ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

add extra71 check

Browse Source
This commit is contained in:
Ben Allen
2017-07-17 21:43:43 -05:00
parent c2b5ed17c2
commit bb1cb1e081
1 changed files with 43 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
prowler
View File

@@ -25,8 +25,6 @@
# set -vx # set -vx
# Exits if any error is found # Exits if any error is found
# set -e # set -e
# Enable set -x to see commands and debug
# set -x
OPTRED="" OPTRED=""
OPTNORMAL="" OPTNORMAL=""
@@ -312,10 +310,7 @@ textTitle(){
printCsvHeader() { printCsvHeader() {
>&2 echo "" >&2 echo ""
>&2 echo "" >&2 echo "Generating \"${SEP}\" delimited report on stdout for profile $PROFILE, account $ACCOUNT_NUM"
>&2 echo "Generating \"${SEP}\" delimited report on stdout; Diagnostics on stderr."
>&2 echo " Using Profile $PROFILE, Account $ACCOUNT_NUM"
>&2 echo ""
echo "PROFILE${SEP}ACCOUNT_NUM${SEP}REGION${SEP}TITLE_ID${SEP}RESULT${SEP}SCORED${SEP}TITLE_TEXT${SEP}NOTES" echo "PROFILE${SEP}ACCOUNT_NUM${SEP}REGION${SEP}TITLE_ID${SEP}RESULT${SEP}SCORED${SEP}TITLE_TEXT${SEP}NOTES"
} }
@@ -1366,6 +1361,41 @@ check45(){
done done
} }
extra71(){
# set -x
ID71="7.1"
TITLE71="Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
textTitle "$ID71" "$TITLE71" "0"
ADMIN_GROUPS=''
AWS_GROUPS=$($AWSCLI --profile $PROFILE iam list-groups --output text --query 'Groups[].GroupName')
for grp in $AWS_GROUPS; do
# aws --profile onlinetraining iam list-attached-group-policies --group-name Administrators --query 'AttachedPolicies[].PolicyArn' | grep 'arn:aws:iam::aws:policy/AdministratorAccess'
# list-attached-group-policies
CHECK_ADMIN_GROUP=$($AWSCLI --profile $PROFILE iam list-attached-group-policies --group-name $grp --output json --query 'AttachedPolicies[].PolicyArn' | grep 'arn:aws:iam::aws:policy/AdministratorAccess')
if [[ $CHECK_ADMIN_GROUP ]]; then
ADMIN_GROUPS="$ADMIN_GROUPS $grp"
textNotice "$grp group provides administrative access"
ADMIN_USERS=$($AWSCLI --profile $PROFILE iam get-group --group-name $grp --output json --query 'Users[].UserName' | grep '"' | cut -d'"' -f2 )
for auser in $ADMIN_USERS; do
# users in group are Administrators
# users
# check for user MFA device in credential report
USER_MFA_ENABLED=$( cat $TEMP_REPORT_FILE | grep "^$auser," | cut -d',' -f8)
if [[ "true" == $USER_MFA_ENABLED ]]; then
textOK "$auser / MFA Enabled / admin via group $grp"
else
textWarn "$auser / MFA DISABLED / admin via group $grp"
fi
done
else
textNotice "$grp group provides non-administrative access"
fi
done
# set +x
}
callCheck(){ callCheck(){
if [[ $CHECKNUMBER ]];then if [[ $CHECKNUMBER ]];then
case "$CHECKNUMBER" in case "$CHECKNUMBER" in
@@ -1421,6 +1451,8 @@ callCheck(){
check43 ) check43;; check43 ) check43;;
check44 ) check44;; check44 ) check44;;
check45 ) check45;; check45 ) check45;;
extra71 ) extra71;;
## Groups of Checks
check1 ) check1 )
check11;check12;check13;check14;check15;check16;check17;check18; check11;check12;check13;check14;check15;check16;check17;check18;
check19;check110;check111;check112;check113;check114;check115; check19;check110;check111;check112;check113;check114;check115;
@@ -1453,6 +1485,9 @@ callCheck(){
check310;check311;check312;check313;check314;check315;check41;check42; check310;check311;check312;check313;check314;check315;check41;check42;
check43;check44;check45 check43;check44;check45
;; ;;
extras )
extra71;
;;
* ) * )
textWarn "ERROR! Use a valid check name (i.e. check41)\n"; textWarn "ERROR! Use a valid check name (i.e. check41)\n";
esac esac
@@ -1468,10 +1503,11 @@ if [[ $MODE != "csv" ]]; then
prowlerBanner prowlerBanner
printCurrentDate printCurrentDate
printColorsCode printColorsCode
getWhoami
else else
getWhoami
printCsvHeader printCsvHeader
fi fi
getWhoami
genCredReport genCredReport
saveReport saveReport