diff --git a/include/os_detector b/include/os_detector
index 55a6e761..6f74c1c4 100644
--- a/include/os_detector
+++ b/include/os_detector
@@ -104,6 +104,10 @@ gnu_get_iso8601_timestamp() {
 "$DATE_CMD" -u +"%Y-%m-%dT%H:%M:%SZ"
 }
 
+gsu_get_iso8601_one_minute_ago() {
+ "$DATE_CMD" -d "1 minute ago" -u +"%Y-%m-%dT%H:%M:%SZ"
+}
+
 gsu_get_iso8601_hundred_days_ago() {
 "$DATE_CMD" -d "100 days ago" -u +"%Y-%m-%dT%H:%M:%SZ"
 }
@@ -116,6 +120,10 @@ bsd_get_iso8601_hundred_days_ago() {
 "$DATE_CMD" -v-100d -u +"%Y-%m-%dT%H:%M:%SZ"
 }
 
+bsd_get_iso8601_one_minute_ago() {
+ "$DATE_CMD" -v-1m -u +"%Y-%m-%dT%H:%M:%SZ"
+}
+
 gnu_test_tcp_connectivity() {
 HOST=$1
 PORT=$2
@@ -159,6 +167,9 @@ if [ "$OSTYPE" == "linux-gnu" ] || [ "$OSTYPE" == "linux-musl" ]; then
 get_iso8601_timestamp() {
 gnu_get_iso8601_timestamp
 }
+ get_iso8601_one_minute_ago() {
+ gsu_get_iso8601_one_minute_ago
+ }
 get_iso8601_hundred_days_ago() {
 gsu_get_iso8601_hundred_days_ago
 }
@@ -219,6 +230,9 @@ elif [[ "$OSTYPE" == "darwin"* ]]; then
 get_iso8601_timestamp() {
 bsd_get_iso8601_timestamp
 }
+ get_iso8601_one_minute_ago() {
+ bsd_get_iso8601_one_minute_ago
+ }
 get_iso8601_hundred_days_ago() {
 bsd_get_iso8601_hundred_days_ago
 }
diff --git a/include/outputs b/include/outputs
index 68570341..92eb61b5 100644
--- a/include/outputs
+++ b/include/outputs
@@ -276,6 +276,7 @@ generateJsonAsffOutput(){
 "SchemaVersion": "2018-10-08",
 "Id": "prowler-\($TITLE_ID)-\($ACCOUNT_NUM)-\($REPREGION)-\($UNIQUE_ID)",
 "ProductArn": "arn:\($AWS_PARTITION):securityhub:\($REPREGION):\($ACCOUNT_NUM):product/\($ACCOUNT_NUM)/default",
+ "RecordState": "ACTIVE"
 "ProductFields": {
 "ProviderName": "Prowler",
 "ProviderVersion": $PROWLER_VERSION
@@ -358,4 +359,4 @@ generateHtmlOutput(){
 echo ''$message'' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
 echo ''>> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
 fi
-}
+}
\ No newline at end of file
diff --git a/include/securityhub_integration b/include/securityhub_integration
index e969ec6e..00411f84 100644
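Review bot: The new helper in the first hunk is named `gsu_get_iso8601_one_minute_ago`, copying the `gsu_` prefix of the neighbouring `gsu_get_iso8601_hundred_days_ago` rather than the `gnu_` prefix that `gnu_get_iso8601_timestamp` in the hunk header and `gnu_test_tcp_connectivity` in the next hunk use for the same GNU-date family. `gsu_` reads as a pre-existing typo, and the third hunk's linux dispatch entry `get_iso8601_one_minute_ago() { gsu_get_iso8601_one_minute_ago }` now repeats it. Naming the new function `gnu_get_iso8601_one_minute_ago` and updating that one dispatch line keeps the new code consistent without touching the older misnamed helper.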
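Review bot: `"$DATE_CMD" -v-1m` in the new `bsd_get_iso8601_one_minute_ago` (second hunk) subtracts one month, not one minute: in BSD/macOS date(1) the `-v` adjustment unit `m` means months and minutes are the uppercase `M`, just as the surrounding `-v-100d` uses `d` for days. On macOS the function would therefore return a timestamp a month in the past, and any caller using it as the end of an "updated before now" window would silently exclude a month of records, while the GNU variant in the first hunk behaves as intended. Change the line to `"$DATE_CMD" -v-1M -u +"%Y-%m-%dT%H:%M:%SZ"` and add a comment such as `# -v-1M: one minute ago (lowercase m would mean months)` so the distinction survives the next edit.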
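Review bot: The added `"RecordState": "ACTIVE"` in the first include/outputs hunk has no trailing comma, yet it is followed by `"ProductFields": {` inside the same object literal, so the jq template this belongs to (the `\($TITLE_ID)` interpolations on the neighbouring lines mark it as jq) no longer parses; the ASFF output would fail for every finding instead of gaining the field. Change the line to `"RecordState": "ACTIVE",`. The enclosing `generateJsonAsffOutput` starts and ends outside the hunk, so this is the only line to touch here.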
--- a/include/securityhub_integration
+++ b/include/securityhub_integration
@@ -31,16 +31,17 @@ checkSecurityHubCompatibility(){
 }
 resolveSecurityHubPreviousFails(){
- # Move previous check findings to Workflow to PASSED (as prowler didn't re-detect them)
+ # Move previous check findings RecordState to ARCHIVED (as prowler didn't re-detect them)
 for regx in $REGIONS; do
 local check="$1"
-
+ OLD_TIMESTAMP=$(get_iso8601_one_minute_ago)
 NEW_TIMESTAMP=$(get_iso8601_timestamp)
 PREVIOUS_DATE=$(get_iso8601_hundred_days_ago)
- FILTER="{\"UpdatedAt\":[{\"Start\":\"$PREVIOUS_DATE\",\"End\":\"$TIMESTAMP\"}],\"GeneratorId\":[{\"Value\": \"prowler-$check\",\"Comparison\":\"PREFIX\"}],\"ComplianceStatus\":[{\"Value\": \"FAILED\",\"Comparison\":\"EQUALS\"}]}"
- SECURITY_HUB_PREVIOUS_FINDINGS=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT get-findings --filters "${FILTER}" | jq -c --arg updated_at $NEW_TIMESTAMP '[ .Findings[] | .Compliance = {"Status":"PASSED"} | .UpdatedAt = $updated_at ]')
+
+ FILTER="{\"UpdatedAt\":[{\"Start\":\"$PREVIOUS_DATE\",\"End\":\"$OLD_TIMESTAMP\"}],\"GeneratorId\":[{\"Value\": \"prowler-$check\",\"Comparison\":\"PREFIX\"}],\"ComplianceStatus\":[{\"Value\": \"FAILED\",\"Comparison\":\"EQUALS\"}]}"
+ SECURITY_HUB_PREVIOUS_FINDINGS=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT get-findings --filters "${FILTER}" | jq -c --arg updated_at $NEW_TIMESTAMP '[ .Findings[] | .RecordState = "ARCHIVED" | .UpdatedAt = $updated_at ]')
 if [[ $SECURITY_HUB_PREVIOUS_FINDINGS != "[]" ]]; then
 BATCH_IMPORT_RESULT=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT batch-import-findings --findings "${SECURITY_HUB_PREVIOUS_FINDINGS}")