diff --git a/README.md b/README.md
index 1bfab97d..ade71fcc 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ It covers hardening and security best practices for all AWS regions related to:
 - Logging (8 checks)
 - Monitoring (15 checks)
 - Networking (5 checks)
-- Extras (17 checks) *see Extras section
+- Extras (18 checks) *see Extras section
 - Forensics related checks
 
 For a comprehesive list and resolution look at the guide on the link above.
@@ -345,6 +345,7 @@ At this moment we have 16 extra checks:
 - 7.15 (`extra715`) Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)
 - 7.16 (`extra716`) Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)
 - 7.17 (`extra717`) Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)
+- 7.18 (`extra718`) Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)
 
 To check all extras in one command:
 
@@ -372,6 +373,7 @@ With this group of checks, Prowler looks if each service with logging or audit c
 - 7.14 Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
 - 7.15 Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)
 - 7.17 Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)
+- 7.18 Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)
 
 The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command:
 ```
diff --git a/prowler b/prowler
index 8decceb6..0b91f640 100755
--- a/prowler
+++ b/prowler
@@ -502,6 +502,8 @@
 ID716="7.16,7.16"
 TITLE716="Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)"
 ID717="7.17,7.17"
 TITLE717="Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
+ID718="7.18,7.18"
+TITLE718="Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
 printCsvHeader() {
   >&2 echo ""
@@ -2009,6 +2011,24 @@ extra717(){
   done
 }
 
+extra718(){
+  # "Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
+  textTitle "$ID718" "$TITLE718" "NOT_SCORED" "EXTRA"
+  LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text|xargs -n1)
+  if [[ $LIST_OF_BUCKETS ]]; then
+    for bucket in $LIST_OF_BUCKETS;do
+      BUCKET_SERVER_LOG_ENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket $PROFILE_OPT --query [LoggingEnabled] --output text|grep -v "^None$")
+      if [[ $BUCKET_SERVER_LOG_ENABLED ]];then
+        textOK "Bucket $bucket has server access logging enabled"
+      else
+        textWarn "Bucket $bucket has server access logging disabled!"
+      fi
+    done
+  else
+    textNotice "No S3 Buckets found"
+  fi
+}
+
 callCheck(){
   if [[ $CHECKNUMBER ]];then
     case "$CHECKNUMBER" in
@@ -2081,6 +2101,7 @@ callCheck(){
       extra715|extra715 ) extra715;;
       extra716|extra716 ) extra716;;
       extra717|extra717 ) extra717;;
+      extra718|extra718 ) extra718;;
       ## Groups of Checks
       check1 )
 
@@ -2118,12 +2139,12 @@ callCheck(){
       extras )
         extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78;
         extra79;extra710;extra711;extra712;extra713;extra714;extra715;extra716;
-        extra717
+        extra717;extra718
         ;;
       forensics-ready )
         check21;check22;check23;check24;check25;check26;check27;
         check43;
-        extra712;extra713;extra714;extra715;extra717
+        extra712;extra713;extra714;extra715;extra717;extra718
         ;;
       * )
         textWarn "ERROR! Use a valid check name (i.e. check41 or extra71)\n";
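Review bot: In the new `extra718`, a failed `get-bucket-logging` call (AccessDenied on a bucket the profile cannot read, a throttled or transient API error) leaves `BUCKET_SERVER_LOG_ENABLED` empty and is reported as "server access logging disabled!", so permission problems are indistinguishable from real findings; likewise an empty `LIST_OF_BUCKETS` after a failed `list-buckets` prints "No S3 Buckets found". The exit status of the CLI call should decide between a finding and an error notice, as sketched below for the per-bucket loop. The `--query` arguments are also unquoted: `[LoggingEnabled]` is a shell bracket expression, so a single-character file such as `g` or `n` in the working directory would replace the query and turn every bucket into a false warning — quote them as `--query 'Buckets[*].Name'` and `--query '[LoggingEnabled]'`. Worth a one-line comment on the `grep -v "^None$"` too, since it relies on `--output text` rendering a null `LoggingEnabled` as the literal `None`.
```shell
    for bucket in $LIST_OF_BUCKETS;do
      # Exit status separates "could not read the configuration" from "logging not configured";
      # a null LoggingEnabled is rendered as the literal text "None" by --output text.
      if BUCKET_SERVER_LOG_ENABLED=$($AWSCLI s3api get-bucket-logging --bucket "$bucket" $PROFILE_OPT --query '[LoggingEnabled]' --output text 2>/dev/null); then
        if [[ "$BUCKET_SERVER_LOG_ENABLED" != "None" ]];then
          textOK "Bucket $bucket has server access logging enabled"
        else
          textWarn "Bucket $bucket has server access logging disabled!"
        fi
      else
        textNotice "Bucket $bucket: unable to read logging configuration (access denied or API error)"
      fi
    done
    # … unchanged: "No S3 Buckets found" branch …
```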
@@ -2211,6 +2232,7 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then
   textTitle "$ID715" "$TITLE715" "NOT_SCORED" "EXTRA"
   textTitle "$ID716" "$TITLE716" "NOT_SCORED" "EXTRA"
   textTitle "$ID717" "$TITLE717" "NOT_SCORED" "EXTRA"
+  textTitle "$ID718" "$TITLE718" "NOT_SCORED" "EXTRA"
   exit $EXITCODE
 fi
 
@@ -2304,6 +2326,7 @@
 extra714
 extra715
 extra716
 extra717
+extra718
 cleanTemp
 exit $EXITCODE