ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added new check extra715 ES service logging

Browse Source
This commit is contained in:
Toni de la Fuente
2018-02-08 00:27:27 -05:00
parent 3665d64f2b
commit 841e5436b9
2 changed files with 38 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
README.md
View File

@@ -583,7 +583,7 @@ We are adding additional checks to improve the information gather from each acco
Note: Some of these checks for publicly facing resources may not actually be fully public due to other layered controls like S3 Bucket Policies, Security Groups or Network ACLs. Note: Some of these checks for publicly facing resources may not actually be fully public due to other layered controls like S3 Bucket Policies, Security Groups or Network ACLs.
At this moment we have 14 extra checks: At this moment we have 15 extra checks:
- 7.1 (`extra71`) Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark) - 7.1 (`extra71`) Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)
- 7.2 (`extra72`) Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark) - 7.2 (`extra72`) Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)
@@ -599,6 +599,8 @@ At this moment we have 14 extra checks:
- 7.12 (`extra712`) Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark) - 7.12 (`extra712`) Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
- 7.13 (`extra713`) Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark) - 7.13 (`extra713`) Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)
- 7.14 (`extra714`) Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark) - 7.14 (`extra714`) Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
- 7.15 (`extra715`) Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)
To check all extras in one command: To check all extras in one command:
``` ```
@@ -623,6 +625,7 @@ With this group of checks, Prowler looks if each service with logging or audit c
- 7.12 Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark) - 7.12 Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
- 7.13 Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark) - 7.13 Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)
- 7.14 Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark) - 7.14 Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
- 7.15 Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)
The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command: The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command:
``` ```

37
prowler
View File

@@ -496,6 +496,8 @@ ID713="7.13,7.13"
TITLE713="Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)" TITLE713="Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
ID714="7.14,7.14" ID714="7.14,7.14"
TITLE714="Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)" TITLE714="Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
ID715="7.15,7.15"
TITLE715="Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)"
printCsvHeader() { printCsvHeader() {
>&2 echo "" >&2 echo ""
@@ -1912,6 +1914,32 @@ extra714(){
done done
} }
extra715(){
# "Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)"
textTitle "$ID715" "$TITLE715" "NOT_SCORED" "EXTRA"
for regx in $REGIONS; do
LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text)
if [[ $LIST_OF_DOMAINS ]]; then
for domain in $LIST_OF_DOMAINS;do
SEARCH_SLOWLOG_ENABLED=$($AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.LogPublishingOptions.Options.SEARCH_SLOW_LOGS.Enabled --output text |grep -v ^None|grep -v ^False)
if [[ $SEARCH_SLOWLOG_ENABLED ]];then
textOK "$regx: ElasticSearch Service domain $domain SEARCH_SLOW_LOGS enabled" "$regx"
else
textWarn "$regx: ElasticSearch Service domain $domain SEARCH_SLOW_LOGS disabled!" "$regx"
fi
INDEX_SLOWLOG_ENABLED=$($AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.LogPublishingOptions.Options.INDEX_SLOW_LOGS.Enabled --output text |grep -v ^None|grep -v ^False)
if [[ $INDEX_SLOWLOG_ENABLED ]];then
textOK "$regx: ElasticSearch Service domain $domain INDEX_SLOW_LOGS enabled" "$regx"
else
textWarn "$regx: ElasticSearch Service domain $domain INDEX_SLOW_LOGS disabled!" "$regx"
fi
done
else
textOK "$regx: No Elasticsearch Service domain found" "$regx"
fi
done
}
callCheck(){ callCheck(){
if [[ $CHECKNUMBER ]];then if [[ $CHECKNUMBER ]];then
case "$CHECKNUMBER" in case "$CHECKNUMBER" in
@@ -1981,6 +2009,7 @@ callCheck(){
extra712|extra712 ) extra712;; extra712|extra712 ) extra712;;
extra713|extra713 ) extra713;; extra713|extra713 ) extra713;;
extra714|extra714 ) extra714;; extra714|extra714 ) extra714;;
extra715|extra715 ) extra715;;
## Groups of Checks ## Groups of Checks
check1 ) check1 )
@@ -2017,12 +2046,12 @@ callCheck(){
;; ;;
extras ) extras )
extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78; extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78;
extra79;extra710;extra711;extra712;extra713;extra714 extra79;extra710;extra711;extra712;extra713;extra714;extra715
;; ;;
forensics-ready ) forensics-ready )
check21;check22;check23;check24;check25;check26;check27; check21;check22;check23;check24;check25;check26;check27;
check43; check43;
extra712;extra713;extra714 extra712;extra713;extra714;extra715
;; ;;
* ) * )
textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n"; textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";
@@ -2106,7 +2135,8 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then
textTitle "$ID711" "$TITLE711" "NOT_SCORED" "EXTRA" textTitle "$ID711" "$TITLE711" "NOT_SCORED" "EXTRA"
textTitle "$ID712" "$TITLE712" "NOT_SCORED" "EXTRA" textTitle "$ID712" "$TITLE712" "NOT_SCORED" "EXTRA"
textTitle "$ID713" "$TITLE713" "NOT_SCORED" "EXTRA" textTitle "$ID713" "$TITLE713" "NOT_SCORED" "EXTRA"
textTitle "$ID714" "$TITLE713" "NOT_SCORED" "EXTRA" textTitle "$ID714" "$TITLE714" "NOT_SCORED" "EXTRA"
textTitle "$ID715" "$TITLE715" "NOT_SCORED" "EXTRA"
exit $EXITCODE exit $EXITCODE
fi fi
@@ -2197,6 +2227,7 @@ extra711
extra712 extra712
extra713 extra713
extra714 extra714
extra715
cleanTemp cleanTemp
exit $EXITCODE exit $EXITCODE