ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 23:05:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

changed outputs to the new ones

Browse Source
This commit is contained in:
Toni de la Fuente
2018-03-28 11:07:46 -04:00
parent 1acc6e45d0
commit 07b166baa9
81 changed files with 267 additions and 267 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
checks/check11
View File

@@ -6,5 +6,5 @@ CHECK_ALTERNATE_check101="check11"
check11(){ check11(){
# "Avoid the use of the root account (Scored)." # "Avoid the use of the root account (Scored)."
COMMAND11=$(cat $TEMP_REPORT_FILE| grep '<root_account>' | cut -d, -f5,11,16 | sed 's/,/\ /g') COMMAND11=$(cat $TEMP_REPORT_FILE| grep '<root_account>' | cut -d, -f5,11,16 | sed 's/,/\ /g')
textNotice "Root account last accessed (password key_1 key_2): $COMMAND11" textInfo "Root account last accessed (password key_1 key_2): $COMMAND11"
} }

6
checks/check110
View File

@@ -8,11 +8,11 @@ check110(){
COMMAND110=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --query 'PasswordPolicy.PasswordReusePrevention' --output text 2> /dev/null) COMMAND110=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --query 'PasswordPolicy.PasswordReusePrevention' --output text 2> /dev/null)
if [[ $COMMAND110 ]];then if [[ $COMMAND110 ]];then
if [[ $COMMAND110 -gt "23" ]];then if [[ $COMMAND110 -gt "23" ]];then
textOK "Password Policy limits reuse" textPass "Password Policy limits reuse"
else else
textWarn "Password Policy has weak reuse requirement (lower than 24)" textFail "Password Policy has weak reuse requirement (lower than 24)"
fi fi
else else
textWarn "Password Policy missing reuse requirement" textFail "Password Policy missing reuse requirement"
fi fi
} }

4
checks/check111
View File

@@ -8,9 +8,9 @@ check111(){
COMMAND111=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json | grep MaxPasswordAge | awk -F: '{ print $2 }'|sed 's/\ //g'|sed 's/,/ /g' 2> /dev/null) COMMAND111=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json | grep MaxPasswordAge | awk -F: '{ print $2 }'|sed 's/\ //g'|sed 's/,/ /g' 2> /dev/null)
if [[ $COMMAND111 ]];then if [[ $COMMAND111 ]];then
if [ "$COMMAND111" == "90" ];then if [ "$COMMAND111" == "90" ];then
textOK "Password Policy includes expiration" textPass "Password Policy includes expiration"
fi fi
else else
textWarn "Password expiration not set or set greater than 90 days " textFail "Password expiration not set or set greater than 90 days "
fi fi
} }

8
checks/check112
View File

@@ -9,13 +9,13 @@ check112(){
ROOTKEY1=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $9 }') ROOTKEY1=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $9 }')
ROOTKEY2=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $14 }') ROOTKEY2=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $14 }')
if [ "$ROOTKEY1" == "false" ];then if [ "$ROOTKEY1" == "false" ];then
textOK "No access key 1 found for root" textPass "No access key 1 found for root"
else else
textWarn "Found access key 1 for root " textFail "Found access key 1 for root "
fi fi
if [ "$ROOTKEY2" == "false" ];then if [ "$ROOTKEY2" == "false" ];then
textOK "No access key 2 found for root" textPass "No access key 2 found for root"
else else
textWarn "Found access key 2 for root " textFail "Found access key 2 for root "
fi fi
} }

4
checks/check113
View File

@@ -7,8 +7,8 @@ check113(){
# "Ensure MFA is enabled for the root account (Scored)" # "Ensure MFA is enabled for the root account (Scored)"
COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled') COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
if [ "$COMMAND113" == "1" ]; then if [ "$COMMAND113" == "1" ]; then
textOK "Virtual MFA is enabled for root" textPass "Virtual MFA is enabled for root"
else else
textWarn "MFA is not ENABLED for root account " textFail "MFA is not ENABLED for root account "
fi fi
} }

6
checks/check114
View File

@@ -9,11 +9,11 @@ check114(){
if [ "$COMMAND113" == "1" ]; then if [ "$COMMAND113" == "1" ]; then
COMMAND114=$($AWSCLI iam list-virtual-mfa-devices $PROFILE_OPT --region $REGION --output text --assignment-status Assigned --query 'VirtualMFADevices[*].[SerialNumber]' | grep '^arn:aws:iam::[0-9]\{12\}:mfa/root-account-mfa-device$') COMMAND114=$($AWSCLI iam list-virtual-mfa-devices $PROFILE_OPT --region $REGION --output text --assignment-status Assigned --query 'VirtualMFADevices[*].[SerialNumber]' | grep '^arn:aws:iam::[0-9]\{12\}:mfa/root-account-mfa-device$')
if [[ "$COMMAND114" ]]; then if [[ "$COMMAND114" ]]; then
textWarn "Only Virtual MFA is enabled for root" textFail "Only Virtual MFA is enabled for root"
else else
textOK "Hardware MFA is enabled for root " textPass "Hardware MFA is enabled for root "
fi fi
else else
textWarn "MFA is not ENABLED for root account " textFail "MFA is not ENABLED for root account "
fi fi
} }

6
checks/check115
View File

@@ -5,7 +5,7 @@ CHECK_ALTERNATE_check115="check115"
check115(){ check115(){
# "Ensure security questions are registered in the AWS account (Not Scored)" # "Ensure security questions are registered in the AWS account (Not Scored)"
textNotice "No command available for check 1.15 " textInfo "No command available for check 1.15 "
textNotice "Login to the AWS Console as root & click on the Account " textInfo "Login to the AWS Console as root & click on the Account "
textNotice "Name -> My Account -> Configure Security Challenge Questions " textInfo "Name -> My Account -> Configure Security Challenge Questions "
} }

4
checks/check116
View File

@@ -10,11 +10,11 @@ check116(){
for user in $LIST_USERS;do for user in $LIST_USERS;do
USER_POLICY=$($AWSCLI iam list-attached-user-policies --output text $PROFILE_OPT --region $REGION --user-name $user) USER_POLICY=$($AWSCLI iam list-attached-user-policies --output text $PROFILE_OPT --region $REGION --user-name $user)
if [[ $USER_POLICY ]]; then if [[ $USER_POLICY ]]; then
textWarn "$user has policy directly attached " textFail "$user has policy directly attached "
C116_NUM_USERS=$(expr $C116_NUM_USERS + 1) C116_NUM_USERS=$(expr $C116_NUM_USERS + 1)
fi fi
done done
if [[ $C116_NUM_USERS -eq 0 ]]; then if [[ $C116_NUM_USERS -eq 0 ]]; then
textOK "No policies attached to users." textPass "No policies attached to users."
fi fi
} }

4
checks/check117
View File

@@ -6,6 +6,6 @@ CHECK_ALTERNATE_check117="check117"
check117(){ check117(){
# "Enable detailed billing (Scored)" # "Enable detailed billing (Scored)"
# No command available # No command available
textNotice "No command available for check 1.17 " textInfo "No command available for check 1.17 "
textNotice "See section 1.17 on the CIS Benchmark guide for details " textInfo "See section 1.17 on the CIS Benchmark guide for details "
} }

12
checks/check118
View File

@@ -8,22 +8,22 @@ check118(){
FINDMASTERANDMANAGER=$($AWSCLI iam list-roles $PROFILE_OPT --region $REGION --query "Roles[*].{RoleName:RoleName}" --output text | grep -E 'Master|Manager'| tr ' FINDMASTERANDMANAGER=$($AWSCLI iam list-roles $PROFILE_OPT --region $REGION --query "Roles[*].{RoleName:RoleName}" --output text | grep -E 'Master|Manager'| tr '
' ' ') ' ' ')
if [[ $FINDMASTERANDMANAGER ]];then if [[ $FINDMASTERANDMANAGER ]];then
textNotice "Found next roles as possible IAM Master and IAM Manager candidates: " textInfo "Found next roles as possible IAM Master and IAM Manager candidates: "
textNotice "$FINDMASTERANDMANAGER " textInfo "$FINDMASTERANDMANAGER "
textNotice "run the commands below to check their policies with section 1.18 in the guide..." textInfo "run the commands below to check their policies with section 1.18 in the guide..."
for role in $FINDMASTERANDMANAGER;do for role in $FINDMASTERANDMANAGER;do
# find inline policies in found roles # find inline policies in found roles
INLINEPOLICIES=$($AWSCLI iam list-role-policies --role-name $role $PROFILE_OPT --region $REGION --query "PolicyNames[*]" --output text) INLINEPOLICIES=$($AWSCLI iam list-role-policies --role-name $role $PROFILE_OPT --region $REGION --query "PolicyNames[*]" --output text)
for policy in $INLINEPOLICIES;do for policy in $INLINEPOLICIES;do
textNotice "INLINE: $AWSCLI iam get-role-policy --role-name $role --policy-name $policy $PROFILE_OPT --region $REGION --output json" textInfo "INLINE: $AWSCLI iam get-role-policy --role-name $role --policy-name $policy $PROFILE_OPT --region $REGION --output json"
done done
# find attached policies in found roles # find attached policies in found roles
ATTACHEDPOLICIES=$($AWSCLI iam list-attached-role-policies --role-name $role $PROFILE_OPT --region $REGION --query "AttachedPolicies[*]" --output text) ATTACHEDPOLICIES=$($AWSCLI iam list-attached-role-policies --role-name $role $PROFILE_OPT --region $REGION --query "AttachedPolicies[*]" --output text)
for policy in $ATTACHEDPOLICIES;do for policy in $ATTACHEDPOLICIES;do
textNotice "ATTACHED: $AWSCLI iam get-role-policy --role-name $role --policy-name $policy $PROFILE_OPT --region $REGION --output json" textInfo "ATTACHED: $AWSCLI iam get-role-policy --role-name $role --policy-name $policy $PROFILE_OPT --region $REGION --output json"
done done
done done
else else
textWarn "IAM Master and IAM Manager roles not found" textFail "IAM Master and IAM Manager roles not found"
fi fi
} }

4
checks/check119
View File

@@ -6,6 +6,6 @@ CHECK_ALTERNATE_check119="check119"
check119(){ check119(){
# "Maintain current contact details (Scored)" # "Maintain current contact details (Scored)"
# No command available # No command available
textNotice "No command available for check 1.19 " textInfo "No command available for check 1.19 "
textNotice "See section 1.19 on the CIS Benchmark guide for details " textInfo "See section 1.19 on the CIS Benchmark guide for details "
} }

4
checks/check12
View File

@@ -13,9 +13,9 @@ check12(){
done) done)
if [[ $COMMAND12 ]]; then if [[ $COMMAND12 ]]; then
for u in $COMMAND12; do for u in $COMMAND12; do
textWarn "User $u has Password enabled but MFA disabled" textFail "User $u has Password enabled but MFA disabled"
done done
else else
textOK "No users found with Password enabled and MFA disabled" textPass "No users found with Password enabled and MFA disabled"
fi fi
} }

4
checks/check120
View File

@@ -6,6 +6,6 @@ CHECK_ALTERNATE_check120="check120"
check120(){ check120(){
# "Ensure security contact information is registered (Scored)" # "Ensure security contact information is registered (Scored)"
# No command available # No command available
textNotice "No command available for check 1.20 " textInfo "No command available for check 1.20 "
textNotice "See section 1.20 on the CIS Benchmark guide for details " textInfo "See section 1.20 on the CIS Benchmark guide for details "
} }

4
checks/check121
View File

@@ -5,6 +5,6 @@ CHECK_ALTERNATE_check121="check121"
check121(){ check121(){
# "Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)" # "Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
textNotice "No command available for check 1.21 " textInfo "No command available for check 1.21 "
textNotice "See section 1.21 on the CIS Benchmark guide for details " textInfo "See section 1.21 on the CIS Benchmark guide for details "
} }

10
checks/check122
View File

@@ -10,16 +10,16 @@ check122(){
for policyarn in $SUPPORTPOLICYARN;do for policyarn in $SUPPORTPOLICYARN;do
POLICYUSERS=$($AWSCLI iam list-entities-for-policy --policy-arn $SUPPORTPOLICYARN $PROFILE_OPT --region $REGION --output json) POLICYUSERS=$($AWSCLI iam list-entities-for-policy --policy-arn $SUPPORTPOLICYARN $PROFILE_OPT --region $REGION --output json)
if [[ $POLICYUSERS ]];then if [[ $POLICYUSERS ]];then
textOK "Support Policy attached to $policyarn" textPass "Support Policy attached to $policyarn"
for user in $(echo "$POLICYUSERS" | grep UserName | cut -d'"' -f4) ; do for user in $(echo "$POLICYUSERS" | grep UserName | cut -d'"' -f4) ; do
textNotice "User $user has support access via $policyarn" textInfo "User $user has support access via $policyarn"
done done
# textNotice "Make sure your team can create a Support case with AWS " # textInfo "Make sure your team can create a Support case with AWS "
else else
textWarn "Support Policy not applied to any Group / User / Role " textFail "Support Policy not applied to any Group / User / Role "
fi fi
done done
else else
textWarn "No Support Policy found" textFail "No Support Policy found"
fi fi
} }

8
checks/check123
View File

@@ -11,19 +11,19 @@ check123(){
LIST_USERS_KEY1_ACTIVE=$(for user in $LIST_USERS_KEY1_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$9 }'|grep "true$"|awk '{ print $1 }'|sed 's/[[:blank:]]+/,/g' ; done) LIST_USERS_KEY1_ACTIVE=$(for user in $LIST_USERS_KEY1_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$9 }'|grep "true$"|awk '{ print $1 }'|sed 's/[[:blank:]]+/,/g' ; done)
if [[ $LIST_USERS_KEY1_ACTIVE ]]; then if [[ $LIST_USERS_KEY1_ACTIVE ]]; then
for user in $LIST_USERS_KEY1_ACTIVE; do for user in $LIST_USERS_KEY1_ACTIVE; do
textNotice "$user has never used Access Key 1" textInfo "$user has never used Access Key 1"
done done
else else
textOK "No users found with Access Key 1 never used" textPass "No users found with Access Key 1 never used"
fi fi
# List of USERS with KEY2 last_used_date as N/A # List of USERS with KEY2 last_used_date as N/A
LIST_USERS_KEY2_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$16 }'|grep N/A |awk '{ print $1 }' ; done) LIST_USERS_KEY2_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$16 }'|grep N/A |awk '{ print $1 }' ; done)
LIST_USERS_KEY2_ACTIVE=$(for user in $LIST_USERS_KEY2_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$14 }'|grep "true$" |awk '{ print $1 }' ; done) LIST_USERS_KEY2_ACTIVE=$(for user in $LIST_USERS_KEY2_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$14 }'|grep "true$" |awk '{ print $1 }' ; done)
if [[ $LIST_USERS_KEY2_ACTIVE ]]; then if [[ $LIST_USERS_KEY2_ACTIVE ]]; then
for user in $LIST_USERS_KEY2_ACTIVE; do for user in $LIST_USERS_KEY2_ACTIVE; do
textNotice "$user has never used Access Key 2" textInfo "$user has never used Access Key 2"
done done
else else
textOK "No users found with Access Key 2 never used" textPass "No users found with Access Key 2 never used"
fi fi
} }

10
checks/check124
View File

@@ -7,7 +7,7 @@ check124(){
# "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)" # "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION|grep 'arn:aws:iam::[0-9]\{12\}:'|awk '{ print $2 }') LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION|grep 'arn:aws:iam::[0-9]\{12\}:'|awk '{ print $2 }')
if [[ $LIST_CUSTOM_POLICIES ]]; then if [[ $LIST_CUSTOM_POLICIES ]]; then
textNotice "Looking for custom policies: (skipping default policies - it may take few seconds...)" textInfo "Looking for custom policies: (skipping default policies - it may take few seconds...)"
for policy in $LIST_CUSTOM_POLICIES; do for policy in $LIST_CUSTOM_POLICIES; do
POLICY_VERSION=$($AWSCLI iam list-policies $PROFILE_OPT --region $REGION --query 'Policies[*].[Arn,DefaultVersionId]' --output text |awk "\$1 == \"$policy\" { print \$2 }") POLICY_VERSION=$($AWSCLI iam list-policies $PROFILE_OPT --region $REGION --query 'Policies[*].[Arn,DefaultVersionId]' --output text |awk "\$1 == \"$policy\" { print \$2 }")
POLICY_WITH_FULL=$($AWSCLI iam get-policy-version --output text --policy-arn $policy --version-id $POLICY_VERSION --query "PolicyVersion.Document.Statement[?Effect == 'Allow' && contains(Resource, '*') && contains (Action, '*')]" $PROFILE_OPT --region $REGION) POLICY_WITH_FULL=$($AWSCLI iam get-policy-version --output text --policy-arn $policy --version-id $POLICY_VERSION --query "PolicyVersion.Document.Statement[?Effect == 'Allow' && contains(Resource, '*') && contains (Action, '*')]" $PROFILE_OPT --region $REGION)
@@ -16,14 +16,14 @@ check124(){
fi fi
done done
if [[ $POLICIES_ALLOW_LIST ]]; then if [[ $POLICIES_ALLOW_LIST ]]; then
textNotice "List of custom policies: " textInfo "List of custom policies: "
for policy in $POLICIES_ALLOW_LIST; do for policy in $POLICIES_ALLOW_LIST; do
textNotice "Policy $policy allows \"*:*\"" textInfo "Policy $policy allows \"*:*\""
done done
else else
textOK "No custom policy found that allow full \"*:*\" administrative privileges" textPass "No custom policy found that allow full \"*:*\" administrative privileges"
fi fi
else else
textOK "No custom policies found" textPass "No custom policies found"
fi fi
} }

6
checks/check13
View File

@@ -19,13 +19,13 @@ check13(){
DATEUSED=$($AWSCLI iam list-users --query "Users[?UserName=='$i'].PasswordLastUsed" --output text $PROFILE_OPT --region $REGION | cut -d'T' -f1) DATEUSED=$($AWSCLI iam list-users --query "Users[?UserName=='$i'].PasswordLastUsed" --output text $PROFILE_OPT --region $REGION | cut -d'T' -f1)
HOWOLDER=$(how_older_from_today $DATEUSED) HOWOLDER=$(how_older_from_today $DATEUSED)
if [ $HOWOLDER -gt "90" ];then if [ $HOWOLDER -gt "90" ];then
textWarn "User \"$i\" has not logged in during the last 90 days " textFail "User \"$i\" has not logged in during the last 90 days "
else else
textOK "User \"$i\" found with credentials used in the last 90 days" textPass "User \"$i\" found with credentials used in the last 90 days"
fi fi
done done
fi fi
else else
textOK "No users found with password enabled" textPass "No users found with password enabled"
fi fi
} }

16
checks/check14
View File

@@ -10,39 +10,39 @@ check14(){
C14_NUM_USERS1=0 C14_NUM_USERS1=0
C14_NUM_USERS2=0 C14_NUM_USERS2=0
if [[ $LIST_OF_USERS_WITH_ACCESS_KEY1 ]]; then if [[ $LIST_OF_USERS_WITH_ACCESS_KEY1 ]]; then
# textWarn "Users with access key 1 older than 90 days:" # textFail "Users with access key 1 older than 90 days:"
for user in $LIST_OF_USERS_WITH_ACCESS_KEY1; do for user in $LIST_OF_USERS_WITH_ACCESS_KEY1; do
# check access key 1 # check access key 1
DATEROTATED1=$(cat $TEMP_REPORT_FILE | grep -v user_creation_time | grep "^${user},"| awk -F, '{ print $10 }' | grep -v "N/A" | awk -F"T" '{ print $1 }') DATEROTATED1=$(cat $TEMP_REPORT_FILE | grep -v user_creation_time | grep "^${user},"| awk -F, '{ print $10 }' | grep -v "N/A" | awk -F"T" '{ print $1 }')
HOWOLDER=$(how_older_from_today $DATEROTATED1) HOWOLDER=$(how_older_from_today $DATEROTATED1)
if [ $HOWOLDER -gt "90" ];then if [ $HOWOLDER -gt "90" ];then
textWarn " $user has not rotated access key1 in over 90 days " textFail " $user has not rotated access key1 in over 90 days "
C14_NUM_USERS1=$(expr $C14_NUM_USERS1 + 1) C14_NUM_USERS1=$(expr $C14_NUM_USERS1 + 1)
fi fi
done done
if [[ $C14_NUM_USERS1 -eq 0 ]]; then if [[ $C14_NUM_USERS1 -eq 0 ]]; then
textOK "No users with access key 1 older than 90 days." textPass "No users with access key 1 older than 90 days."
fi fi
else else
textOK "No users with access key 1." textPass "No users with access key 1."
fi fi
if [[ $LIST_OF_USERS_WITH_ACCESS_KEY2 ]]; then if [[ $LIST_OF_USERS_WITH_ACCESS_KEY2 ]]; then
# textWarn "Users with access key 2 older than 90 days:" # textFail "Users with access key 2 older than 90 days:"
for user in $LIST_OF_USERS_WITH_ACCESS_KEY2; do for user in $LIST_OF_USERS_WITH_ACCESS_KEY2; do
# check access key 2 # check access key 2
DATEROTATED2=$(cat $TEMP_REPORT_FILE | grep -v user_creation_time | grep "^${user},"| awk -F, '{ print $10 }' | grep -v "N/A" | awk -F"T" '{ print $1 }') DATEROTATED2=$(cat $TEMP_REPORT_FILE | grep -v user_creation_time | grep "^${user},"| awk -F, '{ print $10 }' | grep -v "N/A" | awk -F"T" '{ print $1 }')
HOWOLDER=$(how_older_from_today $DATEROTATED2) HOWOLDER=$(how_older_from_today $DATEROTATED2)
if [ $HOWOLDER -gt "90" ];then if [ $HOWOLDER -gt "90" ];then
textWarn " $user has not rotated access key2. " textFail " $user has not rotated access key2. "
C14_NUM_USERS2=$(expr $C14_NUM_USERS2 + 1) C14_NUM_USERS2=$(expr $C14_NUM_USERS2 + 1)
fi fi
done done
if [[ $C14_NUM_USERS2 -eq 0 ]]; then if [[ $C14_NUM_USERS2 -eq 0 ]]; then
textOK "No users with access key 2 older than 90 days." textPass "No users with access key 2 older than 90 days."
fi fi
else else
textOK "No users with access key 2." textPass "No users with access key 2."
fi fi
} }

4
checks/check15
View File

@@ -7,8 +7,8 @@ check15(){
# "Ensure IAM password policy requires at least one uppercase letter (Scored)" # "Ensure IAM password policy requires at least one uppercase letter (Scored)"
COMMAND15=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireUppercaseCharacters' 2> /dev/null) # must be true COMMAND15=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireUppercaseCharacters' 2> /dev/null) # must be true
if [[ "$COMMAND15" == "true" ]];then if [[ "$COMMAND15" == "true" ]];then
textOK "Password Policy requires upper case" textPass "Password Policy requires upper case"
else else
textWarn "Password Policy missing upper-case requirement" textFail "Password Policy missing upper-case requirement"
fi fi
} }

4
checks/check16
View File

@@ -7,8 +7,8 @@ check16(){
# "Ensure IAM password policy require at least one lowercase letter (Scored)" # "Ensure IAM password policy require at least one lowercase letter (Scored)"
COMMAND16=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireLowercaseCharacters' 2> /dev/null) # must be true COMMAND16=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireLowercaseCharacters' 2> /dev/null) # must be true
if [[ "$COMMAND16" == "true" ]];then if [[ "$COMMAND16" == "true" ]];then
textOK "Password Policy requires lower case" textPass "Password Policy requires lower case"
else else
textWarn "Password Policy missing lower-case requirement" textFail "Password Policy missing lower-case requirement"
fi fi
} }

4
checks/check17
View File

@@ -7,8 +7,8 @@ check17(){
# "Ensure IAM password policy require at least one symbol (Scored)" # "Ensure IAM password policy require at least one symbol (Scored)"
COMMAND17=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireSymbols' 2> /dev/null) # must be true COMMAND17=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireSymbols' 2> /dev/null) # must be true
if [[ "$COMMAND17" == "true" ]];then if [[ "$COMMAND17" == "true" ]];then
textOK "Password Policy requires symbol" textPass "Password Policy requires symbol"
else else
textWarn "Password Policy missing symbol requirement" textFail "Password Policy missing symbol requirement"
fi fi
} }

4
checks/check18
View File

@@ -7,8 +7,8 @@ check18(){
# "Ensure IAM password policy require at least one number (Scored)" # "Ensure IAM password policy require at least one number (Scored)"
COMMAND18=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireNumbers' 2> /dev/null) # must be true COMMAND18=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireNumbers' 2> /dev/null) # must be true
if [[ "$COMMAND18" == "true" ]];then if [[ "$COMMAND18" == "true" ]];then
textOK "Password Policy requires number" textPass "Password Policy requires number"
else else
textWarn "Password Policy missing number requirement" textFail "Password Policy missing number requirement"
fi fi
} }

4
checks/check19
View File

@@ -7,8 +7,8 @@ check19(){
# "Ensure IAM password policy requires minimum length of 14 or greater (Scored)" # "Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
COMMAND19=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.MinimumPasswordLength' 2> /dev/null) COMMAND19=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.MinimumPasswordLength' 2> /dev/null)
if [[ $COMMAND19 -gt "13" ]];then if [[ $COMMAND19 -gt "13" ]];then
textOK "Password Policy requires more than 13 characters" textPass "Password Policy requires more than 13 characters"
else else
textWarn "Password Policy missing or weak length requirement" textFail "Password Policy missing or weak length requirement"
fi fi
} }

6
checks/check21
View File

@@ -10,12 +10,12 @@ check21(){
for trail in $LIST_OF_TRAILS;do for trail in $LIST_OF_TRAILS;do
MULTIREGION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].IsMultiRegionTrail' --output text --trail-name-list $trail) MULTIREGION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].IsMultiRegionTrail' --output text --trail-name-list $trail)
if [[ "$MULTIREGION_TRAIL_STATUS" == 'False' ]];then if [[ "$MULTIREGION_TRAIL_STATUS" == 'False' ]];then
textWarn "$trail trail in $REGION is not enabled in multi region mode" textFail "$trail trail in $REGION is not enabled in multi region mode"
else else
textOK "$trail trail in $REGION is enabled for all regions" textPass "$trail trail in $REGION is enabled for all regions"
fi fi
done done
else else
textWarn "No CloudTrail trails found!" textFail "No CloudTrail trails found!"
fi fi
} }

6
checks/check22
View File

@@ -10,12 +10,12 @@ check22(){
for trail in $LIST_OF_TRAILS;do for trail in $LIST_OF_TRAILS;do
LOGFILEVALIDATION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].LogFileValidationEnabled' --output text --trail-name-list $trail) LOGFILEVALIDATION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].LogFileValidationEnabled' --output text --trail-name-list $trail)
if [[ "$LOGFILEVALIDATION_TRAIL_STATUS" == 'False' ]];then if [[ "$LOGFILEVALIDATION_TRAIL_STATUS" == 'False' ]];then
textWarn "$trail trail in $REGION has not log file validation enabled" textFail "$trail trail in $REGION has not log file validation enabled"
else else
textOK "$trail trail in $REGION has log file validation enabled" textPass "$trail trail in $REGION has log file validation enabled"
fi fi
done done
else else
textWarn "No CloudTrail trails found!" textFail "No CloudTrail trails found!"
fi fi
} }

6
checks/check23
View File

@@ -10,12 +10,12 @@ check23(){
for bucket in $CLOUDTRAILBUCKET;do for bucket in $CLOUDTRAILBUCKET;do
CLOUDTRAILBUCKET_HASALLPERMISIONS=$($AWSCLI s3api get-bucket-acl --bucket $bucket --query 'Grants[?Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`]' $PROFILE_OPT --region $REGION --output text) CLOUDTRAILBUCKET_HASALLPERMISIONS=$($AWSCLI s3api get-bucket-acl --bucket $bucket --query 'Grants[?Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`]' $PROFILE_OPT --region $REGION --output text)
if [[ $CLOUDTRAILBUCKET_HASALLPERMISIONS ]];then if [[ $CLOUDTRAILBUCKET_HASALLPERMISIONS ]];then
textWarn "check your $bucket CloudTrail bucket ACL and Policy!" textFail "check your $bucket CloudTrail bucket ACL and Policy!"
else else
textOK "Bucket $bucket is set correctly" textPass "Bucket $bucket is set correctly"
fi fi
done done
else else
textWarn "No CloudTrail bucket found!" textFail "No CloudTrail bucket found!"
fi fi
} }

8
checks/check24
View File

@@ -12,18 +12,18 @@ check24(){
TRAIL_REGION=$(echo $reg_trail | cut -d',' -f1) TRAIL_REGION=$(echo $reg_trail | cut -d',' -f1)
LATESTDELIVERY_TIMESTAMP=$($AWSCLI cloudtrail get-trail-status --name $trail $PROFILE_OPT --region $TRAIL_REGION --query 'LatestCloudWatchLogsDeliveryTime' --output text|grep -v None) LATESTDELIVERY_TIMESTAMP=$($AWSCLI cloudtrail get-trail-status --name $trail $PROFILE_OPT --region $TRAIL_REGION --query 'LatestCloudWatchLogsDeliveryTime' --output text|grep -v None)
if [[ ! $LATESTDELIVERY_TIMESTAMP ]];then if [[ ! $LATESTDELIVERY_TIMESTAMP ]];then
textWarn "$trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)" textFail "$trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)"
else else
LATESTDELIVERY_DATE=$(timestamp_to_date $LATESTDELIVERY_TIMESTAMP) LATESTDELIVERY_DATE=$(timestamp_to_date $LATESTDELIVERY_TIMESTAMP)
HOWOLDER=$(how_older_from_today $LATESTDELIVERY_DATE) HOWOLDER=$(how_older_from_today $LATESTDELIVERY_DATE)
if [ $HOWOLDER -gt "1" ];then if [ $HOWOLDER -gt "1" ];then
textWarn "$trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)" textFail "$trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)"
else else
textOK "$trail trail has been logging during the last 24h (it is in $TRAIL_REGION)" textPass "$trail trail has been logging during the last 24h (it is in $TRAIL_REGION)"
fi fi
fi fi
done done
else else
textWarn "No CloudTrail trails found!" textFail "No CloudTrail trails found!"
fi fi
} }

4
checks/check25
View File

@@ -8,9 +8,9 @@ check25(){
for regx in $REGIONS; do for regx in $REGIONS; do
CHECK_AWSCONFIG_STATUS=$($AWSCLI configservice get-status $PROFILE_OPT --region $regx --output json| grep "recorder: ON") CHECK_AWSCONFIG_STATUS=$($AWSCLI configservice get-status $PROFILE_OPT --region $regx --output json| grep "recorder: ON")
if [[ $CHECK_AWSCONFIG_STATUS ]];then if [[ $CHECK_AWSCONFIG_STATUS ]];then
textOK "Region $regx has AWS Config recorder: ON" "$regx" textPass "Region $regx has AWS Config recorder: ON" "$regx"
else else
textWarn "Region $regx has AWS Config disabled or not configured" "$regx" textFail "Region $regx has AWS Config disabled or not configured" "$regx"
fi fi
done done
} }

6
checks/check26
View File

@@ -10,12 +10,12 @@ check26(){
for bucket in $CLOUDTRAILBUCKET;do for bucket in $CLOUDTRAILBUCKET;do
CLOUDTRAILBUCKET_LOGENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket $PROFILE_OPT --region $REGION --query 'LoggingEnabled.TargetBucket' --output text|grep -v None) CLOUDTRAILBUCKET_LOGENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket $PROFILE_OPT --region $REGION --query 'LoggingEnabled.TargetBucket' --output text|grep -v None)
if [[ $CLOUDTRAILBUCKET_LOGENABLED ]];then if [[ $CLOUDTRAILBUCKET_LOGENABLED ]];then
textOK "Bucket access logging enabled in $bucket" textPass "Bucket access logging enabled in $bucket"
else else
textWarn "access logging is not enabled in $bucket CloudTrail S3 bucket!" textFail "access logging is not enabled in $bucket CloudTrail S3 bucket!"
fi fi
done done
else else
textWarn "CloudTrail bucket not found!" textFail "CloudTrail bucket not found!"
fi fi
} }

6
checks/check27
View File

@@ -10,12 +10,12 @@ check27(){
for trail in $CLOUDTRAILNAME;do for trail in $CLOUDTRAILNAME;do
CLOUDTRAILENC_ENABLED=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --trail $trail --query 'trailList[*].KmsKeyId' --output text) CLOUDTRAILENC_ENABLED=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --trail $trail --query 'trailList[*].KmsKeyId' --output text)
if [[ $CLOUDTRAILENC_ENABLED ]];then if [[ $CLOUDTRAILENC_ENABLED ]];then
textOK "KMS key found for $trail" textPass "KMS key found for $trail"
else else
textWarn "encryption is not enabled in your CloudTrail trail $trail (KMS key not found)!" textFail "encryption is not enabled in your CloudTrail trail $trail (KMS key not found)!"
fi fi
done done
else else
textWarn "CloudTrail bucket doesn't exist!" textFail "CloudTrail bucket doesn't exist!"
fi fi
} }

8
checks/check28
View File

@@ -12,19 +12,19 @@ check28(){
for key in $CHECK_KMS_KEYLIST_NO_DEFAULT; do for key in $CHECK_KMS_KEYLIST_NO_DEFAULT; do
CHECK_KMS_KEY_TYPE=$($AWSCLI kms describe-key --key-id $key $PROFILE_OPT --region $regx --query 'KeyMetadata.Origin' | sed 's/["]//g') CHECK_KMS_KEY_TYPE=$($AWSCLI kms describe-key --key-id $key $PROFILE_OPT --region $regx --query 'KeyMetadata.Origin' | sed 's/["]//g')
if [[ "$CHECK_KMS_KEY_TYPE" == "EXTERNAL" ]];then if [[ "$CHECK_KMS_KEY_TYPE" == "EXTERNAL" ]];then
textOK "Key $key in Region $regx Customer Uploaded Key Material." "$regx" textPass "Key $key in Region $regx Customer Uploaded Key Material." "$regx"
else else
CHECK_KMS_KEY_ROTATION=$($AWSCLI kms get-key-rotation-status --key-id $key $PROFILE_OPT --region $regx --output text) CHECK_KMS_KEY_ROTATION=$($AWSCLI kms get-key-rotation-status --key-id $key $PROFILE_OPT --region $regx --output text)
if [[ "$CHECK_KMS_KEY_ROTATION" == "True" ]];then if [[ "$CHECK_KMS_KEY_ROTATION" == "True" ]];then
textOK "Key $key in Region $regx is set correctly" textPass "Key $key in Region $regx is set correctly"
else else
textWarn "Key $key in Region $regx is not set to rotate!!!" "$regx" textFail "Key $key in Region $regx is not set to rotate!!!" "$regx"
fi fi
fi fi
done done
else else
textNotice "Region $regx doesn't have encryption keys" "$regx" textInfo "Region $regx doesn't have encryption keys" "$regx"
fi fi
done done
} }

8
checks/check31
View File

@@ -32,7 +32,7 @@ check31(){
for group in $CHECK31OK; do for group in $CHECK31OK; do
metric=${group#*:} metric=${group#*:}
group=${group%:*} group=${group%:*}
textOK "CloudWatch group $group found with metric filter $metric and alarms set for Unauthorized Operation and Access Denied" textPass "CloudWatch group $group found with metric filter $metric and alarms set for Unauthorized Operation and Access Denied"
done done
fi fi
if [[ $CHECK31WARN ]]; then if [[ $CHECK31WARN ]]; then
@@ -40,13 +40,13 @@ check31(){
case $group in case $group in
*:*) metric=${group#*:} *:*) metric=${group#*:}
group=${group%:*} group=${group%:*}
textWarn "CloudWatch group $group found with metric filter $metric but no alarms associated" textFail "CloudWatch group $group found with metric filter $metric but no alarms associated"
;; ;;
*) textWarn "CloudWatch group $group found but no metric filters or alarms associated" *) textFail "CloudWatch group $group found but no metric filters or alarms associated"
esac esac
done done
fi fi
else else
textWarn "No CloudWatch group found for CloudTrail events" textFail "No CloudWatch group found for CloudTrail events"
fi fi
} }

8
checks/check310
View File

@@ -14,15 +14,15 @@ check310(){
if [[ $METRICFILTER_SET ]];then if [[ $METRICFILTER_SET ]];then
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /SecurityGroup/;') HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /SecurityGroup/;')
if [[ $HAS_ALARM_ASSOCIATED ]];then if [[ $HAS_ALARM_ASSOCIATED ]];then
textOK "CloudWatch group $group found with metric filters and alarms for security group changes" textPass "CloudWatch group $group found with metric filters and alarms for security group changes"
else else
textWarn "CloudWatch group $group found with metric filters but no alarms associated" textFail "CloudWatch group $group found with metric filters but no alarms associated"
fi fi
else else
textWarn "CloudWatch group $group found but no metric filters or alarms associated" textFail "CloudWatch group $group found but no metric filters or alarms associated"
fi fi
done done
else else
textWarn "No CloudWatch group found for CloudTrail events" textFail "No CloudWatch group found for CloudTrail events"
fi fi
} }

8
checks/check311
View File

@@ -14,15 +14,15 @@ check311(){
if [[ $METRICFILTER_SET ]];then if [[ $METRICFILTER_SET ]];then
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /NetworkAcl/;') HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /NetworkAcl/;')
if [[ $HAS_ALARM_ASSOCIATED ]];then if [[ $HAS_ALARM_ASSOCIATED ]];then
textOK "CloudWatch group $group found with metric filters and alarms for changes to NACLs" textPass "CloudWatch group $group found with metric filters and alarms for changes to NACLs"
else else
textWarn "CloudWatch group $group found with metric filters but no alarms associated" textFail "CloudWatch group $group found with metric filters but no alarms associated"
fi fi
else else
textWarn "CloudWatch group $group found but no metric filters or alarms associated" textFail "CloudWatch group $group found but no metric filters or alarms associated"
fi fi
done done
else else
textWarn "No CloudWatch group found for CloudTrail events" textFail "No CloudWatch group found for CloudTrail events"
fi fi
} }

8
checks/check312
View File

@@ -14,15 +14,15 @@ check312(){
if [[ $METRICFILTER_SET ]];then if [[ $METRICFILTER_SET ]];then
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /InternetGateway/ || /CustomerGateway/;') HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /InternetGateway/ || /CustomerGateway/;')
if [[ $HAS_ALARM_ASSOCIATED ]];then if [[ $HAS_ALARM_ASSOCIATED ]];then
textOK "CloudWatch group $group found with metric filters and alarms for changes to network gateways" textPass "CloudWatch group $group found with metric filters and alarms for changes to network gateways"
else else
textWarn "CloudWatch group $group found with metric filters but no alarms associated" textFail "CloudWatch group $group found with metric filters but no alarms associated"
fi fi
else else
textWarn "CloudWatch group $group found but no metric filters or alarms associated" textFail "CloudWatch group $group found but no metric filters or alarms associated"
fi fi
done done
else else
textWarn "No CloudWatch group found for CloudTrail events" textFail "No CloudWatch group found for CloudTrail events"
fi fi
} }

8
checks/check313
View File

@@ -14,15 +14,15 @@ check313(){
if [[ $METRICFILTER_SET ]];then if [[ $METRICFILTER_SET ]];then
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /Route/;') HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /Route/;')
if [[ $HAS_ALARM_ASSOCIATED ]];then if [[ $HAS_ALARM_ASSOCIATED ]];then
textOK "CloudWatch group $group found with metric filters and alarms for route table changes" textPass "CloudWatch group $group found with metric filters and alarms for route table changes"
else else
textWarn "CloudWatch group $group found with metric filters but no alarms associated" textFail "CloudWatch group $group found with metric filters but no alarms associated"
fi fi
else else
textWarn "CloudWatch group $group found but no metric filters or alarms associated" textFail "CloudWatch group $group found but no metric filters or alarms associated"
fi fi
done done
else else
textWarn "No CloudWatch group found for CloudTrail events" textFail "No CloudWatch group found for CloudTrail events"
fi fi
} }

8
checks/check314
View File

@@ -14,15 +14,15 @@ check314(){
if [[ $METRICFILTER_SET ]];then if [[ $METRICFILTER_SET ]];then
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /VPC/;') HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /VPC/;')
if [[ $HAS_ALARM_ASSOCIATED ]];then if [[ $HAS_ALARM_ASSOCIATED ]];then
textOK "CloudWatch group $group found with metric filters and alarms for VPC changes" textPass "CloudWatch group $group found with metric filters and alarms for VPC changes"
else else
textWarn "CloudWatch group $group found with metric filters but no alarms associated" textFail "CloudWatch group $group found with metric filters but no alarms associated"
fi fi
else else
textWarn "CloudWatch group $group found but no metric filters or alarms associated" textFail "CloudWatch group $group found but no metric filters or alarms associated"
fi fi
done done
else else
textWarn "No CloudWatch group found for CloudTrail events" textFail "No CloudWatch group found for CloudTrail events"
fi fi
} }

12
checks/check315
View File

@@ -10,7 +10,7 @@ check315(){
TOPICS_LIST=$($AWSCLI sns list-topics $PROFILE_OPT --region $regx --output text --query 'Topics[*].TopicArn') TOPICS_LIST=$($AWSCLI sns list-topics $PROFILE_OPT --region $regx --output text --query 'Topics[*].TopicArn')
ntopics=$(echo $TOPICS_LIST | wc -w ) ntopics=$(echo $TOPICS_LIST | wc -w )
if [[ $TOPICS_LIST && $CAN_SNS_LIST_SUBS -eq 1 ]];then if [[ $TOPICS_LIST && $CAN_SNS_LIST_SUBS -eq 1 ]];then
textNotice "Region $regx has $ntopics topics" "$regx" textInfo "Region $regx has $ntopics topics" "$regx"
for topic in $TOPICS_LIST; do for topic in $TOPICS_LIST; do
TOPIC_SHORT=$(echo $topic | awk -F: '{ print $6 }') TOPIC_SHORT=$(echo $topic | awk -F: '{ print $6 }')
CHECK_TOPIC_LIST=$($AWSCLI sns list-subscriptions-by-topic --topic-arn $topic $PROFILE_OPT --region $regx --query 'Subscriptions[*].{Endpoint:Endpoint,Protocol:Protocol}' --output text --max-items $MAXITEMS 2> /dev/null) CHECK_TOPIC_LIST=$($AWSCLI sns list-subscriptions-by-topic --topic-arn $topic $PROFILE_OPT --region $regx --query 'Subscriptions[*].{Endpoint:Endpoint,Protocol:Protocol}' --output text --max-items $MAXITEMS 2> /dev/null)
@@ -18,23 +18,23 @@ check315(){
# Permission error # Permission error
export CAN_SNS_LIST_SUBS=0 export CAN_SNS_LIST_SUBS=0
ntopics=$(echo $TOPICS_LIST | wc -w ) ntopics=$(echo $TOPICS_LIST | wc -w )
textNotice "Region $regx / $ntopics Topics / Subscriptions NO_PERMISSION" "$regx" textInfo "Region $regx / $ntopics Topics / Subscriptions NO_PERMISSION" "$regx"
break; break;
fi fi
if [[ "Z" != "Z${CHECK_TOPIC_LIST}" ]]; then if [[ "Z" != "Z${CHECK_TOPIC_LIST}" ]]; then
printf '%s printf '%s
' "$CHECK_TOPIC_LIST" | while IFS= read -r dest ; do ' "$CHECK_TOPIC_LIST" | while IFS= read -r dest ; do
textNotice "Region $regx / Topic $TOPIC_SHORT / Subscription $dest" "$regx" textInfo "Region $regx / Topic $TOPIC_SHORT / Subscription $dest" "$regx"
done done
else else
textWarn "Region $regx / Topic $TOPIC_SHORT / Subscription NONE" "$regx" textFail "Region $regx / Topic $TOPIC_SHORT / Subscription NONE" "$regx"
fi fi
done done
elif [[ $CAN_SNS_LIST_SUBS -eq 0 ]]; then elif [[ $CAN_SNS_LIST_SUBS -eq 0 ]]; then
textNotice "Region $regx has $ntopics topics - unable to list subscribers" "$regx" textInfo "Region $regx has $ntopics topics - unable to list subscribers" "$regx"
# break # break
else else
textOK "Region $regx has 0 topics" "$regx" textPass "Region $regx has 0 topics" "$regx"
fi fi
done done
} }

8
checks/check32
View File

@@ -14,15 +14,15 @@ check32(){
if [[ $METRICFILTER_SET ]];then if [[ $METRICFILTER_SET ]];then
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /ConsoleLogin/ || /MFAUsed/;') HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /ConsoleLogin/ || /MFAUsed/;')
if [[ $HAS_ALARM_ASSOCIATED ]];then if [[ $HAS_ALARM_ASSOCIATED ]];then
textOK "CloudWatch group $group found with metric filters and alarms set for sign-in Console without MFA enabled" textPass "CloudWatch group $group found with metric filters and alarms set for sign-in Console without MFA enabled"
else else
textWarn "CloudWatch group $group found with metric filters but no alarms associated" textFail "CloudWatch group $group found with metric filters but no alarms associated"
fi fi
else else
textWarn "CloudWatch group $group found but no metric filters or alarms associated" textFail "CloudWatch group $group found but no metric filters or alarms associated"
fi fi
done done
else else
textWarn "No CloudWatch group found for CloudTrail events" textFail "No CloudWatch group found for CloudTrail events"
fi fi
} }

8
checks/check33
View File

@@ -14,15 +14,15 @@ check33(){
if [[ $METRICFILTER_SET ]];then if [[ $METRICFILTER_SET ]];then
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | tr '[:upper:]' '[:lower:]'| grep -Ei 'userIdentity|Root|AwsServiceEvent') HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | tr '[:upper:]' '[:lower:]'| grep -Ei 'userIdentity|Root|AwsServiceEvent')
if [[ $HAS_ALARM_ASSOCIATED ]];then if [[ $HAS_ALARM_ASSOCIATED ]];then
textOK "CloudWatch group $group found with metric filters and alarms set for usage of root account" textPass "CloudWatch group $group found with metric filters and alarms set for usage of root account"
else else
textWarn "CloudWatch group $group found with metric filters but no alarms associated" textFail "CloudWatch group $group found with metric filters but no alarms associated"
fi fi
else else
textWarn "CloudWatch group $group found but no metric filters or alarms associated" textFail "CloudWatch group $group found but no metric filters or alarms associated"
fi fi
done done
else else
textWarn "No CloudWatch group found for CloudTrail events" textFail "No CloudWatch group found for CloudTrail events"
fi fi
} }

8
checks/check34
View File

@@ -14,15 +14,15 @@ check34(){
if [[ $METRICFILTER_SET ]];then if [[ $METRICFILTER_SET ]];then
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /DeletePolicy/ || /DeletePolicies/ || /Policies/ || /Policy/;') HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /DeletePolicy/ || /DeletePolicies/ || /Policies/ || /Policy/;')
if [[ $HAS_ALARM_ASSOCIATED ]];then if [[ $HAS_ALARM_ASSOCIATED ]];then
textOK "CloudWatch group $group found with metric filters and alarms for IAM policy changes" textPass "CloudWatch group $group found with metric filters and alarms for IAM policy changes"
else else
textWarn "CloudWatch group $group found with metric filters but no alarms associated" textFail "CloudWatch group $group found with metric filters but no alarms associated"
fi fi
else else
textWarn "CloudWatch group $group found but no metric filters or alarms associated" textFail "CloudWatch group $group found but no metric filters or alarms associated"
fi fi
done done
else else
textWarn "No CloudWatch group found for CloudTrail events" textFail "No CloudWatch group found for CloudTrail events"
fi fi
} }

8
checks/check35
View File

@@ -14,15 +14,15 @@ check35(){
if [[ $METRICFILTER_SET ]];then if [[ $METRICFILTER_SET ]];then
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /TrailChange/ || /Trails/ || /CreateTrail/ || /UpdateTrail/ || /DeleteTrail/ || /StartLogging/ || /StopLogging/;') HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /TrailChange/ || /Trails/ || /CreateTrail/ || /UpdateTrail/ || /DeleteTrail/ || /StartLogging/ || /StopLogging/;')
if [[ $HAS_ALARM_ASSOCIATED ]];then if [[ $HAS_ALARM_ASSOCIATED ]];then
textOK "CloudWatch group $group found with metric filters and alarms for CloudTrail configuration changes" textPass "CloudWatch group $group found with metric filters and alarms for CloudTrail configuration changes"
else else
textWarn "CloudWatch group $group found with metric filters but no alarms associated" textFail "CloudWatch group $group found with metric filters but no alarms associated"
fi fi
else else
textWarn "CloudWatch group $group found but no metric filters or alarms associated" textFail "CloudWatch group $group found but no metric filters or alarms associated"
fi fi
done done
else else
textWarn "No CloudWatch group found for CloudTrail events" textFail "No CloudWatch group found for CloudTrail events"
fi fi
} }

8
checks/check36
View File

@@ -14,15 +14,15 @@ check36(){
if [[ $METRICFILTER_SET ]];then if [[ $METRICFILTER_SET ]];then
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /FailedLogin/ || /ConsoleLogin/ || /Failed/;') HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /FailedLogin/ || /ConsoleLogin/ || /Failed/;')
if [[ $HAS_ALARM_ASSOCIATED ]];then if [[ $HAS_ALARM_ASSOCIATED ]];then
textOK "CloudWatch group $group found with metric filters and alarms for AWS Management Console authentication failures" textPass "CloudWatch group $group found with metric filters and alarms for AWS Management Console authentication failures"
else else
textWarn "CloudWatch group $group found with metric filters but no alarms associated" textFail "CloudWatch group $group found with metric filters but no alarms associated"
fi fi
else else
textWarn "CloudWatch group $group found but no metric filters or alarms associated" textFail "CloudWatch group $group found but no metric filters or alarms associated"
fi fi
done done
else else
textWarn "No CloudWatch group found for CloudTrail events" textFail "No CloudWatch group found for CloudTrail events"
fi fi
} }

8
checks/check37
View File

@@ -14,15 +14,15 @@ check37(){
if [[ $METRICFILTER_SET ]];then if [[ $METRICFILTER_SET ]];then
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /DisableKey/ || /ScheduleKeyDeletion/ || /kms/;') HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /DisableKey/ || /ScheduleKeyDeletion/ || /kms/;')
if [[ $HAS_ALARM_ASSOCIATED ]];then if [[ $HAS_ALARM_ASSOCIATED ]];then
textOK "CloudWatch group $group found with metric filters and alarms for changes of customer created CMKs" textPass "CloudWatch group $group found with metric filters and alarms for changes of customer created CMKs"
else else
textWarn "CloudWatch group $group found with metric filters but no alarms associated" textFail "CloudWatch group $group found with metric filters but no alarms associated"
fi fi
else else
textWarn "CloudWatch group $group found but no metric filters or alarms associated" textFail "CloudWatch group $group found but no metric filters or alarms associated"
fi fi
done done
else else
textWarn "No CloudWatch group found for CloudTrail events" textFail "No CloudWatch group found for CloudTrail events"
fi fi
} }

8
checks/check38
View File

@@ -14,15 +14,15 @@ check38(){
if [[ $METRICFILTER_SET ]];then if [[ $METRICFILTER_SET ]];then
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /S3/ || /BucketPolicy/ || /BucketPolicies/;') HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /S3/ || /BucketPolicy/ || /BucketPolicies/;')
if [[ $HAS_ALARM_ASSOCIATED ]];then if [[ $HAS_ALARM_ASSOCIATED ]];then
textOK "CloudWatch group $group found with metric filters and alarms for S3 bucket policy changes" textPass "CloudWatch group $group found with metric filters and alarms for S3 bucket policy changes"
else else
textWarn "CloudWatch group $group found with metric filters but no alarms associated" textFail "CloudWatch group $group found with metric filters but no alarms associated"
fi fi
else else
textWarn "CloudWatch group $group found but no metric filters or alarms associated" textFail "CloudWatch group $group found but no metric filters or alarms associated"
fi fi
done done
else else
textWarn "No CloudWatch group found for CloudTrail events" textFail "No CloudWatch group found for CloudTrail events"
fi fi
} }

8
checks/check39
View File

@@ -14,15 +14,15 @@ check39(){
if [[ $METRICFILTER_SET ]];then if [[ $METRICFILTER_SET ]];then
HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /config/ || /ConfigurationRecorder/ || /DeliveryChannel/;') HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /config/ || /ConfigurationRecorder/ || /DeliveryChannel/;')
if [[ $HAS_ALARM_ASSOCIATED ]];then if [[ $HAS_ALARM_ASSOCIATED ]];then
textOK "CloudWatch group $group found with metric filters and alarms for AWS Config configuration changes" textPass "CloudWatch group $group found with metric filters and alarms for AWS Config configuration changes"
else else
textWarn "CloudWatch group $group found with metric filters but no alarms associated" textFail "CloudWatch group $group found with metric filters but no alarms associated"
fi fi
else else
textWarn "CloudWatch group $group found but no metric filters or alarms associated" textFail "CloudWatch group $group found but no metric filters or alarms associated"
fi fi
done done
else else
textWarn "No CloudWatch group found for CloudTrail events" textFail "No CloudWatch group found for CloudTrail events"
fi fi
} }

4
checks/check41
View File

@@ -9,10 +9,10 @@ check41(){
SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`22` && ToPort>=`22`)) && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text) SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`22` && ToPort>=`22`)) && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text)
if [[ $SG_LIST ]];then if [[ $SG_LIST ]];then
for SG in $SG_LIST;do for SG in $SG_LIST;do
textWarn "Found Security Group: $SG open to 0.0.0.0/0 in Region $regx" "$regx" textFail "Found Security Group: $SG open to 0.0.0.0/0 in Region $regx" "$regx"
done done
else else
textOK "No Security Groups found in $regx with port 22 TCP open to 0.0.0.0/0" "$regx" textPass "No Security Groups found in $regx with port 22 TCP open to 0.0.0.0/0" "$regx"
fi fi
done done
} }

4
checks/check42
View File

@@ -9,10 +9,10 @@ check42(){
SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`3389` && ToPort>=`3389`)) && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text) SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`3389` && ToPort>=`3389`)) && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text)
if [[ $SG_LIST ]];then if [[ $SG_LIST ]];then
for SG in $SG_LIST;do for SG in $SG_LIST;do
textWarn "Found Security Group: $SG open to 0.0.0.0/0 in Region $regx" "$regx" textFail "Found Security Group: $SG open to 0.0.0.0/0 in Region $regx" "$regx"
done done
else else
textOK "No Security Groups found in $regx with port 3389 TCP open to 0.0.0.0/0" "$regx" textPass "No Security Groups found in $regx with port 3389 TCP open to 0.0.0.0/0" "$regx"
fi fi
done done
} }

4
checks/check43
View File

@@ -9,10 +9,10 @@ check43(){
CHECK_FL=$($AWSCLI ec2 describe-flow-logs $PROFILE_OPT --region $regx --query 'FlowLogs[?FlowLogStatus==`ACTIVE`].LogGroupName' --output text) CHECK_FL=$($AWSCLI ec2 describe-flow-logs $PROFILE_OPT --region $regx --query 'FlowLogs[?FlowLogStatus==`ACTIVE`].LogGroupName' --output text)
if [[ $CHECK_FL ]];then if [[ $CHECK_FL ]];then
for FL in $CHECK_FL;do for FL in $CHECK_FL;do
textOK "VPCFlowLog is enabled for LogGroupName: $FL in Region $regx" "$regx" textPass "VPCFlowLog is enabled for LogGroupName: $FL in Region $regx" "$regx"
done done
else else
textWarn "No VPCFlowLog has been found in Region $regx" "$regx" textFail "No VPCFlowLog has been found in Region $regx" "$regx"
fi fi
done done
} }

4
checks/check44
View File

@@ -8,9 +8,9 @@ check44(){
for regx in $REGIONS; do for regx in $REGIONS; do
CHECK_SGDEFAULT=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |grep 0.0.0.0) CHECK_SGDEFAULT=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |grep 0.0.0.0)
if [[ $CHECK_SGDEFAULT ]];then if [[ $CHECK_SGDEFAULT ]];then
textWarn "Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region $regx" "$regx" textFail "Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region $regx" "$regx"
else else
textOK "No Default Security Groups open to 0.0.0.0 found in Region $regx" "$regx" textPass "No Default Security Groups open to 0.0.0.0 found in Region $regx" "$regx"
fi fi
done done
} }

6
checks/check45
View File

@@ -5,11 +5,11 @@ CHECK_ALTERNATE_check405="check45"
check45(){ check45(){
# "Ensure routing tables for VPC peering are \"least access\" (Not Scored)" # "Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
textNotice "Looking for VPC peering in all regions... " textInfo "Looking for VPC peering in all regions... "
for regx in $REGIONS; do for regx in $REGIONS; do
LIST_OF_VPCS_PEERING_CONNECTIONS=$($AWSCLI ec2 describe-vpc-peering-connections --output text $PROFILE_OPT --region $regx --query 'VpcPeeringConnections[*].VpcPeeringConnectionId') LIST_OF_VPCS_PEERING_CONNECTIONS=$($AWSCLI ec2 describe-vpc-peering-connections --output text $PROFILE_OPT --region $regx --query 'VpcPeeringConnections[*].VpcPeeringConnectionId')
if [[ $LIST_OF_VPCS_PEERING_CONNECTIONS ]];then if [[ $LIST_OF_VPCS_PEERING_CONNECTIONS ]];then
textNotice "$regx: $LIST_OF_VPCS_PEERING_CONNECTIONS - review routing tables" "$regx" textInfo "$regx: $LIST_OF_VPCS_PEERING_CONNECTIONS - review routing tables" "$regx"
#LIST_OF_VPCS=$($AWSCLI ec2 describe-vpcs $PROFILE_OPT --region $regx --query 'Vpcs[*].VpcId' --output text) #LIST_OF_VPCS=$($AWSCLI ec2 describe-vpcs $PROFILE_OPT --region $regx --query 'Vpcs[*].VpcId' --output text)
#aws ec2 describe-route-tables --filter "Name=vpc-id,Values=vpc-0213e864" --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}" $PROFILE_OPT --region $regx #aws ec2 describe-route-tables --filter "Name=vpc-id,Values=vpc-0213e864" --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}" $PROFILE_OPT --region $regx
# for vpc in $LIST_OF_VPCS; do # for vpc in $LIST_OF_VPCS; do
@@ -17,7 +17,7 @@ check45(){
# done # done
#echo $VPCS_WITH_PEERING #echo $VPCS_WITH_PEERING
else else
textOK "$regx: No VPC peering found" "$regx" textPass "$regx: No VPC peering found" "$regx"
fi fi
done done
} }

8
checks/check_extra71
View File

@@ -15,7 +15,7 @@ extra71(){
CHECK_ADMIN_GROUP=$($AWSCLI $PROFILE_OPT iam list-attached-group-policies --group-name $grp --output json --query 'AttachedPolicies[].PolicyArn' | grep 'arn:aws:iam::aws:policy/AdministratorAccess') CHECK_ADMIN_GROUP=$($AWSCLI $PROFILE_OPT iam list-attached-group-policies --group-name $grp --output json --query 'AttachedPolicies[].PolicyArn' | grep 'arn:aws:iam::aws:policy/AdministratorAccess')
if [[ $CHECK_ADMIN_GROUP ]]; then if [[ $CHECK_ADMIN_GROUP ]]; then
ADMIN_GROUPS="$ADMIN_GROUPS $grp" ADMIN_GROUPS="$ADMIN_GROUPS $grp"
textNotice "$grp group provides administrative access" textInfo "$grp group provides administrative access"
ADMIN_USERS=$($AWSCLI $PROFILE_OPT iam get-group --group-name $grp --output json --query 'Users[].UserName' | grep '"' | cut -d'"' -f2 ) ADMIN_USERS=$($AWSCLI $PROFILE_OPT iam get-group --group-name $grp --output json --query 'Users[].UserName' | grep '"' | cut -d'"' -f2 )
for auser in $ADMIN_USERS; do for auser in $ADMIN_USERS; do
# users in group are Administrators # users in group are Administrators
@@ -23,13 +23,13 @@ extra71(){
# check for user MFA device in credential report # check for user MFA device in credential report
USER_MFA_ENABLED=$( cat $TEMP_REPORT_FILE | grep "^$auser," | cut -d',' -f8) USER_MFA_ENABLED=$( cat $TEMP_REPORT_FILE | grep "^$auser," | cut -d',' -f8)
if [[ "true" == $USER_MFA_ENABLED ]]; then if [[ "true" == $USER_MFA_ENABLED ]]; then
textOK "$auser / MFA Enabled / admin via group $grp" textPass "$auser / MFA Enabled / admin via group $grp"
else else
textWarn "$auser / MFA DISABLED / admin via group $grp" textFail "$auser / MFA DISABLED / admin via group $grp"
fi fi
done done
else else
textNotice "$grp group provides non-administrative access" textInfo "$grp group provides non-administrative access"
fi fi
done done
} }

6
checks/check_extra710
View File

@@ -5,17 +5,17 @@ CHECK_ALTERNATE_check710="extra710"
extra710(){ extra710(){
# "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)" # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
textNotice "Looking for instances in all regions... " textInfo "Looking for instances in all regions... "
for regx in $REGIONS; do for regx in $REGIONS; do
LIST_OF_PUBLIC_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query 'Reservations[*].Instances[?PublicIpAddress].[InstanceId,PublicIpAddress]' --output text) LIST_OF_PUBLIC_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query 'Reservations[*].Instances[?PublicIpAddress].[InstanceId,PublicIpAddress]' --output text)
if [[ $LIST_OF_PUBLIC_INSTANCES ]];then if [[ $LIST_OF_PUBLIC_INSTANCES ]];then
while read -r instance;do while read -r instance;do
INSTANCE_ID=$(echo $instance | awk '{ print $1; }') INSTANCE_ID=$(echo $instance | awk '{ print $1; }')
PUBLIC_IP=$(echo $instance | awk '{ print $2; }') PUBLIC_IP=$(echo $instance | awk '{ print $2; }')
textWarn "$regx: Instance: $INSTANCE_ID at IP: $PUBLIC_IP is internet-facing!" "$regx" textFail "$regx: Instance: $INSTANCE_ID at IP: $PUBLIC_IP is internet-facing!" "$regx"
done <<< "$LIST_OF_PUBLIC_INSTANCES" done <<< "$LIST_OF_PUBLIC_INSTANCES"
else else
textOK "$regx: no Internet Facing EC2 Instances found" "$regx" textPass "$regx: no Internet Facing EC2 Instances found" "$regx"
fi fi
done done
} }

6
checks/check_extra711
View File

@@ -5,17 +5,17 @@ CHECK_ALTERNATE_check711="extra711"
extra711(){ extra711(){
# "Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)" # "Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
textNotice "Looking for Reshift clusters in all regions... " textInfo "Looking for Reshift clusters in all regions... "
for regx in $REGIONS; do for regx in $REGIONS; do
LIST_OF_PUBLIC_REDSHIFT_CLUSTERS=$($AWSCLI redshift describe-clusters $PROFILE_OPT --region $regx --query 'Clusters[?PubliclyAccessible == `true`].[ClusterIdentifier,Endpoint.Address]' --output text) LIST_OF_PUBLIC_REDSHIFT_CLUSTERS=$($AWSCLI redshift describe-clusters $PROFILE_OPT --region $regx --query 'Clusters[?PubliclyAccessible == `true`].[ClusterIdentifier,Endpoint.Address]' --output text)
if [[ $LIST_OF_PUBLIC_REDSHIFT_CLUSTERS ]];then if [[ $LIST_OF_PUBLIC_REDSHIFT_CLUSTERS ]];then
while read -r cluster;do while read -r cluster;do
CLUSTER_ID=$(echo $cluster | awk '{ print $1; }') CLUSTER_ID=$(echo $cluster | awk '{ print $1; }')
CLUSTER_ENDPOINT=$(echo $cluster | awk '{ print $2; }') CLUSTER_ENDPOINT=$(echo $cluster | awk '{ print $2; }')
textWarn "$regx: Cluster: $CLUSTER_ID at Endpoint: $CLUSTER_ENDPOINT is publicly accessible!" "$regx" textFail "$regx: Cluster: $CLUSTER_ID at Endpoint: $CLUSTER_ENDPOINT is publicly accessible!" "$regx"
done <<< "$LIST_OF_PUBLIC_REDSHIFT_CLUSTERS" done <<< "$LIST_OF_PUBLIC_REDSHIFT_CLUSTERS"
else else
textOK "$regx: no Publicly Accessible Redshift Clusters found" "$regx" textPass "$regx: no Publicly Accessible Redshift Clusters found" "$regx"
fi fi
done done
} }

8
checks/check_extra712
View File

@@ -5,12 +5,12 @@ CHECK_ALTERNATE_check712="extra712"
extra712(){ extra712(){
# "Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)" # "Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
textNotice "No API commands available to check if Macie is enabled," textInfo "No API commands available to check if Macie is enabled,"
textNotice "just looking if IAM Macie related permissions exist. " textInfo "just looking if IAM Macie related permissions exist. "
MACIE_IAM_ROLES_CREATED=$($AWSCLI iam list-roles $PROFILE_OPT --query 'Roles[*].Arn'|grep AWSMacieServiceCustomer|wc -l) MACIE_IAM_ROLES_CREATED=$($AWSCLI iam list-roles $PROFILE_OPT --query 'Roles[*].Arn'|grep AWSMacieServiceCustomer|wc -l)
if [[ $MACIE_IAM_ROLES_CREATED -eq 2 ]];then if [[ $MACIE_IAM_ROLES_CREATED -eq 2 ]];then
textOK "Macie related IAM roles exist, so it might be enabled. Check it out manually." textPass "Macie related IAM roles exist, so it might be enabled. Check it out manually."
else else
textWarn "No Macie related IAM roles found. It is most likely not to be enabled" textFail "No Macie related IAM roles found. It is most likely not to be enabled"
fi fi
} }

6
checks/check_extra713
View File

@@ -11,13 +11,13 @@ extra713(){
while read -r detector;do while read -r detector;do
DETECTOR_ENABLED=$($AWSCLI guardduty get-detector --detector-id $detector $PROFILE_OPT --region $regx --output text| cut -f3|grep ENABLED) DETECTOR_ENABLED=$($AWSCLI guardduty get-detector --detector-id $detector $PROFILE_OPT --region $regx --output text| cut -f3|grep ENABLED)
if [[ $DETECTOR_ENABLED ]]; then if [[ $DETECTOR_ENABLED ]]; then
textOK "$regx: GuardDuty detector $detector enabled" "$regx" textPass "$regx: GuardDuty detector $detector enabled" "$regx"
else else
textWarn "$regx: GuardDuty detector $detector configured but suspended" "$regx" textFail "$regx: GuardDuty detector $detector configured but suspended" "$regx"
fi fi
done <<< "$LIST_OF_GUARDDUTY_DETECTORS" done <<< "$LIST_OF_GUARDDUTY_DETECTORS"
else else
textWarn "$regx: GuardDuty detector not configured!" "$regx" textFail "$regx: GuardDuty detector not configured!" "$regx"
fi fi
done done
} }

6
checks/check_extra714
View File

@@ -11,13 +11,13 @@ extra714(){
for cdn in $LIST_OF_DISTRIBUTIONS;do for cdn in $LIST_OF_DISTRIBUTIONS;do
CDN_LOG_ENABLED=$($AWSCLI cloudfront get-distribution $PROFILE_OPT --region $regx --id "$cdn" --query 'Distribution.DistributionConfig.Logging.Enabled' | grep true) CDN_LOG_ENABLED=$($AWSCLI cloudfront get-distribution $PROFILE_OPT --region $regx --id "$cdn" --query 'Distribution.DistributionConfig.Logging.Enabled' | grep true)
if [[ $CDN_LOG_ENABLED ]];then if [[ $CDN_LOG_ENABLED ]];then
textOK "$regx: CDN $cdn logging enabled" "$regx" textPass "$regx: CDN $cdn logging enabled" "$regx"
else else
textWarn "$regx: CDN $cdn logging disabled!" "$regx" textFail "$regx: CDN $cdn logging disabled!" "$regx"
fi fi
done done
else else
textNotice "$regx: No CDN configured" "$regx" textInfo "$regx: No CDN configured" "$regx"
fi fi
done done
} }

10
checks/check_extra715
View File

@@ -10,19 +10,19 @@ extra715(){
for domain in $LIST_OF_DOMAINS;do for domain in $LIST_OF_DOMAINS;do
SEARCH_SLOWLOG_ENABLED=$($AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.LogPublishingOptions.Options.SEARCH_SLOW_LOGS.Enabled --output text |grep -v ^None|grep -v ^False) SEARCH_SLOWLOG_ENABLED=$($AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.LogPublishingOptions.Options.SEARCH_SLOW_LOGS.Enabled --output text |grep -v ^None|grep -v ^False)
if [[ $SEARCH_SLOWLOG_ENABLED ]];then if [[ $SEARCH_SLOWLOG_ENABLED ]];then
textOK "$regx: ElasticSearch Service domain $domain SEARCH_SLOW_LOGS enabled" "$regx" textPass "$regx: ElasticSearch Service domain $domain SEARCH_SLOW_LOGS enabled" "$regx"
else else
textWarn "$regx: ElasticSearch Service domain $domain SEARCH_SLOW_LOGS disabled!" "$regx" textFail "$regx: ElasticSearch Service domain $domain SEARCH_SLOW_LOGS disabled!" "$regx"
fi fi
INDEX_SLOWLOG_ENABLED=$($AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.LogPublishingOptions.Options.INDEX_SLOW_LOGS.Enabled --output text |grep -v ^None|grep -v ^False) INDEX_SLOWLOG_ENABLED=$($AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.LogPublishingOptions.Options.INDEX_SLOW_LOGS.Enabled --output text |grep -v ^None|grep -v ^False)
if [[ $INDEX_SLOWLOG_ENABLED ]];then if [[ $INDEX_SLOWLOG_ENABLED ]];then
textOK "$regx: ElasticSearch Service domain $domain INDEX_SLOW_LOGS enabled" "$regx" textPass "$regx: ElasticSearch Service domain $domain INDEX_SLOW_LOGS enabled" "$regx"
else else
textWarn "$regx: ElasticSearch Service domain $domain INDEX_SLOW_LOGS disabled!" "$regx" textFail "$regx: ElasticSearch Service domain $domain INDEX_SLOW_LOGS disabled!" "$regx"
fi fi
done done
else else
textNotice "$regx: No Elasticsearch Service domain found" "$regx" textInfo "$regx: No Elasticsearch Service domain found" "$regx"
fi fi
done done
} }

8
checks/check_extra716
View File

@@ -16,16 +16,16 @@ extra716(){
# check if the policy has Principal as * # check if the policy has Principal as *
CHECK_ES_DOMAIN_ALLUSERS_POLICY=$(cat $TEMP_POLICY_FILE | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | awk '/Principal/ && !skip { print } { skip = /Deny/} '|grep \"Principal|grep \*) CHECK_ES_DOMAIN_ALLUSERS_POLICY=$(cat $TEMP_POLICY_FILE | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | awk '/Principal/ && !skip { print } { skip = /Deny/} '|grep \"Principal|grep \*)
if [[ $CHECK_ES_DOMAIN_ALLUSERS_POLICY ]];then if [[ $CHECK_ES_DOMAIN_ALLUSERS_POLICY ]];then
textWarn "$regx: $domain policy \"may\" allow Anonymous users to perform actions (Principal: \"*\")" "$regx" textFail "$regx: $domain policy \"may\" allow Anonymous users to perform actions (Principal: \"*\")" "$regx"
else else
textOK "$regx: $domain is not open" "$regx" textPass "$regx: $domain is not open" "$regx"
fi fi
else else
textOK "$regx: $domain is in a VPC" "$regx" textPass "$regx: $domain is in a VPC" "$regx"
fi fi
done done
fi fi
textNotice "$regx: No Elasticsearch Service domain found" "$regx" textInfo "$regx: No Elasticsearch Service domain found" "$regx"
rm -fr $TEMP_POLICY_FILE rm -fr $TEMP_POLICY_FILE
done done
} }

10
checks/check_extra717
View File

@@ -13,9 +13,9 @@ extra717(){
for elb in $LIST_OF_ELBS; do for elb in $LIST_OF_ELBS; do
CHECK_ELBS_LOG_ENABLED=$($AWSCLI elb describe-load-balancer-attributes $PROFILE_OPT --region $regx --load-balancer-name $elb --query 'LoadBalancerAttributes.AccessLog.Enabled'|grep "^true") CHECK_ELBS_LOG_ENABLED=$($AWSCLI elb describe-load-balancer-attributes $PROFILE_OPT --region $regx --load-balancer-name $elb --query 'LoadBalancerAttributes.AccessLog.Enabled'|grep "^true")
if [[ $CHECK_ELBS_LOG_ENABLED ]]; then if [[ $CHECK_ELBS_LOG_ENABLED ]]; then
textOK "$regx: $elb has access logs to S3 configured" "$regx" textPass "$regx: $elb has access logs to S3 configured" "$regx"
else else
textWarn "$regx: $elb has not configured access logs" "$regx" textFail "$regx: $elb has not configured access logs" "$regx"
fi fi
done done
fi fi
@@ -24,14 +24,14 @@ extra717(){
CHECK_ELBSV2_LOG_ENABLED=$($AWSCLI elbv2 describe-load-balancer-attributes $PROFILE_OPT --region $regx --load-balancer-arn $elbarn --query Attributes[*] --output text|grep "^access_logs.s3.enabled"|cut -f2|grep true) CHECK_ELBSV2_LOG_ENABLED=$($AWSCLI elbv2 describe-load-balancer-attributes $PROFILE_OPT --region $regx --load-balancer-arn $elbarn --query Attributes[*] --output text|grep "^access_logs.s3.enabled"|cut -f2|grep true)
ELBV2_NAME=$(echo $elbarn|cut -d\/ -f3) ELBV2_NAME=$(echo $elbarn|cut -d\/ -f3)
if [[ $CHECK_ELBSV2_LOG_ENABLED ]]; then if [[ $CHECK_ELBSV2_LOG_ENABLED ]]; then
textOK "$regx: $ELBV2_NAME has access logs to S3 configured" "$regx" textPass "$regx: $ELBV2_NAME has access logs to S3 configured" "$regx"
else else
textWarn "$regx: $ELBV2_NAME has not configured access logs" "$regx" textFail "$regx: $ELBV2_NAME has not configured access logs" "$regx"
fi fi
done done
fi fi
else else
textNotice "$regx: No ELBs found" "$regx" textInfo "$regx: No ELBs found" "$regx"
fi fi
done done
} }

6
checks/check_extra718
View File

@@ -10,12 +10,12 @@ extra718(){
for bucket in $LIST_OF_BUCKETS;do for bucket in $LIST_OF_BUCKETS;do
BUCKET_SERVER_LOG_ENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket $PROFILE_OPT --query [LoggingEnabled] --output text|grep -v "^None$") BUCKET_SERVER_LOG_ENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket $PROFILE_OPT --query [LoggingEnabled] --output text|grep -v "^None$")
if [[ $BUCKET_SERVER_LOG_ENABLED ]];then if [[ $BUCKET_SERVER_LOG_ENABLED ]];then
textOK "Bucket $bucket has server access logging enabled" textPass "Bucket $bucket has server access logging enabled"
else else
textWarn "Bucket $bucket has server access logging disabled!" textFail "Bucket $bucket has server access logging disabled!"
fi fi
done done
else else
textNotice "No S3 Buckets found" textInfo "No S3 Buckets found"
fi fi
} }

6
checks/check_extra719
View File

@@ -10,12 +10,12 @@ extra719(){
for hostedzoneid in $LIST_OF_HOSTED_ZONES;do for hostedzoneid in $LIST_OF_HOSTED_ZONES;do
HOSTED_ZONE_QUERY_LOG_ENABLED=$($AWSCLI route53 list-query-logging-configs --hosted-zone-id $hostedzoneid $PROFILE_OPT --query QueryLoggingConfigs[*].CloudWatchLogsLogGroupArn --output text|cut -d: -f7) HOSTED_ZONE_QUERY_LOG_ENABLED=$($AWSCLI route53 list-query-logging-configs --hosted-zone-id $hostedzoneid $PROFILE_OPT --query QueryLoggingConfigs[*].CloudWatchLogsLogGroupArn --output text|cut -d: -f7)
if [[ $HOSTED_ZONE_QUERY_LOG_ENABLED ]];then if [[ $HOSTED_ZONE_QUERY_LOG_ENABLED ]];then
textOK "Route53 hosted zone Id $hostedzoneid has query logging enabled in Log Group $HOSTED_ZONE_QUERY_LOG_ENABLED" textPass "Route53 hosted zone Id $hostedzoneid has query logging enabled in Log Group $HOSTED_ZONE_QUERY_LOG_ENABLED"
else else
textWarn "Route53 hosted zone Id $hostedzoneid has query logging disabled!" textFail "Route53 hosted zone Id $hostedzoneid has query logging disabled!"
fi fi
done done
else else
textNotice "No Route53 hosted zones found" textInfo "No Route53 hosted zones found"
fi fi
} }

6
checks/check_extra72
View File

@@ -7,15 +7,15 @@ CHECK_ALTERNATE_check702="extra72"
extra72(){ extra72(){
# "Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)" # "Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
textNotice "Looking for EBS Snapshots in all regions... " textInfo "Looking for EBS Snapshots in all regions... "
for regx in $REGIONS; do for regx in $REGIONS; do
LIST_OF_EBS_SNAPSHOTS=$($AWSCLI ec2 describe-snapshots $PROFILE_OPT --region $regx --owner-ids $ACCOUNT_NUM --output text --query 'Snapshots[*].{ID:SnapshotId}' --max-items $MAXITEMS | grep -v None 2> /dev/null) LIST_OF_EBS_SNAPSHOTS=$($AWSCLI ec2 describe-snapshots $PROFILE_OPT --region $regx --owner-ids $ACCOUNT_NUM --output text --query 'Snapshots[*].{ID:SnapshotId}' --max-items $MAXITEMS | grep -v None 2> /dev/null)
for snapshot in $LIST_OF_EBS_SNAPSHOTS; do for snapshot in $LIST_OF_EBS_SNAPSHOTS; do
SNAPSHOT_IS_PUBLIC=$($AWSCLI ec2 describe-snapshot-attribute $PROFILE_OPT --region $regx --output text --snapshot-id $snapshot --attribute createVolumePermission --query "CreateVolumePermissions[?Group=='all']") SNAPSHOT_IS_PUBLIC=$($AWSCLI ec2 describe-snapshot-attribute $PROFILE_OPT --region $regx --output text --snapshot-id $snapshot --attribute createVolumePermission --query "CreateVolumePermissions[?Group=='all']")
if [[ $SNAPSHOT_IS_PUBLIC ]];then if [[ $SNAPSHOT_IS_PUBLIC ]];then
textWarn "$regx: $snapshot is currently Public!" "$regx" textFail "$regx: $snapshot is currently Public!" "$regx"
else else
textOK "$regx: $snapshot is not Public" "$regx" textPass "$regx: $snapshot is not Public" "$regx"
fi fi
done done
done done

14
checks/check_extra720
View File

@@ -14,9 +14,9 @@ extra720(){
for trail in $LIST_OF_TRAILS; do for trail in $LIST_OF_TRAILS; do
FUNCTION_ENABLED_IN_TRAIL=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $regx --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$") FUNCTION_ENABLED_IN_TRAIL=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $regx --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$")
if [[ $FUNCTION_ENABLED_IN_TRAIL ]]; then if [[ $FUNCTION_ENABLED_IN_TRAIL ]]; then
textOK "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx" textPass "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx"
else else
textWarn "$regx: Lambda function $lambdafunction NOT enabled in trail $trail" "$regx" textFail "$regx: Lambda function $lambdafunction NOT enabled in trail $trail" "$regx"
fi fi
done done
# LIST_OF_MULTIREGION_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[?IsMultiRegionTrail == \`true\`].Name" --output text) # LIST_OF_MULTIREGION_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[?IsMultiRegionTrail == \`true\`].Name" --output text)
@@ -25,20 +25,20 @@ extra720(){
# REGION_OF_TRAIL=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[?IsMultiRegionTrail == \`true\` && Name == \`$trail\` ].HomeRegion" --output text) # REGION_OF_TRAIL=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[?IsMultiRegionTrail == \`true\` && Name == \`$trail\` ].HomeRegion" --output text)
# FUNCTION_ENABLED_IN_THIS_REGION=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $REGION_OF_TRAIL --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$") # FUNCTION_ENABLED_IN_THIS_REGION=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $REGION_OF_TRAIL --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$")
# if [[ $FUNCTION_ENABLED_IN_THIS_REGION ]]; then # if [[ $FUNCTION_ENABLED_IN_THIS_REGION ]]; then
# textOK "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx" # textPass "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx"
# else # else
# textWarn "$regx: Lambda function $lambdafunction NOT enabled in trail $trail" "$regx" # textFail "$regx: Lambda function $lambdafunction NOT enabled in trail $trail" "$regx"
# fi # fi
# done # done
# else # else
# textWarn "$regx: Lambda function $lambdafunction is not being recorded!" "$regx" # textFail "$regx: Lambda function $lambdafunction is not being recorded!" "$regx"
# fi # fi
else else
textWarn "$regx: Lambda function $lambdafunction is not being recorded no CloudTrail found!" "$regx" textFail "$regx: Lambda function $lambdafunction is not being recorded no CloudTrail found!" "$regx"
fi fi
done done
else else
textNotice "$regx: No Lambda functions found" "$regx" textInfo "$regx: No Lambda functions found" "$regx"
fi fi
done done
} }

6
checks/check_extra721
View File

@@ -12,13 +12,13 @@ extra721(){
REDSHIFT_LOG_ENABLED=$($AWSCLI redshift describe-logging-status $PROFILE_OPT --region $regx --cluster-identifier $redshiftcluster --query LoggingEnabled --output text | grep True) REDSHIFT_LOG_ENABLED=$($AWSCLI redshift describe-logging-status $PROFILE_OPT --region $regx --cluster-identifier $redshiftcluster --query LoggingEnabled --output text | grep True)
if [[ $REDSHIFT_LOG_ENABLED ]];then if [[ $REDSHIFT_LOG_ENABLED ]];then
REDSHIFT_LOG_ENABLED_BUCKET=$($AWSCLI redshift describe-logging-status $PROFILE_OPT --region $regx --cluster-identifier $redshiftcluster --query BucketName --output text) REDSHIFT_LOG_ENABLED_BUCKET=$($AWSCLI redshift describe-logging-status $PROFILE_OPT --region $regx --cluster-identifier $redshiftcluster --query BucketName --output text)
textOK "$regx: Redshift cluster $redshiftcluster has audit logging enabled to bucket $REDSHIFT_LOG_ENABLED_BUCKET" "$regx" textPass "$regx: Redshift cluster $redshiftcluster has audit logging enabled to bucket $REDSHIFT_LOG_ENABLED_BUCKET" "$regx"
else else
textWarn "$regx: Redshift cluster $redshiftcluster logging disabled!" "$regx" textFail "$regx: Redshift cluster $redshiftcluster logging disabled!" "$regx"
fi fi
done done
else else
textNotice "$regx: No Redshift cluster configured" "$regx" textInfo "$regx: No Redshift cluster configured" "$regx"
fi fi
done done
} }

8
checks/check_extra722
View File

@@ -15,17 +15,17 @@ extra722(){
for stagname in $CHECK_STAGES_NAME;do for stagname in $CHECK_STAGES_NAME;do
CHECK_STAGE_METHOD_LOGGING=$($AWSCLI apigateway get-stages $PROFILE_OPT --region $regx --rest-api-id $apigwid --query "item[?stageName == \`$stagname\` ].methodSettings" --output text|awk '{ print $1" log level "$6}') CHECK_STAGE_METHOD_LOGGING=$($AWSCLI apigateway get-stages $PROFILE_OPT --region $regx --rest-api-id $apigwid --query "item[?stageName == \`$stagname\` ].methodSettings" --output text|awk '{ print $1" log level "$6}')
if [[ $CHECK_STAGE_METHOD_LOGGING ]];then if [[ $CHECK_STAGE_METHOD_LOGGING ]];then
textOK "$regx: API Gateway $API_GW_NAME has stage logging enabled for $CHECK_STAGE_METHOD_LOGGING" "$regx" textPass "$regx: API Gateway $API_GW_NAME has stage logging enabled for $CHECK_STAGE_METHOD_LOGGING" "$regx"
else else
textWarn "$regx: API Gateway $API_GW_NAME logging disabled for stage $stagname!" "$regx" textFail "$regx: API Gateway $API_GW_NAME logging disabled for stage $stagname!" "$regx"
fi fi
done done
else else
textWarn "$regx: No Stage name found for $API_GW_NAME" "$regx" textFail "$regx: No Stage name found for $API_GW_NAME" "$regx"
fi fi
done done
else else
textNotice "$regx: No API Gateway found" "$regx" textInfo "$regx: No API Gateway found" "$regx"
fi fi
done done
} }

12
checks/check_extra723
View File

@@ -12,13 +12,13 @@ extra723(){
for rdssnapshot in $LIST_OF_RDS_SNAPSHOTS;do for rdssnapshot in $LIST_OF_RDS_SNAPSHOTS;do
SNAPSHOT_IS_PUBLIC=$($AWSCLI rds describe-db-snapshot-attributes $PROFILE_OPT --region $regx --db-snapshot-identifier $rdssnapshot --query DBSnapshotAttributesResult.DBSnapshotAttributes[*] --output text|grep ^ATTRIBUTEVALUES|cut -f2|grep all) SNAPSHOT_IS_PUBLIC=$($AWSCLI rds describe-db-snapshot-attributes $PROFILE_OPT --region $regx --db-snapshot-identifier $rdssnapshot --query DBSnapshotAttributesResult.DBSnapshotAttributes[*] --output text|grep ^ATTRIBUTEVALUES|cut -f2|grep all)
if [[ $SNAPSHOT_IS_PUBLIC ]];then if [[ $SNAPSHOT_IS_PUBLIC ]];then
textWarn "$regx: RDS Snapshot $rdssnapshot is public!" "$regx" textFail "$regx: RDS Snapshot $rdssnapshot is public!" "$regx"
else else
textOK "$regx: RDS Snapshot $rdssnapshot is not shared" "$regx" textPass "$regx: RDS Snapshot $rdssnapshot is not shared" "$regx"
fi fi
done done
else else
textNotice "$regx: No RDS Snapshots found" "$regx" textInfo "$regx: No RDS Snapshots found" "$regx"
fi fi
# RDS cluster snapshots # RDS cluster snapshots
LIST_OF_RDS_CLUSTER_SNAPSHOTS=$($AWSCLI rds describe-db-cluster-snapshots $PROFILE_OPT --region $regx --query DBClusterSnapshots[*].DBClusterSnapshotIdentifier --output text) LIST_OF_RDS_CLUSTER_SNAPSHOTS=$($AWSCLI rds describe-db-cluster-snapshots $PROFILE_OPT --region $regx --query DBClusterSnapshots[*].DBClusterSnapshotIdentifier --output text)
@@ -26,13 +26,13 @@ extra723(){
for rdsclustersnapshot in $LIST_OF_RDS_CLUSTER_SNAPSHOTS;do for rdsclustersnapshot in $LIST_OF_RDS_CLUSTER_SNAPSHOTS;do
CLUSTER_SNAPSHOT_IS_PUBLIC=$($AWSCLI rds describe-db-cluster-snapshot-attributes $PROFILE_OPT --region $regx --db-cluster-snapshot-identifier $rdsclustersnapshot --query DBClusterSnapshotAttributesResult.DBClusterSnapshotAttributes[*] --output text|grep ^ATTRIBUTEVALUES|cut -f2|grep all) CLUSTER_SNAPSHOT_IS_PUBLIC=$($AWSCLI rds describe-db-cluster-snapshot-attributes $PROFILE_OPT --region $regx --db-cluster-snapshot-identifier $rdsclustersnapshot --query DBClusterSnapshotAttributesResult.DBClusterSnapshotAttributes[*] --output text|grep ^ATTRIBUTEVALUES|cut -f2|grep all)
if [[ $CLUSTER_SNAPSHOT_IS_PUBLIC ]];then if [[ $CLUSTER_SNAPSHOT_IS_PUBLIC ]];then
textWarn "$regx: RDS Cluster Snapshot $rdsclustersnapshot is public!" "$regx" textFail "$regx: RDS Cluster Snapshot $rdsclustersnapshot is public!" "$regx"
else else
textOK "$regx: RDS Cluster Snapshot $rdsclustersnapshot is not shared" "$regx" textPass "$regx: RDS Cluster Snapshot $rdsclustersnapshot is not shared" "$regx"
fi fi
done done
else else
textNotice "$regx: No RDS Cluster Snapshots found" "$regx" textInfo "$regx: No RDS Cluster Snapshots found" "$regx"
fi fi
done done
} }

6
checks/check_extra724
View File

@@ -12,13 +12,13 @@ extra724(){
CT_ENABLED=$($AWSCLI acm describe-certificate $PROFILE_OPT --region $regx --certificate-arn $cert_arn --query Certificate.Options.CertificateTransparencyLoggingPreference --output text) CT_ENABLED=$($AWSCLI acm describe-certificate $PROFILE_OPT --region $regx --certificate-arn $cert_arn --query Certificate.Options.CertificateTransparencyLoggingPreference --output text)
CERT_DOMAIN_NAME=$(aws acm describe-certificate $PROFILE_OPT --region $regx --certificate-arn $cert_arn --query Certificate.DomainName --output text) CERT_DOMAIN_NAME=$(aws acm describe-certificate $PROFILE_OPT --region $regx --certificate-arn $cert_arn --query Certificate.DomainName --output text)
if [[ $CT_ENABLED == "ENABLED" ]];then if [[ $CT_ENABLED == "ENABLED" ]];then
textWarn "$regx: ACM Certificate $CERT_DOMAIN_NAME has Certificate Transparency logging enabled!" "$regx" textFail "$regx: ACM Certificate $CERT_DOMAIN_NAME has Certificate Transparency logging enabled!" "$regx"
else else
textOK "$regx: ACM Certificate $CERT_DOMAIN_NAME has Certificate Transparency logging disabled!" "$regx" textPass "$regx: ACM Certificate $CERT_DOMAIN_NAME has Certificate Transparency logging disabled!" "$regx"
fi fi
done done
else else
textNotice "$regx: No ACM Certificates found" "$regx" textInfo "$regx: No ACM Certificates found" "$regx"
fi fi
done done
} }

10
checks/check_extra73
View File

@@ -6,7 +6,7 @@ CHECK_ALTERNATE_check73="extra73"
CHECK_ALTERNATE_check703="extra73" CHECK_ALTERNATE_check703="extra73"
extra73(){ extra73(){
textNotice "Looking for open S3 Buckets (ACLs and Policies) in all regions... " textInfo "Looking for open S3 Buckets (ACLs and Policies) in all regions... "
ALL_BUCKETS_LIST=$($AWSCLI s3api list-buckets --query 'Buckets[*].{Name:Name}' --profile $PROFILE --region $REGION --output text) ALL_BUCKETS_LIST=$($AWSCLI s3api list-buckets --query 'Buckets[*].{Name:Name}' --profile $PROFILE --region $REGION --output text)
for bucket in $ALL_BUCKETS_LIST; do for bucket in $ALL_BUCKETS_LIST; do
extra73Thread $bucket & extra73Thread $bucket &
@@ -35,16 +35,16 @@ extra73Thread(){
CHECK_BUCKET_ALLUSERS_POLICY=$(cat $TEMP_POLICY_FILE | sed -e 's/[{}]/''/g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}'|awk '/Principal/ && !skip { print } { skip = /Deny/} '|grep ^\"Principal|grep \*) CHECK_BUCKET_ALLUSERS_POLICY=$(cat $TEMP_POLICY_FILE | sed -e 's/[{}]/''/g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}'|awk '/Principal/ && !skip { print } { skip = /Deny/} '|grep ^\"Principal|grep \*)
if [[ $CHECK_BUCKET_ALLUSERS_ACL || $CHECK_BUCKET_AUTHUSERS_ACL || $CHECK_BUCKET_ALLUSERS_POLICY ]];then if [[ $CHECK_BUCKET_ALLUSERS_ACL || $CHECK_BUCKET_AUTHUSERS_ACL || $CHECK_BUCKET_ALLUSERS_POLICY ]];then
if [[ $CHECK_BUCKET_ALLUSERS_ACL ]];then if [[ $CHECK_BUCKET_ALLUSERS_ACL ]];then
textWarn "$BUCKET_LOCATION: $bucket bucket is open to the Internet (Everyone) with permissions: $CHECK_BUCKET_ALLUSERS_ACL_SINGLE_LINE" "$regx" textFail "$BUCKET_LOCATION: $bucket bucket is open to the Internet (Everyone) with permissions: $CHECK_BUCKET_ALLUSERS_ACL_SINGLE_LINE" "$regx"
fi fi
if [[ $CHECK_BUCKET_AUTHUSERS_ACL ]];then if [[ $CHECK_BUCKET_AUTHUSERS_ACL ]];then
textWarn "$BUCKET_LOCATION: $bucket bucket is open to Authenticated users (Any AWS user) with permissions: $CHECK_BUCKET_AUTHUSERS_ACL_SINGLE_LINE" "$regx" textFail "$BUCKET_LOCATION: $bucket bucket is open to Authenticated users (Any AWS user) with permissions: $CHECK_BUCKET_AUTHUSERS_ACL_SINGLE_LINE" "$regx"
fi fi
if [[ $CHECK_BUCKET_ALLUSERS_POLICY ]];then if [[ $CHECK_BUCKET_ALLUSERS_POLICY ]];then
textWarn "$BUCKET_LOCATION: $bucket bucket policy \"may\" allow Anonymous users to perform actions (Principal: \"*\")" "$regx" textFail "$BUCKET_LOCATION: $bucket bucket policy \"may\" allow Anonymous users to perform actions (Principal: \"*\")" "$regx"
fi fi
else else
textOK "$BUCKET_LOCATION: $bucket bucket is not open" "$regx" textPass "$BUCKET_LOCATION: $bucket bucket is not open" "$regx"
fi fi
rm -fr $TEMP_POLICY_FILE rm -fr $TEMP_POLICY_FILE
} }

6
checks/check_extra74
View File

@@ -7,15 +7,15 @@ CHECK_ALTERNATE_check704="extra74"
extra74(){ extra74(){
# "Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)" # "Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)"
textNotice "Looking for Security Groups in all regions... " textInfo "Looking for Security Groups in all regions... "
for regx in $REGIONS; do for regx in $REGIONS; do
LIST_OF_SECURITYGROUPS=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters "Name=ip-permission.cidr,Values=0.0.0.0/0" --query "SecurityGroups[].[GroupId]" --output text --max-items $MAXITEMS) LIST_OF_SECURITYGROUPS=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters "Name=ip-permission.cidr,Values=0.0.0.0/0" --query "SecurityGroups[].[GroupId]" --output text --max-items $MAXITEMS)
for SG_ID in $LIST_OF_SECURITYGROUPS; do for SG_ID in $LIST_OF_SECURITYGROUPS; do
SG_NO_INGRESS_FILTER=$($AWSCLI ec2 describe-network-interfaces $PROFILE_OPT --region $regx --filters "Name=group-id,Values=$SG_ID" --query "length(NetworkInterfaces)" --output text) SG_NO_INGRESS_FILTER=$($AWSCLI ec2 describe-network-interfaces $PROFILE_OPT --region $regx --filters "Name=group-id,Values=$SG_ID" --query "length(NetworkInterfaces)" --output text)
if [[ $SG_NO_INGRESS_FILTER -ne 0 ]];then if [[ $SG_NO_INGRESS_FILTER -ne 0 ]];then
textWarn "$regx: $SG_ID has not ingress filtering and it is being used!" "$regx" textFail "$regx: $SG_ID has not ingress filtering and it is being used!" "$regx"
else else
textNotice "$regx: $SG_ID has not ingress filtering but it is no being used" "$regx" textInfo "$regx: $SG_ID has not ingress filtering but it is no being used" "$regx"
fi fi
done done
done done

6
checks/check_extra75
View File

@@ -7,15 +7,15 @@ CHECK_ALTERNATE_check705="extra75"
extra75(){ extra75(){
# "Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)" # "Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)"
textNotice "Looking for Security Groups in all regions... " textInfo "Looking for Security Groups in all regions... "
for regx in $REGIONS; do for regx in $REGIONS; do
LIST_OF_SECURITYGROUPS=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --query "SecurityGroups[].[GroupId]" --output text --max-items $MAXITEMS) LIST_OF_SECURITYGROUPS=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --query "SecurityGroups[].[GroupId]" --output text --max-items $MAXITEMS)
for SG_ID in $LIST_OF_SECURITYGROUPS; do for SG_ID in $LIST_OF_SECURITYGROUPS; do
SG_NOT_USED=$($AWSCLI ec2 describe-network-interfaces $PROFILE_OPT --region $regx --filters "Name=group-id,Values=$SG_ID" --query "length(NetworkInterfaces)" --output text) SG_NOT_USED=$($AWSCLI ec2 describe-network-interfaces $PROFILE_OPT --region $regx --filters "Name=group-id,Values=$SG_ID" --query "length(NetworkInterfaces)" --output text)
if [[ $SG_NOT_USED -eq 0 ]];then if [[ $SG_NOT_USED -eq 0 ]];then
textWarn "$regx: $SG_ID is not being used!" "$regx" textFail "$regx: $SG_ID is not being used!" "$regx"
else else
textOK "$regx: $SG_ID is being used" "$regx" textPass "$regx: $SG_ID is being used" "$regx"
fi fi
done done
done done

6
checks/check_extra76
View File

@@ -7,15 +7,15 @@ CHECK_ALTERNATE_check706="extra76"
extra76(){ extra76(){
# "Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)" # "Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)"
textNotice "Looking for AMIs in all regions... " textInfo "Looking for AMIs in all regions... "
for regx in $REGIONS; do for regx in $REGIONS; do
LIST_OF_PUBLIC_AMIS=$($AWSCLI ec2 describe-images --owners self $PROFILE_OPT --region $regx --filters "Name=is-public,Values=true" --query 'Images[*].{ID:ImageId}' --output text) LIST_OF_PUBLIC_AMIS=$($AWSCLI ec2 describe-images --owners self $PROFILE_OPT --region $regx --filters "Name=is-public,Values=true" --query 'Images[*].{ID:ImageId}' --output text)
if [[ $LIST_OF_PUBLIC_AMIS ]];then if [[ $LIST_OF_PUBLIC_AMIS ]];then
for ami in $LIST_OF_PUBLIC_AMIS; do for ami in $LIST_OF_PUBLIC_AMIS; do
textWarn "$regx: $ami is currently Public!" "$regx" textFail "$regx: $ami is currently Public!" "$regx"
done done
else else
textOK "$regx: No Public AMIs found" "$regx" textPass "$regx: No Public AMIs found" "$regx"
fi fi
done done
} }

6
checks/check_extra77
View File

@@ -7,7 +7,7 @@ CHECK_ALTERNATE_check707="extra77"
extra77(){ extra77(){
# "Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)" # "Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)"
textNotice "Looking for ECR repos in all regions... " textInfo "Looking for ECR repos in all regions... "
for regx in $REGIONS; do for regx in $REGIONS; do
LIST_OF_ECR_REPOS=$($AWSCLI ecr describe-repositories $PROFILE_OPT --region $regx --query 'repositories[*].{Name:repositoryName}' --output text) LIST_OF_ECR_REPOS=$($AWSCLI ecr describe-repositories $PROFILE_OPT --region $regx --query 'repositories[*].{Name:repositoryName}' --output text)
for ecr_repo in $LIST_OF_ECR_REPOS; do for ecr_repo in $LIST_OF_ECR_REPOS; do
@@ -16,9 +16,9 @@ extra77(){
# check if the policy has Principal as * # check if the policy has Principal as *
CHECK_ECR_REPO_ALLUSERS_POLICY=$(cat $TEMP_POLICY_FILE | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | awk '/Principal/ && !skip { print } { skip = /Deny/} '|grep \"Principal|grep \*) CHECK_ECR_REPO_ALLUSERS_POLICY=$(cat $TEMP_POLICY_FILE | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | awk '/Principal/ && !skip { print } { skip = /Deny/} '|grep \"Principal|grep \*)
if [[ $CHECK_ECR_REPO_ALLUSERS_POLICY ]];then if [[ $CHECK_ECR_REPO_ALLUSERS_POLICY ]];then
textWarn "$regx: $ecr_repo policy \"may\" allow Anonymous users to perform actions (Principal: \"*\")" "$regx" textFail "$regx: $ecr_repo policy \"may\" allow Anonymous users to perform actions (Principal: \"*\")" "$regx"
else else
textOK "$regx: $ecr_repo is not open" "$regx" textPass "$regx: $ecr_repo is not open" "$regx"
fi fi
done done
rm -fr $TEMP_POLICY_FILE rm -fr $TEMP_POLICY_FILE

6
checks/check_extra78
View File

@@ -7,17 +7,17 @@ CHECK_ALTERNATE_check708="extra78"
extra78(){ extra78(){
# "Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)" # "Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)"
textNotice "Looking for RDS instances in all regions... " textInfo "Looking for RDS instances in all regions... "
for regx in $REGIONS; do for regx in $REGIONS; do
LIST_OF_RDS_PUBLIC_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[?PubliclyAccessible==`true`].[DBInstanceIdentifier,Endpoint.Address]' --output text) LIST_OF_RDS_PUBLIC_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[?PubliclyAccessible==`true`].[DBInstanceIdentifier,Endpoint.Address]' --output text)
if [[ $LIST_OF_RDS_PUBLIC_INSTANCES ]];then if [[ $LIST_OF_RDS_PUBLIC_INSTANCES ]];then
while read -r rds_instance;do while read -r rds_instance;do
RDS_NAME=$(echo $rds_instance | awk '{ print $1; }') RDS_NAME=$(echo $rds_instance | awk '{ print $1; }')
RDS_DNSNAME=$(echo $rds_instance | awk '{ print $2; }') RDS_DNSNAME=$(echo $rds_instance | awk '{ print $2; }')
textWarn "$regx: RDS instance: $RDS_NAME at $RDS_DNSNAME is set as Publicly Accessible!" "$regx" textFail "$regx: RDS instance: $RDS_NAME at $RDS_DNSNAME is set as Publicly Accessible!" "$regx"
done <<< "$LIST_OF_RDS_PUBLIC_INSTANCES" done <<< "$LIST_OF_RDS_PUBLIC_INSTANCES"
else else
textOK "$regx: no Publicly Accessible RDS instances found" "$regx" textPass "$regx: no Publicly Accessible RDS instances found" "$regx"
fi fi
done done
} }

6
checks/check_extra79
View File

@@ -7,7 +7,7 @@ CHECK_ALTERNATE_check709="extra79"
extra79(){ extra79(){
# "Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)" # "Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)"
textNotice "Looking for Elastic Load Balancers in all regions... " textInfo "Looking for Elastic Load Balancers in all regions... "
for regx in $REGIONS; do for regx in $REGIONS; do
LIST_OF_PUBLIC_ELBS=$($AWSCLI elb describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancerDescriptions[?Scheme == `internet-facing`].[LoadBalancerName,DNSName]' --output text) LIST_OF_PUBLIC_ELBS=$($AWSCLI elb describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancerDescriptions[?Scheme == `internet-facing`].[LoadBalancerName,DNSName]' --output text)
LIST_OF_PUBLIC_ELBSV2=$($AWSCLI elbv2 describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancers[?Scheme == `internet-facing`].[LoadBalancerName,DNSName]' --output text) LIST_OF_PUBLIC_ELBSV2=$($AWSCLI elbv2 describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancers[?Scheme == `internet-facing`].[LoadBalancerName,DNSName]' --output text)
@@ -17,10 +17,10 @@ extra79(){
while read -r elb;do while read -r elb;do
ELB_NAME=$(echo $elb | awk '{ print $1; }') ELB_NAME=$(echo $elb | awk '{ print $1; }')
ELB_DNSNAME=$(echo $elb | awk '{ print $2; }') ELB_DNSNAME=$(echo $elb | awk '{ print $2; }')
textWarn "$regx: ELB: $ELB_NAME at DNS: $ELB_DNSNAME is internet-facing!" "$regx" textFail "$regx: ELB: $ELB_NAME at DNS: $ELB_DNSNAME is internet-facing!" "$regx"
done <<< "$LIST_OF_ALL_ELBS_PER_LINE" done <<< "$LIST_OF_ALL_ELBS_PER_LINE"
else else
textOK "$regx: no Internet Facing ELBs found" "$regx" textPass "$regx: no Internet Facing ELBs found" "$regx"
fi fi
done done
} }

6
checks/check_sample
View File

@@ -5,17 +5,17 @@
# #
# extraN(){ # extraN(){
# # "Description (Not Scored) (Not part of CIS benchmark)" # # "Description (Not Scored) (Not part of CIS benchmark)"
# textNotice "Looking for instances in all regions... " # textInfo "Looking for instances in all regions... "
# for regx in $REGIONS; do # for regx in $REGIONS; do
# LIST_OF_PUBLIC_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query 'Reservations[*].Instances[?PublicIpAddress].[InstanceId,PublicIpAddress]' --output text) # LIST_OF_PUBLIC_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query 'Reservations[*].Instances[?PublicIpAddress].[InstanceId,PublicIpAddress]' --output text)
# if [[ $LIST_OF_PUBLIC_INSTANCES ]];then # if [[ $LIST_OF_PUBLIC_INSTANCES ]];then
# while read -r instance;do # while read -r instance;do
# INSTANCE_ID=$(echo $instance | awk '{ print $1; }') # INSTANCE_ID=$(echo $instance | awk '{ print $1; }')
# PUBLIC_IP=$(echo $instance | awk '{ print $2; }') # PUBLIC_IP=$(echo $instance | awk '{ print $2; }')
# textWarn "$regx: Instance: $INSTANCE_ID at IP: $PUBLIC_IP is internet-facing!" "$regx" # textFail "$regx: Instance: $INSTANCE_ID at IP: $PUBLIC_IP is internet-facing!" "$regx"
# done <<< "$LIST_OF_PUBLIC_INSTANCES" # done <<< "$LIST_OF_PUBLIC_INSTANCES"
# else # else
# textOK "$regx: no Internet Facing EC2 Instances found" "$regx" # textPass "$regx: no Internet Facing EC2 Instances found" "$regx"
# fi # fi
# done # done
# } # }

2
include/credentials_report
View File

@@ -11,7 +11,7 @@ saveReport(){
$AWSCLI iam get-credential-report --query 'Content' --output text $PROFILE_OPT --region $REGION | decode_report > $TEMP_REPORT_FILE $AWSCLI iam get-credential-report --query 'Content' --output text $PROFILE_OPT --region $REGION | decode_report > $TEMP_REPORT_FILE
if [[ $KEEPCREDREPORT -eq 1 ]]; then if [[ $KEEPCREDREPORT -eq 1 ]]; then
textTitle "0.2" "Saving IAM Credential Report ..." "NOT_SCORED" "SUPPORT" textTitle "0.2" "Saving IAM Credential Report ..." "NOT_SCORED" "SUPPORT"
textNotice "IAM Credential Report saved in $TEMP_REPORT_FILE" textInfo "IAM Credential Report saved in $TEMP_REPORT_FILE"
fi fi
} }

6
include/outputs
View File

@@ -1,5 +1,5 @@
## Output formatting functions ## Output formatting functions
textOK(){ textPass(){
if [[ "$MODE" == "csv" ]]; then if [[ "$MODE" == "csv" ]]; then
if [[ $2 ]]; then if [[ $2 ]]; then
REPREGION=$2 REPREGION=$2
@@ -12,7 +12,7 @@ textOK(){
fi fi
} }
textNotice(){ textInfo(){
if [[ "$MODE" == "csv" ]]; then if [[ "$MODE" == "csv" ]]; then
if [[ $2 ]]; then if [[ $2 ]]; then
REPREGION=$2 REPREGION=$2
@@ -25,7 +25,7 @@ textNotice(){
fi fi
} }
textWarn(){ textFail(){
EXITCODE=3 EXITCODE=3
if [[ "$MODE" == "csv" ]]; then if [[ "$MODE" == "csv" ]]; then
if [[ $2 ]]; then if [[ $2 ]]; then

2
include/whoami
View File

@@ -13,7 +13,7 @@ getWhoami(){
CALLER_ARN=$(echo $CALLER_ARN_RAW | tr -d '"') CALLER_ARN=$(echo $CALLER_ARN_RAW | tr -d '"')
printCsvHeader printCsvHeader
textTitle "0.0" "Show report generation info" "NOT_SCORED" "SUPPORT" textTitle "0.0" "Show report generation info" "NOT_SCORED" "SUPPORT"
textNotice "ARN: $CALLER_ARN TIMESTAMP: $SCRIPT_START_TIME" textInfo "ARN: $CALLER_ARN TIMESTAMP: $SCRIPT_START_TIME"
else else
echo "" echo ""
echo -e " This report is being generated using credentials below:\n" echo -e " This report is being generated using credentials below:\n"

2
prowler
View File

@@ -190,7 +190,7 @@ execute_check() {
show_check_title $1 show_check_title $1
$1 $1
else else
textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)"; textFail "ERROR! Use a valid check name (i.e. check41 or extra71)";
exit $EXITCODE exit $EXITCODE
fi fi
fi fi