fix(checks): Handle checks not returning result (#1383)

Co-authored-by: Pepe Fagoaga <pepe@verica.io>
prowler-cloud · Oct 5, 2022 · 11cc8e9 · 11cc8e9
1 parent 4a71739
commit 11cc8e9
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 50 deletions.
diff --git a/checks/check_extra7164 b/checks/check_extra7164
@@ -33,29 +33,30 @@ CHECK_REMEDIATION_extra7164="Associate KMS Key with Cloudwatch log group."
 CHECK_DOC_extra7164="https://docs.aws.amazon.com/cli/latest/reference/logs/associate-kms-key.html"
 CHECK_CAF_EPIC_extra7164="Data Protection"
 
+
 extra7164(){
-    # "Check if Cloudwatch log groups are associated with AWS KMS"
+
+  # "Check if Cloudwatch log groups are associated with AWS KMS"
     for regx in $REGIONS; do
-      LIST_OF_LOGGROUPS=$($AWSCLI logs describe-log-groups $PROFILE_OPT --region $regx --output json 2>&1 )
-      if [[ $(echo "$LIST_OF_LOGGROUPS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+      LIST_OF_LOGGROUPS=$($AWSCLI logs describe-log-groups $PROFILE_OPT --region $regx --query 'logGroups[]' 2>&1 )
+      if  grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${LIST_OF_LOGGROUPS}"
+      then
           textInfo "$regx: Access Denied trying to describe log groups" "$regx"
           continue
       fi
-      if [[ $LIST_OF_LOGGROUPS ]]; then
-        LIST_OF_LOGGROUPS_WITHOUT_KMS=$(echo "${LIST_OF_LOGGROUPS}" | jq '.logGroups[]' |  jq '. | select( has("kmsKeyId") == false )' | jq -r '.logGroupName')
-        LIST_OF_LOGGROUPS_WITH_KMS=$(echo "${LIST_OF_LOGGROUPS}" | jq '.logGroups[]' |  jq '. | select( has("kmsKeyId") == true )' | jq -r '.logGroupName')
-      if [[ $LIST_OF_LOGGROUPS_WITHOUT_KMS ]]; then
-        for loggroup in $LIST_OF_LOGGROUPS_WITHOUT_KMS; do
-          textFail "$regx: ${loggroup} does not have AWS KMS keys associated." "$regx" "${loggroup}"
-        done
-      fi
-      if [[ $LIST_OF_LOGGROUPS_WITH_KMS ]]; then
-        for loggroup in $LIST_OF_LOGGROUPS_WITH_KMS; do
-          textPass "$regx: ${loggroup} does have AWS KMS keys associated." "$regx" "${loggroup}"
-        done
-      fi
-    else
-      textPass "$regx: No Cloudwatch log groups found." "$regx"
+      if [[ "${LIST_OF_LOGGROUPS}" != '[]' ]]
+      then
+          for LOGGROUP in $(jq -c '.[]' <<< "${LIST_OF_LOGGROUPS}"); do
+            LOGGROUP_NAME=$(jq -r '.logGroupName' <<< "${LOGGROUP}")
+            if [[ $(jq '. | select( has("kmsKeyId") == false )' <<< "${LOGGROUP}") ]]
+            then
+              textFail "$regx: ${LOGGROUP_NAME} does not have AWS KMS keys associated." "$regx" "${LOGGROUP_NAME}"
+            else
+              textPass "$regx: ${LOGGROUP_NAME} does have AWS KMS keys associated." "$regx" "${LOGGROUP_NAME}"
+            fi
+          done
+      else
+        textPass "$regx: No Cloudwatch log groups found." "$regx" "No log groups"
       fi
     done
 }
diff --git a/checks/check_extra72 b/checks/check_extra72
@@ -33,13 +33,18 @@ extra72(){
         textInfo "$regx: Access Denied trying to describe snapshot" "$regx"
         continue
     fi
-    for snapshot in $LIST_OF_EBS_SNAPSHOTS; do
-      SNAPSHOT_IS_PUBLIC=$($AWSCLI ec2 describe-snapshot-attribute $PROFILE_OPT --region $regx --output text --snapshot-id $snapshot --attribute createVolumePermission --query "CreateVolumePermissions[?Group=='all']")
-      if [[ $SNAPSHOT_IS_PUBLIC ]];then
-        textFail "$regx: $snapshot is currently Public!" "$regx" "$snapshot"
-      else
-        textPass "$regx: $snapshot is not Public" "$regx" "$snapshot"
-      fi
-    done
+    if [[ ${LIST_OF_EBS_SNAPSHOTS} ]]
+    then
+      for snapshot in $LIST_OF_EBS_SNAPSHOTS; do
+        SNAPSHOT_IS_PUBLIC=$($AWSCLI ec2 describe-snapshot-attribute $PROFILE_OPT --region $regx --output text --snapshot-id $snapshot --attribute createVolumePermission --query "CreateVolumePermissions[?Group=='all']")
+        if [[ $SNAPSHOT_IS_PUBLIC ]];then
+          textFail "$regx: $snapshot is currently Public!" "$regx" "$snapshot"
+        else
+          textPass "$regx: $snapshot is not Public" "$regx" "$snapshot"
+        fi
+      done
+    else
+      textPass "$regx: There is no EBS Snapshots" "$regx" "No EBS Snapshots"
+    fi
   done
 }
diff --git a/checks/check_extra729 b/checks/check_extra729
@@ -28,21 +28,25 @@ CHECK_CAF_EPIC_extra729='Data Protection'
 extra729(){
   # "Ensure there are no EBS Volumes unencrypted "
   for regx in $REGIONS; do
-    LIST_OF_EBS_NON_ENC_VOLUMES=$($AWSCLI ec2 describe-volumes $PROFILE_OPT --region $regx --query 'Volumes[?Encrypted==`false`].VolumeId' --output text 2>&1)
-    if [[ $(echo "$LIST_OF_EBS_NON_ENC_VOLUMES" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
-        textInfo "$regx: Access Denied trying to describe volumes" "$regx"
-        continue
-    fi 
-    if [[ $LIST_OF_EBS_NON_ENC_VOLUMES ]];then
-      for volume in $LIST_OF_EBS_NON_ENC_VOLUMES; do
-        textFail "$regx: $volume is not encrypted!" "$regx" "$volume"
-      done
-    fi
-    LIST_OF_EBS_ENC_VOLUMES=$($AWSCLI ec2 describe-volumes $PROFILE_OPT --region $regx --query 'Volumes[?Encrypted==`true`].VolumeId' --output text)
-    if [[ $LIST_OF_EBS_ENC_VOLUMES ]];then
-      for volume in $LIST_OF_EBS_ENC_VOLUMES; do
-        textPass "$regx: $volume is encrypted" "$regx" "$volume"
-      done
-    fi
+      LIST_OF_EBS_NON_ENC_VOLUMES=$($AWSCLI ec2 describe-volumes $PROFILE_OPT --region $regx --query 'Volumes[?Encrypted==`false`].VolumeId' --output text 2>&1)
+      if [[ $(echo "$LIST_OF_EBS_NON_ENC_VOLUMES" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
+          textInfo "$regx: Access Denied trying to describe volumes" "$regx"
+          continue
+      fi
+      if [[ $LIST_OF_EBS_NON_ENC_VOLUMES ]];then
+        for volume in $LIST_OF_EBS_NON_ENC_VOLUMES; do
+          textFail "$regx: $volume is not encrypted!" "$regx" "$volume"
+        done
+      fi
+      LIST_OF_EBS_ENC_VOLUMES=$($AWSCLI ec2 describe-volumes $PROFILE_OPT --region $regx --query 'Volumes[?Encrypted==`true`].VolumeId' --output text)
+      if [[ $LIST_OF_EBS_ENC_VOLUMES ]];then
+        for volume in $LIST_OF_EBS_ENC_VOLUMES; do
+          textPass "$regx: $volume is encrypted" "$regx" "$volume"
+        done
+      fi
+      if [[ ! "${LIST_OF_EBS_NON_ENC_VOLUMES}" ]] && [[ ! "${LIST_OF_EBS_ENC_VOLUMES}" ]]
+      then
+        textPass "$regx: There are no ebs volumes" "$regx" "No ebs volumes"
+      fi
   done
 }
diff --git a/checks/check_extra74 b/checks/check_extra74
@@ -34,13 +34,18 @@ extra74(){
         textInfo "$regx: Access Denied trying to describe security groups" "$regx"
         continue
     fi
-    for SG_ID in $LIST_OF_SECURITYGROUPS; do
-      SG_NO_INGRESS_FILTER=$($AWSCLI ec2 describe-network-interfaces $PROFILE_OPT --region $regx --filters "Name=group-id,Values=$SG_ID" --query "length(NetworkInterfaces)" --output text)
-      if [[ $SG_NO_INGRESS_FILTER -ne 0 ]];then
-        textFail "$regx: $SG_ID has no ingress filtering and it is being used!" "$regx" "$SG_ID"
-      else
-        textInfo "$regx: $SG_ID has no ingress filtering but it is not being used" "$regx" "$SG_ID"
-      fi
-    done
+    if [[ ${LIST_OF_SECURITYGROUPS} ]]
+    then
+      for SG_ID in $LIST_OF_SECURITYGROUPS; do
+        SG_NO_INGRESS_FILTER=$($AWSCLI ec2 describe-network-interfaces $PROFILE_OPT --region $regx --filters "Name=group-id,Values=$SG_ID" --query "length(NetworkInterfaces)" --output text)
+        if [[ $SG_NO_INGRESS_FILTER -ne 0 ]];then
+          textFail "$regx: $SG_ID has no ingress filtering and it is being used!" "$regx" "$SG_ID"
+        else
+          textInfo "$regx: $SG_ID has no ingress filtering but it is not being used" "$regx" "$SG_ID"
+        fi
+      done
+    else
+      textPass "$regx: There is no EC2 Security Groups" "$regx" "No EBS Snapshots"
+    fi
   done
 }