diff --git a/prowler b/prowler index af3d7187..63b97be9 100755 --- a/prowler +++ b/prowler @@ -364,12 +364,12 @@ check13(){ if [ $HOWOLDER -gt "90" ];then echo " $BAD WARNING! User \"$i\" has not logged in during the last 90 days $NORMAL" else - echo " $OK OK! $NORMAL User \"$i\" found with credentials used in the last 90 days" + echo text_ok "User \"$i\" found with credentials used in the last 90 days" fi done fi else - echo " $OK OK! $NORMAL No users found with password enabled" + text_ok "No users found with password enabled" fi } @@ -694,7 +694,7 @@ check21(){ if [[ $MULTIREGION_TRAIL_STATUS == 'False' ]];then echo -e " $BAD WARNING! $trail trail in $REGION is not enabled in multi region mode$NORMAL" else - text_ok " $trail trail in $REGION is enabled for all regions" + text_ok "$trail trail in $REGION is enabled for all regions" fi done else @@ -712,7 +712,7 @@ check22(){ if [[ $LOGFILEVALIDATION_TRAIL_STATUS == 'False' ]];then echo -e " $BAD WARNING! $trail trail in $REGION has not log file validation enabled$NORMAL" else - text_ok " $trail trail in $REGION has log file validation enabled" + text_ok "$trail trail in $REGION has log file validation enabled" fi done else @@ -730,7 +730,7 @@ check23(){ if [[ $CLOUDTRAILBUCKET_HASALLPERMISIONS ]];then echo -e " $BAD WARNING! check your $bucket CloudTrail bucket ACL and Policy!$NORMAL" else - text_ok " Bucket $bucket is set correctly" + text_ok "Bucket $bucket is set correctly" fi done else @@ -755,7 +755,7 @@ check24(){ if [ $HOWOLDER -gt "1" ];then echo -e " $BAD WARNING! $trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)$NORMAL" else - text_ok " $trail trail has been logging during the last 24h (it is in $TRAIL_REGION)" + text_ok "$trail trail has been logging during the last 24h (it is in $TRAIL_REGION)" fi fi done @@ -770,7 +770,7 @@ check25(){ for regx in $REGIONS; do CHECK_AWSCONFIG_STATUS=$($AWSCLI configservice get-status --profile $PROFILE --region $regx | grep "recorder: ON") if [[ $CHECK_AWSCONFIG_STATUS ]];then - text_ok " Region $regx has AWS Config recorder: ON " + text_ok "Region $regx has AWS Config recorder: ON " else echo -e " $BAD WARNING! Region $regx has AWS Config disabled or not configured$NORMAL" fi @@ -785,7 +785,7 @@ check26(){ for bucket in $CLOUDTRAILBUCKET;do CLOUDTRAILBUCKET_LOGENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket --profile $PROFILE --region $REGION --query 'LoggingEnabled.TargetBucket' --output text|grep -v None) if [[ $CLOUDTRAILBUCKET_LOGENABLED ]];then - text_ok " It is enabled in $bucket" + text_ok "Bucket access logging enabled in $bucket" else echo -e " $BAD WARNING! access logging is not enabled in $bucket CloudTrail S3 bucket!$NORMAL" fi @@ -803,7 +803,7 @@ check27(){ for trail in $CLOUDTRAILNAME;do CLOUDTRAILENC_ENABLED=$($AWSCLI cloudtrail describe-trails --profile $PROFILE --region $REGION --trail $trail --query 'trailList[*].KmsKeyId' --output text) if [[ $CLOUDTRAILENC_ENABLED ]];then - text_ok " KMS key found for $trail" + text_ok "KMS key found for $trail" else echo -e " $BAD WARNING! encryption is not enabled in your CloudTrail trail $trail, KMS key not found!$NORMAL" fi @@ -823,12 +823,12 @@ check28(){ for key in $CHECK_KMS_KEYLIST_NO_DEFAULT; do CHECK_KMS_KEY_TYPE=$($AWSCLI kms describe-key --key-id $key --profile $PROFILE --region $regx --query 'KeyMetadata.Origin' | sed 's/["]//g') if [[ $CHECK_KMS_KEY_TYPE == "EXTERNAL" ]];then - text_ok " Key $key in Region $regx Customer Uploaded Key Material." + text_ok "Key $key in Region $regx Customer Uploaded Key Material." else CHECK_KMS_KEY_ROTATION=$($AWSCLI kms get-key-rotation-status --key-id $key --profile $PROFILE --region $regx --output text) #CHECK_KMS_DEFAULT_KEY=$($AWSCLI kms describe-key --key-id $key --profile $PROFILE --region $regx --query 'KeyMetadata.Description' | sed -n '/Default master key that protects my ACM private keys when no other key is defined /p'|| echo "False") if [[ $CHECK_KMS_KEY_ROTATION == "True" ]];then - text_ok " Key $key in Region $regx is set correctly" + text_ok "Key $key in Region $regx is set correctly" elif [[ $CHECK_KMS_KEY_ROTATION == "False" && $CHECK_KMS_DEFAULT_KEY ]];then echo -e " $NOTICE Region $regx key $key is an AWS default master key and cannot be deleted nor modified.$NORMAL" else @@ -850,7 +850,7 @@ check31(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep AccessDenied) if [[ $METRICFILTER_SET ]];then - text_ok " CloudWatch group found, and metric filters for Access Denied enabled" + text_ok "CloudWatch group found, and metric filters for Access Denied enabled" else echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi @@ -866,7 +866,7 @@ check32(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'userIdentity.sessionContext.attributes.mfaAuthenticated.*true') if [[ $METRICFILTER_SET ]];then - text_ok " CloudWatch group found, and metric filters for sign-in Console without MFA enabled" + text_ok "CloudWatch group found, and metric filters for sign-in Console without MFA enabled" else echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi @@ -882,7 +882,7 @@ check33(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION |grep -E 'userIdentity.*Root.*AwsServiceEvent') if [[ $METRICFILTER_SET ]];then - text_ok " CloudWatch group found, and metric filters for usage of root account enabled" + text_ok "CloudWatch group found, and metric filters for usage of root account enabled" else echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi @@ -898,7 +898,7 @@ check34(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'DeleteGroupPolicy.*DeleteRolePolicy.*DeleteUserPolicy.*PutGroupPolicy.*PutRolePolicy.*PutUserPolicy.*CreatePolicy.*DeletePolicy.*CreatePolicyVersion.*DeletePolicyVersion.*AttachRolePolicy.*DetachRolePolicy.*AttachUserPolicy.*DetachUserPolicy.*AttachGroupPolicy.*DetachGroupPolicy') if [[ $METRICFILTER_SET ]];then - text_ok " CloudWatch group found, and metric filters for IAM policy changes enabled" + text_ok "CloudWatch group found, and metric filters for IAM policy changes enabled" else echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi @@ -914,7 +914,7 @@ check35(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateTrail.*UpdateTrail.*DeleteTrail.*StartLogging.*StopLogging') if [[ $METRICFILTER_SET ]];then - text_ok " CloudWatch group found, and metric filters for CloudTrail configuration changes enabled" + text_ok "CloudWatch group found, and metric filters for CloudTrail configuration changes enabled" else echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi @@ -930,7 +930,7 @@ check36(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'ConsoleLogin.*Failed') if [[ $METRICFILTER_SET ]];then - text_ok " CloudWatch group found, and metric filters for usage of root account enabled" + text_ok "CloudWatch group found, and metric filters for usage of root account enabled" else echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi @@ -946,7 +946,7 @@ check37(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'kms.amazonaws.com.*DisableKey.*ScheduleKeyDeletion') if [[ $METRICFILTER_SET ]];then - text_ok " CloudWatch group found, and metric filters enabled" + text_ok "CloudWatch group found, and metric filters enabled" else echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi @@ -962,7 +962,7 @@ check38(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 's3.amazonaws.com.*PutBucketAcl.*PutBucketPolicy.*PutBucketCors.*PutBucketLifecycle.*PutBucketReplication.*DeleteBucketPolicy.*DeleteBucketCors.*DeleteBucketLifecycle.*DeleteBucketReplication') if [[ $METRICFILTER_SET ]];then - text_ok " CloudWatch group found, and metric filters enabled" + text_ok "CloudWatch group found, and metric filters enabled" else echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi @@ -978,7 +978,7 @@ check39(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'config.amazonaws.com.*StopConfigurationRecorder.*DeleteDeliveryChannel.*PutDeliveryChannel.*PutConfigurationRecorder') if [[ $METRICFILTER_SET ]];then - text_ok " CloudWatch group found, and metric filters enabled" + text_ok "CloudWatch group found, and metric filters enabled" else echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi @@ -994,7 +994,7 @@ check310(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'AuthorizeSecurityGroupIngress.*AuthorizeSecurityGroupEgress.*RevokeSecurityGroupIngress.*RevokeSecurityGroupEgress.*CreateSecurityGroup.*DeleteSecurityGroup') if [[ $METRICFILTER_SET ]];then - text_ok " CloudWatch group found, and metric filters enabled" + text_ok "CloudWatch group found, and metric filters enabled" else echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi @@ -1010,7 +1010,7 @@ check311(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateNetworkAcl.*CreateNetworkAclEntry.*DeleteNetworkAcl.*DeleteNetworkAclEntry.*ReplaceNetworkAclEntry.*ReplaceNetworkAclAssociation') if [[ $METRICFILTER_SET ]];then - text_ok " CloudWatch group found, and metric filters enabled" + text_ok "CloudWatch group found, and metric filters enabled" else echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi @@ -1026,7 +1026,7 @@ check312(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateCustomerGateway.*DeleteCustomerGateway.*AttachInternetGateway.*CreateInternetGateway.*DeleteInternetGateway.*DetachInternetGateway') if [[ $METRICFILTER_SET ]];then - text_ok " CloudWatch group found, and metric filters enabled" + text_ok "CloudWatch group found, and metric filters enabled" else echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi @@ -1042,7 +1042,7 @@ check313(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateRoute.*CreateRouteTable.*ReplaceRoute.*ReplaceRouteTableAssociation.*DeleteRouteTable.*DeleteRoute.*DisassociateRouteTable') if [[ $METRICFILTER_SET ]];then - text_ok " CloudWatch group found, and metric filters enabled" + text_ok "CloudWatch group found, and metric filters enabled" else echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi @@ -1058,7 +1058,7 @@ check314(){ if [[ $CLOUDWATCH_GROUP ]];then METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP --profile $PROFILE --region $REGION --query 'metricFilters' | grep -E 'CreateVpc.*DeleteVpc.*ModifyVpcAttribute.*AcceptVpcPeeringConnection.*CreateVpcPeeringConnection.*DeleteVpcPeeringConnection.*RejectVpcPeeringConnection.*AttachClassicLinkVpc.*DetachClassicLinkVpc.*DisableVpcClassicLink.*EnableVpcClassicLink') if [[ $METRICFILTER_SET ]];then - text_ok " CloudWatch group found, and metric filters enabled" + text_ok "CloudWatch group found, and metric filters enabled" else echo -e " $BAD WARNING! CloudWatch group found, but no metric filters or alarms associated$NORMAL" fi @@ -1100,7 +1100,7 @@ check41(){ echo -e " $BAD WARNING! Found Security Group: $SG open to 0.0.0.0/0 in Region $regx $NORMAL " done else - text_ok " No Security Groups found in $regx with port 22 TCP open to 0.0.0.0/0 " + text_ok "No Security Groups found in $regx with port 22 TCP open to 0.0.0.0/0 " fi done } @@ -1115,7 +1115,7 @@ check42(){ echo -e " $BAD WARNING! Found Security Group: $SG open to 0.0.0.0/0 in Region $regx $NORMAL " done else - text_ok " No Security Groups found in $regx with port 3389 TCP open to 0.0.0.0/0 " + text_ok "No Security Groups found in $regx with port 3389 TCP open to 0.0.0.0/0 " fi done } @@ -1127,7 +1127,7 @@ check43(){ CHECK_FL=$($AWSCLI ec2 describe-flow-logs --profile $PROFILE --region $regx --query 'FlowLogs[?FlowLogStatus==`ACTIVE`].LogGroupName' --output text) if [[ $CHECK_FL ]];then for FL in $CHECK_FL;do - text_ok " VPCFlowLog is enabled for LogGroupName: $FL in Region $regx " + text_ok "VPCFlowLog is enabled for LogGroupName: $FL in Region $regx " done else echo -e " $BAD WARNING! No VPCFlowLog has been found in Region $regx $NORMAL " @@ -1143,7 +1143,7 @@ check44(){ if [[ $CHECK_SGDEFAULT ]];then echo -e " $BAD WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region $regx $NORMAL " else - text_ok " No Default Security Groups open to 0.0.0.0 found in Region $regx " + text_ok "No Default Security Groups open to 0.0.0.0 found in Region $regx " fi done } @@ -1164,7 +1164,7 @@ check45(){ # done #echo $VPCS_WITH_PEERING else - text_ok " $regx: No VPC peering found " + text_ok "$regx: No VPC peering found " fi done }