From ebf80a6455747e06169f97f81bf53c67245f5085 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 17 Jul 2017 21:14:46 -0400
Subject: [PATCH 1/2] Added CIS profile definitions checks level1 and level2 profile definition checks enabled see https://github.com/Alfresco/prowler/issues/64
---
 prowler | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/prowler b/prowler
index fd0694e4..bdb3baa5 100755
--- a/prowler
+++ b/prowler
@@ -48,7 +48,7 @@ USAGE:
 Options:
 -p specify your AWS profile to use (i.e.: default)
 -r specify an AWS region to direct API requests to (i.e.: us-east-1)
- -c specify a check number or group from the AWS CIS benchmark (i.e.: check11 for check 1.1 or check3 for entire section 3)
+ -c specify a check number or group from the AWS CIS benchmark (i.e.: check11 for check 1.1, check3 for entire section 3 or level1 for CIS Level 1 Profile Definitions)
 -f specify an AWS region to run checks against (i.e.: us-west-1)
 -m specify the maximum number of items to return for long-running requests (default: 100)
 -M output mode: text (defalut), mono, csv (separator is \"${SEP}\"; data is on stdout; progress on stderr)
@@ -673,7 +673,7 @@ check115(){
 ID115="1.15"
 TITLE115="Ensure security questions are registered in the AWS account (Not Scored)"
 # No command available
- textTitle "$ID115" "$TITLE115" "0"
+ textTitle "$ID115" "$TITLE115"
 textNotice "No command available for check 1.15 "
 textNotice "Login to the AWS Console as root & click on the Account "
 textNotice "Name -> My Account -> Configure Security Challenge Questions "
@@ -756,7 +756,7 @@ check120(){
 check121(){
 ID121="1.21"
 TITLE121="Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
- textTitle "$ID121" "$TITLE121" "0"
+ textTitle "$ID121" "$TITLE121"
 textNotice "No command available for check 1.21 "
 textNotice "See section 1.21 on the CIS Benchmark guide for details "
 infoReferenceShort
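Review bot: The new `-c` usage line in the `@@ -48` hunk documents only `level1`, while the same patch also makes callCheck accept `level2` (the `@@ -1436` hunk), so the help text leaves half of the new feature undiscoverable. I would extend the example to `... check3 for entire section 3, level1 or level2 for CIS Level 1 / Level 2 Profile Definitions)`, and apply the identical wording to the README line that the second patch copies from here (`@@ -109` in README.md) so the two stay in sync. The USAGE heredoc this line belongs to starts before the hunk.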
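Review bot: Dropping the third argument `"0"` from the `textTitle "$ID115" "$TITLE115"` call in the `@@ -673` hunk is not explained by the commit message, and the same unexplained edit is repeated in the `@@ -756` (check121), `@@ -788` (check123), `@@ -1247` (check315) and `@@ -1347` (check45) hunks. textTitle is defined outside this patch, so it is not visible here whether it still reads `$3`; if it does, these five "(Not Scored)" checks now pass nothing where they previously passed `"0"`, and their title line may render differently from the other checks. Either the commit message should state that the argument is no longer used, or a short comment at the first call, `# textTitle takes only the check ID and title`, should record that the omission is deliberate. The enclosing check115 function continues outside the hunk.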
@@ -788,7 +788,7 @@ check122(){
 check123(){
 ID123="1.23"
 TITLE123="Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
- textTitle "$ID123" "$TITLE123" "0"
+ textTitle "$ID123" "$TITLE123"
 LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text --profile $PROFILE --region $REGION)
 # List of USERS with KEY1 last_used_date as N/A
 LIST_USERS_KEY1_NA=$(for user in $LIST_USERS; do grep $user $TEMP_REPORT_FILE|awk -F, '{ print $1,$11 }'|grep N/A |awk '{ print $1 }'; done)
@@ -1247,7 +1247,7 @@ check314(){
 check315(){
 ID315="3.15"
 TITLE315="Ensure appropriate subscribers to each SNS topic (Not Scored)"
- textTitle "$ID315" "$TITLE315" "0"
+ textTitle "$ID315" "$TITLE315"
 CAN_SNS_LIST_SUBS=1
 for regx in $REGIONS; do
 TOPICS_LIST=$($AWSCLI sns list-topics --profile $PROFILE --region $regx --output text --query 'Topics[*].TopicArn')
@@ -1347,7 +1347,7 @@ check45(){
 #set -xe
 ID45="4.5"
 TITLE45="Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
- textTitle "$ID45" "$TITLE45" "0"
+ textTitle "$ID45" "$TITLE45"
 textNotice "Looking for VPC peering in all regions... "
 for regx in $REGIONS; do
 LIST_OF_VPCS_PEERING_CONNECTIONS=$($AWSCLI ec2 describe-vpc-peering-connections --output text --profile $PROFILE --region $regx --query 'VpcPeeringConnections[*].VpcPeeringConnectionId')
@@ -1436,6 +1436,22 @@ callCheck(){
 check4 )
 check41;check42;check43;check44;check45
 ;;
+ level1 )
+ check11;check12;check13;check14;check15;check16;check17;check18;
+ check19;check110;check111;check112;check113;check115;check116;check117;
+ check118;check119;check120;check122;check123;check124;check21;check23;
+ check24;check25;check26;check31;check32;check33;check34;check35;
+ check38;check312;check313;check314;check315;check41;check42
+ ;;
+ level2 )
+ check11;check12;check13;check14;check15;check16;check17;check18;
+ check19;check110;check111;check112;check113;check114;check115;check116;
+ check117;check118;check119;check120;check121;check122;check123;check124;
+ check21;check22;check23;check24;check25;check26;check27;check28;check31;
+ check32;check33;check34;check35;check36;check37;check38;check39;
+ check310;check311;check312;check313;check314;check315;check41;check42;
+ check43;check44;check45
+ ;;
 * ) textWarn "ERROR! Use a valid check name (i.e. check41)\n";
 esac
From 39f1411f309a8eb7450f724ffa8c39993bff7c65 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 17 Jul 2017 21:20:05 -0400
Subject: [PATCH 2/2] added info about profile definitions
---
 README.md | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index eba19d0a..91346310 100644
--- a/README.md
+++ b/README.md
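Review bot: The new `level1 )` and `level2 )` branches hard-code the profile membership in callCheck's `case` without saying which revision of the CIS AWS Foundations Benchmark the lists were taken from, and the `level2` list retypes every `level1` entry by hand, so the two will drift as soon as a check is added or its level changes. A header comment on the `level1 )` branch naming the source, e.g. `# Profile Definitions per CIS AWS Foundations Benchmark v<VERSION> (page 8); level2 = level1 + 1.14, 1.21, 2.2, 2.7, 2.8, 3.6, 3.7, 3.9, 3.10, 3.11, 4.3, 4.4, 4.5`, would at least document the intended superset relation that the two lists currently only imply. A further step would be to keep one list variable per level and have the `level2` branch run the `level1` list plus the Level 2-only checks, so the relation is enforced rather than copied. callCheck's `case` opens before this hunk.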
@@ -92,14 +92,19 @@ or if you want a pipe-delimited report file, do:
 ./prowler -M csv > output.psv
 ```
-5 - If you want to run Prowler to check multiple AWS accounts in parallel (runs up to 4 simultaneously `-P 4`):
+5 - To perform an assessment based on CIS Profile Definitions you can use level1 or level2 with `-c` flag, more information about this [here, page 8](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf):
+```
+./prowler -c level1
+```
+
+6 - If you want to run Prowler to check multiple AWS accounts in parallel (runs up to 4 simultaneously `-P 4`):
 ```
 grep -E '^\[([0-9A-Aa-z_-]+)\]' ~/.aws/credentials | tr -d '][' | shuf | \
 xargs -n 1 -L 1 -I @ -r -P 4 ./prowler -p @ -M csv 2> /dev/null >> all-accounts.csv
 ```
-6 - For help use:
+7 - For help use:
 ```
 ./prowler -h
@@ -109,10 +114,10 @@ USAGE:
 Options:
 -p specify your AWS profile to use (i.e.: default)
 -r specify an AWS region to direct API requests to (i.e.: us-east-1)
- -c specify a check number or group from the AWS CIS benchmark (i.e.: check11 for check 1.1 or check3 for entire section 3)
+ -c specify a check number or group from the AWS CIS benchmark (i.e.: check11 for check 1.1, check3 for entire section 3 or level1 for CIS Level 1 Profile Definitions)
 -f specify an AWS region to run checks against (i.e.: us-west-1)
 -m specify the maximum number of items to return for long-running requests (default: 100)
- -M output mode: text (defalut), mono, csv (separator is "|"; data is on stdout; progress on stderr)
+ -M output mode: text (defalut), mono, csv (separator is ","; data is on stdout; progress on stderr)
 -k keep the credential report
 -h this help