Merge pull request #168 from toniblyx/master

Added check extra714 CloudFront logging
This commit is contained in:
Toni de la Fuente
2018-02-07 23:50:31 -05:00
committed by GitHub
2 changed files with 31 additions and 4 deletions


@@ -583,7 +583,7 @@ We are adding additional checks to improve the information gather from each acco
Note: Some of these checks for publicly facing resources may not actually be fully public due to other layered controls like S3 Bucket Policies, Security Groups or Network ACLs.
At this moment we have 11 extra checks:
At this moment we have 14 extra checks:
- 7.1 (`extra71`) Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)
- 7.2 (`extra72`) Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)
@@ -597,7 +597,8 @@ At this moment we have 11 extra checks:
- 7.10 (`extra710`) Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)
- 7.11 (`extra711`) Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)
- 7.12 (`extra712`) Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
- 7.13 (`extra713`) Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)
- 7.14 (`extra714`) Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
To check all extras in one command:
```
@@ -621,6 +622,7 @@ With this group of checks, Prowler looks if each service with logging or audit c
- 4.3 Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
- 7.12 Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
- 7.13 Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)
- 7.14 Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command:
```

prowler

@@ -494,6 +494,8 @@ ID712="7.12,7.12"
TITLE712="Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
ID713="7.13,7.13"
TITLE713="Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
ID714="7.14,7.14"
TITLE714="Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
printCsvHeader() {
>&2 echo ""
@@ -1890,6 +1892,26 @@ extra713(){
done
}
extra714(){
# "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
textTitle "$ID714" "$TITLE714" "NOT_SCORED" "EXTRA"
for regx in $REGIONS; do
LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions $PROFILE_OPT --region $regx --query 'DistributionList.Items[].Id' --output text |grep -v "^None")
if [[ $LIST_OF_DISTRIBUTIONS ]]; then
for cdn in $LIST_OF_DISTRIBUTIONS;do
CDN_LOG_ENABLED=$($AWSCLI cloudfront get-distribution $PROFILE_OPT --region $regx --id "$cdn" --query 'Distribution.DistributionConfig.Logging.Enabled' | grep true)
if [[ $CDN_LOG_ENABLED ]];then
textOK "$regx: CDN $cdn logging enabled" "$regx"
else
textWarn "$regx: CDN $cdn logging disabled!" "$regx"
fi
done
else
textOK "$regx: CDN not configured" "$regx"
fi
done
}
callCheck(){
if [[ $CHECKNUMBER ]];then
case "$CHECKNUMBER" in
@@ -1958,6 +1980,7 @@ callCheck(){
extra711|extra711 ) extra711;;
extra712|extra712 ) extra712;;
extra713|extra713 ) extra713;;
extra714|extra714 ) extra714;;
## Groups of Checks
check1 )
@@ -1994,12 +2017,12 @@ callCheck(){
;;
extras )
extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78;
extra79;extra710;extra711;extra712;extra713
extra79;extra710;extra711;extra712;extra713;extra714
;;
forensics-ready )
check21;check22;check23;check24;check25;check26;check27;
check43;
extra712;extra713
extra712;extra713;extra714
;;
* )
textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";
@@ -2083,6 +2106,7 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then
textTitle "$ID711" "$TITLE711" "NOT_SCORED" "EXTRA"
textTitle "$ID712" "$TITLE712" "NOT_SCORED" "EXTRA"
textTitle "$ID713" "$TITLE713" "NOT_SCORED" "EXTRA"
textTitle "$ID714" "$TITLE713" "NOT_SCORED" "EXTRA"
exit $EXITCODE
fi
@@ -2172,6 +2196,7 @@ extra710
extra711
extra712
extra713
extra714
cleanTemp
exit $EXITCODE
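Review bot: The `PRINTCHECKSONLY` listing (hunk `@@ -2083`) registers the new check under the wrong title: `textTitle "$ID714" "$TITLE713" "NOT_SCORED" "EXTRA"` prints the GuardDuty description for 7.14, so the checks list misdescribes what extra714 does; it should read `textTitle "$ID714" "$TITLE714" "NOT_SCORED" "EXTRA"`. In `extra714` itself (hunk `@@ -1890`), the loop passes every `$regx` in `$REGIONS` to `cloudfront list-distributions`; since CloudFront's distribution API is global rather than per-region, the same distribution IDs are likely returned and reported once for every region, inflating the report and the API call count — worth confirming, and if so the listing should run once outside the region loop. A header comment on the function stating that it flags any distribution whose `DistributionConfig.Logging.Enabled` is not `true` would also help readers, since the `| grep true` test is easy to miss.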