adamcrosby / aws-cis-scanner
AWS CIS Benchmark scanner
Enable the scanner to be used in a pipeline and/or other situations (such as a cron job or CGI).
Hi,
When running v1.1 on Ubuntu 16.04, it segfaults with the following error:
./aws-cis-scanner-linux-x64-v1.1
BucketRegionError: incorrect region, the bucket is not in 'ap-northeast-1' region
status code: 301, request id:
BucketRegionError: incorrect region, the bucket is not in 'ap-northeast-1' region
status code: 301, request id:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x491419]
goroutine 1 [running]:
panic(0x9c4bc0, 0xc42000a0a0)
/usr/local/go/src/runtime/panic.go:500 +0x1a1
github.com/adamcrosby/aws-cis-scanner/benchmark.s3BucketPolicyChecks(0xc4200240b0, 0xc420443420, 0x1b, 0xaacf01)
/Users/adam/code/golang/src/github.com/adamcrosby/aws-cis-scanner/benchmark/logging.go:203 +0x139
github.com/adamcrosby/aws-cis-scanner/benchmark.ensureS3LogsBucketNotPublic(0xc42043da70, 0x2, 0x2, 0xc4200240b0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
/Users/adam/code/golang/src/github.com/adamcrosby/aws-cis-scanner/benchmark/logging.go:152 +0x17e
github.com/adamcrosby/aws-cis-scanner/benchmark.LoggingChecks(0xc4200240d0, 0xc4200240c0, 0xc4200240b0, 0xc4200240a0, 0xc4200119b0, 0xc420024110)
/Users/adam/code/golang/src/github.com/adamcrosby/aws-cis-scanner/benchmark/logging.go:52 +0x2b5
main.checkRegion(0xc4200119b0, 0xc420070c60, 0x0, 0x0, 0x0, 0xc42000bbd0, 0x0, 0x0, 0x0, 0x0, ...)
/Users/adam/code/golang/src/github.com/adamcrosby/aws-cis-scanner/aws-cis-scanner.go:99 +0x4f3
main.main()
/Users/adam/code/golang/src/github.com/adamcrosby/aws-cis-scanner/aws-cis-scanner.go:61 +0x2b9
When running with -r "eu-west-1", it completes within a second, without checking anything:
real 0m0.013s
user 0m0.008s
sys 0m0.004s
Suggestion on how to fix this? This tool surely looks nice!
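The panic in the report above is a nil pointer dereference reached after the S3 call had already failed with a wrong-region error, which is what happens when a check uses the SDK's response without first looking at the returned error. As an added example (not code from the aws-cis-scanner project), the check below for "the logs bucket is not public" examines the error before touching the policy and reports the bucket as SKIPPED instead of crashing the whole scan; the PolicyFetcher interface and the ErrWrongRegion sentinel are hypothetical stand-ins for the aws-sdk-go client and its BucketRegionError.

```go
package main

import (
	"encoding/json"
	"errors"
)

// ErrWrongRegion stands in for the SDK's BucketRegionError (HTTP 301) seen in the report;
// a sentinel for this example only, aws-sdk-go returns an awserr.Error instead.
var ErrWrongRegion = errors.New("BucketRegionError: incorrect region for bucket")

// PolicyFetcher is the one S3 call the check needs (GetBucketPolicy in the SDK).
type PolicyFetcher interface{ GetBucketPolicy(bucket string) (*string, error) }

// Result is what a pipeline consumer sees instead of a panic: PASS, FAIL or SKIPPED.
type Result struct{ Bucket, Status, Note string }

// grantsToEveryone matches the principals "*", {"AWS":"*"} and {"AWS":["*", ...]}.
func grantsToEveryone(p interface{}) bool {
	switch v := p.(type) {
	case string:
		return v == "*"
	case []interface{}:
		for _, e := range v {
			if grantsToEveryone(e) {
				return true
			}
		}
	case map[string]interface{}:
		return grantsToEveryone(v["AWS"])
	}
	return false
}

// CheckLogsBucketNotPublic inspects err before touching policy, so a wrong-region
// reply becomes a SKIPPED result instead of a nil pointer dereference.
func CheckLogsBucketNotPublic(f PolicyFetcher, bucket string) Result {
	policy, err := f.GetBucketPolicy(bucket)
	if errors.Is(err, ErrWrongRegion) {
		return Result{bucket, "SKIPPED", "bucket is in another region; re-run the check there"}
	}
	if err != nil {
		return Result{bucket, "SKIPPED", err.Error()}
	}
	if policy == nil { // no policy attached: nothing can grant anonymous access
		return Result{bucket, "PASS", "no bucket policy attached"}
	}
	var doc struct{ Statement []struct{ Effect string; Principal interface{} } }
	if err := json.Unmarshal([]byte(*policy), &doc); err != nil {
		return Result{bucket, "SKIPPED", "unparseable policy: " + err.Error()}
	}
	for _, s := range doc.Statement {
		if s.Effect == "Allow" && grantsToEveryone(s.Principal) {
			return Result{bucket, "FAIL", "policy allows an anonymous principal"}
		}
	}
	return Result{bucket, "PASS", "no anonymous Allow statement"}
}
```

A SKIPPED row still surfaces in the report, so a wrong-region bucket is visible as an unchecked item rather than silently dropped or turned into a crash.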
Some of the checks would be useful to have notes on, such as 'security groups which allow port 22 from 0.0.0.0/0': print the name and info in a notes column.
GovCloud, Beijing and C2S regions need to be added as flags.
Need to verify if each of the regions even supports the services necessary. I might break this into 3 different issues to track each separately. I have no way of testing Beijing or C2S.
Right now there is no testing, and barely any error catching.
Add automated testing and test coverage.
The CIS benchmark has a few checks that require 'all' regions to be checked.
Part of #1 requires special handling logic for GovCloud:
Part of #1 requires special handling logic for Beijing Region:
Need: some way to TEST this?