Added extra739 ELB logging and typos

LIST_OF_CHECKS_AND_GROUPS.md

@@ -1,3 +1,4 @@
 ```
 ./prowler -l # to see all available checks and groups.
+./prowler -L # to see all available groups only.
 ```

README.md

@@ -30,10 +30,10 @@ It covers hardening and security best practices for all AWS regions related to t
 - Networking (4 checks) [group4]
 - CIS Level 1 [cislevel1]
 - CIS Level 2 [cislevel2]
-- Extras (37 checks) *see Extras section* [extras]
+- Extras (39 checks) *see Extras section* [extras]
 - Forensics related group of checks [forensics-ready]
 - GDPR [gdpr] Read more [here](https://github.com/toniblyx/prowler/issues/189)
-- HIPPA [hippa]
+- HIPPA [hippa] Read more [here](https://github.com/toniblyx/prowler/issues/227)
 
 For a comprehensive list and resolution look at the guide on the link above.
 
@@ -419,6 +419,7 @@ At this moment we have 37 extra checks:
 - 7.36 (`extra736`) Check exposed KMS keys (Not Scored) (Not part of CIS benchmark)
 - 7.37 (`extra737`) Check KMS keys with key rotation disabled (Not Scored) (Not part of CIS benchmark)
 - 7.38 (`extra738`) Check if CloudFront distributions are set to HTTPS (Not Scored) (Not part of CIS benchmark)
+- 7.38 (`extra739`) Check if ELBs have logging enabled (Not Scored) (Not part of CIS benchmark)
 
 To check all extras in one command:
 
@@ -454,9 +455,10 @@ With this group of checks, Prowler looks if each service with logging or audit c
 - 7.20  Check if Lambda functions are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)
 - 7.21  Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)
 - 7.22  Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)
-- 7.23 [extra723] Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)
-- 7.24 [extra724] Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)
-- 7.25 [extra725] Check if S3 buckets have Object-level logging enabled in CloudTrail (Not Scored) (Not part of CIS benchmark)
+- 7.23  Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)
+- 7.24  Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)
+- 7.25  Check if S3 buckets have Object-level logging enabled in CloudTrail (Not Scored) (Not part of CIS benchmark)
+- 7.38  Check if ELBs have logging enabled (Not Scored) (Not part of CIS benchmark)
 
 
 The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command:
@@ -501,8 +503,8 @@ The link to the license terms can be found at
 Any other piece of code is licensed as Apache License 2.0 as specified in each file. You may obtain a copy of the License at
 <http://www.apache.org/licenses/LICENSE-2.0>
 
-NOTE: If you are interested in using Prowler for commercial purposes remember that due to the CC4.0 license “The distributors or partners that are interested and using Prowler would need to enrol as CIS SecureSuite Members to incorporate this product, which includes references to CIS resources, in their offering.". Information about CIS pricing for vendors here: <https://www.cisecurity.org/cis-securesuite/pricing-and-categories/product-vendor/>
+NOTE: If you are interested in using Prowler for commercial purposes remember that due to the CC4.0 license “The distributors or partners that are interested and using Prowler would need to enroll as CIS SecureSuite Members to incorporate this product, which includes references to CIS resources, in their offering.". Information about CIS pricing for vendors here: <https://www.cisecurity.org/cis-securesuite/pricing-and-categories/product-vendor/>
 
-**I'm not related anyhow with CIS organisation, I just write and maintain Prowler to help companies over the world to make their cloud infrastructure more secure.**
+**I'm not related anyhow with CIS organization, I just write and maintain Prowler to help companies over the world to make their cloud infrastructure more secure.**
 
 If you want to contact me visit <https://blyx.com/contact>

checks/check_extra73

@@ -18,6 +18,30 @@ CHECK_ALTERNATE_extra703="extra73"
 CHECK_ALTERNATE_check73="extra73"
 CHECK_ALTERNATE_check703="extra73"
 
+# Improved and simplified check on Nov 18th 2018 due to a new bucket attribute
+# called PolicyStatus, not available in all regions yet.
+
+# extra73(){
+#   ALL_BUCKETS_LIST=$($AWSCLI s3api list-buckets --query 'Buckets[*].{Name:Name}' $PROFILE_OPT --region $REGION --output text)
+#   for bucket in $ALL_BUCKETS_LIST; do
+#     BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location --bucket $bucket $PROFILE_OPT --region $REGION --output text)
+#     if [[ "None" == $BUCKET_LOCATION ]]; then
+#       BUCKET_LOCATION="us-east-1"
+#     fi
+#     if [[ "EU" == $BUCKET_LOCATION ]]; then
+#       BUCKET_LOCATION="eu-west-1"
+#     fi
+#
+#     BUCKET_POLICY_STATUS=$($AWSCLI s3api get-bucket-policy-status --bucket $bucket --query PolicyStatus.IsPublic --output text | grep False)
+#     if [[ $BUCKET_POLICY_STATUS ]];then
+#       textFail "$BUCKET_LOCATION: $bucket bucket is Public!" "$regx"
+#     else
+#       textPass "$BUCKET_LOCATION: $bucket bucket is not Public" "$regx"
+#     fi
+#   done
+# }
+
+
 extra73(){
   textInfo "Looking for open S3 Buckets (ACLs and Policies) in all regions...  "
   ALL_BUCKETS_LIST=$($AWSCLI s3api list-buckets --query 'Buckets[*].{Name:Name}' $PROFILE_OPT --region $REGION --output text)

checks/check_extra739

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra739="7.39"
+CHECK_TITLE_extra739="[extra739] Check if ELBs have logging enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra739="NOT_SCORED"
+CHECK_TYPE_extra739="EXTRA"
+CHECK_ALTERNATE_check739="extra739"
+
+extra739(){
+  for regx in $REGIONS; do
+    LIST_OF_ELB=$($AWSCLI elb describe-load-balancers --region $regx $PROFILE_OPT --query LoadBalancerDescriptions[*].LoadBalancerName --output text)
+    if [[ $LIST_OF_ELB ]];then
+      for elb_id in $LIST_OF_ELB; do
+        CHECK_LOG_STATUS=$($AWSCLI elb describe-load-balancer-attributes --region $regx $PROFILE_OPT --load-balancer-name $elb_id --query LoadBalancerAttributes.AccessLog.Enabled --output text|grep False)
+        if [[ $CHECK_LOG_STATUS ]]; then
+          textFail "$regx: ELB $elb_id has login disabled!" "$regx"
+        else
+          textPass "$regx: ELB $elb_id has login enabled" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No ELBs found" "$regx"
+    fi
+  done
+}

groups/group10_hipaa

@@ -15,7 +15,7 @@ GROUP_ID[10]='hipaa'
 GROUP_NUMBER[10]='10.0'
 GROUP_TITLE[10]='HIPAA Compliance - WORK IN PROGRESS!! - [hipaa] *******************'
 GROUP_RUN_BY_DEFAULT[10]='N' # run it when execute_all is called
-GROUP_CHECKS[10]='check12,check113,check23,check26,check27,check29,extra718,extra725,extra72,extra75'
+GROUP_CHECKS[10]='check12,check113,check23,check26,check27,check29,extra718,extra725,extra72,extra75,extra739'
 
 # Resources:
 # https://d0.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf

groups/group8_forensics

@@ -15,4 +15,4 @@ GROUP_ID[8]='forensics-ready'
 GROUP_NUMBER[8]='8.0'
 GROUP_TITLE[8]='Forensics Readiness - [forensics-ready] ************************'
 GROUP_RUN_BY_DEFAULT[8]='N' # run it when execute_all is called
-GROUP_CHECKS[8]='check21,check22,check23,check24,check25,check26,check27,check29,extra712,extra713,extra714,extra715,extra717,extra718,extra719,extra720,extra721,extra722,extra725'
+GROUP_CHECKS[8]='check21,check22,check23,check24,check25,check26,check27,check29,extra712,extra713,extra714,extra715,extra717,extra718,extra719,extra720,extra721,extra722,extra725,extra739'