PyPI - sraverify - Versions diffs - 0.1.0__py3-none-any.whl - Mend

sraverify 0.1.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (261) hide show

sraverify/__init__.py +36 -0
sraverify/checks/__init__.py +56 -0
sraverify/checks/accessanalyzer/SRA_IAA_1.py +188 -0
sraverify/checks/accessanalyzer/SRA_IAA_2.py +162 -0
sraverify/checks/accessanalyzer/SRA_IAA_3.py +260 -0
sraverify/checks/accessanalyzer/SRA_IAA_4.py +207 -0
sraverify/checks/accessanalyzer/__init__.py +3 -0
sraverify/checks/cloudtrail/SRA-CT-1.py +220 -0
sraverify/checks/cloudtrail/SRA-CT-10.py +229 -0
sraverify/checks/cloudtrail/SRA-CT-11.py +242 -0
sraverify/checks/cloudtrail/SRA-CT-12.py +163 -0
sraverify/checks/cloudtrail/SRA-CT-13.py +279 -0
sraverify/checks/cloudtrail/SRA-CT-2.py +218 -0
sraverify/checks/cloudtrail/SRA-CT-3.py +196 -0
sraverify/checks/cloudtrail/SRA-CT-4.py +161 -0
sraverify/checks/cloudtrail/SRA-CT-5.py +200 -0
sraverify/checks/cloudtrail/SRA-CT-6.py +161 -0
sraverify/checks/cloudtrail/SRA-CT-7.py +194 -0
sraverify/checks/cloudtrail/SRA-CT-8.py +226 -0
sraverify/checks/cloudtrail/SRA-CT-9.py +226 -0
sraverify/checks/cloudtrail/__init__.py +3 -0
sraverify/checks/config/SRA-CONFIG-1.py +197 -0
sraverify/checks/config/__init__.py +3 -0
sraverify/core/__init__.py +3 -0
sraverify/core/check.py +227 -0
sraverify/core/logging.py +37 -0
sraverify/core/session.py +47 -0
sraverify/lib/__init__.py +4 -0
sraverify/lib/audit_info.py +37 -0
sraverify/lib/banner.py +42 -0
sraverify/lib/check_loader.py +80 -0
sraverify/lib/org_mgmt_checker.py +86 -0
sraverify/lib/outputs.py +46 -0
sraverify/lib/progress.py +75 -0
sraverify/lib/regions.py +27 -0
sraverify/lib/session.py +23 -0
sraverify/main.py +350 -0
sraverify/services/__init__.py +3 -0
sraverify/services/accessanalyzer/__init__.py +15 -0
sraverify/services/accessanalyzer/base.py +123 -0
sraverify/services/accessanalyzer/checks/__init__.py +3 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_01.py +82 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_02.py +82 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_03.py +103 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_04.py +139 -0
sraverify/services/accessanalyzer/client.py +123 -0
sraverify/services/account/__init__.py +9 -0
sraverify/services/account/base.py +56 -0
sraverify/services/account/checks/__init__.py +1 -0
sraverify/services/account/checks/sra_account_01.py +65 -0
sraverify/services/account/checks/sra_account_02.py +63 -0
sraverify/services/account/checks/sra_account_03.py +63 -0
sraverify/services/account/client.py +51 -0
sraverify/services/auditmanager/__init__.py +10 -0
sraverify/services/auditmanager/base.py +72 -0
sraverify/services/auditmanager/checks/__init__.py +1 -0
sraverify/services/auditmanager/checks/sra_auditmanager_01.py +58 -0
sraverify/services/auditmanager/checks/sra_auditmanager_02.py +80 -0
sraverify/services/auditmanager/client.py +58 -0
sraverify/services/cloudtrail/__init__.py +33 -0
sraverify/services/cloudtrail/base.py +167 -0
sraverify/services/cloudtrail/checks/__init__.py +1 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_01.py +83 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_02.py +99 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_03.py +94 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_04.py +92 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_05.py +106 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_06.py +93 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_07.py +96 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_08.py +145 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_09.py +167 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_10.py +162 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_11.py +178 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_12.py +77 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_13.py +120 -0
sraverify/services/cloudtrail/client.py +118 -0
sraverify/services/config/__init__.py +25 -0
sraverify/services/config/base.py +249 -0
sraverify/services/config/checks/__init__.py +1 -0
sraverify/services/config/checks/sra_config_01.py +123 -0
sraverify/services/config/checks/sra_config_02.py +156 -0
sraverify/services/config/checks/sra_config_03.py +149 -0
sraverify/services/config/checks/sra_config_04.py +104 -0
sraverify/services/config/checks/sra_config_05.py +104 -0
sraverify/services/config/checks/sra_config_06.py +194 -0
sraverify/services/config/checks/sra_config_07.py +162 -0
sraverify/services/config/checks/sra_config_08.py +185 -0
sraverify/services/config/checks/sra_config_09.py +177 -0
sraverify/services/config/client.py +264 -0
sraverify/services/ec2/__init__.py +8 -0
sraverify/services/ec2/base.py +75 -0
sraverify/services/ec2/checks/__init__.py +1 -0
sraverify/services/ec2/checks/sra_ec2_01.py +83 -0
sraverify/services/ec2/client.py +63 -0
sraverify/services/firewallmanager/__init__.py +23 -0
sraverify/services/firewallmanager/base.py +48 -0
sraverify/services/firewallmanager/checks/__init__.py +1 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_01.py +75 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_02.py +57 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_03.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_04.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_05.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_06.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_07.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_08.py +61 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_09.py +61 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_10.py +71 -0
sraverify/services/firewallmanager/client.py +40 -0
sraverify/services/guardduty/__init__.py +58 -0
sraverify/services/guardduty/base.py +207 -0
sraverify/services/guardduty/checks/__init__.py +3 -0
sraverify/services/guardduty/checks/sra_guardduty_01.py +51 -0
sraverify/services/guardduty/checks/sra_guardduty_02.py +80 -0
sraverify/services/guardduty/checks/sra_guardduty_03.py +77 -0
sraverify/services/guardduty/checks/sra_guardduty_04.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_05.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_06.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_07.py +85 -0
sraverify/services/guardduty/checks/sra_guardduty_08.py +83 -0
sraverify/services/guardduty/checks/sra_guardduty_09.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_10.py +83 -0
sraverify/services/guardduty/checks/sra_guardduty_11.py +93 -0
sraverify/services/guardduty/checks/sra_guardduty_12.py +83 -0
sraverify/services/guardduty/checks/sra_guardduty_13.py +90 -0
sraverify/services/guardduty/checks/sra_guardduty_14.py +136 -0
sraverify/services/guardduty/checks/sra_guardduty_15.py +94 -0
sraverify/services/guardduty/checks/sra_guardduty_16.py +94 -0
sraverify/services/guardduty/checks/sra_guardduty_17.py +91 -0
sraverify/services/guardduty/checks/sra_guardduty_18.py +91 -0
sraverify/services/guardduty/checks/sra_guardduty_19.py +91 -0
sraverify/services/guardduty/checks/sra_guardduty_20.py +111 -0
sraverify/services/guardduty/checks/sra_guardduty_21.py +112 -0
sraverify/services/guardduty/checks/sra_guardduty_22.py +111 -0
sraverify/services/guardduty/checks/sra_guardduty_23.py +154 -0
sraverify/services/guardduty/checks/sra_guardduty_24.py +111 -0
sraverify/services/guardduty/checks/sra_guardduty_25.py +111 -0
sraverify/services/guardduty/client.py +107 -0
sraverify/services/inspector/__init__.py +29 -0
sraverify/services/inspector/base.py +233 -0
sraverify/services/inspector/checks/__init__.py +3 -0
sraverify/services/inspector/checks/sra_inspector_01.py +69 -0
sraverify/services/inspector/checks/sra_inspector_02.py +68 -0
sraverify/services/inspector/checks/sra_inspector_03.py +68 -0
sraverify/services/inspector/checks/sra_inspector_04.py +70 -0
sraverify/services/inspector/checks/sra_inspector_05.py +69 -0
sraverify/services/inspector/checks/sra_inspector_06.py +115 -0
sraverify/services/inspector/checks/sra_inspector_07.py +109 -0
sraverify/services/inspector/checks/sra_inspector_08.py +69 -0
sraverify/services/inspector/checks/sra_inspector_09.py +69 -0
sraverify/services/inspector/checks/sra_inspector_10.py +69 -0
sraverify/services/inspector/checks/sra_inspector_11.py +69 -0
sraverify/services/inspector/client.py +99 -0
sraverify/services/macie/__init__.py +27 -0
sraverify/services/macie/base.py +271 -0
sraverify/services/macie/checks/__init__.py +1 -0
sraverify/services/macie/checks/sra_macie_01.py +100 -0
sraverify/services/macie/checks/sra_macie_02.py +102 -0
sraverify/services/macie/checks/sra_macie_03.py +152 -0
sraverify/services/macie/checks/sra_macie_04.py +120 -0
sraverify/services/macie/checks/sra_macie_05.py +85 -0
sraverify/services/macie/checks/sra_macie_06.py +124 -0
sraverify/services/macie/checks/sra_macie_07.py +138 -0
sraverify/services/macie/checks/sra_macie_08.py +82 -0
sraverify/services/macie/checks/sra_macie_09.py +103 -0
sraverify/services/macie/checks/sra_macie_10.py +81 -0
sraverify/services/macie/client.py +220 -0
sraverify/services/s3/__init__.py +16 -0
sraverify/services/s3/base.py +69 -0
sraverify/services/s3/checks/__init__.py +1 -0
sraverify/services/s3/checks/sra_s3_01.py +89 -0
sraverify/services/s3/checks/sra_s3_02.py +89 -0
sraverify/services/s3/checks/sra_s3_03.py +88 -0
sraverify/services/s3/checks/sra_s3_04.py +88 -0
sraverify/services/s3/client.py +52 -0
sraverify/services/securityhub/__init__.py +27 -0
sraverify/services/securityhub/base.py +349 -0
sraverify/services/securityhub/checks/__init__.py +1 -0
sraverify/services/securityhub/checks/sra_securityhub_01.py +115 -0
sraverify/services/securityhub/checks/sra_securityhub_02.py +114 -0
sraverify/services/securityhub/checks/sra_securityhub_03.py +136 -0
sraverify/services/securityhub/checks/sra_securityhub_04.py +75 -0
sraverify/services/securityhub/checks/sra_securityhub_05.py +102 -0
sraverify/services/securityhub/checks/sra_securityhub_06.py +113 -0
sraverify/services/securityhub/checks/sra_securityhub_07.py +121 -0
sraverify/services/securityhub/checks/sra_securityhub_08.py +113 -0
sraverify/services/securityhub/checks/sra_securityhub_09.py +100 -0
sraverify/services/securityhub/checks/sra_securityhub_10.py +94 -0
sraverify/services/securityhub/checks/sra_securityhub_11.py +73 -0
sraverify/services/securityhub/client.py +249 -0
sraverify/services/securityincidentresponse/__init__.py +13 -0
sraverify/services/securityincidentresponse/base.py +95 -0
sraverify/services/securityincidentresponse/checks/__init__.py +1 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_01.py +77 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_02.py +72 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_03.py +86 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_04.py +117 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_05.py +55 -0
sraverify/services/securityincidentresponse/client.py +71 -0
sraverify/services/securitylake/__init__.py +39 -0
sraverify/services/securitylake/base.py +461 -0
sraverify/services/securitylake/checks/__init__.py +1 -0
sraverify/services/securitylake/checks/sra_securitylake_01.py +98 -0
sraverify/services/securitylake/checks/sra_securitylake_02.py +133 -0
sraverify/services/securitylake/checks/sra_securitylake_03.py +116 -0
sraverify/services/securitylake/checks/sra_securitylake_04.py +72 -0
sraverify/services/securitylake/checks/sra_securitylake_05.py +116 -0
sraverify/services/securitylake/checks/sra_securitylake_06.py +104 -0
sraverify/services/securitylake/checks/sra_securitylake_07.py +108 -0
sraverify/services/securitylake/checks/sra_securitylake_08.py +107 -0
sraverify/services/securitylake/checks/sra_securitylake_09.py +107 -0
sraverify/services/securitylake/checks/sra_securitylake_10.py +106 -0
sraverify/services/securitylake/checks/sra_securitylake_11.py +109 -0
sraverify/services/securitylake/checks/sra_securitylake_12.py +108 -0
sraverify/services/securitylake/checks/sra_securitylake_13.py +108 -0
sraverify/services/securitylake/checks/sra_securitylake_14.py +72 -0
sraverify/services/securitylake/checks/sra_securitylake_15.py +120 -0
sraverify/services/securitylake/checks/sra_securitylake_16.py +104 -0
sraverify/services/securitylake/checks/sra_securitylake_17.py +103 -0
sraverify/services/securitylake/client.py +247 -0
sraverify/services/shield/__init__.py +33 -0
sraverify/services/shield/base.py +199 -0
sraverify/services/shield/checks/__init__.py +1 -0
sraverify/services/shield/checks/sra_shield_01.py +68 -0
sraverify/services/shield/checks/sra_shield_02.py +77 -0
sraverify/services/shield/checks/sra_shield_03.py +84 -0
sraverify/services/shield/checks/sra_shield_04.py +84 -0
sraverify/services/shield/checks/sra_shield_05.py +84 -0
sraverify/services/shield/checks/sra_shield_06.py +84 -0
sraverify/services/shield/checks/sra_shield_07.py +84 -0
sraverify/services/shield/checks/sra_shield_08.py +69 -0
sraverify/services/shield/checks/sra_shield_09.py +86 -0
sraverify/services/shield/checks/sra_shield_10.py +100 -0
sraverify/services/shield/checks/sra_shield_11.py +71 -0
sraverify/services/shield/checks/sra_shield_12.py +130 -0
sraverify/services/shield/checks/sra_shield_13.py +112 -0
sraverify/services/shield/checks/sra_shield_14.py +111 -0
sraverify/services/shield/client.py +214 -0
sraverify/services/waf/__init__.py +21 -0
sraverify/services/waf/base.py +100 -0
sraverify/services/waf/checks/__init__.py +1 -0
sraverify/services/waf/checks/sra_waf_01.py +63 -0
sraverify/services/waf/checks/sra_waf_02.py +82 -0
sraverify/services/waf/checks/sra_waf_03.py +123 -0
sraverify/services/waf/checks/sra_waf_04.py +94 -0
sraverify/services/waf/checks/sra_waf_05.py +94 -0
sraverify/services/waf/checks/sra_waf_06.py +91 -0
sraverify/services/waf/checks/sra_waf_07.py +94 -0
sraverify/services/waf/checks/sra_waf_08.py +66 -0
sraverify/services/waf/checks/sra_waf_09.py +95 -0
sraverify/services/waf/client.py +109 -0
sraverify/utils/__init__.py +3 -0
sraverify/utils/banner.py +65 -0
sraverify/utils/outputs.py +57 -0
sraverify/utils/progress.py +97 -0
sraverify-0.1.0.dist-info/LICENSE +175 -0
sraverify-0.1.0.dist-info/METADATA +516 -0
sraverify-0.1.0.dist-info/NOTICE +1 -0
sraverify-0.1.0.dist-info/RECORD +261 -0
sraverify-0.1.0.dist-info/WHEEL +5 -0
sraverify-0.1.0.dist-info/entry_points.txt +2 -0
sraverify-0.1.0.dist-info/top_level.txt +1 -0

sraverify/checks/cloudtrail/SRA-CT-3.py ADDED Viewed

@@ -0,0 +1,196 @@
+from typing import Dict, List, Any
+from sraverify.checks import SecurityCheck
+from botocore.exceptions import ClientError
+class SRACT3(SecurityCheck):
+    """SRA-CT-3: Organization Trail Log File Validation"""
+    def __init__(self, check_type="organization"):
+        super().__init__(check_type=check_type)
+        self.check_id = "SRA-CT-3"
+        self.check_name = "Organization Trail Log File Validation"
+        self.severity = 'HIGH'
+        self.description = ('This check verifies that your organization trail has log file validation enabled. '
+                         'Validated log files are especially valuable in security and forensic investigations. '
+                         'CloudTrail log file integrity validation uses industry standard algorithms: SHA-256 '
+                         'for hashing and SHA-256 with RSA for digital signing. This makes it computationally '
+                         'unfeasible to modify, delete or forge CloudTrail log files without detection.')
+        self.check_logic = ('1. Verify execution from Organization Management Account | '
+                         '2. List CloudTrail trails in current region | '
+                         '3. Check for organization trail with IsOrganizationTrail=true | '
+                         '4. Verify trail configuration has EnableLogFileValidation=true | '
+                         '5. Validate digest files are being delivered | '
+                         '6. Check passes if organization trail has log file validation enabled and working')
+        self.service = 'CloudTrail'
+    def get_findings(self) -> List[Dict[str, Any]]:
+        """Return the findings"""
+        return self.findings
+    def run(self, session):
+        """Run the security check"""
+        try:
+            region = session.region_name
+            account_id = session.client('sts').get_caller_identity()['Account']
+            # Initialize clients
+            org_client = session.client('organizations')
+            cloudtrail_client = session.client('cloudtrail')
+             # Step 1: Verify we're in management account using org_mgmt_checker
+            is_management, error_message = self.org_checker.verify_org_management()
+            if not is_management:
+                finding = {
+                    'CheckId': self.check_id,
+                    'Status': 'ERROR',
+                    'Region': region,
+                    "Severity": self.severity,
+                    'Title': f"{self.check_id} {self.check_name}",
+                    'Description': self.description,
+                    'ResourceId': account_id,
+                    'ResourceType': 'AWS::Organizations::Account',
+                    'AccountId': account_id,
+                    'CheckedValue': 'Management Account Access',
+                    'ActualValue': error_message if error_message else 'Not running from management account',
+                    'Remediation': 'Run this check from the Organization Management Account',
+                    'Service': self.service,
+                    'CheckLogic': self.check_logic,
+                    'CheckType': self.check_type
+                }
+                self.findings.append(finding)
+                return self.findings
+            # Steps 2-6: List trails and check validation
+            trails = cloudtrail_client.list_trails()['Trails']
+            org_trails = []
+            for trail in trails:
+                trail_info = cloudtrail_client.get_trail(Name=trail['Name'])['Trail']
+                if trail_info.get('IsOrganizationTrail', False):
+                    org_trails.append(trail_info)
+            if not org_trails:
+                self.findings.append({
+                    'CheckId': self.check_id,
+                    'Status': 'FAIL',
+                    'Region': region,
+                    "Severity": self.severity,
+                    'Title': f"{self.check_id} {self.check_name}",
+                    'Description': self.description,
+                    'ResourceId': account_id,
+                    'ResourceType': 'AWS::CloudTrail::Trail',
+                    'AccountId': account_id,
+                    'CheckedValue': 'Organization Trail',
+                    'ActualValue': 'No organization trail found',
+                    'Remediation': 'Create an organization-wide CloudTrail trail with log file validation enabled',
+                    'Service': self.service,
+                    'CheckLogic': self.check_logic,
+                    'CheckType': self.check_type
+                })
+                return self.findings
+            for trail in org_trails:
+                trail_name = trail['Name']
+                trail_arn = trail['TrailARN']
+                # Check if logging is enabled
+                trail_status = cloudtrail_client.get_trail_status(Name=trail_name)
+                if not trail_status.get('IsLogging', False):
+                    self.findings.append({
+                        'CheckId': self.check_id,
+                        'Status': 'FAIL',
+                        'Region': region,
+                        "Severity": self.severity,
+                        'Title': f"{self.check_id} {self.check_name}",
+                        'Description': self.description,
+                        'ResourceId': trail_arn,
+                        'ResourceType': 'AWS::CloudTrail::Trail',
+                        'AccountId': account_id,
+                        'CheckedValue': 'Trail Logging Status',
+                        'ActualValue': 'Organization trail is not logging',
+                        'Remediation': 'Enable logging for the organization trail',
+                        'Service': self.service,
+                        'CheckLogic': self.check_logic,
+                        'CheckType': self.check_type
+                    })
+                    continue
+                # Check log file validation
+                if not trail.get('LogFileValidationEnabled', False):
+                    self.findings.append({
+                        'CheckId': self.check_id,
+                        'Status': 'FAIL',
+                        'Region': region,
+                        "Severity": self.severity,
+                        'Title': f"{self.check_id} {self.check_name}",
+                        'Description': self.description,
+                        'ResourceId': trail_arn,
+                        'ResourceType': 'AWS::CloudTrail::Trail',
+                        'AccountId': account_id,
+                        'CheckedValue': 'Log File Validation',
+                        'ActualValue': 'Log file validation is not enabled',
+                        'Remediation': 'Enable log file validation on the organization CloudTrail trail',
+                        'Service': self.service,
+                        'CheckLogic': self.check_logic,
+                        'CheckType': self.check_type
+                    })
+                else:
+                    # Check if digest files are being delivered
+                    if not trail_status.get('LatestDigestDeliveryTime'):
+                        self.findings.append({
+                            'CheckId': self.check_id,
+                            'Status': 'FAIL',
+                            'Region': region,
+                            "Severity": self.severity,
+                            'Title': f"{self.check_id} {self.check_name}",
+                            'Description': self.description,
+                            'ResourceId': trail_arn,
+                            'ResourceType': 'AWS::CloudTrail::Trail',
+                            'AccountId': account_id,
+                            'CheckedValue': 'Digest File Delivery',
+                            'ActualValue': 'No digest files have been delivered',
+                            'Remediation': 'Verify S3 bucket permissions and trail configuration',
+                            'Service': self.service,
+                            'CheckLogic': self.check_logic,
+                            'CheckType': self.check_type
+                        })
+                    else:
+                        self.findings.append({
+                            'CheckId': self.check_id,
+                            'Status': 'PASS',
+                            'Region': region,
+                            "Severity": self.severity,
+                            'Title': f"{self.check_id} {self.check_name}",
+                            'Description': self.description,
+                            'ResourceId': trail_arn,
+                            'ResourceType': 'AWS::CloudTrail::Trail',
+                            'AccountId': account_id,
+                            'CheckedValue': 'Log File Validation',
+                            'ActualValue': 'Log file validation is enabled and digest files are being delivered',
+                            'Remediation': None,
+                            'Service': self.service,
+                            'CheckLogic': self.check_logic,
+                            'CheckType': self.check_type
+                        })
+        except Exception as e:
+            self.findings.append({
+                'CheckId': self.check_id,
+                'Status': 'ERROR',
+                'Region': region,
+                "Severity": self.severity,
+                'Title': f"{self.check_id} {self.check_name}",
+                'Description': self.description,
+                'ResourceId': account_id,
+                'ResourceType': 'AWS::CloudTrail::Trail',
+                'AccountId': account_id,
+                'CheckedValue': 'Check Execution',
+                'ActualValue': f'Error running check: {str(e)}',
+                'Remediation': 'Review the error message and try again',
+                'Service': self.service,
+                'CheckLogic': self.check_logic,
+                'CheckType': self.check_type
+            })
+        return self.findings

sraverify/checks/cloudtrail/SRA-CT-4.py ADDED Viewed

@@ -0,0 +1,161 @@
+from typing import Dict, List, Any
+from sraverify.checks import SecurityCheck
+from botocore.exceptions import ClientError
+import logging
+class SRACT4(SecurityCheck):
+    """SRA-CT-4: Organization Trail Multi-Region Configuration"""
+    def __init__(self, check_type="organization"):
+        """Initialize the check with organization type"""
+        super().__init__(check_type=check_type)
+        self.check_id = "SRA-CT-4"
+        self.check_name = "Organization Trail Multi-Region Configuration"
+        self.severity = "HIGH"
+        self.description = ('This check verifies that your organization trail is configured as a multi-region trail. '
+                          'This helps ensure you have visibility across your entire AWS environment.')
+        self.check_logic = ('1. Verify execution from Organization Management account | '
+                          '2. List CloudTrail trails in current region | '
+                          '3. Check for organization trail with IsOrganizationTrail=true | '
+                          '4. Verify trail configuration has IsMultiRegionTrail=true | '
+                          '5. Verify trail is recording in all regions | '
+                          '6. Check passes if organization trail is properly configured for multi-region logging')
+        self.service = 'CloudTrail'
+        self.logger = logging.getLogger(self.__class__.__name__)
+        self.findings = []
+    def get_findings(self) -> List[Dict[str, Any]]:
+        """Return the findings"""
+        return self.findings
+    def run(self, session) -> None:
+        """Run the security check"""
+        try:
+            # Get account information
+            sts_client = session.client('sts')
+            account_id = sts_client.get_caller_identity()['Account']
+            region = session.region_name
+            self.logger.debug(f"Running check for account: {account_id} in region: {region}")
+            # Initialize CloudTrail client
+            cloudtrail_client = session.client('cloudtrail')
+             # Step 1: Verify we're in management account using org_mgmt_checker
+            is_management, error_message = self.org_checker.verify_org_management()
+            if not is_management:
+                finding = {
+                    'CheckId': self.check_id,
+                    'Status': 'ERROR',
+                    'Region': region,
+                    "Severity": self.severity,
+                    'Title': f"{self.check_id} {self.check_name}",
+                    'Description': self.description,
+                    'ResourceId': account_id,
+                    'ResourceType': 'AWS::Organizations::Account',
+                    'AccountId': account_id,
+                    'CheckedValue': 'Management Account Access',
+                    'ActualValue': error_message if error_message else 'Not running from management account',
+                    'Remediation': 'Run this check from the Organization Management Account',
+                    'Service': self.service,
+                    'CheckLogic': self.check_logic,
+                    'CheckType': self.check_type
+                }
+                self.findings.append(finding)
+                return self.findings
+            try:
+                # List trails and find organization trails
+                trails = cloudtrail_client.describe_trails(includeShadowTrails=True)
+                org_trails = [t for t in trails['trailList'] if t.get('IsOrganizationTrail')]
+                self.logger.debug(f"Found {len(org_trails)} organization trails")
+                if not org_trails:
+                    self.findings.append({
+                        "CheckId": self.check_id,
+                        "Status": "FAIL",
+                        "Region": region,
+                        "Severity": self.severity,
+                        "Title": f"{self.check_id} {self.check_name}",
+                        "Description": self.description,
+                        "ResourceId": "organization-trail",
+                        "ResourceType": "AWS::CloudTrail::Trail",
+                        "AccountId": account_id,
+                        "CheckedValue": "Organization Trail Configuration",
+                        "ActualValue": "No organization trail found",
+                        "Remediation": "Create an organization trail with multi-region logging enabled",
+                        "Service": "CloudTrail",
+                        "CheckLogic": self.check_logic,
+                        "CheckType": self.check_type
+                    })
+                    return
+                # Check multi-region configuration for organization trails
+                multi_region_trail = None
+                for trail in org_trails:
+                    if trail.get('IsMultiRegionTrail'):
+                        multi_region_trail = trail
+                        self.logger.debug(f"Found multi-region organization trail: {trail['Name']}")
+                        break
+                # Create finding based on multi-region configuration
+                status = "PASS" if multi_region_trail else "FAIL"
+                actual_value = (f"Organization trail {multi_region_trail['Name'] if multi_region_trail else org_trails[0]['Name']} "
+                              f"{'is' if multi_region_trail else 'is not'} configured for multi-region logging")
+                self.findings.append({
+                    "CheckId": self.check_id,
+                    "Status": status,
+                    "Region": region,
+                    "Severity": self.severity,
+                    "Title": f"{self.check_id} {self.check_name}",
+                    "Description": self.description,
+                    "ResourceId": (multi_region_trail or org_trails[0])['TrailARN'],
+                    "ResourceType": "AWS::CloudTrail::Trail",
+                    "AccountId": account_id,
+                    "CheckedValue": "Multi-Region Configuration",
+                    "ActualValue": actual_value,
+                    "Remediation": "None required" if multi_region_trail else "Enable multi-region logging for the organization trail",
+                    "Service": "CloudTrail",
+                    "CheckLogic": self.check_logic,
+                    "CheckType": self.check_type
+                })
+            except ClientError as e:
+                self.logger.error(f"Error accessing CloudTrail: {str(e)}")
+                self.findings.append({
+                    "CheckId": self.check_id,
+                    "Status": "ERROR",
+                    "Region": region,
+                    "Severity": self.severity,
+                    "Title": f"{self.check_id} {self.check_name}",
+                    "Description": self.description,
+                    "ResourceId": "cloudtrail",
+                    "ResourceType": "AWS::CloudTrail::Trail",
+                    "AccountId": account_id,
+                    "CheckedValue": "CloudTrail API Access",
+                    "ActualValue": f"Error accessing CloudTrail: {str(e)}",
+                    "Remediation": "Verify CloudTrail permissions",
+                    "Service": "CloudTrail",
+                    "CheckLogic": self.check_logic,
+                    "CheckType": self.check_type
+                })
+        except Exception as e:
+            self.logger.error(f"Unexpected error in check: {str(e)}")
+            self.findings.append({
+                "CheckId": self.check_id,
+                "Status": "ERROR",
+                "Region": region if 'region' in locals() else session.region_name,
+                "Severity": self.severity,
+                "Title": f"{self.check_id} {self.check_name}",
+                "Description": self.description,
+                "ResourceId": "check-execution",
+                "ResourceType": "AWS::CloudTrail::Trail",
+                "AccountId": account_id if 'account_id' in locals() else "unknown",
+                "CheckedValue": "Check Execution",
+                "ActualValue": f"Unexpected error: {str(e)}",
+                "Remediation": "Contact support team",
+                "Service": "CloudTrail",
+                "CheckLogic": self.check_logic,
+                "CheckType": self.check_type
+            })

sraverify/checks/cloudtrail/SRA-CT-5.py ADDED Viewed

@@ -0,0 +1,200 @@
+from typing import Dict, List, Any
+from sraverify.checks import SecurityCheck
+from botocore.exceptions import ClientError
+from datetime import datetime, timezone
+class SRACT5(SecurityCheck):
+    """SRA-CT-5: Organization Trail CloudWatch Logs Delivery"""
+    def __init__(self, check_type="organization"):
+        super().__init__(check_type=check_type)
+        self.check_id = "SRA-CT-5"
+        self.check_name = "Organization Trail CloudWatch Logs Delivery"
+        self.severity = "HIGH"
+        self.description = ('This check verifies that last delivery of cloudtrail logs to CloudWatch Logs was successful. '
+                          'CloudWatch Logs enables you to centralize the cloudtrail logs from all your AWS accounts and '
+                          'regions in the AWS Organization, to a single, highly scalable service. You can then easily view '
+                          'them, search them for specific error codes or patterns, filter them based on specific fields, '
+                          'or archive them securely for future analysis.')
+        self.check_logic = ('1. Verify execution from Organization Management account | '
+                          '2. List CloudTrail trails in current region and identify organization trails (IsOrganizationTrail=true) | '
+                          '3. For each organization trail, verify CloudWatch Logs integration is configured (CloudWatchLogsLogGroupArn and CloudWatchLogsRoleArn exist) | '
+                          '4. Get trail status and verify no CloudWatch Logs delivery errors (LatestCloudWatchLogsDeliveryError is empty) | '
+                          '5. Verify latest CloudWatch Logs delivery time exists and occurred within last 24 hours | '
+                          '6. Check passes if all above conditions are met for at least one organization trail')
+        self.service = 'CloudTrail'
+    def get_findings(self) -> List[Dict[str, Any]]:
+        """Return the findings"""
+        return self.findings
+    def run(self, session):
+        """Run the security check"""
+        try:
+            region = session.region_name
+            account_id = session.client('sts').get_caller_identity()['Account']
+            organizations = session.client('organizations')
+            cloudtrail_client = session.client('cloudtrail')
+             # Step 1: Verify we're in management account using org_mgmt_checker
+            is_management, error_message = self.org_checker.verify_org_management()
+            if not is_management:
+                finding = {
+                    'CheckId': self.check_id,
+                    'Status': 'ERROR',
+                    'Region': region,
+                    "Severity": self.severity,
+                    'Title': f"{self.check_id} {self.check_name}",
+                    'Description': self.description,
+                    'ResourceId': account_id,
+                    'ResourceType': 'AWS::Organizations::Account',
+                    'AccountId': account_id,
+                    'CheckedValue': 'Management Account Access',
+                    'ActualValue': error_message if error_message else 'Not running from management account',
+                    'Remediation': 'Run this check from the Organization Management Account',
+                    'Service': self.service,
+                    'CheckLogic': self.check_logic,
+                    'CheckType': self.check_type
+                }
+                self.findings.append(finding)
+                return self.findings
+            # Step 2: List trails and identify organization trails
+            try:
+                trails = cloudtrail_client.list_trails()['Trails']
+                org_trails = []
+                for trail in trails:
+                    trail_info = cloudtrail_client.get_trail(Name=trail['Name'])['Trail']
+                    if trail_info.get('IsOrganizationTrail', False):
+                        org_trails.append(trail_info)
+                if not org_trails:
+                    self.findings.append({
+                        'CheckId': self.check_id,
+                        'Status': 'FAIL',
+                        'Region': region,
+                        "Severity": self.severity,
+                        'Title': f"{self.check_id} {self.check_name}",
+                        'Description': self.description,
+                        'ResourceId': account_id,
+                        'ResourceType': 'AWS::CloudTrail::Trail',
+                        'AccountId': account_id,
+                        'CheckedValue': 'Organization Trail',
+                        'ActualValue': 'No organization trails found in the current region',
+                        'Remediation': 'Create an organization-wide CloudTrail trail with CloudWatch Logs integration enabled',
+                        'Service': self.service,
+                        'CheckLogic': self.check_logic,
+                        'CheckType': self.check_type
+                    })
+                    return self.findings
+                for trail in org_trails:
+                    trail_name = trail['Name']
+                    trail_arn = trail['TrailARN']
+                    failures = []
+                    # Step 3: Verify CloudWatch Logs integration configuration
+                    cloudwatch_logs_group_arn = trail.get('CloudWatchLogsLogGroupArn')
+                    cloudwatch_logs_role_arn = trail.get('CloudWatchLogsRoleArn')
+                    if not cloudwatch_logs_group_arn:
+                        failures.append('CloudWatch Logs group ARN is not configured')
+                    if not cloudwatch_logs_role_arn:
+                        failures.append('CloudWatch Logs role ARN is not configured')
+                    if cloudwatch_logs_group_arn and cloudwatch_logs_role_arn:
+                        # Step 4: Check CloudWatch Logs delivery errors
+                        trail_status = cloudtrail_client.get_trail_status(Name=trail_name)
+                        delivery_error = trail_status.get('LatestCloudWatchLogsDeliveryError')
+                        if delivery_error:
+                            failures.append(f"CloudWatch Logs delivery error: {delivery_error}")
+                        # Step 5: Verify latest delivery time
+                        latest_delivery_time = trail_status.get('LatestCloudWatchLogsDeliveryTime')
+                        if not latest_delivery_time:
+                            failures.append('No CloudWatch Logs deliveries found')
+                        else:
+                            current_time = datetime.now(timezone.utc)
+                            time_difference = current_time - latest_delivery_time
+                            if time_difference.total_seconds() > 86400:  # 24 hours in seconds
+                                failures.append(f'Last CloudWatch Logs delivery was more than 24 hours ago: {latest_delivery_time.isoformat()}')
+                    if failures:
+                        self.findings.append({
+                            'CheckId': self.check_id,
+                            'Status': 'FAIL',
+                            'Region': region,
+                            "Severity": self.severity,
+                            'Title': f"{self.check_id} {self.check_name}",
+                            'Description': self.description,
+                            'ResourceId': trail_arn,
+                            'ResourceType': 'AWS::CloudTrail::Trail',
+                            'AccountId': account_id,
+                            'CheckedValue': 'CloudWatch Logs Integration Requirements',
+                            'ActualValue': f'Trail "{trail_name}" has the following issues: {" | ".join(failures)}',
+                            'Remediation': ('Ensure CloudWatch Logs integration is properly configured and delivering logs within 24 hours'),
+                            'Service': self.service,
+                            'CheckLogic': self.check_logic,
+                            'CheckType': self.check_type
+                        })
+                    else:
+                        self.findings.append({
+                            'CheckId': self.check_id,
+                            'Status': 'PASS',
+                            'Region': region,
+                            "Severity": self.severity,
+                            'Title': f"{self.check_id} {self.check_name}",
+                            'Description': self.description,
+                            'ResourceId': trail_arn,
+                            'ResourceType': 'AWS::CloudTrail::Trail',
+                            'AccountId': account_id,
+                            'CheckedValue': 'CloudWatch Logs Integration Requirements',
+                            'ActualValue': f'Organization trail {trail_name} has properly configured CloudWatch Logs integration and successfully delivered logs within the last 24 hours',
+                            'Remediation': 'None required',
+                            'Service': self.service,
+                            'CheckLogic': self.check_logic,
+                            'CheckType': self.check_type
+                        })
+            except ClientError as e:
+                self.findings.append({
+                    'CheckId': self.check_id,
+                    'Status': 'ERROR',
+                    'Region': region,
+                    "Severity": self.severity,
+                    'Title': f"{self.check_id} {self.check_name}",
+                    'Description': self.description,
+                    'ResourceId': account_id,
+                    'ResourceType': 'AWS::CloudTrail::Trail',
+                    'AccountId': account_id,
+                    'CheckedValue': 'API Access',
+                    'ActualValue': f'Error accessing CloudTrail API: {str(e)}',
+                    'Remediation': 'Verify CloudTrail API permissions and retry',
+                    'Service': self.service,
+                    'CheckLogic': self.check_logic,
+                    'CheckType': self.check_type
+                })
+        except Exception as e:
+            self.findings.append({
+                'CheckId': self.check_id,
+                'Status': 'ERROR',
+                'Region': region,
+                "Severity": self.severity,
+                'Title': f"{self.check_id} {self.check_name}",
+                'Description': self.description,
+                'ResourceId': account_id,
+                'ResourceType': 'AWS::CloudTrail::Trail',
+                'AccountId': account_id,
+                'CheckedValue': 'Check Execution',
+                'ActualValue': f'Error running check: {str(e)}',
+                'Remediation': 'Review the error message and try again',
+                'Service': self.service,
+                'CheckLogic': self.check_logic,
+                'CheckType': self.check_type
+            })
+        return self.findings