From 800bcb0016a299680c2a6184444486b9fd3db0ce Mon Sep 17 00:00:00 2001 From: Patel Date: Thu, 24 Jun 2021 15:47:29 +0530 Subject: [PATCH] renaming extra checkId, change in text message format, adding more metadata variables, lowercase servicename, adding checks in extras group --- checks/{check_extra91 => check_extra7142} | 33 +++++++++++---------- checks/{check_extra92 => check_extra7143} | 35 ++++++++++++----------- checks/{check_extra93 => check_extra7144} | 30 +++++++++---------- checks/{check_extra94 => check_extra7145} | 35 ++++++++++++----------- checks/{check_extra95 => check_extra7146} | 32 +++++++++++---------- groups/group7_extras | 2 +- 6 files changed, 87 insertions(+), 80 deletions(-) rename checks/{check_extra91 => check_extra7142} (55%) rename checks/{check_extra92 => check_extra7143} (54%) rename checks/{check_extra93 => check_extra7144} (57%) rename checks/{check_extra94 => check_extra7145} (55%) rename checks/{check_extra95 => check_extra7146} (52%) diff --git a/checks/check_extra91 b/checks/check_extra7142 similarity index 55% rename from checks/check_extra91 rename to checks/check_extra7142 index 70afae9a..daee64f6 100644 --- a/checks/check_extra91 +++ b/checks/check_extra7142 @@ -10,37 +10,40 @@ # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. -CHECK_ID_extra91="9.1" -CHECK_TITLE_extra91="[extra91] Check if S3 glacier vaults have policies which allow access to everyone (Not Scored) (Not part of CIS benchmark) (Custom Check)" -CHECK_SCORED_extra91="NOT_SCORED" -CHECK_TYPE_extra91="EXTRA" -CHECK_SEVERITY_extra91="Critical" -CHECK_ASFF_RESOURCE_TYPE_extra91="AwsS3Glacier" -CHECK_ALTERNATE_check91="extra91" -CHECK_SERVICENAME_extra91="s3Glacier" +CHECK_ID_extra7142="7.142" +CHECK_TITLE_extra7142="[extra7142] Check if S3 glacier vaults have policies which allow access to everyone (Not Scored) (Not part of CIS benchmark)" +CHECK_SCORED_extra7142="NOT_SCORED" +CHECK_TYPE_extra7142="EXTRA" +CHECK_SEVERITY_extra7142="Critical" +CHECK_ASFF_RESOURCE_TYPE_extra7142="AwsS3Glacier" +CHECK_ALTERNATE_check7142="extra7142" +CHECK_SERVICENAME_extra7142="s3glacier" +CHECK_RISK_extra7142='Vaults accessible to everyone could expose sensible data to bad actors' +CHECK_REMEDIATION_extra7142='Ensure vault policy does not have principle as *' +CHECK_DOC_extra7142='https://docs.aws.amazon.com/amazonglacier/latest/dev/access-control-overview.html' +CHECK_CAF_EPIC_extra7142='Data Protection' -# If an s3 glacier vault has a policy principle as *, we consider it public accessible resource. - -extra91(){ +extra7142(){ + # "Check if S3 glacier vaults have policies which allow access to everyone (Not Scored) (Not part of CIS benchmark)" for region in $REGIONS; do LIST_OF_VAULTS=$($AWSCLI glacier list-vaults $PROFILE_OPT --region $region --account-id $ACCOUNT_NUM --query VaultList[*].VaultName --output text|xargs -n1) if [[ $LIST_OF_VAULTS ]]; then for vault in $LIST_OF_VAULTS;do VAULT_POLICY_STATEMENTS=$($AWSCLI glacier $PROFILE_OPT get-vault-access-policy --region $region --account-id $ACCOUNT_NUM --vault-name $vault --output json --query policy.Policy 2>&1) if [[ $VAULT_POLICY_STATEMENTS == *GetVaultAccessPolicy* ]]; then - textInfo "Vault policy does not exist for vault $vault" + textInfo "$region: Vault: $vault doesn't have any policy" "$region" "$vault" else VAULT_POLICY_BAD_STATEMENTS=$(echo $VAULT_POLICY_STATEMENTS | jq '. | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")') if [[ $VAULT_POLICY_BAD_STATEMENTS != "" ]]; then - textFail "$region : Vault $vault allows public access with policy as: $VAULT_POLICY_BAD_STATEMENTS" + textFail "$region : Vault: $vault has policy which allows access to everyone" "$region" "$vault" else - textPass "$region :Vault $vault has vault policy which does not allow public access" + textPass "$region: Vault: $vault has policy which does not allow access to everyone" "$region" "$vault" fi fi done else - textInfo "No glacier vaults found in $region region" + textInfo "$region: No glacier vaults found" "$region" fi done } diff --git a/checks/check_extra92 b/checks/check_extra7143 similarity index 54% rename from checks/check_extra92 rename to checks/check_extra7143 index d83c3f24..fbd1c324 100644 --- a/checks/check_extra92 +++ b/checks/check_extra7143 @@ -10,39 +10,40 @@ # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. -CHECK_ID_extra92="9.2" -CHECK_TITLE_extra92="[extra92] Check if EFS have policies which allow access to everyone (Not Scored) (Not part of CIS benchmark) (Custom Check)" -CHECK_SCORED_extra92="NOT_SCORED" -CHECK_TYPE_extra92="EXTRA" -CHECK_SEVERITY_extra92="Critical" -CHECK_ASFF_RESOURCE_TYPE_extra92="AwsEFS" -CHECK_ALTERNATE_check92="extra92" -CHECK_SERVICENAME_extra92="EFS" +CHECK_ID_extra7143="7.143" +CHECK_TITLE_extra7143="[extra7143] Check if EFS have policies which allow access to everyone (Not Scored) (Not part of CIS benchmark)" +CHECK_SCORED_extra7143="NOT_SCORED" +CHECK_TYPE_extra7143="EXTRA" +CHECK_SEVERITY_extra7143="Critical" +CHECK_ASFF_RESOURCE_TYPE_extra7143="AwsEFS" +CHECK_ALTERNATE_check7143="extra7143" +CHECK_SERVICENAME_extra7143="efs" +CHECK_RISK_extra7143='EFS accessible to everyone could expose sensible data to bad actors' +CHECK_REMEDIATION_extra7143='Ensure efs has some policy but it does not have principle as *' +CHECK_DOC_extra7143='https://docs.aws.amazon.com/efs/latest/ug/access-control-block-public-access.html' +CHECK_CAF_EPIC_extra7143='Data Protection' -# If an EFS has a policy principle as *, we consider it as public accessible even though client connects through a -# vpc peering or transit gateway. Also if EFS has a default policy(no user defined policy), it's also a security risk, -# as default policy grants full access to any client that can connect to the file system using a file system mount target. - -extra92(){ +extra7143(){ + # "Check if EFS have policies which allow access to everyone (Not Scored) (Not part of CIS benchmark)" for region in $REGIONS; do LIST_OF_EFS_IDS=$($AWSCLI efs describe-file-systems $PROFILE_OPT --region $region --query FileSystems[*].FileSystemId --output text|xargs -n1) if [[ $LIST_OF_EFS_IDS ]]; then for efsId in $LIST_OF_EFS_IDS;do EFS_POLICY_STATEMENTS=$($AWSCLI efs $PROFILE_OPT describe-file-system-policy --region $region --file-system-id $efsId --output json --query Policy 2>&1) if [[ $EFS_POLICY_STATEMENTS == *PolicyNotFound* ]]; then - textFail "$region : EFS $efsId doesn't have any policy which means it grants full access to any client" + textFail "$region: EFS: $efsId doesn't have any policy which means it grants full access to any client" "$region" "$efsId" else EFS_POLICY_BAD_STATEMENTS=$(echo $EFS_POLICY_STATEMENTS | jq '. | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")') if [[ $EFS_POLICY_BAD_STATEMENTS != "" ]]; then - textFail "$region : EFS $efsId allows public access with policy as: $EFS_POLICY_BAD_STATEMENTS" + textFail "$region: EFS: $efsId has policy which allows access to everyone" "$region" "$efsId" else - textPass "$region : EFS $efsId has file system policy which does not allow public access" + textPass "$region: EFS: $efsId has policy which does not allow access to everyone" "$region" "$efsId" fi fi done else - textInfo "No EFS found in $region region" + textInfo "$region: No EFS found" "$region" fi done } diff --git a/checks/check_extra93 b/checks/check_extra7144 similarity index 57% rename from checks/check_extra93 rename to checks/check_extra7144 index 02fbd1ab..7f8192e9 100644 --- a/checks/check_extra93 +++ b/checks/check_extra7144 @@ -10,25 +10,25 @@ # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. +CHECK_ID_extra7144="7.144" +CHECK_TITLE_extra7144="[extra7144] Check if aws cloudwatch has allowed sharing with other accounts (Not Scored) (Not part of CIS benchmark)" +CHECK_SCORED_extra7144="NOT_SCORED" +CHECK_TYPE_extra7144="EXTRA" +CHECK_SEVERITY_extra7144="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7144="AwsCloudWatch" +CHECK_ALTERNATE_check7144="extra7144" +CHECK_SERVICENAME_extra7144="cloudwatch" +CHECK_RISK_extra7144='' +CHECK_REMEDIATION_extra7144='' +CHECK_DOC_extra7144='https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Cross-Account-Cross-Region.html' +CHECK_CAF_EPIC_extra7144='' -CHECK_ID_extra93="9.3" -CHECK_TITLE_extra93="[extra93] Check if aws cloudwatch has allowed sharing with other accounts (Not Scored) (Not part of CIS benchmark) (Custom Check)" -CHECK_SCORED_extra93="NOT_SCORED" -CHECK_TYPE_extra93="EXTRA" -CHECK_SEVERITY_extra93="Critical" -CHECK_ASFF_RESOURCE_TYPE_extra93="AwsCloudWatch" -CHECK_ALTERNATE_check93="extra93" -CHECK_SERVICENAME_extra93="CloudWatch" - -# When CloudWatch allows cross account sharing, a role with name CloudWatch-CrossAccountSharingRole -# get's created by aws itself. So we are validating role name existance for checking the cloudwatch security. - -extra93(){ - +extra7144(){ + # "Check if aws cloudwatch has allowed sharing with other accounts (Not Scored) (Not part of CIS benchmark)" CLOUDWATCH_CROSS_ACCOUNT_ROLE=$($AWSCLI iam get-role $PROFILE_OPT --role-name=CloudWatch-CrossAccountSharingRole --output json --query Role 2>&1) if [[ $CLOUDWATCH_CROSS_ACCOUNT_ROLE != *NoSuchEntity* ]]; then CLOUDWATCH_POLICY_BAD_STATEMENTS=$(echo $CLOUDWATCH_CROSS_ACCOUNT_ROLE | jq '.AssumeRolePolicyDocument') - textFail "Cloudwatch has allowed cross account sharing with policy as $CLOUDWATCH_POLICY_BAD_STATEMENTS" + textInfo "Cloudwatch has allowed cross account sharing" else textPass "CloudWatch doesn't allows cross account sharing" fi diff --git a/checks/check_extra94 b/checks/check_extra7145 similarity index 55% rename from checks/check_extra94 rename to checks/check_extra7145 index de9a00c3..d608d8c4 100644 --- a/checks/check_extra94 +++ b/checks/check_extra7145 @@ -10,39 +10,40 @@ # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. +CHECK_ID_extra7145="7.145" +CHECK_TITLE_extra7145="[extra7145] Check if lambda functions have policies which allow access to every aws account (Not Scored) (Not part of CIS benchmark)" +CHECK_SCORED_extra7145="NOT_SCORED" +CHECK_TYPE_extra7145="EXTRA" +CHECK_SEVERITY_extra7145="Critical" +CHECK_ASFF_RESOURCE_TYPE_extra7145="AwsLambda" +CHECK_ALTERNATE_check7145="extra7145" +CHECK_SERVICENAME_extra7145="lambda" +CHECK_RISK_extra7145='Lambda function access to any aws account may result security issues' +CHECK_REMEDIATION_extra7145='Ensure lambda function policiy does not allow access to any account' +CHECK_DOC_extra7145='https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html' +CHECK_CAF_EPIC_extra7145='' -CHECK_ID_extra94="9.4" -CHECK_TITLE_extra94="[extra94] Check if lambda functions have policies which allow access to everyone having an aws account (Not Scored) (Not part of CIS benchmark) (Custom Check)" -CHECK_SCORED_extra94="NOT_SCORED" -CHECK_TYPE_extra94="EXTRA" -CHECK_SEVERITY_extra94="Critical" -CHECK_ASFF_RESOURCE_TYPE_extra94="AwsLambda" -CHECK_ALTERNATE_check94="extra94" -CHECK_SERVICENAME_extra94="Lambda" - -# If a lambda function has a policy principle as *, It can be accessed by any aws account. -# We consider such functions as publicly accessible resource. - -extra94(){ +extra7145(){ + # "Check if lambda functions have policies which allow access to every aws account (Not Scored) (Not part of CIS benchmark)" for region in $REGIONS; do LIST_OF_LAMBDA_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $region --query Functions[*].FunctionName --output text) if [[ $LIST_OF_LAMBDA_FUNCTIONS ]]; then for lambdaFunction in $LIST_OF_LAMBDA_FUNCTIONS;do FUNCTION_POLICY_STATEMENTS=$($AWSCLI lambda $PROFILE_OPT get-policy --region $region --function-name $lambdaFunction --output json --query Policy 2>&1) if [[ $FUNCTION_POLICY_STATEMENTS == *ResourceNotFoundException* ]]; then - textInfo "$region : Lambda function $lambdaFunction doesn't have any policy" + textInfo "$region : Lambda function: $lambdaFunction doesn't have any policy" "$region" "$lambdaFunction" else FUNCTION_POLICY_BAD_STATEMENTS=$(echo $FUNCTION_POLICY_STATEMENTS | jq '. | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")') if [[ $FUNCTION_POLICY_BAD_STATEMENTS != "" ]]; then - textFail "$region : Lambda function $lambdaFunction allows public access with policy as: $FUNCTION_POLICY_BAD_STATEMENTS" + textFail "$region: Lambda function: $lambdaFunction allows public access to every aws account" "$region" "$lambdaFunction" else - textPass "$region : Lambda function $lambdaFunction has policy which doesn't allow access to everyone having an aws account" + textPass "$region: Lambda function: $lambdaFunction has policy which doesn't allow access to everyone having an aws account" "$region" "$lambdaFunction" fi fi done else - textInfo "No lambda functions found in $region region" + textInfo "$region: No lambda functions found" "$region" fi done } diff --git a/checks/check_extra95 b/checks/check_extra7146 similarity index 52% rename from checks/check_extra95 rename to checks/check_extra7146 index a41f3c9c..980b9fa4 100644 --- a/checks/check_extra95 +++ b/checks/check_extra7146 @@ -10,32 +10,34 @@ # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. +CHECK_ID_extra7146="7.146" +CHECK_TITLE_extra7146="[extra7146] Check if there is any unassigned elastic ip's (Not Scored) (Not part of CIS benchmark)" +CHECK_SCORED_extra7146="NOT_SCORED" +CHECK_TYPE_extra7146="EXTRA" +CHECK_SEVERITY_extra7146="Medium" +CHECK_ASFF_RESOURCE_TYPE_extra7146="AwsElasticIPs" +CHECK_ALTERNATE_check7146="extra7146" +CHECK_SERVICENAME_extra7146="elasticip" +CHECK_RISK_extra7146='Unassigned elastic ips may result in extra cost' +CHECK_REMEDIATION_extra7146='Ensure elastic ips are not unassigned' +CHECK_DOC_extra7146='https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html' +CHECK_CAF_EPIC_extra7146='' -CHECK_ID_extra95="9.5" -CHECK_TITLE_extra95="[extra95] Check if there is any unassigned elastic ip's (Not Scored) (Not part of CIS benchmark) (Custom Check)" -CHECK_SCORED_extra95="NOT_SCORED" -CHECK_TYPE_extra95="EXTRA" -CHECK_SEVERITY_extra95="Critical" -CHECK_ASFF_RESOURCE_TYPE_extra95="AwsElasticIPs" -CHECK_ALTERNATE_check95="extra95" -CHECK_SERVICENAME_extra95="ElasticIPs" - -# If there is any elasting ip which is not assigned to any instance or network interface, we will list that out. - -extra95(){ +extra7146(){ + # "Check if there is any unassigned elastic ip (Not Scored) (Not part of CIS benchmark)" for region in $REGIONS; do ELASTIC_IP_ADDRESSES=$($AWSCLI ec2 describe-addresses $PROFILE_OPT --region $region --query Addresses --output json) if [[ $ELASTIC_IP_ADDRESSES != [] ]]; then LIST_OF_ASSOCIATED_IPS=$(echo $ELASTIC_IP_ADDRESSES | jq -r '.[] | select(.AssociationId!=null) | .PublicIp') LIST_OF_UNASSOCIATED_IPS=$(echo $ELASTIC_IP_ADDRESSES | jq -r '.[] | select(.AssociationId==null) | .PublicIp') for ass_ip in $LIST_OF_ASSOCIATED_IPS; do - textPass "$region : Elastic IP $ass_ip is associated with an instance or network interface" + textPass "$region: Elastic IP: $ass_ip is associated with an instance or network interface" "$region" "$ass_ip" done for unass_ip in $LIST_OF_UNASSOCIATED_IPS; do - textInfo "$region : Elastic IP $unass_ip is not associated with any instance or network interface, it may incurr cost" + textInfo "$region: Elastic IP: $unass_ip is not associated with any instance or network interface, it may incurr extra cost" "$region" "$unass_ip" done else - textInfo "No elastic ip's found in region $region" + textInfo "$region: No elastic ip's found" "$region" fi done } diff --git a/groups/group7_extras b/groups/group7_extras index e7333d62..090deca2 100644 --- a/groups/group7_extras +++ b/groups/group7_extras @@ -15,7 +15,7 @@ GROUP_ID[7]='extras' GROUP_NUMBER[7]='7.0' GROUP_TITLE[7]='Extras - all non CIS specific checks - [extras] ****************' GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called -GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100,extra7101,extra7102,extra7103,extra7104,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110,extra7111,extra7112,extra7113,extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122,extra7123,extra7124,extra7125,extra7126,extra7127,extra7128,extra7129,extra7130,extra7131,extra7132,extra7133' +GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100,extra7101,extra7102,extra7103,extra7104,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110,extra7111,extra7112,extra7113,extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122,extra7123,extra7124,extra7125,extra7126,extra7127,extra7128,extra7129,extra7130,extra7131,extra7132,extra7133,extra7142,extra7143,extra7144,extra7145,extra7146' # Extras 759 and 760 (lambda variables and code secrets finder are not included) # to run detect-secrets use `./prowler -g secrets`