From 4f623b4e314f317400b30dfd562672766bdfacfd Mon Sep 17 00:00:00 2001 From: Marc Jay Date: Sun, 12 Apr 2020 02:18:42 +0100 Subject: [PATCH] check121 - Filter out users who do not have a console password According to the benchmark, only users with a console password should be considered for this check, therefore filter out any users who do not have a console password Fixes #513 --- checks/check121 | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/checks/check121 b/checks/check121 index 64032c059f..b15a0125de 100644 --- a/checks/check121 +++ b/checks/check121 @@ -19,7 +19,8 @@ check121(){ LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION) # List of USERS with KEY1 last_used_date as N/A LIST_USERS_KEY1_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$11 }'|grep N/A |awk '{ print $1 }'; done) - LIST_USERS_KEY1_ACTIVE=$(for user in $LIST_USERS_KEY1_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$9 }'|grep "true$"|awk '{ print $1 }'|sed 's/[[:blank:]]+/,/g' ; done) + # List of USERS with KEY1 active, last_used_date as N/A and have a console password + LIST_USERS_KEY1_ACTIVE=$(for user in $LIST_USERS_KEY1_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$4,$9 }'|grep "true true$"|awk '{ print $1 }'|sed 's/[[:blank:]]+/,/g' ; done) if [[ $LIST_USERS_KEY1_ACTIVE ]]; then for user in $LIST_USERS_KEY1_ACTIVE; do textFail "$user has never used Access Key 1" @@ -29,7 +30,8 @@ check121(){ fi # List of USERS with KEY2 last_used_date as N/A LIST_USERS_KEY2_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$16 }'|grep N/A |awk '{ print $1 }' ; done) - LIST_USERS_KEY2_ACTIVE=$(for user in $LIST_USERS_KEY2_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$14 }'|grep "true$" |awk '{ print $1 }' ; done) + # List of USERS with KEY2 active, last_used_date as N/A and have a console password + LIST_USERS_KEY2_ACTIVE=$(for user in $LIST_USERS_KEY2_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$4,$14 }'|grep "true true$" |awk '{ print $1 }' ; done) if [[ $LIST_USERS_KEY2_ACTIVE ]]; then for user in $LIST_USERS_KEY2_ACTIVE; do textFail "$user has never used Access Key 2"