diff --git a/checks/check110 b/checks/check110
index b016c23b..5f31e844 100644
--- a/checks/check110
+++ b/checks/check110
@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check110="check110"
 check110(){
 # "Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
 COMMAND110=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --query 'PasswordPolicy.PasswordReusePrevention' --output text 2> /dev/null)
- textTitle "$ID110" "$TITLE110" "SCORED" "LEVEL1"
 if [[ $COMMAND110 ]];then
 if [[ $COMMAND110 -gt "23" ]];then
 textOK "Password Policy limits reuse"
diff --git a/checks/check111 b/checks/check111
index b78f2adc..3d93a548 100644
--- a/checks/check111
+++ b/checks/check111
@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check111="check111"
 check111(){
 # "Ensure IAM password policy expires passwords within 90 days or less (Scored)"
 COMMAND111=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json | grep MaxPasswordAge | awk -F: '{ print $2 }'|sed 's/\ //g'|sed 's/,/ /g' 2> /dev/null)
- textTitle "$ID111" "$TITLE111" "SCORED" "LEVEL1"
 if [[ $COMMAND111 ]];then
 if [ "$COMMAND111" == "90" ];then
 textOK "Password Policy includes expiration"
diff --git a/checks/check112 b/checks/check112
index dc2682f9..84472b5c 100644
--- a/checks/check112
+++ b/checks/check112
@@ -8,7 +8,6 @@ check112(){
 # ensure the access_key_1_active and access_key_2_active fields are set to FALSE.
 ROOTKEY1=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $9 }')
 ROOTKEY2=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $14 }')
- textTitle "$ID112" "$TITLE112" "SCORED" "LEVEL1"
 if [ "$ROOTKEY1" == "false" ];then
 textOK "No access key 1 found for root"
 else
diff --git a/checks/check113 b/checks/check113
index e6992d55..9f9fb579 100644
--- a/checks/check113
+++ b/checks/check113
@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check113="check113"
 check113(){
 # "Ensure MFA is enabled for the root account (Scored)"
 COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
- textTitle "$ID113" "$TITLE113" "SCORED" "LEVEL1"
 if [ "$COMMAND113" == "1" ]; then
 textOK "Virtual MFA is enabled for root"
 else
diff --git a/checks/check114 b/checks/check114
index cf1d7b06..058c3849 100644
--- a/checks/check114
+++ b/checks/check114
@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check114="check114"
 check114(){
 # "Ensure hardware MFA is enabled for the root account (Scored)"
 COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
- textTitle "$ID114" "$TITLE114" "SCORED" "LEVEL1"
 if [ "$COMMAND113" == "1" ]; then
 COMMAND114=$($AWSCLI iam list-virtual-mfa-devices $PROFILE_OPT --region $REGION --output text --assignment-status Assigned --query 'VirtualMFADevices[*].[SerialNumber]' | grep '^arn:aws:iam::[0-9]\{12\}:mfa/root-account-mfa-device$')
 if [[ "$COMMAND114" ]]; then
diff --git a/checks/check115 b/checks/check115
index 13b0bc89..007d9f04 100644
--- a/checks/check115
+++ b/checks/check115
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check115="check115"
 check115(){
 # "Ensure security questions are registered in the AWS account (Not Scored)"
- textTitle "$ID115" "$TITLE115" "NOT_SCORED" "LEVEL2"
 textNotice "No command available for check 1.15 "
 textNotice "Login to the AWS Console as root & click on the Account "
 textNotice "Name -> My Account -> Configure Security Challenge Questions "
diff --git a/checks/check116 b/checks/check116
index c6afa34b..ae9aee0c 100644
--- a/checks/check116
+++ b/checks/check116
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check116="check116"
 check116(){
 # "Ensure IAM policies are attached only to groups or roles (Scored)"
- textTitle "$ID116" "$TITLE116" "SCORED" "LEVEL1"
 LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
 C116_NUM_USERS=0
 for user in $LIST_USERS;do
diff --git a/checks/check117 b/checks/check117
index e37c9f6b..352e3960 100644
--- a/checks/check117
+++ b/checks/check117
@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check117="check117"
 check117(){
 # "Enable detailed billing (Scored)"
 # No command available
- textTitle "$ID117" "$TITLE117" "SCORED" "LEVEL1"
 textNotice "No command available for check 1.17 "
 textNotice "See section 1.17 on the CIS Benchmark guide for details "
 }
diff --git a/checks/check118 b/checks/check118
index a3d0537a..e9876912 100644
--- a/checks/check118
+++ b/checks/check118
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check118="check118"
 check118(){
 # "Ensure IAM Master and IAM Manager roles are active (Scored)"
- textTitle "$ID118" "$TITLE118" "SCORED" "LEVEL1"
 FINDMASTERANDMANAGER=$($AWSCLI iam list-roles $PROFILE_OPT --region $REGION --query "Roles[*].{RoleName:RoleName}" --output text | grep -E 'Master|Manager'| tr ' ' ' ')
 if [[ $FINDMASTERANDMANAGER ]];then
diff --git a/checks/check119 b/checks/check119
index b4fe37d5..4c3b797b 100644
--- a/checks/check119
+++ b/checks/check119
@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check119="check119"
 check119(){
 # "Maintain current contact details (Scored)"
 # No command available
- textTitle "$ID119" "$TITLE119" "SCORED" "LEVEL1"
 textNotice "No command available for check 1.19 "
 textNotice "See section 1.19 on the CIS Benchmark guide for details "
 }
diff --git a/checks/check120 b/checks/check120
index 20de93c3..6bce3e6e 100644
--- a/checks/check120
+++ b/checks/check120
@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check120="check120"
 check120(){
 # "Ensure security contact information is registered (Scored)"
 # No command available
- textTitle "$ID120" "$TITLE120" "SCORED" "LEVEL1"
 textNotice "No command available for check 1.20 "
 textNotice "See section 1.20 on the CIS Benchmark guide for details "
 }
diff --git a/checks/check121 b/checks/check121
index d593576b..3457ec06 100644
--- a/checks/check121
+++ b/checks/check121
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check121="check121"
 check121(){
 # "Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
- textTitle "$ID121" "$TITLE121" "NOT_SCORED" "LEVEL2"
 textNotice "No command available for check 1.21 "
 textNotice "See section 1.21 on the CIS Benchmark guide for details "
 }
diff --git a/checks/check122 b/checks/check122
index 0cea82df..d5c2a81c 100644
--- a/checks/check122
+++ b/checks/check122
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check122="check122"
 check122(){
 # "Ensure a support role has been created to manage incidents with AWS Support (Scored)"
- textTitle "$ID122" "$TITLE122" "SCORED" "LEVEL1"
 SUPPORTPOLICYARN=$($AWSCLI iam list-policies --query "Policies[?PolicyName == 'AWSSupportAccess'].Arn" $PROFILE_OPT --region $REGION --output text)
 if [[ $SUPPORTPOLICYARN ]];then
 for policyarn in $SUPPORTPOLICYARN;do
diff --git a/checks/check123 b/checks/check123
index 6cdda330..4118f796 100644
--- a/checks/check123
+++ b/checks/check123
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check123="check123"
 check123(){
 # "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
- textTitle "$ID123" "$TITLE123" "NOT_SCORED" "LEVEL1"
 LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
 # List of USERS with KEY1 last_used_date as N/A
 LIST_USERS_KEY1_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$11 }'|grep N/A |awk '{ print $1 }'; done)
diff --git a/checks/check124 b/checks/check124
index 95e1eaf0..7ae78552 100644
--- a/checks/check124
+++ b/checks/check124
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check124="check124"
 check124(){
 # "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
- textTitle "$ID124" "$TITLE124" "SCORED" "LEVEL1"
 LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION|grep 'arn:aws:iam::[0-9]\{12\}:'|awk '{ print $2 }')
 if [[ $LIST_CUSTOM_POLICIES ]]; then
 textNotice "Looking for custom policies: (skipping default policies - it may take few seconds...)"
diff --git a/checks/check13 b/checks/check13
index 154dad3b..0ef66c7c 100644
--- a/checks/check13
+++ b/checks/check13
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check103="check13"
 check13(){
 # "Ensure credentials unused for 90 days or greater are disabled (Scored)"
- textTitle "$ID13" "$TITLE13" "SCORED" "LEVEL1"
 COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep true | awk '{ print $1 }')
 if [[ $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED ]]; then
 COMMAND13=$(
diff --git a/checks/check14 b/checks/check14
index 0a1d4a02..8aaf4087 100644
--- a/checks/check14
+++ b/checks/check14
@@ -7,7 +7,6 @@ check14(){
 # "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey
 LIST_OF_USERS_WITH_ACCESS_KEY1=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $9 }' |grep "\ true" | awk '{ print $1 }')
 LIST_OF_USERS_WITH_ACCESS_KEY2=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $14 }' |grep "\ true" | awk '{ print $1 }')
- textTitle "$ID14" "$TITLE14" "SCORED" "LEVEL1"
 C14_NUM_USERS1=0
 C14_NUM_USERS2=0
 if [[ $LIST_OF_USERS_WITH_ACCESS_KEY1 ]]; then
diff --git a/checks/check15 b/checks/check15
index 0cb0b235..698fae1a 100644
--- a/checks/check15
+++ b/checks/check15
@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check105="check15"
 check15(){
 # "Ensure IAM password policy requires at least one uppercase letter (Scored)"
 COMMAND15=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireUppercaseCharacters' 2> /dev/null) # must be true
- textTitle "$ID15" "$TITLE15" "SCORED" "LEVEL1"
 if [[ "$COMMAND15" == "true" ]];then
 textOK "Password Policy requires upper case"
 else
diff --git a/checks/check16 b/checks/check16
index 255d4780..8ae18a22 100644
--- a/checks/check16
+++ b/checks/check16
@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check106="check16"
 check16(){
 # "Ensure IAM password policy require at least one lowercase letter (Scored)"
 COMMAND16=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireLowercaseCharacters' 2> /dev/null) # must be true
- textTitle "$ID16" "$TITLE16" "SCORED" "LEVEL1"
 if [[ "$COMMAND16" == "true" ]];then
 textOK "Password Policy requires lower case"
 else
diff --git a/checks/check17 b/checks/check17
index c031f187..18177b61 100644
--- a/checks/check17
+++ b/checks/check17
@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check107="check17"
 check17(){
 # "Ensure IAM password policy require at least one symbol (Scored)"
 COMMAND17=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireSymbols' 2> /dev/null) # must be true
- textTitle "$ID17" "$TITLE17" "SCORED" "LEVEL1"
 if [[ "$COMMAND17" == "true" ]];then
 textOK "Password Policy requires symbol"
 else
diff --git a/checks/check18 b/checks/check18
index f2acba9f..2f2189ee 100644
--- a/checks/check18
+++ b/checks/check18
@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check18="check18"
 check18(){
 # "Ensure IAM password policy require at least one number (Scored)"
 COMMAND18=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireNumbers' 2> /dev/null) # must be true
- textTitle "$ID18" "$TITLE18" "SCORED" "LEVEL1"
 if [[ "$COMMAND18" == "true" ]];then
 textOK "Password Policy requires number"
 else
diff --git a/checks/check19 b/checks/check19
index 1c20e6d8..08f880a0 100644
--- a/checks/check19
+++ b/checks/check19
@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check109="check19"
 check19(){
 # "Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
 COMMAND19=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.MinimumPasswordLength' 2> /dev/null)
- textTitle "$ID19" "$TITLE19" "SCORED" "LEVEL1"
 if [[ $COMMAND19 -gt "13" ]];then
 textOK "Password Policy requires more than 13 characters"
 else
diff --git a/checks/check21 b/checks/check21
index 58056d0b..bd7b0fcf 100644
--- a/checks/check21
+++ b/checks/check21
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check201="check21"
 check21(){
 # "Ensure CloudTrail is enabled in all regions (Scored)"
- textTitle "$ID21" "$TITLE21" "SCORED" "LEVEL1"
 LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].Name' --output text)
 if [[ $LIST_OF_TRAILS ]];then
 for trail in $LIST_OF_TRAILS;do
diff --git a/checks/check22 b/checks/check22
index 36c1514f..ca3d48ae 100644
--- a/checks/check22
+++ b/checks/check22
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check202="check22"
 check22(){
 # "Ensure CloudTrail log file validation is enabled (Scored)"
- textTitle "$ID22" "$TITLE22" "SCORED" "LEVEL2"
 LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].Name' --output text)
 if [[ $LIST_OF_TRAILS ]];then
 for trail in $LIST_OF_TRAILS;do
diff --git a/checks/check23 b/checks/check23
index 4306145e..5e44808f 100644
--- a/checks/check23
+++ b/checks/check23
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check203="check23"
 check23(){
 # "Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
- textTitle "$ID23" "$TITLE23" "SCORED" "LEVEL1"
 CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails --query 'trailList[*].S3BucketName' --output text $PROFILE_OPT --region $REGION)
 if [[ $CLOUDTRAILBUCKET ]];then
 for bucket in $CLOUDTRAILBUCKET;do
diff --git a/checks/check24 b/checks/check24
index 690f572b..438d6bd2 100644
--- a/checks/check24
+++ b/checks/check24
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check204="check24"
 check24(){
 # "Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
- textTitle "$ID24" "$TITLE24" "SCORED" "LEVEL1"
 TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].{Name:Name, HomeRegion:HomeRegion}' --output text | tr " " ',')
 if [[ $TRAILS_AND_REGIONS ]];then
 for reg_trail in $TRAILS_AND_REGIONS;do
diff --git a/checks/check25 b/checks/check25
index b97adefc..d321b0a4 100644
--- a/checks/check25
+++ b/checks/check25
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check205="check25"
 check25(){
 # "Ensure AWS Config is enabled in all regions (Scored)"
- textTitle "$ID25" "$TITLE25" "SCORED" "LEVEL1"
 for regx in $REGIONS; do
 CHECK_AWSCONFIG_STATUS=$($AWSCLI configservice get-status $PROFILE_OPT --region $regx --output json| grep "recorder: ON")
 if [[ $CHECK_AWSCONFIG_STATUS ]];then
diff --git a/checks/check26 b/checks/check26
index 33f68e90..8f72cbba 100644
--- a/checks/check26
+++ b/checks/check26
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check206="check26"
 check26(){
 # "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
- textTitle "$ID26" "$TITLE26" "SCORED" "LEVEL1"
 CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails --query 'trailList[*].S3BucketName' --output text $PROFILE_OPT --region $REGION)
 if [[ $CLOUDTRAILBUCKET ]];then
 for bucket in $CLOUDTRAILBUCKET;do
diff --git a/checks/check27 b/checks/check27
index f0feff85..8b1964c1 100644
--- a/checks/check27
+++ b/checks/check27
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check207="check27"
 check27(){
 # "Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
- textTitle "$ID27" "$TITLE27" "SCORED" "LEVEL2"
 CLOUDTRAILNAME=$($AWSCLI cloudtrail describe-trails --query 'trailList[*].Name' --output text $PROFILE_OPT --region $REGION)
 if [[ $CLOUDTRAILNAME ]];then
 for trail in $CLOUDTRAILNAME;do
diff --git a/checks/check28 b/checks/check28
index fa0b0a4d..9f016dc4 100644
--- a/checks/check28
+++ b/checks/check28
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check208="check28"
 check28(){
 # "Ensure rotation for customer created CMKs is enabled (Scored)"
- textTitle "$ID28" "$TITLE28" "SCORED" "LEVEL2"
 for regx in $REGIONS; do
 CHECK_KMS_KEYLIST=$($AWSCLI kms list-keys $PROFILE_OPT --region $regx --output text --query 'Keys[*].KeyId')
 if [[ $CHECK_KMS_KEYLIST ]];then
diff --git a/checks/check31 b/checks/check31
index 4ca73f40..1a296278 100644
--- a/checks/check31
+++ b/checks/check31
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check301="check31"
 check31(){
 # "Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
- textTitle "$ID31" "$TITLE31" "SCORED" "LEVEL1"
 CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text| tr ' ' ' ' | awk -F: '{ print $7 }')
 if [[ $CLOUDWATCH_GROUP ]];then
diff --git a/checks/check310 b/checks/check310
index a28a76a3..78c0ad97 100644
--- a/checks/check310
+++ b/checks/check310
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check310="check310"
 check310(){
 # "Ensure a log metric filter and alarm exist for security group changes (Scored)"
- textTitle "$ID310" "$TITLE310" "SCORED" "LEVEL2"
 CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' ' ' | awk -F: '{ print $7 }')
 if [[ $CLOUDWATCH_GROUP ]];then
diff --git a/checks/check311 b/checks/check311
index c2e26c88..b363f3f2 100644
--- a/checks/check311
+++ b/checks/check311
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check311="check311"
 check311(){
 # "Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)"
- textTitle "$ID311" "$TITLE311" "SCORED" "LEVEL2"
 CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' ' ' | awk -F: '{ print $7 }')
 if [[ $CLOUDWATCH_GROUP ]];then
diff --git a/checks/check312 b/checks/check312
index ecfd969a..e3727380 100644
--- a/checks/check312
+++ b/checks/check312
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check312="check312"
 check312(){
 # "Ensure a log metric filter and alarm exist for changes to network gateways (Scored)"
- textTitle "$ID312" "$TITLE312" "SCORED" "LEVEL1"
 CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' ' ' | awk -F: '{ print $7 }')
 if [[ $CLOUDWATCH_GROUP ]];then
diff --git a/checks/check313 b/checks/check313
index 3ab3531b..8e92c7d5 100644
--- a/checks/check313
+++ b/checks/check313
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check313="check313"
 check313(){
 # "Ensure a log metric filter and alarm exist for route table changes (Scored)"
- textTitle "$ID313" "$TITLE313" "SCORED" "LEVEL1"
 CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' ' ' | awk -F: '{ print $7 }')
 if [[ $CLOUDWATCH_GROUP ]];then
diff --git a/checks/check314 b/checks/check314
index 0bec02fa..a840929d 100644
--- a/checks/check314
+++ b/checks/check314
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check314="check314"
 check314(){
 # "Ensure a log metric filter and alarm exist for VPC changes (Scored)"
- textTitle "$ID314" "$TITLE314" "SCORED" "LEVEL1"
 CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' ' ' | awk -F: '{ print $7 }')
 if [[ $CLOUDWATCH_GROUP ]];then
diff --git a/checks/check315 b/checks/check315
index 68f30c55..239bd8de 100644
--- a/checks/check315
+++ b/checks/check315
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check315="check315"
 check315(){
 # "Ensure appropriate subscribers to each SNS topic (Not Scored)"
- textTitle "$ID315" "$TITLE315" "NOT_SCORED" "LEVEL1"
 CAN_SNS_LIST_SUBS=1
 for regx in $REGIONS; do
 TOPICS_LIST=$($AWSCLI sns list-topics $PROFILE_OPT --region $regx --output text --query 'Topics[*].TopicArn')
diff --git a/checks/check32 b/checks/check32
index f07cb1a6..9122b148 100644
--- a/checks/check32
+++ b/checks/check32
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check302="check32"
 check32(){
 # "Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)"
- textTitle "$ID32" "$TITLE32" "SCORED" "LEVEL1"
 CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' ' ' | awk -F: '{ print $7 }')
 if [[ $CLOUDWATCH_GROUP ]];then
diff --git a/checks/check33 b/checks/check33
index 49e04219..37c56daf 100644
--- a/checks/check33
+++ b/checks/check33
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check303="check33"
 check33(){
 # "Ensure a log metric filter and alarm exist for usage of root account (Scored)"
- textTitle "$ID33" "$TITLE33" "SCORED" "LEVEL1"
 CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' ' ' | awk -F: '{ print $7 }')
 if [[ $CLOUDWATCH_GROUP ]];then
diff --git a/checks/check34 b/checks/check34
index 3d9e8944..3d576033 100644
--- a/checks/check34
+++ b/checks/check34
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check304="check34"
 check34(){
 # "Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
- textTitle "$ID34" "$TITLE34" "SCORED" "LEVEL1"
 CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' ' ' | awk -F: '{ print $7 }')
 if [[ $CLOUDWATCH_GROUP ]];then
diff --git a/checks/check35 b/checks/check35
index a4d144a8..9bcf623d 100644
--- a/checks/check35
+++ b/checks/check35
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check305="check35"
 check35(){
 # "Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
- textTitle "$ID35" "$TITLE35" "SCORED" "LEVEL1"
 CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' ' ' | awk -F: '{ print $7 }')
 if [[ $CLOUDWATCH_GROUP ]];then
diff --git a/checks/check36 b/checks/check36
index 23061964..92a5fb36 100644
--- a/checks/check36
+++ b/checks/check36
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check306="check36"
 check36(){
 # "Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)"
- textTitle "$ID36" "$TITLE36" "SCORED" "LEVEL2"
 CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' ' ' | awk -F: '{ print $7 }')
 if [[ $CLOUDWATCH_GROUP ]];then
diff --git a/checks/check37 b/checks/check37
index 2ffc48c2..064e8565 100644
--- a/checks/check37
+++ b/checks/check37
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check307="check37"
 check37(){
 # "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)"
- textTitle "$ID37" "$TITLE37" "SCORED" "LEVEL2"
 CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' ' ' | awk -F: '{ print $7 }')
 if [[ $CLOUDWATCH_GROUP ]];then
diff --git a/checks/check38 b/checks/check38
index 0445fb98..d2d17ab7 100644
--- a/checks/check38
+++ b/checks/check38
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check308="check38"
 check38(){
 # "Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)"
- textTitle "$ID38" "$TITLE38" "SCORED" "LEVEL1"
 CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' ' ' | awk -F: '{ print $7 }')
 if [[ $CLOUDWATCH_GROUP ]];then
diff --git a/checks/check39 b/checks/check39
index 0f595b15..c23b67b3 100644
--- a/checks/check39
+++ b/checks/check39
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check309="check39"
 check39(){
 # "Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)"
- textTitle "$ID39" "$TITLE39" "SCORED" "LEVEL2"
 CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' ' ' | awk -F: '{ print $7 }')
 if [[ $CLOUDWATCH_GROUP ]];then
diff --git a/checks/check41 b/checks/check41
index a7cfa7cc..72b6a7f7 100644
--- a/checks/check41
+++ b/checks/check41
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check401="check41"
 check41(){
 # "Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)"
- textTitle "$ID41" "$TITLE41" "SCORED" "LEVEL1"
 for regx in $REGIONS; do
 SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`22` && ToPort>=`22`)) && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text)
 if [[ $SG_LIST ]];then
diff --git a/checks/check42 b/checks/check42
index d912c749..41746d2d 100644
--- a/checks/check42
+++ b/checks/check42
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check402="check42"
 check42(){
 # "Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)"
- textTitle "$ID42" "$TITLE42" "SCORED" "LEVEL1"
 for regx in $REGIONS; do
 SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`3389` && ToPort>=`3389`)) && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text)
 if [[ $SG_LIST ]];then
diff --git a/checks/check43 b/checks/check43
index 913e5f87..847e1753 100644
--- a/checks/check43
+++ b/checks/check43
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check403="check43"
 check43(){
 # "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
- textTitle "$ID43" "$TITLE43" "SCORED" "LEVEL2"
 for regx in $REGIONS; do
 CHECK_FL=$($AWSCLI ec2 describe-flow-logs $PROFILE_OPT --region $regx --query 'FlowLogs[?FlowLogStatus==`ACTIVE`].LogGroupName' --output text)
 if [[ $CHECK_FL ]];then
diff --git a/checks/check44 b/checks/check44
index 7dc22334..f19150c0 100644
--- a/checks/check44
+++ b/checks/check44
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check404="check44"
 check44(){
 # "Ensure the default security group of every VPC restricts all traffic (Scored)"
- textTitle "$ID44" "$TITLE44" "SCORED" "LEVEL2"
 for regx in $REGIONS; do
 CHECK_SGDEFAULT=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |grep 0.0.0.0)
 if [[ $CHECK_SGDEFAULT ]];then
diff --git a/checks/check45 b/checks/check45
index 29401462..b71e5c0a 100644
--- a/checks/check45
+++ b/checks/check45
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_check405="check45"
 check45(){
 # "Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
- textTitle "$ID45" "$TITLE45" "NOT_SCORED" "LEVEL2"
 textNotice "Looking for VPC peering in all regions... "
 for regx in $REGIONS; do
 LIST_OF_VPCS_PEERING_CONNECTIONS=$($AWSCLI ec2 describe-vpc-peering-connections --output text $PROFILE_OPT --region $regx --query 'VpcPeeringConnections[*].VpcPeeringConnectionId')
diff --git a/checks/check_extra71 b/checks/check_extra71
index e10a12fd..ef672fcf 100644
--- a/checks/check_extra71
+++ b/checks/check_extra71
@@ -7,7 +7,6 @@ CHECK_ALTERNATE_check701="extra71"
 extra71(){
 # "Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
- textTitle "$ID71" "$TITLE71" "NOT_SCORED" "EXTRA"
 ADMIN_GROUPS=''
 AWS_GROUPS=$($AWSCLI $PROFILE_OPT iam list-groups --output text --query 'Groups[].GroupName')
 for grp in $AWS_GROUPS; do
diff --git a/checks/check_extra710 b/checks/check_extra710
index 48fdcb01..4230686c 100644
--- a/checks/check_extra710
+++ b/checks/check_extra710
@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check710="extra710"
 extra710(){
 # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
- textTitle "$ID710" "$TITLE710" "NOT_SCORED" "EXTRA"
 textNotice "Looking for instances in all regions... "
 for regx in $REGIONS; do
 LIST_OF_PUBLIC_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query 'Reservations[*].Instances[?PublicIpAddress].[InstanceId,PublicIpAddress]' --output text)
diff --git a/checks/check_extra711 b/checks/check_extra711
index 4be78445..00206c36 100644
--- a/checks/check_extra711
+++ b/checks/check_extra711
@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check711="extra711"
 extra711(){
 # "Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
- textTitle "$ID711" "$TITLE711" "NOT_SCORED" "EXTRA"
 textNotice "Looking for Reshift clusters in all regions... "
 for regx in $REGIONS; do
 LIST_OF_PUBLIC_REDSHIFT_CLUSTERS=$($AWSCLI redshift describe-clusters $PROFILE_OPT --region $regx --query 'Clusters[?PubliclyAccessible == `true`].[ClusterIdentifier,Endpoint.Address]' --output text)
diff --git a/checks/check_extra712 b/checks/check_extra712
index ae653c13..b2996e5a 100644
--- a/checks/check_extra712
+++ b/checks/check_extra712
@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check712="extra712"
 extra712(){
 # "Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
- textTitle "$ID712" "$TITLE712" "NOT_SCORED" "EXTRA"
 textNotice "No API commands available to check if Macie is enabled,"
 textNotice "just looking if IAM Macie related permissions exist. "
 MACIE_IAM_ROLES_CREATED=$($AWSCLI iam list-roles $PROFILE_OPT --query 'Roles[*].Arn'|grep AWSMacieServiceCustomer|wc -l)
diff --git a/checks/check_extra713 b/checks/check_extra713
index 457d36cc..ac1b3bf8 100644
--- a/checks/check_extra713
+++ b/checks/check_extra713
@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check713="extra713"
 extra713(){
 # "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
- textTitle "$ID713" "$TITLE713" "NOT_SCORED" "EXTRA"
 for regx in $REGIONS; do
 LIST_OF_GUARDDUTY_DETECTORS=$($AWSCLI guardduty list-detectors $PROFILE_OPT --region $regx --output text |cut -f2)
 if [[ $LIST_OF_GUARDDUTY_DETECTORS ]];then
diff --git a/checks/check_extra714 b/checks/check_extra714
index 00c625d1..6e7de69b 100644
--- a/checks/check_extra714
+++ b/checks/check_extra714
@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check714="extra714"
 extra714(){
 # "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
- textTitle "$ID714" "$TITLE714" "NOT_SCORED" "EXTRA"
 for regx in $REGIONS; do
 LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions $PROFILE_OPT --region $regx --query 'DistributionList.Items[].Id' --output text |grep -v "^None")
 if [[ $LIST_OF_DISTRIBUTIONS ]]; then
diff --git a/checks/check_extra715 b/checks/check_extra715
index b27e4def..883dac35 100644
--- a/checks/check_extra715
+++ b/checks/check_extra715
@@ -5,7 +5,6 @@ CHECK_ALTERNATE_extra715="extra715"
 CHECK_ALTERNATE_check715="extra715"
 extra715(){
- textTitle "$ID715" "$TITLE715" "NOT_SCORED" "EXTRA"
 for regx in $REGIONS; do
 LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text)
 if [[ $LIST_OF_DOMAINS ]]; then
diff --git a/checks/check_extra716 b/checks/check_extra716
index b42ccc87..7289d1b3 100644
--- a/checks/check_extra716
+++ b/checks/check_extra716
@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check716="extra716"
 extra716(){
 # "Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)"
- textTitle "$ID716" "$TITLE716" "NOT_SCORED" "EXTRA"
 for regx in $REGIONS; do
 LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text)
 if [[ $LIST_OF_DOMAINS ]]; then
diff --git a/checks/check_extra717 b/checks/check_extra717
index d52669ba..997c44c6 100644
--- a/checks/check_extra717
+++ b/checks/check_extra717
@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check717="extra717"
 extra717(){
 # "Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
- textTitle "$ID717" "$TITLE717" "NOT_SCORED" "EXTRA"
 for regx in $REGIONS; do
 LIST_OF_ELBS=$($AWSCLI elb describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancerDescriptions[*].LoadBalancerName' --output text|xargs -n1)
 LIST_OF_ELBSV2=$($AWSCLI elbv2 describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancers[*].LoadBalancerArn' --output text|xargs -n1)
diff --git a/checks/check_extra718 b/checks/check_extra718
index f5a2b8bd..1cbe05e6 100644
--- a/checks/check_extra718
+++ b/checks/check_extra718
@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check718="extra718" extra718(){ # "Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)" - textTitle "$ID718" "$TITLE718" "NOT_SCORED" "EXTRA" LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text|xargs -n1) if [[ $LIST_OF_BUCKETS ]]; then for bucket in $LIST_OF_BUCKETS;do diff --git a/checks/check_extra719 b/checks/check_extra719 index 4158a343..ac695483 100644 --- a/checks/check_extra719 +++ b/checks/check_extra719 @@ -6,7 +6,6 @@ CHECK_ALTERNATE_check719="extra719" extra719(){ # "Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)" - textTitle "$ID719" "$TITLE719" "NOT_SCORED" "EXTRA" LIST_OF_HOSTED_ZONES=$($AWSCLI route53 list-hosted-zones $PROFILE_OPT --query HostedZones[*].Id --output text|xargs -n1) if [[ $LIST_OF_HOSTED_ZONES ]]; then for hostedzoneid in $LIST_OF_HOSTED_ZONES;do diff --git a/checks/check_extra72 b/checks/check_extra72 index 06b80ea9..738b723c 100644 --- a/checks/check_extra72 +++ b/checks/check_extra72 @@ -7,7 +7,6 @@ CHECK_ALTERNATE_check702="extra72" extra72(){ # "Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)" - textTitle "$ID72" "$TITLE72" "NOT_SCORED" "EXTRA" textNotice "Looking for EBS Snapshots in all regions... " for regx in $REGIONS; do LIST_OF_EBS_SNAPSHOTS=$($AWSCLI ec2 describe-snapshots $PROFILE_OPT --region $regx --owner-ids $ACCOUNT_NUM --output text --query 'Snapshots[*].{ID:SnapshotId}' --max-items $MAXITEMS | grep -v None 2> /dev/null) diff --git a/checks/check_extra720 b/checks/check_extra720 index 5c440297..3790544c 100644 --- a/checks/check_extra720 +++ b/checks/check_extra720 
@@ -6,7 +6,6 @@ CHECK_ALTERNATE_check720="extra720" extra720(){ # "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)" - textTitle "$ID720" "$TITLE720" "NOT_SCORED" "EXTRA" for regx in $REGIONS; do LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --query Functions[*].FunctionName --output text) if [[ $LIST_OF_FUNCTIONS ]]; then diff --git a/checks/check_extra721 b/checks/check_extra721 index 82b78045..06d2e601 100644 --- a/checks/check_extra721 +++ b/checks/check_extra721 @@ -6,7 +6,6 @@ CHECK_ALTERNATE_check721="extra721" extra721(){ # "Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)" - textTitle "$ID721" "$TITLE721" "NOT_SCORED" "EXTRA" for regx in $REGIONS; do LIST_OF_REDSHIFT_CLUSTERS=$($AWSCLI redshift describe-clusters $PROFILE_OPT --region $regx --query 'Clusters[*].ClusterIdentifier' --output text) if [[ $LIST_OF_REDSHIFT_CLUSTERS ]]; then diff --git a/checks/check_extra722 b/checks/check_extra722 index 6a16714c..6ad42e5b 100644 --- a/checks/check_extra722 +++ b/checks/check_extra722 @@ -6,7 +6,6 @@ CHECK_ALTERNATE_extra722="extra722" extra722(){ # "Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)" - textTitle "$ID722" "$TITLE722" "NOT_SCORED" "EXTRA" for regx in $REGIONS; do LIST_OF_API_GW=$($AWSCLI apigateway get-rest-apis $PROFILE_OPT --region $regx --query items[*].id --output text) if [[ $LIST_OF_API_GW ]];then diff --git a/checks/check_extra723 b/checks/check_extra723 index 3f46fb21..0c4e91f8 100644 --- a/checks/check_extra723 +++ b/checks/check_extra723 
@@ -6,7 +6,6 @@ CHECK_ALTERNATE_extra723="extra723" extra723(){ # "Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)" - textTitle "$ID723" "$TITLE723" "NOT_SCORED" "EXTRA" for regx in $REGIONS; do # RDS snapshots LIST_OF_RDS_SNAPSHOTS=$($AWSCLI rds describe-db-snapshots $PROFILE_OPT --region $regx --query DBSnapshots[*].DBSnapshotIdentifier --output text) diff --git a/checks/check_extra73 b/checks/check_extra73 index 7c45d1ee..cf3c890e 100644 --- a/checks/check_extra73 +++ b/checks/check_extra73 @@ -7,7 +7,6 @@ CHECK_ALTERNATE_check703="extra73" extra73(){ # "Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)" - textTitle "$ID73" "$TITLE73" "NOT_SCORED" "EXTRA" textNotice "Looking for open S3 Buckets (ACLs and Policies) in all regions... " ALL_BUCKETS_LIST=$($AWSCLI s3api list-buckets --query 'Buckets[*].{Name:Name}' $PROFILE_OPT --region $REGION --output text) for bucket in $ALL_BUCKETS_LIST; do diff --git a/checks/check_extra74 b/checks/check_extra74 index ee264999..98210efd 100644 --- a/checks/check_extra74 +++ b/checks/check_extra74 @@ -7,7 +7,6 @@ CHECK_ALTERNATE_check704="extra74" extra74(){ # "Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)" - textTitle "$ID74" "$TITLE74" "NOT_SCORED" "EXTRA" textNotice "Looking for Security Groups in all regions... " for regx in $REGIONS; do LIST_OF_SECURITYGROUPS=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters "Name=ip-permission.cidr,Values=0.0.0.0/0" --query "SecurityGroups[].[GroupId]" --output text --max-items $MAXITEMS) diff --git a/checks/check_extra75 b/checks/check_extra75 index 24af2099..2aeab90a 100644 --- a/checks/check_extra75 +++ b/checks/check_extra75 
@@ -7,7 +7,6 @@ CHECK_ALTERNATE_check705="extra75" extra75(){ # "Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)" - textTitle "$ID75" "$TITLE75" "NOT_SCORED" "EXTRA" textNotice "Looking for Security Groups in all regions... " for regx in $REGIONS; do LIST_OF_SECURITYGROUPS=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --query "SecurityGroups[].[GroupId]" --output text --max-items $MAXITEMS) diff --git a/checks/check_extra76 b/checks/check_extra76 index 0af33a1c..1103e2b3 100644 --- a/checks/check_extra76 +++ b/checks/check_extra76 @@ -7,7 +7,6 @@ CHECK_ALTERNATE_check706="extra76" extra76(){ # "Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)" - textTitle "$ID76" "$TITLE76" "NOT_SCORED" "EXTRA" textNotice "Looking for AMIs in all regions... " for regx in $REGIONS; do LIST_OF_PUBLIC_AMIS=$($AWSCLI ec2 describe-images --owners self $PROFILE_OPT --region $regx --filters "Name=is-public,Values=true" --query 'Images[*].{ID:ImageId}' --output text) diff --git a/checks/check_extra77 b/checks/check_extra77 index bf4a9cff..2d0de92a 100644 --- a/checks/check_extra77 +++ b/checks/check_extra77 @@ -7,7 +7,6 @@ CHECK_ALTERNATE_check707="extra77" extra77(){ # "Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)" - textTitle "$ID77" "$TITLE77" "NOT_SCORED" "EXTRA" textNotice "Looking for ECR repos in all regions... " for regx in $REGIONS; do LIST_OF_ECR_REPOS=$($AWSCLI ecr describe-repositories $PROFILE_OPT --region $regx --query 'repositories[*].{Name:repositoryName}' --output text) diff --git a/checks/check_extra78 b/checks/check_extra78 index a243d7bd..41f70f2d 100644 --- a/checks/check_extra78 +++ b/checks/check_extra78 
@@ -7,7 +7,6 @@ CHECK_ALTERNATE_check708="extra78" extra78(){ # "Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)" - textTitle "$ID78" "$TITLE78" "NOT_SCORED" "EXTRA" textNotice "Looking for RDS instances in all regions... " for regx in $REGIONS; do LIST_OF_RDS_PUBLIC_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[?PubliclyAccessible==`true`].[DBInstanceIdentifier,Endpoint.Address]' --output text) diff --git a/checks/check_extra79 b/checks/check_extra79 index 51fc1cac..c868408f 100644 --- a/checks/check_extra79 +++ b/checks/check_extra79 @@ -7,7 +7,6 @@ CHECK_ALTERNATE_check709="extra79" extra79(){ # "Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)" - textTitle "$ID79" "$TITLE79" "NOT_SCORED" "EXTRA" textNotice "Looking for Elastic Load Balancers in all regions... " for regx in $REGIONS; do LIST_OF_PUBLIC_ELBS=$($AWSCLI elb describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancerDescriptions[?Scheme == `internet-facing`].[LoadBalancerName,DNSName]' --output text) diff --git a/groups/group0_init b/groups/group0_init deleted file mode 100644 index 8b7d2410..00000000 --- a/groups/group0_init +++ /dev/null @@ -1,6 +0,0 @@ -GROUP_ID[0]='init' # this group make easier to understand the array of groups -GROUP_NUMBER[0]='0.0' -GROUP_TITLE[0]='Init ****************************************************************' -GROUP_RUN_BY_DEFAULT[0]='N' # run it when execute_all is called -GROUP_CHECKS[0]='' - diff --git a/include/banner b/include/banner index 2dcfbc99..3e39ed2c 100644 --- a/include/banner +++ b/include/banner 
@@ -1,11 +1,14 @@ prowlerBanner() { - echo -e "$CYAN _" - echo -e " _ __ _ __ _____ _| | ___ _ __" - echo -e " | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|" - echo -e " | |_) | | | (_) \ V V /| | __/ |" - echo -e " | .__/|_| \___/ \_/\_/ |_|\___|_|v2.0" - echo -e " |_|$NORMAL$BLUE the handy cloud security tool$NORMAL\n" - echo -e "$YELLOW Date: $(date)" + if [[ $BANNER != "0" ]]; then + echo -e "$CYAN _" + echo -e " _ __ _ __ _____ _| | ___ _ __" + echo -e " | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|" + echo -e " | |_) | | | (_) \ V V /| | __/ |" + echo -e " | .__/|_| \___/ \_/\_/ |_|\___|_|v2.0" + echo -e " |_|$NORMAL$BLUE the handy cloud security tool$NORMAL\n" + echo -e "$YELLOW Date: $(date)" + printColorsCode + fi } infoReferenceLong(){ diff --git a/include/colors b/include/colors index cd738b86..a8e63f80 100644 --- a/include/colors +++ b/include/colors @@ -53,6 +53,6 @@ fi printColorsCode(){ if [[ $MONOCHROME -eq 0 ]]; then - echo -e "\n$NORMAL Colors code for results: $NOTICE INFORMATIVE$NORMAL,$OK OK (RECOMMENDED VALUE)$NORMAL, $BAD WARNING (FIX REQUIRED)$NORMAL" + echo -e "\n$NORMAL Colors code for results: $NOTICE INFO (Information)$NORMAL,$OK PASS (Recommended value)$NORMAL, $BAD FAIL (Fix required)$NORMAL" fi } diff --git a/include/outputs b/include/outputs index ae9e260e..c873d619 100644 --- a/include/outputs +++ b/include/outputs @@ -33,7 +33,7 @@ textWarn(){ else REPREGION=$REGION fi - echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}WARNING${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1" + echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}FAIL${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1" else echo " $BAD FAIL! $1 $NORMAL" fi diff --git a/prowler b/prowler index 4ac90f44..19c2c68c 100755 --- a/prowler +++ b/prowler 
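Review bot: Changing the status token in textWarn's CSV line from `WARNING` to `FAIL` alters a machine-readable field (the fifth `${SEP}` column) that log-ingestion pipelines and scripts parse, and the commit does not document the break anywhere. Please note it in the usage text or changelog, and if the sibling emitters (textOK, textNotice; outside this hunk) still write their old tokens, align them in the same change so the column has a single vocabulary. A comment on the echo line would also help the next maintainer, e.g. `# CSV status column: FAIL (renamed from WARNING; downstream parsers must be updated)`. textWarn itself begins before this hunk.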
@@ -11,6 +11,8 @@ # # Author: Toni de la Fuente - @ToniBlyx - https://blyx.com/contact +# http://prowler.cloud + # Prowler - Iron Maiden # # Walking through the city, looking oh so pretty @@ -44,9 +46,11 @@ USAGE: Options: -p specify your AWS profile to use (i.e.: default) -r specify an AWS region to direct API requests to - (i.e.: us-east-1), all regions are checked anyway - -c specify a check number or group from the AWS CIS benchmark - (i.e.: "check11" for check 1.1, "check3" for entire section 3, "level1" for CIS Level 1 Profile Definitions or "forensics-ready") + (i.e.: us-east-1), all regions are checked anyway if the check requires it + -c specify a check id, to see all available checks use "-l" option + (i.e.: "check11" for check 1.1 or "extra71" for extra check 71) + -g specify a group of checks by id, to see all available group of checks use "-l" + (i.e.: "check3" for entire section 3, "level1" for CIS Level 1 Profile Definitions or "forensics-ready") -f specify an AWS region to run checks against (i.e.: us-west-1) -m specify the maximum number of items to return for long-running requests (default: 100) @@ -62,7 +66,7 @@ USAGE: exit } -while getopts ":hlkp:r:c:f:m:M:enb" OPTION; do +while getopts ":hlkp:r:c:g:f:m:M:enb" OPTION; do case $OPTION in h ) usage @@ -82,7 +86,10 @@ while getopts ":hlkp:r:c:f:m:M:enb" OPTION; do REGION=$OPTARG ;; c ) - CHECKNUMBER=$OPTARG + CHECK_ID=$OPTARG + ;; + g ) + GROUP_ID=$OPTARG ;; f ) FILTERREGION=$OPTARG @@ -97,7 +104,7 @@ while getopts ":hlkp:r:c:f:m:M:enb" OPTION; do NUMERAL=1 ;; b ) - BANNER=1 + BANNER=0 ;; e ) EXTRAS=1 @@ -184,6 +191,7 @@ execute_check() { $1 else textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)"; + exit $EXITCODE fi fi } 
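Review bot: `GROUP_ID=$OPTARG` in the new `g )` arm reuses the name of the GROUP_ID array that the group definition files populate (`GROUP_ID[0]='init'` in the deleted groups/group0_init, `"${!GROUP_ID[@]}"` in execute_group_by_id), and in bash a scalar assignment to an array name writes element 0 whether the array exists yet or not, so the user's `-g` value becomes a group entry and every later `$GROUP_ID` read is really `${GROUP_ID[0]}`. In the `@@ -199,10 +207,13 @@` hunk this makes the loop match index 0 against itself and call `execute_group 0` for a group this commit deletes. Use a distinct scalar for the option, e.g. `GROUP_ID_TO_RUN=$OPTARG`, and update the two `$GROUP_ID` reads in the `-g` block of the `@@ -229,8 +240,15 @@` hunk to match. The getopts loop that contains this arm starts before the hunk.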
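Review bot: The added `exit $EXITCODE` inside execute_check bypasses the `cleanTemp` that the `-c` caller runs right after `execute_check $CHECK_ID` (visible in the `@@ -229,8 +240,15 @@` hunk), so an invalid check name leaves the temp files behind; it also assumes textWarn has set EXITCODE to a non-zero value, which I cannot confirm from this diff — if it has not, a bad check name exits 0. Returning instead lets the caller clean up and exit, e.g. `return 1  # caller runs cleanTemp, then exits with $EXITCODE`. execute_check begins before this hunk.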
@@ -199,10 +207,13 @@ execute_group() { } # Function to execute group by name -execute_group_by_name() { - for i in ${#GROUP_NAME[@]}; do - if [ "${GROUP_NAME[$i]}" == "$1" ]; then +execute_group_by_id() { + for i in "${!GROUP_ID[@]}"; do + if [ "${GROUP_ID[$i]}" == "$1" ]; then execute_group $i + else + textWarn "ERROR! Use a valid group check name (i.e. group1 or extras or forensics-ready)"; + exit $EXITCODE fi done } @@ -229,8 +240,15 @@ show_all_titles() { } # Execute single check if called with -c -if [[ $CHECKNUMBER ]];then - execute_check $CHECKNUMBER +if [[ $CHECK_ID ]];then + execute_check $CHECK_ID + cleanTemp + exit $EXITCODE +fi + +# Execute group of checks if called with -g +if [[ $GROUP_ID ]];then + execute_group_by_id $GROUP_ID cleanTemp exit $EXITCODE fi @@ -245,7 +263,6 @@ fi ### All functions defined above ... run the workflow if [[ $MODE != "csv" ]]; then prowlerBanner - printColorsCode fi getWhoami genCredReport
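Review bot: The new `else` branch in execute_group_by_id fires on the first index whose id does not match `$1`, so the function prints the error and exits before it can reach any group that is not at the first index; combined with GROUP_ID doubling as the `-g` option variable (set in the getopts hunk), index 0 matches itself, `execute_group 0` runs for the deleted init group, and the next index aborts the run. Track a match flag and report "not found" only after the loop, quote the index, and `return` rather than `exit` so the caller's `cleanTemp` still runs; the call site should also quote its argument, `execute_group_by_id "$GROUP_ID"`. The lookup compares the user-supplied value by string equality only, so the rewrite below keeps that and changes nothing else.
```shell
execute_group_by_id() {
  local i found=0
  for i in "${!GROUP_ID[@]}"; do
    if [ "${GROUP_ID[$i]}" == "$1" ]; then
      execute_group "$i"
      found=1
    fi
  done
  if [ "$found" -eq 0 ]; then
    textWarn "ERROR! Use a valid group check name (i.e. group1 or extras or forensics-ready)"
    return 1   # caller runs cleanTemp, then exits with $EXITCODE
  fi
}
```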