@cyberstrike-io/cyberstrike 1.1.9 → 1.1.10-beta.1

package/skill/CIS_benchmarks/AWS/CIS_AWS_End_User_Compute_Services_Benchmark_v1.2.0/cis-aws-euc-4.1/SKILL.md

@@ -0,0 +1,113 @@
+---
+name: cis-aws-euc-4.1
+description: "Ensure Administrators of WorkDocs is defined using IAM"
+category: cis-end-user-compute
+version: "1.2.0"
+author: cyberstrike-official
+tags: [cis, aws, end-user-compute, workdocs, iam, access-control]
+cis_id: "4.1"
+cis_benchmark: "CIS AWS End User Compute Services Benchmark v1.2.0"
+tech_stack: [aws]
+cwe_ids: []
+chains_with: []
+prerequisites: []
+severity_boost: {}
+---
+
+# Ensure Administrators of WorkDocs is defined using IAM (Automated)
+
+## Profile Applicability
+
+- Level 1
+
+## Description
+
+Administration of AWS WorkDocs should be defined using AWS Identity and Access Management (IAM).
+
+## Rationale
+
+By default, IAM users and roles don't have permission to create or modify Amazon WorkDocs resources. Using IAM to manage WorkDocs administrators ensures proper access control and follows the principle of least privilege.
+
+## Impact
+
+None - this is a security best practice.
+
+## Audit Procedure
+
+### Using AWS Console
+
+1. Log in to the IAM console at `https://console.aws.amazon.com/iam/`
+2. In the left pane, click **Groups** and then click **Create New Group**
+3. In the Group Name box, type the name of the group and then click **Next Step**
+4. In the list of policies, select the check box for **AmazonWorkDocsFullAccess**
+5. Click **Next Step**
+6. Click **Create Group**
+
+Add users to the Amazon WorkDocs Full Access group:
+
+1. Log in to the IAM console at `https://console.aws.amazon.com/iam/`
+2. In the left pane, click **Groups**
+3. Select the group you created above
+4. Click **Add Users To Group**
+5. Select the users to be added to the group
+6. Click **Add Users**
+
+### Using AWS CLI
+
+Not applicable for this control - must be configured via Console.
+
+## Expected Result
+
+IAM group with AmazonWorkDocsFullAccess policy exists and WorkDocs administrators are members of this group.
+
+## Remediation
+
+### Using AWS Console
+
+Perform the following to create an IAM group and assign the Amazon WorkDocs Full Access policy to it:
+
+1. Log in to the IAM console at `https://console.aws.amazon.com/iam/`
+2. In the left pane, click **Groups** and then click **Create New Group**
+3. In the Group Name box, type the name of the group and then click **Next Step**
+4. In the list of policies, select the check box for **AmazonWorkDocsFullAccess**
+5. Click **Next Step**
+6. Click **Create Group**
+
+Perform the following to add a user to a Amazon WorkDocs Full Access group:
+
+1. Log in to the IAM console at `https://console.aws.amazon.com/iam/`
+2. In the left pane, click **Groups**
+3. Select the group you created above
+4. Click **Add Users To Group**
+5. Select the users to be added to the group
+6. Click **Add Users**
+
+### Using AWS CLI
+
+Not applicable - must be configured via Console.
+
+## Default Value
+
+By default, IAM users and roles don't have permission to create or modify Amazon WorkDocs resources.
+
+## References
+
+1. https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-access-control.html
+2. https://docs.aws.amazon.com/workspaces/latest/adminguide/manage-workspaces-users.html
+3. https://docs.aws.amazon.com/workdocs/latest/adminguide/security_iam_id-based-policy-examples.html
+
+## CIS Controls
+
+**v8:**
+
+- 5.1 Establish and Maintain an Inventory of Accounts
+  - Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
+
+**v7:**
+
+- 4.1 Maintain Inventory of Administrative Accounts
+  - Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
+
+## Profile
+
+Level 1

package/skill/CIS_benchmarks/AWS/CIS_AWS_End_User_Compute_Services_Benchmark_v1.2.0/cis-aws-euc-4.2/SKILL.md

@@ -0,0 +1,181 @@
+---
+name: cis-aws-euc-4.2
+description: "Ensure MFA is enabled for WorkDoc users"
+category: cis-end-user-compute
+version: "1.2.0"
+author: cyberstrike-official
+tags: [cis, aws, end-user-compute, workdocs, mfa, authentication]
+cis_id: "4.2"
+cis_benchmark: "CIS AWS End User Compute Services Benchmark v1.2.0"
+tech_stack: [aws]
+cwe_ids: [CWE-308]
+chains_with: []
+prerequisites: []
+severity_boost: {}
+---
+
+# Ensure MFA is enabled for WorkDoc users (Manual)
+
+## Profile Applicability
+
+- Level 2
+
+## Description
+
+Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional username and password. With MFA enabled, when a user signs in to Amazon WorkDocs, they will be prompted for their user name and password as well as for an authentication code from their MFA token.
+
+## Rationale
+
+Enabling MFA provides increased security to a user name and password as it requires the user to possess a solution that displays a time-sensitive authentication code.
+
+## Impact
+
+To enable MFA for Amazon WorkDocs you require a RADIUS server or a plugin to a RADIUS server already implemented in your environment.
+
+Multi-factor authentication is not available for Simple AD.
+
+You can enable multi-factor authentication for AD Connector if you have Active Directory running on-premises or in EC2 instances.
+
+## Audit Procedure
+
+Perform the steps below to confirm MFA setup and configuration.
+
+### Using AWS Console
+
+1. Log in to the Directory Service console at `https://console.aws.amazon.com/directoryservicev2`
+2. Select **Directories**
+3. Choose the directory ID link for your AWS Managed Microsoft AD directory
+4. On the Directory details page, select the **Networking & security tab**
+5. In the Multi-factor authentication section, Confirm Radius status is set to **Enabled**
+6. Open the WorkDocs console at `https://console.aws.amazon.com/zocalo/`
+7. In the Manage Your WorkDocs Sites page, select the desired site and choose **Actions** and **Manage MFA**
+8. Confirm the values are set correctly
+
+Multi-factor authentication is available when the RADIUS Status reads Enabled.
+
+### Using AWS CLI
+
+1. Run describe-directories command to list the identifiers of all the Active Directory (AD) Connector directories, available in the selected AWS region:
+
+```bash
+aws ds describe-directories \
+  --region us-east-1 \
+  --output table \
+  --query 'DirectoryDescriptions[*].DirectoryId'
+```
+
+2. The command output should return a table with the requested resource IDs:
+
+```
+--------------------
+|DescribeDirectories|
++------------------+
+|  d-12345abcde    |
+|  d-abcd012345    |
+|  d-aabbcc1234    |
++------------------+
+```
+
+3. Run describe-directories command using the ID of the AD Connector directory to get the status of the RADIUS MFA server connection:
+
+```bash
+aws ds describe-directories \
+  --region us-east-1 \
+  --directory-ids d-12345abcde \
+  --query 'DirectoryDescriptions[*].RadiusStatus'
+```
+
+4. The command output should return the requested status information:
+
+```
+[]
+```
+
+5. Repeat steps 3 and 4 to determine the MFA status for other AD Connector directories
+6. Change the AWS region by updating the --region command parameter value and repeat steps 1 – 5 to perform the audit process for other regions
+
+If describe-directories command output returns an empty array, as shown in the example above, there is no RADIUS MFA server configured for the selected AD Directory, therefore the resource does not have Multi-Factor Authentication (MFA) protection enabled. Refer to the remediation below.
+
+## Expected Result
+
+RADIUS MFA is enabled for WorkDocs directories in Directory Service, and WorkDocs sites have MFA configured.
+
+## Remediation
+
+### Using AWS Console
+
+Perform the following steps to setup MFA on the server and in WorkDocs:
+
+1. Identify the IP address of your RADIUS MFA server and your AWS Managed Microsoft AD directory
+2. In the AWS Directory Service console navigation pane, select **Directories**
+3. Choose the directory ID link for your AWS Managed Microsoft AD directory
+4. On the Directory details page, select the **Networking & security tab**
+5. In the Multi-factor authentication section, choose **Actions**, and then choose **Enable**
+6. On the Enable multi-factor authentication (MFA) page, provide the following values:
+   - Display label - Provide a label name
+   - RADIUS server DNS name or IP addresses
+   - Port - default 1812
+   - Shared secret code
+   - Confirm shared secret code
+   - Protocol - MS-CHAPv2
+   - Server timeout - (in seconds) - 20
+   - Max retries - 3
+
+**To enable multi-factor authentication in WorkDocs:**
+
+1. Open WorkDocs console at `https://console.aws.amazon.com/zocalo/`
+2. In the Manage Your WorkDocs Sites page, select the desired site and choose **Actions** and **Manage MFA**
+3. Enter the following values:
+   - Enable Multi-Factor Authentication
+   - Check to enable multi-factor authentication
+   - RADIUS server IP address(es) - The IP addresses of your RADIUS server endpoints
+   - Port - The port that your RADIUS server is using for communications. Default RADIUS server port (1812)
+   - Shared secret code - The shared secret code that was specified when your RADIUS endpoints were created
+   - Confirm shared secret code
+   - Protocol - MS-CHAPv2
+   - Server timeout - (in seconds) - 20
+   - Max retries - 3
+4. Choose **Enable**
+
+### Using AWS CLI
+
+Multi-factor authentication is available when the RADIUS Status changes to Enabled. To enable RADIUS-based MFA protection for your Active Directory (AD) Connector directories, perform the following actions:
+
+**Note:** Enabling Multi-Factor authentication for AD Connector directories using the AWS Management Console is not currently supported.
+
+1. Run the enable-radius command:
+
+```bash
+aws ds enable-radius \
+  --region us-east-1 \
+  --directory-id <value> \
+  --radius-settings { "RadiusServers": ["<your-radius-server>.com"],"RadiusPort": 1812,"RadiusTimeout": 20,"RadiusRetries": 3,"SharedSecret": "radiusmfa","AuthenticationProtocol": "MS-CHAPv2","DisplayLabel": "RADIUS Multi-Factor Authentication","UseSameUsername": true }
+```
+
+2. Repeat step 1 for other AD Connectors and the Selected regions
+
+## Default Value
+
+By default, MFA is not enabled in AWS Workdocs.
+
+## References
+
+1. https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ad_connector_mfa.html
+2. https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_mfa.html
+3. https://aws.amazon.com/blogs/security/how-to-enable-multi-factor-authentication-for-amazon-workspaces-and-amazon-quicksight-by-using-microsoft-ad-and-on-premises-credentials/
+
+## CIS Controls
+
+**v8:**
+
+- 6.3 Require MFA for Externally-Exposed Applications
+  - Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.
+
+**v7:**
+
+- 16.3 Require Multi-factor Authentication
+  - Require multi-factor authentication for all user accounts, on all systems, whether managed onsite or by a third-party provider.
+
+## Profile
+
+Level 2

package/skill/CIS_benchmarks/AWS/CIS_AWS_End_User_Compute_Services_Benchmark_v1.2.0/cis-aws-euc-4.3/SKILL.md

@@ -0,0 +1,101 @@
+---
+name: cis-aws-euc-4.3
+description: "Ensure Workdocs access is limited to a range of allowable IP addresses"
+category: cis-end-user-compute
+version: "1.2.0"
+author: cyberstrike-official
+tags: [cis, aws, end-user-compute, workdocs, network-security, ip-filtering]
+cis_id: "4.3"
+cis_benchmark: "CIS AWS End User Compute Services Benchmark v1.2.0"
+tech_stack: [aws]
+cwe_ids: [CWE-284]
+chains_with: []
+prerequisites: []
+severity_boost: {}
+---
+
+# Ensure Workdocs access is limited to a range of allowable IP addresses (Manual)
+
+## Profile Applicability
+
+- Level 1
+
+## Description
+
+Access to WorkDocs can be limited to an allowed range of IP addresses.
+
+## Rationale
+
+Using IP address allow lists, you define and permit access to your WorkDocs site from trusted networks.
+
+## Impact
+
+IP Lists currently only work for IPv4 addresses and denying access through an IP list is not supported.
+
+## Audit Procedure
+
+Perform these steps to review the list of IP addresses allowed to access WorkDocs.
+
+### Using AWS Console
+
+1. Log into the AWS console
+2. Navigate to WorkDocs or go to WorkDocs Console at `https://console.aws.amazon.com/zocalo/`
+3. Under My Account, choose **Open admin control panel**
+4. For IP Allow List, choose **Change**
+5. Review the IP address ranges and any single IP addresses
+6. Click **Cancel**
+
+If the IP address ranges do not match trusted networks refer to the remediation below to create or edit the IP Allow list.
+
+### Using AWS CLI
+
+Not applicable - must be audited via Console.
+
+## Expected Result
+
+IP Allow List is configured with trusted IP ranges only.
+
+## Remediation
+
+### Using AWS Console
+
+Perform the steps below to create or edit the IP Allow list for WorkDocs:
+
+1. Log into the AWS console
+2. Navigate to WorkDocs or go to WorkDocs Console at `https://console.aws.amazon.com/zocalo/`
+3. Under My Account, choose **Open admin control panel**
+4. For IP Allow List, choose **Change**
+5. For Enter CIDR value, enter the IP address ranges to **allowlist**. To allow access from a single IP address, specify /32 as the CIDR prefix
+6. Click **Add**
+7. Click **Save Changes**
+
+### Using AWS CLI
+
+Not applicable - must be configured via Console.
+
+## Default Value
+
+By default, no IP addresses are allowed.
+
+## References
+
+1. https://docs.aws.amazon.com/workdocs/latest/adminguide/prereqs.html
+2. https://aws.amazon.com/about-aws/whats-new/2018/10/amazon-workdocs-control-ip-address-access/
+3. https://docs.aws.amazon.com/workdocs/latest/adminguide/workdocs-ag.pdf
+4. https://docs.aws.amazon.com/workdocs/latest/adminguide/manage-sites.html
+
+## CIS Controls
+
+**v8:**
+
+- 3.3 Configure Data Access Control Lists
+  - Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
+
+**v7:**
+
+- 14.6 Protect Information through Access Control Lists
+  - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
+
+## Profile
+
+Level 1

package/skill/CIS_benchmarks/AWS/CIS_AWS_End_User_Compute_Services_Benchmark_v1.2.0/cis-aws-euc-4.4/SKILL.md

@@ -0,0 +1,96 @@
+---
+name: cis-aws-euc-4.4
+description: "Utilize site wide activity feed for monitoring"
+category: cis-end-user-compute
+version: "1.2.0"
+author: cyberstrike-official
+tags: [cis, aws, end-user-compute, workdocs, monitoring, logging, audit]
+cis_id: "4.4"
+cis_benchmark: "CIS AWS End User Compute Services Benchmark v1.2.0"
+tech_stack: [aws]
+cwe_ids: []
+chains_with: []
+prerequisites: []
+severity_boost: {}
+---
+
+# Utilize site wide activity feed for monitoring (Manual)
+
+## Profile Applicability
+
+- Level 1
+
+## Description
+
+Admins can view and export the activity feed for an entire WorkDocs site.
+
+## Rationale
+
+WorkDoc admins should monitor and export activity feeds for the site as record of activity. These activity reports should be reviewed every month for any abnormalities and rotated every 90 days.
+
+## Impact
+
+To use this feature, you must first install the Amazon WorkDocs Companion.
+
+## Audit Procedure
+
+Perform the steps below to view site-wide activity feed.
+
+### Using WorkDocs Web Application
+
+1. Click **Activity feed**
+2. Click Filter, then Click **Site-wide activity**
+3. Select Activity Type filters and choose **Date Modified** settings as needed, then click **Apply**
+4. When the filtered activity feed results appear, search by file, folder, or user name to narrow your results. You can also add or remove filters as needed
+
+### Using AWS Console
+
+Not applicable - must be accessed via WorkDocs web application.
+
+## Expected Result
+
+Site-wide activity feed is being monitored and exported regularly.
+
+## Remediation
+
+### Using WorkDocs Web Application
+
+Perform the following steps to Export site-wide activity feed:
+
+1. Click **Activity feed**
+2. Click Filter, then Click **Site-wide activity**
+3. Select Activity Type filters and choose **Date Modified** settings as needed, then click **Apply**
+4. When the filtered activity feed results appear, search by file, folder, or user name to narrow your results. You can also add or remove filters as needed
+5. Click **Export**
+6. Export the activity feed as a .csv or .json file. Any filters you applied are reflected in the exported file
+
+### Using AWS CLI
+
+Not applicable - must be configured via WorkDocs web application.
+
+## Default Value
+
+By default, site wide monitoring is not enabled and requires additional configuration to enable the feature.
+
+## References
+
+1. https://docs.aws.amazon.com/workdocs/latest/adminguide/site-activity.html
+2. https://amazonworkdocs.com/apps.html
+3. https://docs.aws.amazon.com/workdocs/latest/userguide/activity_feed.html
+4. https://docs.aws.amazon.com/workdocs/latest/adminguide/site-activity.html
+
+## CIS Controls
+
+**v8:**
+
+- 8.2 Collect Audit Logs
+  - Collect audit logs. Ensure that logging, per the enterprise's audit log management process, has been enabled across enterprise assets.
+
+**v7:**
+
+- 6.2 Activate audit logging
+  - Ensure that local logging has been enabled on all systems and networking devices.
+
+## Profile
+
+Level 1

package/skill/CIS_benchmarks/AWS/CIS_AWS_End_User_Compute_Services_Benchmark_v1.2.0/cis-aws-euc-4.5/SKILL.md

@@ -0,0 +1,97 @@
+---
+name: cis-aws-euc-4.5
+description: "Ensure new users can only be invited from allowed domains"
+category: cis-end-user-compute
+version: "1.2.0"
+author: cyberstrike-official
+tags: [cis, aws, end-user-compute, workdocs, access-control, domain-restriction]
+cis_id: "4.5"
+cis_benchmark: "CIS AWS End User Compute Services Benchmark v1.2.0"
+tech_stack: [aws]
+cwe_ids: [CWE-284]
+chains_with: []
+prerequisites: []
+severity_boost: {}
+---
+
+# Ensure new users can only be invited from allowed domains (Manual)
+
+## Profile Applicability
+
+- Level 1
+
+## Description
+
+Users that are allowed access to shared files or folders in WorkDocs should be limited to specific domains.
+
+## Rationale
+
+To control who should be allowed to join your WorkDocs site, users should be limited on who they can invite sharing files or folders with new people from the specified domains.
+
+## Audit Procedure
+
+Perform the steps to confirm WorkDocs file and sharing folders is controlled by specified domains.
+
+### Using WorkDocs Admin Control Panel
+
+1. Log in to WorkDocs as an Administrator
+2. Click **Security**
+3. Under **Invite settings**
+4. Confirm that only:
+
+**Users can invite new people from a few specific domains by sharing files or folders with them**
+
+5. Confirm the listed **Domains** is accurate
+
+If the setting is not set to "Users can invite new people from a few specific domains by sharing files or folders with them" or the domains listed is not accurate refer to the remediation below.
+
+### Using AWS Console
+
+Not applicable - must be audited via WorkDocs Admin control panel.
+
+## Expected Result
+
+WorkDocs invite settings restrict user invitations to approved domains only.
+
+## Remediation
+
+### Using WorkDocs Admin Control Panel
+
+Perform the steps to set WorkDocs file and sharing folders to be controlled by specified domains:
+
+1. Log in to WorkDocs as an Administrator
+2. Click **Security**
+3. Under **Invite settings**
+4. Select:
+
+**Users can invite new people from a few specific domains by sharing files or folders with them**
+
+5. Add in or edit the listed allowed Domains
+
+### Using AWS CLI
+
+Not applicable - must be configured via WorkDocs Admin control panel.
+
+## Default Value
+
+By default, this setting is disabled.
+
+## References
+
+1. https://docs.aws.amazon.com/workdocs/latest/adminguide/manage-sites.html
+
+## CIS Controls
+
+**v8:**
+
+- 3.3 Configure Data Access Control Lists
+  - Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
+
+**v7:**
+
+- 14.6 Protect Information through Access Control Lists
+  - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
+
+## Profile
+
+Level 1

package/skill/CIS_benchmarks/AWS/CIS_AWS_End_User_Compute_Services_Benchmark_v1.2.0/cis-aws-euc-4.6/SKILL.md

@@ -0,0 +1,95 @@
+---
+name: cis-aws-euc-4.6
+description: "Ensure only specific users are allowed to invite external users"
+category: cis-end-user-compute
+version: "1.2.0"
+author: cyberstrike-official
+tags: [cis, aws, end-user-compute, workdocs, access-control, external-sharing]
+cis_id: "4.6"
+cis_benchmark: "CIS AWS End User Compute Services Benchmark v1.2.0"
+tech_stack: [aws]
+cwe_ids: [CWE-284]
+chains_with: []
+prerequisites: []
+severity_boost: {}
+---
+
+# Ensure only specific users are allowed to invite external users (Manual)
+
+## Profile Applicability
+
+- Level 1
+
+## Description
+
+The organization should only allow administrators the ability to invite external users to the WorkDocs site.
+
+## Rationale
+
+If anyone can invite a user outside of the organization it could potentially lead to security or information leak.
+
+## Audit Procedure
+
+Perform the steps to confirm Only Administrators can invite new external users for WorkDocs.
+
+### Using WorkDocs Admin Control Panel
+
+1. Log in to WorkDocs as an Administrator
+2. Click **Security**
+3. Under **external invites**
+4. Confirm that only:
+
+**Only administrators can invite new external users**
+
+If this is not set to "Only administrators can invite new external users" refer to the remediation below.
+
+### Using AWS Console
+
+Not applicable - must be audited via WorkDocs Admin control panel.
+
+## Expected Result
+
+External invite settings are configured so only administrators can invite external users.
+
+## Remediation
+
+### Using WorkDocs Admin Control Panel
+
+Perform the steps to Set Only Administrators can invite new external users for WorkDocs:
+
+1. Log in to WorkDocs as an Administrator
+2. Click **Security**
+3. Under **external invites**
+4. Select:
+
+**Only administrators can invite new external users**
+
+- Only administrators can invite external users to use Amazon WorkDocs.
+
+### Using AWS CLI
+
+Not applicable - must be configured via WorkDocs Admin control panel.
+
+## Default Value
+
+By default, this is dependent on the policies assigned.
+
+## References
+
+1. https://docs.aws.amazon.com/workdocs/latest/adminguide/manage-sites.html
+
+## CIS Controls
+
+**v8:**
+
+- 3.3 Configure Data Access Control Lists
+  - Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
+
+**v7:**
+
+- 14.6 Protect Information through Access Control Lists
+  - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
+
+## Profile
+
+Level 1