From ecbe99708495d319f304f3cbf1e4f29f2ca9d7ec Mon Sep 17 00:00:00 2001 
From: Joaquin Rinaudo Date: Thu, 3 Sep 2020 08:04:13 +0200 Subject: [PATCH] severity+security_hub --- checks/check11 | 1 + checks/check110 | 1 + checks/check111 | 1 + checks/check112 | 1 + checks/check113 | 1 + checks/check114 | 1 + checks/check115 | 1 + checks/check116 | 1 + checks/check117 | 1 + checks/check118 | 1 + checks/check119 | 1 + checks/check12 | 1 + checks/check120 | 1 + checks/check121 | 1 + checks/check122 | 1 + checks/check13 | 1 + checks/check14 | 1 + checks/check15 | 1 + checks/check16 | 1 + checks/check17 | 1 + checks/check18 | 1 + checks/check19 | 1 + checks/check21 | 1 + checks/check22 | 1 + checks/check23 | 1 + checks/check24 | 1 + checks/check25 | 1 + checks/check26 | 1 + checks/check27 | 1 + checks/check28 | 1 + checks/check29 | 1 + checks/check31 | 1 + checks/check310 | 1 + checks/check311 | 1 + checks/check312 | 1 + checks/check313 | 1 + checks/check314 | 1 + checks/check32 | 1 + checks/check33 | 1 + checks/check34 | 1 + checks/check35 | 1 + checks/check36 | 1 + checks/check37 | 1 + checks/check38 | 1 + checks/check39 | 1 + checks/check41 | 1 + checks/check42 | 1 + checks/check43 | 1 + checks/check44 | 1 + checks/check_extra71 | 1 + checks/check_extra710 | 1 + checks/check_extra7100 | 1 + checks/check_extra711 | 1 + checks/check_extra712 | 1 + checks/check_extra713 | 1 + checks/check_extra714 | 1 + checks/check_extra715 | 1 + checks/check_extra716 | 1 + checks/check_extra717 | 1 + checks/check_extra718 | 1 + checks/check_extra719 | 1 + checks/check_extra72 | 1 + checks/check_extra720 | 1 + checks/check_extra721 | 1 + checks/check_extra722 | 1 + checks/check_extra723 | 1 + checks/check_extra724 | 1 + checks/check_extra725 | 1 + checks/check_extra726 | 1 + checks/check_extra727 | 1 + checks/check_extra728 | 1 + checks/check_extra729 | 1 + checks/check_extra73 | 1 + checks/check_extra730 | 1 + checks/check_extra731 | 1 + checks/check_extra732 | 1 + checks/check_extra733 | 1 + checks/check_extra734 | 1 + checks/check_extra735 | 1 + 
checks/check_extra736 | 1 + checks/check_extra737 | 1 + checks/check_extra738 | 1 + checks/check_extra739 | 1 + checks/check_extra74 | 1 + checks/check_extra740 | 1 + checks/check_extra741 | 1 + checks/check_extra742 | 1 + checks/check_extra743 | 1 + checks/check_extra744 | 1 + checks/check_extra745 | 1 + checks/check_extra746 | 1 + checks/check_extra747 | 1 + checks/check_extra748 | 1 + checks/check_extra749 | 1 + checks/check_extra75 | 1 + checks/check_extra750 | 1 + checks/check_extra751 | 1 + checks/check_extra752 | 1 + checks/check_extra753 | 1 + checks/check_extra754 | 1 + checks/check_extra755 | 1 + checks/check_extra756 | 1 + checks/check_extra757 | 1 + checks/check_extra758 | 1 + checks/check_extra759 | 1 + checks/check_extra76 | 1 + checks/check_extra760 | 1 + checks/check_extra761 | 1 + checks/check_extra762 | 1 + checks/check_extra763 | 1 + checks/check_extra764 | 1 + checks/check_extra765 | 1 + checks/check_extra767 | 1 + checks/check_extra768 | 1 + checks/check_extra769 | 1 + checks/check_extra77 | 1 + checks/check_extra770 | 1 + checks/check_extra771 | 1 + checks/check_extra772 | 1 + checks/check_extra773 | 1 + checks/check_extra774 | 1 + checks/check_extra775 | 1 + checks/check_extra776 | 1 + checks/check_extra777 | 1 + checks/check_extra778 | 1 + checks/check_extra779 | 1 + checks/check_extra78 | 1 + checks/check_extra780 | 1 + checks/check_extra781 | 1 + checks/check_extra782 | 1 + checks/check_extra783 | 1 + checks/check_extra784 | 1 + checks/check_extra785 | 1 + checks/check_extra786 | 1 + checks/check_extra787 | 1 + checks/check_extra788 | 1 + checks/check_extra789 | 1 + checks/check_extra79 | 1 + checks/check_extra790 | 1 + checks/check_extra791 | 1 + checks/check_extra792 | 1 + checks/check_extra793 | 1 + checks/check_extra794 | 1 + checks/check_extra795 | 1 + checks/check_extra796 | 1 + checks/check_extra797 | 1 + checks/check_extra798 | 1 + checks/check_extra799 | 2 +- checks/check_sample | 1 + include/os_detector | 15 +++++++++ 
include/outputs | 15 +++++---- include/securityhub_integration | 57 ++++++++++----------------------- prowler | 19 ++++++++--- 153 files changed, 204 insertions(+), 52 deletions(-)
diff --git a/checks/check11 b/checks/check11
index 59e982ef..1776614e 100644
--- a/checks/check11
+++ b/checks/check11
@@ -12,6 +12,7 @@ CHECK_ID_check11="1.1"
 CHECK_TITLE_check11="[check11] Avoid the use of the root account (Scored)"
 CHECK_SCORED_check11="SCORED"
 CHECK_TYPE_check11="LEVEL1"
+CHECK_SEVERITY_check11="High"
 CHECK_ASFF_TYPE_check11="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check101="check11"
diff --git a/checks/check110 b/checks/check110
index dabb80dc..d483a650 100644
--- a/checks/check110
+++ b/checks/check110
@@ -12,6 +12,7 @@ CHECK_ID_check110="1.10"
 CHECK_TITLE_check110="[check110] Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
 CHECK_SCORED_check110="SCORED"
 CHECK_TYPE_check110="LEVEL1"
+CHECK_SEVERITY_check110="Medium"
 CHECK_ASFF_TYPE_check110="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check110="check110"
diff --git a/checks/check111 b/checks/check111
index 83575d29..805ab9b6 100644
--- a/checks/check111
+++ b/checks/check111
@@ -12,6 +12,7 @@ CHECK_ID_check111="1.11"
 CHECK_TITLE_check111="[check111] Ensure IAM password policy expires passwords within 90 days or less (Scored)"
 CHECK_SCORED_check111="SCORED"
 CHECK_TYPE_check111="LEVEL1"
+CHECK_SEVERITY_check111="Medium"
 CHECK_ASFF_TYPE_check111="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check111="check111"
diff --git a/checks/check112 b/checks/check112
index a9825ee1..e202e249 100644
--- a/checks/check112
+++ b/checks/check112
@@ -12,6 +12,7 @@ CHECK_ID_check112="1.12"
 CHECK_TITLE_check112="[check112] Ensure no root account access key exists (Scored)"
 CHECK_SCORED_check112="SCORED"
 CHECK_TYPE_check112="LEVEL1"
+CHECK_SEVERITY_check112="Critical"
 CHECK_ASFF_TYPE_check112="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check112="check112"
diff --git a/checks/check113 b/checks/check113
index 1e034c8d..04716f5d 100644
--- a/checks/check113
+++ b/checks/check113
@@ -12,6 +12,7 @@ CHECK_ID_check113="1.13"
 CHECK_TITLE_check113="[check113] Ensure MFA is enabled for the root account (Scored)"
 CHECK_SCORED_check113="SCORED"
 CHECK_TYPE_check113="LEVEL1"
+CHECK_SEVERITY_check113="Critical"
 CHECK_ASFF_TYPE_check113="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check113="check113"
diff --git a/checks/check114 b/checks/check114
index 18188d93..43be863c 100644
--- a/checks/check114
+++ b/checks/check114
@@ -12,6 +12,7 @@ CHECK_ID_check114="1.14"
 CHECK_TITLE_check114="[check114] Ensure hardware MFA is enabled for the root account (Scored)"
 CHECK_SCORED_check114="SCORED"
 CHECK_TYPE_check114="LEVEL2"
+CHECK_SEVERITY_check114="Critical"
 CHECK_ASFF_TYPE_check114="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check114="check114"
diff --git a/checks/check115 b/checks/check115
index c52db37e..dd30979c 100644
--- a/checks/check115
+++ b/checks/check115
@@ -12,6 +12,7 @@ CHECK_ID_check115="1.15"
 CHECK_TITLE_check115="[check115] Ensure security questions are registered in the AWS account (Not Scored)"
 CHECK_SCORED_check115="NOT_SCORED"
 CHECK_TYPE_check115="LEVEL1"
+CHECK_SEVERITY_check115="Medium"
 CHECK_ASFF_TYPE_check115="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check115="check115"
diff --git a/checks/check116 b/checks/check116
index c20abbf7..4aa7f80d 100644
--- a/checks/check116
+++ b/checks/check116
@@ -12,6 +12,7 @@ CHECK_ID_check116="1.16"
 CHECK_TITLE_check116="[check116] Ensure IAM policies are attached only to groups or roles (Scored)"
 CHECK_SCORED_check116="SCORED"
 CHECK_TYPE_check116="LEVEL1"
+CHECK_SEVERITY_check116="Low"
 CHECK_ASFF_TYPE_check116="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check116="AwsIamUser"
 CHECK_ALTERNATE_check116="check116"
diff --git a/checks/check117 b/checks/check117
index 1264c99e..ed1fcff5 100644
--- a/checks/check117
+++ b/checks/check117
@@ -12,6 +12,7 @@ CHECK_ID_check117="1.17"
 CHECK_TITLE_check117="[check117] Maintain current contact details (Not Scored)"
 CHECK_SCORED_check117="NOT_SCORED"
 CHECK_TYPE_check117="LEVEL1"
+CHECK_SEVERITY_check117="Medium"
 CHECK_ASFF_TYPE_check117="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check117="check117"
diff --git a/checks/check118 b/checks/check118
index abd76906..821972eb 100644
--- a/checks/check118
+++ b/checks/check118
@@ -12,6 +12,7 @@ CHECK_ID_check118="1.18"
 CHECK_TITLE_check118="[check118] Ensure security contact information is registered (Not Scored)"
 CHECK_SCORED_check118="NOT_SCORED"
 CHECK_TYPE_check118="LEVEL1"
+CHECK_SEVERITY_check118="Medium"
 CHECK_ASFF_TYPE_check118="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check118="check118"
diff --git a/checks/check119 b/checks/check119
index bc97c801..bf37abe9 100644
--- a/checks/check119
+++ b/checks/check119
@@ -12,6 +12,7 @@ CHECK_ID_check119="1.19"
 CHECK_TITLE_check119="[check119] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
 CHECK_SCORED_check119="NOT_SCORED"
 CHECK_TYPE_check119="LEVEL2"
+CHECK_SEVERITY_check119="Medium"
 CHECK_ASFF_TYPE_check119="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check119="AwsEc2Instance"
 CHECK_ALTERNATE_check119="check119"
diff --git a/checks/check12 b/checks/check12
index a5cbac6f..7a96a7a3 100644
--- a/checks/check12
+++ b/checks/check12
@@ -12,6 +12,7 @@ CHECK_ID_check12="1.2"
 CHECK_TITLE_check12="[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
 CHECK_SCORED_check12="SCORED"
 CHECK_TYPE_check12="LEVEL1"
+CHECK_SEVERITY_check12="High"
 CHECK_ASFF_TYPE_check12="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check12="AwsIamUser"
 CHECK_ALTERNATE_check102="check12"
diff --git a/checks/check120 b/checks/check120
index dd1d4fc5..d0935bf7 100644
--- a/checks/check120
+++ b/checks/check120
@@ -12,6 +12,7 @@ CHECK_ID_check120="1.20"
 CHECK_TITLE_check120="[check120] Ensure a support role has been created to manage incidents with AWS Support (Scored)"
 CHECK_SCORED_check120="SCORED"
 CHECK_TYPE_check120="LEVEL1"
+CHECK_SEVERITY_check120="Medium"
 CHECK_ASFF_TYPE_check120="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check120="AwsIamRole"
 CHECK_ALTERNATE_check120="check120"
diff --git a/checks/check121 b/checks/check121
index 3fbd5535..f2ec8bc9 100644
--- a/checks/check121
+++ b/checks/check121
@@ -12,6 +12,7 @@ CHECK_ID_check121="1.21"
 CHECK_TITLE_check121="[check121] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
 CHECK_SCORED_check121="NOT_SCORED"
 CHECK_TYPE_check121="LEVEL1"
+CHECK_SEVERITY_check121="Medium"
 CHECK_ASFF_TYPE_check121="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check121="AwsIamUser"
 CHECK_ALTERNATE_check121="check121"
diff --git a/checks/check122 b/checks/check122
index 1c4fdec2..ec13a27e 100644
--- a/checks/check122
+++ b/checks/check122
@@ -12,6 +12,7 @@ CHECK_ID_check122="1.22"
 CHECK_TITLE_check122="[check122] Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
 CHECK_SCORED_check122="SCORED"
 CHECK_TYPE_check122="LEVEL1"
+CHECK_SEVERITY_check122="Medium"
 CHECK_ASFF_TYPE_check122="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check122="AwsIamPolicy"
 CHECK_ALTERNATE_check122="check122"
diff --git a/checks/check13 b/checks/check13
index 929a6aa2..f0c3f49b 100644
--- a/checks/check13
+++ b/checks/check13
@@ -12,6 +12,7 @@ CHECK_ID_check13="1.3"
 CHECK_TITLE_check13="[check13] Ensure credentials unused for 90 days or greater are disabled (Scored)"
 CHECK_SCORED_check13="SCORED"
 CHECK_TYPE_check13="LEVEL1"
+CHECK_SEVERITY_check13="Medium"
 CHECK_ASFF_TYPE_check13="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check13="AwsIamUser"
 CHECK_ALTERNATE_check103="check13"
diff --git a/checks/check14 b/checks/check14
index 438b8364..afc0d4ea 100644
--- a/checks/check14
+++ b/checks/check14
@@ -12,6 +12,7 @@ CHECK_ID_check14="1.4"
 CHECK_TITLE_check14="[check14] Ensure access keys are rotated every 90 days or less (Scored)"
 CHECK_SCORED_check14="SCORED"
 CHECK_TYPE_check14="LEVEL1"
+CHECK_SEVERITY_check14="Medium"
 CHECK_ASFF_TYPE_check14="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check14="AwsIamUser"
 CHECK_ALTERNATE_check104="check14"
diff --git a/checks/check15 b/checks/check15
index bfc31270..aa1c544d 100644
--- a/checks/check15
+++ b/checks/check15
@@ -12,6 +12,7 @@ CHECK_ID_check15="1.5"
 CHECK_TITLE_check15="[check15] Ensure IAM password policy requires at least one uppercase letter (Scored)"
 CHECK_SCORED_check15="SCORED"
 CHECK_TYPE_check15="LEVEL1"
+ CHECK_SEVERITY_check15="medium"
 CHECK_ASFF_TYPE_check15="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check105="check15"
diff --git a/checks/check16 b/checks/check16
index 881b9a83..7dfb17d1 100644
--- a/checks/check16
+++ b/checks/check16
@@ -12,6 +12,7 @@ CHECK_ID_check16="1.6"
 CHECK_TITLE_check16="[check16] Ensure IAM password policy require at least one lowercase letter (Scored)"
 CHECK_SCORED_check16="SCORED"
 CHECK_TYPE_check16="LEVEL1"
+CHECK_SEVERITY_check16="medium"
 CHECK_ASFF_TYPE_check16="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check106="check16"
diff --git a/checks/check17 b/checks/check17
index ad8faecd..dd7d03f3 100644
--- a/checks/check17
+++ b/checks/check17
@@ -12,6 +12,7 @@ CHECK_ID_check17="1.7"
 CHECK_TITLE_check17="[check17] Ensure IAM password policy require at least one symbol (Scored)"
 CHECK_SCORED_check17="SCORED"
 CHECK_TYPE_check17="LEVEL1"
+CHECK_SEVERITY_check17="Medium"
 CHECK_ASFF_TYPE_check17="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check107="check17"
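Review bot: The severity written for check15 and check16 is the lowercase `medium`, while every other hunk in this commit uses the title-case labels `Critical`, `High`, `Medium` and `Low`, and the check15 line additionally carries a leading space after the `+` marker. Both lines should read `CHECK_SEVERITY_check15="Medium"` and `CHECK_SEVERITY_check16="Medium"`. The leading space is still a valid shell assignment, but the value is a free-form string that nothing in these hunks validates, so if include/securityhub_integration (changed by this commit but outside this view) maps it onto the Security Hub severity label, a case mismatch would presumably produce a wrong or rejected finding for those two checks; worth confirming against that file. The accepted values would also be worth documenting once, e.g. as a comment next to the severity line in checks/check_sample, which this commit also touches.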
diff --git a/checks/check18 b/checks/check18
index bec51868..676281fc 100644
--- a/checks/check18
+++ b/checks/check18
@@ -12,6 +12,7 @@ CHECK_ID_check18="1.8"
 CHECK_TITLE_check18="[check18] Ensure IAM password policy require at least one number (Scored)"
 CHECK_SCORED_check18="SCORED"
 CHECK_TYPE_check18="LEVEL1"
+CHECK_SEVERITY_check18="Medium"
 CHECK_ASFF_TYPE_check18="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check108="check18"
diff --git a/checks/check19 b/checks/check19
index 28199d77..bb81398f 100644
--- a/checks/check19
+++ b/checks/check19
@@ -12,6 +12,7 @@ CHECK_ID_check19="1.9"
 CHECK_TITLE_check19="[check19] Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
 CHECK_SCORED_check19="SCORED"
 CHECK_TYPE_check19="LEVEL1"
+CHECK_SEVERITY_check19="Medium"
 CHECK_ASFF_TYPE_check19="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check109="check19"
diff --git a/checks/check21 b/checks/check21
index d354bad5..a576df7b 100644
--- a/checks/check21
+++ b/checks/check21
@@ -12,6 +12,7 @@ CHECK_ID_check21="2.1"
 CHECK_TITLE_check21="[check21] Ensure CloudTrail is enabled in all regions (Scored)"
 CHECK_SCORED_check21="SCORED"
 CHECK_TYPE_check21="LEVEL1"
+CHECK_SEVERITY_check21="High"
 CHECK_ASFF_TYPE_check21="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check21="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check201="check21"
diff --git a/checks/check22 b/checks/check22
index d302f128..bb16a994 100644
--- a/checks/check22
+++ b/checks/check22
@@ -12,6 +12,7 @@ CHECK_ID_check22="2.2"
 CHECK_TITLE_check22="[check22] Ensure CloudTrail log file validation is enabled (Scored)"
 CHECK_SCORED_check22="SCORED"
 CHECK_TYPE_check22="LEVEL2"
+CHECK_SEVERITY_check22="Medium"
 CHECK_ASFF_TYPE_check22="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check22="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check202="check22"
diff --git a/checks/check23 b/checks/check23
index 9614fe68..12017640 100644
--- a/checks/check23
+++ b/checks/check23
@@ -12,6 +12,7 @@ CHECK_ID_check23="2.3"
 CHECK_TITLE_check23="[check23] Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
 CHECK_SCORED_check23="SCORED"
 CHECK_TYPE_check23="LEVEL1"
+CHECK_SEVERITY_check23="Critical"
 CHECK_ASFF_TYPE_check23="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check23="AwsS3Bucket"
 CHECK_ALTERNATE_check203="check23"
diff --git a/checks/check24 b/checks/check24
index 1fb3c133..e76db361 100644
--- a/checks/check24
+++ b/checks/check24
@@ -12,6 +12,7 @@ CHECK_ID_check24="2.4"
 CHECK_TITLE_check24="[check24] Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
 CHECK_SCORED_check24="SCORED"
 CHECK_TYPE_check24="LEVEL1"
+CHECK_SEVERITY_check24="Low"
 CHECK_ASFF_TYPE_check24="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check24="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check204="check24"
diff --git a/checks/check25 b/checks/check25
index 456223fa..c5614b1f 100644
--- a/checks/check25
+++ b/checks/check25
@@ -12,6 +12,7 @@ CHECK_ID_check25="2.5"
 CHECK_TITLE_check25="[check25] Ensure AWS Config is enabled in all regions (Scored)"
 CHECK_SCORED_check25="SCORED"
 CHECK_TYPE_check25="LEVEL1"
+CHECK_SEVERITY_check25="Medium"
 CHECK_ASFF_TYPE_check25="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check205="check25"
diff --git a/checks/check26 b/checks/check26
index da563445..757a352d 100644
--- a/checks/check26
+++ b/checks/check26
@@ -12,6 +12,7 @@ CHECK_ID_check26="2.6"
 CHECK_TITLE_check26="[check26] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
 CHECK_SCORED_check26="SCORED"
 CHECK_TYPE_check26="LEVEL1"
+CHECK_SEVERITY_check26="Medium"
 CHECK_ASFF_TYPE_check26="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check26="AwsS3Bucket"
 CHECK_ALTERNATE_check206="check26"
diff --git a/checks/check27 b/checks/check27
index 6f5d81a3..8f670883 100644
--- a/checks/check27
+++ b/checks/check27
@@ -12,6 +12,7 @@ CHECK_ID_check27="2.7"
 CHECK_TITLE_check27="[check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
 CHECK_SCORED_check27="SCORED"
 CHECK_TYPE_check27="LEVEL2"
+CHECK_SEVERITY_check27="Medium"
 CHECK_ASFF_TYPE_check27="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check27="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check207="check27"
diff --git a/checks/check28 b/checks/check28
index 23c797da..36f21dd2 100644
--- a/checks/check28
+++ b/checks/check28
@@ -12,6 +12,7 @@ CHECK_ID_check28="2.8"
 CHECK_TITLE_check28="[check28] Ensure rotation for customer created CMKs is enabled (Scored)"
 CHECK_SCORED_check28="SCORED"
 CHECK_TYPE_check28="LEVEL2"
+CHECK_SEVERITY_check28="Medium"
 CHECK_ASFF_TYPE_check28="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check28="AwsKmsKey"
 CHECK_ALTERNATE_check208="check28"
diff --git a/checks/check29 b/checks/check29
index 01681bb8..fc61b1da 100644
--- a/checks/check29
+++ b/checks/check29
@@ -12,6 +12,7 @@ CHECK_ID_check29="2.9"
 CHECK_TITLE_check29="[check29] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
 CHECK_SCORED_check29="SCORED"
 CHECK_TYPE_check29="LEVEL2"
+CHECK_SEVERITY_check29="Medium"
 CHECK_ASFF_TYPE_check29="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check29="AwsEc2Vpc"
 CHECK_ALTERNATE_check209="check29"
diff --git a/checks/check31 b/checks/check31
index 2ea65085..e2171a62 100644
--- a/checks/check31
+++ b/checks/check31
@@ -37,6 +37,7 @@ CHECK_ID_check31="3.1"
 CHECK_TITLE_check31="[check31] Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
 CHECK_SCORED_check31="SCORED"
 CHECK_TYPE_check31="LEVEL1"
+CHECK_SEVERITY_check31="Medium"
 CHECK_ASFF_TYPE_check31="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check31="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check301="check31"
diff --git a/checks/check310 b/checks/check310
index 65d50773..0e2f6bd4 100644
--- a/checks/check310
+++ b/checks/check310
@@ -37,6 +37,7 @@ CHECK_ID_check310="3.10"
 CHECK_TITLE_check310="[check310] Ensure a log metric filter and alarm exist for security group changes (Scored)"
 CHECK_SCORED_check310="SCORED"
 CHECK_TYPE_check310="LEVEL2"
+CHECK_SEVERITY_check310="Medium"
 CHECK_ASFF_TYPE_check310="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check310="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check310="check310"
diff --git a/checks/check311 b/checks/check311
index e38af0dc..ac6fac4c 100644
--- a/checks/check311
+++ b/checks/check311
@@ -37,6 +37,7 @@ CHECK_ID_check311="3.11"
 CHECK_TITLE_check311="[check311] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)"
 CHECK_SCORED_check311="SCORED"
 CHECK_TYPE_check311="LEVEL2"
+CHECK_SEVERITY_check311="Medium"
 CHECK_ASFF_TYPE_check311="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check311="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check311="check311"
diff --git a/checks/check312 b/checks/check312
index b5abde10..548fd97c 100644
--- a/checks/check312
+++ b/checks/check312
@@ -37,6 +37,7 @@ CHECK_ID_check312="3.12"
 CHECK_TITLE_check312="[check312] Ensure a log metric filter and alarm exist for changes to network gateways (Scored)"
 CHECK_SCORED_check312="SCORED"
 CHECK_TYPE_check312="LEVEL1"
+CHECK_SEVERITY_check312="Medium"
 CHECK_ASFF_TYPE_check312="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check312="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check312="check312"
diff --git a/checks/check313 b/checks/check313
index 0514045c..d08ce15a 100644
--- a/checks/check313
+++ b/checks/check313
@@ -37,6 +37,7 @@ CHECK_ID_check313="3.13"
 CHECK_TITLE_check313="[check313] Ensure a log metric filter and alarm exist for route table changes (Scored)"
 CHECK_SCORED_check313="SCORED"
 CHECK_TYPE_check313="LEVEL1"
+CHECK_SEVERITY_check313="Medium"
 CHECK_ASFF_TYPE_check313="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check313="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check313="check313"
diff --git a/checks/check314 b/checks/check314
index de9c3875..4161f855 100644
--- a/checks/check314
+++ b/checks/check314
@@ -37,6 +37,7 @@ CHECK_ID_check314="3.14"
 CHECK_TITLE_check314="[check314] Ensure a log metric filter and alarm exist for VPC changes (Scored)"
 CHECK_SCORED_check314="SCORED"
 CHECK_TYPE_check314="LEVEL1"
+CHECK_SEVERITY_check314="Medium"
 CHECK_ASFF_TYPE_check314="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check314="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check314="check314"
diff --git a/checks/check32 b/checks/check32
index d6000238..73da96a4 100644
--- a/checks/check32
+++ b/checks/check32
@@ -37,6 +37,7 @@ CHECK_ID_check32="3.2"
 CHECK_TITLE_check32="[check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)"
 CHECK_SCORED_check32="SCORED"
 CHECK_TYPE_check32="LEVEL1"
+CHECK_SEVERITY_check32="Medium"
 CHECK_ASFF_TYPE_check32="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check32="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check302="check32"
diff --git a/checks/check33 b/checks/check33
index 837d5fb5..efefe775 100644
--- a/checks/check33
+++ b/checks/check33
@@ -37,6 +37,7 @@ CHECK_ID_check33="3.3"
 CHECK_TITLE_check33="[check33] Ensure a log metric filter and alarm exist for usage of root account (Scored)"
 CHECK_SCORED_check33="SCORED"
 CHECK_TYPE_check33="LEVEL1"
+CHECK_SEVERITY_check33="Medium"
 CHECK_ASFF_TYPE_check33="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check33="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check303="check33"
diff --git a/checks/check34 b/checks/check34
index 7d2a6e26..c472b3df 100644
--- a/checks/check34
+++ b/checks/check34
@@ -37,6 +37,7 @@ CHECK_ID_check34="3.4"
 CHECK_TITLE_check34="[check34] Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
 CHECK_SCORED_check34="SCORED"
 CHECK_TYPE_check34="LEVEL1"
+CHECK_SEVERITY_check34="Medium"
 CHECK_ASFF_TYPE_check34="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check34="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check304="check34"
diff --git a/checks/check35 b/checks/check35
index 9fd5e0f5..b533879b 100644
--- a/checks/check35
+++ b/checks/check35
@@ -37,6 +37,7 @@ CHECK_ID_check35="3.5"
 CHECK_TITLE_check35="[check35] Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
 CHECK_SCORED_check35="SCORED"
 CHECK_TYPE_check35="LEVEL1"
+CHECK_SEVERITY_check35="Medium"
 CHECK_ASFF_TYPE_check35="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check35="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check305="check35"
diff --git a/checks/check36 b/checks/check36
index 334ae475..39b7b9af 100644
--- a/checks/check36
+++ b/checks/check36
@@ -37,6 +37,7 @@ CHECK_ID_check36="3.6"
 CHECK_TITLE_check36="[check36] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)"
 CHECK_SCORED_check36="SCORED"
 CHECK_TYPE_check36="LEVEL2"
+CHECK_SEVERITY_check36="Medium"
 CHECK_ASFF_TYPE_check36="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check36="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check306="check36"
diff --git a/checks/check37 b/checks/check37
index 548535d0..d569d11f 100644
--- a/checks/check37
+++ b/checks/check37
@@ -37,6 +37,7 @@ CHECK_ID_check37="3.7"
 CHECK_TITLE_check37="[check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)"
 CHECK_SCORED_check37="SCORED"
 CHECK_TYPE_check37="LEVEL2"
+CHECK_SEVERITY_check37="Medium"
 CHECK_ASFF_TYPE_check37="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check37="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check307="check37"
diff --git a/checks/check38 b/checks/check38
index 829cd122..eaf90120 100644
--- a/checks/check38
+++ b/checks/check38
@@ -37,6 +37,7 @@ CHECK_ID_check38="3.8"
 CHECK_TITLE_check38="[check38] Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)"
 CHECK_SCORED_check38="SCORED"
 CHECK_TYPE_check38="LEVEL1"
+CHECK_SEVERITY_check38="Medium"
 CHECK_ASFF_TYPE_check38="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check38="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check308="check38"
diff --git a/checks/check39 b/checks/check39
index 6ca13baa..84450b2c 100644
--- a/checks/check39
+++ b/checks/check39
@@ -37,6 +37,7 @@ CHECK_ID_check39="3.9"
 CHECK_TITLE_check39="[check39] Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)"
 CHECK_SCORED_check39="SCORED"
 CHECK_TYPE_check39="LEVEL2"
+CHECK_SEVERITY_check39="Medium"
 CHECK_ASFF_TYPE_check39="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check39="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check309="check39"
diff --git a/checks/check41 b/checks/check41
index da704739..c3c4c825 100644
--- a/checks/check41
+++ b/checks/check41
@@ -12,6 +12,7 @@ CHECK_ID_check41="4.1"
 CHECK_TITLE_check41="[check41] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)"
 CHECK_SCORED_check41="SCORED"
 CHECK_TYPE_check41="LEVEL2"
+CHECK_SEVERITY_check41="High"
 CHECK_ASFF_TYPE_check41="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check41="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check401="check41"
diff --git a/checks/check42 b/checks/check42
index 69e19891..e04d01c8 100644
--- a/checks/check42
+++ b/checks/check42
@@ -12,6 +12,7 @@ CHECK_ID_check42="4.2"
 CHECK_TITLE_check42="[check42] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)"
 CHECK_SCORED_check42="SCORED"
 CHECK_TYPE_check42="LEVEL2"
+CHECK_SEVERITY_check42="High"
 CHECK_ASFF_TYPE_check42="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check42="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check402="check42"
diff --git a/checks/check43 b/checks/check43
index 35cf44c5..18dc3bab 100644
--- a/checks/check43
+++ b/checks/check43
@@ -12,6 +12,7 @@ CHECK_ID_check43="4.3"
 CHECK_TITLE_check43="[check43] Ensure the default security group of every VPC restricts all traffic (Scored)"
 CHECK_SCORED_check43="SCORED"
 CHECK_TYPE_check43="LEVEL2"
+CHECK_SEVERITY_check43="Medium"
 CHECK_ASFF_TYPE_check43="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check43="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check403="check43"
diff --git a/checks/check44 b/checks/check44
index e7f620f8..67a1abc1 100644
--- a/checks/check44
+++ b/checks/check44
@@ -12,6 +12,7 @@ CHECK_ID_check44="4.4"
 CHECK_TITLE_check44="[check44] Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
 CHECK_SCORED_check44="NOT_SCORED"
 CHECK_TYPE_check44="LEVEL2"
+CHECK_SEVERITY_check44="Medium"
 CHECK_ASFF_TYPE_check44="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check44="AwsEc2Vpc"
 CHECK_ALTERNATE_check404="check44"
diff --git a/checks/check_extra71 b/checks/check_extra71
index 51c8d024..61491c57 100644
--- a/checks/check_extra71
+++ b/checks/check_extra71
@@ -14,6 +14,7 @@ CHECK_ID_extra71="7.1"
 CHECK_TITLE_extra71="[extra71] Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra71="NOT_SCORED"
 CHECK_TYPE_extra71="EXTRA"
+CHECK_SEVERITY_extra71="High"
 CHECK_ASFF_RESOURCE_TYPE_extra71="AwsIamUser"
 CHECK_ALTERNATE_extra701="extra71"
 CHECK_ALTERNATE_check71="extra71"
diff --git a/checks/check_extra710 b/checks/check_extra710
index 55216b3d..680b6e0f 100644
--- a/checks/check_extra710
+++ b/checks/check_extra710
@@ -14,6 +14,7 @@ CHECK_ID_extra710="7.10"
 CHECK_TITLE_extra710="[extra710] Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra710="NOT_SCORED"
 CHECK_TYPE_extra710="EXTRA"
+CHECK_SEVERITY_extra710="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra710="AwsEc2Instance"
 CHECK_ALTERNATE_check710="extra710"
diff --git a/checks/check_extra7100 b/checks/check_extra7100
index 1b12481c..1e2a5318 100644
--- a/checks/check_extra7100
+++ b/checks/check_extra7100
@@ -18,6 +18,7 @@ CHECK_ID_extra7100="7.100"
 CHECK_TITLE_extra7100="[extra7100] Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)"
 CHECK_SCORED_extra7100="NOT_SCORED"
 CHECK_TYPE_extra7100="EXTRA"
+CHECK_SEVERITY_extra7100="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy"
 CHECK_ALTERNATE_check7100="extra7100"
diff --git a/checks/check_extra711 b/checks/check_extra711
index 3e9b29ee..aa3347a1 100644
--- a/checks/check_extra711
+++ b/checks/check_extra711
@@ -14,6 +14,7 @@ CHECK_ID_extra711="7.11"
 CHECK_TITLE_extra711="[extra711] Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra711="NOT_SCORED"
 CHECK_TYPE_extra711="EXTRA"
+CHECK_SEVERITY_extra711="High"
 CHECK_ASFF_RESOURCE_TYPE_extra711="AwsRedshiftCluster"
 CHECK_ALTERNATE_check711="extra711"
diff --git a/checks/check_extra712 b/checks/check_extra712
index d6ecfb7f..b27880ab 100644
--- a/checks/check_extra712
+++ b/checks/check_extra712
@@ -14,6 +14,7 @@ CHECK_ID_extra712="7.12"
 CHECK_TITLE_extra712="[extra712] Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra712="NOT_SCORED"
 CHECK_TYPE_extra712="EXTRA"
+CHECK_SEVERITY_extra712="Low"
 CHECK_ALTERNATE_check712="extra712"
 extra712(){
diff --git a/checks/check_extra713 b/checks/check_extra713
index ad8cedfe..18fbac3d 100644
--- a/checks/check_extra713
+++ b/checks/check_extra713
@@ -14,6 +14,7 @@ CHECK_ID_extra713="7.13"
 CHECK_TITLE_extra713="[extra713] Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra713="NOT_SCORED"
 CHECK_TYPE_extra713="EXTRA"
+CHECK_SEVERITY_extra713="High"
 CHECK_ALTERNATE_check713="extra713"
 extra713(){
diff --git a/checks/check_extra714 b/checks/check_extra714
index cb57de85..542cdce2 100644
--- a/checks/check_extra714
+++ b/checks/check_extra714
@@ -14,6 +14,7 @@ CHECK_ID_extra714="7.14"
 CHECK_TITLE_extra714="[extra714] Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra714="NOT_SCORED"
 CHECK_TYPE_extra714="EXTRA"
+CHECK_SEVERITY_extra714="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra714="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check714="extra714"
diff --git a/checks/check_extra715 b/checks/check_extra715
index 2268b719..3dae4809 100644
--- a/checks/check_extra715
+++ b/checks/check_extra715
@@ -14,6 +14,7 @@ CHECK_ID_extra715="7.15"
 CHECK_TITLE_extra715="[extra715] Check if Amazon Elasticsearch Service (ES) domains have logging enabled"
 CHECK_SCORED_extra715="NOT_SCORED"
 CHECK_TYPE_extra715="EXTRA"
+CHECK_SEVERITY_extra715="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra715="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check715="extra715"
diff --git a/checks/check_extra716 b/checks/check_extra716
index 9d664bd1..96014d22 100644
--- a/checks/check_extra716
+++ b/checks/check_extra716
@@ -14,6 +14,7 @@ CHECK_ID_extra716="7.16"
 CHECK_TITLE_extra716="[extra716] Check if Amazon Elasticsearch Service (ES) domains are set as Public or if it has open policy access"
 CHECK_SCORED_extra716="NOT_SCORED"
 CHECK_TYPE_extra716="EXTRA"
+CHECK_SEVERITY_extra716="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra716="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check716="extra716"
diff --git a/checks/check_extra717 b/checks/check_extra717
index 74a18937..cdb9e1b2 100644
--- a/checks/check_extra717
+++ b/checks/check_extra717
@@ -14,6 +14,7 @@ CHECK_ID_extra717="7.17"
 CHECK_TITLE_extra717="[extra717] Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra717="NOT_SCORED"
 CHECK_TYPE_extra717="EXTRA"
+CHECK_SEVERITY_extra717="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra717="AwsElbLoadBalancer"
 CHECK_ALTERNATE_check717="extra717"
diff --git a/checks/check_extra718 b/checks/check_extra718
index 0d361c3c..6e8d8f50 100644
--- a/checks/check_extra718
+++ b/checks/check_extra718
@@ -14,6 +14,7 @@ CHECK_ID_extra718="7.18"
 CHECK_TITLE_extra718="[extra718] Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra718="NOT_SCORED"
 CHECK_TYPE_extra718="EXTRA"
+CHECK_SEVERITY_extra718="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra718="AwsS3Bucket"
 CHECK_ALTERNATE_check718="extra718"
diff --git a/checks/check_extra719 b/checks/check_extra719
index 458568d7..306c3b07 100644
--- a/checks/check_extra719
+++ b/checks/check_extra719
@@ -14,6 +14,7 @@ CHECK_ID_extra719="7.19"
 CHECK_TITLE_extra719="[extra719] Check if Route53 public hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra719="NOT_SCORED"
 CHECK_TYPE_extra719="EXTRA"
+CHECK_SEVERITY_extra719="Medium"
 CHECK_ALTERNATE_check719="extra719"
 extra719(){
diff --git a/checks/check_extra72 b/checks/check_extra72
index b9471f9b..e03d4f1d 100644
--- a/checks/check_extra72
+++ b/checks/check_extra72
@@ -14,6 +14,7 @@ CHECK_ID_extra72="7.2"
 CHECK_TITLE_extra72="[extra72] Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra72="NOT_SCORED"
 CHECK_TYPE_extra72="EXTRA"
+CHECK_SEVERITY_extra72="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra72="AwsEc2Snapshot"
 CHECK_ALTERNATE_extra702="extra72"
 CHECK_ALTERNATE_check72="extra72"
diff --git a/checks/check_extra720 b/checks/check_extra720
index f8b2a890..2768bb3c 100644
--- a/checks/check_extra720
+++ b/checks/check_extra720
@@ -14,6 +14,7 @@ CHECK_ID_extra720="7.20"
 CHECK_TITLE_extra720="[extra720] Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra720="NOT_SCORED"
 CHECK_TYPE_extra720="EXTRA"
+CHECK_SEVERITY_extra720="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra720="AwsLambdaFunction"
 CHECK_ALTERNATE_check720="extra720"
diff --git a/checks/check_extra721 b/checks/check_extra721
index d464786a..82d78d6b 100644
--- a/checks/check_extra721
+++ b/checks/check_extra721
@@ -14,6 +14,7 @@ CHECK_ID_extra721="7.21"
 CHECK_TITLE_extra721="[extra721] Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra721="NOT_SCORED"
 CHECK_TYPE_extra721="EXTRA"
+CHECK_SEVERITY_extra721="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra721="AwsRedshiftCluster"
 CHECK_ALTERNATE_check721="extra721"
diff --git a/checks/check_extra722 b/checks/check_extra722
index e90596b7..019478dd 100644
--- a/checks/check_extra722
+++ b/checks/check_extra722
@@ -14,6 +14,7 @@ CHECK_ID_extra722="7.22"
 CHECK_TITLE_extra722="[extra722] Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra722="NOT_SCORED"
 CHECK_TYPE_extra722="EXTRA"
+CHECK_SEVERITY_extra722="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra722="AwsApiGatewayRestApi"
 CHECK_ALTERNATE_check722="extra722"
diff --git a/checks/check_extra723 b/checks/check_extra723
index c527c3c8..db32777b 100644
--- a/checks/check_extra723
+++ b/checks/check_extra723
@@ -14,6 +14,7 @@ CHECK_ID_extra723="7.23"
 CHECK_TITLE_extra723="[extra723] Check if RDS Snapshots and Cluster Snapshots are public (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra723="NOT_SCORED"
 CHECK_TYPE_extra723="EXTRA"
+CHECK_SEVERITY_extra723="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra723="AwsRdsDbSnapshot"
 CHECK_ALTERNATE_check723="extra723"
diff --git a/checks/check_extra724 b/checks/check_extra724
index 2aa08b0f..03b2dad2 100644
--- a/checks/check_extra724
+++ b/checks/check_extra724
@@ -14,6 +14,7 @@ CHECK_ID_extra724="7.24"
 CHECK_TITLE_extra724="[extra724] Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra724="NOT_SCORED"
 CHECK_TYPE_extra724="EXTRA"
+CHECK_SEVERITY_extra724="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra724="AwsCertificateManagerCertificate"
 CHECK_ALTERNATE_check724="extra724"
diff --git a/checks/check_extra725 b/checks/check_extra725
index eb336b79..65c76a85 100644
--- a/checks/check_extra725
+++ b/checks/check_extra725
@@ -15,6 +15,7 @@ CHECK_ID_extra725="7.25"
 CHECK_TITLE_extra725="[extra725] Check if S3 buckets have Object-level logging enabled in CloudTrail (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra725="NOT_SCORED"
 CHECK_TYPE_extra725="EXTRA"
+CHECK_SEVERITY_extra725="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra725="AwsS3Bucket"
 CHECK_ALTERNATE_check725="extra725"
diff --git a/checks/check_extra726 b/checks/check_extra726
index b2eee1a4..5790fcd8 100644
--- a/checks/check_extra726
+++ b/checks/check_extra726
@@ -15,6 +15,7 @@ CHECK_ID_extra726="7.26"
 CHECK_TITLE_extra726="[extra726] Check Trusted Advisor for errors and warnings (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra726="NOT_SCORED"
 CHECK_TYPE_extra726="EXTRA"
+CHECK_SEVERITY_extra726="Medium"
 CHECK_ALTERNATE_check726="extra726"
 extra726(){
diff --git a/checks/check_extra727 b/checks/check_extra727
index 47c41fcb..596f174a 100644
--- a/checks/check_extra727
+++ b/checks/check_extra727
@@ -15,6 +15,7 @@ CHECK_ID_extra727="7.27"
 CHECK_TITLE_extra727="[extra727] Check if SQS queues have policy set as Public (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra727="NOT_SCORED"
 CHECK_TYPE_extra727="EXTRA"
+CHECK_SEVERITY_extra727="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra727="AwsSqsQueue"
 CHECK_ALTERNATE_check727="extra727"
diff --git a/checks/check_extra728 b/checks/check_extra728
index 5399822d..32802c6d 100644
--- a/checks/check_extra728
+++ b/checks/check_extra728
@@ -15,6 +15,7 @@ CHECK_ID_extra728="7.28"
 CHECK_TITLE_extra728="[extra728] Check if SQS queues have Server Side Encryption enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra728="NOT_SCORED"
 CHECK_TYPE_extra728="EXTRA"
+CHECK_SEVERITY_extra728="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra728="AwsSqsQueue"
 CHECK_ALTERNATE_check728="extra728"
diff --git a/checks/check_extra729 b/checks/check_extra729
index 756aa09c..64f42671 100644
--- a/checks/check_extra729
+++ b/checks/check_extra729
@@ -15,6 +15,7 @@ CHECK_ID_extra729="7.29"
 CHECK_TITLE_extra729="[extra729] Ensure there are no EBS Volumes unencrypted (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra729="NOT_SCORED"
 CHECK_TYPE_extra729="EXTRA"
+CHECK_SEVERITY_extra729="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra729="AwsEc2Volume"
 CHECK_ALTERNATE_check729="extra729"
diff --git a/checks/check_extra73 b/checks/check_extra73
index 281b9f90..601d39f5 100644
--- a/checks/check_extra73
+++ b/checks/check_extra73
@@ -15,6 +15,7 @@ CHECK_ID_extra73="7.3"
 CHECK_TITLE_extra73="[extra73] Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra73="NOT_SCORED"
 CHECK_TYPE_extra73="EXTRA"
+CHECK_SEVERITY_extra73="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra73="AwsS3Bucket"
 CHECK_ALTERNATE_extra703="extra73"
 CHECK_ALTERNATE_check73="extra73"
diff --git a/checks/check_extra730 b/checks/check_extra730
index 06266cd3..c2f7fc76 100644
--- a/checks/check_extra730
+++ b/checks/check_extra730
@@ -17,6 +17,7 @@ CHECK_ID_extra730="7.30"
 CHECK_TITLE_extra730="[extra730] Check if ACM Certificates are about to expire in $DAYS_TO_EXPIRE_THRESHOLD days or less (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra730="NOT_SCORED"
 CHECK_TYPE_extra730="EXTRA"
+CHECK_SEVERITY_extra730="High"
 CHECK_ASFF_RESOURCE_TYPE_extra730="AwsCertificateManagerCertificate"
 CHECK_ALTERNATE_check730="extra730"
diff --git a/checks/check_extra731 b/checks/check_extra731
index 744d28a1..7474ea44 100644
--- a/checks/check_extra731
+++ b/checks/check_extra731
@@ -15,6 +15,7 @@ CHECK_ID_extra731="7.31"
 CHECK_TITLE_extra731="[extra731] Check if SNS topics have policy set as Public (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra731="NOT_SCORED"
 CHECK_TYPE_extra731="EXTRA"
+CHECK_SEVERITY_extra731="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra731="AwsSnsTopic"
 CHECK_ALTERNATE_check731="extra731"
diff --git a/checks/check_extra732 b/checks/check_extra732
index 30c6ec7f..811fed10 100644
--- a/checks/check_extra732
+++ b/checks/check_extra732
@@ -15,6 +15,7 @@ CHECK_ID_extra732="7.32"
 CHECK_TITLE_extra732="[extra732] Check if Geo restrictions are enabled in CloudFront distributions (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra732="NOT_SCORED"
 CHECK_TYPE_extra732="EXTRA"
+CHECK_SEVERITY_extra732="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra732="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check732="extra732"
diff --git a/checks/check_extra733 b/checks/check_extra733
index 656b51d1..1b41dfd5 100644
--- a/checks/check_extra733
+++ b/checks/check_extra733
@@ -15,6 +15,7 @@ CHECK_ID_extra733="7.33"
 CHECK_TITLE_extra733="[extra733] Check if there are SAML Providers then STS can be used (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra733="NOT_SCORED"
 CHECK_TYPE_extra733="EXTRA"
+CHECK_SEVERITY_extra733="Low"
 CHECK_ALTERNATE_check733="extra733"
 extra733(){
diff --git a/checks/check_extra734 b/checks/check_extra734
index 3ffcf826..8b212ae6 100644
--- a/checks/check_extra734
+++ b/checks/check_extra734
@@ -14,6 +14,7 @@ CHECK_ID_extra734="7.34"
 CHECK_TITLE_extra734="[extra734] Check if S3 buckets have default encryption (SSE) enabled or use a bucket policy to enforce it (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra734="NOT_SCORED"
 CHECK_TYPE_extra734="EXTRA"
+CHECK_SEVERITY_extra734="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra734="AwsS3Bucket"
 CHECK_ALTERNATE_check734="extra734"
diff --git a/checks/check_extra735 b/checks/check_extra735
index 0e49b698..cd824fba 100644
--- a/checks/check_extra735
+++ b/checks/check_extra735
@@ -14,6 +14,7 @@ CHECK_ID_extra735="7.35"
 CHECK_TITLE_extra735="[extra735] Check if RDS instances storage is encrypted (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra735="NOT_SCORED"
 CHECK_TYPE_extra735="EXTRA"
+CHECK_SEVERITY_extra735="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra735="AwsRdsDbInstance"
 CHECK_ALTERNATE_check735="extra735"
diff --git a/checks/check_extra736 b/checks/check_extra736
index 19082827..8847af89 100644
--- a/checks/check_extra736
+++ b/checks/check_extra736
@@ -14,6 +14,7 @@ CHECK_ID_extra736="7.36"
 CHECK_TITLE_extra736="[extra736] Check exposed KMS keys (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra736="NOT_SCORED"
 CHECK_TYPE_extra736="EXTRA"
+CHECK_SEVERITY_extra736="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra736="AwsKmsKey"
 CHECK_ALTERNATE_check736="extra736"
diff --git a/checks/check_extra737 b/checks/check_extra737
index 17040276..b766a555 100644
--- a/checks/check_extra737
+++ b/checks/check_extra737
@@ -14,6 +14,7 @@ CHECK_ID_extra737="7.37"
 CHECK_TITLE_extra737="[extra737] Check KMS keys with key rotation disabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra737="NOT_SCORED"
 CHECK_TYPE_extra737="EXTRA"
+CHECK_SEVERITY_extra737="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra737="AwsKmsKey"
 CHECK_ALTERNATE_check737="extra737"
diff --git a/checks/check_extra738 b/checks/check_extra738
index c5b59eec..6ec16147 100644
--- a/checks/check_extra738
+++ b/checks/check_extra738
@@ -14,6 +14,7 @@ CHECK_ID_extra738="7.38"
 CHECK_TITLE_extra738="[extra738] Check if CloudFront distributions are set to HTTPS (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra738="NOT_SCORED"
 CHECK_TYPE_extra738="EXTRA"
+CHECK_SEVERITY_extra738="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra738="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check738="extra738"
diff --git a/checks/check_extra739 b/checks/check_extra739
index b1280683..5ef3c92f 100644
--- a/checks/check_extra739
+++ b/checks/check_extra739
@@ -14,6 +14,7 @@ CHECK_ID_extra739="7.39"
 CHECK_TITLE_extra739="[extra739] Check if RDS instances have backup enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra739="NOT_SCORED"
 CHECK_TYPE_extra739="EXTRA"
+CHECK_SEVERITY_extra739="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra739="AwsRdsDbInstance"
 CHECK_ALTERNATE_check739="extra739"
diff --git a/checks/check_extra74 b/checks/check_extra74
index c6d0aa04..9dc7323b 100644
--- a/checks/check_extra74
+++ b/checks/check_extra74
@@ -14,6 +14,7 @@ CHECK_ID_extra74="7.4"
 CHECK_TITLE_extra74="[extra74] Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra74="NOT_SCORED"
 CHECK_TYPE_extra74="EXTRA"
+CHECK_SEVERITY_extra74="High"
 CHECK_ASFF_RESOURCE_TYPE_extra74="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_extra704="extra74"
 CHECK_ALTERNATE_check74="extra74"
diff --git a/checks/check_extra740 b/checks/check_extra740
index 5fa00518..ef0ac8bb 100644
--- a/checks/check_extra740
+++ b/checks/check_extra740
@@ -14,6 +14,7 @@ CHECK_ID_extra740="7.40"
 CHECK_TITLE_extra740="[extra740] Check if EBS snapshots are encrypted (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra740="NOT_SCORED"
 CHECK_TYPE_extra740="EXTRA"
+CHECK_SEVERITY_extra740="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra740="AwsEc2Snapshot"
 CHECK_ALTERNATE_check740="extra740"
diff --git a/checks/check_extra741 b/checks/check_extra741
index 7545c9aa..3245ce0c 100644
--- a/checks/check_extra741
+++ b/checks/check_extra741
@@ -14,6 +14,7 @@ CHECK_ID_extra741="7.41"
 CHECK_TITLE_extra741="[extra741] Find secrets in EC2 User Data (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra741="NOT_SCORED"
 CHECK_TYPE_extra741="EXTRA"
+CHECK_SEVERITY_extra741="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra741="AwsEc2Instance"
 CHECK_ALTERNATE_check741="extra741"
diff --git a/checks/check_extra742 b/checks/check_extra742
index 745c09c0..f9ac6868 100644
--- a/checks/check_extra742
+++ b/checks/check_extra742
@@ -14,6 +14,7 @@ CHECK_ID_extra742="7.42"
 CHECK_TITLE_extra742="[extra742] Find secrets in CloudFormation outputs (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra742="NOT_SCORED"
 CHECK_TYPE_extra742="EXTRA"
+CHECK_SEVERITY_extra742="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra742="AwsCloudFormationStack"
 CHECK_ALTERNATE_check742="extra742"
diff --git a/checks/check_extra743 b/checks/check_extra743
index 4cd22003..322b0d57 100644
--- a/checks/check_extra743
+++ b/checks/check_extra743
@@ -14,6 +14,7 @@ CHECK_ID_extra743="7.43"
 CHECK_TITLE_extra743="[extra743] Check if API Gateway has client certificate enabled to access your backend endpoint (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra743="NOT_SCORED"
 CHECK_TYPE_extra743="EXTRA"
+CHECK_SEVERITY_extra743="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra743="AwsApiGatewayRestApi"
 CHECK_ALTERNATE_check743="extra743"
diff --git a/checks/check_extra744 b/checks/check_extra744
index 4bc9edd6..972f297f 100644
--- a/checks/check_extra744
+++ b/checks/check_extra744
@@ -14,6 +14,7 @@ CHECK_ID_extra744="7.44"
 CHECK_TITLE_extra744="[extra744] Check if API Gateway has a WAF ACL attached (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra744="NOT_SCORED"
 CHECK_TYPE_extra744="EXTRA"
+CHECK_SEVERITY_extra744="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra744="AwsApiGatewayRestApi"
 CHECK_ALTERNATE_check744="extra744"
diff --git a/checks/check_extra745 b/checks/check_extra745
index b8674e5c..d05a262a 100644
--- a/checks/check_extra745
+++ b/checks/check_extra745
@@ -14,6 +14,7 @@ CHECK_ID_extra745="7.45"
 CHECK_TITLE_extra745="[extra745] Check if API Gateway endpoint is public or private (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra745="NOT_SCORED"
 CHECK_TYPE_extra745="EXTRA"
+CHECK_SEVERITY_extra745="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra745="AwsApiGatewayRestApi"
 CHECK_ALTERNATE_check745="extra745"
diff --git a/checks/check_extra746 b/checks/check_extra746
index 79de26e7..2b817b32 100644
--- a/checks/check_extra746
+++ b/checks/check_extra746
@@ -14,6 +14,7 @@ CHECK_ID_extra746="7.46"
 CHECK_TITLE_extra746="[extra746] Check if API Gateway has configured authorizers (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra746="NOT_SCORED"
 CHECK_TYPE_extra746="EXTRA"
+CHECK_SEVERITY_extra746="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra746="AwsApiGatewayRestApi"
 CHECK_ALTERNATE_check746="extra746"
diff --git a/checks/check_extra747 b/checks/check_extra747
index 027359bf..2f1f9915 100644
--- a/checks/check_extra747
+++ b/checks/check_extra747
@@ -14,6 +14,7 @@ CHECK_ID_extra747="7.47"
 CHECK_TITLE_extra747="[extra747] Check if RDS instances is integrated with CloudWatch Logs (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra747="NOT_SCORED"
 CHECK_TYPE_extra747="EXTRA"
+CHECK_SEVERITY_extra747="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra747="AwsRdsDbInstance"
 CHECK_ALTERNATE_check747="extra747"
diff --git a/checks/check_extra748 b/checks/check_extra748
index 9aa71147..b7905d09 100644
--- a/checks/check_extra748
+++ b/checks/check_extra748
@@ -14,6 +14,7 @@ CHECK_ID_extra748="7.48"
 CHECK_TITLE_extra748="[extra748] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to any port (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra748="NOT_SCORED"
 CHECK_TYPE_extra748="EXTRA"
+CHECK_SEVERITY_extra748="High"
 CHECK_ASFF_RESOURCE_TYPE_extra748="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check748="extra748"
diff --git a/checks/check_extra749 b/checks/check_extra749
index 0a74e394..c5ef6cc2 100644
--- a/checks/check_extra749
+++ b/checks/check_extra749
@@ -14,6 +14,7 @@ CHECK_ID_extra749="7.49"
 CHECK_TITLE_extra749="[extra749] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Oracle ports 1521 or 2483 (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra749="NOT_SCORED"
 CHECK_TYPE_extra749="EXTRA"
+CHECK_SEVERITY_extra749="High"
 CHECK_ASFF_RESOURCE_TYPE_extra749="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check749="extra749"
diff --git a/checks/check_extra75 b/checks/check_extra75
index 11179a61..1063dd34 100644
--- a/checks/check_extra75
+++ b/checks/check_extra75
@@ -14,6 +14,7 @@ CHECK_ID_extra75="7.5"
 CHECK_TITLE_extra75="[extra75] Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra75="NOT_SCORED"
 CHECK_TYPE_extra75="EXTRA"
+CHECK_SEVERITY_extra75="Informational"
 CHECK_ASFF_RESOURCE_TYPE_extra75="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_extra705="extra75"
 CHECK_ALTERNATE_check75="extra75"
diff --git a/checks/check_extra750 b/checks/check_extra750
index fd105bfc..fff980d9 100644
--- a/checks/check_extra750
+++ b/checks/check_extra750
@@ -14,6 +14,7 @@ CHECK_ID_extra750="7.50"
 CHECK_TITLE_extra750="[extra750] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MySQL port 3306 (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra750="NOT_SCORED"
 CHECK_TYPE_extra750="EXTRA"
+CHECK_SEVERITY_extra750="High"
 CHECK_ASFF_RESOURCE_TYPE_extra750="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check750="extra750"
diff --git a/checks/check_extra751 b/checks/check_extra751
index 0d623ba8..a0f8fd53 100644
--- a/checks/check_extra751
+++ b/checks/check_extra751
@@ -14,6 +14,7 @@ CHECK_ID_extra751="7.51"
 CHECK_TITLE_extra751="[extra751] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Postgres port 5432 (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra751="NOT_SCORED"
 CHECK_TYPE_extra751="EXTRA"
+CHECK_SEVERITY_extra751="High"
 CHECK_ASFF_RESOURCE_TYPE_extra751="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check751="extra751"
diff --git a/checks/check_extra752 b/checks/check_extra752
index e6472181..7fc60bc7 100644
--- a/checks/check_extra752
+++ b/checks/check_extra752
@@ -14,6 +14,7 @@ CHECK_ID_extra752="7.52"
 CHECK_TITLE_extra752="[extra752] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Redis port 6379 (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra752="NOT_SCORED"
 CHECK_TYPE_extra752="EXTRA"
+CHECK_SEVERITY_extra752="High"
 CHECK_ASFF_RESOURCE_TYPE_extra752="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check752="extra752"
diff --git a/checks/check_extra753 b/checks/check_extra753
index 44824b93..b3cf6674 100644
--- a/checks/check_extra753
+++ b/checks/check_extra753
@@ -14,6 +14,7 @@ CHECK_ID_extra753="7.53"
 CHECK_TITLE_extra753="[extra753] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MongoDB ports 27017 and 27018 (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra753="NOT_SCORED"
 CHECK_TYPE_extra753="EXTRA"
+CHECK_SEVERITY_extra753="High"
 CHECK_ASFF_RESOURCE_TYPE_extra753="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check753="extra753"
diff --git a/checks/check_extra754 b/checks/check_extra754
index 30e8a939..af61d86e 100644
--- a/checks/check_extra754
+++ b/checks/check_extra754
@@ -14,6 +14,7 @@ CHECK_ID_extra754="7.54"
 CHECK_TITLE_extra754="[extra754] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199 or 9160 or 8888 (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra754="NOT_SCORED"
 CHECK_TYPE_extra754="EXTRA"
+CHECK_SEVERITY_extra754="High"
 CHECK_ASFF_RESOURCE_TYPE_extra754="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check754="extra754"
diff --git a/checks/check_extra755 b/checks/check_extra755
index e0164d76..de5a7ab1 100644
--- a/checks/check_extra755
+++ b/checks/check_extra755
@@ -14,6 +14,7 @@ CHECK_ID_extra755="7.55"
 CHECK_TITLE_extra755="[extra755] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Memcached port 11211 (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra755="NOT_SCORED"
 CHECK_TYPE_extra755="EXTRA"
+CHECK_SEVERITY_extra755="High"
 CHECK_ASFF_RESOURCE_TYPE_extra755="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check755="extra755"
diff --git a/checks/check_extra756 b/checks/check_extra756
index 69dabb60..5c831c2a 100644
--- a/checks/check_extra756
+++ b/checks/check_extra756
@@ -14,6 +14,7 @@ CHECK_ID_extra756="7.56"
 CHECK_TITLE_extra756="[extra756] Check if Redshift cluster is Public Accessible (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra756="NOT_SCORED"
 CHECK_TYPE_extra756="EXTRA"
+CHECK_SEVERITY_extra756="High"
 CHECK_ASFF_RESOURCE_TYPE_extra756="AwsRedshiftCluster"
 CHECK_ALTERNATE_check756="extra756"
diff --git a/checks/check_extra757 b/checks/check_extra757
index a5ddf6fd..97e2e3c9 100644
--- a/checks/check_extra757
+++ b/checks/check_extra757
@@ -14,6 +14,7 @@ CHECK_ID_extra757="7.57"
 CHECK_TITLE_extra757="[extra757] Check EC2 Instances older than 6 months (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra757="NOT_SCORED"
 CHECK_TYPE_extra757="EXTRA"
+CHECK_SEVERITY_extra757="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra757="AwsEc2Instance"
 CHECK_ALTERNATE_check757="extra757"
diff --git a/checks/check_extra758 b/checks/check_extra758
index 5f5fe40b..42603535 100644
--- a/checks/check_extra758
+++ b/checks/check_extra758
@@ -14,6 +14,7 @@ CHECK_ID_extra758="7.58"
 CHECK_TITLE_extra758="[extra758] Check EC2 Instances older than 12 months (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra758="NOT_SCORED"
 CHECK_TYPE_extra758="EXTRA"
+CHECK_SEVERITY_extra758="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra758="AwsEc2Instance"
 CHECK_ALTERNATE_check758="extra758"
diff --git a/checks/check_extra759 b/checks/check_extra759
index 6b3ff15e..6caad4f7 100644
--- a/checks/check_extra759
+++ b/checks/check_extra759
@@ -14,6 +14,7 @@ CHECK_ID_extra759="7.59"
 CHECK_TITLE_extra759="[extra759] Find secrets in Lambda functions variables (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra759="NOT_SCORED"
 CHECK_TYPE_extra759="EXTRA"
+CHECK_SEVERITY_extra759="High"
 CHECK_ASFF_RESOURCE_TYPE_extra759="AwsLambdaFunction"
 CHECK_ALTERNATE_check759="extra759"
diff --git a/checks/check_extra76 b/checks/check_extra76
index e524ea7d..b1667948 100644
--- a/checks/check_extra76
+++ b/checks/check_extra76
@@ -14,6 +14,7 @@ CHECK_ID_extra76="7.6"
 CHECK_TITLE_extra76="[extra76] Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra76="NOT_SCORED"
 CHECK_TYPE_extra76="EXTRA"
+CHECK_SEVERITY_extra76="Critical"
 CHECK_ALTERNATE_extra706="extra76"
 CHECK_ALTERNATE_check76="extra76"
 CHECK_ALTERNATE_check706="extra76"
diff --git a/checks/check_extra760 b/checks/check_extra760
index ee66c791..a6c9d07e 100644
--- a/checks/check_extra760
+++ b/checks/check_extra760
@@ -14,6 +14,7 @@ CHECK_ID_extra760="7.60"
 CHECK_TITLE_extra760="[extra760] Find secrets in Lambda functions code (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra760="NOT_SCORED"
 CHECK_TYPE_extra760="EXTRA"
+CHECK_SEVERITY_extra760="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra760="AwsLambdaFunction"
 CHECK_ALTERNATE_check760="extra760"
diff --git a/checks/check_extra761 b/checks/check_extra761
index 54218618..a0754c3a 100644
--- a/checks/check_extra761
+++ b/checks/check_extra761
@@ -14,6 +14,7 @@ CHECK_ID_extra761="7.61"
 CHECK_TITLE_extra761="[extra761] Check if EBS Default Encryption is activated (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra761="NOT_SCORED"
 CHECK_TYPE_extra761="EXTRA"
+CHECK_SEVERITY_extra761="Medium"
 CHECK_ALTERNATE_check761="extra761"
 extra761(){
diff --git a/checks/check_extra762 b/checks/check_extra762
index c66974e6..eb40aa30 100644
--- a/checks/check_extra762
+++ b/checks/check_extra762
@@ -14,6 +14,7 @@ CHECK_ID_extra762="7.62"
 CHECK_TITLE_extra762="[extra762] Find obsolete Lambda runtimes (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra762="NOT_SCORED"
 CHECK_TYPE_extra762="EXTRA"
+CHECK_SEVERITY_extra762="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra762="AwsLambdaFunction"
 CHECK_ALTERNATE_check762="extra762"
diff --git a/checks/check_extra763 b/checks/check_extra763
index 9ceb9494..a86c7a52 100644
--- a/checks/check_extra763
+++ b/checks/check_extra763
@@ -14,6 +14,7 @@ CHECK_ID_extra763="7.63"
 CHECK_TITLE_extra763="[extra763] Check if S3 buckets have object versioning enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra763="NOT_SCORED"
 CHECK_TYPE_extra763="EXTRA"
+CHECK_SEVERITY_extra763="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra763="AwsS3Bucket"
 CHECK_ALTERNATE_check763="extra763"
diff --git a/checks/check_extra764 b/checks/check_extra764
index 4f1f5a86..435cf474 100644
--- a/checks/check_extra764
+++ b/checks/check_extra764
@@ -14,6 +14,7 @@ CHECK_ID_extra764="7.64"
 CHECK_TITLE_extra764="[extra764] Check if S3 buckets have secure transport policy (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra764="NOT_SCORED"
 CHECK_TYPE_extra764="EXTRA"
+CHECK_SEVERITY_extra764="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra764="AwsS3Bucket"
 CHECK_ALTERNATE_check764="extra764"
diff --git a/checks/check_extra765 b/checks/check_extra765
index 1c4bb689..cfc1a839 100644
--- a/checks/check_extra765
+++ b/checks/check_extra765
@@ -24,6 +24,7 @@ CHECK_ID_extra765="7.65"
 CHECK_TITLE_extra765="[extra765] Check if ECR image scan on push is enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra765="NOT_SCORED"
 CHECK_TYPE_extra765="EXTRA"
+CHECK_SEVERITY_extra765="Medium"
 CHECK_ALTERNATE_check765="extra765"
 extra765(){
diff --git a/checks/check_extra767 b/checks/check_extra767
index 1683d466..d82b5586 100644
--- a/checks/check_extra767
+++ b/checks/check_extra767
@@ -14,6 +14,7 @@ CHECK_ID_extra767="7.67"
 CHECK_TITLE_extra767="[extra767] Check if CloudFront distributions have Field Level Encryption enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra767="NOT_SCORED"
 CHECK_TYPE_extra767="EXTRA"
+CHECK_SEVERITY_extra767="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra767="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check767="extra767"
diff --git a/checks/check_extra768 b/checks/check_extra768
index 591983af..1468ec2f 100644
--- a/checks/check_extra768
+++ b/checks/check_extra768
@@ -14,6 +14,7 @@ CHECK_ID_extra768="7.68"
 CHECK_TITLE_extra768="[extra768] Find secrets in ECS task definitions variables (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra768="NOT_SCORED"
 CHECK_TYPE_extra768="EXTRA"
+CHECK_SEVERITY_extra768="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra768="AwsEcsTaskDefinition"
 CHECK_ALTERNATE_check768="extra768"
diff --git a/checks/check_extra769 b/checks/check_extra769
index 99835ba0..43b18b31 100644
--- a/checks/check_extra769
+++ b/checks/check_extra769
@@ -15,6 +15,7 @@ CHECK_ID_extra769="7.69"
 CHECK_TITLE_extra769="[extra769] Check if IAM Access Analyzer is enabled and its findings (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra769="NOT_SCORED"
 CHECK_TYPE_extra769="EXTRA"
+CHECK_SEVERITY_extra769="High"
 CHECK_ALTERNATE_check769="extra769"
 extra769(){
diff --git a/checks/check_extra77 b/checks/check_extra77
index ad3011c6..d104d782 100644
--- a/checks/check_extra77
+++ b/checks/check_extra77
@@ -15,6 +15,7 @@ CHECK_ID_extra77="7.7"
 CHECK_TITLE_extra77="[extra77] Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra77="NOT_SCORED"
 CHECK_TYPE_extra77="EXTRA"
+CHECK_SEVERITY_extra77="Critical"
 CHECK_ALTERNATE_extra707="extra77"
 CHECK_ALTERNATE_check77="extra77"
 CHECK_ALTERNATE_check707="extra77"
diff --git a/checks/check_extra770 b/checks/check_extra770
index b657bbaa..0c624274 100644
--- a/checks/check_extra770
+++ b/checks/check_extra770
@@ -14,6 +14,7 @@ CHECK_ID_extra770="7.70"
 CHECK_TITLE_extra770="[extra770] Check for internet facing EC2 instances with Instance Profiles attached (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra770="NOT_SCORED"
 CHECK_TYPE_extra770="EXTRA"
+CHECK_SEVERITY_extra770="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra770="AwsEc2Instance"
 CHECK_ALTERNATE_check770="extra770"
diff --git a/checks/check_extra771 b/checks/check_extra771
index 98d2da9b..b30a2c20 100644
--- a/checks/check_extra771
+++ b/checks/check_extra771
@@ -14,6 +14,7 @@ CHECK_ID_extra771="7.71"
 CHECK_TITLE_extra771="[extra771] Check if S3 buckets have policies which allow WRITE access (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra771="NOT_SCORED"
 CHECK_TYPE_extra771="EXTRA"
+CHECK_SEVERITY_extra771="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra771="AwsS3Bucket"
 CHECK_ALTERNATE_check771="extra771"
diff --git a/checks/check_extra772 b/checks/check_extra772
index bb0e5e39..47564d79 100644
--- a/checks/check_extra772
+++ b/checks/check_extra772
@@ -14,6 +14,7 @@ CHECK_ID_extra772="7.72"
 CHECK_TITLE_extra772="[extra772] Check if elastic IPs are unused (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra772="NOT_SCORED"
 CHECK_TYPE_extra772="EXTRA"
+CHECK_SEVERITY_extra772="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra772="AwsEc2Eip"
 CHECK_ALTERNATE_check772="extra772"
diff --git a/checks/check_extra773 b/checks/check_extra773
index dbfba0ca..0ff0be80 100644
--- a/checks/check_extra773
+++ b/checks/check_extra773
@@ -14,6 +14,7 @@ CHECK_ID_extra773="7.73"
 CHECK_TITLE_extra773="[extra773] Check if CloudFront distributions are using WAF (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra773="NOT_SCORED"
 CHECK_TYPE_extra773="EXTRA"
+CHECK_SEVERITY_extra773="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra773="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check773="extra773"
diff --git a/checks/check_extra774 b/checks/check_extra774
index b88bfad8..a81f3e1c 100644
--- a/checks/check_extra774
+++ b/checks/check_extra774
@@ -14,6 +14,7 @@ CHECK_ID_extra774="7.74"
 CHECK_TITLE_extra774="[extra774] Ensure credentials unused for 30 days or greater are disabled"
 CHECK_SCORED_extra774="NOT_SCORED"
 CHECK_TYPE_extra774="EXTRA"
+CHECK_SEVERITY_extra774="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra774="AwsIamUser"
 CHECK_ALTERNATE_check774="extra774"
diff --git a/checks/check_extra775 b/checks/check_extra775
index 319cdfe2..5864f227 100644
--- a/checks/check_extra775
+++ b/checks/check_extra775
@@ -14,6 +14,7 @@ CHECK_ID_extra775="7.75"
 CHECK_TITLE_extra775="[extra775] Find secrets in EC2 Auto Scaling Launch Configuration (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra775="NOT_SCORED"
 CHECK_TYPE_extra775="EXTRA"
+CHECK_SEVERITY_extra775="Medium"
 CHECK_ALTERNATE_check775="extra775"
 extra775(){
diff --git a/checks/check_extra776 b/checks/check_extra776
index 369d6c54..f5d23004 100644
--- a/checks/check_extra776
+++ b/checks/check_extra776
@@ -29,6 +29,7 @@ CHECK_ID_extra776="7.76"
 CHECK_TITLE_extra776="[extra776] Check if ECR image scan found vulnerabilities in the newest image version (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra776="NOT_SCORED"
 CHECK_TYPE_extra776="EXTRA"
+CHECK_SEVERITY_extra776="Medium"
 CHECK_ALTERNATE_check776="extra776"
 extra776(){
diff --git a/checks/check_extra777 b/checks/check_extra777
index fa3d8c0c..e4021339 100644
--- a/checks/check_extra777
+++ b/checks/check_extra777
@@ -18,6 +18,7 @@ CHECK_ID_extra777="7.77"
 CHECK_TITLE_extra777="[extra777] Find VPC security groups with many ingress or egress rules (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra777="NOT_SCORED"
 CHECK_TYPE_extra777="EXTRA"
+CHECK_SEVERITY_extra777="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra777="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check777="extra777"
diff --git a/checks/check_extra778 b/checks/check_extra778
index 8d511687..b7a63b23 100644
--- a/checks/check_extra778
+++ b/checks/check_extra778
@@ -15,6 +15,7 @@ CHECK_ID_extra778="7.78"
 CHECK_TITLE_extra778="[extra778] Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918) (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra778="NOT_SCORED"
 CHECK_TYPE_extra778="EXTRA"
+CHECK_SEVERITY_extra778="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra778="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check778="extra778"
diff --git a/checks/check_extra779 b/checks/check_extra779
index ac4d2220..ffa79939 100644
--- a/checks/check_extra779
+++ b/checks/check_extra779
@@ -14,6 +14,7 @@ CHECK_ID_extra779="7.79"
 CHECK_TITLE_extra779="[extra779] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana ports"
 CHECK_SCORED_extra779="NOT_SCORED"
 CHECK_TYPE_extra779="EXTRA"
+CHECK_SEVERITY_extra779="High"
 CHECK_ASFF_RESOURCE_TYPE_extra779="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check779="extra779"
diff --git a/checks/check_extra78 b/checks/check_extra78
index d1c0c8ab..3c960994 100644
--- a/checks/check_extra78
+++ b/checks/check_extra78
@@ -14,6 +14,7 @@ CHECK_ID_extra78="7.8"
 CHECK_TITLE_extra78="[extra78] Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra78="NOT_SCORED"
 CHECK_TYPE_extra78="EXTRA"
+CHECK_SEVERITY_extra78="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra78="AwsRdsDbInstance"
 CHECK_ALTERNATE_extra708="extra78"
 CHECK_ALTERNATE_check78="extra78"
diff --git a/checks/check_extra780 b/checks/check_extra780
index 0a694c35..28a77104 100644
--- a/checks/check_extra780
+++ b/checks/check_extra780
@@ -14,6 +14,7 @@ CHECK_ID_extra780="7.80"
 CHECK_TITLE_extra780="[extra780] Check if Amazon Elasticsearch Service (ES) domains has Amazon Cognito authentication for Kibana enabled"
 CHECK_SCORED_extra780="NOT_SCORED"
 CHECK_TYPE_extra780="EXTRA"
+CHECK_SEVERITY_extra780="High"
 CHECK_ASFF_RESOURCE_TYPE_extra780="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check780="extra780"
diff --git a/checks/check_extra781 b/checks/check_extra781
index e4f36620..dcb154fa 100644
--- a/checks/check_extra781
+++ b/checks/check_extra781
@@ -14,6 +14,7 @@ CHECK_ID_extra781="7.81"
 CHECK_TITLE_extra781="[extra781] Check if Amazon Elasticsearch Service (ES) domains has encryption at-rest enabled"
 CHECK_SCORED_extra781="NOT_SCORED"
 CHECK_TYPE_extra781="EXTRA"
+CHECK_SEVERITY_extra781="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra781="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check781="extra781"
diff --git a/checks/check_extra782 b/checks/check_extra782
index ab169bee..daa5b4b2 100644
--- a/checks/check_extra782
+++ b/checks/check_extra782
@@ -14,6 +14,7 @@ CHECK_ID_extra782="7.82"
 CHECK_TITLE_extra782="[extra782] Check if Amazon Elasticsearch Service (ES) domains has node-to-node encryption enabled"
 CHECK_SCORED_extra782="NOT_SCORED"
 CHECK_TYPE_extra782="EXTRA"
+CHECK_SEVERITY_extra782="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra782="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check782="extra782"
diff --git a/checks/check_extra783 b/checks/check_extra783
index fa76f6f1..49f554b5 100644
--- a/checks/check_extra783
+++ b/checks/check_extra783
@@ -14,6 +14,7 @@ CHECK_ID_extra783="7.83"
 CHECK_TITLE_extra783="[extra783] Check if Amazon Elasticsearch Service (ES) domains has enforce HTTPS enabled"
 CHECK_SCORED_extra783="NOT_SCORED"
 CHECK_TYPE_extra783="EXTRA"
+CHECK_SEVERITY_extra783="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra783="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check783="extra783"
diff --git a/checks/check_extra784 b/checks/check_extra784
index 29779d50..62040df3 100644
--- a/checks/check_extra784
+++ b/checks/check_extra784
@@ -14,6 +14,7 @@ CHECK_ID_extra784="7.84"
 CHECK_TITLE_extra784="[extra784] Check if Amazon Elasticsearch Service (ES) domains internal user database enabled"
 CHECK_SCORED_extra784="NOT_SCORED"
 CHECK_TYPE_extra784="EXTRA"
+CHECK_SEVERITY_extra784="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra784="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check784="extra784"
diff --git a/checks/check_extra785 b/checks/check_extra785
index 59ffba11..a7fb27aa 100644
--- a/checks/check_extra785
+++ b/checks/check_extra785
@@ -14,6 +14,7 @@ CHECK_ID_extra785="7.85"
 CHECK_TITLE_extra785="[extra785] Check if Amazon Elasticsearch Service (ES) domains have updates available"
 CHECK_SCORED_extra785="NOT_SCORED"
 CHECK_TYPE_extra785="EXTRA"
+CHECK_SEVERITY_extra785="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra785="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check785="extra785"
diff --git a/checks/check_extra786 b/checks/check_extra786
index f011a7f4..7491539d 100644
--- a/checks/check_extra786
+++ b/checks/check_extra786
@@ -14,6 +14,7 @@ CHECK_ID_extra786="7.86"
 CHECK_TITLE_extra786="[extra786] Check if EC2 Instance Metadata Service Version 2 (IMDSv2) is Enabled and Required (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra786="NOT_SCORED"
 CHECK_TYPE_extra786="EXTRA"
+CHECK_SEVERITY_extra786="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra786="AwsEc2Instance"
 CHECK_ALTERNATE_check786="extra786"
diff --git a/checks/check_extra787 b/checks/check_extra787
index ea681f8e..ce5e6f9f 100644
--- a/checks/check_extra787
+++ b/checks/check_extra787
@@ -14,6 +14,7 @@ CHECK_ID_extra787="7.87"
 CHECK_TITLE_extra787="[extra787] Check connection and authentication for Internet exposed Elasticsearch/Kibana ports"
 CHECK_SCORED_extra787="NOT_SCORED"
 CHECK_TYPE_extra787="EXTRA"
+CHECK_SEVERITY_extra787="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra787="AwsEc2Instance"
 CHECK_ALTERNATE_check787="extra787"
diff --git a/checks/check_extra788 b/checks/check_extra788
index f09a9fcc..6821fd5e 100644
--- a/checks/check_extra788
+++ b/checks/check_extra788
@@ -14,6 +14,7 @@ CHECK_ID_extra788="7.88"
 CHECK_TITLE_extra788="[extra788] Check connection and authentication for Internet exposed Amazon Elasticsearch Service (ES) domains"
 CHECK_SCORED_extra788="NOT_SCORED"
 CHECK_TYPE_extra788="EXTRA"
+CHECK_SEVERITY_extra788="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra788="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check788="extra788"
diff --git a/checks/check_extra789 b/checks/check_extra789
index 87f3a1a1..3a7e84c1 100644
--- a/checks/check_extra789
+++ b/checks/check_extra789
@@ -15,6 +15,7 @@ CHECK_ID_extra789="7.89"
 CHECK_TITLE_extra789="[extra789] Find trust boundaries in VPC endpoint services connections"
 CHECK_SCORED_extra789="NOT_SCORED"
 CHECK_TYPE_extra789="EXTRA"
+ CHECK_SEVERITY_extra789="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra789="AwsEc2Vpc"
 CHECK_ALTERNATE_extra789="extra789"
diff --git a/checks/check_extra79 b/checks/check_extra79
index 01c7b41e..9b428bc0 100644
--- a/checks/check_extra79
+++ b/checks/check_extra79
@@ -14,6 +14,7 @@ CHECK_ID_extra79="7.9"
 CHECK_TITLE_extra79="[extra79] Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra79="NOT_SCORED"
 CHECK_TYPE_extra79="EXTRA"
+CHECK_SEVERITY_extra79="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra79="AwsElbLoadBalancer"
 CHECK_ALTERNATE_extra709="extra79"
 CHECK_ALTERNATE_check79="extra79"
diff --git a/checks/check_extra790 b/checks/check_extra790
index 6e9c2e80..83857889 100644
--- a/checks/check_extra790
+++ b/checks/check_extra790
@@ -15,6 +15,7 @@ CHECK_ID_extra790="7.90"
 CHECK_TITLE_extra790="[extra790] Find trust boundaries in VPC endpoint services whitelisted principles"
 CHECK_SCORED_extra790="NOT_SCORED"
 CHECK_TYPE_extra790="EXTRA"
+CHECK_SEVERITY_extra790="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra790="AwsEc2Vpc"
 CHECK_ALTERNATE_extra790="extra790"
diff --git a/checks/check_extra791 b/checks/check_extra791
index f3eaa8b6..b52aa248 100644
--- a/checks/check_extra791
+++ b/checks/check_extra791
@@ -14,6 +14,7 @@ CHECK_ID_extra791="7.91"
 CHECK_TITLE_extra791="[extra791] Check if CloudFront distributions are using deprecated SSL protocols"
 CHECK_SCORED_extra791="NOT_SCORED"
 CHECK_TYPE_extra791="EXTRA"
+CHECK_SEVERITY_extra791="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra791="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check791="extra791"
diff --git a/checks/check_extra792 b/checks/check_extra792
index 7b36d48f..f7329d4f 100644
--- a/checks/check_extra792
+++ b/checks/check_extra792
@@ -14,6 +14,7 @@ CHECK_ID_extra792="7.92"
 CHECK_TITLE_extra792="[extra792] Check if Elastic Load Balancers have insecure SSL ciphers (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra792="NOT_SCORED"
 CHECK_TYPE_extra792="EXTRA"
+CHECK_SEVERITY_extra792="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra792="AwsElbLoadBalancer"
 CHECK_ALTERNATE_check792="extra792"
diff --git a/checks/check_extra793 b/checks/check_extra793
index 038a4e1b..1acb5d11 100644
--- a/checks/check_extra793
+++ b/checks/check_extra793
@@ -14,6 +14,7 @@ CHECK_ID_extra793="7.93"
 CHECK_TITLE_extra793="[extra793] Check if Elastic Load Balancers have SSL listeners (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra793="NOT_SCORED"
 CHECK_TYPE_extra793="EXTRA"
+CHECK_SEVERITY_extra793="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra793="AwsElbLoadBalancer"
 CHECK_ALTERNATE_check793="extra793"
diff --git a/checks/check_extra794 b/checks/check_extra794
index b516048a..281dca35 100644
--- a/checks/check_extra794
+++ b/checks/check_extra794
@@ -14,6 +14,7 @@ CHECK_ID_extra794="7.94"
 CHECK_TITLE_extra794="[extra794] Ensure EKS Control Plane Audit Logging is enabled for all log types"
 CHECK_SCORED_extra794="NOT_SCORED"
 CHECK_TYPE_extra794="EXTRA"
+CHECK_SEVERITY_extra794="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra794="AwsEksCluster"
 CHECK_ALTERNATE_check794="extra794"
diff --git a/checks/check_extra795 b/checks/check_extra795
index 655e18a9..fbfa3059 100644
--- a/checks/check_extra795
+++ b/checks/check_extra795
@@ -14,6 +14,7 @@ CHECK_ID_extra795="7.95"
 CHECK_TITLE_extra795="[extra795] Ensure EKS Clusters are created with Private Endpoint Enabled and Public Access Disabled"
 CHECK_SCORED_extra795="NOT_SCORED"
 CHECK_TYPE_extra795="EXTRA"
+CHECK_SEVERITY_extra795="High"
 CHECK_ASFF_RESOURCE_TYPE_extra795="AwsEksCluster"
 CHECK_ALTERNATE_check795="extra795"
diff --git a/checks/check_extra796 b/checks/check_extra796
index c7b869a5..601712e0 100644
--- a/checks/check_extra796
+++ b/checks/check_extra796
@@ -14,6 +14,7 @@ CHECK_ID_extra796="7.96"
 CHECK_TITLE_extra796="[extra796] Restrict Access to the EKS Control Plane Endpoint"
 CHECK_SCORED_extra796="NOT_SCORED"
 CHECK_TYPE_extra796="EXTRA"
+CHECK_SEVERITY_extra796="High"
 CHECK_ASFF_RESOURCE_TYPE_extra796="AwsEksCluster"
 CHECK_ALTERNATE_check796="extra796"
diff --git a/checks/check_extra797 b/checks/check_extra797
index a095a096..1eca9888 100644
--- a/checks/check_extra797
+++ b/checks/check_extra797
@@ -14,6 +14,7 @@ CHECK_ID_extra797="7.97"
 CHECK_TITLE_extra797="[extra797] Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs)"
 CHECK_SCORED_extra797="NOT_SCORED"
 CHECK_TYPE_extra797="EXTRA"
+CHECK_SEVERITY_extra797="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra797="AwsEksCluster"
 CHECK_ALTERNATE_check797="extra797"
diff --git a/checks/check_extra798 b/checks/check_extra798
index 74b05eaf..a70b9d0b 100644
--- a/checks/check_extra798
+++ b/checks/check_extra798
@@ -15,6 +15,7 @@ CHECK_ID_extra798="7.98"
 CHECK_TITLE_extra798="[extra798] Check if Lambda functions have resource-based policy set as Public"
 CHECK_SCORED_extra798="NOT_SCORED"
 CHECK_TYPE_extra798="EXTRA"
+CHECK_SEVERITY_extra798="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra798="AwsLambdaFunction"
 CHECK_ALTERNATE_check798="extra798"
diff --git a/checks/check_extra799 b/checks/check_extra799
index f2bf742e..9b4be8eb 100644
--- a/checks/check_extra799
+++ b/checks/check_extra799
@@ -15,9 +15,9 @@ CHECK_ID_extra799="7.99"
 CHECK_TITLE_extra799="[extra799] Check if Security Hub is enabled and its standard subscriptions"
 CHECK_SCORED_extra799="NOT_SCORED"
 CHECK_TYPE_extra799="EXTRA"
+CHECK_SEVERITY_extra799="High"
 CHECK_ASFF_RESOURCE_TYPE_extra799="AwsSecurityHubHub"
 CHECK_ALTERNATE_check799="extra799"
-CHECK_SEVERITY_extra799="medium"
 extra799(){
 for regx in $REGIONS; do
diff --git a/checks/check_sample b/checks/check_sample
index b041e30c..4d65e892 100644
--- a/checks/check_sample
+++ b/checks/check_sample
@@ -28,6 +28,7 @@
 # CHECK_TITLE_checkN="[checkN] Description (Not Scored) (Not part of CIS benchmark)"
 # CHECK_SCORED_checkN="NOT_SCORED"
 # CHECK_TYPE_checkN="EXTRA"
+ CHECK_SEVERITY_check="medium"
 # CHECK_ASFF_RESOURCE_TYPE_checkN="AwsAccount" # Choose appropriate value from https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html#asff-resources
 # CHECK_ALTERNATE_checkN="extraN"
 #
diff --git a/include/os_detector b/include/os_detector
index b06754e2..55a6e761 100644
--- a/include/os_detector
+++ b/include/os_detector
@@ -103,10 +103,19 @@ bsd_get_time_in_milliseconds() {
 gnu_get_iso8601_timestamp() {
 "$DATE_CMD" -u +"%Y-%m-%dT%H:%M:%SZ"
 }
+
+gsu_get_iso8601_hundred_days_ago() {
+ "$DATE_CMD" -d "100 days ago" -u +"%Y-%m-%dT%H:%M:%SZ"
+}
+
 bsd_get_iso8601_timestamp() {
 "$DATE_CMD" -u +"%Y-%m-%dT%H:%M:%SZ"
 }
+bsd_get_iso8601_hundred_days_ago() {
+ "$DATE_CMD" -v-100d -u +"%Y-%m-%dT%H:%M:%SZ"
+}
+
 gnu_test_tcp_connectivity() {
 HOST=$1
 PORT=$2
@@ -150,6 +159,9 @@ if [ "$OSTYPE" == "linux-gnu" ] || [ "$OSTYPE" == "linux-musl" ]; then
 get_iso8601_timestamp() {
 gnu_get_iso8601_timestamp
 }
+ get_iso8601_hundred_days_ago() {
+ gsu_get_iso8601_hundred_days_ago
+ }
 test_tcp_connectivity() {
 gnu_test_tcp_connectivity "$1" "$2" "$3"
 }
@@ -207,6 +219,9 @@ elif [[ "$OSTYPE" == "darwin"* ]]; then
 get_iso8601_timestamp() {
 bsd_get_iso8601_timestamp
 }
+ get_iso8601_hundred_days_ago() {
+ bsd_get_iso8601_hundred_days_ago
+ }
 fi
 if "$BASE64_CMD" --version >/dev/null 2>&1 ; then
 decode_report() {
diff --git a/include/outputs b/include/outputs
index c83c2abd..f439ae55 100644
--- a/include/outputs
+++ b/include/outputs
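Review bot: The template line `+ CHECK_SEVERITY_check="medium"` in check_sample is not commented out like the surrounding `# CHECK_..._checkN=` lines, names the variable `CHECK_SEVERITY_check` instead of `CHECK_SEVERITY_checkN`, and uses lowercase `medium` where every check in this commit uses `Medium`/`High`/`Critical`/`Low`. If check_sample is ever sourced it defines a stray variable, and as a template it misstates the name execute_check looks up (`CHECK_SEVERITY_$1`); the plain JSON path in generateJsonOutput does not uppercase the value, so the casing convention matters there. Suggest `# CHECK_SEVERITY_checkN="Medium"`. The same stray leading space before the assignment also appears in the check_extra789 hunk.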
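Review bot: `gsu_get_iso8601_hundred_days_ago` breaks the `gnu_`/`bsd_` prefix pairing of the neighbouring helpers (`gnu_get_iso8601_timestamp`, `gnu_test_tcp_connectivity`); it only works because the `linux-gnu` dispatcher repeats the same typo, so rename both occurrences to `gnu_get_iso8601_hundred_days_ago`. The 100-day window is an unexplained magic number duplicated in the GNU and BSD variants; a comment such as `# 100 days: covers Security Hub's 90-day finding retention with margin` (the removed code in securityhub_integration refers to that 90-day deletion) would record the intent. Any OSTYPE branch outside the two shown hunks would leave `get_iso8601_hundred_days_ago` undefined and make resolveSecurityHubPreviousFails fail at runtime, which is worth confirming against the rest of the file.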
@@ -57,7 +57,7 @@ textPass(){
 generateJsonOutput "$1" "Pass" | tee -a ${OUTPUT_FILE_NAME}.$EXTENSION_JSON
 fi
 if [[ "${MODES[@]}" =~ "json-asff" ]]; then
- JSON_ASFF_OUTPUT=$(generateJsonAsffOutput "$1" "PASSED" "INFORMATIONAL")
+ JSON_ASFF_OUTPUT=$(generateJsonAsffOutput "$1" "PASSED")
 echo "${JSON_ASFF_OUTPUT}" | tee -a $OUTPUT_FILE_NAME.$EXTENSION_ASFF
 if [[ "${SEND_TO_SECURITY_HUB}" -eq 1 ]]; then
 sendToSecurityHub "${JSON_ASFF_OUTPUT}" "${REPREGION}"
@@ -144,7 +144,7 @@ textFail(){
 generateJsonOutput "$1" "${level}" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_JSON}
 fi
 if [[ "${MODES[@]}" =~ "json-asff" ]]; then
- JSON_ASFF_OUTPUT=$(generateJsonAsffOutput "$1" "${level}" "HIGH")
+ JSON_ASFF_OUTPUT=$(generateJsonAsffOutput "$1" "${level}")
 echo "${JSON_ASFF_OUTPUT}" | tee -a ${OUTPUT_FILE_NAME}.${EXTENSION_ASFF}
 if [[ "${SEND_TO_SECURITY_HUB}" -eq 1 ]]; then
 sendToSecurityHub "${JSON_ASFF_OUTPUT}" "${REPREGION}"
@@ -225,6 +225,7 @@ generateJsonOutput(){
 --arg TITLE_TEXT "$TITLE_TEXT" \
 --arg MESSAGE "$(echo -e "${message}" | sed -e 's/^[[:space:]]*//')" \
 --arg STATUS "$status" \
+ --arg SEVERITY "$CHECK_SEVERITY" \
 --arg SCORED "$ITEM_SCORED" \
 --arg ITEM_LEVEL "$ITEM_LEVEL" \
 --arg TITLE_ID "$TITLE_ID" \
@@ -235,6 +236,7 @@ generateJsonOutput(){
 "Account Number": $ACCOUNT_NUM,
 "Control": $TITLE_TEXT,
 "Message": $MESSAGE,
+ "Severity": "$SEVERITY",
 "Status": $STATUS,
 "Scored": $SCORED,
 "Level": $ITEM_LEVEL,
@@ -253,8 +255,6 @@ generateJsonAsffOutput(){
 if [[ "$status" == "FAIL" ]]; then
 status="FAILED"
 fi
-
- local severity=$3
 jq -M -c \
 --arg UUID $(uuidgen | awk '{print tolower($0)}') \
 --arg ACCOUNT_NUM "$ACCOUNT_NUM" \
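Review bot: In the `@@ -235,6 +236,7 @@` hunk of include/outputs, `"Severity": "$SEVERITY",` is a quoted string literal inside the jq program, so every plain-JSON record will contain the text `$SEVERITY` rather than the value bound by `--arg SEVERITY`; the neighbouring fields use the bare variable (`"Status": $STATUS`). Change it to `"Severity": $SEVERITY,`. The textPass/textFail hunks on this line now let PASSED findings carry the check's own severity instead of the former fixed INFORMATIONAL; if that is intended, a one-line comment at the textPass call site would stop the next reader from treating it as an oversight.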
@@ -262,8 +262,9 @@ generateJsonAsffOutput(){
 --arg MESSAGE "$(echo -e "${message}" | sed -e 's/^[[:space:]]*//')" \
 --arg UNIQUE_ID "$(LC_ALL=C echo -e -n "${message}" | tr -cs '[:alnum:]._~-' '_')" \
 --arg STATUS "$status" \
- --arg SEVERITY "$severity" \
+ --arg SEVERITY "$(echo $CHECK_SEVERITY| awk '{ print toupper($0) }')" \
 --arg TITLE_ID "$TITLE_ID" \
+ --arg CHECK_ID "$CHECK_ID" \
 --arg TYPE "$ASFF_TYPE" \
 --arg RESOURCE_TYPE "$ASFF_RESOURCE_TYPE" \
 --arg REPREGION "$REPREGION" \
@@ -272,13 +273,13 @@ generateJsonAsffOutput(){
 --arg AWS_PARTITION "$AWS_PARTITION" \
 -n '{
 "SchemaVersion": "2018-10-08",
- "Id": "arn:\($AWS_PARTITION):securityhub:\($REPREGION):\($ACCOUNT_NUM):product/prowler/\($PROWLER_VERSION)/finding/\($UUID)",
+ "Id": "arn:\($AWS_PARTITION):securityhub:\($REPREGION):\($ACCOUNT_NUM):product/prowler/finding/\($TITLE_ID)-\($ACCOUNT_NUM)-\($REPREGION)-($UNIQUE_ID)",
 "ProductArn": "arn:\($AWS_PARTITION):securityhub:\($REPREGION):\($ACCOUNT_NUM):product/\($ACCOUNT_NUM)/default",
 "ProductFields": {
 "ProviderName": "Prowler",
 "ProviderVersion": $PROWLER_VERSION
 },
- "GeneratorId": "prowler-\($TITLE_ID)-\($ACCOUNT_NUM)-\($REPREGION)-\($UNIQUE_ID)",
+ "GeneratorId": "prowler-\($CHECK_ID)",
 "AwsAccountId": $ACCOUNT_NUM,
 "Types": [
 $TYPE
diff --git a/include/securityhub_integration b/include/securityhub_integration
index 730ea421..3aa14860 100644
--- a/include/securityhub_integration
+++ b/include/securityhub_integration
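Review bot: The new `Id` template ends with `-($UNIQUE_ID)` without the backslash jq needs for interpolation, so the literal text `($UNIQUE_ID)` is emitted and every finding a check produces in a given account and region shares one Id; because batch-import-findings updates an existing Id in place, each resource's finding overwrites the previous one and only the last resource survives in Security Hub. Change it to `-\($UNIQUE_ID)`, as on the removed GeneratorId line. Separately, `"$(echo $CHECK_SEVERITY| awk '{ print toupper($0) }')"` yields an empty label for any check that defines no `CHECK_SEVERITY_*`, which the ASFF import is unlikely to accept; quote `"$CHECK_SEVERITY"` here and give it a default where execute_check sets it. UNIQUE_ID is derived from the message text, so any later rewording of a check's message changes the Id and orphans the earlier finding; that trade-off deserves a comment next to the template.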
@@ -28,19 +28,25 @@ checkSecurityHubCompatibility(){
 exit $EXITCODE
 fi
 done
- # Get unresolved findings
- SECURITY_HUB_PREVIOUS_FINDINGS=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT get-findings --filters '{"GeneratorId":[{"Value": "prowler-","Comparison":"PREFIX"}],"WorkflowStatus":[{"Value": "RESOLVED","Comparison":"NOT_EQUALS"}]}' | jq -r ".Findings[] | {Id, GeneratorId, Workflow, Compliance}"| jq -cs)
 }
 resolveSecurityHubPreviousFails(){
- # Move previous findings to Workflow to RESOLVED (as prowler didn't re-detect them)
- PREVIOUS_FAILED_IDS=$(echo $SECURITY_HUB_PREVIOUS_FINDINGS | jq -c --arg parn "$product_arn" '.[] | select(.Compliance.Status==FAILED) | map({"Id": .Id, ProductArn: $parn} )');
- BATCH_UPDATE_RESULT=$($AWSCLI securityhub --region "$region" $PROFILE_OPT batch-update-findings --finding-identifiers "${PREVIOUS_FAILED_IDS}" --workflow '{"Status": "RESOLVED"}')
+ # Move previous check findings to Workflow to RESOLVED (as prowler didn't re-detect them)
+ for regx in $REGIONS; do
- # Check for success if updated
- if [[ ! -z "${BATCH_UPDATE_RESULT}" ]] && ! jq -e '.ProcessedFindings >= 1' <<< "${BATCH_UPDATE_RESULT}" > /dev/null 2>&1; then
- echo -e "\n$RED ERROR!$NORMAL Failed to update AWS Security Hub finding\n"
- fi
+ local check="$1"
+ PREVIOUS_DATE=$(get_iso8601_hundred_days_ago)
+ FILTER="{\"UpdatedAt\":[{\"Start\":\"$PREVIOUS_DATE\",\"End\":\"$TIMESTAMP\"}],\"GeneratorId\":[{\"Value\": \"prowler-$check\",\"Comparison\":\"PREFIX\"}],\"ComplianceStatus\":[{\"Value\": \"FAILED\",\"Comparison\":\"EQUALS\"}]}"
+ SECURITY_HUB_PREVIOUS_FINDINGS=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT get-findings --filters "${FILTER}" | jq -r ".Findings[] | {Id, ProductArn}"| jq -cs)
+ if [[ $SECURITY_HUB_PREVIOUS_FINDINGS != "[]" ]]; then
+ BATCH_UPDATE_RESULT=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT batch-update-findings --finding-identifiers "${SECURITY_HUB_PREVIOUS_FINDINGS}" --workflow '{"Status": "RESOLVED"}')
+
+ # Check for success if updated
+ if [[ ! -z "${BATCH_UPDATE_RESULT}" ]] && ! jq -e '.ProcessedFindings >= 1' <<< "${BATCH_UPDATE_RESULT}" > /dev/null 2>&1; then
+ echo -e "\n$RED ERROR!$NORMAL Failed to update AWS Security Hub finding\n"
+ fi
+ fi
+ done
 }
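Review bot: The filter matches `prowler-$check` with `Comparison: PREFIX`, but GeneratorId is now exactly `prowler-<check id>`, so resolving after `extra71` also sweeps up open FAILED findings of `extra710`…`extra719` and `extra7100` (all present in this commit's file list); a run limited to one check would mark unrelated checks' findings RESOLVED. Use `\"Comparison\":\"EQUALS\"` here. The window also relies on `$TIMESTAMP` having been captured before this check's findings were imported and on the re-imported findings carrying a later UpdatedAt — otherwise the findings just reported fall inside the window and are resolved too — so that invariant deserves a comment above the FILTER line, e.g. `# End=$TIMESTAMP (start of run) excludes findings re-imported during this run`. Minor: `local check="$1"` sits inside the region loop and can move above `for`, and batch-update-findings accepts a bounded list of identifiers per call, so a large backlog may need chunking.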
@@ -48,38 +54,9 @@ sendToSecurityHub(){
 local findings="$1"
 local region="$2"
- local finding_id=$(echo $findings | jq -r ".Id")
- local status=$(echo $findings | jq -r ".Compliance.Status")
- local product_arn=$(echo $findings | jq -r ".ProductArn")
- local generator_id=$(echo $findings | jq -r ".GeneratorId")
-
- PREVIOUS_FINDING=$(echo $SECURITY_HUB_PREVIOUS_FINDINGS | jq --arg finding "$generator_id" '.[] | select((.GeneratorId==$finding))' | jq -cs)
- if [[ $PREVIOUS_FINDING != "[]" ]]; then
- # Remove from previous findings to update (using generator)
- SECURITY_HUB_PREVIOUS_FINDINGS=$(echo $SECURITY_HUB_PREVIOUS_FINDINGS | jq -s --arg finding "$generator_id" '[ .[] | select((.GeneratorId!=$finding)) ]')
-
- SAME_STATUS=$(echo $PREVIOUS_FINDING | jq --arg status "$status" '.[] | select(.Compliance.Status!=$status)')
- SUPPRESSED=$(echo $PREVIOUS_FINDING | jq '.[] | select(.Workflow.Status=="SUPPRESSED")')
- # If are old non-resolved findings with different status, re-import it to update with previous Id
- if [[ ! -z $SAME_STATUS && -z $SUPPRESSED ]]; then
- PREVIOUS_FINDING_ID=$(echo $PREVIOUS_FINDING | jq '.[0].Id' );
- findings =$(echo $findings | jq --arg previous_id "$PREVIOUS_FINDING_ID" .[0].Id = previous_id)
- BATCH_IMPORT_RESULT=$($AWSCLI securityhub --region "$region" $PROFILE_OPT batch-import-findings --findings "${findings}")
- else
- PREVIOUS_FINDING_IDS=$(echo $PREVIOUS_FINDING | jq -c --arg parn "$product_arn" 'map({"Id": .Id, ProductArn: $parn} )');
- # Update to avoid being deleted after 90 dayss
- BATCH_UPDATE_RESULT=$($AWSCLI securityhub --region "$region" $PROFILE_OPT batch-update-findings --finding-identifiers "${PREVIOUS_FINDING_IDS}" --note '{"Text": "Finding re-detected by Prowler scan", "UpdatedBy": "prowler"}')
- fi
- else
- #If new, import it
- BATCH_IMPORT_RESULT=$($AWSCLI securityhub --region "$region" $PROFILE_OPT batch-import-findings --findings "${findings}")
- fi
-
- # Check for success if updated
- if [[ ! -z "${BATCH_UPDATE_RESULT}" ]] && ! jq -e '.ProcessedFindings >= 1' <<< "${BATCH_UPDATE_RESULT}" > /dev/null 2>&1; then
- echo -e "\n$RED ERROR!$NORMAL Failed to update AWS Security Hub finding\n"
- fi
+ BATCH_IMPORT_RESULT=$($AWSCLI securityhub --region "$region" $PROFILE_OPT batch-import-findings --findings "${findings}")
+
 # Check for success if imported
 if [[ ! -z "${BATCH_IMPORT_RESULT}" ]] && ! jq -e '.SuccessCount == 1' <<< "${BATCH_IMPORT_RESULT}" > /dev/null 2>&1; then
 echo -e "\n$RED ERROR!$NORMAL Failed to send check output to AWS Security Hub\n"
diff --git a/prowler b/prowler
index 7cdae5c7..fa692d6f 100755
--- a/prowler
+++ b/prowler
@@ -317,11 +317,20 @@ execute_check() {
 # See if this check defines an ASFF Type, if so, use this, falling back to a sane default
 # For a list of Types, see: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html#securityhub-findings-format-type-taxonomy
 local asff_type_var=CHECK_ASFF_TYPE_$1
+
+ local severity_var=CHECK_SEVERITY_$1
+
+ CHECK_SEVERITY="${!severity_var}"
+
+ CHECK_ID="$1"
+
 ASFF_TYPE="${!asff_type_var:-Software and Configuration Checks}"
 # See if this check defines an ASFF Resource Type, if so, use this, falling back to a sane default
 # For a list of Resource Types, see: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html#asff-resources
 local asff_resource_type_var=CHECK_ASFF_RESOURCE_TYPE_$1
+
 ASFF_RESOURCE_TYPE="${!asff_resource_type_var:-AwsAccount}"
+
 # Generate the credential report, only if it is group1 related which checks we
 # run so that the checks can safely assume it's available
 # set the custom ignores list for this check
@@ -360,6 +369,12 @@ execute_check() {
 fi
 # Execute the check
 IGNORES="${ignores}" CHECK_NAME="$1" $1
+
+
+ if [[ "$SEND_TO_SECURITY_HUB" -eq 1 ]]; then
+ resolveSecurityHubPreviousFails "$1"
+ fi
+
 if is_junit_output_enabled; then
 finalise_junit_check_output "$1"
 fi
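Review bot: `CHECK_SEVERITY="${!severity_var}"` has no fallback, unlike the adjacent `ASFF_TYPE="${!asff_type_var:-…}"` and `ASFF_RESOURCE_TYPE="${!asff_resource_type_var:-AwsAccount}"`, so any check that does not define `CHECK_SEVERITY_<id>` — older checks, or a custom check started from check_sample — produces an empty severity in both the JSON and the ASFF output. Either mirror the neighbours with a documented default, e.g. `CHECK_SEVERITY="${!severity_var:-Medium}"  # checks without CHECK_SEVERITY_* default to Medium`, or fail loudly when it is unset. The three added blank lines between the assignments are noise in an otherwise compact block, and `CHECK_ID="$1"` deserves the same one-line comment the other exported variables get, since it is what generateJsonAsffOutput now uses for GeneratorId. execute_check continues outside this hunk.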
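Review bot: `resolveSecurityHubPreviousFails "$1"` runs after `$1` regardless of whether the check completed; if the check aborts part-way (API error, throttling, a region it could not query), its current findings are never imported and the resolver then marks every previous FAILED finding for that check RESOLVED, silently closing issues that still exist. Assuming checks return non-zero on failure (worth verifying), guard the call on the exit status — `IGNORES="${ignores}" CHECK_NAME="$1" $1 || check_rc=$?` followed by `if [[ "$SEND_TO_SECURITY_HUB" -eq 1 && "${check_rc:-0}" -eq 0 ]]; then` — or at least state in a comment that a check is assumed to have imported all its findings before it returns. execute_check continues outside this hunk.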
@@ -554,10 +569,6 @@ fi
 execute_all
-if [[ "$SEND_TO_SECURITY_HUB" -eq 1 ]]; then
- resolveSecurityHubPreviousFails
-fi
-
 if [[ "${MODES[@]}" =~ "html" ]]; then
 addHtmlFooter >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
 fi