Merge branch 'master' of https://github.com/toniblyx/prowler into master

iam/create_role_to_assume_cfn.yaml

@@ -1,5 +1,31 @@
 AWSTemplateFormatVersion: '2010-09-09'
-Description: 'This template creates a custom policy and role to be assumed by account 123456789012 (change it in line 12 as needed) to run Prowler from and perform a security assessment with a command like: ./prowler -A <THIS_ACCOUNT_ID> -R ProwlerExecRole'
+#
+# You can invoke CloudFormation and pass the principal ARN from a command line like this:
+# aws cloudformation create-stack \
+#  --capabilities CAPABILITY_IAM --capabilities CAPABILITY_NAMED_IAM \
+#  --template-body "file://create_role_to_assume_cfn.yaml" \
+#  --stack-name "ProwlerExecRole" \
+#  --parameters "ParameterKey=AuthorisedARN,ParameterValue=arn:aws:iam::123456789012:root"
+#
+Description: | 
+  This template creates an AWS IAM Role with an inline policy and two AWS managed policies
+  attached. It sets the trust policy on that IAM Role to permit a named ARN in another AWS
+  account to assume that role. The role name and the ARN of the trusted user can all be passed
+  to the CloudFormation stack as parameters. Then you can run Prowler to perform a security
+  assessment with a command like:
+  ./prowler -A <THIS_ACCOUNT_ID> -R ProwlerExecRole
+Parameters:
+  AuthorisedARN:
+    Description: |
+      ARN of user who is authorised to assume the role that is created by this template.
+      E.g., arn:aws:iam::123456789012:root
+    Type: String
+  ProwlerRoleName:
+    Description: |
+      Name of the IAM role that will have these policies attached. Default: ProwlerExecRole
+    Type: String
+    Default: 'ProwlerExecRole'
+
 Resources:
   ProwlerExecRole:
     Type: AWS::IAM::Role
@@ -9,7 +35,7 @@ Resources:
         Statement:
           - Effect: Allow
             Principal:
-              AWS: arn:aws:iam::123456789012:root
+              AWS: !Sub ${AuthorisedARN}
             Action: 'sts:AssumeRole'
             ## In case MFA is required uncomment lines below 
             ## and read https://github.com/toniblyx/prowler#run-prowler-with-mfa-protected-credentials
@@ -19,7 +45,7 @@ Resources:
       ManagedPolicyArns:
         - 'arn:aws:iam::aws:policy/SecurityAudit'
         - 'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess'
-      RoleName: ProwlerExecRole
+      RoleName: !Sub ${ProwlerRoleName}
       Policies: 
         - PolicyName: ProwlerExecRoleAdditionalViewPrivileges
           PolicyDocument:

include/os_detector

@@ -104,6 +104,10 @@ gnu_get_iso8601_timestamp() {
   "$DATE_CMD" -u +"%Y-%m-%dT%H:%M:%SZ"
 }
 
+gsu_get_iso8601_one_minute_ago() {
+  "$DATE_CMD" -d "1 minute ago" -u +"%Y-%m-%dT%H:%M:%SZ"
+}
+
 gsu_get_iso8601_hundred_days_ago() {
   "$DATE_CMD" -d "100 days ago" -u +"%Y-%m-%dT%H:%M:%SZ"
 }
@@ -116,6 +120,10 @@ bsd_get_iso8601_hundred_days_ago() {
   "$DATE_CMD" -v-100d -u +"%Y-%m-%dT%H:%M:%SZ"
 }
 
+bsd_get_iso8601_one_minute_ago() {
+  "$DATE_CMD" -v-1m -u +"%Y-%m-%dT%H:%M:%SZ"
+}
+
 gnu_test_tcp_connectivity() {
   HOST=$1
   PORT=$2
@@ -159,6 +167,9 @@ if [ "$OSTYPE" == "linux-gnu" ] || [ "$OSTYPE" == "linux-musl" ]; then
   get_iso8601_timestamp() {
     gnu_get_iso8601_timestamp
   }
+  get_iso8601_one_minute_ago() {
+    gsu_get_iso8601_one_minute_ago
+  }
   get_iso8601_hundred_days_ago() {
     gsu_get_iso8601_hundred_days_ago
   }
@@ -219,6 +230,9 @@ elif [[ "$OSTYPE" == "darwin"* ]]; then
     get_iso8601_timestamp() {
       bsd_get_iso8601_timestamp
     }
+    get_iso8601_one_minute_ago() {
+      bsd_get_iso8601_one_minute_ago
+    }
     get_iso8601_hundred_days_ago() {
       bsd_get_iso8601_hundred_days_ago
     }

include/outputs

@@ -276,6 +276,7 @@ generateJsonAsffOutput(){
       "SchemaVersion": "2018-10-08",
       "Id": "prowler-\($TITLE_ID)-\($ACCOUNT_NUM)-\($REPREGION)-\($UNIQUE_ID)",
       "ProductArn": "arn:\($AWS_PARTITION):securityhub:\($REPREGION):\($ACCOUNT_NUM):product/\($ACCOUNT_NUM)/default",
+      "RecordState": "ACTIVE",
       "ProductFields": {
           "ProviderName": "Prowler",
           "ProviderVersion": $PROWLER_VERSION
@@ -358,4 +359,4 @@ generateHtmlOutput(){
       echo '<td>'$message'</td>' >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
     echo '</tr>'>> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
   fi
-}
+}

include/securityhub_integration

@@ -31,16 +31,17 @@ checkSecurityHubCompatibility(){
 }
 
 resolveSecurityHubPreviousFails(){
-  # Move previous check findings to Workflow to PASSED (as prowler didn't re-detect them)
+  # Move previous check findings RecordState to ARCHIVED (as prowler didn't re-detect them)
   for regx in $REGIONS; do
 
     local check="$1"
-    
+    OLD_TIMESTAMP=$(get_iso8601_one_minute_ago)
     NEW_TIMESTAMP=$(get_iso8601_timestamp)
 
     PREVIOUS_DATE=$(get_iso8601_hundred_days_ago)
-    FILTER="{\"UpdatedAt\":[{\"Start\":\"$PREVIOUS_DATE\",\"End\":\"$TIMESTAMP\"}],\"GeneratorId\":[{\"Value\": \"prowler-$check\",\"Comparison\":\"PREFIX\"}],\"ComplianceStatus\":[{\"Value\": \"FAILED\",\"Comparison\":\"EQUALS\"}]}"
-    SECURITY_HUB_PREVIOUS_FINDINGS=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT get-findings --filters "${FILTER}" | jq -c --arg updated_at $NEW_TIMESTAMP  '[ .Findings[] | .Compliance = {"Status":"PASSED"} | .UpdatedAt = $updated_at ]')
+
+    FILTER="{\"UpdatedAt\":[{\"Start\":\"$PREVIOUS_DATE\",\"End\":\"$OLD_TIMESTAMP\"}],\"GeneratorId\":[{\"Value\": \"prowler-$check\",\"Comparison\":\"PREFIX\"}],\"ComplianceStatus\":[{\"Value\": \"FAILED\",\"Comparison\":\"EQUALS\"}]}"
+    SECURITY_HUB_PREVIOUS_FINDINGS=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT get-findings --filters "${FILTER}" | jq -c --arg updated_at $NEW_TIMESTAMP  '[ .Findings[] | .RecordState = "ARCHIVED" | .UpdatedAt = $updated_at ]')
     if [[ $SECURITY_HUB_PREVIOUS_FINDINGS != "[]" ]]; then
       BATCH_IMPORT_RESULT=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT batch-import-findings --findings "${SECURITY_HUB_PREVIOUS_FINDINGS}")