From 206b675179ef2b0e041b39f59bf163d3ef3d2848 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Mon, 13 Jul 2020 17:33:07 +0200 Subject: [PATCH] Added group for pci-dss as reference --- groups/group15_pci | 113 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 112 insertions(+), 1 deletion(-) diff --git a/groups/group15_pci b/groups/group15_pci index 89b59656..9cdf83a9 100644 --- a/groups/group15_pci +++ b/groups/group15_pci 
@@ -15,7 +15,118 @@ GROUP_ID[15]='pci' GROUP_NUMBER[15]='15.0' GROUP_TITLE[15]='PCI-DSS v3.2.1 Readiness - ONLY AS REFERENCE - [pci] **********' GROUP_RUN_BY_DEFAULT[15]='N' # run it when execute_all is called -GROUP_CHECKS[15]='' +GROUP_CHECKS[15]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check112,check113,check114,check116,check21,check23,check25,check26,check27,check28,check29,check314,check36,check38,check43,extra713,extra717,extra718,extra72,extra729,extra735,extra738,extra740,extra744,extra748,extra75,extra750,extra751,extra753,extra754,extra755,extra756,extra773,extra78,extra780,extra781,extra782,extra783,extra784,extra785,extra787,extra788' # Resources: # https://github.com/toniblyx/prowler/issues/296 + +# List of checks based on PCI v3.2.1 +# 3.1 Requirement: Install and Maintain a Firewall Configuration to Protect Cardholder Data + +# Ensure no security groups allow ingress from 0.0.0.0/0 to all ports and protocols extra748 +# Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP 3389) check42 +# Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP 22) check41 +# Ensure no security groups allow ingress from 0.0.0.0/0 to Oracle (TCP 1521) extra749 +# Ensure no security groups allow ingress from 0.0.0.0/0 to Oracle (TCP and UDP 2483) extra749 +# Ensure no security groups allow ingress from 0.0.0.0/0 to Oracle (UDP 2483) extra749 +# Ensure no security groups allow ingress from 0.0.0.0/0 to MySQL (TCP 3306) extra750 +# Ensure no security groups allow ingress from 0.0.0.0/0 to Postgres (TCP 5432) extra751 +# Ensure no security groups allow ingress from 0.0.0.0/0 to Redis (TCP 6379)extra752 +# Ensure no security groups allow ingress from 0.0.0.0/0 to MongoDB (TCP 27017 and 27018) extra753 +# Ensure no security groups allow ingress from 0.0.0.0/0 to Cassandra (TCP 7199, 9160 and 8888) extra754 +# Ensure no security groups allow ingress from 0.0.0.0/0 to Memcached (TCP and UDP 11211) extra755 +# 
Ensure no security groups allow ingress from 0.0.0.0/0 to Elasticsearch ports (TCP 9200/9300/5601) extra779 +# Ensure the default security group restricts all traffic check43 +# Remove unused security groups extra75 +# RDS should not have Public interface open to a public scope extra78 +# Check for Publicly Accessible Redshift Clusters extra756 + +# 3.2 Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters + +# Instance with administrative service: SSH (TCP:22) is exposed to the public Internet check41 +# Instance with administrative service: RDP (TCP:3389) is exposed to the public Internet check42 +# Instance with unencrypted Redis: (TCP:6379) is exposed to the public Internet extra752 + +# 3.3 Requirement 3: Protect Stored Cardholder Data + +# S3 Buckets Server Side encryption at rest extra734 +# Ensure ECS Cluster At-rest encryption TODO +# Ensure DynamoDB -Server Side Encryption DONE (default behavior) +# Check if RDS instances storage is encrypted extra735 +# Ensure there are no EBS Volumes unencrypted extra729 +# Ensure CloudTrail logs are encrypted at rest using KMS CMKs check27 +# Ensure rotation for customer created CMKs is enabled check28 +# Check if EBS snapshots are encrypted extra740 +# Ensure there are no EBS Snapshots set as Public extra72 +# Ensure there is no Fargate containers in use (/aws/containers-roadmap/issues/314) TODO + +# 3.4 Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks + +# Use encrypted connections between CloudFront and origin server extra738 and TODO +# Ensure that S3 Buckets only allow data transfer using SSL/TLS extra734 +# ELB is setup with SSL for secure communications TODO +# Ensure the access keys are rotated every 90 days or less check14 +# Network Load Balancer with unencrypted service: ElasticSearch (TCP:9200) is exposed to the public Internet TODO? 
ELB on SSL should be enough extra779 and extra716 +# Network Load Balancer with unencrypted service: ElasticSearch (TCP:9300) is exposed to the public Internet TODO? ELB on SSL should be enough extra779 and extra716 +# Network Load Balancer with unencrypted service: LDAP (UDP:389) is exposed to the public Internet TODO? ELB on SSL should be enough +# Network Load Balancer with unencrypted service: LDAP (TCP:389) is exposed to the public Internet TODO? ELB on SSL should be enough +# Instance with unencrypted service: ElasticSearch (TCP:9200) is exposed to the public Internet extra779 and extra716 +# Instance with unencrypted service: ElasticSearch (TCP:9300) is exposed to the public Internet extra779 and extra716 +# Instance with unencrypted service: LDAP (UDP:389) is exposed to the public Internet +# Instance with unencrypted service: LDAP (TCP:389) is exposed to the public Internet +# Instance with unencrypted Redis: (TCP:6379) is exposed to the public Internet + +# 3.5. Requirement 5: Protect All Systems Against Malware and Regularly Update Anti-Virus Software or Programs + +# N/A +# 3.6. Requirement 6: Develop and Maintain Secure Systems and Applications + +# Ensure Inspector has Assessment Targets TODO +# Ensure Inspector has a Scheduled Assessment Template TODO +# Check for WAF IPSet TODO +# Check for WAF Constraint Sets TODO +# Check for WAF Web ACL extra744,extra773 + +# 3.7. Requirement 7: Restrict Access to Cardholder Data By Business Need To Know + +# Credentials (access keys) unused for 90 days or more should be disabled check13 +# Credentials (password enabled) unused for 90 days or more should be disabled check111 +# Ensure IAM policies are attached only to groups or roles check116 + +# 3.8. 
Requirement 8: Identify and Authenticate Access to System Components + +# Enforce password policy: IAM (check15, check16, check17, check18, check19, check110, check111) +# Ensure that MFA is enabled for root account check113 +# Ensure MFA is enabled for all IAM users that have a console password check12 +# Ensure no root account access key exist check112 +# Ensure hardware MFA is enabled for the root account check114 +# Avoid the use of root account. check11 + +# 3.9 Requirement 9: Restrict Physical Access to Cardholder Data + +# N/A +# 3.10. Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data + +# Ensure CloudTrail is enabled in all regions check21 +# Ensure VPC Flow Logging is enabled in all the applicable Regions check29 +# Ensure S3 Buckets access logging is enabled on the CloudTrail S3 bucket check26 +# ELB is created with access logs enabled extra717 +# S3 bucket should have server access logging enabled extra718 +# Ensure AWS Config in all regions check25 +# S3 bucket CloudTrail logs should not have public accessible check23 +# S3 buckets should not be world-listable extra73 +# S3 buckets should not be world-writable extra73 +# S3 buckets should not be world-readable extra73 +# Ensure a log metric filter and alarm exist for S3 bucket policy changes check38 +# Ensure a log metric exist for AWS Management console authentication failures check36 +# Ensure a log metric exist for VPC changes check314 + +# 3.11. Requirement 11: Regularly Test Security Systems and Processes + +# Ensure AWS GuarDduty is enabled extra713 +# Ensure Inspector has Assessment Targets +# Ensure Inspector has a Scheduled Assessment Template + +# Requirement 12: Maintain a Policy That Addresses Information Security For All Personnel + +# N/A \ No newline at end of file
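Review bot: the new GROUP_CHECKS[15] list does not match the per-requirement mapping in the comments that follow it. Several checks the comments cite as covering a requirement are absent from the list (check41 and check42 for SSH/RDP exposure under Requirements 1 and 2, extra749 for Oracle, extra752 for Redis, extra779 and extra716 for Elasticsearch, extra734 for S3 encryption and SSL-only transfer, extra73 for world-readable/writable/listable buckets, check111 for unused console passwords under Requirements 7 and 8), while the list includes extra780 through extra788, which no comment maps to any requirement. Either add the cited checks to GROUP_CHECKS[15] or annotate why they are excluded, and give extra780-extra788 a line in the mapping so the group stays auditable against the stated PCI requirements; the `# Ensure Inspector has Assessment Targets` / `Scheduled Assessment Template` lines under Requirement 11 should also carry the same TODO marker they have under Requirement 6. Minor: "GuarDduty" should read "GuardDuty", "there is no Fargate containers" should read "there are no Fargate containers", and the file now ends without a trailing newline (`\ No newline at end of file`), which will produce a noisy diff on the next edit.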