From b95cf5bc7b96c9bb3782800d8c93f52f9a7153d0 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Thu, 16 May 2019 14:48:00 -0400 Subject: [PATCH] Added check extra748 SG open to any port --- checks/check_extra748 | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 checks/check_extra748 diff --git a/checks/check_extra748 b/checks/check_extra748 new file mode 100644 index 00000000000..dff4bf9fcb6 --- /dev/null +++ b/checks/check_extra748 @@ -0,0 +1,30 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +CHECK_ID_extra748="7.48" +CHECK_TITLE_extra748="[extra748] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to any port (Not Scored) (Not part of CIS benchmark)" +CHECK_SCORED_extra748="NOT_SCORED" +CHECK_TYPE_extra748="EXTRA" +CHECK_ALTERNATE_check748="extra748" + +extra748(){ + for regx in $REGIONS; do + SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort==null && ToPort==null)) && (contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`))]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text) + if [[ $SG_LIST ]];then + for SG in $SG_LIST;do + textFail "$regx: Found Security Group: $SG open to 0.0.0.0/0" "$regx" + done + else + textPass "$regx: No Security Groups found with any port open to 0.0.0.0/0" "$regx" + fi + done +}