From db765e9c55918ddb122a891dde143a9b90d7560f Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 5 Feb 2018 22:26:03 -0500
Subject: [PATCH 1/5] Fixed typo in README
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 10bdb469..96b6046a 100644
--- a/README.md
+++ b/README.md
@@ -577,7 +577,7 @@ unset ACCOUNT_ID AWS_DEFAULT_PROFILE
 The `aws iam create-access-key` command will output the secret access key and the key id; keep these somewhere safe, and add them to ~/.aws/credentials with an appropriate profile name to use them with prowler. This is the only time they secret key will be shown. If you loose it, you will need to generate a replacement.
 ## Extras
-We are adding additional checks to improve the information gather from each account, these checks are out of the scope of the CIS benchmark for AWS but we consider them very helpful to get to know each AWS account set up and find issues on it.
+We are adding additional checks to improve the information gather from each account, these checks are out of the scope of the CIS benchmark for AWS but we consider them very helpful to get to know each AWS account set up and find issues on it. Note: Some of these checks for publicly facing resources may not actually be fully public due to other layered controls like S3 Bucket Policies, Security Groups or Network ACLs.
@@ -591,7 +591,7 @@ At this moment we have 11 extra checks:
 - 7.6 (`extra76`) Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)
 - 7.7 (`extra77`) Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)
 - 7.8 (`extra78`) Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)
-- 7.9 (`extra79`) Check for internet facing Elastic Load Blancers (Not Scored) (Not part of CIS benchmark)
+- 7.9 (`extra79`) Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)
 - 7.10 (`extra710`) Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)
 - 7.11 (`extra711`) Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)
From 194eecb26911ceae4bd107f997d3efde3a88e523 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 5 Feb 2018 23:07:55 -0500
Subject: [PATCH 2/5] New forensics-ready check group and extra712
---
 README.md | 12 +++++++++++-
 prowler | 24 ++++++++++++++++++++++--
 2 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 96b6046a..02336e8a 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,7 @@
 - [Screenshots](#screenshots)
 - [Troubleshooting](#troubleshooting)
 - [Extras](#extras)
+- [Forensics ready checks](#forensics-ready-checks)
 - [Add Custom Checks](#add-custom-checks)
 - [Third Party Integrations](#third-party-integrations)
@@ -24,7 +25,7 @@ It covers hardening and security best practices for all AWS regions related to:
 - Logging (8 checks)
 - Monitoring (15 checks)
 - Networking (5 checks)
-- Extras (11 checks) *see Extras section
+- Extras (12 checks) *see Extras section
 For a comprehesive list and resolution look at the guide on the link above.
@@ -594,6 +595,8 @@ At this moment we have 11 extra checks:
 - 7.9 (`extra79`) Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)
 - 7.10 (`extra710`) Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)
 - 7.11 (`extra711`) Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)
+- 7.12 (`extra712`) Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
+
 To check all extras in one command:
 ```
@@ -604,6 +607,13 @@ or to run just one of the checks:
 ./prowler -c extraNUMBER
 ```
+## Forensics Ready Checks
+
+With this group of checks, Prowler looks if each service with logging or audit capabilities has them enabled to ensure all needed evidences are recorded for an eventual digital forensic investigation in case of incident. The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command:
+```
+./prowler -c forensics-ready
+```
+
 ## Add Custom Checks
 In order to add any new check feel free to create a new extra check in the extras section. To do so, you will need to follow these steps:
diff --git a/prowler b/prowler
index 29aca926..4a1b66a8 100755
--- a/prowler
+++ b/prowler
@@ -486,7 +486,8 @@ ID710="7.10,7.10"
 TITLE710="Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
 ID711="7.11,7.11"
 TITLE711="Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
-
+ID712="7.12,7.12"
+TITLE712="Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
 printCsvHeader() {
 >&2 echo ""
@@ -1851,6 +1852,19 @@ extra711(){
 done
 }
+extra712(){
+ # "Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
+ textTitle "$ID712" "$TITLE712" "NOT_SCORED" "EXTRA"
+ textNotice "No API commands available to check if Macie is enabled,"
+ textNotice "just looking if IAM Macie related permissions exist. "
+ MACIE_IAM_ROLES_CREATED=$($AWSCLI iam list-roles $PROFILE_OPT --query 'Roles[*].Arn'|grep AWSMacieServiceCustomer|wc -l)
+ if [[ $MACIE_IAM_ROLES_CREATED -eq 2 ]];then
+ textOK "Macie related IAM roles exist, so it might be enabled. Check it out manually."
+ else
+ textWarn "No Macie related IAM roles found. It is most likely not be enabled"
+ fi
+}
+
 callCheck(){
 if [[ $CHECKNUMBER ]];then
 case "$CHECKNUMBER" in
@@ -1917,6 +1931,7 @@ callCheck(){
 extra79|extra709 ) extra79;;
 extra710|extra710 ) extra710;;
 extra711|extra711 ) extra711;;
+ extra712|extra712 ) extra712;;
 ## Groups of Checks
 check1 )
@@ -1953,7 +1968,12 @@ callCheck(){
 ;;
 extras )
 extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78;
- extra79;extra710;extra711
+ extra79;extra710;extra711;extra712
+ ;;
+ forensics-ready )
+ check21;check22;check23;check24;check25;check26;check27;
+ check43;
+ extra712;
 ;;
 * )
 textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";
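Review bot: `if [[ $MACIE_IAM_ROLES_CREATED -eq 2 ]];then` in extra712 takes the warning branch whenever the number of role ARNs matching `AWSMacieServiceCustomer` is anything other than exactly 2, so one extra or one missing role reports Macie as absent even though the notice lines frame this as a presence heuristic; `if [[ $MACIE_IAM_ROLES_CREATED -gt 0 ]];then` matches the stated intent. The warning text also has a grammar slip: `textWarn "No Macie related IAM roles found. It is most likely not enabled"`. Whether Macie enrolment always creates exactly two such roles is not visible in this hunk, so if the count is deliberate, a comment naming the two expected roles above the `if` would let the next maintainer verify it.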
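Review bot: `extra712|extra712 ) extra712;;` repeats the same alternative on both sides of `|`, which is a no-op pattern; the neighbouring `extra79|extra709 ) extra79;;` shows the alias form exists for a zero-padded spelling, which `extra712` does not have, so `extra712 ) extra712;;` is enough. The same copied pattern appears in the `extra713|extra713 ) extra713;;` line of patch 4/5.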
@@ -609,7 +609,18 @@ or to run just one of the checks:
 ## Forensics Ready Checks
-With this group of checks, Prowler looks if each service with logging or audit capabilities has them enabled to ensure all needed evidences are recorded for an eventual digital forensic investigation in case of incident. The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command:
+With this group of checks, Prowler looks if each service with logging or audit capabilities has them enabled to ensure all needed evidences are recorded and collected for an eventual digital forensic investigation in case of incident. List of checks part of this group:
+- 2.1 Ensure CloudTrail is enabled in all regions (Scored)
+- 2.2 Ensure CloudTrail log file validation is enabled (Scored)
+- 2.3 Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)
+- 2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)
+- 2.5 Ensure AWS Config is enabled in all regions (Scored)
+- 2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)
+- 2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)
+- 4.3 Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
+- 7.12 Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
+
+The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command:
 ```
 ./prowler -c forensics-ready
 ```
From 84591d25a69cd7cc924cefd5e99d0c1aa43161f3 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 5 Feb 2018 23:41:19 -0500
Subject: [PATCH 4/5] New check extra713 for GuardDuty
---
 README.md | 1 +
 prowler | 31 +++++++++++++++++++++++++++++--
 2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 656e81ba..7e109802 100644
--- a/README.md
+++ b/README.md
@@ -619,6 +619,7 @@ With this group of checks, Prowler looks if each service with logging or audit c
 - 2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)
 - 4.3 Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
 - 7.12 Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
+- 7.13 Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)
 The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command:
 ```
diff --git a/prowler b/prowler
index 4a1b66a8..14d8ee65 100755
--- a/prowler
+++ b/prowler
@@ -488,6 +488,8 @@ ID711="7.11,7.11"
 TITLE711="Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
 ID712="7.12,7.12"
 TITLE712="Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
+ID713="7.13,7.13"
+TITLE713="Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
 printCsvHeader() {
 >&2 echo ""
@@ -1865,6 +1867,26 @@ extra712(){
 fi
 }
+extra713(){
+ # "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
+ textTitle "$ID713" "$TITLE713" "NOT_SCORED" "EXTRA"
+ for regx in $REGIONS; do
+ LIST_OF_GUARDDUTY_DETECTORS=$($AWSCLI guardduty list-detectors $PROFILE_OPT --region $regx --output text 2>/dev/null |cut -f2)
+ if [[ $LIST_OF_GUARDDUTY_DETECTORS ]];then
+ while read -r detector;do
+ DETECTOR_ENABLED=$($AWSCLI guardduty get-detector --detector-id $detector $PROFILE_OPT --region $regx --output text| cut -f3|grep ENABLED)
+ if [[ $DETECTOR_ENABLED ]]; then
+ textOK "$regx: GuardDuty detector $detector enabled" "$regx"
+ else
+ textWarn "$regx: GuardDuty detector $detector configured but suspended" "$regx"
+ fi
+ done <<< "$LIST_OF_GUARDDUTY_DETECTORS"
+ else
+ textWarn "$regx: GuardDuty detector $detector not configured" "$regx"
+ fi
+ done
+}
+
 callCheck(){
 if [[ $CHECKNUMBER ]];then
 case "$CHECKNUMBER" in
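Review bot: In the else branch of the region loop in extra713, `textWarn "$regx: GuardDuty detector $detector not configured" "$regx"` expands `$detector`, which is only assigned by the `while read -r detector` loop of the other branch, so for a region with no detectors the message prints either an empty name or a value left over from an earlier region; `textWarn "$regx: GuardDuty not configured" "$regx"` states what that branch actually knows. The status test `cut -f3|grep ENABLED` depends on the column order of the text output and, unlike the `list-detectors` call a few lines above, lets stderr through to the report; `--query 'Status' --output text 2>/dev/null` on the `get-detector` call pins the field and keeps the two calls consistent.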
@@ -1932,6 +1954,7 @@ callCheck(){
 extra710|extra710 ) extra710;;
 extra711|extra711 ) extra711;;
 extra712|extra712 ) extra712;;
+ extra713|extra713 ) extra713;;
 ## Groups of Checks
 check1 )
@@ -1968,12 +1991,12 @@ callCheck(){
 ;;
 extras )
 extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78;
- extra79;extra710;extra711;extra712
+ extra79;extra710;extra711;extra712;extra713
 ;;
 forensics-ready )
 check21;check22;check23;check24;check25;check26;check27;
 check43;
- extra712;
+ extra712;extra713
 ;;
 * )
 textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";
@@ -2055,6 +2078,8 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then
 textTitle "$ID79" "$TITLE79" "NOT_SCORED" "EXTRA"
 textTitle "$ID710" "$TITLE710" "NOT_SCORED" "EXTRA"
 textTitle "$ID711" "$TITLE711" "NOT_SCORED" "EXTRA"
+ textTitle "$ID712" "$TITLE712" "NOT_SCORED" "EXTRA"
+ textTitle "$ID713" "$TITLE713" "NOT_SCORED" "EXTRA"
 exit $EXITCODE
 fi
@@ -2142,6 +2167,8 @@ extra78
 extra79
 extra710
 extra711
+extra712
+extra713
 cleanTemp
 exit $EXITCODE
From 53580d488c4e32d1e30871f1f5cc43f1d97e37b0 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Wed, 7 Feb 2018 22:22:51 -0500
Subject: [PATCH 5/5] Fix issue #165
---
 README.md | 3 ++-
 prowler | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 7e109802..294768f7 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@
 - [Screenshots](#screenshots)
 - [Troubleshooting](#troubleshooting)
 - [Extras](#extras)
-- [Forensics ready checks](#forensics-ready-checks)
+- [Forensics Ready Checks](#forensics-ready-checks)
 - [Add Custom Checks](#add-custom-checks)
 - [Third Party Integrations](#third-party-integrations)
@@ -26,6 +26,7 @@ It covers hardening and security best practices for all AWS regions related to:
 - Monitoring (15 checks)
 - Networking (5 checks)
 - Extras (12 checks) *see Extras section
+- Forensics related checks
 For a comprehesive list and resolution look at the guide on the link above.
diff --git a/prowler b/prowler
index 14d8ee65..527d90d2 100755
--- a/prowler
+++ b/prowler
@@ -167,7 +167,7 @@ fi
 SCRIPT_START_TIME=$( date -u +"%Y-%m-%dT%H:%M:%S%z" )
 # Functions to manage dates depending on OS
-if [[ "$OSTYPE" == "linux-gnu" ]]; then
+if [ "$OSTYPE" == "linux-gnu" ] || [ "$OSTYPE" == "linux-musl" ]; then
 # function to compare in days, usage how_older_from_today date # date format %Y-%m-%d
 how_older_from_today()
@@ -570,7 +570,7 @@ genCredReport() {
 # Save report to a file, decode it, deletion at finish and after every single check
 saveReport(){
- TEMP_REPORT_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-XXXXX.cred_report )
+ TEMP_REPORT_FILE=$(mktemp -t -p /tmp prowler-${ACCOUNT_NUM}.cred_report-XXXXXX)
 $AWSCLI iam get-credential-report --query 'Content' --output text $PROFILE_OPT --region $REGION | decode_report > $TEMP_REPORT_FILE
 if [[ $KEEPCREDREPORT -eq 1 ]]; then
 textTitle "0.2" "Saving IAM Credential Report ..." "NOT_SCORED" "SUPPORT"
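Review bot: `TEMP_REPORT_FILE=$(mktemp -t -p /tmp prowler-${ACCOUNT_NUM}.cred_report-XXXXXX)` in saveReport hard-codes `/tmp`, discarding any `$TMPDIR` the operator set for where the decoded IAM credential report lands, and combines `-t` with `-p`; on GNU mktemp `-p` already implies `-t`, while on the BSD/macOS mktemp that the `$OSTYPE` branch earlier in this same patch suggests is still a supported platform, `-t` takes a prefix argument and could consume `-p` as that prefix — worth confirming on macOS before merging. The plain template form `TEMP_REPORT_FILE=$(mktemp "${TMPDIR:-/tmp}/prowler-${ACCOUNT_NUM}.cred_report-XXXXXX")` is accepted by both implementations, keeps the trailing run of X characters this fix introduces, and still relies on mktemp creating the file with private permissions, which is what protects the credential report between this write and the deletion the comment above saveReport describes. saveReport's body continues past the end of the hunk.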