finish up first pass of conversion to text_ok for passed checks

Ben Allen
2017-06-26 10:30:33 -05:00
parent 408cc78499
commit 9bb8f0537a

60
prowler

@@ -364,12 +364,12 @@ check13(){
if [ $HOWOLDER -gt "90" ];then
echo " $BAD WARNING! User \"$i\" has not logged in during the last 90 days $NORMAL"
else
echo " $OK OK! $NORMAL User \"$i\" found with credentials used in the last 90 days"
echo text_ok "User \"$i\" found with credentials used in the last 90 days"
fi
done
fi
else
echo " $OK OK! $NORMAL No users found with password enabled"
text_ok "No users found with password enabled"
fi
}
@@ -694,7 +694,7 @@ check21(){
if [[ $MULTIREGION_TRAIL_STATUS == 'False' ]];then
echo -e " $BAD WARNING! $trail trail in $REGION is not enabled in multi region mode$NORMAL"
else
text_ok " $trail trail in $REGION is enabled for all regions"
text_ok "$trail trail in $REGION is enabled for all regions"
fi
done
else
@@ -712,7 +712,7 @@ check22(){
if [[ $LOGFILEVALIDATION_TRAIL_STATUS == 'False' ]];then
echo -e " $BAD WARNING! $trail trail in $REGION has not log file validation enabled$NORMAL"
else
text_ok " $trail trail in $REGION has log file validation enabled"
text_ok "$trail trail in $REGION has log file validation enabled"
fi
done
else
@@ -730,7 +730,7 @@ check23(){
if [[ $CLOUDTRAILBUCKET_HASALLPERMISIONS ]];then
echo -e " $BAD WARNING! check your $bucket CloudTrail bucket ACL and Policy!$NORMAL"
else
text_ok " Bucket $bucket is set correctly"
text_ok "Bucket $bucket is set correctly"
fi
done
else
@@ -755,7 +755,7 @@ check24(){
if [ $HOWOLDER -gt "1" ];then
echo -e " $BAD WARNING! $trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)$NORMAL"
else
text_ok " $trail trail has been logging during the last 24h (it is in $TRAIL_REGION)"
text_ok "$trail trail has been logging during the last 24h (it is in $TRAIL_REGION)"
fi
fi
done
@@ -770,7 +770,7 @@ check25(){
for regx in $REGIONS; do
CHECK_AWSCONFIG_STATUS=$($AWSCLI configservice get-status --profile $PROFILE --region $regx | grep "recorder: ON")
if [[ $CHECK_AWSCONFIG_STATUS ]];then
text_ok " Region $regx has AWS Config recorder: ON "
text_ok "Region $regx has AWS Config recorder: ON "
else
echo -e " $BAD WARNING! Region $regx has AWS Config disabled or not configured$NORMAL"
fi
@@ -785,7 +785,7 @@ check26(){
for bucket in $CLOUDTRAILBUCKET;do
CLOUDTRAILBUCKET_LOGENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket --profile $PROFILE --region $REGION --query 'LoggingEnabled.TargetBucket' --output text|grep -v None)
if [[ $CLOUDTRAILBUCKET_LOGENABLED ]];then
text_ok " It is enabled in $bucket"
text_ok "Bucket access logging enabled in $bucket"
else
echo -e " $BAD WARNING! access logging is not enabled in $bucket CloudTrail S3 bucket!$NORMAL"
fi
@@ -803,7 +803,7 @@ check27(){
for trail in $CLOUDTRAILNAME;do
CLOUDTRAILENC_ENABLED=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --trail $trail --query 'trailList[*].KmsKeyId' --output text)
if [[ $CLOUDTRAILENC_ENABLED ]];then
text_ok " KMS key found for $trail"
text_ok "KMS key found for $trail"
else
echo -e " $BAD WARNING! encryption is not enabled in your CloudTrail trail $trail, KMS key not found!$NORMAL"
fi
@@ -823,12 +823,12 @@ check28(){
for key in $CHECK_KMS_KEYLIST_NO_DEFAULT; do
CHECK_KMS_KEY_TYPE=$($AWSCLI kms describe-key --key-id $key --profile $PROFILE --region $regx --query 'KeyMetadata.Origin' | sed 's/["]//g')
if [[ $CHECK_KMS_KEY_TYPE == "EXTERNAL" ]];then
text_ok " Key $key in Region $regx Customer Uploaded Key Material."
text_ok "Key $key in Region $regx Customer Uploaded Key Material."
else
CHECK_KMS_KEY_ROTATION=$($AWSCLI kms get-key-rotation-status --key-id $key --profile $PROFILE --region $regx --output text)
#CHECK_KMS_DEFAULT_KEY=$($AWSCLI kms describe-key --key-id $key --profile $PROFILE --region $regx --query 'KeyMetadata.Description' | sed -n '/Default master key that protects my ACM private keys when no other key is defined /p'|| echo "False")
if [[ $CHECK_KMS_KEY_ROTATION == "True" ]];then
text_ok " Key $key in Region $regx is set correctly"
text_ok "Key $key in Region $regx is set correctly"
elif [[ $CHECK_KMS_KEY_ROTATION == "False" && $CHECK_KMS_DEFAULT_KEY ]];then
echo -e " $NOTICE Region $regx key $key is an AWS default master key and cannot be deleted nor modified.$NORMAL"
else
@@ -850,7 +850,7 @@ check31(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep AccessDenied)
if [[ $METRICFILTER_SET ]];then
text_ok " CloudWatch group found, and metric filters for Access Denied enabled"
text_ok "CloudWatch group found, and metric filters for Access Denied enabled"
else
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
@@ -866,7 +866,7 @@ check32(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'userIdentity.sessionContext.attributes.mfaAuthenticated.*true')
if [[ $METRICFILTER_SET ]];then
text_ok " CloudWatch group found, and metric filters for sign-in Console without MFA enabled"
text_ok "CloudWatch group found, and metric filters for sign-in Console without MFA enabled"
else
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
@@ -882,7 +882,7 @@ check33(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION |grep -E 'userIdentity.*Root.*AwsServiceEvent')
if [[ $METRICFILTER_SET ]];then
text_ok " CloudWatch group found, and metric filters for usage of root account enabled"
text_ok "CloudWatch group found, and metric filters for usage of root account enabled"
else
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
@@ -898,7 +898,7 @@ check34(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'DeleteGroupPolicy.*DeleteRolePolicy.*DeleteUserPolicy.*PutGroupPolicy.*PutRolePolicy.*PutUserPolicy.*CreatePolicy.*DeletePolicy.*CreatePolicyVersion.*DeletePolicyVersion.*AttachRolePolicy.*DetachRolePolicy.*AttachUserPolicy.*DetachUserPolicy.*AttachGroupPolicy.*DetachGroupPolicy')
if [[ $METRICFILTER_SET ]];then
text_ok " CloudWatch group found, and metric filters for IAM policy changes enabled"
text_ok "CloudWatch group found, and metric filters for IAM policy changes enabled"
else
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
@@ -914,7 +914,7 @@ check35(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateTrail.*UpdateTrail.*DeleteTrail.*StartLogging.*StopLogging')
if [[ $METRICFILTER_SET ]];then
text_ok " CloudWatch group found, and metric filters for CloudTrail configuration changes enabled"
text_ok "CloudWatch group found, and metric filters for CloudTrail configuration changes enabled"
else
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
@@ -930,7 +930,7 @@ check36(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'ConsoleLogin.*Failed')
if [[ $METRICFILTER_SET ]];then
text_ok " CloudWatch group found, and metric filters for usage of root account enabled"
text_ok "CloudWatch group found, and metric filters for usage of root account enabled"
else
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
@@ -946,7 +946,7 @@ check37(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'kms.amazonaws.com.*DisableKey.*ScheduleKeyDeletion')
if [[ $METRICFILTER_SET ]];then
text_ok " CloudWatch group found, and metric filters enabled"
text_ok "CloudWatch group found, and metric filters enabled"
else
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
@@ -962,7 +962,7 @@ check38(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 's3.amazonaws.com.*PutBucketAcl.*PutBucketPolicy.*PutBucketCors.*PutBucketLifecycle.*PutBucketReplication.*DeleteBucketPolicy.*DeleteBucketCors.*DeleteBucketLifecycle.*DeleteBucketReplication')
if [[ $METRICFILTER_SET ]];then
text_ok " CloudWatch group found, and metric filters enabled"
text_ok "CloudWatch group found, and metric filters enabled"
else
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
@@ -978,7 +978,7 @@ check39(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'config.amazonaws.com.*StopConfigurationRecorder.*DeleteDeliveryChannel.*PutDeliveryChannel.*PutConfigurationRecorder')
if [[ $METRICFILTER_SET ]];then
text_ok " CloudWatch group found, and metric filters enabled"
text_ok "CloudWatch group found, and metric filters enabled"
else
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
@@ -994,7 +994,7 @@ check310(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'AuthorizeSecurityGroupIngress.*AuthorizeSecurityGroupEgress.*RevokeSecurityGroupIngress.*RevokeSecurityGroupEgress.*CreateSecurityGroup.*DeleteSecurityGroup')
if [[ $METRICFILTER_SET ]];then
text_ok " CloudWatch group found, and metric filters enabled"
text_ok "CloudWatch group found, and metric filters enabled"
else
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
@@ -1010,7 +1010,7 @@ check311(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateNetworkAcl.*CreateNetworkAclEntry.*DeleteNetworkAcl.*DeleteNetworkAclEntry.*ReplaceNetworkAclEntry.*ReplaceNetworkAclAssociation')
if [[ $METRICFILTER_SET ]];then
text_ok " CloudWatch group found, and metric filters enabled"
text_ok "CloudWatch group found, and metric filters enabled"
else
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
@@ -1026,7 +1026,7 @@ check312(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateCustomerGateway.*DeleteCustomerGateway.*AttachInternetGateway.*CreateInternetGateway.*DeleteInternetGateway.*DetachInternetGateway')
if [[ $METRICFILTER_SET ]];then
text_ok " CloudWatch group found, and metric filters enabled"
text_ok "CloudWatch group found, and metric filters enabled"
else
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
@@ -1042,7 +1042,7 @@ check313(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateRoute.*CreateRouteTable.*ReplaceRoute.*ReplaceRouteTableAssociation.*DeleteRouteTable.*DeleteRoute.*DisassociateRouteTable')
if [[ $METRICFILTER_SET ]];then
text_ok " CloudWatch group found, and metric filters enabled"
text_ok "CloudWatch group found, and metric filters enabled"
else
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
@@ -1058,7 +1058,7 @@ check314(){
if [[ $CLOUDWATCH_GROUP ]];then
METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateVpc.*DeleteVpc.*ModifyVpcAttribute.*AcceptVpcPeeringConnection.*CreateVpcPeeringConnection.*DeleteVpcPeeringConnection.*RejectVpcPeeringConnection.*AttachClassicLinkVpc.*DetachClassicLinkVpc.*DisableVpcClassicLink.*EnableVpcClassicLink')
if [[ $METRICFILTER_SET ]];then
text_ok " CloudWatch group found, and metric filters enabled"
text_ok "CloudWatch group found, and metric filters enabled"
else
echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL"
fi
@@ -1100,7 +1100,7 @@ check41(){
echo -e " $BAD WARNING! Found Security Group: $SG open to 0.0.0.0/0 in Region $regx $NORMAL "
done
else
text_ok " No Security Groups found in $regx with port 22 TCP open to 0.0.0.0/0 "
text_ok "No Security Groups found in $regx with port 22 TCP open to 0.0.0.0/0 "
fi
done
}
@@ -1115,7 +1115,7 @@ check42(){
echo -e " $BAD WARNING! Found Security Group: $SG open to 0.0.0.0/0 in Region $regx $NORMAL "
done
else
text_ok " No Security Groups found in $regx with port 3389 TCP open to 0.0.0.0/0 "
text_ok "No Security Groups found in $regx with port 3389 TCP open to 0.0.0.0/0 "
fi
done
}
@@ -1127,7 +1127,7 @@ check43(){
CHECK_FL=$($AWSCLI ec2 describe-flow-logs --profile $PROFILE --region $regx --query 'FlowLogs[?FlowLogStatus==`ACTIVE`].LogGroupName' --output text)
if [[ $CHECK_FL ]];then
for FL in $CHECK_FL;do
text_ok " VPCFlowLog is enabled for LogGroupName: $FL in Region $regx "
text_ok "VPCFlowLog is enabled for LogGroupName: $FL in Region $regx "
done
else
echo -e " $BAD WARNING! No VPCFlowLog has been found in Region $regx $NORMAL "
@@ -1143,7 +1143,7 @@ check44(){
if [[ $CHECK_SGDEFAULT ]];then
echo -e " $BAD WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region $regx $NORMAL "
else
text_ok " No Default Security Groups open to 0.0.0.0 found in Region $regx "
text_ok "No Default Security Groups open to 0.0.0.0 found in Region $regx "
fi
done
}
@@ -1164,7 +1164,7 @@ check45(){
# done
#echo $VPCS_WITH_PEERING
else
text_ok " $regx: No VPC peering found "
text_ok "$regx: No VPC peering found "
fi
done
}
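Review bot: In the check13 hunk the new line `echo text_ok "User \"$i\" found with credentials used in the last 90 days"` prints the literal word text_ok followed by the message instead of invoking the helper, so that pass result bypasses the text_ok path the commit is converting to; the fix is to drop the echo: `text_ok "User \"$i\" found with credentials used in the last 90 days"`. In the same hunk the else branch keeps both `echo " $OK OK! $NORMAL No users found with password enabled"` and the following `text_ok` call, which presumably reports the same result twice if text_ok also writes to the terminal — confirm against the helper, which is not in this diff. The check36 hunk's rewritten line still says "metric filters for usage of root account enabled" although that check greps for `ConsoleLogin.*Failed`, so a pass is reported under the wrong control name; `text_ok "CloudWatch group found, and metric filters for failed console logins enabled"` would describe what was actually verified. The start of check13 and the tail of check36 lie outside their hunks.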