False positive: aws_compliance.control.foundational_security_ssm_2 if Patch is not applicable #759
Assignees
Labels
bug
Something isn't working
Comments
khushboo9024
added a commit
that referenced
this issue
Feb 15, 2024
… Patch is not applicable closes #759
|
Thanks, @the-cloud-ninja, for catching this bug. I have raised a PR with a fix. Could you please test it and let us know if it works for you? |
|
Very nice job indeed! Review succesful, false positive gone! Thank you so much! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
False Positive Results for Control aws_compliance.control.foundational_security_ssm_2. All Patches that are not applicable raises alarm.
Especially for windows instances, this result into thousands of false positives in our environment.
Steampipe version (
steampipe -v)v0.21.4
Plugin version (
steampipe plugin list)aws 0.130.0
To reproduce
Lets check patches for an instance with AWS CLI:
aws ssm describe-instance-patches --instance-id i-03cdb --region eu-central-1Result (stripped to KB2305420)
{
"Patches": [
{
"Title": "",
"KBId": "KB2305420",
"Classification": "",
"Severity": "",
"State": "NotApplicable",
"InstalledTime": 0.0
}
]
}
Please note the State "NotApplicable"
Now let's start the control:
steampipe check aws_compliance.control.foundational_security_ssm_2ALARM: i-03cdb patch KB2305420 is non-compliant. ............................... eu-central-1 123456789
Expected behavior
Instead of raising an ALARM please consider the NotApplicable as SKIP.
Please see the AWS documentation regarding this status as well here:
https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-compliance-states.html
Not-Applicable means really: The related vulnerable software package is not even installed on that specific instance, therefore the patch is not required and skipped.
thanks in advance
Markus
The text was updated successfully, but these errors were encountered: