mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 14:55:00 +00:00
Merge pull request #166 from toniblyx/master
New check and fix issue #165
29 README.md
@@ -9,6 +9,7 @@
- [Screenshots](#screenshots)
- [Troubleshooting](#troubleshooting)
- [Extras](#extras)
- [Forensics Ready Checks](#forensics-ready-checks)
- [Add Custom Checks](#add-custom-checks)
- [Third Party Integrations](#third-party-integrations)

@@ -24,7 +25,8 @@ It covers hardening and security best practices for all AWS regions related to:
- Logging (8 checks)
- Monitoring (15 checks)
- Networking (5 checks)
- Extras (11 checks) *see Extras section
- Extras (12 checks) *see Extras section
- Forensics related checks

For a comprehesive list and resolution look at the guide on the link above.

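Review bot: the count in `- Extras (12 checks) *see Extras section` does not match the script changes in this same PR, which register two new extras (`ID712` Macie and `ID713` GuardDuty) on top of the existing eleven, so the total is 13. Suggest `- Extras (13 checks) *see Extras section`, and while touching the context line, `comprehesive` should read `comprehensive`.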
@@ -577,7 +579,7 @@ unset ACCOUNT_ID AWS_DEFAULT_PROFILE
The `aws iam create-access-key` command will output the secret access key and the key id; keep these somewhere safe, and add them to ~/.aws/credentials with an appropriate profile name to use them with prowler. This is the only time they secret key will be shown. If you loose it, you will need to generate a replacement.

## Extras
We are adding additional checks to improve the information gather from each account, these checks are out of the scope of the CIS benchmark for AWS but we consider them very helpful to get to know each AWS account set up and find issues on it.
We are adding additional checks to improve the information gather from each account, these checks are out of the scope of the CIS benchmark for AWS but we consider them very helpful to get to know each AWS account set up and find issues on it.

Note: Some of these checks for publicly facing resources may not actually be fully public due to other layered controls like S3 Bucket Policies, Security Groups or Network ACLs.

@@ -591,9 +593,11 @@ At this moment we have 11 extra checks:
- 7.6 (`extra76`) Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)
- 7.7 (`extra77`) Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)
- 7.8 (`extra78`) Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)
- 7.9 (`extra79`) Check for internet facing Elastic Load Blancers (Not Scored) (Not part of CIS benchmark)
- 7.9 (`extra79`) Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)
- 7.10 (`extra710`) Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)
- 7.11 (`extra711`) Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)
- 7.12 (`extra712`) Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)


To check all extras in one command:
```
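Review bot: the list gains `7.12 (extra712)` but not the GuardDuty check, even though the script registers `ID713`/`TITLE713` and the Forensics Ready section of this same README refers to it as 7.13; add `- 7.13 (`extra713`) Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)` here. The unchanged context line `At this moment we have 11 extra checks:` is also stale and should read 13.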
@@ -604,6 +608,25 @@ or to run just one of the checks:
./prowler -c extraNUMBER
```

## Forensics Ready Checks

With this group of checks, Prowler looks if each service with logging or audit capabilities has them enabled to ensure all needed evidences are recorded and collected for an eventual digital forensic investigation in case of incident. List of checks part of this group:
- 2.1 Ensure CloudTrail is enabled in all regions (Scored)
- 2.2 Ensure CloudTrail log file validation is enabled (Scored)
- 2.3 Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)
- 2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)
- 2.5 Ensure AWS Config is enabled in all regions (Scored)
- 2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)
- 2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)
- 4.3 Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
- 7.12 Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
- 7.13 Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)

The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command:
```
./prowler -c forensics-ready
```

## Add Custom Checks

In order to add any new check feel free to create a new extra check in the extras section. To do so, you will need to follow these steps:

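Review bot: the forensics-ready list presents `7.12 Check if Amazon Macie is enabled` as a pass/fail readiness item, but the `extra712` implementation in this PR only infers Macie from IAM role names and tells the user to "Check it out manually"; a reader of a readiness report should be told that this entry is a heuristic, so add a short qualifier to that bullet or to the paragraph above it. Minor wording in the new paragraph: "looks if" should be "checks whether", and "evidences" should be "evidence".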
55 prowler
@@ -167,7 +167,7 @@ fi
SCRIPT_START_TIME=$( date -u +"%Y-%m-%dT%H:%M:%S%z" )

# Functions to manage dates depending on OS
if [[ "$OSTYPE" == "linux-gnu" ]]; then
if [ "$OSTYPE" == "linux-gnu" ] || [ "$OSTYPE" == "linux-musl" ]; then
# function to compare in days, usage how_older_from_today date
# date format %Y-%m-%d
how_older_from_today()
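Review bot: the two exact string comparisons in `if [ "$OSTYPE" == "linux-gnu" ] || [ "$OSTYPE" == "linux-musl" ]; then` still send other Linux builds of bash (for example `$OSTYPE` values such as `linux-gnueabihf` on ARM) down the non-Linux date branch; a prefix match like `if [[ "$OSTYPE" == linux* ]]; then` covers musl and all GNU variants in one test, and also avoids `==` inside single-bracket `[`, which is a bash extension rather than POSIX `test` syntax.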
@@ -486,7 +486,10 @@ ID710="7.10,7.10"
TITLE710="Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
ID711="7.11,7.11"
TITLE711="Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"

ID712="7.12,7.12"
TITLE712="Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
ID713="7.13,7.13"
TITLE713="Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"

printCsvHeader() {
>&2 echo ""
@@ -567,7 +570,7 @@ genCredReport() {

# Save report to a file, decode it, deletion at finish and after every single check
saveReport(){
TEMP_REPORT_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-XXXXX.cred_report )
TEMP_REPORT_FILE=$(mktemp -t -p /tmp prowler-${ACCOUNT_NUM}.cred_report-XXXXXX)
$AWSCLI iam get-credential-report --query 'Content' --output text $PROFILE_OPT --region $REGION | decode_report > $TEMP_REPORT_FILE
if [[ $KEEPCREDREPORT -eq 1 ]]; then
textTitle "0.2" "Saving IAM Credential Report ..." "NOT_SCORED" "SUPPORT"
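Review bot: moving the `XXXXXX` to the end of the template in `TEMP_REPORT_FILE=$(mktemp -t -p /tmp prowler-${ACCOUNT_NUM}.cred_report-XXXXXX)` is the right fix for GNU mktemp, which rejects a template whose X's are not trailing, but the `-t -p DIR` pairing is GNU coreutils syntax and BSD mktemp on macOS interprets `-t` as a prefix rather than a template flag; since the script already branches on `$OSTYPE` for date handling, either give this line the same branch or use the form both implementations accept, a full-path template such as `mktemp "${TMPDIR:-/tmp}/prowler-${ACCOUNT_NUM}.cred_report-XXXXXX"`, which also keeps honouring `$TMPDIR` instead of hard-wiring `/tmp` for a file that holds the account's credential report.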
@@ -1851,6 +1854,39 @@ extra711(){
done
}

extra712(){
# "Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
textTitle "$ID712" "$TITLE712" "NOT_SCORED" "EXTRA"
textNotice "No API commands available to check if Macie is enabled,"
textNotice "just looking if IAM Macie related permissions exist. "
MACIE_IAM_ROLES_CREATED=$($AWSCLI iam list-roles $PROFILE_OPT --query 'Roles[*].Arn'|grep AWSMacieServiceCustomer|wc -l)
if [[ $MACIE_IAM_ROLES_CREATED -eq 2 ]];then
textOK "Macie related IAM roles exist, so it might be enabled. Check it out manually."
else
textWarn "No Macie related IAM roles found. It is most likely not be enabled"
fi
}

extra713(){
# "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
textTitle "$ID713" "$TITLE713" "NOT_SCORED" "EXTRA"
for regx in $REGIONS; do
LIST_OF_GUARDDUTY_DETECTORS=$($AWSCLI guardduty list-detectors $PROFILE_OPT --region $regx --output text 2>/dev/null |cut -f2)
if [[ $LIST_OF_GUARDDUTY_DETECTORS ]];then
while read -r detector;do
DETECTOR_ENABLED=$($AWSCLI guardduty get-detector --detector-id $detector $PROFILE_OPT --region $regx --output text| cut -f3|grep ENABLED)
if [[ $DETECTOR_ENABLED ]]; then
textOK "$regx: GuardDuty detector $detector enabled" "$regx"
else
textWarn "$regx: GuardDuty detector $detector configured but suspended" "$regx"
fi
done <<< "$LIST_OF_GUARDDUTY_DETECTORS"
else
textWarn "$regx: GuardDuty detector $detector not configured" "$regx"
fi
done
}

callCheck(){
if [[ $CHECKNUMBER ]];then
case "$CHECKNUMBER" in
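Review bot: in `extra713` the `else` branch prints `textWarn "$regx: GuardDuty detector $detector not configured" "$regx"`, but `$detector` is only assigned inside the `while read -r detector` loop that this branch skips, so the message comes out with an empty name (or a stale one from a previous region); drop the variable there. Two related robustness points in the same hunk: `2>/dev/null` on `guardduty list-detectors` turns an access-denied or unsupported-region error into the same "not configured" warning as a genuinely empty account, which is a silent false negative for a forensics-readiness check, so test the exit status separately; and `get-detector ... --output text| cut -f3|grep ENABLED` depends on the column order of text output, whereas `--query Status --output text` returns the field by name. In `extra712`, `-eq 2` requires exactly two matching role ARNs, so an account with one, or with an extra custom role whose name contains `AWSMacieServiceCustomer`, is reported as not enabled; `-ge 1`, or matching the full role names, is the intent. The warning text `It is most likely not be enabled` also needs "not enabled".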
@@ -1917,6 +1953,8 @@ callCheck(){
extra79|extra709 ) extra79;;
extra710|extra710 ) extra710;;
extra711|extra711 ) extra711;;
extra712|extra712 ) extra712;;
extra713|extra713 ) extra713;;

## Groups of Checks
check1 )
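Review bot: `extra712|extra712 ) extra712;;` and `extra713|extra713 ) extra713;;` repeat the same pattern on both sides of the `|`, which is a no-op in a `case` statement; the neighbouring `extra79|extra709 ) extra79;;` shows the second alternative is meant as a zero-padded alias, and for two-digit checks there is none, so a plain `extra712 ) extra712;;` is clearer (the pre-existing `extra710`/`extra711` lines have the same redundancy).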
@@ -1953,7 +1991,12 @@ callCheck(){
;;
extras )
extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78;
extra79;extra710;extra711
extra79;extra710;extra711;extra712;extra713
;;
forensics-ready )
check21;check22;check23;check24;check25;check26;check27;
check43;
extra712;extra713
;;
* )
textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";
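Review bot: with `forensics-ready` now a selectable group alongside `extras`, the fallback `textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n"` gives the user no hint that group names exist; extend the message to mention the groups (and "i.e." should be "e.g.", since those are examples rather than the only valid names).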
@@ -2035,6 +2078,8 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then
textTitle "$ID79" "$TITLE79" "NOT_SCORED" "EXTRA"
textTitle "$ID710" "$TITLE710" "NOT_SCORED" "EXTRA"
textTitle "$ID711" "$TITLE711" "NOT_SCORED" "EXTRA"
textTitle "$ID712" "$TITLE712" "NOT_SCORED" "EXTRA"
textTitle "$ID713" "$TITLE713" "NOT_SCORED" "EXTRA"
exit $EXITCODE
fi

@@ -2122,6 +2167,8 @@ extra78
extra79
extra710
extra711
extra712
extra713

cleanTemp
exit $EXITCODE
