ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

New RC6 including ENS as a new compliance type all formats

Browse Source
This commit is contained in:
Toni de la Fuente
2020-12-01 10:03:59 +01:00
parent 30937c3275
commit 3d62aedf29
57 changed files with 85 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@@ -10,7 +10,7 @@
- [Advanced Usage](#advanced-usage) - [Advanced Usage](#advanced-usage)
- [Security Hub integration](#security-hub-integration) - [Security Hub integration](#security-hub-integration)
- [CodeBuild deployment](#codebuild-deployment) - [CodeBuild deployment](#codebuild-deployment)
- [Whitelist/allowlist or remove FAIL from resources](whitelist-allowlist-or-remove-fail-from-resources) - [Whitelist/allowlist or remove FAIL from resources](#whitelist-or-allowlist-or-remove-a-fail-from-resources)
- [Fix](#how-to-fix-every-fail) - [Fix](#how-to-fix-every-fail)
- [Troubleshooting](#troubleshooting) - [Troubleshooting](#troubleshooting)
- [Extras](#extras) - [Extras](#extras)
@@ -54,6 +54,7 @@ Read more about [CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-20
- EKS-CIS - EKS-CIS
- FFIEC - FFIEC
- SOC2 - SOC2
- ENS (Esquema Nacional de Seguridad of Spain)
With Prowler you can: With Prowler you can:

1
checks/check116
View File

@@ -16,6 +16,7 @@ CHECK_SEVERITY_check116="Low"
CHECK_ASFF_TYPE_check116="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check116="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check116="AwsIamUser" CHECK_ASFF_RESOURCE_TYPE_check116="AwsIamUser"
CHECK_ALTERNATE_check116="check116" CHECK_ALTERNATE_check116="check116"
CHECK_ASFF_COMPLIANCE_TYPE_check116="ens-op.acc.3.aws.iam.1"
check116(){ check116(){
# "Ensure IAM policies are attached only to groups or roles (Scored)" # "Ensure IAM policies are attached only to groups or roles (Scored)"

1
checks/check12
View File

@@ -16,6 +16,7 @@ CHECK_SEVERITY_check12="High"
CHECK_ASFF_TYPE_check12="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check12="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check12="AwsIamUser" CHECK_ASFF_RESOURCE_TYPE_check12="AwsIamUser"
CHECK_ALTERNATE_check102="check12" CHECK_ALTERNATE_check102="check12"
CHECK_ASFF_COMPLIANCE_TYPE_check12="ens-op.acc.5.aws.iam.1"
check12(){ check12(){
# "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)" # "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"

1
checks/check120
View File

@@ -16,6 +16,7 @@ CHECK_SEVERITY_check120="Medium"
CHECK_ASFF_TYPE_check120="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check120="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check120="AwsIamRole" CHECK_ASFF_RESOURCE_TYPE_check120="AwsIamRole"
CHECK_ALTERNATE_check120="check120" CHECK_ALTERNATE_check120="check120"
CHECK_ASFF_COMPLIANCE_TYPE_check120="ens-op.acc.1.aws.iam.4"
check120(){ check120(){
# "Ensure a support role has been created to manage incidents with AWS Support (Scored)" # "Ensure a support role has been created to manage incidents with AWS Support (Scored)"

1
checks/check121
View File

@@ -16,6 +16,7 @@ CHECK_SEVERITY_check121="Medium"
CHECK_ASFF_TYPE_check121="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check121="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check121="AwsIamUser" CHECK_ASFF_RESOURCE_TYPE_check121="AwsIamUser"
CHECK_ALTERNATE_check121="check121" CHECK_ALTERNATE_check121="check121"
CHECK_ASFF_COMPLIANCE_TYPE_check121="ens-op.acc.1.aws.iam.5"
check121(){ check121(){
# "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)" # "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"

1
checks/check13
View File

@@ -16,6 +16,7 @@ CHECK_SEVERITY_check13="Medium"
CHECK_ASFF_TYPE_check13="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check13="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check13="AwsIamUser" CHECK_ASFF_RESOURCE_TYPE_check13="AwsIamUser"
CHECK_ALTERNATE_check103="check13" CHECK_ALTERNATE_check103="check13"
CHECK_ASFF_COMPLIANCE_TYPE_check13="ens-op.acc.1.aws.iam.3,ens-op.acc.5.aws.iam.4"
check13(){ check13(){
check_creds_used_in_last_days 90 check_creds_used_in_last_days 90

1
checks/check14
View File

@@ -16,6 +16,7 @@ CHECK_SEVERITY_check14="Medium"
CHECK_ASFF_TYPE_check14="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check14="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check14="AwsIamUser" CHECK_ASFF_RESOURCE_TYPE_check14="AwsIamUser"
CHECK_ALTERNATE_check104="check14" CHECK_ALTERNATE_check104="check14"
CHECK_ASFF_COMPLIANCE_TYPE_check14="ens-op.acc.1.aws.iam.4,ens-op.acc.5.aws.iam.3"
check14(){ check14(){
# "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey # "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey

1
checks/check21
View File

@@ -16,6 +16,7 @@ CHECK_SEVERITY_check21="High"
CHECK_ASFF_TYPE_check21="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check21="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check21="AwsCloudTrailTrail" CHECK_ASFF_RESOURCE_TYPE_check21="AwsCloudTrailTrail"
CHECK_ALTERNATE_check201="check21" CHECK_ALTERNATE_check201="check21"
CHECK_ASFF_COMPLIANCE_TYPE_check21="ens-op.acc.7.aws.iam.1,ens-op.mon.1.aws.trail.1"
check21(){ check21(){
trail_count=0 trail_count=0

1
checks/check22
View File

@@ -16,6 +16,7 @@ CHECK_SEVERITY_check22="Medium"
CHECK_ASFF_TYPE_check22="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check22="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check22="AwsCloudTrailTrail" CHECK_ASFF_RESOURCE_TYPE_check22="AwsCloudTrailTrail"
CHECK_ALTERNATE_check202="check22" CHECK_ALTERNATE_check202="check22"
CHECK_ASFF_COMPLIANCE_TYPE_check22="ens-op.exp.10.aws.trail.1"
check22(){ check22(){
# "Ensure CloudTrail log file validation is enabled (Scored)" # "Ensure CloudTrail log file validation is enabled (Scored)"

1
checks/check23
View File

@@ -16,6 +16,7 @@ CHECK_SEVERITY_check23="Critical"
CHECK_ASFF_TYPE_check23="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check23="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check23="AwsS3Bucket" CHECK_ASFF_RESOURCE_TYPE_check23="AwsS3Bucket"
CHECK_ALTERNATE_check203="check23" CHECK_ALTERNATE_check203="check23"
CHECK_ASFF_COMPLIANCE_TYPE_check23="ens-op.exp.10.aws.trail.3,ens-op.exp.10.aws.trail.4"
check23(){ check23(){
# "Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)" # "Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"

1
checks/check24
View File

@@ -16,6 +16,7 @@ CHECK_SEVERITY_check24="Low"
CHECK_ASFF_TYPE_check24="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check24="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check24="AwsCloudTrailTrail" CHECK_ASFF_RESOURCE_TYPE_check24="AwsCloudTrailTrail"
CHECK_ALTERNATE_check204="check24" CHECK_ALTERNATE_check204="check24"
CHECK_ASFF_COMPLIANCE_TYPE_check24="ens-op.exp.8.aws.cw.1"
check24(){ check24(){
# "Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)" # "Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"

1
checks/check25
View File

@@ -15,6 +15,7 @@ CHECK_TYPE_check25="LEVEL1"
CHECK_SEVERITY_check25="Medium" CHECK_SEVERITY_check25="Medium"
CHECK_ASFF_TYPE_check25="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check25="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ALTERNATE_check205="check25" CHECK_ALTERNATE_check205="check25"
CHECK_ASFF_COMPLIANCE_TYPE_check25="ens-op.exp.1.aws.cfg.1"
check25(){ check25(){
# "Ensure AWS Config is enabled in all regions (Scored)" # "Ensure AWS Config is enabled in all regions (Scored)"

1
checks/check27
View File

@@ -16,6 +16,7 @@ CHECK_SEVERITY_check27="Medium"
CHECK_ASFF_TYPE_check27="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check27="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check27="AwsCloudTrailTrail" CHECK_ASFF_RESOURCE_TYPE_check27="AwsCloudTrailTrail"
CHECK_ALTERNATE_check207="check27" CHECK_ALTERNATE_check207="check27"
CHECK_ASFF_COMPLIANCE_TYPE_check27="ens-op.exp.10.aws.trail.5"
check27(){ check27(){
# "Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)" # "Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"

1
checks/check29
View File

@@ -16,6 +16,7 @@ CHECK_SEVERITY_check29="Medium"
CHECK_ASFF_TYPE_check29="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check29="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check29="AwsEc2Vpc" CHECK_ASFF_RESOURCE_TYPE_check29="AwsEc2Vpc"
CHECK_ALTERNATE_check209="check29" CHECK_ALTERNATE_check209="check29"
CHECK_ASFF_COMPLIANCE_TYPE_check29="ens-op.mon.1.aws.flow.1"
check29(){ check29(){
# "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)" # "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"

1
checks/check31
View File

@@ -41,6 +41,7 @@ CHECK_SEVERITY_check31="Medium"
CHECK_ASFF_TYPE_check31="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check31="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check31="AwsCloudTrailTrail" CHECK_ASFF_RESOURCE_TYPE_check31="AwsCloudTrailTrail"
CHECK_ALTERNATE_check301="check31" CHECK_ALTERNATE_check301="check31"
CHECK_ASFF_COMPLIANCE_TYPE_check31="ens-op.exp.8.aws.trail.2"
check31(){ check31(){
check3x '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*"' check3x '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*"'

1
checks/check32
View File

@@ -41,6 +41,7 @@ CHECK_SEVERITY_check32="Medium"
CHECK_ASFF_TYPE_check32="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check32="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check32="AwsCloudTrailTrail" CHECK_ASFF_RESOURCE_TYPE_check32="AwsCloudTrailTrail"
CHECK_ALTERNATE_check302="check32" CHECK_ALTERNATE_check302="check32"
CHECK_ASFF_COMPLIANCE_TYPE_check32="ens-op.exp.8.aws.trail.4"
check32(){ check32(){
check3x '\$\.eventName\s*=\s*"ConsoleLogin".+\$\.additionalEventData\.MFAUsed\s*!=\s*"Yes"' check3x '\$\.eventName\s*=\s*"ConsoleLogin".+\$\.additionalEventData\.MFAUsed\s*!=\s*"Yes"'

1
checks/check33
View File

@@ -41,6 +41,7 @@ CHECK_SEVERITY_check33="Medium"
CHECK_ASFF_TYPE_check33="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check33="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check33="AwsCloudTrailTrail" CHECK_ASFF_RESOURCE_TYPE_check33="AwsCloudTrailTrail"
CHECK_ALTERNATE_check303="check33" CHECK_ALTERNATE_check303="check33"
CHECK_ASFF_COMPLIANCE_TYPE_check33="ens-op.exp.8.aws.trail.5"
check33(){ check33(){
check3x '\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"' check3x '\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"'

1
checks/check34
View File

@@ -41,6 +41,7 @@ CHECK_SEVERITY_check34="Medium"
CHECK_ASFF_TYPE_check34="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check34="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check34="AwsCloudTrailTrail" CHECK_ASFF_RESOURCE_TYPE_check34="AwsCloudTrailTrail"
CHECK_ALTERNATE_check304="check34" CHECK_ALTERNATE_check304="check34"
CHECK_ASFF_COMPLIANCE_TYPE_check34="ens-op.exp.8.aws.trail.6"
check34(){ check34(){
check3x '\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy' check3x '\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy'

1
checks/check35
View File

@@ -41,6 +41,7 @@ CHECK_SEVERITY_check35="Medium"
CHECK_ASFF_TYPE_check35="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check35="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check35="AwsCloudTrailTrail" CHECK_ASFF_RESOURCE_TYPE_check35="AwsCloudTrailTrail"
CHECK_ALTERNATE_check305="check35" CHECK_ALTERNATE_check305="check35"
CHECK_ASFF_COMPLIANCE_TYPE_check35="ens-op.exp.8.aws.trail.1"
check35(){ check35(){
check3x '\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging' check3x '\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging'

1
checks/check36
View File

@@ -41,6 +41,7 @@ CHECK_SEVERITY_check36="Medium"
CHECK_ASFF_TYPE_check36="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check36="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check36="AwsCloudTrailTrail" CHECK_ASFF_RESOURCE_TYPE_check36="AwsCloudTrailTrail"
CHECK_ALTERNATE_check306="check36" CHECK_ALTERNATE_check306="check36"
CHECK_ASFF_COMPLIANCE_TYPE_check36="ens-op.exp.8.aws.trail.3"
check36(){ check36(){
check3x '\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"' check3x '\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"'

1
checks/check37
View File

@@ -41,6 +41,7 @@ CHECK_SEVERITY_check37="Medium"
CHECK_ASFF_TYPE_check37="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check37="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check37="AwsCloudTrailTrail" CHECK_ASFF_RESOURCE_TYPE_check37="AwsCloudTrailTrail"
CHECK_ALTERNATE_check307="check37" CHECK_ALTERNATE_check307="check37"
CHECK_ASFF_COMPLIANCE_TYPE_check37="ens-op.exp.11.aws.kms.1"
check37(){ check37(){
check3x '\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion' check3x '\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion'

1
checks/check41
View File

@@ -16,6 +16,7 @@ CHECK_SEVERITY_check41="High"
CHECK_ASFF_TYPE_check41="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check41="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check41="AwsEc2SecurityGroup" CHECK_ASFF_RESOURCE_TYPE_check41="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check401="check41" CHECK_ALTERNATE_check401="check41"
CHECK_ASFF_COMPLIANCE_TYPE_check41="ens-mp.com.4.aws.sg.4"
check41(){ check41(){
# "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)" # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)"

1
checks/check42
View File

@@ -16,6 +16,7 @@ CHECK_SEVERITY_check42="High"
CHECK_ASFF_TYPE_check42="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check42="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check42="AwsEc2SecurityGroup" CHECK_ASFF_RESOURCE_TYPE_check42="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check402="check42" CHECK_ALTERNATE_check402="check42"
CHECK_ASFF_COMPLIANCE_TYPE_check42="ens-mp.com.4.aws.sg.5"
check42(){ check42(){
# "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)" # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)"

1
checks/check43
View File

@@ -16,6 +16,7 @@ CHECK_SEVERITY_check43="Medium"
CHECK_ASFF_TYPE_check43="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_TYPE_check43="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check43="AwsEc2SecurityGroup" CHECK_ASFF_RESOURCE_TYPE_check43="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check403="check43" CHECK_ALTERNATE_check403="check43"
CHECK_ASFF_COMPLIANCE_TYPE_check43="ens-mp.com.4.aws.sg.1"
check43(){ check43(){
# "Ensure the default security group of every VPC restricts all traffic (Scored)" # "Ensure the default security group of every VPC restricts all traffic (Scored)"

1
checks/check_extra71
View File

@@ -19,6 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra71="AwsIamUser"
CHECK_ALTERNATE_extra701="extra71" CHECK_ALTERNATE_extra701="extra71"
CHECK_ALTERNATE_check71="extra71" CHECK_ALTERNATE_check71="extra71"
CHECK_ALTERNATE_check701="extra71" CHECK_ALTERNATE_check701="extra71"
CHECK_ASFF_COMPLIANCE_TYPE_extra71="ens-op.exp.10.aws.trail.2"
extra71(){ extra71(){
# "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)" # "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"

1
checks/check_extra710
View File

@@ -17,6 +17,7 @@ CHECK_TYPE_extra710="EXTRA"
CHECK_SEVERITY_extra710="Medium" CHECK_SEVERITY_extra710="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra710="AwsEc2Instance" CHECK_ASFF_RESOURCE_TYPE_extra710="AwsEc2Instance"
CHECK_ALTERNATE_check710="extra710" CHECK_ALTERNATE_check710="extra710"
CHECK_ASFF_COMPLIANCE_TYPE_extra710="ens-mp.com.4.aws.vpc.1"
extra710(){ extra710(){
# "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)" # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"

1
checks/check_extra7100
View File

@@ -21,6 +21,7 @@ CHECK_TYPE_extra7100="EXTRA"
CHECK_SEVERITY_extra7100="Critical" CHECK_SEVERITY_extra7100="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy" CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy"
CHECK_ALTERNATE_check7100="extra7100" CHECK_ALTERNATE_check7100="extra7100"
CHECK_ASFF_COMPLIANCE_TYPE_extra7100="ens-op.acc.2.aws.iam.1"
extra7100(){ extra7100(){
# "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)" # "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)"

1
checks/check_extra713
View File

@@ -16,6 +16,7 @@ CHECK_SCORED_extra713="NOT_SCORED"
CHECK_TYPE_extra713="EXTRA" CHECK_TYPE_extra713="EXTRA"
CHECK_SEVERITY_extra713="High" CHECK_SEVERITY_extra713="High"
CHECK_ALTERNATE_check713="extra713" CHECK_ALTERNATE_check713="extra713"
CHECK_ASFF_COMPLIANCE_TYPE_extra713="ens-op.mon.1.aws.duty.1"
extra713(){ extra713(){
# "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)" # "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"

1
checks/check_extra728
View File

@@ -18,6 +18,7 @@ CHECK_TYPE_extra728="EXTRA"
CHECK_SEVERITY_extra728="Medium" CHECK_SEVERITY_extra728="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra728="AwsSqsQueue" CHECK_ASFF_RESOURCE_TYPE_extra728="AwsSqsQueue"
CHECK_ALTERNATE_check728="extra728" CHECK_ALTERNATE_check728="extra728"
CHECK_ASFF_COMPLIANCE_TYPE_extra728="ens-mp.info.3.sns.1"
extra728(){ extra728(){
for regx in $REGIONS; do for regx in $REGIONS; do

1
checks/check_extra729
View File

@@ -18,6 +18,7 @@ CHECK_TYPE_extra729="EXTRA"
CHECK_SEVERITY_extra729="Medium" CHECK_SEVERITY_extra729="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra729="AwsEc2Volume" CHECK_ASFF_RESOURCE_TYPE_extra729="AwsEc2Volume"
CHECK_ALTERNATE_check729="extra729" CHECK_ALTERNATE_check729="extra729"
CHECK_ASFF_COMPLIANCE_TYPE_extra729="ens-mp.info.3.aws.ebs.1"
extra729(){ extra729(){
# "Ensure there are no EBS Volumes unencrypted (Not Scored) (Not part of CIS benchmark)" # "Ensure there are no EBS Volumes unencrypted (Not Scored) (Not part of CIS benchmark)"

3
checks/check_extra733
View File

@@ -17,6 +17,7 @@ CHECK_SCORED_extra733="NOT_SCORED"
CHECK_TYPE_extra733="EXTRA" CHECK_TYPE_extra733="EXTRA"
CHECK_SEVERITY_extra733="Low" CHECK_SEVERITY_extra733="Low"
CHECK_ALTERNATE_check733="extra733" CHECK_ALTERNATE_check733="extra733"
CHECK_ASFF_COMPLIANCE_TYPE_extra733="ens-op.acc.1.aws.iam.1"
extra733(){ extra733(){
LIST_SAML_PROV=$($AWSCLI iam list-saml-providers $PROFILE_OPT --query 'SAMLProviderList[*].Arn' --output text |grep -v ^None) LIST_SAML_PROV=$($AWSCLI iam list-saml-providers $PROFILE_OPT --query 'SAMLProviderList[*].Arn' --output text |grep -v ^None)
@@ -26,6 +27,6 @@ extra733(){
textInfo "SAML Provider $PROVIDER_NAME has been found" textInfo "SAML Provider $PROVIDER_NAME has been found"
done done
else else
textInfo "No SAML Provider found, add one and use STS" textInfo "No SAML Provider found. Add one and use STS"
fi fi
} }

1
checks/check_extra734
View File

@@ -17,6 +17,7 @@ CHECK_TYPE_extra734="EXTRA"
CHECK_SEVERITY_extra734="Medium" CHECK_SEVERITY_extra734="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra734="AwsS3Bucket" CHECK_ASFF_RESOURCE_TYPE_extra734="AwsS3Bucket"
CHECK_ALTERNATE_check734="extra734" CHECK_ALTERNATE_check734="extra734"
CHECK_ASFF_COMPLIANCE_TYPE_extra734="ens-mp.info.3.s3.1"
extra734(){ extra734(){
LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --region $REGION --query Buckets[*].Name --output text|xargs -n1) LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --region $REGION --query Buckets[*].Name --output text|xargs -n1)

1
checks/check_extra735
View File

@@ -17,6 +17,7 @@ CHECK_TYPE_extra735="EXTRA"
CHECK_SEVERITY_extra735="Medium" CHECK_SEVERITY_extra735="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra735="AwsRdsDbInstance" CHECK_ASFF_RESOURCE_TYPE_extra735="AwsRdsDbInstance"
CHECK_ALTERNATE_check735="extra735" CHECK_ALTERNATE_check735="extra735"
CHECK_ASFF_COMPLIANCE_TYPE_extra735="ens-mp.info.3.aws.rds.1"
extra735(){ extra735(){
textInfo "Looking for RDS Volumes in all regions... " textInfo "Looking for RDS Volumes in all regions... "

1
checks/check_extra736
View File

@@ -17,6 +17,7 @@ CHECK_TYPE_extra736="EXTRA"
CHECK_SEVERITY_extra736="Critical" CHECK_SEVERITY_extra736="Critical"
CHECK_ASFF_RESOURCE_TYPE_extra736="AwsKmsKey" CHECK_ASFF_RESOURCE_TYPE_extra736="AwsKmsKey"
CHECK_ALTERNATE_check736="extra736" CHECK_ALTERNATE_check736="extra736"
CHECK_ASFF_COMPLIANCE_TYPE_extra736="ens-op.exp.11.aws.kms.2"
extra736(){ extra736(){
textInfo "Looking for KMS keys in all regions... " textInfo "Looking for KMS keys in all regions... "

1
checks/check_extra737
View File

@@ -17,6 +17,7 @@ CHECK_TYPE_extra737="EXTRA"
CHECK_SEVERITY_extra737="Medium" CHECK_SEVERITY_extra737="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra737="AwsKmsKey" CHECK_ASFF_RESOURCE_TYPE_extra737="AwsKmsKey"
CHECK_ALTERNATE_check737="extra737" CHECK_ALTERNATE_check737="extra737"
CHECK_ASFF_COMPLIANCE_TYPE_extra737="ens-op.exp.11.aws.kms.3"
extra737(){ extra737(){
textInfo "Looking for KMS keys in all regions... " textInfo "Looking for KMS keys in all regions... "

1
checks/check_extra738
View File

@@ -17,6 +17,7 @@ CHECK_TYPE_extra738="EXTRA"
CHECK_SEVERITY_extra738="Medium" CHECK_SEVERITY_extra738="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra738="AwsCloudFrontDistribution" CHECK_ASFF_RESOURCE_TYPE_extra738="AwsCloudFrontDistribution"
CHECK_ALTERNATE_check738="extra738" CHECK_ALTERNATE_check738="extra738"
CHECK_ASFF_COMPLIANCE_TYPE_extra738="ens-mp.com.2.aws.front.1"
extra738(){ extra738(){
LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None) LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions --query 'DistributionList.Items[*].Id' $PROFILE_OPT --output text|grep -v ^None)

1
checks/check_extra74
View File

@@ -19,6 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra74="AwsEc2SecurityGroup"
CHECK_ALTERNATE_extra704="extra74" CHECK_ALTERNATE_extra704="extra74"
CHECK_ALTERNATE_check74="extra74" CHECK_ALTERNATE_check74="extra74"
CHECK_ALTERNATE_check704="extra74" CHECK_ALTERNATE_check704="extra74"
CHECK_ASFF_COMPLIANCE_TYPE_extra74="ens-mp.com.4.aws.sg.2"
extra74(){ extra74(){
# "Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)" # "Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)"

1
checks/check_extra740
View File

@@ -17,6 +17,7 @@ CHECK_TYPE_extra740="EXTRA"
CHECK_SEVERITY_extra740="Medium" CHECK_SEVERITY_extra740="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra740="AwsEc2Snapshot" CHECK_ASFF_RESOURCE_TYPE_extra740="AwsEc2Snapshot"
CHECK_ALTERNATE_check740="extra740" CHECK_ALTERNATE_check740="extra740"
CHECK_ASFF_COMPLIANCE_TYPE_extra740="ens-mp.info.3.aws.ebs.3"
extra740(){ extra740(){
textInfo "Looking for EBS Snapshots in all regions... " textInfo "Looking for EBS Snapshots in all regions... "

1
checks/check_extra744
View File

@@ -17,6 +17,7 @@ CHECK_TYPE_extra744="EXTRA"
CHECK_SEVERITY_extra744="Medium" CHECK_SEVERITY_extra744="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra744="AwsApiGatewayRestApi" CHECK_ASFF_RESOURCE_TYPE_extra744="AwsApiGatewayRestApi"
CHECK_ALTERNATE_check744="extra744" CHECK_ALTERNATE_check744="extra744"
CHECK_ASFF_COMPLIANCE_TYPE_extra744="ens-mp.s.2.aws.waf.2"
extra744(){ extra744(){
for regx in $REGIONS; do for regx in $REGIONS; do

1
checks/check_extra749
View File

@@ -17,6 +17,7 @@ CHECK_TYPE_extra749="EXTRA"
CHECK_SEVERITY_extra749="High" CHECK_SEVERITY_extra749="High"
CHECK_ASFF_RESOURCE_TYPE_extra749="AwsEc2SecurityGroup" CHECK_ASFF_RESOURCE_TYPE_extra749="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check749="extra749" CHECK_ALTERNATE_check749="extra749"
CHECK_ASFF_COMPLIANCE_TYPE_extra749="ens-mp.com.4.aws.sg.6"
extra749(){ extra749(){
for regx in $REGIONS; do for regx in $REGIONS; do

1
checks/check_extra75
View File

@@ -19,6 +19,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra75="AwsEc2SecurityGroup"
CHECK_ALTERNATE_extra705="extra75" CHECK_ALTERNATE_extra705="extra75"
CHECK_ALTERNATE_check75="extra75" CHECK_ALTERNATE_check75="extra75"
CHECK_ALTERNATE_check705="extra75" CHECK_ALTERNATE_check705="extra75"
CHECK_ASFF_COMPLIANCE_TYPE_extra75="ens-mp.com.4.aws.sg.3"
extra75(){ extra75(){
# "Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)" # "Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)"

1
checks/check_extra750
View File

@@ -17,6 +17,7 @@ CHECK_TYPE_extra750="EXTRA"
CHECK_SEVERITY_extra750="High" CHECK_SEVERITY_extra750="High"
CHECK_ASFF_RESOURCE_TYPE_extra750="AwsEc2SecurityGroup" CHECK_ASFF_RESOURCE_TYPE_extra750="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check750="extra750" CHECK_ALTERNATE_check750="extra750"
CHECK_ASFF_COMPLIANCE_TYPE_extra750="ens-mp.com.4.aws.sg.7"
extra750(){ extra750(){
for regx in $REGIONS; do for regx in $REGIONS; do

1
checks/check_extra751
View File

@@ -17,6 +17,7 @@ CHECK_TYPE_extra751="EXTRA"
CHECK_SEVERITY_extra751="High" CHECK_SEVERITY_extra751="High"
CHECK_ASFF_RESOURCE_TYPE_extra751="AwsEc2SecurityGroup" CHECK_ASFF_RESOURCE_TYPE_extra751="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check751="extra751" CHECK_ALTERNATE_check751="extra751"
CHECK_ASFF_COMPLIANCE_TYPE_extra751="ens-mp.com.4.aws.sg.8"
extra751(){ extra751(){
for regx in $REGIONS; do for regx in $REGIONS; do

1
checks/check_extra752
View File

@@ -17,6 +17,7 @@ CHECK_TYPE_extra752="EXTRA"
CHECK_SEVERITY_extra752="High" CHECK_SEVERITY_extra752="High"
CHECK_ASFF_RESOURCE_TYPE_extra752="AwsEc2SecurityGroup" CHECK_ASFF_RESOURCE_TYPE_extra752="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check752="extra752" CHECK_ALTERNATE_check752="extra752"
CHECK_ASFF_COMPLIANCE_TYPE_extra752="ens-mp.com.4.aws.sg.9"
extra752(){ extra752(){
for regx in $REGIONS; do for regx in $REGIONS; do

1
checks/check_extra753
View File

@@ -17,6 +17,7 @@ CHECK_TYPE_extra753="EXTRA"
CHECK_SEVERITY_extra753="High" CHECK_SEVERITY_extra753="High"
CHECK_ASFF_RESOURCE_TYPE_extra753="AwsEc2SecurityGroup" CHECK_ASFF_RESOURCE_TYPE_extra753="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check753="extra753" CHECK_ALTERNATE_check753="extra753"
CHECK_ASFF_COMPLIANCE_TYPE_extra753="ens-mp.com.4.aws.sg.10"
extra753(){ extra753(){
for regx in $REGIONS; do for regx in $REGIONS; do

1
checks/check_extra754
View File

@@ -17,6 +17,7 @@ CHECK_TYPE_extra754="EXTRA"
CHECK_SEVERITY_extra754="High" CHECK_SEVERITY_extra754="High"
CHECK_ASFF_RESOURCE_TYPE_extra754="AwsEc2SecurityGroup" CHECK_ASFF_RESOURCE_TYPE_extra754="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check754="extra754" CHECK_ALTERNATE_check754="extra754"
CHECK_ASFF_COMPLIANCE_TYPE_extra754="ens-mp.com.4.aws.sg.11"
extra754(){ extra754(){
for regx in $REGIONS; do for regx in $REGIONS; do

1
checks/check_extra755
View File

@@ -17,6 +17,7 @@ CHECK_TYPE_extra755="EXTRA"
CHECK_SEVERITY_extra755="High" CHECK_SEVERITY_extra755="High"
CHECK_ASFF_RESOURCE_TYPE_extra755="AwsEc2SecurityGroup" CHECK_ASFF_RESOURCE_TYPE_extra755="AwsEc2SecurityGroup"
CHECK_ALTERNATE_check755="extra755" CHECK_ALTERNATE_check755="extra755"
CHECK_ASFF_COMPLIANCE_TYPE_extra755="ens-mp.com.4.aws.sg.12"
extra755(){ extra755(){
for regx in $REGIONS; do for regx in $REGIONS; do

1
checks/check_extra761
View File

@@ -16,6 +16,7 @@ CHECK_SCORED_extra761="NOT_SCORED"
CHECK_TYPE_extra761="EXTRA" CHECK_TYPE_extra761="EXTRA"
CHECK_SEVERITY_extra761="Medium" CHECK_SEVERITY_extra761="Medium"
CHECK_ALTERNATE_check761="extra761" CHECK_ALTERNATE_check761="extra761"
CHECK_ASFF_COMPLIANCE_TYPE_extra761="ens-mp.info.3.aws.ebs.2"
extra761(){ extra761(){
textInfo "Looking for EBS Default Encryption activation in all regions... " textInfo "Looking for EBS Default Encryption activation in all regions... "

1
checks/check_extra764
View File

@@ -17,6 +17,7 @@ CHECK_TYPE_extra764="EXTRA"
CHECK_SEVERITY_extra764="Medium" CHECK_SEVERITY_extra764="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra764="AwsS3Bucket" CHECK_ASFF_RESOURCE_TYPE_extra764="AwsS3Bucket"
CHECK_ALTERNATE_check764="extra764" CHECK_ALTERNATE_check764="extra764"
CHECK_ASFF_COMPLIANCE_TYPE_extra764="ens-mp.com.2.aws.s3.1"
extra764(){ extra764(){
LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text --region $REGION|xargs -n1) LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text --region $REGION|xargs -n1)

1
checks/check_extra773
View File

@@ -17,6 +17,7 @@ CHECK_TYPE_extra773="EXTRA"
CHECK_SEVERITY_extra773="Medium" CHECK_SEVERITY_extra773="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra773="AwsCloudFrontDistribution" CHECK_ASFF_RESOURCE_TYPE_extra773="AwsCloudFrontDistribution"
CHECK_ALTERNATE_check773="extra773" CHECK_ALTERNATE_check773="extra773"
CHECK_ASFF_COMPLIANCE_TYPE_extra773="ens-mp.s.2.aws.waf.1"
extra773(){ extra773(){
# "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)" # "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"

1
checks/check_extra781
View File

@@ -17,6 +17,7 @@ CHECK_TYPE_extra781="EXTRA"
CHECK_SEVERITY_extra781="Medium" CHECK_SEVERITY_extra781="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra781="AwsElasticsearchDomain" CHECK_ASFF_RESOURCE_TYPE_extra781="AwsElasticsearchDomain"
CHECK_ALTERNATE_check781="extra781" CHECK_ALTERNATE_check781="extra781"
CHECK_ASFF_COMPLIANCE_TYPE_extra781="ens-mp.info.3.aws.au.1"
extra781(){ extra781(){
for regx in $REGIONS; do for regx in $REGIONS; do

1
checks/check_extra792
View File

@@ -17,6 +17,7 @@ CHECK_TYPE_extra792="EXTRA"
CHECK_SEVERITY_extra792="Medium" CHECK_SEVERITY_extra792="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra792="AwsElbLoadBalancer" CHECK_ASFF_RESOURCE_TYPE_extra792="AwsElbLoadBalancer"
CHECK_ALTERNATE_check792="extra792" CHECK_ALTERNATE_check792="extra792"
CHECK_ASFF_COMPLIANCE_TYPE_extra792="ens-mp.com.2.aws.elb.2"
extra792(){ extra792(){
# "Check if Elastic Load Balancers have insecure SSL ciphers (Not Scored) (Not part of CIS benchmark)" # "Check if Elastic Load Balancers have insecure SSL ciphers (Not Scored) (Not part of CIS benchmark)"

1
checks/check_extra793
View File

@@ -17,6 +17,7 @@ CHECK_TYPE_extra793="EXTRA"
CHECK_SEVERITY_extra793="Medium" CHECK_SEVERITY_extra793="Medium"
CHECK_ASFF_RESOURCE_TYPE_extra793="AwsElbLoadBalancer" CHECK_ASFF_RESOURCE_TYPE_extra793="AwsElbLoadBalancer"
CHECK_ALTERNATE_check793="extra793" CHECK_ALTERNATE_check793="extra793"
CHECK_ASFF_COMPLIANCE_TYPE_extra793="ens-mp.com.2.aws.elb.1"
extra793(){ extra793(){
# "Check if Elastic Load Balancers have encrypted listeners (Not Scored) (Not part of CIS benchmark)" # "Check if Elastic Load Balancers have encrypted listeners (Not Scored) (Not part of CIS benchmark)"

2
include/csv_header
View File

@@ -15,5 +15,5 @@
printCsvHeader() { printCsvHeader() {
>&2 echo "" >&2 echo ""
>&2 echo "Generating \"${SEP}\" delimited report on stdout for profile $PROFILE, account $ACCOUNT_NUM" >&2 echo "Generating \"${SEP}\" delimited report on stdout for profile $PROFILE, account $ACCOUNT_NUM"
echo "PROFILE${SEP}ACCOUNT_NUM${SEP}REGION${SEP}TITLE_ID${SEP}RESULT${SEP}SCORED${SEP}LEVEL${SEP}TITLE_TEXT${SEP}NOTES" | tee -a $OUTPUT_FILE_NAME.$EXTENSION_CSV echo "PROFILE${SEP}ACCOUNT_NUM${SEP}REGION${SEP}TITLE_ID${SEP}RESULT${SEP}SCORED${SEP}LEVEL${SEP}TITLE_TEXT${SEP}NOTES${SEP}COMPLIANCE" | tee -a $OUTPUT_FILE_NAME.$EXTENSION_CSV
} }

1
include/html_report
View File

@@ -100,6 +100,7 @@ addHtmlHeader() {
<th scope="col">Result</th> <th scope="col">Result</th>
<th scope="col">AccountID</th> <th scope="col">AccountID</th>
<th scope="col">Region</th> <th scope="col">Region</th>
<th scope="col">Compliance</th>
<th scope="col">Group</th> <th scope="col">Group</th>
<th scope="col">CheckID</th> <th scope="col">CheckID</th>
<th style="width:40%" scope="col">Check Title</th> <th style="width:40%" scope="col">Check Title</th>

22
include/outputs
View File

@@ -51,7 +51,7 @@ textPass(){
REPREGION=$REGION REPREGION=$REGION
fi fi
if [[ "${MODES[@]}" =~ "csv" ]]; then if [[ "${MODES[@]}" =~ "csv" ]]; then
echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}PASS${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}PASS${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1${SEP}$ASFF_COMPLIANCE_TYPE" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV
fi fi
if [[ "${MODES[@]}" =~ "json" ]]; then if [[ "${MODES[@]}" =~ "json" ]]; then
generateJsonOutput "$1" "Pass" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_JSON generateJsonOutput "$1" "Pass" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_JSON
@@ -88,7 +88,7 @@ textInfo(){
REPREGION=$REGION REPREGION=$REGION
fi fi
if [[ "${MODES[@]}" =~ "csv" ]]; then if [[ "${MODES[@]}" =~ "csv" ]]; then
echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}INFO${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV} echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}INFO${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1${SEP}$ASFF_COMPLIANCE_TYPE" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV}
fi fi
if [[ "${MODES[@]}" =~ "json" ]]; then if [[ "${MODES[@]}" =~ "json" ]]; then
generateJsonOutput "$1" "Info" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON} generateJsonOutput "$1" "Info" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON}
@@ -140,7 +140,7 @@ textFail(){
fi fi
if [[ "${MODES[@]}" =~ "csv" ]]; then if [[ "${MODES[@]}" =~ "csv" ]]; then
echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}${level}${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV} echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}${level}${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1${SEP}$ASFF_COMPLIANCE_TYPE" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV}
fi fi
if [[ "${MODES[@]}" =~ "json" ]]; then if [[ "${MODES[@]}" =~ "json" ]]; then
generateJsonOutput "$1" "${level}" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON} generateJsonOutput "$1" "${level}" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON}
@@ -211,9 +211,9 @@ textTitle(){
: :
else else
if [[ "$ITEM_SCORED" == "Scored" ]]; then if [[ "$ITEM_SCORED" == "Scored" ]]; then
echo -e "\n$BLUE $TITLE_ID $NORMAL $TITLE_TEXT $group_ids" echo -e "\n$BLUE $TITLE_ID $NORMAL $TITLE_TEXT $6 $group_ids "
else else
echo -e "\n$PURPLE $TITLE_ID $TITLE_TEXT $NORMAL $group_ids" echo -e "\n$PURPLE $TITLE_ID $TITLE_TEXT $6 $NORMAL $group_ids "
fi fi
fi fi
} }
@@ -232,6 +232,7 @@ generateJsonOutput(){
--arg ITEM_LEVEL "$ITEM_LEVEL" \ --arg ITEM_LEVEL "$ITEM_LEVEL" \
--arg TITLE_ID "$TITLE_ID" \ --arg TITLE_ID "$TITLE_ID" \
--arg REPREGION "$REPREGION" \ --arg REPREGION "$REPREGION" \
--arg TYPE "$ASFF_COMPLIANCE_TYPE" \
--arg TIMESTAMP "$(get_iso8601_timestamp)" \ --arg TIMESTAMP "$(get_iso8601_timestamp)" \
-n '{ -n '{
"Profile": $PROFILE, "Profile": $PROFILE,
@@ -245,6 +246,7 @@ generateJsonOutput(){
"Control ID": $TITLE_ID, "Control ID": $TITLE_ID,
"Region": $REPREGION, "Region": $REPREGION,
"Timestamp": $TIMESTAMP, "Timestamp": $TIMESTAMP,
"Compliance": $TYPE
}' }'
} }
@@ -266,7 +268,8 @@ generateJsonAsffOutput(){
--arg SEVERITY "$(echo $CHECK_SEVERITY| awk '{ print toupper($0) }')" \ --arg SEVERITY "$(echo $CHECK_SEVERITY| awk '{ print toupper($0) }')" \
--arg TITLE_ID "$TITLE_ID" \ --arg TITLE_ID "$TITLE_ID" \
--arg CHECK_ID "$CHECK_ID" \ --arg CHECK_ID "$CHECK_ID" \
--arg TYPE "$ASFF_TYPE" \ --arg TYPE "$ASFF_COMPLIANCE_TYPE" \
--arg COMPLIANCE_RELATED_REQUIREMENTS "$ASFF_COMPLIANCE_TYPE" \
--arg RESOURCE_TYPE "$ASFF_RESOURCE_TYPE" \ --arg RESOURCE_TYPE "$ASFF_RESOURCE_TYPE" \
--arg REPREGION "$REPREGION" \ --arg REPREGION "$REPREGION" \
--arg TIMESTAMP "$(get_iso8601_timestamp)" \ --arg TIMESTAMP "$(get_iso8601_timestamp)" \
@@ -303,7 +306,8 @@ generateJsonAsffOutput(){
} }
], ],
"Compliance": { "Compliance": {
"Status": $STATUS "Status": $STATUS,
"RelatedRequirements": [ $COMPLIANCE_RELATED_REQUIREMENTS ]
} }
}' }'
} }
@@ -317,6 +321,7 @@ generateHtmlOutput(){
echo '<td>INFO</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>INFO</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$ACCOUNT_NUM'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>'$ACCOUNT_NUM'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$REPREGION'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>'$REPREGION'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$ASFF_COMPLIANCE_TYPE'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$ITEM_LEVEL'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>'$ITEM_LEVEL'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$TITLE_ID'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>'$TITLE_ID'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$TITLE_TEXT'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>'$TITLE_TEXT'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
@@ -329,6 +334,7 @@ generateHtmlOutput(){
echo '<td>PASS</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>PASS</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$ACCOUNT_NUM'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>'$ACCOUNT_NUM'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$REPREGION'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>'$REPREGION'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$ASFF_COMPLIANCE_TYPE'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$ITEM_LEVEL'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>'$ITEM_LEVEL'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$TITLE_ID'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>'$TITLE_ID'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$TITLE_TEXT'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>'$TITLE_TEXT'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
@@ -341,6 +347,7 @@ generateHtmlOutput(){
echo '<td>FAIL</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>FAIL</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$ACCOUNT_NUM'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>'$ACCOUNT_NUM'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$REPREGION'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>'$REPREGION'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$ASFF_COMPLIANCE_TYPE'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$ITEM_LEVEL'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>'$ITEM_LEVEL'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$TITLE_ID'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>'$TITLE_ID'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$TITLE_TEXT'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>'$TITLE_TEXT'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
@@ -353,6 +360,7 @@ generateHtmlOutput(){
echo '<td>WARN</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>WARN</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$ACCOUNT_NUM'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>'$ACCOUNT_NUM'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$REPREGION'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>'$REPREGION'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$ASFF_COMPLIANCE_TYPE'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$ITEM_LEVEL'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>'$ITEM_LEVEL'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$TITLE_ID'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>'$TITLE_ID'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
echo '<td>'$TITLE_TEXT'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo '<td>'$TITLE_TEXT'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML

17
prowler
View File

@@ -32,7 +32,7 @@ OPTRED=""
OPTNORMAL="" OPTNORMAL=""
# Set the defaults variables # Set the defaults variables
PROWLER_VERSION=2.3.0RC5 PROWLER_VERSION=2.3.0RC6
PROWLER_DIR=$(dirname "$0") PROWLER_DIR=$(dirname "$0")
REGION="" REGION=""
@@ -283,6 +283,7 @@ show_check_title() {
local check_title=CHECK_TITLE_$1 local check_title=CHECK_TITLE_$1
local check_scored=CHECK_SCORED_$1 local check_scored=CHECK_SCORED_$1
local check_type=CHECK_TYPE_$1 local check_type=CHECK_TYPE_$1
local check_asff_compliance_type=CHECK_ASFF_COMPLIANCE_TYPE_$1
local group_ids local group_ids
local group_index local group_index
# If requested ($2 is any non-null value) iterate all GROUP_CHECKS and produce a comma-separated list of all # If requested ($2 is any non-null value) iterate all GROUP_CHECKS and produce a comma-separated list of all
@@ -297,7 +298,12 @@ show_check_title() {
fi fi
done done
fi fi
textTitle "${!check_id}" "${!check_title}" "${!check_scored}" "${!check_type}" "$group_ids" # This shows ASFF_COMPLIANCE_TYPE if group used is ens, this si used to show ENS compliance ID control, can be used for other compliance groups as well.
if [[ ${GROUP_ID_READ} == "ens" ]];then
textTitle "${!check_id}" "${!check_title}" "${!check_scored}" "${!check_type}" "$group_ids" "(${!check_asff_compliance_type})"
else
textTitle "${!check_id}" "${!check_title}" "${!check_scored}" "${!check_type}" "$group_ids"
fi
} }
# Function to show the title of a group, by numeric id # Function to show the title of a group, by numeric id
@@ -317,6 +323,8 @@ execute_check() {
# See if this check defines an ASFF Type, if so, use this, falling back to a sane default # See if this check defines an ASFF Type, if so, use this, falling back to a sane default
# For a list of Types, see: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html#securityhub-findings-format-type-taxonomy # For a list of Types, see: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html#securityhub-findings-format-type-taxonomy
local asff_type_var=CHECK_ASFF_TYPE_$1 local asff_type_var=CHECK_ASFF_TYPE_$1
local asff_compliance_type_var=CHECK_ASFF_COMPLIANCE_TYPE_$1
local severity_var=CHECK_SEVERITY_$1 local severity_var=CHECK_SEVERITY_$1
@@ -325,6 +333,7 @@ execute_check() {
CHECK_ID="$1" CHECK_ID="$1"
ASFF_TYPE="${!asff_type_var:-Software and Configuration Checks}" ASFF_TYPE="${!asff_type_var:-Software and Configuration Checks}"
ASFF_COMPLIANCE_TYPE="${!asff_compliance_type_var:-Software and Configuration Checks}"
# See if this check defines an ASFF Resource Type, if so, use this, falling back to a sane default # See if this check defines an ASFF Resource Type, if so, use this, falling back to a sane default
# For a list of Resource Types, see: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html#asff-resources # For a list of Resource Types, see: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html#asff-resources
local asff_resource_type_var=CHECK_ASFF_RESOURCE_TYPE_$1 local asff_resource_type_var=CHECK_ASFF_RESOURCE_TYPE_$1
@@ -339,7 +348,7 @@ execute_check() {
ignores="$(awk "/${1}/{print}" <(echo "${WHITELIST}"))" ignores="$(awk "/${1}/{print}" <(echo "${WHITELIST}"))"
if [ ${alternate_name} ];then if [ ${alternate_name} ];then
if [[ ${alternate_name} == check1* || ${alternate_name} == extra71 ]];then if [[ ${alternate_name} == check1* || ${alternate_name} == extra71 || ${alternate_name} == extra774 || ${alternate_name} == extra7123 ]];then
if [ ! -s $TEMP_REPORT_FILE ];then if [ ! -s $TEMP_REPORT_FILE ];then
genCredReport genCredReport
saveReport saveReport
@@ -363,7 +372,7 @@ execute_check() {
local check_id_var=CHECK_ID_$1 local check_id_var=CHECK_ID_$1
local check_id=${!check_id_var} local check_id=${!check_id_var}
if [ ${check_id} ]; then if [ ${check_id} ]; then
if [[ ${check_id} == 1* || ${check_id} == 7.1 || ${check_id} == 7.74 ]];then if [[ ${check_id} == 1* || ${check_id} == 7.1 || ${check_id} == 7.74 || ${check_id} == 7.123 ]];then
if [ ! -s $TEMP_REPORT_FILE ];then if [ ! -s $TEMP_REPORT_FILE ];then
genCredReport genCredReport
saveReport saveReport