feat(azure): Add new checks related to Network service #3402
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sergargar
reviewed
Feb 16, 2024
| security_rules=security_group.security_rules, | ||
| network_watchers=network_watchers, | ||
| subscription_locations=subscription_locations, | ||
| flow_logs=self.__get_flow_logs__(subscription), |
There was a problem hiding this comment.
can you do it up like the others?
sergargar
reviewed
Feb 16, 2024
| def execute(self) -> Check_Report_Azure: | ||
| findings = [] | ||
| for subscription, bastion_hosts in network_client.bastion_hosts.items(): | ||
| if bastion_hosts == []: |
There was a problem hiding this comment.
Suggested change
| if bastion_hosts == []: | |
| if not bastion_hosts: |
sergargar
reviewed
Feb 16, 2024
| else: | ||
| status = "PASS" | ||
| status_extended = ( | ||
| f"Bastion Host from subscription {subscription} exists" |
There was a problem hiding this comment.
Please, add here the bastion hosts that are available
sergargar
reviewed
Feb 16, 2024
| report.status = "PASS" | ||
| report.status_extended = f"Security Group {security_group.name} from subscription {subscription} has flow logs enabled for more than 90 days" | ||
| has_failed = False | ||
| if not has_failed: |
There was a problem hiding this comment.
Suggested change
| if not has_failed: |
sergargar
reviewed
Feb 16, 2024
| report.subscription = subscription | ||
| report.resource_name = security_group.name | ||
| report.resource_id = security_group.id | ||
| if security_group.flow_logs and security_group.flow_logs.__len__() > 0: |
There was a problem hiding this comment.
Suggested change
| if security_group.flow_logs and security_group.flow_logs.__len__() > 0: | |
| if security_group.flow_logs: |
sergargar
requested changes
Feb 16, 2024
| report.status = "PASS" | ||
| report.status_extended = f"Security Group {security_group.name} from subscription {subscription} has HTTP internet access restricted." | ||
| rule_fail_condition = any( | ||
| rule.destination_port_range == "80" |
There was a problem hiding this comment.
Please, review if the rule accepts all ports or a range of ports that includes port 80.
| @@ -0,0 +1,30 @@ | |||
| { | |||
| "Provider": "azure", | |||
| "CheckID": "network_network_watcher_enabled", | |||
There was a problem hiding this comment.
Suggested change
| "CheckID": "network_network_watcher_enabled", | |
| "CheckID": "network_watcher_enabled", |
| self.bastion_hosts = self.__get_bastion_hosts__() | ||
|
|
||
| def __get_security_groups__(self, token): | ||
| logger.info("SQL Server - Getting Network Security Groups...") |
There was a problem hiding this comment.
Please, remove SQL Server from the INFO logs.
| security_groups.update({subscription: []}) | ||
| security_groups_list = client.network_security_groups.list_all() | ||
| available_locations = {} | ||
| network_watchers = self.__get_network_watchers__(client, subscription) |
There was a problem hiding this comment.
Please, do a separate function and class for Network Watchers.
| security_rules=security_group.security_rules, | ||
| network_watchers=network_watchers, | ||
| subscription_locations=subscription_locations, | ||
| flow_logs=self.__get_flow_logs__(subscription), |
There was a problem hiding this comment.
add it to the new Network Watchers class
| report.status = "PASS" | ||
| report.status_extended = f"Security Group {security_group.name} from subscription {subscription} has RDP internet access restricted." | ||
| rule_fail_condition = any( | ||
| rule.destination_port_range == "3389" |
| report.status = "PASS" | ||
| report.status_extended = f"Security Group {security_group.name} from subscription {subscription} has SSH internet access restricted." | ||
| rule_fail_condition = any( | ||
| rule.destination_port_range == "22" |
pyproject.toml
Outdated
| @@ -53,6 +53,7 @@ schema = "0.7.5" | |||
| shodan = "1.31.0" | |||
| slack-sdk = "3.26.2" | |||
| tabulate = "0.9.0" | |||
| azure-mgmt-network = "^25.2.0" | |||
There was a problem hiding this comment.
Suggested change
| azure-mgmt-network = "^25.2.0" | |
| azure-mgmt-network = "25.2.0" |
github-actions
bot
added
the
provider/azure
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## master #3402 +/- ##
==========================================
- Coverage 85.85% 85.76% -0.10%
==========================================
Files 609 618 +9
Lines 19369 19615 +246
==========================================
+ Hits 16630 16823 +193
- Misses 2739 2792 +53 ☔ View full report in Codecov by Sentry. |
sergargar
reviewed
Feb 20, 2024
| name=security_group.name, | ||
| location=security_group.location, | ||
| security_rules=security_group.security_rules, | ||
| subscription_locations=subscription_locations, |
There was a problem hiding this comment.
Suggested change
| subscription_locations=subscription_locations, |
sergargar
reviewed
Feb 20, 2024
| security_groups_list = client.network_security_groups.list_all() | ||
| for security_group in security_groups_list: | ||
| subscription_id = security_group.id.split("/")[2] | ||
| subscription_locations = audit_info.locations[subscription_id] |
There was a problem hiding this comment.
Suggested change
| subscription_locations = audit_info.locations[subscription_id] |
sergargar
reviewed
Feb 20, 2024
| name: str | ||
| location: str | ||
| security_rules: list | ||
| subscription_locations: list |
There was a problem hiding this comment.
Suggested change
| subscription_locations: list |
sergargar
reviewed
Feb 20, 2024
| for network_watcher in network_watchers: | ||
| nw_locations.append(network_watcher.location) | ||
| for subscription, security_groups in network_client.security_groups.items(): | ||
| for security_group in security_groups: |
There was a problem hiding this comment.
Iterate with the locations that are in audit info, please
sergargar
reviewed
Feb 20, 2024
Comment on lines
86
to
88
| assert network.security_groups[AZURE_SUBSCRIPTION][ | ||
| 0 | ||
| ].subscription_locations == ["location"] |
There was a problem hiding this comment.
Suggested change
| assert network.security_groups[AZURE_SUBSCRIPTION][ | |
| 0 | |
| ].subscription_locations == ["location"] |
sergargar
reviewed
Feb 20, 2024
| @@ -212,3 +213,31 @@ def get_identity(self): | |||
|
|
|||
| def get_region_config(self): | |||
| return self.region_config | |||
|
|
|||
| def get_locations(self, credentials, region_config): | |||
There was a problem hiding this comment.
Please, add tests to this function
sergargar
previously approved these changes
Feb 20, 2024
sergargar
approved these changes
Feb 20, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Context
This pr adds 7 new checks related to network service.
Description
The checks that are included in this pr are:
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.