From d101e2b3bf2ac83808d8583bdd793ca9a26760d0 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Fri, 9 Feb 2018 19:57:54 -0500
Subject: [PATCH] Added new check extra719 route53 query logging

---
 README.md | 4 +++-
 prowler | 27 +++++++++++++++++++++++++--
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index ade71fcc..bd0e2090 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ It covers hardening and security best practices for all AWS regions related to:
 - Logging (8 checks)
 - Monitoring (15 checks)
 - Networking (5 checks)
-- Extras (18 checks) *see Extras section
+- Extras (19 checks) *see Extras section
 - Forensics related checks
 
 For a comprehesive list and resolution look at the guide on the link above.
@@ -346,6 +346,7 @@ At this moment we have 16 extra checks:
 - 7.16 (`extra716`) Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)
 - 7.17 (`extra717`) Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)
 - 7.18 (`extra718`) Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)
+- 7.19 (`extra719`) Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)
 
 To check all extras in one command:
 
@@ -374,6 +375,7 @@ With this group of checks, Prowler looks if each service with logging or audit c
 - 7.15 Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)
 - 7.17 Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)
 - 7.18 Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)
+- 7.19 Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)
 
 The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command:
 ```
diff --git a/prowler b/prowler
index 0b91f640..f9162adb 100755
--- a/prowler
+++ b/prowler
@@ -504,6 +504,8 @@ ID717="7.17,7.17"
 TITLE717="Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
 ID718="7.18,7.18"
 TITLE718="Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
+ID719="7.19,7.19"
+TITLE719="Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)"
 
 printCsvHeader() {
 >&2 echo ""
@@ -2029,6 +2031,24 @@ extra718(){
 fi
 }
 
+extra719(){
+ # "Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)"
+ textTitle "$ID719" "$TITLE719" "NOT_SCORED" "EXTRA"
+ LIST_OF_HOSTED_ZONES=$($AWSCLI route53 list-hosted-zones $PROFILE_OPT --query HostedZones[*].Id --output text|xargs -n1)
+ if [[ $LIST_OF_HOSTED_ZONES ]]; then
+ for hostedzoneid in $LIST_OF_HOSTED_ZONES;do
+ HOSTED_ZONE_QUERY_LOG_ENABLED=$($AWSCLI route53 list-query-logging-configs --hosted-zone-id $hostedzoneid $PROFILE_OPT --query QueryLoggingConfigs[*].CloudWatchLogsLogGroupArn --output text|cut -d: -f7)
+ if [[ $HOSTED_ZONE_QUERY_LOG_ENABLED ]];then
+ textOK "Route53 hosted zone Id $hostedzoneid has query logging enabled in Log Group $HOSTED_ZONE_QUERY_LOG_ENABLED"
+ else
+ textWarn "Route53 hosted zone Id $hostedzoneid has query logging disabled!"
+ fi
+ done
+ else
+ textNotice "No Route53 hosted zones found"
+ fi
+}
+
 callCheck(){
 if [[ $CHECKNUMBER ]];then
 case "$CHECKNUMBER" in
@@ -2102,6 +2122,7 @@ callCheck(){
 extra716|extra716 ) extra716;;
 extra717|extra717 ) extra717;;
 extra718|extra718 ) extra718;;
+ extra719|extra719 ) extra719;;
 
 ## Groups of Checks
 check1 )
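Review bot: In extra719 an API error is indistinguishable from a finding: when `list-query-logging-configs` fails (for example on a missing route53:ListQueryLoggingConfigs permission, whose message goes to stderr) the substitution is empty and the zone is reported as `query logging disabled!`, and when `list-hosted-zones` fails the check prints `No Route53 hosted zones found`, so a scan can look clean or raise false warnings without the operator knowing the call never succeeded. Both substitutions end in a filter (`xargs -n1`, `cut -d: -f7`), so the status the shell sees is the filter's; unless the script already runs with `set -o pipefail` (not visible here) the aws exit code has to be captured before piping. For the per-zone call that is two lines: `HOSTED_ZONE_QUERY_LOG_ARN=$($AWSCLI route53 list-query-logging-configs --hosted-zone-id $hostedzoneid $PROFILE_OPT --query QueryLoggingConfigs[*].CloudWatchLogsLogGroupArn --output text) || { textNotice "Could not read query logging configs for hosted zone $hostedzoneid"; continue; }` followed by `HOSTED_ZONE_QUERY_LOG_ENABLED=$(echo "$HOSTED_ZONE_QUERY_LOG_ARN" | cut -d: -f7)`. The same shape applies to LIST_OF_HOSTED_ZONES with a `return` in place of `continue`, so that a permission problem is reported as a notice rather than as an absence of hosted zones. The function is wholly inside the hunk; the dispatch and group-list hunks that wire it up need no change.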
@@ -2139,12 +2160,12 @@ callCheck(){
 extras )
 extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78;
 extra79;extra710;extra711;extra712;extra713;extra714;extra715;extra716;
- extra717;extra718
+ extra717;extra718;extra719
 ;;
 forensics-ready )
 check21;check22;check23;check24;check25;check26;check27;
 check43;
- extra712;extra713;extra714;extra715;extra717;extra718
+ extra712;extra713;extra714;extra715;extra717;extra718;extra719
 ;;
 * )
 textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";
@@ -2233,6 +2254,7 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then
 textTitle "$ID716" "$TITLE716" "NOT_SCORED" "EXTRA"
 textTitle "$ID717" "$TITLE717" "NOT_SCORED" "EXTRA"
 textTitle "$ID718" "$TITLE718" "NOT_SCORED" "EXTRA"
+ textTitle "$ID719" "$TITLE719" "NOT_SCORED" "EXTRA"
 exit $EXITCODE
 fi
 
@@ -2327,6 +2349,7 @@ extra715
 extra716
 extra717
 extra718
+extra719
 
 cleanTemp
 exit $EXITCODE