Implemented CIS 1.2.0 Monitoring findings
Pau Risa committed May 25, 2020
1 parent 95f9710 commit 0c75f6c
Showing 16 changed files with 120 additions and 82 deletions.
39 changes: 39 additions & 0 deletions ScoutSuite/providers/aws/resources/cloudwatch/base.py
Expand Up @@ -20,8 +20,47 @@ async def finalize(self):
for region in self['regions']:
self['regions'][region]['metric_filters_pattern_checks'] = {}
# Initialize results at "False"
self['regions'][region]['metric_filters_pattern_checks']['unauthorized_api_calls'] = False
self['regions'][region]['metric_filters_pattern_checks']['console_login_mfa'] = False
self['regions'][region]['metric_filters_pattern_checks']['root_usage'] = False
self['regions'][region]['metric_filters_pattern_checks']['iam_policy_changes'] = False
self['regions'][region]['metric_filters_pattern_checks']['cloudtrail_configuration_changes'] = False
self['regions'][region]['metric_filters_pattern_checks']['console_authentication_failures'] = False
self['regions'][region]['metric_filters_pattern_checks']['cmk_deletion'] = False
self['regions'][region]['metric_filters_pattern_checks']['s3_policy_changes'] = False
self['regions'][region]['metric_filters_pattern_checks']['aws_configuration_changes'] = False
self['regions'][region]['metric_filters_pattern_checks']['security_group_changes'] = False
self['regions'][region]['metric_filters_pattern_checks']['nacl_changes'] = False
self['regions'][region]['metric_filters_pattern_checks']['network_gateways_changes'] = False
self['regions'][region]['metric_filters_pattern_checks']['route_table_changes'] = False
self['regions'][region]['metric_filters_pattern_checks']['vpc_changes'] = False
for metric_filter_id, metric_filter in self['regions'][region]['metric_filters'].items():
# Check events
if metric_filter['pattern'] == 'filterPattern": "{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }':
self['regions'][region]['metric_filters_pattern_checks']['unauthorized_api_calls'] = True
if metric_filter['pattern'] == 'filterPattern": "{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }':
self['regions'][region]['metric_filters_pattern_checks']['console_login_mfa'] = True
if metric_filter['pattern'] == 'filterPattern": "{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }':
self['regions'][region]['metric_filters_pattern_checks']['root_usage'] = True
if metric_filter['pattern'] == 'filterPattern": "{ ($.eventName=DeleteGroupPolicy) || ($..eventName=DeleteRolePolicy) || ($.eventName=DeleteUserPolicy) || ($.eventName=PutGroupPolicy) || ($.eventName=PutRolePolicy) || ($.eventName=PutUserPolicy) || ($.eventName=CreatePolicy) || ($.eventName=DeletePolicy) || ($.eventName=CreatePolicyVersion) || ($.eventName=DeletePolicyVersion) || ($.eventName=AttachRolePolicy) || ($.eventName=DetachRolePolicy) || ($.eventName=AttachUserPolicy) || ($.eventName=DetachUserPolicy) || ($.eventName=AttachGroupPolicy) || ($.eventName=DetachGroupPolicy) }':
self['regions'][region]['metric_filters_pattern_checks']['iam_policy_changes'] = True
if metric_filter['pattern'] == 'filterPattern": "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }':
self['regions'][region]['metric_filters_pattern_checks']['cloudtrail_configuration_changes'] = True
if metric_filter['pattern'] == 'filterPattern": "{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }':
self['regions'][region]['metric_filters_pattern_checks']['console_authentication_failures'] = True
if metric_filter['pattern'] == 'filterPattern": "{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }':
self['regions'][region]['metric_filters_pattern_checks']['cmk_deletion'] = True
if metric_filter['pattern'] == 'filterPattern": "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketReplication)) }':
self['regions'][region]['metric_filters_pattern_checks']['s3_policy_changes'] = True
if metric_filter['pattern'] == 'filterPattern": "{ ($.eventSource = config.amazonaws.com) && (($.eventName = StopConfigurationRecorder) || ($.eventName = DeleteDeliveryChannel) || ($.eventName = PutDeliveryChannel) || ($.eventName = PutConfigurationRecorder)) }':
self['regions'][region]['metric_filters_pattern_checks']['aws_configuration_changes'] = True
if metric_filter['pattern'] == 'filterPattern": "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }':
self['regions'][region]['metric_filters_pattern_checks']['security_group_changes'] = True
if metric_filter['pattern'] == 'filterPattern": "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }':
self['regions'][region]['metric_filters_pattern_checks']['nacl_changes'] = True
if metric_filter['pattern'] == 'filterPattern": "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }':
self['regions'][region]['metric_filters_pattern_checks']['network_gateways_changes'] = True
if metric_filter['pattern'] == 'filterPattern": "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }':
self['regions'][region]['metric_filters_pattern_checks']['route_table_changes'] = True
if metric_filter['pattern'] == 'filterPattern": "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }':
self['regions'][region]['metric_filters_pattern_checks']['vpc_changes'] = True
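Review bot: The pattern checks on L35–L61 use exact string equality, so a deployed filter that differs only in whitespace or clause order is reported as missing, and every literal carries the prefix `filterPattern": "`, which — if `metric_filter['pattern']` holds the raw filter pattern value rather than a JSON fragment — makes all fourteen checks fail; confirm against the collector that fills `metric_filters`. L41 additionally contains `$..eventName=DeleteRolePolicy` (double dot), which can never equal a single-dot filter pattern. The finding files in this commit (L63 onward) replace the `alarms.id.AlarmActions` / `empty` condition with these flags, so a region with a matching filter but no alarm or action wired to it would now pass; consider keeping the alarm check alongside the pattern flag. A table-driven comparison with whitespace stripped, below, also replaces the 28 repeated assignments and drops the unused `metric_filter_id` from the `.items()` loop; finalize starts outside the hunk.
```python
# … unchanged: the fourteen pattern literals from the hunk, keyed by the check name each one sets …
CIS_METRIC_FILTER_PATTERNS = {
    'unauthorized_api_calls': 'filterPattern": "{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
    # … remaining thirteen entries, literals as written in the hunk …
}


def _squash(pattern):
    # Whitespace inside a filter pattern is not significant; compare without it.
    return ''.join((pattern or '').split())


# inside finalize(), per region:
checks = {name: False for name in CIS_METRIC_FILTER_PATTERNS}
for metric_filter in self['regions'][region]['metric_filters'].values():
    deployed = _squash(metric_filter['pattern'])
    for name, expected in CIS_METRIC_FILTER_PATTERNS.items():
        if deployed == _squash(expected):
            checks[name] = True
self['regions'][region]['metric_filters_pattern_checks'] = checks
```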
@@ -1,5 +1,5 @@
{
"description": "No CloudWatch alarm for AWS configuration changes",
"description": "No CloudWatch alarm for \"AWS Configuration Changes\"",
"rationale": "There was no CloudWatch alarm to monitor AWS configuration changes. Monitoring for AWS configuration changes will help ensure sustained visibility to changes performed in the AWS account.",
"remediation": "Enable a CloudWatch alarm to detect AWS configuration changes.",
"compliance": [
Expand All @@ -19,13 +19,13 @@
"reference": "3.9"
}
],
"dashboard_name": "Cloudwatch",
"path": "cloudwatch.regions.id.alarms.id",
"dashboard_name": "Regions",
"path": "cloudwatch.regions.id.metric_filters.id",
"conditions": [
"and",
"or",
[
"cloudwatch.regions.id.alarms.id.AlarmActions",
"empty",
"cloudwatch.regions.id.metric_filters_pattern_checks.aws_configuration_changes",
"false",
""
]
]
@@ -1,5 +1,5 @@
{
"description": "No CloudWatch alarm for CloudTrail configuration changes",
"description": "No CloudWatch alarm for \"CloudTrail Configuration Changes\"",
"rationale": "There was no CloudWatch alarm to monitor CloudTrail configuration changes. Monitoring for CloudTrail policy changes will help ensure sustained visibility to activities performed in the AWS account.",
"remediation": "Enable a CloudWatch alarm to monitor CloudTrail configuration changes.",
"compliance": [
Expand All @@ -19,13 +19,13 @@
"reference": "3.5"
}
],
"dashboard_name": "Cloudwatch",
"path": "cloudwatch.regions.id.alarms.id",
"dashboard_name": "Regions",
"path": "cloudwatch.regions.id.metric_filters.id",
"conditions": [
"and",
"or",
[
"cloudwatch.regions.id.alarms.id.AlarmActions",
"empty",
"cloudwatch.regions.id.metric_filters_pattern_checks.cloudtrail_configuration_changes",
"false",
""
]
]
@@ -1,5 +1,5 @@
{
"description": "No CloudWatch alarm for disabled or deleted master keys",
"description": "No CloudWatch alarm for \"Disabled or Deleted Master Keys\"",
"rationale": "There was no CloudWatch alarm to alert about disabled or deleted master keys. Monitoring for disabled or deleted master keys can prevent permanent loss of data encrypted with such keys.",
"remediation": "Enable a CloudWatch alarm to detect recently disabled or deleted master keys.",
"compliance": [
Expand All @@ -19,13 +19,13 @@
"reference": "3.7"
}
],
"dashboard_name": "Cloudwatch",
"path": "cloudwatch.regions.id.alarms.id",
"dashboard_name": "Regions",
"path": "cloudwatch.regions.id.metric_filters.id",
"conditions": [
"and",
"or",
[
"cloudwatch.regions.id.alarms.id.AlarmActions",
"empty",
"cloudwatch.regions.id.metric_filters_pattern_checks.cmk_deletion",
"false",
""
]
]
@@ -1,5 +1,5 @@
{
"description": "No CloudWatch alarm for failed console authentications",
"description": "No CloudWatch alarm for \"Failed Console Authentications\"",
"rationale": "There was no CloudWatch alarm for failed console authentication requests. Monitoring for failed console authentications can decrease the lead time to detect brute force attacks.",
"remediation": "Enable a CloudWatch alarm to monitor failed authentication attempts.",
"compliance": [
Expand All @@ -19,13 +19,13 @@
"reference": "3.6"
}
],
"dashboard_name": "Cloudwatch",
"path": "cloudwatch.regions.id.alarms.id",
"dashboard_name": "Regions",
"path": "cloudwatch.regions.id.metric_filters.id",
"conditions": [
"and",
"or",
[
"cloudwatch.regions.id.alarms.id.AlarmActions",
"empty",
"cloudwatch.regions.id.metric_filters_pattern_checks.console_authentication_failures",
"false",
""
]
]
@@ -1,5 +1,5 @@
{
"description": "No CloudWatch alarm for IAM policy changes",
"description": "No CloudWatch alarm for \"IAM Policy Changes\"",
"rationale": "There was no CloudWatch alarm to monitor IAM policy changes. Monitoring for IAM policy changes will help ensure authentication and authorization control remain intact.",
"remediation": "Enable a CloudWatch alarm to monitor the usage of the root account.",
"compliance": [
Expand All @@ -19,13 +19,13 @@
"reference": "3.4"
}
],
"dashboard_name": "Cloudwatch",
"path": "cloudwatch.regions.id.alarms.id",
"dashboard_name": "Regions",
"path": "cloudwatch.regions.id.metric_filters.id",
"conditions": [
"and",
"or",
[
"cloudwatch.regions.id.alarms.id.AlarmActions",
"empty",
"cloudwatch.regions.id.metric_filters_pattern_checks.iam_policy_changes",
"false",
""
]
]
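Review bot: The remediation on L176, `Enable a CloudWatch alarm to monitor the usage of the root account.`, is the root-usage text (it appears verbatim at L257) while this file is the IAM policy changes finding. It is a context line this commit does not touch, but since L174 rewrites the description in the same file, the remediation could be corrected in the same pass, e.g. `"remediation": "Enable a CloudWatch alarm to monitor IAM policy changes.",`.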
@@ -1,5 +1,5 @@
{
"description": "No CloudWatch alarm for Network Access Control Lists changes",
"description": "No CloudWatch alarm for \"Network Access Control Lists Changes\"",
"rationale": "There was no CloudWatch alarm to detect changes to NACL. Monitoring for NACL changes will help ensure that no service or resource is unintentionally exposed.",
"remediation": "Enable a CloudWatch alarm to detect NACL changes.",
"compliance": [
Expand All @@ -19,13 +19,13 @@
"reference": "3.11"
}
],
"dashboard_name": "Cloudwatch",
"path": "cloudwatch.regions.id.alarms.id",
"dashboard_name": "Regions",
"path": "cloudwatch.regions.id.metric_filters.id",
"conditions": [
"and",
"or",
[
"cloudwatch.regions.id.alarms.id.AlarmActions",
"empty",
"cloudwatch.regions.id.metric_filters_pattern_checks.nacl_changes",
"false",
""
]
]
@@ -1,5 +1,5 @@
{
"description": "No CloudWatch alarm for network gateways changes",
"description": "No CloudWatch alarm for \"Network Gateways Changes\"",
"rationale": "There was no CloudWatch alarm to monitor changes in network gateways. Monitoring for network gateways changes will help ensure that all traffic traverses the VPC border via a controlled path.",
"remediation": "Enable a CloudWatch alarm to detect network gateways changes.",
"compliance": [
Expand All @@ -19,13 +19,13 @@
"reference": "3.12"
}
],
"dashboard_name": "Cloudwatch",
"path": "cloudwatch.regions.id.alarms.id",
"dashboard_name": "Regions",
"path": "cloudwatch.regions.id.metric_filters.id",
"conditions": [
"and",
"or",
[
"cloudwatch.regions.id.alarms.id.AlarmActions",
"empty",
"cloudwatch.regions.id.metric_filters_pattern_checks.network_gateways_changes",
"false",
""
]
]
@@ -1,5 +1,5 @@
{
"description": "No CloudWatch alarm for root account usage",
"description": "No CloudWatch alarm for \"Root Account Usage\"",
"rationale": "There was no CloudWatch alarm for the usage of the root account. Monitoring for root account log ins will provide visibility into the use of a fully privileged account.",
"remediation": "Enable a CloudWatch alarm to monitor the usage of the root account.",
"compliance": [
Expand All @@ -19,13 +19,13 @@
"reference": "3.3"
}
],
"dashboard_name": "Cloudwatch",
"path": "cloudwatch.regions.id.alarms.id",
"dashboard_name": "Regions",
"path": "cloudwatch.regions.id.metric_filters.id",
"conditions": [
"and",
"or",
[
"cloudwatch.regions.id.alarms.id.AlarmActions",
"empty",
"cloudwatch.regions.id.metric_filters_pattern_checks.root_usage",
"false",
""
]
]
@@ -1,5 +1,5 @@
{
"description": "No CloudWatch alarm for route table changes",
"description": "No CloudWatch alarm for \"Route Table Changes\"",
"rationale": "There was no CloudWatch alarm to monitor changes in route tables. Monitoring for route table changes will help ensure that all VPC traffic flows thorough an expected path.",
"remediation": "Enable a CloudWatch alarm to detect route table changes.",
"compliance": [
Expand All @@ -19,13 +19,13 @@
"reference": "3.13"
}
],
"dashboard_name": "Cloudwatch",
"path": "cloudwatch.regions.id.alarms.id",
"dashboard_name": "Regions",
"path": "cloudwatch.regions.id.metric_filters.id",
"conditions": [
"and",
"or",
[
"cloudwatch.regions.id.alarms.id.AlarmActions",
"empty",
"cloudwatch.regions.id.metric_filters_pattern_checks.route_table_changes",
"false",
""
]
]
@@ -1,5 +1,5 @@
{
"description": "No CloudWatch alarm for S3 bucket policy changes",
"description": "No CloudWatch alarm for \"S3 Bucket Policy Changes\"",
"rationale": "There was no CloudWatch alarm to detect changes in S3 bucket policy changes. Monitoring for changes in S3 bucket policy changes may reduce the time to detect and fix permissive policies on sensitive S3 buckets.",
"remediation": "Enable a CloudWatch alarm to detect policy changes in S3 buckets.",
"compliance": [
Expand All @@ -19,13 +19,13 @@
"reference": "3.8"
}
],
"dashboard_name": "Cloudwatch",
"path": "cloudwatch.regions.id.alarms.id",
"dashboard_name": "Regions",
"path": "cloudwatch.regions.id.metric_filters.id",
"conditions": [
"and",
"or",
[
"cloudwatch.regions.id.alarms.id.AlarmActions",
"empty",
"cloudwatch.regions.id.metric_filters_pattern_checks.s3_policy_changes",
"false",
""
]
]
@@ -1,5 +1,5 @@
{
"description": "No CloudWatch alarm for security group changes",
"description": "No CloudWatch alarm for \"Security Group Changes\"",
"rationale": "There was no CloudWatch alarm to monitor changes to security groups. Monitoring for security group changes will help ensure that no service or resource is unintentionally exposed.",
"remediation": "Enable a CloudWatch alarm to monitor security group changes.",
"compliance": [
Expand All @@ -19,13 +19,13 @@
"reference": "3.10"
}
],
"dashboard_name": "Cloudwatch",
"path": "cloudwatch.regions.id.alarms.id",
"dashboard_name": "Regions",
"path": "cloudwatch.regions.id.metric_filters.id",
"conditions": [
"and",
"or",
[
"cloudwatch.regions.id.alarms.id.AlarmActions",
"empty",
"cloudwatch.regions.id.metric_filters_pattern_checks.security_group_changes",
"false",
""
]
]
Expand Up @@ -20,10 +20,9 @@
}
],
"dashboard_name": "Regions",
"path": "cloudwatch.regions.id.metric_filters_pattern_checks.console_login_mfa",
"display_path": "cloudwatch.regions.id.metric_filters.id",
"path": "cloudwatch.regions.id.metric_filters.id",
"conditions": [
"and",
"or",
[
"cloudwatch.regions.id.metric_filters_pattern_checks.console_login_mfa",
"false",
@@ -1,5 +1,5 @@
{
"description": "No CloudWatch alarm for unauthorized API calls",
"description": "No CloudWatch Alarm for \"Unauthorized API Calls\"",
"rationale": "There was no CloudWatch alarm for unauthorized API calls. Monitoring for unauthorized API calls helps reveal application errors and detect malicious activity.",
"remediation": "Enable a CloudWatch alarm to monitor unauthorized API calls.",
"compliance": [
Expand All @@ -19,13 +19,13 @@
"reference": "3.1"
}
],
"dashboard_name": "Cloudwatch",
"path": "cloudwatch.regions.id.alarms.id",
"dashboard_name": "Regions",
"path": "cloudwatch.regions.id.metric_filters.id",
"conditions": [
"and",
"or",
[
"cloudwatch.regions.id.alarms.id.AlarmActions",
"empty",
"cloudwatch.regions.id.metric_filters_pattern_checks.unauthorized_api_calls",
"false",
""
]
]
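Review bot: The rewritten description on L377 capitalizes `Alarm` while the other thirteen descriptions changed in this commit (L66, L93, L120, …) use lowercase `alarm`. For consistency across the findings: `"description": "No CloudWatch alarm for \"Unauthorized API Calls\"",`.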