Merge branch 'master' into master

2026-02-10 14:55:00 +00:00 · 2020-08-27 16:28:35 +02:00
parent 1d4563f60d 5552ea1eb6
commit 0b9d3e39d4
6 changed files with 39 additions and 5 deletions
--- a/checks/check12
+++ b/checks/check12
@@ -19,7 +19,7 @@ CHECK_ALTERNATE_check102="check12"
 check12(){
  # "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
  # List users with password enabled
-  COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep -F ' true$' | awk '{ print $1 }')
+  COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep 'true$' | awk '{ print $1 }')
  COMMAND12=$(
    for i in $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED; do
      cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$8 }' |grep "^$i " |grep false | awk '{ print $1 }'
--- a/checks/check_extra798
+++ b/checks/check_extra798
@@ -13,6 +13,7 @@
 # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
+
 CHECK_ID_extra7100="7.100"
 CHECK_TITLE_extra7100="[extra7100] Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)"
 CHECK_SCORED_extra7100="NOT_SCORED"
@@ -72,4 +73,4 @@ extra7100(){
  else
    textPass "No custom policies found"
  fi
-}
+}
--- a/checks/check_extra799
+++ b/checks/check_extra799
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra799="7.99"
+CHECK_TITLE_extra799="[extra799] Check if Security Hub is enabled and its standard subscriptions"
+CHECK_SCORED_extra799="NOT_SCORED"
+CHECK_TYPE_extra799="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra799="AwsSecurityHubHub"
+CHECK_ALTERNATE_check799="extra799"
+CHECK_SEVERITY_extra799="medium"
+
+extra799(){
+  for regx in $REGIONS; do
+    # If command below fails get nothing then it there are no subscriptions and Security Hub is not enabled.
+    LIST_OF_SECHUB_SUBSCRIPTIONS=$($AWSCLI $PROFILE_OPT --region $regx securityhub get-enabled-standards --query 'StandardsSubscriptions[?StandardsStatus == `READY`].StandardsSubscriptionArn' --output json 2>/dev/null | awk -F "/" '{ print $2 }' | tr '\n' ' ' ) 
+    if [[ $LIST_OF_SECHUB_SUBSCRIPTIONS ]]; then
+      textPass "$regx: Security Hub is enabled with standards $LIST_OF_SECHUB_SUBSCRIPTIONS" "$regx"
+    else
+      textInfo "$regx: Security Hub is not enabled" "$regx"
+      #textFail "$regx: Security Hub is not enabled" "$regx"
+    fi
+  done
+}
--- a/groups/group17_internetexposed
+++ b/groups/group17_internetexposed
@@ -15,7 +15,7 @@ GROUP_ID[17]='internet-exposed'
 GROUP_NUMBER[17]='17.0'
 GROUP_TITLE[17]='Find resources exposed to the internet - [internet-exposed] *******'
 GROUP_RUN_BY_DEFAULT[17]='N' # run it when execute_all is called
-GROUP_CHECKS[17]='check41,check42,extra72,extra73,extra74,extra76,extra77,extra78,extra79,extra710,extra711,extra716,extra723,extra727,extra731,extra738,extra745,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra770,extra771,extra778,extra779,extra787,extra788'
+GROUP_CHECKS[17]='check41,check42,extra72,extra73,extra74,extra76,extra77,extra78,extra79,extra710,extra711,extra716,extra723,extra727,extra731,extra736,extra738,extra745,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra770,extra771,extra778,extra779,extra787,extra788,extra798'

 # 4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)  [group4, cislevel1, cislevel2]
 # 4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)  [group4, cislevel1, cislevel2]
--- a/include/outputs
+++ b/include/outputs
@@ -294,7 +294,7 @@ generateJsonAsffOutput(){
          {
              "Type": $RESOURCE_TYPE,
              "Id": "AWS::::Account:\($ACCOUNT_NUM)",
-              "Partition": "aws",
+              "Partition": $AWS_PARTITION,
              "Region": $REPREGION
          }
      ],
--- a/2
+++ b/2
@@ -96,7 +96,7 @@ USAGE:
  exit
 }

-while getopts ":hlLkqp:r:c:g:f:m:M:E:enbVsSxI:A:R:T:w:" OPTION; do
+while getopts ":hlLkqp:r:c:g:f:m:M:E:x:enbVsSI:A:R:T:w:" OPTION; do
   case $OPTION in
     h )
        usage