From 194eecb26911ceae4bd107f997d3efde3a88e523 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Mon, 5 Feb 2018 23:07:55 -0500 Subject: [PATCH] New forensics-ready check group and extra712 --- README.md | 12 +++++++++++- prowler | 24 ++++++++++++++++++++++-- 2 files changed, 33 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 96b6046a..02336e8a 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,7 @@ - [Screenshots](#screenshots) - [Troubleshooting](#troubleshooting) - [Extras](#extras) +- [Forensics ready checks](#forensics-ready-checks) - [Add Custom Checks](#add-custom-checks) - [Third Party Integrations](#third-party-integrations) @@ -24,7 +25,7 @@ It covers hardening and security best practices for all AWS regions related to: - Logging (8 checks) - Monitoring (15 checks) - Networking (5 checks) -- Extras (11 checks) *see Extras section +- Extras (12 checks) *see Extras section For a comprehesive list and resolution look at the guide on the link above. @@ -594,6 +595,8 @@ At this moment we have 11 extra checks: - 7.9 (`extra79`) Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark) - 7.10 (`extra710`) Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark) - 7.11 (`extra711`) Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark) +- 7.12 (`extra712`) Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark) + To check all extras in one command: ``` 
@@ -604,6 +607,13 @@ or to run just one of the checks: ./prowler -c extraNUMBER ``` +## Forensics Ready Checks + +With this group of checks, Prowler looks if each service with logging or audit capabilities has them enabled to ensure all needed evidences are recorded for an eventual digital forensic investigation in case of incident. The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command: +``` +./prowler -c forensics-ready +``` + ## Add Custom Checks In order to add any new check feel free to create a new extra check in the extras section. To do so, you will need to follow these steps: diff --git a/prowler b/prowler index 29aca926..4a1b66a8 100755 --- a/prowler +++ b/prowler @@ -486,7 +486,8 @@ ID710="7.10,7.10" TITLE710="Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)" ID711="7.11,7.11" TITLE711="Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)" - +ID712="7.12,7.12" +TITLE712="Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)" printCsvHeader() { >&2 echo "" @@ -1851,6 +1852,19 @@ extra711(){ done } +extra712(){ + # "Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)" + textTitle "$ID712" "$TITLE712" "NOT_SCORED" "EXTRA" + textNotice "No API commands available to check if Macie is enabled," + textNotice "just looking if IAM Macie related permissions exist. " + MACIE_IAM_ROLES_CREATED=$($AWSCLI iam list-roles $PROFILE_OPT --query 'Roles[*].Arn'|grep AWSMacieServiceCustomer|wc -l) + if [[ $MACIE_IAM_ROLES_CREATED -eq 2 ]];then + textOK "Macie related IAM roles exist, so it might be enabled. Check it out manually." + else + textWarn "No Macie related IAM roles found. It is most likely not be enabled" + fi +} + callCheck(){ if [[ $CHECKNUMBER ]];then case "$CHECKNUMBER" in 
@@ -1917,6 +1931,7 @@ callCheck(){ extra79|extra709 ) extra79;; extra710|extra710 ) extra710;; extra711|extra711 ) extra711;; + extra712|extra712 ) extra712;; ## Groups of Checks check1 ) @@ -1953,7 +1968,12 @@ callCheck(){ ;; extras ) extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78; - extra79;extra710;extra711 + extra79;extra710;extra711;extra712 + ;; + forensics-ready ) + check21;check22;check23;check24;check25;check26;check27; + check43; + extra712; ;; * ) textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";
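Review bot: the intro line of the extras list is now stale; the hunk at README line 594 adds `7.12 (extra712)` under the context line `At this moment we have 11 extra checks:` while the earlier hunk already bumps the summary to `Extras (12 checks)`. Update that sentence to 12 in the same commit so the two counts agree.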
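Review bot: the new "Forensics Ready Checks" README section says the group "uses existing and extra checks" but does not name them; readers cannot tell what a forensics-readiness report covers without reading the `callCheck` case in `prowler`. List the member checks (2.1 through 2.7, 4.3 and 7.12, per the `forensics-ready )` case in this patch) in the section, and while touching it fix "all needed evidences are recorded" to "all needed evidence is recorded".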
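Review bot: in `extra712()` the pass condition `if [[ $MACIE_IAM_ROLES_CREATED -eq 2 ]]` only succeeds when exactly two role ARNs match `AWSMacieServiceCustomer`; an account with one or with three or more matching roles falls into the else branch and is told "No Macie related IAM roles found", which is false for that account. Since the check only claims that roles "exist", test for any match instead, e.g. `if [[ $MACIE_IAM_ROLES_CREATED -gt 0 ]];then`. Two smaller points in the same hunk: the warning text "It is most likely not be enabled" should read "It is most likely not enabled", and the second `textNotice` argument carries a trailing space inside the quotes.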
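Review bot: the added case pattern `extra712|extra712 ) extra712;;` lists the same token twice, so the alternation does nothing. The older entries use the second alternative for a zero-padded alias (`extra79|extra709`); either add the matching alias for this check or drop the duplicate and use a plain `extra712 ) extra712;;`.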
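Review bot: the new `forensics-ready )` group runs `check21` through `check27` but stops short of `check28`, even though the README in this same patch counts the Logging section as 8 checks. If leaving 2.8 out of the forensics group is deliberate, say so in the README section that introduces the group; if not, add `check28;` to the list. Also, the fallback `textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n"` still only gives individual checks as examples; consider mentioning the group names (`extras`, `forensics-ready`) now that there is more than one.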