mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 14:55:00 +00:00
added -l flag to show only a list of all checks
This commit is contained in:
Toni de la Fuente
@@ -131,6 +131,7 @@ USAGE:
|
|||||||
-M <mode> output mode: text (defalut), mono, csv (separator is ","; data is on stdout; progress on stderr)
|
-M <mode> output mode: text (defalut), mono, csv (separator is ","; data is on stdout; progress on stderr)
|
||||||
-k keep the credential report
|
-k keep the credential report
|
||||||
-n show check numbers to sort easier (i.e.: 1.01 instead of 1.1)
|
-n show check numbers to sort easier (i.e.: 1.01 instead of 1.1)
|
||||||
|
-l list all available checks only (does not perform any check)
|
||||||
-h this help
|
-h this help
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|||||||
386
prowler
386
prowler
@@ -54,18 +54,22 @@ USAGE:
|
|||||||
-M <mode> output mode: text (default), mono, csv (separator is \"${SEP}\"; data is on stdout; progress on stderr)
|
-M <mode> output mode: text (default), mono, csv (separator is \"${SEP}\"; data is on stdout; progress on stderr)
|
||||||
-k keep the credential report
|
-k keep the credential report
|
||||||
-n show check numbers to sort easier (i.e.: 1.01 instead of 1.1)
|
-n show check numbers to sort easier (i.e.: 1.01 instead of 1.1)
|
||||||
|
-l list all available checks only (does not perform any check)
|
||||||
-h this help
|
-h this help
|
||||||
"
|
"
|
||||||
exit
|
exit
|
||||||
}
|
}
|
||||||
|
|
||||||
while getopts ":hkp:r:c:f:m:M:n" OPTION; do
|
while getopts ":hlkp:r:c:f:m:M:n" OPTION; do
|
||||||
case $OPTION in
|
case $OPTION in
|
||||||
h )
|
h )
|
||||||
usage
|
usage
|
||||||
EXITCODE=1
|
EXITCODE=1
|
||||||
exit $EXITCODE
|
exit $EXITCODE
|
||||||
;;
|
;;
|
||||||
|
l )
|
||||||
|
PRINTCHECKSONLY=1
|
||||||
|
;;
|
||||||
k )
|
k )
|
||||||
KEEPCREDREPORT=1
|
KEEPCREDREPORT=1
|
||||||
;;
|
;;
|
||||||
@@ -354,6 +358,129 @@ textTitle(){
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# List of checks IDs and Titles
|
||||||
|
TITLE1="Identity and Access Management ****************************************"
|
||||||
|
ID11="1.1,1.01"
|
||||||
|
TITLE11="Avoid the use of the root account (Scored)."
|
||||||
|
ID12="1.2,1.02"
|
||||||
|
TITLE12="Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
|
||||||
|
ID13="1.3,1.03"
|
||||||
|
TITLE13="Ensure credentials unused for 90 days or greater are disabled (Scored)"
|
||||||
|
ID14="1.4,1.04"
|
||||||
|
TITLE14="Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey
|
||||||
|
ID15="1.5,1.05"
|
||||||
|
TITLE15="Ensure IAM password policy requires at least one uppercase letter (Scored)"
|
||||||
|
ID16="1.6,1.06"
|
||||||
|
TITLE16="Ensure IAM password policy require at least one lowercase letter (Scored)"
|
||||||
|
ID17="1.7,1.07"
|
||||||
|
TITLE17="Ensure IAM password policy require at least one symbol (Scored)"
|
||||||
|
ID18="1.8,1.08"
|
||||||
|
TITLE18="Ensure IAM password policy require at least one number (Scored)"
|
||||||
|
ID19="1.9,1.09"
|
||||||
|
TITLE19="Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
|
||||||
|
ID110="1.10"
|
||||||
|
TITLE110="Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
|
||||||
|
ID111="1.11"
|
||||||
|
TITLE111="Ensure IAM password policy expires passwords within 90 days or less (Scored)"
|
||||||
|
ID112="1.12"
|
||||||
|
TITLE112="Ensure no root account access key exists (Scored)"
|
||||||
|
ID113="1.13"
|
||||||
|
TITLE113="Ensure MFA is enabled for the root account (Scored)"
|
||||||
|
ID114="1.14"
|
||||||
|
TITLE114="Ensure hardware MFA is enabled for the root account (Scored)"
|
||||||
|
ID115="1.15"
|
||||||
|
TITLE115="Ensure security questions are registered in the AWS account (Not Scored)"
|
||||||
|
ID116="1.16"
|
||||||
|
TITLE116="Ensure IAM policies are attached only to groups or roles (Scored)"
|
||||||
|
ID117="1.17"
|
||||||
|
TITLE117="Enable detailed billing (Scored)"
|
||||||
|
ID118="1.18"
|
||||||
|
TITLE118="Ensure IAM Master and IAM Manager roles are active (Scored)"
|
||||||
|
ID119="1.19"
|
||||||
|
TITLE119="Maintain current contact details (Scored)"
|
||||||
|
ID120="1.20"
|
||||||
|
TITLE120="Ensure security contact information is registered (Scored)"
|
||||||
|
ID121="1.21"
|
||||||
|
TITLE121="Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
|
||||||
|
ID122="1.22"
|
||||||
|
TITLE122="Ensure a support role has been created to manage incidents with AWS Support (Scored)"
|
||||||
|
ID123="1.23"
|
||||||
|
TITLE123="Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
|
||||||
|
ID124="1.24"
|
||||||
|
TITLE124="Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
|
||||||
|
TITLE2="Logging ***************************************************************"
|
||||||
|
ID21="2.1,2.01"
|
||||||
|
TITLE21="Ensure CloudTrail is enabled in all regions (Scored)"
|
||||||
|
ID22="2.2,2.02"
|
||||||
|
TITLE22="Ensure CloudTrail log file validation is enabled (Scored)"
|
||||||
|
ID23="2.3,2.03"
|
||||||
|
TITLE23="Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
|
||||||
|
ID24="2.4,2.04"
|
||||||
|
TITLE24="Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
|
||||||
|
ID25="2.5,2.05"
|
||||||
|
TITLE25="Ensure AWS Config is enabled in all regions (Scored)"
|
||||||
|
ID26="2.6,2.06"
|
||||||
|
TITLE26="Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
|
||||||
|
ID27="2.7,2.07"
|
||||||
|
TITLE27="Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
|
||||||
|
ID28="2.8,2.08"
|
||||||
|
TITLE28="Ensure rotation for customer created CMKs is enabled (Scored)"
|
||||||
|
TITLE3="Monitoring ************************************************************"
|
||||||
|
ID31="3.1,3.01"
|
||||||
|
TITLE31="Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
|
||||||
|
ID32="3.2,3.02"
|
||||||
|
TITLE32="Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)"
|
||||||
|
ID33="3.3,3.03"
|
||||||
|
TITLE33="Ensure a log metric filter and alarm exist for usage of root account (Scored)"
|
||||||
|
ID34="3.4,3.04"
|
||||||
|
TITLE34="Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
|
||||||
|
ID35="3.5,3.05"
|
||||||
|
TITLE35="Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
|
||||||
|
ID36="3.6,3.06"
|
||||||
|
TITLE36="Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)"
|
||||||
|
ID37="3.7,3.07"
|
||||||
|
TITLE37="Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)"
|
||||||
|
ID38="3.8,3.08"
|
||||||
|
TITLE38="Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)"
|
||||||
|
ID39="3.9,3.09"
|
||||||
|
TITLE39="Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)"
|
||||||
|
ID310="3.10"
|
||||||
|
TITLE310="Ensure a log metric filter and alarm exist for security group changes (Scored)"
|
||||||
|
ID311="3.11"
|
||||||
|
TITLE311="Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)"
|
||||||
|
ID312="3.12"
|
||||||
|
TITLE312="Ensure a log metric filter and alarm exist for changes to network gateways (Scored)"
|
||||||
|
ID313="3.13"
|
||||||
|
TITLE313="Ensure a log metric filter and alarm exist for route table changes (Scored)"
|
||||||
|
ID314="3.14"
|
||||||
|
TITLE314="Ensure a log metric filter and alarm exist for VPC changes (Scored)"
|
||||||
|
ID315="3.15"
|
||||||
|
TITLE315="Ensure appropriate subscribers to each SNS topic (Not Scored)"
|
||||||
|
TITLE4="Networking ************************************************************"
|
||||||
|
ID41="4.1,4.01"
|
||||||
|
TITLE41="Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)"
|
||||||
|
ID42="4.2,4.02"
|
||||||
|
TITLE42="Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)"
|
||||||
|
ID43="4.3,4.03"
|
||||||
|
TITLE43="Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
|
||||||
|
ID44="4.4,4.04"
|
||||||
|
TITLE44="Ensure the default security group of every VPC restricts all traffic (Scored)"
|
||||||
|
ID45="4.5,4.05"
|
||||||
|
TITLE45="Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
|
||||||
|
TITLE7="Extras ****************************************************************"
|
||||||
|
ID71="7.1,7.01"
|
||||||
|
TITLE71="Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
ID72="7.2,7.02"
|
||||||
|
TITLE72="Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
ID73="7.3,7.03"
|
||||||
|
TITLE73="Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
ID74="7.4,7.04"
|
||||||
|
TITLE74="Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
ID75="7.5,7.05"
|
||||||
|
TITLE75="Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
ID76="7.6,7.06"
|
||||||
|
TITLE76="Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
|
||||||
printCsvHeader() {
|
printCsvHeader() {
|
||||||
>&2 echo ""
|
>&2 echo ""
|
||||||
>&2 echo "Generating \"${SEP}\" delimited report on stdout for profile $PROFILE, account $ACCOUNT_NUM"
|
>&2 echo "Generating \"${SEP}\" delimited report on stdout for profile $PROFILE, account $ACCOUNT_NUM"
|
||||||
@@ -470,16 +597,14 @@ infoReferenceLong(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check11(){
|
check11(){
|
||||||
ID11="1.1,1.01"
|
# "Avoid the use of the root account (Scored)."
|
||||||
TITLE11="Avoid the use of the root account (Scored)."
|
|
||||||
COMMAND11=$(cat $TEMP_REPORT_FILE| grep '<root_account>' | cut -d, -f5,11,16 | sed 's/,/\ /g')
|
COMMAND11=$(cat $TEMP_REPORT_FILE| grep '<root_account>' | cut -d, -f5,11,16 | sed 's/,/\ /g')
|
||||||
textTitle "$ID11" "$TITLE11" "SCORED" "LEVEL1"
|
textTitle "$ID11" "$TITLE11" "SCORED" "LEVEL1"
|
||||||
textNotice "Root account last accessed (password key_1 key_2): $COMMAND11"
|
textNotice "Root account last accessed (password key_1 key_2): $COMMAND11"
|
||||||
}
|
}
|
||||||
|
|
||||||
check12(){
|
check12(){
|
||||||
ID12="1.2,1.02"
|
# "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
|
||||||
TITLE12="Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
|
|
||||||
# List users with password enabled
|
# List users with password enabled
|
||||||
COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep true | awk '{ print $1 }')
|
COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep true | awk '{ print $1 }')
|
||||||
COMMAND12=$(
|
COMMAND12=$(
|
||||||
@@ -497,8 +622,7 @@ check12(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check13(){
|
check13(){
|
||||||
ID13="1.3,1.03"
|
# "Ensure credentials unused for 90 days or greater are disabled (Scored)"
|
||||||
TITLE13="Ensure credentials unused for 90 days or greater are disabled (Scored)"
|
|
||||||
textTitle "$ID13" "$TITLE13" "SCORED" "LEVEL1"
|
textTitle "$ID13" "$TITLE13" "SCORED" "LEVEL1"
|
||||||
COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep true | awk '{ print $1 }')
|
COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep true | awk '{ print $1 }')
|
||||||
if [[ $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED ]]; then
|
if [[ $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED ]]; then
|
||||||
@@ -527,8 +651,7 @@ check13(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check14(){
|
check14(){
|
||||||
ID14="1.4,1.04"
|
# "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey
|
||||||
TITLE14="Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey
|
|
||||||
LIST_OF_USERS_WITH_ACCESS_KEY1=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $9 }' |grep "\ true" | awk '{ print $1 }')
|
LIST_OF_USERS_WITH_ACCESS_KEY1=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $9 }' |grep "\ true" | awk '{ print $1 }')
|
||||||
LIST_OF_USERS_WITH_ACCESS_KEY2=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $14 }' |grep "\ true" | awk '{ print $1 }')
|
LIST_OF_USERS_WITH_ACCESS_KEY2=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $14 }' |grep "\ true" | awk '{ print $1 }')
|
||||||
textTitle "$ID14" "$TITLE14" "SCORED" "LEVEL1"
|
textTitle "$ID14" "$TITLE14" "SCORED" "LEVEL1"
|
||||||
@@ -573,8 +696,7 @@ check14(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check15(){
|
check15(){
|
||||||
ID15="1.5,1.05"
|
# "Ensure IAM password policy requires at least one uppercase letter (Scored)"
|
||||||
TITLE15="Ensure IAM password policy requires at least one uppercase letter (Scored)"
|
|
||||||
COMMAND15=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireUppercaseCharacters' 2> /dev/null) # must be true
|
COMMAND15=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireUppercaseCharacters' 2> /dev/null) # must be true
|
||||||
textTitle "$ID15" "$TITLE15" "SCORED" "LEVEL1"
|
textTitle "$ID15" "$TITLE15" "SCORED" "LEVEL1"
|
||||||
if [[ "$COMMAND15" == "true" ]];then
|
if [[ "$COMMAND15" == "true" ]];then
|
||||||
@@ -585,8 +707,7 @@ check15(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check16(){
|
check16(){
|
||||||
ID16="1.6,1.06"
|
# "Ensure IAM password policy require at least one lowercase letter (Scored)"
|
||||||
TITLE16="Ensure IAM password policy require at least one lowercase letter (Scored)"
|
|
||||||
COMMAND16=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireLowercaseCharacters' 2> /dev/null) # must be true
|
COMMAND16=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireLowercaseCharacters' 2> /dev/null) # must be true
|
||||||
textTitle "$ID16" "$TITLE16" "SCORED" "LEVEL1"
|
textTitle "$ID16" "$TITLE16" "SCORED" "LEVEL1"
|
||||||
if [[ "$COMMAND16" == "true" ]];then
|
if [[ "$COMMAND16" == "true" ]];then
|
||||||
@@ -597,8 +718,7 @@ check16(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check17(){
|
check17(){
|
||||||
ID17="1.7,1.07"
|
# "Ensure IAM password policy require at least one symbol (Scored)"
|
||||||
TITLE17="Ensure IAM password policy require at least one symbol (Scored)"
|
|
||||||
COMMAND17=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireSymbols' 2> /dev/null) # must be true
|
COMMAND17=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireSymbols' 2> /dev/null) # must be true
|
||||||
textTitle "$ID17" "$TITLE17" "SCORED" "LEVEL1"
|
textTitle "$ID17" "$TITLE17" "SCORED" "LEVEL1"
|
||||||
if [[ "$COMMAND17" == "true" ]];then
|
if [[ "$COMMAND17" == "true" ]];then
|
||||||
@@ -609,8 +729,7 @@ check17(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check18(){
|
check18(){
|
||||||
ID18="1.8,1.08"
|
# "Ensure IAM password policy require at least one number (Scored)"
|
||||||
TITLE18="Ensure IAM password policy require at least one number (Scored)"
|
|
||||||
COMMAND18=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireNumbers' 2> /dev/null) # must be true
|
COMMAND18=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireNumbers' 2> /dev/null) # must be true
|
||||||
textTitle "$ID18" "$TITLE18" "SCORED" "LEVEL1"
|
textTitle "$ID18" "$TITLE18" "SCORED" "LEVEL1"
|
||||||
if [[ "$COMMAND18" == "true" ]];then
|
if [[ "$COMMAND18" == "true" ]];then
|
||||||
@@ -621,8 +740,7 @@ check18(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check19(){
|
check19(){
|
||||||
ID19="1.9,1.09"
|
# "Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
|
||||||
TITLE19="Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
|
|
||||||
COMMAND19=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.MinimumPasswordLength' 2> /dev/null)
|
COMMAND19=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.MinimumPasswordLength' 2> /dev/null)
|
||||||
textTitle "$ID19" "$TITLE19" "SCORED" "LEVEL1"
|
textTitle "$ID19" "$TITLE19" "SCORED" "LEVEL1"
|
||||||
if [[ $COMMAND19 -gt "13" ]];then
|
if [[ $COMMAND19 -gt "13" ]];then
|
||||||
@@ -633,8 +751,7 @@ check19(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check110(){
|
check110(){
|
||||||
ID110="1.10"
|
# "Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
|
||||||
TITLE110="Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
|
|
||||||
COMMAND110=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --query 'PasswordPolicy.PasswordReusePrevention' --output text 2> /dev/null)
|
COMMAND110=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --query 'PasswordPolicy.PasswordReusePrevention' --output text 2> /dev/null)
|
||||||
textTitle "$ID110" "$TITLE110" "SCORED" "LEVEL1"
|
textTitle "$ID110" "$TITLE110" "SCORED" "LEVEL1"
|
||||||
if [[ $COMMAND110 ]];then
|
if [[ $COMMAND110 ]];then
|
||||||
@@ -649,8 +766,7 @@ check110(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check111(){
|
check111(){
|
||||||
ID111="1.11"
|
# "Ensure IAM password policy expires passwords within 90 days or less (Scored)"
|
||||||
TITLE111="Ensure IAM password policy expires passwords within 90 days or less (Scored)"
|
|
||||||
COMMAND111=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json | grep MaxPasswordAge | awk -F: '{ print $2 }'|sed 's/\ //g'|sed 's/,/ /g' 2> /dev/null)
|
COMMAND111=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json | grep MaxPasswordAge | awk -F: '{ print $2 }'|sed 's/\ //g'|sed 's/,/ /g' 2> /dev/null)
|
||||||
textTitle "$ID111" "$TITLE111" "SCORED" "LEVEL1"
|
textTitle "$ID111" "$TITLE111" "SCORED" "LEVEL1"
|
||||||
if [[ $COMMAND111 ]];then
|
if [[ $COMMAND111 ]];then
|
||||||
@@ -663,8 +779,7 @@ check111(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check112(){
|
check112(){
|
||||||
ID112="1.12"
|
# "Ensure no root account access key exists (Scored)"
|
||||||
TITLE112="Ensure no root account access key exists (Scored)"
|
|
||||||
# ensure the access_key_1_active and access_key_2_active fields are set to FALSE.
|
# ensure the access_key_1_active and access_key_2_active fields are set to FALSE.
|
||||||
ROOTKEY1=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $9 }')
|
ROOTKEY1=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $9 }')
|
||||||
ROOTKEY2=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $14 }')
|
ROOTKEY2=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $14 }')
|
||||||
@@ -682,8 +797,7 @@ check112(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check113(){
|
check113(){
|
||||||
ID113="1.13"
|
# "Ensure MFA is enabled for the root account (Scored)"
|
||||||
TITLE113="Ensure MFA is enabled for the root account (Scored)"
|
|
||||||
COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
|
COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
|
||||||
textTitle "$ID113" "$TITLE113" "SCORED" "LEVEL1"
|
textTitle "$ID113" "$TITLE113" "SCORED" "LEVEL1"
|
||||||
if [ "$COMMAND113" == "1" ]; then
|
if [ "$COMMAND113" == "1" ]; then
|
||||||
@@ -694,8 +808,7 @@ check113(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check114(){
|
check114(){
|
||||||
ID114="1.14"
|
# "Ensure hardware MFA is enabled for the root account (Scored)"
|
||||||
TITLE114="Ensure hardware MFA is enabled for the root account (Scored)"
|
|
||||||
COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
|
COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
|
||||||
textTitle "$ID114" "$TITLE114" "SCORED" "LEVEL1"
|
textTitle "$ID114" "$TITLE114" "SCORED" "LEVEL1"
|
||||||
if [ "$COMMAND113" == "1" ]; then
|
if [ "$COMMAND113" == "1" ]; then
|
||||||
@@ -711,8 +824,7 @@ check114(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check115(){
|
check115(){
|
||||||
ID115="1.15"
|
# "Ensure security questions are registered in the AWS account (Not Scored)"
|
||||||
TITLE115="Ensure security questions are registered in the AWS account (Not Scored)"
|
|
||||||
textTitle "$ID115" "$TITLE115" "NOT_SCORED" "LEVEL2"
|
textTitle "$ID115" "$TITLE115" "NOT_SCORED" "LEVEL2"
|
||||||
textNotice "No command available for check 1.15 "
|
textNotice "No command available for check 1.15 "
|
||||||
textNotice "Login to the AWS Console as root & click on the Account "
|
textNotice "Login to the AWS Console as root & click on the Account "
|
||||||
@@ -720,8 +832,7 @@ check115(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check116(){
|
check116(){
|
||||||
ID116="1.16"
|
# "Ensure IAM policies are attached only to groups or roles (Scored)"
|
||||||
TITLE116="Ensure IAM policies are attached only to groups or roles (Scored)"
|
|
||||||
textTitle "$ID116" "$TITLE116" "SCORED" "LEVEL1"
|
textTitle "$ID116" "$TITLE116" "SCORED" "LEVEL1"
|
||||||
LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
|
LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
|
||||||
C116_NUM_USERS=0
|
C116_NUM_USERS=0
|
||||||
@@ -738,8 +849,7 @@ check116(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check117(){
|
check117(){
|
||||||
ID117="1.17"
|
# "Enable detailed billing (Scored)"
|
||||||
TITLE117="Enable detailed billing (Scored)"
|
|
||||||
# No command available
|
# No command available
|
||||||
textTitle "$ID117" "$TITLE117" "SCORED" "LEVEL1"
|
textTitle "$ID117" "$TITLE117" "SCORED" "LEVEL1"
|
||||||
textNotice "No command available for check 1.17 "
|
textNotice "No command available for check 1.17 "
|
||||||
@@ -747,8 +857,7 @@ check117(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check118(){
|
check118(){
|
||||||
ID118="1.18"
|
# "Ensure IAM Master and IAM Manager roles are active (Scored)"
|
||||||
TITLE118="Ensure IAM Master and IAM Manager roles are active (Scored)"
|
|
||||||
textTitle "$ID118" "$TITLE118" "SCORED" "LEVEL1"
|
textTitle "$ID118" "$TITLE118" "SCORED" "LEVEL1"
|
||||||
FINDMASTERANDMANAGER=$($AWSCLI iam list-roles $PROFILE_OPT --region $REGION --query "Roles[*].{RoleName:RoleName}" --output text | grep -E 'Master|Manager'| tr '\n' ' ')
|
FINDMASTERANDMANAGER=$($AWSCLI iam list-roles $PROFILE_OPT --region $REGION --query "Roles[*].{RoleName:RoleName}" --output text | grep -E 'Master|Manager'| tr '\n' ' ')
|
||||||
if [[ $FINDMASTERANDMANAGER ]];then
|
if [[ $FINDMASTERANDMANAGER ]];then
|
||||||
@@ -773,8 +882,7 @@ check118(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check119(){
|
check119(){
|
||||||
ID119="1.19"
|
# "Maintain current contact details (Scored)"
|
||||||
TITLE119="Maintain current contact details (Scored)"
|
|
||||||
# No command available
|
# No command available
|
||||||
textTitle "$ID119" "$TITLE119" "SCORED" "LEVEL1"
|
textTitle "$ID119" "$TITLE119" "SCORED" "LEVEL1"
|
||||||
textNotice "No command available for check 1.19 "
|
textNotice "No command available for check 1.19 "
|
||||||
@@ -782,8 +890,7 @@ check119(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check120(){
|
check120(){
|
||||||
ID120="1.20"
|
# "Ensure security contact information is registered (Scored)"
|
||||||
TITLE120="Ensure security contact information is registered (Scored)"
|
|
||||||
# No command available
|
# No command available
|
||||||
textTitle "$ID120" "$TITLE120" "SCORED" "LEVEL1"
|
textTitle "$ID120" "$TITLE120" "SCORED" "LEVEL1"
|
||||||
textNotice "No command available for check 1.20 "
|
textNotice "No command available for check 1.20 "
|
||||||
@@ -791,16 +898,14 @@ check120(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check121(){
|
check121(){
|
||||||
ID121="1.21"
|
# "Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
|
||||||
TITLE121="Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
|
|
||||||
textTitle "$ID121" "$TITLE121" "NOT_SCORED" "LEVEL2"
|
textTitle "$ID121" "$TITLE121" "NOT_SCORED" "LEVEL2"
|
||||||
textNotice "No command available for check 1.21 "
|
textNotice "No command available for check 1.21 "
|
||||||
textNotice "See section 1.21 on the CIS Benchmark guide for details "
|
textNotice "See section 1.21 on the CIS Benchmark guide for details "
|
||||||
}
|
}
|
||||||
|
|
||||||
check122(){
|
check122(){
|
||||||
ID122="1.22"
|
# "Ensure a support role has been created to manage incidents with AWS Support (Scored)"
|
||||||
TITLE122="Ensure a support role has been created to manage incidents with AWS Support (Scored)"
|
|
||||||
textTitle "$ID122" "$TITLE122" "SCORED" "LEVEL1"
|
textTitle "$ID122" "$TITLE122" "SCORED" "LEVEL1"
|
||||||
SUPPORTPOLICYARN=$($AWSCLI iam list-policies --query "Policies[?PolicyName == 'AWSSupportAccess'].Arn" $PROFILE_OPT --region $REGION --output text)
|
SUPPORTPOLICYARN=$($AWSCLI iam list-policies --query "Policies[?PolicyName == 'AWSSupportAccess'].Arn" $PROFILE_OPT --region $REGION --output text)
|
||||||
if [[ $SUPPORTPOLICYARN ]];then
|
if [[ $SUPPORTPOLICYARN ]];then
|
||||||
@@ -822,8 +927,7 @@ check122(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check123(){
|
check123(){
|
||||||
ID123="1.23"
|
# "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
|
||||||
TITLE123="Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
|
|
||||||
textTitle "$ID123" "$TITLE123" "NOT_SCORED" "LEVEL1"
|
textTitle "$ID123" "$TITLE123" "NOT_SCORED" "LEVEL1"
|
||||||
LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
|
LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
|
||||||
# List of USERS with KEY1 last_used_date as N/A
|
# List of USERS with KEY1 last_used_date as N/A
|
||||||
@@ -849,8 +953,7 @@ check123(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check124(){
|
check124(){
|
||||||
ID124="1.24"
|
# "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
|
||||||
TITLE124="Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
|
|
||||||
textTitle "$ID124" "$TITLE124" "SCORED" "LEVEL1"
|
textTitle "$ID124" "$TITLE124" "SCORED" "LEVEL1"
|
||||||
LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION|grep 'arn:aws:iam::[0-9]\{12\}:'|awk '{ print $2 }')
|
LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION|grep 'arn:aws:iam::[0-9]\{12\}:'|awk '{ print $2 }')
|
||||||
if [[ $LIST_CUSTOM_POLICIES ]]; then
|
if [[ $LIST_CUSTOM_POLICIES ]]; then
|
||||||
@@ -876,8 +979,7 @@ check124(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check21(){
|
check21(){
|
||||||
ID21="2.1,2.01"
|
# "Ensure CloudTrail is enabled in all regions (Scored)"
|
||||||
TITLE21="Ensure CloudTrail is enabled in all regions (Scored)"
|
|
||||||
textTitle "$ID21" "$TITLE21" "SCORED" "LEVEL1"
|
textTitle "$ID21" "$TITLE21" "SCORED" "LEVEL1"
|
||||||
LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].Name' --output text)
|
LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].Name' --output text)
|
||||||
if [[ $LIST_OF_TRAILS ]];then
|
if [[ $LIST_OF_TRAILS ]];then
|
||||||
@@ -895,8 +997,7 @@ check21(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check22(){
|
check22(){
|
||||||
ID22="2.2,2.02"
|
# "Ensure CloudTrail log file validation is enabled (Scored)"
|
||||||
TITLE22="Ensure CloudTrail log file validation is enabled (Scored)"
|
|
||||||
textTitle "$ID22" "$TITLE22" "SCORED" "LEVEL2"
|
textTitle "$ID22" "$TITLE22" "SCORED" "LEVEL2"
|
||||||
LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].Name' --output text)
|
LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].Name' --output text)
|
||||||
if [[ $LIST_OF_TRAILS ]];then
|
if [[ $LIST_OF_TRAILS ]];then
|
||||||
@@ -914,8 +1015,7 @@ check22(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check23(){
|
check23(){
|
||||||
ID23="2.3,2.03"
|
# "Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
|
||||||
TITLE23="Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
|
|
||||||
textTitle "$ID23" "$TITLE23" "SCORED" "LEVEL1"
|
textTitle "$ID23" "$TITLE23" "SCORED" "LEVEL1"
|
||||||
CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails --query 'trailList[*].S3BucketName' --output text $PROFILE_OPT --region $REGION)
|
CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails --query 'trailList[*].S3BucketName' --output text $PROFILE_OPT --region $REGION)
|
||||||
if [[ $CLOUDTRAILBUCKET ]];then
|
if [[ $CLOUDTRAILBUCKET ]];then
|
||||||
@@ -933,8 +1033,7 @@ check23(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check24(){
|
check24(){
|
||||||
ID24="2.4,2.04"
|
# "Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
|
||||||
TITLE24="Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
|
|
||||||
textTitle "$ID24" "$TITLE24" "SCORED" "LEVEL1"
|
textTitle "$ID24" "$TITLE24" "SCORED" "LEVEL1"
|
||||||
TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].{Name:Name, HomeRegion:HomeRegion}' --output text | tr "\t" ',')
|
TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].{Name:Name, HomeRegion:HomeRegion}' --output text | tr "\t" ',')
|
||||||
if [[ $TRAILS_AND_REGIONS ]];then
|
if [[ $TRAILS_AND_REGIONS ]];then
|
||||||
@@ -960,8 +1059,7 @@ check24(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check25(){
|
check25(){
|
||||||
ID25="2.5,2.05"
|
# "Ensure AWS Config is enabled in all regions (Scored)"
|
||||||
TITLE25="Ensure AWS Config is enabled in all regions (Scored)"
|
|
||||||
textTitle "$ID25" "$TITLE25" "SCORED" "LEVEL1"
|
textTitle "$ID25" "$TITLE25" "SCORED" "LEVEL1"
|
||||||
for regx in $REGIONS; do
|
for regx in $REGIONS; do
|
||||||
CHECK_AWSCONFIG_STATUS=$($AWSCLI configservice get-status $PROFILE_OPT --region $regx --output json| grep "recorder: ON")
|
CHECK_AWSCONFIG_STATUS=$($AWSCLI configservice get-status $PROFILE_OPT --region $regx --output json| grep "recorder: ON")
|
||||||
@@ -974,8 +1072,7 @@ check25(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check26(){
|
check26(){
|
||||||
ID26="2.6,2.06"
|
# "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
|
||||||
TITLE26="Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
|
|
||||||
textTitle "$ID26" "$TITLE26" "SCORED" "LEVEL1"
|
textTitle "$ID26" "$TITLE26" "SCORED" "LEVEL1"
|
||||||
CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails --query 'trailList[*].S3BucketName' --output text $PROFILE_OPT --region $REGION)
|
CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails --query 'trailList[*].S3BucketName' --output text $PROFILE_OPT --region $REGION)
|
||||||
if [[ $CLOUDTRAILBUCKET ]];then
|
if [[ $CLOUDTRAILBUCKET ]];then
|
||||||
@@ -993,8 +1090,7 @@ check26(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check27(){
|
check27(){
|
||||||
ID27="2.7,2.07"
|
# "Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
|
||||||
TITLE27="Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
|
|
||||||
textTitle "$ID27" "$TITLE27" "SCORED" "LEVEL2"
|
textTitle "$ID27" "$TITLE27" "SCORED" "LEVEL2"
|
||||||
CLOUDTRAILNAME=$($AWSCLI cloudtrail describe-trails --query 'trailList[*].Name' --output text $PROFILE_OPT --region $REGION)
|
CLOUDTRAILNAME=$($AWSCLI cloudtrail describe-trails --query 'trailList[*].Name' --output text $PROFILE_OPT --region $REGION)
|
||||||
if [[ $CLOUDTRAILNAME ]];then
|
if [[ $CLOUDTRAILNAME ]];then
|
||||||
@@ -1012,8 +1108,7 @@ check27(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check28(){
|
check28(){
|
||||||
ID28="2.8,2.08"
|
# "Ensure rotation for customer created CMKs is enabled (Scored)"
|
||||||
TITLE28="Ensure rotation for customer created CMKs is enabled (Scored)"
|
|
||||||
textTitle "$ID28" "$TITLE28" "SCORED" "LEVEL2"
|
textTitle "$ID28" "$TITLE28" "SCORED" "LEVEL2"
|
||||||
for regx in $REGIONS; do
|
for regx in $REGIONS; do
|
||||||
CHECK_KMS_KEYLIST=$($AWSCLI kms list-keys $PROFILE_OPT --region $regx --output text --query 'Keys[*].KeyId')
|
CHECK_KMS_KEYLIST=$($AWSCLI kms list-keys $PROFILE_OPT --region $regx --output text --query 'Keys[*].KeyId')
|
||||||
@@ -1043,8 +1138,7 @@ check28(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check31(){
|
check31(){
|
||||||
ID31="3.1,3.01"
|
# "Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
|
||||||
TITLE31="Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
|
|
||||||
textTitle "$ID31" "$TITLE31" "SCORED" "LEVEL1"
|
textTitle "$ID31" "$TITLE31" "SCORED" "LEVEL1"
|
||||||
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text| tr '\011' '\012' | awk -F: '{ print $7 }')
|
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text| tr '\011' '\012' | awk -F: '{ print $7 }')
|
||||||
if [[ $CLOUDWATCH_GROUP ]];then
|
if [[ $CLOUDWATCH_GROUP ]];then
|
||||||
@@ -1068,8 +1162,7 @@ check31(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check32(){
|
check32(){
|
||||||
ID32="3.2,3.02"
|
# "Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)"
|
||||||
TITLE32="Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)"
|
|
||||||
textTitle "$ID32" "$TITLE32" "SCORED" "LEVEL1"
|
textTitle "$ID32" "$TITLE32" "SCORED" "LEVEL1"
|
||||||
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
||||||
if [[ $CLOUDWATCH_GROUP ]];then
|
if [[ $CLOUDWATCH_GROUP ]];then
|
||||||
@@ -1093,8 +1186,7 @@ check32(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check33(){
|
check33(){
|
||||||
ID33="3.3,3.03"
|
# "Ensure a log metric filter and alarm exist for usage of root account (Scored)"
|
||||||
TITLE33="Ensure a log metric filter and alarm exist for usage of root account (Scored)"
|
|
||||||
textTitle "$ID33" "$TITLE33" "SCORED" "LEVEL1"
|
textTitle "$ID33" "$TITLE33" "SCORED" "LEVEL1"
|
||||||
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
||||||
if [[ $CLOUDWATCH_GROUP ]];then
|
if [[ $CLOUDWATCH_GROUP ]];then
|
||||||
@@ -1118,8 +1210,7 @@ check33(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check34(){
|
check34(){
|
||||||
ID34="3.4,3.04"
|
# "Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
|
||||||
TITLE34="Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
|
|
||||||
textTitle "$ID34" "$TITLE34" "SCORED" "LEVEL1"
|
textTitle "$ID34" "$TITLE34" "SCORED" "LEVEL1"
|
||||||
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
||||||
if [[ $CLOUDWATCH_GROUP ]];then
|
if [[ $CLOUDWATCH_GROUP ]];then
|
||||||
@@ -1143,8 +1234,7 @@ check34(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check35(){
|
check35(){
|
||||||
ID35="3.5,3.05"
|
# "Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
|
||||||
TITLE35="Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
|
|
||||||
textTitle "$ID35" "$TITLE35" "SCORED" "LEVEL1"
|
textTitle "$ID35" "$TITLE35" "SCORED" "LEVEL1"
|
||||||
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
||||||
if [[ $CLOUDWATCH_GROUP ]];then
|
if [[ $CLOUDWATCH_GROUP ]];then
|
||||||
@@ -1168,8 +1258,7 @@ check35(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check36(){
|
check36(){
|
||||||
ID36="3.6,3.06"
|
# "Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)"
|
||||||
TITLE36="Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)"
|
|
||||||
textTitle "$ID36" "$TITLE36" "SCORED" "LEVEL2"
|
textTitle "$ID36" "$TITLE36" "SCORED" "LEVEL2"
|
||||||
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
||||||
if [[ $CLOUDWATCH_GROUP ]];then
|
if [[ $CLOUDWATCH_GROUP ]];then
|
||||||
@@ -1193,8 +1282,7 @@ check36(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check37(){
|
check37(){
|
||||||
ID37="3.7,3.07"
|
# "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)"
|
||||||
TITLE37="Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)"
|
|
||||||
textTitle "$ID37" "$TITLE37" "SCORED" "LEVEL2"
|
textTitle "$ID37" "$TITLE37" "SCORED" "LEVEL2"
|
||||||
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
||||||
if [[ $CLOUDWATCH_GROUP ]];then
|
if [[ $CLOUDWATCH_GROUP ]];then
|
||||||
@@ -1218,8 +1306,7 @@ check37(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check38(){
|
check38(){
|
||||||
ID38="3.8,3.08"
|
# "Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)"
|
||||||
TITLE38="Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)"
|
|
||||||
textTitle "$ID38" "$TITLE38" "SCORED" "LEVEL1"
|
textTitle "$ID38" "$TITLE38" "SCORED" "LEVEL1"
|
||||||
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
||||||
if [[ $CLOUDWATCH_GROUP ]];then
|
if [[ $CLOUDWATCH_GROUP ]];then
|
||||||
@@ -1243,8 +1330,7 @@ check38(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check39(){
|
check39(){
|
||||||
ID39="3.9,3.09"
|
# "Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)"
|
||||||
TITLE39="Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)"
|
|
||||||
textTitle "$ID39" "$TITLE39" "SCORED" "LEVEL2"
|
textTitle "$ID39" "$TITLE39" "SCORED" "LEVEL2"
|
||||||
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
||||||
if [[ $CLOUDWATCH_GROUP ]];then
|
if [[ $CLOUDWATCH_GROUP ]];then
|
||||||
@@ -1268,8 +1354,7 @@ check39(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check310(){
|
check310(){
|
||||||
ID310="3.10"
|
# "Ensure a log metric filter and alarm exist for security group changes (Scored)"
|
||||||
TITLE310="Ensure a log metric filter and alarm exist for security group changes (Scored)"
|
|
||||||
textTitle "$ID310" "$TITLE310" "SCORED" "LEVEL2"
|
textTitle "$ID310" "$TITLE310" "SCORED" "LEVEL2"
|
||||||
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
||||||
if [[ $CLOUDWATCH_GROUP ]];then
|
if [[ $CLOUDWATCH_GROUP ]];then
|
||||||
@@ -1293,8 +1378,7 @@ check310(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check311(){
|
check311(){
|
||||||
ID311="3.11"
|
# "Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)"
|
||||||
TITLE311="Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)"
|
|
||||||
textTitle "$ID311" "$TITLE311" "SCORED" "LEVEL2"
|
textTitle "$ID311" "$TITLE311" "SCORED" "LEVEL2"
|
||||||
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
||||||
if [[ $CLOUDWATCH_GROUP ]];then
|
if [[ $CLOUDWATCH_GROUP ]];then
|
||||||
@@ -1318,8 +1402,7 @@ check311(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check312(){
|
check312(){
|
||||||
ID312="3.12"
|
# "Ensure a log metric filter and alarm exist for changes to network gateways (Scored)"
|
||||||
TITLE312="Ensure a log metric filter and alarm exist for changes to network gateways (Scored)"
|
|
||||||
textTitle "$ID312" "$TITLE312" "SCORED" "LEVEL1"
|
textTitle "$ID312" "$TITLE312" "SCORED" "LEVEL1"
|
||||||
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
||||||
if [[ $CLOUDWATCH_GROUP ]];then
|
if [[ $CLOUDWATCH_GROUP ]];then
|
||||||
@@ -1343,8 +1426,7 @@ check312(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check313(){
|
check313(){
|
||||||
ID313="3.13"
|
# "Ensure a log metric filter and alarm exist for route table changes (Scored)"
|
||||||
TITLE313="Ensure a log metric filter and alarm exist for route table changes (Scored)"
|
|
||||||
textTitle "$ID313" "$TITLE313" "SCORED" "LEVEL1"
|
textTitle "$ID313" "$TITLE313" "SCORED" "LEVEL1"
|
||||||
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
||||||
if [[ $CLOUDWATCH_GROUP ]];then
|
if [[ $CLOUDWATCH_GROUP ]];then
|
||||||
@@ -1368,8 +1450,7 @@ check313(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check314(){
|
check314(){
|
||||||
ID314="3.14"
|
# "Ensure a log metric filter and alarm exist for VPC changes (Scored)"
|
||||||
TITLE314="Ensure a log metric filter and alarm exist for VPC changes (Scored)"
|
|
||||||
textTitle "$ID314" "$TITLE314" "SCORED" "LEVEL1"
|
textTitle "$ID314" "$TITLE314" "SCORED" "LEVEL1"
|
||||||
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | tr '\011' '\012' | awk -F: '{ print $7 }')
|
||||||
if [[ $CLOUDWATCH_GROUP ]];then
|
if [[ $CLOUDWATCH_GROUP ]];then
|
||||||
@@ -1393,8 +1474,7 @@ check314(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check315(){
|
check315(){
|
||||||
ID315="3.15"
|
# "Ensure appropriate subscribers to each SNS topic (Not Scored)"
|
||||||
TITLE315="Ensure appropriate subscribers to each SNS topic (Not Scored)"
|
|
||||||
textTitle "$ID315" "$TITLE315" "NOT_SCORED" "LEVEL1"
|
textTitle "$ID315" "$TITLE315" "NOT_SCORED" "LEVEL1"
|
||||||
CAN_SNS_LIST_SUBS=1
|
CAN_SNS_LIST_SUBS=1
|
||||||
for regx in $REGIONS; do
|
for regx in $REGIONS; do
|
||||||
@@ -1430,8 +1510,7 @@ check315(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check41(){
|
check41(){
|
||||||
ID41="4.1,4.01"
|
# "Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)"
|
||||||
TITLE41="Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)"
|
|
||||||
textTitle "$ID41" "$TITLE41" "SCORED" "LEVEL1"
|
textTitle "$ID41" "$TITLE41" "SCORED" "LEVEL1"
|
||||||
for regx in $REGIONS; do
|
for regx in $REGIONS; do
|
||||||
SG_LIST=$($AWSCLI ec2 describe-security-groups --filters "Name=ip-permission.to-port,Values=22" --query 'SecurityGroups[?length(IpPermissions[?ToPort==`22` && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text)
|
SG_LIST=$($AWSCLI ec2 describe-security-groups --filters "Name=ip-permission.to-port,Values=22" --query 'SecurityGroups[?length(IpPermissions[?ToPort==`22` && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text)
|
||||||
@@ -1446,8 +1525,7 @@ check41(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check42(){
|
check42(){
|
||||||
ID42="4.2,4.02"
|
# "Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)"
|
||||||
TITLE42="Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)"
|
|
||||||
textTitle "$ID42" "$TITLE42" "SCORED" "LEVEL1"
|
textTitle "$ID42" "$TITLE42" "SCORED" "LEVEL1"
|
||||||
for regx in $REGIONS; do
|
for regx in $REGIONS; do
|
||||||
SG_LIST=$($AWSCLI ec2 describe-security-groups --filters "Name=ip-permission.to-port,Values=3389" --query 'SecurityGroups[?length(IpPermissions[?ToPort==`3389` && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupName: GroupName}' $PROFILE_OPT --region $regx --output text)
|
SG_LIST=$($AWSCLI ec2 describe-security-groups --filters "Name=ip-permission.to-port,Values=3389" --query 'SecurityGroups[?length(IpPermissions[?ToPort==`3389` && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]) > `0`].{GroupName: GroupName}' $PROFILE_OPT --region $regx --output text)
|
||||||
@@ -1462,8 +1540,7 @@ check42(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check43(){
|
check43(){
|
||||||
ID43="4.3,4.03"
|
# "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
|
||||||
TITLE43="Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
|
|
||||||
textTitle "$ID43" "$TITLE43" "SCORED" "LEVEL2"
|
textTitle "$ID43" "$TITLE43" "SCORED" "LEVEL2"
|
||||||
for regx in $REGIONS; do
|
for regx in $REGIONS; do
|
||||||
CHECK_FL=$($AWSCLI ec2 describe-flow-logs $PROFILE_OPT --region $regx --query 'FlowLogs[?FlowLogStatus==`ACTIVE`].LogGroupName' --output text)
|
CHECK_FL=$($AWSCLI ec2 describe-flow-logs $PROFILE_OPT --region $regx --query 'FlowLogs[?FlowLogStatus==`ACTIVE`].LogGroupName' --output text)
|
||||||
@@ -1478,8 +1555,7 @@ check43(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check44(){
|
check44(){
|
||||||
ID44="4.4,4.04"
|
# "Ensure the default security group of every VPC restricts all traffic (Scored)"
|
||||||
TITLE44="Ensure the default security group of every VPC restricts all traffic (Scored)"
|
|
||||||
textTitle "$ID44" "$TITLE44" "SCORED" "LEVEL2"
|
textTitle "$ID44" "$TITLE44" "SCORED" "LEVEL2"
|
||||||
for regx in $REGIONS; do
|
for regx in $REGIONS; do
|
||||||
CHECK_SGDEFAULT=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |grep 0.0.0.0)
|
CHECK_SGDEFAULT=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |grep 0.0.0.0)
|
||||||
@@ -1492,9 +1568,7 @@ check44(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
check45(){
|
check45(){
|
||||||
#set -xe
|
# "Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
|
||||||
ID45="4.5,4.05"
|
|
||||||
TITLE45="Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
|
|
||||||
textTitle "$ID45" "$TITLE45" "NOT_SCORED" "LEVEL2"
|
textTitle "$ID45" "$TITLE45" "NOT_SCORED" "LEVEL2"
|
||||||
textNotice "Looking for VPC peering in all regions... "
|
textNotice "Looking for VPC peering in all regions... "
|
||||||
for regx in $REGIONS; do
|
for regx in $REGIONS; do
|
||||||
@@ -1514,9 +1588,7 @@ check45(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
extra71(){
|
extra71(){
|
||||||
# set -x
|
# "Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
|
||||||
ID71="7.1,7.01"
|
|
||||||
TITLE71="Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
|
|
||||||
textTitle "$ID71" "$TITLE71" "NOT_SCORED" "EXTRA"
|
textTitle "$ID71" "$TITLE71" "NOT_SCORED" "EXTRA"
|
||||||
|
|
||||||
ADMIN_GROUPS=''
|
ADMIN_GROUPS=''
|
||||||
@@ -1548,9 +1620,7 @@ extra71(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
extra72(){
|
extra72(){
|
||||||
#set -x
|
# "Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
|
||||||
ID72="7.2,7.02"
|
|
||||||
TITLE72="Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
|
|
||||||
textTitle "$ID72" "$TITLE72" "NOT_SCORED" "EXTRA"
|
textTitle "$ID72" "$TITLE72" "NOT_SCORED" "EXTRA"
|
||||||
textNotice "Looking for EBS Snapshots in all regions... "
|
textNotice "Looking for EBS Snapshots in all regions... "
|
||||||
for regx in $REGIONS; do
|
for regx in $REGIONS; do
|
||||||
@@ -1568,9 +1638,7 @@ extra72(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
extra73(){
|
extra73(){
|
||||||
#set -x
|
# "Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)"
|
||||||
ID73="7.3,7.03"
|
|
||||||
TITLE73="Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)"
|
|
||||||
textTitle "$ID73" "$TITLE73" "NOT_SCORED" "EXTRA"
|
textTitle "$ID73" "$TITLE73" "NOT_SCORED" "EXTRA"
|
||||||
textNotice "Looking for open S3 Buckets (ACLs and Policies) in all regions... "
|
textNotice "Looking for open S3 Buckets (ACLs and Policies) in all regions... "
|
||||||
ALL_BUCKETS_LIST=$($AWSCLI s3api list-buckets --query 'Buckets[*].{Name:Name}' $PROFILE_OPT --region $REGION --output text)
|
ALL_BUCKETS_LIST=$($AWSCLI s3api list-buckets --query 'Buckets[*].{Name:Name}' $PROFILE_OPT --region $REGION --output text)
|
||||||
@@ -1611,9 +1679,7 @@ extra73(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
extra74(){
|
extra74(){
|
||||||
#set -x
|
# "Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)"
|
||||||
ID74="7.4,7.04"
|
|
||||||
TITLE74="Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)"
|
|
||||||
textTitle "$ID74" "$TITLE74" "NOT_SCORED" "EXTRA"
|
textTitle "$ID74" "$TITLE74" "NOT_SCORED" "EXTRA"
|
||||||
textNotice "Looking for Security Groups in all regions... "
|
textNotice "Looking for Security Groups in all regions... "
|
||||||
for regx in $REGIONS; do
|
for regx in $REGIONS; do
|
||||||
@@ -1631,9 +1697,7 @@ extra74(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
extra75(){
|
extra75(){
|
||||||
#set -x
|
# "Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)"
|
||||||
ID75="7.5,7.05"
|
|
||||||
TITLE75="Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)"
|
|
||||||
textTitle "$ID75" "$TITLE75" "NOT_SCORED" "EXTRA"
|
textTitle "$ID75" "$TITLE75" "NOT_SCORED" "EXTRA"
|
||||||
textNotice "Looking for Security Groups in all regions... "
|
textNotice "Looking for Security Groups in all regions... "
|
||||||
for regx in $REGIONS; do
|
for regx in $REGIONS; do
|
||||||
@@ -1650,9 +1714,7 @@ extra75(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
extra76(){
|
extra76(){
|
||||||
#set -x
|
# "Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)"
|
||||||
ID76="7.6,7.06"
|
|
||||||
TITLE76="Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)"
|
|
||||||
textTitle "$ID76" "$TITLE76" "NOT_SCORED" "EXTRA"
|
textTitle "$ID76" "$TITLE76" "NOT_SCORED" "EXTRA"
|
||||||
textNotice "Looking for AMIs in all regions... "
|
textNotice "Looking for AMIs in all regions... "
|
||||||
for regx in $REGIONS; do
|
for regx in $REGIONS; do
|
||||||
@@ -1773,6 +1835,75 @@ callCheck(){
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# List only check tittles
|
||||||
|
|
||||||
|
if [[ $PRINTCHECKSONLY == "1" ]]; then
|
||||||
|
prowlerBanner
|
||||||
|
textTitle "1" "$TITLE1" "NOT_SCORED" "SUPPORT"
|
||||||
|
textTitle "$ID11" "$TITLE11" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID12" "$TITLE12" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID13" "$TITLE13" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID14" "$TITLE14" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID15" "$TITLE15" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID16" "$TITLE16" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID17" "$TITLE17" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID18" "$TITLE18" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID19" "$TITLE19" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID110" "$TITLE110" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID111" "$TITLE111" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID112" "$TITLE112" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID113" "$TITLE113" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID114" "$TITLE114" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID115" "$TITLE115" "NOT_SCORED" "LEVEL2"
|
||||||
|
textTitle "$ID116" "$TITLE116" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID117" "$TITLE117" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID118" "$TITLE118" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID119" "$TITLE119" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID120" "$TITLE120" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID121" "$TITLE121" "NOT_SCORED" "LEVEL2"
|
||||||
|
textTitle "$ID122" "$TITLE122" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID123" "$TITLE123" "NOT_SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID124" "$TITLE124" "SCORED" "LEVEL1"
|
||||||
|
textTitle "2" "$TITLE2" "NOT_SCORED" "SUPPORT"
|
||||||
|
textTitle "$ID21" "$TITLE21" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID22" "$TITLE22" "SCORED" "LEVEL2"
|
||||||
|
textTitle "$ID23" "$TITLE23" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID24" "$TITLE24" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID25" "$TITLE25" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID26" "$TITLE26" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID27" "$TITLE27" "SCORED" "LEVEL2"
|
||||||
|
textTitle "$ID28" "$TITLE28" "SCORED" "LEVEL2"
|
||||||
|
textTitle "3" "$TITLE3" "NOT_SCORED" "SUPPORT"
|
||||||
|
textTitle "$ID31" "$TITLE31" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID32" "$TITLE32" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID33" "$TITLE33" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID34" "$TITLE34" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID35" "$TITLE35" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID36" "$TITLE36" "SCORED" "LEVEL2"
|
||||||
|
textTitle "$ID37" "$TITLE37" "SCORED" "LEVEL2"
|
||||||
|
textTitle "$ID38" "$TITLE38" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID39" "$TITLE39" "SCORED" "LEVEL2"
|
||||||
|
textTitle "$ID310" "$TITLE310" "SCORED" "LEVEL2"
|
||||||
|
textTitle "$ID311" "$TITLE311" "SCORED" "LEVEL2"
|
||||||
|
textTitle "$ID312" "$TITLE312" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID313" "$TITLE313" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID314" "$TITLE314" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID315" "$TITLE315" "NOT_SCORED" "LEVEL1"
|
||||||
|
textTitle "4" "$TITLE4" "NOT_SCORED" "SUPPORT"
|
||||||
|
textTitle "$ID41" "$TITLE41" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID42" "$TITLE42" "SCORED" "LEVEL1"
|
||||||
|
textTitle "$ID43" "$TITLE43" "SCORED" "LEVEL2"
|
||||||
|
textTitle "$ID44" "$TITLE44" "SCORED" "LEVEL2"
|
||||||
|
textTitle "$ID45" "$TITLE45" "NOT_SCORED" "LEVEL2"
|
||||||
|
textTitle "7" "$TITLE7" "NOT_SCORED" "SUPPORT"
|
||||||
|
textTitle "$ID71" "$TITLE71" "NOT_SCORED" "EXTRA"
|
||||||
|
textTitle "$ID72" "$TITLE72" "NOT_SCORED" "EXTRA"
|
||||||
|
textTitle "$ID73" "$TITLE73" "NOT_SCORED" "EXTRA"
|
||||||
|
textTitle "$ID74" "$TITLE74" "NOT_SCORED" "EXTRA"
|
||||||
|
textTitle "$ID75" "$TITLE75" "NOT_SCORED" "EXTRA"
|
||||||
|
textTitle "$ID76" "$TITLE76" "NOT_SCORED" "EXTRA"
|
||||||
|
exit $EXITCODE
|
||||||
|
fi
|
||||||
|
|
||||||
### All functions defined above ... run the workflow
|
### All functions defined above ... run the workflow
|
||||||
|
|
||||||
@@ -1783,11 +1914,8 @@ fi
|
|||||||
getWhoami
|
getWhoami
|
||||||
genCredReport
|
genCredReport
|
||||||
saveReport
|
saveReport
|
||||||
|
|
||||||
|
|
||||||
callCheck
|
callCheck
|
||||||
|
|
||||||
TITLE1="Identity and Access Management ****************************************"
|
|
||||||
textTitle "1" "$TITLE1" "NOT_SCORED" "SUPPORT"
|
textTitle "1" "$TITLE1" "NOT_SCORED" "SUPPORT"
|
||||||
check11
|
check11
|
||||||
check12
|
check12
|
||||||
@@ -1814,7 +1942,6 @@ check122
|
|||||||
check123
|
check123
|
||||||
check124
|
check124
|
||||||
|
|
||||||
TITLE2="Logging ***************************************************************"
|
|
||||||
textTitle "2" "$TITLE2" "NOT_SCORED" "SUPPORT"
|
textTitle "2" "$TITLE2" "NOT_SCORED" "SUPPORT"
|
||||||
check21
|
check21
|
||||||
check22
|
check22
|
||||||
@@ -1825,7 +1952,6 @@ check26
|
|||||||
check27
|
check27
|
||||||
check28
|
check28
|
||||||
|
|
||||||
TITLE3="Monitoring ************************************************************"
|
|
||||||
textTitle "3" "$TITLE3" "NOT_SCORED" "SUPPORT"
|
textTitle "3" "$TITLE3" "NOT_SCORED" "SUPPORT"
|
||||||
# 3 Monitoring check commands / Mostly covered by SecurityMonkey
|
# 3 Monitoring check commands / Mostly covered by SecurityMonkey
|
||||||
check31
|
check31
|
||||||
@@ -1844,7 +1970,6 @@ check313
|
|||||||
check314
|
check314
|
||||||
check315
|
check315
|
||||||
|
|
||||||
TITLE4="Networking ************************************************************"
|
|
||||||
textTitle "4" "$TITLE4" "NOT_SCORED" "SUPPORT"
|
textTitle "4" "$TITLE4" "NOT_SCORED" "SUPPORT"
|
||||||
check41
|
check41
|
||||||
check42
|
check42
|
||||||
@@ -1852,7 +1977,6 @@ check43
|
|||||||
check44
|
check44
|
||||||
check45
|
check45
|
||||||
|
|
||||||
TITLE7="Extras ************************************************************"
|
|
||||||
textTitle "7" "$TITLE7" "NOT_SCORED" "SUPPORT"
|
textTitle "7" "$TITLE7" "NOT_SCORED" "SUPPORT"
|
||||||
extra71
|
extra71
|
||||||
extra72
|
extra72
|
||||||
|
|||||||
Reference in New Issue
Block a user