From 72b1421294620d33f04d64704001fcfad86b4deb Mon Sep 17 00:00:00 2001
From: Venkatadri Duggina
Date: Sat, 14 Sep 2019 22:10:45 +0100
Subject: [PATCH 1/5] fixing cross account cloudtrail issue
---
 include/check3x | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/include/check3x b/include/check3x
index 3f7b8709..70bf9b91 100644
--- a/include/check3x
+++ b/include/check3x
@@ -12,13 +12,18 @@ check3x(){
 grep_filter=$1
 local CHECK_OK
 local CHECK_WARN
+ local CHECK_CROSS_ACCOUNT_WARN
 CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text| tr '\011' '\012' | awk -F: '{print $7}')
+ CURRENT_ACCOUNT_ID=$($AWSCLI sts $PROFILE_OPT get-caller-identity --region "$REGION" --query Account --output text)
+
 if [[ $CLOUDWATCH_GROUP ]];then
 for group in $CLOUDWATCH_GROUP; do
- CLOUDWATCH_LOGGROUP_REGION=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr ' ' ' -' | grep "$group" | awk -F: '{ print $4 }' | head -n 1)
- METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name "$group" $PROFILE_OPT --region "$CLOUDWATCH_LOGGROUP_REGION" --output text | grep METRICFILTERS | grep -E "$grep_filter" | awk '{ print $3 }')
+ CLOUDWATCH_LOGGROUP_REGION=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | grep "$group" | awk -F: '{ print $4 }' | head -n 1)
+ CLOUDWATCH_ACCOUNT_ID=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | grep "$group" | awk -F: '{ print $5 }' | head -n 1)
+ if [ "$CLOUDWATCH_ACCOUNT_ID" == "$CURRENT_ACCOUNT_ID" ];then
+ METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name "$group" $PROFILE_OPT --region "$CLOUDWATCH_LOGGROUP_REGION" --output text | grep METRICFILTERS | grep -E "$grep_filter" | awk '{ print $3 }')
+ fi
 if [[ $METRICFILTER_SET ]];then
 for metric in $METRICFILTER_SET; do
 metric_name=$($AWSCLI logs describe-metric-filters $PROFILE_OPT --region "$CLOUDWATCH_LOGGROUP_REGION" --log-group-name "$group" --filter-name-prefix "$metric" --output text --query 'metricFilters[0].metricTransformations[0].metricName')
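Review bot: `METRICFILTER_SET` is now assigned only inside the new account check and is never reset, so a log group that lives in another account inherits whatever the previous iteration left in it and enters `if [[ $METRICFILTER_SET ]]` instead of reaching the cross-account `else` added in the `@@ -29,8 +34,10` hunk, where `describe-metric-filters` is then called against a group this account cannot read. Reset the variable at the top of the loop body, `METRICFILTER_SET=`, or declare it `local` next to `CHECK_CROSS_ACCOUNT_WARN` and assign the empty value before the `if`. The `grep "$group"` lookups are substring matches, so a group whose name is a prefix of another's can pick up the other group's region and account via `head -n 1`; anchoring on the ARN field, e.g. `grep ":log-group:$group:"`, avoids that. The file uses `[[ ]]` elsewhere, so `[[ "$CLOUDWATCH_ACCOUNT_ID" == "$CURRENT_ACCOUNT_ID" ]]` would match its style. check3x continues outside the hunk.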
@@ -29,8 +34,10 @@ check3x(){
 CHECK_WARN="$CHECK_WARN $group:$metric"
 fi
 done
- else
+ elif [ "$CLOUDWATCH_ACCOUNT_ID" == "$CURRENT_ACCOUNT_ID" ];then
 CHECK_WARN="$CHECK_WARN $group"
+ else
+ CHECK_CROSS_ACCOUNT_WARN="$CHECK_CROSS_ACCOUNT_WARN $group"
 fi
 done
@@ -52,6 +59,11 @@ check3x(){
 esac
 done
 fi
+ if [[ $CHECK_CROSS_ACCOUNT_WARN ]]; then
+ for group in $CHECK_CROSS_ACCOUNT_WARN; do
+ textInfo "CloudWatch group $group is not in this account"
+ done
+ fi
 else
 textFail "No CloudWatch group found for CloudTrail events"
 fi
From d5f22ab10072eb39fa6812cd16284d75fd6fa828 Mon Sep 17 00:00:00 2001
From: Venkatadri Duggina
Date: Sun, 15 Sep 2019 23:33:37 +0100
Subject: [PATCH 2/5] fixing check26 cross access bug
---
 checks/check26 | 45 +++++++++++++++++++++++++++++++++------------
 1 file changed, 33 insertions(+), 12 deletions(-)
diff --git a/checks/check26 b/checks/check26
index 5d19c2c6..711af860 100644
--- a/checks/check26
+++ b/checks/check26
@@ -16,17 +16,38 @@ CHECK_ALTERNATE_check206="check26"
 check26(){
 # "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
- CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails --query 'trailList[*].S3BucketName' --output text $PROFILE_OPT --region $REGION)
- if [[ $CLOUDTRAILBUCKET ]];then
- for bucket in $CLOUDTRAILBUCKET;do
- CLOUDTRAILBUCKET_LOGENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket $PROFILE_OPT --region $REGION --query 'LoggingEnabled.TargetBucket' --output text|grep -v None)
+ local CHECK_OK
+ local CHECK_WARN
+ local CHECK_CROSS_ACCOUNT_WARN
+
+ CLOUDTRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[*].Name' --output text| tr '\011' '\012' | awk -F: '{print $1}')
+ CURRENT_ACCOUNT_ID=$($AWSCLI sts $PROFILE_OPT get-caller-identity --region "$REGION" --query Account --output text)
+
+ if [[ $CLOUDTRAILS ]];then
+ for trail in $CLOUDTRAILS; do
+ CLOUDTRAIL_LOGGROUP_REGION=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[*].TrailARN' --output text | tr '\011' '\012' | grep "$trail" | awk -F: '{ print $4 }' | head -n 1)
+ CLOUDTRAIL_ACCOUNT_ID=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[*].TrailARN' --output text | tr '\011' '\012' | grep "$trail" | awk -F: '{ print $5 }' | head -n 1)
+ CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].[Name, S3BucketName]' --output text | tr '\011' ':' | grep "$trail" | awk -F: '{ print $2 }' )
+
+ if [[ $CLOUDTRAILBUCKET ]];then
+ bucket=$CLOUDTRAILBUCKET
+ if [ "$CLOUDTRAIL_ACCOUNT_ID" == "$CURRENT_ACCOUNT_ID" ];then
+ CLOUDTRAILBUCKET_LOGENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket $PROFILE_OPT --region $REGION --query 'LoggingEnabled.TargetBucket' --output text|grep -v None)
+ fi
 if [[ $CLOUDTRAILBUCKET_LOGENABLED ]];then
- textPass "Bucket access logging enabled in $bucket"
- else
- textFail "access logging is not enabled in $bucket CloudTrail S3 bucket!"
+ textPass "Bucket access logging enabled in bucket $bucket for cloudtrail $trail"
+ elif [ "$CLOUDTRAIL_ACCOUNT_ID" == "$CURRENT_ACCOUNT_ID" ];then
+ textFail "access logging is not enabled in bucket $bucket CloudTrail S3 bucket! for cloudtrail trail $trail"
+ else
+ textInfo "CloudTrail S3 bucket $bucket for for cloudtrail $trail is not in current account"
 fi
- done
- else
- textFail "CloudTrail bucket not found!"
- fi
-}
+
+ else
+ textFail "CloudTrail bucket not found!"
+ fi
+ done
+
+ else
+ echo "No CloudWatch group found for CloudTrail events"
+ fi
+}
\ No newline at end of file
From ecde62451c227879b9ffd9a64cbf1829dcc9024e Mon Sep 17 00:00:00 2001
From: Venki
Date: Mon, 16 Sep 2019 09:16:59 +0100
Subject: [PATCH 3/5] remove unnecessary variables and removed echo
---
 checks/check26 | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/checks/check26 b/checks/check26
index 711af860..796ff26e 100644
--- a/checks/check26
+++ b/checks/check26
@@ -16,9 +16,6 @@ CHECK_ALTERNATE_check206="check26"
 check26(){
 # "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
- local CHECK_OK
- local CHECK_WARN
- local CHECK_CROSS_ACCOUNT_WARN
 CLOUDTRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[*].Name' --output text| tr '\011' '\012' | awk -F: '{print $1}')
 CURRENT_ACCOUNT_ID=$($AWSCLI sts $PROFILE_OPT get-caller-identity --region "$REGION" --query Account --output text)
@@ -48,6 +45,6 @@ check26(){
 done
 else
- echo "No CloudWatch group found for CloudTrail events"
+ textFail "No CloudWatch group found for CloudTrail events"
 fi
-}
\ No newline at end of file
+}
From 44cfa71358210e50e59ed432d6299496df0dcdab Mon Sep 17 00:00:00 2001
From: Venki
Date: Mon, 16 Sep 2019 09:24:34 +0100
Subject: [PATCH 4/5] updated logging
---
 checks/check26 | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
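Review bot: `CLOUDTRAILBUCKET_LOGENABLED` is assigned only when the trail belongs to the current account and is never cleared between iterations, so a cross-account trail that follows a same-account trail with logging enabled reuses the stale value and is reported with `textPass` rather than `textInfo` — the commit meant to fix cross-account handling introduces a false pass. Add `CLOUDTRAILBUCKET_LOGENABLED=` before the account check, or reset it at the top of the `for trail` loop. The three `grep "$trail"` lookups are substring matches, so a trail whose name is a prefix of another trail's name can take the other trail's region, account or bucket, and the `CLOUDTRAILBUCKET` pipeline has no `head -n 1`, which can leave a multi-line `$bucket` that is then word-split into `--bucket`; anchoring the match on the `Name:S3BucketName` list, e.g. `grep -- "^$trail:"`, avoids both. That same line passes `--region $REGION` unquoted while the neighbouring calls quote it.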
diff --git a/checks/check26 b/checks/check26
index 796ff26e..d22b77ee 100644
--- a/checks/check26
+++ b/checks/check26
@@ -32,11 +32,11 @@ check26(){
 CLOUDTRAILBUCKET_LOGENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket $PROFILE_OPT --region $REGION --query 'LoggingEnabled.TargetBucket' --output text|grep -v None)
 fi
 if [[ $CLOUDTRAILBUCKET_LOGENABLED ]];then
- textPass "Bucket access logging enabled in bucket $bucket for cloudtrail $trail"
+ textPass "Bucket access logging enabled in CloudTrail S3 bucket $bucket for $trail"
 elif [ "$CLOUDTRAIL_ACCOUNT_ID" == "$CURRENT_ACCOUNT_ID" ];then
- textFail "access logging is not enabled in bucket $bucket CloudTrail S3 bucket! for cloudtrail trail $trail"
+ textFail "Bucket access logging is not enabled in CloudTrail S3 bucket $bucket for $trail"
 else
- textInfo "CloudTrail S3 bucket $bucket for for cloudtrail $trail is not in current account"
+ textInfo "CloudTrail S3 bucket $bucket for trail $trail is not in current account"
 fi
 else
@@ -45,6 +45,6 @@ check26(){
 done
 else
- textFail "No CloudWatch group found for CloudTrail events"
+ textFail "No CloudWatch group found and no CloudTrail bucket"
 fi
 }
From 4401d4209c724bf869752eaeabbd8b663a0b86f4 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Tue, 17 Sep 2019 14:52:30 -0400
Subject: [PATCH 5/5] CURRENT_ACCOUNT_ID is not needed since ACCOUNT_ID is available
---
 checks/check26 | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/checks/check26 b/checks/check26
index d22b77ee..133a4176 100644
--- a/checks/check26
+++ b/checks/check26
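Review bot: The reworded message in the `@@ -45,6 +45,6` hunk, `No CloudWatch group found and no CloudTrail bucket`, still does not describe the branch it sits in: judging from the earlier patches in this series this `else` belongs to `if [[ $CLOUDTRAILS ]]`, which fires when `describe-trails` returns no trails at all, and check26 never queries CloudWatch log groups. Naming the actual condition, e.g. `textFail "No CloudTrail trails found in region $REGION"`, gives the operator something actionable and avoids sending them to the wrong service. The enclosing `if` starts outside the hunk.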
@@ -18,7 +18,6 @@ check26(){
 # "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
 CLOUDTRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[*].Name' --output text| tr '\011' '\012' | awk -F: '{print $1}')
- CURRENT_ACCOUNT_ID=$($AWSCLI sts $PROFILE_OPT get-caller-identity --region "$REGION" --query Account --output text)
 if [[ $CLOUDTRAILS ]];then
 for trail in $CLOUDTRAILS; do
@@ -28,12 +27,12 @@ check26(){
 if [[ $CLOUDTRAILBUCKET ]];then
 bucket=$CLOUDTRAILBUCKET
- if [ "$CLOUDTRAIL_ACCOUNT_ID" == "$CURRENT_ACCOUNT_ID" ];then
+ if [ "$CLOUDTRAIL_ACCOUNT_ID" == "$ACCOUNT_ID" ];then
 CLOUDTRAILBUCKET_LOGENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket $PROFILE_OPT --region $REGION --query 'LoggingEnabled.TargetBucket' --output text|grep -v None)
 fi
 if [[ $CLOUDTRAILBUCKET_LOGENABLED ]];then
 textPass "Bucket access logging enabled in CloudTrail S3 bucket $bucket for $trail"
- elif [ "$CLOUDTRAIL_ACCOUNT_ID" == "$CURRENT_ACCOUNT_ID" ];then
+ elif [ "$CLOUDTRAIL_ACCOUNT_ID" == "$ACCOUNT_ID" ];then
 textFail "Bucket access logging is not enabled in CloudTrail S3 bucket $bucket for $trail"
 else
 textInfo "CloudTrail S3 bucket $bucket for trail $trail is not in current account"
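Review bot: With the `sts get-caller-identity` lookup removed, both comparisons now depend on `$ACCOUNT_ID` being set before check26 runs; the hunk does not show where it is defined, and if it is empty here `[ "$CLOUDTRAIL_ACCOUNT_ID" == "" ]` is false for every trail, so every trail is filed as cross-account through `textInfo` and the check can no longer emit a `textFail` — a fail-open outcome for a compliance check. Guard the assumption at the top of the function, e.g. `: "${ACCOUNT_ID:?ACCOUNT_ID must be set before check26}"`, or fall back to the removed lookup when it is empty. include/check3x from the first patch of this series still computes its own `CURRENT_ACCOUNT_ID`, so the two checks now derive the account differently; applying the same substitution there would keep them consistent. check26's body starts and ends outside the hunk.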