changed, 27 deletions(-) delete mode 100644 groups/group7_extras diff --git a/groups/group7_extras b/groups/group7_extras deleted file mode 100644 index 282a410ead..0000000000 --- a/groups/group7_extras +++ /dev/null 
@@ -1,27 +0,0 @@ -#!/usr/bin/env bash - -# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may not -# use this file except in compliance with the License. You may obtain a copy -# of the License at http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software distributed -# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR -# CONDITIONS OF ANY KIND, either express or implied. See the License for the -# specific language governing permissions and limitations under the License. - -GROUP_ID[7]='extras' -GROUP_NUMBER[7]='7.0' -GROUP_TITLE[7]='Extras - all non CIS specific checks - [extras] ****************' -GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called -GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100,extra7101,extra7102,extra7103,extra7104,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110,extra7111,extra7112,extra7113,extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122,extra7123,extra7124,extra7125,extra7126,extra7127,extra7128,extra7129,ex
tra7130,extra7131,extra7132,extra7133,extra7134,extra7135,extra7136,extra7137,extra7138,extra7139,extra7140,extra7141,extra7142,extra7143,extra7144,extra7145,extra7146,extra7147,extra7154' - -# Extras 759 and 760 (lambda variables and code secrets finder are not included) -# to run detect-secrets use `./prowler -g secrets` - -# Extras 789 and 790 VPC trust boundaries are not included by default in Extras -# to run trust-boundaries use `./prowler -g trustboundaries` -# read more in https://github.com/toniblyx/prowler/#trust-boundaries-checks - - From 44d40e4f0d4477a77c26383fbf499eedc3dd55fa Mon Sep 17 00:00:00 2001 From: Shubham Shah <82979155+ShubhamShah11@users.noreply.github.com> Date: Tue, 28 Sep 2021 16:34:44 -0400 Subject: [PATCH 09/10] Update check_extra7154 --- checks/check_extra7154 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checks/check_extra7154 b/checks/check_extra7154 index 4c2ff3aaa4..9a38bd467b 100644 --- a/checks/check_extra7154 +++ b/checks/check_extra7154 @@ -42,7 +42,7 @@ extra7154() { TERMINATION_ENABLED=$(echo $CFN_STACK_DETAILS | jq -r '.Stacks[].EnableTerminationProtection') ROOT_ID=$(echo $CFN_STACK_DETAILS | jq -r '.Stacks[].RootId') if [[ $ROOT_ID != null && $TERMINATION_ENABLED == "false" ]]; then - textFail "$regx: $stack is a nested stack, enable termination protection on the root stack $ROOT_ID" "$regx" "$stack" "$ROOT_ID" + textInfo "$regx: $stack is a nested stack, enable termination protection on the root stack $ROOT_ID" "$regx" "$stack" "$ROOT_ID" elif [[ $TERMINATION_ENABLED == "true" ]]; then textPass "$regx: Cloudformation stack $stack has termination protection enabled" "$regx" "$stack" else From f74414532dd598be3e8e13642da8404d6ba850bd Mon Sep 17 00:00:00 2001 From: Shubham Shah <82979155+ShubhamShah11@users.noreply.github.com> Date: Fri, 1 Oct 2021 11:14:26 -0400 Subject: [PATCH 10/10] Update check_extra7154 --- checks/check_extra7154 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/checks/check_extra7154 b/checks/check_extra7154 index 9a38bd467b..0b7394beaa 100644 --- a/checks/check_extra7154 +++ b/checks/check_extra7154 @@ -27,7 +27,7 @@ CHECK_SEVERITY_extra7154="MEDIUM" CHECK_ASFF_RESOURCE_TYPE_extra7154="AwsCloudFormationStack" CHECK_ALTERNATE_check7154="extra7154" CHECK_SERVICENAME_extra7154="cloudformation" -CHECK_RISK_extra7154='Without termination protection enabled, a critical cloudformation stack can be accidently deleted.' +CHECK_RISK_extra7154='Without termination protection enabled; a critical cloudformation stack can be accidently deleted.' CHECK_REMEDIATION_extra7154='Ensure termination protection is enabled for the cloudformation stacks' CHECK_DOC_extra7154='https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-protect-stacks.html' CHECK_CAF_EPIC_extra7154='Infrastructure Protection' @@ -42,7 +42,7 @@ extra7154() { TERMINATION_ENABLED=$(echo $CFN_STACK_DETAILS | jq -r '.Stacks[].EnableTerminationProtection') ROOT_ID=$(echo $CFN_STACK_DETAILS | jq -r '.Stacks[].RootId') if [[ $ROOT_ID != null && $TERMINATION_ENABLED == "false" ]]; then - textInfo "$regx: $stack is a nested stack, enable termination protection on the root stack $ROOT_ID" "$regx" "$stack" "$ROOT_ID" + textInfo "$regx: $stack is a nested stack. Enable termination protection on the root stack $ROOT_ID" "$regx" "$stack" "$ROOT_ID" elif [[ $TERMINATION_ENABLED == "true" ]]; then textPass "$regx: Cloudformation stack $stack has termination protection enabled" "$regx" "$stack" else