From 1150f2782a810f96f3a307de4d1a416db629238c Mon Sep 17 00:00:00 2001
From: MrSecure
Date: Tue, 24 Apr 2018 21:02:41 -0700
Subject: [PATCH 1/7] mark Level 1 checks as such
---
 checks/check11 | 1 +
 checks/check110 | 3 ++-
 checks/check111 | 1 +
 checks/check112 | 3 ++-
 checks/check113 | 3 ++-
 checks/check115 | 3 ++-
 checks/check116 | 3 ++-
 checks/check117 | 3 ++-
 checks/check118 | 3 ++-
 checks/check119 | 1 +
 checks/check12 | 1 +
 checks/check120 | 3 ++-
 checks/check122 | 3 ++-
 checks/check123 | 3 ++-
 checks/check124 | 3 ++-
 checks/check13 | 1 +
 checks/check14 | 1 +
 checks/check15 | 3 ++-
 checks/check16 | 1 +
 checks/check17 | 1 +
 checks/check18 | 1 +
 checks/check19 | 3 ++-
 checks/check21 | 3 ++-
 checks/check23 | 3 ++-
 checks/check24 | 3 ++-
 checks/check25 | 3 ++-
 checks/check26 | 3 ++-
 checks/check31 | 3 ++-
 checks/check312 | 3 ++-
 checks/check313 | 3 ++-
 checks/check314 | 3 ++-
 checks/check315 | 1 +
 checks/check32 | 1 +
 checks/check33 | 3 ++-
 checks/check34 | 3 ++-
 checks/check35 | 3 ++-
 checks/check38 | 3 ++-
 37 files changed, 63 insertions(+), 26 deletions(-)
diff --git a/checks/check11 b/checks/check11
index 98a906b0..a72c704c 100644
--- a/checks/check11
+++ b/checks/check11
@@ -11,6 +11,7 @@
 CHECK_ID_check11="1.1,1.01"
 CHECK_TITLE_check11="[check11] Avoid the use of the root account (Scored)"
 CHECK_SCORED_check11="SCORED"
+CHECK_TYPE_check11="LEVEL1"
 CHECK_ALTERNATE_check101="check11"
 check11(){
diff --git a/checks/check110 b/checks/check110
index 1ab1fa3b..6f34b0f2 100644
--- a/checks/check110
+++ b/checks/check110
@@ -11,7 +11,8 @@
 CHECK_ID_check110="1.10"
 CHECK_TITLE_check110="[check110] Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
 CHECK_SCORED_check110="SCORED"
-CHECK_ALTERNATE_check110="check110"
+CHECK_TYPE_check110="LEVEL1"
+CHECK_ALTERNATE_check110="check110"
 check110(){
 # "Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
diff --git a/checks/check111 b/checks/check111
index 45973792..768ff1cc 100644
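Review bot: The `-CHECK_ALTERNATE_check110="check110"` / `+CHECK_ALTERNATE_check110="check110"` pair in the check110 hunk shows identical text on both sides, so this commit carries an invisible whitespace or line-ending change on top of the metadata addition; the same pattern recurs in check112 and check123 (on CHECK_SCORED), check113, check115, check116, check117, check118, check120, check122, check124, check15, check19, check21 and onward through this patch, and again throughout 2/7 (the diffstat's 26 deletions for a 37-file one-line addition are exactly these). That is most likely trailing whitespace being stripped by the editor, which is worth doing but better as its own commit so `git blame` on those lines points at the change that actually introduced CHECK_TYPE. `git diff -w` against the parent would confirm that nothing else differs on the re-added lines.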
--- a/checks/check111
+++ b/checks/check111
@@ -11,6 +11,7 @@
 CHECK_ID_check111="1.11"
 CHECK_TITLE_check111="[check111] Ensure IAM password policy expires passwords within 90 days or less (Scored)"
 CHECK_SCORED_check111="SCORED"
+CHECK_TYPE_check111="LEVEL1"
 CHECK_ALTERNATE_check111="check111"
 check111(){
diff --git a/checks/check112 b/checks/check112
index b4bbcb53..f6fa9481 100644
--- a/checks/check112
+++ b/checks/check112
@@ -10,7 +10,8 @@
 CHECK_ID_check112="1.12"
 CHECK_TITLE_check112="[check112] Ensure no root account access key exists (Scored)"
-CHECK_SCORED_check112="SCORED"
+CHECK_SCORED_check112="SCORED"
+CHECK_TYPE_check112="LEVEL1"
 CHECK_ALTERNATE_check112="check112"
 check112(){
diff --git a/checks/check113 b/checks/check113
index 668bf25b..481daeef 100644
--- a/checks/check113
+++ b/checks/check113
@@ -11,7 +11,8 @@
 CHECK_ID_check113="1.13"
 CHECK_TITLE_check113="[check113] Ensure MFA is enabled for the root account (Scored)"
 CHECK_SCORED_check113="SCORED"
-CHECK_ALTERNATE_check113="check113"
+CHECK_TYPE_check113="LEVEL1"
+CHECK_ALTERNATE_check113="check113"
 check113(){
 # "Ensure MFA is enabled for the root account (Scored)"
diff --git a/checks/check115 b/checks/check115
index 08d10891..3fd9229c 100644
--- a/checks/check115
+++ b/checks/check115
@@ -11,7 +11,8 @@
 CHECK_ID_check115="1.15"
 CHECK_TITLE_check115="[check115] Ensure security questions are registered in the AWS account (Not Scored)"
 CHECK_SCORED_check115="SCORED"
-CHECK_ALTERNATE_check115="check115"
+CHECK_TYPE_check115="LEVEL1"
+CHECK_ALTERNATE_check115="check115"
 check115(){
 # "Ensure security questions are registered in the AWS account (Not Scored)"
diff --git a/checks/check116 b/checks/check116
index 6dbbc4c5..a70114ae 100644
--- a/checks/check116
+++ b/checks/check116
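Review bot: In the check115 hunk the context line `CHECK_SCORED_check115="SCORED"` contradicts the title two lines above it, which ends in `(Not Scored)`; the same mismatch is visible in check315 later in this patch. Since this commit is the one that classifies every check's header metadata, it is the natural place to settle which of the two is right before a third attribute is layered on top of an inconsistent pair; the title wording suggests `CHECK_SCORED_check115="NOT_SCORED"`, as check121 and check123 already use for their "(Not Scored)" titles, but that should be confirmed against the benchmark text rather than assumed from here.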
@@ -11,7 +11,8 @@
 CHECK_ID_check116="1.16"
 CHECK_TITLE_check116="[check116] Ensure IAM policies are attached only to groups or roles (Scored)"
 CHECK_SCORED_check116="SCORED"
-CHECK_ALTERNATE_check116="check116"
+CHECK_TYPE_check116="LEVEL1"
+CHECK_ALTERNATE_check116="check116"
 check116(){
 # "Ensure IAM policies are attached only to groups or roles (Scored)"
diff --git a/checks/check117 b/checks/check117
index 4550c1a1..4805a9fb 100644
--- a/checks/check117
+++ b/checks/check117
@@ -11,7 +11,8 @@
 CHECK_ID_check117="1.17"
 CHECK_TITLE_check117="[check117] Enable detailed billing (Scored)"
 CHECK_SCORED_check117="SCORED"
-CHECK_ALTERNATE_check117="check117"
+CHECK_TYPE_check117="LEVEL1"
+CHECK_ALTERNATE_check117="check117"
 check117(){
 # "Enable detailed billing (Scored)"
diff --git a/checks/check118 b/checks/check118
index d793c144..e6bb9ce9 100644
--- a/checks/check118
+++ b/checks/check118
@@ -11,7 +11,8 @@
 CHECK_ID_check118="1.18"
 CHECK_TITLE_check118="[check118] Ensure IAM Master and IAM Manager roles are active (Scored)"
 CHECK_SCORED_check118="SCORED"
-CHECK_ALTERNATE_check118="check118"
+CHECK_TYPE_check118="LEVEL1"
+CHECK_ALTERNATE_check118="check118"
 check118(){
 # "Ensure IAM Master and IAM Manager roles are active (Scored)"
diff --git a/checks/check119 b/checks/check119
index 6593fc30..b8549cec 100644
--- a/checks/check119
+++ b/checks/check119
@@ -11,6 +11,7 @@
 CHECK_ID_check119="1.19"
 CHECK_TITLE_check119="[check119] Maintain current contact details (Scored)"
 CHECK_SCORED_check119="SCORED"
+CHECK_TYPE_check119="LEVEL1"
 CHECK_ALTERNATE_check119="check119"
 check119(){
diff --git a/checks/check12 b/checks/check12
index a96aa30a..6a514071 100644
--- a/checks/check12
+++ b/checks/check12
@@ -11,6 +11,7 @@
 CHECK_ID_check12="1.2,1.02"
 CHECK_TITLE_check12="[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
 CHECK_SCORED_check12="SCORED"
+CHECK_TYPE_check12="LEVEL1"
 CHECK_ALTERNATE_check102="check12"
 check12(){
diff --git a/checks/check120 b/checks/check120
index b18bb767..17ca89f5 100644
--- a/checks/check120
+++ b/checks/check120
@@ -11,7 +11,8 @@
 CHECK_ID_check120="1.20"
 CHECK_TITLE_check120="[check120] Ensure security contact information is registered (Scored)"
 CHECK_SCORED_check120="SCORED"
-CHECK_ALTERNATE_check120="check120"
+CHECK_TYPE_check120="LEVEL1"
+CHECK_ALTERNATE_check120="check120"
 check120(){
 # "Ensure security contact information is registered (Scored)"
diff --git a/checks/check122 b/checks/check122
index 67c93c7e..70ad1100 100644
--- a/checks/check122
+++ b/checks/check122
@@ -11,7 +11,8 @@
 CHECK_ID_check122="1.22"
 CHECK_TITLE_check122="[check122] Ensure a support role has been created to manage incidents with AWS Support (Scored)"
 CHECK_SCORED_check122="SCORED"
-CHECK_ALTERNATE_check122="check122"
+CHECK_TYPE_check122="LEVEL1"
+CHECK_ALTERNATE_check122="check122"
 check122(){
 # "Ensure a support role has been created to manage incidents with AWS Support (Scored)"
diff --git a/checks/check123 b/checks/check123
index db96a737..9f20fddf 100644
--- a/checks/check123
+++ b/checks/check123
@@ -10,7 +10,8 @@
 CHECK_ID_check123="1.23"
 CHECK_TITLE_check123="[check123] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
-CHECK_SCORED_check123="NOT_SCORED"
+CHECK_SCORED_check123="NOT_SCORED"
+CHECK_TYPE_check123="LEVEL1"
 CHECK_ALTERNATE_check123="check123"
 check123(){
diff --git a/checks/check124 b/checks/check124
index 0f99d55d..1c1637f3 100644
--- a/checks/check124
+++ b/checks/check124
@@ -11,7 +11,8 @@
 CHECK_ID_check124="1.24"
 CHECK_TITLE_check124="[check124] Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
 CHECK_SCORED_check124="SCORED"
-CHECK_ALTERNATE_check124="check124"
+CHECK_TYPE_check124="LEVEL1"
+CHECK_ALTERNATE_check124="check124"
 check124(){
 # "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
diff --git a/checks/check13 b/checks/check13
index 18b4ed6f..64733cff 100644
--- a/checks/check13
+++ b/checks/check13
@@ -11,6 +11,7 @@
 CHECK_ID_check13="1.3,1.03"
 CHECK_TITLE_check13="[check13] Ensure credentials unused for 90 days or greater are disabled (Scored)"
 CHECK_SCORED_check13="SCORED"
+CHECK_TYPE_check13="LEVEL1"
 CHECK_ALTERNATE_check103="check13"
 check13(){
diff --git a/checks/check14 b/checks/check14
index 1ae4502f..ba30c25c 100644
--- a/checks/check14
+++ b/checks/check14
@@ -11,6 +11,7 @@
 CHECK_ID_check14="1.4,1.04"
 CHECK_TITLE_check14="[check14] Ensure access keys are rotated every 90 days or less (Scored)"
 CHECK_SCORED_check14="SCORED"
+CHECK_TYPE_check14="LEVEL1"
 CHECK_ALTERNATE_check104="check14"
 check14(){
diff --git a/checks/check15 b/checks/check15
index afc053ff..aedcba17 100644
--- a/checks/check15
+++ b/checks/check15
@@ -11,7 +11,8 @@
 CHECK_ID_check15="1.5,1.05"
 CHECK_TITLE_check15="[check15] Ensure IAM password policy requires at least one uppercase letter (Scored)"
 CHECK_SCORED_check15="SCORED"
-CHECK_ALTERNATE_check105="check15"
+CHECK_TYPE_check15="LEVEL1"
+CHECK_ALTERNATE_check105="check15"
 check15(){
 # "Ensure IAM password policy requires at least one uppercase letter (Scored)"
diff --git a/checks/check16 b/checks/check16
index b846e03d..de224521 100644
--- a/checks/check16
+++ b/checks/check16
@@ -11,6 +11,7 @@
 CHECK_ID_check16="1.6,1.06"
 CHECK_TITLE_check16="[check16] Ensure IAM password policy require at least one lowercase letter (Scored)"
 CHECK_SCORED_check16="SCORED"
+CHECK_TYPE_check16="LEVEL1"
 CHECK_ALTERNATE_check106="check16"
 check16(){
diff --git a/checks/check17 b/checks/check17
index 8ee31da2..f344c759 100644
--- a/checks/check17
+++ b/checks/check17
@@ -11,6 +11,7 @@
 CHECK_ID_check17="1.7,1.07"
 CHECK_TITLE_check17="[check17] Ensure IAM password policy require at least one symbol (Scored)"
 CHECK_SCORED_check17="SCORED"
+CHECK_TYPE_check17="LEVEL1"
 CHECK_ALTERNATE_check107="check17"
 check17(){
diff --git a/checks/check18 b/checks/check18
index 62ebc22c..2abb0df0 100644
--- a/checks/check18
+++ b/checks/check18
@@ -11,6 +11,7 @@
 CHECK_ID_check18="1.8,1.08"
 CHECK_TITLE_check18="[check18] Ensure IAM password policy require at least one number (Scored)"
 CHECK_SCORED_check18="SCORED"
+CHECK_TYPE_check19="LEVEL1"
 CHECK_ALTERNATE_check18="check18"
 check18(){
diff --git a/checks/check19 b/checks/check19
index 57f18460..6e924ae8 100644
--- a/checks/check19
+++ b/checks/check19
@@ -11,7 +11,8 @@
 CHECK_ID_check19="1.9,1.09"
 CHECK_TITLE_check19="[check19] Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
 CHECK_SCORED_check19="SCORED"
-CHECK_ALTERNATE_check109="check19"
+CHECK_TYPE_check19="LEVEL1"
+CHECK_ALTERNATE_check109="check19"
 check19(){
 # "Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
diff --git a/checks/check21 b/checks/check21
index 82d6c904..67bf20f2 100644
--- a/checks/check21
+++ b/checks/check21
@@ -11,7 +11,8 @@
 CHECK_ID_check21="2.1,2.01"
 CHECK_TITLE_check21="[check21] Ensure CloudTrail is enabled in all regions (Scored)"
 CHECK_SCORED_check21="SCORED"
-CHECK_ALTERNATE_check201="check21"
+CHECK_TYPE_check21="LEVEL1"
+CHECK_ALTERNATE_check201="check21"
 check21(){
 # "Ensure CloudTrail is enabled in all regions (Scored)"
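Review bot: `+CHECK_TYPE_check19="LEVEL1"` in the checks/check18 hunk names the neighbouring check, so after this commit check18 has no CHECK_TYPE_check18 at all and check19's variable is assigned from two files; the slip is invisible at runtime only because both say LEVEL1. PATCH 4/7 corrects it to `CHECK_TYPE_check18="LEVEL1"`; squashing that fix into this commit would keep every intermediate revision of the series self-consistent, which matters for bisecting. The same hunk also leaves `CHECK_ALTERNATE_check18="check18"` while every sibling uses the zero-padded form (check105, check109, check201), another inconsistency 4/7 later repairs.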
diff --git a/checks/check23 b/checks/check23
index e79a2924..63ccd4d7 100644
--- a/checks/check23
+++ b/checks/check23
@@ -11,7 +11,8 @@
 CHECK_ID_check23="2.3,2.03"
 CHECK_TITLE_check23="[check23] Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
 CHECK_SCORED_check23="SCORED"
-CHECK_ALTERNATE_check203="check23"
+CHECK_TYPE_check23="LEVEL1"
+CHECK_ALTERNATE_check203="check23"
 check23(){
 # "Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
diff --git a/checks/check24 b/checks/check24
index 89b2a966..35185035 100644
--- a/checks/check24
+++ b/checks/check24
@@ -11,7 +11,8 @@
 CHECK_ID_check24="2.4,2.04"
 CHECK_TITLE_check24="[check24] Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
 CHECK_SCORED_check24="SCORED"
-CHECK_ALTERNATE_check204="check24"
+CHECK_TYPE_check24="LEVEL1"
+CHECK_ALTERNATE_check204="check24"
 check24(){
 # "Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
diff --git a/checks/check25 b/checks/check25
index be0ff7cb..d8d81732 100644
--- a/checks/check25
+++ b/checks/check25
@@ -11,7 +11,8 @@
 CHECK_ID_check25="2.5,2.05"
 CHECK_TITLE_check25="[check25] Ensure AWS Config is enabled in all regions (Scored)"
 CHECK_SCORED_check25="SCORED"
-CHECK_ALTERNATE_check205="check25"
+CHECK_TYPE_check25="LEVEL1"
+CHECK_ALTERNATE_check205="check25"
 check25(){
 # "Ensure AWS Config is enabled in all regions (Scored)"
diff --git a/checks/check26 b/checks/check26
index 7cc86dce..5d19c2c6 100644
--- a/checks/check26
+++ b/checks/check26
@@ -11,7 +11,8 @@
 CHECK_ID_check26="2.6,2.06"
 CHECK_TITLE_check26="[check26] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
 CHECK_SCORED_check26="SCORED"
-CHECK_ALTERNATE_check206="check26"
+CHECK_TYPE_check26="LEVEL1"
+CHECK_ALTERNATE_check206="check26"
 check26(){
 # "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
diff --git a/checks/check31 b/checks/check31
index 5a2b0512..5b4f769d 100644
--- a/checks/check31
+++ b/checks/check31
@@ -11,7 +11,8 @@
 CHECK_ID_check31="3.1,3.01"
 CHECK_TITLE_check31="[check31] Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
 CHECK_SCORED_check31="SCORED"
-CHECK_ALTERNATE_check301="check31"
+CHECK_TYPE_check31="LEVEL1"
+CHECK_ALTERNATE_check301="check31"
 check31(){
 # "Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
diff --git a/checks/check312 b/checks/check312
index f1f29b84..90edd1eb 100644
--- a/checks/check312
+++ b/checks/check312
@@ -10,7 +10,8 @@
 CHECK_ID_check312="3.12"
 CHECK_TITLE_check312="[check312] Ensure a log metric filter and alarm exist for changes to network gateways (Scored)"
-CHECK_SCORED_check312="SCORED"
+CHECK_SCORED_check312="SCORED"
+CHECK_TYPE_check312="LEVEL1"
 CHECK_ALTERNATE_check312="check312"
 check312(){
diff --git a/checks/check313 b/checks/check313
index 5a9fed6f..8c54983f 100644
--- a/checks/check313
+++ b/checks/check313
@@ -10,7 +10,8 @@
 CHECK_ID_check313="3.13"
 CHECK_TITLE_check313="[check313] Ensure a log metric filter and alarm exist for route table changes (Scored)"
-CHECK_SCORED_check313="SCORED"
+CHECK_SCORED_check313="SCORED"
+CHECK_TYPE_check313="LEVEL1"
 CHECK_ALTERNATE_check313="check313"
 check313(){
diff --git a/checks/check314 b/checks/check314
index 9ef23dc0..8a7ab7c1 100644
--- a/checks/check314
+++ b/checks/check314
@@ -10,7 +10,8 @@
 CHECK_ID_check314="3.14"
 CHECK_TITLE_check314="[check314] Ensure a log metric filter and alarm exist for VPC changes (Scored)"
-CHECK_SCORED_check314="SCORED"
+CHECK_SCORED_check314="SCORED"
+CHECK_TYPE_check314="LEVEL1"
 CHECK_ALTERNATE_check314="check314"
 check314(){
diff --git a/checks/check315 b/checks/check315
index cec444cd..5672b27f 100644
--- a/checks/check315
+++ b/checks/check315
@@ -11,6 +11,7 @@
 CHECK_ID_check315="3.15"
 CHECK_TITLE_check315="[check315] Ensure appropriate subscribers to each SNS topic (Not Scored)"
 CHECK_SCORED_check315="SCORED"
+CHECK_TYPE_check315="LEVEL1"
 CHECK_ALTERNATE_check315="check315"
 check315(){
diff --git a/checks/check32 b/checks/check32
index d6a17789..04c26703 100644
--- a/checks/check32
+++ b/checks/check32
@@ -11,6 +11,7 @@
 CHECK_ID_check32="3.2,3.02"
 CHECK_TITLE_check32="[check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)"
 CHECK_SCORED_check32="SCORED"
+CHECK_TYPE_check32="LEVEL1"
 CHECK_ALTERNATE_check302="check32"
 check32(){
diff --git a/checks/check33 b/checks/check33
index bec9d695..90d5c51a 100644
--- a/checks/check33
+++ b/checks/check33
@@ -11,7 +11,8 @@
 CHECK_ID_check33="3.3,3.03"
 CHECK_TITLE_check33="[check33] Ensure a log metric filter and alarm exist for usage of root account (Scored)"
 CHECK_SCORED_check33="SCORED"
-CHECK_ALTERNATE_check303="check33"
+CHECK_TYPE_check33="LEVEL1"
+CHECK_ALTERNATE_check303="check33"
 check33(){
 # "Ensure a log metric filter and alarm exist for usage of root account (Scored)"
diff --git a/checks/check34 b/checks/check34
index 57ce435e..a88f92eb 100644
--- a/checks/check34
+++ b/checks/check34
@@ -11,7 +11,8 @@
 CHECK_ID_check34="3.4,3.04"
 CHECK_TITLE_check34="[check34] Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
 CHECK_SCORED_check34="SCORED"
-CHECK_ALTERNATE_check304="check34"
+CHECK_TYPE_check34="LEVEL1"
+CHECK_ALTERNATE_check304="check34"
 check34(){
 # "Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
diff --git a/checks/check35 b/checks/check35
index c41aafd4..38c4eb33 100644
--- a/checks/check35
+++ b/checks/check35
@@ -11,7 +11,8 @@
 CHECK_ID_check35="3.5,3.05"
 CHECK_TITLE_check35="[check35] Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
 CHECK_SCORED_check35="SCORED"
-CHECK_ALTERNATE_check305="check35"
+CHECK_TYPE_check35="LEVEL1"
+CHECK_ALTERNATE_check305="check35"
 check35(){
 # "Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
diff --git a/checks/check38 b/checks/check38
index 8d06f323..bd5f0fee 100644
--- a/checks/check38
+++ b/checks/check38
@@ -11,7 +11,8 @@
 CHECK_ID_check38="3.8,3.08"
 CHECK_TITLE_check38="[check38] Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)"
 CHECK_SCORED_check38="SCORED"
-CHECK_ALTERNATE_check308="check38"
+CHECK_TYPE_check38="LEVEL1"
+CHECK_ALTERNATE_check308="check38"
 check38(){
 # "Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)"
From 2cc67151248e88adab63257576f02259683cc433 Mon Sep 17 00:00:00 2001
From: MrSecure
Date: Tue, 24 Apr 2018 21:09:46 -0700
Subject: [PATCH 2/7] mark Level 2 checks as such
---
 checks/check114 | 3 ++-
 checks/check121 | 3 ++-
 checks/check22 | 3 ++-
 checks/check27 | 3 ++-
 checks/check28 | 3 ++-
 checks/check310 | 1 +
 checks/check311 | 3 ++-
 checks/check36 | 3 ++-
 checks/check37 | 3 ++-
 checks/check39 | 3 ++-
 checks/check41 | 3 ++-
 checks/check42 | 3 ++-
 checks/check43 | 3 ++-
 checks/check44 | 3 ++-
 checks/check45 | 3 ++-
 15 files changed, 29 insertions(+), 14 deletions(-)
diff --git a/checks/check114 b/checks/check114
index 3f386543..99391d33 100644
--- a/checks/check114
+++ b/checks/check114
@@ -11,7 +11,8 @@
 CHECK_ID_check114="1.14"
 CHECK_TITLE_check114="[check114] Ensure hardware MFA is enabled for the root account (Scored)"
 CHECK_SCORED_check114="SCORED"
-CHECK_ALTERNATE_check114="check114"
+CHECK_TYPE_check114="LEVEL2"
+CHECK_ALTERNATE_check114="check114"
 check114(){
 # "Ensure hardware MFA is enabled for the root account (Scored)"
diff --git a/checks/check121 b/checks/check121
index c70510d9..72086221 100644
--- a/checks/check121
+++ b/checks/check121
@@ -11,7 +11,8 @@
 CHECK_ID_check121="1.21"
 CHECK_TITLE_check121="[check121] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
 CHECK_SCORED_check121="NOT_SCORED"
-CHECK_ALTERNATE_check121="check121"
+CHECK_TYPE_check121="LEVEL2"
+CHECK_ALTERNATE_check121="check121"
 check121(){
 # "Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
diff --git a/checks/check22 b/checks/check22
index 3badd579..ffc28b67 100644
--- a/checks/check22
+++ b/checks/check22
@@ -11,7 +11,8 @@
 CHECK_ID_check22="2.2,2.02"
 CHECK_TITLE_check22="[check22] Ensure CloudTrail log file validation is enabled (Scored)"
 CHECK_SCORED_check22="SCORED"
-CHECK_ALTERNATE_check202="check22"
+CHECK_TYPE_check22="LEVEL2"
+CHECK_ALTERNATE_check202="check22"
 check22(){
 # "Ensure CloudTrail log file validation is enabled (Scored)"
diff --git a/checks/check27 b/checks/check27
index 20bd1258..ba926a0a 100644
--- a/checks/check27
+++ b/checks/check27
@@ -11,7 +11,8 @@
 CHECK_ID_check27="2.7,2.07"
 CHECK_TITLE_check27="[check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
 CHECK_SCORED_check27="SCORED"
-CHECK_ALTERNATE_check207="check27"
+CHECK_TYPE_check27="LEVEL2"
+CHECK_ALTERNATE_check207="check27"
 check27(){
 # "Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
diff --git a/checks/check28 b/checks/check28
index 06e93d75..89e22ec8 100644
--- a/checks/check28
+++ b/checks/check28
@@ -11,7 +11,8 @@
 CHECK_ID_check28="2.8,2.08"
 CHECK_TITLE_check28="[check28] Ensure rotation for customer created CMKs is enabled (Scored)"
 CHECK_SCORED_check28="SCORED"
-CHECK_ALTERNATE_check208="check28"
+CHECK_TYPE_check28="LEVEL2"
+CHECK_ALTERNATE_check208="check28"
 check28(){
 # "Ensure rotation for customer created CMKs is enabled (Scored)"
diff --git a/checks/check310 b/checks/check310
index e4e29128..14ce2958 100644
--- a/checks/check310
+++ b/checks/check310
@@ -11,6 +11,7 @@
 CHECK_ID_check310="3.10"
 CHECK_TITLE_check310="[check310] Ensure a log metric filter and alarm exist for security group changes (Scored)"
 CHECK_SCORED_check310="SCORED"
+CHECK_TYPE_check310="LEVEL2"
 CHECK_ALTERNATE_check310="check310"
 check310(){
diff --git a/checks/check311 b/checks/check311
index 8dc05712..403bb5f0 100644
--- a/checks/check311
+++ b/checks/check311
@@ -10,7 +10,8 @@
 CHECK_ID_check311="3.11"
 CHECK_TITLE_check311="[check311] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)"
-CHECK_SCORED_check311="SCORED"
+CHECK_SCORED_check311="SCORED"
+CHECK_TYPE_check=311"LEVEL2"
 CHECK_ALTERNATE_check311="check311"
 check311(){
diff --git a/checks/check36 b/checks/check36
index 8b54cd87..fd7aef10 100644
--- a/checks/check36
+++ b/checks/check36
@@ -11,7 +11,8 @@
 CHECK_ID_check36="3.6,3.06"
 CHECK_TITLE_check36="[check36] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)"
 CHECK_SCORED_check36="SCORED"
-CHECK_ALTERNATE_check306="check36"
+CHECK_TYPE_check36="LEVEL2"
+CHECK_ALTERNATE_check306="check36"
 check36(){
 # "Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)"
diff --git a/checks/check37 b/checks/check37
index fc017174..2395e48d 100644
--- a/checks/check37
+++ b/checks/check37
@@ -11,7 +11,8 @@
 CHECK_ID_check37="3.7,3.07"
 CHECK_TITLE_check37="[check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)"
 CHECK_SCORED_check37="SCORED"
-CHECK_ALTERNATE_check307="check37"
+CHECK_TYPE_check37="LEVEL2"
+CHECK_ALTERNATE_check307="check37"
 check37(){
 # "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)"
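Review bot: `+CHECK_TYPE_check=311"LEVEL2"` in the checks/check311 hunk is mistyped: the shell parses it as an assignment of the string `311LEVEL2` to a variable named `CHECK_TYPE_check`, so check311 ends up with no CHECK_TYPE_check311 at all while a stray `CHECK_TYPE_check` variable is left behind for whatever is sourced afterwards. PATCH 4/7 ("fix mismatched check_type") repairs the analogous slip in check18 but does not touch this one, so as far as this series shows the fix `CHECK_TYPE_check311="LEVEL2"` is still outstanding; what reads CHECK_TYPE is not visible here, so whether a missing value is skipped or treated as an error cannot be confirmed. Since every check file declares the same header variables, a one-line CI guard such as `grep -L '^CHECK_TYPE_[A-Za-z0-9]*="' checks/check*` (listing files with no well-formed declaration; check_sample will show up because its line is commented) would have caught both typos before merge.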
diff --git a/checks/check39 b/checks/check39
index 3c9b2ba6..a0d6811a 100644
--- a/checks/check39
+++ b/checks/check39
@@ -11,7 +11,8 @@
 CHECK_ID_check39="3.9,3.09"
 CHECK_TITLE_check39="[check39] Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)"
 CHECK_SCORED_check39="SCORED"
-CHECK_ALTERNATE_check309="check39"
+CHECK_TYPE_check39="LEVEL2"
+CHECK_ALTERNATE_check309="check39"
 check39(){
 # "Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)"
diff --git a/checks/check41 b/checks/check41
index 5e7aceaf..f663297e 100644
--- a/checks/check41
+++ b/checks/check41
@@ -11,7 +11,8 @@
 CHECK_ID_check41="4.1,4.01"
 CHECK_TITLE_check41="[check41] Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)"
 CHECK_SCORED_check41="SCORED"
-CHECK_ALTERNATE_check401="check41"
+CHECK_TYPE_check41="LEVEL2"
+CHECK_ALTERNATE_check401="check41"
 check41(){
 # "Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)"
diff --git a/checks/check42 b/checks/check42
index d2330f84..c5f58ab1 100644
--- a/checks/check42
+++ b/checks/check42
@@ -11,7 +11,8 @@
 CHECK_ID_check42="4.2,4.02"
 CHECK_TITLE_check42="[check42] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)"
 CHECK_SCORED_check42="SCORED"
-CHECK_ALTERNATE_check402="check42"
+CHECK_TYPE_check42="LEVEL2"
+CHECK_ALTERNATE_check402="check42"
 check42(){
 # "Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)"
diff --git a/checks/check43 b/checks/check43
index c0223f82..e91ee4c6 100644
--- a/checks/check43
+++ b/checks/check43
@@ -11,7 +11,8 @@
 CHECK_ID_check43="4.3,4.03"
 CHECK_TITLE_check43="[check43] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
 CHECK_SCORED_check43="SCORED"
-CHECK_ALTERNATE_check403="check43"
+CHECK_TYPE_check43="LEVEL2"
+CHECK_ALTERNATE_check403="check43"
 check43(){
 # "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
diff --git a/checks/check44 b/checks/check44
index d3a5cef5..74450d08 100644
--- a/checks/check44
+++ b/checks/check44
@@ -11,7 +11,8 @@
 CHECK_ID_check44="4.4,4.04"
 CHECK_TITLE_check44="[check44] Ensure the default security group of every VPC restricts all traffic (Scored)"
 CHECK_SCORED_check44="SCORED"
-CHECK_ALTERNATE_check404="check44"
+CHECK_TYPE_check44="LEVEL2"
+CHECK_ALTERNATE_check404="check44"
 check44(){
 # "Ensure the default security group of every VPC restricts all traffic (Scored)"
diff --git a/checks/check45 b/checks/check45
index 7bddfa61..4d981b46 100644
--- a/checks/check45
+++ b/checks/check45
@@ -11,7 +11,8 @@
 CHECK_ID_check45="4.5,4.05"
 CHECK_TITLE_check45="[check45] Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
 CHECK_SCORED_check45="NOT_SCORED"
-CHECK_ALTERNATE_check405="check45"
+CHECK_TYPE_check45="LEVEL2"
+CHECK_ALTERNATE_check405="check45"
 check45(){
 # "Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
From 6e97b41e06417c2329e85a1d0940af9c49a57e4f Mon Sep 17 00:00:00 2001
From: MrSecure
Date: Tue, 24 Apr 2018 21:10:10 -0700
Subject: [PATCH 3/7] add EXTRA level marker to sample check
---
 checks/check_sample | 1 +
 1 file changed, 1 insertion(+)
diff --git a/checks/check_sample b/checks/check_sample
index 78c2e29f..774eff3e 100644
--- a/checks/check_sample
+++ b/checks/check_sample
@@ -14,6 +14,7 @@
 # CHECK_ID_checkN="N.N"
 # CHECK_TITLE_checkN="[checkN] Description (Not Scored) (Not part of CIS benchmark)"
 # CHECK_SCORED_checkN="NOT_SCORED"
+# CHECK_TYPE_checkN="EXTRA"
 # CHECK_ALTERNATE_checkN="extraN"
 #
 # extraN(){
From ef069386e85707cabe3126ab89bef2af6977942d Mon Sep 17 00:00:00 2001
From: MrSecure
Date: Tue, 24 Apr 2018 21:12:25 -0700
Subject: [PATCH 4/7] fix mismatched check_type fix CHECK_ALTERNATE
---
 checks/check18 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/checks/check18 b/checks/check18
index 2abb0df0..412de291 100644
--- a/checks/check18
+++ b/checks/check18
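Review bot: The template line `# CHECK_TYPE_checkN="EXTRA"` added to checks/check_sample shows only one of the three values this series introduces, so someone copying the sample gets no hint that LEVEL1 and LEVEL2 exist or which of them a CIS-derived check should carry. A trailing comment on that line, e.g. `# CHECK_TYPE_checkN="EXTRA"   # LEVEL1 | LEVEL2 for CIS benchmark checks, EXTRA for the rest`, would document the allowed set at the one place new checks are written from. Whatever consumes CHECK_TYPE is not part of the series as shown here, so whether an unknown or missing value is rejected at runtime cannot be confirmed from this page.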
@@ -11,8 +11,8 @@
 CHECK_ID_check18="1.8,1.08"
 CHECK_TITLE_check18="[check18] Ensure IAM password policy require at least one number (Scored)"
 CHECK_SCORED_check18="SCORED"
-CHECK_TYPE_check19="LEVEL1"
-CHECK_ALTERNATE_check18="check18"
+CHECK_TYPE_check18="LEVEL1"
+CHECK_ALTERNATE_check108="check18"
 check18(){
 # "Ensure IAM password policy require at least one number (Scored)"
From bd9e49d3e3a042d0e592ce42a469c913778cec70 Mon Sep 17 00:00:00 2001
From: MrSecure
Date: Tue, 24 Apr 2018 21:19:42 -0700
Subject: [PATCH 5/7] mark Extra checks as such
---
 checks/check_extra71 | 1 +
 checks/check_extra710 | 1 +
 checks/check_extra711 | 1 +
 checks/check_extra712 | 1 +
 checks/check_extra713 | 1 +
 checks/check_extra714 | 1 +
 checks/check_extra715 | 1 +
 checks/check_extra716 | 1 +
 checks/check_extra717 | 1 +
 checks/check_extra718 | 1 +
 checks/check_extra719 | 1 +
 checks/check_extra72 | 1 +
 checks/check_extra720 | 1 +
 checks/check_extra721 | 1 +
 checks/check_extra722 | 1 +
 checks/check_extra723 | 1 +
 checks/check_extra724 | 1 +
 checks/check_extra725 | 3 ++-
 checks/check_extra726 | 1 +
 checks/check_extra727 | 1 +
 checks/check_extra728 | 1 +
 checks/check_extra729 | 1 +
 checks/check_extra73 | 1 +
 checks/check_extra74 | 1 +
 checks/check_extra75 | 1 +
 checks/check_extra76 | 1 +
 checks/check_extra77 | 2 +-
 checks/check_extra78 | 1 +
 checks/check_extra79 | 1 +
 29 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/checks/check_extra71 b/checks/check_extra71
index fcba890d..25e95cda 100644
--- a/checks/check_extra71
+++ b/checks/check_extra71
@@ -13,6 +13,7 @@
 CHECK_ID_extra71="7.1,7.01"
 CHECK_TITLE_extra71="[extra71] Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra71="NOT_SCORED"
+CHECK_TYPE_extra71="EXTRA"
 CHECK_ALTERNATE_extra701="extra71"
 CHECK_ALTERNATE_check71="extra71"
 CHECK_ALTERNATE_check701="extra71"
diff --git a/checks/check_extra710 b/checks/check_extra710
index 957c4502..c259695a 100644
--- a/checks/check_extra710
+++ b/checks/check_extra710
@@ -13,6 +13,7 @@
 CHECK_ID_extra710="7.10"
 CHECK_TITLE_extra710="[extra710] Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra710="NOT_SCORED"
+CHECK_TYPE_extra710="EXTRA"
 CHECK_ALTERNATE_check710="extra710"
 extra710(){
diff --git a/checks/check_extra711 b/checks/check_extra711
index a8e558f0..e9af65a3 100644
--- a/checks/check_extra711
+++ b/checks/check_extra711
@@ -13,6 +13,7 @@
 CHECK_ID_extra711="7.11"
 CHECK_TITLE_extra711="[extra711] Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra711="NOT_SCORED"
+CHECK_TYPE_extra711="EXTRA"
 CHECK_ALTERNATE_check711="extra711"
 extra711(){
diff --git a/checks/check_extra712 b/checks/check_extra712
index 9194dac4..641e03ef 100644
--- a/checks/check_extra712
+++ b/checks/check_extra712
@@ -13,6 +13,7 @@
 CHECK_ID_extra712="7.12"
 CHECK_TITLE_extra712="[extra712] Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra712="NOT_SCORED"
+CHECK_TYPE_extra712="EXTRA"
 CHECK_ALTERNATE_check712="extra712"
 extra712(){
diff --git a/checks/check_extra713 b/checks/check_extra713
index ffd23b0a..ffbf6a44 100644
--- a/checks/check_extra713
+++ b/checks/check_extra713
@@ -13,6 +13,7 @@
 CHECK_ID_extra713="7.13"
 CHECK_TITLE_extra713="[extra713] Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra713="NOT_SCORED"
+CHECK_TYPE_extra713="EXTRA"
 CHECK_ALTERNATE_check713="extra713"
 extra713(){
diff --git a/checks/check_extra714 b/checks/check_extra714
index 7b13cc44..2a5233d6 100644
--- a/checks/check_extra714
+++ b/checks/check_extra714
@@ -13,6 +13,7 @@
 CHECK_ID_extra714="7.14"
 CHECK_TITLE_extra714="[extra714] Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra714="NOT_SCORED"
+CHECK_TYPE_extra714="EXTRA"
 CHECK_ALTERNATE_check714="extra714"
 extra714(){
diff --git a/checks/check_extra715 b/checks/check_extra715
index b49c718f..34eb9a3d 100644
--- a/checks/check_extra715
+++ b/checks/check_extra715
@@ -13,6 +13,7 @@
 CHECK_ID_extra715="7.15"
 CHECK_TITLE_extra715="[extra715] Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra715="NOT_SCORED"
+CHECK_TYPE_extra715="EXTRA"
 CHECK_ALTERNATE_check715="extra715"
 extra715(){
diff --git a/checks/check_extra716 b/checks/check_extra716
index fe3e26f1..b0b51b85 100644
--- a/checks/check_extra716
+++ b/checks/check_extra716
@@ -13,6 +13,7 @@
 CHECK_ID_extra716="7.16"
 CHECK_TITLE_extra716="[extra716] Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra716="NOT_SCORED"
+CHECK_TYPE_extra716="EXTRA"
 CHECK_ALTERNATE_check716="extra716"
 extra716(){
diff --git a/checks/check_extra717 b/checks/check_extra717
index d141bd9f..0bb04741 100644
--- a/checks/check_extra717
+++ b/checks/check_extra717
@@ -13,6 +13,7 @@
 CHECK_ID_extra717="7.17"
 CHECK_TITLE_extra717="[extra717] Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra717="NOT_SCORED"
+CHECK_TYPE_extra717="EXTRA"
 CHECK_ALTERNATE_check717="extra717"
 extra717(){
diff --git a/checks/check_extra718 b/checks/check_extra718
index e8b245ab..e5b32690 100644
--- a/checks/check_extra718
+++ b/checks/check_extra718
@@ -13,6 +13,7 @@
 CHECK_ID_extra718="7.18"
 CHECK_TITLE_extra718="[extra718] Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra718="NOT_SCORED"
+CHECK_TYPE_extra718="EXTRA"
 CHECK_ALTERNATE_check718="extra718"
 extra718(){
diff --git a/checks/check_extra719 b/checks/check_extra719
index 2245d661..c8526139 100644
--- a/checks/check_extra719
+++ b/checks/check_extra719
@@ -13,6 +13,7 @@ CHECK_ID_extra719="7.19"
 CHECK_TITLE_extra719="[extra719] Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra719="NOT_SCORED"
+CHECK_TYPE_extra719="EXTRA"
 CHECK_ALTERNATE_check719="extra719"
 extra719(){
diff --git a/checks/check_extra72 b/checks/check_extra72
index 4575bddd..f9fa11b9 100644
--- a/checks/check_extra72
+++ b/checks/check_extra72
@@ -13,6 +13,7 @@ CHECK_ID_extra72="7.2,7.02"
 CHECK_TITLE_extra72="[extra72] Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra72="NOT_SCORED"
+CHECK_TYPE_extra72="EXTRA"
 CHECK_ALTERNATE_extra702="extra72"
 CHECK_ALTERNATE_check72="extra72"
 CHECK_ALTERNATE_check702="extra72"
diff --git a/checks/check_extra720 b/checks/check_extra720
index 1e1b1255..9acff441 100644
--- a/checks/check_extra720
+++ b/checks/check_extra720
@@ -13,6 +13,7 @@ CHECK_ID_extra720="7.20"
 CHECK_TITLE_extra720="[extra720] Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra720="NOT_SCORED"
+CHECK_TYPE_extra720="EXTRA"
 CHECK_ALTERNATE_check720="extra720"
 extra720(){
diff --git a/checks/check_extra721 b/checks/check_extra721
index b8bef0e4..ac6ca054 100644
--- a/checks/check_extra721
+++ b/checks/check_extra721
@@ -13,6 +13,7 @@ CHECK_ID_extra721="7.21"
 CHECK_TITLE_extra721="[extra721] Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra721="NOT_SCORED"
+CHECK_TYPE_extra721="EXTRA"
 CHECK_ALTERNATE_check721="extra721"
 extra721(){
diff --git a/checks/check_extra722 b/checks/check_extra722
index 426ab785..1b088cd6 100644
--- a/checks/check_extra722
+++ b/checks/check_extra722
@@ -13,6 +13,7 @@ CHECK_ID_extra722="7.22"
 CHECK_TITLE_extra722="[extra722] Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra722="NOT_SCORED"
+CHECK_TYPE_extra722="EXTRA"
 CHECK_ALTERNATE_check722="extra722"
 extra722(){
diff --git a/checks/check_extra723 b/checks/check_extra723
index 7065508f..589df548 100644
--- a/checks/check_extra723
+++ b/checks/check_extra723
@@ -13,6 +13,7 @@ CHECK_ID_extra723="7.23"
 CHECK_TITLE_extra723="[extra723] Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra723="NOT_SCORED"
+CHECK_TYPE_extra723="EXTRA"
 CHECK_ALTERNATE_check723="extra723"
 extra723(){
diff --git a/checks/check_extra724 b/checks/check_extra724
index 67a2aa54..068a07d2 100644
--- a/checks/check_extra724
+++ b/checks/check_extra724
@@ -13,6 +13,7 @@ CHECK_ID_extra724="7.24"
 CHECK_TITLE_extra724="[extra724] Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra724="NOT_SCORED"
+CHECK_TYPE_extra724="EXTRA"
 CHECK_ALTERNATE_check724="extra724"
 extra724(){
diff --git a/checks/check_extra725 b/checks/check_extra725
index 4b5d426e..e719ff26 100644
--- a/checks/check_extra725
+++ b/checks/check_extra725
@@ -14,6 +14,7 @@ CHECK_ID_extra725="7.25"
 CHECK_TITLE_extra725="[extra725] Check if S3 buckets have Object-level logging enabled in CloudTrail (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra725="NOT_SCORED"
+CHECK_TYPE_extra725="EXTRA"
 CHECK_ALTERNATE_check725="extra725"
 # per Object-level logging is not configured at Bucket level but at CloudTrail trail level
@@ -54,7 +55,7 @@ extra725(){
 textFail "$regx: S3 bucket $bucket has Object-level logging disabled" "$regx"
 done
 fi
- # delete all temp files
+ # delete all temp files
 rm -fr $TEMP_BUCKET_LIST_FILE $TEMP_TRAILS_LIST_FILE $TEMP_BUCKETS_LOGGING_LIST_FILE
 }
diff --git a/checks/check_extra726 b/checks/check_extra726
index fa879f6e..6b0bd0b1 100644
--- a/checks/check_extra726
+++ b/checks/check_extra726
@@ -14,6 +14,7 @@ CHECK_ID_extra726="7.26"
 CHECK_TITLE_extra726="[extra726] Check Trusted Advisor for errors and warnings (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra726="NOT_SCORED"
+CHECK_TYPE_extra726="EXTRA"
 CHECK_ALTERNATE_check726="extra726"
 extra726(){
diff --git a/checks/check_extra727 b/checks/check_extra727
index e0802e30..2356684c 100644
--- a/checks/check_extra727
+++ b/checks/check_extra727
@@ -14,6 +14,7 @@ CHECK_ID_extra727="7.27"
 CHECK_TITLE_extra727="[extra727] Check if SQS queues have policy set as Public (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra727="NOT_SCORED"
+CHECK_TYPE_extra727="EXTRA"
 CHECK_ALTERNATE_check727="extra727"
 extra727(){
diff --git a/checks/check_extra728 b/checks/check_extra728
index 4d03d64f..7f4e4be0 100644
--- a/checks/check_extra728
+++ b/checks/check_extra728
@@ -14,6 +14,7 @@ CHECK_ID_extra728="7.28"
 CHECK_TITLE_extra728="[extra728] Check if SQS queues have Server Side Encryption enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra728="NOT_SCORED"
+CHECK_TYPE_extra728="EXTRA"
 CHECK_ALTERNATE_check728="extra728"
 extra728(){
diff --git a/checks/check_extra729 b/checks/check_extra729
index 3b502ff6..603acbb0 100644
--- a/checks/check_extra729
+++ b/checks/check_extra729
@@ -14,6 +14,7 @@ CHECK_ID_extra729="7.29"
 CHECK_TITLE_extra729="[extra729] Ensure there are no EBS Volumes unencrypted (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra729="NOT_SCORED"
+CHECK_TYPE_extra729="EXTRA"
 CHECK_ALTERNATE_check729="extra729"
 extra729(){
diff --git a/checks/check_extra73 b/checks/check_extra73
index 8256915e..7838f570 100644
--- a/checks/check_extra73
+++ b/checks/check_extra73
@@ -13,6 +13,7 @@ CHECK_ID_extra73="7.3,7.03"
 CHECK_TITLE_extra73="[extra73] Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra73="NOT_SCORED"
+CHECK_TYPE_extra73="EXTRA"
 CHECK_ALTERNATE_extra703="extra73"
 CHECK_ALTERNATE_check73="extra73"
 CHECK_ALTERNATE_check703="extra73"
diff --git a/checks/check_extra74 b/checks/check_extra74
index b2964c13..cf736188 100644
--- a/checks/check_extra74
+++ b/checks/check_extra74
@@ -13,6 +13,7 @@ CHECK_ID_extra74="7.4,7.04"
 CHECK_TITLE_extra74="[extra74] Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra74="NOT_SCORED"
+CHECK_TYPE_extra74="EXTRA"
 CHECK_ALTERNATE_extra704="extra74"
 CHECK_ALTERNATE_check74="extra74"
 CHECK_ALTERNATE_check704="extra74"
diff --git a/checks/check_extra75 b/checks/check_extra75
index 029fb461..3e050462 100644
--- a/checks/check_extra75
+++ b/checks/check_extra75
@@ -13,6 +13,7 @@ CHECK_ID_extra75="7.5,7.05"
 CHECK_TITLE_extra75="[extra75] Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra75="NOT_SCORED"
+CHECK_TYPE_extra75="EXTRA"
 CHECK_ALTERNATE_extra705="extra75"
 CHECK_ALTERNATE_check75="extra75"
 CHECK_ALTERNATE_check705="extra75"
diff --git a/checks/check_extra76 b/checks/check_extra76
index bb8e5d53..0f5683e5 100644
--- a/checks/check_extra76
+++ b/checks/check_extra76
@@ -13,6 +13,7 @@ CHECK_ID_extra76="7.6,7.06"
 CHECK_TITLE_extra76="[extra75] Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra76="NOT_SCORED"
+CHECK_TYPE_extra76="EXTRA"
 CHECK_ALTERNATE_extra706="extra76"
 CHECK_ALTERNATE_check76="extra76"
 CHECK_ALTERNATE_check706="extra76"
diff --git a/checks/check_extra77 b/checks/check_extra77
index 3bf32251..8e0b9b41 100644
--- a/checks/check_extra77
+++ b/checks/check_extra77
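Review bot: The context line `CHECK_TITLE_extra76="[extra75] Ensure there are no EC2 AMIs set as Public ..."` in the check_extra76 hunk carries the wrong bracketed id: it labels the public-AMI check as extra75, which is the unused-security-groups check in the hunk just above, so any report line or grep keyed on the `[extraNN]` tag attributes this finding to the wrong check. Since the commit is already touching the metadata block of every check file, correcting it here costs nothing: `CHECK_TITLE_extra76="[extra76] Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)"`.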
@@ -10,10 +10,10 @@
 # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
-
 CHECK_ID_extra77="7.7,7.07"
 CHECK_TITLE_extra77="[extra77] Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra77="NOT_SCORED"
+CHECK_TYPE_extra77="EXTRA"
 CHECK_ALTERNATE_extra707="extra77"
 CHECK_ALTERNATE_check77="extra77"
 CHECK_ALTERNATE_check707="extra77"
diff --git a/checks/check_extra78 b/checks/check_extra78
index 0b0802cb..681b4d0b 100644
--- a/checks/check_extra78
+++ b/checks/check_extra78
@@ -13,6 +13,7 @@ CHECK_ID_extra78="7.8,7.08"
 CHECK_TITLE_extra78="[extra78] Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra78="NOT_SCORED"
+CHECK_TYPE_extra78="EXTRA"
 CHECK_ALTERNATE_extra708="extra78"
 CHECK_ALTERNATE_check78="extra78"
 CHECK_ALTERNATE_check708="extra78"
diff --git a/checks/check_extra79 b/checks/check_extra79
index d3ee4b1d..e45e5ddc 100644
--- a/checks/check_extra79
+++ b/checks/check_extra79
@@ -13,6 +13,7 @@ CHECK_ID_extra79="7.9,7.09"
 CHECK_TITLE_extra79="[extra79] Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra79="NOT_SCORED"
+CHECK_TYPE_extra79="EXTRA"
 CHECK_ALTERNATE_extra709="extra79"
 CHECK_ALTERNATE_check79="extra79"
 CHECK_ALTERNATE_check709="extra79"
From fbd82a8dca7474fb709230d6c0de8f4cb379d448 Mon Sep 17 00:00:00 2001
From: MrSecure
Date: Tue, 24 Apr 2018 21:27:38 -0700
Subject: [PATCH 6/7] fix typo setting CHECK TYPE for 3.11
---
 checks/check311 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/checks/check311 b/checks/check311
index 403bb5f0..14a65a61 100644
--- a/checks/check311
+++ b/checks/check311
@@ -11,7 +11,7 @@ CHECK_ID_check311="3.11"
 CHECK_TITLE_check311="[check311] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)"
 CHECK_SCORED_check311="SCORED"
-CHECK_TYPE_check=311"LEVEL2"
+CHECK_TYPE_check311="LEVEL2"
 CHECK_ALTERNATE_check311="check311"
 check311(){
From 00df2c0d0a108a6caed9bd5a35a9cb5e4c1b5905 Mon Sep 17 00:00:00 2001
From: MrSecure
Date: Fri, 27 Apr 2018 12:37:56 -0500
Subject: [PATCH 7/7] ensure credential report is available before running any checks
---
 prowler | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/prowler b/prowler
index cb308838..6434016a 100755
--- a/prowler
+++ b/prowler
@@ -263,6 +263,11 @@ fi
 # Gather account data / test aws cli connectivity
 getWhoami
+# Generate the credential report, regardless of which checks we run
+# so that the checks can safely assume it's available
+genCredReport
+saveReport
+
 # Execute single check if called with -c
 if [[ $CHECK_ID ]];then
 execute_check $CHECK_ID
@@ -287,8 +292,6 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then
 exit $EXITCODE
 fi
-genCredReport
-saveReport
 execute_all
 cleanTemp
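Review bot: The removed line `CHECK_TYPE_check=311"LEVEL2"` was itself a syntactically valid assignment (a variable named CHECK_TYPE_check set to the string 311LEVEL2), so bash sourced it without complaint and nothing in the check loader would have reported that check311 had no type; the same slip in any other check file will still go unnoticed after this fix. A cheap guard is a lint such as `grep -L 'CHECK_TYPE_[a-z0-9]*="' checks/check*` in CI, which lists files lacking a well-formed type assignment, or an assertion in the dispatcher that the expected `CHECK_TYPE_<id>` variable is non-empty before the check runs. The dispatcher is outside this hunk, so I cannot tell whether it already validates this.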
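Review bot: The relocated `genCredReport` and `saveReport` calls now run ahead of the `PRINTCHECKSONLY` early exit in the second hunk, so merely listing checks generates — and, presumably, persists via `saveReport` — an IAM credential report that the listing never consumes; that report enumerates every IAM user with password, access-key and MFA status, so it is best produced only when a check will read it. Guarding the pair, `if [[ $PRINTCHECKSONLY != "1" ]]; then genCredReport; saveReport; fi`, keeps it ahead of the `-c` single-check path as the commit intends while leaving the list-only path as it was. The commit's stated guarantee that the report is available also depends on `genCredReport` not failing silently; its exit status is not examined here and its body is outside the hunk, so a `genCredReport || exit 1` style check is worth confirming there.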