#!/usr/bin/env bash

# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.

# Prowler group definition: slot 15 is the PCI-DSS v3.2.1 reference group.
# These four arrays are read by the main prowler script, which selects the
# group by GROUP_ID and runs every check id listed in GROUP_CHECKS.
GROUP_ID[15]="pci"
GROUP_NUMBER[15]="15.0"
GROUP_TITLE[15]="PCI-DSS v3.2.1 Readiness - ONLY AS REFERENCE - [pci] **********"
# Active check ids, one per word, joined with ',' inside a subshell so that
# nothing except GROUP_CHECKS[15] is left behind in the sourcing shell.
# NOTE(review): the reference map below also cites check41, check42, check111,
# extra73, extra716, extra734, extra749, extra752 and extra779, which are not
# part of this list — confirm whether those omissions are intentional.
GROUP_CHECKS[15]=$(
  IFS=,
  set -- \
    check11 check12 check13 check14 check15 check16 check17 check18 check19 \
    check110 check112 check113 check114 check116 \
    check21 check23 check25 check26 check27 check28 check29 \
    check314 check36 check38 \
    check43 \
    extra711 extra713 extra717 extra718 extra72 extra729 extra735 extra738 \
    extra740 extra744 extra748 extra75 extra750 extra751 extra753 extra754 \
    extra755 extra773 extra78 extra780 extra781 extra782 extra783 extra784 \
    extra785 extra787 extra788 extra798
  printf '%s' "$*"
)

# Resources:
# https://github.com/toniblyx/prowler/issues/296

# List of checks based on PCI v3.2.1
# 3.1 Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data

#     Ensure no security groups allow ingress from 0.0.0.0/0 to all ports and protocols extra748
#     Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP 3389) check42
#     Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP 22) check41
#     Ensure no security groups allow ingress from 0.0.0.0/0 to Oracle (TCP 1521) extra749
#     Ensure no security groups allow ingress from 0.0.0.0/0 to Oracle (TCP and UDP 2483) extra749
#     Ensure no security groups allow ingress from 0.0.0.0/0 to Oracle (UDP 2483) extra749
#     Ensure no security groups allow ingress from 0.0.0.0/0 to MySQL (TCP 3306) extra750
#     Ensure no security groups allow ingress from 0.0.0.0/0 to Postgres (TCP 5432) extra751
#     Ensure no security groups allow ingress from 0.0.0.0/0 to Redis (TCP 6379) extra752
#     Ensure no security groups allow ingress from 0.0.0.0/0 to MongoDB (TCP 27017 and 27018) extra753
#     Ensure no security groups allow ingress from 0.0.0.0/0 to Cassandra (TCP 7199, 9160 and 8888) extra754
#     Ensure no security groups allow ingress from 0.0.0.0/0 to Memcached (TCP and UDP 11211) extra755
#     Ensure no security groups allow ingress from 0.0.0.0/0 to Elasticsearch ports (TCP 9200/9300/5601) extra779
#     Ensure the default security group restricts all traffic check43
#     Remove unused security groups extra75
#     RDS should not have Public interface open to a public scope extra78
#     Check for Publicly Accessible Redshift Clusters extra711
#     Ensure Lambda Functions are not publicly accessible extra798

# 3.2 Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters

#     Instance with administrative service: SSH (TCP:22) is exposed to the public Internet check41
#     Instance with administrative service: RDP (TCP:3389) is exposed to the public Internet check42
#     Instance with unencrypted Redis: (TCP:6379) is exposed to the public Internet extra752

# 3.3 Requirement 3: Protect Stored Cardholder Data

#     S3 Buckets Server Side encryption at rest extra734
#     Ensure ECS Cluster At-rest encryption TODO
#     Ensure DynamoDB Server Side Encryption DONE (default behavior)
#     Check if RDS instances storage is encrypted extra735
#     Ensure there are no EBS Volumes unencrypted extra729
#     Ensure CloudTrail logs are encrypted at rest using KMS CMKs check27
#     Ensure rotation for customer created CMKs is enabled check28
#     Check if EBS snapshots are encrypted extra740
#     Ensure there are no EBS Snapshots set as Public extra72
#     Ensure there are no Fargate containers in use (/aws/containers-roadmap/issues/314) TODO

# 3.4 Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks

#     Use encrypted connections between CloudFront and origin server extra738 and TODO
#     Ensure that S3 Buckets only allow data transfer using SSL/TLS extra734
#     ELB is setup with SSL for secure communications TODO
#     Ensure the access keys are rotated every 90 days or less check14
#     Network Load Balancer with unencrypted service: ElasticSearch (TCP:9200) is exposed to the public Internet TODO? ELB on SSL should be enough extra779 and extra716
#     Network Load Balancer with unencrypted service: ElasticSearch (TCP:9300) is exposed to the public Internet TODO? ELB on SSL should be enough extra779 and extra716
#     Network Load Balancer with unencrypted service: LDAP (UDP:389) is exposed to the public Internet TODO? ELB on SSL should be enough
#     Network Load Balancer with unencrypted service: LDAP (TCP:389) is exposed to the public Internet TODO? ELB on SSL should be enough
#     Instance with unencrypted service: ElasticSearch (TCP:9200) is exposed to the public Internet extra779 and extra716
#     Instance with unencrypted service: ElasticSearch (TCP:9300) is exposed to the public Internet extra779 and extra716
#     Instance with unencrypted service: LDAP (UDP:389) is exposed to the public Internet
#     Instance with unencrypted service: LDAP (TCP:389) is exposed to the public Internet
#     Instance with unencrypted Redis: (TCP:6379) is exposed to the public Internet

# 3.5. Requirement 5: Protect All Systems Against Malware and Regularly Update Anti-Virus Software or Programs

# N/A
# 3.6. Requirement 6: Develop and Maintain Secure Systems and Applications

#     Ensure Inspector has Assessment Targets TODO
#     Ensure Inspector has a Scheduled Assessment Template TODO
#     Check for WAF IPSet TODO
#     Check for WAF Constraint Sets TODO
#     Check for WAF Web ACL extra744,extra773

# 3.7. Requirement 7: Restrict Access to Cardholder Data By Business Need To Know

#     Credentials (access keys) unused for 90 days or more should be disabled check13
#     Credentials (password enabled) unused for 90 days or more should be disabled check111
#     Ensure IAM policies are attached only to groups or roles check116

# 3.8. Requirement 8: Identify and Authenticate Access to System Components

#     Enforce password policy: IAM (check15, check16, check17, check18, check19, check110, check111)
#     Ensure that MFA is enabled for root account check113
#     Ensure MFA is enabled for all IAM users that have a console password check12
#     Ensure no root account access key exists check112
#     Ensure hardware MFA is enabled for the root account check114
#     Avoid the use of root account. check11

# 3.9 Requirement 9: Restrict Physical Access to Cardholder Data

# N/A
# 3.10. Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data

#     Ensure CloudTrail is enabled in all regions check21
#     Ensure VPC Flow Logging is enabled in all the applicable Regions check29
#     Ensure S3 Buckets access logging is enabled on the CloudTrail S3 bucket check26
#     ELB is created with access logs enabled extra717
#     S3 bucket should have server access logging enabled extra718
#     Ensure AWS Config is enabled in all regions check25
#     S3 bucket holding CloudTrail logs should not be publicly accessible check23
#     S3 buckets should not be world-listable extra73
#     S3 buckets should not be world-writable extra73
#     S3 buckets should not be world-readable extra73
#     Ensure a log metric filter and alarm exist for S3 bucket policy changes check38
#     Ensure a log metric filter and alarm exist for AWS Management Console authentication failures check36
#     Ensure a log metric filter and alarm exist for VPC changes check314

# 3.11. Requirement 11: Regularly Test Security Systems and Processes

#     Ensure AWS GuardDuty is enabled extra713
#     Ensure Inspector has Assessment Targets
#     Ensure Inspector has a Scheduled Assessment Template

# 3.12. Requirement 12: Maintain a Policy That Addresses Information Security For All Personnel

# N/A
