diff --git a/checks/check_extra715 b/checks/check_extra715
index 34eb9a3d..8de075a3 100644
--- a/checks/check_extra715
+++ b/checks/check_extra715
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra715="7.15"
-CHECK_TITLE_extra715="[extra715] Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra715="[extra715] Check if Amazon Elasticsearch Service (ES) domains have logging enabled"
 CHECK_SCORED_extra715="NOT_SCORED"
 CHECK_TYPE_extra715="EXTRA"
 CHECK_ALTERNATE_check715="extra715"
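Review bot: The rewritten `CHECK_TITLE_extra715` promises "logging enabled", but the body of `extra715` in the next hunk reads only `SEARCH_SLOW_LOGS.Enabled` and `INDEX_SLOW_LOGS.Enabled` from `LogPublishingOptions`. A domain that passes both lines may still publish no error or audit logs, so the report title suggests more coverage than the check gives. Since the title is being reworded anyway, name what is tested, e.g. `CHECK_TITLE_extra715="[extra715] Check if Amazon Elasticsearch Service (ES) domains have slow logs enabled"`, or cover the remaining log types in a follow-up.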
@@ -23,19 +23,19 @@ extra715(){
 for domain in $LIST_OF_DOMAINS;do
 SEARCH_SLOWLOG_ENABLED=$($AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.LogPublishingOptions.Options.SEARCH_SLOW_LOGS.Enabled --output text |grep -v ^None|grep -v ^False)
 if [[ $SEARCH_SLOWLOG_ENABLED ]];then
- textPass "$regx: ElasticSearch Service domain $domain SEARCH_SLOW_LOGS enabled" "$regx"
+ textPass "$regx: Amazon Elasticsearch Service (ES) domain $domain SEARCH_SLOW_LOGS enabled" "$regx"
 else
- textFail "$regx: ElasticSearch Service domain $domain SEARCH_SLOW_LOGS disabled!" "$regx"
+ textFail "$regx: Amazon Elasticsearch Service (ES) domain $domain SEARCH_SLOW_LOGS disabled!" "$regx"
 fi
 INDEX_SLOWLOG_ENABLED=$($AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.LogPublishingOptions.Options.INDEX_SLOW_LOGS.Enabled --output text |grep -v ^None|grep -v ^False)
 if [[ $INDEX_SLOWLOG_ENABLED ]];then
- textPass "$regx: ElasticSearch Service domain $domain INDEX_SLOW_LOGS enabled" "$regx"
+ textPass "$regx: Amazon Elasticsearch Service (ES) domain $domain INDEX_SLOW_LOGS enabled" "$regx"
 else
- textFail "$regx: ElasticSearch Service domain $domain INDEX_SLOW_LOGS disabled!" "$regx"
+ textFail "$regx: Amazon Elasticsearch Service (ES) domain $domain INDEX_SLOW_LOGS disabled!" "$regx"
 fi
 done
 else
- textInfo "$regx: No Elasticsearch Service domain found" "$regx"
+ textInfo "$regx: No Amazon Elasticsearch Service (ES) domain found" "$regx"
 fi
 done
 }
diff --git a/checks/check_extra716 b/checks/check_extra716
index 4726aef3..abe5c546 100644
--- a/checks/check_extra716
+++ b/checks/check_extra716
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra716="7.16"
-CHECK_TITLE_extra716="[extra716] Check if Elasticsearch Service domains are set as Public and have cross account access (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra716="[extra716] Check if Amazon Elasticsearch Service (ES) domains are set as Public and have cross account access"
 CHECK_SCORED_extra716="NOT_SCORED"
 CHECK_TYPE_extra716="EXTRA"
 CHECK_ALTERNATE_check716="extra716"
@@ -27,14 +27,14 @@ extra716(){
 # check if the policy has Principal as *
 CHECK_ES_DOMAIN_ALLUSERS_POLICY=$(cat $TEMP_POLICY_FILE | jq -r '. | .Statement[] | select(.Effect == "Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and .Condition == null)')
 if [[ $CHECK_ES_DOMAIN_ALLUSERS_POLICY ]];then
- textFail "$regx: $domain policy allow Anonymous cross account access (Principal: \"*\")" "$regx"
+ textFail "$regx: Amazon Elasticsearch Service (ES) $domain policy allow Anonymous cross account access (Principal: \"*\")" "$regx"
 else
- textPass "$regx: $domain does not allow Anonymous cross account access" "$regx"
+ textPass "$regx: Amazon Elasticsearch Service (ES) $domain does not allow Anonymous cross account access" "$regx"
 fi
 rm -f $TEMP_POLICY_FILE
 done
 else
- textInfo "$regx: No Elasticsearch Service domain found" "$regx"
+ textInfo "$regx: No Amazon Elasticsearch Service (ES) domain found" "$regx"
 fi
 done
 }
diff --git a/checks/check_extra781 b/checks/check_extra781
index f47c022b..c19289ca 100644
--- a/checks/check_extra781
+++ b/checks/check_extra781
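Review bot: In `checks/check_extra716`, the added `textPass` line reports that the domain "does not allow Anonymous cross account access", which is more than the `jq` filter above it verifies. That filter selects only `Allow` statements with a `*` principal where `.Condition == null`, so any statement carrying a Condition, however permissive, is skipped and lands on the pass branch. Word the pass as what was tested, e.g. `textPass "$regx: Amazon Elasticsearch Service (ES) $domain has no unconditional Allow for Principal \"*\"" "$regx"`, and add a comment above the filter saying conditions are not evaluated. The body of `extra716` starts outside the hunk, so how `TEMP_POLICY_FILE` is created cannot be judged from here.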
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra781="7.81"
-CHECK_TITLE_extra781="[extra781] Check if Elasticsearch Service domains has encryption at-rest enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra781="[extra781] Check if Amazon Elasticsearch Service (ES) domains has encryption at-rest enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra781="NOT_SCORED"
 CHECK_TYPE_extra781="EXTRA"
 CHECK_ALTERNATE_check781="extra781"
@@ -23,13 +23,13 @@ extra781(){
 for domain in $LIST_OF_DOMAINS;do
 CHECK_IF_ENCREST_ENABLED=$($AWSCLI es describe-elasticsearch-domain --domain-name $domain $PROFILE_OPT --region $regx --query 'DomainStatus.EncryptionAtRestOptions.Enabled' --output text|grep -i true)
 if [[ $CHECK_IF_ENCREST_ENABLED ]];then
- textPass "$regx: $domain has encryption at-rest enabled" "$regx"
+ textPass "$regx: Amazon Elasticsearch Service (ES) $domain has encryption at-rest enabled" "$regx"
 else
- textFail "$regx: $domain does not have encryption at-rest enabled" "$regx"
+ textFail "$regx: Amazon Elasticsearch Service (ES) $domain does not have encryption at-rest enabled" "$regx"
 fi
 done
 else
- textInfo "$regx: No Elasticsearch Service domains found" "$regx"
+ textInfo "$regx: No Amazon Elasticsearch Service (ES) domains found" "$regx"
 fi
 done
 }
diff --git a/checks/check_extra782 b/checks/check_extra782
index 8a60ea5d..1c92beec 100644
--- a/checks/check_extra782
+++ b/checks/check_extra782
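Review bot: The new `CHECK_TITLE_extra781` still ends in "(Not Scored) (Not part of CIS benchmark)", and `CHECK_TITLE_extra782` in the next file does the same, while the other five titles rewritten in this commit drop that suffix. If the suffix is being retired, remove it in both so report titles stay uniform for anyone filtering or diffing scan output. The title could also read "domains have" instead of "domains has", e.g. `CHECK_TITLE_extra781="[extra781] Check if Amazon Elasticsearch Service (ES) domains have encryption at-rest enabled"`.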
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra782="7.82"
-CHECK_TITLE_extra782="[extra782] Check if Elasticsearch Service domains has node-to-node encryption enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra782="[extra782] Check if Amazon Elasticsearch Service (ES) domains has node-to-node encryption enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra782="NOT_SCORED"
 CHECK_TYPE_extra782="EXTRA"
 CHECK_ALTERNATE_check782="extra782"
@@ -23,13 +23,13 @@ extra782(){
 for domain in $LIST_OF_DOMAINS;do
 CHECK_IF_NODETOENCR_ENABLED=$($AWSCLI es describe-elasticsearch-domain --domain-name $domain $PROFILE_OPT --region $regx --query 'DomainStatus.NodeToNodeEncryptionOptions.Enabled' --output text|grep -i true)
 if [[ $CHECK_IF_NODETOENCR_ENABLED ]];then
- textPass "$regx: $domain has node-to-node encryption enabled" "$regx"
+ textPass "$regx: Amazon Elasticsearch Service (ES) $domain has node-to-node encryption enabled" "$regx"
 else
- textFail "$regx: $domain does not have node-to-node encryption enabled" "$regx"
+ textFail "$regx: Amazon Elasticsearch Service (ES) $domain does not have node-to-node encryption enabled" "$regx"
 fi
 done
 else
- textInfo "$regx: No Elasticsearch Service domains found" "$regx"
+ textInfo "$regx: No Amazon Elasticsearch Service (ES) domains found" "$regx"
 fi
 done
 }
diff --git a/checks/check_extra783 b/checks/check_extra783
index 60c2e362..8b71b478 100644
--- a/checks/check_extra783
+++ b/checks/check_extra783
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra783="7.83"
-CHECK_TITLE_extra783="[extra783] Check if Elasticsearch Service domains has enforce HTTPS enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra783="[extra783] Check if Amazon Elasticsearch Service (ES) domains has enforce HTTPS enabled"
 CHECK_SCORED_extra783="NOT_SCORED"
 CHECK_TYPE_extra783="EXTRA"
 CHECK_ALTERNATE_check783="extra783"
@@ -23,13 +23,13 @@ extra783(){
 for domain in $LIST_OF_DOMAINS;do
 CHECK_IF_ENFORCEHTTPS_ENABLED=$($AWSCLI es describe-elasticsearch-domain --domain-name $domain $PROFILE_OPT --region $regx --query 'DomainStatus.DomainEndpointOptions.EnforceHTTPS' --output text|grep -i true)
 if [[ $CHECK_IF_ENFORCEHTTPS_ENABLED ]];then
- textPass "$regx: $domain has enforce HTTPS enabled" "$regx"
+ textPass "$regx: Amazon Elasticsearch Service (ES) $domain has enforce HTTPS enabled" "$regx"
 else
- textFail "$regx: $domain does not have enforce HTTPS enabled" "$regx"
+ textFail "$regx: Amazon Elasticsearch Service (ES) $domain does not have enforce HTTPS enabled" "$regx"
 fi
 done
 else
- textInfo "$regx: No Elasticsearch Service domains found" "$regx"
+ textInfo "$regx: No Amazon Elasticsearch Service (ES) domains found" "$regx"
 fi
 done
 }
diff --git a/checks/check_extra784 b/checks/check_extra784
index 533b1d96..0a62207e 100644
--- a/checks/check_extra784
+++ b/checks/check_extra784
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra784="7.84"
-CHECK_TITLE_extra784="[extra784] Check if Elasticsearch Service domains internal user database enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra784="[extra784] Check if Amazon Elasticsearch Service (ES) domains internal user database enabled"
 CHECK_SCORED_extra784="NOT_SCORED"
 CHECK_TYPE_extra784="EXTRA"
 CHECK_ALTERNATE_check784="extra784"
@@ -23,13 +23,13 @@ extra784(){
 for domain in $LIST_OF_DOMAINS;do
 CHECK_IF_INTERNALDB_ENABLED=$($AWSCLI es describe-elasticsearch-domain --domain-name $domain $PROFILE_OPT --region $regx --query 'DomainStatus.AdvancedSecurityOptions.InternalUserDatabaseEnabled' --output text|grep -i true)
 if [[ $CHECK_IF_INTERNALDB_ENABLED ]];then
- textPass "$regx: $domain has internal user database enabled" "$regx"
+ textPass "$regx: Amazon Elasticsearch Service (ES) $domain has internal user database enabled" "$regx"
 else
- textFail "$regx: $domain does not have internal user database enabled" "$regx"
+ textFail "$regx: Amazon Elasticsearch Service (ES) $domain does not have internal user database enabled" "$regx"
 fi
 done
 else
- textInfo "$regx: No Elasticsearch Service domains found" "$regx"
+ textInfo "$regx: No Amazon Elasticsearch Service (ES) domains found" "$regx"
 fi
 done
 }
diff --git a/checks/check_extra785 b/checks/check_extra785
index fe4dbd8f..a630eb28 100644
--- a/checks/check_extra785
+++ b/checks/check_extra785
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra785="7.85"
-CHECK_TITLE_extra785="[extra785] Check if Elasticsearch Service domains have updates available (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra785="[extra785] Check if Amazon Elasticsearch Service (ES) domains have updates available"
 CHECK_SCORED_extra785="NOT_SCORED"
 CHECK_TYPE_extra785="EXTRA"
 CHECK_ALTERNATE_check785="extra785"
@@ -23,13 +23,13 @@ extra785(){
 for domain in $LIST_OF_DOMAINS;do
 CHECK_IF_UPDATE_AVAILABLE=$($AWSCLI es describe-elasticsearch-domain --domain-name $domain $PROFILE_OPT --region $regx --query 'DomainStatus.ServiceSoftwareOptions.UpdateAvailable' --output text|grep -i true)
 if [[ $CHECK_IF_UPDATE_AVAILABLE ]];then
- textInfo "$regx: $domain has updates available" "$regx"
+ textInfo "$regx: Amazon Elasticsearch Service (ES) $domain has updates available" "$regx"
 else
- textPass "$regx: $domain does not have have updates available" "$regx"
+ textPass "$regx: Amazon Elasticsearch Service (ES) $domain does not have have updates available" "$regx"
 fi
 done
 else
- textInfo "$regx: No Elasticsearch Service domains found" "$regx"
+ textInfo "$regx: No Amazon Elasticsearch Service (ES) domains found" "$regx"
 fi
 done
 }
diff --git a/groups/group14_elasticsearch b/groups/group14_elasticsearch
index 089c85bc..e046981f 100644
--- a/groups/group14_elasticsearch
+++ b/groups/group14_elasticsearch
@@ -13,6 +13,6 @@ GROUP_ID[14]='elasticsearch' GROUP_NUMBER[14]='14.0' -GROUP_TITLE[14]='Elasticsearch security checks - [elasticsearch] ***************' +GROUP_TITLE[14]='Elasticsearch related security checks - [elasticsearch] ***************' GROUP_RUN_BY_DEFAULT[14]='N' # run it when execute_all is called GROUP_CHECKS[14]='extra715,extra716,extra779,extra780,extra781,extra782,extra783,extra784,extra785'
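Review bot: In `checks/check_extra785`, the added `textPass` line is reached whenever `CHECK_IF_UPDATE_AVAILABLE` is empty, so a failed lookup is reported as a pass. The variable is empty both when `UpdateAvailable` is false and when the `describe-elasticsearch-domain` call returns nothing usable (for example on a denied or throttled request). This check therefore fails open, unlike extra781 to extra784, where an empty result falls into `textFail`. Consider capturing the raw value, passing only on an explicit `False`, and reporting anything else through `textInfo`. The same line keeps a doubled word and should read `does not have updates available`; the body of `extra785` begins outside the hunk.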