ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 06:45:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

added extra723 and clean up

Browse Source
This commit is contained in:
Toni de la Fuente
2018-03-19 10:55:35 -04:00
parent d806c86e90
commit f411223fa8
2 changed files with 44 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@@ -25,7 +25,7 @@ It covers hardening and security best practices for all AWS regions related to:
- Logging (8 checks)
- Monitoring (15 checks)
- Networking (5 checks)
- Extras (22 checks) *see Extras section*
- Extras (23 checks) *see Extras section*
- Forensics related group of checks
For a comprehesive list and resolution look at the guide on the link above.
@@ -354,7 +354,7 @@ At this moment we have 22 extra checks:
- 7.20 (`extra720`) Check if Lambda functions are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)
- 7.21 (`extra721`) Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)
- 7.22 (`extra722`) Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)
- 7.23 (`extra723`) Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)
To check all extras in one command:
```

52
prowler
View File

@@ -9,7 +9,7 @@
# International Public License. The link to the license terms can be found at
# https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode
#
# Author: Toni de la Fuente - @ToniBlyx / Alfresco Software Inc.
# Author: Toni de la Fuente - @ToniBlyx - https://blyx.com/contact
# Prowler - Iron Maiden
#
@@ -19,13 +19,6 @@
# All there legs and lashes
# I've just got to find my way...
# Exit if a pipeline results in an error.
# set -ue
# set -o pipefail
# set -vx
# Exits if any error is found
# set -e
OPTRED=""
OPTNORMAL=""
@@ -521,6 +514,8 @@ ID721="7.21,7.21"
TITLE721="Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)"
ID722="7.22,7.22"
TITLE722="Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)"
ID723="7.23,7.23"
TITLE723="Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)"
printCsvHeader() {
>&2 echo ""
@@ -2152,6 +2147,41 @@ extra722(){
done
}
extra723(){
# "Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)"
textTitle "$ID723" "$TITLE723" "NOT_SCORED" "EXTRA"
for regx in $REGIONS; do
# RDS snapshots
LIST_OF_RDS_SNAPSHOTS=$($AWSCLI rds describe-db-snapshots $PROFILE_OPT --region $regx --query DBSnapshots[*].DBSnapshotIdentifier --output text)
if [[ $LIST_OF_RDS_SNAPSHOTS ]]; then
for rdssnapshot in $LIST_OF_RDS_SNAPSHOTS;do
SNAPSHOT_IS_PUBLIC=$($AWSCLI rds describe-db-snapshot-attributes $PROFILE_OPT --region $regx --db-snapshot-identifier $rdssnapshot --query DBSnapshotAttributesResult.DBSnapshotAttributes[*] --output text|grep ^ATTRIBUTEVALUES|cut -f2|grep all)
if [[ $SNAPSHOT_IS_PUBLIC ]];then
textWarn "$regx: RDS Snapshot $rdssnapshot is public!" "$regx"
else
textOK "$regx: RDS Snapshot $rdssnapshot is not shared" "$regx"
fi
done
else
textNotice "$regx: No RDS Snapshots found" "$regx"
fi
# RDS cluster snapshots
LIST_OF_RDS_CLUSTER_SNAPSHOTS=$($AWSCLI rds describe-db-cluster-snapshots $PROFILE_OPT --region $regx --query DBClusterSnapshots[*].DBClusterSnapshotIdentifier --output text)
if [[ $LIST_OF_RDS_CLUSTER_SNAPSHOTS ]]; then
for rdsclustersnapshot in $LIST_OF_RDS_CLUSTER_SNAPSHOTS;do
CLUSTER_SNAPSHOT_IS_PUBLIC=$($AWSCLI rds describe-db-cluster-snapshot-attributes $PROFILE_OPT --region $regx --db-cluster-snapshot-identifier $rdsclustersnapshot --query DBClusterSnapshotAttributesResult.DBClusterSnapshotAttributes[*] --output text|grep ^ATTRIBUTEVALUES|cut -f2|grep all)
if [[ $CLUSTER_SNAPSHOT_IS_PUBLIC ]];then
textWarn "$regx: RDS Cluster Snapshot $rdsclustersnapshot is public!" "$regx"
else
textOK "$regx: RDS Cluster Snapshot $rdsclustersnapshot is not shared" "$regx"
fi
done
else
textNotice "$regx: No RDS Cluster Snapshots found" "$regx"
fi
done
}
callCheck(){
if [[ $CHECKNUMBER ]];then
case "$CHECKNUMBER" in
@@ -2229,7 +2259,7 @@ callCheck(){
extra720 ) extra720;;
extra721 ) extra721;;
extra722 ) extra722;;
extra723 ) extra723;;
## Groups of Checks
check1 )
@@ -2267,7 +2297,7 @@ callCheck(){
extras )
extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78;
extra79;extra710;extra711;extra712;extra713;extra714;extra715;extra716;
extra717;extra718;extra719;extra720;extra721;extra722
extra717;extra718;extra719;extra720;extra721;extra722;extra723
;;
forensics-ready )
check21;check22;check23;check24;check25;check26;check27;
@@ -2366,6 +2396,7 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then
textTitle "$ID720" "$TITLE720" "NOT_SCORED" "EXTRA"
textTitle "$ID721" "$TITLE721" "NOT_SCORED" "EXTRA"
textTitle "$ID722" "$TITLE722" "NOT_SCORED" "EXTRA"
textTitle "$ID723" "$TITLE723" "NOT_SCORED" "EXTRA"
exit $EXITCODE
fi
@@ -2465,6 +2496,7 @@ if [[ ! $EXTRAS ]]; then
extra720
extra721
extra722
extra723
fi
cleanTemp