added check extra724 Certificate Transparency

2026-02-10 06:45:08 +00:00 · 2018-03-28 10:44:36 -04:00
parent 1c0229e1a3
commit f130c899e5
4 changed files with 30 additions and 1 deletions
--- a/LIST_OF_CHECKS_AND_GROUPS.md
+++ b/LIST_OF_CHECKS_AND_GROUPS.md
@@ -392,4 +392,8 @@ Colors code for results:  INFO (Information), PASS (Recommended value),  FAIL (F
 7.21 Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)

 7.22 Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)
+
+7.23 Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)
+
+7.24 Check if ACM certificates have Certificate Transparence enabled (Not Scored) (Not part of CIS benchmark)
 ```
--- a/README.md
+++ b/README.md
@@ -12,6 +12,7 @@
 - [Forensics Ready Checks](#forensics-ready-checks)
 - [Add Custom Checks](#add-custom-checks)
 - [Third Party Integrations](#third-party-integrations)
+- [Full list of checks and groups] (LIST_OF_CHECKS_AND_GROUPS.md)

 ## Description

--- a/checks/check_extra724
+++ b/checks/check_extra724
@@ -0,0 +1,24 @@
+CHECK_ID_extra724="7.24"
+CHECK_TITLE_extra724="Check if ACM certificates have Certificate Transparence enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra724="NOT_SCORED"
+CHECK_ALTERNATE_check724="extra724"
+
+extra724(){
+  # "Check if ACM certificates have Certificate Transparence enabled (Not Scored) (Not part of CIS benchmark)"
+  for regx in $REGIONS; do
+    LIST_OF_CERTS=$($AWSCLI acm list-certificates $PROFILE_OPT  --region $regx --query CertificateSummaryList[].CertificateArn --output text)
+    if [[ $LIST_OF_CERTS ]];then
+      for cert_arn in $LIST_OF_CERTS;do
+        CT_ENABLED=$($AWSCLI acm describe-certificate $PROFILE_OPT --region $regx --certificate-arn $cert_arn --query Certificate.Options.CertificateTransparencyLoggingPreference --output text)
+        if [[ $CT_ENABLED == "ENABLED" ]];then
+          CERT_DOMAIN_NAME=$(aws acm describe-certificate $PROFILE_OPT --region $regx --certificate-arn $cert_arn --query Certificate.DomainName --output text)
+          textWarn "$regx: ACM Certificate $CERT_DOMAIN_NAME has Certificate Transparency logging enabled!" "$regx"
+        else
+          textOK "$regx: ACM Certificate $CERT_DOMAIN_NAME has Certificate Transparency logging disabled!" "$regx"
+        fi
+      done
+    else
+       textNotice "$regx: No ACM Certificates found" "$regx"
+    fi
+  done
+}
--- a/groups/group7_extras
+++ b/groups/group7_extras
@@ -2,4 +2,4 @@ GROUP_ID[7]='extras'
 GROUP_NUMBER[7]='7.0'
 GROUP_TITLE[7]='Extras ****************************************************************'
 GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
-GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723'
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724'