diff --git a/CHECKLIST.md b/LIST_OF_CHECKS_AND_GROUPS.md
similarity index 98%
rename from CHECKLIST.md
rename to LIST_OF_CHECKS_AND_GROUPS.md
index d22470dd..45da4264 100644
--- a/CHECKLIST.md
+++ b/LIST_OF_CHECKS_AND_GROUPS.md
@@ -392,4 +392,8 @@ Colors code for results: INFO (Information), PASS (Recommended value), FAIL (F
 7.21 Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)
 
 7.22 Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)
+
+7.23 Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)
+
+7.24 Check if ACM certificates have Certificate Transparence enabled (Not Scored) (Not part of CIS benchmark)
 ```
diff --git a/README.md b/README.md
index 950398ee..0f89e34e 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,7 @@
 - [Forensics Ready Checks](#forensics-ready-checks)
 - [Add Custom Checks](#add-custom-checks)
 - [Third Party Integrations](#third-party-integrations)
+- [Full list of checks and groups] (LIST_OF_CHECKS_AND_GROUPS.md)
 
 ## Description
 
diff --git a/checks/check_extra724 b/checks/check_extra724
new file mode 100644
index 00000000..d355a9ca
--- /dev/null
+++ b/checks/check_extra724
@@ -0,0 +1,24 @@
+CHECK_ID_extra724="7.24"
+CHECK_TITLE_extra724="Check if ACM certificates have Certificate Transparence enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra724="NOT_SCORED"
+CHECK_ALTERNATE_check724="extra724"
+
+extra724(){
+ # "Check if ACM certificates have Certificate Transparence enabled (Not Scored) (Not part of CIS benchmark)"
+ for regx in $REGIONS; do
+ LIST_OF_CERTS=$($AWSCLI acm list-certificates $PROFILE_OPT --region $regx --query CertificateSummaryList[].CertificateArn --output text)
+ if [[ $LIST_OF_CERTS ]];then
+ for cert_arn in $LIST_OF_CERTS;do
+ CT_ENABLED=$($AWSCLI acm describe-certificate $PROFILE_OPT --region $regx --certificate-arn $cert_arn --query Certificate.Options.CertificateTransparencyLoggingPreference --output text)
+ if [[ $CT_ENABLED == "ENABLED" ]];then
+ CERT_DOMAIN_NAME=$(aws acm describe-certificate $PROFILE_OPT --region $regx --certificate-arn $cert_arn --query Certificate.DomainName --output text)
+ textWarn "$regx: ACM Certificate $CERT_DOMAIN_NAME has Certificate Transparency logging enabled!" "$regx"
+ else
+ textOK "$regx: ACM Certificate $CERT_DOMAIN_NAME has Certificate Transparency logging disabled!" "$regx"
+ fi
+ done
+ else
+ textNotice "$regx: No ACM Certificates found" "$regx"
+ fi
+ done
+}
diff --git a/groups/group7_extras b/groups/group7_extras
index 0c3319b2..bddb4c84 100644
--- a/groups/group7_extras
+++ b/groups/group7_extras
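Review bot: The verdict is inverted in the `if [[ $CT_ENABLED == "ENABLED" ]]` branch of extra724: a certificate whose Certificate Transparency logging is ENABLED is reported with textWarn and one with it disabled with textOK, whereas the check title treats the enabled state as the expected one, so ENABLED should produce textOK and anything else textWarn. CERT_DOMAIN_NAME is also only assigned inside the ENABLED branch, so the textOK message prints an empty value or a domain left over from the previous certificate; resolve it once before the conditional, and call `$AWSCLI` there rather than the bare `aws` so that lookup goes through the same wrapper as the other two calls. The unquoted `--query CertificateSummaryList[].CertificateArn` is exposed to pathname expansion if a matching file happens to exist in the working directory, so quoting that argument is worth doing while touching the line. The title string reads "Transparence" where "Transparency" is meant (the same spelling is mirrored in the LIST_OF_CHECKS_AND_GROUPS.md hunk).
```shell
      CT_ENABLED=$($AWSCLI acm describe-certificate $PROFILE_OPT --region $regx --certificate-arn $cert_arn --query Certificate.Options.CertificateTransparencyLoggingPreference --output text)
      # Both result messages need the domain name, so look it up before branching
      CERT_DOMAIN_NAME=$($AWSCLI acm describe-certificate $PROFILE_OPT --region $regx --certificate-arn $cert_arn --query Certificate.DomainName --output text)
      if [[ $CT_ENABLED == "ENABLED" ]];then
        # CT logging on is the expected state; only its absence is a finding
        textOK "$regx: ACM Certificate $CERT_DOMAIN_NAME has Certificate Transparency logging enabled!" "$regx"
      else
        textWarn "$regx: ACM Certificate $CERT_DOMAIN_NAME has Certificate Transparency logging disabled!" "$regx"
      fi
      # … unchanged: region/certificate loops and the textNotice branch …
```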
@@ -2,4 +2,4 @@ GROUP_ID[7]='extras'
 GROUP_NUMBER[7]='7.0'
 GROUP_TITLE[7]='Extras ****************************************************************'
 GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
-GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723'
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724'