ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix: Security Hub eventual consistency + PREFIX query bug + Archive PASSED @xeroxnir

Browse Source 
Fix: Security Hub eventual consistency + PREFIX query bug + Archive PASSED
This commit is contained in:
Toni de la Fuente
2020-11-13 19:16:58 +01:00
committed by GitHub
parent 594215661d f6d17ba6e0
commit b702990ea6
3 changed files with 9 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
include/os_detector
View File

@@ -104,26 +104,10 @@ gnu_get_iso8601_timestamp() {
"$DATE_CMD" -u +"%Y-%m-%dT%H:%M:%SZ" "$DATE_CMD" -u +"%Y-%m-%dT%H:%M:%SZ"
} }
gsu_get_iso8601_one_minute_ago() {
"$DATE_CMD" -d "1 minute ago" -u +"%Y-%m-%dT%H:%M:%SZ"
}
gsu_get_iso8601_hundred_days_ago() {
"$DATE_CMD" -d "100 days ago" -u +"%Y-%m-%dT%H:%M:%SZ"
}
bsd_get_iso8601_timestamp() { bsd_get_iso8601_timestamp() {
"$DATE_CMD" -u +"%Y-%m-%dT%H:%M:%SZ" "$DATE_CMD" -u +"%Y-%m-%dT%H:%M:%SZ"
} }
bsd_get_iso8601_hundred_days_ago() {
"$DATE_CMD" -v-100d -u +"%Y-%m-%dT%H:%M:%SZ"
}
bsd_get_iso8601_one_minute_ago() {
"$DATE_CMD" -v-1M -u +"%Y-%m-%dT%H:%M:%SZ"
}
gnu_test_tcp_connectivity() { gnu_test_tcp_connectivity() {
HOST=$1 HOST=$1
PORT=$2 PORT=$2
@@ -167,12 +151,6 @@ if [ "$OSTYPE" == "linux-gnu" ] || [ "$OSTYPE" == "linux-musl" ]; then
get_iso8601_timestamp() { get_iso8601_timestamp() {
gnu_get_iso8601_timestamp gnu_get_iso8601_timestamp
} }
get_iso8601_one_minute_ago() {
gsu_get_iso8601_one_minute_ago
}
get_iso8601_hundred_days_ago() {
gsu_get_iso8601_hundred_days_ago
}
test_tcp_connectivity() { test_tcp_connectivity() {
gnu_test_tcp_connectivity "$1" "$2" "$3" gnu_test_tcp_connectivity "$1" "$2" "$3"
} }
@@ -230,12 +208,6 @@ elif [[ "$OSTYPE" == "darwin"* ]]; then
get_iso8601_timestamp() { get_iso8601_timestamp() {
bsd_get_iso8601_timestamp bsd_get_iso8601_timestamp
} }
get_iso8601_one_minute_ago() {
bsd_get_iso8601_one_minute_ago
}
get_iso8601_hundred_days_ago() {
bsd_get_iso8601_hundred_days_ago
}
fi fi
if "$BASE64_CMD" --version >/dev/null 2>&1 ; then if "$BASE64_CMD" --version >/dev/null 2>&1 ; then
decode_report() { decode_report() {

13
include/securityhub_integration
View File

@@ -14,7 +14,6 @@
# Checks that the correct mode (json-asff) has been specified if wanting to send check output to AWS Security Hub # Checks that the correct mode (json-asff) has been specified if wanting to send check output to AWS Security Hub
# and that Security Hub is enabled in the chosen region # and that Security Hub is enabled in the chosen region
checkSecurityHubCompatibility(){ checkSecurityHubCompatibility(){
OLD_TIMESTAMP=$(get_iso8601_one_minute_ago)
local regx local regx
if [[ "${MODE}" != "json-asff" ]]; then if [[ "${MODE}" != "json-asff" ]]; then
@@ -48,16 +47,16 @@ resolveSecurityHubPreviousFails(){
local check="$1" local check="$1"
NEW_TIMESTAMP=$(get_iso8601_timestamp) NEW_TIMESTAMP=$(get_iso8601_timestamp)
PREVIOUS_DATE=$(get_iso8601_hundred_days_ago) FILTER="{\"GeneratorId\":[{\"Value\": \"prowler-$check\",\"Comparison\":\"EQUALS\"}],\"RecordState\":[{\"Value\": \"ACTIVE\",\"Comparison\":\"EQUALS\"}]}"
NEW_FINDING_IDS=$(echo -n "${SECURITYHUB_NEW_FINDINGS_IDS[@]}" | jq -cRs 'split(" ")')
SECURITY_HUB_PREVIOUS_FINDINGS=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT get-findings --filters "${FILTER}" | jq -c --argjson ids "$NEW_FINDING_IDS" --arg updated_at $NEW_TIMESTAMP '[ .Findings[] | select( .Id| first(select($ids[] == .)) // false | not) | .RecordState = "ARCHIVED" | .UpdatedAt = $updated_at ]')
FILTER="{\"UpdatedAt\":[{\"Start\":\"$PREVIOUS_DATE\",\"End\":\"$OLD_TIMESTAMP\"}],\"GeneratorId\":[{\"Value\": \"prowler-$check\",\"Comparison\":\"PREFIX\"}],\"ComplianceStatus\":[{\"Value\": \"FAILED\",\"Comparison\":\"EQUALS\"}],\"RecordState\":[{\"Value\": \"ACTIVE\",\"Comparison\":\"EQUALS\"}]}"
SECURITY_HUB_PREVIOUS_FINDINGS=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT get-findings --filters "${FILTER}" | jq -c --arg updated_at $NEW_TIMESTAMP '[ .Findings[] | .RecordState = "ARCHIVED" | .UpdatedAt = $updated_at ]')
if [[ $SECURITY_HUB_PREVIOUS_FINDINGS != "[]" ]]; then if [[ $SECURITY_HUB_PREVIOUS_FINDINGS != "[]" ]]; then
FINDINGS_COUNT=$(echo $SECURITY_HUB_PREVIOUS_FINDINGS | jq '. | length') FINDINGS_COUNT=$(echo $SECURITY_HUB_PREVIOUS_FINDINGS | jq '. | length')
for i in `seq 0 100 $FINDINGS_COUNT`; for i in `seq 0 100 $FINDINGS_COUNT`;
do do
# Import in batches of 100 BATCH_FINDINGS=$(echo $SECURITY_HUB_PREVIOUS_FINDINGS | jq -c '.['"$i:$i+100"']')
BATCH_FINDINGS=$(echo $SECURITY_HUB_PREVIOUS_FINDINGS | jq '.['"$i:$i+100"']')
BATCH_IMPORT_RESULT=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT batch-import-findings --findings "${BATCH_FINDINGS}") BATCH_IMPORT_RESULT=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT batch-import-findings --findings "${BATCH_FINDINGS}")
if [[ -z "${BATCH_IMPORT_RESULT}" ]] || jq -e '.FailedCount >= 1' <<< "${BATCH_IMPORT_RESULT}" > /dev/null 2>&1; then if [[ -z "${BATCH_IMPORT_RESULT}" ]] || jq -e '.FailedCount >= 1' <<< "${BATCH_IMPORT_RESULT}" > /dev/null 2>&1; then
echo -e "\n$RED ERROR!$NORMAL Failed to send check output to AWS Security Hub\n" echo -e "\n$RED ERROR!$NORMAL Failed to send check output to AWS Security Hub\n"
@@ -73,6 +72,8 @@ sendToSecurityHub(){
local findings="$1" local findings="$1"
local region="$2" local region="$2"
local finding_id=$(echo ${findings} | jq -r .Id )
SECURITYHUB_NEW_FINDINGS_IDS+=( "$finding_id" )
BATCH_IMPORT_RESULT=$($AWSCLI securityhub --region "$region" $PROFILE_OPT batch-import-findings --findings "${findings}") BATCH_IMPORT_RESULT=$($AWSCLI securityhub --region "$region" $PROFILE_OPT batch-import-findings --findings "${findings}")
# Check for success if imported # Check for success if imported

2
prowler
View File

@@ -331,6 +331,8 @@ execute_check() {
ASFF_RESOURCE_TYPE="${!asff_resource_type_var:-AwsAccount}" ASFF_RESOURCE_TYPE="${!asff_resource_type_var:-AwsAccount}"
SECURITYHUB_NEW_FINDINGS_IDS=()
# Generate the credential report, only if it is group1 related which checks we # Generate the credential report, only if it is group1 related which checks we
# run so that the checks can safely assume it's available # run so that the checks can safely assume it's available
# set the custom ignores list for this check # set the custom ignores list for this check