diff --git a/include/os_detector b/include/os_detector index 91fd9ce4..af962d4c 100644 --- a/include/os_detector +++ b/include/os_detector @@ -104,26 +104,10 @@ gnu_get_iso8601_timestamp() { "$DATE_CMD" -u +"%Y-%m-%dT%H:%M:%SZ" } -gsu_get_iso8601_one_minute_ago() { - "$DATE_CMD" -d "1 minute ago" -u +"%Y-%m-%dT%H:%M:%SZ" -} - -gsu_get_iso8601_hundred_days_ago() { - "$DATE_CMD" -d "100 days ago" -u +"%Y-%m-%dT%H:%M:%SZ" -} - bsd_get_iso8601_timestamp() { "$DATE_CMD" -u +"%Y-%m-%dT%H:%M:%SZ" } -bsd_get_iso8601_hundred_days_ago() { - "$DATE_CMD" -v-100d -u +"%Y-%m-%dT%H:%M:%SZ" -} - -bsd_get_iso8601_one_minute_ago() { - "$DATE_CMD" -v-1M -u +"%Y-%m-%dT%H:%M:%SZ" -} - gnu_test_tcp_connectivity() { HOST=$1 PORT=$2 @@ -167,12 +151,6 @@ if [ "$OSTYPE" == "linux-gnu" ] || [ "$OSTYPE" == "linux-musl" ]; then get_iso8601_timestamp() { gnu_get_iso8601_timestamp } - get_iso8601_one_minute_ago() { - gsu_get_iso8601_one_minute_ago - } - get_iso8601_hundred_days_ago() { - gsu_get_iso8601_hundred_days_ago - } test_tcp_connectivity() { gnu_test_tcp_connectivity "$1" "$2" "$3" } @@ -230,12 +208,6 @@ elif [[ "$OSTYPE" == "darwin"* ]]; then get_iso8601_timestamp() { bsd_get_iso8601_timestamp } - get_iso8601_one_minute_ago() { - bsd_get_iso8601_one_minute_ago - } - get_iso8601_hundred_days_ago() { - bsd_get_iso8601_hundred_days_ago - } fi if "$BASE64_CMD" --version >/dev/null 2>&1 ; then decode_report() { diff --git a/include/securityhub_integration b/include/securityhub_integration index 790ea415..cf03cb0a 100644 --- a/include/securityhub_integration +++ b/include/securityhub_integration @@ -14,7 +14,6 @@ # Checks that the correct mode (json-asff) has been specified if wanting to send check output to AWS Security Hub # and that Security Hub is enabled in the chosen region checkSecurityHubCompatibility(){ - OLD_TIMESTAMP=$(get_iso8601_one_minute_ago) local regx if [[ "${MODE}" != "json-asff" ]]; then @@ -48,16 +47,16 @@ resolveSecurityHubPreviousFails(){ local check="$1" NEW_TIMESTAMP=$(get_iso8601_timestamp) - PREVIOUS_DATE=$(get_iso8601_hundred_days_ago) + FILTER="{\"GeneratorId\":[{\"Value\": \"prowler-$check\",\"Comparison\":\"EQUALS\"}],\"RecordState\":[{\"Value\": \"ACTIVE\",\"Comparison\":\"EQUALS\"}]}" + + NEW_FINDING_IDS=$(echo -n "${SECURITYHUB_NEW_FINDINGS_IDS[@]}" | jq -cRs 'split(" ")') + SECURITY_HUB_PREVIOUS_FINDINGS=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT get-findings --filters "${FILTER}" | jq -c --argjson ids "$NEW_FINDING_IDS" --arg updated_at $NEW_TIMESTAMP '[ .Findings[] | select( .Id| first(select($ids[] == .)) // false | not) | .RecordState = "ARCHIVED" | .UpdatedAt = $updated_at ]') - FILTER="{\"UpdatedAt\":[{\"Start\":\"$PREVIOUS_DATE\",\"End\":\"$OLD_TIMESTAMP\"}],\"GeneratorId\":[{\"Value\": \"prowler-$check\",\"Comparison\":\"PREFIX\"}],\"ComplianceStatus\":[{\"Value\": \"FAILED\",\"Comparison\":\"EQUALS\"}],\"RecordState\":[{\"Value\": \"ACTIVE\",\"Comparison\":\"EQUALS\"}]}" - SECURITY_HUB_PREVIOUS_FINDINGS=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT get-findings --filters "${FILTER}" | jq -c --arg updated_at $NEW_TIMESTAMP '[ .Findings[] | .RecordState = "ARCHIVED" | .UpdatedAt = $updated_at ]') if [[ $SECURITY_HUB_PREVIOUS_FINDINGS != "[]" ]]; then FINDINGS_COUNT=$(echo $SECURITY_HUB_PREVIOUS_FINDINGS | jq '. | length') for i in `seq 0 100 $FINDINGS_COUNT`; do - # Import in batches of 100 - BATCH_FINDINGS=$(echo $SECURITY_HUB_PREVIOUS_FINDINGS | jq '.['"$i:$i+100"']') + BATCH_FINDINGS=$(echo $SECURITY_HUB_PREVIOUS_FINDINGS | jq -c '.['"$i:$i+100"']') BATCH_IMPORT_RESULT=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT batch-import-findings --findings "${BATCH_FINDINGS}") if [[ -z "${BATCH_IMPORT_RESULT}" ]] || jq -e '.FailedCount >= 1' <<< "${BATCH_IMPORT_RESULT}" > /dev/null 2>&1; then echo -e "\n$RED ERROR!$NORMAL Failed to send check output to AWS Security Hub\n" @@ -73,6 +72,8 @@ sendToSecurityHub(){ local findings="$1" local region="$2" + local finding_id=$(echo ${findings} | jq -r .Id ) + SECURITYHUB_NEW_FINDINGS_IDS+=( "$finding_id" ) BATCH_IMPORT_RESULT=$($AWSCLI securityhub --region "$region" $PROFILE_OPT batch-import-findings --findings "${findings}") # Check for success if imported diff --git a/prowler b/prowler index b56c66ba..c88fab83 100755 --- a/prowler +++ b/prowler @@ -331,6 +331,8 @@ execute_check() { ASFF_RESOURCE_TYPE="${!asff_resource_type_var:-AwsAccount}" + SECURITYHUB_NEW_FINDINGS_IDS=() + # Generate the credential report, only if it is group1 related which checks we # run so that the checks can safely assume it's available # set the custom ignores list for this check