
Fix: when prowler exits with a non-zero status, the remainder of the block is not executed #1015

Merged
merged 2 commits into from
Feb 2, 2022

Conversation

lorchda
Contributor

@lorchda lorchda commented Feb 1, 2022

Context

When prowler exits with a non-zero status code, the remainder of the block is not executed.

Description

|| true ensures the remainder of the block is executed.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@jfagoagas
Member

Hi @lorchda, can you provide us more information about this?

I think this code needs to include better error handling rather than forcing true. What do you think?

@jfagoagas jfagoagas added the status/awaiting-reponse Waiting response from Issue owner label Feb 2, 2022
@jfagoagas jfagoagas self-requested a review February 2, 2022 12:29
@lorchda
Contributor Author

lorchda commented Feb 2, 2022

Hi @jfagoagas

The errors are correctly reported by prowler to the console, and FAIL!s are captured by whatever reporting method you choose (e.g. HTML).

Suppose there was an error during execution; prowler will then run through completely and exit with a non-zero exit code to the shell.

Consider the following code here:

# Run Prowler against Accounts in AWS Organization
echo "AWS Accounts in Organization"
echo "$ACCOUNTS_IN_ORGS"
PARALLEL_ACCOUNTS="1"
for accountId in $ACCOUNTS_IN_ORGS; do
    # shellcheck disable=SC2015
    test "$(jobs | wc -l)" -ge $PARALLEL_ACCOUNTS && wait || true
    {
        START_TIME=$SECONDS
        # Unset AWS Profile Variables
        unset_aws
        # Run Prowler
        echo -e "Assessing AWS Account: $accountId, using Role: $ROLE on $(date)"
        # remove -g cislevel for a full report and add other formats if needed
        ./prowler/prowler -R "$ROLE" -A "$accountId" -g cislevel1 -M html
        echo "Report stored locally at: prowler/output/ directory"
        TOTAL_SEC=$((SECONDS - START_TIME))
        echo -e "Completed AWS Account: $accountId, using Role: $ROLE on $(date)"
        printf "Completed AWS Account: $accountId in %02dh:%02dm:%02ds" $((TOTAL_SEC / 3600)) $((TOTAL_SEC % 3600 / 60)) $((TOTAL_SEC % 60))
        echo ""
    } &
done

When prowler exits with a non-zero exit code, then the remainder of the block, namely...

        echo "Report stored locally at: prowler/output/ directory"
        TOTAL_SEC=$((SECONDS - START_TIME))
        echo -e "Completed AWS Account: $accountId, using Role: $ROLE on $(date)"
        printf "Completed AWS Account: $accountId in %02dh:%02dm:%02ds" $((TOTAL_SEC / 3600)) $((TOTAL_SEC % 3600 / 60)) $((TOTAL_SEC % 60))
        echo ""

... is not executed, cutting the console output short. Note that prowler still completes successfully and generates the required reports.

This is how the output looks, with extra7145 being the last required check and prowler having a successful run, but with some errors on the way.

...
7.141 [extra7141] Find secrets in SSM Documents - ssm [Critical]
       INFO! eu-central-1: No SSM Document found. 
7.145 [extra7145] Check if Lambda functions have policies which allow access to any AWS account - lambda [Critical]
       INFO! eu-central-1: Lambda function TransitNetworkOrchestratorSMLambda doesn't have any policy 
       INFO! eu-central-1: Lambda function TgwPeeringAttachmentLambda-STNO doesn't have any policy 
       PASS! eu-central-1: Lambda function aws-controltower-NotificationForwarder has policy which doesn't allow access to everyone having an AWS account
       PASS! eu-central-1: Lambda function TransitNetworkOrchestratorCRLambda has policy which doesn't allow access to everyone having an AWS account
Assessing AWS Account: 1234567890, using Role: ProwlerXA-CBRole on Mon Jan 31 23:27:46 UTC 2022                          _

  _ __  _ __ _____      _| | ___ _ __
 | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
 | |_) | | | (_) \ V  V /| |  __/ |
 | .__/|_|  \___/ \_/\_/ |_|\___|_|v2.7.0-24January2022
 |_| the handy cloud security tool

 Date: Mon Jan 31 23:27:49 UTC 2022

 Color code for results: 
 -  INFO (Information)
 -  PASS (Recommended value)
 -  WARNING (Ignored by whitelist)
 -  FAIL (Fix required)

 This report is being generated using credentials below:
 AWS-CLI Profile: [INSTANCE-PROFILE] AWS API Region: [eu-central-1] AWS Filter Region: [eu-central-1]
 AWS Account: [1234567890] UserId: [AROA2NM6J2FE6YLKHLB2Q:AWSCodeBuild-d4216dfc-6dad-4980-ae30-f3f6c2b5a6bc]
 Caller Identity ARN: [arn:aws:sts::1234567890:assumed-role/ProwlerCodeBuild-Role/AWSCodeBuild-d4216dfc-6dad-4980-ae30-f3f6c2b5a6bc]
...

Regards
Daniel
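The short-circuit described above, reproduced as an added example that is not part of the PR or of prowler itself. It assumes the per-account block runs with errexit (set -e) in effect, which is what makes the failing command abort the rest of the block, and it uses a constructed fake_prowler function in place of ./prowler/prowler. It shows the original block, the `|| true` fix from this PR, and a third variant that keeps the block running while still recording prowler's exit status, which is the kind of error handling asked for in the review.

```shell
#!/bin/sh
# Added example (not the PR's or prowler's code): reproduce the errexit
# short-circuit, then compare the "|| true" fix with a status-preserving variant.

# Constructed stand-in for ./prowler/prowler: prints one result line, then
# exits 3 the way prowler does when a check fails (see the -z/-Z help text).
FAKE_PROWLER='fake_prowler() { echo "FAIL! eu-central-1: constructed failing check"; return 3; }'

# Run one variant of the per-account block in a child shell with errexit on,
# using the same { ... } & shape as the CodeBuild snippet, and print whatever
# the block managed to print. $1 selects: original, fixed, or status.
run_block() {
    case "$1" in
        # original: the failing command aborts the background block under set -e
        original) invoke='fake_prowler' ;;
        # fixed (this PR): "|| true" lets the block finish, but the status is lost
        fixed)    invoke='fake_prowler || true' ;;
        # status: finish the block and still keep prowler's exit code for reporting
        status)   invoke='rc=0; fake_prowler || rc=$?; echo "prowler exit status: $rc"' ;;
        *) echo "unknown variant: $1" >&2; return 2 ;;
    esac
    # wait with no arguments returns 0, so the child shell itself exits cleanly;
    # "|| true" keeps this helper usable from a caller that also has set -e on.
    sh -c "set -e; $FAKE_PROWLER
        { $invoke; echo \"Completed AWS Account: 123456789012\"; } &
        wait" || true
}

# Stand-alone demo: the original variant never prints the "Completed" line.
for variant in original fixed status; do
    echo "--- $variant ---"
    run_block "$variant"
done
```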

@toniblyx
Member

toniblyx commented Feb 2, 2022

@lorchda can this be handled with the existing Z options? (./prowler -h)

-z Failed checks do not trigger exit code 3.
-Z Specify one or multiple check ids separated by commas that will trigger exit code 3 if they fail. Unspecified checks will not trigger exit code 3. This will override -z.

@jfagoagas jfagoagas left a comment


Good job @lorchda

Thanks!!

@jfagoagas jfagoagas merged commit 6794144 into prowler-cloud:master Feb 2, 2022