- Remove securityhub output mode and replace with '-S' flag to send findings to Security Hub

- Move Security Hub related code to a dedicated include/securityhub_integration file
- Check that Security Hub is enabled in the target region before beginning checks when -S is specified
- Add error handling to the batch-import-findings call
- Add CHECK_ASFF_TYPE variables to all CIS checks to override the default
- Add support for CHECK_ASFF_RESOURCE_TYPE variables which override the default 'AwsAccount' value for the resource a finding relates to.
- Add CHECK_ASFF_RESOURCE_TYPE variables to all checks where there is a suitable value in the schema
- Remove json-asff output for info messages as they are not appropriate for possible submission to Security Hub
- Update the README to cover Security Hub integration
- Add an IAM policy JSON document that provides the necessary BatchImportFindings permission for Security Hub
- Remove trailing whitespace and periods in pass/fail messages to be consistent with the majority of messages, to prevent future tidy-up from changing the finding IDs

include/colors

@@ -11,9 +11,9 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 
-if [[ "$MODE" != "mono" && "$MODE" != "text" && "$MODE" != "csv" && "$MODE" != "json" && "$MODE" != "json-asff" && "$MODE" != "securityhub" ]]; then
+if [[ "$MODE" != "mono" && "$MODE" != "text" && "$MODE" != "csv" && "$MODE" != "json" && "$MODE" != "json-asff" ]]; then
   echo ""
-  echo "$OPTRED ERROR!$OPTNORMAL Invalid output mode.  Choose text, mono, csv, json, json-asff or securityhub."
+  echo "$OPTRED ERROR!$OPTNORMAL Invalid output mode.  Choose text, mono, csv, json or json-asff."
   usage
   EXITCODE=1
   exit $EXITCODE

include/outputs

@@ -18,7 +18,7 @@ textPass(){
   fi
 
   PASS_COUNTER=$((PASS_COUNTER+1))
-  if [[ "$MODE" == "csv" || "$MODE" == "json" || "$MODE" == "json-asff" || "$MODE" == "securityhub" ]]; then
+  if [[ "$MODE" == "csv" || "$MODE" == "json" || "$MODE" == "json-asff" ]]; then
     if [[ $2 ]]; then
       REPREGION=$2
     else
@@ -29,10 +29,11 @@ textPass(){
     elif [[ "$MODE" == "json" ]]; then
       generateJsonOutput "$1" "Pass"
     elif [[ "$MODE" == "json-asff" ]]; then
-      generateJsonAsffOutput "$1" "PASSED" "INFORMATIONAL"
-    elif [[ "$MODE" == "securityhub" ]]; then
-      printf "      $OK PASS!$NORMAL %s... "  "$1"
-      aws securityhub batch-import-findings --findings "$(generateJsonAsffOutput "$1" "PASSED" "INFORMATIONAL")" | jq -M -r 'if .SuccessCount == 1 then "Successfully submitted finding" else "Failed to upload finding" end'
+      JSON_ASFF_OUTPUT=$(generateJsonAsffOutput "$1" "PASSED" "INFORMATIONAL")
+      echo "${JSON_ASFF_OUTPUT}"
+      if [[ "${SEND_TO_SECURITY_HUB}" -eq 1 ]]; then
+        sendToSecurityHub "${JSON_ASFF_OUTPUT}"
+      fi
     fi
   else
     echo "      $OK PASS!$NORMAL $1"
@@ -54,11 +55,6 @@ textInfo(){
       echo "$PROFILE${SEP}$ACCOUNT_NUM${SEP}$REPREGION${SEP}$TITLE_ID${SEP}INFO${SEP}$ITEM_SCORED${SEP}$ITEM_LEVEL${SEP}$TITLE_TEXT${SEP}$1"
     elif [[ "$MODE" == "json" ]]; then
       generateJsonOutput "$1" "Info"
-    elif [[ "$MODE" == "json-asff" ]]; then
-      generateJsonAsffOutput "$1" "NOT_AVAILABLE" "LOW"
-    elif [[ "$MODE" == "securityhub" ]]; then
-      printf "      $NOTICE INFO! %s... $NORMAL"  "$1"
-      aws securityhub batch-import-findings --findings "$(generateJsonAsffOutput "$1" "NOT_AVAILABLE" "LOW")" | jq -M -r 'if .SuccessCount == 1 then "Successfully submitted finding" else "Failed to upload finding" end'
     fi
   else
     echo "      $NOTICE INFO! $1 $NORMAL"
@@ -68,7 +64,7 @@ textInfo(){
 textFail(){
   FAIL_COUNTER=$((FAIL_COUNTER+1))
   EXITCODE=3
-  if [[ "$MODE" == "csv" || "$MODE" == "json" || "$MODE" == "json-asff" || "$MODE" == "securityhub" ]]; then
+  if [[ "$MODE" == "csv" || "$MODE" == "json" || "$MODE" == "json-asff" ]]; then
     if [[ $2 ]]; then
       REPREGION=$2
     else
@@ -79,10 +75,11 @@ textFail(){
     elif [[ "$MODE" == "json" ]]; then
       generateJsonOutput "$1" "Fail"
     elif [[ "$MODE" == "json-asff" ]]; then
-      generateJsonAsffOutput "$1" "FAILED" "HIGH"
-    elif [[ "$MODE" == "securityhub" ]]; then
-      printf "      $BAD FAIL! %s... $NORMAL"  "$1"
-      aws securityhub batch-import-findings --findings "$(generateJsonAsffOutput "$1" "FAILED" "HIGH")" | jq -M -r 'if .SuccessCount == 1 then "Successfully submitted finding" else "Failed to upload finding" end'
+      JSON_ASFF_OUTPUT=$(generateJsonAsffOutput "$1" "FAILED" "HIGH")
+      echo "${JSON_ASFF_OUTPUT}"
+      if [[ "${SEND_TO_SECURITY_HUB}" -eq 1 ]]; then
+        sendToSecurityHub "${JSON_ASFF_OUTPUT}"
+      fi
     fi
   else
     echo "      $BAD FAIL! $1 $NORMAL"
@@ -178,6 +175,8 @@ generateJsonAsffOutput(){
   --arg SCORED "$ITEM_SCORED" \
   --arg ITEM_LEVEL "$ITEM_LEVEL" \
   --arg TITLE_ID "$TITLE_ID" \
+  --arg TYPE "$ASFF_TYPE" \
+  --arg RESOURCE_TYPE "$ASFF_RESOURCE_TYPE" \
   --arg REPREGION "$REPREGION" \
   --arg TIMESTAMP $(date -u +"%Y-%m-%dT%H:%M:%SZ") \
   --arg PROWLER_VERSION "$PROWLER_VERSION" \
@@ -192,7 +191,7 @@ generateJsonAsffOutput(){
       "GeneratorId": "prowler-\($PROWLER_VERSION)",
       "AwsAccountId": $ACCOUNT_NUM,
       "Types": [
-          "Software and Configuration Checks"
+          $TYPE
       ],
       "FirstObservedAt": $TIMESTAMP,
       "UpdatedAt": $TIMESTAMP,
@@ -204,8 +203,8 @@ generateJsonAsffOutput(){
       "Description": $MESSAGE,
       "Resources": [
           {
-              "Type": "AwsAccount",
-              "Id": "AWS: : : :Account:\($ACCOUNT_NUM)",
+              "Type": $RESOURCE_TYPE,
+              "Id": "AWS::::Account:\($ACCOUNT_NUM)",
               "Partition": "aws",
               "Region": $REPREGION
           }

include/securityhub_integration

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+# Checks that the correct mode (json-asff) has been specified if wanting to send check output to AWS Security Hub
+# and that Security Hub is enabled in the chosen region
+checkSecurityHubCompatibility(){
+  if [[ "${MODE}" != "json-asff" ]]; then
+    echo -e "\n$RED ERROR!$NORMAL Output can only be sent to Security Hub when the output mode is json-asff, i.e. -M json-asff -S\n"
+    EXITCODE=1
+    exit $EXITCODE
+  fi
+  SECURITY_HUB_ENABLED=$($AWSCLI securityhub --region $REGION $PROFILE_OPT describe-hub)
+  if [[ -z "${SECURITY_HUB_ENABLED}" ]]; then
+    echo -e "\n$RED ERROR!$NORMAL Security Hub is not enabled in $REGION. Enable it by calling '$AWSCLI securityhub --region $REGION $PROFILE_OPT enable-security-hub'\n"
+    EXITCODE=1
+    exit $EXITCODE
+  fi
+}
+
+sendToSecurityHub(){
+  BATCH_IMPORT_RESULT=$($AWSCLI securityhub --region $REGION $PROFILE_OPT batch-import-findings --findings "$1")
+  # A successful CLI response is: {"SuccessCount": 1,"FailedFindings": [],"FailedCount": 0}
+  # Therefore, check that SuccessCount is indeed 1
+  if [[ -z "${BATCH_IMPORT_RESULT}" ]] || ! jq -e '.SuccessCount == 1' <<< "${BATCH_IMPORT_RESULT}" > /dev/null 2>&1; then
+    echo -e "\n$RED ERROR!$NORMAL Failed to send check output to AWS Security Hub\n"
+  fi
+}