
Inspector通知


イベントパターン（Inspector 由来で Workflow Status が NEW、かつ Severity Label が HIGH または MEDIUM の検出結果のみ一致する。CRITICAL は列挙されていないため一致しない）

{
  "detail-type": ["Security Hub Findings - Imported"],
  "source": ["aws.securityhub"],
  "detail": {
    "findings": {
      "ProductArn": ["arn:aws:securityhub:ap-northeast-1::product/aws/inspector"],
      "Workflow": {
        "Status": ["NEW"]
      },
      "Severity": {
        "Label": ["HIGH", "MEDIUM"]
      }
    }
  }
}

入力トランスフォーマー

入力パス（findings 配列の先頭要素 `[0]` のみを参照している）

{"DATE":"$.detail.findings[0].UpdatedAt","Description":"$.detail.findings[0].Description","ID":"$.detail.findings[0].Id","LEVEL":"$.detail.findings[0].Severity.Label"}

入力テンプレート

"LEVEL : <LEVEL>" 
"ID : <ID>"
"Description : <Description>" 
"DATE : <DATE>" 

トランスフォーマーをかまさなかった時の通知例（アカウント番号のみマスク。インスタンス ID・VPC/サブネット ID・AMI ID・プライベート IP などのリソース識別子はマスクしていない）

{"version":"0","id":"bd7af87e-c155-a084-463d-6bd3677fc188","detail-type":"Security Hub Findings - Imported","source":"aws.securityhub","account":"000000000000","time":"2021-12-06T08:25:58Z","region":"ap-northeast-1","resources":["arn:aws:securityhub:ap-northeast-1::product/aws/inspector/inspector/ap-northeast-1/000000000000/1f4f586c70a7565903076584ee3c3a9c76107319"],"detail":{"findings":[{"ProductArn":"arn:aws:securityhub:ap-northeast-1::product/aws/inspector","Types":["Software and Configuration Checks/Industry and Regulatory Standards/CIS Host Hardening Benchmarks – 1.1.1.1 Ensure mounting of cramfs filesystems is disabled"],"Description":"Description\n\n\t\t\t\t\t\t\nThe cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.\n\n\t\t\t\t\t\n\nRationale\n\n\t\t\t\t\t\t\nRemoving support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it.\n\n\t\t\t\t\t\n\n","SchemaVersion":"2018-10-08","ProductName":"Inspector","GeneratorId":"arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu","CreatedAt":"2021-12-06T08:25:51.654Z","RecordState":"ACTIVE","Title":"\n    Instance i-0986014d98308ac67 is not compliant with rule 1.1.1.1 Ensure mounting of cramfs filesystems is disabled, 1.0.0 CIS Amazon Linux 2 Benchmark.            
\n\n    Applicable profiles: Level 1, Level 2.\n            ","Workflow":{"Status":"NEW"},"Severity":{"Normalized":70,"Label":"HIGH","Original":"9.0"},"UpdatedAt":"2021-12-06T08:25:51.654Z","CompanyName":"Amazon","FindingProviderFields":{"Types":["Software and Configuration Checks/Industry and Regulatory Standards/CIS Host Hardening Benchmarks – 1.1.1.1 Ensure mounting of cramfs filesystems is disabled"],"Confidence":10,"Severity":{"Normalized":70,"Label":"HIGH","Original":"9.0"}},"Confidence":10,"WorkflowState":"NEW","ProductFields":{"aws/inspector/id":"1.1.1.1 Ensure mounting of cramfs filesystems is disabled","serviceAttributes/schemaVersion":"1","aws/inspector/arn":"arn:aws:inspector:ap-northeast-1:000000000000:target/0-u94f6NHw/template/0-vXjp9LBu/run/0-G7CQWHVo/finding/0-OJ2LElvn","serviceAttributes/rulesPackageArn":"arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu","aws/inspector/ProductVersion":"1","serviceAttributes/assessmentRunArn":"arn:aws:inspector:ap-northeast-1:000000000000:target/0-u94f6NHw/template/0-vXjp9LBu/run/0-G7CQWHVo","attributes/CIS_BENCHMARK_PROFILE":"Level 1, Level 2","aws/inspector/RulesPackageName":"CIS Operating System Security Configuration Benchmarks","attributes/BENCHMARK_RULE_ID":"1.1.1.1 Ensure mounting of cramfs filesystems is disabled","attributes/INSTANCE_ID":"i-0986014d98308ac67","attributes/CIS_WEIGHT":"SCORED","attributes/BENCHMARK_ID":"1.0.0 CIS Amazon Linux 2 Benchmark","aws/securityhub/FindingId":"arn:aws:securityhub:ap-northeast-1::product/aws/inspector/inspector/ap-northeast-1/000000000000/1f4f586c70a7565903076584ee3c3a9c76107319","aws/securityhub/ProductName":"Inspector","aws/securityhub/CompanyName":"Amazon"},"AwsAccountId":"000000000000","Region":"ap-northeast-1","Id":"inspector/ap-northeast-1/000000000000/1f4f586c70a7565903076584ee3c3a9c76107319","Remediation":{"Recommendation":{"Text":"\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\tEdit or create a file in the /etc/modprobe.d/ directory ending 
in .conf\n\t\t\t\t\t\t\t\tExample: vim /etc/modprobe.d/cramfs.conf\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\tand add the following line:\n\t\t\t\t\t\t\t\tinstall cramfs /bin/true\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\tRun the following command to unload the cramfs module:\n\t\t\t\t\t\t\t\t# rmmod cramfs\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t \n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t"}},"Resources":[{"Partition":"aws","Type":"AwsEc2Instance","Details":{"AwsEc2Instance":{"VpcId":"vpc-0e4acafc38414468c","ImageId":"ami-0218d08a1f9dac831","IpV4Addresses":["192.168.0.142"],"SubnetId":"subnet-0caa45223899b4b73"}},"Region":"ap-northeast-1","Id":"arn:aws:ec2:ap-northeast-1:000000000000:instance/i-0986014d98308ac67","Tags":{"Name":"Inspector Test"}}]}]}}

JSONに整形

{
	"version": "0",
	"id": "bd7af87e-c155-a084-463d-6bd3677fc188",
	"detail-type": "Security Hub Findings - Imported",
	"source": "aws.securityhub",
	"account": "000000000000",
	"time": "2021-12-06T08:25:58Z",
	"region": "ap-northeast-1",
	"resources": [
		"arn:aws:securityhub:ap-northeast-1::product/aws/inspector/inspector/ap-northeast-1/000000000000/1f4f586c70a7565903076584ee3c3a9c76107319"
	],
	"detail": {
		"findings": [
			{
				"ProductArn": "arn:aws:securityhub:ap-northeast-1::product/aws/inspector",
				"Types": [
					"Software and Configuration Checks/Industry and Regulatory Standards/CIS Host Hardening Benchmarks – 1.1.1.1 Ensure mounting of cramfs filesystems is disabled"
				],
				"Description": "Description\n\n\t\t\t\t\t\t\nThe cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.\n\n\t\t\t\t\t\n\nRationale\n\n\t\t\t\t\t\t\nRemoving support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it.\n\n\t\t\t\t\t\n\n",
				"SchemaVersion": "2018-10-08",
				"ProductName": "Inspector",
				"GeneratorId": "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu",
				"CreatedAt": "2021-12-06T08:25:51.654Z",
				"RecordState": "ACTIVE",
				"Title": "\n    Instance i-0986014d98308ac67 is not compliant with rule 1.1.1.1 Ensure mounting of cramfs filesystems is disabled, 1.0.0 CIS Amazon Linux 2 Benchmark.            \n\n    Applicable profiles: Level 1, Level 2.\n            ",
				"Workflow": {
					"Status": "NEW"
				},
				"Severity": {
					"Normalized": 70,
					"Label": "HIGH",
					"Original": "9.0"
				},
				"UpdatedAt": "2021-12-06T08:25:51.654Z",
				"CompanyName": "Amazon",
				"FindingProviderFields": {
					"Types": [
						"Software and Configuration Checks/Industry and Regulatory Standards/CIS Host Hardening Benchmarks – 1.1.1.1 Ensure mounting of cramfs filesystems is disabled"
					],
					"Confidence": 10,
					"Severity": {
						"Normalized": 70,
						"Label": "HIGH",
						"Original": "9.0"
					}
				},
				"Confidence": 10,
				"WorkflowState": "NEW",
				"ProductFields": {
					"aws/inspector/id": "1.1.1.1 Ensure mounting of cramfs filesystems is disabled",
					"serviceAttributes/schemaVersion": "1",
					"aws/inspector/arn": "arn:aws:inspector:ap-northeast-1:000000000000:target/0-u94f6NHw/template/0-vXjp9LBu/run/0-G7CQWHVo/finding/0-OJ2LElvn",
					"serviceAttributes/rulesPackageArn": "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu",
					"aws/inspector/ProductVersion": "1",
					"serviceAttributes/assessmentRunArn": "arn:aws:inspector:ap-northeast-1:000000000000:target/0-u94f6NHw/template/0-vXjp9LBu/run/0-G7CQWHVo",
					"attributes/CIS_BENCHMARK_PROFILE": "Level 1, Level 2",
					"aws/inspector/RulesPackageName": "CIS Operating System Security Configuration Benchmarks",
					"attributes/BENCHMARK_RULE_ID": "1.1.1.1 Ensure mounting of cramfs filesystems is disabled",
					"attributes/INSTANCE_ID": "i-0986014d98308ac67",
					"attributes/CIS_WEIGHT": "SCORED",
					"attributes/BENCHMARK_ID": "1.0.0 CIS Amazon Linux 2 Benchmark",
					"aws/securityhub/FindingId": "arn:aws:securityhub:ap-northeast-1::product/aws/inspector/inspector/ap-northeast-1/000000000000/1f4f586c70a7565903076584ee3c3a9c76107319",
					"aws/securityhub/ProductName": "Inspector",
					"aws/securityhub/CompanyName": "Amazon"
				},
				"AwsAccountId": "000000000000",
				"Region": "ap-northeast-1",
				"Id": "inspector/ap-northeast-1/000000000000/1f4f586c70a7565903076584ee3c3a9c76107319",
				"Remediation": {
					"Recommendation": {
						"Text": "\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\tEdit or create a file in the /etc/modprobe.d/ directory ending in .conf\n\t\t\t\t\t\t\t\tExample: vim /etc/modprobe.d/cramfs.conf\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\tand add the following line:\n\t\t\t\t\t\t\t\tinstall cramfs /bin/true\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\tRun the following command to unload the cramfs module:\n\t\t\t\t\t\t\t\t# rmmod cramfs\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t \n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t"
					}
				},
				"Resources": [
					{
						"Partition": "aws",
						"Type": "AwsEc2Instance",
						"Details": {
							"AwsEc2Instance": {
								"VpcId": "vpc-0e4acafc38414468c",
								"ImageId": "ami-0218d08a1f9dac831",
								"IpV4Addresses": [
									"192.168.0.142"
								],
								"SubnetId": "subnet-0caa45223899b4b73"
							}
						},
						"Region": "ap-northeast-1",
						"Id": "arn:aws:ec2:ap-northeast-1:000000000000:instance/i-0986014d98308ac67",
						"Tags": {
							"Name": "Inspector Test"
						}
					}
				]
			}
		]
	}
}