Added new check extra715 ES service logging

2026-02-10 14:55:00 +00:00 · 2018-02-08 00:27:27 -05:00
parent 3665d64f2b
commit 841e5436b9
2 changed files with 38 additions and 4 deletions
--- a/README.md
+++ b/README.md
@@ -583,7 +583,7 @@ We are adding additional checks to improve the information gather from each acco

 Note: Some of these checks for publicly facing resources may not actually be fully public due to other layered controls like S3 Bucket Policies, Security Groups or Network ACLs.

-At this moment we have 14 extra checks:
+At this moment we have 15 extra checks:

 - 7.1 (`extra71`) Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)
 - 7.2 (`extra72`) Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)
@@ -599,6 +599,8 @@ At this moment we have 14 extra checks:
 - 7.12 (`extra712`) Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
 - 7.13 (`extra713`) Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)
 - 7.14 (`extra714`) Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
+- 7.15 (`extra715`) Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)
+

 To check all extras in one command:
 ```
@@ -623,6 +625,7 @@ With this group of checks, Prowler looks if each service with logging or audit c
 - 7.12  Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
 - 7.13  Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)
 - 7.14  Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
+- 7.15  Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)

 The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command:
 ```
--- a/37
+++ b/37
@@ -496,6 +496,8 @@ ID713="7.13,7.13"
 TITLE713="Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
 ID714="7.14,7.14"
 TITLE714="Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
+ID715="7.15,7.15"
+TITLE715="Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)"

 printCsvHeader() {
  >&2 echo ""
@@ -1912,6 +1914,32 @@ extra714(){
  done
 }

+extra715(){
+  # "Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)"
+  textTitle "$ID715" "$TITLE715" "NOT_SCORED" "EXTRA"
+  for regx in $REGIONS; do
+    LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text)
+    if [[ $LIST_OF_DOMAINS ]]; then
+      for domain in $LIST_OF_DOMAINS;do
+        SEARCH_SLOWLOG_ENABLED=$($AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.LogPublishingOptions.Options.SEARCH_SLOW_LOGS.Enabled --output text |grep -v ^None|grep -v ^False)
+        if [[ $SEARCH_SLOWLOG_ENABLED ]];then
+          textOK "$regx: ElasticSearch Service domain $domain SEARCH_SLOW_LOGS enabled" "$regx"
+        else
+          textWarn "$regx: ElasticSearch Service domain $domain SEARCH_SLOW_LOGS disabled!" "$regx"
+        fi
+        INDEX_SLOWLOG_ENABLED=$($AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.LogPublishingOptions.Options.INDEX_SLOW_LOGS.Enabled --output text |grep -v ^None|grep -v ^False)
+        if [[ $INDEX_SLOWLOG_ENABLED ]];then
+          textOK "$regx: ElasticSearch Service domain $domain INDEX_SLOW_LOGS enabled" "$regx"
+        else
+          textWarn "$regx: ElasticSearch Service domain $domain INDEX_SLOW_LOGS disabled!" "$regx"
+        fi
+      done
+    else
+      textOK "$regx: No Elasticsearch Service domain found" "$regx"
+    fi
+  done
+}
+
 callCheck(){
  if [[ $CHECKNUMBER ]];then
    case "$CHECKNUMBER" in
@@ -1981,6 +2009,7 @@ callCheck(){
      extra712|extra712 ) extra712;;
      extra713|extra713 ) extra713;;
      extra714|extra714 ) extra714;;
+      extra715|extra715 ) extra715;;

      ## Groups of Checks
      check1 )
@@ -2017,12 +2046,12 @@ callCheck(){
        ;;
      extras )
        extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78;
-        extra79;extra710;extra711;extra712;extra713;extra714
+        extra79;extra710;extra711;extra712;extra713;extra714;extra715
        ;;
      forensics-ready )
        check21;check22;check23;check24;check25;check26;check27;
        check43;
-        extra712;extra713;extra714
+        extra712;extra713;extra714;extra715
        ;;
      * )
        textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";
@@ -2106,7 +2135,8 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then
  textTitle "$ID711" "$TITLE711" "NOT_SCORED" "EXTRA"
  textTitle "$ID712" "$TITLE712" "NOT_SCORED" "EXTRA"
  textTitle "$ID713" "$TITLE713" "NOT_SCORED" "EXTRA"
-  textTitle "$ID714" "$TITLE713" "NOT_SCORED" "EXTRA"
+  textTitle "$ID714" "$TITLE714" "NOT_SCORED" "EXTRA"
+  textTitle "$ID715" "$TITLE715" "NOT_SCORED" "EXTRA"
  exit $EXITCODE
 fi

@@ -2197,6 +2227,7 @@ extra711
 extra712
 extra713
 extra714
+extra715

 cleanTemp
 exit $EXITCODE