Added resource id to RDS checks and in json,csv,html outputs
@@ -36,20 +36,19 @@ CHECK_DOC_extra7113='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER
|
|||||||
CHECK_CAF_EPIC_extra7113='Data Protection'
|
CHECK_CAF_EPIC_extra7113='Data Protection'
|
||||||
|
|
||||||
extra7113(){
|
extra7113(){
|
||||||
textInfo "Looking for RDS Volumes in all regions... "
|
|
||||||
for regx in $REGIONS; do
|
for regx in $REGIONS; do
|
||||||
LIST_OF_RDS_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[*].DBInstanceIdentifier' --output text)
|
LIST_OF_RDS_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[*].DBInstanceIdentifier' --output text)
|
||||||
if [[ $LIST_OF_RDS_INSTANCES ]];then
|
if [[ $LIST_OF_RDS_INSTANCES ]];then
|
||||||
for rdsinstance in $LIST_OF_RDS_INSTANCES; do
|
for rdsinstance in $LIST_OF_RDS_INSTANCES; do
|
||||||
IS_DELETIONPROTECTION=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --db-instance-identifier $rdsinstance --query 'DBInstances[*].DeletionProtection' --output text)
|
IS_DELETIONPROTECTION=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --db-instance-identifier $rdsinstance --query 'DBInstances[*].DeletionProtection' --output text)
|
||||||
if [[ $IS_DELETIONPROTECTION == "False" ]]; then
|
if [[ $IS_DELETIONPROTECTION == "False" ]]; then
|
||||||
textFail "$regx: RDS instance $rdsinstance deletion protection is not enabled!" "$regx"
|
textFail "$regx: RDS instance $rdsinstance deletion protection is not enabled!" "$regx" "$rdsinstance"
|
||||||
else
|
else
|
||||||
textPass "$regx: RDS instance $rdsinstance deletion protection is enabled" "$regx"
|
textPass "$regx: RDS instance $rdsinstance deletion protection is enabled" "$regx" "$rdsinstance"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
textInfo "$regx: No RDS instances found" "$regx"
|
textInfo "$regx: No RDS instances found" "$regx" "$rdsinstance"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
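Review bot: The resource id passed on the `else` branch, `textInfo "$regx: No RDS instances found" "$regx" "$rdsinstance"`, comes from the loop variable of the instance loop, which at that point is either unset or stale (the last instance of an earlier region, or of an earlier check run in the same shell), so the INFO row for an empty region can carry an unrelated instance id in the new Resource ID column of the CSV, JSON and HTML outputs. An empty-region row has no resource; drop the third argument, `textInfo "$regx: No RDS instances found" "$regx"`, and let `CHECK_RESOURCE_ID` be reset to empty by the call. The same pattern appears on the `else` branches of extra7131, extra7132, extra7133 and extra78 (`$RDS_NAME`), extra723 (both `$rdssnapshot` and `$rdsclustersnapshot`), extra735, extra739 and extra747 (`$rdsinstance`), and should be removed there too.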
|
|||||||
@@ -32,13 +32,13 @@ extra7131(){
|
|||||||
RDS_NAME=$(echo $rds_instance | awk '{ print $1; }')
|
RDS_NAME=$(echo $rds_instance | awk '{ print $1; }')
|
||||||
RDS_AUTOMINORUPGRADE_FLAG=$(echo $rds_instance | awk '{ print $2; }')
|
RDS_AUTOMINORUPGRADE_FLAG=$(echo $rds_instance | awk '{ print $2; }')
|
||||||
if [[ $RDS_AUTOMINORUPGRADE_FLAG == "True" ]];then
|
if [[ $RDS_AUTOMINORUPGRADE_FLAG == "True" ]];then
|
||||||
textPass "$regx: RDS instance: $RDS_NAME is has minor version upgrade enabled" "$regx"
|
textPass "$regx: RDS instance: $RDS_NAME is has minor version upgrade enabled" "$regx" "$RDS_NAME"
|
||||||
else
|
else
|
||||||
textFail "$regx: RDS instance: $RDS_NAME does not have minor version upgrade enabled" "$regx"
|
textFail "$regx: RDS instance: $RDS_NAME does not have minor version upgrade enabled" "$regx" "$RDS_NAME"
|
||||||
fi
|
fi
|
||||||
done <<< "$LIST_OF_RDS_INSTANCES"
|
done <<< "$LIST_OF_RDS_INSTANCES"
|
||||||
else
|
else
|
||||||
textInfo "$regx: no RDS instances found" "$regx"
|
textInfo "$regx: no RDS instances found" "$regx" "$RDS_NAME"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
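Review bot: The textPass message edited here still reads `is has minor version upgrade enabled`; since the commit rewrites this line anyway, the stray `is` should go: `textPass "$regx: RDS instance: $RDS_NAME has minor version upgrade enabled" "$regx" "$RDS_NAME"`. The message text is what lands in the CHECK_RESULT_EXTENDED column, so the typo is visible in every report format. extra7131's region loop and the `while read` loop start outside this hunk.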
|
|||||||
@@ -31,13 +31,13 @@ extra7132(){
|
|||||||
RDS_NAME="$rdsinstance"
|
RDS_NAME="$rdsinstance"
|
||||||
MONITORING_FLAG=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --db-instance-identifier $rdsinstance --query 'DBInstances[*].[EnhancedMonitoringResourceArn]' --output text)
|
MONITORING_FLAG=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --db-instance-identifier $rdsinstance --query 'DBInstances[*].[EnhancedMonitoringResourceArn]' --output text)
|
||||||
if [[ $MONITORING_FLAG == "None" ]];then
|
if [[ $MONITORING_FLAG == "None" ]];then
|
||||||
textFail "$regx: RDS instance: $RDS_NAME has enhanced monitoring disabled!" "$rex"
|
textFail "$regx: RDS instance: $RDS_NAME has enhanced monitoring disabled!" "$rex" "$RDS_NAME"
|
||||||
else
|
else
|
||||||
textPass "$regx: RDS instance: $RDS_NAME has enhanced monitoring enabled." "$regx"
|
textPass "$regx: RDS instance: $RDS_NAME has enhanced monitoring enabled." "$regx" "$RDS_NAME"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
textInfo "$regx: no RDS instances found" "$regx"
|
textInfo "$regx: no RDS instances found" "$regx" "$RDS_NAME"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
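Review bot: The textFail call on the new side still passes `"$rex"` as the region argument, a typo for `$regx` that this commit fixes in the sibling check extra7133 but leaves in place here while editing the same line. With `$rex` unset the second argument is empty, and textFail then presumably falls back to the global region as textPass does, so the failing finding is reported under the wrong region while the passing finding on the next line uses `$regx`. Change it to `textFail "$regx: RDS instance: $RDS_NAME has enhanced monitoring disabled!" "$regx" "$RDS_NAME"`. The enclosing region and instance loops start outside the hunk.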
|
|||||||
@@ -31,13 +31,13 @@ extra7133(){
|
|||||||
RDS_NAME="$rdsinstance"
|
RDS_NAME="$rdsinstance"
|
||||||
MULTIAZ_FLAG=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --db-instance-identifier $rdsinstance --query 'DBInstances[*].MultiAZ' --output text)
|
MULTIAZ_FLAG=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --db-instance-identifier $rdsinstance --query 'DBInstances[*].MultiAZ' --output text)
|
||||||
if [[ $MULTIAZ_FLAG == "True" ]];then
|
if [[ $MULTIAZ_FLAG == "True" ]];then
|
||||||
textPass "$regx: RDS instance: $RDS_NAME has multi-AZ enabled" "$rex"
|
textPass "$regx: RDS instance: $RDS_NAME has multi-AZ enabled" "$regx" "$RDS_NAME"
|
||||||
else
|
else
|
||||||
textFail "$regx: RDS instance: $RDS_NAME has multi-AZ disabled!" "$regx"
|
textFail "$regx: RDS instance: $RDS_NAME has multi-AZ disabled!" "$regx" "$RDS_NAME"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
textInfo "$regx: no RDS instances found" "$regx"
|
textInfo "$regx: no RDS instances found" "$regx" "$RDS_NAME"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -32,13 +32,13 @@ extra723(){
|
|||||||
for rdssnapshot in $LIST_OF_RDS_SNAPSHOTS;do
|
for rdssnapshot in $LIST_OF_RDS_SNAPSHOTS;do
|
||||||
SNAPSHOT_IS_PUBLIC=$($AWSCLI rds describe-db-snapshot-attributes $PROFILE_OPT --region $regx --db-snapshot-identifier $rdssnapshot --query DBSnapshotAttributesResult.DBSnapshotAttributes[*] --output text|grep ^ATTRIBUTEVALUES|cut -f2|grep all)
|
SNAPSHOT_IS_PUBLIC=$($AWSCLI rds describe-db-snapshot-attributes $PROFILE_OPT --region $regx --db-snapshot-identifier $rdssnapshot --query DBSnapshotAttributesResult.DBSnapshotAttributes[*] --output text|grep ^ATTRIBUTEVALUES|cut -f2|grep all)
|
||||||
if [[ $SNAPSHOT_IS_PUBLIC ]];then
|
if [[ $SNAPSHOT_IS_PUBLIC ]];then
|
||||||
textFail "$regx: RDS Snapshot $rdssnapshot is public!" "$regx"
|
textFail "$regx: RDS Snapshot $rdssnapshot is public!" "$regx" "$rdssnapshot"
|
||||||
else
|
else
|
||||||
textPass "$regx: RDS Snapshot $rdssnapshot is not shared" "$regx"
|
textPass "$regx: RDS Snapshot $rdssnapshot is not shared" "$regx" "$rdssnapshot"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
textInfo "$regx: No RDS Snapshots found" "$regx"
|
textInfo "$regx: No RDS Snapshots found" "$regx" "$rdssnapshot"
|
||||||
fi
|
fi
|
||||||
# RDS cluster snapshots
|
# RDS cluster snapshots
|
||||||
LIST_OF_RDS_CLUSTER_SNAPSHOTS=$($AWSCLI rds describe-db-cluster-snapshots $PROFILE_OPT --region $regx --query DBClusterSnapshots[*].DBClusterSnapshotIdentifier --output text)
|
LIST_OF_RDS_CLUSTER_SNAPSHOTS=$($AWSCLI rds describe-db-cluster-snapshots $PROFILE_OPT --region $regx --query DBClusterSnapshots[*].DBClusterSnapshotIdentifier --output text)
|
||||||
@@ -46,13 +46,13 @@ extra723(){
|
|||||||
for rdsclustersnapshot in $LIST_OF_RDS_CLUSTER_SNAPSHOTS;do
|
for rdsclustersnapshot in $LIST_OF_RDS_CLUSTER_SNAPSHOTS;do
|
||||||
CLUSTER_SNAPSHOT_IS_PUBLIC=$($AWSCLI rds describe-db-cluster-snapshot-attributes $PROFILE_OPT --region $regx --db-cluster-snapshot-identifier $rdsclustersnapshot --query DBClusterSnapshotAttributesResult.DBClusterSnapshotAttributes[*] --output text|grep ^ATTRIBUTEVALUES|cut -f2|grep all)
|
CLUSTER_SNAPSHOT_IS_PUBLIC=$($AWSCLI rds describe-db-cluster-snapshot-attributes $PROFILE_OPT --region $regx --db-cluster-snapshot-identifier $rdsclustersnapshot --query DBClusterSnapshotAttributesResult.DBClusterSnapshotAttributes[*] --output text|grep ^ATTRIBUTEVALUES|cut -f2|grep all)
|
||||||
if [[ $CLUSTER_SNAPSHOT_IS_PUBLIC ]];then
|
if [[ $CLUSTER_SNAPSHOT_IS_PUBLIC ]];then
|
||||||
textFail "$regx: RDS Cluster Snapshot $rdsclustersnapshot is public!" "$regx"
|
textFail "$regx: RDS Cluster Snapshot $rdsclustersnapshot is public!" "$regx" "$rdsclustersnapshot"
|
||||||
else
|
else
|
||||||
textPass "$regx: RDS Cluster Snapshot $rdsclustersnapshot is not shared" "$regx"
|
textPass "$regx: RDS Cluster Snapshot $rdsclustersnapshot is not shared" "$regx" "$rdsclustersnapshot"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
textInfo "$regx: No RDS Cluster Snapshots found" "$regx"
|
textInfo "$regx: No RDS Cluster Snapshots found" "$regx" "$rdsclustersnapshot"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -25,20 +25,19 @@ CHECK_DOC_extra735='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overv
|
|||||||
CHECK_CAF_EPIC_extra735='Data Protection'
|
CHECK_CAF_EPIC_extra735='Data Protection'
|
||||||
|
|
||||||
extra735(){
|
extra735(){
|
||||||
textInfo "Looking for RDS Volumes in all regions... "
|
|
||||||
for regx in $REGIONS; do
|
for regx in $REGIONS; do
|
||||||
LIST_OF_RDS_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[*].DBInstanceIdentifier' --output text)
|
LIST_OF_RDS_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[*].DBInstanceIdentifier' --output text)
|
||||||
if [[ $LIST_OF_RDS_INSTANCES ]];then
|
if [[ $LIST_OF_RDS_INSTANCES ]];then
|
||||||
for rdsinstance in $LIST_OF_RDS_INSTANCES; do
|
for rdsinstance in $LIST_OF_RDS_INSTANCES; do
|
||||||
IS_ENCRYPTED=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --db-instance-identifier $rdsinstance --query 'DBInstances[*].StorageEncrypted' --output text)
|
IS_ENCRYPTED=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --db-instance-identifier $rdsinstance --query 'DBInstances[*].StorageEncrypted' --output text)
|
||||||
if [[ $IS_ENCRYPTED == "False" ]]; then
|
if [[ $IS_ENCRYPTED == "False" ]]; then
|
||||||
textFail "$regx: RDS instance $rdsinstance is not encrypted!" "$regx"
|
textFail "$regx: RDS instance $rdsinstance is not encrypted!" "$regx" "$rdsinstance"
|
||||||
else
|
else
|
||||||
textPass "$regx: RDS instance $rdsinstance is encrypted" "$regx"
|
textPass "$regx: RDS instance $rdsinstance is encrypted" "$regx" "$rdsinstance"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
textInfo "$regx: No RDS instances found" "$regx"
|
textInfo "$regx: No RDS instances found" "$regx" "$rdsinstance"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -31,13 +31,13 @@ extra739(){
|
|||||||
# if retention is 0 then is disabled
|
# if retention is 0 then is disabled
|
||||||
BACKUP_RETENTION=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --db-instance-identifier $rdsinstance --query 'DBInstances[*].BackupRetentionPeriod' --output text)
|
BACKUP_RETENTION=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --db-instance-identifier $rdsinstance --query 'DBInstances[*].BackupRetentionPeriod' --output text)
|
||||||
if [[ $BACKUP_RETENTION == "0" ]]; then
|
if [[ $BACKUP_RETENTION == "0" ]]; then
|
||||||
textFail "$regx: RDS instance $rdsinstance has not backup enabled!" "$regx"
|
textFail "$regx: RDS instance $rdsinstance has not backup enabled!" "$regx" "$rdsinstance"
|
||||||
else
|
else
|
||||||
textPass "$regx: RDS instance $rdsinstance has backup enabled with retention period $BACKUP_RETENTION days" "$regx"
|
textPass "$regx: RDS instance $rdsinstance has backup enabled with retention period $BACKUP_RETENTION days" "$regx" "$rdsinstance"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
textInfo "$regx: No RDS instances found" "$regx"
|
textInfo "$regx: No RDS instances found" "$regx" "$rdsinstance"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -31,13 +31,13 @@ extra747(){
|
|||||||
# if retention is 0 then is disabled
|
# if retention is 0 then is disabled
|
||||||
ENABLED_CLOUDWATCHLOGS_EXPORTS=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --db-instance-identifier $rdsinstance --query 'DBInstances[*].EnabledCloudwatchLogsExports' --output text)
|
ENABLED_CLOUDWATCHLOGS_EXPORTS=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --db-instance-identifier $rdsinstance --query 'DBInstances[*].EnabledCloudwatchLogsExports' --output text)
|
||||||
if [[ $ENABLED_CLOUDWATCHLOGS_EXPORTS ]]; then
|
if [[ $ENABLED_CLOUDWATCHLOGS_EXPORTS ]]; then
|
||||||
textPass "$regx: RDS instance $rdsinstance is shipping $ENABLED_CLOUDWATCHLOGS_EXPORTS to CloudWatch Logs" "$regx"
|
textPass "$regx: RDS instance $rdsinstance is shipping $ENABLED_CLOUDWATCHLOGS_EXPORTS to CloudWatch Logs" "$regx" "$rdsinstance"
|
||||||
else
|
else
|
||||||
textFail "$regx: RDS instance $rdsinstance has no CloudWatch Logs enabled!" "$regx"
|
textFail "$regx: RDS instance $rdsinstance has no CloudWatch Logs enabled!" "$regx" "$rdsinstance"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
textInfo "$regx: No RDS instances found" "$regx"
|
textInfo "$regx: No RDS instances found" "$regx" "$rdsinstance"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -27,17 +27,16 @@ CHECK_CAF_EPIC_extra78='Data Protection'
|
|||||||
|
|
||||||
extra78(){
|
extra78(){
|
||||||
# "Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)"
|
# "Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)"
|
||||||
textInfo "Looking for RDS instances in all regions... "
|
|
||||||
for regx in $REGIONS; do
|
for regx in $REGIONS; do
|
||||||
LIST_OF_RDS_PUBLIC_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[?PubliclyAccessible==`true` && DBInstanceStatus==`"available"`].[DBInstanceIdentifier,Endpoint.Address]' --output text)
|
LIST_OF_RDS_PUBLIC_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[?PubliclyAccessible==`true` && DBInstanceStatus==`"available"`].[DBInstanceIdentifier,Endpoint.Address]' --output text)
|
||||||
if [[ $LIST_OF_RDS_PUBLIC_INSTANCES ]];then
|
if [[ $LIST_OF_RDS_PUBLIC_INSTANCES ]];then
|
||||||
while read -r rds_instance;do
|
while read -r rds_instance;do
|
||||||
RDS_NAME=$(echo $rds_instance | awk '{ print $1; }')
|
RDS_NAME=$(echo $rds_instance | awk '{ print $1; }')
|
||||||
RDS_DNSNAME=$(echo $rds_instance | awk '{ print $2; }')
|
RDS_DNSNAME=$(echo $rds_instance | awk '{ print $2; }')
|
||||||
textFail "$regx: RDS instance: $RDS_NAME at $RDS_DNSNAME is set as Publicly Accessible!" "$regx"
|
textFail "$regx: RDS instance: $RDS_NAME at $RDS_DNSNAME is set as Publicly Accessible!" "$regx" "$RDS_NAME"
|
||||||
done <<< "$LIST_OF_RDS_PUBLIC_INSTANCES"
|
done <<< "$LIST_OF_RDS_PUBLIC_INSTANCES"
|
||||||
else
|
else
|
||||||
textPass "$regx: no Publicly Accessible RDS instances found" "$regx"
|
textPass "$regx: no Publicly Accessible RDS instances found" "$regx" "$RDS_NAME"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -15,6 +15,6 @@
|
|||||||
printCsvHeader() {
|
printCsvHeader() {
|
||||||
# >&2 echo ""
|
# >&2 echo ""
|
||||||
# >&2 echo "Generating \"${SEP}\" delimited report on stdout for profile $PROFILE, account $ACCOUNT_NUM"
|
# >&2 echo "Generating \"${SEP}\" delimited report on stdout for profile $PROFILE, account $ACCOUNT_NUM"
|
||||||
echo "PROFILE${SEP}ACCOUNT_NUM${SEP}REGION${SEP}TITLE_ID${SEP}CHECK_RESULT${SEP}ITEM_SCORED${SEP}ITEM_LEVEL${SEP}TITLE_TEXT${SEP}CHECK_RESULT_EXTENDED${SEP}CHECK_ASFF_COMPLIANCE_TYPE${SEP}CHECK_SEVERITY${SEP}CHECK_SERVICENAME${SEP}CHECK_ASFF_RESOURCE_TYPE${SEP}CHECK_ASFF_TYPE${SEP}CHECK_RISK${SEP}CHECK_REMEDIATION${SEP}CHECK_DOC${SEP}CHECK_CAF_EPIC" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV
|
echo "PROFILE${SEP}ACCOUNT_NUM${SEP}REGION${SEP}TITLE_ID${SEP}CHECK_RESULT${SEP}ITEM_SCORED${SEP}ITEM_LEVEL${SEP}TITLE_TEXT${SEP}CHECK_RESULT_EXTENDED${SEP}CHECK_ASFF_COMPLIANCE_TYPE${SEP}CHECK_SEVERITY${SEP}CHECK_SERVICENAME${SEP}CHECK_ASFF_RESOURCE_TYPE${SEP}CHECK_ASFF_TYPE${SEP}CHECK_RISK${SEP}CHECK_REMEDIATION${SEP}CHECK_DOC${SEP}CHECK_CAF_EPIC${SEP}CHECK_RESOURCE_ID" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV
|
||||||
# echo "PROFILE${SEP}ACCOUNT_NUM${SEP}REGION${SEP}TITLE_ID${SEP}RESULT${SEP}SCORED${SEP}LEVEL${SEP}TITLE_TEXT${SEP}NOTES${SEP}COMPLIANCE${SEP}SEVERITY${SEP}SERVICENAME" | tee -a $OUTPUT_FILE_NAME.$EXTENSION_CSV
|
# echo "PROFILE${SEP}ACCOUNT_NUM${SEP}REGION${SEP}TITLE_ID${SEP}RESULT${SEP}SCORED${SEP}LEVEL${SEP}TITLE_TEXT${SEP}NOTES${SEP}COMPLIANCE${SEP}SEVERITY${SEP}SERVICENAME" | tee -a $OUTPUT_FILE_NAME.$EXTENSION_CSV
|
||||||
}
|
}
|
||||||
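Review bot: The header now ends with a `CHECK_RESOURCE_ID` column, so every writer of CSV rows must append the matching field; textPass, textInfo and textFail are updated in this commit, but if any other function writes rows to `${OUTPUT_FILE_NAME}.$EXTENSION_CSV` (none is visible here) its rows are now one column short of the header. A grep for `EXTENSION_CSV` before merge would settle it. A comment above the echo, `# column order must match the row writers in textPass/textInfo/textFail`, would make the coupling explicit for the next field that gets added.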
|
|||||||
@@ -158,6 +158,7 @@ addHtmlHeader() {
|
|||||||
<th style="width:40%" scope="col">Risk</th>
|
<th style="width:40%" scope="col">Risk</th>
|
||||||
<th style="width:40%" scope="col">Remediation</th>
|
<th style="width:40%" scope="col">Remediation</th>
|
||||||
<th style="width:40%" scope="col">Link to doc</th>
|
<th style="width:40%" scope="col">Link to doc</th>
|
||||||
|
<th scope="col">Resource ID</th>
|
||||||
</tr>
|
</tr>
|
||||||
</thead>
|
</thead>
|
||||||
<tbody>
|
<tbody>
|
||||||
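Review bot: The new `<th scope="col">Resource ID</th>` is the only header cell in this row without a `style="width:..."` attribute, while the neighbouring Risk, Remediation and Link to doc cells all carry one, so the new column will be laid out differently from the rest. Either give it the same style attribute as its siblings or add a short comment saying the column is intentionally left to auto-size. addHtmlHeader's body starts outside this hunk.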
|
|||||||
@@ -77,6 +77,7 @@ fi
|
|||||||
textPass(){
|
textPass(){
|
||||||
CHECK_RESULT="PASS"
|
CHECK_RESULT="PASS"
|
||||||
CHECK_RESULT_EXTENDED="$1"
|
CHECK_RESULT_EXTENDED="$1"
|
||||||
|
CHECK_RESOURCE_ID="$3"
|
||||||
|
|
||||||
if [[ "$QUIET" == 1 ]]; then
|
if [[ "$QUIET" == 1 ]]; then
|
||||||
return
|
return
|
||||||
@@ -89,13 +90,13 @@ textPass(){
|
|||||||
REPREGION=$REGION
|
REPREGION=$REGION
|
||||||
fi
|
fi
|
||||||
if [[ "${MODES[@]}" =~ "csv" ]]; then
|
if [[ "${MODES[@]}" =~ "csv" ]]; then
|
||||||
echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}$CHECK_RESULT${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$CHECK_RESULT_EXTENDED${SEP}$CHECK_ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME${SEP}$CHECK_ASFF_RESOURCE_TYPE${SEP}$CHECK_ASFF_TYPE${SEP}$CHECK_RISK${SEP}$CHECK_REMEDIATION${SEP}$CHECK_DOC${SEP}$CHECK_CAF_EPIC" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV
|
echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}$CHECK_RESULT${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$CHECK_RESULT_EXTENDED${SEP}$CHECK_ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME${SEP}$CHECK_ASFF_RESOURCE_TYPE${SEP}$CHECK_ASFF_TYPE${SEP}$CHECK_RISK${SEP}$CHECK_REMEDIATION${SEP}$CHECK_DOC${SEP}$CHECK_CAF_EPIC${SEP}$CHECK_RESOURCE_ID" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV
|
||||||
fi
|
fi
|
||||||
if [[ "${MODES[@]}" =~ "json" ]]; then
|
if [[ "${MODES[@]}" =~ "json" ]]; then
|
||||||
generateJsonOutput "$1" "Pass" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_JSON
|
generateJsonOutput "$1" "Pass" "$CHECK_RESOURCE_ID" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_JSON
|
||||||
fi
|
fi
|
||||||
if [[ "${MODES[@]}" =~ "json-asff" ]]; then
|
if [[ "${MODES[@]}" =~ "json-asff" ]]; then
|
||||||
JSON_ASFF_OUTPUT=$(generateJsonAsffOutput "$1" "PASSED")
|
JSON_ASFF_OUTPUT=$(generateJsonAsffOutput "$1" "PASSED" "$CHECK_RESOURCE_ID")
|
||||||
echo "${JSON_ASFF_OUTPUT}" | tee -a $OUTPUT_FILE_NAME.$EXTENSION_ASFF
|
echo "${JSON_ASFF_OUTPUT}" | tee -a $OUTPUT_FILE_NAME.$EXTENSION_ASFF
|
||||||
if [[ "${SEND_TO_SECURITY_HUB}" -eq 1 ]]; then
|
if [[ "${SEND_TO_SECURITY_HUB}" -eq 1 ]]; then
|
||||||
sendToSecurityHub "${JSON_ASFF_OUTPUT}" "${REPREGION}"
|
sendToSecurityHub "${JSON_ASFF_OUTPUT}" "${REPREGION}"
|
||||||
@@ -118,6 +119,7 @@ textPass(){
|
|||||||
textInfo(){
|
textInfo(){
|
||||||
CHECK_RESULT="INFO"
|
CHECK_RESULT="INFO"
|
||||||
CHECK_RESULT_EXTENDED="$1"
|
CHECK_RESULT_EXTENDED="$1"
|
||||||
|
CHECK_RESOURCE_ID="$3"
|
||||||
|
|
||||||
if [[ "$QUIET" == 1 ]]; then
|
if [[ "$QUIET" == 1 ]]; then
|
||||||
return
|
return
|
||||||
@@ -129,10 +131,10 @@ textInfo(){
|
|||||||
REPREGION=$REGION
|
REPREGION=$REGION
|
||||||
fi
|
fi
|
||||||
if [[ "${MODES[@]}" =~ "csv" ]]; then
|
if [[ "${MODES[@]}" =~ "csv" ]]; then
|
||||||
echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}$CHECK_RESULT${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$CHECK_RESULT_EXTENDED${SEP}$CHECK_ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME${SEP}$CHECK_ASFF_RESOURCE_TYPE${SEP}$CHECK_ASFF_TYPE${SEP}$CHECK_RISK${SEP}$CHECK_REMEDIATION${SEP}$CHECK_DOC${SEP}$CHECK_CAF_EPIC" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV
|
echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}$CHECK_RESULT${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$CHECK_RESULT_EXTENDED${SEP}$CHECK_ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME${SEP}$CHECK_ASFF_RESOURCE_TYPE${SEP}$CHECK_ASFF_TYPE${SEP}$CHECK_RISK${SEP}$CHECK_REMEDIATION${SEP}$CHECK_DOC${SEP}$CHECK_CAF_EPIC${SEP}$CHECK_RESOURCE_ID" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV
|
||||||
fi
|
fi
|
||||||
if [[ "${MODES[@]}" =~ "json" ]]; then
|
if [[ "${MODES[@]}" =~ "json" ]]; then
|
||||||
generateJsonOutput "$1" "Info" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON}
|
generateJsonOutput "$1" "Info" "$CHECK_RESOURCE_ID" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON}
|
||||||
fi
|
fi
|
||||||
if is_junit_output_enabled; then
|
if is_junit_output_enabled; then
|
||||||
output_junit_info "$1"
|
output_junit_info "$1"
|
||||||
@@ -144,7 +146,7 @@ textInfo(){
|
|||||||
echo " $NOTICE INFO! $1 $NORMAL"
|
echo " $NOTICE INFO! $1 $NORMAL"
|
||||||
fi
|
fi
|
||||||
if [[ "${MODES[@]}" =~ "html" ]]; then
|
if [[ "${MODES[@]}" =~ "html" ]]; then
|
||||||
generateHtmlOutput "$1" "INFO"
|
generateHtmlOutput "$1" "INFO" "$CHECK_RESOURCE_ID"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -176,6 +178,7 @@ textFail(){
|
|||||||
|
|
||||||
CHECK_RESULT=$level
|
CHECK_RESULT=$level
|
||||||
CHECK_RESULT_EXTENDED="$1"
|
CHECK_RESULT_EXTENDED="$1"
|
||||||
|
CHECK_RESOURCE_ID="$3"
|
||||||
|
|
||||||
if [[ $2 ]]; then
|
if [[ $2 ]]; then
|
||||||
REPREGION=$2
|
REPREGION=$2
|
||||||
@@ -184,13 +187,13 @@ textFail(){
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ "${MODES[@]}" =~ "csv" ]]; then
|
if [[ "${MODES[@]}" =~ "csv" ]]; then
|
||||||
echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}$CHECK_RESULT${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$CHECK_RESULT_EXTENDED${SEP}$CHECK_ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME${SEP}$CHECK_ASFF_RESOURCE_TYPE${SEP}$CHECK_ASFF_TYPE${SEP}$CHECK_RISK${SEP}$CHECK_REMEDIATION${SEP}$CHECK_DOC${SEP}$CHECK_CAF_EPIC" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV
|
echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}$CHECK_RESULT${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$CHECK_RESULT_EXTENDED${SEP}$CHECK_ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME${SEP}$CHECK_ASFF_RESOURCE_TYPE${SEP}$CHECK_ASFF_TYPE${SEP}$CHECK_RISK${SEP}$CHECK_REMEDIATION${SEP}$CHECK_DOC${SEP}$CHECK_CAF_EPIC${SEP}$CHECK_RESOURCE_ID" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV
|
||||||
fi
|
fi
|
||||||
if [[ "${MODES[@]}" =~ "json" ]]; then
|
if [[ "${MODES[@]}" =~ "json" ]]; then
|
||||||
generateJsonOutput "$1" "${level}" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON}
|
generateJsonOutput "$1" "${level}" "$CHECK_RESOURCE_ID"| tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON}
|
||||||
fi
|
fi
|
||||||
if [[ "${MODES[@]}" =~ "json-asff" ]]; then
|
if [[ "${MODES[@]}" =~ "json-asff" ]]; then
|
||||||
JSON_ASFF_OUTPUT=$(generateJsonAsffOutput "$1" "${level}")
|
JSON_ASFF_OUTPUT=$(generateJsonAsffOutput "$1" "${level}" "$CHECK_RESOURCE_ID")
|
||||||
echo "${JSON_ASFF_OUTPUT}" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_ASFF}
|
echo "${JSON_ASFF_OUTPUT}" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_ASFF}
|
||||||
if [[ "${SEND_TO_SECURITY_HUB}" -eq 1 ]]; then
|
if [[ "${SEND_TO_SECURITY_HUB}" -eq 1 ]]; then
|
||||||
sendToSecurityHub "${JSON_ASFF_OUTPUT}" "${REPREGION}"
|
sendToSecurityHub "${JSON_ASFF_OUTPUT}" "${REPREGION}"
|
||||||
@@ -210,7 +213,7 @@ textFail(){
|
|||||||
echo " $colorcode ${level}! $1 $NORMAL"
|
echo " $colorcode ${level}! $1 $NORMAL"
|
||||||
fi
|
fi
|
||||||
if [[ "${MODES[@]}" =~ "html" ]]; then
|
if [[ "${MODES[@]}" =~ "html" ]]; then
|
||||||
generateHtmlOutput "$1" "${level}"
|
generateHtmlOutput "$1" "${level}" "$CHECK_RESOURCE_ID"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -265,6 +268,7 @@ textTitle(){
|
|||||||
generateJsonOutput(){
|
generateJsonOutput(){
|
||||||
local message=$1
|
local message=$1
|
||||||
local status=$2
|
local status=$2
|
||||||
|
local resource_id=$3
|
||||||
jq -M -c \
|
jq -M -c \
|
||||||
--arg PROFILE "$PROFILE" \
|
--arg PROFILE "$PROFILE" \
|
||||||
--arg ACCOUNT_NUM "$ACCOUNT_NUM" \
|
--arg ACCOUNT_NUM "$ACCOUNT_NUM" \
|
||||||
@@ -279,6 +283,11 @@ generateJsonOutput(){
|
|||||||
--arg TYPE "$CHECK_ASFF_COMPLIANCE_TYPE" \
|
--arg TYPE "$CHECK_ASFF_COMPLIANCE_TYPE" \
|
||||||
--arg TIMESTAMP "$(get_iso8601_timestamp)" \
|
--arg TIMESTAMP "$(get_iso8601_timestamp)" \
|
||||||
--arg SERVICENAME "$CHECK_SERVICENAME" \
|
--arg SERVICENAME "$CHECK_SERVICENAME" \
|
||||||
|
--arg CHECK_CAF_EPIC "$CHECK_CAF_EPIC" \
|
||||||
|
--arg CHECK_RISK "$CHECK_RISK" \
|
||||||
|
--arg CHECK_REMEDIATION "$CHECK_REMEDIATION" \
|
||||||
|
--arg CHECK_DOC "$CHECK_DOC" \
|
||||||
|
--arg CHECK_RESOURCE_ID "$resource_id" \
|
||||||
-n '{
|
-n '{
|
||||||
"Profile": $PROFILE,
|
"Profile": $PROFILE,
|
||||||
"Account Number": $ACCOUNT_NUM,
|
"Account Number": $ACCOUNT_NUM,
|
||||||
@@ -292,7 +301,12 @@ generateJsonOutput(){
|
|||||||
"Region": $REPREGION,
|
"Region": $REPREGION,
|
||||||
"Timestamp": $TIMESTAMP,
|
"Timestamp": $TIMESTAMP,
|
||||||
"Compliance": $TYPE,
|
"Compliance": $TYPE,
|
||||||
"Service": $SERVICENAME
|
"Service": $SERVICENAME,
|
||||||
|
"CAF Epic": $CHECK_CAF_EPIC,
|
||||||
|
"Risk": $CHECK_RISK,
|
||||||
|
"Remediation": $CHECK_REMEDIATION,
|
||||||
|
"Doc link": $CHECK_DOC,
|
||||||
|
"Resource ID": $CHECK_RESOURCE_ID
|
||||||
}'
|
}'
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -377,6 +391,7 @@ generateHtmlOutput(){
|
|||||||
echo '<td><p class="show-read-more">'$CHECK_RISK'</p></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
echo '<td><p class="show-read-more">'$CHECK_RISK'</p></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
||||||
echo '<td><p class="show-read-more">'$CHECK_REMEDIATION'</p></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
echo '<td><p class="show-read-more">'$CHECK_REMEDIATION'</p></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
||||||
echo '<td><a href="'$CHECK_DOC'">'$CHECK_DOC'</a></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
echo '<td><a href="'$CHECK_DOC'">'$CHECK_DOC'</a></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
||||||
|
echo '<td>'$CHECK_RESOURCE_ID'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
||||||
echo '</tr>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
echo '</tr>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
||||||
fi
|
fi
|
||||||
if [[ $status == "PASS" ]];then
|
if [[ $status == "PASS" ]];then
|
||||||
@@ -395,6 +410,7 @@ generateHtmlOutput(){
|
|||||||
echo '<td><p class="show-read-more">'$CHECK_RISK'</p></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
echo '<td><p class="show-read-more">'$CHECK_RISK'</p></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
||||||
echo '<td><p class="show-read-more">'$CHECK_REMEDIATION'</p></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
echo '<td><p class="show-read-more">'$CHECK_REMEDIATION'</p></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
||||||
echo '<td><a href="'$CHECK_DOC'">'$CHECK_DOC'</a></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
echo '<td><a href="'$CHECK_DOC'">'$CHECK_DOC'</a></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
||||||
|
echo '<td>'$CHECK_RESOURCE_ID'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
||||||
echo '</tr>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
echo '</tr>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
||||||
fi
|
fi
|
||||||
if [[ $status == "FAIL" ]];then
|
if [[ $status == "FAIL" ]];then
|
||||||
@@ -413,6 +429,7 @@ generateHtmlOutput(){
|
|||||||
echo '<td><p class="show-read-more">'$CHECK_RISK'</p></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
echo '<td><p class="show-read-more">'$CHECK_RISK'</p></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
||||||
echo '<td><p class="show-read-more">'$CHECK_REMEDIATION'</p></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
echo '<td><p class="show-read-more">'$CHECK_REMEDIATION'</p></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
||||||
echo '<td><a href="'$CHECK_DOC'">'$CHECK_DOC'</a></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
echo '<td><a href="'$CHECK_DOC'">'$CHECK_DOC'</a></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
||||||
|
echo '<td>'$CHECK_RESOURCE_ID'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
||||||
echo '</tr>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
echo '</tr>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
||||||
fi
|
fi
|
||||||
if [[ $status == "WARNING" ]];then
|
if [[ $status == "WARNING" ]];then
|
||||||
@@ -431,6 +448,7 @@ generateHtmlOutput(){
|
|||||||
echo '<td><p class="show-read-more">'$CHECK_RISK'</p></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
echo '<td><p class="show-read-more">'$CHECK_RISK'</p></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
||||||
echo '<td><p class="show-read-more">'$CHECK_REMEDIATION'</p></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
echo '<td><p class="show-read-more">'$CHECK_REMEDIATION'</p></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
||||||
echo '<td><a href="'$CHECK_DOC'">'$CHECK_DOC'</a></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
echo '<td><a href="'$CHECK_DOC'">'$CHECK_DOC'</a></td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
||||||
|
echo '<td>'$CHECK_RESOURCE_ID'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
||||||
echo '</tr>'>> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
echo '</tr>'>> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||