ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

Modified checks and documentation to reflect changes in CIS_Benchmark_v1.2.0(05-23-2018)

Browse Source
This commit is contained in:
Keith Rhea
2018-08-15 09:16:27 -06:00
parent 3ef5a42b73
commit 97da9c2122
21 changed files with 158 additions and 287 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
LIST_OF_CHECKS_AND_GROUPS.md
View File

@@ -44,21 +44,17 @@ Colors code for results: INFO (Information), PASS (Recommended value), FAIL (F
1.16 [check116] Ensure IAM policies are attached only to groups or roles (Scored)
1.17 [check117] Enable detailed billing (Scored)
1.17 [check117] Maintain current contact details (Scored)
1.18 [check118] Ensure IAM Master and IAM Manager roles are active (Scored)
1.18 [check118] Ensure security contact information is registered (Scored)
1.19 [check119] Maintain current contact details (Scored)
1.19 [check119] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)
1.20 [check120] Ensure security contact information is registered (Scored)
1.20 [check120] Ensure a support role has been created to manage incidents with AWS Support (Scored)
1.21 [check121] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)
1.21 [check121] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)
1.22 [check122] Ensure a support role has been created to manage incidents with AWS Support (Scored)
1.23 [check123] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)
1.24 [check124] Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored)
1.22 [check122] Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored)
2.0 Logging - [group2] *********************************************
@@ -78,6 +74,8 @@ Colors code for results: INFO (Information), PASS (Recommended value), FAIL (F
2.8 [check28] Ensure rotation for customer created CMKs is enabled (Scored)
2.9 [check29] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
3.0 Monitoring - [group3] ******************************************
3.1 [check31] Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)
@@ -108,19 +106,15 @@ Colors code for results: INFO (Information), PASS (Recommended value), FAIL (F
3.14 [check314] Ensure a log metric filter and alarm exist for VPC changes (Scored)
3.15 [check315] Ensure appropriate subscribers to each SNS topic (Not Scored)
4.0 Networking - [group4] ******************************************
4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)
4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)
4.3 [check43] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
4.3 [check43] Ensure the default security group of every VPC restricts all traffic (Scored)
4.4 [check44] Ensure the default security group of every VPC restricts all traffic (Scored)
4.5 [check45] Ensure routing tables for VPC peering are "least access" (Not Scored)
4.4 [check44] Ensure routing tables for VPC peering are "least access" (Not Scored)
5.0 CIS Level 1 - [cislevel1] **************************************
@@ -154,19 +148,17 @@ Colors code for results: INFO (Information), PASS (Recommended value), FAIL (F
1.16 [check116] Ensure IAM policies are attached only to groups or roles (Scored)
1.17 [check117] Enable detailed billing (Scored)
1.17 [check117] Maintain current contact details (Scored)
1.18 [check118] Ensure IAM Master and IAM Manager roles are active (Scored)
1.18 [check118] Ensure security contact information is registered (Scored)
1.19 [check119] Maintain current contact details (Scored)
1.19 [check119] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)
1.20 [check120] Ensure security contact information is registered (Scored)
1.20 [check120] Ensure a support role has been created to manage incidents with AWS Support (Scored)
1.22 [check122] Ensure a support role has been created to manage incidents with AWS Support (Scored)
1.21 [check121] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)
1.23 [check123] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)
1.24 [check124] Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored)
1.22 [check122] Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored)
2.1 [check21] Ensure CloudTrail is enabled in all regions (Scored)
@@ -196,8 +188,6 @@ Colors code for results: INFO (Information), PASS (Recommended value), FAIL (F
3.14 [check314] Ensure a log metric filter and alarm exist for VPC changes (Scored)
3.15 [check315] Ensure appropriate subscribers to each SNS topic (Not Scored)
4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)
4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)
@@ -236,21 +226,17 @@ Colors code for results: INFO (Information), PASS (Recommended value), FAIL (F
1.16 [check116] Ensure IAM policies are attached only to groups or roles (Scored)
1.17 [check117] Enable detailed billing (Scored)
1.17 [check117] Maintain current contact details (Scored)
1.18 [check118] Ensure IAM Master and IAM Manager roles are active (Scored)
1.18 [check118] Ensure security contact information is registered (Scored)
1.19 [check119] Maintain current contact details (Scored)
1.19 [check119] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)
1.20 [check120] Ensure security contact information is registered (Scored)
1.20 [check120] Ensure a support role has been created to manage incidents with AWS Support (Scored)
1.21 [check121] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)
1.21 [check121] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)
1.22 [check122] Ensure a support role has been created to manage incidents with AWS Support (Scored)
1.23 [check123] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)
1.24 [check124] Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored)
1.22 [check122] Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored)
2.1 [check21] Ensure CloudTrail is enabled in all regions (Scored)
@@ -268,6 +254,8 @@ Colors code for results: INFO (Information), PASS (Recommended value), FAIL (F
2.8 [check28] Ensure rotation for customer created CMKs is enabled (Scored)
2.9 [check29] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
3.1 [check31] Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)
3.2 [check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)
@@ -296,17 +284,13 @@ Colors code for results: INFO (Information), PASS (Recommended value), FAIL (F
3.14 [check314] Ensure a log metric filter and alarm exist for VPC changes (Scored)
3.15 [check315] Ensure appropriate subscribers to each SNS topic (Not Scored)
4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)
4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)
4.3 [check43] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
4.3 [check43] Ensure the default security group of every VPC restricts all traffic (Scored)
4.4 [check44] Ensure the default security group of every VPC restricts all traffic (Scored)
4.5 [check45] Ensure routing tables for VPC peering are "least access" (Not Scored)
4.4 [check44] Ensure routing tables for VPC peering are "least access" (Not Scored)
7.0 Extras - [extras] **********************************************
@@ -376,7 +360,7 @@ Colors code for results: INFO (Information), PASS (Recommended value), FAIL (F
2.7 [check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)
4.3 [check43] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
2.9 [check29] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
7.12 [extra712] Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)

6
checks/check117
View File

@@ -9,13 +9,13 @@
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
CHECK_ID_check117="1.17"
CHECK_TITLE_check117="[check117] Enable detailed billing (Scored)"
CHECK_SCORED_check117="SCORED"
CHECK_TITLE_check117="[check117] Maintain current contact details (Scored)"
CHECK_SCORED_check117="NOT_SCORED"
CHECK_TYPE_check117="LEVEL1"
CHECK_ALTERNATE_check117="check117"
check117(){
# "Enable detailed billing (Scored)"
# "Maintain current contact details (Scored)"
# No command available
textInfo "No command available for check 1.17 "
textInfo "See section 1.17 on the CIS Benchmark guide for details "

30
checks/check118
View File

@@ -9,32 +9,14 @@
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
CHECK_ID_check118="1.18"
CHECK_TITLE_check118="[check118] Ensure IAM Master and IAM Manager roles are active (Scored)"
CHECK_SCORED_check118="SCORED"
CHECK_TITLE_check118="[check118] Ensure security contact information is registered (Scored)"
CHECK_SCORED_check118="NOT_SCORED"
CHECK_TYPE_check118="LEVEL1"
CHECK_ALTERNATE_check118="check118"
check118(){
# "Ensure IAM Master and IAM Manager roles are active (Scored)"
FINDMASTERANDMANAGER=$($AWSCLI iam list-roles $PROFILE_OPT --region $REGION --query "Roles[*].{RoleName:RoleName}" --output text | grep -E 'Master|Manager'| tr '
' ' ')
if [[ $FINDMASTERANDMANAGER ]];then
textInfo "Found next roles as possible IAM Master and IAM Manager candidates: "
textInfo "$FINDMASTERANDMANAGER "
textInfo "run the commands below to check their policies with section 1.18 in the guide..."
for role in $FINDMASTERANDMANAGER;do
# find inline policies in found roles
INLINEPOLICIES=$($AWSCLI iam list-role-policies --role-name $role $PROFILE_OPT --region $REGION --query "PolicyNames[*]" --output text)
for policy in $INLINEPOLICIES;do
textInfo "INLINE: $AWSCLI iam get-role-policy --role-name $role --policy-name $policy $PROFILE_OPT --region $REGION --output json"
done
# find attached policies in found roles
ATTACHEDPOLICIES=$($AWSCLI iam list-attached-role-policies --role-name $role $PROFILE_OPT --region $REGION --query "AttachedPolicies[*]" --output text)
for policy in $ATTACHEDPOLICIES;do
textInfo "ATTACHED: $AWSCLI iam get-role-policy --role-name $role --policy-name $policy $PROFILE_OPT --region $REGION --output json"
done
done
else
textFail "IAM Master and IAM Manager roles not found"
fi
# "Ensure security contact information is registered (Scored)"
# No command available
textInfo "No command available for check 1.18 "
textInfo "See section 1.18 on the CIS Benchmark guide for details "
}

9
checks/check119
View File

@@ -9,14 +9,13 @@
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
CHECK_ID_check119="1.19"
CHECK_TITLE_check119="[check119] Maintain current contact details (Scored)"
CHECK_SCORED_check119="SCORED"
CHECK_TYPE_check119="LEVEL1"
CHECK_TITLE_check119="[check119] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
CHECK_SCORED_check119="NOT_SCORED"
CHECK_TYPE_check119="LEVEL2"
CHECK_ALTERNATE_check119="check119"
check119(){
# "Maintain current contact details (Scored)"
# No command available
# "Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
textInfo "No command available for check 1.19 "
textInfo "See section 1.19 on the CIS Benchmark guide for details "
}

24
checks/check120
View File

@@ -9,14 +9,28 @@
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
CHECK_ID_check120="1.20"
CHECK_TITLE_check120="[check120] Ensure security contact information is registered (Scored)"
CHECK_TITLE_check120="[check120] Ensure a support role has been created to manage incidents with AWS Support (Scored)"
CHECK_SCORED_check120="SCORED"
CHECK_TYPE_check120="LEVEL1"
CHECK_ALTERNATE_check120="check120"
check120(){
# "Ensure security contact information is registered (Scored)"
# No command available
textInfo "No command available for check 1.20 "
textInfo "See section 1.20 on the CIS Benchmark guide for details "
# "Ensure a support role has been created to manage incidents with AWS Support (Scored)"
SUPPORTPOLICYARN=$($AWSCLI iam list-policies --query "Policies[?PolicyName == 'AWSSupportAccess'].Arn" $PROFILE_OPT --region $REGION --output text)
if [[ $SUPPORTPOLICYARN ]];then
for policyarn in $SUPPORTPOLICYARN;do
POLICYUSERS=$($AWSCLI iam list-entities-for-policy --policy-arn $SUPPORTPOLICYARN $PROFILE_OPT --region $REGION --output json)
if [[ $POLICYUSERS ]];then
textPass "Support Policy attached to $policyarn"
for user in $(echo "$POLICYUSERS" | grep UserName | cut -d'"' -f4) ; do
textInfo "User $user has support access via $policyarn"
done
# textInfo "Make sure your team can create a Support case with AWS "
else
textFail "Support Policy not applied to any Group / User / Role "
fi
done
else
textFail "No Support Policy found"
fi
}

29
checks/check121
View File

@@ -9,13 +9,32 @@
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
CHECK_ID_check121="1.21"
CHECK_TITLE_check121="[check121] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
CHECK_TITLE_check121="[check121] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
CHECK_SCORED_check121="NOT_SCORED"
CHECK_TYPE_check121="LEVEL2"
CHECK_TYPE_check121="LEVEL1"
CHECK_ALTERNATE_check121="check121"
check121(){
# "Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
textInfo "No command available for check 1.21 "
textInfo "See section 1.21 on the CIS Benchmark guide for details "
# "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
# List of USERS with KEY1 last_used_date as N/A
LIST_USERS_KEY1_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$11 }'|grep N/A |awk '{ print $1 }'; done)
LIST_USERS_KEY1_ACTIVE=$(for user in $LIST_USERS_KEY1_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$9 }'|grep "true$"|awk '{ print $1 }'|sed 's/[[:blank:]]+/,/g' ; done)
if [[ $LIST_USERS_KEY1_ACTIVE ]]; then
for user in $LIST_USERS_KEY1_ACTIVE; do
textInfo "$user has never used Access Key 1"
done
else
textPass "No users found with Access Key 1 never used"
fi
# List of USERS with KEY2 last_used_date as N/A
LIST_USERS_KEY2_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$16 }'|grep N/A |awk '{ print $1 }' ; done)
LIST_USERS_KEY2_ACTIVE=$(for user in $LIST_USERS_KEY2_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$14 }'|grep "true$" |awk '{ print $1 }' ; done)
if [[ $LIST_USERS_KEY2_ACTIVE ]]; then
for user in $LIST_USERS_KEY2_ACTIVE; do
textInfo "$user has never used Access Key 2"
done
else
textPass "No users found with Access Key 2 never used"
fi
}

34
checks/check122
View File

@@ -9,28 +9,32 @@
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
CHECK_ID_check122="1.22"
CHECK_TITLE_check122="[check122] Ensure a support role has been created to manage incidents with AWS Support (Scored)"
CHECK_TITLE_check122="[check122] Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
CHECK_SCORED_check122="SCORED"
CHECK_TYPE_check122="LEVEL1"
CHECK_ALTERNATE_check122="check122"
check122(){
# "Ensure a support role has been created to manage incidents with AWS Support (Scored)"
SUPPORTPOLICYARN=$($AWSCLI iam list-policies --query "Policies[?PolicyName == 'AWSSupportAccess'].Arn" $PROFILE_OPT --region $REGION --output text)
if [[ $SUPPORTPOLICYARN ]];then
for policyarn in $SUPPORTPOLICYARN;do
POLICYUSERS=$($AWSCLI iam list-entities-for-policy --policy-arn $SUPPORTPOLICYARN $PROFILE_OPT --region $REGION --output json)
if [[ $POLICYUSERS ]];then
textPass "Support Policy attached to $policyarn"
for user in $(echo "$POLICYUSERS" | grep UserName | cut -d'"' -f4) ; do
textInfo "User $user has support access via $policyarn"
done
# textInfo "Make sure your team can create a Support case with AWS "
else
textFail "Support Policy not applied to any Group / User / Role "
# "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION|grep 'arn:aws:iam::[0-9]\{12\}:'|awk '{ print $2 }')
if [[ $LIST_CUSTOM_POLICIES ]]; then
textInfo "Looking for custom policies: (skipping default policies - it may take few seconds...)"
for policy in $LIST_CUSTOM_POLICIES; do
POLICY_VERSION=$($AWSCLI iam list-policies $PROFILE_OPT --region $REGION --query 'Policies[*].[Arn,DefaultVersionId]' --output text |awk "\$1 == \"$policy\" { print \$2 }")
POLICY_WITH_FULL=$($AWSCLI iam get-policy-version --output text --policy-arn $policy --version-id $POLICY_VERSION --query "PolicyVersion.Document.Statement[?Action!=null]|[?Effect == 'Allow' && contains(Resource, '*') && contains (Action, '*')]" $PROFILE_OPT --region $REGION)
if [[ $POLICY_WITH_FULL ]]; then
POLICIES_ALLOW_LIST="$POLICIES_ALLOW_LIST $policy"
fi
done
if [[ $POLICIES_ALLOW_LIST ]]; then
textInfo "List of custom policies: "
for policy in $POLICIES_ALLOW_LIST; do
textInfo "Policy $policy allows \"*:*\""
done
else
textPass "No custom policy found that allow full \"*:*\" administrative privileges"
fi
else
textFail "No Support Policy found"
textPass "No custom policies found"
fi
}

40
checks/check123
View File

@@ -1,40 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (c) by Toni de la Fuente
#
# This Prowler check is licensed under a
# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
#
# You should have received a copy of the license along with this
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
CHECK_ID_check123="1.23"
CHECK_TITLE_check123="[check123] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
CHECK_SCORED_check123="NOT_SCORED"
CHECK_TYPE_check123="LEVEL1"
CHECK_ALTERNATE_check123="check123"
check123(){
# "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
# List of USERS with KEY1 last_used_date as N/A
LIST_USERS_KEY1_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$11 }'|grep N/A |awk '{ print $1 }'; done)
LIST_USERS_KEY1_ACTIVE=$(for user in $LIST_USERS_KEY1_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$9 }'|grep "true$"|awk '{ print $1 }'|sed 's/[[:blank:]]+/,/g' ; done)
if [[ $LIST_USERS_KEY1_ACTIVE ]]; then
for user in $LIST_USERS_KEY1_ACTIVE; do
textInfo "$user has never used Access Key 1"
done
else
textPass "No users found with Access Key 1 never used"
fi
# List of USERS with KEY2 last_used_date as N/A
LIST_USERS_KEY2_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$16 }'|grep N/A |awk '{ print $1 }' ; done)
LIST_USERS_KEY2_ACTIVE=$(for user in $LIST_USERS_KEY2_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$14 }'|grep "true$" |awk '{ print $1 }' ; done)
if [[ $LIST_USERS_KEY2_ACTIVE ]]; then
for user in $LIST_USERS_KEY2_ACTIVE; do
textInfo "$user has never used Access Key 2"
done
else
textPass "No users found with Access Key 2 never used"
fi
}

40
checks/check124
View File

@@ -1,40 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (c) by Toni de la Fuente
#
# This Prowler check is licensed under a
# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
#
# You should have received a copy of the license along with this
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
CHECK_ID_check124="1.24"
CHECK_TITLE_check124="[check124] Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
CHECK_SCORED_check124="SCORED"
CHECK_TYPE_check124="LEVEL1"
CHECK_ALTERNATE_check124="check124"
check124(){
# "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION|grep 'arn:aws:iam::[0-9]\{12\}:'|awk '{ print $2 }')
if [[ $LIST_CUSTOM_POLICIES ]]; then
textInfo "Looking for custom policies: (skipping default policies - it may take few seconds...)"
for policy in $LIST_CUSTOM_POLICIES; do
POLICY_VERSION=$($AWSCLI iam list-policies $PROFILE_OPT --region $REGION --query 'Policies[*].[Arn,DefaultVersionId]' --output text |awk "\$1 == \"$policy\" { print \$2 }")
POLICY_WITH_FULL=$($AWSCLI iam get-policy-version --output text --policy-arn $policy --version-id $POLICY_VERSION --query "PolicyVersion.Document.Statement[?Action!=null]|[?Effect == 'Allow' && contains(Resource, '*') && contains (Action, '*')]" $PROFILE_OPT --region $REGION)
if [[ $POLICY_WITH_FULL ]]; then
POLICIES_ALLOW_LIST="$POLICIES_ALLOW_LIST $policy"
fi
done
if [[ $POLICIES_ALLOW_LIST ]]; then
textInfo "List of custom policies: "
for policy in $POLICIES_ALLOW_LIST; do
textInfo "Policy $policy allows \"*:*\""
done
else
textPass "No custom policy found that allow full \"*:*\" administrative privileges"
fi
else
textPass "No custom policies found"
fi
}

29
checks/check29 Normal file
View File

@@ -0,0 +1,29 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (c) by Toni de la Fuente
#
# This Prowler check is licensed under a
# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
#
# You should have received a copy of the license along with this
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
CHECK_ID_check29="2.9,2.09"
CHECK_TITLE_check29="[check29] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
CHECK_SCORED_check29="SCORED"
CHECK_TYPE_check29="LEVEL2"
CHECK_ALTERNATE_check209="check29"
check29(){
# "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
for regx in $REGIONS; do
CHECK_FL=$($AWSCLI ec2 describe-flow-logs $PROFILE_OPT --region $regx --query 'FlowLogs[?FlowLogStatus==`ACTIVE`].LogGroupName' --output text)
if [[ $CHECK_FL ]];then
for FL in $CHECK_FL;do
textPass "VPCFlowLog is enabled for LogGroupName: $FL in Region $regx" "$regx"
done
else
textFail "No VPCFlowLog has been found in Region $regx" "$regx"
fi
done
}

51
checks/check315
View File

@@ -1,51 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (c) by Toni de la Fuente
#
# This Prowler check is licensed under a
# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
#
# You should have received a copy of the license along with this
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
CHECK_ID_check315="3.15"
CHECK_TITLE_check315="[check315] Ensure appropriate subscribers to each SNS topic (Not Scored)"
CHECK_SCORED_check315="NOT_SCORED"
CHECK_TYPE_check315="LEVEL1"
CHECK_ALTERNATE_check315="check315"
check315(){
# "Ensure appropriate subscribers to each SNS topic (Not Scored)"
CAN_SNS_LIST_SUBS=1
for regx in $REGIONS; do
TOPICS_LIST=$($AWSCLI sns list-topics $PROFILE_OPT --region $regx --output text --query 'Topics[*].TopicArn')
ntopics=$(echo $TOPICS_LIST | wc -w )
if [[ $TOPICS_LIST && $CAN_SNS_LIST_SUBS -eq 1 ]];then
textInfo "Region $regx has $ntopics topics" "$regx"
for topic in $TOPICS_LIST; do
TOPIC_SHORT=$(echo $topic | awk -F: '{ print $6 }')
CHECK_TOPIC_LIST=$($AWSCLI sns list-subscriptions-by-topic --topic-arn $topic $PROFILE_OPT --region $regx --query 'Subscriptions[*].{Endpoint:Endpoint,Protocol:Protocol}' --output text --max-items $MAXITEMS 2> /dev/null)
if [[ $? -eq 255 ]]; then
# Permission error
export CAN_SNS_LIST_SUBS=0
ntopics=$(echo $TOPICS_LIST | wc -w )
textInfo "Region $regx / $ntopics Topics / Subscriptions NO_PERMISSION" "$regx"
break;
fi
if [[ "Z" != "Z${CHECK_TOPIC_LIST}" ]]; then
printf '%s
' "$CHECK_TOPIC_LIST" | while IFS= read -r dest ; do
textInfo "Region $regx / Topic $TOPIC_SHORT / Subscription $dest" "$regx"
done
else
textFail "Region $regx / Topic $TOPIC_SHORT / Subscription NONE" "$regx"
fi
done
elif [[ $CAN_SNS_LIST_SUBS -eq 0 ]]; then
textInfo "Region $regx has $ntopics topics - unable to list subscribers" "$regx"
# break
else
textPass "Region $regx has 0 topics" "$regx"
fi
done
}

14
checks/check43
View File

@@ -9,21 +9,19 @@
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
CHECK_ID_check43="4.3,4.03"
CHECK_TITLE_check43="[check43] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
CHECK_TITLE_check43="[check43] Ensure the default security group of every VPC restricts all traffic (Scored)"
CHECK_SCORED_check43="SCORED"
CHECK_TYPE_check43="LEVEL2"
CHECK_ALTERNATE_check403="check43"
check43(){
# "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
# "Ensure the default security group of every VPC restricts all traffic (Scored)"
for regx in $REGIONS; do
CHECK_FL=$($AWSCLI ec2 describe-flow-logs $PROFILE_OPT --region $regx --query 'FlowLogs[?FlowLogStatus==`ACTIVE`].LogGroupName' --output text)
if [[ $CHECK_FL ]];then
for FL in $CHECK_FL;do
textPass "VPCFlowLog is enabled for LogGroupName: $FL in Region $regx" "$regx"
done
CHECK_SGDEFAULT=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |grep 0.0.0.0)
if [[ $CHECK_SGDEFAULT ]];then
textFail "Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region $regx" "$regx"
else
textFail "No VPCFlowLog has been found in Region $regx" "$regx"
textPass "No Default Security Groups open to 0.0.0.0 found in Region $regx" "$regx"
fi
done
}

21
checks/check44
View File

@@ -9,19 +9,26 @@
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
CHECK_ID_check44="4.4,4.04"
CHECK_TITLE_check44="[check44] Ensure the default security group of every VPC restricts all traffic (Scored)"
CHECK_SCORED_check44="SCORED"
CHECK_TITLE_check44="[check44] Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
CHECK_SCORED_check44="NOT_SCORED"
CHECK_TYPE_check44="LEVEL2"
CHECK_ALTERNATE_check404="check44"
check44(){
# "Ensure the default security group of every VPC restricts all traffic (Scored)"
# "Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
textInfo "Looking for VPC peering in all regions... "
for regx in $REGIONS; do
CHECK_SGDEFAULT=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |grep 0.0.0.0)
if [[ $CHECK_SGDEFAULT ]];then
textFail "Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region $regx" "$regx"
LIST_OF_VPCS_PEERING_CONNECTIONS=$($AWSCLI ec2 describe-vpc-peering-connections --output text $PROFILE_OPT --region $regx --query 'VpcPeeringConnections[*].VpcPeeringConnectionId')
if [[ $LIST_OF_VPCS_PEERING_CONNECTIONS ]];then
textInfo "$regx: $LIST_OF_VPCS_PEERING_CONNECTIONS - review routing tables" "$regx"
#LIST_OF_VPCS=$($AWSCLI ec2 describe-vpcs $PROFILE_OPT --region $regx --query 'Vpcs[*].VpcId' --output text)
#aws ec2 describe-route-tables --filter "Name=vpc-id,Values=vpc-0213e864" --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}" $PROFILE_OPT --region $regx
# for vpc in $LIST_OF_VPCS; do
# VPCS_WITH_PEERING=$($AWSCLI ec2 describe-route-tables --filter "Name=vpc-id,Values=$vpc" $PROFILE_OPT --region $regx --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}" |grep GatewayId|grep pcx-)
# done
#echo $VPCS_WITH_PEERING
else
textPass "No Default Security Groups open to 0.0.0.0 found in Region $regx" "$regx"
textPass "$regx: No VPC peering found" "$regx"
fi
done
}

34
checks/check45
View File

@@ -1,34 +0,0 @@
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (c) by Toni de la Fuente
#
# This Prowler check is licensed under a
# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
#
# You should have received a copy of the license along with this
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
CHECK_ID_check45="4.5,4.05"
CHECK_TITLE_check45="[check45] Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
CHECK_SCORED_check45="NOT_SCORED"
CHECK_TYPE_check45="LEVEL2"
CHECK_ALTERNATE_check405="check45"
check45(){
# "Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
textInfo "Looking for VPC peering in all regions... "
for regx in $REGIONS; do
LIST_OF_VPCS_PEERING_CONNECTIONS=$($AWSCLI ec2 describe-vpc-peering-connections --output text $PROFILE_OPT --region $regx --query 'VpcPeeringConnections[*].VpcPeeringConnectionId')
if [[ $LIST_OF_VPCS_PEERING_CONNECTIONS ]];then
textInfo "$regx: $LIST_OF_VPCS_PEERING_CONNECTIONS - review routing tables" "$regx"
#LIST_OF_VPCS=$($AWSCLI ec2 describe-vpcs $PROFILE_OPT --region $regx --query 'Vpcs[*].VpcId' --output text)
#aws ec2 describe-route-tables --filter "Name=vpc-id,Values=vpc-0213e864" --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}" $PROFILE_OPT --region $regx
# for vpc in $LIST_OF_VPCS; do
# VPCS_WITH_PEERING=$($AWSCLI ec2 describe-route-tables --filter "Name=vpc-id,Values=$vpc" $PROFILE_OPT --region $regx --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}" |grep GatewayId|grep pcx-)
# done
#echo $VPCS_WITH_PEERING
else
textPass "$regx: No VPC peering found" "$regx"
fi
done
}

2
groups/group1_iam
View File

@@ -12,4 +12,4 @@ GROUP_ID[1]='group1'
GROUP_NUMBER[1]='1.0'
GROUP_TITLE[1]='Identity and Access Management - [group1] **********************'
GROUP_RUN_BY_DEFAULT[1]='Y' # run it when execute_all is called
GROUP_CHECKS[1]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check123,check124'
GROUP_CHECKS[1]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122'

2
groups/group2_logging
View File

@@ -12,4 +12,4 @@ GROUP_ID[2]='group2'
GROUP_NUMBER[2]='2.0'
GROUP_TITLE[2]='Logging - [group2] *********************************************'
GROUP_RUN_BY_DEFAULT[2]='Y' # run it when execute_all is called
GROUP_CHECKS[2]='check21,check22,check23,check24,check25,check26,check27,check28'
GROUP_CHECKS[2]='check21,check22,check23,check24,check25,check26,check27,check28,check29'

2
groups/group3_monitoring
View File

@@ -12,4 +12,4 @@ GROUP_ID[3]='group3'
GROUP_NUMBER[3]='3.0'
GROUP_TITLE[3]='Monitoring - [group3] ******************************************'
GROUP_RUN_BY_DEFAULT[3]='Y' # run it when execute_all is called
GROUP_CHECKS[3]='check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check315'
GROUP_CHECKS[3]='check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314'

2
groups/group4_networking
View File

@@ -12,4 +12,4 @@ GROUP_ID[4]='group4'
GROUP_NUMBER[4]='4.0'
GROUP_TITLE[4]='Networking - [group4] ******************************************'
GROUP_RUN_BY_DEFAULT[4]='Y' # run it when execute_all is called
GROUP_CHECKS[4]='check41,check42,check43,check44,check45'
GROUP_CHECKS[4]='check41,check42,check43,check44'

2
groups/group5_cislevel1
View File

@@ -12,4 +12,4 @@ GROUP_ID[5]='cislevel1'
GROUP_NUMBER[5]='5.0'
GROUP_TITLE[5]='CIS Level 1 - [cislevel1] **************************************'
GROUP_RUN_BY_DEFAULT[5]='N' # run it when execute_all is called
GROUP_CHECKS[5]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check115,check116,check117,check118,check119,check120,check122,check123,check124,check21,check23,check24,check25,check26,check31,check32,check33,check34,check35,check38,check312,check313,check314,check315,check41,check42'
GROUP_CHECKS[5]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check115,check116,check117,check118,check119,check120,check122,check21,check23,check24,check25,check26,check31,check32,check33,check34,check35,check38,check312,check313,check314,check315,check41,check42'

2
groups/group6_cislevel2
View File

@@ -12,4 +12,4 @@ GROUP_ID[6]='cislevel2'
GROUP_NUMBER[6]='6.0'
GROUP_TITLE[6]='CIS Level 2 - [cislevel2] **************************************'
GROUP_RUN_BY_DEFAULT[6]='N' # run it when execute_all is called
GROUP_CHECKS[6]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check123,check124,check21,check22,check23,check24,check25,check26,check27,check28,check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check315,check41,check42,check43,check44,check45'
GROUP_CHECKS[6]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check21,check22,check23,check24,check25,check26,check27,check28,check29,check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check41,check42,check43,check44'

2
groups/group8_forensics
View File

@@ -15,4 +15,4 @@ GROUP_ID[8]='forensics-ready'
GROUP_NUMBER[8]='8.0'
GROUP_TITLE[8]='Forensics Readiness - [forensics-ready] ************************'
GROUP_RUN_BY_DEFAULT[8]='N' # run it when execute_all is called
GROUP_CHECKS[8]='check21,check22,check23,check24,check25,check26,check27,check43,extra712,extra713,extra714,extra715,extra717,extra718,extra719,extra720,extra721,extra722,extra725'
GROUP_CHECKS[8]='check21,check22,check23,check24,check25,check26,check27,check29,extra712,extra713,extra714,extra715,extra717,extra718,extra719,extra720,extra721,extra722,extra725'