ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2025-12-19 05:17:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
f0c027f54efdaf557704655c6ef3e7865bc844a3
prowler/docs/tutorials/reporting.md
Pepe Fagoaga f0c027f54e chore(merge): Merge master with Prowler 4.0 (#3467) 
Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
2024-02-29 11:19:17 +01:00

608 lines
21 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Reporting
By default, Prowler will generate a CSV, JSON, JSON-OCSF and a HTML report, however you could generate a JSON-ASFF (used by AWS Security Hub) report with `-M` or `--output-modes`:
```console
prowler <provider> -M csv json json-ocsf json-asff html
```
## Custom Output Flags
By default, Prowler creates a file inside the `output` directory named `prowler-output-ACCOUNT_NUM-OUTPUT_DATE.format`.
However, both the output file name and directory can be personalised:
- Custom output report name: you can use the flag `-F`/`--output-filename`
```console
prowler <provider> -M csv json json-asff html -F <custom_report_name>
```
- Custom output directory: you can use the flag `-o`/`--output-directory`
```console
prowler <provider> -M csv json json-asff html -o <custom_report_directory>
```
???+ note
Both flags can be used simultaneously to provide a custom directory and filename.
```console
prowler <provider> -M csv json json-asff html \
-F <custom_report_name> -o <custom_report_directory>
```
## Output timestamp format
By default, the timestamp format of the output files is ISO 8601. This can be changed with the flag `--unix-timestamp` generating the timestamp fields in pure unix timestamp format.
## Output Formats
Prowler supports natively the following output formats:
- CSV
- JSON
- JSON-OCSF
- JSON-ASFF
- HTML
Hereunder is the structure for each of the supported report formats by Prowler:
### HTML
![HTML Output](../img/output-html.png)
### CSV
CSV format has a set of common columns for all the providers, and then provider specific columns.
The common columns are the following:
- ASSESSMENT_START_TIME
- FINDING_UNIQUE_ID
- PROVIDER
- CHECK_ID
- CHECK_TITLE
- CHECK_TYPE
- STATUS
- STATUS_EXTENDED
- SERVICE_NAME
- SUBSERVICE_NAME
- SEVERITY
- RESOURCE_TYPE
- RESOURCE_DETAILS
- RESOURCE_TAGS
- DESCRIPTION
- RISK
- RELATED_URL
- REMEDIATION_RECOMMENDATION_TEXT
- REMEDIATION_RECOMMENDATION_URL
- REMEDIATION_RECOMMENDATION_CODE_NATIVEIAC
- REMEDIATION_RECOMMENDATION_CODE_TERRAFORM
- REMEDIATION_RECOMMENDATION_CODE_CLI
- REMEDIATION_RECOMMENDATION_CODE_OTHER
- COMPLIANCE
- CATEGORIES
- DEPENDS_ON
- RELATED_TO
- NOTES
And then by the provider specific columns:
#### AWS
- PROFILE
- ACCOUNT_ID
- ACCOUNT_NAME
- ACCOUNT_EMAIL
- ACCOUNT_ARN
- ACCOUNT_ORG
- ACCOUNT_TAGS
- REGION
- RESOURCE_ID
- RESOURCE_ARN
#### AZURE
- TENANT_DOMAIN
- SUBSCRIPTION
- RESOURCE_ID
- RESOURCE_NAME
#### GCP
- PROJECT_ID
- LOCATION
- RESOURCE_ID
- RESOURCE_NAME
???+ note
Since Prowler v3 the CSV column delimiter is the semicolon (`;`)
### JSON
The following code is an example output of the JSON format:
```json
[{
"AssessmentStartTime": "2022-12-01T14:16:57.354413",
"FindingUniqueId": "",
"Provider": "aws",
"Profile": "dev",
"AccountId": "ACCOUNT_ID",
"OrganizationsInfo": null,
"Region": "eu-west-1",
"CheckID": "rds_instance_minor_version_upgrade_enabled",
"CheckTitle": "Ensure RDS instances have minor version upgrade enabled.",
"CheckType": [],
"ServiceName": "rds",
"SubServiceName": "",
"Status": "PASS",
"StatusExtended": "RDS Instance rds-instance-id has minor version upgrade enabled.",
"Severity": "low",
"ResourceId": "rds-instance-id",
"ResourceArn": "",
"ResourceTags": {
"test": "test",
"enironment": "dev"
},
"ResourceType": "AwsRdsDbInstance",
"ResourceDetails": "",
"Description": "Ensure RDS instances have minor version upgrade enabled.",
"Risk": "Auto Minor Version Upgrade is a feature that you can enable to have your database automatically upgraded when a new minor database engine version is available. Minor version upgrades often patch security vulnerabilities and fix bugs and therefore should be applied.",
"RelatedUrl": "https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/",
"Remediation": {
"Code": {
"NativeIaC": "https://docs.bridgecrew.io/docs/ensure-aws-db-instance-gets-all-minor-upgrades-automatically#cloudformation",
"Terraform": "https://docs.bridgecrew.io/docs/ensure-aws-db-instance-gets-all-minor-upgrades-automatically#terraform",
"CLI": "aws rds modify-db-instance --db-instance-identifier <db_instance_id> --auto-minor-version-upgrade --apply-immediately",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-auto-minor-version-upgrade.html"
},
"Recommendation": {
"Text": "Enable auto minor version upgrade for all databases and environments.",
"Url": "https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/"
}
},
"Categories": [],
"Notes": "",
"Compliance": {
"CIS-1.4": [
"1.20"
],
"CIS-1.5": [
"1.20"
]
}
},
{
"AssessmentStartTime": "2022-12-01T14:16:57.354413",
"FindingUniqueId": "",
"Provider": "aws",
"Profile": "dev",
"AccountId": "ACCOUNT_ID",
"OrganizationsInfo": null,
"Region": "eu-west-1",
"CheckID": "rds_instance_minor_version_upgrade_enabled",
"CheckTitle": "Ensure RDS instances have minor version upgrade enabled.",
"CheckType": [],
"ServiceName": "rds",
"SubServiceName": "",
"Status": "PASS",
"StatusExtended": "RDS Instance rds-instance-id has minor version upgrade enabled.",
"Severity": "low",
"ResourceId": "rds-instance-id",
"ResourceArn": "",
"ResourceType": "AwsRdsDbInstance",
"ResourceTags": {},
"Description": "Ensure RDS instances have minor version upgrade enabled.",
"Risk": "Auto Minor Version Upgrade is a feature that you can enable to have your database automatically upgraded when a new minor database engine version is available. Minor version upgrades often patch security vulnerabilities and fix bugs and therefore should be applied.",
"RelatedUrl": "https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/",
"Remediation": {
"Code": {
"NativeIaC": "https://docs.bridgecrew.io/docs/ensure-aws-db-instance-gets-all-minor-upgrades-automatically#cloudformation",
"Terraform": "https://docs.bridgecrew.io/docs/ensure-aws-db-instance-gets-all-minor-upgrades-automatically#terraform",
"CLI": "aws rds modify-db-instance --db-instance-identifier <db_instance_id> --auto-minor-version-upgrade --apply-immediately",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-auto-minor-version-upgrade.html"
},
"Recommendation": {
"Text": "Enable auto minor version upgrade for all databases and environments.",
"Url": "https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/"
}
},
"Categories": [],
"Notes": "",
"Compliance": {}
}]
```
???+ note
Each finding is a `json` object within a list. This has changed in v3 since in v2 the format used was [ndjson](http://ndjson.org/).
### JSON-OCSF
Based on [Open Cybersecurity Schema Framework Security Finding v1.0.0-rc.3](https://schema.ocsf.io/1.0.0-rc.3/classes/security_finding?extensions=)
```json
[{
"finding": {
"title": "Check if ACM Certificates are about to expire in specific days or less",
"desc": "Check if ACM Certificates are about to expire in specific days or less",
"supporting_data": {
"Risk": "Expired certificates can impact service availability.",
"Notes": ""
},
"remediation": {
"kb_articles": [
"https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html"
],
"desc": "Monitor certificate expiration and take automated action to renew; replace or remove. Having shorter TTL for any security artifact is a general recommendation; but requires additional automation in place. If not longer required delete certificate. Use AWS config using the managed rule: acm-certificate-expiration-check."
},
"types": [
"Data Protection"
],
"src_url": "https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html",
"uid": "prowler-aws-acm_certificates_expiration_check-012345678912-eu-west-1-*.xxxxxxxxxxxxxx",
"related_events": []
},
"resources": [
{
"group": {
"name": "acm"
},
"region": "eu-west-1",
"name": "xxxxxxxxxxxxxx",
"uid": "arn:aws:acm:eu-west-1:012345678912:certificate/xxxxxxxxxxxxxx",
"labels": [
{
"Key": "project",
"Value": "prowler-pro"
},
{
"Key": "environment",
"Value": "dev"
},
{
"Key": "terraform",
"Value": "true"
},
{
"Key": "terraform_state",
"Value": "aws"
}
],
"type": "AwsCertificateManagerCertificate",
"details": ""
}
],
"status_detail": "ACM Certificate for xxxxxxxxxxxxxx expires in 111 days.",
"compliance": {
"status": "Success",
"requirements": [
"CISA: ['your-data-2']",
"SOC2: ['cc_6_7']",
"MITRE-ATTACK: ['T1040']",
"GDPR: ['article_32']",
"HIPAA: ['164_308_a_4_ii_a', '164_312_e_1']",
"AWS-Well-Architected-Framework-Security-Pillar: ['SEC09-BP01']",
"NIST-800-171-Revision-2: ['3_13_1', '3_13_2', '3_13_8', '3_13_11']",
"NIST-800-53-Revision-4: ['ac_4', 'ac_17_2', 'sc_12']",
"NIST-800-53-Revision-5: ['sc_7_12', 'sc_7_16']",
"NIST-CSF-1.1: ['ac_5', 'ds_2']",
"RBI-Cyber-Security-Framework: ['annex_i_1_3']",
"FFIEC: ['d3-pc-im-b-1']",
"FedRamp-Moderate-Revision-4: ['ac-4', 'ac-17-2', 'sc-12']",
"FedRAMP-Low-Revision-4: ['ac-17', 'sc-12']"
],
"status_detail": "ACM Certificate for xxxxxxxxxxxxxx expires in 111 days."
},
"message": "ACM Certificate for xxxxxxxxxxxxxx expires in 111 days.",
"severity_id": 4,
"severity": "High",
"cloud": {
"account": {
"name": "",
"uid": "012345678912"
},
"region": "eu-west-1",
"org": {
"uid": "",
"name": ""
},
"provider": "aws",
"project_uid": ""
},
"time": "2023-06-30 10:28:55.297615",
"metadata": {
"original_time": "2023-06-30T10:28:55.297615",
"profiles": [
"dev"
],
"product": {
"language": "en",
"name": "Prowler",
"version": "3.6.1",
"vendor_name": "Prowler/ProwlerPro",
"feature": {
"name": "acm_certificates_expiration_check",
"uid": "acm_certificates_expiration_check",
"version": "3.6.1"
}
},
"version": "1.0.0-rc.3"
},
"state_id": 0,
"state": "New",
"status_id": 1,
"status": "Success",
"type_uid": 200101,
"type_name": "Security Finding: Create",
"impact_id": 0,
"impact": "Unknown",
"confidence_id": 0,
"confidence": "Unknown",
"activity_id": 1,
"activity_name": "Create",
"category_uid": 2,
"category_name": "Findings",
"class_uid": 2001,
"class_name": "Security Finding"
},{
"finding": {
"title": "Check if ACM Certificates are about to expire in specific days or less",
"desc": "Check if ACM Certificates are about to expire in specific days or less",
"supporting_data": {
"Risk": "Expired certificates can impact service availability.",
"Notes": ""
},
"remediation": {
"kb_articles": [
"https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html"
],
"desc": "Monitor certificate expiration and take automated action to renew; replace or remove. Having shorter TTL for any security artifact is a general recommendation; but requires additional automation in place. If not longer required delete certificate. Use AWS config using the managed rule: acm-certificate-expiration-check."
},
"types": [
"Data Protection"
],
"src_url": "https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html",
"uid": "prowler-aws-acm_certificates_expiration_check-012345678912-eu-west-1-xxxxxxxxxxxxx",
"related_events": []
},
"resources": [
{
"group": {
"name": "acm"
},
"region": "eu-west-1",
"name": "xxxxxxxxxxxxx",
"uid": "arn:aws:acm:eu-west-1:012345678912:certificate/3ea965a0-368d-4d13-95eb-5042a994edc4",
"labels": [
{
"Key": "name",
"Value": "prowler-pro-saas-dev-acm-internal-wildcard"
},
{
"Key": "project",
"Value": "prowler-pro-saas"
},
{
"Key": "environment",
"Value": "dev"
},
{
"Key": "terraform",
"Value": "true"
},
{
"Key": "terraform_state",
"Value": "aws/saas/base"
}
],
"type": "AwsCertificateManagerCertificate",
"details": ""
}
],
"status_detail": "ACM Certificate for xxxxxxxxxxxxx expires in 119 days.",
"compliance": {
"status": "Success",
"requirements": [
"CISA: ['your-data-2']",
"SOC2: ['cc_6_7']",
"MITRE-ATTACK: ['T1040']",
"GDPR: ['article_32']",
"HIPAA: ['164_308_a_4_ii_a', '164_312_e_1']",
"AWS-Well-Architected-Framework-Security-Pillar: ['SEC09-BP01']",
"NIST-800-171-Revision-2: ['3_13_1', '3_13_2', '3_13_8', '3_13_11']",
"NIST-800-53-Revision-4: ['ac_4', 'ac_17_2', 'sc_12']",
"NIST-800-53-Revision-5: ['sc_7_12', 'sc_7_16']",
"NIST-CSF-1.1: ['ac_5', 'ds_2']",
"RBI-Cyber-Security-Framework: ['annex_i_1_3']",
"FFIEC: ['d3-pc-im-b-1']",
"FedRamp-Moderate-Revision-4: ['ac-4', 'ac-17-2', 'sc-12']",
"FedRAMP-Low-Revision-4: ['ac-17', 'sc-12']"
],
"status_detail": "ACM Certificate for xxxxxxxxxxxxx expires in 119 days."
},
"message": "ACM Certificate for xxxxxxxxxxxxx expires in 119 days.",
"severity_id": 4,
"severity": "High",
"cloud": {
"account": {
"name": "",
"uid": "012345678912"
},
"region": "eu-west-1",
"org": {
"uid": "",
"name": ""
},
"provider": "aws",
"project_uid": ""
},
"time": "2023-06-30 10:28:55.297615",
"metadata": {
"original_time": "2023-06-30T10:28:55.297615",
"profiles": [
"dev"
],
"product": {
"language": "en",
"name": "Prowler",
"version": "3.6.1",
"vendor_name": "Prowler/ProwlerPro",
"feature": {
"name": "acm_certificates_expiration_check",
"uid": "acm_certificates_expiration_check",
"version": "3.6.1"
}
},
"version": "1.0.0-rc.3"
},
"state_id": 0,
"state": "New",
"status_id": 1,
"status": "Success",
"type_uid": 200101,
"type_name": "Security Finding: Create",
"impact_id": 0,
"impact": "Unknown",
"confidence_id": 0,
"confidence": "Unknown",
"activity_id": 1,
"activity_name": "Create",
"category_uid": 2,
"category_name": "Findings",
"class_uid": 2001,
"class_name": "Security Finding"
}]
```
???+ note
Each finding is a `json` object.
### JSON-ASFF
The following code is an example output of the [JSON-ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-syntax.html) format:
```json
[{
"SchemaVersion": "2018-10-08",
"Id": "prowler-rds_instance_minor_version_upgrade_enabled-ACCOUNT_ID-eu-west-1-b1ade474a",
"ProductArn": "arn:aws:securityhub:eu-west-1::product/prowler/prowler",
"RecordState": "ACTIVE",
"ProductFields": {
"ProviderName": "Prowler",
"ProviderVersion": "3.0-beta-21Nov2022",
"ProwlerResourceName": "rds-instance-id"
},
"GeneratorId": "prowler-rds_instance_minor_version_upgrade_enabled",
"AwsAccountId": "ACCOUNT_ID",
"Types": [],
"FirstObservedAt": "2022-12-01T13:16:57Z",
"UpdatedAt": "2022-12-01T13:16:57Z",
"CreatedAt": "2022-12-01T13:16:57Z",
"Severity": {
"Label": "LOW"
},
"Title": "Ensure RDS instances have minor version upgrade enabled.",
"Description": "Ensure RDS instances have minor version upgrade enabled.",
"Resources": [
{
"Type": "AwsRdsDbInstance",
"Id": "rds-instance-id",
"Partition": "aws",
"Region": "eu-west-1"
}
],
"Compliance": {
"Status": "PASSED",
"RelatedRequirements": [
"CISA your-systems-2 booting-up-thing-to-do-first-3",
"CIS-1.5 2.3.2",
"AWS-Foundational-Security-Best-Practices rds",
"RBI-Cyber-Security-Framework annex_i_6",
"FFIEC d3-cc-pm-b-1 d3-cc-pm-b-3"
],
"AssociatedStandards": [
{
"StandardsId": "CISA"
},
{
"StandardsId": "CIS-1.5"
},
{
"StandardsId": "AWS-Foundational-Security-Best-Practices"
},
{
"StandardsId": "RBI-Cyber-Security-Framework"
},
{
"StandardsId": "FFIEC"
}
]
},
"Remediation": {
"Recommendation": {
"Text": "Enable auto minor version upgrade for all databases and environments.",
"Url": "https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/"
}
}
},{
"SchemaVersion": "2018-10-08",
"Id": "prowler-rds_instance_minor_version_upgrade_enabled-ACCOUNT_ID-eu-west-1-06d21d75e",
"ProductArn": "arn:aws:securityhub:eu-west-1::product/prowler/prowler",
"RecordState": "ACTIVE",
"ProductFields": {
"ProviderName": "Prowler",
"ProviderVersion": "3.0-beta-21Nov2022",
"ProwlerResourceName": "rds-instance-id"
},
"GeneratorId": "prowler-rds_instance_minor_version_upgrade_enabled",
"AwsAccountId": "ACCOUNT_ID",
"Types": [],
"FirstObservedAt": "2022-12-01T13:16:57Z",
"UpdatedAt": "2022-12-01T13:16:57Z",
"CreatedAt": "2022-12-01T13:16:57Z",
"Severity": {
"Label": "LOW"
},
"Title": "Ensure RDS instances have minor version upgrade enabled.",
"Description": "Ensure RDS instances have minor version upgrade enabled.",
"Resources": [
{
"Type": "AwsRdsDbInstance",
"Id": "rds-instance-id",
"Partition": "aws",
"Region": "eu-west-1"
}
],
"Compliance": {
"Status": "PASSED",
"RelatedRequirements": [
"CISA your-systems-2 booting-up-thing-to-do-first-3",
"CIS-1.5 2.3.2",
"AWS-Foundational-Security-Best-Practices rds",
"RBI-Cyber-Security-Framework annex_i_6",
"FFIEC d3-cc-pm-b-1 d3-cc-pm-b-3"
],
"AssociatedStandards": [
{
"StandardsId": "CISA"
},
{
"StandardsId": "CIS-1.5"
},
{
"StandardsId": "AWS-Foundational-Security-Best-Practices"
},
{
"StandardsId": "RBI-Cyber-Security-Framework"
},
{
"StandardsId": "FFIEC"
}
]
},
"Remediation": {
"Recommendation": {
"Text": "Enable auto minor version upgrade for all databases and environments.",
"Url": "https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/"
}
}
}]
```
???+ note
Each finding is a `json` object within a list.
Reference in New Issue View Git Blame Copy Permalink