From 3d62aedf29e3413acb44790ccdfd6ed907901cee Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Tue, 1 Dec 2020 10:03:59 +0100 Subject: [PATCH] New RC6 including ENS as a new compliance type all formats --- README.md | 3 ++- checks/check116 | 1 + checks/check12 | 1 + checks/check120 | 1 + checks/check121 | 1 + checks/check13 | 1 + checks/check14 | 1 + checks/check21 | 1 + checks/check22 | 1 + checks/check23 | 1 + checks/check24 | 1 + checks/check25 | 1 + checks/check27 | 1 + checks/check29 | 1 + checks/check31 | 1 + checks/check32 | 1 + checks/check33 | 1 + checks/check34 | 1 + checks/check35 | 1 + checks/check36 | 1 + checks/check37 | 1 + checks/check41 | 1 + checks/check42 | 1 + checks/check43 | 1 + checks/check_extra71 | 1 + checks/check_extra710 | 1 + checks/check_extra7100 | 1 + checks/check_extra713 | 1 + checks/check_extra728 | 1 + checks/check_extra729 | 1 + checks/check_extra733 | 3 ++- checks/check_extra734 | 1 + checks/check_extra735 | 1 + checks/check_extra736 | 1 + checks/check_extra737 | 1 + checks/check_extra738 | 1 + checks/check_extra74 | 1 + checks/check_extra740 | 1 + checks/check_extra744 | 1 + checks/check_extra749 | 1 + checks/check_extra75 | 1 + checks/check_extra750 | 1 + checks/check_extra751 | 1 + checks/check_extra752 | 1 + checks/check_extra753 | 1 + checks/check_extra754 | 1 + checks/check_extra755 | 1 + checks/check_extra761 | 1 + checks/check_extra764 | 1 + checks/check_extra773 | 1 + checks/check_extra781 | 1 + checks/check_extra792 | 1 + checks/check_extra793 | 1 + include/csv_header | 2 +- include/html_report | 1 + include/outputs | 22 +++++++++++++++------- prowler | 17 +++++++++++++---- 57 files changed, 85 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index ff7c40d7..f300b5a4 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ - [Advanced Usage](#advanced-usage) - [Security Hub integration](#security-hub-integration) - [CodeBuild deployment](#codebuild-deployment) -- [Whitelist/allowlist or remove FAIL from resources](whitelist-allowlist-or-remove-fail-from-resources) +- [Whitelist/allowlist or remove FAIL from resources](#whitelist-or-allowlist-or-remove-a-fail-from-resources) - [Fix](#how-to-fix-every-fail) - [Troubleshooting](#troubleshooting) - [Extras](#extras) @@ -54,6 +54,7 @@ Read more about [CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-20 - EKS-CIS - FFIEC - SOC2 +- ENS (Esquema Nacional de Seguridad of Spain) With Prowler you can: diff --git a/checks/check116 b/checks/check116 index 4aa7f80d..8b049496 100644 --- a/checks/check116 +++ b/checks/check116 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check116="Low" CHECK_ASFF_TYPE_check116="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check116="AwsIamUser" CHECK_ALTERNATE_check116="check116" +CHECK_ASFF_COMPLIANCE_TYPE_check116="ens-op.acc.3.aws.iam.1" check116(){ # "Ensure IAM policies are attached only to groups or roles (Scored)" diff --git a/checks/check12 b/checks/check12 index 7a96a7a3..77620418 100644 --- a/checks/check12 +++ b/checks/check12 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check12="High" CHECK_ASFF_TYPE_check12="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check12="AwsIamUser" CHECK_ALTERNATE_check102="check12" +CHECK_ASFF_COMPLIANCE_TYPE_check12="ens-op.acc.5.aws.iam.1" check12(){ # "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)" diff --git a/checks/check120 b/checks/check120 index d0935bf7..ae25a345 100644 --- a/checks/check120 +++ b/checks/check120 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check120="Medium" CHECK_ASFF_TYPE_check120="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check120="AwsIamRole" CHECK_ALTERNATE_check120="check120" +CHECK_ASFF_COMPLIANCE_TYPE_check120="ens-op.acc.1.aws.iam.4" check120(){ # "Ensure a support role has been created to manage incidents with AWS Support (Scored)" diff --git a/checks/check121 b/checks/check121 index f2ec8bc9..530a98e7 100644 --- a/checks/check121 +++ b/checks/check121 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check121="Medium" CHECK_ASFF_TYPE_check121="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check121="AwsIamUser" CHECK_ALTERNATE_check121="check121" +CHECK_ASFF_COMPLIANCE_TYPE_check121="ens-op.acc.1.aws.iam.5" check121(){ # "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)" diff --git a/checks/check13 b/checks/check13 index f0c3f49b..a6228207 100644 --- a/checks/check13 +++ b/checks/check13 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check13="Medium" CHECK_ASFF_TYPE_check13="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check13="AwsIamUser" CHECK_ALTERNATE_check103="check13" +CHECK_ASFF_COMPLIANCE_TYPE_check13="ens-op.acc.1.aws.iam.3,ens-op.acc.5.aws.iam.4" check13(){ check_creds_used_in_last_days 90 diff --git a/checks/check14 b/checks/check14 index afc0d4ea..91971a59 100644 --- a/checks/check14 +++ b/checks/check14 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check14="Medium" CHECK_ASFF_TYPE_check14="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check14="AwsIamUser" CHECK_ALTERNATE_check104="check14" +CHECK_ASFF_COMPLIANCE_TYPE_check14="ens-op.acc.1.aws.iam.4,ens-op.acc.5.aws.iam.3" check14(){ # "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey diff --git a/checks/check21 b/checks/check21 index a576df7b..eed98f61 100644 --- a/checks/check21 +++ b/checks/check21 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check21="High" CHECK_ASFF_TYPE_check21="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check21="AwsCloudTrailTrail" CHECK_ALTERNATE_check201="check21" +CHECK_ASFF_COMPLIANCE_TYPE_check21="ens-op.acc.7.aws.iam.1,ens-op.mon.1.aws.trail.1" check21(){ trail_count=0 diff --git a/checks/check22 b/checks/check22 index bb16a994..9deeb4c9 100644 --- a/checks/check22 +++ b/checks/check22 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check22="Medium" CHECK_ASFF_TYPE_check22="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check22="AwsCloudTrailTrail" CHECK_ALTERNATE_check202="check22" +CHECK_ASFF_COMPLIANCE_TYPE_check22="ens-op.exp.10.aws.trail.1" check22(){ # "Ensure CloudTrail log file validation is enabled (Scored)" diff --git a/checks/check23 b/checks/check23 index 12017640..00d7dae6 100644 --- a/checks/check23 +++ b/checks/check23 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check23="Critical" CHECK_ASFF_TYPE_check23="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check23="AwsS3Bucket" CHECK_ALTERNATE_check203="check23" +CHECK_ASFF_COMPLIANCE_TYPE_check23="ens-op.exp.10.aws.trail.3,ens-op.exp.10.aws.trail.4" check23(){ # "Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)" diff --git a/checks/check24 b/checks/check24 index e76db361..16f7cf7f 100644 --- a/checks/check24 +++ b/checks/check24 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check24="Low" CHECK_ASFF_TYPE_check24="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check24="AwsCloudTrailTrail" CHECK_ALTERNATE_check204="check24" +CHECK_ASFF_COMPLIANCE_TYPE_check24="ens-op.exp.8.aws.cw.1" check24(){ # "Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)" diff --git a/checks/check25 b/checks/check25 index c5614b1f..8b008c89 100644 --- a/checks/check25 +++ b/checks/check25 @@ -15,6 +15,7 @@ CHECK_TYPE_check25="LEVEL1" CHECK_SEVERITY_check25="Medium" CHECK_ASFF_TYPE_check25="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ALTERNATE_check205="check25" +CHECK_ASFF_COMPLIANCE_TYPE_check25="ens-op.exp.1.aws.cfg.1" check25(){ # "Ensure AWS Config is enabled in all regions (Scored)" diff --git a/checks/check27 b/checks/check27 index 8f670883..ba9caa83 100644 --- a/checks/check27 +++ b/checks/check27 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check27="Medium" CHECK_ASFF_TYPE_check27="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check27="AwsCloudTrailTrail" CHECK_ALTERNATE_check207="check27" +CHECK_ASFF_COMPLIANCE_TYPE_check27="ens-op.exp.10.aws.trail.5" check27(){ # "Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)" diff --git a/checks/check29 b/checks/check29 index fc61b1da..2546e341 100644 --- a/checks/check29 +++ b/checks/check29 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check29="Medium" CHECK_ASFF_TYPE_check29="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check29="AwsEc2Vpc" CHECK_ALTERNATE_check209="check29" +CHECK_ASFF_COMPLIANCE_TYPE_check29="ens-op.mon.1.aws.flow.1" check29(){ # "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)" diff --git a/checks/check31 b/checks/check31 index e2171a62..469dc0c6 100644 --- a/checks/check31 +++ b/checks/check31 @@ -41,6 +41,7 @@ CHECK_SEVERITY_check31="Medium" CHECK_ASFF_TYPE_check31="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check31="AwsCloudTrailTrail" CHECK_ALTERNATE_check301="check31" +CHECK_ASFF_COMPLIANCE_TYPE_check31="ens-op.exp.8.aws.trail.2" check31(){ check3x '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*"' diff --git a/checks/check32 b/checks/check32 index 73da96a4..c6f5acad 100644 --- a/checks/check32 +++ b/checks/check32 @@ -41,6 +41,7 @@ CHECK_SEVERITY_check32="Medium" CHECK_ASFF_TYPE_check32="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check32="AwsCloudTrailTrail" CHECK_ALTERNATE_check302="check32" +CHECK_ASFF_COMPLIANCE_TYPE_check32="ens-op.exp.8.aws.trail.4" check32(){ check3x '\$\.eventName\s*=\s*"ConsoleLogin".+\$\.additionalEventData\.MFAUsed\s*!=\s*"Yes"' diff --git a/checks/check33 b/checks/check33 index efefe775..779d95a1 100644 --- a/checks/check33 +++ b/checks/check33 @@ -41,6 +41,7 @@ CHECK_SEVERITY_check33="Medium" CHECK_ASFF_TYPE_check33="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check33="AwsCloudTrailTrail" CHECK_ALTERNATE_check303="check33" +CHECK_ASFF_COMPLIANCE_TYPE_check33="ens-op.exp.8.aws.trail.5" check33(){ check3x '\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"' diff --git a/checks/check34 b/checks/check34 index c472b3df..2765f92e 100644 --- a/checks/check34 +++ b/checks/check34 @@ -41,6 +41,7 @@ CHECK_SEVERITY_check34="Medium" CHECK_ASFF_TYPE_check34="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check34="AwsCloudTrailTrail" CHECK_ALTERNATE_check304="check34" +CHECK_ASFF_COMPLIANCE_TYPE_check34="ens-op.exp.8.aws.trail.6" check34(){ check3x '\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy' diff --git a/checks/check35 b/checks/check35 index b533879b..50c09212 100644 --- a/checks/check35 +++ b/checks/check35 @@ -41,6 +41,7 @@ CHECK_SEVERITY_check35="Medium" CHECK_ASFF_TYPE_check35="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check35="AwsCloudTrailTrail" CHECK_ALTERNATE_check305="check35" +CHECK_ASFF_COMPLIANCE_TYPE_check35="ens-op.exp.8.aws.trail.1" check35(){ check3x '\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging' diff --git a/checks/check36 b/checks/check36 index 39b7b9af..89d4f2ab 100644 --- a/checks/check36 +++ b/checks/check36 @@ -41,6 +41,7 @@ CHECK_SEVERITY_check36="Medium" CHECK_ASFF_TYPE_check36="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check36="AwsCloudTrailTrail" CHECK_ALTERNATE_check306="check36" +CHECK_ASFF_COMPLIANCE_TYPE_check36="ens-op.exp.8.aws.trail.3" check36(){ check3x '\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"' diff --git a/checks/check37 b/checks/check37 index d569d11f..e9b63524 100644 --- a/checks/check37 +++ b/checks/check37 @@ -41,6 +41,7 @@ CHECK_SEVERITY_check37="Medium" CHECK_ASFF_TYPE_check37="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check37="AwsCloudTrailTrail" CHECK_ALTERNATE_check307="check37" +CHECK_ASFF_COMPLIANCE_TYPE_check37="ens-op.exp.11.aws.kms.1" check37(){ check3x '\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion' diff --git a/checks/check41 b/checks/check41 index c3c4c825..5863a2a9 100644 --- a/checks/check41 +++ b/checks/check41 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check41="High" CHECK_ASFF_TYPE_check41="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check41="AwsEc2SecurityGroup" CHECK_ALTERNATE_check401="check41" +CHECK_ASFF_COMPLIANCE_TYPE_check41="ens-mp.com.4.aws.sg.4" check41(){ # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)" diff --git a/checks/check42 b/checks/check42 index e04d01c8..3e88d26f 100644 --- a/checks/check42 +++ b/checks/check42 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check42="High" CHECK_ASFF_TYPE_check42="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check42="AwsEc2SecurityGroup" CHECK_ALTERNATE_check402="check42" +CHECK_ASFF_COMPLIANCE_TYPE_check42="ens-mp.com.4.aws.sg.5" check42(){ # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)" diff --git a/checks/check43 b/checks/check43 index 18dc3bab..9c1f5d49 100644 --- a/checks/check43 +++ b/checks/check43 @@ -16,6 +16,7 @@ CHECK_SEVERITY_check43="Medium" CHECK_ASFF_TYPE_check43="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check43="AwsEc2SecurityGroup" CHECK_ALTERNATE_check403="check43" +CHECK_ASFF_COMPLIANCE_TYPE_check43="ens-mp.com.4.aws.sg.1" check43(){ # "Ensure the default security group of every VPC restricts all traffic (Scored)" diff --git a/checks/check_extra71 b/checks/check_extra71 index 61491c57..bcd016a1 100644 --- a/checks/check_extra71 +++ b/checks/check_extra71 @@ -19,6 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra71="AwsIamUser" CHECK_ALTERNATE_extra701="extra71" CHECK_ALTERNATE_check71="extra71" CHECK_ALTERNATE_check701="extra71" +CHECK_ASFF_COMPLIANCE_TYPE_extra71="ens-op.exp.10.aws.trail.2" extra71(){ # "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra710 b/checks/check_extra710 index 680b6e0f..a126dfca 100644 --- a/checks/check_extra710 +++ b/checks/check_extra710 @@ -17,6 +17,7 @@ CHECK_TYPE_extra710="EXTRA" CHECK_SEVERITY_extra710="Medium" CHECK_ASFF_RESOURCE_TYPE_extra710="AwsEc2Instance" CHECK_ALTERNATE_check710="extra710" +CHECK_ASFF_COMPLIANCE_TYPE_extra710="ens-mp.com.4.aws.vpc.1" extra710(){ # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra7100 b/checks/check_extra7100 index 1e2a5318..36e05f8e 100644 --- a/checks/check_extra7100 +++ b/checks/check_extra7100 @@ -21,6 +21,7 @@ CHECK_TYPE_extra7100="EXTRA" CHECK_SEVERITY_extra7100="Critical" CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy" CHECK_ALTERNATE_check7100="extra7100" +CHECK_ASFF_COMPLIANCE_TYPE_extra7100="ens-op.acc.2.aws.iam.1" extra7100(){ # "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)" diff --git a/checks/check_extra713 b/checks/check_extra713 index 18fbac3d..3d5975b9 100644 --- a/checks/check_extra713 +++ b/checks/check_extra713 @@ -16,6 +16,7 @@ CHECK_SCORED_extra713="NOT_SCORED" CHECK_TYPE_extra713="EXTRA" CHECK_SEVERITY_extra713="High" CHECK_ALTERNATE_check713="extra713" +CHECK_ASFF_COMPLIANCE_TYPE_extra713="ens-op.mon.1.aws.duty.1" extra713(){ # "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra728 b/checks/check_extra728 index 32802c6d..640ee876 100644 --- a/checks/check_extra728 +++ b/checks/check_extra728 @@ -18,6 +18,7 @@ CHECK_TYPE_extra728="EXTRA" CHECK_SEVERITY_extra728="Medium" CHECK_ASFF_RESOURCE_TYPE_extra728="AwsSqsQueue" CHECK_ALTERNATE_check728="extra728" +CHECK_ASFF_COMPLIANCE_TYPE_extra728="ens-mp.info.3.sns.1" extra728(){ for regx in $REGIONS; do diff --git a/checks/check_extra729 b/checks/check_extra729 index 64f42671..e841503b 100644 --- a/checks/check_extra729 +++ b/checks/check_extra729 @@ -18,6 +18,7 @@ CHECK_TYPE_extra729="EXTRA" CHECK_SEVERITY_extra729="Medium" CHECK_ASFF_RESOURCE_TYPE_extra729="AwsEc2Volume" CHECK_ALTERNATE_check729="extra729" +CHECK_ASFF_COMPLIANCE_TYPE_extra729="ens-mp.info.3.aws.ebs.1" extra729(){ # "Ensure there are no EBS Volumes unencrypted (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra733 b/checks/check_extra733 index 1b41dfd5..ce0bfcd9 100644 --- a/checks/check_extra733 +++ b/checks/check_extra733 @@ -17,6 +17,7 @@ CHECK_SCORED_extra733="NOT_SCORED" CHECK_TYPE_extra733="EXTRA" CHECK_SEVERITY_extra733="Low" CHECK_ALTERNATE_check733="extra733" +CHECK_ASFF_COMPLIANCE_TYPE_extra733="ens-op.acc.1.aws.iam.1" extra733(){ LIST_SAML_PROV=$($AWSCLI iam list-saml-providers $PROFILE_OPT --query 'SAMLProviderList[*].Arn' --output text |grep -v ^None) @@ -26,6 +27,6 @@ extra733(){ textInfo "SAML Provider $PROVIDER_NAME has been found" done else - textInfo "No SAML Provider found, add one and use STS" + textInfo "No SAML Provider found. Add one and use STS" fi } diff --git a/checks/check_extra734 b/checks/check_extra734 index 8b212ae6..f7ce12db 100644 --- a/checks/check_extra734 +++ b/checks/check_extra734 @@ -17,6 +17,7 @@ CHECK_TYPE_extra734="EXTRA" CHECK_SEVERITY_extra734="Medium" CHECK_ASFF_RESOURCE_TYPE_extra734="AwsS3Bucket" CHECK_ALTERNATE_check734="extra734" +CHECK_ASFF_COMPLIANCE_TYPE_extra734="ens-mp.info.3.s3.1" extra734(){ LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --region $REGION --query Buckets[*].Name --output text|xargs -n1) diff --git a/checks/check_extra735 b/checks/check_extra735 index cd824fba..7c0c29f1 100644 --- a/checks/check_extra735 +++ b/checks/check_extra735 @@ -17,6 +17,7 @@ CHECK_TYPE_extra735="EXTRA" CHECK_SEVERITY_extra735="Medium" CHECK_ASFF_RESOURCE_TYPE_extra735="AwsRdsDbInstance" CHECK_ALTERNATE_check735="extra735" +CHECK_ASFF_COMPLIANCE_TYPE_extra735="ens-mp.info.3.aws.rds.1" extra735(){ textInfo "Looking for RDS Volumes in all regions... " diff --git a/checks/check_extra736 b/checks/check_extra736 index 8847af89..2d8c48f5 100644 --- a/checks/check_extra736 +++ b/checks/check_extra736 @@ -17,6 +17,7 @@ CHECK_TYPE_extra736="EXTRA" CHECK_SEVERITY_extra736="Critical" CHECK_ASFF_RESOURCE_TYPE_extra736="AwsKmsKey" CHECK_ALTERNATE_check736="extra736" +CHECK_ASFF_COMPLIANCE_TYPE_extra736="ens-op.exp.11.aws.kms.2" extra736(){ textInfo "Looking for KMS keys in all regions... " diff --git a/checks/check_extra737 b/checks/check_extra737 index b766a555..e2c32e87 100644 --- a/checks/check_extra737 +++ b/checks/check_extra737 @@ -17,6 +17,7 @@ CHECK_TYPE_extra737="EXTRA" CHECK_SEVERITY_extra737="Medium" CHECK_ASFF_RESOURCE_TYPE_extra737="AwsKmsKey" CHECK_ALTERNATE_check737="extra737" +CHECK_ASFF_COMPLIANCE_TYPE_extra737="ens-op.exp.11.aws.kms.3" extra737(){ textInfo "Looking for KMS keys in all regions... " diff --git a/checks/check_extra738 b/checks/check_extra738 index 6ec16147..42c178a2 100644 --- a/checks/check_extra738 +++ b/checks/check_extra738 @@ -17,6 +17,7 @@ CHECK_TYPE_extra738="EXTRA" CHECK_SEVERITY_extra738="Medium" CHECK_ASFF_RESOURCE_TYPE_extra738="AwsCloudFrontDistribution" CHECK_ALTERNATE_check738="extra738" +CHECK_ASFF_COMPLIANCE_TYPE_extra738="ens-mp.com.2.aws.front.1" extra738(){ LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None) diff --git a/checks/check_extra74 b/checks/check_extra74 index 9dc7323b..73e9b343 100644 --- a/checks/check_extra74 +++ b/checks/check_extra74 @@ -19,6 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra74="AwsEc2SecurityGroup" CHECK_ALTERNATE_extra704="extra74" CHECK_ALTERNATE_check74="extra74" CHECK_ALTERNATE_check704="extra74" +CHECK_ASFF_COMPLIANCE_TYPE_extra74="ens-mp.com.4.aws.sg.2" extra74(){ # "Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra740 b/checks/check_extra740 index ef0ac8bb..31e1f952 100644 --- a/checks/check_extra740 +++ b/checks/check_extra740 @@ -17,6 +17,7 @@ CHECK_TYPE_extra740="EXTRA" CHECK_SEVERITY_extra740="Medium" CHECK_ASFF_RESOURCE_TYPE_extra740="AwsEc2Snapshot" CHECK_ALTERNATE_check740="extra740" +CHECK_ASFF_COMPLIANCE_TYPE_extra740="ens-mp.info.3.aws.ebs.3" extra740(){ textInfo "Looking for EBS Snapshots in all regions... " diff --git a/checks/check_extra744 b/checks/check_extra744 index 972f297f..c08c4a5f 100644 --- a/checks/check_extra744 +++ b/checks/check_extra744 @@ -17,6 +17,7 @@ CHECK_TYPE_extra744="EXTRA" CHECK_SEVERITY_extra744="Medium" CHECK_ASFF_RESOURCE_TYPE_extra744="AwsApiGatewayRestApi" CHECK_ALTERNATE_check744="extra744" +CHECK_ASFF_COMPLIANCE_TYPE_extra744="ens-mp.s.2.aws.waf.2" extra744(){ for regx in $REGIONS; do diff --git a/checks/check_extra749 b/checks/check_extra749 index c5ef6cc2..a9ac7510 100644 --- a/checks/check_extra749 +++ b/checks/check_extra749 @@ -17,6 +17,7 @@ CHECK_TYPE_extra749="EXTRA" CHECK_SEVERITY_extra749="High" CHECK_ASFF_RESOURCE_TYPE_extra749="AwsEc2SecurityGroup" CHECK_ALTERNATE_check749="extra749" +CHECK_ASFF_COMPLIANCE_TYPE_extra749="ens-mp.com.4.aws.sg.6" extra749(){ for regx in $REGIONS; do diff --git a/checks/check_extra75 b/checks/check_extra75 index 1063dd34..a25fc784 100644 --- a/checks/check_extra75 +++ b/checks/check_extra75 @@ -19,6 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra75="AwsEc2SecurityGroup" CHECK_ALTERNATE_extra705="extra75" CHECK_ALTERNATE_check75="extra75" CHECK_ALTERNATE_check705="extra75" +CHECK_ASFF_COMPLIANCE_TYPE_extra75="ens-mp.com.4.aws.sg.3" extra75(){ # "Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra750 b/checks/check_extra750 index fff980d9..dcc4b098 100644 --- a/checks/check_extra750 +++ b/checks/check_extra750 @@ -17,6 +17,7 @@ CHECK_TYPE_extra750="EXTRA" CHECK_SEVERITY_extra750="High" CHECK_ASFF_RESOURCE_TYPE_extra750="AwsEc2SecurityGroup" CHECK_ALTERNATE_check750="extra750" +CHECK_ASFF_COMPLIANCE_TYPE_extra750="ens-mp.com.4.aws.sg.7" extra750(){ for regx in $REGIONS; do diff --git a/checks/check_extra751 b/checks/check_extra751 index a0f8fd53..8f711bd0 100644 --- a/checks/check_extra751 +++ b/checks/check_extra751 @@ -17,6 +17,7 @@ CHECK_TYPE_extra751="EXTRA" CHECK_SEVERITY_extra751="High" CHECK_ASFF_RESOURCE_TYPE_extra751="AwsEc2SecurityGroup" CHECK_ALTERNATE_check751="extra751" +CHECK_ASFF_COMPLIANCE_TYPE_extra751="ens-mp.com.4.aws.sg.8" extra751(){ for regx in $REGIONS; do diff --git a/checks/check_extra752 b/checks/check_extra752 index 7fc60bc7..0189a6ba 100644 --- a/checks/check_extra752 +++ b/checks/check_extra752 @@ -17,6 +17,7 @@ CHECK_TYPE_extra752="EXTRA" CHECK_SEVERITY_extra752="High" CHECK_ASFF_RESOURCE_TYPE_extra752="AwsEc2SecurityGroup" CHECK_ALTERNATE_check752="extra752" +CHECK_ASFF_COMPLIANCE_TYPE_extra752="ens-mp.com.4.aws.sg.9" extra752(){ for regx in $REGIONS; do diff --git a/checks/check_extra753 b/checks/check_extra753 index b3cf6674..75950a67 100644 --- a/checks/check_extra753 +++ b/checks/check_extra753 @@ -17,6 +17,7 @@ CHECK_TYPE_extra753="EXTRA" CHECK_SEVERITY_extra753="High" CHECK_ASFF_RESOURCE_TYPE_extra753="AwsEc2SecurityGroup" CHECK_ALTERNATE_check753="extra753" +CHECK_ASFF_COMPLIANCE_TYPE_extra753="ens-mp.com.4.aws.sg.10" extra753(){ for regx in $REGIONS; do diff --git a/checks/check_extra754 b/checks/check_extra754 index af61d86e..84b8e377 100644 --- a/checks/check_extra754 +++ b/checks/check_extra754 @@ -17,6 +17,7 @@ CHECK_TYPE_extra754="EXTRA" CHECK_SEVERITY_extra754="High" CHECK_ASFF_RESOURCE_TYPE_extra754="AwsEc2SecurityGroup" CHECK_ALTERNATE_check754="extra754" +CHECK_ASFF_COMPLIANCE_TYPE_extra754="ens-mp.com.4.aws.sg.11" extra754(){ for regx in $REGIONS; do diff --git a/checks/check_extra755 b/checks/check_extra755 index de5a7ab1..a04819e2 100644 --- a/checks/check_extra755 +++ b/checks/check_extra755 @@ -17,6 +17,7 @@ CHECK_TYPE_extra755="EXTRA" CHECK_SEVERITY_extra755="High" CHECK_ASFF_RESOURCE_TYPE_extra755="AwsEc2SecurityGroup" CHECK_ALTERNATE_check755="extra755" +CHECK_ASFF_COMPLIANCE_TYPE_extra755="ens-mp.com.4.aws.sg.12" extra755(){ for regx in $REGIONS; do diff --git a/checks/check_extra761 b/checks/check_extra761 index a0754c3a..4c2fcb6a 100644 --- a/checks/check_extra761 +++ b/checks/check_extra761 @@ -16,6 +16,7 @@ CHECK_SCORED_extra761="NOT_SCORED" CHECK_TYPE_extra761="EXTRA" CHECK_SEVERITY_extra761="Medium" CHECK_ALTERNATE_check761="extra761" +CHECK_ASFF_COMPLIANCE_TYPE_extra761="ens-mp.info.3.aws.ebs.2" extra761(){ textInfo "Looking for EBS Default Encryption activation in all regions... " diff --git a/checks/check_extra764 b/checks/check_extra764 index d04768d4..10ae9606 100644 --- a/checks/check_extra764 +++ b/checks/check_extra764 @@ -17,6 +17,7 @@ CHECK_TYPE_extra764="EXTRA" CHECK_SEVERITY_extra764="Medium" CHECK_ASFF_RESOURCE_TYPE_extra764="AwsS3Bucket" CHECK_ALTERNATE_check764="extra764" +CHECK_ASFF_COMPLIANCE_TYPE_extra764="ens-mp.com.2.aws.s3.1" extra764(){ LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text --region $REGION|xargs -n1) diff --git a/checks/check_extra773 b/checks/check_extra773 index 0ff0be80..93298073 100644 --- a/checks/check_extra773 +++ b/checks/check_extra773 @@ -17,6 +17,7 @@ CHECK_TYPE_extra773="EXTRA" CHECK_SEVERITY_extra773="Medium" CHECK_ASFF_RESOURCE_TYPE_extra773="AwsCloudFrontDistribution" CHECK_ALTERNATE_check773="extra773" +CHECK_ASFF_COMPLIANCE_TYPE_extra773="ens-mp.s.2.aws.waf.1" extra773(){ # "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra781 b/checks/check_extra781 index dcb154fa..12d5f484 100644 --- a/checks/check_extra781 +++ b/checks/check_extra781 @@ -17,6 +17,7 @@ CHECK_TYPE_extra781="EXTRA" CHECK_SEVERITY_extra781="Medium" CHECK_ASFF_RESOURCE_TYPE_extra781="AwsElasticsearchDomain" CHECK_ALTERNATE_check781="extra781" +CHECK_ASFF_COMPLIANCE_TYPE_extra781="ens-mp.info.3.aws.au.1" extra781(){ for regx in $REGIONS; do diff --git a/checks/check_extra792 b/checks/check_extra792 index f7329d4f..f9f67dcc 100644 --- a/checks/check_extra792 +++ b/checks/check_extra792 @@ -17,6 +17,7 @@ CHECK_TYPE_extra792="EXTRA" CHECK_SEVERITY_extra792="Medium" CHECK_ASFF_RESOURCE_TYPE_extra792="AwsElbLoadBalancer" CHECK_ALTERNATE_check792="extra792" +CHECK_ASFF_COMPLIANCE_TYPE_extra792="ens-mp.com.2.aws.elb.2" extra792(){ # "Check if Elastic Load Balancers have insecure SSL ciphers (Not Scored) (Not part of CIS benchmark)" diff --git a/checks/check_extra793 b/checks/check_extra793 index 1acb5d11..0a45f313 100644 --- a/checks/check_extra793 +++ b/checks/check_extra793 @@ -17,6 +17,7 @@ CHECK_TYPE_extra793="EXTRA" CHECK_SEVERITY_extra793="Medium" CHECK_ASFF_RESOURCE_TYPE_extra793="AwsElbLoadBalancer" CHECK_ALTERNATE_check793="extra793" +CHECK_ASFF_COMPLIANCE_TYPE_extra793="ens-mp.com.2.aws.elb.1" extra793(){ # "Check if Elastic Load Balancers have encrypted listeners (Not Scored) (Not part of CIS benchmark)" diff --git a/include/csv_header b/include/csv_header index 07ac75bc..67230dda 100644 --- a/include/csv_header +++ b/include/csv_header @@ -15,5 +15,5 @@ printCsvHeader() { >&2 echo "" >&2 echo "Generating \"${SEP}\" delimited report on stdout for profile $PROFILE, account $ACCOUNT_NUM" - echo "PROFILE${SEP}ACCOUNT_NUM${SEP}REGION${SEP}TITLE_ID${SEP}RESULT${SEP}SCORED${SEP}LEVEL${SEP}TITLE_TEXT${SEP}NOTES" | tee -a $OUTPUT_FILE_NAME.$EXTENSION_CSV + echo "PROFILE${SEP}ACCOUNT_NUM${SEP}REGION${SEP}TITLE_ID${SEP}RESULT${SEP}SCORED${SEP}LEVEL${SEP}TITLE_TEXT${SEP}NOTES${SEP}COMPLIANCE" | tee -a $OUTPUT_FILE_NAME.$EXTENSION_CSV } diff --git a/include/html_report b/include/html_report index b38a2eca..251c0255 100644 --- a/include/html_report +++ b/include/html_report @@ -100,6 +100,7 @@ addHtmlHeader() { Result AccountID Region + Compliance Group CheckID Check Title diff --git a/include/outputs b/include/outputs index 6649c898..58669e19 100644 --- a/include/outputs +++ b/include/outputs @@ -51,7 +51,7 @@ textPass(){ REPREGION=$REGION fi if [[ "${MODES[@]}" =~ "csv" ]]; then - echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}PASS${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV + echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}PASS${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1${SEP}$ASFF_COMPLIANCE_TYPE" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV fi if [[ "${MODES[@]}" =~ "json" ]]; then generateJsonOutput "$1" "Pass" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_JSON @@ -88,7 +88,7 @@ textInfo(){ REPREGION=$REGION fi if [[ "${MODES[@]}" =~ "csv" ]]; then - echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}INFO${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV} + echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}INFO${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1${SEP}$ASFF_COMPLIANCE_TYPE" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV} fi if [[ "${MODES[@]}" =~ "json" ]]; then generateJsonOutput "$1" "Info" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON} @@ -140,7 +140,7 @@ textFail(){ fi if [[ "${MODES[@]}" =~ "csv" ]]; then - echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}${level}${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV} + echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}${level}${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1${SEP}$ASFF_COMPLIANCE_TYPE" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV} fi if [[ "${MODES[@]}" =~ "json" ]]; then generateJsonOutput "$1" "${level}" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON} @@ -211,9 +211,9 @@ textTitle(){ : else if [[ "$ITEM_SCORED" == "Scored" ]]; then - echo -e "\n$BLUE $TITLE_ID $NORMAL $TITLE_TEXT $group_ids" + echo -e "\n$BLUE $TITLE_ID $NORMAL $TITLE_TEXT $6 $group_ids " else - echo -e "\n$PURPLE $TITLE_ID $TITLE_TEXT $NORMAL $group_ids" + echo -e "\n$PURPLE $TITLE_ID $TITLE_TEXT $6 $NORMAL $group_ids " fi fi } @@ -232,6 +232,7 @@ generateJsonOutput(){ --arg ITEM_LEVEL "$ITEM_LEVEL" \ --arg TITLE_ID "$TITLE_ID" \ --arg REPREGION "$REPREGION" \ + --arg TYPE "$ASFF_COMPLIANCE_TYPE" \ --arg TIMESTAMP "$(get_iso8601_timestamp)" \ -n '{ "Profile": $PROFILE, @@ -245,6 +246,7 @@ generateJsonOutput(){ "Control ID": $TITLE_ID, "Region": $REPREGION, "Timestamp": $TIMESTAMP, + "Compliance": $TYPE }' } @@ -266,7 +268,8 @@ generateJsonAsffOutput(){ --arg SEVERITY "$(echo $CHECK_SEVERITY| awk '{ print toupper($0) }')" \ --arg TITLE_ID "$TITLE_ID" \ --arg CHECK_ID "$CHECK_ID" \ - --arg TYPE "$ASFF_TYPE" \ + --arg TYPE "$ASFF_COMPLIANCE_TYPE" \ + --arg COMPLIANCE_RELATED_REQUIREMENTS "$ASFF_COMPLIANCE_TYPE" \ --arg RESOURCE_TYPE "$ASFF_RESOURCE_TYPE" \ --arg REPREGION "$REPREGION" \ --arg TIMESTAMP "$(get_iso8601_timestamp)" \ @@ -303,7 +306,8 @@ generateJsonAsffOutput(){ } ], "Compliance": { - "Status": $STATUS + "Status": $STATUS, + "RelatedRequirements": [ $COMPLIANCE_RELATED_REQUIREMENTS ] } }' } @@ -317,6 +321,7 @@ generateHtmlOutput(){ echo 'INFO' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ACCOUNT_NUM'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$REPREGION'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$ASFF_COMPLIANCE_TYPE'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ITEM_LEVEL'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_ID'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_TEXT'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML @@ -329,6 +334,7 @@ generateHtmlOutput(){ echo 'PASS' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ACCOUNT_NUM'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$REPREGION'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$ASFF_COMPLIANCE_TYPE'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ITEM_LEVEL'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_ID'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_TEXT'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML @@ -341,6 +347,7 @@ generateHtmlOutput(){ echo 'FAIL' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ACCOUNT_NUM'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$REPREGION'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$ASFF_COMPLIANCE_TYPE'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ITEM_LEVEL'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_ID'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_TEXT'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML @@ -353,6 +360,7 @@ generateHtmlOutput(){ echo 'WARN' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ACCOUNT_NUM'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$REPREGION'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML + echo ''$ASFF_COMPLIANCE_TYPE'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$ITEM_LEVEL'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_ID'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ''$TITLE_TEXT'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML diff --git a/prowler b/prowler index c88fab83..d7e8a623 100755 --- a/prowler +++ b/prowler @@ -32,7 +32,7 @@ OPTRED="" OPTNORMAL="" # Set the defaults variables -PROWLER_VERSION=2.3.0RC5 +PROWLER_VERSION=2.3.0RC6 PROWLER_DIR=$(dirname "$0") REGION="" @@ -283,6 +283,7 @@ show_check_title() { local check_title=CHECK_TITLE_$1 local check_scored=CHECK_SCORED_$1 local check_type=CHECK_TYPE_$1 + local check_asff_compliance_type=CHECK_ASFF_COMPLIANCE_TYPE_$1 local group_ids local group_index # If requested ($2 is any non-null value) iterate all GROUP_CHECKS and produce a comma-separated list of all @@ -297,7 +298,12 @@ show_check_title() { fi done fi - textTitle "${!check_id}" "${!check_title}" "${!check_scored}" "${!check_type}" "$group_ids" + # This shows ASFF_COMPLIANCE_TYPE if group used is ens, this si used to show ENS compliance ID control, can be used for other compliance groups as well. + if [[ ${GROUP_ID_READ} == "ens" ]];then + textTitle "${!check_id}" "${!check_title}" "${!check_scored}" "${!check_type}" "$group_ids" "(${!check_asff_compliance_type})" + else + textTitle "${!check_id}" "${!check_title}" "${!check_scored}" "${!check_type}" "$group_ids" + fi } # Function to show the title of a group, by numeric id @@ -317,6 +323,8 @@ execute_check() { # See if this check defines an ASFF Type, if so, use this, falling back to a sane default # For a list of Types, see: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html#securityhub-findings-format-type-taxonomy local asff_type_var=CHECK_ASFF_TYPE_$1 + local asff_compliance_type_var=CHECK_ASFF_COMPLIANCE_TYPE_$1 + local severity_var=CHECK_SEVERITY_$1 @@ -325,6 +333,7 @@ execute_check() { CHECK_ID="$1" ASFF_TYPE="${!asff_type_var:-Software and Configuration Checks}" + ASFF_COMPLIANCE_TYPE="${!asff_compliance_type_var:-Software and Configuration Checks}" # See if this check defines an ASFF Resource Type, if so, use this, falling back to a sane default # For a list of Resource Types, see: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html#asff-resources local asff_resource_type_var=CHECK_ASFF_RESOURCE_TYPE_$1 @@ -339,7 +348,7 @@ execute_check() { ignores="$(awk "/${1}/{print}" <(echo "${WHITELIST}"))" if [ ${alternate_name} ];then - if [[ ${alternate_name} == check1* || ${alternate_name} == extra71 ]];then + if [[ ${alternate_name} == check1* || ${alternate_name} == extra71 || ${alternate_name} == extra774 || ${alternate_name} == extra7123 ]];then if [ ! -s $TEMP_REPORT_FILE ];then genCredReport saveReport @@ -363,7 +372,7 @@ execute_check() { local check_id_var=CHECK_ID_$1 local check_id=${!check_id_var} if [ ${check_id} ]; then - if [[ ${check_id} == 1* || ${check_id} == 7.1 || ${check_id} == 7.74 ]];then + if [[ ${check_id} == 1* || ${check_id} == 7.1 || ${check_id} == 7.74 || ${check_id} == 7.123 ]];then if [ ! -s $TEMP_REPORT_FILE ];then genCredReport saveReport