first semi functional v2
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check11="1.1,1.01"
|
CHECK_ID_check11="1.1,1.01"
|
||||||
CHECK_TITLE_check11="Avoid the use of the root account (Scored)"
|
CHECK_TITLE_check11="Avoid the use of the root account (Scored)"
|
||||||
CHECK_SCORED_check11="SCORED"
|
CHECK_SCORED_check11="SCORED"
|
||||||
CHECK_TYPE_check11="LEVEL1"
|
|
||||||
CHECK_ALTERNATE_check101="check11"
|
CHECK_ALTERNATE_check101="check11"
|
||||||
|
|
||||||
check11(){
|
check11(){
|
||||||
|
|||||||
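Review bot: Dropping `CHECK_TYPE_check11="LEVEL1"` discards the only place this file recorded the CIS profile level for 1.1, and nothing on the new side of the hunk carries that value. If the runner still groups or filters checks by level, 1.1 would silently fall out of that grouping; if CHECK_TYPE is being retired on purpose, the level needs another home before this line goes, e.g. keep `CHECK_TYPE_check11="LEVEL1"` until the replacement field exists. The body of check11() begins after the hunk.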
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check110=""
|
CHECK_ID_check110="1.10"
|
||||||
CHECK_TITLE_check110=""
|
CHECK_TITLE_check110="Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
|
||||||
CHECK_SCORED_check110=""
|
CHECK_SCORED_check110="SCORED"
|
||||||
CHECK_TYPE_check110=""
|
|
||||||
CHECK_ALTERNATE_check110="check110"
|
CHECK_ALTERNATE_check110="check110"
|
||||||
|
|
||||||
check110(){
|
check110(){
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check111=""
|
CHECK_ID_check111="1.11"
|
||||||
CHECK_TITLE_check111=""
|
CHECK_TITLE_check111="Ensure IAM password policy expires passwords within 90 days or less (Scored)"
|
||||||
CHECK_SCORED_check111=""
|
CHECK_SCORED_check111="SCORED"
|
||||||
CHECK_TYPE_check111=""
|
|
||||||
CHECK_ALTERNATE_check111="check111"
|
CHECK_ALTERNATE_check111="check111"
|
||||||
|
|
||||||
check111(){
|
check111(){
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check112=""
|
CHECK_ID_check112="1.12"
|
||||||
CHECK_TITLE_check112=""
|
CHECK_TITLE_check112="Ensure no root account access key exists (Scored)"
|
||||||
CHECK_SCORED_check112=""
|
CHECK_SCORED_check112="SCORED"
|
||||||
CHECK_TYPE_check112=""
|
|
||||||
CHECK_ALTERNATE_check112="check112"
|
CHECK_ALTERNATE_check112="check112"
|
||||||
|
|
||||||
check112(){
|
check112(){
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check113=""
|
CHECK_ID_check113="1.13"
|
||||||
CHECK_TITLE_check113=""
|
CHECK_TITLE_check113="Ensure MFA is enabled for the root account (Scored)"
|
||||||
CHECK_SCORED_check113=""
|
CHECK_SCORED_check113="SCORED"
|
||||||
CHECK_TYPE_check113=""
|
|
||||||
CHECK_ALTERNATE_check113="check113"
|
CHECK_ALTERNATE_check113="check113"
|
||||||
|
|
||||||
check113(){
|
check113(){
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check114=""
|
CHECK_ID_check114="1.14"
|
||||||
CHECK_TITLE_check114=""
|
CHECK_TITLE_check114="Ensure hardware MFA is enabled for the root account (Scored)"
|
||||||
CHECK_SCORED_check114=""
|
CHECK_SCORED_check114="SCORED"
|
||||||
CHECK_TYPE_check114=""
|
|
||||||
CHECK_ALTERNATE_check114="check114"
|
CHECK_ALTERNATE_check114="check114"
|
||||||
|
|
||||||
check114(){
|
check114(){
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check115=""
|
CHECK_ID_check115="1.15"
|
||||||
CHECK_TITLE_check115=""
|
CHECK_TITLE_check115="Ensure security questions are registered in the AWS account (Not Scored)"
|
||||||
CHECK_SCORED_check115=""
|
CHECK_SCORED_check115="SCORED"
|
||||||
CHECK_TYPE_check115=""
|
|
||||||
CHECK_ALTERNATE_check115="check115"
|
CHECK_ALTERNATE_check115="check115"
|
||||||
|
|
||||||
check115(){
|
check115(){
|
||||||
|
|||||||
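Review bot: `CHECK_SCORED_check115="SCORED"` contradicts the title set two rows above, which ends in "(Not Scored)". The other unscored items in this commit use `NOT_SCORED` (check121, check123, check45), so this line should read `CHECK_SCORED_check115="NOT_SCORED"`; as written, whatever consumes CHECK_SCORED_* will report the security-questions finding as a scored CIS failure. check115() begins after the hunk.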
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check116=""
|
CHECK_ID_check116="1.16"
|
||||||
CHECK_TITLE_check116=""
|
CHECK_TITLE_check116="Ensure IAM policies are attached only to groups or roles (Scored)"
|
||||||
CHECK_SCORED_check116=""
|
CHECK_SCORED_check116="SCORED"
|
||||||
CHECK_TYPE_check116=""
|
|
||||||
CHECK_ALTERNATE_check116="check116"
|
CHECK_ALTERNATE_check116="check116"
|
||||||
|
|
||||||
check116(){
|
check116(){
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check117=""
|
CHECK_ID_check117="1.17"
|
||||||
CHECK_TITLE_check117=""
|
CHECK_TITLE_check117="Enable detailed billing (Scored)"
|
||||||
CHECK_SCORED_check117=""
|
CHECK_SCORED_check117="SCORED"
|
||||||
CHECK_TYPE_check117=""
|
|
||||||
CHECK_ALTERNATE_check117="check117"
|
CHECK_ALTERNATE_check117="check117"
|
||||||
|
|
||||||
check117(){
|
check117(){
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check118=""
|
CHECK_ID_check118="1.18"
|
||||||
CHECK_TITLE_check118=""
|
CHECK_TITLE_check118="Ensure IAM Master and IAM Manager roles are active (Scored)"
|
||||||
CHECK_SCORED_check118=""
|
CHECK_SCORED_check118="SCORED"
|
||||||
CHECK_TYPE_check118=""
|
|
||||||
CHECK_ALTERNATE_check118="check118"
|
CHECK_ALTERNATE_check118="check118"
|
||||||
|
|
||||||
check118(){
|
check118(){
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check119=""
|
CHECK_ID_check119="1.19"
|
||||||
CHECK_TITLE_check119=""
|
CHECK_TITLE_check119="Maintain current contact details (Scored)"
|
||||||
CHECK_SCORED_check119=""
|
CHECK_SCORED_check119="SCORED"
|
||||||
CHECK_TYPE_check119=""
|
|
||||||
CHECK_ALTERNATE_check119="check119"
|
CHECK_ALTERNATE_check119="check119"
|
||||||
|
|
||||||
check119(){
|
check119(){
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check12="1.2,1.02"
|
CHECK_ID_check12="1.2,1.02"
|
||||||
CHECK_TITLE_check12="Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
|
CHECK_TITLE_check12="Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
|
||||||
CHECK_SCORED_check12="SCORED"
|
CHECK_SCORED_check12="SCORED"
|
||||||
CHECK_TYPE_check12="LEVEL1"
|
|
||||||
CHECK_ALTERNATE_check102="check12"
|
CHECK_ALTERNATE_check102="check12"
|
||||||
|
|
||||||
check12(){
|
check12(){
|
||||||
|
|||||||
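Review bot: Removing `CHECK_TYPE_check12="LEVEL1"` loses the CIS level for 1.2 with no replacement on the new side, the same gap as in check11. If level is still used anywhere for profile selection or reporting, the MFA-for-console-users check would no longer be tagged Level 1; either keep `CHECK_TYPE_check12="LEVEL1"` or record the level in whichever field supersedes it. check12() begins after the hunk.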
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check120=""
|
CHECK_ID_check120="1.20"
|
||||||
CHECK_TITLE_check120=""
|
CHECK_TITLE_check120="Ensure security contact information is registered (Scored)"
|
||||||
CHECK_SCORED_check120=""
|
CHECK_SCORED_check120="SCORED"
|
||||||
CHECK_TYPE_check120=""
|
|
||||||
CHECK_ALTERNATE_check120="check120"
|
CHECK_ALTERNATE_check120="check120"
|
||||||
|
|
||||||
check120(){
|
check120(){
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check121=""
|
CHECK_ID_check121="1.21"
|
||||||
CHECK_TITLE_check121=""
|
CHECK_TITLE_check121="Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
|
||||||
CHECK_SCORED_check121=""
|
CHECK_SCORED_check121="NOT_SCORED"
|
||||||
CHECK_TYPE_check121=""
|
|
||||||
CHECK_ALTERNATE_check121="check121"
|
CHECK_ALTERNATE_check121="check121"
|
||||||
|
|
||||||
check121(){
|
check121(){
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check122=""
|
CHECK_ID_check122="1.22"
|
||||||
CHECK_TITLE_check122=""
|
CHECK_TITLE_check122="Ensure a support role has been created to manage incidents with AWS Support (Scored)"
|
||||||
CHECK_SCORED_check122=""
|
CHECK_SCORED_check122="SCORED"
|
||||||
CHECK_TYPE_check122=""
|
|
||||||
CHECK_ALTERNATE_check122="check122"
|
CHECK_ALTERNATE_check122="check122"
|
||||||
|
|
||||||
check122(){
|
check122(){
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check123=""
|
CHECK_ID_check123="1.23"
|
||||||
CHECK_TITLE_check123=""
|
CHECK_TITLE_check123="Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
|
||||||
CHECK_SCORED_check123=""
|
CHECK_SCORED_check123="NOT_SCORED"
|
||||||
CHECK_TYPE_check123=""
|
|
||||||
CHECK_ALTERNATE_check123="check123"
|
CHECK_ALTERNATE_check123="check123"
|
||||||
|
|
||||||
check123(){
|
check123(){
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check124=""
|
CHECK_ID_check124="1.24"
|
||||||
CHECK_TITLE_check124=""
|
CHECK_TITLE_check124="Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
|
||||||
CHECK_SCORED_check124=""
|
CHECK_SCORED_check124="SCORED"
|
||||||
CHECK_TYPE_check124=""
|
|
||||||
CHECK_ALTERNATE_check124="check124"
|
CHECK_ALTERNATE_check124="check124"
|
||||||
|
|
||||||
check124(){
|
check124(){
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check13=""
|
CHECK_ID_check13="1.3,1.03"
|
||||||
CHECK_TITLE_check13=""
|
CHECK_TITLE_check13="Ensure credentials unused for 90 days or greater are disabled (Scored)"
|
||||||
CHECK_SCORED_check13=""
|
CHECK_SCORED_check13="SCORED"
|
||||||
CHECK_TYPE_check13=""
|
CHECK_ALTERNATE_check103="check13"
|
||||||
CHECK_ALTERNATE_check13="check13"
|
|
||||||
|
|
||||||
check13(){
|
check13(){
|
||||||
# "Ensure credentials unused for 90 days or greater are disabled (Scored)"
|
# "Ensure credentials unused for 90 days or greater are disabled (Scored)"
|
||||||
@@ -11,8 +10,7 @@ check13(){
|
|||||||
if [[ $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED ]]; then
|
if [[ $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED ]]; then
|
||||||
COMMAND13=$(
|
COMMAND13=$(
|
||||||
for i in $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED; do
|
for i in $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED; do
|
||||||
cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$5 }' |grep $i| awk '{ print $1 }'|tr '
|
cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$5 }' |grep $i| awk '{ print $1 }'|tr '\n' ' ';
|
||||||
' ' ';
|
|
||||||
done)
|
done)
|
||||||
# list of users that have used password
|
# list of users that have used password
|
||||||
USERS_PASSWORD_USED=$($AWSCLI iam list-users --query "Users[?PasswordLastUsed].UserName" --output text $PROFILE_OPT --region $REGION)
|
USERS_PASSWORD_USED=$($AWSCLI iam list-users --query "Users[?PasswordLastUsed].UserName" --output text $PROFILE_OPT --region $REGION)
|
||||||
|
|||||||
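Review bot: `grep $i` in the loop body matches the user name anywhere in the `user password_enabled` pair, so a user named `bob` also pulls in `bobby`, and any name that is a substring of another line adds false rows to COMMAND13; the commit only rejoins the broken `tr '\n' ' '` string and leaves this as is (`$i` appears to be an IAM user name from COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED). Matching field 1 exactly fixes it and also drops the unquoted `cat $TEMP_REPORT_FILE`: `awk -F, -v u="$i" '$1 == u { print $1 }' "$TEMP_REPORT_FILE" | tr '\n' ' ';`. The loop still rescans the whole credential report once per user, which a single awk pass would avoid, but that is a larger rewrite. check13() starts and ends outside this hunk.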
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check14=""
|
CHECK_ID_check14="1.4,1.04"
|
||||||
CHECK_TITLE_check14=""
|
CHECK_TITLE_check14="Ensure access keys are rotated every 90 days or less (Scored)"
|
||||||
CHECK_SCORED_check14=""
|
CHECK_SCORED_check14="SCORED"
|
||||||
CHECK_TYPE_check14=""
|
CHECK_ALTERNATE_check104="check14"
|
||||||
CHECK_ALTERNATE_check14="check14"
|
|
||||||
|
|
||||||
check14(){
|
check14(){
|
||||||
# "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey
|
# "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check15=""
|
CHECK_ID_check15="1.5,1.05"
|
||||||
CHECK_TITLE_check15=""
|
CHECK_TITLE_check15="Ensure IAM password policy requires at least one uppercase letter (Scored)"
|
||||||
CHECK_SCORED_check15=""
|
CHECK_SCORED_check15="SCORED"
|
||||||
CHECK_TYPE_check15=""
|
CHECK_ALTERNATE_check105="check15"
|
||||||
CHECK_ALTERNATE_check15="check15"
|
|
||||||
|
|
||||||
check15(){
|
check15(){
|
||||||
# "Ensure IAM password policy requires at least one uppercase letter (Scored)"
|
# "Ensure IAM password policy requires at least one uppercase letter (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check16=""
|
CHECK_ID_check16="1.6,1.06"
|
||||||
CHECK_TITLE_check16=""
|
CHECK_TITLE_check16="Ensure IAM password policy require at least one lowercase letter (Scored)"
|
||||||
CHECK_SCORED_check16=""
|
CHECK_SCORED_check16="SCORED"
|
||||||
CHECK_TYPE_check16=""
|
CHECK_ALTERNATE_check106="check16"
|
||||||
CHECK_ALTERNATE_check16="check16"
|
|
||||||
|
|
||||||
check16(){
|
check16(){
|
||||||
# "Ensure IAM password policy require at least one lowercase letter (Scored)"
|
# "Ensure IAM password policy require at least one lowercase letter (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check17=""
|
CHECK_ID_check17="1.7,1.07"
|
||||||
CHECK_TITLE_check17=""
|
CHECK_TITLE_check17="Ensure IAM password policy require at least one symbol (Scored)"
|
||||||
CHECK_SCORED_check17=""
|
CHECK_SCORED_check17="SCORED"
|
||||||
CHECK_TYPE_check17=""
|
CHECK_ALTERNATE_check107="check17"
|
||||||
CHECK_ALTERNATE_check17="check17"
|
|
||||||
|
|
||||||
check17(){
|
check17(){
|
||||||
# "Ensure IAM password policy require at least one symbol (Scored)"
|
# "Ensure IAM password policy require at least one symbol (Scored)"
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check18=""
|
CHECK_ID_check18="1.8,1.08"
|
||||||
CHECK_TITLE_check18=""
|
CHECK_TITLE_check18="Ensure IAM password policy require at least one number (Scored)"
|
||||||
CHECK_SCORED_check18=""
|
CHECK_SCORED_check18="SCORED"
|
||||||
CHECK_TYPE_check18=""
|
|
||||||
CHECK_ALTERNATE_check18="check18"
|
CHECK_ALTERNATE_check18="check18"
|
||||||
|
|
||||||
check18(){
|
check18(){
|
||||||
|
|||||||
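Review bot: check18 is the only two-digit check in this commit that keeps the self-referencing `CHECK_ALTERNATE_check18="check18"` and gains no three-digit alias; check13 through check17 and check19 each replace that line with `CHECK_ALTERNATE_check10N="checkNN"`. If the alias map is what lets a `check108` request resolve, 1.08 has no route to this check. Adding `CHECK_ALTERNATE_check108="check18"` would match its siblings. check18() begins after the hunk.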
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check19=""
|
CHECK_ID_check19="1.9,1.09"
|
||||||
CHECK_TITLE_check19=""
|
CHECK_TITLE_check19="Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
|
||||||
CHECK_SCORED_check19=""
|
CHECK_SCORED_check19="SCORED"
|
||||||
CHECK_TYPE_check19=""
|
CHECK_ALTERNATE_check109="check19"
|
||||||
CHECK_ALTERNATE_check19="check19"
|
|
||||||
|
|
||||||
check19(){
|
check19(){
|
||||||
# "Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
|
# "Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check21=""
|
CHECK_ID_check21="2.1,2.01"
|
||||||
CHECK_TITLE_check21=""
|
CHECK_TITLE_check21="Ensure CloudTrail is enabled in all regions (Scored)"
|
||||||
CHECK_SCORED_check21=""
|
CHECK_SCORED_check21="SCORED"
|
||||||
CHECK_TYPE_check21=""
|
CHECK_ALTERNATE_check201="check21"
|
||||||
CHECK_ALTERNATE_check21="check21"
|
|
||||||
|
|
||||||
check21(){
|
check21(){
|
||||||
# "Ensure CloudTrail is enabled in all regions (Scored)"
|
# "Ensure CloudTrail is enabled in all regions (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check22=""
|
CHECK_ID_check22="2.2,2.02"
|
||||||
CHECK_TITLE_check22=""
|
CHECK_TITLE_check22="Ensure CloudTrail log file validation is enabled (Scored)"
|
||||||
CHECK_SCORED_check22=""
|
CHECK_SCORED_check22="SCORED"
|
||||||
CHECK_TYPE_check22=""
|
CHECK_ALTERNATE_check202="check22"
|
||||||
CHECK_ALTERNATE_check22="check22"
|
|
||||||
|
|
||||||
check22(){
|
check22(){
|
||||||
# "Ensure CloudTrail log file validation is enabled (Scored)"
|
# "Ensure CloudTrail log file validation is enabled (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check23=""
|
CHECK_ID_check23="2.3,2.03"
|
||||||
CHECK_TITLE_check23=""
|
CHECK_TITLE_check23="Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
|
||||||
CHECK_SCORED_check23=""
|
CHECK_SCORED_check23="SCORED"
|
||||||
CHECK_TYPE_check23=""
|
CHECK_ALTERNATE_check203="check23"
|
||||||
CHECK_ALTERNATE_check23="check23"
|
|
||||||
|
|
||||||
check23(){
|
check23(){
|
||||||
# "Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
|
# "Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check24=""
|
CHECK_ID_check24="2.4,2.04"
|
||||||
CHECK_TITLE_check24=""
|
CHECK_TITLE_check24="Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
|
||||||
CHECK_SCORED_check24=""
|
CHECK_SCORED_check24="SCORED"
|
||||||
CHECK_TYPE_check24=""
|
CHECK_ALTERNATE_check204="check24"
|
||||||
CHECK_ALTERNATE_check24="check24"
|
|
||||||
|
|
||||||
check24(){
|
check24(){
|
||||||
# "Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
|
# "Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check25=""
|
CHECK_ID_check25="2.5,2.05"
|
||||||
CHECK_TITLE_check25=""
|
CHECK_TITLE_check25="Ensure AWS Config is enabled in all regions (Scored)"
|
||||||
CHECK_SCORED_check25=""
|
CHECK_SCORED_check25="SCORED"
|
||||||
CHECK_TYPE_check25=""
|
CHECK_ALTERNATE_check205="check25"
|
||||||
CHECK_ALTERNATE_check25="check25"
|
|
||||||
|
|
||||||
check25(){
|
check25(){
|
||||||
# "Ensure AWS Config is enabled in all regions (Scored)"
|
# "Ensure AWS Config is enabled in all regions (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check26=""
|
CHECK_ID_check26="2.6,2.06"
|
||||||
CHECK_TITLE_check26=""
|
CHECK_TITLE_check26="Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
|
||||||
CHECK_SCORED_check26=""
|
CHECK_SCORED_check26="SCORED"
|
||||||
CHECK_TYPE_check26=""
|
CHECK_ALTERNATE_check206="check26"
|
||||||
CHECK_ALTERNATE_check26="check26"
|
|
||||||
|
|
||||||
check26(){
|
check26(){
|
||||||
# "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
|
# "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check27=""
|
CHECK_ID_check27="2.7,2.07"
|
||||||
CHECK_TITLE_check27=""
|
CHECK_TITLE_check27="Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
|
||||||
CHECK_SCORED_check27=""
|
CHECK_SCORED_check27="SCORED"
|
||||||
CHECK_TYPE_check27=""
|
CHECK_ALTERNATE_check207="check27"
|
||||||
CHECK_ALTERNATE_check27="check27"
|
|
||||||
|
|
||||||
check27(){
|
check27(){
|
||||||
# "Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
|
# "Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check28=""
|
CHECK_ID_check28="2.8,2.08"
|
||||||
CHECK_TITLE_check28=""
|
CHECK_TITLE_check28="Ensure rotation for customer created CMKs is enabled (Scored)"
|
||||||
CHECK_SCORED_check28=""
|
CHECK_SCORED_check28="SCORED"
|
||||||
CHECK_TYPE_check28=""
|
CHECK_ALTERNATE_check208="check28"
|
||||||
CHECK_ALTERNATE_check28="check28"
|
|
||||||
|
|
||||||
check28(){
|
check28(){
|
||||||
# "Ensure rotation for customer created CMKs is enabled (Scored)"
|
# "Ensure rotation for customer created CMKs is enabled (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check31=""
|
CHECK_ID_check31="3.1,3.01"
|
||||||
CHECK_TITLE_check31=""
|
CHECK_TITLE_check31="Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
|
||||||
CHECK_SCORED_check31=""
|
CHECK_SCORED_check31="SCORED"
|
||||||
CHECK_TYPE_check31=""
|
CHECK_ALTERNATE_check301="check31"
|
||||||
CHECK_ALTERNATE_check31="check31"
|
|
||||||
|
|
||||||
check31(){
|
check31(){
|
||||||
# "Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
|
# "Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check310=""
|
CHECK_ID_check310="3.10"
|
||||||
CHECK_TITLE_check310=""
|
CHECK_TITLE_check310="Ensure a log metric filter and alarm exist for security group changes (Scored)"
|
||||||
CHECK_SCORED_check310=""
|
CHECK_SCORED_check310="SCORED"
|
||||||
CHECK_TYPE_check310=""
|
|
||||||
CHECK_ALTERNATE_check310="check310"
|
CHECK_ALTERNATE_check310="check310"
|
||||||
|
|
||||||
check310(){
|
check310(){
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check311=""
|
CHECK_ID_check311="3.11"
|
||||||
CHECK_TITLE_check311=""
|
CHECK_TITLE_check311="Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)"
|
||||||
CHECK_SCORED_check311=""
|
CHECK_SCORED_check311="SCORED"
|
||||||
CHECK_TYPE_check311=""
|
|
||||||
CHECK_ALTERNATE_check311="check311"
|
CHECK_ALTERNATE_check311="check311"
|
||||||
|
|
||||||
check311(){
|
check311(){
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check312=""
|
CHECK_ID_check312="3.12"
|
||||||
CHECK_TITLE_check312=""
|
CHECK_TITLE_check312="Ensure a log metric filter and alarm exist for changes to network gateways (Scored)"
|
||||||
CHECK_SCORED_check312=""
|
CHECK_SCORED_check312="SCORED"
|
||||||
CHECK_TYPE_check312=""
|
|
||||||
CHECK_ALTERNATE_check312="check312"
|
CHECK_ALTERNATE_check312="check312"
|
||||||
|
|
||||||
check312(){
|
check312(){
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check313=""
|
CHECK_ID_check313="3.13"
|
||||||
CHECK_TITLE_check313=""
|
CHECK_TITLE_check313="Ensure a log metric filter and alarm exist for route table changes (Scored)"
|
||||||
CHECK_SCORED_check313=""
|
CHECK_SCORED_check313="SCORED"
|
||||||
CHECK_TYPE_check313=""
|
|
||||||
CHECK_ALTERNATE_check313="check313"
|
CHECK_ALTERNATE_check313="check313"
|
||||||
|
|
||||||
check313(){
|
check313(){
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check314=""
|
CHECK_ID_check314="3.14"
|
||||||
CHECK_TITLE_check314=""
|
CHECK_TITLE_check314="Ensure a log metric filter and alarm exist for VPC changes (Scored)"
|
||||||
CHECK_SCORED_check314=""
|
CHECK_SCORED_check314="SCORED"
|
||||||
CHECK_TYPE_check314=""
|
|
||||||
CHECK_ALTERNATE_check314="check314"
|
CHECK_ALTERNATE_check314="check314"
|
||||||
|
|
||||||
check314(){
|
check314(){
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
CHECK_ID_check315=""
|
CHECK_ID_check315="3.15"
|
||||||
CHECK_TITLE_check315=""
|
CHECK_TITLE_check315="Ensure appropriate subscribers to each SNS topic (Not Scored)"
|
||||||
CHECK_SCORED_check315=""
|
CHECK_SCORED_check315="SCORED"
|
||||||
CHECK_TYPE_check315=""
|
|
||||||
CHECK_ALTERNATE_check315="check315"
|
CHECK_ALTERNATE_check315="check315"
|
||||||
|
|
||||||
check315(){
|
check315(){
|
||||||
|
|||||||
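Review bot: `CHECK_SCORED_check315="SCORED"` disagrees with the title on the row above, which ends in "(Not Scored)". Elsewhere in this commit unscored items are marked `NOT_SCORED`, so this should be `CHECK_SCORED_check315="NOT_SCORED"`; otherwise an SNS-subscriber review that is advisory by its own title gets reported as a scored failure. check315() begins after the hunk.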
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check32=""
|
CHECK_ID_check32="3.2,3.02"
|
||||||
CHECK_TITLE_check32=""
|
CHECK_TITLE_check32="Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)"
|
||||||
CHECK_SCORED_check32=""
|
CHECK_SCORED_check32="SCORED"
|
||||||
CHECK_TYPE_check32=""
|
CHECK_ALTERNATE_check302="check32"
|
||||||
CHECK_ALTERNATE_check32="check32"
|
|
||||||
|
|
||||||
check32(){
|
check32(){
|
||||||
# "Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)"
|
# "Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check33=""
|
CHECK_ID_check33="3.3,3.03"
|
||||||
CHECK_TITLE_check33=""
|
CHECK_TITLE_check33="Ensure a log metric filter and alarm exist for usage of root account (Scored)"
|
||||||
CHECK_SCORED_check33=""
|
CHECK_SCORED_check33="SCORED"
|
||||||
CHECK_TYPE_check33=""
|
CHECK_ALTERNATE_check303="check33"
|
||||||
CHECK_ALTERNATE_check33="check33"
|
|
||||||
|
|
||||||
check33(){
|
check33(){
|
||||||
# "Ensure a log metric filter and alarm exist for usage of root account (Scored)"
|
# "Ensure a log metric filter and alarm exist for usage of root account (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check34=""
|
CHECK_ID_check34="3.4,3.04"
|
||||||
CHECK_TITLE_check34=""
|
CHECK_TITLE_check34="Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
|
||||||
CHECK_SCORED_check34=""
|
CHECK_SCORED_check34="SCORED"
|
||||||
CHECK_TYPE_check34=""
|
CHECK_ALTERNATE_check304="check34"
|
||||||
CHECK_ALTERNATE_check34="check34"
|
|
||||||
|
|
||||||
check34(){
|
check34(){
|
||||||
# "Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
|
# "Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check35=""
|
CHECK_ID_check35="3.5,3.05"
|
||||||
CHECK_TITLE_check35=""
|
CHECK_TITLE_check35="Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
|
||||||
CHECK_SCORED_check35=""
|
CHECK_SCORED_check35="SCORED"
|
||||||
CHECK_TYPE_check35=""
|
CHECK_ALTERNATE_check305="check35"
|
||||||
CHECK_ALTERNATE_check35="check35"
|
|
||||||
|
|
||||||
check35(){
|
check35(){
|
||||||
# "Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
|
# "Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check36=""
|
CHECK_ID_check36="3.6,3.06"
|
||||||
CHECK_TITLE_check36=""
|
CHECK_TITLE_check36="Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)"
|
||||||
CHECK_SCORED_check36=""
|
CHECK_SCORED_check36="SCORED"
|
||||||
CHECK_TYPE_check36=""
|
CHECK_ALTERNATE_check306="check36"
|
||||||
CHECK_ALTERNATE_check36="check36"
|
|
||||||
|
|
||||||
check36(){
|
check36(){
|
||||||
# "Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)"
|
# "Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check37=""
|
CHECK_ID_check37="3.7,3.07"
|
||||||
CHECK_TITLE_check37=""
|
CHECK_TITLE_check37="Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)"
|
||||||
CHECK_SCORED_check37=""
|
CHECK_SCORED_check37="SCORED"
|
||||||
CHECK_TYPE_check37=""
|
CHECK_ALTERNATE_check307="check37"
|
||||||
CHECK_ALTERNATE_check37="check37"
|
|
||||||
|
|
||||||
check37(){
|
check37(){
|
||||||
# "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)"
|
# "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check38=""
|
CHECK_ID_check38="3.8,3.08"
|
||||||
CHECK_TITLE_check38=""
|
CHECK_TITLE_check38="Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)"
|
||||||
CHECK_SCORED_check38=""
|
CHECK_SCORED_check38="SCORED"
|
||||||
CHECK_TYPE_check38=""
|
CHECK_ALTERNATE_check308="check38"
|
||||||
CHECK_ALTERNATE_check38="check38"
|
|
||||||
|
|
||||||
check38(){
|
check38(){
|
||||||
# "Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)"
|
# "Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check39=""
|
CHECK_ID_check39="3.9,3.09"
|
||||||
CHECK_TITLE_check39=""
|
CHECK_TITLE_check39="Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)"
|
||||||
CHECK_SCORED_check39=""
|
CHECK_SCORED_check39="SCORED"
|
||||||
CHECK_TYPE_check39=""
|
CHECK_ALTERNATE_check309="check39"
|
||||||
CHECK_ALTERNATE_check39="check39"
|
|
||||||
|
|
||||||
check39(){
|
check39(){
|
||||||
# "Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)"
|
# "Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check41=""
|
CHECK_ID_check41="4.1,4.01"
|
||||||
CHECK_TITLE_check41=""
|
CHECK_TITLE_check41="Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)"
|
||||||
CHECK_SCORED_check41=""
|
CHECK_SCORED_check41="SCORED"
|
||||||
CHECK_TYPE_check41=""
|
CHECK_ALTERNATE_check401="check41"
|
||||||
CHECK_ALTERNATE_check41="check41"
|
|
||||||
|
|
||||||
check41(){
|
check41(){
|
||||||
# "Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)"
|
# "Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check42=""
|
CHECK_ID_check42="4.2,4.02"
|
||||||
CHECK_TITLE_check42=""
|
CHECK_TITLE_check42="Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)"
|
||||||
CHECK_SCORED_check42=""
|
CHECK_SCORED_check42="SCORED"
|
||||||
CHECK_TYPE_check42=""
|
CHECK_ALTERNATE_check402="check42"
|
||||||
CHECK_ALTERNATE_check42="check42"
|
|
||||||
|
|
||||||
check42(){
|
check42(){
|
||||||
# "Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)"
|
# "Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check43=""
|
CHECK_ID_check43="4.3,4.03"
|
||||||
CHECK_TITLE_check43=""
|
CHECK_TITLE_check43="Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
|
||||||
CHECK_SCORED_check43=""
|
CHECK_SCORED_check43="SCORED"
|
||||||
CHECK_TYPE_check43=""
|
CHECK_ALTERNATE_check403="check43"
|
||||||
CHECK_ALTERNATE_check43="check43"
|
|
||||||
|
|
||||||
check43(){
|
check43(){
|
||||||
# "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
|
# "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check44=""
|
CHECK_ID_check44="4.4,4.04"
|
||||||
CHECK_TITLE_check44=""
|
CHECK_TITLE_check44="Ensure the default security group of every VPC restricts all traffic (Scored)"
|
||||||
CHECK_SCORED_check44=""
|
CHECK_SCORED_check44="SCORED"
|
||||||
CHECK_TYPE_check44=""
|
CHECK_ALTERNATE_check404="check44"
|
||||||
CHECK_ALTERNATE_check44="check44"
|
|
||||||
|
|
||||||
check44(){
|
check44(){
|
||||||
# "Ensure the default security group of every VPC restricts all traffic (Scored)"
|
# "Ensure the default security group of every VPC restricts all traffic (Scored)"
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
CHECK_ID_check45=""
|
CHECK_ID_check45="4.5,4.05"
|
||||||
CHECK_TITLE_check45=""
|
CHECK_TITLE_check45="Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
|
||||||
CHECK_SCORED_check45=""
|
CHECK_SCORED_check45="NOT_SCORED"
|
||||||
CHECK_TYPE_check45=""
|
CHECK_ALTERNATE_check405="check45"
|
||||||
CHECK_ALTERNATE_check45="check45"
|
|
||||||
|
|
||||||
check45(){
|
check45(){
|
||||||
# "Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
|
# "Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
|
||||||
|
|||||||
@@ -1,13 +1,13 @@
|
|||||||
CHECK_ID_check_extra71=""
|
CHECK_ID_extra71="7.1,7.01"
|
||||||
CHECK_TITLE_check_extra71=""
|
CHECK_TITLE_extra71="Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra71=""
|
CHECK_SCORED_extra71="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra71=""
|
CHECK_ALTERNATE_extra701="extra71"
|
||||||
CHECK_ALTERNATE_check_extra71="check_extra71"
|
CHECK_ALTERNATE_check71="extra71"
|
||||||
|
CHECK_ALTERNATE_check701="extra71"
|
||||||
|
|
||||||
extra71(){
|
extra71(){
|
||||||
# "Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
|
# "Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
|
||||||
textTitle "$ID71" "$TITLE71" "NOT_SCORED" "EXTRA"
|
textTitle "$ID71" "$TITLE71" "NOT_SCORED" "EXTRA"
|
||||||
|
|
||||||
ADMIN_GROUPS=''
|
ADMIN_GROUPS=''
|
||||||
AWS_GROUPS=$($AWSCLI $PROFILE_OPT iam list-groups --output text --query 'Groups[].GroupName')
|
AWS_GROUPS=$($AWSCLI $PROFILE_OPT iam list-groups --output text --query 'Groups[].GroupName')
|
||||||
for grp in $AWS_GROUPS; do
|
for grp in $AWS_GROUPS; do
|
||||||
@@ -33,5 +33,4 @@ extra71(){
|
|||||||
textNotice "$grp group provides non-administrative access"
|
textNotice "$grp group provides non-administrative access"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
# set +x
|
|
||||||
}
|
}
|
||||||
|
|||||||
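Review bot: The context line `textTitle "$ID71" "$TITLE71" "NOT_SCORED" "EXTRA"` still reads `$ID71` and `$TITLE71`, while the hunk now stores this check's metadata in `CHECK_ID_extra71` and `CHECK_TITLE_extra71`; unless ID71/TITLE71 are still set somewhere by the runner, the printed header for this check is blank. Reading the new variables keeps the header in step with the metadata: `textTitle "$CHECK_ID_extra71" "$CHECK_TITLE_extra71" "$CHECK_SCORED_extra71" "EXTRA"`. extra71() continues past this hunk.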
@@ -1,8 +1,8 @@
|
|||||||
CHECK_ID_check_extra710=""
|
CHECK_ID_extra710="7.10"
|
||||||
CHECK_TITLE_check_extra710=""
|
CHECK_TITLE_extra710="Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra710=""
|
CHECK_SCORED_extra710="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra710=""
|
CHECK_ALTERNATE_extra710="extra710"
|
||||||
CHECK_ALTERNATE_check_extra710="check_extra710"
|
CHECK_ALTERNATE_check710="extra710"
|
||||||
|
|
||||||
extra710(){
|
extra710(){
|
||||||
# "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
|
# "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
|||||||
@@ -1,8 +1,8 @@
|
|||||||
CHECK_ID_check_extra711=""
|
CHECK_ID_extra711="7.11"
|
||||||
CHECK_TITLE_check_extra711=""
|
CHECK_TITLE_extra711="Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra711=""
|
CHECK_SCORED_extra711="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra711=""
|
CHECK_ALTERNATE_extra711="extra711"
|
||||||
CHECK_ALTERNATE_check_extra711="check_extra711"
|
CHECK_ALTERNATE_check711="extra711"
|
||||||
|
|
||||||
extra711(){
|
extra711(){
|
||||||
# "Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
|
# "Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
|||||||
@@ -1,8 +1,8 @@
|
|||||||
CHECK_ID_check_extra712=""
|
CHECK_ID_extra712="7.12"
|
||||||
CHECK_TITLE_check_extra712=""
|
CHECK_TITLE_extra712="Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra712=""
|
CHECK_SCORED_extra712="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra712=""
|
CHECK_ALTERNATE_extra712="extra712"
|
||||||
CHECK_ALTERNATE_check_extra712="check_extra712"
|
CHECK_ALTERNATE_check712="extra712"
|
||||||
|
|
||||||
extra712(){
|
extra712(){
|
||||||
# "Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
|
# "Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
|||||||
@@ -1,8 +1,8 @@
|
|||||||
CHECK_ID_check_extra713=""
|
CHECK_ID_extra713="7.13"
|
||||||
CHECK_TITLE_check_extra713=""
|
CHECK_TITLE_extra713="Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra713=""
|
CHECK_SCORED_extra713="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra713=""
|
CHECK_ALTERNATE_extra713="extra713"
|
||||||
CHECK_ALTERNATE_check_extra713="check_extra713"
|
CHECK_ALTERNATE_check713="extra713"
|
||||||
|
|
||||||
extra713(){
|
extra713(){
|
||||||
# "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
|
# "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
|||||||
@@ -1,8 +1,8 @@
|
|||||||
CHECK_ID_check_extra714=""
|
CHECK_ID_extra714="7.14"
|
||||||
CHECK_TITLE_check_extra714=""
|
CHECK_TITLE_extra714="Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra714=""
|
CHECK_SCORED_extra714="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra714=""
|
CHECK_ALTERNATE_extra714="extra714"
|
||||||
CHECK_ALTERNATE_check_extra714="check_extra714"
|
CHECK_ALTERNATE_check714="extra714"
|
||||||
|
|
||||||
extra714(){
|
extra714(){
|
||||||
# "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
|
# "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
|||||||
@@ -1,11 +1,10 @@
|
|||||||
CHECK_ID_check_extra715=""
|
CHECK_ID_extra715="7.15"
|
||||||
CHECK_TITLE_check_extra715=""
|
CHECK_TITLE_extra715="Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra715=""
|
CHECK_SCORED_extra715="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra715=""
|
CHECK_ALTERNATE_extra715="extra715"
|
||||||
CHECK_ALTERNATE_check_extra715="check_extra715"
|
CHECK_ALTERNATE_check715="extra715"
|
||||||
|
|
||||||
extra715(){
|
extra715(){
|
||||||
# "Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)"
|
|
||||||
textTitle "$ID715" "$TITLE715" "NOT_SCORED" "EXTRA"
|
textTitle "$ID715" "$TITLE715" "NOT_SCORED" "EXTRA"
|
||||||
for regx in $REGIONS; do
|
for regx in $REGIONS; do
|
||||||
LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text)
|
LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text)
|
||||||
|
|||||||
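Review bot: The context line `textTitle "$ID715" "$TITLE715" "NOT_SCORED" "EXTRA"` still reads the old ID715/TITLE715 variables, which this hunk replaces with CHECK_ID_extra715 and CHECK_TITLE_extra715, so once execute_check calls show_check_title and then the function, the title is printed correctly once and then again with an empty id and title. Either drop the in-function textTitle call now that show_check_title owns the heading, or point it at the new variables. The same stale call is visible in extra71's second hunk (`textTitle "$ID71" "$TITLE71" "NOT_SCORED" "EXTRA"`); the remainder of extra715's body lies outside the hunk, so other checks may carry it too.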
@@ -1,8 +1,8 @@
|
|||||||
CHECK_ID_check_extra716=""
|
CHECK_ID_extra716="7.16"
|
||||||
CHECK_TITLE_check_extra716=""
|
CHECK_TITLE_extra716="Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra716=""
|
CHECK_SCORED_extra716="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra716=""
|
CHECK_ALTERNATE_extra716="extra716"
|
||||||
CHECK_ALTERNATE_check_extra716="check_extra716"
|
CHECK_ALTERNATE_check716="extra716"
|
||||||
|
|
||||||
extra716(){
|
extra716(){
|
||||||
# "Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)"
|
# "Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
|||||||
@@ -1,8 +1,8 @@
|
|||||||
CHECK_ID_check_extra717=""
|
CHECK_ID_extra717="7.17"
|
||||||
CHECK_TITLE_check_extra717=""
|
CHECK_TITLE_extra717="Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra717=""
|
CHECK_SCORED_extra717="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra717=""
|
CHECK_ALTERNATE_extra717="extra717"
|
||||||
CHECK_ALTERNATE_check_extra717="check_extra717"
|
CHECK_ALTERNATE_check717="extra717"
|
||||||
|
|
||||||
extra717(){
|
extra717(){
|
||||||
# "Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
|
# "Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
|||||||
@@ -1,8 +1,8 @@
|
|||||||
CHECK_ID_check_extra718=""
|
CHECK_ID_extra718="7.18"
|
||||||
CHECK_TITLE_check_extra718=""
|
CHECK_TITLE_extra718="Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra718=""
|
CHECK_SCORED_extra718="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra718=""
|
CHECK_ALTERNATE_extra718="extra718"
|
||||||
CHECK_ALTERNATE_check_extra718="check_extra718"
|
CHECK_ALTERNATE_check718="extra718"
|
||||||
|
|
||||||
extra718(){
|
extra718(){
|
||||||
# "Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
|
# "Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
|||||||
@@ -1,8 +1,8 @@
|
|||||||
CHECK_ID_check_extra719=""
|
CHECK_ID_extra719="7.19"
|
||||||
CHECK_TITLE_check_extra719=""
|
CHECK_TITLE_extra719="Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra719=""
|
CHECK_SCORED_extra719="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra719=""
|
CHECK_ALTERNATE_extra719="extra719"
|
||||||
CHECK_ALTERNATE_check_extra719="check_extra719"
|
CHECK_ALTERNATE_check719="extra719"
|
||||||
|
|
||||||
extra719(){
|
extra719(){
|
||||||
# "Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)"
|
# "Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
|||||||
@@ -1,8 +1,9 @@
|
|||||||
CHECK_ID_check_extra72=""
|
CHECK_ID_extra72="7.2,7.02"
|
||||||
CHECK_TITLE_check_extra72=""
|
CHECK_TITLE_extra72="Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra72=""
|
CHECK_SCORED_extra72="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra72=""
|
CHECK_ALTERNATE_extra702="extra72"
|
||||||
CHECK_ALTERNATE_check_extra72="check_extra72"
|
CHECK_ALTERNATE_check72="extra72"
|
||||||
|
CHECK_ALTERNATE_check702="extra72"
|
||||||
|
|
||||||
extra72(){
|
extra72(){
|
||||||
# "Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
|
# "Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
|||||||
@@ -1,8 +1,8 @@
|
|||||||
CHECK_ID_check_extra720=""
|
CHECK_ID_extra720="7.20"
|
||||||
CHECK_TITLE_check_extra720=""
|
CHECK_TITLE_extra720="Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra720=""
|
CHECK_SCORED_extra720="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra720=""
|
CHECK_ALTERNATE_extra720="extra720"
|
||||||
CHECK_ALTERNATE_check_extra720="check_extra720"
|
CHECK_ALTERNATE_check720="extra720"
|
||||||
|
|
||||||
extra720(){
|
extra720(){
|
||||||
# "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
|
# "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
|||||||
@@ -1,8 +1,8 @@
|
|||||||
CHECK_ID_check_extra721=""
|
CHECK_ID_extra721="7.21"
|
||||||
CHECK_TITLE_check_extra721=""
|
CHECK_TITLE_extra721="Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra721=""
|
CHECK_SCORED_extra721="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra721=""
|
CHECK_ALTERNATE_extra721="extra721"
|
||||||
CHECK_ALTERNATE_check_extra721="check_extra721"
|
CHECK_ALTERNATE_check721="extra721"
|
||||||
|
|
||||||
extra721(){
|
extra721(){
|
||||||
# "Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)"
|
# "Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
|||||||
@@ -1,8 +1,8 @@
|
|||||||
CHECK_ID_check_extra722=""
|
CHECK_ID_extra722="7.22"
|
||||||
CHECK_TITLE_check_extra722=""
|
CHECK_TITLE_extra722="Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra722=""
|
CHECK_SCORED_extra722="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra722=""
|
CHECK_ALTERNATE_check722="extra722"
|
||||||
CHECK_ALTERNATE_check_extra722="check_extra722"
|
CHECK_ALTERNATE_extra722="extra722"
|
||||||
|
|
||||||
extra722(){
|
extra722(){
|
||||||
# "Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)"
|
# "Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
|||||||
@@ -1,8 +1,8 @@
|
|||||||
CHECK_ID_check_extra723=""
|
CHECK_ID_extra723="7.23"
|
||||||
CHECK_TITLE_check_extra723=""
|
CHECK_TITLE_extra723="Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra723=""
|
CHECK_SCORED_extra723="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra723=""
|
CHECK_ALTERNATE_check723="extra723"
|
||||||
CHECK_ALTERNATE_check_extra723="check_extra723"
|
CHECK_ALTERNATE_extra723="extra723"
|
||||||
|
|
||||||
extra723(){
|
extra723(){
|
||||||
# "Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)"
|
# "Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
|||||||
@@ -1,8 +1,9 @@
|
|||||||
CHECK_ID_check_extra73=""
|
CHECK_ID_extra73="7.3,7.03"
|
||||||
CHECK_TITLE_check_extra73=""
|
CHECK_TITLE_extra73="Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra73=""
|
CHECK_SCORED_extra73="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra73=""
|
CHECK_ALTERNATE_extra703="extra73"
|
||||||
CHECK_ALTERNATE_check_extra73="check_extra73"
|
CHECK_ALTERNATE_check73="extra73"
|
||||||
|
CHECK_ALTERNATE_check703="extra73"
|
||||||
|
|
||||||
extra73(){
|
extra73(){
|
||||||
# "Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)"
|
# "Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
|||||||
@@ -1,8 +1,9 @@
|
|||||||
CHECK_ID_check_extra74=""
|
CHECK_ID_extra74="7.4,7.04"
|
||||||
CHECK_TITLE_check_extra74=""
|
CHECK_TITLE_extra74="Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra74=""
|
CHECK_SCORED_extra74="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra74=""
|
CHECK_ALTERNATE_extra704="extra74"
|
||||||
CHECK_ALTERNATE_check_extra74="check_extra74"
|
CHECK_ALTERNATE_check74="extra74"
|
||||||
|
CHECK_ALTERNATE_check704="extra74"
|
||||||
|
|
||||||
extra74(){
|
extra74(){
|
||||||
# "Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)"
|
# "Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
|||||||
@@ -1,8 +1,9 @@
|
|||||||
CHECK_ID_check_extra75=""
|
CHECK_ID_extra75="7.5,7.05"
|
||||||
CHECK_TITLE_check_extra75=""
|
CHECK_TITLE_extra75="Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra75=""
|
CHECK_SCORED_extra75="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra75=""
|
CHECK_ALTERNATE_extra705="extra75"
|
||||||
CHECK_ALTERNATE_check_extra75="check_extra75"
|
CHECK_ALTERNATE_check75="extra75"
|
||||||
|
CHECK_ALTERNATE_check705="extra75"
|
||||||
|
|
||||||
extra75(){
|
extra75(){
|
||||||
# "Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)"
|
# "Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
|||||||
@@ -1,8 +1,9 @@
|
|||||||
CHECK_ID_check_extra76=""
|
CHECK_ID_extra76="7.6,7.06"
|
||||||
CHECK_TITLE_check_extra76=""
|
CHECK_TITLE_extra76="Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra76=""
|
CHECK_SCORED_extra76="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra76=""
|
CHECK_ALTERNATE_extra706="extra76"
|
||||||
CHECK_ALTERNATE_check_extra76="check_extra76"
|
CHECK_ALTERNATE_check76="extra76"
|
||||||
|
CHECK_ALTERNATE_check706="extra76"
|
||||||
|
|
||||||
extra76(){
|
extra76(){
|
||||||
# "Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)"
|
# "Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
|||||||
@@ -1,8 +1,9 @@
|
|||||||
CHECK_ID_check_extra77=""
|
CHECK_ID_extra77="7.7,7.07"
|
||||||
CHECK_TITLE_check_extra77=""
|
CHECK_TITLE_extra77="Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra77=""
|
CHECK_SCORED_extra77="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra77=""
|
CHECK_ALTERNATE_extra707="extra77"
|
||||||
CHECK_ALTERNATE_check_extra77="check_extra77"
|
CHECK_ALTERNATE_check77="extra77"
|
||||||
|
CHECK_ALTERNATE_check707="extra77"
|
||||||
|
|
||||||
extra77(){
|
extra77(){
|
||||||
# "Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)"
|
# "Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
|||||||
@@ -1,8 +1,9 @@
|
|||||||
CHECK_ID_check_extra78=""
|
CHECK_ID_extra78="7.8,7.08"
|
||||||
CHECK_TITLE_check_extra78=""
|
CHECK_TITLE_extra78="Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra78=""
|
CHECK_SCORED_extra78="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra78=""
|
CHECK_ALTERNATE_extra708="extra78"
|
||||||
CHECK_ALTERNATE_check_extra78="check_extra78"
|
CHECK_ALTERNATE_check78="extra78"
|
||||||
|
CHECK_ALTERNATE_check708="extra78"
|
||||||
|
|
||||||
extra78(){
|
extra78(){
|
||||||
# "Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)"
|
# "Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
|||||||
@@ -1,8 +1,9 @@
|
|||||||
CHECK_ID_check_extra79=""
|
CHECK_ID_extra79="7.9,7.09"
|
||||||
CHECK_TITLE_check_extra79=""
|
CHECK_TITLE_extra79="Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)"
|
||||||
CHECK_SCORED_check_extra79=""
|
CHECK_SCORED_extra79="NOT_SCORED"
|
||||||
CHECK_TYPE_check_extra79=""
|
CHECK_ALTERNATE_extra709="extra79"
|
||||||
CHECK_ALTERNATE_check_extra79="check_extra79"
|
CHECK_ALTERNATE_check79="extra79"
|
||||||
|
CHECK_ALTERNATE_check709="extra79"
|
||||||
|
|
||||||
extra79(){
|
extra79(){
|
||||||
# "Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)"
|
# "Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)"
|
||||||
|
|||||||
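--- /dev/null
+++ b/groups/group0_init
@@ -0,0 +1,6 @@
+GROUP_ID[0]='init' # this group make easier to understand the array of groups
+GROUP_NUMBER[0]='0.0'
+GROUP_TITLE[0]='Init ****************************************************************'
+GROUP_RUN_BY_DEFAULT[0]='N' # run it when execute_all is called
+GROUP_CHECKS[0]=''
+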
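Review bot: The trailing comment on the GROUP_ID line is hard to parse; `# placeholder at index 0 so group indices line up with GROUP_NUMBER; never executed` states the intent more clearly. Because this file matches the `groups/group[0-9]*` glob it is sourced with the real groups; execute_all skips it through GROUP_RUN_BY_DEFAULT[0]='N', but show_all_titles iterates every index of GROUP_TITLE, so the "Init" heading will be listed with no checks under it unless that loop skips groups whose GROUP_CHECKS is empty.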
@@ -1,5 +1,5 @@
|
|||||||
GROUP_ID[1]="group1"
|
GROUP_ID[1]='group1'
|
||||||
GROUP_NUMBER[1]="1.0"
|
GROUP_NUMBER[1]='1.0'
|
||||||
GROUP_TITLE[1]="Identity and Access Management ****************************************"
|
GROUP_TITLE[1]='Identity and Access Management ****************************************'
|
||||||
GROUP_RUN_BY_DEFAULT[1]="Y" # run it when execute_all is called
|
GROUP_RUN_BY_DEFAULT[1]='Y' # run it when execute_all is called
|
||||||
GROUP_CHECKS[1]="check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check123,check124"
|
GROUP_CHECKS[1]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check123,check124'
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
GROUP_ID[2]="group2"
|
GROUP_ID[2]='group2'
|
||||||
GROUP_NUMBER[2]="2.0"
|
GROUP_NUMBER[2]='2.0'
|
||||||
GROUP_TITLE[2]="Logging ***************************************************************"
|
GROUP_TITLE[2]='Logging ***************************************************************'
|
||||||
GROUP_RUN_BY_DEFAULT[2]="Y" # run it when execute_all is called
|
GROUP_RUN_BY_DEFAULT[2]='Y' # run it when execute_all is called
|
||||||
GROUP_CHECKS[2]="check21,check22,check23,check24,check25,check26,check27,check28"
|
GROUP_CHECKS[2]='check21,check22,check23,check24,check25,check26,check27,check28'
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
GROUP_ID[3]="group3"
|
GROUP_ID[3]='group3'
|
||||||
GROUP_NUMBER[3]="3.0"
|
GROUP_NUMBER[3]='3.0'
|
||||||
GROUP_TITLE[3]="Monitoring ************************************************************"
|
GROUP_TITLE[3]='Monitoring ************************************************************'
|
||||||
GROUP_RUN_BY_DEFAULT[3]="Y" # run it when execute_all is called
|
GROUP_RUN_BY_DEFAULT[3]='Y' # run it when execute_all is called
|
||||||
GROUP_CHECKS[3]="check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check315"
|
GROUP_CHECKS[3]='check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check315'
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
GROUP_ID[5]="level1"
|
GROUP_ID[5]='level1'
|
||||||
GROUP_NUMBER[5]="5.0"
|
GROUP_NUMBER[5]='5.0'
|
||||||
GROUP_TITLE[5]="CIS Level 1 **********************************************************"
|
GROUP_TITLE[5]='CIS Level 1 **********************************************************'
|
||||||
GROUP_RUN_BY_DEFAULT[5]="N" # run it when execute_all is called
|
GROUP_RUN_BY_DEFAULT[5]='N' # run it when execute_all is called
|
||||||
GROUP_CHECKS[5]="check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check115,check116,check117,check118,check119,check120,check122,check123,check124,check21,check23,check24,check25,check26,check31,check32,check33,check34,check35,check38,check312,check313,check314,check315,check41,check42"
|
GROUP_CHECKS[5]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check115,check116,check117,check118,check119,check120,check122,check123,check124,check21,check23,check24,check25,check26,check31,check32,check33,check34,check35,check38,check312,check313,check314,check315,check41,check42'
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
GROUP_ID[6]="level2"
|
GROUP_ID[6]='level2'
|
||||||
GROUP_NUMBER[6]="6.0"
|
GROUP_NUMBER[6]='6.0'
|
||||||
GROUP_TITLE[6]="CIS Level 2 **********************************************************"
|
GROUP_TITLE[6]='CIS Level 2 **********************************************************'
|
||||||
GROUP_RUN_BY_DEFAULT[6]="N" # run it when execute_all is called
|
GROUP_RUN_BY_DEFAULT[6]='N' # run it when execute_all is called
|
||||||
GROUP_CHECKS[6]="check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check123,check124,check21,check22,check23,check24,check25,check26,check27,check28,check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check315,check41,check42,check43,check44,check45"
|
GROUP_CHECKS[6]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check123,check124,check21,check22,check23,check24,check25,check26,check27,check28,check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check315,check41,check42,check43,check44,check45'
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
GROUP_ID[7]="extras"
|
GROUP_ID[7]='extras'
|
||||||
GROUP_NUMBER[7]="7.0"
|
GROUP_NUMBER[7]='7.0'
|
||||||
GROUP_TITLE[7]="Extras ****************************************************************"
|
GROUP_TITLE[7]='Extras ****************************************************************'
|
||||||
GROUP_RUN_BY_DEFAULT[7]="Y" # run it when execute_all is called
|
GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
|
||||||
GROUP_CHECKS[7]="extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723"
|
GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723'
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
GROUP_ID[8]="forensics-ready"
|
GROUP_ID[8]='forensics-ready'
|
||||||
GROUP_NUMBER[8]="8.0"
|
GROUP_NUMBER[8]='8.0'
|
||||||
GROUP_TITLE[8]="Forensics Readiness ***************************************************"
|
GROUP_TITLE[8]='Forensics Readiness ***************************************************'
|
||||||
GROUP_RUN_BY_DEFAULT[8]="N" # run it when execute_all is called
|
GROUP_RUN_BY_DEFAULT[8]='N' # run it when execute_all is called
|
||||||
GROUP_CHECKS[8]="check21,check22,check23,check24,check25,check26,check27,check43,extra712,extra713,extra714,extra715,extra717,extra718,extra719,extra720,extra721,extra722"
|
GROUP_CHECKS[8]='check21,check22,check23,check24,check25,check26,check27,check43,extra712,extra713,extra714,extra715,extra717,extra718,extra719,extra720,extra721,extra722'
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
GROUP_ID[9]="my-custom-group"
|
GROUP_ID[9]='my-custom-group'
|
||||||
GROUP_NUMBER[9]="9.0"
|
GROUP_NUMBER[9]='9.0'
|
||||||
GROUP_TITLE[9]="My Custom Group **********************************************"
|
GROUP_TITLE[9]='My Custom Group **********************************************'
|
||||||
GROUP_RUN_BY_DEFAULT[9]="N" # run it when execute_all is called
|
GROUP_RUN_BY_DEFAULT[9]='N' # run it when execute_all is called
|
||||||
GROUP_CHECKS[9]="checkNN,checkMM"
|
GROUP_CHECKS[9]='checkNN,checkMM'
|
||||||
|
|||||||
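--- a/prowler2
+++ b/prowler2
@@ -136,42 +136,20 @@ REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' \
 --region $REGION \
 --region-names $FILTERREGION)
 
-callCheck(){
-if [[ $CHECKNUMBER ]];then
-execute_check $CHECKNUMBER
-# case "$CHECKNUMBER" in
-# check11|check101 ) execute_check check11;;
-# check12|check102 ) execute_check check12;;
-# * )
-# textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";
-# esac
-cleanTemp
-exit $EXITCODE
-fi
-}
-
-# List only check tittles
-if [[ $PRINTCHECKSONLY == "1" ]]; then
-prowlerBanner
-show_all_titles
-exit $EXITCODE
-fi
-
-# Load all of the groups of checks inside groups folder named as "group*"
-for group in $(ls groups/group*); do
+# Load all of the groups of checks inside groups folder named as "groupNumber*"
+for group in $(ls groups/group[0-9]*|grep -v groupN_sample); do
 . "$group"
 done
 
 # Load all of the checks inside checks folder named as "check*"
 # this includes also extra checks since they are "check_extraNN"
-for checks in $(ls checks/check*); do
+for checks in $(ls checks/check*|grep -v check_sample); do
 . "$checks"
 done
 
 # Function to show the title of the check
 # using this way instead of arrays to keep bash3 (osx) and bash4(linux) compatibility
 show_check_title() {
-# This would just call textTitle
 local check_id=CHECK_ID_$1
 local check_title=CHECK_TITLE_$1
 local check_scored=CHECK_SCORED_$1
@@ -205,7 +183,7 @@ execute_check() {
 show_check_title $1
 $1
 else
-textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";
+textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)";
 fi
 fi
 }
@@ -231,7 +209,7 @@ execute_group_by_name() {
 
 # Function to execute all checks in all groups
 execute_all() {
-for i in ${#GROUP_TITLE[@]}; do
+for i in "${!GROUP_TITLE[@]}"; do
 if [ "${GROUP_RUN_BY_DEFAULT[$i]}" == "Y" ]; then
 execute_group $i
 fi
@@ -240,16 +218,30 @@ execute_all() {
 
 # Function to show the titles of everything
 show_all_titles() {
-for i in ${#GROUP_TITLE[@]}; do
+for i in "${!GROUP_TITLE[@]}"; do
 show_group_title $i
 # Display the title of the checks
 IFS=',' read -ra CHECKS <<< ${GROUP_CHECKS[$i]}
-for j in "${CHECKS[@]}"; do
+for j in "${GROUP_CHECKS[@]}"; do
 show_check_title $j
 done
 done
 }
 
+# Execute single check if called with -c
+if [[ $CHECKNUMBER ]];then
+execute_check $CHECKNUMBER
+cleanTemp
+exit $EXITCODE
+fi
+
+# List only check tittles
+if [[ $PRINTCHECKSONLY == "1" ]]; then
+prowlerBanner
+show_all_titles
+exit $EXITCODE
+fi
+
 ### All functions defined above ... run the workflow
 if [[ $MODE != "csv" ]]; then
 prowlerBanner
@@ -263,11 +255,5 @@ saveReport
 
 execute_all
 
-
-# if [[ ! $EXTRAS ]]; then
-# textTitle "7" "$TITLE7" "NOT_SCORED" "SUPPORT"
-# execute_group 7
-# fi
-
 cleanTemp
 exit $EXITCODE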
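Review bot: In show_all_titles the inner loop now iterates `"${GROUP_CHECKS[@]}"`, the whole array of comma-joined check lists, so for every group it passes each other group's unsplit string to show_check_title and the `IFS=',' read -ra CHECKS` on the line above is never used; the previous `for j in "${CHECKS[@]}"; do` was the correct body and should be restored. The switch to `"${!GROUP_TITLE[@]}"` in execute_all and show_all_titles is right (the old `${#...}` form produced a single count, not indices), but it now also visits the new placeholder index 0 whose GROUP_CHECKS is empty, so show_all_titles prints the "Init" heading with nothing under it; a `[[ -z ${GROUP_CHECKS[$i]} ]] && continue` before show_group_title would keep that list to real groups. The here-string `<<< ${GROUP_CHECKS[$i]}` is unquoted; `<<< "${GROUP_CHECKS[$i]}"` avoids any dependence on IFS already being changed by an earlier read. The functions whose bodies these hunks cut through (execute_check, execute_all, show_all_titles) start or end outside the hunks.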