version 2.0
shivankarmadaan committed Mar 22, 2018
1 parent b68d92e commit e39adfc
Showing 56 changed files with 2,453 additions and 248 deletions.
427 changes: 389 additions & 38 deletions cs.py


3 changes: 3 additions & 0 deletions requirements.txt
Expand Up @@ -20,3 +20,6 @@ s3transfer==0.1.10
termcolor==1.1.0
urllib3==1.22
opinel>=3.3.0,<4.0.0
tinydb==3.2.2
google_api_python_client==1.6.1
jinja2==2.9.5
14 changes: 8 additions & 6 deletions scripts/audit_aws_certs.py
Expand Up @@ -2,11 +2,13 @@
import datetime
from termcolor import colored
import subprocess
print "\n\n"
print "################"
print " CERTS AUDIT "
print "################\n\n"
#print "\n\n"
#print "################"
#print " CERTS AUDIT "
#print "################\n\n"
epoch=int(time.time())
account=subprocess.check_output(['aws', 'sts', 'get-caller-identity', '--output', 'text', '--query', 'Account'])
account=account.strip()
certs = subprocess.check_output(['aws', 'iam', 'list-server-certificates', '--region', 'us-east-1', '--query', 'ServerCertificateMetadataList[].ServerCertificateName', '--output', 'text'])
if certs:
for cert in certs.split('\t'):
Expand All @@ -15,6 +17,6 @@
expire_time=time.mktime(time.strptime(expire_date,'%Y-%m-%dT%H:%M:%SZ'))
epoch=int(time.time())
if epoch > expire_time:
print colored("certificate %s has expired",'red') % cert
print ("default,%s,us-east-1,null,WARNING,Scored,null,CERT_AUDIT,certificate %s has expired") % (account,cert)
else:
print colored("certificate %s not expired", 'green') % cert
print ("default,%s,us-east-1,null,PASS,Scored,null,CERT_AUDIT,certificate %s not expired") % (account,cert)
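Review bot: The two new record lines are written as `print ("…certificate %s has expired") % (account,cert)`, which only works because this is a Python 2 print statement; under Python 3 the parenthesised literal is printed as-is and `%` is applied to `None`, raising TypeError. Writing `print("default,%s,us-east-1,null,WARNING,Scored,null,CERT_AUDIT,certificate %s has expired" % (account, cert))` (and the same for the PASS line) produces identical output and is valid in both. The `for cert in certs.split('\t')` loop that encloses this hunk starts above it, and because `certs` is the raw `--output text` result its last element appears to keep the trailing newline, so the final record may carry an embedded newline in the certificate field — `certs.strip()` before the split, as was done for `account`, would avoid that.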
17 changes: 9 additions & 8 deletions scripts/audit_aws_cloud_formation.sh
Expand Up @@ -9,29 +9,30 @@
GREEN='\033[0;32m'
BOLD='\033[1m'
# Check Cloud Formation stacks are using SNS
printf "\n\n"
printf "${BOLD}##############\n"
printf "CloudFormation AUDIT\n"
printf "##############${NC}\n\n"
#printf "\n\n"
#printf "${BOLD}##############\n"
#printf "CloudFormation AUDIT\n"
#printf "##############${NC}\n\n"
account=`aws sts get-caller-identity --output text --query 'Account'`
for aws_region in ap-south-1 eu-west-2 eu-west-1 ap-northeast-2 ap-northeast-1 sa-east-1 ca-central-1 ap-southeast-1 ap-southeast-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2;do
stacks=`aws cloudformation list-stacks --region $aws_region --query 'StackSummaries[].StackId' --output text`
for stack in $stacks; do
check=`aws cloudformation describe-stacks --region $aws_region --stack-name $stack --query 'Stack[].NotificationARNs' --output text`
stack=`printf "$stack" |cut -f2 -d/`
if [ ! "$check" ]; then
printf "${RED}SNS topic does not exist for CloudFormation stack $stack${NC}\n"
printf "default,$account,$aws_region,null,WARNING,Scored,null,CLOUD_FORMATION_AUDIT,SNS topic does not exist for CloudFormation stack $stack\n"
else
printf "${GREEN}SNS topic does exist for CloudFormation stack $stack${NC}\n"
printf "default,$account,$aws_region,null,PASS,Scored,null,CLOUD_FORMATION_AUDIT,SNS topic does exist for CloudFormation stack $stack\n"
fi
done
# Check stacks have a policy
stacks=`aws cloudformation list-stacks --region $aws_region --query 'StackSummaries[].StackName' --output text`
for stack in $stacks; do
check=`aws cloudformation get-stack-policy --region $aws_region --stack-name $stack --query 'StackPolicyBody' --output text 2> /dev/null`
if [ ! "$check" ]; then
printf "${RED}CloudFormation stack $stack does not have a policy${NC}\n"
printf "default,$account,$aws_region,null,WARNING,Scored,null,CLOUD_FORMATION_AUDIT,CloudFormation stack $stack does not have a policy\n"
else
printf "${GREEN}CloudFormation stack $stack has a policy${NC}\n"
printf "default,$account,$aws_region,null,PASS,Scored,null,CLOUD_FORMATION_AUDIT,CloudFormation stack $stack has a policy\n"
fi
done
done
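Review bot: The four new record lines in the if/else branches place `$stack` and `$account` inside the printf format string, so a stack name containing `%` or `\` is parsed as a format directive and the record is mangled or truncated; pass the data as an argument instead, e.g. `printf '%s\n' "default,$account,$aws_region,null,WARNING,Scored,null,CLOUD_FORMATION_AUDIT,SNS topic does not exist for CloudFormation stack $stack"`. The same format-string pattern is in the new record lines of audit_aws_config.sh, audit_aws_dns.sh, audit_aws_ec.sh, audit_aws_ec2.sh, audit_aws_elb.sh, audit_aws_es.sh and audit_aws_keys.sh, and the `echo -e` form in audit_aws_rds.sh has the equivalent problem with backslash sequences. Separately, the `describe-stacks` query on the SNS check uses `Stack[].NotificationARNs`, but that command returns a `Stacks` list, so `$check` looks like it is always empty and the new WARNING record would be emitted for every stack — confirm against live CLI output and change the query to `Stacks[].NotificationARNs` if so.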
17 changes: 9 additions & 8 deletions scripts/audit_aws_config.sh
Expand Up @@ -7,21 +7,22 @@
NC='\033[0m'
GREEN='\033[0;32m'
BOLD='\033[1m'
printf "\n\n"
printf "${BOLD}############\n"
printf "Config AUDIT\n"
printf "############${NC}\n\n"
#printf "\n\n"
#printf "${BOLD}############\n"
#printf "Config AUDIT\n"
#printf "############${NC}\n\n"
account=`aws sts get-caller-identity --output text --query 'Account'`
for aws_region in ap-south-1 eu-west-2 eu-west-1 ap-northeast-2 ap-northeast-1 sa-east-1 ca-central-1 ap-southeast-1 ap-southeast-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2;do
check=`aws configservice describe-configuration-recorders --region $aws_region`
if [ ! "$check" ]; then
printf "${RED}AWS Configuration Recorder not enabled${NC}\n"
printf "default,$account,$aws_region,null,WARNING,Scored,null,CONFIG_AUDIT,AWS Configuration Recorder not enabled\n"
else
printf "${GREEN}AWS Configuration Recorder enabled${NC}\n"
printf "default,$account,$aws_region,null,PASS,Scored,null,CONFIG_AUDIT,AWS Configuration Recorder enabled\n"
fi
check=`aws configservice --region $aws_region get-status |grep FAILED`
if [ "$check" ]; then
printf "${RED}AWS Config not enabled${NC}\n"
printf "default,$account,$aws_region,null,WARNING,Scored,null,CONFIG_AUDIT,AWS Config not enabled\n"
else
printf "${GREEN}AWS Config enabled in region $aws_region${NC}\n"
printf "default,$account,$aws_region,null,PASS,Scored,null,CONFIG_AUDIT,AWS Config enabled in region $aws_region\n"
fi
done
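Review bot: The new "Configuration Recorder enabled" PASS record is emitted whenever `$check` is non-empty, but `aws configservice describe-configuration-recorders` with default JSON output prints `{"ConfigurationRecorders": []}` even when no recorder exists, so the first check appears never to reach its WARNING branch — verify in a region with no recorder. Adding `--query 'ConfigurationRecorders[].name' --output text` to that call makes the empty case an empty string, so the existing `[ ! "$check" ]` test then behaves as intended. Both record lines also embed `$account` and `$aws_region` in the printf format string rather than passing them as `%s` arguments.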
25 changes: 13 additions & 12 deletions scripts/audit_aws_dns.sh
Expand Up @@ -11,40 +11,41 @@
NC='\033[0m'
GREEN='\033[0;32m'
BOLD='\033[1m'
printf "\n\n"
printf "${BOLD}############\n"
printf " Route53 AUDIT\n"
printf "############${NC}\n\n"
#printf "\n\n"
#printf "${BOLD}############\n"
#printf " Route53 AUDIT\n"
#printf "############${NC}\n\n"
account=`aws sts get-caller-identity --output text --query 'Account'`
for aws_region in ap-south-1 eu-west-2 eu-west-1 ap-northeast-2 ap-northeast-1 sa-east-1 ca-central-1 ap-southeast-1 ap-southeast-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2;do
domains=`aws route53domains --region $aws_region list-domains --query 'Domains[].DomainName' --output text 2> /dev/null`
for domain in $domains; do
check=`aws route53domains get-domain-detail --region $aws_region --domain-name $domain |grep true`
if [ ! "$check" ]; then
printf "${RED}Domain $domain does not auto renew${NC}\n"
printf "default,$account,$aws_region,null,WARNING,Scored,null,DNS_AUDIT,Domain $domain does not auto renew\n"
else
printf "${GREEN}Domain $domain does auto renew${NC}\n"
printf "default,$account,$aws_region,null,PASS,Scored,null,DNS_AUDIT,Domain $domain does auto renew\n"
fi
cur_secs=`date "+%s"`
exp_secs=`aws route53domains get-domain-detail --region $aws_region --domain-name $domain --query "ExpirationDate" --output text 2> /dev/null`
if [ "$exp_secs" -lt "$cur_secs" ]; then
printf "${RED}Warning: Domain $domain registration has expired${NC}\n"
printf "default,$account,$aws_region,null,WARNING,Scored,null,DNS_AUDIT,Warning: Domain $domain registration has expired\n"
else
printf "${GREEN}Domain $domain registration has not expired${NC}\n"
printf "default,$account,$aws_region,null,PASS,Scored,null,DNS_AUDIT,Domain $domain registration has not expired\n"
fi
check=`aws route53domains get-domain-detail --region $aws_region --domain-name $domain --query "Status" --output text 2> /dev/null | grep clientTransferProhibited`
if [ ! "$check" ]; then
printf "${RED}Domain $domain does not have Domain Transfer Lock enabled${NC}\n"
printf "default,$account,$aws_region,null,WARNING,Scored,null,DNS_AUDIT,Domain $domain does not have Domain Transfer Lock enabled\n"
else
printf "${GREEN}Domain $domain does have Domain Transfer Lock enabled${NC}\n"
printf "default,$account,$aws_region,null,PASS,Scored,null,DNS_AUDIT,Domain $domain does have Domain Transfer Lock enabled\n"
fi
done
zones=`aws route53 list-hosted-zones --region $aws_region --query "HostedZones[].Id" --output text 2> /dev/null |cut -f3 -d'/'`
for zone in $zones; do
spf=`aws route53 list-resource-record-sets --region $aws_region --hosted-zone-id $zone --query "ResourceRecordSets[?Type == 'SPF']" --output text`
if [ ! "$spf" ]; then
printf "${RED}Zone $zone does not have SPF records${NC}\n"
printf "default,$account,$aws_region,null,WARNING,Scored,null,DNS_AUDIT,Zone $zone does not have SPF records\n"
else
printf "${GREEN}Zone $zone has SPF records${NC}\n"
printf "default,$account,$aws_region,null,PASS,Scored,null,DNS_AUDIT,Zone $zone has SPF records\n"
fi
done
done
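Review bot: The new "registration has not expired" PASS record is also produced when the `[ "$exp_secs" -lt "$cur_secs" ]` test fails for a non-numeric reason: `get-domain-detail` has stderr discarded, so on any error `$exp_secs` is empty, and even on success `ExpirationDate` is not guaranteed to be a plain integer (older CLIs render the epoch value as a float, newer ones as an ISO-8601 string), so `-lt` rejects it and the else branch reports a pass. Guard the comparison, e.g. `exp_secs=${exp_secs%%.*}` followed by `[[ "$exp_secs" =~ ^[0-9]+$ ]] || exp_secs=0`, so a failed or unparsable lookup lands in the WARNING branch rather than the PASS one. The `route53domains` calls also appear to run once per region inside the loop although that API is not regional, which repeats the same suppressed failures across all 14 iterations.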
13 changes: 7 additions & 6 deletions scripts/audit_aws_ec.sh
Expand Up @@ -7,18 +7,19 @@
NC='\033[0m'
GREEN='\033[0;32m'
BOLD='\033[1m'
printf "\n\n"
printf "${BOLD}############\n"
printf " ElastiCache AUDIT\n"
printf "############${NC}\n\n"
#printf "\n\n"
#printf "${BOLD}############\n"
#printf " ElastiCache AUDIT\n"
#printf "############${NC}\n\n"
account=`aws sts get-caller-identity --output text --query 'Account'`
for aws_region in ap-south-1 eu-west-2 eu-west-1 ap-northeast-2 ap-northeast-1 sa-east-1 ca-central-1 ap-southeast-1 ap-southeast-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2;do
caches=`aws elasticache describe-replication-groups --region $aws_region --query 'ReplicationGroups[].ReplicationGroupId' --output text`
for cache in $caches; do
check=`aws elasticache describe-replication-groups --region $aws_region --replication-group-id $cache --query 'ReplicationGroups[].AutomaticFailover' |grep enabled`
if [ ! "$check" ]; then
printf "${RED}ElastiCache $cache is not Multi-AZ enabled${NC}\n"
printf "default,$account,$aws_region,null,WARNING,Scored,null,ELASTIC_CACHE_AUDIT,ElastiCache $cache is not Multi-AZ enabled\n"
else
printf "${GREEN}ElastiCache $cache is Multi-AZ enabled${NC}\n"
printf "default,$account,$aws_region,null,PASS,Scored,null,ELASTIC_CACHE_AUDIT,ElastiCache $cache is Multi-AZ enabled\n"
fi
done
done
23 changes: 12 additions & 11 deletions scripts/audit_aws_ec2.sh
Expand Up @@ -11,28 +11,29 @@
NC='\033[0m'
GREEN='\033[0;32m'
BOLD='\033[1m'
printf "\n\n"
printf "${BOLD}############\n"
printf "EC2 AUDIT\n"
printf "############${NC}\n\n"
#printf "\n\n"
#printf "${BOLD}############\n"
#printf "EC2 AUDIT\n"
#printf "############${NC}\n\n"
account=`aws sts get-caller-identity --output text --query 'Account'`
for aws_region in ap-south-1 eu-west-2 eu-west-1 ap-northeast-2 ap-northeast-1 sa-east-1 ca-central-1 ap-southeast-1 ap-southeast-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2;do
check=`aws ec2 describe-instances --region $aws_region --query 'Reservations[*].Instances[?!IamInstanceProfile==\`true\`].InstanceId[]' --output text`
if [[ ! -z $check ]];then
checkb=`aws ec2 describe-instances --region $aws_region --query 'Reservations[*].Instances[?!IamInstanceProfile==\`true\`].InstanceId[]'`
printf "${RED}List of servers which are not associated with IamInstanceProfile $checkb in region $aws_region ${NC}\n"
checkb=`aws ec2 describe-instances --region $aws_region --query 'Reservations[*].Instances[?!IamInstanceProfile==\`true\`].InstanceId[]' --output text`
printf "default,$account,$aws_region,null,WARNING,Scored,null,EC2_AUDIT,List of servers which are not associated with IamInstanceProfile $check \n"
fi
public=`aws ec2 describe-images --region $aws_region --owners self --query 'Images[?Public==\`true\`].ImageId' --output text`
if [ "$public" ]; then
printf "${RED}List of Images which are public $public for region $aws_region ${NC}\n"
printf "default,$account,$aws_region,null,WARNING,Scored,null,EC2_AUDIT,List of Images which are public $public\n"
fi
check=`aws ec2 describe-volumes --region $aws_region --query 'Volumes[?Encrypted==\`false\`].VolumeId' --output text`
if [[ ! -z $check ]];then
checkb=`aws ec2 describe-volumes --region $aws_region --query 'Volumes[?Encrypted==\`false\`].VolumeId'`
printf "${RED}List of volumes which are not encrypted $checkb for region $aws_region${NC}\n"
checkb=`aws ec2 describe-volumes --region $aws_region --query 'Volumes[?Encrypted==\`false\`].VolumeId' --output text`
printf "default,$account,$aws_region,null,WARNING,Scored,null,EC2_AUDIT,List of volumes which are not encrypted $checkb\n"
fi
kms=`aws ec2 describe-volumes --region $aws_region --query 'Volumes[?!KmsKeyId==\`true\`].VolumeId' --output text`
if [[ ! -z $kms ]];then
kmsb=`aws ec2 describe-volumes --region $aws_region --query 'Volumes[?!KmsKeyId==\`true\`].VolumeId'`
printf "${RED}List of volumes which are not encrypted with KMS key are $kmsb for region $aws_region ${NC}\n"
kmsb=`aws ec2 describe-volumes --region $aws_region --query 'Volumes[?!KmsKeyId==\`true\`].VolumeId' --output text`
printf "default,$account,$aws_region,null,WARNING,Scored,null,EC2_AUDIT,List of volumes which are not encrypted with KMS key are $kmsb\n"
fi
done
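Review bot: The new `checkb=…--output text` assignment in the IamInstanceProfile block repeats the exact call whose result is already in `$check`, and the record line right after it prints `$check` anyway, so that assignment is a dead extra API call; the same re-query is added for `$checkb` in the unencrypted-volume block and `$kmsb` in the KMS block, where `$check` and `$kms` already hold identical text. Drop the three new assignments and reuse the existing variables in the record lines, e.g. `…EC2_AUDIT,List of volumes which are not encrypted $check\n` and `…KMS key are $kms\n`. Note also that `--output text` renders multi-element results tab-separated (and for the nested instance query possibly across several lines), so a single record may carry embedded tabs or newlines into the comma-separated output.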
13 changes: 7 additions & 6 deletions scripts/audit_aws_elb.sh
Expand Up @@ -12,10 +12,11 @@
NC='\033[0m'
GREEN='\033[0;32m'
BOLD='\033[1m'
printf "\n\n"
printf "${BOLD}############\n"
printf " ELB AUDIT \n"
printf "############${NC}\n\n"
#printf "\n\n"
#printf "${BOLD}############\n"
#printf " ELB AUDIT \n"
#printf "############${NC}\n\n"
account=`aws sts get-caller-identity --output text --query 'Account'`
for aws_region in ap-south-1 eu-west-2 eu-west-1 ap-northeast-2 ap-northeast-1 sa-east-1 ca-central-1 ap-southeast-1 ap-southeast-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2;do

elbs=`aws elb describe-load-balancers --region $aws_region --query "LoadBalancerDescriptions[].LoadBalancerName" --output text`
Expand All @@ -26,7 +27,7 @@
if [ "$protocol" == "HTTP" ];then
https=`aws elb describe-load-balancers --region $aws_region --load-balancer-name $elb --query "LoadBalancerDescriptions[].ListenerDescriptions[].Listener[]" | grep -B 1 80, | grep 443`
if [ ! "$https" ];then
printf "${RED}$elb is running only on http${NC}\n"
printf "default,$account,$aws_region,null,WARNING,Scored,null,ELB_AUDIT,$elb is running only on http\n"
fi
fi
done
Expand All @@ -38,7 +39,7 @@
EXP-KRB5-DES-CBC-MD5 EXP-ADH-RC4-MD5 EXP-RC4-MD5 EXP-KRB5-RC4-SHA EXP-KRB5-RC4-MD5; do
check=`echo "$list" |grep $cipher |grep true`
if [ "$check" ]; then
printf "${RED}ELB $elb is using deprecated cipher $cipher${NC}\n"
printf "default,$account,$aws_region,null,WARNING,Scored,null,ELB_AUDIT,ELB $elb is using deprecated cipher $cipher\n"
fi
done
done
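Review bot: Both new record lines emit only a WARNING row, with no PASS counterpart as the other audit scripts in this commit have, so a consumer of the CSV cannot tell "listener checked and has HTTPS" apart from "load balancer not evaluated at all" (for instance when the `describe-load-balancers` listing fails and the `for elb` loop runs zero times). An `else` branch on the http check writing `printf '%s\n' "default,$account,$aws_region,null,PASS,Scored,null,ELB_AUDIT,$elb has an https listener"` would make the output self-describing. Both hunks are inside the `for elb` loop, and the second inside the cipher loop as well, whose starts lie outside the hunks.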
17 changes: 9 additions & 8 deletions scripts/audit_aws_es.sh
Expand Up @@ -8,24 +8,25 @@
NC='\033[0m'
GREEN='\033[0;32m'
BOLD='\033[1m'
printf "\n\n"
printf "${BOLD}############\n"
printf "ElasticSearch\n"
printf "############${NC}\n\n"
#printf "\n\n"
#printf "${BOLD}############\n"
#printf "ElasticSearch\n"
#printf "############${NC}\n\n"
account=`aws sts get-caller-identity --output text --query 'Account'`
for aws_region in ap-south-1 eu-west-2 eu-west-1 ap-northeast-2 ap-northeast-1 sa-east-1 ca-central-1 ap-southeast-1 ap-southeast-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2;do
domains=`aws es list-domain-names --region $aws_region --query "DomainNames[].DomainName" --output text`
for domain in $domains; do
check=`aws es describe-elasticsearch-domain --domain-name $domain --query 'DomainStatus.AccessPolicies' --output text |grep Principle | grep "{\"AWS\":\"\*\"}"`
if [ ! "$check" ]; then
printf "${GREEN}Elasticsearch doamin $domain is not publicly accessible${NC}\n"
printf "default,$account,$aws_region,null,PASS,Scored,null,ELASTIC_SEARCH_AUDIT,Elasticsearch doamin $domain is not publicly accessible\n"
else
printf "${RED}Elasticsearch doamin $domain is publicly accessible${NC}\n"
printf "default,$account,$aws_region,null,WARNING,Scored,null,ELASTIC_SEARCH_AUDIT,Elasticsearch doamin $domain is publicly accessible\n"
fi
check=`aws es describe-elasticsearch-domain --domain-name $domain --query 'DomainStatus.AccessPolicies' --output text |grep "aws:SourceIp" |grep "[0-9]\."`
if [ ! "$check" ]; then
printf "${RED}Elasticsearch domain $domain does not have an IP based access policy${NC}\n"
printf "default,$account,$aws_region,null,WARNING,Scored,null,ELASTIC_SEARCH_AUDIT,Elasticsearch domain $domain does not have an IP based access policy\n"
else
printf "${GREEN}Elasticsearch doamin $domain has an IP based access policy${NC}\n"
printf "default,$account,$aws_region,null,PASS,Scored,null,ELASTIC_SEARCH_AUDIT,Elasticsearch doamin $domain has an IP based access policy\n"
fi
done
done
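Review bot: The new records stamp `$aws_region` into the region field, yet neither `describe-elasticsearch-domain` call passes `--region $aws_region`, so each domain listed in `$aws_region` is looked up in the CLI's default region; when that lookup fails `$check` is empty and the first branch writes a PASS "not publicly accessible" record for a domain it never examined. That check is further weakened by `grep Principle` — the policy key is `Principal`, so the public-access pattern appears unable to match anything — and the new strings carry the `doamin` typo forward. Add `--region $aws_region` to both calls, change the grep to `Principal`, and treat a failed lookup as a WARNING rather than a PASS.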
13 changes: 7 additions & 6 deletions scripts/audit_aws_keys.sh
Expand Up @@ -9,18 +9,19 @@
NC='\033[0m'
GREEN='\033[0;32m'
BOLD='\033[1m'
printf "\n\n"
#printf "\n\n"
aws_region=`aws configure get region`
printf "${BOLD}############\n"
printf "AWS SSH AUDIT\n"
printf "############${NC}\n\n"
#printf "${BOLD}############\n"
#printf "AWS SSH AUDIT\n"
#printf "############${NC}\n\n"
# Check for SSH keys
account=`aws sts get-caller-identity --output text --query 'Account'`
users=`aws iam list-users --query 'Users[].UserName' --output text`
for user in $users; do
check=`aws iam list-ssh-public-keys --region $aws_region --user-name $user |grep Active |wc -l`
if [ "$check" -gt 1 ]; then
printf "${RED}User $user does has more than one active SSH key${NC}\n"
printf "default,$account,us-east-1,null,WARNING,Scored,null,AWS_KEY_AUDIT,User $user does has more than one active SSH key\n"
else
printf "${GREEN}User $user does not have any active SSH key${NC}\n"
printf "default,$account,us-east-1,null,PASS,Scored,null,AWS_KEY_AUDIT,User $user does not have any active SSH key\n"
fi
done
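Review bot: The two new record lines hard-code `us-east-1` in the region field while the script derives `$aws_region` from `aws configure get region` and uses it for the `list-ssh-public-keys` call, so the records can disagree with the region actually queried; use `$aws_region` in both lines, e.g. `printf '%s\n' "default,$account,$aws_region,null,WARNING,Scored,null,AWS_KEY_AUDIT,User $user has more than one active SSH key"`. The else branch is reached for a count of exactly 1 as well as 0, so the new PASS text "does not have any active SSH key" misdescribes users with one key — "does not have more than one active SSH key" matches the `-gt 1` test. The count itself is a `grep Active | wc -l` over JSON, which counts any line containing that word; `--query 'SSHPublicKeys[?Status==\`Active\`].SSHPublicKeyId' --output text` would count keys rather than lines.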
13 changes: 7 additions & 6 deletions scripts/audit_aws_rds.sh
Expand Up @@ -13,18 +13,19 @@
NC='\033[0m'
GREEN='\033[0;32m'
BOLD='\033[1m'
printf "\n\n"
printf "${BOLD}############\n"
printf " RDS AUDIT\n"
printf "############${NC}\n\n"
#printf "\n\n"
#printf "${BOLD}############\n"
#printf " RDS AUDIT\n"
#printf "############${NC}\n\n"
account=`aws sts get-caller-identity --output text --query 'Account'`
for aws_region in ap-south-1 eu-west-2 eu-west-1 ap-northeast-2 ap-northeast-1 sa-east-1 ca-central-1 ap-southeast-1 ap-southeast-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2;do
dbs=`aws rds describe-db-instances --region $aws_region --query 'DBInstances[].DBInstanceIdentifier' --output text`
for db in $dbs; do
check=`aws rds describe-db-instances --region $aws_region --db-instance-identifier $db --query 'DBInstances[].MasterUsername' |grep "awsuser"`
if [ "$check" ]; then
echo -e "${RED}RDS instance $db is using aws-user as master username${NC}\n"
echo -e "default,$account,$aws_region,null,WARNING,Scored,null,RDS_AUDIT,RDS instance $db is using aws-user as master username"
else
echo -e "${GREEN}RDS instance $db is not using aws-user as master username${NC}\n"
echo -e "default,$account,$aws_region,null,PASS,Scored,null,RDS_AUDIT,RDS instance $db is not using aws-user as master username"
fi
done
done
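Review bot: The new record lines use `echo -e` with `$db` and `$account` interpolated into the string, so any backslash sequence in the data is expanded, and this is the only script in the commit that does not emit records via printf; write them as `printf '%s\n' "default,$account,$aws_region,null,WARNING,Scored,null,RDS_AUDIT,RDS instance $db is using aws-user as master username"` (and the PASS line likewise) for consistency and safety. The check greps for the literal `awsuser` while both new messages say `aws-user`; one of the two is wrong and the record will mislead whoever reads it — confirm which master username the audit is meant to flag. `grep "awsuser"` is also a substring match over JSON, so a username such as `myawsuser2` trips the warning; `--output text` with an exact comparison `[ "$check" = "awsuser" ]` would be stricter.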