Check ID32="3.2,3.02" needs improvement #112
Comments
Thanks @GaboP87, do you mean that changing L 1058 with your suggestion works fine?
Hi @toniblyx, no. I mean that the Regex that is being used in the Prowler script is the wrong one to correctly check for a successful login without MFA. If you check the AWS_CIS_Foundations_Benchmark PDF file, on page 91 you can read the exact description of the requirement to be fulfilled in this case. Now, since the requirement is too generic, and there are currently three ways to log in to an AWS Console (root account, IAM User, assumed IAM Role), it is necessary to specify different checks here:
The login needs to be successful in order to track this event. For failed logins there is already a CloudWatch Metric and associated Alarm that takes care of it. It is necessary then to check for: We need to track all those successful logins from any IAM User or the Root Account which did not use MFA. For this we need to check for: Finally, from the Prowler script, it would be great to check for different Regex patterns for the two Filter Patterns that might be together, or separated, depending on how the Metrics and Alarms are configured:
Let me know if you understand what I mean by this. Cheers,
Thanks @GaboP87, I haven't forgotten you, just a bit busy these days. I'll get back to this asap.
Hi @GaboP87, I think I've fixed it. This is the trick (the IAMUser/root alternation is grouped in parentheses so that awk's && does not bind tighter than the ||, and [Rr]oot also matches the capitalised Root type):
aws logs describe-metric-filters --log-group-name CloudTrail/DefaultLogGroup --profile xxxx --region us-east-1 --query 'metricFilters' | grep filterPattern | awk '/.userIdentity.type/&&(/IAMUser/||/[Rr]oot/)&&/.responseElements.ConsoleLogin/&&/.additionalEventData.MFAUsed/&&/Yes/'
Please, feel free to open this case again if it doesn't work for you.
Hi,
From the AWS_CIS_Foundations_Benchmark PDF file (https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf), for check 3.2 (page 91), it is stated that it is necessary to check for this Filter Pattern of the specified Metric:
"filterPattern": "{ ($.eventName = "ConsoleLogin") && ($ .additionalEventData.MFAUsed != "Yes") }"
Since it is not possible to check only for this, because it would also involve ConsoleLogin for IAM Federated Users (assumed roles for the federated groups in AD), and it is not possible to configure MFA for federated users (IAM Roles) as a native AWS solution, I created the following Filter Pattern, which covers a successful ConsoleLogin API call for any generic IAM User, as well as for the root user of the AWS Account:
"filterPattern": "{ ($.userIdentity.type= IAMUser || $ .userIdentity.type= Root) && ($.responseElements.ConsoleLogin= Success) && ($ .additionalEventData.MFAUsed != "Yes") }"
This works well for any CIS Benchmark Security Requirement. However, from a quick review of the Prowler script (Line 1058), I found the following Regex being checked for:
'userIdentity.sessionContext.attributes.mfaAuthenticated.*true'
This will clearly result in an error. It checks for any Metric which looks for Logs containing the sessionContext attribute. That attribute does not appear whenever an IAM User or the root account signs in successfully to the console without MFA. It will instead match all the API Calls with that parameter in the Log stream. Examples of these API Calls:
And none of the API Calls containing the sessionContext parameter have ConsoleLogin as the eventName parameter.
Can you help me with this please?
Cheers,
Gabriel
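As an added illustration (not Prowler's code and not from anyone in this thread), the following Python runs the regex quoted above from Prowler and two CIS 3.2 filter-pattern matchers over constructed describe-metric-filters output, showing that the old regex selects a sessionContext filter that is not a console-login check at all. The filter names and the third filter pattern are constructed for the example; the first two patterns are the ones quoted in this issue.

```python
import json
import re

# Constructed sample in the shape of `aws logs describe-metric-filters --query metricFilters`.
# Filter 1 is the CIS 3.2 pattern from the benchmark PDF, filter 2 is the stricter pattern
# from this issue, filter 3 is a constructed decoy keyed on the sessionContext attribute.
SAMPLE_METRIC_FILTERS = json.dumps([
    {"filterName": "ConsoleSigninWithoutMFA",
     "filterPattern": '{ ($.eventName = "ConsoleLogin") && '
                      '($.additionalEventData.MFAUsed != "Yes") }'},
    {"filterName": "UserOrRootLoginNoMFA",
     "filterPattern": '{ ($.userIdentity.type = IAMUser || $.userIdentity.type = Root) && '
                      '($.responseElements.ConsoleLogin = Success) && '
                      '($.additionalEventData.MFAUsed != "Yes") }'},
    {"filterName": "ApiCallsWithMfaSession",
     "filterPattern": '{ $.userIdentity.sessionContext.attributes.mfaAuthenticated = "true" }'},
])

# Regex quoted from Prowler line 1058 in the issue: it keys on the sessionContext
# attribute, which console sign-in events never carry.
OLD_REGEX = re.compile(r"userIdentity.sessionContext.attributes.mfaAuthenticated.*true")

# The two acceptable shapes of a CIS 3.2 filter. Whitespace around "$", dots and
# operators is optional because the PDF prints "$ .additionalEventData".
CIS_GENERIC = re.compile(
    r'\$\s*\.eventName\s*=\s*"?ConsoleLogin"?'
    r'.*\$\s*\.additionalEventData\.MFAUsed\s*!=\s*"?Yes"?')
STRICT = re.compile(
    r'\$\s*\.userIdentity\.type\s*=\s*"?IAMUser"?\s*\|\|\s*'
    r'\$\s*\.userIdentity\.type\s*=\s*"?Root"?'
    r'.*\$\s*\.responseElements\.ConsoleLogin\s*=\s*"?Success"?'
    r'.*\$\s*\.additionalEventData\.MFAUsed\s*!=\s*"?Yes"?')


def matching_filters(metric_filters_json, regex):
    """Return the sorted filterNames whose filterPattern matches the given regex."""
    filters = json.loads(metric_filters_json)
    return sorted(f["filterName"] for f in filters if regex.search(f["filterPattern"]))


def cis_3_2_filters(metric_filters_json):
    """Filters that satisfy CIS 3.2 (console sign-in without MFA) in either accepted form."""
    filters = json.loads(metric_filters_json)
    return sorted(f["filterName"] for f in filters
                  if CIS_GENERIC.search(f["filterPattern"])
                  or STRICT.search(f["filterPattern"]))


if __name__ == "__main__":
    print("old regex selects:", matching_filters(SAMPLE_METRIC_FILTERS, OLD_REGEX))
    print("CIS 3.2 filters:  ", cis_3_2_filters(SAMPLE_METRIC_FILTERS))
```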