From 841e5436b967b4cc2279c21f489ef5a3a3aa30ff Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Thu, 8 Feb 2018 00:27:27 -0500 Subject: [PATCH 1/2] Added new check extra715 ES service logging --- README.md | 5 ++++- prowler | 37 ++++++++++++++++++++++++++++++++++--- 2 files changed, 38 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 0bd66e29..0d789bee 100644 --- a/README.md +++ b/README.md @@ -583,7 +583,7 @@ We are adding additional checks to improve the information gather from each acco Note: Some of these checks for publicly facing resources may not actually be fully public due to other layered controls like S3 Bucket Policies, Security Groups or Network ACLs. -At this moment we have 14 extra checks: +At this moment we have 15 extra checks: - 7.1 (`extra71`) Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark) - 7.2 (`extra72`) Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark) @@ -599,6 +599,8 @@ At this moment we have 14 extra checks: - 7.12 (`extra712`) Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark) - 7.13 (`extra713`) Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark) - 7.14 (`extra714`) Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark) +- 7.15 (`extra715`) Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark) + To check all extras in one command: ``` 
@@ -623,6 +625,7 @@ With this group of checks, Prowler looks if each service with logging or audit c - 7.12 Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark) - 7.13 Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark) - 7.14 Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark) +- 7.15 Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark) The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command: ``` diff --git a/prowler b/prowler index 8e530619..141fb6b8 100755 --- a/prowler +++ b/prowler @@ -496,6 +496,8 @@ ID713="7.13,7.13" TITLE713="Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)" ID714="7.14,7.14" TITLE714="Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)" +ID715="7.15,7.15" +TITLE715="Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)" printCsvHeader() { >&2 echo "" 
@@ -1912,6 +1914,32 @@ extra714(){ done } +extra715(){ + # "Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)" + textTitle "$ID715" "$TITLE715" "NOT_SCORED" "EXTRA" + for regx in $REGIONS; do + LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text) + if [[ $LIST_OF_DOMAINS ]]; then + for domain in $LIST_OF_DOMAINS;do + SEARCH_SLOWLOG_ENABLED=$($AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.LogPublishingOptions.Options.SEARCH_SLOW_LOGS.Enabled --output text |grep -v ^None|grep -v ^False) + if [[ $SEARCH_SLOWLOG_ENABLED ]];then + textOK "$regx: ElasticSearch Service domain $domain SEARCH_SLOW_LOGS enabled" "$regx" + else + textWarn "$regx: ElasticSearch Service domain $domain SEARCH_SLOW_LOGS disabled!" "$regx" + fi + INDEX_SLOWLOG_ENABLED=$($AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.LogPublishingOptions.Options.INDEX_SLOW_LOGS.Enabled --output text |grep -v ^None|grep -v ^False) + if [[ $INDEX_SLOWLOG_ENABLED ]];then + textOK "$regx: ElasticSearch Service domain $domain INDEX_SLOW_LOGS enabled" "$regx" + else + textWarn "$regx: ElasticSearch Service domain $domain INDEX_SLOW_LOGS disabled!" "$regx" + fi + done + else + textOK "$regx: No Elasticsearch Service domain found" "$regx" + fi + done +} + callCheck(){ if [[ $CHECKNUMBER ]];then case "$CHECKNUMBER" in @@ -1981,6 +2009,7 @@ callCheck(){ extra712|extra712 ) extra712;; extra713|extra713 ) extra713;; extra714|extra714 ) extra714;; + extra715|extra715 ) extra715;; ## Groups of Checks check1 ) 
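Review bot: extra715 describes each domain twice, once per log type, with the same `describe-elasticsearch-domain-config` call differing only in the JMESPath path, and the `grep -v ^None|grep -v ^False` chains exist only to turn the text output into a non-empty string for `[[ ]]`. A single call with a multi-select query returns both flags on one tab-separated line, and comparing each value against `True` states the intent directly; the rewrite below assumes the default IFS when `read` splits that line. A failed API call (an access-denied error, for instance) leaves both values empty and is still reported as "disabled!", which matches the original behaviour, so this is a readability change rather than a fix. Quoting `$domain` and `$regx` would satisfy ShellCheck but is left unquoted to match the rest of the file.
```shell
    for domain in $LIST_OF_DOMAINS;do
      # one describe call per domain; text output prints True/False/None per log type, tab-separated
      read -r SEARCH_SLOWLOG_ENABLED INDEX_SLOWLOG_ENABLED < <($AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query 'DomainConfig.LogPublishingOptions.Options.[SEARCH_SLOW_LOGS.Enabled,INDEX_SLOW_LOGS.Enabled]' --output text)
      if [[ $SEARCH_SLOWLOG_ENABLED == "True" ]];then
        textOK "$regx: ElasticSearch Service domain $domain SEARCH_SLOW_LOGS enabled" "$regx"
      else
        textWarn "$regx: ElasticSearch Service domain $domain SEARCH_SLOW_LOGS disabled!" "$regx"
      fi
      if [[ $INDEX_SLOWLOG_ENABLED == "True" ]];then
        textOK "$regx: ElasticSearch Service domain $domain INDEX_SLOW_LOGS enabled" "$regx"
      else
        textWarn "$regx: ElasticSearch Service domain $domain INDEX_SLOW_LOGS disabled!" "$regx"
      fi
    done
```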
@@ -2017,12 +2046,12 @@ callCheck(){ ;; extras ) extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78; - extra79;extra710;extra711;extra712;extra713;extra714 + extra79;extra710;extra711;extra712;extra713;extra714;extra715 ;; forensics-ready ) check21;check22;check23;check24;check25;check26;check27; check43; - extra712;extra713;extra714 + extra712;extra713;extra714;extra715 ;; * ) textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n"; @@ -2106,7 +2135,8 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then textTitle "$ID711" "$TITLE711" "NOT_SCORED" "EXTRA" textTitle "$ID712" "$TITLE712" "NOT_SCORED" "EXTRA" textTitle "$ID713" "$TITLE713" "NOT_SCORED" "EXTRA" - textTitle "$ID714" "$TITLE713" "NOT_SCORED" "EXTRA" + textTitle "$ID714" "$TITLE714" "NOT_SCORED" "EXTRA" + textTitle "$ID715" "$TITLE715" "NOT_SCORED" "EXTRA" exit $EXITCODE fi @@ -2197,6 +2227,7 @@ extra711 extra712 extra713 extra714 +extra715 cleanTemp exit $EXITCODE From 55d3d642f97f0fae0e9a157953cdaa87cddfc10f Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Thu, 8 Feb 2018 01:01:28 -0500 Subject: [PATCH 2/2] Added new check extra716 ES service allow open access --- README.md | 3 ++- prowler | 31 ++++++++++++++++++++++++++++++- 2 files changed, 32 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0d789bee..b06ffbef 100644 --- a/README.md +++ b/README.md @@ -583,7 +583,7 @@ We are adding additional checks to improve the information gather from each acco Note: Some of these checks for publicly facing resources may not actually be fully public due to other layered controls like S3 Bucket Policies, Security Groups or Network ACLs. -At this moment we have 15 extra checks: +At this moment we have 16 extra checks: - 7.1 (`extra71`) Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark) - 7.2 (`extra72`) Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark) 
@@ -600,6 +600,7 @@ At this moment we have 15 extra checks: - 7.13 (`extra713`) Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark) - 7.14 (`extra714`) Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark) - 7.15 (`extra715`) Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark) +- 7.16 (`extra716`) Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark) To check all extras in one command: diff --git a/prowler b/prowler index 141fb6b8..b00cb69b 100755 --- a/prowler +++ b/prowler @@ -498,6 +498,9 @@ ID714="7.14,7.14" TITLE714="Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)" ID715="7.15,7.15" TITLE715="Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)" +ID716="7.16,7.16" +TITLE716="Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)" + printCsvHeader() { >&2 echo "" 
@@ -1940,6 +1943,29 @@ extra715(){ done } +extra716(){ + # "Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)" + textTitle "$ID716" "$TITLE716" "NOT_SCORED" "EXTRA" + for regx in $REGIONS; do + LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text) + if [[ $LIST_OF_DOMAINS ]]; then + for domain in $LIST_OF_DOMAINS;do + TEMP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-es-domain.policy.XXXXXXXXXX) + $AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.AccessPolicies.Options --output text > $TEMP_POLICY_FILE 2> /dev/null + # check if the policy has Principal as * + CHECK_ES_DOMAIN_ALLUSERS_POLICY=$(cat $TEMP_POLICY_FILE | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | awk '/Principal/ && !skip { print } { skip = /Deny/} '|grep \"Principal|grep \*) + if [[ $CHECK_ES_DOMAIN_ALLUSERS_POLICY ]];then + textWarn "$regx: $domain policy \"may\" allow Anonymous users to perform actions (Principal: \"*\")" "$regx" + else + textOK "$regx: $domain is not open" "$regx" + fi + done + fi + textOK "$regx: No Elasticsearch Service domain found" "$regx" + rm -fr $TEMP_POLICY_FILE + done +} + callCheck(){ if [[ $CHECKNUMBER ]];then case "$CHECKNUMBER" in @@ -2010,6 +2036,7 @@ callCheck(){ extra713|extra713 ) extra713;; extra714|extra714 ) extra714;; extra715|extra715 ) extra715;; + extra716|extra716 ) extra716;; ## Groups of Checks check1 ) @@ -2046,7 +2073,7 @@ callCheck(){ ;; extras ) extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78; - extra79;extra710;extra711;extra712;extra713;extra714;extra715 + extra79;extra710;extra711;extra712;extra713;extra714;extra715;extra716 ;; forensics-ready ) check21;check22;check23;check24;check25;check26;check27; 
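Review bot: In extra716 the `textOK "$regx: No Elasticsearch Service domain found" "$regx"` line sits after the `fi`, so it is printed for every region, including ones whose domains were just listed and reported; it belongs in an `else` branch as extra715 has it. The `rm -fr $TEMP_POLICY_FILE` likewise runs once per region after the domain loop, so with several domains only the last temp file is removed and with none it runs on whatever value the variable last held; deleting the file at the end of each domain iteration keeps it paired with its `mktemp`. Separately, the describe call sends stderr to `/dev/null` and its exit status is never checked, so an access-denied or throttling error leaves the file empty and the domain is reported as "is not open" — a silent false negative for a check meant to spot open access, which the rewrite below reports as a warning instead. The `awk '/Principal/ && !skip { print } { skip = /Deny/} '` heuristic only skips a Principal when the preceding comma-separated fragment contained Deny, so it depends on key order inside each statement; a one-line comment saying so would help the next reader.
```shell
  for regx in $REGIONS; do
    LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text)
    if [[ $LIST_OF_DOMAINS ]]; then
      for domain in $LIST_OF_DOMAINS;do
        TEMP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-es-domain.policy.XXXXXXXXXX)
        # an API error must not read as "not open": report it and move on
        if ! $AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.AccessPolicies.Options --output text > "$TEMP_POLICY_FILE" 2> /dev/null; then
          textWarn "$regx: $domain access policy could not be read (API error), open access state unknown" "$regx"
          rm -f -- "$TEMP_POLICY_FILE"
          continue
        fi
        # … unchanged: Principal "*" heuristic and its textWarn/textOK …
        rm -f -- "$TEMP_POLICY_FILE"
      done
    else
      textOK "$regx: No Elasticsearch Service domain found" "$regx"
    fi
  done
```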
@@ -2137,6 +2164,7 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then textTitle "$ID713" "$TITLE713" "NOT_SCORED" "EXTRA" textTitle "$ID714" "$TITLE714" "NOT_SCORED" "EXTRA" textTitle "$ID715" "$TITLE715" "NOT_SCORED" "EXTRA" + textTitle "$ID716" "$TITLE716" "NOT_SCORED" "EXTRA" exit $EXITCODE fi @@ -2228,6 +2256,7 @@ extra712 extra713 extra714 extra715 +extra716 cleanTemp exit $EXITCODE