ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-12 15:55:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

added check extra725 S3 object-level logging

Browse Source
This commit is contained in:
Toni de la Fuente
2018-04-10 16:17:53 -04:00
parent 168ccffaf4
commit 25cd2202a7
2 changed files with 54 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

94
checks/check_extra725
View File

@@ -10,49 +10,51 @@
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the # CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License. # specific language governing permissions and limitations under the License.
# CHECK_ID_extra725="7.25"
# CHECK_TITLE_extra725="[extra725] Check if S3 buckets have Object-level logging enabled (Not Scored) (Not part of CIS benchmark)" CHECK_ID_extra725="7.25"
# CHECK_SCORED_extra725="NOT_SCORED" CHECK_TITLE_extra725="[extra725] Check if S3 buckets have Object-level logging enabled in CloudTrail (Not Scored) (Not part of CIS benchmark)"
# CHECK_ALTERNATE_check725="extra725" CHECK_SCORED_extra725="NOT_SCORED"
# CHECK_ALTERNATE_check725="extra725"
# aws cloudtrail get-event-selectors --trail-name Default --profile security --region us-east-1 --query "EventSelectors[*].DataResources[?Type == \`AWS::S3::Object\`].Values" --output text |xargs -n1 |cut -d: -f 6|sed 's/\///g'
# # per Object-level logging is not configured at Bucket level but at CloudTrail trail level
# extra725(){ extra725(){
# # "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)" # "Check if S3 buckets have Object-level logging enabled in CloudTrail (Not Scored) (Not part of CIS benchmark)"
# for regx in $REGIONS; do textInfo "Looking for S3 Buckets Object-level logging information in all trails... "
# LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --query Functions[*].FunctionName --output text)
# if [[ $LIST_OF_FUNCTIONS ]]; then # create a file with a list of all buckets
# for lambdafunction in $LIST_OF_FUNCTIONS;do TEMP_BUCKET_LIST_FILE=$(mktemp -t prowler.bucket-list-XXXXXX)
# LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query trailList[?HomeRegion==\`$regx\`].Name --output text) $AWSCLI s3api list-buckets --query 'Buckets[*].{Name:Name}' $PROFILE_OPT --region $REGION --output text > $TEMP_BUCKET_LIST_FILE
# if [[ $LIST_OF_TRAILS ]]; then
# for trail in $LIST_OF_TRAILS; do # now create a list with all trails available and their region
# FUNCTION_ENABLED_IN_TRAIL=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $regx --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$") TEMP_TRAILS_LIST_FILE=$(mktemp -t prowler.trails-list-XXXXXX)
# if [[ $FUNCTION_ENABLED_IN_TRAIL ]]; then for regx in $REGIONS; do
# textPass "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx" $AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query trailList[?HomeRegion==\`$regx\`].[Name,HomeRegion] --output text >> $TEMP_TRAILS_LIST_FILE
# else done
# textFail "$regx: Lambda function $lambdafunction NOT enabled in trail $trail" "$regx" if [ ! -s $TEMP_TRAILS_LIST_FILE ]; then
# fi textInfo "$regx: No S3 buckets found" "$regx"
# done exit
# # LIST_OF_MULTIREGION_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[?IsMultiRegionTrail == \`true\`].Name" --output text) fi
# # if [[ $LIST_OF_MULTIREGION_TRAILS ]]; then
# # for trail in $LIST_OF_MULTIREGION_TRAILS; do # look for buckets being logged per trail and create a list with them
# # REGION_OF_TRAIL=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query "trailList[?IsMultiRegionTrail == \`true\` && Name == \`$trail\` ].HomeRegion" --output text) TEMP_BUCKETS_LOGGING_LIST_FILE=$(mktemp -t prowler.buckets-logging-list-XXXXXX)
# # FUNCTION_ENABLED_IN_THIS_REGION=$($AWSCLI cloudtrail get-event-selectors $PROFILE_OPT --trail-name $trail --region $REGION_OF_TRAIL --query "EventSelectors[*].DataResources[?Type == \`AWS::Lambda::Function\`].Values" --output text |xargs -n1| grep -E "^arn:aws:lambda.*function:$lambdafunction$") for trail in $(cat $TEMP_TRAILS_LIST_FILE | awk '{ print $1 }'); do
# # if [[ $FUNCTION_ENABLED_IN_THIS_REGION ]]; then TRAIL_REGION=$(grep ^$trail $TEMP_TRAILS_LIST_FILE | awk '{ print $2 }')
# # textPass "$regx: Lambda function $lambdafunction enabled in trail $trail" "$regx" BUCKETS_OBJECT_LOGGING_ENABLED=$($AWSCLI cloudtrail get-event-selectors --trail-name $trail $PROFILE_OPT --region $TRAIL_REGION --query "EventSelectors[*].DataResources[?Type == \`AWS::S3::Object\`].Values" --output text |xargs -n1 |cut -d: -f 6|sed 's/\///g')
# # else echo $BUCKETS_OBJECT_LOGGING_ENABLED |tr " " "\n"|sort >> $TEMP_BUCKETS_LOGGING_LIST_FILE
# # textFail "$regx: Lambda function $lambdafunction NOT enabled in trail $trail" "$regx" if [[ $BUCKETS_OBJECT_LOGGING_ENABLED ]]; then
# # fi for bucket in $BUCKETS_OBJECT_LOGGING_ENABLED; do
# # done textPass "$regx: S3 bucket $bucket has Object-level logging enabled in trail $trail" "$regx"
# # else done
# # textFail "$regx: Lambda function $lambdafunction is not being recorded!" "$regx" fi
# # fi done
# else # diff to get the ones that are not in any trail then they are not logging
# textFail "$regx: Lambda function $lambdafunction is not being recorded no CloudTrail found!" "$regx" BUCKETS_NOT_LOGGING=$(diff $TEMP_BUCKETS_LOGGING_LIST_FILE $TEMP_BUCKET_LIST_FILE | sed -n 's/^> //p')
# fi if [[ $BUCKETS_NOT_LOGGING ]]; then
# done for bucket in $BUCKETS_NOT_LOGGING; do
# else textFail "$regx: S3 bucket $bucket has Object-level logging disabled" "$regx"
# textInfo "$regx: No Lambda functions found" "$regx" done
# fi fi
# done # delete all temp files
# } rm -fr $TEMP_BUCKET_LIST_FILE $TEMP_TRAILS_LIST_FILE $TEMP_BUCKETS_LOGGING_LIST_FILE
}

6
groups/group9_gdpr
View File

@@ -16,3 +16,9 @@ GROUP_NUMBER[9]='8.0'
GROUP_TITLE[9]='GDPR Readiness - [gdpr] ****************************************' GROUP_TITLE[9]='GDPR Readiness - [gdpr] ****************************************'
GROUP_RUN_BY_DEFAULT[9]='N' # run it when execute_all is called GROUP_RUN_BY_DEFAULT[9]='N' # run it when execute_all is called
GROUP_CHECKS[9]='' GROUP_CHECKS[9]=''
# Resources:
# https://d1.awsstatic.com/whitepapers/compliance/GDPR_Compliance_on_AWS.pdf
# https://github.com/toniblyx/prowler/issues/189
# https://www.slideshare.net/AmazonWebServices/sid303-navigating-gdpr-compliance-on-aws
# https://aws.amazon.com/compliance/gdpr-center/