From ee16a8ae1a00802f2417b324cd01e4335cdcab64 Mon Sep 17 00:00:00 2001 From: Sergio Garcia <38561120+sergargar@users.noreply.github.com> Date: Tue, 5 Mar 2024 18:13:06 +0100 Subject: [PATCH] fix(compliance): set correct CSV Compliance model for CIS (#3503) --- .../security-compliance-framework.md | 4 +- prowler/lib/outputs/file_descriptors.py | 139 +++++++----------- 2 files changed, 59 insertions(+), 84 deletions(-) diff --git a/docs/developer-guide/security-compliance-framework.md b/docs/developer-guide/security-compliance-framework.md index 8532af23..53406a5a 100644 --- a/docs/developer-guide/security-compliance-framework.md +++ b/docs/developer-guide/security-compliance-framework.md @@ -23,7 +23,7 @@ Each file version of a framework will have the following structure at high level "Requirements": [ { "Id": "", - "Description": "Requiemente full description", + "Description": "Requirement full description", "Checks": [ "Here is the prowler check or checks that is going to be executed" ], @@ -38,4 +38,4 @@ Each file version of a framework will have the following structure at high level } ``` -Finally, to have a proper output file for your reports, your framework data model has to be created in `prowler/lib/outputs/models.py` and also the CLI table output in `prowler/lib/outputs/compliance.py`. +Finally, to have a proper output file for your reports, your framework data model has to be created in `prowler/lib/outputs/models.py` and also the CLI table output in `prowler/lib/outputs/compliance.py`. Also, you need to add a new conditional in `prowler/lib/outputs/file_descriptors.py` if you create a new CSV model. diff --git a/prowler/lib/outputs/file_descriptors.py b/prowler/lib/outputs/file_descriptors.py index 9b5def4d..d17cb87f 100644 --- a/prowler/lib/outputs/file_descriptors.py +++ b/prowler/lib/outputs/file_descriptors.py 
@@ -107,8 +107,8 @@ def fill_file_descriptors(output_modes, output_directory, output_filename, audit
                     file_descriptors.update({output_mode: file_descriptor})
 
                 elif isinstance(audit_info, GCP_Audit_Info):
-                    if output_mode == "cis_2.0_gcp":
-                        filename = f"{output_directory}/{output_filename}_cis_2.0_gcp{csv_file_suffix}"
+                    filename = f"{output_directory}/{output_filename}_{output_mode}{csv_file_suffix}"
+                    if "cis_" in output_mode:
                         file_descriptor = initialize_file_descriptor(
                             filename, output_mode, audit_info, Check_Output_CSV_GCP_CIS
                         )
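Review bot: The new `if "cis_" in output_mode:` is a substring test, so any GCP framework id that happens to contain `cis_` anywhere in its name would be serialized with `Check_Output_CSV_GCP_CIS`; `if output_mode.startswith("cis_"):` states the intent (the mode name begins with the CIS prefix) and is no longer than the original. The hoisted `filename` assignment now also feeds the GCP branch's remaining arms, which lie outside this hunk, so it is worth confirming none of them still assigns `filename` with a hard-coded suffix. The enclosing `fill_file_descriptors` starts and ends outside the hunk.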
@@ -121,87 +121,62 @@ def fill_file_descriptors(output_modes, output_directory, output_filename, audit
                             filename, output_mode, audit_info
                         )
                         file_descriptors.update({output_mode: file_descriptor})
-
-                elif output_mode == "ens_rd2022_aws":
-                    filename = f"{output_directory}/{output_filename}_ens_rd2022_aws{csv_file_suffix}"
-                    file_descriptor = initialize_file_descriptor(
-                        filename,
-                        output_mode,
-                        audit_info,
-                        Check_Output_CSV_ENS_RD2022,
-                    )
-                    file_descriptors.update({output_mode: file_descriptor})
-
-                elif output_mode == "cis_1.5_aws":
-                    filename = f"{output_directory}/{output_filename}_cis_1.5_aws{csv_file_suffix}"
-                    file_descriptor = initialize_file_descriptor(
-                        filename, output_mode, audit_info, Check_Output_CSV_AWS_CIS
-                    )
-                    file_descriptors.update({output_mode: file_descriptor})
-
-                elif output_mode == "cis_1.4_aws":
-                    filename = f"{output_directory}/{output_filename}_cis_1.4_aws{csv_file_suffix}"
-                    file_descriptor = initialize_file_descriptor(
-                        filename, output_mode, audit_info, Check_Output_CSV_AWS_CIS
-                    )
-                    file_descriptors.update({output_mode: file_descriptor})
-
-                elif (
-                    output_mode
-                    == "aws_well_architected_framework_security_pillar_aws"
-                ):
-                    filename = f"{output_directory}/{output_filename}_aws_well_architected_framework_security_pillar_aws{csv_file_suffix}"
-                    file_descriptor = initialize_file_descriptor(
-                        filename,
-                        output_mode,
-                        audit_info,
-                        Check_Output_CSV_AWS_Well_Architected,
-                    )
-                    file_descriptors.update({output_mode: file_descriptor})
-
-                elif (
-                    output_mode
-                    == "aws_well_architected_framework_reliability_pillar_aws"
-                ):
-                    filename = f"{output_directory}/{output_filename}_aws_well_architected_framework_reliability_pillar_aws{csv_file_suffix}"
-                    file_descriptor = initialize_file_descriptor(
-                        filename,
-                        output_mode,
-                        audit_info,
-                        Check_Output_CSV_AWS_Well_Architected,
-                    )
-                    file_descriptors.update({output_mode: file_descriptor})
-
-                elif output_mode == "iso27001_2013_aws":
-                    filename = f"{output_directory}/{output_filename}_iso27001_2013_aws{csv_file_suffix}"
-                    file_descriptor = initialize_file_descriptor(
-                        filename,
-                        output_mode,
-                        audit_info,
-                        Check_Output_CSV_AWS_ISO27001_2013,
-                    )
-                    file_descriptors.update({output_mode: file_descriptor})
-
-                elif output_mode == "mitre_attack_aws":
-                    filename = f"{output_directory}/{output_filename}_mitre_attack_aws{csv_file_suffix}"
-                    file_descriptor = initialize_file_descriptor(
-                        filename,
-                        output_mode,
-                        audit_info,
-                        Check_Output_MITRE_ATTACK,
-                    )
-                    file_descriptors.update({output_mode: file_descriptor})
-
-                else:
-                    # Generic Compliance framework
+                else:  # Compliance frameworks
                     filename = f"{output_directory}/{output_filename}_{output_mode}{csv_file_suffix}"
-                    file_descriptor = initialize_file_descriptor(
-                        filename,
-                        output_mode,
-                        audit_info,
-                        Check_Output_CSV_Generic_Compliance,
-                    )
-                    file_descriptors.update({output_mode: file_descriptor})
+                    if output_mode == "ens_rd2022_aws":
+                        file_descriptor = initialize_file_descriptor(
+                            filename,
+                            output_mode,
+                            audit_info,
+                            Check_Output_CSV_ENS_RD2022,
+                        )
+                        file_descriptors.update({output_mode: file_descriptor})
+
+                    elif "cis_" in output_mode:
+                        file_descriptor = initialize_file_descriptor(
+                            filename,
+                            output_mode,
+                            audit_info,
+                            Check_Output_CSV_AWS_CIS,
+                        )
+                        file_descriptors.update({output_mode: file_descriptor})
+
+                    elif "aws_well_architected_framework" in output_mode:
+                        file_descriptor = initialize_file_descriptor(
+                            filename,
+                            output_mode,
+                            audit_info,
+                            Check_Output_CSV_AWS_Well_Architected,
+                        )
+                        file_descriptors.update({output_mode: file_descriptor})
+
+                    elif output_mode == "iso27001_2013_aws":
+                        file_descriptor = initialize_file_descriptor(
+                            filename,
+                            output_mode,
+                            audit_info,
+                            Check_Output_CSV_AWS_ISO27001_2013,
+                        )
+                        file_descriptors.update({output_mode: file_descriptor})
+
+                    elif output_mode == "mitre_attack_aws":
+                        file_descriptor = initialize_file_descriptor(
+                            filename,
+                            output_mode,
+                            audit_info,
+                            Check_Output_MITRE_ATTACK,
+                        )
+                        file_descriptors.update({output_mode: file_descriptor})
+
+                    else:
+                        # Generic Compliance framework
+                        file_descriptor = initialize_file_descriptor(
+                            filename,
+                            output_mode,
+                            audit_info,
+                            Check_Output_CSV_Generic_Compliance,
+                        )
+                        file_descriptors.update({output_mode: file_descriptor})
 
     except Exception as error:
         logger.error(
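Review bot: The new `else:  # Compliance frameworks` arm is reached for every provider that is not GCP (the only provider guard visible is the `isinstance(audit_info, GCP_Audit_Info)` check in the previous hunk), yet `elif "cis_" in output_mode:` and `elif "aws_well_architected_framework" in output_mode:` pick AWS-specific CSV models; the exact matches they replace (`cis_1.4_aws`, `cis_1.5_aws`) could never fire for a non-AWS framework, whereas a substring test will send any other provider's future `cis_*` framework into `Check_Output_CSV_AWS_CIS` instead of the generic model. Tying the test to the AWS naming suffix keeps the fix while preserving the old safety, e.g. `elif output_mode.startswith("cis_") and output_mode.endswith("_aws"):` and `elif output_mode.startswith("aws_well_architected_framework_"):`, or alternatively guard the whole arm with `isinstance(audit_info, AWS_Audit_Info)` if that type is available here. A short comment above the arm, `# Assumes any non-GCP compliance output is an AWS framework; keep in sync with the provider guards above`, would make the assumption visible to whoever adds the next provider. The enclosing `fill_file_descriptors` starts before this hunk and its `except` handler continues after it.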