ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 06:45:08 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
0cd13b90f4445bebad84aaa208c0c21bf1ac06fd
prowler/groups/group15_pci
Ramon 8c70efde5f delete check extra756 and its references
2021-07-16 12:03:39 +02:00

134 lines
8.1 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
GROUP_ID[15]='pci'
GROUP_NUMBER[15]='15.0'
GROUP_TITLE[15]='PCI-DSS v3.2.1 Readiness - ONLY AS REFERENCE - [pci] **********'
GROUP_RUN_BY_DEFAULT[15]='N' # run it when execute_all is called
GROUP_CHECKS[15]='check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check112,check113,check114,check116,check21,check23,check25,check26,check27,check28,check29,check314,check36,check38,check43,extra711,extra713,extra717,extra718,extra72,extra729,extra735,extra738,extra740,extra744,extra748,extra75,extra750,extra751,extra753,extra754,extra755,extra773,extra78,extra780,extra781,extra782,extra783,extra784,extra785,extra787,extra788,extra798'
# Resources:
# https://github.com/toniblyx/prowler/issues/296
# List of checks based on PCI v3.2.1
# 3.1 Requirement: Install and Maintain a Firewall Configuration to Protect Cardholder Data
# Ensure no security groups allow ingress from 0.0.0.0/0 to all ports and protocols extra748
# Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP 3389) check42
# Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP 22) check41
# Ensure no security groups allow ingress from 0.0.0.0/0 to Oracle (TCP 1521) extra749
# Ensure no security groups allow ingress from 0.0.0.0/0 to Oracle (TCP and UDP 2483) extra749
# Ensure no security groups allow ingress from 0.0.0.0/0 to Oracle (UDP 2483) extra749
# Ensure no security groups allow ingress from 0.0.0.0/0 to MySQL (TCP 3306) extra750
# Ensure no security groups allow ingress from 0.0.0.0/0 to Postgres (TCP 5432) extra751
# Ensure no security groups allow ingress from 0.0.0.0/0 to Redis (TCP 6379)extra752
# Ensure no security groups allow ingress from 0.0.0.0/0 to MongoDB (TCP 27017 and 27018) extra753
# Ensure no security groups allow ingress from 0.0.0.0/0 to Cassandra (TCP 7199, 9160 and 8888) extra754
# Ensure no security groups allow ingress from 0.0.0.0/0 to Memcached (TCP and UDP 11211) extra755
# Ensure no security groups allow ingress from 0.0.0.0/0 to Elasticsearch ports (TCP 9200/9300/5601) extra779
# Ensure the default security group restricts all traffic check43
# Remove unused security groups extra75
# RDS should not have Public interface open to a public scope extra78
# Check for Publicly Accessible Redshift Clusters extra711
# Ensure Lambda Functions are not publicly accessible extra798
# 3.2 Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
# Instance with administrative service: SSH (TCP:22) is exposed to the public Internet check41
# Instance with administrative service: RDP (TCP:3389) is exposed to the public Internet check42
# Instance with unencrypted Redis: (TCP:6379) is exposed to the public Internet extra752
# 3.3 Requirement 3: Protect Stored Cardholder Data
# S3 Buckets Server Side encryption at rest extra734
# Ensure ECS Cluster At-rest encryption TODO
# Ensure DynamoDB -Server Side Encryption DONE (default behavior)
# Check if RDS instances storage is encrypted extra735
# Ensure there are no EBS Volumes unencrypted extra729
# Ensure CloudTrail logs are encrypted at rest using KMS CMKs check27
# Ensure rotation for customer created CMKs is enabled check28
# Check if EBS snapshots are encrypted extra740
# Ensure there are no EBS Snapshots set as Public extra72
# Ensure there is no Fargate containers in use (/aws/containers-roadmap/issues/314) TODO
# 3.4 Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks
# Use encrypted connections between CloudFront and origin server extra738 and TODO
# Ensure that S3 Buckets only allow data transfer using SSL/TLS extra734
# ELB is setup with SSL for secure communications TODO
# Ensure the access keys are rotated every 90 days or less check14
# Network Load Balancer with unencrypted service: ElasticSearch (TCP:9200) is exposed to the public Internet TODO? ELB on SSL should be enough extra779 and extra716
# Network Load Balancer with unencrypted service: ElasticSearch (TCP:9300) is exposed to the public Internet TODO? ELB on SSL should be enough extra779 and extra716
# Network Load Balancer with unencrypted service: LDAP (UDP:389) is exposed to the public Internet TODO? ELB on SSL should be enough
# Network Load Balancer with unencrypted service: LDAP (TCP:389) is exposed to the public Internet TODO? ELB on SSL should be enough
# Instance with unencrypted service: ElasticSearch (TCP:9200) is exposed to the public Internet extra779 and extra716
# Instance with unencrypted service: ElasticSearch (TCP:9300) is exposed to the public Internet extra779 and extra716
# Instance with unencrypted service: LDAP (UDP:389) is exposed to the public Internet
# Instance with unencrypted service: LDAP (TCP:389) is exposed to the public Internet
# Instance with unencrypted Redis: (TCP:6379) is exposed to the public Internet
# 3.5. Requirement 5: Protect All Systems Against Malware and Regularly Update Anti-Virus Software or Programs
# N/A
# 3.6. Requirement 6: Develop and Maintain Secure Systems and Applications
# Ensure Inspector has Assessment Targets TODO
# Ensure Inspector has a Scheduled Assessment Template TODO
# Check for WAF IPSet TODO
# Check for WAF Constraint Sets TODO
# Check for WAF Web ACL extra744,extra773
# 3.7. Requirement 7: Restrict Access to Cardholder Data By Business Need To Know
# Credentials (access keys) unused for 90 days or more should be disabled check13
# Credentials (password enabled) unused for 90 days or more should be disabled check111
# Ensure IAM policies are attached only to groups or roles check116
# 3.8. Requirement 8: Identify and Authenticate Access to System Components
# Enforce password policy: IAM (check15, check16, check17, check18, check19, check110, check111)
# Ensure that MFA is enabled for root account check113
# Ensure MFA is enabled for all IAM users that have a console password check12
# Ensure no root account access key exist check112
# Ensure hardware MFA is enabled for the root account check114
# Avoid the use of root account. check11
# 3.9 Requirement 9: Restrict Physical Access to Cardholder Data
# N/A
# 3.10. Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data
# Ensure CloudTrail is enabled in all regions check21
# Ensure VPC Flow Logging is enabled in all the applicable Regions check29
# Ensure S3 Buckets access logging is enabled on the CloudTrail S3 bucket check26
# ELB is created with access logs enabled extra717
# S3 bucket should have server access logging enabled extra718
# Ensure AWS Config in all regions check25
# S3 bucket CloudTrail logs should not have public accessible check23
# S3 buckets should not be world-listable extra73
# S3 buckets should not be world-writable extra73
# S3 buckets should not be world-readable extra73
# Ensure a log metric filter and alarm exist for S3 bucket policy changes check38
# Ensure a log metric exist for AWS Management console authentication failures check36
# Ensure a log metric exist for VPC changes check314
# 3.11. Requirement 11: Regularly Test Security Systems and Processes
# Ensure AWS GuarDduty is enabled extra713
# Ensure Inspector has Assessment Targets
# Ensure Inspector has a Scheduled Assessment Template
# Requirement 12: Maintain a Policy That Addresses Information Security For All Personnel
# N/A
Reference in New Issue View Git Blame Copy Permalink