ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 23:05:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #171 from toniblyx/master

Browse Source 
Fixed extra79 and added extra717
This commit is contained in:
Toni de la Fuente
2018-02-09 17:22:43 -05:00
committed by GitHub
parent d38e5aa088 1281867bd4
commit da86408431
2 changed files with 54 additions and 267 deletions
Download Patch File Download Diff File Expand all files Collapse all files

261
README.md
View File

@@ -25,7 +25,7 @@ It covers hardening and security best practices for all AWS regions related to:
- Logging (8 checks)
- Monitoring (15 checks)
- Networking (5 checks)
- Extras (12 checks) *see Extras section
- Extras (17 checks) *see Extras section
- Forensics related checks
For a comprehesive list and resolution look at the guide on the link above.
@@ -150,263 +150,6 @@ USAGE:
- Sample screnshot of single check for check 3.3:
<img width="1006" alt="screenshot 2016-09-14 13 20 46" src="https://cloud.githubusercontent.com/assets/3985464/18522590/a04ca9a6-7a7e-11e6-8730-b545c9204990.png">
- Sample of a full report:
```
$ ./prowler
_
_ __ _ __ _____ _| | ___ _ __
| '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
| |_) | | | (_) \ V V /| | __/ |
| .__/|_| \___/ \_/\_/ |_|\___|_|
|_| CIS based AWS Account Hardening Tool
Date: Wed Sep 14 13:30:13 EDT 2016
This report is being generated using credentials below:
AWS-CLI Profile: [default] AWS Region: [us-east-1]
--------------------------------------------------------------------------------------
| GetCallerIdentity |
+--------------+-------------------------------------------+-------------------------+
| Account | Arn | UserId |
+--------------+-------------------------------------------+-------------------------+
| XXXXXXXXXXXX| arn:aws:iam::XXXXXXXXXXXX:user/toni | XXXXXXXXXXXXXXXXXXXXX |
+--------------+-------------------------------------------+-------------------------+
Colors Code for results: INFORMATIVE, OK (RECOMMENDED VALUE), CRITICAL (FIX REQUIRED)
Generating AWS IAM Credential Report....COMPLETE
1 Identity and Access Management *********************************
1.1 Avoid the use of the root account (Scored). Last time root account was used
(password last used, access_key_1_last_used, access_key_2_last_used):
2016-08-11T20:59:27+00:00, N/A, N/A
1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)
List of users with Password enabled but MFA disabled:
toni
1.3 Ensure credentials unused for 90 days or greater are disabled (Scored)
User list:
toni
1.4 Ensure access keys are rotated every 90 days or less (Scored)
Users with access key 1 older than 90 days:
<root_account>
Users with access key 2 older than 90 days:
1.5 Ensure IAM password policy requires at least one uppercase letter (Scored)
FALSE
1.6 Ensure IAM password policy require at least one lowercase letter (Scored)
FALSE
1.7 Ensure IAM password policy require at least one symbol (Scored)
FALSE
1.8 Ensure IAM password policy require at least one number (Scored)
FALSE
1.9 Ensure IAM password policy requires minimum length of 14 or greater (Scored)
FALSE
1.10 Ensure IAM password policy prevents password reuse (Scored)
FALSE
1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored)
FALSE
1.12 Ensure no root account access key exists (Scored)
Found access key 1
OK No access key 2 found
1.13 Ensure hardware MFA is enabled for the root account (Scored)
OK
1.14 Ensure security questions are registered in the AWS account (Not Scored)
No command available for check 1.14
Login to the AWS Console as root, click on the Account
Name -> My Account -> Configure Security Challenge Questions
1.15 Ensure IAM policies are attached only to groups or roles (Scored)
Users with policy attached to them instead to groups: (it may take few seconds...)
toni
2 Logging ********************************************************
2.1 Ensure CloudTrail is enabled in all regions (Scored)
FALSE
2.2 Ensure CloudTrail log file validation is enabled (Scored)
FALSE
2.3 Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)
WARNING! CloudTrail bucket doesn't exist!
2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)
WARNING! No CloudTrail trails found!
2.5 Ensure AWS Config is enabled in all regions (Scored)
WARNING! Region ap-south-1 has AWS Config disabled or not configured
WARNING! Region eu-west-1 has AWS Config disabled or not configured
WARNING! Region ap-southeast-1 has AWS Config disabled or not configured
WARNING! Region ap-southeast-2 has AWS Config disabled or not configured
WARNING! Region eu-central-1 has AWS Config disabled or not configured
WARNING! Region ap-northeast-2 has AWS Config disabled or not configured
WARNING! Region ap-northeast-1 has AWS Config disabled or not configured
WARNING! Region us-east-1 has AWS Config disabled or not configured
WARNING! Region sa-east-1 has AWS Config disabled or not configured
WARNING! Region us-west-1 has AWS Config disabled or not configured
WARNING! Region us-west-2 has AWS Config disabled or not configured
2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)
WARNING! CloudTrail bucket doesn't exist!
2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)
WARNING! CloudTrail bucket doesn't exist!
2.8 Ensure rotation for customer created CMKs is enabled (Scored)
Region ap-south-1 doesn't have encryption keys
Region eu-west-1 doesn't have encryption keys
Region ap-southeast-1 doesn't have encryption keys
Region ap-southeast-2 doesn't have encryption keys
Region eu-central-1 doesn't have encryption keys
Region ap-northeast-2 doesn't have encryption keys
Region ap-northeast-1 doesn't have encryption keys
WARNING! Key a0e988df-bc84-423f-996c-XXXX in Region us-east-1 is not set to rotate!
Region sa-east-1 doesn't have encryption keys
Region us-west-1 doesn't have encryption keys
Region us-west-2 doesn't have encryption keys
3 Monitoring *****************************************************
3.1 Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.3 Ensure a log metric filter and alarm exist for usage of root account (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.4 Ensure a log metric filter and alarm exist for IAM policy changes (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.10 Ensure a log metric filter and alarm exist for security group changes (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.13 Ensure a log metric filter and alarm exist for route table changes (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored)
WARNING! No CloudWatch group found, no metric filters or alarms associated
3.15 Ensure security contact information is registered (Scored)
No command available for check 3.15
Login to the AWS Console, click on My Account
Go to Alternate Contacts -> make sure Security section is filled
3.16 Ensure appropriate subscribers to each SNS topic (Not Scored)
Region ap-south-1 doesn't have topics
Region eu-west-1 doesn't have topics
Region ap-southeast-1 doesn't have topics
Region ap-southeast-2 doesn't have topics
Region eu-central-1 doesn't have topics
Region ap-northeast-2 doesn't have topics
Region ap-northeast-1 doesn't have topics
Region us-east-1 doesn't have topics
Region sa-east-1 doesn't have topics
Region us-west-1 doesn't have topics
Region us-west-2 doesn't have topics
4 Networking **************************************************
4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)
OK, No Security Groups found in ap-south-1 with port 22 TCP open to 0.0.0.0/0
OK, No Security Groups found in eu-west-1 with port 22 TCP open to 0.0.0.0/0
OK, No Security Groups found in ap-southeast-1 with port 22 TCP open to 0.0.0.0/0
OK, No Security Groups found in ap-southeast-2 with port 22 TCP open to 0.0.0.0/0
OK, No Security Groups found in eu-central-1 with port 22 TCP open to 0.0.0.0/0
OK, No Security Groups found in ap-northeast-2 with port 22 TCP open to 0.0.0.0/0
OK, No Security Groups found in ap-northeast-1 with port 22 TCP open to 0.0.0.0/0
OK, No Security Groups found in us-east-1 with port 22 TCP open to 0.0.0.0/0
OK, No Security Groups found in sa-east-1 with port 22 TCP open to 0.0.0.0/0
OK, No Security Groups found in us-west-1 with port 22 TCP open to 0.0.0.0/0
OK, No Security Groups found in us-west-2 with port 22 TCP open to 0.0.0.0/0
4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)
OK, No Security Groups found in ap-south-1 with port 3389 TCP open to 0.0.0.0/0
OK, No Security Groups found in eu-west-1 with port 3389 TCP open to 0.0.0.0/0
OK, No Security Groups found in ap-southeast-1 with port 3389 TCP open to 0.0.0.0/0
OK, No Security Groups found in ap-southeast-2 with port 3389 TCP open to 0.0.0.0/0
OK, No Security Groups found in eu-central-1 with port 3389 TCP open to 0.0.0.0/0
OK, No Security Groups found in ap-northeast-2 with port 3389 TCP open to 0.0.0.0/0
OK, No Security Groups found in ap-northeast-1 with port 3389 TCP open to 0.0.0.0/0
OK, No Security Groups found in us-east-1 with port 3389 TCP open to 0.0.0.0/0
OK, No Security Groups found in sa-east-1 with port 3389 TCP open to 0.0.0.0/0
OK, No Security Groups found in us-west-1 with port 3389 TCP open to 0.0.0.0/0
OK, No Security Groups found in us-west-2 with port 3389 TCP open to 0.0.0.0/0
4.3 Ensure VPC Flow Logging is Enabled in all Applicable Regions (Scored)
WARNING! no VPCFlowLog has been found in Region ap-south-1
WARNING! no VPCFlowLog has been found in Region eu-west-1
WARNING! no VPCFlowLog has been found in Region ap-southeast-1
WARNING! no VPCFlowLog has been found in Region ap-southeast-2
WARNING! no VPCFlowLog has been found in Region eu-central-1
WARNING! no VPCFlowLog has been found in Region ap-northeast-2
WARNING! no VPCFlowLog has been found in Region ap-northeast-1
WARNING! no VPCFlowLog has been found in Region us-east-1
WARNING! no VPCFlowLog has been found in Region sa-east-1
WARNING! no VPCFlowLog has been found in Region us-west-1
WARNING! no VPCFlowLog has been found in Region us-west-2
4.4 Ensure the default security group restricts all traffic (Scored)
WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-south-1
WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region eu-west-1
WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-southeast-1
WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-southeast-2
WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region eu-central-1
WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-northeast-2
WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-northeast-1
OK, no Default Security Groups open to 0.0.0.0 found in Region us-east-1
WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region sa-east-1
WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region us-west-1
OK, no Default Security Groups open to 0.0.0.0 found in Region us-west-2
- For more information and reference:
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
```
## Troubleshooting
### STS expired token
@@ -601,6 +344,7 @@ At this moment we have 16 extra checks:
- 7.14 (`extra714`) Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
- 7.15 (`extra715`) Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)
- 7.16 (`extra716`) Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)
- 7.17 (`extra717`) Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)
To check all extras in one command:
@@ -627,6 +371,7 @@ With this group of checks, Prowler looks if each service with logging or audit c
- 7.13 Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)
- 7.14 Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
- 7.15 Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)
- 7.17 Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)
The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command:
```

60
prowler
View File

@@ -500,7 +500,8 @@ ID715="7.15,7.15"
TITLE715="Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)"
ID716="7.16,7.16"
TITLE716="Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)"
ID717="7.17,7.17"
TITLE717="Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
printCsvHeader() {
>&2 echo ""
@@ -1816,12 +1817,15 @@ extra79(){
textNotice "Looking for Elastic Load Balancers in all regions... "
for regx in $REGIONS; do
LIST_OF_PUBLIC_ELBS=$($AWSCLI elb describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancerDescriptions[?Scheme == `internet-facing`].[LoadBalancerName,DNSName]' --output text)
if [[ $LIST_OF_PUBLIC_ELBS ]];then
LIST_OF_PUBLIC_ELBSV2=$($AWSCLI elbv2 describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancers[?Scheme == `internet-facing`].[LoadBalancerName,DNSName]' --output text)
LIST_OF_ALL_ELBS=$( echo $LIST_OF_PUBLIC_ELBS; echo $LIST_OF_PUBLIC_ELBSV2)
LIST_OF_ALL_ELBS_PER_LINE=$( echo $LIST_OF_ALL_ELBS| xargs -n2 )
if [[ $LIST_OF_ALL_ELBS ]];then
while read -r elb;do
ELB_NAME=$(echo $elb | awk '{ print $1; }')
ELB_DNSNAME=$(echo $elb | awk '{ print $2; }')
textWarn "$regx: ELB: $ELB_NAME at DNS: $ELB_DNSNAME is internet-facing!" "$regx"
done <<< "$LIST_OF_PUBLIC_ELBS"
done <<< "$LIST_OF_ALL_ELBS_PER_LINE"
else
textOK "$regx: no Internet Facing ELBs found" "$regx"
fi
@@ -1873,7 +1877,7 @@ extra712(){
if [[ $MACIE_IAM_ROLES_CREATED -eq 2 ]];then
textOK "Macie related IAM roles exist, so it might be enabled. Check it out manually."
else
textWarn "No Macie related IAM roles found. It is most likely not be enabled"
textWarn "No Macie related IAM roles found. It is most likely not to be enabled"
fi
}
@@ -1912,7 +1916,7 @@ extra714(){
fi
done
else
textOK "$regx: CDN not configured" "$regx"
textNotice "$regx: No CDN configured" "$regx"
fi
done
}
@@ -1938,7 +1942,7 @@ extra715(){
fi
done
else
textOK "$regx: No Elasticsearch Service domain found" "$regx"
textNotice "$regx: No Elasticsearch Service domain found" "$regx"
fi
done
}
@@ -1966,11 +1970,45 @@ extra716(){
fi
done
fi
textOK "$regx: No Elasticsearch Service domain found" "$regx"
textNotice "$regx: No Elasticsearch Service domain found" "$regx"
rm -fr $TEMP_POLICY_FILE
done
}
extra717(){
# "Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
textTitle "$ID717" "$TITLE717" "NOT_SCORED" "EXTRA"
for regx in $REGIONS; do
LIST_OF_ELBS=$($AWSCLI elb describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancerDescriptions[*].LoadBalancerName' --output text|xargs -n1)
LIST_OF_ELBSV2=$($AWSCLI elbv2 describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancers[*].LoadBalancerArn' --output text|xargs -n1)
if [[ $LIST_OF_ELBS || $LIST_OF_ELBSV2 ]]; then
if [[ $LIST_OF_ELBS ]]; then
for elb in $LIST_OF_ELBS; do
CHECK_ELBS_LOG_ENABLED=$($AWSCLI elb describe-load-balancer-attributes $PROFILE_OPT --region $regx --load-balancer-name $elb --query 'LoadBalancerAttributes.AccessLog.Enabled'|grep "^true")
if [[ $CHECK_ELBS_LOG_ENABLED ]]; then
textOK "$regx: $elb has access logs to S3 configured" "$regx"
else
textWarn "$regx: $elb has not access logs configured" "$regx"
fi
done
fi
if [[ $LIST_OF_ELBSV2 ]]; then
for elbarn in $LIST_OF_ELBSV2; do
CHECK_ELBSV2_LOG_ENABLED=$($AWSCLI elbv2 describe-load-balancer-attributes $PROFILE_OPT --region $regx --load-balancer-arn $elbarn --query Attributes[*] --output text|grep "^access_logs.s3.enabled"|cut -f2|grep true)
ELBV2_NAME=$(echo $elbarn|cut -d\/ -f3)
if [[ $CHECK_ELBSV2_LOG_ENABLED ]]; then
textOK "$regx: $ELBV2_NAME has access logs to S3 configured" "$regx"
else
textWarn "$regx: $ELBV2_NAME has not access logs configured" "$regx"
fi
done
fi
else
textNotice "$regx: No ELBs found" "$regx"
fi
done
}
callCheck(){
if [[ $CHECKNUMBER ]];then
case "$CHECKNUMBER" in
@@ -2042,6 +2080,7 @@ callCheck(){
extra714|extra714 ) extra714;;
extra715|extra715 ) extra715;;
extra716|extra716 ) extra716;;
extra717|extra717 ) extra717;;
## Groups of Checks
check1 )
@@ -2078,12 +2117,13 @@ callCheck(){
;;
extras )
extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78;
extra79;extra710;extra711;extra712;extra713;extra714;extra715;extra716
extra79;extra710;extra711;extra712;extra713;extra714;extra715;extra716;
extra717
;;
forensics-ready )
check21;check22;check23;check24;check25;check26;check27;
check43;
extra712;extra713;extra714;extra715
extra712;extra713;extra714;extra715;extra717
;;
* )
textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";
@@ -2170,6 +2210,7 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then
textTitle "$ID714" "$TITLE714" "NOT_SCORED" "EXTRA"
textTitle "$ID715" "$TITLE715" "NOT_SCORED" "EXTRA"
textTitle "$ID716" "$TITLE716" "NOT_SCORED" "EXTRA"
textTitle "$ID717" "$TITLE717" "NOT_SCORED" "EXTRA"
exit $EXITCODE
fi
@@ -2262,6 +2303,7 @@ extra713
extra714
extra715
extra716
extra717
cleanTemp
exit $EXITCODE