From da0f26694418b1d9fae2c2b76d08a20a8ddabed6 Mon Sep 17 00:00:00 2001 
From: Toni de la Fuente Date: Fri, 23 Mar 2018 19:26:10 -0400 Subject: [PATCH] first semi functional v2 --- checks/check11 | 1 - checks/check110 | 9 +++---- checks/check111 | 9 +++---- checks/check112 | 11 ++++---- checks/check113 | 9 +++---- checks/check114 | 9 +++---- checks/check115 | 9 +++---- checks/check116 | 9 +++---- checks/check117 | 9 +++---- checks/check118 | 9 +++---- checks/check119 | 9 +++---- checks/check12 | 1 - checks/check120 | 9 +++---- checks/check121 | 9 +++---- checks/check122 | 9 +++---- checks/check123 | 11 ++++---- checks/check124 | 9 +++---- checks/check13 | 14 +++++----- checks/check14 | 11 ++++---- checks/check15 | 11 ++++---- checks/check16 | 9 +++---- checks/check17 | 11 ++++---- checks/check18 | 11 ++++---- checks/check19 | 11 ++++---- checks/check21 | 11 ++++---- checks/check22 | 11 ++++---- checks/check23 | 11 ++++---- checks/check24 | 11 ++++---- checks/check25 | 11 ++++---- checks/check26 | 11 ++++---- checks/check27 | 11 ++++---- checks/check28 | 11 ++++---- checks/check31 | 11 ++++---- checks/check310 | 11 ++++---- checks/check311 | 11 ++++---- checks/check312 | 11 ++++---- checks/check313 | 11 ++++---- checks/check314 | 11 ++++---- checks/check315 | 11 ++++---- checks/check32 | 11 ++++---- checks/check33 | 11 ++++---- checks/check34 | 11 ++++---- checks/check35 | 11 ++++---- checks/check36 | 11 ++++---- checks/check37 | 11 ++++---- checks/check38 | 11 ++++---- checks/check39 | 11 ++++---- checks/check41 | 11 ++++---- checks/check42 | 11 ++++---- checks/check43 | 11 ++++---- checks/check44 | 11 ++++---- checks/check45 | 11 ++++---- checks/check_extra71 | 15 +++++------ checks/check_extra710 | 12 ++++----- checks/check_extra711 | 12 ++++----- checks/check_extra712 | 12 ++++----- checks/check_extra713 | 12 ++++----- checks/check_extra714 | 12 ++++----- checks/check_extra715 | 13 +++++----- checks/check_extra716 | 12 ++++----- checks/check_extra717 | 12 ++++----- checks/check_extra718 | 12 ++++----- checks/check_extra719 | 12 
++++-----
checks/check_extra72 | 13 +++++-----
checks/check_extra720 | 12 ++++-----
checks/check_extra721 | 12 ++++-----
checks/check_extra722 | 12 ++++-----
checks/check_extra723 | 12 ++++-----
checks/check_extra73 | 13 +++++-----
checks/check_extra74 | 13 +++++-----
checks/check_extra75 | 13 +++++-----
checks/check_extra76 | 13 +++++-----
checks/check_extra77 | 13 +++++-----
checks/check_extra78 | 13 +++++-----
checks/check_extra79 | 13 +++++-----
groups/group0_init | 6 +++++
groups/group1_iam | 10 +++----
groups/group2_logging | 10 +++----
groups/group3_monitoring | 10 +++----
groups/group5_cislevel1 | 10 +++----
groups/group6_cislevel2 | 10 +++----
groups/group7_extras | 10 +++----
groups/group8_forensics | 10 +++----
groups/groupN_sample | 10 +++----
lll | 2 --
prowler2 | 56 +++++++++++++++-------------------------
86 files changed, 451 insertions(+), 508 deletions(-)
create mode 100644 groups/group0_init
delete mode 100644 lll
diff --git a/checks/check11 b/checks/check11
index deee3ed5..07ea5c2c 100644
--- a/checks/check11
+++ b/checks/check11
@@ -1,7 +1,6 @@
 CHECK_ID_check11="1.1,1.01"
 CHECK_TITLE_check11="Avoid the use of the root account (Scored)"
 CHECK_SCORED_check11="SCORED"
-CHECK_TYPE_check11="LEVEL1"
 CHECK_ALTERNATE_check101="check11"
 
 check11(){
diff --git a/checks/check110 b/checks/check110
index 3de5513a..b016c23b 100644
--- a/checks/check110
+++ b/checks/check110
@@ -1,9 +1,8 @@
-CHECK_ID_check110=""
-CHECK_TITLE_check110=""
-CHECK_SCORED_check110=""
-CHECK_TYPE_check110=""
+CHECK_ID_check110="1.10"
+CHECK_TITLE_check110="Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
+CHECK_SCORED_check110="SCORED"
 CHECK_ALTERNATE_check110="check110"
-
+
 check110(){
 # "Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
 COMMAND110=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --query 'PasswordPolicy.PasswordReusePrevention' --output text 2> /dev/null)
diff --git a/checks/check111 b/checks/check111 index 8348e4b4..b78f2adc 100644 --- a/checks/check111 +++ b/checks/check111 @@ -1,9 +1,8 @@ -CHECK_ID_check111="" -CHECK_TITLE_check111="" -CHECK_SCORED_check111="" -CHECK_TYPE_check111="" +CHECK_ID_check111="1.11" +CHECK_TITLE_check111="Ensure IAM password policy expires passwords within 90 days or less (Scored)" +CHECK_SCORED_check111="SCORED" CHECK_ALTERNATE_check111="check111" - + check111(){ # "Ensure IAM password policy expires passwords within 90 days or less (Scored)" COMMAND111=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json | grep MaxPasswordAge | awk -F: '{ print $2 }'|sed 's/\ //g'|sed 's/,/ /g' 2> /dev/null) diff --git a/checks/check112 b/checks/check112 index c1e85c3f..dc2682f9 100644 --- a/checks/check112 +++ b/checks/check112 @@ -1,9 +1,8 @@ -CHECK_ID_check112="" -CHECK_TITLE_check112="" -CHECK_SCORED_check112="" -CHECK_TYPE_check112="" -CHECK_ALTERNATE_check112="check112" - +CHECK_ID_check112="1.12" +CHECK_TITLE_check112="Ensure no root account access key exists (Scored)" +CHECK_SCORED_check112="SCORED" +CHECK_ALTERNATE_check112="check112" + check112(){ # "Ensure no root account access key exists (Scored)" # ensure the access_key_1_active and access_key_2_active fields are set to FALSE. diff --git a/checks/check113 b/checks/check113 index 83985785..e6992d55 100644 --- a/checks/check113 +++ b/checks/check113 @@ -1,9 +1,8 @@ -CHECK_ID_check113="" -CHECK_TITLE_check113="" -CHECK_SCORED_check113="" -CHECK_TYPE_check113="" +CHECK_ID_check113="1.13" +CHECK_TITLE_check113="Ensure MFA is enabled for the root account (Scored)" +CHECK_SCORED_check113="SCORED" CHECK_ALTERNATE_check113="check113" - + check113(){ # "Ensure MFA is enabled for the root account (Scored)" COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled') diff --git a/checks/check114 b/checks/check114 index 8fae9dcb..cf1d7b06 100644 
--- a/checks/check114 +++ b/checks/check114 @@ -1,9 +1,8 @@ -CHECK_ID_check114="" -CHECK_TITLE_check114="" -CHECK_SCORED_check114="" -CHECK_TYPE_check114="" +CHECK_ID_check114="1.14" +CHECK_TITLE_check114="Ensure hardware MFA is enabled for the root account (Scored)" +CHECK_SCORED_check114="SCORED" CHECK_ALTERNATE_check114="check114" - + check114(){ # "Ensure hardware MFA is enabled for the root account (Scored)" COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled') diff --git a/checks/check115 b/checks/check115 index 95128057..13b0bc89 100644 --- a/checks/check115 +++ b/checks/check115 @@ -1,9 +1,8 @@ -CHECK_ID_check115="" -CHECK_TITLE_check115="" -CHECK_SCORED_check115="" -CHECK_TYPE_check115="" +CHECK_ID_check115="1.15" +CHECK_TITLE_check115="Ensure security questions are registered in the AWS account (Not Scored)" +CHECK_SCORED_check115="SCORED" CHECK_ALTERNATE_check115="check115" - + check115(){ # "Ensure security questions are registered in the AWS account (Not Scored)" textTitle "$ID115" "$TITLE115" "NOT_SCORED" "LEVEL2" diff --git a/checks/check116 b/checks/check116 index 5df186fc..c6afa34b 100644 --- a/checks/check116 +++ b/checks/check116 @@ -1,9 +1,8 @@ -CHECK_ID_check116="" -CHECK_TITLE_check116="" -CHECK_SCORED_check116="" -CHECK_TYPE_check116="" +CHECK_ID_check116="1.16" +CHECK_TITLE_check116="Ensure IAM policies are attached only to groups or roles (Scored)" +CHECK_SCORED_check116="SCORED" CHECK_ALTERNATE_check116="check116" - + check116(){ # "Ensure IAM policies are attached only to groups or roles (Scored)" textTitle "$ID116" "$TITLE116" "SCORED" "LEVEL1" diff --git a/checks/check117 b/checks/check117 index 4badfe9a..e37c9f6b 100644 --- a/checks/check117 +++ b/checks/check117 
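Review bot: The only command visible in this hunk, `COMMAND113=$($AWSCLI iam get-account-summary ... --query 'SummaryMap.AccountMFAEnabled')`, cannot establish the hardware-MFA property that the new `CHECK_TITLE_check114` claims, because `AccountMFAEnabled` reports 1 for a virtual MFA device just as for a hardware token. To tell them apart the check also has to confirm that no virtual device is assigned to the root principal, e.g. by running `aws iam list-virtual-mfa-devices --assignment-status Assigned` and failing when an entry whose `User.Arn` is the account root appears. The variable is also named `COMMAND113` inside `check114`; if the rest of the function reads `COMMAND114`, the comparison runs against an unset value, so it should be renamed to match. check114's body continues outside the hunk.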
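Review bot: `CHECK_SCORED_check115="SCORED"` contradicts both the title directly above it, which ends in "(Not Scored)", and the `textTitle "$ID115" "$TITLE115" "NOT_SCORED" "LEVEL2"` call two lines below, so any reporting or filtering driven by the new metadata will classify this control as scored while the rendered output says the opposite. It should read `CHECK_SCORED_check115="NOT_SCORED"`, which is how this same commit labels check121, check123 and check45. check115's body continues outside the hunk.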
@@ -1,9 +1,8 @@ -CHECK_ID_check117="" -CHECK_TITLE_check117="" -CHECK_SCORED_check117="" -CHECK_TYPE_check117="" +CHECK_ID_check117="1.17" +CHECK_TITLE_check117="Enable detailed billing (Scored)" +CHECK_SCORED_check117="SCORED" CHECK_ALTERNATE_check117="check117" - + check117(){ # "Enable detailed billing (Scored)" # No command available diff --git a/checks/check118 b/checks/check118 index d81bb6ad..a3d0537a 100644 --- a/checks/check118 +++ b/checks/check118 @@ -1,9 +1,8 @@ -CHECK_ID_check118="" -CHECK_TITLE_check118="" -CHECK_SCORED_check118="" -CHECK_TYPE_check118="" +CHECK_ID_check118="1.18" +CHECK_TITLE_check118="Ensure IAM Master and IAM Manager roles are active (Scored)" +CHECK_SCORED_check118="SCORED" CHECK_ALTERNATE_check118="check118" - + check118(){ # "Ensure IAM Master and IAM Manager roles are active (Scored)" textTitle "$ID118" "$TITLE118" "SCORED" "LEVEL1" diff --git a/checks/check119 b/checks/check119 index c1095b3d..b4fe37d5 100644 --- a/checks/check119 +++ b/checks/check119 @@ -1,9 +1,8 @@ -CHECK_ID_check119="" -CHECK_TITLE_check119="" -CHECK_SCORED_check119="" -CHECK_TYPE_check119="" +CHECK_ID_check119="1.19" +CHECK_TITLE_check119="Maintain current contact details (Scored)" +CHECK_SCORED_check119="SCORED" CHECK_ALTERNATE_check119="check119" - + check119(){ # "Maintain current contact details (Scored)" # No command available diff --git a/checks/check12 b/checks/check12 index 638e29d9..62f803df 100644 --- a/checks/check12 +++ b/checks/check12 @@ -1,7 +1,6 @@ CHECK_ID_check12="1.2,1.02" CHECK_TITLE_check12="Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)" CHECK_SCORED_check12="SCORED" -CHECK_TYPE_check12="LEVEL1" CHECK_ALTERNATE_check102="check12" check12(){ diff --git a/checks/check120 b/checks/check120 index d319f64d..20de93c3 100644 --- a/checks/check120 +++ b/checks/check120 
@@ -1,9 +1,8 @@ -CHECK_ID_check120="" -CHECK_TITLE_check120="" -CHECK_SCORED_check120="" -CHECK_TYPE_check120="" +CHECK_ID_check120="1.20" +CHECK_TITLE_check120="Ensure security contact information is registered (Scored)" +CHECK_SCORED_check120="SCORED" CHECK_ALTERNATE_check120="check120" - + check120(){ # "Ensure security contact information is registered (Scored)" # No command available diff --git a/checks/check121 b/checks/check121 index fc0f048f..d593576b 100644 --- a/checks/check121 +++ b/checks/check121 @@ -1,9 +1,8 @@ -CHECK_ID_check121="" -CHECK_TITLE_check121="" -CHECK_SCORED_check121="" -CHECK_TYPE_check121="" +CHECK_ID_check121="1.21" +CHECK_TITLE_check121="Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)" +CHECK_SCORED_check121="NOT_SCORED" CHECK_ALTERNATE_check121="check121" - + check121(){ # "Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)" textTitle "$ID121" "$TITLE121" "NOT_SCORED" "LEVEL2" diff --git a/checks/check122 b/checks/check122 index aa5117c4..0cea82df 100644 --- a/checks/check122 +++ b/checks/check122 @@ -1,9 +1,8 @@ -CHECK_ID_check122="" -CHECK_TITLE_check122="" -CHECK_SCORED_check122="" -CHECK_TYPE_check122="" +CHECK_ID_check122="1.22" +CHECK_TITLE_check122="Ensure a support role has been created to manage incidents with AWS Support (Scored)" +CHECK_SCORED_check122="SCORED" CHECK_ALTERNATE_check122="check122" - + check122(){ # "Ensure a support role has been created to manage incidents with AWS Support (Scored)" textTitle "$ID122" "$TITLE122" "SCORED" "LEVEL1" diff --git a/checks/check123 b/checks/check123 index b4624896..6cdda330 100644 --- a/checks/check123 +++ b/checks/check123 
@@ -1,9 +1,8 @@ -CHECK_ID_check123="" -CHECK_TITLE_check123="" -CHECK_SCORED_check123="" -CHECK_TYPE_check123="" -CHECK_ALTERNATE_check123="check123" - +CHECK_ID_check123="1.23" +CHECK_TITLE_check123="Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)" +CHECK_SCORED_check123="NOT_SCORED" +CHECK_ALTERNATE_check123="check123" + check123(){ # "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)" textTitle "$ID123" "$TITLE123" "NOT_SCORED" "LEVEL1" diff --git a/checks/check124 b/checks/check124 index d5635f20..95e1eaf0 100644 --- a/checks/check124 +++ b/checks/check124 @@ -1,9 +1,8 @@ -CHECK_ID_check124="" -CHECK_TITLE_check124="" -CHECK_SCORED_check124="" -CHECK_TYPE_check124="" +CHECK_ID_check124="1.24" +CHECK_TITLE_check124="Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)" +CHECK_SCORED_check124="SCORED" CHECK_ALTERNATE_check124="check124" - + check124(){ # "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)" textTitle "$ID124" "$TITLE124" "SCORED" "LEVEL1" diff --git a/checks/check13 b/checks/check13 index a981b900..154dad3b 100644 --- a/checks/check13 +++ b/checks/check13 @@ -1,9 +1,8 @@ -CHECK_ID_check13="" -CHECK_TITLE_check13="" -CHECK_SCORED_check13="" -CHECK_TYPE_check13="" -CHECK_ALTERNATE_check13="check13" - +CHECK_ID_check13="1.3,1.03" +CHECK_TITLE_check13="Ensure credentials unused for 90 days or greater are disabled (Scored)" +CHECK_SCORED_check13="SCORED" +CHECK_ALTERNATE_check103="check13" + check13(){ # "Ensure credentials unused for 90 days or greater are disabled (Scored)" textTitle "$ID13" "$TITLE13" "SCORED" "LEVEL1" 
@@ -11,8 +10,7 @@ check13(){ if [[ $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED ]]; then COMMAND13=$( for i in $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED; do - cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$5 }' |grep $i| awk '{ print $1 }'|tr ' -' ' '; + cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$5 }' |grep $i| awk '{ print $1 }'|tr '\n' ' '; done) # list of users that have used password USERS_PASSWORD_USED=$($AWSCLI iam list-users --query "Users[?PasswordLastUsed].UserName" --output text $PROFILE_OPT --region $REGION) diff --git a/checks/check14 b/checks/check14 index 129b69f7..0a1d4a02 100644 --- a/checks/check14 +++ b/checks/check14 @@ -1,9 +1,8 @@ -CHECK_ID_check14="" -CHECK_TITLE_check14="" -CHECK_SCORED_check14="" -CHECK_TYPE_check14="" -CHECK_ALTERNATE_check14="check14" - +CHECK_ID_check14="1.4,1.04" +CHECK_TITLE_check14="Ensure access keys are rotated every 90 days or less (Scored)" +CHECK_SCORED_check14="SCORED" +CHECK_ALTERNATE_check104="check14" + check14(){ # "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey LIST_OF_USERS_WITH_ACCESS_KEY1=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $9 }' |grep "\ true" | awk '{ print $1 }') diff --git a/checks/check15 b/checks/check15 index 9ef12a6b..0cb0b235 100644 --- a/checks/check15 +++ b/checks/check15 @@ -1,9 +1,8 @@ -CHECK_ID_check15="" -CHECK_TITLE_check15="" -CHECK_SCORED_check15="" -CHECK_TYPE_check15="" -CHECK_ALTERNATE_check15="check15" - +CHECK_ID_check15="1.5,1.05" +CHECK_TITLE_check15="Ensure IAM password policy requires at least one uppercase letter (Scored)" +CHECK_SCORED_check15="SCORED" +CHECK_ALTERNATE_check105="check15" + check15(){ # "Ensure IAM password policy requires at least one uppercase letter (Scored)" COMMAND15=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireUppercaseCharacters' 2> /dev/null) # must be true 
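Review bot: The rewritten line still selects report rows with an unanchored, unquoted `grep $i`, so the IAM user name is treated as a regular expression and as a substring: a user `bob` also matches `bobby`, and names containing `.` or `+` (both legal in IAM user names) match unrelated rows, which can make a credential unused for 90 days look recently used or the reverse. Match the first CSV field exactly instead, e.g. `awk -F, -v u="$i" '$1 == u { print $1 }' "$TEMP_REPORT_FILE" | tr '\n' ' ';`, which also quotes `$TEMP_REPORT_FILE` and drops the `cat`. The switch to `tr '\n' ' '` is correct, but `$COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED` appears to be populated by a different check, so the `if` silently evaluates nothing when check13 runs alone; a comment such as `# relies on the user list built by check12; empty if that check did not run` would make the dependency visible. check13's body continues outside the hunk.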
diff --git a/checks/check16 b/checks/check16 index 5562a6ea..255d4780 100644 --- a/checks/check16 +++ b/checks/check16 @@ -1,8 +1,7 @@ -CHECK_ID_check16="" -CHECK_TITLE_check16="" -CHECK_SCORED_check16="" -CHECK_TYPE_check16="" -CHECK_ALTERNATE_check16="check16" +CHECK_ID_check16="1.6,1.06" +CHECK_TITLE_check16="Ensure IAM password policy require at least one lowercase letter (Scored)" +CHECK_SCORED_check16="SCORED" +CHECK_ALTERNATE_check106="check16" check16(){ # "Ensure IAM password policy require at least one lowercase letter (Scored)" diff --git a/checks/check17 b/checks/check17 index 97162b44..c031f187 100644 --- a/checks/check17 +++ b/checks/check17 @@ -1,9 +1,8 @@ -CHECK_ID_check17="" -CHECK_TITLE_check17="" -CHECK_SCORED_check17="" -CHECK_TYPE_check17="" -CHECK_ALTERNATE_check17="check17" - +CHECK_ID_check17="1.7,1.07" +CHECK_TITLE_check17="Ensure IAM password policy require at least one symbol (Scored)" +CHECK_SCORED_check17="SCORED" +CHECK_ALTERNATE_check107="check17" + check17(){ # "Ensure IAM password policy require at least one symbol (Scored)" COMMAND17=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireSymbols' 2> /dev/null) # must be true diff --git a/checks/check18 b/checks/check18 index 48bf56e0..f2acba9f 100644 --- a/checks/check18 +++ b/checks/check18 @@ -1,9 +1,8 @@ -CHECK_ID_check18="" -CHECK_TITLE_check18="" -CHECK_SCORED_check18="" -CHECK_TYPE_check18="" -CHECK_ALTERNATE_check18="check18" - +CHECK_ID_check18="1.8,1.08" +CHECK_TITLE_check18="Ensure IAM password policy require at least one number (Scored)" +CHECK_SCORED_check18="SCORED" +CHECK_ALTERNATE_check18="check18" + check18(){ # "Ensure IAM password policy require at least one number (Scored)" COMMAND18=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireNumbers' 2> /dev/null) # must be true 
diff --git a/checks/check19 b/checks/check19 index f4e56471..1c20e6d8 100644 --- a/checks/check19 +++ b/checks/check19 @@ -1,9 +1,8 @@ -CHECK_ID_check19="" -CHECK_TITLE_check19="" -CHECK_SCORED_check19="" -CHECK_TYPE_check19="" -CHECK_ALTERNATE_check19="check19" - +CHECK_ID_check19="1.9,1.09" +CHECK_TITLE_check19="Ensure IAM password policy requires minimum length of 14 or greater (Scored)" +CHECK_SCORED_check19="SCORED" +CHECK_ALTERNATE_check109="check19" + check19(){ # "Ensure IAM password policy requires minimum length of 14 or greater (Scored)" COMMAND19=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.MinimumPasswordLength' 2> /dev/null) diff --git a/checks/check21 b/checks/check21 index 627b738b..58056d0b 100644 --- a/checks/check21 +++ b/checks/check21 @@ -1,9 +1,8 @@ -CHECK_ID_check21="" -CHECK_TITLE_check21="" -CHECK_SCORED_check21="" -CHECK_TYPE_check21="" -CHECK_ALTERNATE_check21="check21" - +CHECK_ID_check21="2.1,2.01" +CHECK_TITLE_check21="Ensure CloudTrail is enabled in all regions (Scored)" +CHECK_SCORED_check21="SCORED" +CHECK_ALTERNATE_check201="check21" + check21(){ # "Ensure CloudTrail is enabled in all regions (Scored)" textTitle "$ID21" "$TITLE21" "SCORED" "LEVEL1" diff --git a/checks/check22 b/checks/check22 index 55a9c9b6..36c1514f 100644 --- a/checks/check22 +++ b/checks/check22 @@ -1,9 +1,8 @@ -CHECK_ID_check22="" -CHECK_TITLE_check22="" -CHECK_SCORED_check22="" -CHECK_TYPE_check22="" -CHECK_ALTERNATE_check22="check22" - +CHECK_ID_check22="2.2,2.02" +CHECK_TITLE_check22="Ensure CloudTrail log file validation is enabled (Scored)" +CHECK_SCORED_check22="SCORED" +CHECK_ALTERNATE_check202="check22" + check22(){ # "Ensure CloudTrail log file validation is enabled (Scored)" textTitle "$ID22" "$TITLE22" "SCORED" "LEVEL2" diff --git a/checks/check23 b/checks/check23 index b06dbc05..4306145e 100644 --- a/checks/check23 +++ b/checks/check23 
@@ -1,9 +1,8 @@ -CHECK_ID_check23="" -CHECK_TITLE_check23="" -CHECK_SCORED_check23="" -CHECK_TYPE_check23="" -CHECK_ALTERNATE_check23="check23" - +CHECK_ID_check23="2.3,2.03" +CHECK_TITLE_check23="Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)" +CHECK_SCORED_check23="SCORED" +CHECK_ALTERNATE_check203="check23" + check23(){ # "Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)" textTitle "$ID23" "$TITLE23" "SCORED" "LEVEL1" diff --git a/checks/check24 b/checks/check24 index 95f22f79..690f572b 100644 --- a/checks/check24 +++ b/checks/check24 @@ -1,9 +1,8 @@ -CHECK_ID_check24="" -CHECK_TITLE_check24="" -CHECK_SCORED_check24="" -CHECK_TYPE_check24="" -CHECK_ALTERNATE_check24="check24" - +CHECK_ID_check24="2.4,2.04" +CHECK_TITLE_check24="Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)" +CHECK_SCORED_check24="SCORED" +CHECK_ALTERNATE_check204="check24" + check24(){ # "Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)" textTitle "$ID24" "$TITLE24" "SCORED" "LEVEL1" diff --git a/checks/check25 b/checks/check25 index b6c9cff5..b97adefc 100644 --- a/checks/check25 +++ b/checks/check25 @@ -1,9 +1,8 @@ -CHECK_ID_check25="" -CHECK_TITLE_check25="" -CHECK_SCORED_check25="" -CHECK_TYPE_check25="" -CHECK_ALTERNATE_check25="check25" - +CHECK_ID_check25="2.5,2.05" +CHECK_TITLE_check25="Ensure AWS Config is enabled in all regions (Scored)" +CHECK_SCORED_check25="SCORED" +CHECK_ALTERNATE_check205="check25" + check25(){ # "Ensure AWS Config is enabled in all regions (Scored)" textTitle "$ID25" "$TITLE25" "SCORED" "LEVEL1" diff --git a/checks/check26 b/checks/check26 index 7158da61..33f68e90 100644 --- a/checks/check26 +++ b/checks/check26 
@@ -1,9 +1,8 @@ -CHECK_ID_check26="" -CHECK_TITLE_check26="" -CHECK_SCORED_check26="" -CHECK_TYPE_check26="" -CHECK_ALTERNATE_check26="check26" - +CHECK_ID_check26="2.6,2.06" +CHECK_TITLE_check26="Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)" +CHECK_SCORED_check26="SCORED" +CHECK_ALTERNATE_check206="check26" + check26(){ # "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)" textTitle "$ID26" "$TITLE26" "SCORED" "LEVEL1" diff --git a/checks/check27 b/checks/check27 index 0106ad70..f0feff85 100644 --- a/checks/check27 +++ b/checks/check27 @@ -1,9 +1,8 @@ -CHECK_ID_check27="" -CHECK_TITLE_check27="" -CHECK_SCORED_check27="" -CHECK_TYPE_check27="" -CHECK_ALTERNATE_check27="check27" - +CHECK_ID_check27="2.7,2.07" +CHECK_TITLE_check27="Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)" +CHECK_SCORED_check27="SCORED" +CHECK_ALTERNATE_check207="check27" + check27(){ # "Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)" textTitle "$ID27" "$TITLE27" "SCORED" "LEVEL2" diff --git a/checks/check28 b/checks/check28 index 56cd89a2..fa0b0a4d 100644 --- a/checks/check28 +++ b/checks/check28 @@ -1,9 +1,8 @@ -CHECK_ID_check28="" -CHECK_TITLE_check28="" -CHECK_SCORED_check28="" -CHECK_TYPE_check28="" -CHECK_ALTERNATE_check28="check28" - +CHECK_ID_check28="2.8,2.08" +CHECK_TITLE_check28="Ensure rotation for customer created CMKs is enabled (Scored)" +CHECK_SCORED_check28="SCORED" +CHECK_ALTERNATE_check208="check28" + check28(){ # "Ensure rotation for customer created CMKs is enabled (Scored)" textTitle "$ID28" "$TITLE28" "SCORED" "LEVEL2" diff --git a/checks/check31 b/checks/check31 index 59ae384b..4ca73f40 100644 --- a/checks/check31 +++ b/checks/check31 
@@ -1,9 +1,8 @@ -CHECK_ID_check31="" -CHECK_TITLE_check31="" -CHECK_SCORED_check31="" -CHECK_TYPE_check31="" -CHECK_ALTERNATE_check31="check31" - +CHECK_ID_check31="3.1,3.01" +CHECK_TITLE_check31="Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)" +CHECK_SCORED_check31="SCORED" +CHECK_ALTERNATE_check301="check31" + check31(){ # "Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)" textTitle "$ID31" "$TITLE31" "SCORED" "LEVEL1" diff --git a/checks/check310 b/checks/check310 index 9860acdc..a28a76a3 100644 --- a/checks/check310 +++ b/checks/check310 @@ -1,9 +1,8 @@ -CHECK_ID_check310="" -CHECK_TITLE_check310="" -CHECK_SCORED_check310="" -CHECK_TYPE_check310="" -CHECK_ALTERNATE_check310="check310" - +CHECK_ID_check310="3.10" +CHECK_TITLE_check310="Ensure a log metric filter and alarm exist for security group changes (Scored)" +CHECK_SCORED_check310="SCORED" +CHECK_ALTERNATE_check310="check310" + check310(){ # "Ensure a log metric filter and alarm exist for security group changes (Scored)" textTitle "$ID310" "$TITLE310" "SCORED" "LEVEL2" diff --git a/checks/check311 b/checks/check311 index d097c8b4..c2e26c88 100644 --- a/checks/check311 +++ b/checks/check311 @@ -1,9 +1,8 @@ -CHECK_ID_check311="" -CHECK_TITLE_check311="" -CHECK_SCORED_check311="" -CHECK_TYPE_check311="" -CHECK_ALTERNATE_check311="check311" - +CHECK_ID_check311="3.11" +CHECK_TITLE_check311="Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)" +CHECK_SCORED_check311="SCORED" +CHECK_ALTERNATE_check311="check311" + check311(){ # "Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)" textTitle "$ID311" "$TITLE311" "SCORED" "LEVEL2" diff --git a/checks/check312 b/checks/check312 index 70a0aa9f..ecfd969a 100644 --- a/checks/check312 +++ b/checks/check312 
@@ -1,9 +1,8 @@ -CHECK_ID_check312="" -CHECK_TITLE_check312="" -CHECK_SCORED_check312="" -CHECK_TYPE_check312="" -CHECK_ALTERNATE_check312="check312" - +CHECK_ID_check312="3.12" +CHECK_TITLE_check312="Ensure a log metric filter and alarm exist for changes to network gateways (Scored)" +CHECK_SCORED_check312="SCORED" +CHECK_ALTERNATE_check312="check312" + check312(){ # "Ensure a log metric filter and alarm exist for changes to network gateways (Scored)" textTitle "$ID312" "$TITLE312" "SCORED" "LEVEL1" diff --git a/checks/check313 b/checks/check313 index 7e293c35..3ab3531b 100644 --- a/checks/check313 +++ b/checks/check313 @@ -1,9 +1,8 @@ -CHECK_ID_check313="" -CHECK_TITLE_check313="" -CHECK_SCORED_check313="" -CHECK_TYPE_check313="" -CHECK_ALTERNATE_check313="check313" - +CHECK_ID_check313="3.13" +CHECK_TITLE_check313="Ensure a log metric filter and alarm exist for route table changes (Scored)" +CHECK_SCORED_check313="SCORED" +CHECK_ALTERNATE_check313="check313" + check313(){ # "Ensure a log metric filter and alarm exist for route table changes (Scored)" textTitle "$ID313" "$TITLE313" "SCORED" "LEVEL1" diff --git a/checks/check314 b/checks/check314 index 437452d6..0bec02fa 100644 --- a/checks/check314 +++ b/checks/check314 @@ -1,9 +1,8 @@ -CHECK_ID_check314="" -CHECK_TITLE_check314="" -CHECK_SCORED_check314="" -CHECK_TYPE_check314="" -CHECK_ALTERNATE_check314="check314" - +CHECK_ID_check314="3.14" +CHECK_TITLE_check314="Ensure a log metric filter and alarm exist for VPC changes (Scored)" +CHECK_SCORED_check314="SCORED" +CHECK_ALTERNATE_check314="check314" + check314(){ # "Ensure a log metric filter and alarm exist for VPC changes (Scored)" textTitle "$ID314" "$TITLE314" "SCORED" "LEVEL1" diff --git a/checks/check315 b/checks/check315 index df71f786..68f30c55 100644 --- a/checks/check315 +++ b/checks/check315 
@@ -1,9 +1,8 @@ -CHECK_ID_check315="" -CHECK_TITLE_check315="" -CHECK_SCORED_check315="" -CHECK_TYPE_check315="" -CHECK_ALTERNATE_check315="check315" - +CHECK_ID_check315="3.15" +CHECK_TITLE_check315="Ensure appropriate subscribers to each SNS topic (Not Scored)" +CHECK_SCORED_check315="SCORED" +CHECK_ALTERNATE_check315="check315" + check315(){ # "Ensure appropriate subscribers to each SNS topic (Not Scored)" textTitle "$ID315" "$TITLE315" "NOT_SCORED" "LEVEL1" diff --git a/checks/check32 b/checks/check32 index 68e42787..f07cb1a6 100644 --- a/checks/check32 +++ b/checks/check32 @@ -1,9 +1,8 @@ -CHECK_ID_check32="" -CHECK_TITLE_check32="" -CHECK_SCORED_check32="" -CHECK_TYPE_check32="" -CHECK_ALTERNATE_check32="check32" - +CHECK_ID_check32="3.2,3.02" +CHECK_TITLE_check32="Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)" +CHECK_SCORED_check32="SCORED" +CHECK_ALTERNATE_check302="check32" + check32(){ # "Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)" textTitle "$ID32" "$TITLE32" "SCORED" "LEVEL1" diff --git a/checks/check33 b/checks/check33 index 6e6362e2..49e04219 100644 --- a/checks/check33 +++ b/checks/check33 @@ -1,9 +1,8 @@ -CHECK_ID_check33="" -CHECK_TITLE_check33="" -CHECK_SCORED_check33="" -CHECK_TYPE_check33="" -CHECK_ALTERNATE_check33="check33" - +CHECK_ID_check33="3.3,3.03" +CHECK_TITLE_check33="Ensure a log metric filter and alarm exist for usage of root account (Scored)" +CHECK_SCORED_check33="SCORED" +CHECK_ALTERNATE_check303="check33" + check33(){ # "Ensure a log metric filter and alarm exist for usage of root account (Scored)" textTitle "$ID33" "$TITLE33" "SCORED" "LEVEL1" diff --git a/checks/check34 b/checks/check34 index e84790c7..3d9e8944 100644 --- a/checks/check34 +++ b/checks/check34 
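Review bot: `CHECK_SCORED_check315="SCORED"` disagrees with the title on the line above, which ends in "(Not Scored)", and with the `textTitle "$ID315" "$TITLE315" "NOT_SCORED" "LEVEL1"` call below it, so the new metadata mislabels this control relative to its own output. Use `CHECK_SCORED_check315="NOT_SCORED"`, consistent with check121, check123 and check45 in this same commit. check315's body continues outside the hunk.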
@@ -1,9 +1,8 @@ -CHECK_ID_check34="" -CHECK_TITLE_check34="" -CHECK_SCORED_check34="" -CHECK_TYPE_check34="" -CHECK_ALTERNATE_check34="check34" - +CHECK_ID_check34="3.4,3.04" +CHECK_TITLE_check34="Ensure a log metric filter and alarm exist for IAM policy changes (Scored)" +CHECK_SCORED_check34="SCORED" +CHECK_ALTERNATE_check304="check34" + check34(){ # "Ensure a log metric filter and alarm exist for IAM policy changes (Scored)" textTitle "$ID34" "$TITLE34" "SCORED" "LEVEL1" diff --git a/checks/check35 b/checks/check35 index 0d93635a..a4d144a8 100644 --- a/checks/check35 +++ b/checks/check35 @@ -1,9 +1,8 @@ -CHECK_ID_check35="" -CHECK_TITLE_check35="" -CHECK_SCORED_check35="" -CHECK_TYPE_check35="" -CHECK_ALTERNATE_check35="check35" - +CHECK_ID_check35="3.5,3.05" +CHECK_TITLE_check35="Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)" +CHECK_SCORED_check35="SCORED" +CHECK_ALTERNATE_check305="check35" + check35(){ # "Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)" textTitle "$ID35" "$TITLE35" "SCORED" "LEVEL1" diff --git a/checks/check36 b/checks/check36 index 62f31c75..23061964 100644 --- a/checks/check36 +++ b/checks/check36 @@ -1,9 +1,8 @@ -CHECK_ID_check36="" -CHECK_TITLE_check36="" -CHECK_SCORED_check36="" -CHECK_TYPE_check36="" -CHECK_ALTERNATE_check36="check36" - +CHECK_ID_check36="3.6,3.06" +CHECK_TITLE_check36="Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)" +CHECK_SCORED_check36="SCORED" +CHECK_ALTERNATE_check306="check36" + check36(){ # "Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)" textTitle "$ID36" "$TITLE36" "SCORED" "LEVEL2" diff --git a/checks/check37 b/checks/check37 index 6809b5d0..2ffc48c2 100644 --- a/checks/check37 +++ b/checks/check37 
@@ -1,9 +1,8 @@ -CHECK_ID_check37="" -CHECK_TITLE_check37="" -CHECK_SCORED_check37="" -CHECK_TYPE_check37="" -CHECK_ALTERNATE_check37="check37" - +CHECK_ID_check37="3.7,3.07" +CHECK_TITLE_check37="Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)" +CHECK_SCORED_check37="SCORED" +CHECK_ALTERNATE_check307="check37" + check37(){ # "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)" textTitle "$ID37" "$TITLE37" "SCORED" "LEVEL2" diff --git a/checks/check38 b/checks/check38 index e51edccf..0445fb98 100644 --- a/checks/check38 +++ b/checks/check38 @@ -1,9 +1,8 @@ -CHECK_ID_check38="" -CHECK_TITLE_check38="" -CHECK_SCORED_check38="" -CHECK_TYPE_check38="" -CHECK_ALTERNATE_check38="check38" - +CHECK_ID_check38="3.8,3.08" +CHECK_TITLE_check38="Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)" +CHECK_SCORED_check38="SCORED" +CHECK_ALTERNATE_check308="check38" + check38(){ # "Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)" textTitle "$ID38" "$TITLE38" "SCORED" "LEVEL1" diff --git a/checks/check39 b/checks/check39 index 7a66fceb..0f595b15 100644 --- a/checks/check39 +++ b/checks/check39 @@ -1,9 +1,8 @@ -CHECK_ID_check39="" -CHECK_TITLE_check39="" -CHECK_SCORED_check39="" -CHECK_TYPE_check39="" -CHECK_ALTERNATE_check39="check39" - +CHECK_ID_check39="3.9,3.09" +CHECK_TITLE_check39="Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)" +CHECK_SCORED_check39="SCORED" +CHECK_ALTERNATE_check309="check39" + check39(){ # "Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)" textTitle "$ID39" "$TITLE39" "SCORED" "LEVEL2" diff --git a/checks/check41 b/checks/check41 index 0e63eb4d..a7cfa7cc 100644 --- a/checks/check41 +++ b/checks/check41 
@@ -1,9 +1,8 @@
-CHECK_ID_check41=""
-CHECK_TITLE_check41=""
-CHECK_SCORED_check41=""
-CHECK_TYPE_check41=""
-CHECK_ALTERNATE_check41="check41"
-
+CHECK_ID_check41="4.1,4.01"
+CHECK_TITLE_check41="Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)"
+CHECK_SCORED_check41="SCORED"
+CHECK_ALTERNATE_check401="check41"
+
 check41(){
 # "Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)"
 textTitle "$ID41" "$TITLE41" "SCORED" "LEVEL1"
diff --git a/checks/check42 b/checks/check42
index 7334c304..d912c749 100644
--- a/checks/check42
+++ b/checks/check42
@@ -1,9 +1,8 @@
-CHECK_ID_check42=""
-CHECK_TITLE_check42=""
-CHECK_SCORED_check42=""
-CHECK_TYPE_check42=""
-CHECK_ALTERNATE_check42="check42"
-
+CHECK_ID_check42="4.2,4.02"
+CHECK_TITLE_check42="Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)"
+CHECK_SCORED_check42="SCORED"
+CHECK_ALTERNATE_check402="check42"
+
 check42(){
 # "Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)"
 textTitle "$ID42" "$TITLE42" "SCORED" "LEVEL1"
diff --git a/checks/check43 b/checks/check43
index 627eca2b..913e5f87 100644
--- a/checks/check43
+++ b/checks/check43
@@ -1,9 +1,8 @@
-CHECK_ID_check43=""
-CHECK_TITLE_check43=""
-CHECK_SCORED_check43=""
-CHECK_TYPE_check43=""
-CHECK_ALTERNATE_check43="check43"
-
+CHECK_ID_check43="4.3,4.03"
+CHECK_TITLE_check43="Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
+CHECK_SCORED_check43="SCORED"
+CHECK_ALTERNATE_check403="check43"
+
 check43(){
 # "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
 textTitle "$ID43" "$TITLE43" "SCORED" "LEVEL2"
diff --git a/checks/check44 b/checks/check44
index afdbbfcb..7dc22334 100644
--- a/checks/check44
+++ b/checks/check44
@@ -1,9 +1,8 @@
-CHECK_ID_check44=""
-CHECK_TITLE_check44=""
-CHECK_SCORED_check44=""
-CHECK_TYPE_check44=""
-CHECK_ALTERNATE_check44="check44"
-
+CHECK_ID_check44="4.4,4.04"
+CHECK_TITLE_check44="Ensure the default security group of every VPC restricts all traffic (Scored)"
+CHECK_SCORED_check44="SCORED"
+CHECK_ALTERNATE_check404="check44"
+
 check44(){
 # "Ensure the default security group of every VPC restricts all traffic (Scored)"
 textTitle "$ID44" "$TITLE44" "SCORED" "LEVEL2"
diff --git a/checks/check45 b/checks/check45
index ac8764d0..29401462 100644
--- a/checks/check45
+++ b/checks/check45
@@ -1,9 +1,8 @@
-CHECK_ID_check45=""
-CHECK_TITLE_check45=""
-CHECK_SCORED_check45=""
-CHECK_TYPE_check45=""
-CHECK_ALTERNATE_check45="check45"
-
+CHECK_ID_check45="4.5,4.05"
+CHECK_TITLE_check45="Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
+CHECK_SCORED_check45="NOT_SCORED"
+CHECK_ALTERNATE_check405="check45"
+
 check45(){
 # "Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
 textTitle "$ID45" "$TITLE45" "NOT_SCORED" "LEVEL2"
diff --git a/checks/check_extra71 b/checks/check_extra71
index b7575598..e10a12fd 100644
--- a/checks/check_extra71
+++ b/checks/check_extra71
@@ -1,13 +1,13 @@
-CHECK_ID_check_extra71=""
-CHECK_TITLE_check_extra71=""
-CHECK_SCORED_check_extra71=""
-CHECK_TYPE_check_extra71=""
-CHECK_ALTERNATE_check_extra71="check_extra71"
-
+CHECK_ID_extra71="7.1,7.01"
+CHECK_TITLE_extra71="Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra71="NOT_SCORED"
+CHECK_ALTERNATE_extra701="extra71"
+CHECK_ALTERNATE_check71="extra71"
+CHECK_ALTERNATE_check701="extra71"
+
 extra71(){
 # "Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID71" "$TITLE71" "NOT_SCORED" "EXTRA"
- ADMIN_GROUPS=''
 AWS_GROUPS=$($AWSCLI $PROFILE_OPT iam list-groups --output text --query 'Groups[].GroupName')
 for grp in $AWS_GROUPS; do
@@ -33,5 +33,4 @@ extra71(){
 textNotice "$grp group provides non-administrative access"
 fi
 done
- # set +x
 }
diff --git a/checks/check_extra710 b/checks/check_extra710
index 1f7cb26e..48fdcb01 100644
--- a/checks/check_extra710
+++ b/checks/check_extra710
@@ -1,9 +1,9 @@
-CHECK_ID_check_extra710=""
-CHECK_TITLE_check_extra710=""
-CHECK_SCORED_check_extra710=""
-CHECK_TYPE_check_extra710=""
-CHECK_ALTERNATE_check_extra710="check_extra710"
-
+CHECK_ID_extra710="7.10"
+CHECK_TITLE_extra710="Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra710="NOT_SCORED"
+CHECK_ALTERNATE_extra710="extra710"
+CHECK_ALTERNATE_check710="extra710"
+
 extra710(){
 # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID710" "$TITLE710" "NOT_SCORED" "EXTRA"
diff --git a/checks/check_extra711 b/checks/check_extra711
index b2a0c8e4..4be78445 100644
--- a/checks/check_extra711
+++ b/checks/check_extra711
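Review bot: `ADMIN_GROUPS=''` is removed from the top of `extra71` with no replacement in sight; if the group loop that follows (its body runs outside this hunk) still appends to that variable, it now starts from whatever the calling shell already holds, so an exported `ADMIN_GROUPS` or a leftover value from an earlier run in the same shell would be folded into the result. Keep the initialisation, preferably scoped to the function: `local ADMIN_GROUPS=''`. If the variable is genuinely unused now, a one-line commit note saying so would make the deletion easy to verify.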
@@ -1,9 +1,9 @@
-CHECK_ID_check_extra711=""
-CHECK_TITLE_check_extra711=""
-CHECK_SCORED_check_extra711=""
-CHECK_TYPE_check_extra711=""
-CHECK_ALTERNATE_check_extra711="check_extra711"
-
+CHECK_ID_extra711="7.11"
+CHECK_TITLE_extra711="Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra711="NOT_SCORED"
+CHECK_ALTERNATE_extra711="extra711"
+CHECK_ALTERNATE_check711="extra711"
+
 extra711(){
 # "Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID711" "$TITLE711" "NOT_SCORED" "EXTRA"
diff --git a/checks/check_extra712 b/checks/check_extra712
index 3515484c..ae653c13 100644
--- a/checks/check_extra712
+++ b/checks/check_extra712
@@ -1,9 +1,9 @@
-CHECK_ID_check_extra712=""
-CHECK_TITLE_check_extra712=""
-CHECK_SCORED_check_extra712=""
-CHECK_TYPE_check_extra712=""
-CHECK_ALTERNATE_check_extra712="check_extra712"
-
+CHECK_ID_extra712="7.12"
+CHECK_TITLE_extra712="Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra712="NOT_SCORED"
+CHECK_ALTERNATE_extra712="extra712"
+CHECK_ALTERNATE_check712="extra712"
+
 extra712(){
 # "Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID712" "$TITLE712" "NOT_SCORED" "EXTRA"
diff --git a/checks/check_extra713 b/checks/check_extra713
index a64cd24f..457d36cc 100644
--- a/checks/check_extra713
+++ b/checks/check_extra713
@@ -1,9 +1,9 @@
-CHECK_ID_check_extra713=""
-CHECK_TITLE_check_extra713=""
-CHECK_SCORED_check_extra713=""
-CHECK_TYPE_check_extra713=""
-CHECK_ALTERNATE_check_extra713="check_extra713"
-
+CHECK_ID_extra713="7.13"
+CHECK_TITLE_extra713="Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra713="NOT_SCORED"
+CHECK_ALTERNATE_extra713="extra713"
+CHECK_ALTERNATE_check713="extra713"
+
 extra713(){
 # "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID713" "$TITLE713" "NOT_SCORED" "EXTRA"
diff --git a/checks/check_extra714 b/checks/check_extra714
index 5fab1be2..00c625d1 100644
--- a/checks/check_extra714
+++ b/checks/check_extra714
@@ -1,9 +1,9 @@
-CHECK_ID_check_extra714=""
-CHECK_TITLE_check_extra714=""
-CHECK_SCORED_check_extra714=""
-CHECK_TYPE_check_extra714=""
-CHECK_ALTERNATE_check_extra714="check_extra714"
-
+CHECK_ID_extra714="7.14"
+CHECK_TITLE_extra714="Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra714="NOT_SCORED"
+CHECK_ALTERNATE_extra714="extra714"
+CHECK_ALTERNATE_check714="extra714"
+
 extra714(){
 # "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID714" "$TITLE714" "NOT_SCORED" "EXTRA"
diff --git a/checks/check_extra715 b/checks/check_extra715
index 503d7c2c..b27e4def 100644
--- a/checks/check_extra715
+++ b/checks/check_extra715
@@ -1,11 +1,10 @@
-CHECK_ID_check_extra715=""
-CHECK_TITLE_check_extra715=""
-CHECK_SCORED_check_extra715=""
-CHECK_TYPE_check_extra715=""
-CHECK_ALTERNATE_check_extra715="check_extra715"
-
+CHECK_ID_extra715="7.15"
+CHECK_TITLE_extra715="Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra715="NOT_SCORED"
+CHECK_ALTERNATE_extra715="extra715"
+CHECK_ALTERNATE_check715="extra715"
+
 extra715(){
- # "Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID715" "$TITLE715" "NOT_SCORED" "EXTRA"
 for regx in $REGIONS; do
 LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text)
diff --git a/checks/check_extra716 b/checks/check_extra716
index 7749af1d..b42ccc87 100644
--- a/checks/check_extra716
+++ b/checks/check_extra716
@@ -1,9 +1,9 @@
-CHECK_ID_check_extra716=""
-CHECK_TITLE_check_extra716=""
-CHECK_SCORED_check_extra716=""
-CHECK_TYPE_check_extra716=""
-CHECK_ALTERNATE_check_extra716="check_extra716"
-
+CHECK_ID_extra716="7.16"
+CHECK_TITLE_extra716="Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra716="NOT_SCORED"
+CHECK_ALTERNATE_extra716="extra716"
+CHECK_ALTERNATE_check716="extra716"
+
 extra716(){
 # "Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID716" "$TITLE716" "NOT_SCORED" "EXTRA"
diff --git a/checks/check_extra717 b/checks/check_extra717
index 7dac48b5..d52669ba 100644
--- a/checks/check_extra717
+++ b/checks/check_extra717
@@ -1,9 +1,9 @@
-CHECK_ID_check_extra717=""
-CHECK_TITLE_check_extra717=""
-CHECK_SCORED_check_extra717=""
-CHECK_TYPE_check_extra717=""
-CHECK_ALTERNATE_check_extra717="check_extra717"
-
+CHECK_ID_extra717="7.17"
+CHECK_TITLE_extra717="Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra717="NOT_SCORED"
+CHECK_ALTERNATE_extra717="extra717"
+CHECK_ALTERNATE_check717="extra717"
+
 extra717(){
 # "Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID717" "$TITLE717" "NOT_SCORED" "EXTRA"
diff --git a/checks/check_extra718 b/checks/check_extra718
index 6d3108b6..f5a2b8bd 100644
--- a/checks/check_extra718
+++ b/checks/check_extra718
@@ -1,9 +1,9 @@
-CHECK_ID_check_extra718=""
-CHECK_TITLE_check_extra718=""
-CHECK_SCORED_check_extra718=""
-CHECK_TYPE_check_extra718=""
-CHECK_ALTERNATE_check_extra718="check_extra718"
-
+CHECK_ID_extra718="7.18"
+CHECK_TITLE_extra718="Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra718="NOT_SCORED"
+CHECK_ALTERNATE_extra718="extra718"
+CHECK_ALTERNATE_check718="extra718"
+
 extra718(){
 # "Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID718" "$TITLE718" "NOT_SCORED" "EXTRA"
diff --git a/checks/check_extra719 b/checks/check_extra719
index d260f66f..4158a343 100644
--- a/checks/check_extra719
+++ b/checks/check_extra719
@@ -1,9 +1,9 @@
-CHECK_ID_check_extra719=""
-CHECK_TITLE_check_extra719=""
-CHECK_SCORED_check_extra719=""
-CHECK_TYPE_check_extra719=""
-CHECK_ALTERNATE_check_extra719="check_extra719"
-
+CHECK_ID_extra719="7.19"
+CHECK_TITLE_extra719="Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra719="NOT_SCORED"
+CHECK_ALTERNATE_extra719="extra719"
+CHECK_ALTERNATE_check719="extra719"
+
 extra719(){
 # "Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID719" "$TITLE719" "NOT_SCORED" "EXTRA"
diff --git a/checks/check_extra72 b/checks/check_extra72
index 86fd88f2..06b80ea9 100644
--- a/checks/check_extra72
+++ b/checks/check_extra72
@@ -1,9 +1,10 @@
-CHECK_ID_check_extra72=""
-CHECK_TITLE_check_extra72=""
-CHECK_SCORED_check_extra72=""
-CHECK_TYPE_check_extra72=""
-CHECK_ALTERNATE_check_extra72="check_extra72"
-
+CHECK_ID_extra72="7.2,7.02"
+CHECK_TITLE_extra72="Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra72="NOT_SCORED"
+CHECK_ALTERNATE_extra702="extra72"
+CHECK_ALTERNATE_check72="extra72"
+CHECK_ALTERNATE_check702="extra72"
+
 extra72(){
 # "Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID72" "$TITLE72" "NOT_SCORED" "EXTRA"
diff --git a/checks/check_extra720 b/checks/check_extra720
index 975d6f92..5c440297 100644
--- a/checks/check_extra720
+++ b/checks/check_extra720
@@ -1,9 +1,9 @@
-CHECK_ID_check_extra720=""
-CHECK_TITLE_check_extra720=""
-CHECK_SCORED_check_extra720=""
-CHECK_TYPE_check_extra720=""
-CHECK_ALTERNATE_check_extra720="check_extra720"
-
+CHECK_ID_extra720="7.20"
+CHECK_TITLE_extra720="Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra720="NOT_SCORED"
+CHECK_ALTERNATE_extra720="extra720"
+CHECK_ALTERNATE_check720="extra720"
+
 extra720(){
 # "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID720" "$TITLE720" "NOT_SCORED" "EXTRA"
diff --git a/checks/check_extra721 b/checks/check_extra721
index 2a5f5f4f..82b78045 100644
--- a/checks/check_extra721
+++ b/checks/check_extra721
@@ -1,9 +1,9 @@
-CHECK_ID_check_extra721=""
-CHECK_TITLE_check_extra721=""
-CHECK_SCORED_check_extra721=""
-CHECK_TYPE_check_extra721=""
-CHECK_ALTERNATE_check_extra721="check_extra721"
-
+CHECK_ID_extra721="7.21"
+CHECK_TITLE_extra721="Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra721="NOT_SCORED"
+CHECK_ALTERNATE_extra721="extra721"
+CHECK_ALTERNATE_check721="extra721"
+
 extra721(){
 # "Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID721" "$TITLE721" "NOT_SCORED" "EXTRA"
diff --git a/checks/check_extra722 b/checks/check_extra722
index bcd7ab47..6a16714c 100644
--- a/checks/check_extra722
+++ b/checks/check_extra722
@@ -1,9 +1,9 @@
-CHECK_ID_check_extra722=""
-CHECK_TITLE_check_extra722=""
-CHECK_SCORED_check_extra722=""
-CHECK_TYPE_check_extra722=""
-CHECK_ALTERNATE_check_extra722="check_extra722"
-
+CHECK_ID_extra722="7.22"
+CHECK_TITLE_extra722="Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra722="NOT_SCORED"
+CHECK_ALTERNATE_check722="extra722"
+CHECK_ALTERNATE_extra722="extra722"
+
 extra722(){
 # "Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID722" "$TITLE722" "NOT_SCORED" "EXTRA"
diff --git a/checks/check_extra723 b/checks/check_extra723
index 470ce3ad..3f46fb21 100644
--- a/checks/check_extra723
+++ b/checks/check_extra723
@@ -1,9 +1,9 @@
-CHECK_ID_check_extra723=""
-CHECK_TITLE_check_extra723=""
-CHECK_SCORED_check_extra723=""
-CHECK_TYPE_check_extra723=""
-CHECK_ALTERNATE_check_extra723="check_extra723"
-
+CHECK_ID_extra723="7.23"
+CHECK_TITLE_extra723="Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra723="NOT_SCORED"
+CHECK_ALTERNATE_check723="extra723"
+CHECK_ALTERNATE_extra723="extra723"
+
 extra723(){
 # "Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID723" "$TITLE723" "NOT_SCORED" "EXTRA"
diff --git a/checks/check_extra73 b/checks/check_extra73
index 273d0813..7c45d1ee 100644
--- a/checks/check_extra73
+++ b/checks/check_extra73
@@ -1,9 +1,10 @@
-CHECK_ID_check_extra73=""
-CHECK_TITLE_check_extra73=""
-CHECK_SCORED_check_extra73=""
-CHECK_TYPE_check_extra73=""
-CHECK_ALTERNATE_check_extra73="check_extra73"
-
+CHECK_ID_extra73="7.3,7.03"
+CHECK_TITLE_extra73="Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra73="NOT_SCORED"
+CHECK_ALTERNATE_extra703="extra73"
+CHECK_ALTERNATE_check73="extra73"
+CHECK_ALTERNATE_check703="extra73"
+
 extra73(){
 # "Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID73" "$TITLE73" "NOT_SCORED" "EXTRA"
diff --git a/checks/check_extra74 b/checks/check_extra74
index c1e52727..ee264999 100644
--- a/checks/check_extra74
+++ b/checks/check_extra74
@@ -1,9 +1,10 @@
-CHECK_ID_check_extra74=""
-CHECK_TITLE_check_extra74=""
-CHECK_SCORED_check_extra74=""
-CHECK_TYPE_check_extra74=""
-CHECK_ALTERNATE_check_extra74="check_extra74"
-
+CHECK_ID_extra74="7.4,7.04"
+CHECK_TITLE_extra74="Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra74="NOT_SCORED"
+CHECK_ALTERNATE_extra704="extra74"
+CHECK_ALTERNATE_check74="extra74"
+CHECK_ALTERNATE_check704="extra74"
+
 extra74(){
 # "Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID74" "$TITLE74" "NOT_SCORED" "EXTRA"
diff --git a/checks/check_extra75 b/checks/check_extra75
index bc5a8a87..24af2099 100644
--- a/checks/check_extra75
+++ b/checks/check_extra75
@@ -1,9 +1,10 @@
-CHECK_ID_check_extra75=""
-CHECK_TITLE_check_extra75=""
-CHECK_SCORED_check_extra75=""
-CHECK_TYPE_check_extra75=""
-CHECK_ALTERNATE_check_extra75="check_extra75"
-
+CHECK_ID_extra75="7.5,7.05"
+CHECK_TITLE_extra75="Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra75="NOT_SCORED"
+CHECK_ALTERNATE_extra705="extra75"
+CHECK_ALTERNATE_check75="extra75"
+CHECK_ALTERNATE_check705="extra75"
+
 extra75(){
 # "Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID75" "$TITLE75" "NOT_SCORED" "EXTRA"
diff --git a/checks/check_extra76 b/checks/check_extra76
index bd0ebafc..0af33a1c 100644
--- a/checks/check_extra76
+++ b/checks/check_extra76
@@ -1,9 +1,10 @@
-CHECK_ID_check_extra76=""
-CHECK_TITLE_check_extra76=""
-CHECK_SCORED_check_extra76=""
-CHECK_TYPE_check_extra76=""
-CHECK_ALTERNATE_check_extra76="check_extra76"
-
+CHECK_ID_extra76="7.6,7.06"
+CHECK_TITLE_extra76="Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra76="NOT_SCORED"
+CHECK_ALTERNATE_extra706="extra76"
+CHECK_ALTERNATE_check76="extra76"
+CHECK_ALTERNATE_check706="extra76"
+
 extra76(){
 # "Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID76" "$TITLE76" "NOT_SCORED" "EXTRA"
diff --git a/checks/check_extra77 b/checks/check_extra77
index f90c34ff..bf4a9cff 100644
--- a/checks/check_extra77
+++ b/checks/check_extra77
@@ -1,9 +1,10 @@
-CHECK_ID_check_extra77=""
-CHECK_TITLE_check_extra77=""
-CHECK_SCORED_check_extra77=""
-CHECK_TYPE_check_extra77=""
-CHECK_ALTERNATE_check_extra77="check_extra77"
-
+CHECK_ID_extra77="7.7,7.07"
+CHECK_TITLE_extra77="Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra77="NOT_SCORED"
+CHECK_ALTERNATE_extra707="extra77"
+CHECK_ALTERNATE_check77="extra77"
+CHECK_ALTERNATE_check707="extra77"
+
 extra77(){
 # "Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID77" "$TITLE77" "NOT_SCORED" "EXTRA"
diff --git a/checks/check_extra78 b/checks/check_extra78
index 8baf0f59..a243d7bd 100644
--- a/checks/check_extra78
+++ b/checks/check_extra78
@@ -1,9 +1,10 @@
-CHECK_ID_check_extra78=""
-CHECK_TITLE_check_extra78=""
-CHECK_SCORED_check_extra78=""
-CHECK_TYPE_check_extra78=""
-CHECK_ALTERNATE_check_extra78="check_extra78"
-
+CHECK_ID_extra78="7.8,7.08"
+CHECK_TITLE_extra78="Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra78="NOT_SCORED"
+CHECK_ALTERNATE_extra708="extra78"
+CHECK_ALTERNATE_check78="extra78"
+CHECK_ALTERNATE_check708="extra78"
+
 extra78(){
 # "Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID78" "$TITLE78" "NOT_SCORED" "EXTRA"
diff --git a/checks/check_extra79 b/checks/check_extra79
index ff24bd2e..51fc1cac 100644
--- a/checks/check_extra79
+++ b/checks/check_extra79
@@ -1,9 +1,10 @@
-CHECK_ID_check_extra79=""
-CHECK_TITLE_check_extra79=""
-CHECK_SCORED_check_extra79=""
-CHECK_TYPE_check_extra79=""
-CHECK_ALTERNATE_check_extra79="check_extra79"
-
+CHECK_ID_extra79="7.9,7.09"
+CHECK_TITLE_extra79="Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra79="NOT_SCORED"
+CHECK_ALTERNATE_extra709="extra79"
+CHECK_ALTERNATE_check79="extra79"
+CHECK_ALTERNATE_check709="extra79"
+
 extra79(){
 # "Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID79" "$TITLE79" "NOT_SCORED" "EXTRA"
diff --git a/groups/group0_init b/groups/group0_init
new file mode 100644
index 00000000..8b7d2410
--- /dev/null
+++ b/groups/group0_init
@@ -0,0 +1,6 @@
+GROUP_ID[0]='init' # this group make easier to understand the array of groups
+GROUP_NUMBER[0]='0.0'
+GROUP_TITLE[0]='Init ****************************************************************'
+GROUP_RUN_BY_DEFAULT[0]='N' # run it when execute_all is called
+GROUP_CHECKS[0]=''
+
diff --git a/groups/group1_iam b/groups/group1_iam
index 73a4e649..6145bff4 100644
--- a/groups/group1_iam
+++ b/groups/group1_iam
@@ -1,5 +1,5 @@
-GROUP_ID[1]="group1"
-GROUP_NUMBER[1]="1.0"
-GROUP_TITLE[1]="Identity and Access Management ****************************************"
-GROUP_RUN_BY_DEFAULT[1]="Y" # run it when execute_all is called
-GROUP_CHECKS[1]="check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check123,check124"
+GROUP_ID[1]='group1'
+GROUP_NUMBER[1]='1.0'
+GROUP_TITLE[1]='Identity and Access Management ****************************************'
+GROUP_RUN_BY_DEFAULT[1]='Y' # run it when execute_all is called
+GROUP_CHECKS[1]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check123,check124'
diff --git a/groups/group2_logging b/groups/group2_logging
index c9225cac..da10a1d4 100644
--- a/groups/group2_logging
+++ b/groups/group2_logging
@@ -1,5 +1,5 @@
-GROUP_ID[2]="group2"
-GROUP_NUMBER[2]="2.0"
-GROUP_TITLE[2]="Logging ***************************************************************"
-GROUP_RUN_BY_DEFAULT[2]="Y" # run it when execute_all is called
-GROUP_CHECKS[2]="check21,check22,check23,check24,check25,check26,check27,check28"
+GROUP_ID[2]='group2'
+GROUP_NUMBER[2]='2.0'
+GROUP_TITLE[2]='Logging ***************************************************************'
+GROUP_RUN_BY_DEFAULT[2]='Y' # run it when execute_all is called
+GROUP_CHECKS[2]='check21,check22,check23,check24,check25,check26,check27,check28'
diff --git a/groups/group3_monitoring b/groups/group3_monitoring
index c74d4cf1..56356f84 100644
--- a/groups/group3_monitoring
+++ b/groups/group3_monitoring
@@ -1,5 +1,5 @@
-GROUP_ID[3]="group3"
-GROUP_NUMBER[3]="3.0"
-GROUP_TITLE[3]="Monitoring ************************************************************"
-GROUP_RUN_BY_DEFAULT[3]="Y" # run it when execute_all is called
-GROUP_CHECKS[3]="check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check315"
+GROUP_ID[3]='group3'
+GROUP_NUMBER[3]='3.0'
+GROUP_TITLE[3]='Monitoring ************************************************************'
+GROUP_RUN_BY_DEFAULT[3]='Y' # run it when execute_all is called
+GROUP_CHECKS[3]='check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check315'
diff --git a/groups/group5_cislevel1 b/groups/group5_cislevel1
index 99656963..a1958a5f 100644
--- a/groups/group5_cislevel1
+++ b/groups/group5_cislevel1
@@ -1,5 +1,5 @@
-GROUP_ID[5]="level1"
-GROUP_NUMBER[5]="5.0"
-GROUP_TITLE[5]="CIS Level 1 **********************************************************"
-GROUP_RUN_BY_DEFAULT[5]="N" # run it when execute_all is called
-GROUP_CHECKS[5]="check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check115,check116,check117,check118,check119,check120,check122,check123,check124,check21,check23,check24,check25,check26,check31,check32,check33,check34,check35,check38,check312,check313,check314,check315,check41,check42"
+GROUP_ID[5]='level1'
+GROUP_NUMBER[5]='5.0'
+GROUP_TITLE[5]='CIS Level 1 **********************************************************'
+GROUP_RUN_BY_DEFAULT[5]='N' # run it when execute_all is called
+GROUP_CHECKS[5]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check115,check116,check117,check118,check119,check120,check122,check123,check124,check21,check23,check24,check25,check26,check31,check32,check33,check34,check35,check38,check312,check313,check314,check315,check41,check42'
diff --git a/groups/group6_cislevel2 b/groups/group6_cislevel2
index 698b926b..369848ba 100644
--- a/groups/group6_cislevel2
+++ b/groups/group6_cislevel2
@@ -1,5 +1,5 @@
-GROUP_ID[6]="level2"
-GROUP_NUMBER[6]="6.0"
-GROUP_TITLE[6]="CIS Level 2 **********************************************************"
-GROUP_RUN_BY_DEFAULT[6]="N" # run it when execute_all is called
-GROUP_CHECKS[6]="check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check123,check124,check21,check22,check23,check24,check25,check26,check27,check28,check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check315,check41,check42,check43,check44,check45"
+GROUP_ID[6]='level2'
+GROUP_NUMBER[6]='6.0'
+GROUP_TITLE[6]='CIS Level 2 **********************************************************'
+GROUP_RUN_BY_DEFAULT[6]='N' # run it when execute_all is called
+GROUP_CHECKS[6]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check123,check124,check21,check22,check23,check24,check25,check26,check27,check28,check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check315,check41,check42,check43,check44,check45'
diff --git a/groups/group7_extras b/groups/group7_extras
index 1cdd6ebe..0c3319b2 100644
--- a/groups/group7_extras
+++ b/groups/group7_extras
@@ -1,5 +1,5 @@
-GROUP_ID[7]="extras"
-GROUP_NUMBER[7]="7.0"
-GROUP_TITLE[7]="Extras ****************************************************************"
-GROUP_RUN_BY_DEFAULT[7]="Y" # run it when execute_all is called
-GROUP_CHECKS[7]="extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723"
+GROUP_ID[7]='extras'
+GROUP_NUMBER[7]='7.0'
+GROUP_TITLE[7]='Extras ****************************************************************'
+GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723'
diff --git a/groups/group8_forensics b/groups/group8_forensics
index c199de70..704b31ac 100644
--- a/groups/group8_forensics
+++ b/groups/group8_forensics
@@ -1,5 +1,5 @@
-GROUP_ID[8]="forensics-ready"
-GROUP_NUMBER[8]="8.0"
-GROUP_TITLE[8]="Forensics Readiness ***************************************************"
-GROUP_RUN_BY_DEFAULT[8]="N" # run it when execute_all is called
-GROUP_CHECKS[8]="check21,check22,check23,check24,check25,check26,check27,check43,extra712,extra713,extra714,extra715,extra717,extra718,extra719,extra720,extra721,extra722"
+GROUP_ID[8]='forensics-ready'
+GROUP_NUMBER[8]='8.0'
+GROUP_TITLE[8]='Forensics Readiness ***************************************************'
+GROUP_RUN_BY_DEFAULT[8]='N' # run it when execute_all is called
+GROUP_CHECKS[8]='check21,check22,check23,check24,check25,check26,check27,check43,extra712,extra713,extra714,extra715,extra717,extra718,extra719,extra720,extra721,extra722'
diff --git a/groups/groupN_sample b/groups/groupN_sample
index 27678c86..a286c9f8 100644
--- a/groups/groupN_sample
+++ b/groups/groupN_sample
@@ -1,5 +1,5 @@
-GROUP_ID[9]="my-custom-group"
-GROUP_NUMBER[9]="9.0"
-GROUP_TITLE[9]="My Custom Group **********************************************"
-GROUP_RUN_BY_DEFAULT[9]="N" # run it when execute_all is called
-GROUP_CHECKS[9]="checkNN,checkMM"
+GROUP_ID[9]='my-custom-group'
+GROUP_NUMBER[9]='9.0'
+GROUP_TITLE[9]='My Custom Group **********************************************'
+GROUP_RUN_BY_DEFAULT[9]='N' # run it when execute_all is called
+GROUP_CHECKS[9]='checkNN,checkMM'
diff --git a/lll b/lll
deleted file mode 100644
index 66f5ad2d..00000000
--- a/lll
+++ /dev/null
@@ -1,2 +0,0 @@
-check11
-check12
diff --git a/prowler2 b/prowler2
index 082c2935..9fc59819 100755
--- a/prowler2
+++ b/prowler2
@@ -136,42 +136,20 @@ REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' \
 --region $REGION \
 --region-names $FILTERREGION)
 
- callCheck(){
- if [[ $CHECKNUMBER ]];then
- execute_check $CHECKNUMBER
- # case "$CHECKNUMBER" in
- # check11|check101 ) execute_check check11;;
- # check12|check102 ) execute_check check12;;
- # * )
- # textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";
- # esac
- cleanTemp
- exit $EXITCODE
- fi
- }
-
-# List only check tittles
-if [[ $PRINTCHECKSONLY == "1" ]]; then
- prowlerBanner
- show_all_titles
- exit $EXITCODE
-fi
-
-# Load all of the groups of checks inside groups folder named as "group*"
-for group in $(ls groups/group*); do
+# Load all of the groups of checks inside groups folder named as "groupNumber*"
+for group in $(ls groups/group[0-9]*|grep -v groupN_sample); do
 . "$group"
 done
 
 # Load all of the checks inside checks folder named as "check*"
 # this includes also extra checks since they are "check_extraNN"
-for checks in $(ls checks/check*); do
+for checks in $(ls checks/check*|grep -v check_sample); do
 . "$checks"
 done
 
 # Function to show the title of the check
 # using this way instead of arrays to keep bash3 (osx) and bash4(linux) compatibility
 show_check_title() {
- # This would just call textTitle
 local check_id=CHECK_ID_$1
 local check_title=CHECK_TITLE_$1
 local check_scored=CHECK_SCORED_$1
@@ -205,7 +183,7 @@ execute_check() {
 show_check_title $1
 $1
 else
- textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";
+ textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)";
 fi
 fi
 }
@@ -231,7 +209,7 @@ execute_group_by_name() {
 
 # Function to execute all checks in all groups
 execute_all() {
- for i in ${#GROUP_TITLE[@]}; do
+ for i in "${!GROUP_TITLE[@]}"; do
 if [ "${GROUP_RUN_BY_DEFAULT[$i]}" == "Y" ]; then
 execute_group $i
 fi
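Review bot: `for group in $(ls groups/group[0-9]*|grep -v groupN_sample)` parses `ls` output and word-splits it, and the `grep -v` is already redundant because the `[0-9]` in the glob cannot match `groupN_sample`; a plain glob does the same job with no subshell: `for group in groups/group[0-9]*; do`. The checks loader on the following lines has the same shape and can keep its exclusion inside the loop with `[[ $checks == checks/check_sample ]] && continue` under `for checks in checks/check*; do`. Both loops source every matching file with `.`, so anything placed in `groups/` or `checks/` runs as part of the script; a short comment on the loader stating that only files shipped with the tool belong there would make that trust boundary explicit to maintainers. The `"${!GROUP_TITLE[@]}"` fix in `execute_all` further down is correct (`${#…}` gave the element count, not the indices).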
@@ -240,16 +218,30 @@ execute_all() {
 
 # Function to show the titles of everything
 show_all_titles() {
- for i in ${#GROUP_TITLE[@]}; do
+ for i in "${!GROUP_TITLE[@]}"; do
 show_group_title $i
 # Display the title of the checks
 IFS=',' read -ra CHECKS <<< ${GROUP_CHECKS[$i]}
- for j in "${CHECKS[@]}"; do
+ for j in "${GROUP_CHECKS[@]}"; do
 show_check_title $j
 done
 done
 }
 
+# Execute single check if called with -c
+if [[ $CHECKNUMBER ]];then
+ execute_check $CHECKNUMBER
+ cleanTemp
+ exit $EXITCODE
+fi
+
+# List only check tittles
+if [[ $PRINTCHECKSONLY == "1" ]]; then
+ prowlerBanner
+ show_all_titles
+ exit $EXITCODE
+fi
+
 ### All functions defined above ... run the workflow
 if [[ $MODE != "csv" ]]; then
 prowlerBanner
@@ -263,11 +255,5 @@ saveReport
 
 execute_all
-
-# if [[ ! $EXTRAS ]]; then
-# textTitle "7" "$TITLE7" "NOT_SCORED" "SUPPORT"
-# execute_group 7
-# fi
-
 cleanTemp
 exit $EXITCODE
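Review bot: In `show_all_titles` the inner loop was changed to `for j in "${GROUP_CHECKS[@]}"; do`, which walks the whole array of comma-joined check lists for every group and ignores the `CHECKS` array that the `read -ra` on the preceding line has just filled, so each `show_check_title` call receives a string like `check11,check12,…` instead of one check name and the per-group titles are printed wrong and repeated. It should read `for j in "${CHECKS[@]}"; do`, as it did before this change; quoting the here-string as `<<< "${GROUP_CHECKS[$i]}"` is also the safer form. The new `-c` block hands `$CHECKNUMBER` straight to `execute_check`, whose body (outside this hunk) runs `$1` as a command after a validity test that is not visible here; that test should accept only a name that the loader defined, for example by requiring `CHECK_ID_$1` to be set, before the call.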