mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 14:55:00 +00:00
first semi functional v2
This commit is contained in:
Toni de la Fuente
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check11="1.1,1.01"
|
||||
CHECK_TITLE_check11="Avoid the use of the root account (Scored)"
|
||||
CHECK_SCORED_check11="SCORED"
|
||||
CHECK_TYPE_check11="LEVEL1"
|
||||
CHECK_ALTERNATE_check101="check11"
|
||||
|
||||
check11(){
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check110=""
|
||||
CHECK_TITLE_check110=""
|
||||
CHECK_SCORED_check110=""
|
||||
CHECK_TYPE_check110=""
|
||||
CHECK_ID_check110="1.10"
|
||||
CHECK_TITLE_check110="Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
|
||||
CHECK_SCORED_check110="SCORED"
|
||||
CHECK_ALTERNATE_check110="check110"
|
||||
|
||||
check110(){
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check111=""
|
||||
CHECK_TITLE_check111=""
|
||||
CHECK_SCORED_check111=""
|
||||
CHECK_TYPE_check111=""
|
||||
CHECK_ID_check111="1.11"
|
||||
CHECK_TITLE_check111="Ensure IAM password policy expires passwords within 90 days or less (Scored)"
|
||||
CHECK_SCORED_check111="SCORED"
|
||||
CHECK_ALTERNATE_check111="check111"
|
||||
|
||||
check111(){
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check112=""
|
||||
CHECK_TITLE_check112=""
|
||||
CHECK_SCORED_check112=""
|
||||
CHECK_TYPE_check112=""
|
||||
CHECK_ID_check112="1.12"
|
||||
CHECK_TITLE_check112="Ensure no root account access key exists (Scored)"
|
||||
CHECK_SCORED_check112="SCORED"
|
||||
CHECK_ALTERNATE_check112="check112"
|
||||
|
||||
check112(){
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check113=""
|
||||
CHECK_TITLE_check113=""
|
||||
CHECK_SCORED_check113=""
|
||||
CHECK_TYPE_check113=""
|
||||
CHECK_ID_check113="1.13"
|
||||
CHECK_TITLE_check113="Ensure MFA is enabled for the root account (Scored)"
|
||||
CHECK_SCORED_check113="SCORED"
|
||||
CHECK_ALTERNATE_check113="check113"
|
||||
|
||||
check113(){
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check114=""
|
||||
CHECK_TITLE_check114=""
|
||||
CHECK_SCORED_check114=""
|
||||
CHECK_TYPE_check114=""
|
||||
CHECK_ID_check114="1.14"
|
||||
CHECK_TITLE_check114="Ensure hardware MFA is enabled for the root account (Scored)"
|
||||
CHECK_SCORED_check114="SCORED"
|
||||
CHECK_ALTERNATE_check114="check114"
|
||||
|
||||
check114(){
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check115=""
|
||||
CHECK_TITLE_check115=""
|
||||
CHECK_SCORED_check115=""
|
||||
CHECK_TYPE_check115=""
|
||||
CHECK_ID_check115="1.15"
|
||||
CHECK_TITLE_check115="Ensure security questions are registered in the AWS account (Not Scored)"
|
||||
CHECK_SCORED_check115="SCORED"
|
||||
CHECK_ALTERNATE_check115="check115"
|
||||
|
||||
check115(){
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check116=""
|
||||
CHECK_TITLE_check116=""
|
||||
CHECK_SCORED_check116=""
|
||||
CHECK_TYPE_check116=""
|
||||
CHECK_ID_check116="1.16"
|
||||
CHECK_TITLE_check116="Ensure IAM policies are attached only to groups or roles (Scored)"
|
||||
CHECK_SCORED_check116="SCORED"
|
||||
CHECK_ALTERNATE_check116="check116"
|
||||
|
||||
check116(){
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check117=""
|
||||
CHECK_TITLE_check117=""
|
||||
CHECK_SCORED_check117=""
|
||||
CHECK_TYPE_check117=""
|
||||
CHECK_ID_check117="1.17"
|
||||
CHECK_TITLE_check117="Enable detailed billing (Scored)"
|
||||
CHECK_SCORED_check117="SCORED"
|
||||
CHECK_ALTERNATE_check117="check117"
|
||||
|
||||
check117(){
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check118=""
|
||||
CHECK_TITLE_check118=""
|
||||
CHECK_SCORED_check118=""
|
||||
CHECK_TYPE_check118=""
|
||||
CHECK_ID_check118="1.18"
|
||||
CHECK_TITLE_check118="Ensure IAM Master and IAM Manager roles are active (Scored)"
|
||||
CHECK_SCORED_check118="SCORED"
|
||||
CHECK_ALTERNATE_check118="check118"
|
||||
|
||||
check118(){
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check119=""
|
||||
CHECK_TITLE_check119=""
|
||||
CHECK_SCORED_check119=""
|
||||
CHECK_TYPE_check119=""
|
||||
CHECK_ID_check119="1.19"
|
||||
CHECK_TITLE_check119="Maintain current contact details (Scored)"
|
||||
CHECK_SCORED_check119="SCORED"
|
||||
CHECK_ALTERNATE_check119="check119"
|
||||
|
||||
check119(){
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check12="1.2,1.02"
|
||||
CHECK_TITLE_check12="Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
|
||||
CHECK_SCORED_check12="SCORED"
|
||||
CHECK_TYPE_check12="LEVEL1"
|
||||
CHECK_ALTERNATE_check102="check12"
|
||||
|
||||
check12(){
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check120=""
|
||||
CHECK_TITLE_check120=""
|
||||
CHECK_SCORED_check120=""
|
||||
CHECK_TYPE_check120=""
|
||||
CHECK_ID_check120="1.20"
|
||||
CHECK_TITLE_check120="Ensure security contact information is registered (Scored)"
|
||||
CHECK_SCORED_check120="SCORED"
|
||||
CHECK_ALTERNATE_check120="check120"
|
||||
|
||||
check120(){
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check121=""
|
||||
CHECK_TITLE_check121=""
|
||||
CHECK_SCORED_check121=""
|
||||
CHECK_TYPE_check121=""
|
||||
CHECK_ID_check121="1.21"
|
||||
CHECK_TITLE_check121="Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
|
||||
CHECK_SCORED_check121="NOT_SCORED"
|
||||
CHECK_ALTERNATE_check121="check121"
|
||||
|
||||
check121(){
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check122=""
|
||||
CHECK_TITLE_check122=""
|
||||
CHECK_SCORED_check122=""
|
||||
CHECK_TYPE_check122=""
|
||||
CHECK_ID_check122="1.22"
|
||||
CHECK_TITLE_check122="Ensure a support role has been created to manage incidents with AWS Support (Scored)"
|
||||
CHECK_SCORED_check122="SCORED"
|
||||
CHECK_ALTERNATE_check122="check122"
|
||||
|
||||
check122(){
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check123=""
|
||||
CHECK_TITLE_check123=""
|
||||
CHECK_SCORED_check123=""
|
||||
CHECK_TYPE_check123=""
|
||||
CHECK_ID_check123="1.23"
|
||||
CHECK_TITLE_check123="Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
|
||||
CHECK_SCORED_check123="NOT_SCORED"
|
||||
CHECK_ALTERNATE_check123="check123"
|
||||
|
||||
check123(){
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check124=""
|
||||
CHECK_TITLE_check124=""
|
||||
CHECK_SCORED_check124=""
|
||||
CHECK_TYPE_check124=""
|
||||
CHECK_ID_check124="1.24"
|
||||
CHECK_TITLE_check124="Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
|
||||
CHECK_SCORED_check124="SCORED"
|
||||
CHECK_ALTERNATE_check124="check124"
|
||||
|
||||
check124(){
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check13=""
|
||||
CHECK_TITLE_check13=""
|
||||
CHECK_SCORED_check13=""
|
||||
CHECK_TYPE_check13=""
|
||||
CHECK_ALTERNATE_check13="check13"
|
||||
CHECK_ID_check13="1.3,1.03"
|
||||
CHECK_TITLE_check13="Ensure credentials unused for 90 days or greater are disabled (Scored)"
|
||||
CHECK_SCORED_check13="SCORED"
|
||||
CHECK_ALTERNATE_check103="check13"
|
||||
|
||||
check13(){
|
||||
# "Ensure credentials unused for 90 days or greater are disabled (Scored)"
|
||||
@@ -11,8 +10,7 @@ check13(){
|
||||
if [[ $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED ]]; then
|
||||
COMMAND13=$(
|
||||
for i in $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED; do
|
||||
cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$5 }' |grep $i| awk '{ print $1 }'|tr '
|
||||
' ' ';
|
||||
cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$5 }' |grep $i| awk '{ print $1 }'|tr '\n' ' ';
|
||||
done)
|
||||
# list of users that have used password
|
||||
USERS_PASSWORD_USED=$($AWSCLI iam list-users --query "Users[?PasswordLastUsed].UserName" --output text $PROFILE_OPT --region $REGION)
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check14=""
|
||||
CHECK_TITLE_check14=""
|
||||
CHECK_SCORED_check14=""
|
||||
CHECK_TYPE_check14=""
|
||||
CHECK_ALTERNATE_check14="check14"
|
||||
CHECK_ID_check14="1.4,1.04"
|
||||
CHECK_TITLE_check14="Ensure access keys are rotated every 90 days or less (Scored)"
|
||||
CHECK_SCORED_check14="SCORED"
|
||||
CHECK_ALTERNATE_check104="check14"
|
||||
|
||||
check14(){
|
||||
# "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check15=""
|
||||
CHECK_TITLE_check15=""
|
||||
CHECK_SCORED_check15=""
|
||||
CHECK_TYPE_check15=""
|
||||
CHECK_ALTERNATE_check15="check15"
|
||||
CHECK_ID_check15="1.5,1.05"
|
||||
CHECK_TITLE_check15="Ensure IAM password policy requires at least one uppercase letter (Scored)"
|
||||
CHECK_SCORED_check15="SCORED"
|
||||
CHECK_ALTERNATE_check105="check15"
|
||||
|
||||
check15(){
|
||||
# "Ensure IAM password policy requires at least one uppercase letter (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check16=""
|
||||
CHECK_TITLE_check16=""
|
||||
CHECK_SCORED_check16=""
|
||||
CHECK_TYPE_check16=""
|
||||
CHECK_ALTERNATE_check16="check16"
|
||||
CHECK_ID_check16="1.6,1.06"
|
||||
CHECK_TITLE_check16="Ensure IAM password policy require at least one lowercase letter (Scored)"
|
||||
CHECK_SCORED_check16="SCORED"
|
||||
CHECK_ALTERNATE_check106="check16"
|
||||
|
||||
check16(){
|
||||
# "Ensure IAM password policy require at least one lowercase letter (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check17=""
|
||||
CHECK_TITLE_check17=""
|
||||
CHECK_SCORED_check17=""
|
||||
CHECK_TYPE_check17=""
|
||||
CHECK_ALTERNATE_check17="check17"
|
||||
CHECK_ID_check17="1.7,1.07"
|
||||
CHECK_TITLE_check17="Ensure IAM password policy require at least one symbol (Scored)"
|
||||
CHECK_SCORED_check17="SCORED"
|
||||
CHECK_ALTERNATE_check107="check17"
|
||||
|
||||
check17(){
|
||||
# "Ensure IAM password policy require at least one symbol (Scored)"
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check18=""
|
||||
CHECK_TITLE_check18=""
|
||||
CHECK_SCORED_check18=""
|
||||
CHECK_TYPE_check18=""
|
||||
CHECK_ID_check18="1.8,1.08"
|
||||
CHECK_TITLE_check18="Ensure IAM password policy require at least one number (Scored)"
|
||||
CHECK_SCORED_check18="SCORED"
|
||||
CHECK_ALTERNATE_check18="check18"
|
||||
|
||||
check18(){
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check19=""
|
||||
CHECK_TITLE_check19=""
|
||||
CHECK_SCORED_check19=""
|
||||
CHECK_TYPE_check19=""
|
||||
CHECK_ALTERNATE_check19="check19"
|
||||
CHECK_ID_check19="1.9,1.09"
|
||||
CHECK_TITLE_check19="Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
|
||||
CHECK_SCORED_check19="SCORED"
|
||||
CHECK_ALTERNATE_check109="check19"
|
||||
|
||||
check19(){
|
||||
# "Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check21=""
|
||||
CHECK_TITLE_check21=""
|
||||
CHECK_SCORED_check21=""
|
||||
CHECK_TYPE_check21=""
|
||||
CHECK_ALTERNATE_check21="check21"
|
||||
CHECK_ID_check21="2.1,2.01"
|
||||
CHECK_TITLE_check21="Ensure CloudTrail is enabled in all regions (Scored)"
|
||||
CHECK_SCORED_check21="SCORED"
|
||||
CHECK_ALTERNATE_check201="check21"
|
||||
|
||||
check21(){
|
||||
# "Ensure CloudTrail is enabled in all regions (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check22=""
|
||||
CHECK_TITLE_check22=""
|
||||
CHECK_SCORED_check22=""
|
||||
CHECK_TYPE_check22=""
|
||||
CHECK_ALTERNATE_check22="check22"
|
||||
CHECK_ID_check22="2.2,2.02"
|
||||
CHECK_TITLE_check22="Ensure CloudTrail log file validation is enabled (Scored)"
|
||||
CHECK_SCORED_check22="SCORED"
|
||||
CHECK_ALTERNATE_check202="check22"
|
||||
|
||||
check22(){
|
||||
# "Ensure CloudTrail log file validation is enabled (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check23=""
|
||||
CHECK_TITLE_check23=""
|
||||
CHECK_SCORED_check23=""
|
||||
CHECK_TYPE_check23=""
|
||||
CHECK_ALTERNATE_check23="check23"
|
||||
CHECK_ID_check23="2.3,2.03"
|
||||
CHECK_TITLE_check23="Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
|
||||
CHECK_SCORED_check23="SCORED"
|
||||
CHECK_ALTERNATE_check203="check23"
|
||||
|
||||
check23(){
|
||||
# "Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check24=""
|
||||
CHECK_TITLE_check24=""
|
||||
CHECK_SCORED_check24=""
|
||||
CHECK_TYPE_check24=""
|
||||
CHECK_ALTERNATE_check24="check24"
|
||||
CHECK_ID_check24="2.4,2.04"
|
||||
CHECK_TITLE_check24="Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
|
||||
CHECK_SCORED_check24="SCORED"
|
||||
CHECK_ALTERNATE_check204="check24"
|
||||
|
||||
check24(){
|
||||
# "Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check25=""
|
||||
CHECK_TITLE_check25=""
|
||||
CHECK_SCORED_check25=""
|
||||
CHECK_TYPE_check25=""
|
||||
CHECK_ALTERNATE_check25="check25"
|
||||
CHECK_ID_check25="2.5,2.05"
|
||||
CHECK_TITLE_check25="Ensure AWS Config is enabled in all regions (Scored)"
|
||||
CHECK_SCORED_check25="SCORED"
|
||||
CHECK_ALTERNATE_check205="check25"
|
||||
|
||||
check25(){
|
||||
# "Ensure AWS Config is enabled in all regions (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check26=""
|
||||
CHECK_TITLE_check26=""
|
||||
CHECK_SCORED_check26=""
|
||||
CHECK_TYPE_check26=""
|
||||
CHECK_ALTERNATE_check26="check26"
|
||||
CHECK_ID_check26="2.6,2.06"
|
||||
CHECK_TITLE_check26="Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
|
||||
CHECK_SCORED_check26="SCORED"
|
||||
CHECK_ALTERNATE_check206="check26"
|
||||
|
||||
check26(){
|
||||
# "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check27=""
|
||||
CHECK_TITLE_check27=""
|
||||
CHECK_SCORED_check27=""
|
||||
CHECK_TYPE_check27=""
|
||||
CHECK_ALTERNATE_check27="check27"
|
||||
CHECK_ID_check27="2.7,2.07"
|
||||
CHECK_TITLE_check27="Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
|
||||
CHECK_SCORED_check27="SCORED"
|
||||
CHECK_ALTERNATE_check207="check27"
|
||||
|
||||
check27(){
|
||||
# "Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check28=""
|
||||
CHECK_TITLE_check28=""
|
||||
CHECK_SCORED_check28=""
|
||||
CHECK_TYPE_check28=""
|
||||
CHECK_ALTERNATE_check28="check28"
|
||||
CHECK_ID_check28="2.8,2.08"
|
||||
CHECK_TITLE_check28="Ensure rotation for customer created CMKs is enabled (Scored)"
|
||||
CHECK_SCORED_check28="SCORED"
|
||||
CHECK_ALTERNATE_check208="check28"
|
||||
|
||||
check28(){
|
||||
# "Ensure rotation for customer created CMKs is enabled (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check31=""
|
||||
CHECK_TITLE_check31=""
|
||||
CHECK_SCORED_check31=""
|
||||
CHECK_TYPE_check31=""
|
||||
CHECK_ALTERNATE_check31="check31"
|
||||
CHECK_ID_check31="3.1,3.01"
|
||||
CHECK_TITLE_check31="Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
|
||||
CHECK_SCORED_check31="SCORED"
|
||||
CHECK_ALTERNATE_check301="check31"
|
||||
|
||||
check31(){
|
||||
# "Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check310=""
|
||||
CHECK_TITLE_check310=""
|
||||
CHECK_SCORED_check310=""
|
||||
CHECK_TYPE_check310=""
|
||||
CHECK_ID_check310="3.10"
|
||||
CHECK_TITLE_check310="Ensure a log metric filter and alarm exist for security group changes (Scored)"
|
||||
CHECK_SCORED_check310="SCORED"
|
||||
CHECK_ALTERNATE_check310="check310"
|
||||
|
||||
check310(){
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check311=""
|
||||
CHECK_TITLE_check311=""
|
||||
CHECK_SCORED_check311=""
|
||||
CHECK_TYPE_check311=""
|
||||
CHECK_ID_check311="3.11"
|
||||
CHECK_TITLE_check311="Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)"
|
||||
CHECK_SCORED_check311="SCORED"
|
||||
CHECK_ALTERNATE_check311="check311"
|
||||
|
||||
check311(){
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check312=""
|
||||
CHECK_TITLE_check312=""
|
||||
CHECK_SCORED_check312=""
|
||||
CHECK_TYPE_check312=""
|
||||
CHECK_ID_check312="3.12"
|
||||
CHECK_TITLE_check312="Ensure a log metric filter and alarm exist for changes to network gateways (Scored)"
|
||||
CHECK_SCORED_check312="SCORED"
|
||||
CHECK_ALTERNATE_check312="check312"
|
||||
|
||||
check312(){
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check313=""
|
||||
CHECK_TITLE_check313=""
|
||||
CHECK_SCORED_check313=""
|
||||
CHECK_TYPE_check313=""
|
||||
CHECK_ID_check313="3.13"
|
||||
CHECK_TITLE_check313="Ensure a log metric filter and alarm exist for route table changes (Scored)"
|
||||
CHECK_SCORED_check313="SCORED"
|
||||
CHECK_ALTERNATE_check313="check313"
|
||||
|
||||
check313(){
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check314=""
|
||||
CHECK_TITLE_check314=""
|
||||
CHECK_SCORED_check314=""
|
||||
CHECK_TYPE_check314=""
|
||||
CHECK_ID_check314="3.14"
|
||||
CHECK_TITLE_check314="Ensure a log metric filter and alarm exist for VPC changes (Scored)"
|
||||
CHECK_SCORED_check314="SCORED"
|
||||
CHECK_ALTERNATE_check314="check314"
|
||||
|
||||
check314(){
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
CHECK_ID_check315=""
|
||||
CHECK_TITLE_check315=""
|
||||
CHECK_SCORED_check315=""
|
||||
CHECK_TYPE_check315=""
|
||||
CHECK_ID_check315="3.15"
|
||||
CHECK_TITLE_check315="Ensure appropriate subscribers to each SNS topic (Not Scored)"
|
||||
CHECK_SCORED_check315="SCORED"
|
||||
CHECK_ALTERNATE_check315="check315"
|
||||
|
||||
check315(){
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check32=""
|
||||
CHECK_TITLE_check32=""
|
||||
CHECK_SCORED_check32=""
|
||||
CHECK_TYPE_check32=""
|
||||
CHECK_ALTERNATE_check32="check32"
|
||||
CHECK_ID_check32="3.2,3.02"
|
||||
CHECK_TITLE_check32="Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)"
|
||||
CHECK_SCORED_check32="SCORED"
|
||||
CHECK_ALTERNATE_check302="check32"
|
||||
|
||||
check32(){
|
||||
# "Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check33=""
|
||||
CHECK_TITLE_check33=""
|
||||
CHECK_SCORED_check33=""
|
||||
CHECK_TYPE_check33=""
|
||||
CHECK_ALTERNATE_check33="check33"
|
||||
CHECK_ID_check33="3.3,3.03"
|
||||
CHECK_TITLE_check33="Ensure a log metric filter and alarm exist for usage of root account (Scored)"
|
||||
CHECK_SCORED_check33="SCORED"
|
||||
CHECK_ALTERNATE_check303="check33"
|
||||
|
||||
check33(){
|
||||
# "Ensure a log metric filter and alarm exist for usage of root account (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check34=""
|
||||
CHECK_TITLE_check34=""
|
||||
CHECK_SCORED_check34=""
|
||||
CHECK_TYPE_check34=""
|
||||
CHECK_ALTERNATE_check34="check34"
|
||||
CHECK_ID_check34="3.4,3.04"
|
||||
CHECK_TITLE_check34="Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
|
||||
CHECK_SCORED_check34="SCORED"
|
||||
CHECK_ALTERNATE_check304="check34"
|
||||
|
||||
check34(){
|
||||
# "Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check35=""
|
||||
CHECK_TITLE_check35=""
|
||||
CHECK_SCORED_check35=""
|
||||
CHECK_TYPE_check35=""
|
||||
CHECK_ALTERNATE_check35="check35"
|
||||
CHECK_ID_check35="3.5,3.05"
|
||||
CHECK_TITLE_check35="Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
|
||||
CHECK_SCORED_check35="SCORED"
|
||||
CHECK_ALTERNATE_check305="check35"
|
||||
|
||||
check35(){
|
||||
# "Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check36=""
|
||||
CHECK_TITLE_check36=""
|
||||
CHECK_SCORED_check36=""
|
||||
CHECK_TYPE_check36=""
|
||||
CHECK_ALTERNATE_check36="check36"
|
||||
CHECK_ID_check36="3.6,3.06"
|
||||
CHECK_TITLE_check36="Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)"
|
||||
CHECK_SCORED_check36="SCORED"
|
||||
CHECK_ALTERNATE_check306="check36"
|
||||
|
||||
check36(){
|
||||
# "Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check37=""
|
||||
CHECK_TITLE_check37=""
|
||||
CHECK_SCORED_check37=""
|
||||
CHECK_TYPE_check37=""
|
||||
CHECK_ALTERNATE_check37="check37"
|
||||
CHECK_ID_check37="3.7,3.07"
|
||||
CHECK_TITLE_check37="Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)"
|
||||
CHECK_SCORED_check37="SCORED"
|
||||
CHECK_ALTERNATE_check307="check37"
|
||||
|
||||
check37(){
|
||||
# "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check38=""
|
||||
CHECK_TITLE_check38=""
|
||||
CHECK_SCORED_check38=""
|
||||
CHECK_TYPE_check38=""
|
||||
CHECK_ALTERNATE_check38="check38"
|
||||
CHECK_ID_check38="3.8,3.08"
|
||||
CHECK_TITLE_check38="Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)"
|
||||
CHECK_SCORED_check38="SCORED"
|
||||
CHECK_ALTERNATE_check308="check38"
|
||||
|
||||
check38(){
|
||||
# "Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check39=""
|
||||
CHECK_TITLE_check39=""
|
||||
CHECK_SCORED_check39=""
|
||||
CHECK_TYPE_check39=""
|
||||
CHECK_ALTERNATE_check39="check39"
|
||||
CHECK_ID_check39="3.9,3.09"
|
||||
CHECK_TITLE_check39="Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)"
|
||||
CHECK_SCORED_check39="SCORED"
|
||||
CHECK_ALTERNATE_check309="check39"
|
||||
|
||||
check39(){
|
||||
# "Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check41=""
|
||||
CHECK_TITLE_check41=""
|
||||
CHECK_SCORED_check41=""
|
||||
CHECK_TYPE_check41=""
|
||||
CHECK_ALTERNATE_check41="check41"
|
||||
CHECK_ID_check41="4.1,4.01"
|
||||
CHECK_TITLE_check41="Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)"
|
||||
CHECK_SCORED_check41="SCORED"
|
||||
CHECK_ALTERNATE_check401="check41"
|
||||
|
||||
check41(){
|
||||
# "Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check42=""
|
||||
CHECK_TITLE_check42=""
|
||||
CHECK_SCORED_check42=""
|
||||
CHECK_TYPE_check42=""
|
||||
CHECK_ALTERNATE_check42="check42"
|
||||
CHECK_ID_check42="4.2,4.02"
|
||||
CHECK_TITLE_check42="Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)"
|
||||
CHECK_SCORED_check42="SCORED"
|
||||
CHECK_ALTERNATE_check402="check42"
|
||||
|
||||
check42(){
|
||||
# "Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check43=""
|
||||
CHECK_TITLE_check43=""
|
||||
CHECK_SCORED_check43=""
|
||||
CHECK_TYPE_check43=""
|
||||
CHECK_ALTERNATE_check43="check43"
|
||||
CHECK_ID_check43="4.3,4.03"
|
||||
CHECK_TITLE_check43="Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
|
||||
CHECK_SCORED_check43="SCORED"
|
||||
CHECK_ALTERNATE_check403="check43"
|
||||
|
||||
check43(){
|
||||
# "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check44=""
|
||||
CHECK_TITLE_check44=""
|
||||
CHECK_SCORED_check44=""
|
||||
CHECK_TYPE_check44=""
|
||||
CHECK_ALTERNATE_check44="check44"
|
||||
CHECK_ID_check44="4.4,4.04"
|
||||
CHECK_TITLE_check44="Ensure the default security group of every VPC restricts all traffic (Scored)"
|
||||
CHECK_SCORED_check44="SCORED"
|
||||
CHECK_ALTERNATE_check404="check44"
|
||||
|
||||
check44(){
|
||||
# "Ensure the default security group of every VPC restricts all traffic (Scored)"
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
CHECK_ID_check45=""
|
||||
CHECK_TITLE_check45=""
|
||||
CHECK_SCORED_check45=""
|
||||
CHECK_TYPE_check45=""
|
||||
CHECK_ALTERNATE_check45="check45"
|
||||
CHECK_ID_check45="4.5,4.05"
|
||||
CHECK_TITLE_check45="Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
|
||||
CHECK_SCORED_check45="NOT_SCORED"
|
||||
CHECK_ALTERNATE_check405="check45"
|
||||
|
||||
check45(){
|
||||
# "Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
|
||||
|
||||
@@ -1,13 +1,13 @@
|
||||
CHECK_ID_check_extra71=""
|
||||
CHECK_TITLE_check_extra71=""
|
||||
CHECK_SCORED_check_extra71=""
|
||||
CHECK_TYPE_check_extra71=""
|
||||
CHECK_ALTERNATE_check_extra71="check_extra71"
|
||||
CHECK_ID_extra71="7.1,7.01"
|
||||
CHECK_TITLE_extra71="Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra71="NOT_SCORED"
|
||||
CHECK_ALTERNATE_extra701="extra71"
|
||||
CHECK_ALTERNATE_check71="extra71"
|
||||
CHECK_ALTERNATE_check701="extra71"
|
||||
|
||||
extra71(){
|
||||
# "Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
textTitle "$ID71" "$TITLE71" "NOT_SCORED" "EXTRA"
|
||||
|
||||
ADMIN_GROUPS=''
|
||||
AWS_GROUPS=$($AWSCLI $PROFILE_OPT iam list-groups --output text --query 'Groups[].GroupName')
|
||||
for grp in $AWS_GROUPS; do
|
||||
@@ -33,5 +33,4 @@ extra71(){
|
||||
textNotice "$grp group provides non-administrative access"
|
||||
fi
|
||||
done
|
||||
# set +x
|
||||
}
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
CHECK_ID_check_extra710=""
|
||||
CHECK_TITLE_check_extra710=""
|
||||
CHECK_SCORED_check_extra710=""
|
||||
CHECK_TYPE_check_extra710=""
|
||||
CHECK_ALTERNATE_check_extra710="check_extra710"
|
||||
CHECK_ID_extra710="7.10"
|
||||
CHECK_TITLE_extra710="Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra710="NOT_SCORED"
|
||||
CHECK_ALTERNATE_extra710="extra710"
|
||||
CHECK_ALTERNATE_check710="extra710"
|
||||
|
||||
extra710(){
|
||||
# "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
CHECK_ID_check_extra711=""
|
||||
CHECK_TITLE_check_extra711=""
|
||||
CHECK_SCORED_check_extra711=""
|
||||
CHECK_TYPE_check_extra711=""
|
||||
CHECK_ALTERNATE_check_extra711="check_extra711"
|
||||
CHECK_ID_extra711="7.11"
|
||||
CHECK_TITLE_extra711="Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra711="NOT_SCORED"
|
||||
CHECK_ALTERNATE_extra711="extra711"
|
||||
CHECK_ALTERNATE_check711="extra711"
|
||||
|
||||
extra711(){
|
||||
# "Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
CHECK_ID_check_extra712=""
|
||||
CHECK_TITLE_check_extra712=""
|
||||
CHECK_SCORED_check_extra712=""
|
||||
CHECK_TYPE_check_extra712=""
|
||||
CHECK_ALTERNATE_check_extra712="check_extra712"
|
||||
CHECK_ID_extra712="7.12"
|
||||
CHECK_TITLE_extra712="Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra712="NOT_SCORED"
|
||||
CHECK_ALTERNATE_extra712="extra712"
|
||||
CHECK_ALTERNATE_check712="extra712"
|
||||
|
||||
extra712(){
|
||||
# "Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
CHECK_ID_check_extra713=""
|
||||
CHECK_TITLE_check_extra713=""
|
||||
CHECK_SCORED_check_extra713=""
|
||||
CHECK_TYPE_check_extra713=""
|
||||
CHECK_ALTERNATE_check_extra713="check_extra713"
|
||||
CHECK_ID_extra713="7.13"
|
||||
CHECK_TITLE_extra713="Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra713="NOT_SCORED"
|
||||
CHECK_ALTERNATE_extra713="extra713"
|
||||
CHECK_ALTERNATE_check713="extra713"
|
||||
|
||||
extra713(){
|
||||
# "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
CHECK_ID_check_extra714=""
|
||||
CHECK_TITLE_check_extra714=""
|
||||
CHECK_SCORED_check_extra714=""
|
||||
CHECK_TYPE_check_extra714=""
|
||||
CHECK_ALTERNATE_check_extra714="check_extra714"
|
||||
CHECK_ID_extra714="7.14"
|
||||
CHECK_TITLE_extra714="Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra714="NOT_SCORED"
|
||||
CHECK_ALTERNATE_extra714="extra714"
|
||||
CHECK_ALTERNATE_check714="extra714"
|
||||
|
||||
extra714(){
|
||||
# "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -1,11 +1,10 @@
|
||||
CHECK_ID_check_extra715=""
|
||||
CHECK_TITLE_check_extra715=""
|
||||
CHECK_SCORED_check_extra715=""
|
||||
CHECK_TYPE_check_extra715=""
|
||||
CHECK_ALTERNATE_check_extra715="check_extra715"
|
||||
CHECK_ID_extra715="7.15"
|
||||
CHECK_TITLE_extra715="Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra715="NOT_SCORED"
|
||||
CHECK_ALTERNATE_extra715="extra715"
|
||||
CHECK_ALTERNATE_check715="extra715"
|
||||
|
||||
extra715(){
|
||||
# "Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
textTitle "$ID715" "$TITLE715" "NOT_SCORED" "EXTRA"
|
||||
for regx in $REGIONS; do
|
||||
LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text)
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
CHECK_ID_check_extra716=""
|
||||
CHECK_TITLE_check_extra716=""
|
||||
CHECK_SCORED_check_extra716=""
|
||||
CHECK_TYPE_check_extra716=""
|
||||
CHECK_ALTERNATE_check_extra716="check_extra716"
|
||||
CHECK_ID_extra716="7.16"
|
||||
CHECK_TITLE_extra716="Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra716="NOT_SCORED"
|
||||
CHECK_ALTERNATE_extra716="extra716"
|
||||
CHECK_ALTERNATE_check716="extra716"
|
||||
|
||||
extra716(){
|
||||
# "Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
CHECK_ID_check_extra717=""
|
||||
CHECK_TITLE_check_extra717=""
|
||||
CHECK_SCORED_check_extra717=""
|
||||
CHECK_TYPE_check_extra717=""
|
||||
CHECK_ALTERNATE_check_extra717="check_extra717"
|
||||
CHECK_ID_extra717="7.17"
|
||||
CHECK_TITLE_extra717="Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra717="NOT_SCORED"
|
||||
CHECK_ALTERNATE_extra717="extra717"
|
||||
CHECK_ALTERNATE_check717="extra717"
|
||||
|
||||
extra717(){
|
||||
# "Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
CHECK_ID_check_extra718=""
|
||||
CHECK_TITLE_check_extra718=""
|
||||
CHECK_SCORED_check_extra718=""
|
||||
CHECK_TYPE_check_extra718=""
|
||||
CHECK_ALTERNATE_check_extra718="check_extra718"
|
||||
CHECK_ID_extra718="7.18"
|
||||
CHECK_TITLE_extra718="Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra718="NOT_SCORED"
|
||||
CHECK_ALTERNATE_extra718="extra718"
|
||||
CHECK_ALTERNATE_check718="extra718"
|
||||
|
||||
extra718(){
|
||||
# "Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
CHECK_ID_check_extra719=""
|
||||
CHECK_TITLE_check_extra719=""
|
||||
CHECK_SCORED_check_extra719=""
|
||||
CHECK_TYPE_check_extra719=""
|
||||
CHECK_ALTERNATE_check_extra719="check_extra719"
|
||||
CHECK_ID_extra719="7.19"
|
||||
CHECK_TITLE_extra719="Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra719="NOT_SCORED"
|
||||
CHECK_ALTERNATE_extra719="extra719"
|
||||
CHECK_ALTERNATE_check719="extra719"
|
||||
|
||||
extra719(){
|
||||
# "Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -1,8 +1,9 @@
|
||||
CHECK_ID_check_extra72=""
|
||||
CHECK_TITLE_check_extra72=""
|
||||
CHECK_SCORED_check_extra72=""
|
||||
CHECK_TYPE_check_extra72=""
|
||||
CHECK_ALTERNATE_check_extra72="check_extra72"
|
||||
CHECK_ID_extra72="7.2,7.02"
|
||||
CHECK_TITLE_extra72="Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra72="NOT_SCORED"
|
||||
CHECK_ALTERNATE_extra702="extra72"
|
||||
CHECK_ALTERNATE_check72="extra72"
|
||||
CHECK_ALTERNATE_check702="extra72"
|
||||
|
||||
extra72(){
|
||||
# "Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
CHECK_ID_check_extra720=""
|
||||
CHECK_TITLE_check_extra720=""
|
||||
CHECK_SCORED_check_extra720=""
|
||||
CHECK_TYPE_check_extra720=""
|
||||
CHECK_ALTERNATE_check_extra720="check_extra720"
|
||||
CHECK_ID_extra720="7.20"
|
||||
CHECK_TITLE_extra720="Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra720="NOT_SCORED"
|
||||
CHECK_ALTERNATE_extra720="extra720"
|
||||
CHECK_ALTERNATE_check720="extra720"
|
||||
|
||||
extra720(){
|
||||
# "Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
CHECK_ID_check_extra721=""
|
||||
CHECK_TITLE_check_extra721=""
|
||||
CHECK_SCORED_check_extra721=""
|
||||
CHECK_TYPE_check_extra721=""
|
||||
CHECK_ALTERNATE_check_extra721="check_extra721"
|
||||
CHECK_ID_extra721="7.21"
|
||||
CHECK_TITLE_extra721="Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra721="NOT_SCORED"
|
||||
CHECK_ALTERNATE_extra721="extra721"
|
||||
CHECK_ALTERNATE_check721="extra721"
|
||||
|
||||
extra721(){
|
||||
# "Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
CHECK_ID_check_extra722=""
|
||||
CHECK_TITLE_check_extra722=""
|
||||
CHECK_SCORED_check_extra722=""
|
||||
CHECK_TYPE_check_extra722=""
|
||||
CHECK_ALTERNATE_check_extra722="check_extra722"
|
||||
CHECK_ID_extra722="7.22"
|
||||
CHECK_TITLE_extra722="Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra722="NOT_SCORED"
|
||||
CHECK_ALTERNATE_check722="extra722"
|
||||
CHECK_ALTERNATE_extra722="extra722"
|
||||
|
||||
extra722(){
|
||||
# "Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
CHECK_ID_check_extra723=""
|
||||
CHECK_TITLE_check_extra723=""
|
||||
CHECK_SCORED_check_extra723=""
|
||||
CHECK_TYPE_check_extra723=""
|
||||
CHECK_ALTERNATE_check_extra723="check_extra723"
|
||||
CHECK_ID_extra723="7.23"
|
||||
CHECK_TITLE_extra723="Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra723="NOT_SCORED"
|
||||
CHECK_ALTERNATE_check723="extra723"
|
||||
CHECK_ALTERNATE_extra723="extra723"
|
||||
|
||||
extra723(){
|
||||
# "Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -1,8 +1,9 @@
|
||||
CHECK_ID_check_extra73=""
|
||||
CHECK_TITLE_check_extra73=""
|
||||
CHECK_SCORED_check_extra73=""
|
||||
CHECK_TYPE_check_extra73=""
|
||||
CHECK_ALTERNATE_check_extra73="check_extra73"
|
||||
CHECK_ID_extra73="7.3,7.03"
|
||||
CHECK_TITLE_extra73="Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra73="NOT_SCORED"
|
||||
CHECK_ALTERNATE_extra703="extra73"
|
||||
CHECK_ALTERNATE_check73="extra73"
|
||||
CHECK_ALTERNATE_check703="extra73"
|
||||
|
||||
extra73(){
|
||||
# "Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -1,8 +1,9 @@
|
||||
CHECK_ID_check_extra74=""
|
||||
CHECK_TITLE_check_extra74=""
|
||||
CHECK_SCORED_check_extra74=""
|
||||
CHECK_TYPE_check_extra74=""
|
||||
CHECK_ALTERNATE_check_extra74="check_extra74"
|
||||
CHECK_ID_extra74="7.4,7.04"
|
||||
CHECK_TITLE_extra74="Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra74="NOT_SCORED"
|
||||
CHECK_ALTERNATE_extra704="extra74"
|
||||
CHECK_ALTERNATE_check74="extra74"
|
||||
CHECK_ALTERNATE_check704="extra74"
|
||||
|
||||
extra74(){
|
||||
# "Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -1,8 +1,9 @@
|
||||
CHECK_ID_check_extra75=""
|
||||
CHECK_TITLE_check_extra75=""
|
||||
CHECK_SCORED_check_extra75=""
|
||||
CHECK_TYPE_check_extra75=""
|
||||
CHECK_ALTERNATE_check_extra75="check_extra75"
|
||||
CHECK_ID_extra75="7.5,7.05"
|
||||
CHECK_TITLE_extra75="Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra75="NOT_SCORED"
|
||||
CHECK_ALTERNATE_extra705="extra75"
|
||||
CHECK_ALTERNATE_check75="extra75"
|
||||
CHECK_ALTERNATE_check705="extra75"
|
||||
|
||||
extra75(){
|
||||
# "Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -1,8 +1,9 @@
|
||||
CHECK_ID_check_extra76=""
|
||||
CHECK_TITLE_check_extra76=""
|
||||
CHECK_SCORED_check_extra76=""
|
||||
CHECK_TYPE_check_extra76=""
|
||||
CHECK_ALTERNATE_check_extra76="check_extra76"
|
||||
CHECK_ID_extra76="7.6,7.06"
|
||||
CHECK_TITLE_extra76="Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra76="NOT_SCORED"
|
||||
CHECK_ALTERNATE_extra706="extra76"
|
||||
CHECK_ALTERNATE_check76="extra76"
|
||||
CHECK_ALTERNATE_check706="extra76"
|
||||
|
||||
extra76(){
|
||||
# "Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -1,8 +1,9 @@
|
||||
CHECK_ID_check_extra77=""
|
||||
CHECK_TITLE_check_extra77=""
|
||||
CHECK_SCORED_check_extra77=""
|
||||
CHECK_TYPE_check_extra77=""
|
||||
CHECK_ALTERNATE_check_extra77="check_extra77"
|
||||
CHECK_ID_extra77="7.7,7.07"
|
||||
CHECK_TITLE_extra77="Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra77="NOT_SCORED"
|
||||
CHECK_ALTERNATE_extra707="extra77"
|
||||
CHECK_ALTERNATE_check77="extra77"
|
||||
CHECK_ALTERNATE_check707="extra77"
|
||||
|
||||
extra77(){
|
||||
# "Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -1,8 +1,9 @@
|
||||
CHECK_ID_check_extra78=""
|
||||
CHECK_TITLE_check_extra78=""
|
||||
CHECK_SCORED_check_extra78=""
|
||||
CHECK_TYPE_check_extra78=""
|
||||
CHECK_ALTERNATE_check_extra78="check_extra78"
|
||||
CHECK_ID_extra78="7.8,7.08"
|
||||
CHECK_TITLE_extra78="Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra78="NOT_SCORED"
|
||||
CHECK_ALTERNATE_extra708="extra78"
|
||||
CHECK_ALTERNATE_check78="extra78"
|
||||
CHECK_ALTERNATE_check708="extra78"
|
||||
|
||||
extra78(){
|
||||
# "Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
@@ -1,8 +1,9 @@
|
||||
CHECK_ID_check_extra79=""
|
||||
CHECK_TITLE_check_extra79=""
|
||||
CHECK_SCORED_check_extra79=""
|
||||
CHECK_TYPE_check_extra79=""
|
||||
CHECK_ALTERNATE_check_extra79="check_extra79"
|
||||
CHECK_ID_extra79="7.9,7.09"
|
||||
CHECK_TITLE_extra79="Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)"
|
||||
CHECK_SCORED_extra79="NOT_SCORED"
|
||||
CHECK_ALTERNATE_extra709="extra79"
|
||||
CHECK_ALTERNATE_check79="extra79"
|
||||
CHECK_ALTERNATE_check709="extra79"
|
||||
|
||||
extra79(){
|
||||
# "Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)"
|
||||
|
||||
6
groups/group0_init
Normal file
6
groups/group0_init
Normal file
@@ -0,0 +1,6 @@
|
||||
GROUP_ID[0]='init' # this group make easier to understand the array of groups
|
||||
GROUP_NUMBER[0]='0.0'
|
||||
GROUP_TITLE[0]='Init ****************************************************************'
|
||||
GROUP_RUN_BY_DEFAULT[0]='N' # run it when execute_all is called
|
||||
GROUP_CHECKS[0]=''
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
GROUP_ID[1]="group1"
|
||||
GROUP_NUMBER[1]="1.0"
|
||||
GROUP_TITLE[1]="Identity and Access Management ****************************************"
|
||||
GROUP_RUN_BY_DEFAULT[1]="Y" # run it when execute_all is called
|
||||
GROUP_CHECKS[1]="check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check123,check124"
|
||||
GROUP_ID[1]='group1'
|
||||
GROUP_NUMBER[1]='1.0'
|
||||
GROUP_TITLE[1]='Identity and Access Management ****************************************'
|
||||
GROUP_RUN_BY_DEFAULT[1]='Y' # run it when execute_all is called
|
||||
GROUP_CHECKS[1]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check123,check124'
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
GROUP_ID[2]="group2"
|
||||
GROUP_NUMBER[2]="2.0"
|
||||
GROUP_TITLE[2]="Logging ***************************************************************"
|
||||
GROUP_RUN_BY_DEFAULT[2]="Y" # run it when execute_all is called
|
||||
GROUP_CHECKS[2]="check21,check22,check23,check24,check25,check26,check27,check28"
|
||||
GROUP_ID[2]='group2'
|
||||
GROUP_NUMBER[2]='2.0'
|
||||
GROUP_TITLE[2]='Logging ***************************************************************'
|
||||
GROUP_RUN_BY_DEFAULT[2]='Y' # run it when execute_all is called
|
||||
GROUP_CHECKS[2]='check21,check22,check23,check24,check25,check26,check27,check28'
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
GROUP_ID[3]="group3"
|
||||
GROUP_NUMBER[3]="3.0"
|
||||
GROUP_TITLE[3]="Monitoring ************************************************************"
|
||||
GROUP_RUN_BY_DEFAULT[3]="Y" # run it when execute_all is called
|
||||
GROUP_CHECKS[3]="check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check315"
|
||||
GROUP_ID[3]='group3'
|
||||
GROUP_NUMBER[3]='3.0'
|
||||
GROUP_TITLE[3]='Monitoring ************************************************************'
|
||||
GROUP_RUN_BY_DEFAULT[3]='Y' # run it when execute_all is called
|
||||
GROUP_CHECKS[3]='check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check315'
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
GROUP_ID[5]="level1"
|
||||
GROUP_NUMBER[5]="5.0"
|
||||
GROUP_TITLE[5]="CIS Level 1 **********************************************************"
|
||||
GROUP_RUN_BY_DEFAULT[5]="N" # run it when execute_all is called
|
||||
GROUP_CHECKS[5]="check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check115,check116,check117,check118,check119,check120,check122,check123,check124,check21,check23,check24,check25,check26,check31,check32,check33,check34,check35,check38,check312,check313,check314,check315,check41,check42"
|
||||
GROUP_ID[5]='level1'
|
||||
GROUP_NUMBER[5]='5.0'
|
||||
GROUP_TITLE[5]='CIS Level 1 **********************************************************'
|
||||
GROUP_RUN_BY_DEFAULT[5]='N' # run it when execute_all is called
|
||||
GROUP_CHECKS[5]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check115,check116,check117,check118,check119,check120,check122,check123,check124,check21,check23,check24,check25,check26,check31,check32,check33,check34,check35,check38,check312,check313,check314,check315,check41,check42'
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
GROUP_ID[6]="level2"
|
||||
GROUP_NUMBER[6]="6.0"
|
||||
GROUP_TITLE[6]="CIS Level 2 **********************************************************"
|
||||
GROUP_RUN_BY_DEFAULT[6]="N" # run it when execute_all is called
|
||||
GROUP_CHECKS[6]="check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check123,check124,check21,check22,check23,check24,check25,check26,check27,check28,check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check315,check41,check42,check43,check44,check45"
|
||||
GROUP_ID[6]='level2'
|
||||
GROUP_NUMBER[6]='6.0'
|
||||
GROUP_TITLE[6]='CIS Level 2 **********************************************************'
|
||||
GROUP_RUN_BY_DEFAULT[6]='N' # run it when execute_all is called
|
||||
GROUP_CHECKS[6]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check123,check124,check21,check22,check23,check24,check25,check26,check27,check28,check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check315,check41,check42,check43,check44,check45'
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
GROUP_ID[7]="extras"
|
||||
GROUP_NUMBER[7]="7.0"
|
||||
GROUP_TITLE[7]="Extras ****************************************************************"
|
||||
GROUP_RUN_BY_DEFAULT[7]="Y" # run it when execute_all is called
|
||||
GROUP_CHECKS[7]="extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723"
|
||||
GROUP_ID[7]='extras'
|
||||
GROUP_NUMBER[7]='7.0'
|
||||
GROUP_TITLE[7]='Extras ****************************************************************'
|
||||
GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
|
||||
GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723'
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
GROUP_ID[8]="forensics-ready"
|
||||
GROUP_NUMBER[8]="8.0"
|
||||
GROUP_TITLE[8]="Forensics Readiness ***************************************************"
|
||||
GROUP_RUN_BY_DEFAULT[8]="N" # run it when execute_all is called
|
||||
GROUP_CHECKS[8]="check21,check22,check23,check24,check25,check26,check27,check43,extra712,extra713,extra714,extra715,extra717,extra718,extra719,extra720,extra721,extra722"
|
||||
GROUP_ID[8]='forensics-ready'
|
||||
GROUP_NUMBER[8]='8.0'
|
||||
GROUP_TITLE[8]='Forensics Readiness ***************************************************'
|
||||
GROUP_RUN_BY_DEFAULT[8]='N' # run it when execute_all is called
|
||||
GROUP_CHECKS[8]='check21,check22,check23,check24,check25,check26,check27,check43,extra712,extra713,extra714,extra715,extra717,extra718,extra719,extra720,extra721,extra722'
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
GROUP_ID[9]="my-custom-group"
|
||||
GROUP_NUMBER[9]="9.0"
|
||||
GROUP_TITLE[9]="My Custom Group **********************************************"
|
||||
GROUP_RUN_BY_DEFAULT[9]="N" # run it when execute_all is called
|
||||
GROUP_CHECKS[9]="checkNN,checkMM"
|
||||
GROUP_ID[9]='my-custom-group'
|
||||
GROUP_NUMBER[9]='9.0'
|
||||
GROUP_TITLE[9]='My Custom Group **********************************************'
|
||||
GROUP_RUN_BY_DEFAULT[9]='N' # run it when execute_all is called
|
||||
GROUP_CHECKS[9]='checkNN,checkMM'
|
||||
|
||||
56
prowler2
56
prowler2
@@ -136,42 +136,20 @@ REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' \
|
||||
--region $REGION \
|
||||
--region-names $FILTERREGION)
|
||||
|
||||
callCheck(){
|
||||
if [[ $CHECKNUMBER ]];then
|
||||
execute_check $CHECKNUMBER
|
||||
# case "$CHECKNUMBER" in
|
||||
# check11|check101 ) execute_check check11;;
|
||||
# check12|check102 ) execute_check check12;;
|
||||
# * )
|
||||
# textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";
|
||||
# esac
|
||||
cleanTemp
|
||||
exit $EXITCODE
|
||||
fi
|
||||
}
|
||||
|
||||
# List only check tittles
|
||||
if [[ $PRINTCHECKSONLY == "1" ]]; then
|
||||
prowlerBanner
|
||||
show_all_titles
|
||||
exit $EXITCODE
|
||||
fi
|
||||
|
||||
# Load all of the groups of checks inside groups folder named as "group*"
|
||||
for group in $(ls groups/group*); do
|
||||
# Load all of the groups of checks inside groups folder named as "groupNumber*"
|
||||
for group in $(ls groups/group[0-9]*|grep -v groupN_sample); do
|
||||
. "$group"
|
||||
done
|
||||
|
||||
# Load all of the checks inside checks folder named as "check*"
|
||||
# this includes also extra checks since they are "check_extraNN"
|
||||
for checks in $(ls checks/check*); do
|
||||
for checks in $(ls checks/check*|grep -v check_sample); do
|
||||
. "$checks"
|
||||
done
|
||||
|
||||
# Function to show the title of the check
|
||||
# using this way instead of arrays to keep bash3 (osx) and bash4(linux) compatibility
|
||||
show_check_title() {
|
||||
# This would just call textTitle
|
||||
local check_id=CHECK_ID_$1
|
||||
local check_title=CHECK_TITLE_$1
|
||||
local check_scored=CHECK_SCORED_$1
|
||||
@@ -205,7 +183,7 @@ execute_check() {
|
||||
show_check_title $1
|
||||
$1
|
||||
else
|
||||
textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";
|
||||
textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)";
|
||||
fi
|
||||
fi
|
||||
}
|
||||
@@ -231,7 +209,7 @@ execute_group_by_name() {
|
||||
|
||||
# Function to execute all checks in all groups
|
||||
execute_all() {
|
||||
for i in ${#GROUP_TITLE[@]}; do
|
||||
for i in "${!GROUP_TITLE[@]}"; do
|
||||
if [ "${GROUP_RUN_BY_DEFAULT[$i]}" == "Y" ]; then
|
||||
execute_group $i
|
||||
fi
|
||||
@@ -240,16 +218,30 @@ execute_all() {
|
||||
|
||||
# Function to show the titles of everything
|
||||
show_all_titles() {
|
||||
for i in ${#GROUP_TITLE[@]}; do
|
||||
for i in "${!GROUP_TITLE[@]}"; do
|
||||
show_group_title $i
|
||||
# Display the title of the checks
|
||||
IFS=',' read -ra CHECKS <<< ${GROUP_CHECKS[$i]}
|
||||
for j in "${CHECKS[@]}"; do
|
||||
for j in "${GROUP_CHECKS[@]}"; do
|
||||
show_check_title $j
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
# Execute single check if called with -c
|
||||
if [[ $CHECKNUMBER ]];then
|
||||
execute_check $CHECKNUMBER
|
||||
cleanTemp
|
||||
exit $EXITCODE
|
||||
fi
|
||||
|
||||
# List only check tittles
|
||||
if [[ $PRINTCHECKSONLY == "1" ]]; then
|
||||
prowlerBanner
|
||||
show_all_titles
|
||||
exit $EXITCODE
|
||||
fi
|
||||
|
||||
### All functions defined above ... run the workflow
|
||||
if [[ $MODE != "csv" ]]; then
|
||||
prowlerBanner
|
||||
@@ -263,11 +255,5 @@ saveReport
|
||||
|
||||
execute_all
|
||||
|
||||
|
||||
# if [[ ! $EXTRAS ]]; then
|
||||
# textTitle "7" "$TITLE7" "NOT_SCORED" "SUPPORT"
|
||||
# execute_group 7
|
||||
# fi
|
||||
|
||||
cleanTemp
|
||||
exit $EXITCODE
|
||||
|
||||
Reference in New Issue
Block a user