From 7117399e14b794c5934ca11559c04e8c2ff94dca Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Tue, 5 Mar 2019 11:40:29 -0500
Subject: [PATCH 1/4] Added find creds in URL on extra741

---
 checks/check_extra741 | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/checks/check_extra741 b/checks/check_extra741
index 0618276e..fc48a852 100644
--- a/checks/check_extra741
+++ b/checks/check_extra741
@@ -27,10 +27,12 @@ extra741(){
 if [ -s $USERDATA_FILE ];then
 FILE_FORMAT_ASCII=$(file -b $USERDATA_FILE|grep ASCII)
 #FINDINGS=$(grep '[A-Za-z0-9]\{20,40\}' $USERDATA_FILE | grep -i -e key -e secret -e token -e pass - |wc -l|tr -d '\ ')
- FINDINGS=$(grep -i -e key -e secret -e token -e pass $USERDATA_FILE |wc -l|tr -d '\ ')
+ #FINDINGS=$(grep -i -e key -e secret -e token -e pass $USERDATA_FILE |wc -l|tr -d '\ ')
+ # This finds ftp or http URLs with credentials and common keywords
+ FINDINGS=$(egrep -i '[[:alpha:]]*://[[:alnum:]]*:[[:alnum:]]*@.*/|key|secret|token|pass' $USERDATA_FILE |wc -l|tr -d '\ ')
 if [[ $FILE_FORMAT_ASCII ]]; then
 if [[ $FINDINGS -eq 0 ]]; then
- textPass "$regx: Nothing found in $instance" "$regx"
+ textPass "$regx: No keys found in $instance" "$regx"
 # delete file if nothing interesting is there
 rm -f $USERDATA_FILE
 else
@@ -39,7 +41,7 @@ extra741(){
 else
 mv $USERDATA_FILE $USERDATA_FILE.gz ; gunzip $USERDATA_FILE.gz
 if [[ $FINDINGS -eq 0 ]]; then
- textPass "$regx: Nothing found in $instance" "$regx"
+ textPass "$regx: No keys found in $instance" "$regx"
 rm -f $USERDATA_FILE.gz
 else
 textFail "$regx: Found $FINDINGS keys in $instance! Check file $USERDATA_FILE" "$regx"

From b60d320622014ffd807c96e6b18b40c0ea9eb2ab Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 11 Mar 2019 22:09:12 -0400
Subject: [PATCH 2/4] Improved tittle to describe what extra71 does

---
 checks/check_extra71 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
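Review bot: The URL alternative in the new FINDINGS regex, `[[:alpha:]]*://[[:alnum:]]*:[[:alnum:]]*@.*/`, accepts only alphanumeric user and password parts and insists on a `/` somewhere after the `@`, so a user-data line such as `ftp://deploy:p%40ss@host` or `https://user:s3cr3t@host` (no path) is not counted, while every quantifier being `*` lets the degenerate `://:@/` match. A pattern like `[[:alpha:]]+://[^/:@[:space:]]+:[^@[:space:]]+@` covers credentials containing punctuation and URLs without a path; `egrep` is also deprecated in favour of `grep -E`, and `$USERDATA_FILE` should be quoted. The `wc -l` line count is reported as "keys" by the textPass/textFail messages in both hunks of this patch, although a hit may now be a URL or a bare keyword, so `No keys found` and `Found $FINDINGS keys` no longer describe what was matched. The superseded grep line could be deleted rather than kept commented out, and extra741's body continues outside both hunks.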
diff --git a/checks/check_extra71 b/checks/check_extra71
index 25e95cda..21e102cb 100644
--- a/checks/check_extra71
+++ b/checks/check_extra71
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra71="7.1,7.01"
-CHECK_TITLE_extra71="[extra71] Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra71="[extra71] Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra71="NOT_SCORED"
 CHECK_TYPE_extra71="EXTRA"
 CHECK_ALTERNATE_extra701="extra71"

From 6d15bb67fefb72c978f644e67b93f29676269fa3 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 11 Mar 2019 22:10:37 -0400
Subject: [PATCH 3/4] Fix issue #300

---
 checks/check_extra713 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/checks/check_extra713 b/checks/check_extra713
index 1fb60842..cb0f8d5d 100644
--- a/checks/check_extra713
+++ b/checks/check_extra713
@@ -19,7 +19,7 @@ CHECK_ALTERNATE_check713="extra713"
 extra713(){
 # "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
 for regx in $REGIONS; do
- LIST_OF_GUARDDUTY_DETECTORS=$($AWSCLI guardduty list-detectors $PROFILE_OPT --region $regx --output text |cut -f2)
+ LIST_OF_GUARDDUTY_DETECTORS=$($AWSCLI guardduty list-detectors $PROFILE_OPT --region $regx --output text 2> /dev/null | cut -f2)
 if [[ $LIST_OF_GUARDDUTY_DETECTORS ]];then
 while read -r detector;do
 DETECTOR_ENABLED=$($AWSCLI guardduty get-detector --detector-id $detector $PROFILE_OPT --region $regx --query "Status" --output text|grep ENABLED)

From c8cc343784dbcd163d0212d693dbb8c4bc630086 Mon Sep 17 00:00:00 2001
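Review bot: The `2> /dev/null` added to the list-detectors call in the check_extra713 hunk makes an API failure (a missing guardduty:ListDetectors permission, throttling, or a region that rejects the call) yield the same empty `LIST_OF_GUARDDUTY_DETECTORS` as a region with no detectors, so whatever the empty branch reports will be asserted for regions the script never actually inspected; this is the condition issue #300 presumably hit, and silencing stderr hides it rather than handling it. Keep the noise suppression but test the command's own status before trusting an empty result, e.g. `DETECTORS_RAW=$($AWSCLI guardduty list-detectors $PROFILE_OPT --region $regx --output text 2>/dev/null) || { textFail "$regx: could not list GuardDuty detectors" "$regx"; continue; }` followed by `LIST_OF_GUARDDUTY_DETECTORS=$(cut -f2 <<<"$DETECTORS_RAW")`. Splitting it this way also avoids the pipeline, whose exit status is otherwise that of `cut`, never of the AWS call. The `for regx` loop and the extra713 function body continue outside the hunk.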
From: Toni de la Fuente
Date: Mon, 11 Mar 2019 22:12:54 -0400
Subject: [PATCH 4/4] Fix issue #303

---
 checks/check_extra71 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/checks/check_extra71 b/checks/check_extra71
index 21e102cb..8667666b 100644
--- a/checks/check_extra71
+++ b/checks/check_extra71
@@ -19,7 +19,7 @@ CHECK_ALTERNATE_check71="extra71"
 CHECK_ALTERNATE_check701="extra71"
 extra71(){
- # "Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
+ # "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
 ADMIN_GROUPS=''
 AWS_GROUPS=$($AWSCLI $PROFILE_OPT iam list-groups --output text --query 'Groups[].GroupName')
 for grp in $AWS_GROUPS; do