diff --git a/README.md b/README.md
index 0d789bee..b06ffbef 100644
--- a/README.md
+++ b/README.md
@@ -583,7 +583,7 @@ We are adding additional checks to improve the information gather from each acco
 
 Note: Some of these checks for publicly facing resources may not actually be fully public due to other layered controls like S3 Bucket Policies, Security Groups or Network ACLs.
 
-At this moment we have 15 extra checks:
+At this moment we have 16 extra checks:
 
 - 7.1 (`extra71`) Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)
 - 7.2 (`extra72`) Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)
@@ -600,6 +600,7 @@ At this moment we have 15 extra checks:
 - 7.13 (`extra713`) Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)
 - 7.14 (`extra714`) Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
 - 7.15 (`extra715`) Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)
+- 7.16 (`extra716`) Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)
 
 To check all extras in one command:
 
diff --git a/prowler b/prowler
index 141fb6b8..b00cb69b 100755
--- a/prowler
+++ b/prowler
@@ -498,6 +498,9 @@ ID714="7.14,7.14"
 TITLE714="Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
 ID715="7.15,7.15"
 TITLE715="Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)"
+ID716="7.16,7.16"
+TITLE716="Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)"
+
 
 printCsvHeader() {
 >&2 echo ""
@@ -1940,6 +1943,29 @@ extra715(){
 done
 }
 
+extra716(){
+ # "Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)"
+ textTitle "$ID716" "$TITLE716" "NOT_SCORED" "EXTRA"
+ for regx in $REGIONS; do
+ LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text)
+ if [[ $LIST_OF_DOMAINS ]]; then
+ for domain in $LIST_OF_DOMAINS;do
+ TEMP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-es-domain.policy.XXXXXXXXXX)
+ $AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.AccessPolicies.Options --output text > $TEMP_POLICY_FILE 2> /dev/null
+ # check if the policy has Principal as *
+ CHECK_ES_DOMAIN_ALLUSERS_POLICY=$(cat $TEMP_POLICY_FILE | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | awk '/Principal/ && !skip { print } { skip = /Deny/} '|grep \"Principal|grep \*)
+ if [[ $CHECK_ES_DOMAIN_ALLUSERS_POLICY ]];then
+ textWarn "$regx: $domain policy \"may\" allow Anonymous users to perform actions (Principal: \"*\")" "$regx"
+ else
+ textOK "$regx: $domain is not open" "$regx"
+ fi
+ done
+ fi
+ textOK "$regx: No Elasticsearch Service domain found" "$regx"
+ rm -fr $TEMP_POLICY_FILE
+ done
+}
+
 callCheck(){
 if [[ $CHECKNUMBER ]];then
 case "$CHECKNUMBER" in
@@ -2010,6 +2036,7 @@ callCheck(){
 extra713|extra713 ) extra713;;
 extra714|extra714 ) extra714;;
 extra715|extra715 ) extra715;;
+ extra716|extra716 ) extra716;;
 
 ## Groups of Checks
 check1 )
@@ -2046,7 +2073,7 @@ callCheck(){
 ;;
 extras )
 extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78;
- extra79;extra710;extra711;extra712;extra713;extra714;extra715
+ extra79;extra710;extra711;extra712;extra713;extra714;extra715;extra716
 ;;
 forensics-ready )
 check21;check22;check23;check24;check25;check26;check27;
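Review bot: In extra716, `textOK "$regx: No Elasticsearch Service domain found" "$regx"` sits after the `fi`, so it is printed for every region even when domains were listed and already reported individually just above; move it into an `else` branch of `if [[ $LIST_OF_DOMAINS ]]; then`. Likewise `rm -fr $TEMP_POLICY_FILE` runs once per region after the inner loop, so with several domains only the last mktemp file is removed and the earlier ones are left behind; move the `rm -f -- "$TEMP_POLICY_FILE"` inside the `for domain` loop right after the grep. The `2> /dev/null` on the describe call also hides failures such as a permission error, which leaves an empty policy file and reports the domain as "is not open" — a false pass; checking the command's exit status and reporting that case separately would be safer. The `skip = /Deny/` trick only suppresses the fragment immediately following one containing Deny, which presumably relies on "Effect" preceding "Principal" inside each statement of the stored document — worth confirming against a policy written in the other order.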
@@ -2137,6 +2164,7 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then
 textTitle "$ID713" "$TITLE713" "NOT_SCORED" "EXTRA"
 textTitle "$ID714" "$TITLE714" "NOT_SCORED" "EXTRA"
 textTitle "$ID715" "$TITLE715" "NOT_SCORED" "EXTRA"
+ textTitle "$ID716" "$TITLE716" "NOT_SCORED" "EXTRA"
 exit $EXITCODE
 fi
 
@@ -2228,6 +2256,7 @@ extra712
 extra713
 extra714
 extra715
+extra716
 
 cleanTemp
 exit $EXITCODE