diff --git a/checks/check_extra71 b/checks/check_extra71
index 25e95cda..8667666b 100644
--- a/checks/check_extra71
+++ b/checks/check_extra71
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra71="7.1,7.01"
-CHECK_TITLE_extra71="[extra71] Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra71="[extra71] Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra71="NOT_SCORED"
 CHECK_TYPE_extra71="EXTRA"
 CHECK_ALTERNATE_extra701="extra71"
@@ -19,7 +19,7 @@ CHECK_ALTERNATE_check71="extra71"
 CHECK_ALTERNATE_check701="extra71"
 extra71(){
- # "Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
+ # "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
 ADMIN_GROUPS=''
 AWS_GROUPS=$($AWSCLI $PROFILE_OPT iam list-groups --output text --query 'Groups[].GroupName')
 for grp in $AWS_GROUPS; do
diff --git a/checks/check_extra713 b/checks/check_extra713
index 1fb60842..cb0f8d5d 100644
--- a/checks/check_extra713
+++ b/checks/check_extra713
@@ -19,7 +19,7 @@ CHECK_ALTERNATE_check713="extra713"
 extra713(){
 # "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
 for regx in $REGIONS; do
- LIST_OF_GUARDDUTY_DETECTORS=$($AWSCLI guardduty list-detectors $PROFILE_OPT --region $regx --output text |cut -f2)
+ LIST_OF_GUARDDUTY_DETECTORS=$($AWSCLI guardduty list-detectors $PROFILE_OPT --region $regx --output text 2> /dev/null | cut -f2)
 if [[ $LIST_OF_GUARDDUTY_DETECTORS ]];then
 while read -r detector;do
 DETECTOR_ENABLED=$($AWSCLI guardduty get-detector --detector-id $detector $PROFILE_OPT --region $regx --query "Status" --output text|grep ENABLED)
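Review bot: `2> /dev/null` on the new LIST_OF_GUARDDUTY_DETECTORS line discards the only signal that list-detectors failed, so an AccessDenied, throttling or region-not-available error leaves the variable empty and the check drops into the else branch — outside this hunk, but presumably the "GuardDuty not enabled" result — making an API error indistinguishable from a genuinely absent detector in the audit output. Keep stderr off the terminal by capturing it instead, test the command's exit status before piping into cut, and report the failure for that region rather than treating it as an empty list, as sketched below. textFail is used only because it is the helper visible on this page; an informational helper would be the better fit if the framework provides one. The surrounding for loop and its else branch continue past the hunk.
```shell
  for regx in $REGIONS; do
    if ! LIST_OF_GUARDDUTY_DETECTORS=$($AWSCLI guardduty list-detectors $PROFILE_OPT --region $regx --output text 2>&1); then
      textFail "$regx: guardduty list-detectors failed: $LIST_OF_GUARDDUTY_DETECTORS" "$regx"
      continue
    fi
    LIST_OF_GUARDDUTY_DETECTORS=$(cut -f2 <<<"$LIST_OF_GUARDDUTY_DETECTORS")
    # … unchanged: per-detector status loop …
```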
diff --git a/checks/check_extra741 b/checks/check_extra741
index 0618276e..fc48a852 100644
--- a/checks/check_extra741
+++ b/checks/check_extra741
@@ -27,10 +27,12 @@ extra741(){
 if [ -s $USERDATA_FILE ];then
 FILE_FORMAT_ASCII=$(file -b $USERDATA_FILE|grep ASCII)
 #FINDINGS=$(grep '[A-Za-z0-9]\{20,40\}' $USERDATA_FILE | grep -i -e key -e secret -e token -e pass - |wc -l|tr -d '\ ')
- FINDINGS=$(grep -i -e key -e secret -e token -e pass $USERDATA_FILE |wc -l|tr -d '\ ')
+ #FINDINGS=$(grep -i -e key -e secret -e token -e pass $USERDATA_FILE |wc -l|tr -d '\ ')
+ # This finds ftp or http URLs with credentials and common keywords
+ FINDINGS=$(egrep -i '[[:alpha:]]*://[[:alnum:]]*:[[:alnum:]]*@.*/|key|secret|token|pass' $USERDATA_FILE |wc -l|tr -d '\ ')
 if [[ $FILE_FORMAT_ASCII ]]; then
 if [[ $FINDINGS -eq 0 ]]; then
- textPass "$regx: Nothing found in $instance" "$regx"
+ textPass "$regx: No keys found in $instance" "$regx"
 # delete file if nothing interesting is there
 rm -f $USERDATA_FILE
 else
@@ -39,7 +41,7 @@ extra741(){
 else
 mv $USERDATA_FILE $USERDATA_FILE.gz ; gunzip $USERDATA_FILE.gz
 if [[ $FINDINGS -eq 0 ]]; then
- textPass "$regx: Nothing found in $instance" "$regx"
+ textPass "$regx: No keys found in $instance" "$regx"
 rm -f $USERDATA_FILE.gz
 else
 textFail "$regx: Found $FINDINGS keys in $instance! Check file $USERDATA_FILE" "$regx"
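Review bot: The credential-URL alternative in the new FINDINGS regex misses common forms: `[[:alnum:]]*` excludes `-`, `_`, `.` and `%` (URL-encoded passwords), and the trailing `.*/` demands a path after the host, so a line holding only `ftp://user:pass@host` is not counted. `[[:alpha:]]+://[^:@[:space:]]+:[^@[:space:]]+@` matches those while leaving the keyword alternatives as they are. `egrep` is deprecated in current GNU grep, so `grep -E -i` is the portable spelling of the same command, and `$USERDATA_FILE` should be quoted. Stacking a second commented-out FINDINGS line above the live one adds noise; git already keeps that history. extra741's body starts before and continues past the hunk.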