From 3665d64f2b4182db9bf400def6b878cba88e51db Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Wed, 7 Feb 2018 23:49:26 -0500 Subject: [PATCH] Added check extra714 CloudFront logging --- README.md | 6 ++++-- prowler | 29 +++++++++++++++++++++++++++-- 2 files changed, 31 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 294768f7..0bd66e29 100644 --- a/README.md +++ b/README.md @@ -583,7 +583,7 @@ We are adding additional checks to improve the information gather from each acco Note: Some of these checks for publicly facing resources may not actually be fully public due to other layered controls like S3 Bucket Policies, Security Groups or Network ACLs. -At this moment we have 11 extra checks: +At this moment we have 14 extra checks: - 7.1 (`extra71`) Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark) - 7.2 (`extra72`) Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark) @@ -597,7 +597,8 @@ At this moment we have 11 extra checks: - 7.10 (`extra710`) Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark) - 7.11 (`extra711`) Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark) - 7.12 (`extra712`) Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark) - +- 7.13 (`extra713`) Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark) +- 7.14 (`extra714`) Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark) To check all extras in one command: ``` 
@@ -621,6 +622,7 @@ With this group of checks, Prowler looks if each service with logging or audit c
 - 4.3 Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
 - 7.12 Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
 - 7.13 Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)
+- 7.14 Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
 
 The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command:
 ```
diff --git a/prowler b/prowler
index 49a3ba9f..8e530619 100755
--- a/prowler
+++ b/prowler
@@ -494,6 +494,8 @@ ID712="7.12,7.12"
 TITLE712="Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
 ID713="7.13,7.13"
 TITLE713="Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
+ID714="7.14,7.14"
+TITLE714="Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
 
 printCsvHeader() {
 >&2 echo ""
@@ -1890,6 +1892,26 @@ extra713(){
 done
 }
 
+extra714(){
+ # "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
+ textTitle "$ID714" "$TITLE714" "NOT_SCORED" "EXTRA"
+ for regx in $REGIONS; do
+ LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions $PROFILE_OPT --region $regx --query 'DistributionList.Items[].Id' --output text |grep -v "^None")
+ if [[ $LIST_OF_DISTRIBUTIONS ]]; then
+ for cdn in $LIST_OF_DISTRIBUTIONS;do
+ CDN_LOG_ENABLED=$($AWSCLI cloudfront get-distribution $PROFILE_OPT --region $regx --id "$cdn" --query 'Distribution.DistributionConfig.Logging.Enabled' | grep true)
+ if [[ $CDN_LOG_ENABLED ]];then
+ textOK "$regx: CDN $cdn logging enabled" "$regx"
+ else
+ textWarn "$regx: CDN $cdn logging disabled!" "$regx"
+ fi
+ done
+ else
+ textOK "$regx: CDN not configured" "$regx"
+ fi
+ done
+}
+
 callCheck(){
 if [[ $CHECKNUMBER ]];then
 case "$CHECKNUMBER" in
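Review bot: In extra714 a failed `get-distribution` call (missing permission, throttling, a distribution deleted between the two calls) leaves CDN_LOG_ENABLED empty because the pipe into `grep true` hides the CLI exit status, so the else branch reports `logging disabled!` for a distribution that was never actually read. The lookup and the boolean test should be separated so that an error is reported as an error and only a real `false` becomes a finding; the rewritten inner loop below does that and also ignores output case so it works with either json or text output. CloudFront is a global service, so repeating list-distributions and get-distribution for every entry in $REGIONS will print the same findings once per region; a single pass should be enough. The `# "Check if ..."` comment repeats TITLE714 verbatim and could simply say `# see TITLE714`.
```shell
for cdn in $LIST_OF_DISTRIBUTIONS;do
  # keep the CLI exit status visible: a failed lookup is not "logging disabled"
  if ! CDN_LOG_STATE=$($AWSCLI cloudfront get-distribution $PROFILE_OPT --region $regx --id "$cdn" --query 'Distribution.DistributionConfig.Logging.Enabled' 2>&1); then
    textWarn "$regx: CDN $cdn could not be read: $CDN_LOG_STATE" "$regx"
  elif echo "$CDN_LOG_STATE" | grep -qi true; then
    textOK "$regx: CDN $cdn logging enabled" "$regx"
  else
    textWarn "$regx: CDN $cdn logging disabled!" "$regx"
  fi
done
# … unchanged: outer region loop and "CDN not configured" branch …
```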
@@ -1958,6 +1980,7 @@ callCheck(){
 extra711|extra711 ) extra711;;
 extra712|extra712 ) extra712;;
 extra713|extra713 ) extra713;;
+ extra714|extra714 ) extra714;;
 
 ## Groups of Checks
 check1 )
@@ -1994,12 +2017,12 @@ callCheck(){
 ;;
 extras )
 extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78;
- extra79;extra710;extra711;extra712;extra713
+ extra79;extra710;extra711;extra712;extra713;extra714
 ;;
 forensics-ready )
 check21;check22;check23;check24;check25;check26;check27;
 check43;
- extra712;extra713
+ extra712;extra713;extra714
 ;;
 * )
 textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";
@@ -2083,6 +2106,7 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then
 textTitle "$ID711" "$TITLE711" "NOT_SCORED" "EXTRA"
 textTitle "$ID712" "$TITLE712" "NOT_SCORED" "EXTRA"
 textTitle "$ID713" "$TITLE713" "NOT_SCORED" "EXTRA"
+ textTitle "$ID714" "$TITLE713" "NOT_SCORED" "EXTRA"
 
 exit $EXITCODE
 fi
@@ -2172,6 +2196,7 @@ extra710
 extra711
 extra712
 extra713
+extra714
 
 cleanTemp
 exit $EXITCODE
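Review bot: The line added to the `PRINTCHECKSONLY` listing pairs ID714 with the wrong title: `textTitle "$ID714" "$TITLE713" "NOT_SCORED" "EXTRA"` prints the GuardDuty description next to 7.14, so the check list shows two entries with the same text and the CloudFront one is never named. It should read `textTitle "$ID714" "$TITLE714" "NOT_SCORED" "EXTRA"`. The check function itself (extra714 in the earlier hunk) already uses TITLE714, so only this listing is affected. The enclosing `if [[ $PRINTCHECKSONLY == "1" ]]` block starts outside the hunk.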