diff --git a/checks/check11 b/checks/check11
index b77edbbe..6162db56 100644
--- a/checks/check11
+++ b/checks/check11
@@ -35,13 +35,13 @@ check11(){
 days_not_in_use=$(how_many_days_from_today ${date%T*})
 if [ "$days_not_in_use" -gt "$MAX_DAYS" ];then
 failures=1
- textFail "Root user in the account was last accessed ${MAX_DAYS#-} day ago"
+ textFail "$REGION: Root user in the account was last accessed ${MAX_DAYS#-} day ago" "$REGION" "root"
 break
 fi
 fi
 done
 if [[ $failures == 0 ]]; then
- textPass "Root user in the account wasn't accessed in the last ${MAX_DAYS#-} days"
+ textPass "$REGION: Root user in the account wasn't accessed in the last ${MAX_DAYS#-} days" "$REGION" "root"
 fi
 }
diff --git a/checks/check110 b/checks/check110
index e031bf60..2e60a65e 100644
--- a/checks/check110
+++ b/checks/check110
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check110="1.10"
-CHECK_TITLE_check110="[check110] Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
+CHECK_TITLE_check110="[check110] Ensure IAM password policy prevents password reuse: 24 or greater"
 CHECK_SCORED_check110="SCORED"
 CHECK_TYPE_check110="LEVEL1"
 CHECK_SEVERITY_check110="Medium"
@@ -29,11 +29,11 @@ check110(){
 COMMAND110=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --query 'PasswordPolicy.PasswordReusePrevention' --output text 2> /dev/null)
 if [[ $COMMAND110 ]];then
 if [[ $COMMAND110 -gt "23" ]];then
- textPass "Password Policy limits reuse"
+ textPass "$REGION: Password Policy limits reuse" "$REGION" "password policy"
 else
- textFail "Password Policy has weak reuse requirement (lower than 24)"
+ textFail "$REGION: Password Policy has weak reuse requirement (lower than 24)" "$REGION" "password policy"
 fi
 else
- textFail "Password Policy missing reuse requirement"
+ textFail "$REGION: Password Policy missing reuse requirement" "$REGION" "password policy"
 fi
 }
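Review bot: The new `textFail` line in check11 reports the threshold rather than the measurement: it prints `${MAX_DAYS#-} day ago` although the branch is entered because `days_not_in_use` exceeded `MAX_DAYS`, so a root login far older than the threshold is still reported as exactly "N day ago" (and singular at that). The measured value is already in hand on the line above, so `textFail "$REGION: Root user in the account was last accessed ${days_not_in_use#-} days ago (threshold ${MAX_DAYS#-})" "$REGION" "root"` keeps the finding actionable without touching the comparison. The loop that sets `$date` starts before this hunk, so how `days_not_in_use` is signed is not visible here — confirm before changing the sign handling.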
diff --git a/checks/check111 b/checks/check111
index 1cc174da..1a696f0b 100644
--- a/checks/check111
+++ b/checks/check111
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check111="1.11"
-CHECK_TITLE_check111="[check111] Ensure IAM password policy expires passwords within 90 days or less (Scored)"
+CHECK_TITLE_check111="[check111] Ensure IAM password policy expires passwords within 90 days or less"
 CHECK_SCORED_check111="SCORED"
 CHECK_TYPE_check111="LEVEL1"
 CHECK_SEVERITY_check111="Medium"
@@ -29,11 +29,11 @@ check111(){
 COMMAND111=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --query PasswordPolicy.MaxPasswordAge --output text 2> /dev/null)
 if [[ $COMMAND111 == [0-9]* ]];then
 if [[ "$COMMAND111" -le "90" ]];then
- textPass "Password Policy includes expiration (Value: $COMMAND111)"
+ textPass "$REGION: Password Policy includes expiration (Value: $COMMAND111)" "$REGION" "password policy"
 else
- textFail "Password expiration is set greater than 90 days"
+ textFail "$REGION: Password expiration is set greater than 90 days" "$REGION" "password policy"
 fi
 else
- textFail "Password expiration is not set"
+ textFail "$REGION: Password expiration is not set" "$REGION" "password policy"
 fi
 }
diff --git a/checks/check112 b/checks/check112
index 0336877a..f2f6c422 100644
--- a/checks/check112
+++ b/checks/check112
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check112="1.12"
-CHECK_TITLE_check112="[check112] Ensure no root account access key exists (Scored)"
+CHECK_TITLE_check112="[check112] Ensure no root account access key exists"
 CHECK_SCORED_check112="SCORED"
 CHECK_TYPE_check112="LEVEL1"
 CHECK_SEVERITY_check112="Critical"
@@ -30,13 +30,13 @@ check112(){
 ROOTKEY1=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $9 }')
 ROOTKEY2=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $14 }')
 if [ "$ROOTKEY1" == "false" ];then
- textPass "No access key 1 found for root"
+ textPass "$REGION: No access key 1 found for root" "$REGION" "root access key1"
 else
- textFail "Found access key 1 for root"
+ textFail "$REGION: Found access key 1 for root" "$REGION" "root access key1"
 fi
 if [ "$ROOTKEY2" == "false" ];then
- textPass "No access key 2 found for root"
+ textPass "$REGION: No access key 2 found for root" "$REGION" "root access key2"
 else
- textFail "Found access key 2 for root"
+ textFail "$REGION: Found access key 2 for root" "$REGION" "root access key2"
 fi
 }
diff --git a/checks/check113 b/checks/check113
index 63717306..657c9b0a 100644
--- a/checks/check113
+++ b/checks/check113
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check113="1.13"
-CHECK_TITLE_check113="[check113] Ensure MFA is enabled for the root account (Scored)"
+CHECK_TITLE_check113="[check113] Ensure MFA is enabled for the root account"
 CHECK_SCORED_check113="SCORED"
 CHECK_TYPE_check113="LEVEL1"
 CHECK_SEVERITY_check113="Critical"
@@ -28,8 +28,8 @@ check113(){
 # "Ensure MFA is enabled for the root account (Scored)"
 COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
 if [ "$COMMAND113" == "1" ]; then
- textPass "Virtual MFA is enabled for root"
+ textPass "$REGION: Virtual MFA is enabled for root" "$REGION" "MFA"
 else
- textFail "MFA is not ENABLED for root account"
+ textFail "$REGION: MFA is not ENABLED for root account" "$REGION" "MFA"
 fi
 }
diff --git a/checks/check114 b/checks/check114
index f8a5b315..7872583f 100644
--- a/checks/check114
+++ b/checks/check114
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check114="1.14"
-CHECK_TITLE_check114="[check114] Ensure hardware MFA is enabled for the root account (Scored)"
+CHECK_TITLE_check114="[check114] Ensure hardware MFA is enabled for the root account"
 CHECK_SCORED_check114="SCORED"
 CHECK_TYPE_check114="LEVEL2"
 CHECK_SEVERITY_check114="Critical"
@@ -30,11 +30,11 @@ check114(){
 if [ "$COMMAND113" == "1" ]; then
 COMMAND114=$($AWSCLI iam list-virtual-mfa-devices $PROFILE_OPT --region $REGION --output text --assignment-status Assigned --query 'VirtualMFADevices[*].[SerialNumber]' | grep "^arn:${AWS_PARTITION}:iam::[0-9]\{12\}:mfa/root-account-mfa-device$")
 if [[ "$COMMAND114" ]]; then
- textFail "Only Virtual MFA is enabled for root"
+ textFail "$REGION: Only Virtual MFA is enabled for root" "$REGION" "MFA"
 else
- textPass "Hardware MFA is enabled for root"
+ textPass "$REGION: Hardware MFA is enabled for root" "$REGION" "MFA"
 fi
 else
- textFail "MFA is not ENABLED for root account"
+ textFail "$REGION: MFA is not ENABLED for root account" "$REGION" "MFA"
 fi
 }
diff --git a/checks/check115 b/checks/check115
index 54dfc0a9..356ba6d7 100644
--- a/checks/check115
+++ b/checks/check115
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check115="1.15"
-CHECK_TITLE_check115="[check115] Ensure security questions are registered in the AWS account (Not Scored)"
+CHECK_TITLE_check115="[check115] Ensure security questions are registered in the AWS account"
 CHECK_SCORED_check115="NOT_SCORED"
 CHECK_TYPE_check115="LEVEL1"
 CHECK_SEVERITY_check115="Medium"
@@ -26,7 +26,5 @@ CHECK_CAF_EPIC_check115='IAM'
 check115(){
 # "Ensure security questions are registered in the AWS account (Not Scored)"
- textInfo "No command available for check 1.15 "
- textInfo "Login to the AWS Console as root & click on the Account "
- textInfo "Name -> My Account -> Configure Security Challenge Questions "
+ textInfo "No command available for check 1.15. Login to the AWS Console as root & click on the Account. Name -> My Account -> Configure Security Challenge Questions."
 }
diff --git a/checks/check116 b/checks/check116
index 2d864117..18a0cbc3 100644
--- a/checks/check116
+++ b/checks/check116
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check116="1.16"
-CHECK_TITLE_check116="[check116] Ensure IAM policies are attached only to groups or roles (Scored)"
+CHECK_TITLE_check116="[check116] Ensure IAM policies are attached only to groups or roles"
 CHECK_SCORED_check116="SCORED"
 CHECK_TYPE_check116="LEVEL1"
 CHECK_SEVERITY_check116="Low"
@@ -33,16 +33,16 @@ check116(){
 for user in $LIST_USERS;do
 USER_POLICY=$($AWSCLI iam list-attached-user-policies --output text $PROFILE_OPT --region $REGION --user-name $user)
 if [[ $USER_POLICY ]]; then
- textFail "$user has managed policy directly attached" "us-east-1" "$user"
+ textFail "$REGION: $user has managed policy directly attached" "$REGION" "$user"
 C116_NUM_USERS=$(expr $C116_NUM_USERS + 1)
 fi
 USER_POLICY=$($AWSCLI iam list-user-policies --output text $PROFILE_OPT --region $REGION --user-name $user)
 if [[ $USER_POLICY ]]; then
- textFail "$user has inline policy directly attached" "us-east-1" "$user"
+ textFail "$REGION: $user has inline policy directly attached" "$REGION" "$user"
 C116_NUM_USERS=$(expr $C116_NUM_USERS + 1)
 fi
 done
 if [[ $C116_NUM_USERS -eq 0 ]]; then
- textPass "No policies attached to users"
+ textPass "$REGION: No policies attached to users" "$REGION" "$user"
 fi
 }
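Review bot: Merging the three `textInfo` lines of check115 inserted a sentence break inside the console path: the removed lines read `click on the Account ` followed by `Name -> My Account -> ...`, and the new line reads `click on the Account. Name -> My Account`, which now directs the reader to a menu item that does not exist. Suggest `textInfo "No command available for check 1.15. Login to the AWS Console as root & click on the Account Name -> My Account -> Configure Security Challenge Questions."`; the equivalent merges in check117 and check118 are fine. Note also that these `textInfo` calls carry no region/resource arguments while every other output call in this commit gained them; whether the output writer tolerates the short form depends on textInfo's definition, which is not on this page.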
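Review bot: In the `textPass "$REGION: No policies attached to users" "$REGION" "$user"` line of check116 the resource argument is a stale loop variable: after `for user in $LIST_USERS` completes, `$user` holds the last user iterated (or nothing when the list was empty), so the pass row is attributed to an arbitrary IAM user rather than the account-level scope the message describes. The same pattern appears in check12 (`"$u"`), check119 (`"$instance"` in the no-instances branch), check120 (`"$name"`), check121 and check14 (`"$user"`), check122 (`"$policy"`), and in check21, check22, check23, check24 and check26 where `"$trail"` is passed in the AccessDenied branch before any trail has been read and again in the `trail_count == 0` branch. The commit's own check25 shows the better form with a fixed descriptor; here that would be `textPass "$REGION: No policies attached to users" "$REGION" "users"`, and `"$regx" "trails"` for the CloudTrail cases. Consumers that key findings by resource id would otherwise see a real user named on a row that has nothing to do with it.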
diff --git a/checks/check117 b/checks/check117
index 85c5eb56..e9854cd0 100644
--- a/checks/check117
+++ b/checks/check117
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check117="1.17"
-CHECK_TITLE_check117="[check117] Maintain current contact details (Not Scored)"
+CHECK_TITLE_check117="[check117] Maintain current contact details"
 CHECK_SCORED_check117="NOT_SCORED"
 CHECK_TYPE_check117="LEVEL1"
 CHECK_SEVERITY_check117="Medium"
@@ -27,6 +27,5 @@ CHECK_CAF_EPIC_check117='IAM'
 check117(){
 # "Maintain current contact details (Scored)"
 # No command available
- textInfo "No command available for check 1.17 "
- textInfo "See section 1.17 on the CIS Benchmark guide for details "
+ textInfo "No command available for check 1.17. See section 1.17 on the CIS Benchmark guide for details."
 }
diff --git a/checks/check118 b/checks/check118
index c57647d5..736bb594 100644
--- a/checks/check118
+++ b/checks/check118
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check118="1.18"
-CHECK_TITLE_check118="[check118] Ensure security contact information is registered (Not Scored)"
+CHECK_TITLE_check118="[check118] Ensure security contact information is registered"
 CHECK_SCORED_check118="NOT_SCORED"
 CHECK_TYPE_check118="LEVEL1"
 CHECK_SEVERITY_check118="Medium"
@@ -27,6 +27,5 @@ CHECK_CAF_EPIC_check118='IAM'
 check118(){
 # "Ensure security contact information is registered (Scored)"
 # No command available
- textInfo "No command available for check 1.18 "
- textInfo "See section 1.18 on the CIS Benchmark guide for details "
+ textInfo "No command available for check 1.18. See section 1.18 on the CIS Benchmark guide for details."
 }
diff --git a/checks/check119 b/checks/check119
index e82f8e83..e9d148dc 100644
--- a/checks/check119
+++ b/checks/check119
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check119="1.19"
-CHECK_TITLE_check119="[check119] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
+CHECK_TITLE_check119="[check119] Ensure IAM instance roles are used for AWS resource access from instances"
 CHECK_SCORED_check119="NOT_SCORED"
 CHECK_TYPE_check119="LEVEL2"
 CHECK_SEVERITY_check119="Medium"
@@ -38,12 +38,12 @@ check119(){
 if [[ $PROFILEARN == "null" ]]; then
 textFail "$regx: Instance $instance not associated with an instance role" "$regx" "$instance"
 else
- textPass "$regx: Instance $instance associated with role ${PROFILEARN##*/}" $regx
+ textPass "$regx: Instance $instance associated with role ${PROFILEARN##*/}" "$regx" "$instance"
 fi
 fi
 done
 else
- textInfo "$regx: No EC2 instances found" $regx
+ textInfo "$regx: No EC2 instances found" "$regx" "$instance"
 fi
 done
 }
diff --git a/checks/check12 b/checks/check12
index 63314bab..15ae9e4b 100644
--- a/checks/check12
+++ b/checks/check12
@@ -36,9 +36,9 @@ check12(){
 done)
 if [[ $COMMAND12 ]]; then
 for u in $COMMAND12; do
- textFail "User $u has Password enabled but MFA disabled"
+ textFail "$REGION: User $u has Password enabled but MFA disabled" "$REGION" "$u"
 done
 else
- textPass "No users found with Password enabled and MFA disabled"
+ textPass "$REGION: No users found with Password enabled and MFA disabled" "$REGION" "$u"
 fi
 }
diff --git a/checks/check120 b/checks/check120
index 6cabbad4..e2935a5b 100644
--- a/checks/check120
+++ b/checks/check120
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check120="1.20"
-CHECK_TITLE_check120="[check120] Ensure a support role has been created to manage incidents with AWS Support (Scored)"
+CHECK_TITLE_check120="[check120] Ensure a support role has been created to manage incidents with AWS Support"
 CHECK_SCORED_check120="SCORED"
 CHECK_TYPE_check120="LEVEL1"
 CHECK_SEVERITY_check120="Medium"
@@ -34,16 +34,16 @@ check120(){
 POLICYROLES=$($AWSCLI iam list-entities-for-policy --policy-arn $SUPPORTPOLICYARN $PROFILE_OPT --region $REGION --output text | awk -F$'\t' '{ print $3 }')
 if [[ $POLICYROLES ]];then
 for name in $POLICYROLES; do
- textPass "Support Policy attached to $name"
+ textPass "$REGION: Support Policy attached to $name" "$REGION" "$name"
 done
 # for user in $(echo "$POLICYUSERS" | grep UserName | cut -d'"' -f4) ; do
 # textInfo "User $user has support access via $policyarn"
 # done
 else
- textFail "Support Policy not applied to any Role"
+ textFail "$REGION: Support Policy not applied to any Role" "$REGION" "$name"
 fi
 done
 else
- textFail "No Support Policy found"
+ textFail "$REGION: No Support Policy found" "$REGION" "$name"
 fi
 }
diff --git a/checks/check121 b/checks/check121
index 26f2458e..64dd729c 100644
--- a/checks/check121
+++ b/checks/check121
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check121="1.21"
-CHECK_TITLE_check121="[check121] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
+CHECK_TITLE_check121="[check121] Do not setup access keys during initial user setup for all IAM users that have a console password"
 CHECK_SCORED_check121="NOT_SCORED"
 CHECK_TYPE_check121="LEVEL1"
 CHECK_SEVERITY_check121="Medium"
@@ -35,10 +35,10 @@ check121(){
 LIST_USERS_KEY1_ACTIVE=$(for user in $LIST_USERS_KEY1_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$4,$9 }'|grep "true true$"|awk '{ print $1 }'|sed 's/[[:blank:]]+/,/g' ; done)
 if [[ $LIST_USERS_KEY1_ACTIVE ]]; then
 for user in $LIST_USERS_KEY1_ACTIVE; do
- textFail "User $user has never used access key 1" "us-east-1" "$user"
+ textFail "$REGION: User $user has never used access key 1" "$REGION" "$user"
 done
 else
- textPass "No users found with access key 1 never used"
+ textPass "$REGION: No users found with access key 1 never used" "$REGION" "$user"
 fi
 # List of USERS with KEY2 last_used_date as N/A
 LIST_USERS_KEY2_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$16 }'|grep N/A |awk '{ print $1 }' ; done)
@@ -46,9 +46,9 @@ check121(){
 LIST_USERS_KEY2_ACTIVE=$(for user in $LIST_USERS_KEY2_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$4,$14 }'|grep "true true$" |awk '{ print $1 }' ; done)
 if [[ $LIST_USERS_KEY2_ACTIVE ]]; then
 for user in $LIST_USERS_KEY2_ACTIVE; do
- textFail "User $user has never used access key 2"
+ textFail "$REGION: User $user has never used access key 2" "$REGION" "$user"
 done
 else
- textPass "No users found with access key 2 never used"
+ textPass "$REGION: No users found with access key 2 never used" "$REGION" "$user"
 fi
 }
diff --git a/checks/check122 b/checks/check122
index 0aa01e3c..70423199 100644
--- a/checks/check122
+++ b/checks/check122
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check122="1.22"
-CHECK_TITLE_check122="[check122] Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
+CHECK_TITLE_check122="[check122] Ensure IAM policies that allow full \"*:*\" administrative privileges are not created"
 CHECK_SCORED_check122="SCORED"
 CHECK_TYPE_check122="LEVEL1"
 CHECK_SEVERITY_check122="Medium"
@@ -29,7 +29,6 @@ check122(){
 # "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
 LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION --scope Local --query 'Policies[*].[Arn,DefaultVersionId]' | grep -v -e '^None$' | awk -F '\t' '{print $1","$2"\n"}')
 if [[ $LIST_CUSTOM_POLICIES ]]; then
- textInfo "Looking for custom policies: (skipping default policies - it may take few seconds...)"
 for policy in $LIST_CUSTOM_POLICIES; do
 POLICY_ARN=$(echo $policy | awk -F ',' '{print $1}')
 POLICY_VERSION=$(echo $policy | awk -F ',' '{print $2}')
@@ -39,14 +38,13 @@ check122(){
 fi
 done
 if [[ $POLICIES_ALLOW_LIST ]]; then
- textInfo "List of custom policies: "
 for policy in $POLICIES_ALLOW_LIST; do
- textFail "Policy $policy allows \"*:*\"" "us-east-1" "$policy"
+ textFail "$REGION: Policy $policy allows \"*:*\"" "$REGION" "$policy"
 done
 else
- textPass "No custom policy found that allow full \"*:*\" administrative privileges"
+ textPass "$REGION: No custom policy found that allow full \"*:*\" administrative privileges" "$REGION" "$policy"
 fi
 else
- textPass "No custom policies found"
+ textPass "$REGION: No custom policies found" "$REGION" "$policy"
 fi
 }
diff --git a/checks/check13 b/checks/check13
index 6ede4ae6..81b2c52b 100644
--- a/checks/check13
+++ b/checks/check13
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check13="1.3"
-CHECK_TITLE_check13="[check13] Ensure credentials unused for 90 days or greater are disabled (Scored)"
+CHECK_TITLE_check13="[check13] Ensure credentials unused for 90 days or greater are disabled"
 CHECK_SCORED_check13="SCORED"
 CHECK_TYPE_check13="LEVEL1"
 CHECK_SEVERITY_check13="Medium"
diff --git a/checks/check14 b/checks/check14
index 594a785e..0d9d1cc7 100644
--- a/checks/check14
+++ b/checks/check14
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check14="1.4"
-CHECK_TITLE_check14="[check14] Ensure access keys are rotated every 90 days or less (Scored)"
+CHECK_TITLE_check14="[check14] Ensure access keys are rotated every 90 days or less"
 CHECK_SCORED_check14="SCORED"
 CHECK_TYPE_check14="LEVEL1"
 CHECK_SEVERITY_check14="Medium"
@@ -40,15 +40,15 @@ check14(){
 HOWOLDER=$(how_older_from_today $DATEROTATED1)
 if [ $HOWOLDER -gt "90" ];then
- textFail "$user has not rotated access key 1 in over 90 days" "us-east-1" "$user"
+ textFail "$REGION: $user has not rotated access key 1 in over 90 days" "$REGION" "$user"
 C14_NUM_USERS1=$(expr $C14_NUM_USERS1 + 1)
 fi
 done
 if [[ $C14_NUM_USERS1 -eq 0 ]]; then
- textPass "No users with access key 1 older than 90 days"
+ textPass "$REGION: No users with access key 1 older than 90 days" "$REGION" "$user"
 fi
 else
- textPass "No users with access key 1"
+ textPass "$REGION: No users with access key 1" "$REGION" "$user"
 fi
 if [[ $LIST_OF_USERS_WITH_ACCESS_KEY2 ]]; then
@@ -58,14 +58,14 @@ check14(){
 DATEROTATED2=$(cat $TEMP_REPORT_FILE | grep -v user_creation_time | grep "^${user},"| awk -F, '{ print $15 }' | grep -v "N/A" | awk -F"T" '{ print $1 }')
 HOWOLDER=$(how_older_from_today $DATEROTATED2)
 if [ $HOWOLDER -gt "90" ];then
- textFail "$user has not rotated access key 2 in over 90 days" "us-east-1" "$user"
+ textFail "$REGION: $user has not rotated access key 2 in over 90 days" "$REGION" "$user"
 C14_NUM_USERS2=$(expr $C14_NUM_USERS2 + 1)
 fi
 done
 if [[ $C14_NUM_USERS2 -eq 0 ]]; then
- textPass "No users with access key 2 older than 90 days"
+ textPass "$REGION: No users with access key 2 older than 90 days" "$REGION" "$user"
 fi
 else
- textPass "No users with access key 2"
+ textPass "$REGION: No users with access key 2" "$REGION" "$user"
 fi
 }
diff --git a/checks/check15 b/checks/check15
index 902efcdf..079245d0 100644
--- a/checks/check15
+++ b/checks/check15
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check15="1.5"
-CHECK_TITLE_check15="[check15] Ensure IAM password policy requires at least one uppercase letter (Scored)"
+CHECK_TITLE_check15="[check15] Ensure IAM password policy requires at least one uppercase letter"
 CHECK_SCORED_check15="SCORED"
 CHECK_TYPE_check15="LEVEL1"
 CHECK_SEVERITY_check15="Medium"
@@ -28,8 +28,8 @@ check15(){
 # "Ensure IAM password policy requires at least one uppercase letter (Scored)"
 COMMAND15=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireUppercaseCharacters' 2> /dev/null) # must be true
 if [[ "$COMMAND15" == "true" ]];then
- textPass "Password Policy requires upper case"
+ textPass "$REGION: Password Policy requires upper case" "$REGION" "password policy"
 else
- textFail "Password Policy missing upper-case requirement"
+ textFail "$REGION: Password Policy missing upper-case requirement" "$REGION" "password policy"
 fi
 }
diff --git a/checks/check16 b/checks/check16
index bb818535..719811d9 100644
--- a/checks/check16
+++ b/checks/check16
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check16="1.6"
-CHECK_TITLE_check16="[check16] Ensure IAM password policy require at least one lowercase letter (Scored)"
+CHECK_TITLE_check16="[check16] Ensure IAM password policy require at least one lowercase letter"
 CHECK_SCORED_check16="SCORED"
 CHECK_TYPE_check16="LEVEL1"
 CHECK_SEVERITY_check16="Medium"
@@ -28,8 +28,8 @@ check16(){
 # "Ensure IAM password policy require at least one lowercase letter (Scored)"
 COMMAND16=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireLowercaseCharacters' 2> /dev/null) # must be true
 if [[ "$COMMAND16" == "true" ]];then
- textPass "Password Policy requires lower case"
+ textPass "$REGION: Password Policy requires lower case" "$REGION" "password policy"
 else
- textFail "Password Policy missing lower-case requirement"
+ textFail "$REGION: Password Policy missing lower-case requirement" "$REGION" "password policy"
 fi
 }
diff --git a/checks/check17 b/checks/check17
index 8995dcc3..72fdd247 100644
--- a/checks/check17
+++ b/checks/check17
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check17="1.7"
-CHECK_TITLE_check17="[check17] Ensure IAM password policy require at least one symbol (Scored)"
+CHECK_TITLE_check17="[check17] Ensure IAM password policy require at least one symbol"
 CHECK_SCORED_check17="SCORED"
 CHECK_TYPE_check17="LEVEL1"
 CHECK_SEVERITY_check17="Medium"
@@ -28,8 +28,8 @@ check17(){
 # "Ensure IAM password policy require at least one symbol (Scored)"
 COMMAND17=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireSymbols' 2> /dev/null) # must be true
 if [[ "$COMMAND17" == "true" ]];then
- textPass "Password Policy requires symbol"
+ textPass "$REGION: Password Policy requires symbol" "$REGION" "password policy"
 else
- textFail "Password Policy missing symbol requirement"
+ textFail "$REGION: Password Policy missing symbol requirement" "$REGION" "password policy"
 fi
 }
diff --git a/checks/check18 b/checks/check18
index cb68c2e9..c13e101b 100644
--- a/checks/check18
+++ b/checks/check18
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check18="1.8"
-CHECK_TITLE_check18="[check18] Ensure IAM password policy require at least one number (Scored)"
+CHECK_TITLE_check18="[check18] Ensure IAM password policy require at least one number"
 CHECK_SCORED_check18="SCORED"
 CHECK_TYPE_check18="LEVEL1"
 CHECK_SEVERITY_check18="Medium"
@@ -28,8 +28,8 @@ check18(){
 # "Ensure IAM password policy require at least one number (Scored)"
 COMMAND18=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireNumbers' 2> /dev/null) # must be true
 if [[ "$COMMAND18" == "true" ]];then
- textPass "Password Policy requires number"
+ textPass "$REGION: Password Policy requires number" "$REGION" "password policy"
 else
- textFail "Password Policy missing number requirement"
+ textFail "$REGION: Password Policy missing number requirement" "$REGION" "password policy"
 fi
 }
diff --git a/checks/check19 b/checks/check19
index c28d21d8..27a61f9d 100644
--- a/checks/check19
+++ b/checks/check19
@@ -28,8 +28,8 @@ check19(){
 # "Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
 COMMAND19=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.MinimumPasswordLength' 2> /dev/null)
 if [[ $COMMAND19 -gt "13" ]];then
- textPass "Password Policy requires more than 13 characters"
+ textPass "$REGION: Password Policy requires more than 13 characters" "$REGION" "password policy"
 else
- textFail "Password Policy missing or weak length requirement"
+ textFail "$REGION: Password Policy missing or weak length requirement" "$REGION" "password policy"
 fi
 }
diff --git a/checks/check21 b/checks/check21
index e88b2a71..bf7d2064 100644
--- a/checks/check21
+++ b/checks/check21
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check21="2.1"
-CHECK_TITLE_check21="[check21] Ensure CloudTrail is enabled in all regions (Scored)"
+CHECK_TITLE_check21="[check21] Ensure CloudTrail is enabled in all regions"
 CHECK_SCORED_check21="SCORED"
 CHECK_TYPE_check21="LEVEL1"
 CHECK_SEVERITY_check21="High"
@@ -32,7 +32,7 @@ check21(){
 for regx in $REGIONS; do
 TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].{Name:TrailARN, HomeRegion:HomeRegion}' --output text 2>&1 | tr " " ',')
 if [[ $(echo "$TRAILS_AND_REGIONS" | grep AccessDenied) ]]; then
- textFail "Access Denied trying to describe trails in $regx"
+ textFail "$regx: Access Denied trying to describe trails" "$regx" "$trail"
 continue
 fi
 if [[ $TRAILS_AND_REGIONS ]]; then
@@ -46,15 +46,15 @@ check21(){
 MULTIREGION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $TRAIL_REGION --query 'trailList[*].IsMultiRegionTrail' --output text --trail-name-list $trail)
 if [[ "$MULTIREGION_TRAIL_STATUS" == 'False' ]];then
- textFail "Trail $trail in $regx is not enabled for all regions" "$regx" "$trail"
+ textFail "$regx: Trail $trail is not enabled for all regions" "$regx" "$trail"
 else
- textPass "Trail $trail in $regx is enabled for all regions" "$regx" "$trail"
+ textPass "$regx: Trail $trail is enabled for all regions" "$regx" "$trail"
 fi
 done
 fi
 done
 if [[ $trail_count == 0 ]]; then
- textFail "No CloudTrail trails were found in the account"
+ textFail "$regx: No CloudTrail trails were found in the account" "$regx" "$trail"
 fi
 }
diff --git a/checks/check22 b/checks/check22
index 9aaba77c..3ae3e775 100644
--- a/checks/check22
+++ b/checks/check22
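Review bot: The `textFail "$regx: No CloudTrail trails were found in the account" "$regx" "$trail"` line in check21 runs after the `for regx in $REGIONS` loop has finished, so `$regx` is merely the last region iterated; the finding is account-wide, and check22, check23 and check24 tag the identical finding with `$REGION` instead, leaving one condition reported under two region conventions across four checks. Pick one — `"$REGION"` matches the other three — and use a fixed resource descriptor instead of `$trail`, which is unset when no trail was found: `textFail "$REGION: No CloudTrail trails were found in the account" "$REGION" "trails"`. check21's body begins before this hunk, so where `trail_count` is initialised is not visible here.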
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check22="2.2"
-CHECK_TITLE_check22="[check22] Ensure CloudTrail log file validation is enabled (Scored)"
+CHECK_TITLE_check22="[check22] Ensure CloudTrail log file validation is enabled"
 CHECK_SCORED_check22="SCORED"
 CHECK_TYPE_check22="LEVEL2"
 CHECK_SEVERITY_check22="Medium"
@@ -32,7 +32,7 @@ check22(){
 for regx in $REGIONS; do
 TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].{Name:TrailARN, HomeRegion:HomeRegion}' --output text 2>&1 | tr " " ',')
 if [[ $(echo "$TRAILS_AND_REGIONS" | grep AccessDenied) ]]; then
- textFail "Access Denied trying to describe trails in $regx"
+ textFail "$regx: Access Denied trying to describe trails" "$regx" "$trail"
 continue
 fi
 if [[ $TRAILS_AND_REGIONS ]]; then
@@ -46,15 +46,15 @@ check22(){
 LOGFILEVALIDATION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $TRAIL_REGION --query 'trailList[*].LogFileValidationEnabled' --output text --trail-name-list $trail)
 if [[ "$LOGFILEVALIDATION_TRAIL_STATUS" == 'False' ]];then
- textFail "Trail $trail in $regx log file validation disabled" "$regx" "$trail"
+ textFail "$regx: Trail $trail log file validation disabled" "$regx" "$trail"
 else
- textPass "Trail $trail in $regx log file validation enabled" "$regx" "$trail"
+ textPass "$regx: Trail $trail log file validation enabled" "$regx" "$trail"
 fi
 done
 fi
 done
 if [[ $trail_count == 0 ]]; then
- textFail "No CloudTrail trails were found in the account"
+ textFail "$REGION: No CloudTrail trails were found in the account" "$REGION" "$trail"
 fi
 }
diff --git a/checks/check23 b/checks/check23
index 719a3ac7..56984176 100644
--- a/checks/check23
+++ b/checks/check23
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check23="2.3"
-CHECK_TITLE_check23="[check23] Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
+CHECK_TITLE_check23="[check23] Ensure the S3 bucket CloudTrail logs to is not publicly accessible"
 CHECK_SCORED_check23="SCORED"
 CHECK_TYPE_check23="LEVEL1"
 CHECK_SEVERITY_check23="Critical"
@@ -32,7 +32,7 @@ check23(){
 for regx in $REGIONS; do
 TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].{Name:TrailARN, HomeRegion:HomeRegion}' --output text 2>&1 | tr " " ',')
 if [[ $(echo "$TRAILS_AND_REGIONS" | grep AccessDenied) ]]; then
- textFail "Access Denied trying to describe trails in $regx"
+ textFail "$regx: Access Denied trying to describe trails" "$regx" "$trail"
 continue
 fi
 if [[ $TRAILS_AND_REGIONS ]]; then
@@ -89,6 +89,6 @@ check23(){
 fi
 done
 if [[ $trail_count == 0 ]]; then
- textFail "No CloudTrail trails were found in the account"
+ textFail "$REGION: No CloudTrail trails were found in the account" "$REGION" "$trail"
 fi
 }
diff --git a/checks/check24 b/checks/check24
index 3146d71d..57691f3b 100644
--- a/checks/check24
+++ b/checks/check24
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check24="2.4"
-CHECK_TITLE_check24="[check24] Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
+CHECK_TITLE_check24="[check24] Ensure CloudTrail trails are integrated with CloudWatch Logs"
 CHECK_SCORED_check24="SCORED"
 CHECK_TYPE_check24="LEVEL1"
 CHECK_SEVERITY_check24="Low"
@@ -32,7 +32,7 @@ check24(){
 for regx in $REGIONS; do
 TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].{Name:TrailARN, HomeRegion:HomeRegion}' --output text 2>&1 | tr " " ',')
 if [[ $(echo "$TRAILS_AND_REGIONS" | grep AccessDenied) ]]; then
- textFail "Access Denied trying to describe trails in $regx"
+ textFail "$regx: Access Denied trying to describe trails" "$regx" "$trail"
 continue
 fi
 if [[ $TRAILS_AND_REGIONS ]]; then
@@ -46,14 +46,14 @@ check24(){
 LATESTDELIVERY_TIMESTAMP=$($AWSCLI cloudtrail get-trail-status --name $trail $PROFILE_OPT --region $TRAIL_REGION --query 'LatestCloudWatchLogsDeliveryTime' --output text|grep -v None)
 if [[ ! $LATESTDELIVERY_TIMESTAMP ]];then
- textFail "$trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)"
+ textFail "$TRAIL_REGION: $trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)" "$TRAIL_REGION" "$trail"
 else
 LATESTDELIVERY_DATE=$(timestamp_to_date $LATESTDELIVERY_TIMESTAMP)
 HOWOLDER=$(how_older_from_today $LATESTDELIVERY_DATE)
 if [ $HOWOLDER -gt "1" ];then
- textFail "$trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)"
+ textFail "$TRAIL_REGION: $trail trail is not logging in the last 24h or not configured" "$TRAIL_REGION" "$trail"
 else
- textPass "$trail trail has been logging during the last 24h (it is in $TRAIL_REGION)"
+ textPass "$TRAIL_REGION: $trail trail has been logging during the last 24h" "$TRAIL_REGION" "$trail"
 fi
 fi
@@ -61,6 +61,6 @@ check24(){
 fi
 done
 if [[ $trail_count == 0 ]]; then
- textFail "No CloudTrail trails were found in the account"
+ textFail "$REGION: No CloudTrail trails were found in the account" "$REGION" "$trail"
 fi
 }
diff --git a/checks/check25 b/checks/check25
index 3444bbdb..c853cde5 100644
--- a/checks/check25
+++ b/checks/check25
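Review bot: The first `textFail` of the `@@ -46,14 +46,14 @@` hunk in check24 still ends with `(it is in $TRAIL_REGION)` although the new `$TRAIL_REGION:` prefix and the explicit region argument now carry that information, while the sibling `textFail` for the same condition a few lines below dropped the suffix; the two messages now differ only by the redundant tail, which complicates de-duplicating findings by message text. Suggest `textFail "$TRAIL_REGION: $trail trail is not logging in the last 24h or not configured" "$TRAIL_REGION" "$trail"` so both branches emit identical text. The enclosing loop's `done` and the rest of check24 lie outside this hunk.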
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check25="2.5"
-CHECK_TITLE_check25="[check25] Ensure AWS Config is enabled in all regions (Scored)"
+CHECK_TITLE_check25="[check25] Ensure AWS Config is enabled in all regions"
 CHECK_SCORED_check25="SCORED"
 CHECK_TYPE_check25="LEVEL1"
 CHECK_SEVERITY_check25="Medium"
@@ -31,17 +31,17 @@ check25(){
 CHECK_AWSCONFIG_RECORDING=$($AWSCLI configservice describe-configuration-recorder-status $PROFILE_OPT --region $regx --query 'ConfigurationRecordersStatus[*].recording' --output text 2>&1)
 CHECK_AWSCONFIG_STATUS=$($AWSCLI configservice describe-configuration-recorder-status $PROFILE_OPT --region $regx --query 'ConfigurationRecordersStatus[*].lastStatus' --output text 2>&1)
 if [[ $(echo "$CHECK_AWSCONFIG_STATUS" | grep AccessDenied) ]]; then
- textFail "Access Denied trying to describe configuration recorder status in $regx"
+ textFail "$regx: Access Denied trying to describe configuration recorder status" "$regx" "recorder"
 continue
 fi
 if [[ $CHECK_AWSCONFIG_RECORDING == "True" ]]; then
 if [[ $CHECK_AWSCONFIG_STATUS == "SUCCESS" ]]; then
- textPass "Region $regx AWS Config recorder enabled"
+ textPass "$regx: AWS Config recorder enabled" "$regx" "recorder"
 else
- textFail "Region $regx AWS Config recorder in failure state"
+ textFail "$regx: AWS Config recorder in failure state" "$regx" "recorder"
 fi
 else
- textFail "Region $regx AWS Config recorder disabled"
+ textFail "$regx: AWS Config recorder disabled" "$regx" "recorder"
 fi
 done
 }
diff --git a/checks/check26 b/checks/check26
index 3b1e0947..a6663a22 100644
--- a/checks/check26
+++ b/checks/check26
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check26="2.6"
-CHECK_TITLE_check26="[check26] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
+CHECK_TITLE_check26="[check26] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket"
 CHECK_SCORED_check26="SCORED"
 CHECK_TYPE_check26="LEVEL1"
 CHECK_SEVERITY_check26="Medium"
@@ -31,7 +31,7 @@ check26(){
 for regx in $REGIONS; do
 TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].{Name:TrailARN, HomeRegion:HomeRegion}' --output text 2>&1 | tr " " ',')
 if [[ $(echo "$TRAILS_AND_REGIONS" | grep AccessDenied) ]]; then
- textFail "Access Denied trying to describe trails in $regx"
+ textFail "$regx: Access Denied trying to describe trails" "$regx" "$trail"
 continue
 fi
 if [[ $TRAILS_AND_REGIONS ]]; then
@@ -45,13 +45,13 @@ check26(){
 CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $TRAIL_REGION --query 'trailList[*].[S3BucketName]' --output text --trail-name-list $trail)
 if [[ -z $CLOUDTRAILBUCKET ]]; then
- textFail "Trail $trail in $TRAIL_REGION does not publish to S3"
+ textFail "$regx: Trail $trail does not publish to S3" "$TRAIL_REGION" "$trail"
 continue
 fi
 CLOUDTRAIL_ACCOUNT_ID=$(echo $trail | awk -F: '{ print $5 }')
 if [ "$CLOUDTRAIL_ACCOUNT_ID" != "$ACCOUNT_NUM" ]; then
- textInfo "Trail $trail in $TRAIL_REGION S3 logging bucket $CLOUDTRAILBUCKET is not in current account"
+ textInfo "$regx: Trail $trail S3 logging bucket $CLOUDTRAILBUCKET is not in current account" "$TRAIL_REGION" "$trail"
 continue
 fi
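Review bot: The messages in check26's `@@ -45` hunk are prefixed with `$regx:` while the region argument passed alongside is `$TRAIL_REGION`, so whenever a trail's home region differs from the region being iterated the text and the structured region field of the same finding disagree; the `@@ -62` and `@@ -74` hunks of check26 carry the same mismatch. Because every region's describe-trails call returns multi-region trails, this is the common case rather than an edge case, assuming TRAIL_REGION is derived from the HomeRegion selected by the query in the first hunk (its assignment is outside what is shown). One region should feed both, e.g. `textFail "$TRAIL_REGION: Trail $trail does not publish to S3" "$TRAIL_REGION" "$trail"`, which is what check24 does in this same commit. The enclosing trail loop starts before the hunk.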
@@ -62,7 +62,7 @@ check26(){
 #
 BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location $PROFILE_OPT --region $regx --bucket $CLOUDTRAILBUCKET --output text 2>&1)
 if [[ $(echo "$BUCKET_LOCATION" | grep AccessDenied) ]]; then
- textFail "Trail $trail in $TRAIL_REGION Access Denied getting bucket location for $CLOUDTRAILBUCKET"
+ textFail "$regx: Trail $trail Access Denied getting bucket location for $CLOUDTRAILBUCKET" "$TRAIL_REGION" "$trail"
 continue
 fi
 if [[ $BUCKET_LOCATION == "None" ]]; then
@@ -74,20 +74,20 @@ check26(){
 CLOUDTRAILBUCKET_LOGENABLED=$($AWSCLI s3api get-bucket-logging --bucket $CLOUDTRAILBUCKET $PROFILE_OPT --region $BUCKET_LOCATION --query 'LoggingEnabled.TargetBucket' --output text 2>&1)
 if [[ $(echo "$CLOUDTRAILBUCKET_LOGENABLED" | grep AccessDenied) ]]; then
- textInfo "Trail $trail in $TRAIL_REGION Access Denied getting bucket logging for $CLOUDTRAILBUCKET"
+ textInfo "$regx: Trail $trail Access Denied getting bucket logging for $CLOUDTRAILBUCKET" "$TRAIL_REGION" "$trail"
 continue
 fi
 if [[ $CLOUDTRAILBUCKET_LOGENABLED != "None" ]]; then
- textPass "Trail $trail in $TRAIL_REGION S3 bucket access logging is enabled for $CLOUDTRAILBUCKET"
+ textPass "$regx: Trail $trail S3 bucket access logging is enabled for $CLOUDTRAILBUCKET" "$TRAIL_REGION" "$trail"
 else
- textFail "Trail $trail in $TRAIL_REGION S3 bucket access logging is not enabled for $CLOUDTRAILBUCKET"
+ textFail "$regx: Trail $trail S3 bucket access logging is not enabled for $CLOUDTRAILBUCKET" "$TRAIL_REGION" "$trail"
 fi
 done
 fi
 done
 if [[ $trail_count == 0 ]]; then
- textFail "No CloudTrail trails were found in the account"
+ textFail "$REGION: No CloudTrail trails were found in the account" "$REGION" "$trail"
 fi
 }
diff --git a/checks/check27 b/checks/check27
index 8eb61059..fa6a432d 100644
--- a/checks/check27
+++ b/checks/check27
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check27="2.7"
-CHECK_TITLE_check27="[check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
+CHECK_TITLE_check27="[check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs"
 CHECK_SCORED_check27="SCORED"
 CHECK_TYPE_check27="LEVEL2"
 CHECK_SEVERITY_check27="Medium"
@@ -32,7 +32,7 @@ check27(){
 for regx in $REGIONS; do
 TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].{Name:TrailARN, HomeRegion:HomeRegion}' --output text 2>&1 | tr " " ',')
 if [[ $(echo "$TRAILS_AND_REGIONS" | grep AccessDenied) ]]; then
- textFail "Access Denied trying to describe trails in $regx"
+ textFail "$regx: Access Denied trying to describe trails" "$regx" "$trail"
 continue
 fi
 if [[ $TRAILS_AND_REGIONS ]]; then
@@ -46,14 +46,14 @@ check27(){
 KMSKEYID=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $TRAIL_REGION --query 'trailList[*].KmsKeyId' --output text --trail-name-list $trail)
 if [[ "$KMSKEYID" ]];then
- textPass "Trail $trail in $regx has encryption enabled"
+ textPass "$regx: Trail $trail has encryption enabled" "$regx" "$trail"
 else
- textFail "Trail $trail in $regx has encryption disabled"
+ textFail "$regx: Trail $trail has encryption disabled" "$regx" "$trail"
 fi
 done
 fi
 done
 if [[ $trail_count == 0 ]]; then
- textFail "No CloudTrail trails were found in the account"
+ textFail "$REGION: No CloudTrail trails were found in the account" "$REGION" "$trail"
 fi
 }
diff --git a/checks/check28 b/checks/check28
index a1f7b547..aef746b1 100644
--- a/checks/check28
+++ b/checks/check28
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check28="2.8"
-CHECK_TITLE_check28="[check28] Ensure rotation for customer created KMS CMKs is enabled (Scored)"
+CHECK_TITLE_check28="[check28] Ensure rotation for customer created KMS CMKs is enabled"
 CHECK_SCORED_check28="SCORED"
 CHECK_TYPE_check28="LEVEL2"
 CHECK_SEVERITY_check28="Medium"
@@ -30,7 +30,7 @@ check28(){
 for regx in $REGIONS; do
 CHECK_KMS_KEYLIST=$($AWSCLI kms list-keys $PROFILE_OPT --region $regx --output text --query 'Keys[*].KeyId' --output text 2>&1)
 if [[ $(echo "$CHECK_KMS_KEYLIST" | grep AccessDenied) ]]; then
- textFail "Access Denied trying to list keys in $regx" "$regx" "$key"
+ textFail "$regx: Access Denied trying to list keys" "$regx" "$key"
 continue
 fi
 if [[ $CHECK_KMS_KEYLIST ]]; then
diff --git a/checks/check29 b/checks/check29
index 0187f628..b5023894 100644
--- a/checks/check29
+++ b/checks/check29
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check29="2.9"
-CHECK_TITLE_check29="[check29] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
+CHECK_TITLE_check29="[check29] Ensure VPC Flow Logging is Enabled in all VPCs"
 CHECK_SCORED_check29="SCORED"
 CHECK_TYPE_check29="LEVEL2"
 CHECK_SEVERITY_check29="Medium"
@@ -31,7 +31,7 @@ check29(){
 for regx in $REGIONS; do
 AVAILABLE_VPC=$($AWSCLI ec2 describe-vpcs $PROFILE_OPT --region $regx --query 'Vpcs[?State==`available`].VpcId' --output text 2>&1)
 if [[ $(echo "$AVAILABLE_VPC" | grep AccessDenied) ]]; then
- textFail "$regx: Access Denied trying to describe VPCs"
+ textFail "$regx: Access Denied trying to describe VPCs" "$regx" "$vpcx"
 continue
 fi
 for vpcx in $AVAILABLE_VPC; do
diff --git a/checks/check31 b/checks/check31
index 938c147d..4411c6fa 100644
--- a/checks/check31
+++ b/checks/check31
@@ -37,7 +37,7 @@
 # --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check31="3.1"
-CHECK_TITLE_check31="[check31] Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
+CHECK_TITLE_check31="[check31] Ensure a log metric filter and alarm exist for unauthorized API calls"
 CHECK_SCORED_check31="SCORED"
 CHECK_TYPE_check31="LEVEL1"
 CHECK_SEVERITY_check31="Medium"
diff --git a/checks/check310 b/checks/check310
index 4f821784..0a2d53d9 100644
--- a/checks/check310
+++ b/checks/check310
@@ -37,7 +37,7 @@
 # --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check310="3.10"
-CHECK_TITLE_check310="[check310] Ensure a log metric filter and alarm exist for security group changes (Scored)"
+CHECK_TITLE_check310="[check310] Ensure a log metric filter and alarm exist for security group changes"
 CHECK_SCORED_check310="SCORED"
 CHECK_TYPE_check310="LEVEL2"
 CHECK_SEVERITY_check310="Medium"
diff --git a/checks/check311 b/checks/check311
index 9c661251..fb66edb6 100644
--- a/checks/check311
+++ b/checks/check311
@@ -37,7 +37,7 @@
 # --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check311="3.11"
-CHECK_TITLE_check311="[check311] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)"
+CHECK_TITLE_check311="[check311] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)"
 CHECK_SCORED_check311="SCORED"
 CHECK_TYPE_check311="LEVEL2"
 CHECK_SEVERITY_check311="Medium"
diff --git a/checks/check312 b/checks/check312
index 8c44117e..1de26238 100644
--- a/checks/check312
+++ b/checks/check312
@@ -37,7 +37,7 @@
 # --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check312="3.12"
-CHECK_TITLE_check312="[check312] Ensure a log metric filter and alarm exist for changes to network gateways (Scored)"
+CHECK_TITLE_check312="[check312] Ensure a log metric filter and alarm exist for changes to network gateways"
 CHECK_SCORED_check312="SCORED"
 CHECK_TYPE_check312="LEVEL1"
 CHECK_SEVERITY_check312="Medium"
diff --git a/checks/check313 b/checks/check313
index 5852e63e..2ce23a51 100644
--- a/checks/check313
+++ b/checks/check313
@@ -37,7 +37,7 @@
 # --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check313="3.13"
-CHECK_TITLE_check313="[check313] Ensure a log metric filter and alarm exist for route table changes (Scored)"
+CHECK_TITLE_check313="[check313] Ensure a log metric filter and alarm exist for route table changes"
 CHECK_SCORED_check313="SCORED"
 CHECK_TYPE_check313="LEVEL1"
 CHECK_SEVERITY_check313="Medium"
diff --git a/checks/check314 b/checks/check314
index 820458eb..a0d728bb 100644
--- a/checks/check314
+++ b/checks/check314
@@ -37,7 +37,7 @@
 # --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check314="3.14"
-CHECK_TITLE_check314="[check314] Ensure a log metric filter and alarm exist for VPC changes (Scored)"
+CHECK_TITLE_check314="[check314] Ensure a log metric filter and alarm exist for VPC changes"
 CHECK_SCORED_check314="SCORED"
 CHECK_TYPE_check314="LEVEL1"
 CHECK_SEVERITY_check314="Medium"
diff --git a/checks/check32 b/checks/check32
index 9a28147d..b932b13a 100644
--- a/checks/check32
+++ b/checks/check32
@@ -37,7 +37,7 @@
 # --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check32="3.2"
-CHECK_TITLE_check32="[check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)"
+CHECK_TITLE_check32="[check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA"
 CHECK_SCORED_check32="SCORED"
 CHECK_TYPE_check32="LEVEL1"
 CHECK_SEVERITY_check32="Medium"
diff --git a/checks/check33 b/checks/check33
index 7af68e62..1cd54328 100644
--- a/checks/check33
+++ b/checks/check33
@@ -37,7 +37,7 @@
 # --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check33="3.3"
-CHECK_TITLE_check33="[check33] Ensure a log metric filter and alarm exist for usage of root account (Scored)"
+CHECK_TITLE_check33="[check33] Ensure a log metric filter and alarm exist for usage of root account"
 CHECK_SCORED_check33="SCORED"
 CHECK_TYPE_check33="LEVEL1"
 CHECK_SEVERITY_check33="Medium"
diff --git a/checks/check34 b/checks/check34
index d32bc066..250044e0 100644
--- a/checks/check34
+++ b/checks/check34
@@ -37,7 +37,7 @@
 # --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check34="3.4"
-CHECK_TITLE_check34="[check34] Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
+CHECK_TITLE_check34="[check34] Ensure a log metric filter and alarm exist for IAM policy changes"
 CHECK_SCORED_check34="SCORED"
 CHECK_TYPE_check34="LEVEL1"
 CHECK_SEVERITY_check34="Medium"
diff --git a/checks/check35 b/checks/check35
index cdbbf038..bae1f254 100644
--- a/checks/check35
+++ b/checks/check35
@@ -37,7 +37,7 @@
 # --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check35="3.5"
-CHECK_TITLE_check35="[check35] Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
+CHECK_TITLE_check35="[check35] Ensure a log metric filter and alarm exist for CloudTrail configuration changes"
 CHECK_SCORED_check35="SCORED"
 CHECK_TYPE_check35="LEVEL1"
 CHECK_SEVERITY_check35="Medium"
diff --git a/checks/check36 b/checks/check36
index 1696912b..fc9e4c39 100644
--- a/checks/check36
+++ b/checks/check36
@@ -37,7 +37,7 @@
 # --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check36="3.6"
-CHECK_TITLE_check36="[check36] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)"
+CHECK_TITLE_check36="[check36] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures"
 CHECK_SCORED_check36="SCORED"
 CHECK_TYPE_check36="LEVEL2"
 CHECK_SEVERITY_check36="Medium"
diff --git a/checks/check37 b/checks/check37
index 2d7d189b..03f593ea 100644
--- a/checks/check37
+++ b/checks/check37
@@ -37,7 +37,7 @@
 # --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check37="3.7"
-CHECK_TITLE_check37="[check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created KMS CMKs (Scored)"
+CHECK_TITLE_check37="[check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created KMS CMKs"
 CHECK_SCORED_check37="SCORED"
 CHECK_TYPE_check37="LEVEL2"
 CHECK_SEVERITY_check37="Medium"
diff --git a/checks/check38 b/checks/check38
index 196ced51..9d81443c 100644
--- a/checks/check38
+++ b/checks/check38
@@ -37,7 +37,7 @@
 # --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check38="3.8"
-CHECK_TITLE_check38="[check38] Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)"
+CHECK_TITLE_check38="[check38] Ensure a log metric filter and alarm exist for S3 bucket policy changes"
 CHECK_SCORED_check38="SCORED"
 CHECK_TYPE_check38="LEVEL1"
 CHECK_SEVERITY_check38="Medium"
diff --git a/checks/check39 b/checks/check39
index 5e580499..aabbd359 100644
--- a/checks/check39
+++ b/checks/check39
@@ -37,7 +37,7 @@
 # --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
 CHECK_ID_check39="3.9"
-CHECK_TITLE_check39="[check39] Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)"
+CHECK_TITLE_check39="[check39] Ensure a log metric filter and alarm exist for AWS Config configuration changes"
 CHECK_SCORED_check39="SCORED"
 CHECK_TYPE_check39="LEVEL2"
 CHECK_SEVERITY_check39="Medium"
diff --git a/checks/check41 b/checks/check41
index 1ffd8961..02f0fbf5 100644
--- a/checks/check41
+++ b/checks/check41
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check41="4.1"
-CHECK_TITLE_check41="[check41] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)"
+CHECK_TITLE_check41="[check41] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22"
 CHECK_SCORED_check41="SCORED"
 CHECK_TYPE_check41="LEVEL2"
 CHECK_SEVERITY_check41="High"
@@ -32,10 +32,10 @@ check41(){
 SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`22` && ToPort>=`22`)) && (contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`))]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text)
 if [[ $SG_LIST ]];then
 for SG in $SG_LIST;do
- textFail "Found Security Group: $SG open to 0.0.0.0/0 in Region $regx" "$regx" "$SG"
+ textFail "$regx: Found Security Group: $SG open to 0.0.0.0/0" "$regx" "$SG"
 done
 else
- textPass "No Security Groups found in $regx with port 22 TCP open to 0.0.0.0/0" "$regx"
+ textPass "$regx: No Security Groups found with port 22 TCP open to 0.0.0.0/0" "$regx" "$SG"
 fi
 done
 }
diff --git a/checks/check42 b/checks/check42
index d0e34354..a2bf70fd 100644
--- a/checks/check42
+++ b/checks/check42
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check42="4.2"
-CHECK_TITLE_check42="[check42] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)"
+CHECK_TITLE_check42="[check42] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389"
 CHECK_SCORED_check42="SCORED"
 CHECK_TYPE_check42="LEVEL2"
 CHECK_SEVERITY_check42="High"
@@ -32,10 +32,10 @@ check42(){
 SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`3389` && ToPort>=`3389`)) && (contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`))]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text)
 if [[ $SG_LIST ]];then
 for SG in $SG_LIST;do
- textFail "Found Security Group: $SG open to 0.0.0.0/0 in Region $regx" "$regx" "$SG"
+ textFail "$regx: Found Security Group: $SG open to 0.0.0.0/0" "$regx" "$SG"
 done
 else
- textPass "No Security Groups found in $regx with port 3389 TCP open to 0.0.0.0/0" "$regx"
+ textPass "$regx: No Security Groups found with port 3389 TCP open to 0.0.0.0/0" "$regx" "$SG"
 fi
 done
 }
diff --git a/checks/check43 b/checks/check43
index a8da5612..205f4eb3 100644
--- a/checks/check43
+++ b/checks/check43
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check43="4.3"
-CHECK_TITLE_check43="[check43] Ensure the default security group of every VPC restricts all traffic (Scored)"
+CHECK_TITLE_check43="[check43] Ensure the default security group of every VPC restricts all traffic"
 CHECK_SCORED_check43="SCORED"
 CHECK_TYPE_check43="LEVEL2"
 CHECK_SEVERITY_check43="High"
@@ -33,9 +33,9 @@ check43(){
 for CHECK_SGDEFAULT_ID in $CHECK_SGDEFAULT_IDS; do
 CHECK_SGDEFAULT_ID_OPEN=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --group-ids $CHECK_SGDEFAULT_ID --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |egrep '\s0.0.0.0|\:\:\/0')
 if [[ $CHECK_SGDEFAULT_ID_OPEN ]];then
- textFail "Default Security Groups ($CHECK_SGDEFAULT_ID) found that allow 0.0.0.0 IN or OUT traffic in Region $regx" "$regx" "$CHECK_SGDEFAULT_ID"
+ textFail "$regx: Default Security Groups ($CHECK_SGDEFAULT_ID) found that allow 0.0.0.0 IN or OUT traffic" "$regx" "$CHECK_SGDEFAULT_ID"
 else
- textPass "No Default Security Groups ($CHECK_SGDEFAULT_ID) open to 0.0.0.0 found in Region $regx" "$regx" "$CHECK_SGDEFAULT_ID"
+ textPass "$regx: No Default Security Groups ($CHECK_SGDEFAULT_ID) open to 0.0.0.0 found" "$regx" "$CHECK_SGDEFAULT_ID"
 fi
 done
 done
diff --git a/checks/check44 b/checks/check44
index 62a8bf4d..e5328c29 100644
--- a/checks/check44
+++ b/checks/check44
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 CHECK_ID_check44="4.4"
-CHECK_TITLE_check44="[check44] Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
+CHECK_TITLE_check44="[check44] Ensure routing tables for VPC peering are \"least access\""
 CHECK_SCORED_check44="NOT_SCORED"
 CHECK_TYPE_check44="LEVEL2"
 CHECK_SEVERITY_check44="Medium"
@@ -27,11 +27,10 @@ CHECK_CAF_EPIC_check44='Infrastructure Security'
 check44(){
 # "Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
- textInfo "Looking for VPC peering in all regions... "
 for regx in $REGIONS; do
 LIST_OF_VPCS_PEERING_CONNECTIONS=$($AWSCLI ec2 describe-vpc-peering-connections --output text $PROFILE_OPT --region $regx --query 'VpcPeeringConnections[*].VpcPeeringConnectionId'| sort | paste -s -d" " -)
 if [[ $LIST_OF_VPCS_PEERING_CONNECTIONS ]];then
- textInfo "$regx: $LIST_OF_VPCS_PEERING_CONNECTIONS - review routing tables" "$regx"
+ textInfo "$regx: $LIST_OF_VPCS_PEERING_CONNECTIONS - review routing tables" "$regx" "$LIST_OF_VPCS_PEERING_CONNECTIONS"
 #LIST_OF_VPCS=$($AWSCLI ec2 describe-vpcs $PROFILE_OPT --region $regx --query 'Vpcs[*].VpcId' --output text)
 #aws ec2 describe-route-tables --filter "Name=vpc-id,Values=vpc-0213e864" --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}" $PROFILE_OPT --region $regx
 # for vpc in $LIST_OF_VPCS; do
@@ -39,7 +38,7 @@ check44(){
 # done
 #echo $VPCS_WITH_PEERING
 else
- textPass "$regx: No VPC peering found" "$regx"
+ textPass "$regx: No VPC peering found" "$regx" "$LIST_OF_VPCS_PEERING_CONNECTIONS"
 fi
 done
 }
diff --git a/checks/check45 b/checks/check45
index fdd5912f..d68fc140 100644
--- a/checks/check45
+++ b/checks/check45
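Review bot: `"$LIST_OF_VPCS_PEERING_CONNECTIONS"` is a space-joined list of peering-connection IDs (it is built with `paste -s -d" "`), so the resource field of the textInfo in check44's `@@ -27` hunk carries several IDs in a single value, and in the `@@ -39` pass branch the same variable is by construction empty. Emitting one finding per connection keeps the resource column usable for filtering and ticketing: `for pcx in $LIST_OF_VPCS_PEERING_CONNECTIONS; do`, `textInfo "$regx: $pcx - review routing tables" "$regx" "$pcx"`, `done`. The commented-out lines between the two hunks are not shown.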
@@ -30,10 +30,10 @@ check45(){
 NACL_LIST=$($AWSCLI ec2 describe-network-acls --query 'NetworkAcls[?Entries[?(((!PortRange) || (PortRange.From<=`22` && PortRange.To>=`22`)) && ((CidrBlock == `0.0.0.0/0`) && (Egress == `false`) && (RuleAction == `allow`)))]].{NetworkAclId:NetworkAclId}' $PROFILE_OPT --region $regx --output text)
 if [[ $NACL_LIST ]];then
 for NACL in $NACL_LIST;do
- textInfo "$regx: Found Network ACL: $NACL open to 0.0.0.0/0 for SSH port 22" "$regx"
+ textInfo "$regx: Found Network ACL: $NACL open to 0.0.0.0/0 for SSH port 22" "$regx" "$NACL"
 done
 else
- textPass "$regx: No Network ACL found with SSH port 22 open to 0.0.0.0/0" "$regx"
+ textPass "$regx: No Network ACL found with SSH port 22 open to 0.0.0.0/0" "$regx" "$NACL"
 fi
 done
 }
diff --git a/checks/check46 b/checks/check46
index fc03c121..02c2101b 100644
--- a/checks/check46
+++ b/checks/check46
@@ -30,10 +30,10 @@ check46(){
 NACL_LIST=$($AWSCLI ec2 describe-network-acls --query 'NetworkAcls[?Entries[?(((!PortRange) || (PortRange.From<=`3389` && PortRange.To>=`3389`)) && ((CidrBlock == `0.0.0.0/0`) && (Egress == `false`) && (RuleAction == `allow`)))]].{NetworkAclId:NetworkAclId}' $PROFILE_OPT --region $regx --output text)
 if [[ $NACL_LIST ]];then
 for NACL in $NACL_LIST;do
- textInfo "$regx: Found Network ACL: $NACL open to 0.0.0.0/0 for Microsoft RDP port 3389" "$regx"
+ textInfo "$regx: Found Network ACL: $NACL open to 0.0.0.0/0 for Microsoft RDP port 3389" "$regx" "$NACL"
 done
 else
- textPass "$regx: No Network ACL found with Microsoft RDP port 3389 open to 0.0.0.0/0" "$regx"
+ textPass "$regx: No Network ACL found with Microsoft RDP port 3389 open to 0.0.0.0/0" "$regx" "$NACL"
 fi
 done
 }
diff --git a/checks/check_extra71 b/checks/check_extra71
index 23234823..4bf1706c 100644
--- a/checks/check_extra71
+++ b/checks/check_extra71
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra71="7.1"
-CHECK_TITLE_extra71="[extra71] Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra71="[extra71] Ensure users of groups with AdministratorAccess policy have MFA tokens enabled"
 CHECK_SCORED_extra71="NOT_SCORED"
 CHECK_TYPE_extra71="EXTRA"
 CHECK_SEVERITY_extra71="High"
@@ -27,7 +27,7 @@ CHECK_DOC_extra71='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentia
 CHECK_CAF_EPIC_extra71='Infrastructure Security'
 extra71(){
- # "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
+ # "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled "
 ADMIN_GROUPS=''
 AWS_GROUPS=$($AWSCLI $PROFILE_OPT iam list-groups --output text --region $REGION --query 'Groups[].GroupName')
 for grp in $AWS_GROUPS; do
@@ -36,7 +36,7 @@ extra71(){
 CHECK_ADMIN_GROUP=$($AWSCLI $PROFILE_OPT --region $REGION iam list-attached-group-policies --group-name $grp --output json --query 'AttachedPolicies[].PolicyArn' | grep "arn:${AWS_PARTITION}:iam::aws:policy/AdministratorAccess")
 if [[ $CHECK_ADMIN_GROUP ]]; then
 ADMIN_GROUPS="$ADMIN_GROUPS $grp"
- textInfo "$grp group provides administrative access"
+ textInfo "$REGION: $grp group provides administrative access" "$REGION" "$grp"
 ADMIN_USERS=$($AWSCLI $PROFILE_OPT iam get-group --region $REGION --group-name $grp --output json --query 'Users[].UserName' | grep '"' | cut -d'"' -f2 )
 for auser in $ADMIN_USERS; do
 # users in group are Administrators
@@ -44,13 +44,13 @@ extra71(){
 # check for user MFA device in credential report
 USER_MFA_ENABLED=$( cat $TEMP_REPORT_FILE | grep "^$auser," | cut -d',' -f8)
 if [[ "true" == $USER_MFA_ENABLED ]]; then
- textPass "$auser / MFA Enabled / admin via group $grp" "us-east-1" "$auser"
+ textPass "$REGION: $auser / MFA Enabled / admin via group $grp" "$REGION" "$grp"
 else
- textFail "$auser / MFA DISABLED / admin via group $grp" "us-east-1" "$auser"
+ textFail "$REGION: $auser / MFA DISABLED / admin via group $grp" "$REGION" "$grp"
 fi
 done
 else
- textInfo "$grp group provides non-administrative access"
+ textInfo "$REGION: $grp group provides non-administrative access" "$REGION" "$grp"
 fi
 done
 }
diff --git a/checks/check_extra710 b/checks/check_extra710
index 8e13384d..a1c10252 100644
--- a/checks/check_extra710
+++ b/checks/check_extra710
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra710="7.10"
-CHECK_TITLE_extra710="[extra710] Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra710="[extra710] Check for internet facing EC2 Instances"
 CHECK_SCORED_extra710="NOT_SCORED"
 CHECK_TYPE_extra710="EXTRA"
 CHECK_SEVERITY_extra710="Medium"
@@ -25,8 +25,7 @@ CHECK_DOC_extra710='https://aws.amazon.com/blogs/aws/aws-web-application-firewal
 CHECK_CAF_EPIC_extra710='Infrastructure Security'
 extra710(){
- # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
- textInfo "Looking for instances in all regions... "
+ # "Check for internet facing EC2 Instances "
 for regx in $REGIONS; do
 LIST_OF_PUBLIC_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query 'Reservations[*].Instances[?PublicIpAddress].[InstanceId,PublicIpAddress]' --output text)
 if [[ $LIST_OF_PUBLIC_INSTANCES ]];then
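Review bot: The resource argument of the two MFA findings in extra71's `@@ -44` hunk changed from `"$auser"` to `"$grp"`, but the finding is about a specific user lacking MFA, so the report's resource field now names the group and the user survives only inside the free-text message; with several users in one admin group the findings also become indistinguishable by resource. Keeping the user as the resource, `textPass "$REGION: $auser / MFA Enabled / admin via group $grp" "$REGION" "$auser"` and likewise for the textFail, preserves what the old code recorded while still replacing the hard-coded `us-east-1` region. The group-level textInfo lines passing `"$grp"` are consistent as written. The enclosing group loop starts outside the hunk.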
diff --git a/checks/check_extra7100 b/checks/check_extra7100
index 1aa6859f..8e2a3807 100644
--- a/checks/check_extra7100
+++ b/checks/check_extra7100
@@ -37,7 +37,6 @@ extra7100(){
 # Learn more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy
 LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION --scope Local --query 'Policies[*].[Arn,DefaultVersionId]' | grep -v -e '^None$' | awk -F '\t' '{print $1","$2"\n"}')
 if [[ $LIST_CUSTOM_POLICIES ]]; then
- textInfo "Looking for custom policies: (skipping default policies - it may take few seconds...)"
 for policy in $LIST_CUSTOM_POLICIES; do
 POLICY_ARN=$(echo $policy | awk -F ',' '{print $1}')
 POLICY_VERSION=$(echo $policy | awk -F ',' '{print $2}')
@@ -72,12 +71,12 @@ extra7100(){
 textInfo "STS AssumeRole Policies should only include the complete ARNs for the Roles that the user needs"
 textInfo "Learn more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy"
 for policy in $PERMISSIVE_POLICIES_LIST; do
- textFail "Policy $policy allows permissive STS Role assumption" "us-east-1" "$policy"
+ textFail "$REGION: Policy $policy allows permissive STS Role assumption" "$REGION" "$policy"
 done
 else
- textPass "No custom policies found that allow permissive STS Role assumption"
+ textPass "$REGION: No custom policies found that allow permissive STS Role assumption" "$REGION"
 fi
 else
- textPass "No custom policies found"
+ textPass "$REGION: No custom policies found" "$REGION"
 fi
 }
diff --git a/checks/check_extra711 b/checks/check_extra711
index 746d4a8f..4a0b5d66 100644
--- a/checks/check_extra711
+++ b/checks/check_extra711
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra711="7.11"
-CHECK_TITLE_extra711="[extra711] Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra711="[extra711] Check for Publicly Accessible Redshift Clusters"
 CHECK_SCORED_extra711="NOT_SCORED"
 CHECK_TYPE_extra711="EXTRA"
 CHECK_SEVERITY_extra711="High"
@@ -24,8 +24,7 @@ CHECK_DOC_extra711='https://docs.aws.amazon.com/redshift/latest/mgmt/managing-cl
 CHECK_CAF_EPIC_extra711='Data Protection'
 extra711(){
- # "Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
- textInfo "Looking for Redshift clusters in all regions... "
+ # "Check for Publicly Accessible Redshift Clusters "
 for regx in $REGIONS; do
 LIST_OF_PUBLIC_REDSHIFT_CLUSTERS=$($AWSCLI redshift describe-clusters $PROFILE_OPT --region $regx --query 'Clusters[?PubliclyAccessible == `true`].[ClusterIdentifier,Endpoint.Address]' --output text)
 if [[ $LIST_OF_PUBLIC_REDSHIFT_CLUSTERS ]];then
diff --git a/checks/check_extra7113 b/checks/check_extra7113
index 876ce7eb..3412a56b 100644
--- a/checks/check_extra7113
+++ b/checks/check_extra7113
@@ -23,7 +23,7 @@
 # [--apply-immediately | --no-apply-immediately]
 CHECK_ID_extra7113="7.113"
-CHECK_TITLE_extra7113="[extra7113] Check if RDS instances have deletion protection enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra7113="[extra7113] Check if RDS instances have deletion protection enabled "
 CHECK_SCORED_extra7113="NOT_SCORED"
 CHECK_TYPE_extra7113="EXTRA"
 CHECK_SEVERITY_extra7113="Medium"
diff --git a/checks/check_extra712 b/checks/check_extra712
index 21c9fcae..754c3559 100644
--- a/checks/check_extra712
+++ b/checks/check_extra712
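Review bot: Stripping the `(Not Scored) (Not part of CIS benchmark)` suffix left a trailing space inside the extra7113 title string, `...deletion protection enabled "`; the same leftover is in the extra7134 and extra7135 titles and in the rewritten descriptive comments of extra71, extra710, extra711 and extra713. Whitespace inside a CHECK_TITLE value presumably ends up verbatim wherever the title is printed, so the intended value is `CHECK_TITLE_extra7113="[extra7113] Check if RDS instances have deletion protection enabled"`.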
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra712="7.12"
-CHECK_TITLE_extra712="[extra712] Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra712="[extra712] Check if Amazon Macie is enabled"
 CHECK_SCORED_extra712="NOT_SCORED"
 CHECK_TYPE_extra712="EXTRA"
 CHECK_SEVERITY_extra712="Low"
@@ -24,12 +24,12 @@ CHECK_DOC_extra712='https://docs.aws.amazon.com/macie/latest/user/getting-starte
 CHECK_CAF_EPIC_extra712='Data Protection'
 extra712(){
-# textInfo "No API commands available to check if Macie is enabled,"
-# textInfo "just looking if IAM Macie related permissions exist. "
+# "No API commands available to check if Macie is enabled,"
+# "just looking if IAM Macie related permissions exist. "
 MACIE_IAM_ROLES_CREATED=$($AWSCLI iam list-roles $PROFILE_OPT --query 'Roles[*].Arn'|grep AWSMacieServiceCustomer|wc -l)
 if [[ $MACIE_IAM_ROLES_CREATED -eq 2 ]];then
- textPass "Macie related IAM roles exist so it might be enabled. Check it out manually"
+ textPass "$REGION: Macie related IAM roles exist so it might be enabled. Check it out manually" "$REGION"
 else
- textFail "No Macie related IAM roles found. It is most likely not to be enabled"
+ textFail "$REGION: No Macie related IAM roles found. It is most likely not to be enabled" "$REGION"
 fi
 }
diff --git a/checks/check_extra713 b/checks/check_extra713
index 008bf252..7a83b9bb 100644
--- a/checks/check_extra713
+++ b/checks/check_extra713
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra713="7.13"
-CHECK_TITLE_extra713="[extra713] Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra713="[extra713] Check if GuardDuty is enabled"
 CHECK_SCORED_extra713="NOT_SCORED"
 CHECK_TYPE_extra713="EXTRA"
 CHECK_SEVERITY_extra713="High"
@@ -25,7 +25,7 @@ CHECK_DOC_extra713='https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_se
 CHECK_CAF_EPIC_extra713='Data Protection'
 
 extra713(){
- # "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
+ # "Check if GuardDuty is enabled "
 for regx in $REGIONS; do
 LIST_OF_GUARDDUTY_DETECTORS=$($AWSCLI guardduty list-detectors $PROFILE_OPT --region $regx --output text --query DetectorIds[*] 2> /dev/null)
 RESULT=$?
diff --git a/checks/check_extra7130 b/checks/check_extra7130
index 7c55d7fe..a302f0d4 100644
--- a/checks/check_extra7130
+++ b/checks/check_extra7130
@@ -25,7 +25,6 @@ CHECK_DOC_extra7130='https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-e
 CHECK_CAF_EPIC_extra7130='Data Protection'
 
 extra7130(){
- textInfo "Looking for SNS Topics in all regions... "
 for regx in $REGIONS; do
 LIST_SNS=$($AWSCLI sns list-topics $PROFILE_OPT --region $regx --query 'Topics[*].TopicArn' --output text)
 if [[ $LIST_SNS ]];then
diff --git a/checks/check_extra7134 b/checks/check_extra7134
index 6d38148c..4d649f83 100644
--- a/checks/check_extra7134
+++ b/checks/check_extra7134
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra7134="7.134"
-CHECK_TITLE_extra7134="[extra7134] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to FTP ports 20 or 21 (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra7134="[extra7134] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to FTP ports 20 or 21 "
 CHECK_SCORED_extra7134="NOT_SCORED"
 CHECK_TYPE_extra7134="EXTRA"
 CHECK_SEVERITY_extra7134="High"
diff --git a/checks/check_extra7135 b/checks/check_extra7135
index c8562b52..42a27bfb 100644
--- a/checks/check_extra7135
+++ b/checks/check_extra7135
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra7135="7.135"
-CHECK_TITLE_extra7135="[extra7135] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Kafka port 9092 (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra7135="[extra7135] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Kafka port 9092 "
 CHECK_SCORED_extra7135="NOT_SCORED"
 CHECK_TYPE_extra7135="EXTRA"
 CHECK_SEVERITY_extra7135="High"
diff --git a/checks/check_extra7136 b/checks/check_extra7136
index 3c247bcb..7b440031 100644
--- a/checks/check_extra7136
+++ b/checks/check_extra7136
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra7136="7.136"
-CHECK_TITLE_extra7136="[extra7136] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Telnet port 23 (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra7136="[extra7136] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Telnet port 23 "
 CHECK_SCORED_extra7136="NOT_SCORED"
 CHECK_TYPE_extra7136="EXTRA"
 CHECK_SEVERITY_extra7136="High"
diff --git a/checks/check_extra7137 b/checks/check_extra7137
index 8014b442..754acc5f 100644
--- a/checks/check_extra7137
+++ b/checks/check_extra7137
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra7137="7.137"
-CHECK_TITLE_extra7137="[extra7137] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Windows SQL Server ports 1433 or 1434 (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra7137="[extra7137] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Windows SQL Server ports 1433 or 1434 "
 CHECK_SCORED_extra7137="NOT_SCORED"
 CHECK_TYPE_extra7137="EXTRA"
 CHECK_SEVERITY_extra7137="High"
diff --git a/checks/check_extra7139 b/checks/check_extra7139
index bfb10568..0b635a10 100644
--- a/checks/check_extra7139
+++ b/checks/check_extra7139
@@ -10,7 +10,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra7139="7.139"
-CHECK_TITLE_extra7139="[extra7139] There are High severity GuardDuty findings (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra7139="[extra7139] There are High severity GuardDuty findings "
 CHECK_SCORED_extra7139="NOT_SCORED"
 CHECK_TYPE_extra7139="EXTRA"
 CHECK_SEVERITY_extra7139="High"
diff --git a/checks/check_extra714 b/checks/check_extra714
index fbe31dbc..27681e1f 100644
--- a/checks/check_extra714
+++ b/checks/check_extra714
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra714="7.14"
-CHECK_TITLE_extra714="[extra714] Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra714="[extra714] Check if CloudFront distributions have logging enabled"
 CHECK_SCORED_extra714="NOT_SCORED"
 CHECK_TYPE_extra714="EXTRA"
 CHECK_SEVERITY_extra714="Medium"
@@ -24,18 +24,18 @@ CHECK_DOC_extra714='https://docs.aws.amazon.com/AmazonCloudFront/latest/Develope
 CHECK_CAF_EPIC_extra714='Logging and Monitoring'
 
 extra714(){
- # "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
+ # "Check if CloudFront distributions have logging enabled "
 LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions $PROFILE_OPT --query 'DistributionList.Items[].Id' --output text | grep -v "^None")
 if [[ $LIST_OF_DISTRIBUTIONS ]]; then
 for dist in $LIST_OF_DISTRIBUTIONS; do
 LOG_ENABLED=$($AWSCLI cloudfront get-distribution $PROFILE_OPT --id "$dist" --query 'Distribution.DistributionConfig.Logging.Enabled' | grep true)
 if [[ $LOG_ENABLED ]]; then
- textPass "CloudFront distribution $dist has logging enabled" "us-east-1" "$dist"
+ textPass "$REGION: CloudFront distribution $dist has logging enabled" "$REGION" "$dist"
 else
- textFail "CloudFront distribution $dist has logging disabled" "us-east-1" "$dist"
+ textFail "$REGION: CloudFront distribution $dist has logging disabled" "$REGION" "$dist"
 fi
 done
 else
- textInfo "No CloudFront distributions found"
+ textInfo "$REGION: No CloudFront distributions found" "$REGION" "$dist"
 fi
 }
diff --git a/checks/check_extra716 b/checks/check_extra716
index f666b273..9a307f67 100644
--- a/checks/check_extra716
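Review bot: In the new else branch of extra714, `textInfo "$REGION: No CloudFront distributions found" "$REGION" "$dist"` passes `$dist` as the resource, but that branch only runs when LIST_OF_DISTRIBUTIONS is empty, so the for loop never assigned `$dist` and the argument is empty (or a stale value from earlier code, since the variable is not local). The call should stop after the region, `textInfo "$REGION: No CloudFront distributions found" "$REGION"`, as the extra719 and extra725 hunks in this diff already do. The same pattern appears in the extra718 hunk below, where the "No S3 Buckets found" textInfo passes `$bucket` without the bucket loop having run.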
+++ b/checks/check_extra716
@@ -34,7 +34,7 @@ extra716(){
 # If the endpoint starts with "vpc-" it is in a VPC then it is fine.
 if [[ "$ES_DOMAIN_ENDPOINT" =~ ^vpc-* ]];then
 ES_DOMAIN_VPC=$($AWSCLI es describe-elasticsearch-domain --domain-name $domain $PROFILE_OPT --region $regx --query 'DomainStatus.VPCOptions.VPCId' --output text)
- textInfo "$regx: Amazon ES domain $domain is in VPC $ES_DOMAIN_VPC run extra779 to make sure it is not exposed using custom proxy" "$regx"
+ textInfo "$regx: Amazon ES domain $domain is in VPC $ES_DOMAIN_VPC run extra779 to make sure it is not exposed using custom proxy" "$regx" "$domain"
 else
 $AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.AccessPolicies.Options --output text > $TEMP_POLICY_FILE 2> /dev/null
 # check if the policy has a principal set up
@@ -76,11 +76,11 @@ extra716(){
 textFail "$regx: Amazon ES domain $domain policy allows access (Principal: \"*\" and network \"*\") - use extra788 to test AUTH" "$regx" "$domain"
 fi
 if [[ $CHECK_ES_DOMAIN_POLICY_HAS_CONDITION && ${CHECK_ES_DOMAIN_POLICY_CONDITION_PUBLIC_IP[@]} ]];then
- textInfo "$regx: Amazon ES domain $domain policy allows access (Principal: \"*\" and Public IP or Network $(echo ${CONDITION_HAS_PUBLIC_IP_ARRAY[@]})) - use extra788 to test AUTH" "$regx"
+ textInfo "$regx: Amazon ES domain $domain policy allows access (Principal: \"*\" and Public IP or Network $(echo ${CONDITION_HAS_PUBLIC_IP_ARRAY[@]})) - use extra788 to test AUTH" "$regx" "$domain"
 fi
 else
 if [[ $CHECK_ES_DOMAIN_POLICY_HAS_CONDITION && ${CHECK_ES_DOMAIN_POLICY_CONDITION_PRIVATE_IP[@]} ]];then
- textInfo "$regx: Amazon ES domain $domain policy allows access from a Private IP or CIDR RFC1918 $(echo ${CONDITION_HAS_PRIVATE_IP_ARRAY[@]})" "$regx"
+ textInfo "$regx: Amazon ES domain $domain policy allows access from a Private IP or CIDR RFC1918 $(echo ${CONDITION_HAS_PRIVATE_IP_ARRAY[@]})" "$regx" "$domain"
 else
 textPass "$regx: Amazon ES domain $domain does not allow anonymous access" "$regx" "$domain"
 fi
diff --git a/checks/check_extra717 b/checks/check_extra717
index 53892197..f2f8996c 100644
--- a/checks/check_extra717
+++ b/checks/check_extra717
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra717="7.17"
-CHECK_TITLE_extra717="[extra717] Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra717="[extra717] Check if Elastic Load Balancers have logging enabled"
 CHECK_SCORED_extra717="NOT_SCORED"
 CHECK_TYPE_extra717="EXTRA"
 CHECK_SEVERITY_extra717="Medium"
@@ -24,7 +24,7 @@ CHECK_DOC_extra717='https://docs.aws.amazon.com/elasticloadbalancing/latest/appl
 CHECK_CAF_EPIC_extra717='Logging and Monitoring'
 
 extra717(){
- # "Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
+ # "Check if Elastic Load Balancers have logging enabled "
 for regx in $REGIONS; do
 LIST_OF_ELBS=$($AWSCLI elb describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancerDescriptions[*].LoadBalancerName' --output text|xargs -n1)
 LIST_OF_ELBSV2=$($AWSCLI elbv2 describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancers[*].LoadBalancerArn' --output text|xargs -n1)
diff --git a/checks/check_extra718 b/checks/check_extra718
index 17b11b0b..8e1e8020 100644
--- a/checks/check_extra718
+++ b/checks/check_extra718
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra718="7.18"
-CHECK_TITLE_extra718="[extra718] Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra718="[extra718] Check if S3 buckets have server access logging enabled"
 CHECK_SCORED_extra718="NOT_SCORED"
 CHECK_TYPE_extra718="EXTRA"
 CHECK_SEVERITY_extra718="Medium"
@@ -24,22 +24,22 @@ CHECK_DOC_extra718='https://docs.aws.amazon.com/AmazonS3/latest/dev/security-bes
 CHECK_CAF_EPIC_extra718='Logging and Monitoring'
 
 extra718(){
- # "Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
+ # "Check if S3 buckets have server access logging enabled "
 LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text|xargs -n1)
 if [[ $LIST_OF_BUCKETS ]]; then
 for bucket in $LIST_OF_BUCKETS;do
 BUCKET_SERVER_LOG_ENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket $PROFILE_OPT --query [LoggingEnabled] --output text 2>&1)
 if [[ $(echo "$BUCKET_SERVER_LOG_ENABLED" | grep AccessDenied) ]]; then
- textFail "Access Denied Trying to Get Bucket Logging for $bucket"
+ textFail "$REGION: Access Denied Trying to Get Bucket Logging for $bucket" "$REGION" "$bucket"
 continue
 fi
 if [[ $(echo "$BUCKET_SERVER_LOG_ENABLED" | grep "^None$") ]]; then
- textFail "Bucket $bucket has server access logging disabled!" "us-east-1" "$bucket"
+ textFail "$REGION: Bucket $bucket has server access logging disabled!" "$REGION" "$bucket"
 else
- textPass "Bucket $bucket has server access logging enabled" "us-east-1" "$bucket"
+ textPass "$REGION: Bucket $bucket has server access logging enabled" "$REGION" "$bucket"
 fi
 done
 else
- textInfo "No S3 Buckets found"
+ textInfo "$REGION: No S3 Buckets found" "$REGION" "$bucket"
 fi
 }
diff --git a/checks/check_extra719 b/checks/check_extra719
index ad148c3a..b3435656 100644
--- a/checks/check_extra719
+++ b/checks/check_extra719
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra719="7.19"
-CHECK_TITLE_extra719="[extra719] Check if Route53 public hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra719="[extra719] Check if Route53 public hosted zones are logging queries to CloudWatch Logs"
 CHECK_SCORED_extra719="NOT_SCORED"
 CHECK_TYPE_extra719="EXTRA"
 CHECK_SEVERITY_extra719="Medium"
@@ -30,12 +30,12 @@ extra719(){
 for hostedzoneid in $LIST_OF_HOSTED_ZONES;do
 HOSTED_ZONE_QUERY_LOG_ENABLED=$($AWSCLI route53 list-query-logging-configs --hosted-zone-id $hostedzoneid $PROFILE_OPT --query QueryLoggingConfigs[*].CloudWatchLogsLogGroupArn --output text|cut -d: -f7)
 if [[ $HOSTED_ZONE_QUERY_LOG_ENABLED ]];then
- textPass "Route53 public hosted zone Id $hostedzoneid has query logging enabled in Log Group $HOSTED_ZONE_QUERY_LOG_ENABLED" "us-east-1" "$hostedzoneid"
+ textPass "$REGION: Route53 public hosted zone Id $hostedzoneid has query logging enabled in Log Group $HOSTED_ZONE_QUERY_LOG_ENABLED" "$REGION" "$hostedzoneid"
 else
- textFail "Route53 public hosted zone Id $hostedzoneid has query logging disabled!" "us-east-1" "$hostedzoneid"
+ textFail "$REGION: Route53 public hosted zone Id $hostedzoneid has query logging disabled!" "$REGION" "$hostedzoneid"
 fi
 done
 else
- textInfo "No Route53 hosted zones found"
+ textInfo "$REGION: No Route53 hosted zones found" "$REGION"
 fi
 }
diff --git a/checks/check_extra72 b/checks/check_extra72
index a7598b30..0d088896 100644
--- a/checks/check_extra72
+++ b/checks/check_extra72
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra72="7.2"
-CHECK_TITLE_extra72="[extra72] Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra72="[extra72] Ensure there are no EBS Snapshots set as Public"
 CHECK_SCORED_extra72="NOT_SCORED"
 CHECK_TYPE_extra72="EXTRA"
 CHECK_SEVERITY_extra72="Critical"
@@ -26,8 +26,7 @@ CHECK_DOC_extra72='https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modif
 CHECK_CAF_EPIC_extra72='Data Protection'
 
 extra72(){
- # "Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
- textInfo "Looking for EBS Snapshots in all regions... "
+ # "Ensure there are no EBS Snapshots set as Public "
 for regx in $REGIONS; do
 LIST_OF_EBS_SNAPSHOTS=$($AWSCLI ec2 describe-snapshots $PROFILE_OPT --region $regx --owner-ids $ACCOUNT_NUM --output text --query 'Snapshots[*].{ID:SnapshotId}' --max-items $MAXITEMS | grep -v None 2> /dev/null)
 for snapshot in $LIST_OF_EBS_SNAPSHOTS; do
diff --git a/checks/check_extra720 b/checks/check_extra720
index 5cef8b37..06608532 100644
--- a/checks/check_extra720
+++ b/checks/check_extra720
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra720="7.20"
-CHECK_TITLE_extra720="[extra720] Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra720="[extra720] Check if Lambda functions invoke API operations are being recorded by CloudTrail"
 CHECK_SCORED_extra720="NOT_SCORED"
 CHECK_TYPE_extra720="EXTRA"
 CHECK_SEVERITY_extra720="Low"
@@ -24,17 +24,17 @@ CHECK_DOC_extra720='https://docs.aws.amazon.com/lambda/latest/dg/logging-using-c
 CHECK_CAF_EPIC_extra720='Logging and Monitoring'
 
 extra720(){
- # "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
+ # "Check if Lambda functions invoke API operations are being recorded by CloudTrail "
 for regx in $REGIONS; do
 LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --query 'Functions[*].FunctionName' --output text 2>&1)
 if [[ $(echo "$LIST_OF_FUNCTIONS" | grep AccessDenied) ]]; then
- textFail "$regx: Access Denied trying to list functions"
+ textFail "$regx: Access Denied trying to list functions" "$regx"
 continue
 fi
 if [[ $LIST_OF_FUNCTIONS ]]; then
 LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].TrailARN' --output text 2>&1)
 if [[ $(echo "$LIST_OF_TRAILS" | grep AccessDenied) ]]; then
- textFail "$regx: Access Denied trying to describe trails"
+ textFail "$regx: Access Denied trying to describe trails" "$regx"
 continue
 fi
 for lambdafunction in $LIST_OF_FUNCTIONS; do
diff --git a/checks/check_extra721 b/checks/check_extra721
index 93d2ed92..8b2e54bf 100644
--- a/checks/check_extra721
+++ b/checks/check_extra721
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra721="7.21"
-CHECK_TITLE_extra721="[extra721] Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra721="[extra721] Check if Redshift cluster has audit logging enabled"
 CHECK_SCORED_extra721="NOT_SCORED"
 CHECK_TYPE_extra721="EXTRA"
 CHECK_SEVERITY_extra721="Medium"
@@ -24,7 +24,7 @@ CHECK_DOC_extra721='https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing
 CHECK_CAF_EPIC_extra721='Logging and Monitoring'
 
 extra721(){
- # "Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)"
+ # "Check if Redshift cluster has audit logging enabled "
 for regx in $REGIONS; do
 LIST_OF_REDSHIFT_CLUSTERS=$($AWSCLI redshift describe-clusters $PROFILE_OPT --region $regx --query 'Clusters[*].ClusterIdentifier' --output text)
 if [[ $LIST_OF_REDSHIFT_CLUSTERS ]]; then
diff --git a/checks/check_extra722 b/checks/check_extra722
index 53dde9ed..4db8470c 100644
--- a/checks/check_extra722
+++ b/checks/check_extra722
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra722="7.22"
-CHECK_TITLE_extra722="[extra722] Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra722="[extra722] Check if API Gateway has logging enabled"
 CHECK_SCORED_extra722="NOT_SCORED"
 CHECK_TYPE_extra722="EXTRA"
 CHECK_SEVERITY_extra722="Medium"
@@ -24,7 +24,7 @@ CHECK_DOC_extra722='https://docs.aws.amazon.com/apigateway/latest/developerguide
 CHECK_CAF_EPIC_extra722='Logging and Monitoring'
 
 extra722(){
- # "Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)"
+ # "Check if API Gateway has logging enabled "
 for regx in $REGIONS; do
 LIST_OF_API_GW=$($AWSCLI apigateway get-rest-apis $PROFILE_OPT --region $regx --query items[*].id --output text)
 if [[ $LIST_OF_API_GW ]];then
diff --git a/checks/check_extra723 b/checks/check_extra723
index 3e0cbd04..9653b956 100644
--- a/checks/check_extra723
+++ b/checks/check_extra723
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra723="7.23"
-CHECK_TITLE_extra723="[extra723] Check if RDS Snapshots and Cluster Snapshots are public (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra723="[extra723] Check if RDS Snapshots and Cluster Snapshots are public"
 CHECK_SCORED_extra723="NOT_SCORED"
 CHECK_TYPE_extra723="EXTRA"
 CHECK_SEVERITY_extra723="Critical"
@@ -24,7 +24,7 @@ CHECK_DOC_extra723='https://docs.aws.amazon.com/config/latest/developerguide/rds
 CHECK_CAF_EPIC_extra723='Data Protection'
 
 extra723(){
- # "Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)"
+ # "Check if RDS Snapshots are public "
 for regx in $REGIONS; do
 # RDS snapshots
 LIST_OF_RDS_SNAPSHOTS=$($AWSCLI rds describe-db-snapshots $PROFILE_OPT --region $regx --query DBSnapshots[*].DBSnapshotIdentifier --output text)
diff --git a/checks/check_extra724 b/checks/check_extra724
index f53e13fe..e0b2497f 100644
--- a/checks/check_extra724
+++ b/checks/check_extra724
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra724="7.24"
-CHECK_TITLE_extra724="[extra724] Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra724="[extra724] Check if ACM certificates have Certificate Transparency logging enabled"
 CHECK_SCORED_extra724="NOT_SCORED"
 CHECK_TYPE_extra724="EXTRA"
 CHECK_SEVERITY_extra724="Medium"
@@ -24,7 +24,7 @@ CHECK_DOC_extra724='https://aws.amazon.com/blogs/security/how-to-get-ready-for-c
 CHECK_CAF_EPIC_extra724='Logging and Monitoring'
 
 extra724(){
- # "Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)"
+ # "Check if ACM certificates have Certificate Transparency logging enabled "
 for regx in $REGIONS; do
 LIST_OF_CERTS=$($AWSCLI acm list-certificates $PROFILE_OPT --region $regx --query CertificateSummaryList[].CertificateArn --output text)
 if [[ $LIST_OF_CERTS ]];then
@@ -34,7 +34,7 @@ extra724(){
 CERT_TYPE=$(aws acm describe-certificate $PROFILE_OPT --region $regx --certificate-arn $cert_arn --query Certificate.Type --output text)
 if [[ $CERT_TYPE == "IMPORTED" ]];then
 # Ignore imported certificate
- textInfo "$regx: ACM Certificate $CERT_DOMAIN_NAME is imported." "$regx"
+ textInfo "$regx: ACM Certificate $CERT_DOMAIN_NAME is imported." "$regx" "$CERT_DOMAIN_NAME"
 else
 if [[ $CT_ENABLED == "ENABLED" ]];then
 textPass "$regx: ACM Certificate $CERT_DOMAIN_NAME has Certificate Transparency logging enabled!" "$regx" "$CERT_DOMAIN_NAME"
@@ -47,5 +47,4 @@ extra724(){
 textInfo "$regx: No ACM Certificates found" "$regx"
 fi
 done
- textInfo "*Read more about this here: https://aws.amazon.com/blogs/security/how-to-get-ready-for-certificate-transparency/"
 }
diff --git a/checks/check_extra725 b/checks/check_extra725
index 8a90f8c9..4100b083 100644
--- a/checks/check_extra725
+++ b/checks/check_extra725
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 
 CHECK_ID_extra725="7.25"
-CHECK_TITLE_extra725="[extra725] Check if S3 buckets have Object-level logging enabled in CloudTrail (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra725="[extra725] Check if S3 buckets have Object-level logging enabled in CloudTrail"
 CHECK_SCORED_extra725="NOT_SCORED"
 CHECK_TYPE_extra725="EXTRA"
 CHECK_SEVERITY_extra725="Medium"
@@ -26,17 +26,15 @@ CHECK_CAF_EPIC_extra725='Logging and Monitoring'
 # per Object-level logging is not configured at Bucket level but at CloudTrail trail level
 
 extra725(){
- # "Check if S3 buckets have Object-level logging enabled in CloudTrail (Not Scored) (Not part of CIS benchmark)"
- textInfo "Looking for S3 Buckets Object-level logging information in all trails... "
-
+ # "Check if S3 buckets have Object-level logging enabled in CloudTrail "
 LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --region $REGION --query 'Buckets[*].{Name:Name}' --output text 2>&1)
 if [[ $(echo "$LIST_OF_BUCKETS" | grep AccessDenied) ]]; then
- textFail "Access Denied trying to list buckets"
+ textFail "$REGION: Access Denied trying to list buckets"
 return
 fi
 LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[].TrailARN' --output text 2>&1)
 if [[ $(echo "$LIST_OF_TRAILS" | grep AccessDenied) ]]; then
- textFail "Access Denied trying to describe trails"
+ textFail "$REGION: Access Denied trying to describe trails"
 return
 fi
 if [[ $LIST_OF_BUCKETS ]]; then
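Review bot: The two new access-denied lines in extra725, `textFail "$REGION: Access Denied trying to list buckets"` and `textFail "$REGION: Access Denied trying to describe trails"`, prefix the message with the region but do not pass `"$REGION"` as the second argument, unlike every other textFail rewritten in this commit (for example the matching lines in the extra720 hunk). If textFail uses that argument for the region field of structured output, these two findings will come out without one; `textFail "$REGION: Access Denied trying to list buckets" "$REGION"` keeps them consistent. extra725's body continues in the next hunk.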
@@ -53,17 +51,17 @@ extra725(){
 
 if [[ ${#BUCKET_ENABLED_TRAILS[@]} -gt 0 ]]; then
 for trail in "${BUCKET_ENABLED_TRAILS[@]}"; do
- textPass "$regx: S3 bucket $bucketName has Object-level logging enabled in trail $trail" "$regx" "$bucketName"
+ textPass "$REGION: S3 bucket $bucketName has Object-level logging enabled in trail $trail" "$REGION" "$bucketName"
 done
 else
- textFail "$regx: S3 bucket $bucketName has Object-level logging disabled" "$regx" "$bucketName"
+ textFail "$REGION: S3 bucket $bucketName has Object-level logging disabled" "$REGION" "$bucketName"
 fi
 else
- textFail "$regx: S3 bucket $bucketName is not being recorded no CloudTrail found!" "$regx" "$bucketName"
+ textFail "$REGION: S3 bucket $bucketName is not being recorded no CloudTrail found!" "$REGION" "$bucketName"
 fi
 done
 else
- textInfo "$regx: No S3 buckets found" "$regx"
+ textInfo "$REGION: No S3 buckets found" "$REGION"
 fi
 }
 
diff --git a/checks/check_extra726 b/checks/check_extra726
index 1119e526..76de3c84 100644
--- a/checks/check_extra726
+++ b/checks/check_extra726
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 
 CHECK_ID_extra726="7.26"
-CHECK_TITLE_extra726="[extra726] Check Trusted Advisor for errors and warnings (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra726="[extra726] Check Trusted Advisor for errors and warnings"
 CHECK_SCORED_extra726="NOT_SCORED"
 CHECK_TYPE_extra726="EXTRA"
 CHECK_SEVERITY_extra726="Medium"
@@ -25,32 +25,32 @@ CHECK_CAF_EPIC_extra726='IAM' extra726(){ trap "exit" INT - # forcing us-east-1 region only since support only works in that region - TA_CHECKS_ID=$($AWSCLI support describe-trusted-advisor-checks --language en $PROFILE_OPT --region us-east-1 --query checks[*].id --output text 2>&1) + # forcing REGION if not set will be us-east-1 region only since support only works in that region + TA_CHECKS_ID=$($AWSCLI support describe-trusted-advisor-checks --language en $PROFILE_OPT --region $REGION --query checks[*].id --output text 2>&1) if [[ $(echo "$TA_CHECKS_ID" | grep SubscriptionRequiredException) ]]; then - textInfo "Trusted Advisor requires AWS Premium Support Subscription" + textInfo "$REGION: Trusted Advisor requires AWS Premium Support Subscription" "$REGION" return fi for checkid in $TA_CHECKS_ID; do - TA_CHECKS_NAME=$($AWSCLI support describe-trusted-advisor-checks --language en $PROFILE_OPT --region us-east-1 --query "checks[?id==\`$checkid\`].{name:name}[*]" --output text) - QUERY_TA_CHECK_RESULT=$($AWSCLI support describe-trusted-advisor-check-result --check-id $checkid --language en $PROFILE_OPT --region us-east-1 --query 'result.status' --output text) + TA_CHECKS_NAME=$($AWSCLI support describe-trusted-advisor-checks --language en $PROFILE_OPT --region $REGION --query "checks[?id==\`$checkid\`].{name:name}[*]" --output text) + QUERY_TA_CHECK_RESULT=$($AWSCLI support describe-trusted-advisor-check-result --check-id $checkid --language en $PROFILE_OPT --region $REGION --query 'result.status' --output text) # Possible results - https://docs.aws.amazon.com/cli/latest/reference/support/describe-trusted-advisor-check-result.html case "$QUERY_TA_CHECK_RESULT" in "ok") - textPass "Trusted Advisor check $TA_CHECKS_NAME is in ok state $QUERY_TA_CHECK_RESULT" "us-east-1" "$TA_CHECKS_NAME" + textPass "$REGION: Trusted Advisor check $TA_CHECKS_NAME is in ok state $QUERY_TA_CHECK_RESULT" "$REGION" "$TA_CHECKS_NAME" ;; "error") - textFail "Trusted 
Advisor check $TA_CHECKS_NAME is in error state $QUERY_TA_CHECK_RESULT" "us-east-1" "$TA_CHECKS_NAME" + textFail "$REGION: Trusted Advisor check $TA_CHECKS_NAME is in error state $QUERY_TA_CHECK_RESULT" "$REGION" "$TA_CHECKS_NAME" ;; "warning") - textInfo "Trusted Advisor check $TA_CHECKS_NAME is in warning state $QUERY_TA_CHECK_RESULT" "us-east-1" "$TA_CHECKS_NAME" + textInfo "$REGION: Trusted Advisor check $TA_CHECKS_NAME is in warning state $QUERY_TA_CHECK_RESULT" "$REGION" "$TA_CHECKS_NAME" ;; "not_available") - textInfo "Trusted Advisor check $TA_CHECKS_NAME is in not_available state $QUERY_TA_CHECK_RESULT" "us-east-1" "$TA_CHECKS_NAME" + textInfo "$REGION: Trusted Advisor check $TA_CHECKS_NAME is in not_available state $QUERY_TA_CHECK_RESULT" "u$REGION" "$TA_CHECKS_NAME" ;; "*") - textFail "Trusted Advisor check $TA_CHECKS_NAME is in unknown state $QUERY_TA_CHECK_RESULT" "us-east-1" "$TA_CHECKS_NAME" + textFail "$REGION: Trusted Advisor check $TA_CHECKS_NAME is in unknown state $QUERY_TA_CHECK_RESULT" "$REGION" "$TA_CHECKS_NAME" ;; esac done diff --git a/checks/check_extra727 b/checks/check_extra727 index 63ad651e..797401be 100644 --- a/checks/check_extra727 +++ b/checks/check_extra727 @@ -12,7 +12,7 @@ # specific language governing permissions and limitations under the License. CHECK_ID_extra727="7.27" -CHECK_TITLE_extra727="[extra727] Check if SQS queues have policy set as Public (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra727="[extra727] Check if SQS queues have policy set as Public" CHECK_SCORED_extra727="NOT_SCORED" CHECK_TYPE_extra727="EXTRA" CHECK_SEVERITY_extra727="Critical" 
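Review bot: The new "not_available" arm of extra726 passes `"u$REGION"` as the region argument, a stray `u` that makes the region field read e.g. `uus-east-1`; it should be `"$REGION"` like the other four arms. The rewritten comment says REGION falls back to us-east-1, but the hunk itself only substitutes `$REGION` into the three support calls; if the caller sets REGION to another region, the Support API calls will presumably fail and nothing in this function reports that, so it is worth either documenting where the fallback happens or guarding it here. Separately, on the new side the default arm is written `"*")`, which in a case statement matches the literal string `*` rather than anything, so the unknown-state textFail is unreachable; `*)` is the intended pattern. extra726's body continues past the end of the hunk.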
@@ -41,7 +41,7 @@ extra727(){
 | jq '"[Principal: " + (.Principal|tostring) + " Action: " + (.Action|tostring) + "]"' )
 textFail "$regx: SQS $queue queue policy with public access: $SQS_POLICY_ALLOW_ALL_WITHOUT_CONDITION_DETAILS" "$regx" "$queue"
 else
- textInfo "$regx: SQS $queue queue policy with public access but has a Condition" "$regx"
+ textInfo "$regx: SQS $queue queue policy with public access but has a Condition" "$regx" "$queue"
 fi
 else
 textPass "$regx: SQS $queue queue without public access" "$regx" "$queue"
diff --git a/checks/check_extra728 b/checks/check_extra728
index 3fbaff2c..f7589af1 100644
--- a/checks/check_extra728
+++ b/checks/check_extra728
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 
 CHECK_ID_extra728="7.28"
-CHECK_TITLE_extra728="[extra728] Check if SQS queues have Server Side Encryption enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra728="[extra728] Check if SQS queues have Server Side Encryption enabled"
 CHECK_SCORED_extra728="NOT_SCORED"
 CHECK_TYPE_extra728="EXTRA"
 CHECK_SEVERITY_extra728="Medium"
diff --git a/checks/check_extra729 b/checks/check_extra729
index e3759bf2..743e568d 100644
--- a/checks/check_extra729
+++ b/checks/check_extra729
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 
 CHECK_ID_extra729="7.29"
-CHECK_TITLE_extra729="[extra729] Ensure there are no EBS Volumes unencrypted (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra729="[extra729] Ensure there are no EBS Volumes unencrypted"
 CHECK_SCORED_extra729="NOT_SCORED"
 CHECK_TYPE_extra729="EXTRA"
 CHECK_SEVERITY_extra729="Medium"
@@ -26,8 +26,7 @@ CHECK_DOC_extra729='https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncry
 CHECK_CAF_EPIC_extra729='Data Protection'
 
 extra729(){
- # "Ensure there are no EBS Volumes unencrypted (Not Scored) (Not part of CIS benchmark)"
- textInfo "Looking for EBS Volumes in all regions... "
+ # "Ensure there are no EBS Volumes unencrypted "
 for regx in $REGIONS; do
 LIST_OF_EBS_NON_ENC_VOLUMES=$($AWSCLI ec2 describe-volumes $PROFILE_OPT --region $regx --query 'Volumes[?Encrypted==`false`].VolumeId' --output text)
 if [[ $LIST_OF_EBS_NON_ENC_VOLUMES ]];then
diff --git a/checks/check_extra73 b/checks/check_extra73
index 9a0b9162..c2329607 100644
--- a/checks/check_extra73
+++ b/checks/check_extra73
@@ -12,7 +12,7 @@
 # specific language governing permissions and limitations under the License.
 
 CHECK_ID_extra73="7.3"
-CHECK_TITLE_extra73="[extra73] Ensure there are no S3 buckets open to Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra73="[extra73] Ensure there are no S3 buckets open to Everyone or Any AWS user"
 CHECK_SCORED_extra73="NOT_SCORED"
 CHECK_TYPE_extra73="EXTRA"
 CHECK_SEVERITY_extra73="Critical"
@@ -43,14 +43,12 @@ CHECK_CAF_EPIC_extra73='Data Protection'
 # for day to day usage that is probably desirable.
 
 extra73(){
- textInfo "Looking for open S3 Buckets (ACLs and Policies) in all regions... "
-
 #
 # If public ACLs disabled at account level then look no further
 #
 ACCOUNT_PUBLIC_ACCESS_BLOCK=$($AWSCLI s3control get-public-access-block $PROFILE_OPT --region $REGION --account-id $ACCOUNT_NUM --output json 2>&1)
 if [[ $(echo "$ACCOUNT_PUBLIC_ACCESS_BLOCK" | grep AccessDenied) ]]; then
- textFail "Access Denied getting PublicAccessBlock configuration for AWS account"
+ textFail "$REGION: Access Denied getting PublicAccessBlock configuration for AWS account" "$REGION" "$bucket"
 return
 fi
 if [[ $(echo "$ACCOUNT_PUBLIC_ACCESS_BLOCK" | grep NoSuchPublicAccessBlockConfiguration) ]]; then
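Review bot: In the extra73 hunk here, `textFail "$REGION: Access Denied getting PublicAccessBlock configuration for AWS account" "$REGION" "$bucket"` passes `$bucket` as the resource before the bucket loop has started, so the value is empty or left over from an earlier check; this is an account-level finding and should pass only the region, `textFail "$REGION: Access Denied getting PublicAccessBlock configuration for AWS account" "$REGION"`. The account-level textPass, the list-buckets textFail and the "No buckets found" textInfo in the next two hunks (`@@ -61,7` and `@@ -70,11`) carry the same premature `$bucket`. The per-bucket hunks further on are fine, since there `$bucket` is the loop variable. extra73's body continues across the following hunks.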
@@ -61,7 +59,7 @@ extra73(){ ACCOUNTRESTRICTPUBLICBUCKETS=$(echo "$ACCOUNT_PUBLIC_ACCESS_BLOCK" | jq -r '.PublicAccessBlockConfiguration.RestrictPublicBuckets') fi if [[ $ACCOUNTIGNOREPUBLICACLS == "true" && $ACCOUNTRESTRICTPUBLICBUCKETS == "true" ]]; then - textPass "All S3 public access blocked at account level" + textPass "$REGION: All S3 public access blocked at account level" "$REGION" "$bucket" return fi @@ -70,11 +68,11 @@ extra73(){ # ALL_BUCKETS_LIST=$($AWSCLI s3api list-buckets --query 'Buckets[*].{Name:Name}' $PROFILE_OPT --output text 2>&1) if [[ $(echo "$ALL_BUCKETS_LIST" | grep AccessDenied) ]]; then - textFail "Access Denied Trying to List Buckets" + textFail "$REGION: Access Denied Trying to List Buckets" "$REGION" "$bucket" return fi if [[ "$ALL_BUCKETS_LIST" == "" ]]; then - textInfo "No buckets found" + textInfo "$REGION: No buckets found" "$REGION" "$bucket" return fi @@ -87,7 +85,7 @@ extra73(){ # BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location $PROFILE_OPT --region $REGION --bucket $bucket --output text 2>&1) if [[ $(echo "$BUCKET_LOCATION" | grep AccessDenied) ]]; then - textFail "Access Denied Trying to Get Bucket Location for $bucket" + textFail "$REGION: Access Denied Trying to Get Bucket Location for $bucket" "$REGION" "$bucket" continue fi if [[ $BUCKET_LOCATION == "None" ]]; then @@ -101,7 +99,7 @@ extra73(){ # BUCKET_PUBLIC_ACCESS_BLOCK=$($AWSCLI s3api get-public-access-block $PROFILE_OPT --region $BUCKET_LOCATION --bucket $bucket --output json 2>&1) if [[ $(echo "$BUCKET_PUBLIC_ACCESS_BLOCK" | grep AccessDenied) ]]; then - textFail "Access Denied Trying to Get Public Access Block for $bucket" + textFail "$BUCKET_LOCATION: Access Denied Trying to Get Public Access Block for $bucket" "$BUCKET_LOCATION" "$bucket" continue fi if [[ $(echo "$BUCKET_PUBLIC_ACCESS_BLOCK" | grep NoSuchPublicAccessBlockConfiguration) ]]; then 
@@ -112,7 +110,7 @@ extra73(){ BUCKETRESTRICTPUBLICBUCKETS=$(echo "$BUCKET_PUBLIC_ACCESS_BLOCK" | jq -r '.PublicAccessBlockConfiguration.RestrictPublicBuckets') fi if [[ $BUCKETIGNOREPUBLICACLS == "true" && $BUCKETRESTRICTPUBLICBUCKETS == "true" ]]; then - textPass "$BUCKET_LOCATION: $bucket bucket is not Public" "$BUCKET_LOCATION" + textPass "$BUCKET_LOCATION: $bucket bucket is not Public" "$BUCKET_LOCATION" "$bucket" continue fi @@ -121,7 +119,7 @@ extra73(){ # BUCKET_ACL=$($AWSCLI s3api get-bucket-acl $PROFILE_OPT --region $BUCKET_LOCATION --bucket $bucket --output json 2>&1) if [[ $(echo "$BUCKET_ACL" | grep AccessDenied) ]]; then - textFail "Access Denied Trying to Get Bucket Acl for $bucket" + textFail "$BUCKET_LOCATION: Access Denied Trying to Get Bucket Acl for $bucket" "$BUCKET_LOCATION" "$bucket" continue fi @@ -142,7 +140,7 @@ extra73(){ # BUCKET_POLICY_STATUS=$($AWSCLI s3api get-bucket-policy-status $PROFILE_OPT --region $BUCKET_LOCATION --bucket $bucket --query PolicyStatus.IsPublic --output text 2>&1) if [[ $(echo "$BUCKET_POLICY_STATUS" | grep AccessDenied) ]]; then - textFail "Access Denied Trying to Get Bucket Policy Status for $bucket" + textFail "$BUCKET_LOCATION: Access Denied Trying to Get Bucket Policy Status for $bucket" "$BUCKET_LOCATION" "$bucket" continue fi if [[ $(echo "$BUCKET_POLICY_STATUS" | grep NoSuchBucketPolicy) ]]; then diff --git a/checks/check_extra730 b/checks/check_extra730 index f37e9a8f..706922fa 100644 --- a/checks/check_extra730 +++ b/checks/check_extra730 @@ -14,7 +14,7 @@ DAYS_TO_EXPIRE_THRESHOLD="7" CHECK_ID_extra730="7.30" -CHECK_TITLE_extra730="[extra730] Check if ACM Certificates are about to expire in $DAYS_TO_EXPIRE_THRESHOLD days or less (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra730="[extra730] Check if ACM Certificates are about to expire in $DAYS_TO_EXPIRE_THRESHOLD days or less" CHECK_SCORED_extra730="NOT_SCORED" CHECK_TYPE_extra730="EXTRA" CHECK_SEVERITY_extra730="High" 
diff --git a/checks/check_extra731 b/checks/check_extra731 index 69b4d81c..3a5eec01 100644 --- a/checks/check_extra731 +++ b/checks/check_extra731 @@ -12,7 +12,7 @@ # specific language governing permissions and limitations under the License. CHECK_ID_extra731="7.31" -CHECK_TITLE_extra731="[extra731] Check if SNS topics have policy set as Public (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra731="[extra731] Check if SNS topics have policy set as Public" CHECK_SCORED_extra731="NOT_SCORED" CHECK_TYPE_extra731="EXTRA" CHECK_SEVERITY_extra731="Critical" diff --git a/checks/check_extra732 b/checks/check_extra732 index 75e4f9ab..3b584d34 100644 --- a/checks/check_extra732 +++ b/checks/check_extra732 @@ -12,7 +12,7 @@ # specific language governing permissions and limitations under the License. CHECK_ID_extra732="7.32" -CHECK_TITLE_extra732="[extra732] Check if Geo restrictions are enabled in CloudFront distributions (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra732="[extra732] Check if Geo restrictions are enabled in CloudFront distributions" CHECK_SCORED_extra732="NOT_SCORED" CHECK_TYPE_extra732="EXTRA" CHECK_SEVERITY_extra732="Low" @@ -30,12 +30,12 @@ extra732(){ for dist in $LIST_DISTRIBUTIONS; do GEO_ENABLED=$($AWSCLI cloudfront get-distribution-config $PROFILE_OPT --id $dist --query DistributionConfig.Restrictions.GeoRestriction.RestrictionType --output text) if [[ $GEO_ENABLED == "none" ]]; then - textFail "CloudFront distribution $dist has not Geo restrictions" "us-east-1" "$dist" + textFail "$REGION: CloudFront distribution $dist has not Geo restrictions" "$REGION" "$dist" else - textPass "CloudFront distribution $dist has Geo restrictions enabled" "us-east-1" "$dist" + textPass "$REGION: CloudFront distribution $dist has Geo restrictions enabled" "$REGION" "$dist" fi done else - textInfo "No CloudFront distributions found" + textInfo "$REGION: No CloudFront distributions found" fi } 
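Review bot: The else branch of extra732 is the only call in this hunk that still omits the region argument: `textInfo "$REGION: No CloudFront distributions found"`, while the equivalent line in extra738 in this same commit passes it (`textInfo "$REGION: No CloudFront distributions found" "$REGION"`); the two should match so the info row is attributed the same way. Separately, the old code pinned the CloudFront rows to `us-east-1` because the service is global; with `$REGION` the same distribution will presumably be attributed to whatever default region the tool was invoked with, which is worth stating in a comment above the loop, e.g. `# CloudFront is global; findings are tagged with the caller's default region`. The same region switch is made in extra738 further down. The enclosing extra732 function starts before this hunk.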
diff --git a/checks/check_extra733 b/checks/check_extra733 index 32a05152..24ea3275 100644 --- a/checks/check_extra733 +++ b/checks/check_extra733 @@ -12,7 +12,7 @@ # specific language governing permissions and limitations under the License. CHECK_ID_extra733="7.33" -CHECK_TITLE_extra733="[extra733] Check if there are SAML Providers then STS can be used (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra733="[extra733] Check if there are SAML Providers then STS can be used" CHECK_SCORED_extra733="NOT_SCORED" CHECK_TYPE_extra733="EXTRA" CHECK_SEVERITY_extra733="Low" @@ -29,9 +29,9 @@ extra733(){ if [[ $LIST_SAML_PROV ]]; then for provider in $LIST_SAML_PROV; do PROVIDER_NAME=$(echo $provider| cut -d/ -f2) - textInfo "SAML Provider $PROVIDER_NAME has been found" + textInfo "$REGION: SAML Provider $PROVIDER_NAME has been found" "$REGION" "$PROVIDER_NAME" done else - textFail "No SAML Provider found. Add one and use STS" + textFail "$REGION: No SAML Provider found. Add one and use STS" "$REGION" "$PROVIDER_NAME" fi } diff --git a/checks/check_extra734 b/checks/check_extra734 index cb64f335..bb6e2ae5 100644 --- a/checks/check_extra734 +++ b/checks/check_extra734 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra734="7.34" -CHECK_TITLE_extra734="[extra734] Check if S3 buckets have default encryption (SSE) enabled or use a bucket policy to enforce it (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra734="[extra734] Check if S3 buckets have default encryption (SSE) enabled or use a bucket policy to enforce it" CHECK_SCORED_extra734="NOT_SCORED" CHECK_TYPE_extra734="EXTRA" CHECK_SEVERITY_extra734="Medium" 
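Review bot: In extra733 the else branch now passes `"$PROVIDER_NAME"` as the resource, but that variable is only assigned inside the for loop of the if branch, so on the "no provider" path it is unset (or stale from a previous run in the same shell). There is no provider to name here; pass a fixed value instead, e.g. `textFail "$REGION: No SAML Provider found. Add one and use STS" "$REGION" "$ACCOUNT_NUM"` if the account id is in scope here as it is in extra73, otherwise an explicit literal. The enclosing extra733 function starts before this hunk.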
@@ -30,7 +30,7 @@ extra734(){ for bucket in $LIST_OF_BUCKETS;do BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location $PROFILE_OPT --region $REGION --bucket $bucket --output text 2>&1) if [[ $(echo "$BUCKET_LOCATION" | grep AccessDenied) ]]; then - textFail "Access Denied Trying to Get Bucket Location for $bucket" + textFail "$BUCKET_LOCATION Access Denied Trying to Get Bucket Location for $bucket" "$BUCKET_LOCATION" "$bucket" continue fi if [[ $BUCKET_LOCATION == "None" ]]; then @@ -46,13 +46,13 @@ extra734(){ # query to get if has encryption enabled or not RESULT=$($AWSCLI s3api get-bucket-encryption $PROFILE_OPT --region $BUCKET_LOCATION --bucket $bucket --query ServerSideEncryptionConfiguration.Rules[].ApplyServerSideEncryptionByDefault[].SSEAlgorithm --output text 2>&1) if [[ $(echo "$RESULT" | grep AccessDenied) ]]; then - textFail "Access Denied Trying to Get Encryption for $bucket" + textFail "$BUCKET_LOCATION: Access Denied Trying to Get Encryption for $bucket" "$BUCKET_LOCATION" "$bucket" continue fi if [[ $RESULT == "AES256" || $RESULT == "aws:kms" ]]; then - textPass "Bucket $bucket is enabled for default encryption with $RESULT" "us-east-1" "$bucket" + textPass "$BUCKET_LOCATION: Bucket $bucket is enabled for default encryption with $RESULT" "$BUCKET_LOCATION" "$bucket" continue fi 
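Review bot: In the first hunk of extra734, `textFail "$BUCKET_LOCATION Access Denied Trying to Get Bucket Location for $bucket" "$BUCKET_LOCATION" "$bucket"` reports `$BUCKET_LOCATION` as the region at a point where that variable holds the CLI's error output (the command ran with `2>&1` and the branch was taken because it matched `AccessDenied`), so both the message prefix and the region column will carry the error text rather than a region. The call itself was made with `--region $REGION`, and the equivalent line in extra73 already reports that, so this should be `textFail "$REGION: Access Denied Trying to Get Bucket Location for $bucket" "$REGION" "$bucket"`. The enclosing extra734 function starts before this hunk.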
@@ -61,12 +61,12 @@ extra734(){ # get bucket policy $AWSCLI s3api get-bucket-policy $PROFILE_OPT --bucket $bucket --region $BUCKET_LOCATION --output text --query Policy > $TEMP_SSE_POLICY_FILE 2>&1 if [[ $(grep AccessDenied $TEMP_SSE_POLICY_FILE) ]]; then - textFail "Access Denied Trying to Get Bucket Policy for $bucket" + textFail "$BUCKET_LOCATION: Access Denied Trying to Get Bucket Policy for $bucket" "$BUCKET_LOCATION" "$bucket" rm -f $TEMP_SSE_POLICY_FILE continue fi if [[ $(grep NoSuchBucketPolicy $TEMP_SSE_POLICY_FILE) ]]; then - textFail "No bucket policy for $bucket" "us-east-1" "$bucket" "us-east-1" "$bucket" + textFail "$BUCKET_LOCATION: No bucket policy for $bucket" "$BUCKET_LOCATION" "$bucket" rm -f $TEMP_SSE_POLICY_FILE continue fi 
@@ -74,18 +74,18 @@ extra734(){ # check if the S3 policy forces SSE s3:x-amz-server-side-encryption:true CHECK_BUCKET_SSE_POLICY_PRESENT=$(cat $TEMP_SSE_POLICY_FILE | jq --arg arn "arn:${AWS_PARTITION}:s3:::${bucket}/*" '.Statement[]|select(.Effect=="Deny" and ((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*") and .Action=="s3:PutObject" and .Resource==$arn and .Condition.StringEquals."s3:x-amz-server-side-encryption" != null)') if [[ $CHECK_BUCKET_SSE_POLICY_PRESENT == "" ]]; then - textFail "Bucket $bucket does not enforce encryption!" "us-east-1" "$bucket" + textFail "$BUCKET_LOCATION: Bucket $bucket does not enforce encryption!" "$BUCKET_LOCATION" "$bucket" rm -f $TEMP_SSE_POLICY_FILE continue fi CHECK_BUCKET_SSE_POLICY_VALUE=$(echo "$CHECK_BUCKET_SSE_POLICY_PRESENT" | jq -r '.Condition.StringNotEquals."s3:x-amz-server-side-encryption"') - textPass "Bucket $bucket has S3 bucket policy to enforce encryption with $CHECK_BUCKET_SSE_POLICY_VALUE" + textPass "$BUCKET_LOCATION: Bucket $bucket has S3 bucket policy to enforce encryption with $CHECK_BUCKET_SSE_POLICY_VALUE" "$BUCKET_LOCATION" "$bucket" rm -f $TEMP_SSE_POLICY_FILE done else - textInfo "No S3 Buckets found" + textInfo "$REGION No S3 Buckets found" "$REGION" fi } diff --git a/checks/check_extra735 b/checks/check_extra735 index f1d07aba..72cb30f9 100644 --- a/checks/check_extra735 +++ b/checks/check_extra735 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra735="7.35" -CHECK_TITLE_extra735="[extra735] Check if RDS instances storage is encrypted (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra735="[extra735] Check if RDS instances storage is encrypted" CHECK_SCORED_extra735="NOT_SCORED" CHECK_TYPE_extra735="EXTRA" CHECK_SEVERITY_extra735="Medium" 
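Review bot: The else branch `textInfo "$REGION No S3 Buckets found" "$REGION"` is missing the colon after the region that every other message in this commit uses (`"$REGION: ..."`), so report parsers keyed on that prefix will treat this row differently. Change it to `textInfo "$REGION: No S3 Buckets found" "$REGION"`. The enclosing extra734 function starts before this hunk.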
diff --git a/checks/check_extra736 b/checks/check_extra736 index 00d246c9..1c87be8e 100644 --- a/checks/check_extra736 +++ b/checks/check_extra736 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra736="7.36" -CHECK_TITLE_extra736="[extra736] Check exposed KMS keys (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra736="[extra736] Check exposed KMS keys" CHECK_SCORED_extra736="NOT_SCORED" CHECK_TYPE_extra736="EXTRA" CHECK_SEVERITY_extra736="Critical" @@ -25,7 +25,6 @@ CHECK_DOC_extra736='https://docs.aws.amazon.com/kms/latest/developerguide/determ CHECK_CAF_EPIC_extra736='Data Protection' extra736(){ - textInfo "Looking for KMS keys in all regions... " for regx in $REGIONS; do LIST_OF_CUSTOMER_KMS_KEYS=$($AWSCLI kms list-aliases $PROFILE_OPT --region $regx --query "Aliases[].[AliasName,TargetKeyId]" --output text |grep -v ^alias/aws/ |awk '{ print $2 }') if [[ $LIST_OF_CUSTOMER_KMS_KEYS ]];then diff --git a/checks/check_extra737 b/checks/check_extra737 index b3e751b8..056e7be6 100644 --- a/checks/check_extra737 +++ b/checks/check_extra737 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra737="7.37" -CHECK_TITLE_extra737="[extra737] Check KMS keys with key rotation disabled (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra737="[extra737] Check KMS keys with key rotation disabled" CHECK_SCORED_extra737="NOT_SCORED" CHECK_TYPE_extra737="EXTRA" CHECK_SEVERITY_extra737="Medium" 
@@ -25,7 +25,6 @@ CHECK_DOC_extra737='https://docs.aws.amazon.com/kms/latest/developerguide/rotate CHECK_CAF_EPIC_extra737='Data Protection' extra737(){ - textInfo "Looking for KMS keys in all regions... " for regx in $REGIONS; do LIST_OF_CUSTOMER_KMS_KEYS=$($AWSCLI kms list-aliases $PROFILE_OPT --region $regx --query "Aliases[].[AliasName,TargetKeyId]" --output text |grep -v ^alias/aws/ |awk '{ print $2 }') if [[ $LIST_OF_CUSTOMER_KMS_KEYS ]];then diff --git a/checks/check_extra738 b/checks/check_extra738 index da1f9840..2a637a9d 100644 --- a/checks/check_extra738 +++ b/checks/check_extra738 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra738="7.38" -CHECK_TITLE_extra738="[extra738] Check if CloudFront distributions are set to HTTPS (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra738="[extra738] Check if CloudFront distributions are set to HTTPS" CHECK_SCORED_extra738="NOT_SCORED" CHECK_TYPE_extra738="EXTRA" CHECK_SEVERITY_extra738="Medium" 
@@ -30,14 +30,14 @@ extra738(){ for dist in $LIST_OF_DISTRIBUTIONS; do CHECK_HTTPS_STATUS=$($AWSCLI cloudfront get-distribution --id $dist --query Distribution.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy $PROFILE_OPT --output text) if [[ $CHECK_HTTPS_STATUS == "allow-all" ]]; then - textFail "CloudFront distribution $dist viewers can use HTTP or HTTPS!" "$regx" "$dist" + textFail "$REGION: CloudFront distribution $dist viewers can use HTTP or HTTPS!" "$REGION" "$dist" elif [[ $CHECK_HTTPS_STATUS == "redirect-to-https" ]]; then - textPass "CloudFront distribution $dist has redirect to HTTPS" "$regx" "$dist" + textPass "$REGION: CloudFront distribution $dist has redirect to HTTPS" "$REGION" "$dist" else - textPass "CloudFront distribution $dist has HTTPS only" "$regx" "$dist" + textPass "$REGION: CloudFront distribution $dist has HTTPS only" "$REGION" "$dist" fi done else - textInfo "No CloudFront distributions found" "$regx" + textInfo "$REGION: No CloudFront distributions found" "$REGION" fi } diff --git a/checks/check_extra739 b/checks/check_extra739 index 0cf5eb98..0dea5d78 100644 --- a/checks/check_extra739 +++ b/checks/check_extra739 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra739="7.39" -CHECK_TITLE_extra739="[extra739] Check if RDS instances have backup enabled (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra739="[extra739] Check if RDS instances have backup enabled" CHECK_SCORED_extra739="NOT_SCORED" CHECK_TYPE_extra739="EXTRA" CHECK_SEVERITY_extra739="Medium" diff --git a/checks/check_extra74 b/checks/check_extra74 index fde3b648..7d94a6a9 100644 --- a/checks/check_extra74 +++ b/checks/check_extra74 
@@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra74="7.4" -CHECK_TITLE_extra74="[extra74] Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra74="[extra74] Ensure there are no Security Groups without ingress filtering being used" CHECK_SCORED_extra74="NOT_SCORED" CHECK_TYPE_extra74="EXTRA" CHECK_SEVERITY_extra74="High" @@ -27,8 +27,7 @@ CHECK_DOC_extra74='https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security CHECK_CAF_EPIC_extra74='Infrastructure Security' extra74(){ - # "Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)" - textInfo "Looking for Security Groups in all regions... " + # "Ensure there are no Security Groups without ingress filtering being used " for regx in $REGIONS; do LIST_OF_SECURITYGROUPS=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters "Name=ip-permission.cidr,Values=0.0.0.0/0" --query "SecurityGroups[].[GroupId]" --output text --max-items $MAXITEMS) for SG_ID in $LIST_OF_SECURITYGROUPS; do @@ -36,7 +35,7 @@ extra74(){ if [[ $SG_NO_INGRESS_FILTER -ne 0 ]];then textFail "$regx: $SG_ID has no ingress filtering and it is being used!" "$regx" "$SG_ID" else - textInfo "$regx: $SG_ID has no ingress filtering but it is not being used" "$regx" + textInfo "$regx: $SG_ID has no ingress filtering but it is not being used" "$regx" "$SG_ID" fi done done diff --git a/checks/check_extra740 b/checks/check_extra740 index 37f81434..7f771663 100644 --- a/checks/check_extra740 +++ b/checks/check_extra740 
@@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra740="7.40" -CHECK_TITLE_extra740="[extra740] Check if EBS snapshots are encrypted (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra740="[extra740] Check if EBS snapshots are encrypted" CHECK_SCORED_extra740="NOT_SCORED" CHECK_TYPE_extra740="EXTRA" CHECK_SEVERITY_extra740="Medium" @@ -25,7 +25,6 @@ CHECK_DOC_extra740='https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncry CHECK_CAF_EPIC_extra740='Data Protection' extra740(){ - textInfo "Examining EBS Volume Snapshots ..." # This does NOT use max-items, which would limit the number of items # considered. It considers all snapshots, but only reports at most # max-items passing and max-items failing. @@ -47,7 +46,7 @@ extra740(){ for snapshot in ${UNENCRYPTED_SNAPSHOTS}; do unencrypted=${unencrypted}+1 if [ "${unencrypted}" -le "${MAXITEMS}" ]; then - textFail "${regx}: ${snapshot} is not encrypted!" "${regx}" + textFail "${regx}: ${snapshot} is not encrypted!" "${regx}" "${snapshot}" fi done fi @@ -55,7 +54,7 @@ extra740(){ for snapshot in ${ENCRYPTED_SNAPSHOTS}; do encrypted=${encrypted}+1 if [ "${encrypted}" -le "${MAXITEMS}" ]; then - textPass "${regx}: ${snapshot} is encrypted." "${regx}" + textPass "${regx}: ${snapshot} is encrypted." "${regx}" "${snapshot}" fi done fi diff --git a/checks/check_extra741 b/checks/check_extra741 index 3fbd71e9..ebf12543 100644 --- a/checks/check_extra741 +++ b/checks/check_extra741 
@@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra741="7.41" -CHECK_TITLE_extra741="[extra741] Find secrets in EC2 User Data (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra741="[extra741] Find secrets in EC2 User Data" CHECK_SCORED_extra741="NOT_SCORED" CHECK_TYPE_extra741="EXTRA" CHECK_SEVERITY_extra741="Critical" @@ -30,7 +30,6 @@ extra741(){ mkdir $SECRETS_TEMP_FOLDER fi - textInfo "Looking for secrets in EC2 User Data in instances across all regions... (max 100 instances per region use -m to increase it) " for regx in $REGIONS; do LIST_OF_EC2_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query Reservations[*].Instances[*].InstanceId --output text --max-items $MAXITEMS | grep -v None) if [[ $LIST_OF_EC2_INSTANCES ]];then @@ -47,7 +46,7 @@ extra741(){ fi FINDINGS=$(secretsDetector file "$EC2_USERDATA_FILE") if [[ $FINDINGS -eq 0 ]]; then - textPass "$regx: No secrets found in $instance User Data" "$regx" + textPass "$regx: No secrets found in $instance User Data" "$regx" "$instance" # delete file if nothing interesting is there rm -f "$EC2_USERDATA_FILE" else diff --git a/checks/check_extra742 b/checks/check_extra742 index 92cd10b3..6c78c7a9 100644 --- a/checks/check_extra742 +++ b/checks/check_extra742 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra742="7.42" -CHECK_TITLE_extra742="[extra742] Find secrets in CloudFormation outputs (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra742="[extra742] Find secrets in CloudFormation outputs" CHECK_SCORED_extra742="NOT_SCORED" CHECK_TYPE_extra742="EXTRA" CHECK_SEVERITY_extra742="Critical" 
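Review bot: Removing the `textInfo` in extra741 also drops the only place that told the user the scan is capped at `$MAXITEMS` instances per region and that `-m` raises it; the `--max-items $MAXITEMS` on the `describe-instances` call two lines below is still there, so instances beyond the cap are silently never examined for secrets. Keep that fact in a comment above the loop, e.g. `# Only the first $MAXITEMS instances per region are inspected; raise the limit with -m`. The enclosing extra741 function starts before this hunk.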
@@ -30,7 +30,6 @@ extra742(){ mkdir $SECRETS_TEMP_FOLDER fi - textInfo "Looking for secrets in CloudFormation output across all regions... " for regx in $REGIONS; do CFN_STACKS=$($AWSCLI cloudformation describe-stacks $PROFILE_OPT --region $regx --output json) LIST_OF_CFN_STACKS=$(echo $CFN_STACKS | jq -r '.Stacks[].StackName') diff --git a/checks/check_extra743 b/checks/check_extra743 index fb98bec4..b5c365a4 100644 --- a/checks/check_extra743 +++ b/checks/check_extra743 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra743="7.43" -CHECK_TITLE_extra743="[extra743] Check if API Gateway has client certificate enabled to access your backend endpoint (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra743="[extra743] Check if API Gateway has client certificate enabled to access your backend endpoint" CHECK_SCORED_extra743="NOT_SCORED" CHECK_TYPE_extra743="EXTRA" CHECK_SEVERITY_extra743="Medium" diff --git a/checks/check_extra744 b/checks/check_extra744 index 6d0d219b..48cf6f11 100644 --- a/checks/check_extra744 +++ b/checks/check_extra744 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra744="7.44" -CHECK_TITLE_extra744="[extra744] Check if API Gateway has a WAF ACL attached (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra744="[extra744] Check if API Gateway has a WAF ACL attached" CHECK_SCORED_extra744="NOT_SCORED" CHECK_TYPE_extra744="EXTRA" CHECK_SEVERITY_extra744="Medium" diff --git a/checks/check_extra745 b/checks/check_extra745 index 743bf12a..1ee49e72 100644 --- a/checks/check_extra745 +++ b/checks/check_extra745 
@@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra745="7.45" -CHECK_TITLE_extra745="[extra745] Check if API Gateway endpoint is public or private (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra745="[extra745] Check if API Gateway endpoint is public or private" CHECK_SCORED_extra745="NOT_SCORED" CHECK_TYPE_extra745="EXTRA" CHECK_SEVERITY_extra745="Medium" diff --git a/checks/check_extra746 b/checks/check_extra746 index 91d3052a..638d15ef 100644 --- a/checks/check_extra746 +++ b/checks/check_extra746 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra746="7.46" -CHECK_TITLE_extra746="[extra746] Check if API Gateway has configured authorizers (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra746="[extra746] Check if API Gateway has configured authorizers" CHECK_SCORED_extra746="NOT_SCORED" CHECK_TYPE_extra746="EXTRA" CHECK_SEVERITY_extra746="Medium" diff --git a/checks/check_extra747 b/checks/check_extra747 index ec6a86d8..2b2ede3b 100644 --- a/checks/check_extra747 +++ b/checks/check_extra747 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra747="7.47" -CHECK_TITLE_extra747="[extra747] Check if RDS instances is integrated with CloudWatch Logs (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra747="[extra747] Check if RDS instances is integrated with CloudWatch Logs" CHECK_SCORED_extra747="NOT_SCORED" CHECK_TYPE_extra747="EXTRA" CHECK_SEVERITY_extra747="Medium" diff --git a/checks/check_extra748 b/checks/check_extra748 index 925f5173..f46ef6c5 100644 --- a/checks/check_extra748 +++ b/checks/check_extra748 
@@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra748="7.48" -CHECK_TITLE_extra748="[extra748] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to any port (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra748="[extra748] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to any port" CHECK_SCORED_extra748="NOT_SCORED" CHECK_TYPE_extra748="EXTRA" CHECK_SEVERITY_extra748="High" diff --git a/checks/check_extra749 b/checks/check_extra749 index 72bbb129..820d2f68 100644 --- a/checks/check_extra749 +++ b/checks/check_extra749 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra749="7.49" -CHECK_TITLE_extra749="[extra749] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Oracle ports 1521 or 2483 (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra749="[extra749] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Oracle ports 1521 or 2483" CHECK_SCORED_extra749="NOT_SCORED" CHECK_TYPE_extra749="EXTRA" CHECK_SEVERITY_extra749="High" diff --git a/checks/check_extra75 b/checks/check_extra75 index f2ae8842..34a05fb8 100644 --- a/checks/check_extra75 +++ b/checks/check_extra75 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra75="7.5" -CHECK_TITLE_extra75="[extra75] Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra75="[extra75] Ensure there are no Security Groups not being used" CHECK_SCORED_extra75="NOT_SCORED" CHECK_TYPE_extra75="EXTRA" CHECK_SEVERITY_extra75="Informational" 
@@ -27,9 +27,7 @@ CHECK_DOC_extra75='https://aws.amazon.com/premiumsupport/knowledge-center/ec2-fi CHECK_CAF_EPIC_extra75='Infrastructure Security' extra75(){ - # "Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)" - textInfo "Looking for Security Groups in all regions... " - + # "Ensure there are no Security Groups not being used " for regx in $REGIONS; do SECURITYGROUPS=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --max-items $MAXITEMS --output json | jq '.SecurityGroups|map({(.GroupId): (.GroupName)})|add') if [[ $SECURITYGROUPS == "null" ]]; @@ -46,7 +44,7 @@ extra75(){ then textFail "$regx: $SG_ID is not being used!" "$regx" "$SG_ID" else - textInfo "$regx: $SG_ID is not being used - default security group" "$regx" + textInfo "$regx: $SG_ID is not being used - default security group" "$regx" "$SG_ID" fi else textPass "$regx: $SG_ID is being used" "$regx" "$SG_ID" diff --git a/checks/check_extra750 b/checks/check_extra750 index d8352433..62dcf115 100644 --- a/checks/check_extra750 +++ b/checks/check_extra750 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra750="7.50" -CHECK_TITLE_extra750="[extra750] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MySQL port 3306 (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra750="[extra750] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MySQL port 3306" CHECK_SCORED_extra750="NOT_SCORED" CHECK_TYPE_extra750="EXTRA" CHECK_SEVERITY_extra750="High" diff --git a/checks/check_extra751 b/checks/check_extra751 index c9772ccb..c98cd4fe 100644 --- a/checks/check_extra751 +++ b/checks/check_extra751 
@@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra751="7.51" -CHECK_TITLE_extra751="[extra751] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Postgres port 5432 (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra751="[extra751] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Postgres port 5432" CHECK_SCORED_extra751="NOT_SCORED" CHECK_TYPE_extra751="EXTRA" CHECK_SEVERITY_extra751="High" diff --git a/checks/check_extra752 b/checks/check_extra752 index 17217098..07aa549d 100644 --- a/checks/check_extra752 +++ b/checks/check_extra752 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra752="7.52" -CHECK_TITLE_extra752="[extra752] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Redis port 6379 (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra752="[extra752] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Redis port 6379" CHECK_SCORED_extra752="NOT_SCORED" CHECK_TYPE_extra752="EXTRA" CHECK_SEVERITY_extra752="High" diff --git a/checks/check_extra753 b/checks/check_extra753 index 045af6bf..34042b6e 100644 --- a/checks/check_extra753 +++ b/checks/check_extra753 
@@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra753="7.53" -CHECK_TITLE_extra753="[extra753] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MongoDB ports 27017 and 27018 (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra753="[extra753] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MongoDB ports 27017 and 27018" CHECK_SCORED_extra753="NOT_SCORED" CHECK_TYPE_extra753="EXTRA" CHECK_SEVERITY_extra753="High" diff --git a/checks/check_extra754 b/checks/check_extra754 index 03400ba1..4277fe4f 100644 --- a/checks/check_extra754 +++ b/checks/check_extra754 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra754="7.54" -CHECK_TITLE_extra754="[extra754] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199 or 9160 or 8888 (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra754="[extra754] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199 or 9160 or 8888" CHECK_SCORED_extra754="NOT_SCORED" CHECK_TYPE_extra754="EXTRA" CHECK_SEVERITY_extra754="High" diff --git a/checks/check_extra755 b/checks/check_extra755 index e0e55079..50430f1a 100644 --- a/checks/check_extra755 +++ b/checks/check_extra755 
@@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra755="7.55" -CHECK_TITLE_extra755="[extra755] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Memcached port 11211 (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra755="[extra755] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Memcached port 11211" CHECK_SCORED_extra755="NOT_SCORED" CHECK_TYPE_extra755="EXTRA" CHECK_SEVERITY_extra755="High" diff --git a/checks/check_extra756 b/checks/check_extra756 index ba4bb323..a931904f 100644 --- a/checks/check_extra756 +++ b/checks/check_extra756 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra756="7.56" -CHECK_TITLE_extra756="[extra756] Check if Redshift cluster is Public Accessible (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra756="[extra756] Check if Redshift cluster is Public Accessible" CHECK_SCORED_extra756="NOT_SCORED" CHECK_TYPE_extra756="EXTRA" CHECK_SEVERITY_extra756="High" diff --git a/checks/check_extra757 b/checks/check_extra757 index 9277f030..364caab7 100644 --- a/checks/check_extra757 +++ b/checks/check_extra757 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra757="7.57" -CHECK_TITLE_extra757="[extra757] Check EC2 Instances older than 6 months (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra757="[extra757] Check EC2 Instances older than 6 months" CHECK_SCORED_extra757="NOT_SCORED" CHECK_TYPE_extra757="EXTRA" CHECK_SEVERITY_extra757="Medium" 
@@ -25,7 +25,6 @@ CHECK_CAF_EPIC_extra757='Infrastructure Security' extra757(){ OLDAGE="$(get_date_previous_than_months 6)" - textInfo "Looking for EC2 instances in all regions..." for regx in $REGIONS; do EC2_RUNNING="$($AWSCLI ec2 describe-instances --query "Reservations[*].Instances[*].[InstanceId]" $PROFILE_OPT --region $regx --output text)" if [[ $EC2_RUNNING ]]; then diff --git a/checks/check_extra758 b/checks/check_extra758 index 17b47776..0beabcf4 100644 --- a/checks/check_extra758 +++ b/checks/check_extra758 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra758="7.58" -CHECK_TITLE_extra758="[extra758] Check EC2 Instances older than 12 months (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra758="[extra758] Check EC2 Instances older than 12 months " CHECK_SCORED_extra758="NOT_SCORED" CHECK_TYPE_extra758="EXTRA" CHECK_SEVERITY_extra758="Medium" @@ -25,7 +25,6 @@ CHECK_CAF_EPIC_extra758='Infrastructure Security' extra758(){ OLDAGE="$(get_date_previous_than_months 12)" - textInfo "Looking for EC2 instances in all regions..." for regx in $REGIONS; do EC2_RUNNING="$($AWSCLI ec2 describe-instances --query "Reservations[*].Instances[*].[InstanceId]" $PROFILE_OPT --region $regx --output text)" if [[ $EC2_RUNNING ]]; then diff --git a/checks/check_extra759 b/checks/check_extra759 index aa557e46..15f73fcd 100644 --- a/checks/check_extra759 +++ b/checks/check_extra759 
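Review bot: The rewritten title string in the extra758 `@@ -11,7 +11,7 @@` hunk keeps a trailing space inside the quotes, `CHECK_TITLE_extra758="[extra758] Check EC2 Instances older than 12 months "`, and the same stray space is in the new titles of extra759, extra760, extra761, extra762, extra763, extra764, extra765, extra767, extra768, extra769, extra770, extra771, extra772, extra773, extra775, extra776, extra777 and extra778, while extra753–extra757, extra76 and extra77 trim it cleanly. Titles presumably feed `$TITLE_TEXT`, which the outputs file writes into every CSV row, so the whitespace ends up in reports and makes the titles inconsistent with each other. Trimming each one, e.g. `CHECK_TITLE_extra758="[extra758] Check EC2 Instances older than 12 months"`, is a one-character fix per file.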
@@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra759="7.59" -CHECK_TITLE_extra759="[extra759] Find secrets in Lambda functions variables (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra759="[extra759] Find secrets in Lambda functions variables " CHECK_SCORED_extra759="NOT_SCORED" CHECK_TYPE_extra759="EXTRA" CHECK_SEVERITY_extra759="Critical" @@ -30,7 +30,6 @@ extra759(){ mkdir $SECRETS_TEMP_FOLDER fi - textInfo "Looking for secrets in Lambda variables across all regions... " for regx in $REGIONS; do LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --query Functions[*].FunctionName --output text) if [[ $LIST_OF_FUNCTIONS ]]; then diff --git a/checks/check_extra76 b/checks/check_extra76 index c8348216..9124b8cb 100644 --- a/checks/check_extra76 +++ b/checks/check_extra76 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra76="7.6" -CHECK_TITLE_extra76="[extra76] Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra76="[extra76] Ensure there are no EC2 AMIs set as Public" CHECK_SCORED_extra76="NOT_SCORED" CHECK_TYPE_extra76="EXTRA" CHECK_SEVERITY_extra76="Critical" 
@@ -25,8 +25,7 @@ CHECK_DOC_extra76='https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usingshar CHECK_CAF_EPIC_extra76='Infrastructure Security' extra76(){ - # "Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)" - textInfo "Looking for AMIs in all regions... " + # "Ensure there are no EC2 AMIs set as Public " for regx in $REGIONS; do LIST_OF_PUBLIC_AMIS=$($AWSCLI ec2 describe-images --owners self $PROFILE_OPT --region $regx --filters "Name=is-public,Values=true" --query 'Images[*].{ID:ImageId}' --output text) if [[ $LIST_OF_PUBLIC_AMIS ]];then diff --git a/checks/check_extra760 b/checks/check_extra760 index f770e5b4..ca70b83f 100644 --- a/checks/check_extra760 +++ b/checks/check_extra760 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra760="7.60" -CHECK_TITLE_extra760="[extra760] Find secrets in Lambda functions code (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra760="[extra760] Find secrets in Lambda functions code " CHECK_SCORED_extra760="NOT_SCORED" CHECK_TYPE_extra760="EXTRA" CHECK_SEVERITY_extra760="Critical" @@ -30,8 +30,6 @@ extra760(){ mkdir $SECRETS_TEMP_FOLDER fi - textInfo "Looking for secrets in Lambda functions code across all regions... " - textInfo "This check may take a while depending on your functions size! " for regx in $REGIONS; do LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --query Functions[*].FunctionName --output text) if [[ $LIST_OF_FUNCTIONS ]]; then diff --git a/checks/check_extra761 b/checks/check_extra761 index a8504632..34ecb953 100644 --- a/checks/check_extra761 +++ b/checks/check_extra761 
@@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra761="7.61" -CHECK_TITLE_extra761="[extra761] Check if EBS Default Encryption is activated (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra761="[extra761] Check if EBS Default Encryption is activated " CHECK_SCORED_extra761="NOT_SCORED" CHECK_TYPE_extra761="EXTRA" CHECK_SEVERITY_extra761="Medium" @@ -24,15 +24,14 @@ CHECK_DOC_extra761='https://aws.amazon.com/premiumsupport/knowledge-center/ebs-a CHECK_CAF_EPIC_extra761='Data Protection' extra761(){ - textInfo "Looking for EBS Default Encryption activation in all regions... " for regx in $REGIONS; do EBS_DEFAULT_ENCRYPTION=$($AWSCLI ec2 get-ebs-encryption-by-default $PROFILE_OPT --region $regx --query 'EbsEncryptionByDefault' 2>&1) if [[ $(echo "$EBS_DEFAULT_ENCRYPTION" | grep "argument operation: Invalid choice") ]]; then - textFail "Newer aws cli needed for get-ebs-encryption-by-default" + textFail "$regx: Newer aws cli needed for get-ebs-encryption-by-default" "$regx" continue fi if [[ $(echo "$EBS_DEFAULT_ENCRYPTION" | grep UnauthorizedOperation) ]]; then - textFail "Prowler needs ec2:GetEbsEncryptionByDefault permission for this check" + textFail "$regx: Prowler needs ec2:GetEbsEncryptionByDefault permission for this check" "$regx" continue fi if [[ $EBS_DEFAULT_ENCRYPTION == "true" ]];then diff --git a/checks/check_extra762 b/checks/check_extra762 index 92389bc2..2345f058 100644 --- a/checks/check_extra762 +++ b/checks/check_extra762 
@@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra762="7.62" -CHECK_TITLE_extra762="[extra762] Find obsolete Lambda runtimes (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra762="[extra762] Find obsolete Lambda runtimes " CHECK_SCORED_extra762="NOT_SCORED" CHECK_TYPE_extra762="EXTRA" CHECK_SEVERITY_extra762="Medium" diff --git a/checks/check_extra763 b/checks/check_extra763 index 7c8b74ce..d2d53e0d 100644 --- a/checks/check_extra763 +++ b/checks/check_extra763 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra763="7.63" -CHECK_TITLE_extra763="[extra763] Check if S3 buckets have object versioning enabled (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra763="[extra763] Check if S3 buckets have object versioning enabled " CHECK_SCORED_extra763="NOT_SCORED" CHECK_TYPE_extra763="EXTRA" CHECK_SEVERITY_extra763="Medium" @@ -24,7 +24,7 @@ CHECK_DOC_extra763='https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/Vers CHECK_CAF_EPIC_extra763='Data Protection' extra763(){ - # "Check if S3 buckets have object versioning enabled (Not Scored) (Not part of CIS benchmark)" + # "Check if S3 buckets have object versioning enabled " LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text|xargs -n1) if [[ $LIST_OF_BUCKETS ]]; then for bucket in $LIST_OF_BUCKETS;do diff --git a/checks/check_extra764 b/checks/check_extra764 index 7e1153c4..67a6158c 100644 --- a/checks/check_extra764 +++ b/checks/check_extra764 
@@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra764="7.64" -CHECK_TITLE_extra764="[extra764] Check if S3 buckets have secure transport policy (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra764="[extra764] Check if S3 buckets have secure transport policy " CHECK_SCORED_extra764="NOT_SCORED" CHECK_TYPE_extra764="EXTRA" CHECK_SEVERITY_extra764="Medium" diff --git a/checks/check_extra765 b/checks/check_extra765 index e00d272c..38cdc508 100644 --- a/checks/check_extra765 +++ b/checks/check_extra765 @@ -21,7 +21,7 @@ # --image-scanning-configuration scanOnPush=true CHECK_ID_extra765="7.65" -CHECK_TITLE_extra765="[extra765] Check if ECR image scan on push is enabled (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra765="[extra765] Check if ECR image scan on push is enabled " CHECK_SCORED_extra765="NOT_SCORED" CHECK_TYPE_extra765="EXTRA" CHECK_SEVERITY_extra765="Medium" diff --git a/checks/check_extra767 b/checks/check_extra767 index b97bbdae..7bff69fd 100644 --- a/checks/check_extra767 +++ b/checks/check_extra767 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra767="7.67" -CHECK_TITLE_extra767="[extra767] Check if CloudFront distributions have Field Level Encryption enabled (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra767="[extra767] Check if CloudFront distributions have Field Level Encryption enabled " CHECK_SCORED_extra767="NOT_SCORED" CHECK_TYPE_extra767="EXTRA" CHECK_SEVERITY_extra767="Low" diff --git a/checks/check_extra768 b/checks/check_extra768 index c1806dd3..dc222b5d 100644 --- a/checks/check_extra768 +++ b/checks/check_extra768 
@@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra768="7.68" -CHECK_TITLE_extra768="[extra768] Find secrets in ECS task definitions variables (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra768="[extra768] Find secrets in ECS task definitions variables " CHECK_SCORED_extra768="NOT_SCORED" CHECK_TYPE_extra768="EXTRA" CHECK_SEVERITY_extra768="Critical" @@ -29,7 +29,6 @@ extra768(){ # this folder is deleted once this check is finished mkdir $SECRETS_TEMP_FOLDER fi - textInfo "Looking for secrets in ECS task definitions' environment variables across all regions... " for regx in $REGIONS; do # Get a list of all families first: FAMILIES=$($AWSCLI ecs list-task-definition-families $PROFILE_OPT --region $regx --status ACTIVE | jq -r .families[]) @@ -53,7 +52,7 @@ extra768(){ textFail "$regx: Potential secret found in ECS task definition $TASK_DEFINITION variables" "$regx" "$TASK_DEFINITION" fi else - textInfo "$regx: ECS task definition $TASK_DEFINITION has no variables" "$regx" + textInfo "$regx: ECS task definition $TASK_DEFINITION has no variables" "$regx" "$TASK_DEFINITION" rm -f $TASK_DEFINITION_ENV_VARIABLES_FILE fi done diff --git a/checks/check_extra769 b/checks/check_extra769 index f9f5308f..00e34e00 100644 --- a/checks/check_extra769 +++ b/checks/check_extra769 @@ -12,7 +12,7 @@ # specific language governing permissions and limitations under the License. CHECK_ID_extra769="7.69" -CHECK_TITLE_extra769="[extra769] Check if IAM Access Analyzer is enabled and its findings (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra769="[extra769] Check if IAM Access Analyzer is enabled and its findings " CHECK_SCORED_extra769="NOT_SCORED" CHECK_TYPE_extra769="EXTRA" CHECK_SEVERITY_extra769="High" diff --git a/checks/check_extra77 b/checks/check_extra77 index b9624616..d3cc4a50 100644 --- a/checks/check_extra77 
+++ b/checks/check_extra77 @@ -12,7 +12,7 @@ # specific language governing permissions and limitations under the License. CHECK_ID_extra77="7.7" -CHECK_TITLE_extra77="[extra77] Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra77="[extra77] Ensure there are no ECR repositories set as Public" CHECK_SCORED_extra77="NOT_SCORED" CHECK_TYPE_extra77="EXTRA" CHECK_SEVERITY_extra77="Critical" 
@@ -26,43 +26,43 @@ CHECK_DOC_extra77='https://docs.aws.amazon.com/AmazonECR/latest/public/security_
 CHECK_CAF_EPIC_extra77='Data Protection'
 extra77(){
- # "Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)"
- for region in $REGIONS; do
- LIST_ECR_REPOS=$($AWSCLI ecr describe-repositories $PROFILE_OPT --region $region --query "repositories[*].[repositoryName]" --output text 2>&1)
+ # "Ensure there are no ECR repositories set as Public "
+ for regx in $REGIONS; do
+ LIST_ECR_REPOS=$($AWSCLI ecr describe-repositories $PROFILE_OPT --region $regx --query "repositories[*].[repositoryName]" --output text 2>&1)
 if [[ $(echo "$LIST_ECR_REPOS" | grep AccessDenied) ]]; then
- textFail "Access Denied Trying to describe ECR repositories"
+ textFail "$regx: Access Denied Trying to describe ECR repositories" "$regx" "$repo"
 continue
 fi
 if [[ $(echo "$LIST_ECR_REPOS" | grep SubscriptionRequiredException) ]]; then
- textFail "Subscription Required Exception trying to describe ECR repositories"
+ textFail "$regx: Subscription Required Exception trying to describe ECR repositories" "$regx" "$repo"
 continue
 fi
 if [[ ! -z "$LIST_ECR_REPOS" ]]; then
 for repo in $LIST_ECR_REPOS; do
 TEMP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-ecr-repo.policy.XXXXXXXXXX)
- $AWSCLI ecr get-repository-policy $PROFILE_OPT --region $region --repository-name $repo --query "policyText" --output text > $TEMP_POLICY_FILE 2>&1
+ $AWSCLI ecr get-repository-policy $PROFILE_OPT --region $regx --repository-name $repo --query "policyText" --output text > $TEMP_POLICY_FILE 2>&1
 if [[ $(grep AccessDenied $TEMP_POLICY_FILE) ]]; then
- textFail "$region: $repo Access Denied for get-repository-policy"
+ textFail "$regx: $repo Access Denied for get-repository-policy" "$regx" "$repo"
 rm -f $TEMP_POLICY_FILE
 continue
 fi
 # https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policies.html - "By default, only the repository owner has access to a repository."
if [[ $(grep RepositoryPolicyNotFoundException $TEMP_POLICY_FILE) ]]; then
- textPass "$region: $repo is not open" "$region" "$repo"
+ textPass "$regx: $repo is not open" "$regx" "$repo"
 rm -f $TEMP_POLICY_FILE
 continue
 fi
 # check if the policy has Principal as *
 CHECK_ECR_REPO_ALLUSERS_POLICY=$(cat $TEMP_POLICY_FILE | jq '.Statement[]|select(.Effect=="Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")))')
 if [[ $CHECK_ECR_REPO_ALLUSERS_POLICY ]]; then
- textFail "$region: $repo policy \"may\" allow Anonymous users to perform actions (Principal: \"*\")" "$region"
+ textFail "$regx: $repo policy \"may\" allow Anonymous users to perform actions (Principal: \"*\")" "$regx"
 else
- textPass "$region: $repo is not open" "$region" "$repo"
+ textPass "$regx: $repo is not open" "$regx" "$repo"
 fi
 rm -f $TEMP_POLICY_FILE
 done
 else
- textInfo "$region: No ECR repositories found" "$region" "$repo"
+ textInfo "$regx: No ECR repositories found" "$regx" "$repo"
 fi
 done
 }
diff --git a/checks/check_extra770 b/checks/check_extra770
index e8d023a4..c1e9694b 100644
--- a/checks/check_extra770
+++ b/checks/check_extra770
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra770="7.70"
-CHECK_TITLE_extra770="[extra770] Check for internet facing EC2 instances with Instance Profiles attached (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra770="[extra770] Check for internet facing EC2 instances with Instance Profiles attached "
 CHECK_SCORED_extra770="NOT_SCORED"
 CHECK_TYPE_extra770="EXTRA"
 CHECK_SEVERITY_extra770="Medium"
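Review bot: The new resource-id argument `"$repo"` on the AccessDenied and SubscriptionRequiredException textFail lines, and on the final `textInfo "$regx: No ECR repositories found" "$regx" "$repo"`, is read before or outside the `for repo in $LIST_ECR_REPOS` loop that assigns it, so it is empty for the first region and the last repository name of the previous region afterwards, attributing the finding to a resource that has nothing to do with it. Those three calls should pass only `"$regx"`, or the loop variable should be reset at the top of each region iteration. In the opposite direction, the one finding that reports an actual exposure, `textFail "$regx: $repo policy \"may\" allow Anonymous users to perform actions (Principal: \"*\")" "$regx"`, still omits the repository while its sibling textPass passes `"$regx" "$repo"`; adding `"$repo"` there keeps the resource id on the row that downstream whitelisting and Security Hub most need it on.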
@@ -24,8 +24,7 @@ CHECK_DOC_extra770='https://aws.amazon.com/blogs/aws/aws-web-application-firewal
 CHECK_CAF_EPIC_extra770='Infrastructure Security'
 extra770(){
- # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
- textInfo "Looking for instances in all regions... "
+ # "Check for internet facing EC2 Instances "
 for regx in $REGIONS; do
 LIST_OF_PUBLIC_INSTANCES_WITH_INSTANCE_PROFILES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query 'Reservations[*].Instances[?((IamInstanceProfile!=`null` && PublicIpAddress!=`null`))].[InstanceId,PublicIpAddress,IamInstanceProfile.Arn]' --output text)
 if [[ $LIST_OF_PUBLIC_INSTANCES_WITH_INSTANCE_PROFILES ]];then
diff --git a/checks/check_extra771 b/checks/check_extra771
index 9bcaea71..a2236c00 100644
--- a/checks/check_extra771
+++ b/checks/check_extra771
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra771="7.71"
-CHECK_TITLE_extra771="[extra771] Check if S3 buckets have policies which allow WRITE access (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra771="[extra771] Check if S3 buckets have policies which allow WRITE access "
 CHECK_SCORED_extra771="NOT_SCORED"
 CHECK_TYPE_extra771="EXTRA"
 CHECK_SEVERITY_extra771="Critical"
diff --git a/checks/check_extra772 b/checks/check_extra772
index 9f3dbcd9..93b36041 100644
--- a/checks/check_extra772
+++ b/checks/check_extra772
@@ -11,7 +11,7 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra772="7.72"
-CHECK_TITLE_extra772="[extra772] Check if elastic IPs are unused (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra772="[extra772] Check if elastic IPs are unused "
 CHECK_SCORED_extra772="NOT_SCORED"
 CHECK_TYPE_extra772="EXTRA"
 CHECK_SEVERITY_extra772="Low"
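Review bot: The edited in-function comment `# "Check for internet facing EC2 Instances "` still describes a narrower check than the title this commit sets, `Check for internet facing EC2 instances with Instance Profiles attached`, and the extra773 hunk has the same mismatch, its comment saying `Check if CloudFront distributions have logging enabled` under a title about WAF. Since both comment lines are being rewritten anyway, they should either match the title, `# "Check for internet facing EC2 instances with Instance Profiles attached"`, or be dropped, because a comment that contradicts the title is worse than none. extra770's body continues past the end of this hunk.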
diff --git a/checks/check_extra773 b/checks/check_extra773 index b8eee770..7c168fcd 100644 --- a/checks/check_extra773 +++ b/checks/check_extra773 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra773="7.73" -CHECK_TITLE_extra773="[extra773] Check if CloudFront distributions are using WAF (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra773="[extra773] Check if CloudFront distributions are using WAF " CHECK_SCORED_extra773="NOT_SCORED" CHECK_TYPE_extra773="EXTRA" CHECK_SEVERITY_extra773="Medium" @@ -25,7 +25,7 @@ CHECK_DOC_extra773='https://docs.aws.amazon.com/waf/latest/developerguide/cloudf CHECK_CAF_EPIC_extra773='Infrastructure Security' extra773(){ - # "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)" + # "Check if CloudFront distributions have logging enabled " LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions $PROFILE_OPT --query 'DistributionList.Items[].Id' --output text | grep -v "^None") if [[ $LIST_OF_DISTRIBUTIONS ]]; then for dist in $LIST_OF_DISTRIBUTIONS; do diff --git a/checks/check_extra775 b/checks/check_extra775 index dbb50c8d..96d0d3b4 100644 --- a/checks/check_extra775 +++ b/checks/check_extra775 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. CHECK_ID_extra775="7.75" -CHECK_TITLE_extra775="[extra775] Find secrets in EC2 Auto Scaling Launch Configuration (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra775="[extra775] Find secrets in EC2 Auto Scaling Launch Configuration " CHECK_SCORED_extra775="NOT_SCORED" CHECK_TYPE_extra775="EXTRA" CHECK_SEVERITY_extra775="Critical" 
@@ -29,7 +29,6 @@ extra775(){ mkdir $SECRETS_TEMP_FOLDER fi - textInfo "Looking for secrets in EC2 Auto Scaling Launch Configuration across all regions... (max 100 autoscaling_configurations per region use -m to increase it) " for regx in $REGIONS; do LIST_OF_EC2_AUTOSCALING=$($AWSCLI autoscaling describe-launch-configurations $PROFILE_OPT --region $regx --query LaunchConfigurations[*].LaunchConfigurationName --output text --max-items $MAXITEMS | grep -v None) if [[ $LIST_OF_EC2_AUTOSCALING ]];then diff --git a/checks/check_extra776 b/checks/check_extra776 index a572afe4..f234bb0b 100644 --- a/checks/check_extra776 +++ b/checks/check_extra776 @@ -26,7 +26,7 @@ # --image-id imageTag= CHECK_ID_extra776="7.76" -CHECK_TITLE_extra776="[extra776] Check if ECR image scan found vulnerabilities in the newest image version (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra776="[extra776] Check if ECR image scan found vulnerabilities in the newest image version " CHECK_SCORED_extra776="NOT_SCORED" CHECK_TYPE_extra776="EXTRA" CHECK_SEVERITY_extra776="Medium" diff --git a/checks/check_extra777 b/checks/check_extra777 index fe784968..f79d907e 100644 --- a/checks/check_extra777 +++ b/checks/check_extra777 @@ -15,7 +15,7 @@ # Reference: https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html CHECK_ID_extra777="7.77" -CHECK_TITLE_extra777="[extra777] Find VPC security groups with many ingress or egress rules (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra777="[extra777] Find VPC security groups with many ingress or egress rules " CHECK_SCORED_extra777="NOT_SCORED" CHECK_TYPE_extra777="EXTRA" CHECK_SEVERITY_extra777="Medium" @@ -29,7 +29,6 @@ CHECK_CAF_EPIC_extra777='Infrastructure Security' extra777(){ THRESHOLD=50 - textInfo "Looking for VPC security groups with more than ${THRESHOLD} rules across all regions... " for regx in ${REGIONS}; do SECURITY_GROUP_IDS=$(${AWSCLI} ec2 describe-security-groups \ 
diff --git a/checks/check_extra778 b/checks/check_extra778 index 14383912..63cb12cd 100644 --- a/checks/check_extra778 +++ b/checks/check_extra778 @@ -12,7 +12,7 @@ # specific language governing permissions and limitations under the License. CHECK_ID_extra778="7.78" -CHECK_TITLE_extra778="[extra778] Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918) (Not Scored) (Not part of CIS benchmark)" +CHECK_TITLE_extra778="[extra778] Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918) " CHECK_SCORED_extra778="NOT_SCORED" CHECK_TYPE_extra778="EXTRA" CHECK_SEVERITY_extra778="Medium" @@ -27,7 +27,6 @@ CHECK_CAF_EPIC_extra778='Infrastructure Security' extra778(){ CIDR_THRESHOLD=24 RFC1918_REGEX="(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)" - textInfo "Looking for VPC security groups with wide-open (&1) if [[ $(echo "$DESCRIBE_TRAILS_CACHE" | grep AccessDenied) ]]; then - textFail "Access Denied trying to describe trails in $REGION" + textFail "$REGION: Access Denied trying to describe trails in $REGION" "$REGION" "$group" return fi @@ -63,7 +63,7 @@ check3x(){ for group in $CHECK_OK; do metric=${group#*:} group=${group%:*} - textPass "CloudWatch group $group found with metric filter $metric and alarms set" + textPass "$REGION: CloudWatch group $group found with metric filter $metric and alarms set" "$REGION" "$group" done fi if [[ $CHECK_WARN ]]; then 
@@ -72,15 +72,15 @@ check3x(){ *:*) metric=${group#*:} group=${group%:*} if [[ $pass_count == 0 ]]; then - textFail "CloudWatch group $group found with metric filter $metric but no alarms associated" + textFail "$REGION: CloudWatch group $group found with metric filter $metric but no alarms associated" "$REGION" "$group" else - textInfo "CloudWatch group $group found with metric filter $metric but no alarms associated" + textInfo "$REGION: CloudWatch group $group found with metric filter $metric but no alarms associated" "$REGION" "$group" fi ;; *) if [[ $pass_count == 0 ]]; then - textFail "CloudWatch group $group found but no metric filters or alarms associated" + textFail "$REGION: CloudWatch group $group found but no metric filters or alarms associated" "$REGION" "$group" else - textInfo "CloudWatch group $group found but no metric filters or alarms associated" + textInfo "$REGION: CloudWatch group $group found but no metric filters or alarms associated" "$REGION" "$group" fi ;; esac @@ -88,10 +88,10 @@ check3x(){ fi if [[ $CHECK_CROSS_ACCOUNT_WARN ]]; then for group in $CHECK_CROSS_ACCOUNT_WARN; do - textInfo "CloudWatch group $group is not in this account" + textInfo "$REGION: CloudWatch group $group is not in this account" "$REGION" "$group" done fi else - textFail "No CloudWatch group found for CloudTrail events" + textFail "$REGION: No CloudWatch group found for CloudTrail events" "$REGION" "$group" fi } diff --git a/include/check_creds_last_used b/include/check_creds_last_used index 4f8633b3..09c64632 100644 --- a/include/check_creds_last_used +++ b/include/check_creds_last_used 
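Review bot: In the `@@ -88,10 +88,10 @@` hunk, the else branch `textFail "$REGION: No CloudWatch group found for CloudTrail events" "$REGION" "$group"` is reached only when no group exists, so `$group` is unset or holds the last value from an earlier loop, and the failure is attributed to a group that was not found. The AccessDenied textFail earlier in check3x, whose hunk header is cut off at the start of this file's diff, has the same problem because no `for group` loop has run yet. Passing only `"$REGION"` on both lines, `textFail "$REGION: No CloudWatch group found for CloudTrail events" "$REGION"`, avoids a misleading resource id in the CSV, JSON and Security Hub output.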
@@ -69,23 +69,23 @@ check_passwords_used_in_last_days() {
 # "When password_enabled is set to TRUE and password_last_used is set to no_information, ensure password_last_changed is less than X days ago"
 if [[ "$days_since_password_last_changed" -ge "$max_days" ]]; then
- textFail "User $user has never logged into the console since creation and their password not changed in the past ${max_days} days"
+ textFail "$REGION: User $user has never logged into the console since creation and their password not changed in the past ${max_days} days" "$REGION" "$user"
 else
- textInfo "User $user has not logged into the console since creation"
+ textInfo "$REGION: User $user has not logged into the console since creation" "$REGION" "$user"
 fi
 else
 days_password_not_in_use=$(how_older_from_today "${last_login_date%T*}")
 # "For each user having password_enabled set to TRUE, ensure password_last_used_date is less than X days ago."
 if [[ "$days_password_not_in_use" -ge "$max_days" ]]; then
- textFail "User $user has not logged into the console in the past ${max_days} days"
+ textFail "$REGION: User $user has not logged into the console in the past ${max_days} days" "$REGION" "$user"
 else
- textPass "User $user has logged into the console in the past ${max_days} days"
+ textPass "$REGION: User $user has logged into the console in the past ${max_days} days" "$REGION" "$user"
 fi
 fi
 done
 else
- textPass "No users found with password enabled"
+ textPass "$REGION: No users found with password enabled" "$REGION" "$user"
 fi
 }
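Review bot: `textPass "$REGION: No users found with password enabled" "$REGION" "$user"` runs in the branch where the user list is empty, so `$user` is unset or a leftover from a previous call and the pass row carries a meaningless resource id; `textPass "$REGION: No users found with access key $access_key_name enabled" "$REGION" "$user"` in the check_access_key_used_in_last_days hunk below has the same defect. Dropping the third argument in both places, `textPass "$REGION: No users found with password enabled" "$REGION"`, stops the result from being attributed to a random IAM user. Both enclosing functions begin outside their hunks.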
@@ -122,22 +122,22 @@ check_access_key_used_in_last_days() {
 # "When a user having an access_key_x_active (where x is 1 or 2) to TRUE and corresponding access_key_x_last_used_date is set to N/A,
 # ensure access_key_x_last_rotated is less than X days ago"
 if [[ "$days_since_access_key_rotated" -ge "$max_days" ]]; then
- textFail "User $user has never used access key $access_key_name since creation and not rotated it in the past ${max_days} days"
+ textFail "$REGION: User $user has never used access key $access_key_name since creation and not rotated it in the past ${max_days} days" "$REGION" "$user"
 else
- textInfo "User $user has not used access key $access_key_name since creation"
+ textInfo "$REGION: User $user has not used access key $access_key_name since creation" "$REGION" "$user"
 fi
 else
 days_since_access_key_used=$(how_older_from_today "${access_key_last_used_date%T*}")
 # "For each user having an access_key_1_active or access_key_2_active to TRUE, ensure the corresponding access_key_n_last_used_date is less than X days ago"
 if [[ "$days_since_access_key_used" -ge "$max_days" ]]; then
- textFail "User $user has not used access key $access_key_name in the past ${max_days} days"
+ textFail "$REGION: User $user has not used access key $access_key_name in the past ${max_days} days" "$REGION" "$user"
 else
- textPass "User $user has used access key $access_key_name in the past ${max_days} days"
+ textPass "$REGION: User $user has used access key $access_key_name in the past ${max_days} days" "$REGION" "$user"
 fi
 fi
 done
 else
- textPass "No users found with access key $access_key_name enabled"
+ textPass "$REGION: No users found with access key $access_key_name enabled" "$REGION" "$user"
 fi
 }
diff --git a/include/outputs b/include/outputs
index 525301ce..712745c3 100644
--- a/include/outputs
+++ b/include/outputs
@@ -15,7 +15,7 @@
 EXTENSION_CSV="csv"
 EXTENSION_JSON="json"
-EXTENSION_ASFF="asff-json"
+EXTENSION_ASFF="asff.json"
 EXTENSION_TEXT="txt"
 EXTENSION_HTML="html"
 OUTPUT_DATE=$(date -u +"%Y%m%d%H%M%S")
@@ -72,6 +72,11 @@ if [[ $MODE ]];then
 fi
 fi
+# textInfo "HTML report will be saved: ${OUTPUT_FILE_NAME}.$EXTENSION_HTML"
+# textInfo "JSON ASFF report will be saved: ${OUTPUT_FILE_NAME}.$EXTENSION_ASFF"
+# textInfo "CSV report will be saved: ${OUTPUT_FILE_NAME}.$EXTENSION_CSV"
+# textInfo "JSON report will be saved: ${OUTPUT_FILE_NAME}.$EXTENSION_JSON"
+
 if [[ $PROFILE == "" ]];then
 PROFILE="ENV"
 fi
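Review bot: The four `# textInfo "... report will be saved: ..."` lines added in the `@@ -72,6 +72,11 @@` hunk are commented-out code with no note on why they are kept, which is the kind of dead code that lingers for years; either delete them or replace them with a real comment such as `# TODO: print the report file names once output-mode handling is settled`. The `EXTENSION_ASFF` change from `asff-json` to `asff.json` also renames the ASFF output file, so anything that collects `*.asff-json` files will presumably stop finding them; that deserves a line in the commit message or changelog.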
@@ -92,23 +97,23 @@ textPass(){
 REPREGION=$REGION
 fi
 if [[ "${MODES[@]}" =~ "csv" ]]; then
- echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}$CHECK_RESULT${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$CHECK_RESULT_EXTENDED${SEP}$CHECK_ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME${SEP}$CHECK_ASFF_RESOURCE_TYPE${SEP}$CHECK_ASFF_TYPE${SEP}$CHECK_RISK${SEP}$CHECK_REMEDIATION${SEP}$CHECK_DOC${SEP}$CHECK_CAF_EPIC${SEP}$CHECK_RESOURCE_ID" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV
+ echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}$CHECK_RESULT${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$CHECK_RESULT_EXTENDED${SEP}$CHECK_ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME${SEP}$CHECK_ASFF_RESOURCE_TYPE${SEP}$CHECK_ASFF_TYPE${SEP}$CHECK_RISK${SEP}$CHECK_REMEDIATION${SEP}$CHECK_DOC${SEP}$CHECK_CAF_EPIC${SEP}$CHECK_RESOURCE_ID" >> ${OUTPUT_FILE_NAME}.$EXTENSION_CSV
 fi
 if [[ "${MODES[@]}" =~ "json" ]]; then
- generateJsonOutput "$1" "Pass" "$CHECK_RESOURCE_ID" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_JSON
+ generateJsonOutput "$1" "Pass" "$CHECK_RESOURCE_ID" >> ${OUTPUT_FILE_NAME}.$EXTENSION_JSON
 fi
 if [[ "${MODES[@]}" =~ "json-asff" ]]; then
 JSON_ASFF_OUTPUT=$(generateJsonAsffOutput "$1" "PASSED" "$CHECK_RESOURCE_ID")
- echo "${JSON_ASFF_OUTPUT}" | tee -a $OUTPUT_FILE_NAME.$EXTENSION_ASFF
+ echo "${JSON_ASFF_OUTPUT}" >> $OUTPUT_FILE_NAME.$EXTENSION_ASFF
 if [[ "${SEND_TO_SECURITY_HUB}" -eq 1 ]]; then
- sendToSecurityHub "${JSON_ASFF_OUTPUT}" "${REPREGION}"
+ sendToSecurityHub "${JSON_ASFF_OUTPUT}" "${REPREGION}"
 fi
 fi
 if is_junit_output_enabled; then
 output_junit_success "$1"
 fi
 if [[ "${MODES[@]}" =~ "mono" ]]; then
- echo " $OK PASS!$NORMAL $1" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_TEXT
+ echo " $OK PASS!$NORMAL $1" >> ${OUTPUT_FILE_NAME}.$EXTENSION_TEXT
 fi
 if [[ "${MODES[@]}" =~ "text" || "${MODES[@]}" =~ "mono" ]]; then
 echo " $OK PASS!$NORMAL $1"
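Review bot: Every rewritten redirect in this hunk, starting with `>> ${OUTPUT_FILE_NAME}.$EXTENSION_CSV`, leaves the target unquoted, so an output file name containing whitespace or glob characters word-splits and bash aborts the line with "ambiguous redirect"; the textInfo and textFail hunks below repeat this, and textFail additionally has `"$CHECK_RESOURCE_ID">>` with no space before the operator. The old `tee -a` form had the same exposure, but since every one of these lines is being rewritten, quoting them now, `>> "${OUTPUT_FILE_NAME}.${EXTENSION_CSV}"`, costs nothing. The switch from `tee -a` to `>>` also means csv/json/json-asff/mono modes no longer echo each record to stdout; if that is the intent it is worth stating in the commit message, since callers that scrape console output will presumably notice.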
@@ -133,16 +138,16 @@ textInfo(){
 REPREGION=$REGION
 fi
 if [[ "${MODES[@]}" =~ "csv" ]]; then
- echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}$CHECK_RESULT${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$CHECK_RESULT_EXTENDED${SEP}$CHECK_ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME${SEP}$CHECK_ASFF_RESOURCE_TYPE${SEP}$CHECK_ASFF_TYPE${SEP}$CHECK_RISK${SEP}$CHECK_REMEDIATION${SEP}$CHECK_DOC${SEP}$CHECK_CAF_EPIC${SEP}$CHECK_RESOURCE_ID" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV
+ echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}$CHECK_RESULT${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$CHECK_RESULT_EXTENDED${SEP}$CHECK_ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME${SEP}$CHECK_ASFF_RESOURCE_TYPE${SEP}$CHECK_ASFF_TYPE${SEP}$CHECK_RISK${SEP}$CHECK_REMEDIATION${SEP}$CHECK_DOC${SEP}$CHECK_CAF_EPIC${SEP}$CHECK_RESOURCE_ID" >> ${OUTPUT_FILE_NAME}.$EXTENSION_CSV
 fi
 if [[ "${MODES[@]}" =~ "json" ]]; then
- generateJsonOutput "$1" "Info" "$CHECK_RESOURCE_ID" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON}
+ generateJsonOutput "$1" "Info" "$CHECK_RESOURCE_ID" >> ${OUTPUT_FILE_NAME}.${EXTENSION_JSON}
 fi
 if is_junit_output_enabled; then
 output_junit_info "$1"
 fi
 if [[ "${MODES[@]}" =~ "mono" ]]; then
- echo " $NOTICE INFO! $1 $NORMAL" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_TEXT
+ echo " $NOTICE INFO! $1 $NORMAL" >> ${OUTPUT_FILE_NAME}.$EXTENSION_TEXT
 fi
 if [[ "${MODES[@]}" =~ "text" ]]; then
 echo " $NOTICE INFO! $1 $NORMAL"
@@ -189,14 +194,14 @@ textFail(){ fi if [[ "${MODES[@]}" =~ "csv" ]]; then - echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}$CHECK_RESULT${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$CHECK_RESULT_EXTENDED${SEP}$CHECK_ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME${SEP}$CHECK_ASFF_RESOURCE_TYPE${SEP}$CHECK_ASFF_TYPE${SEP}$CHECK_RISK${SEP}$CHECK_REMEDIATION${SEP}$CHECK_DOC${SEP}$CHECK_CAF_EPIC${SEP}$CHECK_RESOURCE_ID" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_CSV + echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}$CHECK_RESULT${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$CHECK_RESULT_EXTENDED${SEP}$CHECK_ASFF_COMPLIANCE_TYPE${SEP}$CHECK_SEVERITY${SEP}$CHECK_SERVICENAME${SEP}$CHECK_ASFF_RESOURCE_TYPE${SEP}$CHECK_ASFF_TYPE${SEP}$CHECK_RISK${SEP}$CHECK_REMEDIATION${SEP}$CHECK_DOC${SEP}$CHECK_CAF_EPIC${SEP}$CHECK_RESOURCE_ID" >> ${OUTPUT_FILE_NAME}.$EXTENSION_CSV fi if [[ "${MODES[@]}" =~ "json" ]]; then - generateJsonOutput "$1" "${level}" "$CHECK_RESOURCE_ID"| tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON} + generateJsonOutput "$1" "${level}" "$CHECK_RESOURCE_ID">> ${OUTPUT_FILE_NAME}.${EXTENSION_JSON} fi if [[ "${MODES[@]}" =~ "json-asff" ]]; then JSON_ASFF_OUTPUT=$(generateJsonAsffOutput "$1" "${level}" "$CHECK_RESOURCE_ID") - echo "${JSON_ASFF_OUTPUT}" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_ASFF} + echo "${JSON_ASFF_OUTPUT}" >> ${OUTPUT_FILE_NAME}.${EXTENSION_ASFF} if [[ "${SEND_TO_SECURITY_HUB}" -eq 1 ]]; then sendToSecurityHub "${JSON_ASFF_OUTPUT}" "${REPREGION}" fi
@@ -209,7 +214,7 @@ textFail(){
 fi
 fi
 if [[ "${MODES[@]}" =~ "mono" ]]; then
- echo " $colorcode ${level}! $1 $NORMAL" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_TEXT
+ echo " $colorcode ${level}! $1 $NORMAL" >> ${OUTPUT_FILE_NAME}.$EXTENSION_TEXT
 fi
 if [[ "${MODES[@]}" =~ "text" ]]; then
 echo " $colorcode ${level}! $1 $NORMAL"
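Review bot: In the first textFail hunk the rewritten JSON line has no space before the redirect, `"$CHECK_RESOURCE_ID">> ${OUTPUT_FILE_NAME}.${EXTENSION_JSON}`; bash still parses it as a redirect, but it is easy to misread as part of the last argument and differs from the textPass and textInfo variants of the same line. Write it as `generateJsonOutput "$1" "${level}" "$CHECK_RESOURCE_ID" >> "${OUTPUT_FILE_NAME}.${EXTENSION_JSON}"`, quoting the target while at it. textFail begins before the first hunk and its body continues between and after both hunks.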
@@ -257,7 +262,7 @@ textTitle(){ # fi if [[ "${MODES[@]}" =~ "csv" ]]; then - >&2 echo "$TITLE_ID $TITLE_TEXT" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_CSV} + >&2 echo "$TITLE_ID $TITLE_TEXT" >> ${OUTPUT_FILE_NAME}.${EXTENSION_CSV} elif [[ "${MODES[@]}" =~ "json" || "${MODES[@]}" =~ "json-asff" ]]; then : else
@@ -279,7 +284,7 @@ generateJsonOutput(){
 --arg TITLE_TEXT "$TITLE_TEXT" \
 --arg MESSAGE "$(echo -e "${message}" | sed -e 's/^[[:space:]]*//')" \
 --arg STATUS "$status" \
- --arg SEVERITY "$CHECK_SEVERITY" \
+ --arg SEVERITY "$(echo $CHECK_SEVERITY | sed 's/[][]//g')" \
 --arg SCORED "$ITEM_SCORED" \
 --arg ITEM_LEVEL "$ITEM_LEVEL" \
 --arg TITLE_ID "$TITLE_ID" \
@@ -321,10 +326,9 @@ generateJsonAsffOutput(){ local status=$2 #Checks to determine if the rule passes in a resource name that prowler uses to track the AWS Resource for whitelisting purposes - if [ -z $3 ] - then + if [ -z $3 ]; then local resource_id="NONE_PROVIDED" - else + else local resource_id=$3 fi
@@ -374,7 +378,7 @@ generateJsonAsffOutput(){
 "Resources": [
 {
 "Type": $RESOURCE_TYPE,
- "Id": "AWS::::Account:\($ACCOUNT_NUM)",
+ "Id": $CHECK_RESOURCE_ID,
 "Partition": $AWS_PARTITION,
 "Region": $REPREGION
 }
@@ -403,6 +407,8 @@ generateHtmlOutput(){ if [[ $status == "WARN" ]];then local ROW_CLASS='table-warning' fi + + local CHECK_SEVERITY="$(echo $CHECK_SEVERITY | sed 's/[][]//g')" echo '' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML echo ' '$status'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
diff --git a/prowler b/prowler
index b3cc2e09..a67bf35d 100755
--- a/prowler
+++ b/prowler
@@ -32,7 +32,7 @@ OPTRED="" OPTNORMAL="" # Set the defaults variables -PROWLER_VERSION=2.5.0-15042021 +PROWLER_VERSION=2.5.0-05July2021 PROWLER_DIR=$(dirname "$0") REGION=""
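Review bot: `>&2 echo "$TITLE_ID $TITLE_TEXT" >> ${OUTPUT_FILE_NAME}.${EXTENSION_CSV}` applies its redirections left to right, so the later `>>` overrides `>&2` and the title is now appended into the CSV file instead of being shown on stderr; with the old pipeline the `>&2` took effect after the pipe was set up, so tee presumably received nothing and the CSV stayed free of this non-delimited row. Unless a bare title line is meant to appear in the CSV, keep only the stderr redirect: `>&2 echo "$TITLE_ID $TITLE_TEXT"`. If the file copy is intended, it should at least be emitted in the same `${SEP}`-separated column layout as the records so CSV consumers do not choke on it. textTitle begins before this hunk.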
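Review bot: `--arg SEVERITY "$(echo $CHECK_SEVERITY | sed 's/[][]//g')"` expands `$CHECK_SEVERITY` unquoted inside the substitution and forks `echo | sed` for every finding just to strip square brackets; the same construct is added in the generateHtmlOutput hunk as `local CHECK_SEVERITY="$(echo $CHECK_SEVERITY | sed 's/[][]//g')"`. Bash pattern substitution does this in-process with the value left intact: `--arg SEVERITY "${CHECK_SEVERITY//[][]/}"` and `local CHECK_SEVERITY="${CHECK_SEVERITY//[][]/}"`. The hunk does not show where a bracketed severity comes from, so a short why-comment such as `# some checks declare the severity as "[Level]"; emit the bare word` next to the first occurrence would save the next reader the search.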
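Review bot: The reflowed test `if [ -z $3 ]; then` still leaves `$3` unquoted; with an empty third argument it collapses to `[ -z ]`, which is only true because `-z` is then treated as a non-empty string, and an argument containing whitespace turns into a test syntax error and a spurious `resource_id`. Quote it: `if [ -z "$3" ]; then`. generateJsonAsffOutput begins before this hunk.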
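Review bot: `"Id": $CHECK_RESOURCE_ID` makes the ASFF resource identifier whatever the calling check passed, replacing the account-scoped `AWS::::Account:…` value; this hunk does not show `$CHECK_RESOURCE_ID` being bound with `--arg`, so please confirm jq receives it, otherwise jq fails on an undefined variable and no ASFF record is produced at all. Security Hub consumers group and filter on `Resources[].Id`, so a free-form label rather than an ARN or another account-unique identifier will make findings from different accounts and regions indistinguishable at that level. Document the expected format in the function header, e.g. `# $3: ASFF resource id — pass an ARN or other account-unique identifier, not a display label`. The surrounding jq template starts before and ends after this hunk.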
