Support whitelists per check

prowler-cloud · Mar 11, 2020 · 56a4fd8 · 56a4fd8
1 parent 530baca
commit 56a4fd8
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 8 deletions.
diff --git a/include/outputs b/include/outputs
@@ -104,15 +104,29 @@ textInfo(){
 }
 
 textFail(){
-  FAIL_COUNTER=$((FAIL_COUNTER+1))
-  EXITCODE=3
+  ## ignore whitelists for current check
+  level="FAIL"
+  for i in $IGNORES; do
+    ignore_value="${i#*${CHECK_NAME}:}"
+    if [[ $1 =~ ${ignore_value} ]]; then
+      level="WARNING"
+      break
+    fi
+  done
+
+  # only set non-0 exit code on FAIL mode, WARN is ok
+  if [[ "$level" == "FAIL" ]]; then
+    FAIL_COUNTER=$((FAIL_COUNTER+1))
+    EXITCODE=3
+  fi
+
   if [[ "$MODE" == "csv" ]]; then
     if [[ $2 ]]; then
       REPREGION=$2
     else
       REPREGION=$REGION
     fi
-    echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}FAIL${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1"
+    echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}${level}${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1"
   elif [[ "$MODE" == "json" ]]; then
     if [[ $2 ]]; then
       REPREGION=$2
@@ -128,7 +142,7 @@ textFail(){
     --arg ITEM_LEVEL "$ITEM_LEVEL" \
     --arg TITLE_ID "$TITLE_ID" \
     --arg REPREGION "$REPREGION" \
-    --arg TIMESTAMP $(date -u +"%Y-%m-%dT%H:%M:%SZ") \
+    --arg TIMESTAMP "$(date -u +"%Y-%m-%dT%H:%M:%SZ")" \
     -n '{
       "Profile": $PROFILE,
       "Account Number": $ACCOUNT_NUM,
@@ -142,7 +156,11 @@ textFail(){
       "Timestamp": $TIMESTAMP,
     }'
   else
-    echo "      $BAD FAIL! $1 $NORMAL"
+    if [[ "${level}" == "FAIL" ]]; then
+      echo "      $BAD ${level}! $1 $NORMAL"
+    else
+      echo "      $WARNING ${level}! $1 $NORMAL"
+    fi
   fi
 }
 

diff --git a/prowler b/prowler
@@ -47,6 +47,7 @@ EXITCODE=0
 SCRIPT_START_TIME=$( date -u +"%Y-%m-%dT%H:%M:%S%z" )
 TITLE_ID=""
 TITLE_TEXT="CALLER ERROR - UNSET TITLE"
+WHITELIST_FILE=""
 
 # Command usage menu
 usage(){
@@ -83,12 +84,19 @@ USAGE:
                             (i.e.: ProwlerRole)
       -T                  session durantion given to that role credentials in seconds, default 1h (3600) recommended 12h, requires -R and -T
                             (i.e.: 43200) 
+      -w                  whitelist file. (Lines starting with # are ignored as comments) Format:
+                            # ignore these due to some reason
+                            # check1 checks s3 buckets
+                            <checkid1>:<resource to ignore 1>
+                            <checkid1>:<resource to ignore 2>
+                            # checkid2
+                            <checkid2>:<resource to ignore 1>
       -h                  this help
   "
   exit
 }
 
-while getopts ":hlLkqp:r:c:g:f:m:M:E:enbVsx:A:R:T:" OPTION; do
+while getopts ":hlLkqp:r:c:g:f:m:M:E:enbVsx:A:R:T:w:" OPTION; do
    case $OPTION in
      h )
         usage
@@ -160,6 +168,11 @@ while getopts ":hlLkqp:r:c:g:f:m:M:E:enbVsx:A:R:T:" OPTION; do
      T )
         SESSION_DURATION_TO_ASSUME=$OPTARG
         ;;
+     w )
+        WHITELIST_FILE=$OPTARG
+        echo ""
+        echo "$OPTNORMAL Using Whitelist file: $OPTARG"
+        ;;
      : )
         echo ""
         echo "$OPTRED ERROR!$OPTNORMAL  -$OPTARG requires an argument"
@@ -202,6 +215,12 @@ REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' \
   --region $REGION \
   --region-names $FILTERREGION)
 
+# Pre-process whitelist file if supplied
+if [[ -n "$WHITELIST_FILE" ]]; then
+  # ignore lines starting with # (comments)
+  WHITELIST=$(awk   '!/^[[:space:]]*#/{print }' <(cat "$WHITELIST_FILE"))
+fi
+
 # Load all of the groups of checks inside groups folder named as "groupNumber*"
 for group in $(ls $PROWLER_DIR/groups/group[0-9]*|grep -v groupN_sample); do
 	. "$group"
@@ -266,8 +285,10 @@ execute_check() {
           saveReport
         fi
       fi
-		  show_check_title $1
-		  $1
+      show_check_title "$1"
+      ignores=$(awk '/${1}/{print}' <(echo "${WHITELIST}"))
+      # set the custom ignores list for this check
+      IGNORES="${ignores}" $1
     else
       textFail "ERROR! Use a valid check name (i.e. check41 or extra71)";
       exit $EXITCODE

diff --git a/whitelist_sample.txt b/whitelist_sample.txt
@@ -0,0 +1,4 @@
+# Each line is a (checkid:item) tuple
+
+# Example: Will not consider a myignoredbucket failures as full failure. (Still printed as a warning)
+check26:myignoredbucket