From 1e3985d3b41dc4cc47c069a4ede5081e3cb44461 Mon Sep 17 00:00:00 2001 From: Ben Allen Date: Fri, 7 Jul 2017 16:33:42 -0500 Subject: [PATCH 1/2] change name of temp file so that it's random Allows multiple instances of prowler to run in parallel (eg. via xargs -P ). Also, add trap handler to remove temp file if interrupted. --- prowler | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/prowler b/prowler index d623447bdb8..8ea3314953f 100755 --- a/prowler +++ b/prowler @@ -362,7 +362,7 @@ genCredReport() { # Save report to a file, decode it, deletion at finish and after every single check, acb stands for AWS CIS Benchmark saveReport(){ - TEMP_REPORT_FILE=/tmp/.acb + TEMP_REPORT_FILE=$(mktemp -t prowler-XXXXX.cred_report ) $AWSCLI iam get-credential-report --query 'Content' --output text --profile $PROFILE --region $REGION | decode_report > $TEMP_REPORT_FILE } @@ -371,6 +371,9 @@ cleanTemp(){ rm -fr $TEMP_REPORT_FILE } +# Delete the temporary report file if we get interrupted/terminated +trap cleanTemp SIGHUP SIGINT SIGTERM + # Get a list of all available AWS Regions REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' \ --output text \ From cdbcac5251816ddcc12143353e4b39e0d85bc7fd Mon Sep 17 00:00:00 2001 From: Ben Allen Date: Fri, 7 Jul 2017 16:35:32 -0500 Subject: [PATCH 2/2] add account number to CSV output. --- prowler | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/prowler b/prowler index 8ea3314953f..60450f50daf 100755 --- a/prowler +++ b/prowler @@ -250,7 +250,7 @@ textOK(){ else REPREGION=$REGION fi - echo "$PROFILE${SEP}$REPREGION${SEP}$TITLE_ID${SEP}PASS${SEP}$ITEM_SCORED${SEP}$TITLE_TEXT${SEP}$1" + echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}PASS${SEP}$ITEM_SCORED${SEP}$TITLE_TEXT${SEP}$1" else echo " $OK OK! $NORMAL $1" fi @@ -263,7 +263,7 @@ textNotice(){ else REPREGION=$REGION fi - echo "$PROFILE${SEP}$REPREGION${SEP}$TITLE_ID${SEP}INFO${SEP}$ITEM_SCORED${SEP}$TITLE_TEXT${SEP}$1" + echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}INFO${SEP}$ITEM_SCORED${SEP}$TITLE_TEXT${SEP}$1" else echo " $NOTICE INFO! $1 $NORMAL" fi @@ -276,7 +276,7 @@ textWarn(){ else REPREGION=$REGION fi - echo "$PROFILE${SEP}$REPREGION${SEP}$TITLE_ID${SEP}WARNING${SEP}$ITEM_SCORED${SEP}$TITLE_TEXT${SEP}$1" + echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}WARNING${SEP}$ITEM_SCORED${SEP}$TITLE_TEXT${SEP}$1" else echo " $BAD WARNING! $1 $NORMAL" fi @@ -307,9 +307,9 @@ printCsvHeader() { >&2 echo "" >&2 echo "" >&2 echo "Generating \"${SEP}\" delimited report on stdout; Diagnostics on stderr." - >&2 echo " Using Profile $PROFILE" + >&2 echo " Using Profile $PROFILE, Account $ACCOUNT_NUM" >&2 echo "" - echo "PROFILE${SEP}REGION${SEP}TITLE_ID${SEP}RESULT${SEP}SCORED${SEP}TITLE_TEXT${SEP}NOTES" + echo "PROFILE${SEP}ACCOUNT_NUM${SEP}REGION${SEP}TITLE_ID${SEP}RESULT${SEP}SCORED${SEP}TITLE_TEXT${SEP}NOTES" } prowlerBanner() { @@ -323,6 +323,7 @@ prowlerBanner() { # Get whoami in AWS, who is the user running this shell script getWhoami(){ + ACCOUNT_NUM=$($AWSCLI sts get-caller-identity --output json --profile $PROFILE --region $REGION --query "Account" | tr -d '"') if [[ $MODE == "csv" ]]; then CALLER_ARN=$($AWSCLI sts get-caller-identity --output json --profile $PROFILE --region $REGION --query "Arn" | tr -d '"') textTitle "0.0" "Show report generation info"