ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-11 07:15:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

changed output to PASS and FAIL

Browse Source
This commit is contained in:
Toni de la Fuente
2018-03-26 15:40:40 -04:00
parent da0f266944
commit 7866d42df9
7 changed files with 3 additions and 2715 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
checks/check11
View File

@@ -6,6 +6,5 @@ CHECK_ALTERNATE_check101="check11"
check11(){
# "Avoid the use of the root account (Scored)."
COMMAND11=$(cat $TEMP_REPORT_FILE| grep '<root_account>' | cut -d, -f5,11,16 | sed 's/,/\ /g')
textTitle "$ID11" "$TITLE11" "SCORED" "LEVEL1"
textNotice "Root account last accessed (password key_1 key_2): $COMMAND11"
}

1
checks/check12
View File

@@ -11,7 +11,6 @@ check12(){
for i in $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED; do
cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$8 }' |grep "$i " |grep false | awk '{ print $1 }'
done)
textTitle "$ID12" "$TITLE12" "SCORED" "LEVEL1"
if [[ $COMMAND12 ]]; then
for u in $COMMAND12; do
textWarn "User $u has Password enabled but MFA disabled"

166
checks/list
View File

@@ -1,166 +0,0 @@
_
_ __ _ __ _____ _| | ___ _ __
| '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
| |_) | | | (_) \ V V /| | __/ |
| .__/|_| \___/ \_/\_/ |_|\___|_|
|_| CIS based AWS Account Hardening Tool
Date: Tue Mar 20 21:50:38 EDT 2018
1 Identity and Access Management ****************************************
1.1 Avoid the use of the root account (Scored).
1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)
1.3 Ensure credentials unused for 90 days or greater are disabled (Scored)
1.4 Ensure access keys are rotated every 90 days or less (Scored)
1.5 Ensure IAM password policy requires at least one uppercase letter (Scored)
1.6 Ensure IAM password policy require at least one lowercase letter (Scored)
1.7 Ensure IAM password policy require at least one symbol (Scored)
1.8 Ensure IAM password policy require at least one number (Scored)
1.9 Ensure IAM password policy requires minimum length of 14 or greater (Scored)
1.10 Ensure IAM password policy prevents password reuse: 24 or greater (Scored)
1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored)
1.12 Ensure no root account access key exists (Scored)
1.13 Ensure MFA is enabled for the root account (Scored)
1.14 Ensure hardware MFA is enabled for the root account (Scored)
1.15 Ensure security questions are registered in the AWS account (Not Scored)
1.16 Ensure IAM policies are attached only to groups or roles (Scored)
1.17 Enable detailed billing (Scored)
1.18 Ensure IAM Master and IAM Manager roles are active (Scored)
1.19 Maintain current contact details (Scored)
1.20 Ensure security contact information is registered (Scored)
1.21 Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)
1.22 Ensure a support role has been created to manage incidents with AWS Support (Scored)
1.23 Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)
1.24 Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored)
2 Logging ***************************************************************
2.1 Ensure CloudTrail is enabled in all regions (Scored)
2.2 Ensure CloudTrail log file validation is enabled (Scored)
2.3 Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)
2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)
2.5 Ensure AWS Config is enabled in all regions (Scored)
2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)
2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)
2.8 Ensure rotation for customer created CMKs is enabled (Scored)
3 Monitoring ************************************************************
3.1 Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)
3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)
3.3 Ensure a log metric filter and alarm exist for usage of root account (Scored)
3.4 Ensure a log metric filter and alarm exist for IAM policy changes (Scored)
3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)
3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)
3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)
3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)
3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)
3.10 Ensure a log metric filter and alarm exist for security group changes (Scored)
3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)
3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored)
3.13 Ensure a log metric filter and alarm exist for route table changes (Scored)
3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored)
3.15 Ensure appropriate subscribers to each SNS topic (Not Scored)
4 Networking ************************************************************
4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)
4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)
4.3 Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
4.4 Ensure the default security group of every VPC restricts all traffic (Scored)
4.5 Ensure routing tables for VPC peering are "least access" (Not Scored)
7 Extras ****************************************************************
7.1 Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)
7.2 Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)
7.3 Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)
7.4 Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)
7.5 Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)
7.6 Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)
7.7 Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)
7.8 Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)
7.9 Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)
7.10 Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)
7.11 Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)
7.12 Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
7.13 Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)
7.14 Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
7.15 Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)
7.16 Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)
7.17 Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)
7.18 Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)
7.19 Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)
7.20 Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)
7.21 Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)
7.22 Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)

73
checks/lista
View File

@@ -1,73 +0,0 @@
check13
check14
check15
check16
check17
check18
check19
check110
check111
check112
check113
check114
check115
check116
check117
check118
check119
check120
check121
check122
check123
check124
check21
check22
check23
check24
check25
check26
check27
check28
check31
check32
check33
check34
check35
check36
check37
check38
check39
check310
check311
check312
check313
check314
check315
check41
check42
check43
check44
check45
check_extra71
check_extra72
check_extra73
check_extra74
check_extra75
check_extra76
check_extra77
check_extra78
check_extra79
check_extra710
check_extra711
check_extra712
check_extra713
check_extra714
check_extra715
check_extra716
check_extra717
check_extra718
check_extra719
check_extra720
check_extra721
check_extra722
check_extra723

4
include/outputs
View File

@@ -8,7 +8,7 @@ textOK(){
fi
echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}PASS${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1"
else
echo " $OK OK! $NORMAL $1"
echo " $OK PASS! $NORMAL $1"
fi
}
@@ -35,7 +35,7 @@ textWarn(){
fi
echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}WARNING${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1"
else
echo " $BAD WARNING! $1 $NORMAL"
echo " $BAD FAIL! $1 $NORMAL"
fi
}

2
prowler2 → prowler
View File

@@ -222,7 +222,7 @@ show_all_titles() {
show_group_title $i
# Display the title of the checks
IFS=',' read -ra CHECKS <<< ${GROUP_CHECKS[$i]}
for j in "${GROUP_CHECKS[@]}"; do
for j in $CHECKS; do
show_check_title $j
done
done

2471
prowler1
View File

File diff suppressed because it is too large Load Diff