Inspector notifications
Event pattern
{
  "detail-type": ["Security Hub Findings - Imported"],
  "source": ["aws.securityhub"],
  "detail": {
    "findings": {
      "ProductArn": ["arn:aws:securityhub:ap-northeast-1::product/aws/inspector"],
      "Workflow": {
        "Status": ["NEW"]
      },
      "Severity": {
        "Label": ["HIGH", "MEDIUM"]
      }
    }
  }
}
Input transformer
Input path
{"DATE":"$.detail.findings[0].UpdatedAt","Description":"$.detail.findings[0].Description","ID":"$.detail.findings[0].Id","LEVEL":"$.detail.findings[0].Severity.Label"}
Input template
"LEVEL : <LEVEL>"
"ID : <ID>"
"Description : <Description>"
"DATE : <DATE>"
Example notification when no transformer is applied (only the account number is masked)
{"version":"0","id":"bd7af87e-c155-a084-463d-6bd3677fc188","detail-type":"Security Hub Findings - Imported","source":"aws.securityhub","account":"000000000000","time":"2021-12-06T08:25:58Z","region":"ap-northeast-1","resources":["arn:aws:securityhub:ap-northeast-1::product/aws/inspector/inspector/ap-northeast-1/000000000000/1f4f586c70a7565903076584ee3c3a9c76107319"],"detail":{"findings":[{"ProductArn":"arn:aws:securityhub:ap-northeast-1::product/aws/inspector","Types":["Software and Configuration Checks/Industry and Regulatory Standards/CIS Host Hardening Benchmarks – 1.1.1.1 Ensure mounting of cramfs filesystems is disabled"],"Description":"Description\n\n\t\t\t\t\t\t\nThe cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.\n\n\t\t\t\t\t\n\nRationale\n\n\t\t\t\t\t\t\nRemoving support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it.\n\n\t\t\t\t\t\n\n","SchemaVersion":"2018-10-08","ProductName":"Inspector","GeneratorId":"arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu","CreatedAt":"2021-12-06T08:25:51.654Z","RecordState":"ACTIVE","Title":"\n Instance i-0986014d98308ac67 is not compliant with rule 1.1.1.1 Ensure mounting of cramfs filesystems is disabled, 1.0.0 CIS Amazon Linux 2 Benchmark. 
\n\n Applicable profiles: Level 1, Level 2.\n ","Workflow":{"Status":"NEW"},"Severity":{"Normalized":70,"Label":"HIGH","Original":"9.0"},"UpdatedAt":"2021-12-06T08:25:51.654Z","CompanyName":"Amazon","FindingProviderFields":{"Types":["Software and Configuration Checks/Industry and Regulatory Standards/CIS Host Hardening Benchmarks – 1.1.1.1 Ensure mounting of cramfs filesystems is disabled"],"Confidence":10,"Severity":{"Normalized":70,"Label":"HIGH","Original":"9.0"}},"Confidence":10,"WorkflowState":"NEW","ProductFields":{"aws/inspector/id":"1.1.1.1 Ensure mounting of cramfs filesystems is disabled","serviceAttributes/schemaVersion":"1","aws/inspector/arn":"arn:aws:inspector:ap-northeast-1:000000000000:target/0-u94f6NHw/template/0-vXjp9LBu/run/0-G7CQWHVo/finding/0-OJ2LElvn","serviceAttributes/rulesPackageArn":"arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu","aws/inspector/ProductVersion":"1","serviceAttributes/assessmentRunArn":"arn:aws:inspector:ap-northeast-1:000000000000:target/0-u94f6NHw/template/0-vXjp9LBu/run/0-G7CQWHVo","attributes/CIS_BENCHMARK_PROFILE":"Level 1, Level 2","aws/inspector/RulesPackageName":"CIS Operating System Security Configuration Benchmarks","attributes/BENCHMARK_RULE_ID":"1.1.1.1 Ensure mounting of cramfs filesystems is disabled","attributes/INSTANCE_ID":"i-0986014d98308ac67","attributes/CIS_WEIGHT":"SCORED","attributes/BENCHMARK_ID":"1.0.0 CIS Amazon Linux 2 Benchmark","aws/securityhub/FindingId":"arn:aws:securityhub:ap-northeast-1::product/aws/inspector/inspector/ap-northeast-1/000000000000/1f4f586c70a7565903076584ee3c3a9c76107319","aws/securityhub/ProductName":"Inspector","aws/securityhub/CompanyName":"Amazon"},"AwsAccountId":"000000000000","Region":"ap-northeast-1","Id":"inspector/ap-northeast-1/000000000000/1f4f586c70a7565903076584ee3c3a9c76107319","Remediation":{"Recommendation":{"Text":"\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\tEdit or create a file in the /etc/modprobe.d/ directory ending in 
.conf\n\t\t\t\t\t\t\t\tExample: vim /etc/modprobe.d/cramfs.conf\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\tand add the following line:\n\t\t\t\t\t\t\t\tinstall cramfs /bin/true\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\tRun the following command to unload the cramfs module:\n\t\t\t\t\t\t\t\t# rmmod cramfs\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t \n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t"}},"Resources":[{"Partition":"aws","Type":"AwsEc2Instance","Details":{"AwsEc2Instance":{"VpcId":"vpc-0e4acafc38414468c","ImageId":"ami-0218d08a1f9dac831","IpV4Addresses":["192.168.0.142"],"SubnetId":"subnet-0caa45223899b4b73"}},"Region":"ap-northeast-1","Id":"arn:aws:ec2:ap-northeast-1:000000000000:instance/i-0986014d98308ac67","Tags":{"Name":"Inspector Test"}}]}]}}
Formatted as JSON
{
  "version": "0",
  "id": "bd7af87e-c155-a084-463d-6bd3677fc188",
  "detail-type": "Security Hub Findings - Imported",
  "source": "aws.securityhub",
  "account": "000000000000",
  "time": "2021-12-06T08:25:58Z",
  "region": "ap-northeast-1",
  "resources": [
    "arn:aws:securityhub:ap-northeast-1::product/aws/inspector/inspector/ap-northeast-1/000000000000/1f4f586c70a7565903076584ee3c3a9c76107319"
  ],
  "detail": {
    "findings": [
      {
        "ProductArn": "arn:aws:securityhub:ap-northeast-1::product/aws/inspector",
        "Types": [
          "Software and Configuration Checks/Industry and Regulatory Standards/CIS Host Hardening Benchmarks – 1.1.1.1 Ensure mounting of cramfs filesystems is disabled"
        ],
        "Description": "Description\n\n\t\t\t\t\t\t\nThe cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.\n\n\t\t\t\t\t\n\nRationale\n\n\t\t\t\t\t\t\nRemoving support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it.\n\n\t\t\t\t\t\n\n",
        "SchemaVersion": "2018-10-08",
        "ProductName": "Inspector",
        "GeneratorId": "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu",
        "CreatedAt": "2021-12-06T08:25:51.654Z",
        "RecordState": "ACTIVE",
        "Title": "\n Instance i-0986014d98308ac67 is not compliant with rule 1.1.1.1 Ensure mounting of cramfs filesystems is disabled, 1.0.0 CIS Amazon Linux 2 Benchmark. \n\n Applicable profiles: Level 1, Level 2.\n ",
        "Workflow": {
          "Status": "NEW"
        },
        "Severity": {
          "Normalized": 70,
          "Label": "HIGH",
          "Original": "9.0"
        },
        "UpdatedAt": "2021-12-06T08:25:51.654Z",
        "CompanyName": "Amazon",
        "FindingProviderFields": {
          "Types": [
            "Software and Configuration Checks/Industry and Regulatory Standards/CIS Host Hardening Benchmarks – 1.1.1.1 Ensure mounting of cramfs filesystems is disabled"
          ],
          "Confidence": 10,
          "Severity": {
            "Normalized": 70,
            "Label": "HIGH",
            "Original": "9.0"
          }
        },
        "Confidence": 10,
        "WorkflowState": "NEW",
        "ProductFields": {
          "aws/inspector/id": "1.1.1.1 Ensure mounting of cramfs filesystems is disabled",
          "serviceAttributes/schemaVersion": "1",
          "aws/inspector/arn": "arn:aws:inspector:ap-northeast-1:000000000000:target/0-u94f6NHw/template/0-vXjp9LBu/run/0-G7CQWHVo/finding/0-OJ2LElvn",
          "serviceAttributes/rulesPackageArn": "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu",
          "aws/inspector/ProductVersion": "1",
          "serviceAttributes/assessmentRunArn": "arn:aws:inspector:ap-northeast-1:000000000000:target/0-u94f6NHw/template/0-vXjp9LBu/run/0-G7CQWHVo",
          "attributes/CIS_BENCHMARK_PROFILE": "Level 1, Level 2",
          "aws/inspector/RulesPackageName": "CIS Operating System Security Configuration Benchmarks",
          "attributes/BENCHMARK_RULE_ID": "1.1.1.1 Ensure mounting of cramfs filesystems is disabled",
          "attributes/INSTANCE_ID": "i-0986014d98308ac67",
          "attributes/CIS_WEIGHT": "SCORED",
          "attributes/BENCHMARK_ID": "1.0.0 CIS Amazon Linux 2 Benchmark",
          "aws/securityhub/FindingId": "arn:aws:securityhub:ap-northeast-1::product/aws/inspector/inspector/ap-northeast-1/000000000000/1f4f586c70a7565903076584ee3c3a9c76107319",
          "aws/securityhub/ProductName": "Inspector",
          "aws/securityhub/CompanyName": "Amazon"
        },
        "AwsAccountId": "000000000000",
        "Region": "ap-northeast-1",
        "Id": "inspector/ap-northeast-1/000000000000/1f4f586c70a7565903076584ee3c3a9c76107319",
        "Remediation": {
          "Recommendation": {
            "Text": "\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\tEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\n\t\t\t\t\t\t\t\tExample: vim /etc/modprobe.d/cramfs.conf\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\tand add the following line:\n\t\t\t\t\t\t\t\tinstall cramfs /bin/true\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\tRun the following command to unload the cramfs module:\n\t\t\t\t\t\t\t\t# rmmod cramfs\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t \n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t"
          }
        },
        "Resources": [
          {
            "Partition": "aws",
            "Type": "AwsEc2Instance",
            "Details": {
              "AwsEc2Instance": {
                "VpcId": "vpc-0e4acafc38414468c",
                "ImageId": "ami-0218d08a1f9dac831",
                "IpV4Addresses": [
                  "192.168.0.142"
                ],
                "SubnetId": "subnet-0caa45223899b4b73"
              }
            },
            "Region": "ap-northeast-1",
            "Id": "arn:aws:ec2:ap-northeast-1:000000000000:instance/i-0986014d98308ac67",
            "Tags": {
              "Name": "Inspector Test"
            }
          }
        ]
      }
    ]
  }
}
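Added example, not part of the original scrap: a local Python check of the event pattern and input transformer above against a cut-down copy of the sample notification. The matcher and path resolver are simplified stand-ins for EventBridge's behaviour (exact-value matching only), and the names `matches`, `resolve` and `transform` are hypothetical.

```python
import re

# Event pattern, input paths and input template as given above.
PATTERN = {
    "detail-type": ["Security Hub Findings - Imported"],
    "source": ["aws.securityhub"],
    "detail": {"findings": {
        "ProductArn": ["arn:aws:securityhub:ap-northeast-1::product/aws/inspector"],
        "Workflow": {"Status": ["NEW"]},
        "Severity": {"Label": ["HIGH", "MEDIUM"]}}}}
F0 = "$.detail.findings[0]."
INPUT_PATHS = {"DATE": F0 + "UpdatedAt", "Description": F0 + "Description",
               "ID": F0 + "Id", "LEVEL": F0 + "Severity.Label"}
TEMPLATE = ('"LEVEL : <LEVEL>"\n"ID : <ID>"\n'
            '"Description : <Description>"\n"DATE : <DATE>"')

# Constructed sample: the notification above cut down to the fields the rule reads.
EVENT = {
    "detail-type": "Security Hub Findings - Imported", "source": "aws.securityhub",
    "detail": {"findings": [{
        "ProductArn": "arn:aws:securityhub:ap-northeast-1::product/aws/inspector",
        "Description": "The cramfs filesystem type is a compressed read-only filesystem.",
        "Workflow": {"Status": "NEW"},
        "Severity": {"Normalized": 70, "Label": "HIGH", "Original": "9.0"},
        "UpdatedAt": "2021-12-06T08:25:51.654Z",
        "Id": "inspector/ap-northeast-1/000000000000/1f4f586c70a7565903076584ee3c3a9c76107319"}]}}

def matches(pattern, node):
    # Exact-value subset of EventBridge matching; an array matches if any element does.
    for key, want in pattern.items():
        have = node.get(key)
        items = have if isinstance(have, list) else [have]
        if isinstance(want, dict):
            if not any(isinstance(i, dict) and matches(want, i) for i in items):
                return False
        elif not any(i in want for i in items):
            return False
    return True

def resolve(path, event):
    # JSONPath subset used by the input paths: dotted keys with an optional [index].
    node = event
    for name, index in re.findall(r"\.(\w+)(?:\[(\d+)\])?", path):
        node = node[name] if index == "" else node[name][int(index)]
    return node

def transform(event):
    # Fill each <NAME> placeholder in one pass with the value its input path selects.
    return re.sub(r"<(\w+)>", lambda m: str(resolve(INPUT_PATHS[m.group(1)], event)), TEMPLATE)
```

Calling `matches(PATTERN, EVENT)` and `transform(EVENT)` shows whether a given finding would trigger the rule and what text the notification would carry; changing `Severity.Label` or `Workflow.Status` in the sample shows which findings are filtered out.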
This scrap was closed on 2022/02/09.