From e1169ddfd886f0a0cc9ee82d86ad9e047356517a Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Fri, 18 Oct 2024 11:28:26 +0530 Subject: [PATCH 01/28] AWS - GuardDuty (4 Templates) --- cloud/aws/guardduty/guardduty-disabled.yaml | 38 ++++++++++ cloud/aws/guardduty/guardduty-findings.yaml | 76 +++++++++++++++++++ .../malware-protection-disabled.yaml | 58 ++++++++++++++ .../aws/guardduty/s3-protection-disabled.yaml | 58 ++++++++++++++ 4 files changed, 230 insertions(+) create mode 100644 cloud/aws/guardduty/guardduty-disabled.yaml create mode 100644 cloud/aws/guardduty/guardduty-findings.yaml create mode 100644 cloud/aws/guardduty/malware-protection-disabled.yaml create mode 100644 cloud/aws/guardduty/s3-protection-disabled.yaml diff --git a/cloud/aws/guardduty/guardduty-disabled.yaml b/cloud/aws/guardduty/guardduty-disabled.yaml new file mode 100644 index 0000000000..7f65536dc7 --- /dev/null +++ b/cloud/aws/guardduty/guardduty-disabled.yaml 
@@ -0,0 +1,38 @@ +id: guardduty-disabled + +info: + name: GuardDuty - Disabled + author: DhiyaneshDK + severity: medium + description: | + Ensure that Amazon GuardDuty service is currently enabled in all regions in order to protect your AWS environment and infrastructure (AWS accounts and resources, IAM credentials, guest operating systems, applications, etc) against security threats. + impact: | + GuardDuty disabled leaves your AWS environment vulnerable to undetected threats, such as unauthorized access, anomalous activities, and potential security breaches, compromising the overall security posture. + remediation: | + Enable GuardDuty to continuously monitor and detect security threats in your AWS environment. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/GuardDuty/guardduty-enabled.html + - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html + tags: cloud,devops,aws,amazon,guardduty,aws-cloud-config + +variables: + region: "us-west-2" + +self-contained: true + +code: + - engine: + - sh + - bash + source: | + aws guardduty list-detectors --region $region --query 'DetectorIds' --output json + + matchers: + - type: word + words: + - "[]" + + extractors: + - type: dsl + dsl: + - '"GuardDuty is Disabled"' \ No newline at end of file diff --git a/cloud/aws/guardduty/guardduty-findings.yaml b/cloud/aws/guardduty/guardduty-findings.yaml new file mode 100644 index 0000000000..8401318ea9 --- /dev/null +++ b/cloud/aws/guardduty/guardduty-findings.yaml 
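Review bot: The `[]` word matcher on `list-detectors` only detects the absence of a detector object; a detector that exists but has been suspended (GetDetector reports `Status` as `DISABLED`) still yields a non-empty `DetectorIds` list and is reported as compliant. The three sibling templates in this patch already iterate detector IDs through a `flow`, so the same shape can be reused here with a second code block reading `Status`, while the `[]` matcher on the first block keeps covering the no-detector case. The `info.description` also says "in all regions" although the template checks the single `region` variable (overridable with `-var region=…`), so that sentence should say the check is per region.
```yaml
flow: |
  code(1)
  for(let DetectorIds of iterate(template.detectors)){
    set("detector", DetectorIds)
    code(2)
  }

code:
  # … unchanged: list-detectors block with its "[]" word matcher, plus an added
  #   json extractor `name: detectors`, `internal: true`, `json: ['.[]']` …
  - engine:
      - sh
      - bash
    source: |
      aws guardduty get-detector --region $region --detector-id "$detector" --query 'Status' --output json

    matchers:
      - type: word
        words:
          - "DISABLED"

    extractors:
      - type: dsl
        dsl:
          - '"GuardDuty detector " + detector + " is Disabled"'
```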
@@ -0,0 +1,76 @@ +id: guardduty-findings + +info: + name: GuardDuty Findings + author: DhiyaneshDK + severity: medium + description: | + Check for AWS GuardDuty findings and resolve them step by step to ensure that your AWS infrastructure is protected against security threats. + impact: | + GuardDuty findings indicate potential security threats, such as compromised instances, unauthorized access, or malicious activities within your AWS environment, requiring immediate investigation. + remediation: | + Investigate and respond to GuardDuty findings by analyzing the threat details and taking corrective actions, such as blocking malicious IPs, revoking compromised credentials, or isolating affected instances. Use AWS Security Hub or AWS Config for automated remediation where applicable. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/GuardDuty/findings.html + - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html + tags: cloud,devops,aws,amazon,guardduty,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let DetectorIds of iterate(template.detectors)){ + set("detector", DetectorIds) + code(2)} + for(let FindingIds of iterate(template.findings)){ + set("finding", FindingIds) + code(3) + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: | + aws guardduty list-detectors --region $region --query 'DetectorIds' --output json + + extractors: + - type: json + name: detectors + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + source: | + aws guardduty list-findings --region $region --detector-id $detector --query 'FindingIds' --output json + + extractors: + - type: json + name: findings + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + source: | + aws guardduty get-findings --region $region --detector-id $detector --finding-ids $finding --output json + + matchers: + - type: word + words: + - '"Title":' + - '"Type":' + condition: and + 
+ extractors: + - type: dsl + dsl: + - '"GuardDuty Findings " + finding + " is present"' \ No newline at end of file diff --git a/cloud/aws/guardduty/malware-protection-disabled.yaml b/cloud/aws/guardduty/malware-protection-disabled.yaml new file mode 100644 index 0000000000..9244079018 --- /dev/null +++ b/cloud/aws/guardduty/malware-protection-disabled.yaml 
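Review bot: The `list-findings` call in the second code block passes no `--finding-criteria`, so archived findings are listed as well and each of them is then reported by the third block as "is present", which makes the template noisy on any account that actually triages and archives findings. Unless surfacing archived findings is intended, filter them server-side: `aws guardduty list-findings --region $region --detector-id $detector --finding-criteria '{"Criterion":{"service.archived":{"Eq":["false"]}}}' --query 'FindingIds' --output json`. In the `flow` block the first loop is closed as `code(2)}` on one line; `code(2)` followed by `}` on its own line would match the second loop's formatting. The `code` list for this template begins on the previous line of the patch.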
@@ -0,0 +1,58 @@ +id: malware-protection-disabled + +info: + name: GuardDuty Malware Protection - Disabled + author: DhiyaneshDK + severity: medium + description: | + Ensure that the Malware Protection feature is enabled for your Amazon GuardDuty detectors. + impact: | + GuardDuty Malware Protection disabled increases the risk of undetected malware threats on EBS volumes, potentially leading to data compromise or system breaches. + remediation: | + Enable GuardDuty Malware Protection by configuring the feature in the GuardDuty console or using the AWS CLI, to scan EBS volumes for malware and ensure proactive threat detection. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/GuardDuty/enable-malware-protection.html + - https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html + tags: cloud,devops,aws,amazon,guardduty,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let DetectorIds of iterate(template.detectors)){ + set("detector", DetectorIds) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: | + aws guardduty list-detectors --region $region --query 'DetectorIds' --output json + + extractors: + - type: json + name: detectors + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + source: | + aws guardduty get-detector --region $region --detector-id "$detector" --query 'DataSources.MalwareProtection.ScanEc2InstanceWithFindings.EbsVolumes.Status' --output json + + matchers: + - type: word + words: + - "DISABLED" + + extractors: + - type: dsl + dsl: + - '"GuardDuty Malware Protection " + detector + " is Disabled"' \ No newline at end of file diff --git a/cloud/aws/guardduty/s3-protection-disabled.yaml b/cloud/aws/guardduty/s3-protection-disabled.yaml new file mode 100644 index 0000000000..e38fe6ca6d --- /dev/null +++ b/cloud/aws/guardduty/s3-protection-disabled.yaml 
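Review bot: The second code block treats every output other than `DISABLED` as compliant, so a detector for which the `DataSources.MalwareProtection.ScanEc2InstanceWithFindings.EbsVolumes.Status` path is absent prints `null` (JMESPath's result for a missing path) and produces no finding at all; `s3-protection-disabled.yaml` in this patch has the same fail-open shape with `DataSources.S3Logs.Status`. That is not a corner case: GetDetector's `DataSources` field is documented as deprecated in favour of the `Features` list, where this feature is reported under the name `EBS_MALWARE_PROTECTION` (and S3 under `S3_DATA_EVENTS`), so newer accounts may well return `null` here. Prefer querying the feature list, `--query 'Features[?Name==`EBS_MALWARE_PROTECTION`].Status'`, or at least add a second word matcher on `null` under `matchers-condition: or` so a missing value is reported rather than silently passed. `$detector` is quoted but `$region` is not; quote both for consistency.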
@@ -0,0 +1,58 @@ +id: s3-protection-disabled + +info: + name: GuardDuty S3 Protection - Disabled + author: DhiyaneshDK + severity: medium + description: | + Ensure that the S3 Protection feature is enabled for your Amazon GuardDuty detectors. + impact: | + GuardDuty S3 Protection disabled increases the risk of undetected malicious activities, such as unauthorized access or data exfiltration, within S3 buckets. + remediation: | + Enable GuardDuty S3 Protection by configuring it in the GuardDuty console or via AWS CLI to monitor S3 buckets for unauthorized access and malicious activities. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/GuardDuty/enable-s3-protection.html + - https://docs.aws.amazon.com/guardduty/latest/ug/s3-protection.html + tags: cloud,devops,aws,amazon,guardduty,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let DetectorIds of iterate(template.detectors)){ + set("detector", DetectorIds) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: | + aws guardduty list-detectors --region $region --query 'DetectorIds' --output json + + extractors: + - type: json + name: detectors + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + source: | + aws guardduty get-detector --region $region --detector-id "$detector" --query 'DataSources.S3Logs.Status' --output json + + matchers: + - type: word + words: + - "DISABLED" + + extractors: + - type: dsl + dsl: + - '"GuardDuty S3 Protection " + detector + " is Disabled"' \ No newline at end of file From 49a552773f7cf12cc25f349d94bf986f251ba0d1 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Fri, 18 Oct 2024 15:23:16 +0530 Subject: [PATCH 02/28] fix-trail-space --- cloud/aws/guardduty/malware-protection-disabled.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/cloud/aws/guardduty/malware-protection-disabled.yaml b/cloud/aws/guardduty/malware-protection-disabled.yaml index 9244079018..3011a96597 100644 --- a/cloud/aws/guardduty/malware-protection-disabled.yaml +++ b/cloud/aws/guardduty/malware-protection-disabled.yaml @@ -9,7 +9,7 @@ info: impact: | GuardDuty Malware Protection disabled increases the risk of undetected malware threats on EBS volumes, potentially leading to data compromise or system breaches. remediation: | - Enable GuardDuty Malware Protection by configuring the feature in the GuardDuty console or using the AWS CLI, to scan EBS volumes for malware and ensure proactive threat detection. + Enable GuardDuty Malware Protection by configuring the feature in the GuardDuty console or using the AWS CLI, to scan EBS volumes for malware and ensure proactive threat detection. reference: - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/GuardDuty/enable-malware-protection.html - https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html @@ -55,4 +55,4 @@ code: extractors: - type: dsl dsl: - - '"GuardDuty Malware Protection " + detector + " is Disabled"' \ No newline at end of file + - '"GuardDuty Malware Protection " + detector + " is Disabled"' From eafbc4ed73714b4786ca1ef1d317473db4a2cdec Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Fri, 18 Oct 2024 15:23:38 +0530 Subject: [PATCH 03/28] fix-trail-space --- cloud/aws/guardduty/s3-protection-disabled.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cloud/aws/guardduty/s3-protection-disabled.yaml b/cloud/aws/guardduty/s3-protection-disabled.yaml index e38fe6ca6d..44b7113b73 100644 --- a/cloud/aws/guardduty/s3-protection-disabled.yaml +++ b/cloud/aws/guardduty/s3-protection-disabled.yaml 
@@ -9,7 +9,7 @@ info: impact: | GuardDuty S3 Protection disabled increases the risk of undetected malicious activities, such as unauthorized access or data exfiltration, within S3 buckets. remediation: | - Enable GuardDuty S3 Protection by configuring it in the GuardDuty console or via AWS CLI to monitor S3 buckets for unauthorized access and malicious activities. + Enable GuardDuty S3 Protection by configuring it in the GuardDuty console or via AWS CLI to monitor S3 buckets for unauthorized access and malicious activities. reference: - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/GuardDuty/enable-s3-protection.html - https://docs.aws.amazon.com/guardduty/latest/ug/s3-protection.html @@ -55,4 +55,4 @@ code: extractors: - type: dsl dsl: - - '"GuardDuty S3 Protection " + detector + " is Disabled"' \ No newline at end of file + - '"GuardDuty S3 Protection " + detector + " is Disabled"' From 653d46a366a2b60e1ea14a0ce3ea1af3a70760df Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Fri, 18 Oct 2024 16:18:03 +0530 Subject: [PATCH 04/28] AWS - Inspector2 (1 Template) --- cloud/aws/inspector2/inspector2-disabled.yaml | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 cloud/aws/inspector2/inspector2-disabled.yaml diff --git a/cloud/aws/inspector2/inspector2-disabled.yaml b/cloud/aws/inspector2/inspector2-disabled.yaml new file mode 100644 index 0000000000..6f5ad13afd --- /dev/null +++ b/cloud/aws/inspector2/inspector2-disabled.yaml 
@@ -0,0 +1,39 @@ +id: inspector2-disabled + +info: + name: Amazon Inspector 2 - Disabled + author: DhiyaneshDK + severity: medium + description: | + Ensure that the new version of Amazon Inspector is enabled in order to help you improve the security and compliance of your AWS cloud environment. + impact: | + Amazon Inspector 2 disabled increases the risk of unaddressed vulnerabilities in your EC2 instances, Lambda functions, and container images, leaving your environment exposed to potential security threats. + remediation: | + Enable Amazon Inspector 2 to automatically scan for vulnerabilities in EC2 instances, Lambda functions, and container images by using the AWS Management Console or using the AWS CLI. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/Inspector2/enable-amazon-inspector2.html + - https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-inspector-continual-vulnerability-management/ + tags: cloud,devops,aws,amazon,inspector2,aws-cloud-config + +variables: + region: "us-west-2" + +self-contained: true + +code: + - engine: + - sh + - bash + + source: | + aws inspector2 batch-get-account-status --region $region --query 'accounts[*].[accountId,state.status]' --output json + + matchers: + - type: word + words: + - '"DISABLED"' + + extractors: + - type: dsl + dsl: + - '"Amazon Inspector 2 " + region + " is Disabled"' \ No newline at end of file From 2f0fd3aa054637ce772b17ee0cec73aa39c404ec Mon Sep 17 00:00:00 2001 
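Review bot: The query reads only the account-level `state.status`, so an account where Inspector is enabled for one scan type but switched off for the others is reported as compliant, even though `info.impact` and `info.remediation` promise coverage of EC2 instances, Lambda functions and container images. As far as I recall, BatchGetAccountStatus also returns a per-type `resourceState` (`ec2`, `ecr`, `lambda`, each with its own `status`); querying `accounts[*].[accountId,state.status,resourceState.ec2.status,resourceState.ecr.status,resourceState.lambda.status]` would let the existing `"DISABLED"` matcher catch either case, otherwise `info.description` should say that only the account-level state is checked. The status enum also includes a `SUSPENDED` value that the matcher does not treat as a finding; a second word, or a comment explaining why it is excluded, would help the next reader.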
From: Dhiyaneshwaran Date: Wed, 23 Oct 2024 07:03:49 +0530 Subject: [PATCH 05/28] AWS - RDS (10 Templates) --- .../rds/rds-auto-minor-upgrade-disabled.yaml | 59 +++++++++++++++++++ .../rds/rds-automated-backup-disabled.yaml | 59 +++++++++++++++++++ cloud/aws/rds/rds-backtrack-disabled.yaml | 59 +++++++++++++++++++ .../rds/rds-cluster-protection-disabled.yaml | 59 +++++++++++++++++++ cloud/aws/rds/rds-copy-snap.yaml | 59 +++++++++++++++++++ cloud/aws/rds/rds-insights-disabled.yaml | 59 +++++++++++++++++++ .../rds-instance-autoscaling-disabled.yaml | 59 +++++++++++++++++++ cloud/aws/rds/rds-log-export-disabled.yaml | 59 +++++++++++++++++++ cloud/aws/rds/rds-multi-az.yaml | 59 +++++++++++++++++++ cloud/aws/rds/rds-public-access.yaml | 59 +++++++++++++++++++ 10 files changed, 590 insertions(+) create mode 100644 cloud/aws/rds/rds-auto-minor-upgrade-disabled.yaml create mode 100644 cloud/aws/rds/rds-automated-backup-disabled.yaml create mode 100644 cloud/aws/rds/rds-backtrack-disabled.yaml create mode 100644 cloud/aws/rds/rds-cluster-protection-disabled.yaml create mode 100644 cloud/aws/rds/rds-copy-snap.yaml create mode 100644 cloud/aws/rds/rds-insights-disabled.yaml create mode 100644 cloud/aws/rds/rds-instance-autoscaling-disabled.yaml create mode 100644 cloud/aws/rds/rds-log-export-disabled.yaml create mode 100644 cloud/aws/rds/rds-multi-az.yaml create mode 100644 cloud/aws/rds/rds-public-access.yaml diff --git a/cloud/aws/rds/rds-auto-minor-upgrade-disabled.yaml b/cloud/aws/rds/rds-auto-minor-upgrade-disabled.yaml new file mode 100644 index 0000000000..d551fc5418 --- /dev/null +++ b/cloud/aws/rds/rds-auto-minor-upgrade-disabled.yaml 
@@ -0,0 +1,59 @@ +id: rds-auto-minor-upgrade-disabled + +info: + name: RDS Auto Minor Version Upgrade - Disabled + author: DhiyaneshDK + severity: medium + description: | + Ensure that your Amazon RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. + impact: | + The RDS instance may miss critical security patches and minor feature updates, increasing vulnerability to security risks and bugs. + remediation: | + Enable auto minor version upgrades for the RDS instance through the AWS Management Console, CLI, or API to ensure timely application of security patches and updates. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/rds-auto-minor-version-upgrade.html + - http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html + tags: cloud,devops,aws,amazon,rds,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let DBClusterIdentifier of iterate(template.dbclusters)){ + set("dbcluster", DBClusterIdentifier) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: | + aws rds describe-db-instances --region $region --output json --query 'DBInstances[?Engine==`mysql` || Engine==`postgres`].DBInstanceIdentifier | []' --output json + + extractors: + - type: json + name: dbclusters + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].AutoMinorVersionUpgrade' --output json + + matchers: + - type: word + words: + - 'false' + + extractors: + - type: dsl + dsl: + - 'dbcluster + " RDS Auto Minor Version Upgrade is Disabled"' \ No newline at end of file 
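Review bot: The first `describe-db-instances` command passes `--output json` twice; drop the first occurrence. `rds-log-export-disabled.yaml` in this patch carries the worse variant, `--output table … --output json` on one command, where the result depends on the CLI honouring the last value, so that `--output table` should be removed outright. Separately, the engine filter restricting the list to `mysql` and `postgres` leaves MariaDB, Oracle and SQL Server instances unchecked although `AutoMinorVersionUpgrade` applies to all of them and `info.description` speaks of "your Amazon RDS database instances" generally; the same restriction appears in `rds-copy-snap.yaml` and `rds-instance-autoscaling-disabled.yaml`, so either widen the filters or state the covered engines in each description. Across all ten RDS templates the extractor and loop names `dbclusters`/`DBClusterIdentifier`/`dbcluster` hold instance identifiers; `dbinstances`/`DBInstanceIdentifier`/`dbinstance` would read correctly where `describe-db-instances` is used.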
diff --git a/cloud/aws/rds/rds-automated-backup-disabled.yaml b/cloud/aws/rds/rds-automated-backup-disabled.yaml new file mode 100644 index 0000000000..291708599d --- /dev/null +++ b/cloud/aws/rds/rds-automated-backup-disabled.yaml @@ -0,0 +1,59 @@ +id: rds-automated-backup-disabled + +info: + name: RDS Automated Backups - Disabled + author: DhiyaneshDK + severity: high + description: | + Ensure that your Amazon RDS database instances have automated backups enabled for point-in-time recovery. + impact: | + Data loss risk increases, as the RDS instance cannot be automatically restored to a previous state in case of failure or accidental deletion. + remediation: | + Enable automated backups for the RDS instance in the AWS Management Console, CLI, or API to ensure regular, automatic backups are created and retained. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/rds-automated-backups-enabled.html + - http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html + tags: cloud,devops,aws,amazon,rds,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let DBClusterIdentifier of iterate(template.dbclusters)){ + set("dbcluster", DBClusterIdentifier) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: | + aws rds describe-db-instances --region $region --query 'DBInstances[*].DBInstanceIdentifier' --output json + + extractors: + - type: json + name: dbclusters + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].BackupRetentionPeriod' --output json + + matchers: + - type: word + words: + - '0' + + extractors: + - type: dsl + dsl: + - 'dbcluster + " RDS Automated Backups is Disabled"' \ No newline at end of file 
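Review bot: The word matcher `'0'` on the second code block is a substring match, so a `BackupRetentionPeriod` of 10, 20 or 30 days also contains `0` and the instance is wrongly reported as "RDS Automated Backups is Disabled". Match the value exactly instead, e.g. replace the matcher with `- type: regex` / `regex:` / `- '\[\s*0\s*\]'`, which only accepts a bare `0` inside the JSON list. The `true`/`false` matchers elsewhere in this patch are not affected, but any future numeric threshold should avoid word matchers for the same reason.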
diff --git a/cloud/aws/rds/rds-backtrack-disabled.yaml b/cloud/aws/rds/rds-backtrack-disabled.yaml new file mode 100644 index 0000000000..1eb73da068 --- /dev/null +++ b/cloud/aws/rds/rds-backtrack-disabled.yaml @@ -0,0 +1,59 @@ +id: rds-backtrack-disabled + +info: + name: AWS RDS Backtrack - Disabled + author: DhiyaneshDK + severity: low + description: | + Ensure that the Backtrack feature is enabled for your Amazon Aurora (with MySQL compatibility) database clusters in order to backtrack your clusters to a specific time, without using backups. + impact: | + Unable to quickly revert the database to a previous state, leading to longer recovery times in case of accidental changes or data corruption. + remediation: | + Enable Backtrack for the RDS instance through the AWS Management Console, CLI, or API, and configure the desired backtrack window to allow quick recovery. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/backtrack.html + - https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Managing.Backtrack.html + tags: cloud,devops,aws,amazon,rds,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let DBClusterIdentifier of iterate(template.dbclusters)){ + set("dbcluster", DBClusterIdentifier) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: | + aws rds describe-db-clusters --region $region --output json --query 'DBClusters[?Engine==`aurora-mysql`].DBClusterIdentifier | []' + + extractors: + - type: json + name: dbclusters + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws rds describe-db-clusters --region $region --db-cluster-identifier $dbcluster --query 'DBClusters[*].BacktrackWindow' --output json + + matchers: + - type: word + words: + - '[]' + + extractors: + - type: dsl + dsl: + - 'dbcluster + " AWS RDS Backtrack is Disabled"' \ No newline at end of file 
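Review bot: The second code block only reports a cluster when the projection yields `[]`, i.e. when DescribeDBClusters omits `BacktrackWindow` entirely; if the API instead returns `"BacktrackWindow": 0` for a cluster without Backtrack (0 is the documented "disabled" value), the output is `[ 0 ]`, the `[]` word never matches and every cluster is reported compliant. I cannot tell from the hunk which shape the API produces, so this is worth one manual run against a cluster with Backtrack off; a `matchers-condition: or` with a second `regex` matcher `'\[\s*0\s*\]'` would be robust to both shapes. The same consideration applies to `MaxAllocatedStorage` in `rds-instance-autoscaling-disabled.yaml`, where an explicit `0` would also be missed.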
diff --git a/cloud/aws/rds/rds-cluster-protection-disabled.yaml b/cloud/aws/rds/rds-cluster-protection-disabled.yaml new file mode 100644 index 0000000000..1693286df3 --- /dev/null +++ b/cloud/aws/rds/rds-cluster-protection-disabled.yaml @@ -0,0 +1,59 @@ +id: rds-cluster-protection-disabled + +info: + name: RDS Cluster Deletion Protection - Disabled + author: DhiyaneshDK + severity: medium + description: | + Ensure that all your provisioned Amazon Aurora database clusters are protected from accidental deletion by having the Deletion Protection feature enabled at the Aurora cluster level. + impact: | + The RDS cluster can be accidentally deleted, leading to potential data loss and service disruption. + remediation: | + Enable deletion protection for the RDS cluster via the AWS Management Console, CLI, or API to prevent accidental deletion. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/cluster-deletion-protection.html + - https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-deletion-protection/ + tags: cloud,devops,aws,amazon,rds,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let DBClusterIdentifier of iterate(template.dbclusters)){ + set("dbcluster", DBClusterIdentifier) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: | + aws rds describe-db-clusters --region $region --output json --query 'DBClusters[?Engine==`aurora-mysql`].DBClusterIdentifier | []' + + extractors: + - type: json + name: dbclusters + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws rds describe-db-clusters --region $region --db-cluster-identifier $dbcluster --query 'DBClusters[*].DeletionProtection' --output json + + matchers: + - type: word + words: + - 'false' + + extractors: + - type: dsl + dsl: + - 'dbcluster + " RDS Cluster Deletion Protection is Disabled"' \ No newline at end of file 
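Review bot: The first command filters clusters to `Engine==aurora-mysql`, so Aurora PostgreSQL clusters are never checked although `info.description` says "all your provisioned Amazon Aurora database clusters" and `DeletionProtection` exists on every cluster engine. Either extend the filter with `|| Engine==aurora-postgresql` (using the same JMESPath backtick literal as the existing comparison), or drop the filter and list `DBClusters[*].DBClusterIdentifier` so Multi-AZ DB clusters are covered too, or narrow the description. The `aurora-mysql`-only filter is correct in `rds-backtrack-disabled.yaml`, since Backtrack is MySQL-only, but here it looks copied from there.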
diff --git a/cloud/aws/rds/rds-copy-snap.yaml b/cloud/aws/rds/rds-copy-snap.yaml
new file mode 100644
index 0000000000..da686cb154
--- /dev/null
+++ b/cloud/aws/rds/rds-copy-snap.yaml
@@ -0,0 +1,59 @@ +id: rds-copy-snap + +info: + name: RDS Copy Tags to Snapshots - Disabled + author: DhiyaneshDK + severity: low + description: | + Ensure that your Amazon RDS database instances make use of the Copy Tags to Snapshots feature in order to allow tags set on your database instances to be automatically copied to any automated or manual database snapshots that are created from these RDS instances. + impact: | + Tags are not copied to snapshots, making it harder to track, manage, and identify snapshots for cost allocation, compliance, or organization. + remediation: | + Enable the "Copy Tags to Snapshots" option for the RDS instance in the AWS Management Console, CLI, or API to ensure that tags are automatically applied to any created snapshots. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/copy-tags-to-snapshot.html + - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html + tags: cloud,devops,aws,amazon,rds,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let DBClusterIdentifier of iterate(template.dbclusters)){ + set("dbcluster", DBClusterIdentifier) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: | + aws rds describe-db-instances --region $region --output json --query 'DBInstances[?Engine==`mysql` || Engine==`postgres`].DBInstanceIdentifier | []' + + extractors: + - type: json + name: dbclusters + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].CopyTagsToSnapshot' + + matchers: + - type: word + words: + - 'false' + + extractors: + - type: dsl + dsl: + - '"Copy Tags To Snapshot is not enable for instance " + dbcluster' \ No newline at end of file 
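Review bot: The second command omits `--output json` while every other check in this series sets it, so the output format falls back to the CLI profile default; with `output = text` the boolean prints as `False` and the case-sensitive word matcher `'false'` never fires, so non-compliant instances produce no finding. Append `--output json` to `aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].CopyTagsToSnapshot'`; `rds-multi-az.yaml` has the same omission on its second command. The extractor text "is not enable for instance" should read "is not enabled for instance".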
diff --git a/cloud/aws/rds/rds-insights-disabled.yaml b/cloud/aws/rds/rds-insights-disabled.yaml
new file mode 100644
index 0000000000..a7506fb4f2
--- /dev/null
+++ b/cloud/aws/rds/rds-insights-disabled.yaml
@@ -0,0 +1,59 @@ +id: rds-insights-disabled + +info: + name: RDS Performance Insights - Disabled + author: DhiyaneshDK + severity: low + description: | + Ensure that your Amazon RDS MySQL and PostgreSQL database instances have the Performance Insights feature enabled in order to allow you to obtain a better overview of your databases performance as well as help you to identify potential performance issues. + impact: | + Inability to monitor and analyze database performance metrics, making it harder to identify and resolve performance bottlenecks. + remediation: | + Enable Performance Insights for the RDS instance in the AWS Management Console or via CLI/API to monitor and analyze database performance metrics. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/performance-insights.html + - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.Enabling.html + tags: cloud,devops,aws,amazon,rds,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let DBClusterIdentifier of iterate(template.dbclusters)){ + set("dbcluster", DBClusterIdentifier) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: | + aws rds describe-db-instances --region $region --output json --query 'DBInstances[?Engine==`mysql` || Engine==`aurora-mysql` || Engine==`aurora-postgresql` || Engine==`postgres`].DBInstanceIdentifier | []' + + extractors: + - type: json + name: dbclusters + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].PerformanceInsightsEnabled' --output json + + matchers: + - type: word + words: + - 'false' + + extractors: + - type: dsl + dsl: + - 'dbcluster + " RDS Performance Insights is Disabled"' \ No newline at end of file 
diff --git a/cloud/aws/rds/rds-instance-autoscaling-disabled.yaml b/cloud/aws/rds/rds-instance-autoscaling-disabled.yaml
new file mode 100644
index 0000000000..aca686526f
--- /dev/null
+++ b/cloud/aws/rds/rds-instance-autoscaling-disabled.yaml
@@ -0,0 +1,59 @@ +id: rds-instance-autoscaling-disabled + +info: + name: RDS Instance Storage AutoScaling - Disabled + author: DhiyaneshDK + severity: medium + description: | + Ensure that the Storage AutoScaling feature is enabled for your Amazon RDS database instances in order to provide dynamic scaling support for the database's storage based on your RDS application needs. + impact: | + The RDS instance may run out of storage, leading to potential application downtime or performance degradation due to lack of disk space. + remediation: | + Enable storage autoscaling for the RDS instance in the AWS Management Console or via CLI/API to automatically adjust storage capacity as needed. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/enable-rds-storage-autoscaling.html + - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PIOPS.StorageTypes.html + tags: cloud,devops,aws,amazon,rds,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let DBClusterIdentifier of iterate(template.dbclusters)){ + set("dbcluster", DBClusterIdentifier) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: | + aws rds describe-db-instances --region $region --output json --query 'DBInstances[?Engine==`mysql` || Engine==`postgres`].DBInstanceIdentifier | []' + + extractors: + - type: json + name: dbclusters + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].MaxAllocatedStorage' --output json + + matchers: + - type: word + words: + - '[]' + + extractors: + - type: dsl + dsl: + - 'dbcluster + " RDS Instance Storage AutoScaling is Disabled"' \ No newline at end of file diff --git a/cloud/aws/rds/rds-log-export-disabled.yaml b/cloud/aws/rds/rds-log-export-disabled.yaml new file mode 100644 index 0000000000..d9d08ffdfb --- /dev/null 
+++ b/cloud/aws/rds/rds-log-export-disabled.yaml @@ -0,0 +1,59 @@ +id: rds-log-export-disabled + +info: + name: RDS Log Exports - Disabled + author: DhiyaneshDK + severity: low + description: | + Ensure that your Amazon RDS database instances have the Log Exports feature enabled in order to publish database log events directly to CloudWatch Logs. + impact: | + Critical database logs are not exported, limiting visibility into performance issues, security events, and troubleshooting capabilities. + remediation: | + Enable RDS log exports in the AWS Management Console or via CLI/API by configuring the desired logs (e.g., slow query, general, error logs) for export to CloudWatch. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/log-exports.html + - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html + tags: cloud,devops,aws,amazon,rds,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let DBClusterIdentifier of iterate(template.dbclusters)){ + set("dbcluster", DBClusterIdentifier) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: | + aws rds describe-db-instances --region $region --output table --query 'DBInstances[?Engine==`mysql` || Engine==`aurora-mysql` || Engine==`mariadb`].DBInstanceIdentifier | []' --output json + + extractors: + - type: json + name: dbclusters + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].EnabledCloudwatchLogsExports' --output json + + matchers: + - type: word + words: + - '[]' + + extractors: + - type: dsl + dsl: + - 'dbcluster + " RDS Log Exports is Disabled"' \ No newline at end of file diff --git a/cloud/aws/rds/rds-multi-az.yaml b/cloud/aws/rds/rds-multi-az.yaml new file mode 100644 index 0000000000..2368ed26dd --- /dev/null +++ b/cloud/aws/rds/rds-multi-az.yaml 
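Review bot: The engine filter in the first command limits the check to `mysql`, `aurora-mysql` and `mariadb`, yet CloudWatch log exports are also available for PostgreSQL, Oracle and SQL Server instances, and `info.description` does not mention any restriction. Either widen the filter or state the covered engines in the description so the gap is deliberate rather than silent. Note also that the `[]` matcher only flags instances with no export at all; an instance exporting one log type while, say, the error log is left out passes, which the name "Log Exports - Disabled" conveys but the `info.impact` wording ("critical database logs are not exported") does not.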
@@ -0,0 +1,59 @@ +id: rds-multi-az + +info: + name: RDS Multi-AZ - Disabled + author: DhiyaneshDK + severity: medium + description: | + Ensure that your Amazon RDS instances are using the Multi-AZ deployment configuration for high availability and automatic failover support, fully managed by AWS. + impact: | + The RDS instance lacks high availability and failover support, increasing the risk of downtime during instance failures or maintenance events. + remediation: | + Enable Multi-AZ deployment for the RDS instance in the AWS Management Console, CLI, or API to enhance availability and automatic failover. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/rds-multi-az.html + - http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html + tags: cloud,devops,aws,amazon,rds,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let DBClusterIdentifier of iterate(template.dbclusters)){ + set("dbcluster", DBClusterIdentifier) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: | + aws rds describe-db-instances --region $region --output json --query 'DBInstances[*].DBInstanceIdentifier' + + extractors: + - type: json + name: dbclusters + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].MultiAZ' + + matchers: + - type: word + words: + - 'false' + + extractors: + - type: dsl + dsl: + - 'dbcluster + " RDS Multi-AZ is Disabled"' \ No newline at end of file diff --git a/cloud/aws/rds/rds-public-access.yaml b/cloud/aws/rds/rds-public-access.yaml new file mode 100644 index 0000000000..c4f3f9afa1 --- /dev/null +++ b/cloud/aws/rds/rds-public-access.yaml 
@@ -0,0 +1,59 @@ +id: rds-public-access + +info: + name: RDS Publicly Accessible - Enabled + author: DhiyaneshDK + severity: high + description: | + Check for any public-facing Amazon RDS database instances provisioned within your AWS cloud account and restrict unauthorized access in order to minimize security risks. + impact: | + The RDS instance is exposed to the internet, increasing the risk of unauthorized access, attacks, and data breaches. + remediation: | + To restrict access to a publicly accessible database instance, you must disable the PubliclyAccessible configuration flag, and update the security group associated with the database instance. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/rds-publicly-accessible.html + - http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html + tags: cloud,devops,aws,amazon,rds,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let DBClusterIdentifier of iterate(template.dbclusters)){ + set("dbcluster", DBClusterIdentifier) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: | + aws rds describe-db-instances --region $region --output json --query 'DBInstances[*].DBInstanceIdentifier' + + extractors: + - type: json + name: dbclusters + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].PubliclyAccessible' --output json + + matchers: + - type: word + words: + - 'true' + + extractors: + - type: dsl + dsl: + - 'dbcluster + " RDS Publicly Accessible Enabled"' \ No newline at end of file From 92a68837b77be441036d7615c736ce01c5764b45 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 23 Oct 2024 07:16:32 +0530 Subject: [PATCH 06/28] fix-error --- cloud/aws/rds/rds-backtrack-disabled.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/cloud/aws/rds/rds-backtrack-disabled.yaml b/cloud/aws/rds/rds-backtrack-disabled.yaml index 1eb73da068..74f607a631 100644 --- a/cloud/aws/rds/rds-backtrack-disabled.yaml +++ b/cloud/aws/rds/rds-backtrack-disabled.yaml @@ -5,7 +5,7 @@ info: author: DhiyaneshDK severity: low description: | - Ensure that the Backtrack feature is enabled for your Amazon Aurora (with MySQL compatibility) database clusters in order to backtrack your clusters to a specific time, without using backups. + Ensure that the Backtrack feature is enabled for your Amazon Aurora (with MySQL compatibility) database clusters in order to backtrack your clusters to a specific time, without using backups. impact: | Unable to quickly revert the database to a previous state, leading to longer recovery times in case of accidental changes or data corruption. remediation: | @@ -56,4 +56,4 @@ code: extractors: - type: dsl dsl: - - 'dbcluster + " AWS RDS Backtrack is Disabled"' \ No newline at end of file + - 'dbcluster + " AWS RDS Backtrack is Disabled"' From d032491a19a0f660c0b3a03f2b7232505f19b8d5 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 23 Oct 2024 08:26:13 +0530 Subject: [PATCH 07/28] AWS - Route53 (2 Templates) --- .../route53/route53-dns-query-disabled.yaml | 72 +++++++++++++++++++ .../route53-dnssec-signing-disabled.yaml | 59 +++++++++++++++ 2 files changed, 131 insertions(+) create mode 100644 cloud/aws/route53/route53-dns-query-disabled.yaml create mode 100644 cloud/aws/route53/route53-dnssec-signing-disabled.yaml diff --git a/cloud/aws/route53/route53-dns-query-disabled.yaml b/cloud/aws/route53/route53-dns-query-disabled.yaml new file mode 100644 index 0000000000..cac1d329fe --- /dev/null +++ b/cloud/aws/route53/route53-dns-query-disabled.yaml 
@@ -0,0 +1,72 @@ +id: route53-dns-query-disabled + +info: + name: DNS Query Logging for Route 53 Hosted Zones - Disabled + author: DhiyaneshDK + severity: medium + description: | + Domain Name System Security Extensions (DNSSEC) represents a set of protocols that adds a layer of security to the Domain Name System (DNS) lookup and exchange processes by enabling DNS responses to be validated. + impact: | + Disabling DNS query logging for Route 53 hosted zones prevents visibility into DNS queries, making it difficult to detect suspicious activity, troubleshoot issues, or analyze traffic patterns. + remediation: | + Enable DNS query logging in the Route 53 console for the hosted zone to capture and store DNS queries, allowing for better monitoring and analysis of DNS traffic. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/Route53/enable-query-logging.html + - https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/monitoring-overview.html + tags: cloud,devops,aws,amazon,route53,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let HostedZones of iterate(template.hostedzones)){ + set("hostedzone", HostedZones) + code(2) && code(3) + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: | + aws route53 list-hosted-zones --region $region --query "HostedZones[*].Id" --output json + + extractors: + - type: json + name: hostedzones + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws route53 get-hosted-zone --id $hostedzone --query "HostedZone.Config.PrivateZone" --region $region --output json + + matchers: + - type: word + words: + - 'false' + internal: true + + - engine: + - sh + - bash + + source: | + aws route53 list-query-logging-configs --hosted-zone-id "$hostedzone" --query "QueryLoggingConfigs" --region $region --output json + + matchers: + - type: word + words: + - '[]' + + extractors: + - type: dsl + dsl: + - 'hostedzone + " DNSSEC Signing 
for Route 53 Hosted Zones is Disabled"' \ No newline at end of file diff --git a/cloud/aws/route53/route53-dnssec-signing-disabled.yaml b/cloud/aws/route53/route53-dnssec-signing-disabled.yaml new file mode 100644 index 0000000000..6d34b1dacc --- /dev/null +++ b/cloud/aws/route53/route53-dnssec-signing-disabled.yaml 
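Review bot: The `description` and the `dsl` extractor string both talk about DNSSEC signing, but this template checks Route 53 query logging via `list-query-logging-configs`, so the reported finding text is misleading; both appear to be copied from the DNSSEC template. Replace the description with a sentence such as `Ensure that DNS query logging is enabled for your Amazon Route 53 public hosted zones so that DNS queries are delivered to CloudWatch Logs for monitoring and investigation.` and the extractor with `- 'hostedzone + " DNS Query Logging for Route 53 Hosted Zones is Disabled"'`. The `PrivateZone` gate on `code(2)` is appropriate here, since query logging configs apply to public hosted zones.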
@@ -0,0 +1,59 @@ +id: route53-dnssec-signing-disabled + +info: + name: DNSSEC Signing for Route 53 Hosted Zones - Disabled + author: DhiyaneshDK + severity: medium + description: | + Ensure that Domain Name System Security Extensions (DNSSEC) signing is enabled for your Amazon Route 53 public hosted zones in order to protect your domains against spoofing and cache poisoning attacks. By default, DNSSEC signing is not enabled for Route 53 hosted zones. + impact: | + Attackers can hijack the process of domain/IP lookup and redirect users to malicious web content through DNS hijacking and Man-In-The-Middle (MITM) attacks. DNSSEC security feature helps mitigate the risk of such attacks by encrypting signing DNS records. + remediation: | + Enable DNSSEC signing in the Route 53 console for the hosted zone, sign the zone with a strong key algorithm, and ensure all DNS records are published correctly. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/Route53/enable-query-logging.html + - https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/monitoring-overview.html + tags: cloud,devops,aws,amazon,route53,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let HostedZones of iterate(template.hostedzones)){ + set("hostedzone", HostedZones) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: | + aws route53 list-hosted-zones --region $region --query "HostedZones[*].Id" --output json + + extractors: + - type: json + name: hostedzones + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws route53 get-dnssec --region $region --hosted-zone-id "$hostedzone" --query "Status.ServeSignature" --output json + + matchers: + - type: word + words: + - 'NOT_SIGNING' + + extractors: + - type: dsl + dsl: + - 'hostedzone + " DNSSEC Signing for Route 53 Hosted Zones is Disabled"' \ No newline at end of file 
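Review bot: Private hosted zones are not filtered out before `get-dnssec`, unlike the sibling query-logging template which gates on `HostedZone.Config.PrivateZone`; DNSSEC signing is only offered for public hosted zones, so a private zone would presumably come back as `NOT_SIGNING` and produce a false finding. Add the same internal `PrivateZone` matcher step and chain it in the flow as `code(2) && code(3)`, as sketched below. Separately, both `reference` links point to the query-logging pages rather than DNSSEC documentation, and the impact text says DNSSEC works `by encrypting signing DNS records`, which is incorrect — DNSSEC signs records and does not encrypt them; `by cryptographically signing DNS records` would be accurate.
```yaml
flow: |
  code(1)
  for(let HostedZones of iterate(template.hostedzones)){
    set("hostedzone", HostedZones)
    code(2) && code(3)
  }
# … unchanged: self-contained, code(1) list-hosted-zones step …
  - engine:
      - sh
      - bash
    source: |
      aws route53 get-hosted-zone --id "$hostedzone" --query "HostedZone.Config.PrivateZone" --region $region --output json

    matchers:
      - type: word
        words:
          - 'false'
        internal: true
# … unchanged: get-dnssec step, now code(3) …
```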
From f3b2bbb944c01993b2c0fc88471e77e1d28053e4 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 23 Oct 2024 08:38:51 +0530 Subject: [PATCH 08/28] fix-trail-space --- cloud/aws/route53/route53-dns-query-disabled.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cloud/aws/route53/route53-dns-query-disabled.yaml b/cloud/aws/route53/route53-dns-query-disabled.yaml index cac1d329fe..12914be8c4 100644 --- a/cloud/aws/route53/route53-dns-query-disabled.yaml +++ b/cloud/aws/route53/route53-dns-query-disabled.yaml @@ -5,7 +5,7 @@ info: author: DhiyaneshDK severity: medium description: | - Domain Name System Security Extensions (DNSSEC) represents a set of protocols that adds a layer of security to the Domain Name System (DNS) lookup and exchange processes by enabling DNS responses to be validated. + Domain Name System Security Extensions (DNSSEC) represents a set of protocols that adds a layer of security to the Domain Name System (DNS) lookup and exchange processes by enabling DNS responses to be validated. impact: | Disabling DNS query logging for Route 53 hosted zones prevents visibility into DNS queries, making it difficult to detect suspicious activity, troubleshoot issues, or analyze traffic patterns. remediation: | @@ -69,4 +69,4 @@ code: extractors: - type: dsl dsl: - - 'hostedzone + " DNSSEC Signing for Route 53 Hosted Zones is Disabled"' \ No newline at end of file + - 'hostedzone + " DNSSEC Signing for Route 53 Hosted Zones is Disabled"' From f3667611048b5b760fd70ceeab453c24a5625665 Mon Sep 17 00:00:00 2001 
From: Dhiyaneshwaran Date: Wed, 23 Oct 2024 10:28:53 +0530 Subject: [PATCH 09/28] AWS - ElastiCache (4 Templates) --- .../cache-automatic-backups-disabled.yaml | 59 ++++++++++++++++++ .../cache-event-notification-disabled.yaml | 59 ++++++++++++++++++ .../cache-redis-encryption-disabled.yaml | 60 +++++++++++++++++++ .../cache-redis-multiaz-disabled.yaml | 59 ++++++++++++++++++ 4 files changed, 237 insertions(+) create mode 100644 cloud/aws/elasticache/cache-automatic-backups-disabled.yaml create mode 100644 cloud/aws/elasticache/cache-event-notification-disabled.yaml create mode 100644 cloud/aws/elasticache/cache-redis-encryption-disabled.yaml create mode 100644 cloud/aws/elasticache/cache-redis-multiaz-disabled.yaml diff --git a/cloud/aws/elasticache/cache-automatic-backups-disabled.yaml b/cloud/aws/elasticache/cache-automatic-backups-disabled.yaml new file mode 100644 index 0000000000..4e68cbc4bf --- /dev/null +++ b/cloud/aws/elasticache/cache-automatic-backups-disabled.yaml 
@@ -0,0 +1,59 @@ +id: cache-automatic-backups-disabled + +info: + name: ElastiCache Automatic Backups - Disabled + author: DhiyaneshDK + severity: medium + description: | + Ensure that Amazon ElastiCache is configured to take automatic daily backups for Redis cache clusters. + impact: | + Disabling ElastiCache automatic backups increases the risk of data loss, as you won't have point-in-time recovery options in case of data corruption or accidental deletion. + remediation: | + enable automatic backups in the AWS Management Console for your ElastiCache Redis or Memcached cluster to ensure regular snapshots for data recovery. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/ElastiCache/enable-automatic-backups.html + - https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/backups-automatic.html + tags: cloud,devops,aws,amazon,elasticache,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let ReplicationGroupId of iterate(template.replicationgroupids)){ + set("replicationgroup", ReplicationGroupId) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: | + aws elasticache describe-replication-groups --region $region --output json --query 'ReplicationGroups[*].ReplicationGroupId' + + extractors: + - type: json + name: replicationgroupids + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws elasticache describe-replication-groups --replication-group-id $replicationgroup --query 'ReplicationGroups[*].SnapshotRetentionLimit' --region $region --output json + + matchers: + - type: word + words: + - '0' + + extractors: + - type: dsl + dsl: + - 'replicationgroup + " ElastiCache Automatic Backups is Disabled"' \ No newline at end of file diff --git a/cloud/aws/elasticache/cache-event-notification-disabled.yaml b/cloud/aws/elasticache/cache-event-notification-disabled.yaml new file mode 100644 index 0000000000..88b6aa964d --- /dev/null 
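Review bot: The word matcher `'0'` is a substring check, so a replication group with `SnapshotRetentionLimit` of 10, 20 or 30 days is reported as having backups disabled. Match the whole value instead, e.g. replace the matcher with `- type: regex`, `regex:`, `- '(?m)^\s*0\s*$'`, which matches only a line holding exactly `0` in the pretty-printed JSON output. The remediation text also mentions Memcached, but the check only queries replication groups, and automatic backups are a Redis feature, so `Redis or Memcached cluster` should read `Redis replication group`.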
+++ b/cloud/aws/elasticache/cache-event-notification-disabled.yaml 
@@ -0,0 +1,59 @@ +id: cache-event-notification-disabled + +info: + name: ElastiCache Event Notifications - Disabled + author: DhiyaneshDK + severity: medium + description: | + Ensure that your Amazon ElastiCache clusters are configured to send event notifications via Amazon Simple Notification Service (SNS) in order to monitor your cache clusters for important events and quickly mitigate any issues with your cache system. + impact: | + Disabling ElastiCache event notifications prevents timely alerts about cluster events, such as failovers, maintenance updates, or configuration changes, which can hinder proactive incident response and monitoring. + remediation: | + To remediate the disabled ElastiCache event notifications, enable event notifications in the AWS Management Console by configuring an Amazon SNS topic to receive alerts for important cluster events. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/ElastiCache/enable-cluster-event-notifications.html + - https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/ECEvents.SNS.html + tags: cloud,devops,aws,amazon,elasticache,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let CacheClusterId of iterate(template.cacheclusterids)){ + set("cacheclusterid", CacheClusterId) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: | + aws elasticache describe-cache-clusters --region $region --output json --query 'CacheClusters[*].CacheClusterId' + + extractors: + - type: json + name: cacheclusterids + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws elasticache describe-cache-clusters --region $region --cache-cluster-id $cacheclusterid --query 'CacheClusters[*].NotificationConfiguration.TopicArn' --output json + + matchers: + - type: word + words: + - '[]' + + extractors: + - type: dsl + dsl: + - 'replicationgroup + " ElastiCache Event Notifications is Disabled"' \ No newline at end 
of file diff --git a/cloud/aws/elasticache/cache-redis-encryption-disabled.yaml b/cloud/aws/elasticache/cache-redis-encryption-disabled.yaml new file mode 100644 index 0000000000..5518d8c759 --- /dev/null +++ b/cloud/aws/elasticache/cache-redis-encryption-disabled.yaml 
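Review bot: In cache-event-notification-disabled.yaml the `dsl` extractor reads `replicationgroup`, a variable this template never sets; the flow sets `cacheclusterid`, so the finding text will not carry the cluster identifier. Change the extractor to `- 'cacheclusterid + " ElastiCache Event Notifications is Disabled"'`. The `[]` match itself looks right, since the `[*]` projection drops clusters whose `NotificationConfiguration.TopicArn` is absent.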
@@ -0,0 +1,60 @@ +id: cache-redis-encryption-disabled + +info: + name: ElastiCache Redis In-Transit and At-Rest Encryption - Disabled + author: DhiyaneshDK + severity: high + description: | + Ensure that your Amazon ElastiCache Redis cache clusters are encrypted in order to meet security and compliance requirements. + impact: | + Sensitive data transmitted or stored in Redis could be exposed, leading to potential data breaches or unauthorized access. + remediation: | + Enable in-transit and at-rest encryption in the Redis cluster settings to protect sensitive data. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/ElastiCache/in-transit-and-at-rest-encryption.html + - https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html + - https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/at-rest-encryption.html + tags: cloud,devops,aws,amazon,elasticache,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let ReplicationGroupId of iterate(template.replicationgroupids)){ + set("replicationgroup", ReplicationGroupId) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: | + aws elasticache describe-replication-groups --region $region --output json --query 'ReplicationGroups[*].ReplicationGroupId' + + extractors: + - type: json + name: replicationgroupids + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws elasticache describe-replication-groups --region $region --replication-group-id $replicationgroup --query 'ReplicationGroups[*].[AtRestEncryptionEnabled,TransitEncryptionEnabled] | []' --output json + + matchers: + - type: word + words: + - "false" + + extractors: + - type: dsl + dsl: + - 'replicationgroup + " ElastiCache Redis In-Transit and At-Rest Encryption is Disabled"' \ No newline at end of file 
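Review bot: The flattened query returns both `AtRestEncryptionEnabled` and `TransitEncryptionEnabled`, and the word matcher fires when either is `false`, yet the finding text claims `In-Transit and At-Rest Encryption is Disabled`, which overstates the case when only one of the two is off. Either report the condition as `In-Transit or At-Rest`, i.e. `- 'replicationgroup + " ElastiCache Redis In-Transit or At-Rest Encryption is Disabled"'` with the `name` adjusted to match, or split the check into two templates so each finding names the exact control that is missing.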
diff --git a/cloud/aws/elasticache/cache-redis-multiaz-disabled.yaml b/cloud/aws/elasticache/cache-redis-multiaz-disabled.yaml new file mode 100644 index 0000000000..98b600a4d7 --- /dev/null +++ b/cloud/aws/elasticache/cache-redis-multiaz-disabled.yaml 
@@ -0,0 +1,59 @@ +id: cache-redis-multiaz-disabled + +info: + name: ElastiCache Redis Multi-AZ - Disabled + author: DhiyaneshDK + severity: medium + description: | + Ensure that your Amazon ElastiCache Redis cache clusters are using a Multi-AZ deployment configuration to enhance reliability through automatic failover. + impact: | + Disabling ElastiCache Redis Multi-AZ can lead to data loss and increased downtime in the event of a primary node failure, as failover to a secondary node in a different availability zone will not occur automatically. + remediation: | + Enable Multi-AZ replication in the ElastiCache Redis settings or create a new cluster with Multi-AZ enabled to ensure high availability. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/ElastiCache/elasticache-multi-az.html + - https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.Components.html + tags: cloud,devops,aws,amazon,elasticache,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let ReplicationGroupId of iterate(template.replicationgroupids)){ + set("replicationgroup", ReplicationGroupId) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: | + aws elasticache describe-replication-groups --region $region --output json --query 'ReplicationGroups[*].ReplicationGroupId' + + extractors: + - type: json + name: replicationgroupids + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws elasticache describe-replication-groups --region $region --replication-group-id $replicationgroup --query 'ReplicationGroups[*].MultiAZ' + + matchers: + - type: word + words: + - 'disabled' + + extractors: + - type: dsl + dsl: + - 'replicationgroup + " ElastiCache Redis Multi-AZ is Disabled"' \ No newline at end of file From c2f540d275ba2d0b1668ac34cc3c2aab39d258b1 Mon Sep 17 00:00:00 2001 
From: Dhiyaneshwaran Date: Wed, 23 Oct 2024 11:58:03 +0530 Subject: [PATCH 10/28] AWS - EFS (1 Template) --- cloud/aws/efs/efs-encryption-disabled.yaml | 59 ++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 cloud/aws/efs/efs-encryption-disabled.yaml diff --git a/cloud/aws/efs/efs-encryption-disabled.yaml b/cloud/aws/efs/efs-encryption-disabled.yaml new file mode 100644 index 0000000000..e739bcda78 --- /dev/null +++ b/cloud/aws/efs/efs-encryption-disabled.yaml 
@@ -0,0 +1,59 @@ +id: efs-encryption-disabled + +info: + name: EFS Encryption - Disabled + author: DhiyaneshDK + severity: medium + description: | + Ensure that the data available on your Amazon EFS file systems is encrypted at rest in order to meet security and compliance requirements. + impact: | + Sensitive data transmitted or stored in Redis could be exposed, leading to potential data breaches or unauthorized access. + remediation: | + Enable encryption for AWS EFS by configuring encryption at rest in the EFS settings to protect data from unauthorized access. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/ElastiCache/in-transit-and-at-rest-encryption.html + - https://docs.aws.amazon.com/efs/latest/ug/encryption.html + tags: cloud,devops,aws,amazon,efs-encryption-disabled,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let FileSystemId of iterate(template.filesystemids)){ + set("filesystemid", FileSystemId) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: | + aws efs describe-file-systems --region $region --output json --query 'FileSystems[*].FileSystemId' + + extractors: + - type: json + name: filesystemids + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws efs describe-file-systems --region $region --file-system-id $filesystemid --query 'FileSystems[*].Encrypted' + + matchers: + - type: word + words: + - "false" + + extractors: + - type: dsl + dsl: + - 'filesystemid + " EFS Encryption is Disabled"' \ No newline at end of file From 4f6854b8310d4e2496298d028141373737ab3d4a Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 23 Oct 2024 12:01:16 +0530 Subject: [PATCH 11/28] Update efs-encryption-disabled.yaml --- cloud/aws/efs/efs-encryption-disabled.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
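Review bot: The `info` block carries text copied from the ElastiCache template: the impact says `Sensitive data transmitted or stored in Redis could be exposed`, the first `reference` is the ElastiCache in-transit/at-rest page, and the tag is `efs-encryption-disabled` rather than the service tag used elsewhere (`rds`, `route53`, `elasticache`). Change the impact to `Sensitive data stored on the EFS file system could be exposed at rest, leading to potential data breaches or unauthorized access.`, point the first reference at the EFS encryption rule, and use `tags: cloud,devops,aws,amazon,efs,aws-cloud-config`.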
diff --git a/cloud/aws/efs/efs-encryption-disabled.yaml b/cloud/aws/efs/efs-encryption-disabled.yaml index e739bcda78..948d323c0b 100644 --- a/cloud/aws/efs/efs-encryption-disabled.yaml +++ b/cloud/aws/efs/efs-encryption-disabled.yaml @@ -46,7 +46,7 @@ code: - bash source: | - aws efs describe-file-systems --region $region --file-system-id $filesystemid --query 'FileSystems[*].Encrypted' + aws efs describe-file-systems --region $region --file-system-id $filesystemid --query 'FileSystems[*].Encrypted' --output json matchers: - type: word From d9a40f5fa67187b97f1f4852b97baa90678fc90f Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Mon, 28 Oct 2024 13:54:39 +0530 Subject: [PATCH 12/28] updated names --- ...guardduty-disabled.yaml => guardduty-not-enabled.yaml} | 8 ++++---- cloud/aws/guardduty/malware-protection-disabled.yaml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) rename cloud/aws/guardduty/{guardduty-disabled.yaml => guardduty-not-enabled.yaml} (91%) diff --git a/cloud/aws/guardduty/guardduty-disabled.yaml b/cloud/aws/guardduty/guardduty-not-enabled.yaml similarity index 91% rename from cloud/aws/guardduty/guardduty-disabled.yaml rename to cloud/aws/guardduty/guardduty-not-enabled.yaml index 7f65536dc7..5f1dffea07 100644 --- a/cloud/aws/guardduty/guardduty-disabled.yaml +++ b/cloud/aws/guardduty/guardduty-not-enabled.yaml @@ -1,9 +1,9 @@ -id: guardduty-disabled +id: guardduty-not-enabled info: - name: GuardDuty - Disabled + name: GuardDuty Not Enabled author: DhiyaneshDK - severity: medium + severity: info description: | Ensure that Amazon GuardDuty service is currently enabled in all regions in order to protect your AWS environment and infrastructure (AWS accounts and resources, IAM credentials, guest operating systems, applications, etc) against security threats. impact: | @@ -35,4 +35,4 @@ code: extractors: - type: dsl dsl: - - '"GuardDuty is Disabled"' \ No newline at end of file + - '"GuardDuty Is Not Enabled"' \ No newline at end of file 
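Review bot: In the renamed guardduty-not-enabled.yaml the description still says GuardDuty must be enabled `in all regions`, while the template queries only the single region in `variables.region`, so a passing run does not establish the property the text describes. Either state that scope in the description, e.g. `Ensure that Amazon GuardDuty is enabled in the region being checked (set via the region variable) …`, or iterate regions from `aws ec2 describe-regions` in a `flow` so the check matches its own wording.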
diff --git a/cloud/aws/guardduty/malware-protection-disabled.yaml b/cloud/aws/guardduty/malware-protection-disabled.yaml index 3011a96597..013eaecd30 100644 --- a/cloud/aws/guardduty/malware-protection-disabled.yaml +++ b/cloud/aws/guardduty/malware-protection-disabled.yaml @@ -3,7 +3,7 @@ id: malware-protection-disabled info: name: GuardDuty Malware Protection - Disabled author: DhiyaneshDK - severity: medium + severity: info description: | Ensure that the Malware Protection feature is enabled for your Amazon GuardDuty detectors. impact: | From 4db79f8d10edb9358869f80902a4c2b34d669f35 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Mon, 28 Oct 2024 14:10:05 +0530 Subject: [PATCH 13/28] updated template --- cloud/aws/guardduty/guardduty-findings.yaml | 29 ++++--------------- .../malware-protection-disabled.yaml | 2 +- .../aws/guardduty/s3-protection-disabled.yaml | 2 +- 3 files changed, 7 insertions(+), 26 deletions(-) diff --git a/cloud/aws/guardduty/guardduty-findings.yaml b/cloud/aws/guardduty/guardduty-findings.yaml index 8401318ea9..5db0cc8d89 100644 --- a/cloud/aws/guardduty/guardduty-findings.yaml +++ b/cloud/aws/guardduty/guardduty-findings.yaml @@ -1,7 +1,7 @@ id: guardduty-findings info: - name: GuardDuty Findings + name: Open GuardDuty Findings author: DhiyaneshDK severity: medium description: | @@ -23,10 +23,6 @@ flow: | for(let DetectorIds of iterate(template.detectors)){ set("detector", DetectorIds) code(2)} - for(let FindingIds of iterate(template.findings)){ - set("finding", FindingIds) - code(3) - } self-contained: true 
@@ -50,27 +46,12 @@ code: source: | aws guardduty list-findings --region $region --detector-id $detector --query 'FindingIds' --output json - extractors: - - type: json - name: findings - internal: true - json: - - '.[]' - - - engine: - - sh - - bash - source: | - aws guardduty get-findings --region $region --detector-id $detector --finding-ids $finding --output json - matchers: - - type: word - words: - - '"Title":' - - '"Type":' - condition: and + - type: regex + regex: + - '\"(.*)\"' extractors: - type: dsl dsl: - - '"GuardDuty Findings " + finding + " is present"' \ No newline at end of file + - '"The AWS account has open GuardDuty Findings"' \ No newline at end of file diff --git a/cloud/aws/guardduty/malware-protection-disabled.yaml b/cloud/aws/guardduty/malware-protection-disabled.yaml index 013eaecd30..a78bfb2d63 100644 --- a/cloud/aws/guardduty/malware-protection-disabled.yaml +++ b/cloud/aws/guardduty/malware-protection-disabled.yaml @@ -55,4 +55,4 @@ code: extractors: - type: dsl dsl: - - '"GuardDuty Malware Protection " + detector + " is Disabled"' + - '"GuardDuty Malware Protection " + detector + " is Disabled"' \ No newline at end of file diff --git a/cloud/aws/guardduty/s3-protection-disabled.yaml b/cloud/aws/guardduty/s3-protection-disabled.yaml index 44b7113b73..5e86686296 100644 --- a/cloud/aws/guardduty/s3-protection-disabled.yaml +++ b/cloud/aws/guardduty/s3-protection-disabled.yaml @@ -55,4 +55,4 @@ code: extractors: - type: dsl dsl: - - '"GuardDuty S3 Protection " + detector + " is Disabled"' + - '"GuardDuty S3 Protection " + detector + " is Disabled"' \ No newline at end of file From 3ad95492fdb5958d69256816b647ec6b8867d6c5 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Mon, 28 Oct 2024 14:12:15 +0530 Subject: [PATCH 14/28] Update inspector2-disabled.yaml --- cloud/aws/inspector2/inspector2-disabled.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
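Review bot: The new finding text says the account has `open` GuardDuty findings, but `list-findings` without a filter returns, as far as I know, archived findings as well, so an account whose findings were all reviewed and archived would still be flagged. Pass a criterion that restricts the query to unarchived findings, e.g. append `--finding-criteria '{"Criterion":{"service.archived":{"Eq":["false"]}}}'` to the `list-findings` command. The regex `'\"(.*)\"'` then correctly fires only when at least one finding id is present in the `FindingIds` array.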
diff --git a/cloud/aws/inspector2/inspector2-disabled.yaml b/cloud/aws/inspector2/inspector2-disabled.yaml index 6f5ad13afd..0bc38408b3 100644 --- a/cloud/aws/inspector2/inspector2-disabled.yaml +++ b/cloud/aws/inspector2/inspector2-disabled.yaml @@ -3,7 +3,7 @@ id: inspector2-disabled info: name: Amazon Inspector 2 - Disabled author: DhiyaneshDK - severity: medium + severity: info description: | Ensure that the new version of Amazon Inspector is enabled in order to help you improve the security and compliance of your AWS cloud environment. impact: | @@ -36,4 +36,4 @@ code: extractors: - type: dsl dsl: - - '"Amazon Inspector 2 " + region + " is Disabled"' \ No newline at end of file + - '"Amazon Inspector 2 " + region + " is Disabled"' From 5517809f1d302115d1d6d55a9dfe0adc6398ca07 Mon Sep 17 00:00:00 2001 From: ghost Date: Mon, 28 Oct 2024 08:45:32 +0000 Subject: [PATCH 15/28] =?UTF-8?q?chore:=20generate=20new=20addition=20list?= =?UTF-8?q?=20=F0=9F=A4=96?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .new-additions | 1 + 1 file changed, 1 insertion(+) diff --git a/.new-additions b/.new-additions index 4d7f25942d..aeca2a2826 100644 --- a/.new-additions +++ b/.new-additions @@ -2,6 +2,7 @@ cloud/aws/dms/dms-multi-az.yaml cloud/aws/dms/dms-public-access.yaml cloud/aws/dms/dms-version-upgrade.yaml cloud/aws/ebs/ebs-encryption-disabled.yaml +cloud/aws/efs/efs-encryption-disabled.yaml cloud/aws/firehose/firehose-server-destination-encryption.yaml cloud/aws/firehose/firehose-server-side-encryption.yaml dast/cves/2024/CVE-2024-2961.yaml From fdedb39a8757626ffa8e56a01c851d76b9a4713d Mon Sep 17 00:00:00 2001 From: ghost Date: Mon, 28 Oct 2024 08:45:51 +0000 Subject: [PATCH 16/28] =?UTF-8?q?chore:=20sign=20templates=20=F0=9F=A4=96?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cloud/aws/efs/efs-encryption-disabled.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/cloud/aws/efs/efs-encryption-disabled.yaml b/cloud/aws/efs/efs-encryption-disabled.yaml index 948d323c0b..898a3c9756 100644 --- a/cloud/aws/efs/efs-encryption-disabled.yaml +++ b/cloud/aws/efs/efs-encryption-disabled.yaml @@ -56,4 +56,5 @@ code: extractors: - type: dsl dsl: - - 'filesystemid + " EFS Encryption is Disabled"' \ No newline at end of file + - 'filesystemid + " EFS Encryption is Disabled"' +# digest: 490a0046304402202f3524493875a0119ee2ee6e8fc65a74c5f15c1e355ac921c5835d100f13bc7302200d7986a9d0b33d821a24772e250381523a6c47374b1f84ca39891df988fefc87:922c64590222798bb761d5b6d8e72950 \ No newline at end of file From 2a76e7f04e418cb9c93e2a9fc48c8297c66980d1 Mon Sep 17 00:00:00 2001 From: ghost Date: Mon, 28 Oct 2024 08:45:57 +0000 Subject: [PATCH 17/28] =?UTF-8?q?chore:=20generate=20templates=20checksum?= =?UTF-8?q?=20=F0=9F=A4=96?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- templates-checksum.txt | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/templates-checksum.txt b/templates-checksum.txt index 10bcf77018..619f556e74 100644 --- a/templates-checksum.txt +++ b/templates-checksum.txt 
@@ -58,8 +58,9 @@ cloud/aws/ec2/ec2-unrestricted-ssh.yaml:92a1200da475f085c33d0f86edd3077ba19eea33 cloud/aws/ec2/ec2-unrestricted-telnet.yaml:d7f80cec0723d2723300c078552824ec1a8b641a cloud/aws/ec2/publicly-shared-ami.yaml:49e3f4939b9991f5ac9db99fbb7f7caba021227d cloud/aws/ec2/unencrypted-aws-ami.yaml:35fc4a61e70120df3aafba92b4153ffa5b8c92b6 -cloud/aws/firehose/firehose-server-destination-encryption.yaml:8d734f21761ffb41988d3d216b7e9f7aa7bd5f48 -cloud/aws/firehose/firehose-server-side-encryption.yaml:5e78f1b9a1d2eeb44b87f9af6d9699a493b4e80a +cloud/aws/efs/efs-encryption-disabled.yaml:539511aec9f396d111565286ffc4cd1b4429a5af +cloud/aws/firehose/firehose-server-destination-encryption.yaml:cc2ce3e4a4f4173fdbae1efba8565a0617750bbd +cloud/aws/firehose/firehose-server-side-encryption.yaml:bbcbf8014a6f4a4278b89fde4f89a6416e0e0b59 cloud/aws/iam/iam-access-analyzer.yaml:f50b212fc028372e3aeba52e43c0417c845a01a9 cloud/aws/iam/iam-expired-ssl.yaml:a2ec4618352430440ddb4d7704058a4c7507d3f8 cloud/aws/iam/iam-full-admin-privileges.yaml:ab5d0948a725aa5a9a1059d6b7c0ae9f5d846d06 @@ -9552,7 +9553,7 @@ ssl/tls-version.yaml:4e40f08efbb39172b9280ea9e26ca5f0a14a575a ssl/untrusted-root-certificate.yaml:a91d36990a1d052f5ee64d170ad8f084d38dab19 ssl/weak-cipher-suites.yaml:62fe808d9dfafda67c410e6cb9445fdc70257e89 ssl/wildcard-tls.yaml:d244f62c7bd22d3868fc6fc7cb9550af6b261210 -templates-checksum.txt:b3593609a5c788fe4bf0ad23ac7b9030d7031bb4 +templates-checksum.txt:ff518bb92ceda5ca71087fc95aa48529a39fe66a wappalyzer-mapping.yml:7f03bd65baacac20c1dc6bbf35ff2407959574f1 workflows/74cms-workflow.yaml:bb010e767ad32b906153e36ea618be545b4e22d0 workflows/acrolinx-workflow.yaml:8434089bb55dec3d7b2ebc6a6f340e73382dd0c4 From dd94335280b33d48c10e0e3d8cba8afb01b2006d Mon Sep 17 00:00:00 2001 
From: ghost Date: Mon, 28 Oct 2024 08:47:29 +0000 Subject: [PATCH 18/28] =?UTF-8?q?chore:=20generate=20new=20addition=20list?= =?UTF-8?q?=20=F0=9F=A4=96?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .new-additions | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.new-additions b/.new-additions index aeca2a2826..848a0b61eb 100644 --- a/.new-additions +++ b/.new-additions @@ -5,6 +5,10 @@ cloud/aws/ebs/ebs-encryption-disabled.yaml cloud/aws/efs/efs-encryption-disabled.yaml cloud/aws/firehose/firehose-server-destination-encryption.yaml cloud/aws/firehose/firehose-server-side-encryption.yaml +cloud/aws/guardduty/guardduty-findings.yaml +cloud/aws/guardduty/guardduty-not-enabled.yaml +cloud/aws/guardduty/malware-protection-disabled.yaml +cloud/aws/guardduty/s3-protection-disabled.yaml dast/cves/2024/CVE-2024-2961.yaml http/cnvd/2024/CNVD-2024-38747.yaml http/cves/2015/CVE-2015-8562.yaml From d015b388ee94f2abc1aec875841d6080039957f8 Mon Sep 17 00:00:00 2001 From: ghost Date: Mon, 28 Oct 2024 08:47:55 +0000 Subject: [PATCH 19/28] =?UTF-8?q?chore:=20sign=20templates=20=F0=9F=A4=96?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cloud/aws/guardduty/guardduty-findings.yaml | 3 ++- cloud/aws/guardduty/guardduty-not-enabled.yaml | 3 ++- cloud/aws/guardduty/malware-protection-disabled.yaml | 3 ++- cloud/aws/guardduty/s3-protection-disabled.yaml | 3 ++- cloud/aws/inspector2/inspector2-disabled.yaml | 2 ++ 5 files changed, 10 insertions(+), 4 deletions(-) diff --git a/cloud/aws/guardduty/guardduty-findings.yaml b/cloud/aws/guardduty/guardduty-findings.yaml index 5db0cc8d89..8691c85d78 100644 --- a/cloud/aws/guardduty/guardduty-findings.yaml +++ b/cloud/aws/guardduty/guardduty-findings.yaml 
@@ -54,4 +54,5 @@ code:
 extractors:
 - type: dsl
 dsl:
- - '"The AWS account has open GuardDuty Findings"'
\ No newline at end of file
+ - '"The AWS account has open GuardDuty Findings"'
+# digest: 4a0a00473045022100e3c328614414aef385eb992b48dc665cffd2a483618b008b2b8cc7cff933c87502202c2e1a3ef936449c944508ccfb2460ac96d065c3e72244fb83cb529ed5a3e95e:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/cloud/aws/guardduty/guardduty-not-enabled.yaml b/cloud/aws/guardduty/guardduty-not-enabled.yaml
index 5f1dffea07..a3a11ffe96 100644
--- a/cloud/aws/guardduty/guardduty-not-enabled.yaml
+++ b/cloud/aws/guardduty/guardduty-not-enabled.yaml
@@ -35,4 +35,5 @@ code:
 extractors:
 - type: dsl
 dsl:
- - '"GuardDuty Is Not Enabled"'
\ No newline at end of file
+ - '"GuardDuty Is Not Enabled"'
+# digest: 4b0a00483046022100a4b4d58c1c63e777f526ea729b0606c9778e22d31303546c4dd802e07f6adbaf022100b6259e9ecca607e4a4a59f5783407a2624c810904acde7de240c6b371fbf65c0:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/cloud/aws/guardduty/malware-protection-disabled.yaml b/cloud/aws/guardduty/malware-protection-disabled.yaml
index a78bfb2d63..d008882ffb 100644
--- a/cloud/aws/guardduty/malware-protection-disabled.yaml
+++ b/cloud/aws/guardduty/malware-protection-disabled.yaml
@@ -55,4 +55,5 @@ code:
 extractors:
 - type: dsl
 dsl:
- - '"GuardDuty Malware Protection " + detector + " is Disabled"'
\ No newline at end of file
+ - '"GuardDuty Malware Protection " + detector + " is Disabled"'
+# digest: 4b0a00483046022100decfe07108934c7e0cc3a86caa2ebb9e10c7ab08a6eb81fdad419f5ccc0e4924022100b723fe87a025db147a310cb8210fc4ee048e49ca029d8c4d1e74eeab03b91eab:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/cloud/aws/guardduty/s3-protection-disabled.yaml b/cloud/aws/guardduty/s3-protection-disabled.yaml
index 5e86686296..e5cbe0b131 100644
--- a/cloud/aws/guardduty/s3-protection-disabled.yaml
+++ b/cloud/aws/guardduty/s3-protection-disabled.yaml
@@ -55,4 +55,5 @@ code:
 extractors:
 - type: dsl
 dsl:
- - '"GuardDuty S3 Protection " + detector + " is Disabled"'
\ No newline at end of file
+ - '"GuardDuty S3 Protection " + detector + " is Disabled"'
+# digest: 4a0a0047304502201cb765569f71fef3078bc3e696e2e2cdde022763c3263167499c6cb873421a6b0221009484f07bc61583c6e21c8d07156bc75367a977e71a4db9c3828257b14022fa00:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/cloud/aws/inspector2/inspector2-disabled.yaml b/cloud/aws/inspector2/inspector2-disabled.yaml
index 0bc38408b3..14a412b5b8 100644
--- a/cloud/aws/inspector2/inspector2-disabled.yaml
+++ b/cloud/aws/inspector2/inspector2-disabled.yaml
@@ -37,3 +37,5 @@ code:
 - type: dsl
 dsl:
 - '"Amazon Inspector 2 " + region + " is Disabled"'
+
+# digest: 490a00463044022010f8e8d9aacde24c0c4f4d20dd066d33afd1da0d1dc57400b79affbbcb999372022034831dd93ac404391bfbcd6374a59699cff7a607cce387f17def5864d7afcbf6:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
From 7f9287415175717a590c93f749eb35550c05f812 Mon Sep 17 00:00:00 2001
From: ghost
Date: Mon, 28 Oct 2024 08:49:39 +0000
Subject: [PATCH 20/28] =?UTF-8?q?chore:=20generate=20new=20addition=20list?= =?UTF-8?q?=20=F0=9F=A4=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .new-additions | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.new-additions b/.new-additions
index 848a0b61eb..b80806f07b 100644
--- a/.new-additions
+++ b/.new-additions
@@ -9,6 +9,9 @@ cloud/aws/guardduty/guardduty-findings.yaml
 cloud/aws/guardduty/guardduty-not-enabled.yaml
 cloud/aws/guardduty/malware-protection-disabled.yaml
 cloud/aws/guardduty/s3-protection-disabled.yaml
+cloud/aws/inspector2/inspector2-disabled.yaml
+cloud/aws/route53/route53-dns-query-disabled.yaml
+cloud/aws/route53/route53-dnssec-signing-disabled.yaml
 dast/cves/2024/CVE-2024-2961.yaml
 http/cnvd/2024/CNVD-2024-38747.yaml
 http/cves/2015/CVE-2015-8562.yaml
From c0ec84061241b51eb2b9ff9adecc00f76977f73f Mon Sep 17 00:00:00 2001 From: ghost Date: Mon, 28 Oct 2024 08:49:53 +0000 Subject: [PATCH 21/28] =?UTF-8?q?chore:=20generate=20templates=20checksum?= =?UTF-8?q?=20=F0=9F=A4=96?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- templates-checksum.txt | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/templates-checksum.txt b/templates-checksum.txt index 619f556e74..546156265c 100644 --- a/templates-checksum.txt +++ b/templates-checksum.txt @@ -58,9 +58,13 @@ cloud/aws/ec2/ec2-unrestricted-ssh.yaml:92a1200da475f085c33d0f86edd3077ba19eea33 cloud/aws/ec2/ec2-unrestricted-telnet.yaml:d7f80cec0723d2723300c078552824ec1a8b641a cloud/aws/ec2/publicly-shared-ami.yaml:49e3f4939b9991f5ac9db99fbb7f7caba021227d cloud/aws/ec2/unencrypted-aws-ami.yaml:35fc4a61e70120df3aafba92b4153ffa5b8c92b6 -cloud/aws/efs/efs-encryption-disabled.yaml:539511aec9f396d111565286ffc4cd1b4429a5af +cloud/aws/efs/efs-encryption-disabled.yaml:a06753f3438ae2c8d33f22e1897809a40ebd4f58 cloud/aws/firehose/firehose-server-destination-encryption.yaml:cc2ce3e4a4f4173fdbae1efba8565a0617750bbd cloud/aws/firehose/firehose-server-side-encryption.yaml:bbcbf8014a6f4a4278b89fde4f89a6416e0e0b59 +cloud/aws/guardduty/guardduty-findings.yaml:ab7105cc4d1c7f27fc076d2eec8180857f72bfbd +cloud/aws/guardduty/guardduty-not-enabled.yaml:87d785038ee4ee7e2357aa46b99c4cd81fe20f36 +cloud/aws/guardduty/malware-protection-disabled.yaml:6fccd83c3391b6cb318753a0956a6ff26a7e7be3 +cloud/aws/guardduty/s3-protection-disabled.yaml:2b3e7a645bd050d55d652564f0fa9703ea44dfba cloud/aws/iam/iam-access-analyzer.yaml:f50b212fc028372e3aeba52e43c0417c845a01a9 cloud/aws/iam/iam-expired-ssl.yaml:a2ec4618352430440ddb4d7704058a4c7507d3f8 cloud/aws/iam/iam-full-admin-privileges.yaml:ab5d0948a725aa5a9a1059d6b7c0ae9f5d846d06 
@@ -72,6 +76,7 @@ cloud/aws/iam/iam-ssh-keys-rotation.yaml:d3bb01e0e9eba3375cee6bf5bbde2c2b629b5cd cloud/aws/iam/iam-unapproved-policy.yaml:883cdcaea84c6970f6f99cc3289ffc2ed85bbac1 cloud/aws/iam/iam-user-password-change.yaml:af7fc040fa28a4621255bcb6f7f3ccfb6e1825df cloud/aws/iam/ssl-cert-renewal.yaml:40622e59896e04627695c6d286e0015aaed13010 +cloud/aws/inspector2/inspector2-disabled.yaml:73a4124a26d17a1e76940b7c1dcc6dcc08b40a1f cloud/aws/rds/aurora-copy-tags-snap.yaml:9d0f7c95a0e76e441aa771fc7ee6c85a0f510736 cloud/aws/rds/aurora-delete-protect.yaml:4ff1aef5f611e5bdec4248c135e99db23c8c599e cloud/aws/rds/iam-db-auth.yaml:8b12e2e629800d449708351652b27657e5854081 @@ -86,6 +91,8 @@ cloud/aws/rds/rds-public-snapshot.yaml:c5d64997130a6c496154d96b3373904bd1fbebfd cloud/aws/rds/rds-public-subnet.yaml:d2b63d178d24faa83223568a3bb5bb7ac2a53f46 cloud/aws/rds/rds-ri-payment-fail.yaml:905953edc8139ecfb370d3ee288b65e77eef65b0 cloud/aws/rds/rds-snapshot-encryption.yaml:fb8b45fa0dff44a66911abf6a70e32530de776f1 +cloud/aws/route53/route53-dns-query-disabled.yaml:c19c18b6b115c6a4512f30502cac471677a8df72 +cloud/aws/route53/route53-dnssec-signing-disabled.yaml:73588c5b5e5b7ebd343c9f5193d4f36b5cadf01b cloud/aws/s3/s3-access-logging.yaml:60f0011f6da935cef7d76840d5755de49e06730e cloud/aws/s3/s3-auth-fullcontrol.yaml:b7bbb1b9edac9baef27465651bb5afcf41ff51e3 cloud/aws/s3/s3-bucket-key.yaml:0fe1d8b9f1b99dc0231d0c22ea3a68b2fdf2a7b6 
@@ -9553,7 +9560,7 @@ ssl/tls-version.yaml:4e40f08efbb39172b9280ea9e26ca5f0a14a575a
 ssl/untrusted-root-certificate.yaml:a91d36990a1d052f5ee64d170ad8f084d38dab19
 ssl/weak-cipher-suites.yaml:62fe808d9dfafda67c410e6cb9445fdc70257e89
 ssl/wildcard-tls.yaml:d244f62c7bd22d3868fc6fc7cb9550af6b261210
-templates-checksum.txt:ff518bb92ceda5ca71087fc95aa48529a39fe66a
+templates-checksum.txt:1ff8c0871c509263102d0bf034842741d6e27471
 wappalyzer-mapping.yml:7f03bd65baacac20c1dc6bbf35ff2407959574f1
 workflows/74cms-workflow.yaml:bb010e767ad32b906153e36ea618be545b4e22d0
 workflows/acrolinx-workflow.yaml:8434089bb55dec3d7b2ebc6a6f340e73382dd0c4
From 3567cbfdab3ddb09f73365fd326f792b2a2b2c53 Mon Sep 17 00:00:00 2001
From: ghost
Date: Mon, 28 Oct 2024 08:49:59 +0000
Subject: [PATCH 22/28] =?UTF-8?q?chore:=20sign=20templates=20=F0=9F=A4=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cloud/aws/inspector2/inspector2-disabled.yaml | 3 +--
 cloud/aws/route53/route53-dns-query-disabled.yaml | 2 ++
 cloud/aws/route53/route53-dnssec-signing-disabled.yaml | 3 ++-
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/cloud/aws/inspector2/inspector2-disabled.yaml b/cloud/aws/inspector2/inspector2-disabled.yaml
index 14a412b5b8..9a346fd9f6 100644
--- a/cloud/aws/inspector2/inspector2-disabled.yaml
+++ b/cloud/aws/inspector2/inspector2-disabled.yaml
@@ -37,5 +37,4 @@ code:
 - type: dsl
 dsl:
 - '"Amazon Inspector 2 " + region + " is Disabled"'
-
-# digest: 490a00463044022010f8e8d9aacde24c0c4f4d20dd066d33afd1da0d1dc57400b79affbbcb999372022034831dd93ac404391bfbcd6374a59699cff7a607cce387f17def5864d7afcbf6:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+# digest: 4a0a0047304502204c395c8b6be9e20ec59536a0e23e6563659d5b7bd5e33d711610bff4c9f04d67022100ba18cd98feeefa78561f5b09c4771df6f68c6f4f03784dc57d8b2073a61129d2:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/cloud/aws/route53/route53-dns-query-disabled.yaml b/cloud/aws/route53/route53-dns-query-disabled.yaml
index 12914be8c4..61d79e27e0 100644
--- a/cloud/aws/route53/route53-dns-query-disabled.yaml
+++ b/cloud/aws/route53/route53-dns-query-disabled.yaml
@@ -70,3 +70,5 @@ code:
 - type: dsl
 dsl:
 - 'hostedzone + " DNSSEC Signing for Route 53 Hosted Zones is Disabled"'
+
+# digest: 4b0a00483046022100a8c33ea3072ea1df86f892e8e309bf413394b8c5ad76e0fa2becffd131257da4022100a9f1b201ca2538545cf9539692909c3c48216e6e357f913c2713561a7f55e6b1:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/cloud/aws/route53/route53-dnssec-signing-disabled.yaml b/cloud/aws/route53/route53-dnssec-signing-disabled.yaml
index 6d34b1dacc..ab4e09850b 100644
--- a/cloud/aws/route53/route53-dnssec-signing-disabled.yaml
+++ b/cloud/aws/route53/route53-dnssec-signing-disabled.yaml
@@ -56,4 +56,5 @@ code:
 extractors:
 - type: dsl
 dsl:
- - 'hostedzone + " DNSSEC Signing for Route 53 Hosted Zones is Disabled"'
\ No newline at end of file
+ - 'hostedzone + " DNSSEC Signing for Route 53 Hosted Zones is Disabled"'
+# digest: 4a0a004730450221009251d99374c677d15210c7aa3cbce5efc72564a59038b848eaf6bdb7130a3fd902200796026b32fc568c2b407a4c1ceb2b332b2ad8c77d2d71eee4d1f2917918e1f9:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
From aaed2ffc79e0dbd4e39ea6a41a59b1dc30a440fc Mon Sep 17 00:00:00 2001
From: ghost
Date: Mon, 28 Oct 2024 08:52:56 +0000
Subject: [PATCH 23/28] =?UTF-8?q?chore:=20generate=20new=20addition=20list?= =?UTF-8?q?=20=F0=9F=A4=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .new-additions | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.new-additions b/.new-additions
index b80806f07b..b48c1f197e 100644
--- a/.new-additions
+++ b/.new-additions
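Review bot: The extractor text in route53-dns-query-disabled.yaml, the context line `- 'hostedzone + " DNSSEC Signing for Route 53 Hosted Zones is Disabled"'` in the `@@ -70,3 +70,5 @@` hunk, is the same message the sibling route53-dnssec-signing-disabled.yaml template emits, so a hit from this template would be reported as a DNSSEC finding rather than a DNS query logging one, which misleads triage and any alerting keyed on the finding text. The template's id and name are outside the hunk, so the exact wording should follow its `info.name`; something like `- 'hostedzone + " DNS Query Logging for Route 53 Hosted Zones is Disabled"'` is the likely intent. Since this commit signs the file's current content, the text correction and a re-sign have to land together; the same line is re-signed again in the PATCH 24/28 hunk for this file.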
@@ -3,6 +3,10 @@ cloud/aws/dms/dms-public-access.yaml
 cloud/aws/dms/dms-version-upgrade.yaml
 cloud/aws/ebs/ebs-encryption-disabled.yaml
 cloud/aws/efs/efs-encryption-disabled.yaml
+cloud/aws/elasticache/cache-automatic-backups-disabled.yaml
+cloud/aws/elasticache/cache-event-notification-disabled.yaml
+cloud/aws/elasticache/cache-redis-encryption-disabled.yaml
+cloud/aws/elasticache/cache-redis-multiaz-disabled.yaml
 cloud/aws/firehose/firehose-server-destination-encryption.yaml
 cloud/aws/firehose/firehose-server-side-encryption.yaml
 cloud/aws/guardduty/guardduty-findings.yaml
From fbae59e1c0bbf8552b4f0e25c8d473363348c887 Mon Sep 17 00:00:00 2001
From: ghost
Date: Mon, 28 Oct 2024 08:53:25 +0000
Subject: [PATCH 24/28] =?UTF-8?q?chore:=20sign=20templates=20=F0=9F=A4=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cloud/aws/elasticache/cache-automatic-backups-disabled.yaml | 3 ++-
 cloud/aws/elasticache/cache-event-notification-disabled.yaml | 3 ++-
 cloud/aws/elasticache/cache-redis-encryption-disabled.yaml | 3 ++-
 cloud/aws/elasticache/cache-redis-multiaz-disabled.yaml | 3 ++-
 cloud/aws/route53/route53-dns-query-disabled.yaml | 3 +--
 5 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/cloud/aws/elasticache/cache-automatic-backups-disabled.yaml b/cloud/aws/elasticache/cache-automatic-backups-disabled.yaml
index 4e68cbc4bf..dd424ea732 100644
--- a/cloud/aws/elasticache/cache-automatic-backups-disabled.yaml
+++ b/cloud/aws/elasticache/cache-automatic-backups-disabled.yaml
@@ -56,4 +56,5 @@ code:
 extractors:
 - type: dsl
 dsl:
- - 'replicationgroup + " ElastiCache Automatic Backups is Disabled"'
\ No newline at end of file
+ - 'replicationgroup + " ElastiCache Automatic Backups is Disabled"'
+# digest: 4a0a0047304502210087c54085d08d635a332b799ec9ec22d6ddfa6740d360649eab91c74f128664ca0220747eef461974f2e267e2356c4f18a67918ca9b085d0e0cf0b81be01288315ebd:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/cloud/aws/elasticache/cache-event-notification-disabled.yaml b/cloud/aws/elasticache/cache-event-notification-disabled.yaml
index 88b6aa964d..db020fbd4e 100644
--- a/cloud/aws/elasticache/cache-event-notification-disabled.yaml
+++ b/cloud/aws/elasticache/cache-event-notification-disabled.yaml
@@ -56,4 +56,5 @@ code:
 extractors:
 - type: dsl
 dsl:
- - 'replicationgroup + " ElastiCache Event Notifications is Disabled"'
\ No newline at end of file
+ - 'replicationgroup + " ElastiCache Event Notifications is Disabled"'
+# digest: 4b0a00483046022100ab045d9b41360da2b45ee3b9c537ba52e19a0755acb19ec581b2ed23f9dc20a5022100ffa958947047b3edf93b57eef8be1044206e78ca23573a7a1afaf60fdf92b531:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/cloud/aws/elasticache/cache-redis-encryption-disabled.yaml b/cloud/aws/elasticache/cache-redis-encryption-disabled.yaml
index 5518d8c759..4cf9855795 100644
--- a/cloud/aws/elasticache/cache-redis-encryption-disabled.yaml
+++ b/cloud/aws/elasticache/cache-redis-encryption-disabled.yaml
@@ -57,4 +57,5 @@ code:
 extractors:
 - type: dsl
 dsl:
- - 'replicationgroup + " ElastiCache Redis In-Transit and At-Rest Encryption is Disabled"'
\ No newline at end of file
+ - 'replicationgroup + " ElastiCache Redis In-Transit and At-Rest Encryption is Disabled"'
+# digest: 4b0a00483046022100c36ec305884cf56077c4292344b9fae8b609e594655832d1904ca65a1aee63d00221009a93c7d9990d13b1b8fafa34671dcfcef0805a7e98d0df94566791411fd0a593:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/cloud/aws/elasticache/cache-redis-multiaz-disabled.yaml b/cloud/aws/elasticache/cache-redis-multiaz-disabled.yaml
index 98b600a4d7..e5b1ed1c1d 100644
--- a/cloud/aws/elasticache/cache-redis-multiaz-disabled.yaml
+++ b/cloud/aws/elasticache/cache-redis-multiaz-disabled.yaml
@@ -56,4 +56,5 @@ code:
 extractors:
 - type: dsl
 dsl:
- - 'replicationgroup + " ElastiCache Redis Multi-AZ is Disabled"'
\ No newline at end of file
+ - 'replicationgroup + " ElastiCache Redis Multi-AZ is Disabled"'
+# digest: 4a0a0047304502204301e43ac045c6186aedb2a1a074610422c2002d90876cf4ac2d3402436911b6022100b9868d4c62014154ed9d7f27e2aa4282e365d89ee6795b2f192a11c9e74505e8:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/cloud/aws/route53/route53-dns-query-disabled.yaml b/cloud/aws/route53/route53-dns-query-disabled.yaml
index 61d79e27e0..efddf7d19b 100644
--- a/cloud/aws/route53/route53-dns-query-disabled.yaml
+++ b/cloud/aws/route53/route53-dns-query-disabled.yaml
@@ -70,5 +70,4 @@ code:
 - type: dsl
 dsl:
 - 'hostedzone + " DNSSEC Signing for Route 53 Hosted Zones is Disabled"'
-
-# digest: 4b0a00483046022100a8c33ea3072ea1df86f892e8e309bf413394b8c5ad76e0fa2becffd131257da4022100a9f1b201ca2538545cf9539692909c3c48216e6e357f913c2713561a7f55e6b1:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+# digest: 490a004630440220018711c266d5989a927422b1f3ca48fc29633a1f997a417b68649c02d392537202206fa24b0f17b1b4b89e9e338369a021aafdb5191ada52d1e94b45ca50b2a0513f:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
From 1999deec858a6bae35147cfb34a6351e5db957d4 Mon Sep 17 00:00:00 2001
From: ghost
Date: Mon, 28 Oct 2024 08:53:40 +0000
Subject: [PATCH 25/28] =?UTF-8?q?chore:=20generate=20templates=20checksum?= =?UTF-8?q?=20=F0=9F=A4=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 templates-checksum.txt | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/templates-checksum.txt b/templates-checksum.txt
index 546156265c..f69c8924e8 100644
--- a/templates-checksum.txt
+++ b/templates-checksum.txt
@@ -59,6 +59,10 @@ cloud/aws/ec2/ec2-unrestricted-telnet.yaml:d7f80cec0723d2723300c078552824ec1a8b6 cloud/aws/ec2/publicly-shared-ami.yaml:49e3f4939b9991f5ac9db99fbb7f7caba021227d cloud/aws/ec2/unencrypted-aws-ami.yaml:35fc4a61e70120df3aafba92b4153ffa5b8c92b6 cloud/aws/efs/efs-encryption-disabled.yaml:a06753f3438ae2c8d33f22e1897809a40ebd4f58 +cloud/aws/elasticache/cache-automatic-backups-disabled.yaml:3c43708f22f2f4b03d0b3c5d53f69241a5433fd4 +cloud/aws/elasticache/cache-event-notification-disabled.yaml:e9936376845ba8371aeca8160578a5cbb5260879 +cloud/aws/elasticache/cache-redis-encryption-disabled.yaml:19222ba22326d0d3c241dad6ff73312364aa8fd3 +cloud/aws/elasticache/cache-redis-multiaz-disabled.yaml:339eb5bc29e78e279e1446e79f94f33eaffe01cd cloud/aws/firehose/firehose-server-destination-encryption.yaml:cc2ce3e4a4f4173fdbae1efba8565a0617750bbd cloud/aws/firehose/firehose-server-side-encryption.yaml:bbcbf8014a6f4a4278b89fde4f89a6416e0e0b59 cloud/aws/guardduty/guardduty-findings.yaml:ab7105cc4d1c7f27fc076d2eec8180857f72bfbd @@ -76,7 +80,7 @@ cloud/aws/iam/iam-ssh-keys-rotation.yaml:d3bb01e0e9eba3375cee6bf5bbde2c2b629b5cd cloud/aws/iam/iam-unapproved-policy.yaml:883cdcaea84c6970f6f99cc3289ffc2ed85bbac1 cloud/aws/iam/iam-user-password-change.yaml:af7fc040fa28a4621255bcb6f7f3ccfb6e1825df cloud/aws/iam/ssl-cert-renewal.yaml:40622e59896e04627695c6d286e0015aaed13010 -cloud/aws/inspector2/inspector2-disabled.yaml:73a4124a26d17a1e76940b7c1dcc6dcc08b40a1f +cloud/aws/inspector2/inspector2-disabled.yaml:e2be1022666c9efa9fe7e311bd4eb60c5c5cbbda cloud/aws/rds/aurora-copy-tags-snap.yaml:9d0f7c95a0e76e441aa771fc7ee6c85a0f510736 cloud/aws/rds/aurora-delete-protect.yaml:4ff1aef5f611e5bdec4248c135e99db23c8c599e cloud/aws/rds/iam-db-auth.yaml:8b12e2e629800d449708351652b27657e5854081 
@@ -91,8 +95,8 @@ cloud/aws/rds/rds-public-snapshot.yaml:c5d64997130a6c496154d96b3373904bd1fbebfd cloud/aws/rds/rds-public-subnet.yaml:d2b63d178d24faa83223568a3bb5bb7ac2a53f46 cloud/aws/rds/rds-ri-payment-fail.yaml:905953edc8139ecfb370d3ee288b65e77eef65b0 cloud/aws/rds/rds-snapshot-encryption.yaml:fb8b45fa0dff44a66911abf6a70e32530de776f1 -cloud/aws/route53/route53-dns-query-disabled.yaml:c19c18b6b115c6a4512f30502cac471677a8df72 -cloud/aws/route53/route53-dnssec-signing-disabled.yaml:73588c5b5e5b7ebd343c9f5193d4f36b5cadf01b +cloud/aws/route53/route53-dns-query-disabled.yaml:82ebb642bce252700c264c9bba18adc546c95815 +cloud/aws/route53/route53-dnssec-signing-disabled.yaml:8db84df5d34c7f1cbc88ad2730776c7cc6439a3d cloud/aws/s3/s3-access-logging.yaml:60f0011f6da935cef7d76840d5755de49e06730e cloud/aws/s3/s3-auth-fullcontrol.yaml:b7bbb1b9edac9baef27465651bb5afcf41ff51e3 cloud/aws/s3/s3-bucket-key.yaml:0fe1d8b9f1b99dc0231d0c22ea3a68b2fdf2a7b6 @@ -9560,7 +9564,7 @@ ssl/tls-version.yaml:4e40f08efbb39172b9280ea9e26ca5f0a14a575a ssl/untrusted-root-certificate.yaml:a91d36990a1d052f5ee64d170ad8f084d38dab19 ssl/weak-cipher-suites.yaml:62fe808d9dfafda67c410e6cb9445fdc70257e89 ssl/wildcard-tls.yaml:d244f62c7bd22d3868fc6fc7cb9550af6b261210 -templates-checksum.txt:1ff8c0871c509263102d0bf034842741d6e27471 +templates-checksum.txt:5b6e4773e737b48c5c963dbb1da96f85770d791a wappalyzer-mapping.yml:7f03bd65baacac20c1dc6bbf35ff2407959574f1 workflows/74cms-workflow.yaml:bb010e767ad32b906153e36ea618be545b4e22d0 workflows/acrolinx-workflow.yaml:8434089bb55dec3d7b2ebc6a6f340e73382dd0c4 From 69a8a757ecf6f6112bde0a3df8ca8c6d5b0bf36a Mon Sep 17 00:00:00 2001 From: ghost Date: Mon, 28 Oct 2024 08:54:55 +0000 Subject: [PATCH 26/28] =?UTF-8?q?chore:=20generate=20new=20addition=20list?= =?UTF-8?q?=20=F0=9F=A4=96?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .new-additions | 10 ++++++++++ 1 file changed, 10 insertions(+) 
diff --git a/.new-additions b/.new-additions
index b48c1f197e..bdd2e05fb6 100644
--- a/.new-additions
+++ b/.new-additions
@@ -14,6 +14,16 @@ cloud/aws/guardduty/guardduty-not-enabled.yaml
 cloud/aws/guardduty/malware-protection-disabled.yaml
 cloud/aws/guardduty/s3-protection-disabled.yaml
 cloud/aws/inspector2/inspector2-disabled.yaml
+cloud/aws/rds/rds-auto-minor-upgrade-disabled.yaml
+cloud/aws/rds/rds-automated-backup-disabled.yaml
+cloud/aws/rds/rds-backtrack-disabled.yaml
+cloud/aws/rds/rds-cluster-protection-disabled.yaml
+cloud/aws/rds/rds-copy-snap.yaml
+cloud/aws/rds/rds-insights-disabled.yaml
+cloud/aws/rds/rds-instance-autoscaling-disabled.yaml
+cloud/aws/rds/rds-log-export-disabled.yaml
+cloud/aws/rds/rds-multi-az.yaml
+cloud/aws/rds/rds-public-access.yaml
 cloud/aws/route53/route53-dns-query-disabled.yaml
 cloud/aws/route53/route53-dnssec-signing-disabled.yaml
 dast/cves/2024/CVE-2024-2961.yaml
From 62ed99988770e6eac98875c31be165cfd5c2ebd5 Mon Sep 17 00:00:00 2001
From: ghost
Date: Mon, 28 Oct 2024 08:55:10 +0000
Subject: [PATCH 27/28] =?UTF-8?q?chore:=20sign=20templates=20=F0=9F=A4=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cloud/aws/rds/rds-auto-minor-upgrade-disabled.yaml | 3 ++-
 cloud/aws/rds/rds-automated-backup-disabled.yaml | 3 ++-
 cloud/aws/rds/rds-backtrack-disabled.yaml | 2 ++
 cloud/aws/rds/rds-cluster-protection-disabled.yaml | 3 ++-
 cloud/aws/rds/rds-copy-snap.yaml | 3 ++-
 cloud/aws/rds/rds-insights-disabled.yaml | 3 ++-
 cloud/aws/rds/rds-instance-autoscaling-disabled.yaml | 3 ++-
 cloud/aws/rds/rds-log-export-disabled.yaml | 3 ++-
 cloud/aws/rds/rds-multi-az.yaml | 3 ++-
 cloud/aws/rds/rds-public-access.yaml | 3 ++-
 10 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/cloud/aws/rds/rds-auto-minor-upgrade-disabled.yaml b/cloud/aws/rds/rds-auto-minor-upgrade-disabled.yaml
index d551fc5418..336835b133 100644
--- a/cloud/aws/rds/rds-auto-minor-upgrade-disabled.yaml
+++ b/cloud/aws/rds/rds-auto-minor-upgrade-disabled.yaml
@@ -56,4 +56,5 @@ code:
 extractors:
 - type: dsl
 dsl:
- - 'dbcluster + " RDS Auto Minor Version Upgrade is Disabled"'
\ No newline at end of file
+ - 'dbcluster + " RDS Auto Minor Version Upgrade is Disabled"'
+# digest: 4a0a00473045022100af0e66ac1bdc81235715fe6e81e67ad54d83705aac3969f70fff9512321aa2780220554e2a16c4bd3cd676145fd521e0b598f5537fca46eeb51dc70109a32b6ed317:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/cloud/aws/rds/rds-automated-backup-disabled.yaml b/cloud/aws/rds/rds-automated-backup-disabled.yaml
index 291708599d..b7c7d2bc1f 100644
--- a/cloud/aws/rds/rds-automated-backup-disabled.yaml
+++ b/cloud/aws/rds/rds-automated-backup-disabled.yaml
@@ -56,4 +56,5 @@ code:
 extractors:
 - type: dsl
 dsl:
- - 'dbcluster + " RDS Automated Backups is Disabled"'
\ No newline at end of file
+ - 'dbcluster + " RDS Automated Backups is Disabled"'
+# digest: 4a0a00473045022100e960fd3daad878cd4faf86f582d1342e6a36a537f38399cb0042886a3d251d8002204f10fa5ad530a97e5707b0d68d908ad39d633bb4fe198d1dc2d7eb4ecb8bfcd5:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/cloud/aws/rds/rds-backtrack-disabled.yaml b/cloud/aws/rds/rds-backtrack-disabled.yaml
index 74f607a631..3be95aa347 100644
--- a/cloud/aws/rds/rds-backtrack-disabled.yaml
+++ b/cloud/aws/rds/rds-backtrack-disabled.yaml
@@ -57,3 +57,5 @@ code:
 - type: dsl
 dsl:
 - 'dbcluster + " AWS RDS Backtrack is Disabled"'
+
+# digest: 4a0a00473045022035344c17e663db3af068393d598b55b6ad0d1c6d92d873911e71afd646ff73ef022100b50edc465f5800f3a1e82f0f3444532ede7c449e0fff9e47712bbdc88ef6ef0b:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/cloud/aws/rds/rds-cluster-protection-disabled.yaml b/cloud/aws/rds/rds-cluster-protection-disabled.yaml
index 1693286df3..46ce1b382e 100644
--- a/cloud/aws/rds/rds-cluster-protection-disabled.yaml
+++ b/cloud/aws/rds/rds-cluster-protection-disabled.yaml
@@ -56,4 +56,5 @@ code:
 extractors:
 - type: dsl
 dsl:
- - 'dbcluster + " RDS Cluster Deletion Protection is Disabled"'
\ No newline at end of file
+ - 'dbcluster + " RDS Cluster Deletion Protection is Disabled"'
+# digest: 490a0046304402200739860f75125c05a20a0938ad2c851bf23e4a3ec2fc60607ebb2029aec85cc20220553d51f85cb4ffe450af721605d778bf0e121cf14e589cddabdcd07263038a01:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/cloud/aws/rds/rds-copy-snap.yaml b/cloud/aws/rds/rds-copy-snap.yaml
index da686cb154..6ac0069791 100644
--- a/cloud/aws/rds/rds-copy-snap.yaml
+++ b/cloud/aws/rds/rds-copy-snap.yaml
@@ -56,4 +56,5 @@ code:
 extractors:
 - type: dsl
 dsl:
- - '"Copy Tags To Snapshot is not enable for instance " + dbcluster'
\ No newline at end of file
+ - '"Copy Tags To Snapshot is not enable for instance " + dbcluster'
+# digest: 490a00463044022051022f479a0afd2afcaf9d9d367a89ea9ec98a164addc7348dfef195b6c5fbcd02205b2c561640b25055cd8ef27cb924f349dac20be3c13b32840c35835adcf6b48f:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/cloud/aws/rds/rds-insights-disabled.yaml b/cloud/aws/rds/rds-insights-disabled.yaml
index a7506fb4f2..675f6366ee 100644
--- a/cloud/aws/rds/rds-insights-disabled.yaml
+++ b/cloud/aws/rds/rds-insights-disabled.yaml
@@ -56,4 +56,5 @@ code:
 extractors:
 - type: dsl
 dsl:
- - 'dbcluster + " RDS Performance Insights is Disabled"'
\ No newline at end of file
+ - 'dbcluster + " RDS Performance Insights is Disabled"'
+# digest: 490a00463044022076ed2cd39be2faa1af19918d6b51b7ebdc501bde23706e79e0b16ce01d9e91a5022047cf1a639be81999d86f0b95ee5d5abb9137cd19704e07fe687ac3ebe762c4ff:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/cloud/aws/rds/rds-instance-autoscaling-disabled.yaml b/cloud/aws/rds/rds-instance-autoscaling-disabled.yaml
index aca686526f..f56945e705 100644
--- a/cloud/aws/rds/rds-instance-autoscaling-disabled.yaml
+++ b/cloud/aws/rds/rds-instance-autoscaling-disabled.yaml
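Review bot: The extractor text in rds-copy-snap.yaml, the context line `- '"Copy Tags To Snapshot is not enable for instance " + dbcluster'`, has a grammatical slip ("enable" for "enabled") and departs from the form every other RDS template in this commit uses (`dbcluster + " RDS … is Disabled"`), and it calls the value an instance while the variable name says cluster, so one of the two presumably needs adjusting once the template's query (outside the hunk) is checked. A consistent line would be `- 'dbcluster + " RDS Copy Tags To Snapshot is Disabled"'`, which also keeps the finding text uniform for anyone parsing results. Any wording change must be followed by a re-sign, since the digest added here covers the file content.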
@@ -56,4 +56,5 @@ code:
 extractors:
 - type: dsl
 dsl:
- - 'dbcluster + " RDS Instance Storage AutoScaling is Disabled"'
\ No newline at end of file
+ - 'dbcluster + " RDS Instance Storage AutoScaling is Disabled"'
+# digest: 4a0a00473045022052cfa85782ba576ca83865f40047d55c219215742a8804975e05f2528f4ab6ff022100d0bd782a640c68eea072b5b0e95703bf0a7c6d85db7f3290592eac60a5ec440d:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/cloud/aws/rds/rds-log-export-disabled.yaml b/cloud/aws/rds/rds-log-export-disabled.yaml
index d9d08ffdfb..df044ecc55 100644
--- a/cloud/aws/rds/rds-log-export-disabled.yaml
+++ b/cloud/aws/rds/rds-log-export-disabled.yaml
@@ -56,4 +56,5 @@ code:
 extractors:
 - type: dsl
 dsl:
- - 'dbcluster + " RDS Log Exports is Disabled"'
\ No newline at end of file
+ - 'dbcluster + " RDS Log Exports is Disabled"'
+# digest: 4b0a00483046022100b17bbb6881382beebcea1014f405102e2771bca097a08fc3702371e015c77fa102210086c211a7532e3e876f8f57aaed3fcea6a679b4d228fe1e9064c8e63c5828f48b:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/cloud/aws/rds/rds-multi-az.yaml b/cloud/aws/rds/rds-multi-az.yaml
index 2368ed26dd..5f01c085c4 100644
--- a/cloud/aws/rds/rds-multi-az.yaml
+++ b/cloud/aws/rds/rds-multi-az.yaml
@@ -56,4 +56,5 @@ code:
 extractors:
 - type: dsl
 dsl:
- - 'dbcluster + " RDS Multi-AZ is Disabled"'
\ No newline at end of file
+ - 'dbcluster + " RDS Multi-AZ is Disabled"'
+# digest: 490a004630440220429586da4f2e5d006e1a229969d4cecc4a3fcf3fe2af1e0611eb3fb11cf5b48e022056a5ab00af314086136ac8d8ac43055203a436f53f05a1f36abd2b8c8d9aabe7:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/cloud/aws/rds/rds-public-access.yaml b/cloud/aws/rds/rds-public-access.yaml
index c4f3f9afa1..2034419303 100644
--- a/cloud/aws/rds/rds-public-access.yaml
+++ b/cloud/aws/rds/rds-public-access.yaml
@@ -56,4 +56,5 @@ code:
 extractors:
 - type: dsl
 dsl:
- - 'dbcluster + " RDS Publicly Accessible Enabled"'
\ No newline at end of file
+ - 'dbcluster + " RDS Publicly Accessible Enabled"'
+# digest: 4b0a00483046022100d9e7638aebedfb54a1eda95f6d2d9baff969579b003a9471167303bac6816bc8022100e79a1be5210dfce91a16923d8aa5d154e592c9c50c9b3ea10317445c9a936006:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
From 0ad235e4fa921ffeeb95a68cd536ff40fbda08dd Mon Sep 17 00:00:00 2001
From: ghost
Date: Mon, 28 Oct 2024 08:55:18 +0000
Subject: [PATCH 28/28] =?UTF-8?q?chore:=20generate=20templates=20checksum?= =?UTF-8?q?=20=F0=9F=A4=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 templates-checksum.txt | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/templates-checksum.txt b/templates-checksum.txt
index f69c8924e8..c5be9bc8f6 100644
--- a/templates-checksum.txt
+++ b/templates-checksum.txt
@@ -59,10 +59,10 @@ cloud/aws/ec2/ec2-unrestricted-telnet.yaml:d7f80cec0723d2723300c078552824ec1a8b6 cloud/aws/ec2/publicly-shared-ami.yaml:49e3f4939b9991f5ac9db99fbb7f7caba021227d cloud/aws/ec2/unencrypted-aws-ami.yaml:35fc4a61e70120df3aafba92b4153ffa5b8c92b6 cloud/aws/efs/efs-encryption-disabled.yaml:a06753f3438ae2c8d33f22e1897809a40ebd4f58 -cloud/aws/elasticache/cache-automatic-backups-disabled.yaml:3c43708f22f2f4b03d0b3c5d53f69241a5433fd4 -cloud/aws/elasticache/cache-event-notification-disabled.yaml:e9936376845ba8371aeca8160578a5cbb5260879 -cloud/aws/elasticache/cache-redis-encryption-disabled.yaml:19222ba22326d0d3c241dad6ff73312364aa8fd3 -cloud/aws/elasticache/cache-redis-multiaz-disabled.yaml:339eb5bc29e78e279e1446e79f94f33eaffe01cd +cloud/aws/elasticache/cache-automatic-backups-disabled.yaml:a56a30751815c84caf6a12ed97611398841ae1bf +cloud/aws/elasticache/cache-event-notification-disabled.yaml:447687c2c87aff99cc56b53bf64ec732c315fb6a +cloud/aws/elasticache/cache-redis-encryption-disabled.yaml:cff952504f5572689ce445ef04df6701be811c88 +cloud/aws/elasticache/cache-redis-multiaz-disabled.yaml:edefd293dc8cfa469ddf33157eb4d2c4e4c6751f cloud/aws/firehose/firehose-server-destination-encryption.yaml:cc2ce3e4a4f4173fdbae1efba8565a0617750bbd cloud/aws/firehose/firehose-server-side-encryption.yaml:bbcbf8014a6f4a4278b89fde4f89a6416e0e0b59 cloud/aws/guardduty/guardduty-findings.yaml:ab7105cc4d1c7f27fc076d2eec8180857f72bfbd 
@@ -84,18 +84,28 @@ cloud/aws/inspector2/inspector2-disabled.yaml:e2be1022666c9efa9fe7e311bd4eb60c5c
 cloud/aws/rds/aurora-copy-tags-snap.yaml:9d0f7c95a0e76e441aa771fc7ee6c85a0f510736
 cloud/aws/rds/aurora-delete-protect.yaml:4ff1aef5f611e5bdec4248c135e99db23c8c599e
 cloud/aws/rds/iam-db-auth.yaml:8b12e2e629800d449708351652b27657e5854081
+cloud/aws/rds/rds-auto-minor-upgrade-disabled.yaml:b4f1f559369656933487bd873047a33b301a2a1f
+cloud/aws/rds/rds-automated-backup-disabled.yaml:5d64d546257d3c79598c6ebe449771205114e883
+cloud/aws/rds/rds-backtrack-disabled.yaml:1d29816bf3dad0d49b8325fd32042a1917129469
 cloud/aws/rds/rds-backup-enable.yaml:cf8045353bdd93d67f9daf86df24ad7d94004cab
+cloud/aws/rds/rds-cluster-protection-disabled.yaml:bcc5219c0fe499d4cb7a518fc516d9414f38f70f
+cloud/aws/rds/rds-copy-snap.yaml:234202c75b7095c084565278063a118ef3a3d453
 cloud/aws/rds/rds-deletion-protection.yaml:7b330b03c3a6066324dfe33af351de0b85cb4cd0
 cloud/aws/rds/rds-encryption-check.yaml:c35b52675cf1ae565d3edd5a8864e1601a1fb498
 cloud/aws/rds/rds-event-notify.yaml:03998790659d38696b70b1f3e6c64c6dffccc7a2
 cloud/aws/rds/rds-event-sub-enable.yaml:10469f43441c8414c199458f88524419275a187b
 cloud/aws/rds/rds-event-sub.yaml:f83dba6f60062de8a3accc50ed6ef2e83aca9e67
 cloud/aws/rds/rds-gp-ssd-usage.yaml:bf522b4246d3285ca43b326e0565b532ad7315ac
+cloud/aws/rds/rds-insights-disabled.yaml:4f0b2afa6397dd19bc392256e7b0756e6a17141a
+cloud/aws/rds/rds-instance-autoscaling-disabled.yaml:01b1e18a345246fd34c65d967d88b9f2e84469a6
+cloud/aws/rds/rds-log-export-disabled.yaml:740b200a5ac1b93b867b6a6145891e2ac2ea0d84
+cloud/aws/rds/rds-multi-az.yaml:ab64db92c3fbb7b1c4abc4ac0c48db79358f392d
+cloud/aws/rds/rds-public-access.yaml:9f5789c6eed7cf4fac280ae37186f2cf1e1e6b06
 cloud/aws/rds/rds-public-snapshot.yaml:c5d64997130a6c496154d96b3373904bd1fbebfd
 cloud/aws/rds/rds-public-subnet.yaml:d2b63d178d24faa83223568a3bb5bb7ac2a53f46
 cloud/aws/rds/rds-ri-payment-fail.yaml:905953edc8139ecfb370d3ee288b65e77eef65b0
 cloud/aws/rds/rds-snapshot-encryption.yaml:fb8b45fa0dff44a66911abf6a70e32530de776f1
-cloud/aws/route53/route53-dns-query-disabled.yaml:82ebb642bce252700c264c9bba18adc546c95815
+cloud/aws/route53/route53-dns-query-disabled.yaml:7c09b95c96bf5f0cdef37bc6e9e084024dfe0137
 cloud/aws/route53/route53-dnssec-signing-disabled.yaml:8db84df5d34c7f1cbc88ad2730776c7cc6439a3d
 cloud/aws/s3/s3-access-logging.yaml:60f0011f6da935cef7d76840d5755de49e06730e
 cloud/aws/s3/s3-auth-fullcontrol.yaml:b7bbb1b9edac9baef27465651bb5afcf41ff51e3
@@ -9564,7 +9574,7 @@ ssl/tls-version.yaml:4e40f08efbb39172b9280ea9e26ca5f0a14a575a
 ssl/untrusted-root-certificate.yaml:a91d36990a1d052f5ee64d170ad8f084d38dab19
 ssl/weak-cipher-suites.yaml:62fe808d9dfafda67c410e6cb9445fdc70257e89
 ssl/wildcard-tls.yaml:d244f62c7bd22d3868fc6fc7cb9550af6b261210
-templates-checksum.txt:5b6e4773e737b48c5c963dbb1da96f85770d791a
+templates-checksum.txt:88fe40c990c6bcaaab282123da7bb0ad91d1dcb1
 wappalyzer-mapping.yml:7f03bd65baacac20c1dc6bbf35ff2407959574f1
 workflows/74cms-workflow.yaml:bb010e767ad32b906153e36ea618be545b4e22d0
 workflows/acrolinx-workflow.yaml:8434089bb55dec3d7b2ebc6a6f340e73382dd0c4
