diff --git a/README.md b/README.md index ff7c40d7..f300b5a4 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ - [Advanced Usage](#advanced-usage) - [Security Hub integration](#security-hub-integration) - [CodeBuild deployment](#codebuild-deployment) -- [Whitelist/allowlist or remove FAIL from resources](whitelist-allowlist-or-remove-fail-from-resources) +- [Whitelist/allowlist or remove FAIL from resources](#whitelist-or-allowlist-or-remove-a-fail-from-resources) - [Fix](#how-to-fix-every-fail) - [Troubleshooting](#troubleshooting) - [Extras](#extras) @@ -54,6 +54,7 @@ Read more about [CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-20 - EKS-CIS - FFIEC - SOC2 +- ENS (Esquema Nacional de Seguridad of Spain) With Prowler you can: diff --git a/checks/check116 b/checks/check116 index 4aa7f80d..8b049496 100644 --- a/checks/check116 +++ b/checks/check116 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check116="Low" CHECK_ASFF_TYPE_check116="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check116="AwsIamUser" CHECK_ALTERNATE_check116="check116" +CHECK_ASFF_COMPLIANCE_TYPE_check116="ens-op.acc.3.aws.iam.1" check116(){ # "Ensure IAM policies are attached only to groups or roles (Scored)" diff --git a/checks/check12 b/checks/check12 index 7a96a7a3..77620418 100644 --- a/checks/check12 +++ b/checks/check12 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check12="High" CHECK_ASFF_TYPE_check12="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check12="AwsIamUser" CHECK_ALTERNATE_check102="check12" +CHECK_ASFF_COMPLIANCE_TYPE_check12="ens-op.acc.5.aws.iam.1" check12(){ # "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)" diff --git a/checks/check120 b/checks/check120 index d0935bf7..ae25a345 100644 --- a/checks/check120 +++ b/checks/check120 
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check120="Medium" CHECK_ASFF_TYPE_check120="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check120="AwsIamRole" CHECK_ALTERNATE_check120="check120" +CHECK_ASFF_COMPLIANCE_TYPE_check120="ens-op.acc.1.aws.iam.4" check120(){ # "Ensure a support role has been created to manage incidents with AWS Support (Scored)" diff --git a/checks/check121 b/checks/check121 index f2ec8bc9..530a98e7 100644 --- a/checks/check121 +++ b/checks/check121 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check121="Medium" CHECK_ASFF_TYPE_check121="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check121="AwsIamUser" CHECK_ALTERNATE_check121="check121" +CHECK_ASFF_COMPLIANCE_TYPE_check121="ens-op.acc.1.aws.iam.5" check121(){ # "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)" diff --git a/checks/check13 b/checks/check13 index f0c3f49b..a6228207 100644 --- a/checks/check13 +++ b/checks/check13 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check13="Medium" CHECK_ASFF_TYPE_check13="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check13="AwsIamUser" CHECK_ALTERNATE_check103="check13" +CHECK_ASFF_COMPLIANCE_TYPE_check13="ens-op.acc.1.aws.iam.3,ens-op.acc.5.aws.iam.4" check13(){ check_creds_used_in_last_days 90 diff --git a/checks/check14 b/checks/check14 index afc0d4ea..91971a59 100644 --- a/checks/check14 +++ b/checks/check14 
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check14="Medium" CHECK_ASFF_TYPE_check14="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check14="AwsIamUser" CHECK_ALTERNATE_check104="check14" +CHECK_ASFF_COMPLIANCE_TYPE_check14="ens-op.acc.1.aws.iam.4,ens-op.acc.5.aws.iam.3" check14(){ # "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey diff --git a/checks/check21 b/checks/check21 index a576df7b..eed98f61 100644 --- a/checks/check21 +++ b/checks/check21 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check21="High" CHECK_ASFF_TYPE_check21="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check21="AwsCloudTrailTrail" CHECK_ALTERNATE_check201="check21" +CHECK_ASFF_COMPLIANCE_TYPE_check21="ens-op.acc.7.aws.iam.1,ens-op.mon.1.aws.trail.1" check21(){ trail_count=0 diff --git a/checks/check22 b/checks/check22 index bb16a994..9deeb4c9 100644 --- a/checks/check22 +++ b/checks/check22 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check22="Medium" CHECK_ASFF_TYPE_check22="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check22="AwsCloudTrailTrail" CHECK_ALTERNATE_check202="check22" +CHECK_ASFF_COMPLIANCE_TYPE_check22="ens-op.exp.10.aws.trail.1" check22(){ # "Ensure CloudTrail log file validation is enabled (Scored)" diff --git a/checks/check23 b/checks/check23 index 12017640..00d7dae6 100644 --- a/checks/check23 +++ b/checks/check23 
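Review bot: The requirement ID `ens-op.acc.1.aws.iam.4` added here for check14 (access-key rotation) is the same ID the check120 hunk assigns to the AWS Support role check, while the other op.acc.1 identifiers in this diff run iam.1 (extra733), iam.3 (check13) and iam.5 (check121) with nothing at iam.2. Two unrelated controls reporting the same requirement become indistinguishable in the Security Hub compliance data and in the new CSV column, and the gap at iam.2 suggests one of the two values is a typo. If the ENS mapping table puts one of them at iam.2, change that line, e.g. `CHECK_ASFF_COMPLIANCE_TYPE_check14="ens-op.acc.1.aws.iam.2,ens-op.acc.5.aws.iam.3"`; if the duplication is deliberate, a short comment above the assignment saying so would stop the next reader from "fixing" it. I cannot see the ENS reference table, so which of the two is wrong is inferred. check14's body continues past the end of the hunk.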
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check23="Critical" CHECK_ASFF_TYPE_check23="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check23="AwsS3Bucket" CHECK_ALTERNATE_check203="check23" +CHECK_ASFF_COMPLIANCE_TYPE_check23="ens-op.exp.10.aws.trail.3,ens-op.exp.10.aws.trail.4" check23(){ # "Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)" diff --git a/checks/check24 b/checks/check24 index e76db361..16f7cf7f 100644 --- a/checks/check24 +++ b/checks/check24 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check24="Low" CHECK_ASFF_TYPE_check24="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check24="AwsCloudTrailTrail" CHECK_ALTERNATE_check204="check24" +CHECK_ASFF_COMPLIANCE_TYPE_check24="ens-op.exp.8.aws.cw.1" check24(){ # "Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)" diff --git a/checks/check25 b/checks/check25 index c5614b1f..8b008c89 100644 --- a/checks/check25 +++ b/checks/check25 @@ -15,6 +15,7 @@ CHECK_TYPE_check25="LEVEL1" CHECK_SEVERITY_check25="Medium" CHECK_ASFF_TYPE_check25="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check205="check25" +CHECK_ASFF_COMPLIANCE_TYPE_check25="ens-op.exp.1.aws.cfg.1" check25(){ # "Ensure AWS Config is enabled in all regions (Scored)" diff --git a/checks/check27 b/checks/check27 index 8f670883..ba9caa83 100644 --- a/checks/check27 +++ b/checks/check27 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check27="Medium" CHECK_ASFF_TYPE_check27="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check27="AwsCloudTrailTrail" CHECK_ALTERNATE_check207="check27" +CHECK_ASFF_COMPLIANCE_TYPE_check27="ens-op.exp.10.aws.trail.5" check27(){ # "Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)" 
diff --git a/checks/check29 b/checks/check29 index fc61b1da..2546e341 100644 --- a/checks/check29 +++ b/checks/check29 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check29="Medium" CHECK_ASFF_TYPE_check29="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check29="AwsEc2Vpc" CHECK_ALTERNATE_check209="check29" +CHECK_ASFF_COMPLIANCE_TYPE_check29="ens-op.mon.1.aws.flow.1" check29(){ # "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)" diff --git a/checks/check31 b/checks/check31 index e2171a62..469dc0c6 100644 --- a/checks/check31 +++ b/checks/check31 @@ -41,6 +41,7 @@ CHECK_SEVERITY_check31="Medium" CHECK_ASFF_TYPE_check31="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check31="AwsCloudTrailTrail" CHECK_ALTERNATE_check301="check31" +CHECK_ASFF_COMPLIANCE_TYPE_check31="ens-op.exp.8.aws.trail.2" check31(){ check3x '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*"' diff --git a/checks/check32 b/checks/check32 index 73da96a4..c6f5acad 100644 --- a/checks/check32 +++ b/checks/check32 @@ -41,6 +41,7 @@ CHECK_SEVERITY_check32="Medium" CHECK_ASFF_TYPE_check32="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check32="AwsCloudTrailTrail" CHECK_ALTERNATE_check302="check32" +CHECK_ASFF_COMPLIANCE_TYPE_check32="ens-op.exp.8.aws.trail.4" check32(){ check3x '\$\.eventName\s*=\s*"ConsoleLogin".+\$\.additionalEventData\.MFAUsed\s*!=\s*"Yes"' diff --git a/checks/check33 b/checks/check33 index efefe775..779d95a1 100644 --- a/checks/check33 +++ b/checks/check33 
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check33="Medium" CHECK_ASFF_TYPE_check33="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check33="AwsCloudTrailTrail" CHECK_ALTERNATE_check303="check33" +CHECK_ASFF_COMPLIANCE_TYPE_check33="ens-op.exp.8.aws.trail.5" check33(){ check3x '\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"' diff --git a/checks/check34 b/checks/check34 index c472b3df..2765f92e 100644 --- a/checks/check34 +++ b/checks/check34 @@ -41,6 +41,7 @@ CHECK_SEVERITY_check34="Medium" CHECK_ASFF_TYPE_check34="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check34="AwsCloudTrailTrail" CHECK_ALTERNATE_check304="check34" +CHECK_ASFF_COMPLIANCE_TYPE_check34="ens-op.exp.8.aws.trail.6" check34(){ check3x '\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy' diff --git a/checks/check35 b/checks/check35 index b533879b..50c09212 100644 --- a/checks/check35 +++ b/checks/check35 
@@ -41,6 +41,7 @@ CHECK_SEVERITY_check35="Medium" CHECK_ASFF_TYPE_check35="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check35="AwsCloudTrailTrail" CHECK_ALTERNATE_check305="check35" +CHECK_ASFF_COMPLIANCE_TYPE_check35="ens-op.exp.8.aws.trail.1" check35(){ check3x '\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging' diff --git a/checks/check36 b/checks/check36 index 39b7b9af..89d4f2ab 100644 --- a/checks/check36 +++ b/checks/check36 @@ -41,6 +41,7 @@ CHECK_SEVERITY_check36="Medium" CHECK_ASFF_TYPE_check36="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check36="AwsCloudTrailTrail" CHECK_ALTERNATE_check306="check36" +CHECK_ASFF_COMPLIANCE_TYPE_check36="ens-op.exp.8.aws.trail.3" check36(){ check3x '\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"' diff --git a/checks/check37 b/checks/check37 index d569d11f..e9b63524 100644 --- a/checks/check37 +++ b/checks/check37 @@ -41,6 +41,7 @@ CHECK_SEVERITY_check37="Medium" CHECK_ASFF_TYPE_check37="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check37="AwsCloudTrailTrail" CHECK_ALTERNATE_check307="check37" +CHECK_ASFF_COMPLIANCE_TYPE_check37="ens-op.exp.11.aws.kms.1" check37(){ check3x '\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion' diff --git a/checks/check41 b/checks/check41 index c3c4c825..5863a2a9 100644 --- a/checks/check41 +++ b/checks/check41 
@@ -16,6 +16,7 @@ CHECK_SEVERITY_check41="High" CHECK_ASFF_TYPE_check41="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check41="AwsEc2SecurityGroup" CHECK_ALTERNATE_check401="check41" +CHECK_ASFF_COMPLIANCE_TYPE_check41="ens-mp.com.4.aws.sg.4" check41(){ # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)" diff --git a/checks/check42 b/checks/check42 index e04d01c8..3e88d26f 100644 --- a/checks/check42 +++ b/checks/check42 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check42="High" CHECK_ASFF_TYPE_check42="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check42="AwsEc2SecurityGroup" CHECK_ALTERNATE_check402="check42" +CHECK_ASFF_COMPLIANCE_TYPE_check42="ens-mp.com.4.aws.sg.5" check42(){ # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)" diff --git a/checks/check43 b/checks/check43 index 18dc3bab..9c1f5d49 100644 --- a/checks/check43 +++ b/checks/check43 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check43="Medium" CHECK_ASFF_TYPE_check43="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check43="AwsEc2SecurityGroup" CHECK_ALTERNATE_check403="check43" +CHECK_ASFF_COMPLIANCE_TYPE_check43="ens-mp.com.4.aws.sg.1" check43(){ # "Ensure the default security group of every VPC restricts all traffic (Scored)" diff --git a/checks/check_extra71 b/checks/check_extra71 index 61491c57..bcd016a1 100644 --- a/checks/check_extra71 +++ b/checks/check_extra71 
@@ -19,6 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra71="AwsIamUser" CHECK_ALTERNATE_extra701="extra71" CHECK_ALTERNATE_check71="extra71" CHECK_ALTERNATE_check701="extra71" +CHECK_ASFF_COMPLIANCE_TYPE_extra71="ens-op.exp.10.aws.trail.2" extra71(){ # "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra710 b/checks/check_extra710 index 680b6e0f..a126dfca 100644 --- a/checks/check_extra710 +++ b/checks/check_extra710 @@ -17,6 +17,7 @@ CHECK_TYPE_extra710="EXTRA" CHECK_SEVERITY_extra710="Medium" CHECK_ASFF_RESOURCE_TYPE_extra710="AwsEc2Instance" CHECK_ALTERNATE_check710="extra710" +CHECK_ASFF_COMPLIANCE_TYPE_extra710="ens-mp.com.4.aws.vpc.1" extra710(){ # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra7100 b/checks/check_extra7100 index 1e2a5318..36e05f8e 100644 --- a/checks/check_extra7100 +++ b/checks/check_extra7100 @@ -21,6 +21,7 @@ CHECK_TYPE_extra7100="EXTRA" CHECK_SEVERITY_extra7100="Critical" CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy" CHECK_ALTERNATE_check7100="extra7100" +CHECK_ASFF_COMPLIANCE_TYPE_extra7100="ens-op.acc.2.aws.iam.1" extra7100(){ # "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)" diff --git a/checks/check_extra713 b/checks/check_extra713 index 18fbac3d..3d5975b9 100644 --- a/checks/check_extra713 +++ b/checks/check_extra713 @@ -16,6 +16,7 @@ CHECK_SCORED_extra713="NOT_SCORED" CHECK_TYPE_extra713="EXTRA" CHECK_SEVERITY_extra713="High" CHECK_ALTERNATE_check713="extra713" +CHECK_ASFF_COMPLIANCE_TYPE_extra713="ens-op.mon.1.aws.duty.1" extra713(){ # "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra728 b/checks/check_extra728 index 32802c6d..640ee876 100644 --- a/checks/check_extra728 +++ b/checks/check_extra728 
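Review bot: The ID `ens-op.exp.10.aws.trail.2` added for extra71 does not fit the check: the hunk's own comment says it verifies MFA for users in AdministratorAccess groups and its resource type is `AwsIamUser`, whereas every other `op.exp.10.aws.trail.*` value in this diff is attached to a CloudTrail control (check22 trail.1, check23 trail.3 and trail.4, check27 trail.5). In the ENS report an MFA finding would therefore be listed under a CloudTrail log-protection requirement. This looks like the identifier intended for whichever trail check is missing trail.2, with extra71 meant to carry an op.acc identifier like the other IAM/MFA checks (check12 uses `ens-op.acc.5.aws.iam.1`), but the intended mapping cannot be confirmed from the diff alone, so please check it against the ENS table before merging. The body of extra71 continues beyond the hunk.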
@@ -18,6 +18,7 @@ CHECK_TYPE_extra728="EXTRA" CHECK_SEVERITY_extra728="Medium" CHECK_ASFF_RESOURCE_TYPE_extra728="AwsSqsQueue" CHECK_ALTERNATE_check728="extra728" +CHECK_ASFF_COMPLIANCE_TYPE_extra728="ens-mp.info.3.sns.1" extra728(){ for regx in $REGIONS; do diff --git a/checks/check_extra729 b/checks/check_extra729 index 64f42671..e841503b 100644 --- a/checks/check_extra729 +++ b/checks/check_extra729 @@ -18,6 +18,7 @@ CHECK_TYPE_extra729="EXTRA" CHECK_SEVERITY_extra729="Medium" CHECK_ASFF_RESOURCE_TYPE_extra729="AwsEc2Volume" CHECK_ALTERNATE_check729="extra729" +CHECK_ASFF_COMPLIANCE_TYPE_extra729="ens-mp.info.3.aws.ebs.1" extra729(){ # "Ensure there are no EBS Volumes unencrypted (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra733 b/checks/check_extra733 index 1b41dfd5..ce0bfcd9 100644 --- a/checks/check_extra733 +++ b/checks/check_extra733 @@ -17,6 +17,7 @@ CHECK_SCORED_extra733="NOT_SCORED" CHECK_TYPE_extra733="EXTRA" CHECK_SEVERITY_extra733="Low" CHECK_ALTERNATE_check733="extra733" +CHECK_ASFF_COMPLIANCE_TYPE_extra733="ens-op.acc.1.aws.iam.1" extra733(){ LIST_SAML_PROV=$($AWSCLI iam list-saml-providers $PROFILE_OPT --query 'SAMLProviderList[*].Arn' --output text |grep -v ^None) @@ -26,6 +27,6 @@ extra733(){ textInfo "SAML Provider $PROVIDER_NAME has been found" done else - textInfo "No SAML Provider found, add one and use STS" + textInfo "No SAML Provider found. Add one and use STS" fi } diff --git a/checks/check_extra734 b/checks/check_extra734 index 8b212ae6..f7ce12db 100644 --- a/checks/check_extra734 +++ b/checks/check_extra734 @@ -17,6 +17,7 @@ CHECK_TYPE_extra734="EXTRA" CHECK_SEVERITY_extra734="Medium" CHECK_ASFF_RESOURCE_TYPE_extra734="AwsS3Bucket" CHECK_ALTERNATE_check734="extra734" +CHECK_ASFF_COMPLIANCE_TYPE_extra734="ens-mp.info.3.s3.1" extra734(){ LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --region $REGION --query Buckets[*].Name --output text|xargs -n1) 
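Review bot: The ID `ens-mp.info.3.sns.1` added for extra728 contradicts the check's own metadata: the hunk's `CHECK_ASFF_RESOURCE_TYPE_extra728="AwsSqsQueue"` says this is an SQS check, and the ID also omits the `aws.` segment that every other identifier in this diff carries (`ens-mp.info.3.aws.ebs.1`, `ens-mp.info.3.aws.rds.1`). extra734's `ens-mp.info.3.s3.1` on this same line has the same missing segment while extra764 uses `ens-mp.com.2.aws.s3.1`. Anything downstream that groups or pattern-matches on the identifier format will treat these two as outliers, so unless the ENS table really spells them this way I would normalise both, e.g. `CHECK_ASFF_COMPLIANCE_TYPE_extra728="ens-mp.info.3.aws.sqs.1"` and `CHECK_ASFF_COMPLIANCE_TYPE_extra734="ens-mp.info.3.aws.s3.1"`. extra728's body starts in the hunk and continues past it.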
diff --git a/checks/check_extra735 b/checks/check_extra735 index cd824fba..7c0c29f1 100644 --- a/checks/check_extra735 +++ b/checks/check_extra735 @@ -17,6 +17,7 @@ CHECK_TYPE_extra735="EXTRA" CHECK_SEVERITY_extra735="Medium" CHECK_ASFF_RESOURCE_TYPE_extra735="AwsRdsDbInstance" CHECK_ALTERNATE_check735="extra735" +CHECK_ASFF_COMPLIANCE_TYPE_extra735="ens-mp.info.3.aws.rds.1" extra735(){ textInfo "Looking for RDS Volumes in all regions... " diff --git a/checks/check_extra736 b/checks/check_extra736 index 8847af89..2d8c48f5 100644 --- a/checks/check_extra736 +++ b/checks/check_extra736 @@ -17,6 +17,7 @@ CHECK_TYPE_extra736="EXTRA" CHECK_SEVERITY_extra736="Critical" CHECK_ASFF_RESOURCE_TYPE_extra736="AwsKmsKey" CHECK_ALTERNATE_check736="extra736" +CHECK_ASFF_COMPLIANCE_TYPE_extra736="ens-op.exp.11.aws.kms.2" extra736(){ textInfo "Looking for KMS keys in all regions... " diff --git a/checks/check_extra737 b/checks/check_extra737 index b766a555..e2c32e87 100644 --- a/checks/check_extra737 +++ b/checks/check_extra737 @@ -17,6 +17,7 @@ CHECK_TYPE_extra737="EXTRA" CHECK_SEVERITY_extra737="Medium" CHECK_ASFF_RESOURCE_TYPE_extra737="AwsKmsKey" CHECK_ALTERNATE_check737="extra737" +CHECK_ASFF_COMPLIANCE_TYPE_extra737="ens-op.exp.11.aws.kms.3" extra737(){ textInfo "Looking for KMS keys in all regions... " diff --git a/checks/check_extra738 b/checks/check_extra738 index 6ec16147..42c178a2 100644 --- a/checks/check_extra738 +++ b/checks/check_extra738 @@ -17,6 +17,7 @@ CHECK_TYPE_extra738="EXTRA" CHECK_SEVERITY_extra738="Medium" CHECK_ASFF_RESOURCE_TYPE_extra738="AwsCloudFrontDistribution" CHECK_ALTERNATE_check738="extra738" +CHECK_ASFF_COMPLIANCE_TYPE_extra738="ens-mp.com.2.aws.front.1" extra738(){ LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None) diff --git a/checks/check_extra74 b/checks/check_extra74 index 9dc7323b..73e9b343 100644 --- a/checks/check_extra74 +++ b/checks/check_extra74 
@@ -19,6 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra74="AwsEc2SecurityGroup" CHECK_ALTERNATE_extra704="extra74" CHECK_ALTERNATE_check74="extra74" CHECK_ALTERNATE_check704="extra74" +CHECK_ASFF_COMPLIANCE_TYPE_extra74="ens-mp.com.4.aws.sg.2" extra74(){ # "Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra740 b/checks/check_extra740 index ef0ac8bb..31e1f952 100644 --- a/checks/check_extra740 +++ b/checks/check_extra740 @@ -17,6 +17,7 @@ CHECK_TYPE_extra740="EXTRA" CHECK_SEVERITY_extra740="Medium" CHECK_ASFF_RESOURCE_TYPE_extra740="AwsEc2Snapshot" CHECK_ALTERNATE_check740="extra740" +CHECK_ASFF_COMPLIANCE_TYPE_extra740="ens-mp.info.3.aws.ebs.3" extra740(){ textInfo "Looking for EBS Snapshots in all regions... " diff --git a/checks/check_extra744 b/checks/check_extra744 index 972f297f..c08c4a5f 100644 --- a/checks/check_extra744 +++ b/checks/check_extra744 @@ -17,6 +17,7 @@ CHECK_TYPE_extra744="EXTRA" CHECK_SEVERITY_extra744="Medium" CHECK_ASFF_RESOURCE_TYPE_extra744="AwsApiGatewayRestApi" CHECK_ALTERNATE_check744="extra744" +CHECK_ASFF_COMPLIANCE_TYPE_extra744="ens-mp.s.2.aws.waf.2" extra744(){ for regx in $REGIONS; do diff --git a/checks/check_extra749 b/checks/check_extra749 index c5ef6cc2..a9ac7510 100644 --- a/checks/check_extra749 +++ b/checks/check_extra749 @@ -17,6 +17,7 @@ CHECK_TYPE_extra749="EXTRA" CHECK_SEVERITY_extra749="High" CHECK_ASFF_RESOURCE_TYPE_extra749="AwsEc2SecurityGroup" CHECK_ALTERNATE_check749="extra749" +CHECK_ASFF_COMPLIANCE_TYPE_extra749="ens-mp.com.4.aws.sg.6" extra749(){ for regx in $REGIONS; do diff --git a/checks/check_extra75 b/checks/check_extra75 index 1063dd34..a25fc784 100644 --- a/checks/check_extra75 +++ b/checks/check_extra75 
@@ -19,6 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra75="AwsEc2SecurityGroup" CHECK_ALTERNATE_extra705="extra75" CHECK_ALTERNATE_check75="extra75" CHECK_ALTERNATE_check705="extra75" +CHECK_ASFF_COMPLIANCE_TYPE_extra75="ens-mp.com.4.aws.sg.3" extra75(){ # "Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra750 b/checks/check_extra750 index fff980d9..dcc4b098 100644 --- a/checks/check_extra750 +++ b/checks/check_extra750 @@ -17,6 +17,7 @@ CHECK_TYPE_extra750="EXTRA" CHECK_SEVERITY_extra750="High" CHECK_ASFF_RESOURCE_TYPE_extra750="AwsEc2SecurityGroup" CHECK_ALTERNATE_check750="extra750" +CHECK_ASFF_COMPLIANCE_TYPE_extra750="ens-mp.com.4.aws.sg.7" extra750(){ for regx in $REGIONS; do diff --git a/checks/check_extra751 b/checks/check_extra751 index a0f8fd53..8f711bd0 100644 --- a/checks/check_extra751 +++ b/checks/check_extra751 @@ -17,6 +17,7 @@ CHECK_TYPE_extra751="EXTRA" CHECK_SEVERITY_extra751="High" CHECK_ASFF_RESOURCE_TYPE_extra751="AwsEc2SecurityGroup" CHECK_ALTERNATE_check751="extra751" +CHECK_ASFF_COMPLIANCE_TYPE_extra751="ens-mp.com.4.aws.sg.8" extra751(){ for regx in $REGIONS; do diff --git a/checks/check_extra752 b/checks/check_extra752 index 7fc60bc7..0189a6ba 100644 --- a/checks/check_extra752 +++ b/checks/check_extra752 @@ -17,6 +17,7 @@ CHECK_TYPE_extra752="EXTRA" CHECK_SEVERITY_extra752="High" CHECK_ASFF_RESOURCE_TYPE_extra752="AwsEc2SecurityGroup" CHECK_ALTERNATE_check752="extra752" +CHECK_ASFF_COMPLIANCE_TYPE_extra752="ens-mp.com.4.aws.sg.9" extra752(){ for regx in $REGIONS; do diff --git a/checks/check_extra753 b/checks/check_extra753 index b3cf6674..75950a67 100644 --- a/checks/check_extra753 +++ b/checks/check_extra753 
@@ -17,6 +17,7 @@ CHECK_TYPE_extra753="EXTRA" CHECK_SEVERITY_extra753="High" CHECK_ASFF_RESOURCE_TYPE_extra753="AwsEc2SecurityGroup" CHECK_ALTERNATE_check753="extra753" +CHECK_ASFF_COMPLIANCE_TYPE_extra753="ens-mp.com.4.aws.sg.10" extra753(){ for regx in $REGIONS; do diff --git a/checks/check_extra754 b/checks/check_extra754 index af61d86e..84b8e377 100644 --- a/checks/check_extra754 +++ b/checks/check_extra754 @@ -17,6 +17,7 @@ CHECK_TYPE_extra754="EXTRA" CHECK_SEVERITY_extra754="High" CHECK_ASFF_RESOURCE_TYPE_extra754="AwsEc2SecurityGroup" CHECK_ALTERNATE_check754="extra754" +CHECK_ASFF_COMPLIANCE_TYPE_extra754="ens-mp.com.4.aws.sg.11" extra754(){ for regx in $REGIONS; do diff --git a/checks/check_extra755 b/checks/check_extra755 index de5a7ab1..a04819e2 100644 --- a/checks/check_extra755 +++ b/checks/check_extra755 @@ -17,6 +17,7 @@ CHECK_TYPE_extra755="EXTRA" CHECK_SEVERITY_extra755="High" CHECK_ASFF_RESOURCE_TYPE_extra755="AwsEc2SecurityGroup" CHECK_ALTERNATE_check755="extra755" +CHECK_ASFF_COMPLIANCE_TYPE_extra755="ens-mp.com.4.aws.sg.12" extra755(){ for regx in $REGIONS; do diff --git a/checks/check_extra761 b/checks/check_extra761 index a0754c3a..4c2fcb6a 100644 --- a/checks/check_extra761 +++ b/checks/check_extra761 @@ -16,6 +16,7 @@ CHECK_SCORED_extra761="NOT_SCORED" CHECK_TYPE_extra761="EXTRA" CHECK_SEVERITY_extra761="Medium" CHECK_ALTERNATE_check761="extra761" +CHECK_ASFF_COMPLIANCE_TYPE_extra761="ens-mp.info.3.aws.ebs.2" extra761(){ textInfo "Looking for EBS Default Encryption activation in all regions... " diff --git a/checks/check_extra764 b/checks/check_extra764 index d04768d4..10ae9606 100644 --- a/checks/check_extra764 +++ b/checks/check_extra764 
@@ -17,6 +17,7 @@ CHECK_TYPE_extra764="EXTRA" CHECK_SEVERITY_extra764="Medium" CHECK_ASFF_RESOURCE_TYPE_extra764="AwsS3Bucket" CHECK_ALTERNATE_check764="extra764" +CHECK_ASFF_COMPLIANCE_TYPE_extra764="ens-mp.com.2.aws.s3.1" extra764(){ LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text --region $REGION|xargs -n1) diff --git a/checks/check_extra773 b/checks/check_extra773 index 0ff0be80..93298073 100644 --- a/checks/check_extra773 +++ b/checks/check_extra773 @@ -17,6 +17,7 @@ CHECK_TYPE_extra773="EXTRA" CHECK_SEVERITY_extra773="Medium" CHECK_ASFF_RESOURCE_TYPE_extra773="AwsCloudFrontDistribution" CHECK_ALTERNATE_check773="extra773" +CHECK_ASFF_COMPLIANCE_TYPE_extra773="ens-mp.s.2.aws.waf.1" extra773(){ # "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra781 b/checks/check_extra781 index dcb154fa..12d5f484 100644 --- a/checks/check_extra781 +++ b/checks/check_extra781 @@ -17,6 +17,7 @@ CHECK_TYPE_extra781="EXTRA" CHECK_SEVERITY_extra781="Medium" CHECK_ASFF_RESOURCE_TYPE_extra781="AwsElasticsearchDomain" CHECK_ALTERNATE_check781="extra781" +CHECK_ASFF_COMPLIANCE_TYPE_extra781="ens-mp.info.3.aws.au.1" extra781(){ for regx in $REGIONS; do diff --git a/checks/check_extra792 b/checks/check_extra792 index f7329d4f..f9f67dcc 100644 --- a/checks/check_extra792 +++ b/checks/check_extra792 @@ -17,6 +17,7 @@ CHECK_TYPE_extra792="EXTRA" CHECK_SEVERITY_extra792="Medium" CHECK_ASFF_RESOURCE_TYPE_extra792="AwsElbLoadBalancer" CHECK_ALTERNATE_check792="extra792" +CHECK_ASFF_COMPLIANCE_TYPE_extra792="ens-mp.com.2.aws.elb.2" extra792(){ # "Check if Elastic Load Balancers have insecure SSL ciphers (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra793 b/checks/check_extra793 index 1acb5d11..0a45f313 100644 --- a/checks/check_extra793 +++ b/checks/check_extra793 
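Review bot: `ens-mp.s.2.aws.waf.1` is attached to extra773, whose comment in the hunk says it checks whether CloudFront distributions have logging enabled; the `waf` component reads as a web-application-firewall requirement, and extra744 (resource type `AwsApiGatewayRestApi`) receives `waf.2` in this same diff. Either the identifier was copied from the WAF mapping or the ENS mp.s.2 control deliberately covers both logging and WAF association — the diff does not say which. A one-line comment above the assignment naming the control it implements, such as `# ENS mp.s.2 (web services protection) — requirement ID per the ENS mapping table`, would remove the ambiguity for the next maintainer; if the mapping was a copy-paste, the ID should be corrected against that table. extra773's body continues beyond the hunk.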
@@ -17,6 +17,7 @@ CHECK_TYPE_extra793="EXTRA" CHECK_SEVERITY_extra793="Medium" CHECK_ASFF_RESOURCE_TYPE_extra793="AwsElbLoadBalancer" CHECK_ALTERNATE_check793="extra793" +CHECK_ASFF_COMPLIANCE_TYPE_extra793="ens-mp.com.2.aws.elb.1" extra793(){ # "Check if Elastic Load Balancers have encrypted listeners (Not Scored) (Not part of CIS benchmark)" diff --git a/include/csv_header b/include/csv_header index 07ac75bc..67230dda 100644 --- a/include/csv_header +++ b/include/csv_header @@ -15,5 +15,5 @@ printCsvHeader() { >&2 echo "" >&2 echo "Generating \"${SEP}\" delimited report on stdout for profile $PROFILE, account $ACCOUNT_NUM" - echo "PROFILE${SEP}ACCOUNT_NUM${SEP}REGION${SEP}TITLE_ID${SEP}RESULT${SEP}SCORED${SEP}LEVEL${SEP}TITLE_TEXT${SEP}NOTES" | tee -a $OUTPUT_FILE_NAME.$EXTENSION_CSV + echo "PROFILE${SEP}ACCOUNT_NUM${SEP}REGION${SEP}TITLE_ID${SEP}RESULT${SEP}SCORED${SEP}LEVEL${SEP}TITLE_TEXT${SEP}NOTES${SEP}COMPLIANCE" | tee -a $OUTPUT_FILE_NAME.$EXTENSION_CSV } diff --git a/include/html_report b/include/html_report index b38a2eca..251c0255 100644 --- a/include/html_report +++ b/include/html_report @@ -100,6 +100,7 @@ addHtmlHeader() {
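Review bot: The CSV header gains a trailing `COMPLIANCE` column, but the row writer is not part of this diff, so every data row must also append `${SEP}` plus the check's compliance value or the report is shifted by one column for every consumer. Several of the new values are comma-separated lists (check13's `ens-op.acc.1.aws.iam.3,ens-op.acc.5.aws.iam.4`, likewise check14, check21 and check23), so whenever `$SEP` is `,` the field contains the delimiter and the row parses as one column too many; either quote the field in the row writer or join multiple requirements with a character that can never be chosen as `$SEP`, such as `|` or a space. The same list-versus-string question applies on the Security Hub side, where ASFF `Compliance.RelatedRequirements` is an array, so the consumer of `CHECK_ASFF_COMPLIANCE_TYPE_*` should split the value rather than emit it as a single string — that code is not visible here. `printCsvHeader` opens before this hunk; only its body is shown.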