From 36e851b79f932758a66f99c66628088d4a7d5c6e Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Thu, 11 Jan 2018 16:46:08 -0500 Subject: [PATCH] Added check extra78 --- README.md | 5 +++-- prowler | 23 ++++++++++++++++++++++- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index d7702523..771a24b4 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,7 @@ It covers hardening and security best practices for all AWS regions related to: - Logging (8 checks) - Monitoring (15 checks) - Networking (5 checks) -- Extra checks (5 checks) *see Extras section +- Extras (8 checks) *see Extras section For a comprehesive list and resolution look at the guide on the link above. @@ -587,6 +587,7 @@ At this momment we have 5 extra checks: - 7.5 (`extra75`) Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark) - 7.6 (`extra76`) Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark) - 7.7 (`extra77`) Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark) +- 7.8 (`extra78`) Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark) ``` ./prowler -c extras @@ -612,4 +613,4 @@ In order to add any new check feel free to create a new extra check in the extra ### Telegram Javier Pecete has done an awesome job integrating Prowler with Telegram, you have more details here https://github.com/i4specete/ServerTelegramBot ### Cloud Security Suite -The guys of SecurityFTW have added Prowler in their Cloud Security Suite along with other cool security tools https://github.com/SecurityFTW/cs-suite +The guys of SecurityFTW have added Prowler in their Cloud Security Suite along with other cool security tools https://github.com/SecurityFTW/cs-suite diff --git a/prowler b/prowler index d09bdcf0..cd251b02 100755 --- a/prowler +++ b/prowler @@ -482,6 +482,9 @@ ID76="7.6,7.06" TITLE76="Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)" ID77="7.7,7.07" TITLE77="Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)" +ID78="7.8,7.08" +TITLE78="Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)" + printCsvHeader() { >&2 echo "" @@ -1750,7 +1753,22 @@ extra77(){ done rm -fr $TEMP_POLICY_FILE done +} +extra78(){ + # "Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)" + textTitle "$ID78" "$TITLE78" "NOT_SCORED" "EXTRA" + textNotice "Looking for RDS instances in all regions... " + for regx in $REGIONS; do + LIST_OF_RDS_PUBLIC_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[?PubliclyAccessible==`true`].{id:DBInstanceIdentifier}' --output text) + if [[ $LIST_OF_RDS_PUBLIC_INSTANCES ]];then + for rds_instance in $(echo $LIST_OF_RDS_PUBLIC_INSTANCES);do + textWarn "$regx: RDS instance $rds_instance is set as Publicly Accessible!" "$regx" + done + else + textOK "$regx: no Publicly Accessible RDS instances found" "$regx" + fi + done } callCheck(){ @@ -1815,6 +1833,7 @@ callCheck(){ extra75|extra705 ) extra75;; extra76|extra706 ) extra76;; extra77|extra707 ) extra77;; + extra78|extra708 ) extra78;; ## Groups of Checks check1 ) @@ -1850,7 +1869,7 @@ callCheck(){ check43;check44;check45 ;; extras ) - extra71;extra72;extra73;extra74;extra75;extra76;extra77 + extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78 ;; * ) textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n"; @@ -1928,6 +1947,7 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then textTitle "$ID75" "$TITLE75" "NOT_SCORED" "EXTRA" textTitle "$ID76" "$TITLE76" "NOT_SCORED" "EXTRA" textTitle "$ID77" "$TITLE77" "NOT_SCORED" "EXTRA" + textTitle "$ID78" "$TITLE78" "NOT_SCORED" "EXTRA" exit $EXITCODE fi @@ -2011,6 +2031,7 @@ extra74 extra75 extra76 extra77 +extra78 cleanTemp exit $EXITCODE