Merge pull request #155 from sidewinder12s/extra-check-79

added extra79 to check for internet facing ELBs.
This commit is contained in:
Toni de la Fuente
2018-02-01 12:41:03 -05:00
committed by GitHub
2 changed files with 25 additions and 3 deletions


@@ -24,7 +24,7 @@ It covers hardening and security best practices for all AWS regions related to:
- Logging (8 checks) - Logging (8 checks)
- Monitoring (15 checks) - Monitoring (15 checks)
- Networking (5 checks) - Networking (5 checks)
- Extras (8 checks) *see Extras section - Extras (9 checks) *see Extras section
For a comprehesive list and resolution look at the guide on the link above. For a comprehesive list and resolution look at the guide on the link above.
@@ -578,7 +578,7 @@ The `aws iam create-access-key` command will output the secret access key and th
## Extras ## Extras
We are adding additional checks to improve the information gather from each account, these checks are out of the scope of the CIS benchmark for AWS but we consider them very helpful to get to know each AWS account set up and find issues on it. We are adding additional checks to improve the information gather from each account, these checks are out of the scope of the CIS benchmark for AWS but we consider them very helpful to get to know each AWS account set up and find issues on it.
At this moment we have 8 extra checks: At this moment we have 9 extra checks:
- 7.1 (`extra71`) Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark) - 7.1 (`extra71`) Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)
- 7.2 (`extra72`) Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark) - 7.2 (`extra72`) Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)
@@ -588,6 +588,7 @@ At this moment we have 8 extra checks:
- 7.6 (`extra76`) Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark) - 7.6 (`extra76`) Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)
- 7.7 (`extra77`) Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark) - 7.7 (`extra77`) Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)
- 7.8 (`extra78`) Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark) - 7.8 (`extra78`) Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)
- 7.9 (`extra79`) Check for internet accessible Elastic Load Blancers (Not Scored) (Not part of CIS benchmark)
To check all extras in one command: To check all extras in one command:
``` ```

23
prowler

@@ -480,6 +480,8 @@ ID77="7.7,7.07"
TITLE77="Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)" TITLE77="Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)"
ID78="7.8,7.08" ID78="7.8,7.08"
TITLE78="Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)" TITLE78="Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)"
ID79="7.9,7.09"
TITLE79="Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)"
printCsvHeader() { printCsvHeader() {
@@ -1767,6 +1769,22 @@ extra78(){
done done
} }
extra79(){
# "Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)"
textTitle "$ID79" "$TITLE79" "NOT_SCORED" "EXTRA"
textNotice "Looking for Elastic Load Balancers in all regions... "
for regx in $REGIONS; do
LIST_OF_PUBLIC_ELBS=$($AWSCLI elb describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancerDescriptions[?Scheme == `internet-facing`].LoadBalancerName' --output text)
if [[ $LIST_OF_PUBLIC_ELBS ]];then
for elb in $(echo $LIST_OF_PUBLIC_ELBS);do
textWarn "$regx: ELB: $elb is internet-facing!" "$regx"
done
else
textOK "$regx: no Internet Facing ELBs found" "$regx"
fi
done
}
callCheck(){ callCheck(){
if [[ $CHECKNUMBER ]];then if [[ $CHECKNUMBER ]];then
case "$CHECKNUMBER" in case "$CHECKNUMBER" in
@@ -1830,6 +1848,7 @@ callCheck(){
extra76|extra706 ) extra76;; extra76|extra706 ) extra76;;
extra77|extra707 ) extra77;; extra77|extra707 ) extra77;;
extra78|extra708 ) extra78;; extra78|extra708 ) extra78;;
extra79|extra709 ) extra79;;
## Groups of Checks ## Groups of Checks
check1 ) check1 )
@@ -1865,7 +1884,7 @@ callCheck(){
check43;check44;check45 check43;check44;check45
;; ;;
extras ) extras )
extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78 extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78;extra79
;; ;;
* ) * )
textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n"; textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";
@@ -1944,6 +1963,7 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then
textTitle "$ID76" "$TITLE76" "NOT_SCORED" "EXTRA" textTitle "$ID76" "$TITLE76" "NOT_SCORED" "EXTRA"
textTitle "$ID77" "$TITLE77" "NOT_SCORED" "EXTRA" textTitle "$ID77" "$TITLE77" "NOT_SCORED" "EXTRA"
textTitle "$ID78" "$TITLE78" "NOT_SCORED" "EXTRA" textTitle "$ID78" "$TITLE78" "NOT_SCORED" "EXTRA"
textTitle "$ID79" "$TITLE79" "NOT_SCORED" "EXTRA"
exit $EXITCODE exit $EXITCODE
fi fi
@@ -2028,6 +2048,7 @@ extra75
extra76 extra76
extra77 extra77
extra78 extra78
extra79
cleanTemp cleanTemp
exit $EXITCODE exit $EXITCODE
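Review bot: A failed `describe-load-balancers` call in extra79 is reported as a pass: if the CLI on the `LIST_OF_PUBLIC_ELBS=` line errors (missing `elasticloadbalancing:DescribeLoadBalancers` permission, a region the account cannot reach), stdout is empty, the `if [[ $LIST_OF_PUBLIC_ELBS ]]` test falls to the `else` branch and the report prints `no Internet Facing ELBs found`, so the exit status should be captured and surfaced with `textWarn` instead (the sibling extra7x checks appear to share this shape, so a common fix may be preferable). The check also queries only the Classic `elb` API; Application and Network load balancers live behind `elbv2 describe-load-balancers` with `LoadBalancers[...]` in place of `LoadBalancerDescriptions[...]`, and without that second query an internet-facing ALB/NLB is never flagged despite the "Elastic Load Balancers" title. Since an internet-facing scheme is frequently by design, a comment above the loop such as `# informational: internet-facing is often intentional — review each hit against the expected exposure` would set reader expectations for the WARN lines. Separately, the README entry added in the same commit spells the name "Blancers" and says "internet accessible" where TITLE79 says "internet facing".
```shell
for regx in $REGIONS; do
  # A failed API call must not read as "no public ELBs": keep the exit status.
  LIST_OF_PUBLIC_ELBS=$($AWSCLI elb describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancerDescriptions[?Scheme == `internet-facing`].LoadBalancerName' --output text)
  ELB_RC=$?
  # ALB/NLB are served by the elbv2 API and would otherwise be missed entirely.
  LIST_OF_PUBLIC_ELBSV2=$($AWSCLI elbv2 describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancers[?Scheme == `internet-facing`].LoadBalancerName' --output text)
  ELBV2_RC=$?
  if [[ $ELB_RC -ne 0 || $ELBV2_RC -ne 0 ]]; then
    textWarn "$regx: unable to list load balancers (API error or missing permission)" "$regx"
    continue
  fi
  # … unchanged: textWarn per name in $LIST_OF_PUBLIC_ELBS $LIST_OF_PUBLIC_ELBSV2, else textOK …
done
```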