From 11cc8e998bed0823d5b6f2122df9771f0c04618c Mon Sep 17 00:00:00 2001
From: Nacho Rivera <59198746+n4ch04@users.noreply.github.com>
Date: Wed, 5 Oct 2022 13:50:49 +0200
Subject: [PATCH] fix(checks): Handle checks not returning result (#1383)

Co-authored-by: Pepe Fagoaga
---
 checks/check_extra7164 | 37 +++++++++++++++++++------------------
 checks/check_extra72 | 21 +++++++++++++--------
 checks/check_extra729 | 36 ++++++++++++++++++++----------------
 checks/check_extra74 | 21 +++++++++++++--------
 4 files changed, 65 insertions(+), 50 deletions(-)

diff --git a/checks/check_extra7164 b/checks/check_extra7164
index f01358998e5..7009f6ce1f0 100644
--- a/checks/check_extra7164
+++ b/checks/check_extra7164
@@ -33,29 +33,30 @@ CHECK_REMEDIATION_extra7164="Associate KMS Key with Cloudwatch log group."
 CHECK_DOC_extra7164="https://docs.aws.amazon.com/cli/latest/reference/logs/associate-kms-key.html"
 CHECK_CAF_EPIC_extra7164="Data Protection"
+
 extra7164(){
-  # "Check if Cloudwatch log groups are associated with AWS KMS"
+
+  # "Check if Cloudwatch log groups are associated with AWS KMS"
   for regx in $REGIONS; do
-    LIST_OF_LOGGROUPS=$($AWSCLI logs describe-log-groups $PROFILE_OPT --region $regx --output json 2>&1 )
-    if [[ $(echo "$LIST_OF_LOGGROUPS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+    LIST_OF_LOGGROUPS=$($AWSCLI logs describe-log-groups $PROFILE_OPT --region $regx --query 'logGroups[]' 2>&1 )
+    if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${LIST_OF_LOGGROUPS}"
+    then
       textInfo "$regx: Access Denied trying to describe log groups" "$regx"
       continue
     fi
-    if [[ $LIST_OF_LOGGROUPS ]]; then
-      LIST_OF_LOGGROUPS_WITHOUT_KMS=$(echo "${LIST_OF_LOGGROUPS}" | jq '.logGroups[]' | jq '. | select( has("kmsKeyId") == false )' | jq -r '.logGroupName')
-      LIST_OF_LOGGROUPS_WITH_KMS=$(echo "${LIST_OF_LOGGROUPS}" | jq '.logGroups[]' | jq '. | select( has("kmsKeyId") == true )' | jq -r '.logGroupName')
-      if [[ $LIST_OF_LOGGROUPS_WITHOUT_KMS ]]; then
-        for loggroup in $LIST_OF_LOGGROUPS_WITHOUT_KMS; do
-          textFail "$regx: ${loggroup} does not have AWS KMS keys associated." "$regx" "${loggroup}"
-        done
-      fi
-      if [[ $LIST_OF_LOGGROUPS_WITH_KMS ]]; then
-        for loggroup in $LIST_OF_LOGGROUPS_WITH_KMS; do
-          textPass "$regx: ${loggroup} does have AWS KMS keys associated." "$regx" "${loggroup}"
-        done
-      fi
-    else
-      textPass "$regx: No Cloudwatch log groups found." "$regx"
+    if [[ "${LIST_OF_LOGGROUPS}" != '[]' ]]
+    then
+      for LOGGROUP in $(jq -c '.[]' <<< "${LIST_OF_LOGGROUPS}"); do
+        LOGGROUP_NAME=$(jq -r '.logGroupName' <<< "${LOGGROUP}")
+        if [[ $(jq '. | select( has("kmsKeyId") == false )' <<< "${LOGGROUP}") ]]
+        then
+          textFail "$regx: ${LOGGROUP_NAME} does not have AWS KMS keys associated." "$regx" "${LOGGROUP_NAME}"
+        else
+          textPass "$regx: ${LOGGROUP_NAME} does have AWS KMS keys associated." "$regx" "${LOGGROUP_NAME}"
+        fi
+      done
+    else
+      textPass "$regx: No Cloudwatch log groups found." "$regx" "No log groups"
     fi
   done
 }
diff --git a/checks/check_extra72 b/checks/check_extra72
index 36ba6ed41ed..612b0d4bf08 100644
--- a/checks/check_extra72
+++ b/checks/check_extra72
@@ -33,13 +33,18 @@ extra72(){
       textInfo "$regx: Access Denied trying to describe snapshot" "$regx"
       continue
     fi
-    for snapshot in $LIST_OF_EBS_SNAPSHOTS; do
-      SNAPSHOT_IS_PUBLIC=$($AWSCLI ec2 describe-snapshot-attribute $PROFILE_OPT --region $regx --output text --snapshot-id $snapshot --attribute createVolumePermission --query "CreateVolumePermissions[?Group=='all']")
-      if [[ $SNAPSHOT_IS_PUBLIC ]];then
-        textFail "$regx: $snapshot is currently Public!" "$regx" "$snapshot"
-      else
-        textPass "$regx: $snapshot is not Public" "$regx" "$snapshot"
-      fi
-    done
+    if [[ ${LIST_OF_EBS_SNAPSHOTS} ]]
+    then
+      for snapshot in $LIST_OF_EBS_SNAPSHOTS; do
+        SNAPSHOT_IS_PUBLIC=$($AWSCLI ec2 describe-snapshot-attribute $PROFILE_OPT --region $regx --output text --snapshot-id $snapshot --attribute createVolumePermission --query "CreateVolumePermissions[?Group=='all']")
+        if [[ $SNAPSHOT_IS_PUBLIC ]];then
+          textFail "$regx: $snapshot is currently Public!" "$regx" "$snapshot"
+        else
+          textPass "$regx: $snapshot is not Public" "$regx" "$snapshot"
+        fi
+      done
+    else
+      textPass "$regx: There is no EBS Snapshots" "$regx" "No EBS Snapshots"
+    fi
   done
 }
diff --git a/checks/check_extra729 b/checks/check_extra729
index 89ee70d9c9e..3fdb51a866f 100644
--- a/checks/check_extra729
+++ b/checks/check_extra729
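Review bot: The new `LIST_OF_LOGGROUPS=` line drops the `--output json` the old line carried, so the `jq` pipeline below it now depends on whatever output format the caller's profile or `AWS_DEFAULT_OUTPUT` selects (unless the harness pins it somewhere I cannot see from here). With text or table output, or with any CLI error other than the three grepped (throttling, endpoint failure, merged in by `2>&1`), the value is not `[]`, `jq -c '.[]'` emits nothing, and the region silently produces neither a PASS nor a FAIL — the very symptom this commit is fixing. Restoring `--output json` and refusing to walk anything that is not a JSON array closes both gaps. Separately, `for LOGGROUP in $(jq -c '.[]' ...)` word-splits each compact object; it appears to work only because the fields describe-log-groups returns contain no whitespace, and a `while IFS= read -r LOGGROUP` loop over the same `jq -c` output would not rely on that.
```shell
    LIST_OF_LOGGROUPS=$($AWSCLI logs describe-log-groups $PROFILE_OPT --region $regx --query 'logGroups[]' --output json 2>&1 )
    # … unchanged: AccessDenied grep / textInfo / continue …
    # Anything that is not a JSON array (text output, throttling, endpoint errors) must not be walked as log groups
    if ! jq -e 'type == "array"' <<< "${LIST_OF_LOGGROUPS}" > /dev/null 2>&1
    then
      textInfo "$regx: Unexpected response trying to describe log groups" "$regx"
      continue
    fi
    # … unchanged: '[]' check and per-log-group PASS/FAIL loop …
```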
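Review bot: The re-indented `SNAPSHOT_IS_PUBLIC=` call has no error handling, so if `describe-snapshot-attribute` fails for one snapshot (DescribeSnapshotAttribute denied while DescribeSnapshots is allowed, or throttling) the substitution is empty and the `else` branch reports `$snapshot is not Public` — a public snapshot is passed on an API error. Checking the command's exit status before the pass/fail decision keeps a failed lookup from becoming a PASS. The `else` message `There is no EBS Snapshots` would read better as `There are no EBS Snapshots`. extra72's opening and the `LIST_OF_EBS_SNAPSHOTS` assignment are outside the hunk.
```shell
      for snapshot in $LIST_OF_EBS_SNAPSHOTS; do
        if ! SNAPSHOT_IS_PUBLIC=$($AWSCLI ec2 describe-snapshot-attribute $PROFILE_OPT --region $regx --output text --snapshot-id $snapshot --attribute createVolumePermission --query "CreateVolumePermissions[?Group=='all']")
        then
          textInfo "$regx: Could not read createVolumePermission for $snapshot" "$regx" "$snapshot"
          continue
        fi
        # … unchanged: Public / not Public FAIL-PASS …
      done
```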
@@ -28,21 +28,25 @@ CHECK_CAF_EPIC_extra729='Data Protection'
 extra729(){
   # "Ensure there are no EBS Volumes unencrypted "
   for regx in $REGIONS; do
-    LIST_OF_EBS_NON_ENC_VOLUMES=$($AWSCLI ec2 describe-volumes $PROFILE_OPT --region $regx --query 'Volumes[?Encrypted==`false`].VolumeId' --output text 2>&1)
-    if [[ $(echo "$LIST_OF_EBS_NON_ENC_VOLUMES" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
-      textInfo "$regx: Access Denied trying to describe volumes" "$regx"
-      continue
-    fi
-    if [[ $LIST_OF_EBS_NON_ENC_VOLUMES ]];then
-      for volume in $LIST_OF_EBS_NON_ENC_VOLUMES; do
-        textFail "$regx: $volume is not encrypted!" "$regx" "$volume"
-      done
-    fi
-    LIST_OF_EBS_ENC_VOLUMES=$($AWSCLI ec2 describe-volumes $PROFILE_OPT --region $regx --query 'Volumes[?Encrypted==`true`].VolumeId' --output text)
-    if [[ $LIST_OF_EBS_ENC_VOLUMES ]];then
-      for volume in $LIST_OF_EBS_ENC_VOLUMES; do
-        textPass "$regx: $volume is encrypted" "$regx" "$volume"
-      done
-    fi
+    LIST_OF_EBS_NON_ENC_VOLUMES=$($AWSCLI ec2 describe-volumes $PROFILE_OPT --region $regx --query 'Volumes[?Encrypted==`false`].VolumeId' --output text 2>&1)
+    if [[ $(echo "$LIST_OF_EBS_NON_ENC_VOLUMES" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
+      textInfo "$regx: Access Denied trying to describe volumes" "$regx"
+      continue
+    fi
+    if [[ $LIST_OF_EBS_NON_ENC_VOLUMES ]];then
+      for volume in $LIST_OF_EBS_NON_ENC_VOLUMES; do
+        textFail "$regx: $volume is not encrypted!" "$regx" "$volume"
+      done
+    fi
+    LIST_OF_EBS_ENC_VOLUMES=$($AWSCLI ec2 describe-volumes $PROFILE_OPT --region $regx --query 'Volumes[?Encrypted==`true`].VolumeId' --output text)
+    if [[ $LIST_OF_EBS_ENC_VOLUMES ]];then
+      for volume in $LIST_OF_EBS_ENC_VOLUMES; do
+        textPass "$regx: $volume is encrypted" "$regx" "$volume"
+      done
+    fi
+    if [[ ! "${LIST_OF_EBS_NON_ENC_VOLUMES}" ]] && [[ ! "${LIST_OF_EBS_ENC_VOLUMES}" ]]
+    then
+      textPass "$regx: There are no ebs volumes" "$regx" "No ebs volumes"
+    fi
   done
 }
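Review bot: The new empty-region branch at the end reports `There are no ebs volumes` as a PASS whenever both lists are empty, but the second `describe-volumes` call (the `LIST_OF_EBS_ENC_VOLUMES=` line) has no `2>&1` and no status check, so a failed second call in a region holding only encrypted volumes is reported as an empty region. The first call has the opposite problem: its `2>&1` merges any error text other than the two grepped (throttling, endpoint failure — note `AuthorizationError` is matched in check_extra7164 but not here) into the variable, and the `for volume in` loop then emits one FAIL per word of the message. Both can be avoided by listing volumes once with `--query 'Volumes[].[VolumeId,Encrypted]'`, checking the exit status of that single call, and deciding PASS/FAIL per row; this also means the two listings are no longer taken at different instants (PASS and FAIL lines become interleaved rather than grouped).
```shell
    if ! VOLUMES=$($AWSCLI ec2 describe-volumes $PROFILE_OPT --region $regx --query 'Volumes[].[VolumeId,Encrypted]' --output text 2>&1)
    then
      if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${VOLUMES}"; then
        textInfo "$regx: Access Denied trying to describe volumes" "$regx"
      else
        textInfo "$regx: Error trying to describe volumes" "$regx"
      fi
      continue
    fi
    if [[ ! "${VOLUMES}" ]]
    then
      textPass "$regx: There are no ebs volumes" "$regx" "No ebs volumes"
      continue
    fi
    # text output prints one "<VolumeId>\t<True|False>" row per volume
    while read -r volume encrypted; do
      if [[ "${encrypted}" == "True" ]]; then
        textPass "$regx: $volume is encrypted" "$regx" "$volume"
      else
        textFail "$regx: $volume is not encrypted!" "$regx" "$volume"
      fi
    done <<< "${VOLUMES}"
```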
diff --git a/checks/check_extra74 b/checks/check_extra74
index 50ed2aa8356..bedf467d9f3 100644
--- a/checks/check_extra74
+++ b/checks/check_extra74
@@ -34,13 +34,18 @@ extra74(){
       textInfo "$regx: Access Denied trying to describe security groups" "$regx"
       continue
     fi
-    for SG_ID in $LIST_OF_SECURITYGROUPS; do
-      SG_NO_INGRESS_FILTER=$($AWSCLI ec2 describe-network-interfaces $PROFILE_OPT --region $regx --filters "Name=group-id,Values=$SG_ID" --query "length(NetworkInterfaces)" --output text)
-      if [[ $SG_NO_INGRESS_FILTER -ne 0 ]];then
-        textFail "$regx: $SG_ID has no ingress filtering and it is being used!" "$regx" "$SG_ID"
-      else
-        textInfo "$regx: $SG_ID has no ingress filtering but it is not being used" "$regx" "$SG_ID"
-      fi
-    done
+    if [[ ${LIST_OF_SECURITYGROUPS} ]]
+    then
+      for SG_ID in $LIST_OF_SECURITYGROUPS; do
+        SG_NO_INGRESS_FILTER=$($AWSCLI ec2 describe-network-interfaces $PROFILE_OPT --region $regx --filters "Name=group-id,Values=$SG_ID" --query "length(NetworkInterfaces)" --output text)
+        if [[ $SG_NO_INGRESS_FILTER -ne 0 ]];then
+          textFail "$regx: $SG_ID has no ingress filtering and it is being used!" "$regx" "$SG_ID"
+        else
+          textInfo "$regx: $SG_ID has no ingress filtering but it is not being used" "$regx" "$SG_ID"
+        fi
+      done
+    else
+      textPass "$regx: There is no EC2 Security Groups" "$regx" "No EBS Snapshots"
+    fi
   done
 }
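Review bot: The added `else` branch labels the resource as `"No EBS Snapshots"` in a security-group check — a copy-paste from check_extra72 that mislabels the finding in the report; it should read `textPass "$regx: There are no EC2 Security Groups" "$regx" "No Security Groups"`. Separately, the re-indented `SG_NO_INGRESS_FILTER=` call has no error handling: if `describe-network-interfaces` fails the variable is empty, `[[ "" -ne 0 ]]` evaluates the empty string as 0 in bash and is false, and the group is reported as `not being used` — an INFO instead of a FAIL on an API error; `if ! SG_NO_INGRESS_FILTER=$(...); then textInfo "$regx: Could not describe network interfaces for $SG_ID" "$regx" "$SG_ID"; continue; fi` would surface it. extra74's opening and the `LIST_OF_SECURITYGROUPS` assignment are outside the hunk.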